Week 1 - Module 1


Module 1: Network Security

July 22, 2022


1.1 Securing Networks: Explain network security.
1.2 Network Threats: Explain the various types of threats and attacks.
1.3 Mitigating Threats: Explain tools and procedures to mitigate the effects of malware and common network attacks.

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
1.1 Securing Networks

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12
Networks Are Targets

https://threatmap.checkpoint.com/

Networks Are Targets

Cyber Attack Maps

• ThreatCloud Live Cyber Attack Threat Map: https://threatmap.checkpoint.com/
• Kaspersky Cyber Malware and DDoS Real-Time Map: https://cybermap.kaspersky.com/
• Arbor Networks DDoS Attack Map: https://www.digitalattackmap.com/
• Fortinet Threat Map: https://threatmap.fortiguard.com/
• Akamai Real-Time Web Attack Monitor: https://www.akamai.com/es/es/resources/visualizing-akamai/real-time-web-monitor.jsp?tab=attacks&theme=dark

Cybersecurity vs. Information Security vs. Network Security
Information security, according to security training specialist the SANS Institute, refers to
“the processes and methodologies which are designed and implemented to protect print,
electronic, or any other form of confidential, private and sensitive information or data from
unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.”

Cybersecurity is “the practice of protecting systems, networks and programs from digital
attacks,” according to Cisco. “These attacks are usually aimed at accessing, changing, or
destroying sensitive information; extorting money from users; or interrupting normal
business processes.” PCmag simplifies the definition to: “the protection of data and
systems in networks that are connected to the internet.”

Network security, the SANS Institute explains, is “the process of taking physical and
software preventative measures to protect the underlying networking infrastructure from
unauthorized access, misuse, malfunction, modification, destruction, or improper
disclosure, thereby creating a secure platform for computers, users and programs to
perform their permitted critical functions within a secure environment.”
Reasons for Network Security
Network security breaches can disrupt e-commerce, cause the loss of business data, threaten people’s privacy, and compromise the integrity of information.

Drivers:
• Threat: Potential danger to an asset such as data or the network.
• Vulnerability and Attack Surface: A vulnerability is a weakness in a system or its design that could be exploited by a threat. The attack surface describes the different points where an attacker could get into a system and could get to the data.
• Exploit: Mechanism used to leverage a vulnerability to compromise an asset.
• Risk: Likelihood that a threat will exploit a vulnerability of an asset and result in an undesirable consequence.
Vectors of Network Attacks
An attack vector is a path by which a threat actor can gain access to a server, host, or network. Attack vectors originate from inside or outside the corporate network. For example, threat actors may target a network through the internet to disrupt network operations and create a denial of service (DoS) attack.

Network Topology Overview
Campus Area Networks

VPN: The Cisco ISR is secured. It protects data in motion that is flowing from the CAN to the outside world by establishing Virtual Private Networks (VPNs). VPNs ensure data confidentiality and integrity from authenticated sources.
ASA Firewall: A Cisco Adaptive Security Appliance (ASA) firewall performs stateful packet filtering to filter return traffic from the outside network into the campus network.
IPS: A Cisco Intrusion Prevention System (IPS) device continuously monitors incoming and outgoing network traffic for malicious activity. It logs information about the activity and attempts to block and report it.
Layer 3 Switches: These distribution layer switches are secured and provide secure redundant trunk connections to the Layer 2 switches. Several different security features can be implemented, such as ACLs, DHCP snooping, Dynamic ARP Inspection (DAI), and IP source guard.
Layer 2 Switches: These access layer switches are secured and connect user-facing ports to the network. Several different security features can be implemented, such as port security, DHCP snooping, and 802.1X user authentication.
ESA/WSA: A Cisco Email Security Appliance (ESA) and Web Security Appliance (WSA) provide advanced threat defense, application visibility and control, reporting, and secure mobility to secure and control email and web traffic.
AAA Server: An authentication, authorization, and accounting (AAA) server authenticates users, authorizes what they are allowed to do, and tracks what they are doing.
Hosts: End points are secured using various features including antivirus and antimalware software, Host Intrusion Protection System features, and 802.1X authentication features.
Network Topology Overview
Small Office and Home Office Networks
• The Layer 2 Switch is an access layer switch that is hardened with various security measures. It connects user-facing ports that use port security to the SOHO network.
• Wireless hosts connect to the wireless network using WPA2 data encryption technology.
• Hosts typically have antivirus and antimalware software installed.
• Combined, these security measures provide comprehensive defense at different layers of the network.

Network Topology Overview
Wide Area Networks
Organizations must ensure secure transport for the data in motion as it travels between sites over the public network. Network security professionals must use secure devices on the edge of the network.

In the figure, the main site is protected by an Adaptive Security Appliance (ASA), which provides stateful firewall features and establishes secure Virtual Private Network (VPN) tunnels to various destinations.
1.2 Network Threats

Who is Attacking Our Network?
Evolution of Threat Actors
Since hacking started in the 1960s with phone freaking, or phreaking, it has evolved to include many types of threat actors.

Script Kiddies: Script kiddies emerged in the 1990s. They are teenagers or inexperienced threat actors running existing scripts, tools, and exploits to cause harm, but typically not for profit.
Vulnerability Brokers: Vulnerability brokers are grey hat hackers who attempt to discover exploits and report them to vendors, sometimes for prizes or rewards.
Hacktivists: Hacktivists are grey hat hackers who rally and protest against different political and social ideas.
Cybercriminals: Cybercriminal is a term for black hat hackers who are either self-employed or working for large cybercrime organizations.
State-Sponsored: State-sponsored hackers are threat actors who steal government secrets, gather intelligence, and sabotage networks of foreign governments, terrorist groups, and corporations.

Who is Attacking Our Network?
Cybercriminals
• Money-motivated threat actors.
• Buy, sell, and trade exploits, private information, and intellectual property.
• Steal from consumers and small businesses, as well as large enterprises and industries.
• While some cybercriminals work independently, they are more often financed and sponsored by criminal organizations.
• It is estimated that globally, cybercriminals steal billions of dollars from consumers and businesses every year.
Threat Actor Tools
Evolution of Security Tools

Ethical hacking uses many different types of tools to test the network and end devices. To validate the security of a network and its systems, many network penetration testing tools have been developed. However, many of these tools can also be used by threat actors for exploitation.

Password crackers: Passwords are the most vulnerable security threat. Password cracking tools are often referred to as password recovery tools and can be used to crack or recover the password. Password crackers repeatedly make guesses in order to crack the password and access the system. Examples of password cracking tools include John the Ripper, Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa.
Wireless hacking tools: Wireless networks are more susceptible to network security threats. Wireless hacking tools are used to intentionally hack into a wireless network to detect security vulnerabilities. Examples of wireless hacking tools include Aircrack-ng, Kismet, InSSIDer, KisMAC, Firesheep, and NetStumbler.
Network scanning and hacking tools: Network scanning tools are used to probe network devices, servers, and hosts for open TCP or UDP ports. Examples of scanning tools include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
Packet crafting tools: Packet crafting tools are used to probe and test a firewall’s robustness using specially crafted forged packets. Examples of such tools include Hping, Scapy, Socat, Yersinia, Netcat, Nping, and Nemesis.
Packet sniffers: Packet sniffer tools are used to capture and analyze packets within traditional Ethernet LANs or WLANs. Tools include Wireshark, Tcpdump, Ettercap, Dsniff, EtherApe, Paros, Fiddler, Ratproxy, and SSLstrip.
Rootkit detectors: A rootkit detector is a directory and file integrity checker used by white hat hackers to detect installed rootkits. Example tools include AIDE, Netfilter, and PF: OpenBSD Packet Filter.
Threat Actor Tools
Evolution of Security Tools (Cont.)

Fuzzers: Fuzzers are tools used by threat actors when attempting to discover a computer system’s security vulnerabilities. Examples of fuzzers include Skipfish, Wapiti, and W3af.
Forensic tools: White hat hackers use forensic tools to sniff out any trace of evidence existing in a particular computer system. Examples of tools include Sleuth Kit, Helix, Maltego, and EnCase.
Debuggers: Debugger tools are used by black hat hackers to reverse engineer binary files when writing exploits. They are also used by white hat hackers when analyzing malware. Debugging tools include GDB, WinDbg, IDA Pro, and Immunity Debugger.
Hacking operating systems: Hacking operating systems are specially designed operating systems preloaded with tools and technologies optimized for hacking. Examples of specially designed hacking operating systems include Kali Linux, SELinux, Knoppix, Parrot OS, and BackBox Linux.
Encryption tools: These tools safeguard the contents of an organization’s data when it is stored or transmitted. Encryption tools use algorithm schemes to encode the data to prevent unauthorized access to the data. Examples of these tools include VeraCrypt, CipherShed, OpenSSH, OpenSSL, OpenVPN, and Stunnel.
Vulnerability exploitation tools: These tools identify whether a remote host is vulnerable to a security attack. Examples of vulnerability exploitation tools include Metasploit, Core Impact, Sqlmap, Social-Engineer Toolkit, and Netsparker.
Vulnerability scanners: These tools scan a network or system to identify open ports. They can also be used to scan for known vulnerabilities and scan VMs, BYOD devices, and client databases. Examples of these tools include Nipper, Secunia PSI, Core Impact, Nessus, SAINT, and OpenVAS.
Threat Actor Tools
Categories of Attacks
• Eavesdropping: capture and listen to network traffic.
• Data modification: alter the captured data in the packet without the knowledge of the sender or receiver.
• IP address spoofing: constructs an IP packet that appears to originate from a valid address inside the corporate intranet.
• Password-based: uses stolen valid accounts to obtain lists of other users and network information.
• Denial-of-Service: prevents normal use of a computer or network by valid users.
• Man-in-the-Middle: hackers position themselves between a source and destination to monitor, capture, and control communication.
• Compromised-Key: gain access to a secured communication without the sender or receiver being aware of the attack by obtaining the secret key.
• Sniffer: an application or device that can read, monitor, and capture network data exchanges and read network packets.
Common Threats and Attacks
Malware
• Short for malicious software or malicious code.
• Specifically designed to damage, disrupt, steal, or inflict illegitimate action on data, hosts, or networks.

Types of Malware
A virus spreads by inserting a copy of itself into another program. After the program is run, viruses then spread from one computer to another, infecting the computers. Most viruses require human help to spread.

Trojan horse malware is software that appears to be legitimate, but it contains malicious code which exploits the privileges of the user who runs it.

Computer worms are like viruses because they replicate and can cause the same type of damage. Specifically, worms replicate themselves by independently exploiting vulnerabilities in networks. Worms can slow down networks as they spread from system to system.
Malware
Ransomware

Currently, the most dominant malware is ransomware.

• Ransomware is malware that denies access to the infected computer system or its
data. The cybercriminals then demand payment to release the computer system.
• Ransomware has evolved to become the most profitable malware type in history.
• There are dozens of ransomware variants.
• Ransomware frequently uses an encryption algorithm to encrypt system files and data.
• Payments are typically paid in Bitcoin because users of bitcoin can remain
anonymous.
• Email and malicious advertising, also known as malvertising, are vectors for
ransomware campaigns.
• Social engineering is also used.

Malware
Other Malware
These are some examples of the varieties of modern malware:

Spyware: Used to gather information about a user and send the information to another entity without the user’s consent. Spyware can be a system monitor, Trojan horse, adware, tracking cookies, and key loggers.
Adware: Displays annoying pop-ups to generate revenue for its author. The malware may analyze user interests by tracking the websites visited. It can then send pop-up advertising pertinent to those sites.
Scareware: Includes scam software which uses social engineering to shock or induce anxiety by creating the perception of a threat. It is generally directed at an unsuspecting user and attempts to persuade the user to infect a computer by taking action to address the bogus threat.
Phishing: Attempts to convince people to divulge sensitive information. Examples include receiving an email from their bank asking users to divulge their account and PIN numbers.
Rootkits: Installed on a compromised system. After it is installed, it continues to hide its intrusion and provide privileged access to the threat actor.

Common Threats and Attacks
Types of Network Attacks
• By categorizing network attacks, it is possible to address types of attacks rather than individual attacks.
Common Network Attacks - Reconnaissance, Access, and Social Engineering
Reconnaissance Attacks
Reconnaissance is information gathering. Threat actors use reconnaissance (or recon) attacks to do unauthorized discovery and mapping of systems, services, or vulnerabilities. Recon attacks precede access attacks or DoS attacks. Some of the techniques used by malicious threat actors to conduct reconnaissance attacks are described in the table.

Perform an information query of a target: The threat actor is looking for initial information about a target. Various tools can be used, including Google search, the organization’s website, whois, and more.
Initiate a ping sweep of the target network: The information query usually reveals the target’s network address. The threat actor can now initiate a ping sweep to determine which IP addresses are active.
Initiate a port scan of active IP addresses: This is used to determine which ports or services are available. Examples of port scanners include Nmap, SuperScan, Angry IP Scanner, and NetScanTools.
Run vulnerability scanners: This is to query the identified ports to determine the type and version of the application and operating system that is running on the host. Examples of tools include Nipper, Secunia PSI, Core Impact, Nessus v6, SAINT, and OpenVAS.
Run exploitation tools: The threat actor now attempts to discover vulnerable services that can be exploited. A variety of vulnerability exploitation tools exist including Metasploit, Core Impact, Sqlmap, Social-Engineer Toolkit, and Netsparker.

Common Network Attacks - Reconnaissance, Access, and Social Engineering
Access Attacks
Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services. The purpose of this type of attack is to gain entry to web accounts, confidential databases, and other sensitive information.

Password Attacks: In a password attack, the threat actor attempts to discover critical system passwords using various methods.
Spoofing Attacks: In spoofing attacks, the threat actor’s device attempts to pose as another device by falsifying data. Common spoofing attacks include IP spoofing, MAC spoofing, and DHCP spoofing.
Trust Exploitation: In a trust exploitation attack, a threat actor uses unauthorized privileges to gain access to a system, possibly compromising the target.
Port Redirection: In a port redirection attack, a threat actor uses a compromised system as a base for attacks against other targets.
Man-in-the-Middle: In a man-in-the-middle attack, the threat actor is positioned in between two legitimate entities in order to read or modify the data that passes between the two parties.
Buffer Overflow Attack: In a buffer overflow attack, the threat actor exploits the buffer memory and overwhelms it with unexpected values. This usually renders the system inoperable, resulting in a DoS attack.
Common Network Attacks - Reconnaissance, Access, and Social Engineering
Social Engineering Attacks
Social engineering is an access attack that attempts to manipulate individuals into performing actions or divulging confidential information. Information about social engineering techniques is shown in the table.

Pretexting: A threat actor pretends to need personal or financial data to confirm the identity of the recipient.
Phishing: A threat actor sends fraudulent email which is disguised as being from a legitimate, trusted source to trick the recipient into installing malware on their device, or to share personal or financial information.
Spear phishing: A threat actor creates a targeted phishing attack tailored for a specific individual or organization.
Spam: Also known as junk mail, this is unsolicited email which often contains harmful links, malware, or deceptive content.
Something for Something: Sometimes called “quid pro quo”, this is when a threat actor requests personal information from a party in exchange for something such as a gift.
Baiting: A threat actor leaves a malware-infected flash drive in a public location. A victim finds the drive and unsuspectingly inserts it into their laptop, unintentionally installing malware.
Impersonation: In this type of attack, a threat actor pretends to be someone else to gain the trust of a victim.

Common Network Attacks - Reconnaissance, Access, and Social Engineering
Social Engineering Attacks (Cont.)

Tailgating: This is where a threat actor quickly follows an authorized person into a secure location to gain access to a secure area.
Shoulder surfing: This is where a threat actor inconspicuously looks over someone’s shoulder to steal their passwords or other information.
Dumpster diving: This is where a threat actor rummages through trash bins to discover confidential documents.

Network Attacks - Denial of Service, Buffer Overflows, and Evasion
DoS and DDoS Attacks
A Denial of Service (DoS) attack creates some sort of interruption of network services to users, devices, or applications. There are two major types of DoS attacks:
• Overwhelming Quantity of Traffic
• Maliciously Formatted Packets

A Distributed DoS Attack (DDoS) is like a DoS attack, but it originates from multiple, coordinated sources.
Network Attacks - Denial of Service, Buffer Overflows, and Evasion
Components of DDoS Attacks
If threat actors can compromise many hosts, they can perform a Distributed DoS Attack (DDoS). DDoS attacks are similar in intent to DoS attacks, except that a DDoS attack increases in magnitude because it originates from multiple, coordinated sources. The following terms are used to describe components of a DDoS attack:

Zombies: This refers to a group of compromised hosts (i.e., agents). These hosts run malicious code referred to as robots (i.e., bots). The zombie malware continually attempts to self-propagate like a worm.
Bots: Bots are malware that is designed to infect a host and communicate with a handler system. Bots can also log keystrokes, gather passwords, capture and analyze packets, and more.
Botnet: This refers to a group of zombies that have been infected using self-propagating malware (i.e., bots) and are controlled by handlers.
Handlers: This refers to a master command-and-control (CnC or C2) server controlling groups of zombies. The originator of a botnet can use Internet Relay Chat (IRC) or a web server on the C2 server to remotely control the zombies.
Botmaster: This is the threat actor who is in control of the botnet and handlers.
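The reconnaissance sequence described earlier (ping sweep, then port scan of the hosts that answered) and the two DoS types and the multi-source nature of DDoS described in this section all leave recognisable patterns in firewall flow logs. The following added example (it is not code from the Cisco module) shows how a defender can flag each of them. Everything in it is constructed for illustration: the log format ("<seconds> <src> <dst> <proto> <dport>"), the function names, the thresholds, the RFC 5737 documentation addresses, and the sample traffic that build_sample_log() generates.

```python
"""Flag reconnaissance and DoS/DDoS patterns in constructed firewall flow logs.

Added example, not part of the Cisco module: log format, field names,
thresholds and sample traffic are all constructed for illustration.
"""
from collections import defaultdict


def build_sample_log():
    """Constructed sample flows covering each pattern the module describes."""
    lines = []
    # Ordinary traffic: one client, a few flows to a web server.
    for i in range(5):
        lines.append(f"{100 + i * 20} 10.0.0.20 10.0.0.7 TCP 443")
    # Ping sweep: one outside host ICMP-probes 12 internal addresses.
    for i in range(1, 13):
        lines.append(f"{200 + i} 203.0.113.5 10.0.0.{i} ICMP 0")
    # Port scan: the same host then probes 10 ports on a host that answered.
    for i, port in enumerate((21, 22, 23, 25, 53, 80, 110, 143, 443, 445)):
        lines.append(f"{300 + i} 203.0.113.5 10.0.0.7 TCP {port}")
    # Single-source flood (DoS): 60 flows from one host in one 10 s window.
    for _ in range(60):
        lines.append("400 198.51.100.9 10.0.0.8 UDP 53")
    # Distributed flood (DDoS): 20 zombies, 3 flows each, in one window.
    for z in range(20):
        for _ in range(3):
            lines.append(f"500 192.0.2.{z + 1} 10.0.0.7 TCP 80")
    # Maliciously formatted packet: source address equals destination.
    lines.append("600 10.0.0.7 10.0.0.7 TCP 80")
    return "\n".join(lines)


def parse_flows(text):
    """Parse the constructed log format into dicts; skip blank/comment lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "proto": proto, "dport": int(dport)})
    return flows


def find_ping_sweeps(flows, min_hosts=8):
    """Recon: one source sends ICMP to many distinct destinations."""
    seen = defaultdict(set)
    for f in flows:
        if f["proto"] == "ICMP":
            seen[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in seen.items() if len(d) >= min_hosts}


def find_port_scans(flows, min_ports=8):
    """Recon: one source touches many distinct ports on a single host."""
    seen = defaultdict(set)
    for f in flows:
        if f["proto"] in ("TCP", "UDP"):
            seen[(f["src"], f["dst"])].add(f["dport"])
    return {pair: len(p) for pair, p in seen.items() if len(p) >= min_ports}


def find_floods(flows, window=10, min_flows=50, min_sources=5):
    """Overwhelming traffic: many flows to one destination in one window.
    Labelled DDoS when at least min_sources distinct hosts send them,
    DoS otherwise. Returns {dst: (kind, flow_count, distinct_sources)}."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[(f["dst"], f["ts"] // window)].append(f["src"])
    result = {}
    for (dst, _), sources in buckets.items():
        if len(sources) >= min_flows:
            kind = "DDoS" if len(set(sources)) >= min_sources else "DoS"
            result[dst] = (kind, len(sources), len(set(sources)))
    return result


def find_malformed(flows):
    """Maliciously formatted packets: here, source equal to destination,
    a classic signature that a stateful firewall should simply drop."""
    return [f for f in flows if f["src"] == f["dst"]]


def analyze(text):
    """Run every detector over one log and collect the findings."""
    flows = parse_flows(text)
    return {"ping_sweeps": find_ping_sweeps(flows),
            "port_scans": find_port_scans(flows),
            "floods": find_floods(flows),
            "malformed": len(find_malformed(flows))}


if __name__ == "__main__":
    for name, finding in analyze(build_sample_log()).items():
        print(f"{name}: {finding}")
```

The flood detector keys on distinct sources per destination, which is exactly what separates a DoS from a DDoS in the text above: the same 60 flows are a DoS when one host sends them and a DDoS when 20 zombies do. The thresholds are deliberately low so the constructed sample trips them; on a real network they would be tuned per segment, and a single-source result is often just a misconfigured host rather than an attack.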

1.3 Mitigating Threats

Defending the Network
Network Security Professionals

Network security professionals are responsible for maintaining data assurance for an organization and
ensuring the integrity and confidentiality of information.

Security specialist job roles within an enterprise include Chief Information Officer (CIO), Chief
Information Security Officer (CISO), Security Operations (SecOps) Manager, Chief Security Officer
(CSO), Security Manager, and Network Security Engineer. Regardless of job titles, network security
professionals must always stay one step ahead of the hackers:

• They must constantly upgrade their skill set to keep abreast of the latest threats.
• They must attend training and workshops.
• They must subscribe to real-time feeds regarding threats.
• They must peruse security websites daily.
• They must maintain familiarity with network security organizations. These organizations often
have the latest information on threats and vulnerabilities.
Defending the Network
Network Intelligence Communities

SANS: SysAdmin, Audit, Network, Security (SANS) Institute resources are largely free upon request and include:
• The Internet Storm Center, the popular internet early warning system
• NewsBites, the weekly digest of news articles about computer security
• @RISK, the weekly digest of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked
• Flash security alerts
• Reading Room, more than 1,200 award-winning, original research papers
• SANS also develops security courses.

Mitre: The Mitre Corporation maintains a list of common vulnerabilities and exposures (CVE) used by prominent security organizations.

Defending the Network
Network Intelligence Communities (Cont.)

FIRST: Forum of Incident Response and Security Teams (FIRST) is a security organization that brings together a variety of computer security incident response teams from government, commercial, and educational organizations to foster cooperation and coordination in information sharing, incident prevention, and rapid reaction.
SecurityNewsWire: A security news portal that aggregates the latest breaking news pertaining to alerts, exploits, and vulnerabilities.
(ISC)²: International Information Systems Security Certification Consortium ((ISC)²) provides vendor-neutral education products and career services to more than 75,000 industry professionals in more than 135 countries.
CIS: The Center for Internet Security (CIS) is a focal point for cyber threat prevention, protection, response, and recovery for state, local, tribal, and territorial (SLTT) governments through the Multi-State Information Sharing and Analysis Center (MS-ISAC). The MS-ISAC offers 24x7 cyber threat warnings and advisories, vulnerability identification, and mitigation and incident response.
Defending the Network
Communications Security: CIA
Information security deals with protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. The CIA Triad serves as a conceptual foundation for the field.

The CIA Triad consists of three components of information security:
• Confidentiality: Only authorized individuals, entities, or processes can access sensitive information.
• Integrity: This refers to the protection of data from unauthorized alteration.
• Availability: Authorized users must have uninterrupted access to the network resources and data that they require.

Network Security Domains
There are 14 network security domains specified by the ISO/IEC.

Information Security Policies: This annex is designed to ensure that security policies are created, reviewed, and maintained.
Organization of Information Security: This is the governance model set out by an organization for information security. It assigns responsibilities for information security tasks within an organization.
Human Resources Security: This addresses security responsibilities relating to employees joining, moving within, and leaving an organization.
Asset Management: This concerns the way that organizations create an inventory of and classification scheme for information assets.
Access Control: This describes the restriction of access rights to networks, systems, applications, functions, and data.
Cryptography: This concerns data encryption and the management of sensitive information to protect confidentiality, integrity, and availability of data.
Physical and Environmental Security: This describes the protection of the physical computer facilities and equipment within an organization.
Operations Security: This describes the management of technical security controls in systems and networks including malware defenses, data backup, logging and monitoring, vulnerability management, and audit considerations. This domain is also concerned with the integrity of software that is used in business operations.
Network Security Domains (Cont.)

Communications Security: This concerns the security of data as it is communicated on networks, both within an organization or between an organization and third parties such as customers or suppliers.
System Acquisition, Development, and Maintenance: This ensures that information security remains a central concern in an organization’s processes across the entire lifecycle, in both private and public networks.
Supplier Relationships: This concerns the specification of contractual agreements that protect an organization’s information and technology assets that are accessible by third parties that provide supplies and services to the organization.
Information Security Incident Management: This describes how to anticipate and respond to information security breaches.
Business Continuity Management: This describes the protection, maintenance, and recovery of business-critical processes and systems.
Compliance: This describes the process of ensuring conformance with information security policies, standards, and regulations.

Network Security Policies
Security Policy
Security policies are used to inform users, staff, and managers of an organization’s requirements for protecting technology and information assets. A security policy also specifies the mechanisms that are needed to meet security requirements and provides a baseline from which to acquire, configure, and audit computer systems and networks for compliance. Policies that may be included in a security policy are:

Identification and authentication policy: Specifies authorized persons that can have access to network resources and identity verification procedures.
Password policies: Ensures passwords meet minimum requirements and are changed regularly.
Acceptable Use Policy (AUP): Identifies network applications and uses that are acceptable to the organization. It may also identify ramifications if this policy is violated.
Remote access policy: Identifies how remote users can access a network and what is accessible via remote connectivity.
Network maintenance policy: Specifies network device operating systems and end user application update procedures.
Incident handling procedures: Describes how security incidents are handled.

Network Security Policies
BYOD Policies
Many organizations must now also support Bring Your Own Device (BYOD). This enables employees to use their own mobile devices to access company systems, software, networks, or information. This can bring an increased information security risk because BYOD can lead to data breaches and greater liability for the organization. BYOD security best practices to help mitigate BYOD vulnerabilities are:

Password protected access: Use unique passwords for each device and account.
Manually control wireless connectivity: Turn off Wi-Fi and Bluetooth connectivity when not in use. Connect only to trusted networks.
Keep updated: Always keep the device OS and other software updated. Updated software often contains security patches to mitigate against the latest threats or exploits.
Back up data: Enable backup of the device in case it is lost or stolen.
Enable “Find my Device”: Subscribe to a device locator service with a remote wipe feature.
Provide antivirus software: Provide antivirus software for approved BYOD devices.
Use Mobile Device Management (MDM) software: MDM software enables IT teams to implement security settings and software configurations on all devices that connect to company networks.

Security Tools, Platforms, and Services
The Security Onion and The Security Artichoke

A common analogy used to describe a defense-in-depth approach is called “the security onion.”
A threat actor would have to peel away at a network’s defenses layer by layer in a manner
similar to peeling an onion. Only after penetrating each layer would the threat actor reach the
target data or system.

Note: The security onion described on this page is a way of visualizing defense-in-depth. This is
not to be confused with the Security Onion suite of network security tools.
Security Tools, Platforms, and Services
The Security Onion and The Security Artichoke (Cont.)

The changing landscape of networking, such as the evolution of borderless networks, has changed
this analogy to the “security artichoke”, which benefits threat actors because they no longer have
to peel away each layer. They only need to remove certain “artichoke leaves.” The threat actor
peels away the security armor along the perimeter to get to the “heart” of the enterprise.

Security Tools, Platforms, and Services
Data Security Platforms
A Data Security Platform (DSP) is an integrated security solution that combines traditionally
independent tools into a suite that is made to work together. Security tools that protect and
monitor networks are often made by different vendors. It can be difficult to integrate these tools in
such a way that a single view of network security can be achieved.

One such DSP is the Helix platform from FireEye. FireEye Helix is a cloud-based security operations
platform that enables organizations to integrate many security functions into a single platform.
Helix provides event management, network behavior analytics, advanced threat detection, and
security orchestration, automation, and response (SOAR) so that threats can be acted on as they
are detected.

Security Tools, Platforms, and Services
Data Security Platforms (Cont.)

Another integrated DSP is Cisco SecureX. The Cisco Secure portfolio consists of a broad set of
technologies that function as a team, providing interoperability with the security infrastructure,
including third-party technologies. This results in unified visibility, automation, and stronger
defenses. The Cisco SecureX platform works with diverse products that combine to safeguard your
network, users and endpoints, cloud edge, and applications. SecureX functionality is built into a
large and diverse portfolio of Cisco security products, including next-generation firewalls, VPN,
network analytics, Identity Services Engine (ISE), Advanced Malware Protection (AMP), and many
other systems that work to secure all aspects of a network. SecureX also integrates a range of
third-party security tools.

Security Tools, Platforms, and Services
Security Services
Threat intelligence and security services allow the exchange of threat information such as
vulnerabilities, indicators of compromise (IOC), and mitigation techniques. As threats emerge,
threat intelligence services create and distribute firewall rules and IOCs to the devices that
have subscribed to the service.

One such service is the Cisco Talos Threat Intelligence Group. Talos is one of the largest
commercial threat intelligence teams in the world. The goal of Talos is to help protect enterprise
users, data, and infrastructure from active adversaries. The Talos team collects information
about active, existing, and emerging threats. Talos then provides comprehensive protection
against these attacks and malware to its subscribers.

Cisco Security products can use Talos threat intelligence in real time to provide fast and
effective security solutions.
Mitigating Common Network Attacks
Defending the Network
Constant vigilance and ongoing education are required to defend your network against attack. The
following are best practices for securing a network:
• Develop a written security policy for the company.
• Educate employees about the risks of social engineering, and develop strategies to validate
identities over the phone, via email, or in person.
• Control physical access to systems.
• Use strong, unique passwords, and change them whenever compromise is suspected. Current
guidance (NIST SP 800-63B) no longer recommends forced periodic rotation, which tends to
produce weaker, predictable passwords.
• Encrypt and password-protect sensitive data.
• Implement security hardware and software such as firewalls, IPSs, virtual private network (VPN)
devices, antivirus software, and content filtering.
• Perform backups and test the backed-up files on a regular basis.
• Shut down unnecessary services and ports.
• Keep patches up-to-date by installing them weekly or daily, if possible, to prevent buffer overflow
and privilege escalation attacks.
• Perform security audits to test the network.
Mitigating Common Network Attacks
Mitigating Malware
Malware, including viruses, worms, and Trojan horses, can cause serious problems on
networks and end devices. Network administrators have several means of mitigating these
attacks.

Antivirus software helps prevent hosts from becoming infected and spreading malicious code.
Several companies create antivirus software, such as Symantec, McAfee, and Trend Micro.
Antivirus products have update automation options so that new virus definitions and new
software updates can be downloaded automatically or on demand. Keeping definitions and
engines current is essential to keeping a network free of viruses and should be formalized in the
network security policy.

These products are installed on computers and servers to detect and eliminate viruses.
However, they do not prevent viruses from entering the network. Another way to mitigate
malware threats is to prevent malware files from entering the network at all. Security devices at
the network perimeter can identify known malware files based on their indicators of compromise
(IOCs), such as file hashes. The files can be removed from the incoming data stream before they
can cause an incident. Because a hash IOC only matches an exact copy of a file, perimeter
devices typically combine hash lookups with signatures and sandbox analysis.
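The perimeter check described above, as an added example that is not part of the course material or any Cisco product: a small Python inspector reassembles a file from packet-sized chunks, hashes the whole object and compares the digests against a normalized IOC set. The sample bytes and the IOC feed are constructed here (the feed entries are derived from the sample so the demo runs offline; a real device would pull them from a service such as Talos), and the one-byte variant at the end shows why a hash IOC alone is not enough.

```python
import hashlib
from typing import Iterable

# Constructed sample bytes standing in for a known-bad file. This is an arbitrary
# byte string for the demo, not real malware.
SAMPLE_MALWARE = b"MZ\x90\x00" + b"EVIL_DROPPER_v1" * 8


def file_hashes(data: bytes) -> dict:
    """Digests that perimeter devices commonly compare against file-hash IOCs."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def normalize_iocs(raw_iocs: Iterable[str]) -> set:
    """Lower-case and strip feed entries so case or whitespace differences never cause a miss."""
    return {h.strip().lower() for h in raw_iocs if h.strip()}


# Constructed IOC feed: the SHA-256 and MD5 of the sample, written the way a feed
# might deliver them (mixed case, stray whitespace). A real feed would be fetched
# from a threat intelligence service, not computed from the sample.
IOC_FEED = [
    file_hashes(SAMPLE_MALWARE)["sha256"].upper() + "  ",
    " " + file_hashes(SAMPLE_MALWARE)["md5"],
]


def inspect_file(chunks: Iterable[bytes], iocs: set) -> dict:
    """Reassemble a file carried across several packets, hash the whole object and
    return a verdict. Hashing individual packets would never match a file-level IOC,
    so the inspector must buffer until the transfer is complete."""
    buf = bytearray()
    for chunk in chunks:
        buf.extend(chunk)
    digests = file_hashes(bytes(buf))
    hits = {algo: d for algo, d in digests.items() if d in iocs}
    return {"verdict": "drop" if hits else "pass", "matched": hits, "size": len(buf)}


def chunked(data: bytes, size: int):
    """Split a byte string into packet-sized pieces."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def demo() -> tuple:
    iocs = normalize_iocs(IOC_FEED)
    known = inspect_file(chunked(SAMPLE_MALWARE, 64), iocs)
    # Flipping one byte changes every digest: hash IOCs only catch exact copies,
    # which is why perimeter devices also rely on signatures and sandboxing.
    variant = SAMPLE_MALWARE[:-1] + bytes([SAMPLE_MALWARE[-1] ^ 0x01])
    evaded = inspect_file(chunked(variant, 64), iocs)
    return known, evaded


if __name__ == "__main__":
    known, evaded = demo()
    print("known sample:", known["verdict"], sorted(known["matched"]))
    print("one-byte variant:", evaded["verdict"])
```

The inspector buffers the complete transfer before hashing; on a real device that buffering is what limits the file sizes that can be inspected inline, and it is the reason hash matching is usually paired with behavioural analysis of files that pass the check.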
Mitigating Common Network Attacks
Mitigating Worms
Worms are more network-based than viruses. Worm mitigation requires diligence and
coordination on the part of network security professionals. The response to a worm attack can
be broken down into four phases: containment, inoculation, quarantine, and treatment.

1. Containment - The containment phase involves limiting the spread of a worm infection to areas
of the network that are already affected. This requires compartmentalization and segmentation of
the network to slow down or stop the worm and to prevent currently infected hosts from targeting
and infecting other systems. Containment requires using both outgoing and incoming ACLs on
routers and firewalls at control points within the network.
2. Inoculation - The inoculation phase runs parallel to or subsequent to the containment phase.
During the inoculation phase, all uninfected systems are patched with the appropriate vendor
patch. The inoculation process further deprives the worm of available targets.
3. Quarantine - The quarantine phase involves tracking down and identifying infected machines
within the contained areas and disconnecting, blocking, or removing them. This isolates these
systems appropriately for the treatment phase.
4. Treatment - The treatment phase involves actively disinfecting infected systems. This can involve
terminating the worm process, removing modified files or system settings that the worm
introduced, and patching the vulnerability the worm used to exploit the system. Alternatively, in
more severe cases, the system may need to be reinstalled to ensure that the worm and its
by-products are removed.
Mitigating Common Network Attacks
Mitigating Reconnaissance Attacks
Reconnaissance attacks are typically the precursor to other attacks that are designed to gain
unauthorized access to a network or disrupt network functionality. You can detect when a
reconnaissance attack is underway by receiving notifications from preconfigured alarms. These
alarms are triggered when certain parameters are exceeded, such as the number of ICMP echo
requests per second from one source, or the number of distinct hosts or ports that one source
touches within a short window. Reconnaissance attacks can be mitigated in several ways,
including the following:

• Implementing authentication to ensure proper access.
• Using encryption to render packet sniffer attacks useless.
• Using anti-sniffer tools to detect packet sniffer attacks.
• Implementing a switched infrastructure, which confines passive sniffing to a single segment (it
does not stop ARP spoofing on that segment; Dynamic ARP Inspection does).
• Using a firewall and IPS.

Port scanning cannot be prevented outright, because any reachable service can be probed. Using
an IPS and firewall can limit the information that a port scanner discovers. Ping sweeps can be
stopped if ICMP echo and echo-reply are turned off on edge routers; however, when these
services are turned off, network diagnostic data is lost.
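The threshold alarms described above, as an added example that is not part of the course material: a Python detector runs over time-ordered flow records and raises one alarm per source for an ICMP rate burst, a ping sweep (many distinct targets) and a port scan (many distinct ports on one target). The flow records, the threshold values and the window length are all constructed or assumed for the demo; on a real network they come from NetFlow or an IPS and are tuned to the observed baseline.

```python
from collections import defaultdict, deque

# Thresholds are assumed values for the demo; tune them to the network's baseline.
ICMP_PER_SEC_ALARM = 20      # echo requests from one source within one second
SWEEP_DISTINCT_HOSTS = 8     # distinct targets pinged by one source within WINDOW_S
SCAN_DISTINCT_PORTS = 15     # distinct TCP ports probed on one target within WINDOW_S
WINDOW_S = 10.0


def _expire(seen: dict, now: float) -> None:
    """Drop entries last seen more than WINDOW_S ago."""
    for key in [k for k, t in seen.items() if now - t > WINDOW_S]:
        del seen[key]


def detect_recon(flows):
    """flows: time-ordered (time_s, src, dst, proto, dst_port) tuples.
    Returns [(time_s, alarm_type, src), ...]; each alarm type fires once per source."""
    alarms, fired = [], set()
    icmp_times = defaultdict(deque)    # src -> timestamps of recent echo requests
    sweep_targets = defaultdict(dict)  # src -> {dst: last_seen}
    scan_ports = defaultdict(dict)     # (src, dst) -> {dport: last_seen}

    def raise_alarm(kind, src, t):
        if (kind, src) not in fired:
            fired.add((kind, src))
            alarms.append((t, kind, src))

    for t, src, dst, proto, dport in flows:
        if proto == "icmp-echo":
            recent = icmp_times[src]
            recent.append(t)
            while recent and t - recent[0] > 1.0:   # one-second sliding window
                recent.popleft()
            if len(recent) >= ICMP_PER_SEC_ALARM:
                raise_alarm("icmp-rate", src, t)
            targets = sweep_targets[src]
            targets[dst] = t
            _expire(targets, t)
            if len(targets) >= SWEEP_DISTINCT_HOSTS:
                raise_alarm("ping-sweep", src, t)
        elif proto == "tcp":
            ports = scan_ports[(src, dst)]
            ports[dport] = t
            _expire(ports, t)
            if len(ports) >= SCAN_DISTINCT_PORTS:
                raise_alarm("port-scan", src, t)
    return alarms


def constructed_flows():
    """Constructed flow records for the demo (not captured traffic)."""
    flows = []
    # Benign workstation: three pings to its gateway, then two TCP sessions.
    for i in range(3):
        flows.append((5.0 + i, "10.0.0.7", "10.0.0.1", "icmp-echo", None))
    flows.append((6.5, "10.0.0.7", "10.0.1.5", "tcp", 443))
    flows.append((7.0, "10.0.0.7", "10.0.1.5", "tcp", 80))
    # Scanner: sweeps 20 hosts at 25 pkt/s, then probes 30 ports on one host.
    for i in range(20):
        flows.append((10.0 + i * 0.04, "10.0.0.66", f"10.0.1.{i + 1}", "icmp-echo", None))
    for p in range(30):
        flows.append((12.0 + p * 0.05, "10.0.0.66", "10.0.1.5", "tcp", 1 + p))
    return sorted(flows, key=lambda f: f[0])


if __name__ == "__main__":
    for t, kind, src in detect_recon(constructed_flows()):
        print(f"t={t:6.2f}s  {kind:<10} from {src}")
```

The sweep alarm fires on the eighth distinct target, before the rate alarm, which is the usual order for a slow scanner; lowering the rate threshold catches fast sweeps sooner but will also fire on monitoring systems that poll many hosts, so each alarm should be tuned separately.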
Mitigating Common Network Attacks
Mitigating Access Attacks
Several techniques are available for mitigating access attacks, including strong password
security, the principle of minimum trust, cryptography, and applying operating system and
application patches. A surprising number of access attacks are carried out through simple
password guessing or brute-force dictionary attacks against passwords. To defend against this,
create and enforce a strong authentication policy which includes:

• Use strong passwords - Strong passwords are at least eight characters (longer passphrases
are better) and contain uppercase letters, lowercase letters, numbers, and special characters.
• Disable accounts after a specified number of unsuccessful logins has occurred - This
practice helps to prevent continuous password attempts. Prefer a temporary lockout or a
progressive delay over a permanent disable, because an attacker who knows usernames can
otherwise lock legitimate users out at will.

Use encryption for remote access to a network and routing protocol traffic to reduce the
possibility of man-in-the-middle attacks. Educate employees about the risks of social
engineering, and develop strategies to validate identities over the phone, via email, or in
person. Multifactor authentication (MFA) has become increasingly common; it defeats a guessed
or stolen password on its own and should be required for remote and administrative access.
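The two policy points above, as an added example that is not part of the course material: a Python password-policy check with the page's minimum length and character classes, and a login guard that stores only a salted PBKDF2 hash, counts failed attempts per account and applies a temporary lockout. The account, the password, the lockout duration and the injectable clock are constructed for the demo; a production system would also rate-limit by source address and log every lockout.

```python
import hashlib
import hmac
import os
import string
import time
from collections import defaultdict

# Minimum length and failure count follow the text; the lockout duration is an assumption.
MIN_LENGTH = 8
MAX_FAILURES = 5
LOCKOUT_S = 900.0


def password_meets_policy(pw: str) -> list:
    """Return the unmet requirements; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    return problems


def make_record(pw: str) -> tuple:
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def check_record(record: tuple, pw: str) -> bool:
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, stored)   # constant-time comparison


class LoginGuard:
    """Counts failed logins per account and locks the account after MAX_FAILURES.
    A locked account rejects even the correct password until the lockout expires."""

    def __init__(self, records: dict, clock=time.monotonic):
        self._records = records
        self._clock = clock                 # injectable so the lockout can be tested
        self._failures = defaultdict(int)
        self._locked_until = {}

    def attempt(self, user: str, pw: str) -> str:
        now = self._clock()
        until = self._locked_until.get(user)
        if until is not None:
            if now < until:
                return "locked"
            del self._locked_until[user]    # lockout expired: start counting afresh
            self._failures[user] = 0
        record = self._records.get(user)
        if record is not None and check_record(record, pw):
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        if self._failures[user] >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_S
            return "locked"
        return "denied"


def demo() -> list:
    """Constructed scenario: five guesses, the real password during lockout, then after it."""
    clock = {"now": 0.0}
    guard = LoginGuard({"alice": make_record("Tr0ub4dor&3")}, clock=lambda: clock["now"])
    results = [guard.attempt("alice", f"guess{i}") for i in range(MAX_FAILURES)]
    results.append(guard.attempt("alice", "Tr0ub4dor&3"))   # still locked
    clock["now"] += LOCKOUT_S + 1
    results.append(guard.attempt("alice", "Tr0ub4dor&3"))   # lockout expired
    return results


if __name__ == "__main__":
    print(password_meets_policy("tr0ub4dor"))
    print(demo())
```

The sixth attempt shows the trade-off the text hints at: the correct password is refused while the account is locked, which stops a brute-force run but also lets anyone who knows a username cause a 15-minute outage for its owner, so the lockout is kept short and temporary.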
Mitigating Common Network Attacks
Mitigating DoS Attacks

One of the first signs of a DoS attack is a large number of user complaints about
unavailable resources or unusually slow network performance. A network utilization graph
showing unusual activity could indicate a DoS attack. Monitoring does not reduce the number of
attacks, but it shortens the time needed to detect one, so a network utilization monitoring
package should be running at all times with a known baseline to compare against.

Historically, many DoS attacks were sourced from spoofed addresses. Cisco routers and
switches support many antispoofing technologies, such as port security, Dynamic Host
Configuration Protocol (DHCP) snooping, IP Source Guard, Dynamic Address Resolution
Protocol (ARP) Inspection, and access control lists (ACLs). The Layer 2 features stop hosts on
the local network from spoofing; spoofed traffic arriving from outside is addressed by ingress
filtering at the network edge (ACLs or unicast Reverse Path Forwarding, as described in BCP 38).

Cisco Network Foundation Protection Framework
Securing the Control Plane

Control plane traffic consists of device-generated packets required for the operation of
the network itself. Control plane security can be implemented using the following
features:
• Routing protocol authentication - Routing protocol authentication, or neighbor
authentication, prevents a router from accepting fraudulent routing updates. Use keyed
(MD5 or, preferably, SHA) authentication; the plain-text password option that some protocols
still offer gives no protection against an attacker who can see the traffic.
• Control Plane Policing (CoPP) - CoPP is a Cisco IOS feature that lets users control
the flow of traffic that is handled by the route processor of a network device.
• AutoSecure - This can lock down the management plane functions and the
forwarding plane services and functions of a router.
CoPP is designed to prevent unnecessary traffic from overwhelming the route processor.
The CoPP feature treats the control plane as a separate entity with its own ingress (input)
and egress (output) ports. A set of rules can be established and associated with the
ingress and egress ports of the control plane.

Cisco Network Foundation Protection Framework
Securing the Management Plane
Management plane traffic is generated either by network devices or network
management stations using processes and protocols such as Telnet, SSH, TFTP, SNMP, and
HTTPS. Telnet and TFTP carry credentials and configurations in clear text, so SSH, SCP, and
HTTPS should be used in their place. The management plane is a very attractive target to
hackers.

Management plane security can be implemented using the following features:


• Login and password policy - Restricts device accessibility.
• Present legal notification - Displays legal notices.
• Ensure the confidentiality of data - Protects locally stored sensitive data from being
viewed or copied. Uses management protocols with strong authentication to mitigate
confidentiality attacks aimed at exposing passwords and device configurations.
• Role-based access control (RBAC) - Ensures access is only granted to
authenticated users, groups, and services.
• Authorize actions - Restricts the actions and views that are permitted by any
particular user, group, or service.
• Enable management access reporting - Logs and accounts for all access.
Cisco Network Foundation Protection Framework
Securing the Data Plane
Data plane traffic consists mostly of user packets being forwarded through the router. Data
plane security can be implemented using ACLs, antispoofing mechanisms, and Layer 2
security features. ACLs are used to secure the data plane in a variety of ways:
• Blocking unwanted traffic or users
• Reducing the chance of DoS
• Mitigating spoofing attacks
• Providing bandwidth control
• Classifying traffic to protect the management and control planes

Cisco Catalyst switches can use integrated features to help secure the Layer 2 infrastructure.
The following Layer 2 security tools are integrated into the Cisco Catalyst switches:
• Port security
• DHCP snooping
• Dynamic ARP Inspection (DAI)
• IP Source Guard
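The antispoofing features named above and in the DoS section (DHCP snooping, Dynamic ARP Inspection and IP Source Guard), as an added example that is not Cisco code and not part of the course material: a Python model of the decisions a switch makes with those features enabled. The binding table, port names, MAC and IP addresses are constructed for the demo; the aim is to show what each feature checks and why trusted ports bypass the checks, not to reproduce IOS behaviour exactly.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: the (MAC, IP) a given access port may legitimately source."""
    port: str
    mac: str
    ip: str


class SwitchGuard:
    """Models the decisions a Catalyst switch makes with DHCP snooping, Dynamic ARP
    Inspection and IP Source Guard enabled. Trusted ports (uplinks to the DHCP server
    and gateway) bypass the checks; every other port is untrusted."""

    DHCP_SERVER_MSGS = {"OFFER", "ACK", "NAK"}

    def __init__(self, trusted_ports, bindings=()):
        self.trusted = set(trusted_ports)
        self.bindings = defaultdict(set)    # port -> {(mac, ip)}
        for b in bindings:
            self.learn(b.port, b.mac, b.ip)

    def learn(self, port, mac, ip):
        """DHCP snooping adds a binding when it relays a DHCP ACK to a client port."""
        self.bindings[port].add((mac.lower(), ip))

    def _bound(self, port, mac, ip):
        return (mac.lower(), ip) in self.bindings[port]

    def dhcp_snooping(self, port, msg_type):
        """Server messages may only arrive on trusted ports (blocks rogue DHCP servers)."""
        if msg_type in self.DHCP_SERVER_MSGS and port not in self.trusted:
            return "drop: DHCP server message on untrusted port"
        return "forward"

    def dynamic_arp_inspection(self, port, sender_mac, sender_ip):
        """DAI validates the ARP sender fields against the binding table (stops ARP poisoning)."""
        if port in self.trusted or self._bound(port, sender_mac, sender_ip):
            return "forward"
        return "drop: ARP sender not in binding table"

    def ip_source_guard(self, port, src_mac, src_ip):
        """IP Source Guard filters IP packets by source address per port. Checking the MAC
        as well corresponds to the port-security variant; IP-only filtering is the default."""
        if port in self.trusted or self._bound(port, src_mac, src_ip):
            return "forward"
        return "drop: spoofed source address"


def demo() -> dict:
    """Constructed topology: two workstations on access ports, uplink on Gi0/24."""
    guard = SwitchGuard(
        trusted_ports={"Gi0/24"},
        bindings=[Binding("Gi0/1", "00:11:22:33:44:01", "10.0.0.11"),
                  Binding("Gi0/2", "00:11:22:33:44:02", "10.0.0.12")],
    )
    return {
        "legit_packet": guard.ip_source_guard("Gi0/1", "00:11:22:33:44:01", "10.0.0.11"),
        # Gi0/1 sends with the gateway's address as source (spoofed-source DoS traffic)
        "spoofed_packet": guard.ip_source_guard("Gi0/1", "00:11:22:33:44:01", "10.0.0.1"),
        # Gi0/2 claims in ARP to own the gateway IP (man-in-the-middle attempt)
        "arp_poison": guard.dynamic_arp_inspection("Gi0/2", "00:11:22:33:44:02", "10.0.0.1"),
        "arp_legit": guard.dynamic_arp_inspection("Gi0/2", "00:11:22:33:44:02", "10.0.0.12"),
        "rogue_dhcp": guard.dhcp_snooping("Gi0/3", "OFFER"),
        "real_dhcp": guard.dhcp_snooping("Gi0/24", "OFFER"),
        # traffic from the uplink is not filtered by these features
        "uplink_packet": guard.ip_source_guard("Gi0/24", "aa:bb:cc:dd:ee:ff", "203.0.113.5"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:<14} {verdict}")
```

The model makes the dependency between the three features visible: DAI and IP Source Guard can only enforce what DHCP snooping has learned, so a host with a static address on an untrusted port needs an explicit binding or it is dropped, and an uplink that is left untrusted blocks the real DHCP server.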