Introduction to

Cybersecurity
CH {1}

the need for

cybersecurity
 What is Cybersecurity?
The connected electronic information network has become an integral part of our daily lives. All
types of organizations, such as medical, financial, and education institutions, use this network
to operate effectively. They utilize the network by collecting, processing, storing, and sharing
vast amounts of digital information. As more digital information is gathered and shared, the
protection of this information is becoming even more vital to our national security and economic
stability.

Cybersecurity is the ongoing effort to protect these networked systems and all of the data
from unauthorized use or harm. On a personal level, you need to safeguard your identity, your
data, and your computing devices. At the corporate level, it is everyone’s responsibility to
protect the organization’s reputation, data, and customers. At the state level, national security,
and the safety and well-being of the citizens are at stake.
 Data on your
computing
devices

Education
Medical data
data

Where is Your
Data?
Your data

Your identity Employment

Information Financial
online data
 Types of Organizational Data
Traditional Data
Corporate data includes personnel information, intellectual properties, and financial data. The personnel
information includes application materials, payroll, offer letters, employee agreements, and any
information used in making employment decisions. Intellectual property, such as patents, trademarks and
new product plans, allows a business to gain economic advantage over its competitors. This intellectual
property can be considered a trade secret; losing this information can be disastrous for the future of the
company. The financial data, such as income statements, balance sheets, and cash flow statements of a
company gives insight into the health of the company.

Internet of Things and Big Data

With the emergence of the Internet of Things (IoT), there is a lot more data to manage and secure. IoT is a
large network of physical objects, such as sensors and equipment that extend beyond the traditional
computer network. All these connections, plus the fact that we have expanded storage capacity and
storage services through the cloud and virtualization, lead to the exponential growth of data. This data has
created a new area of interest in technology and business called “Big Data". With the velocity, volume, and
variety of data generated by the IoT and the daily operations of business, the confidentiality, integrity and
availability of this data is vital to the survival of the organization.
 CI
A
Confidentiality, integrity and availability, known
as the CIA triad is a guideline for information
security for an organization. Confidentiality
ensures the privacy of data by restricting
access through authentication encryption.
Integrity assures that the information is Confidentiality
Integrity
Availability
accurate and trustworthy. Availability ensures
that the information is accessible to
authorized people.
HashCalc
 Amateurs 

Hackers 

Types of Attackers
Organized Hackers
 Internal Security Threats

 Mishandle confidential data

 Threaten the operations of internal servers or network infrastructure devices

 Facilitate outside attacks by connecting infected USB media into the corporate computer system

 Accidentally invite malware onto the network through malicious email or websites
 What is Cyberwarfare?
Cyberspace has become another important
dimension of warfare, where nations can carry
out conflicts without the clashes of traditional
troops and machines. This allows countries
with minimal military presence to be as strong
as other nations in cyberspace. Cyberwarfare
is an Internet-based conflict that involves the
penetration of computer systems and
networks of other nations. These attackers
have the resources and expertise to launch
massive Internet-based attacks against other
nations to cause damage or disrupt services,
such as shutting down a power grid.
stuxnet virus
 Finding Security Vulnerabilities
 Software vulnerabilities
Software vulnerabilities are usually introduced by errors in the operating system or application code, despite all the
effort companies put into finding and patching software vulnerabilities, it is common for new vulnerabilities to surface.
Microsoft, Apple, and other operating system producers release patches and updates almost every day. Application
updates are also common. Applications such as web browsers, mobile apps and web servers are often updated by the
companies or organizations responsible for them.
In 2015, a major vulnerability, called SYNful Knock, was discovered in Cisco IOS. This vulnerability allowed attackers to
gain control of enterprise-grade routers, such as the legacy Cisco 1841, 2811, and 3825 routers.

