
1 2009 Cisco Learning Institute.

CCNA Security
Chapter One
Modern Network Security Threats

Lesson Planning
- This lesson should take 3-6 hours to present
- The lesson should include lecture, demonstrations, discussion and assessment
- The lesson can be taught in person or using remote instruction

Major Concepts
- Rationale for network security
- Data confidentiality, integrity, availability
- Risks, threats, vulnerabilities and countermeasures
- Methodology of a structured attack
- Security model (McCumber cube)
- Security policies, standards and guidelines
- Selecting and implementing countermeasures
- Network security design

Lesson Objectives
Upon completion of this lesson, the successful participant will be able to:
1. Describe the rationale for network security
2. Describe the three principles of network security
3. Identify risks, threats, vulnerabilities and countermeasures
4. Discuss the three states of information and identify threats and appropriate countermeasures for each state
5. Differentiate between security policies, standards and guidelines
6. Describe the difference between structured and unstructured network attacks
7. Describe the stages and tools used in a structured attack
8. Identify security organizations that influence and shape network security
9. Identify career specializations in network security

What is Network Security?
National Security Telecommunications and Information Systems Security Committee (NSTISSC)
Network security is the protection of information and systems and hardware that use, store, and transmit that information.
Network security encompasses those steps that are taken to ensure the confidentiality, integrity, and availability of data or resources.

Rationale for Network Security
Network security initiatives and network security specialists can be found in private and public, large and small companies and organizations. The need for network security and its growth are driven by many factors:
1. Internet connectivity is 24/7 and is worldwide
2. Increase in cyber crime
3. Impact on business and individuals
4. Legislation & liabilities
5. Proliferation of threats
6. Sophistication of threats

Cyber Crime
- Fraud/Scams
- Identity Theft
- Child Pornography
- Theft of Telecommunications Services
- Electronic Vandalism, Terrorism and Extortion
WASHINGTON, D.C. An estimated 3.6 million households, or about 3 percent of all households in the nation, learned that they had been the victim of at least one type of identity theft during a six-month period in , according to the Justice Department's Bureau of Justice Statistics

Business Impact
1. Decrease in productivity
2. Loss of sales revenue
3. Release of unauthorized sensitive data
4. Threat of trade secrets or formulas
5. Compromise of reputation and trust
6. Loss of communications
7. Threat to environmental and safety systems
8. Loss of time
Current Computer Crime Cases

Proliferation of Threats
In 1, the National Infrastructure Protection Center at the FBI released a document summarizing the Ten Most Critical Internet Security Vulnerabilities.
Since that time, thousands of organizations rely on this list to prioritize their efforts so they can close the most dangerous holes first.
The threat landscape is very dynamic, which in turn makes it necessary to adopt newer security measures.
Just over the last few years, the kinds of vulnerabilities that are being exploited are very different from the ones being exploited in the past.

Sophistication of Threats

Legislation
Federal and local government has passed legislation that holds organizations and individuals liable for mismanagement of sensitive data. These laws include:
1. The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
2. The Sarbanes-Oxley Act of (Sarbox)
3. The Gramm-Leach-Bliley Act (GLBA)
4. USA PATRIOT Act 1

Goals of an Information Security Program
- Confidentiality
  - Prevent the disclosure of sensitive information from unauthorized people, resources, and processes
- Integrity
  - The protection of system information or processes from intentional or accidental modification
- Availability
  - The assurance that systems and data are accessible by authorized users when needed

Information Security Model
[Figure: cube with three axes: Information States, Security Measures, Information Security Properties]
NSTISSI 11: National Training Standard for Information Systems Security Professionals, 199

Information Security Properties
- Availability
- Integrity
- Confidentiality

Information States
- Processing
- Storage
- Transmission

Security Measures
- Policy and Procedures
- Technology
- Education, Training, and Awareness

Information Security Model
- Information Security Properties: Confidentiality, Integrity, Availability
- Information States: Processing, Storage, Transmission
- Security Measures: Policy and Procedures; Technology; Education, Training, and Awareness

Risk Management
- Risk Analysis
- Threats
- Vulnerabilities
- Countermeasures

Risk Management
- The process of assessing and quantifying risk and establishing an acceptable level of risk for the organization
- Risk can be mitigated, but cannot be eliminated
[Figure labels: Control physical access; Password protection; Develop a Security Policy]

Risk Assessment
- Risk assessment involves determining the likelihood that the vulnerability is a risk to the organization
- Each vulnerability can be ranked by the scale
- Sometimes calculating anticipated losses can be helpful in determining the impact of a vulnerability

Asset Identification
- Categories of assets
  - Information Assets (people, hardware, software, systems)
  - Supporting Assets (facilities, utilities, services)
  - Critical Assets (can be either of those listed above)
- Attributes of the assets need to be compiled
- Determine each item's relative value
  - How much revenue/profit does it generate?
  - What is the cost to replace it?
  - How difficult would it be to replace?
  - How quickly can it be replaced?

Network Security "Threat"
- A potential danger to information or a system
- An example: the ability to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network
- There may be weaknesses that greatly increase the likelihood of a threat manifesting
- Threats may include equipment failure, structured attacks, natural disasters, physical attacks, theft, viruses and many other potential events causing danger or damage

Types of Network Threats
- Impersonation
- Eavesdropping
- Denial-of-service
- Packet replay
- Man-in-the-middle
- Packet modification

Vulnerability
- A network vulnerability is a weakness in a system, technology, product or policy
- In today's environment, several organizations track, organize and test these vulnerabilities
- The US government has a contract with an organization to track and publish network vulnerabilities
- Each vulnerability is given an ID and can be reviewed by network security professionals over the Internet.
- The common vulnerability exposure (CVE) list also publishes ways to prevent the vulnerability from being attacked

Vulnerability Appraisal
- It is very important that network security specialists comprehend the importance of vulnerability appraisal
- A vulnerability appraisal is a snapshot of the current security of the organization as it now stands
- What current security weaknesses may expose the assets to these threats?
- Vulnerability scanners are tools available as free Internet downloads and as commercial products
  - These tools compare the asset against a database of known vulnerabilities and produce a discovery report that exposes the vulnerability and assesses its severity

Risk Management Terms
- Vulnerability: a system, network or device weakness
- Threat: potential danger posed by a vulnerability
- Threat agent: the entity that identifies a vulnerability and uses it to attack the victim
- Risk: likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact
- Exposure: potential to experience losses from a threat agent
- Countermeasure: put into place to mitigate the potential risk

Understanding Risk
[Figure: relationship diagram. Nodes: Threat Agent, Threat, Vulnerability, Risk, Asset, Exposure, Countermeasure. Edge labels: Gives rise to, Exploits, Leads to, Can damage, Causes, Can be safeguarded by, Directly affects]

Qualitative Risk Analysis
- A new worm
- Web site defacement
- Fire protection system floods datacenter
Exposure values prioritize the order for addressing risks

Quantitative Risk Analysis
- Exposure Factor (EF)
  - % of loss of an asset
- Single Loss Expectancy (SLE)
  - Value of asset in $
- Annualized Rate of Occurrence (ARO)
  - A number representing frequency of occurrence of a threat
    Example: . = Never 1 = Occurs very often
- Annualized Loss Expectancy (ALE)
  - Dollar value derived from: SLE x ARO

Managing Risks
- Accept: Acknowledge that the risk exists, but apply no safeguard
- Transfer: Shift responsibility for the risk to a third party (ISP, Insurance, etc.)
- Mitigate: Change the asset's risk exposure (apply safeguard)
- Avoid: Eliminate the asset's exposure to risk, or eliminate the asset altogether

Types of Attacks
Structured attack
Come from hackers who are more highly motivated and technically competent. These people know system vulnerabilities and can understand and develop exploit code and scripts. They understand, develop, and use sophisticated hacking techniques to penetrate unsuspecting businesses. These groups are often involved with the major fraud and theft cases reported to law enforcement agencies.
Unstructured attack
Consists of mostly inexperienced individuals using easily available hacking tools such as shell scripts and password crackers. Even unstructured threats that are only executed with the intent of testing and challenging a hacker's skills can still do serious damage to a company.

Types of Attacks
External attacks
Initiated by individuals or groups working outside of a company. They do not have authorized access to the computer systems or network. They gather information in order to work their way into a network mainly from the Internet or dialup access servers.
Internal attacks
More common and dangerous. Internal attacks are initiated by someone who has authorized access to the network. According to the FBI, internal access and misuse account for 6 to 8 percent of reported incidents. These attacks often are traced to disgruntled employees.

Types of Attacks
- Passive Attack
  - Listen to system passwords
  - Release of message content
  - Traffic analysis
  - Data capturing
- Active Attack
  - Attempt to log into someone else's account
  - Wire taps
  - Denial of services
  - Masquerading
  - Message modifications

Specific Network Attacks
- ARP Attack
- Brute Force Attack
- Worms
- Flooding
- Sniffers
- Spoofing
- Redirected Attacks
- Tunneling Attack
- Covert Channels

Denial-of-Service Facts
- Commonly used against information stores like web sites
- Simple and usually quite effective
- Does not pose a direct threat to sensitive data
- The attacker tries to prevent a service from being used and make that service unavailable to legitimate users
- Attackers typically go for high visibility targets such as the web server, or for infrastructure targets like routers and network links
[Cartoon caption: "Uh-Oh. Another DoS attack!"]

Denial-of-Service Example
If a mail server is capable of receiving and delivering 1 messages a second, an attacker simply sends messages per second. The legitimate traffic (as well as a lot of the malicious traffic) will get dropped, or the mail server might stop responding entirely.
- This type of an attack may be used as a diversion while another attack is made to actually compromise systems
- In addition, administrators are likely to make mistakes during an attack and possibly change a setting that creates a vulnerability that can be further exploited

Types of Denial-of-Service Attacks
- Buffer Overflow Attacks
- SYN Flood Attack
- Teardrop Attacks
- Smurf Attack
- DNS Attacks
- Email Attacks
- Physical Infrastructure Attacks
- Viruses/Worms

DoS - Buffer Overflow Attacks
The most common DoS attack sends more traffic to a device than the program anticipates that someone might send: Buffer Overflow.

DoS - SYN Flood Attack
- When connection sessions are initiated between a client and server in a network, a very small space exists to handle the usually rapid "handshaking" exchange of messages that sets up a session.
- The session-establishing packets include a SYN field that identifies the sequence order.
- To cause this kind of attack, an attacker can send many packets, usually from a spoofed address, thus ensuring that no response is sent.

DoS - Teardrop Attack
- Exploits the way that the Internet Protocol (IP) requires a packet that is too large for the next router to handle be divided into fragments.
- The fragmented packet identifies an offset to the beginning of the first packet that enables the entire packet to be reassembled by the receiving system.
- In the teardrop attack, an attacker's IP puts a confusing value in the second or later fragment. If the receiving operating system cannot cope with such fragmentation, then it can cause the system to crash.
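
A receiver copes with the "confusing value" described above by validating fragment offsets before it reassembles anything. The check below is an added example, not part of the original slides; the Fragment type, the function name and the sample fragment sets are constructed for illustration, and offsets are modelled in bytes.

```python
from typing import NamedTuple


class Fragment(NamedTuple):
    offset: int           # byte offset of this payload within the original datagram
    length: int           # number of payload bytes carried by this fragment
    more_fragments: bool  # IP "more fragments" flag: True on all but the last piece


def check_fragments(frags):
    """Validate one datagram's fragments before reassembly.

    Returns "ok" or a short reason for dropping the whole set. Fragments
    may arrive in any order, so they are sorted by offset first.
    """
    if not frags:
        return "no fragments"
    ordered = sorted(frags, key=lambda f: f.offset)
    expected = 0  # where the next fragment's payload must begin
    for i, frag in enumerate(ordered):
        is_last = i == len(ordered) - 1
        if frag.length <= 0:
            return "empty fragment"
        if frag.offset < expected:
            # The teardrop condition: this piece starts inside the previous one.
            return "overlap"
        if frag.offset > expected:
            return "gap"
        if not is_last and frag.length % 8:
            # IP expresses offsets in 8-byte units, so only the final
            # fragment may carry a length that is not a multiple of 8.
            return "misaligned fragment"
        if frag.more_fragments == is_last:
            return "inconsistent more-fragments flag"
        expected = frag.offset + frag.length
    return "ok"


# Constructed samples.
NORMAL = [Fragment(0, 1480, True), Fragment(1480, 1480, True), Fragment(2960, 40, False)]
OUT_OF_ORDER = [Fragment(1480, 20, False), Fragment(0, 1480, True)]
OVERLAPPING = [Fragment(0, 32, True), Fragment(24, 8, False)]  # second piece starts at 24 < 32
WITH_GAP = [Fragment(0, 16, True), Fragment(24, 8, False)]

if __name__ == "__main__":
    for name, sample in [("normal", NORMAL), ("out of order", OUT_OF_ORDER),
                         ("overlapping", OVERLAPPING), ("gap", WITH_GAP)]:
        print(f"{name:13} -> {check_fragments(sample)}")
```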

DoS - Smurf Attack
The attacker sends an IP ping request to a network site.
The ping packet requests that it be broadcast to a number of hosts within that local network.
The packet also indicates that the request is from a different site, i.e. the victim site that is to receive the denial of service.
This is called IP Spoofing: the victim site becomes the address of the originating packet.
The result is that lots of ping replies flood back to the victim host.
If the flood is big enough then the victim host will no longer be able to receive or process "real" traffic.

DoS - DNS Attacks
- A famous DNS attack was a DoS "ping" attack. The attackers broke into machines on the Internet (popularly called "zombies") and sent streams of forged packets at the 13 DNS root servers via intermediary legitimate machines.
- The goal was to clog the servers, and communication links on the way to the servers, so that useful traffic was gridlocked. The assault is not DNS-specific: the same attack has been used against several popular Web servers in the last few years.

DoS - Email Attacks
- When using Microsoft Outlook, a script reads your address book and sends a copy of itself to everyone listed there, thus propagating itself around the Internet.
- The script then modifies the computer's registry so that the script runs itself again when restarted.

DoS - Physical Infrastructure Attacks
- Someone can just simply snip your cables! Fortunately this can be quickly noticed and dealt with.
- Other physical infrastructure attacks can include recycling systems, affecting power to systems and actual destruction of computers or storage devices.

DoS - Viruses/Worms
- Viruses or worms, which replicate across a network in various ways, can be viewed as denial-of-service attacks where the victim is not usually specifically targeted but simply a host unlucky enough to get the virus.
- Available bandwidth can become saturated as the virus/worm attempts to replicate itself and find new victims.

Malicious Code Attacks
- Malicious code attacks refers to viruses, worms, Trojan horses, logic bombs, and other uninvited software
- Damages personal computers, but also attacks systems that are more sophisticated
- Actual costs attributed to the presence of malicious code have resulted primarily from system outages and staff time involved in repairing the systems
- Costs can be significant

Packet Sniffing Attacks
- Most organization LANs are Ethernet networks
- On Ethernet-based networks, any machine on the network can see the traffic for every machine on that network
- Sniffer programs exploit this characteristic, monitoring all traffic and capturing the first 18 bytes or so of every unencrypted FTP or Telnet session (the part that contains user passwords)

Information Leakage Attacks
- Attackers can sometimes get data without having to directly use computers
- Exploit Internet services that are intended to give out information
- Induce these services to reveal extra information or to give it out to unauthorized people
- Many services designed for use on local area networks do not have the security needed for safe use across the Internet
- Thus these services become the means for important information leakage

Social Engineering Attacks
- Hacker-speak for tricking a person into revealing some confidential information
- Social Engineering is defined as an attack based on deceiving users or administrators at the target site
- Done to gain illicit access to systems or useful information
- The goals of social engineering are fraud, network intrusion, industrial espionage, identity theft, etc.

Attack Methodology
Stages - the methodology of network attacks is well documented and researched. This research has led to greater understanding of network attacks and an entire specialization of engineers that test and protect networks against attacks (Certified Ethical Hackers/Penetration Testers)
Tools - penetration testers have a variety of power tools that are now commercially available. They also have many open source free tools. This proliferation of powerful tools has increased the threat of attack due to the fact that even technical novices can now launch sophisticated attacks.

Stages of an Attack
- Today's attackers have an abundance of targets. In fact their greatest challenge is to select the most vulnerable victims. This has resulted in very well-planned and structured attacks. These attacks have common logistical and strategic stages. These stages include:
  - Reconnaissance
  - Scanning (addresses, ports, vulnerabilities)
  - Gaining access
  - Maintaining Access
  - Covering Tracks

Tools of the Attacker
- The following are a few of the most popular tools used by network attackers:
  - Enumeration tools (dumpreg, netview and netuser)
  - Port/address scanners (AngryIP, nmap, Nessus)
  - Vulnerability scanners (Metasploit, Core Impact, ISS)
  - Packet Sniffers (Snort, Wireshark, AirMagnet)
  - Root kits
  - Cryptographic cracking tools (Cain, WepCrack)
  - Malicious codes (worms, Trojan horse, time bombs)
  - System hijack tools (netcat, Metasploit, Core Impact)

Countermeasures
- DMZ/NAT
- IDS/IPS
- Content Filtering/NAC
- Firewalls/proxy services
- Authentication/Authorization/Accounting
- Self-defending networks
- Policies, procedures, standards, guidelines
- Training and awareness

Countermeasure Selection
- Cost/benefit calculation
  (ALE before implementing safeguard) - (ALE after implementing safeguard) - (annual cost of safeguard) = value of safeguard to the company
- Evaluating cost of a countermeasure
  - Product costs
  - Design/planning costs
  - Implementation costs
  - Environment modifications
  - Compatibility
  - Maintenance requirements
  - Testing requirements
  - Repair, replacement, or update costs
  - Operating and support costs
  - Effects on productivity
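
The quantitative risk terms (EF, SLE, ARO, ALE) and the cost/benefit calculation above, worked through on constructed figures as an added example that is not part of the original slides. It assumes the standard definition SLE = asset value x EF; the class names, function names, assets and dollar amounts are all illustrative.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: Decimal      # value of the asset in $
    exposure_factor: Decimal  # EF: fraction of the asset lost per incident (0 to 1)
    aro: Decimal              # ARO: expected number of incidents per year

    @property
    def sle(self) -> Decimal:
        # Assumption: SLE = asset value x EF (standard definition).
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> Decimal:
        # ALE = SLE x ARO, as on the Quantitative Risk Analysis slide.
        return self.sle * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: Decimal
    ef_after: Decimal   # exposure factor once the safeguard is in place
    aro_after: Decimal  # rate of occurrence once the safeguard is in place


def safeguard_value(risk: Risk, sg: Safeguard) -> Decimal:
    """(ALE before) - (ALE after) - (annual cost of safeguard)."""
    after = Risk(risk.name, risk.asset_value, sg.ef_after, sg.aro_after)
    return risk.ale - after.ale - sg.annual_cost


def choose_treatment(risk: Risk, candidates):
    """Pick the safeguard with the highest value, if any is worth its cost.

    Returns (decision, safeguard name or None, value). When no candidate
    has a positive value, mitigation is not cost-justified and the
    remaining options are to accept, transfer or avoid the risk.
    """
    best = max(candidates, key=lambda sg: safeguard_value(risk, sg), default=None)
    if best is None or safeguard_value(risk, best) <= 0:
        return ("accept, transfer or avoid", None, Decimal(0))
    return ("mitigate", best.name, safeguard_value(risk, best))


def rank_by_ale(risks):
    """Order risks so the largest expected annual loss is addressed first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


# Constructed sample data.
DB_RISK = Risk("customer database", Decimal("200000"), Decimal("0.25"), Decimal("0.5"))
KIOSK_RISK = Risk("lobby kiosk", Decimal("3000"), Decimal("1"), Decimal("0.1"))

IPS = Safeguard("inline IPS", Decimal("8000"), Decimal("0.25"), Decimal("0.1"))
HA_SITE = Safeguard("standby site", Decimal("30000"), Decimal("0.05"), Decimal("0.5"))
CABLE_LOCK = Safeguard("cable lock", Decimal("500"), Decimal("1"), Decimal("0.02"))

if __name__ == "__main__":
    for risk in rank_by_ale([KIOSK_RISK, DB_RISK]):
        print(f"{risk.name}: SLE=${risk.sle:,.0f} ALE=${risk.ale:,.0f}")
    print(choose_treatment(DB_RISK, [IPS, HA_SITE]))
    print(choose_treatment(KIOSK_RISK, [CABLE_LOCK]))
```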

Security Administration
- Policies
- Standards
- Guidelines
- Procedures
- Baselines
Domains of Network Security
1. Risk Assessment
2. Security Policy
3. Organization of Information Security
4. Asset Management
5. Human Resources Security
6. Physical and Environmental Security
7. Communications and Operations Management
8. Access Control
9. Information Systems Acquisition, Development and Maintenance
10. Information Security Incident Management
11. Business Continuity Management
12. Compliance

What Is a Security Policy?
- A document that states how an organization plans to protect its tangible and intangible information assets
  - Management instructions indicating a course of action, a guiding principle, or appropriate procedure
  - High-level statements that provide guidance to workers who must make present and future decisions
  - Generalized requirements that must be written down and communicated to others

Change Drivers
- Built into the information security program
- Events that cause us to revisit policies, procedures, standards, and guidelines
  - Changes in technology
  - Changes in senior level personnel
  - Acquisition of other companies
  - New products, services, or business lines

Documents Supporting Policies
- Standards: dictate specific minimum requirements in our policies
- Guidelines: suggest the best way to accomplish certain tasks
- Procedures: provide a method by which a policy is accomplished (the instructions)

Example: The Policy
- All users must have a unique user ID and password that conforms to the company password standard
- Users must not share their password with anyone regardless of title or position
- Passwords must not be stored in written or any readable form
- If a compromise is suspected, it must be reported to the help desk and a new password must be requested

Example: The Standards
- Minimum of 8 upper- and lowercase alphanumeric characters
- Must include a special character
- Must be changed every 3 days
- Password history of previous passwords will be used to ensure passwords aren't reused

Example: The Guideline
- Take a phrase
  Up and At 'em at 7!
- Convert to a strong password
  Up&atm@7!
- To create other passwords from this phrase, change the number, move the symbol, or change the punctuation mark
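
One way to enforce the example standard while honouring the policy rule that passwords are never stored in readable form, shown as an added example that is not part of the original slides. It reads "upper- and lowercase alphanumeric" as requiring at least one uppercase letter, one lowercase letter and one digit; the history depth, PBKDF2 settings and all names are assumptions, since the slides do not give them.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8            # from the example standard
HISTORY_DEPTH = 5         # assumption: the slides do not say how many old passwords are kept
PBKDF2_ROUNDS = 100_000   # assumption: work factor for the stored history digests


def standard_violations(password: str) -> list:
    """Return every rule of the example standard that the password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    return problems


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Keeps salted digests of the most recent passwords, never the passwords."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self._entries = []  # (salt, digest) pairs, newest last

    def was_used(self, password: str) -> bool:
        # Each entry has its own salt, so the candidate is re-derived per entry.
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest in self._entries)

    def remember(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _digest(password, salt)))
        del self._entries[:-self.depth]  # drop entries older than the history depth


def change_password(history: PasswordHistory, new_password: str) -> list:
    """Apply the standard and the history check; record the password if it passes."""
    problems = standard_violations(new_password)
    if history.was_used(new_password):
        problems.append("matches a password in the history")
    if not problems:
        history.remember(new_password)
    return problems


if __name__ == "__main__":
    history = PasswordHistory(depth=2)
    # The first candidate is the guideline's example; the others are constructed.
    for candidate in ["Up&atm@7!", "Up&atm@7!", "up&atm@7!", "Short1!"]:
        print(repr(candidate), change_password(history, candidate) or "accepted")
```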

Example: The Procedure
Procedure for changing a password
1. Press Control, Alt, Delete to bring up the log in dialog box
2. Click the "change password" button
3. Enter your current password in the top box
4. ...

Policy Elements
- Statement of Authority: an introduction to the information security policies
- Policy Headings: logistical information (security domain, policy number, name of organization, effective date, author, change control documentation or number)
- Policy Objectives: states what we are trying to achieve by implementing the policy
- Policy Statement of Purpose: why the policy was adopted, and how it will be implemented

Policy Elements, 2
- Policy Audience: states who the policy is intended for
- Policy Statement: how the policy will be implemented (the rules)
- Policy Exceptions: special situations calling for exception to the normal, accepted rules
- Policy Enforcement Clause: consequences for violation
- Policy Definitions: a "glossary" to ensure that the target audience understands the policy

Policy Example
Subsection 6. PERSONNEL SECURITY
Change Control #: .0
Policy 6..3 Confidentiality Agreements
Approved by: SMH
Objectives
Confidentiality of organizational data is a key tenet of our information security program. In support of this goal, ABC Co will require signed confidentiality agreements of all authorized users of information systems. This agreement shall conform to all federal, state, regulatory, and union requirements.
Purpose
The purpose of this policy is to protect the assets of the organization by clearly informing staff of their roles and responsibilities for keeping the organization's information confidential.
Audience
ABC Co confidentiality agreement policy applies equally to all individuals granted access privileges to an ABC Co Information resources
Policy
This policy requires that staff sign a confidentiality policy agreement prior to being granted access to any sensitive information or systems.
Agreements will be reviewed with the staff member when there is any change to the employment or contract, or prior to leaving the organization.
The agreements will be provided to the employees by the Human Resource Dept.
Exceptions
At the discretion of the Information Security Officer, third parties whose contracts include a confidentiality clause may be exempted from signing individual confidentiality agreements.
Disciplinary Actions
Violation of this policy may result in disciplinary actions, which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; or dismissal for interns and volunteers. Additionally, individuals are subject to civil and criminal prosecution.

Network Security Organizations
www.infosyssec.com
www.sans.org
www.cisecurity.org
www.cert.org
www.isc.org
www.first.org
www.infragard.net
www.mitre.org
www.cnss.gov

SANS

CERT

(ISC)2
Information security certifications offered by (ISC)2
- Systems Security Certified Practitioner (SSCP)
- Certification and Accreditation Professional (CAP)
- Certified Secure Software Lifecycle Professional (CSSLP)
- Certified Information Systems Security Professional (CISSP)

Network Security Jobs
- Network Security Administrator
- Risk Analyst
- VPN Specialist
- Penetration Tester
- Network Perimeter/Firewall Specialist
- Security Response IDS/IPS Engineer

Network Security Jobs
Examples from Salary.com:
- Network Security Administrator
  Troubleshoots network access problems and implements network security policies and procedures. Ensures network security access and protects against unauthorized access, modification, or destruction. Requires a bachelor's degree with at least 5 years of experience in the field. Familiar with a variety of the field's concepts, practices, and procedures. Relies on extensive experience and judgment to plan and accomplish goals. Performs a variety of tasks. May lead and direct the work of others. A wide degree of creativity and latitude is expected.
- Risk Analyst
  Performs risk analysis studies in order to maintain maximum protection of an organization's assets. Investigates any incidences that may result in asset loss and compiles findings in reports for further review. Requires a bachelor's degree and - years of experience in the field or in a related area. Has knowledge of commonly-used concepts, practices, and procedures within a particular field. Relies on instructions and pre-established guidelines to perform the functions of the job. Works under immediate supervision. Primary job functions do not typically require exercising independent judgment.

Network Security Jobs, 2
- Chief Information Security Officer
  Responsible for determining enterprise information security standards. Develops and implements information security standards and procedures. Ensures that all information systems are functional and secure. Requires a bachelor's degree with at least 1 years of experience in the field. Familiar with a variety of the field's concepts, practices, and procedures. Relies on extensive experience and judgment to plan and accomplish goals. Performs a variety of tasks. Leads and directs the work of others. A wide degree of creativity and latitude is expected. Typically reports to top management.
- Network Perimeter/Firewall Specialist
  This position requires Experience and Skills working with perimeter protection devices and network firewalls. The candidate must have experience with PIX Firewalls and MPLS Network experience. Cisco Switch and Router experience is a plus. Experience with Network Transformation and Server Re-IP projects is a definite plus. Other Firewall experience is a definite plus.

Network Security Jobs, 3
- Ethical hacker/Penetration Tester
  Responsible for testing and improving network and information system security systems. This is a very sensitive hands-on front line position. This person will be working in a team environment. This individual will be performing mostly network and web application ethical hacking assessments on multi-protocol enterprise network and application systems. Duties may include: Requirements analysis and design, scoping of testing activity, vulnerability assessment, assessing tools/script testing, troubleshooting and physical security audits, logical security audits, logical protocol and traffic audits.
- Security Response IDS/IPS Engineer
  Provides support for the Intrusion Detection/Prevention Service, Host Log Monitoring Service, and Wireless IPS Service associated with Managed Security Services. Must have a well-rounded security background and are responsible for performing extensive troubleshooting of customer issues via Customer Support escalations from the Security Operations Center (SOC) Analysts. This individual performs both infrastructure engineering and customer focused projects to resolve all incidents in timely manner. These needs may involve performing device upgrades, investigating and responding to advanced security threats, and making changes to the security policy of a customer's device.