As an aspiring network professional, it’s important to have a solid foundation in various network security concepts and principles. Designing, building, and maintaining networks is quite awesome within the industry, but hackers are always looking for new ways to compromise organizations and steal their data. Network professionals design a network with network security principles and technical controls to prevent and mitigate cyber-attacks and threats to help safeguard the assets of the company.
In this chapter, you will understand the need for network security principles and how they are used to help prevent various cyber-attacks and threats. Additionally, you will explore various techniques that are commonly implemented within large organizations to improve the authentication process between users and systems. Lastly, you will explore security and business risk management techniques that are used to help organizations identify and mitigate various types of risks.
In this chapter, we will cover the following topics:
Let’s dive in!
Network security focuses on the techniques, policies, and security controls that are implemented within an organization’s network infrastructure to prevent various types of malicious activities, threats, and cyber-attacks. Without network security solutions, anyone, whether it’s an employee or a guest user, can intentionally or unintentionally perform malicious activities on the network that can cause damage to systems and data loss.
While threat actors are the typical people who will perform intentional cyber-attacks on a network, the trusted employees within the organization can perform unintentional actions, such as inserting a malware-infected USB drive into their work computer/systems without knowing the USB drive contains malware. Sometimes, an employee who is unaware of various threats may click a malicious link within a phishing email that’s created by hackers. Hence, network security professionals need to consider the risks that are involved if the organization’s assets are left unprotected.
Before implementing network security solutions and countermeasures to mitigate and prevent cyber-attacks and threats, it’s important to identify the assets within the organization. Assets are simply anything that has value or is valuable to the organization. Without being able to identify the assets within a company, network security professionals will not be able to properly implement the best countermeasures and security controls to protect the asset from threats.
The following are the three categories of assets:
In the field of network security, various types of security controls and countermeasures are commonly implemented to mitigate and prevent cyber-attacks and threats while protecting tangible and intangible assets, as well as people, within a company. To further understand the network security concepts, next, you will take a deep dive into exploring the pillars of information security and how they work together to protect data, systems, networks, and people.
Information security focuses on protecting the most valuable asset of any organization: data. Data is created each day by users on computers, servers, networking devices, and even security appliances. Data is created in many ways such as a user creating a document on their computer to write a letter to another person, creating a spreadsheet that helps forecast future financial projections for the later months, and even creating an email message. Networking devices and security appliances generate logs, which contain important information about various transactions and causes of errors that occurred on the network that will be helpful to network and security professionals for troubleshooting issues.
Overall, data is created very often on systems, and we don’t even realize it anymore as many organizations and people around the world have adapted to using digital technologies in their everyday lives. For instance, a computer with a word processing application was used to create and help develop the contents of this book while the author typed his thoughts using his keyboard. For each new document, file, or email created on a system such as a computer or a server, new data is created and written to the storage drives of the device.
Organizations store a lot of data that contains confidential information such as details that can be used to identify people; this type of data is commonly referred to as personally identifiable information (PII). The following are examples of PII:
Additionally, healthcare providers store their patients’ details on their systems, which can be used to profile a specific patient. This type of data is commonly referred to as protected health information (PHI). The following are examples of PHI:
Nowadays, threat actors are developing more sophisticated malware such as ransomware, a type of crypto-malware that is designed to encrypt all the data on a system except for the operating system files and presents a payment window to the victim. By encrypting all the data on the system, the threat actor is holding your data hostage and requesting a ransom to be paid within a specific time frame; otherwise, the data will be wiped from the system. This technique is quite intelligent because threat actors can simply create ransomware and unleash it on the internet to compromise any connected systems that are vulnerable. Keep in mind that when ransomware infects a system, the threat actor can exfiltrate your data and sell it on the dark web.
