Security Incident Event Management - Report Example

Full Paper Proposed Solution In the proposed solution, we have proposed a screened subnet along with a presence of a SecurityIncident Event Management device that will generate alerts based on the defined criteria and rules. We have added an extra layer of security for the organization. The circuit level gateway firewall that operates on session layer Circuit level Gateway/Firewall. (2007) at both ends will be deployed on different subnets for security starting from the physical layer to the application layer Nelson, M. (1998). However, the SIEM device needs to support the network layer traffic. Moreover, there are some limitations associated with the SIEM such as number of events per second to be generated, based on the logs being generated from the system and pulled by the SIEM agents Firewall. (2007). 2 Risk Assessment for Global Finance Incorporated based on ISO 27001 Risk Identification & Evaluation Threat No. Asset Value (V) Threat / Vulnerability Threat / Vulnerability Description Probability (P) Impact (M) Exposure (E=P*M) Criticality (E*V) Risk Rating Applied Security Control Risk Acceptance Level Risk Treatment Methodology Residual Risk Risk Owner Preventive Actions Corrective Actions Hardware-Physical 1 2 Hardware Failure Power Surge Outdated Hardware installed in machines. 1 2 2 4 Low Stabilizer have been installed UPS is also available to protect machines from power failed. Standard is maintained related to hardware installed in a machine to avoid incompatibility. 4 hours Backup hardware inventory maintained by Asset Coordinator. Asset list maintained by Asset Coordinator IT shall inspect machine Depending on the damages IT shall replace hardware If not repairable, machine shall be replaced by new one. If backup Hardware is not available then need to purchased new Hardware. IT Asset Coordinator 2 2 Fire Short Circuit 1 3 3 6 Low Cabling done through proper ducting. 0 minute circuit breakers and Stabilizer installed EOT/IT shall be notified. Fire extinguisher should be used where necessary. Power shall be switched off Damaged hardware shall be replaced with new one In-case machine is not repairable, replaced with new one Asset coordinator shall update inventory accordingly Machines may be directly connected to main power. IT 3 2 Theft 1 -unavailability of guard 2-Unavailability of CCTV Camera 1 2 2 6 Low 1) CCTV Camera logging. 2) Restricted Access to office premises. 3) 24x7 Guard available on main gate. 2 Day 1) Physical Intrusion detection system installed 2) Regular camera monitoring 3) backup guard trained to take guard in-case of unavailability IMT/Admin shall be notified. Backup will be installed. Camera recording will be reviewed. If anyone found guilty disciplinary action will be taken. No residual risk IT Asset Coordinator ADO 4 2 Earthquake 1-Building Structure Damage 2- Asset Damage Due to Jolts. 1 3 3 9 Medium No control can be applied as it is catastrophic disaster 7 Days Asset Shall be placed in such a way to lessen damage due to falling 1. Turn off the main power Turn off UPS and generators 2. If site not functional and emergency is declared then move to contingency site. The original risk remains as there is no remedial action for catastrophic disaster. IT 6 3 Configuration errors Unethical changes made 1 3 3 9 Medium No security controls applied 1 Day no preventive controls in place 1. printer shall be re-configured. No residual risk IT 7 3 Hardware Failure 1-Power Surge 2- Low Standard part installed 2 2 4 12 Medium No security controls applied 2 Day Stabilizer have been installed Legitimate vendor is used to reduce parts quality related issues IT shall be informed Asset coordinator shall provide backup printer. backup printer might not provide all functionality of original printer installed IT Asset Coordinator 8 3 Fire Short Circuit 1 3 3 9 Medium cabling done through proper ducting. 1 Day circuit breakers and Stabilizer installed Backup printer shall be installed Fire extinguishers shall be used to extinguish fire. In-case of heavy fire; if other printers are also not in functional state then there shall be no printer available. IT Asset Coordinator ADO 9 3 Theft 1 -unavailability of guard 2-Unavailability of CCTV Camera 1 2 2 6 Low 1) CCTV Camera logging. 2) Restricted Access to office premises. 3) 24x7 Guard available on main gate. 2 Day 1) Physical Intrusion detection system installed 2) Regular camera monitoring 3) Backup Printers 4) backup guard trained to take guard in-case of unavailability IMT/Admin shall be notified. backup printer will be installed. camera recording will be reviewed. If any one found guilty disciplinary action will be taken. No residual risk IT Asset Coordinator ADO 10 3 Earthquake 1-Building Structure Damage 2- Asset Damage Due to Jolts. 