CERT Australia Network Threat Risk Assessment - Case Study Example

CERT Australia Network Threat Risk Assessment

Table of Contents

Executive Summary
CERT Australia Network Threat Risk Assessment
Introduction
Forms of Cyber Attacks
Active Attacks
Passive Attacks
Network Security for Wireless Sensor Networks
Situational Crime Prevention
Countermeasures against the Network Threats
Cryptography
Digital Signatures
Virtual Local Area Networks
Access Lists
Firewalls
Conclusion
References

Executive Summary

This is a report on the possible cyber threats that CERT Australia is likely to experience on the launch of a new policy to the public. CERT Australia works with other government agencies such as the Cyber Security Operations Centre to deliver its mandate. It also collaborates with other Computer Emergency Response Teams across the world to exchange information on emergent cyber threats. These working arrangements enable CERT Australia to determine the appropriate computer security advice and policies to develop for the public. The report also determines the appropriate countermeasures to adopt when fighting cybercrime, and discusses the solutions that fit into the Situational Crime Prevention approach.

CERT Australia Network Threat Risk Assessment

Introduction

Australia has put in place the necessary measures to achieve cyber security. The central organisations in this effort are the Cyber Security Operations Centre and the Computer Emergency Response Team (CERT). Varied agencies contribute to the running of these organisations. CERT integrates cyber security measures to protect Australian society, giving a harmonised point of coordination. CERT Australia strives to provide the public with access to information on cyber threats such as vulnerabilities, and to advise persons controlling important national infrastructure on how to defend against online attacks. It also creates a single point of contact for Australia to liaise with other CERTs internationally.
Since its inception in 2010, CERT Australia has been sharing information and collating responses related to cyber security to improve information security in Australian society. It coordinates with the Cyber Security Operations Centre to give situational awareness, develop cyber security crisis management plans, conduct cyber security tests, and enhance coordination between government, private business, and national and international players (Australia, 2012). CERT Australia intends to release a new cyber security policy in the near future to counter new threats identified in the digital space. This report examines the possible cyber-attacks that information system administrators should expect. The countermeasures that can be used against such attacks are also highlighted, together with their position in the Situational Crime Prevention framework. Finally, an analysis of the current laws that limit the established countermeasures is made, with an evaluation of how the problem fits in the international scope.

Forms of Cyber Attacks

There are varied threats that a computer host may be exposed to due to its connection to a network. A cracker may randomly test a computer security system to steal data. Alternatively, a person may steal the credit card numbers of varied people and sell them for personal gain. Network attacks may be executed as either passive or active attacks.

Active Attacks

Active attacks are characterized by attempts to bypass or break through a secured computer system. CERT Australia indicates that sending viruses, Trojan horses, and worms to a remote host over a network channel may effectively execute such attacks. Some examples of active network attacks include man-in-the-middle attacks, denial-of-service attacks, brute force attacks, botnet attacks, browser attacks, SSL attacks, smurf attacks, and ping flooding.
A man-in-the-middle attack is one where a third party intercepts messages and sends fake messages between two parties without either of the communicating parties realizing that they are dealing with an impersonator. A denial-of-service attack is one that aims at making a computing resource unavailable to its users. This can be done by sending an overload of service requests to the server. CERT Australia reiterates that the requests would end up crashing the system. A newer model of this attack adopts a distributed approach, such that several computers are coordinated to flood the server with requests (Newson, 2005). Brute force attacks use trial and error to break through an authentication system such as a password. Browser attacks spread downloadable malware onto users' computers to corrupt them or steal information. Botnet attacks involve the use of several compromised computers under centralised control to spread spam mail, execute click-fraud, and effect DDoS.

Passive Attacks

A passive attack is more about the monitoring of sensitive communication sent over a network without proper encryption. For instance, clear-text passwords may be sniffed during their transmission over a network. Types of passive network attacks include wiretapping, port scanning, and idle scanning.

Network security measures may be grouped under four broad categories: integrity reinforcement, authentication, non-repudiation, and confidentiality. Confidentiality defines the need to keep information only within the reach of authorized persons. Third parties need not access any communication between specified parties who have established trust. Authentication entails establishing the identity of the person one is communicating with before allowing access to a computer system or computing resources.
Non-repudiation is more about proving the exact communication made between hosts using digital signatures, so that one cannot deny the exact details of a given communication (Newson, 2005). Finally, reinforcement of integrity preserves the originality of computing resources such as files and messages in transit. This principle ensures that any alteration made to a message exchanged between two hosts in a network is detected.

CERT Australia recommends that before one builds a computer network, they should conduct a risk analysis to understand the areas that make the information system vulnerable. When a system is hosted on a web server, the risk of attack is much higher than when it runs on local hosts within private networks. Conducting an information systems security risk analysis also allows for the development of business continuity plans, response plans and risk mitigation plans. By mapping out possible risks early enough, there is an increased chance of preparedness. Security vulnerabilities in information systems can easily escalate through multiple channels that may be causally related. A security risk analysis model can be relied upon to establish any causality between risk factors.

Network Security for Wireless Sensor Networks

Wireless Sensor Networks hold strategic importance in the development of the Internet of Things, as they create a layer of virtual access to information from automated manufacturing and industrial applications. However, the integration of varied sensor networks always brings along information security challenges at the network level. It is critical to explore the importance of device and application security in the quest to integrate wireless sensor networks. Network security challenges still deter most integration efforts. They include challenges in achieving data privacy, and difficulties in achieving system integration for varied security mechanisms.
Wireless sensor nodes that are connected directly to the internet are affected by security vulnerabilities like denial-of-service attacks; the need for user authorization and authentication; and the need for enhanced security applied along the communication channel (Newson, 2005). Other issues include accountability, achieving proper application functionality, hardware compatibility, and network redundancy. Supervisory Control and Data Acquisition systems have central control systems and substations that are remotely situated on Remote Terminal Units. These systems are being considered to solve some of the challenges affecting the Internet of Things.

All the network layers handle network security in a comprehensive framework. CERT Australia reiterates that every layer should contribute a particular function that works towards the delivery of network security. For instance, wiretapping into the network may trigger countermeasures such as sealing optical fibres in gas tubes such that when they are broken, alarms go off. The data link layer may be used to provide data encryption and decryption. Internet Protocol security and firewalls may then be placed in the network layer to control the flow of packets. The transport layer may then use process-to-process encryption, leaving the common functions of authentication and non-repudiation to be implemented by the application layer (Australia, 2012).

Situational Crime Prevention

Information security is a key concern for most organisations due to the increased levels of threats, both internal and external. There are varied ways of analysing cyber threats. The SKRAM model follows the skills, knowledge, motives, access and resources possessed by the perpetrators of the cybercrime. Legitimate employee skills gained from daily tasks may be used illegitimately for personal gain. This is often the case, especially when the employees understand the existing vulnerabilities within the information system.
Companies may strive to stem insider threats by screening their workforce, assigning every user definite information security responsibilities, creating awareness programmes, and defining security policies (Willison & Siponen, 2009). A better approach to analysing the perspective of the perpetrators of insider cybercrime can be found within the realms of criminology. Situational Crime Prevention (SCP) is a framework that focuses on the specific criminal act and then defines measures to prevent the commission of the insider criminal act. Notably, this framework is more concerned with the criminal act than with the potential causes of the criminal act (Reyns, 2010). Employing the SCP framework may help organisations to prevent cybercrime through the elimination of opportunities for crime. After understanding the circumstances of the criminal setting, suitable mechanisms can be adopted to alter the setting in order to counter the threat. An SCP approach prevents the crime from happening rather than waiting to detect, apprehend or punish criminals. It may involve making the crime less rewarding or more difficult to accomplish. Ultimately, the approach discourages criminals through their own rational choice: one weighs the potential gain against the potential risk, loss or failure and decides not to commit the crime.

Situational Crime Prevention applied to network security involves studying situational circumstances within the network, making it costly and risky to execute network attacks, and reducing instances that would provoke users to commit cybercrime. It is also important to safeguard the information systems to reduce the offender's perception of the susceptibility of the system. This eventually dissuades them from committing cybercrime as the consequences weigh them down (Reyns, 2010). Increasing the effort may be done by using restricted access, such as requiring login details and defining a maximum number of login attempts.
Firewalls, encryption and database protection are also helpful in increasing the amount of effort required to commit the crime. The other option under SCP is to increase the risk of penetrating the network. Steps that can be taken to this end include checking the background of employees given privileged database access, using biometric identification for access, using cameras at sensitive workstations such as automated teller machines, and tracking user actions such as the history of their keystrokes (Reyns, 2010). Alternatively, the rewards for committing the crime can be reduced by imposing severe penalties on hackers, relaying real-time information on compromised systems and sending immediate notification when one loses his or her credit cards. Reduction of provocative instances may involve leading organisational awareness campaigns amongst employees to embrace a responsible use policy. This would also reduce any excuses for employees to commit cybercrime (Willison & Siponen, 2009).

Countermeasures against the Network Threats

Cryptography

This is a security mechanism that uses ciphers to distort a message in transit such that when an unauthorized party taps it along the way, he or she cannot make any meaning of it. Ciphers are transformations that change the bits or characters of a message to hide it. Ciphers do not consider the semantics or syntax of the message being sent. The plaintext is transformed using a private key to create a ciphertext that is conveyed over the network. When the receiver gets it, he or she decrypts it using the public key. Varied types of ciphers include transposition ciphers and substitution ciphers. There is a need to create redundancy in cryptography. It is also important to devise measures to counter any replay attacks. Some known cryptographic algorithms include the Advanced Encryption Standard, the Data Encryption Standard, Rijndael, and RSA (Newson, 2005).
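The SCP measure of capping login attempts, discussed above as a way of raising the effort a brute force attack needs, is easy to state but has a few details worth seeing in code: the failures must be counted over a sliding window, a lock must refuse even a correct password while it holds, and the lock itself should raise an alert so that the operations team sees the attempt. The following is an added example and not part of the report; the log format, the thresholds (5 failures in 10 minutes, 15-minute lockout) and the sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format; not from the report or any real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01 auth FAIL user=alice src=10.0.5.23
2024-03-01T09:00:03 auth FAIL user=alice src=10.0.5.23
2024-03-01T09:00:04 auth FAIL user=alice src=10.0.5.23
2024-03-01T09:00:06 auth FAIL user=alice src=10.0.5.23
2024-03-01T09:00:07 auth FAIL user=alice src=10.0.5.23
2024-03-01T09:00:09 auth OK   user=alice src=10.0.5.23
2024-03-01T09:05:00 auth FAIL user=bob   src=10.0.7.8
2024-03-01T09:20:00 auth FAIL user=bob   src=10.0.7.8
2024-03-01T09:40:00 auth OK   user=bob   src=10.0.7.8
"""

LINE_RE = re.compile(r"^(\S+) auth (FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")

MAX_FAILURES = 5                 # failures allowed inside WINDOW before lockout (assumed policy)
WINDOW = timedelta(minutes=10)   # sliding window over which failures are counted
LOCKOUT = timedelta(minutes=15)  # how long the account stays locked


class LoginGuard:
    """Tracks failed logins per account and enforces a lockout (the SCP 'increase the effort' control)."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> datetime when the lock expires
        self.alerts = []                    # human-readable detections

    def _prune(self, user, now):
        # Drop failures that have fallen out of the sliding window.
        recent = self.failures[user]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def record(self, ts, outcome, user, src):
        """Process one attempt and return 'allowed', 'failed' or 'locked'."""
        if user in self.locked_until and ts < self.locked_until[user]:
            # Even a correct password is refused while the lock holds.
            self.alerts.append(f"{ts.isoformat()} attempt on locked account user={user} src={src}")
            return "locked"
        self._prune(user, ts)
        if outcome == "OK":
            self.failures[user].clear()
            return "allowed"
        self.failures[user].append(ts)
        if len(self.failures[user]) >= self.max_failures:
            self.locked_until[user] = ts + self.lockout
            self.alerts.append(
                f"{ts.isoformat()} lockout user={user} src={src} "
                f"({len(self.failures[user])} failures within {self.window})"
            )
            return "locked"
        return "failed"


def analyse(log_text):
    """Replay a log through the guard; return per-attempt outcomes and the alerts raised."""
    guard = LoginGuard()
    outcomes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        ts = datetime.fromisoformat(m.group(1))
        outcome, user, src = m.group(2), m.group(3), m.group(4)
        outcomes.append((user, guard.record(ts, outcome, user, src)))
    return outcomes, guard.alerts


if __name__ == "__main__":
    results, alerts = analyse(SAMPLE_LOG)
    for user, verdict in results:
        print(user, verdict)
    for alert in alerts:
        print("ALERT", alert)
```

Run on the sample, alice's fifth failure in eight seconds locks the account, and her correct login two seconds later is still refused and alerted, which is the behaviour that blunts a brute force run; bob's two failures fifteen minutes apart fall outside the window and never accumulate, which is the edge case a naive total counter gets wrong.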
Digital Signatures

These are electronic security schemes meant to achieve the following: allow the recipient of a message to establish the veracity of the claimed identity of the sender; ensure non-repudiation on the side of the sender; and ensure non-alteration of the message by the receiver. The various types of digital signatures include symmetric-key signatures and public-key signatures. Digital signatures can be created by using one centralized and trusted authority. Every other user then holds a secret key (Forouzan, 2007).

In a symmetric-key signature, suppose Alice needs to communicate with Bob; she would share a private/public combination with the central authority. Bob would do the same. Therefore, Bob will not know the keys used by Alice. Alice sends an initial message KA(B, RA, t, P), with B as the identity of Bob, RA as some random number chosen by Alice, t as the timestamp for this specific message, P as the plaintext message, and KA(B, RA, t, P) as the message encrypted using Alice's key. The message is sent to a central authority, CA. CA decrypts the message from Alice and sends the message to Bob as KB(A, RA, t, P, KCA(A, t, P)). This overall message to Bob has a signed message portion KCA(A, t, P) and a plaintext portion containing Alice's original message. CA encrypts all of these using Bob's public key.

Public-key signatures rely on the reversing property of the encryption (E) and decryption (D) algorithms, namely that E(D(P)) = P and D(E(P)) = P. If Alice's public and private keys are EA and DA respectively, while Bob's public and private keys are EB and DB respectively, then the digital signature is implemented as follows. Suppose Alice wants to send a plaintext message to Bob and both know each other's public key. She would first encrypt the plaintext message using her private key, giving DA(P). She would then encrypt the resultant message using Bob's public key in order to send the message specifically to Bob, giving EB(DA(P)).
In order to recover the plaintext message, Bob would need to use his private key DB, then proceed to use Alice's public key EA to decrypt the message and access the plaintext, P.

Cryptography can also be used in authentication. In a two-way approach to authentication between Bob and Alice, Alice may start by sending her identity, A, to Bob. Doubting whether the person who sent the message is actually Alice, Bob sends a random number RB to Alice. Alice is required to encrypt this random number with the common key she shares with Bob, producing KAB(RB), as proof that it is indeed Alice communicating. Bob would believe that it is Alice communicating, since no other person knows the key KAB, and RB was randomly generated. Alice also sends a random number RA to Bob for him to encrypt using the shared key, producing KAB(RA), so that she too is sure that it is Bob communicating.

Virtual Local Area Networks

When designing the network architecture, it is important to separate the intranet servers, public extranet servers, and individual user workstations into defined VLANs. This allows for an easier implementation of the organisation's security policy. For example, the network administrators can define layer 3 access lists to allocate permissions for resource access. Firewall rules also determine the direction of network traffic flow in an organisation's network. The isolation of network management infrastructure like TFTP servers, syslog servers and several workstations under a separate VLAN is also important in enhancing network security (Lippmann, Riordan, Yu, & Watson, 2012). The components in the network design should have a physical port in the management VLAN to improve the security of their transmissions. Alternatively, they should be connected with encrypted protocols like IPsec and SSH to protect the messages in transit. Virtual Local Area Networks are also helpful in protecting networks against internal threats.
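The two-way challenge-response exchange between Alice and Bob described above, and the replay-attack concern raised in the Cryptography section, can both be checked in a few lines. What follows is an added example written for this page, not code from the report or from CERT Australia. It models both parties, records the four messages of the exchange, and shows why the nonces must be fresh and single-use: a proof captured from an earlier session fails against a new challenge. One assumption is labelled in the code: the report speaks of encrypting the nonce under the shared key KAB, whereas this example uses HMAC-SHA256 keyed with KAB as the keyed function, since only the keyedness of the transformation matters for the check.

```python
import hashlib
import hmac
import secrets


def keyed_proof(key: bytes, nonce: bytes) -> bytes:
    # Stand-in for K_AB(R): the report describes encrypting the nonce under the shared key;
    # this example uses HMAC-SHA256 as the keyed function instead (an assumption of this example).
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Party:
    """One endpoint holding the shared key K_AB; it issues nonces and checks proofs for them."""

    def __init__(self, name: str, shared_key: bytes):
        self.name = name
        self.key = shared_key
        self.outstanding = None  # nonce we issued and still await a proof for

    def challenge(self) -> bytes:
        self.outstanding = secrets.token_bytes(16)  # fresh random R for every run
        return self.outstanding

    def respond(self, nonce: bytes) -> bytes:
        return keyed_proof(self.key, nonce)

    def verify(self, proof: bytes) -> bool:
        if self.outstanding is None:
            return False  # no challenge pending: nothing to accept
        expected = keyed_proof(self.key, self.outstanding)
        self.outstanding = None  # a nonce is single-use, whatever the result
        return hmac.compare_digest(proof, expected)


def mutual_auth(alice: Party, bob: Party, transcript=None) -> bool:
    """Run A->B: A ; B->A: R_B ; A->B: K_AB(R_B), R_A ; B->A: K_AB(R_A)."""
    transcript = transcript if transcript is not None else []
    transcript.append(("A->B", "identity", alice.name))
    r_b = bob.challenge()
    transcript.append(("B->A", "R_B", r_b.hex()))
    proof_b = alice.respond(r_b)
    r_a = alice.challenge()
    transcript.append(("A->B", "K_AB(R_B), R_A", proof_b.hex(), r_a.hex()))
    if not bob.verify(proof_b):
        return False  # Bob is not convinced: stop before answering Alice's challenge
    proof_a = bob.respond(r_a)
    transcript.append(("B->A", "K_AB(R_A)", proof_a.hex()))
    return alice.verify(proof_a)


def replay_is_rejected(shared_key: bytes) -> bool:
    """A proof captured from an earlier session does not satisfy a fresh challenge."""
    alice, bob = Party("A", shared_key), Party("B", shared_key)
    old_proof = alice.respond(bob.challenge())
    assert bob.verify(old_proof)  # the original session was genuine
    bob.challenge()               # new session, new R_B
    return not bob.verify(old_proof)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed shared key for the demo
    log = []
    print("mutual auth:", mutual_auth(Party("A", key), Party("B", key), log))
    for step in log:
        print(" ", step)
    print("wrong key rejected:", not mutual_auth(Party("A", key), Party("B", secrets.token_bytes(32))))
    print("replay rejected:", replay_is_rejected(key))
```

Two design points carry the security argument: each party clears its outstanding nonce as soon as it has been verified (successfully or not), so a proof can be tried only once, and Bob does not answer Alice's challenge until he has accepted her proof, so an impostor never obtains KAB(RA) for a nonce of its choosing. Comparison uses hmac.compare_digest rather than == to avoid leaking information through timing.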
Trunking may be used to implement VLAN connections at the layer 2 components in the switches. IEEE 802.1Q allows inter-switch connections to carry many VLANs. Both sides of a trunk between switches connecting multiple VLANs should be configured with the same native VLAN. Port security, DHCP snooping, root guard, and dynamic ARP inspection can be used to prevent spoofing attacks. Switch device attacks can be prevented by disabling CDP on every port that is not in use, and by using SSH and telnet coupled with vty ACLs. Traffic sent from servers in sensitive organisational sections such as the financial department should not share the same channel with traffic from other departments such as operations and sales. Implementing such a VLAN infrastructure may require one to first define VLANs along the created subnets. Thereafter, the VLAN interface, the uplinks for the switches, and the ports for the hosts should be configured appropriately, following a static IP addressing schema. Routing at the network core may also be used to isolate the various broadcast domains in order to improve network security and performance. This step would also eliminate sniffing attacks. Every subnet within the network should be under an Ethernet switch to create isolated collision domains for each host, thereby improving performance. Switches also eliminate chances of sniffing attacks. Network traffic that gets into a subnet can be checked by creating a policy that permits only the eligible traffic.

Access Lists

Access lists and an enhanced layer 3 design of network routers can also filter outbound traffic. Access lists can be defined during the installation of the information system. This step would help to protect the system against network attacks.
Such a definition of access lists in the workstations subnet allows only minimal inbound traffic and denies any other traffic, as workstations are not servers that support frequent remote requests from clients. There is a need to develop a trust model that defines the network sections that are less trusted against those that are more trusted. This guides the decision on which components should be grouped together and which should be separated. The access list can also be used to prevent spoofing attacks by filtering all traffic that leaves a particular subnet to identify any incorrect source address. Such addresses could be an indication of compromised hosts seeking to execute distributed denial-of-service attacks. In some cases, they may be genuine instances of misconfigured machines. Network administrators can define the following commands for a subnet to filter network traffic.

Firewalls

Firewalls can be used along the connections of public extranet servers. Their purpose may be to screen network traffic that gets to the core router and to the various VLANs built within the network. Firewalls can be installed on top of workgroup switches to create VLANs in varied network sections. Under this approach, all the related devices and hosts that have been classified as having similar security profiles are grouped together under a VLAN in order to isolate them. Firewalls isolate the VLAN traffic from the other sections of the network, thereby providing enhanced security. Network infrastructure designs need to be secure enough to prevent attacks targeted at the network switches, the MAC layer of the network components, VLAN vulnerabilities, and spoofing attacks. The topology and positioning of the hosts within a network also determine the overall level of network security.
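The access-list policy described in the two preceding sections (a workstations subnet that accepts only minimal inbound traffic, permits only eligible traffic, and drops anything leaving the subnet with a source address that is not its own) is easier to reason about when the first-match semantics of a router ACL are written out. The following is an added example for this page, not the report's own commands and not the syntax of any particular router vendor; it models the policy in Python so the verdicts can be checked against constructed traffic. The subnets 10.0.5.0/24 (workstations) and 10.0.9.0/24 (management) and all packets are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical subnets for this example (not from the report).
WORKSTATIONS = ipaddress.ip_network("10.0.5.0/24")   # user workstations VLAN
MANAGEMENT = ipaddress.ip_network("10.0.9.0/24")     # management VLAN (syslog, TFTP, admin hosts)
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = entering the workstations subnet, "out" = leaving it
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: Optional[int]


@dataclass(frozen=True)
class Rule:
    direction: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str            # "any" matches every protocol
    dport: Optional[int]  # None matches every port
    action: str           # "permit" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (
            self.direction == pkt.direction
            and ipaddress.ip_address(pkt.src) in self.src
            and ipaddress.ip_address(pkt.dst) in self.dst
            and self.proto in ("any", pkt.proto)
            and self.dport in (None, pkt.dport)
        )


# Minimal policy for a workstations subnet: inbound only SSH from the management VLAN;
# outbound only from addresses that really belong to the subnet. Anything unmatched is dropped.
RULES = [
    Rule("in", MANAGEMENT, WORKSTATIONS, "tcp", 22, "permit"),
    Rule("out", WORKSTATIONS, ANY, "any", None, "permit"),
]


def evaluate(pkt: Packet, rules=RULES) -> str:
    """First matching rule wins; implicit deny at the end, as on a router ACL."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def spoofed_sources(packets, subnet=WORKSTATIONS):
    """Outbound packets whose source is not in the subnet: misconfigured or compromised hosts."""
    return [p.src for p in packets
            if p.direction == "out" and ipaddress.ip_address(p.src) not in subnet]


def filter_packets(packets, rules=RULES):
    return [(p, evaluate(p, rules)) for p in packets]


# Constructed sample traffic.
SAMPLE_PACKETS = [
    Packet("out", "10.0.5.23", "203.0.113.10", "tcp", 443),   # normal web browsing
    Packet("out", "198.51.100.7", "203.0.113.10", "tcp", 80),  # source is not ours: spoofed or misconfigured
    Packet("in", "10.0.9.4", "10.0.5.23", "tcp", 22),          # admin SSH from the management VLAN
    Packet("in", "203.0.113.10", "10.0.5.23", "tcp", 445),     # unsolicited SMB from outside
]

if __name__ == "__main__":
    for pkt, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{verdict:6} {pkt.direction:3} {pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}")
    print("suspected spoofed sources:", spoofed_sources(SAMPLE_PACKETS))
```

The anti-spoofing control is the source match on the outbound permit rule: a packet leaving the subnet with a foreign source address matches nothing and falls through to the implicit deny. Reporting those sources separately, as spoofed_sources does, gives the administrator the list of hosts to inspect, which the report notes may be compromised machines or merely misconfigured ones.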
The other critical aspects necessary to achieve enhanced network security are the choice of proper technologies (both software and hardware) and the proper configuration of every network component installed. The network architecture used should also be able to avert network attacks from across the internet, and isolate mission-critical resources from the rest of the network in order to prevent internal attacks. Other shared components of the network, like an organisation's DNS, web and mail servers, also need to be protected. Intrusion detection systems can also be built into the network to detect cyber-attacks against a given network. There are various providers of network security solutions, both software and hardware. Some include Cisco switches, operating systems like Windows 8 and Vista, firewall software like ZoneAlarm, and antivirus software like Kaspersky, e-safe, and Norton. The problem with some of these products is that different vendors often create disparate and incompatible products. This makes it difficult to harmonize them and achieve maximum network security when building networks.

The challenges that may be met when implementing fraud management in information systems include analysing large volumes of data to unearth fraud patterns. Another problem is that the fraud detection process should be done discreetly, without delaying or disrupting the business process. In other cases, there is a risk that a fraud alarm may be raised falsely, based on the established fraud screening or preventive procedures put in place.

Conclusion

CERT Australia persistently strives to inform government and private organisations of the best countermeasures to apply in handling emerging cyber threats. It does this by collating knowledge on newly detected threats and working with other Australian government agencies such as the Cyber Security Operations Centre to develop effective countermeasures.
CERT Australia also runs international collaborative programs with peer CERT organisations operating in different countries around the world. So far, CERT Australia has managed to develop effective policies to deal with emergent cyber threats comprehensively. Its multi-structured working arrangements with Australian agencies and international organisations promise to detect computer risks early enough and develop effective countermeasures before they devastate the businesses and government agencies that use computer information systems.

References

Australia, C. E. R. T. (2012). Cyber crime and security survey report (pp. 123-140). Technical report.

Lippmann, R. P., Riordan, J. F., Yu, T. H., & Watson, K. K. (2012). Continuous security metrics for prevalent network threats: Introduction and first four metrics (No. MIT-LL-IA-3). Massachusetts Institute of Technology, Lexington Lincoln Laboratory.

Newson, A. (2005). Network threats and vulnerability scanners. Network Security, 2005(12), 13-15.

Reyns, B. W. (2010). A situational crime prevention approach to cyberstalking victimization: Preventive tactics for Internet users and online place managers. Crime Prevention & Community Safety, 12(2), 99-118.

Willison, R., & Siponen, M. (2009). Overcoming the insider: Reducing employee computer crime through Situational Crime Prevention. Communications of the ACM, 52(9), 133-137.