Q-1:
“Personnel’s education and training do not affect the server security
architecture”. Do you agree on the previous statement? Why? Please discuss your
opinion considering the all components of the server security architecture.

Describe
the differences between security awareness, training, and education in terms of
the goals, the target group, the level, the test measure, and the teaching
methods?

We Will Write a Custom Essay Specifically
For You For Only $13.90/page!


order now

Explain the
responsibilities of Computer Security Incident Response Team (CSIRT)?

 

Answer

Personal
education and training affects the server security architecture. This is
because for a clearer server security architecture, practices and police must
be offered in combination e,g personal education, training and awareness must
be incorporated as a combination to produce a better and sound security
architecture.

The
security architecture in this case provides the needed framework for integrating
the existing security tools, people, users to provide the needs of the organization
and provide a security direction as a basis for a future decision making. All
these are laid down to match the strategic vision of the organization.

 

The most important aspects of a
security

 

The
strategic process involved in planning and developing the security architecture
model is to maximize the use available resources to minimize the cost and
spending. In this case, complexity in unnecessary and only increase costs when
multiple security are deployed. Here security controls must be tactical in
nature and implemented through a perceived need though this may require time
and more monetary spending as compared to security architectures which are
strategically designed.

 

Security
architecture has a primary response goal of providing a clear and defined means
of control. This is a time and money saving applications. Data security model
and data classification provide a working solution that brings requirements
into manful categories helping to bring about a predefined control. This saves
time and money when consistently applied.

 

                      Data classification model

This is a
data classification component designed to promote sharing of information.
Because information needs to be classified correctly. It helps to in
identification of critical information and the required security controls.
Information can be classified high, medium, low or unclassified. When critical
and sensitive information in under classified, it may be compromised and
intercepted in transmission. Over classification can also lead to complexity
and may undermine the credibility of the classification system

 

                      Data security model

This
classification component directs and helps end users in ensuring that
information systems and data are secured in an appropriate manner. Here the requirements
of security and the classification level are defined basing on each company’s
choice of implemented technologies. In this model, security is most important
concern and how information is secured.

 

Security
awareness can be defined as a view that users should be in position to know
that threats, risks and dangers exist. When a user is able to perceive a
threat, then he/she is aware of the threat. Here users should also be aware of
the kinds of applicable measures that should be used to protect themselves in
case of such dangers. The major important reason of carrying out information
security awareness is to effectively reduce security hazards. Security
awareness focuses on how users respond in regards to information security and
how information van be transferred to users in regards to information security
that influences user’s behavior.

 

User
security training is a means making known the fundamental learning experiences
needed that is given to employees to bring about the much needed performance
improvements to attain the organizations objectives.

 

User
Education is concerned about giving knowledge and tools to grow and expand

 

CIRT a
group of trained professionals responsible for handling security incidents so
that they can be easily removed, investigated and contained. This group is
usually a small number from the same organization.

 

Roles:

 

Studying abuses cases

CIRT team
provides the platform in developing real abuse cases. They share articles on
attack mechanisms and available security flows so that necessary measures can
be put in place.

Risk
analysis

The team
can provide test scenarios on software testing basing on their experiences.
Here they provide an interaction between developers and the incident management
team. The testing element helps the team find any software coding errors.

 

Penetrative testing

The CIRT
team also provides penetrative testing as part of their roles. If
vulnerabilities are found at the penetrative testing stage, the software may
also be sent back to the developers so that the know security flow can be
fixed.

 

Providing feedback
on development practices.

The team
may propose a certain curriculum for educating developers, managers, executives
and others about security issues and enabling developers know about the
attacker exploits including the corresponding solutions and mitigations.

 

 

 

Q-3: A
company Vortex® works mainly in currency exchange. The company has more than
10000 customers, and 700 employees. The company has 25 servers in different
types (database, web server, product
activation server, etc.). Two servers are still unoccupied. The company
employees utilize different operating systems such as Windows XP, Windows 8.1,
Windows Server 2012, and Debian Linux. The client computers used in the working
environment are mix of computers provided by the company, employees BYOD (bring
your own devices) computers, and mobile devices. The clients are connected
through both cable and Wi-Fi. The internet connection comes from two different
ISPs. A lot of time is spent on setting up local user accounts on every
employee’s computer and to troubleshoot third party applications installed by
the employees. The company plans to move some of their used applications to the
cloud, and the company needs this issue to be considered.

