You are an adviser who has been brought in by an energy company following a security breach, which took 4 hours to recover from. You discover that security breaches are not unheard of for this company: it had already suffered two 2-hour outages this year before the current attack. The company has a web site that allows customers to upload readings, make payments and report/track faults. It must be online 24×7. The following five tasks relate to this company.
Task 1 – 20 Marks
Total Cost of Ownership and Annualized Loss Expectancy
The company has 9 web servers, costing $12,000 each, and 3 database servers, costing $26,000 each. These servers have a lifetime of five years. The annual support contracts on these are $1200 and $2600 respectively. The company employs two full-time web administrators, a part-time web administrator working 2 days a week and an infrastructure administrator, at $40,000 full-time equivalent per annum each. Their annual turnover is $700m. It is estimated that each breach costs them 0.2% of the TCO of their system due to reconfiguration, lost work and delayed development. This is in addition to any lost earnings and web outages due to the web site being offline and not detecting faults, which is estimated to be 20%.
Calculate the TCO for the current system.
Calculate the ALE for this system.
To prevent such breaches, you have estimated that the company requires a full-time security administrator and needs to adopt an annual security budget of $32,000 for hardware and software (the annualized salary for this administrator would be the same as for the others). Calculate its annual savings if it implemented your recommendations.
(Don't forget to write your justification for each of the steps.)
Calculate the TCO for the current system
TCO (Total Cost of Ownership) refers to the cost of installation, IT hardware and software, and labour. According to Task 1:
9 web servers, cost per year: (9×12000)/5 = 21600
3 database servers, cost per year: (3×26000)/5 = 15600
Annual support contracts: 1200+2600 = 3800
Labour cost for 2 full-time web administrators, 1 two-day part-time web administrator and 1 infrastructure administrator: 40000×3 + 40000×(102/365) = 131178
Total Cost of Ownership = 21600+15600+3800+131178
= $172178
Calculate the ALE for this system
ALE stands for Annualized Loss Expectancy.
SLE stands for Single Loss Expectancy.
ARO stands for Annualized Rate of Occurrence.
ALE is used to calculate the potential financial loss from known threats.
ALE = SLE × ARO
SLE = 172178 × 0.2% = 34435.6
4/8760 = 0.046%
(700m + 34435.6) × 0.046% = 322016 (SLE)
Twice a year = 200%
ALE = 322016 × 200% = 644032
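The TCO and ALE model above, carried through in code as an added example (this is not part of the original assignment answer). It follows the same arithmetic steps the answer uses, including rounding the downtime share to 0.046%, and the reconfiguration term is computed with the multiplier that yields the answer's 34435.6. The savings function takes the post-control ALE as a parameter because the answer gives no figure for it; the value used in the usage line is an assumption.

```python
# Added worked example (not part of the original assignment answer): the TCO and
# ALE model from Task 1, following the same arithmetic steps the answer uses.
# The "after recommendations" scenario at the bottom is an assumption.

HOURS_PER_YEAR = 24 * 365          # 8760
DAYS_PER_YEAR = 365                # the answer prorates the part-timer as 102/365


def tco_per_year(web_servers=9, web_cost=12000, db_servers=3, db_cost=26000,
                 lifetime_years=5, support_web=1200, support_db=2600,
                 admin_salary=40000, full_time_admins=3, part_time_days=102):
    """Annual Total Cost of Ownership: depreciated hardware + support + labour."""
    hardware = (web_servers * web_cost + db_servers * db_cost) / lifetime_years
    support = support_web + support_db            # as stated in the answer
    labour = (admin_salary * full_time_admins
              + admin_salary * part_time_days / DAYS_PER_YEAR)
    return hardware + support + labour


def single_loss_expectancy(tco, turnover=700_000_000, outage_hours=4,
                           reconfig_fraction=0.2):
    """SLE for one breach, reproducing the answer's steps: the reconfiguration/
    lost-work term (the answer's figure 34435.6 equals 0.2 x TCO), plus the share
    of turnover lost while the site is down, with the downtime share rounded to
    0.046% as the answer does."""
    reconfig_cost = round(tco * reconfig_fraction, 1)          # 34435.6
    downtime_share = round(outage_hours / HOURS_PER_YEAR, 5)   # 0.00046
    return (turnover + reconfig_cost) * downtime_share


def annualized_loss_expectancy(sle, aro=2):
    """ALE = SLE x ARO; the answer uses two breaches a year (200%)."""
    return sle * aro


def annual_saving(ale_before, ale_after, security_admin_salary=40000,
                  security_budget=32000):
    """Net saving from the recommended controls. ale_after is an ASSUMPTION about
    how much loss remains after the controls; the assignment answer gives no
    figure, so the caller must supply one."""
    control_cost = security_admin_salary + security_budget
    return ale_before - ale_after - control_cost


if __name__ == "__main__":
    tco = tco_per_year()
    sle = single_loss_expectancy(tco)
    ale = annualized_loss_expectancy(sle)
    print(f"TCO = {tco:,.0f}")
    print(f"SLE = {sle:,.0f}")
    print(f"ALE = {ale:,.0f}")
    # Assumed scenario: the controls stop all breaches, so ale_after = 0.
    print(f"Saving if no breaches remain = {annual_saving(ale, 0):,.0f}")
```

Changing the `aro` or `ale_after` arguments shows how sensitive the savings figure is to the assumed breach rate, which is the justification the task asks for.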
Task 2 – 20 Marks
Suggest an ideal network architecture for the company. You are expected to provide a basic network diagram and a full explanation and justification for any components you include. Do not worry about internal workstations; concentrate on the architecture for the web application platform.
A network is a group of two or more computer systems linked together. There are several kinds of computer network, such as local-area networks (LANs), wide-area networks (WANs), etc. Each computer network includes many pieces of network equipment, and each piece has its own role in the network. The common equipment is the firewall, router, network switch, hub, network interface (also called the LAN card) and network cable. Besides the physical network hardware, a network also includes protocols. A protocol is a set of rules and signals that computers use to communicate on the network. Network architecture can be broadly classified as peer-to-peer and client-server architecture.
Based on the Energy Company's information, the main elements of their company network are nine web servers and three database servers. How do we form a network architecture with a higher security level to protect the web servers and database servers? My suggestion is below.
First of all, I propose two subnets in the Energy Company network. One subnet is 192.168.1.x/255.255.255.0 and the other is 192.168.2.x/255.255.255.0. There must be an ISP network router connecting to the Internet. After this ISP router, there must be a firewall to protect the whole company network.
What is a firewall and what is its function?
A firewall is a hardware network device or a piece of software which is used to block unauthorised Internet access to the internal network while allowing authorised access requests. A firewall is like a gate between a protected network and an unprotected Internet network.
There are several types of firewall technique. A firewall can filter the packets passing through the network and allow or reject them based on the defined rules. It can apply security rules to specific applications such as FTP and Telnet. It can intercept all packets or messages passing through and hide the true network address. (1. Wikipedia – firewall 2010)
So this firewall plays a very important role within a network. Because of that importance, the system administrator needs to consider several things. First of all, the system administrator must make sure to review the firewall rules on a regular basis. Second, the system administrator needs to review the firewall device on a schedule. Last but not least, the system administrator needs to analyse the overall network architecture and secure the vulnerabilities in the network.
Returning to the explanation of the network architecture: Firewall A has two access functions. The first is that Firewall A allows connections into subnet 192.168.1.x. Each web server has its own internal IP address. The administrator needs to set up NAT (Network Address Translation) for the outbound-to-inbound mapping. Firewall A's role is to route the connection to the permitted server only. The internal IPs are then hidden by NAT from outside IP scanning. The second is that Firewall A blocks all ports except port 80, so that all web servers are used on port 80 only. This is very secure, because the administrator only has to keep track of the traffic on port 80. According to Firewall A's rule set, there is no connection from outside to Firewall B. For the protection of the web servers themselves, if they are Apache web servers, the settings (httpd conf file) can be adjusted to listen on port 80 only. On the Windows platform, there is a firewall function on the network interface. The administrator can enable the local area connection's firewall and only accept web port 80, SQL port 1433 and port 443.
Let us discuss Firewall B. Behind this firewall there is another subnet, 192.168.2.x. All database servers will be placed there. Some access rules will also be applied on Firewall B. The first rule is that Firewall B only allows port 1433 and port 443 connections from subnet 192.168.1.x to the subnet 192.168.2.x database servers. Apart from these two ports, all other ports are rejected. So it is a very high security level: there is no connection from outside to subnet 192.168.2.x apart from the web servers' SQL and SSL ports. In the same way, the administrator can enable the firewall on the local area connection and only accept ports 1433 and 443.
Besides the firewalls, there are some network switches in both subnets. Unlike a hub, a switch can send the data directly to a specific port based on the connected device's hardware address. This is very smart, as it can reduce overall network traffic.
From a security point of view, a cracker could use a sniffer to listen to the broadcast traffic if a hub or bridge is the network device, but a switch helps to reduce this risk.
A router is used to connect one network to another network. It selects an appropriate path and routes the data/packet to the destination. There are several routing models. In the basic model, the router selects the path with the fewest nodes for the transfer.
The router also has security considerations, because it is also a very important part of the network architecture. To protect our router, we may need to check the device at regular intervals. Second, the administrator needs to apply the latest patches to ensure the router is at the highest security level.
(2. NCC Internet Security 2008, David Mackey – router)
Demilitarized Zone (DMZ)
Some people call this arrangement, of at least two separate firewalls separating two subnets, a Demilitarized Zone. One firewall connects to the Internet and the other connects to the internal network. This setting restricts outside access to the web servers, and the internal network is protected at a second level. (3. NCC Internet Security 2008, David Mackey – Demilitarized zone)
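As an added example (not part of the original answer), the two-firewall DMZ design above modelled as a small packet-filter: the subnets, the Firewall A rule (port 80 only into the web subnet) and the Firewall B rules (ports 1433 and 443 from the web subnet into the database subnet only) are taken from the answer, and the sample connections are constructed to show what each firewall lets through.

```python
# Added example (not part of the original answer): a packet-filter model of the
# two-firewall DMZ design from Task 2. Subnets and rule tables are the answer's;
# the sample connections are constructed for illustration.
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
WEB_SUBNET = ipaddress.ip_network("192.168.1.0/24")   # subnet 1: web servers
DB_SUBNET = ipaddress.ip_network("192.168.2.0/24")    # subnet 2: database servers


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int


# Firewall A: only port 80 from anywhere into the web subnet; default deny.
FIREWALL_A = [Rule(ANY, WEB_SUBNET, 80)]

# Firewall B: only SQL (1433) and SSL (443) from the web subnet into the DB
# subnet; default deny, so nothing from the Internet reaches the databases.
FIREWALL_B = [Rule(WEB_SUBNET, DB_SUBNET, 1433), Rule(WEB_SUBNET, DB_SUBNET, 443)]


def permitted(rules, src_ip, dst_ip, dport):
    """Allow-list evaluation with an implicit deny when no rule matches."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    return any(src in r.src and dst in r.dst and dport == r.dport for r in rules)


def path_allowed(src_ip, dst_ip, dport):
    """Trace a TCP connection through the layered design: external sources must
    pass Firewall A first; anything bound for the database subnet must also pass
    Firewall B; traffic to any other destination is dropped."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src not in WEB_SUBNET and src not in DB_SUBNET:
        if not permitted(FIREWALL_A, src_ip, dst_ip, dport):
            return False
    if dst in DB_SUBNET:
        return permitted(FIREWALL_B, src_ip, dst_ip, dport)
    return dst in WEB_SUBNET


# Constructed sample connections (RFC 5737 documentation addresses outside).
SAMPLE = [
    ("203.0.113.9", "192.168.1.10", 80),    # customer browsing the site: allow
    ("203.0.113.9", "192.168.1.10", 22),    # SSH from the Internet: deny
    ("203.0.113.9", "192.168.2.5", 1433),   # Internet straight to SQL: deny
    ("192.168.1.10", "192.168.2.5", 1433),  # web server to database: allow
    ("192.168.1.10", "192.168.2.5", 3389),  # web server to RDP on the DB: deny
]


def evaluate(samples=SAMPLE):
    """Return (src, dst, port, allowed) for each sample connection."""
    return [(s, d, p, path_allowed(s, d, p)) for s, d, p in samples]


if __name__ == "__main__":
    for s, d, p, ok in evaluate():
        print(f"{s:>14} -> {d}:{p:<5} {'ALLOW' if ok else 'DENY'}")
```

The third sample is the point of the DMZ: a connection from the Internet to a database port is dropped at Firewall A before Firewall B is ever consulted, so a misconfiguration on one firewall alone does not expose the databases.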
Task 3 – 20 Marks
In order to understand the nature of the breaches of the company's network you will have to perform a security test and audit. Write a report on how you would test the security of a network, including a description of the tools that you would use. Give some sample outputs from the tools that you suggest.
(Warning: do NOT use these tools on a live network.)
A network security audit is a must after building your own network. This testing helps to find out the strengths and weaknesses in the network architecture. According to the findings, the administrator can adjust the security policy or settings to prevent attacks. There are several terms to describe this type of testing, such as ethical hacking or penetration testing.
Under ethical hacking, the system administrator is authorised and plays the role of the attacker, who uses any method to break into the network and find the problems. If you know the problems earlier than the real attackers, you can prevent them from being exploited. (4. NCC Internet Security 2008, David Mackey – Security Testing)
How is ethical hacking done? The attackers may need to research some information about the network of that company. They may want to know the IP address of this company, which operating system the company uses, which ports the firewall has opened, and which IP and port of the internal computers could be reached remotely. The attackers may search for the domain name of the company on web sites such as Domain Search (www.domainsearch.com) or Whois (www.whois.net). These kinds of web sites show the registered user name or company name and the registration information, so the attackers can identify which domain name is their target.
After confirming the domain name, the attacker can get the true IP address of this company with some network tools or the "ping" command at the Windows command prompt. Besides domain searching, if the hacker knows the web site link of this company, the hacker already has the domain name directly. Hackers can also use web search engines such as Google or Yahoo.
For example, a user can ping the domain www.whois.net and the true IP is shown: 184.108.40.206
By the traceroute method:
In Windows, the tracert command traces the whole route from the source to the destination. It shows the routing path with the IP addresses as well. A hacker can infer some routing information from this output, and the true IP of the domain is shown too.
Checking web security with Telnet:
If a hacker knows the domain name or true IP address, they can try Telnet to remotely access the server and get some information.
Hackers can telnet to a domain name or true IP on port 80. After connecting, if it is a web server, you can see some HTML in the command prompt.
What information can hackers get from this HTML? Hackers can learn the web page file name, which file is loaded after the user POSTs/SUBMITs a value from the first web page, and which scripting language the web site uses. Depending on the scripting language, such as PHP, a hacker can use a bug or weakness of the PHP script, insert input into the text box and try to break into the web system. On the other hand, some private data such as passwords may be stored in the session. If the hacker can get this session and see the password value, then the user account has been hacked.
After knowing the domain and true IP address, hackers will want to know which network ports the target has opened. Hackers can use some freeware port scanners such as SuperScan.
Fig. 6 (5. SuperScan)
SuperScan is a port scanner which has a port scan function over an IP range.
Besides port scanning, UDP scanning and TCP SYN scanning are its other features.
Best of all, it is a freeware tool for users to download. (SuperScan)
After the check with SuperScan, if the target has not protected itself well and has some unused ports open, crackers can use them to carry out remote attacks, for example Ping of Death and Denial of Service attacks through these open ports to stop the target's normal service.
Network vulnerabilities are also an area through which hackers will try to break into the system.
There is a free network vulnerability scanner called "Nessus".
Fig 7 (Nessus interface)
According to the Nessus features list, it can do:
Credentialed and un-credentialed port scanning
Credential-based patch audits for Windows and Unix platforms
Embedded web application vulnerability testing
SQL database configuration checking
Cisco router configuration checking
Checking for outdated signatures of the installed anti-virus
(Nessus – features list)
The domain name the hackers got, the network ports the hackers know are open, the network vulnerabilities the web site has: all of this information helps the hackers gain a foothold on their target. If we know what information hackers can get from our network, we can put the protection in place before the damage or loss occurs.
We can use some tools to capture our network packet traffic and check which area may cause the problem. There are tools called "tcpdump" and "windump". Tcpdump can capture the network traffic and show the packet details on a particular interface. They are a type of sniffer.
In the original idea, system administrators use a sniffer to capture packets for troubleshooting network problems, but crackers use it as a tool to carry out attacks.
What does the network administrator need to do to protect the network well?
The network administrator needs to check the logs on the firewall and the other network appliances all the time.
The network administrator needs to upgrade the firmware of the network equipment to the latest version.
If there is any patch, apply it at once to fix the vulnerability.
Do the network security test again whenever any new equipment has been added to the network.
Check the lights on the network equipment for any abnormal lighting that appears all of a sudden.
To prevent Denial of Service attacks on the network, the firewall and router block the abnormal traffic.
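One of the checks an administrator would run as part of the audit above, added here as an example that is not part of the original answer: confirming that each web server exposes only the ports the Task 2 design allows (80, 443 and 1433 on the web servers) and flagging any other listening port, which is the "unused open port" problem the SuperScan paragraph describes from the attacker's side. It parses the output of `netstat -an` (both the Linux `LISTEN` and Windows `LISTENING` layouts); the sample output below is constructed.

```python
# Added example (not part of the original answer): audit the listening TCP ports
# on a web server against the allow-list from the Task 2 design. Parses
# "netstat -an" output; the SAMPLE_NETSTAT text is constructed.

# Ports the Task 2 design permits on a web server (web, SSL, SQL to the DB tier).
ALLOWED_WEB_SERVER_PORTS = {80, 443, 1433}


def listening_ports(netstat_output):
    """Return the set of TCP ports in LISTEN/LISTENING state.

    Works for both layouts because in each the local-address column sits two
    fields before the state column:
      Linux:   tcp  0  0  0.0.0.0:80   0.0.0.0:*   LISTEN
      Windows: TCP        0.0.0.0:80   0.0.0.0:0   LISTENING
    """
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].lower().startswith("tcp"):
            continue                      # headers, UDP rows, blank lines
        if not fields[-1].upper().startswith("LISTEN"):
            continue                      # ESTABLISHED, TIME_WAIT, ...
        local = fields[-3]                # e.g. "0.0.0.0:80", ":::443", "[::]:443"
        ports.add(int(local.rsplit(":", 1)[1]))
    return ports


def unexpected_ports(netstat_output, allowed=ALLOWED_WEB_SERVER_PORTS):
    """Listening ports that the design does not permit, sorted for the report."""
    return sorted(listening_ports(netstat_output) - set(allowed))


# Constructed sample: a web server that also has Telnet (23) and FTP (21) open.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:80         203.0.113.9:51514       ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
"""

if __name__ == "__main__":
    print("listening:", sorted(listening_ports(SAMPLE_NETSTAT)))
    print("not permitted by the design:", unexpected_ports(SAMPLE_NETSTAT))
```

Run against real output with `netstat -an | python audit_ports.py`-style piping (reading stdin instead of the sample) and the non-empty result is the list of services to close or explain before the next test.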
Task 4 – 20 Marks Intrusion Detection
Intrusion Detection and Prevention are very important in a secure system, but the company currently does not have any IDS. You are to make recommendations to the company about Intrusion Detection and Prevention, including what type of information should be gathered during a breach.
What is Intrusion Detection?
Intrusion detection (ID) is a type of security tool for computers or networks. An Intrusion Detection System (IDS) can refer to devices, hardware or software whose main purpose is the detection of malicious activity, analysing information from some location in a computer or network. If there is any attack from outside, the IDS can know about it. If there is any attack from the inside towards the outside, the IDS can also know. Basically, IDS can be divided into two types. One is the host-based intrusion detection system (HIDS) and the other is the network intrusion detection system (NIDS).
(7. What is IDS)
Network Based Intrusion Detection
In general, a network-based IDS uses a network adapter running in promiscuous mode, monitoring all packets across the network in real time. How does a network-based IDS get the signature of an attack? The network-based IDS checks patterns, expressions or byte code to see whether there is anything abnormal.
Second, the NIDS keeps checking for threshold crossing. Third, by statistical analysis, the NIDS knows which connection is abnormal. When facing an attack, the NIDS alerts the administrator or terminates the connection directly, according to the NIDS settings.
What are the strengths of network-based intrusion detection systems?
A NIDS is placed at some critical access points for checking or capturing the network traffic. As a result, the NIDS does not require software to be maintained on the hosts, which means you can save a lot of the cost of ownership in an enterprise environment. Second, a NIDS can inspect packet headers, so it can help to detect some types of attack such as denial-of-service and TearDrop. By looking at the payload, the network administrator can identify abnormal traffic and find out the reason. Third, the NIDS captures the live network, so all the activity is logged by it; it is very difficult for an attacker to remove the evidence. Fourth, a NIDS is suitable for any operating system.
Host-Based Intrusion Detection
A HIDS has the ability to understand attacks and issue a suitable defensive action. Audit logs are still used in this kind of intrusion detection.
What are the strengths of host-based intrusion detection systems?
First, thanks to the log-keeping feature, host-based intrusion detection can analyse the logs. Second, a HIDS can monitor some specific activities in the system; for example, the administrator can monitor only some main system files and their execution status. Third, some equipment does not cross the network, such as the keyboard; this kind of attack cannot be detected by network-based intrusion detection, but a host-based detection system can. Fourth, a HIDS responds quickly once it has detected abnormal activity. Fifth, a HIDS can be installed on existing hardware such as a file server, which means there is no need to buy extra hardware just for the HIDS.
HIDS installed on each web server
According to the suggested network architecture, I would like to propose adding two network intrusion detection sensors, as shown in figure 8, and adding one IDS manager in subnet 192.168.2.x. Besides this, a host-based intrusion detection system will be installed on each web server. Sensor1, which is behind the router connected to the Internet, shows attacks from the Internet. The other sensor (sensor2) is behind the 192.168.1.x firewall and identifies attacks penetrating into the network from outside. We can also add one network intrusion detection sensor3 in the internal subnet 192.168.2.x for the detection of abnormal activity from outside into the internal network.
Sensor1 is used to monitor the traffic from the Internet to subnet one.
Sensor2 is used to capture or monitor the traffic which is coming into the first subnet.
Sensor3 is used to verify any abnormal traffic or activity in the internal subnet.
What type of information should be gathered during a breach?
Each sensor keeps a log of the daily traffic. The log is also a good facility for the prevention of attacks, because hackers know their illegal activity will be recorded and so will not carry out the attack. Before an attack, the administrator can prevent it by checking the log day by day; the administrator can find some abnormal appearances showing in the log. After an attack, the log can be strong evidence to prove the facts of the case. We can call this Log Analysis. So every system's log is very important. To keep logs in a safe place, I suggest saving the logs to a separate area such as a log server in the same subnet. Log analysis is easy to do, or you can simply look through all your logs daily.
If you need to read a large amount of logs, some analysis tools can help you. These kinds of tools help you understand which entries are good or bad. On the other hand, you can configure some settings to identify an attack and flag it.
Information collected from the web servers
If someone tries to access the web system illegally, the sensor will detect a number of attempts from the same IP address in a short period.
Fig. 9 (web server information collected)
Besides this, some hackers use SQL injection as their hacking method. You will see some log entries such as:
Fig. 10 (web server information collected)
From the failed-login log, you can see whether there are entries that perform the login step many times within a short period and fail. By the incoming IP address, the administrator can block it in future.
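The two log checks described above, as an added example that is not part of the original answer: a sliding-window count of failed logins per source address, and a signature match for requests that look like SQL injection, run over constructed web-server log lines. The log format (Apache common log), the login path, the five-in-two-minutes threshold and the signature list are assumptions chosen for the illustration, not values from the answer.

```python
# Added example (not part of the original answer): detection logic for the two
# web-server log symptoms described in Task 4, run over constructed log lines.
# Log format, threshold and signatures are assumptions for the illustration.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Apache common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Textbook SQL-injection signatures, matched after URL-decoding the request path.
SQLI_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"union\s+(?:all\s+)?select",       # UNION-based data extraction
    r"'\s*or\s+'1'\s*=\s*'1",           # tautology in a quoted string
    r";\s*drop\s+table",                # stacked statement
)]


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": unquote_plus(m["path"]),
            "status": int(m["status"])}


def repeated_login_failures(lines, login_path="/login", threshold=5,
                            window=timedelta(minutes=2)):
    """Source IPs with at least `threshold` failed logins (HTTP 401) on
    `login_path` inside any `window`-long interval (sliding window per IP)."""
    attempts = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e and e["status"] == 401 and e["path"].split("?", 1)[0] == login_path:
            attempts[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1                      # drop attempts older than the window
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def sql_injection_requests(lines):
    """(ip, decoded path) for every request matching a SQL-injection signature."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e and any(p.search(e["path"]) for p in SQLI_PATTERNS):
            hits.append((e["ip"], e["path"]))
    return hits


# Constructed sample log: a burst of six failed logins from one address, two
# spread-out failures from another, and two injection-looking requests.
SAMPLE_LOG_LINES = """\
203.0.113.9 - - [10/Oct/2010:13:55:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.9 - - [10/Oct/2010:13:55:05 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.9 - - [10/Oct/2010:13:55:09 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.9 - - [10/Oct/2010:13:55:14 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.9 - - [10/Oct/2010:13:55:20 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.9 - - [10/Oct/2010:13:55:27 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.9 - - [10/Oct/2010:13:56:00 +0000] "GET /readings?meter=1'%20OR%20'1'='1 HTTP/1.1" 500 310
198.51.100.7 - - [10/Oct/2010:13:10:00 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [10/Oct/2010:13:40:00 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [10/Oct/2010:13:41:00 +0000] "GET /track?id=1+UNION+SELECT+username,password+FROM+users HTTP/1.1" 200 2048
192.0.2.44 - - [10/Oct/2010:14:00:00 +0000] "GET /readings?meter=4521 HTTP/1.1" 200 1024
""".splitlines()

if __name__ == "__main__":
    print("brute-force candidates:", repeated_login_failures(SAMPLE_LOG_LINES))
    for ip, path in sql_injection_requests(SAMPLE_LOG_LINES):
        print("injection-looking request:", ip, path)
```

The login-failure check reports only the address with the burst, not the one with two failures thirty minutes apart, which is the difference between a user mistyping a password and an automated attempt; both outputs are what the answer says the administrator blocks on and retains as evidence.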
Task 5 – 20 Marks Encryption
The information that the company holds includes personal details of their customers. They are worried that this information could fall into an attacker's hands. The company wants to implement encryption to secure this information. You are tasked with researching a suitable solution and making a recommendation. Try to think about what type of algorithms are needed for the data.
According to the functions of the Energy Company's web site, their customers can upload meter readings, make payments and report/track faults. The payment process must involve a lot of sensitive personal data, such as the customer's identity card number, birthday, credit card number, etc. All this information must be protected in a safe way during the payment process and in the database. In the Energy Company network architecture, there are nine web servers placed in the first subnet and three database servers in subnet two. Dividing it into two parts, one connection involves external to internal, and the other connection only involves internal to internal.
We may discuss the connection involving the external side first. It should use a more secure method to protect the packets sent to the outside (the Internet). These packets contain the customer's important private data. If a packet is captured by a hacker on the Internet without any encryption, the hacker can view the content of the packet directly.
First of all, we can apply Secure Socket Layer (SSL) and Transport Layer Security (TLS) to protect the connection from the customer's computer to the web server.
What is SSL/TLS?
Secure Socket Layer and Transport Layer Security are cryptographic protocols that provide security for communications over networks such as the Internet. TLS and SSL encrypt the segments of network connections at the Application Layer to ensure secure end-to-end transit at the Transport Layer.
(8. Wikipedia TLS)
Secure Socket Layer (SSL)
Secure Socket Layer was developed by Netscape. It is for transmitting private things through the Internet. What is the concept of SSL? It uses two keys to encrypt data. One is a public key and the other is a private key. Everyone can get the public key, and the private key is only given to the recipient. In an SSL connection, the web link starts with https://xxxxx. A secure connection is created by SSL between a server and a client. HTTPS is for transmitting individual messages securely. So they are combined to send data out securely. You can think of it as a tunnel between the web servers and the Energy Company customer's web browser. All the data will be protected and encrypted. Although a hacker can capture the SSL connection and packets, they cannot read the content of the data directly under SSL.
Fig. 11 (SSL concept)
The transmissions between two computers involve the public key and the certificate. The user can trust the certificate because it comes from a trusted party. On the other hand, the certificate is in a valid state and has a relationship with the site from which it is coming. In TLS, the symmetric key is encrypted using the public key from the browser. When a secure session is created between two computers, one computer creates a symmetric key and sends it to the other computer using symmetric-key encryption.
SSL supports a variety of different cryptographic algorithms. Another important part is the cipher, which is used in the authentication between the server and the client. There are many cipher suites, such as Data Encryption Standard (DES), Digital Signature Algorithm (DSA), Key Exchange Algorithm (KEA), Message Digest algorithm (MD5), RSA (a public-key algorithm for both encryption and authentication), Secure Hash Algorithm (SHA-1), etc. Now it is common to use Triple-DES (DES applied three times).
For the highest security, to protect the customer's private data, the strongest cipher suite is highly recommended. Which one is the strongest cipher suite? They are Triple DES and SHA-1.
Triple DES, supported by SSL, provides 168-bit encryption. It applies a standard key three times, so the processing time is also multiplied by 3. Due to the large key size, the speed is not as fast as RC4. Its key size may be larger than the other cipher suites by about 3.7 × 10^50.
The other part is the SSL Handshake. It combines the public-key and symmetric-key encryption methods. Let us go through the SSL handshake steps now. First, the client sends its cipher settings, generated data and other information to the server. Second, the server does the same towards the client, but the server also sends its own certificate to the client if the client has requested it. Third, after receiving the information from the server, the client tries to perform the authentication. If the authentication step fails, the connection cannot be established. Fourth, if the authentication succeeds, the client creates the premaster secret for the session. The public key is used for the encryption, and the encrypted data is sent to the server. Fifth, the server uses its own private key for the decryption. Sixth, the server and the client generate session keys from the master secret. These session keys are symmetric keys which are used for the encryption and decryption. At the end, both server and client send a message to inform the other that future messages will be encrypted with the session keys. After that, the SSL handshake is complete.
(9. Introduction of SSL)
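How the cipher-suite recommendation above is actually applied on the web servers, as an added example that is not part of the original answer: building the server-side TLS configuration with Python's standard `ssl` module and auditing the suites it will negotiate. The cipher string and the weak-algorithm list are this example's choices rather than the answer's; the list excludes RC4 (prohibited in TLS by RFC 7465), single and triple DES (64-bit block ciphers, deprecated) and MD5, so it departs from the Triple DES / SHA-1 recommendation above in favour of ECDHE key exchange with AES-GCM or ChaCha20. The certificate and key paths are hypothetical.

```python
# Added example (not part of the original answer): a TLS server configuration for
# the web servers using the standard library, plus an audit of the cipher list.
# The cipher string, weak-algorithm markers and file paths are assumptions.
import ssl

# Substrings identifying suites a current deployment should not negotiate:
# RC4 (RFC 7465), DES/3DES (64-bit block, deprecated), MD5 (broken digest),
# NULL/EXP (no or export-grade encryption), ADH/AECDH (no authentication).
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")


def weak_ciphers(names):
    """Return the cipher-suite names that contain a weak or unwanted algorithm."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


def web_server_context(certfile=None, keyfile=None):
    """TLS 1.2+ server context: forward secrecy (ECDHE) with AEAD ciphers only.

    certfile/keyfile are hypothetical paths; when omitted the context is built
    without a certificate so the cipher configuration can be inspected offline.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2          # no SSLv3/TLS 1.0/1.1
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!3DES:!RC4")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)            # server certificate + key
    return ctx


def audit_context(ctx):
    """Summarise what the context will negotiate: suite names, any weak ones,
    and the minimum protocol version."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {"ciphers": names,
            "weak": weak_ciphers(names),
            "min_version": ctx.minimum_version.name}


if __name__ == "__main__":
    report = audit_context(web_server_context())
    print("minimum version:", report["min_version"])
    print("negotiable suites:", *report["ciphers"], sep="\n  ")
    print("weak suites present:", report["weak"] or "none")
```

The same `audit_context` check can be pointed at a context built from an existing server's cipher string to see whether the legacy suites named above would still be offered.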
Symmetric encryption is defined as using the same key for both encryption and decryption.
It is a fast and efficient method of encryption, but it also has a disadvantage. If someone wants to send an encrypted e-mail to another person, the receiver also needs the same key to decrypt the e-mail. The question is: how can the key be passed to the receiver over the Internet? So there is another encryption type, called Asymmetric Encryption.
Asymmetric encryption uses two keys: one key to encrypt the plaintext and the other to decrypt it. In asymmetric encryption, Public-Key Infrastructure (PKI) is quite useful for protecting the customer's data. PKI may involve Digital Certificates. The certificate is used to identify the subject. In theory, each person has a unique digital certificate and publishes their public key. On the other hand, each organisation has a digital certificate to prove its role, because the certificate is issued by a third party. This trusted third party is the Certificate Authority (CA). The CA verifies the company and issues the certificate after approval. So if the payment method can work with the certificate, the Energy Company can identify the customer's role and the customer can trust that the payment is being processed at the real Energy Company. This is also a highly secure method.
(10. NCC Internet Security 2008, David Mackey – Encryption)