Chapter 10: Managing a Secure Network
CCNA Security
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
1
Chapter 10: Objectives
In this chapter, you will:

Describe the high-level considerations for ensuring that a network is secure.

Describe the benefits of risk management and the measures to take to optimize risk management.

Define and describe the components, technologies and devices of the Cisco SecureX Architecture.

Describe the five product families used in the SecureX Architecture.

Describe the overarching concepts of operations security.

Describe the core principles of operations security.

Describe the purpose of and the techniques used in network security testing.

Describe the tools used in network security testing.

Describe business continuity planning and disaster recovery.

Configure the Cisco Secure Copy feature.

Describe the SDLC.

Describe the five phases of the SDLC.

Describe the goals of a security policy.

Describe the structure of a security policy.

Describe the standards, guidelines, and procedures of a security policy.

Describe the roles and responsibilities entailed within a security policy.

Describe the concepts of security awareness and how to achieve security awareness through education and training.

Describe ethical guidelines and laws for network security.

Describe how to respond to a security breach.
Chapter 10
10.0 Introduction
10.1 Principles of Secure Network Design
10.2 Security Architecture
10.3 Operations Security
10.4 Network Security Testing
10.5 Business Continuity Planning and Disaster Recovery
10.6 System Development Life Cycle
10.7 Developing a Comprehensive Security Policy
10.8 Summary
10.1 Principles of Secure Network Design
Ensuring a Network is Secure
Security Policies
 Created and maintained to mitigate existing
and new kinds of attacks.
 Enforce a structured, informed, consistent
approach to securing the network.
 Designed to address the following:
• Business needs
• Threat identification
• Risk analysis
• Security needs
• Industry-recommended practices
• Security operations
Ensuring a Network is Secure
Security Policies Cont.
 Business needs:
• What does the organization want to do with the network?
• What are the organizational needs?
 Threat identification - What are the most likely types of threats
given the organization’s purpose?
 Risk analysis:
• What is the cost versus benefit analysis of implementing various
security technologies?
• How do the latest security techniques affect the network
environment and what is the risk if they are not implemented?
Ensuring a Network is Secure
Security Policies Cont.
 Security needs:
• What are the policies, standards, and guidelines needed to address
business needs and risks?
 Industry-recommended practices:
• What are the reliable, well-understood, and recommended security
practices that similar organizations currently employ?
 Security operations:
• What are the current procedures for incident response, monitoring,
maintenance, and auditing of the system for compliance?
Ensuring a Network is Secure
Avoid Wrong Assumptions
There are guidelines to help you avoid making wrong assumptions:
 Expect that any aspect of a security system might fail.
 Identify any elements that fail open. Fail-open occurs when a
failure results in a complete bypass of the security function.
 Try to identify all attack possibilities.
• Use a top-down analysis of possible system failures, which involves
evaluating the simplicity and probability of every attack on a
system.
• This is known as attack tree analysis.
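The attack tree analysis described above, written out as an added Python example that is not part of the original material. Each leaf step carries an attacker effort (the slide's "simplicity") and a success probability; an OR node is reached through its easiest child, an AND node needs every child. The tree, its step names and all of its numbers are constructed for illustration, and the re-scoring after "MFA" is an assumed control, not something the page prescribes.

```python
"""Attack tree analysis: a top-down look at the ways a security function could
be bypassed, scored by how easy and how likely each path is.
Added example, not from the original material; the tree and its numbers are
constructed for illustration."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Node:
    name: str
    kind: str = "LEAF"            # "LEAF", "OR" (any child suffices) or "AND" (all children needed)
    cost: float = 0.0             # attacker effort for a LEAF, in arbitrary units ("simplicity")
    probability: float = 0.0      # estimated chance that a LEAF step succeeds
    children: List["Node"] = field(default_factory=list)


def cheapest_cost(node: Node) -> float:
    """Least effort needed to reach this node: min over OR children, sum over AND children."""
    if node.kind == "LEAF":
        return node.cost
    costs = [cheapest_cost(c) for c in node.children]
    return sum(costs) if node.kind == "AND" else min(costs)


def success_probability(node: Node) -> float:
    """Best-case success chance: max over OR children, product over AND children
    (child steps are assumed independent)."""
    if node.kind == "LEAF":
        return node.probability
    probs = [success_probability(c) for c in node.children]
    if node.kind == "AND":
        p = 1.0
        for x in probs:
            p *= x
        return p
    return max(probs)


def cheapest_path(node: Node) -> List[str]:
    """Leaf steps on the cheapest path; these are the controls to review first."""
    if node.kind == "LEAF":
        return [node.name]
    if node.kind == "AND":
        return [step for c in node.children for step in cheapest_path(c)]
    return cheapest_path(min(node.children, key=cheapest_cost))


def build_tree(weak_password_cost: float = 2.0) -> Node:
    """Constructed tree for the goal 'read customer records'. The parameter lets the
    tree be re-scored after a control (an assumed MFA rollout) raises one leaf's cost."""
    return Node("Read customer records", "OR", children=[
        Node("Guess weak admin password", cost=weak_password_cost, probability=0.3),
        Node("Exploit unpatched server", "AND", children=[
            Node("Locate the vulnerable service", cost=3.0, probability=0.8),
            Node("Obtain a working exploit", cost=6.0, probability=0.5),
        ]),
        Node("Insider misuses access", cost=8.0, probability=0.2),
    ])


if __name__ == "__main__":
    before = build_tree()
    after = build_tree(weak_password_cost=12.0)   # assumed effect of adding MFA
    for label, tree in (("before MFA", before), ("after MFA", after)):
        print(f"{label}: cheapest cost={cheapest_cost(tree)}, "
              f"best-case probability={success_probability(tree):.2f}, "
              f"path={cheapest_path(tree)}")
```

The cheapest path is the one to harden first; re-running the scoring after a control is added shows which path becomes the next weakest, which is the "expect any aspect to fail" loop the slide describes.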
Ensuring a Network is Secure
Avoid Wrong Assumptions Cont.
 Evaluate the probability of exploitation. Focus on the resources
that are needed to create an attack, not the obscurity of a
particular vulnerability.
 Assume that people make mistakes.
 Attackers might not use common and well-established techniques
to compromise a system.
 Check all assumptions with other people. Peers might have a
fresh perspective on potential threats and their probability.
Threat Identification and Risk Analysis
Identifying Threats
When identifying threats, it is important to ask two questions:
1. What are the possible vulnerabilities of a system?
2. What are the consequences if system vulnerabilities are exploited?
Threat Identification and Risk Analysis
Risk Analysis in IT
 Risk analysis is the systematic study of uncertainties and risks. It identifies the risks, determines how and when those risks might arise, and estimates the impact (financial or otherwise) of adverse outcomes.
 After the threats are evaluated for severity and likelihood, the information is used in a risk analysis.
Threat Identification and Risk Analysis
Risk Analysis in IT Cont.
The first step in developing a risk analysis is to evaluate each
threat to determine its severity and probability.
For example, threats in an e-banking system may include:
 Internal system compromise
 Stolen customer data
 Phony transactions if external server is breached
 Phony transactions using a stolen customer PIN or smart
card
 Insider attack on the system
 Data input errors
 Data center destruction
Threat Identification and Risk Analysis
Risk Analysis in IT Cont.
 After the threats are evaluated for severity and likelihood, this
information is used in a risk analysis.
 There are two types of risk analysis in information security:
• Quantitative Risk Analysis - Uses a mathematical model that
assigns a monetary figure to the value of assets, the cost of
threats being realized, and the cost of security implementations.
• Qualitative Risk Analysis - Can be used when the risk
assessment must be done in a relatively short time or under
a tight budget, or when relevant data or expertise is not
readily available.
Threat Identification and Risk Analysis
Single Loss Expectancy Quantitative Risk Analysis
 Quantitative risk analysis relies on specific formulas to
determine the value of the risk decision variables.
 These include formulas that calculate the:
• Asset Value (AV)
• Exposure Factor (EF)
Threat Identification and Risk Analysis
Single Loss Expectancy Quantitative Risk Analysis Cont.
 Single Loss Expectancy (SLE) - Represents the expected loss from a single occurrence of
the threat.
 Asset Value (AV) - Includes the cost of development or purchase price, deployment, and
maintenance.
 Exposure Factor (EF) - An estimate of the degree of destruction that could occur.
 Annualized Loss Expectancy (ALE) - Addresses the cost to the organization if it does
nothing to counter existing threats.
 Annualized Rate of Occurrence (ARO) - Estimates the frequency of an event and is used
to calculate the ALE.
Threat Identification and Risk Analysis
Single Loss Expectancy Quantitative Risk Analysis Cont.
Single Loss Expectancy (SLE) = Asset Value (AV) * Exposure Factor (EF)
Flood threat
Exposure Factor is: 60 percent
AV of the enterprise is: $10,000,000
SLE is equal to: $10,000,000 * .60 = $6,000,000
Threat Identification and Risk Analysis
Single Loss Expectancy Quantitative Risk Analysis Cont.
Data entry error
Exposure Factor is: .001 percent
AV of the enterprise is: $1,000,000
SLE is equal to: $1,000,000 * .00001 = $10
Threat Identification and Risk Analysis
Annualized Rate of Occurrence Quantitative Risk Analysis
Annualized Loss Expectancy (ALE) = SLE * Annualized Rate of Occurrence (ARO)
Data entry error
SLE is: $10
ARO is: 125,000
ALE is equal to: $10 * 125,000 = $1,250,000
Threat Identification and Risk Analysis
Annualized Rate of Occurrence Quantitative Risk Analysis Cont.
Annualized Loss Expectancy (ALE) = SLE * Annualized Rate of Occurrence (ARO)
Flood threat
SLE is: $6,000,000
ARO is: .01
ALE is equal to: $6,000,000 * .01 = $60,000
Threat Identification and Risk Analysis
Quantitative Risk Analysis
 It is necessary to perform a quantitative risk analysis for all
threats identified during the threat identification process.
 Then prioritize the threats and address the most serious threat
first to enable management to focus resources where they do the
most good.
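The SLE and ALE calculations from the preceding slides, together with the prioritisation step just described, as an added Python example that is not part of the original material. The flood and data-entry-error rows reuse the page's own figures; the "stolen customer data" row and the input-validation control are constructed, and the safeguard cost-versus-benefit rule (ALE before minus ALE after minus the yearly cost of the control) is the standard formula the chapter alludes to but does not print.

```python
"""Quantitative risk analysis using the chapter's formulas:
SLE = AV * EF and ALE = SLE * ARO.
Added example (not from the original material). The flood and data-entry-error
rows reuse the page's figures; the third row's values are constructed."""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV: value of the asset at risk, in dollars
    exposure_factor: float  # EF: fraction of the asset value lost per occurrence (0..1)
    aro: float              # ARO: expected occurrences per year

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence of the threat."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: expected yearly loss if nothing is done."""
        return self.sle * self.aro


# The page's two worked cases plus one constructed row from its e-banking list.
THREATS: List[Threat] = [
    Threat("Flood", asset_value=10_000_000, exposure_factor=0.60, aro=0.01),
    Threat("Data entry error", asset_value=1_000_000, exposure_factor=0.00001, aro=125_000),
    Threat("Stolen customer data", asset_value=2_000_000, exposure_factor=0.25, aro=0.5),  # constructed
]


def prioritize(threats: List[Threat]) -> List[Threat]:
    """Highest ALE first: where mitigation spend does the most good."""
    return sorted(threats, key=lambda t: t.ale, reverse=True)


def safeguard_value(threat: Threat, annual_cost: float,
                    new_ef: Optional[float] = None, new_aro: Optional[float] = None) -> float:
    """Annual value of a countermeasure: ALE before - ALE after - yearly cost of the control.
    A positive result means the safeguard pays for itself on this model. This is the
    standard cost-versus-benefit rule; the page refers to it but does not print it."""
    after = replace(threat,
                    exposure_factor=threat.exposure_factor if new_ef is None else new_ef,
                    aro=threat.aro if new_aro is None else new_aro)
    return threat.ale - after.ale - annual_cost


if __name__ == "__main__":
    print(f"{'Threat':<22}{'SLE':>14}{'ARO':>10}{'ALE':>14}")
    for t in prioritize(THREATS):
        print(f"{t.name:<22}{t.sle:>14,.2f}{t.aro:>10,g}{t.ale:>14,.2f}")
    # Constructed control: input validation costing $200,000/yr that cuts
    # data entry errors from 125,000 to 25,000 per year.
    dee = THREATS[1]
    print(f"Value of input validation control: ${safeguard_value(dee, 200_000, new_aro=25_000):,.2f}")
```

Note what the ranking shows: the data entry error has a tiny SLE but the largest ALE, so it lands at the top of the list even though the flood is the more dramatic event. That is exactly why the chapter insists on running the numbers for every identified threat before choosing where to spend.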
Risk Management and Risk Avoidance
Methods of Handling Risks
 When the threats are identified and the risks are assessed, a
protection strategy must be deployed to protect against the risks.
 There are two very different methods to handle risks:
• Risk management - Deploys protection mechanisms to reduce
risks to acceptable levels.
• Risk avoidance - Eliminates risk by avoiding the threats altogether.
Risk Management and Risk Avoidance
Risk Management
 This method deploys protection mechanisms to reduce risks to
acceptable levels.
 Risk management is perhaps the most basic and the most difficult
aspect of building secure systems, because it requires a good
knowledge of risks, risk environments, and mitigation methods.
Risk Management and Risk Avoidance
Risk Management Cont.
Not all mitigation techniques are implemented based on the risk
versus cost formula used in the quantitative risk analysis:
• Internal system compromise
• Stolen customer data
• Phony transactions if external server is broken into
• Phony transactions using a stolen customer PIN or smart card
• Insider attack on the system
• Data input error
• Data center destruction
Risk Management and Risk Avoidance
Risk Management Cont.
 Using the risk avoidance approach, a company might decide
against offering e-banking services as it is deemed too risky.
 Such an attitude might be valid for some military organizations,
but is usually not an option in the commercial world.
 Organizations that can manage the risks are traditionally the most
profitable.
10.2 Security Architecture
Introducing the Cisco SecureX Architecture
Borderless Networks
 Today, Internet worms and other security threats spread across
the world in a matter of minutes, requiring that the security system,
and the network itself, react instantaneously.
 Consumer endpoints, such as iPhones, BlackBerrys, netbooks,
and thousands of other devices, are becoming powerful
substitutes for, or complements to, the traditional PC.
 More people use these devices to access enterprise information.
Introducing the Cisco SecureX Architecture
SecureX Security Architecture
 Designed to provide effective security for any user, using any device, from any location, and at any time.
 Uses a high-level policy language that can describe the full context of a situation, including who, what, where, when, and how.
 With highly distributed security policy enforcement, security is pushed closer to where the end user is working, anywhere on the planet. This architecture is comprised of five major components:
• Scanning engines
• Delivery mechanisms
• Security Intelligence Operations (SIO)
• Policy management consoles
• Next-generation endpoints
Introducing the Cisco SecureX Architecture
Centralized Context-Aware
 A context-aware scanning element does more than just examine packets on the wire.
 It looks at external information to understand the full context of the situation: the who, what, where, when, and how of security.
 These scanning elements are available as standalone appliances, software modules running in a router, or an image in the cloud.
 They are managed from a central policy console that uses a high-level policy language to build context-aware policies.
 A context-aware policy uses a simplified descriptive business language to define security policies based on five parameters:
• The person’s identity
• The application in use
• The type of device being used for access
• The location
• The time of access
Introducing the Cisco SecureX Architecture
Cisco Security Intelligence Operations
 Delivers real-time global threat intelligence.
 World’s largest cloud-based security ecosystem, using almost a
million live data feeds from deployed Cisco email, web, firewall,
and IPS solutions.
 Cisco SIO weighs and processes the data, automatically
categorizing threats and creating rules using more than 200
parameters.
 Rules are dynamically delivered to deployed Cisco security
devices every three to five minutes.
Solutions for the Cisco SecureX Architecture
Cisco Secure Edge and Branch
• The goal of the Cisco secure edge and branch is to deploy
devices and systems to detect and block attacks and exploits,
and prevent intruder access.
• With firewall and intrusion prevention in standalone and
integrated deployment options, organizations can avoid attacks
and meet compliance requirements.
Solutions for the Cisco SecureX Architecture
Secure Email and Web
• Cisco secure email and web solutions protect an organization
from evolving email and web threats.
• They reduce costly downtime associated with email-based
spam, viruses, and web threats, and are available in a variety of
form factors, including:
• On-premises appliances - Includes Cisco IronPort email security
and IronPort web security appliances
• Cisco ScanSafe Cloud Web Security
Solutions for the Cisco SecureX Architecture
SecureX Products
Secure access technologies enforce network security policies,
secure user and host access controls, and control network access
based on dynamic conditions.
Solutions for the Cisco SecureX Architecture
Secure Mobility
Cisco secure mobility solutions promote highly secure mobile
connectivity with VPN, wireless security, and remote workforce
security solutions that extend network access safely and easily to
a wide range of users and devices.
Solutions for the Cisco SecureX Architecture
Secure Data Center and Virtualization
Cisco secure data center and virtualization solutions protect high-value data and data center resources with threat defense, secure virtualization, segmentation, and policy control.
Solutions for the Cisco SecureX Architecture
Network Security Services
 The security industry is always changing.
 The next few years will prove to be a period of significant change,
driven by three major trends:
• Consumerization of the endpoint
• Increasing use of high-definition video conferencing
• Adoption of cloud computing
10.3 Operations Security
Introducing Operations Security
Operations Security
 Operations security is concerned with the day-to-day practices
necessary to first deploy and later maintain a secure system.
 It starts with the planning and implementation process of a
network.
• During these phases, the operations team proactively analyzes
designs, identifies risks and vulnerabilities, and makes the
necessary adaptations.
• After a network is set up, the actual operational tasks begin,
including the continual day-to-day maintenance of the environment.
Introducing Operations Security
Operations Security Team
 The responsibilities of the operations team pertain to everything
that takes place to keep the network, computer systems,
applications, and the environment up and running in a secure and
protected manner.
 The operations team usually has the objectives of preventing
recurring problems, reducing hardware failures to an
acceptable level, and reducing the impact of hardware failure or
disruption.
Introducing Operations Security
Operations Security Team Cont.
To ensure a secure working environment within the operations
department, certain core principles should be integrated into the
day-to-day activities:
 Separation of duties
 Rotation of duties
 Trusted recovery
 Change and configuration controls
Principles of Operations Security
Separation of Duties
 Separation of duties (SoD) is the most difficult and sometimes the most costly control to achieve.
 SoD states that no single individual has control over two or more phases of a transaction or operation.
• Instead, responsibilities are assigned in a way that incorporates checks and balances.
• This makes a deliberate fraud more difficult to perpetrate because it requires the collusion of two or more individuals or parties.
Principles of Operations Security
Rotation of Duties
 Trained individuals are given a specific assignment for a certain amount of time before moving to a new assignment.
 A peer review is built into the practice of rotation of duties. For example, when five people do one job in the course of the week, each person reviews the work of the others.
 Rotation of duties also prevents boredom, gives individuals a greater breadth of exposure to the entire network operation, and creates a strong and flexible operations department.
Principles of Operations Security
Trusted Recovery
 Systems eventually fail!
• Therefore a process for recovery must be established.
• Back up data on a regular basis.
 Backing up data is standard practice in most IT departments.
 Being prepared for system failure is also an important part of operations security:
• Back up critical data on a regular basis.
• Evaluate who has access to the files to back them up and what kind of access they have.
• Secure the backup media.
Principles of Operations Security
Configuration and Change Control
 Ensures that standardized methods and procedures are used to
efficiently handle all changes.
 It should address three major components:
• The processes in place to minimize system and network disruption
• Backups and reversing changes that go badly
• Guidance on the economic utilization of resources and time
 A few suggestions are recommended to accomplish configuration
changes in an effective and safe manner:
• Ensure that the change is implemented in an orderly manner with
formalized testing.
• Ensure that the end users are aware of the coming change when
necessary.
• Analyze the effects of the change after it is implemented.
Principles of Operations Security
Configuration and Change Control Cont.
Step 1. Apply to introduce the change.
Step 2. Catalog the proposed change.
Step 3. Schedule the change.
Step 4. Implement the change.
Step 5. Report the change to the relevant parties.
10.4 Network Security Testing
Introducing Network Security Testing
Network Security Testing
 Network security testing is testing that is performed on a network
to ensure all security implementations are operating as expected.
Testing is typically conducted during the implementation and
operational stages.
 During the implementation stage, security testing is conducted on
specific parts of the security system.
 After a network is fully integrated and operational, a Security Test
and Evaluation (ST&E) is performed. ST&E is an examination or
analysis of the protective measures that are placed on an
operational network.
 Tests should be repeated periodically and whenever a change is
made to the system. Test more frequently on critical information
or hosts that are exposed to constant threat.
Introducing Network Security Testing
Network Security Tests
Many tests can be conducted to assess the operational status of
the system:
 Penetration testing
 Network scanning
 Vulnerability scanning
 Password cracking
 Log review
 Integrity checkers
 Virus detection
Introducing Network Security Testing
Network Security Tests Cont.
 Penetration testing
• Network penetration tests, or pen testing, simulate attacks from
malicious sources.
• The goal is to determine the feasibility of an attack and possible
consequences if one were to occur.
 Network scanning
• Includes software that can ping computers, scan for listening TCP
ports and display which types of resources are available on the
network.
• Some scanning software can also detect usernames, groups, and
shared resources.
• Network administrators can use this information to strengthen their
networks.
Introducing Network Security Testing
Network Security Tests Cont.
 Vulnerability scanning
• Includes software that can detect potential weaknesses in the
tested systems.
• These weaknesses can include misconfiguration, blank or default
passwords, or potential targets for DoS attacks.
• Some software allows administrators to attempt to crash the system
through the identified vulnerability.
 Password cracking
• Includes software that is used to test and detect weak passwords
that should be changed.
• Password policies should include guidelines to prevent weak
passwords.
Introducing Network Security Testing
Network Security Tests Cont.
 Log review
• System administrators should review security logs to identify
potential security threats.
• Abnormal activity should be investigated using filtering software to
scan lengthy log files.
 Integrity checkers
• An integrity checking system detects and reports on changes in the
system.
• Most of the monitoring is focused on the file system. However, some
checking systems can report on login and logout activities.
 Virus detection
• Virus detection software can be used to identify and remove
computer viruses and other malware.
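Two of the tests listed above, log review and integrity checking, as one added Python example that is not part of the original material. The first half filters a security log for repeated failed logins per source address, which is the kind of "abnormal activity" the slide says to pull out of a lengthy log with filtering software; the second half baselines SHA-256 digests of the files under a directory and reports what was added, removed or modified, which is what an integrity checker does. The log lines are constructed in the style of Cisco IOS login syslog messages, the addresses are documentation ranges, and the files are created in a temporary directory so the whole thing runs offline.

```python
"""Log review and file integrity checking, as an added example (not from the
original material). The log lines and the files are constructed."""
import hashlib
import os
import re
import tempfile
from collections import Counter
from typing import Dict, Iterable, List

# Constructed lines in the style of Cisco IOS login syslog messages.
SAMPLE_LOG = """\
Mar 10 08:01:12 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]
Mar 10 08:01:15 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]
Mar 10 08:01:19 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]
Mar 10 08:02:00 R1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 192.0.2.10] [localport: 22]
Mar 10 08:03:44 R1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netops] [Source: 192.0.2.10] [localport: 22] [Reason: Login Authentication Failed]
"""

FAILED_LOGIN = re.compile(r"%SEC_LOGIN-4-LOGIN_FAILED:.*\[Source: ([\d.]+)\]")


def failed_logins_by_source(lines: Iterable[str]) -> Dict[str, int]:
    """Count failed-login messages per source address."""
    counts: Counter = Counter()
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def suspicious_sources(lines: Iterable[str], threshold: int = 3) -> List[str]:
    """Sources at or above the failure threshold; the ones to investigate first."""
    return sorted(src for src, n in failed_logins_by_source(lines).items() if n >= threshold)


def baseline(root: str) -> Dict[str, str]:
    """SHA-256 digest of every file under root, keyed by path relative to root."""
    digests: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digests[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return digests


def compare(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Report what changed between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo_integrity() -> Dict[str, List[str]]:
    """Build a throwaway directory, baseline it, change it, and report the differences."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in {"config.txt": b"version 1\n", "stale.txt": b"old\n", "keep.txt": b"same\n"}.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        before = baseline(root)
        with open(os.path.join(root, "config.txt"), "wb") as f:   # modified
            f.write(b"version 2\n")
        os.remove(os.path.join(root, "stale.txt"))                 # removed
        with open(os.path.join(root, "dropped.txt"), "wb") as f:   # added
            f.write(b"unexpected\n")
        return compare(before, baseline(root))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("failed logins per source:", failed_logins_by_source(lines))
    print("investigate:", suspicious_sources(lines))
    print("integrity changes:", demo_integrity())
```

In practice the baseline would be stored somewhere the monitored host cannot rewrite it (the slide's point about securing backup media applies equally to integrity baselines), and the failure threshold would be tuned per environment so that one mistyped password does not page anyone.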
Introducing Network Security Testing
Applying Network Test Results
Network security testing results can be used in several ways:
 To define mitigation activities to address identified vulnerabilities
 As a benchmark to trace the progress of an organization in
meeting security requirements
 To assess the implementation status of system security
requirements
 To conduct cost and benefit analysis for improvements to system
security
 To enhance other activities, such as risk assessments,
certification and authorization (C&A), and performance
improvement efforts
 As a reference point for corrective action
Network Security Testing Tools
Network Testing Tools
 Nmap - Discovers computers and services on a computer network, thus
creating a map of the network
 SuperScan - Port scanning software designed to detect open TCP and UDP
ports, what services are running on those ports, and run queries, such as
whois, ping, traceroute, and hostname lookups
 GFI LANguard - Network and security scanner which detects vulnerabilities
 Tripwire - Assesses and validates IT configurations against internal policies,
compliance standards, and security best practices
 Nessus - Vulnerability scanning software, focusing on remote access,
misconfiguration, passwords, and DoS against the TCP/IP stack
 L0phtcrack - Password auditing and recovery application
 Metasploit - Provides information about vulnerabilities and aids in penetration
testing and IDS signature development
Network Security Testing Tools
Nmap
Nmap is a low-level scanner that has an array of excellent features
which can be used for network mapping and reconnaissance.
 Classic TCP and UDP port scanning - Searches for different
services on one host.
 Classic TCP and UDP port sweeping - Searches for the
same service on multiple hosts.
 Stealth TCP and UDP port scans and sweeps - Similar to
classic scans and sweeps, but harder to detect by the target
host or IPS.
 Remote operating system identification - This is also known
as OS fingerprinting.
Network Security Testing Tools
SuperScan
 SuperScan is a Microsoft Windows port scanning tool.
 SuperScan version 4 has a number of useful features:
• Adjustable scanning speed
• Support for unlimited IP ranges
• Improved host detection using multiple ICMP methods
• TCP SYN scanning
• UDP scanning (two methods)
• Simple HTML report generation
• Source port scanning
• Fast hostname resolving
• Extensive banner grabbing
• Massive built-in port list description database
• IP and port scan order randomization
• A selection of useful tools, such as ping, traceroute, and whois
• Extensive Windows host enumeration capability
10.5 Business Continuity Planning and Disaster Recovery
Continuity Planning and Disaster Recovery
Business Continuity Planning
 Business continuity planning addresses the continuing operations
of an organization in the event of a disaster or prolonged service
interruption that affects the mission of the organization.
 These plans address:
• An emergency response phase
• A recovery phase
• A return to normal operation phase
 Business continuity planning may include plans, such as:
• Moving or relocating critical business components and people to a
remote location while the original location is being repaired.
• Using different channels of communication to deal with customers,
shareholders, and partners until operations are returned to normal.
Continuity Planning and Disaster Recovery
Disaster Recovery
 Disaster recovery is the process of regaining access to the data,
hardware, and software necessary to resume critical business
operations after a natural or human-induced disaster.
 It includes plans for coping with the unexpected or sudden loss of
key personnel.
Recovery Plans and Redundancy
Recovery Plans
 When planning for disaster recovery and business continuity, the first step is identifying the possible types of disasters and disruptions.
 Not all disruptions to business operations are equal.
 A good disaster recovery plan considers the magnitude of the disruption, recognizing that there are differences between catastrophes, disasters, and minor incidents.
Recovery Plans and Redundancy
Redundancy
 Large organizations might require a redundant facility if some catastrophic event results in facility destruction.
 Hot site:
• A completely redundant facility with almost identical equipment.
 Warm site:
• Physically redundant facilities, but software and data are not stored and updated on the equipment.
• A disaster recovery team is required to physically go to the redundant facility and get it operational.
• Depending on how much software and data is involved, it can take days before operations are ready to resume.
 Cold site:
• An empty datacenter with racks, power, WAN links, and heating, ventilation, and air conditioning (HVAC) already present, but no equipment.
Secure Copy
Secure Copy
 The primary goal of disaster recovery is to restore the network to
a fully functional state.
 Two of the most critical components of a functional network are
the router configuration and the router image files.
 Every disaster recovery plan should include backup and retrieval
of these files.
 Because an organization's network configuration includes private
or proprietary information, these files must be copied in a secure
manner.
 The secure copy (SCP) feature provides a secure and
authenticated method for copying router configuration or router
image files.
Secure Copy
SCP Server Configuration
 Because SCP relies on SSH for secure transport, before enabling
SCP, you must correctly configure SSH, and the router must have
an RSA key pair.
 To configure the router for server-side SCP, perform these steps:
Step 1. Enable AAA with the aaa new-model global configuration
mode command.
Step 2. Define a named list of authentication methods, with the
aaa authentication login {default |listname} method1 [method2...] command.
Step 3. Configure command authorization with the aaa authorization {network | exec | commands level} {default | list-name} method1...[method4] command.
Step 4. Configure a username and password to use for local authentication with the username name [privilege level] {password encryption-type password} command. This step is optional if using network-based authentication such as TACACS+ or RADIUS.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
80
Secure Copy
SCP Server Configuration Cont.
Step 5. Enable SCP server-side functionality with the ip scp
server enable command.
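The five steps above map onto a handful of running-config lines, so a recovery team can verify a restored router before trusting it as an SCP server. The following is an added example, not Cisco's or the course's code: it checks a running-config text for the Step 1 to Step 5 lines plus the SSH preconditions (a non-default hostname and a domain name, which the router needs before it can generate its RSA key pair). The sample config, hostname R1, domain example.com, username scpadmin and the secret hash are all constructed.

```python
"""Check an IOS running-config for the server-side SCP prerequisites
from Steps 1-5 and the SSH preconditions (hostname and domain name
must be set before an RSA key pair can be generated).
Added example, not Cisco's code; the config below is constructed."""
import re

# Constructed sample running-config that satisfies every step.
# The secret hash is a placeholder, not a real credential.
SAMPLE_CONFIG = """\
hostname R1
ip domain-name example.com
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username scpadmin privilege 15 secret 5 <PLACEHOLDER-HASH>
ip ssh version 2
ip scp server enable
"""

# One pattern per configuration step; each must match a whole line.
CHECKS = {
    "step1_aaa_new_model": r"^aaa new-model$",
    "step2_login_method_list": r"^aaa authentication login (?:default|\S+) \S+",
    "step3_authorization": r"^aaa authorization (?:network|exec|commands \d+) (?:default|\S+) \S+",
    "step5_scp_server": r"^ip scp server enable$",
    # RSA key generation needs a non-default hostname and a domain name; the
    # key itself is not in running-config (show crypto key mypubkey rsa shows it).
    "ssh_hostname_set": r"^hostname (?!Router$)\S+",
    "ssh_domain_name": r"^ip domain[- ]name \S+",
}


def _has(config, pattern):
    return re.search(pattern, config, re.MULTILINE) is not None


def uses_network_auth(config):
    """Step 4 (local username) is optional when the login method list
    sends authentication to a TACACS+ or RADIUS server group."""
    return _has(config, r"^aaa authentication login \S+ .*group (?:tacacs\+|radius)")


def check_scp_prereqs(config):
    """Return {check_name: passed} for every prerequisite."""
    results = {name: _has(config, pat) for name, pat in CHECKS.items()}
    results["step4_local_user"] = _has(config, r"^username \S+ ") or uses_network_auth(config)
    return results


def missing(config):
    """Sorted list of prerequisites the config does not satisfy."""
    return sorted(name for name, ok in check_scp_prereqs(config).items() if not ok)


if __name__ == "__main__":
    for name, ok in check_scp_prereqs(SAMPLE_CONFIG).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
    # Drop Step 5 and show the checker catching it.
    print("missing:", missing(SAMPLE_CONFIG.replace("ip scp server enable\n", "")))
```

Feed it the output of show running-config from the restored device; any name in the returned list is a step that still has to be configured before SCP transfers will authenticate.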
10.6 System Development
Life Cycle
Introducing SDLC
System Life Cycle
 Business continuity and disaster recovery plans are ever-changing documents.
 Evaluating system changes and adjusting plans are all part of a
system life cycle.
 The term “system” can refer to a single device or a group of
devices that operate together within a network.
Introducing SDLC
Phases of SDLC
Five phases of the SDLC:
1. Initiation
2. Acquisition and development
3. Implementation
4. Operation and maintenance
5. Disposition
When using the SDLC to design a network, each phase should
include a minimum set of security requirements. This results in less
expensive and more effective security as compared to adding
security to an operational system after the fact.
Phases of the SDLC
Initiation
 Security categorization - Define three levels (low, moderate, and
high) of potential impact on organizations or individuals if there is a
breach of security.
 Preliminary risk assessment - Initial description of the basic
security needs of the system that defines the threat environment in
which the system operates.
Phases of the SDLC
Acquisition and Development
Consists of the following tasks:
• Risk assessment
• Security functional requirements
• Security assurance requirements
• Security cost considerations and reporting
• Security planning
• Security control development
• Developmental security test and evaluation
Phases of the SDLC
Implementation Phase
Consists of the following tasks:
• Inspection and acceptance
• System integration
• Security certification
Phases of the SDLC
Operations and Maintenance
Consists of the following tasks:
• Configuration management and control
• Continuous monitoring
Phases of the SDLC
Disposition Phase
Consists of the following tasks:
• Information preservation
• Media sanitization
• Hardware and software disposal
10.7 Developing a
Comprehensive
Security Policy
Security Policy Overview
Secure Network Life Cycle
 The Secure Network Life Cycle is a process of assessment and re-evaluation of equipment and security needs as the network changes.
 One important aspect of this ongoing evaluation is to understand which assets an organization must protect, even as those assets are changing.
• Determine what the assets of an organization are by asking questions:
  • What does the organization have that others want?
  • What processes, data, or information systems are critical to the organization?
  • What would stop the organization from doing business or fulfilling its mission?
Security Policy Overview
Security Policy
A security policy may include the following:
• Identification and Authentication Policies - Specifies authorized persons that can have access to network resources and verification procedures.
• Password Policies - Ensures passwords meet minimum requirements and are changed regularly.
• Acceptable Use Policies - Identifies network applications and usages that are acceptable to the organization. It may also identify ramifications if this policy is violated.
• Remote Access Policies - Identifies how remote users can access a network and what is accessible via remote connectivity.
• Network Maintenance Policies - Specifies network device operating systems and end user application update procedures.
• Incident Handling Procedures - Describes how security incidents are handled.
Security Policy Overview
Security Policy Audience
The audience for the security policy is anyone who has access to
the network.
 Internal audience includes various personnel, such as
managers and executives, departments and business units,
technical staff, and employees.
 External audience is also a varied group that includes
partners, customers, suppliers, consultants, and contractors.
Structure of a Security Policy
Security Policy Hierarchy
These documents are often broken into a hierarchical structure:
• Governing policy - High-level treatment of the security guidelines that are important to the entire company. Managers and technical staff are the intended audience. The governing policy controls all security-related interactions among business units and supporting departments in the company.
• Technical policy - Used by security staff members as they carry out security responsibilities for the system. These policies are more detailed than the governing policy and are system-specific or issue-specific. For example, access control and physical security issues are described in a technical policy.
• End user policy - Covers all security topics that are important to end users. End users can include employees, customers, and any other individual user of the network.
Structure of a Security Policy
Governing Policy
 The governing policy outlines the company’s overall
security goals for managers and technical staff.
 It covers all security-related interactions among business
units and supporting departments in the company.
 Includes several components:
• Statement of the issue that the policy addresses
• How the policy applies in the environment
• Roles and responsibilities of those affected by the policy
• Actions, activities, and processes that are allowed (and not
allowed)
• Consequences of noncompliance
Structure of a Security Policy
Technical Policy
 Technical policies are detailed documents that are used by
technical staff in the conduct of their daily security
responsibilities.
 Technical policies are broken down into specified technical
areas, including:
• General Policies
• Telephony Policy
• Email and Communications Policy
• Remote Access Policy
• Network Policy
• Application Policy
Structure of a Security Policy
End User Policies
 End user policies cover all rules pertaining to information
security that end users should know about and follow.
 End user policies might overlap with technical policies, but
may also include:
• Identity Policy
• Password Policy
• Anti-Virus Policy
Standards, Guidelines, and Procedures
Security Policy Documents
 The security policy documents are high-level overview
documents.
 These include:
• Standards documents
• Guidelines documents
• Procedures documents
Standards, Guidelines, and Procedures
Standard Documents
 One of the most important security principles is consistency, and
therefore organizations must establish standards.
 Each organization develops standards to support its unique
operating environment.
 Device configuration standards are defined in the technical
section of an organization's security policy.
Standards, Guidelines, and Procedures
Guideline Documents
 Guidelines provide a list of suggestions on how to do things
better.
• They are similar to standards, but are more flexible and are not
usually mandatory.
• Guidelines can be used to define how standards are developed and
to guarantee adherence to general security policies.
 A number of guidelines are widely available:
• National Institute of Standards and Technology (NIST) Computer
Security Resource Center
• National Security Agency (NSA) Security Configuration Guides
• The Common Criteria Standard
Standards, Guidelines, and Procedures
Procedure Documents
 Procedure documents are longer and more detailed than
standards and guidelines.
 Procedure documents include implementation details, usually with
step-by-step instructions and graphics.
 Procedure documents are extremely important for large
organizations, which need the consistency of deployment that is
necessary for a secure environment.
Roles and Responsibilities
Organizational Reporting Structure
 All persons in an organization, from the Chief Executive Officer
(CEO) to the newest hires, are considered end users of the
network and must abide by the organization’s security policy.
 Developing and maintaining the security policy is delegated to
specific roles within the IT department.
Roles and Responsibilities
Common Executive Titles
 Chief Executive Officer (CEO)
• Is ultimately responsible for the success of an organization.
• All executive positions report to the CEO.
 Chief Technology Officer (CTO)
• Identifies and evaluates new technologies and drives new
technology development to meet organization objectives.
• Maintains and enhances the enterprise systems, while providing
direction in all technology-related areas that support operations.
Roles and Responsibilities
Common Executive Titles
 Chief Information Officer (CIO)
• Responsible for the information technology and computer systems that support enterprise goals, including successful deployment of new technologies and work processes.
• Small-to-medium-sized organizations typically combine the responsibilities of CTO and CIO into a single position.
• When an organization has both a CTO and CIO, the CIO is generally responsible for processes and practices supporting the flow of information, and the CTO is responsible for technology infrastructure.
 Chief Security Officer (CSO)
• Develops, implements, and manages the organization’s security strategy, programs, and processes associated with all aspects of business operation, including intellectual property.
• A major aspect of this position is to limit exposure to liability in all areas of financial, physical, and personal risk.
 Chief Information Security Officer (CISO)
• Similar to the CSO, except that this position has a specific focus on IT security.
• The CISO must develop and implement the security policy, either as the primary author or by managing its authorship. In either case, the CISO is responsible and accountable for security policy content.
Security Awareness and Training
Security Awareness Program
 Where is the weakest link in any network infrastructure?
The User!
 To help ensure the enforcement of the security policy, a security
awareness program must be put in place.
Security Awareness and Training
Security Awareness Program Cont.
 A security awareness program usually has two major
components:
• Awareness campaigns
• Training and education
 A good security awareness program:
• Informs users of their IT security responsibilities.
• Explains all IT security policies and procedures for using the IT
systems and data within a company.
• Helps protect the organization from loss of intellectual capital,
critical data, and even physical equipment.
• Must also detail the sanctions that the organization imposes for
noncompliance.
• Should be part of all new hire orientation.
Security Awareness and Training
Awareness Campaigns
“Awareness is not training. The
purpose of awareness presentations
is simply to focus attention on
security. Awareness presentations
are intended to allow individuals to
recognize IT security concerns and
respond accordingly. In awareness
activities, the learner is the recipient
of information... Awareness relies on
reaching broad audiences with
attractive packaging techniques.”
(NIST Special Publication 800-16)
Security Awareness and Training
Awareness Campaigns Cont.
There are several methods of
increasing security awareness:
• Posters, newsletter articles, and
bulletins
• Lectures, videos
• Awards for good security
practices
• Reminders, such as login
banners, mouse pads, coffee
cups, and notepads, etc.
Security Awareness and Training
Security Training Course Cont.
 An effective security training course requires proper planning,
implementation, maintenance, and periodic evaluation.
 The life cycle of a security training course includes several steps:
Step 1. Identify course scope, goals, and objectives.
Step 2. Identify and educate training staff.
Step 3. Identify target audiences.
Step 4. Motivate management and employees.
Step 5. Administer the courses.
Step 6. Maintain the courses.
Step 7. Evaluate the courses.
Security Awareness and Training
Educational Program
 Education integrates all the security skills and competencies of
the various functional specialties into a common body of
knowledge.
 It adds a multidisciplinary study of concepts, issues, and principles,
both technological and social, and strives to produce IT security
professionals capable of vision and proactive response.
 An example of an educational program is a degree program at a
college or university.
Laws and Ethics
Laws
 A big reason for setting security policies and implementing awareness programs
is compliance with the law.
• You must be familiar with the laws and codes of ethics that are binding for
Information Systems Security (INFOSEC) professionals.
 Most countries have three types of laws:
• Criminal law:
  • Concerned with crimes, and its penalties usually involve fines or imprisonment, or both.
• Civil law (also called tort):
  • Focuses on correcting situations in which entities have been harmed and an economic award can help.
  • Imprisonment is not possible in civil law.
  • For example: suing for patent infringement.
• Administrative law:
  • Involves government agencies enforcing regulations.
  • For example: a company might owe its employees vacation pay.
Laws and Ethics
Ethics
 Ethics is a standard that is higher than the law.
 It is a set of moral principles that govern civil behavior and are
often referred to as codes of ethics.
 Ethical principles are often the foundation of many of the laws
currently in place.
 Individuals that violate the code of ethics can face consequences
such as loss of certification, loss of employment, and even
prosecution by criminal or civil court.
Laws and Ethics
Ethics Cont.
The information security profession has a number of formalized
codes:
 International Information Systems Security Certification
Consortium, Inc (ISC)2 Code of Ethics
 Computer Ethics Institute (CEI)
 Internet Activities Board (IAB)
 Generally Accepted System Security Principles (GASSP)
Laws and Ethics
Code of Ethics
 Code of Ethics Preamble
“Safety of the commonwealth, duty to our principals, and to each other
requires that we adhere, and be seen to adhere, to the highest ethical
standards of behavior. Therefore, strict adherence to this Code is a
condition of certification.”
 Code of Ethics Canons
• Protect society, the commonwealth, and the infrastructure.
• Act honorably, honestly, justly, responsibly, and legally.
• Provide diligent and competent service to principals.
• Advance and protect the profession.
Responding to a Security Breach
Motive, Opportunity, and Means
 Different countries have different legal standards. In most
countries and courts, to successfully prosecute an individual, it is
necessary to establish motive, opportunity, and means.
 Motive answers the question of why a person committed the
illegal act.
 Opportunity answers the question of when and where the person
committed the crime.
 Means answers the question of how the person committed the
crime.
 Establishing motive, opportunity, and means is a standard for
finding and prosecuting individuals for all types of crimes.
Responding to a Security Breach
Collecting Data
 The process of collecting data must be done precisely and
quickly.
 When a security breach occurs, it is necessary to isolate the
infected system immediately.
 After data is collected, but before equipment is disconnected, it is
necessary to photograph the equipment in place.
 If security protocols are established and followed, organizations
can minimize the loss and damages resulting from attacks.