Question

In: Computer Science

Assume a scenario where the hackers gained access to information through malware on Point-of-Sale (POS) systems...

Assume a scenario where the hackers gained access to information through malware on Point-of-Sale (POS) systems of more than a million credit and debit cards. The firewall had captured the first malware code and an alert was issued which was ignored. The hackers started downloading the collected data. The cyber criminals have hacked the system to gain credit and debit card information.

1. Explain in your own words what happened in the above discussed data breach.

2. Identify and experience the type of attack experienced in the above scenario

3. The stolen credentials alone are not enough to access the company’s POS devices. What other means can the hackers acquire to allow them to navigate the company’s network and deploy the malware?

4. What would have hackers done for privilege escalation?

5. The organization admitted that they ignored many alerts from their network security devices because of alert overload. If you are the organization’s Chief Technical Officer (CTO), what would you do to reduce the problem of alert overload?

6. The security experts criticize the organization for failing to isolate sensitive sections of their networks from those more easily accessible to outsiders. As a CTO, please propose a feasible solution to segment and categorize your networks and resources.

Solutions

Expert Solution

Question 1. Explain in your own words what happened in the above discussed data breach.

Answer to Question (1):

The Point-of-Sale (POS) system implemented must be an Internet-based cloud system that heavily depends on networks. Thus, network and system security is of prime importance to POS systems that store sensitive personal and credit card information. In the current case, the firewall alerted the network security personnel to the possible network security breach and its signature. The network security personnel should have been more careful to analyze the malware code and to identify and block the unauthorized entry into the POS system. A possibility is that the attacker succeeded in some kind of password attack to steal the administrator passwords and, with them, the sensitive password, personal and credit card information. The attacker could have used password attacking tactics like:

· Dictionary attack (applicable if the user used weak common password)

· Brute Force Attack (applicable if the user used weak short password)

· Traffic interception (applicable in the absence of strong and secure malware removal tools)

· Man in the Middle (applicable in the absence of strong network security and encryption mechanisms)

· Key logger, spyware or Trojan attack (applicable in the absence of strong and secure malware removal tools)

· Social engineering attacks like phishing, spear phishing, baiting, quid pro quo, etc. (applicable in the absence of strong and secure malware removal tools and lack of awareness or ignorance of employees)

· Hash injection attack (applicable in the absence of strong and secure malware removal and network security breach identification tools and lack of awareness or ignorance of employee)

· Replay attacks (applicable in the absence of strong and secure malware removal and network security breach identification tools and lack of awareness or ignorance of employee) where packets and authentication captured using a sniffer are used to extract relevant information, and then they are placed on the network to gain access

· Rule-based attack (applicable in the absence of strong and secure malware removal and network security breach identification tools and lack of awareness or ignorance of employee)

Question 2. Identify and experience the type of attack experienced in the above scenario

Answer to Question (2):

The types of attacks caused by this kind of security breach are just unimaginable, as the attackers could use the sensitive personal, credit card and password information for large-scale attacks, including:

· Theft of funds from credit card holders’ accounts

· Theft of funds from the company’s account

· Theft of user’s personal information

· Large scale data destruction and manipulation

· Loss of inventory information

· Denial of business services

· Denial of network services

These kinds of attacks could lead to catastrophic damage to business institutions, customers and the general public. The effects of such attacks could be anything like:

· Huge financial losses due to theft, loss of business, prolonged shutdowns, etc.

· Loss of business

· Loss of customers

· Loss of trust and goodwill

· Disclosure of sensitive information

· Theft of services

· Loss or corruption of information

Question 3. The stolen credentials alone are not enough to access the company’s POS devices. What other means can the hackers acquire to allow them to navigate the company’s network and deploy the malware?

Answer to Question (3):

The attackers may use multiple tactics to get access to and navigate the company’s network and deploy the malware. These can include:

· Privilege escalation

· Theft of administrative passwords

· Use of software security flaws and patches

· Use of human negligence and errors

· Lack of security controls

· Non-use of strong encryption techniques

· Dishonest technical staff and other employees

· Use of non-standard and non-secure network tools, services, and devices to gain access to sensitive systems

· Use of software bugs, design flaws, or configuration errors to gain access to sensitive systems

All these can lead to a security breach that can be intelligently exploited by attackers to gain full-privileged entry into the POS system.

Question 4. What would have hackers done for privilege escalation?

Answer to Question (4):

Privilege escalation is a type of network attack used by attackers to obtain unauthorized access to sensitive systems of organizations. Privilege escalation attacks exploit weaknesses and security vulnerabilities with the goal of elevating access to a network, applications, and mission-critical systems. Privilege escalation attacks can be vertical or horizontal in nature. In vertical attacks, an attacker gains access to an account with the intent to perform actions as that user. In horizontal attacks, the attacker gains access to account(s) with limited permissions and then uses escalation of privileges, such as to an administrator role, to perform the desired actions. The horizontal privilege escalation attacks are the more serious type of attack. Privilege escalation happens when a malicious user exploits a bug, design flaw, or configuration error in an application or operating system to gain elevated access to resources that should normally be unavailable to that user. The attacker can then use the newly gained privileges to steal confidential data, run administrative commands or deploy malware, and potentially do serious damage to the operating system, server applications, organization, and reputation.

Question 5. The organization admitted that they ignored many alerts from their network security devices because of alert overload. If you are the organization’s Chief Technical Officer (CTO), what would you do to reduce the problem of alert overload?

Answer to Question (5):

Securing a network can be overwhelming. New security threats are likely to appear daily. As a CTO, I would prefer to use a set of network security tools to assist me in better addressing the network security issue. I suggest the following security tools be implemented in the organization:

  • Access control systems
  • Anti-malware software
  • Anomaly detection systems
  • Application security
  • Data loss prevention systems
  • Data back-up and recovery systems
  • Email security systems
  • Endpoint security systems
  • Secure and efficient malware (viruses, spyware, Trojans, etc.) detection and prevention tools
  • Scalable firewall systems
  • Intrusion prevention systems
  • Network segmentation
  • Security information and event management (SIEM)
  • Virtual private network (VPN)
  • Web security systems
  • Wireless security systems
  • Automatic system, driver and software update tools

These tools can reduce the vulnerabilities and therefore can reduce possible attacks and alerts. However, considering the scale of possible threats, the alerts can still be unmanageable. To tackle this, tools would be used to prioritize the alerts on the basis of the possible damage they can cause, and the alerts would then be addressed in that order.

Question 6. The security experts criticize the organization for failing to isolate sensitive sections of their networks from those more easily accessible to outsiders. As a CTO, please propose a feasible solution to segment and categorize your networks and resources.

Answer to Question (6):

Network segmentation is an architectural approach that divides a network into multiple segments or subnets, each acting as its own small network. Network segmentation allows network administrators to control the flow of traffic between segments. Segmentation can enhance security, improve monitoring, boost performance, and localize technical issues. With network segmentation, I have a powerful tool to prevent unauthorized users, including insiders or malicious attackers, from gaining access to valuable assets, customers’ personal information and the company financial records of the organization.

As a Chief Technical Officer, I would use the following combined approach for network segmentation:

  • Physical Segmentation by deploying multiple firewalls for internal networking. Firewalls are deployed inside a network to create internal zones to segment functional areas from each other in order to limit attack surfaces, thereby preventing threats from spreading beyond a zone.
  • Logical segmentation with virtual local area networks (VLANs or subnets). VLANs create smaller network segments with all hosts connected virtually to each other as if they were in the same LAN. Subnets use IP addresses to partition a network into smaller subnets, connected by networking devices.
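As an added example, not part of the expert's answer above, the following Python script ties together the two proposals in answers 5 and 6: it encodes a three-zone segmentation policy (POS, corporate, vendor) and then uses that policy to collapse duplicate firewall alerts and rank the rest by possible damage, so that an inbound hit on a POS host, or a POS host sending data out to the Internet, rises to the top of the queue. All zone ranges, addresses, signature names and weights are constructed for illustration.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical zone map (constructed RFC 1918 ranges) and the flows the
# segmentation policy permits: only corporate management hosts may reach
# the POS zone, and nothing originating in the POS zone may leave it.
ZONES = {
    "pos": ip_network("10.10.0.0/16"),
    "corp": ip_network("10.20.0.0/16"),
    "vendor": ip_network("10.30.0.0/16"),
}
ALLOWED_FLOWS = {("pos", "pos"), ("corp", "corp"), ("vendor", "vendor"), ("corp", "pos")}
ZONE_WEIGHT = {"pos": 3, "corp": 2, "vendor": 1, "external": 0}  # asset value
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def zone_of(ip):
    """Map an address to its segment; anything unmapped is external."""
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "external")

def violates_segmentation(src, dst):
    """True when the flow crosses a zone boundary the policy does not allow."""
    return (zone_of(src), zone_of(dst)) not in ALLOWED_FLOWS

def score(signature, src, dst, severity):
    """Rank by possible damage: severity, value of the assets touched, a policy
    violation, and the exfiltration pattern (a POS host talking to the Internet)."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    s = SEVERITY_WEIGHT[severity] * (1 + max(ZONE_WEIGHT[src_zone], ZONE_WEIGHT[dst_zone]))
    if violates_segmentation(src, dst):
        s += 5
    if src_zone == "pos" and dst_zone == "external":
        s += 3
    return s

def triage(alerts):
    """Collapse identical alerts into one row with a hit count and return rows
    sorted by descending score as (score, count, signature, src, dst)."""
    rows = [(score(*a), n, *a[:3]) for a, n in Counter(alerts).items()]
    return sorted(rows, key=lambda r: (-r[0], r[2]))

# Constructed sample alerts: (signature, src, dst, severity). The 40 repeated
# port-scan alerts stand in for the noise that causes alert overload.
SAMPLE_ALERTS = [
    ("POS.Memory.Scraper", "203.0.113.5", "10.10.4.21", "high"),
    ("Outbound.FTP.Bulk", "10.10.4.21", "198.51.100.7", "medium"),
    ("Vendor.To.POS.SMB", "10.30.2.2", "10.10.4.30", "medium"),
    ("Failed.Login", "10.20.1.5", "10.10.4.21", "low"),
] + [("Port.Scan", "10.20.1.5", "10.20.1.9", "low")] * 40
```

Running `triage(SAMPLE_ALERTS)` reduces 44 raw alerts to 5 rows, with the external-to-POS malware hit and the POS-to-Internet bulk transfer ranked first and second, and the 40 internal port-scan alerts collapsed into a single low-priority row.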
