CST 630 Project 2 Resources

Deliverables

Cybersecurity Incident Report (CIR): Your report should be a minimum 12-page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
Executive summary: This is a one-page summary at the beginning of your CIR.

Incident Response

You’ve recently been promoted to the role of a cybersecurity incident manager as part of a new contract with a major media and entertainment company. The company requires its employees, artists, and clients to have wireless and mobile device access to company networks.

Because of the “bring your own device” policy, there has been an increase in the number of cybersecurity incident reports. You realize that you need to increase awareness of security standards. In your security monitoring of the company networks, you use tools that track employee behavior.

You want company leadership to understand the technologies used in wireless networks and mobile device management, and you want those leaders to be educated about the implementation, threats, and safeguards for all devices—including personal units that are used for work-related tasks. You believe that executive leadership needs to incorporate these kinds of safeguards as part of its business strategy. You decide to compile a cybersecurity incident report that you will send to management. You will list the actions, defense, and preventative measures you have taken to address threats and why.

The report will incorporate terminology definitions, information about the cyber kill chain, and impact assessments. Your cyber incident report will need to illustrate the threats you discovered and the resolutions you employed. You want leadership to be confident about the strategy you have used to defend the company’s networks.

Today’s companies face many security challenges to their networks, and a company’s incident manager needs to be ready to respond to potential threats. Some of those threats can occur from the actions of well-intentioned employees who fail to follow security protocols, and others can arise from disgruntled workers who may be able to access accounts on personal devices long after leaving an organization.

Wireless devices and bring your own device (BYOD) computing in the workplace often increase productivity and convenience, but such ease of access to resources can be a significant threat to organizational security, and BYOD computing adds another layer of concern for the incident manager.

Remote management, such as tracking and data swipes, helps to locate devices containing company data and to eliminate any unauthorized viewing of that data. Authentication, access controls, and strong encryption are just some of the security measures that need to be part of a secure wireless network and mobile device management practices in the workplace. However, security will need to evolve in order to protect against employees who may have malicious intent. It will need to include behavior cues as well as effective countermeasures, as the need for greater employee availability drives more wireless computing and BYOD integration in the workplace.

For this project, you will take a close look at the variety of threats facing an incident manager as you develop a cybersecurity incident report (CIR) for management with an executive summary.

There are seven steps to complete the project. Each step will highlight the types of threats you will encounter. Most steps in this project should take no more than two hours to complete, and the project as a whole should take no more than two weeks. Begin with the workplace scenario and then continue to Step 1.

Step 1: Develop a Wireless and BYOD Security Plan

Since the company you work for has instituted a bring your own device (BYOD)  policy, security attitudes have been lax, and all sorts of devices, authorized and unauthorized, have been found connected to the company’s wireless infrastructure. In this first step, you will develop a wireless and BYOD security plan for the company.

Bring Your Own Device (BYOD)

Many organizations are adopting policies to allow workers to bring personal computers or mobile devices to work. This practice allows organizations to reduce costs and provides employees with the freedom, flexibility, and convenience of using one device for both personal and business use. While there may be some benefits to adopting a bring your own device (BYOD) policy, there are security risks.

Worker-owned devices can now carry sensitive and confidential organizational data. Data access and ownership issues can create risk of data loss. Additionally, use of personal computers for business can bring about security complications. Personal equipment might not always be patched properly, and employees might access websites, applications, or other content that would normally be blocked on most company equipment.

In order to minimize security risks and maximize effectiveness, organizations must have comprehensive security and BYOD policies. Organizations need to invest in security solutions such as registering personal devices, implementing encryption standards for data protection, and using endpoint protection technology to guard personal devices against attacks. User knowledge of security threats related to using personal devices for business purposes can also help mitigate the risk.

Although implementing security controls directly onto a worker’s personal equipment might be a challenge for many organizations, it is imperative that employers design properly documented BYOD policies to mitigate risk and data loss. Employees can focus on user training programs, remote system access, and virtual private networks to help create a more secure environment for personal devices.

References

Horwath, J. (2013, April 29). Managing the implementation of a BYOD policy. https://www.sans.org/reading-room/whitepapers/leadership/managing-implementation-byod-policy-34217

Use the NIST Guidelines for Securing Wireless Local Area Networks (WLANs) Special Publication 800-153 (I will include this upload) to provide an executive summary to answer other security concerns related to BYOD and wireless. Within your cybersecurity incident report, discuss why the security of wireless access points is important. Provide answers to the threat of unauthorized equipment or rogue access points on the company wireless network and the methods to find other rogue access points. Describe how to detect rogue access points and how they can actually connect to the network. Describe how to identify authorized access points within your network.

