CompTIA CYSA+ CS0-002 – Network Architecture and Segmentation Part 1

1. Asset and Change Management (OBJ 2.1)

Asset and change management. In this lesson, we’re going to focus on asset and change management and why this is important to the security of your networks. Now, if you’re like most people, you might go, Jason, why does asset and change management affect the security of our networks? After all, that’s something that those service management folks do. I’m an information security. I’m a cybersecurity person. I don’t have to worry about that. Well, it is really important, important for us to know what is on our network. Because if we don’t know what’s on our network, how are we going to defend it? And that’s why asset and change management is so important to us and that’s why it’s in the objectives for the exam. So we’re going to briefly talk about these two topics. We’re going to talk about asset tagging and we’re going to talk about change management.

When I talk about asset tags, what are those? Well, if you’ve ever worked in a large corporate network, you’ve probably seen an asset tag. This is the practice of assigning an ID to an asset and then associating that ID with those entries inside an inventory database. This way I can know how many computers I have, how many monitors I have, how many desktops I have, how many servers I have, and they’re all tracked in a database. So if you go up to your computer at work and you look on there, there might be a barcode and it just says Asset ID. Now this can be something that can be a barcode that can be scanned, or it can be something like a radio frequency ID tag that’s attached to the device. Either way, it’s acceptable. It just depends on how your organization wants to do it.

Either of these methods will work and it just gives you a way to inventory those assets. Because if I have a computer and I downloaded a bunch of information to it and now that computer is missing, that’s an issue and that’s really an inventory issue. But it could have cybersecurity effects to us because somebody can now access that data or use that lost laptop to connect to our network. And so we want to make sure we’re tracking all of our things. Now when we have these asset tags, they’re going to correlate with the asset records for that particular thing. So if I have a laptop, it might contain things like vendor documentation, configuration information, and warranty information for that asset. And that’s why these things are so important and so helpful to us.

Now, we want to take it a step further though, because just knowing what is out there and owned by the organization isn’t enough. We also want to make sure we control that information and we control what those assets look like and how they’re configured. And that’s when we get into change management. Now, change management is the process through which changes to the configuration of information systems are monitored and controlled as part of your organization’s overall configuration management efforts. Now this is important because as you have a device and you have a new laptop and you’ve scanned it in and you’ve tagged it and you’ve put it on the network, you now know what that state is, that is the initial state of it.

But over time we’re going to change the status of that device because we’re going to install new software, we’re going to change configurations, we’re going to install patches and things like that. And all of that needs to be documented. Each individual component should have a separate document or a database record that describes its initial state and all of those subsequent changes. This way we know exactly what any asset on the network looks like and how it’s properly configured. Now as you start looking at this information and change management, what are we going to really focus on? Well we’re going to focus on a lot of different pieces of information including the configuration information, the patches that are installed, the backup records for that asset and any incident reports or issues that may have been reported.

Because again that could all be information that we can use as part of our investigation and to know the state of that particular asset. Change management is going to ensure that all of the changes that we do are planned and controlled. We do this because it helps us minimize risk of causing a service disruption. So if I know that this particular server has two power supplies in it and one of them has failed three months ago and this server is four years old, what does that tell me? It’s possible that we might need to change and replace that other power supply because it could fail too. And so we can keep track of this stuff as part of our asset management and our change management. In addition to that, anytime we want to do a change we need to schedule that change. And that’s why change management helps us get the approvals we need.

Now if we’re going to deal with the change they have to be categorized in some way and normally they’re going to be categorized according to the potential impact and level of risk they could cause. We have changes that are major changes or significant changes or minor changes or even normal changes. And based on which of these categories it is, it’s going to require a different level of approval. For instance, if it’s a normal change or a minor change you might just do that through a supervisory approval. If you’re going to do something that’s a significant or major change it might need to go higher up in the organization. Now how do you request a change? Well we have this thing called an RFC. An RFC is a request for change.

Now an RFC is essentially just a document and this document is going to list the reason for a change and the procedures to implement that change. So if I want to install Windows 2016 on this old Windows 2012 server, I’m going to list that. We need to do it because 2012 is now end of life and we want to move to something newer. So we’re going to move to a Windows 2016 or even something newer than that. We’ll tell that’s the reason for the change. Then what are the procedures to implement that change? Well, here are the 15 steps that we’re going to take and this is the amount of downtime we’re going to need. And here’s our plan that if something goes wrong, how we’re going to roll back and all of those things will be incorporated into this request for change.

