You are a consultant who has been brought in by an energy company following a security breach, which took 4 hours to recover from. You discover that security breaches are not unheard of for this company and it had already suffered two 2-hour outages this year before the current attack. The company has a website that allows customers to upload readings, make payments and report/track faults. It must be online 24x7. The following five tasks relate back to this company.
Total Cost of Ownership and Annualized Loss Expectancy
The company has 9 web servers, costing $12,000 each, and 3 database servers, costing $26,000 each. These servers have a lifespan of five years. The annual support contracts on these are $1200 and $2600 respectively. The company employs two full-time web administrators, a part-time web administrator working 2-days a week and an infrastructure administrator at $40,000 full-time equivalent per annum each. Their annual turnover is $700m. It is estimated that it costs them 0.2% of the TCO for their system in each breach due to reconfiguration, lost work and delayed development. This is in addition to any lost earnings and network outages due to the website being offline and not detecting faults, which is estimated to be 20%.
Calculate the TCO for the current system.
Calculate the ALE for this system.
To prevent such breaches, you have estimated that the company requires a full-time security administrator and they need to adopt an annual security budget of $32,000 for hardware and software (the annualized salary for this administrator would be the same as for the others). Calculate its annual savings if it implemented your recommendations.
(Don't forget to write your justification for each of the steps.)
Calculate the TCO for the current system
TCO, Total Cost of Ownership refers to the cost of installation, IT hardware and software and labor cost. According to task 1:
9 web servers cost per year (9x12000)/5 = 21600
3 web servers cost per year (3x26000)/5 = 15600
Annual support contracts cost 1200+2600 = 3800
Labor cost for 2 full time web administrator, 1 2-day part time web administrator, 1 infrastructure administrator > 40000x3+40000x(102/365) = 131178
Total Cost of Ownership = 21600+15600+3800+131178
= $172178
Calculate the ALE for this system
ALE represents for Annualized Loss Expectancy.
SLE represents for Single loss expectancy
ARO represents for Annualized rate of occurrence
ALE is used to calculate the potential financial loss from some aware threats .
ALE = SLE x ARO
SLE = 172178 x 0.2% = 34435.6
4/8760 = 0.046%
(700m + 34435.6) x 0.046% = 322016 (SLE)
ARO
Twice a year = 200%
ALE = 332016 x 200% = 644032
Task 2 - 20 Marks
Network Architecture
Suggest an ideal network architecture for the company. You are expected to provide a basic network diagram and full explanation and justification for any components you include. Do not worry about internal workstations; concentrate on the architecture for the web application platform.
Network
Network is a group of two or more computers system linked together. There are several computer networks such as local-area networks (LANs), wide-area networks (WANs) …etc. In each computer network, they include so many network equipments. Each network equipment has its own role in the network. The common equipments are firewall, router, network switch, hub, network interface or called this to lan card and network cable. Beside the physical network hardware, a network also includes protocol. Protocol is a set of rules and signals which computers are using to communicate in the network. About the network architecture, it can be broadly classified as peer-to-peer and client server architecture.
Base on Energy Company information, they have night web servers and three database servers mainly in their company computer network. How to form a network architecture which has a higher security level to protect the web servers and database servers? I have below suggestion.
First of all, I will suggest that there are two subnets in the Energy Company network. One subnet is 192.168.1.x/255.255.255.0 and the other is 192.168.2.x/255.255.255.0. It must have a ISP network router connecting to Internet. After this ISP router, It must have a firewall to protect the whole company network.
Fig.1
What is firewall and its function?
Firewall is hardware network equipment or a software which is used to block unauthorized internet access to internal network while permitting authorized access request. Firewall likes a gate between a protected network and an unprotected internet network.
There are several types of firewall techniques. It can filter the packet which is passing through the network and allow or reject it base on the defined rules. It can apply the security rules to specific applications such as FTP and Telent. It can intercept all packets or messages which are passing through and hide the true network address. (1. Wikipedia - firewall 2010)
So, this firewall plays a very important role within a network. Due to the importance, the system administrator may need to consider. First of all, system administrator must ensure to review the firewall rules on a regular basis. Second, system administrator need to review the firewall device in a schedule. Last but not least, system administrator needs to analyze the overall network architecture and secure the vulnerability on the network.