 Hardware vulnerabilities
Hardware vulnerabilities are often introduced by hardware design flaws. RAM memory for example, is essentially
capacitors installed very close to one another. It was discovered that, due to proximity, constant changes applied to one
of these capacitors could influence neighbor capacitors. Based on that design flaw, an exploit called Rowhammer was
created. By repeatedly rewriting memory in the same addresses, the Rowhammer exploit allows data to be retrieved
from nearby address memory cells, even if the cells are protected.
Hardware vulnerabilities are specific to device models and are not generally exploited through random compromising
attempts. While hardware exploits are more common in highly targeted attacks, traditional malware protection and a
physical security are sufficient protection for the everyday user .
 Categorizing Security Vulnerabilities
Buffer overflow
When a malicious application accesses
memory allocated to other processes.
Non-validated
Data coming into a program with malicious
content, designed to force the program to
Race conditions behave in an unintended way
When the output of an event depends on
ordered or timed outputs
Weaknesses in security practices
When developers attempt to create their own
security applications
Access-control problems
Incorrectly regulating who does what and
what they can do with resources.
 Types of Malware
Spyware Adware
   

Scare
Bot 
ware 
Man-In-
Ransom The-
Rootkit  Mobile
ware 
Man-In- (MitMo)
The-
Virus 
Middle
(MitM)
Trojan
Worms 
horse 
 Symptoms of Malware
 There is an increase in CPU usage.
 There is a decrease in computer speed.
 The computer freezes or crashes often.
 There is a decrease in Web browsing speed.
 There are unexplainable problems with network connections.
 Files are modified.
 Files are deleted.
 There is a presence of unknown files, programs, or desktop icons.
 There are unknown processes running.
 Programs are turning off or reconfiguring themselves.
 Email is being sent without the user’s knowledge or consent.
 Social Engineering
Social engineering is an access attack that attempts to manipulate individuals into performing actions or
divulging confidential information. Social engineers often rely on people’s willingness to be helpful but also
prey on people’s weaknesses. For example, an attacker could call an authorized employee with an urgent
problem that requires immediate network access. The attacker could appeal to the employee’s vanity, invoke
authority using name-dropping techniques, or appeal to the employee’s greed.
These are some types of social engineering attacks:

 Pretexting - This is when an attacker calls an individual and lies to them in an attempt to gain access to
privileged data. An example involves an attacker who pretends to need personal or financial data in order
to confirm the identity of the recipient.
 Tailgating - This is when an attacker quickly follows an authorized person into a secure location.
 Something for Something (Quid pro quo) - This is when an attacker requests personal information from a
party in exchange for something, like a free gift.
 Wi-Fi Password
Cracking
Wi-Fi password cracking is the process of discovering the password used to protect
a wireless network. These are some techniques used in password cracking:

 Social engineering – The attacker manipulates a person who knows the

password into providing it.

 Brute-force attacks – The attacker tries several possible passwords in an

attempt to guess the password. If the password is a 4-digit number, for example,
the attacker would have to try every one of the 10000 combinations. Brute-force
attacks usually involve a word-list file. This is a text file containing a list of words
taken from a dictionary. A program then tries each word and common
combinations. Because brute-force attacks take time, complex passwords take
much longer to guess. A few password brute-force tools include Ophcrack,
L0phtCrack, THC Hydra, RainbowCrack, and Medusa.

 Network sniffing – By listening and capturing packets sent on the network, an
attacker may be able to discover the password if the password is being sent
unencrypted (in plain text). If the password is encrypted, the attacker may still be
able to reveal it by using a password cracking tool.
 Phishing
Phishing is when a malicious party sends a fraudulent email disguised as
being from a legitimate, trusted source. The message intent is to trick the
recipient into installing malware on their device, or into sharing personal
or financial information. An example of phishing is an email forged to look
like it was sent by a retail store asking the user to click a link to claim a
prize. The link may go to a fake site asking for personal information, or it
may install a virus.
Spear phishing is a highly targeted phishing attack. While phishing and
spear phishing both use emails to reach the victims, spear phishing
emails are customized to a specific person. The attacker researches the
target’s interests before sending the email. For example, an attacker
learns the target is interested in cars, and has been looking to buy a
specific model of car. The attacker joins the same car discussion forum
where the target is a member, forges a car sale offering and sends email
to the target. The email contains a link for pictures of the car. When the
target clicks on the link, malware is installed on the target’s computer
 Vulnerability Exploitation

