The action of the network contractor has damaged the confidentiality, integrity and availability of the corporate network. The full extent of the introduced vulnerability is impossible to determine, and to ensure the security of the system it must be assumed that all systems are compromised to the largest extent possible. At a minimum the implemented network deviates completely from the original requirements and contains serious flaws, including unauthorized network equipment that allows remote access to the network.
The first priority in the remediation of the network faults is to secure all data essential to the business and to safely remove the contractor's direct access to the network. This will be achieved with a full backup followed by a temporary shutdown of all Internet connectivity across the network to allow for the initial network repairs. Secondly, the network must be audited to search for any additional security vulnerabilities that have been introduced as well as any malicious code that could be present. Finally, the network needs to be completely redesigned to bring it in line with business requirements and security needs, and a suite of policies governing the operation and maintenance of the network must be created.
Retrenchment and Initial Security Plan
The network is not functioning as designed and has not been implemented as expected. There is a potentially malicious actor who currently has supreme access to the network. There is evidence of misuse of the network possibly by the contractor in that the network is experiencing high levels of use outside of business hours. The extent of the network compromise cannot be determined to a high level of assurance.
Potential threats to the network include:
Introduced security flaws (intentional / unintentional)
Key loggers, spyware, viruses
To secure the system from the contractor, all possible access methods into the network must be secured. The retrenchment of the contractor must be coordinated with swift and decisive removal of network access to prevent retaliatory action. It is vital that business continuity is maintained by securing critical information assets, in particular the customer database. It will be difficult to ensure the integrity of the system until a thorough audit and redesign of the network is undertaken. The immediate remediation actions will serve to sever the contractor's control of the network but will not constitute a complete security refresh.
To prevent any future legal problems and to assist with any legal action the company may take, all actions taken in cancelling the contractor's employment and reconfiguring the network must be meticulously documented. In particular it is important to document any discrepancies between the system's original design and the current implementation, and all remediation actions taken after terminating the contractor. Where practical these records should be created and maintained on an independent computer system that has never been part of the corporate network, e.g. a standalone laptop.
Create Backup of Primary Database
The primary database of customer information is a vital corporate asset and the highest priority is to ensure its integrity. Without the database business operations would be severely hindered. Thursday night a full backup of the database should be made to external media for example a Lacie drive enclosure. The backup should run overnight with both the verification and checksum options from MS SQL server enabled. Any other important data such as files on the fileserver should be backed up at this point. It is important that if at all possible the contractor remain unaware of these actions.
Once the backup is complete (Friday morning) examine the backup transaction log looking for checksum or verification errors. The backup is worse than useless if it is corrupt as it will give you a false sense of security. For all other data backed up, verify the accuracy of the backup with an MD5 hash comparison of the backed-up files to the original data.
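The MD5 comparison of backed-up files against the originals can be scripted as below. This is an added example, not part of the original essay; the directory layout and file names in the demo are constructed.

```python
import hashlib
import os
import tempfile


def md5_of_file(path, chunk_size=1 << 20):
    """Hash in chunks so large files never have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Map every file's path (relative to root) to its MD5 digest."""
    hashes = {}
    for directory, _subdirs, files in os.walk(root):
        for name in files:
            full = os.path.join(directory, name)
            relative = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[relative] = md5_of_file(full)
    return hashes


def compare_backup(original_root, backup_root):
    """Report files missing from, altered in, or extra in the backup."""
    original = hash_tree(original_root)
    backup = hash_tree(backup_root)
    shared = original.keys() & backup.keys()
    mismatched = sorted(p for p in shared if original[p] != backup[p])
    return {
        "missing": sorted(original.keys() - backup.keys()),
        "mismatched": mismatched,
        "unexpected": sorted(backup.keys() - original.keys()),
        "verified": len(shared) - len(mismatched),
    }


def _write(root, relative, data):
    """Create one file (and its parent directories) for the demo trees."""
    path = os.path.join(root, relative)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)


def run_constructed_demo():
    """Build two small constructed trees and compare them."""
    with tempfile.TemporaryDirectory() as work:
        original = os.path.join(work, "fileserver")
        backup = os.path.join(work, "backup")
        _write(original, "customers_export.csv", b"id,name\n1,Example Pty Ltd\n")
        _write(original, "docs/policy.txt", b"policy v1\n")
        _write(original, "docs/notes.txt", b"meeting notes\n")
        # The backup has one intact file, one altered file, one stray file,
        # and is missing docs/notes.txt entirely.
        _write(backup, "customers_export.csv", b"id,name\n1,Example Pty Ltd\n")
        _write(backup, "docs/policy.txt", b"policy v2\n")
        _write(backup, "tmp/leftover.tmp", b"x")
        return compare_backup(original, backup)


if __name__ == "__main__":
    for category, value in run_constructed_demo().items():
        print(category, value)
```

A backup is only accepted when "missing" and "mismatched" are both empty; anything under "unexpected" should be explained before the media is relied on.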
Initial Asset Audit
Briefly enumerate all equipment connected to the corporate network looking especially for unexpected or unauthorized equipment. It is important to know what devices are connected to the network as each device connected can create new security issues. In particular a list of the wireless access points should be compiled to make sure that they can be disconnected from the network. Without a list of hardware it will be difficult to know what devices need to be audited to secure the network or removed to return the network to its designed state. This information may also be useful for legal matters arising from the network mismanagement.
Inform the Contractor of Contract Termination
Before making any significant changes to the network it is important to inform the contractor of termination of employment. By informing the contractor a clear transition of network responsibility is established, noting that prior to the point of notification the network was entirely managed by the contractor. As soon as reasonable notice to the contractor has been served the first remediation actions should be undertaken; unnecessary delay may risk retaliatory action from the contractor.
The contractor should be informed in writing by mail and by email as well as an attempt to contact the contractor by phone. All of the notifications should be recorded and retained and contain the same information including:
Reasons for termination
Requests for all corporate property be returned (license keys, any documentation created)
Notification that further access to corporate networks is prohibited
After notifying the contractor of employment termination the networks need to be isolated to prevent the contractor from accessing the system. It is important to prevent any interference or retaliation while the initial mitigations are conducted. The ADSL connections at each site need to be disconnected (remove the phone connection from the router and power off the router). Also disconnect the wireless network from the corporate network and power off all wireless routers.
Additional Full Backup
Another full backup should be taken after the network is isolated, both to capture any new data from Friday and to allow for the possibility that the data was tampered with by the contractor on Friday. Differences between the Thursday and Friday datasets should be investigated, but as this is low priority it should be left until the audit. It is important that the same verification and checksum precautions are taken with this backup.
Reinstate Ethernet Network
Switch the Sun terminals from the wireless network to the Ethernet network. Switching to the Ethernet network will improve performance and the removal of the wireless network will remove a dangerous access vector from the network.
Audit System Accounts
The contractor may have secret accounts on the system and may also know the password of other users. All servers and workstations should be audited looking for extraneous accounts. In particular privileged 'root' level accounts or 'Administrator' accounts should be examined. All accounts that cannot be attributed to an employee or a legitimate system process should be deleted. Every user account should have its password changed to a temporary password and reset by the users on Monday morning.
Audit ADSL Router / Firewall
Knowing that the contractor has been accessing the network remotely suggests that there are unauthorized changes to the ADSL Router settings. Static NAT mappings may have been added or custom firmware may have been loaded onto the router. The ADSL Router should be examined looking for custom user accounts, strange firewall rules, extraneous static NAT mappings and other possible remote access vectors. In addition all the user accounts should have their passwords reset and the firmware of the router should be updated to the latest version.
Remove Unauthorized / Unnecessary Equipment
All devices that are not essential to the function of the network should not be connected to the network. Having unnecessary devices increases the administrative complexity of the network as well as adding more places where vulnerabilities may exist. The DBDEV server should be disconnected from the network and its drives purged of all customer data. The wireless access points should be physically removed from the network as well. In addition all devices that have not been purchased by the organization should be removed. A list of such devices should be provided to the contractor with the offer of returning them after they have been sanitized if they belong to him.
Network Traffic Sampling
Before reestablishing Internet connectivity monitor the network looking for attempts to connect to the Internet. Place a network tap (either by inserting a hub, performing an ARP poisoning attack or if available using a span port on the switch) between the ADSL Router and the core switch. Monitor the tap for unusual traffic in particular unusual DNS requests. Filter out any routine activity (Windows Update, Antivirus Updates, etc) after checking that the domains in the requests actually belong to the obvious candidates (make sure the request is for windowsupdate.com not windowupdate.com.au) and investigate any remaining traffic. Any devices with suspicious communication should be isolated from the network before reconnection.
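The check that a request really is for windowsupdate.com and not a near-miss such as windowupdate.com.au can be automated over the captured DNS names. The following is an added example, not part of the original essay; the query list is constructed and av-vendor.example is a placeholder for the antivirus vendor's update domain.

```python
# Domains expected during routine update traffic. windowsupdate.com comes from
# the text above; av-vendor.example is a placeholder (assumption).
ROUTINE_DOMAINS = ("windowsupdate.com", "av-vendor.example")

# Constructed DNS query names, as they might be read off the tap.
SAMPLE_QUERIES = [
    "download.windowsupdate.com",
    "WindowsUpdate.com.",
    "windowupdate.com.au",
    "windowsupdate.com.cdn-mirror.example",
    "notwindowsupdate.com",
    "updates.av-vendor.example",
    "mail.partner.example",
]


def edit_distance(a, b):
    """Levenshtein distance, keeping only two rows of the table."""
    previous = list(range(len(b) + 1))
    for i, char_a in enumerate(a, start=1):
        current = [i]
        for j, char_b in enumerate(b, start=1):
            current.append(min(
                previous[j] + 1,                      # deletion
                current[j - 1] + 1,                   # insertion
                previous[j - 1] + (char_a != char_b)  # substitution
            ))
        previous = current
    return previous[-1]


def normalise(name):
    """Lower-case the name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def classify(query, routine=ROUTINE_DOMAINS, max_distance=2):
    """Return (verdict, related_domain) for one DNS query name.

    routine   - the name is a routine domain or a subdomain of one
    lookalike - the name is not routine but one of its labels contains, or is
                within max_distance edits of, a routine domain's first label
    review    - everything else; still needs a human look
    """
    name = normalise(query)
    for domain in routine:
        # Suffix match on a label boundary, so "xwindowsupdate.com" fails.
        if name == domain or name.endswith("." + domain):
            return ("routine", domain)
    for domain in routine:
        brand = domain.split(".")[0]
        for label in name.split("."):
            if brand in label or edit_distance(label, brand) <= max_distance:
                return ("lookalike", domain)
    return ("review", None)


def triage(queries):
    """Group normalised query names by verdict."""
    result = {"routine": [], "lookalike": [], "review": []}
    for query in queries:
        verdict, _domain = classify(query)
        result[verdict].append(normalise(query))
    return result


if __name__ == "__main__":
    for verdict, names in triage(SAMPLE_QUERIES).items():
        print(verdict, names)
```

Only the "routine" group is filtered out; "lookalike" names are investigated first, and "review" names make up the remaining traffic the paragraph says to investigate.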
Initial Network Reconnection
Reconnect both site networks to the Internet and reexamine the configuration and status of the ADSL Routers checking for normal function. Verify that there are no unexpected firewall rules or NAT mappings.
Once the network is reconnected the performance of the network should be tested. Examine the performance of database access, Internet access and the performance of user applications. Investigate any performance issues found. With the network reconnected examine network traffic coming in from the ADSL Router, this time checking both incoming data and outgoing data and looking for suspicious activity, particularly on the HTTP, SSH and Terminal Server ports. Any devices involved with suspicious traffic should be isolated from the network and investigated.
It is important to gain an understanding of the state of the network after initial remediation. A thorough investigation will turn up some of the faults that may have been introduced into the network. The documentation gained during the audit will be valuable to any legal proceedings arising as well as a useful guide to issues to consider for the network redesign. On any subverted network it is difficult to be sure that all vulnerabilities have been detected or all malware has been removed. Unless equipment is replaced or at least reinitialized from known good software states all the equipment must be considered unsound.
Document all the equipment that currently comprises the network and all the major software packages that are installed on the system. Compare installed software packages to current software licenses held and compare all hardware to corporate purchase records. If the software license information has not been provided by the contractor reiterate the request and if no information is forthcoming contact the vendors for replacement license keys. Delete any unauthorized superfluous software packages and remove any hardware that is not owned by the corporation. If the contractor owns any of the hardware offer to return it to him after the devices have been sanitized to remove all corporate information from them.
Running Services / Processes
For each server and workstation investigate running processes and installed services. For the Microsoft Windows devices a tool like Microsoft's Process Explorer can be used to examine the running programs, their constituent threads and the DLLs loaded. Using the Internet as a reference verify that all running processes and services are legitimate and necessary. Also look for non-system DLLs injected into processes and processes that have more than one thread. It is difficult to identify sophisticated malicious behavior by this method but it is still a worthwhile technique for finding simple problems.
With the latest version of the antivirus engine and the latest signatures run a full scan over every server, workstation and file server. This scan is not likely to discover any malicious code installed by the contractor but has a good chance of finding any generic malware that has made its way onto the network (possibly due to a security vulnerability introduced by the contractor). The scan may also discover remote access software that is not inherently malicious but indicates unwanted software that acts as a possible vector for the contractor's remote administration of the system.
Using a tool such as Microsoft's Rootkit Revealer scan all Windows systems looking for rootkits. Rootkits can conceal processes and files from the operating system as well as compromising the core areas of the operating system. The presence of a rootkit indicates the possibility of the complete compromise of the machine in question. A computer with a rootkit cannot be completely trusted as the malicious code has supreme access to the hardware and operating system of the computer. It is not possible to definitively detect rootkits by running a detection utility on the possibly compromised machine since the rootkit can misrepresent itself to the sensors in the rootkit detector. Any machine in which a rootkit is detected cannot be considered safe until it has been reinstalled from trusted media.
Check all workstations and servers for software updates for both the operating system and any installed software packages. It is critical that the latest patches are applied to mitigate any security vulnerabilities that have been discovered.
Monitor the network over an extended period of time looking for anomalous behavior. Look for connections on unusual ports, to strange hosts and at unusual hours. Consider deploying an Intrusion Detection System to help detect anomalous traffic.
In redesigning the network it is vital to start with solid business requirements. Without a thorough understanding of the business requirements driving a system it is impossible to create a system that will accurately support the needs of the enterprise. From a solid foundation of business requirements a policy framework governing the use and administration of the network must be created. In particular the rights and responsibilities of each stakeholder of the network need to be codified. A solid security policy should be constructed to describe the measures to ensure the integrity, confidentiality and availability of the corporate system and core corporate data.
Once the business requirements and policy have been formalized a network design to meet the requirements needs to be created.
For this system some of the basic design requirements are:
2 sites: 15 users at site A, 9 users at site B
Large customer database (currently at site A)
Corporate mail system (currently at site A)
Web access from both sites (currently via proxy at site A)
File storage and printer access to all users
The proposed network design tries to create a straightforward environment centered on a Microsoft Windows Active Directory for workstation control and user authentication, coupled with a Linux server at each site providing network services. The network access control follows the least-privilege model of denying all network traffic that isn't specifically allowed via fine-grained firewall rules.
The essential features of the proposed network design are:
ADSL2 Internet at each site
Linux box as Firewall and IPsec VPN concentrator at each site
IPSec VPN for secure inter-site connectivity
Web access via a Squid web proxy at each site
Corporate mail services provided from Site A's proxy server
Windows XP SP2 workstations with locked down configuration
Least privilege principle for network access and server/workstation configuration
Full backup weekly, incremental backup daily, offsite backup monthly
Without proper policy it is difficult to create an effective, efficient and secure network. Having documentation describing the network design, business requirements, security policy and user rights and responsibilities creates firm guidelines for the operation and security of the network. Policy and design documentation allows for easy transition between staff as well as creating a strong tie between business requirements and the system implementation.
Business Requirements Document
The business requirement documentation needs to enumerate the role of the network to the business describing the capabilities in terms of the necessary services and the required availability of the services. It should include:
A list of critical systems and critical data
The availability and protection requirements of those systems and data
A list of users that will need access to the systems and the activities they are required to perform
List of the physical locations covered by the network
Acceptable Use Policy
The Acceptable Use Policy needs to clearly state the activities that the information system is designed to facilitate and what if any actions besides those are permitted. Consider whether or not users can use the network for personal activities not related to work and to what extent.
Can users access the Internet to take care of non work related matters like:
Personal administrative business (e.g. online banking)
Personal communications (e.g. personal email, instant messaging)
Managing unrelated business issues (e.g. share trading, operating a side business)
File sharing (e.g. peer to peer networks)
Social networks (e.g. Facebook, MySpace)
Web browsing and research
Streaming media (e.g. YouTube, Internet Radio)
Can users use business systems for personal requirements like:
Using graphics design programs for community newsletters
Completing University assignments
Regardless of the level of personal use granted to users the Acceptable Use Policy must clearly state that personal use must not interfere with the business operations of the network or put undue strain on corporate resources (such as bandwidth). The Acceptable Use Policy must address the necessity to comply with security requirements and include statements about the level of monitoring on the network. The Acceptable Use Policy also must outline the penalties for breaches of the policy. The policy should address what material is inappropriate for the network i.e. is violent, pornographic or hateful content permissible and in what circumstances? One approach is to only prohibit illegal content and that likely to offend other network users.
Network Design Documentation
The network design documentation should list all the software and hardware required to implement the network. The design should give background to key design decisions as well as document all major configuration requirements. The documentation must contain up to date network diagrams of the system. The design documentation must also include business continuity plans including backup requirements.
Security policy describes the protective measures and procedures implemented to secure the network. Some areas to be addressed include:
What devices can be connected to the network
What traffic is allowed over the network (through the VPN or ADSL)
Password policy (length, complexity, change frequency, reminder to keep it private)
Data access policy (default allow or default deny access to internal data?)
Data movement policy (how can corporate data be handled?)
System update policy (patching)
Workstation security policy (Antivirus? Host based Firewalls?)
Server access policy (Who? How? How audited?)
No unauthorized changes to the network
Authentication requirements (Password only? Biometrics? Token?)
Security policy should also describe the incident response procedures including the roles of each stakeholder during an incident. All decisions underpinning the security policy should be documented so that the policy can be updated if circumstances change.
Network Administrator Responsibilities and Restrictions
There is a requirement for a document outlining the responsibilities and restrictions of the network administrator. The document should enumerate the administrator's responsibilities and routine tasks as well as explicitly defining limits around the administrator's actions. The document should clearly demarcate the areas of responsibility of the administrator (whether or not the administrator is responsible for purchasing, security monitoring, performance monitoring, hardware maintenance, etc.) and what areas are the responsibility of other areas such as management and accounting.
Some questions that should be answered by this policy document include:
Can the administrator monitor all the traffic entering and exiting the network?
In what circumstances can the administrator read employee email or monitor employee workstations?
What is the network administrator responsible for monitoring for?
Network performance issues?
The policy should also describe network maintenance procedures including change management, procurement, configuration management, software updates and business continuity planning. The documentation requirements of the network administrator must be set out including any periodic reporting requirements. Administrator misconduct penalties should be enumerated in this document as well.
The core principle of the network is 'least privilege', meaning that where possible agents on the network should have the least amount of access to the network needed to undertake authorized usage. To that end the network is divided into three segments per site. These logical segments are the internal network (including all of the Windows based infrastructure), the DMZ (containing the Linux network services) and the Outside, which describes the ADSL routing equipment as well as the Internet. The DMZ in this network is unconventional in that it doesn't facilitate external access to internal resources but rather mediates all internal access to external resources. The access controls of the section are maintained by the Linux firewall and VPN concentrator functioning as a router in the centre of each site's network.
Expected Traffic Profile
There are expected traffic flows for internal workstations on the network which makes crafting firewall rules for each scenario simple. Internal clients will connect to the local proxy server or the mail server to get Internet services. Internal clients connect to the database server to access client data. Internal clients will connect to the update server to get software and antivirus updates. Internal clients will connect to the Active Directory servers for policy as well as file and print server access. Beyond these traffic flows internal clients should have no connectivity especially no direct Internet connectivity including external DNS resolution.
The firewall box is a Linux server running a very minimal install. The server should have no graphical interface and only the minimum required amount of software installed. The server will have 3 interfaces, an Inside interface, a DMZ interface and an Outside interface. The firewall will deny all traffic except that explicitly allowed using Linux 2.6 IPTables (See Appendix B for firewall rules). No network services should be running on this box except SSH for remote administration (from the internal network only). Inter-site connectivity will be provided by an IPSec tunnel (in ESP mode) which adds security robustness over PPTP which has been encumbered by security concerns (especially with the use of MSCHAP for authentication). The IPSec connection should be built on PKI certificates generated by a local CA with its private key stored off of the corporate network. The firewall server itself should have no direct access to the Internet (beside that required for establishing the VPN tunnel) and should use the proxy server for downloading updates. The administrator should monitor the interfaces of this server looking for unusual traffic spikes.
If a smart switch is installed network ports should be locked to MAC addresses to make it more difficult to connect unauthorized equipment to the network.
The ADSL Routers should provide NAT masquerading for the proxy server and firewall server and static NAT mapping for ESP protocol and UDP port 500 to the firewall for the IPSec tunnel. The ADSL Router should not allow any administration from the Internet interface. The router must have a strong administrator password, the latest firmware from the manufacturer and have UPNP disabled. These measures will make it difficult for external attackers to gain control of the network by compromising the router.
Servers are the backbone of the corporate system containing all the corporate data as well as providing all network services. The key to securing these servers is to keep them as simple as possible removing any unnecessary software, services and user accounts which will reduce the server attack surface to a minimum.
Windows Domain Servers
The Windows Domain Servers provide centralized authentication and configuration management for workstations as well as file and print services. These servers should be running Windows 2003 Server in an Active Directory controller mode. These servers will also provide miscellaneous network services including DHCP, NTP and DNS. Each site should form an independent Active Directory that is connected to the other with a trust relationship. Comprehensive Group Policy should be configured to lock down the user workstations.
Proxy / Mail Servers
Like the Firewall server the proxy / mail servers are based on a minimalistic Linux install with no graphical interface and the minimum required software installed. These servers are the only parts of the network that have direct access to the Internet and are responsible for proxying traffic from all other hosts that require Internet access. For email services from Site A the server will run a Sendmail server smarthosted to the company's mail provider and Fetchmail supported by a POP3 server to provide inbound email access. Mail security will be provided by spamassassin and clamav running on the local mail spool. Web services will be provided by the Squid proxy server which will require basic authentication from users before traffic will be forwarded (optionally NTLM authentication from the domain controllers can be implemented but it is more secure to require user interaction for authentication to ensure that the user is driving the network connection). A web proxy is in place at each site to save bandwidth and decrease latency of the web services at site B. A comprehensive whitelisting solution for web traffic should be considered, limiting traffic to approved sites only. If this is deemed too restrictive consider a dynamic whitelisting solution such as Whitetrash that allows users to add sites to the whitelist without administrative intervention. The Squid Proxy logs should be audited weekly looking for:
Anomalous transfer ratios (more outgoing than incoming)
Unusual sites with an extremely high visit number or traffic statistics
Connections to IP addresses or Dynamic DNS hosting sites
Connections after hours
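The four weekly log checks listed above can be run as one pass over the proxy log. This is an added example, not part of the original essay: the log lines are constructed, the request size is assumed to be logged as an extra eleventh field after Squid's native fields, business hours are assumed to be 08:00 to 17:59 UTC on weekdays, and ddns.example is a placeholder for dynamic DNS provider suffixes.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample: Squid native access.log fields with the request size
# appended as an 11th field (assumed custom log format; the native format
# records only the reply size). The last line is deliberately malformed.
SAMPLE_LOG = """\
1704103200.101 120 10.1.0.21 TCP_MISS/200 48211 GET http://intranet-news.example/index.html alice DIRECT/198.51.100.10 text/html 412
1704103260.500 95 10.1.0.21 TCP_MISS/200 15320 GET http://intranet-news.example/style.css alice DIRECT/198.51.100.10 text/css 398
1704106800.250 4100 10.1.0.34 TCP_MISS/200 310 POST http://files.ddns.example/upload bob DIRECT/203.0.113.7 text/plain 5242880
1704162600.900 800 10.1.0.34 TCP_MISS/200 1200 CONNECT 192.0.2.44:443 bob DIRECT/192.0.2.44 - 640
1704162700.000 truncated
"""

DDNS_SUFFIXES = ("ddns.example",)  # placeholder suffix list (assumption)
BUSINESS_HOURS = range(8, 18)      # assumed 08:00-17:59 UTC, Monday-Friday


def parse_line(line):
    """Return a record dict, or None when the line does not parse."""
    parts = line.split()
    if len(parts) != 11:
        return None
    try:
        when = datetime.fromtimestamp(float(parts[0]), tz=timezone.utc)
        received, sent = int(parts[4]), int(parts[10])
        method, url = parts[5], parts[6]
        # CONNECT lines log "host:port" rather than a full URL.
        host = urlsplit("//" + url if method == "CONNECT" else url).hostname
    except ValueError:
        return None
    if not host:
        return None
    return {"when": when, "client": parts[2], "host": host,
            "received": received, "sent": sent}


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_dynamic_dns(host):
    return any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES)


def audit(log_text):
    """Apply the four weekly checks and return the findings."""
    volume = defaultdict(lambda: [0, 0])  # (client, host) -> [sent, received]
    hits = Counter()
    flagged_hosts, after_hours, skipped = set(), [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            skipped += 1
            continue
        client, host, when = record["client"], record["host"], record["when"]
        volume[(client, host)][0] += record["sent"]
        volume[(client, host)][1] += record["received"]
        hits[host] += 1
        if is_ip_literal(host) or is_dynamic_dns(host):
            flagged_hosts.add(host)
        if when.weekday() >= 5 or when.hour not in BUSINESS_HOURS:
            after_hours.append((client, host, when.strftime("%Y-%m-%d %H:%M")))
    upload_heavy = sorted((client, host, sent, received)
                          for (client, host), (sent, received) in volume.items()
                          if sent > received)
    return {
        "upload_heavy": upload_heavy,            # more outgoing than incoming
        "hits_by_host": hits.most_common(),      # busiest destinations first
        "ip_or_dynamic_dns": sorted(flagged_hosts),
        "after_hours": after_hours,
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    for check, findings in audit(SAMPLE_LOG).items():
        print(check, findings)
```

The "hits_by_host" ranking still needs a reviewer to decide which busy destinations are unusual; a non-zero "skipped_lines" count means the log format differs from the assumed one and the other findings are incomplete.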
The database server is vital to the network as it stores mission critical information assets. The database requires a backup solution to ensure that business continuity can be maintained. The server is a Windows 2003 Server running MS SQL Server. The server should have limited access where only the administrator can log on to the server. All applications that access the SQL database should be audited to make sure that they only have the required SQL permissions. In particular check for instances where a process that only requires SELECT access also has UPDATE or INSERT access or a circumstance where a SQL user has shell execute permissions.
The update server will be running the update daemons for all installed software. Software required includes Windows Software Update Service and the corporate antivirus update agent. This server may need an exception in the proxy server to allow it to connect without authentication if the corporate update mechanisms do not support basic authentication. This server does not need user access and only the administrator should have direct access.
Workstation configuration is important as it represents the point where all network interactions originate. From a security perspective workstations are a common source of vulnerabilities targeted by attackers due to the generally low security standards of these systems. Also workstations have a large attack surface presented by the large variety of software present on them. To secure these systems it is important to limit the user's ability to influence the system state by removing administration privileges from them and by strictly controlling file system and registry permissions. In addition the workstations should be protected by multiple host based security systems including antivirus and host based firewalls.
Each workstation should have a corporate antivirus scanning engine installed. The client should be configured centrally either by Group Policy or from the update server. In addition to the runtime analysis the engine may provide there should be daily full filesystem scans looking for malware. The software should be configured such that it is transparent to users: the users should never be asked security questions and instead any threats should be automatically blocked and brought to the administrator's attention. Antivirus will not catch any customized threat to the network but is adequate in detecting common untargeted threats. Modern antivirus also contains basic heuristic capabilities to detect possibly malicious software that has not been cataloged as yet.
A packet filtering firewall should be installed on each workstation. The Microsoft Windows XP SP2 firewall is adequate for the task but an alternative commercial solution can be substituted. The firewall should be centrally configurable from Group Policy or the update server and should by default block all incoming and outgoing traffic as well as alert on new listening ports. The protection should be transparent to the user with any suspicious traffic being blocked and the administrator notified. The workstations have a very limited traffic profile so it should be simple to develop appropriate packet filters. The workstations need access to the proxy/mail server, domain controllers and database server; all other connectivity should be blocked.
Software Restriction Policies
Software Restriction Policies restrict the execution of code to those programs that meet certain criteria. Programs can be allowed or blocked based on code signing signature, MD5 hash or location on the filesystem. Software Restriction Policies are a powerful tool in preventing malware from gaining a foothold on the system. Execution should be limited to areas where authorized programs are installed and users do not have write access for example "C:\Program Files" and "C:\Windows". This protection is only sufficient if filesystem permissions are properly configured. For enhanced security consider limiting execution to binaries signed by trusted vendors (e.g. Microsoft) or binaries that match a preapproved hash. The software restriction policies can be centrally managed from Group Policy.
Many content formats contain features that allow code execution. Examples of such technologies are Microsoft Office documents (with Macros), Adobe PDF Files (ActionScript) and signed Java / Flash programs (which can access the local system when accessed from the Internet zone). To protect the network from malicious content attacks consider disabling these technologies. If it is not feasible to remove these features (e.g. a business need for Excel Spreadsheets with Macros) make exception for these particular cases. Make sure that these content viewing applications are configured in such a way that they do not rely on user decisions for security (e.g. do not prompt the user asking for permission to execute code).
User and File permissions
Workstation users should be running with limited (User) access to the system. In addition file and registry permissions should be such that the user has no control over the configuration of the system or the filesystem. The only exception should be the User Profile (e.g. where My Documents are stored) and HKEY_CURRENT_USER registry hive where user preferences are stored. In particular make sure that "C:\", "C:\Windows" and "C:\Program Files" are read-only for Users.
Business Continuity Plans
It is important to have a solid backup regime to recover from disaster. A weekly backup should be made to an external disk array (e.g. Lacie disk enclosure) with daily incremental backups added. Monthly offsite backup should be made by transporting a disk array from Site B to Site A. If the daily data delta on the database is small enough (<500mb) mirror the daily changes between sites. Make sure that all backups created are verified for accuracy and that backup restoration procedures have been tested. This situation will allow some limited operations to continue if Site A is destroyed and provide greater protection from lesser calamities (server failures, theft, and vandalism).
Appendix A - Network Diagrams
Approximate Original Network Diagram
Approximate Implemented Network Diagram
Redesigned Network Diagram
Appendix B - Firewall Rules
Site A Firewall
ALLOW: INSIDE A -> DMZ A (TCP 3128, 110, 25)
ALLOW: INSIDE A -> DOMAIN CONTROLLER @ INSIDE B
ALLOW: DMZ A -> OUTSIDE A (TCP 80, 443, 25, 110; UDP 53)
ALLOW: RELATED / ESTABLISHED TRAFFIC
DENY: ALL OTHER TRAFFIC
Site B Firewall
ALLOW: INSIDE B -> DMZ B (TCP 3128)
ALLOW: INSIDE B -> DMZ A (TCP 110, 25)
ALLOW: INSIDE B -> DOMAIN CONTROLLER @ INSIDE A
ALLOW: INSIDE B -> DB SERVER @ INSIDE A
ALLOW: DMZ B -> OUTSIDE B (TCP 80, 443; UDP 53)
ALLOW: RELATED / ESTABLISHED TRAFFIC
DENY: ALL OTHER TRAFFIC
Appendix C - Possible Discrepancies and Assumptions
There are several possible interpretations of the case study data and the interpretation I have taken may not be the same as other students or the authors of the case study. The first two network diagrams in Appendix A represent my understanding of the network as required and as implemented by the contractor.
Some of the points that I was unsure about are:
- Is there a DB server at each site?
- What are the mail hosting arrangements? i.e. does the organization act as its own MX or is mail handled by the ISP?
- Does the original design call for the Win2k VPN boxes to have two interfaces and route all traffic?
- The exact number of servers required at each site (are some servers performing multiple roles?)
- Whether the wireless network was an unauthorized addition or required for business processes?
- The exact business requirements for network
- The budget and time scales for network remediation
- Is the contractor considered inept, malicious or both?
- Is there a desire to pursue the contractor for damages / other legal matters?