M05 - Managing Network Security

Hardware and Network Servicing
Level-IV
Based on November 2023, Curriculum Version - II
Module Title: - Manag Network Security

Module code: EIS HNS4 M05 1123
Nominal duration: 45 Hours
Prepared by:- Ministry of Labor and Skill
November, 2023
Ababa, Ethiopia
Contents
Acknowledgment .............................................................................................................................. iii
Acronym ........................................................................................................................................... iv
Unit One : Define a Process for Designing Security ......................................................................... 1
1.1. Network Security Design Process .......................................................................................... 2
Self – Check 1.................................................................................................................................... 7
Unit Two: Threats to network security .............................................................................................. 8
2.2. Attacks of network security .................................................................................................... 9
2.2. Network vulnerabilities .........................................................................................................11
2.3. Threat model ......................................................................................................................... 13
Self - Check 2 .................................................................................................................................. 16
Unit Three: Analyze security risks .................................................................................................. 17
3.1. Elements of risk management ........................................................................................... 18
3.2. Assets that require protection ........................................................................................... 21
3.3. Creating a risk management plan ..................................................................................... 24
Self – Check 3.................................................................................................................................. 26
Unit Four: Create a security design ................................................................................................. 27
4.1. Attacker scenarios and threats .............................................................................................. 28
4.2. Designing security measures ................................................................................................ 30
4.3. Obtaining feedback on the designed security measures ....................................................... 33
4.4. Developing security policies ................................................................................................ 34
Self – Check 4.................................................................................................................................. 37
Unit Five: Design and implement responses to security incidents ................................................. 38
5.1. Auditing and incident response procedure............................................................................ 39
5.2. Document security incidents ................................................................................................ 41
5.3. Implement configurations for incident ................................................................................. 43
5.4. Test and Sign Off incident resolution process ...................................................................... 46
Self – Check 5.................................................................................................................................. 49
Reference ......................................................................................................................................... 50
Developers Profile ........................................................................................................................... 51
Page ii of 57 Author/Copyright: Managing Network Security Level- III Version 1

Ministry of Labor and Skills November, 2023
Acknowledgment
Ministry of Labor and Skills wish to extend thanks and appreciation to the many representatives
of TVET instructors and respective industry experts who donated their time and expertise to the
development of this Teaching, Training and Learning Materials (TTLM)
Page iii of 57 Author/Copyright: Managing Network Security Level- III Version 1

Acronym
RBAC - Role-Based Access Control
IDPS - Intrusion Detection and Prevention System
VPN - Virtual Private Network
SIEM - Security Information and Event Management
SMS - Short Message Service
DD - Distributed Denial of Service
SSL - Secure Sockets Layer
SQL - Structured Query Language
XSS - Cross-Site Scripting
DOM - Document Object Model
DNS - Domain Name System
MFA - Multi-Factor Authentication
HTTPS - Hypertext Transfer Protocol Secure
HTTP - Hypertext Transfer Protocol
TLS - Transport Layer Security
WPA - Wi-Fi Protected Access
GDPR - General Data Protection Regulation
HIPAA - Health Insurance Portability and Accountability Act
PCI DSS - Payment Card Industry Data Security Standard
IP - Internet Protocol
DHCP - Dynamic Host Configuration Protocol
LAN - Local Area Network
WAN - Wide Area Network
API - Application Programming Interface
CSRF - Cross-Site Request Forgery
KPI - Key Performance Indicator
EDR - Endpoint Detection and Response
IAM - Identity and Access Management
Page iv of 57 Author/Copyright: Managing Network Security Level- III Version 1
Introduction to the Module
A network is composed of interconnected devices, such as computers, servers and wireless
networks. Many of these devices are susceptible to potential attackers. Network security involves
the use of a variety of software and hardware tools on a network or as software as a service. Security
becomes more important as networks grow more complex and enterprises rely more on their
networks and data to conduct business.
Network security encompasses all the steps taken to protect the integrity of a computer network
and the data within it. Network security is important because it keeps sensitive data safe from
cyber-attacks and ensures the network is usable and trustworthy. Successful network security
strategies employ multiple security solutions to protect users and organizations from malware and
cyber-attacks, like distributed denial of service.
This module is designed to meet the industry requirement under the Hardware and Networking
service occupational standard, particularly for the unit of competency: Manage Network Security
This module covers the units:
• Process for designing security
• Threats to network security
• Analysis of security risks
• Create a security design
• Security incidents and Responses to security incidents
Learning Objective of the Module
• Define a process for designing security
• Identify threats to network security
• Analyze security risks
• Create a security design
• Design and implement responses to security incidents
Page v of 57 Author/Copyright: Managing Network Security Level- III Version 1

Module Instruction
For effective use of this module trainees are expected to follow the following module instruction:
1. Read the information written in each unit
2. Accomplish the Self-checks at the end of each unit
3. Perform Operation Sheets which were provided at the end of units
4. Do the “LAP test” given at the end of each unit and
5. Read the identified reference book for Examples and exercise
Page vi of 57 Author/Copyright: Managing Network Security Level- III Version 1

Unit One : Define a Process for Designing Security
This unit is developed to provide you the necessary information regarding the following content
coverage and topics:
• Basic Concept of Network security design
• Network security design phases
This unit will also assist you to attain the learning outcomes stated in the cover page. Specifically,
upon completion of this learning guide, you will be able to:
• Design Network security
• Explain Network security design phases
Page 1 of 57 Author/Copyright: Managing Network Security Level- III Version 1

1.1. Network Security Design Process
1.1. Introduction to network security design
Network security design is a strategic approach to creating a secure and resilient network
infrastructure. It involves planning, implementing, and managing various security measures to
protect data, systems, and communication within a network. Here's an introduction to key
considerations in network security design:
1. Risk Assessment:
• Identify and evaluate potential risks and threats to the network. This includes
understanding the value of assets, potential vulnerabilities, and the likelihood of various
security incidents.
2. Security Goals and Objectives:
• Define clear security goals and objectives aligned with the organization's overall business
objectives. These may include confidentiality, integrity, availability, and compliance with
industry regulations.
3. Defense-in-Depth Strategy:
• Implement multiple layers of security controls to create a defense-in-depth strategy. This
approach involves using a combination of technologies, policies, and procedures to
mitigate risks at various levels.
4. Segmentation:
• Divide the network into segments to contain and isolate potential security incidents.
Segmentation helps prevent lateral movement of attackers within the network and limits
the impact of security breaches.
5. Access Controls:
• Enforce strong access controls by implementing authentication and authorization
mechanisms. This includes user access policies, role-based access control (RBAC), and
least privilege principles.
6. Data Encryption:
• Use encryption protocols to protect sensitive data during transmission and storage. This is
crucial, especially for data traversing public networks or stored in the cloud.
7. Firewall Configuration:
• Deploy firewalls strategically to control and monitor incoming and outgoing network
traffic. Consider both hardware and software firewalls to provide a comprehensive defense
against unauthorized access.
8. Intrusion Detection and Prevention Systems (IDPS):
• Integrate IDPS to detect and respond to potential security incidents in real-time. These
systems can analyze network traffic, identify anomalies, and take proactive measures to
prevent or mitigate threats.
9. Virtual Private Networks (VPNs):

• Implement VPNs to secure remote access and communication over untrusted networks.
This is essential for protecting data as it travels between remote locations and the main
network.
10. Security Auditing and Monitoring:
• Establish continuous monitoring and auditing processes to detect and respond to security
events promptly. This includes the analysis of logs, alerts, and other indicators of
compromise.
11. Incident Response Plan:
• Develop a well-defined incident response plan that outlines the steps to be taken in the
event of a security incident. This includes roles and responsibilities, communication plans,
and strategies for recovery.
12. Vendor and Third-Party Security:
• Evaluate and ensure the security practices of third-party vendors and partners. This is
crucial to prevent security weaknesses introduced through external connections.
13. User Education and Awareness:

• Educate users about security best practices and potential threats. A well-informed user base
can serve as an additional layer of defense against social engineering and other user-centric
attacks.
14. Regular Security Assessments:
• Conduct regular security assessments, including penetration testing and vulnerability
scanning, to identify and address potential weaknesses in the network.
15. Scalability and Flexibility:
• Design the network security infrastructure to be scalable and adaptable to evolving threats
and business requirements.
Network security design is an ongoing process that requires regular review and adaptation to
address emerging threats and changes in the organizational landscape. By adopting a
comprehensive and proactive approach, organizations can create a robust network security
framework to safeguard their digital assets.