To better understand how data can be vulnerable, the following are the various states of data you must know about:
The three pillars of information security are implemented in both administrative and technical security controls within organizations to help protect assets, including data from cyber-attacks and threats. The following are three elements are the pillars of information security:
When implementing confidentiality, integrity, and availability within an organization, it’s important to ensure there is a balance between each of the components to form the CIA triad, as shown in the following diagram:
Figure 14.1 – CIA triad
As shown in the preceding diagram, the CIA triad is usually drawn using a triangle, and at the end of each angle is one of the three elements – confidentiality, integrity, and availability. At the center of the CIA triad is a dot that represents an equal balance of each element. Some organizations may focus more on confidentiality and integrity, which reduces the availability (access) of resources to users on the network, including the employees. Hence, maintaining a good balance between the components will create great harmony.
A threat is simply defined as anything that has the potential to cause harm or damage to a system. Additionally, a threat has the potential to violate any component of the CIA triad, such as retrieving confidential data, altering a message during transmission, and even disrupting network services and resources. A vulnerability is described as a security weakness or design flaw within a system. Hackers typically use an exploit that can take advantage of the security weakness of their target, allowing the hacker to compromise the system. You can think of an exploit as code that is designed to take advantage of a security weakness on an application, firmware, or operating system. As you dive further into the field of network security, cybersecurity, and information security, you will discover many types of internal and external threats that can compromise the confidentiality, integrity, or availability of a system.
Additionally, zero-day vulnerabilities are found and exploited by threat actors before they are known by the vendor of the product. For instance, operating systems and software vendors perform continuous and rigorous security testing on their products to discover and resolve any security flaws before making them available to their customers. However, there have been times when threat actors were able to discover and exploit a security weakness on an application before the software vendor was made aware of the vulnerability and had time to resolve it. Sometimes, a software vendor may take a few days or even months to roll out a security update or patches to resolve the zero-day vulnerability, leaving their customers’ systems vulnerable and exploitable.
Whenever a new security vulnerability is discovered, it is commonly reported to the software vendor or directly to the Common Vulnerabilities and Exposures (CVE) and National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), which is assigned a unique CVE reference number that provides details about the security vulnerability, affected systems, and how it can be mitigated.
The following screenshot shows an example of the CVE details of the EternalBlue security vulnerability on the Microsoft Windows operating system:
Figure 14.2 – CVE details of a known vulnerability
Tip
To learn more about the newly reported vulnerability and CVE details, be sure to check out https://cve.mitre.org/.
The NIST NVD website usually contains additional details about the security vulnerability, such as the vulnerability scoring, which is based on the Common Vulnerability Scoring System (CVSS) calculator for creating a community-recognized vulnerability score. This determines the severity level of a security weakness.
Internal threats can create a greater impact within an organization compared to external threats. While many organizations focus on implementing various security solutions to protect their corporate networks from external threats on the internet, many IT professionals do not always apply the same level of security to their internal networks. Threat actors such as hackers are aware that the internal security within many organizations is weak or does not even exist at all. Hence, it’s easier to compromise an organization from the inside than to perform an external attack.
For instance, many organizations implement a next-generation firewall at their network perimeter to filter inbound and outbound traffic between their organization and the internet. Threat actors commonly craft phishing email messages, which are designed to trick a potential victim into clicking a malicious embedded link or execute the malicious attachment within the message. While firewalls are security appliances, they are unable to inspect inbound and outbound email traffic for new and emerging threats. Hence, phishing emails can easily go undetected by firewall appliances, which is why dedicated email security solutions are needed.
Next, you will explore various types of threats and malware that are common within the cybersecurity industry.
Malware is any type of malicious software that is designed to cause harm or data loss on a system. The following are a list of various type of malware:
There are so many types of malware in the industry and being able to identify each type is beneficial in understanding whether a system is compromised by a specific malware or another type of threat.
While there are many types of threats and cyber-attacks, threat actors are the people responsible for performing the cyber-attacks and creating the threats within the industry. The following is a list of various categories of threats actors and their motives:
Now that you’re familiar with various types of threats and threat actors, next, you will learn about the importance of implementing least privilege for users on a network and how role-based access control (RBAC) can provide an additional layer of security.
