During this last week of Discussion Questions, I would ask that you reflect on and consider at least one of the following:
- Which security threats did you become aware of during this capstone class? How would you mitigate against this threat?
- What mitigation methods did you become aware of for the first time during this capstone class? Why is that mitigation method unique, more efficient or effective, or otherwise significant?
Shubham Patil says
I became aware of man-in-the-middle attacks. In man-in-the-middle (MitM) attacks, threat actors intercept an outbound secure connection request from clients and relay their own requests to the intended servers, terminating both and acting as a proxy. This allows attackers to defeat encrypted channels without having to find vulnerabilities in the algorithms or their implementations. Basically, when Person A sends information to Person B, the attacker is in the middle and intercepts the information. The attacker can then modify, steal, or use the information. An attacker gains access to a line of communication. Some of the most common hacks occur through IP, DNS and HTTPS spoofing and ARP cache poisoning.
Use authentication based on key exchange between the machines on your network; something like IPsec will significantly cut down on the risk of spoofing. Use an access control list to deny private IP addresses on your downstream interface. Implement filtering of both inbound and outbound traffic. Configure your routers and switches, if they support such configuration, to reject packets originating from outside your local network that claim to originate from within. Enable encryption sessions on your router so that trusted hosts that are outside your network can securely communicate with your local hosts.
Protect the network by regularly clearing the DNS cache of local machines and network servers. In addition, users of Microsoft-based systems can look into utilizing Domain Name Security System Extensions (DNSSEC), which are a suite of extensions that tighten DNS security by providing features such as origin authority, data integrity, and authenticated denial of existence. DNSSEC is particularly effective against DNS spoofing attacks.
SSL and TLS protocols use web encryption to provide secure network communication. The most common type of SSL protocol, and the one most often encountered by regular users, is HTTPS. This protocol consists of communication over the traditional Hypertext Transfer Protocol (HTTP), but is protected via encryption through SSL and TLS. While these protocols provide greater protection for network communication, they can still be vulnerable to MiTM attacks. Always verify that a website is secure by checking the URL bar for a (green) lock icon before typing any sensitive data like passwords. A (green) lock icon means the traffic to the website is encrypted with a legitimate certificate.
Sometimes attackers alter a system’s ARP table so it contains incorrect information. This is called ARP table cache poisoning. The attacker’s goal is to receive packets intended for another computer. This is a type of masquerading attack. Adding static ARP entries into the cache is one method of mitigating ARP cache poisoning attacks. This method prevents attackers from using ARP requests and replies as the devices in the network will rely on the local cache instead.
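The static-ARP mitigation described above can also be turned into a detection: keep a trusted IP-to-MAC table for the hosts that matter (gateway, file server) and raise an alert whenever an observed ARP reply contradicts it, changes a previously learned binding, or shows one MAC answering for several IPs. The following is an added example written for this thread, not code from the original post; the ARP replies and MAC addresses are constructed sample data, and the alert names are my own.

```python
"""Flag ARP replies that look like cache poisoning against protected hosts.

Added example (not part of the original discussion). It assumes the defender
maintains static IP-to-MAC entries for critical hosts, as recommended above,
and feeds observed ARP replies to check_replies(). All addresses are
constructed sample values.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class ArpReply(NamedTuple):
    ts: float         # seconds since capture start (constructed)
    sender_ip: str    # IP address the reply claims to answer for
    sender_mac: str   # MAC address the reply binds to that IP


class Alert(NamedTuple):
    kind: str
    ip: str
    expected_mac: Optional[str]
    observed_mac: str
    ts: float


# Static entries for the hosts we protect (constructed sample values).
STATIC_ARP: Dict[str, str] = {
    "192.168.1.1": "aa:bb:cc:00:00:01",    # default gateway
    "192.168.1.10": "aa:bb:cc:00:00:10",   # file server
}

# Constructed sample of observed ARP replies, not captured traffic.
SAMPLE_REPLIES: List[ArpReply] = [
    ArpReply(0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    ArpReply(0.5, "192.168.1.10", "aa:bb:cc:00:00:10"),
    ArpReply(1.0, "192.168.1.50", "aa:bb:cc:00:00:50"),  # unprotected host, first seen
    ArpReply(2.0, "192.168.1.1", "de:ad:be:ef:00:01"),   # contradicts the gateway's static entry
    ArpReply(2.5, "192.168.1.50", "de:ad:be:ef:00:01"),  # same MAC now also claims .50
    ArpReply(3.0, "192.168.1.1", "de:ad:be:ef:00:01"),   # repeated gateway spoof
]


def check_replies(replies: List[ArpReply], static_table: Dict[str, str]) -> List[Alert]:
    """Return alerts for replies that contradict static entries, change a learned
    binding, or show one MAC answering for more than one IP."""
    alerts: List[Alert] = []
    learned: Dict[str, str] = {}               # dynamically learned IP -> MAC
    mac_to_ips = defaultdict(set)              # MAC -> set of IPs it has answered for
    for r in replies:
        ip, mac = r.sender_ip, r.sender_mac.lower()
        expected = static_table.get(ip)
        if expected is not None:
            # Protected host: the reply must match the static entry exactly.
            if mac != expected.lower():
                alerts.append(Alert("static_conflict", ip, expected.lower(), mac, r.ts))
        else:
            # Unprotected host: learn the first binding, alert if it changes.
            seen = learned.get(ip)
            if seen is None:
                learned[ip] = mac
            elif seen != mac:
                alerts.append(Alert("binding_changed", ip, seen, mac, r.ts))
                learned[ip] = mac
        # Heuristic: a MAC answering for several IPs is typical of a poisoner
        # (legitimate proxy-ARP routers can also trigger this; tune per network).
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(Alert("mac_claims_multiple_ips", ip, None, mac, r.ts))
    return alerts


if __name__ == "__main__":
    for a in check_replies(SAMPLE_REPLIES, STATIC_ARP):
        print(f"t={a.ts:4.1f} {a.kind:24s} ip={a.ip} expected={a.expected_mac} observed={a.observed_mac}")
```

On the constructed sample this produces four alerts: the gateway conflict at t=2.0, a changed binding and a multiple-IP claim for the same MAC at t=2.5, and the repeated gateway conflict at t=3.0. In a real deployment the replies would come from a packet capture on a mirrored port rather than a list, and the static table would be exported from the switch or host configuration.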
Mohammed Syed says
Excellent Point.
Mohammed Syed says
Having a third party attack the systems, using VPNs, creating a secure environment, and securing physical access to the devices in the local area network are essential in mitigating the attacks.
Antonio Cozza says
One of the most common ways that MiTM is prevalent right now is to use a tool named MITM6 with Responder in Active Directory (most corporate) networks for a variety of different attack vectors to attempt to own a domain controller or harvest credentials and observe protections in place in an AD environment. Responder acts as an MitM by exploiting the way Windows operates, and attempts to trick the target into providing its NTLMv2 hashes which could then potentially be cracked offline.
Kelly Sharadin says
Hi Shubham,
DNSSEC is also an area I need to dive into more to better understand how to implement this control in practice. With the prevalence of phishing campaigns and their use as the initial attack vector for ransomware, I agree that DNS security is paramount as part of an organization’s cyber defense against email spoofing attempts.
Kelly
Mitchell Dulaney says
Hey Shubham – ARP poisoning attacks were also new to me through this class. Surprisingly, limiting physical access to an organization’s facilities is another way to mitigate this threat, because one must have access to the local network for ARP messages to be routable to the target device.
Kelly Sharadin says
This course covered a tremendous amount of material. However, I would say the security threat that I was least aware of is the increasing amount of emerging state-level data privacy laws. It is one thing to be mindful of international regulations like GDPR. Still, the rise of various and differing state data privacy laws introduces a whole new risk factor for many organizations. Such laws draw attention to the line between security officers and data privacy officers in terms of responsibilities. Many smaller organizations do not have the resources for security, let alone data privacy officers. Therefore I believe the continued emphasis on secure development operations will be paramount for organizations’ use of personally identifiable information in a manner that is compliant with these emerging regulations.
Mohammed Syed says
I agree with you.
Mohammed Syed says
Currently, these five states, Virginia, California, Colorado, Connecticut and Utah, have the law in effect. I am sure more states are going to follow soon. It definitely will create multiple new risk factors and open a whole new can of worms.
Antonio Cozza says
California is likely the most strict state in the US for data protection and privacy laws. With data being the most valuable resource on the planet, it is certain that this trend will only continue and likely impose more stringent requirements on major companies.
Shubham Patil says
Kelly,
Even I was not much aware of the privacy laws, especially GDPR. All the data harvested from personal devices, along with the trail of electronic transactions, has led to the rise of data privacy laws. As the technology evolves, there will be new rules added to these privacy laws, which will be one of the challenges for the big companies.
Vraj Patel says
Hey Kelly,
That was a great post. There are multiple different types of data protection laws. In addition to that, something I have noted was how challenging it could be to implement a proper security control to comply with those laws.
Mitchell Dulaney says
Hey Kelly, GDPR is an interesting and necessary topic to cover because of just how impactful it is to information security worldwide. The EU is so large, with so many high-GDP countries that are lucrative for companies to operate within, that any medium- to large-sized companies must contend with GDPR requirements.
Mohammed Syed says
During the capstone class, we learned that user devices, software, and web servers are vulnerable to multiple threats. Various viruses, malware, and ransomware can infect our devices and can be devastatingly detrimental. To mitigate these, the priority should be to take care of our devices that can be involved or connected within that network. To protect them, you must use updated software, constantly update security tools and operating systems, update antivirus signatures, etc.
Antonio Cozza says
Just about everything connected to any network is vulnerable and likely always will be. Patching and updating systems keeps some major vulnerabilities from being exploited once fixes are made available by vendors. It seems so simple, yet it is almost never the case in practice, or the scope of machines to patch is incorrect, or administrators refuse to let servers’ states alter from production despite critical RCE vulnerabilities being present.
Kyuande Johnson says
Great Points Mohammed,
Vulnerability management is an essential aspect of protecting against system vulnerabilities. I have work experience with patching systems utilizing vulnerability scanners. New vulnerabilities are found every day! It’s best practice to prioritize critical vulnerabilities. Critical vulnerabilities need to be remediated within a week’s time. Prioritizing vulnerabilities significantly reduces the attack surface of that system.
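The prioritization rule above (critical findings remediated within a week) is easy to operationalize as a small remediation queue: map each scanner finding's CVSS base score to a severity, compute a due date from a per-severity SLA, and sort the queue so the most urgent items come first, marking anything past its date as overdue. The following is an added example for this thread, not code from the original post or from any scanner vendor. The one-week critical SLA comes from the post; the other SLA values, the hostnames, the dates and the CVE-XXXX placeholder identifiers are constructed assumptions. The severity bands follow the standard CVSS v3 ranges.

```python
"""Build a remediation queue from vulnerability scanner findings.

Added example (not part of the original discussion). Critical findings get a
7-day SLA as the post states; the high/medium/low SLAs are assumed values.
Hosts, dates and CVE identifiers are constructed placeholders.
"""
from datetime import date, timedelta
from typing import List, NamedTuple


class Finding(NamedTuple):
    host: str
    cve: str          # placeholder identifier, not a real CVE
    cvss: float       # CVSS v3 base score reported by the scanner
    first_seen: date  # date the scanner first reported it


class QueueItem(NamedTuple):
    host: str
    cve: str
    severity: str
    due: date
    days_overdue: int


# Remediation SLA in days per severity (critical from the post; others assumed).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


def build_queue(findings: List[Finding], today: date) -> List[QueueItem]:
    """Return findings ordered by severity, then by due date, with overdue days."""
    items: List[QueueItem] = []
    for f in findings:
        sev = severity(f.cvss)
        if sev == "none":
            continue  # informational only; nothing to remediate
        due = f.first_seen + timedelta(days=SLA_DAYS[sev])
        overdue = max(0, (today - due).days)
        items.append(QueueItem(f.host, f.cve, sev, due, overdue))
    items.sort(key=lambda i: (SEVERITY_RANK[i.severity], i.due))
    return items


# Constructed sample findings (hosts, scores, dates and IDs are made up).
SAMPLE_FINDINGS: List[Finding] = [
    Finding("srv-web-01", "CVE-XXXX-0001", 9.8, date(2022, 5, 1)),
    Finding("ws-042", "CVE-XXXX-0002", 7.5, date(2022, 4, 1)),
    Finding("srv-db-01", "CVE-XXXX-0003", 5.3, date(2022, 3, 1)),
    Finding("ws-007", "CVE-XXXX-0004", 3.1, date(2022, 1, 1)),
    Finding("srv-web-01", "CVE-XXXX-0005", 9.4, date(2022, 5, 9)),
]


if __name__ == "__main__":
    for item in build_queue(SAMPLE_FINDINGS, date(2022, 5, 10)):
        flag = f"OVERDUE by {item.days_overdue}d" if item.days_overdue else "within SLA"
        print(f"{item.severity:8s} {item.host:12s} {item.cve}  due {item.due}  {flag}")
```

With the sample data and a "today" of 2022-05-10, the two critical findings on srv-web-01 lead the queue (the older one already two days overdue), the high finding on ws-042 is nine days past its 30-day window, and the medium and low items are still within SLA. A real scanner export would replace SAMPLE_FINDINGS, and the SLA table would be set to the organization's own policy.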
Vraj Patel says
Hello Mohammed,
I sure do agree that there are many types of vulnerabilities within the devices, software, and web servers. There are more security flaws being introduced as updates are being made to the software. Along with updating those devices to mitigate the security flaws, it’s also important to implement other safeguards as well to protect the devices from zero-day attacks.
Tal Eidenzon says
Hi Mohammed,
You make many good points here.
An antivirus program can only be as good as its definitions are, so it is critical to keep updating and patching systems.
Thanks,
Tal
Antonio Cozza says
The threat I consider the most relevant to this question right now is that of ransomware. Although it is not a new concept to me or the world, in researching the various news articles I gained more insight on just exactly how prevalent they are – and that they are still on the rise despite basic mitigation methods being able to stop it. Some footholds are gained in clever ways lately, such as baiting people with malicious Microsoft Word documents and exploiting new Windows vulnerabilities, but then the attack pivots to ransomware in many cases around the world right now, targeting anything ranging from healthcare organizations to political entities, etc. Ransomware will have much more of a detrimental effect on organizations that are not prepared for such attacks, who then have little choice but to pay the ransom, despite what they announce to the public; this applies most of all to organizations that lack basic mitigations like tested, effective backups that are routinely updated and actionable. Secondary controls one can implement are MFA, which could help with scripted login attempts or at least generate an alert even if bypassed; security awareness training, which may reduce the attack surface and potentially prevent the foothold gained from phishing; and lastly behavior-based endpoint protection, which could inspect and detect malicious scripts.
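Behavior-based endpoint protection, the last control mentioned above, works by watching what a process does to the file system rather than what it looks like. Two of the simplest signals are a burst of renames that change file extensions (mass encryption) and any touch of a planted canary file that no legitimate user should open. The following is an added example for this thread, not code from the original post or from any endpoint product. The file events, process names (including "updater.exe"), paths, window size and threshold are all constructed assumptions.

```python
"""Detect ransomware-like file activity from a stream of file-system events.

Added example (not part of the original discussion). It assumes an event feed
of (timestamp, process, operation, source path, destination path) records such
as an EDR agent or file-system auditing would produce. The window, threshold,
canary path and all sample events are constructed values.
"""
import os
from collections import defaultdict, deque
from typing import Deque, Dict, List, NamedTuple, Optional, Set


class FileEvent(NamedTuple):
    ts: float           # seconds since start of the sample (constructed)
    process: str        # image name of the acting process
    op: str             # "write" or "rename"
    src: str            # file written, or rename source
    dst: Optional[str]  # rename destination; None for writes


class Alert(NamedTuple):
    kind: str
    process: str
    ts: float
    detail: str


WINDOW_SECONDS = 5.0     # assumed sliding window for the rename burst rule
RENAME_THRESHOLD = 5     # assumed number of extension changes that trips it
CANARY_FILES: Set[str] = {"C:/Users/alice/Documents/~canary.docx"}  # constructed planted file

DOCS = "C:/Users/alice/Documents/"

# Constructed sample events: normal editing, one benign rename, then a burst.
SAMPLE_EVENTS: List[FileEvent] = [
    FileEvent(0.0, "WINWORD.EXE", "write", DOCS + "report.docx", None),
    FileEvent(1.0, "explorer.exe", "rename", "C:/Users/alice/Desktop/notes.txt", "C:/Users/alice/Desktop/notes.md"),
    FileEvent(10.0, "updater.exe", "rename", DOCS + "a.docx", DOCS + "a.docx.locked"),
    FileEvent(10.2, "updater.exe", "rename", DOCS + "b.xlsx", DOCS + "b.xlsx.locked"),
    FileEvent(10.4, "updater.exe", "rename", DOCS + "c.pdf", DOCS + "c.pdf.locked"),
    FileEvent(10.6, "updater.exe", "rename", DOCS + "d.jpg", DOCS + "d.jpg.locked"),
    FileEvent(10.8, "updater.exe", "rename", DOCS + "~canary.docx", DOCS + "~canary.docx.locked"),
    FileEvent(11.0, "updater.exe", "rename", DOCS + "e.pptx", DOCS + "e.pptx.locked"),
]


def extension(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def detect(events: List[FileEvent]) -> List[Alert]:
    """Return alerts for canary touches and for processes that change many
    file extensions inside the sliding window (one mass_rename alert per process)."""
    alerts: List[Alert] = []
    recent: Dict[str, Deque[float]] = defaultdict(deque)  # process -> rename timestamps
    flagged: Set[str] = set()
    for e in events:
        touched = {p for p in (e.src, e.dst) if p is not None}
        if touched & CANARY_FILES:
            alerts.append(Alert("canary_touched", e.process, e.ts, ", ".join(sorted(touched & CANARY_FILES))))
        if e.op == "rename" and e.dst is not None and extension(e.src) != extension(e.dst):
            q = recent[e.process]
            q.append(e.ts)
            while q and e.ts - q[0] > WINDOW_SECONDS:
                q.popleft()  # drop renames that fell out of the window
            if len(q) >= RENAME_THRESHOLD and e.process not in flagged:
                flagged.add(e.process)
                alerts.append(Alert("mass_rename", e.process, e.ts,
                                    f"{len(q)} extension changes within {WINDOW_SECONDS:g}s"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"t={a.ts:5.1f} {a.kind:15s} {a.process:14s} {a.detail}")
```

On the sample, explorer.exe's single rename stays below the threshold, while updater.exe trips the canary rule and, with the same event, the mass-rename rule; the sixth rename produces no duplicate alert. In practice the response to either alert would be to suspend the process and isolate the host, and the thresholds would be tuned against the organization's own baseline of legitimate bulk file operations (backup and archiving jobs are the usual false positives).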
Kyuande Johnson says
Great Points Antonio,
Ransomware can be devastating for an organization. Not only is the confidentiality of company information compromised, the availability is also compromised. Ransomware uses asymmetric encryption to lock files and from there orders the organization to pay to release the files. In many cases, organizations have fallen victim to these ransomware attacks. There is no guarantee that you will receive the data back even after the ransom is paid. It’s best for organizations to prepare for this incident before it occurs. The best way to prevent ransomware is to maintain patch management on all of your systems. It’s also essential to maintain proper backup methods to ensure that data is recoverable when a ransomware attack occurs.
Kelly Sharadin says
Hi Antonio,
Ransomware is at the forefront of many executives’ concerns, as it is probably the most tangible cybersecurity threat for non-security folks to understand. Business leaders read the news and can observe the real-world consequences of falling victim to such attacks. As a consultant, I saw many organizations emphasize the desire to build tabletop exercises around ransomware attacks. Interestingly enough, despite the fear and demonstrable destruction, many organizations still do not want to implement some of the most basic security controls to prevent such an attack, like you mentioned with MFA.
Kelly
Tal Eidenzon says
Hi Kelly,
You hit the nail on the head. And with the recent increase in remote work, there is a challenge in enforcing MFA and allowing for remote enrollment. If an employee is partially remote, then they can enroll on a day that they are in the office, but for full-time remote employees, it can be more complicated.
-Tal
Vraj Patel says
Hello Antonio,
Ransomware is one of the high-risk threats. I do agree that having MFA enabled could help prevent ransomware attacks. In addition to that, it would also be helpful to continuously monitor network activity for any abnormal activities and to continuously update the anti-malware software.
Tal Eidenzon says
Hi Vraj.
Secure MFA enrollment is vital. Remote work complicates that process.
But it is an extremely important security feature to implement.
Thanks,
Tal
Vraj Patel says
The security threat that I became aware of during this capstone course was regarding asset security: the risk of how easily unauthorized devices could connect to the organization’s network, and the different types of risks mobile devices pose. Organizations could have a process in place to enroll devices on the organization’s network and not allow any other devices to connect to the network if they are not approved through that enrollment process. To mitigate the risks with mobile devices, organizations could implement a mobile device management (MDM) solution to apply security controls within mobile devices. One of the mitigation methods that I have become aware of was DevSecOps. It is the most effective method to use during the Software Development Life Cycle (SDLC), as it integrates security controls within the software while it is being developed.
Kyuande Johnson says
Great Points Vraj,
Keeping control of what’s on your network is key to preventing unauthorized access. There are many technologies that prevent unauthorized users from entering the network. 802.1X is a great example. 802.1X provides network edge security, protecting Ethernet LANs from unauthorized user access by blocking all traffic to and from a supplicant (client) at the interface until the supplicant’s credentials are presented and matched on the authentication server (a RADIUS server). This prevents an unauthorized user from plugging into an open Ethernet port and accessing the network.
Kyuande Johnson says
This capstone covered many threats and aspects of cyber security. Throughout this course I realized how important physical security is, especially when dealing with hazards such as fire. Fire detection, prevention and mitigation are key aspects of physical security. There are three ways to detect fire: heat detectors, flame detectors, and smoke detectors. Each of these methods has pros and cons when implemented within an environment. It’s best to select the method of detection that suits the organization. It’s always best practice to prevent fire rather than extinguish fire. In cases where a fire needs to be extinguished, there are four methods that can be performed (sometimes in combination): reducing the temperature of the fire, reducing the supply of oxygen, reducing the supply of fuel, and interfering with the chemical reaction within the fire. Water suppression involves lowering the temperature below the ignition point. Water is the safest suppressive agent, recommended for extinguishing common combustible fires such as burning paper or wood. Soda acid also has additional suppressive properties beyond plain water: it creates foam which can float on the surface of some liquid fires, starving the oxygen supply. Dry powder is primarily used to extinguish metal fires.
Vraj Patel says
Hello Kyuande,
That was a great post. I do agree that physical security is important, as if someone gains physical access to a device, they will have a higher chance of being able to control that device faster than by trying to get access to it remotely. Also, those were some good examples of the threats that are relevant to physical facilities.
Tal Eidenzon says
Which security threats did you become aware of during this capstone class? How would you mitigate against this threat?
During this class I learned about the Man-in-the-Browser attack. It is a specialized version of the Man-in-the-middle attack, which involves a Trojan horse on the victim’s computer that is capable of modifying that user’s web transactions.
The initial phase often involves a phishing email to get the trojan onto the user’s system, and then once the system is infected, the browser take-over occurs. On the surface, transactions are taking place normally with expected prompts and password requirements. The attack can also change the appearance of a website and change server responses.
The result is that the attacker can reroute money transfers to an account of their choosing instead of to the target destination.
As always, the best defense is avoidance. Users should be trained and retrained on recognizing and avoiding phishing emails. Strong antivirus scanners with updated definitions can be beneficial in detecting the trojan.
Mitchell Dulaney says
Hey Tal, man-in-the-browser is definitely an interesting exploit. It’s especially difficult for an organization to contend with this, because while their customer believes they are interacting as normal with the company’s website, they are in fact having their credentials (or worse) stolen from them. To make matters worse, the impacted customers may believe the company has responsibility for eliminating this risk, which is not necessarily the case.
Anthony Wong says
One of the threats that I learned about through the course was around physical security. Generally, we focused on technical threats and lost track of the threats against an organization’s data centers. It was interesting to learn about HVAC systems along with how data centers are designed. Additionally, it was beneficial to learn about the different controls necessary to protect against these threats with locks, CCTVs, fencing, and much more.
Mitchell Dulaney says
Hi Anthony, another aspect of physical security that I found interesting was crime prevention through environmental design (CPTED). I think it’s fascinating that inconspicuous benches or plants around a company’s headquarters are likely part of the security posture and not just decorative.
Mitchell Dulaney says
I learned a lot in this class regarding the different types of alternative sites that are used to mitigate the impact of a disaster on an organization. While I was aware that there were different types of sites, I wasn’t confident in the differences between cold/warm/hot sites, or why they might be used in different situations. Furthermore, I definitely was not aware of reciprocal agreements, nor did I know that there is a very specific circumstance in which reciprocal agreements should even be considered (between two organizations with very specific technological requirements that are difficult to recreate). The geographical locations of alternative sites and the motivations behind all of this decision-making were interesting and very applicable moving forward.