Annual Potential Loss Application Attack Threat - Case Study Example

?Insert Network diagram (current status) Figure Physical building Figure: 2 This kind of basic architectural implementationonly offers two thin layers of protection. It is widely accepted that the more layers of protection the more the security, in this kind of network architecture. An intruder only needs to compromise just one server to get access into the web resources in the system. Risk 1 This basic infrastructure does not provide protection against application attacks like injections and buffer overflow because the only source of security is the network firewalls. Application attacks are gaining popularity. Networked based fire walls will not be able to effectively keep the system secure from this kind of attack. Though some firewalls in networks have application firewall capabilities, most are considered to be underpowered by experts, providing less protection than the available firewalls that are single purpose. Actually, network firewalls have no capacity what so ever to protect against custom web applications (Eschenauer and Gligor, 1). This nature of a network security infrastructure leaves the organizations web resources at risk with dire consequences on the organization Quantitative risk analysis regarding the network architecture Asses Value Asset Value Cost of maintenances Profits to the company Worth in competition Recovering cost Acquisition cost Firewalls 4,000 100 per month 10,000 per month 2,000 1,000 5,000 Web server 5,000 100 per month 10,000 per month 2,000 1,000 7,000 Database Server 5,000 100 per month 10,000 per month 2,000 1,000 7,000 Table: 1 Estimate of potential Loss per Threat The table below shows the estimate potential loss per threat Asset Cost of physical damage Cost of loss in productivity Cost if information is disclosed Cost if critical devices fail Firewalls 4,000 10,000 120,000 10,000 Web server 5,000 15,000 1,000 15,000 Database Server 5,000 30,000 200,000 10,000 Table: 2 Application attacks can also be used to gain access into various departments in an organization, For instance gaining access into a database administrator, financial controller, or system administrator can provide an attacker access to information to these departments which may be having information that may contain passwords for credit card numbers which can be used to steal identity, or have dire financial implications to an organization or a company. Risk factor two Another issue is that the basic implementation has its default use of well-known UDP and TCP and ports for communication. Unfortunately for this organization’s Web applications are packaged-solutions, hence the organization is unable to makes change to the prescribed ports. Therefore, systems in the demilitarized zones (DMZ) will be compromised; it is easy for the attacker to compromise the systems because of the default TCP/UDP portals. In addition, systems in the demilitarized zones experience little to no monitoring or security-controls. Only one server that will be compromised before an intruder to access the Web applications Because of these shortfalls, the basic architectural technique no longer gives the kind or level of security currently being required by online cash transfer companies like VISA Cardholder-Information-Security- Program (CISP) and Payment-Card-Industry (PCI) security standards, Federal-Information-System-Management-Act (FISMA), GLBA, SOX and more other regulatory and industry-security standards engaged in this compliance effort. Risk Factor 3 Physical factors like act of nature, earth quakes, floods and fires often cause irreversible damage on networking hardware. Some of these calamities are unpredictable, and can cause extensive damage in an organization’s network system with great loses, damaged equipments can result to loss of sensitive data and information, negatively affecting productivity with end effect being heavy losses on an organization. Another physical factor that poses security threats to the network system is unauthorized access to where the various devices and equipments are stored Established Annual potential loss application attack threat Assets Threat SLE (single loss expectancy) SLE Annualized rate of occurrence ARO Annualized Loss Expectancy ALE Servers Application Attack and physical attack 15,000 0.2 3,000 information Application Attack and physical attack 200,000 0.2 40, 000 Customer info Application Attack and physical attack 500,000 0.2 100,000 Table: 3 Quantitative Risk analysis If an attacker would gain access into the organization’s network using application , can carry out a variety of attacks including service denial, injections and buffer over flows, that are aimed at slowing down or totally crippling a web system, this applications can be configured to various servers useless. This kind of an effect on a system, serving an organization handling sensitive and vital transactions or procedures will experience great loss in productivity and to a great extend translate into company losses. More so, sensitive data or information (regarding company strategies, competition, client information or other kind of sensitive database) can be illegally obtained Proposed Network Infrastructure that offers enhance network security Figure: 3 The proposed Secure Physical infrastructure