Cybersecurity Incident Report

Many organizations have cybersecurity response teams dedicated to the handling of incidents—events that indicate compromises of systems or data loss. When organizations use tools to help detect events, it is important that organizations have a well-defined incident-handling process to resolve security issues.

During the preparation phase, incident handlers need to make sure that they are familiar with organizational policies and procedures. These policies and procedures should outline information such as drills and escalation contacts. If an incident affects a range of people, critical systems or infrastructure, national security, control systems, economic security, and/or the general health and safety of the public, then it may need to be reported to the federal government. Cybersecurity incidents can be reported to local field offices of the applicable federal agency. The US Justice Department’s website lists the federal agencies that assist with cyber crimes and incidents:

Type of Crime	Federal Agency
Computer intrusion (i.e., hacking)	FBI local office US Secret Service Internet Crime Complaint Center
Password trafficking	FBI local office US Secret Service Internet Crime Complaint Center
Counterfeiting of currency	US Secret Service
Child pornography or exploitation	FBI local office if imported, US Immigration and Customs Enforcement Internet Crime Complaint Center
Child exploitation and internet fraud matters that have a mail nexus	US Postal Inspection Service Internet Crime Complaint Center
Internet fraud and spam	FBI local office US Secret Service Federal Trade Commission if securities fraud or investment-related spam emails, Securities and Exchange Commission Internet Crime Complaint Center
Internet harassment	FBI local office
Internet bomb threats	FBI local office ATF local office
Trafficking in explosive or incendiary devices or firearms over the internet	FBI local office ATF local office
Source: US Department of Justice. Reporting computer, internet-related, or intellectual property crime. In the public domain. https://www.justice.gov/criminal-ccips/reporting-computer-internet-related-or-intellectual-property-crime

The table lists a few of the agencies; however, there are more agencies that work on cybercrime such as the National Cyber Investigative Joint Task Force (intrusions and crimes), and the National Cybersecurity and Communications Integration Center (assistance with removing adversary and restoring operations).

The United States Computer Emergency Readiness Team (US-CERT) also assists with handling security incidents and analysis, and includes an online form for reporting information: https://www.us-cert.gov/forms/report

The online form requires the reporter’s and affected user’s contact information, the type of organization, the critical infrastructure owner or operator, time zone, incident start time, incident detection, impact details and threat vectors (US-CERT). When planning for incident response, it is imperative to have this information.

When creating an internal incident report, include similar information such as provided below by the Department of Defense’s Defense Security Cooperation Agency (Multinational Industrial Security Working Group, 2013):

reported by (name, position, telephone number, email)
business unit details and internal reporting (manager, department)
incident details and impact level (dates, affected systems, what happened, classification level, system compromise, type of system, level of impact, government involvement needed/reporting, number of systems, action taken, supporting documents, current incident status)
mitigation actions (details, results, additional assistance required)
computer network defense incident type (type of malware, vulnerability exploit, disruption of service, access violation, accident or error, user involvement, origin of attack
systems affected (network, type of system, operating system, protocols, applications)
follow-up activities (has information been provided to authorities, next steps)

References

Multinational Industrial Security Working Group. (2013, December 20). Cyber security incident report format. In International Programs Security Handbook, Defense Security Cooperation Agency, Department of Defense. http://www.discs.dsca.mil/documents/ips/AppJJ_062015.pdf

United States Computer Emergency Readiness Team (US-CERT). (n.d.). US-CERT incident reporting system. https://www.us-cert.gov/forms/report.

Security of Wireless Access Points

Wireless access points, or just access points (APs), are networking hardware devices that allow users access to a network. These devices are normally small and easy to install. Wireless access points fall into one of two categories: authorized and rogue. Also, each access point is configued to be either secure or open to users.

Authorized Access Points

Authorized APs have been granted permission to be on the network by the network administrator. A network administrator should know every access point connected to the network. It is essential to be able to physically locate the access points.

Authorized access points should have MAC addresses that are recognized by the organization’s Address Resolution Protocol (ARP) tables. Authorized access points should be protected through security controls such as encryption algorithms (e.g., AES, RSA, EC, DH) and hash algorithms (e.g., SHA-1, SHA-2, MD5), authentication (e.g., WPA, WPA2, 802.1X), WLAN security policy enforcement, and frequent software patches.

