1.0 Security Concepts

1.0 Security Concepts

1.1 Common Security Principles

Section 1.1 CSP Notes

The user's behavior can pose a security risk and training users is a key part of a comprehensive security policy.

1.1a Describe confidentiality, integrity, availability (CIA)

Confidentiality: Only authorized users and systems can access sensitive information.
- Two types of data:
  - Data in motion: Data moving across the network.
    - Can be protected via encryption prior to transmission. Can also use network segmentation to isolate sensitive data on its own network.
  - Data at rest: Data is stored and not in motion.
Integrity: Only authorized users and systems have made modifications to data. If data is corrupted, it means there was a failure of integrity.
Availability: If the network or its data are not available to authorized users, the impact may be significant to companies and users who rely on that network as a business tool. A DoS attack or a general network failure is a failure of availability. This generally leads to a loss of revenue.

1.1b Describe SIEM technology

Security Inventory and Event Management
Receives information from logs and centralizes the collection and analysis of the data.
Log sources for SIEM can include the following:
- Application logs
- Antivirus logs
- Operating system logs
- Malware detection logs
In order to prevent an exhausting of available resources, limit the amount of information collected by determining what is actually needed.
SIEM should be implemented when:
- More visibility into network events is desired
- Faster correlation of events is required
- Compliance issues require reporting to be streamlined and automated
- It needs help prioritizing security issues
Advantages
- Identifies network threats in real time
- Enables quick forensics
- Has a GUI-based dashboard
- Enables administrators to study the root causes of errors
Disadvantages
- Potentially complex deployment
- Costly
- Can generate many false positives
- May not provide visibility into cloud assets

1.1c Identify common security terms

Asset: Anything this is valuable to a company. Includes tangible and intangible items. This is important to define because knowing what, where, and the value of what you're trying to protect, can aid in determining what the cost and time would be in protecting such items.
Vulnerability: An exploitable weakness in a system or its design that can be found in applications, OSs, and protocols. These are discovered daily.
Threat: Any potential danger to an asset.
- Latent: An existing unrealized threat.
- Realized: A known threat that is actively attacking a system and successfully accesses something or compromises your security against an asset.
- Malicious actor: The entity that takes advantage of vulnerability.
- Threat agent or threat vector: The path used by a malicious actor to perform an attack.
Countermeasure: A safeguard that mitigates a potential risk.
Risk: The potential for unauthorized; access to, compromise, destruction, or damage to an asset.

1.1d Identify common network security zones

Zone: A logical area where devices with similar trust levels reside.
A zone can have many interfaces assigned to it.
An interface can only have one zone assigned to it.
Self zone: The default zone for any packets directed to the router. Any packets leaving the router, that were initiated by the router, are also considered to be leaving the self zone. By default, any traffic to or from the self zone is allowed, but this policy can be changed.
Administrator-created zones don't allow traffic between the interfaces in different zones, by default. Any traffic, by default, is allowed between interfaces in the same zone.
Zone pair: A configuration on the router that allows interfaces to communicate that are in different zones.
Inside zone: A LAN facing zone, for internal users.
Outside zone: A WAN facing zone, for Internet access.
DMZ: A WAN and LAN facing zone. For a WAN, it is read-only, and for a LAN, there would be more administrative access allowed. Usually used for a web server.

1.2 Common Security Threats

1.2a Identify common network attacks

Distributed Denial-of-Service attacks (DDoS)
- Direct DDoS: The malicious source is the one that sends packets to its victim
- Reflected DDoS: Spoofed packets that are triangulated from an innocent third-party. The response of the victim is to respond to the third-party instead of back towards the attacker.
- Amplification attacks: Same as reflected attacks, with the addition of larger packets.

1.2b Describe social engineering

The act of using an ignorant employee, etc. to gain unauthorized access to a system, building, property, etc.
Common forms of social engineering:
- Phishing: Masking an email as legitimate in order to get the responder to reveal personal or sensitive information such as bank account numbers or username/passwords.
- Malvertising: Utilizing malicious ads on trusted websites to redirect the victims browser to a site hosting malware.
- Phone scams: An attempt through a phone call to convince employees to divulge sensitive information about themselves or others.

1.2c Identify malware

Packet captures: Collecting, storing, and analyzing the raw packets that are traversing the network.
Snort: An open source intrusion detection and prevention technology developed by the founder of Sourcefire (now a part of Cisco). The Snort engine consists of threat identification, detection, and prevention components that combine to reassemble traffic, prevent evasions, detect threats, and output information about advanced threats while minimizing false positives and missing legitimate threats (false negatives).
NetFlow: Using a base set of parameters, a flow is created to help trace back a malware to its source. Flows are manually created with an expiration. Additionally, flows contain a set of predefined parameters such as source IP address, source port, destination IP address, destination port, IP protocol, ingress interface, and type of service (ToS).
IPS events: Intrusion Prevention Systems (IPS) mainly use signature-based methods to detect and alert the presence of malicious activity on the network. An IPS will not prevent malicious activity though.
Advanced Malware Protection (AMP): Cisco AMP is designed for Cisco FirePower network security appliances. It provides visibility and control to protect against highly sophisticated, targeted, zero-day, and persistent advanced malware threats. AMP helps to identify inconspicuous attacks by continuously analyzing and monitoring files after they've entered the network, utilizing retrospective security alerts to help administrators take action during and after an attack, and provides multisource indications of compromise to aid in the correlation of discrete events for better detection.
NGIPS: The Cisco FirePower next-generation intrusion prevention system (NGIPS) solution provides multiple layers of advanced threat protection at high inspection throughput rates. The NGIPS threat protection solution is centrally managed through the Cisco FireSight Management Center and can be expanded to include additional features such as AMP, application visibility and control, and URL filtering.