Imagine if, one day, all the employees within your organization had the same user privileges as each other. This would imply the customer service representatives have the same user privileges on their systems as the IT manager and senior members of staff, without any security restrictions to prevent unauthorized changes on their computers. To reduce these security risks, the principle of least privilege is applied to everyone to ensure a user has only enough user privileges on their systems to perform their daily duties while meeting the organization’s goals and objectives.
Additionally, rotation of duties helps detect and reduce any fraudulent activities within an organization. This technique ensures each employee is rotated between different job functions every few months. Therefore, if a specific employee is performing unethical or fraudulent tasks within their current job over a certain period, it may be unnoticeable. However, when the new employee assumes the role of the previous one, the unethical practices will be noticeable, and management can determine the source of the issue.
Another common strategy within large organizations is using separation of duties to ensure no single employee has all the privileges to make a major technical change to a system. Separation of duties requires two different people who can use their combined knowledge to complete a major technical change on a system. For instance, the person who is responsible for modifying the configurations on the firewall should not be the same person who is authorizing those changes; there should be two people for this. This concept prevents a single person from taking over the system or network within an organization.
Sometimes, the human resource and management team suspects an employee is performing unethical or malicious activities on the network. By enforcing mandatory vacation, the employee will need to a take leave of absence from the workplace, where they will be unable to access the systems and networks while away. This allows the organizations to determine whether the employee is responsible for unethical or malicious activities on the network.
Lastly, RBAC is a type of access control method that is based on a user’s job role and duties within the company. This access control ensures the user has the necessary privileges to perform their job efficiently and nothing more. IT professionals can implement this technical security control within their organization by leveraging the Group Policy Object (GPO) role within Active Directory Domain Service (AD DS) on Microsoft Windows Server. GPOs allow IT professionals to create security policies by indicating the permissions a user has on a company-owned system. For instance, if you want to prevent all users within the organization from accessing the Control Panel area or the Settings menu within the Microsoft Windows operating system, using a GPO allows you to configure this restriction and roll out the policy to all domain user accounts on the network. Within the enterprise versions of Microsoft Windows, IT professionals can create local GPOs on individual systems that will be applied to any user who logs into the computer.
While cyber-attacks and threats are increasing each day and the need for cybersecurity professionals and solutions are increasing, organizations are starting to realize there are no prior warnings or indications their company is the next target until it’s too late and their systems are compromised. While many organizations are already investing in acquiring cybersecurity solutions such as threat detection and prevention application and security appliances such as firewalls, they also need to understand the importance of implementing a multi-layered approach to improve their defenses against new and emerging threats.
While many organizations think they don’t need cybersecurity solutions, hackers target anyone and any organization, despite the size of the company. For instance, if a small, private medical practitioner has a few computers within the office to perform daily business transactions and tasks, consider the network infrastructure that’s used to interconnect these systems to share resources. The business may be using a small wired or wireless network; however, does the network have any security features and solutions implemented to prevent external and internal threats?
It’s important to understand not all cyber-attacks and threats originate from the internet or externally. However, many organizations think a network-based firewall is enough to protect their assets and safeguard their systems and users from hackers and other threats. The downside is the network-based firewall is simply a single layer of security that can only filter traffic that passes through the device.
The following diagram shows a network-based firewall that’s filtering inbound and outbound traffic:
Figure 14.3 – Network-based firewall
While having a network-based firewall implemented between the internet and the internal network, it’s important to understand that there are other types of threats and attacks that cannot be prevented or mitigated by a security appliance such as a firewall. What if the organization has a wireless network? Does the wireless router or Access Point use the latest wireless standard and is configured with a complexity password? Are there any unauthorized users who are connected to the wireless network? These are just some of the many questions we need to think about when considering the security of a wireless network.