Rogue Access Points

If there is an access point on the network that the network administrator did not authorize, then it is a rogue access point. Rogue access points, whether set up by malicious actors to lure potential victims or innocently by workers within an organization, present a security threat. Rogue access points are a common source of attack. Organizations need to ensure that they routinely search for and identify rogue access points and either authorize and secure them or remove them.

In some cases, access points are set up directly between two client devices. These ad hoc access points are rogue by default since they provide a vulnerable means for compromise because they are not directly managed by the organization’s security team.

Technology to assist organizations in determining authorized access points and squelching unauthorized access points is readily available.

Most often, rogue access points can be identified by cross-referencing the service set identifier (SSID) against a preconfigured list of approved access points. This is because rogue access points frequently broadcast SSIDs that are not approved by the organization. An SSID is a one- to 32-character alphanumeric string used to identify a wireless network. It is also referred to as the network name. SSIDs are continually broadcast by access points several times a second.

Rogue access points are vulnerable to certain attacks such as Address Resolution Protocol (ARP) poisoning, denial-of-service attacks, sniffing attacks to identify further vulnerabilities, and man-in-the-middle attacks. In some cases, spoofing legitimate access point SSIDs while providing a different log-in page can compromise sensitive user information. This type of attack is known as an “evil twin” attack (Saruhan, 2007).

Although there are options available, such as SSID hiding to disable the broadcast feature, many cybersecurity experts disagree on whether the practice is more secure; nonetheless, it can assist with finding rogue networks. Hiding SSIDs is inconvenient for users, though. User computers and devices can continuously ping to find the router. This makes these routers more vulnerable against sniffing attacks.

For organizations to be better protected against rogue access points, organizations need to ensure they establish strict policies and classification rules to help identify rogue APs. Additionally, these lists require constant monitoring and updating so organizations become more efficient in identifying and remediating rogue AP issues (Juniper, 2015). With consistent detailed policy, vigilance, and efficient investigation, organizations can be better protected from rogue access points and the vulnerabilities they create.

Open Access Points

Open wireless access (or simply open access) is an access point that is insecure with no protection or access control implementation—there are no authentication and authorization mechanisms, or other security controls. For example, an authorized user might create an open access point by connecting a wireless station to an Ethernet connection and provide wireless access for other devices and users. However, if the network administrators are unaware of this new wireless station, it would be a rogue access point.

Unfortunately, this type of AP is so vulnerable to attacks that it presents potential for abuse by hackers for malicious or illegal intent. Open networks should be used with caution and should not be used for vital tasks like transferring sensitive information because other users can observe or sniff network traffic using tools such as Wireshark. On the other hand, they are convenient and free networks that can be used for minimal tasks like surfing the internet.

References

Saruhan, I. H. (2007, August). Detecting and preventing rogue devices on the network. SANS Institute. https://www.sans.org/reading-room/whitepapers/detection/paper/1866

Juniper Networks. (2015). Understanding rogue access points. http://www.juniper.net/documentation/en_US/junos-space-apps/network-director2.0/topics/concept/wireless-rogue-ap.html

Network Computing (n.d.). Protect yourself against rogue wireless access points. http://www.networkcomputing.com/networking/protect-yourself-against-rogue-wireless-access-points/768376782

Within your plan, include how the Cyber Kill Chain framework and approach could be used to improve the incident response times for networks.

Cyber Kill Chain

Developed by Lockheed Martin, the Cyber Kill Chain provides a framework for the life cycle of a cyberattack. This framework gives a different perspective to security analysts to help understand the techniques and processes of the attacker. Below is a brief description of the different phases of the Cyber Kill Chain (Sager, 2014):

Phase	Description
Reconnaissance	Researches the target and its vulnerabilities
Weaponization	Generates malware to exploit vulnerabilities
Delivery	Malware is transmitted to target
Exploitation	Malware is triggered
Installation	Malware installs backdoor
Command and Control	Hacker can type commands
Action on Objectives	Hacker attempts to achieve the objectives of the attack

It is important to note that the Cyber Kill Chain focuses heavily on intrusion techniques. The first six steps of the model focus on the intrusion aspects of the attack, while the last step focuses on the purpose, which can often last for months while attackers slowly meet their objectives. It is important for cybersecurity analysts to understand every step of the Cyber Kill Chain in order to better predict, intercept, and learn to defend against attackers.