Exploiting vulnerabilities is another common method of infiltration. Attackers will scan computers to gain
information about them. Below is a common method for exploiting vulnerabilities:

Step 1. Gather information about the target system. This could be done in many different ways such as a port
scanner or social engineering. The goal is to learn as much as possible about the target computer.

Step 2.One of the pieces of relevant information learned in step 1 might be the operating system, its version,
and a list of services running on it.

Step 3. When the target’s operating system and version is known, the attacker looks for any known
vulnerabilities specific to that version of OS or other OS services.

Step 4. When a vulnerability is found, the attacker looks for a previously written exploit to use. If no exploits have
been written, the attacker may consider writing an exploit.
 DoS
Denial-of-Service (DoS) attacks are a type of network attack. A DoS attack results
in some sort of interruption of network service to users, devices, or applications.
There are two major types of DoS attacks:

 Overwhelming Quantity of Traffic - This is when a network, host, or

application is sent an enormous quantity of data at a rate which it cannot handle.
This causes a slowdown in transmission or response, or a crash of a device or
service.

 Maliciously Formatted Packets - This is when a maliciously formatted packet

is sent to a host or application and the receiver is unable to handle it. For
example, an attacker forwards packets containing errors that cannot be
identified by the application, or forwards improperly formatted packets. This
causes the receiving device to run very slowly or crash.

DoS attacks are considered a major risk because they can easily interrupt
communication and cause significant loss of time and money. These attacks are
relatively simple to conduct, even by an unskilled attacker.
 DDoS
A Distributed DoS Attack (DDoS) is similar to a DoS
attack but originates from multiple, coordinated
sources. As an example, a DDoS attack could
proceed as follows:

An attacker builds a network of infected hosts, called

a botnet. The infected hosts are called zombies. The
zombies are controlled by handler systems.

The zombie computers constantly scan and infect

more hosts, creating more zombies. When ready, the
hacker instructs handler systems to make the botnet
of zombies carry out a DDoS attack.
 SEO Poisoning
Search engines such as Google work by ranking pages and
presenting relevant results based on users’ search queries.
Depending on the relevancy of web site content, it may
appear higher or lower in the search result list. SEO, short for
Search Engine Optimization, is a set of techniques used to
improve a website’s ranking by a search engine. While many
legitimate companies specialize in optimizing websites to
better position them, a malicious user could use SEO to make
a malicious website appear higher in search results. This
technique is called SEO poisoning.

The most common goal of SEO poisoning is to increase traffic

to malicious sites that may host malware or perform social
engineering. To force a malicious site to rank higher in search
results, attackers take advantage of popular search terms.
 What is a Blended Attack?
Blended attacks are attacks that use multiple techniques
to compromise a target. By using several different attack
techniques at once, attackers have malware that are a
hybrid of worms, Trojan horses, spyware, keyloggers,
spam and phishing schemes. This trend of blended
attacks is revealing more complex malware and placing
user data at great risk.

The most common type of blended attack uses spam

email messages, instant messages or legitimate websites
to distribute links where malware or spyware is secretly
downloaded to the computer. Another common blended
attack uses DDoS combined with phishing emails. First,
DDoS is used to take down a popular bank website and
send emails to the bank's customers, apologizing for the
inconvenience. The email also directs the users to a
forged emergency site where their real login information
can be stolen.
 What is Impact Reduction?
 Communicate the issue. Internally employees should be informed of the problem and called to action.
Externally, clients should be informed through direct communication and official announcements.
Communication creates transparency, which is crucial in this type of situation.

 Be sincere and accountable in case the company is at fault.

