Triple DES is a 168-bit (3 × 56-bit) encryption process. DES, or Data Encryption Standard, is a symmetric key encryption algorithm using a block-cipher method.

Cisco advanced malware protection (AMP) is designed for Cisco FirePOWER network security appliances. It provides visibility and control to protect against highly sophisticated, targeted, zero-day, and persistent advanced malware threats.

A form of reflected attacks in which the response traffic (sent by the unwitting participants) is made up of packets that are much larger than those that were initially sent by the attacker (spoofing the victim).

The amount of damage an attack can cause. It is used as one property of a signature inside an IPS/IDS.

The list of methods to be used for authentication (RADIUS, TACACS, enable password, Kerberos, vty line, or local database).

The list of methods to be used for authorization (RADIUS, TACACS, Kerberos, local database, or to pass if already authenticated). Used to specify what the authenticated user is authorized to do.

This promotes the concept of using class maps and policy maps to identify and provide specific treatment for traffic.

CA Certificate authority.  

CCP Cisco Configuration Professional.

CCP Cisco Configuration Professional. A web-based router administration tool with a GUI.

Groups of routers presented together in CCP as a community of devices. A way to organize the devices being managed within CCP.

 The client is designed to protect users on computer-based or mobile platforms, providing a solution to encrypt IP traffic, including TCP and UDP.

Note:Clientless SSL VPNs only provide a way to encrypt TCP-based applications.

But Cisco AnyConnect Secure Mobility Client provides a full-tunnel VPN capability to encrypt TCP, UDP, and other protocols.

This special type of class map defines specific classes and types of traffic to be used for further inspection in zone-based firewalls on IOS routers.

Security enforcement that involves the observation of users and roles in addition to things like interface-based controls. An example is an ACS providing full access to an administrator who is logged in from his local computer, but restricted access when that same user is logged in through a remote device or through a smartphone.

The control plane of a device handles packets that are generated by the device itself or that are used for the creation and operation of the network itself. Control plane packets always have a receive destination IP address and are handled by the CPU in the network device route processor.

Level 0 (user) and level 15 (enable) are predefined; anything in between (1–14) is custom privilege level.

DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted DHCP servers.

An encrypted hash that uniquely identifies the sender of a message and authenticates the validity and integrity of the data received. Signing is done with the private key of the sender, and validation of that signature (done by the receiver) is done using the public key of the sender.

The attacks occur when the source of the attack generates the packets, regardless of protocol, application, and so on that are sent directly to the victim of the attack.

A signature that is enabled. A signature needs to be both enabled and nonretired to be used by an IPS/IDS.

is an IEEE standard for converting a 48-bit MAC address into a 64-bit host address in IPv6 networks. Used for stateless autoconfiguration.

A malicious program designed to “exploit” or take advantage of a single vulnerability or set of vulnerabilities.

used to verify data integrity and authenticity of a message.

A digital certificate assigned to a device, host, person, or e-mail in a PKI infrastructure offering a concept of validated identity.

The Cisco ISE is a critical piece to the Cisco BYOD solution. It is the cornerstone of the authentication, authorization, and accounting (AAA) requirements for endpoint access, which are governed by the security policies put forth by the organization.

What happens during IKE Phase 1?

Internet Key Exchange Phase 1

 The negotiation of the parameters for the IKE Phase 1 tunnel, including hash, DH group, encryption, and lifetime.

 A free community-based antivirus software maintained by Cisco Sourcefire.

Intrusion prevention systems, primarily using signature matching, can alert administrators about an attack on the network and can prevent the initial packet from entering the network.

IPsec is the suite of protocols used to protect the contents of Layer 3 IP packets. ESP is the primary protocol used to encapsulate the Layer 3 packets 

This protocol can be used for gathering/managing information from an LDAP-accessible directory/database. An example of its use is having a AAA server use an LDAP request to Active Directory to verify the credentials of a user.

 LLDP was developed by Cisco and others within the Internet and IEEE community as a new, standardized discovery protocol, 802.1AB. Similar to CDP, LLDP defines basic discovery capabilities and was enhanced to specifically address the voice application.

