Monday, April 6, 2015

CCNA Security: Security Policy Using a Life Cycle Approach

Risk Analysis and Management

Secure Network Life Cycle

  • Initiation: Preliminary risk assessments and categorization
  • Acquisition/Development: Detailed risk assessment, acquiring countermeasures to reduce risk, testing countermeasures
  • Implementation: Where countermeasures are deployed into a production network
  • Operations/Maintenance: Monitoring and incident handling of network security devices
  • Disposition: Disposing of network equipment, including wiping/sanitizing

Risk Analysis Methods

  • Qualitative: Data is gathered by an individual subject matter expert on the asset who can speak to its value and vulnerability
  • Quantitative: Numbers and statistics determine risk

Using both methods yields a risk score that allows companies to justify the cost of risk mitigation techniques

Security Posture Assessment

  • General Assessment: High-level idea about security state of network devices with intent to identify vulnerabilities
  • Internal Assessment: Identify how well protected the network is from internal attack
  • External Assessment: Assess security risks from devices that connect from the outside of the network
  • Wireless Assessment: Identifies vulnerabilities and weaknesses associated with wireless implementation, such as AP range allowing external access from outside the building
  • Analysis/Documentation: Report combining details about vulnerabilities that may exist following security assessments and recommended solutions to mitigate attack

One Approach to Risk Management

When determining risk score of an asset, consider:
  • Asset Value
  • Vulnerabilities
  • Compliance Issues
  • Potential Threats
  • Business Needs

For new assets for which risk has not been identified, a qualitative/quantitative risk assessment should be performed, appropriate mitigation measures taken (transfer, acceptance, or reduction of risk with countermeasures), and the risk should then be monitored

Regulatory Compliance Risk

The impact of not complying with local/state/federal compliance rules should be considered as part of the risk assessment

Security Policy

Executive senior management is ultimately responsible for data; data governance policy, such as an Acceptable Use Policy, must be created at a high level by executive senior management

Security policies have risk management as a primary aspect and should include an overview of the policy and what it does and does not cover (the scope of the policy)

Security policies exist to educate users about what the company policy is in terms of the security measures that need to be followed/enforced

Specific Types of Policy

  • Guideline: AUP, audit policy, password policy, etc
  • Email: Spam / Forwarding policies, etc
  • Remote Access: VPN access, minimum requirements for remote access such as virus scanning, etc
  • Telephony: Acceptable use of phone services
  • Network: Standards for access over wired or wireless, minimum requirements for PCs connecting to network, etc
  • Application: Minimum security features needed in applications, restrictions on what end users can install and run on company computers
  • Standard: Specifies the use of specific technologies as countermeasures
  • Procedures: Document encompassing standards and guidelines for implementing security for the network; allows consistency in the implementation of security
  • Guidelines: Best practices and suggestions, used in place of firm direction in order to determine the best course
  • Policies: High-level documents that define strategic objectives of security, not technical in nature

Testing Security

Several techniques used to test security of a network:

  • Network Scanning
  • Password Cracking
  • Penetration Testing
  • Vulnerability Scanning
  • Social Engineering

Responding to Incidents

  • Assist in recovery of business operation while preserving attack evidence for forensics
  • Document details of incident
  • Prevent future incidents similar to one just experienced

Collecting Evidence

Equipment involved should be photographed or otherwise shown to be untampered with, to preserve the chain of evidence should a matter be brought to court. Disk storage should be saved before being disconnected, etc.

Disaster Recovery and Continuity of Business Planning

Risk assessment can determine the proper DR/ConOps strategy. The cost of maintaining DR should be weighed against the potential business loss of not having DR. Maximum Tolerable Downtime (MTD), Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are needed to determine the proper DR strategy

RTO: Number of hours/days needed to resume business
RPO: State of data restoration, i.e., restoring to 4 hours after the disaster occurred
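As an added illustration (not part of the original notes), a small Python model that checks candidate DR strategies against MTD/RTO/RPO and weighs each strategy's cost against its expected residual loss. The linear loss model, the strategy names and all figures are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DrRequirements:
    """Targets from the business impact analysis, all in hours."""
    mtd: float  # Maximum Tolerable Downtime
    rto: float  # Recovery Time Objective: time until business resumes
    rpo: float  # Recovery Point Objective: acceptable data-loss window

@dataclass(frozen=True)
class DrStrategy:
    name: str
    backup_interval: float  # hours between restore points == worst-case data loss
    restore_time: float     # hours from disaster to resumed operation
    annual_cost: float      # cost of maintaining this DR capability

def check_objectives(s: DrStrategy, req: DrRequirements) -> list[str]:
    """Return the objectives this strategy fails; an empty list means compliant."""
    gaps = []
    if req.rto > req.mtd:
        gaps.append("RTO exceeds MTD; requirements are inconsistent")
    if s.restore_time > req.rto:
        gaps.append(f"restore time {s.restore_time}h exceeds RTO {req.rto}h")
    if s.backup_interval > req.rpo:
        gaps.append(f"backup interval {s.backup_interval}h exceeds RPO {req.rpo}h")
    return gaps

def annual_exposure(s: DrStrategy, outages_per_year: float,
                    loss_per_hour_down: float, loss_per_hour_data: float) -> float:
    """DR cost plus expected residual loss (simplified linear model; an assumption)."""
    per_outage = (s.restore_time * loss_per_hour_down
                  + s.backup_interval * loss_per_hour_data)
    return s.annual_cost + outages_per_year * per_outage

def choose_strategy(strategies, req, outages_per_year, loss_down, loss_data):
    """Lowest total exposure among strategies that meet RTO/RPO/MTD, or None."""
    compliant = [s for s in strategies if not check_objectives(s, req)]
    if not compliant:
        return None
    return min(compliant, key=lambda s: annual_exposure(
        s, outages_per_year, loss_down, loss_data))

# Constructed sample figures (not from the original notes).
REQ = DrRequirements(mtd=24, rto=8, rpo=4)
STRATEGIES = [
    DrStrategy("nightly tape, rebuild on new hardware", 24, 48, 5_000),
    DrStrategy("4h snapshots, warm standby site", 4, 6, 60_000),
    DrStrategy("sync replication, hot site", 0, 1, 250_000),
]

if __name__ == "__main__":
    best = choose_strategy(STRATEGIES, REQ, 0.5, 20_000, 5_000)
    print(best.name if best else "no compliant strategy")
```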
