
Juan Quintero 3/23/13 SEC572 You Decide - Week 3

Now that the CIO is well aware of the controls to be used in prevention and mitigation of external attacks against the network, he has turned his attention to internal threats and what the Information Security Department is doing about them. Detecting and preventing insider attacks is just as important, if not more important, than dealing with threats from outside the network. Most networks are vulnerable to betrayal from within due to the assumption that everyone who is inside the network, physically or virtually, should be there and therefore should have access to all systems. We are going to limit the amount of access that users have, limit the flow of traffic, use least-privilege access controls, enforce strong password policies, and so on. That, along with thorough training for all company employees and clear policies, should help the CIO feel confident that the company network is well protected.

To start we will use an IP packet-filtering router. This type of router permits or denies a packet entering or leaving a part of the network on the basis of its protocol, IP addresses and port number. The protocol may be TCP, UDP, HTTP, SMTP or FTP. The IP addresses under consideration are both the source and the destination addresses of the nodes, and the port numbers correspond to the well-known port numbers. Packet filtering lets us control data flow based on source and destination, as well as on the session and application protocols, and it lets us protect an entire network at once. Consider Telnet as an example: it is not enough to close the service on all the hosts, because the administrator still has to worry about someone in the organization installing a new machine and forgetting to close the port. On the other hand, if Telnet is not allowed through the filtering router because a control has been applied on the router, such a new machine is protected right from the start, regardless of whether or not its Telnet server is actually running.

We will implement access controls on traffic flowing from one side of the network to the other in order to prevent unauthorized access. We will implement authentication controls, including the use of Cisco's proprietary TACACS+, for authentication but also to keep an eye on administration personnel and their actions. It is important to keep logs of the activities of the people who monitor the network, as they should be held accountable for their fiduciary responsibilities. We will also use port blocking, which prevents communication on a specific port when it is not used for company purposes. Port 25, for example, is the SMTP port used by mail servers to send mail. It is a popular target for viruses, which would initially come from outside; however, it only takes one machine to get infected and your business email will be blocked. If you block ports that aren't in use, you limit the risk of an attack spreading across the network and reaching critical systems.

As far as the users are concerned, their access will also be limited, not only by firewall/router ACLs: server ACLs will also be employed to make sure that no employee has access to files that aren't necessary to complete daily operations. Disgruntled employees are a big threat to the security of the network, and thus we should not grant users access above their grade. For example, folks in the sales department shouldn't have access to payroll files; God forbid someone is unhappy with their compensation and decides to delete the payroll files for everyone in the department. Strong password policies will be enforced for all users. Passwords will require at least 8 characters, including both numbers and letters as well as special characters. Passwords cannot be reused, and must be changed every 90 days. Tokens will be issued to users with certain levels of access to confidential information as an added measure of security. Incremental and full backups of critical information will be performed in accordance with the security policies we have set forth. Appliance setup information must also be backed up regularly in order to maintain a record of all configurations in the event of a failure. This will also be described in the security policies, with clear steps to follow regarding how and how often.

Finally, we will briefly address some aspects of physical security. It doesn't matter how secure the network is if the server room is unlocked or unwatched, or if the host machines are not accounted for. Therefore we have ensured that the server room is to remain locked whenever an admin is not inside. There will be a log recording the name of everyone who has entered the room. Cameras have been installed in order to watch the entrance to the server room. An inventory of all machines will be kept, including any changes made to machines at the request of users, tracked through a ticket system.

In conclusion, the Information Security Team has taken into consideration the likelihood of internal attacks and prepared for that as well. We will train employees on the importance of protecting the information systems and their credentials. We will secure the network physically and virtually. This will help prevent and/or mitigate the chances of internal attacks.
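The packet-filtering and port-blocking controls described above (Telnet denied at the router so a newly installed machine is covered from the start, SMTP allowed only to the mail server), worked as an added example that is not part of the essay. The addresses, the 10.0.0.0/8 internal range and the mail server 10.0.1.25 are constructed; the rules model traffic between internal segments, evaluated first-match-wins with an implicit deny, the way a router ACL is.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the example: one internal /8 and one mail server.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
MAIL_SERVER = ipaddress.ip_network("10.0.1.25/32")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("any", pkt.proto)
                and ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and self.dport in (None, pkt.dport))


# Ordered like a router ACL: the first matching rule wins, implicit deny at the end.
RULES = [
    Rule("deny", "tcp", ANY, ANY, 23),                     # Telnet never crosses the router
    Rule("permit", "tcp", INTERNAL_NET, MAIL_SERVER, 25),  # only the mail server takes SMTP
    Rule("deny", "tcp", ANY, ANY, 25),                     # SMTP to anything else is blocked
    Rule("permit", "tcp", INTERNAL_NET, ANY, 443),         # ordinary HTTPS from inside is fine
]


def filter_packet(pkt: Packet, rules=RULES) -> str:
    """Return 'permit' or 'deny' for a packet crossing the filtering router."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"   # default deny: traffic nobody explicitly allowed is dropped
```

A freshly installed host with its Telnet server left running is still unreachable through the router, and an infected workstation cannot talk SMTP to anything but the mail server.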
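The password policy stated above (at least 8 characters, letters plus numbers plus special characters, no reuse, rotation every 90 days) as an added example of how it could be enforced; this is not code from the essay. The salted PBKDF2 storage of previous passwords and the iteration count are assumptions made so the reuse check does not keep old passwords in clear text.

```python
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 8                    # "at least 8 characters"
MAX_AGE = timedelta(days=90)      # "must be changed every 90 days"
SPECIALS = set(string.punctuation)
ITERATIONS = 100_000              # PBKDF2 work factor (assumed; not from the essay)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 so old passwords can be kept for the reuse
    check without storing them in clear text (assumed storage scheme)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def was_used_before(password, history):
    """history: list of (salt, digest) pairs of the user's previous passwords."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history)


def complexity_violations(password):
    """Return the list of complexity rules the candidate password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in SPECIALS for c in password):
        problems.append("no special characters")
    return problems


def validate_new_password(password, history):
    """Empty list means the candidate is acceptable under the policy."""
    problems = complexity_violations(password)
    if was_used_before(password, history):
        problems.append("password was used before")
    return problems


def password_expired(last_changed_iso, today_iso):
    """True once a password is older than the 90-day rotation period (ISO dates)."""
    return date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso) > MAX_AGE
```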

References: Wk 3 iLab; Text Ch. 2, Ch. 11, Ch. 5.
Network security through packet filtering: http://static.usenix.org/publications/library/proceedings/sec92/full_papers/chapman.pdf
Building firewalls: http://www.c3.hu/docs/oreilly/tcpip/firewall/ch06_01.htm
Strong passwords: http://www.infoworld.com/d/security/creating-strong-passwords-easier-you-think-206865
Security policies: http://www.sans.org/reading_room/whitepapers/awareness/building-security-policy-framework-large-multi-national-company_1564
Least privilege: http://technet.microsoft.com/en-us/library/bb456992.aspx