It is
required to:

1. Design
complete server security architecture for the company Vortex®. The design
should produce secure servers, and build a secure working environment from both
inside and outside the company

2. Develop
a flowchart that describes the design aspects for the entire design process.
You can use IF-THEN approach.

Hints: You
can consider different factors and keywords in your design like:

• The
network design/ topologies for the 25 servers. Dividing the servers into
different network zones according the sensitivity and functionality of 2 the
servers


Protection of the servers from the networking perspective. Network-based
firewalls, distrusted firewalls, and host-based firewalls

• The
installation and the hardening process of the server OSs which needs a policy
or a regulation document

• User
/customer authentication to the servers (from inside the company and from
outside the company as well)

• Servers
management plans by IT personnel

• Security
techniques for the database servers that are connected to database security on
the application layer

• Security
awareness, training, and education for the employees

• Advices
about using cloud computing by Vortex®

The
question has a broad scope, and you have to do your best to bring all the
possible design aspects. You need to apply what you have learned from the lab
assignments in the design of the server security architecture.

 

Answer

Interconnected
computers bring large amounts of possibilities in the company Vortex for collaboration,
intercommunication, remote access, social networking file and printer sharing.

Network
communications in small to medium organizations is largely and often impaired
malicious attacks which target network equipment and users to disrupt network
traffic. The most common among those attacks is the denial of service attacks and
user or host compromise attacks.

In a denial
of service attack, the attacker sends large amounts of bogus data traffic to
the target computer with intentions of causing disruptions while consuming
large amounts of bandwidth and in the end rendering the computer unable to
provide services to the intended legitimate users. In a host compromise attack,
the attacker exploits vulnerabilities in a host thereby gaining control of it 2.
When these two attacks are combined, they can be used to cause more distrustful
kind of attack called distributed denial of service attacks(DDoS).

 

The number
of DDoS have been on the rise recently on many popular e-commerce and gaming
websites which have been targeting mostly the Domain name servers. The most
important solution that research has found on better countering them is through
design of secure servers and schemes of detecting and recovery using detection
features like intrusion detection systems (IDS). Other methods range from
resistant schemes designed based on built capabilities to survive and resist
network attacks. All these measures have been proposed but has not solved the
ever increasing attacks yet hackers still launch successful attacks 2.

The solution
therefore resides in the design of secure network architectures and other
network schemes that are capable of avoiding and mitigating serious impacts of
the attacks.

The reasons
for the security architecture design include;

v  For consumer trust and
confidence

v  Better business focus

v  Better and secure
information exchange

v  Remote and secure access
to internal workings and operations

v  Improved business
productivity

v  Reduction in costs
associated with loss of information

 

components of security architecture
model components

The
successful security model will be in position to put together a combination of
policies and also leading practices, user training and education, encompassing
new technologies, and awareness programs. There are four different layers
considered in the design of the server security architecture which are
addressed in the architecture,

v  Secure access

v  Hardware and operating
system

v  Applications

v  Human aspects

 

A number of
programs like anti-virus, intrusion protection systems, firewalls play an
important role in the protection of the companies from any attacks coming from
within the organization or outside it. A holistic architecture will be implement
at Vortex® to achieve the highest from the security mechanisms that will be inclusive
of all the security elements. This architecture is coordinated and structured
to include the people, the network servers, the end user computers, which work
together to completely ensure security at Vortex®.

To align
these components effectively, the security architecture needs will be driven by
policy stating management’s performance expectations, how the architecture is
to be implemented, and how the architecture will be enforced. This will enable
the architecture to guide management so that decisions are aligned and
consistent throughout the entire IT landscape. The architecture also will be
strategic — it will be structured in a way that supports the organization’s
business goals.

The IT
department will be in position to understand the design of the security
architecture and its main components, how to assess the architecture’s effectiveness
and the all the needed frameworks in order to maximize any audit efforts 3.