Figure: 4 Physical security implementation on of the proposed network infrastructure The room that contains sensitive hardware should be restricted to only authorised personnel by implementing secure access cards on the door room and reinforcing the doors with steel. The new off site back ups location should be manned by security personnel and access protocols should be established. A high barbed fence should be implemented around offsite facility Proposed Network Infrastructure functionalities Implementing a multiple featuring application firewalls, will reduce threats from application based attacks like buffer over flows ,injections and other application based attacks that often go without being handled or even undetected by convectional network fire walls. The proposed architecture uses two demilitarized zone one being available to the public and the other remains private. The servers in the public demilitarized zone only have application user interface logic that does not have any application that process logic. The server functioning in the private demilitarized zone have the actual application that process logic which link to the system in the inside for any additional processing. Servers in the demilitarized zone are isolated from the systems that host the logic application in the demilitarized zone. Providing the organization create more defined rules that will keep the system secure from application based attacks. The proposed architecture will also use two internal LANs: One is an internal LAN having the employee accessible server and systems which do not store vital information and another LAN that is secret with encrypted information to guard against information theft, identity theft and other types of fraud. Lastly default protocols for HTTPS and HTTP (TCP 80 and 443) will be used in the public demilitarized zone and not standard TCP and UDP port will be used to do all other connections for required services. This cuts down in the possibility that outside attackers accidentally identify information-assets through standard port injection-attacks. In the proposed Architecture all components will be managed through a complete- managed and monitoring system that will be implemented in a protected management LAN, which consist of intrusion prevention/detection systems, DNS, Kerberos servers, Syslogs servers and all these severs firewalled from the demilitarized zone and the secure LAN so that there can be better control and protection. Users of the organization’s web application can transact through the demilitarized zone or process through the public demilitarized zone, depending the application being used. To guard against physical damage from natural cases or fire a backup system should be set with all servers having offsite back up servers that will take over if the primary system goes down. Proposed network architecture security configuration The following are the primary architectural components that will protect various systems, but the interaction configuration and managements of the components is what will provide a secure web environment and monitor the network architecture. Intrusion Detection System The proposed secure architecture will implement both network based and host based intrusion detection systems, and the key is to implement and properly manage and monitor them. At the least, a network based intrusion detection system (NIDS) will monitor all subnets that are critical in the demilitarized zones and secure LAN. This allows the detection of any net work based attacks or unexpected anomalies in network traffic. Additional NIDs can be positioned on other segments in the network. However this might call for a significant amount of tuning to reduce false positive alerts and few more other issues. In addition to the network based intrusion detection system, a host based Intrusion detection system (HIDS) can be implemented on all servers in the demilitarized zones, all the servers within the secure LAN and any other server that will be processing sensitive information in the Internal Local Area Network. The host based Intrusion detection system will detect file changes, brute force or any attack focused on a specific server. The entire network based intrusion detection system and a host based Intrusion detection system. Send information to the intrusion detection console system located in the management LAN which will track and monitor the network. Time-servers Time servers are often ignored but important. This server will ensure that there is proper functioning and analyzing of the System log server (Syslog). Determining the time standard to be used on the network is therefore important. For big, international organizations, all devices found in a network infrastructure like switches, routers firewall and servers usually apply the (UTC) Universal Coordinated Time, which is similar to the Greenwich Mean Time. This aspect is important because, time zones that are consistent and time keeping approach for all devices become vital when diagnosing or identifying when an attack is taking place against multiple device in different areas in a network. Use of UTC will allow all events to be logged in the same timeframe without the necessity of converting Zones. System Log Servers (Syslogs servers) Syslogs servers are also over looked, they