References

Sager, T. (2014, July). Killing advanced threats in their tracks: An intelligent approach to attack prevention. www.sans.org%2Freading-room%2Fwhitepapers%2Fanalyst%2Fkilling-advanced-threats-tracks-intelligent-approach-attack-prevention-35302&usg=AFQjCNG4wvxSNqdZWMBZuG_yE66ySSHZtA&bvm=bv.145822982,d.eWE

Include this at the beginning of your CIR as the basis for all wireless- and BYOD-related problems within the network. Title the section “Wireless and BYOD Security Plan.”

Incident Response

Many corporations have cyber response teams dedicated to the handling of incidents—events that indicate compromised systems or data loss. When organizations use tools to help detect events, it is important that those organizations have a well-defined incident-handling process to efficiently resolve security issues.

According to the SANS Institute’s Incident Handler’s Handbook, the security incident handling can be separated into phases: preparation, identification, containment, eradication, recovery, and lessons learned.

During the preparation phase, incident handlers and corporations need to make sure they are familiar with company policies and playbooks. These policies and playbooks should outline information such as drills and escalation contacts.

The next phase of the incident-handling process is the identification of the incident. This stage involves accurately reporting the discoverer of the incident, the time, and the technological and business impacts of the incident.

Once the incident has been successfully identified, the incident handler can move to the next phase of the process, containment. Containment involves determining if the incident can be isolated and working with system owners and network administrators to help contain the problem. Incident handlers working with other security teams can help back up the system as well as save forensic copies for evidence.

The next phases involve remediating the incident or compromise. The eradication and recovery phases involve attempting to reimage or restore the system from a secure backup in order to secure the system. Additionally, incident handlers can apply patches or other fixes to protect the system from malware targeting the same vulnerabilities.

The final stage of the incident-handling process is lessons learned. During this phase, security professionals can document all processes of the issues and identify weakness areas to remediate in future incident-handling procedures.

In conclusion, incident handling is a large part of any organization’s cybersecurity teams. In order to effectively handle, remediate, and contain incidents, proper incident-handling techniques and processes must be in place in order to maintain a more secure and vigilant environment.

References

Kral, P. (2012, February 21). Incident handler’s handbook. https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901

Step 2: Track Suspicious Behavior

You’ve completed your wireless and BYOD security plan. Now it’s time to take a look at another workplace situation.

You have been notified of an employee exhibiting suspicious behavior. You decide to track the employee’s movements by using available industry tools and techniques. You know the location and time stamps associated with the employee’s mobile device.

How would you track the location of the company asset?

Explain how identity theft could occur and how MAC spoofing could take place in the workplace. How would you protect against both identity theft and MAC spoofing? Address if it is feasible to determine if MAC spoofing and identity theft has taken place in the workplace. Include a whitelist of approved devices for this network. Review materials on security of wireless access points

Identity Theft

Identity theft is the use of someone’s personal information to perform an unauthorized action. Malicious actors can launch a variety of attacks against insecure networks and systems in order to steal sensitive data such as personally identifiable information (PII). Identify theft can occur when sensitive information such as credit card information or PII, such as name and Social Security numbers, are compromised.

Hackers steal information such as credit cards and banking information through many methods. Hackers can use social engineering techniques, ransomware, and targeted phishing attacks to collect data. In other cases, they set up “evil twin” websites—sites that look familiar, but are actually redirects from common user typographical errors (i.e., CaptolOne instead of CapitalOne). Unsuspecting users enter passwords and banking information, which is collected and stored. Hackers can also target companies and organizations to collect data on employees and customers.

Stolen information can be used in many ways. Hackers have become smarter and more organized. Criminal enterprises across the globe set up data shares where information is sold to the highest bidder. There are sites that act as black markets for this type of data.

Identity theft is a common form of cybercrime committed by both individuals and organizations. It is important for users and enterprises to be aware of the issue to take better steps to be protected. User awareness is key. However, users of home and enterprise networks also need to employ various defense-in-depth strategies to be better protected.

MAC Spoofing

In networking, Media Access Control (MAC) spoofing means taking on the identity of another computer, and can be done for both malicious and benign reasons. It can be used to obscure the true MAC address or gain access to networks by using a MAC address that is identifiable by the network.

