Module 3. Mitigating Threats

Network Security Policies

3.4 Mitigating Common Network Attacks

Defending the network

Network Security Domains

It's a

Constant vigilance and ongoing education are required to defend your network against attack.

Practices for securing a network

It is vital for network security professionals to understand the reasons for network security. They must also be familiar with the organizational requirements for network security as embodied by the 14 network security domains.

Domains provide a framework for discussing network security and understanding the operational needs that should be addressed by each organization.

Control physical access to systems.

There are

14 network security domains specified by the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC). Described by ISO/IEC 27001, these 14 domains serve to organize, at a high level, the vast realm of information and activities under the umbrella of network security. These domains have some significant parallels with domains defined by the Certified Information Systems Security Professional (CISSP) certification.

Use strong passwords and change them often.

Domains are

Encrypt and password-protect sensitive data.

Implement security hardware and software such as firewalls, IPSs, virtual private network (VPN) devices, antivirus software, and content filtering.

Operations Security

Cryptography

Communications Security

Access Control

System Acquisition, Development, and Maintenance

Asset Management

Supplier Relationships

Human Resources Security

Information Security Incident Management

Organization of Information Security

Business Continuity Management

Information Security Policies

Compliance

Shut down unnecessary services and ports.

Perform security audits to test the network.

Keep patches up-to-date by installing them weekly or daily, if possible, to prevent buffer overflow and privilege escalation attacks.

Introduction

Perform backups and test the backed-up files on a regular basis.

Mitigating Malware

Why Should I Take this Module?

Malware, including viruses, worms, and Trojan horses, can cause serious problems on networks and end devices. Network administrators have several means of mitigating these attacks.

Defending the network is the job of a security professional. How can you stay informed of the current security climate? What organizations can help keep you informed of the latest risks and tools? What do onions and artichokes have to do with security?

One way of mitigating virus and Trojan horse attacks is antivirus software. Antivirus software helps prevent hosts from getting infected and spreading malicious code.

Antivirus software is the most widely deployed security product on the market today.

Defending the Network

Physical and Environmental Security

Another way to mitigate malware threats is to prevent malware files from entering the network at all. Security devices at the network perimeter can identify known malware files based on their indicators of compromise.

Network Security Professionals

Regulatory and Standards Compliance

Security Policies

Business Policies

BYOD Policies

Mitigating Worms

Worms are more network-based than viruses. Worm mitigation requires diligence and coordination on the part of network security professionals.

Four phases for worm mitigation

Network security professionals are responsible for maintaining data assurance for an organization and ensuring the integrity and confidentiality of information.

Are the

Guidelines that are developed by an organization to govern its actions. The policies define standards of correct behavior for the business and its employees. In networking, policies define the activities that are allowed on the network. This sets a baseline of acceptable use. If behavior that violates business policy is detected on the network, it is possible that a security breach has occurred.

  1. Containment

An organization may have several guiding policies, such as:

Employee policies

Security policies

Company polices

Security specialist job roles within an enterprise include:

Involves limiting the spread of a worm infection to areas of the network that are already affected.

Chief Information Officer (CIO)

Security Operations (SecOps)

Chief Information Security Officer (CISO)

  2. Inoculation

Chief Security Officer (CSO)

Runs parallel to or subsequent to the containment phase. During this phase, all uninfected systems are patched with the appropriate vendor patch.

Are used to

Inform users, staff, and managers of an organization’s requirements for protecting technology and information assets. A security policy also specifies the mechanisms that are needed to meet security requirements and provides a baseline from which to acquire, configure, and audit computer systems and networks for compliance.

Benefits:

Ensures consistency in system operations, software and hardware acquisition and use, and maintenance

Defines the legal consequences of violations

Sets the rules for expected behavior

Gives security staff the backing of management

Demonstrates an organization’s commitment to security

  3. Quarantine

Policies that may be included in a security policy:

Security Manager and Network Security Engineer.

Acceptable Use Policy

Remote access policy

Password policies

Network maintenance policy

Identification and authentication policy

Incident handling procedures

Involves tracking down and identifying infected machines within the contained areas and disconnecting, blocking or removing them.

Network Intelligence Communities

  4. Treatment

Involves actively disinfecting infected systems.

Explain tools and procedures to mitigate the effects of malware and common network attacks.

To effectively protect a network, security professionals must stay informed about threats and vulnerabilities as they evolve. There are many security organizations which provide network intelligence.

Mitigating Reconnaissance Attacks

Reconnaissance attacks are typically the precursor to other attacks that have the intent of gaining unauthorized access to a network or disrupting network functionality.

The important network security organizations are:

Mean

Bring Your Own Device

SysAdmin, Audit, Network, Security (SANS)

Mitre

This enables

Forum of Incident Response and Security Teams (FIRST)

Employees to use their own mobile devices to access company systems, software, networks, or information. BYOD provides several key benefits to enterprises, including increased productivity, reduced IT and operating costs, better mobility for employees, and greater appeal when it comes to hiring and retaining employees.


However, these benefits also bring an increased information security risk because BYOD can lead to data breaches and greater liability for the organization.

SecurityNewsWire

Can be mitigated in these ways:

International Information Systems Security Certification Consortium (ISC2)

CIS

Implementing authentication to ensure proper access.

A BYOD policy should be developed to accomplish the following:

Using encryption to render packet sniffer attacks useless.

Using anti-sniffer tools to detect packet sniffer attacks.

Identify the level of access employees are granted when using personal devices.

Describe the rights to access and activities permitted to security personnel on the device.

Identify which devices will be supported.

Identify which regulations must be adhered to when using employee devices.

Identify which employees can bring their own devices.

Identify safeguards to put in place if a device is compromised.

Implementing a switched infrastructure.

Using a firewall and IPS.

Specify the goals of the BYOD program.

Encryption is also effective for mitigating packet sniffer attacks.

Mitigating Access Attacks

Best practices to help mitigate BYOD vulnerabilities:

Back up data

Enable "Find my Device"

Manually control wireless connectivity

Provide antivirus software

Several techniques are available for mitigating access attacks:

Keep updated

Use Mobile Device Management (MDM) software

Use strong passwords - Strong passwords are at least eight characters and contain uppercase letters, lowercase letters, numbers, and special characters.

Password protected access

Disable accounts after a specified number of unsuccessful logins has occurred - This practice helps to prevent continuous password attempts.

Network Security Certifications

Obtaining recognized network security certifications greatly enhances your qualifications for these positions.

The network should also be designed using the principle of minimum trust.

There are also external regulations regarding network security. Network security professionals must be familiar with the laws and codes of ethics that are binding on Information Systems Security (INFOSEC) professionals.


Many organizations are mandated to develop and implement security policies. Compliance regulations define what organizations are responsible for providing and the liability if they fail to comply. The compliance regulations that an organization is obligated to follow depend on the type of organization and the data that the organization handles. Specific compliance regulations will be discussed later in the course.

Numerous certifications exist. Certifications for network security professionals are offered by the following organizations:

Using encryption for remote access to a network is recommended.

3.5 Cisco Network Foundation Protection Framework

The Cisco Network Foundation Protection (NFP) framework provides comprehensive guidelines for protecting the network infrastructure.

NFP logically divides routers and switches into three functional areas:

Control plane - Responsible for routing data correctly.

Management plane - Responsible for managing network elements.

Data plane (Forwarding plane) - Responsible for forwarding data.

Securing the Control Plane

Control plane traffic consists of device-generated packets required for the operation of the network itself.

Routing protocol authentication - Routing protocol authentication, or neighbor authentication, prevents a router from accepting fraudulent routing updates.

Control Plane Policing (CoPP) - CoPP is a Cisco IOS feature designed to allow users to control the flow of traffic that is handled by the route processor of a network device.

AutoSecure - AutoSecure can lock down the management plane functions and the forwarding plane services and functions of a router.
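The two control plane measures above, routing protocol authentication and CoPP, as an added Cisco IOS configuration example (not from the course); the OSPF process id, interface, key value, admin subnet and policing rates are assumed.

```cisco
! Added example (not from the course): control plane hardening on a Cisco IOS
! router. Process id, interface, key value, admin subnet and rates are assumed.
!
! --- Routing protocol (neighbor) authentication for OSPF area 0 ---
! Without it, any host on the segment could inject fraudulent routing updates.
router ospf 1
 area 0 authentication message-digest
!
interface GigabitEthernet0/0
 ! the same key id and secret must be configured on every neighbor
 ip ospf message-digest-key 1 md5 S3cureOspfKey
 ip ospf authentication message-digest
!
! --- Control Plane Policing (CoPP) ---
! Classify traffic punted to the route processor and rate-limit each class,
! so a flood of ICMP or unsolicited packets cannot starve the routing processes.
ip access-list extended COPP-ICMP
 permit icmp any any
ip access-list extended COPP-MGMT
 permit tcp 10.0.100.0 0.0.0.255 any eq 22
!
class-map match-all CM-COPP-ICMP
 match access-group name COPP-ICMP
class-map match-all CM-COPP-MGMT
 match access-group name COPP-MGMT
!
policy-map PM-COPP
 class CM-COPP-ICMP
  police 8000 conform-action transmit exceed-action drop
 class CM-COPP-MGMT
  police 64000 conform-action transmit exceed-action drop
 class class-default
  police 32000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input PM-COPP
!
! Verify with: show ip ospf neighbor   and   show policy-map control-plane
```

Size the police rates from a baseline of the device's real control plane traffic before enforcing them; an undersized class-default rate can silently drop legitimate ARP or routing traffic.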

Securing the Management Plane

Management plane traffic is generated either by network devices or by network management stations, using processes and protocols such as Telnet, SSH, and TFTP.

Login and password policy - Restricts device accessibility.

Present legal notification - Displays legal notices.

Ensure the confidentiality of data - Protects locally stored sensitive data from being viewed or copied.

Role-based access control (RBAC) - Ensures access is only granted to authenticated users, groups, and services.

Authorize actions - Restricts the actions and views that are permitted by any particular user, group, or service.

Enable management access reporting - Logs and accounts for all access.
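The management plane items above, together with the access attack mitigations listed earlier (strong passwords, disabling logins after repeated failures, encrypted remote access), as one added Cisco IOS configuration example (not from the course); usernames, secrets, domain, admin subnet, syslog host and timers are assumed, and the <...> values are placeholders.

```cisco
! Added example (not from the course): management plane hardening on a Cisco
! IOS router. Usernames, secrets, domain, admin subnet, syslog host and timers
! are assumed; replace the <...> placeholders with real values.
!
! --- Login and password policy (also mitigates password-guessing access attacks) ---
security passwords min-length 10
enable secret <strong-enable-secret>
service password-encryption
! Block logins for 120 s after 3 failed attempts within 60 s; log both outcomes
login block-for 120 attempts 3 within 60
login on-failure log
login on-success log
!
! --- Role-based access: limited operator vs full administrator ---
username netops privilege 5 secret <operator-secret>
username netadmin privilege 15 secret <admin-secret>
! delegate one privileged command to level 5 without granting level 15
privilege exec level 5 clear counters
!
! --- Legal notification shown before the login prompt ---
banner login ^
Authorized access only. All activity is monitored and logged.
^
!
! --- Restrict management access to SSHv2 from the admin subnet only ---
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
ip access-list standard MGMT-HOSTS
 permit 10.0.100.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 login local
 exec-timeout 5 0
!
! --- Management access reporting: send logs and configuration changes to syslog ---
logging host 10.0.100.50
logging trap informational
archive
 log config
  logging enable
  notify syslog
  hidekeys
```

Check the result with show login (lockout state and counters) and show ssh; a Telnet attempt from outside the admin subnet should now be refused by the vty access-class before any password prompt.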

Securing the Data Plane

Data plane traffic consists mostly of user packets being forwarded through the router via the data plane. Data plane security can be implemented using ACLs, antispoofing mechanisms, and Layer 2 security features, as shown in the figure.

Blocking unwanted traffic or users - ACLs can filter incoming or outgoing packets on an interface.

Reducing the chance of DoS attacks - ACLs can be used to specify whether traffic from hosts, networks, or users, can access the network.

Providing bandwidth control - ACLs on a slow link can prevent excess traffic.

Classifying traffic to protect the Management and Control planes - ACLs can be applied on the vty lines.
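The data plane protections above (filtering unwanted traffic, antispoofing, Layer 2 features) as an added configuration example (not from the course), given as router and access-switch fragments; interface names, the internal prefix 10.0.0.0/16 and the switch port are assumed.

```cisco
! Added example (not from the course): data plane protections. Interface names,
! the internal prefix 10.0.0.0/16 and the access switch port are assumed.
!
! --- Antispoofing ingress ACL on the Internet-facing router interface ---
! Packets arriving from outside with an internal, loopback or RFC 1918 source
! address are forged; drop (and log) them, block an unwanted service, then
! permit the remaining traffic.
ip access-list extended EDGE-IN
 deny   ip 10.0.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   tcp any any eq 23
 permit ip any any
!
! --- Egress ACL: only packets sourced from our own prefix may leave ---
ip access-list extended EDGE-OUT
 permit ip 10.0.0.0 0.0.255.255 any
 deny   ip any any log
!
interface GigabitEthernet0/1
 description Internet uplink
 ip access-group EDGE-IN in
 ip access-group EDGE-OUT out
 ! Unicast RPF: drop packets whose source is not routed back via this interface
 ip verify unicast source reachable-via rx
!
! --- Layer 2 security on an access switch port ---
interface FastEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verify with: show ip access-lists   and   show port-security interface Fa0/5
```

Strict uRPF (reachable-via rx) assumes symmetric routing on the uplink; where return paths differ, use loose mode (reachable-via any) or rely on the ACL alone, otherwise legitimate traffic is dropped.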

Global Information Assurance Certification (GIAC)

International Information System Security Certification Consortium (ISC)2

Information Systems Audit and Control Association (ISACA)

International Council of E-Commerce Consultants (EC-Council)

Certified Wireless Security Professional (CWSP)

Communications Security - CIA

Information security deals with protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The CIA Triad serves as a conceptual foundation for the field.

Confidentiality

Integrity

Availability