a Secure Network
CCNA Security
Presentation_ID
Cisco Confidential
Describe the benefits of risk management and the measures to take to optimize risk management.
Describe the purpose of and the techniques used in network security testing.
Describe the concepts of security awareness and how to achieve security awareness through education and training.
Chapter 10
10.0 Introduction
10.1 Principles of Secure Network Design
10.2 Security Architecture
10.3 Operations Security
10.4 Network Security Testing
10.5 Business Continuity Planning and Disaster Recovery
10.6 System Development Life Cycle
10.7 Developing a Comprehensive Security Policy
10.8 Summary
Secure network devices with AAA, SSH, role-based CLI, syslog, SNMP,
and NTP. Secure services using AutoSecure and one-step lockdown.
Security Policies
Created and maintained to mitigate existing and new kinds of attacks.
Enforce a structured, informed, consistent approach to securing the network.
Designed to address the following:
Business needs
Threat Identification
Risk analysis
Security needs
Industry-recommended practices
Security operations
Industry-recommended practices:
Security operations:
Identifying Threats
Risk Analysis in IT
Single Loss Expectancy (SLE) - Represents the expected loss from a single occurrence of the threat.
Asset Value (AV) - Includes the cost of development or purchase price, deployment, and maintenance.
Exposure Factor (EF) - An estimate of the degree of destruction that could occur.
Annualized Loss Expectancy (ALE) - Addresses the cost to the organization if it does nothing to counter existing threats.
Annualized Rate of Occurrence (ARO) - Estimates the frequency of an event and is used to calculate the ALE.
Exposure Factor (EF): .001 percent (.00001)
Asset Value (AV): $1,000,000
SLE is: $1,000,000 * .00001
SLE is equal to: $10
Flood threat
SLE is: $6,000,000
ARO is: .01
ALE is: $6,000,000 * .01
ALE is equal to: $60,000
SLE is: $10
ARO is: 125,000
ALE is: $10 * 125,000
ALE is equal to: $1,250,000
Risk Management
Operations Security
Operations security is concerned with the day-to-day practices necessary to first deploy and later maintain a secure system.
It starts with the planning and implementation process of a network.
Separation of Duties
Separation of duties (SoD) is the most difficult and sometimes the most costly control to achieve.
SoD states that no single individual has control over two or more phases of a transaction or operation.
Rotation of Duties
Trusted Recovery
Systems eventually fail!
Network scanning
Includes software that can ping computers, scan for listening TCP ports, and display which types of resources are available on the network.
Some scanning software can also detect usernames, groups, and shared resources.
Network administrators can use this information to strengthen their networks.
Password cracking
Integrity checkers
Virus detection
Nmap
Nmap Cont.
SuperScan
SuperScan Cont.
Disaster Recovery
Recovery Plans
Redundancy
Warm site:
Physically redundant facilities, but software and data are not stored and updated on the equipment.
Depending on how much software and data is involved, it can take days before operations are ready to resume.
Cold site:
Secure Copy
The primary goal of disaster recovery is to restore the network to a fully functional state.
Two of the most critical components of a functional network are the router configuration and the router image files.
Every disaster recovery plan should include backup and retrieval of these files.
Because an organization's network configuration includes private or proprietary information, these files must be copied in a secure manner.
The secure copy (SCP) feature provides a secure and authenticated method for copying router configuration or router image files.
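As an added example (not a configuration from the deck itself), the following Cisco IOS commands enable the SCP server on a router and then back up its running configuration over SCP. The hostname R1, the domain name example.com, the username scpadmin and the backup host 192.0.2.10 are placeholders.

```cisco
! Added example; hostname, domain, username, password and addresses are
! placeholders, not values from the deck.
! SCP runs over SSH, so SSH must work first. A hostname and domain name
! are required before the RSA key pair can be generated.
Router(config)# hostname R1
R1(config)# ip domain-name example.com
R1(config)# crypto key generate rsa general-keys modulus 2048
R1(config)# ip ssh version 2
! SCP requires AAA login authentication and EXEC authorization; the
! account used for SCP must have privilege level 15.
R1(config)# aaa new-model
R1(config)# aaa authentication login default local
R1(config)# aaa authorization exec default local
R1(config)# username scpadmin privilege 15 secret <strong-password>
! Only allow SSH (not Telnet) on the vty lines, then enable the SCP server.
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# exit
R1(config)# ip scp server enable
R1(config)# exit
! Copy the running configuration to a remote SCP host (192.0.2.10 is a
! placeholder); the router prompts for the account password.
R1# copy running-config scp://scpadmin@192.0.2.10/R1-running-config.cfg
! Verify that SSH and the SCP server are enabled.
R1# show ip ssh
R1# show running-config | include scp
```

Unlike TFTP or FTP, the transfer is authenticated and encrypted, so a configuration file that contains credentials or private addressing is not exposed on the wire.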
10.7 Developing a Comprehensive Security Policy
Security Policy
A security policy is a set of security objectives for a company, rules of behavior for users and administrators, and system requirements.
These objectives, rules, and requirements collectively ensure the security of a network and the computer systems in an organization.
A security policy is a constantly evolving document based on changes in technology, business, and employee requirements.
Security Policy
A comprehensive security policy has a number of benefits:
Demonstrates an organization's commitment to security
Sets the rules for expected behavior
Ensures consistency in system operations, software and hardware acquisition and use, and maintenance
Defines the legal consequences of violations
Gives security staff the backing of management
Security policies are used to inform users, staff, and managers of an organization's requirements for protecting technology and information assets.
A security policy also specifies the mechanisms that are needed to meet security requirements and provides a baseline from which to acquire, configure, and audit computer systems and networks for compliance.
Security Policy
A security policy may include the following:
Identification and Authentication Policies - Specifies authorized persons that can have access to network resources and verification procedures.
Password Policies - Ensures passwords meet minimum requirements and are changed regularly.
Acceptable Use Policies - Identifies network applications and usages that are acceptable to the organization. It may also identify ramifications if this policy is violated.
Remote Access Policies - Identifies how remote users can access a network and what is accessible via remote connectivity.
Network Maintenance Policies - Specifies network device operating systems and end user application update procedures.
Incident Handling Procedures - Describes how security incidents are handled.
2008 Cisco Systems, Inc. All rights reserved.
Security Policy Hierarchy
Governing Policy
The governing policy outlines the company's overall security goals for managers and technical staff.
It covers all security-related interactions among business units and supporting departments in the company.
It includes several components:
Statement of the issue that the policy addresses
How the policy applies in the environment
Roles and responsibilities of those affected by the policy
Actions, activities, and processes that are allowed (and not allowed)
Consequences of noncompliance
Technical Policy
Standard Documents
Guideline Documents
They are similar to standards, but are more flexible and are not usually mandatory.
Guidelines can be used to define how standards are developed and to guarantee adherence to general security policies.
Procedure Documents
Procedure documents are longer and more detailed than standards and guidelines.
Procedure documents include implementation details, usually with step-by-step instructions and graphics.
Procedure documents are extremely important for large organizations to have the consistency of deployment that is necessary for a secure environment.
Chief Information Officer (CIO) - Responsible for the information technology and computer systems that support enterprise goals, including successful deployment of new technologies and work processes. When an organization has both a CTO and CIO, the CIO is generally responsible for processes and practices supporting the flow of information, and the CTO is responsible for technology infrastructure.
Chief Security Officer (CSO) - Develops, implements, and manages the organization's security strategy, programs, and processes associated with all aspects of business operation, including intellectual property. A major aspect of this position is to limit exposure to liability in all areas of financial, physical, and personal risk.
Chief Information Security Officer (CISO) - Similar to the CSO, except that this position has a specific focus on IT security. The CISO must develop and implement the security policy, either as the primary author or through management of authorship. In either case, the CISO is responsible and accountable for security policy content.
Awareness campaigns
Training and education
Awareness Campaigns
"Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. In awareness activities, the learner is the recipient of information... Awareness relies on reaching broad audiences with attractive packaging techniques."
(NIST Special Publication 800-16)
Lectures, videos
Educational Program
Education integrates all the security skills and competencies of the various functional specialties into a common body of knowledge.
It adds a multidisciplinary study of concepts, issues, and principles, both technological and social, and strives to produce IT security professionals capable of vision and proactive response.
An example of an educational program is a degree program at a college or university.
Laws
A big reason for setting security policies and implementing awareness programs is compliance with the law.
You must be familiar with the laws and codes of ethics that are binding for Information Systems Security (INFOSEC) professionals.
Most countries have three types of laws:
Criminal law:
Administrative law: Involves government agencies enforcing regulations.
Ethics
Ethics Cont.
The information security profession has a number of formalized codes:
International Information Systems Security Certification Consortium, Inc. (ISC)2 Code of Ethics
Computer Ethics Institute (CEI)
Internet Activities Board (IAB)
Generally Accepted System Security Principles (GASSP)
Code of Ethics
Code of Ethics Preamble
Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this Code is a condition of certification.
Collecting Data