Virus, worm and Trojan Horse
For ABC Corporation to succeed in its business environment, it must protect its resources, networks and employees. Security is a broad topic that covers the physical security of buildings and infrastructure, the computing devices and networks, and finally the employees who use them. As Network Solutions, we will provide a security architecture that protects ABC Corporation's resources from both intentional and unintentional attacks.
A virus is a type of malware that replicates by inserting copies of itself into other programs, data files or the boot sector of a hard drive. When the replication succeeds, the affected computer is said to be infected. Viruses then carry out harmful actions on the infected host, including corrupting data, reading private company data and consuming memory and processor time until the host can no longer operate.
Worms are self-contained malware that replicate across a network, typically by exploiting vulnerable network services, without attaching themselves to other programs. Because a worm needs no user action to spread, it can consume bandwidth and memory on many hosts in a very short time.
A Trojan horse is a program that appears to perform a desirable function while carrying hidden malicious code. Once run, it typically installs a backdoor that gives the attacker remote access to the infected computer. Trojan horses may steal information or damage the infected host but, unlike viruses, do not inject themselves into other files. To counter these threats, employees must ensure that the following measures are in place:
Antimalware programs
They are normally referred to as anti-virus programs. They examine files and programs for known patterns of bytes (signatures) that indicate malicious code. Signature scanning is applied in two tiers: the entire hard drive is scanned on a schedule, normally during idle periods, and every file is scanned on access so that dormant code in a file that has not yet been scanned cannot be activated. Malicious code that is found is quarantined or deleted from the system.
New or modified malware may go undetected because no signature exists for it yet, or because the signature database on the host is out of date. To counter this, modern anti-malware programs add behavioural (heuristic) monitoring, which flags known malicious sequences of actions, such as writing an autorun registry key and then opening a network connection, in addition to signature scanning.
Against Trojan horses, employees must not install any program without the administrator's consent. Trojans are commonly delivered as fake installers, e-mail attachments or drive-by downloads that promise the user a specific function. Once installed they give attackers remote access to the host for operations such as data theft, theft of electronic funds, participation in distributed denial-of-service attacks or crashing the system.
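The following Python script is added here as an illustration and is not part of the original proposal. It shows why the two detection approaches differ on constructed data: an exact-hash signature stops matching after a single byte of the sample is changed, a byte-pattern signature survives that change, and a behavioural rule fires on what the program does regardless of its bytes. The sample bytes, signature names and the process trace are all invented for the example.

```python
import hashlib
import re

# Constructed, harmless stand-ins for a malware sample and a benign file. These
# bytes are invented for this example and are not real malware.
SAMPLE_A = b"MZ\x90\x00" + b"DROPPER-PAYLOAD-v1" + b"\x00" * 16
SAMPLE_A_MUTATED = SAMPLE_A[:-1] + b"\x01"    # attacker flips one trailing byte
BENIGN = b"MZ\x90\x00" + b"hello world" + b"\x00" * 16

# Constructed signature database: an exact-hash entry and a byte-pattern entry.
HASH_SIGNATURES = {hashlib.sha256(SAMPLE_A).hexdigest(): "Dropper.A"}
PATTERN_SIGNATURES = [(re.compile(rb"DROPPER-PAYLOAD-v\d"), "Dropper.Gen")]

# Constructed behavioural rule: each step is a regex that must match an event in
# the process trace, in this order. Bytes do not matter here, only actions.
BEHAVIOUR_RULES = {
    "Persistence+Beacon": [
        r"^reg_write:.*\\CurrentVersion\\Run\\",   # adds itself to an autorun key
        r"^net_connect:",                          # then calls out to the network
    ],
}

# Constructed process trace for SAMPLE_A, as a sandbox might record it.
TRACE_A = [
    "file_create:C:\\Users\\Public\\svc.exe",
    "reg_write:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
    "net_connect:203.0.113.10:443",
]


def scan_signatures(data: bytes) -> list[str]:
    """Return the names of all hash and byte-pattern signatures matching data."""
    hits = []
    name = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if name:
        hits.append(name)
    for pattern, name in PATTERN_SIGNATURES:
        if pattern.search(data):
            hits.append(name)
    return hits


def scan_behaviour(events: list[str]) -> list[str]:
    """Return behaviour rules whose steps all occur, in order, in the event trace."""
    hits = []
    for name, steps in BEHAVIOUR_RULES.items():
        pos = 0
        for step in steps:
            while pos < len(events) and not re.search(step, events[pos]):
                pos += 1
            if pos == len(events):
                break            # this step never happened: the rule does not fire
            pos += 1             # the next step must come after this event
        else:
            hits.append(name)
    return hits


if __name__ == "__main__":
    print(scan_signatures(SAMPLE_A))          # ['Dropper.A', 'Dropper.Gen']
    print(scan_signatures(SAMPLE_A_MUTATED))  # ['Dropper.Gen']: the hash signature is evaded
    print(scan_signatures(BENIGN))            # []
    print(scan_behaviour(TRACE_A))            # ['Persistence+Beacon']
```

The ordering check in `scan_behaviour` matters: a program that opens a connection and only later writes a Run key is a different (and far more common, benign) pattern than one that persists first and then beacons out.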
Attacks
A distributed denial-of-service (DDoS) attack uses many compromised systems to attack a single target, denying service to the target's legitimate users. The target is flooded with incoming requests until it exhausts bandwidth, connection state or memory and can no longer respond to anyone.
Examples include flooding a company's public web servers to disrupt its services or damage its credibility.
Mobile users are exposed to man-in-the-middle attacks, in which an attacker inserts themselves between two legitimate parties, relaying and possibly altering the conversation while posing as the intended recipient to each side.
OS hardening
OS hardening reduces the attack surface of a system by removing or disabling everything that is not needed and securing what remains. It cannot eliminate every threat, but it removes the easiest routes in.
For server hardening, guest accounts are disabled, the built-in administrator account is renamed where the platform allows it, and administrator passwords are changed regularly.
Unused Ports
Attackers probe a network's listening ports to learn which services are exposed and how they are configured, and the route their probe packets take can also reveal the network topology. A service that nobody uses is one that nobody patches or monitors, so it is a natural place to slip in malicious code. Unused ports should therefore be closed by disabling the service behind them, and a host firewall should reject packets addressed to any port that is not explicitly permitted. The organization should apply this default-deny configuration to every host.
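As an added example (not part of the original proposal), the Python below audits the listening sockets of a Linux host against an allow-list. The input is text in the shape of `ss -lntu` output, invented for this example rather than captured from a real system; the allow-list of permitted (protocol, port) pairs is likewise an assumption for a web server that should only expose SSH and HTTPS. Loopback-only listeners are ignored because they are not reachable from the network.

```python
import re

# Constructed output in the shape of `ss -lntu` on a Linux host (not captured
# from a real system).
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:111         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:23          0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*
"""

# Assumed allow-list for a web server: (proto, port) pairs that may listen on
# non-loopback addresses. Everything else is a finding.
ALLOWED = {("tcp", 22), ("tcp", 443)}

# proto, state, recv-q, send-q, then local address:port; the address may itself
# contain colons ([::]) or an interface suffix (127.0.0.53%lo), so the port is
# taken from the last colon before the whitespace.
LINE_RE = re.compile(r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s")


def parse_listeners(output: str):
    """Yield (proto, local address, port) for every socket line in ss output."""
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["proto"], m["addr"], int(m["port"])


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def unexpected_listeners(output: str, allowed=ALLOWED) -> list[tuple[str, str, int]]:
    """Externally reachable sockets that the allow-list does not cover."""
    return sorted(
        (proto, addr, port)
        for proto, addr, port in parse_listeners(output)
        if not is_loopback(addr) and (proto, port) not in allowed
    )


if __name__ == "__main__":
    for finding in unexpected_listeners(SS_OUTPUT):
        print("unexpected listener:", finding)
```

On a real host the same check runs against `ss -lntu` output piped from the machine; each finding is then either added to the allow-list with a justification or removed by disabling the service and blocking the port in the host firewall.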
DMZ, NAT, tunneling protocols, VLANs, and sub-netting
NAT translates the private addresses of internal devices to a public address at the gateway. Because an inbound packet is only forwarded when it matches a translation entry created by earlier outbound traffic, NAT incidentally blocks unsolicited incoming connections. It is not a packet filter, however: any static port forward exposes the internal host behind it, and NAT inspects nothing about the traffic it does pass. A stateful firewall is still required to control the traffic that can reach the VPN gateway and the internal network.
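The following Python model is an added example, not part of the original proposal, and shows precisely what NAT does and does not block. Outbound traffic creates a translation entry; a reply that matches the entry is forwarded back inside, an unsolicited packet with no entry is dropped, and a static port forward lets anyone on the internet reach the inside host. The public address 198.51.100.7 and the private addresses are assumed values from the documentation ranges.

```python
from dataclasses import dataclass
from itertools import count

PUBLIC_IP = "198.51.100.7"   # assumed public address of the NAT gateway (documentation range)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatGateway:
    """Source NAT with port translation. The table maps (proto, public port) to
    (inside ip, inside port, expected peer); peer is (ip, port) for dynamic
    entries created by outbound traffic and None for static port forwards."""

    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000):
        self.public_ip = public_ip
        self.table = {}
        self._ports = count(first_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside-to-outside packet and record the translation."""
        pub_port = next(self._ports)
        self.table[(pkt.proto, pub_port)] = (pkt.src_ip, pkt.src_port, (pkt.dst_ip, pkt.dst_port))
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def forward(self, pub_port: int, inside_ip: str, inside_port: int, proto: str = "tcp") -> None:
        """Static port forward: anyone on the internet may now reach inside_ip:inside_port."""
        self.table[(proto, pub_port)] = (inside_ip, inside_port, None)

    def inbound(self, pkt: Packet):
        """Translate an outside-to-inside packet; None means the gateway drops it."""
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None          # no translation state: unsolicited traffic is dropped
        inside_ip, inside_port, peer = entry
        if peer is not None and peer != (pkt.src_ip, pkt.src_port):
            return None          # dynamic entry, but not from the host we talked to
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.proto)


def demo() -> dict:
    """Constructed scenario: one outbound connection, its reply, an unsolicited
    probe, and the same probe after an administrator adds a port forward."""
    gw = NatGateway()
    out = gw.outbound(Packet("10.0.0.5", 51000, "203.0.113.20", 443))
    reply = gw.inbound(Packet("203.0.113.20", 443, PUBLIC_IP, out.src_port))
    unsolicited = gw.inbound(Packet("192.0.2.9", 12345, PUBLIC_IP, 22))
    gw.forward(22, "10.0.0.9", 22)                       # SSH server exposed by a port forward
    via_forward = gw.inbound(Packet("192.0.2.9", 12345, PUBLIC_IP, 22))
    return {"out": out, "reply": reply, "unsolicited": unsolicited, "via_forward": via_forward}


if __name__ == "__main__":
    for label, pkt in demo().items():
        print(f"{label:12s} {pkt}")
```

The last case is the one the proposal's wording obscures: once a forward exists, NAT passes every packet to that port unchanged, so the filtering has to be done by a firewall rule, not by the translation.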
DMZ
A demilitarized zone adds a layer of security to the organization's network. Externally facing components such as web and mail servers are placed in a separate segment, so an attacker who compromises one of them reaches only the DMZ rather than the whole network, provided the firewall between the DMZ and the internal network permits only the specific flows those servers need. The DMZ is therefore worth implementing.
Tunneling is the encapsulation of a packet of one protocol within the datagram of another protocol. A VPN tunnels IP packets over the internet; PPTP is one tunneling protocol that does this, although IPsec (see VPN protocols below) is preferred today.
Sub-netting divides a network into multiple smaller networks. A logical addressing structure lets routers forward traffic selectively between subnets, and access control lists at those routing points decide which subnets may communicate. Sub-netting therefore improves security only when the routers or firewalls between subnets enforce a policy; on its own it is an addressing convenience.
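As an added example (not from the original proposal), the Python below carves an assumed 10.20.0.0/16 site range into /24 subnets per role with the standard library's `ipaddress` module and then applies an invented inter-subnet policy of the kind a router access list would enforce. The roles, the policy and the test addresses are all assumptions for the example.

```python
import ipaddress

# Assumed addressing plan: one /16 for the site, one /24 per role.
SITE = ipaddress.ip_network("10.20.0.0/16")
ROLES = ["servers", "workstations", "printers", "guest"]
SUBNETS = dict(zip(ROLES, SITE.subnets(new_prefix=24)))   # takes the first four /24s

# Assumed inter-subnet policy, enforced on the router or firewall between subnets:
# (source role, destination role) pairs that may communicate; all else is denied.
ALLOWED_BETWEEN = {
    ("workstations", "servers"),
    ("workstations", "printers"),
}


def role_of(ip: str):
    """Return the role whose subnet contains ip, or None if it is off-plan."""
    addr = ipaddress.ip_address(ip)
    for role, net in SUBNETS.items():
        if addr in net:
            return role
    return None


def permitted(src_ip: str, dst_ip: str) -> bool:
    """Would the inter-subnet policy let a packet from src_ip reach dst_ip?"""
    src, dst = role_of(src_ip), role_of(dst_ip)
    if src is None or dst is None:
        return False                    # unknown addresses are dropped
    if src == dst:
        return True                     # same subnet: traffic never crosses the router
    return (src, dst) in ALLOWED_BETWEEN


def plan() -> dict[str, str]:
    """Readable view of the plan: role -> network and first/last usable host."""
    return {role: f"{net} ({net[1]} - {net[-2]})" for role, net in SUBNETS.items()}


if __name__ == "__main__":
    for role, desc in plan().items():
        print(f"{role:13s} {desc}")
    print(permitted("10.20.1.77", "10.20.0.10"))   # workstation -> server: True
    print(permitted("10.20.3.5", "10.20.0.10"))    # guest -> server: False
```

Note the `src == dst` branch: hosts in the same subnet talk directly and no router sees the traffic, so a policy between, say, two workstations can only be enforced by host firewalls or by putting them in separate subnets or VLANs.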
Hardening Networks
Unneeded services should be turned off to deny attackers a foothold. On Cisco routers the following are disabled with the commands no service tcp-small-servers, no service udp-small-servers, no ip source-route, no ip finger (or no service finger) and no ip identd.
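The Python below is an added example, not part of the original proposal, that audits a Cisco IOS configuration for the five services listed above and emits the remediation commands. The configuration excerpts are invented for the example. It assumes the input is the output of `show running-config all`; plain `show running-config` omits settings that are at their default, so a `no ...` line may be absent even though the service is already off.

```python
import re

# Constructed excerpt in the shape of `show running-config all` output (invented,
# not taken from a real device).
RUNNING_CONFIG = """\
version 15.2
hostname abc-edge-01
service timestamps log datetime msec
service tcp-small-servers
no service udp-small-servers
ip source-route
ip finger
no ip identd
"""

# The same device after remediation, again constructed.
HARDENED_CONFIG = """\
version 15.2
hostname abc-edge-01
no service tcp-small-servers
no service udp-small-servers
no ip source-route
no ip finger
no ip identd
"""

# (what the check verifies, regex a compliant config line must match, remediation command)
CHECKS = [
    ("TCP small servers disabled", r"^no service tcp-small-servers$", "no service tcp-small-servers"),
    ("UDP small servers disabled", r"^no service udp-small-servers$", "no service udp-small-servers"),
    ("IP source routing disabled", r"^no ip source-route$", "no ip source-route"),
    ("finger disabled", r"^no (ip finger|service finger)$", "no ip finger"),
    ("identd disabled", r"^no ip identd$", "no ip identd"),
]


def audit(config: str) -> list[tuple[str, str]]:
    """Return (check, remediation) for each check the config does not satisfy."""
    lines = [line.strip() for line in config.splitlines()]
    failures = []
    for what, required, fix in CHECKS:
        pattern = re.compile(required)
        if not any(pattern.match(line) for line in lines):
            failures.append((what, fix))
    return failures


def remediation_script(config: str) -> str:
    """IOS commands that would bring the config into compliance, for review before use."""
    fixes = [fix for _, fix in audit(config)]
    if not fixes:
        return ""
    return "\n".join(["configure terminal", *fixes, "end", "write memory"])


if __name__ == "__main__":
    for what, fix in audit(RUNNING_CONFIG):
        print(f"FAIL: {what:28s} -> {fix}")
    print(remediation_script(RUNNING_CONFIG))
```

The script is deliberately read-only: it produces commands for an engineer to review and apply in a change window rather than pushing them to the device itself.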
HIDS AND NIDS
Intrusion detection tools fall into two classes: host intrusion detection systems (HIDS) and network intrusion detection systems (NIDS). Their principal role is round-the-clock monitoring that detects and alerts on suspicious activity on a critical network; blocking traffic is the role of an intrusion prevention system (IPS) deployed inline.
A HIDS runs on the monitored host itself. Agents such as antivirus, spyware-detection software and host firewalls are installed on every computer; they gather information from the host's own sources and analyse it to identify signs of attack. HIDS is therefore suited to business-critical hosts and to servers in a DMZ, which are attacked most often.
HIDS observes a number of variables on the host, namely CPU usage, running processes, file access and file integrity, and registry entries, and can use logs, system services and registry events for detection and analysis. Its disadvantages are that it consumes resources on the host it protects and that, because it observes the host itself, an attack is usually detected only after it has already touched the system.
A NIDS is deployed as a dedicated sensor on a network segment, at one or several locations as the user requires. It compares captured network traffic against a database of known malicious signatures and, on a match, raises an alert according to its configured policy.
NIDS detection is either signature-based or anomaly-based. Signature-based detection matches traffic against patterns of known attacks. Anomaly-based detection builds a baseline of normal traffic and alerts when traffic deviates from it; this can catch novel attacks but also flags legitimate-but-unusual traffic, such as proprietary industrial controller protocols exchanged between devices, and so must be tuned to the environment. Our sensors combine a multi-signature library with anomaly detection so that both cases are covered.
Network-based intrusion detection has the advantage of wide coverage: a single sensor can cover an entire segment. It has minimal install and upgrade impact on the hosts, is not affected by a denial-of-service attack against an individual host, can identify network-layer errors and operates independently of the hosts' operating systems.
On the flip side, a NIDS depends on up-to-date signatures, and most tools on the market fail to detect new attacks or variations on known patterns. For this reason our tools are updated frequently to detect new attack patterns, which reduces, though it cannot remove, the window in which your systems are exposed.
Deploying HIDS and NIDS on critical devices and networks is a crucial step for your business. A correctly tailored choice provides protective and preventive measures that enable quicker response and better forensic data. We provide these solutions and services, together with validated updates and signatures delivered as a subscription, so that they can be implemented in the way that best suits your needs.
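The following Python is an added example, not part of the original proposal, showing both NIDS detection styles on one constructed capture; it also illustrates the flood described under Attacks above. The signature rules match exploit strings in payloads; the anomaly rule counts SYN packets per destination in a sliding one-second window and fires when the count exceeds a threshold, reporting how many distinct sources were involved (many sources is what distinguishes a distributed flood from a single noisy host). The packets, signatures and the threshold of 50 are all invented for the example; a real threshold is derived from the site's own baseline.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float          # seconds since capture start
    src: str
    dst: str
    dport: int
    flags: str         # TCP flags, e.g. "S" = SYN, "PA" = PSH+ACK
    payload: bytes = b""


# Constructed signature library: name and a pattern matched against the payload.
SIGNATURES = [
    ("HTTP directory traversal", re.compile(rb"GET /[^\r\n]*\.\./\.\./")),
    ("shell command injection", re.compile(rb";\s*(cat|wget|curl)\s")),
]


def signature_alerts(packets: list[Packet]) -> list[tuple[float, str, str]]:
    """Signature-based detection: (time, signature, source) for every payload match."""
    return [
        (p.ts, name, p.src)
        for p in packets
        for name, pat in SIGNATURES
        if pat.search(p.payload)
    ]


def syn_flood_alerts(packets, window=1.0, threshold=50):
    """Anomaly-based detection: more than `threshold` SYNs to one destination inside
    any `window`-second span. Returns (dst, window start, SYN count, distinct sources)."""
    syns = defaultdict(list)
    for p in packets:
        if p.flags == "S":
            syns[p.dst].append((p.ts, p.src))
    alerts = []
    for dst, events in syns.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                      # slide the window forward
            if end - start + 1 > threshold:
                sources = {src for _, src in events[start:end + 1]}
                alerts.append((dst, events[start][0], end - start + 1, len(sources)))
                break                           # one alert per destination is enough
    return alerts


def constructed_traffic() -> list[Packet]:
    """Invented capture: normal browsing, one exploit attempt, then a SYN flood."""
    pkts = []
    for i in range(20):   # ten workstations, two connections each, spread over ten seconds
        pkts.append(Packet(i * 0.5, f"10.20.1.{i % 10 + 1}", "10.20.0.10", 443, "S"))
    pkts.append(Packet(3.1, "10.20.1.4", "10.20.0.10", 80, "PA", b"GET /index.html HTTP/1.1\r\n"))
    pkts.append(Packet(4.2, "10.20.3.9", "10.20.0.10", 80, "PA",
                       b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n"))
    for i in range(200):  # 200 distinct sources hit port 80 within half a second
        pkts.append(Packet(12.0 + i * 0.0025, f"198.51.100.{i + 1}", "10.20.0.10", 80, "S"))
    return pkts


if __name__ == "__main__":
    pkts = constructed_traffic()
    print(signature_alerts(pkts))   # [(4.2, 'HTTP directory traversal', '10.20.3.9')]
    print(syn_flood_alerts(pkts))   # [('10.20.0.10', 12.0, 51, 51)]
```

The two detectors are complementary: the traversal attempt has no volume anomaly and is caught only by its signature, while the flood carries no payload at all and is caught only by the rate check.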
Wireless connectivity
Wireless Local Area Networks (WLANs) cover a range from a few tens of metres indoors up to a few hundred metres outdoors and are suitable for ABC Corporation. They use unlicensed frequency bands and therefore need no spectrum licence to install or operate. Wireless Personal Area Networks (WPANs) such as Bluetooth also use unlicensed bands and replace cables over a limited area, usually a few metres. Both types of network need to be secured.
Security is a significant concern for wireless networks, especially where many users share the medium. A user cannot verify that nobody is eavesdropping on the radio link, nor that the access point or peer on the other side is really who it claims to be. Authentication, integrity and confidentiality apply to wireless networks as they do to other public communication networks, but the trust problem is more pronounced because the medium itself cannot be trusted; the only viable security measure is cryptography. Cryptography in turn depends on key management: either a pre-shared key distributed out of band to every device, or, for an enterprise, certificates issued by a trusted authority that each client verifies so that it can confirm it is talking to a legitimate access point before it sends any credentials. In practice this means WPA2 or WPA3 with 802.1X (Enterprise) authentication for corporate devices rather than a shared passphrase, and disabling the legacy WEP and WPA-TKIP modes. Trust established this way between a device and the infrastructure can then be extended to the other members of the group.
Access control
Control measures need to be instituted to guard access of information within the company. The following guidelines may be applied;
The company provides network connectivity for research and production purposes, and network access must be used only for those purposes. Employees are granted access to the networks their role requires; other networks may be accessed only after specific authorization has been granted.
Authentication for external connection
All remote users must be authenticated before they access information resources such as financial transactions and customer details. The Chief Security Officer is responsible for providing this service.
Remote diagnostic Port Protection
Modems and other remote diagnostic ports attached to systems are protected from unauthorized use by disconnecting diagnostic ports that are not in use. Third-party users must be authenticated before accessing devices through remote ports.
Network segregation
A risk assessment based on the cost and impact of the routing and gateway technology is performed before third parties are granted the controls necessary to access networks (Michael E. Whitman, 2011).
Networks being developed and tested are segregated from the rest of the ABC internal network by firewalls, so that malfunctioning software cannot affect production systems.
Confidential information should be segregated onto separate servers from general company data.
Wireless network policy
Wireless networks at ABC must be restricted to authorized devices so that intruders and third parties cannot join them.
Computers connected via wireless technology must be restricted to the company's premises.
Mobile computing
User and password management
Registration and deregistration processes in every ABC Corporation department are used to manage user accounts. The process must ensure the safe use and storage of company information throughout the life cycle of the user. Every person using a multi-user information system is issued a personal user ID and password, which must not be shared under any circumstances. Access rights are removed or modified when an employee leaves the company or changes department. The following password rules must be adhered to:
All user passwords must be kept confidential and stored securely. Users must handle their passwords in a way that promotes good security practice.
All passwords are considered company confidential information. They must not be shared with any other person, including administrators.
An account suspected of being compromised must be reported to the Information Security department immediately.
Shared passwords must be changed regularly and not used for more than 90 days. Temporary passwords must be changed at the first log-in.
Systems must lock a user account after 5 unsuccessful login attempts. Administrators reset locked accounts.
Passwords must not be written down or stored in plain text on company computers.
System password rules
Application and service accounts must use passwords with strong composition requirements and must be changed regularly. SNMP must not be left on the default community strings "public" or "private"; where devices support it, SNMPv3 with authentication (keyed HMAC) and privacy should be used instead of community strings altogether.
Password composition
All system-level passwords must be at least 7 characters long, must contain upper-case and lower-case letters and digits, and must not contain sequential runs of characters (S. H. Von Solms, 2009). Current guidance (NIST SP 800-63B) recommends a minimum of eight characters, screening new passwords against lists of known compromised passwords, and replacing forced periodic rotation with a change on evidence of compromise; ABC should review the 7-character and 90-day rules against it.
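The Python below is an added example, not part of the original proposal, that implements the rules stated in this section as code a provisioning script or login service could call: the composition check (minimum length, mixed case, digits, no sequential run such as abc or 4321) and the lockout after five consecutive failures with an administrator reset. The test passwords and the user name are invented for the example; the minimum length follows the policy text and is kept as a constant so that it can be raised.

```python
# Policy constants from the text above; both are adjustable in one place.
MIN_LENGTH = 7          # the policy's minimum (NIST SP 800-63B recommends at least 8)
LOCKOUT_THRESHOLD = 5   # consecutive failures before the account locks


def has_sequential_run(pw: str, run: int = 3) -> bool:
    """True if `run` consecutive characters step up or down by exactly one
    (e.g. 'abc', '123', 'cba'). Case is ignored so 'aBc' still counts."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        diffs = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if diffs in ({1}, {-1}):
            return True
    return False


def composition_errors(pw: str) -> list[str]:
    """Return every policy rule the password violates; an empty list means it passes."""
    errors = []
    if len(pw) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        errors.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        errors.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        errors.append("no digit")
    if has_sequential_run(pw):
        errors.append("contains a sequential run (e.g. abc, 123)")
    return errors


class LockoutTracker:
    """Locks an account after LOCKOUT_THRESHOLD consecutive failed logins.
    A successful login resets the counter; only an administrator reset unlocks."""

    def __init__(self):
        self.failures: dict[str, int] = {}
        self.locked: set[str] = set()

    def attempt(self, user: str, credential_ok: bool) -> str:
        """Outcome of one login attempt: 'ok', 'denied' or 'locked'."""
        if user in self.locked:
            return "locked"                 # even a correct password is refused
        if credential_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            self.locked.add(user)
            return "locked"
        return "denied"

    def admin_reset(self, user: str) -> None:
        self.locked.discard(user)
        self.failures[user] = 0


if __name__ == "__main__":
    for pw in ["Tr0ub4dor", "Pass1234", "Ab1"]:
        print(pw, composition_errors(pw) or "ok")
    tracker = LockoutTracker()
    print([tracker.attempt("alice", False) for _ in range(5)])   # 4 x denied, then locked
```

Returning every violated rule at once, rather than the first, gives the user one round of correction instead of several, and the lockout check precedes the credential check so that a locked account leaks nothing about whether a guess was right.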
Internal and external remote access
An integrated VPN is recommended for the ABC solution. The network infrastructure will support intranet-based, extranet-based and remote-access VPNs. An intranet VPN connects the organization's branch locations with headquarters, chiefly for file and application sharing, and IPsec site-to-site tunnels are the usual way to build it. For remote access, telecommuters connect to a local internet service provider and from there initiate an IPsec-based VPN connection to the organization's gateway.
VPN-based extranets are also accommodated. To support collaborative production between the two ABC branches and the supply chain, IPsec-capable devices are added to the existing internet connections to form the extranet.
External users are authenticated before they are allowed to connect to company resources. The administrator verifies that the laptops issued to the sales force carry the company-approved patches and antivirus before they are permitted to connect. As part of the configuration, the administrator records the public-facing IP addresses or fully qualified domain names of the VPN gateway. Mobile telecommuters are registered and granted access through the DirectAccess settings in the Group Policy Object.
VPN protocols
PPTP, a Microsoft product, has historically been the most widely used VPN protocol because a client ships with Windows. Its encryption (MPPE) derives its keys from MS-CHAP authentication, which is known to be breakable, so it should not be used for new deployments.
L2TP, a joint Microsoft and Cisco product, is a tunneling protocol that provides no encryption of its own; it is deployed as L2TP/IPsec, where IPsec supplies the confidentiality and data integrity.
IPsec is a suite of protocols for authenticating and encrypting IP packets and is the usual choice for securing internet protocol communications at the network layer.
Finally, an SSL/TLS VPN is accessed through a web browser, so it needs no client software installation. It typically restricts users to specific applications rather than granting access to the whole network.
I recommend IPsec for ABC Corporation. IPsec is an open framework of IETF standards that provides data origin authentication, confidentiality and peer authentication over a public network, and internet VPNs use it extensively to ensure that peers are who they claim to be. Because IPsec operates at the network layer it is independent of the applications above it, so ABC can secure its traffic without coordinating security in every application. Given the distributed nature of the branches and headquarters, each site can deploy IPsec independently without disrupting its own operation or its communication with the rest of the organization.
Authentication protocols
Numerous authentication protocols could be implemented for ABC Corporation. Having chosen IPsec, the organization can authenticate remote-access users connecting over L2TP/IPsec with the following PPP-based protocols:
- Password Authentication Protocol (PAP)
- Challenge Handshake Authentication Protocol (CHAP)
- Microsoft CHAP (MS-CHAP)
- Microsoft CHAP version 2 (MS-CHAPv2)
- Extensible Authentication Protocol (EAP)
The recommended protocols for ABC are EAP and MS-CHAPv2. MS-CHAP authenticates against domain logins, but version 1 is cryptographically weak and deprecated and should not be enabled. MS-CHAPv2 adds mutual authentication and stronger key derivation, but its challenge-response is also known to be breakable, so it should run only inside a protected EAP tunnel (PEAP). EAP with client certificates (EAP-TLS) is the strongest option available to Microsoft users and is preferred wherever a certificate infrastructure exists.
Physical security
The security of buildings and other infrastructure is essential to business continuity. Buildings are secured against intruders through identification badges: every employee displays a badge to the security personnel staffing the building, and access passes are issued for doors and entrances. Buildings must also have sufficient fire extinguishers on all floors for use in the event of a fire.
References
Caswell, B., & Beale, J. (2008). Snort 2.1 Intrusion Detection (2nd ed.). Syngress.
Ciampa, M. D. (2011). Security+ Guide to Network Security Fundamentals. Cengage Learning.
Kizza, J. M. (2009). A guide to computer network security. Springer.
Sarkar, S. K. (2012). Wireless Sensor and Ad Hoc Networks Under Diversified Network Scenarios. Artech House.
Shah, Z. H. (2013). Windows Server 2012 Hyper-V: Deploying the Hyper-V Enterprise Server Virtualization Platform. Packt Publishing Ltd.