While some organizations or small businesses think their network or systems do not contain any valuable data, all data is valuable to threat actors. For instance, a small medical practitioner may be using a laptop, computer, or tablet to store patients’ information. If a threat actor were to compromise the laptop and steal the patients’ data, they may be able to identify many patients and disclose their medical history to the public. As a result, the patients will be the victim because their PHI was stolen due to a lack of security controls, meeting compliance, or a lack of diligence of security of the patients’ data by the medical provider. However, the medical provider is also the victim as their systems and networks were compromised by a threat actor.
As you may realize already, a single layer of security is not sufficient. A Defense in Depth approach is the concept of implementing multiple layers of security, which is designed to reduce the attack surface that the threat actor can exploit using a vulnerability while improving the security posture of an organization. For instance, rather than implementing only a network-based firewall to protect all the internal assets of an organization, using a Defense in Depth approach, you should implement Endpoint Detection and Response (EDR) applications on users’ computers, enforce inbound and outbound email filtering for email-based threats, implement inbound and outbound web filter for web-based attacks, best practices for wireless security, and so on.
A Defense in Depth approach ensures an organization is fortified to prevent internal and external threats, it’s resilient against new cyber-attacks and threats, reduces the attack surface, and improves the security posture of the entire organization while using a multi-layered approach.
While some organizations have a flat network, where all devices are on the same physical and logical network, implementing a Virtual Local Area Network (VLAN) within the network can help create and enforce logical network segmentation within the organization. Therefore, each organizational department, such as Sales, HR, Accounting, and so on, can be placed on their own, unique VLAN on the network. Implementing network segmentation improves not only the network performance but the network security too.
The following diagram shows the concept of VLANs on a network:
Figure 14.4 – VLANs on a network
As shown in the preceding diagram, there are many devices connected to the same physical network but the devices within their own organizational departments, such as Sales, HR, and IT, are on their own VLAN and IP subnet.
Additionally, many organizations have network-based firewalls that are filtering inbound and outbound traffic between their internal corporate network and the internet. However, the organizations may have a few servers that need to be accessible from users on the internet. Placing the servers on the internal network creates a major security risk as users from the internet will be able to access the internal network, which isn’t good. However, creating a screened subnet, previously known as a Demilitarized Zone (DMZ), allows security professionals to create a semi-trusted area on their network with strict rules to allow specific users and traffic types into the screened subnet.
The following diagram shows the concept of a screened subnet or DMZ:
Figure 14.5 – Screened subnet
As shown in the preceding diagram, the screened subnet (or DMZ) contains all the publicly accessible servers within the organization, allowing users from the internet to access these systems. When implementing a network-based firewall, it’s important to understand the importance of security zones:
The security zones and security levels play an important role within the firewall as it determines how traffic is filtered by default between each of the security zones based on the security levels:
However, firewalls do not prevent an unauthorized user or device from connecting to the internal wired or wireless network as the firewall was simply designed to filter traffic between networks. Using Network Access Control (NAC), defined by IEEE 802.1X, enforces port-based access control. Therefore, whenever a user connects a device to the wired or wireless network, the NAC system prompts the user to enter valid user credentials, which will be used to validate the identity of the user and their device, assign policies that define what the user is allowed to do while on the network, and generate logs for accountability of the user’s actions while authenticated to the network.
The following shows a NAC system and its components on a network:
Figure 14.6 – NAC system
As shown in the preceding diagram, three essential components are part of a NAC solution. The supplicant is the client device that is connected to the wired or wireless network. Once the supplicant (computer) is connected to the network, the user will be prompted to enter their user credentials. The authenticator is the network switch, wireless router, or Access Point on the network, which is the intermediary device that allows the supplicant to access the network. The authentication server is the server and performs Authentication, Authorization, and Accounting (AAA) on the network. The user credentials, policies, and logs are created on the authentication server.