1.2. Network Security Phases
Network security design typically involves several phases, each contributing to the development of
a robust and effective security infrastructure. These phases help organizations systematically plan,
implement, and manage their network security. Here are the key phases in network security design:
1. Requirements Analysis:
• Objective: Understand the organization's business objectives, regulatory
requirements, and the value of assets requiring protection.
• Activities:
• Conduct a risk assessment to identify potential threats and vulnerabilities.
• Define security goals and objectives.
• Gather requirements from stakeholders, including users, IT, and
management.
2. Design Planning:
• Objective: Develop a comprehensive plan for the network security design.
• Activities:
• Define the scope of the network.
• Establish the security architecture, including defense-in-depth strategies.
• Plan for network segmentation and access controls.
• Consider scalability and flexibility in the design.
3. Topology Design:
• Objective: Define the physical and logical layout of the network.
• Activities:
• Design the network topology to align with security goals.
• Identify critical assets and their placement within the network.
• Implement segmentation to isolate different network segments.
4. Security Control Selection:
• Objective: Identify and select appropriate security controls and technologies.
• Activities:

• Choose firewalls, intrusion detection and prevention systems, VPN solutions,
and other security appliances.
• Determine the use of encryption for data in transit and at rest.
• Select access control mechanisms and authentication methods.
5. Policy and Procedure Development:
• Objective: Establish security policies and procedures to guide implementation and
ongoing management.
• Activities:
• Develop user access policies.
• Create incident response plans.
• Define security policies related to data protection, usage, and acceptable use.
6. Implementation:
• Objective: Deploy the designed security controls and configurations.
• Activities:
• Install and configure firewalls, intrusion detection systems, VPNs, and other
security appliances.
• Implement access controls and encryption.
• Conduct thorough testing to ensure proper functionality.
7. Testing and Validation:
• Objective: Verify the effectiveness of the implemented security measures.
• Activities:
• Perform penetration testing to identify vulnerabilities.
• Conduct security audits and assessments.
• Validate that security controls align with the established policies.
8. Training and Awareness:
• Objective: Educate users and IT staff about security best practices.
• Activities:
• Provide training on security policies and procedures.

• Raise awareness about common security threats and social engineering
tactics.
• Ensure users understand their role in maintaining network security.
9. Monitoring and Management:
• Objective: Establish ongoing monitoring and management processes.
• Activities:
• Set up continuous monitoring of network activities.
• Implement security information and event management (SIEM) solutions.
• Develop incident response and management procedures.
10. Documentation and Reporting:
• Objective: Maintain detailed documentation and generate reports for stakeholders.
• Activities:
• Document the network security design, configurations, and policies.
• Generate regular reports on security metrics, incidents, and compliance.
11. Continuous Improvement:
• Objective: Continuously assess and improve the network security posture.
• Activities:
• Conduct regular security assessments and updates.
• Stay informed about emerging threats and technologies.
• Update security controls and policies as needed.
These phases form a cyclical process, as network security is an evolving field. Organizations should
regularly revisit and update their network security design to adapt to changing threats, technologies,
and business requirements.

Self – Check 1
Part I: True/False Questions:
1. Risk assessment involves evaluating potential risks and threats to the network, including
understanding the value of assets, potential vulnerabilities, and the likelihood of security
incidents.
2. Security goals and objectives should be defined in alignment with the organization's overall
business objectives and may include factors such as confidentiality, integrity, availability,
and compliance with industry regulations.
3. A defense-in-depth strategy in network security involves implementing multiple layers of
security controls, combining technologies, policies, and procedures to mitigate risks at
various levels.
Part II: Choice
1. Which of the following is a key purpose of strategically deploying firewalls in network
security?
A. Enhancing user authentication C. Controlling and monitoring network traffic
B. Encrypting sensitive data D. Managing incident response plans
2. What is the primary purpose of implementing VPNs in network security?
A. Enhancing firewall configurations C. Securing remote access and communication
B. Conducting security audits D. Managing incident response plans
Part III : Essay Questions:
1. Discuss the importance of using encryption protocols to protect sensitive data during
transmission and storage in network security. Provide examples of situations where data
encryption is crucial.
2. Outline the key components of a well-defined incident response plan in network security.
Discuss the roles and responsibilities, communication plans, and strategies for recovery
during a security incident.
3. Discuss the concept of continuous improvement in the context of network security design phases.

Unit Two: Threats to network security
• Attacks of network security
• Network vulnerabilities
• Threat model
• Explain Attacks of network security
• Identify Network vulnerabilities
• Identify Threat Model

2.2. Attacks of network security
2.2.1. Overview of Network security Attack
Network security attacks come in various forms, each aiming to exploit vulnerabilities in a system
or network to compromise its integrity, confidentiality, or availability. Here's an overview of some
common network security attacks:
1. Malware:
• Definition: Malicious software designed to harm or exploit systems.
• Types: Viruses, worms, trojan horses, ransomware, spyware.
• Impact: Unauthorized access, data theft, system disruption.
2. Phishing:
• Definition: Social engineering attack where attackers impersonate trustworthy
entities to trick individuals into revealing sensitive information.
• Forms: Email phishing, spear phishing, vishing (voice phishing), smishing (SMS
phishing).
• Impact: Unauthorized access, identity theft, financial loss.
3. Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks:
• Definition: Overloading a system, network, or service with excessive traffic to
disrupt normal functioning.
• Impact: Service outage, network slowdown, loss of availability.
4. Man-in-the-Middle (MitM) Attacks:
• Definition: Intercepting and potentially altering communication between two
parties without their knowledge.
• Forms: Eavesdropping, session hijacking, SSL stripping.
• Impact: Data interception, unauthorized access.
5. SQL Injection:
• Definition: Exploiting vulnerabilities in web applications by injecting malicious
SQL code into input fields.
• Impact: Unauthorized access to databases, data manipulation.
6. Cross-Site Scripting (XSS):
• Definition: Injecting malicious scripts into webpages viewed by other users.
• Forms: Stored XSS, reflected XSS, DOM-based XSS.
• Impact: Cookie theft, session hijacking, defacement.
7. Zero-Day Exploits:
• Definition: Attacks that target undiscovered vulnerabilities (zero-day
vulnerabilities) before a patch or fix is available.
• Impact: Unauthorized access, data breaches, system compromise.
8. Brute Force Attacks:
• Definition: Repeatedly attempting various combinations of usernames and
passwords until the correct credentials are found.
• Impact: Unauthorized access, account compromise.
9. Eavesdropping (Packet Sniffing):
• Definition: Unauthorized interception and monitoring of network traffic.
• Impact: Unauthorized access to sensitive information.
10. DNS Spoofing:
• Definition: Redirecting DNS queries to malicious sites.
• Impact: Man-in-the-middle attacks, phishing, data theft.
11. Social Engineering:
• Definition: Manipulating individuals into divulging confidential information or
performing actions against their interests.
• Forms: Impersonation, pretexting, baiting.
• Impact: Unauthorized access, data breaches, compromised security.
12. Insider Threats:
• Definition: Malicious actions or negligence by individuals within an organization.
• Forms: Intentional data theft, accidental data exposure.
• Impact: Data breaches, compromised security.
To mitigate the risk of these network security attacks, organizations implement a
combination of technical controls (firewalls, intrusion detection/prevention systems,
encryption), security policies, user education, and regular security audits. Staying informed

about emerging threats and continuously updating and patching systems are crucial
components of a robust network security strategy.
Figure 1 Figure that shows Network Security
2.2. Network vulnerabilities
Network vulnerabilities refer to weaknesses or flaws in a computer network's security that

can be exploited by attackers to compromise the confidentiality, integrity, or availability of
the network and its data. Identifying and addressing these vulnerabilities is crucial for
maintaining a secure and resilient network. Here are some common network
vulnerabilities:
1. Weak Passwords:
• Passwords that are easy to guess or are not strong enough can be exploited by
attackers. It's essential to enforce strong password policies and use multi-factor
authentication (MFA) where possible.
2. Outdated Software and Patching:
• Failure to update and patch operating systems, applications, and network devices
can leave vulnerabilities open for exploitation. Regularly applying security patches
helps address known vulnerabilities.
3. Unsecured Network Protocols:

