Реферат на тему «IT-security»

Оглавление

1. Introduction
2. Brief description of Design & Architecture
3. The activity of Design & Architecture studio is aimed at the complex solution of the problems connected with the organization of the internal space of private housing and commercial real estate. The studio develops design projects of apartments, houses, offices, restaurants and organizes renovation and construction works in Moscow, St. Petersburg, Russia and Europe.
4. Also the enterprise is engaged in sales of decorative materials of a premium class. The studio is the official distributor of European brands «Spiver» — decorative plasters, and «TKROM» — paint and varnish materials for different purposes: decorative painting, protection, preparatory and finishing works.
5. The studio has a mission to share its knowledge: «We organize master classes and workshops on interior design and application of decorative materials.
6. Design & Architecture is registered in Russia as a Russian legal entity according to the Federal Law of February 08, 1998, No. 14-FZ (as amended on April 23, 2017) “On Limited Liability Companies” in 2009.
7. The head office of the company is located in Moscow, 129110, Moscow, Prospekt Mira street, 57, bldg. 2, office 17.
8. In 2017 the company opened its office in Norway. Design & Architecture rents space on the 6th floor of a building in the center of Oslo. The company has 15 employees in its branch (Design&Architecture 2019).
9. Design & Architecture, despite of the fact that it recently opened a business in Norway, is already considered a «rising star» in the design industry.
10. Information security of the enterprise is controlled by the Information Security Administrator. System administrator reports to the Information Security Administrator.
11. The duties of the Design & Architecture Security Administrator include: control and monitoring of the current situation with database, development of mechanisms for detecting and preventing emerging threats.
12. The security administrator regulates the delineation of the access rights of all possible users of the enterprise information systems, and for this purpose monitors the activities of the system administrator as part of his duties.
13. Methods of information security research applied by Design & Architecture
14. Analysis of information security of business on the example of Design & Architecture
15. Recommendations for improving the information security of business on the example of the design company Design & Architecture
16. List of references (Harvard Referencing Standard)
17. Progress Report

Introduction

Within the framework of this work we have conducted the Analysis of business information security on the example of the branch of Design & Architecture, which carries out its activities in Norway.

Information security of the enterprise is controlled by the Information Security Administrator, under whose authority the system administrator is located.

To analyze the security of the information system, the method of testing (external and internal) was chosen, during which the conditions were recreated, as close as possible to the conditions of the real attack, which allowed to form a correct assessment of the level of security of the information system of the enterprise.

An analysis of the security of the wireless network and an assessment of staff awareness of information security issues was carried out.

However, in Design & Architecture, except for information leaks by means of information technologies, there are risks of the human factor, such as:

— Disclosure of confidential information;

— Negligent attitude to confidential information.

In order to identify threats to social engineering, checks were carried out by means of telephone communication and e-mails were sent. In a telephone conversation, attempts were made to obtain valuable information from users.

E-mails contained attachments or a link to a web resource where you would like to enter credentials. During the check, the reaction of employees was recorded: the facts of clicking on the link, entering credentials or launching an attachment.

By results of the spent analysis, it has been revealed that the information system of enterprise Design&Architecture can be considered insufficiently protected as software, system and social vulnerabilities have been revealed.

To eliminate these problems, recommendations were given to improve the information security system of the enterprise.

Brief description of Design & Architecture

The activity of Design & Architecture studio is aimed at the complex solution of the problems connected with the organization of the internal space of private housing and commercial real estate. The studio develops design projects of apartments, houses, offices, restaurants and organizes renovation and construction works in Moscow, St. Petersburg, Russia and Europe.

Also the enterprise is engaged in sales of decorative materials of a premium class. The studio is the official distributor of European brands «Spiver» — decorative plasters, and «TKROM» — paint and varnish materials for different purposes: decorative painting, protection, preparatory and finishing works.

The studio has a mission to share its knowledge: «We organize master classes and workshops on interior design and application of decorative materials.

Design & Architecture is registered in Russia as a Russian legal entity according to the Federal Law of February 08, 1998, No. 14-FZ (as amended on April 23, 2017) “On Limited Liability Companies” in 2009.

The head office of the company is located in Moscow, 129110, Moscow, Prospekt Mira street, 57, bldg. 2, office 17.

