Threat vector and analysis


Introduction

Recently, the organization has decided to use the Internet as much as possible for information and document exchanges to and from our clients. Given the prevalence of business presence on the Internet, this approach is a good way to reduce telecommunications costs for organizations and their vendors and partners. Other reasons include sharing the infrastructure across numerous clients and reducing the number of technical staff. However, before any real change in technique and arrangement, clients and management need to be assured that proper security practices and procedures are used to protect client and internal systems and data. It was determined that, in order to meet this objective, the technology department needed to upgrade the current infrastructure and create a design on which to build.

Scope

We plan to implement 2 IDS devices, one on each side of the DMZ, to ensure that traffic from both the inside and the outside is clean and secured. This will protect the clients who connect to our servers in the DMZ and also help detect an inside attack originating from our organization's intranet. A newly formed team consisting of an Information Security Manager, a System Administrator and a Network Administrator will supervise the implementation of this topology for our network infrastructure.

Threat vector and analysis

Even with a secure environment like the DMZ, threats are everywhere. The most common threats that can still affect our network range from something as simple as an internal authorization breach to a DoS attack. Having an Intrusion Detection System helps the administrators react to those threats fast enough to prevent major damage. It alerts the administrator once an issue has arisen in the network, based on a set of rules defined by the administration. Once an issue has been detected, the IDS takes one or more actions depending on the threat, such as:

  • Monitoring the operation of routers, firewalls, key management servers and files that are needed by other security controls aimed at detecting, preventing or recovering from cyber attacks.
  • Providing administrators with a way to tune, organize and understand relevant operating system audit trails and other logs that are often otherwise difficult to track or parse.
  • Providing a user-friendly interface so non-expert staff members can assist with managing system security.
  • Including an extensive attack signature database against which information from the system can be matched.
  • Recognizing and reporting when the IDS detects that data files have been altered.
  • Generating an alarm and notifying that security has been breached.
  • Reacting to intruders by blocking them or blocking the server.

Information Security Manager

An information security manager is someone who is in charge of protecting an organization's computers, networks and data against computer viruses, security breaches and malicious hacker attacks.

Information security managers play a key role in avoiding disasters by identifying any weak areas that may make information systems vulnerable. They evaluate an organization's security measures, for example anti-virus software, passwords and firewalls, in order to identify any areas that may leave information systems vulnerable to attack. They also analyze reports generated by the monitoring system to identify anything that may indicate a future risk.

Information security managers also oversee backup and security systems, take care of data recovery in disaster situations, and direct investigations of security violations. Often, simulated attacks are carried out to test the effectiveness of the security measures that are in place.

Information security managers also provide training to employees, explaining security risks as well as the need to use strong passwords and to protect data when using mobile devices outside the workplace. Based on position and job function, employees and managers are often given different levels of access to company data.

IDS need analysis:

Since an Information Security Manager is responsible for the security of information in an organization, they are the ones to determine whether a system like an IDS is required to further enhance the overall security of the organization, which in turn has to be approved by upper management. In our case, to preserve our company's security, an IDS is indeed required to protect the valuable information of our clients and our internal data from any harm.

IDS implementation analysis:

Our network consists of a DMZ that connects our intranet with the Internet. In order to properly monitor and protect it, since it contains most of our valuable information, we have to implement 2 IDS, one on each side of the DMZ, to fully monitor the entire network both from the outside and from the inside.

Threat mitigation:

As an Information Security Manager, to mitigate threats using an IDS, you have to issue and state the required criteria to be executed by the Network and System Administrators in order to detect and prevent the latest threats in the cyber world, such as defining a set of rules or access lists to be implemented.

System Administrator

A System Administrator is an individual who supports a multi-user computing environment and ensures consistent, optimal performance of IT services and support systems. This includes installing and managing desktop and laptop computers, networks, IT security systems and other essential parts of an organization's IT infrastructure. System administrators are also in charge of determining appropriate IT policies for organizations and supervising lower-level technical staff, and may also be responsible for purchasing IT equipment. System Administrator responsibilities include:

  • Configuration, upkeep and troubleshooting of workstations, servers, operating systems, software and other computer systems
  • Creating user accounts and assigning user permissions
  • Setting up system-wide software
  • Executing anti-virus mechanisms
  • Establishing policies for backup and recovery and assigning bulk storage
  • Creating file systems
  • Monitoring network communication
  • Updating systems when new operating systems or software are released
  • Implementing computer, network and security policies for system and network users

IDS need analysis:

When it comes to getting an IDS device, System Administrators have the hardware knowledge needed to determine which type of IDS is most optimal for the specified needs stated by the Information Security Manager. They can issue a request to implement an IDS if they think that it will better help and sustain the availability of the other assets that could go down due to outside attacks.

IDS implementation analysis:

As a System Administrator, your job is to properly install and provide the hardware and media needed to fully support the device’s needs. Things like cables, drivers, patches and even power are examples of what could be provided by a System Administrator.

Threat mitigation:

In order to mitigate threats as a System Administrator, you make sure that devices such as the IDS are up and running as much as possible. A downed IDS won't be monitoring the network, which increases the threat potential. Hardware uptime can be maintained through different means, such as having a backup power supply or tracking mean time to failure and mean time between failures.

Network administrator

A network administrator is an IT expert who manages an organization's network. The network administrator must have a high level of technical knowledge and is usually the most senior technical staff member within a given organization. Network administrators keep networks operational and monitor functions and activities within the network.

A network administrator is in charge of installing, maintaining and upgrading any software or hardware required to effectively run a computer network. The IT or computer network may extend to a local area network, a wide area network, the Internet and intranets. The main tasks associated with network administration include:

  • Design, installation and evaluation of the network
  • Execution and administration of regular backups
  • Precise technical documentation like network diagrams, network cabling documents, etc.
  • Precise authentication of network resource access
  • Provision for troubleshooting assistance
  • Administration of network security, including intrusion detection

IDS need analysis:

Network Administrators determine whether an IDS is needed to protect the network traffic or not, based on the overall importance of the data and the available budget. Their job is to properly monitor the network and to configure the rule sets and access lists regularly.

IDS implementation analysis:

When it comes to implementation, Network Administrators have the knowledge to properly configure and maintain the IDS. They can set the needed rules for the alerts and configure access lists as needed on the network.

Threat mitigation:

In order to mitigate threats as a Network Administrator, you have to keep monitoring the network activities as much as possible while configuring and updating the rules and access lists as needed.

Components list

Most IDS products come with all of their components as a package. These components are:

  • Data Preprocessor
  • Detection Engine
  • Decision Engine

Other than the above, an IDS requires a sustained power source and a connection to the network in order to function properly.

List of Sensors and components needed for IDS

Optional sensors include:

  • Signature-based: A signature-based IDS sensor looks for predefined network traffic patterns (signatures). It compares traffic to a known database and triggers an alarm or prevents communication when it finds a match. The signature can be based on a single packet or on a packet sequence. New attacks that do not match a signature will not be detected, so the signature database must be constantly updated.
  • Policy-based: Based on the network security policy, the IDS sensor is preconfigured. It is necessary to create the policies used in a policy-based IDS or IPS.
  • Anomaly-based: Anomaly- or profile-based signatures typically look for network traffic that deviates from what is "normally" seen. The biggest issue with this methodology is that you first need to define what "normal" is. Some systems have hard-coded definitions of normal traffic patterns and, in this case, they could be considered heuristic-based systems.
  • Honey pot-based: Honey pot systems use a dummy server to attract attacks. The honey pot approach is intended to distract attacks from real network devices. By arranging various sorts of vulnerabilities in the honeypot server, you can analyze incoming types of attacks and malicious traffic patterns. You can use this analysis to tune your sensor signatures to detect new types of malicious network traffic.
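To make the IDS capabilities listed under "Threat vector and analysis", the three components (Data Preprocessor, Detection Engine, Decision Engine) and the signature-based versus anomaly-based sensor types concrete, here is a small added example that is not part of the original report: a toy IDS pipeline in Python run over constructed connection log lines. The log format, the signature database, the rate threshold and the block/alert policy are all assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample log lines (not taken from any real system or from the report).
SAMPLE_LOG = """\
src=10.0.0.5 dst=192.168.1.10 dport=80 payload=GET /index.html
src=10.0.0.5 dst=192.168.1.10 dport=80 payload=GET /login?user=admin'--
src=10.0.0.9 dst=192.168.1.10 dport=80 payload=GET /about.html
src=10.0.0.9 dst=192.168.1.10 dport=80 payload=GET /about.html
src=10.0.0.9 dst=192.168.1.10 dport=80 payload=GET /about.html
src=10.0.0.9 dst=192.168.1.10 dport=80 payload=GET /about.html
"""
# Illustrative signature database (name -> pattern over the payload); assumed, not Cisco's.
SIGNATURES = {"sqli-comment": re.compile(r"'--"),
              "path-traversal": re.compile(r"\.\./")}
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) payload=(.*)")

def preprocess(log_text):
    """Data Preprocessor: parse raw lines into event dicts, skipping malformed ones."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"src": m.group(1), "dst": m.group(2),
                           "dport": int(m.group(3)), "payload": m.group(4)})
    return events

def detect(events, rate_threshold=3):
    """Detection Engine: signature matching plus a per-source request-rate anomaly."""
    findings = []
    for ev in events:
        for name, rx in SIGNATURES.items():
            if rx.search(ev["payload"]):
                findings.append(("signature", name, ev["src"]))
    per_src = Counter(ev["src"] for ev in events)
    for src, n in per_src.items():
        if n > rate_threshold:  # "normal" baseline is the assumed threshold
            findings.append(("anomaly", "request-rate", src))
    return findings

def decide(findings):
    """Decision Engine: signature hits block the source; anomalies only raise an alert."""
    actions = {}
    for kind, name, src in findings:
        actions[src] = "block" if kind == "signature" else actions.get(src, "alert")
    return actions

def run_ids(log_text=SAMPLE_LOG):
    return decide(detect(preprocess(log_text)))
```

The anomaly path shows the caveat from the list above: whether 10.0.0.9 is flagged depends entirely on the assumed definition of "normal" (the threshold), not on any signature.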

Signatures

Some signatures recognized by most IDS products, as provided by Cisco[1]:

Future scope

After testing the new implementation and reviewing the results gained from monitoring, we could expand and find a way to secure our communications with other branches of our organization, through methods to be determined after extensive research, or look into upgrading some of the current components in the main network if needed to protect against the latest threats in the cyber world.
