Protecting the

Organization
Cybersecurity Devices
and Technologies
Security Appliances
Routers

While routers are primarily used to interconnect

various network segments together, they usually
also provide basic traffic filtering capabilities.
This information can help you define which
computers from a given network segment can
communicate with which network segments.
Firewalls

Firewalls can look deeper into the network

traffic itself and identify malicious behavior
that has to be blocked. Firewalls can have
sophisticated security policies applied to
the traffic that is passing through them.
Intrusion prevention systems

IPS systems use a set of traffic

signatures that match and block
malicious traffic and attacks.
Virtual private networks

VPN systems let remote employees use

a secure encrypted tunnel from their
mobile computer and securely connect
back to the organization’s network.
Antimalware or antivirus

These systems use signatures or

behavioral analysis of applications to
identify and block malicious code from
being executed.
Firewalls
Firewalls

In computer networking, a firewall is

designed to control or filter which
communications are allowed in and
which are allowed out of a device or
network.
Firewalls

A firewall can be installed on a single computer

with the purpose of protecting that one computer
(host-based firewall) or it can be a standalone
network device that protects an entire network of
computers and all of the host devices on that
network (network-based firewall).
Firewall Types
Network layer firewall

This filters communications based on

source and destination IP addresses.
Transport layer firewall

Filters communications based on source

and destination data ports, as well as
connection states.
Application layer firewall

Filters communications based on an

application, program or service.
Context aware layer firewall

Filters communications based on the

user, device, role, application type and
threat profile.
Proxy Server

Filters web content requests like URLs,

domain names and media types.
Reverse Proxy Server

Placed in front of web servers, reverse

proxy servers protect, hide, offload and
distribute access to web servers.
Network Address Translation
(NAT) Firewall

This firewall hides or masquerades the

private addresses of network hosts.
Host-Based Firewall

Filters ports and system service calls on

a single computer operating system.
QUIZ
Placed in front of web servers, reverse
proxy servers protect, hide, offload and
distribute access to web servers.
Filtering communications based on the
user, device, role, application type and
threat profile.
Filters ports and system service calls on
a single computer operating system.
Filtering web content requests like
URLs, domain names and media types.
Filtering communications based on an
application, program, or service.
Filtering communications based on source
and destination data ports, as well as
connection states.
Hides or masquerades the private
addresses of network hosts.
Filtering communications based on
source and destination IP addresses.
Port Scanning
Port Scanning

Port-scanning is a process of probing a computer,

server or other network host for open ports.
Port Scanning

The port scan reported an ‘open’ state response.

This means that the service running on the
network can be accessed by other network
devices. Therefore, if the service contains a
vulnerability, it can be exploited by an attacker.
Intrusion Detection and Prevention
Systems
Intrusion Detection and Prevention Systems

Intrusion detection systems (IDSs) and intrusion

prevention systems (IPSs) are security measures
deployed on a network to detect and prevent
malicious activities.
Intrusion Detection and Prevention Systems
Real-Time Detection
Protecting Against Malware
Protecting Against Malware

How do you provide defense against the constant presence

of zero-day attacks, as well as advanced persistent threats
(APT) that steal data over long periods of time? One
solution is to use an enterprise-level advanced malware
detection solution that offers real-time malware detection.
Protecting Against Malware

Network administrators must constantly monitor the network for

signs of malware or behaviors that reveal the presence of an
APT. Cisco has an Advanced Malware Protection (AMP) Threat
Grid that analyzes millions of files and correlates them against
hundreds of millions of other analyzed malware artifacts.
Secure Operation Center Team

The Threat Grid allows the Cisco

Secure Operations Center team to
gather more accurate, actionable
data.
Incidence Response team

The Incidence Response team therefore

has access to forensically sound
information from which it can more
quickly analyze and understand
suspicious behaviors.
Threat Intelligence team

Using this analysis, the Threat

Intelligence team can proactively
improve the organization’s security
infrastructure.
Security Infrastructure
Engineering team

Overall, the Security Infrastructure

Engineering team is able to consume
and act on threat information faster,
often in an automated way.
Security Best Practices
Perform a Risk Assessment

Knowing and understanding the value of what

you are protecting will help to justify security
expenditures.
Create Security Policy

Create a policy that clearly outlines the

organization’s rules, job roles, and responsibilities
and expectations for employees.
Physical Security Measures