Now again, if it’s a small change that might be a normal or a minor change, those can be approved at very low levels in the organization. But when you get up to a major or a significant change, these are going to require approval from your Change Advisory Board known as the Cab. Now, a Change Advisory Board is essentially a group of leaders in the organization that have the technical and management know how to look at these changes and decide when they’re going to occur based on the schedule and if they should occur based on the risk. Now, the risk isn’t just cybersecurity though. The risk is also business. And so we have to weigh the business impact versus the risk to the systems. And based on that, we’ll determine when and if those changes will get approved.

Now, this is all part of change management and that’s what we’re talking about here because all of these things have to be coordinated. When we have a change, we want to engage with our stakeholders. We want to talk with them and say, why do you need this change? And see if there’s a good reason for it. If they have a good change reason, then we’re going to plan for that change. We’re going to make sure we’re improving that change process over time to make it faster and more resilient. We’re also going to make sure we have the right team on board and we’re going to execute those changes in a methodical way. And as we do that, we’re going to measure all of that. Why? Because we want to make sure we’re meeting the goals that we set out.

If we said this change was going to take five minutes to implement and it took us 5 hours, we need to know that because that’s going to affect our planning for future iterations. And so change management is crucial for us to be able to have good security in our network. Now, anytime you’re going to submit a change like an RFC, you need to accompany that with a rollback or remediation plan. Now what are these? Well, this says that if something goes wrong, can we go back to the way we were and get back to the old good state because we know before we made the change things are working fine. And so if I went and tried to upgrade something or install a patch and it broke something, can I roll back to the pre patch state? I can do that.

That means we can then get there, think about how we’re going to fix this problem and then we can move forward with the change again during the next window. Now that brings another idea up, which is called a maintenance window. Now, many networks have scheduled maintenance windows and they use these for authorized downtime. So most companies will have something that looks like a Saturday night window from midnight to 04:00 A. m. Because most companies are closed on Saturdays, right? And so if you’re closed, you’re not going to affect the business. This if you shut down that network. So they’ll use that as a maintenance window and that’s the time that you’re going to schedule all of the changes that need to be done.

Now, this is great for the business folks, but it kind of stinks for us it folks because a lot of us end up having to work overnight shifts to be as part of these maintenance windows. But again, that’s just part of the job. So when you have these maintenance windows, there might be 4 hours that we know we have that we can have downtime. So part of the CAB’s job is to schedule what changes will happen during that four hour window. And that’s why knowing how long something is going to take is really important as well. Now for the exam, let me give you a couple of quick tips. You need to think through how you might install a patch or other type of change. And this comes down to change management. For example, if there’s a brand new critical vulnerability that just came out today at 11:00 A. m., are you going to cause a disruption to the network if you stop everything and install it right now? Or are you going to stop and analyze the risk to your business and your network and then decide, hey, we should wait for an emergency maintenance window that we might be able to get approved for tonight at 09:00? Or do you say, you know what, forget it, we’ll just wait till Saturday for our regularly scheduled maintenance window. Now, all three of these may be the right answer. It really does depend though, because this is all about risk management. In general, though, if you’re dealing with a critical risk, you’re going to want to get that fixed sooner, but you also don’t want to cause business interruption. So you’re going to have to get approval for something like a special emergency window. Now that’s actually going to be probably the best plan here.

Why? Because that’s going to give you today to plan the change, to get everybody on board, to get the team members together to have a rollback plan in case something goes wrong, and even test that patch in a staging or test environment first. Then when people come in for the emergency maintenance window, we know we have the patch, we know it works, and we know what our rollback plan is. So that is balancing the risk versus reward. Now, for the exam, I always want you to think about measuring risk. Don’t jump to conclusions and immediately patch things just because a critical patch was available from the vendor. You have to weigh the benefits of a more secure network now versus the loss of productivity that you might face if you take down the network to patch it.