A type of malicious code that is injected to a legitimate application. An attacker can program a logic bomb to delete itself from the disk after it performs the malicious tasks on the system.

1. mailers and mass-mailer worms 

2. malvertising 

1. A type of worm that sends itself in an e-mail message.

2. This is the act of incorporating malicious ads on trusted websites, which results in users’ browsers being inadvertently redirected to sites hosting malware.

MD5 hashing is applied to the authentication of routing updates between routers to ensure the integrity of routing protocol updates. MD5 route authentication is available for OSPF, EIGRP, RIPv2, and BGP.

A newer technique using the class map and policy map framework to bring about all sorts of manipulations or additional functions to a router. This is what the ASA refers to when using class maps, policy maps, and the service policy commands. On an IOS router, these are referred to as C3PL components.

New keys within DH are not based on seeds from previous keys when PFS is enabled, further increasing security. PFS is associated only with IKE Phase 2.

1. PKCS#10 Public Key Cryptography Standards #10  
2. PKCS#12 Public Key Cryptography Standards #12
3. PKCS#7 Public Key Cryptography Standards #7 

1. Public Key Cryptography Standards #10 is a file format used when sending certificate requests to a CA.
2.  Public Key Cryptography Standards #12 is a file format used to store private keys with accompanying public key certificates.
3. Public Key Cryptography Standards #7 is used by a CA to distribute digital certificates.

A scalable architecture that includes software, hardware, people, and procedures to facilitate the management of digital certificates.

1. policy map 

2. policy map type inspect 

1. The portion of MPF or C3PL that defines what actions occur to traffic belonging to each class.

2. The policy map type is associated with Zoned-Based Firewalls on the IOS. The ASA also has specific purpose policy maps for deep packet inspection.

1. qualitative 

2. quantitative 

1. A method of risk assessment that uses a scenario model, including expert opinion.

2.    A method of risk assessment that uses a mathematical model based on data.

A type of malware that compromises a system and then often demands a ransom from the victim to pay the attacker for the malicious activity to cease or for the malware to be removed from the affected system.

SCEP was created to facilitate large-scale deployments of PKI, by automating the process of authenticating and enrolling with a CA that supports SCEP. This is a Cisco-sponsored protocol and is supported by some, but not all, other vendors.

The output of this command displays the IP prefixes of the packets that will be received and handled by the control plane (CPU) of the device.

The output of this command provides the status of the policy that has been applied to the control plane.

is the original security method for HTTPS. Although succeeded by TLS, this term is still widely used and assumed. This is a secure alternative to HTTP.

What is the difference between standard/extended ACLs? 

Comparing the entry point of a packet’s source address against the routing table and making sure the ingress interface matches what the egress interface would be to reach the source of the packet. If the interface does not match, the router assumes the source address is bogus (spoofed) and can drop the packet.

It employs four colors to indicate different degrees of sensitivity and the corresponding sharing considerations to be applied by the recipients.

Red

Amber

Green

White

Administrative:  Administrative controls could involve items such as background checks for users

Physical: controls are exactly what they sound like,

Logical: often referred to as technical controls.

What is a Man-in-the-Middle Attack?

Its results when attackers place themselves in line between two devices that are communicating, with the intent to perform reconnaissance or to manipulate the data as it moves between them.

Note:This can happen at Layer 2 or Layer 3.

The main purpose is eavesdropping, so the attacker can see all the traffic.

the attacker spoofs Layer 2 MAC addresses to make the devices on a LAN believe that the Layer 2 address of the attacker is the Layer 2 address of its default gateway. This is called ARP poisoning

Frames that are supposed to go to the default gateway are forwarded by the switch to the Layer 2 address of the attacker on the same network

To mitigate this risk, you could use techniques such as dynamic Address Resolution Protocol (ARP) inspection (DAI) on switches to prevent spoofing of the Layer 2 addresses.