Go back to the explanation of the network architecture. Firewall A has two access functions. One is Firewall A allow all connection to access into subnet 192.168.1.x. Each web server has their internal ip address. The administrator need set NAT (Network Address Translation) for the outbound to inbound. Firewall A has a role to route the connection to appropriate server only. Suppose internal IP will be hidden by NAT for outbound ip scanning. Second, Firewall A blocks all port expect port 80 in order to all web servers are used port 80 only. It is very secure that the administrator only keeps track the traffic from port 80. According to the firewall A rule set, there is not any connection from outbound to firewall B. By the protection of the web servers themselves, if they are apache web server, the setting (httpd conf file) could be adjusted to listen the port 80 only. By the windows platform, there is an firewall function from the network interface card. Administrator can enable the local area connection's firewall and only accept web port 80, SQL port 1433 and port 443.
Let discuss the firewall B. Behind this firewall, there is another subnet 192.168.2.x. All database servers will be placed there. There are some accesses rules also will be applied in firewall B. First rule, firewall B only allow port 1433 and port 433 connection from subnet 192.168.1.x to subnet 192.168.2.x database servers. Beside these two ports, all other ports have been rejected. So it is very high security level that there is not any connection from outside to the subnet 192.168.2.x beside the web servers SQL and SSL ports. The Same handling, administrator can set the local area network to enable the firewall and only access port 1433 and 443.
Network Switch
Besides the firewalls, there are some network switches in both subnets. Different from hub, switch could send the data to a specific port base on the connected device's hardware address directly. This is very smart that it can reduce overall network traffic.
By the security consideration, a cracker could use sniffer to listen the broadcast traffic if hub or bridge are the network device but switch could help to reduce this risk.
Router
Router is used to connect one network to another network. It will select a appropriate path and route the data/packet to the destination. There are several routing model. By the basic model, router will select the less number of nodes for the transfer path.
Router also has a security consideration because it is also a very important part in network architecture. To protect our router, we may need to check the device in a regular period. Second, administrator needs to update the latest patches to ensure the router is in the highest security level.
(2. NCC Internet Security 2008, David Mackey - router)
Demilitarized Zone (DMZ)
Someone calls this at least two separate firewalls separating two subnets to Demilitarizes Zone. One firewall connects to internet network and the other connects the internal network. This setting will limit the outbound access to the web servers and the internal network is protected in a second level. (3. NCC Internet Security 2008, David Mackey - DMZ)
912 words
Task 3 - 20 Marks
Security Testing
In order to understand the nature of the breaches of the company's network you will have to perform a security test and audit. Write a report on how you would test the security of a network including a description of the tools that you would use. Give some sample outputs from the tools that you suggest.
(Warning, do NOT use these tools on a live network.)
Network security audit is a must to do after build up your own network. This testing could help to find out the strengths and weaknesses in the network architecture. According to the finding out, administrator can adjust the security policy or setting to prevent the attacks. There are several terms to describe the type of testing such as ethical hacking or penetration test.
Under the ethical hacking, system administrator has been authorized and plays a role of the abuser who use any method to hack the network and find out the problem. If you know the problem earlier than the true abusers, you can prevent the problem be exploited. (4. NCC Internet Security 2008, David Mackey - Security Testing)
How to do the ethical hacking? The abusers may need to research some information about the network of that company. They may want to know the ip address of this company, which operation system this company has used, which port the firewall has been opened, which ip and port of the internal computer could be remote easily. The abusers may search the domain name of the company by some web such as Domain Search (www.domainsearch.com) or Whois (www.whois.net). These kinds of web sites will show the registered user name or company name and registered information. So the abusers can identify which domain name is their target.
After they can confirm the domain name, abuser can get the true IP address of this company but some network tools or "ping" in windows platform command prompt. Beside the domain searching. If the hacker know the web site link of this company, it means hacker get the domain name directly. Hackers can also search the web site search engine such as Google or Yahoo.
