The Concepts Of Network Security Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

In general, a Local Area Network (LAN) or a Wide Area Network (WAN) is a network made up of many devices, such as Personal Computers (PCs), printers, switches, hubs and routers, that are connected to each other. A LAN exists within a limited area, usually a single building or room, whereas a WAN extends the network by connecting LANs together so that a computer in one location can communicate with a computer in another.

Security in any network is important to protect information that is essential to an individual or organization, for example a company holding sensitive data such as employee details and future business plans. Security is also important for protecting against attacks on a network where data and services are vital assets of the organization.

2.0 Concepts of Network Security

Network security is based on three areas, Confidentiality, Integrity and Availability (CIA), known as the CIA triangle (see figure 2.1).


Figure 2.1

2.1 Confidentiality

Confidentiality keeps data and information secure and makes it possible to tell whether they have been breached or unsealed before reaching their intended destination. Sealing the information before it is sent shows that it has not been read or disclosed to anyone without the right to see it. If information is taken out of the workplace or organization and lost, it has lost its confidentiality, since its contents may be revealed to unknown parties.

2.2 Integrity

When data or information has integrity, it has not been altered in any way from its original state by unauthorized personnel. Several aspects enforce integrity and secure the data within: unauthorized personnel must not be able to modify the original data, unauthorized modifications by authorized personnel must not be approved, and the data must be internally and externally consistent with its correct value.

2.3 Availability

Availability means that data or information is accessible whenever it is needed and without interruption. Availability prevents disruption when accessing data or information. When availability is present, the network offers a high quality of service, with every device performing efficiently. Attacks such as Denial of Service (DoS) or Distributed Denial of Service (DDoS) aim to disrupt this quality of service, slowing the network down or even causing it to fail.

3.0 Potential threats to a Network

Today, threats to a network remain a major issue in securing data and information. Viruses, worms and Trojan horses are common threats that seek out vulnerabilities in a network.

3.1 Koobface

Koobface, an anagram of Facebook, is a worm that targets social networking websites such as Facebook; it first appeared in 2008. More aliases of Koobface were detected in 2009 by many anti-virus organizations.

Koobface takes control of the victim's account, altering the profile, and attempts to steal sensitive information such as credit card numbers. It can also alter the computer's search engine settings and redirect each search to contaminated websites.

A computer becomes infected with Koobface when the user receives a fake message directing them to watch a certain video on YouTube or to view a photo. Clicking the link leads to a website that asks the user to update their software in order to watch the video or photo. Clicking anywhere on that website starts a download of the "update", which is in fact malware. After the download completes, the malware tries to create new accounts on various websites. It bypasses the CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) by presenting the test in a window on the infected computer, so that the human present there completes it and the new account can be created (see figure 3.1.1).

Figure 3.1.1

After it passes the CAPTCHA test, the malware creates a new e-mail account and starts a new blog on a blogging website, or creates a new message on one of the social networking websites, containing a link to a website, and the cycle starts again with other users. It can also create messages with links to contaminated websites that carry other malware.

The list below gives countermeasures to prevent a computer from being infected with the Koobface worm.

Install anti-virus software with the latest virus signature update.

Only update software from the manufacturer's website and not from third-party websites.

Use caution when downloading any applications.

If the computer has already been infected, there are two approaches to removing the Koobface worm, automatic and manual. See the appendix for removal instructions.

3.2 Win32/Conficker.B

The Win32/Conficker.B worm infects computers by exploiting a vulnerability in the Windows Server service, which runs inside SVCHOST.EXE. It can execute remote code to enable file sharing, and it spreads through removable drives and weak administrator passwords. It also disables important system services and security products.

The worm installs a copy of itself into the Windows system folder as a hidden DLL file, using a random name to avoid detection. A registry entry is created so that the dropped copy of the worm runs every time Windows starts. It then attempts to infect other computers on the same network by dropping a copy of itself into ADMIN$\System32\<random letters>.dll using the credentials of the user currently logged on to the infected machine. After dropping the copy, it creates a remote scheduled job that activates the copy even when the original copy of the worm has been removed.

The worm can also drop a copy of itself onto mapped and removable drives. It creates a RECYCLER folder in the root of each drive and drops an autorun.inf file, which causes the worm to execute whenever the drive is accessed or when Autoplay is available. Figure 3.2.1 shows how the worm presents itself through the Autoplay option.

Notice that in the 'Install or run program' section there is an entry called 'Open folder to view files'. The clue that this is a worm or other malware is that it indicates 'Publisher not specified'.

Figure 3.2.1
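A defender-side check for the autorun.inf trick described above, added here as an example (it is not from the essay or any anti-virus product). It parses the [autorun] section the way a removable-drive scanning script would and flags the traits the text names: a launch target under RECYCLER, a DLL rather than a program, and an action label that mimics Windows' own "Open folder to view files" entry. Both sample files are constructed.

```python
import re

# Constructed sample modelled on the behaviour described above (not a copy of
# the worm's real file): the Autoplay entry is labelled like the normal
# "Open folder" action but actually launches a DLL under RECYCLER.
SAMPLE_SUSPICIOUS_INF = """\
[autorun]
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
shellexecute=RECYCLER\\S-x-x-xx\\randomname.dll
useautoplay=1
"""

# Constructed benign sample: a driver CD that simply runs its installer.
SAMPLE_BENIGN_INF = """\
[autorun]
open=setup.exe
icon=setup.exe
label=Printer Driver CD
"""

EXEC_KEYS = ("open", "shellexecute")          # values that get executed
FOLDER_LABEL = "open folder to view files"    # Windows' own browse label


def parse_autorun(text):
    """Return key=value pairs of the [autorun] section with lower-cased keys.
    Tolerant by design: other sections, comments and junk lines are ignored."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_autorun = line.lower() == "[autorun]"
            continue
        if in_autorun and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def audit_autorun(text):
    """Return the reasons (possibly none) the file looks like Autoplay abuse."""
    entries, findings = parse_autorun(text), []
    for key in EXEC_KEYS:
        target = entries.get(key, "").lower()
        if not target:
            continue
        if "recycler" in target:
            findings.append(f"{key} launches from a RECYCLER folder: {target}")
        if re.search(r"\.dll\b", target):
            findings.append(f"{key} points at a DLL, not a program: {target}")
    if entries.get("action", "").lower() == FOLDER_LABEL and any(entries.get(k) for k in EXEC_KEYS):
        findings.append("action label mimics the 'Open folder' entry while running code")
    return findings
```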

The worm also modifies a registry entry so that hidden files cannot be viewed. It then disables TCP/IP tuning and terminates and disables services such as:

Windows Security Center Service (WSCSVC) - notifies users of security settings (e.g. Windows update, Firewall and Antivirus)

Windows Update Auto Update Service (WUAUSERV)

Background Intelligent Transfer Service (BITS) - used by Windows Update to download updates using idle network bandwidth

Windows Defender (WinDefend)

Error Reporting Service (ERSVC) - sends error reports to Microsoft to help improve user experience

Windows Error Reporting Service (WERSVC)

The worm deletes a registry key for Windows Defender, which stops it from running at system start. It also disables any process that generates network traffic to look for malware signature updates, and it resets System Restore points, removing the possibility of recovering the system to its state before infection.

3.3 W97M/Melissa.A

The Melissa virus was first discovered on March 26th 1999 and caused a failure of the Internet mailing system. Melissa is a mass-mailing macro virus that spreads via e-mail by infecting Word documents in Office 97 and Office 2k. It attempts to send an e-mail with the virus attached to other computers that are not yet infected. The virus can expose further vulnerabilities by disabling security software on the computer. Figure 3.3.1 shows what an e-mail containing the virus looks like.


Figure 3.3.1

There are four hints that an e-mail contains the Melissa virus.

The e-mail appears to be sent from someone you know, but they are not aware of having sent it.

The subject line reads 'Important Message From' followed by the name of someone you may know.

The message body reads "Here is that Document you asked … don't show anyone else :-)"

There is an attachment named 'list.doc', which is the virus itself once opened.

Once opened, the virus checks the registry for a marker that indicates whether it has already infected this computer. If the marker is not found, it reads the Outlook address list, collects 50 e-mail addresses and creates an e-mail with the same content as in figure 3.3.1.

After the mailing has completed, or if the system does not have Outlook installed, it starts to infect the Normal template on the system.

The virus also has a date-based payload. Whenever the minute of the hour equals the day of the month, it inserts the following text into the active document, which lets the virus create the e-mail again on a regular basis.

"Twenty-two points, plus triple-word-score, plus fifty points for using all my letters.  Game's over.  I'm outta here."

4.0 Countermeasures to Network Threats

Threats remain a main problem for networks today. There are numerous ways to attack a network to gain access and cause damage. Attacking a network can be easy, whereas securing it can be a difficult task. Securing a network reduces the chance that an attack succeeds. Countermeasures reduce the likelihood of an attack such as the viruses described in the previous section. Most of these viruses have characteristics in common, and countermeasures can target those to prevent a successful attack. Figure 4.1 lists what a virus looks for or needs in order to attack a network, together with the countermeasures that prevent it.

Figure 4.1

5.0 Symmetric and Asymmetric Encryption

Encryption transforms data, referred to as plaintext, using an algorithm so that it is hidden or unreadable to anyone who does not have access to the key. The key allows the encrypted data to be transformed back into plaintext. There are two types of encryption, which differ in strength, in the time needed to encrypt the data, and in the time it would take someone without the key to attempt to decrypt it. Although both types can be equally strong, each has its own advantages depending on the size of the data and the strength of encryption needed.

5.1 Symmetric Encryption

In symmetric encryption the encryption key and the decryption key are identical. The sender uses a key to encrypt the data and the receiver uses an identical copy of that key to decrypt the data back into plaintext.

There are two types of symmetric encryption, which differ in how data is encrypted according to its size and the speed required. These are known as stream ciphers and block ciphers.

5.1.1 Stream Ciphers - RC4 Cipher

Stream ciphers are algorithms that encrypt data one bit at a time. They encrypt data at higher speed and with lower hardware complexity. An example of a stream cipher is the RC4 cipher.

RC4 is the most common software stream cipher in use today, found in popular protocols such as the Secure Sockets Layer (SSL) and WEP, which secures wireless networks. According to Matt J. B. Robshaw (Stream Ciphers, Technical Report TR-701, version 2.0, RSA Laboratories, 1995, page 25), the speed of the encryption process is determined by the variable key size, and it can encrypt data at around 1Mb/s on a 33MHz machine. Although it is not recognized as a one-time pad, because it does not use a random key, it is considered to run very quickly in software and to be very secure with a key size of 1-256 bits.

5.1.2 Block Ciphers - Triple Data Encryption Standard (3DES)

3DES is also the common name for the Triple Data Encryption Algorithm (TDEA). The name means that the DES algorithm is applied three times to each block of data. Applying DES three times increases the key size of the cipher, protecting it against brute-force attacks without the need for a new block cipher algorithm. It uses a method called '3DES Encrypt-Decrypt-Encrypt (3DES-EDE)' to encrypt the data:

It encrypts the plaintext using a 56-bit key (Key1).

It then decrypts the result using another 56-bit key (Key2).

It finally encrypts the data again using a third 56-bit key (Key3).

When three different keys are used to cipher the data, the key size effectively increases to 168 bits. If the data is encrypted with three 56-bit keys, its strength is equal to that of a 58-bit key. If, on the other hand, Key1 and Key3 are identical, the key size of this combination is 112 bits. To decrypt the data back into plaintext, the encryption steps are applied in reverse:

Decrypt the data with Key3

Encrypt the data with Key2

Decrypt the data with Key1
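The EDE construction and its reversal as runnable code, added here as an example and not taken from the essay or from any DES implementation. A real DES would not fit in this space, so a small four-round Feistel network stands in for the single-DES block operation (labelled as such in the code; it is not DES and offers no security). The EDE and DED wrappers are the real point: the three encryption steps and the three decryption steps listed above, plus the observation that when all three keys are equal the construction collapses to a single encryption, and when Key1 equals Key3 the nominal key length drops from 168 to 112 bits.

```python
MASK32 = 0xFFFFFFFF


def _round(half: int, subkey: int) -> int:
    """Round function: a stand-in for DES's f-function (NOT DES)."""
    x = (half ^ subkey) & MASK32
    x = (x * 0x9E3779B1) & MASK32
    return ((x << 13) | (x >> 19)) & MASK32


def _subkeys(key: int) -> list:
    """Four round subkeys from a 56-bit key: a stand-in for the DES key schedule."""
    return [((key >> (14 * r)) & 0x3FFF) | (r << 28) for r in range(4)]


def block_encrypt(key: int, block: int) -> int:
    """Four-round Feistel network on a 64-bit block; stands in for single DES."""
    l, r = block >> 32, block & MASK32
    for k in _subkeys(key):
        l, r = r, l ^ _round(r, k)
    return (r << 32) | l


def block_decrypt(key: int, block: int) -> int:
    """Feistel decryption: same rounds with the subkeys in reverse order."""
    l, r = block >> 32, block & MASK32
    for k in reversed(_subkeys(key)):
        l, r = r, l ^ _round(r, k)
    return (r << 32) | l


def tdes_ede_encrypt(k1: int, k2: int, k3: int, block: int) -> int:
    """3DES-EDE: E_Key3(D_Key2(E_Key1(plaintext))), the three steps above."""
    return block_encrypt(k3, block_decrypt(k2, block_encrypt(k1, block)))


def tdes_ede_decrypt(k1: int, k2: int, k3: int, block: int) -> int:
    """The reverse: D_Key1(E_Key2(D_Key3(ciphertext))), Key3 first, Key1 last."""
    return block_decrypt(k1, block_encrypt(k2, block_decrypt(k3, block)))


def nominal_key_bits(k1: int, k2: int, k3: int) -> int:
    """Nominal key length: 56 bits for each distinct key (168 for three, 112 for Key1 == Key3)."""
    return 56 * len({k1, k2, k3})
```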

5.2 Asymmetric Encryption

Asymmetric encryption, also known as public key cryptography, does not use identical keys for the sender and the receiver. The algorithm creates a private key and a public key. A digital signature created with the private key provides authentication of the message, and the public key is used to verify the authenticity of that signature. Confidentiality and integrity of the message are provided by using the public key to encrypt the message and the private key to decrypt it.

5.3 Certificate Authority

A Certificate Authority (CA) issues digital certificates to other parties and is known as a trusted third party. Other parties can use a certificate issued by the CA to verify that a particular organization exists. Large organizations need these credentials to prove that they are a legitimate company. Without a CA-issued certificate, many fake organizations could claim to be an organization they are not.

The contents of a typical digital certificate are as follows:

Serial number, a unique value that identifies the certificate.

Subject, which identifies the person or organization.

Signature Algorithm, the algorithm used to create the signature.

Issuer, the organization that issued the certificate.

Valid-From, the date on which the certificate was issued.

Valid-To, the date on which the certificate expires.

Key-Usage, which specifies the purpose of the public key.

Public Key, the key that encrypts the message.

Thumbprint Algorithm, the algorithm used to hash the certificate.

Thumbprint, the hash itself, used to ensure the certificate has not been tampered with.