 

The following
areas of concern will also form part of an effective and carefully planned
security architecture and will be evaluated during audits of the security
architecture;

v  Guidance in the areas of
incident response, baseline configuration, account creation and management,
disaster recovery, and security monitoring.

v  Identity management.

v  Inclusion and exclusion of
who and what is subject to the domain of the security architecture.

v  Access and border control.

v  Validation and adjustment
of the architecture.

v  Training.

v  Education

 

The logical network zoning
or separation of the servers

The 25
servers will be positioned in logical division of network servers in the Vortex
company. This division is done for better manageable network to reduce on data
theft, reduce attack surface and for compliance. The security zone will have a well-defined
perimeter and strict protection of its boundaries because the systems that are
it can highly be attacked. For example, an end user computer will be given
different security requirements in the architecture as compared to the
financial accountant that store confidential financial reports in the
restricted zone. The zones must all comply to the general security rules and
guidelines

v  Each zone will only have one
separate entry point as defined by the firewall

v  All outbound and inbound
traffic must be monitored at the system perimeter

v  All systems and groups
must be identified

v  Only traffic that relates
to Vortex® will be allowed to leave and enter the system perimeter

While this
can be done smoothly, complexity must be limited by defining clear security
requirements and defining a few or small network security zones

 

 

The Goals:

The goal is
to reduce the attack surface in a zone, which can be achieved exposing a few
number of services coupled with a much more tremendous and strict access
control methods that can be used to provide limited access to only identified
groups of users.

This makes
the zones safe in case of an attack, which will essentially mean the attacker
must compromise all the outer zones before accessing the inner zones where critical
information is stored thus highly increasing critical systems availability.

Network
segmentation provides the following goals as part of a defense in depth

v  Minimal data breach

v  Limits attack surfaces

v  Divides the system into
compartments

v  Increase the availability
of the system

 

The
network zones and their attached trust levels

Zone

Trust level
attached

Restricted

The highest rust

Management

Highest
trust

Extranet

Medium

Enterprise

Medium

External DMZ

Low

Internet

Don’t
trust

 

 

 

Restricted Zone

This is a
place for the all sensitive information breach of which of its confidentiality,
integrity and availability has far reaching consequences to the company on its
reputation, competitiveness, and its market share prices. The highest protection
will be placed at this zone to detect and stop any attacks. The number of
critical systems at this level will include;

v  Financial database

v  User system databases

v  Human resource database

v  Intellectual property

 

 

Management
zone

The
management zone is the center of monitoring and control like performance
servers, security management and configuration management. Here some users have
a higher access privilege than other users thus making systems in this zone a
prime target of attackers.

 

Extranet
Zone

This zone
will house highly trusted connections with third party partners in business
which also extends to the enterprise zone. Information and data flow from the
internal network and the external network must be filtered and monitored in
order to strictly allow company information to leave or enter the zone at the
perimeter.

The Vortex®
has no control on systems that are outside its control in the external zone. This
requires that all third parties adhere to risk assessments to be able to
understand their security position before any connection is being allowed to
them.

 

External
Demilitarized zone(DMZ)

The
external DMZ is responsible for all devices that require internet connectivity.
It provides access to systems that operate between enterprise zone and the
internet.

All traffic
is to be monitored that passes the extranet and the enterprise zones.  Under the extranet zone, hardening is
performed on the systems to minimize attacks, these systems include;

v  email gateway

v  External web servers

v  Web proxy servers

v  Remote service access

v  FTP servers

 

Intranet zone

This zone is solely responsible for mediating between
the restricted zone, external zone and the internal zone. Application servers
will reside in this zone and end user’s devices must authenticate to the
restricted zone before being allowed access.

Access of restricted zone from the internet will only
be possible via a restricted and secure method like the virtual private
network(VPN)

 

Enterprise zone

This is the platform for end user devices like
computers, printers, mobile phones and tablets. Their protection is important
to reduce exposure of end user devices to the risks of malware.

 

Zone control and data access

Each zone is attached a security level with a
trust relationship which increases as to the inner most zone from the outer
zones. Data must be prevented from flowing unnecessarily by deploying security
controls between zones. This can have achieved by use of monitoring tools like
intrusion detection and prevention systems, inspection firewalls, continuous access
controls, and data loss prevention. The control security implementation within
a zone will enable easy detection of malicious activity across systems security
with in a zone (SecureArc, n.d.).

 

 

Training and education

Training is key and will be vital in establishing
a secure architecture in support of the efficiency of system users. In some
scenarios some individuals may perceive security as a hindrance to the day to
day duties of their jobs and may not have an understanding of the risks they
face as a result of system use. This can be attributed to the numerous changes
in security updates and security architectures due to emerging security
threats.