In 2017 the company opened its office in Norway. Design & Architecture rents space on the 6th floor of a building in the center of Oslo. The company has 15 employees in its branch (Design&Architecture 2019).

Design & Architecture, despite of the fact that it recently opened a business in Norway, is already considered a «rising star» in the design industry.

Information security of the enterprise is controlled by the Information Security Administrator. System administrator reports to the Information Security Administrator.

The duties of the Design & Architecture Security Administrator include: control and monitoring of the current situation with database, development of mechanisms for detecting and preventing emerging threats.

The security administrator regulates the delineation of the access rights of all possible users of the enterprise information systems, and for this purpose monitors the activities of the system administrator as part of his duties.

Methods of information security research applied by Design & Architecture

The analysis of information system security was conducted by the Information Security Administrator of Design & Architecture by means of external and internal penetration testing.

During the testing, the conditions were recreated that are as close as possible to the conditions of the real attack, which allowed us to form a correct assessment of the level of protection (Design&Architecture 2019).

External testing simulated the actions of a potential attacker who does not have privileges in the corporate information system and operates through the Internet. In this case, the goal was to overcome the network perimeter and gain access to local network resources.

Internal testing was also conducted, which implied that the intruder was operating from a local area network segment and was aimed at controlling the infrastructure or some critical resources (Design&Architecture 2019).

An analysis of the security of the wireless network and an assessment of staff awareness of information security issues was carried out.

Security analysis also identifies various vulnerabilities and gaps in protection mechanisms, which can be divided into four categories:

— Configuration flaws;

-Lack of security updates;

-Vulnerabilities in web application code;

-Password policy drawbacks.

One of the common options for successful testing of attacks is to detect system interfaces at the network perimeter, which should be accessible only from the internal network.

For example, the use of incorrect settings and vulnerabilities in video control systems, when you can not only view video from cameras, but also to execute any code due to outdated firmware version of the DVR. This example shows how important it is to correctly define the boundaries of the network perimeter and monitor the security status of each system component.

Social engineering is one of the most popular and successful ways of penetrating the company’s internal network. Therefore, in addition to penetration testing, it is important to conduct information security awareness checks on employees. The work is performed according to pre-agreed scenarios that simulate a real attacker (Babash, A 2013).

The checks are carried out by telephone and e-mail. In a telephone conversation, attempts are made to obtain valuable information from users. E-mails contain attached files or a link to a web resource where you need to enter credentials. During the check, the reaction of employees is recorded: the facts of clicking on the link, entering credentials or launching an attachment.

To analyze the security of wireless networks, the possibility of different types of attacks is checked depending on the authentication method used. For WPA2/PSK, a handshake between the access point and the legitimate client of the access point is intercepted, followed by a password search (Babash, A 2013).

Another way of attacking is to create a fake access point, which is used for any authentication method.

Analysis of information security of business on the example of Design & Architecture

Results of external penetration tests:

— Full control over the infrastructure was obtained in 70% of penetration attempts;

-The use of dictionary passwords and insufficient protection from recovering credentials from OS memory are the main drawbacks in the internal network of the enterprise (Design&Architecture 2019);

-Interception of credentials is successfully used in internal penetration testing.

The potential for intrusion into the enterprise intranet is related to insufficient protection of web applications: this is a major problem at the network perimeter. However, if the attack consisted of several steps, different types of vulnerabilities could be exploited at each step.

Typical attack scenario — selection of dictionary user account of the web application and subsequent exploitation of the vulnerability caused by errors in the code of the web application, for example, the ability to upload arbitrary files to the server (Design & Architecture 2019).

Other ways primarily consist of finding dictionary passwords to different systems — Outlook Web App (OWA), VPN-servers and workstations, as well as to use the shortcomings of network equipment configuration. Overcoming the perimeter is also potentially possible through outdated software versions that contain vulnerabilities that allow you to gain control of the server.

During the testing of settings and vulnerabilities in video control system, it was revealed that the intruder can intercept the credentials transmitted via open protocols without using encryption and gain access to the relevant resources (video control systems), during which the external intruder has access to interfaces for remote access, equipment management and connection to the database.

Also, network perimeter resources contain sensitive data that helps an attacker develop an attack. This includes web application backups, system configuration information, critical resource access credentials or user IDs that an attacker can retrieve.

