We have been tasked by the CIO to draft a report identifying potentially malicious attacks, threats, and vulnerabilities specific to our organization. Further, the CIO would like us to briefly explain each item and potential impact it could have on the organization.
Malicious Network Attacks
“Network attack is usually defined as an intrusion on your network infrastructure that will first analyze your environment and collect information in order to exploit the existing open ports or vulnerabilities – this may include as well unauthorized access to your resources” (Symantec, 2013). We will first have to analyze the potential attacks we need to protect against, and the potential impact those attacks could have on the network. The majority of threats we will encounter are classified as viruses, hacks, and blended attacks. 1. Viruses. “A Virus is a program that is activated by attaching copies of itself to executable objects. Viruses can reach your computer from other infected computers, via data medium (CD, DVD, etc.) or through a network (local or Internet).” (Symantec, 2013). Due to the shear frequency of virus attacks, we shall list them number one. According to a Department of Trade and Industry (DTI) survey, 72% of all companies received infected e-mails or files last year and for larger companies this rose to 83% (Vernon, 2004). The potential impact of the network becoming infected with a virus could be devastating.
File destruction, file corruption, disabling user programs, loss of critical data and overloading the network are just a few of the potential impacts of a virus. Viruses can be introduced in to the network in many ways. Employees downloading /using unauthorized programs, opening and executing infected email attachments, bringing infected files from home on a thumb drive or CD, accessing the network with their smart phone, etc. According to a survey of IT mangers conducted by SupportSoft, 75% said their companies “are not adequately protected from, or able to prevent, computer virus attacks”, and 74% said their companies are hit monthly with one or more computer viruses. (SupportSoft, 2005)
2. Hacking. Despite the continuing problem of Denial of Service (DOS), and Dedicated Denial of Service (DDoS) attacks, the latest threat is SQL injection attacks.
This type of attack takes advantage of improper coding of web applications that allow outside users (hackers) to inject SQL commands that allow access to the company’s database. This results in secure information being confused with non secured information. In other words, passwords, classified or proprietary information is confused with public information such as product details or contacts by the database, allowing hackers to access the secure information. A report by the Center for Strategic and International Studies in Washington estimated that it cost the global economy $300 billion a year and cyber insurance is the fastest-growing specialty insurance ever – worth around $1.3b billion a year in the US. (Lawson, 2014). It is not only the cost of information that should be considered, but also the cost of lost employee productivity, network downtime, and increased IT personnel cost.
3. Blended Attack.
A blended threat is a “multi-pronged attack against networked computers. Symantec describes a blended threat as an attack that combines viruses, worms, Trojan Horses, and malicious code with server and Internet vulnerabilities to initiate, transmit, and spread an attack. Blended threats are designed to propagate quickly, like worms, but instead of relying on a single-attack vector (such as email), blended threats are designed to use whatever propagation path exists.” (Piscitello, n.d.).
A blended threat usually takes over the administrative privileges on the computer and is thus able in theory to “perform any operation available, thus enabling keystroke logging; file copying, removal or modification; communications monitoring and modification; and unauthorized service operation” (Piscitello, n.d.). The use of the Bring Your Own Device (BYOD) policy by many companies, has led to the escalation of blended attacks due to the often lackadaisical approach that most users take concerning mobile phone security. With a lack of anti-virus and anti-malware software installed, these devices post a real security risk when connected to the company network. With most employees using their mobile device for both work and private use, stored business contacts and texts could be compromised.
Security Controls (Personnel)
All three of the network risks identified above pose not only the threat of malicious attacks, but also the threat of data theft and loss. We must mitigate the risk to our network and the intellectual property and highly sensitive data contained within that network. The first step would be to conduct a review or audit of our user and network security policies. An annual user training session should be instituted containing the following basic policies: – No installation of unauthorized software on company machines.
– Never provide someone else your user name or password.
– Log off of the computer when not in use
– Never provide intellectual or sensitive information to unknown users, especially through email.
– Never open email attachments, especially executable files, from unknown sources.
– Implement a strong password policy with mandatory changing of passwords within certain timeframes.
These company policies can help mitigate internal threats that can occur by accident or intentionally. Users should also be trained in the identification of malware and the proper reporting procedures after it has been identified. All IT personnel should have knowledge of the latest threats and responses to those threats. If it is identified that IT personnel require additional training/certification, this should be provided if financially feasible.
Security Controls (Hardware/Software)
The first step would be to conduct a thorough audit of network security hardware and software. A reconnaissance and probing test could be performed with Zenmap GUI (Nmap) to identify security deficiencies such as open ports. The best defense against malicious attacks is a multi-layered approach. A Host Intrusion Detection System (HIDS) to complement the Network Intrusion Detection System (NIDS) should be installed. An additional NIDS should be installed inside the firewall which would detect any attacks that may get by the firewall. Host computers connected to the internet should be isolated from the rest of the network. We should also harden our software/hardware, which is a configuration where unnecessary services are turned off and protected ones are left running. A review of the anti-virus and anti-malware software should be done.
All software should be up to date with the latest virus/malware definitions and updates. Perform virus and malware scans on all network devices and computers on a consistent basis. Wireless Access Points (WAP) should have the latest encryption installed to ensure only authorized users have access. A BOYD security policy should be implemented, whereas all mobile devices under the BOYD program are susceptible to the same security policies as company assets. A policy much like Cisco has implemented should be considered.
Their policy requires all users to have at least a four-digit PIN, and the device to have an auto-lock setting that triggers in 10 minutes or less. Cisco also reserves the right to wipe any device remotely if it’s lost or stolen. The company controls corporate data on its network, using a combination of security access PINs, encryption tools and read-only features that prevent highly confidential data from being copied, downloaded or emailed. It also uses monitoring tools to scan all Web requests for malicious content if a device starts behaving strangely, the IT team can quarantine it or kick it off the network. (Gale, 2013).
With an ever evolving, infinite amount of threats to a network, there are many available solutions to attempt to mitigate that risk. Training personnel on best security practices, creating a secure network with firewalls including intrusion detection and anti-virus/malware software, to performing security audits will help ensure the best possible defense against a malicious attack against the network.
Gale, S. F. (2013, April 2). BYOD Brings Security Risks for Companies. Retrieved July 14, 2014, from workforce: http://www.workforce.com/articles/byod-brings-security-risks-for-companies Lawson, A. (2014, May 23). Businesses need to wake up and smell the hackers. Retrieved July 23, 2014, from The Independent: http://www.independent.co.uk/news/business/analysis-and-features/businesses-need-to-wake-up-and-smell-the-hackers-9422300.html Piscitello, D. (n.d.). What is a blended threat? Retrieved July 23, 2014, from The Security Skeptic: http://securityskeptic.typepad.com/the-security-skeptic/what-is-a-blended-thr