These were the first two—and only—characters transferred between University of California, Los Angeles (UCLA) and Stanford Research Institute (SRI) when the very first ARPANET link was established between these two locations in 1969. It was an attempt to send the LOGIN command, but the system crashed. Who would have guessed that this was the birth of one of the most important tools of modern times: the Internet? Nevertheless, ARPANET continued to evolve and grow into an international network. By early 1990, especially with the invention of the World Wide Web (WWW) by Tim Berners-Lee, the Internet became an integral part of our lives. Initially ARPANET and then the Internet were designed to be government and government-body networks. The focus of early development was primarily inter-connectivity and reliability. Security was not top-of-mind for what was to be a closed network. Hence, most of the protocols the Internet is made up of do not have security built in.
As the Internet and networking in general grew in prominence, so did the opportunities for malicious actors to profit from them. Security was layered on to existing protocols by means of other protocols or security products. Adding security to these protocols would change them significantly. In addition, the cost and time needed to implement such new protocols were problematic. You don’t have to look further than IPv6 to understand how difficult it is to switch to newer protocols. Even though we have run out of assignable public IPv4 addresses, the shift to IPv6 is far from over. So, we are left with adding layers of security to our networks, and malicious actors are usually a few steps ahead of us.
With the advent of the Internet of Things (IoT), cloud computing, and bring-your-own-device (BYOD) initiatives, among other advances, our networks have changed drastically in recent times. IoT and BYOD have shifted the landscape from known and controlled devices connecting to networks to unknown and uncontrolled devices. With more applications moving to the cloud, a large percentage of traffic now bypasses the corporate intranet and goes through the Internet. As the landscape changes, the threats evolve. In 2016–2017, for example, we saw a big increase in IoT device availability and usage, but we also realized that most of these devices do not have any security built into them. It didn’t take long for someone to capitalize on that and create a botnet out of IoT devices. For example, the Mirai malware, which attacks IoT devices, was responsible for the biggest distributed denial-of-service (DDoS) attack yet known; the victim received close to 1 TB of traffic per second.
Cisco’s chairman, John Chambers, famously said, “There are only two types of companies: those that have been hacked, and those who don’t know they have been hacked.” The security problems and targets are not difficult to find either. Breaking into a network is seriously lucrative. In fact, it is so profitable that Cisco’s security research group, Talos, found that there is a 9-to-5 attack pattern in most cases. That is, malicious actors work the same hours as the good guys! To understand how high the stakes are for both sides, consider these two examples:
- The U.S. FBI estimates the losses attributable to the GameOver Zeus malware to be at least $100 million. More than 1 million devices were infected worldwide, and it took years and resources from 10 countries to eventually take it down.
- The CryptoLocker ransomware is estimated to have netted $27 million in ransom within two months of its release.
With critical systems such as banking, healthcare, and utilities becoming more connected, our security challenges have increased over the years. On the other hand, the malicious actors have evolved from early-day hackers whose intentions were mostly curiosity and bravado to modern-day hackers whose intentions range from financial gain to espionage and beyond. To effectively secure against these threats, it is important to understand not only what we are securing and how we are securing it but also who we are securing against.
Know Thy Enemy
To quote one of my favorite authors, Sun Tzu, “Know thy self, know thy enemy. A thousand battles, a thousand victories.” This advice applies well to network security. Understanding the threat to your network is a very big part of securing it. Hence, it is important to understand who you are securing your network against. Most malicious actors who will target your network fall into one of these categories:
Black-hat hacker: The term hacker originally meant someone who exploited the weakness of systems in the spirit of exploration and curiosity. The media now uses it as a catch-all term to describe all malicious cyber actors. They are in fact referring to black-hat hackers, also known as crackers. These are people or groups that exploit the weaknesses of a system for profit. They commonly use known exploits, social engineering attacks such as phishing, and malware such as rootkits and Trojans to get inside a network.
Script kiddies: This is a derogatory term used to describe black-hat hackers who use easily available scripts and programs in their attacks. Simple denial-of-service (DoS) attacks, web server hacking using XSS, and SQL injections are favorites of script kiddies.
Organized criminal outfits: Criminal organizations have recently realized the revenue potential of cyber attacks. These actors are very well organized, with a strong arsenal of attacks as well as physical presence for money laundering around the world. The most infamous example is the Business Club, which was responsible for the GameOver Zeus malware.
Nation-state actors: Possibly the most sophisticated group on this list, nation-state actors are sponsored by governments. Their activities include espionage, attacks on infrastructure, and surveillance. These activities are done in the interest of the nation-state sponsoring them. Their arsenal includes undisclosed zero-days, highly sophisticated malware, and state-of-the-art social engineering tools. Stuxnet, an early example of malware targeting a physical infrastructure, is alleged to be the product of nation-state actors.
Hacktivists: Internet activists, or hacktivists, are groups of hackers who engage in activities to promote a political agenda. Their activities are designed to gather media attention, and they are quick to claim credit for their attacks. Defacing websites, executing DDoS attacks, and leaking documents or database contents are the most common activities for this group. Anonymous and LulzSec have been two of the most notable hacktivist groups in recent times.
Cyber terrorists: The primary focus of these actors is to create fear through their activities. They are usually motivated by religious or political beliefs and are associated with known terrorist outfits. They attack infrastructure, steal data such as identities of government employees, and deface websites with propaganda. Their skill levels can range from script kiddies to highly skilled black-hat hackers, but they are rarely as sophisticated as nation-state actors.
Insider threats: Insider threats are attackers who are part of your organization. Common sources of insider threats are disgruntled employees looking to exact revenge for perceived wrongdoing. These actors may not be as skilled at attacking a network as the other groups discussed here, but because they exploit the trust and access they already have, their actions are far more damaging. For example, a network admin can easily re-configure routers and switches on his or her last day at work to bring down the whole network. Similarly, a database admin can wipe whole databases and their backups and cause massive losses for an organization. These threats are often more likely and more damaging than any that originate from outside the organization.
This list of potential threats is not exhaustive, but it provides you with a good understanding of what you face. It is important to recognize that these actors and their methods evolve continuously and at a fast pace—and so should your skills and your defenses against them. Defense is what the entirety of this series focuses on, but again, it is important to understand what you are protecting. Without the combined knowledge of the adversary and the self, you will not be able to choose the best defense.
Know Thy Self
What defines a threat? Is a robber a threat to an empty bank? A robber is not a threat in this case because there is nothing to steal. It is the presence of something valuable that makes a threat credible. The value and nature of an asset define the risk posed by a threat, the nature of the threat, and the cost of defense. Similarly, you cannot define a threat to your network until you define the assets that you have to protect, the risks to those assets, and the costs of protecting or not protecting them. This analysis of an organization’s assets and risks is done when creating a security policy. Before we look at security policies, we need to define the key components of network security:
Threat: A threat is a person or tool that can cause harm to an asset. The threat actors discussed in the preceding section or any tools such as viruses, worms, and other malware they use are collectively called a threat.
Vulnerability: A weakness or flaw in an asset or environment that a threat can exploit is called a vulnerability. For example, failing to password-protect your computer creates a vulnerability that may allow a threat to access documents stored on it.
Risk: The potential loss or damage that can result from a threat due to a vulnerability is called the risk. For example, if a threat shuts down your website, then the risk is the loss of revenue during and after the event.
Mitigation: The measures taken to reduce a risk to an asset are called mitigation. All mitigation actions reduce risk and change the threat. For example, using a password to protect access to your computer mitigates the risk of unauthorized access by a threat.
The key take-away here is that a risk can never be eliminated. Mitigation will always change the vulnerability, risk, and threat to an asset. For example, a computer protected by a password is vulnerable to brute-force password cracking. This can be mitigated by a stronger password, but the computer will still be vulnerable to unauthorized access through security flaws in the operating system—and so on. Generally, a risk is mitigated only to the point where the cost of mitigation does not outweigh the risk itself. At that point, the remaining risk is accepted instead of being mitigated.
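To make the cost-versus-risk rule concrete, here is an added example in Python (not from the chapter) that models the laptop scenario above: each mitigation lowers the likelihood of compromise at a cost, and mitigation stops, with the residual risk accepted, once the next control would cost more than the risk it removes. It assumes risk can be expressed as likelihood times impact, a quantification the chapter does not make explicit, and every number in it is constructed.

```python
# Added example: a small model of the threat / vulnerability / risk /
# mitigation cycle. Risk is quantified as expected loss (likelihood * impact),
# an assumption for illustration; the chapter itself only says "potential loss".
from dataclasses import dataclass, field


@dataclass
class Mitigation:
    name: str
    cost: float               # annualised cost of the control (constructed)
    likelihood_factor: float  # current likelihood is multiplied by this (0..1)


@dataclass
class Asset:
    name: str
    impact: float             # loss if the threat succeeds (constructed)
    likelihood: float         # probability of a successful attack per year
    applied: list = field(default_factory=list)

    def risk(self) -> float:
        return self.likelihood * self.impact


def mitigate(asset: Asset, options: list[Mitigation]) -> tuple[float, list[str]]:
    """Apply mitigations while each one removes more risk than it costs.

    Picks the control with the best risk reduction per unit cost each round.
    Returns (accepted residual risk, names of the controls applied).
    """
    remaining = list(options)
    while remaining:
        best = max(remaining,
                   key=lambda m: asset.risk() * (1 - m.likelihood_factor) / m.cost)
        reduction = asset.risk() * (1 - best.likelihood_factor)
        if best.cost > reduction:
            break  # control costs more than the risk it removes: accept the rest
        asset.likelihood *= best.likelihood_factor   # residual vulnerability remains
        asset.applied.append(best.name)
        remaining.remove(best)
    return asset.risk(), list(asset.applied)


def laptop_scenario() -> tuple[float, list[str]]:
    """The chapter's laptop example with constructed figures (not real data)."""
    laptop = Asset("laptop with documents", impact=50_000, likelihood=0.5)
    options = [
        Mitigation("password", cost=100, likelihood_factor=0.2),
        Mitigation("strong password policy", cost=500, likelihood_factor=0.5),
        Mitigation("OS hardening and patching", cost=2_000, likelihood_factor=0.6),
    ]
    return mitigate(laptop, options)


if __name__ == "__main__":
    residual, applied = laptop_scenario()
    print(f"applied: {applied}; accepted residual risk: {residual:.0f}")
```

Note that the third control is never applied: once the first two have cut the expected loss to 2,500, spending 2,000 to remove only 1,000 more is not worth it, so that residual risk is accepted.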
As organizations get more reliant on technology and connectivity, their vulnerabilities and risks increase. In addition, changes in technology bring changes in risks, too. It is difficult for an organization to keep track of its assets and risks. Organizations also have to comply with various industry regulations and legislations, failing which they can be subject to severe penalties. This is where a security policy can help. A security policy is a high-level document that defines the organizational security requirements, principles, and practices created by executive-level management. The policy practically defines what security means for the organization. It contains sets of rules governing the security of assets, information, and people. It is important to remember that a security policy is very high level and does not contain implementation specifics. For example, a security policy may state that encryption is required for certain information but not that it requires 3DES for encryption. This level of detail allows flexibility in adopting new technology without requiring frequent changes to the security policy. The implementation details of a security policy are left to lower-level documents, such as procedures and guidelines.
Note: While a security policy is much wider in scope, the discussion in this chapter is limited to network security.
While creating a security policy is an involved and time-consuming process, it can generally be broken down into five steps:
- Step 1. Identify all assets that need to be protected.
- Step 2. Identify risks and threats associated with each asset.
- Step 3. Identify a risk mitigation strategy for each asset.
- Step 4. Document and communicate findings to all stakeholders.
- Step 5. Monitor and review continuously.
Depending on the size of the organization, the security policy can be one large document that covers all aspects, or it may be several individually focused policies. Because you are preparing for a Cisco exam, it is important to understand various areas of network security that should be part of a security policy, as defined by Cisco. With the definition of each policy, this chapter maps out Cisco products that help in implementing that policy to lay the groundwork for the later chapters. Remember that not every organization will have a need for all of these policies, and a security policy will not recommend a specific product because it is a high-level document. According to Cisco, the following areas of network security should be part of a security policy:
Network access control (NAC): A NAC policy defines how to control access to your network such that only the right person or device can get the right access at the right time. It also defines compliance requirements that devices should meet before access is granted. Identity Services Engine (ISE) is a Cisco product that can be used to implement this policy.
Antimalware: Malware is the primary threat vector in any network, so a policy to prevent, detect, and remediate malware is one of the most important security policies that an organization should have. Cisco’s Advanced Malware Protection (AMP) suite of products can be used to implement this policy.
Application security: Organizations require multiple applications to run their business. These applications may contain vulnerabilities that can be exploited. An application security policy defines the security requirements of these applications.
Behavioral analytics: This policy defines baselining and analytic requirements. Every network has baseline traffic patterns and user behavior. Malicious behavior can be identified by investigating deviations from the established baseline for any organization or network segment. The Stealthwatch product family from Cisco helps implement this policy.
Data loss prevention: Some information in any organization is meant for internal use only. Such data being sent outside the organization can cause irreparable harm. A data loss prevention policy defines the requirements around preventing loss of such data. Various Cisco security products, such as Web Security Appliance (WSA), Email Security Appliance (ESA), Firepower Next-Generation Firewall (NGFW), and Cloudlock can be used to implement this policy.
Email security: Email is the primary method of communication in and out of organizations. Email is also a primary threat vector for security breaches because it can facilitate phishing attacks as well as delivery of malware to the network. An email security policy defines acceptable use and security of email systems. Cisco ESA and Cloud Email Security combined with AMP can help implement this security policy.
Perimeter security: To meet operational requirements, the trusted internal network of an organization has to interface with untrusted networks such as the Internet or networks belonging to partners and vendors. A perimeter security policy defines how the perimeter of the trusted network is protected and how access across it is granted. The Cisco Adaptive Security Appliance (ASA) and Firepower NGFW product families can be used to implement this policy.
Intrusion prevention: Intrusion refers to an active attempt to exploit a vulnerability or violate a policy in a network. An intrusion prevention policy defines the intrusion detection, prevention, and reporting requirements of the organization. Cisco Firepower Next-Generation IPS (NGIPS) and Firepower Next-Generation Firewall (NGFW) product families can help implement an intrusion prevention policy.
Mobile device security: Mobile devices, with their increasing presence and growing support for corporate applications, introduce credible threats in a network. A mobile device security policy defines the security posture and access control requirements for corporate and employee-owned mobile devices in the network. Cisco ISE and Meraki mobile device management product lines can help implement this policy.
Network segmentation: Various segments on a network can require different security and access policies, generally based on the sensitivity of the systems and data residing in each segment. A network segmentation policy defines the requirements around segmenting different parts of the network. Cisco ISE, ASA, and Firepower NGFW, along with TrustSec, can be used to implement a network segmentation policy.
Security information and event management (SIEM): Logs, events, and alarms from various security solutions in a network provide useful information. Analyzing them can help validate existing prevention solutions as well as provide feedback for improvement. Events reported by security solutions should be investigated to ensure that threats have been eliminated and to assess any loss. A SIEM policy defines the requirements around collection, storage, correlation, and analysis of security information as well as security event management. Cisco security products integrate with various SIEM products to help implement this policy.
Remote access: Employees, vendors, or partners often require access to applications from outside the corporate network. Branch or remote locations also need access to the corporate network or data center in order to conduct business. Using a virtual private network (VPN) is one way to provide such access. This policy defines the requirements around providing secure remote access to employees, vendors, partners, and remote locations. Cisco routers, Firepower NGFW, and ASA, along with the AnyConnect VPN client, can be used to implement this policy.
Web security: Web traffic accounts for the majority of traffic in the network and is also the second biggest threat vector. A web security policy defines the requirements around acceptable web use, security of web traffic, and prevention against web-based threats. Cisco WSA, Cisco Secure Internet Gateway (SIG) (formerly known as Cloud Web Security [CWS]), and Cisco Umbrella (formerly known as OpenDNS) can be used to implement a web security policy.
Wireless security: Switch ports providing access to a wired network are often protected by the physical security policies and measures employed by an organization. Because unauthorized persons will be prevented from entering a building, they will not be able to connect to the switch ports inside. Wireless network access, on the other hand, can cross physical security boundaries and hence presents a high risk. A wireless security policy defines the requirements around security and access control of the wireless network, including requirements related to wireless network access by employee-owned devices and guests. Cisco ISE can be used to implement a wireless security policy.
As you can see, defining assets, risks, and various requirements around security can be a challenging task. Even when broken down into simple steps and smaller pieces, creating a security policy is difficult. It is easier to know thy enemy than to know thy self! This is where security standards and frameworks come to the rescue.