Monday, April 6, 2015

CCNA Security: Security Policy Using a Life Cycle Approach


Risk Analysis and Management


Secure Network Life Cycle


  • Initiation: Preliminary risk assessments and categorization
  • Acquisition/Development: Detailed risk assessment, acquiring countermeasures to reduce risk, testing countermeasures
  • Implementation: Where countermeasures are deployed into a production network
  • Operations/Maintenance: Monitoring and incident handling of network security devices
  • Disposition: Disposing of network equipment, including wiping/sanitizing


Risk Analysis Methods


  • Qualitative: Data is gathered from an individual subject matter expert on the asset who can speak to its value and vulnerability
  • Quantitative: Numbers and statistics determine risk
Using both methods yields a risk score, which allows companies to justify the cost of risk mitigation techniques


Security Posture Assessment


  • General Assessment: High-level view of the security state of network devices, with the intent of identifying vulnerabilities
  • Internal Assessment: Identifies how well protected the network is from internal attack
  • External Assessment: Assesses security risks from devices that connect from outside the network
  • Wireless Assessment: Identifies vulnerabilities and weaknesses associated with the wireless implementation, such as AP range allowing access from outside the building
  • Analysis/Documentation: Report combining details about vulnerabilities that may exist following security assessments and recommended solutions to mitigate attack


One Approach to Risk Management


When determining risk score of an asset, consider:
  • Asset Value
  • Vulnerabilities
  • Compliance Issues
  • Potential Threats
  • Business Needs
For new assets for which risk has not been identified, a qualitative/quantitative risk assessment should be performed, appropriate mitigation measures taken (transfer, acceptance or reduction in risk with countermeasures), and then the risk should be monitored


Regulatory Compliance Risk


Impact of not complying with local/state/federal compliance rules should be considered as part of risk assessment


Security Policy


Executive senior management is ultimately responsible for data, so data governance policy, such as an Acceptable Use Policy, must be created at a high level by executive senior management

Security policies have risk management as a primary aspect and should include an overview of the policy and a Scope of Policy section stating what it covers and does not cover

Security policies exist to educate users about what the company policy is in terms of the security measures that must be followed and enforced


Specific Types of Policy


  • Guideline: AUP, audit policy, password policy, etc
  • Email: Spam / Forwarding policies, etc
  • Remote Access: VPN access, minimum requirements for remote access such as virus scanning, etc
  • Telephony: Acceptable use of phone services
  • Network: Standards for access over wired or wireless, minimum requirements for PCs connecting to network, etc
  • Application: Minimum security features needed in applications, restrictions on what end users can install and run on company computers

Standards/Procedures/Guidelines

  • Standard: Specifies the use of specific technologies as countermeasures
  • Procedures: Documents that encompass standards and guidelines for implementing security for the network, allowing consistency in the implementation of security
  • Guidelines: Best practices and suggestions, used in place of solid direction in order to determine the best course
  • Policies: High-level documents that define the strategic objectives of security, not technical in nature


Testing Security


Several techniques are used to test the security of a network:

  • Network Scanning
  • Password Cracking
  • Penetration Testing
  • Vulnerability Scanning
  • Social Engineering

Responding to Incidents

  • Assist in recovery of business operation while preserving attack evidence for forensics
  • Document details of incident
  • Prevent future incidents similar to one just experienced

Collecting Evidence

Equipment involved should be photographed or otherwise shown to be untampered with, to preserve the chain of evidence should a matter be brought to court. Disk storage should be saved (imaged) before being disconnected, etc


Disaster Recovery and Continuity of Business Planning


Risk assessment can determine the proper DR/ConOps strategy. The cost of maintaining DR should be weighed against the potential business loss of not having DR. Maximum Tolerable Downtime (MTD), Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are needed to determine the proper DR strategy

RTO: Number of hours/days needed to resume business
RPO: State of data restoration, i.e. the point in time to which data is restored relative to when the disaster occurred (e.g. 4 hours)


Thursday, April 2, 2015

CCNA Security: Network Security Concepts


Basic Network Security Objectives


  • Confidentiality
Data at rest should be protected by authentication to ensure sensitive information is restricted
Data in motion should be protected by encryption/isolation as it moves through the network

  • Integrity
Data integrity is concerned with making sure that only authorized sources are manipulating data

  • Availability
For systems and data, availability refers to the ability to access data by authorized users


Cost/Benefit Security Analysis

Risk management deals with identifying assets, threats/vulnerabilities and countermeasures that make sense commensurate with the value of the asset

Asset: Anything that has value to an organization such as property or data

Vulnerability: Exploitable weakness in a system or its design

Threat: Potential danger to an asset. An unrealized threat is a vulnerability that has not yet been exploited. A realized threat is a successful attack against an asset. An attacker is a threat agent or threat vector.

Risk: Potential for compromise/destruction/access to an asset

Countermeasure: Safeguard that mitigates risk by eliminating or reducing a vulnerability, or otherwise making the asset less vulnerable.


Thresholds apply to classification: generally a countermeasure or risk mitigation should not cost more than the value of the asset, except where government/financial regulations, etc. require otherwise


Classifying Assets


Assets can be classified so that policy can be developed on how to take action for certain classifications

Government Classifications
  • Unclassified
  • Sensitive But Unclassified
  • Confidential
  • Secret
  • Top Secret

Private Sector Classifications
  • Public
  • Confidential
  • Sensitive
  • Private

Classification Criteria
  • Value
  • Replacement Cost
  • Lifetime
  • Age


Classification Roles
  • Owner: Person or group ultimately responsible for the data
  • User: People who access the data and abide by the acceptable use policy
  • Custodian: Group responsible for implementing policy dictated by owner


Classifying Vulnerabilities

Potential Vulnerabilities

  • Policy Flaw
  • Misconfiguration
  • Protocol Weakness
  • Design Error
  • Software vulnerability
  • Malware
  • Hardware vulnerability
  • Human factor
  • Physical Access to Resources

Classifying Countermeasures


Control Methods to Implement Countermeasures

  • Administrative: Policy, procedure, change control
  • Physical: Locked doors, access badges, cameras, etc
  • Logical: Passwords, firewalls, VPN, IPS, access lists





Recognizing Current Network Threats


Potential Attackers

  • Terrorists
  • Hackers
  • Government Agencies
  • Competitors
  • Criminals
  • Nation-states
  • Disgruntled Employees
  • Anyone that can access a computer


Attack Methods

  • Reconnaissance: Discovery process used to find information about the network. Port scans, IP scans, etc
  • Social Engineering: User compromise, email, misdirection of web pages, phishing, pharming
  • Privilege Escalation: Escalating level of access beyond what is allowed by policy/role
  • Back Door: Application or user access left behind by an attacker to allow future access


Attack Vectors

Attacks can be launched from outside or inside the company, even by authorized users. Using ISE/NAC or 802.1X can help prevent authorized users from launching attacks internally

Man-in-the-Middle Attack


An attacker places itself between two devices that are communicating in order to perform reconnaissance or manipulate data as it moves between them. The main purpose is eavesdropping, so the attacker can see all traffic.


Layer 2 MITM Attacks
  • ARP Poisoning: Attacker spoofs the MAC address of the actual default gateway in order to become the gateway for the clients. Can be mitigated with Dynamic ARP Inspection (DAI)
  • Root Bridge Attack: Attacker connects a switch to the network with the intent of becoming the spanning-tree root bridge and forcing all traffic through that switch. Mitigated by Root Guard and BPDU Guard.


Layer 3 MITM Attacks
  • Rogue Router: Rogue router can inject routes with better metric to force routing to go through the rogue router. Mitigated by routing protocol authentication and only listening for routing protocols on specific interfaces
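The mitigations named in the two lists above (DAI, BPDU Guard, Root Guard, routing protocol authentication and passive interfaces), shown as an added Cisco IOS configuration example that is not part of the original post. VLAN 10, the interface numbering, the 192.0.2.x addressing and the key strings are assumed placeholder values.

```cisco
! --- Layer 2: ARP poisoning mitigation with Dynamic ARP Inspection (DAI) ---
! DAI validates ARP replies against the DHCP snooping binding table,
! so DHCP snooping must be enabled on the same VLAN first.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
interface GigabitEthernet0/1
 description Uplink to distribution (trusted: DHCP and ARP are not inspected here)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports stay untrusted (the default), so a client answering ARP
! for the gateway's IP with its own MAC is dropped and logged.
interface range GigabitEthernet0/2 - 23
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15
!
! --- Layer 2: Root bridge attack mitigation ---
! BPDU Guard err-disables any PortFast (end-host) port that receives a BPDU.
spanning-tree portfast bpduguard default
interface range GigabitEthernet0/2 - 23
 spanning-tree portfast
!
! Root Guard goes on a port facing a switch that must never become root;
! a superior BPDU puts the port into root-inconsistent state instead.
interface GigabitEthernet0/24
 description Downstream switch (must not become root)
 spanning-tree guard root
!
! --- Layer 3: Rogue router mitigation on the OSPF router ---
! Neighbors must present the shared MD5 key, and no adjacency can form on
! passive interfaces, so only the known transit link speaks OSPF.
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet0/0
 area 0 authentication message-digest
!
interface GigabitEthernet0/0
 ip ospf message-digest-key 1 md5 EXAMPLE_OSPF_KEY
!
! Verification (exec mode):
! show ip dhcp snooping binding
! show ip arp inspection vlan 10
! show spanning-tree summary
! show ip ospf interface brief
```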


Miscellaneous Attack Vectors

  • Covert Channels: Uses communications in unintended ways, such as tunnelling P2P file sharing inside of HTTP traffic, or a backdoor using ICMP to communicate with an attacker
  • Trust Exploitation: Attacker leverages an implied trust relationship to gain access, such as exploiting a DMZ server that can communicate to the inside in order to launch attacks internally
  • Password Attack: Brute force attacks to guess passwords, MITM or key logging software
  • BotNet: Infected computers that listen for command/control signals from an attacker, utilizing a backdoor channel to communicate
  • DoS and DDoS: Using a botnet to target a particular system in order to flood it with malicious traffic, with the intent to deny legitimate access


Applying Fundamental Security Principles to Network Design

Guidelines

  • Least Privilege: Minimal access to perform the function is assigned and no more
  • Defense in Depth: Security is implemented in multiple places on the network, such as a firewall with an IPS, host-based firewall, etc
  • Separation of Duty: Specific individuals are placed into specific roles, which allows checks and balances regarding implementation of security policy
  • Auditing: Keeping records of what is occurring on the network using things like AAA and syslogs, logs can be reviewed to check access and events
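The guidelines above (least privilege, auditing with AAA and syslog) together with the 802.1X/NAC mitigation mentioned under Attack Vectors, as an added Cisco IOS switch configuration example that is not from the original post. The account names, the RADIUS server and syslog collector addresses (192.0.2.x), the key strings and the interface range are assumed placeholders.

```cisco
! --- Least privilege: separate read-only operator and full admin accounts ---
! Privilege 1 gets the default show commands only; privilege 15 can configure.
! Local accounts are the fallback used only if the RADIUS server is unreachable.
username netops privilege 1 secret EXAMPLE_OPERATOR_PW
username netadmin privilege 15 secret EXAMPLE_ADMIN_PW
!
! --- AAA: central authentication and accounting (the audit trail) ---
aaa new-model
radius server NAC-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key EXAMPLE_RADIUS_KEY
aaa group server radius NAC-GROUP
 server name NAC-RADIUS
aaa authentication login default group NAC-GROUP local
aaa authentication dot1x default group NAC-GROUP
aaa authorization network default group NAC-GROUP
! start-stop records every EXEC session to the RADIUS server, so who logged
! in and for how long is recorded off-box where the reviewer (separation of
! duty) can check it.
aaa accounting exec default start-stop group NAC-GROUP
!
! --- Auditing: timestamped syslog to a collector plus config-change logging ---
service timestamps log datetime msec localtime show-timezone
logging host 192.0.2.20
logging trap informational
login on-failure log
login on-success log
archive
 log config
  logging enable
  notify syslog contenttype plaintext
  hidekeys
!
! --- 802.1X (NAC) on access ports: no traffic until the user authenticates ---
dot1x system-auth-control
interface range GigabitEthernet0/2 - 23
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
! Verification (exec mode):
! show privilege
! show dot1x all summary
! show archive log config all
! show logging
```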