Student declaration
I certify that the assignment submission is entirely my work and I fully understand the consequences of plagiarism. I understand that
making a false declaration is a form of malpractice.
Student’s signature
Grading grid
P1 P2 P3 P4 M1 M2 D1
Table of Contents
I. Introduction (p. 6)
II. Identify types of security threats to organizations. Give an example of a recently publicized security breach and discuss its consequences (P1) (p. 7)
II.1. What is security (p. 7)
II.2. What is a security risk (p. 8)
II.3. Identify threats (p. 9)
II.4. Identify threat agents to organizations (p. 10)
II.4.1. Nation States (p. 10)
II.4.2. Non-target specific (Ransomware, Worms, Trojans, Logic Bombs, Backdoors and Viruses perpetrated by vandals and the general public) (p. 10)
II.4.3. Employees and contractors (p. 10)
II.5. List types of threats that organizations will face (p. 10)
II.5.1. Computer Viruses (p. 10)
II.5.2. Trojan Horse (p. 11)
II.5.3. Adware (p. 12)
II.5.4. Spyware (p. 13)
II.5.5. Worm (p. 14)
II.5.6. Denial of Service (DoS) Attack (p. 15)
II.5.7. Phishing (p. 16)
II.5.8. Malware (p. 16)
II.5.9. Ransomware (p. 17)
II.5.10. Data breach (p. 18)
II.5.11. Zero-day attack (p. 19)
II.6. An example of a recently publicized security breach (p. 20)
III. Describe at least 3 organizational security procedures (P2) (p. 22)
III.1. What are security procedures (p. 22)
III.2. Anti-virus procedures (p. 22)
III.2.1. Purpose of anti-virus procedures (p. 22)
III.3. Password procedures (p. 23)
III.3.1. Purpose (p. 23)
III.3.2. The password policies and best practices that every system administrator should implement (p. 24)
III.4. Physical Security Procedures (p. 24)
III.4.1. Purpose (p. 24)
III.4.2. Procedures of physical security (p. 25)
IV. Identify the potential impact to IT security of incorrect configuration of firewall policies and IDS (P3) (p. 26)
IV.1. Firewall (p. 26)
IV.1.1. Definition (p. 26)
IV.1.2. How does a firewall work? (p. 26)
IV.1.3. The usage of a firewall (p. 27)
IV.1.4. Advantages of a firewall (p. 28)
IV.1.5. How does a firewall provide security to a network? (p. 29)
IV.1.6. Show with diagrams an example of how a firewall works (p. 29)
IV.2. IDS (p. 30)
IV.2.1. Definition (p. 30)
IV.2.2. Types of IDS (p. 31)
IV.2.3. How does an IDS work? (p. 32)
IV.2.4. Usage of IDS (p. 33)
IV.2.5. Advantages of IDS (p. 33)
IV.2.6. How does an IDS provide security to a network? (p. 34)
IV.2.7. Show with diagrams an example of how an IDS works (p. 34)
IV.3. The potential impact (Threat-Risk) of a Firewall and IDS if they are incorrectly configured in a network (p. 35)
IV.3.1. The potential impact of a Firewall (p. 35)
IV.3.2. The potential impact of IDS (p. 36)
V. Show, using an example for each, how implementing a DMZ, static IP, and NAT in a network can improve network security (P4) (p. 38)
V.1. DMZ (p. 38)
V.1.1. Purpose of DMZ (p. 38)
V.1.2. How does a DMZ work? (p. 38)
V.1.3. Usage of DMZ (p. 39)
V.1.4. Advantages of DMZ (p. 39)
V.2. Static IP (p. 40)
V.2.1. Purpose of Static IP (p. 40)
V.2.2. How does a static IP work? (p. 41)
V.2.3. Usage of static IP (p. 42)
V.2.4. Advantages of static IP (p. 42)
V.3. NAT (p. 43)
V.3.1. Purpose of NAT (p. 43)
V.3.2. How does NAT work? (p. 44)
V.3.3. Usage of NAT (p. 44)
V.3.4. Advantages of NAT (p. 45)
VI. Propose a method to assess and treat IT security risks. (M1) (p. 45)
VI.1. Discuss the approaches needed to assess the threat to its security. Monitoring tools, for example. (p. 45)
VI.1.1. Security risk assessment (p. 46)
VI.1.2. Importance of regular IT security assessments (p. 46)
VI.1.3. What is a cyber risk (IT risk)? (p. 46)
VI.1.4. IT risk assessment components and formula (p. 47)
VI.1.5. How to perform a security risk assessment (p. 48)
VI.1.6. Example: Monitoring tools (p. 49)
VI.2. What is the current weakness or threat of the organization? (p. 51)
VI.3. What tools will you propose to treat the IT security risk? (p. 52)
VII. Discuss three benefits of implementing network monitoring systems with supporting reasons. (M2) (p. 53)
VII.1. Some network monitoring devices, with a description of each. (p. 53)
VII.2. Why do you need to monitor the network? (p. 57)
VII.3. The benefits of using a network monitoring system for an organization are as follows: (p. 57)
VIII. Conclusion (p. 60)
IX. Reference list (p. 61)
Table of figures
Figure 1: Security (p. 6)
Figure 2: Network security (p. 7)
Figure 3: Security risk (p. 8)
Figure 4: Security threats (p. 9)
Figure 5: Computer Viruses (p. 11)
Figure 6: Trojan Horse (p. 12)
Figure 7: Adware (p. 13)
Figure 8: Spyware (p. 14)
Figure 9: Worm (p. 15)
Figure 10: DoS Attack (p. 16)
Figure 11: Malware (p. 17)
Figure 12: Ransomware (p. 18)
Figure 13: Data breach (p. 19)
Figure 14: Zero-day attack (p. 20)
Figure 15: Kaseya Ransomware Attack (p. 21)
Figure 16: Anti-virus (p. 22)
Figure 17: Password procedures (p. 23)
Figure 18: Physical Security (p. 25)
Figure 19: Firewall (p. 27)
Figure 20: An example of how a firewall works (p. 30)
Figure 21: IDS (p. 31)
Figure 22: Types of IDS (p. 32)
Figure 23: How an IDS works (p. 35)
Figure 24: Potential impact of a firewall (p. 36)
Figure 25: Intrusion Detection System (p. 37)
Figure 26: DMZ (p. 38)
Figure 27: DMZ Network (p. 40)
Figure 28: Static IP (p. 41)
Figure 29: NAT (p. 44)
Figure 30: Security risk assessment (p. 46)
Figure 31: Cyber risk (p. 47)
Figure 32: XpoLog (p. 50)
Figure 33: Imperva (p. 50)
Figure 34: Hoxhunt (p. 51)
Figure 35: Octave (p. 52)
Figure 36: Smartext Monitoring (p. 53)
Figure 37: The Elastic Stack (p. 54)
Figure 38: Zabbix (p. 55)
Figure 39: SolarWinds Server & Application Monitor (p. 55)
Figure 40: Datadog Infrastructure Monitoring (p. 56)
Figure 41: ManageEngine OpManager (p. 56)
Figure 42: Benchmarking standard performance (p. 58)
Figure 43: Identifying security threats (p. 59)
I. Introduction
FIS advises and implements technological solutions to possible IT security concerns for medium-sized
businesses in Vietnam. Due to a lack of technological competence in-house, the majority of clients
have outsourced their security issues. Your boss, Jonson, has requested that you produce an interesting
presentation to teach junior staff members about the tools and procedures involved with detecting and
analyzing IT security threats, as well as the organizational policies to secure business-critical data and
equipment, as part of your job.
Security measures were first deployed for computers in 1960, when the internet and networks were not
yet a concern. Many businesses at the time relied on physical security mechanisms to safeguard their
computer-based passwords from those who knew how computers worked.
This report explains the Octave method for assessing IT security risks in an IT organization, the
impact of incorrect firewall and third-party VPN configuration on the IT organization, the benefits of
and reasons for network monitoring systems, and how to improve network security using DMZ,
static IP, and NAT. Finally, it explains risk assessment and risk management in an organization and
the impact on the organization after a SWOT evaluation of an internal project. It also investigates a
"trusted network" and evaluates how it may be used as part of FIS' security system by analyzing its
positive and negative aspects.
Figure 1: Security
II. Identify types of security threats to organizations. Give an example of a
recently publicized security breach and discuss its consequences (P1)
II.1. What is security
Network security refers to a wide range of technology, equipment, and procedures. Its most basic
form is a system of rules and settings that use both software and hardware to safeguard the integrity,
confidentiality, and accessibility of computer networks and data. Regardless of its size, sector, or
infrastructure, every company needs network security solutions to defend itself from the ever-
increasing panorama of cyber threats that exist today.
Today's network architecture is complicated, and it's up against a constantly evolving threat
environment, as well as attackers that are always looking for and exploiting weaknesses. These flaws
may be found in a variety of places, including devices, data, apps, people, and places. As a result,
today's network security management tools and software target both individual threats and exploits as
well as regulatory non-compliance. When even a few minutes of outage can cause widespread
inconvenience and significant harm to a company's bottom line and reputation, these safeguards are
critical.
II.2. What is a security risk
A computer security risk is anything on your computer that might harm or steal your data, or allow
someone else to use your computer without your permission. Malware, a broad word used to describe
various sorts of harmful software, is one of the numerous things that can put your computer in danger.
We usually think of computer viruses, but viruses, worms, ransomware, spyware, and Trojan horses
are all examples of harmful software that may compromise computer security. Computer product
misconfigurations, as well as risky computing practices, are additional dangers. Let's take a closer look
at these.
Some researchers have found that the efficacy of risk communication depends not only on the
nature of the risk but also on the alignment between the conceptual model embedded in the risk
communication and the user's mental model of the risk. (Asgharpour, Liu and Camp, 2007)
II.3. Identify threats
The IETF defines a threat as a potential for violation of security, which exists when there is an entity,
circumstance, capability, action, or event that could cause harm. NIST defines it as an event or
condition that has the potential for causing asset loss and the undesirable consequences or impact from
such loss. Anything that can exploit a vulnerability to breach security and negatively change, delete, or
injure an item or objects of interest is considered a threat. The effects of various threats vary
considerably: some affect the confidentiality or integrity of data while others affect the availability of a
system. (Asgharpour, Liu and Camp, 2007)
Cyber threats and vulnerabilities are frequently misunderstood. The keyword, according to the
definitions, is "potential." The threat does not stem from a security flaw in the implementation or
organization. Instead, it is anything that has the potential to compromise security. A vulnerability, on
the other hand, is a real flaw that may be exploited. Regardless of any precautions, the threat always
exists. Countermeasures, on the other hand, can be implemented to reduce the likelihood of it
occurring.
II.4. Identify threat agents to organizations
II.4.1. Nation States
Companies in specific industries, such as telecommunications, oil and gas, mining, power generation,
national infrastructure, and so on, may become targets for other countries, either to disrupt operations
today or to provide that nation a future grip in times of crisis.
We've heard many examples of this, from alleged Russian meddling in the US presidential election to
Sony claiming North Korea was responsible for their websites being hacked in 2014, and more
recently, concerns about Huawei providing 5G networks because of the possibility of them passing
information to the Chinese government.
II.4.2. Non-target specific (Ransomware, Worms, Trojans, Logic Bombs, Backdoors and Viruses
perpetrated by vandals and the general public)
Companies have told me several times, "Oh, we're not going to be a target for hackers because..."
However, because the number of random assaults that occur every day is so large (and there are no
exact numbers to give here), any organization can become a victim.
The WannaCry ransomware assault, which infected over 200,000 machines in 150 countries, is the
most well-known example of a non-target-specific attack. It caused the NHS in the United Kingdom to
be shut down for many days. Of course, there's the bored teenager in a loft someplace who's just
looking for a weak link on the internet.
II.4.3. Employees and contractors
Unless it's a zero-day virus, machines and software programs are rather effective at protecting
themselves against malware. Humans are frequently the weakest link in the security system, whether
intentionally or unintentionally.
We all make errors, such as sending an email to the wrong person, but we typically catch ourselves
and can correct the issue promptly. Simple safeguards, such as password-protecting data, can assist to
limit the consequences of such errors.
Unfortunately, some unhappy employees intentionally destroy organizations from the inside. A
dissatisfied internal auditor at Morrison’s supermarket recently obtained payroll and other HR personal
data and released it on the internet. Morrison was penalized because the company did not have the
required technological and organizational procedures in place to prevent the ex-employee from
committing the crime (note that Morrison is currently appealing against the fine).
Figure 5: Computer Viruses
Figure 6: Trojan Horse
A group of authors analyzed Trojan-horse attacks on quantum-key-distribution systems, i.e., attacks on
the system via the quantum channel. They illustrated the power of such attacks with today's
technology and concluded that all systems must implement active countermeasures. (Gisin et al., 2006)
Trojan Horse's attack method:
• The victim receives an email with an attached file that seems to be an official email from the
sender. When the victim clicks on the attached file, it may include malicious code that is run
immediately.
• In this situation, the victim has no idea or doesn't realize that the attachment is a Trojan horse.
II.5.3. Adware
Adware is a type of software that displays commercial and marketing-related adverts on your
computer screens, such as pop-up windows or bars, banner ads, and video.
Its major goal is to make money for its creator (Adware) by presenting various forms of adverts to
internet users.
Adware attack:
• When you click on that sort of advertisement, it will take you to a website that will gather
information about you.
• By monitoring your online actions and selling that information to a third party, it may also be
used to steal all of your personal information and login passwords.
Figure 7: Adware
II.5.4. Spyware
Spyware is a sort of unwanted security threat to businesses that installs itself on a user's computer
and gathers sensitive data such as personal or company information, login passwords, and credit
card information without the user's knowledge.
This sort of attack keeps track of your online activities, logs your login credentials, and snoops on
your personal information.
As a result, every company and individual should use anti-virus software and a firewall, and download
software only from reputable sources, to protect themselves against spyware.
Figure 8: Spyware
According to Roger Thompson, Spyware is annoying and negatively impacts the computing
experience. Even worse, there are real and significant threats to corporate and even national
security from those who use and abuse spyware. (Thompson, 2005)
II.5.5. Worm
A computer worm is a sort of malicious software or program that spreads through an organization's
network and replicates itself from one machine to another.
Worm spreads:
It may propagate without the help of humans, exploiting software security flaws and attempting to
get access to steal sensitive data, alter files, and install a back door allowing remote access to the
system.
Figure 9: Worm
II.5.6. Denial of Service (DoS) Attack
Some authors note that attackers can easily compromise IoT devices, which can then be used to
form botnets, which in turn can be used to launch distributed denial of service (DDoS) attacks against
networks. A DDoS attack is a major attack on a network: it brings the entire network down so that
normal users cannot use the services offered by the server.
Figure 10: DoS Attack
DoS attack:
• When an attacker prevents legitimate users from accessing certain computer systems,
devices, or other resources, this is known as a denial-of-service attack.
• The attacker sends more traffic than the target server can handle, overloading it and causing
websites, email servers, and other Internet-connected services to go down.
II.5.7. Phishing
Phishing is a sort of social engineering attack that tries to steal personal information such as
usernames, passwords, credit card numbers, login credentials, and so on.
Phishing attack:
• In a phishing email assault, an attacker sends phishing emails to victims that appear to be
from their bank, asking them to disclose personal information.
• The message contains a link that will take you to another insecure website where your
information will be stolen.
• As a result, it is best not to open, read, or click links in such emails, and not to send any
important information in reply.
II.5.8. Malware
Malware is computer software that is often composed of a program or code that is created by
cybercriminals. It is a class of cyber security risks aimed at causing significant harm to systems or
gaining unauthorized access to a computer. According to Divya, the purpose of Malware is to
cause damage or penetrate a user's computer by hacking personal data for illegal activity such as
financial crimes. (Divya, 2013)
Figure 11: Malware
Malware attack:
• Malware may infect a device in a variety of methods. For example, it might be transmitted
by email as a link or file, requiring the user to click on the link or open the file to run the
malware.
• Computer viruses, worms, Trojan horses, and spyware are examples of this form of assault.
II.5.9. Ransomware
Ransomware is a form of security threat that prevents users from accessing their computer systems
and demands bitcoin in exchange for access. WannaCry, Petya, Cerber, Locky, and Crypto Locker
are among the most dangerous ransomware outbreaks.
Some security specialists research that this type of malware has direct financial implications,
which has promoted an ecosystem of cybercriminals, who employ it as a business model.
Ransomware as a service (RaaS) is a service that allows the easy acquisition of ransomware codes
at a price. (Mohurle and Patil, 2017)
Figure 12: Ransomware
Threats of various kinds are commonly implanted in a computer system in the following ways:
• Opening or downloading a malicious email attachment
• Installing a virus-infected program or app
• Visiting a website that is harmful or vulnerable
• Clicking untrustworthy web links or graphics
Figure 13: Data breach
Figure 14: Zero-day attack
Figure 15: Kaseya Ransomware Attack
III. Describe at least 3 organizational security procedures (P2)
III.1. What are security procedures
A security procedure is a collection of steps that must be followed to complete a certain security
duty or function. Procedures are often developed as a set of actions to be performed in a consistent and
repeatable manner to achieve a certain goal. Once developed, security procedures give a set of defined
steps for performing the organization's security affairs, making training, process auditing, and process
improvement easier. Procedures serve as a starting point for establishing the uniformity required to
reduce variance in how security tasks are carried out, hence improving security control inside the
business. In the security sector, reducing variance is also an excellent method to reduce waste, enhance
quality, and boost performance.
❖ The antivirus software deployed on PCs and servers must be set to update automatically at regular intervals.
❖ Anti-virus software should be installed and running on all computers used purely as servers.
❖ Only servers on which running anti-virus software would have a considerable negative impact, or servers
running a low-risk operating system like Solaris or VMS, may be considered for an exemption
from this requirement.
❖ The Director of Information Technology Services must approve any exemptions in writing.
❖ Virus-infected devices must be disconnected from the network until they are virus-free. System
administrators on campus are responsible for developing processes to guarantee that anti-virus
software is executed on university-owned devices at regular intervals and that the devices are
virus-free.
❖ Any acts that aim to produce and/or disseminate dangerous programs (e.g., viruses, worms, Trojan
horses, e-mail bombs, etc.) in or on the New Kensington Data Network are forbidden.
III.3. Password procedures
III.3.1 Purpose
The first line of defense in protecting our financial transactions, personal conversations, and
private information saved online is a password policy. For end-users, having a strong password at
work is just as vital as having one at home; it is like having a bodyguard protecting you from
significant security risks, fraudsters, and hackers. Password policies are a collection of guidelines
designed to improve computer security by encouraging users to develop strong, secure passwords and
then properly store and use them. Passwords are a ubiquitous and critical component of many security
systems. As the information and access guarded by passwords become more necessary, we become
ever more dependent upon the security passwords provide. (Shay, Bhargav-Spantzel and Bertino,
2007)
III.3.2. The password policies and best practices that every system administrator should
implement:
• Enforce Password History policy: The Enforce Password History policy determines how
many previous passwords are remembered so that they cannot be reused. It should be set to
remember at least 10 previous passwords.
• Minimum Password Age policy: This guideline establishes how long users must maintain
their passwords before changing them. The Minimum Password Age prevents users from
circumventing the password system by creating a new password and then reverting to their
old one.
• Maximum Password Age policy: The Maximum Password Age policy establishes how long
users are allowed to maintain a password before being forced to update it. Set the value to
90 days for passwords and 180 days for passphrases to maintain network security.
• Minimum Password Length policy: The minimum number of characters required to
generate a password is determined by this policy. Because long passwords are more
difficult to crack than short ones, you should set the Minimum Password Length to at least
eight characters.
• Passwords Must Meet Complexity Requirements policy: These rules are followed while
creating a password:
➢ Passwords cannot include the user's whole name or portions of it, such as
their first name.
➢ At least three of the four character kinds are required in passwords:
lowercase letters, uppercase letters, digits, and symbols.
• Reset Password: For further protection, the local administrator password should be changed
every 180 days, and the service account password should be changed at least once a year
during maintenance.
• Use Strong Passphrases: Domain administrator accounts should always be protected with
strong passwords of at least 15 characters.
• Password Audit policy: When you enable the Password Audit policy, you may keep track
of all password changes. This ensures user responsibility and serves as proof in the case of
a security compromise.
• E-Mail Notifications: Create email alerts before password expiration to inform your users
that their passwords are about to expire.
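As an added example (not part of the original assignment), the following Python code checks a proposed password against the rules listed above and audits an exported policy configuration against the stated thresholds. The dictionary keys in audit_policy are hypothetical names mirroring the Group Policy settings in the text, and the sample passwords and names are constructed.

```python
import re
import string

# Thresholds taken from the policy list above.
MIN_LENGTH_USER = 8            # Minimum Password Length
MIN_LENGTH_ADMIN = 15          # strong passphrases for domain administrator accounts
MIN_HISTORY = 10               # Enforce Password History
MAX_AGE_PASSWORD_DAYS = 90     # Maximum Password Age for passwords
MAX_AGE_PASSPHRASE_DAYS = 180  # Maximum Password Age for passphrases


def character_classes(password):
    """Count how many of the four kinds (lowercase, uppercase, digit, symbol) appear."""
    present = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(present)


def name_fragments(full_name):
    """Split a user's full name into the fragments that may not appear in a password.
    Fragments shorter than three characters are ignored, since initials would match
    almost any password (an assumption of this example, not of the text)."""
    parts = re.split(r"[\s,.\-_]+", full_name.lower())
    return [p for p in parts if len(p) >= 3]


def check_password(password, full_name, is_admin=False):
    """Return the list of rules a proposed password violates; empty means compliant."""
    problems = []
    minimum = MIN_LENGTH_ADMIN if is_admin else MIN_LENGTH_USER
    if len(password) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if character_classes(password) < 3:
        problems.append("uses fewer than three of the four character kinds")
    lowered = password.lower()
    for fragment in name_fragments(full_name):
        if fragment in lowered:
            problems.append(f"contains part of the user's name ('{fragment}')")
    return problems


def audit_policy(settings):
    """Compare a password-policy configuration against the thresholds above.
    The dictionary keys are hypothetical names mirroring the Group Policy settings
    in the text; the values are what an administrator would export from the domain."""
    findings = []
    if settings.get("enforce_password_history", 0) < MIN_HISTORY:
        findings.append("Enforce Password History remembers fewer than 10 passwords")
    if settings.get("minimum_password_age_days", 0) < 1:
        findings.append("Minimum Password Age of 0 lets users cycle straight back to an old password")
    limit = MAX_AGE_PASSPHRASE_DAYS if settings.get("passphrases") else MAX_AGE_PASSWORD_DAYS
    max_age = settings.get("maximum_password_age_days", 0)
    if max_age == 0 or max_age > limit:  # 0 means "never expires" in Group Policy
        findings.append(f"Maximum Password Age should be at most {limit} days")
    if settings.get("minimum_password_length", 0) < MIN_LENGTH_USER:
        findings.append("Minimum Password Length below 8 characters")
    if not settings.get("complexity_enabled", False):
        findings.append("complexity requirements are disabled")
    return findings
```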
information, cognitive, and social domains to ensure resilience. (DiMase, Collier, Heffner and
Linkov, 2015)
• Visitors in restricted sections of Information Resource facilities must be accompanied at all
times by authorized employees.
Access cards:
➢ The permission of a member of the physical security committee is required for the process of
giving cards and/or key access to Information Resource facilities.
➢ Each person who is permitted access to an Information Resource facility must execute the
necessary access and non-disclosure agreements.
➢ Keys and/or access cards must not be given or lent to others.
➢ Access cards and/or keys that are no longer necessary must be returned to the staff in charge of
managing the physical facilities of the Information Resource.
➢ Cards must not be transferred to another person to avoid the return procedure.
➢ Lost or stolen access cards and/or keys must be reported as soon as possible to the person in
charge of Information Resource physical facility management and to the physical security committee.
➢ Individuals who change responsibilities within (District/Organization) or are separated from
their association with (District/Organization) must have their card and/or key access rights
removed by the physical security committee.
➢ The physical security committee must regularly examine card and/or key access rights for the
facility and revoke access for those who no longer require it.
Figure 19: Firewall
harm to the minds of children. A powerful firewall safeguards computer systems by blocking
immoral and obscene information from entering, allowing parents to keep their children secure.
➢ Prevents Hacking
Depending on the sort of cyber-attack, a firewall can either entirely halt a hacker or prevent
them from choosing an easier target.
➢ Stops Spyware
As computer systems get more complicated and resilient, the number of entry points
available to thieves to obtain access to your systems grows. Spyware and malware are
programs that are meant to enter your networks, take control of your machines, and steal
your data. Firewalls are a vital barrier against harmful applications.
➢ Promotes Privacy
Upgrades to data-protection systems can provide a competitive edge as well as a selling
point to customers and clients. The value grows when your company's data becomes more
sensitive, and you have more safeguards in place to secure it. It can also assist you in
creating a private environment in which your clients can put their faith.
Figure 20: Example of how a firewall works
IV.2 IDS
IV.2.1. Definition
An Intrusion Detection System (IDS) is a system that analyzes network traffic for unusual behavior
and raises an alert when it finds some. It is a software program that monitors a network or
system for malicious activity or policy violations. Any harmful activity or violation is typically
reported to an administrator or collected centrally through a security information and event
management (SIEM) system.
Intrusion Detection Systems are aimed at analyzing and detecting security problems. IDS
based on anomaly detection and, in particular, on statistical analysis, inspect each traffic flow to
obtain its statistical characterization, which represents the fingerprint of the flow. (Boero, Marchese
and Zappatore, 2017)
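As an added example (not from the document or the cited paper), the following Python code sketches the statistical flow characterization just described: a baseline is built from constructed normal flows, each new flow is scored by its distance from that baseline, and the threshold chosen decides how many legitimate flows become false alarms. All flow records and thresholds are constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed training flows: (packets, bytes, duration in seconds) for ordinary web sessions.
BASELINE_FLOWS = [
    (40, 30_000, 2.1), (55, 42_000, 3.0), (38, 28_500, 1.9), (61, 47_000, 3.4),
    (45, 33_000, 2.4), (50, 39_000, 2.8), (42, 31_000, 2.2), (58, 45_000, 3.1),
]

# Constructed flows to score: a SYN-flood-like burst of tiny packets, a normal
# session, and a legitimate but unusually large download.
TEST_FLOWS = [
    (5000, 300_000, 2.0),
    (48, 36_000, 2.6),
    (120, 95_000, 6.1),
]


def features(flow):
    """Turn a raw flow record into the features that form its 'fingerprint':
    packets per second and bytes per packet."""
    packets, byte_count, duration = flow
    return (packets / duration, byte_count / packets)


def build_baseline(flows):
    """Mean and population standard deviation of each feature over normal traffic."""
    columns = list(zip(*(features(f) for f in flows)))
    return [(mean(col), pstdev(col)) for col in columns]


def anomaly_score(flow, baseline):
    """Largest absolute z-score across the features: a flow that looks normal on
    every feature scores low, while one feature far outside the baseline dominates."""
    return max(abs(x - mu) / sigma if sigma else 0.0
               for x, (mu, sigma) in zip(features(flow), baseline))


def classify(flows, baseline, threshold):
    """Indices of flows whose score exceeds the threshold. A low threshold catches
    more, but turns the large legitimate download into a false alarm."""
    return [i for i, f in enumerate(flows) if anomaly_score(f, baseline) > threshold]
```

With the constructed data, a threshold of 1.5 flags both the flood and the large download, while 3.0 flags only the flood; tuning that threshold is exactly the false-alarm trade-off the text returns to later.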
Figure 21: IDS
➢ Application Protocol-based Intrusion Detection System (APIDS):
An Application Protocol-based Intrusion Detection System (APIDS) is a system or agent that
resides within a group of servers. It detects intrusions by monitoring and analyzing
application-specific protocol traffic. For example, it would monitor the SQL protocol exchanged
between the middleware and the database in a web server.
➢ The IDS identifies harmful elements that have the potential to degrade overall
network performance, such as malformed packets, DNS poisoning, Xmas
scans, and more.
They make it simpler to comply with security regulations, since they provide better visibility across
your network. To satisfy certain standards, you can also use your IDS logs as part of the
documentation.
o They have the potential to increase productivity.
Because IDS sensors can detect network devices and hosts, they can analyze the data within
network packets and identify the services or operating systems in use. Compared with doing
this manually, this saves a lot of time. In addition to reducing labor, an IDS may automate
hardware inventory. This increased efficiency can help a business save money on staff while
also offsetting the expense of deploying the IDS.
Figure 23: How an IDS works
IV.3. The potential impact (Threat-Risk) of a Firewall and IDS if they are incorrectly
configured in a network
IV.3.1. The potential impact of a Firewall
Firewalls are core elements in network security. However, managing firewall rules, especially for
enterprise networks, has become complex and error-prone. Firewall filtering rules have to be
carefully written and organized to correctly implement the security policy. In addition, inserting or
modifying a filtering rule requires a thorough analysis of the relationship between this rule and
other rules to determine the proper order of this rule and commit the updates. (Al-Shaer and
Hamed, 2004)
A firewall therefore still carries risks and threats when it is misconfigured:
❖ Broad policy configurations
Firewalls are frequently configured to allow traffic from any source to any destination.
This is because IT teams do not always know exactly what they require. It's also a good
idea to evaluate your firewall settings regularly to examine application use patterns.
❖ Risky rogue services and management services
Unencrypted protocols like telnet are still used to manage equipment that is more than 30
years old. The solution to this challenge is to harden devices and verify that configurations
are compliant before they are placed into production. By configuring your devices according
to the function you want them to perform, you can boost security and lower the risk of
leaving a harmful service running on your firewall.
According to good governance rules, test systems should not link to production
systems. However, testing teams typically ignore this because they believe that using
production data is the most reliable approach to test. The information may be very
sensitive, and it's also possible that it's subject to regulatory compliance.
❖ Log outputs from security devices
Enterprises must assess the health of their firewall security and identify any potential
vulnerabilities. The cost of logging infrastructure is high, and it's difficult to implement,
analyze, and manage. The costs of being compromised without being notified or tracing
the assault are undoubtedly far higher.
❖ Port blocking is no longer effective
When every service in the globe utilized its TCP/IP port—FTP over 21, SMTP over 25,
and so on—traditional firewalls were more useful. Today, most communication takes
place via ports 80 and 443, with the latter becoming more important. What little
network traffic isn't already carried over 443 will most likely be in the coming years.
❖ Boundaries are fading away
Security domain borders are epitomized by firewalls. A firewall is used to enforce
traffic between two or more security boundaries. Effective, secure borders have been on
the decline for over a decade. They were never ideal, but borders began to fade as we
began to link the internet to other networks and include Wi-Fi routers into the mix.
❖ Source Addresses
Intrusion detection software can be fooled by forged or scrambled network addresses.
In each of these cases, the IT specialist is left chasing ghosts and powerless to prevent
network attacks. The IP address in an IP packet is used by intrusion detection software
to offer information about a network.
❖ Encrypted Packets
Encrypted packets can be used to carry out a network infiltration unnoticed, because
intrusion detection software cannot inspect their contents. This might result in the
introduction of a virus or other malicious software, which could only be averted if the
intrusion detection software were able to examine encrypted traffic.
❖ Analytical Module
Intrusion detection is an effort to prevent unwanted access to a computer network. An
IT expert monitoring the system will be notified that strange activity has been
discovered, but they will be unable to determine where it originated. If further
information could be discovered, the IT expert may take a defensive posture to avoid
future intrusions.
❖ False Alarms
False alerts can be generated by intrusion detection software. IT personnel must acquire
considerable training to distinguish between what is and is not a false alert. Another
downside of intrusion detection software that businesses must deal with is the cost of
completing this training.
V. Show, using an example for each, how implementing a DMZ, static IP, and NAT in a network can improve network security (P4)
V.1. DMZ
V.1.1 Purpose of DMZ
A DMZ Network is a perimeter network that protects and adds a layer of protection to an
organization's internal local-area network from unauthorized traffic. The DMZ is the public access
network. It contains servers that can be accessed from the outside and the inside network. It can
contain an HTTP server, Mail server, DNS, etc. Its location reduces the network complexity and
increases network security. Local users get credible performance because the latency between
DMZ and them is low. (Rababah, Zhou and Bader, 2018)
The DMZ Network exists to safeguard the most vulnerable hosts to assault. These hosts often
provide services to users outside of the local area network. They are placed in the monitored
subnetwork because of the greater risk of assault. Access permissions to other services within the
internal network are rigorously limited for hosts in the DMZ.
Any device that is connected to the internet bears the brunt of most attacks and hence carries the
most risk. Companies with public servers that must be accessible to people outside the
company are often more vulnerable to attack. DMZs serve as a buffer zone between an external
network and an internal network. Creating a DMZ between two firewalls means that all incoming
traffic is filtered by a firewall or security appliance before it reaches the organization's servers.
If a skilled attacker breaches the company's firewall and gains unauthorized access to those
systems, the systems can alert the host that a breach is ongoing before the attacker engages in
destructive conduct or reaches sensitive data.
Even if you have a strong security posture, an attacker may be able to hack one of these systems by
exploiting a zero-day vulnerability or failing to install a patch. As a result, you should perceive
these systems as untrustworthy, or at the very least, as posing a greater danger.
A DMZ is a security layer that expects one of these systems will be attacked at some point and
attempts to restrict the amount of damage an attacker may cause. You may effectively restrict the
harm an attacker can accomplish by forcing all traffic from the DMZ to transit via a firewall. Only
approved connections from the DMZ to the internal network should be allowed if this firewall
ACL is configured properly. As a result, an attacker will find it far more difficult to pivot to the
internal network and target internal systems.
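The following Python code is an added example (not from the document) that ties together the firewall ordering problem noted in IV.3.1 and the DMZ filtering described above: a first-match rule engine decides whether a packet passes, one check finds rules shadowed by an earlier broader rule with a different action, and another flags "any source to any destination" allow rules. The networks, hosts and ports are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")
DMZ = ip_network("192.0.2.0/24")        # documentation range standing in for the DMZ
INTERNAL = ip_network("10.10.0.0/16")   # constructed internal network
WEB = ip_address("192.0.2.10")          # public web server placed in the DMZ
DB = ip_address("10.10.5.20")           # internal database the web server must reach


def host_net(addr):
    """Wrap a single host address as a /32 network so rules can treat hosts and subnets alike."""
    return ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int]   # destination port; None means any port
    action: str           # "allow" or "deny"

    def matches(self, src, dst, port):
        return src in self.src and dst in self.dst and (self.port is None or self.port == port)

    def covers(self, other):
        """True if every packet matched by `other` is also matched by this rule."""
        return (other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)
                and (self.port is None or self.port == other.port))


def decide(rules, src, dst, port, default="deny"):
    """First matching rule wins; the implicit default applies when nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, port):
            return rule.action
    return default


def shadowed_rules(rules):
    """Indices of rules that can never take effect because an earlier rule with a
    different action already covers every packet they would match."""
    return [i for i, r in enumerate(rules)
            if any(e.covers(r) and e.action != r.action for e in rules[:i])]


def broad_allow_rules(rules):
    """Indices of 'any source to any destination, any port' allow rules, the broad
    policy configuration the text warns about."""
    return [i for i, r in enumerate(rules)
            if r.action == "allow" and r.src == ANY and r.dst == ANY and r.port is None]


# A correctly ordered DMZ policy: the internet may reach the web server on 443, the
# web server may reach only the database port, and everything else bound for the
# internal network is denied.
GOOD_POLICY = [
    Rule(ANY, host_net(WEB), 443, "allow"),
    Rule(host_net(WEB), host_net(DB), 5432, "allow"),
    Rule(DMZ, INTERNAL, None, "deny"),
    Rule(ANY, INTERNAL, None, "deny"),
]

# The same rules with an over-broad allow inserted first: it shadows both deny rules,
# so a compromised DMZ host can now reach any internal system.
BAD_POLICY = [Rule(ANY, ANY, None, "allow")] + GOOD_POLICY
```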
➢ Improved Access Control: By putting a firewall between your internal network and your
Internet-facing systems, you can check all connections between them. This enables the
company to create and implement rigorous access rules to secure its internal systems.
➢ Improved Network Performance: Internet-facing systems are built to be regularly used
by external users. By putting these systems on a DMZ, the demand for internal network
infrastructure and firewalls is reduced, and performance is improved.
V.2. Static IP
V.2.1. Purpose of Static IP
A static Internet Protocol (IP) address is a number that is issued to a computer by an Internet
service provider (ISP) on an ongoing basis. A static IP address is the opposite of a dynamic IP
address and is also known as a fixed IP address or dedicated IP address. Whenever a machine with a
static IP address connects to the Internet, it uses the same IP address. Static IP addresses are
important for gaming, website hosting, and Voice over IP (VoIP) services, where speed and
dependability matter greatly. Because their addresses never change, systems using static IP
addresses are more exposed to data mining and face increased security issues.
The most important factor is to secure the information stored by a user. Information can easily be
copied, erased, or modified. This stage implements two important factors of security: the static
IP address and biometrics. Internet users being assigned static IP addresses is the essential factor.
(Jayakumar and Christopher, 2012)
An ISP is assigned a range of IP addresses. It assigns each address to one of its networked
machines using a Dynamic Host Configuration Protocol (DHCP) server that is configured to hand
out fixed addresses to specific machines.
When the Internet was initially conceived, the need for an unlimited number of IP addresses was
not anticipated. The Internet Protocol version 4 (IPv4), which used 32-bit addressing, allowed for
4.2 billion distinct addresses at the time.
IPv6 is the successor to IPv4; it uses 128-bit addressing and allows a practically unlimited
number of IP addresses.
When you connect to the internet using a static IP address, that IP address remains constant
regardless of how many times you reset the connection or the router.
Any device that can hold an IP address can be configured with a static IP address. A static IP
address is assigned by an Internet Service Provider (ISP). It can be either IPv4 or IPv6.
Internet Service Providers (ISPs) assign static IP addresses. Depending on the terms of your
service agreement, your ISP may or may not assign you a static IP address. We'll go into
your alternatives later, but for now, consider that a static IP address increases the cost of
your ISP subscription.
A static IP address might be IPv4 or IPv6; the crucial attribute, in this case, is static.
Someday, every piece of networked equipment will have a unique static IPv6 address.
We're not quite there yet. For the time being, we use static IPv4 addresses for permanent
addresses.
locate a device that has been allocated a Static IP address. Devices with dynamic IP addresses,
on the other hand, are notorious for being difficult to locate.
V.3. NAT
V.3.1. Purpose of NAT
Network Address Translation (NAT) is a method of representing an entire group of machines with
a single, unique IP address. NAT saves IP addresses by allowing private IP networks to connect to
the internet using unregistered IP addresses.
As part of this capability, NAT settings can expose just one IP address for a whole network to the
outside world, essentially masking the entire internal network and adding security. Network
address translation is commonly used in remote-access scenarios because it provides both address
conservation and increased security.
According to some authors, NAT uses mapping to translate packets for each TCP connection. NAT
maintains a state associated with in-progress and established connections. (Guha et al., 2008)
A networked system needs a unique IP address to interact with the internet. This 32-bit number is
used to identify and locate the network device so that it can be communicated with.
Although the IPv4 addressing scheme of previous decades made billions of these unique
addresses available, not all of them could be assigned to communicating devices. Instead, some were
reserved for testing, transmission, and certain restricted military purposes.
As a workaround to this limitation of the IPv4 addressing scheme, the IPv6 addressing scheme was
devised. IPv6 restructures the addressing system to provide additional options for allocating
addresses; however, the design and deployment of IPv6 have taken many years. In
the meantime, Cisco introduced NAT, which came into widespread use.
Figure 29: NAT
NAT acts as a receptionist for a major corporation, with explicit instructions on whether calls and
guests should be kept out, made to wait, or sent through, as well as where they should go. You may
tell the receptionist, for example, not to transmit any visitors or calls without your permission
unless you're waiting for something specific; you can then leave instructions about allowing that
specific client contact through.
Because that public-facing number is the only one that anyone knows, the client dials the
company's main number. They advise the receptionist that they need to talk with you, and the
receptionist a) double-checks the instructions to ensure that you want the call forwarded, and b)
compares your extension to a list to ensure that the information is sent to the correct location. The
caller is never connected to your line.
Network address translation works in the same way. The request arrives at the public IP address and
port, and the NAT rules direct it to the appropriate destination without disclosing the destination's
private IP address.
Internet and that 10% of DSL lines have multiple hosts that are active at the same time. Overall,
up to 52% of lines have multiple hosts. Our findings point out that using IPs as host identifiers
may introduce substantial errors and therefore should be used with caution. (Maier, Schneider
and Feldmann, 2011)
➢ Network address translation security: NAT allows users to use the internet with greater security
and privacy, even when transmitting and receiving traffic. Users can use NAT rate-limiting to limit
the number of concurrent NAT operations on a router. This may also help you avoid worms,
viruses, and denial-of-service (DoS) assaults. The use of dynamic NAT automatically builds a
firewall between the internal network and the internet.
➢ Flexibility: NAT is adaptable; it may, for example, be used in a public wireless LAN setting. In
some circumstances, inbound mapping or static NAT allows external devices to connect to
computers on the stub domain.
➢ Simplicity: When a network changes or merges, there is no need to renumber addresses. You can
construct an inside network virtual host to coordinate TCP load-balancing for internal network
servers using network address translation.
➢ Speed: NAT is transparent to both destination and source computers, unlike proxy servers,
allowing for faster direct communication. Furthermore, proxy servers often operate at the OSI
Reference Model's transport layer or above, making them slower than network address translation,
which operates at the network layer or layer 3.
➢ Scalability: NAT and the Dynamic Host Configuration Protocol (DHCP) work well together: the
DHCP server hands out unregistered IP addresses for the stub domain from its pool as needed.
Scaling up is easier because, instead of requesting new IP addresses from IANA as needs grow, you
can expand the range of IP addresses that DHCP configures, immediately making room for extra
network machines.
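As an added example (not from the document), this Python code models the NAT behaviour described in this section: outbound connections are rewritten to one public address with a fresh port, replies are mapped back from stored state, unsolicited inbound traffic is dropped unless a static inbound mapping exists, and a cap on concurrent translations stands in for NAT rate-limiting. Addresses, ports and the session cap are constructed.

```python
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "203.0.113.7"   # the only address the outside world sees (documentation range)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, public_ip, max_sessions, first_port=40000):
        self.public_ip = public_ip
        self.max_sessions = max_sessions   # cap on concurrent translations (rate-limiting)
        self.next_port = first_port
        # outbound state: (private ip, private port, remote ip, remote port) -> public port
        self.sessions = {}
        # reverse lookup: public port -> (private ip, private port, remote ip, remote port)
        self.reverse = {}
        # static inbound mappings (port forwarding): public port -> (private ip, private port)
        self.static = {}

    def add_static_mapping(self, public_port, private_ip, private_port):
        """Deliberately expose one internal service, as with inbound mapping / static NAT."""
        self.static[public_port] = (private_ip, private_port)

    def outbound(self, pkt):
        """Translate a packet leaving the private network; None means it was dropped."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.sessions:
            if len(self.sessions) >= self.max_sessions:
                return None  # table full: refuse a new translation rather than overflow
            self.sessions[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        # The private source address never appears on the wire.
        return Packet(self.public_ip, self.sessions[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate a packet arriving at the public address; None means it was dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        state = self.reverse.get(pkt.dst_port)
        # A reply is accepted only from the remote endpoint the session was opened to.
        if state and state[2:] == (pkt.src_ip, pkt.src_port):
            return Packet(pkt.src_ip, pkt.src_port, state[0], state[1])
        if pkt.dst_port in self.static:
            priv_ip, priv_port = self.static[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)
        return None  # unsolicited traffic: the private network stays hidden
```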
VI.1.1. Security risk assessment
The process of identifying and analyzing risks for assets that might be harmed by cyberattacks is
known as cybersecurity risk assessment (SRA). In essence, you analyze both internal and external
risks, assess their potential impact on data availability, confidentiality, and integrity, and calculate the
costs of a cybersecurity event. You may customize your cybersecurity and data protection procedures
to fit your organization's real risk tolerance using this information.
SRA enables analyzing security risks so that they can be acted on as quickly as possible. Today's SRA
must necessarily face the IoT's scalability, the diversity of devices, and the interrelation of
infrastructures. Consequently, traditional SRA approaches do not sustain resistance, tolerance, and
resilience towards the occurrence of security risks. (Abbass, Bakraouy, Baina and Bellafkih, 2019)
Any danger of financial loss, interruption, or harm to an organization's reputation stemming from
the breakdown of its information technology systems is referred to as cyber risk. Cyber risk can
manifest itself in a variety of ways, including:
❖ Intentional and unauthorized security breaches to obtain access to information systems.
❖ Breach of security that is unintentional or unavoidable.
❖ Poor system integrity, for example, poses operational IT hazards.
The authors identify a gap between Enterprise Risk Management (ERM) as a general approach to
risks threatening firms’ objectives on the one hand and Cyber Risk Management on the other hand.
The results suggest that Enterprise Risk Management needs to better understand and describe
emerging IT risks. (Eling, 2018)
Vulnerability: Any possible weak point that might allow a threat to do harm is referred to
as a vulnerability. The NIST National Vulnerability Database keeps track of particular,
code-based flaws in software and hardware that security specialists should be aware of.
Impact: The impact is the overall amount of harm an organization would suffer if a threat
exploited a vulnerability. A successful ransomware assault, for example, might result in
lost productivity and data recovery costs, as well as the revealing of client data or trade
secrets, resulting in lost business.
Likelihood: This is the likelihood of a threat occurring. It is generally a range rather than a
precise number.
Once you have identified all of your information assets and key stakeholders across all departments,
you will need to categorize these data assets based on their sensitivity level as well as the strategic
value of the asset to the firm.
Step 5: Determine the likelihood that an incident will occur
Many organizations use the terms "high," "medium," and "low" to describe the likelihood of a
threat occurring. If, for example, you deal with a lot of personal health data but have automated
mechanisms for encrypting and anonymizing it, and test and review the performance of such
systems regularly, the chances of an incident are slim. To reach this conclusion, you'll need to
leverage your understanding of the vulnerabilities and the controls that have been implemented
inside your business.
Figure 32: XpoLog
Figure 34: Hoxhunt
• Using insecure Windows operating systems: Unpatched Microsoft Windows operating
systems are frequently used in industrial systems, resulting in known vulnerabilities.
• Unknown third-party relationships: Many ICS providers may be unaware of the third-party
components they utilize in their systems, making it harder for them to alert consumers
about vulnerabilities. As a result, hackers who are aware of the reliance can target software
that the industrial business is unaware of.
VI.3. What tools will you propose to treat the IT security risk?
OCTAVE is a risk assessment approach that is both flexible and self-directed. To handle the
organization's security demands, a small team of employees from the operational (or business)
units and the IT department collaborate. To characterize the present state of security, identify
threats to vital assets, and develop a security plan, the team depends on the expertise of numerous
personnel. It may be modified to fit the needs of almost any company.
The OCTAVE technique, unlike most other risk assessment approaches, is driven by operational
risk and security processes rather than technology. Its purpose is to enable a company to:
➢ Direct and manage their own information security risk assessments.
➢ Make the best decisions possible based on their own concerns.
➢ Concentrate on safeguarding critical data assets.
➢ Communicate critical security information effectively.
The OCTAVE technique is divided into three parts and is based on eight operations. In higher
education institutions it is frequently preceded by an exploration phase (known as Phase Zero)
to define the criteria that will be employed throughout the use of the OCTAVE technique.
Sematext Monitoring is a full-stack IT infrastructure monitoring tool that gives you real-time
visibility into both on-premises and cloud installations. It monitors apps, servers, containers,
processes, inventories, events, databases, and more to assess how healthy your infrastructure is.
This tool detects anomalies in infrastructure and integrates with external notification systems
such as PagerDuty, Opsgenie, Splunk On-Call, and webhooks for infrastructure alerting.
Figure 37: The Elastic Stack
The ELK Stack monitoring solution integrates the features of three open-source
projects: Elasticsearch, Logstash, and Kibana. Metricbeat is a module that lets you correlate
data from a variety of sources, including servers, Docker containers, Kubernetes, and more.
You may also use third-party integrations to set up alerts on index/metrics-based thresholds
and send notifications.
❖ Zabbix
Figure 38: Zabbix
One of the most widely used open-source infrastructure monitoring tools is Zabbix. It's a
flexible solution with different network, server, cloud, application, and database monitoring
options. Zabbix collects essential data including CPU, memory, and network utilization across
many platforms (Windows, Linux, Unix, etc.).
Figure 40: Datadog Infrastructure Monitoring
❖ ManageEngine OpManager
ManageEngine OpManager is a reliable infrastructure monitoring tool that can monitor
networks, physical and virtual servers, storage devices, and more in real time. The platform
delivers a complete view of overall network performance with customized dashboards that
include over 200 performance widgets. The program may also automatically map availability
and response-time monitoring to all services operating on Windows and Linux servers.
Network monitoring software also eliminates the requirement for a physical system administrator
as well as manual inspections. This may save your firm both time and money while also ensuring
that the problem is adequately addressed.
The reporting supplied by network monitoring is another significant benefit. These reports can help
you see patterns and trends in system performance, as well as show that improvements or
replacements are required. It's also simple to develop performance benchmarks.
Finally, network monitoring technologies may help you pinpoint which sections of your network
are having issues. This means you can rapidly identify the problem, saving you time and money
when it comes to solving it.
VII.3. The benefits of using a network monitoring system for an organization are as follows:
◆ Benchmarking standard performance
IT outages can result from a variety of factors.
❖ Errors made by humans
❖ Changes to the network that are incompatible
❖ Technology's ever-increasing complexity
Network monitoring provides you with the insight to assess daily performance and the
foresight to detect deviations from performance standards, allowing you to catch
abnormalities before they cause problems.
Effective network monitoring allows IT workers to spot possible problems early and fix
them before they become severe problems that cause system downtime.
With the emergence of internet-enabled sensors, wireless devices, and cloud technologies,
IT teams must better manage how they monitor these technologies for large changes or
suspicious activities.
Another development affecting IT environment management is the rise in the number of
wireless devices connected to the network. IT administrators, especially those working in a
BYOD environment, must keep track of the number and types of devices connected to their
network.
As a result, network monitoring will help an IT staff defend a company's data and systems
more effectively.
IT teams may use network monitoring to acquire historical insight into how equipment has
performed over time and decide if present technology can grow to meet business demands
using trend analysis.
Organizational networks should be set up with monitoring tools that automatically alert IT
teams to potential risks, such as disk space spikes, backup failures, failing hardware, intrusion
attempts, and network devices without up-to-date antivirus software, allowing IT to take
corrective action before it is too late.
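As an added example (not code from the assignment), the following Python monitor shows the two ideas above in practice: it builds a performance baseline from past readings, flags current readings that deviate from it, and applies threshold rules for the risks just listed. Host names, metric names, status fields and all readings are constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Sample:
    host: str
    metric: str     # e.g. "latency_ms" or "disk_used_pct"
    value: float

def build_baseline(history):
    """Benchmark: mean and standard deviation of past readings per (host, metric)."""
    groups = {}
    for s in history:
        groups.setdefault((s.host, s.metric), []).append(s.value)
    return {key: (mean(vals), pstdev(vals)) for key, vals in groups.items()}

def deviation_alerts(baseline, current, z_threshold=3.0):
    """Flag readings more than z_threshold standard deviations from their baseline."""
    alerts = []
    for s in current:
        key = (s.host, s.metric)
        if key not in baseline:
            # An unknown (host, metric) pair is itself worth a look: new or rogue device.
            alerts.append(f"{s.host}: no baseline for {s.metric}")
            continue
        mu, sigma = baseline[key]
        # A perfectly flat history (sigma == 0) makes any change at all a deviation.
        if (sigma == 0 and s.value != mu) or (sigma > 0 and abs(s.value - mu) / sigma > z_threshold):
            alerts.append(f"{s.host}: {s.metric}={s.value} vs baseline {mu:.1f}+/-{sigma:.1f}")
    return alerts

def rule_alerts(status):
    """Threshold rules for the risks listed above (the status field names are assumptions)."""
    alerts = []
    if status["disk_used_pct"] - status["disk_used_pct_yesterday"] > 20:
        alerts.append(f"{status['host']}: disk usage spiked to {status['disk_used_pct']}%")
    if not status["last_backup_ok"]:
        alerts.append(f"{status['host']}: last backup failed")
    if status["av_signature_age_days"] > 7:
        alerts.append(f"{status['host']}: antivirus signatures {status['av_signature_age_days']} days old")
    return alerts

# Constructed sample data: a week of latency readings, today's readings, and one host's status.
HISTORY = [Sample("fw-1", "latency_ms", v) for v in (10, 11, 9, 10, 12, 10, 11)]
TODAY = [Sample("fw-1", "latency_ms", 45.0), Sample("ap-7", "latency_ms", 10.0)]
STATUS = {"host": "file-srv", "disk_used_pct": 91, "disk_used_pct_yesterday": 60, "last_backup_ok": False, "av_signature_age_days": 12}

if __name__ == "__main__":
    for line in deviation_alerts(build_baseline(HISTORY), TODAY) + rule_alerts(STATUS):
        print("ALERT", line)
```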
VIII. Conclusion
This assignment clarifies what network security is and the advantages of network security.
Aside from learning about security measures to avoid cyber-attacks, I hope to have more
opportunities in the future to study and practice extensively in this major because of the
benefits it provides.