The attacker could also implement the attack by placing a switch into the network and manipulating the Spanning Tree Protocol (STP) to become the root switch (and thus gain the ability to see any traffic that needs to be sent through the root switch). You can mitigate this through techniques such as root guard and other spanning-tree controls 

A man-in-the-middle attack can occur at Layer 3 by a rogue router being placed on the network and then tricking the other routers into believing that the new router has a better path. This could cause network traffic to flow through the rogue router and again allow the attacker to steal network data. You can mitigate attacks such as these in various ways, including routing authentication protocols and filtering information from being advertised or learned on specific interfaces.

Man-in-the-Middle Attacks -general

To safeguard data in motion, one of the best things you can do is to use encryption for the confidentiality of the data in transit.

Using management protocols that have encryption built in, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS), is considered a best practice, and using VPN protection for cleartext sensitive data is also considered a best practice.

Used when info cannot be effectively acted upon by additional parties

Note: Recipients may not share info w/ outside parties

Used when info cannot be effectively acted upon by additional parties

Note: Recipients may not share info w/ outside parties

Used when info required support to be effectively acted upon, but carries risk to privacy, reputation, or operations

Note: Recipients may only share info w/ members of their own organization parties

Used when info is useful for the awareness of all participating organizations as well as peers in boarder sectors

Note: Recipients may share info w/ peer or partner organizations w/in sector, but not via publicly accessible channels

Network Security Threat Landscape

Financial:There are several different means in which attackers can make financial gains through their malicious actions.

 Disruption: Unfortunately, many individuals and groups exist solely to cause disruption to the core business of many organizations and institutions.

Geopolitical: Not surprisingly, there are groups affiliated with certain nation states that leverage the Internet to engage in cyber warfare.

Distributed Denial-of-Service Attacks

DDoS attacks can generally be divided into the following three categories:

Direct:  Direct DDoS attacks occur when the source of the attack generates the packets, regardless of protocol, application, and so on, that are sent directly to the victim of the attack.

Reflected: Reflected DDoS attacks occur when the sources of the attack are sent spoofed packets that appear to be from the victim, and then the sources become unwitting participants in the DDoS attacks by sending the response traffic back to the intended victim. UDP is often used as the transport mechanism because it is more easily spoofed

Amplification: Amplification attacks are a form of reflected attacks in which the response traffic (sent by the unwitting participants) is made up of packets that are much larger than those that were initially sent by the attacker (spoofing the victim).

            Defenses Against Social Engineering

Password management: 

Two-factor authentication: 

Antivirus/antiphishing defenses:

Change management:

Information classification:

Document handling and destruction:

Physical security:

Malware Identification Tools

Several factors make this identification particularly difficult:

    1. The sheer amount of malware 

2. Malware is often embedded in otherwise-trusted applications and sent over allowed protocols 

3. limited resources  to keep up with the massive amounts of traffic that traverse the network.

4.  use of encryption has, not surprisingly, added another layer of complexity( can't see into traffic)

Methods Available for Malware Identification

1. Packet captures:

2. Snort IDS/IPS

3. NetFlow:  often referred to as micro-analytical 

4. IPS events: 

5. Advanced Malware Protection: Cisco (AMP)

6. NGIPS: The Cisco FirePOWER 

What is NetFlow?

-Packet capture is often referred to as "micro-analytical" in terms of the granularity of data being analyzed, but

--NetFlow data is considered more of a macro-analytical approach.

-consists of the creation of buckets or flows of data that are based on a set of predefined parameters such as source IP address, source port, destination IP address, destination port, IP protocol, ingress interface, and type of service (ToS)

What is Advanced Malware Protection: Cisco Advanced Malware Protection (AMP)

 It is designed for Cisco FirePOWER network security appliances.

It provides visibility and control to protect against highly sophisticated, targeted, zero-day, and persistent advanced malware threats. 

Helps to identify inconspicuous attacks by continuously analyzing and monitoring files after they’ve entered the network, utilizing retrospective security alerts 

Provides multiple layers of advanced threat protection at high inspection throughput rates.

Centrally managed through the Cisco FireSIGHT Management Center

Can be expanded to include additional features such as AMP, application visibility and control, and URL filtering.

