Tuesday, May 5, 2020

Network - Security and Design Report

Question: Write a report on the network, security and design.

Answer:

6.1.2

The task of requirements analysis is the first step in the design of any system, including software systems. Its aim is to clearly identify, understand and record all aspects of the proposed system, including the stakeholders of the system, that can possibly be addressed before development actually begins, including a number of foreseeable contingencies. This process is generally conducted in three broad steps: gathering requirements, analyzing requirements, and documenting requirements.

Requirements gathering refers to the process of contacting the various stakeholders and undergoing rigorous rounds of questioning and probing to accurately gather all the requirements of the project. First, the stakeholders of the project need to be identified. Once all stakeholders are identified, the requirements need to be coaxed out of them. It is important to note that the stakeholders themselves are not considered fully reliable for accurately detailing their requirements, and thus many techniques need to be employed to infer the actual requirements while eliminating intentional or unintentional fallacies. Of particular note are those cross-functional requirements that can only be identified when multiple stakeholders are allowed to hold a mediated discussion.

The list of requirements thus gathered needs to be further analyzed and refined, eliminating redundancies and focusing on core aspects. The goals of the project are used to put these requirements into context. Finally, the requirements are arranged into a presentable document which contains such details as clearly outlined goals, project scope, use cases, and other information representation tools that delineate the requirements of the project in an unambiguous, precise manner.
6.1.3

Recommended key stakeholders: the board members, the Chief Executive Officer, the Chief Technology Officer, the Chief Information Security Officer, the Chief Finance Officer, the Customer Support Coordinator, the Database Administrator, the Market Research Analyst, the Network System Administrator, and the Legal Advisor.

6.1.4

- Should different levels of privilege be provided to control access?
- Can each user have a personal password?
- Should the security features cover system access, feature access, database field access, master file changes, and standing data?
- Should security allow for read and read/write access to be specified separately?
- Is there a clear indication in the system or manuals as to how the data is backed up and recovered?
- If a system failure occurs part way through a batch or transaction, should the operator have to re-input the whole batch or only the transaction being input at the time of the failure?
- How should the system handle dates (e.g. 2 digits, 4 digits)?
- What levels of encryption can be, or are required to be, applied when transactions or data are passed across the Internet (e.g. 40 bit, 128 bit)?
- What is the expected operational life-cycle of the system, and how are future updates, replacements or disposal activities to be carried out?
- What information will the system store, how is it obtained, and how is it to be disposed of?
- What hardware devices will be involved in the system and where will they be located (on-site, off-site)?
- What level of security will the various hardware devices have?
- What network protocols will the system be expected to be compatible with?
- What is the desired infrastructure of the network (LAN, WLAN, VPN, etc.)?
- What types of devices will the users of the network require in order to connect to the network (on-site workstations, personal mobile devices, etc.)?
6.2 Risks, Vulnerabilities and Controls

6.2.1

Denial-of-Service Attacks: These are among the most malevolent and widespread types of attack that any organization must guard against. Denial-of-Service (DoS) attacks are very easy to launch, difficult to guard against, and can become nearly impossible to trace back to the attacker. The basic idea behind a DoS attack is to flood a network with so many requests for resource allocation that the corresponding requests from those users on the network who genuinely need to utilize those resources cannot be served. Thus, a number of network resources and services end up becoming inaccessible to their intended users.

Unauthorized Access: This is a broad term that refers to a situation where a network user is able to access network resources that the user should not have been able to access, for any number of reasons. Typically, this takes the form of sensitive company data being accessed by unauthorized third parties or malicious users. Alternately, core company resources reserved for special purposes or only usable as per specific guidelines can be used inappropriately if an unauthorized user gains access to them.

Spoofing: In these attacks, the identity of a user is stolen, in that an attacker is able to conduct actions that may be potentially harmful to the system in some way while masquerading as the user whose identity was stolen.

Potentially Unwanted Programs: This is a broad classification of a range of programs that do not necessarily pose a risk to the security of a system but can instead result in unwanted consequences for the operation of a business. For instance, joke programs that cause distracting animations to pop up on a computer screen can impair productivity and cause a significant loss of time and business for a company while the program is being removed.

Zombie Agents: A class of malware called trojans can cause infected systems to become zombie agents, i.e. slave systems which can be remotely instructed to conduct covert attacks on other systems without the knowledge of the system owner. These are often used for conducting widespread Distributed DoS (DDoS) attacks on organizations, and can cause the owners of infected systems to become unwitting accomplices in an attack.

6.2.2

There are two classifications for security controls: according to time of action and according to nature of control.

The types of control classified by time of action are:

- Preventive Control: These come into action before an incident occurs and are put in place to prevent security incidents from occurring.
- Detective Control: These controls operate during an incident in progress and are used to identify the incident.
- Corrective Control: These controls are employed after an incident has occurred and are used for damage control.

The classification of controls by their nature is as follows:

- Physical Controls: These are put in place to protect the physical hardware of the system from security breaches, such as secure housing compounds for servers and databases.
- Procedural Controls: This refers to security protocols, training manuals, standard operating procedures, and so on that relate to the various personnel involved in or associated with a system, and aims to reduce the chances of security breaches or incidents arising out of the actions of these personnel.
- Technical Controls: Such controls deal with the technical aspects of how the system is designed and implemented, such as communication protocols, encryption algorithms, access control, etc.
- Compliance Controls: Examples of such controls are privacy laws, company policies, industry standards, etc., which aim to reduce security risks by ensuring that all vulnerable fronts are covered.
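As an added example (written for this report, not part of the original text), here is a detective control for the request-flooding behaviour described under Denial-of-Service Attacks above: a sliding-window counter in Python, run over constructed access-log lines, that alerts once a single client exceeds an assumed request threshold. The log format, the window length and the threshold are assumptions chosen for the demo.

```python
"""Sliding-window request-rate detector: a detective control for DoS-style
request flooding. Added example; log format, window and threshold are
assumptions chosen for the demo, not values from the report."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW_SECONDS = 10   # assumed sliding window length
THRESHOLD = 20        # assumed maximum requests per client inside one window


def parse_line(line):
    """Split '<ISO timestamp> <client_ip> <method> <path>' into (timestamp, client_ip)."""
    ts, ip, _rest = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip


def build_sample_log():
    """Construct sample access-log lines (not real traffic), in time order.

    10.0.0.9 sends 30 requests 200 ms apart (a flood);
    10.0.0.5 sends one request every 12 s (normal browsing).
    """
    start = datetime(2020, 5, 5, 10, 0, 0)
    lines = [f"{(start + timedelta(milliseconds=200 * i)).isoformat()} 10.0.0.9 GET /login"
             for i in range(30)]
    lines += [f"{(start + timedelta(seconds=12 * i)).isoformat()} 10.0.0.5 GET /index.html"
              for i in range(6)]
    lines.sort(key=lambda line: parse_line(line)[0])
    return lines


def detect_floods(lines, window_seconds=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {client_ip: timestamp of first alert} for every client whose
    request count within any sliding window exceeds the threshold.

    Lines must be in chronological order; each client keeps only the
    timestamps still inside the window, so memory stays bounded per client.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        ts, ip = parse_line(line)
        window = recent[ip]
        window.append(ts)
        # evict timestamps older than the window relative to this request
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


if __name__ == "__main__":
    for ip, when in detect_floods(build_sample_log()).items():
        print(f"ALERT {when.isoformat()} {ip}: more than {THRESHOLD} requests "
              f"within {WINDOW_SECONDS}s")
```

In a real deployment the same logic would read the live log stream and feed a corrective control (rate limiting or a firewall block) rather than only printing.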
6.2.3

Phishing: A malicious attack in which a person receives communication from a seemingly authentic source, such as a bank or insurance company or the IT department of the victim's workplace, requesting details that are otherwise considered personal and sensitive, for example passwords. Once the victim provides this information, the attacker misuses it to conduct cyber-crimes. Preventing such attacks requires procedural controls such as effective employee training and awareness, as other control types can offer little help in such cases. In order to mitigate damage due to leaked passwords, organizations should implement strict access control policies to limit the amount of access a compromised user account has.

Spyware: Spyware is malware that covertly installs itself on a computer system and monitors activity on the system or network, sending such data back to a malicious attacker or command server where it is analyzed and sensitive/important information is extracted. This information can later be used to conduct various types of cyber-attacks. Spyware installation can be prevented by employing good procedural controls so that employees don't accidentally install it in the first place. Moreover, technical controls such as ad-blockers, firewalls and packet filtering can further reduce the risk of spyware infiltration as well as mitigate damage.

Backdoor Viruses: This malware tries to infiltrate computer systems by various means, similar to spyware, but instead of passively collecting data it tries to actively control the computer systems and use them to conduct various activities, many of which may be illegal (such as DDoS attacks) or otherwise harmful to the owner of the system as well as others. Procedural and technical controls both need to be in place to prevent backdoor viruses from infiltrating systems as well as to mitigate damage.

Data Theft: Data can be literally stolen by carrying away, or making illegal copies of, the storage media used to store that data, such as the backend databases of organizations. Even if the database is secure against any network-based attacks, an attacker can still physically access the database and copy it if sufficient physical controls such as security checkpoints, computer surveillance, and locks are not in place. Once data theft occurs, there is little choice for damage mitigation, as the theft may not even come to notice until it is too late.

Packet Sniffing: It is possible for attackers to secretly intercept data packets used for communication in a network, especially over public networks, and then analyze the data within in order to gain the information required to break through a network's security mechanisms. To prevent this, it is necessary to adopt a number of technical controls such as network security protocols, data encryption and other cryptographic control mechanisms, as well as some procedural controls such as password policies and key management policies. The same controls, if implemented correctly, can double as mitigation measures.

6.2.4

- US-CERT Alerts: https://www.us-cert.gov/ncas/alerts
- Intel Security (formerly McAfee) Security Bulletin: https://www.mcafee.com/in/threat-center/product-security-bulletins.aspx
- Symantec Security Response: https://www.symantec.com/security_response/

6.2.5

A number of researchers and security analysts worldwide are constantly studying various protocols, algorithms, software, platforms, etc. for security vulnerabilities. Often, a security vulnerability is found by someone and published publicly, resulting in the vulnerability becoming known to potential cyber criminals. Thus, there arises a period of risk during which the vulnerability can be exploited, since the developer is still working on a security fix and the fix also needs time to be deployed.
The period of time between the publication of the vulnerability and the fixing of the vulnerability is referred to as Zero Day.

6.2.6

Security can never be foolproof, and the only way to mitigate risk is to constantly revise, update and upgrade security measures. Just as attackers are constantly trying to expose security flaws, security experts must also constantly work to uncover these vulnerabilities before attackers do and then work on a solution. Therefore, keeping the security system up to date is the only way to mitigate this risk.

6.3 Incident Detection and Response

6.3.1

As per data obtained from the Australian Law Reform Commission, currently there is no legal provision for mandatory reporting of incidents of data breach imposed on any agency or organization in Australia. The Privacy Act (1988) only imposes a requirement for agencies to take reasonable steps to safeguard any personal information they hold. The Australian Government has, however, recently invited public comment and recommendations for a bill that encompasses mandatory reporting of data breaches by organizations.

6.3.2

A generic procedure based on the given set of procedures can be derived and summarized into 6 steps, as follows:

1. Preparation: For any given threat, it is necessary to gather all possible information on how the threat affects the system. Using this information, gather data about the system to be secured and identify the points at which various security measures need to be employed, depending on the task of prevention, control, or damage mitigation.
2. Identification: Counter-measures for a threat can only be taken after the threat has been completely identified, which includes the scope, targets, intentions, and victims of the attack or threat. In order to accomplish this, a number of sources of information should be consulted and the data compiled for analysis.
3. Containment: In order to reduce the damage a threat or attack can cause, it is necessary to quarantine or isolate it. The exact details of this process depend somewhat on the type of threat, but the overall procedure is the same: compartmentalize the threat and ensure that it cannot affect more sub-systems than it already has.
4. Remediation: Once a threat has been isolated, it can be removed from the system according to the nuances of the threat itself. Some threats can be removed simply by deleting the source files of the threat or applying security fixes to the platform or network, while others require detailed and careful repair of system files along with removal of malicious code.
5. Recovery: Resume normal operation of the system in an organized, controlled manner, making sure that all system dependencies and sub-systems are working correctly and no artefacts of the threat or its mitigation measures have been left behind.
6. Aftermath: Document the details of the threat, such as attack vectors, damage report, recovery measures, threat response, etc., in order to ensure that security can be upgraded to prevent future attacks of a similar nature.

6.4 Security Baseline

Penetration Testing: This is a testing technique employed to check the robustness of the security measures placed on a system by assuming the role of a malicious attacker and trying to breach the security system, all the time keeping track of the actions taken and the system response. Penetration testing is generally conducted after a security system is deemed to have been completely installed, as a final check before deployment. It may be conducted by the same team that designed the security system or by a separate team of specialists, and as either a white-box test or a black-box test.
Penetration tests may attempt to cycle through a number of attack vectors and combine low-risk vulnerabilities, in order to test the scalability, automated response, and detection capability of the security system, as well as to document the operational impact of breaches and test the need for additional investment in security.

Online Auditing: Auditing in the network security sense refers to activities such as control assessment and risk assessment, which aim to keep track of the changes in a system and provide management with sufficient information about the system to make various decisions, such as detection of an active threat or a network security breach. Online auditing refers to the application of remote administration and automation technology to shift this task to a continuous background process, so that the relevant information is collected and processed continuously without affecting the actual operation of the system. Online auditing systems work to provide information in real time or almost real time. Of course, auditing is not limited to network security vulnerabilities and can be extended to record almost any sort of information for the organization's internal purposes.

6.5.1

Three potential product and configuration security vulnerabilities:

- Cross Site Scripting (XSS): https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29 This is for the setup of the OWASP structure with the inclusion of the cross site scripting structure.
- Remote File Inclusion (RFI): https://projects.webappsec.org/w/page/13246955/Remote%20File%20Inclusion The inclusion of the projects for the webappsec with handling of all the remote standards.
- Local File Inclusion (LFI): https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion These are for the handling of the OWASP with proper testing of the local file structural setup.

Best practices: https://sucuri.net/website-firewall/stop-website-attacks-and-hacks The attacks are based on the stopping of the website with the hacking setup.
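As an added illustration of a technical control for the Local File Inclusion and Remote File Inclusion items above (example code written for this report, not taken from OWASP or from any product listed), the following Python function resolves a user-supplied include path strictly inside the web document root and refuses anything else. The document root, file names and request strings are constructed for the demo.

```python
"""Include-path resolver that confines file inclusion to the document root.

Added example for the LFI/RFI items of the report; the document root,
file names and request strings below are constructed for the demo."""
import tempfile
from pathlib import Path


def resolve_include(document_root, requested):
    """Return the resolved Path of `requested` if it is a regular file inside
    document_root; return None for anything that escapes the root.

    Refused: NUL bytes, absolute paths, '..' traversal that leaves the root,
    symlinks pointing outside the root, URLs (RFI-style values), directories.
    """
    root = Path(document_root).resolve()
    if "\x00" in requested or Path(requested).is_absolute():
        return None
    # resolve() normalises '..' segments and follows symlinks, so the
    # containment check below sees the real target, not the spelled path
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)   # raises ValueError if outside root
    except ValueError:
        return None
    if not candidate.is_file():
        return None
    return candidate


def build_demo_root():
    """Create a throwaway document root holding one page (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="docroot_"))
    (root / "pages").mkdir()
    (root / "pages" / "about.html").write_text("<h1>About</h1>\n")
    return root


def run_demo():
    """Resolve a set of request strings against the demo root.

    Returns {request: True if it would be served, False if refused}.
    """
    root = build_demo_root()
    requests = [
        "pages/about.html",                 # legitimate include
        "pages/../pages/about.html",        # normalises to a file inside root
        "../../etc/hosts",                  # traversal out of the root
        "/etc/hosts",                       # absolute path
        "http://example.invalid/page.txt",  # remote include value
        "pages",                            # a directory, not a file
        "pages/about.html\x00.jpg",         # NUL-byte truncation trick
    ]
    return {r: resolve_include(root, r) is not None for r in requests}


if __name__ == "__main__":
    for request, served in run_demo().items():
        print(f"{'SERVED ' if served else 'REFUSED'} {request!r}")
```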
Alternate products:

- Apache Server: apache.org/
- FileZilla Server: https://filezilla-project.org/
- Lighttpd Server: https://www.lighttpd.net/

They are better because they are open source and more security measures are available. They are also available for all platforms and not just Windows.

Proposed changes:

- Upgrade of the system
- Firewall installation
- Removal of the server from the DMZ
- Check for more robust software
- Possible installation of a platform-independent system

6.5.2

Three potential product and configuration security vulnerabilities:

- DoS: digitalattackmap.com/understanding-ddos/ These are for handling the digital mapping as well as understanding the data value.
- Buffer Overflow: https://www.owasp.org/index.php/Buffer_Overflow The overflow of the buffer rate is set under the OWASP system with the hold of the different structural setups.
- Data corruption: https://www.techopedia.com/definition/14680/data-corruption The data corruption has been directed to the Techopedia standard with the hold of the different security features.

Best Practices: https://searchsecurity.techtarget.com/tip/FTP-security-best-practices-for-the-enterprise

Alternate products:

- SmartFTP: https://www.smartftp.com/
- CuteFTP: cuteftp.com/products.aspx
- Globalscape: https://www.globalscape.com/

They are better because they are open source and more security measures are available. They are also available for all platforms and not just Windows.
Proposed changes:

- Encryption in file transfer
- Use of a more robust system
- Possible use of a platform-independent system
- Use of a dedicated file server
- Updating the current system

6.5.3

Three potential product and configuration security vulnerabilities:

- Buffer Overflow: https://www.owasp.org/index.php/Buffer_Overflow
- Cache Poisoning: https://www.owasp.org/index.php/Cache_Poisoning
- DoS: digitalattackmap.com/understanding-ddos/

Best Practices: https://technet.microsoft.com/en-us/library/cc959288.aspx

Alternate products:

- Google DNS: https://code.google.com/speed/public-dns/
- OpenDNS: https://www.opendns.com/
- Advantage DNS: https://www.dnsadvantage.com/

They are better because they are open source and more security measures are available. They are also available for all platforms and not just Windows.

Proposed changes:

- Change of the standalone server to a web server
- Addition of an external domain name to all servers to make them accessible
- Updating the current system
- Use of a platform-independent system
- Use of authorization in the server

6.5.4

Three potential product and configuration security vulnerabilities:

- Email Injection: https://resources.infosecinstitute.com/email-injection/
- Malware: pctools.com/security-news/what-is-malware/
- Spamming: https://spam.abuse.net/overview/whatisspam.shtml

Best practices: getvero.com/resources/guides/email-marketing-best-practices/

Alternate products:

- Claws Mail: https://www.claws-mail.org/
- Thunderbird: https://www.mozilla.org/en-US/thunderbird/
- Zimbra Desktop: https://www.zimbra.com/products/desktop.html

They are better because they are open source and more security measures are available. They are also available for all platforms and not just Windows.

Proposed changes:

- Outlook is bulky, and hence a lighter and more robust system should be used.
- The server should be placed in a secure zone.
- Web access should be made through a dedicated email server.
- An open source client should be used.
- A platform-independent client should be used.
6.5.5

Three potential product and configuration security vulnerabilities:

- DoS: https://www.cvedetails.com/cve/CVE-2005-3673/
- Heap-based buffer overflow: https://www.cvedetails.com/cve/CVE-2004-0699/
- Buffer overflow: https://www.cvedetails.com/cve/CVE-2004-0469/

Best practices: cisco.com/c/en/us/about/security.../firewall-best-practices.html

Alternate products:

- GlassWire: https://www.glasswire.com/
- TinyWall: https://tinywall.pados.hu/
- Gufw: https://gufw.org/

They are better because they are open source and more security measures are available. They are also available for all platforms and not just Windows.

Proposed changes:

- Use of the same firewall across all systems and the network.
- Use of an open source system.
- Use of a platform-independent system.
- Use of a robust system, so that speed can be increased for the system.
- Renewal of the firewall.
