Home > Articles > Certification > Cisco Certification > CCNP Security / CCSP

Identifying Cisco Network Threats

To become a Cisco Certified Security Professional you need to understand all kinds of threats to your network. Learn to identify threats by their origin and by their type.
This chapter is from the book

Terms you'll need to understand:

  • Script kiddies

  • Reconnaissance

  • Ping sweep

  • Port scan

  • Target discovery

  • Eavesdropping

  • Packet sniffer

  • Social engineering

  • Resource overload

  • Distributed denial of service

Techniques you'll need to master:

  • Finding threat information

  • Analyzing threat types

If nothing could ever go wrong, we wouldn't need to worry about protecting those network assets. But, of course, things do go wrong, and many of those things are related to security threats. In Chapter 2, "Information Assets," we said that you need to be able to identify just what your information assets are, what you need to protect them from, and what tools you might have available to do that job—and do it while keeping the network usable by the ordinary user. This is where we look at what you're protecting those information assets from. Cisco breaks out threats by their origin and by their type.


Threats can originate from inside or outside your network. That is actually not always an easy line to draw, though, as we'll see.

Internal Threats

When the SAFE Blueprint discusses the origin of threats (internal versus external), it repeats the perception that most threats actually originate inside the network instead of penetrating your perimeter from the outside. Although that has historically been true, it could be changing. Every year, the FBI and the Computer Security Institute conduct and then publish a survey on the threats large organizations actually faced in the previous year. The percentage of incidents that originate outside the network is now essentially equal to the number originating inside the network. You might have heard about this or seen it written in industry publications. For the purposes of taking the test, however, you should be prepared to say that the majority of threats originate inside the network rather than coming from external sources.

What or who are these internal threats? People, of course, but it helps to narrow the most likely candidates rather than simply assuming that all people inside your network are threats. Of course, in some very security-conscious networks, everyone must be considered a potential suspect, but even there, some people are more likely candidates than others. Who among these people on the inside are likely to cause problems?

  • Current employees with dubious intentions

  • Current employees with unauthorized activities

  • Employees who mismanage their environment

  • Contractors who fit these same descriptions

Bad Intentions

Why would employees or contractors want to hurt the company, especially when jobs are tight? There are as many reasons as there are people: Someone might have a grudge for a promotion that he felt was deserved but went to someone else; another person might think that by creating a problem, she'll be a hero for finding and fixing it. At least in this category, you can confidently say that the person intended to do the enterprise harm (even if the goal might have been to fix it later). Likewise, someone who has done something wrong (embezzling or stealing from inventory, for instance) might want to limit the visibility of that wrong by removing evidence of the actions. Some employees, of course, will never be satisfied; no matter what management does to accommodate them, they will remain disgruntled.

Unauthorized Activities

So many stories have arisen of employees or departed contractors hosting illicit Web sites, or even web-based businesses, on a company's network that it's easy to become blasé about the entire idea. But it remains true: People do use corporate resources to host pornographic Web sites and to host music and movie files for peer-to-peer swapping. People do use their corporate email accounts to buy or sell items on EBay or other auction sites. As this was written, yet another article appeared on IDG.net reporting that more than three quarters of business networks checked had unauthorized peer-to-peer networking software installed, and no company with more than 500 PCs had none. Unauthorized uses also include hosting other businesses, some of which might be legal under authorized circumstances, or hosting personal sites.

Outside audits regularly uncover evidence of these activities, and people are even fired for having done them. Yet the next audit might find that another entrepreneur has taken the departed first business operator's place, with a new and improved set of activities. The problem here is less the intent to do harm (because harm raises interest in what's going on and draws unwelcome management attention) than it is that these activities introduce code that IT does not know is operating. The code might have vulnerabilities that can be exploited if the customers—or even browsers—include hackers.

One other related factor to remember is this: Allowing unauthorized hosting makes a business look incompetent in managing its own affairs, which is very bad for its image in front of the public. If that unauthorized activity includes illegal business, such as pornography or peer-to-peer file sharing, the business can be held legally liable for allowing it to happen. That could prove very expensive.


These are not the pointy-haired bosses of Dilbert fame; they are otherwise well-intentioned persons (employees or contractors) who make changes to their operating environment. Those changes can introduce holes in an otherwise well-guarded network. An example is an employee who likes to get a little more work done after hours from home and installs a package such as pcAnywhere for operating his desktop remotely. pcAnywhere is a commercial product, not malware, but if it is operating and IT doesn't know about it, it can create an opening in perimeter security that a hacker can exploit. Many employees, including less-experienced system administrators who should know better, or contractors use Instant Messaging or Internet Relay Chat without authorization. This, too, creates openings for malware. Many worms are now entering networks via chat because antivirus packages do not scan every object that enters; they scan only those that enter via email. Full- system virus scans will eventually catch the malware (if definition files are kept current), but cleanup is much harder than prevention. Again, there is probably no intent to cause harm, but an exposure is created by the addition of unmaintained or unauthorized software. That doesn't begin to address those who add a modem to dial in....

