Network Bulls
www.networkbulls.com
Basics
The first thing that must be clear when studying for any security exam is the basics of what network
security is about. There are three main goals which are defined to achieve network security:
Confidentiality – In order to achieve confidentiality, the data being held or transferred
is kept private.
Integrity – In order to achieve integrity, the data must be ensured to be unmodified.
Availability – In order to achieve availability, data must remain accessible to anyone trying to
access it.
Classification
Organizations can benefit from structuring their own data classification model after pre-existing models.
There are two main classification models which are used to classify data:
Government and Military Model
Organizational Model
Government and Military Model
The following classifications are used by both the government and the military:
Unclassified – Data which has few or no privacy requirements.
Sensitive but unclassified – Data which could be embarrassing but is not a security threat.
Confidential – Data which has a reasonable probability of causing damage if disclosed.
Secret – Data which has a reasonable probability of causing serious damage if disclosed.
Top-Secret – Data which has a reasonable probability of causing exceptionally grave
damage if disclosed.
Organizational Model
The following classifications are used by private organizations:
Public – Data which can be made available.
Sensitive – Data which could be embarrassing but is not a security threat.
Private – Data which should be kept secret inside the organization.
Confidential – Data which is sensitive and should be kept secret inside the organization.
Roles
Members of an organization assume a number of different roles as they relate to security, including:
Owner – The owner initially determines the classification levels of the data and reviews the
procedures for classifying data. The owner then passes responsibility for data protection
to the custodian.
Custodian – The custodian takes care of the data, including the backup and restoration of data
and the verification of data integrity. The custodian is also responsible for following policy in
maintaining data.
User – The user accesses and uses the data per policy guidelines and takes measures to protect
the data according to the security policy established by the owner and maintained
by the custodian.
Security Controls
There are a number of controls which can be implemented to maintain a secure solution. These are split
into three types, including:
Administrative Controls – These controls are policy-centric and include clear security policies
and good security awareness training.
Physical Controls – These controls maintain a secure environment and prevent
potential physical attacks.
Technical Controls – These controls include both hardware and software solutions which are
implemented to protect data. This is the type of control which is the focus of this exam.
Control Classification
Each of the three different security control types can be further classified into one of three types:
Preventive – This type attempts to prevent access to data or systems which contain data.
Deterrent – This type attempts to prevent data access by discouraging a potential attacker from
launching the attack.
Detective – This type attempts to detect when either the data is accessed or when the system
containing the data is accessed.
Law
In most countries legal issues are separated into three major categories, including:
Criminal Law – Criminal law involves crimes which have been committed that may result in fines
and/or imprisonment.
Civil Law – Civil law involves wrongs which have been committed which are not
considered crimes but may involve consequences including paying damages or a cease-and-desist
order against the offending activity.
Administrative Law – Administrative law involves the enforcement of regulations by the
government agencies.
Attack Categories
Attacks can be categorized into five broad categories, including:
Passive Attacks – This type of attack happens when the attacker passively listens to traffic and/or
tries to decrypt captured packets. These are very hard to detect.
Active Attacks – This type of attack happens when the attacker is actively sending traffic toward
the network in an attempt to access unauthorized data. This type of attack is easy to detect.
Close-In Attacks – This type of attack involves an attacker who is physically close to the target data
equipment. The attacker can then take advantage of attack types which require physical access.
Insider Attacks – This type of attack involves an attacker who is a legitimate user who tries to
access unauthorized data.
Distribution Attacks – This type of attack happens before equipment is distributed and
involves the introduction of “back doors” which are taken advantage of once the equipment
is at its destination.
IP Spoofing Attacks
The concept of IP spoofing is simple; it involves the faking of an IP address as being trusted by the target
network. Obviously if an attacker is able to make the target system believe that they are coming from
a trusted IP then attacks become easier as external attack prevention is circumvented. There are two
different types of IP spoofing attacks which include:
Nonblind spoofing – This type is an attack from the same IP subnet as the target, allowing packet
capture tools to be used.
Blind Spoofing – This type is an attack not from the same subnet. Often IP source routing is used
when performing a blind spoofing attack.
IP Source Routing
IP source routing allows the attacking machine to specify the exact path an IP packet takes, and hence the path its replies follow.
There are two different types of IP source routing which can be used, including:
Loose – A source route which is loosely followed as the routing equipment can change
the path used.
Strict – A source route which is strictly followed by using the exact sequence of hops specified.
Prevention
There are three main ways used to prevent IP spoofing attacks, including:
Access Control Lists (ACL) – ACLs can be used to prevent internal IP addresses from being used
from an external interface. Internal traffic destined for external interfaces should be checked to
ensure that the address being used is sourced from an internal IP address range.
Link encryption – The use of link encryption prevents the attacker from capturing and reading
packets to obtain useful data.
Cryptographic authentication – If the parties involved in exchanging data are both
authenticated to ensure identity, then an attack is highly unlikely.
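The ACL-based ingress and egress anti-spoofing checks described above, written here as an added Python example that is not from the original page or from Cisco: the internal prefixes, interface names and sample packets are constructed, and the rule evaluation mirrors Cisco IOS first-match semantics with an implicit deny at the end.

```python
import ipaddress

# Constructed: address ranges that belong to the inside network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

def _is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def _is_bogon(ip):
    # Sources that must never arrive from outside: loopback, multicast, 0.0.0.0
    return ip.is_loopback or ip.is_multicast or ip.is_unspecified

# Rules are (action, source_predicate, reason), evaluated in order, first
# match wins, implicit deny at the end (IOS extended-ACL semantics).
# Inbound on the external interface: internal or bogon sources are spoofed.
INBOUND_ACL = [
    ("deny", _is_internal, "spoofed internal source on external interface"),
    ("deny", _is_bogon, "bogon source"),
    ("permit", lambda ip: True, "permitted"),
]

# Outbound toward the external interface: only internal sources may leave.
OUTBOUND_ACL = [
    ("permit", _is_internal, "permitted"),
    ("deny", lambda ip: True, "source is not from an internal range"),
]

def evaluate(acl, packet):
    """Return (action, reason) for a packet dict carrying a 'src' address."""
    src = ipaddress.ip_address(packet["src"])
    for action, predicate, reason in acl:
        if predicate(src):
            return action, reason
    return "deny", "implicit deny"

def filter_packets(packets):
    """Apply INBOUND_ACL on the 'outside' interface and OUTBOUND_ACL on the
    'inside' interface; return a list of (packet, action, reason)."""
    results = []
    for pkt in packets:
        acl = INBOUND_ACL if pkt["iface"] == "outside" else OUTBOUND_ACL
        action, reason = evaluate(acl, pkt)
        results.append((pkt, action, reason))
    return results

# Constructed sample traffic: legitimate inbound, inbound claiming an
# internal source, legitimate outbound, outbound with a forged source.
SAMPLE_PACKETS = [
    {"iface": "outside", "src": "203.0.113.7", "dst": "10.0.0.5"},
    {"iface": "outside", "src": "10.0.0.9", "dst": "10.0.0.5"},
    {"iface": "inside", "src": "192.168.1.20", "dst": "198.51.100.1"},
    {"iface": "inside", "src": "198.51.100.99", "dst": "198.51.100.1"},
]

if __name__ == "__main__":
    for pkt, action, reason in filter_packets(SAMPLE_PACKETS):
        print(f"{pkt['iface']:7} src={pkt['src']:15} {action:6} ({reason})")
```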
Confidentiality Attacks
There are a number of different attack strategies which can be used to affect the confidentiality of data.
These include:
Packet Capture – This is a simple strategy: capture target traffic in order to obtain information
that could be used to affect the confidentiality of the target data.
Ping Sweeps and Port Scans – These techniques can be used to map out a target’s network and
to figure out what services are being run on these machines. Ping sweeps are used to identify
devices and port scans are used to verify active TCP/UDP ports.
Dumpster Diving – This involves sifting through the target's trash in order to find
confidential data.
Electromagnetic Interference (EMI) Interception – This involves the capture of data by utilizing the
EMI which is a side effect of transmission over wire media.
Wiretapping – This involves the capture of data through a physical tap of target wiring systems.
Social Engineering – This involves the use of non-technical social techniques to obtain
confidential data from unknowing individuals.
Sending Information over Overt Channels – This involves the sending of data over a primary
channel but obscured in some way; techniques include tunneling of data and steganography.
Sending Information over Covert Channels – This involves the sending of data over a secondary
non-obvious channel.
Integrity Attacks
Integrity attacks focus on trying to change the data that is being sent in a way that is not noticed.
There are a number of different types of integrity attacks including:
Salami Attack – A collection of small attacks that result in a larger attack.
Data Diddling – The process of changing data before it is stored on a computing system.
Trust Relationship Exploitation – Involves the exploitation of a device which has a trust
relationship with the target.
Password Attacks – Includes a number of different password exploitation attacks including
Trojan horse programs, packet capture, keylogger programs, brute force, and dictionary attacks.
Botnet – Involves the infection of remote machines that become drones or “robots” which can be
used to source an attack. These “robots” are controlled remotely and focused on the target.
Hijacking Sessions – Involves the hijacking of an already initiated user session; this way, the
target still believes that the attacker is a legitimate user.
Availability Attacks
Availability attacks focus on affecting the availability of the target system. There are a number of different
attacks which can be used to affect availability including:
Denial of Service (DoS) – A Denial of Service attack involves the transmission of a large amount of
data (flood) and/or requests which is used to consume the resources of the target system.
Distributed Denial of Service (DDoS) – A Distributed Denial of Service attack involves the
same techniques of a normal DoS attack but from multiple sources. These sources are typically
compromised systems which are used to direct multiple flows of traffic at the target.
TCP SYN Flood – A TCP SYN flood involves the attack of a target system by attempting to
consume the available TCP sessions on the target device. This is accomplished by
beginning but never completing the TCP three-way handshake with the target device.
ICMP Attacks – There are a number of different ways to utilize ICMP in an attack. These attacks
are typically DoS in nature.
Electrical Disturbances – As all computing devices require an electrical source, the effect of
many different electrical problems can affect availability. These include spikes, surges, blackouts,
and brownouts, among others. These types of attacks can be mitigated through the use of
uninterruptable power supplies, power conditioners, and generators.
Physical Environment Attacks – Availability can also be affected by altering the physical
environment. This includes changes in temperature, humidity and gas. The easiest
way to mitigate these types of attack is to control the physical security of the environment.
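One way to spot the half-open connections a SYN flood leaves behind, as an added Python example that is not part of the original page: it tallies embryonic (SYN_RECV) connections per local port and per peer over a constructed connection-table sample, and the alert thresholds are assumptions chosen for that sample.

```python
from collections import Counter

# Constructed sample of a connection table (netstat-style columns:
# proto, local address, foreign address, state). Most entries are
# half-open (SYN_RECV) connections from one source toward port 80,
# which is the footprint a SYN flood leaves on the target.
CONN_TABLE = """\
tcp 10.0.0.5:80 203.0.113.9:40001 SYN_RECV
tcp 10.0.0.5:80 203.0.113.9:40002 SYN_RECV
tcp 10.0.0.5:80 203.0.113.9:40003 SYN_RECV
tcp 10.0.0.5:80 203.0.113.9:40004 SYN_RECV
tcp 10.0.0.5:80 203.0.113.9:40005 SYN_RECV
tcp 10.0.0.5:80 198.51.100.4:51000 ESTABLISHED
tcp 10.0.0.5:22 198.51.100.4:51001 ESTABLISHED
tcp 10.0.0.5:80 192.0.2.77:33333 SYN_RECV
"""

def parse_table(text):
    """Parse 'proto local foreign state' lines into dicts; skip malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "tcp":
            continue
        _proto, local, foreign, state = parts
        entries.append({
            "local_port": int(local.rsplit(":", 1)[1]),
            "peer_ip": foreign.rsplit(":", 1)[0],
            "state": state,
        })
    return entries

def half_open_summary(entries):
    """Count embryonic (SYN_RECV) connections per local port and per peer."""
    half_open = [e for e in entries if e["state"] == "SYN_RECV"]
    per_port = Counter(e["local_port"] for e in half_open)
    per_peer = Counter(e["peer_ip"] for e in half_open)
    return per_port, per_peer

def detect_syn_flood(entries, port_threshold=4, peer_threshold=3):
    """Return alerts for ports and peers whose half-open count reaches the
    threshold. Thresholds are assumptions for this small sample; in practice
    they are tuned to the service's normal listen backlog."""
    per_port, per_peer = half_open_summary(entries)
    alerts = [("port", port, n) for port, n in per_port.items()
              if n >= port_threshold]
    alerts += [("peer", peer, n) for peer, n in per_peer.items()
               if n >= peer_threshold]
    return alerts

if __name__ == "__main__":
    for kind, key, n in detect_syn_flood(parse_table(CONN_TABLE)):
        print(f"SYN flood indicator: {kind} {key} has {n} half-open connections")
```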
System Development Life Cycle (SDLC)
A network as a whole is in constant motion; the different network hardware and software components
follow a lifecycle that gives them a useful working lifetime and a defined point at which they are
retired. The SDLC describes this cycle in five phases:
Initiation
Security Categorization – Categorizes the severity of a security breach on a specific network
component. These devices are typically placed into high, medium and low risk categories.
Preliminary Risk Assessment – Provides a high-level overview of a
system’s security requirements.
Acquisition and Development
Risk Assessment – Specifies the initial protection requirements.
Security Functional Requirement Analysis – Identifies what is required to properly secure a
system so it can function in its intended capacity.
Security Assurance Requirements Analysis – Provides evidence that the network resource in
question will be protected at a desired level.
Cost Considerations and Reporting – Details the costs of securing a system.
Security Planning – Details what security controls are to be used.
Security Control Development – Details how the already determined security controls are
to be designed, developed, and implemented.
Development Security Test and Evaluation – Validates the operation of the implemented
security controls.
Implementation
Inspection and Acceptance – The installation of a system and its functional
requirements are verified.
System Integration – The system is integrated with all required components and
operation is verified.
Security Certification – The operation of security controls is verified.
Security Accreditation – The system is given administrative authorization to process, store
and/or transmit specific data.
Operations and Maintenance
Configuration Management and Control – Before any configuration change is made, its
impact on other parts of the network is analyzed.
Continuous Monitoring – After a security solution is implemented it should be routinely
monitored and tested to validate operation.
Disposition
Information Preservation – Any information which is required to be stored should be
archived to a modern storage technology to ensure data availability.
Media Sanitization – Storage media that is being disposed of should be sanitized so that the
data is not retrievable.
Hardware and Software Disposal – The disposal of both hardware and software should be
done through a formal procedure which provides for protection against malicious activities.
Backup Sites
Backup sites are used to provide redundancy or high availability to critical data. Below are the different
types of backup sites used today:
Hot sites are ready-to-run, dedicated sites that have equipment, software, and real-time data in
place. These sites are used to provide highly available data with little to no downtime.
These sites are the most expensive type of disaster recovery arrangement.
They are generally used by organizations in extremely data-sensitive industries, such as
financial services, public safety, and healthcare.
Warm sites provide all of the equipment and environmental controls necessary to restore
operations but do not have applications installed or data restored.
These sites take longer to activate than hot sites but are typically much less expensive.
They may be shared by multiple organizations.
Cold sites are buildings with proper infrastructure to support computing operations (i.e., power,
environmental controls, etc.) but without any computer equipment, data, or software in place.
These sites are the cheapest alternative.
They take a very long time to bring to an operational state.
They are useful only in disasters that last for an extended period of time.
Hot sites, warm sites, and cold sites may be either owned and operated by the organization that
they serve, or by a subscription service that keeps the facilities available for its clients.
Security Policy
The development of a comprehensive security policy is important for the network security of an
organization. It is a constantly changing document that sets up guidelines for network use. The main
purpose of this policy is to protect corporate assets but it also should be designed to educate users and
describe a baseline for security monitoring.
One major part of the security policy is the establishment of an Acceptable Use Policy (AUP). The AUP
identifies what users of a network are and are not allowed to do on and with the network.
Security Policy Components
There are four main components that should be part of the security policy:
Governing Policy – This is a high-level policy which addresses important security concepts and is
primarily targeted at managerial and technical employees.
Technical Policies – These policies are used to provide a much higher level of detail of the
organization’s security policy.
End-User Policies – These policies are intended to address security issues and procedures
which are relevant to end users.
Standards, Guidelines and Procedures:
Standards – Define mandatory practices of network use.
Guidelines – Define a set of suggested practices of network use.
Procedures – Detailed documents which are used to specify step-by-step instructions
for the completion of specific tasks.
Risk Analysis
Risk Analysis is defined as a method of analyzing the probability that a specific threat will occur and the
severity of consequences that it brings to the network. There are two different methods for analyzing risk:
Quantitative analysis – Uses mathematical models to forecast the probability and severity of risk.
In the following equations, you are calculating Single Loss Expectancy (SLE) and Annualized Loss
Expectancy (ALE) from the relationships between an asset's value (AV), its exposure factor
(EF) and, in the case of the ALE, an Annualized Rate of Occurrence (ARO):
SLE = AV * EF
ALE = AV * EF * ARO (equivalently, ALE = SLE * ARO)
AV = Asset Value
EF = Exposure Factor (the fraction of the asset's value lost in a single occurrence)
ARO = Annualized Rate of Occurrence (the expected number of occurrences per year)
Qualitative analysis – Uses behavioral models to estimate the probability that someone
would want to cause a risk and how determined they are to do so. This analysis method is more
useful when analyzing large networks.
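The SLE and ALE formulas above worked through in Python, as an added example that is not from the original page: the risk register values are constructed, and the safeguard_value function (ALE reduction minus the control's annual cost) is an extension beyond the page's two formulas that shows how ALE is used to rank risks and justify a control.

```python
# Constructed sample risk register: asset value (AV) in currency units,
# exposure factor (EF) as the fraction of AV lost per incident, and
# annualized rate of occurrence (ARO) as incidents per year.
RISK_REGISTER = [
    {"risk": "web server defacement", "AV": 50_000, "EF": 0.20, "ARO": 2.0},
    {"risk": "customer database theft", "AV": 400_000, "EF": 0.75, "ARO": 0.1},
    {"risk": "office flood", "AV": 200_000, "EF": 0.50, "ARO": 0.02},
]

def single_loss_expectancy(av, ef):
    """SLE = AV * EF: the loss expected from a single occurrence."""
    return av * ef

def annualized_loss_expectancy(av, ef, aro):
    """ALE = AV * EF * ARO, i.e. SLE * ARO: the loss expected per year."""
    return single_loss_expectancy(av, ef) * aro

def rank_risks(register):
    """Return (risk, SLE, ALE) tuples sorted by ALE, highest first, so the
    risks that cost the most per year are treated first."""
    rows = [(r["risk"],
             single_loss_expectancy(r["AV"], r["EF"]),
             annualized_loss_expectancy(r["AV"], r["EF"], r["ARO"]))
            for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)

def safeguard_value(ale_before, ale_after, annual_cost):
    """Annual value of a control = ALE reduction minus the control's annual
    cost (an extension beyond the page's formulas). A positive result means
    the control is expected to pay for itself."""
    return (ale_before - ale_after) - annual_cost

if __name__ == "__main__":
    for risk, sle, ale in rank_risks(RISK_REGISTER):
        print(f"{risk:25} SLE={sle:>10,.0f} ALE={ale:>10,.0f}")
    # Constructed: a control that cuts the defacement ARO from 2.0 to 0.25
    # and costs 4,000 per year.
    before = annualized_loss_expectancy(50_000, 0.20, 2.0)
    after = annualized_loss_expectancy(50_000, 0.20, 0.25)
    print("annual value of the control:", safeguard_value(before, after, 4_000))
```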
Risk Mitigation
Risk Management – Assumes that not all potential threats can be eliminated and attempts to
reduce anticipated damage from risk.
Risk Avoidance – Eliminates identified risks by not exposing a system to end users.
Security Awareness
User awareness is a big part of the security of a network. In order to make sure that a good security
awareness program is implemented, it is recommended that three different core components be fulfilled:
Awareness – If the end users of the network are aware of the different security threats which
exist, they will be more likely to notice when they are happening.
Training – A good training program creates end user competence and allows them to perform
specific tasks and serve in different security roles.
Education – A more comprehensive education program covers a broader range of
material.
Cisco Self-Defending Network
The concept behind a self-defending network is simple: have the network try to recognize threats in real
time and have it automatically adjust to deal with the specific threat. A part of this concept requires close
integration of individual network security products. Cisco's Self-Defending Network is a marketing term
that defines a collection of security best-practice solutions which identify and attempt to prevent
both current and emerging threats.
Core Characteristics
There are three core characteristics of the self-defending network:
Integrated – Security is built into the network instead of being added to an existing network.
Collaborative – Both IT personnel and security personnel work together on network operations.
Adaptive – Security solutions are designed to adapt to evolving threats.
Cisco Integrated Security Products
There are a number of different products that have been introduced by Cisco to provide security solutions.
Some of the major products which are currently in use include:
Cisco Router
Cisco ASA 5500 Series
Cisco PIX 500 Series
Cisco 4200 Series IPS
Cisco Security Agent
Cisco Security Access Control Server
Cisco Catalyst 6500 series switches
Cisco Router and Security Device Manager (SDM)
Cisco Security Monitoring, Analysis, and Response System (MARS)