1 3 3 9 Medium No control can be applied as it is catastrophic disaster 7 Days Asset Shall be placed in such a way to lessen damage due to falling 1. Turn off the main power Turn off UPS and generators 2. If site not functional and emergency is declared then move to contingency site. the original risk remains as there is no remedial action for catastrophic disaster. IT 3 Vulnerabilities Vulnerabilities in network security are regarded as the “soft spots” that are evidenced in every network. These vulnerabilities exist in the network as well as individual devices that constitute the network. Networks are usually beset by one or sometimes all three of the primary vulnerabilities or weaknesses. They are as follows: ■ Technology weaknesses ■ Configuration weaknesses ■ Security policy weaknesses Each of these weaknesses will be examined in more detail, in the sections that follow. 3.1 Technological Weaknesses Computer and network technologies display intrinsic security weaknesses. TCP/IP protocol weaknesses, operating system weaknesses, and network equipment weaknesses are all examples of such weaknesses. Table 1-1 describes these three weaknesses. Weakness Description TCP/IP protocol weaknesses HTTP, FTP, and ICMP are not secure essentially. Simple Mail Transfer Protocol (SMTP), Simple Network Management Protocol (SNMP) and SYN floods are associated with the inherently vulnerable structure upon which TCP has been designed Operating System weaknesses Operating systems like the UNIX, Windows NT, 9x, 2K, XP and OS/2, Linux and Macintosh show security problems that need to be addressed. Network equipment weaknesses Various types of network equipment such as firewalls (Agnitum outpost persona firewall pro 2.0.2004), switches, routers; all have security weaknesses that must be acknowledged and safeguarded against. Those include the following weaknesses: a) Password protection b) Lack of authentication c) Routing protocols d) Firewall holes Table 1-1 3.2 Configuration Weaknesses Network administrators or network engineers are required to understand the configuration weaknesses and accurately configure their computing and network devices to counteract the common configuration weaknesses. Weakness How the Weakness Is Exploited Unsecured user accounts Insecure transmission of User account information might occur across the network, exposing usernames and passwords to scoopers as a result. System accounts with easily selected and guessed passwords This common issue is the result of badly chosen and easily guessed user passwords. Misconfigured Internet services This common problem occurs upon turning on JavaScript in web browsers which enables attacks by means of hostile JavaScript whilst accessing untrusted sites. Some complications also take place due to IIS, Apache, FTP and Terminal Services. Unsafe default settings within products The default settings in a number of products enable security holes. Misconfigured network equipment Significant security problems come about because of misconfigurations of the equipment itself. For instance, misconfigured routing protocols, certain access lists or even some SNMP community strings can open up large security holes. Remote-access controls, due to misconfiguration or lack of encryption, can also produce significant security Issues. The practice of leaving ports open on a switch (which could allow the introduction of non-company computing equipment) also do the same. Table 1-2 3.3 Security Policy Weaknesses Security policy weaknesses can give rise to unpredicted security threats. If users do not follow the security policy, the network, as a result, can pose security risks to the network. 4 Attacks Four primary classes of attacks are present: ■ Reconnaissance ■ Access ■ Denial of service ■ Worms, viruses, and Trojan horses 4.1 Reconnaissance The unauthorized discovery and mapping of systems, services, or vulnerabilities is referred to as Reconnaissance. It is also known as information gathering and it commonly manifests before an actual access or denial-of-service (DoS) attack. Reconnaissance is rather comparable to a thief casing a neighbourhood in search of vulnerable homes to break into, like easy-to-open doors, windows left open or just a vacant residence (Mitigating security threats by minimizing software attack surfaces.2008). 4.2 Access The ability with which an unauthorized intruder gains access to a device without having prior access to its account or password is called System access. For one, to enter or access systems that one does not have the right to access, commonly involves running a hack, script, or a tool that manipulates a known vulnerability of the system or application that is being attacked. 4.3 Denial of Service (DoS) When networks, systems, or services are disabled or corrupted with the intention of denying services to intended users, it is known as Denial of service. Under the DoS attack, the system either crashes or it slows down to the extent that it becomes practically unusable. A DoS can be also as basic as just deletion or corruption of information. While performing the attack simply, most instances involve running a hack or script. Prior access to the target is not necessary since a way to access it, is all that is normally required. DoS attacks are the most feared because of these reasons. 