Module 03 - Network Security Fundamentals_fax_ocred.pdf
EC-Council
Module 03: Network Security Fundamentals
Certified Cybersecurity Technician, Exam 212-82

Module Objectives
- Understanding the Fundamentals of Information Security
- Overview of the National Institute of Standards and Technology (NIST) Cybersecurity Framework
- Understanding the Fundamentals of Network Security
- Understanding the Principles of Information Assurance (IA)
- Understanding the Different Types of Network Defense Approaches
- Understanding the Elements of Network Defense

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

With the increase in the usage of emerging technology, it has become increasingly important to secure information and data being processed online. As the Internet and computer networks continue to grow, network security has become a challenging task for organizations. Every organization requires a stable and efficient network security architecture that protects its critical assets and information systems from evolving threats. This module starts with an overview of the fundamentals of information security. It provides insight into information assurance (IA) principles. Later, the module discusses various types of network defense approaches. The module ends with a brief discussion on network security controls and network defense elements.

At the end of this module, you will be able to:
- Understand the fundamentals of information security
- Understand the National Institute of Standards and Technology (NIST) cybersecurity framework
- Understand the fundamentals of network security
- Describe the principles of information assurance (IA)
- Understand the different types of network defense approaches
- Explain the elements of network defense

Module 03 Page 405 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Module Flow
- Discuss Information Security Fundamentals
- Discuss Network Security Fundamentals

This section introduces the need for security; elements of information security; the security, functionality, and usability triangle; NIST cybersecurity framework; security challenges; and impact of information security attacks.

What is Information Security?
Information security is “the state of the well-being of information and infrastructure in which the possibility of theft, tampering, or disruption of information and services is kept low or tolerable.” Information security refers to the protection or safeguarding of information and information systems that use, store, and transmit information from unauthorized access, disclosure, alteration, and destruction.

Need for Security
- Evolution of technology, focused on ease of use
- Reliance on the use of computers for accessing, providing, or just storing information
- Increased network environment and network-based applications
- Direct impact of security breach on the corporate asset base and goodwill
- Increasing complexity of computer infrastructure administration and management
Today, organizations are increasingly networked, as information is exchanged at the speed of thought. Also, the evolution of technology has focused on ease of use, and routine tasks rely on the use of computers for accessing, providing, or just storing information. As information assets differentiate the competitive organization from others of its kind, so do they register an increase in their contribution to the corporate capital. There is therefore a sense of urgency on behalf of the organization to secure these assets from likely threats and vulnerabilities. The subject of addressing information security is vast, and it is the endeavor of this course to give the student a comprehensive body of knowledge required to secure the information assets under his/her consideration. This course assumes that organizational policies exist that are endorsed by top-level management and that business objectives and goals related to security have been incorporated as part of the corporate strategy. A security policy is the specification of how objects in a security domain are allowed to interact. The importance of security in the contemporary information and telecommunications scenario cannot be overemphasized. There are myriad reasons for securing ICT infrastructure. The evolution of computers has transcended from the annals of universities to laptops and PDAs. Initially, computers were designed to facilitate research, and this did not place much emphasis on security, as these resources, being scarce, were meant for sharing. The permeation of computers into the routine workspace and daily life sees more control being transferred to computers and a higher dependency on them for facilitating important routine tasks. This has further increased the usage of network environments and network-based applications. Any disruption means loss of time, money, and sometimes even loss of life.
Also, the increasing complexity of computer infrastructure administration and management means that a security breach has a direct impact on the corporate asset base and goodwill.

Elements of Information Security
- Confidentiality: Assurance that the information is accessible only to those authorized to have access
- Integrity: The trustworthiness of data or resources in terms of preventing improper or unauthorized changes
- Availability: Assurance that the systems responsible for delivering, storing, and processing information are accessible when required by the authorized users
- Authenticity: Refers to the characteristic of a communication, document, or any data that ensures the quality of being genuine
- Non-Repudiation: A guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message

Information security relies on five major elements: confidentiality, integrity, availability, authenticity, and non-repudiation.
- Confidentiality: Confidentiality is the assurance that the information is accessible only to those authorized to have access. Confidentiality breaches may occur due to improper data handling or a hacking attempt. Confidentiality controls include data classification, data encryption, and proper disposal of equipment (such as DVDs, USB drives, and Blu-ray discs).
- Integrity: Integrity is the trustworthiness of data or resources in the prevention of improper and unauthorized changes—the assurance that information is sufficiently accurate for its purpose.
Measures to maintain data integrity may include a checksum (a number produced by a mathematical function to verify that a given block of data is not changed) and access control (which ensures that only authorized people can update, add, or delete data).
- Availability: Availability is the assurance that the systems responsible for delivering, storing, and processing information are accessible when required by authorized users. Measures to maintain data availability can include disk arrays for redundant systems and clustered machines, antivirus software to combat malware, and distributed denial-of-service (DDoS) prevention systems.
- Authenticity: Authenticity refers to the characteristic of communication, documents, or any data that ensures the quality of being genuine or uncorrupted. The major role of authentication is to confirm that a user is genuine. Controls such as biometrics, smart cards, and digital certificates ensure the authenticity of data, transactions, communications, and documents.
- Non-Repudiation: Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message. Individuals and organizations use digital signatures to ensure non-repudiation.
The Security, Functionality, and Usability Triangle
The level of security in any system can be defined by the strength of three components: Functionality (Features), Security (Restrictions), and Usability (GUI). Moving the ball towards security means less functionality and usability.

Technology is evolving at an unprecedented rate. As a result, new products that are reaching the market focus more on ease of use than on secure computing. Though technology was originally developed for “honest” research and academic purposes, it has not evolved at the same pace as users’ proficiency. Moreover, in this evolution, system designers often overlook vulnerabilities during the intended deployment of the system. However, adding more built-in default security mechanisms would give users more competence. It is becoming difficult for security professionals to allocate resources exclusively for securing systems, with the augmented use of computers for an increasing number of routine activities. This includes the time needed to check log files, detect vulnerabilities, and apply security update patches. As routine activities consume system professionals’ time, leaving less time for vigilant administration, there is little time to deploy measures and secure computing resources on a regular and innovative basis. This fact has increased the demand for dedicated security professionals to constantly monitor and defend ICT (Information and Communication Technology) resources. Originally, to “hack” meant to possess extraordinary computer skills to explore hidden features of computer systems. In the context of information security, hacking is defined as the exploitation of vulnerabilities of computer systems and networks and requires great proficiency.
However, today there are automated tools and code available on the Internet that make it possible for anyone who possesses the will to succeed at hacking. However, mere compromise of system security does not denote hacking success. There are websites that insist on “taking back the Internet” as well as people who believe that they are doing everyone a favor by posting details of their exploits. In reality, doing so serves to lower the skill level required to become a successful attacker.

The ease with which system vulnerabilities can be exploited has increased, while the knowledge curve required to perform such exploits has decreased. The concept of the elite “super attacker” is an illusion. However, the fast-evolving genre of “script kiddies” is largely comprised of lesser-skilled individuals having second-hand knowledge of performing exploits. One of the main impediments to the growth of security infrastructure lies in the unwillingness of exploited or compromised victims to report such incidents for fear of losing the goodwill and faith of their employees, customers, or partners, and/or of losing market share. The trend of information assets influencing the market has seen more companies thinking twice before reporting incidents to law enforcement officials for fear of “bad press” and negative publicity. The increasingly networked environment, with companies often using their websites as single points of contact across geographical boundaries, makes it critical for security professionals to take countermeasures to prevent exploits that can result in data loss. This is why corporations need to invest in security measures to protect their information assets.
The level of security in any system can be defined by the strength of three components:
- Functionality: The set of features provided by the system.
- Usability: The GUI components used to design the system for ease of use.
- Security: Restrictions imposed on accessing the components of the system.

The relationship between these three components is demonstrated using a triangle, because an increase or decrease in any one of the components automatically affects the other two. Moving the ball towards any of the three components means decreasing the intensity of the other two. The diagram represents the relationship between functionality, usability, and security. For example, as shown in the figure, if the ball moves towards Security, it means increased security and decreased Functionality and Usability. If the ball is in the center of the triangle, then all three components are balanced. If the ball moves towards Usability, it means increased Usability and decreased Functionality as well as Security. For any implementation of security controls, all three components have to be considered carefully and balanced to get acceptable functionality and usability with acceptable security.

Figure 3.1: Security, Functionality, and Usability Triangle (vertices: Functionality (Features), Security (Restrictions), Usability (GUI); moving the ball towards security means less functionality and usability)
NIST Cybersecurity Framework (CSF)
NIST brought all stakeholders together to form a community to design a Cybersecurity Framework (CSF) that addresses all the security risks and supports continuous business operations.

NIST CSF Functions and Categories
- Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
- Protect: Identity Management and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
- Detect: Anomalies and Events; Continuous Security Monitoring; Detection Processes
- Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
- Recover: Recovery Planning; Improvements; Communications

Source: https://www.nist.gov

The ever-growing cyber threat landscape is forcing organizations to be alert in tackling evolving cyber threats in order to secure their business infrastructure and deliver continuous services to their customers. To assist enterprises in managing cybersecurity risks, NIST brought all stakeholders together to form a community to design a Cybersecurity Framework (CSF) that addresses all the security risks and supports continuous business operations. The CSF includes best practices, guidelines, and industry standards that assist enterprises in handling risks. The CSF consists of a set of key components such as the following.
- Core: It offers a set of operations or activities that help in attaining the desired security outcomes. It includes industry standards, practices, guidelines, operations, functions, and results that interact with cybersecurity activities.
- Tiers: They are different levels of implementation that help in assessing and planning cybersecurity activities. They offer segment-wise approaches for enterprises to deal with cybersecurity risks.
- Profiles: They are used to determine how standards, practices, guidelines, functions, and their categories should be aligned with the business needs, risk tolerance, and resources. A profile allows enterprises to build a roadmap to minimize security risks.
- Implementation Guidelines: They propose common techniques to adopt the NIST CSF. They define common information flows and decisions at different levels within an enterprise to manage risks.

Functions and Categories of NIST CSF
The following framework functions are not defined to create a serial path or attain a required end state; rather, they are recommended to be performed simultaneously and uninterruptedly to create operational conditions that help in addressing security risks.
- Identify: This function deals with designing an enterprise understanding to handle cybersecurity risks, including data, people, assets, systems, and other capabilities. The operations in the Identify function are important aspects for the productive use of the framework. Being aware of the business context, the resources used for different functions, and the associated cyber risks allows enterprises to concentrate on and prioritize their risks as well as improve risk management plans to run the business effectively. The subdivisions or categories of this function include the business environment, governance, asset management, risk assessment, and risk management strategy.
- Protect: This function involves designing and implementing proper protection methods to ensure critical service delivery.
The function provides the capability to restrict and control the impact of critical cybersecurity incidents. The subdivisions or categories of this function include awareness training, information protection processes and procedures, identity management and access control, data security, maintenance, and protective technology.
- Detect: This function entails the design and implementation of suitable operations to discover unexpected cybersecurity events across a network. This function provides the ability to discover cybersecurity events without any delay. The subdivisions or categories of this function include continuous security monitoring, anomalies and events, and detection processes.
- Respond: This function involves the design and implementation of suitable operations to respond to detected cybersecurity events. This function allows controlling the impact of critical cybersecurity events. The subdivisions or categories of this function include communications, mitigation, response planning, analysis, and improvements.
- Recover: This function deals with designing and implementing suitable operations to support strategies for defense and to reinstate services that were affected by cybersecurity events. This function supports the timely recovery of services to their normal condition or state to minimize the impact of security events. The subdivisions or categories of this function include communications, recovery planning, and improvements.
Security Challenges
Accelerating digitization has benefited the IT industry in all ways, but it has also paved the way for sophisticated cyber-attacks and cybersecurity challenges. There is a need for security professionals in every organization to secure their sensitive and private data. Security professionals face many challenges and threats from cyber-attackers who are disrupting their networks and assets.
The following are some of the security challenges faced by security professionals and organizations:
- Compliance with government laws and regulations
- Lack of qualified and skilled cybersecurity professionals
- Difficulty in centralizing security in a distributed computing environment
- Difficulty in overseeing end-to-end processes due to complex IT infrastructure
- Fragmented and complex privacy and data protection regulations
- Use of a serverless architecture and applications that rely on third-party cloud providers
- Compliance issues and issues with data removal and retrieval due to the implementation of Bring Your Own Device (BYOD) policies in companies
- Relocation of sensitive data from legacy data centers to the cloud without proper configuration
- Weak links in supply-chain management
- Increase in cybersecurity risks such as data loss and unpatched vulnerabilities and errors due to the usage of shadow IT
- Shortage of research visibility and training for IT employees
Impact of Information Security Attacks
- Financial Losses: Financial losses faced by the organization may be direct or indirect
- Loss of Confidentiality and Integrity: Results in the loss of trust in data or resources; damage to the corporation’s reputation; and the loss of goodwill and business credibility
- Damaged Customer Relationship: Impacts the organization’s relationships with its customers, leading to the loss of customers, a decrease in sales, and a drop in profits
- Loss of Business Reputation: Hurts the business’s reputation, leading to loss of existing loyal customers as well as of the potential to attract new customers
- Legal and Compliance Issues: Results in negative publicity for the organization and affects the business’s performance
- Operational Impacts: May disable the organization by disrupting the operations of an entire organizational network

Information security attacks are a major security concern for any organization, as they can have a severe impact on the organization’s assets, resources, financial records, and other confidential data. Information security attacks are carried out by attackers with various motives and objectives and may have a severe impact on network and system resources as well as other organizational elements. Following are the impacts that information security attacks can have on an organization:
- Financial Losses: Organizations can go through huge financial losses due to information security attacks. Financial losses faced by organizations can be either direct or indirect: direct losses refer to the amount of money businesses have to remunerate for professional services, covering lost contracts and downtime, while indirect losses refer to the money that will be allocated by the organization to hire new staff, train them, and upgrade the organizational infrastructure.
- Loss of Confidentiality and Integrity: Confidentiality and integrity are the most essential elements of information security. They assure that the information is accessible only to those who are authorized to have access and is sufficiently accurate for its purpose. Confidentiality and integrity breaches may occur due to improper data handling or a hacking attempt. This results in loss of trustworthiness of data or resources, damage to corporate reputation, and loss of goodwill, business credibility, and trust.
- Damaged Customer Relationship: Trust is an important component that is required to establish a customer relationship. Once an organization has been attacked, it causes a permanent impact on organizational reputation and results in loss of trust among customers. This impacts the customer relationship and leads to loss of customers, a decrease in sales, and a drop in profits.
- Loss of Business Reputation: Data protection and security are fundamental components that help protect business reputation and maintain customer loyalty. Information security attacks diminish business reputation and lead to loss of the existing loyal customers as well as of the potential to attract new customers. The impact of reputational damage can even affect suppliers, relationships with partners, investors, and other third parties.
- Legal and Compliance Issues: Organizations often face legal and compliance issues while dealing with security incidents. Managing the legal challenges of addressing information security is a complex process for organizations that impacts business reputation and public relations.
Legal and compliance issues result in negative publicity for an organization and affect the business’s performance.
- Operational Impacts: Information security attacks may leave the organization disabled, as they disrupt the working of an entire organizational network. They affect the operations of the organization by causing degradation in the quality of services, inability to meet service availability requirements, decrease in staff efficiency and productivity, and so on.

Module Flow
- Discuss Information Security Fundamentals
- Discuss Network Security Fundamentals

Network security helps organizations implement the necessary preventative measures to protect their IT infrastructure from misuse, unauthorized access, information disclosure, unauthorized access to or modification of data in transit, destruction, etc., thereby providing a secure environment for users, computers, and programs to perform their regular functions. This section discusses the goal of network defense, principles of information assurance, benefits and challenges of network defense, types of network defense approaches, types of network security controls, and elements of network defense.
Essentials of Network Security
A completely secure and robust network can be designed with proper implementation and configuration of network security elements. Network security relies on three main security elements:
- Network Security Controls: Network security controls are the security features that should be appropriately configured and implemented to ensure network security. These are the cornerstones of any systematic discipline of security. These security controls work together to allow or restrict access to the organization’s resources based on identity management.
- Network Security Protocols: Network security protocols implement security-related operations to ensure the security and integrity of data in transit. The network security protocols ensure the security of the data passing through the network. They implement methods that restrict unauthorized users from accessing the network. The security protocols use encryption and cryptographic techniques to maintain the security of messages passing through the network.
- Network Security Devices: Network security appliances are devices that are deployed to protect computer networks from unwanted traffic and threats. These devices can be categorized into active devices, passive devices, and preventative devices. They also include Unified Threat Management (UTM), which combines the features of all these devices.
Goal of Network Defense
The ultimate goal of network defense is to protect an organization’s information, systems, and network infrastructure from unauthorized access, misuse, modification, service denial, or any degradation and disruptions. Organizations rely on information assurance (IA) principles to attain defense-in-depth security. IA principles act as enablers for an organization’s security activities to protect and defend the organizational network from security attacks.

Different types of unauthorized or illegal activities may include interrupting, damaging, exploiting, or restricting access to networks or computing resources and stealing data and information from them. The implementation of numerous security measures, by itself, does not guarantee network security. For example, many organizations assume that deploying a firewall, or multiple firewalls, on the network is sufficient to protect their infrastructure from a variety of threats. However, attackers can bypass such security measures to gain access to systems. Thus, it is important to ensure comprehensive network defense to prevent and mitigate various types of threats. The goal of comprehensive network defense is to deploy continual and defense-in-depth security, which involves predicting, protecting, monitoring, analyzing, detecting, and responding to unauthorized activities such as unauthorized access, misuse, modification, service denial, and any degradation or disruption in the network, and to guarantee the overall security of the network. Organizations rely on information assurance (IA) principles to attain defense-in-depth security.
Information Assurance (IA) Principles

Information assurance (IA) principles act as enablers for an organization's security activities to protect and defend its network from security attacks. They facilitate the adoption of appropriate countermeasures and response actions upon a threat alert or detection. Therefore, security professionals must use IA principles to identify sensitive data and to counter events that may have security implications for the network. IA principles assist them in identifying network security vulnerabilities, monitoring the network for any intrusion attempts or malicious activity, and defending the network by mitigating vulnerabilities.

Network defense activities should address the following IA principles to achieve defense-in-depth network security:

- Confidentiality: Confidentiality ensures that information is not disclosed to unauthorized parties; it permits only authorized users to access, use, or copy information. Authentication is crucial for confidentiality. If an unauthorized user accesses protected information, a breach of confidentiality has occurred.

Figure 3.2: Confidentiality (an authorized user communicates with a server; a man in the middle cannot listen to or view the information)

- Integrity: Integrity protects data and does not allow modification, deletion, or corruption of data without proper authorization. This principle also relies on authentication to function properly.

Figure 3.3: Integrity (a man in the middle cannot modify the information exchanged between an authorized user and the server)

- Availability: Availability is the process of protecting information systems or networks that store sensitive data so that they are available to authorized end users, without disruption, whenever they request access.

Figure 3.4: Availability (when availability is lost, services become unavailable to authorized users)

- Non-repudiation: Non-repudiation ensures that a party in a communication cannot deny sending a message. It is a service that validates the integrity of a digital signature's transmission, from where it originated to where it arrived. Non-repudiation grants access to protected information by validating that the digital signature is from the intended party.

Figure 3.5: Non-repudiation (a user sends "Transfer amount 500 to User" and later denies the transaction)

- Authentication: Authentication is the process by which a system or service verifies the identity of a user from the credentials provided, by comparing them to those in a database of authorized users on an authentication server, before granting access to the network. It guarantees that the files or data passing through the network are safe.

Figure 3.6: Authentication

Network Defense Benefits

Network defense provides the following benefits:

- Protect information assets
- Comply with government and industry-specific regulations
- Ensure secure communication with clients and suppliers
- Reduce the risk of being attacked
- Gain a competitive edge over competitors by providing more secure services

Network security is crucial for all organizations, irrespective of size. It safeguards systems, files, data, and personal information, and protects them from unauthorized access. Apart from ensuring safety against hacking attempts and virus attacks, network security also provides the following indirect advantages and benefits.

- Increased Profits: Keeping computer networks secure is critical for any organization. With the deployment of comprehensive network defense, the organization can prevent threats, attacks, and vulnerabilities that could otherwise cause significant loss. This indirectly supports the organization in earning profits. It also allows organizations to gain a competitive edge over competitors by providing more secure services.

- Improved Productivity: Network security can also help in improving the productivity of the organization. For example, it prevents employees from spending time on unproductive activities over the Internet, such as browsing adult content, gaming, and gossip during office hours. These activities can be restricted with safe browsing techniques, consequently improving productivity.

- Enhanced Compliance: Network security spares organizations from incurring penalties for lack of compliance. Real-time monitoring of data flows helps organizations enhance their compliance posture.

- Client Confidence: The knowledge that an organization's systems and data are protected and safe enhances clients' confidence and trust in the organization. This may translate into future purchases of other service offerings from the organization.
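The integrity and non-repudiation principles described in the IA section above are easiest to tell apart in code. The following is an added example, not part of the module: it contrasts a shared-key message authentication code (HMAC-SHA256), which detects tampering but lets either key holder produce a valid tag, with a one-time hash-based Lamport signature, which only the private-key holder can produce and anyone can verify with the public key alone. The "Transfer amount 500 to User" message is the module's Figure 3.5 scenario; all key material is constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample transaction, taken from the module's Figure 3.5 scenario.
TRANSACTION = b"Transfer amount 500 to User"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Integrity with a shared-key MAC (HMAC-SHA256) ---------------------------

def mac_tag(shared_key: bytes, message: bytes) -> bytes:
    """Tag a message so that any in-transit modification is detectable."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def mac_verify(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison avoids leaking the tag byte by byte."""
    return hmac.compare_digest(mac_tag(shared_key, message), tag)


# --- Non-repudiation with a one-time Lamport signature -----------------------
# A Lamport signature needs only a hash function. The private key is 256
# pairs of random 32-byte values; the public key is the SHA-256 of each value.
# Signing reveals one preimage per bit of the message hash; verifying hashes
# the revealed values and compares them with the public key. Each key signs
# exactly ONE message: reusing it leaks preimages usable for other messages.

def lamport_keygen():
    private_key = [(secrets.token_bytes(32), secrets.token_bytes(32))
                   for _ in range(256)]
    public_key = [(sha256(a), sha256(b)) for a, b in private_key]
    return private_key, public_key


def _message_bits(message: bytes):
    digest = int.from_bytes(sha256(message), "big")
    return [(digest >> (255 - i)) & 1 for i in range(256)]


def lamport_sign(private_key, message: bytes):
    # For bit i of the message hash, reveal the preimage private_key[i][bit].
    return [private_key[i][bit] for i, bit in enumerate(_message_bits(message))]


def lamport_verify(public_key, message: bytes, signature) -> bool:
    if len(signature) != 256:
        return False
    ok = True
    for i, bit in enumerate(_message_bits(message)):
        # Check every position so the time taken does not reveal where the
        # first mismatch is.
        if not hmac.compare_digest(sha256(signature[i]), public_key[i][bit]):
            ok = False
    return ok


def demo() -> dict:
    """Run both mechanisms against the sample transaction and return results."""
    shared_key = secrets.token_bytes(32)          # known to the user AND the bank
    tag = mac_tag(shared_key, TRANSACTION)

    # HMAC detects tampering in transit...
    tampered = b"Transfer amount 5000 to User"
    mac_detects_tamper = not mac_verify(shared_key, tampered, tag)
    # ...but the bank, holding the same key, can compute a valid tag for a
    # message the user never sent, so the tag alone cannot prove who sent it.
    forged_tag = mac_tag(shared_key, tampered)
    bank_can_forge = mac_verify(shared_key, tampered, forged_tag)

    # Lamport signature: only the user's private key can produce it.
    user_sk, user_pk = lamport_keygen()
    signature = lamport_sign(user_sk, TRANSACTION)
    sig_valid = lamport_verify(user_pk, TRANSACTION, signature)
    sig_rejects_tamper = not lamport_verify(user_pk, tampered, signature)
    # A different key pair (e.g. the bank's own) cannot stand in for the user.
    _, other_pk = lamport_keygen()
    sig_rejects_other_key = not lamport_verify(other_pk, TRANSACTION, signature)

    return {
        "mac_detects_tamper": mac_detects_tamper,
        "bank_can_forge": bank_can_forge,
        "sig_valid": sig_valid,
        "sig_rejects_tamper": sig_rejects_tamper,
        "sig_rejects_other_key": sig_rejects_other_key,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

All five results are True: the MAC gives integrity but not non-repudiation, while the signature gives both, which is why the module ties non-repudiation to digital signatures rather than to shared secrets.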
Network Defense Challenges

- Distributed Computing Environments: With the advancement in modern technology and to meet business requirements, networks are becoming vast and complex, potentially leading to serious security vulnerabilities. Attackers exploit exposed security vulnerabilities to compromise network security.
- Emerging Threats: Potential threats to the network evolve each day. Network security attacks are becoming technically more sophisticated and better organized.
- Lack of Network Security Skills: Organizations are failing to defend themselves against rapidly increasing network attacks due to the lack of network security skills.

In addition to the broad categories of challenges discussed above, a security professional may face the following challenges in maintaining the security of a network:

- Protecting the network from attacks via the Internet.
- Protecting public servers such as web, e-mail, and DNS servers.
- Containing damage when a network or system is compromised.
- Preventing internal attacks against the network.
- Protecting highly important and sensitive information such as customer databases, financial records, and trade secrets.
- Developing guidelines for security professionals to handle the network in a secure manner.
- Enabling intrusion detection and logging capabilities.

Types of Network Defense Approaches

There are four main classifications of security defense techniques used for the identification and prevention of threats and attacks in the network.

- Preventive Approach: The preventive approach consists of methods or techniques used to avoid threats or attacks on the target network. The preventive approaches mainly used in networks are as follows:
  o Access control mechanisms such as a firewall.
  o Admission control mechanisms such as NAC and NAP.
  o Cryptographic applications such as IPsec and SSL.
  o Biometric techniques such as speech or facial recognition.

- Reactive Approach: The reactive approach consists of methods or techniques used to detect attacks on the target network and is complementary to the preventive approach. It addresses attacks and threats that the preventive approach may have failed to avert, such as DoS and DDoS attacks. It is necessary to implement both preventive and reactive approaches to ensure the security of the network. Reactive approaches include security monitoring methods such as IDS, SIMS, TRS, and IPS.

- Retrospective Approach: The retrospective approach examines the causes of attacks in the network, and contains, remediates, eradicates, and recovers from the damage caused by an attack on the target network. These include:
  o Fault-finding mechanisms such as protocol analyzers and traffic monitors.
  o Security forensics techniques such as CSIRT and CERT.
  o Post-mortem analysis mechanisms including risk and legal assessments.

- Proactive Approach: The proactive approach consists of methods or techniques used to make informed decisions about potential future attacks on the target network. Threat intelligence and risk assessment are examples of methods that can be used to assess probable future threats to the organization. The methods in this approach facilitate the implementation of preemptive security actions and measures against potential incidents.

Continual/Adaptive Security Strategy

Organizations should adopt an adaptive security strategy, which involves implementing all four network security approaches. The adaptive security strategy consists of four security activities corresponding to the four approaches, and prescribes that continuous prediction, prevention, detection, and response actions must be taken to ensure comprehensive computer network defense.

- Protection: This includes a set of prior countermeasures taken towards eliminating all the possible vulnerabilities on the network. It includes security measures such as security policies, physical security, host security, firewalls, and IDS.
- Detection: Detection involves continuously monitoring the network for abnormalities such as attacks, damage, unauthorized access attempts, and modifications, and identifying their origins and locations in the network. It includes the regular monitoring of network traffic using network monitoring and packet sniffing tools.
- Response: Responding to incidents involves actions such as identifying incidents, finding their root causes, and planning a possible course of action for addressing them. It includes incident response, investigation, containment, impact mitigation, and eradication steps for addressing the incidents. It also includes deciding whether the incident is an actual security incident or a false positive.
- Prediction: Prediction involves the identification of the most likely attacks, targets, and methods prior to their materialization into a viable attack. Prediction includes actions such as conducting risk and vulnerability assessments, performing attack surface analysis, and consuming threat intelligence data to predict future threats to the organization.

Figure 3.7: Continual/Adaptive Security Strategy (Predict: risk and vulnerability assessment, attack surface analysis, threat intelligence. Protect: defense-in-depth security strategy protecting endpoints, network, and data. Detect: continuous threat monitoring. Respond: incident response.)
Network Security Controls: Administrative Security Controls

Management implements administrative security controls to ensure the safety of the organization. Administrative security controls are management limitations, operational and accountability procedures, and other controls that ensure the security of an organization. The procedures prescribed in administrative security controls ensure the authorization and authentication of personnel at all levels. Components of administrative security controls include:

- Regulatory framework compliance
- Security policy
- Employee monitoring and supervising
- Information classification
- Separation of duties
- Principle of least privilege
- Security awareness and training

Network Security Controls: Physical Security Controls

Physical security controls are a set of security measures taken to prevent unauthorized access to physical devices. Appropriate physical security controls can reduce the chances of attacks and risks in an organization. They provide physical protection of the information, buildings, and all other physical assets of an organization. Physical security controls are categorized into:

- Prevention Controls: These are used to prevent unwanted or unauthorized access to resources. They include access controls such as fences, locks, biometrics, and mantraps.
- Deterrence Controls: These are used to discourage the violation of security policies. They include access controls such as security guards and warning signs.
- Detection Controls: These are used to detect unauthorized access attempts. They include access controls such as CCTV and alarms.

Figure 3.8: Physical Security Controls (examples of physical access controls: locks, fences, badge systems, security guards, biometric systems, lighting, motion detectors, mantrap doors, closed-circuit TVs, and alarms)

Network Security Controls: Technical Security Controls

Technical security controls are a set of security measures taken to protect data and systems from unauthorized personnel. They are used for restricting access to devices in an organization to protect the integrity of sensitive data. The components of technical security controls include:

- System access controls: System access controls are used to restrict access to data according to the sensitivity of the data, the clearance level of users, user rights, and permissions.
- Network access controls: Network access controls offer various access control mechanisms for network devices such as routers and switches.
- Authentication and authorization: Authentication and authorization ensure that only users with appropriate privileges can access system or network resources.
- Encryption and protocols: Encryption and protocols protect the information passing through the network and preserve the privacy and reliability of the data.
- Network security devices: Network security devices such as firewalls and IDS are used to filter and detect malicious traffic, thus protecting the organization from threats.
- Auditing: Auditing refers to tracking and examining the activities of network devices in a network. This mechanism helps in identifying weaknesses in the network.

Network Defense Elements

Technology, operations, and people are the major elements of network security. Appropriate selection of technology, well-defined operations, and skilled people are required for effective implementation of security strategies, and these elements play an important role in achieving appropriate defense-in-depth network security for the organization. Technological implementations are by themselves not sufficient to guarantee the security of the network. Well-defined operations are needed in order to configure these technologies, and skilled individuals who can perform these operations are necessary. The combination of these elements enables the achievement of defense-in-depth security.

Technology

Selecting appropriate technology is crucial, as improper selection of technology may provide a false sense of security. A security professional must consider the following factors regarding technology:

- The existing network topology
- The appropriate selection of security technologies
- Proper configuration of each component

The following is an example questionnaire for facilitating an appropriate selection of technology:

- Which type of firewalls, IDS, antivirus, etc., are required for the network?
- Which type of encryption algorithm should be used?
- Is a centralized or a distributed access mechanism more suitable for the network?
- What type of password complexity should be adopted?
- Should critical servers be placed on a separate segment?
Operations

Technological implementations are by themselves not sufficient; they should be supported by well-defined operations. The following are some examples of operations that a security professional must conduct to ensure organizational security.

- Creating and enforcing security policies: Security professionals need written security policies to monitor and manage a network efficiently. These policies set appropriate expectations regarding the use and administration of information assets on a network. Security policies describe what to secure on the network and the ways to secure it.

- Creating and enforcing standard network operating procedures: Standard network operating procedures are instructions intended to document routine network activity. Security professionals should rely on these procedures to ensure the efficiency and security of the network. The main goal of network operating procedures is to conduct network operations correctly and consistently.

- Planning business continuity and disaster recovery: Businesses are exposed to various threats and vulnerabilities, such as natural disasters, acts of terrorism, accidents or sabotage, outages due to application errors, and hardware or network failures. Planning for business continuity and disaster recovery involves proactively devising mechanisms to prevent and manage the consequences of a disaster, thereby limiting its impact to a minimal extent.

- Configuration control management: Security professionals encounter numerous security problems due to the lack of configuration control management capabilities. Configuration management involves initiating, preparing, analyzing, evaluating, and authorizing proposals for change to a system. Configuration control management includes:
  o Device hardware and software inventory collection.
  o Device software management.
  o Device configuration collection, backup, viewing, archiving, and comparison.
  o Detection of changes to configuration, hardware, or software.
  o Configuration change implementation to support change management.

- Creating and implementing incident response processes: Security professionals create and implement an incident response process through planning, communication, and preparation. Incident preparation readiness ensures a quick and timely response to incidents. Security managers should determine whether or not to include law enforcement agencies during incident response, as this may affect the organization positively or negatively.

- Conducting forensics activities on incidents: Computer forensics investigators examine incidents and conduct forensic analysis using various methodologies and tools to ensure that the computer network system in an organization is secure. While conducting forensics activities on incidents, the people responsible for network management should:
  o Ensure that the professionals they hire are prepared to conduct forensic activities.
  o Ensure that their policies contain clear statements about forensic considerations.
  o Create and maintain procedures and guidelines for performing forensic activities.
  o Ensure that the organization's security policies and procedures support the use of forensic tools.

- Providing security awareness and training: Some threats to network security originate from within the organization. These threats can come from uninformed users who may harm the network by visiting websites infected with malware, responding to phishing e-mails, storing their login information in an unsecured location, or even providing sensitive information over the phone when exposed to social engineering. Security managers must ensure that the company's employees do not commit costly errors that can affect network security. They should institute company-wide security awareness training initiatives, including training sessions, security awareness websites, helpful hints via e-mail, or posters. These methods can ensure that employees have a good understanding of the company's security policies, procedures, and best practices.

- Enforcing security as a culture: Security professionals should enforce security as a culture in the organization, which can help spread awareness of behaviors that compromise security and educate employees to change such behavior. The culture within an organization can have a significant influence on the emergence of risks and on the degree to which various control approaches are successful.

People

People are a crucial element of any organization's network security. Appropriate technology and well-defined operations cannot replace skilled people, who are required to implement the technology and manage the well-defined operations. The degree to which people embody a culture of security can significantly influence the organization's ability to protect key assets. Specifically, the people involved in network defense are responsible for maintaining, repairing, and managing network and computer systems to improve their performance.
People involved in network security include:

- Network Defense Team
- Incident Handling and Response (IH&R) Team
- Computer Forensics Investigation Team

Network Defense Team

Network defense teams explore and solve network problems logically and consistently, and monitor the network for vulnerabilities before an outsider can exploit them. These people use network security technologies and operations to design and implement a robust and secure network. People involved in the network defense team include:

- Network Administrator: The network administrator manages the entire network in an organization. They coordinate all systems and software and help in the smooth functioning of the organization's network.
- Network Security Administrator: The network security administrator is responsible for maintaining the security of the network system in an organization. They fix, control, and monitor the security solutions of the organization.
- Network Security Engineer: The network security engineer mainly develops the countermeasures required for network and technology-related issues in an organization. They monitor and manage issues pertaining to IT.
- Security Architect: The security architect supervises the implementation of computer and network security in an organization. Their role is to implement network and computer security in an efficient manner.
- Security Analyst: The security analyst maintains the privacy and integrity of the internal network in an organization. They evaluate the efficiency of the security measures implemented in the organization.
- Network Technician: The network technician manages the hardware and software components of an organization's network. They fix issues related to these components.
- End User: The end user refers to the people who use the end product deployed by an organization. End users access the developed products through devices such as desktop computers, laptops, tablet computers, and smartphones.
- Leadership: Informed leadership can help an organization take exemplary decisions regarding the security of its network and systems. Leaders are required to be proactive in finding the weaknesses and strengths in a network.
Incident Handling and Response (IH&R) Team

An IH&R team is a group of technically skilled people capable of carrying out various functions, such as threat intelligence, evidence analysis, and user investigations. Having a trained IH&R team in an organization reduces not only the losses caused by incidents and the response time, but also the probability of similar attacks occurring in the future.

A centralized IH&R team managed by an incident handler will perform vulnerability analysis, establish well-defined security policies, detect indicators of compromise, handle legal issues, manage public relations, and provide proper reports regarding the incident.

People involved in an IH&R team include:

* Information Security Officer (ISO): An ISO governs the security posture of an organization and bears responsibility for all IH&R activities in the context of overall organizational information security. The officer is responsible for setting IH&R goals, approving the process, granting permissions, and contacting the stakeholders and other management authorities of the organization. The ISO must head all the members of the IH&R team, including the incident manager and incident handler. The officer is also responsible for providing incident handling guidance and training to security team members across the organization, evaluating their actions and consequences, and suggesting corrective actions to perfect incident handling.
* Incident Manager (IM): The IM is responsible for managing all IH&R activities. The IM must be a technical expert with a clear understanding of and experience with handling security issues. The IM will focus on incidents as well as analyze and review incident handling processes from managerial and technical perspectives. He or she must drive the IR team to encourage focused incident containment and recovery.
* Incident Coordinator: Incident coordinators connect different stakeholders affected by incidents, such as the incident handling team, the legal team, the human resources team, clients, and vendors. They play a vital role in coordinating between security teams and networking groups, facilitate communication, and keep everyone updated on the status of the incident. The incident coordinator should possess communication and technical skills and have a solid business sense of the organization’s operations.
* Forensic Investigator: Forensic investigators, experts in the forensic investigation of incidents, help organizations and law enforcement agencies to investigate and prosecute the perpetrators of cybercrimes. They are responsible for maintaining forensics readiness across an organization and implementing effective IH&R. They must also preserve and submit the evidence required to legally prosecute the attackers.
* Threat Researcher: Threat researchers supplement security analysts by researching threat intelligence data. They gather all details about prevalent incidents and security issues and help spread awareness of them among users. They also use this information to build or maintain a database of internal intelligence.
* System Administrator: System administrators look after the working and security of systems and can be very helpful in the IR process, as they configure systems and provide and grant access. They can also help in gathering system information, separating the impacted systems from the network, and analyzing system data to detect and verify incidents. They can also facilitate containment and eradication by installing new patches and updates and by upgrading the systems across an organization. They are also responsible for backup, system recovery, and analyzing system logs.
* Network Administrator: Network administrators are responsible for examining a computer network’s traffic for signs of incidents or attacks, such as DoS, DDoS, firewall breaches, or other malicious forms of code. They install and use network sniffing and capturing tools as well as loggers to identify the network events involved in an attack. They must analyze network logs, gather logs of suspicious activity, and help in the detection of incidents at a primary level. They perform the actions necessary to block network traffic from a suspected intruder.
* Internal Auditor: Internal auditors must ensure that an organization complies with the regulations, business standards, and laws of its regions of operation. They must regularly audit the policies and procedures followed by the organization to maintain information security. They must also ensure that the organization’s systems, devices, and other network resources are up to date and compliant with industry regulations. They must identify and report any security loopholes to management.
* Financial Auditor: Financial auditors are responsible for calculating the costs involved in an incident, such as damages or losses caused by the incident and costs incurred by IH&R. Along these lines, they must notably estimate the cost of cyber insurance and claim it when required.
* Human Resources: The human resources department is responsible for analyzing the human aspects of the disaster and conducting post-event counseling. Notably, it is responsible for tracking, recording, reporting, and compensating the organization’s human resources for all the billable hours related to performing duties throughout the event. It also ensures the submission of records as well as other information related to payroll and keeps track of the records of all injuries along with the investigation results relating to events. Moreover, it is responsible for counseling people after the event and notifying various people, as per organization policy.
* Public Relations: This department serves as a primary media contact and thus informs the media about an event.
It updates the organization’s website information and monitors media coverage. Along these lines, it is responsible for stakeholder communication, including communications with:
o The board
o Foundation personnel
o Donors
o Grantees, suppliers/vendors
o Media

Computer Forensics Investigation Team

The investigation team plays a major role in solving a case. The team is responsible for evaluating the crime, evidence, and criminals. To find the appropriate evidence from a variety of computing systems and electronic devices, the following people may be involved:

* Photographer: The photographer photographs the crime scene and the evidence gathered. They should have an authentic certification. This person is responsible for shooting all the evidence found at the crime scene, which records the key evidence in the forensics process.
* Incident Responder: The incident responder is responsible for the measures taken when an incident occurs. This individual is responsible for securing the incident area and collecting the evidence that is present at the crime scene. They should disconnect the system from other systems to stop the spread of the incident to other systems.
* Incident Analyzer: The incident analyzer analyzes the incidents based on their occurrence. They examine the incident as per its type, how it affects the systems, the different threats and vulnerabilities associated with it, etc.
* Evidence Examiner/Investigator: The evidence examiner examines the evidence acquired and sorts it based on usefulness and relevance into a hierarchy that indicates the priority of the evidence.
* Evidence Documenter: The evidence documenter documents all the evidence and the phases present in the investigation process. They gather information from all the people involved in the forensics process and document it in an orderly fashion, from incident occurrence to the end of the investigation. The documents should contain complete information about the forensics process.
* Evidence Manager: The evidence manager manages the evidence. They have all the information about the evidence, for example, evidence name, evidence type, time, and source of evidence. They manage and maintain a record of the evidence such that it is admissible in the court of law.
* Expert Witness: The expert witness offers a formal opinion as a testimony in a court of law. Expert witnesses help authenticate the facts and other witnesses in complex cases. They also assist in cross-examining witnesses and evidence, as various factors may influence a normal witness.
* Attorney: The attorney gives legal advice about how to conduct the investigation and address the legal issues involved in the forensic investigation process.

Module Summary

This module discussed the fundamentals of information security. It covered the NIST cybersecurity framework and also discussed the fundamentals of network security. Furthermore, this module discussed the principles of information assurance (IA). It also discussed the different types of network defense approaches. Finally, this module presented an overview of network defense elements. The next module discusses the identification, authentication, and authorization concepts in detail.