Question

In: Computer Science

Assume a scenario where the hackers gained access to information through malware on Point-of-Sale (POS) systems...

Assume a scenario where the hackers gained access to information through malware on Point-of-Sale (POS) systems of more than a million credit and debit cards. The firewall had captured the first malware code and an alert was issued, which was ignored. The hackers started downloading the collected data. The cyber criminals hacked the system to gain credit and debit card information.

1. Explain in your own words what happened in the above discussed data breach. [5 Marks]

2. Identify and experience the type of attack experienced in the above scenario [2 Marks]

3. The stolen credentials alone are not enough to access the company's POS devices. What other means can the hackers acquire to allow them to navigate the company's network and deploy the malware? [3 Marks]

4. What would have hackers done for privilege escalation? [2 Marks]

5. The organization admitted that they ignored many alerts from their network security devices because of alert overload. If you are the organization’s Chief Technical Officer (CTO), what would you do to reduce the problem of alert overload? [3 Marks]

6. The security experts criticize the organization for failing to isolate sensitive sections of their networks from those more easily accessible to outsiders. As a CTO, please propose a feasible solution to segment and categorize your networks and resources. [5 Marks]

Solutions

Expert Solution

Solution:

1. The hackers gained access to the consumers' POS assets, such as bank, credit card and debit card details, which the consumer usually enters while making a transaction. Key-logging malware is the main reason for this attack, and these attacks are mainly remote. They are usually targeted at retailers of all sizes because of the internet enablement of the POS assets. A firewall is a network security device which helps in securing the network; its purpose is to establish a barrier between the internal network and incoming traffic from external sources (such as the internet) in order to block malicious traffic such as viruses and hackers. But in this case the alert generated by the firewall was ignored and no necessary action was taken, so the hackers were able to access all the information on the POS assets.

2. This type of attack is called a Man-in-the-middle attack. In this type of attack, hackers intercept the traffic and can steal or filter the data. On unsecured Wi-Fi networks the hackers can establish themselves between the device and the network, and the user, without knowing, might pass all the information to the hacker. And once malware has breached a device, the hacker can install software to access all the information.

3. Other means that the hackers can acquire to navigate the network and deploy the malware are:

i) Phishing Emails - The hackers try to access the user's information by tricking him/her through crafty emails, such as jackpot and lottery notices.

ii) Cookie Theft - Usually, while accessing a company's website, the user is asked to accept cookies, which gives access to the user's financial data, user credentials and passwords.

iii) Drive-by Downloads from a compromised website - This happens when a download starts on a website without the user's knowledge.

iv) Denial of Service/Distributed Denial of Service (DoS/DDoS) - This is a technique in which the systems are brought down by overloading them with login attempts, data requests and repetitive tasks.

v) Malware - Using viruses to access a user's information.

vi) WAP attacks - Setting up a fake wireless access point (WAP) is a great way for hackers to gain access to data streams that can be hijacked for various purposes.

4. Privilege escalation is a type of activity in which the hacker exploits a bug, taking advantage of programming errors to gain elevated access to protected services. In this case the hacker might have misused the privileges associated with the account by assuming the identity of another user.

5. The methods to reduce the problem of alert overload are:

i) Removing bad traffic and cleaning up the network.

ii) Following a rule to handle the broadcast traffic, with no logging.

iii) Remove unused rules and objects from the rule bases.

iv) Reduce firewall rule base complexity - rule overlapping should be minimized.

v) Separate firewalls from VPNs to offload VPN traffic and processing.

vi) Upgrade to the latest software version.

6. The feasible solutions to segment and categorize the networks and resources are:

i) Filtering of unwanted traffic from the network and creating a separate segment to handle that traffic.

ii) Guest/Wireless Network - It is to provide internet access to all the guests without having any access to the internal systems.

iii) IT Management Network - Isolate the administration workstations from the non-admin work.

iv) VoIP Networks - Phone systems that can be segmented off.

v) Security Networks - This segment is used to protect the management devices.

vi) Physical Security Networks - Segmenting physical devices such as cameras and ID Scanners.

vii) Server Networks - Keep distinct functions (i.e., human resources, marketing, finance, etc.) that have no reason to talk to each other from a technology or a functional role standpoint separated from each other.

viii) Industrial Control Systems - Segmenting industrial and/or physical plant control systems from the rest of the network.

ix) Demilitarized Zones (DMZs) - A DMZ is a subnetwork that contains and exposes an organization's externally facing services (i.e., email and/or web servers) to the Internet.

x) External Network - This type of segmentation clearly specifies what is inside on the private Local Area Network and what is outside in the public network.
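On question 5 (alert overload): the defining failure in the scenario is that the one alert that mattered, the firewall's catch of the first malware sample, was lost among many others. The following is an added example, not part of the expert's answer above and not any vendor's product, showing in code the three mechanisms a security operations team normally applies: suppress known-noise signatures, merge repeats of the same alert within a time window, and rank what is left by reported severity, signature class and how sensitive the asset is. The subnet plan, signature names, weights and the alert records are all constructed for the example.

```python
"""Alert triage: suppress noise, merge repeats, rank by risk.

Added example, not code from the page's answer.  Subnets, signature
names, weights and the alert records below are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed network plan: the POS segment holds card data, so an alert that
# touches it outranks the same signature on the guest network.
ASSET_WEIGHT = {
    ip_network("10.10.0.0/24"): 50,   # POS terminals
    ip_network("10.20.0.0/24"): 20,   # corporate workstations
    ip_network("10.90.0.0/24"): 0,    # guest wifi
}
# Weight by signature class; the class is the part before the colon.
SIGNATURE_WEIGHT = {"malware": 40, "c2": 40, "exfil": 30, "scan": 10, "policy": 0}
# Signatures that are pure noise and must never page anyone (the answer's
# "broadcast traffic, no logging" rule, applied at the collector).
SUPPRESSED = {"policy:broadcast-seen"}
WINDOW_S = 300  # repeats of one (signature, src, dst) within 5 min are merged


@dataclass
class Alert:
    ts: int          # epoch seconds
    device: str
    signature: str   # "<class>:<name>"
    src: str
    dst: str
    severity: int    # 1 (low) .. 5 (critical) as reported by the device


def asset_weight(ip: str) -> int:
    addr = ip_address(ip)
    for net, weight in ASSET_WEIGHT.items():
        if addr in net:
            return weight
    return 0


def score(alert: Alert, count: int) -> int:
    cls = alert.signature.split(":", 1)[0]
    total = alert.severity * 10 + SIGNATURE_WEIGHT.get(cls, 0)
    # Either end on a sensitive segment counts: malware *on* a terminal or
    # traffic *to* one.
    total += max(asset_weight(alert.src), asset_weight(alert.dst))
    # Repetition adds a little, capped, so a flood cannot outrank one critical hit.
    return total + min(count - 1, 5) * 2


def triage(alerts):
    """Return (ranked, suppressed): ranked is a list of (score, count, Alert)
    with the highest score first, suppressed is the number of alerts dropped."""
    groups = []        # merged alerts, each {"first": Alert, "count": n, "last": ts}
    open_group = {}    # (signature, src, dst) -> index of its most recent group
    suppressed = 0
    for alert in sorted(alerts, key=lambda a: a.ts):
        if alert.signature in SUPPRESSED:
            suppressed += 1
            continue
        key = (alert.signature, alert.src, alert.dst)
        idx = open_group.get(key)
        if idx is not None and alert.ts - groups[idx]["last"] <= WINDOW_S:
            groups[idx]["count"] += 1
            groups[idx]["last"] = alert.ts
        else:
            groups.append({"first": alert, "count": 1, "last": alert.ts})
            open_group[key] = len(groups) - 1
    ranked = [(score(g["first"], g["count"]), g["count"], g["first"]) for g in groups]
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked, suppressed


# Constructed sample: 200 broadcast notices, a 30-alert port sweep from the
# guest wifi, the same sweep again about 15 minutes later, and one malware
# hit on a POS terminal talking to an outside host.
SAMPLE_ALERTS = (
    [Alert(1000 + i, "fw-edge-1", "policy:broadcast-seen", "10.90.0.7", "255.255.255.255", 1)
     for i in range(200)]
    + [Alert(1000 + 3 * i, "fw-edge-1", "scan:portsweep", "10.90.0.23", "10.20.0.5", 2)
       for i in range(30)]
    + [Alert(2000, "fw-edge-1", "scan:portsweep", "10.90.0.23", "10.20.0.5", 2)]
    + [Alert(1100, "fw-edge-1", "malware:pos-memory-scraper", "10.10.0.14", "203.0.113.9", 4)]
)

if __name__ == "__main__":
    ranked, dropped = triage(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(ranked)} to review, {dropped} suppressed")
    for s, n, a in ranked:
        print(f"{s:4d}  x{n:<3d} {a.signature:28s} {a.src} -> {a.dst}")
```

On the constructed input, 231 raw alerts collapse to three items for review and the single malware alert on the POS terminal lands at the top of the queue; the suppression list and the asset weights are the two knobs that have to be maintained as the network changes, and a signature that matches a POS host should never be on the suppression list.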
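On question 6 (segmentation): the point of zoning is that every cross-zone flow must be explicitly allowed and everything else dropped, so that a POS terminal can reach only the payment processor, and only the admin network can reach the terminals. The following is an added example, not part of the answer above, that writes such a zone policy as code and audits a set of flow records against it; the zone ranges, the allow-list and the flow records are constructed assumptions. Against the constructed flows it flags the terminal's large upload to an unknown external host (the exfiltration in the scenario), a workstation reaching a terminal over SMB (a lateral movement path), and a guest device touching an internal server.

```python
"""Zone-based segmentation policy as code, with a flow audit.

Added example, not from the page's answer.  Zone ranges, the allow-list
and the flow records are constructed assumptions, not a real site.
"""
from ipaddress import ip_address, ip_network

ZONES = {
    "pos":        ip_network("10.10.0.0/24"),      # card-present terminals
    "corp":       ip_network("10.20.0.0/24"),      # office workstations
    "mgmt":       ip_network("10.30.0.0/24"),      # admin jump hosts
    "servers":    ip_network("10.40.0.0/24"),      # internal business servers
    "guest":      ip_network("10.90.0.0/24"),      # guest / visitor wifi
    "dmz":        ip_network("192.0.2.0/24"),      # externally facing web/mail
    "payment_gw": ip_network("198.51.100.0/24"),   # acquirer's authorisation hosts
}
# Any address outside every zone is treated as the public internet.

# Every (source zone, destination zone, destination port) that may be
# initiated.  Default deny: anything not listed is dropped, including
# pos -> internet and corp -> pos.
ALLOWED = {
    ("pos", "payment_gw", 443),   # authorisations; nothing else leaves the POS zone
    ("mgmt", "pos", 22),          # patching and support from the admin hosts only
    ("mgmt", "servers", 22),
    ("corp", "servers", 443),
    ("corp", "internet", 443),
    ("guest", "internet", 80),
    ("guest", "internet", 443),
    ("dmz", "servers", 5432),     # web tier to its database, nothing more
}


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def allowed(src_ip: str, dst_ip: str, dport: int) -> bool:
    return (zone_of(src_ip), zone_of(dst_ip), dport) in ALLOWED


def audit(flows):
    """flows: iterable of (src, dst, dport, bytes_out).
    Returns the flows the policy would drop, with the zone pair that failed."""
    denied = []
    for src, dst, dport, nbytes in flows:
        if not allowed(src, dst, dport):
            denied.append((src, dst, dport, nbytes, f"{zone_of(src)}->{zone_of(dst)}:{dport}"))
    return denied


def exposure(zone: str):
    """Zones that `zone` may initiate traffic to under the policy; a quick
    check that the POS zone reaches only the payment gateway."""
    return sorted({dst for (src, dst, _) in ALLOWED if src == zone})


# Constructed flow records (src, dst, dst port, bytes sent by src).
SAMPLE_FLOWS = [
    ("10.10.0.14", "198.51.100.20", 443, 2_048),       # terminal authorising a sale
    ("10.10.0.14", "203.0.113.9", 443, 58_000_000),    # terminal pushing 58 MB to an unknown host
    ("10.20.0.5", "10.10.0.14", 445, 12_000),          # workstation reaching a terminal over SMB
    ("10.30.0.2", "10.10.0.14", 22, 4_000),            # admin jump host patching a terminal
    ("10.90.0.23", "10.40.0.8", 443, 900),             # guest device touching an internal server
    ("192.0.2.10", "10.40.0.8", 5432, 30_000),         # web tier to its database
]

if __name__ == "__main__":
    print("pos may reach:", exposure("pos"))
    for src, dst, dport, nbytes, why in audit(SAMPLE_FLOWS):
        print(f"DROP {src} -> {dst}:{dport} ({nbytes} B) {why}")
```

The same allow-list is what gets translated into the inter-VLAN firewall rules; keeping it as a single reviewed table, with default deny, is what makes "the POS zone can reach only the payment gateway" a statement that can be verified rather than assumed, and the audit function is the check to run over the flow logs after any rule change.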