• Insecure or outdated network protocols may expose sensitive information to
eavesdropping. It's important to use secure protocols (e.g., HTTPS instead of HTTP)
and disable deprecated protocols.
4. Lack of Encryption:
• Failure to encrypt sensitive data during transmission or storage can expose it to
unauthorized access. Implementing encryption protocols, such as SSL/TLS for data
in transit and encryption for stored data, is crucial.
5. Unsecured Wireless Networks:
• Open or poorly configured Wi-Fi networks can be exploited by unauthorized users.
Employ strong encryption (WPA3), use complex passwords, and regularly update
Wi-Fi passwords.
6. Insufficient Access Controls:
• Inadequate access controls can lead to unauthorized access or privilege escalation.
Implement the principle of least privilege, regularly review user access levels, and
ensure proper user authentication.
7. Misconfigured Firewalls and Routers:
• Improperly configured firewalls and routers may allow unauthorized access to the
network. Regularly review and update firewall rules to ensure they align with
security policies.
8. Phishing Attacks:
• Social engineering attacks, such as phishing, can exploit human vulnerabilities to
gain unauthorized access. Employee training and awareness programs are essential
to mitigate the risks associated with phishing.
9. Malware and Viruses:
• Malicious software can exploit vulnerabilities to infiltrate a network. Employ anti-
malware tools, keep them updated, and regularly scan for malware.
10. Unrestricted Physical Access:
• Physical access to network infrastructure can lead to unauthorized manipulation.
Restrict physical access to network devices and secure server rooms.

11. Denial-of-Service (DoS) Attacks:
• DoS attacks can disrupt network services by overwhelming them with traffic.
Implementing DoS protection measures and having redundancy in critical services
can help mitigate these attacks.
Regular security audits, vulnerability assessments, and penetration testing are essential for
identifying and addressing network vulnerabilities. Additionally, staying informed about
emerging threats and best practices in cybersecurity is crucial for maintaining a secure
network environment.
2.3. Threat model
A network security threat model is a systematic approach to identifying and understanding

potential security threats to a network. Developing a threat model helps organizations
anticipate, prioritize, and mitigate potential risks to their network infrastructure. Here are key
components and steps involved in creating a network security threat model:
1. Asset Identification:
• Identify and enumerate all assets within the network. This includes hardware (servers,
routers, switches), software (applications, operating systems), data (sensitive
information), and human resources.
2. Threat Enumeration:
• Enumerate potential threats and vulnerabilities that could impact the network. Consider
external and internal threats, including malicious actors, malware, insider threats, and
natural disasters.
3. Vulnerability Assessment:
• Conduct a thorough vulnerability assessment to identify weaknesses in the network. This
involves scanning systems and applications for known vulnerabilities and weaknesses in
configurations.
4. Risk Assessment:

• Evaluate the likelihood and potential impact of identified threats. Assign risk levels based
on the combination of the threat's likelihood and impact. This helps prioritize the
mitigation efforts.
5. Attack Surface Analysis:
• Analyze the network's attack surface, which includes all points where an attacker could
potentially gain unauthorized access. This involves understanding entry points,
interfaces, and potential weak links in the network.
6. Security Controls Evaluation:
• Evaluate the effectiveness of existing security controls, such as firewalls, intrusion
detection systems, access controls, and encryption mechanisms. Identify any gaps or
areas where controls can be strengthened.
7. Incident Response Planning:
• Develop an incident response plan outlining the steps to be taken in the event of a
security incident. This includes detection, containment, eradication, recovery, and

lessons learned.
8. User and Access Controls:
• Assess user authentication and access controls. Ensure that the principle of least
privilege is implemented, and regularly review and update user access levels.
9. Data Protection:
• Implement measures to protect sensitive data, both in transit and at rest. This includes
encryption, data classification, and access controls.
10. Network Monitoring:
• Implement comprehensive network monitoring to detect unusual or suspicious activities.
Use intrusion detection and prevention systems to identify and respond to potential
security incidents.
11. Patch Management:
• Establish a robust patch management process to ensure that all systems and software are
regularly updated with the latest security patches.
12. Physical Security:

• Consider physical security aspects, such as access to server rooms, data centers, and
networking equipment. Restrict physical access to prevent unauthorized tampering.
13. Security Awareness Training:
• Conduct regular security awareness training for employees to educate them about security
best practices, social engineering threats, and the importance of reporting suspicious
activities.
14. Regulatory Compliance:
• Ensure that the network security measures align with relevant regulatory requirements
and industry standards. This includes GDPR, HIPAA, PCI DSS, etc.
• Regularly revisit and update the threat model to account for changes in technology,
business processes, and emerging threats. Network security is an evolving field, and
continuous improvement is essential.
By systematically addressing these components, organizations can create a comprehensive
network security threat model that helps them proactively manage and mitigate potential
risks to their network infrastructure

Self - Check 2
Part I : True/False Questions:
1. Malware includes types such as viruses, worms, trojan horses, ransomware, and spyware.
2. Phishing attacks can take the form of vishing, which involves voice interactions.
3. Denial-of-Service (DoS) attacks aim to increase the availability of network services.
4. Man-in-the-Middle attacks may involve SSL stripping as one of their forms.
Part II : Multiple-Choice Questions:
1. Which type of attack involves overloading a system with excessive traffic to disrupt
normal functioning?
A) Phishing
B) Denial-of-Service (DoS)
C) Man-in-the-Middle
D) SQL Injection
2. What is the primary impact of Cross-Site Scripting (XSS) attacks?
A) Unauthorized access
B) Data manipulation
C) Cookie theft and session hijacking
D) System disruption
3. Which vulnerability involves exploiting weaknesses in web applications by injecting
malicious SQL code into input fields?
A) Weak Passwords
B) SQL Injection
C) Outdated Software
D) Phishing
1.Explain the potential impact of a Zero-Day Exploit on a network. How can organizations
prepare for such attacks?
2.Discuss the role of user and access controls in network security. How does the principle
of least privilege contribute to a more secure network environment?
3.Describe the steps involved in an effective incident response plan. How does it contribute
to minimizing the impact of security incidents on a network?

Unit Three: Analyze security risks
• Elements of risk management
• Assets that require protection
• Creating a risk management plan
• Identify Elements of risk management
• Explain Assets that require protection
• Explain Creating a risk management plan

3.1.Elements of risk management
Network security risk management involves identifying, assessing, and mitigating potential risks
to the security of an organization's computer networks. Here are the key elements of network
security risk management:
1. Risk Identification:
• Definition: The process of identifying potential threats and vulnerabilities in the
network environment.
• Activities:
➢ Network assessments and audits
➢ Vulnerability scanning
➢ Threat intelligence analysis
• Outcome: A comprehensive list of potential risks specific to the network.
2. Asset Valuation:
• Definition: Evaluating the value of network assets, including hardware, software,
data, and intellectual property.
• Activities:
➢ Asset inventory and categorization
➢ Assigning value to critical assets
• Outcome: Prioritization of assets based on their importance to the organization.
3. Risk Assessment:
• Definition: Evaluating identified risks in terms of their likelihood and potential
impact on the network.
• Activities:
➢ Quantitative risk analysis (assigning numerical values)
➢ Qualitative risk analysis (subjective assessments)
➢ Risk matrices and heat maps
• Outcome: Prioritized list of network risks based on likelihood and impact.

