CCNA Security: Security Policy Using a Life Cycle Approach
Risk Analysis and Management
Secure Network Life Cycle
- Initiation: Preliminary risk assessments and categorization
- Acquisition/Development: Detailed risk assessment, acquiring countermeasures to reduce risk, testing countermeasures
- Implementation: Where countermeasures are deployed into a production network
- Operations/Maintenance: Monitoring and incident handling of network security devices
- Disposition: Disposing of network equipment, including wiping/sanitizing
Risk Analysis Methods
- Qualitative: Data is gathered from an individual subject matter expert on the asset who can speak to its value and its vulnerabilities
- Quantitative: Numbers and statistics determine risk
Using both methods yields a risk score which allows companies to justify the cost of risk mitigation techniques
Security Posture Assessment
- General Assessment: High-level idea about security state of network devices with intent to identify vulnerabilities
- Internal Assessment: Identify how well protected the network is from internal attack
- External Assessment: Assess security risks from devices that connect from the outside of the network
- Wireless Assessment: Identifies vulnerabilities and weaknesses associated with wireless implementation, such as AP range allowing external access from outside the building
- Analysis/Documentation: Report combining details about vulnerabilities that may exist following security assessments and recommended solutions to mitigate attack
One Approach to Risk Management
When determining risk score of an asset, consider:
- Asset Value
- Vulnerabilities
- Compliance Issues
- Potential Threats
- Business Needs
For new assets for which risk has not been identified, a qualitative/quantitative risk assessment should be performed, appropriate mitigation measures taken (transfer, acceptance or reduction in risk with countermeasures), and then the risk should be monitored
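The risk score and countermeasure justification described above, worked through as an added example that is not part of the original notes. It assumes the standard quantitative risk-analysis formulas (SLE = asset value × exposure factor, ALE = SLE × ARO), which the notes do not spell out, and every figure in it is a constructed sample value.

```python
"""Quantitative risk scoring used to justify a countermeasure.

Formulas assumed here (standard quantitative risk analysis):
    SLE = asset value * exposure factor   (single loss expectancy)
    ALE = SLE * ARO                       (annualized loss expectancy)
A countermeasure is cost-justified when the ALE it removes exceeds its cost.
"""
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    value: float            # asset value in currency units
    exposure_factor: float  # fraction of value lost per incident (0..1)
    aro: float              # annualized rate of occurrence

@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    new_exposure_factor: float  # residual exposure after deployment
    new_aro: float              # residual occurrence rate after deployment

def sle(value: float, exposure_factor: float) -> float:
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return value * exposure_factor

def ale(asset: Asset) -> float:
    return sle(asset.value, asset.exposure_factor) * asset.aro

def countermeasure_value(asset: Asset, cm: Countermeasure) -> float:
    """Annual net benefit of cm on asset: ALE reduction minus its cost."""
    residual = Asset(asset.name, asset.value, cm.new_exposure_factor, cm.new_aro)
    return ale(asset) - ale(residual) - cm.annual_cost

def justified(asset: Asset, cm: Countermeasure) -> bool:
    return countermeasure_value(asset, cm) > 0

# Constructed sample: a customer database worth 500 000, half its value lost
# per breach, breaches expected once every two years (ARO 0.5).
DB = Asset("customer-db", 500_000.0, 0.5, 0.5)
# Constructed candidate: encryption at rest plus monitoring at 40 000/year,
# assumed to halve the exposure factor and cut breaches to once in 4 years.
ENCRYPT = Countermeasure("encryption+monitoring", 40_000.0, 0.25, 0.25)

if __name__ == "__main__":
    print(f"ALE before: {ale(DB):,.0f}")
    print(f"net benefit: {countermeasure_value(DB, ENCRYPT):,.0f}",
          "(justified)" if justified(DB, ENCRYPT) else "(not justified)")
```

Negative net benefit means the countermeasure costs more than the risk it removes, which is when transfer (insurance) or acceptance should be compared instead.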
Regulatory Compliance Risk
The impact of not complying with local/state/federal compliance rules should be considered as part of the risk assessment
Security Policy
Executive senior management is ultimately responsible for data; data governance policy, such as an Acceptable Use Policy, must therefore be created at a high level by executive senior management
Risk management is a primary aspect of security policies; a policy should include an overview of the policy and its scope, stating what it covers and does not cover
Security policies exist to educate users about what the company policy is in terms of the security measures that need to be followed/enforced
Specific Types of Policy
- Guideline: AUP, audit policy, password policy, etc
- Email: Spam / Forwarding policies, etc
- Remote Access: VPN access, minimum requirements for remote access such as virus scanning, etc
- Telephony: Acceptable use of phone services
- Network: Standards for access over wired or wireless, minimum requirements for PCs connecting to network, etc
- Application: Minimum security features needed in applications, restrictions on what end users can install and run on company computers
Standards/Procedures/Guidelines
- Standard: Specifies the use of specific technologies as countermeasures
- Procedures: Document encompassing standards and guidelines for implementing security for the network, allows consistency in implementation of security
- Guidelines: Best practices and suggestions, used where no firm direction exists in order to determine the best course of action
- Policies: High-level documents that define strategic objectives of security, not technical in nature
Testing Security
Several techniques used to test security of a network:
- Network Scanning
- Password Cracking
- Penetration Testing
- Vulnerability Scanning
- Social Engineering
Responding to Incidents
- Assist in recovery of business operation while preserving attack evidence for forensics
- Document details of incident
- Prevent future incidents similar to one just experienced
Collecting Evidence
Equipment involved should be photographed or otherwise shown to be untampered with to preserve the chain of evidence should the matter be brought to court. Disk storage should be saved before being disconnected, etc
Disaster Recovery and Continuity of Business Planning
Risk assessment can determine the proper DR/ConOps strategy. The cost of maintaining DR should be weighed against the potential business loss of not having DR. Maximum Tolerable Downtime (MTD), Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are needed to determine the proper DR strategy
RTO: Number of hours/days needed to resume business
RPO: The point in time to which data is restored, e.g. restoring data to its state as of 4 hours before the disaster occurred