And so by balancing that and going, you know what, it’s already 11:00. I can afford to wait until 09:00 at night. And in the meantime, we’re going to set up some additional monitoring and we’re going to make sure we’re protecting the network and see if anybody’s trying to exploit this particular vulnerability. Then at 09:00, when everybody’s gone home, that’s a good time for us to take down the network, run those patches and bring it back up. So these are the kind of things you have to think through. It’s not just clear cut and dry of there’s a critical vulnerability, let’s patch it. That’s not always the right answer. So so keep that in mind for the exam because these are the type of things I see students get tripped up on on the exam and lose points.

2. Network Architecture (OBJ 2.1)

Network architecture. In this lesson we’re going to focus on three main types of network architectures and really these are the three areas that we need to think about. These are physical networks, virtual private networks, and software defined networking. Now, when we talk about physical networks, this refers to the cabling, the switch ports, the router ports and wireless access points that are supplying cabled and wireless network access, access and connectivity to you. This is what you’re going to be thinking about when you think about a network. Traditionally you go and say, I have a network in my house. And so you go over and look at your switch or you look at your wireless access point. That is the physical network.

Now, when you’re dealing with a physical network, one of the things you have to worry about is if somebody can break into your network and then intercept your communications. So we’ve talked before about port monitoring and we’ve talked about the ability to look at all the traffic going across your network and we do that for cyber defense. Well, if an attacker can do that, they can eavesdrop on all your conversations. And so this would be something you want to be able to prevent. How can you prevent that? Well, you need to make sure you have all the physical security controls in place because these physical security controls are important to protecting your physical network architecture.

This includes things like doors and walls and windows and making sure you have monitoring cameras and guards and fences. All of that physical security stuff keeps people out of touching your network and keeps that physical network architecture secure. For example, I have a device called a WiFi pineapple. It’s a very small device and this can actually be a rogue device. If I’m doing a penetration testing your network, I can come into your area, I can plug in my WiFi Pineapple into one of your switch ports and then I now have access across your entire network because I now have taken your physical network and expand it into the wireless domain.

And so if I drive in late at night into the parking lot, I can get that wireless signal and now reach into your network and see all your information. So this is the idea of why you need to make sure you’re looking for these rogue devices. In a physical network it’s a little bit easier to find rogue devices because you can actually look in your closets and go, hey, I don’t remember installing that piece of gear and it’s sitting here. That might be a rogue device, but when you start dealing with virtual things like we’ll talk about later, it gets a little bit more tricky. Now the next area we’re going to talk about is virtual private networks or VPNs. VPNs are secure tunnels that are created between two endpoints connected via an unsecured network.

Normally this is going to be over the Internet, so for example, if I’m sitting in a hotel room and I want to get back to my office’s network, I can connect over a VPN, create a secure tunnel through the Internet, and then I have now extended my corporate network into this hotel room over that WiFi connection. That’s the idea of using a VPN. When you use a VPN, you can use things like IPsec SSH or Secure Shell or Transport Layer Security TLS all three of these are forms of VPN. And I know you already know this because you’ve passed your A plus exam, you’ve passed your network plus exam, and you’ve passed your security plus exam. So the idea of a VPN should not be new to you. Now when you try to connect with a VPN, VPNs are going to use authentication and authorization mechanisms to help control that access.

So this is one of the places that a cyber security analyst can be looking to see how we’re letting other people into our networks. And we can make sure we have tight controls there by using VPNs. So VPNs in general are a really good thing for security. Now what are one of the things that we have to worry about though when we’re dealing with a VPN? Well, as I said, I’ve got my remote computer here and I’m now tunneling over the Internet, which is an unsecured network, into our corporate private network. Now where is the vulnerability here? If you’re thinking it’s the Internet, it’s actually not that big of a vulnerability because we’re using end to end encryption. That’s not really the vulnerable place here.

Really the vulnerability that I worry about as a cybersecurity analyst when I’m dealing with VPNs is that remote computer. Why? Because what we have just done is we’ve extended the physical boundary of our network from our corporate presence across the Internet to some other location. So I might be sitting in a hotel room all the way across the ocean. Now I have access to my corporate network, I’m dialed in through this VPN, I’m connected through this VPN. So I might take my remote computer and I go on a trip. I’m sitting in my hotel, I connect over the VPN through the Internet back to the home network. Everything is secure end to end encryption.

