ccnas ch10 slides

© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID 1 Chapter 10: Managing a Secure Network CCNA Security


Page 1: Ccnas Ch10 Slides


Chapter 10: Managing a Secure Network

CCNA Security

Page 2: Ccnas Ch10 Slides

Chapter 10: Objectives

In this chapter, you will:

Describe the high-level considerations for ensuring that a network is secure.

Describe the benefits of risk management and the measures to take to optimize risk management.

Define and describe the components, technologies and devices of the Cisco SecureX Architecture.

Describe the five product families used in the SecureX Architecture.

Describe the overarching concepts of operations security.

Describe the core principles of operations security.

Describe the purpose of and the techniques used in network security testing.

Describe the tools used in network security testing.

Describe business continuity planning and disaster recovery.

Configure the Cisco Secure Copy feature.

Describe the SDLC.

Describe the five phases of the SDLC.

Describe the goals of a security policy.

Describe the structure of a security policy.

Describe the standards, guidelines, and procedures of a security policy.

Describe the roles and responsibilities entailed within a security policy.

Describe the concepts of security awareness and how to achieve security awareness through education and training.

Describe ethical guidelines and laws for network security.

Describe how to respond to a security breach.

Page 3: Ccnas Ch10 Slides


Chapter 10

10.0 Introduction

10.1 Principles of Secure Network Design

10.2 Security Architecture

10.3 Operations Security

10.4 Network Security Testing

10.5 Business Continuity Planning and Disaster Recovery

10.6 System Development Life Cycle

10.7 Developing a Comprehensive Security Policy

10.8 Summary

Page 4: Ccnas Ch10 Slides


10.1 Principles of Secure Network Design

Page 5: Ccnas Ch10 Slides


Ensuring a Network is Secure

Security Policies

Created and maintained to mitigate existing and new kinds of attacks.

Enforce a structured, informed, consistent approach to securing the network.

Designed to address the following:

• Business needs

• Threat Identification

• Risk analysis

• Security needs

• Industry-recommended practices

• Security operations

Page 6: Ccnas Ch10 Slides

Ensuring a Network is Secure

Security Policies Cont.

Business needs:

• What does the organization want to do with the network?

• What are the organizational needs?

Threat identification:

• What are the most likely types of threats given the organization’s purpose?

Risk analysis:

• What is the cost versus benefit analysis of implementing various security technologies?

• How do the latest security techniques affect the network environment and what is the risk if they are not implemented?

Page 7: Ccnas Ch10 Slides

Ensuring a Network is Secure

Security Policies Cont.

Security needs:

• What are the policies, standards, and guidelines needed to address business needs and risks?

Industry-recommended practices:

• What are the reliable, well-understood, and recommended security practices that similar organizations currently employ?

Security operations:

• What are the current procedures for incident response, monitoring, maintenance, and auditing of the system for compliance?

Page 8: Ccnas Ch10 Slides

Ensuring a Network is Secure

Avoid Wrong Assumptions

There are guidelines to help you avoid making wrong assumptions:

Expect that any aspect of a security system might fail.

Identify any elements that fail open. Fail-open occurs when a failure results in a complete bypass of the security function.

Try to identify all attack possibilities.

• Use top-down analysis of possible system failures, which involves evaluating the simplicity and probability of every attack on a system.

• This is known as attack tree analysis.

Page 9: Ccnas Ch10 Slides

Ensuring a Network is Secure

Avoid Wrong Assumptions Cont.

Evaluate the probability of exploitation. Focus on the resources that are needed to create an attack, not the obscurity of a particular vulnerability.

Assume that people make mistakes.

Attackers might not use common and well-established techniques to compromise a system.

Check all assumptions with other people. Peers might have a fresh perspective on potential threats and their probability.

Page 10: Ccnas Ch10 Slides

Threat Identification and Risk Analysis

Identifying Threats

When identifying threats, it is important to ask two questions:

1. What are the possible vulnerabilities of a system?

2. What are the consequences if system vulnerabilities are exploited?

Page 11: Ccnas Ch10 Slides

Threat Identification and Risk Analysis

Risk Analysis in IT

Risk analysis is the systematic study of uncertainties and risks. It identifies the risks, determines how and when those risks might arise, and estimates the impact (financial or otherwise) of adverse outcomes.

After the threats are evaluated for severity and likelihood, the information is used in a risk analysis.

Page 12: Ccnas Ch10 Slides

Threat Identification and Risk Analysis

Risk Analysis in IT Cont.

The first step in developing a risk analysis is to evaluate each threat to determine its severity and probability.

For example, threats in an e-banking system may include:

Internal system compromise

Stolen customer data

Phony transactions if external server is breached

Phony transactions using a stolen customer PIN or smart card

Insider attack on the system

Data input errors

Data center destruction

Page 13: Ccnas Ch10 Slides

Threat Identification and Risk Analysis

Risk Analysis in IT Cont.

After the threats are evaluated for severity and likelihood, this information is used in a risk analysis.

There are two types of risk analysis in information security:

• Quantitative Risk Analysis - Uses a mathematical model that assigns a monetary figure to the value of assets, the cost of threats being realized, and the cost of security implementations.

• Qualitative Risk Analysis - Can be used when the risk assessment must be done in a relatively short time or under a tight budget, or when relevant data or expertise is not readily available.

Page 14: Ccnas Ch10 Slides

Threat Identification and Risk Analysis

Single Loss Expectancy Quantitative Risk Analysis

Quantitative risk analysis relies on specific formulas to determine the value of the risk decision variables.

These include formulas that calculate the:

• Asset Value (AV)

• Exposure Factor (EF)

Page 15: Ccnas Ch10 Slides

Threat Identification and Risk Analysis

Single Loss Expectancy Quantitative Risk Analysis Cont.

Single Loss Expectancy (SLE) - Represents the expected loss from a single occurrence of the threat.

Asset Value (AV) - Includes the cost of development or purchase price, deployment, and maintenance.

Exposure Factor (EF) - An estimate of the degree of destruction that could occur.

Annualized Loss Expectancy (ALE) - Addresses the cost to the organization if it does nothing to counter existing threats.

Annualized Rate of Occurrence (ARO) - Estimates the frequency of an event and is used to calculate the ALE.

Page 16: Ccnas Ch10 Slides

Threat Identification and Risk Analysis

Single Loss Expectancy Quantitative Risk Analysis Cont.

Flood threat

Exposure Factor is: 60 percent

AV of the enterprise is: $10,000,000

SLE is: $10,000,000 * .60

SLE is equal to: $6,000,000

Page 17: Ccnas Ch10 Slides

Threat Identification and Risk Analysis

Single Loss Expectancy Quantitative Risk Analysis Cont.

Data entry error

Exposure Factor is: .001 percent

AV of the enterprise is: $1,000,000

SLE is: $1,000,000 * .00001

SLE is equal to: $10

Page 18: Ccnas Ch10 Slides

Threat Identification and Risk Analysis

Annualized Rate of Occurrence Quantitative Risk Analysis

Annualized Rate of Occurrence / Annualized Loss Expectancy

Data entry error

SLE is: $10

ARO is: 125,000

ALE is: $10 * 125,000

ALE is equal to: $1,250,000

Page 19: Ccnas Ch10 Slides

Threat Identification and Risk Analysis

Annualized Rate of Occurrence Quantitative Risk Analysis Cont.

Annualized Rate of Occurrence / Annualized Loss Expectancy

Flood threat

SLE is: $6,000,000

ARO is: .01

ALE is: $6,000,000 * .01

ALE is equal to: $60,000

Page 20: Ccnas Ch10 Slides

Threat Identification and Risk Analysis

Quantitative Risk Analysis

It is necessary to perform a quantitative risk analysis for all threats identified during the threat identification process.

Then prioritize the threats and address the most serious threat first to enable management to focus resources where they do the most good.
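The SLE and ALE formulas from the preceding slides, carried through in code and extended to the prioritization step described here; this is an added example, not material from the Cisco deck. The flood and data entry error figures are the deck's own; the values assigned to the two other e-banking threats are constructed assumptions used only to show the ranking.

```python
"""Quantitative risk analysis helper (added example, not Cisco's code).

Implements the chapter's formulas:
    SLE = AV  * EF      (single loss expectancy)
    ALE = SLE * ARO     (annualized loss expectancy)
and ranks threats by ALE so the most serious threat is addressed first.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV: cost to develop/buy, deploy and maintain
    exposure_factor: float  # EF: fraction of the asset destroyed per event (0..1)
    annual_rate: float      # ARO: expected occurrences per year


def percent(p: float) -> float:
    """Convert a percentage as written on the slides (60, .001) to a fraction."""
    return p / 100.0


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV * EF. EF is a fraction, so 60 percent is passed as 0.60."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if av < 0:
        raise ValueError("asset value cannot be negative")
    return av * ef


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO. ARO may be below 1 (rare events) or far above it."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def prioritize(threats):
    """Return (name, SLE, ALE) tuples sorted by ALE, highest first."""
    rows = []
    for t in threats:
        sle = single_loss_expectancy(t.asset_value, t.exposure_factor)
        rows.append((t.name, sle, annualized_loss_expectancy(sle, t.annual_rate)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Slide figures: flood (EF 60 percent, AV $10,000,000, ARO .01) and
# data entry error (EF .001 percent, AV $1,000,000, ARO 125,000).
SLIDE_THREATS = [
    Threat("Flood", 10_000_000, percent(60), 0.01),
    Threat("Data entry error", 1_000_000, percent(0.001), 125_000),
]

# Constructed values for two more e-banking threats (not from the deck).
CONSTRUCTED_THREATS = [
    Threat("Stolen customer data", 5_000_000, 0.25, 0.5),
    Threat("Insider attack on the system", 5_000_000, 0.10, 0.2),
]


if __name__ == "__main__":
    # The cheap-but-frequent data entry error outranks the rare flood.
    for name, sle, ale in prioritize(SLIDE_THREATS + CONSTRUCTED_THREATS):
        print(f"{name:30s} SLE ${sle:>14,.2f}  ALE ${ale:>14,.2f}")
```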

Page 21: Ccnas Ch10 Slides

Risk Management and Risk Avoidance

Methods of Handling Risks

When the threats are identified and the risks are assessed, a protection strategy must be deployed to protect against the risks.

There are two very different methods to handle risks:

• Risk management - Deploys protection mechanisms to reduce risks to acceptable levels.

• Risk avoidance - Eliminates risk by avoiding the threats altogether.

Page 22: Ccnas Ch10 Slides

Risk Management and Risk Avoidance

Risk Management

This method deploys protection mechanisms to reduce risks to acceptable levels.

Risk management is perhaps the most basic and the most difficult aspect of building secure systems, because it requires a good knowledge of risks, risk environments, and mitigation methods.

Page 23: Ccnas Ch10 Slides

Risk Management and Risk Avoidance

Risk Management Cont.

Not all mitigation techniques are implemented based on the risk versus cost formula used in the quantitative risk analysis:

• Internal system compromise

• Stolen customer data

• Phony transactions if external server is broken into

• Phony transactions using a stolen customer PIN or smart card

• Insider attack on the system

• Data input error

• Data center destruction

Page 24: Ccnas Ch10 Slides

Risk Management and Risk Avoidance

Risk Management Cont.

Using the risk avoidance approach, a company might decide against offering e-banking services as it is deemed too risky.

Such an attitude might be valid for some military organizations, but is usually not an option in the commercial world.

Organizations that can manage the risks are traditionally the most profitable.

Page 25: Ccnas Ch10 Slides


10.2 Security Architecture

Page 26: Ccnas Ch10 Slides

Introducing the Cisco SecureX Architecture

Borderless Networks

Today, Internet worms and other security threats spread across the world in a matter of minutes, requiring that the security system, and the network itself, react instantaneously.

Consumer endpoints, such as iPhones, BlackBerrys, netbooks, and thousands of other devices, are becoming powerful substitutes for, or complements to, the traditional PC.

More people use these devices to access enterprise information.

Page 27: Ccnas Ch10 Slides

Introducing the Cisco SecureX Architecture

SecureX Security Architecture

Designed to provide effective security for any user, using any device, from any location, and at any time.

Uses a high-level policy language that can describe the full context of a situation, including who, what, where, when, and how.

With highly distributed security policy enforcement, security is pushed closer to where the end user is working, anywhere on the planet. This architecture is comprised of five major components:

• Scanning engines

• Delivery mechanisms

• Security Intelligence Operations (SIO)

• Policy management consoles

• Next-generation endpoints

Page 28: Ccnas Ch10 Slides


Introducing the Cisco SecureX Architecture

SecureX Security Architecture Cont.

Page 29: Ccnas Ch10 Slides

Introducing the Cisco SecureX Architecture

Centralized Context-Aware

A context-aware scanning element does more than just examine packets on the wire.

It looks at external information to understand the full context of the situation: the who, what, where, when, and how of security.

These scanning elements are available as standalone appliances, software modules running in a router, or an image in the cloud.

They are managed from a central policy console that uses a high-level policy language to build context-aware policies.

A context-aware policy uses a simplified descriptive business language to define security policies based on five parameters:

• The person’s identity

• The application in use

• The type of device being used for access

• The location

• The time of access

Page 30: Ccnas Ch10 Slides


Introducing the Cisco SecureX Architecture

Centralized Context-Aware

Page 31: Ccnas Ch10 Slides

Introducing the Cisco SecureX Architecture

Cisco Security Intelligence Operations

Delivers real-time global threat intelligence.

World’s largest cloud-based security ecosystem, using almost a million live data feeds from deployed Cisco email, web, firewall, and IPS solutions.

Cisco SIO weighs and processes the data, automatically categorizing threats and creating rules using more than 200 parameters.

Rules are dynamically delivered to deployed Cisco security devices every three to five minutes.

Page 32: Ccnas Ch10 Slides


Introducing the Cisco SecureX Architecture

Cisco Security Intelligence Operations Cont.

Page 33: Ccnas Ch10 Slides


Solutions for the Cisco SecureX Architecture

SecureX Products

Page 34: Ccnas Ch10 Slides

Solutions for the Cisco SecureX Architecture

Cisco Secure Edge and Branch

• The goal of the Cisco secure edge and branch is to deploy devices and systems to detect and block attacks and exploits, and prevent intruder access.

• With firewall and intrusion prevention in standalone and integrated deployment options, organizations can avoid attacks and meet compliance requirements.

Page 35: Ccnas Ch10 Slides


Solutions for the Cisco SecureX Architecture

Cisco Secure Edge and Branch Cont.

Page 36: Ccnas Ch10 Slides

Solutions for the Cisco SecureX Architecture

Secure Email and Web

• Cisco secure email and web solutions protect an organization from evolving email and web threats.

• They reduce costly downtime associated with email-based spam, viruses, and web threats, and are available in a variety of form factors, including:

  • On-premise appliances - Includes Cisco IronPort email security and IronPort web security appliances

  • Cisco ScanSafe Cloud Web Security

Page 37: Ccnas Ch10 Slides

Solutions for the Cisco SecureX Architecture

SecureX Products

Secure access technologies enforce network security policies, secure user and host access controls, and control network access based on dynamic conditions.

Page 38: Ccnas Ch10 Slides

Solutions for the Cisco SecureX Architecture

Secure Mobility

Cisco secure mobility solutions promote highly secure mobile connectivity with VPN, wireless security, and remote workforce security solutions that extend network access safely and easily to a wide range of users and devices.

Page 39: Ccnas Ch10 Slides

Solutions for the Cisco SecureX Architecture

Secure Data Center and Virtualization

Cisco secure data center and virtualization solutions protect high-value data and data center resources with threat defense, secure virtualization, segmentation, and policy control.

Page 40: Ccnas Ch10 Slides

Solutions for the Cisco SecureX Architecture

Network Security Services

The security industry is always changing.

The next few years will prove to be a period of significant change, driven by three major trends:

• Consumerization of the endpoint

• Increasing use of high-definition video conferencing

• Adoption of cloud computing

Page 41: Ccnas Ch10 Slides


Solutions for the Cisco SecureX Architecture

Network Security Services Cont.

Page 42: Ccnas Ch10 Slides


10.3 Operations Security

Page 43: Ccnas Ch10 Slides

Introducing Operations Security

Operations Security

Operations security is concerned with the day-to-day practices necessary to first deploy and later maintain a secure system.

It starts with the planning and implementation process of a network.

• During these phases, the operations team proactively analyzes designs, identifies risks and vulnerabilities, and makes the necessary adaptations.

• After a network is set up, the actual operational tasks begin, including the continual day-to-day maintenance of the environment.

Page 44: Ccnas Ch10 Slides

Introducing Operations Security

Operations Security Team

The responsibilities of the operations team pertain to everything that takes place to keep the network, computer systems, applications, and the environment up and running in a secure and protected manner.

The operations team usually has the objectives of preventing recurring problems, reducing hardware failures to an acceptable level, and reducing the impact of hardware failure or disruption.

Page 45: Ccnas Ch10 Slides

Introducing Operations Security

Operations Security Team Cont.

To ensure a secure working environment within the operations department, certain core principles should be integrated into the day-to-day activities:

Separation of duties

Rotation of duties

Trusted recovery

Change and configuration controls

Page 46: Ccnas Ch10 Slides

Principles of Operations Security

Separation of Duties

Separation of duties (SoD) is the most difficult and sometimes the most costly control to achieve.

SoD states that no single individual has control over two or more phases of a transaction or operation.

• Instead, responsibilities are assigned in a way that incorporates checks and balances.

• This makes a deliberate fraud more difficult to perpetrate because it requires the collusion of two or more individuals or parties.

Page 47: Ccnas Ch10 Slides

Principles of Operations Security

Rotation of Duties

Trained individuals are given a specific assignment for a certain amount of time before moving to a new assignment.

A peer review is built into the practice of rotation of duties. For example, when five people do one job in the course of the week, each person reviews the work of the others.

Rotation of duties also prevents boredom, gives individuals a greater breadth of exposure to the entire network operation, and creates a strong and flexible operations department.

Page 48: Ccnas Ch10 Slides

Principles of Operations Security

Trusted Recovery

Systems eventually fail!

• Therefore a process for recovery must be established.

• Back up data on a regular basis.

Backing up data is standard practice in most IT departments.

Being prepared for system failure is also an important part of operations security:

• Back up critical data on a regular basis.

• Evaluate who has access to the files to back them up and what kind of access they have.

• Secure the backup media.

Page 49: Ccnas Ch10 Slides

Principles of Operations Security

Configuration and Change Control

Change and configuration control ensures that standardized methods and procedures are used to efficiently handle all changes.

It should address three major components:

• The processes in place to minimize system and network disruption

• Backups and reversing changes that go badly

• Guidance on the economic utilization of resources and time

A few suggestions are recommended to accomplish configuration changes in an effective and safe manner:

• Ensure that the change is implemented in an orderly manner with formalized testing.

• Ensure that the end users are aware of the coming change when necessary.

• Analyze the effects of the change after it is implemented.

Page 50: Ccnas Ch10 Slides

Principles of Operations Security

Configuration and Change Control Cont.

Step 1. Apply to introduce the change.

Step 2. Catalog the proposed change.

Step 3. Schedule the change.

Step 4. Implement the change.

Step 5. Report the change to the relevant parties.

Page 51: Ccnas Ch10 Slides


10.4 Network Security Testing

Page 52: Ccnas Ch10 Slides

Introducing Network Security Testing

Network Security Testing

Network security testing is testing that is performed on a network to ensure all security implementations are operating as expected. Testing is typically conducted during the implementation and operational stages.

During the implementation stage, security testing is conducted on specific parts of the security system.

After a network is fully integrated and operational, a Security Test and Evaluation (ST&E) is performed. ST&E is an examination or analysis of the protective measures that are placed on an operational network.

Tests should be repeated periodically and whenever a change is made to the system. Test more frequently on critical information or hosts that are exposed to constant threat.

Page 53: Ccnas Ch10 Slides

Introducing Network Security Testing

Network Security Tests

Many tests can be conducted to assess the operational status of the system:

Penetration testing

Network scanning

Vulnerability scanning

Password cracking

Log review

Integrity checkers

Virus detection

Page 54: Ccnas Ch10 Slides

Introducing Network Security Testing

Network Security Tests Cont.

Penetration testing

• Network penetration tests, or pen testing, simulate attacks from malicious sources.

• The goal is to determine the feasibility of an attack and possible consequences if one were to occur.

Network scanning

• Includes software that can ping computers, scan for listening TCP ports, and display which types of resources are available on the network.

• Some scanning software can also detect usernames, groups, and shared resources.

• Network administrators can use this information to strengthen their networks.

Page 55: Ccnas Ch10 Slides

Introducing Network Security Testing

Network Security Tests Cont.

Vulnerability scanning

• Includes software that can detect potential weaknesses in the tested systems.

• These weaknesses can include misconfiguration, blank or default passwords, or potential targets for DoS attacks.

• Some software allows administrators to attempt to crash the system through the identified vulnerability.

Password cracking

• Includes software that is used to test and detect weak passwords that should be changed.

• Password policies should include guidelines to prevent weak passwords.

Page 56: Ccnas Ch10 Slides

Introducing Network Security Testing

Network Security Tests Cont.

Log review

• System administrators should review security logs to identify potential security threats.

• Abnormal activity should be investigated using filtering software to scan lengthy log files.

Integrity checkers

• An integrity checking system detects and reports on changes in the system.

• Most of the monitoring is focused on the file system. However, some checking systems can report on login and logout activities.

Virus detection

• Virus detection software can be used to identify and remove computer viruses and other malware.
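As an added example of the log review test (not from the Cisco deck), the following filter scans sshd-style authentication log lines for a burst of failed logins from one source and for a successful login that follows such a burst. The sample lines, the failure threshold and the time window are constructed assumptions.

```python
"""Log review filter (added example, not from the Cisco deck).

Scans syslog-style sshd lines and reports two kinds of abnormal activity:
  * a burst of failed logins from one source inside a short window
  * a successful login from that same source right after the burst
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the usual sshd/syslog layout.
SAMPLE_LOG = """\
Mar 10 02:14:01 gw sshd[2211]: Failed password for admin from 198.51.100.7 port 51022 ssh2
Mar 10 02:14:03 gw sshd[2211]: Failed password for admin from 198.51.100.7 port 51023 ssh2
Mar 10 02:14:05 gw sshd[2211]: Failed password for invalid user root from 198.51.100.7 port 51024 ssh2
Mar 10 02:14:06 gw sshd[2211]: Failed password for admin from 198.51.100.7 port 51025 ssh2
Mar 10 02:14:08 gw sshd[2211]: Failed password for admin from 198.51.100.7 port 51026 ssh2
Mar 10 02:14:20 gw sshd[2211]: Accepted password for admin from 198.51.100.7 port 51027 ssh2
Mar 10 09:00:12 gw sshd[2290]: Failed password for alice from 192.0.2.15 port 40001 ssh2
Mar 10 09:00:30 gw sshd[2290]: Accepted password for alice from 192.0.2.15 port 40002 ssh2
Mar 10 09:05:00 gw sshd[2301]: Accepted publickey for bob from 192.0.2.20 port 40100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(text, year=2024):
    """Yield (timestamp, result, user, src) for matching lines; skip the rest.

    Syslog lines carry no year, so one is assumed (constructed) here.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["src"]


def find_abnormal(text, threshold=5, window=timedelta(minutes=1)):
    """Return (kind, src, user, timestamp) findings.

    A source is flagged once it has `threshold` failures inside `window`
    (a sliding window over its most recent failures). A later Accepted
    line from a flagged source within `window` of its last failure is
    reported as well, since that is the pattern worth investigating.
    """
    failures = defaultdict(list)   # src -> timestamps of recent failures
    flagged = set()
    findings = []
    for ts, result, user, src in parse(text):
        if result == "Failed":
            bucket = failures[src]
            bucket.append(ts)
            while bucket and ts - bucket[0] > window:   # slide the window
                bucket.pop(0)
            if len(bucket) >= threshold and src not in flagged:
                flagged.add(src)
                findings.append(("failed-login burst", src, user, ts))
        elif result == "Accepted" and src in flagged:
            last_failure = failures[src][-1] if failures[src] else None
            if last_failure is not None and ts - last_failure <= window:
                findings.append(("success after burst", src, user, ts))
    return findings


if __name__ == "__main__":
    for kind, src, user, ts in find_abnormal(SAMPLE_LOG):
        print(f"{ts:%b %d %H:%M:%S}  {kind:22s} src={src} user={user}")
```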

Page 57: Ccnas Ch10 Slides

Introducing Network Security Testing

Applying Network Test Results

Network security testing results can be used in several ways:

To define mitigation activities to address identified vulnerabilities

As a benchmark to trace the progress of an organization in meeting security requirements

To assess the implementation status of system security requirements

To conduct cost and benefit analysis for improvements to system security

To enhance other activities, such as risk assessments, certification and authorization (C&A), and performance improvement efforts

As a reference point for corrective action

Page 58: Ccnas Ch10 Slides

Network Security Testing Tools

Network Testing Tools

Nmap - Discovers computers and services on a computer network, thus creating a map of the network

SuperScan - Port scanning software designed to detect open TCP and UDP ports, what services are running on those ports, and run queries, such as whois, ping, traceroute, and hostname lookups

GFI LANguard - Network and security scanner which detects vulnerabilities

Tripwire - Assesses and validates IT configurations against internal policies, compliance standards, and security best practices

Nessus - Vulnerability scanning software, focusing on remote access, misconfiguration, passwords, and DoS against the TCP/IP stack

L0phtcrack - Password auditing and recovery application

Metasploit - Provides information about vulnerabilities and aids in penetration testing and IDS signature development
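As an added example of what an integrity checker does (the kind of file-system monitoring described under the integrity checkers test and the Tripwire entry above), the following builds a baseline of file digests, sizes and permission modes, then reports files that were added, removed or changed. This is not Tripwire's code and not from the deck; the directory layout and file contents are constructed.

```python
"""File integrity checker (added example; not Tripwire's code).

Baseline: SHA-256 digest, size and permission mode of every regular file
under a root. Check: compare a fresh scan against the stored baseline and
report added, removed and changed files, naming which field changed.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Digest plus the metadata an integrity checker typically tracks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.lstat()
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root: Path) -> dict:
    """Map relative POSIX path -> record for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = file_record(p)
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and changed files (with the fields that differ)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        diff = [k for k in ("sha256", "size", "mode")
                if baseline[rel][k] != current[rel][k]]
        if diff:
            changed[rel] = diff
    return {"added": added, "removed": removed, "changed": changed}


def demo() -> dict:
    """Constructed files: baseline them, simulate tampering, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "ssh").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "ssh" / "sshd_config").write_text("MaxAuthTries 3\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        os.chmod(root / "passwd", 0o644)

        db = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), db)

        # Simulated unauthorized changes made after the baseline was taken.
        (root / "ssh" / "sshd_config").write_text("MaxAuthTries 9\n")  # same size, new content
        os.chmod(root / "passwd", 0o666)                                 # mode change only
        (root / "hosts").unlink()                                         # file removed
        (root / "ssh" / "authorized_keys").write_text("constructed key material\n")  # file added

        return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same-size edit to sshd_config is caught only by the digest, which is why a size-and-timestamp check alone is not an integrity check.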

Page 59: Ccnas Ch10 Slides

Network Security Testing Tools

Nmap

Nmap is a low-level scanner that has an array of excellent features which can be used for network mapping and reconnaissance.

Classic TCP and UDP port scanning - Searches for different services on one host.

Classic TCP and UDP port sweeping - Searches for the same service on multiple hosts.

Stealth TCP and UDP port scans and sweeps - Similar to classic scans and sweeps, but harder to detect by the target host or IPS.

Remote operating system identification - This is also known as OS fingerprinting.

Page 60: Ccnas Ch10 Slides


Network Security Testing Tools

Nmap Cont.

Page 61: Ccnas Ch10 Slides

Network Security Testing Tools

SuperScan

SuperScan is a Microsoft Windows port scanning tool.

SuperScan version 4 has a number of useful features:

• Adjustable scanning speed

• Support for unlimited IP ranges

• Improved host detection using multiple ICMP methods

• TCP SYN scanning

• UDP scanning (two methods)

• Simple HTML report generation

• Source port scanning

• Fast hostname resolving

• Extensive banner grabbing

• Massive built-in port list description database

• IP and port scan order randomization

• A selection of useful tools, such as ping, traceroute, and whois

• Extensive Windows host enumeration capability

Page 62: Ccnas Ch10 Slides


Network Security Testing Tools

SuperScan Cont.

Page 63: Ccnas Ch10 Slides

10.5 Business Continuity Planning and Disaster Recovery

Page 64: Ccnas Ch10 Slides

Continuity Planning and Disaster Recovery

Business Continuity Planning

Business continuity planning addresses the continuing operations of an organization in the event of a disaster or prolonged service interruption that affects the mission of the organization.

These plans address:

• An emergency response phase

• A recovery phase

• A return to normal operation phase

Business continuity planning may include plans, such as:

• Moving or relocating critical business components and people to a remote location while the original location is being repaired.

• Using different channels of communication to deal with customers, shareholders, and partners until operations are returned to normal.

Continuity Planning and Disaster Recovery: Disaster Recovery

Disaster recovery is the process of regaining access to the data, hardware, and software necessary to resume critical business operations after a natural or human-induced disaster.

It includes plans for coping with the unexpected or sudden loss of key personnel.

Recovery Plans and Redundancy: Recovery Plans

When planning for disaster recovery and business continuity, the first step is identifying the possible types of disasters and disruptions.

Not all disruptions to business operations are equal.

A good disaster recovery plan considers the magnitude of the disruption, recognizing that there are differences between catastrophes, disasters, and minor incidents.

Recovery Plans and Redundancy: Redundancy

Large organizations might require a redundant facility if some catastrophic event results in facility destruction.

Hot site:
• A completely redundant facility with almost identical equipment.

Warm site:
• Physically redundant facilities, but software and data are not stored and updated on the equipment.
• A disaster recovery team is required to physically go to the redundant facility and get it operational.
• Depending on how much software and data is involved, it can take days before operations are ready to resume.

Cold site:
• An empty datacenter with racks, power, WAN links, and heating, ventilation, and air conditioning (HVAC) already present, but no equipment.

Secure Copy

The primary goal of disaster recovery is to restore the network to a fully functional state.

Two of the most critical components of a functional network are the router configuration and the router image files.

Every disaster recovery plan should include backup and retrieval of these files.

Because an organization's network configuration includes private or proprietary information, these files must be copied in a secure manner.

The secure copy (SCP) feature provides a secure and authenticated method for copying router configuration or router image files.

Secure Copy (cont.)

Secure Copy: SCP Server Configuration

Because SCP relies on SSH for secure transport, before enabling SCP you must correctly configure SSH, and the router must have an RSA key pair.

To configure the router for server-side SCP, perform these steps:

Step 1. Enable AAA with the aaa new-model global configuration mode command.

Secure Copy: SCP Server Configuration (cont.)

Step 2. Define a named list of authentication methods with the aaa authentication login {default | list-name} method1 [method2...] command.

Secure Copy: SCP Server Configuration (cont.)

Step 3. Configure command authorization with the aaa authorization {network | exec | commands level} {default | list-name} method1 ... [method4] command.

Secure Copy: SCP Server Configuration (cont.)

Step 4. Configure a username and password to use for local authentication with the username name [privilege level] {password encryption-type password} command. This step is optional if using network-based authentication such as TACACS+ or RADIUS.

Secure Copy: SCP Server Configuration (cont.)

Step 5. Enable SCP server-side functionality with the ip scp server enable command.
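The five steps above carried through as one IOS configuration, an added example that is not from the Cisco slides: it uses local authentication, and the hostname, domain name, username, passphrase and the SSH prerequisite lines are constructed assumptions rather than values from the course.

```cisco
! Added example, not part of the original slides. Hostname, domain name,
! username and passphrase are constructed placeholders.
!
! Prerequisite: SCP rides on SSH, so the router needs a hostname, a domain
! name and an RSA key pair before SCP can be enabled.
hostname R1
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Step 1. Enable AAA.
aaa new-model
!
! Step 2. Authentication method list (the default list, local user database).
aaa authentication login default local
!
! Step 3. Authorization. An SCP transfer runs in an exec session, so the
! exec method list is the one that must be defined.
aaa authorization exec default local
!
! Step 4. Local user for the backups. "secret" stores an irreversible hash
! instead of a reversible type 7 password; privilege 15 is required for
! SCP access. This step can be skipped when the lists above point at a
! TACACS+ or RADIUS server group instead of "local".
username backup-admin privilege 15 secret Str0ngPassphrase!
!
! Step 5. Turn on the SCP server.
ip scp server enable
!
! Allow only SSH on the vty lines so no cleartext management path remains
! alongside the SCP service.
line vty 0 4
 transport input ssh
 login authentication default
```

With this in place a management host can pull the configuration over SSH with scp backup-admin@R1:running-config R1.cfg (constructed names), and every transfer is authenticated and authorized through the AAA lists defined above.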

Secure Copy: SCP Server Configuration (cont.)


10.6 System Development Life Cycle

Introducing SDLC: System Life Cycle

Business continuity and disaster recovery plans are ever-changing documents.

Evaluating system changes and adjusting plans are all part of a system life cycle.

The term "system" can refer to a single device or a group of devices that operate together within a network.

Introducing SDLC: Phases of SDLC

Five phases of the SDLC:
1. Initiation
2. Acquisition and development
3. Implementation
4. Operation and maintenance
5. Disposition

When using the SDLC to design a network, each phase should include a minimum set of security requirements. This results in less expensive and more effective security as compared to adding security to an operational system after the fact.

Introducing SDLC: Phases of SDLC (cont.)

Phases of the SDLC: Initiation

Security categorization - Defines three levels (low, moderate, and high) of potential impact on organizations or individuals if there is a breach of security.

Preliminary risk assessment - Initial description of the basic security needs of the system that defines the threat environment in which the system operates.

Phases of the SDLC: Acquisition and Development

Consists of the following tasks:
• Risk assessment
• Security functional requirements
• Security assurance requirements
• Security cost considerations and reporting
• Security planning
• Security control development
• Developmental security test and evaluation

Phases of the SDLC: Implementation Phase

Consists of the following tasks:
• Inspection and acceptance
• System integration
• Security certification

Phases of the SDLC: Operations and Maintenance

Consists of the following tasks:
• Configuration management and control
• Continuous monitoring

Phases of the SDLC: Disposition Phase

Consists of the following tasks:
• Information preservation
• Media sanitization
• Hardware and software disposal


10.7 Developing a Comprehensive Security Policy

Security Policy Overview: Secure Network Life Cycle

The Secure Network Life Cycle is a process of assessment and re-evaluation of equipment and security needs as the network changes.

One important aspect of this ongoing evaluation is to understand which assets an organization must protect, even as those assets are changing.

Determine what the assets of an organization are by asking questions:
• What does the organization have that others want?
• What processes, data, or information systems are critical to the organization?
• What would stop the organization from doing business or fulfilling its mission?

Security Policy Overview: Security Policy

A security policy may include the following:
• Identification and Authentication Policies - Specifies authorized persons that can have access to network resources and verification procedures.
• Password Policies - Ensures passwords meet minimum requirements and are changed regularly.
• Acceptable Use Policies - Identifies network applications and usages that are acceptable to the organization. It may also identify ramifications if this policy is violated.
• Remote Access Policies - Identifies how remote users can access a network and what is accessible via remote connectivity.
• Network Maintenance Policies - Specifies network device operating systems and end user application update procedures.
• Incident Handling Procedures - Describes how security incidents are handled.

Security Policy Overview: Security Policy Audience

The audience for the security policy is anyone who has access to the network.

Internal audience includes various personnel, such as managers and executives, departments and business units, technical staff, and employees.

External audience is also a varied group that includes partners, customers, suppliers, consultants, and contractors.

Structure of a Security Policy: Security Policy Hierarchy

These documents are often broken into a hierarchical structure:
• Governing policy - High-level treatment of the security guidelines that are important to the entire company. Managers and technical staff are the intended audience. The governing policy controls all security-related interactions among business units and supporting departments in the company.
• Technical policy - Used by security staff members as they carry out security responsibilities for the system. These policies are more detailed than the governing policy and are system-specific or issue-specific. For example, access control and physical security issues are described in a technical policy.
• End user policy - Covers all security topics that are important to end users. End users can include employees, customers, and any other individual user of the network.

Structure of a Security Policy: Governing Policy

The governing policy outlines the company's overall security goals for managers and technical staff.

It covers all security-related interactions among business units and supporting departments in the company.

It includes several components:
• Statement of the issue that the policy addresses
• How the policy applies in the environment
• Roles and responsibilities of those affected by the policy
• Actions, activities, and processes that are allowed (and not allowed)
• Consequences of noncompliance

Structure of a Security Policy: Technical Policy

Technical policies are detailed documents that are used by technical staff in the conduct of their daily security responsibilities.

Technical policies are broken down into specified technical areas, including:
• General Policies
• Telephony Policy
• Email and Communications Policy
• Remote Access Policy
• Network Policy
• Application Policy

Structure of a Security Policy: End User Policies

End user policies cover all rules pertaining to information security that end users should know about and follow.

End user policies might overlap with technical policies, but may also include:
• Identity Policy
• Password Policy
• Anti-Virus Policy

Standards, Guidelines, and Procedures: Security Policy Documents

The security policy documents are high-level overview documents.

These include:
• Standards documents
• Guidelines documents
• Procedures documents

Standards, Guidelines, and Procedures: Standard Documents

One of the most important security principles is consistency, and therefore it is necessary for organizations to establish standards.

Each organization develops standards to support its unique operating environment.

Device configuration standards are defined in the technical section of an organization's security policy.

Standards, Guidelines, and Procedures: Guideline Documents

Guidelines provide a list of suggestions on how to do things better.
• They are similar to standards, but are more flexible and are not usually mandatory.
• Guidelines can be used to define how standards are developed and to guarantee adherence to general security policies.

A number of guidelines are widely available:
• National Institute of Standards and Technology (NIST) Computer Security Resource Center
• National Security Agency (NSA) Security Configuration Guides
• The Common Criteria Standard

Standards, Guidelines, and Procedures: Procedure Documents

Procedure documents are longer and more detailed than standards and guidelines.

Procedure documents include implementation details, usually with step-by-step instructions and graphics.

Procedure documents are extremely important for large organizations to have the consistency of deployment that is necessary for a secure environment.

Roles and Responsibilities: Organizational Reporting Structure

All persons in an organization, from the Chief Executive Officer (CEO) to the newest hires, are considered end users of the network and must abide by the organization's security policy.

Developing and maintaining the security policy is delegated to specific roles within the IT department.

Roles and Responsibilities: Common Executive Titles

Chief Executive Officer (CEO)
• Is ultimately responsible for the success of an organization.
• All executive positions report to the CEO.

Chief Technology Officer (CTO)
• Identifies and evaluates new technologies and drives new technology development to meet organization objectives.
• Maintains and enhances the enterprise systems, while providing direction on all technology-related issues in support of operations.

Roles and Responsibilities: Common Executive Titles (cont.)

Chief Information Officer (CIO)
• Responsible for the information technology and computer systems that support enterprise goals, including successful deployment of new technologies and work processes.
• Small-to-medium-sized organizations typically combine the responsibilities of CTO and CIO into a single position.
• When an organization has both a CTO and CIO, the CIO is generally responsible for processes and practices supporting the flow of information, and the CTO is responsible for technology infrastructure.

Chief Security Officer (CSO)
• Develops, implements, and manages the organization's security strategy, programs, and processes associated with all aspects of business operation, including intellectual property.
• A major aspect of this position is to limit exposure to liability in all areas of financial, physical, and personal risk.

Chief Information Security Officer (CISO)
• Similar to the CSO, except that this position has a specific focus on IT security.
• The CISO must develop and implement the security policy, either as the primary author or by managing its authorship. In either case, the CISO is responsible and accountable for security policy content.

Security Awareness and Training: Security Awareness Program

Where is the weakest link in any network infrastructure? The User!

To help ensure the enforcement of the security policy, a security awareness program must be put in place.

Security Awareness and Training: Security Awareness Program (cont.)

A security awareness program usually has two major components:
• Awareness campaigns
• Training and education

A good security awareness program:
• Informs users of their IT security responsibilities.
• Explains all IT security policies and procedures for using the IT systems and data within a company.
• Helps protect the organization from loss of intellectual capital, critical data, and even physical equipment.
• Must also detail the sanctions that the organization imposes for noncompliance.
• Should be part of all new hire orientation.

Security Awareness and Training: Awareness Campaigns

"Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. In awareness activities, the learner is the recipient of information... Awareness relies on reaching broad audiences with attractive packaging techniques." (NIST Special Publication 800-16)

Security Awareness and Training: Awareness Campaigns (cont.)

There are several methods of increasing security awareness:
• Posters, newsletter articles, and bulletins
• Lectures, videos
• Awards for good security practices
• Reminders, such as login banners, mouse pads, coffee cups, and notepads

Security Awareness and Training: Security Training Course

Security Awareness and Training: Security Training Course (cont.)

An effective security training course requires proper planning, implementation, maintenance, and periodic evaluation.

The life cycle of a security training course includes several steps:
Step 1. Identify course scope, goals, and objectives.
Step 2. Identify and educate training staff.
Step 3. Identify target audiences.
Step 4. Motivate management and employees.
Step 5. Administer the courses.
Step 6. Maintain the courses.
Step 7. Evaluate the courses.

Security Awareness and Training: Educational Program

Education integrates all the security skills and competencies of the various functional specialties into a common body of knowledge.

It adds a multidisciplinary study of concepts, issues, and principles, both technological and social, and strives to produce IT security professionals capable of vision and proactive response.

An example of an educational program is a degree program at a college or university.

Laws and Ethics: Laws

A big reason for setting security policies and implementing awareness programs is compliance with the law.
• You must be familiar with the laws and codes of ethics that are binding for Information Systems Security (INFOSEC) professionals.

Most countries have three types of laws:
• Criminal law:
  • Concerned with crimes, and its penalties usually involve fines or imprisonment, or both.
• Civil law (also called tort):
  • Focuses on correcting situations in which entities have been harmed and an economic award can help.
  • Imprisonment is not possible in civil law.
  • For example: suing for patent infringement.
• Administrative law:
  • Involves government agencies enforcing regulations.
  • For example: a company might owe its employees vacation pay.

Laws and Ethics: Ethics

Ethics is a standard that is higher than the law.

It is a set of moral principles that govern civil behavior and are often referred to as codes of ethics.

Ethical principles are often the foundation of many of the laws currently in place.

Individuals that violate the code of ethics can face consequences such as loss of certification, loss of employment, and even prosecution by criminal or civil court.

Laws and Ethics: Ethics (cont.)

The information security profession has a number of formalized codes:
• International Information Systems Security Certification Consortium, Inc. (ISC)2 Code of Ethics
• Computer Ethics Institute (CEI)
• Internet Activities Board (IAB)
• Generally Accepted System Security Principles (GASSP)

Laws and Ethics: Code of Ethics

Code of Ethics Preamble

"Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this Code is a condition of certification."

Code of Ethics Canons
• Protect society, the commonwealth, and the infrastructure.
• Act honorably, honestly, justly, responsibly, and legally.
• Provide diligent and competent service to principals.
• Advance and protect the profession.

Responding to a Security Breach: Motive, Opportunity, and Means

Different countries have different legal standards. In most countries and courts, to successfully prosecute an individual, it is necessary to establish motive, opportunity, and means.

Motive answers the question of why a person committed the illegal act.

Opportunity answers the question of when and where the person committed the crime.

Means answers the question of how the person committed the crime.

Establishing motive, opportunity, and means is a standard for finding and prosecuting individuals of all types of crimes.

Responding to a Security Breach: Collecting Data

The process of collecting data must be done precisely and quickly.

When a security breach occurs, it is necessary to isolate the infected system immediately.

After data is collected, but before equipment is disconnected, it is necessary to photograph the equipment in place.

If security protocols are established and followed, organizations can minimize the loss and damages resulting from attacks.