Though network interface controllers (NICs) are assigned permanent MAC addresses when manufactured, there are tools that can be used to make computers believe that a NIC has a different MAC address. MAC addresses are assigned per hardware at the factory, and each piece of hardware has a unique MAC address. All network interface controllers (NICs) have unique 48-bit MAC addresses. These addresses are used to identify different devices in order to connect with one another on a local area network.

Whitelist

Cybersecurity threats are ever-present, multiplying rapidly, and evolving continuously. Attack vectors can include email-based attacks (i.e., phishing), web-based attacks (i.e., Javascript, ActiveX), vulnerabilities in add-ons such as QuickTime or Adobe, non-web-based protocols, and social networks. With such an expanded threat surface, signature-based antivirus and current blacklisting strategies have difficulty keeping up with the sheer volume of malware on the internet.

Whitelisting addresses this challenge by flipping the defense model from a default allow to a default deny. While blacklisting techniques use signatures to maintain a list of entities to block, whitelisting creates a list of a few trusted entities to allow while blocking anything not on the whitelist.

Organizations use whitelisting techniques to help give them a different advantage against malicious attackers.

In many cases, more security can mean less flexibility and a burden on users. Organizations are therefore continuously having to balance between complex defense-in-depth strategies while meeting user needs for flexibility and ease of use.

Security of Wireless Access Points

Authorized Access Points

Rogue Access Points

Technology to assist organizations in determining authorized access points and squelching unauthorized access points is readily available.

Open Access Points

References

Saruhan, I. H. (2007, August). Detecting and preventing rogue devices on the network. SANS Institute. https://www.sans.org/reading-room/whitepapers/detection/paper/1866

Juniper Networks. (2015). Understanding rogue access points. http://www.juniper.net/documentation/en_US/junos-space-apps/network-director2.0/topics/concept/wireless-rogue-ap.html

Network Computing (n.d.). Protect yourself against rogue wireless access points. http://www.networkcomputing.com/networking/protect-yourself-against-rogue-wireless-access-points/768376782

Are there any legal issues, problems, or concerns with your actions? What should be conducted before starting this investigation? Were your actions authorized, was the notification valid, or are there any other concerns? Include your responses as part of the CIR with the title “Tracking Suspicious Behavior.” Note that a CIR summary would not include the name of the actual employee; the situation is being used as an example of what to do when something like this occurs.

In the next step, you will explore another workplace scenario, and your responses will help you formulate a continuous improvement plan, which will become another part of your CIR.

Step 3: Develop a Continuous Improvement Plan

Now that you’ve completed the section on tracking suspicious behavior for your CIR, you are confronted with another situation in the workplace.

You receive a memo for continuous improvement to the wireless network of your company, and you are asked to provide a report on the company’s wireless network. You have been monitoring the activities on WPA2. Provide for your leadership a description of Wi-Fi protected access (WPA) networks and include the pros and cons of each type of wireless network with a focus on WPA2.

Wi-Fi Protected Access Networks

Before the Wi-Fi Protected Access (WPA) standards were adopted, the only standard in place to protect wireless networks was Wired Equivalent Privacy (WEP). WEP was designed to encrypt communications on a wireless network, but ultimately was found to have many security vulnerabilities. WPA was created as a subset of the 802.11i standards to help address those vulnerabilities.

WPA comes with three features meant to address the vulnerabilities of WEP: 802.1x-based authentication, Temporal Key Integrity Protocol (TKIP), and message integrity checks.

802.1x- based authentication contains three elements; a supplicant, an authentication server, and an authenticator. This mutual authentication framework provides an added layer of security in dealing with wireless communications.

TKIP was specifically implemented to solve the key reuse flaw in WEP communications. Where WEP keys were not long enough, WPA’s TKIP packet comprises a 128-bit key, the MAC address, and a 48-bit initialization vector. This guarantees the usage of different keys.

Finally, message integrity checks enforce integrity by checking for potential packet alteration.

Although WPA made some significant improvements to WEP encryption standards, it still has a few security weaknesses and was not perfect. WPA was the interim solution to the WEP vulnerability, to be further enhanced through WPA2 and 802.11i: stronger solutions to wireless security.

Since WPA2 uses encryption to provide secure communications, define the scheme for using preshared keys for encryption. Is this FIPS 140-2 compliant, and if not, what is necessary to attain this? Include this for leadership. Include a list of other wireless protocols, such as Bluetooth, and provide a comparative analysis of four protocols including the pros, cons, and suitability for your company.

