< All Chief Information Security Officer (CISO) Notes

richardb8006 | Chief Information Security Officer (CISO) | Module 6 - Information Security Technology

By: richardb8006 | Related Course: Chief Information Security Officer (CISO) | Published: February 7, 2018 | Modified: February 10, 2018
Join Cybrary

NotepadModule 6 - Data in transit

In this lesson we will look at data in transit; data moving from one location to another.

Traditionally protocols haven’t been designed with security integrated.  Using IPv4 as an example; what is built in to secure IPv4?  The answer is nothing.  There is no built-in element of security wit IPv4.

Consequently, we’re using a protocol for the movement of data across the internet that has no built-in security.  Conversely, IPv6 has been designed with security it is integrated with IPSEC (IP Security), a protocol that is part of the IPv6 protocol.  IPv6 was designed to be secure.

Important points:

  • Most protocols and software are inherently insecure
  • We need a new philosophy and support from upper management

IPv4 versus Iv6:

  • IPv4 was not designed to be secure
  • IPV6 was designed fully integrated with IPSEC

Unfortunately, there doesn’t appear to be any rush to move over to IPv6.  Most organizations are firmly rooted in IPv4 (an inherently insecure protocol).  What this means is that we’re going to have to find means to make IPv4 more secure.  Fortunately, we can take IPSEC and make it backward compatible for IPv4.

NotepadModule 6 - NAT and Configuration management

In this lesson, you will cover NAT (network address translation) and its subset: PAT (port address translation).  The idea is that your local area network is hidden behind a firewall or some other screening device, and then is connected out to the internet (which poses quite a threat to our internal environment).  We need to make sure we have multiple layers of defense in protecting our internal network from the external network.

Originally NAT was a one-to-one mapping; for every internal host that you had, you would have an external IP address.

Important facts about NAT/PAT:

  • It is a proxy that works without special software and is transparent to the end users
  • It will remap IP addresses, allowing you to use private addresses internally and map them to public IP addresses
  • NAT allows multiple private addresses to share one public address

The problem with NAT by itself is; for every internal host, you will need the same number of external interfaces.

Nat has a subset: PAT, which allows you to have one public interface and numerous internal hosts.  Ultimately what NAT does is; it intercepts traffic, strips the source address from the traffic and replaces it with its own external IP address as the source.

The lesson will close with a discussion on configuration management.

  • It’s defined by ISC2 as “a process of identifying and documenting hardware components, software, and the associated settings.”
  • The goal is to move beyond the original design to a hardened, operationally sound configuration
  • Identifying, controlling, accounting for and auditing changes made to the baseline TCB
  • Will control changes and test documentation through the operational life cycle of a system
  • Implemented hand in hand with change control
  • Essential to disaster recovery

NotepadModule 6 - Single Sign On SSO

In this lesson course, participants will become familiar with the concept of a secure single sign-on (SSO).

In the early days of information technology, someone may have to sign on to multiple systems individually using distinct credentials, creating time inefficiency and the potential for information insecurity through the use of simple passwords, or by writing passwords down.

A domain structure is based on the concept of single sign-on (SSO).  In SSO; the user provides credentials in return for a token, which will contain a list of the groups you have membership in.  When you access a device your token (your group memberships) are compared against the access control list on that device; if you are on the list, then you’ll be granted access to the device.

SSO pros:

  • Ease of use for end users
  • Centralized control
  • Ease of administration

SSO cons

  • Single point of failure
  • Standards necessary
  • Keys to the kingdom (if someone gets access to a password then they have access many resources)

Technology is moving toward the concept of a super sign on: we log in to one authentication server and we get an authentication token that is capable of traversing trusts throughout many different domains/organizations.

NotepadModule 6 - Technology intro

In this lesson, instructor Kelly Handerhan will introduce you module 6; covering the actual information security technology itself.

Main points covered will include:

  • The CISO does not need to be a technical expert in order to perform the CISO role competently
  • The CISO does need the ability to intelligently understand and discuss current technologies
  • Being technically savvy increases both the competency, and the perceived competency of the CISO
  • A technical skillset  helps the CISO bridge the gap between the technicians and executive management

You will also receive an overview of secure network design concepts:

  • Separation of trust
  • Firewalls
  • NAT
  • Single Sign On
  • Configuration management

NotepadModule 6 - Trusted vs untrusted

This lesson will cover the security principle: separation of trust using the Clark-Wilson Security Model: “keep users out of your stuff, or they’ll break it.”  She will detail examples of various interfaces used to do that.

Instructor Kelly Handerhan will also detail the different ways technology is used to keep untrusted networks separate from trusted networks.

  • Firewalls: allow/block traffic based on rules called ACLs (access control lists).
  • Static Packet Filters: base decisions on source/destination IP address and port.
  • Stateful Inspection: Knowledge of who initiated the session. It can block unsolicited replies.
  • Protocol Anomaly firewalls: can block traffic based on syntax being different than the RFC would specify.
  • Application Proxies/Kernel Proxies: make decisions on content, active directory integration, certificates, and time.

Separation of trust

There are several security models and one of the most used is the Clark Wilson security model. The Clark Wilson principle is that trusted is protected from untrusted. Or; keep users out of your stuff or they will break it.

  • Clark wilson security model (keep users out of your stuff or they will break it)
  • Areas of trust

Firewalls: allow/block traffic based on rules called ACL’s (Access Control Lists)

  • Static Packet Filters: Base decisions on source/destination IP address and port
  • Stateful inspection. Knowledge of who initiated the session. Can block unsolicited replies.
  • Protocol anomaly firewalls: can block traffic based on syntax being different than the RFC would specify
  • Application proxies/kernel proxies: Make decisions on content, active directory integration, certificates, time


NotepadModule 6 - VLAN's

Instructor Kelly Handerhan continues the discussion about ways to separate trusted and untrusted networks, focusing on the advantages of using VLANs versus routers.

A VLAN: is the concept of creating multiple broadcast domains (subnets) on a single switch.

Important points to remember:

  • A VLAN is much cheaper than a router
  • A VLAN is much easier to configure than a router
  • A VLAN will provide the same isolation as a router
  • VLANs are often implemented on a layer 3 switch

< All Chief Information Security Officer (CISO) Notes
Join Cybrary

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge



Is Linux Worth Learning in 2020?
Views: 568 / December 14, 2019
How do I Get MTA Certified?
Views: 1140 / December 12, 2019
How much does your PAM software really cost?
Views: 1584 / December 10, 2019
How Do I Get into Android Development?
Views: 1967 / December 8, 2019

We recommend always using caution when following any link

Are you sure you want to continue?