Proposal for a Secure Network Architecture
IT Security Fundamentals
Events that Indicate an Attack Happened
Each computing device has a unique Internet Protocol (IP) address that identifies it when it communicates and sends information across a network. The Internet is a broad network on which hackers can obtain personal information and use the stolen identity maliciously. This happened to StyleNet’s importer, Petrina, while she was on a trip in Belize to purchase merchandise for re-sale. At a local coffee shop, her identity was stolen through media access control (MAC) spoofing while she was using the coffee shop’s wireless network. MAC spoofing alters a device’s hardware address to a counterfeit value in order to circumvent security mechanisms and impersonate routers and devices, thereby shielding the hacker (Anonymous, n.d.). Petrina’s computer, on which she used her personal credit card for expenses, had its unique identity masked by a hacker, who gained her personal information, redirected merchandise purchases to a different location for their own benefit, and made additional transactions, since her credit card information was stored on her system.
It is difficult for a victim to know that an attack is happening; most often the victim finds out only after the fact. Petrina found fraudulent transactions on her credit card, and e-mails showed that the shipment of the goods she had purchased had been redirected to a different location. Additionally, files on her system had been altered, causing performance issues and preventing some software from working.
Impact of Security Related Procedural Failures as Root Cause
The cost of procedural failures is high for individuals. Many people are not proactive and do not understand new threats or the ways to protect themselves against cyberattacks. According to Greenberg (2015), “Human error accounts for 52 percent of the root cause of security breaches” (para. 1). These failures result from carelessness, lack of expertise, and the knowledge gap between the victim or defender and the hacker. The cost can be catastrophic, as a breach of information can damage relationships with vendors, harm reputations, create opportunity losses, and cause emotional distress for all victims involved (Unger, 2015). For Petrina, not only were her connections with the vendors compromised, but also the personal information stored on her device.
Cyberattacks and security breaches also have severe consequences for larger companies, such as the 2015 cyberattacks against an international bank, an adultery website, and a health insurance company (Szoldra, 2015). None of these hacks was due to technical failure; each resulted from a lack of procedures and processes to protect individual information, including social security numbers, addresses, and birthdays. The adultery site exposed individuals who were engaged in unethical activities and ruined many people’s reputation, credibility, and respect. The cybercriminals who infiltrated multiple financial firms accomplished their attack by infecting e-mails and finding ways to transfer millions of dollars to digital accounts they controlled (Szoldra, 2015). Cyberattacks are intrusive and can be devastating no matter the size of the company, because they directly affect individuals.
Impact of Security Related Technical Failures
Technical failures are an integral component of cyberattacks. Often the root cause is that electronic communication service providers do not have sufficient tracking. Natural causes, system failures, and third-party failures also contribute to technical failures and have significant consequences. Incidents should be reported to national regulatory agencies and to the European Union Agency for Network and Information Security (ENISA) for further investigation. ENISA sets standards for Internet services and defines best practices for a functioning Internet market (ENISA, 2016). Outages and network failures result from cyberattacks and have been reported to affect millions of users in an average incident (Constantin, 2013).
The most common root causes are hardware and software issues, including routers and local exchange points. At the coffee shop where Petrina became a cyber-victim, the network was overloaded by the hacker, which has the biggest impact on users (Constantin, 2013). This can result from a distributed denial of service (DDoS) attack, which makes an online service extremely slow or unavailable by overwhelming it with traffic. There are four categories of these attacks (Digital Track Map, 2016):
- occupying connections so that connections are unavailable for others;
- consuming bandwidth, making the connection extremely slow;
- sending multiple fragments of information to the victim, which reduces system performance; and
- overwhelming applications, which results in low Internet surfing rates.
Petrina and many other users on the unsecured network became victims because of the degraded system performance. The DDoS slowed the Internet, giving the hackers the time they needed to obtain the information they wanted and carry out a successful cyberattack using MAC spoofing.
Adversary Model for the Threat
Cybersecurity is driving extraordinary spending to develop methods and solutions that protect companies and individuals from data breaches. In withstanding attacks from advanced adversaries, there are losses in the “engineering, science, and art in designing enterprise security architecture” (Invincea, 2015, p. 3). In order to design an effective architecture, an adversary security model is necessary to reflect on previous cyberattacks. The model works at an abstract level so that defenses are prepared for a broader scope of threats than the attacks already seen, an area that would otherwise remain unprotected. This model assists in estimating how different architectures can withstand various attacks (Invincea, 2015). In developing a model, the following should be considered:
- know your enemies and characterize them to anticipate threats;
- have an objective that is broken down into goals;
- calculate risks based on tools, likelihood, impact, and safeguards; and
- understand the threat techniques used by cyber attackers.
Once the adversary types and tactics are identified, a security model can be established. The National Institute of Standards and Technology (NIST) has a foundational framework that can be used by governments and companies of all sizes. The areas of the framework are Identify, Protect, Detect, Respond, and Recover (Invincea, 2015). This is a high-level starting point for developing a model. The adversary security model remains high-level; however, it defines three sub-categories within the NIST framework. Invincea (2015) defines these as:
- external network defenses such as firewalls, routers, security, and monitoring;
- endpoint defenses such as data encryption, anti-virus protection, and remote access; and
- response and recovery methods from product vendors.
For Petrina and the coffee shop, the adversary model is scoped on a smaller scale and focuses more on protection and recovery. Invincea (2015) provides ‘playbook’ examples that model situations based on the three sub-categories. For a small business, the external network and endpoint defenses focus on protection, while response and recovery rely on the product vendors to assist in recovering from the attacker. This is not a full-coverage adversary model: it is very costly for a small business to fund detection methods in the external network defense category, or identification defenses such as remote access to its open wireless fidelity (Wi-Fi) sharing location. It would be wise for the coffee shop to notify users that while they are using the free Wi-Fi, personal information may become public, and to advise them not to enter personal information or perform Internet transactions while using the service.
Security Failure Based on Influences in the System Life Cycle
To be most effective, security requirements should be integrated early in the system life cycle. These initial requirements may be general, such as password requirements, password length and change-frequency requirements, data encryption, and spam detection tools. However, such requirements often neglect the weaknesses that make a malicious penetration disastrous. As part of the system development life cycle (SDLC), it is important for system engineers to analyze any potential security failures. One approach is a top-down method called fault tree analysis, which starts by identifying the goals of any attacker (Alagarsamy & Mahizharuvi, 2011). Documentation of the multiple approaches and alternative ways attackers can circumvent controls to achieve data breaches is integrated into a linear waterfall approach (Fahlsing et al., 2008). This method is ideal, but it is not always clearly scoped across multiple systems. Waterfall is a process of evaluating requirements, designing, implementing, verifying, and performing maintenance. A security failure can occur when security is not scoped in the early phases and is addressed only during the maintenance phase, when measures are re-evaluated or new ones implemented after an attack has occurred.
Complex systems distributed across multiple environments and executables are more difficult to protect, because it is harder to detect attack paths and disengage software from attackers. Problems in “concurrency, fault tolerance, and recovery are magnified when dealing with large distributed systems” (Alagarsamy & Mahizharuvi, 2011, p. 257). Concurrency of processes means that the steps of a program or algorithm can be executed in different orders but should still produce the same outcome. Controlling the concurrency of processes is therefore a point of high security risk, for example a DDoS that overloads or locks processes. This can happen at any point in the system life cycle, from the hardware to any application, and create a deadlock.
Another example is a security breach in a service-oriented architecture (SOA) that occurs when data is passed from one service to another. This may have been a contributing factor in the cyberattack at the coffee shop in Belize: while the attack was happening, the hacker was able to retrieve transactional data. During the SDLC, it is challenging to determine the resources and tools, such as intrusion detection systems (IDSs), needed to evaluate the SOA’s vulnerabilities and risks (Fahlsing et al., 2008). This type of security failure is not necessarily due to a hacker, but to the underlying complexity of the system.
Secure Architecture for a Small Business Application
Security architecture typically supplements a “schedule of tasks that identifies expected outcomes, establishes project timelines, provides estimates of resource requirements, and identifies key project dependencies” (Fahlsing et al., 2008, p. 8). The objective of designing a secure architecture is to define specific goals, such as ensuring that confidential data cannot be accessed without leaving a trace. This is achievable by enforcing availability, integrity, and confidentiality of information in the system architecture. The security at the coffee shop should include:
- traffic control; and
- node and address control.
The authentication server validates the identity of the user and notifies the provider; in this instance, the shop’s Internet provider identifies every user in the coffee shop. The authentication server restricts unauthorized devices as defined by an access control list. To prevent MAC spoofing, each authorized client is assigned a unique port through which only that user can pass information via the authenticator (Matusa, 2016). MAC access control matches the user’s MAC address and stores that information in a database to ensure valid authorization. This web-based access control is an easy authentication method that secures Internet browsing by blocking access for other users.
Traffic control is monitored by ports, MAC addresses, and the applications in use. This alone does not prevent MAC spoofing, where fake messages are sent across the network under a forged address. The Institute of Electrical and Electronics Engineers (IEEE) has standards for authentication, authorization, and traffic control (MacKenzie, 2015). Remote Authentication Dial-In User Service (RADIUS) is a networking protocol standard that manages access to the Internet via wireless networks. The Dynamic Host Configuration Protocol (DHCP) can control the distribution of IP addresses automatically and compare the hardware address on record against the MAC address for security (MacKenzie, 2015). This additionally provides dynamic node and address control.
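To make the difference between the two controls concrete, the following Python is an added example (not code from the cited sources or from the coffee shop’s actual equipment) that contrasts a plain MAC allow-list with port-bound authorization and with a binding-consistency check over the switch and DHCP records. The observation records, port names, MAC addresses and IP addresses are constructed samples.

```python
from collections import defaultdict

# Constructed authenticator observations: (timestamp, port, source MAC, IP in use).
# Device ...01 authenticated on port g1. At ts 4 a clone of its MAC appears on port g3
# with a new lease, and at ts 6 a different MAC starts using the IP leased to ...01.
OBSERVATIONS = [
    (1, "g1", "aa:bb:cc:00:00:01", "10.0.0.11"),
    (2, "g2", "aa:bb:cc:00:00:02", "10.0.0.12"),
    (3, "g1", "aa:bb:cc:00:00:01", "10.0.0.11"),
    (4, "g3", "aa:bb:cc:00:00:01", "10.0.0.13"),
    (5, "g2", "aa:bb:cc:00:00:02", "10.0.0.12"),
    (6, "g3", "aa:bb:cc:00:00:09", "10.0.0.11"),
]

# MAC addresses the shop has registered (constructed allow-list).
ALLOW_LIST = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

# Port each client was granted when it authenticated (constructed session table).
SESSIONS = {"aa:bb:cc:00:00:01": "g1", "aa:bb:cc:00:00:02": "g2"}

def allowlist_decisions(observations, allow_list):
    """Plain MAC allow-list: admits any frame whose source MAC is registered,
    so a cloned MAC is admitted exactly like the legitimate device."""
    return [(ts, mac, mac in allow_list) for ts, _, mac, _ in observations]

def port_bound_decisions(observations, sessions):
    """Port-bound authorization: a MAC is admitted only on the port where that
    client authenticated, so the clone seen on g3 is rejected."""
    return [(ts, mac, sessions.get(mac) == port) for ts, port, mac, _ in observations]

def find_binding_conflicts(observations):
    """Detection: flag a MAC seen on more than one port, or an IP bound to more
    than one MAC, as evidence of address spoofing on the shared network."""
    ports_by_mac = defaultdict(set)
    macs_by_ip = defaultdict(set)
    alerts = []
    for ts, port, mac, ip in observations:
        ports_by_mac[mac].add(port)
        macs_by_ip[ip].add(mac)
        if len(ports_by_mac[mac]) > 1:
            alerts.append((ts, "mac_on_multiple_ports", mac, sorted(ports_by_mac[mac])))
        if len(macs_by_ip[ip]) > 1:
            alerts.append((ts, "ip_bound_to_multiple_macs", ip, sorted(macs_by_ip[ip])))
    return alerts
```

Running find_binding_conflicts over the sample raises one alert for the cloned MAC at ts 4 and one for the reused IP at ts 6, while the allow-list alone admits the clone.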
In addition, network intrusion detection systems (NIDS) and firewalls should be part of the security architecture. NIDS sensors are placed strategically at various network locations to raise warnings about suspicious activity and possible intrusions (Jenkins, 2003). A NIDS sees network traffic before it enters the firewall, which stabilizes the infrastructure by allowing controlled access to and from the Internet. NIDS sensors are economical and offer real-time analysis of suspicious or malicious information (Jenkins, 2003).
Recommendation for Network Management and Security Tools
It is important for a company to have a holistic view of its network. As cybercrime is a massive threat, businesses need to implement security tools to best protect themselves and their customers. The coffee shop should have the following network security toolset to achieve its goals: intrusion detection and prevention systems, anti-malware, and mobile device management (FedTech, 2013).
Intrusion detection systems (IDS) and intrusion prevention systems (IPS) detect threats from malware, viruses, worms, and other attack types. These tools monitor for and detect suspicious activity. They are not always cheap and often require a lot of maintenance. However, Snort is an open source toolkit that is free of charge and has standard detection methods to help a company learn about malicious activity. It can be extended by writing new rules that detect other malware the company identifies (Vossen, 2016). This is useful when the coffee shop wants to watch for unusual traffic and be alerted when it occurs.
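To show what writing such a rule involves, here is an added Python example (not Snort itself and not code from the cited sources) that evaluates two constructed rules, written in a simplified subset of Snort’s rule syntax, against constructed packet records for the coffee shop’s guest network. The $HOME_NET range, the rules, their SIDs and the packets are all assumptions.

```python
import ipaddress

# Assumed address range of the shop's guest Wi-Fi clients (constructed).
HOME_NET = ipaddress.ip_network("10.0.0.0/24")

# Constructed rules in a simplified subset of Snort syntax:
#   action proto src sport -> dst dport (msg:"..."; content:"..."; sid:N;)
RULES = [
    'alert tcp $HOME_NET any -> any 80 (msg:"Plaintext HTTP form submission from guest Wi-Fi"; content:"POST "; sid:1000001;)',
    'alert tcp $HOME_NET any -> $HOME_NET 22 (msg:"Guest-to-guest SSH attempt on the shared Wi-Fi"; sid:1000002;)',
]

# Constructed packet records standing in for decoded traffic.
PACKETS = [
    {"id": 1, "proto": "tcp", "src": "10.0.0.11", "sport": 51000, "dst": "203.0.113.5", "dport": 80,
     "payload": "POST /checkout HTTP/1.1\r\nHost: shop.example\r\n\r\ncard=REDACTED"},
    {"id": 2, "proto": "tcp", "src": "10.0.0.11", "sport": 51001, "dst": "203.0.113.5", "dport": 80,
     "payload": "GET / HTTP/1.1\r\nHost: shop.example\r\n\r\n"},
    {"id": 3, "proto": "tcp", "src": "10.0.0.33", "sport": 40000, "dst": "10.0.0.11", "dport": 22, "payload": ""},
]

def parse_rule(text):
    """Split the rule header into fields and the parenthesised options into a dict."""
    header, _, options = text.partition("(")
    action, proto, src, sport, _, dst, dport = header.split()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}
    for option in options.rstrip(")").split(";"):
        if option.strip():
            key, _, value = option.strip().partition(":")
            rule[key.strip()] = value.strip().strip('"')
    return rule

def addr_match(spec, ip):
    # 'any' matches everything, $HOME_NET resolves to the shop's range, otherwise exact IP.
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return ipaddress.ip_address(ip) in HOME_NET
    return spec == ip

def port_match(spec, port):
    return spec == "any" or int(spec) == port

def rule_matches(rule, pkt):
    # All header fields must match and, if the rule carries content, the payload must contain it.
    return (rule["proto"] == pkt["proto"]
            and addr_match(rule["src"], pkt["src"]) and port_match(rule["sport"], pkt["sport"])
            and addr_match(rule["dst"], pkt["dst"]) and port_match(rule["dport"], pkt["dport"])
            and rule.get("content", "") in pkt["payload"])

def run_rules(rules, packets):
    """Return (packet id, sid, msg) for every rule that fires on a packet."""
    parsed = [parse_rule(r) for r in rules]
    return [(p["id"], r["sid"], r["msg"]) for p in packets for r in parsed if rule_matches(r, p)]
```

Real Snort rules carry many more option keywords (thresholds, flow state, PCRE), so this matcher is only a model of the header-plus-content structure a custom rule starts from.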
Anti-malware is similar to IDS, as the software protects against similar infections. It is a broader term covering self-replicating and malicious spreading code. Commonly used applications such as Adobe Flash and Acrobat Reader are targets that hackers can exploit. Best practices include IP blacklisting and data loss prevention tools (FedTech, 2013).
Mobile device management is becoming increasingly popular as more computing moves to mobile devices. The software performs similar protective functions but is specific to securing and tracking mobile devices, their applications, and their data. The downside is that training is needed to implement the tool on the server side and to interact with users’ mobile devices. A small coffee shop typically does not have the expertise to implement this tool and will keep its focus on securing personal computing hardware.
References
Alagarsamy, K., & Mahizharuvi, P. (2011). A security approach in system development life cycle. International Journal of Computer Technology and Applications, 2(2), 253-257.
Anonymous. (n.d.). Detecting and preventing MAC spoofing. Infoexpress website. Retrieved September 10, 2016 from https://infoexpress.com/content/practical/142
Constantin, L. (2013, August 20). Cyberattacks second most common cause of severe EU wired Internet outages. Network World website. Retrieved from http://www.networkworld.com/article/2169192/lan-wan/cyberattacks-second-most-common-cause-of-severe-eu-wired-internet-outages-in-2012.html
Devost, M. (2003). Threat assessment and cyberterrorism. Terrorism Research Center. Black Hat website. Retrieved from https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-parker.pdf
Digital Track Map. (2016). Types of DDoS attacks. Digital Track Map website. Retrieved September 9, 2016 from http://www.digitalattackmap.com/understanding-ddos/
European Union Agency for Network and Information Security [ENISA]. (2016). About ENISA. ENISA website. Retrieved September 9, 2016 from https://www.enisa.europa.eu/about-enisa
Fahlsing, J., Gulick, J., Kissel, R., Rossman, H., Scholl, M., & Stine, K. (2008, October). Security considerations in the system development life cycle. National Institute of Standards and Technology Special Publication 800-64, Revision 2. Retrieved from http://dx.doi.org/10.6028/NIST.SP.800-64r2
FedTech. (2013, September 23). Six network security tools every agency needs. Fed Tech Magazine online. Retrieved from http://www.fedtechmagazine.com/article/2013/09/6-network-security-tools-every-agency-needs
Greenberg, A. (2015, April 1). Human error cited as leading contributor to breaches, study shows. SC Magazine online. Retrieved from http://www.scmagazine.com/study-find-carelessness-among-top-human-errors-affecting-security/article/406876/
Invincea. (2015). Know your adversary: An adversary model for mastering cyber-defense strategies [White paper]. Retrieved from http://www.ten-inc.com/presentations/invincea1.pdf
Jenkins, S. (2003, April 3). Secure network architecture: Best practices for small business and government entities. SANS Institute. Retrieved from https://www.giac.org/paper/gsec/2833/secure-network-architecture-practices-small-business-government-entities/104797
MacKenzie, H. (2015, March 18). Industrial Ethernet switches enhance cyber security at no cost [Blog post]. The Right Signals website. Retrieved from http://www.belden.com/blog/industrialsecurity/Industrial-Ethernet-Switches-Enhance-Cyber-Security-at-No-Cost-Part-2.cfm
Matusa, R. (2016). D-Link network security solutions. D-Link Corporation. Retrieved September 12, 2016 from http://slideplayer.com/slide/6448730/
Szoldra, P. (2015, December 29). The nine worst cyberattacks in 2015. Tech Insider. Retrieved from http://www.techinsider.io/cyberattacks-2015-12/#hackers-breached-the-systems-of-health-insurer-anthem-inc-exposing-nearly-80-million-personal-records-1
Unger, L. (2015). Breaches to customer account data. Computer and Internet Lawyer, 32(2), 14-20.
Vossen, J.P. (2016). Why Snort makes IDS worth the time and effort. Tech Target online. Retrieved September 13, 2016 from http://searchsecurity.techtarget.com/tip/Why-Snort-makes-IDS-worth-the-time-and-effort