 Provide details. Explain why the situation took place and what was compromised. It is also expected that the
company take care of the costs of identity theft protection services for affected customers.

 Understand what caused and facilitated the breach. If necessary, hire forensics experts to research and learn
the details.

 Apply what was learned from the forensics investigation to ensure similar breaches do not happen in the future.

 Ensure all systems are clean, no backdoors were installed, and nothing else has been compromised. Attackers
will often attempt to leave a backdoor to facilitate future breaches. Make sure this does not happen.

 Educate employees, partners, and customers on how to prevent future breaches.

 Protect Your Computing Devices

Keep the Use Manage Protect All

Firewall On Antivirus Your Your
and Operating Devices
Antispyware System and
Browser
 Protecting Your Data

 Use Wireless Networks Safely

 Use Unique Passwords for Each Online Account

 Use Passphrase Rather Than a Password

 Encrypt Your Data

 Back up Your Data

 Deleting Your Data Permanently

 Do Not Share Too Much on Social Media

 Two Factor Authentication
Popular online services, such as Google, Facebook,
Twitter, LinkedIn, Apple and Microsoft, use two factor
authentication to add an extra layer of security for account
logins. Besides the username and password, or personal
identification number (PIN) or pattern, two factor
authentication requires a second token, such as a:

 Physical object - credit card, ATM card, phone, or fob

 Biometric scan - fingerprint, palm print, as well as

facial or voice recognition

Even with two factor authentication, hackers can still gain

access to your online accounts through attacks such as
phishing attacks, malware, and social engineering.
 Web Browser Privacy
Anyone with physical access to your computer, or your
router, can view which websites you have visited using
web browser history, cache, and possibly log files. This
problem can be minimized by enabling the in-private
browsing mode on the web browser. Most of the popular
web browsers have their own name for private browser
mode:
 Microsoft Internet Explorer: InPrivate
 Google Chrome: Incognito
 Mozilla Firefox: Private tab / private window
 Safari: Private: Private browsing

With private mode enabled, cookies are disabled, and

temporary Internet files and browsing history are removed
after closing the window or program.
 Firewall
Types
A firewall is a wall or partition that is designed to prevent
fire from spreading from one part of a building to another.
In computer networking, a firewall is designed to control,
or filter, which communications are allowed in and which
are allowed out of a device or network.

 Network Layer Firewall – filtering based on source

and destination IP addresses

 Transport Layer Firewall –filtering based on source

and destination data ports, and filtering based on
connection states

 Application Layer Firewall –filtering based on

application, program or service
 Firewall
Types
 Context Aware Application Firewall – filtering based
on the user, device, role, application type, and threat
profile

 Proxy Server – filtering of web content requests like

URL, domain, media, etc.

 Reverse Proxy Server – placed in front of web

servers, reverse proxy servers protect, hide, offload,
and distribute access to web servers

 Network Address Translation (NAT) Firewall – hides

or masquerades the private addresses of network
hosts

 Host-based Firewall – filtering of ports and system

service calls on a single computer operating system
 Port Scanning
Port-scanning is a process of probing a computer, server or
other network host for open ports. In networking, each
application running on a device is assigned an identifier
called a port number. This port number is used on both ends
of the transmission so that the right data is passed to the
correct application. Port-scanning can be used maliciously
as a reconnaissance tool to identify the operating system
and services running on a computer or host, or it can be
used harmlessly by a network administrator to verify
network security policies on the network.

For the purposes of evaluating your own computer

network’s firewall and port security, you can use a port-
scanning tool like Nmap to find all the open ports on your
network. Port-scanning can be seen as a precursor to a
network attack and therefore should not be done on public
servers on the Internet, or on a company network without
permission .
 Port Scanning
To execute an Nmap port-scan of a computer on your local
home network, download and launch a program such as
Zenmap, provide the target IP address of the computer you
would like to scan, choose a default scanning profile, and
press scan. The Nmap scan will report any services that are
running (e.g., web services, mail services, etc.) and port
numbers. The scanning of a port generally results in one of
three responses:

 Open or Accepted – The host replied indicating a service

is listening on the port.