Preshared Keys

A preshared key (PSK) is a security method used to transfer a shared secret key between two parties in order to authenticate users. The process is initiated when PSK cipher suite(s) are included in the hello message to the client.

The wireless local area network (WLAN) produces a passphrase or password of eight to 63 characters. Afterward, a 256-character key is generated using this password by the router and the credentials of the connecting node. This is used for both encryption and decryption.

A PSK does not require an authentication server and is used in environments with limited computer processing power. It is an alternative for avoiding more process-demanding tasks such as public-key operations.

FIPS 140-2

The Federal Information Processing Standards (FIPS) Publication 140-2, issued by the National Institute of Standards and Technology (NIST), specifies the cryptographic security requirements to be used when protecting sensitive but unclassified information.

The former FIPS 140-1 was developed to meet requirements for four different security levels. Each security level provided a different focus for data sensitivity, with security level 1 being an introductory level of cryptographic security, and security level 4 providing the highest level of security defined in the standard. The applications for these security levels range from personal computers protected by simple authentication, to external storage devices and entire environments protected by encryption, signatures, and complex key management. Corporations often use NIST-supplied lists of vendors and their hardware to ensure that the devices used are compliant with national standards.

According to FIPS 140-2:

The FIPS 140-2 standard specifies the security requirements that will be satisfied by a cryptographic module used within a security system protecting sensitive but unclassified information (sensitive information). The standard provides four increasing, qualitative levels of security: Levels 1, 2, 3, and 4.

These levels cover a range of potential applications and environments in which cryptographic modules may be employed. The security requirements cover areas related to the secure design and implementation of a cryptographic module. These areas include cryptographic module specification, cryptographic module ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks. This standard supersedes FIPS 140-1, Security Requirements for Cryptographic Modules.

The Cryptographic Module Validation Program (CMVP) validates cryptographic modules to Federal Information Processing Standard (FIPS) 140-2 and other cryptography-based standards. The CMVP is a joint effort between NIST and the Communications Security Establishment (CSE) of Canada. Products validated as conforming to FIPS 140-2 are accepted by the federal agencies of both countries for the protection of sensitive information (United States) or designated information (Canada). The goal of the CMVP is to promote the use of validated cryptographic modules and provide federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules.

In the CMVP, vendors of cryptographic modules use independent, accredited testing laboratories to have modules tested. National Voluntary Laboratory Accreditation Program (NVLAP)-accredited laboratories perform cryptographic module compliance/conformance testing.

References

National Institute of Standards and Technology. (2001). The Federal Information Processing Standards (FIPS) Publication 140-2: Security requirements for cryptographic modules. In the public domain. http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

Protocols

Protocols are internationally agreed-upon communication frameworks and standards that govern communications across computers or computer systems. Some of the most common protocols are Transmission Control Protocol/Internet Protocol (TCP/IP), User Datagram Protocol (UDP), Internet Control Message Protocol (ICMP), and Hypertext Transfer Protocol (HTTP).

Protocols may carry certain message types or used for specific purposes. Protocol communications may occur within certain layers of communications. Such layers of communications and the types of communications that occur within them have been represented in the industry in the following two commonly used representations: the Open Systems Interconnection (OSI) model and the TCP/IP model.

Different protocols are used at different levels of the OSI and TCP/IP models. For example, the ICMP protocol is used at the network layer of the OSI Model and the internet layer of the TCP/IP model. TCP is used at the transport layer for both models. IP, or the Internet Protocol, is one of the foundational protocols for communicating over the internet.

TCP is used to break down information into packets and then transmit them across the network. UDP is used when less information is transferred or when a connectionless method is preferred, while ICMP is used primarily for small management or diagnostic messages.

Protocols usually communicate over specific TCP ports. For example, SMTP (Simple Mail Transfer Protocol) operates over port 25 and is used to transfer mail. TCP ports 80 and 443 are used for HTTP and HTTPS (Hypertext Transfer Protocol and Secure Hypertext Transfer Protocol) to manage web transmission.

Port	Protocol
22	SSH
23	Telnet
25	SMTP
53	DNS
80	HTTP
110	POP3
443	HTTPS

Ports range from 0 to 65535; ports under 1024 are considered unregistered ports. It is best to use higher ports for troubleshooting and other configurations to avoid conflicting with ports that are designated for specific protocol communication.

There are several hundreds of protocols that operate over many ports. Organizations should always be aware of the protocols in use to ensure a secure enterprise environment.

