ccnas ch10 slides
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID 1
Chapter 10: Managing a Secure Network
CCNA Security
Chapter 10: Objectives
In this chapter, you will:
Describe the high-level considerations for ensuring that a network is secure.
Describe the benefits of risk management and the measures to take to optimize risk management.
Define and describe the components, technologies and devices of the Cisco SecureX Architecture.
Describe the five product families used in the SecureX Architecture.
Describe the overarching concepts of operations security.
Describe the core principles of operations security.
Describe the purpose of and the techniques used in network security testing.
Describe the tools used in network security testing.
Describe business continuity planning and disaster recovery.
Configure the Cisco Secure Copy feature.
Describe the SDLC.
Describe the five phases of the SDLC.
Describe the goals of a security policy.
Describe the structure of a security policy.
Describe the standards, guidelines, and procedures of a security policy.
Describe the roles and responsibilities entailed within a security policy.
Describe the concepts of security awareness and how to achieve security awareness through education and training.
Describe ethical guidelines and laws for network security.
Describe how to respond to a security breach.
Chapter 10
10.0 Introduction
10.1 Principles of Secure Network Design
10.2 Security Architecture
10.3 Operations Security
10.4 Network Security Testing
10.5 Business Continuity Planning and Disaster Recovery
10.6 System Development Life Cycle
10.7 Developing a Comprehensive Security Policy
10.8 Summary
10.1 Principles of Secure Network Design
Ensuring a Network is Secure
Security Policies
Created and maintained to mitigate existing and new kinds of attacks.
Enforce a structured, informed, consistent approach to securing the network.
Designed to address the following:
• Business needs
• Threat Identification
• Risk analysis
• Security needs
• Industry-recommended practices
• Security operations
Business needs:
• What does the organization want to do with the network?
• What are the organizational needs?
Threat identification - What are the most likely types of threats given the organization’s purpose?
Risk analysis:
• What is the cost versus benefit analysis of implementing various security technologies?
• How do the latest security techniques affect the network environment and what is the risk if they are not implemented?
Ensuring a Network is Secure
Security Policies Cont.
Security needs:
• What are the policies, standards, and guidelines needed to address business needs and risks?
Industry-recommended practices:
• What are the reliable, well-understood, and recommended security practices that similar organizations currently employ?
Security operations:
• What are the current procedures for incident response, monitoring, maintenance, and auditing of the system for compliance?
Ensuring a Network is Secure
Security Policies Cont.
There are guidelines to help you avoid making wrong assumptions:
Expect that any aspect of a security system might fail.
Identify any elements that fail open. Fail-open occurs when a failure results in a complete bypass of the security function.
Try to identify all attack possibilities.
• Use top-down analysis of possible system failures, which involves evaluating the simplicity and probability of every attack on a system.
• This is known as attack tree analysis.
Ensuring a Network is Secure
Avoid Wrong Assumptions
Evaluate the probability of exploitation. Focus on the resources that are needed to create an attack, not the obscurity of a particular vulnerability.
Assume that people make mistakes.
Attackers might not use common and well-established techniques to compromise a system.
Check all assumptions with other people. Peers might have a fresh perspective on potential threats and their probability.
Ensuring a Network is Secure
Avoid Wrong Assumptions Cont.
When identifying threats, it is important to ask two questions:
1. What are the possible vulnerabilities of a system?
2. What are the consequences if system vulnerabilities are exploited?
Threat Identification and Risk Analysis
Identifying Threats
Risk analysis is the systematic study of uncertainties and risks. It identifies the risks, determines how and when those risks might arise, and estimates the impact (financial or otherwise) of adverse outcomes.
After the threats are evaluated for severity and likelihood, the information is used in a risk analysis.
Threat Identification and Risk Analysis
Risk Analysis in IT
The first step in developing a risk analysis is to evaluate each threat to determine its severity and probability.
For example, threats in an e-banking system may include:
Internal system compromise
Stolen customer data
Phony transactions if external server is breached
Phony transactions using a stolen customer PIN or smart card
Insider attack on the system
Data input errors
Data center destruction
Threat Identification and Risk Analysis
Risk Analysis in IT Cont.
After the threats are evaluated for severity and likelihood, this information is used in a risk analysis.
There are two types of risk analysis in information security:
• Quantitative Risk Analysis - Uses a mathematical model that assigns a monetary figure to the value of assets, the cost of threats being realized, and the cost of security implementations.
• Qualitative Risk Analysis - Can be used when the risk assessment must be done in a relatively short time or under a tight budget, or when relevant data or expertise is not readily available.
Threat Identification and Risk Analysis
Risk Analysis in IT Cont.
Quantitative risk analysis relies on specific formulas to determine the value of the risk decision variables.
These include formulas that calculate the:
• Asset Value (AV)
• Exposure Factor (EF)
Threat Identification and Risk Analysis
Single Loss Expectancy Quantitative Risk Analysis
Single Loss Expectancy (SLE) - Represents the expected loss from a single occurrence of the threat (SLE = AV × EF).
Asset Value (AV) - Includes the cost of development or purchase price, deployment, and maintenance.
Exposure Factor (EF) - An estimate of the degree of destruction that could occur.
Annualized Loss Expectancy (ALE) - Addresses the cost to the organization if it does nothing to counter existing threats (ALE = SLE × ARO).
Annualized Rate of Occurrence (ARO) - Estimates the frequency of an event and is used to calculate the ALE.
Threat Identification and Risk Analysis
Single Loss Expectancy Quantitative Risk Analysis Cont.
Flood threat
Exposure Factor (EF): 60 percent
Asset Value (AV) of the enterprise: $10,000,000
SLE = AV × EF = $10,000,000 × 0.60 = $6,000,000
Threat Identification and Risk Analysis
Single Loss Expectancy Quantitative Risk Analysis Cont.
Data entry error
Exposure Factor (EF): .001 percent
Asset Value (AV) of the enterprise: $1,000,000
SLE = AV × EF = $1,000,000 × 0.00001 = $10
Threat Identification and Risk Analysis
Single Loss Expectancy Quantitative Risk Analysis Cont.
Data entry error
SLE: $10
ARO: 125,000
ALE = SLE × ARO = $10 × 125,000 = $1,250,000
Threat Identification and Risk Analysis
Annualized Rate of Occurrence and Annualized Loss Expectancy: Quantitative Risk Analysis
Flood threat
SLE: $6,000,000
ARO: .01
ALE = SLE × ARO = $6,000,000 × 0.01 = $60,000
Threat Identification and Risk Analysis
Annualized Rate of Occurrence and Annualized Loss Expectancy: Quantitative Risk Analysis Cont.
It is necessary to perform a quantitative risk analysis for all threats identified during the threat identification process.
Then prioritize the threats and address the most serious threat first to enable management to focus resources where they do the most good.
Threat Identification and Risk Analysis
Quantitative Risk Analysis
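The SLE and ALE calculations from the flood and data-entry slides, carried through as an added Python example (not part of the course material): it applies SLE = AV × EF and ALE = SLE × ARO to both threats, ranks them by ALE as the slide above recommends, and adds the cost-versus-benefit check for a countermeasure. The control cost and the reduced ARO used for that check are constructed figures.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Threat:
    """One row of a quantitative risk analysis."""
    name: str
    asset_value: float      # AV: development/purchase, deployment and maintenance cost, in dollars
    exposure_factor: float  # EF: fraction of the asset destroyed by one occurrence (0.0 .. 1.0)
    aro: float              # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF, rounded to cents."""
        return round(self.asset_value * self.exposure_factor, 2)

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO, rounded to cents."""
        return round(self.sle() * self.aro, 2)


def ef_from_percent(percent: float) -> float:
    """Convert an EF quoted in percent to the fraction the formula needs.

    The slides quote the data-entry EF as '.001 percent' but multiply by .00001;
    skipping this conversion inflates the SLE by a factor of 100.
    """
    if not 0.0 <= percent <= 100.0:
        raise ValueError(f"exposure factor {percent}% is outside 0..100")
    return percent / 100.0


def prioritize(threats: List[Threat]) -> List[Threat]:
    """Order threats by ALE, largest first, so the most serious is addressed first."""
    return sorted(threats, key=lambda t: t.ale(), reverse=True)


def ranked_table(threats: List[Threat]) -> List[Tuple[str, float, float]]:
    """(name, SLE, ALE) rows in priority order."""
    return [(t.name, t.sle(), t.ale()) for t in prioritize(threats)]


def control_net_benefit(threat: Threat, aro_after: float, annual_control_cost: float) -> float:
    """Cost-versus-benefit of a countermeasure that lowers the ARO.

    Net annual benefit = ALE(before) - ALE(after) - annual cost of the control.
    A negative result means the control costs more than the loss it prevents.
    """
    after = Threat(threat.name, threat.asset_value, threat.exposure_factor, aro_after)
    return round(threat.ale() - after.ale() - annual_control_cost, 2)


# The two worked threats from the slides.
FLOOD = Threat("Flood", asset_value=10_000_000, exposure_factor=ef_from_percent(60), aro=0.01)
DATA_ENTRY_ERROR = Threat("Data entry error", asset_value=1_000_000,
                          exposure_factor=ef_from_percent(0.001), aro=125_000)


if __name__ == "__main__":
    for name, sle, ale in ranked_table([FLOOD, DATA_ENTRY_ERROR]):
        print(f"{name:18} SLE ${sle:>13,.2f}  ALE ${ale:>13,.2f}")
    # Constructed control: input validation cutting data-entry errors tenfold for $200,000 a year.
    print("Net benefit of control:",
          control_net_benefit(DATA_ENTRY_ERROR, aro_after=12_500, annual_control_cost=200_000))
```

Note that the frequent, tiny data-entry error outranks the rare flood once ALE rather than SLE is compared, which is the point of the annualized figure.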
When the threats are identified and the risks are assessed, a protection strategy must be deployed to protect against the risks.
There are two very different methods to handle risks:
• Risk management - Deploys protection mechanisms to reduce risks to acceptable levels.
• Risk avoidance - Eliminates risk by avoiding the threats altogether.
Risk Management and Risk Avoidance
Methods of Handling Risks
This method deploys protection mechanisms to reduce risks to acceptable levels.
Risk management is perhaps the most basic and the most difficult aspect of building secure systems, because it requires a good knowledge of risks, risk environments, and mitigation methods.
Risk Management and Risk Avoidance
Risk Management
Not all mitigation techniques are implemented based on the risk versus cost formula used in the quantitative risk analysis:
• Internal system compromise
• Stolen customer data
• Phony transactions if external server is broken into
• Phony transactions using a stolen customer PIN or smart card
• Insider attack on the system
• Data input error
• Data center destruction
Risk Management and Risk Avoidance
Risk Management Cont.
Using the risk avoidance approach, a company might decide against offering e-banking services as it is deemed too risky.
Such an attitude might be valid for some military organizations, but is usually not an option in the commercial world.
Organizations that can manage the risks are traditionally the most profitable.
Risk Management and Risk Avoidance
Risk Management Cont.
10.2 Security Architecture
Today, Internet worms and other security threats spread across the world in a matter of minutes, requiring that the security system, and the network itself, react instantaneously.
Consumer endpoints, such as iPhones, BlackBerrys, netbooks, and thousands of other devices, are becoming powerful substitutes for, or complements to, the traditional PC.
More people use these devices to access enterprise information.
Introducing the Cisco SecureX Architecture
Borderless Networks
The SecureX architecture is designed to provide effective security for any user, using any device, from any location, and at any time.
It uses a high-level policy language that can describe the full context of a situation, including who, what, where, when, and how.
With highly distributed security policy enforcement, security is pushed closer to where the end user is working, anywhere on the planet. This architecture consists of five major components:
• Scanning engines
• Delivery mechanisms
• Security Intelligence Operations (SIO)
• Policy management consoles
• Next-generation endpoints
Introducing the Cisco SecureX Architecture
SecureX Security Architecture
A context-aware scanning element does more than just examine packets on the wire.
It looks at external information to understand the full context of the situation: the who, what, where, when, and how of security.
These scanning elements are available as standalone appliances, software modules running in a router, or an image in the cloud.
They are managed from a central policy console that uses a high-level policy language to build context-aware policies.
A context-aware policy uses a simplified descriptive business language to define security policies based on five parameters:
• The person’s identity
• The application in use
• The type of device being used for access
• The location
• The time of access
Introducing the Cisco SecureX Architecture
Centralized Context-Aware
Delivers real-time global threat intelligence.
World’s largest cloud-based security ecosystem, using almost a million live data feeds from deployed Cisco email, web, firewall, and IPS solutions.
Cisco SIO weighs and processes the data, automatically categorizing threats and creating rules using more than 200 parameters.
Rules are dynamically delivered to deployed Cisco security devices every three to five minutes.
Introducing the Cisco SecureX Architecture
Cisco Security Intelligence Operations
Solutions for the Cisco SecureX Architecture
SecureX Products
• The goal of the Cisco secure edge and branch is to deploy devices and systems to detect and block attacks and exploits, and prevent intruder access.
• With firewall and intrusion prevention in standalone and integrated deployment options, organizations can avoid attacks and meet compliance requirements.
Solutions for the Cisco SecureX Architecture
Cisco Secure Edge and Branch
• Cisco secure email and web solutions protect an organization from evolving email and web threats.
• They reduce costly downtime associated with email-based spam, viruses, and web threats, and are available in a variety of form factors, including:
• On-premise appliances - Includes Cisco IronPort email security and IronPort web security appliances
• Cisco ScanSafe Cloud Web Security
Solutions for the Cisco SecureX Architecture
Secure Email and Web
Secure access technologies enforce network security policies, secure user and host access controls, and control network access based on dynamic conditions.
Solutions for the Cisco SecureX Architecture
SecureX Products
Cisco secure mobility solutions promote highly secure mobile connectivity with VPN, wireless security, and remote workforce security solutions that extend network access safely and easily to a wide range of users and devices.
Solutions for the Cisco SecureX Architecture
Secure Mobility
Cisco secure data center and virtualization solutions protect high-value data and data center resources with threat defense, secure virtualization, segmentation, and policy control.
Solutions for the Cisco SecureX Architecture
Secure Data Center and Virtualization
The security industry is always changing.
The next few years will prove to be a period of significant change, driven by three major trends:
• Consumerization of the endpoint
• Increasing use of high-definition video conferencing
• Adoption of cloud computing
Solutions for the Cisco SecureX Architecture
Network Security Services
10.3 Operations Security
Operations security is concerned with the day-to-day practices necessary to first deploy and later maintain a secure system.
It starts with the planning and implementation process of a network.
• During these phases, the operations team proactively analyzes designs, identifies risks and vulnerabilities, and makes the necessary adaptations.
• After a network is set up, the actual operational tasks begin, including the continual day-to-day maintenance of the environment.
Introducing Operations Security
Operations Security
The responsibilities of the operations team pertain to everything that takes place to keep the network, computer systems, applications, and the environment up and running in a secure and protected manner.
The operations team usually has the objectives of preventing recurring problems, reducing hardware failures to an acceptable level, and reducing the impact of hardware failure or disruption.
Introducing Operations Security
Operations Security Team
To ensure a secure working environment within the operations department, certain core principles should be integrated into the day-to-day activities:
Separation of duties
Rotation of duties
Trusted recovery
Change and configuration controls
Introducing Operations Security
Operations Security Team Cont.
Separation of duties (SoD) is the most difficult and sometimes the most costly control to achieve.
SoD states that no single individual has control over two or more phases of a transaction or operation.
• Instead, responsibilities are assigned in a way that incorporates checks and balances.
• This makes deliberate fraud more difficult to perpetrate because it requires collusion between two or more individuals or parties.
Principles of Operations Security
Separation of Duties
Trained individuals are given a specific assignment for a certain amount of time before moving to a new assignment.
A peer review is built into the practice of rotation of duties. For example, when five people do one job in the course of the week, each person reviews the work of the others.
Rotation of duties also prevents boredom, gives individuals a greater breadth of exposure to the entire network operation, and creates a strong and flexible operations department.
Principles of Operations Security
Rotation of Duties
Systems eventually fail!
• Therefore, a process for recovery must be established.
Backing up data is standard practice in most IT departments, and being prepared for system failure is also an important part of operations security:
• Back up critical data on a regular basis.
• Evaluate who has access to the files to back them up and what kind of access they have.
• Secure the backup media.
Principles of Operations Security
Trusted Recovery
Configuration and change control ensures that standardized methods and procedures are used to efficiently handle all changes.
It should address three major components:
• The processes in place to minimize system and network disruption
• Backups and reversing changes that go badly
• Guidance on the economic utilization of resources and time
A few suggestions are recommended to accomplish configuration changes in an effective and safe manner:
• Ensure that the change is implemented in an orderly manner with formalized testing.
• Ensure that the end users are aware of the coming change when necessary.
• Analyze the effects of the change after it is implemented.
Principles of Operations Security
Configuration and Change Control
Step 1. Apply to introduce the change.
Step 2. Catalog the proposed change.
Step 3. Schedule the change.
Step 4. Implement the change.
Step 5. Report the change to the relevant parties.
Principles of Operations Security
Configuration and Change Control Cont.
10.4 Network Security Testing
Network security testing is performed on a network to ensure that all security implementations are operating as expected. Testing is typically conducted during the implementation and operational stages.
During the implementation stage, security testing is conducted on specific parts of the security system.
After a network is fully integrated and operational, a Security Test and Evaluation (ST&E) is performed. ST&E is an examination or analysis of the protective measures that are placed on an operational network.
Tests should be repeated periodically and whenever a change is made to the system. Test more frequently on critical information or hosts that are exposed to constant threat.
Introducing Network Security Testing
Network Security Testing
Many tests can be conducted to assess the operational status of the system:
Penetration testing
Network scanning
Vulnerability scanning
Password cracking
Log review
Integrity checkers
Virus detection
Introducing Network Security Testing
Network Security Tests
Penetration testing
• Network penetration tests, or pen testing, simulate attacks from malicious sources.
• The goal is to determine the feasibility of an attack and possible consequences if one were to occur.
Network scanning
• Includes software that can ping computers, scan for listening TCP ports, and display which types of resources are available on the network.
• Some scanning software can also detect usernames, groups, and shared resources.
• Network administrators can use this information to strengthen their networks.
Introducing Network Security Testing
Network Security Tests Cont.
Vulnerability scanning
• Includes software that can detect potential weaknesses in the tested systems.
• These weaknesses can include misconfiguration, blank or default passwords, or potential targets for DoS attacks.
• Some software allows administrators to attempt to crash the system through the identified vulnerability.
Password cracking
• Includes software that is used to test and detect weak passwords that should be changed.
• Password policies should include guidelines to prevent weak passwords.
Introducing Network Security Testing
Network Security Tests Cont.
Log review
• System administrators should review security logs to identify potential security threats.
• Abnormal activity should be investigated using filtering software to scan lengthy log files.
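The log-review step above as a small filter, added here as an example and not part of the course material: it scans router syslog output for login failures, flags a source that fails repeatedly inside a short window, and flags a later success from that same source. The sample lines are constructed in the style of Cisco IOS %SEC_LOGIN messages (not captured from a real device); the hostname R1, the addresses in 192.0.2.0/24 and the threshold and window values are all assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample log (IOS-style syslog, year-less timestamps), not a real capture.
SAMPLE_LOG = """\
Mar 1 10:00:01 R1 10: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed]
Mar 1 10:00:03 R1 11: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed]
Mar 1 10:00:05 R1 12: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: backup] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed]
Mar 1 10:00:08 R1 13: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: operator] [Source: 192.0.2.20] [localport: 22] [Reason: Login Authentication Failed]
Mar 1 10:00:09 R1 14: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed]
Mar 1 10:00:12 R1 15: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed]
Mar 1 10:00:15 R1 16: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.20)
Mar 1 10:00:20 R1 17: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: operator] [Source: 192.0.2.20] [localport: 22]
Mar 1 10:00:31 R1 18: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed]
Mar 1 10:00:40 R1 19: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.10] [localport: 22]
"""

# Only the login-related messages are parsed; every other syslog line is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \d+: "
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS): .*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\]"
)


def parse(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of a %SEC_LOGIN line, or None for any other message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Year-less timestamps parse to 1900; differences within a day are still correct.
    return {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "event": m["event"], "user": m["user"], "src": m["src"]}


def review(log_text: str, threshold: int = 5,
           window: timedelta = timedelta(minutes=2)) -> List[Dict[str, object]]:
    """Flag sources with >= threshold failures inside the window, and any later success from them."""
    recent: Dict[str, deque] = defaultdict(deque)  # src -> failure timestamps inside the window
    flagged = set()
    alerts: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["event"] == "LOGIN_FAILED":
            q = recent[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "failed_login_burst", "src": src,
                               "count": len(q), "at": ev["ts"]})
        elif src in flagged:
            # A success after a burst of failures is the line worth investigating first.
            alerts.append({"type": "success_after_failures", "src": src,
                           "user": ev["user"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```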
Integrity checkers
• An integrity checking system detects and reports on changes in the system.
• Most of the monitoring is focused on the file system. However, some checking systems can report on login and logout activities.
Virus detection
• Virus detection software can be used to identify and remove computer viruses and other malware.
Introducing Network Security Testing
Network Security Tests Cont.
Network security testing results can be used in several ways:
To define mitigation activities to address identified vulnerabilities
As a benchmark to trace the progress of an organization in meeting security requirements
To assess the implementation status of system security requirements
To conduct cost and benefit analysis for improvements to system security
To enhance other activities, such as risk assessments, certification and authorization (C&A), and performance improvement efforts
As a reference point for corrective action
Introducing Network Security Testing
Applying Network Test Results
Nmap - Discovers computers and services on a computer network, thus creating a map of the network
SuperScan - Port scanning software designed to detect open TCP and UDP ports, what services are running on those ports, and run queries, such as whois, ping, traceroute, and hostname lookups
GFI LANguard - Network and security scanner which detects vulnerabilities
Tripwire - Assesses and validates IT configurations against internal policies, compliance standards, and security best practices
Nessus - Vulnerability scanning software, focusing on remote access, misconfiguration, passwords, and DoS against the TCP/IP stack
L0phtcrack - Password auditing and recovery application
Metasploit - Provides information about vulnerabilities and aids in penetration testing and IDS signature development
Network Security Testing Tools
Network Testing Tools
Nmap is a low-level scanner that has an array of excellent features which can be used for network mapping and reconnaissance.
Classic TCP and UDP port scanning - Searches for different services on one host.
Classic TCP and UDP port sweeping - Searches for the same service on multiple hosts.
Stealth TCP and UDP port scans and sweeps - Similar to classic scans and sweeps, but harder to detect by the target host or IPS.
Remote operating system identification - This is also known as OS fingerprinting.
Network Security Testing Tools
Nmap
SuperScan is a Microsoft Windows port scanning tool.
SuperScan version 4 has a number of useful features:
• Adjustable scanning speed
• Support for unlimited IP ranges
• Improved host detection using multiple ICMP methods
• TCP SYN scanning
• UDP scanning (two methods)
• Simple HTML report generation
• Source port scanning
• Fast hostname resolving
• Extensive banner grabbing
• Massive built-in port list description database
• IP and port scan order randomization
• A selection of useful tools, such as ping, traceroute, and whois
• Extensive Windows host enumeration capability
Network Security Testing Tools
SuperScan
10.5 Business Continuity Planning and Disaster Recovery
Business continuity planning addresses the continuing operations of an organization in the event of a disaster or prolonged service interruption that affects the mission of the organization.
These plans address:
• An emergency response phase
• A recovery phase
• A return to normal operation phase
Business continuity planning may include plans, such as:
• Moving or relocating critical business components and people to a remote location while the original location is being repaired.
• Using different channels of communication to deal with customers, shareholders, and partners until operations are returned to normal.
Continuity Planning and Disaster Recovery
Business Continuity Planning
Disaster recovery is the process of regaining access to the data, hardware, and software necessary to resume critical business operations after a natural or human-induced disaster.
It includes plans for coping with the unexpected or sudden loss of key personnel.
Continuity Planning and Disaster Recovery
Disaster Recovery
When planning for disaster recovery and business continuity, the first step is identifying the possible types of disasters and disruptions.
Not all disruptions to business operations are equal.
A good disaster recovery plan considers the magnitude of the disruption, recognizing that there are differences between catastrophes, disasters, and minor incidents.
Recovery Plans and Redundancy
Recovery Plans
Large organizations might require a redundant facility if some catastrophic event results in facility destruction.
Hot site:
• A completely redundant facility with almost identical equipment.
Warm site:
• Physically redundant facilities, but software and data are not stored and updated on the equipment.
• A disaster recovery team is required to physically go to the redundant facility and get it operational.
• Depending on how much software and data is involved, it can take days before operations are ready to resume.
Cold site:
• An empty datacenter with racks, power, WAN links, and heating, ventilation, and air conditioning (HVAC) already present, but no equipment.
Recovery Plans and Redundancy
Redundancy
The primary goal of disaster recovery is to restore the network to a fully functional state.
Two of the most critical components of a functional network are the router configuration and the router image files.
Every disaster recovery plan should include backup and retrieval of these files.
Because an organization's network configuration includes private or proprietary information, these files must be copied in a secure manner.
The secure copy (SCP) feature provides a secure and authenticated method for copying router configuration or router image files.
Secure Copy
Secure Copy
Because SCP relies on SSH for secure transport, before enabling SCP, you must correctly configure SSH, and the router must have an RSA key pair.
To configure the router for server-side SCP, perform these steps:
Step 1. Enable AAA with the aaa new-model global configuration mode command.
Secure Copy
SCP Server Configuration
Step 2. Define a named list of authentication methods with the aaa authentication login {default | list-name} method1 [method2...] command.
Secure Copy
SCP Server Configuration Cont.
Step 3. Configure command authorization with the aaa authorization {network | exec | commands level} {default | list-name} method1...[method4] command.
Secure Copy
SCP Server Configuration Cont.
Step 4. Configure a username and password to use for local authentication with the username name [privilege level] {password encryption-type password} command. This step is optional if using network-based authentication such as TACACS+ or RADIUS.
Secure Copy
SCP Server Configuration Cont.
Step 5. Enable SCP server-side functionality with the ip scp server enable command.
Secure Copy
SCP Server Configuration Cont.
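Added example (not Cisco's code and not part of the course): a small Python audit that reads an IOS running-config and reports which of the SSH prerequisites and the five server-side SCP steps above are missing, plus a check for SCP user accounts still stored as a reversible password. Both sample configs, the hostnames, user names and password strings are constructed placeholders; the RSA key pair never appears in running-config, so it is verified on the router with show crypto key mypubkey rsa rather than here.

```python
"""Audit an IOS running-config for the server-side SCP prerequisites.

Added example, not Cisco's code or part of the course: every config line,
hostname and user name below is a constructed placeholder.
"""
import re

# Prerequisites in procedure order: SSH groundwork first, then steps 1-5.
# Each entry is (description, regex applied per line of the config text).
CHECKS = [
    ("ip domain-name set (needed to generate the RSA key pair)", r"^ip domain-name \S+"),
    ("SSH version 2 enforced", r"^ip ssh version 2$"),
    ("AAA enabled (aaa new-model)", r"^aaa new-model$"),
    ("login authentication method list defined", r"^aaa authentication login (default|\S+) \S+"),
    ("exec or command authorization defined",
     r"^aaa authorization (exec|commands \d+|network) (default|\S+) \S+"),
    # Step 4 is optional when a TACACS+ or RADIUS group authenticates the user.
    ("SCP user: local username or AAA server group",
     r"(?:^username \S+.*\b(?:secret|password)\b)"
     r"|(?:^aaa authentication login \S+ .*group (?:tacacs\+|radius))"),
    ("SCP server enabled (ip scp server enable)", r"^ip scp server enable$"),
]

# Constructed sample of a router after steps 1-5 plus the SSH prerequisites.
# The RSA key itself is not part of running-config; confirm it on the router
# with "show crypto key mypubkey rsa".
COMPLETE_CONFIG = """\
hostname R1
ip domain-name example.test
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username scpadmin privilege 15 secret 5 $1$PLACEHOLDER$HASH
ip ssh version 2
ip scp server enable
"""

# Constructed sample with steps 1, 3 and 5 missing and a reversible password.
INCOMPLETE_CONFIG = """\
hostname R2
ip domain-name example.test
aaa authentication login default local
username backup password 0 PlaceholderPw
ip ssh version 2
"""


def audit_scp_server(config):
    """Map each prerequisite description to True/False for the given config text."""
    return {desc: re.search(pat, config, re.MULTILINE) is not None for desc, pat in CHECKS}


def missing_prerequisites(config):
    """Descriptions of the checks that fail, in procedure order."""
    return [desc for desc, ok in audit_scp_server(config).items() if not ok]


def weak_credential_lines(config):
    """username lines that keep a reversible 'password' (type 0/7) rather than a hashed 'secret'.

    Such a line still satisfies step 4, but the config file being backed up then
    carries a recoverable credential, which is the reason for copying it securely.
    """
    return [ln for ln in config.splitlines() if re.match(r"^username \S+.* password ", ln)]


if __name__ == "__main__":
    for name, cfg in (("R1", COMPLETE_CONFIG), ("R2", INCOMPLETE_CONFIG)):
        print(f"{name}: missing {missing_prerequisites(cfg) or 'nothing'}; "
              f"weak credentials: {weak_credential_lines(cfg) or 'none'}")
```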
10.6 System Development Life Cycle
Business continuity and disaster recovery plans are ever-changing documents.
Evaluating system changes and adjusting plans are all part of a system life cycle.
The term “system” can refer to a single device or a group of devices that operate together within a network.
Introducing SDLC
System Life Cycle
Five phases of the SDLC:
1. Initiation
2. Acquisition and development
3. Implementation
4. Operation and maintenance
5. Disposition
When using the SDLC to design a network, each phase should include a minimum set of security requirements. This results in less expensive and more effective security as compared to adding security to an operational system after the fact.
Introducing SDLC
Phases of SDLC
Security categorization - Define three levels (low, moderate, and high) of potential impact on organizations or individuals if there is a breach of security.
Preliminary risk assessment - Initial description of the basic security needs of the system that defines the threat environment in which the system operates.
Phases of the SDLC
Initiation
Consists of the following tasks:
• Risk assessment
• Security functional requirements
• Security assurance requirements
• Security cost considerations and reporting
• Security planning
• Security control development
• Developmental security test and evaluation
Phases of the SDLC
Acquisition and Development
Consists of the following tasks:
• Inspection and acceptance
• System integration
• Security certification
Phases of the SDLC
Implementation Phase
Consists of the following tasks:
• Configuration management and control
• Continuous monitoring
Phases of the SDLC
Operations and Maintenance
Consists of the following tasks:
• Information preservation
• Media sanitization
• Hardware and software disposal
Phases of the SDLC
Disposition Phase
10.7 Developing a Comprehensive Security Policy
Security Policy Overview
Secure Network Life Cycle
The Secure Network Life Cycle is a process of assessment and re-evaluation of equipment and security needs as the network changes.
One important aspect of this ongoing evaluation is to understand which assets an organization must protect, even as those assets are changing.
• Determine what the assets of an organization are by asking questions:
• What does the organization have that others want?
• What processes, data, or information systems are critical to the organization?
• What would stop the organization from doing business or fulfilling its mission?
Security Policy Overview
Security Policy
A security policy may include the following:
• Identification and Authentication Policies - Specifies authorized persons that can have access to network resources and verification procedures.
• Password Policies - Ensures passwords meet minimum requirements and are changed regularly.
• Acceptable Use Policies - Identifies network applications and usages that are acceptable to the organization. It may also identify ramifications if this policy is violated.
• Remote Access Policies - Identifies how remote users can access a network and what is accessible via remote connectivity.
• Network Maintenance Policies - Specifies network device operating systems and end user application update procedures.
• Incident Handling Procedures - Describes how security incidents are handled.
Security Policy Overview
Security Policy Audience
The audience for the security policy is anyone who has access to the network.
Internal audience includes various personnel, such as managers and executives, departments and business units, technical staff, and employees.
External audience is also a varied group that includes partners, customers, suppliers, consultants, and contractors.
Structure of a Security Policy
Security Policy Hierarchy
These documents are often broken into a hierarchical structure:
• Governing policy - High-level treatment of the security guidelines that are important to the entire company. Managers and technical staff are the intended audience. The governing policy controls all security-related interactions among business units and supporting departments in the company.
• Technical policy - Used by security staff members as they carry out security responsibilities for the system. These policies are more detailed than the governing policy and are system-specific or issue-specific. For example, access control and physical security issues are described in a technical policy.
• End user policy - Covers all security topics that are important to end users. End users can include employees, customers, and any other individual user of the network.
Structure of a Security Policy
Governing Policy
The governing policy outlines the company’s overall security goals for managers and technical staff.
It covers all security-related interactions among business units and supporting departments in the company.
Includes several components:
• Statement of the issue that the policy addresses
• How the policy applies in the environment
• Roles and responsibilities of those affected by the policy
• Actions, activities, and processes that are allowed (and not allowed)
• Consequences of noncompliance
Structure of a Security Policy
Technical Policy
Technical policies are detailed documents that are used by technical staff in the conduct of their daily security responsibilities.
Technical policies are broken down into specified technical areas, including:
• General Policies
• Telephony Policy
• Email and Communications Policy
• Remote Access Policy
• Network Policy
• Application Policy
Structure of a Security Policy
End User Policies
End user policies cover all rules pertaining to information security that end users should know about and follow.
End user policies might overlap with technical policies, but may also include:
• Identity Policy
• Password Policy
• Anti-Virus Policy
Standards, Guidelines, and Procedures
Security Policy Documents
The security policy documents are high-level overview documents.
These include:
• Standards documents
• Guidelines documents
• Procedures documents
One of the most important security principles is consistency and therefore it is necessary for organizations to establish standards.
Each organization develops standards to support its unique operating environment.
Device configuration standards are defined in the technical section of an organization's security policy.
Standards, Guidelines, and Procedures
Standard Documents
Guidelines provide a list of suggestions on how to do things better.
• They are similar to standards, but are more flexible and are not usually mandatory.
• Guidelines can be used to define how standards are developed and to guarantee adherence to general security policies.
A number of guidelines are widely available:
• National Institute of Standards and Technology (NIST) Computer Security Resource Center
• National Security Agency (NSA) Security Configuration Guides
• The Common Criteria Standard
Standards, Guidelines, and Procedures
Guideline Documents
Procedure documents are longer and more detailed than standards and guidelines.
Procedure documents include implementation details, usually with step-by-step instructions and graphics.
Procedure documents are extremely important for large organizations to have the consistency of deployment that is necessary for a secure environment.
Standards, Guidelines, and Procedures
Procedure Documents
All persons in an organization, from the Chief Executive Officer (CEO) to the newest hires, are considered end users of the network and must abide by the organization’s security policy.
Developing and maintaining the security policy is delegated to specific roles within the IT department.
Roles and Responsibilities
Organizational Reporting Structure
Chief Executive Officer (CEO)
• Is ultimately responsible for the success of an organization.
• All executive positions report to the CEO.
Chief Technology Officer (CTO)
• Identifies and evaluates new technologies and drives new technology development to meet organization objectives.
• Maintains and enhances the enterprise systems, while providing direction in all technology-related areas to support operations.
Roles and Responsibilities
Common Executive Titles
Chief Information Officer (CIO)
• Responsible for the information technology and computer systems that support enterprise goals, including successful deployment of new technologies and work processes.
• Small-to-medium-sized organizations typically combine the responsibilities of CTO and CIO into a single position.
• When an organization has both a CTO and CIO, the CIO is generally responsible for processes and practices supporting the flow of information, and the CTO is responsible for technology infrastructure.
Chief Security Officer (CSO)
• Develops, implements, and manages the organization’s security strategy, programs, and processes associated with all aspects of business operation, including intellectual property.
• A major aspect of this position is to limit exposure to liability in all areas of financial, physical, and personal risk.
Chief Information Security Officer (CISO)
• Similar to the CSO, except that this position has a specific focus on IT security.
• The CISO must develop and implement the security policy, either as its primary author or by managing its authorship. In either case, the CISO is responsible and accountable for security policy content.
Roles and Responsibilities
Common Executive Titles
Where is the weakest link in any network infrastructure? The User!
To help ensure the enforcement of the security policy, a security awareness program must be put in place.
Security Awareness and Training
Security Awareness Program
A security awareness program usually has two major components:
• Awareness campaigns
• Training and education
A good security awareness program:
• Informs users of their IT security responsibilities.
• Explains all IT security policies and procedures for using the IT systems and data within a company.
• Helps protect the organization from loss of intellectual capital, critical data, and even physical equipment.
• Must also detail the sanctions that the organization imposes for noncompliance.
• Should be part of all new hire orientation.
Security Awareness and Training
Security Awareness Program Cont.
“Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. In awareness activities, the learner is the recipient of information... Awareness relies on reaching broad audiences with attractive packaging techniques.” (NIST Special Publication 800-16)
Security Awareness and Training
Awareness Campaigns
There are several methods of increasing security awareness:
• Posters, newsletter articles, and bulletins
• Lectures, videos
• Awards for good security practices
• Reminders, such as login banners, mouse pads, coffee cups, and notepads
Security Awareness and Training
Awareness Campaigns Cont.
An effective security training course requires proper planning, implementation, maintenance, and periodic evaluation.
The life cycle of a security training course includes several steps:
Step 1. Identify course scope, goals, and objectives.
Step 2. Identify and educate training staff.
Step 3. Identify target audiences.
Step 4. Motivate management and employees.
Step 5. Administer the courses.
Step 6. Maintain the courses.
Step 7. Evaluate the courses.
Security Awareness and Training
Security Training Course Cont.
Education integrates all the security skills and competencies of the various functional specialties into a common body of knowledge.
It adds a multidisciplinary study of concepts, issues, and principles, both technological and social, and strives to produce IT security professionals capable of vision and proactive response.
An example of an educational program is a degree program at a college or university.
Security Awareness and Training
Educational Program
A big reason for setting security policies and implementing awareness programs is compliance with the law.
• You must be familiar with the laws and codes of ethics that are binding for Information Systems Security (INFOSEC) professionals.
Most countries have three types of laws:
• Criminal law:
• Concerned with crimes, and its penalties usually involve fines or imprisonment, or both.
• Civil law (also called tort):
• Focuses on correcting situations in which entities have been harmed and an economic award can help.
• Imprisonment is not possible in civil law.
• For example: suing for patent infringement.
• Administrative law:
• Involves government agencies enforcing regulations.
• For example: a company might owe its employees vacation pay.
Laws and Ethics
Laws
Ethics is a standard that is higher than the law.
It is a set of moral principles that govern civil behavior and are often referred to as codes of ethics.
Ethical principles are often the foundation of many of the laws currently in place.
Individuals that violate the code of ethics can face consequences such as loss of certification, loss of employment, and even prosecution by criminal or civil court.
Laws and Ethics
Ethics
The information security profession has a number of formalized codes:
International Information Systems Security Certification Consortium, Inc (ISC)2 Code of Ethics
Computer Ethics Institute (CEI)
Internet Activities Board (IAB)
Generally Accepted System Security Principles (GASSP)
Laws and Ethics
Ethics Cont.
Code of Ethics Preamble
“Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this Code is a condition of certification.”
Code of Ethics Canons
• Protect society, the commonwealth, and the infrastructure.
• Act honorably, honestly, justly, responsibly, and legally.
• Provide diligent and competent service to principals.
• Advance and protect the profession.
Laws and Ethics
Code of Ethics
Different countries have different legal standards. In most countries and courts, to successfully prosecute an individual, it is necessary to establish motive, opportunity, and means.
Motive answers the question of why a person committed the illegal act.
Opportunity answers the question of when and where the person committed the crime.
Means answers the question of how the person committed the crime.
Establishing motive, opportunity, and means is a standard for finding and prosecuting individuals of all types of crimes.
Responding to a Security Breach
Motive, Opportunity, and Means
The process of collecting data must be done precisely and quickly.
When a security breach occurs, it is necessary to isolate the infected system immediately.
After data is collected, but before equipment is disconnected, it is necessary to photograph the equipment in place.
If security protocols are established and followed, organizations can minimize the loss and damages resulting from attacks.
Responding to a Security Breach
Collecting Data