4.4 Worms, Viruses, and Trojan Horses Malicious software is inserted into a host to replicate itself; to damage a system or to corrupt it otherwise it serves to block services or access to networks, systems or services. Moreover, this kind of software allows sensitive information to be copied or echoed to other systems as well. A Trojan horse is employed on a commonly trusted screen to ask the user for sensitive information. For example, an attacker might prompt a user to type his username and password by means of logging in to a Windows box and running a program that looks like the true Windows logon screen to achieve this purpose. The program would then give the Windows error for bad password after sending the information to the attacker. The user would, as a result, log out and the correct Windows logon screen would appear. During this whole situation, the user would be none the wiser to the fact that his password had just been stolen. Unfortunately, the ever-changing nature of all these threats is making it worse—from the somewhat simple viruses of the 1980s to the more advanced and damaging viruses, DoS attacks, and hacking tools in recent years, all have become a bane to the online society. Today, not only are the hacking tools more powerful and widespread. There is also an advent of new threats including self-spreading blended worms like Slammer and Blaster and network DoS attacks. Previously, attacks took days, even weeks to spread. Those days are long gone as threats now spread worldwide in a matter of minutes. An example is the Slammer worm of January 2003 that spread far and wide in less than 10 minutes. The time expected for the next generations of attacks to spread is just mere seconds. These worms and viruses do not just spread mayhem by generating the volume of traffic responsible for overloading network resources but they also have the capacity to deploy damaging payloads to steal critical information or to erase hard drives. There is a strong concern that the dangers of tomorrow will be targeted directly upon infrastructure of the Internet. 5 Examples of Attacks Several types of attacks are employed today and a representative sample will be explored below in detail: 5.1 Reconnaissance Attacks Reconnaissance attacks comprise of the following: ■ Packet sniffers ■ Port scans ■ Ping sweeps ■ Internet information queries Ping sweeps around the target network usually enable the malicious attacker to ascertain which IP addresses are alive. The intruder then makes use of a port scanner to ensure which among the network services or ports are active on the live IP addresses. The intruder queries the ports using this information, so as to establish the application type and version of the OS as well as the type and version of operating system running on the target host. This information is the basis through which the intruder decides whether a potential vulnerability exists, to be exploited. Using software utilities like the “Ns lookup” and “Who is”, an attacker can easily find out the IP address space assigned to a given entity or corporation. The ping command informs the attacker about whichever IP addresses are alive. Packet sniffing and Network snooping are common terminologies for eavesdropping. Generically, eavesdropping is considered as listening in on a conversation, prying, spying or snooping. The information collected by eavesdropping can be utilized to pose other attacks to the network (Agnitum outpost persona firewall pro 2.0.2004). An instance of data vulnerable to eavesdropping is SNMP Version 1 community strings which are transmitted in clear text. An intruder gathers valuable data on network equipment configuration by eavesdropping on SNMP. One more example is capturing usernames and passwords as they cross a network. 5.2 Types of Eavesdropping A general procedure for eavesdropping on communications is a) TCP/IP or other protocol packets are firstly captured. b) Those contents are then, decoded using a protocol analyser or a utility. Two popular applications of eavesdropping are as follows: ■ Information gathering—Usernames, passwords, or credit card numbers and sensitive personal information as well as any other information that is carried in the packet is prone to network intruders’ identification by employing the method of eavesdropping. ■ Information theft—Network eavesdropping enables information theft. The theft can take place during the time of data transmission over an internal or external network. The network intruder obtains unauthorized access so as to steal data from networked computers. Such cases include using a computer to crack a password file or breaking into and eavesdropping upon financial institutions to obtain credit card numbers. 