Include your responses as part of the CIR with the title “Continuous Improvement Plan.”

In the next step, you will look at yet another workplace scenario, and you will use that incident to show management how remote configuration management works.

Step 4: Develop Remote Configuration Management

You’ve completed the continuous improvement plan portion of the CIR. Now, it’s time to show how your company has implemented remote configuration management.

Remote Configuration Management

Remote configuration management allows system configuration changes to be performed through the network without needing access to the console of the system being configured. A technician can also work on someone’s computer remotely without needing to be physically present at a location. This is often done by installing remote control software or a service to allow the two connecting devices to communicate. Sometimes special protocols are used for this function. Remote configuration management can be used for:

configuration
diagnosing problems/troubleshooting
asset discovery
patch management
monitoring

Remote configuration management tools usually alert the user when someone is trying to connect to the computer. Furthermore, in order to limit malicious activity, the user or administrator can usually determine the level of permission or control granted to the software. Hackers have exploited remote configuration management tools and services to gain access to computers and cause havoc.

Microsoft’s remote desktop protocol, port 3389, was maliciously used by hackers to trick users into allowing the hacker into their machines by posing as Microsoft personnel. Afterward, hackers would encrypt the user’s machine, essentially locking the user out of their machine, and then demand money to unlock the device. This vulnerability was mainly exploited on older versions of Windows such as Windows XP.

Good security practices are imperative when using a remote configuration management tool. Such a service should be disconnected or turned off when it is not being used.

Start your incident report with a description of remote configuration management and how it is used in maintaining the security posture of your company’s network. Then, consider the following scenario:

An undocumented device is found on the company network. You have determined that the owner of the device should be removed from the network. Implement this and explain how you would remove the employee’s device. How would you show proof that the device was removed?

Include your responses as part of the CIR with the title “Remote Configuration Management.”

In the next step, you will illustrate how you investigate possible employee misconduct.

Step 5: Investigate Employee Misconduct

In this portion of your CIR report, you will show how you would investigate possible employee misconduct. You have been given a report that an employee has recorded log-ins during unofficial duty hours. The employee has set up access through an ad hoc wireless network. Provide a definition of ad hoc wireless networks and identify how such networks could contribute to the company infrastructure while also detailing the threats and vulnerabilities they bring. Use notional information or actual case data and discuss.

Ad Hoc Wireless Networks

Configuration

Ad hoc wireless networks, also known as peer networks, consist of computer-to-computer connected devices called nodes. These devices connect to one another without a central device like a router. They represent a local area network (LAN) that requires minimal configuration and can be deployed quickly. The wireless adapter must have the same service set identifier (SSID), be on the same wireless channel, and set to ad hoc mode versus the more traditional infrastructure mode. Infrastructure mode is used when a central device is in place, such as a server or a router.

Limitations

This configuration is useful to share files or other data directly with another computer. However, this type of network is not best for excessive connections. Devices must usually be within 100 meters, and the network cannot be joined to wired LANs or the internet without a special-purpose network gateway. Due to the SSID being broadcasted and lack of network access control lists, hackers can generally find and connect to the device with ease as long as they are within range. Thus, they are inherently more vulnerable.

Disconnecting

When the creator of the network disconnects, the other devices on the network will disconnect as well. Once everyone disconnects, the network is deleted.

Challenges	Description	Solutions
The change propagation problem	Different elements, their relationships, and configuration states must be recognized The knowledge of the sequence of changes in these elements must be represented Each element must be able to be changed through varying proprietary instrumentations, configuration tools, and operations procedures Recovery and undoing of changes in case of failures must be enabled	Network topology discovery Change propagation rules Element heterogeneity Recoverability in case of failures
The configuration policy problem	Configuration states are inconsistent resulting in operational failures and inefficiencies	Understand policy and configuration relationships Enforce policy constraints to assure consistent configurations Enable organizations to program policy constraints to effect operational policies
The composition problem	Adaption to change propagation rules and policy constraints needs to occur	The self-configuration management software propagates changes to the configuration model. For example, upon discovery of a new source, the software will indicate the relationship to the active nodes and configuration changes will occur.
Table derived from Konstantinou, A. V., Florissi, D., & Yemini, Y. (2002). Toward self-configuring networks. http://www1.cs.columbia.edu/dcc/nestor/nestor-dance-2002.pdf

Address self-configuring dynamic networks on open access architecture and the threats and vulnerabilities associated with them, as well as the possible protections that should be implemented. From your position as an incident manager, how would you detect an employee connecting to a self-configuring network or an ad hoc network? Provide this information in the report. How would signal hiding be a countermeasure for wireless networks? What are the countermeasures for signal hiding? How is the service set identifier (SSID) used by cybersecurity professionals on wireless networks? Are these always broadcast, and if not, why not? How would you validate that the user is working outside of business hours?