4. Threat Modeling:
• Definition: Identifying potential threats and attack vectors to understand how
adversaries might exploit vulnerabilities.
• Activities:
➢ Analyzing network architecture
➢ Identifying entry points and weak links
➢ Considering potential attacker motivations
• Outcome: A model illustrating potential threats and attack scenarios.
5. Risk Mitigation and Controls:
• Definition: Developing and implementing strategies to reduce the impact or
likelihood of identified risks.
• Activities:
➢ Deploying security controls (firewalls, intrusion detection/prevention
systems)
➢ Encryption of sensitive data
➢ Regular patch management
• Outcome: Implemented measures to enhance network security.
• Definition: Developing a plan outlining the steps to be taken in the event of a
network security incident.
• Activities:
➢ Establishing an incident response team
➢ Defining incident categories and severity levels
➢ Conducting tabletop exercises
• Outcome: Documented incident response plan for efficient and effective response.
7. Continuous Monitoring:
• Definition: Regularly monitoring network activities to detect and respond to
potential security incidents.
• Activities:

➢ Network traffic analysis
➢ Intrusion detection and prevention
➢ Log analysis
• Outcome: Ongoing awareness of network security status.

• Definition: Educating users about security best practices and raising awareness
about potential risks.
• Activities:
➢ Security awareness training
➢ Phishing simulation exercises
➢ Communication of security policies
• Outcome: Informed and vigilant users contributing to network security.
9. Security Audits and Assessments:
• Definition: Conducting regular assessments and audits to evaluate the effectiveness
of security controls and policies.
• Activities:
➢ Penetration testing
➢ Compliance audits
➢ Security policy reviews
• Outcome: Identification of areas for improvement in network security measures.
• Definition: Documenting all aspects of network security risk management,
including assessments, mitigation plans, and incident responses.
• Activities:
➢ Maintaining risk registers and documentation
➢ Creating regular security reports
➢ Archiving historical security data
• Outcome: Comprehensive documentation for internal and external reporting.

• Definition: Ensuring that network security measures align with relevant regulatory
requirements and industry standards.
• Activities:
➢ Regular compliance assessments
➢ Keeping up-to-date with legal and regulatory changes
• Outcome: Adherence to applicable laws and standards.
By addressing these elements, organizations can establish a comprehensive network security risk
management program that helps protect their systems and data from potential threats and
vulnerabilities.
3.2.Assets that require protection
Identifying and protecting network assets is a crucial aspect of network security risk
management. Various assets within a network require protection to ensure the confidentiality,
integrity, and availability of information. Here are key network assets that typically need
safeguarding:
1. Hardware Assets:
• Servers: Critical systems that host applications, databases, and services.
• Routers and Switches: Network devices responsible for directing and controlling
data traffic.
• Firewalls: Devices that filter and control incoming and outgoing network traffic
based on predetermined security rules.
2. Software Assets:
• Operating Systems: The foundational software that manages hardware and
provides services for computer programs.
• Applications: Software programs and tools used for specific functions or tasks
within the network.
• Security Software: Antivirus, anti-malware, intrusion detection/prevention
systems, and other security tools.
3. Data Assets:

• Sensitive Data: Personally Identifiable Information (PII), financial data, intellectual
property, and other confidential information.
• Databases: Repositories of structured information accessed and manipulated by
applications.
4. Network Infrastructure:
• Cabling and Connectivity: Physical components that enable data transmission
between devices.
• Wireless Networks: Wi-Fi infrastructure providing connectivity without physical
cables.
• Virtual Private Networks (VPNs): Secure tunnels for remote access or connecting
geographically dispersed networks.
5. Endpoints:
• Computers and Workstations: Devices used by end-users to access the network
and its resources.
• Mobile Devices: Smartphones, tablets, and other portable devices accessing the
network.
6. Authentication Credentials:
• Usernames and Passwords: Access credentials for individuals accessing network
resources.
• Encryption Keys: Keys used to encrypt and decrypt sensitive data during
transmission.
7. Network Services:
• Domain Name System (DNS): Translates human-readable domain names into IP
addresses.
• Dynamic Host Configuration Protocol (DHCP): Allocates and manages IP
addresses in a network.
• Directory Services: Stores and organizes information about network resources,
users, and groups.
8. Communication Channels:

• Internet Connectivity: External connections providing access to the internet.
• Internal Networks: Local Area Networks (LANs), Wide Area Networks (WANs),
and other network segments.
• Server Rooms and Data Centers: Physical spaces housing critical network
infrastructure.
• Networking Equipment: Routers, switches, and other devices vulnerable to
physical tampering.
10. Monitoring and Logging Systems:
• Security Information and Event Management (SIEM): Aggregates and analyzes
security data.
• Logs and Audit Trails: Records of system and network activities for analysis and
troubleshooting.
11. Personnel Assets:
• Security Personnel: Individuals responsible for implementing and managing
security measures.
• System Administrators: Individuals managing and maintaining network
infrastructure.
12. Policies and Documentation:
• Security Policies: Guidelines and rules governing network usage and security
practices.
• Documentation: Records of configurations, procedures, and incident responses.
13. Backup Systems:
• Data Backups: Copies of critical data to recover from data loss or system failures.
• Disaster Recovery Systems: Plans and processes for resuming operations after a
catastrophic event.
14. External Services:
• Cloud Services: Third-party services hosted externally, such as Infrastructure as a
Service (IaaS) or Software as a Service (SaaS).

• Third-Party Connections: Partnerships or integrations with external entities.
When conducting a network security risk assessment, it's essential to identify, prioritize, and
protect these assets based on their importance to the organization's operations and goals. This
helps in creating effective risk management strategies and allocating resources where they are
most
3.3.Creating a risk management plan
Creating a Network Security Risk Management Plan involves a systematic approach to

identify, assess, and mitigate potential risks to the security of an organization's computer
networks. Below is a step-by-step guide to help you develop an effective Network Security
Risk Management Plan:
1. Define the Scope and Objectives:
• Clearly define the scope of the network security risk management plan.
• Identify the primary objectives, such as protecting sensitive data, ensuring system
availability, and preventing unauthorized access.
2. Identify and Classify Assets:
• List all network assets, including hardware, software, data, and personnel.
• Classify assets based on their criticality and importance to the organization.
3. Identify Threats and Vulnerabilities:
• Conduct a thorough assessment to identify potential threats and vulnerabilities.
• Consider external and internal threats, such as cyberattacks, insider threats, and natural
disasters.
4. Risk Assessment:
• Evaluate each identified risk in terms of likelihood and impact.
• Prioritize risks based on their potential impact on network security.
5. Risk Mitigation and Controls:
• Develop strategies to mitigate identified risks. This may include:
➢ Implementing security controls (firewalls, antivirus software, intrusion detection
systems).

➢ Regularly updating and patching systems.
➢ Implementing encryption for sensitive data.
➢ Establishing and enforcing strong access controls.
• Develop an incident response plan outlining the steps to be taken in the event of a
security incident.
• Define roles and responsibilities for incident response team members.
• Conduct tabletop exercises to test the effectiveness of the plan.
7. Continuous Monitoring:
• Implement continuous monitoring mechanisms to detect and respond to security
incidents in real-time.
• Utilize intrusion detection systems, log analysis, and network traffic monitoring.
• Implement security awareness training programs for employees.
• Conduct phishing simulation exercises to educate users about social engineering risks.
• Establish clear communication channels for reporting security concerns.
9. Security Audits and Assessments:
• Conduct regular security audits and assessments to evaluate the effectiveness of security
controls.
• Perform penetration testing and vulnerability assessments.
By following these way, organizations can develop a robust Network Security Risk
Management Plan that addresses potential threats and vulnerabilities, thereby enhancing the
overall security posture of their networks. Regular reviews and updates ensure the plan remains
effective in the ever-evolving landscape of cybersecurity threats.