For example, user can ping domain www.whois.net and the true ip has been shown 131.103.218.176
Fig.2
Fig.3
By the traceroute method:
In Windows command > tracert, it can trace the whole routine from the source to the destination. It will show the routing routine with IP address also. Hacker can guess some routing information in this picture and the true ip of this domain has been shown also.
Check network security by Telnet:
If a hacker know the domain name or true IP address, it can try Telnet to remote access the server to get some information.
Fig.4
Fig.5
Hackers can remote telnet by a domain name or true IP at port 80. After connected, If it is a web server, you can see some html script in the command prompt.
What information hackers can get in this html script? Hackers can know the web page file name, which file has been load after user POST/SUBMIT a value from the first web page, which script language the web site has been used. According to the script language such as PHP, hacker can use the bug or weakness of the PHP script insert into the text box and try to break into the web system. On the other hand, some private data such as password will be stored in the session. If hacker can get this session and browse the password value, then the user account has been hacked.
Port Scanner
After know the Domain and True IP address, hackers will want to know which network port the target has been opened. Hackers can use some freeware port scanner such as SuperScan
Fig.6 (5. SuperScan)
SuperScan is a port scanner which has port scan function according to IP range.
Beside the port scan, UDP scanning, TCP SYN scanning are the other features.
The best that it is a freeware tool for user to download. (SuperScan).
After the checking of SuperScan, if the target has not well protect themselves and opening some non-use port, crackers can use them to do some remote attacks. For example, Ping to dead and Denial of Service attack by this opening port to stop the target normal service.
Network Vulnerability
Network Vulnerability is also an area which hackers will try to break into the system by its.
There is a free network vulnerability scanner called "Nessus".
Fig 7 (nessus interface)
By the Nessus features list state, it can be
Credentialed and un-credentialed port scanning
Credentialed based patch audits for Windows and Unix platforms
Embedded web application vulnerability testing
SQL database configuration checking
Cisco router configuration checking
Checking out-of-date signatures of the anti-virus installed.
Nessus - features list)
Foothold
What the domain name hackers got, What the network port hackers know it is opened, What network vulnerability the web site has, all information the hackers have got to gain a foothold to their target. If we can know what the information hackers can get from our network, We can do the protection before the damage or loss occur.
We can use some tools to capture our network packet traffic and check which area may lead the problem. There are some tools call "tcpdump" or "windump". Tcpdump can capture the network traffic and show the packet detail on a particular interface. They are one type of sniffer.
According to the original idea, system administrator use sniffer to capture the packet for troubleshooting the net work problem but crackers use it as a tool to do some attacks.
What network administrator need to do for well protecting the network?
Network administrator need to check the log in firewall and other network appliance all the time.
Network administrator need to upgrade the firmware of the network equipments to the latest version.
If there is any patch, update it at once to solve the vulnerability.
Do network security test again if there is any new equipment has been added into the network.
Check the light on the network equipment see any abnormal lighting suddenly.
To prevent Denial of Service attack in network, firewall and router block the abnormal traffic.
978 words
Task 4 - 20 Marks Intrusion Detection
Intrusion Detection and Prevention are very important in a secure system, but the company currently does not have any IDS. You are to make recommendations to the company about Intrusion Detection and Prevention. Including what type of information should be gathered during a breach.
What is Intrusion Detection?
Intrusion detection (ID) is a type of security tools for computers or network. Intrusion Detection System (IDS), it can refer to devices, hardware, software which is mainly for the detection of malicious activity and analyzes information from some location in a computer or network. If there is any attacks from outside, the IDS could know. If there is any attacks from the internal to outside, the IDS also can know. Basically, IDS can divide into two types. One is host-based intrusion detection system (NIDS) and the other is network intrusion detection system (HIDS).
(7.What is IDS)
Network Based Intrusion Detection
In general, network-based IDS use a network adapter which is running in mixed mode monitoring all packet across the network in real-time. How network-based IDS get the signature of an attack? Network-based IDS will check the pattern, expression or byte code to see if there is any abnormal.
Second, NIDS will keep checking to the threshold crossing. Third, by the statistic analysis, NIDS will know which connection is abnormal. To face an attack, NIDS will alert the administrator or terminate the connection directly according to the NIDS setting.
What is Strengths of the Network-based intrusion detection systems?