 Closed, Denied, or Not Listening – The host replied

indicating that connections will be denied to the port.

 Filtered, Dropped, or Blocked – There was no reply from

the host.
 Security Appliances

Today there is no single security appliance or piece of

technology that will solve all network security needs.
Because there is a variety of security appliances and tools
that need to be implemented, it is important that they all
work together. Security appliances are most effective when
they are part of a system.

Security appliances can be stand-alone devices, like a

router or firewall, a card that can be installed into a network
device, or a module with its own processor and cached
memory. Security appliances can also be software tools that
are run on a network device. Security appliances fall into
these general categories:
 Security
Appliances
Routers - Cisco Integrated Services Router
(ISR) routers, have many firewall capabilities VPN - Cisco security appliances are equipped
besides just routing functions, including traffic with a Virtual Private Network (VPN) server and
filtering, the ability to run an Intrusion Prevention client technologies. It is designed for secure
System (IPS), encryption, and VPN capabilities .encrypted tunneling
.for secure encrypted tunneling

Malware/Antivirus - Cisco Advanced Malware

web and email security
Firewalls - Cisco Next Generation Firewalls Protection (AMP) comes in next generation
have all the capabilities of an ISR router, as well Cisco routers, firewalls, IPS devices, Web and
as, advanced network management and Email Security Appliances and can also be
.analytics .installed as software in host computers

Other Security Devices – This category

IPS - Cisco Next Generation IPS devices, are includes web and email security appliances,
.dedicated to intrusion prevention decryption devices, client access control
.servers, and security management systems
 Detecting Attacks in Real Time
Software is not perfect. When a hacker exploits a flaw in a piece of software before the creator can fix it, it is
known as a zero-day attack. Due to the sophistication and enormity of zero-day attacks found today, it is
becoming common that network attacks will succeed and that a successful defense is now measured in how
quickly a network can respond to an attack. The ability to detect attacks as they happen in real-time, as well as
stopping the attacks immediately, or within minutes of occurring, is the ideal goal. Unfortunately, many companies
and organizations today are unable to detect attacks until days or even months after they have occurred.

 Real Time Scanning from Edge to Endpoint - Detecting attacks in real time requires actively scanning for
attacks using firewall and IDS/IPS network devices. Next generation client/server malware detection with
connections to online global threat centers must also be used. Today, active scanning devices and software
must detect network anomalies using context-based analysis and behavior detection.

 DDoS Attacks and Real Time Response - DDoS is one of the biggest attack threats requiring real-time
response and detection. DDoS attacks are extremely difficult to defend against because the attacks originate
from hundreds, or thousands of zombie hosts, and the attacks appear as legitimate traffic, as shown in the
figure. For many companies and organizations, regularly occurring DDoS attacks cripple Internet servers and
network availability. The ability to detect and respond to DDoS attacks in real-time is crucial.
 Protecting Against Malware
How do you provide defense against the constant presence
of zero-day attacks, as well as advanced persistent threats
(APT) that steal data over long periods of time? One
solution is to use an enterprise-level advanced malware
detection solution that offers real-time malware detection.

