Module 4. Protecting The Organization

learn the fundamentals of cyber security

Uploaded by 485victor

Security Appliances

Security appliances can be standalone devices, like a router, or software tools that run on a
network device. The common categories include:

1. Routers - interconnect network segments and also provide basic traffic filtering, usually
through access control lists.
2. Firewalls - monitor and filter incoming and outgoing network traffic according to the
organization's previously established security policy.
3. Intrusion prevention systems (IPS) - match traffic against a set of signatures and block the
packets or connections that match known attacks.
4. Virtual private networks (VPN) - give remote employees an encrypted tunnel from their mobile
computer back into the organization's network.
5. Antimalware or antivirus - use signatures or behavioral analysis of applications to identify
and block malicious code before it executes.

Firewalls

A firewall controls or filters which communications are allowed into, and which are allowed out
of, a device or network. Firewalls are usually classified by the attribute they filter on; most
real products combine several of these.

Types:

1. Network layer firewall - filters communications based on source and destination IP
addresses.
2. Transport layer firewall - filters communications based on source and destination ports
and, when stateful, on connection state, so a reply packet is only admitted if the matching
outbound connection was seen first.
3. Application layer firewall - filters communications based on the application, program or
service (for example, inspecting HTTP requests rather than just allowing TCP port 80).
4. Context aware firewall - filters communications based on the user, device, role,
application type and threat profile.
5. Proxy server - filters web content requests such as URLs, domain names and media types.
6. Reverse proxy server - placed in front of web servers to protect, hide, offload and
distribute access to them.
7. Network address translation (NAT) firewall - hides or masquerades the private addresses
of network hosts. NAT on its own is not a security control; it is the stateful filtering that
accompanies it which blocks unsolicited inbound traffic.
8. Host based firewall - filters ports and system service calls on a single computer's
operating system.
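The practical difference between a network layer and a stateful transport layer filter is easiest to see in code. The following is an added example, not part of the original notes and not the configuration syntax of any real firewall: the rule tuples, the Packet class and the addresses (RFC 5737 documentation ranges) are all invented for illustration. It shows that an address-only rule set which lets "the internet" reply to the LAN also lets an attacker start new connections into the LAN, while a stateful filter admits only replies to connections it watched being opened.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # True for the first segment of a new TCP connection


# Network layer rules: (action, source network, destination network). First match
# wins, implicit deny at the end. Ports and state are invisible at this layer.
NETWORK_RULES = [
    ("allow", "192.0.2.0/24", "0.0.0.0/0"),   # LAN may talk to anywhere
    ("allow", "0.0.0.0/0", "192.0.2.0/24"),   # ...and "replies" back, which is far too broad
]


def network_layer_filter(pkt, rules=NETWORK_RULES):
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for action, s, d in rules:
        if src in ip_network(s) and dst in ip_network(d):
            return action
    return "deny"


# Transport layer rules describe only *new* connections:
# (action, source network, destination network, destination port).
TRANSPORT_RULES = [
    ("allow", "192.0.2.0/24", "0.0.0.0/0", 443),   # LAN may open HTTPS sessions outbound
]


class StatefulFilter:
    """Allow a packet if it opens a permitted connection or belongs to one already
    in the state table; everything else, including unsolicited inbound SYNs and
    mid-stream segments with no state, is denied."""

    def __init__(self, rules=TRANSPORT_RULES):
        self.rules = rules
        self.table = set()   # tracked connections as (src, sport, dst, dport)

    def filter(self, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.table or reverse in self.table:
            return "allow"            # part of a connection we saw being opened
        if not pkt.syn:
            return "deny"             # no state and not a connection start: spoofed or a scan
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        for action, s, d, port in self.rules:
            if src in ip_network(s) and dst in ip_network(d) and pkt.dport == port:
                if action == "allow":
                    self.table.add(forward)
                return action
        return "deny"


def demo():
    """Three packets: a LAN host opens HTTPS, the server replies, then the same
    server tries to open a brand new connection into the LAN."""
    lan_syn = Packet("192.0.2.10", "203.0.113.5", 51000, 443, syn=True)
    reply = Packet("203.0.113.5", "192.0.2.10", 443, 51000)
    unsolicited = Packet("203.0.113.5", "192.0.2.10", 443, 51001, syn=True)
    fw = StatefulFilter()
    return {
        "network": [network_layer_filter(p) for p in (lan_syn, reply, unsolicited)],
        "stateful": [fw.filter(p) for p in (lan_syn, reply, unsolicited)],
    }


if __name__ == "__main__":
    print(demo())   # network layer allows all three; stateful denies the unsolicited SYN
```

The address-only filter cannot express "replies only", so its second rule opens the LAN to any source that uses a permitted address pair; the stateful filter gets the same outcome for legitimate traffic with a single outbound rule and no inbound rule at all.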

Port scanning

Port scanning is the process of probing a computer, server or other network host for open ports.
It can be used maliciously as a reconnaissance tool to identify the operating system and services
running on a host, or legitimately by a network administrator to verify that the network's security
policies are actually enforced. Either way it is noisy: every connection attempt shows up in the
target's firewall and IDS logs, so scanning should only be run against systems you are authorized
to test.
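As an added example (not from the original notes), the following Python script performs a TCP connect scan and grabs the service banner from whatever answers, which is how a scanner moves from "port open" to "probably SSH, version X". So that it runs offline, it first starts a constructed fake service on an ephemeral loopback port; the banner string and the port window are invented for the demo. The same steps are what the "Scanning" phase of a penetration test automates with tools such as nmap.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def tcp_connect_scan(host, ports, timeout=0.5, workers=32):
    """Return the sorted list of ports on host that complete a TCP handshake.

    A full-connect scan needs no privileges, but every probe completes the
    handshake and is logged by the target, unlike a raw-socket SYN scan."""

    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success, otherwise an errno such as ECONNREFUSED
            return port if s.connect_ex((host, port)) == 0 else None

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(p for p in pool.map(probe, ports) if p is not None)


def grab_banner(host, port, timeout=0.5):
    """Read whatever the service volunteers on connect. Banners are the cheapest
    way to guess the service and version behind an open port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            return s.recv(256).decode(errors="replace").strip()
        except socket.timeout:
            return ""   # silent service; a real scanner would send protocol probes next


def start_fake_service(banner=b"SSH-2.0-ExampleDaemon_1.0\r\n"):
    """Constructed target for the demo: listen on an ephemeral loopback port and
    greet every client with a made-up SSH banner. Returns the chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass   # scanner already hung up after the handshake; that is normal

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo():
    """Stand up the fake service, scan a small window around it, fingerprint it."""
    port = start_fake_service()
    open_ports = tcp_connect_scan("127.0.0.1", range(port - 10, port + 11))
    return {"listener": port, "open": open_ports,
            "banner": grab_banner("127.0.0.1", port)}


if __name__ == "__main__":
    print(demo())
```

Closed loopback ports answer with an immediate RST, so the scan finishes in milliseconds; against a remote host protected by a firewall that silently drops packets, each probe instead waits out the full timeout, which is why scanners distinguish "closed" from "filtered".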
Intrusion Detection and Prevention Systems

Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are security
measures deployed on a network to detect and prevent malicious activities. The difference is
placement: an IDS inspects a copy of the traffic (from a tap or SPAN port) and can only alert,
while an IPS sits inline in the traffic path and can drop or reset matching connections. Both
depend on signatures or anomaly rules, so a badly tuned IPS signature blocks legitimate traffic
as readily as an attack.

Protection against malware


One way of defending against zero-day attacks and advanced persistent threats (APTs) is to
use an enterprise-level advanced malware detection solution, like Cisco's Advanced Malware
Protection (AMP) Threat Grid, which detonates suspicious files in a sandbox and reports on
their behavior rather than relying on a known signature.

Benefits of Cisco's Threat Grid:

1. Security Operations Center team - Threat Grid allows the Cisco Security Operations
Center team to gather more accurate, actionable data.
2. Incident Response team - the Incident Response team therefore has access to
forensically sound information from which it can more quickly analyze and understand
suspicious behaviors.
3. Threat Intelligence team - using this analysis, the Threat Intelligence team can
proactively improve the organization's security infrastructure.
4. Security Infrastructure Engineering team - overall, the Security Infrastructure
Engineering team is able to consume and act on threat information faster, often in an
automated way.

Security best practices:


1. Perform a risk assessment - knowing and understanding the value of what you are
protecting helps to justify security expenditures.
2. Create a security policy - create a policy that clearly outlines the organization's rules,
job roles, responsibilities and expectations for employees.
3. Physical security measures - restrict access to networking closets and server
locations, and provide fire suppression for them.
4. Human resource security measures - background checks should be completed for all
employees.
5. Perform and test backups - back up information regularly and test data recovery from
backups; a backup that has never been restored is not yet a backup.
6. Maintain security patches and updates - regularly update server, client and network
device operating systems and programs.
7. Employ access control - configure user roles and privilege levels as well as strong user
authentication.
8. Regularly test incident response - employ an incident response team and test
emergency response scenarios.
9. Implement a network monitoring, analytics and management tool - choose a monitoring
solution that integrates with the other security technologies in use, so that anomalies can
be spotted and investigated from one place.
10. Implement network security devices - deploy firewalls, intrusion prevention systems and
other security appliances at the network boundaries.
11. Implement a comprehensive endpoint security solution - use enterprise level
antimalware and antivirus software.
12. Educate users - provide training to employees in security procedures.
13. Encrypt data - encrypt all sensitive organizational data, including email.
Behavior-based security
Behavior-based security is a form of threat detection that involves capturing and analyzing the flow of
communication between a user on the local network and a local or remote destination. Any changes in
normal patterns of behavior are regarded as anomalies, and may indicate an attack. Unlike a signature,
which only matches an attack that has been seen before, a behavioral baseline can flag a new attack,
at the cost of also flagging legitimate but unusual activity.

Types:

1. Honeypots - a honeypot is a behavior-based detection tool that lures the attacker in by appealing
to their predicted pattern of malicious behavior. Once the attacker is inside the honeypot, the
network administrator can capture, log and analyze their behavior so that they can build a
better defense. Because no legitimate user has a reason to touch a honeypot, any interaction with
it is a high-confidence alert.
2. Cisco's Cyber Threat Defense Solution Architecture - this security architecture uses behavior-based
detection and indicators to provide greater visibility, context and control. The aim is to know who is
carrying out the attack, what type of attack they are performing and where, when and how the attack is
taking place.

Netflow

NetFlow technology is used to gather information about data flowing through a network,
including who and what devices are in the network, and when and how users and devices
access the network. A flow record summarizes one conversation (source and destination
addresses, ports, protocol, byte and packet counts, and timestamps) without capturing the
payload, which makes it cheap to store and ideal as the input to behavior-based detection.
The IETF standardized the format as IPFIX.
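To tie the two previous sections together, here is an added example (not from the original notes, and not any Cisco product's logic) of behavior-based detection over NetFlow-style records. The flow tuples, the hosts and the traffic volumes are constructed: two days of routine HTTPS and DNS from two workstations form the baseline, then in the hour under review one workstation pushes 900 MB over SSH to an external host it has never contacted. The detector flags both the volume, measured against that host's own mean and standard deviation, and the first use of a destination port that is absent from its profile.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records in the shape of a NetFlow/IPFIX export, reduced to the
# fields the detection needs: (hour, src, dst, dst_port, bytes_out).


def make_baseline():
    flows = []
    for hour in range(48):                       # two days of "normal" traffic
        # workstation .10: steady HTTPS to the intranet server with a small hourly wobble
        flows.append((hour, "192.0.2.10", "198.51.100.20", 443, 250_000 + (hour % 5) * 10_000))
        flows.append((hour, "192.0.2.10", "198.51.100.53", 53, 4_000))
        # workstation .11: lighter user, same services
        flows.append((hour, "192.0.2.11", "198.51.100.20", 443, 120_000 + (hour % 3) * 5_000))
        flows.append((hour, "192.0.2.11", "198.51.100.53", 53, 3_000))
    return flows


BASELINE_FLOWS = make_baseline()

# The hour under review: .11 behaves as usual, .10 suddenly sends 900 MB over SSH to
# an external address it has never spoken to (a classic exfiltration shape).
WINDOW_FLOWS = [
    (48, "192.0.2.10", "198.51.100.20", 443, 252_000),
    (48, "192.0.2.10", "198.51.100.53", 53, 4_100),
    (48, "192.0.2.10", "203.0.113.7", 22, 900_000_000),
    (48, "192.0.2.11", "198.51.100.20", 443, 125_000),
    (48, "192.0.2.11", "198.51.100.53", 53, 2_900),
]


def hourly_totals(flows):
    """Bytes sent per (source host, hour)."""
    totals = defaultdict(int)
    for hour, src, _dst, _dport, nbytes in flows:
        totals[(src, hour)] += nbytes
    return totals


def build_profile(flows):
    """Per-host baseline: mean and standard deviation of bytes per hour, plus the
    set of destination ports the host normally uses."""
    totals_by_host = defaultdict(list)
    for (src, _hour), total in hourly_totals(flows).items():
        totals_by_host[src].append(total)
    ports = defaultdict(set)
    for _hour, src, _dst, dport, _nbytes in flows:
        ports[src].add(dport)
    return {src: {"mean": mean(t), "sd": pstdev(t), "ports": ports[src]}
            for src, t in totals_by_host.items()}


def detect_anomalies(baseline_flows, window_flows, k=3.0):
    """Flag hosts whose hourly volume exceeds mean + k*sd of their own baseline,
    and any first use of a destination port missing from the host's profile."""
    profile = build_profile(baseline_flows)
    findings = []
    for (src, hour), total in sorted(hourly_totals(window_flows).items()):
        p = profile.get(src)
        if p is None:
            findings.append(("unknown_host", src, hour, "no baseline for this source"))
            continue
        limit = p["mean"] + k * max(p["sd"], 1.0)   # floor sd so a flat baseline still has a limit
        if total > limit:
            findings.append(("volume", src, hour, f"{total} bytes/hour exceeds limit {limit:.0f}"))
    seen = set()
    for hour, src, dst, dport, _nbytes in window_flows:
        p = profile.get(src)
        if p and dport not in p["ports"] and (src, dport) not in seen:
            seen.add((src, dport))
            findings.append(("new_port", src, hour, f"first use of destination port {dport} (to {dst})"))
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(BASELINE_FLOWS, WINDOW_FLOWS):
        print(finding)
```

The per-host baseline matters: 900 MB would be unremarkable for a backup server, and a fixed global threshold would either miss it there or drown the analyst in alerts from busy hosts. In production the profile would also be keyed on time of day and rebuilt continuously, since a baseline that quietly learns an attacker's traffic as "normal" is the main failure mode of this approach.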
Penetration testing

Penetration testing, commonly known as pen testing, is the act of assessing a computer system, network
or organization for security vulnerabilities. A pen test seeks to breach systems, people, processes and
code to uncover vulnerabilities which could be exploited. This information is then used to improve the
system’s defenses to ensure that it is better able to withstand cyber-attacks in the future.

Steps:

1. Planning - the pen tester gathers as much information as possible about a target system
or network, its potential vulnerabilities and exploits to use against it. This involves
conducting passive or active reconnaissance (footprinting) and vulnerability research. The
scope and rules of engagement agreed with the client are fixed at this stage.
2. Scanning - the pen tester carries out active reconnaissance to probe a target system or
network and identify potential weaknesses which, if exploited, could give an attacker
access. Active reconnaissance may include:

- port scanning to identify potential access points into a target system
- vulnerability scanning to identify potentially exploitable vulnerabilities of a
particular target
- establishing an active connection to a target (enumeration) to identify user
accounts, system accounts and admin accounts.

3. Gaining access - the pen tester attempts to gain access to a target system and sniff
network traffic, using various methods to exploit the system including:

- launching an exploit with a payload onto the system
- breaching physical barriers to assets
- social engineering
- exploiting website vulnerabilities
- exploiting software and hardware vulnerabilities or misconfigurations
- breaching access control security
- cracking weakly encrypted Wi-Fi.

4. Maintaining access - the pen tester maintains access to the target to find out
what data and systems are vulnerable to exploitation. It is important that they
remain undetected, typically using backdoors, Trojan horses, rootkits and other
covert channels to hide their presence. When this infrastructure is in place, the
pen tester then proceeds to gather the data that they consider valuable. Any
persistence mechanism installed must be recorded and removed at the end of the
engagement, otherwise the test has left the client with a new vulnerability.

5. Analysis and reporting - the pen tester provides feedback via a report that recommends
updates to products, policies and training to improve the organization's security, with each
finding rated by severity and accompanied by the evidence needed to reproduce it.

Actions Organizations Should Take When a Security Breach Is Identified:

1. Communicate the issue


2. Be sincere and accountable
3. Provide the details
4. Find the cause
5. Apply lessons learned
6. Check and check again
7. Educate

CISCO'S CSIRT (COMPUTER SECURITY INCIDENT RESPONSE TEAM)

Many large organizations have a Computer Security Incident Response Team (CSIRT) to
receive, review and respond to computer security incident reports. Cisco CSIRT goes a step
further and provides proactive threat assessment, mitigation planning, incident trend
analysis and security architecture review in an effort to prevent security incidents from
happening.

Cisco's CSIRT takes a proactive approach, collaborating with the Forum of Incident
Response and Security Teams (FIRST), the National Safety Information Exchange
(NSIE), the Defense Security Information Exchange (DSIE) and the DNS Operations
Analysis and Research Center (DNS-OARC) to ensure it stays up to date with new
developments.

There are several national and public CSIRT organizations, like the CERT Division of
the Software Engineering Institute at Carnegie Mellon University, that are available to
help organizations and national CSIRTs to develop, operate and improve their incident
management capabilities.

Security playbook

A security playbook is a collection of repeatable queries or reports that outline a standardized
process for incident detection and response.

It should:

1. Highlight how to identify and automate the response to common threats such as the
detection of malware-infected machines, suspicious network activity or irregular
authentication attempts.
2. Describe and clearly define inbound and outbound traffic.
3. Provide summary information including trends, statistics and counts.
4. Provide usable and quick access to key statistics and metrics.
5. Correlate events across all relevant data sources.

TOOLS FOR INCIDENT DETECTION AND PREVENTION

1. Security information and event management (SIEM) system - collects and analyzes security
alerts, logs and other real-time and historic data from security devices on the network to
facilitate early detection of cyber-attacks. The playbook queries above are typically implemented
as SIEM correlation rules.
2. Data loss prevention (DLP) system - designed to stop sensitive data from being stolen from
or escaping a network. It monitors and protects data in three different states: data in use (data
being accessed by a user), data in motion (data traveling through a network), and data at rest
(data stored on a computer, network or device).
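The playbook item "irregular authentication attempts" and the SIEM's job of correlating log events are the same thing at two levels of abstraction, so one added example serves both. It is not from the original notes and not the query language of any SIEM product: it is a plain Python rule run over a constructed sshd log (the hostnames, addresses and timestamps are invented). The rule raises a medium finding when a source accumulates five failed logins inside sixty seconds, and escalates to high when that same source then authenticates successfully, which is the signal that the brute force actually worked and an account needs to be locked and investigated.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd syslog lines standing in for what a SIEM would collect from a
# bastion host. 203.0.113.9 fails six times in 15 s and then gets in as alice;
# 192.0.2.44 is ordinary use with one typo.
AUTH_LOG = """\
Mar  3 10:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 40210 ssh2
Mar  3 10:00:03 bastion sshd[2102]: Failed password for root from 203.0.113.9 port 40211 ssh2
Mar  3 10:00:05 bastion sshd[2103]: Failed password for alice from 203.0.113.9 port 40212 ssh2
Mar  3 10:00:08 bastion sshd[2104]: Failed password for alice from 203.0.113.9 port 40213 ssh2
Mar  3 10:00:11 bastion sshd[2105]: Failed password for alice from 203.0.113.9 port 40214 ssh2
Mar  3 10:00:15 bastion sshd[2106]: Failed password for alice from 203.0.113.9 port 40215 ssh2
Mar  3 10:00:20 bastion sshd[2107]: Accepted password for alice from 203.0.113.9 port 40216 ssh2
Mar  3 10:05:00 bastion sshd[2200]: Accepted publickey for bob from 192.0.2.44 port 52001 ssh2
Mar  3 10:06:11 bastion sshd[2201]: Failed password for bob from 192.0.2.44 port 52002 ssh2
Mar  3 10:06:30 bastion sshd[2202]: Accepted password for bob from 192.0.2.44 port 52003 ssh2
""".splitlines()

LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse(line):
    """Turn one syslog line into an event dict, or None for lines the rule ignores."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog carries no year; any fixed year keeps the intervals right within one day's log
    ev["ts"] = datetime.strptime(" ".join(ev["ts"].split()), "%b %d %H:%M:%S").replace(year=2024)
    return ev


def detect_auth_abuse(lines, max_failures=5, window=timedelta(seconds=60)):
    """Playbook query: per source IP, a medium finding when max_failures failed
    logins land inside `window`, and a high finding if that source then logs in."""
    by_ip = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        recent_failures = deque()           # timestamps of failures still inside the window
        for ev in events:
            while recent_failures and ev["ts"] - recent_failures[0] > window:
                recent_failures.popleft()
            if ev["result"] == "Failed":
                recent_failures.append(ev["ts"])
                if len(recent_failures) == max_failures:     # fire once per threshold crossing
                    findings.append({"ip": ip, "severity": "medium", "ts": ev["ts"],
                                     "reason": f"{max_failures} failed logins within {window.seconds}s"})
            elif len(recent_failures) >= max_failures:
                findings.append({"ip": ip, "severity": "high", "ts": ev["ts"],
                                 "reason": f"successful login as {ev['user']} after "
                                           f"{len(recent_failures)} recent failures"})
    return findings


if __name__ == "__main__":
    for f in detect_auth_abuse(AUTH_LOG):
        print(f["ts"], f["severity"], f["ip"], f["reason"])
```

Bob's single mistyped password never reaches the threshold, so the rule stays quiet for him; the sliding window is what keeps a slow, patient guesser from being lumped together with a user who fumbles twice. A SIEM adds the pieces this script does not have: the same rule applied across every host at once, enrichment (is 203.0.113.9 a known VPN exit or a first-seen address?) and an automated response such as blocking the source at the firewall.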

Cisco’s ISE and TrustSec

Cisco Identity Services Engine (ISE) and TrustSec enforce user access to network resources through
role-based access control policies. Rather than writing rules against IP addresses, ISE classifies each
user or device at login and TrustSec tags its traffic with a security group tag (SGT), which switches
and firewalls then use to permit or deny the flow.