1.2d Classify the vectors of data loss/exfiltration

Intellectual property (IP): This consists of any type of data or documentation that is the property of an organization and has been created or produced by employees of the organization. IP often refers to the designs, drawings, and documents that support the development, sale, and support of an organization's productions.
Personally Identifiable Information (PII): This information includes names, dates of birth, addresses, and social security numbers.
Credit/debit cards: Credit card information is highly sought out by malicious actors.

1.3 Cryptography concepts

Page 87

1.3.a Describe key exchange

VPN (Virtual Private Network)
- Used to provide encryption, authentication, data integrity, and antireplay for network traffic.
Types of VPNs
- IPsec: Implements security of IP packets at L3 and can be used for site-to-site VPNs and RAVPNs.
- SSL: Implements security of TCP sessions over encrypted SSL tunnels and can be used for RAVPNs. (HTTPS too).
- MPLS: MPLS and MPLS L3 VPNs are provided by a SP to allow a company with two or more sites to have logical connectivity between the sites using the SP network for transport. There is no encryption by default, but IPsec could be used to encrypt the data over a L3 VPN connection.
Two Main Types of VPNs
- RAVPNs: A VPN connection for a PC to a corporate system, for example. Can use IPsec or SSL for encryption.
- Site-to-site VPNs: Used for two or more sites that want to securely connect together.

Main Benefits of VPNs

Confidentiality
Data Integrity
Authentication
Antireplay protection

Confidentiality

Data is private between parties
If both the sender and receiver know the key used to encrypt the data, they can decrypt that data.

Data Integrity

Data is unaltered from end-to-end.
If the VPN session is compromised and undetected, then the data integrity suffers.

Authentication

Validate that the data hasn't been modified in transit.
Sessions can be authenticated in many ways, to include:
- Pre-shared keys used for authentication only
- Public and private key pairs used for authentication
- User authentication (in combination with RAVPNs)

Antireplay Protection

Duplicate VPN packets means that someone is trying to use an already authenticated session to hijack that session.
- Antireplay protection prevents duplicate packets from being authenticated after the first authenticates successfully.

Cryptography Basic Components

Page 91
Confidentiality is a function of encryption
Data integrity is a function of hashing

Ciphers and Keys

Ciphers

A set of rules, aka an algorithm, about how to perform encryption or decryption.
Common methods that ciphers use are:
- Substitution: replace one character with another.
- Polyalphabetic: Similar to substitution, but instead of using a single alphabet, it could use multiple alphabets and switch between them by some trigger character in the encoded message.
- Transposition: Uses many different options, including the rearrangement of letters.

Keys

Instructions for how to reassemble the charactes.
OTP is an example of a key that is used only once. (Not one-time password)

Block and Stream Ciphers

Page 92

Block Ciphers

A symmetric key cipher that operates on a group of bits called a block. A block cipher encryption algorithm may take a 64-bit block of plain text and generate a 64-bit block of cipher text. With this type of encryption, the same key to encrypt is also used to decrypt. Examples of symmetrical block cipher algorithms include the following:
- AES
- 3DES
- Blowfish
- DES
- IDEA
Block ciphers may add padding in cases where there is not enough data to encrypt to make a full block size.

Stream Ciphers

A stream cipher is a symmetric key cipher where each bit of plaintext data to be encrypted is done 1 bit at a time against the bits of the key stream, aka a cipher digit stream. The resulting output is called a ciphertext stream.

Symmetric and Asymmetric Algorithms

Symmetric

aka symmetric cipher.
Uses same key to encrypt/decrypt data.
Both devices need the key/s to encrypt/decrypt that data.
112 - 256 bits is a typical key length.
128 bit keys are considered fairly safe, but longer is better.
Low CPU usage

Asymmetric

An example of an asymmetric algorithm is public key algorithms.
Two different keys used, one as the public key and the other is the private key.
The public and private keys make up a key pair.
Very high CPU usage to lock and unlock key pairs.
Public key: is published and available to anyone.
Private key: only known by the key owner or device.
Examples:
- RSA
  - Mainly used for authentication.
  - aka public key cryptography standard (PKCS) #1.
  - Key length 512 - 2048.
  - 1024 is min. key size for good security.
- DH
  - Diffie-Hellman key exchange protocol.
  - Allows two devices to negotiate and establish shared secret keying material over an untrusted network.
  - The DH algorithm is asymmetrical, while the keys generated by it are symmetrical that can be then used with symmetrical algorithms such as 3DES or AES.
- ElGamal
  - Similar to DH.
  - Add more detail.

Table of Contents

1.0 Security Concepts

1.1 Common Security Principles

Section 1.1 CSP Notes

1.1a Describe confidentiality, integrity, availability (CIA)

1.1b Describe SIEM technology

1.1c Identify common security terms

1.1d Identify common network security zones

1.2 Common Security Threats

1.2a Identify common network attacks

1.2b Describe social engineering

1.2c Identify malware

1.2d Classify the vectors of data loss/exfiltration

1.3 Cryptography concepts

1.3.a Describe key exchange

Main Benefits of VPNs

Confidentiality

Data Integrity

Authentication

Antireplay Protection

Cryptography Basic Components

Ciphers and Keys

Ciphers

Keys

Block and Stream Ciphers

Block Ciphers

Stream Ciphers

Symmetric and Asymmetric Algorithms

Symmetric

Asymmetric