Module 3: Mitigating Threats
3.1 Defending the Network
3.1.1 Network Security Professionals
Roles
CIO, CISO, SecOps Manager, CSO, Security Manager, Network Security Engineer
Responsibilities:
Stay Updated on Threats
Security websites, blogs, and podcasts
Real-time feeds
Continuous Skill Improvement
Training and workshops
Security organizations
Career Demand: High demand due to sophisticated hacker tools and legislation
3.1.2 Network Intelligence Communities
SANS
MITRE
FIRST
SecurityNewsWire
Staying Informed:
Latest threats and vulnerabilities
Security-related updates
3.1.3 Network Security Certifications
Certifying Organizations:
GIAC
ISC2
ISACA
EC-Council
CWSP
Cisco Certifications:
Specializations:
300-710 SNCF
300-715 SISE
300-720 SESA
300-725 SWSA
300-730 SVPN
300-735 SAUTO
3.1.4 Communications Security - CIA
Confidentiality
Access control to sensitive information
Integrity
Protection from unauthorized data alteration
Availability
Uninterrupted access to resources and data
Cryptography
Encryption of data communications (e.g., IP phone conversations, files)
Trend towards all communication being encrypted
3.2 Network Security Policies
3.2.1 Network Security Domains
Information Security Policies
Organization of Information Security
Human Resources Security
Asset Management
Access Control
Cryptography
Physical and Environmental Security
Operations Security
Communications Security
System Acquisition, Development, and Maintenance
Supplier Relationships
Information Security Incident Management
Business Continuity Management
Compliance
3.2.2 Business Policies
Company policies
Employee policies
Security policies
3.2.3 Security Policy
Password protected access
Manually control wireless connectivity
Keep updated
Back up data
Enable "Find my Device"
Provide antivirus software
Use Mobile Device Management (MDM) software
BYOD security policy
Specify the goals of the BYOD program.
Identify which employees can bring their own devices.
Identify which devices will be supported.
Identify the level of access employees are granted when using personal devices.
Describe the rights to access and activities permitted to security personnel on the device.
Identify which regulations must be adhered to when using employee devices.
Identify safeguards to put in place if a device is compromised.
3.2.5 Regulatory and Standards Compliance
External Regulations:
Govern network security for INFOSEC professionals.
Include laws and codes of ethics.
Organizational Responsibility:
Develop and implement security policies.
Compliance Regulations:
Define responsibilities and liability based on:
Type of organization.
Type of data handled.
3.3 Security Tools, Platforms, and Services
3.3.1 The Security Onion and The Security Artichoke
Security Onion
Defense-in-Depth
Strategy: Multiple layers of protection to safeguard data.
Each layer represents a barrier the attacker must overcome.
Onion Layers
Outer Layer:
Firewalls
Perimeter security
Inner Layers:
Internal network security
Security of internal devices (servers, computers)
Core (the "heart"):
Critical data or systems protected at the center.
Security Artichoke
Borderless Networks
Changes in network architecture:
Use of mobile devices, IoT, and distributed systems.
Artichoke Leaves
Each leaf represents:
Individual devices (e.g., mobile devices, laptops, IoT)
Less protected systems (e.g., cloud applications)
Each leaf may contain or expose sensitive data.
Attack Process
Selective Attack:
Attackers only need to compromise certain “leaves.”
Not every layer of defense needs to be removed
Vulnerabilities
Mobile devices are more vulnerable than internal servers.
Hackers can find gaps in the perimeter to access the core (the "heart").
3.3.2 Security Testing Tools
Password Crackers
Wireless hacking tools
Network scanning and hacking tools
Packet crafting tools
Packet Sniffers
Rootkit detectors
Fuzzers to search vulnerabilities
Forensic tools
Debuggers
Hacking Operating Systems
Vulnerability exploitation tools
Vulnerability Scanners
3.3.3 Data Security Platforms
Data Security Platforms (DSP)
Definition: Integrated security solutions that combine traditionally independent tools into one suite that works together
Challenges in Integration
Tools from different vendors
Difficulty in creating a single view of network security
Resources required to integrate various devices and software
Benefits of DSP
Unified network view
Integrated protection and monitoring
Examples of DSP
Features:
Event management
Network behavior analytics
Advanced threat detection
Security orchestration, automation, and response (SOAR)
Relies on:
Mandiant threat intelligence
Incident response
Security expertise
Cisco SecureX
Features:
Unified visibility
Automation
Stronger defenses
Integrates:
Third-party security tools
Next-generation firewalls
VPN, network analytics, identity services engine, advanced malware protection (AMP)
Secures network, users, endpoints, applications, and cloud
3.3.5 Security Services
Threat Intelligence Services
Automatic distribution of firewall rules and IOCs.
Sharing threat information (vulnerabilities, IOCs, mitigation techniques).
Example: Cisco Talos Threat Intelligence Group.
Protects users, data, and infrastructure from active threats.
Collects information on existing, active, and emerging threats.
Maintains security detection rules for tools like Snort, ClamAV, and SpamCop.
Security Products Connected to Threat Intelligence
Real-time intelligence used for fast and effective protection.
Cisco Talos:
Provides free software, services, resources, and data.
Managed Security Services
Managed Service Providers:
Cisco
Sentinel Intrusion Prevention Systems
IBM
AT&T
Core Security
SECaaS (Security as a Service)
Wide range of managed network security services.
3.4 Mitigating Common Network Attacks
3.4.1 Defending the Network
Best practices for securing a network
Develop a written security policy for the company.
Educate employees about the risks of social engineering, and develop strategies to validate identities over the phone, via email, or in person.
Control physical access to systems.
Use strong passwords and change them often.
Encrypt and password-protect sensitive data.
Implement security hardware and software such as firewalls, IPSs, virtual private network (VPN) devices, antivirus software, and content filtering.
Perform backups and test the backed-up files on a regular basis.
Shut down unnecessary services and ports.
Keep patches up-to-date by installing them weekly or daily, if possible, to prevent buffer overflow and privilege escalation attacks.
Perform security audits to test the network.
Antivirus Software
Benefits
Detects and removes viruses and trojans.
Automatic definition updates.
Reduces cleanup time.
Recommendations
Keep software and definitions up-to-date.
Implement on desktops, laptops, and servers.
Network Security
Methods
Security devices at the network perimeter.
Identify malware based on indicators of compromise.
Limitations
Malware can evade detection by modification.
Mitigation techniques are not 100% effective.
Security Policy
Purpose
Formalize update and maintenance practices.
Aspects
Automatic antivirus updates.
Continuous monitoring of new threats.
3.4.3 Mitigating Worms
Containment
Inoculation
Quarantine
Treatment
3.4.4 Mitigating Reconnaissance Attacks
Reconnaissance attacks can be mitigated in several ways, including the following:
Implementing authentication to ensure proper access.
Using encryption to render packet sniffer attacks useless.
Using anti-sniffer tools to detect packet sniffer attacks.
Implementing a switched infrastructure.
Using a firewall and IPS.
Reconnaissance Attack Mitigation Techniques
3.4.5 Mitigating Access Attacks
Strong Authentication Policies
Use Strong Passwords
At least 8 characters
Includes uppercase letters, lowercase letters, numbers, special characters
Principle of Minimum Trust
Systems should not trust one another unnecessarily
Example: Trusted servers should not trust untrusted devices unconditionally
Cryptography
Encryption for Remote Access
Protects data during transmission
Encrypt Routing Protocol Traffic
Reduces opportunities for man-in-the-middle attacks
Encrypted/Hashed Authentication Protocols
Enhances security by reducing the probability of successful attacks
Educate Employees
Risks of social engineering
Strategies to validate identities (phone, email, in-person)
Multifactor Authentication (MFA)
Tokens for one-time use
Example: Password + code sent via text
Network Security Policy
Formal maintenance of logs
Regular log reviews to identify suspicious activities
3.5 Cisco Network Foundation Protection Framework
Cisco NFP Framework
Provides guidelines to protect network infrastructure.
Divides routers and switches into three functional areas:
Control Plane
Management Plane
Data Plane
Control Plane
Responsible for routing data within the network.
Security implementation:
Routing Protocol Authentication (prevents fraudulent routing updates).
Control Plane Policing (CoPP) (controls traffic flow to the route processor).
AutoSecure (locks down management plane functions and forwarding services).
Management Plane
Responsible for managing network elements.
Traffic can be OOB (out-of-band) or in-band.
Security features:
Login and Password Policies.
Legal Notifications.
Confidentiality of Data.
Role-Based Access Control (RBAC).
Management Access Reporting.
Data Plane
Responsible for forwarding user-generated data.
Security implementation:
Access Control Lists (ACLs) (filter traffic).
Antispoofing Mechanisms.
uRPF (complements antispoofing strategy).
Layer 2 Security Tools (Port Security, DHCP Snooping, DAI, IPSG).
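Added example (not from these notes or from Cisco's course material): one way the NFP controls listed above, together with the encrypted routing-protocol traffic and log-maintenance recommendations under 3.4.5, look as an IOS configuration. Interface names, VLAN 10, the ACL and policy names, the 192.0.2.50 syslog address and the PLACEHOLDER secrets are assumptions; the Layer 2 commands belong on an access switch and are shown next to the router commands only for brevity.

```cisco
! Control plane: authenticate OSPF neighbours and rate-limit traffic to the route processor (CoPP)
interface GigabitEthernet0/1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 OSPF-KEY-PLACEHOLDER
!
ip access-list extended COPP-ICMP
 permit icmp any any
class-map match-all COPP-ICMP-CLASS
 match access-group name COPP-ICMP
policy-map COPP-POLICY
 class COPP-ICMP-CLASS
  police 8000 1500 conform-action transmit exceed-action drop
control-plane
 service-policy input COPP-POLICY
!
! Management plane: login policy, legal notice, RBAC via local privilege level, SSH only, access reporting
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
banner login ^CAuthorized access only. Activity is monitored.^C
username netadmin privilege 15 secret ADMIN-SECRET-PLACEHOLDER
line vty 0 4
 transport input ssh
 login local
 exec-timeout 5 0
logging host 192.0.2.50
!
! Data plane: drop RFC 1918 sources at the edge (antispoofing ACL), then check source reachability (uRPF)
ip access-list extended EDGE-IN
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
interface GigabitEthernet0/0
 ip access-group EDGE-IN in
 ip verify unicast source reachable-via rx
!
! Data plane, Layer 2 (access switch): DHCP snooping builds the binding table that DAI and IPSG check against
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ip verify source
```

The uplink toward the DHCP server must be marked with `ip dhcp snooping trust` and `ip arp inspection trust`, otherwise legitimate DHCP offers and ARP replies are dropped. The OSPF key and MD5 must match on every neighbour on that segment or the adjacency will not form.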
Core Exam: Implementing and Operating Cisco Security Core Technologies (350-701 SCOR)