Self – Check 3
Part I : True or False Questions:
1. Risk Identification involves assigning numerical values to potential threats and
vulnerabilities.
2. Asset Valuation includes prioritizing assets based on their importance to the organization.
3. Threat Modeling focuses on developing and implementing strategies to reduce the impact
of identified risks.
4. Continuous Monitoring involves conducting tabletop exercises to test the incident response
plan.
Part II : Choice Questions:
1. Which activity is associated with Risk Assessment?
A. Security awareness training C. Encryption of sensitive data
B. Quantitative risk analysis D. Establishing an incident response team
2. What is the outcome of Threat Modeling?
A. Prioritized list of network risks
B. Implemented measures to enhance network security
C. A model illustrating potential threats and attack scenarios
D. Documented incident response plan
3. Which is considered a Hardware Asset?
A. Security Policies
B. Operating Systems
C. Servers
D. Encryption Keys
1. Explain the significance of Asset Valuation in the context of network security risk
management.
2. Describe the steps involved in creating a comprehensive Incident Response Plan. Highlight
the key elements that should be included in the plan for an efficient response to network
security incidents.

Unit Four: Create a security design
• Attacker scenarios and threats
• Designing security measures
• Obtaining feedback
• Developing security policies
• Identify Attacker scenarios and threats
• Design security measures
• Obtain feedback
• Develop security policies

4.1. Attacker scenarios and threats
Certainly, let's explore more attacker scenarios and threats across various dimensions of
cybersecurity:
1. Social Engineering:
• Scenario: Attackers exploit human psychology to manipulate individuals into
divulging confidential information or performing actions that may compromise
security.
• Threats: Phishing, pretexting, baiting, quid pro quo, and other social engineering
techniques can lead to unauthorized access, data breaches, and system
compromise.
2. Credential Stuffing:
• Scenario: Attackers use previously stolen usernames and passwords to gain
unauthorized access to user accounts.
• Threats: Unauthorized access, identity theft, and potential for lateral movement
within a network.
3. Brute Force Attacks:
• Scenario: Attackers systematically try all possible combinations of passwords
until the correct one is found.
• Threats: Unauthorized access, account takeover, and potential compromise of
sensitive information.
4. Physical Security Threats:
• Scenario: Attackers gain access to physical infrastructure, such as data centers
or server rooms, to compromise network security.
• Threats: Theft of hardware, unauthorized access, and potential disruption of
services.
5. Wi-Fi Eavesdropping:
• Scenario: Attackers intercept and monitor Wi-Fi communications to gain
unauthorized access or gather sensitive information.

• Threats: Eavesdropping, unauthorized access to data, and potential compromise
of user credentials.
6. USB-based Attacks:
• Scenario: Attackers use infected USB drives to introduce malware or gain
unauthorized access to systems.
• Threats: Malware infection, data theft, and potential compromise of network
security.
7. Web Application Vulnerabilities:
• Scenario: Attackers exploit vulnerabilities in web applications to gain
unauthorized access, manipulate data, or launch other attacks.
• Threats: SQL injection, cross-site scripting (XSS), and other web application
vulnerabilities can lead to data breaches and unauthorized access.
8. Supply Chain Attacks:
• Scenario: Attackers compromise the supply chain, injecting malicious code or
hardware during the production process.
• Threats: Compromised software or hardware, potential for widespread data
breaches or system compromise.
9. Insecure APIs:
• Scenario: Attackers exploit vulnerabilities in application programming
interfaces (APIs) to gain unauthorized access or manipulate data.
• Threats: Unauthorized access to sensitive data, data manipulation, and potential
disruption of services.
10. IoT Exploitation:
• Scenario: Attackers target vulnerabilities in Internet of Things (IoT) devices to
gain access to networks or launch attacks.
• Threats: Unauthorized access, data breaches, and potential disruption of
connected systems.
11. File Upload Vulnerabilities:

• Scenario: Attackers exploit flaws in systems that allow file uploads, uploading
malicious files to compromise servers or applications.
• Threats: Execution of malicious code, potential compromise of server integrity.
12. Cross-Site Request Forgery (CSRF):
• Scenario: Attackers trick users into performing unintended actions on web
applications where they are authenticated.
• Threats: Unauthorized actions on behalf of the victim, potentially leading to data
manipulation or loss.
These scenarios underscore the importance of a holistic cybersecurity strategy, incorporating
technical controls, user education, and proactive threat detection to effectively mitigate the diverse
range of threats posed by attackers. Regular risk assessments and staying informed about emerging
threats are also crucial elements of a robust cybersecurity posture
4.2. Designing security measures
Designing effective security measures involves implementing a combination of technical controls,

policies, and practices to safeguard an organization's assets, including data, systems, and networks.
Here's a comprehensive guide on designing security measures:
1. Risk Assessment:
• Identify and assess potential risks and vulnerabilities to your organization's assets.
• Prioritize risks based on their potential impact and likelihood of occurrence.
• Consider external and internal threats, including natural disasters, human errors, and
malicious activities.
2. Security Policies and Procedures:
• Develop comprehensive security policies and procedures that cover areas such as
data protection, access controls, incident response, and acceptable use.
• Ensure policies are communicated, understood, and enforced across the
organization.
3. Access Controls:
• Implement the principle of least privilege, ensuring that users and systems have the
minimum level of access needed to perform their duties.

• Use strong authentication mechanisms, such as multi-factor authentication (MFA),
to enhance access security.
4. Encryption:
• Encrypt sensitive data at rest, in transit, and during processing.
• Use strong encryption algorithms to protect confidential information from
unauthorized access.
5. Network Security:
• Deploy firewalls, intrusion detection and prevention systems, and secure gateways
to monitor and control network traffic.
• Segment networks to limit the lateral movement of attackers.
6. Endpoint Security:
• Use endpoint protection solutions to detect and prevent malware and other malicious
activities on devices.
• Keep endpoint software, including operating systems and antivirus programs,
updated regularly.
7. Security Patching:
• Regularly update and patch software, operating systems, and firmware to address
known vulnerabilities.
• Establish a patch management process to ensure timely and comprehensive updates.
• Develop and regularly test an incident response plan outlining steps to take in the
event of a security incident.
• Assign roles and responsibilities, and establish communication protocols during
incidents.
9. Security Awareness Training:
• Educate employees on security best practices, including recognizing phishing
attempts, using strong passwords, and safeguarding sensitive information.
• Conduct regular security awareness training sessions.

• Implement physical security measures, such as access controls, surveillance, and
secure entry points, to protect physical assets like servers and data centers.
11. Monitoring and Logging:
• Implement robust monitoring systems to detect and alert on suspicious activities.
• Maintain detailed logs for auditing and forensic purposes.
12. Vendor Security:
• Assess and monitor the security practices of third-party vendors and service
providers.
• Ensure that vendors comply with security standards and adhere to your
organization's security policies.
13. Security Testing:
• Conduct regular security assessments, including penetration testing and
vulnerability scanning, to identify and address security weaknesses.
14. Backup and Disaster Recovery:
• Implement regular data backups and test the restoration process.
• Develop a comprehensive disaster recovery plan to ensure business continuity in the
event of a catastrophic event.
• Stay informed about relevant data protection regulations and industry standards.
• Ensure that security measures align with legal and regulatory requirements
applicable to your organization.
• Regularly review and update security measures in response to evolving threats and
changes in the business environment.
• Conduct periodic security audits to assess the effectiveness of implemented
measures.
Remember that security is an ongoing process, and a proactive approach is crucial for adapting to
new threats and vulnerabilities. Regularly reassessing risks, updating security measures, and
fostering a culture of security awareness contribute to a robust cybersecurity posture.

