Network security at technology firms, institutions, and companies is crucial and requires sustained attention to keep systems secure from both internal and external attacks. Many firms and institutions have adopted Bring Your Own Device (BYOD) programs, and these programs have introduced serious network security threats. Because of those threats, this Cybersecurity Incident Report (CIR) analyzes the network access points of High Tech Company's systems, identifies vulnerabilities and the threats they pose, and sets out actionable procedures to prevent future attacks. The company's systems have been attacked from employee laptops attempting to leverage a PHP vulnerability capable of causing unauthorized disclosure of information. Such attacks highlight the need for the company to improve its BYOD policies and to strengthen the security monitoring and management of its networks.
Improving the BYOD policy and the wireless environment so that network monitoring and protection are enhanced requires several security measures. First, the company needs an improved response capability for rogue access points and malicious activity. Second, it needs a remote configuration management system to manage, control, and secure the network devices. With these actions in place, the company's networks will be far better protected from internal and external attacks, particularly those stemming from employee misconduct under the BYOD program.
Wireless and BYOD Security Plan
Many companies have implemented a Bring Your Own Device (BYOD) policy that permits employees to bring their own devices, particularly laptops, to work. These devices are allowed onto the company network, and the company saves the cost of purchasing hardware that employees already own. However, in the rush to grant these devices network access, some companies make mistakes in the security configurations and monitoring processes that would otherwise help detect threats arriving through the new access points. According to Souppaya and Scarfone (2012) of the National Institute of Standards and Technology (NIST) and Scarfone Cybersecurity respectively, managing WLAN security requires both vulnerability monitoring and attack monitoring, which most firms tend to neglect. To identify security gaps in the company networks, the systematic process of the Cyber Kill Chain should be considered. According to Hutchins, Cloppert and Amin (2011), the Cyber Kill Chain methodology ensures that security decisions and measures are based on a clear understanding of the adversary. The following figure shows the phases of the Cyber Kill Chain.
Figure: Phases of the Cyber Kill Chain. Source: Poppy, 2019
The Cyber Kill Chain is useful for examining likely intruder patterns phase by phase. A network attack passes through seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives (Poppy, 2019). By mapping observed activity onto these stages, defenders can anticipate the intruder's next action and protect the targets. The reconnaissance stage is difficult to detect because it need not involve any direct interaction with the target network; intruders research the company's employees through social media sites or affiliated groups. In the weaponization stage the intruders build a payload, typically by pairing an exploit for a known vulnerability with a backdoor, that they expect will give them access (Poppy, 2019). The delivery stage gets that payload to the target, for example through a malicious email link or an external drive. In the exploitation stage the delivered code runs on the victim system, which leads to the installation of malware and the establishment of a command and control channel. Once the malware is installed, the intruder has remote access and can carry out actions on objectives.
Rogue access points and unauthorized devices are the major sources of threats to the company's Wireless Local Area Network (WLAN). Both can cause severe damage to the network infrastructure when the company lacks measures to detect and block intruder devices from joining the network. Intruders with unauthorized devices commonly use Denial of Service (DoS) attacks to block authorized users from the network and employ eavesdropping to obtain confidential data. To detect unauthorized devices on the network, an Intrusion Prevention System (IPS) should be in place to raise alerts in case of intrusion. Cisco Identity Services Engine (ISE) has also been effective in detecting unauthorized devices and enforcing policy and management decisions (Cisco Systems, 2018). Further, Cisco ISE can quarantine identified unauthorized devices so that they cannot reach the network until they have been reviewed. Rogue access points expose the network to man-in-the-middle and denial of service attacks. Most networks identify authorized access points by MAC address (BSSID) combined with encryption-based validation; however, a rogue access point can imitate an authorized one, presenting the same SSID and even the same BSSID, so that clients authenticate to it believing the connection is secure (Juniper Networks, 2019). For identifying rogue access points, Cisco Adaptive Wireless Intrusion Prevention System (wIPS) has been identified as an effective tool (Cisco Systems, 2008).
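As an added example, not part of the original report and not taken from any Cisco product, the following Python script shows the core check a wIPS performs when it classifies access points: every BSSID seen in a scan is compared against an inventory of authorized APs, and any radio advertising a corporate SSID from an unknown BSSID is flagged as an evil twin (encrypted) or an open look-alike (unencrypted). The corporate SSIDs, the inventory, and the scan entries are constructed for illustration.

```python
"""Rogue and evil-twin access point detection from a wireless scan.

Added example, not from the original report or from any Cisco product.
The authorized-AP inventory and the scan results below are constructed;
in practice they come from the WLAN controller and from wIPS sensors.
"""
from dataclasses import dataclass

# Constructed corporate SSIDs and authorized APs (BSSID -> SSID, channel).
CORPORATE_SSIDS = {"HighTech-Corp", "HighTech-Guest"}
AUTHORIZED_APS = {
    "00:1a:2b:3c:4d:01": ("HighTech-Corp", 36),
    "00:1a:2b:3c:4d:02": ("HighTech-Guest", 36),
    "00:1a:2b:3c:4d:03": ("HighTech-Corp", 1),
}


@dataclass(frozen=True)
class ScanEntry:
    bssid: str
    ssid: str
    channel: int
    privacy: bool  # beacon Privacy bit: True if WEP/WPA/WPA2 is advertised


def classify_ap(entry: ScanEntry) -> str:
    """Classify one scanned AP against the inventory.

    authorized      known BSSID advertising the SSID we expect
    spoofed_bssid   known BSSID advertising the wrong SSID (misconfig or impostor)
    evil_twin       corporate SSID, encrypted, from an unknown radio
    open_lookalike  corporate SSID, unencrypted, from an unknown radio
    unknown         foreign SSID: a neighbor, or a rogue if it is on our wire
    """
    bssid = entry.bssid.lower()
    if bssid in AUTHORIZED_APS:
        expected_ssid, _channel = AUTHORIZED_APS[bssid]
        return "authorized" if entry.ssid == expected_ssid else "spoofed_bssid"
    if entry.ssid in CORPORATE_SSIDS:
        return "evil_twin" if entry.privacy else "open_lookalike"
    return "unknown"


def find_rogues(scan):
    """Return (bssid, verdict) for every entry that is neither authorized nor merely unknown."""
    flagged = []
    for entry in scan:
        verdict = classify_ap(entry)
        if verdict not in ("authorized", "unknown"):
            flagged.append((entry.bssid.lower(), verdict))
    return flagged


# Constructed scan: a legitimate AP, an evil twin on another channel, an open
# look-alike, a known BSSID advertising the wrong SSID, and a neighbor's AP.
SAMPLE_SCAN = [
    ScanEntry("00:1a:2b:3c:4d:01", "HighTech-Corp", 36, True),
    ScanEntry("AA:BB:CC:DD:EE:FF", "HighTech-Corp", 6, True),
    ScanEntry("de:ad:be:ef:00:01", "HighTech-Corp", 11, False),
    ScanEntry("00:1a:2b:3c:4d:02", "HighTech-Corp", 36, True),
    ScanEntry("11:22:33:44:55:66", "CoffeeShop", 1, True),
]

if __name__ == "__main__":
    for bssid, verdict in find_rogues(SAMPLE_SCAN):
        print(f"{bssid}: {verdict}")
```

A radio scan alone cannot distinguish a neighboring business's AP from a rogue that an employee has plugged into the corporate LAN; commercial wIPS products add a wired-side check (whether the AP's MAC, or the MACs of its clients, show up in the switches' address tables), and that check is what turns an "unknown" verdict into a containment action.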
Tracking Suspicious Behavior
To track and detect suspicious activities launched by specific employees on the network, a combination of MAC address recognition and verification of which access point (AP) the device associated with should be used (Hoffman, 2019). Because a MAC address can be spoofed, more than one tracking method must be employed so that the attribution is accurate. In addition, most devices used under the Bring Your Own Device (BYOD) policy carry GPS receivers, which makes it easy to establish the geographical location of a device for verification. A device can therefore be located through GPS and Wi-Fi positioning, after which remote configuration management can be used to access the device and examine the user's activities in depth. For full disclosure, employees must sign and agree to the terms of BYOD access before it is granted, and most companies have no legal concerns with this procedure. Employees agree to the activities that are permitted and not permitted and consent to the tracking of their devices.
Permitting privately owned devices also raises the possibility of identity theft. Victims of identity theft suffer the compromise of confidential information such as banking details, social security numbers, and addresses, all of which may be stored on the devices introduced to the network. Employees should therefore take precautions to protect their identities on the network and limit the amount of personal information kept on these devices. MAC spoofing is one attack that can lead to identity theft: the intruder impersonates a target device by copying its unique MAC address (Hoffman, 2019). The purpose of MAC spoofing is to inherit the access granted to the legitimate device and to blend into normal traffic, so that standard MAC-based detection and attribution no longer single the intruder out. To obtain the MAC address in the first place, the intruder typically eavesdrops on wireless traffic, since MAC addresses are carried unencrypted in the header of every 802.11 frame, so the device's owner is usually unaware that the address has been captured.
MAC spoofing can be countered through security systems such as Cisco Adaptive wIPS and Cisco ISE, which can identify and track suspicious behavior on the network (Cisco, 2020). These systems build a profile for each device from its traffic patterns and activities on the network. For instance, if a device that has been profiled on the WLAN suddenly appears on Ethernet with a different fingerprint, the system detects the change and applies the appropriate action to prevent any activity that would violate established policies. This allows an attack to be stopped before the intruder causes damage. However, because attacks vary, it is also recommended to maintain a whitelist of approved equipment. The whitelist acts as the gatekeeper of the network, ensuring that only permitted devices gain access. Cisco Identity Services Engine can create device profiles that enforce the whitelist (Cisco, 2020). Any device that is not on the whitelist is denied access by default, because it is unknown and has no profile on the network. A whitelist alone does not defeat MAC spoofing, since the spoofed address is on the list; it must be paired with the profiling and behavioral checks described above.
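The following Python script is an added example, not part of the original report and not Cisco ISE logic. It combines the whitelist from this paragraph with two of the spoofing indicators described above: a whitelisted MAC whose device fingerprint changes, and a MAC that associates to access points at two different sites within seconds. The whitelist, the AP-to-site map, and the association log lines (timestamp, MAC, AP name, DHCP vendor class) are all constructed.

```python
"""Whitelist enforcement and MAC-spoofing indicators from association logs.

Added example, not from the original report and not Cisco ISE logic. It
applies three checks to constructed log lines (timestamp, MAC, AP, DHCP
vendor class):
  1. a MAC that is not on the approved list is denied;
  2. an approved MAC whose DHCP fingerprint changes is flagged, since a
     spoofer copies the address but rarely the operating system behind it;
  3. one MAC associated to APs at two different sites within a short window
     is flagged, because a single device cannot be in both places.
"""
from datetime import datetime, timedelta

# Constructed whitelist: MAC -> expected DHCP vendor-class fingerprint.
WHITELIST = {
    "3c:22:fb:10:aa:01": "MSFT 5.0",
    "3c:22:fb:10:aa:02": "MSFT 5.0",
    "f0:18:98:44:bb:03": "android-dhcp-11",
}

# Constructed AP inventory: AP name -> site (two buildings; nobody walks between them in 30 s).
AP_SITE = {"AP-HQ-1F": "HQ", "AP-HQ-2F": "HQ", "AP-Annex-1F": "Annex"}

# Constructed association log.
SAMPLE_LOG = """\
2020-03-02T22:10:01 3c:22:fb:10:aa:01 AP-HQ-1F MSFT 5.0
2020-03-02T22:10:05 f0:18:98:44:bb:03 AP-HQ-2F android-dhcp-11
2020-03-02T22:10:09 3c:22:fb:10:aa:01 AP-Annex-1F dhcpcd-8.1.2
2020-03-02T22:11:30 02:00:00:00:00:99 AP-HQ-1F MSFT 5.0
2020-03-02T22:12:00 3c:22:fb:10:aa:02 AP-HQ-1F MSFT 5.0
2020-03-02T22:12:20 3c:22:fb:10:aa:02 AP-HQ-2F MSFT 5.0
"""


def parse_line(line: str):
    """Split one log line into (timestamp, mac, ap, fingerprint)."""
    ts, mac, ap, fingerprint = line.split(" ", 3)
    return datetime.fromisoformat(ts), mac.lower(), ap, fingerprint


def analyze(log_text: str, roam_window: timedelta = timedelta(seconds=30)):
    """Return a list of (mac, reason) alerts in log order."""
    alerts = []
    last_seen = {}  # mac -> (timestamp, ap) of the previous association
    for line in log_text.strip().splitlines():
        ts, mac, ap, fingerprint = parse_line(line)
        if mac not in WHITELIST:
            alerts.append((mac, "deny_not_whitelisted"))
            continue
        if fingerprint != WHITELIST[mac]:
            alerts.append((mac, "fingerprint_mismatch"))
        prev = last_seen.get(mac)
        if prev is not None:
            prev_ts, prev_ap = prev
            # Same site within the window is a normal roam; a different site is not.
            if AP_SITE[prev_ap] != AP_SITE[ap] and ts - prev_ts <= roam_window:
                alerts.append((mac, "impossible_roam"))
        last_seen[mac] = (ts, ap)
    return alerts


if __name__ == "__main__":
    for mac, reason in analyze(SAMPLE_LOG):
        print(f"{mac}: {reason}")
```

In the sample, the laptop 3c:22:fb:10:aa:01 is seen at headquarters and then, eight seconds later, at the annex with a Linux DHCP fingerprint instead of its usual Windows one: two independent signals that a second device is using its address. The device 3c:22:fb:10:aa:02 roaming between two headquarters APs twenty seconds apart raises nothing, which is the behavior a real profiling system needs to preserve to avoid alert fatigue.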
Continuous Improvement Plan
To improve network security, companies must review their current network protocols to determine which updates are needed. Three security protocols are in common use for Wi-Fi connectivity: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and Wi-Fi Protected Access 2 (WPA2). Of the three, WPA2 is the most secure and WEP the least. WEP uses the RC4 stream cipher with a standard 40-bit key (104-bit in later implementations) and a 24-bit initialization vector for randomization (Computer Networking Notes, 2018); the short initialization vector and known RC4 weaknesses allow WEP keys to be recovered in minutes, so WEP should not be used at all. WPA was released as an interim upgrade to WEP and uses the Temporal Key Integrity Protocol (TKIP), still built on RC4, with per-packet keys derived from a 256-bit pairwise master key. WPA2 uses the Advanced Encryption Standard (AES) in the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) (Scarpati, 2017). The block cipher protects the confidentiality of data on the network while CCMP's message authentication code ensures the integrity of frames as they travel across it. WPA3, published in 2018, supersedes WPA2 and should be preferred wherever client devices support it.
Wi-Fi Protected Access 2 (WPA2) supports two authentication modes, Personal and Enterprise (Computer Networking Notes, 2018). In Personal mode the encryption scheme relies on a pre-shared key (PSK): a single passphrase serves as the pre-approved credential for the whole network, and individual users do not authenticate separately under the IEEE 802.11i standard (Arana, 2006). Because every user shares the same secret, a captured four-way handshake can be used to test passphrase guesses offline. Enterprise mode, by contrast, authenticates each user individually based on IEEE 802.1X and derives a unique pairwise master key for each session from the EAP exchange. For the network to be FIPS 140-2 compliant, WPA2 Enterprise with 802.1X authentication must be implemented, with key derivation that relies on FIPS-approved algorithms (NIST, 2001).
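The script below is an added example, not part of the original report, that demonstrates why Personal mode is the weaker of the two: the pairwise master key is nothing more than PBKDF2-HMAC-SHA1 over the passphrase and SSID, so anyone who has captured a four-way handshake can test guesses offline. The corporate SSID, passphrase, and wordlist are constructed; the first test vector is the reference vector published in the IEEE 802.11i specification.

```python
"""WPA/WPA2-Personal key derivation and an offline passphrase guess.

Added example, not from the original report. It shows the weak point of
Personal mode: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations,
32 bytes), so every client shares one secret and anyone holding a captured
four-way handshake can test guesses offline at leisure. In Enterprise mode
the PMK is produced by the per-user EAP exchange and there is nothing shared
to guess. The SSID and wordlist below are constructed.
"""
import hashlib


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pairwise master key as IEEE 802.11i defines for PSK mode."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def guess_passphrase(target_pmk: bytes, ssid: str, candidates):
    """Offline dictionary attack: the first candidate whose PMK matches, else None."""
    for candidate in candidates:
        if wpa_pmk(candidate, ssid) == target_pmk:
            return candidate
    return None


# Reference test vector from the IEEE 802.11i specification:
# passphrase "password", SSID "IEEE".
IEEE_VECTOR = bytes.fromhex(
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
)

if __name__ == "__main__":
    assert wpa_pmk("password", "IEEE") == IEEE_VECTOR
    # A network keyed with a guessable passphrase falls to a tiny wordlist.
    pmk = wpa_pmk("HighTech2020", "HighTech-Corp")
    print(guess_passphrase(pmk, "HighTech-Corp", ["password", "Welcome1", "HighTech2020"]))
```

The 4096 iterations slow each guess down but do not stop a determined attacker with GPU hardware, which is why the only real defenses in Personal mode are a long random passphrase and rotation when an employee leaves. Enterprise mode removes the problem: the key material never depends on a secret shared across the whole organization.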
Beyond the three Wi-Fi security protocols, other wireless technologies in use at the company should also be considered: ZigBee, Bluetooth, and Worldwide Interoperability for Microwave Access (WiMAX) (Ray, 2017). Bluetooth is used for sending data over short distances and is common on users' tablets and phones. It is attractive because its low-power radio does not drain the battery, but its limited range can cause connectivity interruptions because of the small coverage area. ZigBee offers an inexpensive, low-power option designed for machine-to-machine (M2M) networks (Ray, 2017). Its ability to conserve power makes it well suited to smart-home networks; its disadvantage is that ZigBee devices cannot communicate directly with devices that use other protocols, such as Wi-Fi or Bluetooth, without a gateway. WiMAX can reach about thirty miles, though its signal degrades both indoors and outdoors. These technologies are not substitutes for WPA2: they are separate link technologies, each with its own security mechanisms, and any of them that the company deploys must be secured and monitored on its own terms. For the WLAN itself, WPA2 (or WPA3 where supported) remains the right choice because it is the most secure, while ZigBee, Bluetooth, and WiMAX can complement it where their combination of range, power consumption, and speed is required for effective operations.
Remote Configuration Management
Remote Configuration Management (RCM) is the capability to manage configuration and enforce policies on a device without direct console access to it (Williams, 2014). With remote access, administrators can push antivirus signatures, security patches, and software updates without the delay of having to be physically at the device. The company's Bring Your Own Device policies should require Remote Configuration Management so that, when a threat or vulnerability is detected on the network, immediate action can be taken to prevent damage. RCM also ensures that required security patches are applied without relying on any action by the device's user, which makes securing the company network far more efficient.
Remote Configuration Management applies only to the devices on the company whitelist, so if an undocumented device is found to have accessed the network, RCM cannot remotely disable it or cut off its access. The undocumented device will instead be identified by the Intrusion Prevention System and Cisco Identity Services Engine, which can quarantine it for further review. If suspicious activity is detected from a known device belonging to a company employee, RCM can stop it by disabling the device and blocking its network access. RCM also lets the company's security staff dig deeper to identify the root cause of the attack, providing the information needed to determine who initiated the intrusion and whether it was internal or external (Williams, 2014).
An ad hoc wireless network is a peer-to-peer network of separate computing devices, known as nodes, that are connected without a central infrastructure device such as a router (Pinola, 2018). Such a network is a threat to network security because there is no central authority to verify that the devices joining it are non-threatening. Since an ad hoc network is peer to peer, the devices must be within range of one another, have their adapters configured for ad hoc mode, and share the same Service Set Identifier (SSID) (Pinola, 2018). Ad hoc networks are prone to intrusions such as denial of service (DoS) and eavesdropping and therefore require additional protection to counter their inherent risks. Because each device in an ad hoc network must hold the symmetric keys of its neighbors to communicate, the scheme does not make the device secure; rather, it leaves every device holding keys that can be extracted through hardware tampering. Allowing ad hoc networks would therefore weaken the company's overall network security, raise security costs, and cost the company full control over its network users, so employee devices should be prevented from forming or joining them.
Isolating a device after a future incident becomes considerably more difficult when an ad hoc network uses signal hiding. Signal hiding suppresses the broadcast of the network's Service Set Identifier (SSID), so a device connecting to the network must already know the SSID, an identifier of up to 32 characters. A further step is to reduce transmit power to the lowest level that still covers the physical location or designated area of the base station. Neither measure is a genuine security control: a hidden SSID is still transmitted in the clear in probe and association frames, so an eavesdropper recovers it as soon as any client connects. Countering signal hiding in the company therefore requires configuring Cisco Identity Services Engine, together with the wireless sensors that feed it, to monitor for traffic from networks that do not advertise their SSID and to flag the resulting anomalies.
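The two preceding paragraphs describe ad hoc networks and hidden SSIDs in terms of how the devices behave over the air; both properties are visible in every beacon frame. The Python script below, an added example that is not part of the original report, parses the fixed fields and SSID element of an 802.11 beacon frame body and flags ad hoc (IBSS) networks, hidden SSIDs, and networks with no encryption at all. The frame bodies are constructed by hand rather than captured; the layout of the fields follows the 802.11 standard.

```python
"""Parse 802.11 beacon frame bodies and flag ad hoc (IBSS), hidden-SSID and
open networks.

Added example, not from the original report. The frame bodies are constructed
by hand; in practice they would come from a monitor-mode capture. Only the
fixed fields (timestamp, beacon interval, capability) and the SSID element are
interpreted, laid out exactly as the standard specifies.
"""
import struct

CAP_ESS = 0x0001      # infrastructure BSS: the sender is an access point
CAP_IBSS = 0x0002     # independent BSS: an ad hoc network
CAP_PRIVACY = 0x0010  # data confidentiality (WEP/WPA/WPA2) required


def build_beacon_body(ssid: bytes, capability: int, interval: int = 100) -> bytes:
    """Assemble fixed fields plus an SSID element (used to construct samples)."""
    fixed = struct.pack("<QHH", 0, interval, capability)  # timestamp, interval, capability
    return fixed + bytes([0, len(ssid)]) + ssid


def parse_beacon_body(body: bytes) -> dict:
    """Extract beacon interval, capability and SSID from a beacon frame body."""
    _timestamp, interval, capability = struct.unpack_from("<QHH", body, 0)
    ssid = None
    offset = 12
    while offset + 2 <= len(body):            # walk the tagged elements
        tag, length = body[offset], body[offset + 1]
        data = body[offset + 2: offset + 2 + length]
        if tag == 0:                           # element ID 0 is the SSID
            ssid = data
        offset += 2 + length
    return {"interval": interval, "capability": capability, "ssid": ssid}


def classify_beacon(body: bytes) -> list:
    """Return findings for one beacon: any of 'adhoc', 'hidden_ssid', 'open'."""
    info = parse_beacon_body(body)
    cap, ssid = info["capability"], info["ssid"]
    findings = []
    if cap & CAP_IBSS and not cap & CAP_ESS:
        findings.append("adhoc")
    if not ssid or set(ssid) == {0}:           # absent, zero-length or all-NUL SSID
        findings.append("hidden_ssid")
    if not cap & CAP_PRIVACY:
        findings.append("open")
    return findings


# Hand-written beacon body: timestamp 0, interval 100 TU, capability ESS|Privacy,
# SSID "test", supported rates 1/2/5.5/11 Mbit/s.
RAW_BEACON = bytes.fromhex(
    "0000000000000000" "6400" "1100" "0004" "74657374" "0104" "82848b96"
)

# Constructed samples: a corporate AP, an open laptop-to-laptop ad hoc network,
# and an AP hiding its SSID.
SAMPLES = {
    "corporate": build_beacon_body(b"HighTech-Corp", CAP_ESS | CAP_PRIVACY),
    "adhoc_open": build_beacon_body(b"laptop-share", CAP_IBSS),
    "hidden": build_beacon_body(b"", CAP_ESS | CAP_PRIVACY),
}

if __name__ == "__main__":
    print(parse_beacon_body(RAW_BEACON))
    for name, body in SAMPLES.items():
        print(name, classify_beacon(body))
```

A sensor running this check over a monitor-mode capture catches an employee laptop that has started an ad hoc network the moment it beacons, well before any peer connects; the hidden-SSID finding marks beacons whose owner must be identified from the probe and association frames that follow.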
Upon hiring, employees are briefed on the importance of network security and on how their conduct on the network influences the company's decisions. Verifying that employees have been active outside business hours requires a review of network activity. With an Intrusion Prevention System, the attack is easy to identify from the massive number of HTTP requests the employees issued in a short time, far beyond normal traffic patterns. The system should detect and alert on the malicious activity; once the alert has been reviewed and verified, the user is immediately denied network access. The source IP address captured from the attack can then be used to identify the AP the device was connected to, disable it, and locate the device.
Wireless Traffic Analysis
To analyze the intrusion into the company network, Wireshark, the most widely used packet analysis tool, was used. The source IP address 22.214.171.124 was attempting to authenticate against the destination IP 10.0.250.161. The capture showed more than 6,000 lost packets per attempt, indicating a problem on the network. Once the source IP was identified, it was found to have targeted six destination IP addresses in total, searching for any gap in the company network. This activity triggered a malicious-traffic alert because of the types of server requests and the volume received: in just a few minutes the intruder sent roughly twenty-five thousand requests to the web server, all of them GET requests. The recorded requests included attempts to access .htpasswd, .mysql_history, configuration files, and .htaccess; exposure of these files reveals credentials and server configuration and can lead to privilege escalation. Had the intruder succeeded, it would also have been possible to launch a denial of service (DoS) attack that prevents security staff from being notified of the intrusion itself, allowing the intruder to operate unnoticed. The files the intruder tried to access are critical to the security of the company networks, and it is likely that the attacker was probing the network to identify a better method for a future attack. The intruder also tried to access WordPress content such as callout information and calendars, which indicates that the intruder was not merely breaking into the network but seeking information with the intent of selling proprietary data, causing further financial damage and harming the company's reputation with clients.
After the intruder's IP address was identified, it was straightforward to examine the attack in detail by applying a Wireshark display filter (for example ip.src == 22.214.171.124) to isolate the traffic from that address. Roughly sixty thousand connection attempts were made from the source IP to a single destination IP address within one minute, excluding the attempts against the remaining five destination addresses. This shows how rapidly the attack unfolded and underlines the need for a Bring Your Own Device (BYOD) policy that addresses potential attacks and threats proactively. Taken together, this information confirms that a genuine threat was directed against the company networks in an attempt to reach protected data. The intruder most likely received only standard web server error responses, but the major concern is that the intruder may have identified a gap in the company's network security to exploit later.
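The detection the report attributes to the Intrusion Prevention System in the Tracking Suspicious Behavior section, and the pattern found in the Wireshark review above (a burst of GET requests from one source, many of them for credential and configuration files), can be reproduced directly from the web server's access log. The Python script below is an added example, not part of the original report: it reads Apache-style log lines, computes each source's peak request rate in a sliding one-minute window, counts probes for sensitive files, and flags sources that exceed illustrative thresholds. The log lines are generated inside the script and are constructed; the intruder address and probed paths mirror those named above.

```python
"""Detect a web scanner in access-log lines: per-source request rate in a
sliding one-minute window plus probes for sensitive files.

Added example, not from the original report. The Apache-style log lines are
generated here (constructed), mirroring the burst of GET requests and the
.htpasswd/.htaccess/.mysql_history probes described in the report; the
thresholds are illustrative and would be tuned to the site's normal traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Files whose disclosure hands over credentials or server configuration.
SENSITIVE = re.compile(r"(\.htpasswd|\.htaccess|\.mysql_history|wp-config\.php|config\.php)$")

RATE_THRESHOLD = 60   # requests from one source in any 60 s window
PROBE_THRESHOLD = 3   # sensitive-file probes from one source


def make_sample_log() -> str:
    """Constructed log: one scanner bursting 120 requests in 30 s, one normal user."""
    base = datetime(2020, 3, 2, 22, 14, 0, tzinfo=timezone.utc)
    probes = ["/.htpasswd", "/.htaccess", "/.mysql_history",
              "/wp-config.php", "/wp-content/calendar/", "/index.php"]
    lines = []
    for i in range(120):
        ts = (base + timedelta(seconds=i // 4)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'22.214.171.124 - - [{ts}] "GET {probes[i % 6]} HTTP/1.1" 404 209')
    lines.append('10.0.20.15 - - [02/Mar/2020:22:14:05 +0000] "GET /index.php HTTP/1.1" 200 5123')
    return "\n".join(lines)


def max_per_window(times, window=timedelta(seconds=60)) -> int:
    """Largest number of requests falling inside any sliding window."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text: str) -> dict:
    """Return per-source statistics and a flagged verdict."""
    per_ip = defaultdict(lambda: {"times": [], "sensitive_hits": 0, "get": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        rec = per_ip[m["ip"]]
        rec["times"].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
        rec["get"] += m["method"] == "GET"
        rec["sensitive_hits"] += bool(SENSITIVE.search(m["path"]))
    report = {}
    for ip, rec in per_ip.items():
        rate = max_per_window(rec["times"])
        report[ip] = {
            "requests": len(rec["times"]),
            "get_requests": rec["get"],
            "max_per_minute": rate,
            "sensitive_hits": rec["sensitive_hits"],
            "flagged": rate > RATE_THRESHOLD or rec["sensitive_hits"] >= PROBE_THRESHOLD,
        }
    return report


if __name__ == "__main__":
    for ip, stats in analyze(make_sample_log()).items():
        print(ip, stats)
```

Either signal on its own is enough to flag the scanner in this sample, which is deliberate: a slow scanner that spreads its probes over hours evades the rate check but not the sensitive-path check, while a fast crawler that never touches protected files trips only the rate check and deserves a lower-severity alert. The same two measures can be taken from a Wireshark capture with the http.request filter when no server log is available.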
With the review of the company's network security infrastructure complete, the company must upgrade its network security policy to include the protocols and procedures needed to ensure that the Bring Your Own Device policy does not create loopholes for intrusion. Implementing Cisco Adaptive Wireless Intrusion Prevention System, Cisco Identity Services Engine, and AP scanning configurations is important for securing the company's access points. Implementing a Remote Configuration Management System will give the company the control needed to manage and secure devices connecting to the network from any location, improving its ability to respond efficiently when malicious activity is detected. With these updates in place, the Bring Your Own Device policy will address the threats that were previously unmitigated, improve the company's overall security posture, and make the probability of a successful intrusion minimal, which is the ultimate objective. As the company moves forward, the network security team must learn from these events and remain proactive in ensuring that security needs are properly considered so as to prevent future intrusions.