NIDS is set into some critical access points for checking or capturing the network traffic. As a result, NIDS do not need a software for the maintenance. It means that you can save so much cost of the ownership if you are in an enterprise environment. Second, NIDS can check the packet headers. It means that NIDS can help to detect some types of attack such as denial-of-service and TearDrop. By looking of the payload, network administrator can adjudge some abnormal traffic and find out the reason. Third, NIDS is capturing the live network so all the activity will be log into it. It is very difficult for an attacker to remove the evidence. Forth, NIDS is suitable to apply for any operating system.
Host-Based Intrusion Detection
HIDS has ability to understand the attacks and give out a suitable defend action. Audit logs is still to use in this intrusion detection.
What is the strengths of host base intrusion detection systems
First, due to the keeping log feature, host-based instruction detection can analyze. Second, HIDS can monitor some special activities in the system. For example, administrator can only monitor some main system files and their executing status. Third, some equipment will not cross the network such as keyboard. This kind of attack cannot be detected by network-based intrusion detection but host-based detection system can. Forth, HIDS has a quick response if it has detected some abnormal activities. Fifth, HIDS can install into the existing hardware such as file server. It means that there is no need to buy an extra hardware for the HIDS only.
HIDS installed into each web servers
IDS Manager
Fig.8
According to the suggested network architecture, I would like to propose adding two network intrusion detection sensors as showing in figure 8 and add one IDS manager in the subnet 192.168.2.x. Besides this, host-based intrusion detection system will be installed into each web servers. The sensor1 which behind the router connected to the Internet show attacks from the Internet. The other sensor (sensor2) is behind the 192.168.1.x firewall which identity the attack penetrating into the network from outside. We can also add one network intrusion detection sensor3 into the internal subnet 192.168.2.x for the detecting of abnormal activity from outside to the internal network
Sensor1 is used to monitor the traffic from internet to subnet one.
Sensor2 is used to capture or monitor the traffic which is coming into the first subnet.
Sensor3 is used to verifying any abnormal traffic or activities in the internal subnet.
What type of information should be gathered during breach?
Each sensor will have log for the daily traffic. Log also is a good facility for the prevention of attacks. It is because hackers will know their illegal activity will be marked down then they will not do the attack. Before attack, administrator can prevent it by checking log day by day. Administrator can find out some abnormal appearance showing in the log. After the attack, log could be a strong evidence to prove the truth in the case. We can say it is Log Analysis. So, every system's log is very important. To keep log in a safety place, suggest saving logs into a separate area such as a log sever in the same subnet. Log analysis is easy to do or you can just looking all your logs daily.
If you need read a large amount of logs, some analysis tools could help you. This kind of tools could help you understand which is good or bad. On the other hand, you can do some setting for identify the attack and indicate it.
Information collected from Web server
If someone try to access the web system illegally, the sensor will detect a number of them with a same IP address in a short period.
Fig. 9 (web server information collect)
Beside this, some hackers will use SQL injections for the hacking method. You will see some log as
Fig. 10 (web server information collect)
By the login fail log, you can see if there are some logs which do the login step in so many times within a short period and it is failure. By the incoming IP address, administrator can block it in the future.
896 words
Task 5 - 20 Marks Encryption
The information that the company holds includes personal details of their customers. They are worried that this information could fall into the attacker's hands. The company wants to implement encryption to secure this information. You are tasked with researching a suitable solution and making a recommendation. Try to think about what type of algorithms are needed for the data.
According to the function of the web in Energy Company, their customers can upload meter reading, make payment and repot/track faults. In the payment process, it must involve so many sensitive personal data such as customer's identity card number, birthday, credit card number …etc. All this data must be protected in a safety way during the payment process or in the database. In the Energy Company network architecture, there are night web servers which are placed into first subnet and three database servers are in subnet two. To separate two part, one connection will involve external and internal. One connection just involve internal to internal.
We may discuss the involving external connection first. It should use a more security method to protect the packet sending to outside (Internet). This packet contains customer's important private data. If the packet has been captured by hacker in Internet without any encryption, the hacker can browse the content of packet directly.