Results of internal penetration tests

The test gave us full control over the internal infrastructure, which took an average of four steps. The typical attack was based on dictionary password recovery and account recovery from the OS memory with the help of special utilities. Repeating these steps, the attacker moves from one host to another within the network until the domain administrator’s account is found (Design & Architecture 2019).

The analysis of the company’s network traffic showed that there were also flaws that allowed interception of information transmitted over the network. NBNS and LLMNR protocols are not protected. An intruder can intercept user IDs and password hashes using NBNS Poisoning and LLMNR Poisoning attacks, and then retrieve passwords based on the hashes received.

One of the main features of the attack in the internal environment is the ability to copy the virtual machine’s hard drive without turning it off. In the course of testing, the virtual machine disk on which the domain controller was launched was copied. The files ntds.dit and SYSTEM were unloaded from this disk, and then HTLM hash sums of domain users, including HTLM hash sums of user’s passwords, were extracted with the help of software (from the public Impacket set)

The presence of HTLM-hash sum of the user’s password allows to carry out an attack. Service account privileges allow you to provide login with any level of access and access to resources with maximum privileges. With the help of the utility the access code was generated and the possibility of executing OS commands on the domain controller with maximum privileges was obtained.

Results of staff awareness assessment of information security issues

-5% of employees can potentially run malicious code on their work computers;

-23% of employees can potentially engage in a dialogue with an intruder and give out confidential information;

-20% of employees enter credentials into a fake form of authentication.

Results of wireless security analysis

-Wireless network security deficiencies have resulted in access to LAN resources.

In the course of the tests, it was found that dictionary keys for connecting to the wireless network are used in 48% of cases.

If certificates are not authenticated when connecting to a wireless network, an intruder can create a fake access point with a name same to original network. When a client connects to this access point network name (ESSID) which has a stronger signal than original access point, the attacker receives its identifier in an open form and the value of NetNTLM v1 challenge-response, which can be used to retrieve the password by brute force (Design & Architecture 2019).

For the guest network, it is important that users are isolated and that company employees do not use it from devices that connect to corporate wireless networks. An intruder who gains access to the Guest Network where there is no isolation will be able to attack users and obtain clear passwords from other Wi-Fi access points if the employee keeps them for automatic connection. As a result, the attacker will receive a password from the corporate network without attacking it.

Recommendations for improving the information security of business on the example of the design company Design & Architecture

As a result of the analysis performed we proposed the following steps for improving the information security of the company.

Eliminate the vulnerability of web applications that allowed you to overcome the network perimeter (Design & Architecture 2019).

1. Regularly analyze the security of web applications.
2. To correct the vulnerabilities it is necessary to make changes in the code of the application used in the local network.
3. To maintain business continuity, it is recommended to use an application layer firewall that will not allow exploiting the vulnerability until it is eliminated, and will also protect against new and not yet found vulnerabilities.

Fixing vulnerabilities in video surveillance systems

1. Limit the number of services on the network perimeter, making sure that interfaces open for connection should be available to all Internet users.
2. Conduct regular inventory of resources available for connection from the Internet. Vulnerabilities can occur at any time because the infrastructure configuration is constantly changing, new nodes appear, new systems appear, and administrative errors are not excluded.
3. Refuse to use simple and dictionary passwords, develop strict rules for corporate password policy and control their implementation.

Fix vulnerabilities on network perimeter resources

1. Make sure that sensitive information that is of interest to the attacker is not stored in an open form (e.g., on web application pages);
2. Software update.

Fix vulnerabilities to gain full control over internal infrastructure

1. Protect the infrastructure from attacks aimed at restoring accounts from the OS memory. To do this, all workstations of privileged users, as well as all the nodes that are connected to using privileged accounts, install the latest generation operating system and include privileged domain users in the Protected Users group.
2. Use modern OS versions on workstations and servers.
3. Provide additional protection for privileged accounts (in particular, domain administrators). It is good practice to use two-factor authentication.

Eliminate threats to network traffic usage

Disable the channel layer and network layer protocols not used in the LAN. If these protocols are required for the operation of any systems, it is necessary to allocate a separate segment of the network to which there is no access from the user segment.

Eliminate the threat of NTLM hash theft

To eliminate the consequences of such an attack, you will not only have to reset your service account password twice, but also reinstall all your domain infrastructure systems.

