
Network Security Traceback Attack and React in the United States Department of Defense Network
Ebook, 195 pages (2 hours)


About this ebook

This book covers network security and how to trace back, attack and react to network vulnerabilities and threats. It concentrates on traceback techniques for attacks launched with single packets involving encrypted payloads, chaff and other obfuscation techniques. Because of the development of various tools and techniques that obscure the source of network attacks, the interest extends to network forensics, with the goal of identifying the specific host that launched the attack and caused a denial of service (DoS). It also covers tracing an attack that would compromise the confidentiality and integrity of information on the Intelligence Community (IC) network, which includes NIPRNET, SIPRNET, JWICS, and IC enclaves. Deliverables will be technical reports, software, demonstrations, and results of experiments, which will provide evidence and metrics. The emergence of hybrid worm attacks utilizing multiple exploits to breach security infrastructures has forced enterprises to look into solutions that can defend their critical assets against constantly shifting threats.
Language: English
Release date: Mar 29, 2013
ISBN: 9781466985742


Network Security Traceback Attack and React in the United States Department of Defense Network - Edmond K. Machie

NETWORK SECURITY TRACEBACK ATTACK AND REACT IN THE
UNITED STATES DEPARTMENT OF DEFENSE NETWORK

EDMOND K. MACHIE

Order this book online at www.trafford.com
or email orders@trafford.com

Most Trafford titles are also available at major online book retailers.

© Copyright 2013 EDMOND K. MACHIE.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the author.

ISBN: 978-1-4669-8573-5 (sc)
ISBN: 978-1-4669-8575-9 (hc)
ISBN: 978-1-4669-8574-2 (e)

Library of Congress Control Number: 2013905670

Trafford rev. 03/25/2013


North America & international
toll-free: 1 888 232 4444 (USA & Canada)
phone: 250 383 6864 ♦ fax: 812 355 4082

CONTENTS

Dedication
Introduction

PART ONE NETWORK SECURITY

CHAPTER I: NETWORK ATTACK TRACEBACK
  I. INTRODUCTION
  II. ATTACK TRACEBACK IN A NETWORK ATTACK
  III. DENIAL OF SERVICES IN THE NETWORK ATTACK—(DoS)
  IV. NETWORK FORENSICS
  V. INTRUSION DETECTION SYSTEMS (IDS)
  VI. CONCLUSION

CHAPTER II: SECURITY ARCHITECTURE AND ANALYSIS
  I. INTRODUCTION
  II. INTRUSION DETECTION SYSTEM v INTRUSION PREVENTION SYSTEM
  III. NETWORK MODULE FOR CISCO ACCESS ROUTERS
  IV. INTRUSION DETECTION SYSTEM INTEGRATED INTO THE ROUTER USING CISCO INTRUSION PREVENTION SYSTEM (IPS) SENSOR
  V. CONCLUSION

CHAPTER III: CISCO INTRUSION DETECTION SYSTEM (IDS) NETWORK MODULE FOR CISCO ACCESS ROUTERS-INTEGRATES TRADITIONAL INTRUSION DETECTION INTO THE ROUTER USING CISCO INTRUSION PREVENTION SYSTEM (IPS) SENSOR
  I. INTRODUCTION
  II. INTRUSION DETECTION SYSTEM v INTRUSION PREVENTION SYSTEM
  III. NETWORK MODULE FOR CISCO ACCESS ROUTERS
  IV. INTRUSION DETECTION SYSTEM INTEGRATED INTO THE ROUTER USING CISCO INTRUSION PREVENTION SYSTEM (IPS) SENSOR
  V. CONCLUSION

PART TWO NETWORK VULNERABILITY ASSESSMENT

CHAPTER IV: NETWORK VULNERABILITY ASSESSMENT NETWORK SECURITY THREAT AND VULNERABILITIES
  I. INTRODUCTION
  II. ATTACK TRACEBACK IN A NETWORK ATTACK
  III. DENIAL OF SERVICES IN THE NETWORK ATTACK—(DoS)
  IV. NETWORK FORENSIC
  V. CONCLUSION

CHAPTER V: DISTRIBUTED DENIAL OF SERVICE DETECT AND REACT IN THE UNITED STATES DEPARTMENT OF DEFENSE NETWORK
  I. INTRODUCTION
  II. DATABASE SECURITY BEST PRACTICES
  III. DATABASE SERVER SECURITY LAYERS
  IV. DATABASE—LEVEL SECURITY
  V. OTHER DATABASE OBJECTS FOR SECURITY
  VI. APPLICATION LEVEL SECURITY
  VII. SUPPORTING INTERNET APPLICATIONS
  VIII. FORENSICS ANALYSIS OVER DATABASES
  IX. DATA MINING USAGE AS ATTACKING
  X. DEFENSIVE TOOLS IN COMPUTER AND NETWORK SECURITY
  XI. CONCLUSION

PART THREE SOFTWARE SECURITY AND WIRELESS NETWORKS

CHAPTER VI: LIGHTWEIGHT MIDDLEWARE ENVIRONMENT FOR AD-HOC WIRELESS NETWORKS

CHAPTER VII: AUDITING SOFTWARE AND TOOLS—ARCHITECTURAL AND SOURCE-LEVEL
  I. INTRODUCTION
  II. AUDITING SOFTWARE AND TOOLS
  III. AUDITING SOFTWARE CATEGORY
  IV. SOFTWARE ARCHITECTURE AND SOURCE-LEVEL
  V. SOFTWARE SENTINEL ANTI-TAMPER TECHNIQUE
  VI. CONCLUSION

PART FOUR INFORMATION SYSTEM FOR MANAGERS—LEGAL AND ETHICAL MANAGEMENT IN INFORMATION SECURITY

CHAPTER VIII: CYBERSECURITY AND THE TRUST ISSUES IN THE ONLINE TRANSACTION

CHAPTER IX: THE SARBANES-OXLEY ACT of 2002—LITERATURE REVIEW
  I. INTRODUCTION
  II. LITERATURE REVIEW
  III. COMPARISON AND CONTRAST OF CURRENT LITERATURE
  IV. CONCLUSION

CHAPTER X: THE SARBANES-OXLEY ACT of 2002—SECTION 404: MANAGEMENT ASSESSMENT OF THE INTERNAL CONTROL OF ALL PUBLICLY-TRADED COMPANIES
  I. INTRODUCTION
  II. DESCRIPTION OF LEGAL OR ETHICAL ISSUES TO BE ADDRESSED
  III. ANALYSIS OF THE SARBANES-OXLEY ACT OF 2002
  III. REVIEW OF RESEARCH ON DATA PROTECTION LAW AND LEGISLATION WITHIN EUROPE AND IN THE UNITED STATES
  IV. ETHICS AND COMPLIANCE WITH LAWS
  V. CONCLUSIONS AND RECOMMENDATION

CHAPTER XI: SARBANES-OXLEY ACT of 2002
  I. INTRODUCTION
  II. INFORMATION SECURITY PROGRAM
  III. APPLICABILITY OF SARBANES-OXLEY
  IV. CONCLUSION

CHAPTER XII: DATA PROTECTION LAW AND LEGISLATION IN THE UNITED STATES AND THE EUROPEAN UNION
  I. INTRODUCTION AND DESCRIPTION OF REGULATORY ENVIRONMENT
  II. DESCRIPTION OF LEGAL OR ETHICAL ISSUE TO BE ADDRESSED
  III. REVIEW OF CURRENT RESEARCH
  IV. CONCLUSIONS AND RECOMMENDATIONS

CHAPTER XIII: INFORMATION ASSURANCE POLICY PLANNING & ANALYSIS
  I. STEPS REQUIRED TO INTRODUCE THE E-MAC POLICY
  II. TRAINING REQUIRED AND THE DELIVERY PLAN
  III. PROCESS FOR RECORDING ACKNOWLEDGEMENT
  IV. HOW THE POLICY WILL BE MONITORED AND ENFORCED
  V. MAJOR TASKS ASSOCIATED WITH THE E-MAC POLICY IMPLEMENTATION
  VI. TIMELINE FOR POLICY IMPLEMENTATION
  VII. PROCESS FOR ENFORCEMENT AND PERIODIC REVIEW

PART FIVE SECURITY FORENSICS

CHAPTER XIV: COMPANIES SPECIALIZING IN COMPUTER FORENSICS SUMMARY REPORT
  I. INTRODUCTION
    Advanced Surveillance Group, Inc. (ASG)
    DriveCrash.com
    Forensic Computer Service (FSC)
  II. CONCLUSION

CHAPTER XV: AFFIDAVIT CRITIQUE—REVIEW OF THE HANSSEN AFFIDAVIT—CRITIQUE OF ITS CONTENT AS IT PERTAINS TO COMPUTER EVIDENCE
  I. INTRODUCTION
  II. SUMMARY PRESENTATION AND CRITIQUE OF AFFIDAVIT
  III. FORENSIC EVIDENCE
  IV. THE SEARCH AND SEIZE WARRANT FOR FAMILY OR RELATIVE PROPERTY
  V. CONCLUSION

PART SIX GUIDING PRINCIPLES OF SECURITY OF WEB APPLICATION AND SAMPLE TEST QUESTIONS AND ANSWERS

CHAPTER XVI: GUIDING PRINCIPLES OF SECURITY OF WEB APPLICATION
  1. Practice Defense-In-Depth
  2. Secure the Weakest Link
  3. Fail Securely
  4. Follow the Principle of Least Privilege
  5. Compartmentalize
  6. Keep It Simple
  7. Promote Privacy
  8. Hiding Secrets is Hard
  9. Be Reluctant to Trust
  10. Use Your Community Resources

CHAPTER XVII: SAMPLE TEST QUESTIONS AND ANSWERS
  1. Initial review
  2. Definition phase: Threat modeling
  3. Design phase: Design review
  4. Development phase: Code review
  5. Deployment phase: Risk assessment
  6. Risk mitigation
  7. Benchmark
  8. Maintenance phase: Maintain

DEDICATION

In Memory of my mother, Kameni Francisca-Edmond
My uncle, Doctor Jean-Bosco Tchiemessom
My grandfather, Edmond Kameni

INTRODUCTION

This book covers network security and how to trace back, attack and react to network vulnerabilities and threats. It concentrates on traceback techniques for attacks launched with single packets involving encrypted payloads, chaff and other obfuscation techniques. Because of the development of various tools and techniques that obscure the source of network attacks, the interest extends to network forensics, with the goal of identifying the specific host that launched the attack and caused a denial of service (DoS). It also covers tracing an attack that would compromise the confidentiality and integrity of information on the Intelligence Community (IC) network, which includes NIPRNET, SIPRNET, JWICS, and IC enclaves. Deliverables will be technical reports, software, demonstrations, and results of experiments, which will provide evidence and metrics.

The emergence of hybrid worm attacks utilizing multiple exploits to breach security infrastructures has forced enterprises to look into solutions that can defend their critical assets against constantly shifting threats.

The Intrusion Detection System (IDS) has been used as the traditional security solution, alongside firewalls and anti-virus software; these are necessary to identify and prevent many of the attacks that have plagued networks. Unfortunately, IDS has been insufficient in addressing the new generation of network-propagating malware and targeted DoS attacks.

An Intrusion Prevention System (IPS), like an IDS, is designed to detect malicious activity running on a host or hiding in normal network traffic. But rather than simply raising an alert, an IPS is intended to block the intrusion before it has a chance to inflict any damage, much as a firewall does. Beyond Cisco's purpose-built IPS appliances and the IDS/IPS expansion card for its Catalyst 6500 switches, the newer networking products running IOS are now capable of providing in-line intrusion prevention. Studies have found that Cisco has embedded a limited but effective amount of IPS functionality in its routers and firewalls, as the IOS IPS provides an additional layer of protection.

Network security issues, including network vulnerabilities and threats, are considered in terms of attack traceback: tracing an attack back through the network with the goal of identifying the specific host that launched it.

Auditing software and tools, at the architectural and source level, are applied by investigating and improving the software sentinel anti-tamper (AT) technique using secure inter-process communications for the U.S. Department of the Army. According to the Department, software sentinels (or software agents) monitor system timing and the contents of computer files and binaries to verify the integrity of both the protected software and the sentinels themselves. Multiple software sentinels are used to make defeating the software protection more difficult. Furthermore, the Department of Defense, in an SBIR topic, holds that the sentinels' protection mechanism is their ability to communicate with one another to monitor and verify each other's integrity. The goal is to allow all the software sentinels to communicate with each other through a single shared memory variable concurrently (simultaneously). The review has included evaluation of audit software and tools, including auditing software at the architectural and source level.

Edmond K. Machie
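The software sentinel mechanism sketched in the introduction (several sentinels checking guarded files and each other, reporting through one shared variable) as an added illustrative model; this is not the Army's or the DoD's implementation, and the sentinel names, file paths, file contents and the SHARED_STATUS dictionary that stands in for the shared memory variable are all constructed for the example.

```python
import hashlib
import threading

SHARED_STATUS = {}        # the single shared variable: sentinel name -> verdict
LOCK = threading.Lock()

def digest(data): return hashlib.sha256(data).hexdigest()

def strict_check(expected, actual):
    # Reference check routine: list every guarded item whose hash changed.
    return [name for name, h in expected.items() if actual[name] != h]

class Sentinel:
    def __init__(self, name, guarded, check=strict_check):
        self.name, self.guarded, self.check = name, guarded, check
        self.baseline = {p: digest(b) for p, b in guarded.items()}   # file hashes
        self.peers, self.peer_baseline = [], {}

    def code_hash(self):
        # Fingerprint of this sentinel's own check routine, so a peer can tell
        # whether the routine has been replaced or patched.
        c = self.check.__code__
        return digest(c.co_code + repr(c.co_consts).encode())

    def enroll(self, peers):
        self.peers = peers
        self.peer_baseline = {p.name: p.code_hash() for p in peers}

    def run(self):
        actual = {p: digest(b) for p, b in self.guarded.items()}
        bad = list(self.check(self.baseline, actual))
        bad += ["sentinel:" + p.name for p in self.peers
                if p.code_hash() != self.peer_baseline[p.name]]
        with LOCK:   # every sentinel writes the same shared variable concurrently
            SHARED_STATUS[self.name] = "ok" if not bad else "TAMPERED:" + ",".join(bad)

def run_all(sentinels):
    # Run every sentinel in its own thread and return a snapshot of the verdicts.
    threads = [threading.Thread(target=s.run) for s in sentinels]
    for t in threads: t.start()
    for t in threads: t.join()
    with LOCK:
        return dict(SHARED_STATUS)

def demo():
    files = {"/opt/app/bin/app": b"\x7fELF-constructed", "/opt/app/etc/app.conf": b"mode=secure"}
    a, b, c = (Sentinel(n, files) for n in "ABC")
    for s in (a, b, c):
        s.enroll([p for p in (a, b, c) if p is not s])
    clean = run_all((a, b, c))
    files["/opt/app/etc/app.conf"] = b"mode=debug"   # tamper with a guarded file
    b.check = lambda expected, actual: []            # and silence sentinel B
    return clean, run_all((a, b, c))                 # A and C still flag both
```

Silencing one sentinel is not enough: its peers detect the changed check routine as well as the modified file, which is the point of having several sentinels verify one another.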

PART ONE
NETWORK SECURITY

CHAPTER I
NETWORK ATTACK TRACEBACK

I. INTRODUCTION

Network attacks on governmental, business, academic, and critical infrastructure networks are increasing in number, sophistication, and severity, and need immediate attention. In this research, prevention, detection and reaction are taken as the guiding principles of network security vulnerability assessment. Various aspects and processes are addressed with regard to attacks. The investigated aspects include data collection, which refers to the collection of data from multiple operating systems. Vatis states that investigators also need tools to automate the collection of data files from multiple operating systems in the victims' network, that is, the network being attacked.¹

II. ATTACK TRACEBACK IN A NETWORK ATTACK

The UNIX system is more complex than Windows, and familiarity with it is necessary for the digital evidence examiner. UNIX is usually configured to print, log, and store user data (e.g. files, e-mail, passwords) on remote systems.

One option for tracing back an attack in the network is mapping the network topology. This provides a solution that automates the process of developing a map of the network quickly and accurately. The victim's network is mapped during the preliminary stage of a network-attack traceback to assess the extent of the attack.

What follows are the specific network-attack data recovery tools that automate the digital evidence recovery process; capturing resident memory data is also part of network attack traceback, as is analyzing excessively large media storage devices.

Michael A. Vatis described log analysis and reporting as automated log file analysis and the development of graphical reports. Furthermore, he defined log compilation as recognizing and importing preliminary investigation data, recognizing and importing logs from across a network, reconstructing altered or damaged logs, placing log data into an organized timeline, and organizing the output in a common and portable format. Vatis also presents IP tracing and real-time interception as critical for tracking cyber attackers. According to the report, in distributed denial of service (DDoS) attacks the origin and location of the attacker remain hidden. Non-technical issues, such as under-employed technologies to counter attacks that use spoofing and a lack of record keeping by Internet Service Providers (ISPs), hamper the tracing of IP addresses. Real-time interception of digital data uses specialized forensic solutions for retrieving, storing, and analyzing the very large media storage devices compromised by network attacks.

The other important point is that data collection from multiple operating systems is needed because computers use several different operating systems to perform different tasks. Data collected from several computers is relevant to understanding how a network was compromised. Windows operating systems dominated investigators' caseloads among the types of operating systems encountered in attack traceback; UNIX and Linux were encountered less frequently; Mac OS (through version 9) and Mac OS X were seen least during the last three years, but still on occasion by some investigators. Solutions that can automate the collection of data from multiple operating systems are still needed, as are solutions to identify and report system configurations and file locations.

There is a need for tools that help analyze attack data across multiple platforms, regardless of the platform the investigator is working on. After data collection, such a tool reduces the time spent and lets the investigator focus on analysis rather than collection.
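The log compilation steps Vatis lists (importing logs from several hosts, placing them on one organized timeline, and writing the result in a common portable format, while keeping damaged lines rather than discarding them) as an added example that is not from the book. The three input formats, host names, log lines, the 2013 year for year-less syslog lines and the -05:00 local offset are all constructed or assumed for this example.

```python
import json
import re
from datetime import datetime, timedelta, timezone

SYSLOG = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^\[:]+)(?:\[\d+\])?: (.*)$")
APACHE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+$')
WINEVT = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),([^,]+),(\d+),(.*)$")
LOCAL = timezone(timedelta(hours=-5))  # assumed offset of sources that log local time
YEAR = 2013                            # assumed: classic syslog lines carry no year

def parse_line(source, line):
    """Map one raw line to the common schema; unknown or damaged lines are kept and flagged."""
    if m := SYSLOG.match(line):
        ts = datetime.strptime(f"{YEAR} {m[1]}", "%Y %b %d %H:%M:%S").replace(tzinfo=LOCAL)
        host, proc, msg = m[2], m[3], m[4]
    elif m := APACHE.match(line):
        ts = datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z")   # carries its own zone
        host, proc, msg = source, "httpd", f"{m[3]} -> {m[4]} from {m[1]}"
    elif m := WINEVT.match(line):
        ts = datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S").replace(tzinfo=LOCAL)
        host, proc, msg = m[2], "EventID " + m[3], m[4]
    else:   # do not silently drop evidence: keep the raw line, mark it damaged
        return {"ts": None, "host": source, "proc": None, "msg": line, "damaged": True}
    return {"ts": ts.astimezone(timezone.utc).isoformat(), "host": host,
            "proc": proc, "msg": msg, "damaged": False}

def compile_timeline(sources):
    """sources: {collector name: [raw lines]} -> one UTC-ordered timeline."""
    records = [parse_line(name, ln) for name, lines in sources.items()
               for ln in lines if ln.strip()]
    ordered = sorted((r for r in records if not r["damaged"]), key=lambda r: r["ts"])
    return ordered + [r for r in records if r["damaged"]]   # damaged lines last

def to_jsonl(records):
    """Portable output: one JSON object per line, keys sorted for diffing."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)

SAMPLE = {  # constructed evidence from three hosts in three native formats
    "gw1": ["Mar 29 03:14:07 gw1 sshd[812]: Failed password for root from 203.0.113.5 port 4422 ssh2",
            "Mar 29 03:14:09 gw1 sshd[812]: Accepted password for root from 203.0.113.5 port 4422 ssh2"],
    "web1": ['203.0.113.5 - - [29/Mar/2013:08:14:05 +0000] "GET /admin HTTP/1.1" 403 512',
             "#### corrupted sector ####"],
    "wks7": ["2013-03-29 03:14:10,WKS7,4625,An account failed to log on"],
}

if __name__ == "__main__":
    print(to_jsonl(compile_timeline(SAMPLE)))
```

Once every source is converted to UTC, the web server's 403 at 08:14:05Z visibly precedes the SSH failure and acceptance on gw1 and the failed logon on the workstation, an ordering that is invisible while each log keeps its own clock and format.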

III. DENIAL OF SERVICES IN THE NETWORK ATTACK—(DoS)

Symantec Security Response supports the view that a Denial of Service (DoS) attack is not a virus, but a method hackers use to prevent or deny legitimate users access to a computer. In order to trace back an attack in the network better, we should know how the attack occurred. Symantec Security Response indicates that DoS attacks are executed using DoS tools that send many request packets to a targeted Internet server (usually a Web, FTP, or mail server), which floods the server's resources,
