Assessing and Mitigating IT Security Risks, Study notes of Computer Security

An overview of the tools and techniques for identifying and assessing IT security risks, as well as the organizational policies and solutions to protect critical business data and equipment. It covers topics such as network security, firewall configuration, intrusion detection systems (IDS), and the potential impact of incorrect configurations. The document also discusses the use of a DMZ, static IP and NAT to improve network security, and emphasizes the importance of regular data backups, strong password policies and security audits in enhancing an organization's overall cybersecurity posture. The coverage of IT security threats, mitigation strategies and best practices makes this document a useful resource for junior staff members, IT professionals, and anyone interested in enhancing their organization's cybersecurity.

Typology: Study notes

2021/2022

Uploaded on 06/06/2023

tufdjkbndjnb

Higher Nationals in Computing
Unit 5: Security
ASSIGNMENT 1

Learner's name:
ID:
Class:
Subject code: 1623
Assessor name: NGUYEN NGOC TU
Assignment due:
Assignment submitted:

ASSIGNMENT 1 FRONT SHEET

Qualification: BTEC Level 5 HND Diploma in Computing
Unit number and title: Unit 5: Security
Submission date:
Date received (1st submission):
Re-submission date:
Date received (2nd submission):
Student name:
Student ID:
Class:
Assessor name: TU NGUYEN

Student declaration
I certify that the assignment submission is entirely my own work and I fully understand the consequences of plagiarism. I understand that making a false declaration is a form of malpractice.
Student's signature:

Grading grid: P1 P2 P3 P4 M1 M2 D1 (x x x x)

LO1 Assess risks to IT security.
LO2 Describe IT security solutions.

Assignment Brief and Guidance

Assignment scenario
You work as a trainee IT Security Specialist for a leading security consultancy in Vietnam called FPT Information Security (FIS). FIS works with medium-sized companies in Vietnam, advising on and implementing technical solutions to potential IT security risks. Most customers have outsourced their security concerns because they lack the technical expertise in house. As part of your role, your manager Jonson has asked you to create an engaging presentation to help train junior staff members on the tools and techniques associated with identifying and assessing IT security risks, together with the organizational policies to protect business-critical data and equipment.

Tasks
In addition to your presentation, you should also provide a detailed report containing a technical review of the topics covered in the presentation. Your presentation should:
• Identify the security threats FIS may face if they have a security breach. Give an example of a recently publicized security breach and discuss its consequences.
• Describe a variety of organizational procedures an organization can set up to reduce the effects on the business of a security breach.
• Propose a method that FIS can use to prioritize the management of different types of risk.
• Discuss three benefits to FIS of implementing a network monitoring system, giving suitable reasons.
• Investigate network security, identifying issues with incorrect firewall and IDS configuration, and show through examples how different techniques can be implemented to improve network security.
• Investigate a 'trusted network' and, through an analysis of positive and negative issues, determine how it can be part of a security system used by FIS.

Your detailed report should include a summary of your presentation as well as additional, evaluated or critically reviewed technical notes on all of the expected topics.

Learning Outcomes and Assessment Criteria (Assignment 1)

| Learning Outcome | Pass | Merit | Distinction |
| --- | --- | --- | --- |
| LO1 | P1 Identify types of security threat to organisations. Give an example of a recently publicized security breach and discuss its consequences. P2 Describe at least 3 organisational security procedures. | M1 Propose a method to assess and treat IT security risks. | D1 Investigate how a 'trusted network' may be part of an IT security solution. |
| LO2 | P3 Identify the potential impact to IT security of incorrect configuration of firewall policies and IDS. P4 Show, using an example for each, how implementing a DMZ, static IP and NAT in a network can improve network security. | M2 Discuss three benefits of implementing network monitoring systems, with supporting reasons. | |

Table of Contents

Unit 5: Security ASSIGNMENT 1 (p. 1)
Assignment Brief 1 (RQF) (p. 3)
Higher National Certificate/Diploma in Computing (p. 3)
P1 Identify types of security threat to organisations. Give an example of a recently publicized security breach and discuss its consequences. (p. 1)
  TYPES OF SECURITY THREATS TO ORGANIZATIONS (p. 1)
  An organization must have physical security control measures in place to protect computer systems from the aforementioned physical threats. (p. 1)
  1. COMPUTER VIRUSES (p. 2)
  2. DENIAL-OF-SERVICE (DOS) ATTACKS (p. 2)
  3. PHISHING (p. 2)
  4. SQL INJECTION (p. 2)
  5. ROOTKIT (p. 3)
  6. MALWARE (p. 3)
  7. RANSOMWARE (p. 3)
  8. DATA BREACH (p. 3)
  9. CARELESS EMPLOYEES OF ORGANIZATION (p. 4)
  WHAT ARE THE RECENT SECURITY BREACHES? LIST AND GIVE EXAMPLES WITH DATES (p. 4)
  DISCUSS THE CONSEQUENCES OF THIS BREACH (p. 5)
  1. Reputational damage (p. 5)
  2. Operational downtime (p. 5)
  3. Legal action (p. 6)
  4. Loss of sensitive data (p. 6)
P2 Describe at least 3 organizational security procedures. (p. 7)
  ORGANIZATIONAL SECURITY PROCEDURE (p. 8)
  1. Implement your cybersecurity strategy from the top down (p. 8)
  2. Create policies for the allocation of internal IT resources (p. 8)
  3. Network security (p. 8)
  4. Protect your endpoints/servers (p. 8)
  5. Train your personnel (p. 9)
  6. Create policies for the allocation of internal IT resources (p. 9)
  7. Network security (p. 10)
  8. Protect your endpoints/servers (p. 10)
  9. Train your personnel (p. 11)
  10. Remote/home user controls (p. 11)
  11. Monitoring (p. 11)
  12. Test (p. 12)

1. COMPUTER VIRUSES
A virus is a software program that can spread from one computer to another, or from one network to another, without the user's knowledge, and that performs malicious actions. It has the capability to corrupt or damage an organization's sensitive data, destroy files and format hard drives.

HOW DOES A VIRUS ATTACK?
There are different ways that a virus can be spread or attack, such as:
• Clicking on an executable file
• Installing free software and apps
• Visiting an infected and unsecured website
• Clicking on an advertisement
• Using infected removable storage devices, such as USB drives
• Opening spam email or clicking on a URL link
• Downloading free games, toolbars, media players and other software

2. DENIAL-OF-SERVICE (DOS) ATTACKS
A denial-of-service attack shuts down a machine or network, or makes it inaccessible to its users. It typically floods the targeted system with requests until normal traffic can no longer be processed, resulting in denial of service to legitimate users.

HOW DOES A DOS ATTACK WORK?
It occurs when an attacker prevents legitimate users from accessing specific computer systems, devices or other resources.

3. PHISHING
Phishing is a type of social engineering attack that attempts to gain confidential information such as usernames, passwords, credit card information, login credentials and more.

HOW DOES A PHISHING ATTACK WORK?
In a phishing email attack, the attacker sends the victim an email that looks as if it came from their bank and asks them to provide personal information. The message contains a link that redirects the victim to another website set up to steal their information. It is therefore better not to open such emails or click their links, and never to provide sensitive information in response.

4. SQL INJECTION
SQL injection is a type of injection attack and one of the most common web hacking techniques; it allows the attacker to control the back-end database to change or delete data.

HOW DOES A SQL INJECTION ATTACK WORK?
It is an application security weakness: when an application fails to properly sanitize the input that goes into its SQL statements, the attacker can include their own malicious SQL commands and gain access to the organization's database. The attacker includes the malicious code in SQL statements via web page input.

5. ROOTKIT
A rootkit is a malicious program that installs and executes malicious code on a system without the user's consent in order to gain administrator-level access to a computer or network system. There are different types of rootkit, such as bootkits, firmware rootkits, kernel-level rootkits and application rootkits.

6. MALWARE
Malware is software, typically a program or code, developed by cyber attackers. It is a type of cyber security threat to organizations designed to cause extensive damage to systems or to gain unauthorized access to a computer.

HOW DOES MALWARE ATTACK?
There are different ways that malware can infect a device; for example, it can be delivered as a link or file over email, and it then requires the user to click on that link or open the file to execute the malware. This type of attack includes computer viruses, worms, Trojan horses and spyware.

7. RANSOMWARE
Ransomware is a type of security threat that blocks access to a computer system and demands bitcoin in return for restoring access. The most dangerous ransomware attacks are WannaCry, Petya, Cerber, Locky and CryptoLocker.

HOW IS RANSOMWARE INSTALLED?
All types of such threats are typically installed on a computer system in the following ways:
• Downloading and opening a malicious email attachment
• Installing infected software or apps
• Visiting a malicious or vulnerable website
• Clicking on an untrusted web link or image

8. DATA BREACH
A data breach is a security threat that exposes confidential or protected information: the information is accessed from a system without the authorization of the system's owner.
The information may be sensitive, proprietary or confidential, such as credit card numbers, customer data or trade secrets.

9. CARELESS EMPLOYEES OF ORGANIZATION
Employees are the greatest security risk for any organization, because they know everything about the organization, such as where the sensitive information is stored and how to access it. In addition to malicious attacks, careless employees are another type of cyber security threat to organizations.

Example of a recently publicized security breach and discussion of its consequences

Sina Weibo
Date: March 2020
Impact: 538 million accounts
Details: With over 500 million users, Sina Weibo is China's answer to Twitter. However, in March 2020 it was reported that the real names, site usernames, gender, location and, for 172 million users, phone numbers had been posted for sale on dark web markets. Passwords were not included, which may indicate why the data was available for just ¥1,799 ($250). Weibo acknowledged that the data for sale came from the company, but claimed it was obtained by matching contacts against its address book API. It also said that since it doesn't store passwords in plaintext, users should have nothing to worry about. This, however, doesn't tally, as some of the information being offered, such as location data, isn't available via the API. The social media giant said it had notified authorities about the incident, and China's Cyber Security Administration of the Ministry of Industry and Information Technology said it is investigating.

WHAT ARE THE RECENT SECURITY BREACHES? LIST AND GIVE EXAMPLES WITH DATES:

• April 2022: Block confirms Cash App data breach
In an SEC filing made on April 4, Block (the company formerly known as Square) acknowledged that Cash App had been breached by a former employee in December 2021. The leak included customers' names, brokerage account numbers and other data, such as portfolio value and stock trading activity.
Block has not been forthcoming about how many customers were affected in total, but the company is contacting over 8 million customers to inform them about the incident. Based on what it has said so far, no other personally identifiable information or account credentials were leaked in the incident.

• March 2022: Microsoft breached by Lapsus$ hacker group
On March 20, 2022, the hacker group Lapsus$ posted a screenshot to their Telegram channel indicating that they had breached Microsoft. The screenshot was taken within Azure DevOps, a collaboration software created by Microsoft, and indicated that Bing, Cortana and other projects had been compromised in the breach. On March 22, Microsoft issued a statement confirming that the attacks had occurred. In it, they asserted that no customer data had been compromised; per Microsoft's description, only a single account was hijacked, and

• Back up data regularly
Back up data regularly to limit risks. Enterprises apply information security measures to ensure information safety and limit risks. To avoid unforeseen risks, businesses should back up their data regularly, especially customer information, business status information and business secrets. This way, if something goes wrong, the organization can easily recover and minimize system downtime. Businesses are advised to back up to the cloud instead of traditional physical devices.

• Use strong passwords and 2-layer security
It is a fact that many users (employees) still use passwords that are simple, easy to remember and easy to guess. This increases the chance of passwords being revealed, potentially exposing information. To improve security, users should set strong passwords (hard to guess, including uppercase, lowercase, numeric and special characters; do not use personal information in the password). Besides using strong passwords, 2-layer security also needs to be applied.
This will be the second layer of protection, enhancing the security of the account.

• Be careful when using free software and applications
Free software and applications can be "bait" containing malicious code to infiltrate computers and steal data. So a simple but effective enterprise information security solution is to be wary of free software.

• Split the intranet
In order to facilitate management, the enterprise intranet should be divided into several zones. Each zone will have its own protection plan. This way, if something goes wrong, only one subnet branch is affected locally.

• Use information security solutions from a professional company
Besides the above solutions, for really effective security, businesses need to integrate solutions matched to their needs and purposes. The application of appropriate enterprise information security solutions is essential in the digital age. Don't wait until the cow is lost to build the stable, because the damage from attacks will have a lasting impact on the business of the organization. It's time for businesses to set aside a certain budget for security. It will really become a profitable investment when it helps to keep the business stable and efficient.

P2 Describe at least 3 organizational security procedures.

ORGANIZATIONAL SECURITY PROCEDURE:

1. Implement your cybersecurity strategy from the top down
Devise a security strategy and make sure Directors and Management understand the importance of your organization's IT network security. The fundamental thing about security is knowing the risks involved and understanding what needs to be secured, namely what your valuables/assets are. Only after a thorough risk assessment has been carried out can a proper security strategy be formed and implemented. The importance of cyber-security should be something that senior management understands and supports, resulting in a top-down approach to implementation.

2. Create policies for the allocation of internal IT resources
Once the importance of security issues is fully understood by management, organizations can then begin to create and implement policies on how to use, manage and allocate company resources to tackle cyber security. It is vital to then develop and enforce policies and procedures for employees to follow; this will impact:
• The allocation of company IT resources (allowed and prohibited expenditure)
• Change management procedures to be implemented across all IT systems and related policies
• Re-evaluating risk and security posture at regular intervals

3. Network security
Have a network design with a strong focus on cyber-security. Segment your network into logical, system-based zones so you can isolate/segregate critical business systems and apply network security controls to them (firewall/inspect traffic between those zones). Protect your Internet edge but also internal (east-west) traffic, and cover the most used attack vectors (email, web). Pay special attention to wireless connectivity: use strong authentication based on individual credentials or personal certificates, strong encryption (AES) and proper guest/BYOD access. Plan home and remote user access carefully; they should have security controls equal to those of users on corporate networks. Have a central point for system monitoring (SIEM) that is integrated within your environment and provides a single place holding all relevant logs/events for your systems. Monitor your network/user activity with qualified staff. Fine-tune your IPS systems to use security rules/signatures relevant to your network environment and to produce relevant alarms. Act on the alarms promptly. Secure both user/management and physical access to your network assets. Apply only secure configurations using the vendor/standard recommended best practices. Have a lifecycle policy in place, i.e. review/renew security controls/equipment at regular intervals.
Finally, ensure you have an up-to-date network diagram with HLD/LLD documents.

4. Protect your endpoints/servers
Always use legitimately supported software and hardware. Create and maintain a policy for patching and updates, and keep up to date with patches and security updates. Devise and maintain a hardware and software repository: know what you have in your network. Centrally manage your endpoints from an OS and software point of view. Limit user rights to make changes to endpoint security:
• Never give normal users full (admin) access
• Limit execution controls/change configuration
• Create safe-lists of allowed software
• Disable unnecessary services
• Disable unnecessary peripheral devices and removable media access
• Disable auto-run capability if removable media access is deemed necessary
Accessing sensitive information should be done in a secure manner, with proper access controls in place: secure and robust authentication mechanisms, two-factor authentication for sensitive access, and encryption for data in transit and at rest. Monitoring of how sensitive data is handled and transferred should also be in place. Use endpoint protection mechanisms (anti-virus, anti-spyware, software firewalls) which support centralised management and can be integrated with your network security controls and monitoring tools. Regularly back up all important data in a safe manner (encrypt and secure data at rest and in motion); this mitigates the effects of ransomware attacks. In case of a breach, have a plan to restore normal network operations for different scenarios, but also remember to include steps for gathering data so that forensic investigations can take place in the aftermath.

5. Train your personnel
Users should be aware of the ideas behind the implementation of security measures, what threats are out there and what should raise their suspicion. Simple things like:
• Non-solicited mails with strange hidden links (aka the "Think before you click" campaign)
• File attachments with general but well-sounding names

6. Create policies for the allocation of internal IT resources
Once the importance of security issues is fully understood by management, organizations can then begin to create and implement policies on how to use, manage and allocate company resources to tackle cyber security.
• The allocation of company IT resources (allowed and prohibited expenditure)
• Change management procedures to be implemented across all IT systems and related policies

12. Test
The only way to really know whether your security level is protecting your organization is to regularly test it! Security tests should cover all parts of your environment and should be performed on procedures/processes, network equipment, endpoint systems and personnel.
• Formal security audits that look at procedures and whether they are being followed/enforced
• Automated vulnerability assessments, usually performed every 2-3 months and done internally
• Penetration tests: external annual security tests that usually give the most accurate information about the company's security posture and the effectiveness of all security measures deployed
• Social engineering tests on personnel: attempts to get employees to disclose sensitive information to non-authorised people, either via phone or in person, or to get physical access to company restricted areas

DISCUSSION ON INCIDENT RESPONSE POLICY:
The Incident Response policy is as follows:
Management responsibilities and procedures should be established to ensure a quick, effective and orderly response to Security and Privacy Incidents. The objectives for Security and Privacy Incident management should be agreed upon with management, and it should be ensured that those responsible for Security Incident management understand the organization's priorities for handling Security and Privacy Incidents.
Security and Privacy Events should be reported through appropriate management channels as quickly as possible. Personnel and contractors using the organization's information systems and services are required to note and report any observed or suspected Security Weakness or Vulnerability in systems or services.
Security and Privacy Events should be assessed, and it should be decided whether they are to be classified as Security or Privacy Incidents. Security and Privacy Incidents should be responded to in accordance with documented Incident Response procedures.
Knowledge gained from analyzing and resolving Security and Privacy Incidents should be used to reduce the likelihood or impact of future incidents.
Procedures should be defined and applied for the identification, collection, acquisition and preservation of information which can serve as evidence.
Awareness should be provided on topics such as:
• How the program works and what is expected
• How to report Security and Privacy Incidents, and who to contact
• Constraints imposed by non-disclosure agreements
Communication channels should be established well in advance of a Security or Privacy Incident. Include all necessary parties in relevant communication:
• SIRT members
• Senior Management
• iCIMS Personnel
In the event of a Security or Privacy Incident, Data Controllers, government bodies, PII Principals and other necessary parties should be notified in a reasonable timeframe, and in compliance with regulatory and other applicable requirements and guidance.
At no time should investigations into Security or Privacy Events or Incidents be unreasonably obstructed. Any obstruction of an investigation into a Security or Privacy Event or Incident must immediately be reported to senior leadership for resolution. Obstruction of an investigation may result in disciplinary action, up to and including termination.

P3 Identify the potential impact to IT security of incorrect configuration of firewall policies and IDS.

3.1 Briefly describe firewalls and policies, their usage and advantages in a network

What is a Firewall
There are basically two types of firewall: software and hardware firewalls. A firewall is software or hardware that filters all network traffic between your computer, home network or company network and the internet. As shown in Figure 1, the firewall usually sits between a private network and a public network or the internet, at the boundary of the private network.

Firewall policies allow you to block or allow certain types of network traffic not specified in a policy exception. A policy also defines which firewall features get enabled or disabled. Assign a policy to one or multiple firewall profiles. OfficeScan comes with a set of default policies, which you can modify or delete.
With Active Directory integration and role-based administration, each user role, depending on its permissions, can create, configure or delete policies for specific domains. The default firewall policies are as follows:

| Policy name | Security level | Client settings | Exceptions | Recommended use |
| --- | --- | --- | --- | --- |
| All access | Low | Enable firewall | None | Use to allow clients unrestricted access to the network |
| Cisco Trust Agent for Cisco NAC | Low | Enable firewall | Allow incoming and outgoing UDP traffic through port 21862 | Use when clients have a Cisco Trust Agent (CTA) installation |
| Communication ports for Trend Micro Control Manager | Low | Enable firewall | Allow all incoming and outgoing TCP/UDP traffic through ports 80 and 10319 | Use when clients have an MCP agent installation |
| ScanMail for Microsoft Exchange console | Low | Enable firewall | Allow all incoming and outgoing TCP traffic through port 16372 | Use when clients need to access the ScanMail console |
| InterScan Messaging Security Suite (IMSS) console | Low | Enable firewall | Allow all incoming and outgoing TCP traffic through port 80 | Use when clients need to access the IMSS console |

Also create new policies if you have requirements not covered by any of the default policies. All default and user-created firewall policies display on the firewall policy list on the Web console.

Uses of a Firewall
A firewall is an essential component in the system. It can be present in any form: software, hardware or a cloud-computing mechanism. The following are the uses of a firewall that must be understood by a user to guard their system.

1. Prevents the passage of unwanted content
There is no limit to bad and unwanted content on the internet. Such unwanted content can easily penetrate the system unless a strong firewall is in place. Most operating systems have a firewall that will effectively take care of undesired and malignant content from the internet.
Whenever a new system is put into use, the user must check whether a firewall exists, and if not, a third-party firewall can be installed.

2. Prevents unauthorized remote access
Today, numerous unethical hackers are making constant efforts to acquire access to vulnerable systems. The ignorant user is never aware of who can access their system. A strong firewall prevents any possibility of a prospective unethical hacker getting remote access to a system. Such remote access is purely unauthorized and can be intended for destructive purposes too.

When your computer has firewall protection, everything that goes in and out of it is monitored. The firewall monitors all this information traffic to allow 'good data' in, but block 'bad data' from entering your computer. Firewalls use one or a combination of the following three methods to control traffic flowing in and out of the network:

Packet filtering
The most basic form of firewall software uses pre-determined security rules to create filters: if an incoming packet of information (a small chunk of data) is flagged by the filters, it is not allowed through. Packets that make it through the filters are sent to the requesting system and all others are discarded.

Proxy service
A firewall proxy server is an application that acts as an intermediary between systems. Information from the internet is retrieved by the firewall and then sent to the requesting system, and vice versa. Firewall proxy servers operate at the application layer of the firewall, where both ends of a connection are forced to conduct the session through the proxy. They operate by creating and running a process on the firewall that mirrors a service as if it were running on the end host, and thus centralise all information transfer for an activity to the firewall for scanning.
Stateful inspection

The most modern method of firewall scanning, which doesn't rely on the memory-intensive examination of all information packets, is ‘stateful inspection’. A ‘stateful’ firewall holds significant attributes of each connection in a database of trusted information for the duration of the session. These attributes, collectively known as the ‘state’ of the connection, may include such details as the IP addresses and ports involved in the connection and the sequence numbers of the packets being transferred. The firewall compares information being transferred with the copy relevant to that transfer held in the database: if the comparison yields a positive match the information is allowed through, otherwise it is denied.

There are two types of firewalls: software and hardware.

Figure 1: Firewalls

Hardware firewalls are built into network devices such as routers; they can protect every single machine on a network and require little configuration to work effectively. They use packet filtering techniques to examine the header of a packet, determining its source and destination, and then, comparing the data to a set of predefined rules, they decide whether to drop the packet or forward it to the next hop or to its destination.

Software firewalls are the most popular network protection method for home users. They usually come as standalone applications or as part of a complete antivirus protection suite, in which case the firewall can also protect against Trojan or worm applications and allows various options of control over its functions and features. A reliable software firewall should run in the background of your computer and leave a small footprint on overall performance by using few of its resources. The firewall software must be regularly updated to keep up with the latest technological improvements and provide effective protection against the latest network attack tactics.
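The difference between a rule-by-rule packet filter and stateful inspection is easiest to see on a concrete packet sequence. The following Python simulation is an added example written for this report (it is not code from any firewall product or from the sources quoted above); the addresses, ports and packets are constructed for the demonstration. The stateless filter judges each packet in isolation with one pre-determined rule, "allow inbound packets from source port 443", so that web replies can reach LAN clients. The stateful firewall instead records the state of each connection a LAN host opens (addresses, ports and handshake phase) and admits an inbound packet only when it matches a tracked entry.

```python
"""Stateless packet filtering vs. stateful inspection (constructed simulation)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str       # TCP flags as a label: "SYN", "SYN-ACK", "ACK", "PSH-ACK"
    direction: str   # "out" = LAN -> Internet, "in" = Internet -> LAN


# Constructed addresses (documentation ranges, not real hosts)
LAN_CLIENT = "192.168.32.10"
WEB_SERVER = "203.0.113.5"
OUTSIDER = "198.51.100.7"

# Constructed traffic: a legitimate outbound HTTPS handshake, then two inbound
# packets that nobody on the LAN asked for.
TRAFFIC = [
    Packet(LAN_CLIENT, 51000, WEB_SERVER, 443, "SYN", "out"),
    Packet(WEB_SERVER, 443, LAN_CLIENT, 51000, "SYN-ACK", "in"),
    Packet(LAN_CLIENT, 51000, WEB_SERVER, 443, "ACK", "out"),
    Packet(OUTSIDER, 443, LAN_CLIENT, 3389, "SYN", "in"),       # inbound connection attempt whose source port happens to be 443
    Packet(OUTSIDER, 443, LAN_CLIENT, 51000, "PSH-ACK", "in"),  # looks like a reply, but no such connection exists
]


def stateless_filter(pkt):
    """Pre-determined rules only, judged packet by packet with no memory:
    allow everything outbound, and allow inbound packets from source port 443
    so that replies from web servers can reach LAN clients."""
    if pkt.direction == "out":
        return True
    return pkt.src_port == 443


class StatefulFirewall:
    """Keeps the 'state' of each connection (addresses, ports, handshake phase)
    for the session and only admits inbound packets that match a tracked entry."""

    def __init__(self):
        self.state = {}   # (src_ip, src_port, dst_ip, dst_port) -> phase

    def inspect(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.direction == "out":
            if pkt.flags == "SYN" and key not in self.state:
                self.state[key] = "SYN_SENT"   # a LAN host opened a connection
            return True
        phase = self.state.get(reverse)        # inbound packets are matched against the LAN side's entry
        if phase is None:
            return False                       # nothing on the LAN asked for this: deny
        if phase == "SYN_SENT" and pkt.flags == "SYN-ACK":
            self.state[reverse] = "ESTABLISHED"
            return True
        return phase == "ESTABLISHED" and pkt.flags != "SYN"


def run_stateless():
    """Verdict (True = allow) for each packet in TRAFFIC under the stateless filter."""
    return [stateless_filter(p) for p in TRAFFIC]


def run_stateful():
    """Verdict (True = allow) for each packet in TRAFFIC under stateful inspection."""
    fw = StatefulFirewall()
    return [fw.inspect(p) for p in TRAFFIC]


if __name__ == "__main__":
    for pkt, a, b in zip(TRAFFIC, run_stateless(), run_stateful()):
        print(f"{pkt.direction:3} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} "
              f"{pkt.flags:8} stateless={'allow' if a else 'deny':5} stateful={'allow' if b else 'deny'}")
```

The stateless filter passes all five packets, because the last two satisfy its one rule just as well as the genuine reply does. The stateful firewall passes the handshake and drops the last two, since neither matches a connection the LAN client opened. A real stateful firewall also checks the sequence numbers mentioned above and ages entries out of the table; both are omitted here to keep the state machine readable.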
BullGuard Internet Security includes a state-of-the-art firewall protection engine and provides security updates every 2 hours to ensure the safest online experience possible. You can try award-winning firewall protection from BullGuard for free by downloading the BullGuard Internet Security pack.

3.3 Diagram showing an example of how a firewall works

Figure 2: Diagram firewall

3.4 Define IDS, its usage, and show examples with diagrams

An intrusion detection system (IDS) is a device or software application that monitors a network for malicious activity or policy violations. Any malicious activity or violation is typically reported or collected centrally using a security information and event management (SIEM) system. Some IDSs are capable of responding to detected intrusions upon discovery; these are classified as intrusion prevention systems (IPS).

IDS Detection Types

There is a wide array of IDS, ranging from antivirus software to tiered monitoring systems that follow the traffic of an entire network. The most common classifications are:

Network intrusion detection systems (NIDS): a system that analyzes incoming network traffic.
Host-based intrusion detection systems (HIDS): a system that monitors important operating system files.

There are also subsets of IDS types. The most common variants are based on signature detection and anomaly detection.

Signature-based: a signature-based IDS detects possible threats by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware. This terminology originates from antivirus software, which refers to these detected patterns as signatures. Although a signature-based IDS can easily detect known attacks, it cannot detect new attacks for which no pattern is available.

Anomaly-based: a newer technology designed to detect and adapt to unknown attacks, primarily due to the explosion of malware.
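To make the two detection styles concrete, here is an added Python example written for this report (not code from any IDS product) that runs both over the same constructed web-server log lines. The log format, the addresses and the request lines are all constructed; the two signatures are the standard harmless EICAR antivirus test string and the textbook "dot-dot-slash" directory-traversal sequence. The anomaly detector builds its model of trustworthy activity from a training window (requests per source) and flags any source in the inspected window whose request count lies more than three standard deviations above that baseline.

```python
"""Signature-based vs. anomaly-based detection over constructed web-server log lines."""
import re
from collections import Counter
from statistics import mean, pstdev

# Parser for a minimal access-log format (constructed for this example)
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})$')

# Signature detection: fixed patterns looked up in each request line.
SIGNATURES = {
    "eicar-test-file": re.compile(r"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"),
    "path-traversal": re.compile(r"/\.\./"),
}


def log_line(src, request, status, ts="10/Oct/2022:13:55:36 +0000"):
    """Build one constructed log line in the format LOG_RE understands."""
    return f'{src} - - [{ts}] "{request}" {status}'


# Training window: trusted activity the anomaly model is built from (constructed).
TRAINING = (
    [log_line("10.0.0.5", "GET /index.html HTTP/1.1", 200)] * 2
    + [log_line("10.0.0.6", "GET /products HTTP/1.1", 200)] * 3
    + [log_line("10.0.0.7", "GET /about HTTP/1.1", 200)] * 2
    + [log_line("10.0.0.8", "GET /contact HTTP/1.1", 200)] * 4
    + [log_line("10.0.0.9", "GET /news HTTP/1.1", 200)] * 3
)

# Evaluation window: the traffic being inspected (constructed).
WINDOW = (
    [log_line("10.0.0.5", "GET /index.html HTTP/1.1", 200)] * 2
    + [log_line("10.0.0.6", "GET /products HTTP/1.1", 200)] * 3
    + [log_line("10.0.0.7", "GET /about HTTP/1.1", 200)]
    + [log_line("10.0.0.20", "GET /sitemap.xml HTTP/1.1", 200)] * 6   # a legitimate but busy crawler
    + [log_line("10.0.0.99", "POST /login HTTP/1.1", 401)] * 60       # 60 failed logins from one source
    + [log_line("10.0.0.31", "GET /files/EICAR-STANDARD-ANTIVIRUS-TEST-FILE.txt HTTP/1.1", 200)]
    + [log_line("10.0.0.32", "GET /static/../../config HTTP/1.1", 404)]
)


def parse(line):
    """Return the named fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def signature_alerts(lines):
    """Known patterns only: precise for what is in the list, blind to anything else."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["req"]):
                alerts.append((rec["src"], name))
    return alerts


def build_baseline(training_lines):
    """Model of trustworthy activity: requests per source during the training window."""
    per_source = Counter(parse(l)["src"] for l in training_lines if parse(l))
    values = list(per_source.values())
    sigma = max(pstdev(values), 1.0)   # floor the spread so a near-constant baseline is not hypersensitive
    return {"threshold": mean(values) + 3 * sigma}


def anomaly_alerts(lines, baseline):
    """Flag sources whose request count deviates from the baseline; no attack knowledge needed."""
    per_source = Counter(parse(l)["src"] for l in lines if parse(l))
    return sorted(src for src, n in per_source.items() if n > baseline["threshold"])


if __name__ == "__main__":
    print("signature alerts:", signature_alerts(WINDOW))
    print("anomaly alerts:", anomaly_alerts(WINDOW, build_baseline(TRAINING)))
```

Run on the constructed window, the signature detector reports exactly the two lines that contain a listed pattern and says nothing about the sixty failed logins, for which it has no signature. The anomaly detector flags 10.0.0.99 without knowing what a login attack looks like, but it also flags the crawler at 10.0.0.20, which is the false positive the text warns about: legitimate activity that was absent from the training window looks anomalous. In practice the two are layered, with signature hits treated as high-confidence and anomaly hits as leads for an analyst.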
This detection method uses machine learning to create a defined model of trustworthy activity, and then compares new behavior against this trust model. While this approach enables the detection of previously unknown attacks, it can suffer from false positives: previously unknown legitimate activity can accidentally be classified as malicious.

IDS Benefits

Enterprises need to look at the state of their firewall security and identify where holes might exist. By addressing these misconfiguration issues, organizations can quickly improve their overall security posture and dramatically reduce their risk of a breach.

P4 Show, using an example for each, how implementing a DMZ, static IP and NAT in a network can improve Network Security

4.1 Define and discuss DMZ: What is a Demilitarized Zone Network?

In computer security, common setups used for small and medium networks include a firewall that processes all the requests from the internal network (LAN) to the Internet, and from the Internet to the LAN. This firewall is the only protection the internal network has in these setups; it handles any NAT (Network Address Translation), forwarding and filtering requests as it sees fit.

For small companies, this is usually a good setup. But for large corporations, putting all servers behind a single firewall is not as effective. That's why perimeter security networks (also called demilitarized zone networks or DMZs) are used to separate the internal network from the outside world. This way, outsiders can access the public information in the DMZ, while the private, proprietary information is kept safely behind the DMZ, in the internal network. In case of a security breach, the attackers will only be able to access the servers in the DMZ network. This can be annoying and can lead to downtime, but at least the sensitive information is kept safe.
Here are a few examples of services that you can keep in the Demilitarized Zone Network:

- web servers with public information;
- the front-end of your application (the back-end should be kept safely behind the DMZ);
- mail servers;
- authentication services;
- services like HTTP for general public usage, secure SMTP, secure FTP, and secure Telnet;
- VoIP servers;
- VPN endpoints;
- application gateways;
- test and staging servers.

Why use a Demilitarized Zone Network?

A DMZ server will secure your internal network from external access. It does so by isolating the public services (those that require entities on the Internet to connect to your servers) from the local, private LAN machines in your network. The most common method of implementing such a divider is by setting up a firewall with three network interfaces installed. The first one is used for the Internet connection, the second for the DMZ network, and the third for the private LAN. Any inbound connections are automatically forwarded to the DMZ server because the private LAN doesn't run any services and is not connectable. That's how configuring a demilitarized zone network helps isolate the LAN from any Internet attacks.

How do you configure a Demilitarized Zone Network?

First of all, you need to decide what services will run on each machine. The DMZ server is usually on a different network segment, both physically and logically. This means that you need to use a separate machine to host the services you want to make public (such as DNS, web, mail, etc.). From a connectivity point of view, the DMZ will be located on a different subnet than the LAN.

To build a Demilitarized Zone Network, you need a firewall with three network interfaces: one for untrusted networks (Internet), one for the DMZ, and one for the internal network. All servers you want to connect to the outside network you'll put in the DMZ network, and all servers containing critical data you'll put behind the firewall.
While configuring the firewall, you should put tight restrictions on the traffic towards your internal network, but you can be less restrictive with traffic to the DMZ. Next, you should provide NAT for the computers on the LAN in order to enable Internet access for the client hosts. You should also enable clients to connect to the servers in the DMZ. Here's what the final setup should look like:

Figure 4: DMZ single firewall

This configuration is also known as the three-legged model. To take security up a notch, you can also use two firewalls (the back-to-back model). In this setup, one of the firewalls will allow traffic destined to the DMZ only, while the other only allows traffic to the DMZ from the internal network. This provides an extra layer of security because two devices need to be compromised for an attacker to gain access to your internal network. Here's what a Demilitarized Zone Network with two firewalls looks like:

Figure 5: DMZ dual firewall

Hardening the DMZ servers

Computers in the Demilitarized Zone Network obviously need to be hardened as much as possible, given that they will be in the first line, right behind the firewall.

static or dynamic external IP address. Network Address Translation is used as an Internet security measure, by never using the sender's IP address for Internet access.

Network Address Translation technology was developed as a solution for the ever-increasing need for more IPv4 addresses. Certain ranges of IP addresses (described in RFC 1918) are designated as internal only, in other words, not routable over the Internet. Anyone can use those addresses for private networks, reducing the number of public addresses that must be purchased.

NAT Advantages

The main advantage of NAT is that it can prevent the depletion of IPv4 addresses. It conserves public IPv4 addresses by allowing the privatization of intranets. NAT saves addresses using application port-level multiplexing.
With Port Address Translation, hosts with private IPv4 addresses can share a single public IPv4 address for all external communications.

Network Address Translation (NAT) also provides increased flexibility when connecting to the public Internet. We can implement a backup pool and load-balancing pools to ensure reliable public network connections.

If a network uses public IP addresses, the administrator first obtains an address space; as the network grows, the chance of getting additional IP addresses from the same IP address class is minimal, even zero. When private addresses and NAT are used for external traffic instead, an organization does not have to purchase an IP address for every computer in use, so Network Address Translation brings a significant cost saving.

Network Address Translation (NAT) allows you to use your own private IPv4 addressing scheme and avoids internal address changes when you change service provider.

Network Address Translation (NAT) provides additional security by masking the original source and destination addresses. Private networks do not advertise their addresses or internal topology and are therefore secure when used in conjunction with NAT to gain controlled external access.

What Does NAT Do?

NAT is like the receptionist in a large office. Let's say you have left instructions with the receptionist not to forward any calls to you unless you request it. Later on, you call a potential client and leave a message for that client to call you back. You tell the receptionist that you are expecting a call from this client and to put her through. The client calls the main number to your office, which is the only number the client knows. When the client tells the receptionist that she is looking for you, the receptionist checks a lookup table that matches your name with your extension. The receptionist knows that you requested this call, and therefore forwards the caller to your extension.
Developed by Cisco, Network Address Translation is used by a device (firewall, router or computer) that sits between an internal network and the rest of the world. NAT has many forms and can work in several ways:

Static NAT

- Mapping an unregistered IP address to a registered IP address on a one-to-one basis. Particularly useful when a device needs to be accessible from outside the network.

Figure 6: Static NAT

In static NAT, the computer with the IP address 192.168.32.10 will always translate to 213.18.123.110.

Dynamic NAT

- Maps an unregistered IP address to a registered IP address from a group of registered IP addresses.

Figure 7: Dynamic NAT

In dynamic NAT, the computer with the IP address 192.168.32.10 will translate to the first available address in the range from 213.18.123.100 to 213.18.123.150.

Overloading

- A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. This is also known as PAT (Port Address Translation), single-address NAT or port-level multiplexed NAT.

Figure 8: Overloading NAT

In overloading, each computer on the private network is translated to the same IP address (213.18.123.100), but with a different port number assignment.

Overlapping

- When the IP addresses used on your internal network are registered IP addresses in use on another network, the router must maintain a lookup table of these addresses so that it can intercept them and replace them with registered unique IP addresses. It is important to note that the NAT router must translate the "internal" addresses to registered unique addresses as well as translate the "external" registered addresses to addresses that are unique to the private network. This can be done either through static NAT or by using DNS and implementing dynamic NAT.

Figure 9: Overlapping NAT

The internal IP range (237.16.32.xx) is also a registered range used by another network.
Therefore, the router is translating the addresses to avoid a potential conflict with another network. It will also translate the registered global IP addresses back to the unregistered local IP addresses when information is sent to the internal network. The internal network is usually a LAN (Local Area Network), commonly referred to as the stub domain. A stub domain is a LAN that uses IP addresses internally. Most of the network traffic in a stub domain is local, so it doesn't travel outside the internal network. A stub domain can include both registered and unregistered IP addresses. Of course, any computers that use unregistered IP addresses must use Network Address Translation to communicate with the rest of the world.
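The DMZ configuration steps above (a three-legged firewall, tight rules toward the LAN, looser rules toward the DMZ, NAT for the LAN clients) and the NAT forms just described come together in one device, so here is an added Python model written for this report that puts them in one place; it is not code from any firewall product. Everything in it is an assumption for the demonstration: the LAN is 192.168.32.0/24, the DMZ is 10.10.10.0/24, the firewall's outside address is the 213.18.123.100 used in the overloading example, the published DMZ servers are reached through static (one-to-one) NAT on 213.18.123.110 and 213.18.123.111, DMZ-to-Internet traffic is allowed, and source translation for DMZ hosts is left out. LAN hosts share the single public address through PAT, and inbound packets to that address are admitted only when a PAT entry exists for them.

```python
"""Three-legged DMZ firewall with zone policy, static NAT and PAT (constructed model)."""
from dataclasses import dataclass
from itertools import count

LAN, DMZ, INTERNET = "lan", "dmz", "internet"

# Assumed addressing: RFC 1918 ranges inside, TEST-NET addresses outside.
ZONE_PREFIXES = {"192.168.32.": LAN, "10.10.10.": DMZ}
PUBLIC_IP = "213.18.123.100"        # firewall's outside address, shared by all LAN hosts (PAT)

# Services published from the DMZ via static NAT: public address -> (DMZ host, allowed ports)
PUBLISHED = {
    "213.18.123.110": ("10.10.10.10", {80, 443}),   # web server (assumed)
    "213.18.123.111": ("10.10.10.25", {25}),        # mail server (assumed)
}

# Zone policy: tight toward the LAN, looser toward the DMZ. Internet -> DMZ is
# decided per published service below. DMZ -> Internet being allowed is an assumption.
POLICY = {
    (LAN, INTERNET): True,
    (LAN, DMZ): True,
    (DMZ, INTERNET): True,
    (DMZ, LAN): False,
    (INTERNET, LAN): False,
}


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def zone_of(ip):
    """Which of the three legs an address belongs to; anything unknown is the Internet."""
    for prefix, zone in ZONE_PREFIXES.items():
        if ip.startswith(prefix):
            return zone
    return INTERNET


class ThreeLeggedFirewall:
    def __init__(self):
        self.pat_table = {}           # public port -> (LAN ip, LAN port)
        self.next_port = count(40000)

    def handle(self, pkt):
        """Return ("forward", translated_packet) or ("drop", reason)."""
        src_zone = zone_of(pkt.src_ip)

        # 1. Inbound to the shared public address: reverse the PAT entry, or drop.
        if src_zone == INTERNET and pkt.dst_ip == PUBLIC_IP:
            inside = self.pat_table.get(pkt.dst_port)
            if inside is None:
                return ("drop", "no PAT entry: nothing on the LAN asked for this")
            return ("forward", Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1]))

        # 2. Published DMZ service: static NAT to the DMZ host, only on its allowed ports.
        if pkt.dst_ip in PUBLISHED:
            dmz_ip, ports = PUBLISHED[pkt.dst_ip]
            if pkt.dst_port not in ports:
                return ("drop", f"port {pkt.dst_port} is not published on {pkt.dst_ip}")
            return ("forward", Packet(pkt.src_ip, pkt.src_port, dmz_ip, pkt.dst_port))

        # 3. Everything else is decided by the zone policy.
        dst_zone = zone_of(pkt.dst_ip)
        if not POLICY.get((src_zone, dst_zone), False):
            return ("drop", f"policy denies {src_zone} -> {dst_zone}")

        # 4. LAN -> Internet: PAT, many private hosts behind one public address.
        if src_zone == LAN and dst_zone == INTERNET:
            inside = (pkt.src_ip, pkt.src_port)
            port = next((p for p, v in self.pat_table.items() if v == inside), None)
            if port is None:
                port = next(self.next_port)
                self.pat_table[port] = inside
            return ("forward", Packet(PUBLIC_IP, port, pkt.dst_ip, pkt.dst_port))
        return ("forward", pkt)


def demo():
    """Run a constructed set of flows through the firewall; returns flow name -> verdict."""
    fw = ThreeLeggedFirewall()
    flows = {
        "lan_to_internet": Packet("192.168.32.10", 51000, "198.51.100.20", 443),
        "internet_reply": Packet("198.51.100.20", 443, PUBLIC_IP, 40000),
        "internet_to_dmz_web": Packet("198.51.100.7", 5555, "213.18.123.110", 80),
        "internet_to_dmz_unpublished": Packet("198.51.100.7", 5556, "213.18.123.110", 22),
        "dmz_to_lan": Packet("10.10.10.10", 3333, "192.168.32.50", 3306),
        "lan_to_dmz": Packet("192.168.32.10", 51001, "10.10.10.10", 443),
        "unsolicited_to_public": Packet("198.51.100.7", 5557, PUBLIC_IP, 40001),
    }
    return {name: fw.handle(pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28} {verdict}")
```

The seven constructed flows exercise each rule in turn: the LAN client's outbound connection leaves with the shared public address and port 40000, the server's reply is translated back to the private address through the PAT table, the published web port reaches the DMZ host through static NAT while an unpublished port on the same public address is dropped, the DMZ host cannot reach a database on the LAN, the LAN client can reach the DMZ, and an inbound packet to the public address with no matching PAT entry is dropped. This is the "masking" benefit described under NAT Advantages made explicit: the private addresses never appear outside, and nothing gets in unless a LAN host opened the connection or the service was deliberately published.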