
Chapter 10: Managing a Secure Network

CCNA Security

Presentation_ID 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Chapter 10: Objectives
In this chapter, you will:
Describe the high-level considerations for ensuring that a network is secure.
Describe the benefits of risk management and the measures to take to optimize risk management.
Define and describe the components, technologies and devices of the Cisco SecureX Architecture.
Describe the five product families used in the SecureX Architecture.
Describe the overarching concepts of operations security.
Describe the core principles of operations security.
Describe the purpose of and the techniques used in network security testing.
Describe the tools used in network security testing.
Describe business continuity planning and disaster recovery.
Configure the Cisco Secure Copy feature.
Describe the SDLC.
Describe the five phases of the SDLC.
Describe the goals of a security policy.
Describe the structure of a security policy.
Describe the standards, guidelines, and procedures of a security policy.
Describe the roles and responsibilities entailed within a security policy.
Describe the concepts of security awareness and how to achieve security awareness through education and training.
Describe ethical guidelines and laws for network security.
Describe how to respond to a security breach.
Chapter 10
10.0 Introduction
10.1 Principles of Secure Network Design
10.2 Security Architecture
10.3 Operations Security
10.4 Network Security Testing
10.5 Business Continuity Planning and Disaster Recovery
10.6 System Development Life Cycle
10.7 Developing a Comprehensive Security Policy
10.8 Summary

10.1 Principles of Secure Network Design

Ensuring a Network is Secure
Secure End-to-End Network Approach

Secures network devices with AAA, SSH, role-based CLI, syslog, SNMP, and NTP. Secures services using AutoSecure and one-step lockdown.

Ensuring a Network is Secure
Secure End-to-End Network Approach Cont.

Protects network endpoints, such as workstations and servers, against viruses, Trojan horses, and worms with Cisco NAC, Cisco IronPort, and Cisco Security Agent.

Ensuring a Network is Secure
Secure End-to-End Network Approach Cont.

Uses Cisco IOS Firewall and accompanying ACLs to secure resources internally while protecting those resources from outside attacks.

Ensuring a Network is Secure
Secure End-to-End Network Approach Cont.

Supplements Cisco IOS Firewall with Cisco IPS technology to evaluate traffic using an attack signature database.

Ensuring a Network is Secure
Secure End-to-End Network Approach Cont.

Protects the LAN by following Layer 2 and VLAN recommended practices and by using a variety of technologies, including BPDU guard, root guard, PortFast, and SPAN.

Ensuring a Network is Secure
Secure End-to-End Network Approach Cont.

Where are all of these security approaches documented?

Ensuring a Network is Secure
Security Policies
Security policies are created and maintained to mitigate existing and new kinds of attacks. They enforce a structured, informed, consistent approach to securing the network.
They are designed to address the following:
Business needs
Threat Identification
Risk analysis
Security needs
Industry-recommended practices
Security operations

Ensuring a Network is Secure
Security Policies Cont.
Business needs:
What does the organization want to do with the network?
What are the organizational needs?
Threat identification:
What are the most likely types of threats given the organization's purpose?
Risk analysis:
What is the cost versus benefit analysis of implementing various security technologies?
How do the latest security techniques affect the network environment, and what is the risk if they are not implemented?

Ensuring a Network is Secure
Security Policies Cont.
Security needs:
What are the policies, standards, and guidelines needed to address
business needs and risks?
Industry-recommended practices:
What are the reliable, well-understood, and recommended security
practices that similar organizations currently employ?
Security operations:
What are the current procedures for incident response, monitoring,
maintenance, and auditing of the system for compliance?

Ensuring a Network is Secure
Avoid Wrong Assumptions
There are guidelines to help you avoid making wrong assumptions:
Expect that any aspect of a security system might fail.
Identify any elements that fail open. Fail-open occurs when a failure results in a complete bypass of the security function.
Try to identify all attack possibilities.
Use top-down analysis of possible system failures, which involves evaluating the simplicity and probability of every attack on a system. This is known as attack tree analysis.

Ensuring a Network is Secure
Avoid Wrong Assumptions Cont.
Evaluate the probability of exploitation. Focus on the resources that are needed to create an attack, not the obscurity of a particular vulnerability.
Assume that people make mistakes.
Assume that attackers might not use common and well-established techniques to compromise a system.
Check all assumptions with other people. Peers might have a fresh perspective on potential threats and their probability.

Threat Identification and Risk Analysis
Identifying Threats
When identifying threats, it is important to ask two questions:
1. What are the possible vulnerabilities of a system?
2. What are the consequences if system vulnerabilities are exploited?

Threat Identification and Risk Analysis
Risk Analysis in IT
Risk analysis is the systematic study of uncertainties and risks. It identifies the risks, determines how and when those risks might arise, and estimates the impact (financial or otherwise) of adverse outcomes.

Threat Identification and Risk Analysis
Risk Analysis in IT Cont.
The first step in developing a risk analysis is to evaluate each
threat to determine its severity and probability.
For example, threats in an e-banking system may include:
Internal system compromise
Stolen customer data
Phony transactions if external server is breached
Phony transactions using a stolen customer PIN or smart
card
Insider attack on the system
Data input errors
Data center destruction
Threat Identification and Risk Analysis
Risk Analysis in IT Cont.
After the threats are evaluated for severity and likelihood, this information is used in a risk analysis.
There are two types of risk analysis in information security:
Quantitative risk analysis - Uses a mathematical model that assigns a monetary figure to the value of assets, the cost of threats being realized, and the cost of security implementations.
Qualitative risk analysis - Can be used when the risk assessment must be done in a relatively short time or under a tight budget, or when relevant data or expertise is not readily available.

Threat Identification and Risk Analysis
Risk Analysis in IT Cont.
Various ways of conducting qualitative risk analysis exist.
One method uses a scenario-based model.
This approach is best for large cities, states, and countries because
it is impractical to try to list all the assets, which is the starting point
for any quantitative risk analysis.
For example, by the time a typical national government lists all of its
assets, the list would have hundreds or thousands of changes and
would no longer be accurate.
With qualitative risk analysis, research is exploratory and cannot
always be graphed or proven mathematically. It focuses mostly
on the understanding of why risk is present and how various
solutions work to resolve the risk.

Threat Identification and Risk Analysis
Quantitative Risk Analysis: Single Loss Expectancy

Quantitative risk analysis relies on specific formulas to determine the value of the risk decision variables. These include formulas that calculate the Asset Value (AV) and the Exposure Factor (EF), which together give the Single Loss Expectancy (SLE), and the Annualized Rate of Occurrence (ARO), which combined with the SLE gives the Annualized Loss Expectancy (ALE).

Threat Identification and Risk Analysis
Quantitative Risk Analysis: Single Loss Expectancy Cont.

Single Loss Expectancy (SLE) - Represents the expected loss from a single occurrence of the threat: SLE = AV * EF.

Asset Value (AV) - Includes the cost of development or purchase price, deployment, and maintenance.

Exposure Factor (EF) - An estimate of the degree of destruction that could occur, expressed as a percentage of the asset value.

Annualized Loss Expectancy (ALE) - Addresses the cost to the organization if it does nothing to counter existing threats: ALE = SLE * ARO.

Annualized Rate of Occurrence (ARO) - Estimates the frequency of an event (expected occurrences per year) and is used to calculate the ALE.

Threat Identification and Risk Analysis
Quantitative Risk Analysis: Single Loss Expectancy Cont.
Flood threat
Exposure Factor is: 60 percent
AV of the enterprise is: $10,000,000
SLE is: $10,000,000 * .60
SLE is equal to: $6,000,000

Threat Identification and Risk Analysis
Quantitative Risk Analysis: Single Loss Expectancy Cont.
Data entry error
Exposure Factor is: .001 percent
AV of the enterprise is: $1,000,000
SLE is: $1,000,000 * .00001
SLE is equal to: $10
Threat Identification and Risk Analysis
Quantitative Risk Analysis: Annualized Loss Expectancy
Data entry error
SLE is: $10
ARO is: 125,000
ALE is: $10 * 125,000
ALE is equal to: $1,250,000
Threat Identification and Risk Analysis
Quantitative Risk Analysis: Annualized Loss Expectancy Cont.
Flood threat
SLE is: $6,000,000
ARO is: .01
ALE is: $6,000,000 * .01
ALE is equal to: $60,000
Threat Identification and Risk Analysis
Quantitative Risk Analysis
It is necessary to perform a quantitative risk analysis for all
threats identified during the threat identification process.
Then prioritize the threats and address the most serious threat
first to enable management to focus resources where they do the
most good.
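The SLE and ALE calculations from the preceding slides, carried through in code as an added example (this is not part of the course material). The flood and data-entry figures are the ones on the slides. The ranking step goes one step beyond the slides by sorting every threat by ALE, which is what the prioritization described here calls for; the countermeasure figures used at the bottom (an input-validation control assumed to cut the data-entry ARO to 12,500 at $200,000 a year) are invented for illustration.

```python
"""Quantitative risk analysis: SLE, ALE, threat ranking, and a control's net value.

Added example. Slide figures for the flood and data-entry threats; the
countermeasure cost and its effect on ARO are assumed, not from the course.
"""


def pct(percent):
    """Turn a percentage as written on the slides (60, .001) into a fraction."""
    return percent / 100.0


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV * EF, rounded to cents (exposure_factor is a fraction, not a percent)."""
    return round(asset_value * exposure_factor, 2)


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE * ARO, rounded to cents (aro is expected occurrences per year)."""
    return round(sle * aro, 2)


# Slide figures: flood (EF 60%, AV $10M, ARO .01) and data entry error
# (EF .001%, AV $1M, ARO 125,000).
THREATS = [
    {"threat": "Flood", "av": 10_000_000, "ef": pct(60), "aro": 0.01},
    {"threat": "Data entry error", "av": 1_000_000, "ef": pct(0.001), "aro": 125_000},
]


def rank_threats(threats):
    """Return (threat, SLE, ALE) tuples, largest ALE first, i.e. the order in
    which management should fund mitigations."""
    rows = []
    for t in threats:
        sle = single_loss_expectancy(t["av"], t["ef"])
        rows.append((t["threat"], sle, annualized_loss_expectancy(sle, t["aro"])))
    return sorted(rows, key=lambda row: row[2], reverse=True)


def countermeasure_value(ale_before, ale_after, annual_cost):
    """Net annual value of a control: ALE reduction minus the control's yearly
    cost. A negative result means the control costs more than the risk it removes."""
    return round(ale_before - ale_after - annual_cost, 2)


if __name__ == "__main__":
    for name, sle, ale in rank_threats(THREATS):
        print(f"{name:18} SLE=${sle:>14,.2f}  ALE=${ale:>14,.2f}")
    # Assumed control: input validation drops the data-entry ARO from
    # 125,000 to 12,500 per year and costs $200,000 per year to run.
    before = annualized_loss_expectancy(10.0, 125_000)
    after = annualized_loss_expectancy(10.0, 12_500)
    print("Net annual value of input validation:", countermeasure_value(before, after, 200_000))
```

The ranking makes the slide's point concrete: the data entry error has a trivial SLE ($10) but, at 125,000 occurrences a year, an ALE of $1,250,000, which is more than twenty times the flood's $60,000, so it is the threat to fund first.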

Risk Management and Risk Avoidance
Methods of Handling Risks
When the threats are identified and the risks are assessed, a
protection strategy must be deployed to protect against the risks.
There are two very different methods to handle risks:
Risk management - Deploys protection mechanisms to reduce
risks to acceptable levels.
Risk avoidance - Eliminates risk by avoiding the threats altogether.

Risk Management and Risk Avoidance
Risk Management
This method deploys protection mechanisms to reduce risks to acceptable levels.
Risk management is perhaps the most basic and the most difficult aspect of building secure systems, because it requires a good knowledge of risks, risk environments, and mitigation methods.

Risk Management and Risk Avoidance
Risk Management Cont.
Not all mitigation techniques are implemented based on the risk versus cost formula used in the quantitative risk analysis. For the e-banking example, the threats to be handled are:
Internal system compromise
Stolen customer data
Phony transactions if the external server is broken into
Phony transactions using a stolen customer PIN or smart card
Insider attack on the system
Data input error
Data center destruction

Risk Management and Risk Avoidance
Risk Avoidance
Using the risk avoidance approach, a company might decide against offering e-banking services because they are deemed too risky.
Such an attitude might be valid for some military organizations, but it is usually not an option in the commercial world.
Organizations that can manage the risks are traditionally the most profitable.

10.2 Security Architecture

Introducing the Cisco SecureX Architecture
Borderless Networks
Today, Internet worms and other security threats spread across
the world in a matter of minutes requiring that the security system,
and the network itself, react instantaneously.
Consumer endpoints, such as iPhones, BlackBerrys, netbooks,
and thousands of other devices, are becoming powerful
substitutes for, or complements to, the traditional PC.
More people use these devices to access enterprise information.

Introducing the Cisco SecureX Architecture
SecureX Security Architecture
Designed to provide effective security for any user, using any
device, from any location, and at any time.
Uses a high-level policy language that can describe the full
context of a situation, including who, what, where, when, and
how.
With highly distributed security policy enforcement, security is pushed closer to where the end user is working, anywhere on the planet. This architecture consists of five major components:
Scanning engines
Delivery mechanisms
Security Intelligence Operations (SIO)
Policy management consoles
Next-generation endpoints

Introducing the Cisco SecureX Architecture
Centralized Context-Aware
A context-aware scanning element does more than just examine packets on the wire.
It looks at external information to understand the full context of the situation: the who, what, where, when, and how of security.
These scanning elements are available as standalone appliances, software modules running in a router, or an image in the cloud.
They are managed from a central policy console that uses a high-level policy language to build context-aware policies.
A context-aware policy uses a simplified descriptive business language to define security policies based on five parameters:
The person's identity
The application in use
The type of device being used for access
The location
The time of access

Introducing the Cisco SecureX Architecture
Cisco Security Intelligence Operations
Delivers real-time global threat intelligence.
World's largest cloud-based security ecosystem, using almost a million live data feeds from deployed Cisco email, web, firewall, and IPS solutions.
Cisco SIO weighs and processes the data, automatically
categorizing threats and creating rules using more than 200
parameters.
Rules are dynamically delivered to deployed Cisco security
devices every three to five minutes.

Solutions for the Cisco SecureX Architecture
Cisco Secure Edge and Branch
The goal of the Cisco secure edge and branch is to deploy
devices and systems to detect and block attacks and exploits,
and prevent intruder access.
With firewall and intrusion prevention in standalone and
integrated deployment options, organizations can avoid attacks
and meet compliance requirements.

Solutions for the Cisco SecureX Architecture
Secure Email and Web
Cisco secure email and web solutions protect an organization
from evolving email and web threats.
They reduce costly downtime associated with email-based
spam, viruses, and web threats, and are available in a variety of
form factors, including:
On-premises appliances - Cisco IronPort email security and IronPort web security appliances
Cisco ScanSafe Cloud Web Security

Solutions for the Cisco SecureX Architecture
Secure Access
Secure access technologies enforce network security policies,
secure user and host access controls, and control network access
based on dynamic conditions.

Solutions for the Cisco SecureX Architecture
Secure Mobility
Cisco secure mobility solutions promote highly secure mobile
connectivity with VPN, wireless security, and remote workforce
security solutions that extend network access safely and easily to
a wide range of users and devices.

Solutions for the Cisco SecureX Architecture
Secure Data Center and Virtualization
Cisco secure data center and virtualization solutions protect high-
value data and data center resources with threat defense, secure
virtualization, segmentation, and policy control.

Solutions for the Cisco SecureX Architecture
Network Security Services
The security industry is always changing.
The next few years will be a period of significant change, driven by three major trends:
Consumerization of the endpoint
Increasing use of high-definition video conferencing
Adoption of cloud computing

10.3 Operations Security

Introducing Operations Security
Operations Security
Operations security is concerned with the day-to-day practices
necessary to first deploy and later maintain a secure system.
It starts with the planning and implementation process of a
network.
During these phases, the operations team proactively analyzes
designs, identifies risks and vulnerabilities, and makes the
necessary adaptations.
After a network is set up, the actual operational tasks begin,
including the continual day-to-day maintenance of the environment.

Introducing Operations Security
Operations Security Team
The responsibilities of the operations team pertain to everything
that takes place to keep the network, computer systems,
applications, and the environment up and running in a secure and
protected manner.
The operations team usually has the objectives of preventing recurring problems, reducing hardware failures to an acceptable level, and reducing the impact of hardware failure or disruption.

Introducing Operations Security
Operations Security Team Cont.
To ensure a secure working environment within the operations
department, certain core principles should be integrated into the
day-to-day activities:
Separation of duties
Rotation of duties
Trusted recovery
Change and configuration controls

Principles of Operations Security
Separation of Duties
Separation of duties (SoD) is the most difficult and sometimes the most costly control to achieve. SoD states that no single individual has control over two or more phases of a transaction or operation. Instead, responsibilities are assigned in a way that incorporates checks and balances. This makes deliberate fraud more difficult to perpetrate because it requires the collusion of two or more individuals or parties.

Principles of Operations Security
Rotation of Duties
Trained individuals are given a specific assignment for a certain amount of time before moving to a new assignment. A peer review is built into the practice of rotation of duties. For example, when five people do one job in the course of the week, each person reviews the work of the others. Rotation of duties also prevents boredom, gives individuals a greater breadth of exposure to the entire network operation, and creates a strong and flexible operations department.

Principles of Operations Security
Trusted Recovery
Systems eventually fail! Therefore, a process for recovery must be established. Backing up data is standard practice in most IT departments, and being prepared for system failure is also an important part of operations security:
Back up critical data on a regular basis.
Evaluate who has access to the files to back them up and what kind of access they have.
Secure the backup media, and verify that the backups can actually be restored.

Principles of Operations Security
Configuration and Change Control
Ensures that standardized methods and procedures are used to
efficiently handle all changes.
It should address three major components:
The processes in place to minimize system and network disruption
Backups and reversing changes that go badly
Guidance on the economic utilization of resources and time
A few suggestions are recommended to accomplish configuration
changes in an effective and safe manner:
Ensure that the change is implemented in an orderly manner with
formalized testing.
Ensure that the end users are aware of the coming change when
necessary.
Analyze the effects of the change after it is implemented.

Principles of Operations Security
Configuration and Change Control Cont.
Step 1. Apply to introduce the change.
Step 2. Catalog the proposed change.
Step 3. Schedule the change.
Step 4. Implement the change.
Step 5. Report the change to the relevant parties.

10.4 Network Security Testing

Introducing Network Security Testing
Network Security Testing
Network security testing is testing that is performed on a network
to ensure all security implementations are operating as expected.
Testing is typically conducted during the implementation and
operational stages.
During the implementation stage, security testing is conducted on
specific parts of the security system.
After a network is fully integrated and operational, a Security Test
and Evaluation (ST&E) is performed. ST&E is an examination or
analysis of the protective measures that are placed on an
operational network.
Tests should be repeated periodically and whenever a change is
made to the system. Test more frequently on critical information
or hosts that are exposed to constant threat.

Introducing Network Security Testing
Network Security Tests
Many tests can be conducted to assess the operational status of
the system:
Penetration testing
Network scanning
Vulnerability scanning
Password cracking
Log review
Integrity checkers
Virus detection

Introducing Network Security Testing
Network Security Tests Cont.
Penetration testing
Network penetration tests, or pen testing, simulate attacks from
malicious sources.
The goal is to determine the feasibility of an attack and possible
consequences if one were to occur.
Network scanning
Includes software that can ping computers, scan for listening TCP
ports and display which types of resources are available on the
network.
Some scanning software can also detect usernames, groups, and
shared resources.
Network administrators can use this information to strengthen their
networks.

Introducing Network Security Testing
Network Security Tests Cont.
Vulnerability scanning
Includes software that can detect potential weaknesses in the tested systems.
These weaknesses can include misconfiguration, blank or default passwords, or potential targets for DoS attacks.
Some software allows administrators to attempt to crash the system through the identified vulnerability. Such intrusive checks should be run only with explicit authorization and inside a maintenance window.
Password cracking
Includes software that is used to test and detect weak passwords that should be changed.
Password policies should include guidelines to prevent weak passwords.

Introducing Network Security Testing
Network Security Tests Cont.
Log review
System administrators should review security logs to identify
potential security threats.
Abnormal activity should be investigated using filtering software to
scan lengthy log files.
Integrity checkers
An integrity checking system detects and reports on changes in the
system.
Most of the monitoring is focused on the file system. However, some checking systems can also report on login and logout activities.
Virus detection
Virus detection software can be used to identify and remove
computer viruses and other malware.
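Two of the tests above, log review and integrity checking, as one added example that is not part of the course: the syslog lines are constructed in the Cisco IOS login-message format (not captured from a real router), and the file tree being checked is created in a temporary directory. The filter below does what the slide describes: it reduces a lengthy log to the login failures, then flags sources that reached a threshold. The integrity checker records a SHA-256 baseline of every file and reports what was added, removed, or modified.

```python
"""Log review and file integrity checking.

Added example. SAMPLE_LOG is constructed (IOS-style syslog, not a real
capture); the file tree in demo_integrity() is created in a temp directory.
"""
import hashlib
import os
import re
import tempfile
from collections import Counter

# Constructed IOS-style syslog: three failures from one source, one success
# and one config change from an admin host, and one stray failure elsewhere.
SAMPLE_LOG = """\
Jan  5 10:02:11 R1 12: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:02:11 UTC Fri Jan 5 2024
Jan  5 10:02:14 R1 13: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:02:14 UTC Fri Jan 5 2024
Jan  5 10:02:17 R1 14: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 10:02:17 UTC Fri Jan 5 2024
Jan  5 10:05:40 R1 15: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.1.1.20] [localport: 22] at 10:05:40 UTC Fri Jan 5 2024
Jan  5 10:06:02 R1 16: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.1.1.20)
Jan  5 10:09:55 R1 17: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 10:09:55 UTC Fri Jan 5 2024
"""

LOGIN_FAILED = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED: .*\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]")


def failed_logins_by_source(log_text, threshold=3):
    """Filter the log to login failures; return sources at or above the
    threshold with the usernames they tried (one source trying several
    accounts is a stronger signal than one user mistyping a password)."""
    counts, users = Counter(), {}
    for line in log_text.splitlines():
        m = LOGIN_FAILED.search(line)
        if m:
            counts[m["src"]] += 1
            users.setdefault(m["src"], set()).add(m["user"])
    return {src: {"failures": n, "users": sorted(users[src])}
            for src, n in counts.items() if n >= threshold}


def baseline(root):
    """Integrity baseline: SHA-256 of every file under root, keyed by relative path."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digests[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return digests


def integrity_report(before, after):
    """Compare two baselines: which paths were added, removed, or changed."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def demo_integrity():
    """Baseline a small tree, tamper with it the way an intruder might, re-check."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "hosts"), "wb") as f:
            f.write(b"127.0.0.1 localhost\n")
        with open(os.path.join(etc, "passwd"), "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/sh\n")
        before = baseline(root)
        with open(os.path.join(etc, "passwd"), "ab") as f:    # a second UID-0 account
            f.write(b"eve:x:0:0::/:/bin/sh\n")
        with open(os.path.join(etc, "rc.local"), "wb") as f:  # a new startup script
            f.write(b"#!/bin/sh\n")
        os.remove(os.path.join(etc, "hosts"))                 # a file deleted
        return integrity_report(before, baseline(root))


if __name__ == "__main__":
    print(failed_logins_by_source(SAMPLE_LOG))
    print(demo_integrity())
```

In production the baseline would be stored off the monitored host (an attacker who can change the file can also change a baseline kept beside it), which is the same reason the slide on trusted recovery says to secure the backup media.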

Introducing Network Security Testing
Applying Network Test Results
Network security testing results can be used in several ways:
To define mitigation activities to address identified vulnerabilities
As a benchmark to trace the progress of an organization in
meeting security requirements
To assess the implementation status of system security
requirements
To conduct cost and benefit analysis for improvements to system
security
To enhance other activities, such as risk assessments,
certification and authorization (C&A), and performance
improvement efforts
As a reference point for corrective action
Network Security Testing Tools
Network Testing Tools
Nmap - Discovers computers and services on a computer network, thus
creating a map of the network
SuperScan - Port scanning software designed to detect open TCP and UDP
ports, what services are running on those ports, and run queries, such as
whois, ping, traceroute, and hostname lookups
GFI LANguard - Network and security scanner which detects vulnerabilities
Tripwire - Assesses and validates IT configurations against internal policies,
compliance standards, and security best practices
Nessus - Vulnerability scanning software, focusing on remote access, misconfigurations, passwords, and DoS against the TCP/IP stack
L0phtcrack - Password auditing and recovery application
Metasploit - Provides information about vulnerabilities and aids in penetration
testing and IDS signature development

Network Security Testing Tools
Nmap
Nmap is a low-level scanner that has an array of excellent features
which can be used for network mapping and reconnaissance.
Classic TCP and UDP port scanning - Searches for different
services on one host.
Classic TCP and UDP port sweeping - Searches for the
same service on multiple hosts.
Stealth TCP and UDP port scans and sweeps - Similar to classic scans and sweeps, but harder for the target host or an IPS to detect (for TCP, by never completing the three-way handshake).
Remote operating system identification - This is also known
as OS fingerprinting.
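A minimal scanner that shows the difference between the first two Nmap features above, a port scan (many ports on one host) and a port sweep (one port across many hosts), as an added example; it is not Nmap's code. It uses a TCP connect() scan, so every probe completes the handshake and is fully visible to the target (no stealth/SYN scanning, which needs raw sockets and privileges). The services it scans are started by the demo itself on the loopback address; the sweep assumes 127.0.0.2 has no listener on the chosen port.

```python
"""TCP connect() port scan and port sweep against local listeners.

Added example, not Nmap. Everything it probes is started by demo() on
127.0.0.1; 127.0.0.2 is assumed to have nothing listening.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

LOOPBACK = "127.0.0.1"


def start_listener(host=LOOPBACK):
    """Open a TCP listener on an OS-chosen port; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def port_open(host, port, timeout=0.5):
    """One connect-scan probe: a completed handshake means open. A refused
    connection (RST), a timeout (filtered) or no route all count as closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            return s.connect_ex((host, port)) == 0
        except OSError:
            return False


def port_scan(host, ports, workers=32):
    """Port scan: many ports on ONE host. Returns the open ports, sorted."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, port_open(host, p)), ports))
    return sorted(p for p, is_open in results if is_open)


def port_sweep(hosts, port, workers=32):
    """Port sweep: ONE port across many hosts. Returns hosts with it open, sorted."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: (h, port_open(h, port)), hosts))
    return sorted(h for h, is_open in results if is_open)


def demo():
    """Start two local services, obtain a port that is known to be closed,
    scan all three on one host, then sweep one of the open ports across two
    loopback addresses (127.0.0.2 has no listener and should report closed)."""
    svc_a, port_a = start_listener()
    svc_b, port_b = start_listener()
    probe, closed_port = start_listener()
    probe.close()                       # released immediately: nothing listens there now
    try:
        found = port_scan(LOOPBACK, [port_a, port_b, closed_port])
        swept = port_sweep([LOOPBACK, "127.0.0.2"], port_a)
        return {"open": found, "closed_port": closed_port,
                "listeners": sorted([port_a, port_b]), "sweep": swept}
    finally:
        svc_a.close()
        svc_b.close()


if __name__ == "__main__":
    print(demo())
```

Because each probe is a full connection, every one of them lands in the target's logs and in any IPS on the path; that is precisely why the slide lists the half-open "stealth" variants separately.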

Network Security Testing Tools
SuperScan
SuperScan is a Microsoft Windows port scanning tool.
SuperScan version 4 has a number of useful features:
Adjustable scanning speed
Support for unlimited IP ranges
Improved host detection using multiple ICMP methods
TCP SYN scanning
UDP scanning (two methods)
Simple HTML report generation
Source port scanning
Fast hostname resolution
Extensive banner grabbing
Massive built-in port list description database
IP and port scan order randomization
A selection of useful tools, such as ping, traceroute, and whois
Extensive Windows host enumeration capability
10.5 Business Continuity Planning and Disaster Recovery

Continuity Planning and Disaster Recovery
Business Continuity Planning
Business continuity planning addresses the continuing operations
of an organization in the event of a disaster or prolonged service
interruption that affects the mission of the organization.
These plans address:
An emergency response phase
A recovery phase
A return to normal operation phase
Business continuity planning may include plans, such as:
Moving or relocating critical business components and people to a
remote location while the original location is being repaired.
Using different channels of communication to deal with customers,
shareholders, and partners until operations are returned to normal.

Continuity Planning and Disaster Recovery
Disaster Recovery
Disaster recovery is the process of regaining access to the data,
hardware, and software necessary to resume critical business
operations after a natural or human-induced disaster.
It includes plans for coping with the unexpected or sudden loss of
key personnel.

Recovery Plans and Redundancy
Recovery Plans
When planning for disaster recovery and business continuity, the first step is identifying the possible types of disasters and disruptions.
Not all disruptions to business operations are equal.
A good disaster recovery plan considers the magnitude of the disruption, recognizing that there are differences between catastrophes, disasters, and minor incidents.

Recovery Plans and Redundancy
Redundancy
Large organizations might require a redundant facility if some
catastrophic event results in facility destruction.
Hot site:
A completely redundant facility with almost identical equipment.
Warm site:
Physically redundant facilities, but software and data are not stored
and updated on the equipment.
A disaster recovery team is required to physically go to the redundant
facility and get it operational.
Depending on how much software and data is involved, it can take
days before operations are ready to resume.
Cold site:
An empty datacenter with racks, power, WAN links, and heating,
ventilation, and air conditioning (HVAC) already present, but no
equipment.

Secure Copy
Secure Copy
The primary goal of disaster recovery is to restore the network to
a fully functional state.
Two of the most critical components of a functional network are
the router configuration and the router image files.
Every disaster recovery plan should include backup and retrieval
of these files.
Because an organization's network configuration includes private
or proprietary information, these files must be copied in a secure
manner.
The secure copy (SCP) feature provides a secure and
authenticated method for copying router configuration or router
image files.

Secure Copy
SCP Server Configuration
Because SCP relies on SSH for secure transport, before enabling
SCP, you must correctly configure SSH, and the router must have
an RSA key pair.
To configure the router for server-side SCP, perform these steps:

Step 1. Enable AAA with the aaa new-model global configuration mode command.
Secure Copy
SCP Server Configuration Cont.
Step 2. Define a named list of authentication methods with the aaa authentication login {default | list-name} method1 [method2...] command.

Step 3. Configure command authorization with the aaa authorization {network | exec | commands level} {default | list-name} method1...[method4] command.

Step 4. Configure a username and password to use for local authentication with the username name [privilege level] {password encryption-type password} command. This step is optional if using network-based authentication such as TACACS+ or RADIUS.

Step 5. Enable SCP server-side functionality with the ip scp server enable command.
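The five steps above assembled into one working server-side configuration, together with the SSH prerequisites that must be in place first and the copy commands used to back up and restore the configuration and image during a recovery. This is an added example and not part of the original slides; the hostname R1, the domain example.com, the backup host 10.0.0.5, the user admin, the placeholder passphrase and the image file name are assumptions.

```cisco
! Added example, not from the original slides. Assumed names: R1,
! example.com, backup host 10.0.0.5, user "admin", image c2900-universalk9.bin.
!
! --- Step 4 first: create the local user before aaa new-model ---
! With aaa new-model in place and an empty local database, a "local"
! login list locks you out. Keep the console session open while testing.
! "secret" stores a hash; "password 7" is trivially reversible.
username admin privilege 15 secret <strong-passphrase>
!
! --- SSH prerequisites: SCP rides on SSH, so SSH must work first ---
hostname R1
ip domain-name example.com
! RSA key pair for the SSH server; use a 2048-bit or larger modulus
crypto key generate rsa modulus 2048
! Refuse SSH version 1
ip ssh version 2
line vty 0 4
 transport input ssh
!
! --- Step 1: enable AAA ---
aaa new-model
! --- Step 2: login authentication against the local user database ---
aaa authentication login default local
! --- Step 3: exec authorization; the SCP server requires it and the
!     copying user needs privilege level 15 ---
aaa authorization exec default local
! --- Step 5: turn on the SCP server ---
ip scp server enable
!
! --- Verify ---
! R1# show ip ssh
! R1# show running-config | include scp
!
! --- Backup pushed from the router to the backup host ---
! R1# copy running-config scp://admin@10.0.0.5/backups/R1-running.cfg
! R1# copy flash:c2900-universalk9.bin scp://admin@10.0.0.5/backups/
!
! --- Backup pulled from a workstation; the remote path names an IOS
!     file system, and the accepted form varies by platform and release ---
! $ scp admin@R1:system:running-config R1-running.cfg
! $ scp admin@R1:flash:c2900-universalk9.bin .
!
! --- Restore after a disaster, then check the image before booting it ---
! R1# copy scp://admin@10.0.0.5/backups/R1-running.cfg startup-config
! R1# copy scp://admin@10.0.0.5/backups/c2900-universalk9.bin flash:
! R1# verify /md5 flash:c2900-universalk9.bin <hash-from-cisco.com>
```

The backup host holds the router's full configuration, including any pre-shared keys and type 7 passwords, so it needs the same access controls as the router itself; restricting which addresses may reach the vty lines with an access-class on line vty 0 4 limits who can even attempt the SSH login that SCP depends on.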

10.6 System Development
Life Cycle

Introducing SDLC
System Life Cycle
Business continuity and disaster recovery plans are ever-
changing documents.
Evaluating system changes and adjusting plans are all part of a
system life cycle.
The term system can refer to a single device or a group of
devices that operate together within a network.

Introducing SDLC
Phases of SDLC
Five phases of the SDLC:
1. Initiation
2. Acquisition and development
3. Implementation
4. Operation and maintenance
5. Disposition
When using the SDLC to design a network, each phase should
include a minimum set of security requirements. This results in less
expensive and more effective security as compared to adding
security to an operational system after the fact.

Phases of the SDLC
Initiation
Security categorization - Define three levels (low, moderate, and
high) of potential impact on organizations or individuals if there is a
breach of security.
Preliminary risk assessment - Initial description of the basic
security needs of the system that defines the threat environment in
which the system operates.

Phases of the SDLC
Acquisition and Development
Consists of the following tasks:
Risk assessment
Security functional requirements
Security assurance requirements
Security cost considerations and reporting
Security planning
Security control development
Developmental security test and evaluation

Phases of the SDLC
Implementation Phase
Consists of the following tasks:
Inspection and acceptance
System integration
Security certification

Phases of the SDLC
Operations and Maintenance
Consists of the following tasks:
Configuration management and control
Continuous monitoring

Phases of the SDLC
Disposition Phase
Consists of the following tasks:
Information preservation
Media sanitization
Hardware and software disposal

10.7 Developing a
Comprehensive
Security Policy

Security Policy Overview
Secure Network Life Cycle
The Secure Network Life Cycle is a process of assessment and re-evaluation of equipment and security needs as the network changes.
One important aspect of this ongoing evaluation is to understand which assets an organization must protect, even as those assets are changing.
Determine what the assets of an organization are by asking questions:
What does the organization have that others want?
What processes, data, or information systems are critical to the organization?
What would stop the organization from doing business or fulfilling its mission?

Security Policy Overview
Security Policy
A security policy may include the following:
Identification and Authentication Policies - Specifies the authorized persons who can have access to network resources and the procedures used to verify their identity.
Password Policies - Ensures passwords meet minimum requirements and are changed regularly.
Acceptable Use Policies - Identifies network applications and usages that are acceptable to the organization. It may also identify ramifications if this policy is violated.
Remote Access Policies - Identifies how remote users can access a network and what is accessible via remote connectivity.
Network Maintenance Policies - Specifies network device operating system and end user application update procedures.
Incident Handling Procedures - Describes how security incidents are handled.

Security Policy Overview
Security Policy Audience
The audience for the security policy is anyone who has access to
the network.
Internal audience includes various personnel, such as
managers and executives, departments and business units,
technical staff, and employees.
External audience is also a varied group that includes
partners, customers, suppliers, consultants, and contractors.

Structure of a Security Policy
Security Policy
Hierarchy
These documents are often broken into a hierarchical structure:
Governing policy - High-level treatment of the security guidelines that are important to the entire
company. Managers and technical staff are the intended audience. The governing policy controls all
security-related interactions among business units and supporting departments in the company.
Technical policy - Used by security staff members as they carry out security responsibilities for the
system. These policies are more detailed than the governing policy and are system-specific or issue-
specific. For example, access control and physical security issues are described in a technical policy.
End user policy - Covers all security topics that are important to end users. End users can include
employees, customers, and any other individual user of the network.

Structure of a Security Policy
Governing Policy
The governing policy outlines the company's overall
security goals for managers and technical staff.
It covers all security-related interactions among business
units and supporting departments in the company.
Includes several components:
Statement of the issue that the policy addresses
How the policy applies in the environment
Roles and responsibilities of those affected by the policy
Actions, activities, and processes that are allowed (and not
allowed)
Consequences of noncompliance

Structure of a Security Policy
Technical Policy
Technical policies are detailed documents that are used by
technical staff in the conduct of their daily security
responsibilities.
Technical policies are broken down into specified technical
areas, including:
General Policies
Telephony Policy
Email and Communications Policy
Remote Access Policy
Network Policy
Application Policy

Structure of a Security Policy
End User Policies
End user policies cover all rules pertaining to information
security that end users should know about and follow.
End user policies might overlap with technical policies, but
may also include:
Identity Policy
Password Policy
Anti-Virus Policy

Standards, Guidelines, and Procedures
Security Policy Documents
The security policy itself is a high-level overview document.
It is supported by more detailed documents that spell out how the
policy is met:
Standards documents
Guidelines documents
Procedures documents

Standards, Guidelines, and Procedures
Standard Documents
One of the most important security principles is consistency and
therefore it is necessary for organizations to establish standards.
Each organization develops standards to support its unique
operating environment.
Device configuration standards are defined in the technical
section of an organization's security policy.

Standards, Guidelines, and Procedures
Guideline Documents
Guidelines provide a list of suggestions on how to do things
better.
They are similar to standards, but are more flexible and are not
usually mandatory.
Guidelines can be used to define how standards are developed and
to guarantee adherence to general security policies.
A number of guidelines are widely available:
National Institute of Standards and Technology (NIST) Computer
Security Resource Center
National Security Agency (NSA) Security Configuration Guides
The Common Criteria Standard

Standards, Guidelines, and Procedures
Procedure Documents
Procedure documents are longer and more detailed than
standards and guidelines.
Procedure documents include implementation details, usually with
step-by-step instructions and graphics.
Procedure documents are extremely important for large
organizations to have the consistency of deployment that is
necessary for a secure environment.

Roles and Responsibilities
Organizational Reporting Structure
All persons in an organization, from the Chief Executive Officer
(CEO) to the newest hires, are considered end users of the
network and must abide by the organization's security policy.
Developing and maintaining the security policy is delegated to
specific roles within the IT department.

Roles and Responsibilities
Common Executive Titles
Chief Executive Officer (CEO)
Is ultimately responsible for the success of an organization.
All executive positions report to the CEO.
Chief Technology Officer (CTO)
Identifies and evaluates new technologies and drives new
technology development to meet organization objectives.
Maintains and enhances the enterprise systems, while providing
direction in all technology-related areas to support operations.

Roles and Responsibilities
Common Executive Titles
Chief Information Officer (CIO)
Responsible for the information technology and computer systems that
support enterprise goals, including successful deployment of new
technologies and work processes.
Small-to-medium-sized organizations typically combine the responsibilities
of CTO and CIO into a single position.
When an organization has both a CTO and CIO, the CIO is generally
responsible for processes and practices supporting the flow of information,
and the CTO is responsible for technology infrastructure.
Chief Security Officer (CSO)
Develops, implements, and manages the organization's security strategy,
programs, and processes associated with all aspects of business
operation, including intellectual property.
A major aspect of this position is to limit exposure to liability in all areas of
financial, physical, and personal risk.
Chief Information Security Officer (CISO)
Similar to the CSO, except that this position has a specific focus on IT
security.
CISO must develop and implement the security policy, either as the
primary author or management of authorship. In either case, the CISO is
responsible and accountable for security policy content.
Security Awareness and Training
Security Awareness Program
Where is the weakest link in any network infrastructure?
The User!
To help ensure the enforcement of the security policy, a security
awareness program must be put in place.

Security Awareness and Training
Security Awareness Program Cont.
A security awareness program usually has two major
components:
Awareness campaigns
Training and education
A good security awareness program:
Informs users of their IT security responsibilities.
Explains all IT security policies and procedures for using the IT
systems and data within a company.
Helps protect the organization from loss of intellectual capital,
critical data, and even physical equipment.
Must also detail the sanctions that the organization imposes for
noncompliance.
Should be part of all new hire orientation.

Security Awareness and Training
Awareness Campaigns
"Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. In awareness activities, the learner is the recipient of information... Awareness relies on reaching broad audiences with attractive packaging techniques."
(NIST Special Publication 800-16)

Security Awareness and Training
Awareness Campaigns Cont.
There are several methods of increasing security awareness:
Posters, newsletter articles, and bulletins
Lectures and videos
Awards for good security practices
Reminders, such as login banners, mouse pads, coffee cups, and notepads

Security Awareness and Training
Security Training Course
An effective security training course requires proper planning,
implementation, maintenance, and periodic evaluation.
The life cycle of a security training course includes several steps:
Step 1. Identify course scope, goals, and objectives.
Step 2. Identify and educate training staff.
Step 3. Identify target audiences.
Step 4. Motivate management and employees.
Step 5. Administer the courses.
Step 6. Maintain the courses.
Step 7. Evaluate the courses.

Security Awareness and Training
Educational Program
Education integrates all the security skills and competencies of
the various functional specialties into a common body of
knowledge.
It adds a multidisciplinary study of concepts, issues, and principles,
both technological and social, and strives to produce IT security
professionals capable of vision and proactive response.
An example of an educational program is a degree program at a
college or university.

Laws and Ethics
Laws
A big reason for setting security policies and implementing awareness programs
is compliance with the law.
You must be familiar with the laws and codes of ethics that are binding for
Information Systems Security (INFOSEC) professionals.
Most countries have three types of laws:
Criminal law:
Concerned with crimes, and its penalties usually involve fines or
imprisonment, or both.
Civil law (which includes tort law):
Focuses on correcting situations in which entities have been harmed
and an economic award can help.
Imprisonment is not possible in civil law.
For example: suing for patent infringement.
Administrative law:
Involves government agencies enforcing regulations.
For example: a company might owe its employees vacation pay.
Laws and Ethics
Ethics
Ethics is a standard that is higher than the law.
It is a set of moral principles that govern civil behavior and are
often referred to as codes of ethics.
Ethical principles are often the foundation of many of the laws
currently in place.
Individuals that violate the code of ethics can face consequences
such as loss of certification, loss of employment, and even
prosecution by criminal or civil court.

Laws and Ethics
Ethics Cont.
The information security profession has a number of formalized
codes:
International Information Systems Security Certification
Consortium, Inc. (ISC)² Code of Ethics
Computer Ethics Institute (CEI)
Internet Activities Board (IAB)
Generally Accepted System Security Principles (GASSP)

Laws and Ethics
Code of Ethics
Code of Ethics Preamble
Safety of the commonwealth, duty to our principals, and to each other
requires that we adhere, and be seen to adhere, to the highest ethical
standards of behavior. Therefore, strict adherence to this Code is a
condition of certification.
Code of Ethics Canons
Protect society, the commonwealth, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.

Responding to a Security Breach
Motive, Opportunity, and Means
Different countries have different legal standards. In most
countries and courts, to successfully prosecute an individual, it is
necessary to establish motive, opportunity, and means.
Motive answers the question of why a person committed the
illegal act.
Opportunity answers the question of when and where the person
committed the crime.
Means answers the question of how the person committed the
crime.
Establishing motive, opportunity, and means is a standard for
finding and prosecuting individuals of all types of crimes.

Responding to a Security Breach
Collecting Data
The process of collecting data must be done precisely and quickly.
When a security breach occurs, it is necessary to isolate the compromised system immediately.
After data is collected, but before equipment is disconnected, it is necessary to photograph the equipment in place.
If security protocols are established and followed, organizations can minimize the loss and damages resulting from attacks.