are important in that they capture system Log information from all network devices like routers, firewalls, servers, switches and other critical operating systems. System log servers can be installed in pairs, but these devices gather a large volume of information, hence coordinating that volume of information in between servers can generate a problem. Hence typically many organizations have only 1U server which is attached to a large NAS network attached Storage via a (SAN) storage area network device so that there is enough storage space. All vital devices should transmit their System log information to the server so that that information can b e recorded and further analysis carried out on it. The vital systems should be logging successful and failed events as much as possible. Only with this measure can a full picture of event occurrence be maintained for diagnostic and analysis purposes. Firewall(s) Configuring the network and the firewall applications is important, Rules should be configured to establish restrictions and control for both the inbound and outbound traffic. For instance, the network firewall located in the demilitarized zone can be configured for only the inbound and outbound TCP 80 and 443 communications to the respective IP addresses of the HTTPS and HTTP servers. Then all other protocols and ports should be closed, since they will not be required between the public and private demilitarized zones. As an example only port 62134 should be open, this will restrict communication to the IP addresses of the involved servers (Guerrero Zapata and Asokan, 10). Between the private demilitarized zone and the internal LAN, only ports the ports that are necessary for communication with various servers should remain open and should also be restricted to specific IP addresses of those servers. And only the ports necessary for communication with the SQL server should remain open and restricted to only that firewall placed between the secure LAN and internal LAN IP address. Application firewalls should be configured in correspondence to the various executing web based applications. Unlike their network firewall counterparts, specific recommendations for rules are difficult if not impossible to create for these devices because there is a wide variety of application protocols and implementation, but, in general terms, all attacks that feature misuse of various application protocols will be blocked. DNS (Domain Naming Service) Servers DNS severs are purely for internal use only. All external requests for DNS will be forwarded to the Internet Service provider (ISP) for further forwarding or resolution. Because threats faced by the DNS servers, it is preferable that the ISP’s DNS servers be utilized for public DNS. While this can develop timing issues regarding DNS changes, when ecommerce systems have been implemented and have began production, DNS changing is rare Secure-LAN servers Severs within a secure LAN give their own level of security storage of only encrypted information. However this is just part of the functionality. The key to secure servers in when LAN employ the “reach motel” concept, in this concept information will flow in, encrypted and then stored but does not flow in absence of an act of God. Additionally, an extremely limited number of network and system administration and application processes access these servers and secure-LAN. Application processes that have access those these servers are monitored and restricted to make sure that only the appropriate information flow will be processed. After the information is approved, it is decrypted for the need of processing. Those outflows are seriously restricted by the firewall, documented in detail, and then approved by the management. Kerberos-Servers All servers being used in the application process should be using Kerberos for authentication, in addition, if possible make all individual sessions of transaction will generate their own Kerberos keys to secure and encrypt all communication. Utilization of Kerberos servers will reduce the chance of the man-n-the-middle attacks, session hijacking and packet sniffing and provides extra security level by encrypting all communications between the systems, so that on a scenario where an attacker gains some way into the internal network will find all communication secured and encrypted. Enhancing the Proposed Network architecture A number of enhancements will increase the security level given by the base level proposed architecture. These enhancements which will add even more layers of security to the basic proposed network architecture with greater concern for security. The enhancements include; using of multiple subnets, applying virtual Local Area Networks. Utilizing virtual Machine Technology and System log/IPS/IDS correlation Engines (Capkun, Hubaux, and Butty?an, 30). Works Cited Capkun, S. Hubaux and Butty?an, L. “Mobility Helps Security in Ad Hoc Networks.” In Proceedings of MobiHoc, 2003, 30. Print Eschenauer, L. and Gligor, V. “A key-management scheme for distributed sensor networks.” In Proceedings of the 9th ACM conference on Computer and Communications Security, 2002, 2. Print Guerrero, M., Apata, Z. and Asokan, N. “Securing Ad Hoc Routing Protocols.” In Proceedings of the ACM Workshop on Wireless Security (WiSe), 2002, 10. Print Read More