Data Loss and Exfiltration  protection Methods

1. involves a combination of clearly communicated and effective security policies

2. employee education

3. the technologies to help ensure that the security policies put in place can be enforced.

centralized database where all the usernames and passwords are kept for authentication and what the individual users are allowed to do (the authorization portion of AAA)

use ACS for the authentication and authorization components

What Is ISE?

1. it is an identity and access control policy platform

2. it can validate that a computer meets the requirements of a company’s policy related to virus definition files, service pack levels, and so on before allowing the device on the network.

3.  can use ISE (in addition) for the posturing and policy-compliance checking for hosts.

The router acts as a client to the ACS server.

Note: Two main protocols may be used between the ACS server and its client

TACACS+(TACACS+ is Cisco proprietary) which encrypts each packet before it is sent on the network

RADIUS (is an open standard), which means that not only ACS supports it but also that other vendors -RADIUS encrypts only passwords, but not the whole packet being sent between the ACS server and the network device.

an Asset is anything of value to your company or organization

An assets value can be quantitative in dollar terms or qualitative

A vulnerability can be known or unknown okay, but it's basically a weakness in a system or a system design, or weakness in a protocol or a service that can be exploited by a threat or a threat agent

Note: if the vulnerability is theoretical and it hasn't been exploited, then we call that an unrealized threat or a latent threat

A threat is a potential danger to assets, okay. A threat is realized if it's identified by a specific vulnerability and it's exploited, okay, and that exploit is called a threat agent, it's the delivery system of that threat

Note: Not all assets have the same inherent value. The purpose of information classification is to provide the appropriate confidentiality, integrity, and availability.

Three main benefits to information classification.

1. It demonstrates the commitment of an organization to security.

2. It identifies the assets that are the most sensitive.

3. And it identifies which countermeasures apply to which information.

Public Sector: Unclassified, SBU or Sensitive but Unclassified, Confidential, Secret, and Top Secret.

Private Sector: Public, Sensitive, Private, and Confidential.

Criteria used for classification: Value, Age, Useful Life, Personal Association, Replacement Cost, and Liability.

Roles: Owner, Custodian, and User.

Confidentiality, Integrity, and Availability

CIA “triad”

Confidentiality: There are two types of data: data in motion as it moves across the network; and data at rest, when data is sitting on storage media

       Note: It means that only the authorized individuals/systems can view sensitive or classified information.

Integrity:Integrity for data means that changes made to data are done only by authorized individuals/systems.

Availability: This applies to systems and to data. If the network or its data is not available to authorized users—

        Note:The failure of a system, to include data, applications, devices, and networks, generally equates to loss of revenue.

Red

Amber

Green

White

Developed by US-CERT division to ensure that sensitive information is shared with the correct audience

Unclassified

SBU

Confidential

Secret

TopSecret

Public

Sensitive

Private

Confidential

Value

Age

Replacement Cost

Usefull Lifetime

Policy flaws

 Design errors

 Protocol weaknesses

 Misconfiguration

 Software vulnerabilities

 Human factors

 Malicious software

 Hardware vulnerabilities

 Physical access to network resources

Administrative:

Physical:

Logical:

What is an example of an Physical countermeasure?

 Physical security for the network servers, equipment, and infrastructure.

An example is providing a locked door between users and the wiring closet

What is an example of an Logical countermeasure?

 include passwords, firewalls, intrusion prevention systems, access lists, VPN tunnels, and so on.

often referred to as "technical controls."

Terrorists

[image] Criminals

[image] Government agencies

[image] Nation states

[image] Hackers

[image] Disgruntled employees

[image] Competitors

[image] Anyone with access to a computing device

Reconnaissance

Social Engineering

Privilege Escalation

Backdoors

Code Execution

When attackers place themselves "in line between" two devices that are communicating, with the intent to perform reconnaissance or to manipulate the data as it moves between them.

It can happen at Layer 2 or Layer 3.

Note:The main purpose is eavesdropping, so the attacker can see all the traffic.

How can you prevent MitM attacks at layer 2 and ARP poisoning?