AAA is a framework that improves network security within an organization. AAA uses the following authentication protocols:
Wireless networks that use IEEE 802.1X NAC commonly use Extensible Authentication Protocol (EAP), a network authentication framework that is designed to securely handle the authentication messages between systems over a wireless network. EAP is commonly seen on wireless networks that use Enterprise mode with a RADIUS server compared to Personal mode with a Pre-Shared Key (PSK).
The following are variations of EAP:
While NAC solutions are designed to enforce port-based access control to wired and wireless networks, companies add the following types of controls within their network to improve the network security while creating a Defense in Depth approach:
Furthermore, some organizations implement a honeypot, which is a type of computer system that is configured and implemented on a network to catch or trick threat actors into thinking it’s a real system. A honeypot intends to lure attackers using a decoy such as mimicking a real production system on the network. When the attacker attempts to compromise and exploit the honeypot, cybersecurity professionals capture the data that’s generated from specialized security monitoring tools on the honeypot, which indicates the attacker’s action – that is, what the person is trying to do.
The data collected from a honeypot provides insights into the following:
By implementing Defense in Depth within organizations, they can move closer to creating a zero-trust network. Zero trust simply focuses on not trusting anything or anyone until it’s properly authenticated on the network. Can you imagine the security risks that are involved when a user connects their mobile device to a company’s network? If the company’s network does not support AAA or does not have any threat detection and prevention systems, malware on the user’s device can spread onto the network and compromise the critical servers.
Having completed this section, you have learned about various network security concepts, such as the importance of the CIA triad, various types of threats and threat actors, and the importance of Defense in Depth. Next, you will explore various authentication methods that can be implemented on a network.
As humans, we can simply look at someone and recognize whether a person is a relative, friend, colleague, stranger, or foe. The human mind allows us to retain memories that contain details about what we see each day, such as recognizing a co-worker entering the office building each morning and greeting you. Likewise, security guards, who are present at various entry points on a compound or building, validate whether a person is an employee or a customer. Eventually, the security guards will become familiar with the employees of an organization and recognize their faces quickly.
Computer systems and their technologies are continuously advancing to help improve the lives of many people around the world while helping organizations improve their business operations and automation. Since many organizations rely strongly on computers to help perform many business processes and procedures, IT professionals need to ensure authorized people are using company-owned systems. For instance, what if an unauthorized user within the organization gained access to a computer system that is responsible for the Heating, Ventilation, and Air Conditioning (HVAC) system for the data center? What will the impact be if the user shuts down the cooling system?
Computer systems are different from the human mind and need processes to determine and validate the identity of a user before allowing them to access the resources of the system. By implementing authentication, IT professionals can configure various key elements that are used to identify a valid user on the system, such as a username and password combination. Whenever a user attempts to access the system, they are prompted to enter something that is known only to the valid user onto the system, such as a valid username and password. If the user credentials are correct, the system allows the user to access the resources. However, if the user credentials are inaccurate, the system restricts access and does not trust the user. You can think of authentication as a set of processes that are used by a system to validate the identity of a user.
Authentication plays an important role in computer systems in today’s world, especially with the continuous increase in cybercrime that’s happening each day. It has become an industry norm to ensure authentication is enabled on all systems within organizations, simply to reduce the risk of an unauthorized user gaining access to a system.
The following are various authentication factors:
Typically, when a person acquires a new computer, laptop, or smartphone, they will enable authentication to ensure an unauthorized user is unable to access the contents and resources on the device. Similarly, network professionals will configure a local user account with a password to restrict unauthorized users from accessing their networking devices. Since the user account is created locally on the computer or networking device, whenever a user wants to access the system, they will need to enter their user credentials, which are checked against the local database. This database determines whether the account is valid. This method is commonly referred to as local authentication as the user credentials are created on the local system only.
If the same user attempts to log into another computer or a networking device, a valid user account needs to be created on the other systems too. The benefit of using local authentication is the computer system can quickly query its local database to determine whether the username and password combination exists or not. However, the downside is that the user account needs to exist on each system that the user needs access to. Therefore, if the user credential is changed on one device, it must be changed on all devices. Using AAA with NAC allows network professionals to implement a centralized authentication server that’s running RADIUS, allowing networking devices to query the authentication server whenever a user attempts to log into a system.
