DFS40083 - Chapter 4 - Protecting The Network

The document discusses approaches to network security defense including defense-in-depth, identifying assets, vulnerabilities, and threats. It also discusses access control concepts, AAA operation for authentication and authorization, and accounting logs. BYOD policies and regulatory compliance are also covered.
CHAPTER 4

Protecting The Network, Endpoint Security and Analysis
By: SITI ROHANI BINTI SUKAIMI

LEARNING OUTCOMES
• Discuss approaches to network security defense.
• Discuss access control as a method of protecting a network.
• Perform various intelligence sources to locate current security threats.
• Discuss endpoint vulnerability assessment information.
4.1 DISCUSS APPROACHES TO NETWORK SECURITY DEFENSE
DEFENSE-IN-DEPTH
• Cybersecurity risk consists of the
following:
• Assets - Anything of value to an
organization that must be
protected including servers,
infrastructure devices, end
devices, and the greatest asset,
data.
• Vulnerabilities - A weakness in a
system or its design that could
be exploited by a threat.
• Threats - Any potential danger
to an asset.
DEFENSE-IN-DEPTH
IDENTIFY ASSETS
• Many organizations only have a general idea of the
assets that need to be protected.
• All the devices and information owned or managed
by the organization are the assets.
• Assets constitute the attack surface that threat actors
could target.
• Asset management consists of:
• Inventorying all assets.
• Developing and implementing policies and
procedures to protect them.
• Identify where critical information assets are stored,
and how access is gained to that information.
DEFENSE-IN-DEPTH
IDENTIFY VULNERABILITIES
• Identifying vulnerabilities includes answering the following
questions:
• What are the vulnerabilities?
• Who might exploit the vulnerabilities?
• What are the consequences if the vulnerability is
exploited?
• For example, an e-banking system might have the following
threats:
• Internal system compromise
• Stolen customer data
• Phony transactions
• Insider attack on the system
• Data input errors
• Data center destruction
DEFENSE-IN-DEPTH
IDENTIFY THREATS
• Using a defense-in-depth approach to identify assets might include a topology with the following
devices:
• Edge router – first line of defense; configured with a set of rules specifying which traffic it allows or
denies.
• Firewall – A second line of defense; performs additional filtering, user authentication, and tracks
the state of the connections.
• Internal router – a third line of defense; applies final filtering rules on the traffic before it is
forwarded to its destination.
DEFENSE-IN-DEPTH
SECURITY ONION AND SECURITY ARTICHOKE APPROACHES
• The security onion analogy illustrates a layered approach to
security.
• A threat actor would have to peel away at a network’s defense
mechanisms one layer at a time.
• However, with the evolution of borderless networks, a security
artichoke is a better analogy.
• Threat actors may only need to remove certain “artichoke
leaves” to access sensitive data.
• For example, a mobile device is a leaf that, when
compromised, may give the threat actor access to sensitive
information such as corporate email.
• The key difference between security onion and security
artichoke is that not every leaf needs to be removed in order to
get at the data.
SECURITY POLICIES
BUSINESS POLICY
• Policies provide the foundation for network security by defining
what is acceptable.
• Business policies are the guidelines developed by an
organization that govern its actions and the actions of its
employees.
• An organization may have several guiding policies:
• Company policies - establish the rules of conduct and the
responsibilities of both employees and employers.
• Employee policies - identify employee salary, pay
schedule, employee benefits, work schedule, vacations,
and more.
• Security policies - identify a set of security objectives for a
company, define the rules of behavior for users and
administrators, and specify system requirements.
SECURITY POLICIES
SECURITY POLICY
• A comprehensive security policy has a number of benefits:
• Demonstrates an organization’s commitment to security.
• Sets the rules for expected behavior.
• Ensures consistency in system operations, software and
hardware acquisition and use, and maintenance.
• Defines the legal consequences of violations.
• Gives security staff the backing of management.
• A security policy may include one or more of the items shown in
the figure.
• An Acceptable Use Policy (AUP) is one of the most common
policies and covers what users are allowed and not allowed to
do on the various system components.
SECURITY POLICIES
BYOD POLICY
• Many organizations support Bring Your Own Device (BYOD),
which enables employees to use their own mobile devices to
access company resources.
• A BYOD policy should include:
• Specify the goals of the BYOD program.
• Identify which employees can bring their own devices.
• Identify which devices will be supported.
• Identify the level of access employees are granted when
using personal devices.
• Describe the rights to access and activities permitted to
security personnel on the device.
• Identify which regulations must be adhered to when using
employee devices.
• Identify safeguards to put in place if a device is
compromised.
SECURITY POLICIES
BYOD POLICY (cont.)
• The following BYOD security best practices help mitigate BYOD
risks:
• Password protected access for each device and account.
• Manually controlled wireless connectivity so the device
only connects to trusted networks.
• Keep software updated to mitigate against the latest
threats.
• Back up data in case device is lost or stolen.
• Enable “Find my Device” locator services that can
remotely wipe a lost device.
• Provide antivirus software.
• Use Mobile Device Management (MDM) software to
enable IT teams to implement security settings and
software configurations on all devices that connect to
company networks.
SECURITY POLICIES
REGULATORY AND STANDARD COMPLIANCE
• Compliance regulations and standards define what
organizations are responsible for providing, and the liability if
they fail to comply.
• The compliance regulations that an organization is obligated to
follow depend on the type of organization and the data that
the organization handles.
• Specific compliance regulations will be discussed later in the
course.
4.2 DISCUSS ACCESS CONTROL AS A METHOD OF
PROTECTING A NETWORK
ACCESS CONTROL CONCEPTS
COMMUNICATION SECURITY: CIA
• Information security deals with protecting information and
information systems from unauthorized access, use, disclosure,
disruption, modification, or destruction.
• The CIA triad consists of:
• Confidentiality - only authorized entities can access
information.
• Integrity - information should be protected from
unauthorized alteration.
• Availability - information must be available to the
authorized parties who require it, when they require it.
ACCESS CONTROL CONCEPTS
ACCESS CONTROL MODELS
• Basic access control models include the following:
• Mandatory access control (MAC) – applies the strictest
access control, enabling user access based on security
clearance.
• Discretionary access control (DAC) – allows users to control
access to their data as owners of that data.
• Non-Discretionary access control – access is based on
roles and responsibilities; also known as role-based access
control (RBAC).
• Attribute-based access control (ABAC) – access is based
on attributes of the resource accessed, the user accessing
it, and environmental factors, such as time of day.
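The four models above differ in who writes the rule and what the rule is allowed to look at. The following added example (not from the course slides) implements one toy decision function per model so the differences are concrete: a MAC clearance lattice, a DAC object whose owner alone edits the ACL, an RBAC role-to-permission map, and an ABAC rule that combines user, resource and time-of-day attributes. All users, roles, labels and the business-hours window are constructed for illustration.

```python
"""One decision function per access control model (MAC, DAC, RBAC, ABAC).
Added example; policies, subjects and objects are constructed."""
from dataclasses import dataclass, field
from datetime import time

# MAC: an ordered set of security levels (constructed lattice).
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top-secret": 3}


def mac_allows(subject_clearance: str, object_label: str) -> bool:
    """MAC: read is granted only when the clearance dominates the label
    ('no read up'); neither the user nor the owner can override this."""
    return LEVELS[subject_clearance] >= LEVELS[object_label]


@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions


def dac_allows(obj: DacObject, user: str, perm: str) -> bool:
    """DAC: the owner has full control; everyone else needs an ACL entry."""
    return user == obj.owner or perm in obj.acl.get(user, set())


def dac_grant(obj: DacObject, actor: str, user: str, perm: str) -> bool:
    """DAC: only the owner may change the ACL. Returns True if applied."""
    if actor != obj.owner:
        return False
    obj.acl.setdefault(user, set()).add(perm)
    return True


# RBAC: permissions hang off roles, users are assigned roles (constructed).
ROLE_PERMS = {
    "helpdesk": {"ticket:read", "ticket:update"},
    "netadmin": {"ticket:read", "router:configure"},
}
USER_ROLES = {"alice": {"helpdesk"}, "bob": {"netadmin", "helpdesk"}}


def rbac_allows(user: str, perm: str) -> bool:
    """RBAC: allowed if any of the user's roles carries the permission."""
    return any(perm in ROLE_PERMS[r] for r in USER_ROLES.get(user, set()))


def abac_allows(user: dict, resource: dict, env: dict) -> bool:
    """ABAC: a rule over user, resource and environment attributes.
    Constructed rule: departments must match, and resources tagged
    business_hours_only are reachable only between 08:00 and 18:00."""
    if user["department"] != resource["department"]:
        return False
    if resource.get("business_hours_only"):
        return time(8, 0) <= env["now"] < time(18, 0)
    return True


def demo() -> dict:
    """Run one or two decisions per model and return them for checking."""
    report = DacObject(owner="alice")
    dac_grant(report, actor="alice", user="bob", perm="read")
    finance_doc = {"department": "finance", "business_hours_only": True}
    finance_user = {"department": "finance"}
    return {
        "mac_secret_reads_confidential": mac_allows("secret", "confidential"),
        "mac_confidential_reads_secret": mac_allows("confidential", "secret"),
        "dac_bob_read": dac_allows(report, "bob", "read"),
        "dac_bob_write": dac_allows(report, "bob", "write"),
        "dac_carol_can_grant": dac_grant(report, actor="carol", user="carol", perm="read"),
        "rbac_alice_configure": rbac_allows("alice", "router:configure"),
        "rbac_bob_configure": rbac_allows("bob", "router:configure"),
        "abac_after_hours": abac_allows(finance_user, finance_doc, {"now": time(22, 30)}),
        "abac_in_hours": abac_allows(finance_user, finance_doc, {"now": time(10, 0)}),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'allow' if decision else 'deny'}")
```

The point to take from the four functions is where the policy lives: in MAC it is the fixed lattice, in DAC it is whatever the owner put in the ACL, in RBAC it is the role table an administrator maintains, and in ABAC it is a rule evaluated against attributes that can change between two requests from the same user.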
AAA USAGE AND OPERATION
AAA OPERATION
• Authentication, Authorization, and Accounting (AAA) is a
scalable system for access control.
• Authentication - users and administrators must prove
that they are who they say they are.
• Authorization - determines which resources the user can
access and which operations the user is allowed to
perform.
• Accounting - records what the user does and when
they do it.
AAA USAGE AND OPERATION
AAA AUTHENTICATION
• Two common AAA authentication methods include:
• Local AAA Authentication - This method authenticates
users against locally stored usernames and passwords.
Local AAA is ideal for small networks.
• Server-Based AAA Authentication – This method
authenticates against a central AAA server that
contains the usernames and passwords for all users.
Server-based AAA authentication is appropriate for
medium-to-large networks.
• The process for both types are shown on the next slide.
AAA USAGE AND OPERATION

Figure: Local AAA Authentication and Server-Based AAA Authentication (process diagrams not reproduced)

AAA USAGE AND OPERATION
AAA ACCOUNTING LOGS
• Accounting provides more security than just authentication.
• AAA servers keep a detailed log of exactly what the authenticated user does on the device.
AAA USAGE AND OPERATION
AAA ACCOUNTING LOGS (cont.)
• The various types of accounting information that can be
collected include:
• Network Accounting - captures information such as packet
and byte counts.
• Connection Accounting - captures information about all
outbound connections.
• EXEC Accounting - captures information about user shells
including username, date, start and stop times, and the
access server IP address.
• System Accounting - captures information about all system-
level events.
• Command Accounting - captures information about
executed shell commands.
• Resource Accounting - captures "start" and "stop" record
support for calls that have passed user authentication.
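Accounting records are only useful if someone turns them into answers: how long was a session, what did the user run, and is the record set complete. The added example below (not from the course slides) parses a handful of EXEC and command accounting records, pairs start and stop records into sessions, counts privileged commands, and flags a session that has command records but no matching start record. The key=value line format and the records themselves are constructed for the example; a real AAA server exports its own format.

```python
"""Summarise AAA accounting records of the EXEC and command types.
Added example; the key=value line format and the records are constructed,
not a real AAA server's export."""
import shlex
from datetime import datetime

# Constructed records: timestamp, then key=value fields (values may be quoted).
RECORDS = """\
2024-03-01T09:00:00 type=exec user=alice status=start nas=10.0.0.1 session=17
2024-03-01T09:00:12 type=cmd user=alice session=17 priv=1 cmd="show ip interface brief"
2024-03-01T09:01:05 type=cmd user=alice session=17 priv=15 cmd="configure terminal"
2024-03-01T09:03:40 type=exec user=alice status=stop nas=10.0.0.1 session=17
2024-03-01T09:10:00 type=cmd user=bob session=21 priv=15 cmd="reload"
2024-03-01T09:10:30 type=exec user=bob status=stop nas=10.0.0.1 session=21
"""


def parse_record(line: str) -> dict:
    """Split one record into a dict; shlex keeps quoted values together."""
    timestamp, rest = line.split(" ", 1)
    record = {"ts": datetime.fromisoformat(timestamp)}
    for token in shlex.split(rest):
        key, value = token.split("=", 1)
        record[key] = value
    return record


def summarise(text: str) -> dict:
    """Pair EXEC start/stop records into sessions, attach the commands run in
    each session, and flag sessions with activity but no start record (lost
    records or a session the log never saw; either way worth a look)."""
    sessions = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        s = sessions.setdefault(rec["session"], {
            "user": rec["user"], "start": None, "stop": None,
            "commands": [], "privileged_commands": 0,
        })
        if rec["type"] == "exec":
            s[rec["status"]] = rec["ts"]          # status is "start" or "stop"
        elif rec["type"] == "cmd":
            s["commands"].append(rec["cmd"])
            if rec["priv"] == "15":
                s["privileged_commands"] += 1
    summary = {}
    for sid, s in sessions.items():
        duration = None
        if s["start"] and s["stop"]:
            duration = (s["stop"] - s["start"]).total_seconds()
        summary[sid] = {
            "user": s["user"],
            "duration_s": duration,
            "commands": s["commands"],
            "privileged_commands": s["privileged_commands"],
            "missing_start": s["start"] is None,
        }
    return summary


if __name__ == "__main__":
    for sid, info in summarise(RECORDS).items():
        print(sid, info)
```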
4.3 PERFORM VARIOUS INTELLIGENCE SOURCES TO LOCATE
CURRENT SECURITY THREATS
INFORMATION SOURCES
NETWORK INTELLIGENCE COMMUNITY
• Threat intelligence organizations such as CERT,
SANS, and MITRE offer detailed threat
information that is vital to cybersecurity
practices.
INFORMATION SOURCES
CISCO CYBERSECURITY REPORTS
• Cisco offers their Cybersecurity Report annually,
which provides an update on the state of security
preparedness, expert analysis of top vulnerabilities,
factors behind the explosion of attacks using
adware and spam, and more.
INFORMATION SOURCES
SECURITY BLOGS AND PODCASTS
• Security blogs and podcasts help cybersecurity
professionals understand and mitigate emerging
threats.
THREAT INTELLIGENCE SERVICES

CISCO TALOS
• Threat intelligence services allow the exchange of
threat information such as vulnerabilities, indicators
of compromise (IOC), and mitigation and detection
techniques.
• Cisco Talos collects information about active, existing, and emerging threats. Talos then provides its subscribers comprehensive protection against these attacks and malware.
THREAT INTELLIGENCE SERVICES

FireEye
• FireEye is another security company that offers
services to help enterprises secure their networks.
• FireEye offers emerging threat information and
threat intelligence reports.
THREAT INTELLIGENCE SERVICES

AUTOMATED INDICATOR SHARING


• Automated Indicator Sharing (AIS) is a program that allows the U.S. Federal Government and the private sector to share threat indicators.
• AIS creates an ecosystem where, as soon as a
threat is recognized, it is immediately shared with
the community.
THREAT INTELLIGENCE SERVICES

COMMON VULNERABILITIES AND EXPOSURES DATABASE
• Common Vulnerabilities and Exposures (CVE) is a
database of vulnerabilities that uses a standardized
naming scheme to facilitate the sharing of threat
intelligence.
THREAT INTELLIGENCE SERVICES

THREAT INTELLIGENCE COMMUNICATION STANDARDS
• Cyber Threat Intelligence (CTI) standards such as
STIX and TAXII facilitate the exchange of threat
information by specifying data structures and
communication protocols:
• Structured Threat Information Expression (STIX) -
specifications for exchanging cyber threat
information between organizations.
• Trusted Automated Exchange of Indicator
Information (TAXII) – specification for an
application layer protocol that allows the
communication of CTI over HTTPS. TAXII is
designed to support STIX.
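STIX specifies the data structures and TAXII carries them, so the thing a consumer actually handles is a STIX JSON bundle. The added example below (not from the course slides, and not a STIX library) builds a minimal STIX 2.1 bundle with one indicator, validates the properties STIX 2.1 requires on an indicator object, and extracts the indicator values from its pattern. The property names follow the published STIX 2.1 layout; the indicator's contents (the RFC 5737 documentation address, the names and timestamp) are constructed. Transport over TAXII is outside the example.

```python
"""Build, validate and read a minimal STIX 2.1 bundle.
Added example; the object field names follow STIX 2.1, the indicator
content is constructed."""
import json
import re
import uuid

# Properties STIX 2.1 requires on every indicator object.
REQUIRED_INDICATOR_PROPS = {"type", "spec_version", "id", "created", "modified",
                            "pattern", "pattern_type", "valid_from"}

# STIX identifiers are "<object-type>--<UUID>".
ID_RE = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

# Simple equality comparisons inside a STIX pattern, e.g. ipv4-addr:value = '...'.
COMPARISON_RE = re.compile(r"([\w-]+:[\w.\-]+)\s*=\s*'([^']*)'")


def make_indicator(name: str, pattern: str, timestamp: str) -> dict:
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": timestamp,
        "modified": timestamp,
        "name": name,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": timestamp,
    }


def make_bundle(objects: list) -> str:
    return json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
                       "objects": objects})


def validate_indicator(obj: dict) -> list:
    """Return a list of problems; an empty list means the object passes."""
    problems = []
    missing = REQUIRED_INDICATOR_PROPS - set(obj)
    if missing:
        problems.append(f"missing properties: {sorted(missing)}")
    if obj.get("type") != "indicator":
        problems.append("type is not 'indicator'")
    if not ID_RE.match(obj.get("id", "")):
        problems.append("id is not '<type>--<uuid>'")
    elif not obj["id"].startswith(obj.get("type", "") + "--"):
        problems.append("id prefix does not match type")
    if obj.get("pattern_type") == "stix" and not obj.get("pattern", "").startswith("["):
        problems.append("stix pattern must be a bracketed comparison expression")
    return problems


def extract_iocs(pattern: str) -> list:
    """Return (object-path, value) pairs from the pattern's equality tests."""
    return COMPARISON_RE.findall(pattern)


def load_bundle(text: str) -> dict:
    """Parse a bundle; report invalid indicators and collect the IOCs of valid ones."""
    bundle = json.loads(text)
    result = {"problems": {}, "iocs": []}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        probs = validate_indicator(obj)
        if probs:
            result["problems"][obj.get("id", "?")] = probs
        else:
            result["iocs"].extend(extract_iocs(obj["pattern"]))
    return result


# Constructed sample: the address is documentation space (RFC 5737), the
# domain uses the reserved .invalid TLD.
SAMPLE_BUNDLE = make_bundle([
    make_indicator("Constructed command-and-control indicator",
                   "[ipv4-addr:value = '192.0.2.44' OR domain-name:value = 'example.invalid']",
                   "2024-03-01T00:00:00.000Z"),
])

if __name__ == "__main__":
    print(json.dumps(load_bundle(SAMPLE_BUNDLE), indent=2))
```

Validating before extracting matters because a feed consumer usually loads indicators straight into a blocklist or detection rule; an object missing `valid_from` or carrying a malformed pattern should be rejected and logged, not silently turned into a rule.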
4.4 DISCUSS ENDPOINT VULNERABILITY ASSESSMENT
INFORMATION
NETWORK & SERVER PROFILING
NETWORK PROFILING
• Network and device profiling provides statistical
baseline information that can serve as a
reference point for normal network and device
performance.
• Elements of network profile:
• Session duration
• Total throughput
• Critical asset address space
• Typical traffic type

Figure: Elements of a Network Profile

NETWORK & SERVER PROFILING

SERVER PROFILING
• A server profile is a security baseline for a given server.
• Server profiling is used to establish the accepted operating state of
servers.
• The server profile elements are as follows:
• Listening ports
• Logged in users and accounts
• Service accounts
• Software environment
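A server profile earns its keep when a later snapshot is compared against it. The added example below (not from the course slides) represents the four profile elements listed above as a baseline dict and an observed dict, then reports every deviation with a severity: a listener that was not in the baseline, a new account (distinguishing service accounts), and software that is absent from or at a different version than the baseline. Both dicts are constructed; on a real host they would come from the port, account and package inventories.

```python
"""Diff an observed server snapshot against its recorded profile.
Added example; the baseline and the observed snapshot are constructed."""

# Constructed profile of a web server: what the baseline says should be there.
BASELINE = {
    "listening_ports": {22, 443},
    "accounts": {"root", "www-data", "deploy"},
    "service_accounts": {"www-data"},
    "software": {"nginx": "1.24.0", "openssh-server": "9.6"},
}

# Constructed later snapshot of the same host.
OBSERVED = {
    "listening_ports": {22, 443, 8081},
    "accounts": {"root", "www-data", "deploy", "svc_backup"},
    "service_accounts": {"www-data", "svc_backup"},
    "software": {"nginx": "1.24.0", "openssh-server": "9.6", "redis-server": "7.2.4"},
}


def diff_profile(baseline: dict, observed: dict) -> list:
    """Return (severity, finding) tuples for every deviation from the baseline.
    Severities are a constructed triage order, not a standard scale."""
    findings = []
    # Listening ports: new listeners are the most interesting change.
    for port in sorted(observed["listening_ports"] - baseline["listening_ports"]):
        findings.append(("high", f"unexpected listening port {port}"))
    for port in sorted(baseline["listening_ports"] - observed["listening_ports"]):
        findings.append(("medium", f"expected listening port {port} is closed"))
    # Accounts: a new account is high either way; say which kind it is.
    for acct in sorted(observed["accounts"] - baseline["accounts"]):
        kind = "service account" if acct in observed["service_accounts"] else "user account"
        findings.append(("high", f"new {kind} {acct}"))
    for acct in sorted(baseline["accounts"] - observed["accounts"]):
        findings.append(("low", f"baseline account {acct} no longer present"))
    # Software environment: unknown packages and version drift.
    for pkg, ver in sorted(observed["software"].items()):
        base_ver = baseline["software"].get(pkg)
        if base_ver is None:
            findings.append(("medium", f"software not in baseline: {pkg} {ver}"))
        elif base_ver != ver:
            findings.append(("low", f"{pkg} version changed {base_ver} -> {ver}"))
    for pkg in sorted(set(baseline["software"]) - set(observed["software"])):
        findings.append(("low", f"baseline software {pkg} removed"))
    return findings


if __name__ == "__main__":
    for severity, finding in diff_profile(BASELINE, OBSERVED):
        print(f"[{severity}] {finding}")
```

A version change is scored low here because patching is expected drift; the right follow-up is to update the baseline once the change is confirmed as approved, so the profile keeps describing the accepted operating state rather than a stale one.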
NETWORK & SERVER PROFILING
NETWORK ANOMALY DETECTION

• Network behavior is described by a large amount of diverse data such as the features of packet flow, features of the packets themselves, and telemetry from multiple sources.
• Big Data analytics techniques can be used to
analyze this data and detect variations from the
baseline.
• Anomaly detection can identify infected hosts on
the network that are scanning for other vulnerable
hosts.
• The figure illustrates a simplified version of an
algorithm designed to detect an unusual
condition at the border routers of an enterprise.
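The slides describe the idea (learn a baseline, flag deviations, catch hosts scanning for others) without showing the arithmetic. The added example below (not the algorithm from the course figure) learns a per-source baseline of connection fan-out and average flow size from one window of flow records, then flags any source in a later window whose fan-out exceeds the baseline mean by more than k standard deviations, noting tiny average payloads as a scan-like signature. All flow records and addresses are constructed; the k = 3 threshold and the floor on the standard deviation are choices made for the example.

```python
"""Flag sources whose connection fan-out deviates from a learned baseline.
Added example; flow records, thresholds and addresses are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (src, dst, dst_port, bytes). Baseline window first.
BASELINE_FLOWS = [
    ("10.1.1.10", "10.1.2.5", 443, 12000), ("10.1.1.10", "10.1.2.6", 443, 8000),
    ("10.1.1.11", "10.1.2.5", 443, 9000),  ("10.1.1.11", "10.1.2.7", 25, 3000),
    ("10.1.1.12", "10.1.2.5", 443, 15000), ("10.1.1.12", "10.1.2.6", 80, 5000),
    ("10.1.1.13", "10.1.2.5", 443, 7000),
]

# Observation window: host .12 now touches many hosts on one port with tiny flows.
OBSERVED_FLOWS = [
    ("10.1.1.10", "10.1.2.5", 443, 11000),
    ("10.1.1.11", "10.1.2.7", 25, 2500),
] + [("10.1.1.12", f"10.1.2.{n}", 445, 60) for n in range(1, 30)]


def fan_out(flows: list) -> dict:
    """Per source: distinct (dst, port) pairs contacted and mean bytes per flow."""
    targets = defaultdict(set)
    byte_counts = defaultdict(list)
    for src, dst, port, nbytes in flows:
        targets[src].add((dst, port))
        byte_counts[src].append(nbytes)
    return {src: {"targets": len(targets[src]), "avg_bytes": mean(byte_counts[src])}
            for src in targets}


def build_baseline(flows: list) -> dict:
    """Population statistics of fan-out and flow size across baseline sources."""
    stats = fan_out(flows)
    targets = [s["targets"] for s in stats.values()]
    sizes = [s["avg_bytes"] for s in stats.values()]
    return {"targets_mean": mean(targets), "targets_sd": pstdev(targets),
            "bytes_mean": mean(sizes)}


def detect(baseline: dict, flows: list, k: float = 3.0) -> list:
    """Alert on sources more than k standard deviations above the baseline
    fan-out. The SD is floored at 1.0 so a very uniform baseline does not
    produce a hair-trigger threshold."""
    threshold = baseline["targets_mean"] + k * max(baseline["targets_sd"], 1.0)
    alerts = []
    for src, s in sorted(fan_out(flows).items()):
        if s["targets"] > threshold:
            alerts.append({
                "src": src,
                "targets": s["targets"],
                "threshold": threshold,
                # Many targets with little data per flow looks like probing,
                # not a host doing its normal job.
                "low_payload": s["avg_bytes"] < 0.1 * baseline["bytes_mean"],
            })
    return alerts


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for alert in detect(base, OBSERVED_FLOWS):
        print(alert)
```

In production the baseline would be rebuilt on a rolling window and kept per segment, since a backup server or a vulnerability scanner legitimately has a fan-out that would be anomalous for a workstation; the detection logic stays the same, only the population it is compared against changes.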
NETWORK & SERVER PROFILING
NETWORK VULNERABILITY TESTING
• Network Vulnerability Testing includes Risk Analysis, Vulnerability Assessment and
Penetration Testing.
• The table lists examples of activities and tools that are used in vulnerability testing:

Activity: Risk analysis
  Description: Individuals conduct comprehensive analysis of impacts of attacks on core company assets and functioning.
  Tools: Internal or external consultants, risk management frameworks

Activity: Vulnerability Assessment
  Description: Patch management, host scans, port scanning, other vulnerability scans and services.
  Tools: OpenVAS, Microsoft Baseline Analyzer, Nessus, Qualys, Nmap

Activity: Penetration Testing
  Description: Use of hacking techniques and tools to penetrate network defenses and identify depth of potential penetration.
  Tools: Metasploit, CORE Impact, ethical hackers
COMMON VULNERABILITY
SCORING SYSTEM (CVSS)
CVSS OVERVIEW
• The Common Vulnerability Scoring System (CVSS) is a risk assessment tool designed to convey the common attributes and severity of vulnerabilities in computer hardware and software systems.
• CVSS provides standardized vulnerability scores.
• It provides an open framework with metrics to all users.
• CVSS helps prioritize risk.
• The Forum of Incident Response and Security Teams (FIRST) has been designated as the custodian of the CVSS to promote its adoption globally.
COMMON VULNERABILITY
SCORING SYSTEM (CVSS)
CVSS METRIC GROUPS

• The CVSS uses three groups of metrics to assess vulnerability.
• Base Metric Group: Represents the characteristics of
a vulnerability that are constant over time and across
contexts.
• Temporal Metric Group: Measures the characteristics
of a vulnerability that may change over time, but not
across user environments.
• Environmental Metric Group: Measures the aspects of
a vulnerability that are rooted in a specific
organization’s environment.
COMMON VULNERABILITY
SCORING SYSTEM (CVSS)
THE CVSS PROCESS
• The CVSS process uses a tool called the CVSS v3.1 Calculator.
• The calculator is like a questionnaire in which choices describing the vulnerability are made for each metric group.
• A score is then generated and a numeric severity rating is displayed.
COMMON VULNERABILITY
SCORING SYSTEM (CVSS)
THE CVSS PROCESS (cont.)

• After the Base Metric group is completed, the Temporal and Environmental metric values modify the Base Metric results to provide an overall score.
COMMON VULNERABILITY
SCORING SYSTEM (CVSS)
CVSS REPORT

• The higher the severity rating, the greater the potential impact of an exploit and the greater the urgency in addressing the vulnerability.
• Any vulnerability that exceeds 3.9 should be addressed.
• The ranges of scores and the corresponding qualitative meaning are shown in the table:

Rating    CVSS Score
None      0
Low       0.1 – 3.9
Medium    4.0 – 6.9
High      7.0 – 8.9
Critical  9.0 – 10.0
COMMON VULNERABILITY
SCORING SYSTEM (CVSS)
COMMON VULNERABILITIES AND EXPOSURES
(CVE)

• A CVE identifier provides a standard way to reference and research vulnerabilities.
• Threat intelligence services use CVE
identifiers, and they appear in various
security system logs.
• The CVE Details website provides a linkage
between CVSS scores and CVE
information.
COMMON VULNERABILITY
SCORING SYSTEM (CVSS)
NATIONAL VULNERABILITY DATABASE

• This utilizes CVE identifiers and supplies additional information on vulnerabilities such as CVSS threat scores, technical details, affected entities, and resources for further investigation.
• The database was created and is
maintained by the U.S. government
National Institute of Standards and
Technology (NIST) agency.
SECURE DEVICE MANAGEMENT
RISK MANAGEMENT

• Risk management involves the selection and specification of security controls for an organization.
• A mandatory activity in risk assessment is to
identify threats and vulnerabilities.
• Ways to respond to identified risks:
• Risk avoidance - Stop performing
the activities that create risk.
• Risk reduction - Take measures to
reduce vulnerability.
• Risk sharing - Shift some risk to
other parties.
• Risk retention - Accept the risk
and its consequences.
SECURE DEVICE MANAGEMENT
VULNERABILITY MANAGEMENT

• Vulnerability management is a security practice designed to proactively prevent the exploitation of IT vulnerabilities.
• The steps in the Vulnerability Management Life
Cycle:
• Discover - Develop a network baseline.
Identify security vulnerabilities on a regular
automated schedule.
• Prioritize Assets - Categorize assets into
groups or business units, and assign a
business value based on their criticality to
business operations.
• Assess - Determine a baseline risk profile to
eliminate risks based on asset criticality,
vulnerability, threats, and asset
classification.
SECURE DEVICE MANAGEMENT
VULNERABILITY MANAGEMENT (cont.)

• Report - Measure the level of business risk associated with your assets according to your security policies. Document a security plan, monitor suspicious activity, and describe known vulnerabilities.
• Remediate - Prioritize according to business risk and address vulnerabilities in order of risk.
• Verify - Verify that threats have been eliminated through follow-up audits.
SECURE DEVICE MANAGEMENT
ASSET MANAGEMENT

• Tools and Techniques for Asset management:
• Automated discovery and inventory of the
actual state of devices
• Articulation of the desired state for those
devices using policies, plans, and procedures
in the organization’s information security plan
• Identification of non-compliant authorized
assets
• Remediation or acceptance of device state,
possible iteration of desired state definition
• Repeat the process at regular or ongoing
intervals
SECURE DEVICE MANAGEMENT
MOBILE DEVICE MANAGEMENT

• Mobile devices cannot be physically controlled on the premises of an organization.
• MDM systems, such as Cisco Meraki Systems Manager, allow security personnel to configure, monitor and update a very diverse set of mobile clients from the cloud.
SECURE DEVICE MANAGEMENT
CONFIGURATION MANAGEMENT

• Configuration management, as defined by NIST, comprises a collection of activities focused on establishing and maintaining the integrity of products and systems, through control of the processes for initializing, changing, and monitoring the configurations of those products and systems.
• Configuration tools : Puppet, Chef, Ansible, and SaltStack
SECURE DEVICE MANAGEMENT
ENTERPRISE PATCH MANAGEMENT

• Patch management involves all aspects of software patching, including identifying required patches, acquiring, distributing, installing, and verifying.
• Patch management is required by some
compliance regulations such as Sarbanes
Oxley (SOX) and the Health Insurance
Portability and Accountability Act (HIPAA).
SECURE DEVICE MANAGEMENT
PATCH MANAGEMENT TECHNIQUE
Agent-Based:

• This requires a software agent to be running on each host to be patched.
• The agent reports whether vulnerable software
is installed on the host.
• The agent communicates with the patch
management server and determines if
patches exist that require installation, and
installs the patches.
• Agent-based approaches are the preferred
means of patching mobile devices.
SECURE DEVICE MANAGEMENT
PATCH MANAGEMENT TECHNIQUE
Agentless Scanning:

• Patch management servers scan the network for devices that require patching.
• The server determines which patches are
required and installs those patches on the
clients.
• Only devices that are on scanned network
segments can be patched, which can be a
problem for mobile devices.
SECURE DEVICE MANAGEMENT
PATCH MANAGEMENT TECHNIQUE
Passive Network Monitoring:

• Devices requiring patching are identified through the monitoring of traffic on the network.
• This approach is only effective for software
that includes version information in its network
traffic.
INFORMATION SECURITY
MANAGEMENT SYSTEM
SECURITY MANAGEMENT SYSTEMS

• An Information Security Management System (ISMS) consists of a management framework to identify, analyze, and address information security risks.
• ISMSs provide conceptual models that guide organizations in planning, implementing, governing, and evaluating information security programs.
A General Model for Organizational Capability
• It incorporates the “plan-do-check-act” framework, known as the Deming cycle.
• An ISMS is seen as an elaboration of the People-Process-Technology-Culture model of organizational capability.
INFORMATION SECURITY
MANAGEMENT SYSTEM
ISO 27000

• The ISO/IEC 27000 family of standards are internationally accepted standards that facilitate business conducted between countries. ISO 27001 is the global, industry-wide specification for an ISMS.
Plan:
• Understand business objectives
• Define scope
• Access and manage support
• Assess and define risk
• Perform asset management and vulnerability assessment
Do:
• Create and implement risk management plan
• Establish and enforce risk management policies and procedures
• Train personnel, allocate resources
Check:
• Monitor execution
• Compile reports
• Support external certification audit
Act:
• Continually audit processes
• Continually improve processes
• Take corrective action
• Take preventive action
INFORMATION SECURITY
MANAGEMENT SYSTEM
NIST CYBERSECURITY FRAMEWORK

• NIST Cybersecurity Framework – a set of standards designed to integrate existing standards, guidelines, and practices to help better manage and reduce cybersecurity risk.
• The table below describes the core functions in the NIST Cybersecurity Framework:

Core Function  Description
IDENTIFY  Develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
PROTECT   Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
DETECT    Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
RESPOND   Develop and implement the appropriate activities to act on a detected cybersecurity event.
RECOVER   Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