Therefore, regular user training and education
keeps security awareness visible in the minds of employees enabling them to be
updated on the value of the information in their hands and the current security
best practices and company management expectations

 

Hardware and software technology

The deployed hardware and software in Vortex® used to monitor
and manage this security architecture will be the center of the security
concerns. Other security mechanisms will be put in place to protect the physical
hardware. Like locks, man traps, biometric devices at door entries and etc. This
architecture will not only rely on technology and disregard the individuals who
use it. As technology changes and new solution are put in place, the possibility
is high this will also have an impact on the architecture. The change must also
be evaluated to determine if a related counter change in architecture need to
be performed

 

 

The Forward

This
planned security architecture will help the information technology team
efficiently manage a wide variety of risks consistently maximize industry best
practices while allowing the management make better and informed decisions.
This will improve flexibility and promote interoperability and integration in
the organistion.

 

 

References

1R.
Mohan, “Network Analysis and Application Control Software based on
Client-Server Architecture”, International Journal of Computer
Applications, vol. 68, no. 12, pp. 34-39, 2013.

 

2M.
Bloch, R. Narasimha and S. McLaughlin, “Network Security for Client-Server
Architecture Using Wiretap Codes”, IEEE Transactions on Information
Forensics and Security, vol. 3, no. 3, pp. 404-413, 2008.

 

3V.
Varadharajan and U. Tupakula, “On the Design and Implementation of an
Integrated Security Architecture for Cloud with Improved Resilience”, IEEE
Transactions on Cloud Computing, vol. 5, no. 3, pp. 375-389, 2017.

 

 

 

Q.2 Lab

Prolonged running of the
command hping3 –rand-source 10.0.0.204 –flood -S -L 0 -p 80 overloads fills
memory in Kali and later makes it non responsive

Source addresses are random
IP addresses and later put metasloitable unreachable until a forcible restart
was performed.

 

 

 

I wrote my custom exploit on Metasploitable 2 from Kali Linux.

Manually exploiting VSFTPD V2.3.4 on metasploitable 2

The main purpose of FTP is to transfer data across the internet.

It was exploiting a vulnerability with telnet with metasploit

I ran the service VSFTPD V2.3.4 and worked as root which gave the privilege
access to the root shell on metasplibale 2. 
The vulnerable may not be available since it has already been  removed on deployable systems.

I attempted to exploit the vulnerability backdoor through connecting to
metasplotable 2 VSFTPD service.

I manually used telnet to exploit the vulnerability in VSFTPD v2.3.4 and
metasploit.

in this step I used telnet to connect to metasploit

 

Here below I used nmap to scan for port 6200 to see that port 6200 was open
and execute the malicious code.

I was able to see that FTP was using root by use of the challenge id
command followed by (;)                   

 

I used the
metasploit which had an exploit

 

 

Here the backdoor exploit command was used

 

 

Hacking and Gaining Access to Linux by Exploiting SAMBA Service

I begin by finding open ports using the nmap command nmap -sS -Pn -A  10.0.0.30

 

 

 

After finding samba open ports and its services, I send exploits creating
meterpreter sessions. Here I used metasploit.

I had to first find the version of samba installed

Lunch the command msfconsole to start metasploit

 

 

here are the modules found

The exploit

 

 

 

 

 

 

Hacking Samba and installing meterpreter

This is using interpreter to hack a Linux system and take control of it

Meterpreter is a service that gives the attacker access on the victim
system to create a functionality. It gives the attacker command shell capability
and helps attackers extract information from the victim computer while also
covering his tracks.

I begin opening
metasploit

 

search for any sambo
exploits

 

 

 

issue the command  >use
linux/samba/lsa_transnames_heap

and then asks 

msf> exploit(lsa_transnames_heap) > sjow payloads

 

 

 

 

I choose a specific pay from the long list of payloads which is
linux/x86/shell_bind_tcp

Because its a reverse shell capable of running on systems of x86 and uses
tcp

I use the command   > set payload linux/x86/shell_bind_tcp

 

Shows the payload is acknoledged

the I set the LPORT and RHOST(Loacl host and the remote host)

>setg LPORT 8080 and

>set RHOST 10.0.0.30

 

 

And finally the exploit

 

But the target
returned that it was not a vulnerable samba server