Week 1
======

12/8 - 12/15

What I am learning.

Topics

Network Security Fundamentals & Concepts
----------------------------------------

- Author: Piotr Kaluzny
- Site: INE
- Length: 3h 21m

Security Principles
-------------------

Terms
~~~~~

Principle of Least Privilege
    Very granular access control. The user/device is only allowed to perform its specific task or function and nothing more. 😊

Defense in Depth
    There are multiple systems in place to protect the data/network, e.g. a firewall at the perimeter and ISE at the access layer.

Separation of Duties
    More than one person is required to complete an operation. Example: creating an admin account requires two users to complete.

Asset
    Anything of value to an organization.

Threat
    A person/place/action/environment that can impact or cause harm to an asset.

Vulnerability
    A weakness on a system.

Risk
    A potential impact/compromise to an asset.

Countermeasure
    A method of reducing risk.

Risk MGMT
    Used to identify, assess, prioritize, and monitor risks.

IDS/IPS Fundamentals
--------------------

How an IDS/IPS determines whether an attack is taking place.

Signature
    Set of rules/conditions that describe an attack. Signatures must be up-to-date to be effective.

Anomaly Detection
    Initially learns patterns of normal network activity. When the network activity changes it will alert/drop. Uses a baseline profile to compare network activity against.

Policy-Based
    Traffic detected outside the configured policy will trigger an alarm. Configuring the policy may be cumbersome and require a lot of fine tuning.

Reputation-Based
    Traffic is evaluated based on a third party such as Talos to determine malicious IPs, URLs, and domain names.

Sensor Actions
~~~~~~~~~~~~~~

Depends on whether the sensor is an IPS or an IDS[^Further_Details].

Alert/Alarm
    Generate a log entry.

Drop
    Kill the malicious packet.

Block
    Block the session: either all traffic from the attacker, or the traffic seen between the client and the attacker.

Reset
    Disconnect a TCP session.

Shun
    Ask another device to block the malicious traffic, for instance with an ACL.
Sensor Decision Classification
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*True*
    The event was classified correctly.

*False*
    The event was incorrectly classified and requires signature/policy tuning.

*Positive*
    The signature/policy alerted on the event.

*Negative*
    The signature/policy did not alert on the event.

Examples:

- True Positive: Event was seen & alerted on correctly. **GOOD** - This is the ideal outcome. The system is working as intended, and a genuine threat is identified and handled.
- True Negative: Normal traffic did not trigger a signature. **GOOD** - This is the desired baseline state. The system correctly ignores benign activity, contributing to a smooth workflow and network performance.
- False Positive: Signature alerted on **NORMAL** traffic. **WRONG** - This is a nuisance outcome. While not a security breach, frequent false alarms lead to "alert fatigue", where security analysts become desensitized and may ignore critical alerts amidst the noise, wasting valuable time and resources. This often happens due to overly broad or poorly tuned rules.
- False Negative: Attack went undetected. **WRONG** - This is the most dangerous outcome. A true intrusion is missed, and the security team is unaware of the breach. This can occur with zero-day exploits or new attack variants that don't have a known signature.
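As an added example (not from the course or these notes), a toy Python IDS that applies a signature rule and a baseline anomaly check to constructed connection records, then scores each decision as TP/TN/FP/FN. The signatures, the baseline value and the sample records are all constructed for the example.

```python
# Toy IDS (added example): a signature rule plus a baseline anomaly check run over
# constructed connection records; each decision is then scored as TP/TN/FP/FN.
from collections import Counter
from dataclasses import dataclass

@dataclass
class Conn:
    src: str
    payload: str
    bytes_out: int
    malicious: bool  # ground truth, known only because this sample is constructed

SIGNATURES = {"sqli-union": "UNION SELECT", "path-traversal": "../../"}  # constructed
BASELINE_BYTES_OUT = 2_000  # assumed "learned" normal outbound bytes per connection

def signature_match(c: Conn) -> list[str]:
    return [n for n, pat in SIGNATURES.items() if pat.lower() in c.payload.lower()]

def anomaly(c: Conn, factor: int = 10) -> bool:
    # Deviation from the baseline profile: far more outbound data than normal.
    return c.bytes_out > BASELINE_BYTES_OUT * factor

def detect(c: Conn) -> bool:
    return bool(signature_match(c)) or anomaly(c)

def classify(alerted: bool, malicious: bool) -> str:
    if alerted:
        return "TP" if malicious else "FP"
    return "FN" if malicious else "TN"

def evaluate(conns: list[Conn]) -> tuple[list[str], Counter]:
    outcomes = [classify(detect(c), c.malicious) for c in conns]
    return outcomes, Counter(outcomes)

def false_positive_rate(counts: Counter) -> float:
    # Share of benign connections that alerted; a high value means alert fatigue.
    benign = counts["FP"] + counts["TN"]
    return counts["FP"] / benign if benign else 0.0

SAMPLE = [  # constructed records
    Conn("10.0.0.5", "GET /?id=1 UNION SELECT user,pass FROM users", 512, True),
    Conn("10.0.0.6", "GET /index.html", 300, False),
    Conn("10.0.0.7", "tls-app-data", 45_000, True),  # no signature, anomaly only
    Conn("10.0.0.8", "POST /forum body=Explaining UNION SELECT in SQL", 800, False),
    Conn("10.0.0.9", "ssh-handshake", 900, True),  # nothing fires: the dangerous miss
]

if __name__ == "__main__":
    outcomes, counts = evaluate(SAMPLE)
    print(outcomes, dict(counts), f"FPR={false_positive_rate(counts):.2f}")
```

The fourth record shows why the false positive above is a tuning problem: a benign forum post matches a signature written too broadly, while the fifth record is the false negative the notes call most dangerous, since neither detection method has anything to match.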