Network

The document discusses modern network security threats and describes how networks are routinely under attack from various threat vectors. It explains common network security terms like threats, vulnerabilities, and risk, and how mitigation actions can help reduce vulnerabilities. Additionally, it covers different types of networks that need protection like campus networks, home networks, data centers, cloud environments, and mobile devices.

Uploaded by

saadalsamed2020

Chapter 1:

Modern Network Security Threats

CCNA Security v2.0


Sadeq Alsoufi
1.0 Introduction
1.1 Securing Networks
1.2 Network Threats
1.3 Mitigating Threats
1.4 Summary

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Upon completion of this section, you should be able to:
• Describe the current network security landscape.

• Explain how all types of networks need to be protected.

Networks are routinely under attack.

Norse Dark is a company that maintains an interactive display of current network attacks on honeypot servers, to help convey the gravity of the situation.

Common network security terms:
• Threat: the potential for a vulnerability to turn into a network attack.

• Vulnerability: a weakness or flaw in the network.

• Mitigation: an action that reduces the severity of a vulnerability.

• Risk: the potential for a threat to exploit a vulnerability.


Cisco Security Intelligence Operations

An attack vector is a path or other means by which an attacker can gain access to a server.

An attack vector is defined as the technique by means of which unauthorized access can be gained to a device or a network by hackers for nefarious purposes.

Many attack vectors originate from outside the corporate network, and many from inside the network.

Internal threats can cause greater damage than external threats because internal users have direct access to the network.

Network security professionals must implement tools and apply techniques for mitigating both external and internal threats.

Data is likely to be an organization’s most valuable asset: research and development data, sales data, financial data, legal data, and so on.

Network security professionals must protect the organization’s data.

Data loss or data exfiltration is when data is intentionally or unintentionally lost, stolen, or leaked to the outside world. Various Data Loss Prevention (DLP) controls must be implemented.

Vectors of data loss:

- Email/webmail (and instant messaging)
- Unencrypted devices (data is stored on the device without encryption)
- Cloud storage devices (access is compromised)
- Removable media
- Hard copy
- Improper access control (stolen or weak passwords)

All networks are targets.

Campus Area Networks consist of interconnected LANs within a limited geographic area.

Network professionals must implement various network security techniques to protect the organization’s assets from outside and inside threats.

Connections to untrusted networks must be checked in depth by multiple layers of defense before reaching enterprise resources.

It is important that all types of networks, regardless of size, are protected.

An attacker may want to use someone's Internet connection for free, use the Internet connection for illegal activity, or view financial transactions, such as online purchases.

Home networks and SOHOs are typically protected using a consumer-grade router, such as a Linksys home wireless router.

These routers provide basic security features that adequately protect inside assets from outside attackers.

Organizations must ensure secure transport for data in motion as it travels between sites.

The main site is protected by an Adaptive Security Appliance (ASA), which provides stateful firewall features and establishes secure Virtual Private Network (VPN) tunnels to various destinations.

Data center networks are typically housed in an off-site facility to store sensitive or proprietary data. These sites are interconnected to corporate sites using VPN technology with ASA devices and integrated data center switches.

Today’s data centers store vast quantities of sensitive, business-critical information; therefore, physical security is critical to their operation. Physical security not only protects access to the premises but also protects people and equipment.

Data center physical security can be divided into two areas:

Outside perimeter security:

• On-premise security officers

• Fences and gates

• Continuous video surveillance

• Security breach alarms

Inside perimeter security:

• Electronic motion detectors

• Security traps

• Continuous video surveillance

• Biometric access and exit sensors

Virtualization is the foundation of Cloud computing. Without it, Cloud computing, as it is most widely implemented, would not be possible.
Cloud computing separates the application from the hardware. Virtualization separates the OS from the hardware.
Cloud computing allows organizations to use services such as data storage or Cloud-based applications to extend their capacity or capabilities without adding infrastructure.
The actual Cloud network consists of physical and virtual servers, which are commonly housed in data centers.

Components of a secure data center:
• Secure segmentation
• Threat defense
• Visibility

VM-specific threats:
• Hyperjacking
• Instant On activation
• Antivirus storm

In the past, employees and data resources remained within a predefined perimeter that was protected by a firewall, but today there is BYOD, so Cisco developed the Borderless Network.
MDM features secure, monitor, and manage mobile devices, including corporate-owned devices and employee-owned devices.
Critical MDM (mobile device management) functions for a BYOD network:

• Data encryption
• PIN enforcement (PIN lock)
• Data wipe (data cleared remotely by MDM)
• Data loss prevention
• Jailbreak/root detection

Upon completion of the section, you should be able to:
• Describe the evolution of network security.

• Describe the various types of attack tools used by hackers.

• Describe malware.

• Explain common network attacks.

The term “hacker” has a variety of meanings:

- A clever programmer.

- A network professional that uses sophisticated programming skills to ensure that networks are not vulnerable to attack.

- A person who tries to gain unauthorized access to devices on the Internet.

- Individuals who run programs to prevent or slow network access to a large number of users, or corrupt or wipe out data on servers.

White Hat:
• A white-hat hacker who finds a security vulnerability would disclose it to the developer, allowing them to patch their product and improve its security before it’s compromised. Various organizations pay “bounties” or award prizes for revealing such vulnerabilities.

• They’re the “ethical hackers,” experts in compromising computer security systems who use their abilities for good, ethical, and legal purposes rather than bad, unethical, and criminal purposes.

Black Hat:
• A black-hat hacker who finds a new zero-day security vulnerability would sell it to criminal organizations on the black market or use it to compromise computer systems.

• They violate computer security for personal gain (such as stealing credit card numbers or harvesting personal data for sale to identity thieves) or for pure maliciousness (such as creating a botnet and using that botnet to perform DDoS attacks against websites they don’t like).

Grey Hat:
• Grey hat hackers are a blend of both black hat and white hat activities. Often, grey hat hackers will look
for vulnerabilities in a system without the owner’s permission or knowledge. If issues are found, they will
report them to the owner, sometimes requesting a small fee to fix the issue. If the owner does not respond or
comply, then sometimes the hackers will post the newly found exploit online for the world to see.

• These types of hackers are not inherently malicious with their intentions; they’re just looking to get something
out of their discoveries for themselves.

• This type of hacking is still considered illegal because the hacker did not receive permission from the owner
prior to attempting to attack the system.

• Hacking started in the 1960s with phone freaking, or phreaking, which refers to using various audio frequencies to manipulate phone systems.

• In the mid-1980s, computer dial-up modems were used to connect computers to networks. Hackers wrote “war dialing” programs which dialed each telephone number in a given area in search of computers; password-cracking programs were then used to gain access.

Modern hacking titles:

• Script kiddies: unskilled individuals who use scripts or programs developed by others to attack computer systems and networks and deface websites.

• Vulnerability brokers

• Hacktivists: a person who breaks into a computer system in order to pursue a political or social aim. One hacktivist group is WikiLeaks. It is hacking for attention.

• Cyber criminals: black hat hackers with the motive to make money using any means necessary. They operate in an underground economy where they buy, sell, and trade attack toolkits, zero-day exploit code, botnet services, banking Trojans, keyloggers, and much more.

• State-sponsored hackers: the newest type of hacker. These are government-funded and guided attackers, ordered to launch operations that vary from cyber espionage to intellectual property theft. Many countries sponsor these hackers but very few will publicly admit they exist.
Ethical hacking involves many different types of tools to test and keep the network and its data secure.
To validate the security of a network and its systems, many network penetration testing tools have been developed. However, many of these tools can also be used by black hat hackers for exploitation.

Penetration testing tools:

• Password crackers
• Wireless hacking
• Network scanning and hacking
• Packet crafting (the art of creating a packet according to various requirements to carry out attacks and to exploit vulnerabilities in a network, for example Netcat)
• Packet sniffers
• Rootkit detectors (directory/file integrity checkers)
• Fuzzers to search for vulnerabilities (tools used by hackers attempting to discover weaknesses in a computer system’s security)
• Forensic (to sniff out any trace of evidence existing in a particular computer system)
• Debuggers (a debugging tool is a computer program that is used to test and debug other programs, the "target" program)
• Hacking operating systems (Kali Linux)
• Encryption
• Vulnerability exploitation
• Vulnerability scanners

Network hacking attacks:
• Eavesdropping: This is when a hacker captures and “listens” to network traffic. This attack is also referred to as sniffing or snooping.

• Data modification

• IP address spoofing

• Password-based

• Denial-of-service

• Man-in-the-middle

• Compromised-key: If a hacker obtains a secret key, that key is referred to as a compromised key. A compromised key can be used to gain access to a secured communication without the sender or receiver being aware of the attack.

• Sniffer: A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets.

A virus is malicious code that is attached to executable files, which are often legitimate programs.
It requires end-user activation and can lie dormant for an extended period and then activate at a specific time or date.

A Trojan horse is malware that carries out malicious operations under the guise of a desired function. A Trojan horse comes with malicious code hidden inside of it.

Unlike a computer virus, a Trojan horse is not able to replicate itself, nor can it propagate without an end user's assistance.

Trojan horses are usually classified according to the damage that they cause or the manner in which they breach a system.
Classifications:
• Security software disabler: stops antivirus programs or firewalls from functioning.

• Remote-access

• Data-sending: provides the attacker with sensitive data.

• Destructive: corrupts or deletes files.

• Proxy: uses the victim's computer as the source device to launch attacks and perform other illegal activities.

• FTP: enables unauthorized file transfer services on end devices.

• DoS: slows or halts network activity.

Worms replicate themselves by independently exploiting vulnerabilities in networks.
Worms usually slow down networks.
Whereas a virus requires a host program to run, worms can run by themselves.

[Figures: Initial Code Red Worm Infection; Code Red Worm Infection 19 Hours Later]

Most worm attacks consist of three components:

• Enabling vulnerability

A worm installs itself using an exploit mechanism, such as an email attachment, an executable file, or a Trojan horse, on a vulnerable system.

• Propagation mechanism

After gaining access to a device, the worm replicates itself and locates new targets.

• Payload

Any malicious code that results in some action is a payload. Most often this is used to create a backdoor to the infected host or create a DoS attack.

[Figure: Code Red worm attack cycle: 1. Propagate for 19 days; 2. Launch DoS attack for the next 7 days; 3. Stop and go dormant for a few days; 4. Repeat the cycle]

Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid.

Spyware is used to gather information about a user and send the information to another entity, without the user’s consent.

Adware typically displays annoying pop-ups to generate revenue for its author.

Scareware is a malicious computer program designed to trick a user into buying and downloading unnecessary and potentially dangerous software, such as fake antivirus protection.

Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or areas of its software that would not otherwise be allowed (for example, to an unauthorized user) while at the same time masking its existence or the existence of other software.
Malware is a means to get a payload delivered. When it is delivered and installed, the payload can be used to cause a variety of network-related attacks.

To mitigate attacks, it is useful to first categorize the various types of attacks.

[Figure: attack categories: Reconnaissance, Access, DoS; examples shown include data modification, SYN flood, and Smurf attack]
Reconnaissance is known as information gathering.
Hackers use reconnaissance (or recon) attacks to do unauthorized discovery and mapping of systems, services, or vulnerabilities.

These are some of the techniques used by malicious hackers conducting reconnaissance attacks:
• Initial query of a target

• Ping sweep of the target network

• Port scan of active IP addresses

• Vulnerability scanners

• Exploitation tools

Access attacks exploit known vulnerabilities in authentication services, FTP
services, and web services to gain entry to web accounts, confidential
databases, and other sensitive information.
A few reasons why hackers use access attacks:
• To retrieve data

• To gain access

• To escalate access privileges

A few types of access attacks include:


• Password

• Trust exploitation

• Port redirection

• Man-in-the-middle

• Buffer overflow

• IP, MAC, DHCP spoofing

Two major sources of DoS attacks:

- Maliciously formatted packets: these cause the receiving device to crash or run very slowly.

- Overwhelming quantity of traffic: a network, host, or application is unable to handle an enormous quantity of data, causing the system to crash or perform slowly.

Types of DoS:
ping of death
Smurf attack
TCP SYN flood
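As an added example (not part of the Cisco course material), the following Python script shows how a defender can recognize the reconnaissance techniques listed earlier (ping sweep, port scan) and the three DoS types named above (ping of death, Smurf attack, TCP SYN flood) in summarized flow records. The Flow record format, the thresholds, the local network and the sample flows are constructed assumptions.

```python
"""Flow-based detection of the recon and DoS patterns named on the slides.
Added example: the Flow format, thresholds and sample data are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One summarized flow as a collector might export it (constructed format)."""
    src: str
    dst: str
    proto: str   # "tcp" or "icmp"
    dport: int   # destination port, 0 for ICMP
    flags: str   # TCP flags seen from src over the flow: "S" = SYN only (no handshake); "" for ICMP
    length: int  # reassembled IP datagram length in bytes


# Illustrative thresholds; tune them to the network being monitored.
PING_SWEEP_HOSTS = 8       # distinct hosts one source sends echo requests to
PORT_SCAN_PORTS = 10       # distinct TCP ports one source probes on one host
SYN_FLOOD_HALF_OPEN = 50   # SYN-only flows piling up on one dst:port
MAX_IP_DATAGRAM = 65535    # largest legal IP datagram; a longer echo is a ping of death


def detect(flows, local_net="10.0.0.0/24"):
    """Return sorted (kind, offender, target) tuples for the patterns found."""
    net = ip_network(local_net)
    findings = set()
    pinged = defaultdict(set)      # src -> hosts it sent ICMP echo to
    probed = defaultdict(set)      # (src, dst) -> TCP ports probed with lone SYNs
    half_open = defaultdict(int)   # (dst, dport) -> count of SYN-only flows

    for f in flows:
        if f.proto == "icmp":
            if f.length > MAX_IP_DATAGRAM:
                findings.add(("ping_of_death", f.src, f.dst))
            elif ip_address(f.dst) == net.broadcast_address:
                # Smurf: echo to the directed-broadcast address; every host replies
                # to the spoofed source, so that source is the real victim.
                findings.add(("smurf", "spoofed", f.src))
            else:
                pinged[f.src].add(f.dst)
        elif f.proto == "tcp" and f.flags == "S":
            probed[(f.src, f.dst)].add(f.dport)
            half_open[(f.dst, f.dport)] += 1

    for src, hosts in pinged.items():
        if len(hosts) >= PING_SWEEP_HOSTS:
            findings.add(("ping_sweep", src, local_net))
    for (src, dst), ports in probed.items():
        if len(ports) >= PORT_SCAN_PORTS:
            findings.add(("port_scan", src, dst))
    for (dst, dport), n in half_open.items():
        if n >= SYN_FLOOD_HALF_OPEN:
            findings.add(("syn_flood", "many", f"{dst}:{dport}"))
    return sorted(findings)


def sample_flows():
    """Constructed records: a little normal traffic plus one instance of each attack."""
    flows = [
        Flow("10.0.0.15", "198.51.100.9", "tcp", 443, "SAF", 5200),  # completed web session
        Flow("10.0.0.16", "10.0.0.20", "tcp", 22, "SAF", 9100),      # completed SSH session
        Flow("10.0.0.16", "10.0.0.1", "icmp", 0, "", 84),            # one ordinary ping
    ]
    recon = "203.0.113.5"
    flows += [Flow(recon, f"10.0.0.{h}", "icmp", 0, "", 84) for h in range(1, 13)]  # ping sweep
    flows += [Flow(recon, "10.0.0.20", "tcp", p, "S", 60)                            # port scan
              for p in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080)]
    flows += [Flow(f"198.51.100.{i}", "10.0.0.20", "tcp", 80, "S", 60)               # SYN flood
              for i in range(1, 61)]
    flows.append(Flow("10.0.0.20", "10.0.0.255", "icmp", 0, "", 84))                 # Smurf
    flows.append(Flow("192.0.2.7", "10.0.0.20", "icmp", 0, "", 65550))               # ping of death
    return flows


if __name__ == "__main__":
    for kind, offender, target in detect(sample_flows()):
        print(f"{kind:14} offender={offender:14} target={target}")
```

A real deployment would feed NetFlow or firewall connection logs into `detect` in time windows, since the thresholds only make sense per interval.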

A Denial of Service (DoS) attack is different from a DDoS attack. The DoS attack typically uses one computer and one Internet connection to flood a targeted system or resource. The DDoS attack uses multiple computers and Internet connections to flood the targeted resource.
A DDoS attack could proceed as follows:
1. The hacker builds a network of infected machines.
• A network of infected hosts is called a botnet.
• The compromised computers are called zombies.
• Zombies are controlled by handler systems.

2. Zombie computers continue to scan and infect more targets.

3. The hacker instructs the handler system to make the botnet of zombies carry out the DDoS attack.

Upon completion of this section, you should be able to:
• Describe methods and resources to protect the networks.

• Describe a collection of domains for network security.

• Explain the purpose of the Cisco SecureX Architecture.

• Describe the techniques used to mitigate common network attacks.

• Explain how to secure the three functional areas of Cisco routers and switches.

Network security professionals are responsible for maintaining data assurance for an organization and ensuring the integrity and confidentiality of information.

Regardless of job titles, network security professionals must always stay one step ahead of the hackers:
• They must constantly upgrade their skill set to keep abreast of the latest threats.
• They must attend training and workshops.
• They must subscribe to real-time feeds regarding threats.
• They must peruse security websites on a daily basis.
• They must maintain familiarity with network security organizations.

Network security professionals must collaborate with professional colleagues frequently.
This includes attending workshops and conferences that are often affiliated with,
sponsored by, or organized by, local, national, or international technology organizations.

In addition to preventing and denying malicious traffic, network security professionals must also ensure that data is protected.
Cryptography, the study and practice of hiding information, is used extensively in modern network security.
Cryptography ensures three components of information security:

Confidentiality: uses encryption to encrypt and hide data.

Integrity: uses hashing algorithms to ensure data is unaltered during operation.

Availability: assures data is accessible. Guaranteed by network hardening mechanisms and backup systems.
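As an added example, not part of the original slides, this Python code applies the Integrity component above to a device configuration: fingerprint a baseline with SHA-256, re-check it later, and show why a keyed hash (HMAC) is needed when the stored fingerprint itself could be overwritten by whoever altered the data. The configuration text and the key are constructed.

```python
"""Integrity checking of a device configuration, per the Integrity component
on the slide. Added example; the configuration text and key are constructed."""
import hashlib
import hmac

# Constructed running-config excerpt; the secret is an obvious placeholder.
BASELINE_CONFIG = b"""hostname edge-rtr
enable secret 5 $PLACEHOLDER-HASH$
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
"""


def digest(data: bytes) -> str:
    """Plain SHA-256 fingerprint: detects accidental or unsophisticated change."""
    return hashlib.sha256(data).hexdigest()


def keyed_digest(data: bytes, key: bytes) -> str:
    """HMAC-SHA256: cannot be recomputed by someone who alters data but lacks the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(data: bytes, expected: str, key=None) -> bool:
    """Constant-time comparison of the stored fingerprint against a fresh one."""
    actual = keyed_digest(data, key) if key is not None else digest(data)
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    """Take a baseline, then simulate an attacker silently dropping the inbound ACL."""
    key = b"constructed-monitoring-key"   # kept on the monitoring host, not on the device
    stored_plain = digest(BASELINE_CONFIG)
    stored_keyed = keyed_digest(BASELINE_CONFIG, key)
    tampered = BASELINE_CONFIG.replace(b" ip access-group OUTSIDE-IN in\n", b"")
    return {
        "unchanged_passes_plain": verify(BASELINE_CONFIG, stored_plain),
        "unchanged_passes_keyed": verify(BASELINE_CONFIG, stored_keyed, key),
        "tamper_caught_plain": not verify(tampered, stored_plain),
        "tamper_caught_keyed": not verify(tampered, stored_keyed, key),
        # If the stored fingerprint can also be overwritten, a plain hash is
        # trivially recomputed for the tampered text, but the keyed one is not.
        "plain_hash_forgeable": verify(tampered, digest(tampered)),
        "keyed_hash_forgeable": verify(tampered, keyed_digest(tampered, b"guessed-key"), key),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:24} {result}")
```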

Network professionals must understand network security and also be familiar with the organizations dedicated to network security, as well as the 12 network security domains.
• Domains provide a framework for discussing network security.
• There are 12 network security domains specified by ISO/IEC 27002:
• Risk assessment

• Security policy

• Organization of information security

• Asset management

• Human resources security

• Physical and environmental security

• Communications and operations management

• Information systems acquisition, development, and maintenance

• Access control

• Information security incident management

• Business continuity management

• Compliance
[Figure: security policy screenshot]

A network security policy is a broad, end-to-end document designed to be clearly applicable to an organization’s operations. It is used to aid in network design, convey security principles, and facilitate network deployments.

A security policy is a formal statement of the rules by which people that are given access to the technology and information assets of an organization must abide.

A security policy template contains a set of policies that are aimed at protecting the interests of the company. They safeguard hardware, software, network, devices, equipment, and various other assets that belong to the company. They also make it possible to record security breaches and help prevent them from recurring.

• A security policy is a set of objectives for the company, rules of behavior for the users and administrators, and requirements for systems and management that collectively ensure the security.
• The network security policy outlines rules for network access, determines how policies are enforced, and describes the basic architecture of the organization’s network security environment.
• The network security policy outlines what assets should be protected and gives guidance on how they should be protected. This will then be used to determine the security devices and mitigation strategies and procedures that should be implemented on the network.

In the “Security Onion” analogy, a hacker would have to peel away at a network’s defense mechanisms in a similar manner to peeling an onion.

The Borderless Network has changed this analogy to the “Security Artichoke.” In this analogy, hackers no longer have to peel away each layer. They only need to remove certain ‘artichoke leaves’. The bonus is that each ‘leaf’ of the network may reveal sensitive data that is not well secured. And leaf after leaf, it all leads the hacker to more data.

The Cisco SecureX Architecture™ is a next-generation security framework that brings together flexible solutions, products, and services to address and enforce consistent business policy throughout the distributed network.

It is a new context-aware security architecture that enforces security policies across the entire distributed network, not just at a single point in the data stream. It is an access control strategy.

It is a context-aware, network-centric approach to security that enables:
• Greater alignment of security policies with business needs
• Integrated global intelligence
• Simplified security delivery
• Consistent security

It protects today’s borderless networks by providing effective security for any user, using any device, from any location, and at any time. Cisco SecureX products work together to provide this.

[Figure: SecureX at the center, surrounded by Server Edge and Branch, Secure Data Center and Virtualization, Secure Email and Web, Secure Access, and Secure Mobility]

Cisco SecureX Architecture includes the following five major components:
• Scanning engines (can be a firewall/IPS or a proxy)

• Delivery mechanisms: the mechanisms by which scanning elements are introduced into the network, such as a module in a switch or router.

• Security Intelligence Operations (SIO): the “brains” that distinguish good traffic from malicious traffic.

• Policy management consoles: by separating policy creation and management from enforcement, it is possible to have a single point of policy definition that spans multiple enforcement points such as email, instant messaging, and the Web.

• Next-generation endpoint

Cisco Security Intelligence Operations (SIO) is an advanced security infrastructure that provides threat
identification, analysis, and mitigation to continuously provide the highest level of security for Cisco customers.

The SIO is a Cloud-based service that connects global threat information, reputation-based services, and
sophisticated analysis, to Cisco network security devices.

It is the world’s largest Cloud-based security ecosystem, using almost a million live data feeds from
deployed Cisco ESA, WSA, ASA, and IPS solutions.

The researchers, analysts, and developers at SIO then weigh and process the data, automatically categorizing
threats and creating rules using more than 200 parameters. Rules are dynamically delivered to deployed Cisco
SecureX IPS, ESA, WSA, and ASA security devices every three to five minutes.

Best practices:
• Develop a written security policy.

• Educate employees about the risks of social engineering, and develop strategies to
validate identities over the phone, via email, or in person.

• Control physical access to systems.

• Use strong passwords and change them often.

• Encrypt and password-protect sensitive data.

• Implement security hardware and software.

• Perform backups and test the backed up files on a regular basis.

• Shut down unnecessary services and ports.

• Keep patches up-to-date by installing them weekly or daily to prevent buffer overflow and privilege escalation attacks.

• Perform security audits to test the network.

Thank you.
• Remember, there are helpful tutorials and user guides available via your NetSpace home page (https://www.netacad.com).
• These resources cover a variety of topics including navigation, assessments, and assignments.
• A screenshot has been provided here highlighting the tutorials related to activating exams, managing assessments, and creating quizzes.

