
Security Principles
• Types of Data
At rest
In motion

• Security Terms & Design Guidelines

• CIA Triad
Confidentiality: hiding data from unauthorized individuals/systems
Integrity: aims to prevent data from being corrupted
Availability: ensures that data continues to be available at the required level
Security Principles
• Principle of Least Privilege
Very granular access control; every user/process gets only the rights it needs
• Defense in Depth
Relying on multiple mechanisms and technologies to protect the environment
• Separation of Duties
Requiring more than one person to complete a particular operation
• Accounting/Auditing
Keeping records of network activities
Security Principles
• Security Terms
Asset (anything valuable)
Threat (what we protect against)
Vulnerability (exploitable weakness)
Risk (a potential for compromising an asset)
Countermeasure (a method of reducing risk)
Risk Management
Used to identify, assess, prioritize and monitor risks
Its goal is to eliminate or minimize risks
Security Principles
• Asset Classification
Needed to distinguish between more/less important assets
Helps better secure them

• How do we classify?
Value, replacement cost, age, usefulness

• Classification Categories: Governmental vs Public
Governmental: Unclassified, Sensitive but Unclassified (SBU), Confidential, Secret, Top Secret
Public: Public, Sensitive, Private, and Confidential
Security Principles
• Vulnerability Classification
To find better countermeasures

• Vulnerability Categories
Physical access to the equipment by unauthorized personnel
Human factors
Hardware and software vulnerabilities
Incorrect designs
Misconfigurations
Weaknesses in protocols
Security Principles
• Countermeasure Classification
To know our weapons

• Countermeasure Categories
Physical (enforcing physical security)
Technical/Logical (software/hardware solutions)
Administrative (policies, procedures, guidelines and standards)
Security Threats
• Threats
Anything that can harm our systems
In general it might be an attacker or a piece of software

• Attacker Types
Hackers
Criminals
Terrorists
Disgruntled employees
Competitors
Foreign governments
Security Threats
• Common Attack Methods
Reconnaissance (network discovery)
Social Engineering (fooling/tricking people)
Privilege Escalation (getting more access)
Code Execution (activating malicious code)
Backdoors (software installed to allow remote access in the future)
Covert Channels (hidden communication channel)
Trust Exploitation (utilizing an existing trust relationship/policy to obtain more access)
Man in the Middle aka “MiTM” (when an attacker inserts himself into a session)
Security Threats
• Common Attack Methods
Denial of Service “DoS” (making a device/system unusable)
Distributed DoS “DDoS” (a DoS performed from many attacking hosts at once, e.g. a botnet)
Password Guessing/Cracking
Dictionary Attack (password guessing with a word list)
Brute-Force Attack (trying all possible combinations of a password)
IPS Fundamentals
• Intrusion Sensors
Intrusion Detection System (IDS)
Able to detect attacks
Analyzes a copy of real traffic
Intrusion Prevention System (IPS)
Able to detect and stop attacks
Works on real data packets (inline)

IPS Fundamentals
• Sensor Deployment Modes
Promiscuous/Passive
SPAN, RSPAN or Network Tap
No delay, can't become a bottleneck
Inline
L2
L3 (e.g. FirePOWER)
Throughput and/or latency might be an issue
Fail Open vs Fail Closed (what happens to traffic when the inline sensor itself fails)
Sensor Platforms
• Network-Based Sensors (NIPS)
Physical appliances, such as FirePOWER 7000/8000
ASA/IOS module, such as IOS IPS AIM or ASA FirePOWER
• Host-Based Sensors (HIPS)
Originally deployed using agents installed on endpoints and monitor systems
Currently often deployed in the cloud
The cloud is accessed through connectors installed on endpoints
Has some advantages over NIPS
Full visibility into encrypted traffic (inspection happens on the host, after decryption)
Able to detect attacks that don't generate any network traffic
Drawback: might be hard to deploy and monitor
Attack Detection Strategies
• Signatures
Set of rules/conditions describing an attack
An attack must be already known and signatures must be kept up-to-date
• Anomaly Detection
Initially learns patterns of normal network activities (baseline profile)
This profile is then constantly compared to current activities
• Policy-Based
Traffic detected outside the configured policy triggers an alarm
Configuring a policy might be challenging and time consuming
• Reputation-Based
Traffic is evaluated based on the reputation of IP addresses, URLs and domain names
Sensor Actions
• A sensor can respond to an attack by taking certain action(s)
Alert/Alarm: generates a log entry
Drop: discards the malicious packet(s)
Block: the session, all traffic from the attacker, or traffic between attacker and victim
Reset: disconnects a TCP session (sends TCP RST)
Shun: asks other devices (e.g. a firewall) to block the malicious traffic

• Blacklist, Whitelist
Evaluated before sensor policies (signatures, rules, reputation, etc.)
Statically pre-configured list of bad (blacklist) or good (whitelist) IP addresses
Blacklists can also be downloaded dynamically from Cisco
Sensor Decision Classification
• Sensor decisions are classified based on their correctness
"True" means that the sensor's behavior was correct, "False" that it was not
All "False" events require signature/policy tuning
"Positive" means that a signature fired, "Negative" that it did not
Summary
True Positive : offending traffic caused a signature to fire (OK)
True Negative : normal traffic did not trigger a signature (OK)
False Positive : a signature fired for normal traffic (WRONG)
False Negative : the attack went undetected (WRONG)
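The two preceding slides (sensor actions with list-before-policy ordering, and the True/False Positive/Negative classification) are easier to see on real decisions than on definitions. The Python below is an added example written for these notes, not Cisco or FirePOWER code: the whitelist, blacklist, signatures and packets are all constructed sample data, and the `truth` field on each packet is the analyst's ground truth used only to grade the sensor's decision.

```python
"""Toy inline sensor: white/blacklist first, then signatures, then grading.

Added illustration, not Cisco or FirePOWER code. The lists, signatures and
packets below are constructed sample data; each packet's 'truth' field is
the analyst's ground truth and is used only to grade the sensor's decision.
"""
from collections import Counter

# Constructed lists (assumption: plain IPv4 strings matched exactly).
WHITELIST = {"10.0.0.5"}        # authorized scanner: never inspected further
BLACKLIST = {"198.51.100.7"}    # known-bad source: blocked before any policy

# Constructed signatures: (name, predicate on a packet dict, action).
SIGNATURES = [
    ("sql-injection-in-uri", lambda p: "' or 1=1" in p["payload"].lower(), "drop"),
    ("directory-traversal", lambda p: "../" in p["payload"], "reset"),
]

def sensor_decision(pkt):
    """Return (action, reason). Lists are consulted before any signature."""
    if pkt["src"] in WHITELIST:
        return ("allow", "whitelist")
    if pkt["src"] in BLACKLIST:
        return ("block", "blacklist")
    for name, matches, action in SIGNATURES:
        if matches(pkt):
            return (action, name)
    return ("allow", "no-match")

def grade(action, truth):
    """Map one decision against ground truth onto TP/TN/FP/FN."""
    fired = action != "allow"            # 'positive' = something fired
    if fired:
        return "TP" if truth == "malicious" else "FP"
    return "TN" if truth == "benign" else "FN"

def run(packets):
    """Process every packet; returns (id, action, reason, grade) tuples."""
    out = []
    for p in packets:
        action, reason = sensor_decision(p)
        out.append((p["id"], action, reason, grade(action, p["truth"])))
    return out

def summary(results):
    """Count outcomes; every FP and FN here is a tuning item."""
    return Counter(r[3] for r in results)

# Constructed traffic sample (RFC 5737 documentation addresses).
PACKETS = [
    {"id": 1, "src": "203.0.113.9", "payload": "GET /login?u=admin' OR 1=1-- HTTP/1.1",
     "truth": "malicious"},
    {"id": 2, "src": "203.0.113.9", "payload": "GET /index.html HTTP/1.1",
     "truth": "benign"},
    {"id": 3, "src": "198.51.100.7", "payload": "GET / HTTP/1.1",
     "truth": "malicious"},                       # blacklisted source
    {"id": 4, "src": "10.0.0.5", "payload": "GET /../../etc/passwd HTTP/1.1",
     "truth": "benign"},                          # whitelisted scanner
    {"id": 5, "src": "203.0.113.10", "payload": "GET /docs/../img/a.png HTTP/1.1",
     "truth": "benign"},                          # signature too broad -> FP
    {"id": 6, "src": "203.0.113.11", "payload": "GET /cgi-bin/;cat /etc/passwd HTTP/1.1",
     "truth": "malicious"},                       # no signature -> FN
]

if __name__ == "__main__":
    for row in run(PACKETS):
        print(row)
    print(summary(run(PACKETS)))
```

Packet 4 shows why list order matters: the whitelisted scanner sends a traversal string but is never evaluated against signatures, so it is graded TN rather than FP. Packets 5 and 6 are the two "WRONG" rows of the summary table, and they call for opposite tuning work: narrowing the traversal signature versus adding a signature for the command-injection pattern.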
NGIPS
• FirePOWER is an example of a Next-Generation IPS
Analyzes network traffic in real time looking for threats
Threats are identified based on Cisco Talos Security Intelligence signatures

• FireSIGHT Management Center
A central management platform for all FirePOWER appliances/modules and more
Aggregates and correlates information from all managed devices
Available as a physical or virtual appliance
Email Security
Email Threats
• Email is commonly used as an attack vector
Spam
Unsolicited and unwanted messages
Malicious email
Embedded: contains malware (attachment)
Direct: Phishing (acting as a trusted party to obtain confidential data)
Whaling (target: senior executives)
Vishing (over-the-phone attack)
Email Security Appliance (ESA)
• ESA is an advanced solution designed to control SMTP traffic
Primary functions of ESA include email security and policy enforcement
Email Security
Reputation Filtering, Outbreak Filtering, AMP with Cisco Talos intelligence & more
Policy Enforcement
Inbound e-mail control and rate-limiting
Outbound e-mail control and high-performance delivery
Including Data Loss Prevention (DLP) and Encryption
Content filtering
ESA Deployment
• On-premise
C- and X-series appliances
Recommended design: DMZ
One or two interfaces (+inside)

• Virtual ESA
ESAV

• Hybrid
Cloud for inbound, on-premise for outbound traffic
Email Security Appliance (ESA)
• Email Exchange
Emails are generally forwarded based on the destination domain name
Information about the organization's mail server is stored in a DNS "MX" record
The "MX" record returns a host name, so an "A" lookup must still be used to find the IP address of the SMTP server
If no "MX" record exists, the "A" lookup is performed on the domain itself
Inbound vs Outbound exchange
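The MX-then-A lookup order above, as an added example for these notes (not ESA code): the `ZONE` dictionary is a constructed stand-in for DNS so the logic runs offline, and the fallback to the domain's own "A" record is the "implicit MX" rule from RFC 5321 section 5.1.

```python
"""Where to deliver mail for a domain: MX first, A fallback.

Added illustration of the lookup order in the slide above; not Cisco or ESA
code. ZONE is a constructed stand-in for DNS (assumption: records are known
up front, no real resolver is queried) so the example runs offline.
"""
# Constructed 'DNS': name -> {record type -> records}. MX records are
# (preference, host) pairs; a lower preference value is tried first.
ZONE = {
    "example.com":     {"MX": [(20, "mx2.example.com"), (10, "mx1.example.com")],
                        "A": ["192.0.2.1"]},
    "mx1.example.com": {"A": ["192.0.2.10"]},
    "mx2.example.com": {"A": ["192.0.2.20", "192.0.2.21"]},
    "example.net":     {"A": ["198.51.100.5"]},            # no MX record at all
    "example.org":     {"MX": [(10, "mail.example.org")]}, # MX host has no A record
}

def lookup(name, rtype, zone=ZONE):
    """Return the records of one type for a name (empty list if none)."""
    return list(zone.get(name, {}).get(rtype, []))

def mail_targets(domain, zone=ZONE):
    """Return [(host, [ip, ...]), ...] in the order an MTA would try them.

    With no MX record the MTA treats the domain itself as the mail host (the
    'implicit MX' rule of RFC 5321 section 5.1), hence the A lookup on the
    domain. An MX record never carries an address, so every MX host still
    needs its own A lookup; hosts without one are skipped as undeliverable.
    """
    mx = sorted(lookup(domain, "MX", zone))       # sort by (preference, host)
    hosts = [host for _pref, host in mx] if mx else [domain]
    targets = []
    for host in hosts:
        ips = lookup(host, "A", zone)
        if ips:
            targets.append((host, ips))
    return targets

if __name__ == "__main__":
    for d in ("example.com", "example.net", "example.org"):
        print(d, "->", mail_targets(d))
```

`example.org` is the edge case worth noticing: it has an MX record, so the fallback to the domain's own "A" record does not apply, and because the MX host has no address the result is empty (mail bounces) rather than being delivered somewhere unexpected.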
Web Security
Web Security Appliance
• Web Security Appliance (WSA)
Combination of a fast web proxy and an advanced content filtering solution
Designed for HTTP[S] and FTP
Strong caching, inspection, policy enforcement and anti-malware capabilities
Relies on multiple engines and technologies
• WSA Security Components
URL Filtering
Application Visibility and Control (AVC)
Anti-malware scanning
L4 Traffic Monitor (L4TM)
HTTPS Decryption
WSA Deployment
• Web Proxy
Explicit Forward
Requires re-configuration of clients' browsers (manually or by using a PAC file)
WSA placement is arbitrary
Transparent
Completely transparent to the end users
Traffic is redirected by a router/ASA/L4 switch using WCCPv2
Recommended design: Internet Edge Distribution Layer (ASA's inside interface)
• L4TM
Requires the traffic (TCP) to be redirected to the WSA
SPAN/RSPAN, hub or network tap
Cloud Web Security
• Cloud Web Security (CWS)
Software-as-a-Service (SaaS) implementation of a WSA
No maintenance and support required
Very similar functionality (except for FTP support)
Traffic must be redirected to the CWS cloud so it can be inspected by the SIO engines
Explicit Forward
Addresses of cloud proxies are provided based on the location and deployment size
Cloud Connectors
ISR G2 routers, ASA firewalls and WSA
AnyConnect (mobile and remote users)
Endpoint Security
• Endpoints (PCs, laptops, mobile etc.) are critical to every organization
Often contain important or highly sensitive data

• Endpoint protection tools
Anti-virus (and possibly additional anti-malware) software
Personal firewall
Cisco Advanced Malware Protection (AMP)
Hardware or software encryption
Host-based IPS (HIPS)
Endpoint Security
• Malware is an umbrella term referring to unwanted software
Some sources consider adware and spyware a different category
Commonly mitigated with anti-virus/anti-malware software
Designed to protect against malware and to detect/remove existing infections
• Adware
Created to deliver (usually unwanted) advertisements
• Spyware
Gathers information about the user and their habits
Most malicious spyware collects keystrokes or credit card data
• Ransomware
Blocks access to the PC or certain files, demanding money to unlock them
Endpoint Security
• Virus
Remains inactive until the infected file gets executed, which causes:
Replication to other local, non-local (external media) or remote (network) files
Damage to the infected PC (file removal, performance issues, black screens, etc.)
• Worm
Self-replicating virus
No user activation needed
Spreads by exploiting vulnerabilities found in operating systems or applications
• Trojan
Non-replicating software pretending to be a legitimate application or program
Commonly used as a backdoor
Endpoint Security
• Most anti-virus/anti-malware programs use several detection methods
Signatures
Cannot detect Day-0 (unpublished) threats
Heuristics
Predicting the outcome of code execution (sandboxes)
Behavioral Analysis
Executing and monitoring suspicious code
If the process starts behaving maliciously it gets classified as malware
Capable of detecting some Day-0 attacks

• Anti-virus/anti-malware software should always be kept up-to-date

Endpoint Security
• Personal Firewall
Only protects the endpoint on which it was installed
Integrated into most modern operating systems
Especially important for mobile devices (hotels, airports) and VPN users (split tunneling)
Endpoint Security
• Advanced Malware Protection (AMP) offers before/during/after protection
Before (File Reputation)
Sending the file's fingerprint (hash) to the SIO cloud for analysis
During (File Sandboxing)
Real-time analysis of unknown (potentially harmful) files
After (File Retrospection)
Non-stop analysis of files and traffic allowed into the network
• AMP Deployment
ASA with FirePOWER, ISR routers, ESA or WSA integration
AMP for Endpoints (Windows, Mac, Linux and mobile connectors)
AMP Private Cloud
Endpoint Security
• Encryption
Protects individual files or entire disks
Especially useful for mobile users
Device loss or equipment theft
The encryption key should be properly secured and archived
Losing the key means losing the encrypted data
• Encryption Options
OS built-in utilities (e.g. Mac OS X)
Third-party software/hardware
BitLocker
Special USB drives
802.1x Authentication
• IEEE 802.1x is a L2 authentication mechanism
Before authentication only EAPOL packets are allowed through the port
Cisco's wired 802.1x implementation also allows STP and optionally CDP (IP phones)
Extensible Authentication Protocol (EAP) allows any authentication data to be exchanged
Authorization is performed using downloadable ACLs (dACLs) or VLANs

• 802.1x components
Supplicant (client software)
Authenticator (policy enforcement)
Switch / Access Point (AP)
Authentication Server (RADIUS)
802.1x Authentication
• The Process
Authentication starts on reception of an EAP Request Identity frame
The frame is sent periodically, when a port goes up, or upon reception of EAPOL-Start
The authenticator acts as a proxy between the supplicant (EAPOL) and the RADIUS server
EAP data is encapsulated using two RADIUS EAP-specific attributes (EAP-Message and Message-Authenticator)
Authentication method is negotiated
Authentication is performed
OK: Access-Accept with authorization data -> EAP Success
FAIL: Access-Reject -> EAP Failure
Access is denied; after the dot1x timeout quiet-period the supplicant may re-authenticate
Wired networks: use the next authentication method or assign an Auth-Fail VLAN
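The port-state side of the process above (EAPOL only before authorization, Access-Accept carrying dACL/VLAN, Access-Reject followed by the quiet period or an Auth-Fail VLAN) as an added example for these notes, not Cisco IOS code. The RADIUS user database, dACL text, VLAN numbers and timer value are constructed, and the EAP method negotiation is collapsed into one identity/credential check, which is an assumption made so the state transitions stand out.

```python
"""802.1x port authorization on a wired authenticator, step by step.

Added illustration of the process in the slide above, not Cisco IOS code.
The RADIUS user database, the dACL text, VLAN numbers and timers are
constructed, and the EAP method negotiation is collapsed into one
identity/credential check (an assumption) so the port state transitions
are what stands out.
"""
ETHERTYPE_EAPOL = 0x888E     # the only EtherType an unauthorized port relays
ETHERTYPE_IPV4 = 0x0800
QUIET_PERIOD = 60            # dot1x timeout quiet-period in seconds (constructed)

# Constructed RADIUS user database: identity -> (credential, authorization).
RADIUS_DB = {
    "alice": ("s3cret", {"vlan": 20, "dacl": ["permit ip any any"]}),
    "printer-01": ("p4ss", {"vlan": 30, "dacl": ["permit tcp any any eq 9100"]}),
}

def radius_access_request(identity, credential):
    """Authentication server: Access-Accept plus authorization, or Access-Reject."""
    entry = RADIUS_DB.get(identity)
    if entry is not None and entry[0] == credential:
        return ("Access-Accept", entry[1])
    return ("Access-Reject", {})

class Port:
    """One switchport in 'authentication port-control auto' (authenticator side)."""

    def __init__(self, auth_fail_vlan=None):
        self.auth_fail_vlan = auth_fail_vlan   # wired-only fallback, off by default
        self.authorized = False
        self.vlan = None
        self.dacl = []
        self.quiet_until = 0.0

    def allows(self, ethertype):
        """Before authorization only EAPOL (plus STP/CDP on Cisco) may pass."""
        return self.authorized or ethertype == ETHERTYPE_EAPOL

    def eapol_start(self, identity, credential, now):
        """Supplicant sends EAPOL-Start; the authenticator proxies EAP to RADIUS."""
        if now < self.quiet_until:
            return "ignored: quiet period"
        # EAP Request Identity -> EAP Response Identity, relayed to RADIUS inside
        # EAP-Message attributes; method negotiation omitted (see module docstring).
        code, authz = radius_access_request(identity, credential)
        if code == "Access-Accept":
            self.authorized = True
            self.vlan = authz["vlan"]
            self.dacl = list(authz["dacl"])
            return "EAP Success"
        # Access-Reject -> EAP Failure; hold the port for the quiet period
        self.quiet_until = now + QUIET_PERIOD
        self.dacl = []
        if self.auth_fail_vlan is not None:
            # Wired fallback: authorize into the restricted Auth-Fail VLAN
            self.authorized = True
            self.vlan = self.auth_fail_vlan
            return "EAP Failure (Auth-Fail VLAN)"
        self.authorized = False
        self.vlan = None
        return "EAP Failure"

if __name__ == "__main__":
    port = Port()
    print("IPv4 before auth:", port.allows(ETHERTYPE_IPV4))   # False
    print(port.eapol_start("alice", "wrong", now=100.0))      # EAP Failure
    print(port.eapol_start("alice", "s3cret", now=130.0))     # ignored: quiet period
    print(port.eapol_start("alice", "s3cret", now=161.0))     # EAP Success
    print("IPv4 after auth:", port.allows(ETHERTYPE_IPV4), "VLAN", port.vlan)
```

The default `Port()` models the deny-then-retry behaviour: a failed attempt leaves the port closed to everything but EAPOL, and a new EAPOL-Start inside the quiet period is ignored. `Port(auth_fail_vlan=999)` models the wired fallback instead: the port is authorized, but only into the restricted VLAN and with no dACL.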
802.1x Authentication
• Configuration (wired networks)
Enable AAA (aaa new-model)
Define the RADIUS server (radius-server host or radius server name)
Enable 802.1x globally (dot1x system-auth-control)
Configure the 802.1x method list (aaa authentication dot1x default)
Configure a switchport
Enable access mode (switchport mode access)
Activate 802.1x (authentication port-control auto)
Make sure the port is acting as Authenticator (dot1x pae authenticator)
Bring Your Own Device (BYOD)
• BYOD allows employees to use their personal devices in the corporate network
Flexible and convenient but not secure
Broad access methods like public hot spots, mobile (3G/4G), wireless, wired, VPN
Higher potential for malware, insecure OS etc.

• Cisco's BYOD components
BYOD devices (laptops, tablets, phones etc.)
Identity Services Engine (ISE)
AAA and policy enforcement
Network Access Devices
Wireless LAN Controller (WLC), AP, Integrated Services Router (ISR), ASA
Bring Your Own Device (BYOD)
• Cisco's BYOD components
AnyConnect Mobility Client
VPN and 802.1x client
Cloud Web Security (CWS)
Web traffic scanning
Authentication Database (e.g. AD)
Often combined with a One Time Password (OTP) server, such as RSA ID
Certificate Authority
PKI for BYOD devices
Bring Your Own Device (BYOD)
• Mobile Device Management (MDM) manages & monitors BYOD devices
Policy enforcement
Strong passwords
PIN lock
Data encryption
Data Loss Prevention (DLP)
Remote data removal
Stolen or lost device
Detection of OS modification/tampering attempts
Automatically blocks network access
Bring Your Own Device (BYOD)
• MDM deployments
On-premise
MDM server is located physically within the DC or on the Internet Edge (DMZ)
Configuration and maintenance are performed locally
More secure (intellectual property stays in-house)
Cloud-based
Hosted by an external provider
Easier to deploy
Less secure
