SUBJECT NAME:- MJ–15 (Th):- INFORMATION SECURITY
FOR B. Sc. IT.
SEM 6 F.Y.U.G.P.
Copyright © by Dr. Ajay kumar pathak
B. Sc. IT. SEMESTER 6 NOTES BASED ON NEP
UNIT 5 (UNIT NAME):- NETWORK SECURITY MANAGEMENT AND EMERGING TECHNOLOGIES
Objective:- The objective of this course is to provide students with a comprehensive understanding of network security concepts and techniques. The course aims to develop students' skills in identifying network vulnerabilities, implementing security measures, and ensuring the confidentiality, integrity, and availability of networked systems.
Learning Outcome:- After completion of this course, a student will be able to–
· Understand the principles and concepts of network security.
· Identify potential security threats and vulnerabilities in networked systems.
· Implement security measures to protect network infrastructure.
· Apply encryption and authentication techniques to secure network communication.
· Analyze and respond to security incidents in networked environments.
Semester Examination and Distribution of Marks
INTERNAL MARKS :- 25
(NO PRACTICAL IN THE MJ 15(INFORMATION SECURITY ))
End Semester Examination (ESE) : 75 Marks
UNIT- 5 :- NETWORK SECURITY MANAGEMENT AND EMERGING TECHNOLOGIES
INTRODUCTION TO NETWORK SECURITY POLICY MANAGEMENT (NSPM):-
Network administrators and IT teams use network security policy management to control their network environments and protect their organizations against evolving threats. Network security policy management streamlines security policy design and enforcement. It applies rules and best practices to manage firewalls and other devices more effectively, efficiently, and consistently.
Network security policy management (NSPM) safeguards sensitive data and improves cybersecurity through the development, implementation, and maintenance of security policies that govern an organization's IT infrastructure.
Network security management allows an administrator to manage a network consisting of physical and virtual firewalls from one central location. Administrators need network security management solutions to get a high level of visibility into network behavior, automate device configuration, enforce global policies, view firewall traffic, generate reports, and provide a single management interface for physical and virtual systems.
Network security policies help manage:-
· Acceptable use of networks and systems
· Response to threats and security incidents
· Application and network access
· Vulnerability (weakness) monitoring and remediation, prioritized by the risk each vulnerability poses to the network
· Proactive risk mitigation (reducing risk before it can be exploited)
TYPES OF NETWORK SECURITY SOLUTIONS:-
i. Firewalls:- These devices and software applications analyze network traffic and apply rules to allow or block data packets based on security policies, acting as a protective barrier.
ii. Virtual Private Networks (VPNs):- VPNs establish encrypted tunnels for remote users, ensuring secure data transmission over public networks.
iii. Endpoint Security:- Solutions like antivirus software and mobile device management (MDM) protect devices such as laptops, tablets, and smartphones from potential threats.
iv. Network Access Control (NAC):- NAC systems authenticate and authorize devices attempting to access the network, preventing unauthorized connections.
v. Cloud Security Solutions:- With the rise of cloud-based infrastructures, these solutions safeguard data stored in and transferred through cloud environments.
vi. Threat Intelligence Platforms:- These platforms provide real-time insights into emerging cyber threats, enabling organizations to take proactive measures.
vii. Data Loss Prevention (DLP):- DLP tools monitor and control data transfers to prevent unauthorized sharing of sensitive information.
BENEFITS / ADVANTAGES OF NETWORK SECURITY:-
i. Protection Against Cyber Threats:- Network security solutions act as a robust shield, protecting businesses from phishing scams, malware infections, and ransomware attacks that could compromise operations.
ii. Ensures Business Continuity:- A secure network minimizes disruptions by preventing cyber incidents that could halt daily operations, ensuring seamless productivity.
iii. Safeguards Reputation:- Data breaches erode (erode means to gradually destroy) trust and tarnish (tarnish means to damage a reputation) brand image. Effective security measures help maintain customer confidence and credibility.
iv. Enhanced Productivity:- Security systems reduce the risk of malware and unauthorized access, enabling employees to work without interruptions caused by cyber incidents.
v. Data Integrity:- Network security ensures that sensitive data remains accurate and unaltered by unauthorized entities, preserving its value and reliability.
vi. Cost Savings:- Mitigating breaches reduces financial losses related to data recovery, legal liabilities, and reputation management.
CHALLENGES OF NETWORK SECURITY:-
i. Evolving Threat Landscape:- Cybercriminals are constantly developing advanced tactics, such as zero-day vulnerabilities and social engineering attacks, making it difficult to stay ahead.
ii. Budget Constraints:- Many small and mid-sized businesses face limited resources, hampering their ability to deploy comprehensive security measures.
iii. Complexity in Management:- Modern networks often consist of diverse devices, applications, and users, making it challenging to manage security consistently across all endpoints.
iv. Insider Threats:- Both intentional and accidental actions by employees can lead to security breaches, highlighting the need for continuous monitoring and education.
v. Shadow IT:- Employees using unauthorized applications or devices increase the risk of vulnerabilities within the network.
vi. Third-Party Risks:- Vendors or partners with inadequate security practices can serve as gateways for attackers to infiltrate the primary network.
NETWORK SECURITY RISK MANAGEMENT:-
Security risk management is the structured practice of identifying, assessing, prioritizing, and mitigating risks that could compromise an organization's systems, data, applications, and operations. It sits at the intersection of cybersecurity, information security, and enterprise risk management, helping organizations make informed decisions about where to invest time, budget, and controls.
At its core, security risk management is about reducing uncertainty, not eliminating risk entirely, which is unrealistic. It is about understanding what could go wrong, how bad it could get, and what to do about it before attackers force your hand.
Security risk management is the ongoing process of protecting an organization's digital and physical assets by evaluating threats, vulnerabilities (weaknesses), and potential business impacts. It applies across IT security risk management, application security risk management, cloud security risk management, and broader enterprise security risk management programs.
This discipline combines risk assessment, risk monitoring, and clearly defined response strategies to manage cyber security risk in a measurable, repeatable way. Rather than reacting to incidents after damage is done, security risk management focuses on prevention, prioritization, and flexibility.
NETWORK SECURITY MANAGEMENT BENEFITS:-
(1) Smooth roll-out of security tools:- Network security management systems enable the smooth roll-out of Endpoint Detection and Response (EDR) tools. EDR tools work on every network node. They track traffic passing through endpoints, checking for malicious agents or suspicious behavior. Management systems also strengthen firewall defenses through automated patching: firewalls must remain current to meet emerging threats, and deploying updates as they become available secures every endpoint.
The same update management benefits apply to malware and virus scanners. Both security functions should be present and updated for every network endpoint.
(2) Cost benefits:- Many core security tasks are time-consuming and expensive. Automation reduces the resources required to carry out basic tasks. This results in significant cost savings when aggregated on an enterprise-wide scale.
Administrators can propagate updates in seconds to every server or remote working laptop. They can scan devices to check for any security gaps.
(3) Threat monitoring and neutralization:- Centralized management panels give network administrators complete visibility. Managers can track data crossing network edges as well as internal network traffic.
Detection tools at the network edge protect against intrusions and malicious agents. Real-time traffic monitoring detects suspicious access requests. Managers can neutralize attacks before they reach a critical stage.
(4) Streamlined data recovery and crisis response:- Data monitoring covers all network assets. This enables efficient data recovery policies when attacks occur or storage solutions malfunction. Network managers can regulate Recovery Point Objectives (RPO) for system-wide and focused data recovery. They can also easily adjust Recovery Time Objectives (RTO). Comprehensive network traffic visibility aids disaster response teams. Data from real-time security monitoring forms an invaluable part of incident response reports. It feeds into future risk management strategies, helping to avoid future attacks.
(5) Secure cloud access:- Next-generation network security management systems feature cloud optimization. Many companies rely on cloud data centers and containers to hold sensitive data. They must protect this data to meet compliance goals. Traditional perimeter defenses are inadequate when protecting many cloud-based assets. Network security management solves this problem.
(6) More efficient IT performance:- Bringing network protection tools together also benefits general IT performance. IT teams have limited resources and many responsibilities. Automating simple tasks enables IT experts to focus on strategic goals.
(7) Network simplification and performance benefits:- Centrally managed network security contributes to streamlining network architecture and boosting performance.
Automated endpoint protection and threat monitoring limit the need for manual inputs. Automated updates save time and reduce human error. This reduces downtime due to security misconfigurations.
Robust network security management also identifies redundant security processes. Security teams can remove antivirus or firewall filters where they are not required. This eliminates potential traffic bottlenecks.
SECURITY INCIDENT RESPONSE AND HANDLING (SIR / IH, INCIDENT HANDLING):-
Incident response (sometimes called cybersecurity incident response) refers to an organization's processes and technologies for detecting and responding to cyberthreats, security breaches or cyberattacks. A formal incident response plan enables cybersecurity teams to limit or prevent damage. The goal of incident response is to prevent cyberattacks before they happen and to minimize the cost and business disruption resulting from any cyberattacks that do occur. Incident response is the technical portion of incident management, which also includes executive, HR and legal management of a serious incident.
Ideally, an organization defines incident response processes and technologies in a formal incident response plan (IRP) that specifies how different types of cyberattacks should be identified, contained and resolved.
AWS (Amazon Web Services) Security Incident Response helps you prepare for, respond to, and recover from security events faster and more effectively. The service streamlines every step of the security incident response lifecycle through automated security finding monitoring and triage, AI-powered investigation, and containment capabilities. When specialized expertise is required, Security Incident Response gives you direct 24/7 access to Security Incident Response engineers, who respond to your request within minutes. This combination of automation and expertise enables you to scale your security operations with confidence, so you can focus on innovation and growth.
STEPS FOR SECURITY INCIDENT RESPONSE PLAN:-
(1) Preparation:- Preparation is the most crucial phase in the incident response plan, as it determines how well an organization will be able to respond in the event of an attack. It requires several key elements to have been implemented to enable the organization to handle an incident:-
i. Policy:- Provides a written set of principles, rules, or practices within an organization and is a crucial action that offers guidance as to whether an incident has occurred.
ii. Response plan/strategy:- The response plan needs to include the prioritization of incidents based on organizational impact, from minor incidents like a single workstation failing, to a medium risk like a server going down, to high-risk issues like data being stolen from a department. This can help build the case for management buy-in and gain the resources required to handle an incident effectively.
iii. Communication:- Having a communication plan is vital to ensuring the entire CSIRT (Computer Security Incident Response Team) knows who to contact, when, and why. Not having a plan will likely delay the response time and result in the wrong people being contacted.
iv. Documentation:- This is a vital step in an incident response plan. Documenting the incident assists the organization in providing evidence in the event the incident is considered a criminal act. It also facilitates learning lessons for the future. Everything the CSIRT does must be documented and be able to answer any potential who, what, when, where, and why questions.
v. Team:- The CSIRT needs to be composed of people from different disciplines and departments across the organization, not just technical or security teams.
vi. Access control:- The CSIRT also needs to have the appropriate permissions to perform their roles, for example having permission to access networks and systems to mitigate problems, and having that permission removed when it is no longer needed.
vii. Tools:- Software and hardware are crucial to helping the CSIRT investigate an incident. This can range from anti-malware programs and laptops to screwdrivers. All of the tools required must be contained in a "jump bag."
viii. Training:- Training is crucial to ensuring a team is prepared to tackle a security incident. It is recommended to have regular drills so all CSIRT members know their duties as and when an incident occurs.
(2) Identification:- The second phase deals with detecting and determining whether an incident has occurred. Information such as error messages and log files must be gathered from various sources, including intrusion detection systems and firewalls, to make this decision. If an incident has occurred, it should be reported as quickly as possible to give the CSIRT enough time to collect evidence and prepare for the next steps. CSIRT members also need to be notified and begin the incident response plan process.
(3) Containment:- Once a threat has been identified, the organization must limit and prevent any further damage. There are several necessary steps to help them mitigate an incident and prevent the destruction of evidence.
i. Short-term containment:- This aims to limit the damage as quickly as possible. It can range from something as simple as isolating infected machines to taking down production servers and routing all traffic to failover servers.
ii. System backup:- Forensic software must capture an image of affected systems as they were during the incident to preserve evidence and understand how they were compromised.
iii. Long-term containment:- This step sees the affected systems temporarily fixed to ensure they can continue to be used while clean systems are rebuilt. The primary focus is on removing accounts or backdoors left by attackers and installing security patches.
(4) Eradication:- This phase sees the removal and restoration of systems affected by the security incident. As in all phases of the plan, documentation is crucial to determining the cost in man-hours, resources, and the overall impact of the attack. The organization also must ensure that malicious content has been removed from affected systems and that systems have been thoroughly cleaned to prevent the risk of reinfection (reinfection refers to a new infection of the same type that occurs after a system has been fully cleaned of the previous one).
(5) Recovery:- This phase helps organizations carefully bring affected systems back into the production environment and ensures another incident does not occur. Systems must be tested, monitored, and validated as they move back into production so they are not reinfected by malware or compromised. Important decisions here include:-
i. The time and date that operations are restored. System operators and owners must make the final decision based on the CSIRT's (Computer Security Incident Response Team) advice.
ii. How to test and verify that compromised systems are clean and fully functional.
iii. The duration for which abnormal behaviors are monitored.
iv. Tools used to test, monitor, and validate system behavior.
(6) Post-incident review:- Throughout each phase of the incident response process, the CSIRT collects evidence of the breach and documents the steps it takes to contain and eradicate the threat. At this stage, the CSIRT reviews this information to better understand the incident and gather "lessons learned." The CSIRT seeks to determine the root cause of the attack, identify how it successfully breached the network, and resolve vulnerabilities so that future incidents of this type do not recur.
CREATING AN EFFECTIVE CYBERSECURITY INCIDENT RESPONSE TEAM (CSIRT):-
(1) Technical Experts:-
i. Cybersecurity Experts:- These professionals should have certifications such as CISSP (Certified Information Systems Security Professional) or CISA (Certified Information Systems Auditor). They should also have deep experience in identifying, analyzing, and mitigating various types of cyber threats.
ii. Forensics Specialists:- These individuals should have knowledge and experience in digital forensics, including collecting, preserving, and analyzing digital evidence. Certifications such as EnCE (EnCase Certified Examiner) are desirable.
iii. Infrastructure Experts:- All IT runs on infrastructure, whether on-premises or in the cloud. Expertise in the applicable technical stack is of utmost importance to be able to handle any kind of incident. These individuals must understand the technical landscape as well as the technology vendor's engineers, so that they can troubleshoot even the most complex issues and find smart workarounds to "impossible" problems.
iv. Incident Managers:- These professionals should have experience in managing and coordinating incident response efforts. They will be responsible for overseeing the entire incident response process, ensuring that all necessary steps are taken and that the incident is resolved efficiently. Certifications such as GCIH (GIAC Certified Incident Handler; GIAC stands for Global Information Assurance Certification) or CISM (Certified Information Security Manager) are beneficial.
(2) Non-Technical Experts:-
i. Legal Experts:- Having professionals with legal expertise, including knowledge of cyber laws and regulations, is crucial. They should be able to navigate legal obligations, liaise with international lawyers and authorities, and minimize legal risks. Experience in law enforcement or working with law enforcement agencies is beneficial.
ii. Communication Specialists:- These individuals should have strong communication and crisis management skills. They will be responsible for guiding internal and external communications during cyber incidents. They ensure timely, transparent, and effective communication with stakeholders. Experience in public relations or crisis management is valuable.
iii. Crisis Managers:- Knowing and understanding how to prioritize and lead when things are at their worst is the hallmark of this role. These individuals become a support to the organization's management. They continually enhance their experience and knowledge by guiding many organizations through severe breaches. They ensure that the crisis management team's focus stays on the incident's consequences. They do not stray into the problem itself, which is the incident response team's responsibility. The focus here is always to ensure the endurance and continuity of the business and all its stakeholders.
SECURITY INCIDENT HANDLING (SIH):-
Security Incident Handling is a systematic process used by organizations to identify, analyze, control, and recover from security incidents that threaten computer systems, networks, or data. It is a very important concept in Cybersecurity and Information Security because modern organizations depend heavily on digital systems and must protect them from cyber attacks.
A security incident refers to any event that violates or threatens the confidentiality, integrity, or availability of information systems. These three principles are often called the CIA (Confidentiality, Integrity, and Availability) Triad in information security.
Security Incident Handling ensures that when such incidents occur, the organization can quickly detect the problem, reduce the damage, investigate the cause, restore systems, and prevent the same incident from happening again.
In simple words, Security Incident Handling is the process of managing and responding to cyber attacks or security problems in a proper and organized way.
Example to Understand Security Incident Handling:-
Consider a large online shopping company that stores customer data such as names, addresses, and payment details. One day the security system detects that someone is trying to log in to the company database using thousands of password attempts.
Step 1: Detection:- The monitoring system detects unusual login attempts from a suspicious IP address.
Step 2: Investigation:- The security team checks the logs and realizes that a hacker is trying to perform a brute-force attack.
Step 3: Containment:- The security team blocks the IP address and temporarily locks the targeted accounts.
Step 4: Eradication:- They remove any malicious scripts that the attacker may have placed on the system.
Step 5: Recovery:- Systems are restored to normal operation and users are asked to reset their passwords.
Step 6: Prevention:- The company implements two-factor authentication and stronger password policies.
This entire process is known as Security Incident Handling.
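Steps 1 to 3 of the scenario above, worked through in code as an added example (not part of the original notes): a small Python detector parses constructed login log lines, flags a source IP with a burst of failed logins, checks whether any targeted account was actually breached, and emits the containment actions. The log format, the thresholds and the IP addresses are all constructed for this example.

```python
"""Brute-force login detection and containment decision (added example).

Walks through Detection, Investigation and Containment from the notes'
scenario over constructed log lines. Format, thresholds and addresses are
hypothetical; adapt the regex to a real log source.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical auth-log style.
SAMPLE_LOG = """\
2024-03-01T02:00:01 LOGIN_FAIL user=alice src=203.0.113.7
2024-03-01T02:00:02 LOGIN_FAIL user=alice src=203.0.113.7
2024-03-01T02:00:02 LOGIN_FAIL user=bob src=203.0.113.7
2024-03-01T02:00:03 LOGIN_FAIL user=carol src=203.0.113.7
2024-03-01T02:00:04 LOGIN_FAIL user=alice src=203.0.113.7
2024-03-01T02:00:05 LOGIN_FAIL user=bob src=203.0.113.7
2024-03-01T02:00:06 LOGIN_OK user=bob src=203.0.113.7
2024-03-01T09:15:00 LOGIN_FAIL user=dave src=198.51.100.5
2024-03-01T09:15:30 LOGIN_OK user=dave src=198.51.100.5
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN_FAIL|LOGIN_OK) user=(\S+) src=(\S+)$")


def parse_log(text):
    """Parse log lines into (timestamp, outcome, user, src) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ts, outcome, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), outcome, user, src))
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Step 1 (Detection): any source IP with >= threshold failed logins inside
    a sliding time window is flagged. Returns {src: [targeted users]}."""
    fails = defaultdict(list)
    for ts, outcome, user, src in events:
        if outcome == "LOGIN_FAIL":
            fails[src].append((ts, user))
    findings = {}
    for src, attempts in fails.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings[src] = sorted({u for _, u in attempts[start:end + 1]})
                break
    return findings


def investigate(events, src):
    """Step 2 (Investigation): a successful login from a flagged source after
    its failures means that account must be treated as compromised."""
    compromised = set()
    seen_fail = False
    for ts, outcome, user, s in events:
        if s != src:
            continue
        if outcome == "LOGIN_FAIL":
            seen_fail = True
        elif seen_fail:
            compromised.add(user)
    return sorted(compromised)


def containment_actions(events):
    """Step 3 (Containment): block the offending IP, lock every targeted
    account, and force a credential reset on any account actually breached."""
    actions = []
    for src, users in detect_brute_force(events).items():
        actions.append(("block_ip", src))
        for u in users:
            actions.append(("lock_account", u))
        for u in investigate(events, src):
            actions.append(("force_password_reset", u))
    return actions


if __name__ == "__main__":
    for action in containment_actions(parse_log(SAMPLE_LOG)):
        print(action)
```

The single failure from 198.51.100.5 stays below the threshold, so only the burst from 203.0.113.7 produces actions.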
TYPES OF SECURITY INCIDENT HANDLING (TYPES OF SECURITY INCIDENTS):-
Security incidents can occur in many forms depending on how the attack happens. The most common types include:
1. Malware Incident
2. Phishing Attack
3. Unauthorized Access Incident
4. Denial of Service Attack
5. Data Breach Incident
6. Insider Threat Incident
7. Web Application Attack
(1) Malware Incident:- A malware incident occurs when malicious software enters a computer system and starts performing harmful activities such as stealing information, damaging files, or spying on users. Malware includes viruses, worms, trojans, ransomware, and spyware.
(2) Phishing Attack Incident:- A phishing incident occurs when attackers try to trick users into revealing sensitive information such as passwords, credit card numbers, or login credentials by pretending to be a trusted organization.
(3) Unauthorized Access Incident:- Unauthorized access happens when someone gains access to a system, network, or data without proper permission.
(4) Denial of Service (DoS) Attack:- A Denial of Service attack occurs when attackers flood a server or network with a huge amount of traffic so that legitimate users cannot access the service.
(5) Data Breach Incident:- A data breach happens when confidential or sensitive information is accessed or stolen by unauthorized people.
(6) Insider Threat Incident:- An insider threat occurs when a trusted employee or insider misuses their authorized access to harm the organization.
(7) Web Application Attack:- A web application attack targets vulnerabilities in websites or web applications. One common example is a SQL injection attack.
EMERGING TECHNOLOGIES IN NETWORK SECURITY:-
Emerging Technologies in Network Security means the new and advanced technologies that are being developed and used to protect computer networks, systems, and data from cyber attacks. As cyber threats are increasing every day, traditional security methods like firewalls or antivirus alone are not enough. Therefore, new technologies are being introduced to detect, prevent, and respond to cyber threats more intelligently and quickly.
In simple words, Emerging Network Security Technologies are modern security solutions that use advanced tools such as Artificial Intelligence, Machine Learning, cloud security systems, and advanced encryption to protect networks from hackers, malware, and unauthorized access.
For example, suppose a company uses a normal firewall to protect its network. A hacker may still bypass it by using advanced malware. But if the company uses modern technologies like AI-based security systems, the system can automatically detect unusual behavior in the network and block the attack immediately. This is why emerging technologies are becoming very important in network security.
TYPES OF EMERGING TECHNOLOGIES IN NETWORK SECURITY:-
(1) Artificial Intelligence (AI) in Network Security:- Artificial Intelligence is one of the most powerful emerging technologies in network security. AI allows security systems to analyze large amounts of network data and identify suspicious activities automatically. Traditional security systems depend on predefined rules, but AI systems can learn patterns of normal behavior and detect abnormal activities.
For example, imagine a bank network where employees usually log in between 9 AM and 6 PM. If someone tries to log in at 2 AM from another country, the AI-based security system can immediately recognize this as unusual behavior and block the access.
Another example is email security. AI systems can analyze thousands of emails and detect phishing attacks (a phishing attack is a form of social engineering where cybercriminals impersonate trusted entities, such as banks, colleagues, or popular websites, via email, text, or phone to steal sensitive data). If a suspicious email tries to trick employees into revealing passwords, the AI system can automatically flag or block that email before it reaches the user.
Because of its ability to learn and adapt, AI is widely used in intrusion detection systems, threat analysis tools, and security monitoring platforms.
(2) Machine Learning (ML) for Threat Detection:- Machine Learning is a subset of AI that focuses on training computers to learn from data and improve over time without being explicitly programmed. In network security, machine learning helps systems analyze network traffic patterns and detect malicious activities such as malware, ransomware, and unauthorized access.
For example, suppose a company network normally transfers about 2GB of data per day. Suddenly, the system detects a device sending 50GB of data to an unknown server. A machine learning system can recognize this unusual pattern and alert the security team that a possible data theft is happening.
Another example is malware detection. Traditional antivirus software detects only known viruses. However, ML-based security tools can identify new unknown malware by analyzing their behavior rather than relying only on virus signatures.
This technology is very useful in detecting zero-day attacks, which are attacks that exploit unknown vulnerabilities.
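An added example (not from the original notes) that covers both the AI login example in (1) and the ML data-volume example in (2) above: instead of fixed rules, the script learns each user's usual login hours and countries and each device's usual daily egress from a constructed history, then scores new events against that learned baseline. The bank, the company, the users, the devices and all numbers are constructed.

```python
"""Learned-baseline anomaly detection for logins and data egress (added example).

Part (a) learns per-user (hour, country) login patterns; part (b) learns a
per-device mean and standard deviation of daily egress. Both are
hypothetical, constructed data sets, not real telemetry.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# (a) Constructed login history: (user, hour_of_day, country). Three weeks of
# office-hours logins from one country is the "normal" the system learns.
TRAIN_LOGINS = (
    [("alice", h, "IN") for h in range(9, 19)] * 15
    + [("bob", h, "IN") for h in range(9, 19)] * 15
)


def learn_login_profile(logins):
    """Per-user counts of the (hour, country) pairs seen during training."""
    profile = defaultdict(Counter)
    for user, hour, country in logins:
        profile[user][(hour, country)] += 1
    return profile


def score_login(profile, user, hour, country):
    """Return a reason string if the login is anomalous for this user, else None.
    An unknown user, an unseen country or an hour never seen all count."""
    seen = profile.get(user)
    if not seen:
        return "unknown user"
    if country not in {c for _, c in seen}:
        return f"login from unseen country {country}"
    if hour not in {h for h, _ in seen}:
        return f"login at unusual hour {hour:02d}:00"
    return None


# (b) Constructed daily egress volume in GB per device over ten training days.
TRAIN_EGRESS = {
    "laptop-17": [1.9, 2.1, 2.0, 2.2, 1.8, 2.0, 2.1, 1.9, 2.0, 2.0],
    "server-db": [5.0, 5.2, 4.9, 5.1, 5.0, 5.3, 4.8, 5.0, 5.1, 5.0],
}


def learn_egress_baseline(history):
    """Per-device (mean, population stddev) of daily egress volume."""
    return {dev: (mean(v), pstdev(v)) for dev, v in history.items()}


def score_egress(baseline, device, gb_today, z_threshold=3.0, min_std=0.1):
    """Flag today's volume if it lies more than z_threshold standard deviations
    above the device mean. min_std floors sigma so a device with an almost
    flat history does not alert on every tiny fluctuation."""
    if device not in baseline:
        return "no baseline for device"
    mu, sigma = baseline[device]
    z = (gb_today - mu) / max(sigma, min_std)
    if z > z_threshold:
        return f"egress {gb_today} GB is {z:.0f} sigma above baseline {mu:.1f} GB"
    return None


def triage(profile, baseline, logins, egress):
    """Run both detectors over new events and collect alerts for the SOC."""
    alerts = []
    for user, hour, country in logins:
        reason = score_login(profile, user, hour, country)
        if reason:
            alerts.append(("login", user, reason))
    for device, gb in egress:
        reason = score_egress(baseline, device, gb)
        if reason:
            alerts.append(("egress", device, reason))
    return alerts


if __name__ == "__main__":
    prof = learn_login_profile(TRAIN_LOGINS)
    base = learn_egress_baseline(TRAIN_EGRESS)
    new_logins = [("alice", 10, "IN"), ("alice", 2, "US"), ("bob", 2, "IN")]
    new_egress = [("laptop-17", 2.1), ("laptop-17", 50.0), ("printer-3", 0.5)]
    for alert in triage(prof, base, new_logins, new_egress):
        print(alert)
```

A device with no training history is reported rather than silently passed, since a missing baseline is itself something an analyst should know about.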
(3) Blockchain Technology in Network Security:- Blockchain is another emerging technology that is being used to improve network security. Blockchain is a distributed and decentralized digital ledger where data is stored in blocks and connected in a chain.
The main advantage of blockchain is that data stored in the blockchain cannot easily be changed or hacked because it is distributed across many computers.
For example, consider a system where network logs are stored using blockchain technology. If a hacker tries to modify the logs to hide their attack, it will be very difficult because every block is connected and verified by other nodes in the network.
Another example is secure data sharing. In industries like healthcare, blockchain can securely store patient records and allow only authorized users to access them. This ensures both security and transparency.
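An added example (not from the original notes) of the tamper-evidence property the log-storage example above relies on: a hash-chained log in which every record carries the hash of the previous record, so editing or deleting an earlier record breaks every later link and the verifier reports where the chain fails. This is a single-node hash chain; a blockchain adds replication and verification by other nodes on top of it. The log entries are constructed.

```python
"""Tamper-evident log as a SHA-256 hash chain (added example).

Each block stores index, previous hash, the log entry and its own hash over
all three. verify() recomputes every hash and checks every link, returning
the index of the first block that does not check out.
"""
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the very first block


def block_hash(index, prev_hash, entry):
    """SHA-256 over a canonical JSON encoding of the block's contents."""
    payload = json.dumps({"index": index, "prev": prev_hash, "entry": entry},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append(chain, entry):
    """Append a log entry, linking it to the current head of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    index = len(chain)
    block = {"index": index, "prev": prev, "entry": entry,
             "hash": block_hash(index, prev, entry)}
    chain.append(block)
    return block


def verify(chain):
    """Return (True, None) if every block's hash matches its contents and links
    to its predecessor, otherwise (False, index_of_first_bad_block)."""
    prev = GENESIS
    for i, block in enumerate(chain):
        if block["index"] != i or block["prev"] != prev:
            return False, i  # broken link or a deleted/reordered block
        if block_hash(i, prev, block["entry"]) != block["hash"]:
            return False, i  # contents changed after the hash was stored
        prev = block["hash"]
    return True, None


def build_sample_chain():
    """Three constructed log entries chained together."""
    chain = []
    for entry in [
        "2024-03-01T02:00:01 LOGIN_FAIL user=alice src=203.0.113.7",
        "2024-03-01T02:00:02 LOGIN_FAIL user=alice src=203.0.113.7",
        "2024-03-01T02:00:06 LOGIN_OK user=bob src=203.0.113.7",
    ]:
        append(chain, entry)
    return chain


def tamper_demo():
    """Rewrite entry 1 to hide a failed attempt. verify() stops at index 1
    because the stored hash no longer matches the contents."""
    chain = build_sample_chain()
    chain[1]["entry"] = "2024-03-01T02:00:02 LOGIN_OK user=alice src=203.0.113.7"
    return verify(chain)


def tamper_and_rehash_demo():
    """Same edit, but with block 1's hash recomputed to match. verify() now
    stops at index 2, whose stored 'prev' still names the original hash."""
    chain = build_sample_chain()
    chain[1]["entry"] = "2024-03-01T02:00:02 LOGIN_OK user=alice src=203.0.113.7"
    chain[1]["hash"] = block_hash(1, chain[1]["prev"], chain[1]["entry"])
    return verify(chain)


if __name__ == "__main__":
    print("intact:", verify(build_sample_chain()))
    print("edited:", tamper_demo())
    print("edited and rehashed:", tamper_and_rehash_demo())
```

Rewriting the whole chain from the edited block onward would pass this single-node check, which is exactly why the notes stress that other nodes hold and verify copies.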
(4) Cloud Security Technologies:- Cloud Computing has become very popular, and therefore protecting cloud networks has become very important. Cloud security technologies are emerging solutions designed to protect cloud environments, data, and applications.
For example, many companies store their data on cloud platforms instead of local servers. Cloud security tools monitor cloud networks to detect unauthorized access, malware attacks, and data breaches.
Another example is the Cloud Access Security Broker (CASB). A CASB works as a security layer between users and cloud services. It ensures that only authorized users can access sensitive data stored in the cloud.
Cloud security technologies also provide features such as:
· Data encryption
· Access control
· Threat monitoring
· Data loss prevention
(5) Internet of Things (IoT) Security:- Internet of Things refers to networks of connected devices such as smart cameras, smart TVs, smart home systems, and industrial sensors.
Since IoT devices are connected to the internet, they can become targets for cyber attacks. Therefore, IoT security technologies are emerging to protect these devices and networks.
For example, imagine a smart home system where devices such as security cameras, smart lights, and smart locks are connected to the internet. If a hacker gains access to the network, they could control these devices.
IoT security systems protect these devices by using device authentication, encryption, and network monitoring.
Another example is in industries where smart sensors monitor machines. If hackers manipulate these sensors, they could cause serious damage. IoT security technologies help detect such attacks and prevent unauthorized control.
THE END OF UNIT 5 (NETWORK SECURITY MANAGEMENT AND EMERGING TECHNOLOGIES)