4.3. Obtaining feedback on the designed security measures
Obtaining feedback on the designed security measures is a crucial step in ensuring their
effectiveness and identifying areas for improvement. Here's a structured approach to gather
feedback:
1. Stakeholder Involvement:
• Involve key stakeholders, including IT personnel, security teams, executives, and
end-users, in the feedback process.
• Ensure representation from different departments and levels within the organization.
2. Feedback Sessions:
• Conduct regular feedback sessions to gather insights from stakeholders.
• Schedule one-on-one interviews, focus groups, or workshops to discuss specific
aspects of the security measures.
3. Anonymous Surveys:
• Distribute anonymous surveys to employees to collect candid feedback.
• Ask questions about the usability, effectiveness, and any observed challenges with
the security measures.
4. Incident Response Evaluations:
• Evaluate the effectiveness of the incident response plan through simulated exercises.
• Gather feedback on the clarity of procedures, effectiveness of communication, and
overall response time.
5. Monitoring and Logging Reviews:
• Review the effectiveness of monitoring and logging systems.
• Analyze incidents or near-incidents to assess whether the monitoring tools provided
adequate visibility.
6. Testing and Assessment Feedback:
• Collect feedback from security testing, including penetration tests and vulnerability
assessments.
• Evaluate the responsiveness of the organization to identified vulnerabilities and the
effectiveness of remediation efforts.
7. User Training Assessments:
• Assess the impact of security awareness training on end-users.
• Test user knowledge through simulated phishing exercises and evaluate their ability
to apply security best practices.
8. Key Performance Indicators (KPIs):
• Define and track key performance indicators related to security measures.
• Monitor metrics such as incident response time, successful phishing prevention
rates, and the frequency of security awareness training completion.

9. Incident Debriefings:
• Conduct post-incident debriefings to understand what worked well and where
improvements can be made.
• Encourage open communication to identify areas for enhancement.
10. Third-Party Assessments:
• Engage external security experts for third-party assessments.
• Obtain objective insights into the effectiveness of security controls and adherence
to industry best practices.
11. Regulatory Compliance Audits:
• Conduct audits to ensure compliance with relevant regulations and standards.
• Use audit findings to identify gaps and improve security measures.
12. Continuous Improvement Discussions:
• Foster a culture of continuous improvement by regularly discussing feedback and
potential enhancements.
• Encourage collaboration among stakeholders to address identified issues.
13. Documentation Review:
• Review documentation related to security measures, including policies, procedures,
and incident reports.
• Ensure that documentation is up-to-date and aligns with the current security
landscape.
14. Technology Updates:
• Stay informed about emerging technologies and threat landscapes.
• Evaluate whether security measures need adjustments based on technological
advancements or changes in attack vectors.
15. Post-Implementation Reviews:
• Conduct post-implementation reviews for new security measures.
• Solicit feedback on the deployment process, any disruptions caused, and the overall
effectiveness of the implemented solution.
By systematically gathering feedback through various channels, organizations can gain a
comprehensive understanding of the strengths and weaknesses of their security measures. This
feedback-driven approach allows for continuous improvement and helps organizations stay
adaptive to evolving security challenges
4.4. Developing security policies
Developing security policies is a crucial step in establishing a comprehensive and effective
cybersecurity framework for an organization. Below is a step-by-step guide to help you in the
process of developing security policies:

1. Understand Organizational Needs:
• Objective: Clearly define the purpose and goals of the security policies.
• Action:
➢ Engage with key stakeholders, including executives, IT personnel, legal, HR, and other
relevant departments.
➢ Identify and understand the specific security needs and challenges faced by the
organization.
• Objective: Ensure that security policies align with relevant regulatory requirements and
industry standards.
• Action:
➢ Identify applicable laws, regulations, and industry standards that govern your
organization.
➢ Ensure that security policies address compliance requirements.
3. Risk Assessment:
• Objective: Identify and prioritize security risks that need to be addressed.

• Action:
➢ Conduct a comprehensive risk assessment to identify potential threats and vulnerabilities.
➢ Prioritize risks based on their impact and likelihood.
4 Data Classification:
• Objective: Categorize and protect sensitive information based on its importance and
sensitivity.
• Action:
➢ Classify data into different categories (e.g., public, internal, confidential).
➢ Develop policies for handling and protecting each category.
5. Access Control Policies:

• Objective: Ensure that access to resources is controlled and follows the principle of least
privilege.
• Action:
➢ Define user roles and access levels.
➢ Implement policies for granting and revoking access based on job responsibilities.
6. Authentication and Password Policies:
• Objective: Establish guidelines for secure user authentication.
• Action:
➢ Define password complexity requirements.
➢ Promote the use of multi-factor authentication (MFA).
7. Network Security Policies:
• Objective: Secure the organization's network infrastructure.
• Action:
➢ Implement firewall rules and intrusion detection/prevention systems.
➢ Define policies for secure wireless networking and network segmentation.
8. Endpoint Security Policies:
• Objective: Ensure the security of end-user devices.
• Action:
➢ Specify requirements for antivirus software and endpoint protection.
➢ Establish policies for encryption and secure configuration of endpoints.
• Objective: Provide guidelines for responding to and mitigating security incidents.
• Action:
➢ Develop an incident response plan with clearly defined roles and responsibilities.
➢ Include procedures for reporting and handling incidents.
By following this way, organizations can develop a set of comprehensive security policies that are
tailored to their specific needs, promote a secure culture, and effectively mitigate potential risks.
Regularly revisiting and updating these policies ensures that they remain relevant and aligned with
the evolving cybersecurity landscape.

Self – Check 4
Part I - True/False Questions:
1. Phishing is a social engineering technique that may lead to unauthorized access and data
breaches.
2. Credential stuffing involves using previously stolen usernames and passwords to gain
3. Brute force attacks systematically try all possible combinations of passwords to gain
Part II - Multiple-Choice Questions:
1. What is a key component of feedback sessions?
A. Incident response evaluations

B. Anonymous surveys
C. Security patching
D. Continuous improvement discussions
2. Why are incident response evaluations important for feedback?
A. To assess network security

B. To evaluate the effectiveness of monitoring systems
C. To understand what worked well and areas for improvement
D. To review documentation related to security measures
3. What is the objective of risk assessment in developing security policies?
A. To develop comprehensive security policies
B. To ensure regulatory compliance
C. To identify and prioritize security risks
D. To conduct incident response evaluations
Part III - Essay Questions:
1. Discuss the significance of social engineering in cybersecurity.

2. Explain the key steps involved in designing effective security measures for an organization.
3. Describe the feedback mechanisms outlined in the document for obtaining insights into the
effectiveness of security measures.

Unit Five: Design and implement responses to security incidents
• Auditing and incident response procedure
• Documenting security incidents
• Implementing configurations for incident
• Testing and signing off
• Apply audit and incident response procedure
• Document security incidents
• Implement configurations for incident
• Test and sign off

5.1. Auditing and incident response procedure
Applying audit and incident response procedures involves implementing the outlined
processes in a systematic and consistent manner. Here's a step-by-step guide for applying
these procedures:
1. Apply Audit Procedure:
a. Risk Assessment:
• Regularly conduct risk assessments to identify potential threats and vulnerabilities.
• Use tools and methodologies to quantify and qualify risks.
b. Policy Review:
• Review and update information security policies based on the results of risk assessments
and changes in the organizational landscape.
• Communicate policy changes to relevant stakeholders.
c. Access Controls:
• Conduct periodic access reviews to ensure users have the appropriate level of access.
• Implement automated tools for access control monitoring.
d. Vulnerability Assessments:
• Schedule regular vulnerability assessments using reputable tools.
• Prioritize and remediate identified vulnerabilities based on risk assessments.
e. Incident Response Plan Review:
• Regularly review and update the incident response plan to align with emerging threats.
• Conduct tabletop exercises to ensure the plan is effective.
f. Compliance Checks:
• Regularly audit systems and processes to ensure compliance with relevant regulations.
• Document compliance status and address any non-compliance issues.
g. Security Awareness Training:
• Conduct ongoing security awareness training for employees.
• Utilize simulated phishing exercises to test and improve awareness.
h. Logging and Monitoring:
• Regularly review logs and implement automated alerting systems.

