
Assignment 1 1623 Security Merit


DOCUMENT INFORMATION

Basic information

Title: Security
Author: Tran Duc Long
Supervisor: Ha Trong Thang
Institution: Btec
Field: Computing
Type: assignment
Year published: 2023
Format:
Pages: 96
Size: 2,06 MB

Structure

  • Task 1 Identify types of security threat to organisations. Give an example of a recently publicized (9)
    • 1. Define threats (9)
    • 2. Identify threat agents to organizations (10)
      • 2.1. User Domain (11)
      • 2.2. Wan Domain (12)
      • 2.3. Work Station Domain (13)
      • 2.4. Lan Domain (14)
      • 2.5. Lan to Wan Domain (14)
      • 2.6. Remote Access Domain (15)
      • 2.7. System/Application Domain (16)
    • 3. List types of threats that organizations will face (16)
      • 3.1. Viruses (16)
      • 3.2. Worms (17)
      • 3.3. Trojans (17)
      • 3.4. Concealment (18)
      • 3.5. Collect data (19)
    • 4. What are the recent security breaches? List and give examples with dates (21)
      • 4.1. Microsoft were hacked by Lapsus$ extortion group on March, 2022 (21)
      • 4.2. Block Confirms Cash App Data Breach on April 2022 (21)
      • 4.3. Former Amazon Employee Convicted for Capital One Breach on June, 2022 (22)
    • 5. Discuss the consequences of this breach (22)
      • 5.2. Block Confirms Cash App Data Breach on April 2022 (23)
      • 5.3. Former Amazon Employee Convicted for Capital One Breach on June, 2022 (23)
    • 6. Suggest solutions to organizations (24)
      • 6.1. Microsoft were hacked by Lapsus$ extortion group on March, 2022 (24)
      • 6.2. Block Confirms Cash App Data Breach on April 2022 (25)
      • 6.3. Former Amazon Employee Convicted for Capital One Breach on June, 2022 (27)
  • Task 2 Describe at least 3 organisational security procedures (P2) (29)
    • 1. Change Control Procedures (29)
    • 2. Incident handling Procedures (30)
    • 3. Anti-virus procedures (32)
  • Task 2.1 Propose a method to assess and treat IT security risks (M1) (34)
    • 1. Discuss methods required to assess security threats? E.g., Monitoring tools (34)
      • 1.1. Vendor-provided tools (34)
      • 1.2. Breach and attack simulation tool (BAS) (37)
      • 1.3. Vulnerability Assessment scanning tools (38)
    • 2. What is the current weakness or threats of an organization? (40)
      • 2.1. Leadership Shapes the Cyber Security Culture (41)
      • 2.2. Cyber Security Challenges (41)
      • 2.3. Cybercriminal Targets (41)
      • 2.4. Popular Cyberattacks (42)
    • 3. What tools will you propose to treat IT security risks? (42)
      • 3.1. What Is the OCTAVE Threat Model? (43)
      • 3.2. Benefits of the OCTAVE Threat Model (43)
      • 3.3. How to Implement the OCTAVE Threat Model (44)
      • 3.4. The Three Phases of Implementation (44)
      • 3.5. Common Techniques to Utilize (45)
      • 3.6. Best Practices to Follow (46)
  • Task 3 Identify the potential impact to IT security of incorrect configuration of firewall policies and IDS (P3) (46)
    • 1. Discuss briefly firewalls and policies, their usage and advantages in a network (46)
      • 1.1. Firewalls (46)
      • 1.2. Firewall Policies (47)
      • 1.3. Firewall benefit (48)
    • 2. How does a firewall provide security to a network? (49)
    • 3. Show with diagrams the example of how firewall works (50)
    • 4. Define IDS, its usage, and show it with diagrams examples (51)
      • 4.1. Define Intrusion Detection System (IDS) (51)
      • 4.2. IDS filter rules and advantages IDS (51)
      • 4.3. Show with diagrams the example of how IDS works (52)
    • 5. Write down the potential impact (Threat-Risk) of a firewall and IDS if they are incorrectly (53)
      • 5.1. Comparison of IDS with Firewalls (53)
      • 5.2. Impact of incorrect configuration of Firewalls (54)
      • 5.3. Impact of incorrect configuration of IDS (54)
      • 5.4. Conclusion (55)
  • Task 4 Show, using an example for each, how implementing a DMZ, static IP and NAT in a network can (56)
    • 1. Define and discuss with the aid of diagram DMZ. Focus on its usage and security function as (56)
      • 1.1. Define (56)
      • 1.2. How does a DMZ Network work (57)
      • 1.3. Diagram of DMZ and explain (57)
      • 1.4. Benefit of DMZ (59)
      • 1.5. The Importance of DMZ Networks: How Are They Used? (59)
      • 1.6. How DMZ can improve network security (60)
    • 2. Define and discuss with the aid of diagram static IP. Focus on its usage and security function as advantage (61)
      • 2.1. Define (61)
      • 2.2. How static IP address work? (61)
      • 2.3. Diagram of static IP and explain (62)
      • 2.4. Benefit of static IP address (63)
      • 2.5. Security (64)
      • 2.6. How static IP can improve network security? (64)
    • 3. Define and discuss with the aid of diagram NAT. Focus on its usage and security function as (65)
      • 3.1. Define (65)
      • 3.2. How does Network Address Translation work? (66)
      • 3.3. Diagram of NAT and explain (66)
      • 3.4. Network Address Translation (NAT) types (67)
      • 3.5. Benefit of NAT (68)
      • 3.6. Security (69)
  • Task 4.1 Discuss three benefits to implement network monitoring systems with supporting reasons (M2) (70)
    • 1. List some of the networking monitoring devices and discuss each of them (70)
      • 1.1. What is networking monitoring? (70)
      • 1.2. Some of the networking monitoring devices (71)
    • 2. Why do you need to monitor networks? (79)
      • 2.1. Have visibility and command (79)
      • 2.2. Improve network dependability (79)
      • 2.3. Increasing profitability (80)
      • 2.4. Increase performance through understanding capacity (80)
      • 2.5. Maintain corporate compliance (80)
    • 3. What are the benefits of monitoring a network? (80)
      • 3.1. Network Visibility (80)
      • 3.3. Preventing Downtime (81)
      • 3.4. Finding and Fixing Problems Quickly (81)
      • 3.5. Uncovering Security Threats (81)
      • 3.6. Monitoring Bandwidth Utilization (82)
      • 3.7. Capacity Planning (82)
      • 3.8. Deploying New Technologies (82)
      • 3.9. Freeing Up IT Teams (82)
      • 3.10. Producing Return on Investment (83)
      • 3.11. Choosing the Right Network Monitoring Solution (83)
  • Task 4.1.1 Investigate how a ‘trusted network’ may be part of an IT security solution (D1) (83)
    • 1. Discuss and explain what are trusted network (83)
    • 2. Give brief details with an example on its uses (85)
    • 3. How can it be a solution in IT security? (88)

Contents

This exercise earns Merit points in cyber security. This exercise covers how to use the network safely, how to write academic papers, security risks, perceptions of cyber attacks, and stakeholders in cyber security solutions.

Identify types of security threat to organisations. Give an example of a recently publicized

Define threats

The present-day security of data and information stored on computers and digital devices faces an unprecedented array of attack types, with the frequency of threats and assaults steadily increasing each day. The sections within this segment delineate these various threats.

Subsequent chapters will delve into network security principles and tools essential for thwarting or safeguarding against such attacks (Ciampa, 2015).

Software attacks encompass viruses, worms, Trojan horses, and other forms of malware. Although often confused as interchangeable terms by consumers, it is crucial to recognize that they are distinct entities. The only shared trait among them is their malicious nature, as they each operate in unique ways.

Malware refers to software that infiltrates a computer system without the user's awareness or approval, carrying out undesired and typically detrimental activities. In essence, malware utilizes a threat vector to introduce a malevolent "payload," which executes harmful functions upon activation. Nevertheless, in common usage, malware serves as a broad term encompassing various destructive software programs (Ciampa, 2015).

Identify threat agents to organizations

Threat actors encompass individuals or entities that present a risk to an organization. It's essential to identify these actors before proposing the appropriate countermeasures. The effectiveness of the strategies to counter them largely relies on their accurate identification (Ciampa, 2015).

Below are several examples of threat actors that can jeopardize organizations:

• Hackers: Hackers refer to individuals or collectives aiming to achieve unauthorized entry into an organization's computer system or network by exploiting security weaknesses. These hackers can engage in various activities, such as data theft, causing damage to computer systems or networks, or disrupting business activities.

• Cyber criminals: Cybercriminals are individuals or groups with the intent to perpetrate unlawful actions through computers or computer networks. Their activities encompass a wide range, including financial theft, fraudulent schemes, and the dissemination of malicious software.

• Nation-state adversaries: Nation-state adversaries refer to governments or entities aiming to inflict harm upon other organizations or nations through the utilization of computers or computer networks. These adversaries engage in various activities, such as espionage, acts of sabotage, or launching cyberattacks.

• Physical threats: Physical threats entail risks that inflict damage upon a computer system or network through tangible methods, including causing harm to property, severing internet connections, or targeting electrical grids.

• Social engineering threats: Social engineering threats encompass attempts to deceive users into divulging confidential information or engaging in detrimental actions. Examples include phishing, spoofing, and attacks via social media.

Dangers will impact all seven domains within a standard IT infrastructure:

The User Domain pertains to individuals utilizing an organization's information system. The User Realm's role and objective involve facilitating users in accessing systems, applications, and data within the confines of their designated access privileges. The responsibility of utilizing company IT resources lies with the staff members. The Human Resources department of a company holds the accountability of conducting essential background checks on employees. Specific measures need to be implemented for individuals who will be accessing sensitive information (David Kim, Michael G. Solomon,

Within the User Domain, various threat agents pose risks to the organization, including:

• Users introducing personal CDs/USBs

• Intentional destruction of systems, applications, and data by users

• Disgruntled employees launching attacks or engaging in sabotage against the organization

• Employee involvement in blackmail or extortion

The Wide Area Network (WAN) Domain serves as the connection between remote locations. As network expenses decrease, organizations are able to invest in quicker Internet and WAN connections. The duties of the WAN Domain encompass both the physical components and the logical arrangement of routers and communication devices. Among the divisions within an IT infrastructure, it stands as the second most challenging sector to safeguard (David Kim, Michael G. Solomon, 2018).

Responsibilities within the WAN Domain are overseen by either the network engineer or the WAN group. This encompasses both cognitive and physical aspects. Network engineers and security experts implement the indicated security measures following established regulations. It's worth noting that numerous organizations now opt for service providers to manage their WAN and routers due to the intricate nature of IP network engineering. These services come with SLAs guaranteeing system availability and swift problem resolution. In cases of WAN connection disruptions, customers can reach the service provider's network operations center (NOC) via a toll-free number.

In terms of accountability, the IT network manager within your company bears the responsibility of maintaining, updating, and offering technical support for the WAN Domain. Typically, the IT security director ensures the organization's compliance with WAN regulations.

Within the WAN Domain (Internet), there exist threat agents that pose risks to organizations, including:

• Accessibility to open, public connections, accessible to anyone wishing to connect

• Clear text transmission of most Internet traffic

• Vulnerability to eavesdropping and malicious attacks

• Susceptibility to DoS, DDoS, TCP SYN flooding, and IP spoofing attacks

• Prone to data and information corruption, especially with inherently unsafe TCP/IP programs (like HTTP, FTP, TFTP)

• Receipt of Trojan, worm, and malicious software-laden emails from hackers and attackers

Furthermore, within the WAN Domain (Connectivity), there are threat agents as well, including:

• Mixing of WAN IP traffic on the same router and infrastructure as the service provider

• Maintenance of high WAN service availability

• Enhancement of WAN throughput and performance

• Potential malicious use of SNMP network management tools and protocols (ICMP, Telnet, SNMP, DNS, etc.)

• Continuous SNMP alerts and year-round security monitoring

Any apparatus that links to your network holds the potential to function as a workstation, encompassing devices like desktop computers, laptops, specialized terminals, and more. Workstation PCs frequently come in the forms of thin clients or thick clients. A thin client is software or a computer that operates within a network, devoid of a hard drive, relying entirely on a server for processing, data, and applications. Thin clients are commonly utilized in environments such as libraries, schools, and large corporations. In contrast, a thick client boasts hardware with richer features, including a hard drive, and manages data and applications locally, transmitting files to the server only for storage. A thick client resembles a traditional PC. Additionally, devices like personal digital assistants (PDAs), cellphones, and tablet computers can also serve as workstations (David Kim, Michael G. Solomon, 2018).

The Work Station Domain shoulders responsibilities such as hardware configuration, system fortification, and verification of antivirus files to ensure the integrity of both data and user workstations. The task of enforcing policy compliance within the Workstation Domain lies with the IT Security Director.

Within the Work Station Domain, there exist threat agents that pose risks to organizations, including:

• Unauthorized access to applications, systems, and data

• Vulnerabilities within the operating systems of desktops or laptops

• Potential flaws or updates within desktop or laptop applications

• Presence of malware, encompassing viruses and malicious software

• Introduction of CDs, DVDs, or USBs containing personal files

• Users acquiring images, music, or videos

A cluster of computers interlinked with one another or connected to a shared medium constitutes a local area network (LAN). Various connection methods such as wires, fiber-optic cables, and radio waves can be employed for networking purposes. LANs are typically organized based on departments or specific functions. Once established, computers gain the ability to access systems, applications, potentially the Internet, and data (David Kim, Michael G. Solomon, 2018).

Roles and responsibilities—The LAN Domain encompasses both logically configured services for users and the physical components of the network. Oversight of physical elements includes tasks like managing cabling, network interface cards (NICs), LAN switches, and wireless access points (WAPs). The administration of the LAN system entails maintaining comprehensive lists of user accounts and their corresponding access rights. In the LAN Domain, the implementation of two-step authentication might be necessary. Similar to a gate requiring two keys, this method demands users to verify their identity twice, effectively reducing the risk of unauthorized physical entry.

Management of the LAN Domain falls under the purview of the LAN support group, encompassing both cognitive and physical aspects.

Accountability: The LAN manager holds the responsibility for optimizing the efficiency and dependability of data within the LAN Domain. Generally, the Director of IT Security ensures the LAN Domain's adherence to established policies.

Within the LAN Domain, there exist threat agents that pose risks to organizations, including:

• Ensuring data confidentiality within WLANs

• Adhering to LAN server configuration guidelines and standards

• Preventing unauthorized physical access to the LAN

• Curtailing unauthorized access to systems, applications, and data

• Addressing vulnerabilities in LAN server operating systems

• Managing vulnerabilities in LAN server application software and software patch updates

The LAN-to-WAN Domain marks the point at which the IT infrastructure connects to a wide area network and the Internet.

Roles and responsibilities within the LAN-to-WAN Domain encompass both the physical components and the logical arrangement of security apparatus. This domain represents one of the most challenging aspects of an IT system to secure, as security measures must be upheld while granting users the necessary access. Managing the physical components is crucial to ensure uncomplicated service access, and the security appliances must be configured logically to align with policy definitions (David Kim, Michael G. Solomon, 2018).

The network security team bears the responsibility for the LAN-to-WAN Domain, encompassing both cognitive and physical aspects. Group members are tasked with implementing the prescribed security controls.

List types of threats that organizations will face

In this section we will explore computer viruses. A computer virus is malicious code that self-replicates on a computer without human involvement. It has the ability to infect executable program files or data files, including macro viruses written in macro scripts. It is essential to note that "virus" and "malware" are sometimes incorrectly used interchangeably, despite a virus being just one form of malware. Numerous file types on Microsoft Windows have the potential to be susceptible to a virus infection. Figure 3 enumerates several of the 70 diverse file types found on Microsoft Windows that have the potential to be infected by a virus (Ciampa, 2015).

Figure 3: Windows file types that can be infected

A worm is a malicious program that propagates across computer networks by exploiting vulnerabilities in applications or operating systems. Once it gains access to a computer, it seeks out other vulnerable systems within the network to infect.

An example of an early worm occurred in 1988, impacting approximately 10% of internet-connected devices at that time. It capitalized on a misconfiguration and attempted to ascertain user passwords. Early worms primarily aimed at rapid dissemination without causing significant damage. However, modern worms can be more pernicious, leaving behind a harmful payload on infected systems, similar to viruses. These actions may involve deleting files or enabling remote control of the computer by an attacker.

The primary distinction between viruses and worms lies in their replication behavior. Viruses reproduce solely on the host computer and do not spread to other computers, whereas worms self-replicate and disseminate from one computer to another via networks (Ciampa, 2015).

A computer Trojan horse, often referred to as a Trojan, is a type of executable program that deceives users by appearing harmless while carrying out malicious actions. For instance, a user might download a program advertised as a calendar application, but upon installation, it not only sets up the calendar but also secretly installs malware. This malicious software scans the system for sensitive data like credit card numbers and passwords, connects to a remote system through the network, and then transmits the stolen information to the attacker.

Unlike viruses that infect systems without user awareness or consent, a Trojan program is knowingly installed on the computer by the user. The true danger lies in the Trojan's ability to conceal its malevolent payload (Ciampa, 2015).

Figure 4: Difference between viruses, worms and Trojans

We will discuss a particular kind of malware that possesses the ability to evade detection, specifically focusing on hidden malware associated with music CDs. In 2005, Sony BMG Music Entertainment gained attention when it covertly installed concealed software on computers playing their music CDs. This software, known as a rootkit, was intended to prevent CD copying. The rootkit established a hidden directory, installed its own device driver on the computer, redirected normal functions to Sony's routines, and remained hidden from users and the system.

A rootkit comprises a collection of software tools used to hide the actions or presence of other types of software, whether harmless or malicious. Initially, the term "rootkit" referred to modified tools in the UNIX operating system that enabled attackers to gain root privileges and conceal malicious software. Today, rootkits are not limited to UNIX systems and are found across various operating systems.

Figure 5: Computer infected with rootkit

Rootkits can manipulate the operating system to disregard evidence of their malicious activities. For instance, they might replace or modify operating system files to present false information to scanning software, ensuring that the malicious files stay concealed. This grants the rootkit control over the computer, making it untrustworthy for users as it disguises its operations (Ciampa, 2015).

Various categories of malware are specifically crafted to obtain essential data from the user's computer and transfer it to the attacker. Such malware comprises spyware, adware, and ransomware.

Spyware is a broad term referring to software that covertly monitors users, gathering information without their knowledge or consent. According to the Anti-Spyware Coalition, spyware encompasses tracking programs installed on computers without adequate notice, consent, or user control. This software utilizes the computer's resources, including pre-existing programs, to collect and share personal or sensitive data. Figure 6 provides a list of various technologies employed by spyware (Ciampa,

Figure 6: Technologies used by spyware

Adware is a form of malware that delivers advertising content in an unexpected and unwelcome manner to users. After installation, it commonly presents advertising banners, popup ads, or opens new web browser windows at random times. Users often dislike adware due to several reasons:

• Adware may display objectionable content, such as gambling sites or pornography

• Frequent popup ads can disrupt a user's productivity

• Popup ads can slow down a computer or even lead to crashes and data loss

• Unwanted advertisements can be a nuisance to users

Ransomware is among the most recent and rapidly expanding forms of malware. It works by disabling a user's device until a ransom is paid. One variation of ransomware locks the user's computer and presents a message purportedly from a law enforcement agency. This message, designed with official-looking visuals, accuses the user of illegal actions like downloading pornography and demands an immediate fine payment online, requiring the entry of a credit card number. The computer remains "held hostage" and locked, except for the numeric keys on the keyboard, until the ransom is paid. Figure 2-6 illustrates a ransomware message from the Symantec website in its Security Response Center (Ciampa, 2015).

What are the recent security breaches? List and give examples with dates

4.1 Microsoft were hacked by Lapsus$ extortion group on March, 2022

On March 20, 2022, the hacker group Lapsus$ claimed to have breached Microsoft and shared a screenshot of their alleged infiltration on their Telegram channel. The screenshot, obtained from Azure DevOps, a Microsoft collaboration platform, suggested that their intrusion had affected Bing, Cortana, and other projects.

Microsoft confirmed the attacks on March 22 through a statement. They clarified that only one account was compromised, and their security team quickly halted the attack before Lapsus$ could delve deeper into their systems.

In their statement, Microsoft's security team characterized Lapsus$ as a "large-scale social engineering and extortion effort targeting several enterprises, with some potential harmful aspects." They revealed that they had been closely monitoring Lapsus$ before the incident, implying prior research on the group.

On the other hand, Lapsus$ consistently emphasizes their financial motives, stating, "Remember, our primary aim is money, and our motivations are not political." They seem to exploit insider threats and have recently released a message encouraging tech workers to breach their own companies (Abrams, 2022).

4.2 Block Confirms Cash App Data Breach on April 2022

In an SEC statement on April 4, 2022, Block (formerly known as Square) disclosed that Cash App experienced a security breach in December 2021, caused by a former employee. The breach led to the exposure of customers' identities, brokerage account numbers, and other information, including portfolio value and stock trading activities.

While the total number of affected consumers has not been specified by Block, they are currently in the process of notifying more than 8 million customers about the incident.

As per the information disclosed so far, no other personally identifiable data or account credentials were compromised as a result of the breach (Cowley, 2022).

4.3 Former Amazon Employee Convicted for Capital One Breach on June, 2022

In June 2022, Paige Thompson, a former Amazon employee, was convicted for her involvement in the 2019 Capital One breach. While working at Amazon Web Services, Thompson exploited her knowledge of cloud server vulnerabilities at Capital One and more than 30 other companies. Overall, she stole personal information from over 100 million individuals, including names, dates of birth, and social security numbers.

The defense team portrayed Thompson as an ethical hacker who sought to alert companies about vulnerabilities before malicious actors could exploit them. However, the U.S. Department of Justice disagreed, highlighting that Thompson failed to notify the breached companies, bragged about the incident on hacker forums using the alias "erratic," and profited from the breach by installing cryptomining software on many of the hacked servers. As assistant U.S. attorney Andrew Friedman emphasized in his closing arguments, "She wanted data, she wanted money, and she wanted to brag."

Following ten hours of deliberation, a Seattle jury found Thompson guilty of wire fraud, five counts of unauthorized access to a protected computer, and damaging a protected computer. However, she was not found guilty of access device fraud and aggravated identity theft. Thompson could face a potential sentence of up to 45 years in prison.

Capital One was also held accountable for the incident as their security practices were found to be lacking. The Office of the Comptroller of the Currency fined Capital One $80 million, and the company settled an additional class action lawsuit for $190 million (Heiligenstein, 2023).

Discuss the consequences of this breach

5.1 Microsoft were hacked by Lapsus$ extortion group on March, 2022

Microsoft has verified that a member of their staff fell victim to the Lapsus$ hacking group, enabling the threat actors to gain access to and pilfer parts of the company's source code. The Lapsus$ gang subsequently released 37GB of stolen source code from Microsoft's Azure DevOps server, which includes source code for several internal projects like Bing, Cortana, and Bing Maps. The breach also impacted some of Microsoft's customers and partners, including Okta. This incident may lead to several potential consequences:

• Microsoft's intellectual property and trade secrets could be exposed or exploited by competitors or malicious actors

• The breach and the ransom demand may tarnish Microsoft's reputation and erode trust among stakeholders

• Microsoft's customers and partners could face security risks or legal liabilities if their data or systems were compromised in the hack

• Microsoft might face regulatory investigations or lawsuits for failing to safeguard its data or timely notify its stakeholders about the breach (Abrams, 2022)

5.2 Block Confirms Cash App Data Breach on April 2022

Cash App experienced a data breach when a former employee downloaded reports containing some U.S. customer information. The company, now known as Block (formerly Square), disclosed that 8.2 million of its current and former customers were impacted. The compromised data included names, email addresses, phone numbers, account numbers, and transaction histories. Block promptly informed the affected customers and offered them free identity protection services.

Potential consequences of the breach may include:

• The customers' personal and financial information could be misused by the hackers or third parties for identity theft, fraud, phishing, or other malicious purposes

• Customers may lose trust in Cash App's security measures, leading them to switch to alternative payment services or platforms

• The company might face legal actions, regulatory investigations, fines, or penalties from authorities or customers due to its failure to safeguard the data or timely notify about the breach (Cowley, 2022)

• The company's reputation could suffer, resulting in the loss of revenue, customer loyalty, and market share as a consequence of the breach

5.3 Former Amazon Employee Convicted for Capital One Breach on June, 2022

Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency. She exposed about 120,000 Social Security numbers and 77,000 bank account numbers.

The breach of CapitalOne’s cloud data, much of it stored on Amazon’s cloud, was one of the biggest hacks of the decade by size alone but also because of the sensitivity of the financial information. CapitalOne’s security chief was replaced a short time after the breach became public, and in 2020 the banking giant was fined $80 million by U.S. federal regulators and ordered to improve its cybersecurity defenses; it was later ordered by a judge to pay close to $200 million in class action damages. CapitalOne made $28.6 billion in revenue during 2019, the year of its breach (Heiligenstein, 2023).

Suggest solutions to organizations

6.1 Microsoft were hacked by Lapsus$ extortion group on March, 2022

Addressing the consequences of a significant cyber-attack like the one Microsoft faced requires a comprehensive and well-planned approach. Here are some steps that Microsoft could take to mitigate the impact of the Lapsus$ hacking incident and enhance their cybersecurity measures:

• Strengthen Cybersecurity Defenses:
  o Conduct a thorough review of existing cybersecurity measures and infrastructure to identify vulnerabilities and weaknesses.
  o Implement multi-factor authentication (MFA) for all accounts to reduce the risk of unauthorized access.
  o Regularly update and patch software and systems to address known vulnerabilities.
  o Enhance monitoring and detection capabilities to identify and respond to potential threats more effectively.

• Improve Insider Threat Mitigation:
  o Review internal security policies and access controls to minimize the risk of insider threats.
  o Conduct regular security awareness training for employees to educate them about potential risks and ways to avoid falling victim to social engineering tactics.
  o Implement a system to flag and investigate suspicious activities within the organization promptly.

• Collaborate with Law Enforcement:
  o Work closely with law enforcement agencies to investigate the hacking incident and bring the perpetrators to justice.
  o Share relevant information about the attack with law enforcement to aid in the investigation.

• Engage in Transparent Communication:
  o Be transparent with customers, partners, and stakeholders about the security incident and its impact.
  o Provide timely updates on the steps taken to address the breach and prevent future occurrences.
  o Rebuild trust by demonstrating a commitment to cybersecurity and protecting data.

• Strengthen Legal and Regulatory Compliance:
  o Review and update data protection and privacy policies to ensure compliance with relevant laws and regulations.
  o Cooperate with regulatory authorities and provide necessary information during any investigations.

• Enhance Incident Response and Contingency Plans:
  o Review and improve the incident response plan to handle future cybersecurity incidents more effectively.
  o Test the plan through regular simulations and exercises to ensure preparedness.
  o Develop a robust contingency plan to minimize the impact of potential future attacks.

• Monitor Dark Web and Hacking Forums:
  o Keep an eye on dark web and hacker forums to monitor any potential threats or discussions related to the company.
  o Proactively respond to any indications of future attacks targeting the organization.

• Strengthen Partnerships and Information Sharing:
  o Collaborate with other tech companies and organizations to share threat intelligence and best practices in cybersecurity.
  o Engage with industry forums and organizations to stay updated on emerging threats and security trends.

• Invest in Cybersecurity Research and Development:
  o Allocate resources to research and development for innovative cybersecurity technologies and solutions.
  o Stay ahead of cybercriminals by constantly upgrading and improving security measures.

By implementing these measures, Microsoft can demonstrate its commitment to cybersecurity, protect its intellectual property, rebuild trust among stakeholders, and enhance its resilience against future cyber threats. It is important to note that cybersecurity is an ongoing process, and continuous vigilance and improvement are essential to staying ahead of evolving threats.

6.2 Block Confirms Cash App Data Breach in April 2022

Addressing the consequences of a data breach is a critical task for Block (formerly Square) to protect its customers and reputation. Here are some steps the company could take to mitigate the impact of the breach and strengthen its cybersecurity measures:

• Conduct a Thorough Investigation:
  o Conduct a detailed investigation to understand the extent and cause of the data breach fully.
  o Identify the specific vulnerabilities that led to the breach and address them to prevent similar incidents in the future.

• Notify and Assist Affected Customers:
  o Continue notifying all affected customers promptly about the breach and the types of data exposed.
  o Offer free identity protection services, credit monitoring, or other appropriate assistance to help customers safeguard their personal and financial information.

• Enhance Cybersecurity Measures:
  o Evaluate and upgrade the company's cybersecurity infrastructure and protocols to better safeguard customer data.
  o Implement robust access controls and authentication mechanisms to prevent unauthorized access to sensitive information.
  o Encrypt customer data, both in transit and at rest, to add an extra layer of protection.

• Conduct Security Awareness Training:
  o Conduct security awareness training for all employees to educate them about the risks of data breaches and the importance of safeguarding sensitive information.
  o Reinforce the need to follow best practices in data security and handling customer data responsibly.

• Strengthen Insider Threat Mitigation:
  o Review and improve the company's insider threat mitigation strategies to prevent data breaches caused by employees or former employees.
  o Limit access to sensitive information to only essential personnel, and monitor access to detect any suspicious activities.

• Engage with Regulatory Authorities:
  o Cooperate fully with regulatory authorities and law enforcement agencies during any investigations into the data breach.
  o Provide all necessary information and documentation as required by the authorities.

• Transparent Communication:
  o Maintain open and transparent communication with customers, stakeholders, and the public regarding the incident and the actions taken to address it.
  o Provide regular updates on the progress of investigations and security enhancements.

Describe at least 3 organisational security procedures (P2)

Change Control Procedures

Change control procedures are designed to enforce adherence to the correct steps when implementing changes, thereby preventing issues like scope creep, where unauthorized modifications can infiltrate a system. These procedures also safeguard against problems arising from inadequate oversight, insufficient testing, or changes made without proper authorization. In FIGURE 8, a sequential representation of change control procedures is depicted (David Kim, Michael G. Solomon, 2018).

• Request—In the initial phase of the process, it is crucial to document all intended alterations comprehensively and formally present the change request to the change control committee for evaluation. Under no circumstances should any modifications be made to the system without obtaining proper approval.

• Impact assessment—The stage of impact assessment involves analyzing the consequences of the change on the budget, resources, and security of the system or project.

• Approval—The approval phase, or in certain instances the disapproval phase, entails the official examination and acceptance or rejection of the change by the change control committee.

• Build/test—The build/test phase involves the physical implementation or construction of the approved change document. Subsequently, it is imperative to conduct thorough testing to verify that the change does not create unforeseen issues for other systems or components. This testing process may encompass regression testing and a comprehensive evaluation of the modified product's security aspects.

• Implement—After conducting the necessary testing and granting approval for implementation, you can proceed to schedule the installation process. During this phase, the implementation adheres to a sound separation of duties, ensuring that no individual can make the change without undergoing appropriate review and supervision. The last step involves notifying management of the successful completion of the change.

• Monitor—In this phase, it is essential to oversee all systems diligently, verifying the proper functioning of the system, program, network, and other resources. Addressing user concerns or requests should be done according to your organization's problem resolution protocols. Through monitoring, potential requirements for future changes may be identified, thus initiating a fresh cycle of the change control process.
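To make the sequence concrete, here is an added example (not from the cited textbook) that encodes the six phases above as a small Python workflow in which each step is reachable only from the one before it, and the approver and the implementer must be different people from the requester; the committee members, role names and sample changes are assumptions.

```python
"""Change control workflow with separation-of-duties enforcement.

Added illustrative code, not from Kim & Solomon (2018): it encodes the
Request -> Impact assessment -> Approval -> Build/test -> Implement -> Monitor
sequence described above. Committee members, role names and the sample
changes are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


class ChangeControlError(Exception):
    """A step was attempted out of order or violates the control policy."""


@dataclass
class ChangeRequest:
    change_id: str
    description: str
    requester: str
    phase: str = "request"
    impact: Optional[Dict[str, str]] = None
    approver: Optional[str] = None
    approved: Optional[bool] = None
    tests_passed: Optional[bool] = None
    implementer: Optional[str] = None
    history: List[str] = field(default_factory=list)

    def advance(self, expected: str, new_phase: str, note: str) -> None:
        """Move to the next phase only from the phase that must precede it."""
        if self.phase != expected:
            raise ChangeControlError(f"{self.change_id}: in phase {self.phase!r}, not {expected!r}")
        self.phase = new_phase
        self.history.append(note)


class ChangeControlBoard:
    def __init__(self, committee: Set[str]):
        self.committee = committee
        self.notifications: List[str] = []  # messages sent to management

    def submit(self, change_id: str, description: str, requester: str) -> ChangeRequest:
        # Request: nothing proceeds without a documented change request.
        if not description.strip():
            raise ChangeControlError("a change request must be documented")
        cr = ChangeRequest(change_id, description, requester)
        cr.history.append(f"requested by {requester}")
        return cr

    def assess_impact(self, cr: ChangeRequest, budget: str, resources: str, security: str) -> None:
        # Impact assessment: consequences for budget, resources and security.
        cr.impact = {"budget": budget, "resources": resources, "security": security}
        cr.advance("request", "impact_assessment", "impact assessed")

    def decide(self, cr: ChangeRequest, member: str, approve: bool) -> None:
        # Approval: only a committee member who is not the requester may decide.
        if member not in self.committee:
            raise ChangeControlError(f"{member} is not on the change control committee")
        if member == cr.requester:
            raise ChangeControlError("a requester may not approve their own change")
        cr.approver, cr.approved = member, approve
        cr.advance("impact_assessment", "approval", f"{'approved' if approve else 'rejected'} by {member}")

    def build_and_test(self, cr: ChangeRequest, tests_passed: bool) -> None:
        # Build/test: only approved changes are built, then regression-tested.
        if not cr.approved:
            raise ChangeControlError("only an approved change may be built")
        cr.tests_passed = tests_passed
        cr.advance("approval", "build_test", "tests passed" if tests_passed else "tests failed")

    def implement(self, cr: ChangeRequest, implementer: str) -> None:
        # Implement: separation of duties, then notify management on completion.
        if not cr.tests_passed:
            raise ChangeControlError("a change whose tests failed may not be implemented")
        if implementer in (cr.requester, cr.approver):
            raise ChangeControlError("implementer must differ from requester and approver")
        cr.implementer = implementer
        cr.advance("build_test", "implement", f"implemented by {implementer}")
        self.notifications.append(f"management: change {cr.change_id} completed")

    def monitor(self, cr: ChangeRequest, issues_found: bool) -> Optional[str]:
        # Monitor: problems observed afterwards start a fresh request cycle.
        cr.advance("implement", "monitor", "monitoring")
        return f"{cr.change_id}-followup" if issues_found else None


def demo() -> Dict[str, object]:
    """Walks a constructed change through every phase, then probes a policy violation."""
    board = ChangeControlBoard(committee={"alice", "bob"})
    cr = board.submit("CR-101", "Enable MFA on the VPN gateway", requester="carol")
    board.assess_impact(cr, "low", "2 engineer-days", "reduces account-takeover risk")
    board.decide(cr, member="alice", approve=True)
    board.build_and_test(cr, tests_passed=True)
    board.implement(cr, implementer="dave")
    followup = board.monitor(cr, issues_found=False)

    cr2 = board.submit("CR-102", "Open TCP/8443 on the DMZ firewall", requester="alice")
    try:
        board.decide(cr2, member="alice", approve=True)  # requester approving own change
        self_approval_blocked = False
    except ChangeControlError:
        self_approval_blocked = True
    return {"final_phase": cr.phase, "history": cr.history, "followup": followup,
            "notified": board.notifications, "self_approval_blocked": self_approval_blocked}
```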

Incident handling Procedures

Incident handling is a systematic approach used by organizations to manage and respond to cybersecurity incidents effectively. The process involves various stages, each with its specific objectives and actions (David Kim, Michael G. Solomon, 2018).

Let's go through each step:

This stage involves establishing a robust incident response plan before any incidents occur. Key activities include:
  o Creating an incident response team (IRT): Assembling a team of individuals with specific roles and responsibilities in incident response, including technical experts, management representatives, legal counsel, and communication specialists.
  o Defining the incident categories and severity levels: Creating a taxonomy of incident types and their corresponding levels of severity to ensure appropriate responses.
  o Identifying critical assets and systems: Identifying the most valuable assets and systems within the organization to prioritize their protection and response.
  o Developing incident response procedures: Creating detailed step-by-step procedures for each type of incident that may occur, outlining actions to be taken by the response team.
  o Conducting training and exercises: Regularly training the incident response team and conducting simulated exercises to test the effectiveness of the response plan.

This stage involves recognizing and determining if an incident has occurred. Key activities include:
  o Incident detection: Employing security monitoring tools, intrusion detection systems, and other technologies to detect and alert on potential incidents.
  o Incident validation: Verifying the authenticity and impact of the incident to eliminate false positives.
  o Logging and documentation: Collecting relevant logs and data related to the incident for analysis and future reference.

Once an incident has been identified and validated, the incident response team must be notified promptly. Key activities include:
  o Internal communication: Notifying the incident response team and relevant stakeholders within the organization about the incident.
  o External communication (if required): For significant incidents or those that involve third-party organizations, notifying external entities such as law enforcement, partners, or customers may be necessary.

In this stage, the incident response team takes action to mitigate and contain the incident. Key activities include:
  o Containment: Isolating affected systems or segments to prevent the incident from spreading further.
  o Eradication: Identifying the root cause of the incident and removing all traces of the threat from the affected systems.
  o Recovery: Restoring affected systems and data to normal operation.

After the incident has been contained and eradicated, the organization focuses on returning to normal operations and conducting a post-incident analysis. Key activities include:
  o Business continuity: Ensuring that critical business processes are restored and operational.
  o Lessons learned: Conducting a thorough post-incident analysis to identify weaknesses in the response process and update the incident response plan accordingly.
  o Documentation: Recording all actions taken during the incident response process, including the incident details, actions taken, and lessons learned.

Documentation is essential throughout the incident handling process. It involves creating and maintaining records of all relevant incident-related information, including:
  o Incident details: The time and date of the incident, the type of incident, the affected systems, and any initial actions taken.
  o Actions taken: A comprehensive record of all steps taken during the identification, containment, eradication, and recovery stages.
  o Analysis and findings: The results of the post-incident analysis, including the root cause of the incident and any identified vulnerabilities.
  o Lessons learned: A summary of the key takeaways and recommendations for improving the incident response plan.

Effective documentation ensures that the organization has a historical record of incidents, enabling better analysis and learning from past experiences. It also assists in legal and regulatory compliance and can be used for training purposes.

In summary, incident handling is a structured process consisting of preparation, identification, notification, response, recovery, and follow-up steps. Each stage plays a crucial role in mitigating the impact of cybersecurity incidents and improving the organization's overall security posture. Proper documentation throughout the process ensures a comprehensive understanding of incidents and enables continuous improvement in incident response capabilities.
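The identification stage (detection, validation, and logging) as an added example that is not part of the original text or its source: a small Python pipeline runs a failed-login burst detector over constructed sshd-style log lines, drops the alert that validation shows to be a legitimate user mistyping a password, and fills in the documentation fields listed above for the alert that survives. The log lines, threshold, window and severity taxonomy are all constructed.

```python
"""Identification stage of incident handling: detect, validate, document.

Added example, not from Kim & Solomon (2018). It runs a simple failed-login
burst detector over constructed sshd-style log lines, validates each alert to
discard false positives, and fills in the documentation fields named above.
The threshold, window, severity taxonomy and log lines are all constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (TEST-NET addresses; not real systems or users).
SAMPLE_LOGS = """\
2023-05-04T10:00:01 web01 sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
2023-05-04T10:00:03 web01 sshd[2001]: Failed password for invalid user test from 203.0.113.5 port 40002 ssh2
2023-05-04T10:00:05 web01 sshd[2001]: Failed password for root from 203.0.113.5 port 40003 ssh2
2023-05-04T10:00:07 web01 sshd[2001]: Failed password for oracle from 203.0.113.5 port 40004 ssh2
2023-05-04T10:00:09 web01 sshd[2001]: Failed password for backup from 203.0.113.5 port 40005 ssh2
2023-05-04T10:00:12 web01 sshd[2001]: Accepted password for backup from 203.0.113.5 port 40006 ssh2
2023-05-04T10:05:00 db01 sshd[3100]: Failed password for alice from 198.51.100.7 port 50001 ssh2
2023-05-04T10:05:04 db01 sshd[3100]: Failed password for alice from 198.51.100.7 port 50002 ssh2
2023-05-04T10:05:08 db01 sshd[3100]: Failed password for alice from 198.51.100.7 port 50003 ssh2
2023-05-04T10:05:11 db01 sshd[3100]: Failed password for alice from 198.51.100.7 port 50004 ssh2
2023-05-04T10:05:15 db01 sshd[3100]: Failed password for alice from 198.51.100.7 port 50005 ssh2
2023-05-04T10:05:20 db01 sshd[3100]: Accepted password for alice from 198.51.100.7 port 50006 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
THRESHOLD = 5                   # failures from one source ...
WINDOW = timedelta(minutes=2)   # ... within this window raise an alert


def parse(text):
    """Turn raw lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def detect(events):
    """Incident detection: one alert per source with THRESHOLD failures inside WINDOW."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "Failed"]
        for i, first in enumerate(failures):
            burst = [e for e in failures[i:] if e["ts"] - first["ts"] <= WINDOW]
            if len(burst) >= THRESHOLD:
                alerts.append({"ip": ip, "failures": burst, "events": evs})
                break
    return alerts


def validate(alert):
    """Incident validation: classify the alert, or return None for a false positive."""
    fails = alert["failures"]
    users = {e["user"] for e in fails}
    last_fail = max(e["ts"] for e in fails)
    success = [e for e in alert["events"] if e["result"] == "Accepted" and e["ts"] > last_fail]
    if len(users) < 3:
        # A single account failing repeatedly and then logging in is usually a
        # legitimate user mistyping a password, not an attack.
        return None if success else ("targeted_guessing", "medium", None)
    if success:
        return ("brute_force", "critical", success[0]["user"])  # a guess succeeded
    return ("brute_force", "high", None)


def document(alert, verdict, number):
    """Logging and documentation: the record the response team is handed."""
    category, severity, compromised = verdict
    fails = alert["failures"]
    action = f"block {alert['ip']} at the perimeter"
    if compromised:
        action += f"; disable and reset account {compromised}"
    return {
        "incident_id": f"INC-{number:04d}",
        "detected_at": fails[0]["ts"].isoformat(),
        "category": category, "severity": severity,
        "affected_system": fails[0]["host"],
        "source": alert["ip"],
        "accounts_tried": sorted({e["user"] for e in fails}),
        "compromised_account": compromised,
        "initial_action": action,
    }


def handle(text):
    """Identification pipeline: parse -> detect -> validate -> document."""
    incidents = []
    for alert in detect(parse(text)):
        verdict = validate(alert)
        if verdict is not None:
            incidents.append(document(alert, verdict, len(incidents) + 1))
    return incidents
```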

Anti-virus procedures

Anti-virus procedures are a set of steps or guidelines that outline how to effectively use and maintain antivirus software within an organization to protect against malware and other malicious threats. These procedures are crucial for ensuring the antivirus solution operates optimally and provides maximum protection (Yasar, 2023).

Below are the typical steps involved in anti-virus procedures, along with explanations for each:

The first step is to install the antivirus software on all endpoints and servers within the organization. Once installed, the antivirus solution should be configured based on the organization's security policies and requirements. This includes setting up scan schedules, defining exclusion lists (if necessary), configuring quarantine options, and adjusting other relevant settings.

Antivirus software relies on up-to-date virus definitions to detect and remove the latest threats. Regularly updating the antivirus software ensures that it can identify new malware strains and protect against emerging threats. Most modern antivirus solutions have automated update mechanisms to ensure that virus definitions are updated frequently.

Regular system scanning is essential to detect and remove malware that may have slipped through the initial defenses. Schedule periodic full system scans to thoroughly check all files and applications on endpoints and servers. Additionally, consider running quick scans on a more frequent basis to catch any recently introduced threats.

Enable real-time scanning and protection to monitor files and processes as they are accessed or executed. Real-time protection can instantly block and quarantine malicious files or activities, preventing them from causing harm.

Configure the antivirus software to automatically quarantine or isolate infected files, processes, or email attachments. Quarantine allows security teams to review suspicious items and take appropriate actions, such as restoring clean files or permanently deleting infected ones.

Define incident response procedures for handling severe infections or outbreaks that the antivirus software might not be able to handle automatically. This includes the involvement of the incident response team, escalation procedures, and containment measures.

Set up regular reporting and monitoring mechanisms to keep track of the antivirus software's performance, detected threats, and overall security status. Monitoring helps ensure that the antivirus solution is working effectively and allows security teams to identify any potential issues that need attention.

Educate employees about the importance of antivirus software and its role in protecting the organization's data and systems. Train them on best practices for identifying and reporting potential security threats.

Evaluate and Update Antivirus Software:

Periodically evaluate the effectiveness of the antivirus software and its ability to protect against the latest threats. Consider conducting tests and assessments to verify the software's performance. If needed, explore alternative solutions and update the antivirus software to a newer version.

In conclusion, anti-virus procedures involve a series of well-defined steps to ensure the effective deployment, configuration, and maintenance of antivirus software to protect an organization's systems and data from malware and other security threats. By following these procedures diligently, organizations can enhance their overall security posture and reduce the risk of successful cyberattacks.
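As an added example (not from the cited source or any antivirus product), here are the definition-update, scheduled-scan, exclusion-list, quarantine and reporting steps described above expressed as a toy signature scanner in Python; the definition hashes, the exclusion list and the files it scans are constructed in a temporary directory when it runs.

```python
"""Scheduled-scan step of an anti-virus procedure: definitions, exclusions, quarantine, report.

Added example, not from Yasar (2023) or any real antivirus product: a toy
signature (SHA-256) scanner. The "definitions", the exclusion list and the
files it scans are all constructed inside a temporary directory at run time.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed known-bad contents; their hashes play the role of virus definitions.
KNOWN_BAD = {
    "Test.Dropper.A": b"constructed dropper sample - not real malware\n",
    "Test.Miner.B": b"constructed coin-miner sample - not real malware\n",
}
DEFINITIONS = {
    "version": "2023.05.04",
    "hashes": {hashlib.sha256(data).hexdigest(): name for name, data in KNOWN_BAD.items()},
}


def update_definitions(current, new_hashes, version):
    """Definition update: returns a new definition set; the old one is left untouched."""
    return {"version": version, "hashes": {**current["hashes"], **new_hashes}}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_excluded(path, exclusions):
    """Exclusion list: a path is excluded if it is, or lies under, a listed entry."""
    p = os.path.abspath(path)
    return any(p == os.path.abspath(x) or p.startswith(os.path.abspath(x) + os.sep) for x in exclusions)


def quarantine(path, quarantine_dir, detection):
    """Move the file aside, strip execute bits, and record metadata for later review."""
    os.makedirs(quarantine_dir, exist_ok=True)
    digest = sha256_file(path)
    dest = os.path.join(quarantine_dir, digest + ".quar")
    shutil.move(path, dest)
    os.chmod(dest, 0o400)
    meta = {"original_path": path, "detection": detection, "sha256": digest,
            "quarantined_at": datetime.now(timezone.utc).isoformat()}
    with open(dest + ".json", "w") as f:
        json.dump(meta, f)
    return meta


def scan(root, definitions, exclusions, quarantine_dir):
    """Full scan: hash every non-excluded file, quarantine matches, return a report."""
    report = {"definitions_version": definitions["version"], "scanned": 0, "excluded": 0, "detections": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_excluded(path, exclusions):
                report["excluded"] += 1
                continue
            report["scanned"] += 1
            hit = definitions["hashes"].get(sha256_file(path))
            if hit:
                report["detections"].append(quarantine(path, quarantine_dir, hit))
    return report


def demo():
    """Builds a constructed file tree, runs one scan, and returns the report plus checks."""
    base = tempfile.mkdtemp(prefix="av-demo-")
    root, qdir = os.path.join(base, "data"), os.path.join(base, "quarantine")
    files = {
        "docs/report.txt": b"quarterly figures\n",                # clean
        "downloads/setup.bin": KNOWN_BAD["Test.Dropper.A"],     # must be caught
        "build/cache.tmp": KNOWN_BAD["Test.Miner.B"],           # in an excluded directory
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    report = scan(root, DEFINITIONS, [os.path.join(root, "build")], qdir)
    report["original_removed"] = not os.path.exists(os.path.join(root, "downloads", "setup.bin"))
    report["quarantine_files"] = sorted(os.listdir(qdir))
    shutil.rmtree(base)
    return report
```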

Propose a method to assess and treat IT security risks (M1)

Discuss methods required to assess security threats? E.g., Monitoring tools

Vendor management involves overseeing the management of suppliers, also known as vendors. The utilization of a vendor management tool can greatly simplify tasks related to order management, invoicing, contract handling, payment processing, and product deliveries.

In the current business landscape, nearly every company engages with vendors, and employing an appropriate tool can optimize business operations and increase efficiency. Through the integration of automation and real-time monitoring dashboards, the occurrence of errors can be significantly minimized.

In today's competitive environment, many successful enterprises rely on cloud-based procurement software and utilities. These solutions empower companies, enabling them to fulfill their duties proactively through efficient collaboration and effective management.

Additionally, cloud-based solutions are user-friendly, cost-effective with minimal maintenance expenses, and offer regular security updates (Cflowapp, 2023).

a. Need for Vendor Management Tools

Vendor management tools play a crucial role for various reasons. They assist businesses in the careful selection of appropriate vendors. Additionally, practical vendor management tools can enhance the rapport between a company and its vendors, resulting in improved prospects. Furthermore, when an organization requires a distinctive solution, it explores SaaS vendor tools (Cflowapp, 2023).

With a plethora of tailored connectivity and integration options available, companies leverage these choices to simplify the incorporation of SaaS applications within a cloud-based environment. These customized tools provide pre-made plugins and data sources, thus furnishing more uncomplicated solutions.

Vendor management tools are designed to accommodate non-technical users, and SaaS applications are indispensable for their efficient workflow. The integration functionalities facilitate seamless workflows by offering real-time data feedback. Beyond just vendor management tools, an evaluation tool for vendors becomes essential for organizations to scrutinize data interchange among vendors, aiding in the comparison of various vendor performances.

b. For Quality and Relationship Management

Vendor relationship management is a process, built on software solutions, that helps companies maintain a smooth relationship with their vendors independently of both clients and merchants. The same process lets vendors maintain effortless relationships with different establishments. Good vendor relationship management is therefore one of the most crucial parts of an organization’s procurement and sourcing strategy (Cflowapp, 2023).

Supplier relationship management (SRM) acts as leverage between vendors and companies, cuts bottom-line costs, enhances critical KPIs, and improves supplier quality management. Therefore, SRM is called the chameleon of a business’s procurement and sourcing activities. SRM is crucial for any business organization that has clearly defined its production process and its purchasing of products and services. However, it is vital to know that how a company manages its relationship with its vendors is relative to its own system. So, every organization which uses SRM will reap benefits according to the magnitude of usage.

Vendor relationship or supplier relationship management is complex. Given the complexity of vendor relationship management, supplier relationship management software can simplify operations greatly.

c. Vendor Compliance and Risk Assessment

Vendor compliance tools are vital for successful vendor management in procurement. They establish specific requirements for vendors to resolve issues efficiently and mitigate risks. These tools must prioritize data security and privacy, especially as data sharing grows. An effective tool should offer customized vendor security approaches and access to prominent questionnaires like ISO 27001. Additionally, it should enable tailored questionnaires and streamline information flow within IT teams. Ensuring compliance and data security between companies and vendors is essential for efficient vendor risk assessment (Cflowapp, 2023).

Vendor risk pertains to potential negative impacts on a client company's operations. Many firms use vendor risk assessment tools to oversee vendors and business partners. This risk management approach involves identifying and mitigating potential risks associated with external vendors and partners. This evaluation takes place twice—before entering into a vendor relationship and during the contract period—to establish a foundation for a healthy long-term partnership.

Protecting your company involves several steps. Initially, one must recognize the specific type of vendor risk. Evaluating third-party risk starts with identifying potential risks before engaging in a vendor agreement. These risks span strategic, compliance, geographic, technical, resource, operational, reputational, financial, and cyber domains. After recognizing risks, it's essential to understand the nature of the business between the company and the vendor. Subsequently, the right vendor needs to be chosen to align with the company's goals.

Furthermore, the risk assessment process involves distinct evaluations—one for the vendor as a business partner and another for the company's product. Specific inquiries arise: Is the product secure and reliable? What's the cost? Can employees quickly adapt to the software? Does the product adhere to data security and privacy laws? Addressing these queries aids in deciding whether to proceed with the vendor relationship. Incidents of vendor-related risks, such as the 2013 Target data breach involving an HVAC vendor, underscore the importance of vigilance.

After evaluating a vendor, it's crucial to determine overall risk levels and categorize vendors accordingly. This approach establishes vendor credibility and streamlines future relationship planning. Efficient assessment aids in vendor selection, promotes fairness, and enhances efficiency. Subsequently, formulating a customized vendor risk management plan is essential. This plan should incorporate regular vendor monitoring, annual comprehensive vendor procedure updates, and adept contract management. Staying informed about regulations and conducting regular assessments contribute to mitigating potential vendor risks.

1.2 Breach and attack simulation tool (BAS)

Figure 10: Breach and attack simulation tool (BAS)

Breach and attack simulation (BAS) technology imitates the role of an attacker to assess a network's cybersecurity defenses. These automated tools simulate attacks to evaluate a company's ability to prevent, detect, and mitigate threats. For instance, they might replicate a phishing attack on a company's email systems, attempt to breach a web application firewall (WAF), simulate data exfiltration, move laterally within networks, or launch malware attacks on endpoints. Many of these tools operate continuously to alert the company about potential vulnerabilities or risks resulting from network changes. Some offer scheduled or surprise mock attacks to test a security operations center's effectiveness. Certain tools incorporate artificial intelligence and machine learning to execute progressively advanced attacks or analyze a company's cybersecurity status (Harvey, 2018).

What is the current weakness or threats of an organization?

Organizations face ongoing cyber security threats, regardless of whether they engage with the public or other businesses. These threats involve malicious efforts to gain unauthorized access to an organization's network and its resources.

Cybercriminals and hackers worldwide are persistently trying to breach an organization's network, representing an ever-present danger. Without the proactive implementation of a strong cyber security program by organizational leadership, these threats can quickly escalate into cybercrimes (Hall, 2021).

2.1 Leadership Shapes the Cyber Security Culture

Organizational leadership and senior management must provide the necessary resources, training, and tools to counteract cyber threats effectively. Without the support and commitment from upper and middle management, an organization becomes vulnerable to various cyber threats.

In 2020, cyber threats escalated into large-scale data breaches, compromising user accounts, email addresses, and credit card information. Some of this compromised data was subsequently sold on the dark web (Hall, 2021).

Organizations need to remain vigilant to prevent cyber threats from evolving into cybercrimes. These threats persist because they prove profitable for cybercriminals. Cybercriminals prioritize information that can generate immediate revenue, either through direct use or by selling it on the dark web. They particularly value certain types of business information, including banking credentials, critical data related to customers, vendors, and staff, trade secrets, and any information that could harm an organization's reputation.

The motivation for cybercriminals lies in stealing financial and intellectual property data. Consequently, organizations must be equally determined to eliminate or mitigate all cyber threats to safeguard their assets and reputation (Hall, 2021).

According to Cybersecurity Ventures, cybercrimes are projected to cause damages of approximately $10.5 trillion annually by 2025. Additionally, Coalition's findings indicate that ransomware accounted for 41% of cyber insurance claims payouts in the first half of 2020.

Cybercriminals target various organizations and individuals, but they prefer vulnerable targets with higher potential payouts. Particularly vulnerable industries, as identified by CDNetworks, include small businesses, healthcare institutions, government agencies, energy companies, and higher education facilities. It is crucial for management in these industries to fully invest in robust cyber security programs.

Whether managing a financial institution or a small business, management personnel must possess a working understanding of cyber security risks to effectively mitigate cyber threats. Implementing cyber security best practices can be achieved by consulting resources like the Center for Internet Security (CIS) or the National Institute of Standards and Technology (NIST) to compare and improve current cyber security practices (Hall, 2021).

Incorporating a comprehensive understanding of the prevalent cyberattacks should be an essential component of the mandatory annual security training for all organizations. Cyber threats may originate both from internal and external sources (Hall, 2021).

a. Internal Cyber Threats

Endpoint Protector identifies the leading internal cyber threats as follows:
  o Unauthorized data sharing: The act of sharing sensitive data with external parties lacking the required need-to-know privileges.
  o Shadow IT: The utilization of unauthorized third-party software within the organization.
  o Unauthorized devices: The usage of unsanctioned and unsecure devices at work, which could include USB sticks or personal devices connected to the business network or introduced into secure areas.
  o Theft of property: When authorized devices containing sensitive information, such as company laptops or phones, are not returned to the office as expected.

b. External Cyber Threats

Below are the top five external cyber threats:
  o Internet of Things (IoT) Vulnerabilities: Due to weak passwords, patching gaps, and IoT skill deficiencies, this technology becomes highly susceptible to external attacks, as observed by Thales.
  o Phishing: Cybercriminals impersonate trusted sources and contact users through email, phone, or text, aiming to obtain sensitive information via social engineering or infect the network with malware through malicious links.
  o Distributed Denial of Service (DDoS): Attackers overwhelm a computer or network by inundating it with fake requests from multiple sources, causing unavailability.
  o Brute-force attacks: Hackers employ brute-force tools like Hashcat, L0phtCrack, or Aircrack-ng to guess a user's password, with weak passwords being particularly vulnerable to such attacks.
  o Advanced Persistent Threat (APT): A sophisticated form of attack where hackers infiltrate the network for an extended period, executing multiple small attacks or data thefts over months or even years, often remaining undetected by conventional cybersecurity measures.

What tools will you propose to treat IT security risks?

In the midst of escalating intricacies within business landscapes, the collaboration between IT and cybersecurity experts becomes paramount. They must employ established frameworks that facilitate a thorough and methodical evaluation of an organization's IT vulnerabilities. Among these frameworks, the OCTAVE model stands out as a preeminent choice. Let's delve into the nature and significance of this model (Chamberlain, 2022).

3.1 What Is the OCTAVE Threat Model?

The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) framework is employed to evaluate an organization's environment and identify its IT risks. OCTAVE offers adaptability, making it suitable for virtually any organization, and necessitates the collaboration of a modest team comprising cybersecurity, IT, and operations professionals (Chamberlain, 2022).

When implementing the OCTAVE framework in a business context, it's crucial to recognize that the standard model might not always align seamlessly with an organization's structure. Consequently, various adaptations have emerged, such as OCTAVE-S (utilized when the team possesses extensive knowledge of the organization's environment), OCTAVE Allegro (simpler and suited for smaller teams), and OCTAVE Forte (the most versatile variant). Alternatively, a customized approach can be devised to ascertain the optimal fit for your business.

Regardless of the chosen OCTAVE variation, it's worth noting that its origins trace back to its development for the US Department of Defense at Carnegie Mellon University (CMU) in 2001. Since then, it has been successfully utilized and validated for more than two decades.

3.2 Benefits of the OCTAVE Threat Model

There are several advantages to utilizing the OCTAVE threat model, and here's an overview of the most notable ones.

• Efficiency: OCTAVE directs its focus towards an organization's most crucial assets, ensuring that significant outcomes are achieved with minimal effort.

• Swiftness: Despite its intricacy, the OCTAVE model stands out as one of the most time-effective approaches for identifying, prioritizing, and mitigating risks. It manages to balance speed with thoroughness.

• Practicability: Implementing the OCTAVE threat model all at once can be demanding, given its design to be executed in segments. Consequently, it's divided into three phases, each of which is further broken down into processes.

• Comprehensiveness: The primary strength of the OCTAVE threat model lies in its extensive coverage. This attribute has made it a favored choice not only for the Department of Defense but also for numerous other organizations, spanning more than twenty years.

Taking these advantages into account, let's delve into the process of implementation, which might initially appear to be a significant undertaking.

3.3 How to Implement the OCTAVE Threat Model

Embarking on the implementation of the OCTAVE threat model is not a casual endeavor that can be undertaken spontaneously. In reality, this model demands extensive documentation, spanning hundreds of pages, to ensure a thorough understanding. Delving deeper, one must navigate the intricacies involved in adapting and applying this framework to various organizational contexts, a topic well covered in CMU's comprehensive resources (Chamberlain, 2022).

However, prior to immersing oneself in the intricate documentation concerning the OCTAVE threat model's implementation, it's prudent to initially approach the process from a broader perspective. This approach involves laying the groundwork for implementation and assembling the necessary resources. Hence, here's an overarching view of the essential aspects entailed in implementing the OCTAVE threat model.

3.4 The Three Phases of Implementation

Generally, the implementation of the OCTAVE threat model involves a structured approach composed of three distinct phases. These phases are outlined as follows:

• Organizational view: This initial phase necessitates a collaborative effort from a team to compile a comprehensive profile of all your organization's assets, along with their corresponding threats. Through this analysis, existing IT assets and their protective measures are scrutinized, enabling the identification of security gaps and associated risks.

• Technological view: Once vulnerabilities have been pinpointed within your organization's infrastructure, the subsequent step involves devising fresh policies and procedures to address and manage these vulnerabilities. This phase employs various tactics, including techniques such as penetration testing.

• Strategy and plan development: The concluding phase entails the development of a security risk management strategy. In this stage, remaining risks are defined, prioritized, and incorporated into a comprehensive plan for ongoing mitigation and management of security risks. This plan requires regular review and adaptation.

On paper, this process might appear straightforward. However, the analysis, strategizing, and implementation of such an extensive framework demand a considerable amount of time and effort. The duration of completion, whether spanning weeks or months, hinges on factors such as team size, organizational complexity, familiarity with the framework, and the leadership and architectural capabilities driving the initiative.

Throughout each phase of the implementation procedure, your team should be prepared to utilize an array of testing and analysis tools and methodologies, ensuring that no aspect remains unexamined and no potential scenario is overlooked. Consequently, here are several common techniques that you should be ready to acquaint yourselves with:

• System Audits: System audits provide insights into your organization's network and system structure. They unveil the location of assets, their interconnections, and the access permissions granted to individuals.

• Penetration Testing: Penetration testing is instrumental in identifying vulnerabilities within your system, offering a deeper comprehension of the access points that demand safeguarding. It establishes a foundational understanding crucial for the successful implementation of OCTAVE.

• Risk Assessments: Risk assessments play a pivotal role across various stages of the implementation process. They entail meticulous planning, involving the prioritization of each risk and the formulation of strategies for mitigation and prevention.

Identify the potential impact to IT security of incorrect configuration of firewall policies and IDS (P3)

Discuss briefly firewalls and policies, their usage and advantages in a network

Despite the distinction between a host-based application software firewall, which operates as a program on an individual client, and a hardware-based network firewall, which safeguards an entire network, their fundamental purposes remain alike. Both are responsible for examining packets and determining whether to permit or block their entry. Hardware firewalls typically serve as the initial line of defense, situated outside the network security perimeter.

Firewalls can filter packets using one of two methods. The first is "stateless packet filtering," where the incoming packet is examined, and the firewall grants or denies access based on predefined conditions established by the administrator. The second method is "stateful packet filtering," which involves keeping track of the connection's status between an internal computer and an external device. The firewall then makes decisions based on both the connection status and the established conditions. For example, a stateless packet filter firewall may allow a packet to pass through if it is destined for a specific computer on the network. However, a stateful packet filter would block the packet if the internal network computer did not initiate the request for information from the external server beforehand (Ciampa, 2015).

The fundamental purpose of a firewall is straightforward: its primary task is to prevent any network traffic that hasn't been explicitly permitted. Firewalls are equipped with rules that specify the kinds of traffic allowed to enter or exit a network. Whenever the firewall receives a network message, it assesses the message against its set of rules. If the message aligns with a rule, the firewall permits it to proceed. On the other hand, if the message doesn't correspond to any rule, the firewall denies passage to the message (David Kim, Michael G. Solomon, 2018).

Apart from this core function, firewall technology encompasses three main types:

• Packet filtering, as a type of firewall, operates in a straightforward manner. It evaluates incoming traffic against a predefined set of rules that determine which data is allowed to pass through the firewall. For every packet that arrives at the firewall, it independently decides whether to permit or block it based on these rules. Notably, it does not retain any memory of previous packets it may have processed.

• Stateful inspection, as a type of firewall, retains data concerning the state of network communications. When the firewall receives the initial packet of a communication, it stores information about that session until it is terminated. Consequently, this firewall does not need to reevaluate its rules for every packet it receives. It only needs to examine the rules when a new communication session is initiated.

• An application proxy firewall surpasses the capabilities of a stateful inspection firewall. Instead of enabling direct packet transmission between systems on different sides of the firewall, the application proxy firewall establishes distinct connections with each of the communicating systems. Acting as an intermediary or proxy, it facilitates communication between the two systems. This approach enhances security since the firewall can analyze application-specific details when deciding whether to permit or block traffic.

The selection of a firewall for your network relies on various considerations. For instance, if you intend to deploy a firewall at the perimeter of a vast network, a basic packet filter might suffice. However, if your goal is to safeguard a highly secure data center that houses web applications, an application proxy would be a more suitable choice.
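The stateless/stateful contrast and the implicit-deny rule evaluation described above, as an added example that is not code from the assignment or the cited textbooks. The LAN prefix, addresses, ports and rule sets are constructed for the illustration.

```python
"""Stateless versus stateful packet filtering with an implicit-deny rule set.

Added example; the LAN prefix, addresses, ports and rules are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed private LAN
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # set on the packet that opens a TCP connection


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = ANY               # CIDR prefixes
    dst: str = ANY
    sport: Optional[int] = None  # None matches any port / protocol
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and self.proto in (None, p.proto))


def is_inbound(p: Packet) -> bool:
    return (ipaddress.ip_address(p.dst) in INTERNAL_NET
            and ipaddress.ip_address(p.src) not in INTERNAL_NET)


def stateless_decision(rules, p: Packet) -> str:
    """Each packet is judged on its own: first matching rule wins, no match means deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"  # implicit deny


@dataclass
class StatefulFilter:
    rules: list
    table: set = field(default_factory=set)  # connections opened from inside

    def decide(self, p: Packet) -> str:
        # A reply to a connection an internal host opened is allowed because of the
        # recorded state; the rules are consulted only for packets without such state.
        if is_inbound(p) and (p.dst, p.dport, p.src, p.sport, p.proto) in self.table:
            return "allow"
        action = stateless_decision(self.rules, p)
        if action == "allow" and not is_inbound(p) and p.syn:
            self.table.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return action


# A stateless filter must open an inbound hole so HTTPS replies (source port 443) can
# come back in; a stateful filter needs only the outbound rule.
STATELESS_RULES = [
    Rule("allow", src="10.0.0.0/24"),
    Rule("allow", dst="10.0.0.0/24", sport=443, proto="tcp"),
]
STATEFUL_RULES = [Rule("allow", src="10.0.0.0/24")]

SCENARIO = [
    # an internal host opens an HTTPS connection to an external web server
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, syn=True),
    # the server's reply
    Packet("203.0.113.10", 443, "10.0.0.5", 51000),
    # an unsolicited inbound packet whose source port happens to be 443
    Packet("203.0.113.99", 443, "10.0.0.7", 22, syn=True),
]


def run_scenario() -> dict:
    """Decisions of both filters over SCENARIO, in order."""
    stateful = StatefulFilter(STATEFUL_RULES)
    return {
        "stateless": [stateless_decision(STATELESS_RULES, p) for p in SCENARIO],
        "stateful": [stateful.decide(p) for p in SCENARIO],
    }
```

The third packet is the textbook case: the stateless filter lets it through on the strength of its source port, while the stateful filter denies it because no internal host initiated that connection.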

1.3 Firewall benefit

a. Stateless Packet Filtering

• Efficiency: Stateless packet filtering is relatively efficient as it examines each packet in isolation without maintaining a connection state. This simplicity makes it suitable for high-speed networks.

• Simplicity: It is easy to configure and implement because it evaluates packets based on individual rules without tracking connection states.

• Low Overhead: Since it does not keep track of connection states, there is less overhead on the firewall, making it resource-friendly.

b. Packet-Filtering Firewall

• Flexibility: Packet-filtering firewalls offer more flexibility in creating rules based on various criteria, such as source/destination IP addresses, port numbers, and protocols.

• Network-Level Filtering: They can effectively block or allow traffic based on network-level attributes, which provides a degree of protection against certain threats.

• Cost-Effectiveness: Packet-filtering firewalls are generally cost-effective, making them accessible for small to medium-sized organizations.

c. Application Proxy Firewall

• Enhanced Security: By acting as an intermediary between internal and external systems, application proxy firewalls add an extra layer of security, making it harder for attackers to directly target internal systems.

• Deep Packet Inspection: The application proxy can perform deep packet inspection, allowing it to analyze application-level data and make more informed decisions about permitting or denying traffic.

• Protocol Independence: Application proxy firewalls can work with various protocols, offering protection for a wide range of applications beyond standard network-level filtering.

It's worth noting that while each type of firewall has its advantages, a comprehensive security strategy may involve using multiple firewall technologies in combination, depending on the specific security requirements and network architecture of an organization.

How does a firewall provide security to a network?

Firewalls play a crucial role in enhancing network security by acting as powerful tools. They are configured using rules, making rule-based management the most common approach to network security. Rule-based management involves defining acceptable and unacceptable actions on the network. Firewalls use filters, known as firewall rules, which are easily configured to meet various security requirements. Different types of firewalls utilize different rule sets, and even basic firewalls support access control lists (ACLs). An access control list defines rules to manage traffic from specific hosts, protocols, and ports. Firewalls can also filter traffic based on ports, commonly referred to as port security.

Access control lists can be highly specific or include ranges of hosts and ports. Each rule in the firewall configuration instructs how certain types of messages should be handled, with the most common actions being 'allow' and 'deny.' For maximum network security, a firewall can be set to 'deny' all messages by default, except those explicitly permitted, known as implicit deny. While this approach is very secure, it may require network administrators to make more effort in opening necessary ports (David Kim, Michael G. Solomon, 2018).

Firewalls contribute to network security in various ways, not only through filtering features but also by providing additional security measures:

• Flood guard is a feature that enforces rules to restrict the bandwidth of traffic from hosts, preventing any single host from overwhelming the network with excessive data.

• Loop protection is a capability of firewalls to examine message addresses and identify if a message is caught in an endless loop, which can also result in a form of flooding.

• Network separation involves the implementation of filtering rules that create boundaries between networks, preventing traffic from crossing over to different networks.

Show with diagrams the example of how firewall works

There are several diverse methods to implement firewalls within your network. In this section, we will explore a few of the most prevalent firewall deployment techniques, including border firewalls, screened subnet (or DMZ) firewalls, and multilayered firewalls. Depending on your organization's specific security requirements, one or more of these approaches may be well suited for your setup (David Kim, Michael G. Solomon, 2018).

The simplest approach is the border firewall, which creates a division between the protected network and the Internet, as depicted in FIGURE 10. Positioned behind the router, the border firewall intercepts all incoming and outgoing communications between the private network and the Internet. Typically, border firewalls utilize either packet filtering or stateful inspection methods.

Border firewalls are predominantly utilized by organizations that do not provide public services. If you have outsourced your website and email, there might be no need to permit public access to your network. In such cases, you can simply block most, if not all, inbound traffic. A border firewall is highly effective in this context.

In certain scenarios, completely prohibiting all inbound traffic to your network may not be practical. For example, if you run a public website or manage your own email server, you need to allow restricted inbound connections. In such cases, the screened subnet firewall topology offers an effective solution. This firewall setup includes three network cards. Two of these cards function similarly to a border firewall, with one connected to the Internet and the other to the private network. The third network card is linked to a dedicated network known as the screened subnet or demilitarized zone (DMZ).

Define IDS, its usage, and show it with diagram examples

Certain controls within this category have the capability to detect suspicious actions and potentially halt an ongoing attack. These monitoring mechanisms encompass intrusion detection systems (IDSs), intrusion prevention systems (IPSs), and firewalls (David Kim, Michael G. Solomon, 2018).

4.1 Define Intrusion Detection System (IDS)

Implementing a layered defense strategy involves deploying multiple controls to safeguard against attacks. One commonly employed approach in layered defense is to position an IDS behind a firewall, enhancing the overall security. In this setup, a network intrusion detection system (NIDS) is responsible for monitoring the traffic that manages to pass through the firewall, with the purpose of detecting any malicious behavior. Additionally, a host-based intrusion detection system (HIDS), discussed later in this chapter, performs a similar function but focuses on scrutinizing traffic directed at a specific computer or device. Due to its narrower scope, the HIDS can be finely tuned to identify highly specific activities. Unlike the NIDS, the HIDS also has visibility into traffic that originates within the network perimeter (David Kim, Michael G. Solomon, 2018).

4.2 IDS filter rules and advantages of IDS

An intrusion detection rule defines an abnormal network traffic pattern that could indicate an attack on the industrial network. The Intrusion Detection System utilizes these rules to inspect the network traffic.

There are two types of rule sets:

• System rule sets: These rule sets are pre-configured to detect commonly encountered attacks or undesirable network activity. They are readily available upon the installation of the IDS application. Users can keep these rule sets up to date by installing updates provided by the application.

• Custom rule sets: Users can load custom rule sets separately into the IDS application. This is achieved by using files containing data structures that define the specific Intrusion Detection rules. The files for custom rule sets must be in the same folder and have the "RULES" extension. The names of the custom rule sets must correspond to the names of the files from which they are loaded, excluding the file extensions.

• Fewer security incidents: While connected units typically do not notice any changes, the IPS ensures less disruption for university systems and a reduced number of security incidents.

• Selective logging: The IPS only records network activity when it takes action, maintaining the privacy of network users.

• Privacy protection: The IPS compares network traffic against a list of known malicious traffic and does not store or view content.

• Reputation-managed protection: The IPS subscribes to a reputation-based list of known malicious sites and domains, which it uses to proactively protect the university.

• Multiple threat protection: The IPS offers zero-day threat protection, mitigates brute force password attempts, and provides protection against availability threats, such as DDoS and DoS attempts.

• Dynamic threat response: The IPS can be fine-tuned to recognize and respond to particular threats, allowing the university to react to identified threats to university business.
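The system and custom rule-set mechanism described above, with a per-source threshold that decides between false positives and false negatives, as an added example that is not code from the assignment or from any IDS product. The rule line format, the ".RULES" custom file written to a temporary folder, and all traffic are constructed for the illustration.

```python
"""Rule-based intrusion detection with system and custom rule sets.

Added example; the rule format, the .RULES file and the traffic are constructed.
"""
import re
import tempfile
from collections import Counter
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IdsRule:
    name: str
    ruleset: str            # "system" or the stem of the .RULES file it came from
    proto: str
    dport: Optional[int]    # None matches any destination port
    threshold: int          # alert once this many packets from one source matched
    pattern: Optional[str]  # regex searched in the payload, or None


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dport: int
    payload: str = ""


# Constructed rule line format:  <name> <proto> <dport|any> <threshold> [/regex/]
RULE_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)(?:\s+/(.*)/)?$")


def parse_rules(text: str, ruleset: str) -> List[IdsRule]:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_LINE.match(line)
        if m is None:
            raise ValueError(f"bad rule in {ruleset}: {line!r}")
        name, proto, dport, threshold, pattern = m.groups()
        rules.append(IdsRule(name, ruleset, proto,
                             None if dport == "any" else int(dport),
                             int(threshold), pattern))
    return rules


def load_custom_rulesets(folder: Path) -> List[IdsRule]:
    # every *.RULES file in the folder is one custom rule set named after the file
    rules = []
    for path in sorted(folder.glob("*.RULES")):
        rules.extend(parse_rules(path.read_text(), path.stem))
    return rules


def matches(rule: IdsRule, p: Packet) -> bool:
    return (rule.proto == p.proto
            and rule.dport in (None, p.dport)
            and (rule.pattern is None or re.search(rule.pattern, p.payload) is not None))


def inspect(rules: List[IdsRule], packets: List[Packet]) -> List[Tuple[str, str, str]]:
    """Alert (rule name, rule set, source) once per source when its threshold is reached."""
    hits = Counter()
    alerts = []
    for p in packets:
        for r in rules:
            if matches(r, p):
                hits[(r.name, p.src)] += 1
                if hits[(r.name, p.src)] == r.threshold:  # fire exactly once
                    alerts.append((r.name, r.ruleset, p.src))
    return alerts


SYSTEM_RULES = """
# name            proto  dport  threshold
ssh-bruteforce    tcp    22     {threshold}
"""
CUSTOM_RULES = """
# operator-written rule for the industrial segment (constructed)
plc-write  tcp  502  1  /write_register/
"""
# Constructed traffic: a scanner hammering SSH, an admin logging in twice, one PLC write
TRAFFIC = (
    [Packet("198.51.100.7", "tcp", 22, "SSH-2.0") for _ in range(6)]
    + [Packet("10.0.0.9", "tcp", 22, "SSH-2.0") for _ in range(2)]
    + [Packet("10.0.0.9", "tcp", 502, "write_register 40001=1")]
)


def demo(ssh_threshold: int = 5) -> List[Tuple[str, str, str]]:
    """Load the system set plus a custom set from a temporary folder, then inspect TRAFFIC."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "ot-alerts.RULES").write_text(CUSTOM_RULES)
        rules = (parse_rules(SYSTEM_RULES.format(threshold=ssh_threshold), "system")
                 + load_custom_rulesets(folder))
    return inspect(rules, TRAFFIC)
```

Running demo(1) turns the admin's two logins into a false positive, while demo(10) misses the scanner entirely (a false negative), which is the tuning trade-off an IDS operator has to make.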

4.3 Show with diagrams the example of how IDS works

The host-based intrusion detection system (HIDS), which will be discussed in a later part of this chapter, performs a similar function by monitoring traffic directed at a specific computer or device. The advantage of the HIDS is that it has a more focused perspective, allowing you to customize it to detect highly specific activities. In contrast to the NIDS, the HIDS also has the ability to observe traffic originating from within the network perimeter. A network setup featuring both a NIDS and a HIDS device is illustrated in the figure (David Kim, Michael G. Solomon, 2018).

Figure 18: IDS as a firewall complement

As Figure 13 illustrates, you have the option to link a NIDS to a switch or hub. Subsequently, the IDS captures and examines all the traffic passing through the switch to identify any unauthorized activity. The analysis can be conducted in various ways, depending on the type of engine employed within the IDS (David Kim, Michael G. Solomon, 2018).

Figure 19: Basic NIDS as a firewall complement

Write down the potential impact (Threat-Risk) of a firewall and IDS if they are incorrectly

5.1 Comparison of IDS with Firewalls

While both IDS and firewalls play roles in network security, they differ in their functions. Firewalls are designed to proactively search for intrusions and prevent unauthorized access by restricting network entry points. However, they may not detect attacks originating from within the network. On the other hand, an intrusion detection system (IDS) identifies potential intrusions after they have occurred, raising alarms to alert administrators about suspicious activities (Andrea, 2023).

5.2 Impact of incorrect configuration of Firewalls

Threat-Risk: The risk associated with an incorrectly configured firewall can lead to significant security vulnerabilities and potential attacks on the network. Here are some potential impacts:

• Unauthorized Access: If the firewall rules are not properly configured, unauthorized users might gain access to sensitive data, systems, or services, leading to data breaches or unauthorized use of resources.

• Data Exfiltration: Inadequate firewall settings may allow malicious actors to exfiltrate sensitive data from the network, causing data leaks or intellectual property theft.

• Denial of Service (DoS) Attacks: Misconfigurations may render the firewall ineffective against DoS attacks, leading to service disruption and availability issues.

• Internal Threats: An incorrectly configured firewall may fail to block internal threats or lateral movement within the network, enabling malicious activities from within.

• Malware and Virus Spread: A misconfigured firewall might allow malware or viruses to enter the network and spread to other connected devices, leading to widespread infection.

• Unintended Open Ports: Misconfigurations can inadvertently leave ports open, creating unintended entry points for attackers to exploit.

5.3 Impact of incorrect configuration of IDS

Threat-Risk: The risk associated with an incorrectly configured Intrusion Detection System (IDS) can lead to a compromised network and missed detection of security threats. Here are some potential impacts:

• Undetected Attacks: If the IDS rules and thresholds are not set correctly, it might miss detecting various types of attacks, allowing malicious activities to go undetected.

• False Positives/Negatives: Improper configuration may result in a high number of false positives (detecting non-threatening events as attacks) or false negatives (failing to detect actual attacks), leading to confusion and ineffective response.

• Resource Overhead: Incorrect settings can cause the IDS to consume excessive resources, affecting the network's performance and efficiency.

• Delayed Response: If the IDS is not configured to generate real-time alerts, or if those alerts are not adequately monitored, the response to an ongoing attack could be significantly delayed.

• Inadequate Logging: Misconfigurations may result in inadequate logging of events, making it difficult to conduct post-incident analysis or forensic investigations.

• Rule Evasion: Attackers might exploit misconfigurations to evade the IDS detection mechanisms, allowing them to carry out their activities undetected.

A firewall and an IDS are essential security devices that safeguard a network against unauthorized access and malicious attacks. However, improper configurations of these devices can pose serious threats to network security and performance. Some potential consequences include:

• Data breaches: Inadequate firewall rules or outdated configurations can enable attackers to bypass the firewall and gain access to sensitive data on the network. Similarly, an improperly tuned IDS with false positives may miss detecting actual malicious activities or generate alerts for legitimate traffic.

• Network downtime: Overly restrictive or conflicting firewall rules can block legitimate traffic, causing disruptions in the network. For instance, blocking dynamic routing protocols can lead to network instability. Additionally, an IDS ill-equipped to handle high traffic volumes or with false negatives may overload the network or fail to alert on genuine attacks.

• Compliance violations: Outdated or poorly configured firewall and IDS setups can expose the network to vulnerabilities, compromising compliance standards. Absence of antivirus protection or use of vulnerable XML files in the firewall and IDS can be exploited by attackers or malware. Insufficient access controls or logging capabilities can lead to unauthorized access or data tampering.

To avert these consequences, it is imperative to ensure the correct configuration of the firewall and IDS, and to regularly monitor and update them. Tools like Windows Security can be utilized to check the status of the firewall and network protection, providing an added layer of security and peace of mind.

To mitigate the risks associated with incorrectly configured firewall and IDS, it is crucial to follow best practices for configuration, regularly review and update rule sets, perform security audits, and ensure that experienced personnel handle the setup and maintenance of these security measures. Additionally, regular security training and awareness programs for network administrators can help minimize the chances of misconfigurations (Andrea, 2023).

Show, using an example for each, how implementing a DMZ, static IP and NAT in a network can

Define and discuss with the aid of diagram DMZ. Focus on its usage and security function as

The DMZ is a semiprivate network used to host services that the public can access. Users have limited access from the Internet to systems in the DMZ to access these services. A secure network does not allow direct access from the Internet to the private network.

This approach recognizes that systems accessed from the Internet pose a special risk. They are more likely targets of attacks and, therefore, are more likely to suffer successful attacks.

If you confine these machines to the DMZ, they can jeopardize only other systems in the DMZ. An attacker who gains access to a DMZ system will not be able to use that system to directly access systems on the private network (David Kim, Michael G. Solomon, 2018).

1.2 How does a DMZ network work?

• Businesses operating public websites that are accessed by customers must expose their web servers to the internet, which, unfortunately, poses a significant risk to their entire internal network. To address this vulnerability, organizations have the option to pay a hosting company to host their website or public servers on a firewall, but this approach may lead to performance issues. Instead, a more secure solution involves hosting the public servers on a separate and isolated network (Anon, 2023).

• This isolated network, known as a DMZ (Demilitarized Zone), serves as a protective buffer between the internet and the organization's private network. The DMZ is separated by a security gateway, like a firewall, which filters traffic between the DMZ and the internal LAN (Local Area Network). Furthermore, the DMZ server is safeguarded by another security gateway, filtering incoming traffic from external networks.

• Ideally positioned between two firewalls, the DMZ setup ensures that incoming network packets are scrutinized by a firewall or other security tools before they reach the servers hosted in the DMZ. Consequently, even if a sophisticated attacker manages to bypass the first firewall, they must also breach the fortified services in the DMZ before causing any harm to the business.

• In the event that an attacker successfully penetrates the external firewall and compromises a system within the DMZ, they are then confronted with an internal firewall before gaining access to sensitive corporate data. While a highly skilled malicious actor may still breach a well-defended DMZ, the resources within it are designed to raise alarms and provide ample warning of an ongoing breach.

• To comply with regulations such as the Health Insurance Portability and Accountability Act (HIPAA), some organizations opt to deploy a proxy server in the DMZ. This simplifies the monitoring and recording of user activity, centralizes web content filtering, and ensures that employees use the system to access the internet.

1.3 Diagram of DMZ and explain

Consider a scenario where a bank places its automated teller machine (ATM) right in the middle of its highly secure vault. Such a setup would practically invite disaster, as it would allow any external user to enter the secure vault to use the ATM. To avoid this vulnerability, a more prudent approach would involve keeping the ATM and the vault separate. The ATM should be positioned in a public area accessible to anyone, while the vault remains restricted to trusted individuals. Similarly, it is not advisable to place public-facing servers like web and email servers within the secure network. If an attacker manages to breach the security of these servers, they would gain access to the entire secure network (Ciampa,

To permit untrusted external users access to resources like web servers, most networks implement a demilitarized zone (DMZ). The DMZ acts as a distinct network outside the secure network's perimeter, allowing untrusted users to access the DMZ but preventing them from entering the secure network itself.

Figure 22: DMZ with one firewall

Figure 23: DMZ with two firewalls

Figure 16 depicts a demilitarized zone (DMZ) housing a web server and an email server, both accessible to external users. The setup employs a single firewall with three network interfaces: the first connects to the Internet, the second forms the DMZ, and the third establishes the secure internal LAN. However, this configuration comes with certain drawbacks. Firstly, the firewall becomes a single point of failure for the entire network. Secondly, it bears the responsibility of managing all traffic between the DMZ and the internal network, potentially causing performance issues. To enhance security, Figure 17 demonstrates a more robust approach with two firewalls. This setup requires attackers to breach two separate firewalls before accessing the secure internal LAN.

The primary advantage of a DMZ is to enhance the security of an internal network by restricting access to sensitive data and servers. It acts as an intermediary zone, allowing website visitors to access certain services while creating a protective buffer between them and the organization's private network. Consequently, a DMZ offers various additional security benefits, such as:

• Enabling access control: Organizations can grant users access to specific services outside their network perimeter via the public internet. The DMZ facilitates this access while implementing network segmentation, making it more challenging for unauthorized users to reach the private network. Additionally, a DMZ might incorporate a proxy server, centralizing internal traffic flow and simplifying monitoring and recording of that traffic.

• Preventing network reconnaissance: By placing a buffer between the internet and the private network, a DMZ thwarts attackers from conducting reconnaissance to identify potential targets. Servers within the DMZ are publicly exposed but receive an extra layer of security from a firewall that obstructs an attacker's view into the internal network. Even if a DMZ system gets compromised, the internal firewall keeps the private network secure and hinders external reconnaissance.

• Blocking Internet Protocol (IP) spoofing: Attackers often attempt to gain access to systems by spoofing an IP address and impersonating an approved device on the network. A DMZ can detect and impede such spoofing attempts as another service verifies the legitimacy of the IP address. Furthermore, the DMZ facilitates network segmentation, organizing traffic and enabling access to public services away from the internal private network.

Services commonly found in a DMZ include DNS servers, FTP servers, mail servers, proxy servers, and web servers.

1.5 The Importance of DMZ Networks: How Are They Used?

DMZ networks have played a central role in securing global enterprise networks ever since firewalls were introduced. These DMZs act as a protective barrier, keeping internal networks separate from systems that might be targeted by attackers, thus safeguarding organizations' sensitive data, systems, and resources. Additionally, DMZs offer the advantage of allowing organizations to control and restrict access to sensitive systems.

In recent times, enterprises are increasingly turning to containers and virtual machines (VMs) as a means to isolate their networks or specific applications from the rest of their systems. The rise of cloud computing has led many businesses to reduce their reliance on internal web servers and shift a significant portion of their external infrastructure to the cloud using Software-as-a-Service (SaaS) applications.

Define and discuss with the aid of diagram static IP. Focus on its usage and security function as advantage

A Static IP (Internet Protocol) address is a fixed and unchanging numeric label assigned to a device connected to a network, such as a computer, server, or network printer. Unlike a Dynamic IP, which can change each time a device connects to the network or at regular intervals, a Static IP remains constant throughout the device's connection to the network.

Static IPs are typically manually configured for a device and are not subject to change unless deliberately modified by the network administrator. They are commonly used for devices or services that require a consistent, reliable address, such as web servers, email servers, network devices, and certain types of remote access setups (Fisher, 2021).

2.2 How does a static IP address work?

Since most Internet Service Provider (ISP) companies do not provide static IP addresses by default, individuals or organizations seeking one must contact their ISP and request the assignment of a static IP address to their device, such as a router. Once the device is configured with the unchanging IP address, a single restart is required. All computers or devices behind the router will share the same static IP address. Once in place, the static IP address remains constant and does not need any ongoing management, as it does not change.

However, there is a limited availability of static IP addresses, which often means that obtaining one may involve additional costs. To address this limitation, IPv6 was introduced as a solution. IPv6 extends IP addresses from 32 bits to 128 bits (16 bytes), vastly increasing the number of available IP addresses. This expansion makes it easier and less expensive to obtain and maintain static IP addresses. Although a significant portion of internet traffic still utilizes IPv4, there is a growing shift towards using IPv6, and both versions are currently in use.

IPv6 allows for a staggering number of unique IP addresses, up to 340 undecillion. To put it in perspective, this means there are 340 followed by a total of 36 zeros, or 340 trillion, trillion, trillion unique IP addresses that can now be assigned. This significant extension in the total number of IP addresses accommodates substantial future growth of the internet and alleviates concerns about potential shortages of network addresses (Gillis, 2023).

2.3 Diagram of static IP and explain

• Internet: Represents the global internet, the vast network connecting all devices worldwide.

• ISP (Internet Service Provider): The ISP is the organization that provides internet connectivity to the business. It assigns an IP address to the business network, which is known as the public IP address. This public IP address is static and remains the same over time.

• Business Network: This is the local network of the business where various devices are connected, such as computers, servers, printers, etc.

• Router: The business network may have multiple routers that manage the flow of data between the internal devices and the external internet.

• Device IP: Each device within the business network, such as computers and servers, is assigned a private IP address. These private IP addresses are unique within the local network and are managed by the router.

In this diagram, the static IP address is assigned by the ISP to the router connected to the business network. This static IP is used to identify the business network on the internet. The devices within the business network have private IP addresses assigned by the local router, and these private IP addresses are not visible to the internet. The router acts as an intermediary between the internal devices with private IP addresses and the external internet with the static public IP address.

With this setup, devices within the business network can access the internet using the static IP address assigned by the ISP. However, external entities on the internet can only communicate with the business network through the router's public IP address. This arrangement provides an additional layer of security, as it hides the specific private IP addresses of internal devices from direct exposure to the internet (Gillis, 2023).

2.4 Benefits of a static IP address

While static IP addresses are less commonly used than dynamic ones, they offer several advantages that are not always obvious. Some of the benefits of a static IP address include (Gillis, 2023):

• Consistency: A static IP address remains the same over time, giving devices or services a consistent and reliable address. This makes it easier for other devices and users to locate and communicate with the device.

• Hosting Services: Static IP addresses are essential for hosting services such as websites, email servers, FTP servers and VoIP systems. They let users reach these services at a fixed address, and DNS records pointing at the service never go stale.

• Remote Access: A static IP address makes it simpler to establish remote access to a device, such as reaching a home or office computer from another location.

• Stability: Because the address never changes, long-lived sessions, VPN tunnels and DNS entries are not broken by a lease renewal, which reduces service disruptions.

• Geolocation and Filtering: Geolocation services can determine the location of a device with a static IP address more accurately, which is useful for various applications. Static addresses are also convenient for filtering and access-control rules.

• Simpler File Transfers: File servers with static addresses do not depend on dynamic DNS updates, so clients are not cut off by an address change part way through a large upload or download. (A static address does not by itself make transfers faster.)

• VPN and Gaming: Static IPs are preferred for hosting Virtual Private Networks (VPNs) and online game servers, as they provide a fixed endpoint for users to connect to.

• Simplified Network Management: Network administrators find it easier to manage and track devices with static IP addresses, particularly servers and critical network infrastructure.

Overall, a static IP address is advantageous where consistent connectivity, hosted services, remote access, stability and efficient network management are essential. It is a valuable option for businesses, servers and applications that require a reliable, fixed address to operate effectively.

Static IP addresses are often perceived as less secure precisely because they do not change. Once an attacker has located a host, the address stays valid for follow-up attacks, and a fixed address is easier to track over time.

On the other hand, the security weaknesses associated with static IP addresses can be mitigated by measures such as a router firewall, a security suite or a VPN. A VPN, for example, hides the device's real network address from the services it talks to, making it harder to determine its physical location. These measures do not guarantee that data is safe at all times, but they significantly raise the attacker's cost, so additional security controls are advisable (Gillis, 2023).

2.6 How can a static IP improve network security?

Static IP addresses can improve network security in several ways:

• Reduced Attack Surface: With a static address, a service can be published on exactly the ports it needs and the firewall rule set stays stable. With a changing address, port forwards and allowlists must be updated at every lease change, and stale or over-broad entries tend to accumulate.

• Access Control: Static IPs allow more precise access control. Network administrators can set up firewalls and security policies that accept connections only from trusted addresses, limiting exposure to everything else.

• Accurate Anti-Spoofing and Allowlist Rules: Because a trusted host's address does not change, rules that match on it remain correct over time. A static address does not by itself prevent IP spoofing, since a source address can be forged in any packet, so a source address should be treated as one input to a decision, never as authentication on its own.

While static IPs offer these security benefits, network security is a multi-layered undertaking. Additional measures such as firewalls, intrusion detection systems, strong authentication and regular security audits remain essential (Gillis, 2023).
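To make the access-control and anti-spoofing points concrete, here is an added Python example (not code from Gillis or from the original assignment). It assumes a firewall whose "wan" interface faces the Internet, a trusted allowlist of two partner networks with static addresses, and sample packets constructed for illustration; all addresses are documentation ranges.

```python
"""Access decisions keyed on fixed (static) source addresses, with ingress
anti-spoofing. Added illustration; addresses, interface names and packets are
constructed (documentation ranges), not taken from the original page."""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Assumed topology: interface "wan" faces the Internet, "lan" faces 192.168.10.0/24.
INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]

# Source prefixes that can never legitimately arrive from the Internet
# (RFC 1918 private space and loopback): ingress filtering in the spirit of BCP 38.
BOGON_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Trusted remote hosts with static addresses and the ports they may reach.
# Because the addresses are static, this table does not need rotating.
TRUSTED_SOURCES = {
    ipaddress.ip_network("203.0.113.10/32"): {22},        # partner office: SSH only
    ipaddress.ip_network("198.51.100.0/28"): {22, 443},   # monitoring provider
}


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on
    src: str
    dst: str
    dport: int


def decide(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, reason) for a packet. Only WAN ingress is policed here."""
    if pkt.iface != "wan":
        return "accept", "not WAN ingress; other rules apply"
    src = ipaddress.ip_address(pkt.src)

    # Anti-spoofing first: a private or internal source on the WAN side is forged
    # (or misrouted) and is dropped before any allowlist is consulted.
    for net in INTERNAL_NETS + BOGON_NETS:
        if src in net:
            return "drop", f"spoofed source {pkt.src} on wan (matches {net})"

    # Allowlist: trusted static sources get exactly the ports they need.
    for net, ports in TRUSTED_SOURCES.items():
        if src in net:
            if pkt.dport in ports:
                return "accept", f"trusted source {net}, port {pkt.dport}"
            return "drop", f"trusted source {net} but port {pkt.dport} not permitted"

    return "drop", "source not in allowlist"
```

A source-address match only shows that the packet claims to come from the partner; pairing the rule with an authenticated protocol (SSH keys, TLS client certificates) is what actually proves who is connecting.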

3. Define and discuss, with the aid of a diagram, NAT. Focus on its usage and security function as an advantage

Network Address Translation (NAT) is a method that lets private IP addresses be used by hosts that need to reach the public Internet. These private address ranges, documented in figure 19, are not allocated to any particular user or organisation and can be employed within any private internal network. Within the internal network, private addresses function just like regular IP addresses. However, if a packet carrying a private source or destination address reaches an Internet router, that router discards it (Ciampa, 2015).

3.2 How does Network Address Translation work?

Network Address Translation (NAT) is performed by a gateway positioned between two networks: the internal network and the external network. Devices on the internal network are usually assigned addresses that cannot be routed to outside networks, such as those in the 10.0.0.0/8 block (Hanna, Burke, 2023).

The gateway is allocated one or more externally valid IP addresses. Outbound traffic from an internal system is rewritten by the gateway so that it appears to originate from one of these valid external addresses. Similarly, incoming traffic directed at a valid external address is forwarded to the appropriate internal system.

A frequently cited benefit of NAT is improved security. Since every outgoing and incoming packet must pass through the translation table, the gateway has the opportunity to check that inbound traffic corresponds to an earlier outbound request and to drop anything that does not.

NAT also conserves the number of globally valid IP addresses a company needs and, used together with Classless Inter-Domain Routing (CIDR), it has significantly extended the useful life of IPv4. The original concept of NAT is described in IETF RFC 1631, later obsoleted by RFC 3022.

3.3 Diagram of NAT and explanation

NAT substitutes a public IP address for a private one. As a packet leaves the network, NAT strips the private source address from the packet and replaces it with a public address, as illustrated in Figure 20. To do this, NAT keeps a table of private IP addresses and their corresponding public alias addresses. When a reply returns to the NAT device, the process is reversed and the original private address is restored. A variant of NAT is port address translation (PAT), which gives every outgoing connection the same public IP address but a different source port (TCP or UDP). This allows many users to share a single public IP address.

A device performing NAT, such as a NAT router, can also provide a degree of security. Because all outgoing traffic passes through it, the router records the packets sent out and the responses it expects. If a packet arrives for an internal device but the router has no record of a matching outbound request, the packet is rejected and never enters the internal network. This makes a NAT router behave like a basic stateful firewall for inbound traffic, although it does not inspect or restrict outbound connections.

Moreover, NAT conceals the IP addresses of internal devices. An attacker who captures a packet on the Internet cannot see the actual address of the sending host, which makes it harder to identify and target a specific computer and adds a layer of protection against attack (Ciampa, 2015).

3.4 Network Address Translation (NAT) types

Network Address Translation (NAT) comes in several types, each serving a different purpose. The common types are:

• Static NAT (One-to-One NAT): A fixed mapping is established between one internal private IP address and one external public IP address, so a specific internal address is always presented as the same external address. Static NAT is commonly used when a device or server on the internal network must be reachable from the Internet at a consistent public address.

• Dynamic NAT: A pool of internal private IP addresses is mapped to a pool of external public IP addresses. As internal devices open outbound connections, each is assigned an available public address from the pool. This lets many internal devices share a limited number of public addresses, although no more devices can be active at once than there are addresses in the pool.

• Overload NAT (Port Address Translation, PAT): PAT is a form of dynamic NAT in which many internal private addresses are mapped to a single public address by using different source port numbers. It is the usual setup in home and small-business networks where many devices share one public address. PAT tracks the port number associated with each internal connection so that incoming replies are routed to the correct internal recipient.

• Twice NAT (Bi-directional NAT): Twice NAT changes both the source and the destination IP address of packets passing through the NAT device. This bidirectional translation gives more flexibility in how internal and external addresses are matched and presented, for example when two networks with overlapping private address ranges must communicate.
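The translation described in 3.3 and the static-versus-PAT distinction in 3.4, as an added Python simulation (not from Ciampa or from the assignment). It assumes one public address 203.0.113.1 used for PAT, a second public address 203.0.113.2 statically mapped to an internal web server at 192.168.1.10, and constructed packets. For brevity the PAT table is keyed on the private (address, port) pair only; a real gateway also records the destination and the protocol.

```python
"""NAT gateway simulation: port address translation (PAT) for outbound
connections, one static (one-to-one) mapping for a published server, and
dropping of unsolicited inbound packets. Added illustration; addresses are
documentation ranges and packets are constructed."""
import itertools
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.1"                        # single public address for PAT (assumed)
STATIC_MAP = {"192.168.1.10": "203.0.113.2"}     # static NAT: internal web server (assumed)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    def __init__(self, first_public_port: int = 40000):
        self._next_port = itertools.count(first_public_port)
        # (private ip, private port) -> public port allocated for it
        self.out_table: Dict[Tuple[str, int], int] = {}
        # public port -> (private ip, private port), used for replies
        self.in_table: Dict[int, Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the private network."""
        if pkt.src_ip in STATIC_MAP:
            # One-to-one mapping: only the address changes, the port is kept.
            return replace(pkt, src_ip=STATIC_MAP[pkt.src_ip])
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out_table:
            # First packet of a new flow: allocate a fresh public port so that
            # two internal hosts using the same private port do not collide.
            public_port = next(self._next_port)
            self.out_table[key] = public_port
            self.in_table[public_port] = key
        return replace(pkt, src_ip=PUBLIC_IP, src_port=self.out_table[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of a packet arriving from the Internet.
        Returns None when the packet is dropped."""
        for private_ip, public_ip in STATIC_MAP.items():
            if pkt.dst_ip == public_ip:
                # Statically mapped server: always reachable, so it must be
                # protected by firewall rules rather than by NAT.
                return replace(pkt, dst_ip=private_ip)
        if pkt.dst_ip == PUBLIC_IP and pkt.dst_port in self.in_table:
            private_ip, private_port = self.in_table[pkt.dst_port]
            return replace(pkt, dst_ip=private_ip, dst_port=private_port)
        # No record of a matching outbound request: unsolicited, dropped.
        return None
```

The contrast worth noticing is that the PAT host is unreachable until it initiates a flow, while the statically mapped server is reachable at all times; the static mapping gives the server a stable address but removes the "unsolicited traffic is dropped" behaviour for it.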

Discuss three benefits of implementing network monitoring systems, with supporting reasons (M2)

List some of the network monitoring devices and discuss each of them

Network monitoring is the practice of observing the devices in a network, often called nodes, to assess their health and availability. Its aim is to give administrators up-to-the-minute understanding and clear visibility of the network's status, which helps in recognising patterns and in promptly identifying or averting problems and outages. Nodes that are frequently monitored include servers, switches, routers, firewalls, cloud infrastructure and Internet of Things (IoT) devices (Bertucci, 2022).

The network monitoring process covers network discovery and real-time observation, carried out through a range of protocols. Each protocol has its own advantages and drawbacks, and popular network monitoring tools usually employ several of them. The most prevalent network monitoring protocols are:

• SNMP (Simple Network Management Protocol): SNMP is widely used for network monitoring. It supports polling (a monitoring station queries a network device) and notifications (devices send SNMP TRAPs or INFORMs to a monitoring station). SNMPv3 should be preferred over v1/v2c, which send their community strings in clear text.

• ICMP (Internet Control Message Protocol, "ping"): ICMP, used by commands such as ping and traceroute/tracert, is effective for determining device availability, network latency and jitter.

• IPMI (Intelligent Platform Management Interface): IPMI allows servers to be monitored and managed independently of the operating system, through the baseboard management controller. Monitoring tools use it to collect hardware-level data such as temperatures, fan speeds, power state and hardware event logs from monitored servers.

• Flow protocols: These provide insight into network traffic flows. Notable examples are NetFlow, sFlow and jFlow, which give a deeper understanding of which devices are talking to which, over which ports and in what volume.

• Syslog: Syslog enables centralised logging, which makes network monitoring and incident response more efficient by sending logs from network devices to a monitoring station. The facility and severity carried in each message help administrators filter and prioritise events.

• HTTP(S) (Hypertext Transfer Protocol): HTTP and its secure version HTTPS are commonly used to monitor web servers and applications that expose APIs over HTTP(S).

Advanced network monitoring software extends to further protocols such as SSH (Secure Shell), WMI (Windows Management Instrumentation), LLDP (Link Layer Discovery Protocol) and CDP (Cisco Discovery Protocol), alongside techniques such as port scanning, packet captures and agents installed on network endpoints to increase visibility.

Protocol selection depends on the devices in the network and the level of visibility and reporting required. ICMP with continuous pings suffices for basic uptime monitoring, while comprehensive visibility and mapping usually combine agents, pollers (for example SNMP and HTTP GETs), flow protocols and inbound notifications (for example SNMP TRAPs and syslog messages).
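Severity-based filtering of syslog, as an added Python example (not from Bertucci or from the assignment): it parses the PRI field that every BSD-style (RFC 3164) syslog message begins with, where PRI = facility × 8 + severity, and keeps only events at or above a chosen severity. The sample lines are constructed.

```python
"""Parse the syslog PRI field and filter events by severity.
Added illustration; the sample messages are constructed."""
import re
from typing import Dict, List, Optional

# Severity 0 is the most severe; facility codes 0..23 per RFC 3164 / RFC 5424.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse(line: str) -> Optional[Dict[str, object]]:
    """Split a BSD-style syslog line into facility, severity and message.
    Returns None for lines without a valid PRI (valid range is 0..191)."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    facility, severity = divmod(pri, 8)     # PRI = facility * 8 + severity
    return {
        "pri": pri,
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "severity_num": severity,
        "message": m.group(2),
    }


def filter_at_least(lines: List[str], max_severity: str) -> List[Dict[str, object]]:
    """Keep events whose severity is at least `max_severity` (lower number = more severe).
    Unparseable lines are skipped rather than silently promoted to an alert."""
    cutoff = SEVERITIES.index(max_severity)
    selected = []
    for line in lines:
        event = parse(line)
        if event and event["severity_num"] <= cutoff:
            selected.append(event)
    return selected


# Constructed sample input: an auth failure, an accepted login, a routing
# adjacency loss, and a malformed line.
SAMPLE = [
    "<34>Oct 11 22:14:15 fw1 su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Oct 11 22:14:16 sw2 sshd[1021]: Accepted publickey for admin from 10.0.0.5",
    "<163>Oct 11 22:14:17 rtr1 ospfd: neighbour 10.0.0.2 went Down",
    "garbage line without PRI",
]
```

Filtering on "err" keeps the su failure (auth, crit) and the OSPF event (local4, err) and drops the informational login; in practice the dropped lines still belong in the archive, since the login record is exactly what an investigation later needs.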

1.2 Some of the network monitoring devices

a. Auvik

Auvik is a cloud-hosted network monitoring tool aimed at both internal IT teams and Managed Service Providers (MSPs). It supports a wide range of network monitoring protocols for network discovery and monitoring, and its TrafficInsights feature goes beyond typical NetFlow-based traffic analysis by combining machine learning with flow protocols (Bertucci, 2022).

Because Auvik runs in the cloud, it avoids much of the initial setup that on-premises network monitoring systems require. Network discovery is started by deploying a lightweight collector, either on site or in a cloud environment.

After discovery, Auvik provides customisable and detailed network monitoring, network mapping and a range of automated workflows, including automated network documentation.

Auvik also integrates with many other tools, from collaboration platforms such as Microsoft Teams and Slack to IT service management platforms such as ServiceNow and FreshDesk. Its API makes it possible to build further integrations beyond the ones supplied.

➢ Scenario: Monitoring Latency on a Network Link

• Threshold: If the round-trip latency on a specific network link exceeds 50 milliseconds (ms) for more than 3 consecutive ping tests, trigger an alert.

• Explanation: In this example you monitor the latency (delay) on a specific link to ensure that communication between two endpoints stays within an acceptable range. You set a threshold of 50 ms for round-trip latency. The monitoring tool periodically sends ping tests to measure the latency between the endpoints; if it exceeds 50 ms for more than 3 consecutive tests, Auvik raises an alert.

• Action: On receiving the alert, the network administrator investigates. High latency can indicate congestion, routing problems or other issues that affect communication performance. The administrator might review traffic patterns, analyse the routing configuration and, where needed, optimise the network path or allocate more capacity to the link.

Keep in mind that the right threshold values depend on the characteristics of your network, the latency the applications can tolerate and the criticality of the link being monitored. Thresholds should be reviewed and adjusted regularly against performance trends and user requirements.
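The threshold logic of the latency scenario, as an added Python example (not Auvik's code and not from the assignment): it walks a list of probe results in order, counts consecutive breaches of the 50 ms threshold, raises an alert only once more than 3 consecutive probes have breached it, and clears the alert on the first probe that recovers. Lost probes (None) are counted as breaches. The readings are constructed.

```python
"""Consecutive-breach threshold alerting for round-trip latency.
Added illustration; probe readings are constructed."""
from typing import List, Optional, Tuple


def evaluate_probes(rtts_ms: List[Optional[float]],
                    threshold_ms: float = 50.0,
                    consecutive: int = 3) -> List[Tuple[int, str]]:
    """Return (probe index, event) pairs, where event is 'alert' or 'clear'.

    rtts_ms: round-trip time per probe; None means the probe was lost, which is
    treated as a breach because a lost packet is worse than a slow one.
    An 'alert' fires on the probe that makes the breach streak exceed
    `consecutive` (i.e. the 4th breach by default); 'clear' fires on the first
    probe back at or under the threshold while an alert is active. Repeated
    breaches while already alerting do not re-fire, which avoids alert storms."""
    events: List[Tuple[int, str]] = []
    streak = 0
    alerting = False
    for i, rtt in enumerate(rtts_ms):
        breached = rtt is None or rtt > threshold_ms
        streak = streak + 1 if breached else 0
        if breached and streak > consecutive and not alerting:
            events.append((i, "alert"))
            alerting = True
        elif not breached and alerting:
            events.append((i, "clear"))
            alerting = False
    return events


# Constructed readings: a five-probe spike (should alert), recovery, then a
# three-probe spike that is exactly at the limit and should not alert.
SAMPLE_RTTS: List[Optional[float]] = [
    12.0, 14.5, 61.0, 70.2, 55.0, 80.1, 90.0, 13.0, 66.0, 64.0, 63.0, 12.0,
]
```

The second spike in the sample lasts exactly three probes and therefore produces no alert, which is the behaviour the "more than 3 consecutive" wording asks for; if a three-probe spike should already alert, pass consecutive=2.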

• Network Mapping: Auvik automatically discovers and maps network devices, giving a visual representation of the network topology that helps administrators understand device relationships and connections.

• Automation of Network Documentation: Auvik documents the network by automatically gathering and organising device details, configurations and other relevant information.

• TrafficInsights™ (Intelligent Network Traffic Analysis): This feature analyses network traffic patterns, helping administrators spot anomalies, bottlenecks and potential security threats in order to improve performance and security.

• 2FA (Two-Factor Authentication): Auvik supports two-factor authentication, which strengthens user accounts by requiring a second verification step beyond the password.

• Granular Access Controls: Administrators can define specific permissions for individual users or groups, so that each user has only the level of access to monitoring and management functions that their role requires.

• SSO (Single Sign-On) Support with Integrations: Auvik supports single sign-on for user authentication and integrates with identity providers such as Okta, Azure Active Directory and Google.

• Inventory Management with Firmware and Lifecycle Data: Auvik keeps an inventory of network devices including firmware versions and lifecycle data, which helps administrators manage device health, updates and replacements.

• Configuration Backup and Recovery: Auvik backs up device configurations so that they can be restored quickly after an error or device failure. A retained backup also makes unauthorised changes visible by comparison with the last known-good copy.

• Robust API (Application Programming Interface): Auvik's API allows integration with other tools and platforms, enabling custom workflows, data exchange and further automation.

Why do you need to monitor networks?

Having comprehensive insight into your hardware and software resources is what allows you to keep a constant watch on your network's health. A fitting analogy is a consultation with a cardiologist, who looks for warning signs as blood circulates through the heart's vessels, valves and chambers. In the same way, a network monitoring platform watches the data moving across cables, servers, switches, links and routers, and when a problem arises the physician (your monitoring tools) has the knowledge to pinpoint the root cause so that it can be resolved quickly (Newsroom, 2023).

At its core, a network monitoring solution tells you the operational status of devices such as routers, switches, servers and databases. Waiting for issues to escalate and for users to report them is undesirable. Taking a proactive stance on network health not only reduces technical support requests but also cuts downtime (Newsroom, 2023).

A network outage is a dreaded scenario for any network administrator. Network monitoring solutions play a pivotal role in preventing such outages: they continually survey the network for performance anomalies that could signal an impending failure, and if any device or network segment starts to lag, the monitoring solution identifies the issue and alerts you to act.

Network monitoring software also improves business efficiency by streamlining network management, reducing operational time and cost. By staying informed about existing or imminent issues you can mitigate or minimise downtime, which in turn boosts the productivity of your business teams (Newsroom, 2023).

2.4 Increase performance through understanding capacity

Network monitoring software helps you understand which network components are used effectively, which are over-used and which are under-used. It also reveals unnecessary spending that can be trimmed and identifies the elements that need upgrading to sustain future performance. Typically it does this by providing real-time data on a range of metrics such as bandwidth consumption, packet loss, jitter and latency. This insight lets IT staff quickly identify the origin of issues, and proactive monitoring allows problems to be resolved before users notice them rather than after (Newsroom, 2023).

Ensuring compliance is a crucial responsibility for IT teams running intricate networks on demanding schedules. Data extracted from monitoring tools helps in evaluating the whole system's adherence to regulatory and security requirements, supporting a secure and efficient service that meets the mandated criteria. Contemporary compliance directives emphasise active observation of deviations from routine system operation and of abnormal data patterns; a continuous monitoring system running around the clock is an effective mechanism for alerting you when anomalies arise (Newsroom, 2023).

What are the benefits of monitoring a network?

The number of Internet-connected devices has reached astonishing levels, with projections of over 35 billion interconnected devices by 2021. With the rise of remote work, the use of personal devices (BYOD) and an ever-wider range of devices connecting to corporate networks, the potential for security vulnerabilities grows. As networks expand in size and complexity, understanding the advantages of network monitoring becomes critically important (Cassandro, 2021).

You must be able to oversee every element of your network, including all connected devices and the data flowing within it. This is the most effective way to ensure the network's health and to detect any slowdown in its operation (Cassandro, 2021).

However, managing all network components effectively can be demanding. Automated network mapping tools, used as part of your monitoring strategy, can give a comprehensive picture of even the most intricate network.

Organisations that must comply with regulatory requirements need suitable network monitoring solutions. Standards such as PCI DSS, HIPAA, FISMA, SOX and similar mandates require network monitoring as an integral part of the internal control framework for compliance, alongside any existing external security measures (Cassandro, 2021).

Unplanned service interruptions can significantly hamper productivity and result in substantial cost. According to a recent survey, 40% of large businesses indicated that a single hour of downtime could cost between $1 million and $5 million.

Monitoring strategies can proactively mitigate such unforeseen disruptions. A key function of network monitoring tools is to detect early indicators of device malfunction or network trouble, which helps pinpoint problems and avert downtime.

Moreover, network monitoring is not only a preventative measure against downtime: performance monitoring also lets IT teams improve efficiency for smoother operations.

3.4 Finding and Fixing Problems Quickly

When trouble strikes, network monitoring speeds up identification of the problem. Whether it is a change in traffic, a misconfiguration or a more critical issue, network maps make it quick to pinpoint the source. Network automation tools built into the monitoring approach can even resolve some issues on their own (Cassandro, 2021).

Minimising your Mean Time to Repair (MTTR) lessens the impact of downtime or poor network performance, freeing your IT team to attend to other matters.

Although its primary function is performance monitoring, network monitoring also reveals potential security risks. By continually watching for abnormal or suspicious activity you may catch minor threats before they escalate. Malware or viruses that evade initial detection can still be flagged by a network monitoring system through atypical behaviour, such as unusual use of network resources (Cassandro, 2021). The same approach supports early detection of unauthorised access and of security threats such as DDoS attacks or unapproved downloads.

When your network's data flow becomes congested, both staff and customers suffer. Tracking the usage of your network's capacity tells you when a slowdown is under way. As bandwidth consumption approaches critical thresholds you receive notifications, so that you can adjust quality of service (QoS) settings or take other measures to improve overall performance (Cassandro, 2021).

The ever-changing nature of user requirements makes it hard to predict how and where network resources will be used in the future. As usage grows, it becomes crucial to plan proactively for additional infrastructure and capacity to meet the rising demand (Cassandro, 2021).

Through active monitoring and continuous performance tracking, network monitoring software is a valuable tool for detecting spikes in utilisation. By establishing a performance baseline you can forecast future capacity needs more precisely and make informed decisions about upgrades.

Historical data also provides compelling support for investment proposals in budget discussions. Evidence that slowdowns or reduced performance are directly linked to increased utilisation makes a strong case to executives for system upgrades.

Network monitoring is equally important when new technologies are rolled out. It helps assess whether the network can accommodate the extra load and identifies potential performance problems before deployment; afterwards, continuous monitoring verifies that performance levels are sustained (Cassandro, 2021).

Network monitoring tools offer one further, under-appreciated advantage. IT teams today face an overwhelming workload: the growth and complexity of networks places substantial responsibility on teams that are often under-staffed yet still held accountable for flawless performance. The right monitoring tools, such as WhatsUp Gold, can substantially relieve this burden (Cassandro, 2021).

IT teams regain control of their networks without manual performance investigation. They receive proactive alerts when intervention is needed and reduce downtime, and when an issue does occur the monitoring solution simplifies identifying, isolating and fixing it.

All of this gives team members more time to focus on other projects that contribute to revenue growth, a priceless advantage.

Investigate how a ‘trusted network’ may be part of an IT security solution (D1)

Discuss and explain what a trusted network is

Trusted networks are described as the networks that lie within your security perimeter; generally they are the networks being protected. Computers on the trusted network can readily use specialised departmental services such as NFS for home and project storage, NIS for account management and data distribution, printers and software packages (tutorialspoint, 2022).

Access to this network is restricted to machines overseen by the laboratory staff, protecting sensitive information and keeping departmental resources available. An up-to-date list of machines on the trusted network is maintained.

A trusted network architecture uses contemporary standards, protocols and hardware components to establish 'trust'. It supports key security services: user authentication, control over which devices are admitted to the network, verification of each end device's condition (posture), policy-based access control, traffic filtering, automated remediation of non-compliant devices and audit trails.

A trusted network requires at least two Network Admission Devices (NADs), which are switches equipped with firewalls, and an Authentication, Authorization, and Accounting (AAA) server. Policy Validation Servers (PVSs) can be added as required, for example an anti-virus validation server to confirm that devices have current virus protection, a patch management server to confirm that required patches are present, and a software validation server to verify installed device firmware. Integrating multiple PVSs increases the cost of the Trusted Process Control Network (TPCN) but strengthens its security.

All network components, including switches, routers and wireless access points, must support trusted-network functions. Some vendors offer products with these capabilities built in, so an organisation that is deploying new equipment can implement a TPCN cost-effectively. Legacy systems, however, may require significant and expensive upgrades.

Client devices may also need software and firmware updates to enable trusted-network functionality.

A trusted-network client component (agent) on the device is needed to authenticate with the AAA server and to transmit posture values. For secure applications, Trusted Platform Module (TPM) chips can be used to verify configurations and to produce signed posture measurements.

Devices such as Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs) usually lack TPMs. Since some RTUs include integrated web servers, adding TPMs to these devices may become relevant, particularly where regulation demands trusted Industrial Control System (ICS) architectures.

Administrators roll out system updates by issuing new directives to the AAA server and the PVSs. The AAA server communicates the updated policy to devices. Devices that already have the update validate this with a PVS and remain on the network; those that do not are supplied with the necessary patches by the appropriate server (or have them deployed automatically) before being granted network access.

TPCNs face the same availability challenges as traditional Process Control Networks (PCNs), because deploying patches can cause system failures. Each patch or update must therefore be tested rigorously before it is introduced to the AAA server.

Give brief details with an example on its uses

Figure 32: Trusted Process Control Network

Figure 32 illustrates the structure of a trusted process control network (TPCN) architecture To initiate the process of joining the network, a client device sends its request to the Network Admission Device (NAD) Using the EAP protocol over 802.1x, the NAD verifies the identity of the client device and transmits the results to the Authentication, Authorization, and Accounting (AAA) server via the RADIUS protocol The AAA server responds with a list of requirements for posture validation and the addresses of the relevant Policy Validation Servers (PVSs) (Hamed Okhravi, David Nicol, 2008)

Subsequently, the client device undergoes posture validation with each of the PVSs If the client adheres to the compliance criteria, the results are communicated to the AAA server using the HCAP protocol Conversely, if the client falls short on any requirement, the suitable posture remediation servers recommend corrective actions to the client

The directory server determines the client's assigned group or role. Combining the inputs from the PVSs and the directory server, the AAA server determines the set of rules governing the client's access and network usage. These rules are conveyed to the NAD for enforcement. From this point the client is permitted to communicate through the NAD, and all of its traffic is continuously checked against the policy.

The policy maintained by the AAA server consists of an authentication requirement and a list of posture validation prerequisites. For instance, the policy might require token-based authentication, and postures might have to be verified with the anti-virus server, the patch management server, and the driver validation server. When a client device seeks to join the network, a NAD engages the AAA server on the device's behalf. The AAA server authenticates the device and derives rules from the device's security posture, which the NAD then applies to all traffic to and from the device. As an illustration, an RTU with validated firmware is allowed to talk to the historian while all of its other traffic is blocked. The following examples illustrate how a TPCN operates (Hamed Okhravi, David Nicol, 2008).

Example 1. A person at a workstation wants to connect wirelessly to the network to retrieve historical data about the operation of a particular facility. The workstation associates with a wireless access point (AP) in the business network that acts as a Network Admission Device (NAD). By default, this access point enforces a policy that blocks all traffic except what is needed to establish trust. The workstation authenticates to the access point using 802.1X with EAP, presenting a stored certificate. The AP forwards the workstation's identity to the AAA (RADIUS) server, which in turn passes the user's identity to a directory server holding the user's role (in this case, "analyst").

The AAA (Authentication, Authorization, and Accounting) server, again over RADIUS via the access point, gives the workstation the list of posture requirements, such as the anti-virus software version and the operating system patch history. The workstation uses its Trusted Platform Module (TPM) to produce signed posture values and sends them to the relevant Posture Validation Servers (PVSs), which check them. During this assessment one PVS finds that a required patch is missing from the workstation's operating system, so the patch management PVS works with a remediation server to push the appropriate patch to the workstation.

Once the assessment is complete, the PVSs report the results back to the AAA server using the HCAP protocol. If the workstation complies with the requirements, the AAA server sends a rule set to the access point for enforcement. Because the user's role is "analyst", the rule set permits TCP connections to the historian while blocking access to every other device on the network.

Example 2. An RTU (Remote Terminal Unit) wants to join the PCN (Process Control Network). The RTU is cabled to a switch on the factory floor that acts as a Network Admission Device (NAD). The protocols are the same as in Example 1 and are not repeated here. The switch authenticates the RTU using the token stored in the RTU.

The AAA server requires the RTU to have its configuration confirmed by a configuration management server. The RTU sends its configuration to the configuration management server, which reports success to the AAA server. The AAA server then sends a rule set tailored to the compliant RTU to the switch, which enforces it. As a result, the RTU may communicate with other RTUs, the MTU (Master Terminal Unit), and the historian, while the switch blocks all other traffic.
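The two walk-throughs above (the analyst workstation and the RTU) as a small simulation of the admission decision. This is an added illustration, not code from this page or from Okhravi and Nicol. Device names, credentials, patch identifiers, role names and rule strings are constructed for the demo, and a keyed HMAC over the reported posture stands in for the TPM-signed posture quote; the point is the order of checks (authenticate, verify the quote, run each PVS, remediate, then push role-specific rules to the NAD) and that any failure leaves the device on the pre-admission policy.

```python
"""Toy simulation of the TPCN admission flow (Examples 1 and 2 above).

Added illustration, not code from this page or from Okhravi and Nicol.
Device names, credentials, patch IDs, role names and rule strings are
constructed for the demo. A keyed HMAC over the posture stands in for
the TPM-signed posture quote that a real client would produce.
"""
import hashlib
import hmac

# ---- constructed server-side data (assumptions) ----
CREDENTIALS = {"ws-analyst-01": "cert:4f3a", "rtu-07": "token:9b1c"}   # AAA auth DB
DIRECTORY = {"ws-analyst-01": "analyst", "rtu-07": "rtu"}               # directory server
TPM_KEYS = {"ws-analyst-01": b"k-ws", "rtu-07": b"k-rtu"}                # attestation keys
MIN_AV_VERSION = 5                                                       # anti-virus PVS
REQUIRED_PATCHES = {"KB-1001", "KB-1002"}                                # patch mgmt PVS
GOOD_FIRMWARE = {"rtu-07": hashlib.sha256(b"rtu-fw-2.1").hexdigest()}  # config mgmt PVS

# Default NAD policy before admission: only trust-establishment traffic passes
PRE_ADMISSION_RULES = ["permit 802.1X/EAP to NAD", "deny any"]


def tpm_quote(device, posture):
    """Stand-in for a TPM quote: keyed MAC over the canonical posture."""
    msg = repr(sorted(posture.items())).encode()
    return hmac.new(TPM_KEYS[device], msg, "sha256").hexdigest()


def av_pvs(device, posture):
    """Anti-virus PVS: engine version must meet the minimum."""
    return posture.get("av_version", 0) >= MIN_AV_VERSION, None


def patch_pvs(device, posture):
    """Patch management PVS: returns (ok, list of missing patches)."""
    missing = REQUIRED_PATCHES - set(posture.get("patches", ()))
    return not missing, sorted(missing)


def firmware_pvs(device, posture):
    """Configuration management PVS: firmware hash must match the approved image."""
    return posture.get("fw_hash") == GOOD_FIRMWARE.get(device), None


# AAA policy: which PVSs a role must pass, and the rules the NAD then enforces
POLICY = {
    "analyst": ([av_pvs, patch_pvs], ["permit tcp ws -> historian", "deny any"]),
    "rtu": ([firmware_pvs], ["permit ip rtu -> rtu,mtu,historian", "deny any"]),
}


def remediation_server(posture, missing):
    """Push the missing patches and return the client's updated posture."""
    return dict(posture, patches=sorted(set(posture.get("patches", ())) | set(missing)))


def admit(device, credential, posture, quote, allow_remediation=True):
    """Run the NAD -> AAA -> PVS exchange. Returns (admitted, nad_rules, log)."""
    log = []
    # 1. Authentication: the NAD relays the 802.1X/EAP identity to AAA over RADIUS
    if credential is None or CREDENTIALS.get(device) != credential:
        log.append("auth failed")
        return False, PRE_ADMISSION_RULES, log
    role = DIRECTORY.get(device)
    if role not in POLICY:
        log.append("no policy for role")
        return False, PRE_ADMISSION_RULES, log
    pvs_list, rules = POLICY[role]
    # 2. Posture validation: verify the quote before trusting any reported value
    if not hmac.compare_digest(tpm_quote(device, posture), quote):
        log.append("posture quote invalid")
        return False, PRE_ADMISSION_RULES, log
    for pvs in pvs_list:
        ok, missing = pvs(device, posture)
        if not ok and pvs is patch_pvs and allow_remediation:
            posture = remediation_server(posture, missing)
            log.append(f"remediated patches {missing}")
            ok, _ = patch_pvs(device, posture)  # re-check after remediation
        log.append(f"{pvs.__name__} {'ok' if ok else 'failed'}")
        if not ok:  # any failed PVS keeps the device on the pre-admission policy
            return False, PRE_ADMISSION_RULES, log
    # 3. AAA combines role and posture results (reported over HCAP) into NAD rules
    log.append(f"role={role}; rules pushed to NAD")
    return True, rules, log


if __name__ == "__main__":
    ws = {"av_version": 6, "patches": ["KB-1001"]}  # constructed posture, one patch short
    print(admit("ws-analyst-01", "cert:4f3a", ws, tpm_quote("ws-analyst-01", ws)))
```

The quote check comes before any PVS runs: a client that reports a compliant posture but cannot back it with a quote over that exact posture is rejected outright, which is what makes the TPM (rather than the client's own software) the root of the posture claim.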

How can it be a solution in IT security?

The level of security you need determines the approach you take. Connecting only through a trusted network contributes substantially to that security. Modern networks are complex, and any unaddressed weakness exposes you to the routine attacks that hit exposed systems every day. A combination of tools and protocols is needed to secure a network end to end.

Security starts with a trusted network; without it, all other efforts are undermined. A trusted network is the secured perimeter within which you want to protect your digital infrastructure. Within it, designated computers can reach resources such as NFS (home and project drives), NIS (distributed accounts and data), printers, software packages, and departmental services. Access to this network is strictly controlled by the lab staff, so sensitive information stays protected while departmental resources remain available. An up-to-date roster of trusted machines is kept.

A trusted network is built on current standards, protocols, and hardware components to establish "trust". Such a network supports user authentication, admission control for network devices, verification of end-device state, policy-based access control, traffic filtering, automated remediation of non-compliant devices, and comprehensive auditing. To create such a trusted network, two NADs (firewall switches) and an AAA server are required. Additional PVSs can be integrated, such as an anti-virus validation server to ensure up-to-date virus protection, a patch management server to keep systems current, and a software validation server to confirm genuine firmware. Each additional PVS adds cost but increases security.

In a corporate setting, the network used for internal operations is called the trusted network. It typically defaults to a "secure" mode within the organization. It carries essential functions such as backend systems, internal websites, data processing, communication channels, and sometimes internal instant messaging. In many cases unencrypted direct communication between systems is permitted within the trusted network, and multiple protocols coexist without any filtering or virus scanning.

The problem with this definition is the assumptions it makes about different businesses. A secure network is not necessarily a trusted network. Internal networks are often made up of several distinct segments, and not all of them can be fully trusted. Multiple paths to the outside world, including recent acquisitions, legacy systems, international sites, and various external connections, create vulnerabilities.

In common usage, the trusted network is the one used by internal employees at the workplace or over a secure dial-in (remote access) link. A demilitarized zone (DMZ) serves as the single entry point from the outside world, acting as a buffer between the trusted and untrusted networks. The DMZ keeps unauthorized users from reaching the trusted network. A DMZ can be configured in a number of ways.

In conclusion, maintaining a secure network is essential for safeguarding digital infrastructure. Contemporary security measures such as user authentication, admission control, and DMZs help mitigate the risks posed by vulnerabilities in a complex network landscape. The term "trusted network" can be misleading in corporate environments because different network segments carry different levels of trust. A comprehensive and adaptable security strategy is therefore crucial to addressing the evolving challenges of network security.

In this assignment, a range of subjects concerning network and IT security were explored. These included identifying potential security threats, organizational security procedures, and the consequences of misconfigured firewall policies and IDS. The use of a DMZ, static IP addresses, and NAT to improve network security was also examined.

Throughout this process, I gained valuable insights into the significance of proactive security measures and the ongoing commitment required to protect businesses from emerging risks. With this knowledge, I am better equipped to navigate the intricacies of IT security and to ensure the protection and resilience of critical data and assets.

Abrams, L., 2022. Microsoft confirms they were hacked by Lapsus$ extortion group. [Online] Available at: https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-they-were-hacked-by-lapsus-extortion-group/#:~:text=March%2022%2C%202022%2008%3A13%20PM%200%20Microsoft%20has,source%20code%20stolen%20from%20Microsoft%27s%20Azure%20DevOps%20server

Andrea, H., 2023. Comparison and Differences Between IPS vs IDS vs Firewall vs WAF. [Online] Available at: https://www.networkstraining.com/firewall-vs-ips-vs-ids-vs-waf/

Available at: https://www.fortinet.com/resources/cyberglossary/what-is-dmz#:~:text=The%20main%20benefit%20of%20a

Bertucci, D., 2022. 10 Best Network Monitoring Tools, Compared. [Online] Available at: https://www.auvik.com/franklyit/blog/best-network-monitoring-tools/?fbclid=IwAR2WhkT1zYAgfO09h1wFCCNmBlfJGmNQI_cKqqBbHo6o14OtY0RMsiL1lt4#:~:text=For%20example%2C%20port,want%20to%20achieve

Cassandro, A., 2021. The Benefits of Networking Monitoring. [Online] Available at: https://www.whatsupgold.com/blog/The-Benefits-of-Networking-Monitoring

Cflowapp, 2023. Top 5 Vendor Management Tools Every Organization Needs to Consider. [Online] Available at: https://www.cflowapps.com/top-vendor-management-tools/

Available at: https://www.eccouncil.org/cybersecurity-exchange/threat-intelligence/octave-threat-model-benefits/

Ciampa, M., 2015. Brokers. In: CompTIA Security+ Guide to Network Security Fundamentals. s.l.:s.n.

Ciampa, M., 2015. Collect Data. In: CompTIA Security+ Guide to Network Security Fundamentals. s.l.:s.n., pp. 60-62.

Ciampa, M., 2015. Concealment. In: CompTIA Security+ Guide to Network Security Fundamentals. s.l.:s.n., pp. 58-59.

Ciampa, M., 2015. Cybercriminals. In: CompTIA Security+ Guide to Network Security Fundamentals. s.l.:s.n., p. 21.

Ciampa, M., 2015. Cyberterrorists. In: CompTIA Security+ Guide to Network Security Fundamentals. s.l.:s.n., p. 24.

Ciampa, M., 2015. DMZ. In: CompTIA Security+ Guide to Network Security Fundamentals. s.l.:s.n., p. 293.

Ciampa, M., 2015. Firewall Network. In: CompTIA Security+ Guide to Network Security Fundamentals. s.l.:s.n., pp. 280-281.

Ciampa, M., 2015. Hacktivists. In: CompTIA Security+ Guide to Network Security Fundamentals. s.l.:s.n.

Ciampa, M., 2015. Insiders. In: CompTIA Security+ Guide to Network Security Fundamentals. s.l.:s.n., p. 23.

Ciampa, M., 2015. Malware. In: CompTIA Security+ Guide to Network Security Fundamentals. s.l.:s.n.

Ciampa, M., 2015. NAT. In: CompTIA Security+ Guide to Network Security Fundamentals. s.l.:s.n., pp. 290 ff.

Ciampa, M., 2015. Script Kiddies. In: CompTIA Security+ Guide to Network Security Fundamentals. s.l.:s.n.

Ciampa, M., 2015. Threats. In: CompTIA Security+ Guide to Network Security Fundamentals. s.l.:s.n., p. 47.

Ciampa, M., 2015. Trojans. In: CompTIA Security+ Guide to Network Security Fundamentals. s.l.:s.n., pp. 57 ff.

Ciampa, M., 2015. Viruses. In: CompTIA Security+ Guide to Network Security Fundamentals. s.l.:s.n., p. 53.

Ciampa, M., 2015. Who are the attackers? In: CompTIA Security+ Guide to Network Security Fundamentals. s.l.:s.n., p. 21.

Ciampa, M., 2015. Worm. In: CompTIA Security+ Guide to Network Security Fundamentals. s.l.:s.n., p. 57.

Cowley, S., 2022. Block says a former employee downloaded data on millions of Cash App Investing customers. [Online] Available at: https://www.nytimes.com/2022/04/06/business/block-cash-app-data-breach.html

Kim, D. and Solomon, M.G., 2018. LAN Domain. In: Fundamentals of Information Systems Security. s.l.:s.n., p. 22.

Kim, D. and Solomon, M.G., 2018. LAN-to-WAN Domain. In: Fundamentals of Information Systems Security. s.l.:s.n.

Kim, D. and Solomon, M.G., 2018. Remote Access Domain. In: Fundamentals of Information Systems Security. s.l.:s.n.

Kim, D. and Solomon, M.G., 2018. User Domain. In: Fundamentals of Information Systems Security. s.l.:s.n., p. 19.

Kim, D. and Solomon, M.G., 2018. WAN Domain. In: Fundamentals of Information Systems Security. s.l.:s.n., p. 28.

Kim, D. and Solomon, M.G., 2018. Workstation Domain. In: Fundamentals of Information Systems Security. s.l.:s.n.

Kim, D. and Solomon, M.G., 2018. Change Control Procedures. In: Fundamentals of Information Systems Security. s.l.:s.n.

Kim, D. and Solomon, M.G., 2018. DMZ. In: Fundamentals of Information Systems Security. s.l.:s.n., p. 344.

Kim, D. and Solomon, M.G., 2018. Intrusion Detection System (IDS). In: Fundamentals of Information Systems Security. s.l.:s.n.

Kim, D. and Solomon, M.G., 2018. Firewall Types. In: Fundamentals of Information Systems Security. s.l.:s.n., pp. 342-343.

Kim, D. and Solomon, M.G., 2018. Incident Handling Procedures. In: Fundamentals of Information Systems Security. s.l.:s.n., p. 278.

Fisher, T., 2021. What Is a Static IP Address? [Online] Available at: https://www.lifewire.com/what-is-a-static-ip-address-2626012

Gillis, A.S., 2023. Static IP address. [Online] Available at: https://www.techtarget.com/whatis/definition/static-IP-address

Hall, D., 2021. Top Cyber Security Threats to Organizations. [Online] Available at: https://www.cioinsight.com/security/cyber-security-threats/

Okhravi, H. and Nicol, D., 2008. TPCN Architecture. In: Applying Trusted Network Technology to Process Control Systems.

Available at: https://www.esecurityplanet.com/threats/breach-and-attack-simulation-find-vulnerabilities-before-the-bad-guys-do/?fbclid=IwAR2UDScmeD3Cu7kZUv1pV8SfryXPvvxR7qts1FXYuCQobaLU6tQUK8C2e-o

Heiligenstein, M.X., 2023. Amazon Data Breaches: Full Timeline Through 2023. [Online] Available at: https://firewalltimes.com/amazon-data-breach-timeline/

Imperva, 2023. imperva.com. [Online] Available at: https://www.imperva.com/learn/application-security/vulnerability-assessment/

Available at: https://www.getastra.com/blog/security-audit/vulnerability-assessment-scanning-tools/ [Accessed 01 08 2023]

javatpoint, 2023. Trusted Systems in Network Security. [Online] Available at: https://www.javatpoint.com/trusted-systems-in-network-security

Katie Terrell Hanna, J. B., 2023. Network Address Translation (NAT). [Online] Available at: https://www.techtarget.com/searchnetworking/definition/Network-Address-Translation-NAT

Newsroom, 2023. These are the best Network Monitoring Tools. [Online] Available at: https://network-king.net/best-network-monitoring-tools/

Sharif, A., 2023. What is Security Information and Event Management (SIEM)? [Online] Available at: https://www.crowdstrike.com/cybersecurity-101/security-information-and-event-management-siem/ [Accessed 01 08 2023]

startupstash, 2022. Top 20 Breach and Attack Simulation (BAS) Tools. [Online] Available at: https://startupstash.com/breach-and-attack-simulation-bas-tools/ [Accessed 29 07 2023]

tutorialspoint, 2022. tutorialspoint.com. [Online] Available at: https://www.tutorialspoint.com/what-are-trusted-networks-in-information-security [Accessed 17 08 2023]

Yasar, K., 2023. Antivirus software (antivirus program). [Online] Available at: https://www.techtarget.com/searchsecurity/definition/antivirus-software


Date posted: 24/02/2024, 01:57
