
Chapter 7: Protecting a Cybersecurity Domain

Protecting your domain is an ongoing process to secure an organization’s network infrastructure. It requires that individuals remain constantly vigilant to threats and take action to prevent any compromises. This chapter discusses the technologies, processes and procedures that cybersecurity professionals use to defend the systems, devices, and data that make up the network infrastructure.

A secure network is only as strong as its weakest link. It is important to secure the end devices that reside on the network. Endpoint security includes
securing the network infrastructure devices on the local-area network (LAN) and end systems, such as workstations, servers, IP phones, and access points.

Device hardening is a critical task when securing the network. It involves implementing proven methods of securing network devices, both physically and in their configuration. Some of these methods involve securing administrative access, maintaining passwords, and implementing secure communications.

Operating System Security

The operating system plays a critical role in the operation of a computer system and is the target of many attacks. The security of the operating system has
a cascading effect on the overall security of a computer system.

An administrator hardens an operating system by modifying the default configuration to make it more secure against outside threats. This process includes the removal of unnecessary programs and services. Another critical requirement of hardening operating systems is the application of security patches and updates. Security patches and updates are fixes which companies release to mitigate vulnerabilities and correct faults in their products.

An organization should have a systematic approach in place for addressing system updates by:

 Establishing procedures for monitoring security-related information

 Evaluating updates for applicability

 Planning the installation of application updates and patches

 Installing updates using a documented plan

Another critical requirement of securing operating systems is to identify potential vulnerabilities. This can be accomplished by establishing a baseline: a record of the known-good state of a system (installed patches, running services, configuration settings, digests of critical files). Comparing a system against its baseline shows where it has drifted, and drift is where vulnerabilities and compromises hide.

Microsoft Baseline Security Analyzer (MBSA) assessed missing security updates and security misconfigurations in Microsoft Windows. MBSA checked blank, simple, or non-existent passwords, firewall settings, guest account status, administrator account details, security event auditing, unnecessary services, network shares, and registry settings. Microsoft no longer maintains MBSA; on current Windows versions the same ground is covered by Windows Update and WSUS reporting together with the Security Compliance Toolkit baselines. After hardening the operating system, the administrator creates the policies and procedures to maintain a high level of security.

Antimalware

Malware includes viruses, worms, Trojan horses, keyloggers, spyware, and adware. All of these invade privacy, steal information, damage the system, or delete and corrupt data.

It is important to protect computers and mobile devices using reputable antimalware software. The following types of antimalware programs are available:

 Antivirus protection - Program continuously monitors for viruses. When it detects a virus, the program warns the user, and it attempts to
quarantine or delete the virus, as shown in Figure 1.

 Adware protection – Program continuously looks for programs that display advertising on a computer.

 Phishing protection – Program blocks known phishing websites (by URL, domain, or IP address) and warns the user about suspicious sites.

 Spyware protection – Program scans for keyloggers and other spyware.

 Trusted / untrusted sources – Program warns the user about unsafe programs trying to install or unsafe websites before a user visits them.

It may take several different programs and multiple scans to remove all malicious software completely. Run only one real-time malware protection program at a time; two resident scanners interfere with each other and degrade performance.

Several reputable security organizations such as McAfee, Symantec, and Kaspersky offer all-inclusive malware protection for computers and mobile devices.

Be cautious of malicious rogue antivirus products that may appear while browsing the Internet. Most of these rogue antivirus products display an ad or pop-up that looks like an actual Windows warning window, as shown in Figure 2. They usually state that malware is infecting the computer and prompt the user to clean it. Clicking anywhere inside the window, including its close button, may actually begin the download and installation of the malware.

Unapproved, or non-compliant, software is not just software that a user unintentionally installs on a computer. It can also come from users who meant to install it. It may not be malicious, but it still may violate security policy. This type of non-compliant software can interfere with company software or network services. Users must remove unapproved software immediately.
Patch Management

Patches are code updates that vendors provide to fix a discovered vulnerability or defect, so that a virus or worm exploiting it can no longer succeed. From time to time, vendors combine patches and upgrades into a comprehensive update package called a service pack (on current Windows versions, a cumulative update). Many devastating virus attacks could have been much less severe if more users had installed the latest patches promptly.

Windows routinely checks the Windows Update website for high-priority updates that can help protect a computer from the latest security threats. These
updates include security updates, critical updates, and service packs. Depending on the setting configured, Windows automatically downloads and installs
any high-priority updates that the computer needs or notifies the user as these updates become available.

Some organizations may want to test a patch before deploying it throughout the organization. The organization would use a service to manage patches locally, such as Windows Server Update Services (WSUS), instead of using the vendor’s online update service. The benefits of using an automated patch update service include the following:

 Administrators can approve or decline updates

 Administrators can force the update of systems for a specific date

 Administrators can obtain reports on the update needed by each system

 Each computer does not have to connect to the vendor’s service to download patches; a system gets the update from a local server

 Users cannot disable or circumvent updates

An automated patch service provides administrators with a more controlled setting.

Host-Based Firewalls and Intrusion Detection Systems

A host-based solution is a software application that runs on a local host computer to protect it. The software works with the operating system to help prevent
attacks.

Host-based Firewalls

A software firewall is a program that runs on a computer to allow or deny traffic between the computer and other connected computers. The software firewall applies a set of rules to data transmissions through inspection and filtering of data packets. Windows Firewall (now branded Windows Defender Firewall) is an example of a software firewall. The Windows operating system installs it by default during installation.

The user can control the type of data sent to and from the computer by opening or blocking selected ports. By default, Windows Firewall blocks unsolicited inbound connections and allows outbound connections; exceptions (rules) open or close the ports that a particular program requires, and a block rule always overrides an allow rule.

In Figure 1, the user selects Inbound Rules to configure the types of traffic allowed to pass through to the system. Configuring inbound rules will help protect
the system from unwanted traffic.
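The decision logic behind such a rule set, as an added example written for this page (it is not code from Windows Firewall or from the original text). It models the two properties that matter when you write exceptions: inbound traffic is dropped and outbound allowed unless a rule says otherwise, and a matching block rule wins over a matching allow rule no matter where it sits in the list, which is how Windows Defender Firewall resolves conflicts (first-match filters such as iptables behave differently). The rule names, addresses and packets are constructed for the demo.

```python
"""Host firewall decision model. Added example, not from the original page."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Default policy per direction: unsolicited inbound is dropped, outbound is allowed.
DEFAULT_ACTION = {"in": "block", "out": "allow"}


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str              # "in" or "out"
    action: str                 # "allow" or "block"
    protocol: str               # "tcp", "udp" or "any"
    port: Optional[int]         # local port (inbound) or remote port (outbound); None = any
    remote: str = "0.0.0.0/0"   # remote address scope the rule applies to


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    port: int
    remote_ip: str


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.protocol in ("any", pkt.protocol)
            and rule.port in (None, pkt.port)
            and ip_address(pkt.remote_ip) in ip_network(rule.remote))


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """Return (action, reason). Any matching block rule wins over any matching
    allow rule regardless of list order; with no match, the default applies."""
    matching = [r for r in rules if rule_matches(r, pkt)]
    for r in matching:
        if r.action == "block":
            return "block", r.name
    for r in matching:
        if r.action == "allow":
            return "allow", r.name
    default = DEFAULT_ACTION[pkt.direction]
    return default, f"default {default} policy"


# Constructed rule set (hypothetical names): an RDP exception limited to the
# internal range, SSH allowed generally but blocked from one hostile network
# (listed after the allow, and still winning), and no outbound Telnet.
RULES = [
    Rule("Remote Desktop (internal only)", "in", "allow", "tcp", 3389, "10.0.0.0/8"),
    Rule("OpenSSH server", "in", "allow", "tcp", 22),
    Rule("Block SSH from known-bad range", "in", "block", "tcp", 22, "203.0.113.0/24"),
    Rule("No outbound Telnet", "out", "block", "tcp", 23),
]


def demo() -> dict[str, str]:
    """Constructed packets run against RULES; returns case name -> action."""
    cases = {
        "rdp from internal": Packet("in", "tcp", 3389, "10.1.2.3"),
        "rdp from internet": Packet("in", "tcp", 3389, "198.51.100.7"),
        "ssh from internal": Packet("in", "tcp", 22, "10.0.0.9"),
        "ssh from bad range": Packet("in", "tcp", 22, "203.0.113.5"),
        "outbound https": Packet("out", "tcp", 443, "93.184.216.34"),
        "outbound telnet": Packet("out", "tcp", 23, "10.0.0.1"),
    }
    return {name: evaluate(RULES, pkt)[0] for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:20} -> {action}")
```

The case to notice is "ssh from bad range": the block rule is listed after the allow rule and still wins, so narrowing an existing exception is done by adding a block rule, not by reordering. RDP from the Internet falls through to the default inbound block because the only RDP rule is scoped to 10.0.0.0/8.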

Host Intrusion Detection Systems

A host intrusion detection system (HIDS) is software that runs on a host computer that monitors suspicious activity. Each server or desktop system that
requires protection will need to have the software installed as shown in Figure 2. HIDS monitors system calls and file system access to ensure that the
requests are not the result of malicious activity. It can also monitor system registry settings. The registry maintains configuration information about the
computer.

HIDS stores all log data locally, which means an attacker who gains control of the host can also alter or delete the evidence; forwarding HIDS logs to a central log server or SIEM removes that single point of failure. HIDS can also affect system performance because it is resource intensive. A host intrusion detection system cannot monitor any network traffic that does not reach the host system, but it does monitor operating system and critical system processes specific to that host.
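The file-system monitoring that a HIDS performs, and the baseline comparison described under Operating System Security, come down to the same mechanism: record a digest of every file you care about, then rescan and report what changed. The following is an added example written for this page (not code from any HIDS product or from the original text). The directory layout, file contents and the tampering it detects are constructed for the demo.

```python
"""File-integrity baseline and drift check. Added example, not from the original page."""

import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare_to_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Rescan root and classify drift against the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a small 'system' tree is baselined, then a
    config file is altered, an unexpected binary appears, and a log vanishes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF-original")
        (root / "audit.log").write_text("ok\n")

        baseline = build_baseline(root)   # in practice: stored off-host or signed

        # Simulated tampering after the baseline was taken.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "nc").write_bytes(b"\x7fELF-dropped")
        (root / "audit.log").unlink()

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two practical points the demo glosses over: the baseline itself must be kept where the monitored host cannot rewrite it (off-host, or signed), otherwise an intruder simply re-baselines after modifying files; and a real deployment excludes paths that legitimately change (logs, spool directories) so that alerts stay meaningful.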

Secure Communications

When connecting to the local network and sharing files, the communication between computers stays within that network, so only devices on the same LAN can observe it, but it is not encrypted. To communicate and share resources over a network that is not trusted, such as the Internet, users employ a Virtual Private Network (VPN).

A VPN is a private network that connects remote sites or users together over a public network, like the Internet. The most common type of VPN provides access to a corporate private network. The VPN carries traffic through encrypted tunnels, routed over the Internet, between the corporate private network and the remote user. When connected to the corporate private network, users become part of that network and have access to all services and resources as if they were physically connected to the corporate LAN; for that reason, VPN access should be limited by the same least-privilege rules that apply to on-site users.

Remote-access users must have a VPN client installed on their computers to form a secure connection with the corporate private network. The VPN client
software encrypts data before sending it over the Internet to the VPN gateway at the corporate private network. VPN gateways establish, manage, and
control VPN connections, also known as VPN tunnels.

Operating systems include a VPN client that the user configures for a VPN connection.

WEP

One of the most important components of modern computing is the mobile device. The majority of devices found on today’s networks are laptops, tablets, smartphones and other wireless devices. Mobile devices transmit data using radio signals that any device with a compatible antenna can receive. For this reason the computer industry has developed a suite of wireless security standards, products and devices. These standards encrypt information transmitted through the airwaves by mobile devices.

Wired Equivalent Privacy (WEP) was the first widely used Wi-Fi security standard. The WEP standard provided authentication and encryption protections. WEP is obsolete, but many devices still support it for backwards compatibility. WEP became a Wi-Fi security standard in 1999 when wireless communication was just catching on. It encrypts each frame with the RC4 stream cipher, keyed by a 24-bit initialization vector (IV) that is sent in the clear together with a 40-bit or 104-bit shared key. Despite revisions to the standard and the increased key size, WEP suffers from numerous weaknesses: the small IV space guarantees keystream reuse on a busy network, and statistical attacks on RC4’s key scheduling recover the shared key itself. Cyber criminals can crack WEP keys in minutes using freely available software. Users should upgrade any system that still relies on WEP.
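Why the 24-bit IV is fatal, shown as an added example written for this page (not code from the original text or from any Wi-Fi tool). The RC4 below is the textbook algorithm; the WEP key, IVs and frames are constructed for the demo, and WEP's CRC-32 integrity value is omitted. The key-recovery attacks the text refers to (the FMS and PTW attacks used by aircrack-ng) exploit a related RC4 weakness and are not shown here; this example shows only the keystream-reuse problem, which needs no key at all.

```python
"""WEP keystream reuse through IV collision. Added example, not from the original page."""

import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling (KSA) followed by keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                     # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    """Stream cipher: encryption and decryption are the same XOR."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def wep_encrypt(secret: bytes, iv: bytes, frame: bytes) -> bytes:
    """WEP per-frame key is IV || secret; the 3-byte IV travels in the clear."""
    assert len(iv) == 3
    return iv + rc4(iv + secret, frame)


def wep_decrypt(secret: bytes, packet: bytes) -> bytes:
    iv, body = packet[:3], packet[3:]
    return rc4(iv + secret, body)


def recover_from_iv_reuse(pkt1: bytes, known_plain1: bytes, pkt2: bytes):
    """Attacker's view: no key, two captured frames under the same IV, and the
    plaintext of one of them (e.g. a predictable ARP or DHCP frame)."""
    if pkt1[:3] != pkt2[:3]:
        return None                               # different IV, different keystream
    keystream = xor_bytes(pkt1[3:], known_plain1)  # C1 xor P1 = keystream
    return xor_bytes(pkt2[3:], keystream)          # C2 xor keystream = P2


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: chance that at least one IV repeats among `frames` random IVs."""
    n = 2 ** iv_bits
    return 1 - math.exp(-frames * (frames - 1) / (2 * n))


SECRET = bytes.fromhex("0102030405")   # constructed 40-bit WEP key ("64-bit WEP")


def demo() -> bytes:
    """The access point reuses one IV for two frames; the attacker knows the
    first plaintext (an HTTP request) and recovers the second without the key."""
    iv = b"\x00\x00\x2a"
    p1 = b"GET /index.html HTTP/1.1"
    p2 = b"user=admin&pass=s3cret!!"
    c1 = wep_encrypt(SECRET, iv, p1)
    c2 = wep_encrypt(SECRET, iv, p2)
    return recover_from_iv_reuse(c1, p1, c2)


if __name__ == "__main__":
    print(demo())
    print(f"P(IV repeat after 4096 frames) = {iv_collision_probability(4096):.2f}")
```

With only 2^24 IVs, about 4,096 frames give a 40% chance of a repeat and a few tens of thousands make it a near certainty, and many WEP implementations also reset the IV counter to zero at every association. Any modern cipher mode (CCMP in WPA2, GCMP in WPA3) makes nonce reuse impossible by design rather than merely unlikely.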

WPA/WPA2

The next major improvement to wireless security was the introduction of WPA and WPA2. Wi-Fi Protected Access (WPA) was the computer industry’s
response to the weakness of the WEP standard. The most common WPA configuration is WPA-PSK (Pre-Shared Key). The keys used by WPA are 256-bit,
a significant increase over the 64-bit and 128-bit keys used in the WEP system.

The WPA standard provided several security improvements. First, WPA provided message integrity checks (MIC) which could detect if an attacker had
captured and altered data passed between the wireless access point and a wireless client. Another key security enhancement was Temporal Key Integrity
Protocol (TKIP). The TKIP standard provided the ability to better handle, protect and change encryption keys. Advanced Encryption Standard (AES)
superseded TKIP for even better key management and encryption protection.

WPA, like its predecessor WEP, included several widely recognized vulnerabilities, TKIP being a stopgap designed to run on WEP-era hardware. The Wi-Fi Protected Access II (WPA2) standard, based on IEEE 802.11i (ratified in 2004), became mandatory for Wi-Fi certified devices in 2006. The most significant security improvement from WPA to WPA2 was the mandatory use of AES and the introduction of Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) as the replacement for TKIP. WPA2 has since been followed by WPA3 (2018), which should be preferred where the hardware supports it.

Mutual Authentication

One of the great vulnerabilities of wireless networks is the use of rogue access points. Access points are the devices that communicate with the wireless devices and connect them back to the wired network. Any device that has a wireless transmitter and a hardwired interface to a network can potentially act as a rogue, or unauthorized, access point. The rogue access point can imitate an authorized access point by advertising the same SSID. The result is that wireless devices on the wireless network establish communication with the rogue access point instead of the authorized access point.

The imposter can receive connection requests, copy the data in the request and forward the data to the authorized network access point. This type of man-in-the-middle attack is very difficult to detect and can result in stolen login credentials and transmitted data. To prevent rogue access points, the computer industry developed mutual authentication. Mutual authentication, also called two-way authentication, is a process or technology in which both entities in a communications link authenticate to each other. In a wireless network environment, the client authenticates to the access point and the access point authenticates to the client. This improvement enables clients to detect rogue access points before connecting to the unauthorized device. In enterprise Wi-Fi this is done with IEEE 802.1X and an EAP method such as EAP-TLS or PEAP, in which the client validates the authentication server’s certificate before presenting its own credentials.
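The exchange that makes detection possible, as an added example written for this page (not code from the original text or from any Wi-Fi standard). It is a three-message challenge-response over a shared key: the client sends a nonce, the access point answers with its own nonce and a proof over both, and only after checking that proof does the client send its own. The real protocols (the WPA2 four-way handshake, or 802.1X with EAP-TLS) are more elaborate, but the principle is the same: the side that cannot produce a valid proof is rejected before anything sensitive is sent. Key material, SSIDs and the rogue's guessed key are constructed for the demo.

```python
"""Mutual challenge-response authentication against a rogue AP. Added example, not from the original page."""

import hashlib
import hmac
import os


def auth_tag(key: bytes, role: bytes, n1: bytes, n2: bytes) -> bytes:
    """HMAC over a role label and both nonces. The role label prevents a
    reflection attack in which one side's proof is replayed back to it."""
    return hmac.new(key, role + n1 + n2, hashlib.sha256).digest()


class AccessPoint:
    """AP side. A rogue AP is simply an AccessPoint built with a key it guessed."""

    def __init__(self, ssid: str, key: bytes):
        self.ssid, self.key, self.nonce = ssid, key, b""

    def respond(self, client_nonce: bytes) -> tuple[bytes, bytes]:
        # Message 2: the AP's nonce plus proof that the AP knows the key.
        self.nonce = os.urandom(16)
        return self.nonce, auth_tag(self.key, b"AP", self.nonce, client_nonce)

    def verify_client(self, client_nonce: bytes, client_tag: bytes) -> bool:
        # Message 3 check: client proof over the same nonces, other role label.
        expected = auth_tag(self.key, b"CLIENT", client_nonce, self.nonce)
        return hmac.compare_digest(client_tag, expected)


class Client:
    def __init__(self, key: bytes):
        self.key = key

    def connect(self, ap: AccessPoint) -> str:
        client_nonce = os.urandom(16)                    # Message 1
        ap_nonce, ap_tag = ap.respond(client_nonce)      # Message 2
        expected = auth_tag(self.key, b"AP", ap_nonce, client_nonce)
        if not hmac.compare_digest(ap_tag, expected):
            # The AP could not prove knowledge of the key: treat it as rogue
            # and stop before sending anything the impostor could use.
            return "rejected: access point failed authentication"
        client_tag = auth_tag(self.key, b"CLIENT", client_nonce, ap_nonce)   # Message 3
        if not ap.verify_client(client_nonce, client_tag):
            return "rejected: access point refused client"
        return "mutually authenticated"


NETWORK_KEY = hashlib.sha256(b"constructed demo passphrase").digest()   # stands in for a PMK


def demo() -> dict:
    client = Client(NETWORK_KEY)
    genuine = AccessPoint("CorpWiFi", NETWORK_KEY)
    rogue = AccessPoint("CorpWiFi", hashlib.sha256(b"attacker guess").digest())  # same SSID, wrong key
    stale = Client(hashlib.sha256(b"last year's key").digest())
    results = {
        "genuine ap": client.connect(genuine),
        "rogue ap with same ssid": client.connect(rogue),
        "client with stale key": stale.connect(genuine),
    }
    # The AP side of the check, exercised directly with a forged proof.
    results["forged client proof accepted"] = genuine.verify_client(os.urandom(16), os.urandom(32))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:28} -> {outcome}")
```

One limitation to keep in mind: a rogue that merely relays messages between the client and the genuine AP passes this exchange, because it never has to produce a proof of its own. What defeats the relay in real protocols is that the session keys are derived from the same secret and nonces, so the relay can forward frames but cannot read or modify them.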

File Access Control

Permissions are rules configured to limit folder or file access for an individual or for a group of users. The figure lists the permissions that are available for
files and folders.

Principle of Least Privilege

Users should be limited to only the resources they need on a computer system or on a network. For example, they should not be able to access all files on a
server if they only need access to a single folder. It may be easier to provide users access to the entire drive, but it is more secure to limit access to only the
folder that they need to perform their job. This is the principle of least privilege. Limiting access to resources also prevents malicious programs from
accessing those resources if the user’s computer becomes infected.

Restricting User Permissions

If an administrator denies permissions to a network share for an individual or a group, this denial overrides any other permission settings. For example, if the
administrator denies someone permission to a network share, the user cannot access that share, even if the user is the administrator or part of the
administrator group. The local security policy must outline which resources and the type of access allowed for each user and group.

When a user changes the permissions of a folder, she has the option to apply the same permissions to all sub-folders. This is permission propagation.
Permission propagation is an easy way to apply permissions to many files and folders quickly. After parent folder permissions have been set, folders and
files created inside the parent folder inherit the permissions of the parent folder.

In addition, the location of the data and the action performed on the data determine the permission propagation:

 Data moved to the same volume will keep the original permissions

 Data copied to the same volume will inherit new permissions

 Data moved to a different volume will inherit new permissions

 Data copied to a different volume will inherit new permissions

File Encryption

Encryption is a tool used to protect data. Encryption transforms data using an algorithm and a key to make it unreadable. Only the matching key returns the unreadable information back into readable data. Software programs encrypt files, folders, and even entire drives.

Encrypting File System (EFS) is a Windows feature that can encrypt data. The Windows implementation of EFS links it directly to a specific user account. Only the user that encrypted the data (or a designated data recovery agent, if the organization has configured one) will be able to access the encrypted files or folders.

A user can also choose to encrypt an entire hard drive in Windows using a feature called BitLocker. To use BitLocker, at least two volumes must be present
on a hard disk.

Before using BitLocker, the user needs to enable the Trusted Platform Module (TPM) in the system firmware (BIOS/UEFI). The TPM is a specialized chip installed on the motherboard. The TPM stores information specific to the host system, such as encryption keys, digital certificates, and passwords, and releases the BitLocker key only when the measured boot state matches the state it was sealed against. Applications, like BitLocker, that use encryption can make use of the TPM chip. BitLocker can also be configured through Group Policy to run without a TPM, using a startup key on a USB drive or a password, but that configuration loses the boot-integrity check. Click TPM Administration to view the TPM details, as shown in the Figure.

BitLocker To Go encrypts removable drives. BitLocker To Go does not use a TPM chip, but still provides encryption for the data and requires a password.

System and Data Backups

An organization can lose data if cyber criminals steal it, equipment fails, or a disaster occurs. For this reason, it is important to perform a data backup
regularly.

A data backup stores a copy of the information from a computer to separate backup media: removable media, a backup server, or cloud storage. The operator stores the backup media in a safe place. Backing up data is one of the most effective ways of protecting against data loss. If the computer hardware fails, the user can restore the data from the backup once the system is functional.

The organization’s security policy should include data backups. Users should perform data backups on a regular basis. Data backups are usually stored
offsite to protect the backup media if anything happens to the main facility.

These are some considerations for data backups:

 Frequency - Backups can take a long time. A common scheme is a full backup weekly or monthly with frequent incremental backups of the data that has changed since the last full or incremental backup. The trade-off is that restoring from many incremental backups takes longer, because each one must be applied in order.

 Storage - For extra security, transport backups to an approved offsite storage location on a daily, weekly, or monthly rotation, as required by the security policy.

 Security – Encrypt backups and keep the encryption key separate from the media; a stolen backup tape or disk is otherwise a complete copy of the data. The operator then supplies the key or password before restoring the data on the backup media.

 Validation - Always validate backups to ensure the integrity of the data.

Content Screening and Blocking

Content control software restricts the content that a user can access using a web browser over the Internet. Content control software can block sites that
contain certain types of material such as pornography or controversial religious or political content. A parent may implement content control software on the
computer used by a child. Libraries and schools also implement the software to prevent access to content considered objectionable.

An administrator can implement the following types of filters:

 Browser-based filters through a third-party browser extension

 Email filters through a client- or server-based filter

 Client-side filters installed on a specific computer

 Router-based content filters that block traffic from entering the network

 Appliance-based content filtering similar to router based

 Cloud-based content filtering

Search engines such as Google offer the option of turning on a safety filter to exclude inappropriate links from search results.


Disk Cloning and Deep Freeze

Many third-party applications are available to restore a system back to a default state. This allows the administrator to protect the operating system and
configuration files for a system.
Disk cloning copies the contents of the computer’s hard disk to an image file. For example, an administrator creates the required partitions on a system,
formats the partition, and then installs the operating system. She installs all required application software and configures all hardware. The administrator
then uses disk-cloning software to create the image file. The administrator can use the cloned image as follows:

 To automatically wipe a system and restore a clean master image

 To deploy new computers within the organization

 To provide a full system backup


Deep Freeze “freezes” the hard drive partition. When a user restarts the system, the system reverts to its frozen configuration. The system does not save
any changes that the user makes, so any applications installed or files saved are lost when the system restarts.

If the administrator needs to change the system’s configuration, she must first “thaw” the protected partition by disabling Deep Freeze. After making the changes, she must re-enable the program. The administrator can configure Deep Freeze to restart the system after a user logs out, shut it down after a period of inactivity, or shut it down at a scheduled time.

These products do not offer real-time protection. A system remains vulnerable until the user or a scheduled event restarts the system. A system infected
with malicious code though, gets a fresh start as soon as the system restarts.

Security Cables and Locks

There are several methods of physically protecting computer equipment:

 Use cable locks with equipment, as shown in Figure 1.

 Keep telecommunication rooms locked.

 Use security cages around equipment.

Many portable devices and expensive computer monitors have a special steel bracket security slot built in to use in conjunction with cable locks.

The most common type of door lock is a standard keyed entry lock. It does not automatically lock when the door closes. Additionally, an individual can wedge a thin plastic card such as a credit card between the lock and the door casing to force the door open. Door locks in commercial buildings are different from residential door locks. A deadbolt lock provides additional security. Any lock that requires a key, though, poses a vulnerability if the keys are lost, stolen, or duplicated.

A cipher lock, shown in Figure 2, uses buttons that a user presses in a given sequence to open the door. It is possible to program a cipher lock. This means
that a user’s code may only work during certain days or certain times. For example, a cipher lock may only allow Bob access to the server room between the
hours of 7 a.m. and 6 p.m. Monday through Friday. Cipher locks can also keep a record of when the door opened, and the code used to open it.

Logout Timers

An employee gets up and leaves his computer to take a break. If the employee does not take any action to secure his workstation, any information on that
system is vulnerable to an unauthorized user. An organization can take the following measures to deter unauthorized access:

Idle Timeout and Screen Lock

Employees may or may not log out of their computer when they leave the workplace. Therefore, it is a security best practice to configure an idle timer that
will automatically log the user out and lock the screen after a specified period. The user must log back in to unlock the screen.

Login Times

In some situations, an organization may want employees to log in during specific hours, such as 7 a.m. to 6 p.m. The system blocks logins during the hours
that fall outside of the allowed login hours.

GPS Tracking

The Global Positioning System (GPS) uses satellites and computers to determine the location of a device. GPS technology is a standard feature on smartphones that provides real-time position tracking. A smartphone GPS fix can typically pinpoint a location to within a few meters under open sky. This technology is available to track children, senior citizens, pets, and vehicles. Using GPS to locate a cell phone without the user’s permission, though, is an invasion of privacy and is illegal in most jurisdictions.

Many cell phone apps use GPS tracking to track a phone’s location. For example, Facebook allows users to check in to a location, which is then visible to
people in their networks.

Inventory and RFID Tags


Radio frequency identification (RFID) uses radio waves to identify and track objects. RFID inventory systems use tags attached to all items that an organization wants to track. The tags contain an integrated circuit that connects to an antenna. Passive RFID tags are small and draw the little power they need from the reader’s radio field, so they do not need a battery to store information to exchange with a reader. RFID can help automate asset tracking or wirelessly lock, unlock, or configure electronic devices.

RFID systems operate within different frequencies. Low frequency systems have a shorter read range and slower data read rates, but are not as sensitive to
radio wave interference caused by liquids and metals that are present. Higher frequencies have a faster data transfer rate and longer read ranges, but are
more sensitive to radio wave interference.

Managing Remote Access

Remote access refers to any combination of hardware and software that enables users to access a local internal network remotely.

With the Windows operating system, technicians can use Remote Desktop and Remote Assistance to repair and upgrade computers. Remote Desktop, as
shown in the figure, allows technicians to view and control a computer from a remote location. Remote Assistance allows technicians to assist customers
with problems from a remote location. Remote Assistance also allows the customer to view the repair or upgrade in real time on the screen.

The Windows installation process does not enable Remote Desktop by default. Enabling this feature opens TCP port 3389 (and UDP 3389 on recent versions) and could result in a vulnerability if a user does not need this service. Where it is needed, restrict the port to trusted source addresses with the host firewall, require Network Level Authentication, and never expose it directly to the Internet.

Telnet, SSH, and SCP

Secure Shell (SSH) is a protocol that provides a secure (encrypted) management connection to a remote device. SSH should replace Telnet for
management connections. Telnet is an older protocol that uses unsecure plaintext transmission of both the login authentication (username and password)
and the data transmitted between the communicating devices. SSH provides security for remote connections by providing strong encryption when a device
authenticates (username and password) and for transmitting data between the communicating devices. SSH uses TCP port 22. Telnet uses TCP port 23.

In Figure 1, cyber criminals monitor packets using Wireshark. In Figure 2, cyber criminals capture the username and password of the administrator from the
plaintext Telnet session.

Figure 3 shows the Wireshark view of an SSH session. Cyber criminals can still track the session using the IP address of the administrator device, but in Figure 4, the username and password are encrypted and cannot be read from the capture.

Secure copy (SCP) securely transfers computer files between two remote systems. SCP uses SSH for data transfer (including the authentication element), so SCP ensures the authenticity and confidentiality of the data in transit. The legacy SCP protocol itself is considered outdated; since OpenSSH 9.0 the scp command uses the SFTP protocol by default, and SFTP is the preferred choice for new deployments.
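What the attacker in Figures 1 and 2 actually does with the captured packets, as an added example written for this page (not code from Wireshark or from the original text). A Telnet login travels as one keystroke per segment with the server echoing each character, interleaved with option-negotiation bytes, so "reading the password" means reassembling the stream in order, dropping the negotiation, and pairing each typed line with the prompt that preceded it. The capture below is constructed for the demo; a real capture would come from a pcap parser. The same code run over an SSH session would yield only ciphertext.

```python
"""Credential recovery from a plaintext Telnet stream. Added example, not from the original page."""

IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254


def strip_telnet_commands(data: bytes) -> bytes:
    """Drop Telnet option negotiation (IAC WILL/WONT/DO/DONT <opt> and
    IAC SB ... IAC SE) so that only user-visible bytes remain."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:     # escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif i + 1 < len(data) and data[i + 1] == SB:      # subnegotiation block
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif i + 1 < len(data) and data[i + 1] in (WILL, WONT, DO, DONT):
            i += 3                                          # three-byte option command
        else:
            i += 2                                          # other two-byte command
    return bytes(out)


def extract_credentials(packets: list[tuple[str, bytes]]) -> dict[str, str]:
    """Walk the segments in capture order, as Wireshark's Follow TCP Stream does.
    The last line of server output seen before the user starts typing is the
    prompt; the client bytes up to CR/LF are the answer to it."""
    server_out = bytearray()
    typed = bytearray()
    prompt = ""
    found: dict[str, str] = {}
    for direction, payload in packets:
        data = strip_telnet_commands(payload)
        if direction == "server":
            server_out += data
            continue
        for ch in data:
            if ch in (13, 10):                  # CR or LF: the typed line is complete
                if typed:
                    found[prompt] = typed.decode(errors="replace")
                    typed = bytearray()
                server_out = bytearray()         # the next prompt starts fresh
            elif ch in (8, 127):                 # backspace / delete
                typed = typed[:-1]
            else:
                if not typed:                    # first keystroke: capture the prompt
                    last_line = server_out.split(b"\n")[-1]
                    prompt = last_line.decode(errors="replace").strip().rstrip(":")
                typed.append(ch)
    return found


def constructed_capture() -> list[tuple[str, bytes]]:
    """A constructed Cisco-style Telnet login: option negotiation, a banner,
    a username echoed character by character, and a password that is not echoed."""
    packets = [
        ("server", b"\xff\xfb\x01\xff\xfb\x03"),           # WILL ECHO, WILL SUPPRESS-GO-AHEAD
        ("client", b"\xff\xfd\x01\xff\xfd\x03"),           # DO ECHO, DO SUPPRESS-GO-AHEAD
        ("server", b"\r\nUser Access Verification\r\n\r\nUsername: "),
    ]
    for ch in b"admin":
        packets.append(("client", bytes([ch])))
        packets.append(("server", bytes([ch])))            # server echoes the keystroke
    packets.append(("client", b"\r\n"))
    packets.append(("server", b"\r\nPassword: "))
    for ch in b"cisco123":
        packets.append(("client", bytes([ch])))            # password is not echoed
    packets.append(("client", b"\r\n"))
    packets.append(("server", b"\r\nRouter>"))
    return packets


if __name__ == "__main__":
    print(extract_credentials(constructed_capture()))
```

The capture takes no special position on the network: any host on the same broadcast domain, a mirrored switch port, or a compromised router in the path sees exactly these bytes. That is the whole argument for SSH on port 22 over Telnet on port 23.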

Securing Ports and Services

Cyber criminals exploit the services running on a system because they know that most devices run more services or programs than they need. An
administrator should look at every service to verify its necessity and evaluate its risk. Remove any unnecessary services.

A simple method that many administrators use to help secure the network from unauthorized access is to disable all unused ports on a switch. For example, if a switch has 24 ports and there are three Fast Ethernet connections in use, it is good practice to disable the 21 unused ports. On Cisco IOS switches this is done with the shutdown command on each unused interface; assigning those interfaces to an unused VLAN as well ensures that a port accidentally re-enabled still carries no production traffic.

The process of enabling and disabling ports can be time-consuming, but it enhances security on the network and is well worth the effort.

Privileged Accounts

Cyber criminals exploit privileged accounts because they are the most powerful accounts in the organization. Privileged accounts have the credentials to
gain access to systems and they provide elevated, unrestricted access. Administrators use these accounts to deploy and manage operating systems,
applications, and network devices. The figure summarizes the types of privileged accounts.

Organizations should adopt the following best practices for securing privileged accounts:

 Identify and reduce the number of privileged accounts

 Enforce the principle of least privilege

 Establish a process for revocation of rights when employees leave or change jobs

 Eliminate shared accounts with passwords that do not expire

 Secure password storage

 Eliminate shared credentials for multiple administrators

 Automatically change privileged account passwords every 30 or 60 days

 Record privileged sessions


 Implement a process to change embedded passwords for scripts and service accounts

 Log all user activity

 Generate alerts for unusual behavior

 Disable inactive privileged accounts

 Use multi-factor authentication for all administrative access

 Implement a gateway between the end-user and sensitive assets to limit network exposure to malware

Locking down privileged accounts is critical to the security of the organization. Securing these accounts needs to be a continuous process. An organization
should evaluate this process to make any required adjustments to improve security.

Group Policies

In most networks that use Windows computers, an administrator configures Active Directory with domains on a Windows Server. Windows computers are members of a domain. The administrator configures a Domain Security Policy that applies to all computers that join the domain. The account policies defined there are applied automatically when a user logs in to Windows.

When a computer is not part of an Active Directory domain, the user configures policies through Windows Local Security Policy. In all versions of Windows
except Home edition, enter secpol.msc at the Run command to open the Local Security Policy tool.

An administrator configures user account policies such as password policies and lockout policies by expanding Account Policies > Password Policy. With
the settings shown in Figure 1, users must change their passwords every 90 days and use the new password for at least one (1) day. Passwords must
contain eight (8) characters and three of the following four categories: uppercase letters, lowercase letters, numbers, and symbols. Lastly, the user can
reuse a password after 24 unique passwords.

An Account Lockout Policy locks an account for a configured duration when too many incorrect login attempts occur. For example, the policy shown in Figure 2 allows the user to enter the wrong password five times. After five attempts, the account locks out for 30 minutes. After 30 minutes, the number of attempts resets to zero and the user can attempt to log in again.

More security settings are available by expanding the Local Policies folder. An Audit Policy creates a security log file used to track the events listed in
Figure 3.
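The password and lockout policies described above, written out as an added example for this page so the rules can be exercised (this is not code from Windows or from the original text; Windows applies these settings inside its own authentication packages). Complexity: at least 8 characters from 3 of the 4 character classes; history: none of the last 24 passwords may be reused; minimum age 1 day; maximum age 90 days. Lockout: 5 bad attempts lock the account for 30 minutes, after which the counter resets. The account, passwords and timestamps are constructed for the demo; passwords are stored as salted SHA-256 only to keep the example dependency-free, whereas a real system uses a slow password hash such as bcrypt, scrypt or Argon2.

```python
"""Password complexity, history, age and lockout policy model. Added example, not from the original page."""

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MIN_LENGTH, MIN_CLASSES, HISTORY_SIZE = 8, 3, 24
MIN_AGE, MAX_AGE = timedelta(days=1), timedelta(days=90)
LOCKOUT_THRESHOLD, LOCKOUT_DURATION = 5, timedelta(minutes=30)


def pw_hash(password: str, salt: bytes) -> bytes:
    # Demo-only hashing; see the lead-in for what a real system should use.
    return hashlib.sha256(salt + password.encode()).digest()


def complexity_violations(password: str) -> list[str]:
    """Windows-style complexity: minimum length and 3 of 4 character classes."""
    classes = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if classes < MIN_CLASSES:
        problems.append(f"uses {classes} of 4 character classes, need {MIN_CLASSES}")
    return problems


@dataclass
class Account:
    name: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list[bytes] = field(default_factory=list)   # newest first; [0] is the current password
    password_set: datetime = datetime.min
    failed: int = 0
    locked_until: Optional[datetime] = None

    def set_password(self, new: str, now: datetime) -> list[str]:
        """Return the policy violations, or [] if the change was accepted."""
        problems = complexity_violations(new)
        h = pw_hash(new, self.salt)
        if h in self.history:
            problems.append(f"reused one of the last {HISTORY_SIZE} passwords")
        if self.history and now - self.password_set < MIN_AGE:
            problems.append(f"changed less than {MIN_AGE.days} day ago")
        if problems:
            return problems
        self.history = ([h] + self.history)[:HISTORY_SIZE]
        self.password_set = now
        return []

    def authenticate(self, password: str, now: datetime) -> str:
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"                # even the right password is refused while locked
            self.locked_until, self.failed = None, 0   # lockout elapsed: counter resets
        if self.history and hmac.compare_digest(pw_hash(password, self.salt), self.history[0]):
            self.failed = 0
            return "expired" if now - self.password_set >= MAX_AGE else "success"
        self.failed += 1
        if self.failed >= LOCKOUT_THRESHOLD:
            self.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "failure"


def demo() -> dict:
    """Constructed timeline for one account: policy checks, then a brute-force run."""
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = Account("bob")
    r = {}
    r["weak"] = acct.set_password("password", t0)                           # one character class
    r["ok"] = acct.set_password("Wint3r-Sun", t0)
    r["too_soon"] = acct.set_password("Spr1ng-Rain", t0 + timedelta(hours=2))
    r["reuse"] = acct.set_password("Wint3r-Sun", t0 + timedelta(days=2))
    day2 = t0 + timedelta(days=2)
    r["brute_force"] = [acct.authenticate("guess", day2 + timedelta(seconds=i)) for i in range(5)]
    r["right_pw_while_locked"] = acct.authenticate("Wint3r-Sun", day2 + timedelta(minutes=10))
    r["after_lockout"] = acct.authenticate("Wint3r-Sun", day2 + timedelta(minutes=31))
    r["expired"] = acct.authenticate("Wint3r-Sun", t0 + timedelta(days=91))
    return r


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24} -> {outcome}")
```

Two behaviours worth noticing: the correct password is refused while the lockout is in force, which is what stops an attacker from continuing to guess, and the lockout threshold is exactly what makes an attacker's 5-guess burst visible in the logs. The Windows policy also has a separate "reset account lockout counter after" setting, omitted here, which clears the failure count even when no lockout occurred.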

Enable Logs and Alerts

A log records all events as they occur. Log entries make up a log file, and a log entry contains all of the information related to a specific event. Logs that
relate to computer security have grown in importance.

For example, an audit log tracks user authentication attempts, and an access log provides all of the details on requests for specific files on a system.
Monitoring system logs can determine how an attack occurred and whether the defenses deployed were successful.

With the increase in the sheer number of log files generated for computer security purposes, the organization should consider a log management process.
Log management determines the process for generating, transmitting, storing, analyzing, and disposing of computer security log data.

Operating System Logs

Operating system logs record events that occur because of operational actions performed by the operating system. System events include the following:

 Client requests and server responses such as successful user authentications

 Usage information that contains the number and size of transactions in a given period of time

Security Application Logs

Organizations use network-based or system-based security software to detect malicious activity. This software generates a security log to provide computer
security data. Logs are useful for performing auditing analysis and identifying trends and long-term problems. Logs also enable an organization to provide
documentation showing that it is in compliance with laws and regulatory requirements.

Power

Electrical power systems and power considerations are a critical issue in protecting information systems. A continuous supply of electrical power is critical in
today's massive server and data storage facilities. Here are some general rules for building effective electrical supply systems:

 Data centers should be on a different power supply from the rest of the building

 Redundant power sources: two or more feeds coming from two or more electrical substations

 Power conditioning

 Backup power systems are often required

 UPS should be available to gracefully shutdown systems

An organization must protect itself from several issues when designing its electrical power supply systems.

Power Excess

 Spike: momentary high voltage

 Surge: prolonged high voltage

Power Loss

 Fault: momentary loss of power

 Blackout: complete loss of power

Power Degradation

 Sag/dip: momentary low voltage

 Brownout: prolonged low voltage

 Inrush Current: initial surge of power

Heating, Ventilation, and Air Conditioning (HVAC)

HVAC systems are critical to the safety of people and information systems in the organization's facilities. When designing modern IT facilities, these systems
play a very important role in the overall security. HVAC systems control the ambient environment (temperature, humidity, airflow, and air filtering) and must
be planned for and operated along with other data center components such as computing hardware, cabling, data storage, fire protection, physical security
systems and power. Almost all physical computer hardware devices come with environmental requirements that include acceptable temperature and
humidity ranges. Environmental requirements appear in a product specifications document or in a physical planning guide. It is critical to maintain these
environmental requirements to prevent system failures and extend the life of IT systems. Commercial HVAC systems and other building management
systems now connect to the Internet for remote monitoring and control. Recent events have shown that such systems (often called "smart systems") also raise
significant security concerns.

One of the risks associated with smart systems is that the individuals who access and manage the system work for a contractor or a third-party vendor.
Because HVAC technicians need to be able to find information quickly, crucial data tends to be stored in many different places, making it accessible to even
more people. Such a situation allows a wide network of individuals, including even associates of contractors, to gain access to the credentials for an HVAC
system. The interruption of these systems can pose considerable risk to the organization's information security.

Hardware Monitoring

Hardware monitoring is often found in large server farms. A server farm is a facility that houses hundreds or thousands of servers for companies. Google
has many server farms around the world to provide optimal services. Even smaller companies are building local server farms to house the growing number
of servers needed to conduct business. Hardware monitoring systems are used to monitor the health of these systems and to minimize server and application
downtime. Modern hardware monitoring systems use USB and network ports to transmit the condition of CPU temperature, power supply status, fan speed
and temperature, memory status, disk space and network card status. Hardware monitoring systems enable a technician to monitor hundreds or thousands
of systems from a single terminal. As the number of server farms continues to grow, hardware-monitoring systems have become an essential security
countermeasure.

Operation Centers

The Network Operation Center (NOC) is one or more locations containing the tools that provide administrators with a detailed status of the organization’s
network. The NOC is ground zero for network troubleshooting, performance monitoring, software distribution and updates, communications management,
and device management.

The Security Operation Center (SOC) is a dedicated site that monitors, assesses, and defends the organization’s information systems such as websites,
applications, databases, data centers, networks, servers, and user systems. A SOC is a team of security analysts who detect, analyze, respond to, report on,
and prevent cybersecurity incidents.

Both of these entities use a hierarchical tier structure to handle events. The first tier handles all events and escalates any event that it cannot handle to the
second tier. Tier 2 staff reviews the event in detail to try to resolve it. If they cannot, they escalate the event to Tier 3, the subject matter experts.

To measure the overall effectiveness of an operation center, an organization will conduct realistic drills and exercises. A tabletop simulation exercise is a
structured walk-through by a team to simulate an event and evaluate the center’s effectiveness. A more effective measure is to simulate a full-fledged
intrusion with no warning. This involves using a Red Team, an independent group of individuals who challenge processes within an organization, to
evaluate the organization’s effectiveness. For example, the Red Team should attack a mission-critical system and include reconnaissance and attack,
privilege escalation, and remote access.

Switches, Routers, and Network Appliances

Network devices ship with either no passwords or default passwords. Change the default passwords before connecting any device to the network.
Document the changes to network devices and log the changes. Lastly, examine all configuration logs.

The following sections discuss several measures that an administrator can take to protect various network devices.

Switches

Network switches are the heart of the modern data communication network. The main threats to network switches are theft, hacking and unauthorized remote
access, attacks against network protocols such as ARP/STP, and attacks against performance and availability. Several countermeasures and controls can protect
network switches, including improved physical security, advanced configuration, and implementing proper system updates and patches as needed. Another
effective control is port security. An administrator should secure all switch ports (interfaces) before deploying the switch for production use. Port security
limits the number of valid MAC addresses allowed on a port: the switch allows access to devices with legitimate MAC addresses while it denies other MAC
addresses.
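Added example, not the course's code: a small Python model of the per-port behaviour described above. The violation modes (protect, restrict, shutdown) and sticky address learning are assumed from common switch vocabulary, and the MAC addresses are constructed. Note that port security only limits which source addresses a port learns; it does not authenticate the device behind them.

```python
"""Port security on one switch interface (added example, not course code)."""


class SecuredPort:
    """The port accepts frames only from a limited set of MAC addresses and
    treats any other source address as a violation. Violation modes use
    common switch vocabulary (assumed, not from the text):
      protect  - drop offending frames silently
      restrict - drop them and count the violation so it can be alerted on
      shutdown - drop them and put the port into an error-disabled state
    """

    def __init__(self, name, maximum=1, mode="shutdown", sticky=True):
        if mode not in ("protect", "restrict", "shutdown"):
            raise ValueError(f"unknown violation mode: {mode}")
        self.name = name
        self.maximum = maximum        # how many MAC addresses the port accepts
        self.mode = mode
        self.sticky = sticky          # learn addresses from traffic and keep them
        self.allowed = set()          # MAC addresses currently permitted
        self.violations = 0
        self.err_disabled = False

    def allow(self, mac):
        """Statically configure one permitted address."""
        if len(self.allowed) >= self.maximum:
            raise ValueError(f"{self.name}: address limit of {self.maximum} reached")
        self.allowed.add(mac.lower())

    def receive(self, mac):
        """Decide what happens to a frame with source address mac.

        Returns "forward" or "drop" and updates the port state.
        """
        mac = mac.lower()
        if self.err_disabled:
            return "drop"                     # port is down until an admin clears it
        if mac in self.allowed:
            return "forward"
        if self.sticky and len(self.allowed) < self.maximum:
            self.allowed.add(mac)             # learned dynamically, then retained
            return "forward"
        # Unknown source address and no room left: a port-security violation.
        if self.mode != "protect":
            self.violations += 1
        if self.mode == "shutdown":
            self.err_disabled = True
        return "drop"

    def clear_err_disabled(self):
        """Administrator action that returns the port to service."""
        self.err_disabled = False


def replay(mode, frames, maximum=1):
    """Run a sequence of source MACs through a fresh port and return the
    per-frame decisions, the violation count and the error-disabled flag."""
    port = SecuredPort("Gi0/1", maximum=maximum, mode=mode)
    decisions = [port.receive(mac) for mac in frames]
    return decisions, port.violations, port.err_disabled


# Constructed traffic: the legitimate workstation talks first, then a second,
# unexpected device appears on the same port, then the workstation talks again.
SAMPLE_FRAMES = ["00:11:22:33:44:AA", "00:11:22:33:44:AA",
                 "00:11:22:33:44:BB", "00:11:22:33:44:AA"]

if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, replay(mode, SAMPLE_FRAMES))
```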

VLANs

VLANs provide a way to group devices within a LAN and on individual switches. VLANs use logical connections instead of physical connections. Individual
ports of a switch can be assigned to a specific VLAN. Other ports can be used to physically interconnect switches and allow multiple VLAN traffic between
switches. These ports are called trunks.

For example, the HR department may need to protect sensitive data. VLANs allow an administrator to segment networks based on factors such as function,
project team, or application, without regard for the physical location of the user or device as shown in Figure 1. Devices within a VLAN act as if they are in
their own independent network, even if they share a common infrastructure with other VLANs. A VLAN can separate groups that have sensitive data from
the rest of the network, decreasing the chances of confidential information breaches. Trunks allow individuals on the HR VLAN to be physically connected to
multiple switches.

There are many different types of VLAN vulnerabilities and attacks. These can include attacks against the VLAN and trunking protocols. These attack details are
beyond the scope of this course. Hackers can also attack VLAN performance and availability. Common countermeasures include monitoring VLAN changes
and performance, advanced configurations and regular system patching and updates to the IOS.

Firewalls

Firewalls are hardware or software solutions that enforce network security policies. A firewall filters unauthorized or potentially dangerous traffic from
entering the network (Figure 2). A simple firewall provides basic traffic filtering capabilities using access control lists (ACLs). Administrators use ACLs to stop
traffic or permit only specified traffic on their networks. An ACL is a sequential list of permit or deny statements that apply to addresses or protocols. ACLs
provide a powerful way to control traffic into and out of a network. Because firewalls keep attacks out of a private network, they are themselves a common target
of hackers seeking to defeat the firewall protections. The main threats to firewalls are theft, hacking and remote access, attacks against ACLs, and attacks
against performance and availability. Several countermeasures and controls can protect firewalls, including improved physical security, advanced configuration,
secure remote access and authentication, and proper system updates and patches as needed.
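As an added illustration (not code from the course), this Python model evaluates an extended ACL the way the text describes: entries are checked top-down, the first match decides, and traffic that matches nothing hits the implicit deny at the end of every ACL. The networks, server address and entries are constructed for the example.

```python
"""First-match ACL evaluation with an implicit deny (added example, not course code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches any protocol; else "tcp", "udp", "icmp"
    source: str                      # source network in CIDR notation
    destination: str                 # destination network in CIDR notation
    dst_port: Optional[int] = None   # None matches any destination port

    def matches(self, protocol, src, dst, dst_port):
        if self.protocol != "ip" and self.protocol != protocol:
            return False
        if ip_address(src) not in ip_network(self.source):
            return False
        if ip_address(dst) not in ip_network(self.destination):
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return True


def evaluate(acl, protocol, src, dst, dst_port=None):
    """Walk the list top-down; the first matching entry decides.

    Returns (action, index). An index of None means no entry matched and the
    implicit deny at the end of the ACL applied.
    """
    for index, entry in enumerate(acl):
        if entry.matches(protocol, src, dst, dst_port):
            return entry.action, index
    return "deny", None


# Constructed policy: an inside network 10.0.0.0/8 and a server at 192.0.2.10.
# Telnet (TCP/23) to the server is denied before the broad TCP permit, so the
# order of the entries, not just their content, determines the outcome.
SERVER = "192.0.2.10"
INBOUND_ACL = [
    AclEntry("deny",   "tcp",  "0.0.0.0/0",  "192.0.2.10/32", 23),
    AclEntry("permit", "tcp",  "10.0.0.0/8", "192.0.2.10/32"),
    AclEntry("permit", "icmp", "10.0.0.0/8", "0.0.0.0/0"),
]

# The same entries with the deny moved below the permit: telnet now gets through,
# because the permit matches first and the deny is never reached.
MISORDERED_ACL = [INBOUND_ACL[1], INBOUND_ACL[0], INBOUND_ACL[2]]


if __name__ == "__main__":
    for name, acl in (("ordered", INBOUND_ACL), ("misordered", MISORDERED_ACL)):
        print(name, "telnet from inside:", evaluate(acl, "tcp", "10.1.1.5", SERVER, 23))
    print("udp from inside hits the implicit deny:",
          evaluate(INBOUND_ACL, "udp", "10.1.1.5", SERVER, 53))
```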

Routers

Routers form the backbone of the Internet and communications between different networks. Routers communicate with one another to identify the best
possible path to deliver traffic to different networks. Routers use routing protocols to make routing decisions. Routers can also integrate other services like
switching and firewall capabilities. These operations make routers prime targets. The main threats to network routers are theft, hacking and remote access,
attacks against routing protocols such as RIP/OSPF, and attacks against performance and availability. Several countermeasures and controls can protect network
routers including improved physical security, advanced configuration settings, use of secure routing protocols with authentication, and proper system
updates and patches as needed.

Wireless and Mobile Devices

Wireless and mobile devices have become the predominant type of devices on most modern networks. They provide mobility and convenience but introduce a
host of vulnerabilities. These vulnerabilities include theft, hacking and unauthorized remote access, sniffing, man-in-the-middle attacks, and attacks against
performance and availability. The best way to secure a wireless network is to use authentication and encryption. The original wireless standard, 802.11,
introduced two types of authentication as shown in the figure:

 Open system authentication - Any wireless device can connect to the wireless network. Use this method in situations where security is of no
concern.

 Shared key authentication - Provides mechanisms to authenticate and encrypt data between a wireless client and AP or wireless router.

The three shared key authentication techniques for WLANs are as follows:

 Wired Equivalent Privacy (WEP) - This was the original 802.11 specification securing WLANs. However, the encryption key never changes
when exchanging packets, making it easy to hack.

 Wi-Fi Protected Access (WPA) - This standard uses WEP, but secures the data with the much stronger Temporal Key Integrity Protocol (TKIP)
encryption algorithm. TKIP changes the key for each packet, making it much more difficult to hack.

 IEEE 802.11i/WPA2 - IEEE 802.11i is now the industry standard for securing WLANs. 802.11i and WPA2 both use the Advanced Encryption
Standard (AES) for encryption, which is currently the strongest encryption protocol.

Since 2006, any device that bears the Wi-Fi Certified logo is WPA2 certified. Therefore, modern WLANs should always use the 802.11i/WPA2 standard.
Other countermeasures include improved physical security and regular system updates and patching of devices.

Network and Routing Services

Cyber criminals use vulnerable network services to attack a device or to use it as part of the attack. To check for insecure network services, review a device
for open ports using a port scanner. A port scanner is an application that probes a device for open ports by sending a message to each port and waiting for a
response. The response indicates how the port is used. Cyber criminals will also use port scanners for the same reason. Securing network services ensures
that only necessary ports are exposed and available.

Dynamic Host Configuration Protocol (DHCP)

DHCP uses a server to assign an IP address and other configuration information automatically to network devices. In effect, the device is getting a
permission slip from the DHCP server to use the network. Attackers can target DHCP servers in order to deny access to devices on the network. Figure 1
provides a security checklist for DHCP.

Domain Name System (DNS)

DNS resolves a Uniform Resource Locator (URL) or website address (http://www.cisco.com) to the IP address of the site. When users type a web address
into the address bar, they depend on DNS servers to resolve the actual IP address of that destination. Attackers can target DNS servers in order to deny
access to network resources or redirect traffic to rogue websites. Figure 2 provides a security checklist for DNS. Use secure services and
authentication between DNS servers to protect them from these attacks.

Internet Control Message Protocol (ICMP)

Network devices use ICMP to send error messages, such as a notification that a requested service is not available or that the host could not reach the router. The ping command is
a network utility that uses ICMP to test the reachability of a host on a network. Ping sends ICMP messages to the host and waits for a reply. Cyber criminals
can alter the use of ICMP for the evil purposes listed in Figure 3. Denial-of-Service attacks use ICMP, so many networks filter certain ICMP requests to
prevent such attacks.

Routing Information Protocol (RIP)

RIP limits the number of hops allowed in a path on a network from the source device to the destination. The maximum number of hops allowed for RIP is
fifteen. RIP is a routing protocol used to exchange routing information about which networks each router can reach and how far away those networks are.
RIP calculates the best route based on hop count. Figure 4 lists RIP vulnerabilities and defenses against RIP attack. Hackers can target routers and the RIP
protocol. Attacks on routing services can affect performance and availability. Some attacks can even result in traffic redirection. Use secure services with
authentication and implement system patching and updates to protect routing services such as RIP.

Network Time Protocol (NTP)

Having the correct time within networks is important. Correct time stamps accurately track network events such as security violations. Additionally, clock
synchronization is critical for the correct interpretation of events within syslog data files as well as for digital certificates.

Network Time Protocol (NTP) is a protocol that synchronizes the clocks of computer systems over data networks. NTP allows network devices to
synchronize their time settings with an NTP server. Figure 5 lists the various methods used to provide secure clocking for the network. Cyber criminals
attack timeservers to disrupt secure communication that depends on digital certificates and to hide attack information like accurate time stamps.

VoIP Equipment

Voice over IP (VoIP) uses networks such as the Internet to make and receive phone calls. The equipment required for VoIP includes an Internet connection
plus a phone. Several options are available for the phone set:

 A traditional phone with an adapter (the adapter acts as a hardware interface between a traditional, analog phone and a digital VoIP line)

 A VoIP-enabled phone

 VoIP software installed on a computer

Most consumer VoIP services use the Internet for phone calls. Many organizations, though, use their private networks because they provide stronger
security and service quality. VoIP security is only as reliable as the underlying network security. Cyber criminals target these systems in order to gain access
to free phone services, eavesdrop on phone calls, or to affect performance and availability.

Implement the following countermeasures to secure VoIP:

 Encrypt voice message packets to protect against eavesdropping.

 Use SSH to protect gateways and switches.

 Change all default passwords.

 Use an intrusion detection system to detect attacks such as ARP poisoning.

 Use strong authentication to mitigate registration spoofing (cyber criminals route all incoming calls for the victim to them), proxy impersonating
(tricks the victim into communicating with a rogue proxy set up by the cyber criminals), and call hijacking (the call is intercepted and rerouted to a
different path before reaching the destination).

 Implement firewalls that recognize VoIP to monitor streams and filter abnormal signals.

When the network goes down, voice communications will also go down.

Cameras

An Internet camera sends and receives data over a LAN and/or the Internet. A user can remotely view live video using a web browser on a wide range of
devices including computer systems, laptops, tablets, and smartphones.

Cameras come in various forms including the traditional security camera. Other options include Internet cameras discreetly hidden in clock radios, books, or
DVD players.

Internet cameras transmit digital video over a data connection. The camera connects directly to the network and has everything required for transferring the
images over the network. The figure lists best practices for camera systems.

Videoconferencing Equipment

Videoconferencing allows two or more locations to communicate simultaneously using telecommunication technologies. These technologies take advantage
of the new high definition video standards. Products like Cisco TelePresence enable a group of people in one location to conference with a group of people
from other locations in real time. Videoconferencing is now part of normal day-to-day operations in industries like the medical field. Doctors can review
patient symptoms and consult with experts to identify potential treatments.

Many local pharmacies employ physician assistants that can link live to doctors using videoconferencing to schedule visits or emergency responses. Many
manufacturing organizations are using teleconferencing to help engineers and technicians perform complex operations or maintenance tasks.
Videoconferencing equipment can be extremely expensive and is a high-value target for thieves and cyber criminals. Cyber criminals target these systems
in order to eavesdrop on video calls or to affect performance and availability.

Network and IoT Sensors

One of the fastest-growing sectors of information technology is the use of intelligent devices and sensors. The computer industry brands this sector as the Internet of
Things (IoT). Businesses and consumers use IoT devices to automate processes, monitor environmental conditions, and alert the user of adverse conditions.
Most IoT devices connect to a network via wireless technology and include cameras, door locks, proximity sensors, lights, and other types of sensors used
to collect information about an environment or the status of a device. Several appliance manufacturers use IoT to inform users that parts need replacement,
components are failing, or supplies are running out.

Businesses use these devices to track inventory, vehicles, and personnel. IoT devices contain geospatial sensors. A user can globally locate, monitor, and
control environmental variables such as temperature, humidity, and lighting. The IoT industry poses a tremendous challenge to information security
professionals because many IoT devices capture and transmit sensitive information. Cyber criminals target these systems in order to intercept data or to
affect performance and availability.

Fencing and Barricades

Physical barriers are the first thing that comes to mind when thinking about physical security. This is the outermost layer of security, and these solutions are
the most publicly visible. A perimeter security system typically consists of the following components:

 Perimeter fence system

 Security gate system

 Bollards (a short post used to protect from vehicle intrusions as shown in Figure 2)

 Vehicle entry barriers

 Guard shelters

A fence is a barrier that encloses secure areas and designates property boundaries. All barriers should meet specific design requirements and fabric
specifications. High-security areas often require a "top guard" such as barbed wire or concertina wire. When designing the perimeter, apply the following
rules for fence height:

 1 meter (3-4 ft.) will only deter casual trespassers

 2 meters (6-7 ft.) are too high to climb by casual trespassers

 2.5 meters (8 ft.) will offer limited delay to a determined intruder

Top guards provide an added deterrent and can delay the intruder by severely cutting the intruder; however, attackers can use a blanket or mattress to
alleviate this threat. Local regulations may restrict the type of fencing system an organization can use.

Fences require regular maintenance. Animals may burrow under the fence, or the earth may wash out, leaving the fence unstable and providing easy access for
an intruder. Inspect fencing systems regularly. Do not park any vehicles near fences. A parked vehicle near the fence can assist an intruder in climbing over or
damaging the fence.

Biometrics

Biometrics describes the automated methods of recognizing an individual based on a physiological or behavioral characteristic. Biometric authentication
systems include measurements of the face, fingerprint, hand geometry, iris, retina, signature, and voice. Biometric technologies can be the foundation of
highly secure identification and personal verification solutions. The popularity and use of biometric systems has increased because of the increased number
of security breaches and transaction fraud. Biometrics provides confidential financial transactions and personal data privacy. For example, Apple uses
fingerprint technology with its smartphones. The user’s fingerprint unlocks the device and accesses various apps such as online banking or payment apps.

When comparing biometric systems there are several important factors to consider including accuracy, speed or throughput rate, acceptability to users,
uniqueness of the biometric organ and action, resistance to counterfeiting, reliability, data storage requirements, enrollment time, and intrusiveness of the
scan. The most important factor is accuracy. Accuracy is expressed in error types and rates.

The first error rate is the Type I error rate, or false rejection rate. A Type I error rejects a person who is enrolled and is an authorized user. In access control, if the
requirement is to keep the bad guys out, false rejection is the least important error. However, in many biometric applications, false rejections can have a very
negative impact on business. For example, a bank or retail store needs to authenticate a customer’s identity and account balance. A false rejection means that the
transaction or sale is lost, and the customer becomes upset. Most bankers and retailers are willing to allow a few false accepts as long as there are minimal
false rejects.

The false acceptance rate is stated as a percentage and is the rate at which a system accepts unenrolled individuals or impostors as authentic users. False
acceptance is a Type II error. Type II errors let the bad guys in, so they are normally considered the most important error for a biometric access
control system.

The most widely used method to measure the accuracy of biometric authentication is the Crossover Error Rate (CER). The CER is the rate at which the false
rejection rate and the false acceptance rate are equal, as shown in the figure.
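To make the two error types and the crossover concrete, this added example (not from the course) sweeps an acceptance threshold over constructed genuine and impostor matching scores, finds the point where FAR and FRR meet, and shows the retail trade-off of choosing a threshold for a low false rejection rate. All scores are made-up values.

```python
"""Biometric error rates and the crossover error rate (added example, not course code)."""

# Constructed comparison scores in the range 0..1, where a higher score means the
# sample looks more like the enrolled template. Made-up values, not real data.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.75, 0.70, 0.66, 0.61, 0.55]
IMPOSTOR_SCORES = [0.10, 0.18, 0.25, 0.33, 0.40, 0.48, 0.58, 0.63, 0.72, 0.80]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FAR, FRR) for a system that accepts any score >= threshold.

    FAR, the Type II rate: impostor attempts the system wrongly accepts.
    FRR, the Type I rate:  enrolled users the system wrongly rejects.
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep every observed score as a candidate threshold and return
    (threshold, CER) where FAR and FRR come closest to being equal."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _gap, threshold, cer = best
    return threshold, cer


def threshold_for_max_frr(max_frr, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """The retail/banking trade-off from the text: pick the strictest threshold
    whose false rejection rate stays at or below max_frr, and report the FAR
    that choice costs. FRR only grows as the threshold rises, so the first
    acceptable value scanning from the top is the strictest one."""
    for t in sorted(set(genuine) | set(impostor), reverse=True):
        far, frr = error_rates(t, genuine, impostor)
        if frr <= max_frr:
            return t, far
    raise ValueError("no threshold meets the false-rejection target")


if __name__ == "__main__":
    for t in (0.55, 0.66, 0.80):
        far, frr = error_rates(t)
        print(f"threshold {t:.2f}: FAR={far:.2f} FRR={frr:.2f}")
    print("crossover (threshold, CER):", crossover_error_rate())
    print("retail tuning, FRR <= 10% (threshold, FAR):", threshold_for_max_frr(0.10))
```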

Badges and Access Logs

An access badge allows an individual to gain access to an area with automated entry points. An entry point can be a door, a turnstile, a gate, or other barrier.
Access badges use various technologies such as a magnetic stripe, barcode, or biometrics.

A card reader reads a number contained on the access badge. The system sends the number to a computer that makes access control decisions based on
the credential provided. The system logs the transaction for later retrieval. Reports reveal who entered what entry points at what time.

Guards and Escorts

All physical access controls including deterrent and detection systems ultimately rely on personnel to intervene and stop the actual attack or intrusion. In
highly secure information system facilities, guards control access to the organization’s sensitive areas. The benefit of using guards is that they can adapt
more than automated systems. Guards can learn and distinguish many different conditions and situations and make decisions on the spot. Security guards
are the best solution for access control when the situation requires an instantaneous and appropriate response. However, guards are not always the best
solution. There are numerous disadvantages to using security guards including cost and the ability to monitor and record high volume traffic. The use of
guards also introduces human error to the mix.

Video and Electronic Surveillance

Video and electronic surveillance supplement or, in some cases, replace security guards. The benefit of video and electronic surveillance is the ability to
monitor areas even when no guards or personnel are present, the ability to record and log surveillance videos and data for long periods, and the ability to
incorporate motion detection and notification.

Video and electronic surveillance can also be more accurate in capturing events even after they occur. Another major advantage is that video and electronic
surveillance provide points of view not easily achieved with guards. It can also be far more economical to use cameras to monitor the entire perimeter of a
facility. In a highly secure environment, an organization should place video and electronic surveillance at all entrances, exits, loading bays, stairwells and
refuse collection areas. In most cases, video and electronic surveillance supplement security guards.

RFID and Wireless Surveillance

Managing and locating important information system assets is a key challenge for most organizations. Growth in the number of mobile devices and IoT
devices has made this job even more difficult. Time spent searching for critical equipment can lead to expensive delays or downtime. The use of Radio
Frequency Identification (RFID) asset tags can be of great value to the security staff. An organization can place RFID readers in the door frames of secure
areas so that they are not visible to individuals.

The benefit of RFID asset tags is that they can track any asset that physically leaves a secure area. New RFID asset tag systems can read multiple tags
simultaneously. RFID systems do not require line-of-sight to scan tags. Another advantage of RFID is the ability to read tags that are not visible. Unlike
barcodes and human readable tags that must be physically located and viewable to read, RFID tags do not need to be visible to scan. For example, tagging
a PC up under a desk would require personnel to crawl under the desk to physically locate and view the tag when using a manual or barcode process. Using
an RFID tag would allow personnel to scan the tag without even seeing it.

Packet Tracer – Server Firewalls and Router ACLs

In this Packet Tracer activity, you will complete the following objectives:

 Connect to the Web Server

 Prevent Unencrypted HTTP Sessions

 Access the Firewall on the Email Server

Packet Tracer - Server Firewalls and Router ACLs - Instructions

Packet Tracer - Server Firewalls and Router ACLs - Activity
