Fresh News

A partnership of information

Welcome to Evolution Atlanta's News Room. Here you will find articles and reports regarding security. In addition, we will post tips and other help articles to make maintaining your network simple.

Network Risk of Ping Sweeps & Port Scans

Ping Sweeps & Port Scans Network Threat

Definitions

A “Ping Sweep” is defined as an attack that sends ICMP packets to a targeted computer subnetwork. Like a normal ping, which is used to reach an IP address, this type of ping looks for specific computers and the components running on them, while also returning their IP addresses. In short, the ping sweep gathers the network addresses and components and returns the data to the hacker.
A Ping Sweep is the first step in this type of network attack, and after it completes the hacker can plan his next move. After planning, the hacker's next step is to actually perform a port scan.
A “Port Scan” is the process of scanning a computer's TCP ports to find one that is open and allows access. Port scans also look for partially open (half-open) ports. The port scan also lets the hacker know which systems are on, so he does not have to waste effort designing an attack for computers that are inactive or ports that are closed. The port scan returns which ports on the computer system are open and will allow access.

Current Network State

Your current infrastructure is designed to limit access from outside users. While we are not a closed network, we only have open the connections needed for secured internet use and FTP. Your FTP access should be password protected and encrypted. In addition to limiting the ports available, you should block countries that have a significantly higher amount of attacks originating from them, unless you do business in that country (Africa, India, Brazil, Chile, Sweden). The list of blocked countries should be approved yearly by your Operations Director or assigned management. Lastly, you should utilize a program that monitors your ports and notifies the system when a scan is done. This gives your network support a heads up on the potential attack and the area needing attention.
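
As an added illustration (not the newsletter's own code, and not a product Evolution Atlanta describes), here is a small Go detector of the kind the monitoring program above would implement: it reads firewall log lines, buckets them per source into fixed time windows, and raises an alert for a ping sweep (one source reaching many hosts by ICMP) or a port scan (one source touching many ports on one host). The log line format, the addresses and the thresholds are constructed assumptions for the demo.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// sampleLog returns constructed firewall log lines (not real traffic): 203.0.113.7
// pings five hosts then probes eight ports on one of them; 198.51.100.4 is normal.
func sampleLog() []string {
	var lines []string
	for i := 0; i < 5; i++ {
		lines = append(lines, fmt.Sprintf("2024-03-01T09:00:0%dZ src=203.0.113.7 dst=192.168.1.%d proto=icmp dport=0", i, 10+i))
	}
	for _, p := range []int{21, 22, 23, 25, 80, 443, 445, 3389} {
		lines = append(lines, fmt.Sprintf("2024-03-01T09:00:10Z src=203.0.113.7 dst=192.168.1.10 proto=tcp dport=%d", p))
	}
	return append(lines, "2024-03-01T09:00:20Z src=198.51.100.4 dst=192.168.1.10 proto=tcp dport=443")
}

// Detect flags a source as a ping sweep when it sends ICMP to at least sweepHosts
// distinct hosts within one fixed window, and as a port scan when it touches at
// least scanPorts distinct ports on a single host within that window. Each log
// line has the (assumed) form "<RFC3339 time> src=A dst=B proto=P dport=N".
func Detect(lines []string, window time.Duration, sweepHosts, scanPorts int) []string {
	seen := map[string]map[string]bool{} // "kind|src|bucket[|dst]" -> hosts or ports
	for _, l := range lines {
		f := strings.Fields(l)
		if len(f) < 4 {
			continue // one malformed line must not stop monitoring
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		kv := map[string]string{}
		for _, field := range f[1:] {
			k, v, _ := strings.Cut(field, "=")
			kv[k] = v
		}
		b := ts.UnixNano() / int64(window)
		key, item := fmt.Sprintf("sweep|%s|%d", kv["src"], b), kv["dst"]
		if kv["proto"] != "icmp" {
			key, item = fmt.Sprintf("scan|%s|%d|%s", kv["src"], b, kv["dst"]), kv["dport"]
		}
		if seen[key] == nil {
			seen[key] = map[string]bool{}
		}
		seen[key][item] = true
	}
	var alerts []string
	for key, set := range seen {
		p := strings.Split(key, "|")
		if p[0] == "sweep" && len(set) >= sweepHosts {
			alerts = append(alerts, fmt.Sprintf("PING SWEEP from %s: %d hosts", p[1], len(set)))
		} else if p[0] == "scan" && len(set) >= scanPorts {
			alerts = append(alerts, fmt.Sprintf("PORT SCAN from %s against %s: %d ports", p[1], p[3], len(set)))
		}
	}
	return alerts
}

func main() { fmt.Println(strings.Join(Detect(sampleLog(), time.Minute, 5, 8), "\n")) }
```

On the sample the ordinary HTTPS client produces no alert, while the probing source produces one sweep alert and one scan alert; tune the window and thresholds to your own traffic so legitimate monitoring tools are not flagged.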

Potential Threat

A Ping Sweep against your company is always possible, as every company will have a ping sweep done on it by random hackers. Our preventative measure, constant monitoring by our Network Director, effectively prevents a hacker from gaining access after a port scan. These types of attacks are usually intended to gain access and destroy the computers or copy data from a file system.

Recommendations

Evolution Atlanta recommends updating software to the latest server version and maintaining up-to-date patches and hot fixes. Evolution Atlanta runs the newest versions of servers and software, providing us the best base protection standards and limits. Our virus and malware protection is always up-to-date, and the most current version of virus definitions is put in place daily.
Optional security that you could consider adopting is a secure file lock system; this would require IT Support or an employee to research products and determine the actual advantage of storing all your documents and data in a specialized file system vault.

Summary

In summary of the above points and recommendations, the risk of Ping Sweeps and Port Scans on your company's network is possible; however, with the appropriate steps you will have a very low risk if the aforementioned procedures and security measures are taken.

Network Shortcomings and Vulnerabilities, The Basics

Definitions

Network shortcomings and vulnerabilities are predictions of when security or technology will fail, and actual problems or weaknesses in the current system. Finding these shortcomings starts with looking at the current business policies and objectives to ensure that the normal operations of the company are not impacted by changes or shortcomings. Other aspects of vulnerabilities are the standard problems and concerns in how much control can be placed on the system and its users.

Current Network State

Your current network state should always be good and never fair. Your shortcomings in securing Windows and Unix/Linux servers are going to be in installing updates as soon as they come out. This also includes new releases of server operating systems, hot fixes and sometimes the reinstallation of software. The vulnerability in an older system lies in its updates and the discontinued attention the supplier gives older products. Evolution Atlanta recommends that you always upgrade your servers after an evaluation of a newly released version, as the new version will have all the previous bugs/fixes resolved, allowing for faster and more efficient use. Remember to add software and hardware to your technical budget so you do not get into a dangerous situation.

Evolution Atlanta also focuses on physical security protocols as well as technical ones; securing your servers from any and all personnel who do not need access is important to limiting shortcomings and vulnerabilities. Remember that your servers and workstations will be affected by the temperature of the room and should always be kept in a dry environment where the temperature can be regulated to 68 – 75 degrees at all times. Not doing this will shorten your hardware's shelf-life (life-cycle). Evolution Atlanta recommends placing your servers and databases in a secured room that is temperature controlled.

Other concerns are in who can access the system and where they can access it from. A policy of open terminals poses a risk to sensitive information and data. This is a shortcoming, as a company cannot monitor every workstation 24/7. It is always best to assign local terminals to employees for access and to route non-essential employees, clients or guests to a clone server or a separate wireless network.

Potential Threat

Outside of physical shortcomings and vulnerabilities, it is important to keep Security Guidelines and a handbook in place so that everyone in your company can have access to the policies. Other shortcomings are in training programs that do not get monitored or updated as technology and business policy change. The good part about a handbook and training is the date coding for when it was last updated. A company can be put under scrutiny for loss of data or for not following government protocol. Your company needs to make sure every employee has received formal training and performed a risk assessment of their current habits and trends, based on the concerns assessed in a Security Analysis of your storage and network devices, to include the data, passwords and network protocols. In addition, the accessibility of the internet and the monitoring of sites that people go to is important, as the fastest way to get data out of a building is to upload it. For this you need to block sites that use specific methodologies posing a risk, and limit what data can be transferred from a server to a terminal. Internet browser access should never be available to a user on the actual server. This is a common mistake; you need to remember this is not a personal computer, it is a server designed for specific use.

Summary

In conclusion, securing your servers is extremely important for the future of your company due to the value of the data stored in house and remotely. Monitoring employee use and access is important to lessen the risk of shortcomings and to spot vulnerabilities early enough to fix them before harm can come to the system or business operations. Lastly, full security guidelines and a training program will ensure the infrastructure is maintained securely. For consultations regarding an analysis, contact Evolution Atlanta.

Encryption Types for Data Connections

Securing your confidential data and documents across a network and to external sources is always on your Network Administrator's mind. A company's data is the core of developing the business and should be treated like a secret niche. This report will go over the basics of encryption so you can be more informed as to your options. It's easy to reference a program or company product; however, knowing the fundamentals behind it is what matters when using it to prevent attacks and shortcomings.

Definitions

Asymmetric encryption is the process of using a public and private key for verification. You find this used in login screens where it asks you to type in the words or numbers you see on the screen. This method allows a public key to be generated randomly for all users; the key must then link up and match the Private Key on the system to verify that the source accessing it is actually that source. This is done through an algorithm, as it changes when the key does. The preventative value of this method lies in the fact that a person or other computer cannot intercept and use the same key to get into the account or access the system.

Public Key Infrastructure (PKI) is the public side of asymmetric encryption; it identifies the source so that the private key knows it came from the right source and is authorized to access the decryption. This process will only allow a one-time connection and attempt, protecting the accessed system.

Symmetric encryption involves a secret key, which can be a string of letters, a number or a word. As long as both people know the secret key they can encrypt and decrypt messages, making this very secure with a strong symmetric encryption. This method means you have to be authenticated at each end, and each end must know who is accessing it.

Risk Factors

Outside of physical shortcomings and vulnerabilities, it is important to consider how many people should be able to access your information. If you know the number and the people, symmetric encryption is the best option for securing your data. As far as collaboration goes between your company and, let's say, XYZ Inc., you could use asymmetric encryption, and we would recommend a hybrid version if you choose this route. Asymmetric encryption will allow you to limit the connection to only trusted sources and will verify connections from their established source. Symmetric encryption will do the same thing; however, its weakness is in the complexity of the keys. This means the stronger the key, the stronger the security you have over your data, and you control the key.

Summary

In conclusion, we believe that you should use asymmetric encryption for collaboration and symmetric encryption for security and access internally, where parties are required to be limited and known.

Personal Computer Security Advisor

The potential security threats to a personal computer connected to the internet are internal. The computer needs to have a firewall and virus protection. In addition, you might want to consider a malware monitoring program as well. The personal computer can also be added to a home network, and in doing this you want a wireless router and/or hub that comes with a built-in firewall. In many cases it will have a firewall depending on the model; if it is very cheap/inexpensive, then it most likely has no security added to it, putting the responsibility on your computer's installed protection.

Other personal computer vulnerabilities are in remote access and password protection, as many personal computers do not have a password or use something very simple. This makes accessing or hacking very easy after getting through any other protection. Remote access is a problem because you are opening up your port connections to connect to another computer, and if that computer has no security then you have just opened the door for someone to hack your computer or send a virus to it without having to go through a firewall or initial virus scan. Another problem is that personal computers, like network stations or servers, require installation of updates for the operating system; as the patches and hot fixes are designed to protect against vulnerabilities, they are considered mandatory in the network world.

The next issue and security risk that personal computers pose is emails and downloads. These are the leading causes of viruses and malware on a computer in general. Many times the email service you use doesn't screen the emails for all risks, if at all. Then there are those that use auto preview, which allows data to be downloaded and executed in the preview pane without opening the message. You may not think this is a problem because it asks you before downloading images, but that's all it is stopping: the images and large macro files / metadata from being downloaded. We recommend turning off preview mode in your mail client to minimize the potential threat. If you have a dedicated professional who works on your actual mail server you may not have to; however, I would ask before assuming, because the problem, while minor, could become major over time.

Preventing attacks on your computer is in many ways a continuous process, and the methods that a hacker uses vary from programs that search for open ports, to specific email clients that have known vulnerabilities, to basic password breaking software. The following are best practices:

1) Change your password every 1 to 3 months.
2) Never use the same password in the same year.
3) Be creative with your password: simple but complex (ex. I'm32inMar2012, i8URc00kie5).
3a) If you change your password the first week of every month, use the date somehow: chg12pPSon4th = change December password, Paul Styles, on the 4th.
4) Always set your personal computer to auto download Windows updates and MAKE SURE TO INSTALL THEM; they are released for security reasons 9 out of 10 times.

Wireless Risk Management Policy Memo After the Fact

Effective security is proactive security. This report is an assessment of a security breach of a wireless network that took basic precautions and had to hire an Information Security Engineer to resolve the issues and prevent them from reoccurring. This would be the first document provided in the process.

Wireless Security

Recent events in the storage and transfer of personal customer information have led to the release and mishandling of personal credit-card information. This breach has impacted the company and effectively decreased the amount of sales transactions made as compared to last year. The breach was made by an attack on our wireless network. This problem is under investigation as to whether it was the device or an internal cause. However, the correct course of action is to remove the wireless system from the main local network. The first step will be to connect all office computers to the network through a hard line and assign every workstation a new DNS ID. After this is completed, the wireless network will be converted to a non-office network that allows access to the internet. All remote connections will have to be through VPN, and the information needed to do this can be obtained through the IT Department. After this solution is in place, the wireless network will not pose a direct threat or security vulnerability to customer information or sensitive data stored on the network. In short, this new wireless network will work like any other internet connection, providing additional layers of security due to firewalls and permissions in addition to the network Domain Controller.

Note: No personal login or passwords should ever be given or shared with another person in or outside the company.

Redact or Add: If you want to keep internal wireless access to the network, I recommend replacing all wireless devices and purchasing a stand-alone firewall in addition to the device firewall. This firewall will sit between the device and the network, adding another layer of security. However, this is not recommended, since it does not eliminate the problem or security vulnerability; it just lessens it.

Terminal Access Security

The second breach made to our network data recently was the unauthorized access to a terminal, whereby an individual outside of the company was able to gain access to data. This security breach is very serious, as it is the easiest to correct yet the most common mistake made. The following rules and steps are to be memorized and used at all times.

1) You are to lock your computer if you are not at your desk
2) You are not to write down your password and keep it at your desk
3) You are not to save passwords in work documents on your computer
4) You are not to share your work station or login information with another employee

The above steps and rules will prevent users from gaining unauthorized access to the company network. In addition, we will be implementing an ID card access system for the main parts of the facility. The badges will be white for employees, and visitors' badges will be yellow. These colors may change at any time.

Redact after approval

Incident Response Policy & Disaster Recovery

The purpose of this policy is to have a rapid response system for handling any failures within the network, database or web application. By minimizing downtime, you won't have to worry about a customer not being able to reach you or an extended period of time during which your salaried employees cannot perform their jobs. Each policy is unique to a business, and this is a sample that Evolution Atlanta can create for your company.

Incident Response Policy

This policy is the responsibility of the Information Security Officer. All employees, contractors, visitors and other guests are required to follow the company's security and access policy. Furthermore, anyone using a company computer must sign a company security policy agreement stating they know and understand our security policy and procedures.

The incident response policy is as follows:
  • Identification – once an incident happens, it is to be documented and reported to an Incident Team member
  • Assessment – Incident Team member(s) are to identify the incident and isolate the problem immediately
         a. If the incident is on a local workstation, that computer is to be taken off the network immediately by disconnecting its access
         b. If the problem is in a file server, that file server is to be taken offline
         c. If the Active Directory has a security incident, the network is to be taken offline to determine if it has affected the workstations or file servers
              i. If none are affected, the Active Directory server is to be restored from the cloned backup immediately
              ii. If a file server is affected, it is to be taken offline and the incident is to be documented, after which the operating system is to be restored only if the solution to the problem is known and it will not happen again
  • Solution – the problem is to be isolated and a solution is to be developed to fix the problem immediately
  • Reporting – reports of all incidents are to be created after the problem is resolved, with all data gathered during the process, to include the initial report information of the incident
         a. A file is to be created, titled after what caused the incident and its effect
         b. The incident is to be added to the security policy for monitoring and analysis
         c. The System Security Officer is to sign off on the report as being complete and added to the security policy
  • Notification – the final step is to notify the staff of the breach and its effect, plus its solution if the incident is isolated to only causing internal problems
         a. The CEO or OO is to be notified of the problem immediately after it is reported to the IT Department
         b. If the problem/incident affects external operations, the Security Officer is to draft a report for external consumption and get it approved by the Company's Operations Officer or CEO
         c. If any legal issues are a concern, they are to be provided in writing to the CEO or OO
  • Prevention – any issue that arises is to be added to the security policy for future reference
  • Backup & Restore – data integrity
         a. Each file system is to mirror itself through a RAID setup to maintain data integrity
         b. The Active Directory server will have a cloned server on standby for emergency situations
         c. All servers will be backed up weekly to a backup server
  • Cost & Damages – documentation of the potential costs and damages of the incident's occurrence, and its impact if it happens again

Incident Response Team

The Network Administrator, Junior Network Administrator and Information Security Officer are required to create an on-call schedule for 24/7 coverage; during normal business hours, all IT staff are to be notified in person and through an inter-office email.

The final authority regarding reporting and notification are the heads of this policy: the Chief Executive Officer and the Operations Officer.

Disaster Recovery Procedures

In the event of a disaster, all file servers and the Windows Active Directory server are to immediately start backing up to our off-site location. In the event that the disaster will prevent the backup from completing, the backup drives are to be pulled from the servers prior to evacuating the building.

Secondary disaster recovery is to create a dummy network server instance to take over operations. This network instance will be a false network not connected to the actual server system, and will be turned on in the event of a disaster to prevent any unforeseen issues.

Disaster Recovery Maintenance

  • Online backup channels are to be monitored
  • RAID clones of file system drives are to be maintained constantly, to include duplication
  • Removable backups are to be monitored for viability

This concludes the policy; if further information is needed it will be added and adopted per company policy. All plans are customized to the business needs. This plan is for 3 file servers, 1 Windows 2008 Active Directory Server, a firewall and 10 personal computers.