Self-Configuring Dynamic Networks

Self-configuring dynamic networks automate configuration management. This concept will allow self-configuring nodes to adapt their configurations based on the requirements of the environment. The goal of self-configuring networks is to create programmable configuration changes based on organizational configuration policies. This topic has been the subject of many research papers and university projects.

Normally, networks are configured and maintained by skilled administrators. Automation will increase configuration efficiency and productivity and minimize errors and costs. However, some problems can arise when automating tasks:

Signal Hiding

Signal hiding is a strategy used by many home and network owners to stop the automatic broadcasting of wireless access point service set identifiers (SSIDs). An SSID is a one- to 32-alphanumeric string used to identify different wireless networks, and is also referred to as the network name.

Many companies ship routers for wireless networks with default SSIDs such as “wireless,” “tsunami,” “xfinitywifi,” etc. By default, these routers broadcast the SSID in a location radius.

Since these IDs are broadcasted and anyone in the vicinity can view the name of the network, some users opt to hide the SSIDs in order to protect their wireless networks from potential malicious passerby. Although there are some options available for increasing the security of SSIDs, such as SSID hiding to disable the broadcast feature, many cybersecurity experts disagree on whether the practice is more secure. Hiding SSIDs is not only inconvenient for many users, but it may also result in user computers and devices having to ping continuously to find the router. This makes targets more vulnerable to sniffing attacks.

Signal hiding might help provide security through obscurity but is not a strong security solution. Users should consider using WPA2 encryption and strong network keys to maintain a more secure wireless network.

SSID

The service set identifier (SSID) is a one- to 32-character alphanumeric string that is used to identify a wireless network. It is also referred to as the network name. Many companies ship routers for wireless networks with default SSIDs such as “wireless,” “tsunami,” “xfinitywifi,” and other similar common names. By default, these routers broadcast the SSID within the radius of their signal strength.

SSIDs provide a useful way to connect to wireless adapters but are not strong in security. SSIDs are continually broadcast by access points several times a second, and malicious actors can sniff this name in plaintext format.

Although there are options available, such as SSID hiding to disable the broadcast feature, many cybersecurity experts disagree on whether the practice is more secure. Hiding SSIDs is inconvenient for users, since user computers and devices can continuously ping to find the router. This makes these routers more vulnerable against sniffing attacks.

Wireless users should use stronger forms of encryption, such as WPA2 encryption, and strong network keys in order to maintain a more secure wireless network connection.

References

Heddings, L. (2014, August 15). Debunking myths: Is hiding your wireless SSID really more secure [Blog post]. http://www.howtogeek.com/howto/28653/debunking-myths-is-hiding-your-wireless-ssid-really-more-secure/

Scolamiero, J. (2004, April 20). Securing your wireless access point: What do all those settings mean anyways? https://www.sans.org/reading-room/whitepapers/wireless/securing-wireless-access-point-settings-anyways-1405

Include your responses as part of the CIR with the title “Employee Misconduct.”

In the next step, you will use lab tools to analyze wireless traffic.

Step 6: Analyze Wireless Traffic (Lab: I will provide)

You’ve completed several steps that you will use to present your CIR. In this step, as part of a virtual lab, you will analyze wireless traffic.

You are given access to precaptured files of wireless traffic on the company network. This is another way to monitor employee behavior and detect any malicious behavior, intentional or even unintentional.

Step 7: Prepare and Submit the Cybersecurity Incident Report and Executive Summary

You’ve completed all of the individual steps for your cybersecurity incident report. It’s time to combine the reports you completed in the previous steps into a single CIR.

The assignments for this project are as follows:

Cybersecurity Incident Report (CIR): Your report should be a minimum 12-page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables, or citations.
Executive summary: This is a one-page summary at the beginning of your CIR.
Lab report: A document sharing your lab experience and providing screenshots to demonstrate that you performed the lab. Attach it to the CIR as an artifact.

Submit both documents to the assignment folder after reading the instructions below.