What’s the vulnerability? Well, I’m sitting in a hotel room, and if I take that information from your corporate network and I’m reading it and I’m in an unsecured place like a hotel room, there’s a chance that somebody else could see what I’m doing. What if I’m sitting at an Internet cafe and they’re reading over my shoulder and they start seeing sensitive corporate documents? As far as your corporate network is concerned, my laptop is part of that corporate network, so I’m authorized to see that information. But the other eyeballs in the room that might be looking over my shoulder are not. And so this is one of those areas where VPNs are a great thing.

They give us a lot of remote capability. For instance, right now we’re going through the worldwide pandemic for COVID-19 and a lot of people are working from home and so they’re relying on these virtual private networks. But we just took that secure physical network and moved it into people’s houses where they can print off documents and their kids and their spouses can see it and their friends can see it. And so this is an area that you have to be concerned with and have the right precautions in place and the right policies in place. The next thing we’re going to talk about is software defined networking or SDNs. This is APIs and compatible hardware that allows for programmable network appliances and systems.

Essentially, we can take our physical networks and we can virtualize them. That’s how I like to think about software defined networking. Now when we deal with softwaredefined networking we can create really complex networks and these get really complex really quick because they have really expanded sizes, scope and the ability to rapidly change. One of the great things about software defined networks is that they can be changed automatically by the network itself using automation technologies. But that means we have rapid change and it’s hard for us as humans to keep up with it. Now, when we’re dealing with SDNs, there are three planes that we have to consider. There is the control plane, the data plane and the management plane.

And again, this is a review from Security Plus. Now when you’re dealing with the control plane, this makes decisions about how traffic should be prioritized and secured and where it should be switched to. So if you think about a router, a switch or a QoS device, these all operate at that control plane. Now when you start dealing with the data plane, this handles the actual switching and routing of the traffic and the imposition of access control lists or ACLs for security. So our control plane is making all the decisions of how the data should be moved, but it’s the data plane that’s actually moving that data around. And so these two things do work together and then we have the management plane.

Now the management plane is going to monitor traffic conditions and network status. It’s basically our oversight. It allows us to make the configuration changes to set up the things the way we want and make sure things work the way they need to. Now Sdn applications are used to define policy decisions on the control plane. So as you set up your software defined networks, you’re going to use the management plane to help define all those policy decisions that are going to go onto the control plane. And so these three things do work together and all three need to be working properly for this to work. Now, for the exam, you don’t need to know these three planes in depth at all. In fact, I would be very surprised if you saw any questions on these three planes because this is a review from Security Plus, but I wanted to bring it back up because it may have been a while since you’ve taken Security Plus and you may have forgotten about this stuff. Now, one of the great things about SDNs is they allow for fully automated deployments. This can allow provisioning of your network links, the appliances and even servers. So if you have a system and you need more capability, the system can detect that and actually spin up additional resources. That is the great thing about SDNs. Now, because of this capability, SDNs are critical when you’re dealing with high velocity or high availability architectures, or if you’re doing a lot of things in the disaster recovery space.

Now, because everything is software, it can also be easier for you to collect security data across the entire network because everything is software. It’s all just ones and zeros. So it’s easier for you to actually be able to detect the different traffic patterns and if they deviate from normal baselines, all of that is important for you to use as part of your SDNs. Now, for the exam, I want you to remember a couple of things here. Your physical networks, they need protection too. This can be done through physical boundaries and controls like locks, doors, walls, guards and fences. If you use a VPN, you’re able to create a physical extension from your network outside of your normal protected boundaries.

So keep that in mind. You have all the logical protections there, but you don’t have the physical protections anymore. So this is something you have to think about when you’re issuing out VPN access. Now, as for SDNs, it’s going to allow you to have this automatic deployment and disaster recovery. And this is great. And it gives you a lot of capability for you to gather security data because everything is just software code. But it can be a lot harder for your technicians and administrators to understand all of this. And it’s easier for virtual rogue devices to be placed inside the network without anybody noticing because they’re just a piece of code. And it’s harder to find that piece of code than it would be to physically look in your closet and see that extra piece of gear.

• Category: Uncategorized