External Threats

If internal threats are people inside the network, external threats must be people outside the network, right? Remember, however, that when you break things down simplistically like this, much depends on where you draw the network boundary. For instance, if you draw the boundary at your edge, remote users are external. Even if they tunnel in, you might not necessarily extend the network boundary to their devices, especially if they are connecting via the Internet. You might want to keep thinking of them as external.

In this case, though, the external threat is not directly the person, who might or might not be the kind of person we would say fits the internal threat category (if accessing the network from inside). Instead, the external threat is the fact that the device used (whether a laptop for a mobile worker or a desktop for a teleworker) is significantly exposed to the outside world, especially the Internet. Unlike a host inside your perimeter (in your campus), this host might spend much of its time on the Internet without necessarily going through your security precautions. (There's a way around that, which we'll discuss when we cover some design alternatives in Chapters 11, "The Medium Network Implementation," and 12, "The Remote-User Design," but there are always disadvantages as well as advantages associated with choosing the alternatives.)

The courseware for Cisco's SAFE Implementation course also categorizes external threats as structured or unstructured. "Structure," in this context, refers to the degree of organization and planning, or the amount of method applied in the attack, as opposed to haphazard efforts that might seem almost random to an observer. Note that both structured and unstructured threats can be malicious in intent or can be the result of human clumsiness or error.

More conventional external threats are people outside your organization. Cisco categorizes them as follows:

  • Thrill-seekers

  • Competitors

  • Enemies

  • Spies

  • Thieves

  • Hostile former employees

  • Others

The thrill-seekers are often simply engaging in a social activity—seeing what they can find and/or trying to impress their friends; they generally pose an unstructured—but still dangerous—threat. Thrill-seekers might or might not have substantial skill; they are often (but not always) script kiddies: relatively unskilled users running scripts developed by skilled users that the script kiddies often do not understand. The clumsiness and ignorance of these thrill-seekers can cause significant damage if they manage to penetrate a network. Some of the more well-known scripted tools are L0phtcrack for password cracking and BackOrifice for exploiting vulnerabilities in Microsoft's Office suite of products.

Competitors, of course, exist everywhere in economic life, but business competitors can have a significant incentive to snoop in your network: It can save them millions of dollars if they can learn the lessons of your development without spending the money it cost you to learn them. Most businesses maintain a group to analyze their competition, using whatever information becomes available.

Spies are a threat to businesses as well as governments. Because of the high cost of developing new products and the intensity of competition, which leads to lower prices, corporate espionage is a problem to protect against. If you don't think corporate espionage really happens, consider first that Cisco thinks that it is serious (which makes it serious for the exam, of course). Second, take some time to read a few of the reference books listed at the end of the chapter. The stories in them have been sanitized to avoid lawsuits, but they are otherwise real.


So what exactly is the difference between competitors and spies? Cisco doesn't really say, but this might help: Competitors are in the same line of business (pharmaceuticals, mufflers, batteries, and so on), while spies are in the information business. Spies are usually third parties that obtain information for others; competitors are trying to obtain it for themselves. Either way, the hackers here generally pose a structured threat due to their greater skill and more organized effort.

Thieves are another group that has plagued business since there was such a thing as business. And the crime must pay (or, at least, be expected to pay) often enough to make it worthwhile to keep trying theft. What can be stolen via a network? Information such as credit card numbers or other data for perpetrating identity theft is always valuable. Surprisingly, information about the network can be valuable: If you can learn enough about the network devices, you might be able to control them and the traffic they carry. In short, if it can be used to create value for someone, it can be expected to be stolen at some point.

Hostile former employees (or contractors), such as current employees with a grudge, seek to damage the network or information assets for revenge. Sometimes they want to "get even" for whatever affronted them by stealing and selling information. What makes them different from outsiders is the likelihood that they have at least some inside information about the network—they start with an advantage over other outside threats.

Finally, Cisco provides the catchall category of "other." As one policeman said, whenever you think you've seen it all, you wake up one morning and realize that you haven't seen it all. A time will come when you will find a network threat that doesn't exactly fit any of the specific categories; that will be your example of the "other" group.

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020