Prevention of the risk of attacks by social engineering methods

1. The most effective way to do this is to use antivirus software that is based simultaneously on multiple vendors, can detect the hidden presence of malicious programs and allows you to detect and block malicious activity in various data streams — mail, network and web traffic, file storages, web portals. It’s important that the chosen solution not only allows you to scan files in real time, but also automatically analyzes those that have already been scanned, so you can identify previously undetected threats when updating your signature databases.
2. Regular training of employees to improve their competence in information security issues, with monitoring of results.
3. To increase the security of the guest network, it is necessary to use reliable encryption mechanisms (WPA2). It is important to ensure that the users of the access point are isolated, and that employees are not allowed to use it. The guest network should be separated from LAN resources.
4. The corporate network must be protected by a strong password. The area of coverage must be limited so that it is not accessible outside the controlled area. Employee devices should be configured to authenticate certificates when connecting to corporate networks to ensure that fake access point attacks are not successful.
5. Employees should be made aware of information security issues when using wireless networks. For this purpose, periodic training sessions should be conducted with the results monitored.
6. It is recommended that wireless security analysis be performed regularly to identify configuration errors and potential intrusion vectors into the internal network.

Conclusions 

By results of the spent analysis it is possible to draw following conclusions: despite efforts of the system administrator, the information system of the enterprise Design&Architecture appeared poorly protected, and subject to risks of both external, and internal attacks.

The following vulnerabilities were identified during the testing:

-Web applications that allowed us to overcome the network perimeter;

-Vulnerabilities of video surveillance systems;

-Vulnerabilities on network perimeter resources;

-Gaining full control over the internal infrastructure;

-Threats to the use of network traffic;

-Threats to steal NTLM hash amounts of password;

-Risk of social engineering attacks.

Based on the results of the analysis, recommendations were made to address the identified threats.

In addition, regular retrospective analysis of the network should be carried out in order to identify the penetration that has already occurred. To find traces of penetration, it is recommended to use specialized deep analysis tools capable of detecting complex targeted attacks in real time as well as in saved copies of traffic.

This solution will not only allow you to see the facts of hacking, but also to monitor network attacks, including the launch of malicious utilities, exploitation of software vulnerabilities and attacks on the domain controller. This will reduce the time of hidden presence of the intruder in the infrastructure and thereby minimize the risk of data leakage and disruption of the enterprise, reduce possible financial losses.

List of references (Harvard Referencing Standard)

1. ISO/IEC 15408.99 «Information Technology Security Assessment Criteria»;
2. Babash, A 2013, Information security. Laboratory workshop: Training manual, KnoRus, Moscow;
3. Gromov, Y 2014, Information security and information protection: Manual, TNT, Stariy Oskol;
4. Design&Architecture 2019, Annual report 2018, Design&Architecture Limited, Moscow

Progress Report 

This information security analysis by Design & Architecture was written on the basis of the materials of the 2018 Annual Report, as well as the Information Security Administrator’s Report of the company.

Besides, I have studied scientific works of domestic and foreign scientists devoted to information safety of business, methods and techniques of revealing of potential threats of information safety of the company, and also ways of opposition to such threats and elimination of consequences of possible attacks on information system of the organization.

It is not a secret that in an epoch of information technologies the problem of protection of the information of the enterprise costs sharply as despite that the software regularly improves, malefactors continue to make successful attacks on an information system of the enterprises.

Having analyzed methods and techniques of analysis of information security system of the enterprise, I understood the reasons on which the Information Security Administrator of Design & Architecture chose the method of external and internal penetration testing, in the course of which were recreated the conditions, as close as possible to the conditions of the real attack, which allowed to form a correct assessment of the level of security.

In my opinion, this method can most reliably identify possible threats to the information system of the enterprise, as in this case the ability of a particular system to withstand specific and possible threats and attacks, to identify gaps and vulnerabilities of the information system of the enterprise.

There are other methods of information security analysis that can be divided into several groups:

• -methods that use risk assessment at a qualitative level (for example, on a scale of «high», «medium», «low». Such techniques include FRAP in particular;
• -quantitative methods (risk is assessed through a numerical value, for example, the amount of expected annual losses). This class includes RiskWatch methodology;
• -methods using mixed estimates (such approach is used in CRAMM, Microsoft methodology, etc.). Such techniques are based on an integrated approach to risk assessment, combining quantitative and qualitative methods of analysis. The method is universal and is suitable for both large and small organizations, both governmental and commercial sector.