Restrict access to networking closets and server

locations, as well as fire suppression.
Human Resources Security Measures

Background checks should be completed for all

employees.
Perform and test back up

Back up information regularly and test data

recovery from backups.
Maintain Security Patches and Updates

Regularly update server, client and network

device operating systems and programs.
Employ Access Control

Configure user roles and privilege levels as well

as strong user authentication.
Regular Test Incident Response

Employ an incident response team and test

emergency response scenarios.
Implement Network Security Devices

Use next generation routers, firewalls and other

security appliances.
Implement a Comprehensive Endpoint
Security Solution

Use enterprise level antimalware and antivirus

software.
Educate Users

Provide training to employees in security

procedures.
Encrypt Data

Encrypt all sensitive organizational data,

including email.
Behavior Approach
to Cybersecurity
Behavior-Based
Security
Behavior-based security

Behavior-based security is a form of threat

detection that involves capturing and analyzing
the flow of communication between a user on the
local network and a local or remote destination.
Honeypots

A honeypot is a behavior-based detection tool that lures the

attacker in by appealing to their predicted pattern of
malicious behavior. Once the attacker is inside the honeypot,
the network administrator can capture, log and analyze their
behavior so that they can build a better defense.
Cisco’s Cyber Threat Defense Solution
Architecture

This is a security architecture that uses behavior-

based detection and indicators, to provide greater
visibility, context, and control.
NetFlow
NetFlow

NetFlow technology is used to gather information

about data flowing through a network.
Penetration Testing
Penetration testing

Penetration testing, commonly known as pen

testing, is the act of assessing a computer system,
network, or organization for security
vulnerabilities.
The five-step of pen
test process
STEP 1. Planning

The pen tester gathers as much information as

possible about a target system or network, its
potential vulnerabilities, and exploits to use
against it.
STEP 2. Scanning

The pen tester carries out active reconnaissance to

probe a target system or network and identify
potential weaknesses which, if exploited, could
give an attacker access.
STEP 3. Gaining Access

The pen tester will attempt to gain access to a

target system and sniff network traffic, using
various methods to exploit the system.
STEP 4. Maintaining Access

The pen tester will maintain access to the target to

find out what data and systems are vulnerable to
exploitation.
STEP 5. Analysis And Report

The pen tester will provide feedback via a report

that recommends updates to products, policies and
training to improve an organization’s security.
Your Turn: Put the following steps in the
correct order
__ Gather as much information as you can without being detected.

__ Footprint through the network to find ways to intrude.

__ Identify potential exploitable vulnerabilities.

__Report your findings to the team.

__ Exploit any vulnerabilities identified in the network by

simulating an attack.
Impact Reduction
 Actions organizations should
take when a security breach is
identified
Communicate the Issue

Internally, all employees should be informed and a

clear call to action communicated.

Externally, all clients should be informed through

direct communication and official announcements.
Be Sincere and Accountable

Respond to the breach in an honest and genuine

way, taking responsibility where the organization
is at fault.
Provide the details

Be open and explain why the breach took place

and what information was compromised.
Find the Cause

Take steps to understand what caused and

facilitated the breach. This may involve hiring
forensics experts to research and find out the
details.
Apply Lessons learned

Make sure that any lessons learned from forensic

investigations are applied to prevent similar
breaches from happening in the future.
Check and check again

Attackers will often attempt to leave a backdoor to

facilitate future breaches. To prevent this from
happening, make sure that all systems are clean, no
backdoors are installed and nothing else has been
compromised.
Educate

Raise awareness, train and educate employees,

partners and clients on how to prevent future
breaches.
Risk Management
Risk management

Risk management is the formal process of

continuously identifying and assessing risk in an
effort to reduce the impact of threats and
vulnerabilities.
Risk Management
Process
Fame the Risk

Identify the threats that increase risk. Threats may

include processes, products, attacks, potential failure
or disruption of services, negative perception of an
organization’s reputation, potential legal liability or
loss of intellectual property.
Assess the Risk

Determine the severity that each threat poses.

Respond to the Risk

Develop an action plan to reduce overall

organization risk exposure, detailing where risk
can be eliminated, mitigated, transferred or
accepted.
Monitor the Risk

Continuously review any risk reduced through

elimination, mitigation or transfer actions.
Remember, not all risks can be eliminated, so you
will need to closely monitor any threats that have
been accepted.