Requirements. Network security assessments are often limited to patch management and
antivirus software, but these solutions alone often leave networks exposed to vulnerability. It is critical, then,
Proposed Solution. Using a dedicated vulnerability scanner will be necessary. These are
devices which “frequently include port scanners,” which scan a specified set of ports on a given
remote host and test the “service offered at each port” for known vulnerabilities [7]. Because
these processes -- as with the Nessus Vulnerability Scanner, which is free and open-source --
“connect with the ports and test them out in quick succession,” they stand to potentially
“overwhelm” company systems, causing them to crash [7]. As a result, such security scans must
be mounted no more often than once a month or quarter.
alternative means. Though scans can pose certain threats to the systems upon which they are
mounted (in the form of crashing), these efforts are nonetheless worthwhile.
B. Security Policy
generalized norms, such measures are often deficient when it comes to addressing explicit
network threats [20]. These deficiencies must be rectified through the establishment of a written
Proposed Solution. A written network security policy will pertain to a range of factors,
including (1) Computer acceptable use, including over “desktop, mobile, home PCs, and
servers,” (2) Password protection, as pertains to “rules for choosing passwords,” as well as
enforcement thereof, (3) Email, to cover appropriate use of email sent from company addresses
or received at any given company email system, (4) Internet, pertaining to specific choice of
browser (and their configuration), as well as any restrictions on websites which can be visited by
employees, (5) Mobile computing and portable storage, regarding authorized devices to be used
in such a manner, (6) Remote access, which will outline policy pertaining to “who can access
what information from which locations under what circumstances,” and (7) An incident response
plan, which pertains to security incidents, and who is “responsible for enforcing applicable local
laws,” as well as “who speaks for the company” in the event of a network security failure or data
breach [20].
implementation of a robust -- and explicit -- network security policy. The terms and specific
implementation of such policies will be considered in greater detail in the following sections.
C. Risk Management
Requirements. It will also be necessary to draft and implement an explicit network risk
management plan. The purpose of such a plan is to establish policies by which “appropriate
activities” are undertaken to mitigate risks associated with information resources, whether
basis” [8].
Proposed Solution. This plan will be predicated upon establishing a list of centrally
managed information and network resources whose ‘risk levels’ -- or ‘sensitivity’ to attack -- are
of greatest concern. This will involve the analysis and listing of assets which are “acquired,
managed, and retired,” to facilitate the maintenance of stated and explicit standards by which risk
levels can be reduced [8]. Qualitative risk assessment must also be mounted to identify (1)
Inherent risk, defined as “raw risk…[which] does not take into consideration mitigating
controls,” as well as (2) Residual risk, which regards the “impact the risk [caused] by
implementing mitigating controls,” to develop a robust “corrective action plan” for all
circumstances [8].
procedures, the importance of risk mitigation highlights the necessity of establishing a discrete --
and explicit -- plan for the reduction of network risk based upon explicitly identified vulnerable resources.
Requirements. Network security attacks pose present threats to the continuity of
organizational operations, meaning that threats to network integrity are just as grave as
“traditional threats, such as severe weather or supply-chain disruptions” [1]. Because business
continuity is so often the product of IT policy maintenance, it will be necessary to establish and
implement an IT-focused network security plan which focuses explicitly upon business
continuity [1].
Proposed Solution. This plan must identify all “critical IT processes, data, and
locations,” which support the organization’s IT and network-focused infrastructure for the
maintenance of “revenue, customer information, trade secrets” and other pertinent information
[1]. Once such elements have been identified, explicit plans will be established by which “secure
work-arounds or redundancy” can be secured in the event of attack, so that stakeholders will
be able to gain access to such critical systems rapidly [1]. Once established, these
continuity-focused procedures will then be “thoroughly tested” in order to ensure their efficacy
and feasibility.
Justification. Network security is only as robust as its capacity to be restored in the event
of failure, and business continuity protection is critical to this effort. As with the previous
by testing of the capacity of network security to restore access after network or IT failure.
E. Access Controls
“also known as authorization,” maintain a ‘body’ of stakeholders who can access critical data,
“and for what purpose,” so such procedures must be robust and mandatory, but also
users [12].
employed. This involves procedures by which “endpoint devices” connected to the network are
identified, after which a NAC server initiates “authentication and security assessment” processes,
network-based scanning engine” [6]. If the device satisfies the security policy, as defined --
whether by password or by more robust software authentication -- then it will be granted access
area” until they can be authenticated, or they will be excluded from network access altogether
[6].
authorized users, the system will expose itself unnecessarily to attack or theft of data, no matter
how strong its other security measures. It is critical that such procedures be put into place.
overlooked by network administrators and IT and data security personnel, because of the vast
degree of focus which is often placed upon the creation and maintenance of “technology-oriented
security countermeasures” [14]. That said, a host of devices are exposed to physical theft or
attack, especially easily ‘removed’ devices such as “USB hard drives, laptops, tablets and
smartphones” [14]. In this way, the necessity of implementing physical data security is shown.
Proposed Solution. Network security must establish a dedicated team responsible for
threats, both to devices upon which critical data is kept, as well as to the facilities (physical
buildings) where they are maintained [14]. Though this policy might focus upon external
criminal threats, and establish “multiple layers of security [through which] such actors have to go
through” in order to prevent unauthorized access to a particular “asset,” they must also take into
account the fact that such threats can be posed by internal actors -- employees -- as well [14]. To
this end, denial must be implemented to counter all threats, whether external, internal, or
undertaken through collusion, as through the use of “locked doors and vaults,” physical intrusion
detection systems, such as “alarms,” and “cable locks” on protected computers and other systems
[14].
mitigate the threat posed by actors seeking to compromise critical systems in a physical manner.
Failure to mitigate this threat unnecessarily exposes network resources to intrusion risk.
people “accomplish tasks,” both at home and in their professional lives [4]. Though these devices
have expanded in their capabilities and productive potential, such expansion has carried
increased risk for their use as a “target for attackers,” especially through “malicious applications
with hidden functionality” which secretly “harvest user data” or facilitate criminal access to
systems [4].
controls” on mobile devices linked to an organizational intranet, or in the case of their loss or
theft [4]. A structured approach to ensuring mobile data security must be implemented, through
which all mobile devices used to connect to internal networks are logged and tested, in
procedures comprising both “manual testing and automated reviews” of all employee-user
mobile devices, which will focus upon testing (1) Network accessibility, by which the “availability
of internal web servers, FTP servers, database servers, and other critical infrastructure” is checked,
especially for those resources which should be inaccessible to the device [4]. This will be combined with (2)
Policy configuration, by which mobile devices are tested to determine whether end users have
“excessive rights or capabilities,” as through existing commercial tools, and through assessment,
through which testers attempt to “bypass or change policies,” especially those which pertain to
Justification. Mobile devices are network access points, the same as any other computer
used to connect to the internal network, and are just as prone to criminal use (if inadvertent),
meaning that they must be tested for their security as rigorously as any other network asset.
C. Perimeter Defenses
to be comprised from a range of factors, including (1) Applications which traverse “through
firewall policies,” by (2) Mobile devices, (3) IP-enabled devices which are “internal to the
network,” (4) External devices “allowed on the internal network temporarily,” (5) Wireless
access points that are “unknowingly deployed,” and (6) Direct internet access from devices [5].
As a result, it will be necessary to improve internal perimeter defenses in order to mitigate these
security threats.
These include (1) Passive monitoring tools, including vulnerability assessment applications as
considered above, which can be useful in discovering “devices connected to the network,” and the
capabilities of such devices [5]. Scanners will be useful in analyzing the “configurations, patch
levels, operating systems, and installed applications” of such devices, to discover “vulnerabilities
that can be exploited by hackers” seeking to gain unauthorized network access, even in the
presence of a firewall [5]. In addition, (2) Active monitoring of network activity must be sought,
such as Anomaly Detection Software (ADS), employed to “look for patterns and events...like
unwanted IP structures and unknown communication patterns,” in order to ‘better define’ the
network perimeter in real time and to track and detect security threats as they occur [5].
Finally, perimeter defenses can be rendered more robust through the thorough management of
(3) Logs, which must be evaluated “constantly and consistently,” and, at least in part,
through correlation, in order to identify patterns which are potentially indicative of threat [5].
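The log correlation described above, as an added example that is not part of the original proposal: it reads constructed firewall log lines (the format and all addresses are made up for this example) and flags a source that touches many distinct destination ports on one host within a short window, the kind of “unknown communication pattern” a port scan leaves behind.

```python
"""Added example (not from the original proposal): correlate firewall log
lines to flag a probable port scan. The log format, the addresses and the
thresholds below are constructed assumptions for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> <DROP|ACCEPT> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>DROP|ACCEPT) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Constructed sample: one source sweeps eight ports in four seconds; another
# source makes a few ordinary connections spread over half an hour.
SAMPLE_LOG = """\
2017-11-09T10:00:01 DROP src=203.0.113.7 dst=192.0.2.10 dport=21
2017-11-09T10:00:01 DROP src=203.0.113.7 dst=192.0.2.10 dport=22
2017-11-09T10:00:02 DROP src=203.0.113.7 dst=192.0.2.10 dport=23
2017-11-09T10:00:02 DROP src=203.0.113.7 dst=192.0.2.10 dport=25
2017-11-09T10:00:03 DROP src=203.0.113.7 dst=192.0.2.10 dport=80
2017-11-09T10:00:03 DROP src=203.0.113.7 dst=192.0.2.10 dport=443
2017-11-09T10:00:04 DROP src=203.0.113.7 dst=192.0.2.10 dport=445
2017-11-09T10:00:04 DROP src=203.0.113.7 dst=192.0.2.10 dport=3389
2017-11-09T10:00:05 ACCEPT src=198.51.100.4 dst=192.0.2.10 dport=443
2017-11-09T10:00:09 ACCEPT src=198.51.100.4 dst=192.0.2.10 dport=443
2017-11-09T10:30:00 DROP src=198.51.100.4 dst=192.0.2.10 dport=22
"""


def parse_lines(text):
    """Yield (timestamp, action, src, dst, dport) for each well-formed line.
    Malformed lines are skipped rather than aborting the whole run."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        yield (datetime.fromisoformat(m["ts"]), m["action"],
               m["src"], m["dst"], int(m["dport"]))


def detect_port_scans(text, window=timedelta(seconds=60), min_ports=6):
    """Return {(src, dst): sorted ports} for every source that reached at
    least `min_ports` distinct destination ports on one host inside any
    sliding `window`. Both DROP and ACCEPT hits count, since a scan of
    open ports is logged as accepted connections. A slow trickle of single
    hits spread over hours never fills a window and is not flagged."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for ts, _action, src, dst, dport in parse_lines(text):
        events[(src, dst)].append((ts, dport))

    alerts = {}
    for key, hits in events.items():
        hits.sort()
        flagged = set()
        start = 0
        for end in range(len(hits)):
            # shrink the window from the left until it spans at most `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {port for _, port in hits[start:end + 1]}
            if len(ports) >= min_ports:
                flagged |= ports
        if flagged:
            alerts[key] = sorted(flagged)
    return alerts
```

Tuning `window` and `min_ports` to the site's normal traffic is what keeps this from paging on a monitoring host that legitimately polls many services.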
Justification. Network security at the ‘perimeter’ is often protected by the firewall
alone, so security policies must adopt passive and active monitoring of all network activity, to
reduce the chance of a threat or attack that might ‘bypass’ even the strongest of perimeter
firewalls.
Requirements. Firewalls are the most common means by which boundary protection is
undertaken, typically through design which “[allows] good traffic in,” without permitting “bad
traffic,” as through intrusion prevention and intrusion detection systems (IPS/IDS) employed
across the network [12]. Network security can be maintained locally, and physically, through
adopting network defense and boundary protection devices. Such devices aid in controlling the
“flow of information into and out of the internal operational network,” and in “protecting it from
malicious insiders, external entities with malicious intent,” or otherwise unauthorized access or
the “disclosure of sensitive information” [16]. Though software perimeter defense was
considered in the previous section, it must be complemented by the practice of “due diligence in
ensuring physical security” of any site or asset upon which boundary protection devices are
installed [16].
Proposed Solutions. Such systems are robust, especially in their capacity to detect
network traffic anomalies, as are signature-based systems, which analyze actions undertaken on
the network and “compare them to a database of signatures to determine if action should be
taken,” as in the case of anti-virus software. This work proposes implementing Snort, an
open-source “signature based [IPS/IDS]” to perform “protocol analysis as well as content matching,”
with high efficacy in detecting and acting upon a wide range of malicious activity, including
“buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting attempts”
[12].
Justification. Though this security system may apply any software-based network
defense devices (as augmented by the physical security of these systems), Snort is the best
solution, due to its open-source nature and support for both Windows and Linux operating
systems.
E. Host Defenses
well as “firewalls and mandatory access control,” though such methods typically fail to account
for “host flows,” as well as for vulnerabilities which may result from “minor modifications to
host configurations” [17]. Moreover, such policies are frequently reactive in nature, and tend to
“[respond] to vulnerabilities as adversaries identify them” [17]. To this end, it will be necessary
defenses, but these often fail to meet any standard of proactivity. That said, the most efficacious
firewalls can follow “coarse-grained rules,” such as those which define which network ports and
associated services may be accessed, or “finer-grained” rules which enforce policy regarding
“which hosts are allowed to connect with [which] services” [10]. It is also recommended that this
organization enforce a type of host-based firewall, often called the “personal firewall,” which
will “dynamically adapt to the user’s network use,” in order to prevent attackers from entering
systems via a “previously unauthorized network path” without escaping detection [10].
Justification. Though robust network security might be maintained through perimeter
defense and IPS/IDS, these systems leave the ‘host’ user open to attacker compromise. Personal
firewalls offer a critical means by which this ‘final’ area of vulnerability can be corrected.
cryptography, has recently seen adoption [11]. These systems use algorithms to convert
“intelligible plaintext” -- as in e-mail text -- into “unintelligible ciphertext,” and back again at
the secured point of destination [11]. They help to ensure that secured data, if ‘intercepted,’
means of (1) Issuing certificates, (2) Revoking certificates, (3) Publishing ‘Certificate
Directory Access Protocol (LDAP). Under this structure, the ‘certificate authority’ (CA) would
provide user keys to each public key user [11]. The maintenance of trust is critical between users
and CAs, and will be maintained through regular “audit of CA policies and procedures” and
adherence, to be employed at regular intervals [11]. ‘Transactions’ which employ PKI will be
in order to further ensure their validity. This will necessitate the augmentation of a PKI with a
“time-stamping service” [11]. Policies will be implemented by which keys are ‘backed up’ and
available for restoration in the event of “disk crash or virus attack,” and updated yearly, in order
to reduce network security and data risk exposure from keys that have been “unknowingly
compromised” [11].
Justification. Robust public key cryptography will provide a critical means by which
data can be secured in the network, thereby adding to its robustness and protecting it from attack.
necessitates the periodic updating of systems, as through patching of software. However, such
efforts may expose systems to security flaws and potential “spoofing and replay attacks,” as
through tampering with updates or in “replaying an old bitstream to downgrade the system,”
thereby demanding that protocols be implemented to secure such activities [3]. Because current
approaches to the standardization of security patching protocol are “ad hoc” in nature, it will be
necessary to establish a stated and explicit methodology to govern such network-host update
transactions [18].
be implemented [18]. This will require moving from security and update protocols which employ
“standard notation,” to those which employ a “formal specification language” which makes use
of “well-defined semantics,” and which can be analyzed using formal techniques, in order to
verify that the “desired security properties” it seeks will be upheld in the event of potential attack
[18]. Such ‘conversion’ and standardization of protocol will apply “code generation”
methodologies, in order to automate this process, and to mitigate the inherent risk of “human
error in interpretation” of the often ‘subtle’ semantics of security protocol specifications [18].
Software such as Sn2Spi will be used in this effort, as well as analyzed using any of the “formal
techniques applicable to Spi Calculus,” and then implemented using Spi2Java (or similar)
It will be necessary to remove the ‘human’ coding element from this equation, to ensure all
systems are limited in their exposure to security attack which takes advantage of critical security
updates.
C. File Encryption
data “into a secret code,” after which the security of files is maintained through the use of a
“secret key or password” which enables their decryption [9]. At present, 128-bit cryptography
has “emerged as the new digital standard” in such processes [9]. The requirements for algorithms
used in such security processes are high, and are dictated by U.S. federal regulation [15].
Institutes of Standard and Technology [NIST]” [15]. Any algorithms for file encryption must
“Elliptic Curve Cryptography [ECC]” algorithms [15]. In adhering to NIST standards and
session keys, and public keys used to establish trust (as augmented through regular audit of
security policy) must be “authenticated prior to use” [15]. Other modes of authentication include
their transmission via “cryptographically signed message,” or manual verification through use of
“public key hash” [15]. Any cryptographic keys generated must be “seeded from an industry
standard random number generator,” and stored in a “secure manner” which prevents their loss,
Justification. As with PKI, all file encryption must be coordinated in a thorough manner.
Given the range of requirements advanced by NIST, organizations must adhere to all applicable
law.
D. Hashing
which is used to index and retrieve database items, but has also seen much use in encryption
algorithms. Critically, when employed in encryption, they will not ensure “confidentiality” as
with NIST methods, but they will provide “verification that a message has not been altered” [19].
As a result, hashing is most useful in storage of passwords and other ‘static’ sensitive material.
material (passwords) through use of hash functions, three conditions must be satisfied. First, no
hash value should be “usable to determine the original input,” which would risk the security of
any data, as with passwords. Second, no hashing algorithm should be “run on the same input and
produce different hashes,” which would reduce the usability of this method. Finally, steps must be
taken in order to avoid collision. This occurs during processes of computing the Message Digest
5 (MD5) or Secure Hash Algorithm (SHA), when “two different initialization vectors [produce]
the same hash value,” thereby reducing the security advantages offered by this methodology
[19]. In any case, hash functions represent a strong means by which the security of stored
passwords can be maintained, provided that network administrators adhere to these practice
recommendations.
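The three conditions above, as an added example that is not part of the original paper: a stored password record is derived with a salted, iterated hash (PBKDF2-HMAC-SHA256 from the Python standard library), verification re-derives it deterministically and compares in constant time, and a fast unsalted digest is shown alongside as the form that fails the first condition in practice. The iteration count, salt length and record format are assumptions chosen for this example.

```python
"""Added example (not from the original proposal): salted, iterated password
hashing with verification. Iteration count, salt length and the record
format are constructed assumptions for this example."""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: slows offline guessing; raise as hardware allows
SALT_BYTES = 16       # assumption: 128-bit random salt per password


def hash_password(password, salt=None):
    """Return a record 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.
    A fresh random salt per password means two users with the same password
    get different stored values, so one precomputed table cannot crack both.
    Passing an explicit salt is only for showing determinism (condition two)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Re-derive the digest with the salt and iteration count carried in the
    record, then compare in constant time so response timing does not leak
    how many bytes of the digest matched. Malformed records are rejected."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iters))
    except ValueError:
        return False
    return hmac.compare_digest(candidate, expected)


def unsalted_md5(password):
    """What NOT to store: a fast digest with no salt. It is deterministic
    (condition two) but identical passwords map to identical values across
    every account, and MD5 is cheap enough that the original input can be
    recovered from it by precomputation, defeating condition one."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()
```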
Justification. This system must be reinforced by methods by which its ‘static’ elements,
such as passwords, are maintained. Hash-based encryption methods offer an effective means by
which this critical task can be performed, but they must not be used in file encryption processes.
Works Cited
[1] Britton, C. “Cybersecurity Considerations for Your Business Continuity Planning.” Internet: https://www.rockdovesolutions.com/blog/cybersecurity-considerations-for-your-business-continuity-planning. 2017. [November 9, 2017].
[2] Carabott, E. “Why you need to run a vulnerability assessment.” Internet: https://techtalk.gfi.com/vulnerability-assessment/. 2011. [November 9, 2017].
[3] Devic, F., Torres, L., and Badrignans, B. “Secure protocol implementation for remote bitstream update preventing replay attacks on FPGA.” 2010. Internet: http://ieeexplore.ieee.org/document/5694243/. [November 10, 2017].
[4] Ernst and Young. “Mobile device security: Understanding vulnerabilities and managing risks.” 2012. Internet: http://www.ey.com/Publication/vwLUAssets/EY_Mobile_security_devices/$FILE/EY_Mobile%20security%20devices.pdf. [November 9, 2017].
[5] IBM. “Understanding IT Perimeter Security.” 2008. Internet: http://www.redbooks.ibm.com/redpapers/pdfs/redp4397.pdf. [November 9, 2017].
[6] Joint Universities Computer Center Ltd. “Network Access Control.” 2016. Internet: https://ito.hkbu.edu.hk/pub/is_newsletter/professional/Issue_09_NAC/JUCC%20Newsletter-IT-9%20NAC.pdf. [November 9, 2017].
[7] Kak, A. “Port and Vulnerability Scanning, Packet Sniffing, Intrusion Detection, and Penetration Testing.” Internet: https://engineering.purdue.edu/kak/compsec/NewLectures/Lecture23.pdf. 2017. [November 9, 2017].
[8] Lamar Institute of Technology. “Information Technology Risk Management Plan.” Internet: http://www.lit.edu/depts/TechService/Docs/LIT%20Risk%20Management%20Plan%20ver%202.31.pdf. 2012. [November 9, 2017].
[9] Lantronix. “Encryption and its Importance to Device Networking.” 2016. Internet: https://www.lantronix.com/wp-content/uploads/pdf/Encryption-and-Device-Networking_WP.pdf. [November 9, 2017].
[10] Nazario, J. Defense and Detection Strategies against Internet Worms. Artech House, 2004.
[11] RSA Data Security. “Understanding Public Key Infrastructure.” 2014. Internet: ftp://ftp.rsa.com/pub/pdfs/understanding_pki.pdf. [November 10, 2017].
[12] Russell, D. and Gangemi, G.T. Computer Security Basi
[13] Rice, B. “Automated Snort Signature Generation.” 2014. Internet: http://commons.lib.jmu.edu/cgi/viewcontent.cgi?article=1314&context=master201019. [November 10, 2017].
[14] SANS Institute. “Physical Security and Why it is Important.” Internet: https://www.sans.org/reading-room/whitepapers/physical/physical-security-important-37120. 2016. [November 9, 2017].
[15] SANS Institute. “Acceptable Encryption Policy.” 2014. Internet: https://www.sans.org/security-resources/policies/general/pdf/acceptable-encryption-policy. [November 9, 2017].
[16] State of Georgia. “Network Security -- Boundary Protection.” Internet: https://gta.georgia.gov/psg/article/network-security-boundary-protection. [November 9, 2017].
[17] Talele, N., Teutsch, J., Jaeger, T., and Erbacher, R.F. “Using Security Policies to Automate Placement of Network Intrusion Prevention.” Internet: https://people.cs.uchicago.edu/~teutsch/papers/ESSOS_2013.pdf. [November 10, 2017].
[18] Tobler, B. “A structured approach to network security protocol implementation.” 2005. Internet: http://pubs.cs.uct.ac.za/archive/00000281/01/ben-tobler-2005-12-thesis.pdf. [November 10, 2017].
[19] Weaver, R., Weaver, D., and Farwood, D. Guide to Network Security and Countermeasures. Cengage, 2013.
[20] WatchGuard. “Producing Your Network Security Policy.” Internet: https://www.watchguard.com/docs/whitepaper/securitypolicy_wp.pdf. 2007. [November 9, 2017].