The purpose of this paper is to provide a Cyber Incident Report (CIR) for a major media and entertainment company. The company has initiated a Bring Your Own Device (BYOD) policy, which has resulted in many security incidents and has increased the vulnerability of the company's network infrastructure. This paper also provides recommendations and a new security policy that will ensure the overall safety of the company's network. A guideline by the National Institute of Standards and Technology (NIST) for securing a Wide Area Network is used to design the wireless and BYOD security plan. In the wireless and BYOD security plan, a standard configuration of each component of the company's WLAN will be used. In addition to standardized configuration, the cyber kill chain framework is analyzed while designing the network security plan for the company. Next, a mechanism is designed to track the location of the company's assets. Layered security will be installed in the company's network infrastructure to slow down an attacker's penetration. MAC spoofing is a major threat, as it is used by most individuals who want to damage the company. Sequence number analysis can be used to identify MAC spoofing or identity theft; the sequence number field of the 802.11 frame header is 12 bits wide (Hegde, 2016).
The company has the option of installing either a wired or a wireless network; both have their pros and cons. A wireless network gives ease of mobility and provides compatibility with the latest devices. A wired connection has no wireless access point, which makes it difficult for an intruder to penetrate the system. The company's wireless network can easily be configured to use shared keys with the WPA-PSK protocol, which offers a 256-character generated key for the access points. The company's network infrastructure can easily be made FIPS 140-2 compliant by using the WPA2 security protocol. The company's wireless traffic will be monitored by introducing intelligent monitoring of the system, which will ensure the overall safety of the company's wireless network.
Cyber Security Incident Report
A cybersecurity incident report is used to identify security threats within the company's network. The effects of these threats are also discussed in detail in the CIR. There are six steps in the CIR, and each is explained in detail in this paper.
Wireless and BYOD Security Plan
The first step in the CIR is to develop a wireless security plan for the company. The company's BYOD policy will also be addressed in this wireless security plan. The NIST guidelines for securing a WAN in publication 800-153 will be used in designing the company's security plan. Under BYOD, the devices that most employees will connect to the company's WLAN are either laptops or smartphones. A WLAN contains several components: Access Points (AP), the Distribution System (DS), switches, company devices, and client/employee devices. There should be a standardized security configuration for all of the WLAN components (Souppaya & Scarfone, 2012). A standardized security configuration will reduce the time needed to secure the system, reduce vulnerabilities in the network, improve system security, and reduce the effort of producing a Security Assessment Report (SAR) and performing a security audit.
Cyber-attacks are one of the key areas of network vulnerability. Malicious or poor code may result in a cyber-attack that changes system code or data. This leads to interruption and leaves the system and its data open to cybercrime. A weak, unmonitored system that lacks basic network security protocols is a prime target for cybercriminals (Skinner, 2000). An attacker can easily penetrate such a network and its data sources. The cyber kill chain framework will be introduced in the network security plan to detect the level of threat and take the necessary action against it. There are 8 stages in the cyber kill chain, and each is associated with a different type of cyber-attack. In the first stage, the attacker assesses the network to plan the attack. This stage can be countered by using a standardized security configuration (Yadav & Rao, 2015). In the next stage, the attacker intrudes into the system by taking advantage of security vulnerabilities. This step can be countered by designing a secure WAN with proper firewalls and security assessment software. The third stage in the cyber kill chain is exploitation; in this stage, the attacker makes his moves by exploiting the assessed vulnerabilities. The attacker sends malicious code to get a better grip on the system. In the next stage, the attacker needs extra privileges to take further control of the system. This involves user interaction, manipulating users into breaking the security of the network. It can be countered by educating the employees who have access to the company's network. A special communication protocol will be introduced in the company's wireless security plan to avoid any incident of social engineering attack. In the next stage, the attacker has gained access to the network and can easily move within the system. This stage can be countered by monitoring system traffic at hubs and gateways (Yadav & Rao, 2015).
A network security tool can also be used to monitor and stop suspicious traffic within the network. The sixth stage is very important and requires a skilled person to counter the attacker's moves. In this stage, the attacker leaves false trails to confuse the IT team. Testing mechanisms (black-box and white-box testing) are available to ensure that the system is secured and cannot be fooled. In the seventh stage, the attacker jams network traffic with a Distributed Denial of Service (DDoS) attack. The attacker creates bots within the network and then sends enough requests from the bots to overflow the network's capacity. This can be avoided by securing Ethernet connections within the company's network. The last and final stage of the cyber kill chain framework is the extraction of data from the compromised system. The company's wireless network and BYOD security will be designed in a way that always prevents the attacker from reaching the last stage. Layered security will be installed in the company's network infrastructure to slow down the attacker's penetration.
The security risks associated with the network are the shutting down of a system and the loss of sensitive data. These losses can be caused by computer viruses, rogue security software, Trojan horses, adware or spyware, network worms, DDoS attacks, rootkits, and SQL injection attacks. To address all of these security threats, the following key actions will be taken at stage 1 under the wireless network security plan:
Understand common attacks. Good knowledge of the cyber-attacks that target weak networks can be very helpful.
Establish a list of potential vulnerabilities, and look for anything suspicious or unknown to your network.
Use vulnerability and network scanning tools.
In case of an attack, the company should be able to assess the risk and take reliable action in such events (Stallings & Brown, 2012).
Once the key security measures are established, a layered security strategy will be used to install and protect the company's network. The following measures will help develop the network defense plan:
Every component of the system should use VPN cable.
Secure cables with a firewall.
Install a firewall in every layer of the network, with a separate firewall for each server and each layer.
Install a network security tool that will monitor the traffic within the server.
Create strong passwords for every network device.
Only allow data to travel within the network in encrypted form.
Install firewall management software.
Use strong authentication parameters; either NetScreen or F5 employ user-based authentication.
For added security, access control and authentication should be as close to the network as possible.
Install NICs at the maximum number of junctions possible.
Use network gateways even at endpoint access.
These parameters and measures are listed after careful study of the NIST security testing guidelines in publication 800-115. All the parameters mentioned above are crucial for enterprise network security.
Tracking Suspicious Behavior
It has been notified that an employee is showing suspicious behavior: his MAC address is generating irregular traffic in the network. Both the employee and the company's secure network are company assets. There are many solutions available to track an employee or a company asset. If the employee is using a device provided by the company, it is quite easy to track that device and the employee's behavior. The problem in the current situation is the company's BYOD policy: an employee may be using his own device to connect to the company's network. The company tracks its employees' locations and timestamps, but the employee must know that the company is tracking his device. There are ethical and legal constraints that do not allow this kind of tracking. What can be done to overcome these constraints is to add a tracking policy to the employee and employer agreement, and to make signing this agreement mandatory to get a job. Once the tracking policy is agreed upon, the company can easily track its employees or assets. Employee activities which a company can monitor include emails, internet browsing, app usage, location tracking by access card, GPS tracking by vehicle, video/audio surveillance within the facility, phone usage, and even computer screen recording. Computer screen monitoring is used by almost every organization to monitor an employee's performance and hours of work. If the employee is doing anything suspicious, the company can easily identify it by following a monitoring policy. According to the contract/agreement, the company has the complete right to take legal action against the employee.
The technique used for changing the Media Access Control (MAC) address of a device is called MAC spoofing. In this technique, the Operating System (OS) and the network are fooled into believing a false MAC address for the device. Many techniques and software tools are available for this purpose, in which a person can select a MAC address of his or her choice. By changing a MAC address, an individual can bypass the company's network routers, servers, or access control lists. For example, an employee has registered one of his devices on the company's network by giving its MAC address to IT personnel. The employee can then connect another device with a forged MAC address (the same as his registered device) to the company's network for harmful purposes. Network switches allow communication between two devices by using MAC address tables. If a MAC address is not present in the table, the switch denies the transfer of data. An attacker can use a known MAC address to get access to the secured network using MAC spoofing. MAC spoofing is a kind of computer identity theft which can be used for either good or harmful purposes.
Sequence number analysis can be used to identify MAC spoofing or identity theft. The sequence number field of the 802.11 frame header is 12 bits wide (Hegde, 2016). Securing the sequence number field and storing its values in the TCP header will protect the network from MAC spoofing. In addition, Multiple Input Multiple Output (MIMO) antenna technology along with Channel State Information (CSI) can be used to prevent identity theft such as MAC spoofing (Hegde, 2016). Although MIMO antenna technology is more expensive to apply, it is a more effective solution against identity theft incidents.
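The following script illustrates the sequence number analysis described above. It is an added example, not code from this paper or from Hegde (2016). It walks through 802.11 frame headers as (timestamp, source MAC, sequence number) records, computes the distance between consecutive sequence numbers for each MAC on the 12-bit ring (so the legitimate wrap from 4095 to 0 is not mistaken for a jump), and reports MACs whose counter repeatedly jumps back and forth, which is the signature of a second device transmitting with a copied address. The frame records and the gap thresholds are constructed assumptions.

```python
"""Sequence-number analysis of 802.11 frame headers to flag likely MAC spoofing.

Added example (not code from the paper or from Hegde, 2016). Every 802.11
station keeps its own 12-bit sequence counter (0..4095) that advances by one
for each new frame and wraps to 0 after 4095, so frames from a genuine station
arrive with small, mostly increasing gaps. A second device transmitting with a
copied MAC address uses its own unrelated counter, so the numbers seen for that
MAC jump back and forth. The frame records below are constructed sample data,
not a real capture; the gap thresholds are assumed tuning values.
"""
from collections import defaultdict

SEQ_MODULO = 4096        # the 12-bit sequence number field wraps here
MAX_FORWARD_GAP = 64     # assumed: tolerate this many lost frames between two seen frames
MAX_BACKWARD_GAP = 3     # assumed: tolerate small reordering / retransmissions


def seq_delta(prev, cur):
    """Signed distance from prev to cur on the 12-bit ring, in (-2048, 2048]."""
    d = (cur - prev) % SEQ_MODULO
    return d - SEQ_MODULO if d > SEQ_MODULO // 2 else d


def analyze_frames(frames):
    """frames: iterable of (timestamp, src_mac, seq_num) as read from frame headers.

    Returns {mac: [(timestamp, previous_seq, seq, delta), ...]} holding only the
    transitions that fall outside the tolerated window for that MAC.
    """
    last_seq = {}
    anomalies = defaultdict(list)
    for ts, mac, seq in frames:
        mac = mac.lower()
        if mac in last_seq:
            d = seq_delta(last_seq[mac], seq)
            if d < -MAX_BACKWARD_GAP or d > MAX_FORWARD_GAP:
                anomalies[mac].append((ts, last_seq[mac], seq, d))
        last_seq[mac] = seq
    return dict(anomalies)


def suspected_spoofed_macs(frames, min_anomalies=2):
    """MACs with at least min_anomalies jumps; a single jump may only be a burst of loss."""
    return sorted(mac for mac, hits in analyze_frames(frames).items() if len(hits) >= min_anomalies)


# Constructed sample: the genuine station behind aa:bb:cc:00:00:01 counts 100, 101, 102...
# while a second device claiming the same MAC interleaves frames from its own counter
# near 3000. The station aa:bb:cc:00:00:02 legitimately wraps from 4095 to 0.
SAMPLE_FRAMES = [
    (1.00, "aa:bb:cc:00:00:01", 100),
    (1.01, "aa:bb:cc:00:00:01", 101),
    (1.02, "aa:bb:cc:00:00:01", 3001),
    (1.03, "aa:bb:cc:00:00:01", 102),
    (1.04, "aa:bb:cc:00:00:01", 3002),
    (1.05, "aa:bb:cc:00:00:01", 103),
    (1.06, "aa:bb:cc:00:00:02", 4094),
    (1.07, "aa:bb:cc:00:00:02", 4095),
    (1.08, "aa:bb:cc:00:00:02", 0),
    (1.09, "aa:bb:cc:00:00:02", 1),
]

if __name__ == "__main__":
    for mac, hits in analyze_frames(SAMPLE_FRAMES).items():
        for ts, prev, cur, d in hits:
            print(f"{ts:.2f} {mac}: seq {prev} -> {cur} (delta {d:+d})")
    print("suspected spoofed MACs:", suspected_spoofed_macs(SAMPLE_FRAMES))
```

On the sample data the first MAC produces four out-of-window transitions and is reported, while the second MAC's wrap-around produces none. In a real deployment the thresholds should be tuned per access point, since heavy frame loss and retry bursts also widen the gaps.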
Continuous Improvement Plan
Previously it was believed that wired networks are more secure than their wireless counterparts, because in a wired network the attacker has to physically tamper with the system to penetrate the network. Radio transmission is used for carrying data in a wireless network, which makes it difficult to contain and makes it easy for an individual to peek into a network while sitting within its range. The pros and cons of both network types are discussed in this section. One of the biggest advantages of a wired network is that it cannot easily be penetrated by an intruder: as there is no wireless access point for this kind of connection, external intrusion is impossible. Moreover, it is easy to monitor and manage the number of connected devices. The biggest cons of a wired network are the installation of cables, jumpers, and connectors, and the lack of mobility. A wireless network gives ease of mobility and provides compatibility with the latest devices. The following table further explains the pros and cons of both network types.
Wired network | Wireless network
Can be difficult and expensive to set up | Upgrading to wireless can also be expensive and difficult
More secure compared to wireless | Less secure; information and bandwidth can be accessed by an intruder
Mostly faster than wireless | Usually slower than wired
Not convenient for employees; acceptable for a traditional office with limited usage | Easy mobility helps not only employees but also clients in business dealings
Lots of ports and cables are needed | Fewer cables and no untidy cabling issues
Transfer speed is fast, but file sharing is limited to a certain number of devices | Much easier sharing of files, as there is no need to be connected to the network via cable
Freedom of movement for the user: limited, since the connection is established using cables and ports | Freedom of movement within the range of the network
There are various types of wireless security protocols: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and Wi-Fi Protected Access II (WPA2). WEP is the most common type of security protocol for a wireless network. WEP has many vulnerabilities, and with the increase in computing power, exploiting those vulnerabilities becomes easier. WPA was the replacement for the old WEP protocol, providing more security and customizability. The Temporal Key Integrity Protocol (TKIP) and the message integrity check are the most significant security features of the WPA protocol. Like WEP, WPA also became vulnerable with time. The most significant improvement in WPA2 is the mandatory use of the Advanced Encryption Standard (AES) algorithm and the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). It usually requires 2 to 14 hours of effort to penetrate a WPA2 security protocol.
The company's wireless network can easily be configured to use shared keys with the WPA-PSK protocol, which offers a 256-character generated key for the access points. Federal Information Processing Standard (FIPS) publication 140-2, issued by NIST, is used to approve cryptographic modules. According to FIPS 140-2, it is necessary for a company to use secured cryptographic modules for added security within its network. A Wi-Fi network with 802.11i/WPA2 capability can comply with the FIPS 140-2 standard by using AES and CCMP. The company's network infrastructure can easily be made FIPS 140-2 compliant by using the WPA2 security protocol. The hardware already supports WPA2, so no additional equipment needs to be installed for this purpose.
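The standardized security configuration called for in the wireless security plan can be enforced with a simple baseline check on each access point's configuration. The script below is an added example and is not the paper's, NIST's or any vendor's code. It assumes the access points run hostapd (the option names wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, wpa_passphrase and wep_* are real hostapd options), parses a key=value configuration, and lists every setting that falls below the WPA2 with AES-CCMP baseline discussed above: WEP present, WPA(1) or mixed mode allowed, TKIP offered, CCMP missing, or a short pre-shared key. The weak and hardened configurations are constructed, and the minimum passphrase length is an assumed policy value.

```python
"""Baseline check of a WLAN access-point configuration against the WPA2/AES-CCMP requirement.

Added example; it is not the paper's or NIST's code. It reads a hostapd-style
key=value configuration (hostapd is assumed as the AP software; wpa,
wpa_key_mgmt, wpa_pairwise, rsn_pairwise, wpa_passphrase and the wep_* keys are
real hostapd option names) and lists every setting that falls below the
standardized baseline: WPA2 only, CCMP as the sole pairwise cipher, no WEP,
and a pre-shared key of reasonable length. Both configurations below are
constructed; the minimum passphrase length is an assumed policy value.
"""

MIN_PASSPHRASE_LEN = 20   # assumed company policy (hostapd itself accepts 8..63 characters)


def parse_config(text):
    """Turn 'key=value' lines into a dict, ignoring blanks and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def check_ap_config(text):
    """Return a list of baseline violations; an empty list means the AP is compliant."""
    cfg = parse_config(text)
    findings = []

    # Any wep_* option means legacy WEP encryption is still enabled.
    if any(key.startswith("wep_") for key in cfg):
        findings.append("WEP keys configured: WEP is broken and must be removed")

    # hostapd: wpa=0 none, 1 WPA only, 2 WPA2 only, 3 mixed WPA/WPA2.
    wpa = cfg.get("wpa", "0")
    if wpa == "0":
        findings.append("wpa=0: no WPA/WPA2 protection configured")
    elif wpa != "2":
        findings.append(f"wpa={wpa}: WPA(1)/TKIP clients allowed; require wpa=2 (WPA2 only)")

    # TKIP must not be offered, and CCMP must be the pairwise cipher. rsn_pairwise is the
    # WPA2 cipher list; hostapd falls back to wpa_pairwise when rsn_pairwise is not set.
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in cfg.get(key, "").split():
            findings.append(f"{key} allows TKIP; require CCMP only")
    effective = cfg.get("rsn_pairwise", cfg.get("wpa_pairwise", "")).split()
    if "CCMP" not in effective:
        findings.append("CCMP (AES) pairwise cipher is not enabled")

    psk = cfg.get("wpa_passphrase")
    if psk is not None and len(psk) < MIN_PASSPHRASE_LEN:
        findings.append(f"wpa_passphrase shorter than {MIN_PASSPHRASE_LEN} characters")
    return findings


# Constructed: a WPA(1)/TKIP configuration with a short passphrase.
WEAK_CONFIG = """\
interface=wlan0
ssid=CORP-WIFI
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=password
"""

# Constructed: the same AP brought up to the WPA2 + CCMP baseline.
HARDENED_CONFIG = """\
interface=wlan0
ssid=CORP-WIFI
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=constructed-example-psk-01
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", check_ap_config(text) or ["compliant"])
```

Running the check over every access point's exported configuration before a security audit turns the "standardized configuration" requirement into a repeatable test rather than a manual review.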
There are many wireless protocols, including Wi-Fi, Bluetooth, and Ultra-Wideband (UWB). Wi-Fi is a type of WLAN that uses the 802.11 specifications. The biggest pro of this technology is its high speed and mobility. Because it is visible and has a range of access in 3D space, Wi-Fi can be vulnerable to cyber-attacks. The next wireless communication protocol is Bluetooth. It is a wireless protocol that helps in exchanging data between mobile and fixed devices using short-wavelength radio over a short distance (Dhawan, 2007). One of the biggest advantages of Bluetooth technology is its portability; its biggest con is its short range, as the connected devices have to be close to each other. UWB is also a wireless protocol which allows the transfer of data over a short distance. The advantages of this technology are its wide frequency band, high speed, and low power consumption. Although the range of UWB is wider than that of Bluetooth, it is still short compared to Wi-Fi (Dhawan, 2007). Wireless Application Protocol (WAP) is also a type of wireless technology. Wi-Fi and UWB can be suitable for the company, and a combination of both can be used in the network infrastructure.
Remote Configuration Management
The process of maintaining and organizing information about all the components of the company's network is called remote configuration management. A network management database helps the company to upgrade, modify, expand, and repair the company's network remotely. The database holds the network address, IP address, and location of hardware devices (Perkins, 1992), as well as information about updates, versions, programs, and settings of the hardware devices installed within the company's network infrastructure. Keeping the above in mind, the company can use remote network managers in its network infrastructure to increase the productivity of the system. Any failure in the network can also be monitored easily using remote network configuration. As there is a different format for every network device, configuration management eases the process of saving the different configurations. To fix a certain hardware or software failure within the network, a remote network configuration manager can save time and effort. The data is mostly stored on central servers for the purpose of remote configuration management. There are many tools available for remote network configuration management; a vendor-specific tool will be most suitable for our company's network. In remote configuration management, system administration can be used to reduce the downtime of the network. Moreover, the accountability and visibility of the network also improve with remote configuration management. The following are the benefits our company can achieve by installing remote network configuration management:
Easy archiving of the details of network configuration changes.
If a system update causes the system to shut down, it can easily be downgraded to the previous settings and software.
Changes made to one piece of hardware do not affect other devices.
Network security will be optimized.
Configuration and change management generally cause errors; these can be reduced by using remote configuration management.
A systematic process of upgrading, expansion, repair, and maintenance in the network.
It is observed that there is an unknown device connected to the company's network. This can be detected either by sequence number analysis or from the Dynamic Host Configuration Protocol (DHCP) client tables. If an unknown device's IP address or MAC address is detected in the DHCP table, the device's MAC address can easily be blocked using the access point configuration. The advanced network security tools suggested earlier can also be used for this purpose. Once the MAC address is blocked, the device will no longer show in the DHCP client table. This will ensure that the user or the device has been completely removed from the network. In addition, an IP scan of the network will show the list of IP addresses connected to the network. If fixed IP addresses are assigned to each device and this information is stored in the configuration database, an unknown IP address will be easily detected. Remote configuration management can be used to obtain the MAC address of that IP user. Once the MAC address is obtained, it can also be blocked using remote configuration management.
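The DHCP-table and IP-scan checks described above can be automated against the configuration database. The script below is an added example, not the paper's procedure as implemented by any vendor tool. It assumes a dnsmasq-style lease file (one "expiry mac ip hostname client-id" line per lease) and an inventory dictionary exported from the configuration database that maps each registered MAC to its fixed IP address and owner. It reports leases held by unregistered MACs, registered MACs seen with an IP other than their assigned one, and scanned IPs that belong to neither the inventory nor the lease table, and it derives the list of MACs to deny in the access point configuration. All lease lines, inventory entries and scan results are constructed.

```python
"""Unknown-device audit: DHCP lease table and IP scan results against the configuration database.

Added example, not the paper's procedure as implemented by any vendor tool. It
assumes a dnsmasq-style lease file ("expiry mac ip hostname client-id" per line)
and an inventory dict from the configuration database that maps each registered
MAC to its fixed IP address and owner. It reports MACs that are not registered,
registered MACs seen with a different IP than assigned, and scanned IPs that
belong to neither the inventory nor the lease table. All lease lines, inventory
entries and scan results are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Lease:
    expiry: int
    mac: str
    ip: str
    hostname: str


def parse_dnsmasq_leases(text):
    """Parse 'expiry mac ip hostname client-id' lines; MACs are normalised to lower case."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        leases.append(Lease(int(parts[0]), parts[1].lower(), parts[2], parts[3]))
    return leases


def audit_network(lease_text, inventory, scanned_ips):
    """Compare leases and scan results with the inventory; return the three finding lists."""
    leases = parse_dnsmasq_leases(lease_text)
    inventory = {mac.lower(): entry for mac, entry in inventory.items()}
    unknown_macs, ip_mismatches = [], []
    for lease in leases:
        if lease.mac not in inventory:
            unknown_macs.append((lease.mac, lease.ip, lease.hostname))
        elif inventory[lease.mac][0] != lease.ip:
            ip_mismatches.append((lease.mac, inventory[lease.mac][0], lease.ip))
    # An IP is explained if the inventory assigns it or a lease currently holds it.
    known_ips = {ip for ip, _owner in inventory.values()} | {lease.ip for lease in leases}
    unknown_ips = sorted(set(scanned_ips) - known_ips, key=ipaddress.ip_address)
    return {"unknown_macs": unknown_macs, "ip_mismatches": ip_mismatches, "unknown_ips": unknown_ips}


def mac_block_list(findings):
    """MACs to deny in the access-point configuration: every unregistered lease holder."""
    return sorted(mac for mac, _ip, _host in findings["unknown_macs"])


# Constructed inventory from the configuration database: mac -> (fixed IP, owner)
INVENTORY = {
    "aa:bb:cc:00:00:01": ("10.0.1.10", "employee A laptop"),
    "aa:bb:cc:00:00:02": ("10.0.1.11", "employee B phone"),
}

# Constructed lease file contents (dnsmasq format)
LEASES = """\
1700000000 aa:bb:cc:00:00:01 10.0.1.10 a-laptop 01:aa:bb:cc:00:00:01
1700000000 AA:BB:CC:00:00:02 10.0.1.25 b-phone *
1700000000 de:ad:be:ef:00:01 10.0.1.77 android-7f3 *
"""

# Constructed result of an IP scan of the subnet
SCANNED_IPS = ["10.0.1.10", "10.0.1.25", "10.0.1.77", "10.0.1.99"]

if __name__ == "__main__":
    report = audit_network(LEASES, INVENTORY, SCANNED_IPS)
    for key, items in report.items():
        print(key, items)
    print("block in AP config:", mac_block_list(report))
```

The unknown IP that appears only in the scan (10.0.1.99 in the sample) is the case the text addresses with remote configuration management: the switch or router that owns that segment must be queried for the MAC behind it before it can be blocked.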
Employee Misconduct
There is a report of an employee using an ad-hoc wireless network within the company's network. Furthermore, there have been multiple logins during unofficial duty hours. As the motive of this particular employee is not known, this section explains ad-hoc networks and how they can be a threat to the company's WAN. An ad-hoc network allows a number of devices to communicate directly with each other. An ad-hoc network can easily bypass network gateways and routers. In an ad-hoc network, devices can send data using a single access point. To explain how an employee can use ad-hoc networking to threaten the company's WAN: using Windows 7 or other recent operating systems, a user has the option to turn his laptop into an access point using the ad-hoc or hotspot connection option (Perkins, 2001). The employee has been using his laptop to create a wireless access point, and more untrusted devices can be connected to the company's network using his laptop as an access point. This has happened because of the company's BYOD program; the device the employee is using is not the property of the company. We will give the employee the benefit of the doubt; maybe he just wanted to connect his other devices to have access to the internet. Even in this case, any external hacker can first penetrate the virtual Wi-Fi created by the employee, and eventually the intruder will have access to the company's network. As the device is the property of the employee, the company cannot simply block the ad-hoc connection and put an administrative password on the employee's device. To prevent this from happening, the company's network should have the correct IDS/IPS system installed, which will deny ad-hoc networks. Each wireless adapter on the network should be configured for infrastructure mode, in which only a central device and server manage the traffic. In addition, a wireless ad-hoc network requires the same Service Set Identifier (SSID) and channel.
To prevent an employee from creating an ad-hoc connection, each network adapter in the company's WAN should have a unique SSID. The traffic of a suspicious employee's laptop can be observed to detect whether that employee has created an ad-hoc connection. If the employee has created an ad-hoc connection, there will be other devices attached to his network, and an unusual traffic pattern can confirm the presence of the ad-hoc connection even if the employee is hiding his signal. In the case of a hidden SSID, most devices will show that there is a hidden wireless connection in the area; getting the SSID of a hidden network is not a difficult task. If no hidden networks are detected, which means the SSID is not broadcasting, the same technique of monitoring the traffic of devices to detect any unusual behavior can be used. It can easily be validated that the user is using his device as an ad-hoc connection during unofficial duty hours by simply looking at his traffic during those hours.
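Two of the checks this section relies on, spotting ad-hoc networks and laptop hotspots from beacon frames and spotting logins outside duty hours, can be scripted from monitoring data. The following is an added example and is not the paper's own procedure or any IDS/IPS product's logic. Beacon records are (BSSID, SSID, channel, capability) tuples as read from 802.11 beacon frames; in the capability field, bit 0 (ESS) marks an infrastructure network and bit 1 (IBSS) marks an ad-hoc network, so an ad-hoc network is identified by that bit even when the SSID is hidden. A beacon advertising the corporate SSID from a BSSID that is not in the access point inventory is treated as a rogue access point, which is what a laptop in hotspot mode looks like. Login records are constructed lines of the form "<ISO timestamp> LOGIN user=... mac=... result=...". The corporate SSID, the AP inventory and the duty hours are assumptions.

```python
"""Flag ad-hoc (IBSS) networks, rogue access points and off-hours logins.

Added example; not the paper's own procedure or any vendor's IDS/IPS. Beacon
records are tuples of (BSSID, SSID, channel, capability) as read from 802.11
beacon frames; in the capability field bit 0 (ESS) marks an infrastructure
network and bit 1 (IBSS) marks an ad-hoc network. A beacon advertising the
corporate SSID from a BSSID that is not in the AP inventory is treated as a
rogue access point (for example a laptop in hotspot mode). Login records are
constructed lines "<ISO timestamp> LOGIN user=... mac=... result=...".
The corporate SSID, the AP inventory and the duty hours are assumptions.
"""
from datetime import datetime, time

CAP_ESS = 0x0001    # capability bit 0: infrastructure (ESS) network
CAP_IBSS = 0x0002   # capability bit 1: independent (ad-hoc) network
CORP_SSID = "CORP-WIFI"                                         # assumed corporate SSID
AUTHORIZED_BSSIDS = {"00:11:22:aa:00:01", "00:11:22:aa:00:02"}  # assumed AP inventory
DUTY_START, DUTY_END = time(8, 0), time(18, 0)                  # assumed, Monday to Friday


def classify_beacons(beacons):
    """Return (adhoc_networks, rogue_aps), each a list of (bssid, ssid, channel)."""
    adhoc, rogue = [], []
    for bssid, ssid, channel, cap in beacons:
        bssid = bssid.lower()
        if cap & CAP_IBSS:
            adhoc.append((bssid, ssid, channel))
        elif cap & CAP_ESS and ssid == CORP_SSID and bssid not in AUTHORIZED_BSSIDS:
            rogue.append((bssid, ssid, channel))
    return adhoc, rogue


def off_hours_logins(log_lines):
    """Return (timestamp, user, mac) for every login outside duty hours or on a weekend."""
    flagged = []
    for line in log_lines:
        ts_str, _, rest = line.partition(" ")
        ts = datetime.fromisoformat(ts_str)
        fields = dict(item.split("=", 1) for item in rest.split()[1:])  # skip the LOGIN token
        if ts.weekday() >= 5 or not (DUTY_START <= ts.time() < DUTY_END):
            flagged.append((ts_str, fields["user"], fields["mac"]))
    return flagged


# Constructed beacons: an authorised AP, a hidden-SSID ad-hoc network, a laptop
# hotspot reusing the corporate SSID, and an unrelated neighbouring network.
SAMPLE_BEACONS = [
    ("00:11:22:aa:00:01", "CORP-WIFI", 6, 0x0411),
    ("7e:5f:00:00:00:01", "", 6, 0x0002),
    ("a4:c3:f0:00:00:09", "CORP-WIFI", 11, 0x0011),
    ("1a:2b:3c:00:00:05", "GuestCafe", 1, 0x0011),
]

# Constructed login records: 2024-03-04 is a Monday, 2024-03-09 a Saturday.
SAMPLE_LOGINS = [
    "2024-03-04T09:15:00 LOGIN user=jdoe mac=aa:bb:cc:00:00:07 result=ok",
    "2024-03-04T02:13:00 LOGIN user=jdoe mac=aa:bb:cc:00:00:07 result=ok",
    "2024-03-09T11:00:00 LOGIN user=jdoe mac=aa:bb:cc:00:00:07 result=ok",
]

if __name__ == "__main__":
    adhoc, rogue = classify_beacons(SAMPLE_BEACONS)
    print("ad-hoc networks:", adhoc)
    print("rogue APs:", rogue)
    print("off-hours logins:", off_hours_logins(SAMPLE_LOGINS))
```

A hit in either list is a lead for the traffic review the text describes, not proof of misconduct on its own; correlating the rogue BSSID or ad-hoc station with the employee's registered MAC and with the off-hours login times is what ties the two observations together.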
Analyze Wireless Traffic
The last step of the CIR is to analyze the traffic of the wireless network. Pre-captured files of wireless traffic from the company's network are provided to analyze the network. These pre-captured files can be used to monitor employee activities; comparing the pre-captured files with the current traffic will help detect any suspicious or malicious behavior. The main purpose of analyzing wireless traffic is to ensure that data is secured and that no intruder is infiltrating the company's traffic. The most effective way to monitor wireless traffic is to use network configuration management and authenticated access. This will ensure reliable monitoring of the traffic and will secure data transmission. Authenticated access also allows the company to keep a record of the logins and addresses of the devices connected to the company's network. Adding secure logins will further enhance the security of the network. Most companies encrypt their data before transferring it between devices, which ensures the safety of wireless traffic. Virtual Private Networks (VPN) and point-to-point encryption serve the purpose of disguising the traffic from an attacker. The last frontier in securing a wireless network and its traffic is the company's administration. The administration has to maintain the security of the network by taking various steps after the installation of the secure wireless network (Bauer, 2004). These steps include regular monitoring of the access logs and regular monitoring of the network traffic. Regular monitoring can help in detecting any fault in the system, network penetration, data breach, unwanted access logins, and MAC spoofing. Moreover, careful monitoring can also help in identifying an employee who is violating the company's network policy. To install an intelligent traffic monitoring system in the company's network, three different components have to be installed.
The first component is the monitoring unit, which monitors the traffic at different points within the network. The next component of the intelligent monitoring system is the storage unit; the company's storage servers can be used for storing the traffic logs. The most important part of the monitoring system is the intelligent forecasting unit. This forecasting will help in identifying a threat or fault within the system and will also enhance the performance of the system. The forecasting unit has complete access to the stored logs, so it can predict what can go wrong or what kind of demand is needed at a specific time. Installing this kind of smart system will require effort and time. There are many vendors who provide such intelligent monitoring solutions, which can be very expensive.
Bibliography
Bauer, B. (2004). Network traffic monitoring. Google Patents. Retrieved from https://patents.google.com/patent/US20040047356A1/en
Dhawan, S. (2007). Analogy of promising wireless technologies on different frequencies: Bluetooth, WiFi, and WiMAX. IEEE.
Hegde, A. (2016). MAC spoofing detection and prevention. International Journal of Advanced Research in Computer and Communication Engineering, 5(1), 230-231. Retrieved from https://ijarcce.com/wp-content/uploads/2016/02/IJARCCE-55.pdf
Perkins, C. (1992). Network address management for a wired network supporting wireless communication to a plurality of mobile users. Google Patents.
Perkins, C. (2001). Ad hoc networking.
Souppaya, M., & Scarfone, K. (2012). Guidelines for securing wireless local area networks (WLANs) (NIST Special Publication 800-153). Gaithersburg, MD: National Institute of Standards and Technology. Retrieved from https://content.umuc.edu/file/86d36d98-d23a-4001-ac03-91ab25dd1b47/1/NISTGuidelinesforSecuringWirelessLocalAreaNetworksWLANsSpecialPublication800-153.pdf
Stallings, W., & Brown, L. (2012). Computer security: Principles and practice.
Yadav, T., & Rao, A. M. (2015). Technical aspects of cyber kill chain. International Symposium on Security in Computing and Communication.