First of all, we can apply Secure Socket Layer (SSL) and Transport Layer Security (TLS) to protect the connection from customer's computer to Web server.
What is SSL/TLS?
Secure Socket Layer and Transport Layer Security are cryptographic protocols that provide security for communications over network such as Internet. TLS and SSL encrypt the segments of network connections at the Application Layer to ensure secure end-to-end transit at the Transport Layer.
(8.wikipedia TLS)
Secure Socket Layer (SSL)
Secure Socket Layer is developed by Netscape. It is for transmitting private thing through the Internet. What is the concept of SSL ? It is using two keys to encrypt data. One is a public key and the other is private key. Everyone can get the public key and the private key only send to the recipient. In SSL connection, the web link will start as https://xxxxx . A secure connection is created by SSL between a server and a client. HTTPS is for transmitting individual message securely. So they are combined to use for sending data out securely. You can think that there is a tunnel between the web servers and energy company customer's web browser. All the data will be protect and encrypted. Although hacker can capture the SSL connection and packets, they cannot read the content of the data directly under SSL.
Fig. 11 (SSL concept)
The transmissions between two computers involve the public key and certificate. User can trust the certificate because it is come from a trusted party. On the other hand, the certificate is in a valid status and has a relationship with the site from which it's coming. From the TLS, symmetric key will be encrypted using the public key from the browser. When a secure session is created between two computers, one computer creates a symmetric key and send it to other computer using symmetric-key encryption.
SSL supports a variety of different cryptographic algorithms. Another important part is cipher which is used in the authentication between the server and the client. There are so many cipher suite such as Data Encryption Standard (DES), Digital Signature Algorithm (DSA), Key Exchange Algorithm (KEA), Message Digest algorithm (MD5), RSA (a public-key algorithm for both encryption and authentication, Secure Hash Algorithm (SHA-1) …etc Now we are common to use Triple-DES (DES apply three times).
For the highest security reason to protect the customer's private data, the strongest cipher suite is highly recommended to use. Which one is the strongest cipher suite? They are Triple DES, SHA-1.
Triple DES supported by SSL which support 168-bit encryption. It applies a standard key three times so the processing time also plus 3 also. Due to the large size of key, the speed is not as fast as RC4. Its key size may larger than the other cipher suites approximately 3.7 plus the 50 power of 10.
The other is SSL Handshake. It combines a public key and symmetric key encryption method. Let us to go through the SSL handshake step now. First, the client will send cipher setting, generated data and other information to the server. Second, the server does the same action to the client but the server also will send its own certificate to the client of the client has requested. Third, after receive the information from the server, client will try to do the authentication. If authentication step is fail, the connection cannot be established. Forth, if the authentication is succeed, the client will create the premaster secret in the session. The public key will be used for the encryption and send the encrypted data to the server. Fifth, the server will use its own private key for the decryption. Sixth, the server and the client will generate session keys by the mater secret. These session key are symmetric keys which are used for the encryption and decryption. At the end, both server and client will send a message and inform others that future messages will be encrypted with the session keys. After that, the SSL handshake step is completed.
(9. Introduction of SSL)
Symmetric Encryption
This encryption algorithm is defined to use the same key for both encryption and decryption.
It is a fast and efficient method to do the encryption but it also has a disadvantage. If someone want to send a encrypted email to another one, the receiver also need the same key to decrypt the email. The Question is, How to pass the key to the receiver by through by Internet? So, there is another Encryption type called Asymmetric Encryption.
Asymmetric Encryption
This encryption algorithm is used two key, one key to encrypt the plaintext and the other for decrypt. In asymmetric encryption, Public-Key Infrastructure (PKI) is quite useful for protecting the customer's data. In PKI, it may involve Digital Certificate. This certificate is used to identify the target. In theory, each person has an identical digital certificate and publish their public key. On the other hand, each organization has a digital certificate to prove their role because the certificate will be issued by a third-party. This truth third-party is the Certificate Authority (CA). CA will verify the company and issued the certificate after approval. So, if the payment method can process with the certificate, energy company can identify the customer role and the customer truth that the payment is processing in the real Energy company. This is also a highly security method.
(10. NCC Internet Security 2008, David Mackey - Encryption)
1062 words
