Security Risk Analysis for Intrusion Detection and Prevention of Cybercrime - Report Example

Summary
This report, "Security Risk Analysis for Intrusion Detection and Prevention of Cybercrime", presents a security risk analysis of military radar satellite communication systems. The paper gives an insight into the working procedure of satellite communication systems…

Extract of sample "Security Risk Analysis for Intrusion Detection and Prevention of Cybercrime"

Security Risk Analysis for Intrusion Detection and Prevention of Cybercrime

This paper conducts a security risk analysis of military radar satellite communication systems. It gives an insight into the working procedure of satellite communication systems and the vulnerabilities of the communication network to possible intrusion and cybercrime activities. The risks to the military network from cybercrime are analyzed and their effects discussed. The paper examines intrusion detection methods and suggests steps to curtail vulnerabilities in the system. Source determination and intrusion prevention procedures are discussed according to the level of threat they pose. Data and alert correlation in the military network and the future of intrusion detection and prevention methods are touched upon. The paper recommends appropriate procedures to control the threats and reduce the vulnerability of the system to an acceptable level, keeping in mind the military network and the sensitivity of data protection in this case. The top five risks are analyzed and briefly reviewed. Current federal legislation and the standards for securing against and preventing cybercrime are analyzed, and steps are recommended to implement and maintain the proposed strategy.

Risk analysis terms

Security risk analysis, also called risk assessment, is a basic requirement of any organization. Essentially, controls and expenditures should be commensurate with the risks an organization faces. Many conventional means of conducting a security risk analysis are turning out to be indefensible in terms of criticality, flexibility and usability.

Qualitative Risk Analysis

This is the most pervasively used approach to security risk analysis. No probability data is required; only estimates of potential loss are used.

Elements of qualitative risk analysis:
Vulnerabilities – factors that make a system prone to attack, or make an intrusion more likely to succeed or to have an impact. For example, flammable material.
Threats – what could go wrong, or situations that can attack the information system. For instance, fraud or fire.
Controls – the countermeasures put up by management against vulnerabilities. They include preventive controls, detective controls, deterrent controls etc.

Security Risk Analysis for Intrusion Detection and Prevention of Cybercrime

The satellite communication systems form the backbone of net-centric warfare for the US military and give it a considerable advantage over others. The close integration of the communication system and its distribution down to local-level commanders puts this system far ahead of other armies. As Bufkin (2011) notes: “This is unique feature of this system – no other department of defense satellite system can relay information from the satellite all the way down to war fighters, portable communications packs and handheld radios”. The system, however, like any other, is not perfect and presents some vulnerabilities in its operation. Modern communication systems have evolved and are far more secure than their predecessors, but interception methods have evolved along with these advancements, so security and threats circle in an infinite loop; both are constantly evolving. Contrary to popular opinion, cybercrime is a risk to all industries, including military networks. If intrusion detection methods are not effective, cybercrime results in security breaches long before the victims become aware that their systems are compromised. In the case of military networks the stakes are very high, as the data includes sensitive information that may include strategic plans, communication infrastructure details and even current situation reports. Any of these, if intercepted, can jeopardize the complete communication network and leave the military in a blackout. As the Foreign Affairs, Defense and Trade Division put it in 2008: “while the threat of cyber attack is less likely to appear than conventional physical attack, it could actually prove more damaging because it could involve disruptive technology that might generate unpredictable consequences that give an adversary unexpected advantages”. Communication, being of vital importance on a battlefield, is prone to interception and even jamming. Intrusion and cyber warfare form part of electronic warfare in any military conflict.

Quantitative Risk Analysis

This kind employs two basic elements: the probability that an event can occur and the loss that could be incurred should the risk occur. It uses a single figure produced from these elements, called the Estimated Annual Cost or Annual Loss Expectancy, which is computed for an event by multiplying the probability by the potential loss. Ranking events by this figure is therefore theoretically possible, and decisions can consequently be made based on the ranking (Carr 2009). The main drawbacks of this kind of risk analysis are the inaccuracy and unreliability of the data. Probability is seldom precise and may promote complacency in some cases. Additionally, countermeasures and controls often handle a number of events, and the potential events themselves are often interrelated.

Risk Analysis

After evaluating the system above, the main threat to this network is to the radio communication network used to connect the satellite uplink site with local channels. These channels, mostly HF (High Frequency) or VHF (Very High Frequency), are prone to jamming or electronic interference from an enemy within range of the wireless network. According to the Department of the Navy (2006), “Emissions are extremely susceptible to interception and analysis and may disclose classified information”. They can also be intercepted (listened to) if they use plain frequencies. After transfer, the data is passed to a central network. This network is a more conventional computer network and is vulnerable to cyber attacks and intrusion by unauthorized users. These threats can take the shape of Trojans, viruses, worms, botnets etc. According to the Foreign Affairs, Defense and Trade Division (2008), “The increased use of automated attack tools by cybercriminals has overwhelmed some current methodologies used for tracking attacks and vulnerabilities of US critical infrastructure”.

The top five risks connected with satellite communications in the military system under consideration are Intrusion, Meaconing, Interference, physical security and Jamming. Vulnerabilities and threats can be given values based on relative frequency and how they affect the system. By its nature, physical security is high risk, since enemies have to know the features and capabilities of the particular system to exploit the vulnerabilities that come with it. Evaluation of the risk value of the system during development can start at the middle level, and as the system under evaluation is rolled out, the risk exposure of the system would grow. Meaconing refers to intercepting and rebroadcasting signals to confuse communications between sender and receiver. The risk of signal deception can be low, but cautions and safety zones should be integrated into the system to overcome these threats and vulnerabilities. Channel hopping is one of the safety techniques that can be integrated into the system in the design and testing stages. Penetrating the system using hacking and cracking processes is referred to as intrusion. Hardening, an industry term for securing against intrusion, will help mitigate and manage these attacks. Encryption, passwords, intrusion detection systems, patch management and intrusion protection systems are among the processes that need to be identified and managed in these mitigation efforts. The jamming technique prevents RF signals from being delivered to the receiver. Broadband RF broadcasts aimed at the system can destroy the equipment and disable communications. This would result in a DoS (Denial of Service) attack on the system.

The risks identified are therefore: security of the HF/VHF radio communications network; interception of the SATCOM (UHF) signal between satellites and uplink/downlink sites; botnets (networks of infected PCs with automated tools); unauthorized network intrusion into the military network; and the usual culprits in any linked network, namely Trojans, worms and viruses that can allow an unauthorized program to execute without the user's knowledge. These have been identified by considering the organization's exposure to uncertainty. This has required intimate knowledge of the market of operation and the social, legal, cultural and political environment in which the companies exist. The risks have been profiled and given a significance rating for each risk, and hence the idea of prioritizing a risk has been born.

Methodology to conduct risk analysis

Risk analysis involves a series of steps applied to determine the severity of a risk. The steps include threat assessment, impact assessment, risk mitigation and vulnerability assessment. The key words used in risk analysis methodologies are identifying, eliminating, controlling or minimizing uncertain occurrences (Gragido and Pirc 2011). The aforementioned methodology can be termed the Risk Management process. Threat assessment covers the identification of threats: human, natural and environmental. It points out the possible threats and outlines a ranking system that weighs and prioritizes risk with the associated threat.
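The quantitative approach described earlier ranks events by Annual Loss Expectancy, and the ranking system just mentioned prioritizes risks the same way. The following Python example is added here and is not part of the original paper: it applies the ALE ranking to the five risks the paper lists (Intrusion, Meaconing, Interference, physical security, Jamming) and then checks whether a single control that touches several risks at once (the interrelation the paper names as a drawback) costs less than the loss it averts. Every probability, loss and control figure is a constructed placeholder, not data from the paper; channel hopping is used as the control because the paper names it as a safety technique.

```python
"""Quantitative risk ranking by Annual Loss Expectancy (ALE).

Added example; not from the original paper. The five risk names are the
paper's; every probability, loss and control figure is a constructed
placeholder, not measured data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Risk:
    name: str
    annual_probability: float  # expected occurrences per year
    potential_loss: float      # loss per occurrence, in currency units

    def ale(self) -> float:
        """Annual Loss Expectancy = probability of occurrence x potential loss."""
        return self.annual_probability * self.potential_loss


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # Fraction by which the control cuts the probability of each named risk.
    # One control touching several risks is the interrelation the paper notes.
    probability_reduction: dict = field(default_factory=dict)


# Constructed figures for the paper's five SATCOM risks.
RISKS = [
    Risk("Intrusion", 0.50, 2_000_000),
    Risk("Meaconing", 0.20, 500_000),
    Risk("Interference", 2.00, 60_000),
    Risk("Physical security", 0.05, 5_000_000),
    Risk("Jamming", 1.00, 300_000),
]

# Constructed control: channel hopping, which the paper names as a safety
# technique for the RF risks. Cost and effect sizes are assumptions.
CHANNEL_HOPPING = Control(
    "Channel hopping",
    annual_cost=150_000,
    probability_reduction={"Jamming": 0.5, "Interference": 0.75, "Meaconing": 0.5},
)


def rank_by_ale(risks):
    """(name, ALE) pairs, highest exposure first; this is the ranking decisions rest on."""
    return sorted(((r.name, r.ale()) for r in risks), key=lambda pair: pair[1], reverse=True)


def control_net_benefit(risks, control):
    """Annual ALE reduction summed over every risk the control touches, minus its cost.

    A positive result means the control costs less than the loss it averts.
    """
    averted = sum(r.ale() * control.probability_reduction.get(r.name, 0.0) for r in risks)
    return averted - control.annual_cost


if __name__ == "__main__":
    for name, ale in rank_by_ale(RISKS):
        print(f"{name:<18} ALE = {ale:>12,.0f}")
    print(f"{CHANNEL_HOPPING.name} net benefit = {control_net_benefit(RISKS, CHANNEL_HOPPING):,.0f}")
```

With the constructed figures, Intrusion ranks first despite Interference occurring most often, because ALE weighs frequency against loss per event; the ranking is only as trustworthy as the probability estimates feeding it, which is exactly the weakness the paper attributes to quantitative analysis.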
Vulnerability assessment uses tools such as penetration testing, scanners, and operational and management audit controls. These too can be weighed and prioritized in the same way, based on risk and the effect on system operation. Impact assessment examines each of the vulnerabilities and compares their impact on the system under assessment. The impact thus associated assists in defining the risk using qualitative or quantitative risk assessment.

Risk Evaluation

In order to analyze possible security vulnerabilities, we must consider a typical satellite communication procedure and its components. The satellites use radio frequency in the UHF (Ultra High Frequency) band (SATCOM). Like any radio signal in the air, it is susceptible to interception; the signal in uplink or downlink is prone to intrusion. This is only the case if the satellite is used in direct communication, i.e. uplinked directly through a communication device and downlinked directly to the final target device. In some cases, however, the threat is increased, as the communication is done indirectly through a mid-channel broadcaster that acts as a repeater or organizer of the communication channel. The network therefore has at least three communication units: the sending unit, the satellite and the receiving unit. This scenario is mostly limited to individual tasks, for example GPS positioning. A true radar satellite communication system will use a local radio communication network linked with a central uplink to the satellite, and then the receiving unit again linked by radio network with the main headquarters. For the communication system without ground radio communication, see Macke (2010). The tactical wireless network uses IP-like protocols and applications that have been tailored for operation. The IP network cloud is based on standard IP protocols, fiber optic communication links, and standard security mechanisms.

In this military communications system the main threat is from the enemy looking to intercept the radio signal in the air. This signal is more prone to interception because of the larger coverage area of a military network. According to Freebersyser, “As the network grows security aspects begin to become more important to consider across multiple horizontal protocol layers and for varying application context”. Therefore, intrusion in this case can be done from a greater distance.

Risk Standards

No system is perfect, and every system has some vulnerability. These can be exploited and used to extract classified information, either tactical or strategic. The wide coverage area mentioned above creates more opportunities for cyber attacks (Andress and Winterfeld 2011). The system also combines different networks, i.e. the radio network, the satellite network and then the traditional computer network. Information can be intercepted from any of these networks. To avoid interception, the network traffic has to be monitored carefully. Since the network is military and fluid information is key in net-centric warfare, the standards for acceptance have to be set very high. The system, however, is most vulnerable during its HF/VHF radio transmission stage. It can be intercepted or even jammed by interference from a stronger source signal. Some leakage from this network has to be accepted. The satellite SATCOM UHF band is similarly vulnerable to interception. This channel, however, is safer because of its smaller wavelength, so it needs precisely set equipment and is a targeted wavelength. It can be intercepted, but the equipment has to be in close proximity to the linking sites. Tolerance for interception should be limited in this case. The third network is the computer network. It is prone to cyber attacks and intrusion, and intrusion in this network can be critical. The tolerance level for this network must be zero, and the network should be isolated. Network traffic has to be monitored critically; it is the key to finding any source of intrusion.

The hazards of intrusion into a military communication system are the biggest threat to US national security. Intrusion detection systems in the past have been unreliable and ineffective. As a normal passive measure to guard against these general vulnerabilities, encryption (of both radio communication and the network) is the most commonly used prevention method in the military. It is a passive measure and can only delay potential cyber attacks and intrusions. With increasing cyber attack threats, intrusion detection systems are evolving and becoming more effective. Harm from intrusion attacks may include deliberate attacks that render a system unusable, access to unauthorized information or manipulation of such information. The system basically detects activity in network traffic that may or may not be an intrusion. Intrusion detection is typically one part of an overall protection system installed around a system or device; it is not a standalone protection measure.

There has been a need for professional associations that can apply independent authority towards risk management. The authority applied should at the very least cover consumer protection measures, risk management to prevent accidents, professional education, and insurance requirements on risk where professionals can claim damages. There is a limit placed on the amount payable for harm covered by the scheme. All states in the U.S. agreed to implement consistent professional standards legislation at a ministerial summit in Adelaide held on the 6th of Aug 2003.

Prevention Strategy

To form a prevention strategy for this satellite communication network, we must start with the threats and vulnerabilities in the system from the basics (radio communication) up to the collection of information in the data centre or network. These imply two main concerns: that the information is passed on without any interception in the wireless phase, and then the protection of this information in cyber space.

Encryption / Frequency Hopping

For the protection of data in the wireless state we must use the two most effective methods: frequency hopping and encryption. Frequency hopping changes and oscillates the frequencies used by the transmitting and receiving stations according to a set of defined values. This makes it hard for an interceptor to trace the transmission unless the hopping pattern is known. Data encryption, when used along with frequency hopping, makes radio communication the most reliable and safest in the current scenario. According to Popovski, Yomo and Prasad (2006), “Spread spectrum signals are highly resistant to narrowband interference. The process of recollecting a spread signal spreads out the interfering signal, causing it to recede into background. These signals are difficult to intercept. An eavesdropper would only be able to intercept the transmission if hopping sequence was known”. However, the encryption key and hopping pattern must be kept safe and protected. To guard against this, slidex and griddle keys are used to decipher. This is an additional step towards the protection of data. This method applies to both the UHF and the HF/VHF frequency bands.

Intrusion Prevention and Detection Systems

To guard against network or cyber attacks (the second network), an intrusion detection system needs to be used. This system, as stated above, detects intrusion by monitoring network traffic and is therefore not perfect. These systems are reinforced with intrusion prevention systems to make a strong defense against cyber attacks. The intrusion prevention system, being passive, is more effective against any intrusion. It also has a central management control. This system is a must in a military network. It has the ability to deal with large volumes of data and near real-time alerting capabilities that help reduce potential threats. Furthermore, intrusion prevention systems have automated responses, such as logging off a user, disabling a user account or launching automated scripts. These systems also have built-in forensic and reporting capabilities.

To account for legislation on intrusion: in 1998, US Presidential Decision Directive 63 (PDD 63) established steps to increase the use of intrusion detection and prevention to protect national infrastructure. This also includes military information protection. Other countries also have their own legislation. Even though standards and legislation across the world are not unified, other countries have followed the lead of the US and made similar legislation. The implementation of prevention or detection systems is not a compulsory requirement, but they are necessary for the protection of sensitive strategic data in the case of the military. Guarding against intrusions has become a critical part of a strong defense-in-depth security program. It is a proactive approach, implemented through intrusion detection and prevention systems. The military becomes proactive about network and application layer vulnerabilities and can guard its sensitive systems by applying the above-mentioned systems.

The weakness of this system, however, is the “Analysis” part. The intrusion systems can identify intrusion on the basis of network traffic monitoring, so analysis of these activities is crucial. For prevention, examining the constituent parts of data and their interrelationships to identify any anomalous activity is key to identifying any intrusion. To use anomaly detection, we need a statistical profile, based on different algorithms, in which the user behavior is baselined. Any behavior that falls outside of that classification is flagged as an anomaly. This reduces the chance of human error in the analysis of any possible intrusion activity. The best approach is the hybrid: human analysis combined with profile-based analysis by AI. It can perform better against complex attacks.
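The anomaly detection just described, baselining user behaviour as a statistical profile and flagging whatever falls outside it, as an added Python example that is not code from the original paper. The log format, user names and byte counts are constructed for the example; the profile is the per-user mean and standard deviation of outbound bytes per hour, and the three-standard-deviation threshold is an assumed value. It also covers the case the paragraph leaves implicit: a user with no baseline at all has no classification to fall inside, so the example flags that too.

```python
"""Profile-based anomaly detection over constructed network log lines.

Added example; not code from the original paper. The log format, user names
and byte counts below are constructed for illustration.
"""
import re
from statistics import mean, pstdev

# Constructed baseline: outbound bytes per user per hour over a quiet week.
BASELINE = {
    "alpha": [1200, 1350, 1100, 1500, 1280, 1400, 1320],
    "bravo": [400, 380, 450, 420, 390, 410, 430],
}

# Constructed observation window, one line per user per hour, plus one
# malformed line to show that the parser skips what it cannot read.
OBSERVED_LOG = """\
2011-10-10T14:00Z user=alpha bytes_out=1300
2011-10-10T14:00Z user=bravo bytes_out=9800
2011-10-10T14:00Z user=charlie bytes_out=700
not a log line
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\w+) bytes_out=(?P<bytes>\d+)$")

# Assumed threshold: behaviour more than this many standard deviations
# above the user's baseline mean is treated as anomalous.
Z_THRESHOLD = 3.0


def build_profiles(baseline):
    """Statistical profile per user: (mean, population standard deviation)."""
    return {user: (mean(samples), pstdev(samples)) for user, samples in baseline.items()}


def parse_log(text):
    """Parse log text into (user, bytes_out) pairs; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["user"], int(m["bytes"])))
    return events


def z_score(value, profile):
    """Distance of value from the profile mean, in standard deviations."""
    mu, sigma = profile
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def flag_anomalies(events, profiles, z_threshold=Z_THRESHOLD):
    """Return (user, bytes_out, reason) for every event outside its profile.

    A user with no baseline is flagged too: there is no classification for
    that behaviour to fall inside, so an analyst has to look at it.
    """
    flagged = []
    for user, value in events:
        if user not in profiles:
            flagged.append((user, value, "no baseline profile"))
            continue
        z = z_score(value, profiles[user])
        if z > z_threshold:
            flagged.append((user, value, f"{z:.1f} standard deviations above baseline"))
    return flagged


if __name__ == "__main__":
    for hit in flag_anomalies(parse_log(OBSERVED_LOG), build_profiles(BASELINE)):
        print(hit)
```

The flagged list is what the hybrid approach hands to the human analyst: the profile does the bulk comparison, the analyst decides whether bravo's jump in outbound volume and charlie's unknown account are intrusions or legitimate change. Lowering the threshold catches subtler deviations at the cost of more items for the analyst to review.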
To prioritize and filter sensitive military information for data collection, two separate systems can be formed. Attacks against sensitive information can be critical, so the standards for protecting critical information must be different. These systems must be kept as isolated as possible. Any attack on these networks must be declared critical and unacceptable. A sandboxed approach may be used to protect critical information. This network must be under strict surveillance and given top priority.

Threats of intrusion and cyber attacks, and the protection procedures against them, are evolving with time. However, no system is perfect and there are always vulnerabilities to cyber attacks. Military information is particularly important, and any attack against it is a direct attack on the national security of the US. Sensitive and strategic information has to be sandboxed and kept under critical surveillance systems, with minimum exposure to networks outside the military. The threat to satellite communications remains, and prevention procedures are passive in nature.

References

Andress, J., & Winterfeld, S. (2011). Cyber warfare: Techniques, tactics and tools for security practitioners. Maryland: Syngress.
Bufkin, M., DeKnopper, M., Heyman, J., Lesser, H., LaPann, J. & Rhodes, D. (2011). Milsat Magazine, October 2011, 10.
Carr, J. (2009). Inside cyber warfare: Mapping the cyber underworld. New Jersey: O'Reilly Media.
Department of the Navy. (2006). US Marine Radio Operator's Handbook (MCRP 3-40.3B). Washington, DC.
Endorf, C., Scultz, E. & Mellander, J. (2006). Intrusion Prevention and Detection. California, CA: Brandon Nordin.
Engebreston, P. (2011). The Basics of hacking and penetration testing: Ethical hacking and penetration testing made easy. Maryland: Syngress.
Foreign Affairs, Defense and Trade Division. (2008). Congressional Research Service report for Congress: Botnets, cybercrime and cyber terrorism. Washington, DC: US Government Printing Office.
Freebersyser, A. & Macker, J. (2009). Realizing the Network Centric Warfare Vision: Network Technology Challenges and Guidelines. Defense Advanced Research Agency.
Gragido, W., & Pirc, J. (2011). Cybercrime and espionage: An Analysis of subversive multi-vector threats. Maryland: Syngress.
Kramer, F.D., Starr, H.S., & Wentz, L. (2009). Cyber power and national security. Washington, DC: Potomac Books Inc.
Peiravi, A. & M. (2010). Internet security. Journal of American Science, 6, 17-19.
Popovski, P., Yomo, H. & Prasad, R. (2006). Strategies for adaptive frequency hopping in the unlicensed bands. IEEE Wireless Communications, 1536, 60-61.
Pugliese, D. (2011). Military satellite project sparks secrecy concerns. Retrieved from http://www.montrealgazette.com/technology/Military+satellite+project+sparks+secrecy concerns/5741081/story.html
Wadsworth, D.V. (2010). Military communications satellite system multiplies UHF channel capacity for mobile users. IEEE conference publishing. Piscataway, NJ: Hoes.
Source: https://studentshare.org/information-technology/1436049-security-risk-analysis