Network administrators must constantly monitor the network

for signs of malware or behaviors that reveal the presence
of an APT. Cisco has an Advanced Malware Protection
(AMP) Threat Grid that analyzes millions of files and
correlates them against hundreds of millions of other
analyzed malware artifacts. This provides a global view of
malware attacks, campaigns, and their distribution. AMP is
client/server software deployed on host endpoints, as a
standalone server, or on other network security devices
 Security Best Practices
 Perform Risk Assessment – Knowing the value of what you are protecting will help in justifying security expenditures.
 Create a Security Policy – Create a policy that clearly outlines company rules, job duties, and expectations.
 Physical Security Measures – Restrict access to networking closets, server locations, as well as fire suppression.
 Human Resource Security Measures – Employees should be properly researched with background checks.
 Perform and Test Backups – Perform regular backups and test data recovery from backups.
 Maintain Security Patches and Updates – Regularly update server, client, and network device operating systems and
programs.
 Employ Access Controls – Configure user roles and privilege levels as well as strong user authentication.
 Regularly Test Incident Response – Employ an incident response team and test emergency response scenarios.
 Implement a Network Monitoring, Analytics and Management Tool - Choose a security monitoring solution that
integrates with other technologies.
 Implement Network Security Devices – Use next generation routers, firewalls, and other security appliances.
 Implement a Comprehensive Endpoint Security Solution – Use enterprise level antimalware and antivirus software.
 Educate Users – Educate users and employees in secure procedures.
 Encrypt data – Encrypt all sensitive company data including email.
 Botnet

A botnet is a group of bots, connected through the Internet,

with the ability to be controlled by a malicious individual or
group. A bot computer is typically infected by visiting a
website, opening an email attachment, or opening an
infected media file.

A botnet can have tens of thousands, or even hundreds of

thousands of bots. These bots can be activated to distribute
malware, launch DDoS attacks, distribute spam email, or
execute brute force password attacks. Botnets are typically
controlled through a command and control server.

Cyber criminals will often rent out Botnets, for a fee, to third
parties for nefarious purposes.
 The Kill Chain in Cyberdefense
The attacker performs
The attacker gathers The attacker sends the  Malware and backdoors malicious actions like
information about the exploit and malicious are installed on the information theft, or executes
target. payload to the target by target. additional attacks on other
email or other method. devices from within the
network by working through
the Kill Chain stages again.

Command
 Reconnaissance  Weaponization  Delivery  Exploitation  Installation and Control  Action

The attacker creates an The exploit is  Remote control of the

exploit and malicious executed. target is gained through a
payload to send to the command and control
target. channel or server.
 Behavior-Based Security

Behavior-based security is a form of threat detection that does not rely on known malicious signatures, but
instead uses informational context to detect anomalies in the network. Behavior-based detection involves
capturing and analyzing the flow of communication between a user on the local network and a local, or
remote destination. These communications, when captured and analyzed, reveal context and patterns of
behavior which can be used to detect anomalies. Behavior-based detection can discover the presence of
an attack by a change from normal behavior.

 Honeypots - A Honeypot is a behavior-based detection tool that first lures the attacker in by appealing
to the attacker’s predicted pattern of malicious behavior, and then, when inside the honeypot, the
network administrator can capture, log, and analyze the attacker’s behavior. This allows an
administrator to gain more knowledge and build a better defense.

 Cisco’s Cyber Threat Defense Solution Architecture - This is a security architecture that uses
behavior-based detection and indicators, to provide greater visibility, context, and control. The goal is to
know who, what, where, when, and how an attack is taking place. This security architecture uses many
security technologies to achieve this goal.
 NetFlow

NetFlow technology is used to gather information about data flowing through a

network. NetFlow information can be likened to a phone bill for your network
traffic. It shows you who and what devices are in your network, as well as when
and how users and devices accessed your network. NetFlow is an important
component in behavior-based detection and analysis. Switches, routers, and
firewalls equipped with NetFlow can report information about data entering,
leaving, and travelling through the network. Information is sent to NetFlow
Collectors that collect, store, and analyze NetFlow records.

NetFlow is able to collect information on usage through many different

characteristics of how data is moved through the network, as shown in the figure.
By collecting information about network data flows, NetFlow is able to establish
baseline behaviors on more than 90 different attributes.
 CSIRT
Many large organizations have a Computer Security
Incident Response Team (CSIRT) to receive, review, and
respond to computer security incident reports. The
primary mission of CSIRT is to help ensure company,
system, and data preservation by performing
comprehensive investigations into computer security
incidents. To prevent security incidents, Cisco CSIRT
provides proactive threat assessment, mitigation
planning, incident trend analysis, and security
architecture review.

