Question
There are many network devices and software programs that an organization can use to protect its network. Select a device or software that is currently used successfully. Describe the device or software, and explain how the typical organization uses the device to mitigate threats to the network. Explain why this would be your first choice if you could only afford one. Choose the posting of another student and respond by asking questions and agreeing or disagreeing with the other student’s choice. State your reasons for any disagreement.
Be sure to document your references using APA format.
Explanation / Answer
The nature of malicious code, or malware, (e.g., viruses, worms, bots) shifted recently from disrupting service to actively seeking financial gain. In the past, worms were designed primarily to propagate. The impact on victims and organizations was primarily a disruption of service resulting in loss of productivity and sometimes a loss in revenue. Now, many of the significant worms are designed to steal sensitive information such as credit card numbers, social security numbers, pin codes, and passwords and send the information to the attacker for nefarious purposes including identity theft. Unfortunately, attackers have become very adept at circumventing traditional defenses such as anti-virus software and firewalls. Even encrypted web transactions may not protect sensitive information if the user’s computer has been infected. Botnets are often the focal point for collecting the confidential information, launching Denial of Service attacks and distributing SPAM. A bot, short for robot, is an automated software program that can execute certain commands. A botnet, short for robot network, is an aggregation of computers compromised by bots that are connected to a central “controller.” Botnet controllers are often controlled from chat rooms and can be linked together to form even larger botnets. Botnets controlling tens of thousands of compromised hosts are common. Because malware writers are circumventing the basic security controls many organizations have implemented, the community needs to increase user awareness regarding cyber security issues in order to minimize the opportunity for sensitive information to “leak out” of an organization. If a system is compromised, organizations need to improve the ability to minimize their damage. The purpose of this paper is to inform organizations of this rapidly growing problem and provide best-practice defense tactics.
WILL A FIREWALL PROTECT ME? An enterprise firewall between your internal network and the Internet provides one layer of protection for the internal computers. However, not all threats come through the “front door” of your organization’s network and through that firewall. Employee and consultant laptops that have been connected to public or home networks can become infected with malware. Once these users connect their computers, physically or through VPN connections, to your organization’s internal network they have effectively circumvented the Internet-facing firewall. Other possible “backdoors” that may allow worms to infect computers inside an Internet-facing firewall include users reading and downloading attachments from personal, external web-based email, employees using Instant Messaging (IM) or Internet Relay Chat (IRC) and users visiting web sites with malicious code. Phishing schemes (a combination of social engineering and HTML hyperlink trickery), spyware/adware, and DNS (Domain Name Service) cache poisoning can be used to trick users into visiting malicious web sites unintentionally. Upon visiting one of these web sites, the user’s web browser could automatically download or run malicious code, infecting the host computer and possibly other systems on the internal network.
WILL AN INTRUSION DETECTION/PREVENTION SYSTEM HELP ME? Yes. An IDS (or Intrusion Prevention System (IPS)) should be deployed on the network in an effort to find network attacks, to analyze and correlate these anomalies, and to react as needed. The use of IDS/IPS devices can help to answer the following questions:
• Is the organization under attack?
• What IP/network is the source?
• What IP/network is the target?
• Which attack, if known, is being executed?
In a sense, an Intrusion Detection/Prevention System provides an ability to see the traffic coming and going across the network wires. Although an IDS/IPS is only as effective as the signatures it uses to detect intrusions, the network placement of the IDS/IPS sensors, and the analyst examining the IDS/IPS alerts, it is still a necessary and corroborative network device to add to an organization’s defense in depth strategy.
Today’s malware uses multiple methods to hide and disguise itself, making identification and eradication extremely difficult. From hiding processes from the Operating System to using encrypted network traffic over common outbound network ports (e.g. HTTP, DNS, FTP), malware coders are building their software smarter and more stealthy with each new version. Some worms attempt to disable or corrupt anti-virus and personal firewall software so that when a new vendor signature file is pushed out, it may fail to detect and clean the malware. Infected computers may attempt to join a botnet using IRC or web-based protocols to get instructions from the controlling server(s) of that network. These directions can include installing hidden key-logging software, performing covert network scans, performing a DoS (denial of service) attack or participating in a DDoS (distributed denial of service) attack, and installing other malicious code onto that computer that may act as a “middle-man” hiding evidence of the compromise from AV scanners, firewalls and even experienced administrators. Worms may hide outgoing communications to their controlling computer by using random or nonstandard outbound ports for service protocols such as IRC, FTP (File Transfer Protocol) and TFTP (Trivial File Transfer Protocol). It is not sufficient for an organization to block IRC traffic by only blocking ports 6666/TCP and 6667/TCP (the well-known ports for IRC). In fact, some recent variants have begun using port 80/TCP, which is the same port used for browsing web sites. Selecting a port used for normal business, combined with the trend for worms to encrypt their communications, makes it even more difficult for administrators to identify network traffic as malicious. Botnets typically contact a controller via its domain name (e.g., controller.no-ip.info). These network names are usually registered through a DDNS (Dynamic Domain Name System) service, making it difficult to trace the attacker.
In responding to an infection, it is not sufficient to block the IP address of the bot-controlling server, since the infected system(s) are trying to access the controller via its domain name (e.g. controller.no-ip.info). When a botnet controller is discovered and taken off-line, the attacker attaches a different IP address to the controlling domain name. Therefore, the bots previously attached to the discovered controller can establish a connection to the new controlling host. In most cases, the controlling computers are machines that were previously compromised by the attacker.
WHAT CAN I DO? Protecting your organization from these growing threats can be difficult and requires multiple layers of defenses, otherwise known as defense in depth. As every organization is different, this strategy should therefore be based on a balance between protection, capability, cost, performance, and operational considerations. Defense in depth for most organizations should at least consider the following two areas: (1) protecting the enclave boundaries and (2) protecting the computing environment.
Enclave Boundary
The enclave boundary is the point at which the organization’s network interacts with the Internet. For the purpose of this article, the focus will center on firewall and intrusion detection/prevention systems usage.
1. Firewalls
The main purpose of a firewall is access control. By limiting inbound (from the Internet to the internal network) and outbound communications (from the internal network to the Internet), various attack vectors can be reduced. Acceptable inbound communication types for the organization need to be explicitly defined in the firewall policies. As the firewall is usually one of the first lines of defense, access to the firewall device itself needs to be strictly controlled. Conversely, the firewall also needs to be configured for authorized outbound network traffic. In the case of a compromised host inside the network, outbound or egress filtering can contain that system and prevent it from communicating outbound to its controller – as in the case with botnets. Oftentimes, firewalls default to allowing any outbound traffic; therefore, organizations may need to explicitly define the acceptable outbound communication policies for their networks. In most cases the acceptable outbound connections would include:
• SMTP to any address from only your SMTP mail gateway(s);
• DNS to any address from an internal DNS server to resolve external host names;
• HTTP and HTTPS from an internal proxy server for users to browse web sites;
• NTP to specific time server addresses from an internal time server(s);
• Any ports required by AV, spam filtering, web filtering or patch management software to only the appropriate vendor address(es) to pull down updates; and
• Anything else where the business case is documented and signed off by appropriate management.
2. Intrusion Detection Systems
The goal of an IDS (intrusion detection system) is to identify network traffic in near real time.
Most IDSs use signatures to detect port scans, malware, and other abnormal network communications. The ideal placement of an IDS is external to the organization as well as internally, just behind the firewall. This way, an organization will have visibility to the traffic approaching the organization as well as the traffic that successfully passed through the firewall. Conversely, there will be visibility on internal traffic trying to communicate external to the network – particularly useful for situations where malicious activity originates from inside the firewall.
WHAT IF I AM COMPROMISED? The notion of becoming compromised is not really a question of “if,” but more a question of “when.” No one system or network is completely impenetrable, so it is extremely important to have sound incident response procedures in place so that when the inevitable happens, all parties involved know how to handle the situation. The manner in which an organization handles an incident will be highly tailored to that organization. Procedures should be based on the incident response policy inside the SOPs (Standard Operating Procedures) of that organization. An SOP delineates the specific technical processes, techniques, checklists, and forms used by the incident response team and the organization as a whole. SOPs should be comprehensive and detailed to ensure that the priorities of the organization are reflected in response operations. In addition, following these standardized responses should minimize errors, particularly those that might be caused by the increased tempo and stress occurring while responding to an incident. Finally, SOPs should be tested to validate their accuracy and usefulness, and then distributed to all team members.
While some malware writers are becoming more skillful in the code they are developing, there are protections that organizations can deploy prior to an infection to mitigate this threat. Organizations that develop, deploy, monitor, and test security tools throughout their network, and the information security policies that govern these devices, will be better able to avoid compromises and, in the event they do get infected, to recover faster.
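To make the egress allow-list from the answer concrete, the following is an added example (not part of the original post or any product's code) that models that outbound policy as default-deny rules and evaluates constructed flow records against it. Every host, network and address in it is made up for illustration; the four dropped flows are the cases the answer warns about (a workstation resolving DNS directly, talking on the IRC port, or using port 80 without going through the proxy, and a time server reaching an unapproved peer).

```python
# Default-deny egress policy modelled on the answer's outbound allow-list.
# Added example, not from the original post; every address here is constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    src: str                # internal source allowed to originate the flow
    proto: str
    dport: int
    dst: str = "0.0.0.0/0"  # permitted destination network (default: any)

# One rule per bullet in the answer (constructed internal and external addresses).
EGRESS_POLICY = [
    Rule("smtp-from-mail-gateway", "10.0.1.25/32", "tcp", 25),
    Rule("dns-from-internal-resolver", "10.0.1.53/32", "udp", 53),
    Rule("http-from-proxy", "10.0.1.80/32", "tcp", 80),
    Rule("https-from-proxy", "10.0.1.80/32", "tcp", 443),
    Rule("ntp-from-time-server", "10.0.1.123/32", "udp", 123, "203.0.113.10/32"),
    Rule("av-updates-to-vendor", "10.0.0.0/16", "tcp", 443, "198.51.100.0/24"),
]

def matches(rule, src, proto, dport, dst):
    return (ip_address(src) in ip_network(rule.src) and proto == rule.proto
            and dport == rule.dport and ip_address(dst) in ip_network(rule.dst))

def evaluate(flow, policy=EGRESS_POLICY):
    """Return (action, rule name); anything unmatched hits the default-deny rule."""
    for rule in policy:
        if matches(rule, *flow):
            return "ALLOW", rule.name
    return "DROP", "default-deny"

# Constructed flow records: (source, protocol, destination port, destination).
FLOWS = [
    ("10.0.1.25", "tcp", 25, "192.0.2.7"),       # mail gateway delivering mail
    ("10.0.5.17", "udp", 53, "192.0.2.53"),      # workstation resolving externally
    ("10.0.5.17", "tcp", 6667, "192.0.2.99"),    # workstation on the IRC port
    ("10.0.5.17", "tcp", 80, "192.0.2.99"),      # workstation on 80, bypassing proxy
    ("10.0.1.80", "tcp", 443, "192.0.2.44"),     # proxy browsing for users
    ("10.0.1.123", "udp", 123, "203.0.113.10"),  # time server to approved NTP peer
    ("10.0.1.123", "udp", 123, "203.0.113.99"),  # time server to unapproved peer
]

def dropped_flows(flows=FLOWS, policy=EGRESS_POLICY):
    return [f for f in flows if evaluate(f, policy)[0] == "DROP"]  # logged for review
if __name__ == "__main__":
    for flow in FLOWS:
        print(*evaluate(flow), flow)
```

Dropped flows are what the firewall should log, and they are also the records an analyst would feed to the IDS/IPS review the answer describes.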