However, these methods do not take into account the risks of social engineering. These methods are more focused on the analysis of vulnerabilities of enterprise software. Also such techniques are adapted to the average enterprise, and consider risks as a whole, instead of testing the information system of a certain enterprise.

There is also a method of risk assessment in the organization, developed by the Software Engineering Institute. The peculiarity of this method is that the entire process of analysis is carried out by the staff of the organization, without the involvement of external consultants. For this purpose the mixed group including both technical experts, and heads of different levels is created that allows to estimate comprehensively consequences for business of possible incidents in the field of safety and to develop countermeasures. However this technique, in my opinion, has a number of defects as it is quite probable that the malefactor can be just a member of the mixed group in the company, and nothing giving out itself. It is clear that they will make every effort to eliminate any traces of their activities, and they will create as much interference and obstruction as possible in the production of a reliable report on the current state of information security in the enterprise.

However, theoretical study of various methods of analysis of information security of the enterprise was not in vain — I received the most interesting information that can be used by me in further professional activities. Besides, this topic seemed very interesting and fascinating to me.

After I understood the reasons why the Information Security Administrator of Design & Architecture chose the method of external and internal penetration testing, in the course of which I recreated the conditions as close as possible to the conditions of the real attack, I studied the report of the Information Security Administrator, in which the progress of the research was described, and its results were presented.

After examining this report, I came to the following conclusions.

The possibility of intrusion into the internal network of the enterprise is related to the insufficient protection of web applications, where the typical scenario of an attack — the selection of dictionary user account of the web application and the subsequent exploitation of the vulnerability caused by errors in the code of the web application, the use of open protocols without the use of encryption.

It was also revealed that a probable intruder can use even outdated video control system software (which turned out to be an interesting surprise for me) with the help of which he can get access to the web-interface of the enterprise information system administration.

The web-based administration interface contains a built-in update download function that can be used to execute commands on the server. To do this, an archive is created that contains a set of commands in the shell command language. The archive is uploaded to the server as a file with updates, and as a result, an intruder can execute arbitrary commands.

On the Design & Architecture enterprise server, the internal network interface has been identified, so that an attacker can further develop an attack on LAN resources.

During the internal penetration testing as a result of the vulnerability exploitation the access to the server under the outdated operating system was obtained. This version of the operating system allows you to provide protection against the recovery of credentials, but for this purpose privileged domain users must be included in the Protected Users group — this condition was not met.

A special utility was launched on the node and user IDs and passwords were obtained from the OS memory in an open form. Among the extracted data was the account password, which has the privileges of local administrator on the servers.

Also, due to the shortcomings of wireless network protection it was easy to get access User devices send requests to find previously saved wireless networks. An intruder can create fake open access points by presenting himself as the network whose name appears in the request. These attacks are used in conjunction with a false form of authentication in the corporate identity. When connecting to the network, the user is redirected to the page with the form of authentication, where he is prompted to enter a corporate account. The result of the attack depends on how well the employees of the company are aware of information security issues.

Further analysis of possible vulnerabilities of information security of the enterprise with use of social engineering has been carried out.

The human factor always has an important component in the activity of any enterprise, and especially it concerns the preservation of information security, so that a person, even if not willing to cause damage to the enterprise, may be deceived by a malefactor and unconsciously give him the necessary data.

Possible vulnerability checks using social engineering were carried out by means of telephone interaction with employees and sending e-mails. Attempts were made to obtain valuable information from users during the telephone conversation. E-mails contained attached files or a link to a web resource where credentials were required.

In the course of this inspection it was found that Design & Architecture employees are not competent and knowledgeable enough in the field of information security, they often made gross mistakes, such as: the transition to an insecure connection, can potentially run malicious code on their work computers, can potentially enter into a dialogue with the attacker and give out confidential information, enter credentials into a fake form of authentication.

In order to prevent attacks by social engineering methods, it was recommended to use specialized antivirus software with a built-in isolated environment («sandbox») to dynamically check the files, capable of detecting and blocking malicious files in corporate email until they are opened by employees.

It was also recommended to conduct a course to improve the competence of employees in the field of information security.

So, following the results of writing this work, I can conclude that the analysis of information security at the enterprise is very important and necessary component of the internal enterprise activity.