
SECURE NETWORK DESIGN

DOCUMENT

DOMAIN: SOCIAL MEDIA (Privacy Design Architecture)

SEC B, GROUP NO. 14

IIT2021199 AVADHUT SAVALE


IIT2021200 BITTU SHARMA
IIT2021201 AMAN GUPTA
IIT2021203 TUSHAR KUMAR
IIT2021212 UJJWAL KUMAR PANDEY

I. ABSTRACT

This report examines the rapid rise of social media and how it has accelerated global
communication while also giving attackers a wealth of information to misuse. Social media lets
people stay in touch with family, friends and coworkers, which is why its use has grown so
quickly in recent years. Attackers are drawn to content published on social networks because it
spreads almost instantly. The information users share raises security and privacy concerns,
especially when it is private content such as images, videos and audio. With this much
information at their disposal, attackers can cause damage at a global scale. Information security
is therefore required because processing information with technology creates the risk that it is
disclosed incorrectly or to the wrong person.

Regardless of the technology deployed in their facilities or the procedures followed by their
security staff, social networking services (SNS) such as Facebook are less secure than they
appear. Much of this is due to the information people post: these networks are enormously
popular and are frequently used by minors and by people who do not prioritise privacy or
security. Using GNS3, we emulated a network topology of our own, modelled on Facebook's, in
order to describe the network security measures a social media platform needs. The report
analyses that topology and the types of attack a social media website can face, and proposes a
Security Operations Center (SOC) responsible for network performance and security. The job of
a security operations center, sometimes called an information security operations center
(ISOC), is to improve an organization's threat detection, response and prevention capabilities by
unifying and coordinating its security technologies and operations. The report also studies
network monitoring software and how its features can be used to harden the network against the
threat landscape described later.

II. INTRODUCTION

A Security Operations Center (SOC) is an organizational function that uses people, processes
and technology to continuously monitor and improve an organization's security posture while
preventing, detecting, analyzing and responding to cybersecurity incidents. The SOC acts as a
central command post that receives telemetry from across the organization's IT infrastructure
(networks, devices, appliances and data stores) regardless of where those resources are
located. Advanced threats rarely show up in a single log, so gathering context from many
sources has become essential: the SOC is the point of correlation for all logged events in the
monitored organization, and for each event it must decide how to handle it. The SOC team first
gathers data from sources such as cyber threat intelligence (CTI) feeds and log files from
systems across the organization. It then monitors the company's assets, from on-premises
servers in the data center to cloud resources, covering servers, endpoints and perimeter devices
such as firewalls and edge routers.

Fig 1. Security Information & Event Management (SIEM)

SOC analysts then interpret this data to produce actionable information. Part of that work is
reducing noise, for example by deduplicating events and normalizing records from different
sources into a common schema, and part is correlating events to find the root cause of a
problem. Reading the SIEM's raw log view is not enough: analysts need the experience to
interpret the data correctly. Much of their time goes into identifying the conditions that give
attackers a foothold.

This can include looking for the following:

● Unpatched servers and endpoints: Updating systems sounds trivial, but it is not. The SOC
flags unpatched systems and identifies alternative courses of action; if a system cannot be
patched promptly, it may have to be monitored more closely (or isolated) until it can be.
● Vulnerable endpoints: Endpoints with outdated malware signatures, or with no working
endpoint protection at all.
● Neglected perimeter and edge devices: Routers, switches, firewalls and other network
devices, inside the network or just beyond its edge, that are not kept updated and securely
configured.
● Reports of end-user activity: Social engineering is one of the most common ways attackers
gain improper access to company information and resources, so the SOC works to keep
people from being manipulated.
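The normalisation and correlation described above, as an added example that is not part of the report: two constructed log formats (syslog-style lines from an authentication service and JSON events from the web application) are mapped into one schema of the kind Logstash would hand to Elasticsearch, and a simple rule then flags a user who fails to log in several times from one address and then succeeds. Log lines, field names and thresholds are all invented for the illustration.

```python
"""Added example, not code from the report: normalise two constructed log
formats into one schema, then correlate them with a simple SIEM rule."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: syslog-style lines from an auth service and JSON
# events from the web application, describing the same login attempts.
AUTH_LINES = [
    "2024-03-01T10:00:01Z auth-1 login: user=alice src=203.0.113.9 result=FAIL",
    "2024-03-01T10:00:04Z auth-1 login: user=alice src=203.0.113.9 result=FAIL",
    "2024-03-01T10:00:07Z auth-1 login: user=alice src=203.0.113.9 result=FAIL",
    "2024-03-01T10:00:09Z auth-1 login: user=alice src=203.0.113.9 result=FAIL",
    "2024-03-01T10:00:30Z auth-1 login: user=bob src=198.51.100.7 result=FAIL",
]
WEBAPP_LINES = [
    '{"ts": "2024-03-01T10:00:12Z", "event": "login", "account": "alice", "ip": "203.0.113.9", "ok": true}',
    '{"ts": "2024-03-01T10:05:00Z", "event": "login", "account": "bob", "ip": "198.51.100.7", "ok": true}',
]

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ login: user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<res>\w+)$"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalise(lines):
    """Map each raw line to the common schema {ts, user, ip, success, source}
    and sort the result by time so rules can be evaluated in order."""
    events = []
    for raw in lines:
        raw = raw.strip()
        if raw.startswith("{"):
            rec = json.loads(raw)
            if rec.get("event") != "login":
                continue
            events.append({"ts": parse_ts(rec["ts"]), "user": rec["account"],
                           "ip": rec["ip"], "success": bool(rec["ok"]), "source": "webapp"})
        else:
            m = AUTH_RE.match(raw)
            if not m:
                continue  # unparseable line; in production, count these and alert on them too
            events.append({"ts": parse_ts(m["ts"]), "user": m["user"], "ip": m["ip"],
                           "success": m["res"] == "OK", "source": "auth"})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_takeover(events, threshold=3, window=timedelta(minutes=5)):
    """Flag a (user, ip) pair that fails at least `threshold` times inside
    `window` and then succeeds: the brute-force-then-login pattern."""
    failures = defaultdict(list)
    alerts = []
    for e in events:
        key = (e["user"], e["ip"])
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if e["success"]:
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_then_success", "user": e["user"],
                               "ip": e["ip"], "failures": len(recent),
                               "ts": e["ts"].isoformat()})
            failures[key] = []          # a success closes the window
        else:
            recent.append(e["ts"])
            failures[key] = recent
    return alerts


def run():
    return detect_takeover(normalise(AUTH_LINES + WEBAPP_LINES))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Each normalised event is a flat dictionary, which is also the shape that indexes cleanly in Elasticsearch and can be visualised in Kibana; the rule itself is the kind of correlation a SIEM performs before an analyst ever sees the alert.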

III. THREAT LANDSCAPE

A threat landscape is the set of threats in a particular domain or context, together with
information on the vulnerable assets, risks, threat actors and observed trends that have been
identified. An attack vector (or threat vector) is the method or point of entry by which an
attacker gains unauthorised access to a network or system in order to launch an attack. By
exploiting system flaws through such vectors, cybercriminals can obtain sensitive data,
personally identifiable information (PII) and other valuable information in a data breach.

Fig 2. Various types of Threats

The secure network design document prepared for the C1 component studied the types of threat
that social media networks are exposed to; they are elaborated in this section. For a social
media network, the vulnerabilities, malware, particular attacker groups and their methods are all
part of the threat landscape, since each poses a risk in that environment. Two distinct threats to
users' data are the social network operator itself and external attackers seeking sensitive
information. A social networking site can be compromised, giving unauthorised parties access
to users' personal information; and even without a compromise, the operator can be ordered by
the authorities or a court to divulge users' personal data. The operator's own access to personal
information should therefore itself be regarded as a potential privacy risk, and the network
should be designed so that such data is not needlessly accessible. Attackers also compromise
users' privacy by crawling profiles and public feeds to collect private data, and several studies
have noted that the default privacy settings of social networking sites are frequently insecure.
Another route is impersonation: an attacker poses as a person or business, reuses the
reputation that person or company has already built, and adds a malicious link or false contact
details. Such phoney accounts can amass thousands of followers in a matter of days.

Among the threats and attacks social media networks are exposed to are malware, cryptojacking,
supply chain attacks, ransomware, non-malware (fileless) attacks, social engineering, site
compromise, data breaches, phishing, account takeover, browser-based attacks, compromised
credentials and Distributed Denial of Service (DDoS), compounded by weaknesses such as
missing encryption. The cost of losing availability is high: the October 2021 outage took
Facebook and its sibling services Instagram and WhatsApp down for hours and cost millions of
dollars in revenue, even though it was caused by a configuration change rather than an attack
[6]. When users cannot reach the network's apps and services, the disruption also affects
Facebook's share price. It is therefore imperative to safeguard the network so that no attack
vector can penetrate its configuration.

CATEGORIES OF THREAT

- Fake accounts: One of the most frequent risks in social networks. Fake accounts use identities
that do not really exist. Once they have been in contact with a target for a while and gained
their confidence, they ask for financial favours: loans, phone credit, bank account details or
credit card numbers. Fake accounts are also used to plan and carry out unlawful acts such as
cyberbullying and sexual harassment. According to Dailyworld there are 270 million fake
accounts on Facebook (Dailyworld, 2017), and Menczer (2018) estimated that between 9% and
15% of Twitter accounts could be fake.
- Theft of accounts: Through hijacked accounts, attackers can distribute offensive or unlawful
content. They can also contact the victim's friend list and ask those contacts for money, credit
or sensitive information (Lena, 2016).
- Social malware: Also called soc-ware. It aims to collect personal data such as passwords for
social media or email accounts, bank account numbers, credit card numbers, names and home
addresses. A link sent from a hijacked account can lead the recipient to malware that harvests
any of this information. Scareware is another kind of harmful software frequently seen on social
media: it creates panic by convincing users of a harmful condition that does not exist (a virus
infection, a system failure, the seizure of their social media account) and then steers them to
buy software that supposedly fixes the problem.
- Violation of privacy: The social network exposes a person's private information, photos,
videos or documents to everyone on it without that person's consent. Capturing and recording
such data, including images, videos and documents, without consent is likewise an infringement
of the right to privacy.

IV. NETWORK TOPOLOGY

Network topology is the physical and logical arrangement of nodes and links in a network; it
describes the layout of the network and where traffic flows. Administrators use topology
diagrams to decide where to place each node and which path traffic should take. The topology
has a direct effect on how the network performs: a well-chosen and well-maintained topology
improves throughput and energy efficiency. Common topologies are bus, star, ring and mesh.

Messaging services run by social media platforms such as Facebook (WhatsApp and Messenger)
offer end-to-end encryption, in which a message is readable only by the sender and the
intended recipient. Users never connect to each other directly: each user connects to the
platform's server, and the server forwards the message to the other user. Every node therefore
reaches every other node through a single central device, which is exactly a star topology. On
switched links a star avoids collisions and performs well. Note that end-to-end encryption is a
property of the protocol rather than of the topology: the central server still relays every
message, so the design must ensure that the server only ever sees ciphertext. That is what this
report aims to achieve for a social media network.
Fig 3. NETWORK topology for social media network
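The star-topology relay with end-to-end encryption described above, as an added example that is not part of the report: a hub (the server) forwards messages between clients that never talk to each other directly, and the hub only ever sees ciphertext. The cipher is a toy HMAC-SHA256 keystream with an HMAC tag standing in for a real AEAD such as AES-GCM, and the pairwise key is assumed to be pre-established (a real messenger would agree it with a Diffie-Hellman exchange); client names and the message are invented.

```python
"""Added example, not code from the report: a hub-and-spoke (star) relay
where every client talks only to the server, while the server forwards
ciphertext it cannot read. The cipher is a toy (HMAC-SHA256 keystream plus
HMAC tag) used in place of a real AEAD; pairwise keys are assumed to be
pre-established rather than negotiated."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 32


def _subkey(key, label):
    # Separate encryption and MAC keys derived from the shared secret.
    return hashlib.sha256(label + key).digest()


def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message tampered with or wrong key")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class RelayServer:
    """Hub of the star: knows who is connected and forwards opaque blobs."""
    def __init__(self):
        self.clients = {}
        self.log = []  # everything the operator (or a court order) could obtain

    def register(self, client):
        self.clients[client.name] = client

    def route(self, sender, recipient, blob):
        self.log.append((sender, recipient, blob))
        self.clients[recipient].inbox.append((sender, blob))


class Client:
    """Spoke of the star: only ever talks to the server."""
    def __init__(self, name, server):
        self.name, self.server, self.inbox, self.keys = name, server, [], {}
        server.register(self)

    def send(self, peer, text):
        self.server.route(self.name, peer, seal(self.keys[peer], text.encode()))

    def read(self):
        msgs = [(s, unseal(self.keys[s], b).decode()) for s, b in self.inbox]
        self.inbox.clear()
        return msgs


def run_demo():
    server = RelayServer()
    alice, bob = Client("alice", server), Client("bob", server)
    shared = os.urandom(32)  # assumed pre-established pairwise key (hypothetical)
    alice.keys["bob"] = bob.keys["alice"] = shared
    alice.send("bob", "meet at 5")
    received = bob.read()
    server_saw_plaintext = any(b"meet at 5" in blob for _, _, blob in server.log)
    # A malicious relay flips one ciphertext byte; the tag check catches it.
    _, _, blob = server.log[0]
    tampered = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 0xFF]) + blob[NONCE_LEN + 1:]
    try:
        unseal(shared, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"received": received, "server_saw_plaintext": server_saw_plaintext,
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(run_demo())
```

The point of the demo is the server's log: it holds every message that passed through the hub, yet none of them is readable without a key the server never had. Key agreement, forward secrecy and the authenticated exchange of public keys are what a production messenger adds on top of this structure.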

V. TEST CASE & METHODOLOGY

The tool used to design the network topology for the social media network is Graphical Network
Simulator-3 (GNS3), a network emulator that combines virtual and real devices to simulate
complex networks. Organizations build their own SOC from proprietary or open-source tools and
skilled staff, or adopt a platform such as Kibana, which visualises and correlates data from
firewalls, network monitoring tools and IDS; it is explored in the following section.

In application security testing, the security of a web application or platform is checked and
evaluated using a detailed methodology. Many tools can run rapid tests, but out-of-the-box
scans do not account for application-specific use cases, so running the most popular
penetration testing tools as-is is not sufficient to secure a web platform. The better approach is
to base the threat analysis and testing plan on widely accepted standards and procedures for
security assessment, and from those select the testing approach best suited to the social media
platform.

Fig 4. A typical OPSEC process

Kibana is an open-source, browser-based visualization tool used mainly to analyze large
volumes of logs as line graphs, bar graphs, pie charts, heat maps, region maps, coordinate
maps, gauges, goals, Timelion charts and so on. Visualization makes it easy to see changes in
the trend of errors or other significant events in the input data. Kibana works together with
Elasticsearch and Logstash; the three form the ELK stack (Elasticsearch, Logstash, Kibana), one
of the most widely used log management platforms. In the ELK stack, Logstash collects log data
and other events from various input sources, processes (parses and normalizes) them and
stores them in Elasticsearch. Kibana reads the indexed data from Elasticsearch and presents it
to the user as line graphs, bar graphs, pie charts and other visualizations.
Kibana offers its users the following features:

1. Visualization: Kibana provides many ways to easily visualize your data. The most
commonly used are column charts, horizontal bar charts, pie charts, line charts, heat
maps, etc.

2. Dashboard: Once your visualizations are ready, you can put them all on one board
(dashboard). Looking at the various sections together gives an overall clear picture of
what exactly is going on.
3. Dev Tools: You can work with your indexes using dev tools. Beginners can add dummy
indexes from dev tools and also add, update, delete the data and use the indexes to
create the visualization.

4. Reports: Visualizations and dashboards can be exported as reports (for example CSV),
embedded in a web page or shared as URLs.

5. Filters and Search query: You can make use of filters and search queries to get the
required details for a particular input from a dashboard or visualization tool.

6. Plugins: You can add third-party plugins to add some new visualization or also other UI
additions in Kibana.

7. Coordinate and Region Maps: A coordinate and region map in Kibana helps to show the
visualization on the geographical map giving a realistic view of the data.

8. Timelion: Timelion is a visualization tool for time-series analysis. It works directly
against an index and uses a simple expression language to perform calculations on the
data, which makes it useful for comparing a series with previous cycles (weeks, months
and so on).

9. Canvas: Canvas is another powerful Kibana feature. Canvas workpads let you present
data with custom colour combinations, shapes, text and multiple pages.

VI. TARGET DEVICES

- FIREWALL - A firewall is a network security device or software that monitors and controls
incoming and outgoing traffic according to predetermined rules. It forms a barrier between a
trusted internal network and untrusted external networks such as the Internet, protecting the
network and the devices on it from unauthorized access and malicious activity. Firewalls are
deployed at several levels: the network perimeter, individual hosts and within applications.
Rules are evaluated in order and, in a secure configuration, anything not explicitly allowed is
denied.
- NETWORK BANDWIDTH - Bandwidth is the maximum data transfer rate a link or network
supports, usually measured in bits per second (bps). It is an essential consideration in topology
design, because the topology determines how bandwidth is shared among devices and how
traffic flows; the hub of a star topology, for instance, must carry every conversation.
- ROUTERS - Routers control the flow of data between networks, such as between local area
networks (LANs) and the Internet. They connect devices within a network to external networks
and, through access control lists, are often the first point at which unwanted traffic can be
dropped.
- APPLICATION SERVER - An application server is the software platform that runs and manages
applications, particularly web applications and services. Application servers are a critical
component of modern architectures and a prime target, so securing them properly is essential
to the confidentiality, integrity and availability of the applications and the data they handle.

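The ordered, default-deny rule evaluation described under FIREWALL above, as an added example that is not part of the report: a minimal first-match packet filter is run over the same constructed packets with a weakly ordered ruleset and with the corrected ordering, showing how a broad allow placed before a specific deny silently defeats the deny. Addresses, ports, rules and packets are all invented for the illustration.

```python
"""Added example, not code from the report: a minimal first-match packet
filter with an implicit default deny, used to show why rule order matters.
Addresses, rules and packets are constructed for the illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # None matches any destination port


def matches(rule, pkt):
    if rule.proto != "any" and rule.proto != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt["dport"]


def evaluate(rules, pkt):
    """First matching rule wins; a packet matching no rule is dropped."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"  # implicit default deny


# Weak ordering: the broad HTTPS allow is hit before the block on the abusive
# range, so the block never takes effect for port 443.
WEAK_RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "10.0.1.0/24", 443),
    Rule("deny", "any", "203.0.113.0/24", "0.0.0.0/0", None),
]

# Corrected ordering: specific denies first, then narrow allows; the
# application-to-database path is permitted explicitly.
FIXED_RULES = [
    Rule("deny", "any", "203.0.113.0/24", "0.0.0.0/0", None),
    Rule("allow", "tcp", "0.0.0.0/0", "10.0.1.0/24", 443),
    Rule("allow", "tcp", "10.0.1.0/24", "10.0.2.0/24", 5432),
]

# Constructed traffic: 10.0.1.0/24 is the web tier, 10.0.2.0/24 the database tier.
PACKETS = {
    "blocked_range_https": {"proto": "tcp", "src": "203.0.113.5", "dst": "10.0.1.10", "dport": 443},
    "user_https": {"proto": "tcp", "src": "198.51.100.20", "dst": "10.0.1.10", "dport": 443},
    "ssh_from_internet": {"proto": "tcp", "src": "198.51.100.20", "dst": "10.0.1.10", "dport": 22},
    "app_to_db": {"proto": "tcp", "src": "10.0.1.10", "dst": "10.0.2.5", "dport": 5432},
}


def decisions(rules):
    """Evaluate every sample packet against a ruleset."""
    return {name: evaluate(rules, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        print(label, decisions(rules))
```

Two things carry over to a real firewall or router ACL: the implicit deny at the end means forgotten paths (here the database connection) fail closed rather than open, and a ruleset should be checked against a set of representative packets like these after every change, since a single misplaced rule can undo a block without any error being reported.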
VII. INCIDENT HANDLING & SOC MONITORING

Incident handling (IH) is the set of information security policies and procedures used to
identify, contain and eradicate cyberattacks. It includes incident response, whose purpose is
to let the organization detect and halt attacks quickly, minimize damage and prevent
recurrences of the same kind. Incident handling consists of identifying, recording, analyzing
and managing security threats, risks and incidents in real time. Its goal is a complete and
comprehensive picture of all security problems and policy violations (such as illegal data
access) within a given IT system.

Incident handling involves five major steps:

1. Alert
2. Identification
3. Assessment and incident response preparation
4. Incident response
5. Learnings and takeaways

The Security Operations Center (SOC) is the centralised function that uses people, processes
and technology to continuously monitor and improve the organisation's security posture while
preventing, detecting, analysing and responding to cybersecurity incidents. SOC monitoring
deals with hackers and malicious users; security monitoring and alerting are the SOC's main
duties, which means collecting and analysing data to spot suspicious activity and strengthen
the organisation's security. The SOC's tools continuously scan the network for anomalies and
suspicious activity, and being informed of a developing threat immediately gives the SOC its
best chance to stop or limit the harm. The most sophisticated monitoring tools use behavioural
analysis to teach systems the difference between routine daily operations and genuine threat
behaviour, reducing the amount of triage and analysis that must be done by a human.

The following steps are needed to develop a successful SOC:

1. Create a strategy for the security operations center.
2. Design the SOC solution.
3. Develop training, policies and procedures.
4. Prepare the environment and deploy the solution.
5. Implement complete use cases.
6. Keep improving the solution.

A successful SOC not only satisfies the security requirements of the business but also keeps up
with evolving threats; it can scale up or down as needed and is designed to react quickly and
effectively to new and existing threats. Facebook has a security incident response process for
monitoring, finding and handling potential security events that may compromise Covered Data.
The plan defines roles and responsibilities, communication, and post-mortem assessments
including root cause analyses and remedial plans. Facebook monitors for malicious activity and
security lapses affecting Covered Data, and before an app can obtain advanced permissions, its
developers' use, sharing and protection of Platform Data is reviewed for compliance with the
Facebook Platform Terms.

VIII. CONCLUSION

Internet users increasingly use social networking sites such as Facebook, Instagram and Twitter.
Because of repeated privacy breaches on these sites, privacy has become a major public
concern even as users continue to enjoy this form of networking. Taking Facebook as a
reference, this paper analysed the threat landscape, network topology and SOC monitoring
involved in social media networks. We then implemented a social media topology in GNS3
using a star topology, studied Kibana in detail and how it can be used to harden the network
against the threat landscape, installed it and explored its features, and captured a .pcap file to
analyse network traffic and performance. We observed that, despite the technology Facebook
uses and the procedures its security department has in place, social networking services (SNS)
like Facebook are not as secure as they appear; our objective is to design a security
architecture that takes the best from existing systems while closing their gaps.

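The .pcap analysis mentioned above, as an added example that is not the report's own capture or tooling: a classic libpcap file is parsed with the Python standard library only (global header, per-record headers, then Ethernet, IPv4 and TCP headers), and connection attempts are counted per source to flag a SYN flood, one of the DDoS patterns listed in the threat landscape. The capture bytes are constructed in code, so the addresses, packet counts and threshold are invented.

```python
"""Added example, not code from the report: parse a libpcap capture with the
standard library only and flag sources sending many bare SYNs (a SYN-flood
heuristic). The capture bytes below are constructed in code."""
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4


def build_tcp_packet(src_ip, dst_ip, sport, dport, flags):
    """Ethernet + IPv4 + TCP headers with no payload; checksums are left
    zero because this parser does not verify them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = struct.pack("!6s6sH", b"\x02" * 6, b"\x04" * 6, 0x0800)
    return eth + ip + tcp


def build_sample_pcap():
    """Constructed capture: one source hammers port 443 with bare SYNs while
    a normal client sends one SYN and then an ACK."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    packets = [build_tcp_packet("203.0.113.77", "10.0.1.10", 40000 + i, 443, 0x02)
               for i in range(50)]
    packets.append(build_tcp_packet("198.51.100.20", "10.0.1.10", 51000, 443, 0x02))  # SYN
    packets.append(build_tcp_packet("198.51.100.20", "10.0.1.10", 51000, 443, 0x10))  # ACK
    for i, pkt in enumerate(packets):
        out.append(struct.pack("<IIII", 1700000000, i, len(pkt), len(pkt)) + pkt)
    return b"".join(out)


def iter_records(data):
    """Yield raw frames from a classic pcap file, handling either byte order."""
    (magic,) = struct.unpack("<I", data[:4])
    endian = "<" if magic == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src_ip, dst_ip, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6 or len(frame) < 14 + ihl + 20:  # protocol 6 = TCP
        return None
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    tcp = frame[14 + ihl:]
    _sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, dport, tcp[13]


def analyse_pcap(data, port=443, threshold=20):
    """Count bare SYNs (SYN set, ACK clear) per source towards `port` and
    report sources at or above `threshold`."""
    total = 0
    syns = Counter()
    for frame in iter_records(data):
        total += 1
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, _dst, dport, flags = parsed
        if dport == port and flags & 0x12 == 0x02:
            syns[src] += 1
    suspects = {ip: n for ip, n in syns.items() if n >= threshold}
    return {"packets": total, "syn_counts": dict(syns), "suspects": suspects}


if __name__ == "__main__":
    print(analyse_pcap(build_sample_pcap()))
```

To run it on a real capture, read the file in binary mode and pass the bytes to analyse_pcap; the threshold and port should be tuned to the service's normal connection rate, since a busy legitimate client can also open many connections in a short window.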
IX. REFERENCES

[1] https://thesai.org/Downloads/Volume7No2/Paper_2-Role_of_Security_in_Social_Networking.pdf
[2] https://link.springer.com/article/10.1007/s40747-021-00409-7
[3] https://www.ibm.com/in-en/topics/security-operations-center
[4] https://www.clariontech.com/platform-blog/what-is-kibana-used-for-10-important-features-to-know
[5] https://www.qcert.org/sites/default/files/public/documents/cs-csps_guidelines_for_securing_social_media_accounts_eng_v2.1.pdf
[6] https://www.forbes.com/sites/petersuciu/2021/10/05/experts-weigh-in-on-what-caused-facebooks-outage/?sh=6f1ff071212a
[7] https://www.apriorit.com/dev-blog/524-web-application-security-testing
