Digital Forensic Compilation Report-Out
Abstract
Digital forensics involves several processes: identifying digital evidence, extracting it, preserving it, and documenting what was obtained. Various tools and activities support these processes. In this compilation report, we conduct digital forensics activities such as evidence collection and analysis. We also address the different types of attacks and attack vectors and conduct packet analysis using the Wireshark packet analyzer. We also conduct vulnerability tests using the Nessus Vulnerability Assessment tool and the SCAP Workbench tool. This report also provides a risk and vulnerability report that includes recommendations for mitigating the identified vulnerabilities in the system.
Introduction
The insider threat case is addressed in the digital evidence collection and analysis section of the report. The case involved the introduction of the Reventon malware into the computer system. The individual suspected of facilitating the attack is a member of the IT staff, Ms. Penelope Anne Grascholtz. Attackers conduct two broad types of attacks, active and passive, and different modes of attack can be implemented within each. Examples noted in Australia’s attack incident include a WordPress attack, a Denial-of-Service attack, and a cross-site scripting attack. The Wireshark packet analysis tool is used to analyze the packets that were sent to carry out the attacks noted in the incident. When implementing security measures to address the vulnerabilities present in a system, network administrators must identify the different vectors through which attacks can occur; identifying these vectors makes it possible to implement layered security against each of them. In a network, it is essential to identify the vulnerabilities present before attackers exploit them. Tools used to conduct vulnerability tests in the network include the Nessus Vulnerability Assessment tool and the SCAP Workbench tool.
Digital Evidence Collection and Analysis
The Human Resources office may have discovered insider threats. A web developer, a server operations team member, and Ms. Penelope Anne Grascholtz have been unaccounted for for over five days. Upon investigation, the server team discovered a thumb drive lying inside the rear panel of a hardware enclosure for a server that hosts websites for both internal and external users. An unauthorized Windows 10 user account was recently created on that server. Four thumb drives were discovered with partitions, and only one contained data. Passwords were also found on a sticky note stuck to the inside of a laptop known to be used by Ms. Grascholtz but not used exclusively by her. A Word document claiming to be a resignation letter from Ms. Grascholtz was on one of the partitions of the thumb drive. None of the USB drives had external labels.
Evidence Collection
A thumb drive was discovered in the user account server rack, and an unauthorized user account was present on the same machine.
- The user name for the unauthorized account was Penelope Anne.
- The password for the unauthorized account was not recoverable.
- The account was a standard user account.
- The system log files showed no privilege escalation for the Penelope Anne account.
- The default browser for the Penelope Anne account was Firefox.
- The list of URLs found in the browser history:
- Thumb drives were discovered with multiple partitions on the devices:
- Only the first partition had any data.
- The other three partitions were zero-filled.
- Passwords found on a sticky note stuck to the inside of a laptop:
- A file was found on the Windows 10 desktop of the unauthorized account.
- The file was password-protected. The recovered password was: Fast246.
- A Word document claiming to be a resignation letter from Ms. Grascholtz:
Discoveries
The same type of thumb drive was found at both the workstation and the user account server.
System logs need to be checked to see if Ms. Grascholtz’s account mounted a thumb drive at any time. The partitioning of the thumb drives suggests that concealment of data was the purpose behind the action. Windows 10 does not recognize the additional partitions on a thumb drive, leading one to believe the creator knew Linux or another OS other than Windows. This type of partitioning is commonly used on hard drives to create multiple logical drives on a large physical drive. People who “have something to hide” can use this “multiple partitions” technique to hide data on a USB drive, since Windows 10 (and earlier Windows operating systems) will not allow direct access to the contents of those extra partitions. The techniques and tools to create multiple partitions on a USB drive or other removable storage media are easily found online.
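The partition-table check described above is something an examiner can do directly against a disk image rather than relying on what Windows shows in Explorer. The following is an added example written for this report, not part of the original investigation: it parses the four primary entries of an MBR partition table, then tests whether each partition's sector range is zero-filled. The image it runs on is constructed in memory (four 4-sector partitions, only the first carrying data), so the layout mirrors the finding of "one partition with data, three zero-filled" without using any real evidence.

```python
import struct
from collections import namedtuple

SECTOR = 512
Partition = namedtuple("Partition", "index type_id lba_start sectors")


def parse_mbr(sector0):
    """Return the non-empty primary partition entries from an MBR sector."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature in sector 0")
    parts = []
    for i in range(4):
        off = 446 + 16 * i  # partition table starts at byte 446, 16 bytes per entry
        _status, _chs0, ptype, _chs1, lba, count = struct.unpack(
            "<B3sB3sII", sector0[off:off + 16])
        if ptype == 0 or count == 0:
            continue  # unused slot
        parts.append(Partition(i + 1, ptype, lba, count))
    return parts


def partition_is_zero_filled(image, part):
    """True when every byte inside the partition's sector range is 0x00."""
    start = part.lba_start * SECTOR
    end = start + part.sectors * SECTOR
    return not any(image[start:end])


def triage(image):
    """Map partition index -> (type id, whether any non-zero data is present)."""
    return {p.index: (p.type_id, not partition_is_zero_filled(image, p))
            for p in parse_mbr(image[:SECTOR])}


def build_sample_image():
    """Constructed 18-sector image: four 4-sector partitions, only the first has data."""
    image = bytearray(SECTOR * 18)
    layout = [(2, 4), (6, 4), (10, 4), (14, 4)]  # (lba_start, sector count)
    for i, (lba, count) in enumerate(layout):
        # status 0x00 (not bootable), type 0x0B (FAT32), CHS fields left zero
        entry = struct.pack("<B3sB3sII", 0x00, b"\0\0\0", 0x0B, b"\0\0\0", lba, count)
        image[446 + 16 * i:446 + 16 * (i + 1)] = entry
    image[510:512] = b"\x55\xaa"
    image[2 * SECTOR:2 * SECTOR + 16] = b"CONSTRUCTED DATA"  # placeholder file content
    return bytes(image)


if __name__ == "__main__":
    for idx, (ptype, has_data) in triage(build_sample_image()).items():
        print(f"partition {idx}: type 0x{ptype:02x}, data present: {has_data}")
```

On a real image the same `triage()` would be run over the raw device dump (`dd` output) rather than the constructed bytes; a partition that the host OS never mounted but that is not zero-filled is exactly the case that warrants carving and hashing before anything else is done with the drive.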
The resignation letter claiming to be from Ms. Grascholtz states that an extortion attempt was made against her to infect the computers on the network. After this interaction, it is claimed that Ms. Grascholtz attempted to contact management to report the incident and was denied help resolving the issue. This document cannot be trusted at this time as reflecting the true intentions of Ms. Grascholtz. The fact that Ms. Grascholtz’s name appears on the document does not by itself prove she wrote it. The thumb drive was not located in her workstation, as would be expected if she intended to send the document herself. Direct managers need to be interviewed to try to validate the statements made concerning reporting the extortion attempt. Metadata should be examined to find the date/time of creation, last edits, and document owner. Previous documents and emails sent by Ms. Grascholtz should be examined to identify how Ms. Grascholtz signs her documents; the document ends with Penelope Anne rather than Penelope Grascholtz. The metadata of the file should be reviewed for file size, total editing time, last modified date, creation date, last printed date, author, and last editor (last modified by).
The passwords found on the workstation contained the password (Fast246) to decrypt the document (resignation letter) discovered on the thumb drive in the back of the server. Two of the other passwords were mentioned in the resignation letter as the passwords needed to decrypt the file encrypted by the ransomware. The password Fast246 does not fit the other passwords due to its simplicity. This simplicity may have been to ensure that it could be decrypted easily.
The list of websites visited by Ms. Grascholtz would indicate a person who was seeking information on ransomware and how to report it. There was an instance of going to Facebook in the browsing history but not to any person’s page. The other pages were about Coronavirus testing and travel. Visiting Coronavirus testing and travel pages may indicate someone gathering information to plan travel. In conjunction with the sites for reporting extortion, this could be the behavior of someone who is fearful and planning to travel to get away from someone.
Follow-Up Actions
- The two missing employees need to be found.
- The accounts of both missing employees must be locked to prevent further logins.
- Unauthorized accounts that are found will be locked, and forensics will investigate them.
- The USB drives will be investigated to find what they have been used for and by whom.
- System logs will be checked to find instances of USB drives mounted to the system.
- Look into labeling the thumb drives and whether users sign them out.
- The metadata from the resignation letter will need to be reviewed for information.
- Ms. Grascholtz’s managers will be interviewed to verify the claims about reporting the extortion attempt.
- Coworkers in the vicinity of the workstation of exposed passwords will be interviewed.
An unauthorized user/attacker gained access to the computer network to alter/destroy information and released malicious code that performed a ransomware attack. CERT Australia, the national computer emergency response team, provided advice and support to the owners and operators of Australia’s critical infrastructure and other systems of national interest regarding cyber threats and vulnerabilities. There is currently insufficient evidence to link Ms. Grascholtz to the introduction of the Reventon malware. No witnesses place the thumb drives in Ms. Grascholtz’s possession. There is no digital forensic evidence proving that Ms. Grascholtz was the one who partitioned the thumb drives or wrote the resignation letter found on them. There is reason not to discount the possibility of another insider besides Ms. Grascholtz: the two individuals who were still unaccounted for held positions that would allow access to the systems needed to infect the network and to plant information pointing to Ms. Grascholtz. Further investigations are currently ongoing.
Network Attacks and Analysis
Network Attack Techniques
Bad actors attempt two types of attacks and techniques: active and passive. Passive attacks normally sit in the background on a device and can be considered ‘stealthy’; this data-gathering technique is normally undetectable to an untrained eye and usually consists of network sniffers, brute-force attacks, and keystroke loggers. Active attacks, on the other hand, can be spotted, as these vectors are used to modify systems or data, and they most often rely on social engineering (pharming, phishing, baiting, whaling, and spoofed emails) to gain access to systems and networks. Additional schemas and frameworks used in familiar attacks include SQL injection, Trojan horses, cross-site scripting, IP address spoofing, man-in-the-middle attacks, session hijacking, smurf attacks, wireless attacks, and logic bombs. With increased internet use, web application and web-based malware attacks are growing rapidly. Australia’s particular attack incident comprised a WordPress attack, DoS, and cross-site scripting.
Downloading the cyb670PCAP.zip file
Extraction of the cyb670PCAP.zip file
cyb670PCAP file opened on Wireshark
The DoS attack consisted of 1,907,899 packets sent to two computers:
Computer A: 1,864,853 & Computer B: 43,046
The WordPress Attack and Cross-Site Scripting consisted of the following user-agent string request: Mozilla/4.0 (compatible; MSIE 6.0; Windows-NT 5.1) followed by a GET request pointing to an off-site URL http://192.168.10.111/wordpress/randomfile1
Network Attack Vectors
A modern enterprise faces a plethora of cybersecurity threats, which arise from vulnerabilities in hardware, software, operating systems, telecommunications, and even human factors. As cybersecurity practitioners, the Australian team identified many forms and types of cybersecurity threats to our enterprise. The results included both internal and external threats, including disgruntled employees. The team did not rule this out, as insider threats can devastate an enterprise given the information these personnel have access to. While external threats are persistent, mitigations and layered security help when combined with proper protocols, procedures, and policies, and our team has exercised due diligence through the use of the Risk Management Framework (RMF) in hardening the network enclave. This type of layered security through RMF is important because threats can be mitigated or severely reduced but never completely eliminated.
The National Institute of Standards and Technology defines threats as “any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations or modification of information, and/or denial of service” (NIST, 2012). Anomalies in network traffic can be identified with the proper tools. Using Wireshark, the analysis can help identify the network hopping where attack vectors multiply and allow for malicious activity.
Recent attack vectors identified show that the attackers targeted User Datagram Protocol (UDP) port 55, which received the most hits, totaling 1,822,349 requests, while Transmission Control Protocol (TCP) port 80 totaled 86,132 requests:
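The per-destination and per-port counts quoted above for the DoS attack and the TCP/80 web traffic are the kind of aggregation Wireshark's statistics views produce. The following added example, written for this report and not taken from the cyb670PCAP capture, does the same aggregation in Python over a tshark-style CSV export: it counts packets per destination, per (protocol, port) and per (destination, protocol, port), flags any target whose count crosses a flood threshold, and picks out HTTP GET requests carrying the user-agent string reported in the WordPress finding. The capture text is constructed inline (a 540-packet UDP/55 flood plus ten web requests), so the numbers differ from the real capture; the threshold of 100 packets is an assumed value.

```python
import csv
import io
from collections import Counter

# User-agent string reported in the WordPress / cross-site scripting requests above
SUSPECT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows-NT 5.1)"


def build_sample_capture():
    """Constructed capture export in a tshark-style CSV layout (not the real cyb670PCAP data)."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["time", "src", "dst", "proto", "dport", "method", "uri", "user_agent"])
    # UDP flood: 500 datagrams to victim A and 40 to victim B, all on UDP/55,
    # from many different (spoofed-looking) source addresses
    for i in range(540):
        dst = "10.0.0.10" if i < 500 else "10.0.0.11"
        w.writerow([f"{i * 0.001:.3f}", f"198.51.100.{i % 200 + 1}", dst, "UDP", 55, "", "", ""])
    # Web traffic to the server on TCP/80: three requests carry the suspect UA and URI
    for i in range(10):
        ua = SUSPECT_UA if i < 3 else "Mozilla/5.0 (X11; Linux x86_64)"
        uri = "/wordpress/randomfile1" if i < 3 else "/index.html"
        w.writerow([f"{1 + i * 0.1:.3f}", "203.0.113.7", "10.0.0.10", "TCP", 80, "GET", uri, ua])
    return out.getvalue()


def summarize(csv_text):
    """Aggregate packet counts the way the Wireshark statistics views do."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return {
        "total": len(rows),
        "per_dst": Counter(r["dst"] for r in rows),
        "per_port": Counter((r["proto"], int(r["dport"])) for r in rows),
        "per_target": Counter((r["dst"], r["proto"], int(r["dport"])) for r in rows),
        "suspect_requests": [r for r in rows
                             if r["method"] == "GET" and r["user_agent"] == SUSPECT_UA],
    }


def flood_targets(summary, threshold=100):
    """(dst, proto, port) tuples that received at least `threshold` packets (assumed cut-off)."""
    return sorted(t for t, n in summary["per_target"].items() if n >= threshold)


if __name__ == "__main__":
    s = summarize(build_sample_capture())
    print("total packets:", s["total"])
    print("packets per destination:", dict(s["per_dst"]))
    print("flood targets:", flood_targets(s))
    for r in s["suspect_requests"]:
        print("suspect request:", r["src"], r["method"], r["uri"])
```

Against a real capture the CSV would come from `tshark -r capture.pcap -T fields -E header=y -E separator=,` with the matching field names, and the flood threshold should be set from a traffic baseline rather than a fixed constant.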
Network Analyzing Tools
The network is analyzed by examining log files and identifying anomalies in network traffic. The log files provide critical information on server activity, including timestamps, user identification, and how a server was accessed. The National Institute of Standards and Technology (NIST) has issued guidelines on designing forensic services that can be used to recreate the transactional history of web traffic (NIST, 2010).
Australia could use multiple security tools to defend against DoS attacks. Wireshark was used for filtering, inspecting, and analyzing the network packets:
Layered protection of the network’s infrastructure is key: Intrusion Detection Systems (IDS) combined with Intrusion Prevention Systems (IPS), with threats managed through firewall filters. Address all firewall ingress and egress, explicitly deny all external ICMP traffic and non-policy VPN traffic, use load balancing, and maintain up-to-date patch management and vulnerability configurations. Ensure antivirus and anti-spyware software is used on every device. Maintain redundancy in the network architecture and continuous monitoring of network traffic, and establish a baseline so that malicious DoS floods of packets can easily be distinguished from normal traffic congestion, as identified:
Final Considerations
Part of the network hardening process is to protect against known attackers. Because of the data discovered by the cybersecurity team through Wireshark, the attack vectors are now known and have been shared with all FVEY nations attending the summit so that they can implement the following actions. Since the analysis showed a UDP flood attack on UDP port 55, these actions include locking down open communication ports, correcting weaknesses in the firewall ACLs, and blocking spoofed IP addresses from sending traffic from outside the trusted network. Deploy the Snort rules inline so that they drop the malicious traffic. The Snort rules were written to define the malicious network activity; since we have the signatures, all future packets entering the network that match the defined criteria will be dropped, and alerts will notify network administrators.
Continuously monitor the network to recognize unusual and malicious network traffic. Pay particular attention to POST requests to the servers and to unfamiliar traffic, which may indicate suspicious activity. Investigate TCP sessions lasting longer than 30 seconds and any large streams of HTTP data. Finally, all firewalls will be configured to block all incoming traffic (including ICMP) to the network by default; only explicitly allowed traffic to required ports, protocols, and services will be permitted. The IP spoof guard feature will be turned on, and the firewalls will be updated and audited regularly to maintain security compliance.
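The monitoring rules above (long TCP sessions, large HTTP streams, POST requests to unfamiliar endpoints, and deviation from a traffic baseline) can be expressed as a small review pass over session records. The following is an added example written for this report, not part of the original analysis: `review_sessions()` applies the three session rules using the report's own 30-second limit, and `baseline_deviations()` flags seconds whose packet count exceeds the baseline mean by more than k standard deviations. The session records, the set of known POST endpoints (`/wp-login.php`, `/api/submit`), the 5 MB "large stream" limit and the k = 3 multiplier are all constructed or assumed values for the demonstration.

```python
import statistics
from collections import namedtuple

# One record per completed connection, as a flow exporter or Wireshark's
# Conversations view would give it (constructed shape for this example)
Session = namedtuple("Session", "src dst proto dport duration_s total_bytes method uri")

# Assumed: the application's legitimate POST endpoints, learned from the baseline
KNOWN_POST_PATHS = {"/wp-login.php", "/api/submit"}


def build_sample_sessions():
    """Constructed sessions: one long-lived, one large download, one unfamiliar POST."""
    return [
        Session("203.0.113.7", "10.0.0.10", "TCP", 80, 2.1, 14_000, "GET", "/index.html"),
        Session("203.0.113.8", "10.0.0.10", "TCP", 80, 45.0, 300, "GET", "/index.html"),
        Session("203.0.113.9", "10.0.0.10", "TCP", 80, 3.0, 9_500_000, "GET", "/backup.zip"),
        Session("198.51.100.4", "10.0.0.10", "TCP", 80, 1.2, 2_000, "POST", "/wordpress/randomfile1"),
        Session("203.0.113.10", "10.0.0.10", "TCP", 80, 0.8, 600, "POST", "/wp-login.php"),
    ]


def review_sessions(sessions, max_tcp_seconds=30, max_http_bytes=5_000_000,
                    known_post_paths=KNOWN_POST_PATHS):
    """Apply the three review rules; returns (rule, source, detail) tuples in session order."""
    alerts = []
    for s in sessions:
        if s.proto == "TCP" and s.duration_s > max_tcp_seconds:
            alerts.append(("long_tcp_session", s.src, f"{s.duration_s:.0f}s"))
        if s.dport == 80 and s.total_bytes > max_http_bytes:
            alerts.append(("large_http_stream", s.src, s.uri))
        if s.method == "POST" and s.uri not in known_post_paths:
            alerts.append(("unfamiliar_post", s.src, s.uri))
    return alerts


def baseline_deviations(per_second_counts, baseline_counts, k=3.0):
    """Seconds whose packet count exceeds the baseline mean + k standard deviations."""
    mean = statistics.mean(baseline_counts)
    sd = statistics.pstdev(baseline_counts)
    limit = mean + k * sd
    return [(i, c) for i, c in enumerate(per_second_counts) if c > limit]


if __name__ == "__main__":
    for alert in review_sessions(build_sample_sessions()):
        print(alert)
    # Constructed: six seconds of traffic, with a flood in seconds 3 and 4
    print(baseline_deviations([98, 104, 115, 4000, 3800, 101], [100, 110, 95, 105, 100, 90]))
```

The baseline list should be collected from a known-quiet period and refreshed periodically; a fixed multiplier like k = 3 is a starting point, and the two functions are meant to run as a scheduled review over exported flow records rather than in the packet path.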
Network administrators are required to harden their infrastructure and to protect private data on the network. To accomplish this, network hardening through layered protection is key. Utilizing and implementing the tools and techniques identified in this report is a start; network administrators need to stay updated on new attack techniques and attack vectors to properly mitigate the threats to their enterprise networks.
Vulnerability Assessment
Nessus Scan and Report
The Australian team conducted three Nessus scans against one Windows host with an IP of 10.11.91.9. The scans were conducted to discover information about the host and ensure it is reachable via the network. The information gained was identifying what ports are currently open on the host and what services are running on the open ports. This information is then compiled by the scanning tool, and vulnerability analysis is performed to produce a report showing the severity and the number of vulnerabilities discovered on the host. In turn, the information from the report will be used to implement mitigation strategies to harden the systems.
The first scan conducted was a basic Nessus scan from the dashboard image presented below; it shows that there were 18 vulnerabilities, with 5 of them being rated as medium. Twenty-six information artifacts were also identified in the scan.
Figure 1
Nessus Dashboard (Basic Scan)
The second scan conducted was an advanced scan without the use of an audit file. The results from that scan were identical to the first basic scan conducted.
Figure 2
Advanced Scan With No Audit File
The third and final Nessus scan was also an advanced scan, this time using the NIST-provided Windows 7 Configuration Baseline audit file. This scan returned 20 vulnerabilities compared to the 18 from the previous two scans.
Figure 3
Advanced Scan With Audit File
One of the medium-rated vulnerabilities identified was SSL Medium Strength Cipher Suites Supported (SWEET32). This means that the DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple-DES in CBC mode, aka a “Sweet32” attack (CVE-2016-2183, 2016). The solution provided by Nessus is to reconfigure the affected application, if possible, to avoid using medium-strength ciphers (Nessus, 2020).
Another finding was that “The server’s X.509 certificate cannot be trusted. This situation can occur in three different ways, in which the chain of trust can be broken, as stated below:
- First, the top of the certificate chain sent by the server might not be descended from a known public certificate authority. This can occur when the top of the chain is an unrecognized, self-signed certificate or when intermediate certificates that would connect the top of the chain to a known public certificate authority are missing.
- Second, the certificate chain may contain a certificate that is not valid during the scan. This can occur either when the scan occurs before one of the certificate’s ‘notBefore’ dates or after one of the certificate’s ‘notAfter’ dates.
- Third, the certificate chain may contain a signature that either didn’t match the certificate’s information or could not be verified. Bad signatures can be fixed by getting the certificate with the bad signature to be re-signed by its issuer. Signatures that could not be verified are the result of the certificate’s issuer using a signing algorithm that Nessus either does not support or does not recognize.
If the remote host is a public host in production, any break in the chain makes it more difficult for users to verify the authenticity and identity of the web server. This could make it easier to carry out man-in-the-middle attacks against the remote host.
Solution
Purchase or generate a proper SSL certificate for this service” (Nessus, 2020).
Other vulnerabilities identified were:
- TLS Version 1.0 Protocol Detection. The remote service accepts connections encrypted using TLS 1.0. TLS 1.0 has several cryptographic design flaws. Modern implementations of TLS 1.0 mitigate these problems, but newer versions of TLS, like 1.2 and 1.3, are designed to combat these flaws and should be used whenever possible.
- SMB Signing not required. Signing is not required on the remote SMB server. An unauthenticated, remote attacker can exploit this to conduct man-in-the-middle attacks against the SMB server.
- SSL Self-Signed Certificate. A recognized certificate authority does not sign the X.509 certificate chain for this service. If the remote host is a public host in production, this nullifies the use of SSL, as anyone could establish a man-in-the-middle attack against the remote host.
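The SWEET32 and TLS 1.0 findings above are both fixed on the server side by the same two settings: a minimum protocol version and a cipher list that excludes 64-bit block ciphers. The following added example, written for this report rather than taken from Nessus or the scanned host, does two things: it classifies a list of cipher-suite names the way the scanner's "medium strength" rating does (64-bit block ciphers such as DES/3DES are the SWEET32 class; RC4, NULL, export and MD5 suites are weak outright), and it builds a hardened Python `ssl` server context that enforces TLS 1.2+ and AEAD suites only, then reads back what OpenSSL actually enabled. The scan-finding list is constructed; the cipher string is an assumed policy, not the one Nessus prescribes.

```python
import ssl

# Constructed cipher-suite list in the style of a scanner finding (not the real scan output)
SCAN_FINDING = [
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
]

# 64-bit block ciphers fall under the SWEET32 birthday bound; the second group is broken outright.
# "DES" also matches the 3DES / DES-CBC3 spellings used by IANA and OpenSSL names.
SIXTY_FOUR_BIT_BLOCK = ("DES", "IDEA")
BROKEN = ("RC4", "NULL", "EXPORT", "MD5")


def classify(suite):
    """Strength class from the suite name; accepts IANA (TLS_...) and OpenSSL (...-SHA) spellings."""
    name = suite.upper()
    if any(tok in name for tok in SIXTY_FOUR_BIT_BLOCK):
        return "medium"
    if any(tok in name for tok in BROKEN):
        return "weak"
    return "strong"


def flagged_suites(suites):
    """Suites that a medium-strength finding would list, in the order given."""
    return [s for s in suites if classify(s) != "strong"]


def hardened_server_context():
    """Server-side TLS policy that closes both findings: TLS 1.2+ only, AEAD suites, no 3DES/RC4.
    The cipher string is an assumed policy for this example."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!3DES:!RC4:!aNULL:!MD5")
    return ctx


def policy_summary(ctx):
    """What OpenSSL actually enabled for the context: minimum version and cipher names."""
    return {
        "min_version": ctx.minimum_version.name,
        "ciphers": [c["name"] for c in ctx.get_ciphers()],
    }


def policy_violations(ctx):
    """Enabled cipher names that are not in the strong class (should be empty)."""
    return [n for n in policy_summary(ctx)["ciphers"] if classify(n) != "strong"]


if __name__ == "__main__":
    print("scanner would flag:", flagged_suites(SCAN_FINDING))
    summary = policy_summary(hardened_server_context())
    print("minimum version:", summary["min_version"])
    print("enabled suites:", summary["ciphers"])
    print("violations:", policy_violations(hardened_server_context()))
```

The context is what a Python service would pass to `wrap_socket()`; for other servers the equivalent is the `ssl_protocols`/`ssl_ciphers` pair in nginx or `SSLProtocol`/`SSLCipherSuite` in Apache. Rerunning the Nessus scan after the change is the confirmation that the medium-strength and TLS 1.0 findings are gone.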
Notably, 86% of the findings from the scan were informational findings. If found by someone with malicious intent, this information could be used to enumerate the host and possibly target the services or applications running on those ports; such attacks would be narrower in scope than what the Nessus scan tests for. Below is the list of informational findings as presented by the Nessus dashboard.
These findings will need to be researched further to try and limit the amount of information that can be gained from an outside entity.
SCAP Workbench
SCAP Workbench is a tool that can open XCCDF or SDS files and allows the user to evaluate either local or remote machines using the content in the opened file (SCAP Workbench User Manual, n.d.). Team Australia used this tool to change the user account policy to better secure the hosts. The first change was to raise the lockout duration, the time in seconds used with the lockout threshold value, from 900 seconds to 1800 seconds. This setting lengthens the time a user must wait for their account to be re-enabled after reaching the maximum number of failed login attempts.
Figure 4
SCAP Baseline Configuration
The team also reduced the maximum number of attempts to log in from 5 to 3. This will help prevent an individual from trying to guess a password or using a rainbow table against an account by forcing the account to be disabled for 15 minutes.
Figure 5
SCAP Baseline Configuration
Once these configuration changes are completed and scanned, a baseline will be established using these configurations. A gold standard image will be created and used for imaging user workstations. The image will be patched and updated as determined by the ISSM and rescanned and tested before being deployed. Scanning alone will only find the vulnerabilities the tool being used can detect. Penetration testing should be conducted to widen the view of the vulnerabilities to which our systems can be exposed.
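The two lockout settings changed in SCAP Workbench (threshold and duration) interact, and the effect of the change is easiest to see by modelling the policy. The following is an added example written for this report, not part of the SCAP content or the host's configuration: a small tracker that applies a lockout policy to logon attempts, and a function that measures how many wrong guesses against one account a host would actually evaluate over a day of one-guess-per-second attempts, comparing the previous 5 attempts / 900 s baseline with the 3 attempts / 1800 s settings applied above. The 900-second counter-reset window and the one-per-second attempt rate are assumptions of the model.

```python
from dataclasses import dataclass, field


@dataclass
class LockoutPolicy:
    threshold: int             # failed attempts that trigger the lockout
    duration_s: int            # seconds the account stays locked
    reset_window_s: int = 900  # assumed: failures older than this no longer count


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of counted failures
    locked_until: float = 0.0


class LockoutTracker:
    """Models how a host applies the account lockout policy to logon attempts."""

    def __init__(self, policy):
        self.policy = policy
        self.accounts = {}

    def attempt(self, user, now, password_ok):
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            return "rejected"            # still locked: the guess is never evaluated
        if password_ok:
            st.failures.clear()
            return "success"
        st.failures = [t for t in st.failures if now - t <= self.policy.reset_window_s]
        st.failures.append(now)
        if len(st.failures) >= self.policy.threshold:
            st.locked_until = now + self.policy.duration_s
            st.failures.clear()
            return "locked"              # this failure triggered the lockout
        return "failed"


def guesses_evaluated(policy, horizon_s):
    """Wrong guesses against a single account that the host actually evaluates over
    horizon_s seconds of one-guess-per-second attempts; shows the throttling effect."""
    tracker = LockoutTracker(policy)
    return sum(1 for t in range(horizon_s)
               if tracker.attempt("svc-account", t, False) != "rejected")


if __name__ == "__main__":
    before = LockoutPolicy(threshold=5, duration_s=900)   # previous baseline
    after = LockoutPolicy(threshold=3, duration_s=1800)   # settings applied in SCAP Workbench
    for label, pol in (("baseline 5/900", before), ("hardened 3/1800", after)):
        print(f"{label}: {guesses_evaluated(pol, 86_400)} guesses evaluated per day")
```

The same tracker also shows the operational cost of the setting: a legitimate user who mistypes three times is locked out for half an hour, which is the trade-off the help desk needs to be told about when the baseline is rolled out.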
Information Assurance
Information assurance principles can be seen as the backbone of securing and having trusted communications across the network. The pillars of information assurance are:
Availability
Availability means that users can access the data stored in their networks or use services that are featured within those networks (The 5 Pillars of Information Assurance, n.d.).
Integrity
Upholding an information system’s integrity involves keeping its network intact and uncompromised; thus, the primary goal of this pillar is to set up safeguards that deter threats. For example, viruses and malicious code are the most common threats to a system’s integrity (The 5 Pillars of Information Assurance, n.d.).
Authentication
Authentication methods verify a user’s identity before allowing them to access data. Common authentication methods include a username and password combination and biometric logins, such as fingerprint scanning recognition (The 5 Pillars of Information Assurance, n.d.).
Confidentiality
Confidentiality involves protecting private information from disclosure to any unauthorized users, systems, or other entities. Confidentiality must be considered in terms of the data, not just in terms of access or permissions. Only those who are authorized can access the data, the devices, or the processes that contain the data (The 5 Pillars of Information Assurance, n.d.).
Non-Repudiation
When individuals send information through a network, it is important that the information system be able to provide proof of delivery to confirm that the data was properly transmitted. The same applies to the receiving end—recipients should have confirmation of the sender’s identity. This information, called non-repudiation, is necessary to confirm the individual responsible for processing certain data (The 5 Pillars of Information Assurance, n.d.).
There will be both hardware and software tools implemented to ensure that these pillars are adhered to across the network. The human interactions with the network will make ensuring these pillars are upheld challenging, and training must occur to help inform them of proper use and reporting.
Attribution Report
This report identifies anomalous behavior that was captured in network traffic during the Five Eyes (FVEY) conference. It covers what appears to be anomalous, if not malicious, behavior but stops short of placing attribution on any actors or nation-states. Attribution is difficult to obtain without an outright admission from the perpetrator, as it is possible for an actor from another country to gain access to a remote computer and use it for nefarious actions. With the limited information collected for this report, it is only pertinent to report on the location of the IP address and what perceived actions were conducted.
IP Country of Origin
The FVEY partners are Britain, the United States, Canada, Australia, and New Zealand, as defined in the multilateral agreement for cooperation in signals intelligence (SIGINT), known as the UKUSA Agreement, on March 5, 1946. With these locations in mind, it would be reasonable to assume there would be network traffic between the host nation and the partner nation during the conference. This network traffic can be identified as normal traffic from attendees conducting normal business relations.
The information showed evidence of location origins that were not from one of the FVEY countries. IP addresses were captured from Venezuela, China, Netherlands, Russia, China, and Saudi Arabia. The IP’s country of origin alone is not malicious but was rather a reason to look further into the intent behind the connections.
Indicators and Warnings (I&W)
Using Whois.com to look at the registration information of the IP addresses, there were I&W that malicious activities were possibly intended. IP address 190.142.94.44, registered to Corporación Telemic C.A. in Venezuela, has an administrator listed as “Abuse Account”. This information is entered by the individual registering the IP block, bringing into question the intent behind the name. Two IPs, 113.245.133.236 and 222.215.134.15, are both registered to CHINANET. Given the cyber activity perpetrated by China, it is concerning to see two IP addresses from that nation during this event. The IP 82.196.6.46 is registered to Digital Ocean, a cloud infrastructure provider with servers all over the world. This IP is registered to a block of addresses out of the Netherlands. Because this is a cloud provider, it must be considered that the traffic may not originate from the Netherlands but rather from someone using a service hosted in the Netherlands.
AlienVault Open Threat Exchange can be used to gather open-source intelligence on the identified IPs and to identify known malicious activity from previously seen hosts or IPs. IP Nations is another tool that allows a user to find the location of origin of an IP. This is useful and can help narrow down indicators by looking for the known tactics of a given nation.
The following IPs were seen using the process mssecsvc.exe, which is known to be associated with the WannaCry ransomware.
The introduction of ransomware at the conference would be very detrimental to the attending nations and could create friction among the partners.
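Linking the IPs in the whois review to the mssecsvc.exe observation is a correlation task: which external addresses did a host contact in the window after the WannaCry service binary appeared on it, and what does the registration of each address say. The following added example, written for this report and not part of the original attribution work, joins a constructed process-creation log against a constructed connection log, then enriches each linked IP with the country and registrant reported above, flagging non-FVEY origins and adding the cloud-provider caveat for the DigitalOcean block. The two logs, the 30-minute correlation window, the host names and the partner address 203.0.113.20 are all constructed; the registration table is a static lookup built from the page, not a live whois or geolocation query.

```python
from datetime import datetime, timedelta

FVEY = {"AU", "CA", "GB", "NZ", "US"}
IOC_PROCESSES = {"mssecsvc.exe"}     # WannaCry service binary named in the report
CLOUD_PROVIDERS = {"DigitalOcean"}

# Country and registrant per IP as reported in the whois review above, kept as a static
# lookup for this example; the last entry is a constructed partner address
IP_REGISTRATION = {
    "190.142.94.44": ("VE", "Corporación Telemic C.A."),
    "113.245.133.236": ("CN", "CHINANET"),
    "222.215.134.15": ("CN", "CHINANET"),
    "82.196.6.46": ("NL", "DigitalOcean"),
    "203.0.113.20": ("US", "constructed-partner-network"),
}

# Constructed endpoint and connection logs (key=value lines with an ISO timestamp)
PROCESS_LOG = """\
2020-06-01T10:01:58Z host=AUSL1A2B3C event=process_create image=C:\\Windows\\mssecsvc.exe
2020-06-01T10:05:10Z host=AUSD4E5F6A event=process_create image=C:\\Windows\\notepad.exe
"""
CONN_LOG = """\
2020-06-01T10:02:11Z host=AUSL1A2B3C dst=190.142.94.44 dport=445 proto=tcp
2020-06-01T10:02:15Z host=AUSL1A2B3C dst=82.196.6.46 dport=443 proto=tcp
2020-06-01T10:03:40Z host=AUSD4E5F6A dst=203.0.113.20 dport=443 proto=tcp
2020-06-01T12:30:00Z host=AUSL1A2B3C dst=113.245.133.236 dport=445 proto=tcp
"""


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def ioc_process_times(proc_records):
    """host -> timestamps at which an IOC process was created on it."""
    hits = {}
    for r in proc_records:
        image = r.get("image", "").rsplit("\\", 1)[-1].lower()
        if image in IOC_PROCESSES:
            hits.setdefault(r["host"], []).append(r["ts"])
    return hits


def correlate(conn_records, proc_records, window=timedelta(minutes=30)):
    """External IPs contacted by an infected host within `window` after the IOC process appeared."""
    hits = ioc_process_times(proc_records)
    linked = {}
    for c in conn_records:
        for t in hits.get(c["host"], []):
            if t <= c["ts"] <= t + window:
                linked.setdefault(c["dst"], []).append(c["host"])
    return linked


def enrich(ip):
    """Registration facts plus the two judgements the report makes about each IP."""
    country, org = IP_REGISTRATION.get(ip, ("??", "not in lookup"))
    return {"ip": ip, "country": country, "org": org,
            "non_fvey": country not in FVEY,
            "cloud_caveat": org in CLOUD_PROVIDERS}   # origin may differ from registrant country


def attribution_report():
    linked = correlate(parse_log(CONN_LOG), parse_log(PROCESS_LOG))
    return {ip: dict(enrich(ip), hosts=sorted(set(hosts))) for ip, hosts in linked.items()}


if __name__ == "__main__":
    for ip, facts in attribution_report().items():
        print(ip, facts)
```

The connection to 113.245.133.236 falls outside the 30-minute window in the constructed data and is therefore not linked, which is the point of the window: temporal proximity to the IOC is what separates "contacted by an infected host" from "seen somewhere in the capture", and the window should be chosen from the malware's known behaviour rather than guessed.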
Cyber is nothing new, and bad actors in the cyber realm are now the new normal. Some are very overt about their actions, while others will try to hide in the noise that is cyberspace, but none should be a surprise. By labeling individuals or nations that conduct malicious cyber activities as bad actors, there may be posturing and/or threats of political actions against those who call them out. This should not stop the Australian government from raising awareness of those bad actions.
Network Security Checklist
Network Security Checklist Development
This section details the methods used to develop the network security checklist. We consider this document’s design to purposely give the network security department governance for information assurance and network threat mitigation. Some considerations were based on known and unknown variables, including information sharing within our trusted Five Eyes Alliance (FVEY) community with regard to policies on a global domain and our relationships with these nations: the United States of America, Australia, New Zealand, Canada, and the United Kingdom. These relationships have varying trust levels, which translate into multilevel communications and information-sharing security. The intent of this plan is to outline network monitoring, tracking, and risk management throughout our network.
Service Level Agreements
A service level agreement is the documented aspect between two or more parties outlining the use of provided technologies. Australia plans on implementing software and hardware configurations utilizing firewalls, system certification and accreditation, and secure communications protocols to include Public Key Infrastructure (PKI), Secure Sockets Layer (SSL), Internet Protocol Security (IPSEC), and Virtual Private Networks (VPNs). These security characteristics will be managed to determine the level of access, communications, and data-sharing policies within our FVEY relationship to establish and maintain secure communications. Proper risk analysis of these communications channels will allow proper network traffic without over-encryption, which may hamper communications. The intent is to provide safe and reliable protocols while maintaining cyber security and information protection.
Components of the Security Checklist
Hardware configurations will be applied to all devices connected to the network, including firewalls, servers, and workstations. Information Technology Equipment Custodians (ITEC) will maintain an updated inventory list of all servers and workstations. This list will include known IP and MAC addresses (Wi-Fi or wired), the current operating system and its version, and the device’s physical location. Network Operators will ensure the known IP and MAC address list is current when adding or removing devices. Client administrators will ensure devices are properly configured and that the proper naming convention is used for Australian-owned devices: the name starts with AUS, followed by a letter for the device type (Laptop, Desktop, Tablet) and the last six alphanumerics of the MAC, e.g., AUSL6A8H35 or AUSD89FH21. This standardization of devices will ensure that devices belonging to bad actors can be quickly identified on the network.
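An inventory list is only useful for spotting unknown devices if its own entries are consistent, so the naming convention and the required fields above are worth checking mechanically. The following added example, written for this report and not part of the checklist itself, derives the expected host name from the device type and MAC, and audits a constructed inventory for names that break the convention, missing fields, and duplicate IP or MAC entries. The L/D/T letters for Laptop/Desktop/Tablet are taken from the AUSL and AUSD examples above, with T for Tablet an assumption; the inventory records are constructed.

```python
import re

# Naming convention from the checklist: AUS + device-type letter + last six of the MAC.
# L and D appear in the report's examples; T for Tablet is assumed here.
KIND_BY_TYPE = {"Laptop": "L", "Desktop": "D", "Tablet": "T"}
NAME_RE = re.compile(r"^AUS[LDT][0-9A-Z]{6}$")

# Constructed inventory entries: two compliant, one legacy name with a duplicate IP,
# one tablet whose name does not match its MAC and whose location is missing
SAMPLE_INVENTORY = [
    {"name": "AUSL3C4D5E", "type": "Laptop", "mac": "00:1A:2B:3C:4D:5E", "ip": "10.10.1.20",
     "os": "Windows 10", "os_version": "1909", "location": "Bldg 2, Rm 14"},
    {"name": "AUSD112233", "type": "Desktop", "mac": "00:1A:2B:11:22:33", "ip": "10.10.1.21",
     "os": "Windows 10", "os_version": "1909", "location": "Bldg 2, Rm 15"},
    {"name": "PENNY-PC", "type": "Desktop", "mac": "00:1A:2B:AA:BB:CC", "ip": "10.10.1.21",
     "os": "Windows 10", "os_version": "", "location": "Bldg 2, Rm 16"},
    {"name": "AUST778899", "type": "Tablet", "mac": "00:1A:2B:77:88:9A", "ip": "10.10.1.23",
     "os": "iPadOS", "os_version": "13.5", "location": ""},
]


def expected_name(device_type, mac):
    """Host name the convention prescribes for this device type and MAC address."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return f"AUS{KIND_BY_TYPE[device_type]}{hexdigits[-6:]}"


def audit_inventory(records):
    """Return (hostname, problem) pairs for entries that break the checklist's rules."""
    problems = []
    seen_ip, seen_mac = {}, {}
    for r in records:
        name = r["name"]
        for key in ("ip", "mac", "os", "os_version", "location"):
            if not r.get(key):
                problems.append((name, f"missing {key}"))
        if not NAME_RE.match(name):
            problems.append((name, "name does not follow AUS convention"))
        elif r.get("mac"):
            want = expected_name(r["type"], r["mac"])
            if name != want:
                problems.append((name, f"name should be {want}"))
        if r.get("ip"):
            if r["ip"] in seen_ip:
                problems.append((name, f"duplicate IP shared with {seen_ip[r['ip']]}"))
            seen_ip.setdefault(r["ip"], name)
        if r.get("mac"):
            mac = r["mac"].lower()
            if mac in seen_mac:
                problems.append((name, f"duplicate MAC shared with {seen_mac[mac]}"))
            seen_mac.setdefault(mac, name)
    return problems


if __name__ == "__main__":
    for host, problem in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {problem}")
```

Run against the ITEC list on a schedule, the same audit doubles as the comparison point for DHCP leases and switch MAC tables: any address seen on the network that is absent from a clean inventory is the unknown device the convention is meant to expose.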
The software will be administered by the Configuration Management administrators. This will ensure devices are up to date and the proper patching has been applied. This team will also evaluate new updates to ensure secure protocols are not reverted to manufacturer standards through a configuration control board (CCB). Vulnerability scans will be conducted on the network, and logs will be reviewed against a proper network baseline. This approach will indicate any outliers in identifying bad actors and possible infected devices.
Communication and Data Sharing Policies
Network security, integrity, and non-repudiation are the intent of Australia’s communication and data-sharing policies with the FVEY multi-nations. The file shares on the network contribute to effective and instantaneous communication channels from our trusted partners. This convenience and ease of use shall not infringe on Australia’s information assurance.
All routers, switches, and firewalls will be standardized throughout the FVEY communities to ensure secure communications are seamlessly transmitted while keeping bad actors at bay. This standardization development will go through risk analysis and not hamper any nation’s security protocols.
Application Layer Filtering
Australia’s application layer filtering will consist of Palo Alto’s Next Generation firewall, which “combines packet inspection with stateful inspection and also includes some variety of deep packet inspection, as well as other network security systems, such as intrusion detection/prevention, malware filtering and antivirus” (Ferrell, 2019). This firewall meets the intent of our secure communications while providing layered security. “Traditional firewalls look exclusively at the protocol header of the packet, deep packet inspection looks at the actual data the packet is carrying. A deep packet inspection firewall tracks the progress of a web browsing session and is capable of noticing whether a packet payload, when assembled with other packets in an HTTP server reply, constitutes a legitimate HTML formatted response” (Ferrell, 2019). Configurations will permit secure traffic from the partner nations’ sites worldwide, which implement SSL and IPsec.
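To make the contrast in the quoted passage concrete, here is an added Python example (not code from the report, from Ferrell, or from any firewall product) that applies a header-only rule and a payload-aware rule to the same reassembled HTTP replies. The rule set and the three sample responses are constructed; a real deep packet inspection engine does far more, but the shape of the decision is the same: the header check passes all three replies on port 443, while the payload check rejects the reply whose body is not the HTML its headers declare and the reply whose body does not match its Content-Length.

```python
"""Header-only versus payload-aware inspection of a reassembled HTTP reply,
illustrating the contrast in the text.  Added example, not code from the
report or from any firewall product: the rule set and the sample responses
are constructed, and a real DPI engine does far more than this."""
from html.parser import HTMLParser

WEB_PORTS = {80, 443}
# Bytes a text/html document would never legitimately carry (all C0 control
# characters except tab, LF and CR).
CONTROL_BYTES = set(range(0x00, 0x09)) | {0x0B, 0x0C} | set(range(0x0E, 0x20))


def header_only_decision(dst_port: int) -> str:
    """Traditional rule: look only at the protocol header (here just the port)."""
    return "allow" if dst_port in WEB_PORTS else "deny"


def split_http_response(raw: bytes):
    """Separate status line, header fields and body of a reassembled reply."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


class _TagCounter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = 0

    def handle_starttag(self, tag, attrs):
        self.tags += 1


def looks_like_html(body: bytes) -> bool:
    """Payload check: no control bytes, and at least one HTML start tag."""
    if any(b in CONTROL_BYTES for b in body):
        return False
    counter = _TagCounter()
    counter.feed(body.decode("utf-8", errors="replace"))
    return counter.tags > 0


def deep_inspection_decision(raw: bytes, dst_port: int) -> str:
    """Payload-aware rule: the header check still applies, then the
    reassembled body must be consistent with what the headers declare."""
    if header_only_decision(dst_port) == "deny":
        return "deny: port not permitted"
    _status, headers, body = split_http_response(raw)
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body):
        return "deny: Content-Length does not match reassembled body"
    if headers.get("content-type", "").startswith("text/html") and not looks_like_html(body):
        return "deny: declared text/html but payload is not HTML"
    return "allow"


def make_response(content_type: str, body: bytes) -> bytes:
    """Build a constructed HTTP/1.1 reply with a correct Content-Length."""
    head = (f"HTTP/1.1 200 OK\r\nContent-Type: {content_type}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("latin-1") + body


# Constructed samples: a legitimate page, a reply that claims HTML but carries
# a binary blob, and a reply whose body is shorter than its header declares.
LEGIT = make_response("text/html; charset=utf-8", b"<html><body><h1>Welcome</h1></body></html>")
MISLABELED = make_response("text/html", b"\x00\x01\x02\x03not markup\x00\x00\x7f")
TRUNCATED = LEGIT[:-10]

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("mislabeled", MISLABELED), ("truncated", TRUNCATED)):
        print(f"{label:10} header-only: {header_only_decision(443):5} "
              f"deep: {deep_inspection_decision(raw, 443)}")
```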
Network Accreditation and Certification
An Information System Security Officer (ISSO) will be assigned at every FVEY nation and “will serve as the principal advisor to the Chief Information Security Officer (CISO) or Information System Security Manager (ISSM) on all matters, technical and otherwise, involving the security of any information” (DHS, 2013). The ISSM will be responsible for implementing the Risk Management Framework (RMF) methodology. This allows a risk-based approach to network accreditation and certification, which occur every two years and incorporate strategy, policy, awareness and training, assessment, continuous monitoring, authorization, implementation, and remediation on the network, together with testing and authorizing all system activities.
Secure Communications
PKI will be established on the network to eliminate user names and password accounts. This two-factor authentication will also allow email integrity in the form of non-repudiation for digitally signed and encrypted emails. Australia will develop its public and private keys through the use of a trained Local Registration Authority (LRA), which will assist Trusted Agents (TA) in facilitating the actual PKI certificate issuance with our assigned Certificate Authority (CA). The PKI system will allow the multi-nation FVEY to communicate through network access utilizing VPNs for encrypted tunneling into our shared networks with authenticated accounts. Some other features of PKI include certificates for remote access to machines, secure websites, and digitally signing and encrypting emails and documents.
System Security Risk Vulnerabilities Report
Attack Vectors
Vulnerabilities expose systems to attack. Often, a vulnerability provides the means through which an attacker executes unauthorized commands; these paths are commonly called attack vectors (Ullah et al., 2018). In penetration testing, attack vectors are widely associated with injection attacks, in which an attacker writes a script that targets legitimate user credentials as they are used on cloud platforms, sent to a database, or entered to log in to a system (Ee et al., 2020). A typical attack is SQL injection.
Given that most organizations worldwide have adopted information technology (IT) in their workflows, there are numerous threats to their resources, including the company’s IT infrastructure, programs, systems, and computer networks. Threats to such resources may come from external parties or from the company’s own staff, and they fall into two categories: active and passive attacks (Ee et al., 2020). In active attacks, such as those using social engineering techniques like phishing or spoofed emails, the company’s data, networks, and systems are altered. Passive attacks, by contrast, are stealthy toward a company’s computing resources and may be noticed only by trained professionals. Passive attacks include keystroke logging, brute-force attacks, and network sniffers (Ee et al., 2020). In modern cybersecurity, the most common attack vectors include logic bombs, wireless attacks, smurf attacks, cross-site scripting, buffer overflows, password cracking, phishing, trojan horses, SQL injection, and brute-force attacks. Menges & Pernul (2018) assert that software quality assurance, in enumerating attacks and their patterns, ought to use schemas such as the Vocabulary for Event Recording and Incident Sharing and the Common Attack Pattern Enumeration and Classification.
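SQL injection, named above as the typical injection attack, is easiest to understand as the defective query beside its corrected form. The Python below is an added example (not code from the report or from any cited source): it uses an in-memory SQLite table with constructed accounts, shows how a query assembled by string concatenation lets a quote character in user input change the statement’s meaning (and how the same defect breaks legitimate names containing an apostrophe), and shows that the parameterized form treats the identical input purely as data.

```python
"""SQL injection, the 'typical attack' named in the text, as the vulnerable
query beside its hardened form.  Added example, not code from the report: the
in-memory table, the accounts and the inputs are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed user table; passwords are stored only as placeholder hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b"), ("o'brien", "hash-o")])
    return conn


def lookup_vulnerable(conn, username: str) -> list:
    """Query assembled by string concatenation: user-supplied text becomes part
    of the SQL statement, so a quote character changes the query's meaning."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username: str) -> list:
    """Parameterized query: the value travels separately from the statement and
    is only ever compared as data, whatever characters it contains."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def vulnerable_breaks_on_apostrophe(conn) -> bool:
    """The same defect also breaks legitimate input: a name containing an
    apostrophe turns the concatenated statement into a syntax error."""
    try:
        lookup_vulnerable(conn, "o'brien")
    except sqlite3.OperationalError:
        return True
    return False


# Textbook tautology input: closes the string literal and appends OR '1'='1'.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, normal input    :", lookup_vulnerable(conn, "alice"))
    print("vulnerable, tautology       :", lookup_vulnerable(conn, TAUTOLOGY))
    print("parameterized, tautology    :", lookup_safe(conn, TAUTOLOGY))
    print("parameterized, o'brien      :", lookup_safe(conn, "o'brien"))
    print("vulnerable raises on o'brien:", vulnerable_breaks_on_apostrophe(conn))
```

The defensive lesson is the one the mitigation and countermeasure sections below rely on: the fix is structural (parameterized statements everywhere user input reaches a query), not a filter applied to individual inputs.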
Significance of Public-Key Infrastructure (PKI)
PKI facilitates server-side security by providing the rules, procedures, and policies that enable the creation, management, storage, and revocation of digital security certificates and the management of public-key encryption (Lozupone, 2018). Its use in cybersecurity rests on asymmetric cryptography. Users are assured of security when accessing websites configured with HyperText Transfer Protocol Secure (HTTPS) for internet banking, email, and other cloud-based services. The critical question, then, is what core parts make up a PKI.
To realize PKI’s full benefits, a certificate authority (a verified entity that facilitates the authentication of a user’s identity) is mandatory (Lozupone, 2018). The certificate authority (CA) generates digital certificates and assigns them to users. The CA and the system administrator sign the certificates digitally to counter any changes to the digital certificate. The digital certificate is typically signed using a public key and counter-signed by the public key infrastructure provider with a private key. Therefore, the private and public keys must match to verify the certificate and provide encrypted networking over the Internet (Lozupone, 2018). Users can verify the signed digital certificate through a repository that PKI providers offer.
Mitigation
Cybersecurity risk mitigation primarily consists of measures that adequately address a risk to a company’s computing resources. It entails identifying, evaluating, and classifying risks and then applying an appropriate action: monitoring, transfer, or control, or avoiding the risk altogether (Cassidy, 2016). Risk strategies are selected based on the company’s mission statement and business processes. Should the cost of mitigation be smaller than the potential damage or interruption to business processes, the organization must control the risk (Sokri, 2019). To eliminate particular risk occurrences, the company must implement procedures, policies, and technologies such as session timers, biometric access to server rooms, and periodic resets of strong passwords (Kure et al., 2018). If the company uses obsolete technology that exposes its resources to attacks, newer technologies should be implemented. Risk avoidance can be achieved through education, training, and review of procedures.
Once an organization realizes that an attack came from inside, outsourcing cybersecurity services should perhaps be considered. This technique is referred to as risk transfer (Cassidy, 2016). In this case, the organization ought to purchase cybersecurity insurance. In other cases, if the organization has a constrained budget, it would be advisable to monitor the risk until it has been fully assessed and proper actions defined. Mitigation strategies therefore have to be continuous, so that they combat newer cybersecurity risks and threats as they arise.
Countermeasures
An organization’s countermeasures play an essential role in ensuring its computer networks, applications, infrastructure, and systems are well secured. They must enhance the three pillars of cybersecurity – confidentiality, integrity, and availability (Cassidy, 2016). The organization must be secured physically from the outside using swipe identity cards, so that it is known who accessed which floor. For highly protected floors and sections, access must be granted by biometric scanners. Exterior doors to such areas should be opened only by specific security personnel, and every entry and exit must be logged by the system.
During software and application design, authentication and security features appropriate to the organization must be built in. Employees and staff should be given the least privilege: only what they need to perform their jobs. This minimizes the organization’s exposure should users misuse privileges or leak their credentials (Cassidy, 2016). Additionally, the organization must implement appropriate firewalls and intrusion detection systems, protect the company’s Wi-Fi and cabled Ethernet networks, set a minimum password length and a periodic expiry period, and consistently install and upgrade the latest antivirus software. Cassidy (2016) proposes that it is essential to train all users on the updated company policies concerning the security of the organization’s networks, infrastructure, applications, and other computing resources.
Conclusion
Analyzing the collected digital evidence allows us to determine whether the suspected individual was responsible for facilitating the insider attack. In the case included in this report, the suspected individual is found not to be responsible for facilitating the attack, because there is not enough evidence to confirm that the suspect was involved. Analyzing the captured packets from the identified Australian attack incident shows that the identified cyberattacks can be implemented using different attack vectors, which prompts the implementation of different forms of security measures to form layered security. Identifying the different vulnerabilities in the network requires the network administrator to implement different mitigation measures to address them.
References
Cassidy, A. (2016). A practical guide to information systems strategic planning. CRC press.
CVE-2016-2183. (n.d.). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183
DHS. (2013, September 13). Information System Security Officer (ISSO) Guide. Office of the Chief Information Security Officer, Version 10.
Ee, S. J., Tien Ming, J. W., Yap, J. S., & Lee, S. C. Y. (2020). Active and Passive Security Attacks in Wireless Networks and Prevention Techniques.
Ferrell, R. (2019, May 13). The 5 different types of firewalls. Retrieved from https://searchsecurity.techtarget.com/feature/The-five-different-types-of-firewalls
Kure, H. I., Islam, S., & Razzaque, M. A. (2018). An integrated cybersecurity risk management approach for a cyber-physical system. Applied Sciences, 8(6), 898.
Lozupone, V. (2018). Analyze encryption and public key infrastructure (PKI). International Journal of Information Management, 38(1), 42-44.
Menges, F., & Pernul, G. (2018). A comparative analysis of incident reporting formats. Computers & Security, 73, 87-101.
Nessus. (n.d.). Retrieved October 19, 2020, from https://nessus.umgc.edu:8834/
SCAP Workbench User Manual. (n.d.). Retrieved October 20, 2020, from https://static.open-scap.org/scap-workbench-1.0/
Sokri, A. (2019, July). Cyber Security Risk Modelling and Assessment: A Quantitative Approach. In ECCWS 2019 18th European Conference on Cyber Warfare and Security (p. 466). Academic Conferences and Publishing Limited.
The 5 Pillars of Information Assurance. (n.d.). Retrieved October 20, 2020, from https://online.norwich.edu/academic-programs/resources/the-5-pillars-of-information-assurance.
Ullah, F., Edwards, M., Ramdhany, R., Chitchyan, R., Babar, M. A., & Rashid, A. (2018). Data exfiltration: A review of external attack vectors and countermeasures. Journal of Network and Computer Applications, 101, 18-54.
Question
Digital Forensic Compilation Report-Out
In this step, your team’s digital forensic investigator will collaborate to create a Compilation Report-Out of at least 20 pages on the information and data gathered through the projects and steps of this course.
Use the attached lab reports to complete this assignment.