Next, you will learn about the importance of implementing multi-factor authentication (MFA) on systems to prevent unauthorized users from gaining access to systems and accounts.
Creating a user account on a computer or an online website is quite simple; fill in some identification details and create a username (identity) and password. Whenever you’re attempting to log into your online account, you’ll be prompted to enter your username and password. Once the user credentials match on the system, you’re authenticated. It’s that simple. However, configuring only a password, passphrase, or pin is one factor that’s used to validate your identity to the system. Simply put, if a hacker wants to compromise your email account, they can easily determine your username by looking at your email address. Then, the hacker will simply need to determine your password for the account. Once the password is retrieved, the hacker can access your account.
MFA is the concept of enabling additional layers of security on a user account to prevent hackers from performing account takeovers. With MFA implemented, a user will need to provide two or more authentication factors during the authentication process before the system allows the user access. For instance, when logging into your online email account, the website prompts you to enter your email address or username, as shown in the following screenshot:
Figure 14.7 – Google sign-in page
Next, the system prompts you to enter your password/passphrase to validate whether you’re the authorized user for the account, as shown in the following screenshot:
Figure 14.8 – Password page
If you’ve configured MFA, the system will prompt you to use the additional factor next. In this example, I’m using a physical security token and received the following prompt to insert the USB device:
Figure 14.9 – Additional security
With MFA enabled on a system, a user must enter more than one factor to prove their identity. This means that if a username and password of a victim are known to a hacker, the hacker is less likely to compromise the user account if MFA is turned on. Many people are also using authenticator apps on their mobile devices where the authentication code is changed every 20 to 30 seconds. Therefore, if a hacker wants to access an online account with MFA enabled that uses an authenticator code, the hacker will need to use a unique code from the app.
Kerberos is a network authentication that is commonly implemented on Microsoft Windows operating systems and allows client devices such as computers to authenticate to a Domain Controller on a network. Microsoft Windows Server supports the Active Directory Domain Service (AD DS) role, which allows an IT professional to create a logical security domain. This allows IT professionals to centrally manage the security privileges of all users, groups, and devices that belong to the domain.
Important note
Active Directory allows IT professionals to create users, groups, and computer accounts on Windows Server. This allows IT professionals to centrally manage the security of devices and assign policies to users on the domain.
Kerberos allows users on a Microsoft environment to authenticate once on the domain and access all the resources without the need to re-enter their user credentials whenever they need access to a new resource. This concept is commonly referred to as single sign-on (SSO). Additionally, SSO is commonly implemented on various online platforms. For instance, when a user logs into their Google account on the internet, the user can access all of Google’s products and services without having to register or re-authenticate when accessing other services from Google.
To get a better idea of how Kerberos works, let’s look at the three main components that all need to work together to ensure Kerberos provides SSO to users and systems on the network:
When a person enters their user credentials on a client computer that’s connected to a domain, the client computer converts the password into a New Technology LAN Manager (NTLM) version 2 hash. Then, it sends both the username and the NTLMv2 hash of the password within a Lightweight Directory Access Protocol (LDAP) packet to the Domain Controller. As you may recall, LDAP is a common network protocol that is used to perform operations such as read, write, and query, on a directory server for records. A common directory server is a Windows Server that is running the Active Directory role.
The following steps outline the Kerberos process:
Figure 14.10 – Kerberos phase 1
Figure 14.11 – Kerberos phase 2
Figure 14.12 – Kerberos phase 3
Figure 14.13 – Kerberos phase 4
Figure 14.14 – Kerberos phase 5
As you have seen in the preceding phases, the user authenticates only once to the Windows domain using Kerberos with SSO and does not need to re-authenticate to access resources on the domain.
Having completed this section, you have learned about authentication methods on networks. Next, you will discover risk management techniques that are commonly used by organizations.
