Cost Of Ownership And Annualized Loss Expectancy Computer Science Essay

Published: November 9, 2015 Words: 3842

The total cost of ownership (TCO) is not a concept unique to the information security field. TCO refers to the total monetary and labour costs associated with purchasing, installing, and supporting IT hardware and software, calculated over a specific time period. The aim of TCO analysis is to identify, quantify, and ultimately reduce the overall costs associated with ownership of networked assets. Basically there are two types of costs to consider. They are,

Hard costs

Hard costs are tangible and easily accounted for and include items such as the purchase price of the asset, implementation fees, upgrades, maintenance contracts, support contracts, and disposal costs.

Soft costs

Soft costs are related to management, support, training, hidden costs, and downtime.

a). Calculate the TCO for the current system

Web servers (9): 12000 * 9 = 108000

Database servers (3): 26000 * 3 = 78000

Tech support for web servers for 5 years: 1200 * 5 = 6000

Tech support for database servers for 5 years: 2600 * 5 = 13000

Cost for 4 administrators for 5 years: (40000 * 4) * 5 = 800000

Total cost of ownership for this system = 1005000

Annualized Loss Expectancy (ALE)

The annualized loss expectancy (ALE) is a formula that helps to calculate the potential financial loss from perceived threats. The ALE calculation helps determine which assets hold the greatest value, prioritize the protection of those assets, and decide which security measures will best benefit the business.

Annualized Loss Expectancy ALE = SLE*ARO

Single loss expectancy (SLE)

The Single Loss Expectancy is the expected monetary loss every time a risk occurs. It is calculated from the Asset Value (AV) and the Exposure Factor (EF).

Single loss expectancy SLE = AV * EF

Annualized rate of occurrence (ARO)

Annualized rate of occurrence is the estimated frequency with which a particular threat may occur each year.

b). Calculate the ALE

Part 1 - Calculating the Asset Value

Annual turnover = 700000000

0.2% of TCO because of reconfiguration and lost work = 2010

20% of TCO because of the website being offline and faults not being detected = 201000

Asset value = 700203010

Part 2 - Calculating the Exposure Factor

EF = (lost potential business hours / total hours) * 100

EF = (4 / 8760) * 100

EF = 0.0456%

Part 3 - Calculating the SLE

Single loss expectancy = Asset value * EF

SLE = (700203010 * 0.046) / 100   (EF rounded to 0.046%)

SLE = 322093.3846

Calculating the Annualized Loss Expectancy (ALE)

Annualized Loss Expectancy ALE = SLE * ARO

SLE = 322093.3846

ARO = 2

ALE = 322093.3846 * 2

ALE = 644,186.7692

c). Calculating the annual savings

Annual Savings = ALE - (Web admin salary + Annual Security budget)

ALE = 644,186.7692

Web admin salary and Annual Security budget

According to the scenario, the company decided to hire a full-time security administrator and to allocate $32,000 for the annual security budget.

Annual Savings = ALE - (Web admin salary + Annual Security budget)

Annual Savings = 644186.7692 - (40000 + 32000)

Annual Savings = 572,186.7692
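The Task 01 figures carried through the essay's own formulas (TCO, AV, EF, SLE, ALE, savings) as an added example, not part of the original essay. Inputs are the scenario's numbers; the only assumption is that the essay rounded EF to 0.046% before computing the SLE, which the function lets you compare against the exact EF.

```python
# Added example: the Task 01 risk figures as re-runnable functions.
# All inputs are the essay's own numbers; nothing else is assumed.

def total_cost_of_ownership(hard_costs, annual_costs, years):
    """TCO = one-off hard costs + recurring costs over the period."""
    return sum(hard_costs.values()) + years * sum(annual_costs.values())

def asset_value(turnover, tco, reconfig_pct, downtime_pct):
    """AV as the essay builds it: turnover plus the two TCO fractions
    lost to reconfiguration and to the website being offline."""
    return turnover + tco * reconfig_pct / 100 + tco * downtime_pct / 100

def exposure_factor(lost_hours, total_hours=8760):
    """EF as a percentage: lost business hours over hours in a year."""
    return lost_hours / total_hours * 100

def single_loss_expectancy(av, ef_percent):
    return av * ef_percent / 100

def annualized_loss_expectancy(sle, aro):
    return sle * aro

def annual_savings(ale, admin_salary, security_budget):
    return ale - (admin_salary + security_budget)

def task01(ef_percent=None):
    """Return every intermediate value.  Pass ef_percent to override the
    exact EF (the essay uses 0.046, a rounded value, when computing SLE)."""
    hard = {"web servers (9)": 12000 * 9, "database servers (3)": 26000 * 3}
    annual = {"web support": 1200, "db support": 2600, "4 admins": 40000 * 4}
    tco = total_cost_of_ownership(hard, annual, years=5)
    av = asset_value(700_000_000, tco, reconfig_pct=0.2, downtime_pct=20)
    ef = exposure_factor(4) if ef_percent is None else ef_percent
    sle = single_loss_expectancy(av, ef)
    ale = annualized_loss_expectancy(sle, aro=2)
    return {
        "tco": tco, "av": av, "ef_percent": ef, "sle": sle, "ale": ale,
        "savings": annual_savings(ale, admin_salary=40000, security_budget=32000),
    }

if __name__ == "__main__":
    for label, result in (("exact EF", task01()),
                          ("EF rounded to 0.046% (essay)", task01(0.046))):
        print(label)
        for name, value in result.items():
            print(f"  {name:<10} {value:,.4f}")
```

Running it shows that the rounding of EF moves the ALE by a few thousand dollars, which is worth knowing when the savings figure is used to justify a budget.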

Task 02

Network Architecture

According to the scenario, this energy company has suffered several attacks. They are fed up with these attacks and need a highly secured network to protect their data and give 100% service to their customers. When we look into the company's network, we have to consider some major facts about the nature of this organization. They have 8 web servers and 3 database servers.

As a result, the company needs a network with more security. So I am going to suggest a network design for the company, considering all their needs and designing the network with more security.

[Figure: network diagram]

I have used some hardware devices to implement more security in my network architecture. The first thing I did was create a demilitarized zone (DMZ) using firewalls.

What is DMZ?

A demilitarized zone is a physical or logical sub-network that contains and exposes an organization's external services to a larger unsecured network, usually the Internet.

A more secure approach is to use two firewalls to create a DMZ, so I used two firewalls to implement the DMZ. I configured the first firewall to allow only traffic destined for the DMZ, and the second firewall to allow only traffic from the DMZ to the internal network. The first firewall is also called the front-end firewall and the other one the back-end firewall. In addition, the front-end firewall handles a much larger amount of traffic than the back-end firewall. To add more security I used two firewalls provided by two different vendors.

Why did I use two firewalls provided by two different vendors?

If an attacker breaks through the front-end firewall, the attacker has to spend more time breaking through the back-end one if it is made by a different vendor. That is why I used two firewalls provided by two different vendors.
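A small model of the two-firewall DMZ policy described above, added here as an example and not part of the essay's design documents. The addressing, the web ports (80/443) and the database port (3306) are constructed assumptions; the two rules themselves are the ones the text states for the front-end and back-end firewalls.

```python
# Added example: evaluate which flows the two-firewall DMZ design admits.
# Assumed for illustration: DMZ = 192.0.2.0/24, internal = 10.0.0.0/8,
# web servers publish 80/443, database servers listen on 3306.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ZONES = {
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.0.0.0/8"),
}
WEB_PORTS = {80, 443}
DB_PORT = 3306

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def zone_of(ip):
    """Classify an address: DMZ, internal, or otherwise the Internet."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def front_end_firewall(pkt):
    """Front end (essay rule): allow only traffic destined for the DMZ,
    and then only to the published web ports."""
    return zone_of(pkt.dst) == "dmz" and pkt.dport in WEB_PORTS

def back_end_firewall(pkt):
    """Back end (essay rule): allow only DMZ -> internal, here narrowed
    further to the database port the web servers need."""
    return (zone_of(pkt.src) == "dmz" and zone_of(pkt.dst) == "internal"
            and pkt.dport == DB_PORT)

def path_allowed(pkt):
    """Run a packet through whichever firewalls sit between its zones.
    Return traffic of established connections is not modelled."""
    src, dst = zone_of(pkt.src), zone_of(pkt.dst)
    if src == dst:
        return True  # same zone: no firewall in the path
    if src == "internet":
        # Every inbound packet hits the front end, which never forwards past
        # the DMZ, so Internet -> internal is refused before the back end is reached.
        return front_end_firewall(pkt)
    if src == "dmz" and dst == "internal":
        return back_end_firewall(pkt)
    # Internal -> DMZ and outbound flows are not among the essay's rules: deny by default.
    return False

def explain(pkt):
    verdict = "ALLOW" if path_allowed(pkt) else "DENY"
    return f"{verdict} {zone_of(pkt.src)} {pkt.src} -> {zone_of(pkt.dst)} {pkt.dst}:{pkt.dport}"

if __name__ == "__main__":
    for p in (Packet("203.0.113.5", "192.0.2.10", 443),   # visitor -> web server
              Packet("203.0.113.5", "10.1.1.20", 3306),   # visitor -> database, direct
              Packet("192.0.2.10", "10.1.1.20", 3306),    # web server -> database
              Packet("192.0.2.10", "10.1.1.20", 22),      # web server -> internal SSH
              Packet("10.1.1.20", "192.0.2.10", 80)):     # internal -> DMZ
        print(explain(p))
```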

In addition, to add more security to my network architecture, I used two network intrusion detection system sensors in this design.

What are intrusion detection system sensors?

An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. There are three types of intrusion detection systems.

Network intrusion detection system (NIDS)

Host-based intrusion detection system (HIDS)

Perimeter Intrusion Detection System (PIDS)

In my network design I have used two network intrusion detection systems, an external one and an internal one. I have placed one network intrusion detection sensor outside the network to monitor and detect attacks directed from the Internet, and the other one I placed as an internal network intrusion detection sensor. If an attacker passes the external sensor and the firewall, the attacker meets the internal network intrusion detection sensor, which will detect attacks that pass the security barriers. Furthermore, a network intrusion detection sensor acts as a network sniffer, and network intrusion detection sensors are capable of updating the blacklists of some firewalls with the IP addresses that were used by attackers.

In addition, I used host-based intrusion detection sensors for each web server, because a network intrusion detection sensor can detect malicious packets that are designed to be overlooked by a firewall's simplistic filtering rules, whereas in a host-based system the IDS examines the activity on each individual computer or host. So I think it will add more security to the company network.

The intrusion detection system manager is there to check the sensors and log all the activities in its database. Through a console the security managers can connect to the IDS manager and then react to any threat or situation.

According to my network plan, when a packet comes in through the Internet, the external network intrusion detection sensor filters it first. Then it has to pass the firewall and enter the DMZ. If an attacker passes those first barriers, the attacker is then filtered by the internal sensor. If everything is right, the packet goes to the web servers and is filtered by the host-based intrusion detection sensors. A host-based intrusion detection system (HIDS) is an intrusion detection system that monitors and analyzes the internals of a computing system rather than the network packets on its external interfaces. If everything goes well, the packet has to go back via the back-end firewall.

Task 03

Security Testing

Today security testing holds a very important place in the IT world. Simply put, security testing is a process to determine that an information system protects data and maintains functionality as intended. Security testing has three significant benefits.

Audits that measure an IT environment against security best practices help to determine if existing security policies and controls are sufficient.

An unfortunate side effect of sitting inside fortified castle walls is that the defending organization does not have the same view as attackers.

A variety of tools, such as compliance checking, security advisory services and IDS, can identify the exposures that must be fixed.

In security testing there are several stages, and first the tester must gather information about the target system. To find out any and all related information about the target, a security tester looks for information about the company, its employees, and possibly the systems and applications deployed. This information can help in crafting attack strategies and forming an overall view of what a stranger can learn about the company.

The company website

The company web site displays comprehensive information about the financial status of publicly held companies, company products, future direction, and the people who make up the company. So anyone can collect information easily using a search engine.

News groups

Newsgroups provide a wealth of information. In addition, newsgroups are very important to system administrators who cannot find answers in product documentation or from technical support, so the community of administrators answers each other's requests through these newsgroups. As a result, testers can find vulnerabilities of the company from these newsgroups.

Other Sources of Information

There are many other sources for collecting information about a company. Search engines such as Google and Yahoo, TV, newspapers, magazines and Electronic Data Gathering, Analysis and Retrieval (EDGAR) are some of them.

In addition, the tester must find some technical aspects of the target company, and it is not hard to find information about the company's network addresses, domain names, and other technical information to further the reconnaissance efforts.

A tester can use the nslookup command to find some information easily. This command is used to query the domain name service to obtain information about domain names and IP addresses. If the tester enters a domain name, nslookup provides the IP address of that domain.

As examples I entered www.google.com and www.idm.lk with nslookup.

[Screenshot: nslookup output for www.google.com and www.idm.lk]

In addition, there are some more commands a tester can use to probe the defenses.

Ping command - Checks network connectivity to remote systems

Traceroute command - Displays the route an IP packet follows in travelling from one system to another

Telnet - Administers remote systems

FTP - Transfers files between systems

Nbtstat - Displays NBT information about a Windows system

The ping utility is often used to check whether a computer is connected to the network. In security testing, ping can quickly test the responsiveness of a target server and confirm that the server is operational.

[Screenshot: ping output]

The traceroute utility allows a tester to view the route an IP packet follows in travelling from one host to another. On Windows the traceroute command is executed as tracert.

Using the FTP client, a tester or attacker can connect to remote systems to determine if a valid FTP server is running. The attacker may also be able to determine information about the remote system from the banner that is displayed on login.

The nbtstat command is included with most versions of Windows to display the Windows domain, logged-on users, MAC address, and other information used in NetBT communications.

In addition, a tester can use further tools to probe remote networks and systems.

Port scanners

A port scanner is a software application designed to probe a server or host for open ports, and it is used to find the open holes in the network which attackers may use to break in. The drawback of port scanners is that the system logs, NIDS logs, and firewall logs on the target network can record a significant amount of network activity while the port scanner is in use.

Types of port scans:

Vanilla: the scanner attempts to connect to all 65,535 ports

Strobe: a more focused scan looking only for known services to exploit

Fragmented packets: the scanner sends packet fragments that get through simple packet filters in a firewall

UDP: the scanner looks for open UDP ports

Sweep: the scanner connects to the same port on more than one machine

FTP bounce: the scanner goes through an FTP server in order to disguise the source of the scan

Stealth scan: the scanner blocks the scanned computer from recording the port scan activities.

When the tester gives a range of IPs or a single IP for the search, the scanner detects the host and shows its ports. After the scan is finished, the tester can check the open and closed ports of the host.

[Screenshot: port scanner output]
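The other side of the drawback noted above: because a port scan leaves a heavy trail in firewall logs, the defending side can recognise it. This added example (not from the essay) parses constructed firewall log lines and flags two of the scan shapes listed, a vanilla scan (many ports on one host) and a sweep (one port across many hosts). The log format and the thresholds are assumptions.

```python
# Added example: port-scan detection from firewall logs.
# Log format, addresses and thresholds are constructed for illustration.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) fw (?P<action>ALLOW|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse(lines):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["dport"] = int(event["dport"])
            events.append(event)
    return events

def detect_scans(events, port_threshold=20, host_threshold=5):
    """Return {source IP: [finding, ...]}.  The thresholds are tuning knobs:
    how many distinct ports on one host, or hosts on one port, count as a scan."""
    ports_per_target = defaultdict(set)   # (src, dst) -> {dport}
    hosts_per_port = defaultdict(set)     # (src, dport) -> {dst}
    for e in events:
        ports_per_target[(e["src"], e["dst"])].add(e["dport"])
        hosts_per_port[(e["src"], e["dport"])].add(e["dst"])
    findings = defaultdict(list)
    for (src, dst), ports in ports_per_target.items():
        if len(ports) >= port_threshold:
            findings[src].append(f"vanilla scan of {dst}: {len(ports)} ports")
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            findings[src].append(f"sweep on port {dport}: {len(hosts)} hosts")
    return dict(findings)

def sample_log():
    """Constructed firewall log: a 30-port scan of one web server, a sweep
    of port 22 across 6 hosts, and ordinary HTTPS traffic from 10 visitors."""
    lines = []
    for i, port in enumerate(range(1, 31)):
        lines.append(f"2015-11-09T10:00:{i:02d} fw DROP TCP 198.51.100.7:4100 -> 192.0.2.10:{port}")
    for i in range(6):
        lines.append(f"2015-11-09T10:05:{i:02d} fw DROP TCP 198.51.100.9:5000 -> 192.0.2.{10 + i}:22")
    for i in range(10):
        lines.append(f"2015-11-09T10:10:{i:02d} fw ALLOW TCP 203.0.113.{i}:5123{i} -> 192.0.2.10:443")
    return lines

if __name__ == "__main__":
    for src, items in detect_scans(parse(sample_log())).items():
        print(src, *items, sep="\n  ")
```

The same per-source counting is what lets a NIDS feed attacker addresses into a firewall blacklist, as the architecture section mentions.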

Vulnerability Scanners

Vulnerability scanners take port scanners to the next level. A vulnerability scanner is a computer program designed to assess computers, computer systems, networks or applications for weaknesses. However, if port scanners log a great deal of activity on remote systems, vulnerability scanners double that activity.

Scanning computer systems for vulnerabilities is an important part of a good security program. Such scanning will help a company identify potential entry points for intruders. In and of itself, however, vulnerability scanning will not protect our computer systems. Security measures must be implemented immediately after each vulnerability is identified. Vulnerability scanning will not detect legitimate users who may have inappropriate access, nor will it detect an intruder who is already in our system looking for weaknesses in configuration or patch levels.

Here are some examples of vulnerability scanners.

[Screenshots: vulnerability scanner examples]

Another way to test security is detecting NICs (Network Interface Cards) in promiscuous mode; detecting NICs in promiscuous mode can help find unauthorized sniffers that may be running in the environment.

Monitor DNS Queries

If the tester detects a system querying a DNS server for that IP address, he knows the requesting computer has a NIC operating in promiscuous mode.

Timing Tricks

The tester sends a steady stream of ICMP (Internet Control Message Protocol) echo requests to a handful of systems on the target network and records the response times for each system. A system whose NIC is in promiscuous mode has to process all the traffic on the wire, so it takes longer to respond.

Sniffing

A sniffer, sometimes referred to as a network monitor or network analyzer, can be used legitimately by a network or system administrator to monitor and troubleshoot network traffic. This helps testers as well as attackers to monitor the activities inside the network. By placing a packet sniffer on a network in promiscuous mode, a malicious intruder can capture and analyze all of the network traffic.

Here are some screenshots of sniffing tools.

[Screenshots: sniffing tools]

Task 04

Intrusion Detection and Prevention

Today intrusion detection holds a very important place as a solution in information security, because intrusion detection systems are important tools in the information security arsenal for detecting malicious activity. Intrusion detection products are therefore tools that assist in managing threats and vulnerabilities in this changing environment.

Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices.

Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Basically there are 3 types of intrusion detection systems. They are,

The Network Intrusion Detection

The Host Intrusion detection

Honey pots

Network intrusion detection attempts to identify unauthorized, illicit, and anomalous behavior based solely on network traffic. The NIDS reads all the packets coming through the network and tries to match malicious packets against the database of signatures that the NIDS holds. If there is an exact or possible match, the NIDS logs the activity for future reference. Unlike an intrusion prevention system, an intrusion detection system does not actively block network traffic. The role of a network IDS is passive: only gathering, identifying, logging and alerting.

In the network intrusion detection system architecture there are several components: the NIDS sensor, the NIDS manager, the database and the console. The NIDS sensor is on the front line of network intrusion detection and is responsible for monitoring the network and reporting suspicious activity back to the manager. NIDS sensors cannot detect malicious activity occurring within a particular computer, and a NIDS sensor requires both IDS software and customized hardware to work properly.

The NIDS manager is the second level of the network intrusion detection system architecture. The manager receives the information, stores it in the database, and passes it on to the console. In some IDS architectures, the manager also helps to maintain signatures and patch levels on the sensors.

The next level is the console. At the console the IT security managers or professionals take appropriate action against the incoming threats.

Host intrusion detection attempts to identify unauthorized, illicit, and anomalous behavior on a specific device. Unlike NIDS sensors, HIDS sensors do not monitor all the traffic on the network, but instead listen to traffic on the host itself. Host-based ID involves not only looking at the communications traffic in and out of a single computer, but also checking the integrity of our system files and watching for suspicious processes. To get complete coverage at our site with host-based ID, we need to load the ID software on every computer.

Honey pots are probably one of the last security tools an organization should implement. They are decoy servers or systems set up to gather information about an attacker or intruder in your system. Honey pots can be set up inside, outside or in the DMZ of a firewall design, or even in all of these locations; they are most often deployed inside the firewall for control purposes. If we use two or more honey pots in a single network, we call it a honey net.

When we are talking about intrusion detection, there are basically 3 major intrusion detection methodologies. They are,

Layered Detection

Recording Activity

Distraction and Traps

In layered detection, the process is broken into 4 layers. The first layer is typically responsible for monitoring the network and network devices. NIDS and honey pots can serve in this role by monitoring the traffic traversing the network.

The second layer is monitoring the hosts in the computer system. Honey pots can also help organizations understand what system attacks are being directed against them.

The third layer is the analysis of the data collected by the intrusion detection devices over time, and the fourth layer is current news, such as traditional media, web sites, and newsgroups, that offers information about current attacks or increases in malicious activity.

In recording activity, many intrusion detection tools and devices record malicious activity. If an attack is successful, the attacker often tries to erase evidence and destroy the local logging records. If a system is compromised, the attacker should not be able to erase the activity recorded on a remote IDS server; therefore it is necessary to have a dedicated remote IDS log server to record all the activity logs.

Distraction and traps are a very useful function. We use distraction techniques to draw the attacker away from the system and catch the attacker. Honey pots can function in this way to distract a potential abuser and buy time for an efficient response.

Network intrusion detection systems gather network traffic for analysis and detection. These systems intercept packets as they travel across the network between hosts, and the intercepted packets are analyzed by comparison with a database of known signatures and by searching for anomalous activity that suggests inappropriate behaviour. So we can minimize threats by using a network intrusion detection system. Therefore I recommend the network intrusion detection system as the most appropriate method for this company.

During a breach, the NIDS or HIDS sends an alert to the console; the console collects the gathered information and prepares to respond to the breach. Before responding to the attack, the console operator has to identify whether this is a real attack or a false positive. A false positive means there is no actual malicious activity but the IDS reports that there is. The security manager then collects more details about the attack: in which period the breach happened, and which hosts interacted with the servers several times during that period. Information about IPs is also collected: whether there are unknown IPs, and whether an unusually large number of packets is being transferred from the same IP address. In addition, during the breach some additional tools such as port scanners and sniffers can be used to gather more information, such as incoming shellcode, scripts or unwanted packets.

This is the information we gather during a breach. After collecting and considering it, the security manager can choose an appropriate reaction.
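The signature-matching NIDS pass and the breach triage just described, as an added example that is not part of the essay: constructed packet records are matched against a tiny constructed signature set (the sensor side, which only reports), then the alerts are limited to the breach window, signatures the console has already marked as false positives are dropped, and source IPs are ranked by how often they interacted with the servers. Signatures, addresses, timestamps and the threshold are all assumptions.

```python
# Added example: minimal signature matching plus breach-window triage.
# Everything here (signatures, traffic, window, threshold) is constructed.
from collections import Counter
from datetime import datetime, timedelta

SIGNATURES = {  # constructed name -> byte pattern, not a real ruleset
    "sql-injection-probe": b"' OR 1=1",
    "path-traversal": b"../../etc/passwd",
    "shellcode-nop-sled": b"\x90" * 16,
}

def match_signatures(payload):
    """Exact-substring matching: the simplest form of comparing a packet
    against the signature database."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]

def inspect(packets):
    """NIDS sensor pass: (ts, src, dst, payload) records in, alert dicts out.
    Passive by design: nothing is blocked, only reported."""
    alerts = []
    for ts, src, dst, payload in packets:
        for sig in match_signatures(payload):
            alerts.append({"ts": ts, "src": src, "dst": dst, "sig": sig})
    return alerts

def triage(alerts, breach_start, breach_end, known_false_positives=(), min_hits=3):
    """Console side: keep alerts inside the breach window, drop signatures
    already classified as false positives, count interactions per source IP
    and flag the sources at or above min_hits."""
    window = [a for a in alerts
              if breach_start <= a["ts"] <= breach_end
              and a["sig"] not in known_false_positives]
    per_source = Counter(a["src"] for a in window)
    return {
        "in_window": len(window),
        "per_source": dict(per_source),
        "suspects": {src: n for src, n in per_source.items() if n >= min_hits},
    }

def default_window():
    """The constructed breach period used by sample_packets()."""
    start = datetime(2015, 11, 9, 2, 0)
    return start, start + timedelta(minutes=10)

def sample_packets():
    """Constructed traffic: one source probing repeatedly during the breach,
    a normal visitor, an internal scanner whose test payload trips the
    NOP-sled signature (a false positive), and an old hit outside the window."""
    t0, _ = default_window()
    pk = [(t0 + timedelta(minutes=i), "198.51.100.23", "192.0.2.10", b"GET /?id=1' OR 1=1 --")
          for i in range(5)]
    pk.append((t0 + timedelta(minutes=7), "198.51.100.23", "192.0.2.10", b"GET /../../etc/passwd"))
    pk.append((t0 + timedelta(minutes=3), "203.0.113.8", "192.0.2.10", b"GET /index.html"))
    pk.append((t0 + timedelta(minutes=4), "10.0.5.5", "192.0.2.10", b"\x90" * 16 + b"scanner-test"))
    pk.append((t0 - timedelta(hours=5), "198.51.100.40", "192.0.2.11", b"' OR 1=1"))
    return pk

if __name__ == "__main__":
    start, end = default_window()
    report = triage(inspect(sample_packets()), start, end,
                    known_false_positives=("shellcode-nop-sled",))
    print(report)
```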

Task 05

Encryption

Encryption is the primary mechanism for communication security. It will certainly protect information in transit. Encryption might even protect information in storage by encrypting files. However, legitimate users must have access to these files. The encryption system will not differentiate between legitimate and illegitimate users if both present the same keys to the encryption algorithm. Therefore, encryption by itself will not provide security. There must also be controls on the encryption keys and on the system as a whole.

Data encryption schemes generally fall into two categories: symmetric encryption and asymmetric encryption.

Symmetric encryption

Symmetric encryption is the oldest and best-known technique. In this method both the encryption and decryption processes use one secret key, so the method is also called single-key or one-key encryption. A secret key can be a number, a word, or just a string of random letters. The secret key is applied to the information to change its content in a particular way. There are two basic types of symmetric algorithms. They are,

Stream cipher

Block cipher

Stream ciphers encrypt the information one bit at a time, that is, they operate on 1 bit of data at a time and encrypt data bit by bit.

A block cipher is a symmetric cipher which encrypts information by breaking it into blocks and then encrypting the data in each block. A block cipher encrypts data in fixed-size blocks (commonly of 64 bits).

Here are some examples of symmetric encryption algorithms.

AES/Rijndael

Blowfish

CAST5

DES

IDEA

RC2

RC4

RC6

Serpent

Triple DES

Twofish

Symmetric encryption can be compromised through breaking of the encryption, weak passwords, the burden of remembering passwords, and the exchange and storage of secret keys; these are the vulnerabilities of symmetric encryption. In addition, symmetric encryption algorithms are secure and fast, and this is their main advantage.

Asymmetric encryption

Asymmetric Encryption is also known as Public Key Cryptography, since users typically create a matching key pair, and make one public while keeping the other secret.

Here are some examples of asymmetric encryption algorithms.

RSA

DSA

PGP

Asymmetric encryption is a little slower than symmetric encryption. But the drawback of symmetric encryption is that both ends need the same key to encrypt and decrypt.

Symmetric encryption algorithms require that both the sender and the receiver agree on a key before they can exchange messages securely, but asymmetric encryption algorithms use different keys for encryption and decryption, and the decryption key cannot be derived from the encryption key. That is the main difference between symmetric and asymmetric encryption.

My Recommendation

With asymmetric encryption the two parties do not need to have already shared a secret in order to communicate using encryption, and both authentication and non-repudiation are possible. However, working with a single key is simpler and more productive than working with multiple keys. Therefore I suggest a symmetric encryption algorithm as the more suitable choice for this company.