There are national and public CSIRT organizations like

the CERT Division of the Software Engineering Institute
at Carnegie Mellon University, that are available to help
organizations, and national CSIRTs, develop, operate,
and improve their incident management capabilities.
 Security Playbook

NetFlow technology is used to gather information about data flowing through a

network. NetFlow information can be likened to a phone bill for your network
traffic. It shows you who and what devices are in your network, as well as when
and how users and devices accessed your network. NetFlow is an important
component in behavior-based detection and analysis. Switches, routers, and
firewalls equipped with NetFlow can report information about data entering,
leaving, and travelling through the network. Information is sent to NetFlow
Collectors that collect, store, and analyze NetFlow records.

NetFlow is able to collect information on usage through many different

characteristics of how data is moved through the network, as shown in the figure.
By collecting information about network data flows, NetFlow is able to establish
baseline behaviors on more than 90 different attributes.
 Security Playbook

Technology is constantly changing. That means cyberattacks are evolving too. New vulnerabilities and attack
methods are discovered continuously. Security is becoming a significant business concern because of the
resulting reputation and financial impact from security breaches. Attacks are targeting critical networks and
sensitive data. Organizations should have plans to prepare for, deal with, and recover from a breach.

One of the best way to prepare for a security breach is to prevent one. There should be guidance on identifying
the cybersecurity risk to systems, assets, data, and capabilities, protecting the system by the implementation of
safeguards and personnel training, and detecting cybersecurity event as soon as possible. When a security
breach is detected, appropriate actions should be taken to minimize its impact and damage. The response plan
should be flexible with multiple action options during the breach. After the breach is contained and the
compromised systems and services are restored, security measures and processes should be updated to include
the lessons learned during the breach.

All this information should be compiled into a security playbook. A security playbook is a collection of repeatable
queries (reports) against security event data sources that lead to incident detection and response. Ideally the
security playbook must accomplish the following actions:
 Security Playbook

Detect Describe and Describe and Provide Correlate

Detect Detect
malware understand understand usable and events
suspicious irregular
infected inbound and inbound and quick access across all
network authenticatio
.machines outbound outbound to statistics relevant data
.activity .n attempts
.traffic .traffic .and metrics .sources
Tools for Incident Prevention and Detection

SIEM – A Security DLP – Data Loss Cisco ISE and

Information and Prevention Software TrustSec – Cisco
Event Management (DLP) is a software Identity Services
(SIEM) system is or hardware system Engine (Cisco ISE)
software that collects designed to stop and Cisco TrustSec
and analyzes sensitive data from enforce access to
security alerts, logs being stolen from or network resources by
and other real time .escaping a network creating role-based
and historical data access control
from security devices policies that segment
 on the network access to the network
(guests, mobile users,
employees) without
.added complexity
 IDS and IPS
An Intrusion Detection System (IDS), is either a dedicated network device, or one of
several tools in a server or firewall that scans data against a database of rules or
attack signatures, looking for malicious traffic. If a match is detected, the IDS will log
the detection, and create an alert for a network administrator. The Intrusion Detection
System does not take action when a match is detected so it does not prevent attacks
from happening. The job of the IDS is merely to detect, log and report.

The scanning performed by the IDS slows down the network (known as latency). To
prevent against network delay, an IDS is usually placed offline, separate from regular
network traffic. Data is copied or mirrored by a switch and then forwarded to the IDS
for offline detection. There are also IDS tools that can be installed on top of a host
computer operating system, like Linux or Windows.

An Intrusion Prevention System (IPS) has the ability to block or deny traffic based on
a positive rule or signature match. One of the most well-known IPS/IDS systems is
Snort. The commercial version of Snort is Cisco’s Sourcefire. Sourcefire has the
ability to perform real-time traffic and port analysis, logging, content searching and
matching, and can detect probes, attacks, and port scans. It also integrates with
other third party tools for reporting, performance and log analysis.