5.3 Tools Used to Perform Eavesdropping The tools used for eavesdropping are: ■ Network or protocol analysers ■ Packet acquiring utilities on networked computers 5.4 Methods to Counteract Eavesdropping Some of the most efficient methods for countering eavesdropping are mentioned below (Mitigating security threats by minimizing software attack surfaces.2008): ■ Implementation and enforcement of a policy ruling that prohibits the practice of protocols that are prone to eavesdropping ■ Use of encryption that satisfies the data security requisites of the organization without inflicting an undue burden on the users or the system resources ■ Use of switched networks 6 Encrypted Data for Protection against Reconnaissance Attacks Encryption offers protection to the data susceptible from eavesdropping attacks, password cracking and manipulation. A number of advantages of data encryption are as follows: ■ Every company perform financial transactions. They can be in for dire consequences, if observed by an eavesdropper. Encryption warrants that whenever sensitive data passes over a susceptible medium, it cannot be altered or overseen by an intruder. ■ Decryption is necessary after the data gets through to the router or other termination device present on the distant -receiving LAN where the destination host is located. ■ Cisco IOS network-layer encryption allows all intermediate routers and switches to advance the traffic like they do for any other IP packet by way of encrypting after the UDP or TCP headers so that only the IP payload data is encrypted. Payload-only encryption lets flow switching and all access list features to operate with the encrypted traffic same as with plain text traffic, thereby maintaining the desired quality of service (QoS) for all data. Most encryption algorithms can be cracked and their information can be exposed if the attacker has the time, desire, and resources to attempt the endeavour. A realistic objective for encryption is to make the procurement of information so work-intensive so as to not be an appealing and worthwhile effort for the attacker (Gharibi & Mirza, 2011). 7 Vulnerability Analysis One needs to recognize the current state of the network and organizational practices before incorporating new security solutions to an existing network. It should be done to verify their current compliance with the requirements. The analysis also provides an opportunity to identify probable improvements and the potential necessity to reformat a part of the system or to rebuild it from scratch to fully satisfy the requirements. This analysis can be broken down into the following steps (Krügel, 2002): 1. Policy identification 2. Network analysis 3. Host analysis 7.1 Policy Identification The designer should analyse an existing security policy to identify the security requirements. It will have some bearing on the design of the perimeter solution. Primarily, the designer should scrutinize two basic areas of the policy: ■ The policy should distinguish the assets that require protection. This enables the designer to supply the correct amount of protection for susceptible computing resources and allows identification of the flow of sensitive data in the network. ■ The policy should recognize possible attackers. This gives the designer insight into the degree of trust designated to internal and external users, preferably classified by more specific categories such as business partners, outsourcing IT partners or customers of an organization. It is imperative that the designer should be able to evaluate whether the policy was conceived using correct risk-assessment procedures. Like say, did the policy development incorporate all pertinent risks for the organization and not neglect important threats? The designer should also re-examine the policy mitigation procedures to decide whether they adequately alleviate foreseeable threats. This ensures that the designer will work with a policy which is up-to-date and complete. Organizations that require a high level of security assurance will call for defence-in-depth mechanisms to be implemented to avoid singular points of failure. The designer also ought to work with the organization to ascertain how much investment in security measures is suitable for the resources requiring protection. The result of policy analysis is given as: ■ The evaluation of policy precision and comprehensiveness ■ Recognition of feasible policy improvements that need to be created before the security application stage 8 Network Analysis Many industry best practices, tools, guides, and training are available to assist in secure network devices. These combine tools from Cisco including Cisco Output Interpreter, Auto Secure and also from innumerable web resources. Third-party resources comprise of the U.S. National Security Agency (NSA), Cisco Router Security Recommendation Guides, the Center for Internet Security (CIS) and the Router Audit Tool (RAT) for examining Cisco router and PIX Security Appliance configuration files. References Agnitum outpost persona firewall pro 2.0. (2004). District Administration, 40(2), 68-68. Gharibi, W., & Mirza, A. (2011). Software vulnerabilities, banking threats, botnets and malware self-protection technologies. International Journal of Computer Science Issues (IJCSI), 8(1), 236-241. Krügel, C. (2002). Service specific anomaly detection for aviation network intrusion detection 2012(3/14/2012), 3/14/2012. doi:10.1145/508791.508835 Mitigating security threats by minimizing software attack surfaces.(2008). Computer Economics Report, 30(5), 15-19. Firewall. (2007). Bloomsbury Business Library - Business & Management Dictionary, , 3113-3113. Nelson, M. (1998). Two faces for the firewall. InfoWorld, 20(41), 1. Circuit level Gateway/Firewall. (2007). Network Dictionary, , 99-99. Read More