• Investigate and respond to anomalies or suspicious activities.
i. Physical Security Checks:
• Conduct regular physical security assessments.
• Ensure that security measures such as surveillance and access controls are effective.
j. Documentation:
• Maintain detailed records of audit activities, findings, and recommendations.
• Use documentation to track improvements over time.
2. Apply Incident Response Procedure:
a. Preparation:
• Ensure all incident response team members are familiar with their roles.
• Regularly update contact information for key team members.
b. Detection:
• Continuously monitor systems for signs of potential incidents.
• Use intrusion detection systems and anomaly detection tools.
c. Notification:
• Establish a clear and efficient communication plan for reporting and escalating
incidents.
• Provide training on incident reporting procedures to all employees.
d. Containment:
• Quickly isolate affected systems to prevent further damage.
• Implement temporary fixes to mitigate immediate threats.
e. Eradication:
• Identify and eliminate the root cause of the incident.
• Apply patches or updates to close vulnerabilities.
f. Recovery:
• Restore affected systems and data from backups.
• Validate the integrity and security of restored systems.
g. Post-Incident Analysis:
• Conduct a thorough review of the incident, documenting all actions taken.

• Identify lessons learned and areas for improvement in the incident response plan.
h. Documentation:
• Maintain detailed incident reports for future reference.
• Use documentation to improve the incident response plan and overall security posture.
i. Communication:
• Communicate effectively with internal and external stakeholders.
• Provide timely updates on the incident and steps taken for resolution.
j. Legal and Regulatory Compliance:
• Ensure compliance with legal and regulatory reporting requirements.
• Collaborate with legal teams to address any legal implications.
5.2. Document security incidents
Documenting security incidents is a crucial aspect of incident response. Comprehensive

documentation helps organizations analyze, learn from, and improve responses to
incidents. Below is a guide on how to document security incidents:
1. Incident Identification:
• Capture the date and time when the incident was first identified.
• Note how the incident was discovered (e.g., through automated alerts, user reports,
system logs).
2. Incident Description:
• Provide a detailed description of the incident, including the type of incident (e.g., data
breach, malware infection, unauthorized access).
• Specify the affected systems, networks, or data.
3. Incident Classification:
• Classify the incident based on severity levels (e.g., critical, high, medium, low).
• Use an incident classification framework that aligns with organizational policies.
4. Initial Response Actions:
• Document the initial actions taken to contain the incident.
• Specify the personnel or teams involved in the initial response.
5. Incident Impact:

• Assess and document the impact of the incident on confidentiality, integrity, and
availability of information assets.
• Quantify any data loss or system downtime.
6. Root Cause Analysis:
• Investigate and document the root cause of the incident.
• Identify vulnerabilities or weaknesses exploited by the attacker.
7. Containment and Eradication:
• Describe the steps taken to contain and eradicate the incident.
• Document any changes made to systems or networks during this process.
8. Recovery:
• Outline the recovery process, including system restoration and data recovery.
• Confirm the integrity and security of restored systems.
9. Lessons Learned:
• Identify and document lessons learned from the incident.
• Determine areas for improvement in incident response procedures.
10. Communication:
• Record all communication related to the incident, both internal and external.
• Document updates provided to stakeholders and any public relations efforts.
11. Legal and Regulatory Compliance:
• Document compliance with legal and regulatory reporting requirements.
• Record any legal actions taken or advice sought during the incident response.
12. Post-Incident Analysis:
• Summarize the post-incident analysis, including insights gained and improvements
recommended.
• Document any changes made to incident response procedures based on the analysis.
13. Timeline of Events:
• Create a chronological timeline of events from the identification of the incident to its
resolution.
• Include timestamps for key actions and milestones.

14. Incident Closure:
• Confirm that the incident is fully resolved before closing the documentation.
• Document the final status of the incident.
15. Storage and Access:
• Store incident documentation in a secure and accessible location.
• Ensure that authorized personnel can retrieve and review the documentation as needed.
• Use incident documentation as a basis for continuous improvement in security measures.
• Regularly review and update incident response procedures based on documented
experiences.
5.3. Implement configurations for incident
Implementing configurations for incident response involves setting up and configuring

various tools, technologies, and processes to enhance the organization's ability to detect,
respond to, and recover from security incidents. Below are key configurations to
consider:
1. Incident Detection and Logging:
• Logging Configuration:
➢ Enable comprehensive logging on systems, networks, and applications.
➢ Configure logs to capture relevant information, including authentication
attempts, system changes, and network activities.
• Centralized Logging:
➢ Implement a centralized logging system to aggregate logs from various
sources.
➢ Configure log retention policies for compliance and analysis.
2. Network Security Configurations:
• Intrusion Detection and Prevention Systems (IDPS):
➢ Configure IDPS to monitor network traffic for anomalies and known
attack patterns.

➢ Set up alerts and automated responses for suspicious activities.
• Firewall Rules:
➢ Define and enforce firewall rules to restrict unauthorized access to
networks and systems.
➢ Regularly review and update firewall configurations based on emerging
threats.
3. Endpoint Security Configurations:
• Antivirus and Anti-Malware Software:
➢ Ensure antivirus and anti-malware solutions are installed on all
endpoints.
➢ Configure regular scans and real-time protection features.
• Endpoint Detection and Response (EDR):
➢ Implement EDR solutions to monitor and respond to suspicious activities
on endpoints.
➢ Configure automated response actions for identified threats.
4. Access Controls:
• Identity and Access Management (IAM):
➢ Implement IAM policies to enforce the principle of least privilege.
➢ Regularly review and update user access permissions based on job roles.
• Multi-Factor Authentication (MFA):
➢ Enable MFA for critical systems and privileged accounts.
➢ Configure MFA policies to enhance authentication security.
5. Incident Response Platform Configurations:
• Incident Tracking System:
➢ Implement an incident tracking system to document and manage incidents.
➢ Configure categories, severity levels, and workflows for incident handling.
• Automated Incident Response (AIR) Tools:
➢ Integrate automated incident response tools to execute predefined actions in
response to specific events.

➢ Configure automated responses for common incident scenarios.
6. Communication and Notification:
• Communication Channels:
➢ Establish secure communication channels for incident reporting and
coordination.
➢ Configure notification systems for alerting relevant stakeholders during
incidents.
• Contact Lists:
➢ Maintain up-to-date contact lists for incident response team members and
key stakeholders.
➢ Configure automated notifications based on predefined escalation paths.
7. Incident Simulation and Training:
• Tabletop Exercises:
➢ Conduct regular tabletop exercises to simulate different incident
scenarios.
➢ Review and update configurations based on lessons learned from
simulations.
• Incident Reporting Templates:
➢ Create standardized incident reporting templates.
➢ Configure templates to capture essential information during incident
documentation.
• Access Controls for Incident Documentation:
➢ Implement access controls to restrict access to incident documentation.
➢ Define roles and permissions for personnel involved in incident
response.
• Review and Update Configurations:

➢ Regularly review and update configurations based on changes in the threat
landscape and organizational structure.
➢ Implement feedback from incident post-mortems to enhance configurations.
By implementing these configurations, organizations can strengthen their incident response

capabilities and better mitigate the impact of security incidents. Regular testing, updating, and
refinement of these configurations are essential components of a proactive and effective incident
response strategy.
5.4. Test and Sign Off incident resolution process
Testing and signing off on an incident involve validating that the incident response process was
effective, the security incident has been appropriately addressed, and the organization is ready to
resume normal operations. Here's a step-by-step guide for testing and signing off on an incident:
Testing the Incident Response:
1. Scenario Development:
• Create realistic scenarios based on different types of security incidents that could
impact the organization.
2. Tabletop Exercise:
• Conduct a tabletop exercise where incident response team members simulate
their responses to the identified scenarios.
• Discuss and validate the actions taken, communication protocols, and
coordination among team members.
3. Simulation Testing:
• Conduct more hands-on simulation testing, simulating an actual incident in a
controlled environment.
• Interact with real incident response tools, systems, and data as if it were a live
incident.
4. Evaluation:

• Assess the effectiveness of the incident response plan and the performance of
incident response team members.
• Identify any weaknesses, gaps, or areas for improvement in the incident response
process.
5. Documentation:
• Document the entire testing process, including the scenarios used, actions taken,
and observations.
• Record lessons learned and recommendations for improvement.
Signing Off on the Incident:
1. Resolution Confirmation:
• Verify that the root cause of the incident has been identified and effectively
addressed.
• Confirm that any vulnerabilities or weaknesses exploited by the incident have
been remediated.
2. Recovery Validation:
• Ensure that affected systems and data have been restored to their normal state.
• Validate the integrity and security of restored systems.
3. Post-Incident Analysis:
• Conduct a thorough post-incident analysis, reviewing the incident response
process and its effectiveness.
• Document insights gained, lessons learned, and improvements recommended for
future incidents.
4. Verification and Authorization:
• Verify the resolution and effectiveness of the incident response process with
relevant stakeholders.
• Obtain formal authorization or sign-off from management, indicating that the
incident is officially resolved.
5. Documentation:

• Document the final resolution of the incident, including the verification process
and sign-off.
• Maintain detailed records of the incident response, sign-off, and any
communication related to the incident.
6. Communication:
• Communicate the resolution and sign-off to all relevant stakeholders, including
internal teams and external parties if necessary.
• Provide any necessary updates on the incident, its resolution, and the measures
taken to prevent future occurrences.
• Use the documented insights and recommendations from the testing and sign-
off processes for continuous improvement.
• Update the incident response plan and associated configurations based on
lessons learned.
By systematically testing the incident response plan and subsequently signing off on the incident,
organizations can enhance their overall cybersecurity posture. These processes contribute to
continuous learning, improvement, and readiness for future security incidents.

Self – Check 5
Part I. True or False
1. Regularly conducting risk assessments is a key component of applying audit procedures for
information security.
2. An incident response plan should be regularly reviewed and updated to align with emerging
threats.
3. Simulated phishing exercises are effective for testing and improving employees' security
awareness.
4. Centralized logging systems are essential for aggregating logs from various sources for
analysis and compliance.
Part II. Multiple-Choice
1. What is the primary purpose of intrusion detection systems (IDPS) in the context of incident
response?
a. Monitor network traffic for anomalies and known attack patterns.
b. Restore affected systems and data from backups.
c. Conduct regular vulnerability assessments.
d. Document compliance with legal and regulatory requirements.
2. Which configuration measure is recommended to enforce the principle of least privilege?
a. Multi-Factor Authentication (MFA)
b. Logging Configuration
c. Identity and Access Management (IAM)
d. Incident Tracking System
3. What is the purpose of conducting a tabletop exercise in the incident response process?
a. Simulate an actual incident in a controlled environment.
b. Verify the resolution and effectiveness of the incident response process.
c. Assess the impact of the incident on confidentiality, integrity, and availability.
d. Review and validate the actions taken, communication protocols, and coordination
among team members.
4. Why is documentation important in the incident response process?
a. To create realistic scenarios for testing.
b. To maintain detailed records of audit activities.
c. To assess and document the impact of the incident.
d. To provide communication updates to stakeholders.

Reference
1. "Network Security Essentials" by William Stallings -
2. "Hacking: The Art of Exploitation" by Jon Erickson -
3. "Network Security: Private Communication in a Public World" by Charlie Kaufman, Radia

Perlman, and Mike Speciner.
4. "Firewalls and Internet Security: Repelling the Wily Hacker" by William R. Cheswick and
Steven M. Bellovin -
5. "CISSP All-in-One Exam Guide" by Shon Harris -.
6. "The Web Application Hacker's Handbook" by Dafydd Stuttard and Marcus Pinto -

Developers Profile
NO Name Qualif Field of Study Organization/ Institution Mobile E-mail
1 Zerihun Abate MSc ITM Sebata PTC 0911858358 zedoabata2017@gmail.com
2 Abebe Mintafa MSc ITM Ambo TVETC 0929362458 tolabula@gmail.com
3 Endale Bereket Bsc Co. Science M/G/M/B/P/T/C 0915439694 zesaron1221@gmail.com
4 Yinebeb Tamiru BSC Co. Science APTC 0936325182 yinebebtamiru07@gmail.com


M05 - Managing Network Security

Uploaded by

Copyright:

Available Formats

M05 - Managing Network Security

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

M05 - Managing Network Security

Uploaded by

Copyright:

Available Formats

Hardware and Network Servicing

Module Title: - Manag Network Security

Prepared by:- Ministry of Labor and Skill

Page ii of 57 Author/Copyright: Managing Network Security Level- III Version 1

Page iii of 57 Author/Copyright: Managing Network Security Level- III Version 1

Page v of 57 Author/Copyright: Managing Network Security Level- III Version 1

Page vi of 57 Author/Copyright: Managing Network Security Level- III Version 1

Page 1 of 57 Author/Copyright: Managing Network Security Level- III Version 1

1.1. Introduction to network security design

Page 2 of 57 Author/Copyright: Managing Network Security Level- III Version 1

13. User Education and Awareness:

Page 3 of 57 Author/Copyright: Managing Network Security Level- III Version 1

Page 4 of 57 Author/Copyright: Managing Network Security Level- III Version 1

Page 5 of 57 Author/Copyright: Managing Network Security Level- III Version 1

Page 6 of 57 Author/Copyright: Managing Network Security Level- III Version 1

Part III : Essay Questions:

Page 7 of 57 Author/Copyright: Managing Network Security Level- III Version 1

Page 8 of 57 Author/Copyright: Managing Network Security Level- III Version 1

2.2.1. Overview of Network security Attack

Page 10 of 57 Author/Copyright: Managing Network Security Level- III Version 1

Figure 1 Figure that shows Network Security

2.2. Network vulnerabilities

Network vulnerabilities refer to weaknesses or flaws in a computer network's security that

Page 11 of 57 Author/Copyright: Managing Network Security Level- III Version 1

Page 12 of 57 Author/Copyright: Managing Network Security Level- III Version 1

2.3. Threat model

A network security threat model is a systematic approach to identifying and understanding

Page 13 of 57 Author/Copyright: Managing Network Security Level- III Version 1

security incident. This includes detection, containment, eradication, recovery, and

Page 14 of 57 Author/Copyright: Managing Network Security Level- III Version 1

Page 15 of 57 Author/Copyright: Managing Network Security Level- III Version 1

Page 16 of 57 Author/Copyright: Managing Network Security Level- III Version 1

Page 17 of 57 Author/Copyright: Managing Network Security Level- III Version 1

Page 18 of 57 Author/Copyright: Managing Network Security Level- III Version 1

Page 19 of 57 Author/Copyright: Managing Network Security Level- III Version 1

8. User Education and Awareness:

Page 20 of 57 Author/Copyright: Managing Network Security Level- III Version 1

Page 21 of 57 Author/Copyright: Managing Network Security Level- III Version 1

Page 22 of 57 Author/Copyright: Managing Network Security Level- III Version 1

Page 23 of 57 Author/Copyright: Managing Network Security Level- III Version 1

3.3.Creating a risk management plan

Creating a Network Security Risk Management Plan involves a systematic approach to

Page 24 of 57 Author/Copyright: Managing Network Security Level- III Version 1

Page 25 of 57 Author/Copyright: Managing Network Security Level- III Version 1

Page 26 of 57 Author/Copyright: Managing Network Security Level- III Version 1

Page 27 of 57 Author/Copyright: Managing Network Security Level- III Version 1

Page 28 of 57 Author/Copyright: Managing Network Security Level- III Version 1

Page 29 of 57 Author/Copyright: Managing Network Security Level- III Version 1

Designing effective security measures involves implementing a combination of technical controls,

Page 30 of 57 Author/Copyright: Managing Network Security Level- III Version 1

Page 31 of 57 Author/Copyright: Managing Network Security Level- III Version 1

Page 32 of 57 Author/Copyright: Managing Network Security Level- III Version 1

Page 33 of 57 Author/Copyright: Managing Network Security Level- III Version 1

Page 34 of 57 Author/Copyright: Managing Network Security Level- III Version 1

• Objective: Identify and prioritize security risks that need to be addressed.

Page 35 of 57 Author/Copyright: Managing Network Security Level- III Version 1

Page 36 of 57 Author/Copyright: Managing Network Security Level- III Version 1

Part II - Multiple-Choice Questions:

1. What is a key component of feedback sessions?

A. Incident response evaluations