The objective of this report is to examine the traffic of the Bank of Maryland network infrastructure. A review of the bank network was requested after an increase in intrusion activity targeting financial services. The bank's Information Technology Department has observed potential attacks that are seriously disrupting its network, halting almost all online banking activity and affecting thousands of customers. This report therefore discusses the bank's network architecture, the threats it faces, the techniques that can be employed to deter those threats, and recommendations for the general improvement of the bank's systems.
Network Architecture Overview
The Bank of Maryland has a robust network infrastructure, although it can be improved to counter new cybersecurity threats. The bank has a border router that provides access to the internet and forms the first line of defense with its built-in security features. Behind the border router is a firewall that filters traffic and blocks traffic that matches its filtering rules. The bank has also implemented an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) against unauthorized access by intruders: the IDS monitors the network and reports suspicious activity, while the IPS can also block threats inline (Yadav, 2020). Information transmitted over the internet is broken into small packets because it is easier and faster to transfer numerous small packets than one large message. The essential innovation that allows messages to be transmitted quickly across a network is breaking each message into small fragments and sending each piece individually (Severance, 2015). In networking terms, these fragments are called packets. Each packet carries a source and a destination address that routes it to the intended destination (Pressbooks, 2020). When an enormous number of packets from various sources move simultaneously, they may take different routes, so they will not necessarily arrive at the destination in order. Below are the data transmission components that have been designated to be monitored.
User Datagram Protocol (UDP): An application on a network may want to send messages to a specific application or process on another host. UDP accomplishes this by providing a datagram means of communication between applications on Internet hosts. UDP uses destination protocol ports, identified by positive integers, to direct messages to one of multiple destinations on a host, because senders do not know which processes are active at any given moment (IBM Knowledge Center, 2020). The protocol ports receive and hold messages in queues until the applications on the receiving host retrieve them. Since UDP relies on the underlying IP to send its datagrams, it offers the same connectionless delivery as IP: it gives no assurance of datagram delivery and no protection against duplication. It does, however, allow the sender to specify source and destination port numbers, and it carries a checksum over the data. These two features let the sending and receiving applications direct a message to the right process and detect whether it was corrupted in transit; they do not guarantee that it arrives.
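As an added example (not part of the original report), the Python below assembles and parses a UDP segment and verifies its checksum as defined in RFC 768. Because the checksum is computed over an IPv4 pseudo-header as well as the UDP header and payload, a segment whose payload or source address has been altered fails verification, which is exactly the limited guarantee the paragraph describes: correct addressing and corruption detection, not delivery. The 10.x addresses, port numbers and payload are constructed for illustration and do not describe the bank's network.

```python
"""Build, parse and checksum-verify a UDP datagram (RFC 768).

Added example, not taken from the report. Addresses, ports and payload are
constructed; nothing here describes the Bank of Maryland network.
"""
import ipaddress
import struct

UDP_PROTOCOL = 17
UDP_HEADER_LEN = 8


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry, as used by IP/UDP/TCP."""
    if len(data) % 2:
        data += b"\x00"  # odd-length input is padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_length: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero byte, protocol, UDP length."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, UDP_PROTOCOL, udp_length))


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Return a UDP segment (header + payload) with a valid checksum."""
    length = UDP_HEADER_LEN + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)  # checksum field zero while summing
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + header + payload)
    checksum = (~total) & 0xFFFF
    if checksum == 0:
        checksum = 0xFFFF  # RFC 768: a computed zero is transmitted as all ones
    return struct.pack("!HHHH", sport, dport, length, checksum) + payload


def parse_udp(segment: bytes) -> dict:
    """Split a UDP segment into its header fields and payload."""
    if len(segment) < UDP_HEADER_LEN:
        raise ValueError("segment shorter than a UDP header")
    sport, dport, length, checksum = struct.unpack("!HHHH", segment[:UDP_HEADER_LEN])
    return {"sport": sport, "dport": dport, "length": length,
            "checksum": checksum, "payload": segment[UDP_HEADER_LEN:length]}


def verify_udp(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """True if the length field is consistent and the checksum covers the segment intact."""
    fields = parse_udp(segment)
    if fields["length"] != len(segment):
        return False  # truncated or padded segment
    if fields["checksum"] == 0:
        return True   # IPv4 permits an absent checksum; there is nothing to verify
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, fields["length"]) + segment)
    return total == 0xFFFF  # with a correct checksum the full sum is all ones


if __name__ == "__main__":
    good = build_udp("10.1.2.3", "10.1.2.53", 40000, 53, b"constructed query")
    print(parse_udp(good), verify_udp("10.1.2.3", "10.1.2.53", good))
    tampered = good[:UDP_HEADER_LEN] + b"C" + good[UDP_HEADER_LEN + 1:]
    print(verify_udp("10.1.2.3", "10.1.2.53", tampered))
```

A zero checksum field means the sender omitted the checksum, which IPv4 allows, so verify_udp has nothing to check and returns True; a monitoring rule for the bank's DNS or other UDP services might instead treat checksum-less datagrams as suspicious.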
Transmission Control Protocol/Internet Protocol (TCP/IP): According to Rouse (2020), TCP/IP is a suite of communication protocols used to interconnect network devices on the internet. It can also be used as the communications protocol in a private computer network. The complete Internet Protocol Suite is a set of rules and procedures commonly referred to as TCP/IP, after its two main protocols. The TCP/IP protocol suite operates as an abstraction layer between internet applications and the routing/switching fabric. It specifies how data is exchanged over the internet by offering end-to-end communications that define how data should be broken into packets, addressed, routed, transmitted, and received at the destination. It needs little central management, and it is designed to make networks reliable, with the ability to recover automatically from the failure of any device on the network (Rouse, 2020).
Internet packets: Currently, people and businesses transfer billions of messages electronically every day, with messages sent and delivered in seconds. To achieve this high-speed delivery, message contents and control information are packaged into small units called Internet packets. These Internet packets are also referred to as data packets and are formatted, addressed, and sent using common Internet communication protocols such as TCP/IP.
IP address schemes: An IP address is a numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication. An IP address serves two key purposes: host or network interface identification and location addressing (Cisco, 2020).
[Network architecture diagram not reproduced] (Source: Unified Modelling Language, 2020)
For more than three decades, banks and credit unions have used firewalls as part of their network-perimeter defense to make security decisions efficiently and protect their networks from outside attacks. However, as technology and threats change, firewalls must also evolve. Financial institutions need processes in place to effectively discover, analyze, and understand cyber threats. Detection measures involve analyzing available information to determine whether an information system has been compromised, misused, or accessed by unauthorized individuals. Detection in banks may be enhanced through intrusion detection systems (IDSs), which act as a burglar alarm, alerting the bank or its service provider to potential external break-ins or internal misuse of the systems being monitored.
The difference between these technologies is that firewalls enforce security decisions and protect the bank's networks, whereas IDSs are threat detectors that alert the bank or its service provider to a potential external intrusion. When planning IP addressing for the network, it is essential to determine which network class is appropriate and then obtain a network number from the addressing authority (historically InterNIC). There are three classes of TCP/IP network number (A, B, and C), and each uses the 32-bit IP address space differently. The bank's IP addressing assignment model is based on a Class A network number because of its capacity to accommodate the most hosts; since the branches use private addressing, this corresponds to the RFC 1918 block 10.0.0.0/8, the only private block of Class A size. Classful allocation has since been replaced by classless (CIDR) addressing, so in practice the bank carves per-branch subnets out of that private block rather than obtaining a class from a registry. Setting up an IP addressing scheme also involves several cybersecurity risks. The number of machines varies at each branch, and each node on the wired and wireless networks is assigned an IP address by DHCP. Every branch is designated an IP addressing scheme that uses private addresses for both wired and wireless devices. According to the Wrinkled Brain Network (2018), the use of DHCP presents the risk of an attack that exhausts the pool of IP addresses at the DHCP server (DHCP starvation), after which a spoofed DHCP server can provision addresses with a redirected DNS server address and so control name resolution for the affected clients.
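The DHCP risk described above (address-pool exhaustion followed by a spoofed server handing out a redirected DNS address) can be watched for on the branch LAN. The following is an added example, not code from the report or from the cited article: it reads a constructed CSV summary of DHCP packets, of the kind that can be exported from tshark or tcpdump fields, and alerts on a burst of DHCPDISCOVERs from many distinct client MACs (starvation) and on any DHCPOFFER or DHCPACK from a host other than the authorized server. The MAC addresses, IP addresses, the authorized server 10.5.0.2 and the thresholds are assumptions.

```python
"""Detect DHCP starvation and rogue DHCP servers from a packet summary.

Added example, not from the report. The CSV record format (seconds, source MAC,
source IP, DHCP message type) is a constructed stand-in for a tshark/tcpdump
field export; the MACs, IPs and the authorized server 10.5.0.2 are assumptions.
"""
from collections import deque

AUTHORIZED_SERVERS = {"10.5.0.2"}  # assumption: the branch's only legitimate DHCP server
STARVATION_CLIENTS = 20            # this many distinct client MACs sending DISCOVER ...
STARVATION_WINDOW = 10.0           # ... within this many seconds is not normal for a branch


def parse_record(line: str):
    t, mac, ip, mtype = line.strip().split(",")
    return float(t), mac.lower(), ip, mtype.upper()


def detect(records):
    """Return alert strings for rogue-server offers and DISCOVER floods."""
    alerts = []
    recent = deque()            # (time, mac) of DISCOVERs inside the sliding window
    starvation_reported = False
    for line in records:
        if not line.strip() or line.startswith("#"):
            continue
        t, mac, ip, mtype = parse_record(line)
        # Only the authorized server may hand out leases; anything else is a rogue
        # server that can point clients at an attacker-controlled DNS resolver.
        if mtype in ("OFFER", "ACK") and ip not in AUTHORIZED_SERVERS:
            alerts.append(f"rogue DHCP server: {mtype} from {ip} ({mac}) at t={t:g}")
        if mtype == "DISCOVER":
            recent.append((t, mac))
            while recent and t - recent[0][0] > STARVATION_WINDOW:
                recent.popleft()
            distinct = {m for _, m in recent}
            if len(distinct) >= STARVATION_CLIENTS and not starvation_reported:
                alerts.append(f"possible DHCP starvation: {len(distinct)} distinct clients "
                              f"within {STARVATION_WINDOW:g}s ending t={t:g}")
                starvation_reported = True
    return alerts


# Constructed sample: three ordinary lease exchanges, then a burst of DISCOVERs from
# 25 fresh MACs in five seconds, then an OFFER from a host that is not the DHCP server.
SAMPLE = ["# time,mac,src_ip,type"]
for i in range(3):
    SAMPLE.append(f"{i * 10},aa:bb:cc:00:00:0{i + 1},0.0.0.0,DISCOVER")
    SAMPLE.append(f"{i * 10 + 0.5},00:50:56:00:00:01,10.5.0.2,OFFER")
SAMPLE += [f"{100 + i * 0.2:.1f},de:ad:be:ef:00:{i:02x},0.0.0.0,DISCOVER" for i in range(25)]
SAMPLE.append("106,02:00:00:00:00:99,10.5.1.99,OFFER")

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

On a real branch the same two checks belong in the switch (DHCP snooping with trusted ports) as well as in monitoring, since the detector above only observes; it cannot stop the rogue offer it reports.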
Well-known ports range from 0 to 1023, for example 22/SSH, 25/SMTP, 80/HTTP, and 443/HTTPS; each is conventionally allocated to a specific network protocol or service. Port numbers are 16-bit values (0 to 65535) used to distinguish the different applications and TCP/IP programs reachable at a single IP address. Services on these ports are exposed because they are always open and listening, so they are usually the first thing intruders target. Since so much traffic passes through them, port activity and traffic usage are heavily monitored for irregular traffic and unfamiliar usage (CCM, 2016).
[IP addressing scheme figure not reproduced] (Source: Oracle Corporation, 2010)
The Bank of Maryland's network was scanned for the following security breaches: spoofing/cache poisoning, man-in-the-middle, and session hijacking. Spoofing/cache poisoning is a type of attack targeting caching name servers in an effort to control the answers stored in the DNS cache. The attack has several variants, but they typically involve flooding the recursive server with forged DNS responses, changing the query ID in each response in the hope of guessing the right ID at just the right time. A man-in-the-middle attack happens when a malicious actor is positioned between two legitimate systems. The actor impersonates each system to the other and receives the data they share, while the authentic systems remain unaware of the interception (Publico, 2017). For instance, the attacker may open the mail while it is en route, steal its contents, and then release it looking as usual. Session hijacking involves taking control of an active TCP/IP communication session without the user's authorization. After successfully taking over the session, the attacker assumes the compromised user's identity and enjoys the same access to resources as that user. Common impacts of session hijacking are identity theft, information theft, and the theft of sensitive data.
Detecting a man-in-the-middle attack can be difficult if proper steps are not taken. Scrutinizing page authentication and implementing some form of tamper detection are typically the key procedures for detecting a potential attack, although these techniques may require extra forensic analysis after the fact (Rapid7, 2020). To protect systems against session hijacking, various intrusion detection tools and advanced techniques are used, such as the Cisco Intrusion Prevention System (IPS), the Cisco Intrusion Detection System (IDS), Cookie Monster, and wavelet-based detection, among others. For detecting spoofing attacks, it is essential to monitor DNS data and look for new patterns in the system, such as the appearance of a new external host, that could indicate the presence of an intruder (SolarWinds MSP, 2019).
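The two DNS signals in this section, a flood of forged responses guessing the query ID and the appearance of a new external host, can both be checked for in resolver logs. The following is an added example and not code from the report or from the cited sources: it replays a constructed log of queries the recursive server sent and responses it received, counts responses whose transaction ID matches no outstanding query, and flags answers that resolve a name to an address not in the known baseline. All names and addresses are made up; 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.

```python
"""Flag DNS cache-poisoning attempts and first-seen answers in a resolver log.

Added example, not from the report. The log format is constructed:
  "time,Q,txid,qname,upstream"  is a query the recursive server sent out, and
  "time,R,txid,qname,answer_ip" is a response it received.
All names and addresses are made up; 203.0.113.0/24 and 198.51.100.0/24 are
RFC 5737 documentation ranges.
"""
from collections import defaultdict

UNSOLICITED_THRESHOLD = 10  # forged answers per name before we call it a poisoning attempt


def analyze(log_lines, baseline):
    """baseline: qname -> set of answer IPs already known to be legitimate."""
    outstanding = defaultdict(set)   # qname -> transaction ids we are waiting on
    unsolicited = defaultdict(int)   # qname -> responses whose txid matched nothing
    seen = {name: set(ips) for name, ips in baseline.items()}  # copy; do not mutate input
    alerts = []
    for line in log_lines:
        if not line.strip() or line.startswith("#"):
            continue
        t, event, txid, qname, value = line.strip().split(",")
        txid = int(txid, 16)
        if event == "Q":
            outstanding[qname].add(txid)
        elif event == "R":
            if txid not in outstanding[qname]:
                # A response we never asked for: one is noise, a burst is an
                # attacker spraying guessed transaction ids at the resolver.
                unsolicited[qname] += 1
                if unsolicited[qname] == UNSOLICITED_THRESHOLD:
                    alerts.append(f"possible cache poisoning of {qname}: "
                                  f"{UNSOLICITED_THRESHOLD} unsolicited responses by t={t}")
                continue
            outstanding[qname].discard(txid)
            known = seen.setdefault(qname, set())
            if value not in known:
                alerts.append(f"new external host for {qname}: {value} (first seen t={t})")
                known.add(value)
    return alerts


BASELINE = {"onlinebanking.example": {"203.0.113.10"}}

# Constructed sample: one legitimate query, a spray of forged answers that guess
# the wrong transaction id, the genuine answer, then a name resolving somewhere new.
SAMPLE = ["# time,event,txid,qname,value",
          "1000,Q,1a2b,onlinebanking.example,203.0.113.53"]
SAMPLE += [f"{1000 + i * 0.001:.3f},R,{0x4000 + i:04x},onlinebanking.example,198.51.100.7"
           for i in range(30)]
SAMPLE += ["1000.050,R,1a2b,onlinebanking.example,203.0.113.10",
           "1001,Q,3c4d,mail.example,203.0.113.53",
           "1001.020,R,3c4d,mail.example,198.51.100.50"]

if __name__ == "__main__":
    for alert in analyze(SAMPLE, BASELINE):
        print(alert)
```

The resolver itself should already discard the mismatched responses; the point of logging them is that a resolver which silently drops forged answers gives the security team no warning that someone is trying, whereas this count does.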
In computer security terms, a cyber honeypot is bait that traps hackers, like a decoy. It imitates a target for attackers, using their intrusion attempts to gain information about cybercriminals and the way they operate, or to distract them from other targets. A honeypot appears to be a real computer system containing data and applications, tricking cybercriminals into believing it is an authentic target. For instance, a honeypot can imitate a firm's customer billing system, a common target for offenders who want to find credit card numbers (Kaspersky, 2020). The moment hackers enter the system, they are tracked, and their actions are evaluated for hints on how to make the actual network more secure. Not every threat to the system can be prevented, so detection is the best remaining remedy.
Many systems have been developed for early detection of an attack, and one of the most popular is the Intrusion Detection System (IDS). A honeypot works in a similar way to an IDS and holds no critical data or application, making it a safe way to counter hackers. When a hacker attacks the honeypot, all activities are recorded in log files, which are later audited. The key objective of hackers is to obtain a database of usernames, passwords, and account numbers; through the honeypot, the bank can learn how such attacks proceed and redesign its systems to prevent them. Once hackers have identified the true nature of a honeypot, its value is considerably reduced. Intruders start to ignore or attempt to bypass the honeypot, eliminating its ability to capture data. Even more critical is the threat that an intruder who has identified the honeypot can feed bogus or false information into it to mislead the data analysis.
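To make the honeypot idea above concrete, here is an added example of a minimal low-interaction honeypot in Python; it is not code from the report, from Kaspersky, or from any honeypot product. It listens on a TCP port, shows a decoy banner, records the connecting address and the first line the client sends, and closes, so the records it keeps are the log files the paragraph says are later audited. The banner text, the port selection and the probe() client used to exercise it are assumptions.

```python
"""Minimal low-interaction TCP honeypot with a connection log.

Added example, not the report's code and not any vendor's honeypot. It listens on a
port, presents a decoy banner, records the client's address and first line of input,
then closes. The banner (a fake SMTP greeting for a "billing gateway") and the port
are assumptions; no real service sits behind it, so there is nothing to steal.
"""
import json
import socket
import threading
import time

DECOY_BANNER = b"220 billing-gw.internal ESMTP Service ready\r\n"  # assumed decoy text


class Honeypot:
    def __init__(self, host="127.0.0.1", port=0, max_bytes=1024):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))      # port 0 lets the OS pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.5)         # so serve() can notice stop()
        self.port = self.sock.getsockname()[1]
        self.max_bytes = max_bytes
        self.records = []                 # what the analysts later audit
        self._stop = threading.Event()

    def serve(self, max_connections=None):
        handled = 0
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)
                conn.sendall(DECOY_BANNER)
                data = b""
                try:
                    while len(data) < self.max_bytes:
                        chunk = conn.recv(256)
                        if not chunk:
                            break
                        data += chunk
                        if b"\n" in chunk:   # one command line is all we need to log
                            break
                except socket.timeout:
                    pass                     # a silent port scanner still gets logged
                self.records.append({
                    "time": time.time(), "src_ip": addr[0], "src_port": addr[1],
                    "received": data.decode("latin-1"),  # never interpret attacker input
                })
            handled += 1
            if max_connections is not None and handled >= max_connections:
                break
        self.sock.close()

    def stop(self):
        self._stop.set()

    def to_json(self) -> str:
        return json.dumps(self.records, indent=2)


def probe(port: int, payload: bytes) -> bytes:
    """Acts like an attacker's banner grabber: connect, read banner, send one line."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        banner = s.recv(256)
        s.sendall(payload)
        return banner


def run_demo():
    """Start the honeypot, hit it once with probe(), return (banner, records)."""
    hp = Honeypot()
    worker = threading.Thread(target=hp.serve, kwargs={"max_connections": 1}, daemon=True)
    worker.start()
    banner = probe(hp.port, b"EHLO scanner\r\n")
    worker.join(5)
    return banner, hp.records


if __name__ == "__main__":
    banner, records = run_demo()
    print(banner.decode(), json.dumps(records, indent=2))
```

The honeypot deliberately does nothing with the input except store it: the moment a decoy starts parsing or acting on attacker data it becomes an attack surface of its own, and, as the paragraph warns, an intruder who has recognised it can feed it misleading input.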
A false negative is a security incident that the security systems failed to notice. For instance, a phishing attack that compromises user accounts may go undetected by the security team until further damage occurs (Duquea, 2015). A false positive, on the other hand, is an alarm raised by a security system indicating that a breach has occurred when everything is normal (Intelligent CISO, 2020). Different types of intrusion detection systems have been designed to detect known attacks, and their false positive and false negative rates are determined by testing. A false negative is the riskier of the two for the network's health, as it means the IDS has classified activity as acceptable when that activity is actually an attack.
The bank's traffic analysis suffers from several factors that reduce its ability to help protect the network by creating numerous false positives. These problems are rooted in poor planning when the parameters used to monitor the network were created. During implementation, the security team should compile a list of the most frequently used bank destinations and test any new parameters in isolation. The list should include both work-related and non-work-related destinations that are allowed by the acceptable use policy, and it should be checked against known threats before any entry is removed from the list that the IPS/IDS uses to flag traffic. The bank lacks an advanced prevention system such as an IPS that can block malicious traffic. To close this security gap, it should install an IPS whose rule sets are consistent with those of its current IDS.
The Bank of Maryland has several identified threats on its network that need mitigation to prevent future risks from materializing. The required mitigations fall into two categories: tools and practices. Tools are improvements to the system's hardware and software, such as IPS and IDS packages and firewalls. Practices are the techniques employed to ensure that further attacks do not happen. The IPS and IDS are effective tools for protecting the bank's network, but with the addition of an intrusion response system they can respond to threats in more dynamic ways. The intrusion response system offers countermeasures that respond effectively to potential threats and inappropriate activities. Where an IPS tries to prevent a threat from succeeding, the IRS allows the security team to respond immediately when other protections fail (Zain et al., 2017).
Cybersecurity threats keep evolving and becoming more complex for most institutional systems. It is essential to train all staff, including non-technical staff, on the system's threats and security in order to mitigate vulnerabilities. The bank's security team should be conversant with key issues in cybersecurity so that they can detect an attack early. The use of honeypots is an effective way to counter hackers in the system. The bank should consider developing one honeypot and using it to protect the network. Through honeypots, the bank's security team can detect where cybercriminals are coming from, the level of threat, what modus operandi they are using, what data or applications they are interested in, and how well the security measures are working to stop cyberattacks.
Bowen, M. (2018). False negative vs. false positive: How can next-generation SIEM help? Intelligent CISO. Retrieved 22 October 2020, from https://www.intelligentciso.com/2018/11/20/false-negative-vs-false-positive-how-can-next-generation-siem-help/
CCM Benchmark Group. (2016). Port/ports TCP/IP. Retrieved from http://ccm.net/contents/281-port-ports-tcp-ip
Cisco. (2020). IP addressing guide. Retrieved 22 October 2020, from https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-smart-business-architecture/sba_ipAddr_dg.pdf
Duquea, S. (2015). Using data mining algorithms for developing a model for intrusion detection systems (IDS). Retrieved from https://www.sciencedirect.com/science/article/pii/S1877050915029750
Fakhroutdinov, K. (2016). Network architecture diagrams using UML: Overview of graphical notation (server, firewall, router, switch, load balancer, etc.). Unified Modeling Language. Retrieved 22 October 2020, from https://www.uml-diagrams.org/network-architecture-diagrams.html
IBM Knowledge Center. (2020). User Datagram Protocol. Retrieved 22 October 2020, from https://www.ibm.com/support/knowledgecenter/ssw_aix_71/network/protocols_userdatagram.html
Kaspersky. (2020). What is a honeypot? Retrieved 22 October 2020, from https://www.kaspersky.com/resource-center/threats/what-is-a-honeypot
Oracle Corporation. (2020). Setting up an IP addressing scheme. Retrieved 22 October 2020, from https://docs.oracle.com/cd/E19504-01/802-5753/6i9g71m2o/index.html
Pressbooks. (2020). Communications process: Encoding and decoding. Retrieved 22 October 2020, from https://ecampusontario.pressbooks.pub/commbusprofcdn/chapter/1-2/
Publico, R. (2017). What is a man-in-the-middle attack and how can you prevent it? Retrieved from https://www.globalsign.com/en/blog/what-is-a-man-in-the-middle-attack/
Rapid7. (2020). Man-in-the-middle (MITM) attacks: Techniques and prevention. Retrieved 22 October 2020, from https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/
Rouse, M. (2020). TCP/IP (Transmission Control Protocol/Internet Protocol). SearchNetworking. Retrieved 22 October 2020, from https://searchnetworking.techtarget.com/definition/TCP-IP
Severance, C. (2015). Introduction to networking. Retrieved from http://do1.dr-chuck.net/net-intro/EN_us/net-intro.pdf
SolarWinds MSP. (2019). How to prevent DNS poisoning. Retrieved 22 October 2020, from https://www.solarwindsmsp.com/blog/what-is-dns-poisoning
Wrinkled Brain Network. (2018). Potential risks in setting up IP address scheme. Retrieved 22 October 2020, from https://wrinkledbrainnetwork.com/news/hacking-news/potential-risks-in-setting-up-ip-address-scheme/
Yadav, A. (2020). Network design: Firewall, IDS/IPS. Infosec. Retrieved 22 October 2020, from https://resources.infosecinstitute.com/network-design-firewall-idsips/
Zain, J. M., Zolkipli, M. F., Inayat, Z., Khan, S., Anthony, B., & Chang, V. (2017). Intrusion detection to an intrusion response system: Fundamentals, requirements, and future directions. Algorithms, 10(2), 1-24. https://doi.org/10.3390/a10020039