With Dynamic Address Resolution Protocol (ARP) inspection (DAI) on switches to prevent spoofing of the Layer 2 addresses.

DAI

What is another layer2 MitM attack frequently used?

How is it mitigated?

manipulating the Spanning Tree Protocol (STP) to become the root switch (and thus gain the ability to see any traffic that needs to be sent through the root switch).

Cisco RootGuard

The network topology used to provide connectivity, data, applications, and services to users of an organization that are physically located at the corporate office (headquarters).

Note: CAN includes a module for each building in the campus, for the data center, for WAN Aggregation, and for the Internet Edge. Security with the Campus Area Network.

It provide a logical and physical location for data and applications that an organization prefers to have moved off-site

Note: It alleviates an organization from having to expend resources to operate, maintain, and manage the services that have been previously located within the organization’s purview.

It is a network that  contains the Unified Computing System (UCS) servers, voice gateways, and CUCM servers supporting the VoIP environment, all of which is provided network connectivity by a series of Nexus switches

Note: it is protected by a set of firewalls at the edge that filters all traffic ingressing and egressing.

The remote site will provide connectivity to the remote users through the use of WAN routers that find their way back to the WAN Aggregation module in the CAN via MPLS WANs

Note: users are provided network connectivity through the presence of access switches

A centralized application-level policy engine for physical, virtual, and cloud infrastructures.

It reduces administrative overhead and improve flexibility and operational efficiency

It provides detailed visibility and control of application and services within the virtual environment.

and it defines the concept of east-west versus north-south traffic.

What is the major challenge you have when trying to use physical appliances or firewall to protect a virtualized environment?

Financial

Disruption

Geopolitical

DDoS attacks can generally be divided into the following three categories

1. Direct: Direct DDoS attacks  are sent directly to the victim of the attack.

2. Reflected: Reflected DDoS attacksoccur when the sources of the attack are sent spoofed packets that appear to be from the victim, and then the sources become unwitting participants in the DDoS attacks by sending the response traffic back to the intended victim. --UDP is often used as the transport mechanism  

3.Amplification: Amplification attacks are a form of reflected attacks in which the response traffic (sent by the unwitting participants) is made up of packets that are much larger than those that were initially sent by the attacker (spoofing the victim).

It builds the actual IPsec tunnel. This includes negotiating the transform set for the IPsec SA.

 Phishing

Malvertising

Phone scams

Password management

Two-factor authentication

Antivirus/antiphishing defenses

Change management

Information classification

Document handling and destruction

Physical security

The sheer amount of malware that exists and is created on a daily basis is almost incomprehensible often making signature-based detection tools useless.

Malware is often embedded in otherwise-trusted applications and sent over protocols that are traditionally allowed through firewalls and access lists

Organizations have limited resources (both human and technology) to keep up with the massive amounts of traffic that traverse the network

increasing use of encryption has added another layer of complexity

Packet captures

Snort

NetFlow

IPS events

Advanced Malware Protection

NGIPS

System RAM, stores the running configuration

1."secure boot-image,"

2."secure boot-config"

What does the command secure boot-image do?

1. It enables the secure boot -image feature

2. It secures the running image

     a. maintained in flash, no longer can be   

         displayed by with the dir command.

    b. cannot be deleted via the command line

What does the command "secure boot-config" do ?

1.It copies running config to secured storage area

2. Secured IOS image and configuration is     called the 'secure bootset'

What is a Management Information Base(MIB) ?

1. A database of network management information that is used and maintained by a network management protocol, such as SNMP or CMIP.

2.  MIB objects are organized in a tree structure that includes public (standard) and private (proprietary) branches.

Test aaa

debug aaa

1. occur when the sources of the attack are sent spoofed packets that appear to be from the victim

  2. Responses are sent to the legitimate source 

Note: Often done via UDP

Phishing

Malvertising

Phone scams

It is Packet capture is often referred to as micro-analytical in terms of the granularity of data being analyzed.

it's based on a set of predefined parameters such as source IP address, source port, destination IP address, destination port, IP protocol, ingress interface, and type of service (ToS)