Chapter 3 - 02 - Discuss Network Security Fundamentals_fax_ocred.pdf
Uploaded by barrejamesteacher
Certified Cybersecurity Technician, Network Security Fundamentals, Exam 212-82

Module Flow: Discuss Information Security Fundamentals; Discuss Network Security Fundamentals

Network security helps organizations in implementing necessary preventative measures to protect their IT infrastructure from misuse, unauthorized access, information disclosure, unauthorized access to or modification of data in transit, destruction, etc., thereby providing a secure environment for the users, computers, and programs to perform their regular functions. This section discusses the goal of network defense, principles of information assurance, benefits and challenges of network defense, types of network defense approaches, types of network security controls, and elements of network defense.

Module 03 Page 418 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Essentials of Network Security

A completely secure and robust network can be designed with proper implementation and configuration of network security elements. Network security relies on three main security elements:

- Network Security Controls: Network security controls are the security features that should be appropriately configured and implemented to ensure network security. These are the cornerstones of any systematic discipline of security. These security controls work together to allow or restrict access to the organization's resources based on identity management.

- Network Security Protocols: Network security protocols implement security-related operations to ensure the security and integrity of data in transit.
  The network security protocols ensure the security of the data passing through the network. They implement methods that restrict unauthorized users from accessing the network. The security protocols use encryption and cryptographic techniques to maintain the security of messages passing through the network.

- Network Security Devices: Network security appliances are devices that are deployed to protect computer networks from unwanted traffic and threats. These devices can be categorized into active devices, passive devices, and preventative devices. This category also includes Unified Threat Management (UTM), which combines the features of all these devices.

Goal of Network Defense

The ultimate goal of network defense is to protect an organization's information, systems, and network infrastructure from unauthorized access, misuse, modification, service denial, or any degradation and disruptions. Organizations rely on information assurance (IA) principles to attain defense-in-depth security. IA principles act as enablers for an organization's security activities to protect and defend the organizational network from security attacks.

Different types of unauthorized or illegal activities may include interrupting, damaging, exploiting, or restricting access to networks or computing resources and stealing data and information from them. The implementation of numerous security measures, by itself, does not guarantee network security. For example, many organizations assume that deploying a firewall, or multiple firewalls, on the network is sufficient to protect their infrastructure from a variety of threats. However, attackers can bypass such security measures to gain access to systems.
Thus, it is important to ensure comprehensive network defense to prevent and mitigate various types of threats. The goal of comprehensive network defense is to deploy continual and defense-in-depth security, which involves predicting, protecting, monitoring, analyzing, detecting, and responding to unauthorized activities such as unauthorized access, misuse, modification, service denial, and any degradation or disruption in the network, and to guarantee the overall security of the network. Organizations rely on information assurance (IA) principles to attain defense-in-depth security.

Information Assurance (IA) Principles: Overview

- Confidentiality: Ensures information is not disclosed to unauthorized parties (a man in the middle cannot listen to or view the information exchanged between the authorized user and the server).
- Integrity: Ensures information is not modified or tampered with by unauthorized parties.
- Availability: Ensures information is available to authorized parties without any disruption (the failure case is services being unavailable to authorized users).
- Non-repudiation: Ensures that a party in a communication cannot deny sending the message (for example, a user who sent "Transfer amount 500 to User" cannot later deny the transaction).
- Authentication: Ensures the identity of an individual is verified by the system or service.
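As an added illustration of integrity, authentication, and non-repudiation (example code written for this page, not part of the EC-Council course material), the following Python program uses only the standard library. A shared-key HMAC lets the receiver detect a man-in-the-middle edit of the "Transfer amount 500" message, but because the server holds the same key it could produce a valid tag itself, so a shared secret cannot stop the user from denying the transaction. A digital signature made with a private key that only the sender holds does provide that non-repudiation. The HMAC key, the RSA primes, and the transfer messages are constructed for this example, and the RSA parameters are far too small for real use.

```python
import hashlib
import hmac

# Shared secret for the HMAC part: a constructed sample value, not a real key.
SHARED_KEY = b"constructed-shared-key-for-this-example"


def make_tag(key: bytes, message: bytes) -> bytes:
    """Sender attaches an HMAC-SHA256 tag so the receiver can detect tampering
    (integrity) and confirm the sender knew the key (authentication)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver recomputes the tag; compare_digest avoids timing side channels."""
    return hmac.compare_digest(make_tag(key, message), tag)


# Toy RSA for the non-repudiation part. The primes are constructed and far too
# small for real use; production systems use 2048-bit+ keys from a vetted library.
RSA_P, RSA_Q = 999983, 1000003
RSA_N = RSA_P * RSA_Q
RSA_E = 65537                                        # public exponent
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))    # private exponent (Python 3.8+)


def digest_mod_n(message: bytes) -> int:
    """Hash the message and reduce it into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % RSA_N


def sign(message: bytes, d: int = RSA_D) -> int:
    """Only the holder of the private exponent d can produce this value."""
    return pow(digest_mod_n(message), d, RSA_N)


def verify_signature(message: bytes, signature: int, e: int = RSA_E) -> bool:
    """Anyone holding the public exponent e can check the signature."""
    return pow(signature, e, RSA_N) == digest_mod_n(message)


def demo() -> dict:
    """Walk through the integrity, authentication and non-repudiation checks."""
    # Constructed messages, mirroring the course's bank-transfer figure.
    original = b"Transfer amount 500 to User"
    tampered = b"Transfer amount 900 to User"      # man-in-the-middle edit
    tag = make_tag(SHARED_KEY, original)
    signature = sign(original)
    # The server holds the same HMAC key, so it could mint a tag for a message
    # the user never sent: a shared secret gives integrity, not non-repudiation.
    forged = b"Transfer amount 999 to User"
    forged_tag = make_tag(SHARED_KEY, forged)
    return {
        "hmac_accepts_original": verify_tag(SHARED_KEY, original, tag),
        "hmac_rejects_tampered": not verify_tag(SHARED_KEY, tampered, tag),
        "server_can_forge_hmac": verify_tag(SHARED_KEY, forged, forged_tag),
        "signature_accepts_original": verify_signature(original, signature),
        "signature_rejects_tampered": not verify_signature(tampered, signature),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The last two checks are the non-repudiation point: the server can verify the signature with the public exponent, but it cannot produce one without the private exponent, so a valid signature ties the message to the sender. Confidentiality is not covered here because the standard library ships no cipher; in practice it is layered on top with a protocol such as TLS or IPsec, as the course's protocol section describes.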
Information Assurance (IA) Principles

Information assurance (IA) principles act as enablers for an organization's security activities to protect and defend its network from security attacks. They facilitate the adoption of appropriate countermeasures and response actions upon a threat alert or detection. Therefore, security professionals must use IA principles to identify data that is sensitive, and to counter events that may have security implications for the network. IA principles assist them in identifying network security vulnerabilities, monitoring the network for any intrusion attempts or malicious activity, and defending the network by mitigating vulnerabilities. Network defense activities should address the following IA principles to achieve defense-in-depth network security:

- Confidentiality: Confidentiality permits only authorized users to access, use, or copy information. Authentication is crucial for confidentiality. If an unauthorized user accesses protected information, it implies that a breach of confidentiality has occurred.

  Figure 3.2: Confidentiality (a man in the middle cannot listen to or view the information passing between the authorized user and the server)

- Integrity: Integrity protects data and does not allow modification, deletion, or corruption of data without proper authorization. This information assurance principle also relies on authentication to function properly.

  Figure 3.3: Integrity (a man in the middle cannot modify the information)

- Availability: Availability is the process of protecting information systems or networks that store sensitive data, to make them available for the end users whenever they request access.

  Figure 3.4: Availability (failure case: services unavailable to authorized users)

- Non-repudiation: Non-repudiation is a service that validates the integrity of a digital signature's transmission, starting from where it originated to where it arrived. Non-repudiation grants access to protected information by validating that the digital signature is from the intended party.

  Figure 3.5: Non-repudiation ("Transfer amount 500 to User"; the user cannot later deny the transaction)

- Authentication: Authentication is a process of authorizing users with the credentials provided, by comparing them to those in a database of authorized users on an authentication server, to grant access to the network. It guarantees that the files or data passing through the network are safe.

  Figure 3.6: Authentication

Network Defense Benefits

- Protect information assets
- Comply with government and industry-specific regulations
- Ensure secure communication with clients and suppliers
- Reduce the risk of being attacked
- Gain a competitive edge over competitors by providing more secure services

Network security is crucial for all organizations, irrespective of size. It safeguards the system, files, data, and personal information, and protects them from unauthorized access. Apart from ensuring safety against hacking attempts and virus attacks, network security also provides the following indirect advantages and benefits.
- Increased Profits: Keeping computer networks secure is critical for any organization. With the deployment of comprehensive network defense, the organization can prevent threats, attacks, and vulnerabilities, which could otherwise cause significant loss. This indirectly supports the organization in earning profits. It also allows organizations to gain a competitive edge over competitors by providing more secure services.

- Improved Productivity: Network security can also help in improving the productivity of the organization. For example, it prevents employees from spending time on unproductive activities over the Internet such as browsing adult content, gaming, and gossip during office hours. These activities can be restricted with safe browsing techniques, consequently improving productivity.

- Enhanced Compliance: Network security spares organizations from incurring penalties for lack of compliance. Real-time monitoring of data flows helps organizations enhance their compliance posture.

- Client Confidence: The knowledge that an organization's systems and data are protected and safe enhances clients' confidence and trust in the organization. This may translate into future purchases of other service offerings from the organization.

Network Defense Challenges

- Distributed Computing Environments: With the advancement in modern technology and to meet business requirements, networks are becoming vast and complex, potentially leading to serious security vulnerabilities. Attackers exploit exposed security vulnerabilities to compromise network security.

- Emerging Threats: Potential threats to the network evolve each day. Network security attacks are becoming technically more sophisticated and better organized.

- Lack of Network Security Skills: Organizations are failing to defend themselves against rapidly increasing network attacks due to the lack of network security skills.

In addition to the broad categories of challenges discussed above, a security professional may face the following challenges in maintaining the security of the network:

- Protecting the network from attacks via the Internet.
- Protecting public servers such as web, e-mail, and DNS servers.
- Containing damage when a network or system is compromised.
- Preventing internal attacks against the network.
- Protecting highly important and sensitive information like customer databases, financial records, and trade secrets.
- Developing guidelines for security professionals to handle the network in a secure manner.
- Enabling intrusion detection and logging capabilities.
Types of Network Defense Approaches

- Preventive Approaches: Consist of methods or techniques that are used to avoid threats or attacks on the target network.
- Reactive Approaches: Consist of methods or techniques that are used to detect attacks on the target network.
- Retrospective Approaches: Consist of methods or techniques that examine the causes for attacks, and contain, remediate, eradicate, and recover from the damage caused by the attack on the target network.
- Proactive Approaches: Consist of methods or techniques that are used to make informed decisions on potential attacks in the future on the target network.

There are four main classifications of security defense techniques used for the identification and prevention of threats and attacks in the network.

- Preventive Approach: The preventive approach essentially consists of methods or techniques that can easily prevent threats or attacks in the target network. The preventive approaches mainly used in networks are as follows:
  - Access control mechanisms such as a firewall.
  - Admission control mechanisms such as NAC and NAP.
  - Cryptographic applications such as IPsec and SSL.
  - Biometric techniques such as speech or facial recognition.

- Reactive Approach: The reactive approach is complementary to the preventive approach. This approach addresses attacks and threats that the preventive approach may have failed to avert, such as DoS and DDoS attacks. It is necessary to implement both preventive and reactive approaches to ensure the security of the network. Reactive approaches include security monitoring methods such as IDS, SIMS, TRS, and IPS.

- Retrospective Approach: The retrospective approach examines the causes for attacks in the network. These include:
  - Fault finding mechanisms such as protocol analyzers and traffic monitors.
  - Security forensics techniques such as CSIRT and CERT.
  - Post-mortem analysis mechanisms including risk and legal assessments.

- Proactive Approach: The proactive approach consists of methods or techniques that are used to inform decision making for countering future attacks on the target network. Threat intelligence and risk assessment are examples of methods that can be used to assess probable future threats to the organization. The methods in this approach facilitate the implementation of preemptive security actions and measures against potential incidents.

Continual/Adaptive Security Strategy

Organizations should adopt an adaptive security strategy, which involves implementing all four network security approaches. The adaptive security strategy consists of four security activities, each corresponding to one security approach:

- Protect: Includes a set of prior countermeasures taken towards eliminating all the possible vulnerabilities of the network.
- Detect: Involves continuous monitoring of the network and identifying abnormalities and their origins.
- Respond: Involves a set of actions taken to contain, eradicate, mitigate, and recover from the impact of attacks on the network.
- Predict: Involves identifying the most likely attacks, targets, and methods prior to materialization of a potential attack.

Continual/Adaptive Security Strategy (Cont'd): Predict covers risk and vulnerability assessment, attack surface analysis, and threat intelligence; Respond covers incident response; Protect covers the defense-in-depth security strategy, which spans three layers:
protect endpoints, protect the network, and protect data. Detect covers continuous threat monitoring.

The adaptive security strategy prescribes that continuous prediction, prevention, detection, and response actions must be taken to ensure comprehensive computer network defense.

- Protection: This includes a set of prior countermeasures taken towards eliminating all the possible vulnerabilities on the network. It includes security measures such as security policies, physical security, host security, firewalls, and IDS.

- Detection: Detection involves assessing the network for abnormalities such as attacks, damages, unauthorized access attempts, and modifications, and identifying their locations in the network. It includes the regular monitoring of network traffic using network monitoring and packet sniffing tools.

- Responding: Responding to incidents involves actions such as identifying incidents, finding their root causes, and planning a possible course of action for addressing them. It includes incident response, investigation, containment, impact mitigation, and eradication steps for addressing the incidents. It also includes deciding whether the incident is an actual security incident or a false positive.

- Prediction: Prediction involves the identification of potential attacks, targets, and methods prior to their materialization as a viable attack. Prediction includes actions such as conducting risk and vulnerability assessment, performing attack surface analysis, and consuming threat intelligence data to predict future threats to the organization.
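To make the Detection activity concrete, here is an added example (written for this page, not EC-Council's code) of the kind of logic a monitoring tool runs over access logs to spot the "unauthorized access attempts" and "abnormalities" the text lists and to locate their origin. It parses a constructed sample of authentication and connection events in a simple key=value format, flags a source that fails authentication repeatedly inside a short window, and flags a source that probes many ports on one host. A single mistyped password and a malformed log line are included to show that both are tolerated rather than raised as incidents, which is the "actual incident or false positive" decision the Responding paragraph mentions. The log format, addresses, and thresholds are all assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication/connection events (not real logs).
# result values: OK, FAIL (bad credentials), REFUSED (nothing listening on dport).
SAMPLE_LOG = """\
2024-05-01T09:00:01 src=10.0.0.5 dst=10.0.1.10 dport=22 user=alice result=FAIL
2024-05-01T09:00:07 src=10.0.0.5 dst=10.0.1.10 dport=22 user=alice result=FAIL
2024-05-01T09:00:13 src=10.0.0.5 dst=10.0.1.10 dport=22 user=root result=FAIL
2024-05-01T09:00:19 src=10.0.0.5 dst=10.0.1.10 dport=22 user=admin result=FAIL
2024-05-01T09:00:25 src=10.0.0.5 dst=10.0.1.10 dport=22 user=admin result=FAIL
2024-05-01T09:00:31 src=10.0.0.5 dst=10.0.1.10 dport=22 user=bob result=FAIL
2024-05-01T09:01:02 src=10.0.0.7 dst=10.0.1.10 dport=22 user=carol result=OK
2024-05-01T09:05:00 src=10.0.0.8 dst=10.0.1.10 dport=22 user=dave result=FAIL
2024-05-01T09:10:00 src=10.0.0.9 dst=10.0.1.20 dport=22 user=- result=REFUSED
2024-05-01T09:10:01 src=10.0.0.9 dst=10.0.1.20 dport=80 user=- result=REFUSED
2024-05-01T09:10:02 src=10.0.0.9 dst=10.0.1.20 dport=443 user=- result=REFUSED
2024-05-01T09:10:03 src=10.0.0.9 dst=10.0.1.20 dport=3389 user=- result=REFUSED
2024-05-01T09:10:04 src=10.0.0.9 dst=10.0.1.20 dport=8080 user=- result=REFUSED
2024-05-01T09:30:00 src=10.0.0.8 dst=10.0.1.10 dport=22 user=dave result=OK
this line is malformed and must not crash the monitor
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_events(text: str) -> list:
    """Parse well-formed lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def detect_auth_bursts(events, threshold=5, window=timedelta(minutes=2)) -> dict:
    """Flag sources with >= threshold FAIL results inside any sliding window.
    A lone typo (10.0.0.8 above) stays below threshold and is treated as noise."""
    fails = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            fails[ev["src"]].append(ev["ts"])
    flagged = {}
    for src, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(count, flagged.get(src, 0))
    return flagged


def detect_port_sweeps(events, threshold=4) -> dict:
    """Flag (src, dst) pairs touching >= threshold distinct destination ports,
    the pattern of one host being probed for open services."""
    ports = defaultdict(set)
    for ev in events:
        ports[(ev["src"], ev["dst"])].add(ev["dport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("auth bursts:", detect_auth_bursts(evs))
    print("port sweeps:", detect_port_sweeps(evs))
```

Both detectors report the origin (source address) together with the evidence, which is what the Responding step needs to start root-cause analysis and containment; in a real deployment the thresholds would be tuned against the organization's own baseline traffic to keep the false-positive rate acceptable.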
Figure 3.7: Continual/Adaptive Security Strategy (Predict: risk and vulnerability assessment, attack surface analysis, threat intelligence; Protect: defense-in-depth security strategy covering endpoints, network, and data; Detect: continuous threat monitoring; Respond: incident response)

Network Security Controls: Administrative Security Controls

Management implements administrative access controls to ensure the safety of the organization. Examples of administrative security controls: regulatory framework compliance, security policy, employee monitoring and supervising, information classification, and security awareness and training.

Administrative security controls are management limitations, operational and accountability procedures, and other controls that ensure the security of an organization. The procedures prescribed in administrative security controls ensure the authorization and authentication of personnel at all levels. The components of an administrative security control include:

- Regulatory framework compliance
- Security policy
- Employee monitoring and supervising
- Information classification
- Separation of duties
- Principle of least privilege
- Security awareness and training
Network Security Controls: Physical Security Controls

This is a set of security measures taken to prevent unauthorized access to physical devices. Examples of physical access controls: locks, fences, badge system, security guards, biometric system, lighting, motion detectors, mantrap doors, closed-circuit TVs, alarms.

Appropriate physical security controls can reduce the chances of attacks and risks in an organization. Physical security controls provide physical protection of the information, buildings, and all other physical assets of an organization. Physical security controls are categorized into:

- Prevention Controls: These are used to prevent unwanted or unauthorized access to resources. They include access controls such as fences, locks, biometrics, and mantraps.
- Deterrence Controls: These are used to discourage the violation of security policies. They include access controls such as security guards and warning signs.
- Detection Controls: These are used to detect unauthorized access attempts. They include access controls such as CCTV and alarms.

Figure 3.8: Physical Security Controls (locks, biometric system, fences, lighting, badge system, motion detectors, security guards, closed-circuit TVs, mantrap doors, alarms)
Network Security Controls: Technical Security Controls

This is a set of security measures taken to protect data and systems from unauthorized personnel. Examples of technical security controls: authorization, access controls, security protocols, network security devices.

Technical security controls are used for restricting access to devices in an organization to protect the integrity of sensitive data. The components of technical security controls include:

- System access controls: System access controls are used for the restriction of access to data according to the sensitivity of the data, the clearance level of users, user rights, and permissions.
- Network access controls: Network access controls offer various access control mechanisms for network devices like routers and switches.
- Authentication and authorization: Authentication and authorization ensure that only users with appropriate privileges can access the system or network resources.
- Encryption and protocols: Encryption and protocols protect the information passing through the network and preserve the privacy and reliability of the data.
- Network security devices: Network security devices such as firewalls and IDS are used to filter and detect malicious traffic, thus protecting the organization from threats.
- Auditing: Auditing refers to the tracking and examining of the activities of network devices in a network. This mechanism helps in identifying weaknesses in the network.

Network Defense Elements: Technology

Appropriate selection of technology, well-defined operations, and skilled people are required for the effective implementation of security strategies. Selecting appropriate technology is crucial, as improper selection of technology can provide a false sense of security.

Technology, operations, and people are the major elements of network security. These elements play an important role in achieving appropriate defense-in-depth network security for the organization. Technological implementations are by themselves not sufficient to guarantee the security of the network. Well-defined operations are needed in order to configure these technologies, and skilled individuals who can perform these operations are necessary. The combination of these elements enables the achievement of defense-in-depth security.

Technology

Selecting appropriate technology is crucial, as improper selection of technology may provide a false sense of security. A security professional must consider the following factors regarding technology:

- The existing network topology
- The appropriate selection of security technologies
- Proper configuration of each component

The following is an example questionnaire for facilitating an appropriate selection of technology:

- Which type of firewalls, IDS, antivirus, etc., are required for the network?
- Which type of encryption algorithm should be used?
- Is a centralized or a distributed access mechanism more suitable for the network?
- What type of password complexity should be adopted?
- Should critical servers be placed on a separate segment?
Network Defense Elements: Operations

Technological implementations are by themselves not sufficient; they should be supported by well-defined operations. Examples of operations: creating and enforcing security policies; creating and enforcing standard network operation procedures; planning business continuity; configuration control management; creating and implementing incident response processes; planning disaster recovery; providing security awareness and training; enforcing security as culture.

Operations

The following are some examples of operations that a security professional must conduct to ensure organization security.

- Creating and enforcing security policies: Security professionals need written security policies to monitor and manage a network efficiently. These policies set appropriate expectations regarding the use and administration of information assets on a network. Security policies describe what to secure on the network and the ways to secure them.

- Creating and enforcing standard network operating procedures: Standard network operating procedures are instructions intended to document routine network activity. Security professionals should rely on these procedures to ensure the efficiency and security of the network. The main goal of network operating procedures is to conduct network operations correctly and consistently.

- Planning business continuity and disaster recovery: There are various threats and vulnerabilities to which businesses are exposed, such as natural disasters, acts of terrorism, accidents or sabotage, outages due to application errors, and hardware or network failures.
  Planning for business continuity and disaster recovery involves proactively devising mechanisms to prevent and manage the consequences of a disaster, thereby limiting it to a minimal extent.

- Configuration control management: Security professionals encounter numerous security problems due to the lack of configuration control management capabilities. Configuration control management involves initiating, preparing, analyzing, evaluating, and authorizing proposals for change to a system. Configuration control management includes:
  - Device hardware and software inventory collection.
  - Device software management.
  - Device configuration collection, backup, viewing, archiving, and comparison.
  - Detection of changes to configuration, hardware, or software.
  - Configuration change implementation to support change management.

- Creating and implementing incident response processes: Security professionals create and implement an incident response process by planning, communication, and preparation. Incident preparation readiness ensures a quick and timely response to incidents. Security managers should determine whether or not to include law enforcement agencies during incident response, as this may affect the organization positively or negatively.

- Conducting forensics activities on incidents: Computer forensics investigators examine incidents and conduct forensic analysis by using various methodologies and tools to ensure that the computer network system in an organization is secure. While conducting forensics activities on incidents, the people responsible for network management should:
  - Ensure that the professionals they hire are prepared to conduct forensic activities.
  - Ensure that their policies contain clear statements about forensic considerations.
  - Create and maintain procedures and guidelines for performing forensic activities.
  - Ensure that the organization's security policies and procedures support the use of forensic tools.

- Providing security awareness and training: Some threats to network security originate from within the organization. These threats can come from uninformed users who may harm the network by visiting websites infected with malware, responding to phishing e-mails, storing their login information in an unsecured location, or even providing sensitive information over the phone when exposed to social engineering. Security managers must ensure that the company's employees do not commit costly errors that can affect network security. They should institute company-wide security awareness training initiatives including training sessions, security awareness websites, helpful hints via e-mail, or posters. These methods can ensure that employees have a good understanding of the company's security policies, procedures, and best practices.

- Enforcing security as culture: Security professionals should enforce security as a culture in the organization, which can help proliferate an awareness of behaviors that compromise security and educate employees to change such behavior. The culture within an organization can have a significant influence on the emergence of risks, and on the degree to which varying control approaches are successful.
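The configuration control management items above (configuration collection, backup and comparison, and detection of changes) translate directly into a routine check that a network team can automate. The following is an added example written for this page, not EC-Council's or any vendor's code: it fingerprints a stored baseline of a device configuration, compares it with the configuration pulled from the device today, produces the line-level change record, and separates changes to security-relevant lines (access lists, management-plane transport, logging) from routine edits so that the former go through change management before anything else. The two configuration texts, the device name, and the list of sensitive markers are constructed for the example; the syntax is Cisco-like but the logic is vendor-neutral.

```python
import difflib
import hashlib

# Constructed sample: the archived baseline of a router configuration and the
# configuration collected from the device today (not from the course material).
BASELINE_CONFIG = """\
hostname edge-rtr-01
ntp server 10.0.0.2
logging host 10.0.0.50
access-list 101 deny ip any 10.0.1.0 0.0.0.255
access-list 101 permit tcp any host 10.0.1.10 eq 443
line vty 0 4
 transport input ssh
"""

CURRENT_CONFIG = """\
hostname edge-rtr-01
ntp server 10.0.0.3
access-list 101 permit ip any 10.0.1.0 0.0.0.255
access-list 101 permit tcp any host 10.0.1.10 eq 443
line vty 0 4
 transport input ssh telnet
"""

# Lines whose change should always be reviewed as a security change (assumed list).
SENSITIVE_MARKERS = ("access-list", "transport input", "logging", "username", "enable secret")


def fingerprint(config: str) -> str:
    """SHA-256 over normalized lines, so trailing whitespace or blank lines
    do not raise a change alarm while any real edit does."""
    normalized = "\n".join(line.rstrip() for line in config.splitlines() if line.strip())
    return hashlib.sha256(normalized.encode()).hexdigest()


def config_changed(baseline: str, current: str) -> bool:
    """Cheap first check: compare archived and collected fingerprints."""
    return fingerprint(baseline) != fingerprint(current)


def config_diff(baseline: str, current: str) -> list:
    """Added (+) and removed (-) lines between baseline and current, without
    the diff headers, as the change record to archive with the new backup."""
    diff = difflib.unified_diff(
        baseline.splitlines(), current.splitlines(), "baseline", "current", lineterm="", n=0
    )
    return [
        line for line in diff
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
    ]


def classify_changes(diff_lines: list) -> dict:
    """Split the change record into security-relevant and routine edits."""
    sensitive = [l for l in diff_lines if any(m in l for m in SENSITIVE_MARKERS)]
    routine = [l for l in diff_lines if l not in sensitive]
    return {"sensitive": sensitive, "routine": routine}


def review(baseline: str, current: str) -> dict:
    """Full check as a scheduled job would run it for one device."""
    if not config_changed(baseline, current):
        return {"changed": False, "sensitive": [], "routine": []}
    return {"changed": True, **classify_changes(config_diff(baseline, current))}


if __name__ == "__main__":
    result = review(BASELINE_CONFIG, CURRENT_CONFIG)
    print("changed:", result["changed"])
    for label in ("sensitive", "routine"):
        print(f"{label} changes:")
        for line in result[label]:
            print("  ", line)
```

In the constructed sample the review flags three security-relevant edits: the logging host was removed, an access-list deny became a permit, and telnet was added as a management transport; only the NTP server change is routine. Archiving the fingerprint and diff with each backup gives the comparison history the text calls for, and any unapproved sensitive change becomes an input to the incident response process.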
Network Defense Elements: People

O People are a crucial element of any organization’s network security
O Appropriate technology and well-defined operations cannot replace skilled people, who are required to implement the technology and manage well-defined operations

People involved in the network security include:
* Network Defense Team
* Incident Handling and Response (IH&R) Team
* Computer Forensics Investigation Team

People

People are a crucial element of any organization’s network security. The degree to which people embody a culture of security can significantly influence that organization’s ability to protect key assets. Specifically, the people involved in network defense are responsible for maintaining, repairing, and managing network and computer systems to improve their performance. People involved in network security include:

* Network Defense Team
* Incident Handling and Response (IH&R) Team
* Computer Forensics Investigation Team
Network Defense Team

O Network defense teams explore and solve network problems logically and consistently and monitor the network for vulnerabilities before an outsider can exploit it
O These people use network security technologies and operations to design and implement a robust and secure network

Network Administrator: Manages the entire network in an organization
Network Security Administrator: Fixes, controls, and monitors the security solutions of an organization
Network Security Engineer: Develops the countermeasures required for network and technology related issues in an organization
Security Architect: Supervises the implementation of computer and network security in an organization
Security Analyst: Evaluates the efficiency of the security measures implemented in an organization
Network Technician: Manages the hardware and software components of an organization’s network

Network Defense Team

Network defense teams explore and solve network problems logically and consistently and monitor the network for vulnerabilities before an outsider can exploit it. These people use network security technologies and operations to design and implement a robust and secure network. People involved in the network defense team include:

* Network Administrator: The network administrator manages the entire network in an organization. They coordinate all systems and software and help in the smooth functioning of the organization’s network.

* Network Security Administrator: The network security administrator is responsible for maintaining the security of the network system in an organization. They fix, control, and monitor the security solutions of an organization.
* Network Security Engineer: The network security engineer mainly develops the countermeasures required for network and technology related issues in an organization. They monitor and manage issues pertaining to IT.

* Security Architect: The security architect supervises the implementation of computer and network security in an organization. Their role is to implement network and computer security in an efficient manner.

* Security Analyst: The security analyst maintains the privacy and integrity of the internal network in an organization. They evaluate the efficiency of the security measures implemented in an organization.

* Network Technician: The network technician manages the hardware and software components of an organization’s network. They fix issues related to these components.

* End User: The end user refers to the people who use the end product deployed by an organization. The end user accesses the developed products through devices such as desktop computers, laptops, tablet computers, and smartphones.

* Leadership: An informed leadership can help an organization in taking exemplary decisions regarding the security of the network and systems in an organization. They are required to be proactive in finding the weaknesses and strengths in a network.
Incident Handling and Response (IH&R) Team

O A centralized IH&R team will perform vulnerability analysis, establish well-defined security policies, detect indicators of compromise, handle legal issues, manage public relations, and provide proper reports regarding the incident

People Involved in an IH&R Team

Information Security Officer (ISO): Responsible for all IH&R activities in the context of overall organizational information security
Incident Manager (IM): Analyzes and reviews incident handling processes from managerial and technical perspectives
Incident Coordinator: Connects different stakeholders affected by incidents, such as the incident handling team, the legal team, the human resources team, clients, and vendors
Forensic Investigator: Responsible for maintaining forensics readiness across an organization and implementing effective IH&R
Threat Researcher: Supplements security analysts by researching threat intelligence data
System Administrator: Responsible for the working and security of systems
Network Administrator: Analyzes network logs, gathers logs of suspicious activity, and helps in the detection of incidents at a primary level
Internal Auditor: Ensures that an organization complies with the regulations, business standards, and laws of its regions of operation
Financial Auditor: Responsible for calculating the costs involved in an incident
Human Resource: Responsible for analyzing the human aspects of the disaster and conducting post-event counseling
Public Relations: Serves as a primary media contact

Incident Handling and Response (IH&R) Team

An IH&R team is a group of technically skilled people capable of carrying out various functions, such as threat intelligence, evidence analysis, and user investigations. Having a trained IH&R team in an organization reduces not only the losses caused by incidents and the response time, but also the probability of similar attacks occurring in the future.
A centralized IH&R team managed by an incident handler will perform vulnerability analysis, establish well-defined security policies, detect indicators of compromise, handle legal issues, manage public relations, and provide proper reports regarding the incident. People involved in an IH&R team include:

* Information Security Officer (ISO)

An ISO governs the security posture of an organization and bears responsibility for all IH&R activities in the context of overall organizational information security. The officer is responsible for setting IH&R goals, approving the process, granting permissions, and contacting the stakeholders and other management authorities of the organization. The ISO must head all the members of the IH&R team, including the incident manager and incident handler. The officer is also responsible for providing incident handling guidance and training to security team members across the organization, evaluating their actions and consequences, and suggesting corrective actions to perfect incident handling.

* Incident Manager (IM)

The IM is responsible for managing all IH&R activities. The IM must be a technical expert with a clear understanding of and experience with handling security issues. The IM will focus on incidents as well as analyze and review incident handling processes from managerial and technical perspectives. He or she must drive the IR team to encourage focused incident containment and recovery.

* Incident Coordinator

Incident coordinators connect different stakeholders affected by incidents, such as the incident handling team, the legal team, the human resources team, clients, and vendors.
They play a vital role in coordinating between security teams and networking groups, facilitate communication, and keep everyone updated on the status of the incident. The incident coordinator should possess communication and technical skills and have a solid business sense of the organization’s operations.

* Forensic Investigator

Forensic investigators, experts in the forensic investigation of incidents, help organizations and law enforcement agencies to investigate and prosecute the perpetrators of cybercrimes. They are responsible for maintaining forensics readiness across an organization and implementing effective IH&R. They must also preserve and submit the evidence required to legally prosecute the attackers.

* Threat Researcher

Threat researchers supplement security analysts by researching threat intelligence data. They gather all details about prevalent incidents and security issues and help spread awareness of them among users. They also use this information to build or maintain a database of internal intelligence.

* System Administrator

System administrators look after the working and security of systems and can be very helpful in the IR process: they configure systems and provide and grant access. They can also help in gathering system information, separating the impacted systems from the network, and analyzing system data to detect and verify incidents. They can also facilitate containment and eradication by installing new patches and updates and by upgrading the systems across an organization. They are also responsible for backup, system recovery, and analyzing system logs.

* Network Administrator

Network administrators are responsible for examining a computer network’s traffic for signs of incidents or attacks, such as DoS, DDoS, firewall breaches, or other malicious forms of code. They install and use network sniffing and capturing tools as well as loggers to identify the network events involved in an attack.
They must analyze network logs, gather logs of suspicious activity, and help in the detection of incidents at a primary level. They perform the actions necessary to block network traffic from a suspected intruder.

* Internal Auditor

Internal auditors must ensure that an organization complies with the regulations, business standards, and laws of its regions of operation. They must regularly audit the policies and procedures followed by the organization to maintain information security. They must also ensure that the organization’s systems, devices, and other network resources are up-to-date and compliant with industry regulations. They must identify and report any security loopholes to management.

* Financial Auditor

Financial auditors are responsible for calculating the costs involved in an incident, such as damages or losses caused by the incident and costs incurred by IH&R. Along these lines, they must notably estimate the cost of cyber insurance and claim it when required.

* Human Resource

The human resources department is responsible for analyzing the human aspects of the disaster and conducting post-event counseling. Notably, it is responsible for tracking, recording, reporting, and compensating the organization’s human resources for all the billable hours related to performing duties throughout the event. It also ensures the submission of records as well as other information related to payroll and keeps track of the records of all injuries along with the investigation results relating to events. Moreover, it is responsible for counseling people after the event and notifying various people, as per organization policy.

* Public Relations

This department serves as a primary media contact and thus informs the media about an event.
It updates the organization’s website information and monitors media coverage. Along these lines, it is responsible for stakeholder communication, including communications with:

o The board
o Foundation personnel
o Donors
o Grantees
o Suppliers/vendors
o Media

Computer Forensics Investigation Team

O The investigation team plays a major role in solving a case
O The team is responsible for evaluating the crime, evidence, and criminals

People Involved in an Investigation Team

Photographer: Photographs the crime scene and the evidence gathered
Incident Responder: Responsible for the measures to be taken when an incident occurs
Incident Analyzer: Analyzes the incidents based on their occurrence
Evidence Examiner/Investigator: Examines the evidence acquired and sorts the useful evidence
Evidence Documenter: Documents all the evidence and the phases present in the investigation process
Evidence Manager: Manages the evidence in such a way that it is admissible in the court of law
Expert Witness: Offers a formal opinion in the form of a testimony in the court of law
Attorney: Provides legal advice

Computer Forensics Investigation Team

The investigation team plays a major role in solving a case. The team is responsible for evaluating the crime, evidence, and criminals. To find the appropriate evidence from a variety of computing systems and electronic devices, the following people may be involved:

* Photographer: The photographer photographs the crime scene and the evidence gathered. They should have an authentic certification. This person is responsible for shooting all the evidence found at the crime scene, which records the key evidence in the forensics process.
* Incident Responder: The incident responder is responsible for the measures taken when an incident occurs. This individual is responsible for securing the incident area and collecting the evidence that is present at the crime scene. They should disconnect the system from other systems to stop the spread of the incident to other systems.

* Incident Analyzer: The incident analyzer analyzes the incidents based on their occurrence. They examine the incident as per its type, how it affects the systems, the different threats and vulnerabilities associated with it, etc.

* Evidence Examiner/Investigator: The evidence examiner examines the evidence acquired and sorts it based on usefulness and relevance into a hierarchy that indicates the priority of the evidence.

* Evidence Documenter: The evidence documenter documents all the evidence and the phases present in the investigation process. They gather information from all the people involved in the forensics process and document it in an orderly fashion, from incident occurrence to the end of the investigation. The documents should contain complete information about the forensics process.

* Evidence Manager: The evidence manager manages the evidence. They have all the information about the evidence, for example, evidence name, evidence type, time, and source of evidence. They manage and maintain a record of the evidence such that it is admissible in the court of law.

* Expert Witness: The expert witness offers a formal opinion as a testimony in a court of law. Expert witnesses help authenticate the facts and other witnesses in complex cases. They also assist in cross-examining witnesses and evidence, as various factors may influence a normal witness.
* Attorney: The attorney gives legal advice about how to conduct the investigation and address the legal issues involved in the forensic investigation process.
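The evidence manager's record described above (evidence name, type, time and source, kept so the item stays admissible) is usually backed by an integrity hash taken at seizure and an unbroken chain-of-custody log. The register below is an added example, not code from the courseware; the evidence item, the people and the timestamps are constructed sample data.

```python
"""Evidence register with integrity hashes and a chain-of-custody log.

Added example, not code from the EC-Council courseware: it shows the record
keeping the evidence manager role calls for (name, type, time, source, a
hash taken at seizure, and every handover) so integrity can be proven later.
All items, people and timestamps are constructed sample data.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class EvidenceItem:
    item_id: str
    name: str
    evidence_type: str
    source: str
    collected_at: str
    sha256: str                                   # hash recorded at seizure
    custody: list = field(default_factory=list)   # ordered handover records


class EvidenceRegister:
    def __init__(self) -> None:
        self.items: dict[str, EvidenceItem] = {}

    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def register(self, item_id, name, evidence_type, source, data: bytes,
                 collector: str, when: str) -> str:
        """Record a newly seized item; the first custody entry is the seizure."""
        item = EvidenceItem(item_id, name, evidence_type, source, when, self.digest(data))
        item.custody.append({"time": when, "holder": collector, "purpose": "seizure"})
        self.items[item_id] = item
        return item.sha256

    def transfer(self, item_id: str, giver: str, receiver: str, when: str, purpose: str):
        """Log a handover; refuse it if the giver is not the last recorded holder,
        because an unexplained gap is exactly what breaks the chain in court."""
        item = self.items[item_id]
        current = item.custody[-1]["holder"]
        if current != giver:
            raise ValueError(f"custody break for {item_id}: held by {current}, not {giver}")
        item.custody.append({"time": when, "holder": receiver, "purpose": purpose})

    def verify(self, item_id: str, data: bytes) -> bool:
        """Re-hash the item and compare with the hash taken at seizure."""
        return self.items[item_id].sha256 == self.digest(data)


# Constructed sample bytes standing in for an acquired disk image.
SAMPLE_IMAGE = b"constructed-disk-image-bytes-for-WS-42"

def build_sample_register() -> EvidenceRegister:
    """Seize one item and hand it from the responder to the examiner."""
    reg = EvidenceRegister()
    reg.register("E-001", "workstation disk image", "disk image", "workstation WS-42",
                 SAMPLE_IMAGE, "A. Responder", "2024-03-01T09:15:00Z")
    reg.transfer("E-001", "A. Responder", "B. Examiner", "2024-03-01T11:40:00Z", "analysis")
    return reg
```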