Master CyberOps Session 5

The document discusses network security defense approaches. It explains the defense-in-depth strategy using multiple layers of security. It also discusses identifying network assets, vulnerabilities, and threats. Finally, it covers security policies, regulations, and standards that organizations implement.


Security Certification

CyberOps Associate v1.0

Amal Sayari

2022-2023
Course Outline

Module  Title
1   The Danger
2   Fighters in the War Against Cybercrime
3   The Windows Operating System
4   Linux Overview
5   Network Protocols
6   Ethernet and Internet Protocol (IP)
7   Connectivity Verification
8   Address Resolution Protocol
9   The Transport Layer
10  Network Services
11  Network Communication Devices
12  Network Security Infrastructure
13  Attackers and their Tools
14  Common Threats and Attacks
15  Network Monitoring and Tools
16  Attacking the Foundation
17  Attacking What We Do
18  Understanding Defense
19  Access Control
20  Threat Intelligence
21  Cryptography
22  Endpoint Protection
23  Endpoint Vulnerability Assessment
24  Technologies and Protocols
25  Network Security Data
26  Evaluating Alerts
27  Working with Network Security Data
28  Digital Forensics and Incident Analysis and Response

© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Module 18: Understanding Defense

CyberOps Associate v1.0


Module Objectives

Module Objective: Explain approaches to network security defense.

Topic Title - Topic Objective
Defense-in-Depth - Explain how the defense-in-depth strategy is used to protect networks.
Security Policies, Regulations, and Standards - Explain security policies, regulations, and standards.

18.1 Defense-in-Depth

Understanding Defense
Assets, Vulnerabilities, Threats
• Cybersecurity analysts must prepare for any type of attack. It is their job to secure the assets of the organization's network.
• To do this, cybersecurity analysts must first identify:
  • Assets - Anything of value to an organization that must be protected, including servers, infrastructure devices, end devices, and the greatest asset, data.
  • Vulnerabilities - A weakness in a system or its design that could be exploited by a threat actor.
  • Threats - Any potential danger to an asset.

Understanding Defense
Identify Assets
• Many organizations only have a general idea of the assets that need to be protected.
• All the devices and information owned or managed by the organization are its assets.
• Assets constitute the attack surface that threat actors could target.
• Asset management consists of:
  • Inventorying all assets.
  • Developing and implementing policies and procedures to protect them.
  • Identifying where critical information assets are stored, and how access to that information is gained.

Understanding Defense
Identify Vulnerabilities
• Identifying vulnerabilities includes answering the following questions:
  • What are the vulnerabilities?
  • Who might exploit the vulnerabilities?
  • What are the consequences if the vulnerability is exploited?
• Identifying vulnerabilities on a network requires an understanding of the important applications that are used, as well as the different vulnerabilities of those applications and of the hardware. This can require a significant amount of research on the part of the network administrator.

Understanding Defense
Identify Threats
• Organizations must use a defense-in-depth approach to identify threats and secure vulnerable assets. This approach uses multiple layers of security at the network edge, within the network, and on network endpoints.
• A defense-in-depth topology might include the following devices, as an example:
  • Edge router - the first line of defense; configured with a set of rules specifying which traffic it allows or denies. It passes all connections that are intended for the internal LAN to the firewall.
  • Firewall - the second line of defense; performs additional filtering, authenticates users, and tracks the state of connections.
  • Internal router - the third line of defense; applies final filtering rules to the traffic before it is forwarded to its destination.
  • Other security devices could be used, such as Intrusion Prevention Systems (IPS), Advanced Malware Protection (AMP), web and email content security systems, network access controls, and more.
• In the layered defense-in-depth security approach, the different layers work together to create a security architecture in which the failure of one safeguard does not affect the effectiveness of the other safeguards.

Understanding Defense
The Security Onion and The Security Artichoke
There are two common analogies that are used to describe a defense-in-depth approach.
Security Onion
• The security onion analogy illustrates a layered approach to security.
• As illustrated in the figure, a threat actor would have to peel away at a network's defenses layer by layer, in a manner similar to peeling an onion.
• Only after penetrating each layer would the threat actor reach the target data or system.

Understanding Defense
The Security Onion and The Security Artichoke (Contd.)
Security Artichoke
• However, with the evolution of borderless networks, a security artichoke is a better analogy.
• Threat actors may only need to remove certain "artichoke leaves" to access sensitive data.
• Each "leaf" of the network may reveal sensitive data that is not well secured.
• The heart of the artichoke is where the most confidential data is found. Each leaf provides a layer of protection while simultaneously providing a path to attack.
• The key difference between the security onion and the security artichoke is that not every leaf needs to be removed in order to get at the data.
18.2 Security Policies, Regulations, and Standards

Security Policies, Regulations, and Standards
Business Policies
• In networking, policies define the activities that are allowed on the network. This sets a baseline of acceptable use.
• Business policies are the guidelines developed by an organization that govern its actions and the actions of its employees.
• An organization may have several guiding policies:
  • Company policies - establish the rules of conduct and the responsibilities of both employees and employers related to the terms and conditions of employment.
  • Employee policies - identify employee salary, pay schedule, employee benefits, work schedule, vacations, and more.
  • Security policies - identify a set of security objectives for a company, define the rules of behavior for users and administrators, and specify system requirements. They ensure the security of the network and the computer systems in an organization.

Security Policies, Regulations, and Standards
Security Policy
• A comprehensive security policy has a number of benefits:
  • Demonstrates an organization's commitment to security.
  • Sets the rules for expected behavior.
  • Ensures consistency in system operations, software and hardware acquisition and use, and maintenance.
  • Defines the legal consequences of violations.
• A security policy also specifies the mechanisms that are needed to meet security requirements and provides a baseline from which to acquire, configure, and audit computer systems and networks for compliance.

Security Policies, Regulations, and Standards
Security Policy
• A security policy may include the following:
  • Identification and authentication policy - Specifies the authorized persons that can have access to network resources and the identity verification procedures.
  • Password policies - Ensure passwords meet minimum requirements and are changed regularly.
  • Acceptable use policy (AUP) - Identifies network applications and uses that are acceptable to the organization.
  • Remote access policy - Identifies how remote users can access a network and what is accessible via remote connectivity.
  • Network maintenance policy - Specifies network device operating system and end-user application update procedures.
  • Incident handling procedures - Describe how security incidents are handled.
• One of the most common security policy components is an acceptable use policy (AUP). This can also be referred to as an appropriate use policy.
• An AUP defines what users are allowed and not allowed to do on the various system components. This includes the type of traffic that is allowed on the network.
• The AUP should be as explicit as possible to avoid misunderstanding.
Security Policies, Regulations, and Standards
BYOD Policies
• Bring Your Own Device (BYOD) enables employees to use their own mobile devices to access company systems, software, networks, or information.
• It provides key benefits to enterprises, including increased productivity, reduced costs, better mobility for employees, and so on. These benefits also bring an increased security risk, as BYOD can lead to data breaches and greater liability for the organization.
• Therefore, a BYOD security policy should be developed to accomplish the following:
  • Specify the goals of the BYOD program
  • Identify which employees can bring their own devices
  • Identify which devices will be supported
  • Identify the level of access employees are granted when using personal devices
  • Describe the rights to access and activities permitted to security personnel on the device
  • Identify which regulations must be adhered to when using employee devices
  • Identify safeguards to put in place if a device is compromised

Security Policies, Regulations, and Standards
BYOD Policies
• The following BYOD security best practices help mitigate BYOD risks:
  • Password-protected access: Use unique passwords for each device and account.
  • Manually controlled wireless connectivity, so the device only connects to trusted networks.
  • Keep software updated to mitigate against the latest threats.
  • Back up data in case the device is lost or stolen.
  • Enable "Find my Device" locator services with the ability to remotely wipe data on a lost device.
  • Provide antivirus software.
  • Use Mobile Device Management (MDM) software to enable IT teams to implement security settings and software configurations on all devices that connect to company networks.

Security Policies, Regulations, and Standards
Regulatory and Standards Compliance
• There are also external regulations regarding network security.
• Network security professionals must be familiar with the laws and codes of ethics that are binding on Information Systems Security (INFOSEC) professionals.
• Many organizations are mandated to develop and implement security policies.
• Compliance regulations define what organizations are responsible for providing and the liability if they fail to comply.
• The compliance regulations that an organization is obligated to follow depend on the type of organization and the data that the organization handles.

Module 19: Access Control

CyberOps Associate v1.0


Module Objectives

Module Objective: Explain access control as a method of protecting a network.

Topic Title - Topic Objective
Access Control Concepts - Explain how access control protects network data.
AAA Usage and Operation - Explain how AAA is used to control network access.

19.1 Access Control Concepts

Access Control
Communications Security: CIA
• Information security deals with protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
• CIA Triad
  • The CIA triad consists of three components of information security:
  • Confidentiality - only authorized entities can access information.
  • Integrity - information should be protected from unauthorized alteration.
  • Availability - information must be available to the authorized parties who require it, when they require it.

Access Control
Access Control Models
• Basic access control models include the following:
  • Mandatory access control (MAC) - applies the strictest access control. It assigns security level labels to information and grants users access based on their security level clearance.
  • Discretionary access control (DAC) - allows users to control access to their data as owners of that data.
  • Non-discretionary access control - access is based on roles and responsibilities; also known as role-based access control (RBAC).
  • Attribute-based access control (ABAC) - access is based on attributes of the resource accessed, the user accessing it, and environmental factors, such as time of day.
• Another access control model is the principle of least privilege, which states that users should be granted the minimum amount of access required to perform their work function.
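The four models above differ in who decides and on what the decision is based; the following toy decision engine makes that concrete. It is an added example, not part of the course material, and its levels, roles, permission names and sample requests are constructed.

```python
"""Toy access-control decisions for MAC, DAC, RBAC and ABAC, plus a least-privilege
check. Added illustration; the labels, roles and permissions below are constructed."""
from dataclasses import dataclass, field

# --- Mandatory access control: system-assigned labels, nobody can relax the rule.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

def mac_allows_read(subject_clearance: str, object_label: str) -> bool:
    """A subject may read an object only if its clearance dominates the label
    ("no read up"). Neither the subject nor the data owner can override this."""
    return LEVELS[subject_clearance] >= LEVELS[object_label]

# --- Discretionary access control: the owner of the data decides who gets what.
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of permissions

    def grant(self, granter: str, user: str, perm: str) -> None:
        """Only the owner may extend the ACL; anyone else is refused."""
        if granter != self.owner:
            raise PermissionError(f"{granter} is not the owner of this object")
        self.acl.setdefault(user, set()).add(perm)

    def allows(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.acl.get(user, set())

# --- Role-based (non-discretionary): permissions hang off roles, not individuals.
ROLE_PERMS = {
    "soc_analyst": {"read_alerts", "read_logs"},
    "soc_lead": {"read_alerts", "read_logs", "close_incident"},
    "helpdesk": {"reset_password"},
}

def rbac_allows(user_roles: set, perm: str) -> bool:
    return any(perm in ROLE_PERMS.get(role, set()) for role in user_roles)

# --- Attribute-based: combine subject, resource and environment attributes.
def abac_allows(subject: dict, resource: dict, env: dict) -> bool:
    """Constructed policy: finance records may be read by finance staff, from a
    managed device, during business hours (08:00-18:00). Each clause is an attribute."""
    return (
        resource["classification"] == "finance"
        and subject["department"] == "finance"
        and env["device_managed"]
        and 8 <= env["hour"] < 18
    )

def least_privilege_excess(user_roles: set, needed: set) -> set:
    """Permissions held beyond what the job needs: what least privilege says to remove."""
    held = set().union(*(ROLE_PERMS.get(r, set()) for r in user_roles))
    return held - needed

if __name__ == "__main__":
    print("MAC secret reads confidential:", mac_allows_read("secret", "confidential"))
    print("MAC confidential reads secret:", mac_allows_read("confidential", "secret"))
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", "read")
    print("DAC bob read/write:", doc.allows("bob", "read"), doc.allows("bob", "write"))
    print("RBAC analyst closes incident:", rbac_allows({"soc_analyst"}, "close_incident"))
    print("ABAC after hours:", abac_allows({"department": "finance"},
          {"classification": "finance"}, {"device_managed": True, "hour": 22}))
    print("Excess for a lead who only triages:",
          least_privilege_excess({"soc_lead"}, {"read_alerts"}))
```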

19.2 AAA Usage and Operation

AAA Usage and Operation
AAA Operation
• Authentication, Authorization, and Accounting (AAA) is a scalable system for access control.
  • Authentication - Users and administrators must prove that they are who they say they are. Authentication can be established using username and password combinations, challenge and response questions, token cards, and other methods.
  • Authorization - Determines which resources the user can access and which operations the user is allowed to perform.
  • Accounting - Records what the user does and when they do it, including what is accessed, the amount of time the resource is accessed, and any changes that were made. Accounting keeps track of how network resources are used.

AAA Usage and Operation
AAA Authentication
• AAA authentication can be used to authenticate users for administrative access, or it can be used to authenticate users for remote network access.
• Two common AAA authentication methods include:
  • Local AAA Authentication - known as self-contained authentication. This method authenticates users against locally stored usernames and passwords. Local AAA is ideal for small networks.
  • Server-Based AAA Authentication - This method authenticates against a central AAA server that contains the usernames and passwords for all users. Server-based AAA authentication is appropriate for medium-to-large networks.
• Devices communicate with the centralized AAA server using either the Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System (TACACS+) protocols.

AAA Usage and Operation
AAA Accounting Logs
• Centralized AAA also enables the use of the accounting method. Accounting records from all devices are sent to centralized repositories, enabling simplified auditing of user actions.
• AAA accounting collects and reports usage data in AAA logs. The collected data might include the start and stop connection times, executed commands, number of packets, and number of bytes.
• Accounting provides more security than just authentication.
• AAA servers keep a detailed log of exactly what the authenticated user does on the device.

AAA Usage and Operation
AAA Accounting Logs
• The various types of accounting information that can be collected include:
  • Network Accounting - captures information such as packet and byte counts.
  • Connection Accounting - captures information about all outbound connections.
  • EXEC Accounting - captures information about user shells, including username, date, start and stop times, and the access server IP address.
  • System Accounting - captures information about all system-level events (system reboot, accounting being turned on and off, and so on).
  • Command Accounting - captures information about executed shell commands.
  • Resource Accounting - captures "start" and "stop" record support for calls that have passed user authentication.

Module 20: Threat Intelligence

CyberOps Associate v1.0


Module Objectives

Module Objective: Use various intelligence sources to locate current security threats.

Topic Title - Topic Objective
Information Sources - Describe information sources used to communicate emerging network security threats.
Threat Intelligence Services - Describe various threat intelligence services.

20.1 Information Sources

Threat Intelligence
Network Intelligence Communities
• Threat intelligence organizations such as CERT, SANS, and MITRE offer detailed threat information that is vital to cybersecurity practices.
• To remain effective, a network security professional must:
  • Keep abreast of the latest threats - This includes subscribing to real-time feeds regarding threats, routinely perusing security-related websites, following security blogs and podcasts, and more.
  • Continue to upgrade skills - This includes attending security-related training, workshops, and conferences.

Threat Intelligence
Cisco Cybersecurity Reports
• Resources that help security professionals stay abreast of the latest threats are the Cisco Annual Cybersecurity Report and the Mid-Year Cybersecurity Report.
• These reports provide an update on the state of security preparedness, expert analysis of top vulnerabilities, factors behind the explosion of attacks using adware, spam, and so on.
• Cybersecurity analysts should subscribe to and read these reports to learn how threat actors are targeting their networks, and what action can be taken to mitigate these attacks.

Threat Intelligence
Security Blogs and Podcasts
• Security blogs and podcasts help cybersecurity professionals understand and mitigate emerging threats.
• There are several security blogs and podcasts available that a cybersecurity analyst should follow to learn about the latest threats, vulnerabilities, and exploits.
• Cisco provides a downloadable podcast and a blog from the Cisco Talos group.

20.2 Threat Intelligence Services

Threat Intelligence Services
Cisco Talos
• Talos is one of the largest commercial threat intelligence teams in the world, and comprises world-class researchers, analysts, and engineers.
• The goal is to help protect enterprise users, data, and infrastructure from active adversaries.
• The team collects information about active, existing, and emerging threats, and then provides comprehensive protection against these attacks and malware to its subscribers.
• Cisco Security products can use Talos threat intelligence in real time to provide fast and effective security solutions.
• Cisco Talos also provides free software, services, resources, and data, and maintains the security incident detection rule sets for the Snort.org, ClamAV, and SpamCop network security tools.
Threat Intelligence Services
FireEye
• FireEye is another security company that offers services to help enterprises secure their networks.
• FireEye offers emerging threat information and threat intelligence reports.
• The FireEye Security System blocks attacks across web and email threat vectors, and latent malware that resides on file shares.
• It can block advanced malware that easily bypasses traditional signature-based defenses and compromises the majority of enterprise networks.
• It addresses all stages of an attack lifecycle with a signature-less engine utilizing stateful attack analysis to detect zero-day threats.

Threat Intelligence Services
Automated Indicator Sharing
• Automated Indicator Sharing (AIS) is a program that allows the U.S. Federal Government and the private sector to share threat indicators (e.g., malicious IP addresses, the sender address of a phishing email, etc.).
• AIS creates an ecosystem where, as soon as a threat is recognized, it is immediately shared with the community.

Threat Intelligence Services
Common Vulnerabilities and Exposures (CVE) Database
• The United States government sponsored the MITRE Corporation to create and maintain a catalog of known security threats called Common Vulnerabilities and Exposures (CVE).
• The CVE serves as a dictionary of CVE Identifiers for publicly known cybersecurity vulnerabilities.
• The MITRE Corporation defines unique CVE Identifiers for publicly known information-security vulnerabilities to make it easier to share data.

Threat Intelligence Services
Threat Intelligence Communication Standards
Three common threat intelligence sharing standards include the following:
• Structured Threat Information Expression (STIX) - This is a set of specifications for exchanging cyber threat information between organizations.
• Trusted Automated Exchange of Indicator Information (TAXII) - This is the specification for an application layer protocol that allows the communication of cyber threat intelligence (CTI) over HTTPS. TAXII is designed to support STIX.
• CybOX - This is a set of standardized schemas for specifying, capturing, characterizing, and communicating events and properties of network operations that supports many cybersecurity functions.
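To show what a shared indicator looks like in STIX form (the kind of object AIS or a TAXII server would carry), the following added example builds and sanity-checks a minimal STIX 2.1 Indicator bundle. It is not part of the course material; the IP address, sender address and timestamp are constructed sample values, and the checks are a small subset of the specification, written with the standard library rather than a STIX library.

```python
"""Build and sanity-check a minimal STIX 2.1 Indicator bundle.
Added example; all indicator values below are constructed samples."""
import json
import re
import uuid
from datetime import datetime, timezone

STIX_TIME = "%Y-%m-%dT%H:%M:%S.000Z"   # RFC 3339 UTC with millisecond precision

def stix_timestamp(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).strftime(STIX_TIME)

def make_indicator(pattern: str, name: str, valid_from: datetime) -> dict:
    """Return a STIX 2.1 Indicator SDO. 'pattern' is written in the STIX
    patterning language, which in STIX 2 replaced separate CybOX observables."""
    ts = stix_timestamp(valid_from)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
    }

def make_bundle(objects: list) -> dict:
    """A Bundle is the container TAXII moves between producer and consumer."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

REQUIRED = ("type", "spec_version", "id", "created", "modified",
            "pattern", "pattern_type", "valid_from")
INDICATOR_ID = re.compile(r"^indicator--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")

def validate_indicator(obj: dict) -> list:
    """Basic consumer-side checks; returns a list of problems (empty means OK)."""
    problems = [f"missing required property '{k}'" for k in REQUIRED if k not in obj]
    if obj.get("type") != "indicator":
        problems.append("type must be 'indicator'")
    if obj.get("spec_version") != "2.1":
        problems.append("spec_version must be '2.1'")
    if not INDICATOR_ID.match(str(obj.get("id", ""))):
        problems.append("id must be 'indicator--<uuid>'")
    for key in ("created", "modified", "valid_from"):
        if key in obj and not TIMESTAMP.match(str(obj[key])):
            problems.append(f"{key} is not an RFC 3339 UTC timestamp")
    if obj.get("pattern_type") == "stix" and not re.fullmatch(r"\[.+\]", str(obj.get("pattern", ""))):
        problems.append("a 'stix' pattern must be a comparison expression in [ ]")
    return problems

def serialize(bundle: dict) -> str:
    """JSON as it would be posted to a TAXII collection."""
    return json.dumps(bundle, indent=2, sort_keys=True)

def sample_bundle() -> dict:
    when = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)          # constructed
    ip_ioc = make_indicator("[ipv4-addr:value = '203.0.113.45']",      # TEST-NET-3
                            "Constructed sample: malicious IP address", when)
    mail_ioc = make_indicator("[email-message:from_ref.value = 'invoice@example.net']",
                              "Constructed sample: phishing sender address", when)
    return make_bundle([ip_ioc, mail_ioc])

if __name__ == "__main__":
    bundle = sample_bundle()
    print(serialize(bundle))
    for obj in bundle["objects"]:
        print(obj["name"], "->", validate_indicator(obj) or "valid")
```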

Threat Intelligence Services
Threat Intelligence Communication Standards
• The Malware Information Sharing Platform (MISP) is an open source platform for sharing IOCs for newly discovered threats.
• MISP is supported by the European Union and is used by over 6,000 organizations globally.
• MISP enables automated sharing of IOCs between people and machines by using STIX and other export formats.

Threat Intelligence Services
Threat Intelligence Platforms
• A Threat Intelligence Platform (TIP) centralizes the collection of threat data from numerous data sources and formats.
• Types of threat intelligence data:
  • Indicators of Compromise (IOC)
  • Tools, Techniques, and Procedures (TTP)
  • Reputation information about internet destinations or domains
• Organizations can contribute to threat intelligence by sharing their intrusion data over the internet, typically through automation.
• Honeypots are simulated networks or servers that are designed to attract attackers. The attack-related information gathered from honeypots can be shared with threat intelligence platform subscribers.

Module 21: Cryptography

CyberOps Associate v1.0


Module Objectives

Module Objective: Explain how the public key infrastructure (PKI) supports network security.

Topic Title - Topic Objective
Integrity and Authenticity - Explain the role of cryptography in ensuring the integrity and authenticity of data.
Confidentiality - Explain how cryptographic approaches enhance data confidentiality.
Public Key Cryptography - Explain public key cryptography.
Authorities and the PKI Trust System - Explain how the public key infrastructure functions.
Applications and Impacts of Cryptography - Explain how the use of cryptography affects cybersecurity operations.

21.1 Integrity and Authenticity

Cryptography
Securing Communications
• Organizations must provide support to secure the data internally as well as externally.
• The four elements of securing communications are:
  • Data Integrity - Guarantees that the message was not altered.
  • Origin Authentication - Guarantees that the message is not a forgery and actually comes from whom it states.
  • Data Confidentiality - Guarantees that only authorized users can read the message.
  • Data Non-Repudiation - Guarantees that the sender cannot repudiate, or refute, the validity of a message sent.

Cryptography
Cryptographic Hash Functions
• Hashes are used to verify and ensure data integrity.
• A hash function takes a variable-length block of binary data, called the message, and produces a fixed-length, condensed representation, called the hash.
• The resulting hash is also sometimes called the message digest, digest, or digital fingerprint.
• Every time the data is changed or altered, the hash value also changes.
• A cryptographic hash function should have the following properties:
  • The input can be any length.
  • The output has a fixed length.
  • H(x) is relatively easy to compute for any given x.
  • H(x) is one-way and not reversible.
  • H(x) is collision-free, meaning that two different input values will result in different hash values.
Cryptography
MD5 and SHA
• Hash functions are used to detect whether a message has been altered, either accidentally or intentionally.
• In the figure, the sender is sending a $100 money transfer to Alex. The sender wants to ensure that the message is not altered on its way to the receiver.

There are four well-known hash functions:
• MD5 with 128-bit digest - A one-way function that produces a 128-bit hashed message. MD5 is a legacy algorithm.
• SHA-1 - Very similar to the MD5 hash functions. SHA-1 creates a 160-bit hashed message and is slightly slower than MD5.
• SHA-2 - If you are using SHA-2, then the SHA-256, SHA-384, and SHA-512 algorithms should be used.
• SHA-3 - Next-generation algorithms that should be used whenever possible.


Cryptography
MD5 and SHA
• While hashing can be used to detect accidental changes, it cannot be used to guard against deliberate changes.
• When the message traverses the network, a potential attacker could intercept the message, change it, recalculate the hash, and append it to the message.
• The receiving device will only validate against whatever hash is appended.
• Hashing is vulnerable to man-in-the-middle attacks and does not provide security to transmitted data. To provide integrity and origin authentication, something more is required.

Cryptography
Origin Authentication
Hash Message Authentication Code
• To add authentication to integrity assurance, a keyed-hash message authentication code (HMAC) (also sometimes abbreviated as KHMAC) is used.
• To add authentication, HMAC uses an additional secret key as input to the hash function.
• Only the sender and the receiver know the secret key, and the output of the hash function now depends on the input data and the secret key.
• Only parties who have access to that secret key can compute the digest of an HMAC function.
• If the digest that is calculated by the receiving device is equal to the digest that was sent, the message has not been altered.
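The following added example runs the $100-to-Alex scenario from the hash slides above through both a plain SHA-256 digest and an HMAC-SHA256 tag, showing why the first catches accidental corruption but not a rewrite, while the second rejects anything produced without the key. It is not part of the course material; the message, the altered message and the shared key are constructed.

```python
"""Plain hash versus HMAC for message integrity. Added example; the messages and
the shared key are constructed sample values."""
import hashlib
import hmac

# Constructed key; in practice it is provisioned out of band to sender and receiver.
SHARED_KEY = b"k3y-known-only-to-sender-and-receiver"

def digest(message: bytes) -> str:
    """Plain SHA-256: 64 hex characters (256 bits) regardless of input length."""
    return hashlib.sha256(message).hexdigest()

def tag(message: bytes, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256: the output depends on the message *and* the secret key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify(expected: str, received: str) -> bool:
    """Constant-time comparison so the check does not leak the value via timing."""
    return hmac.compare_digest(expected, received)

def hash_only_receiver_accepts(received_msg: bytes, received_digest: str) -> bool:
    """Receiver with no key: it can only recompute the digest over what arrived."""
    return verify(digest(received_msg), received_digest)

def hmac_receiver_accepts(received_msg: bytes, received_tag: str) -> bool:
    """Receiver holding SHARED_KEY recomputes the tag and compares."""
    return verify(tag(received_msg), received_tag)

def fixed_length_property() -> bool:
    """Any input length gives the same 64-hex-character digest."""
    return len(digest(b"")) == len(digest(b"x" * 100_000)) == 64

def scenario() -> dict:
    original = b"Transfer $100 to Alex"
    altered = b"Transfer $1000 to Alex"      # the text an on-path party substitutes
    # Hash only, accidental corruption: a single flipped bit changes the digest,
    # so the appended digest no longer matches and the receiver rejects it.
    corrupted = bytearray(original)
    corrupted[10] ^= 0x01
    accidental_caught = not hash_only_receiver_accepts(bytes(corrupted), digest(original))
    # Hash only, deliberate change: the digest needs no secret, so whoever rewrites
    # the message also recomputes it, and the receiver has nothing to catch.
    deliberate_caught = not hash_only_receiver_accepts(altered, digest(altered))
    # HMAC: without SHARED_KEY the only thing that can be attached to the altered
    # message is an unkeyed digest, which does not verify. The genuine tag does.
    forged_caught = not hmac_receiver_accepts(altered, digest(altered))
    genuine_accepted = hmac_receiver_accepts(original, tag(original))
    return {
        "hash_catches_accidental_change": accidental_caught,   # True
        "hash_catches_deliberate_change": deliberate_caught,   # False
        "hmac_catches_deliberate_change": forged_caught,       # True
        "hmac_accepts_genuine_message": genuine_accepted,      # True
    }

if __name__ == "__main__":
    print("fixed-length output:", fixed_length_property())
    for check, result in scenario().items():
        print(f"{check}: {result}")
```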
21.2 Confidentiality

Confidentiality
Data Confidentiality
• There are two classes of encryption used to provide data confidentiality: asymmetric and symmetric. These two classes differ in how they use keys.
• Symmetric encryption algorithms such as Data Encryption Standard (DES), 3DES, and Advanced Encryption Standard (AES) are based on the premise that each communicating party knows the pre-shared key.
• Data confidentiality can also be ensured using asymmetric algorithms, including Rivest, Shamir, and Adleman (RSA) and the public key infrastructure (PKI).
• The figure highlights some differences between symmetric and asymmetric encryption.

Confidentiality
Symmetric Encryption
• Symmetric algorithms use the same pre-shared key to encrypt and decrypt data.
• Symmetric algorithms use less CPU than asymmetric encryption algorithms.
• When using symmetric encryption algorithms, like any other type of encryption, the longer the key, the longer it will take for someone to discover the key.

Confidentiality
Symmetric Encryption
Block Ciphers
• Block ciphers transform a fixed-length block of plaintext into a common block of ciphertext of 64 or 128 bits.
• Common block ciphers include DES with a 64-bit block size and AES with a 128-bit block size.

Confidentiality
Symmetric Encryption
Stream Ciphers
• Stream ciphers encrypt plaintext one byte or one bit at a time.
• Stream ciphers are basically a block cipher with a block size of one byte or bit.
• Stream ciphers are typically faster than block ciphers because data is continuously encrypted.
• Examples include RC4 and A5, which is used to encrypt GSM cell phone communications.

Confidentiality
Symmetric Encryption
Well-known symmetric encryption algorithms are described in the table.

Symmetric Encryption Algorithm - Description
Data Encryption Standard (DES) - This is a legacy algorithm. It uses a short key length that makes it insecure.
3DES (Triple DES) - This is the replacement for DES and repeats the DES algorithm three times. It should be avoided as it is scheduled to be retired in 2023. If implemented, use very short key lifetimes.
Advanced Encryption Standard (AES) - It offers combinations of 128-, 192-, or 256-bit keys to encrypt 128, 192, or 256 bit-long data blocks.
Software-Optimized Encryption Algorithm (SEAL) - It is a stream cipher that uses a 160-bit encryption key and has a lower impact on the CPU compared to other software-based algorithms.
Rivest ciphers (RC) series algorithms - RC4 is a stream cipher that was used to secure web traffic. It has been found to have multiple vulnerabilities which have made it insecure. RC4 should not be used.

Confidentiality
Asymmetric Encryption
• Asymmetric algorithms, also called public-key algorithms, are designed so that the key that is
used for encryption is different from the key that is used for decryption.
• The decryption key cannot, in any reasonable amount of time, be calculated from the
encryption key and vice versa.
• Asymmetric algorithms use a public key and a private key.
• Both keys are capable of the encryption process, but the complementary paired key is
required for decryption.

Confidentiality
Asymmetric Encryption
Common examples of asymmetric encryption algorithms are described in the table.
Asymmetric Encryption Algorithms - Key Length - Description
Diffie-Hellman (DH) - 512, 1024, 2048, 3072, 4096 - This algorithm allows two parties to agree on a key that they can use to encrypt messages they want to send to each other. The security depends on the assumption that it is easy to raise a number to a certain power, but difficult to compute which power was used, given the number and the outcome.
Digital Signature Standard (DSS) and Digital Signature Algorithm (DSA) - 512 – 1024 - It specifies DSA as the algorithm for digital signatures. DSA is a public key algorithm based on the ElGamal signature scheme. Signature creation speed is similar to RSA, but is 10 to 40 times slower for verification.
Elliptic curve techniques - 224 or higher - Elliptic curve cryptography can be used to adapt many cryptographic algorithms, such as Diffie-Hellman or ElGamal. The main advantage of elliptic curve cryptography is that the keys can be much smaller.

Confidentiality
Asymmetric Encryption - Confidentiality
• Asymmetric algorithms are used to provide confidentiality without pre-sharing a password.
• The confidentiality objective of asymmetric algorithms is initiated when the encryption
process is started with the public key.
• The process can be summarized using the formula: Public Key (Encrypt) + Private
Key (Decrypt) = Confidentiality
• When the public key is used to encrypt data, the private key must be used to decrypt data.
• Only one host has the private key; therefore, confidentiality is achieved.
Example: Data exchange between Bob and Alice
Alice acquires and uses Bob’s public key to encrypt a message and then sends it to Bob.
Bob decrypts the message with the private key and, as he is the only one with the private key,
confidentiality is achieved.
Confidentiality
Asymmetric Encryption - Authentication
• The authentication objective of asymmetric algorithms is initiated with the private key
encryption process.
• The process can be summarized using the formula: Private Key (Encrypt) + Public Key
(Decrypt) = Authentication
• When the private key is used to encrypt the data, the corresponding public key must be
used to decrypt the data.
• Because only one host has the private key, only that host could have encrypted the
message, providing authentication of the sender.
• When a host successfully decrypts a message using a public key, it is trusted that the
private key encrypted the message, which verifies who the sender is. This is a form of
authentication.

Confidentiality
Asymmetric Encryption - Authentication
• Let's see how the private and public keys can be used to provide authentication to the data
exchange between Bob and Alice.
Alice uses her private key: Alice encrypts a message using her private key and sends it to Bob.
Bob decrypts using the public key: After Bob obtains Alice’s public key, he uses it to decrypt
the message and to authenticate that the message has been received from Alice.

Confidentiality
Asymmetric Encryption - Integrity
• Combining the two asymmetric encryption processes provides message confidentiality,
authentication, and integrity. In this example, a message will be ciphered using Bob’s public
key and a ciphered hash will be encrypted using Alice’s private key.

The figure shows the four steps: Alice uses Bob’s public key; Alice encrypts a hash using her
private key; Bob uses Alice’s public key to decrypt the hash; Bob uses his private key to
decrypt the message.
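The combined exchange above, as an added Go example that is not part of the course material: Alice encrypts the message with Bob’s public key (RSA-OAEP) and signs its SHA-256 hash with her private key (RSA-PSS, the modern form of "encrypt with the private key"); Bob decrypts with his private key and verifies the hash with Alice’s public key. The 2048-bit key size, the Envelope type and the function names are assumptions made for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what Alice sends to Bob: the message ciphered with Bob's
// public key, plus a signature over the message hash made with Alice's
// private key. The struct is constructed for this example, not a standard format.
type Envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// newParty gives Alice or Bob a fresh RSA key pair (2048 bits assumed here).
func newParty() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// sealMessage is Alice's side of the combined process on the slide.
func sealMessage(msg []byte, bobPub *rsa.PublicKey, alicePriv *rsa.PrivateKey) (*Envelope, error) {
	// Confidentiality: Bob's public key encrypts, so only Bob's private key can decrypt.
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bobPub, msg, nil)
	if err != nil {
		return nil, err
	}
	// Authentication and integrity: hash the message, then sign the hash with
	// Alice's private key.
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, alicePriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, Signature: sig}, nil
}

// openMessage is Bob's side: decrypt with his private key, recompute the hash,
// and check the signature with Alice's public key. Any change to the message
// or signature, or a signer other than Alice, makes the check fail.
func openMessage(env *Envelope, bobPriv *rsa.PrivateKey, alicePub *rsa.PublicKey) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, bobPriv, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(alicePub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	return msg, nil
}
```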
21.3 Public Key Cryptography

Public Key Cryptography
Using Digital Signatures
• Digital signatures are a mathematical technique used to provide authenticity, integrity, and
nonrepudiation.
• Digital signatures use asymmetric cryptography.
• Digital signatures are commonly used in the following two situations:
• Code signing - Code signing is used to verify the integrity of executable files downloaded
from a vendor website. It also uses signed digital certificates to authenticate and verify the
identity of the site that is the source of the files.
• Digital certificates - These are used to authenticate the identity of a system with a vendor
website and establish an encrypted connection to exchange confidential data.
• The Digital Signature Standard (DSS) algorithms used for generating and verifying digital
signatures are:
• Digital Signature Algorithm (DSA)
• Rivest-Shamir Adelman Algorithm (RSA)
• Elliptic Curve Digital Signature Algorithm (ECDSA)
Public Key Cryptography
Digital Signatures for Code Signing
• Digital signatures are commonly used to provide assurance of the authenticity and integrity of
software code.
• Executable files are wrapped in a digitally signed envelope, which allows the end user to
verify the signature before installing the software.
• Digitally signing code provides several assurances about the code:
• The code is authentic and is actually sourced by the publisher.
• The code has not been modified since it left the software publisher.
• The publisher undeniably published the code. This provides nonrepudiation of the act of
publishing.

Public Key Cryptography
Digital Signatures for Digital Certificates
• A digital certificate is equivalent to an electronic
passport. They enable users, hosts, and
organizations to securely exchange information
over the Internet.
• Specifically, a digital certificate is used to
authenticate and verify that users sending a
message are who they claim to be.
• Digital certificates can also be used to provide
confidentiality for the receiver with the means to
encrypt a reply.

21.4 Authorities and the PKI
Trust System

Authorities and the PKI Trust System
Public Key Management
• When establishing an asymmetric connection
between two hosts, the hosts will exchange their
public key information.
• Trusted third parties on the Internet validate the
authenticity of these public keys using digital
certificates.
• From that point forward, all individuals who trust the
third party simply accept the credentials that the third
party issues.
Authorities and the PKI Trust System
Public Key Management
• The Public Key Infrastructure (PKI) is an example of a
trusted third-party system referred to as certificate
authority (CA).
• The CA issues digital certificates that authenticate the
identity of organizations and users.
• These certificates are also used to sign messages to
ensure that the messages have not been tampered
with.
Authorities and the PKI Trust System
The Public Key Infrastructure
• PKI is needed to support
large-scale distribution and
identification of public
encryption keys.
• The PKI framework facilitates
a highly scalable trust
relationship.
• It consists of the hardware,
software, people, policies,
and procedures needed to
create, manage, store,
distribute, and revoke digital
certificates.
• The figure shows the main
elements of the PKI.
Authorities and the PKI Trust System
The PKI Authorities System
• Many vendors provide CA servers as a managed service or as an end-user product.
• Organizations may also implement private PKIs using Microsoft Server or OpenSSL.
• CAs issue certificates based on classes which determine how trusted a certificate is.
• The class number is determined by how rigorous the procedure was that verified the
identity of the holder when the certificate was issued.
• The higher the class number, the more trusted the certificate.
• Some CA public keys are preloaded, such as those listed in web browsers.
Class - Description
0 - Used for testing in situations in which no checks have been performed.
1 - Used by individuals who require verification of email.
2 - Used by organizations for which proof of identity is required.
3 - Used for servers and software signing.
4 - Used for online business transactions between companies.
5 - Used for private organizations or government security.
Note: An enterprise can also implement PKI for internal use. PKI can be used to
authenticate employees who are accessing the network. In this case, the enterprise is its
own CA.
Authorities and the PKI Trust System
The PKI Trust System
• PKIs can form different topologies of trust which are as follows:
• Single-Root PKI Topology: The simplest is the single-root PKI topology. The root CA issues
all the certificates to the end users within the same organization. On larger networks, PKI
CAs may be linked using two basic architectures:
• Cross-certified CA topologies: A peer-to-peer model in which individual CAs establish
trust relationships with other CAs by cross-certifying CA certificates.
• Hierarchical CA topologies: The root CA (highest level CA), can issue certificates to end
users and to a subordinate CA.

Figures: Single-Root PKI Topology, Cross-certified CA Topologies, Hierarchical CA Topologies
Authorities and the PKI Trust System
Interoperability of Different PKI Vendors
• Interoperability between a PKI and its
supporting services is a concern because
many CA vendors have proposed and
implemented proprietary solutions.
• To address this interoperability concern, the
IETF published the Internet X.509 Public
Key Infrastructure Certificate Policy and
Certification Practices Framework (RFC
2527).
• The X.509 version 3 (X.509 v3) standard
defines the format of a digital certificate.
Note: LDAP and X.500 are protocols that are
used to query a directory service, such as
Microsoft Active Directory, to verify a username
and password.
X.509v3 Applications
Authorities and the PKI Trust System
Certificate Enrollment, Authentication and Revocation
• All systems that leverage the PKI must have the CA’s public key, called the self-signed
certificate. Only a root CA can issue a self-signed certificate.
• The CA public key verifies all the certificates issued by the CA and is vital for the proper
operation of the PKI.
• Certificates must sometimes be revoked. For example, a digital certificate can be revoked if its
key is compromised or if it is no longer needed.
• Here are two of the most common methods of revocation:
• Certificate Revocation List (CRL) - A list of revoked certificate serial numbers that have been
invalidated because they expired. PKI entities regularly poll the CRL repository to receive the
current CRL.
• Online Certificate Status Protocol (OCSP) - An Internet protocol used to query an OCSP server
for the revocation status of an X.509 digital certificate. Revocation information is immediately
pushed to an online database.

21.5 Applications and Impacts
of Cryptography

Applications and Impacts of Cryptography
PKI Applications
The following provides a short list of common uses of PKIs:
• SSL/TLS certificate-based peer authentication
• Secure network traffic using IPsec VPNs
• HTTPS Web traffic
• Control access to the network using 802.1x authentication
• Secure email using the S/MIME protocol
• Secure instant messaging
• Approve and authorize applications with Code Signing
• Protect user data with the Encryption File System (EFS)
• Implement two-factor authentication with smart cards
• Securing USB storage devices

Applications and Impacts of Cryptography
Encrypted Network Transactions
• Threat actors can use SSL/TLS to introduce
regulatory compliance violations, viruses, malware,
data loss, and intrusion attempts in a network.
• Other SSL/TLS-related issues may be associated with
validating the certificate of a web server. When this
occurs, the web browsers will display a security
warning. PKI-related issues associated with security
warnings include:
• Validity date range - The X.509v3 certificates
specify “not before” and “not after” dates. If the
current date is outside the range, the web browser
displays a message.
• Signature validation error - If a browser cannot validate
the signature on the certificate, there is no assurance that
the public key in the certificate is authentic.
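To show the two warning causes above in code, here is an added Go example (not part of the course) that builds a constructed root CA and a server certificate it signs (a hierarchical CA topology), then verifies the server certificate the way a browser would; the CA name, hostname and validity periods are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate for cn that is valid for validFor from now: a
// self-signed root CA when parent is nil, otherwise one signed by parent
// (hierarchical CA topology). Names passed to it are constructed for the example.
func issue(cn string, validFor time.Duration, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(now.UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now,               // X.509v3 "not before"
		NotAfter:              now.Add(validFor), // X.509v3 "not after"
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only a CA may sign certificates
	} else {
		tmpl.DNSNames, signer, signerKey = []string{cn}, parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// checkServerCert does what a browser does with a web server's certificate:
// chain it to the trusted root for host as of time now. nil means trusted;
// x509.CertificateInvalidError with Reason x509.Expired means now is outside
// the validity range; x509.UnknownAuthorityError is a signature validation error.
func checkServerCert(leaf, root *x509.Certificate, host string, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: now})
	return err
}
```

Checking at a time after the "not after" date returns the validity date range error, and checking against a root that did not sign the certificate returns the signature validation error, which is the same distinction the browser warnings above make.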
Applications and Impacts of Cryptography
Encryption and Security Monitoring
• Network monitoring becomes more challenging when packets are encrypted.

• As HTTPS introduces end-to-end encrypted HTTP traffic (via TLS/SSL), it is not as easy to
peek into user traffic.
• Security analysts must know how to circumvent and solve these issues. Here is a list of some
of the things that a security analyst could do:
• Configure rules to distinguish between SSL and non-SSL traffic, HTTPS and non-HTTPS
SSL traffic.
• Enhance security through server certificate validation using CRLs and OCSP.
• Implement antimalware protection and URL filtering of HTTPS content.
• Deploy a Cisco SSL Appliance to decrypt SSL traffic and send it to intrusion prevention
system (IPS) appliances to identify risks normally hidden by SSL.

Applications and Impacts of Cryptography
Encryption and Security Monitoring
• Cryptography is dynamic and always changing. A security analyst must maintain a good
understanding of cryptographic algorithms and operations to be able to investigate
cryptography-related security incidents.
• There are two main ways in which cryptography impacts security investigations.

• First, attacks can be directed to specifically target the encryption algorithms themselves.

• After the algorithm has been cracked and the attacker has obtained the keys, any encrypted
data that has been captured can be decrypted by the attacker and read, thus exposing
private data.
• Secondly, the security investigation is also affected because data can be hidden in plain sight
by encrypting it.

Labs

CyberOps Associate v1.0


21.1.6 Lab - Hashing Things Out

21.2.10 Lab - Encrypting and Decrypting Data Using OpenSSL

21.2.11 Lab - Encrypting and Decrypting Data Using a Hacker Tool