Each day, people make decisions to mitigate and prevent various types of risks in their daily lives, workplaces, and organizations. In this context of network security, risk is defined as the likelihood/possibility that a threat actor can cause harm or damage to a system. IT professionals must be able to identify the assets that could be attacked and compromised by cyber-attacks and threats. As you may recall, assets are simply anything that has value to an organization and are usually tangible, intangible, and people (employees). By identifying the assets, security professionals will get a better idea of what needs to be safeguarded from potential threats.
Furthermore, IT professionals need to identify the various types of threats and threat actors and how they can potentially compromise the assets of the organization. A hacker will commonly perform reconnaissance to collect a lot of information about their target before launching an attack. The information that’s collected is used to create a profile about the target and determine the technical infrastructure of the target. Sometimes, during the reconnaissance phase, the threat actor may discover exposed security vulnerabilities that can be exploited. However, the hacker usually proceeds to perform various types of scanning to determine if additional security vulnerabilities exist on devices that belong to the target. A large number of vulnerabilities found during the reconnaissance and scanning phases is an indication of a large attack surface.
From a cybersecurity perspective, each vulnerability found on a system has a severity score/rating that is determined by vulnerability assessment tools using the CVSS calculator. The CVSS calculator allows cybersecurity professionals to determine the vulnerability score for any security weaknesses or flaws found on a system, helping cybersecurity professionals prioritize their focus on high-risk vulnerabilities that can have a huge impact if exploited compared to low-risk vulnerabilities. The vulnerability score provided by the CVSS calculator is acceptable within the cybersecurity industry among professionals and organizations.
Overall, the main objective of risk management is to implement processes, procedures, and controls to reduce the security risks that can impact or compromise the assets of a company.
Important note
The CVSS 3.1 calculator can be found at https://www.first.org/cvss/calculator/3.1 and https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator.
The following are common risk response techniques:
Next, you will explore the importance of regular security risk assessments within organizations.
A security risk assessment helps organizations identify, assess, and even implement various security controls that are designed to prevent and resolve security vulnerabilities on their systems and networks. Can you imagine if organizations never performed security risk assessments on their infrastructure? There would be a lot of hidden security flaws in their applications, systems, and networks that can be exploited by hackers. For instance, many organizations around the world don’t realize their systems have been compromised until a few months have passed. This is why there’s a need for regular security risk assessments – to determine the current security posture with a gap analysis to indicate whether the number of security risks is reducing after each assessment and implementation of security controls.
Threat assessments allow cybersecurity professionals to research new, existing, and emerging threats in the industry to determine the future of cyber-attacks and the intention of threat actors. Since each type of threat actor has a unique motive for their attacks, it is important to understand their mindset and the type of tools being used to perform those attacks on targets. For instance, data is the most valuable asset to any organization, and it’s found everywhere. Understanding the strategies and tools that are used by hackers allows cybersecurity professionals to use the same tools and techniques with the intent to discover security vulnerabilities on their company’s systems, and then implement security controls to prevent a real cyber-attack from occurring. This involves taking a proactive approach to improving the security posture of the organization from threats.
The following are additional types of threats that can affect organizations:
A vulnerability assessment helps organizations identify the security vulnerabilities that exist on a system and determine their risk level. Since a security vulnerability is defined as the security weakness or flaw in a system that can be exploited by a threat actor such as a hacker, IT professionals must quickly discover these flaws and resolve them before a real hacker compromises their company. Additionally, vulnerability assessment tools help cybersecurity professionals test for specific vulnerabilities and help ensure systems are compliant with various industry security frameworks and standards. For instance, systems that are used to process payment cards must be Payment Card Industry Data Security Standard (PCI DSS)-compliant to ensure these systems meet the minimum level of security for data protection. Vulnerability assessments and tools assist in checking for compliance.
