
CCNAS v1 2 Chapter 01 Modern network security threats + lab (pdf)


Page | 1
1 Chapter 1 Modern network Security Threats
1.1 Section 1.0 Introduction
1.1.1 Topic 1.0.1 Introduction
1.1.1.1 Page 1.0.1.1 Introduction
• Upon completion of this chapter you will be able to:
o Describe the evolution of network security.
o Describe the various drivers for network security technologies and applications.
o Describe the major organizations responsible for enhancing network security.
o Describe a collection of domains for network security.
o Describe network security policies.
o Describe computer network viruses.
o Describe computer network worms.
o Describe computer network Trojan Horses.
o Describe the techniques used to mitigate viruses, worms, and Trojan Horses.
o Explain how reconnaissance attacks are launched.
o Explain how access attacks are launched.
o Explain how Denial of Service (DoS) attacks are launched.
o Describe the techniques used to mitigate reconnaissance attacks, access attacks, and DoS attacks.
o Explain how to secure the three functional areas of Cisco routers and switches.
Network security is now an integral part of computer networking. Network security involves protocols,
technologies, devices, tools, and techniques to secure data and mitigate threats. Network security solutions
emerged in the 1960s, but did not mature into a comprehensive set of solutions for modern networks until the
2000s.
Network security is largely driven by the effort to stay one step ahead of ill-intentioned hackers. Just as medical
doctors attempt to prevent new illness while treating existing problems, network security professionals attempt to
prevent potential attacks while minimizing the effects of real-time attacks. Business continuity is another major
driver of network security.
Network security organizations have been created to establish formal communities of network security
professionals. These organizations set standards, encourage collaboration, and provide workforce development
opportunities for network security professionals. Network security professionals should be aware of the resources
provided by these organizations.
The complexity of network security makes it difficult to master all it encompasses. Different organizations have
created domains that subdivide the world of network security into more manageable pieces. This division allows
professionals to focus on more precise areas of expertise in their training, research, and employment.
Network security policies are created by companies and government organizations to provide a framework for
employees to follow during their day-to-day work. Network security professionals at the management level are
responsible for creating and maintaining the network security policy. All network security practices relate to and are
guided by the network security policy.
Just as network security is composed of domains of network security, network attacks are classified so that it is
easier to learn about them and address them appropriately. Viruses, worms, and Trojan horses are specific types of
network attacks. More generally, network attacks are classified as reconnaissance, access, or denial of service (DoS)
attacks.
Mitigating network attacks is the job of a network security professional. In this chapter, you will master the
underlying theory of network security, which is essential before beginning an in-depth practice of network security.
The methods of network attack mitigation are introduced here, and the implementation of these methods comprises
the remainder of this course.
1.2 Section 1.1 Fundamental Principles of a Secure Network
1.2.1 Topic 1.1.1 Evolution of Network Security
1.2.1.1 Page 1.1.1.1 Code Red Worm Attack
In July 2001, the Code Red worm attacked web servers globally, infecting over 350,000 hosts, as shown in the
figure. The worm not only disrupted access to the infected servers, but also affected the local networks hosting the
servers, making them very slow or unusable. The Code Red worm caused a denial of service to millions of users.
If the network security professionals responsible for these Code Red-infected servers had developed and
implemented a security policy, security patches would have been applied in a timely manner. The Code Red worm
would have been stopped and would only merit a footnote in network security history.
Network security relates directly to an organization's business continuity. Network security breaches can disrupt
e-commerce, cause the loss of business data, threaten people’s privacy, and compromise the integrity of
information. These breaches can result in lost revenue for corporations, theft of intellectual property, and lawsuits,
and can even threaten public safety.
Maintaining a secure network ensures the safety of network users and protects commercial interests. To keep a
network secure requires vigilance on the part of an organization’s network security professionals. Network security
professionals must constantly be aware of new and evolving threats and attacks to networks, and vulnerabilities of
devices and applications. This information is used to adapt, develop, and implement mitigation techniques.
However, security of the network is ultimately the responsibility of everyone who uses it. For this reason, it is the job
of the network security professional to ensure that all users receive security awareness training. Maintaining a
secure, protected network provides a more stable, functional work environment for everyone.
1.2.1.2 Page 1.1.1.2 Evolution of Security Threats
“Necessity is the mother of invention.” This saying applies perfectly to network security. In the early days of the
Internet, commercial interests were negligible. The vast majority of users were research and development experts.
The Internet did not implement security measures, but early users rarely engaged in activities that would harm other
users.
Early on, networking involved connecting people and machines through communications media. The job of a
networker was to connect devices to improve a user’s ability to communicate information and ideas. The early users
of the Internet did not spend much time thinking about whether or not their online activities presented a threat to
the network or to their own data.
When the first viruses were unleashed and the first DoS attack occurred, the world began to change for
networking professionals. To meet the needs of users, network professionals learned techniques to secure networks.
The primary focus of many network professionals evolved from designing, building, and growing networks to
securing existing networks.
Today, the Internet is a very different network compared to its beginnings. More people are relying on the
network for their personal, financial and business needs. This information must be protected. However, attack tools
are much more sophisticated, and highly automated, requiring less technical knowledge to use them than in the
past. The timeline in the figure shows the relationship between the sophistication of attack tools and the technical
knowledge required to use them.
The job of a network security professional includes ensuring that appropriate personnel are well-versed in
network security tools, processes, techniques, protocols, and technologies. It is critical that network security
professionals manage the constantly evolving threats to networks.
1.2.1.3 Page 1.1.1.3 Evolution of Network Security Tools
The evolution of network security tools.
2010 Cisco Security Intelligence Operations
2006 Cisco Zone-Based Policy Firewall
1999 First IPS
1998 Snort IDS
1997 RealSecure IDS
1995 NetRanger IDS
1994 Check Point Firewall
1991 DCE SEAL Application Layer Firewall
1989 AT&T Bell Labs Stateful Firewall
1988 DCE Packet Filter Firewall
As network security became an integral part of everyday operations, devices dedicated to particular network
security functions emerged.
One of the first network security tools was the intrusion detection system (IDS), first developed by SRI
International in 1984. An IDS provides real-time detection of certain types of attacks while they are in progress. This
detection allows network security professionals to more quickly mitigate the negative impact of these attacks on
network devices and users. In the late 1990s, the intrusion prevention system (IPS) began to replace the IDS solution.
IPS devices enable the detection of malicious activity and have the ability to automatically block the attack in
real-time.
In addition to IDS and IPS solutions, firewalls were developed to prevent undesirable traffic from entering
prescribed areas within a network, thereby providing perimeter security. In 1988, Digital Equipment Corporation
(DEC) created the first network firewall in the form of a packet filter. These early firewalls inspected packets to see if
they matched sets of predefined rules, with the option of forwarding or dropping the packets accordingly. Packet
filtering firewalls inspect each packet in isolation without examining whether a packet is part of an existing
connection. In 1989, AT&T Bell Laboratories developed the first stateful firewall. Like packet filtering firewalls,
stateful firewalls use predefined rules for permitting or denying traffic. Unlike packet filtering firewalls, stateful
firewalls keep track of established connections and determine if a packet belongs to an existing flow of data,
providing greater security and more rapid processing.
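The difference between the two firewall generations described above is easiest to see in code. The following is an added example written for this page, not Cisco's or any firewall vendor's code: it models a stateless packet filter with the classic "allow replies from port 80 back to high ports" rule, and a stateful filter that only admits inbound packets belonging to a connection a LAN host opened first. The packets, addresses and ports are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet model (constructed for this example)."""
    direction: str   # "out" = LAN -> Internet, "in" = Internet -> LAN
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


# Stateless rule set: (direction, source port range, destination port range).
# To let web replies back in, a stateless filter has to trust the source port.
STATELESS_RULES = [
    ("out", (1024, 65535), (80, 80)),   # LAN clients to web servers
    ("in",  (80, 80), (1024, 65535)),   # "replies" from web servers to LAN clients
]


def stateless_permit(pkt: Packet) -> bool:
    """Each packet is judged on its own header fields; no memory of earlier packets."""
    for direction, (slo, shi), (dlo, dhi) in STATELESS_RULES:
        if pkt.direction == direction and slo <= pkt.sport <= shi and dlo <= pkt.dport <= dhi:
            return True
    return False


class StatefulFilter:
    """Tracks flows opened from the LAN and admits only inbound traffic that matches one."""

    def __init__(self) -> None:
        self.flows: set = set()   # entries: (lan_ip, lan_port, remote_ip, remote_port)

    def permit(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if not stateless_permit(pkt):
                return False
            flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack:          # a new outbound SYN creates the flow entry
                self.flows.add(flow)
                return True
            return flow in self.flows            # later outbound packets must belong to a flow
        # Inbound: permitted only if a LAN host already opened this exact flow.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def run_demo() -> dict:
    """Run the same three constructed packets through both filters."""
    fw = StatefulFilter()
    client_syn = Packet("out", "10.0.0.5", 40000, "203.0.113.10", 80, syn=True)
    server_reply = Packet("in", "203.0.113.10", 80, "10.0.0.5", 40000, syn=True, ack=True)
    # Constructed: an unsolicited inbound packet that merely uses source port 80.
    unsolicited = Packet("in", "198.51.100.7", 80, "10.0.0.5", 22222, syn=True)
    packets = (client_syn, server_reply, unsolicited)
    return {
        "stateless": [stateless_permit(p) for p in packets],   # [True, True, True]
        "stateful": [fw.permit(p) for p in packets],           # [True, True, False]
    }


if __name__ == "__main__":
    print(run_demo())
```

The stateless filter passes the unsolicited packet because its header happens to match the reply rule; the stateful filter rejects it because no LAN host ever opened that flow. Real stateful firewalls also age out idle entries and validate TCP sequence numbers, which this model omits.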
The original firewalls were software features added to existing networking devices, such as routers. Over time,
several companies developed standalone, or dedicated firewalls that enable routers and switches to offload the
memory and processor-intensive activity of filtering packets. Cisco’s Adaptive Security Appliance (ASA) is available as
a standalone context-aware firewall. For organizations that do not require a dedicated firewall, modern routers, like
the Cisco Integrated Services Router (ISR), can be used as sophisticated stateful firewalls.
Traditional security relied on the layering of products and using multiple filters. However, as threats became
more sophisticated, these filters were required to look deeper into network and application layer traffic. Security
requirements included more dynamic updates of information and quicker response times to threats. For this reason,
Cisco designed the Security Intelligence Operations (SIO). SIO is a cloud-based service that connects global threat
information, reputation-based services, and sophisticated analysis to Cisco network security devices to provide
stronger protection with faster response times.
1.2.1.4 Page 1.1.1.4 Threats to Networks
As shown in the figure, in addition to dealing with threats from outside of the network, network security
professionals must also be prepared for threats from inside the network. Internal threats, whether intentional or
accidental, can cause even greater damage than external threats because of direct access to, and knowledge of, the
corporate network and data. Despite this fact, it has taken more than 20 years after the introduction of tools and
techniques for mitigating external threats to develop tools and techniques for mitigating internal threats.
A common scenario for a threat originating from inside the network is a disgruntled employee with some
technical skills and a willingness to do harm. Most threats from within the network leverage the protocols and
technologies used on the local area network (LAN) or the switched infrastructure. These internal threats fall into two
categories: spoofing and DoS.
Spoofing attacks are attacks in which one device attempts to pose as another by falsifying data. There are
multiple types of spoofing attacks. For example, MAC address spoofing occurs when one computer accepts data
packets based on the MAC address of another computer.
DoS attacks make computer resources unavailable to intended users. Attackers use various methods to launch
DoS attacks.
As a network security professional, it is important to understand the methods designed specifically for targeting
these types of threats and ensuring the security of the LAN.
1.2.1.5 Page 1.1.1.5 Encryption and Cryptography
In addition to preventing and denying malicious traffic, network security also requires that data stay protected.
Cryptography, the study and practice of hiding information, is used pervasively in modern network security. Today,
each type of network communication has a corresponding protocol or technology designed to hide that
communication from anyone other than the intended user.
Network data can be encrypted (made unreadable to unauthorized users) using various cryptography
applications. The conversation between two IP phone users can be encrypted. The files on a computer can also be
encrypted. These are just a few examples. Cryptography can be used almost anywhere that there is data
communication. In fact, the trend is toward all communication being encrypted.
Cryptography ensures data confidentiality, which is one of the three components of information security:
confidentiality, integrity, and availability. Information security deals with protecting information and information
systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Encryption provides
confidentiality by hiding plaintext data, as shown in Figure 1. Data integrity, meaning that the data is preserved
unaltered during any operation, is achieved by the use of hashing mechanisms. Availability, which is data
accessibility, is guaranteed by network hardening mechanisms and backup systems.
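The integrity component above rests on hashing, and the point a practitioner most needs to see is where an unkeyed hash stops helping. The following added example (written for this page, not Cisco course code) uses Python's standard library to show a plain SHA-256 digest catching an altered message, then shows that whoever can alter the data can also recompute that digest, which is why a keyed hash (HMAC) is used when the checker and the sender share a secret. The sample configuration line and the key are constructed placeholders.

```python
import hashlib
import hmac


def digest(data: bytes) -> str:
    """Unkeyed SHA-256 fingerprint of the data: the 'hashing mechanism' of the text."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_digest: str) -> bool:
    """Recompute the digest and compare it in constant time."""
    return hmac.compare_digest(digest(data), expected_digest)


def tag(key: bytes, data: bytes) -> str:
    """Keyed digest (HMAC-SHA256): only a holder of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def tag_ok(key: bytes, data: bytes, expected_tag: str) -> bool:
    """Verify an HMAC tag in constant time."""
    return hmac.compare_digest(tag(key, data), expected_tag)


def run_demo() -> dict:
    """Constructed sample: a stored configuration line and a tampered copy of it."""
    original = b"ip route 0.0.0.0 0.0.0.0 192.0.2.1"
    tampered = b"ip route 0.0.0.0 0.0.0.0 198.51.100.9"
    key = b"placeholder-shared-secret"   # constructed; a real key would be random and long

    stored_digest = digest(original)     # what a sender or backup job would publish
    stored_tag = tag(key, original)

    return {
        # An unkeyed hash detects accidental or in-transit alteration ...
        "hash_detects_tamper": not integrity_ok(tampered, stored_digest),
        # ... but anyone who can change the data can also publish a matching new hash.
        "hash_recomputable_without_key": integrity_ok(tampered, digest(tampered)),
        # A keyed tag cannot be recomputed without the secret.
        "hmac_detects_tamper": not tag_ok(key, tampered, stored_tag),
        "hmac_rejects_wrong_key": not tag_ok(b"wrong-key", original, stored_tag),
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

All four results are True. The design choice worth noting is `hmac.compare_digest`: comparing hex strings with `==` leaks timing information about how many leading characters matched, so verifiers use a constant-time comparison even for unkeyed digests.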
Evolution of Data Protection Technologies.
2009 Group Encrypted Transport VPN (GET VPN)
2005 SSL VPN
2002 Dynamic Multipoint VPN
2001 Remote-Access IPsec VPN
2000 MPLS VPNs
1999 SSH
1996 Site-to-Site IPsec VPNs
1993 Cisco GRE Tunnels

1.2.2 Topic 1.1.2 Drivers for Network Security
1.2.2.1 Page 1.1.2.1 The Hacker
The word ‘hackers’ has a variety of meanings. For many, it means Internet programmers who try to gain
unauthorized access to devices on the Internet. It is also used to refer to individuals who run programs to prevent or
slow network access to a large number of users, or corrupt or wipe out data on servers. But for some, the term
hacker has a positive interpretation as a network professional that uses sophisticated Internet programming skills to
ensure that networks are not vulnerable to attack. Good or bad, hacking is a driving force in network security.
From a business perspective, it is necessary to minimize the effects of hackers with bad intentions. Businesses
lose productivity when the network is slow or unresponsive. Business profits are impacted by data loss and data
corruption.
The job of a network security professional is to stay one step ahead of the hackers by attending training and
workshops, participating in security organizations, subscribing to real-time feeds regarding threats, and perusing
security websites on a daily basis. The network security professional must also have access to state-of-the-art
security tools, protocols, techniques, and technologies. Network security professionals should have many of the
same traits as law enforcement professionals. They should always remain aware of malicious activities and have the
skills and tools to minimize or eliminate the threats associated with those activities.
Hacking has the unintended effect of creating a high demand for network security professionals. However,
relative to other technology professions, network security has the steepest learning curve and requires a
commitment to continuous professional development.
1.2.2.2 Page 1.1.2.2 Evolution of Hacking
Evolution of hacking timeline
1970
• Phone Freaks
1980
• Wardialing
1988
• First internet worm
1993
• First Def. Con Hacking Conference
1994
• First 5-year Federal Prison sentence for Hacking
1995
• Kevin Mitnick initially sentenced to 4 years in prison for hacking credit card accounts.
• SATAN Released
1997
• First Malicious Scripts Released and Used by Less Educated Hackers (Script Kiddies).
• Nmap Published
1998
• Wardriving
2002
• Melissa Virus Creator Gets 20 Months in Federal Prison
2006
• Vishing, Smishing
2009
• First malicious iPhone worm
2011
• Script kiddies hacked the NBC News Twitter account posting fake updates related to terrorist
attacks.
Hacking started in the 1960s with phone freaking, or phreaking, which refers to using various audio frequencies
to manipulate phone systems. Phreaking began when AT&T introduced automatic switches to their phone systems.
The AT&T phone switches used various tones, or tone dialing, to indicate different functions, such as call termination
and call dialing. A few AT&T customers realized that by mimicking a tone using a whistle, they could exploit the
phone switches to make free long-distance calls.
As communication systems evolved, so did hacking methods, as shown in the figure. Wardialing became popular
in the 1980s with the use of computer modems. Wardialing programs automatically scanned telephone numbers
within a local area, dialing each one in search of computers, bulletin board systems, and fax machines. When a
phone number was found, password-cracking programs were used to gain access.
Wardriving began in the 1990s and is still popular today. Wardriving refers to users gaining unauthorized access
to networks via wireless access points. This is accomplished using a wireless-enabled portable computer or PDA.
Password-cracking programs are used to authenticate, if necessary, and there is even software to crack the
encryption scheme required to associate to the access point.
Other threats have evolved over time. These include network scanning tools such as Nmap, John the Ripper, Cain
and Abel and SATAN, as well as remote system administration hacking tools such as Back Orifice. Network security
professionals must be familiar with all of these tools.
1.2.2.3 Page 1.1.2.3 First Network Attacks
Transactions worth trillions of dollars are conducted over the Internet on a daily basis, and the livelihoods of
millions of people depend on Internet commerce. For this reason, criminal laws are in place to protect individual and
corporate assets. There are numerous cases of individuals who have had to face the court system due to these laws.
First Virus
Melissa Email Virus - March, 1999. Below is the actual email as distributed.
From: ******
Subject: Important Message From ******
To: (50 names from alias list)
Here is that document you asked for don’t show anyone else ;-)
Attachment: LIST.DOC
First Worm
The Morris Internet Worm
All the following events occurred on the evening of Nov. 2, 1988.
6:00 PM  At about this time the Worm is launched.
8:49 PM  The Worm infects a VAX 8600 at the University of Utah (cs.utah.edu).
9:09 PM  The Worm initiates the first of its attacks to infect other computers from the infected VAX.
9:21 PM  The load average on the system reaches 5. (Load average is a measure of how hard the computer
system is working. At 9:30 at night, the load average of the VAX was usually 1. Any load average higher
than 5 causes delays in data processing.)
9:41 PM  The load average reaches 7.
10:01 PM The load average reaches 16.
10:06 PM At this point there are so many worms infecting the system that no new processes can be started.
No users can use the system anymore.
10:20 PM The system administrator kills off the worms.
10:41 PM The system is re-infected and the load average reaches 27.
10:49 PM The system administrator shuts down the system. The system is subsequently restarted.
11:21 PM Re-infestation causes the load average to reach 37.
First Spam
First Spam on ARPAnet- 1978. Below is the actual spam message as distributed on ARPAnet.
To: Everyone
From:
Subject: Presentation Today
DIGITAL WILL BE GIVING A PRODUCT PRESENTATION OF THE NEWEST MEMBERS OF THE DECSYSTEM-20
FAMILY; THE DECSYSTEM-2020, 2020T, 2060, AND 2060T. THE DECSYSTEM-20 FAMILY OF COMPUTERS
HAS EVOLVED FROM THE TENEX OPERATING SYSTEM AND THE DECSYSTEM-10 <PDP-10> COMPUTER
ARCHITECTURE. BOTH THE DECSYSTEM-2060T AND 2020T OFFER FULL ARPANET SUPPORT UNDER THE
TOPS-20 OPERATING SYSTEM. THE DECSYSTEM-2060 IS AN UPWARD EXTENSION OF THE CURRENT
DECSYSTEM 2040 AND 2050 FAMILY. THE DECSYSTEM-2020 IS A NEW LOW END MEMBER OF THE
DECSYSTEM-20 FAMILY AND FULLY SOFTWARE COMPATIBLE WITH ALL OF THE OTHER DECSYSTEM-20
MODELS.
WE INVITE YOU TO COME SEE THE 2020 AND HEAR ABOUT THE DECSYSTEM-20 FAMILY AT THE TWO
PRODUCT PRESENTATIONS WE WILL BE GIVING IN CALIFORNIA THIS MONTH. THE LOCATIONS WILL BE:
TUESDAY, MAY 9, 1978 - 2 PM
HYATT HOUSE (NEAR THE L.A. AIRPORT)
LOS ANGELES, CA
THURSDAY, MAY 11, 1978 - 2 PM
DUNFEY'S ROYAL COACH
SAN MATEO, CA
(4 MILES SOUTH OF S.F. AIRPORT AT BAYSHORE, RT 101 AND RT 92)
A 2020 WILL BE THERE FOR YOU TO VIEW. ALSO TERMINALS ON-LINE TO OTHER DECSYSTEM-20
SYSTEMS THROUGH THE ARPANET. IF YOU ARE UNABLE TO ATTEND, PLEASE FEEL FREE TO CONTACT THE
NEAREST DEC OFFICE FOR MORE INFORMATION ABOUT THE EXCITING DECSYSTEM-20 FAMILY.
First DoS Attack
Mafiaboy DoS Attack - February, 2000. Below is an article describing the sentencing of Mafiaboy shortly
after conviction of the DoS Attack.
'Mafiaboy' Sentenced to 8 Months. Wired News Report 09.13.01
"Mafiaboy," the Canadian teenager who launched a denial of service attack that paralyzed many of the
Internet’s major sites for one week in February 2000, will be spending the next eight months in a youth
detention center. Judge Gilles Ouellet, who presided over the trial in Quebec's Youth Court, handed down
the ruling on Wednesday. Ouellet said that the 17-year-old had committed a criminal act when he
attacked Yahoo, eBay and Amazon and other major Internet sites. "This is a grave matter. This attack
weakened the entire electronic communication system," Ouellet told the court. "And the motivation was
undeniable, this adolescent had a criminal intent." Prosecutor Louis Miville-Deschenes said that he hoped
the sentence would send “a strong message to the hacker world." Mafiaboy will also serve one year of
probation after his release from the detention center. During his probation he will be allowed to attend
school and have a part-time job. He was also ordered by Ouellet to donate $250 to charity. Mafiaboy's
real name has not been released by the court, due to the Canadian law that protects the identity of
offenders under 18 years of age. Defense lawyer Yan Romanowski said that his client was shocked and
saddened by his sentence and is considering an appeal. "He hoped the judge had understood that he had
learned his lesson and that detention was not a proper remedy in these circumstances," Romanowski
said. "Detention is too much as far as I am concerned," Romanowski added. The maximum sentence
Mafiaboy could have received was two years in detention. Prosecutor Louis Miville-Deschenes had asked
the court to sentence Mafiaboy to one year of detention. "We think it is a reasonable ruling. It sends a
strong message to hackers that they will get caught if they do things like that," Miville-Deschenes told
reporters after court was dismissed.
The first virus was an email virus by the name of the Melissa virus. It was written by David Smith of Aberdeen,
New Jersey. This virus resulted in memory overflows in Internet mail servers. David Smith was sentenced to 20
months in federal prison and a $5,000 fine. A sample of this email is shown under First Virus above.
Robert Morris created the first Internet worm with 99 lines of code. When the Morris Worm was released, 10
percent of Internet systems were brought to a halt. Robert Morris was charged and received three years’ probation,
400 hours of community service, and a fine of $10,000. The First Worm timeline above lists some of the events that
occurred when this worm was introduced.
Spamming is the use of messaging technologies such as email and text messaging to send unsolicited bulk
messages. The first spam message distributed on the Advanced Research Projects Agency Network (ARPAnet) was in
1978. The actual spam message that was distributed is shown under First Spam above.
A DoS attack is an attempt to make a service or machine unavailable to its intended users. See First DoS Attack
above for more information on the Mafiaboy DoS attack in February 2000.
When hackers use their creativity for malicious purposes, such as attacks via spam, DoS, or breaking into
accounts, they often end up going to jail and paying large fines. They also lose access to the very environment in
which they thrive.
1.2.2.4 Page 1.1.2.4 Network Security Professionals
As a result of hacker exploits, the sophistication of hacker tools, and government legislation, network security
solutions developed rapidly in the 1990s. By the late 1990s, many sophisticated network security solutions had been
developed for organizations to strategically deploy within their networks. With these solutions came new job
opportunities and increased compensation in the field of network security. The figure shows common network
security specialist job roles.
The annual income for a network security professional is on the high end of the scale for careers in technology
because of the depth and breadth of knowledge required. Network security professionals must constantly upgrade
their skill set to keep abreast of the latest threats. The challenge of gaining and maintaining the necessary
knowledge often translates into a shortage of network security professionals.
Network security professionals are responsible for maintaining data assurance for an organization and ensuring
the integrity and confidentiality of information. A network security professional might be responsible for setting up
firewalls and intrusion prevention systems as well as ensuring encryption of company data. Implementing enterprise
authentication schemes is another important task. The job entails maintaining detailed logs of suspicious activity on
the network to use for reprimanding or prosecuting violators. As a network security professional, it is also important
to maintain familiarity with network security organizations. These organizations often have the latest information on
threats and vulnerabilities.
1.2.3 Topic 1.1.3 Network Security Organizations
1.2.3.1 Page 1.1.3.1 Network Security Organizations
Network security professionals must collaborate with professional colleagues more frequently than most other
professions. This includes attending workshops and conferences that are often affiliated with, sponsored, or
organized by local, national, or international technology organizations, as shown in the figure.
• Three of the more well-established network security organizations are:
o SysAdmin, Audit, Network, Security (SANS) Institute
o Computer Emergency Response Team (CERT)
o International Information Systems Security Certification Consortium ((ISC)², pronounced as "I-S-C-squared")
A number of other network security organizations are also important to network security professionals.
InfoSysSec is a network security organization that hosts a security news portal, providing the latest breaking news
pertaining to alerts, exploits, and vulnerabilities. The Mitre Corporation maintains a list of common vulnerabilities
and exposures (CVE) used by prominent security organizations. Forum of Incident Response and Security Teams
(FIRST) is a security organization that brings together a variety of computer security incident response teams from
government, commercial, and educational organizations to foster cooperation and coordination in information
sharing, incident prevention and rapid reaction. Finally, the Center for Internet Security (CIS) is a nonprofit enterprise
that develops security configuration benchmarks through a global consensus to reduce the risk of business and
e-commerce disruptions.
1.2.3.2 Page 1.1.3.2 SANS Institute
SANS was established in 1989 as a cooperative research and education organization, as shown in the figure. The
focus of SANS is information security training and certification. SANS develops research documents about various
aspects of information security.
SANS relies upon a range of individuals that include: auditors, network administrators, and chief information
security officers, to share lessons and solutions to various challenges. At the heart of SANS are security practitioners
from different global organizations, corporations, and universities working together to help the entire information
security community.
SANS resources are largely free upon request. This includes the popular Internet Storm Center, the Internet’s
early warning system; NewsBites, the weekly news digest; @RISK, the weekly vulnerability digest; flash security
alerts; and more than 1,200 award-winning, original research papers.
SANS develops security courses that can be taken to prepare for Global Information Assurance Certification
(GIAC) in auditing, management, operations, legal issues, security administration, and software security. GIAC
validates the skills of network security professionals, ranging from entry-level information security to advanced
subject areas. This can include auditing, intrusion detection, incident handling, firewalls and perimeter protection,
data forensics, hacker techniques, Windows and UNIX operating system security, and secure software and
application coding.
1.2.3.3 Page 1.1.3.3 CERT
CERT is part of the U.S. federally funded Software Engineering Institute (SEI) at Carnegie Mellon University. CERT
is chartered to work with the Internet community in detecting and resolving computer security incidents. The Morris
Worm motivated the formation of CERT at the directive of the Defense Advanced Research Projects Agency (DARPA).
The CERT Coordination Center (CERT/CC) focuses on coordinating communication among experts during security
emergencies to help prevent future incidents.
CERT responds to major security incidents and analyzes product vulnerabilities. CERT works to manage changes
relating to progressive intruder techniques and to the difficulty of detecting attacks and catching attackers. CERT
develops and promotes the use of appropriate technology and systems management practices to resist attacks on
networked systems, to limit damage, and to ensure continuity of services.
• CERT focuses on five areas:
o Software assurance
o Secure systems
o Organizational security
o Coordinated response
o Education and training
As shown in the figure, CERT disseminates information by publishing articles, research and technical reports, and
papers on a variety of security topics. CERT works with the news media to raise awareness of the risks on the
Internet and the steps that users can take to protect themselves. CERT works with other major technology
organizations, such as the global Forum for Incident Response and Security Teams (FIRST) and Internet Engineering
Task Force (IETF), to increase the commitment to security and survivability. CERT also advises U.S. government
organizations, such as the National Threat Assessment Center, the National Security Council, and the Homeland
Security Council.
1.2.3.4 Page 1.1.3.4 (ISC)
2
(ISC)
2
, shown in Figure 1, provides vendor-neutral education products and career services in more than 135
countries. Its membership includes over 75,000 certified industry professionals worldwide.
The mission of (ISC)
2
is to make the cyber world a safer place by elevating information security to the public
domain, and supporting and developing network security professionals around the world.
(ISC)2 develops and maintains the (ISC)2 Common Body of Knowledge (CBK). The CBK defines global industry
standards, serving as a common framework of terms and principles that (ISC)2 credentials are based upon. The CBK
allows professionals worldwide to discuss, debate, and resolve matters pertaining to the field.
Most notably, (ISC)2 is universally recognized for its four information security certifications, including one of the
most popular certifications in the network security profession, the Certified Information Systems Security
Professional (CISSP). These credentials help to ensure that employers with certified employees maintain the safety of
information assets and infrastructures.
(ISC)2 promotes expertise in handling security threats through its education and certification programs. As
members, individuals have access to current industry information and networking opportunities unique to its
network of certified information security professionals.
1.2.3.4.1 Security certifications offered by (ISC)2
Systems Security Certified Practitioner (SSCP)
The SSCP Certification is only available to qualified candidates who subscribe to the (ISC)2 code of ethics
and pass the SSCP Certification examination based on the relevant SSCP Common Body of Knowledge
(CBK).
Candidates must also be able to prove at least one year of experience in one of the seven domains that
comprise the SSCP Certification:
• Access Controls
• Administration
• Audit and Monitoring
• Risk, Response and Recovery
• Cryptography
• Data Communications
• Malicious Code/Malware
Certification and Accreditation Professional (CAP)
CAP was co-developed by the U.S. Department of State’s Office of Information Assurance and (ISC)2.
The CAP credential is used as a measure of the knowledge, skills and abilities of personnel involved in
assessing risk and establishing security requirements, as well as ensuring that information systems
possess appropriate security measures.
Certified Secure Software Lifecycle Professional (CSSLP)
The CSSLP is the newest certification from (ISC)2, and is the only certification in the industry that ensures
security is considered throughout the entire software lifecycle.
It centers around seven domains:
• Secure Software Concepts
• Secure Software Requirements
• Secure Software Design
• Secure Software Implementation/Coding
• Secure Software Testing
• Software Acceptance
• Software Deployment, Operations, Maintenance and Disposal
Certified Information Systems Security Professional (CISSP)
The CISSP was the first credential in the field of information security, accredited by the ANSI to ISO
Standard 17024:2003.
For the CISSP credential, in addition to five years of experience, professional experience must be in two or
more of the 10 defined (ISC)2 CISSP domains:
• Access Control
• Application Security
• Business Continuity and Disaster Recovery Planning
• Cryptography
• Information Security and Risk Management
• Legal, Regulations, Compliance and Investigations
• Operations Security
• Physical (Environmental) Security
• Security Architecture and Design
• Telecommunications and Network Security
1.2.3.5 Page 1.1.3.5 RSS
US-CERT RSS Feed
In addition to the websites of the various security organizations, one of the most useful tools for the network
security professional is Really Simple Syndication (RSS) feeds.
RSS is a family of XML-based formats used to publish frequently updated information, such as blog entries, news
headlines, audio, and video. RSS uses a standardized format. An RSS feed includes complete or summarized text, plus
metadata, such as publishing dates and authorships.
RSS benefits professionals who want to subscribe to timely updates from favored websites or to aggregate feeds
from many sites into one place. RSS feeds can be read using a web-based RSS reader, typically built into a web
browser. The RSS reader software checks the user’s subscribed feeds regularly for new updates and provides an
interface to monitor and read the feeds. By using RSS, a network security professional can acquire up-to-date
information on a daily basis and aggregate real-time threat information for review at any time.
For example, the US-CERT Current Activity web page is a regularly updated summary of the most frequent, high-
impact types of security incidents being reported to the US-CERT, as shown in the figure. A text-only RSS feed is
available here. This feed reports at all hours of the day and night, with information regarding security advisories,
email scams, backup vulnerabilities, malware spreading via social network sites, and other potential threats.
Note: The Chrome browser does not support RSS feeds by default. An RSS extension must be used to view RSS feeds.
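As an added example (not part of the course text), here is a small Python poller over a constructed RSS 2.0 feed of the kind described above: it parses each item's title, link and publication date, orders items newest first, and reports only items not yet seen, which is the check an RSS reader performs on every poll. The feed content, URLs and dates are made-up placeholders.

```python
# Added example, not from the CCNA Security course: a minimal poller for an
# RSS 2.0 security-advisory feed. SAMPLE_FEED is constructed to resemble a
# US-CERT-style feed; its titles, links and dates are illustrative placeholders.
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime

SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example Current Activity</title>
    <item>
      <title>Example Advisory: Patch Available for Widget Server</title>
      <link>https://example.invalid/advisory/1001</link>
      <pubDate>Tue, 05 Mar 2013 14:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Example Alert: Phishing Campaign Reported</title>
      <link>https://example.invalid/alert/1002</link>
      <pubDate>Wed, 06 Mar 2013 09:30:00 GMT</pubDate>
    </item>
  </channel>
</rss>"""

def parse_feed(xml_text):
    """Return the feed's items, newest first, as dicts of title/link/guid/published."""
    # For feeds fetched from untrusted sources, defusedxml.ElementTree is a
    # hardened drop-in replacement for xml.etree.ElementTree.
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        # RSS items may carry a <guid>; fall back to <link> when they do not.
        guid = item.findtext("guid") or item.findtext("link")
        items.append({
            "title": item.findtext("title", "").strip(),
            "link": item.findtext("link", "").strip(),
            "guid": guid.strip(),
            "published": parsedate_to_datetime(item.findtext("pubDate")),
        })
    items.sort(key=lambda i: i["published"], reverse=True)
    return items

def new_items(items, seen_guids):
    """Items whose guid is not in seen_guids: the reader's periodic check for updates."""
    return [i for i in items if i["guid"] not in seen_guids]

if __name__ == "__main__":
    seen = set()
    for entry in new_items(parse_feed(SAMPLE_FEED), seen):
        print(entry["published"].isoformat(), entry["title"])
        seen.add(entry["guid"])
```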
1.2.4 Topic 1.1.4 Domains of Network Security
1.2.4.1 Page 1.1.4.1 Network Security Domains
It is vital for a network security professional to understand the drivers for network security, be familiar with the
organizations dedicated to network security, and have an understanding of the various network security domains.
Domains provide an organized framework to facilitate learning about network security.
There are 12 network security domains specified by the International Organization for Standardization
(ISO)/International Electrotechnical Commission (IEC). Described by ISO/IEC 27002, these 12 domains serve to
organize, at a high level, the vast realm of information under the umbrella of network security. These domains have
some significant parallels with domains defined by the CISSP certification.
Security Policy
A document that addresses the constraints and behaviors of members of an organization and often
specifies how data can be accessed and what data is accessible by whom.
Information Security Incident Management
This describes how to anticipate and respond to information security breaches.
Compliance
This describes the process of ensuring conformance with information security policies, standards, and
regulations.
Access Control
This describes the restriction of access rights to networks, systems, applications, functions, and data.
Risk Assessment
This is the first step in the risk management process. It determines the quantitative and qualitative
value of risk related to a specific situation or recognized threat.
Organization of information security
This is the governance model set out by an organization for information security.
Information Systems Acquisition, Development and Maintenance
This describes the integration of security into applications.
Communications and Operations Management
This describes the management of technical security controls in systems and networks.
Human Resources Security
This addresses security procedures relating to employees joining, moving within, and leaving an
organization.
Asset Management
This is an inventory of and classification scheme for information assets.
Physical and Environmental Security
This describes the protection of the computer facilities within an organization.
Business Continuity Management
This describes the protection, maintenance, and recovery of business-critical processes and systems.
The 12 domains are intended to serve as a common basis for developing organizational security standards and
effective security management practices, and to help facilitate communication between organizations.
1.2.4.2 Page 1.1.4.2 Security Policy
The 12 domains of network security provide a convenient separation for the elements of network security. While it is
not important to memorize these 12 domains, it is important to be aware of their existence and formal declaration
by the ISO. They will serve as a useful reference in your work as a network security professional.
One of the most important domains is the security policy domain. A security policy is a formal statement of the
rules by which people must abide who are given access to the technology and information assets of an organization,
as shown in the figure. The concept, development, and application of a security policy are critical to keeping an
organization secure. It is the responsibility of a network security professional to weave the security policy into all
aspects of business operations within an organization.
1.2.5 Topic 1.1.5 Network Security Policies
1.2.5.1 Page 1.1.5.1 Network Security Policy
The network security policy is a broad, end-to-end document designed to be clearly applicable to an
organization’s operations. The policy is used to aid in network design, convey security principles, and facilitate
network deployments.
The network security policy outlines rules for network access, determines how policies are enforced, and
describes the basic architecture of the organization’s network security environment. Because of its breadth of
coverage and impact, it is usually compiled by a committee, as shown in the figure. It is a complex document meant
to govern items, such as data access, web browsing, password usage, encryption, and email attachments.
When a policy is created, it must be clear what services must be made available to specific users. The network
security policy establishes a hierarchy of access permissions, giving employees only the minimal access necessary to
perform their work.
The network security policy outlines what assets should be protected and gives guidance on how they should be
protected. This will then be used to determine the security devices and mitigation strategies and procedures that
should be implemented on the network. One possible guideline that administrators can use when developing the
security policy, and when determining various mitigation strategies, is the Cisco SecureX architecture.
1.2.5.2 Page 1.1.5.2 Cisco SecureX Architecture
The Cisco SecureX architecture is designed to provide effective security for any user, using any device, from any
location, and at any time. This new security architecture uses a higher-level policy language that takes into account
the full context of a situation - who, what, where, when and how. With highly distributed security policy
enforcement, security is pushed closer to where the end user is working.
• This architecture includes the following five major components:
o Scanning Engines
o Delivery Mechanisms
o Security Intelligence Operations (SIO)
o Policy Management Consoles
o Next-generation Endpoint
Scanning Engines
These are the foundation of security enforcement and can be viewed as the workhorses of policy
enforcement. They are the proxies or network-level devices that examine content, identify applications,
and authenticate users. A scanning engine can be a firewall/IPS, a proxy, or an interesting fusion of the
two. Scanning engines can run multiple layers of anti-malware signatures, behavioral analyses, and
content inspection engines.
Delivery Mechanisms
These are the mechanisms by which scanning elements are introduced into the network. This includes the
traditional network appliance, a module in a switch or a router, or an image in a Cisco security cloud.
Security Intelligence Operations (SIO)
The “brains” that distinguish good traffic from malicious traffic. The Cisco SIO encompasses multi-terabyte
traffic monitoring databases, thousands of servers in multiple data centers, and hundreds of engineers
and technicians with a single purpose — identifying and stopping malicious traffic.
Policy Management Consoles
These consoles are separate from the scanners that enforce policy. By separating policy creation and
management from enforcement, it is possible to have a single point of policy definition that spans
multiple enforcement points such as email, instant messaging, and the Web.
Next-generation Endpoint
This is the critical piece that ties everything together. The next-generation endpoint can be any of a
multitude of devices. Regardless of the endpoint type, all connections coming on or off of it must be
routed by the device through one of the network-based scanning elements previously described.
1.2.5.3 Page 1.1.5.3 Cisco SecureX Product Categories
Increased user mobility, the influx of consumer devices, and movement of information to non-traditional
locations has created complexities for securing the IT infrastructure. Deploying piecemeal security solutions can lead
to duplicated efforts and inconsistent access policies, and requires increased integration and staffing to support.
Cisco SecureX products work together to provide effective security for any user, using any device, from any
location, at any time. This is one of the primary reasons for relying on the Cisco SecureX architecture to help shape
the security policy.
The five major product categories of the SecureX architecture, with the products in each:
Secure Edge and Branch
• Cisco ASA 5500 Series Adaptive Security Appliance: Combines firewall, VPN, optional content security, and intrusion prevention.
• Cisco Intrusion Prevention System: Identifies and stops malicious traffic, worms, viruses, and application abuse.
• Integrated Security on the ISR G2: Delivers firewall, intrusion prevention, VPN, and content filtering.
Secure Email and Web
• Cisco IronPort Email Security Appliance: Fights spam, viruses, and blended threats for organizations of all sizes.
• Cisco IronPort Web Security Appliance: Integrates web-usage controls, data security, reputation and malware filtering.
• Cisco ScanSafe Cloud Web Security: Analyzes web requests for malicious, inappropriate, or acceptable content.
Secure Access
• Cisco Identity Services Engine: Applies policy-based access control.
• Network Admission Control Appliance: Enforces network security policies by allowing access only to trusted devices.
• Cisco Secure Access Control System: Controls network access based on dynamic conditions and attributes.
Secure Mobility
• VPN Services for Cisco ASA Series: Provides remote access for up to 10,000 SSL or true IPsec connections.
• Cisco Adaptive Wireless IPS Software: Provides automated wireless vulnerability and performance monitoring.
• Cisco AnyConnect Secure Mobility Solutions: Provides an intelligent, smooth, and reliable connectivity experience.
Secure Data Center
• Cisco ASA 5585-X Adaptive Security Appliance: Combines a proven firewall, comprehensive intrusion prevention, and VPN.
• Cisco Catalyst 6500 ASA Services Module: Combines full-featured switching with best-in-class security.
• Cisco Virtual Security Gateway: Integrates with Cisco Nexus 1000V virtual switch hypervisors.