Chapter 2 Monitoring and Diagnosing Networks
ISO (International Organization for Standardization) Standards
"ISO/IEC 27001:2013 - Information technology - Security techniques - Information security management systems - Requirements": specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. ---------------------------------- The requirements set out by ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature. (The 2013 edition has since been superseded by ISO/IEC 27001:2022; the exam material still references the 2013 text.)
The Eight Principles of NIST Special Publication 800-14
1. Computer security supports the mission of the organization. 2. Computer security is an integral element of sound management. 3. Computer security should be cost effective. 4. System owners have security responsibilities outside their own organizations. 5. Computer security responsibilities and accountability should be made explicit. 6. Computer security requires a comprehensive and integrated approach. 7. Computer security should be periodically reassessed. 8. Computer security is constrained by societal factors.
Secure Configuration Guidelines and Benchmark for Operating Systems (5 steps)
1. Make certain that the operating system is patched; without updating the operating system itself, the other security measures will be less effective. 2. Turn off any unneeded services, accounts, or other methods of accessing the system. 3. Turn on sufficient logging to allow you to audit the system and to understand what has occurred on it. 4. If the operating system has a built-in firewall, turn it on and make sure that it is properly configured. 5. Run appropriate anti-malware and antivirus software.
The 14 Practice areas of NIST Special Publication 800-14
1. Policy 2. Program Management 3. Risk Management 4. Life Cycle Planning 5. Personnel/User Issues 6. Preparing for Contingencies and Disasters 7. Computer Security Incident Handling 8. Awareness and Training 9. Security Considerations in Computer Support and Operations 10. Physical and Environmental Security 11. Identification and Authentication 12. Logical Access Control 13. Audit Trails 14. Cryptography
Demilitarized Zone (DMZ)
A network segment between two firewalls. One is outward-facing, connected to the outside world; the other is inward-facing, connected to the internal network. Public-facing servers, such as web servers, are often placed in a DMZ. It is an area where you can place a public server for access by people whom you might not otherwise trust. By isolating a server in a DMZ, you can hide or remove access to other areas of your network. You can still reach the server from your internal network, but outsiders who reach the server are not able to reach further network resources. This is accomplished by using firewalls to isolate the segments. (Anytime you want to separate public information from private information, a DMZ is an acceptable option.)
Honeynet
A network that functions in the same manner as a honeypot (a fake network segment meant to be a trap, so that attackers attack it instead of the real network).
Virtual Private Network (VPN)
A private data network that creates secure connections, or "tunnels," over regular Internet lines through a public network. A VPN connection logically appears to be part of the local network. VPNs are used to make connections between private networks across a public network. The only way a connection is "guaranteed" to be secure is by using a tunneling protocol (such as PPTP) together with an encryption system (such as IPSec). VPNs typically use a tunneling protocol such as Layer 2 Tunneling Protocol (L2TP), IPSec, or Point-to-Point Tunneling Protocol (PPTP). (A pure VPN connection appears as a dedicated wired connection between the two network ends.) (A VPN concentrator is a hardware device used to create remote-access VPNs. The concentrator creates encrypted tunnel sessions between hosts, and many use two-factor authentication for additional security.) Practical caveat beyond the exam wording: PPTP's MS-CHAPv2 authentication and MPPE encryption are considered broken and PPTP should not be deployed; L2TP by itself provides no encryption and is normally run over IPSec (L2TP/IPSec); current deployments use IPSec/IKEv2 or TLS-based VPNs.
Extranet
A private network (like an intranet, but presenting more security issues) that uses Internet technologies to share business information with select corporate partners or key customers by giving them direct access to part of your internal network. --------------------------- You need to make sure the outside party is complying with your security policies and standards, and then you have to segment the extranet so that it cannot be used as a bridge to access the rest of your network. Extranets are a good example of network security being accomplished by network segmentation.
Firewalls
Firewalls are one of the first lines of defense in a network. The basic purpose of a firewall is to isolate one network from another. Firewalls function as one or more of the following: • Packet filter • Proxy firewall • Stateful packet inspection firewall
For the purposes of the exam, whenever you see VPN, associate it with what?
Associate it with encryption, and with the fact that it only allows authorized remote users in.
IT Security Life Cycle Phase 6: Closeout
At some point, whatever was implemented in Phase 4 will be concluded. Often this is when a system is replaced by a newer and better system.
IT Security Life Cycle Phase 1: Initiation
At this point the organization is looking into implementing some IT security service, device, or process.
ISO 27018 Standard
Closely related to ISO 27017. ISO/IEC 27018 is a code of practice for protecting personally identifiable information (PII) in public clouds; it defines privacy requirements in a cloud environment, particularly how the customer and the cloud provider (acting as the PII processor) must protect PII.
Software-Defined Networking (SDN)
Essentially, the entire network is virtualized. This allows relatively easy segmentation of the network. It also allows the administrator to place virtualized security devices at any point he or she wishes. (This also makes the network much cheaper than buying all of the equivalent hardware.)
NIST 800-30 Standard
Guidance on how to conduct risk assessments. (Revision 1 is titled "Guide for Conducting Risk Assessments"; the original 2002 edition was the "Risk Management Guide for Information Technology Systems".)
IDS vs. IPS
IDS: only detects, analyzes, and monitors network traffic. When a problem is detected, an IDS alerts the administrator but doesn't take any other action. IPS: proactively denies network traffic based on a security profile if a packet represents a known security threat. It detects, records, reports, and prevents/stops the threat. (Both live in the same area of the network as a firewall, between the outside world and the internal network.) (What is now called an IPS was formerly known as an active IDS.)
IT Security Life Cycle Phase 4: Implementation
In this phase, the IT security service, device, or process is implemented.
Which of the following is not a component of an IP packet that a firewall rule can use for filtering purposes?
Intent
ISO 27017 (and its 7 controls)
Guidance for cloud security. It applies the guidelines of ISO 27002 to the cloud and then adds seven new controls. CLD.6.3.1: an agreement on shared or divided security responsibilities between the customer and the cloud provider. CLD.8.1.5: addresses how assets are returned or removed from the cloud when the contract is terminated. CLD.9.5.1: the cloud provider must separate each customer's virtual environment from other customers and outside parties. CLD.9.5.2: the customer and the cloud provider must both ensure that virtual machines are hardened. CLD.12.1.5: it is solely the customer's responsibility to define and manage administrative operations. CLD.12.4.5: the cloud provider's capabilities must enable the customer to monitor their own cloud environment. CLD.13.1.4: the virtual network environment must be configured so that it at least meets the security policies of the physical environment.
OS hardening
Making the OS as secure as you can before adding antivirus, firewalls, and so forth. It includes patching the system, shutting down unneeded services and accounts, changing all default passwords, applying least functionality/least privilege, and removing unneeded software.
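The five hardening steps listed above and the OS hardening card are a procedure, so here is an added example (not from the page or any benchmark vendor) of how a practitioner would check a host against that baseline. It parses constructed `ss -lntp` output and constructed /etc/shadow lines, flags listening services that are not on an assumed allow-list, flags accounts with an empty password field or unlocked default accounts, and reports whether the host firewall and audit logging are on; patching and anti-malware status are not modelled here. The allow-list, default-account list and all sample lines are assumptions.

```python
"""Baseline check for the hardening steps above, run against constructed inputs.
Added example: the `ss -lntp` output and /etc/shadow lines are made up, and the
allowed-port and default-account lists are assumptions for this host."""
import re

ALLOWED_PORTS = {22, 443}              # services this host is supposed to expose (assumption)
DEFAULT_ACCOUNTS = {"guest", "games"}  # vendor/default accounts that should be locked (assumption)

# Constructed `ss -lntp` output (not a real capture).
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       5       0.0.0.0:23          0.0.0.0:*          users:(("inetd",pid=640,fd=5))
LISTEN  0       511     *:443               *:*                users:(("nginx",pid=900,fd=6))
LISTEN  0       128     127.0.0.1:631       0.0.0.0:*          users:(("cupsd",pid=700,fd=7))
"""

# Constructed /etc/shadow lines (hashes shortened, not real).
SHADOW = """\
root:$6$saltsalt$hashhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
guest::19700:0:99999:7:::
games:$1$salt$hashhash:19700:0:99999:7:::
alice:$6$saltsalt$hashhash:19700:0:99999:7:::
backup:!:19700:0:99999:7:::
"""


def listening_services(ss_text: str) -> list:
    """Parse `ss -lntp` style output into (port, bind address, process) tuples."""
    services = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        addr, port = fields[3].rsplit(":", 1)
        proc = re.search(r'\(\("([^"]+)"', line)
        services.append((int(port), addr, proc.group(1) if proc else "?"))
    return services


def unlocked_accounts(shadow_text: str) -> list:
    """Return (user, reason) for accounts that can log in but should not be able to."""
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, password = line.split(":")[:2]
        if password == "":
            findings.append((user, "empty password field"))
        elif user in DEFAULT_ACCOUNTS and not password.startswith(("!", "*")):
            findings.append((user, "default account not locked"))
    return findings


def audit(ss_text: str = SS_OUTPUT, shadow_text: str = SHADOW,
          firewall_active: bool = False, logging_enabled: bool = False) -> list:
    """Apply the checklist; each returned string is one deviation from the baseline."""
    findings = []
    for port, addr, proc in listening_services(ss_text):
        if port not in ALLOWED_PORTS:
            findings.append(f"unneeded service: {proc} listening on {addr}:{port}")
    for user, reason in unlocked_accounts(shadow_text):
        findings.append(f"account {user}: {reason}")
    if not logging_enabled:
        findings.append("audit logging is not enabled")
    if not firewall_active:
        findings.append("host firewall is not active")
    return findings


if __name__ == "__main__":
    for finding in audit():
        print("FAIL:", finding)
```

On a real host the two inputs would come from `ss -lntp` and a privileged read of /etc/shadow; the point of the example is that each checklist item becomes a concrete, repeatable test rather than a judgement call.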
Special Publication 800-82, Revision 2, Guide to Industrial Control System (ICS) Security
Specific to industrial control systems. Industrial systems include SCADA (Supervisory Control and Data Acquisition) systems and PLCs (Programmable Logic Controllers). The publication examines the threats to these systems in detail and discusses how to develop a comprehensive security plan for them. The plan covers firewall issues, network segregation, network protocols, and security controls for mitigating threats to industrial systems.
Easiest way to create a DMZ?
Use a firewall with three interfaces (a "three-legged" firewall) that can pass traffic in three directions: 1. To the internal network. 2. To the external world (Internet). 3. To the public information that you're sharing (the DMZ).
Defense in Depth
It simply means that your security should never be focused only, or even primarily, on your network's borders. Security should be extended throughout the network. One method for accomplishing defense in depth is to ensure that each device (server, workstation, router, switch, and so forth) is securely configured. Another method is network segmentation.
Packet Filter Firewall
Looks at packet addresses and admits or denies packets going in or out of the network; it is fast and is the default in personal computers. It passes or blocks traffic to specific addresses based on the type of application (that is, the port). The packet filter doesn't analyze the data of a packet; it decides whether to pass it based on the packet's addressing information. (This type of filtering is included in many routers.) It filters packets based on source/destination IP address and port according to the security settings of the firewall. If a received packet requests a port that isn't authorized, the filter will either reject the request or simply ignore (drop) it. Many packet filters can also specify which IP addresses can request which ports and allow or deny them based on the firewall's security settings.
IT Security Life Cycle Phase 5: Operations
Phase 5 is the ongoing operation and maintenance of the security service, device, or process that was implemented in Phase 4.
NIST Special Publication 800-12
Provides a broad overview of computer security. It primarily deals with areas of security controls. One of its most important features is that it emphasizes the need to address computer security throughout the System Development Life Cycle.
Where to place Security Devices?
You should already be aware that you need a firewall at your network's perimeter. Additionally, place a firewall at every junction of a network zone: each segment of your network should be protected by a firewall. Make sure to turn on the firewall capabilities in modern switches and routers, as well as in other products that have basic filtering capabilities, and make sure they are properly configured. Along with the firewalls, know about correlation engines: these are applications that collect firewall logs, often from diverse firewalls, and attempt to correlate the entries to understand possible attacks (make sure the correlation engine can access and examine the firewall logs). For intrusion detection/prevention systems, there must be collectors or sensors in every network segment. Without them, the IDS/IPS will be blind to activity in that segment.
A firewall that keeps a record of the state of a connection between an internal computer and an external device is using what technology below?
Stateful packet filtering
Network Segmentation accomplishes 2 goals:
The first is the ability to treat security differently in each zone based on the security needs of that zone. The second is the ability to place barriers, such as firewalls, between the zones.
Software-Defined Network (SDN)
The entire network, including all security devices, is virtualized.
IT Security Life Cycle Phase 3: Solution
This is where various solutions are evaluated and one or more is selected.
IT Security Life Cycle Phase 2: Assessment
This phase involves determining and describing the organization's current security posture. It is recommended that this phase use quantifiable metrics.
Proxy Firewall
Can be thought of as an intermediary between your network and any other network. Proxy firewalls are used to process requests from an outside network; the proxy firewall examines the data and makes rule-based decisions about whether the request should be forwarded or refused. The proxy intercepts all the packets and reprocesses them for use internally. This process includes hiding internal IP addresses. The proxy firewall provides better security than packet filtering because of the increased intelligence it offers. Requests from internal network users are routed through the proxy. The proxy, in turn, repackages the request and sends it along, thereby isolating the user from the external network.
Control Diversity for security concerns
You should not rely on a single control to address any security threat. When implementing controls to mitigate a security issue, controls can be classified into one of three categories: administrative, technical, and physical. Administrative controls are all the policies, procedures, and processes that are in place to support security. Technical controls involve software and hardware: firewalls, VLANs, anti-malware, intrusion detection systems (IDS), and intrusion prevention systems (IPS) are technical controls. Physical controls include locks, fences, guards, and cameras.
Information Security Management System (ISMS)
a broad term that applies to a wide range of systems used to manage information security.
Honeypot
A fake system designed to divert attacks from your real systems. It is often replete with logging and tracking to gather evidence. (It is meant to be a trap for attackers.)
Stateful packet inspection (SPI)
A firewall that not only examines each packet but also remembers the recent previous packets (the state of the connection).
Intranet
a private network designed for the exclusive use of computer users within an organization that cannot be accessed by users outside the organization
intrusion detection system (IDS)
A system that creates logs of all network traffic that was permitted to pass the firewall and then analyzes those logs for signs of attempted or successful intrusions. An IDS is only for detecting, analyzing, and monitoring network traffic; when a problem is detected, it alerts the administrator but doesn't take any other action.
intrusion prevention system (IPS)
A system that monitors the network for possible intrusions, logs that activity, and then blocks the traffic that is suspected of being an attack.
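The correlation-engine note under "Where to place Security Devices?" and the IDS and IPS cards describe one pipeline: gather logs from diverse firewalls, normalize them, look for signs of an attack, then either alert (IDS) or block (IPS). The following added example (not from the page or any product) implements that pipeline over constructed log lines: fw1 logs in netfilter/iptables kernel-log style and fw2 in Cisco ASA syslog style. The detection rule, a single source denied on five or more distinct destination ports, and the threshold are assumptions. Each firewall on its own sees too few ports to trigger the rule; only the correlated view does, which is the point of a correlation engine.

```python
"""Correlate firewall logs from two differently formatted firewalls, then apply an
IDS-style detection (alert) and an IPS-style response (block).  Added example:
the log lines are constructed and the port-scan threshold is an assumption."""
import re
from collections import defaultdict
from typing import Optional

# Constructed sample: fw1 in netfilter/iptables kernel-log style, fw2 in Cisco ASA style.
FW1_LOG = """\
Jan 12 10:00:01 fw1 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.100.10 PROTO=TCP SPT=51000 DPT=21 SYN
Jan 12 10:00:01 fw1 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.100.10 PROTO=TCP SPT=51001 DPT=22 SYN
Jan 12 10:00:02 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.168.100.10 PROTO=TCP SPT=40000 DPT=443 SYN
Jan 12 10:00:02 fw1 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.100.10 PROTO=TCP SPT=51002 DPT=23 SYN
"""
FW2_LOG = """\
%ASA-4-106023: Deny tcp src outside:203.0.113.7/51003 dst dmz:192.168.100.11/25 by access-group "outside_in"
%ASA-4-106023: Deny tcp src outside:203.0.113.7/51004 dst dmz:192.168.100.11/3389 by access-group "outside_in"
%ASA-6-302013: Built inbound TCP connection 12 for outside:198.51.100.9/40001 (198.51.100.9/40001) to dmz:192.168.100.11/443 (192.168.100.11/443)
"""

NETFILTER_RE = re.compile(
    r"kernel: (?P<action>DROP|ACCEPT) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=\w+ SPT=\d+ DPT=(?P<dport>\d+)"
)
ASA_DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny \w+ src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
ASA_BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built inbound TCP connection \d+ for \w+:(?P<src>[\d.]+)/\d+ "
    r"\(.*?\) to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def normalize(line: str, firewall: str) -> Optional[dict]:
    """Translate one vendor-specific line into a common event record, or None if unknown."""
    if m := NETFILTER_RE.search(line):
        action = "deny" if m["action"] == "DROP" else "allow"
    elif m := ASA_DENY_RE.search(line):
        action = "deny"
    elif m := ASA_BUILT_RE.search(line):
        action = "allow"
    else:
        return None
    return {"fw": firewall, "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "action": action}


def parse(log_text: str, firewall: str) -> list:
    """Normalize every recognisable line of one firewall's log."""
    return [e for line in log_text.splitlines() if (e := normalize(line, firewall))]


def detect_port_scans(events: list, threshold: int = 5) -> dict:
    """IDS rule: a source that was denied on >= threshold distinct destination ports."""
    ports = defaultdict(set)
    firewalls = defaultdict(set)
    for e in events:
        if e["action"] == "deny":
            ports[e["src"]].add(e["dport"])
            firewalls[e["src"]].add(e["fw"])
    return {src: {"ports": sorted(p), "firewalls": sorted(firewalls[src])}
            for src, p in ports.items() if len(p) >= threshold}


def run(mode: str = "ids") -> dict:
    """Correlate both firewalls' logs; in 'ips' mode each alert also becomes a block entry."""
    events = parse(FW1_LOG, "fw1") + parse(FW2_LOG, "fw2")
    alerts = detect_port_scans(events)
    blocked = set(alerts) if mode == "ips" else set()
    return {"events": len(events), "alerts": alerts, "blocked": blocked}


if __name__ == "__main__":
    result = run("ips")
    for src, info in result["alerts"].items():
        print(f"ALERT port scan from {src}: ports {info['ports']} seen by {info['firewalls']}")
    print("blocked:", sorted(result["blocked"]))
```

The same structure applies to any IDS signature: normalize first, detect on the common record, and keep the response (alert or block) as a separate, switchable step so the same rule can run in detect-only mode before it is trusted to block.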
personally identifiable information (PII)
any data and information that could identify a particular individual.
NIST Special Publication 800-14
Describes security principles that could be addressed within security policies. The purpose of this document is to describe the eight principles and 14 practices that can be used to develop security policies. A significant part of this document is dedicated to auditing user activity on a network. Specific requirements include tracking user actions and, in the event of any investigation, the ability to reconstruct exactly what a user has done. Auditing, monitoring, and intrusion detection are heavily emphasized in the standard.
Stateful Packet Inspection Firewalls
Examine each packet and the chain of packets before and after it, including the entire conversation between client and server. (Essentially it does what a packet-filtering firewall does, but it also remembers what the recent previous packets from the same client contained.) (Also referred to as stateful packet inspection (SPI).)
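The DMZ cards ("Demilitarized Zone" and "Easiest way to create a DMZ?"), the packet filter card and the two stateful inspection cards describe the same three-legged firewall from different angles. The added example below (written for this page, not taken from it or from any firewall product) models that firewall in Python: an assumed addressing plan maps addresses to internal, DMZ and external zones; a stateless packet filter judges each packet on its own addresses and port; a stateful firewall uses the same rules but also records connections it opened, so reply traffic gets back without a rule for the reverse direction. The addresses, ports and rules are assumptions. Note the deliberate absence of a DMZ-to-internal rule, and that the pure packet filter drops the web server's own replies, which is exactly the gap that forces stateless designs to open broad reverse rules.

```python
"""Three-interface (internal / DMZ / external) firewall model comparing a
stateless packet filter with stateful inspection.  Added example: the zones,
addresses, ports and rules are illustrative assumptions, not from the page."""
import ipaddress
from dataclasses import dataclass

# Zone membership by address range (assumed addressing plan); everything else is external.
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; addresses outside the known ranges are 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int
    syn: bool = False  # True on the first packet of a new TCP connection


# Stateless rules: (source zone, destination zone, allowed destination ports or None for any).
# There is deliberately no dmz -> internal rule: a compromised DMZ host must not pivot inward.
RULES = [
    ("external", "dmz", {80, 443}),   # the public web server lives in the DMZ
    ("internal", "dmz", None),        # internal users and admins may reach DMZ hosts
    ("internal", "external", None),   # outbound Internet access
]


def policy_allows(p: Packet) -> bool:
    """Header-only decision: does a rule permit this packet in the forward direction?"""
    src_zone, dst_zone = zone_of(p.src), zone_of(p.dst)
    for from_zone, to_zone, ports in RULES:
        if (from_zone, to_zone) == (src_zone, dst_zone) and (ports is None or p.dport in ports):
            return True
    return False


class PacketFilter:
    """Pure packet filter: every packet is judged on its own addressing information."""

    def check(self, p: Packet) -> bool:
        return policy_allows(p)


class StatefulFirewall:
    """Stateful packet inspection: remembers connections opened under policy and
    admits their reply traffic without needing a rule for the reverse direction."""

    def __init__(self) -> None:
        self.connections = set()  # (client, client port, server, server port)

    def check(self, p: Packet) -> bool:
        # Reply direction: the mirror-image 4-tuple was recorded when the connection opened.
        if (p.dst, p.dport, p.src, p.sport) in self.connections:
            return True
        if policy_allows(p):
            if p.syn:  # only a new connection creates state
                self.connections.add((p.src, p.sport, p.dst, p.dport))
            return True
        return False


def demo() -> dict:
    """Push the same traffic, in order, through both firewalls.
    Returns {name: (packet filter verdict, stateful verdict)}."""
    traffic = [
        ("web_request", Packet("203.0.113.7", "192.168.100.10", 443, 51000, syn=True)),
        ("web_reply", Packet("192.168.100.10", "203.0.113.7", 51000, 443)),
        ("ssh_from_internet", Packet("203.0.113.7", "192.168.100.10", 22, 51001, syn=True)),
        ("dmz_pivot_to_internal", Packet("192.168.100.10", "10.0.0.5", 22, 40000, syn=True)),
        ("outbound", Packet("10.0.0.5", "198.51.100.9", 443, 42000, syn=True)),
        ("outbound_reply", Packet("198.51.100.9", "10.0.0.5", 42000, 443)),
        ("forged_reply", Packet("198.51.100.9", "10.0.0.5", 42001, 443)),
    ]
    pf, sf = PacketFilter(), StatefulFirewall()
    return {name: (pf.check(p), sf.check(p)) for name, p in traffic}


if __name__ == "__main__":
    for name, (stateless, stateful) in demo().items():
        print(f"{name:24} packet filter={str(stateless):5} stateful={stateful}")
```

The "forged_reply" case shows why state matters for security and not just convenience: an outside host that guesses the wrong client port (or never saw a connection opened) is dropped by the stateful firewall, whereas a stateless design that opened external-to-internal high ports to let real replies through would admit it.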
Network Segmentation
Involves dividing your network into zones based on security needs. (For example, you might have one zone for sales, a separate zone for technical support, and another zone for research.) Each of these zones would have different technical needs. You can separate them with routers/switches or by using virtual local area networks (VLANs). Essentially, a VLAN is created when you configure a set of ports on a switch to behave like a separate network. You have then segmented your network by creating a logical subnetwork segment.
ISA/IEC-62443
is a series of standards that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS).
NIST SP 800-53
An important cybersecurity standard. It organizes security measures into families of controls, such as risk assessment, access control, incident response, and others. It also defines three baselines (low, moderate, and high) of minimum security controls.
NIST 800-35 "Guide to Information Technology Security Services" (is what? Defines what?)
is an overview of information security. Defines the six (6) phases of the IT Security Life Cycle: Phase 1: Initiation Phase 2: Assessment Phase 3: Solution Phase 4: Implementation Phase 5: Operations Phase 6: Closeout
Wireless
Wireless is inherently less secure than a physically wired network, so segmentation becomes an even greater issue. The first issue is the wireless protection protocol being implemented. There are three choices covered on the exam: WEP, WPA, and WPA2. Know that these are listed in order of increasing security (WPA2 is the most secure of the three, so if at all possible, always choose WPA2). (Outside the exam, WEP and the original WPA with TKIP are broken and should not be used at all; WPA3 is the current standard and should be preferred where the equipment supports it.) ----------------------------------- (When you have older computers that cannot support WPA2, this is one area where segmentation can be very helpful. The computers that cannot support WPA2 should be placed on a separate wireless network that is not connected to the primary wireless network. Also segment a wireless network the same way as a wired network, with zones based on the sensitivity and criticality of the data. It is also good practice to have an entirely separate wireless network for guests that provides only basic Internet access.)
Zones (for network security)
One of the most basic aspects of network security is to segment your network into zones. Each zone has a different level of security, so if one zone is breached, only that zone is affected and the entire network is not necessarily vulnerable. At the simplest level, a network can be separated into zones based on the security needs of different segments of the network. This requires you to classify the individual computers, systems, and data based on the sensitivity of the data and the criticality of the systems. Examples of different zones: Secure Zone, General Work Zone, Low Security Zone.
National Institute of Standards and Technology (NIST) (basic info)
The source for many of the national standards in the United States; many of its published standards relate to cybersecurity. NIST publishes its security guidance as Special Publications (SPs) with a numeric designation (the SP 800 series is the computer security series). The NIST Cybersecurity Framework (NIST CSF) is a separate framework document that provides guidance on managing cybersecurity risk and references those standards.
ISO 27002 Standard
Widely used in cybersecurity. This standard is a code of practice that recommends controls and best practices for initiating, implementing, and maintaining information security management systems (ISMS).