The following are common vulnerabilities in systems:
Penetration testing is the technique used by authorized cybersecurity professionals with legal permission to simulate a real-world cyber-attack on the systems and networks that belong to an organization, using the same techniques and tools used by real hackers with the intent to discover hidden security vulnerabilities. At the end of a penetration test, the cybersecurity professional submits both an executive and technical report to the organization with details of any security vulnerabilities that were found during the time of the security assessment, from most critical to least. This will include details on how a real hacker will be able to compromise the vulnerabilities, and recommendations on how to prevent and mitigate the security risk.
Organizations use a penetration testing report to improve the security posture of their systems and networks that were tested by applying patches and updates, closing unused service ports, disabling unnecessary services, improving device configurations, and using secure network protocols for communication. It’s important to perform continuous testing on systems and networks within companies to ensure all backdoors and security flaws are fixed before a real hacker compromises them.
Posture assessment helps organizations determine the security risks on mobile devices that are connecting to the corporate network. For instance, an organization with a Bring Your Own Device (BYOD) policy may be allowing their employees to connect their devices, such as smartphones, tablets, and laptops, to the company’s wireless network. Since these personal devices are not managed by the organization’s IT team, there’s no way IT professionals can regularly implement operating systems and security updates on these devices.
Therefore, network and security professionals commonly implement security solutions such as the Cisco Identity Services Engine (ISE) to help determine the security posture of any connected device. The posture assessment checks each device to determine if it is trusted, whether the operating system is up to date, whether the device has an antimalware application, and the type of operating system. If the device has not been through the posture assessment, it is assigned to an isolated logical network, preventing the user and device from accessing the resources on the network.
Important note
Process assessment focuses on examining the existing business processes and procedures within the organization. This helps determine whether these processes are performing optimally with the expenses associated with each process to achieve the expected quality and goals.
Vendor assessment focuses on understanding and reducing the risks that are involved in working with a third-party vendor such as a service provider. There are many security concerns, such as whether the vendor has certified professionals to work on your equipment such as networking devices, security appliances, and servers within your organization. Additionally, it checks whether the vendor has a privacy policy for protecting their customer’s data and whether the vendor is meeting various industry compliance and standards. For instance, an engineer may be required to be certified in a specific information security certification before working on systems that are designed to protect data. Important organizations screen each vendor and ensure they meet all the requirements before conducting any business.
In this section, you learned about various security risk assessment types and how they can be used to help organizations to identify and reduce security vulnerabilities.
In this chapter, you learned about the CIA triad and how network professionals can use it to improve data security within their organizations. Additionally, you learned about various types of security risks and threats that can cause harm to systems and networks in many companies. Furthermore, you discovered various types of authentication methods and how they can be used to reduce account takeovers while preventing unauthorized access to systems.
I hope this chapter has been informative for you and is helpful in your journey toward learning networking and becoming a network professional. In the next chapter, Chapter 15, Exploring Cyberattacks and Threats, you will learn about various types of attacks and threats, as well as how to identify them.
The following is a short list of review questions to help reinforce your learning and help you identify areas that may require some improvement:
A. Availability
B. Integrity
C. Confidentiality
D. All of the above
A. Ransomware
B. Black hat
C. Trojan
D. DDoS
A. Zero-day
B. Day one attack
C. Exploit
D. Ransomware
A. Rootkit
B. Fileless virus
C. Boot sector virus
D. Polymorphic virus
A. APT
B. Hacktivist
C. Black hat
D. Insider
A. Implementing routers
B. Implementing switches
C. Implementing VLANs
D. Implementing bridges
A. IEEE 802.1Q
B. IEEE 802.1D
C. IEEE 802.1w
D. IEEE 802.1X
A. RADIUS
B. SSO
C. TACACS+
D. Kerberos
A. RADIUS
B. SSO
C. TACACS+
D. Kerberos
A. Vulnerability assessment
B. Posture assessment
C. Process assessment
D. Threat assessment
To learn more about the topics that were covered in this chapter, check out the following links:
18.223.237.131