There is a server problem: the server is not responding properly. We ran a vulnerability test to check for problems in the server and to measure its response time under different conditions. The steps involved in assessing the vulnerabilities are as follows:
1. Preparing for the test
- The process must be documented.
- Written permission to carry out the testing must be obtained before going ahead.
- The tools required for the test must be updated. Scanners that have not been used for a while carry stale signature databases and miss vulnerabilities published since, so they must be brought up to date before use.
- The tools must be configured for the target system (address ranges, credentials, scan depth) accordingly.
2. Executing the test
- Run the tools required to perform the test.
- Data is sent over the network in the form of packets. Each packet carries the destination address in its header, so even if the packets arrive out of order they can be reassembled at the destination computer; the scanner's probes and the responses it analyses travel the same way.
3. Analysis for vulnerability
- The devices in the network are classified by type and function (routers, switches, servers, workstations).
- Each resource is assigned a priority according to how critical it is.
- After identifying the resources, a threat list is created for each resource: the possible sources of attack and the things that could go wrong.
- A response strategy is drafted so that there is a clear plan for getting the system running again after a failure or an attack.
- A comprehensive report is written covering the source of the attack, the way the attack was dealt with and the measures taken to stop it recurring.
- The way to fix each vulnerability found is recorded.
We used a vulnerability scanner called STAT, which is a host-based scanner that can be run against multiple systems in the network. Using this tool we found that there is a problem in the router, so the router needs to be replaced with a better one. There are often problems in a network that even experts cannot identify by hand. It is better to use an application to perform the scan, as there is less scope for error; we should minimise errors as much as possible, and for that we must minimise manual interaction with the equipment. (GURU99, 2018)
We used the ping tool to analyse the network. Ping performs a connectivity test: it checks whether the receiver is reachable from the sender and how long packets take to get there and back. It says nothing about whether the connection is secure. It uses the Internet Control Message Protocol (ICMP): an echo request is sent from the sender to the receiver, and the time until the echo reply comes back is recorded. The ping command sends several echo requests, notes the round-trip time of each reply, and reports any request that got no reply before the timeout. Ping comes pre-installed on almost every operating system.
Let us look at some of the switches available for the ping command (the Windows spelling is given first, then the Linux one):
- Number (-n on Windows, -c on Linux): the number of echo requests sent. The default is 4 on Windows; on Linux and most Unix systems ping keeps sending until it is stopped unless a count is given.
- Timeout (-w on Windows, in milliseconds; -W on Linux, in seconds): how long to wait for each reply before it is counted as lost and the next request is sent.
- Size (-l on Windows, -s on Linux): the size of the ping payload. It can be changed with this switch, for example to test whether large packets are dropped.
- Until stopped (-t on Windows): ping runs until the user stops it with Ctrl+C.
We can locate the source of the problem by comparing response times along the path. In this case the problem was with the router: it was not forwarding packets within the required time frame, possibly because a hardware component of the router was damaged. Either way, the router was slowing the network down and has to be replaced. (PAESSLER, 2018)
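As an added example (not code from the report), the following Python builds the ping command with the switches just listed and analyses the output the way the paragraph above describes: parse the round-trip times, compute loss and min/avg/max, and flag the hop that is slow. The two ping outputs embedded in it are constructed samples in Windows and Linux format, not captures from this network, and the 100 ms "slow" threshold is an assumption for a LAN hop.

```python
import re
import statistics
import sys

# Constructed sample outputs (not captured from the network the report describes).
# The first is in Windows ping format, the second in Linux (iputils) format, so the
# parser below handles both spellings of the round-trip time.
HEALTHY_HOST = """\
Pinging 192.168.10.5 with 32 bytes of data:
Reply from 192.168.10.5: bytes=32 time=1ms TTL=128
Reply from 192.168.10.5: bytes=32 time=2ms TTL=128
Reply from 192.168.10.5: bytes=32 time=1ms TTL=128
Reply from 192.168.10.5: bytes=32 time=1ms TTL=128
"""

SLOW_ROUTER = """\
PING 192.168.10.254 (192.168.10.254) 56(84) bytes of data.
64 bytes from 192.168.10.254: icmp_seq=1 ttl=64 time=480.2 ms
64 bytes from 192.168.10.254: icmp_seq=2 ttl=64 time=512.9 ms
64 bytes from 192.168.10.254: icmp_seq=3 ttl=64 time=455.0 ms
64 bytes from 192.168.10.254: icmp_seq=4 ttl=64 time=470.5 ms
"""

RTT_RE = re.compile(r"time[=<]\s*(\d+(?:\.\d+)?)\s*ms")


def build_ping_cmd(host, count=4, timeout_ms=1000, size=32, platform=None):
    """Build the ping argv for the count, timeout and size switches.

    Windows ping.exe and Linux iputils ping spell the switches differently;
    'until stopped' is -t on Windows and the default (no -c) on Linux.
    """
    platform = platform or sys.platform
    if platform.startswith("win"):
        cmd = ["ping", "-n", str(count), "-w", str(timeout_ms), "-l", str(size)]
    else:
        # iputils -W takes whole seconds; -s is the payload size in bytes
        cmd = ["ping", "-c", str(count), "-W", str(max(1, timeout_ms // 1000)),
               "-s", str(size)]
    return cmd + [host]


def parse_rtts(output):
    """Round-trip times in ms from ping output; timed-out requests produce none."""
    return [float(m.group(1)) for m in RTT_RE.finditer(output)]


def summarise(output, sent):
    """Loss percentage and min/avg/max RTT for a ping run of `sent` requests."""
    rtts = parse_rtts(output)
    received = len(rtts)
    summary = {"sent": sent, "received": received,
               "loss_pct": 100.0 * (sent - received) / sent,
               "min": None, "avg": None, "max": None}
    if rtts:
        summary.update(min=min(rtts), avg=statistics.mean(rtts), max=max(rtts))
    return summary


def diagnose(summary, slow_ms=100.0, max_loss_pct=0.0):
    """Classify a ping summary as unreachable, lossy, slow or ok.

    slow_ms is an assumed threshold for a LAN hop; tune it per network.
    """
    if summary["received"] == 0:
        return "unreachable"
    if summary["loss_pct"] > max_loss_pct:
        return "lossy"
    if summary["avg"] > slow_ms:
        return "slow"
    return "ok"


if __name__ == "__main__":
    print(" ".join(build_ping_cmd("192.168.10.254")))
    for name, out in (("host", HEALTHY_HOST), ("router", SLOW_ROUTER)):
        s = summarise(out, 4)
        print(name, diagnose(s), s)
```

Run against each hop in turn (host, switch, router, upstream) and the first hop whose summary turns "slow" or "lossy" is the one to look at; in the report's case that is the router.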
When we want to disable the connection for a particular system on the network, we need administrative rights on the network (on the router or the switch it connects through). With those rights we can go to the list of IP (or MAC) addresses of the systems logged on to the network and remove that system; it will no longer be able to use the network.
We can also create a scenario where a group of systems are connected to each other but cannot access the internet. Again, this is the prerogative of the system administrator. When you play a game over a LAN you do not need the internet; you only need the systems connected to one another. Counter-Strike, for example, used LAN play to connect different players' systems to each other, with no internet access required.
Intrusion detection system
We can configure what the IDS should do when an attack takes place. A log entry recording the time and details of the attack can be kept, which is useful for later analysis. The IDS signatures have to be updated regularly so that they describe what currently constitutes an attack; if they are not updated, a new attack can happen and the IDS will not recognise it, and it will escape everyone's attention. (TechTarget, 2018)
The IDS should be located just inside the firewall. That way it sees the attacks that get through from outside the network. From that position alone it is harder to detect attacks that originate inside the network, so sensors can be placed at several locations inside the network to record traffic, both incoming and outgoing. A central IDS console accumulates and analyses the data from all the sensors, and from that it can tell whether there is any illicit traffic.
We can connect an IDS sensor to a mirror (SPAN) port on the switch so that it receives a copy of the traffic at full speed. The log storage should be large enough to record all the data. The logs have to be studied by a professional specifically employed to review IDS logs and decide which traffic is illicit. The operating systems and servers should be patched and up to date before the IDS is deployed. The IDS management traffic should run on a separate network rather than the network being monitored, so that it does not mix with the traffic under observation. Over time the administrator learns which alert means what and can prioritise the different alerts accordingly.
The above screenshot depicts the working of an IDS.
The above screenshot depicts a host-based intrusion detection system.
There are different ways to detect threats from outside sources. Let us discuss a few of them:
- Signature based: the signatures of known malicious events are compared against the observed traffic, and if one matches, the appropriate defence mechanism is initiated. This works for known threats. The problem is that attackers are always releasing new types of malware and attacks, and the system cannot identify something it has no signature for, so it can still escape detection and attack the network.
- Anomaly based detection: activity is observed over a significant period to build a baseline of normal behaviour. Any event that deviates from the observed pattern raises an alert. This is done by comparing the current activity with the baseline for the same type of activity and looking for deviation; a significant deviation leads to a threat alert. The line between normal and abnormal is a number known as the threshold: anything within the threshold is normal activity and anything beyond it is abnormal.
- Stateful protocol analysis: the detection system carries a profile of how each protocol is supposed to behave, what a legitimate exchange looks like and which states and commands are benign or harmful, and tracks each connection against that profile. If an event falls into the harmful category for that protocol, a threat alert is issued.
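The first two detection methods, as an added example that is not part of the original report: a signature matcher and an anomaly scorer run over a few constructed web-server request records. The log lines, the two signature patterns, the baseline counts and the 3-standard-deviation threshold are all assumptions made for the demonstration; the signatures are deliberately narrow so that the weakness described above (a differently encoded payload slips past) is visible.

```python
import re
import statistics
from collections import Counter

# Constructed sample of web-server request records, one per line:
# "source_ip method path status". Two of them carry classic attack strings.
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.5 GET /about.html 200
203.0.113.9 GET /login.php?user=admin'%20OR%20'1'='1 200
10.0.0.7 GET /images/logo.png 200
203.0.113.9 GET /../../etc/passwd 404
198.51.100.4 GET /index.html 200
"""

# Signature rules, name -> pattern over the request path. These catch only what
# they were written for: the same SQL injection with different spacing or
# encoding would slip past, which is the weakness of signature detection.
SIGNATURES = {
    "sqli-tautology": re.compile(r"(?i)'(?:%20|\s)*or(?:%20|\s)*'1'='1"),
    "path-traversal": re.compile(r"\.\./"),
}


def parse_log(text):
    """Yield (src, method, path, status) tuples from the sample format."""
    for line in text.splitlines():
        if line.strip():
            src, method, path, status = line.split()
            yield src, method, path, int(status)


def signature_alerts(text):
    """Signature based: alert on every request whose path matches a known pattern."""
    alerts = []
    for src, _method, path, _status in parse_log(text):
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((src, name))
    return alerts


def requests_per_source(text):
    """Requests per source address in the observed window."""
    return Counter(src for src, *_ in parse_log(text))


def anomaly_score(baseline_counts, observed):
    """Anomaly based: z-score of an observed count against a baseline.

    baseline_counts are per-window request counts recorded while learning
    what normal looks like; a large |z| is a significant deviation.
    """
    mean = statistics.mean(baseline_counts)
    spread = statistics.pstdev(baseline_counts)
    if spread == 0:
        return 0.0 if observed == mean else float("inf")
    return (observed - mean) / spread


def anomaly_alerts(baseline_counts, observed_counts, threshold=3.0):
    """Sources whose request count deviates from the baseline by more than
    `threshold` standard deviations; the threshold is the line between
    normal and abnormal activity."""
    return sorted(src for src, n in observed_counts.items()
                  if abs(anomaly_score(baseline_counts, n)) > threshold)


# Constructed baseline: requests per source per window observed during a quiet week.
BASELINE = [12, 15, 11, 14, 13, 12, 16, 14]

if __name__ == "__main__":
    print("signature hits:", signature_alerts(SAMPLE_LOG))
    burst = Counter({"10.0.0.5": 15, "203.0.113.9": 90})
    print("anomalous sources:", anomaly_alerts(BASELINE, burst))
```

Note that the two detectors disagree in a useful way: the signature matcher names the attack but only for payloads it already knows, while the anomaly scorer notices the burst from 203.0.113.9 without knowing what it is, which is why a deployment runs both.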
A good security policy should cover the following aspects:
- Purpose: a clear purpose has to be defined, with nothing ambiguous.
- Compliance conditions: there will always be laws and regulations to follow wherever you are, so the ones that must be complied with must be listed.
- Last test date: the date the device was last checked against this policy has to be recorded.
- Last update date: policies, like software, are updated regularly. The date the policy was last updated has to be recorded.
- Contact: the contact details of the person who wrote the policy, so that any doubts can be cleared up with that person directly. This ensures there is no ambiguity.
A security policy should be customised for the particular network. A thorough study of the network has to be done, carefully examining its components, its vulnerable areas and its speed under different loads. After analysing the network and identifying its strengths and weaknesses, a security policy can be written. A company with over 1000 employees will have many users, so there should be a network administrator for each department who can grant different access levels to users in their own department, and an overall network administrator who can revoke the rights of the departmental administrators if there is a breach of some sort. This ensures that every employee has access to the information they need and nothing more (the principle of least privilege). A log records the time of each access and the information accessed, so that in the event of a breach the logs can be analysed to identify the person responsible.
The security policy that we create should address the following:
- Scope of the policy: the devices the policy is supposed to secure or the network it is supposed to safeguard have to be stated.
- Players: the people who will implement the terms of the policy have to be named.
- Confidentiality: information pertaining to a client must never be disclosed to anyone else without the prior approval of the owner of the data.
- Data integrity: stored data must never be altered without authorisation; it should be kept as the client left it.
- Availability: data should be available whenever required, and only to the people who need it.
- Purpose: there should be a clear purpose for which the policy is being made.
- Policy compliance: the policy should be framed within the guidelines it has to follow.
A system administrator can give different levels of access to different users. Some of them may be able to see highly confidential data while most of the users will not be able to do that. This way you get the work done by revealing only the essential information to the employees.
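The delegation scheme described above (an overall administrator who appoints and revokes departmental administrators, departmental administrators who grant levels only within their own department, and a log of every access for breach investigation) as an added example in Python; it is not code from the report, and the three classification levels, the department names and the accounts used are assumptions made for the illustration.

```python
from datetime import datetime, timezone

# Classification levels, lowest to highest (assumed). A user cleared for a level
# may read that level and everything below it, but only within their own department.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


class AccessControl:
    """Overall admin appoints department admins; department admins grant
    levels only inside their own department; every access attempt is logged."""

    def __init__(self, overall_admin):
        self.overall_admin = overall_admin
        self.dept_admins = {}   # department -> admin account
        self.grants = {}        # user -> (department, level number)
        self.log = []           # (time, user, resource, outcome)

    def appoint(self, actor, department, admin):
        if actor != self.overall_admin:
            raise PermissionError("only the overall admin appoints department admins")
        self.dept_admins[department] = admin

    def revoke_admin(self, actor, department):
        """Used by the overall admin after a breach in that department."""
        if actor != self.overall_admin:
            raise PermissionError("only the overall admin revokes department admins")
        self.dept_admins.pop(department, None)

    def grant(self, actor, user, department, level):
        """A department admin can grant only in the department they administer."""
        if actor != self.overall_admin and self.dept_admins.get(department) != actor:
            raise PermissionError(f"{actor} cannot grant access in {department}")
        self.grants[user] = (department, LEVELS[level])

    def access(self, user, resource, resource_dept, classification, when=None):
        """Decide one access request and record it, whether allowed or denied."""
        dept, level = self.grants.get(user, (None, -1))
        allowed = dept == resource_dept and level >= LEVELS[classification]
        self.log.append((when or datetime.now(timezone.utc), user, resource,
                         "allowed" if allowed else "denied"))
        return allowed

    def who_touched(self, resource):
        """Breach investigation: every attempt on a resource, in order."""
        return [(t, u, outcome) for t, u, r, outcome in self.log if r == resource]


if __name__ == "__main__":
    ac = AccessControl("root")
    ac.appoint("root", "finance", "alice")
    ac.grant("alice", "bob", "finance", "confidential")
    print(ac.access("bob", "ledger.xlsx", "finance", "confidential"))  # True
    print(ac.access("bob", "payroll.csv", "hr", "internal"))           # False
    print(ac.who_touched("ledger.xlsx"))
```

Denied attempts are logged as well as allowed ones: during an investigation the failed attempts on a resource are usually the first sign of who was probing it.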
a.) You can change the settings of the internet router to block all port 80 traffic leaving the network. This ensures the computers cannot browse the web; note that blocking port 80 alone stops only plain HTTP, so port 443 must be blocked as well to stop HTTPS browsing. (Blegen, 2014)
b.) 192.168.10.7 and 192.168.10.8 can be exempted from the rule we have just added so that they can still access the internet. The addresses listed in the router's block rule lose internet access, so these two are simply left out of the list (or, on routers that process rules in order, given an allow rule placed before the block rule).
c.) We can use the intrusion detection system to detect any illicit traffic. The log is monitored continuously so that a hacker cannot gain access to the network and use it for their own ends without being noticed.
d.) We can go to Control Panel and change the settings accordingly, or change the settings of the individual application itself.
e.) The Services console (services.msc, the interface to the Service Control Manager) is used to manage Windows services. It lists every service with its description, status and startup type. You can start, stop, pause and resume services, and set them to delayed start, at your discretion; administrative privileges are needed to do so.
f.) Remote users' access to the internal areas of the network can be restricted by the following steps:
- Go to Control Panel, then System and Security, then System.
- Open Remote settings in the left pane. The System Properties dialogue box will open.
- To disable Remote Desktop, select "Don't allow connections to this computer".
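Items a.) and b.) above, as an added example that is not from the report: a small first-match rule evaluator of the kind used by router and firewall ACLs, with the block rule for port 80 beside the tightened version that also covers 443, and the two exempt hosts placed first. The LAN range 192.168.10.0/24, the first-match semantics and the "allow by default" fallback are assumptions about the router; the two exempt addresses are the ones the report names.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "block"
    src: str                # source network in CIDR form; "0.0.0.0/0" means any
    dport: Optional[int]    # destination TCP port; None means any port

    def matches(self, src_ip, dport):
        return (ip_address(src_ip) in ip_network(self.src)
                and (self.dport is None or self.dport == dport))


def evaluate(rules, src_ip, dport, default="allow"):
    """First-match evaluation, as most router and firewall ACLs do it:
    the first rule that matches decides, later rules are never consulted."""
    for rule in rules:
        if rule.matches(src_ip, dport):
            return rule.action
    return default


LAN = "192.168.10.0/24"                       # assumed LAN range
EXEMPT = ("192.168.10.7", "192.168.10.8")     # hosts that keep internet access

# (a) as written: block port 80 from the LAN. Plain HTTP stops; HTTPS on 443 does not.
BLOCK_HTTP_ONLY = [Rule("block", LAN, 80)]

# (a) tightened: block both web ports so browsing really stops.
BLOCK_WEB = [Rule("block", LAN, 80), Rule("block", LAN, 443)]

EXEMPTIONS = [Rule("allow", f"{ip}/32", port) for ip in EXEMPT for port in (80, 443)]

# (b) wrong: exemptions placed after the block rules never fire.
WRONG_ORDER = BLOCK_WEB + EXEMPTIONS

# (b) right: exemptions first, then the block rules.
RIGHT_ORDER = EXEMPTIONS + BLOCK_WEB


if __name__ == "__main__":
    for name, ruleset in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        print(name, "192.168.10.7:80 ->", evaluate(ruleset, "192.168.10.7", 80),
              "192.168.10.20:80 ->", evaluate(ruleset, "192.168.10.20", 80))
```

After changing a ruleset, test it from one exempt host and one ordinary host on both ports; that catches both the ordering mistake and the forgotten 443.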
Nmap is used to detect the devices present within an address range of the network. We will test a simple class C network. In the Nmap command the scan type is selected with a switch. (INFOSEC, 2018)
The host-discovery scan sends probe packets of different types to every address in the range and notes the devices that respond.
Scans are also run to determine which ports are open. Let us discuss some of the switches:
-sS: a stealth (SYN, half-open) TCP scan is performed; it needs raw-socket privileges.
-sT: a full TCP connect scan is performed.
-sU: a UDP scan is performed.
-p: tells Nmap which ports to scan, for example -p 1-1024 or -p 53,135,445.
The -O switch tells Nmap to fingerprint the operating system of each host.
The output looks like this:
Here ports 135, 3389, 53, 139, 445, 111 and 593 are open. From the command line we can also list which ports are in use locally and which are free.
Here the system reports that ports 53, 88 and 111 are in use for some task or other. The list of ports currently in use can be obtained from the command line with netstat -an (on Windows and Linux alike), which shows every listening socket and active connection.
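As an added example (not from the report), the following Python assembles the Nmap command line from the switches above and parses Nmap's grepable output (-oG) into the open ports per host, then compares them with an inventory of what each host is supposed to expose. The scan output embedded in it is constructed in the -oG format, not the report's screenshot, though it reuses the port numbers the report lists; the EXPECTED inventory is an assumption.

```python
import re


def nmap_argv(target, scan="-sS", ports=None, os_detect=False):
    """Assemble an Nmap command line from the switches discussed above.
    -sS and -O both need raw-socket privileges (root or Administrator)."""
    argv = ["nmap", scan]
    if ports:
        argv += ["-p", ports]
    if os_detect:
        argv.append("-O")
    # -oG - writes the grepable format parsed below to standard output
    return argv + ["-oG", "-", target]


# Constructed sample of Nmap's grepable (-oG) output for two hosts; not the scan
# from the report, but it uses the same ports the report lists.
SAMPLE_GREPABLE = """\
# Nmap 7.80 scan initiated Mon Jan  1 10:00:00 2018 as: nmap -sS -p 1-1024,3389 -oG - 192.168.10.0/24
Host: 192.168.10.5 ()\tStatus: Up
Host: 192.168.10.5 ()\tPorts: 53/open/tcp//domain///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (1020)
Host: 192.168.10.7 ()\tStatus: Up
Host: 192.168.10.7 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/open/tcp//rpcbind///, 593/filtered/tcp//http-rpc-epmap///\tIgnored State: closed (1021)
# Nmap done at Mon Jan  1 10:02:13 2018 -- 256 IP addresses (2 hosts up) scanned
"""

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+([^\t]*)")
PORT_ENTRY = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//")   # port/state/proto//service//


def parse_grepable(text):
    """{host: [(port, proto, service), ...]} for every port reported open."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue
        host, ports_field = m.groups()
        hosts[host] = [(int(port), proto, service)
                       for port, state, proto, service in PORT_ENTRY.findall(ports_field)
                       if state == "open"]
    return hosts


def unexpected_open(scan, expected):
    """Open ports the inventory does not account for; these are chased first."""
    findings = {}
    for host, entries in scan.items():
        extra = sorted(port for port, _proto, _svc in entries
                       if port not in expected.get(host, set()))
        if extra:
            findings[host] = extra
    return findings


# Assumed inventory of what each host is supposed to expose (constructed).
EXPECTED = {"192.168.10.5": {53, 135, 139, 445}, "192.168.10.7": {22, 80}}

if __name__ == "__main__":
    print(" ".join(nmap_argv("192.168.10.0/24", ports="1-1024,3389", os_detect=True)))
    scan = parse_grepable(SAMPLE_GREPABLE)
    print(unexpected_open(scan, EXPECTED))   # 3389 on .5 and 111 on .7 need explaining
```

Filtered ports are deliberately left out of the result: a port Nmap reports as filtered is blocked somewhere on the path, which is a different question from whether the host is listening on it.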
When sending and receiving data, the encryption used is specified. Here RSA is used, which is an asymmetric encryption algorithm. Two keys are used: a public key and a private key. The public key is sent to the other machine and the private key stays with its owner. The other machine encrypts its reply with the public key, and the owner decrypts it with the private key; only the private key can decrypt what the public key encrypted.
The algorithm used for the message transfer is RSA, as specified in the above screenshot.
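The key flow described above, as an added example that is not code from the report or from any real RSA implementation: textbook RSA with the keys generated from two small primes so the numbers can be checked by hand, the reply encrypted with the public half and decrypted with the private half, and a check that applying the public exponent again does not recover the message. The primes 61 and 53 (and 104729 and 104723 for the byte-string round trip) are chosen for illustration; real keys use primes of 1024 bits or more, and real protocols never apply RSA to raw data without padding.

```python
import math


def rsa_keygen(p, q, e=65537):
    """Textbook RSA key generation from two primes.

    Returns (public, private) as (n, e) and (n, d). The primes used below are
    tiny so the arithmetic can be checked by hand; real keys use primes of
    1024 bits or more, and SSH and TLS never apply RSA to raw data without padding.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key, m):
    """Anyone holding the public key can do this step."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than n")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the holder of d can undo encrypt(); applying the public exponent
    again does not recover the message."""
    n, d = private_key
    return pow(c, d, n)


def encrypt_bytes(public_key, data):
    """Wrapper for short byte strings (the integer must fit below n)."""
    return encrypt(public_key, int.from_bytes(data, "big"))


def decrypt_bytes(private_key, c, length):
    return decrypt(private_key, c).to_bytes(length, "big")


if __name__ == "__main__":
    # The machine that will receive the reply generates the pair and sends
    # only the public half to the other machine.
    public, private = rsa_keygen(61, 53, e=17)       # n = 3233, d = 2753
    c = encrypt(public, 65)                          # the other side encrypts
    print(c, decrypt(private, c))                    # 2790 65
    # A pair large enough to carry a four-byte message.
    pub2, priv2 = rsa_keygen(104729, 104723)
    c2 = encrypt_bytes(pub2, b"ping")
    print(decrypt_bytes(priv2, c2, 4))               # b'ping'
```

With n = 3233 the private exponent can be found by trial in seconds, which is the point of the tiny example: the security of RSA rests entirely on n being too large to factor.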
Nmap does not intercept other machines' packets; it sends its own probe packets and analyses the replies to determine the available hosts, the operating system each host runs and the services each host offers. Some of the screenshots above show this for the projects.
We are using a network vulnerability tool called Nexpose.
It identifies the services that are active, the ports that are open and the applications running on the machine. It scans the system for vulnerabilities by examining the attributes (version, configuration) of the applications installed on it, and it detects vulnerabilities and malware.
There are many other vulnerability tools, each with different capabilities. Pick a tool based on the tests you want to carry out.
The system should be kept safe and secure from hackers, who can use the information for their own personal gain. If hackers are able to penetrate big establishments they can cause a lot of monetary damage as well. Any company that stands to make losses if its network is hacked should have a firewall and employ a security expert.
Every hacker who enters a system illegally leaves a trace. If those traces and patterns are analysed by a security expert, the intruder can be traced, though the expert has to be skilful enough to analyse the patterns.
The above screenshots show the workings of Nexpose.
Blegen, C., 2014. Wi-Findings. [Online] Available at: http://blog.dlink.com/how-to-block-devices-from-your-home-network/
GURU99, 2018. Vulnerability Testing: Process, Assessment, Tools, Scanner. [Online] Available at: https://www.guru99.com/vulnerability-testing.html
INFOSEC, 2018. INFOSEC. [Online] Available at: https://resources.infosecinstitute.com/nmap/#gref
PAESSLER, 2018. PAESSLER. [Online] Available at: https://www.paessler.com/it-explained/ping
TechTarget, 2018. TechTarget. [Online] Available at: https://searchsecurity.techtarget.com/definition/intrusion-detection-system