Chapter 1: Understanding Network Security Principles

Cisco Press

Page 2 of 5

Table 1-2 Government and Military Data Classification Example

Data Category



Data that has few or no privacy requirements

Sensitive but unclassified (SBU)

Data that could cause embarrassment but not constitute a security threat if revealed


Data that has a reasonable probability of causing damage if disclosed to an unauthorized party


Data that has a reasonable probability of causing serious damage if disclosed to an unauthorized party


Data that has a reasonable probability of causing exceptionally grave damage if disclosed to an unauthorized party

NOTE In the U.S., Executive Order 12958 states that the U.S. government shall classify classified information into one of three levels: (1) Confidential, (2) Secret, and (3) Top-Secret.

Organizational Classification Model

Table 1-3 provides an example of an organizational data classification model.

Table 1-3 Organizational Data Classification Example

Data Category



Information made available to the public (for example, through marketing materials)


Data that could cause embarrassment but not constitute a security threat if revealed


Organizational information that should be kept secret and whose accuracy should be maintained


Sensitive organizational information (for example, employee records) that should be protected with great care

Data Classification Characteristics

Table 1-4 offers a few characteristics by which data can be classified.

Table 1-4  Data Classification Characteristics




How valuable the data is to the organization


How old the data is

Useful life

How long the data will be considered relevant

Personal association

How personal the data is

When determining a classification approach, define how many classification levels you need. Having too many classification levels can prove difficult to administer, whereas having too few classification levels lacks the granularity needed to classify a wide spectrum of data. As part of documenting your classification approach, you should also indicate who is responsible for securing data classified using your defined security levels.

NOTE Some occasions necessitate the release of classified data. Such occasions include the need to comply with a court order, when working with certain government agencies, and when the release of the information is ordered by senior management.

Classification Roles

Different members of an organization must assume different roles to ensure the proper protection of classified data. Examples of these roles include the following:

  • Owner

    • Initially determines the classification level

    • Routinely reviews documented procedures for classifying data

    • Gives the custodian the responsibility of protecting the data

  • Custodian

    • Keeps up-to-date backups of classified data

    • Verifies the integrity of the backups

    • Restores data from backups on an as-needed basis

    • Follows policy guidelines to maintain specific data

  • User

    • Accesses and uses data in accordance with an established security policy

    • Takes reasonable measures to protect the data he or she has access to

    • Uses data for only organizational purposes

Controls in a Security Solution

As just mentioned, the work of actually securing data is the responsibility of the custodian. However, if security is applied only through technical means, the results will not be highly effective. Specifically, because most attacks originating inside a network are not technical attacks, nontechnical mitigation strategies are required to thwart them. Cisco defines three categories of security controls that together make up a more comprehensive security solution:

  • Administrative controls are primarily policy-centric. Examples include the following:

    • Routine security awareness training programs

    • Clearly defined security policies

    • A change management system, which notifies appropriate parties of system changes

    • Logging configuration changes

    • Properly screening potential employees (for example, performing criminal background checks)

  • Physical controls help protect the data’s environment and prevent potential attackers from readily having physical access to the data. Examples of physical controls include the following:

    • Security systems to monitor for intruders

    • Physical security barriers (for example, locked doors)

    • Climate protection systems, to maintain proper temperature and humidity, in addition to alerting personnel in the event of fire

    • Security personnel to guard the data

  • Technical controls use a variety of hardware and software technologies to protect data. Examples of technical controls include the following:

    • Security appliances (for example, firewalls, IPSs, and VPN termination devices)

    • Authorization applications (for example, RADIUS or TACACS+ servers, one-time passwords (OTP), and biometric security scanners)

NOTE Because this book focuses on Cisco-based security solutions, most of the mitigation strategies presented use technical controls.

Individual administrative, physical, and technical controls can be further classified as one of the following control types:

  • Preventive: A preventive control attempts to prevent access to data or a system.

  • Deterrent: A deterrent control attempts to prevent a security incident by influencing the potential attacker not to launch an attack.

  • Detective: A detective control can detect when access to data or a system occurs.

Interestingly, each category of control (administrative, physical, and technical) contains components for these types of controls (preventive, deterrent, and detective). For example, a specific detective control could be one of the following:

  • An administrative control, such as a log book entry that is required by a security policy

  • A physical control, such as an alarm that sounds when a particular door is opened

  • A technical control, such as an IPS appliance generating an alert

Responding to a Security Incident

Many deterrent controls might display warnings such as “Violators will be prosecuted to the fullest extent of the law.” However, to successfully prosecute an attacker, litigators typically require the following elements to present an effective argument:

  • Motive: A motive describes why the attacker committed the act. For example, was he a disgruntled employee? Also, potential motives can be valuable to define during an investigation. Specifically, an investigation might begin with those who had a motive to carry out the attack.

  • Means: With all the security controls in place to protect data or computer systems, you need to determine if the accused had the means (for example, the technical skills) to carry out the attack.

  • Opportunity: The question of whether the accused had the opportunity to commit the attack asks if the accused was available to commit the attack. For example, if the accused claims to have been at a ball game at the time of the attack, and if witnesses can verify this statement, it is less likely that the accused did indeed commit the attack.

Another challenge with prosecuting computer-based crime stems from the fragility of data. For example, a time stamp can easily be changed on a file without detection. To prevent such evidence tampering, strict policies and procedures for data handling must be followed. For example, before any investigative work is done on a computer system, a policy might require that multiple copies of the hard drive be made. One or more master copies could be locked up, and copies could also be given to the defense and prosecution for their investigation.

Also, to verify the integrity of data since a security incident occurred, you should be able to show a chain of custody. A chain of custody documents who has been in possession of the data (that is, the evidence) since a security breach occurred.
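The evidence-integrity check and chain of custody described above, sketched as an added example that is not from the original book: each custody record stores the SHA-256 digest of the drive copy and the hash of the previous record, so an altered copy or an edited record fails verification. The log format, holder names, timestamps, and image bytes are constructed for illustration and are assumptions of this example.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash value for the first entry (assumed convention)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _entry_hash(body: dict) -> str:
    # Canonical JSON so the same fields always hash to the same value.
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def add_custody_entry(log, holder, action, timestamp, evidence: bytes):
    """Append a record bound to the evidence digest and to the previous record."""
    body = {
        "holder": holder, "action": action, "timestamp": timestamp,
        "evidence_sha256": sha256_hex(evidence),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    log.append({**body, "entry_hash": _entry_hash(body)})
    return log

def verify_custody_log(log, evidence: bytes):
    """Return (ok, reason): checks the links, each record, and the evidence digest."""
    prev, digest = GENESIS, sha256_hex(evidence)
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev:
            return False, f"entry {i}: broken link"
        if _entry_hash(body) != entry["entry_hash"]:
            return False, f"entry {i}: contents altered"
        if entry["evidence_sha256"] != digest:
            return False, f"entry {i}: evidence digest mismatch"
        prev = entry["entry_hash"]
    return True, "ok"

def demo():
    image = b"CONSTRUCTED-DISK-IMAGE: sector data ..."  # stands in for a drive copy
    log = []
    add_custody_entry(log, "Investigator A", "acquired image", "2024-05-01T09:00:00Z", image)
    add_custody_entry(log, "Evidence locker", "stored master copy", "2024-05-01T10:30:00Z", image)
    intact = verify_custody_log(log, image)
    altered_copy = verify_custody_log(log, image.replace(b"sector", b"SECTOR"))
    log[0]["timestamp"] = "2024-05-02T09:00:00Z"  # record edited after the fact
    edited_record = verify_custody_log(log, image)
    return intact, altered_copy, edited_record

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Anyone able to rewrite the entire log can recompute every hash, so the latest entry_hash should also be recorded somewhere the custodians cannot alter.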

Legal and Ethical Ramifications

Some businesses must abide by strict government regulations for security procedures. Therefore, information security professionals should be familiar with a few fundamental legal concepts. For example, most countries classify laws into one of the following three types:

  • Criminal law applies to crimes that have been committed and that might result in fines and/or imprisonment for someone found guilty.

  • Civil law addresses wrongs that have been committed. However, those wrongs are not considered crimes. An example of civil litigation might involve patent infringement. Consequences to someone found to be in violation of a civil law might include an order to cease and desist the illegal activity and/or to pay damages.

  • Administrative law typically involves the enforcement of regulations by government agencies. For example, a company that misappropriated retirement funds might be found in violation of an administrative law. If a party is found to be in violation of an administrative law, the consequences typically are monetary, with the money being divided between the government agency and the victim.

In addition to legal restrictions, information security professionals should be bound by ethical guidelines. Ethical guidelines deal more with someone’s intent and conduct, as opposed to whether an act was technically legal.

Although the issue of ethics might seem more difficult to define, information security professionals have several formalized codes of conduct:

  • International Information Systems Security Certification Consortium, Inc. Code of Ethics

  • Computer Ethics Institute

  • Internet Activities Board (IAB)

  • Generally Accepted System Security Principles (GASSP)

Legal Issues to Consider

As a provider of network connectivity to customers, a service provider needs to be aware of potential liability issues. For example, if an e-commerce company lost a certain amount of business because of a service provider outage, the service provider might be found liable and have to pay damages.

Also, some countries are passing laws dictating how companies handle privacy issues. For example, the Notification of Risk to Personal Data Act in the U.S. requires companies and government agencies that conduct commerce between states to alert anyone whose personal data was revealed to someone not authorized to see it.

U.S. Laws and Regulations

With increased levels of terrorist activity on the Internet and an ever-increasing percentage of Internet connectivity for the world’s citizens, governments are forced to develop regulations and legislation covering information security. As a few examples, the U.S. government created the following regulations, which pertain to information security:

  • Gramm-Leach-Bliley Act (GLBA) of 1999: Did away with antitrust laws that disallowed banks, insurance companies, and securities firms from combining and sharing their information.

  • Health Insurance Portability and Accountability Act (HIPAA) of 2000: Provides assurance that the electronic transfer of confidential patient information will not be less secure than the transfer of paper-based patient records.

  • Sarbanes-Oxley (SOX) Act of 2002: Responded to corporate accounting scandals in an attempt to increase public trust in accounting and reporting practices.

  • Security and Freedom through Encryption (SAFE) Act: Permits any form of encryption to be used by people in the U.S.

  • Computer Fraud and Abuse Act: Developed to reduce malicious computer hacking, with an amendment to accommodate the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act.

  • Privacy Act of 1974: Protects the privacy of individuals and requires that they provide written permission for their information to be released.

  • Federal Information Security Management Act (FISMA) of 2002: Requires annual audits of network security within the U.S. government and affiliated parties.

  • Economic Espionage Act of 1996: States that the misuse of trade secrets is a federal crime.

International Jurisdiction Issues

A unique legal challenge for prosecuting information security offenses deals with jurisdictional issues. For example, an attacker in one country could launch an attack from a computer in another country that targets a computer in yet another country. The international boundaries that were virtually crossed could pose significant challenges to litigators.

Fortunately, governments are beginning to collaborate on such investigations and prosecutions. For example, organizations that share law enforcement information between countries include G8, Interpol, and the European Union.

Understanding the Methods of Network Attacks

You might have noticed that this book has thus far referred to computer criminals as “attackers” rather than “hackers.” This wording is intentional, because not all hackers have malicious intent, even though the term “hacker” often has a negative connotation. In this section, you will gain additional insight into the mind-set and characteristics of various hackers.

Additionally, you will be introduced to a variety of methods that attackers can use to infiltrate a computing system. To help mitigate such attacks, Cisco recommends the Defense in Depth design philosophy, which also is covered in this section, in addition to a collection of best practices for defending your network.


A vulnerability in an information system is a weakness that an attacker might leverage to gain unauthorized access to the system or its data. In some cases, after a vulnerability is discovered, attackers write a program intended to take advantage of the vulnerability. This type of malicious program is called an exploit.

However, even if a system has a vulnerability, the likelihood that someone will use that vulnerability to cause damage varies. This likelihood is called risk. For example, a data center might be vulnerable to a fire breaking out in the building. However, if the data center has advanced fire suppression systems and hot standby backups at another physical location, the risk to the data is minimal.

When you make plans to address vulnerabilities, consider the varied types of vulnerabilities. For example, consider the following broad categories of vulnerabilities:
