Intrusion Detection System
Introduction:
The banking institution this report focuses on is Bank United, and the main issues examined are network intrusion detection and prevention systems. The report includes an analysis of the technologies in use and of malicious activity reports. It shows the areas where the bank needs to make improvements, and it reviews and analyzes the network architecture. The different network attacks that threaten the bank, and the reasons most of them succeed, are also examined. Information security management is very challenging for any institution that relies on information technology in its business. Information related to designing, evaluating, and maintaining a secure information system (I.S.) is addressed through an Information Security Management System. Failure to implement security in an organization can harm the organization's reputation and productivity.
Different tools can be used to ensure that the organization uses the latest and proper protocols to face security breaches (Phatak, 2011). These technologies include intrusion detection systems, firewalls, and anti-virus software. As studies show, most security breaches in any organization result from human error. Humans are usually targeted so that they open a loophole into the system without realizing it. This indicates that security in an organization is not purely a technical problem; people play a significant role.
2. Overview of the Network Architecture
User Datagram Protocol (UDP)
User Datagram Protocol (UDP) is an alternative to TCP and, like TCP, is a transport-layer communication protocol. Computer applications use it to send datagrams (messages) to other hosts on an I.P. network. UDP uses a connectionless transmission model with a minimal protocol mechanism. It is mainly used for the Domain Name System and for voice over I.P., for example in Skype calls, where low packet-arrival latency matters more than the occasional lost packet. It is called connectionless because it does not require a handshake before a message is sent.
Transmission Control Protocol/Internet Protocol (TCP/IP)
TCP/IP is the communication protocol suite used to interconnect devices on a network and on the internet. In banks, Transmission Control Protocol/Internet Protocol (TCP/IP) is used mainly for private communication within the network. It also specifies how data is exchanged by providing end-to-end communication over the internet. The protocol suite does not require central management to recover from a network failure on a device within the network. Some of the most used application protocols in this bank are HyperText Transfer Protocol, Secure HTTP, and File Transfer Protocol.
Internet packets
Packets are the units of TCP/IP network communication. To transmit data within a given bandwidth, devices have to divide it into small pieces of the required size. Packets are used so that the internet and the network are connectionless, that is, no session is required. The receiver can therefore access the data without the sender having to do anything further for it. An internet packet is thus a unit of data routed from its origin to its final destination on the internet. Packets carry the data the internet requires, and each packet carries a different part of the overall message.
I.P. address schemes
Addressing schemes are a general requirement of computer network communication; they allow packets to be forwarded to different locations (Ellingwood, 2014). Layers two, three, and four of the TCP/IP model each add a header for the protocol task at that layer. The header in the I.P. addressing scheme carries a 32-bit address used to address the desired device within the network. I.P. addresses are very important since they are used to locate devices on a network. The network I.D. identifies the network a device belongs to, meaning that devices on the same network share the same network I.D.
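The network I.D. described above is the 32-bit address ANDed with the subnet mask. The following added example (not part of the report) does that arithmetic by hand, cross-checks it against Python's standard `ipaddress` module, and shows that whether two hosts share a network I.D. depends on the prefix length; the addresses are constructed private ones, not the bank's.

```python
import ipaddress


def _mask(prefix_len: int) -> int:
    """32-bit subnet mask for a /prefix_len network, e.g. /24 -> 0xFFFFFF00."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def network_id(ip: str, prefix_len: int) -> str:
    """Network I.D.: the 32-bit address ANDed with the mask (host bits cleared)."""
    addr = int(ipaddress.IPv4Address(ip))
    return str(ipaddress.IPv4Address(addr & _mask(prefix_len)))


def host_id(ip: str, prefix_len: int) -> int:
    """Host part: the address bits the mask does not cover."""
    addr = int(ipaddress.IPv4Address(ip))
    return addr & (~_mask(prefix_len) & 0xFFFFFFFF)


def same_network(ip_a: str, ip_b: str, prefix_len: int) -> bool:
    """Two hosts are on the same network exactly when their network I.D.s are equal."""
    return network_id(ip_a, prefix_len) == network_id(ip_b, prefix_len)


def describe(ip: str, prefix_len: int) -> dict:
    """Summarize the addressing facts for ip/prefix_len, cross-checked with the stdlib."""
    net = ipaddress.IPv4Network(f"{ip}/{prefix_len}", strict=False)
    # The manual bit arithmetic must agree with ipaddress' own computation
    assert str(net.network_address) == network_id(ip, prefix_len)
    usable = net.num_addresses - 2 if prefix_len < 31 else net.num_addresses
    return {
        "address": ip,
        "netmask": str(net.netmask),
        "network_id": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "host_id": host_id(ip, prefix_len),
        "usable_hosts": usable,
    }


if __name__ == "__main__":
    # Constructed sample addresses in RFC 1918 private space, not taken from the report
    print(describe("10.20.30.40", 24))
    print(same_network("10.20.30.40", "10.20.30.200", 24))  # same /24
    print(same_network("10.20.30.40", "10.20.30.200", 26))  # different /26 subnets
```

With a /24 mask both hosts sit in 10.20.30.0, but with a /26 mask the host with last octet 200 falls into 10.20.30.192, so the prefix length, not the address alone, decides who is "on the same network" and therefore who can reach whom without a router.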
3. Network Attacks
Banking organizations face many threats from all over the world, with people trying in every way to gain access to organizational data. Holding data hostage and deleting it are major attacks that affect banking networks. With 21st-century technological advances, the banking sector faces high threat levels, making it hard for organizations to afford even a single mistake in operation. Cyber-attacks have been recorded as the major threat in the financial sector, with many people looking for ways to access general data. The reason is the evolving techniques in cybercrime, with hackers forming groups that try every way to access different institutions.
- Identity theft.
Every year, millions in losses are suffered by the banking sector through identity theft. More than 15 million customers in the USA have been victims of this fraud, making it a threat to people and to banking operations (Johnson et al., 2016). Identity theft involves using other people's credit information to make a purchase or borrow money without their consent. Once this has succeeded, the victim's identity is sold to other hackers or on the dark web, from where it is fully exploited.
- Threats from employees
Today, employees are the main threat to banking operations, accounting for the highest percentage of network attacks. The main reason is human error during daily activities, which gives always-active hackers a chance to exploit the bank. Since humans must operate the bank, it becomes very hard to minimize the related risk, because humans always make errors. One mistake users make is accessing bank services from their own devices, for example to check email. From there, they end up installing malware, which acts as a breach exposing all activities in the organization (Scarfone & Hoffman, 2009).
- Supply chain attacks
Supply chain attacks involve an attacker gaining access to the network through a back door, without the user knowing. “In most networks there are security vulnerabilities that can easily be accessed by backdoor malware attacks, such as DNS lookup and connect-following techniques that grant remote access to the attacker without even the user being aware.” After gaining access, it becomes easier for the hacker to move through the system without any detection.
- Ransomware
Ransomware involves gaining access over the internet and then holding the victim's services captive until ransom money is paid. The attack is also achieved through errors and ignorance of employees who open suspicious links in their emails. When this happens, the links trigger the installation of malicious software that locks legitimate users out of the system or the network. Some organizations that have done their best to ensure data security include Cisco, DELL, Gillware, and many more. Cisco has contributed greatly by coming up with strongly encrypted networks for data transfer and communication. Cisco mainly provides networking products such as wireless and wired equipment, security, and other I.T. products. The company is well known for its secure servers, quality products, and data security, and it has been able to protect many companies from breaches such as hacking, which used to be very common.
One of the risks discussed is hacking; it involves unauthorized people getting through security. They can delete all the data from the database, insert data, or prevent some users from accessing the system. Most hacking cases have been for fame, where different groups try to break through the security of a company such as Amazon. They may do it for fun, but it can cause the company losses if they gain access to the data. Cisco has tried to ensure that strong encryption and keys are required to access the system.
One of the mitigations that has been used is strong passwords. A strong password keeps the probability that another person can work out the password very low; it makes password guessing hard and keeps the data protected. To ensure data is protected, everyone needs to be responsible for their own passwords: do not trust anyone with your logins, and make them as secure as possible so that no one else can use them. Leaving a password on the desk is not recommended, as anyone who enters the room could use it to access the system.
- Network Traffic Analysis and Results
With the data described above, it is easy to analyze the information and summarize the analysis using the source and destination I.P. addresses. The timestamp and the protocol used serve record-keeping and administration purposes, letting users trace every step. Wireshark is used to capture all the network traffic and to identify users by I.P. address. There are different techniques that can be used to summarize the work and generate results that are easy to present (Khan et al., 2014).
- Other Detection Tools and Techniques
An intrusion detection system (IDS) is a software application or device used to monitor a network for malicious activity or policy violations. Banking services need a device that can collect and report violation activity to a central management system. The bank needs an intrusion detection system (IDS) that can respond quickly when malicious activity is discovered. The IDS used in this bank is a network intrusion detection system (NIDS), which monitors and analyzes all received network traffic. The type of IDS used is signature-based, which detects threats by looking for known network patterns such as a particular sequence of bytes.
The bank uses the intrusion detection system together with an intrusion prevention system (IPS) to eliminate threats. An IPS keeps an eye on malicious activity in the system and prevents the threats that have been identified. Because the organization has very many access points, it is important to have a system that can prevent any threat activity in the bank. The difference between the IDS and the intrusion prevention system (IPS) is that the IPS not only monitors but also takes the necessary action to stop the attack. The IPS is of the same type as the IDS, that is, a signature-based intrusion prevention system (IPS).
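The two paragraphs above describe a signature-based NIDS and the IPS that differs from it only by acting on a match. The following added example (not the bank's or any vendor's code) implements that distinction in one small engine: each signature is a byte sequence, the engine scans every payload for it, and a single flag decides whether a match is only alerted on (IDS) or alerted on and dropped (IPS). The signatures and packets are constructed for the example; the beacon header name is hypothetical.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes          # the byte sequence the rule looks for in a payload


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed signatures for this example; not a real rule set.
SIGNATURES = [
    Signature("web-path-traversal", b"../../"),
    Signature("example-beacon-marker", b"X-Beacon-Id:"),   # hypothetical header used only here
]


def match_signatures(payload: bytes, signatures=SIGNATURES) -> List[str]:
    """Names of all signatures whose byte pattern occurs anywhere in the payload."""
    return [s.name for s in signatures if s.pattern in payload]


class SignatureEngine:
    """prevent=False behaves as a NIDS (alert and forward); prevent=True as an IPS (alert and drop)."""

    def __init__(self, signatures=SIGNATURES, prevent: bool = False):
        self.signatures = signatures
        self.prevent = prevent
        self.alerts: List[dict] = []

    def inspect(self, pkt: Packet) -> bool:
        """Return True if the packet may be forwarded to its destination."""
        hits = match_signatures(pkt.payload, self.signatures)
        if not hits:
            return True
        self.alerts.append({
            "src": pkt.src, "dst": pkt.dst, "dport": pkt.dport,
            "rules": hits, "action": "drop" if self.prevent else "alert",
        })
        return not self.prevent


def run(packets: List[Packet], prevent: bool):
    """Push packets through the engine; return what was forwarded and what was alerted on."""
    engine = SignatureEngine(prevent=prevent)
    forwarded = [p for p in packets if engine.inspect(p)]
    return forwarded, engine.alerts


# Constructed traffic: a normal request, a traversal attempt, a beacon, and an opaque TLS record.
SAMPLE_PACKETS = [
    Packet("10.1.1.15", "10.1.2.5", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Packet("203.0.113.9", "10.1.2.5", 80, b"GET /static/../../config.ini HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Packet("10.1.1.22", "198.51.100.7", 8080, b"GET /ping HTTP/1.1\r\nX-Beacon-Id: 1234\r\n\r\n"),
    Packet("10.1.1.22", "10.1.2.5", 443, b"\x16\x03\x01\x00\x2a" + bytes(42)),
]


if __name__ == "__main__":
    for mode in (False, True):
        forwarded, alerts = run(SAMPLE_PACKETS, prevent=mode)
        print("IPS" if mode else "IDS", "forwarded:", len(forwarded), "alerts:", alerts)
```

In IDS mode all four packets pass and two alerts are raised; in IPS mode the same two matches are dropped and only two packets reach the server. The fourth packet shows the limit of the approach the paragraph glosses over: an encrypted TLS record contains no plaintext byte sequence to match, and a pattern the signature set does not yet know is invisible either way.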
To protect bank operations, management has installed a firewall to ensure the network is protected from intruders. A firewall achieves this by establishing a barrier between the external environment and the system (Bourgeois, 2014). When properly selected, firewalls are a very important mechanism for achieving maximum security. The firewalls that have been established are packet-filter firewalls, the most basic type, which work according to access control lists. They monitor incoming and outgoing packets, allowing or denying them according to I.P. address.
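A packet filter of the kind described here is just an ordered access control list evaluated against each packet's addresses, protocol and port. The following added example (constructed for this report, not the bank's configuration) evaluates such a list top-down with first-match-wins and an implicit deny at the end, which is how access lists on common routers and firewalls behave.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp" or "any"
    src: str                # source network in CIDR form
    dst: str                # destination network in CIDR form
    dport: Optional[int]    # destination port, None = any port


# Constructed ACL for a branch network; evaluated top-down, first match wins.
BRANCH_ACL: List[Rule] = [
    Rule("deny",   "any", "203.0.113.66/32", "0.0.0.0/0",     None),  # a host the bank chose to block
    Rule("permit", "udp", "10.0.0.0/8",      "10.20.0.53/32", 53),    # branch hosts -> internal DNS
    Rule("permit", "tcp", "10.0.0.0/8",      "10.20.0.0/16",  443),   # branch hosts -> core over HTTPS
    Rule("permit", "tcp", "10.20.0.0/16",    "0.0.0.0/0",     443),   # core segment -> internet HTTPS
]


def matches(rule: Rule, pkt: dict) -> bool:
    """True when every field of the rule covers the packet."""
    return (
        (rule.proto == "any" or rule.proto == pkt["proto"])
        and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule.dst)
        and (rule.dport is None or rule.dport == pkt["dport"])
    )


def filter_packet(acl: List[Rule], pkt: dict) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule); index None means the implicit deny."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


def apply_acl(acl: List[Rule], packets: List[dict]) -> List[tuple]:
    return [(pkt, *filter_packet(acl, pkt)) for pkt in packets]


# Constructed packets exercising each outcome.
SAMPLE_PACKETS = [
    {"proto": "udp", "src": "10.5.1.15",    "dst": "10.20.0.53", "dport": 53},   # DNS lookup: permit (rule 1)
    {"proto": "tcp", "src": "10.5.1.15",    "dst": "10.20.4.8",  "dport": 443},  # HTTPS to core: permit (rule 2)
    {"proto": "tcp", "src": "10.5.1.15",    "dst": "10.20.4.8",  "dport": 23},   # telnet to core: implicit deny
    {"proto": "tcp", "src": "203.0.113.66", "dst": "10.20.4.8",  "dport": 443},  # blocked host: deny (rule 0)
    {"proto": "tcp", "src": "198.51.100.9", "dst": "10.20.4.8",  "dport": 443},  # inbound from outside: implicit deny
]


if __name__ == "__main__":
    for pkt, action, idx in apply_acl(BRANCH_ACL, SAMPLE_PACKETS):
        print(f"{pkt['proto']} {pkt['src']} -> {pkt['dst']}:{pkt['dport']}: {action} (rule {idx})")
```

Because the block-listed host's rule comes first, it is denied even though rule 2 would otherwise permit it; reorder the list and the result changes, which is why rule order is reviewed as carefully as rule content. Note also that a pure packet filter is stateless: the DNS reply coming back from 10.20.0.53 needs its own permit entry, which is the gap stateful firewalls close by tracking established connections.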
Different devices provide the connections between the operating systems, the software, and the hardware components of the network, the firewall, and the IDS. The bank uses a wireless LAN controller to manage the wireless network access points and to ensure that wireless devices connect to the network without problems. The core switch connects all the other hardware, such as the IDS and IPS, which interact with the operating system.
Because banks also run computer operations in different departments, they use the firewall to block unauthorized access to the system. Firewalls in banks protect the activities inside the bank from outside attacks. Information flowing into and out of the bank needs to be secured and monitored so that it does not fall into the wrong hands or reach unauthorized areas. Firewalls have therefore been an important solution for decades in protecting banks, if correctly installed and kept updated. The separation between banking and brokerage activities ensures that attacks made across the network do not succeed.
With the many attempts made today to access and steal information from organizations, IDSs have played a major role in enhancing security. In banks, IDSs are used to collect and report violation activity to a central management system. The bank needs an intrusion detection system (IDS) that can respond very fast when malicious activity is discovered. With the help of the IPS, the IDS minimizes the possible threats within the banking environment and alerts the department to them. Without an IDS it would be very hard to detect malicious activity going on in the business, putting all of the bank's operations at risk.
- Recommended Remediation Strategies
To improve network security, more needs to be done both in how people behave and in the equipment used in the banks. The main thing the organization needs to adopt is a network security policy. A clear and comprehensive policy gives the organization a security compass that guides all operations. The policy should cover the different network issues, what can be accessed, and the methods of assessing network risk. It also helps in developing a disaster recovery plan that must be followed to ensure everything works in order.
In most cases it is very difficult for a banking organization to deal with threats or attacks on the bank or on user accounts (Duquea & bin Omar, 2015). I would therefore recommend that the bank adopt and improve its use of multi-factor authentication. MFA protects customer and employee access to the system by adding steps beyond the normal login. The best way is to send a code to another device, which is then matched against the system. The method also alerts the user that someone is trying to access their account, so they can immediately make changes. Passwords are very easy to crack with today's technology, such as brute-force devices, and therefore passwords alone will never be fully secure.
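The "code sent to another device" step recommended above is easy to get subtly wrong on the server side. The following added example (not the bank's system) shows the server half of that step: it issues a random code, stores only a keyed hash of it, verifies with a constant-time comparison, and enforces expiry, single use and an attempt limit, which are the properties that stop a stolen or guessed code from being replayed. Delivery to the second device is left to the caller; the secret key and the five-minute/five-attempt limits are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300     # a code is only good for five minutes
MAX_ATTEMPTS = 5           # then the pending code is discarded and the login must restart


class SecondFactorCodes:
    """Issues one-time codes for out-of-band delivery and verifies each of them once."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now                                  # injectable clock, so expiry can be tested
        self._key = secrets.token_bytes(32)              # server-side secret; assumption: per deployment
        self._pending: Dict[str, Tuple[bytes, float, int]] = {}   # user -> (digest, expires_at, failures)

    def _digest(self, user: str, code: str) -> bytes:
        # Only a keyed hash of the code is stored, so a leaked table does not expose live codes
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str) -> str:
        """Generate a fresh code for `user`; the caller delivers it (SMS, app push, ...)."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = (self._digest(user, code), self._now() + CODE_TTL_SECONDS, 0)
        return code

    def verify(self, user: str, submitted: str) -> Tuple[bool, str]:
        """Check a submitted code. Returns (accepted, reason)."""
        entry = self._pending.get(user)
        if entry is None:
            return False, "no-pending-code"
        digest, expires_at, failures = entry
        if self._now() > expires_at:
            del self._pending[user]
            return False, "expired"
        if hmac.compare_digest(digest, self._digest(user, submitted)):   # constant-time compare
            del self._pending[user]                                       # single use
            return True, "ok"
        failures += 1
        if failures >= MAX_ATTEMPTS:
            del self._pending[user]                                       # force a fresh login
            return False, "locked"
        self._pending[user] = (digest, expires_at, failures)
        return False, "mismatch"


def wrong_code_for(code: str) -> str:
    """A code guaranteed to differ from `code`, for exercising the failure paths."""
    return "000000" if code != "000000" else "000001"


if __name__ == "__main__":
    store = SecondFactorCodes()
    code = store.issue("alice")           # in production this goes to alice's phone, never to the browser
    print(store.verify("alice", wrong_code_for(code)))   # (False, 'mismatch')
    print(store.verify("alice", code))                    # (True, 'ok')
    print(store.verify("alice", code))                    # (False, 'no-pending-code'): codes are single use
```

The attempt limit is what makes a six-digit code adequate: without it, the million possible values could simply be tried in turn within the five-minute window, which is exactly the brute-force weakness the paragraph attributes to passwords.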
Keeping the network and all the components that support it updated is also a main thing the bank needs to adopt. After a series of audits and analyses of the banking network, it is clear that the banks have adopted good measures but are not updating their systems. Neglecting to update resources and the network gives hackers the chance to exploit them as a breach. After updating, reviewing the whole network and changing the default network settings is very important to ensure that it matches the policies. Creating new, stronger passwords as the network is updated is also important so that any breach that existed before is eliminated.
Installing a trustworthy firewall that acts as a true guard and keeps an eye on all unauthorized processes is also recommended. As the company invests in making a profit, it needs to consider that it also has to invest in security that protects everything in the bank. Installing a firewall is not enough in itself; installing a trustworthy one will positively impact operations. Installing both software and hardware firewalls minimizes the chances of malicious files entering the system or the network. Given well-outlined policies, a trustworthy firewall will monitor web traffic, malware, and hacking attempts, and keep keyloggers away as instructed.
In conclusion, organizations need to provide proper training to their workers, giving them adequate knowledge of the different techniques used. Awareness programs can also be provided to ensure that everyone is reminded of the risks and the impact cybercrime can have on the organization. On the technical side, the organization needs to always have the best and most up-to-date security systems.
Joint Indicator Bulletin (JIB)
July 19, 2020
Introduction
Various groups around the world have engaged in activities that have threatened most financial institutions in the country and all over the world. The objective of this paper is to help maintain bank security and minimize cases of theft in organizations. Today hackers have managed to employ different techniques to destroy or hold bank information hostage. The banking sector has provided this information in collaboration with the Federal Bureau of Investigation. Banks are advised to follow all the required guidelines and ensure that they are safe from any malicious activity out there.
Document Overview
This Joint Indicator Bulletin has sections listing I.P. addresses and domain names known to be associated with malicious activity today. Banks should use this information to ensure they are safe and to report any case. With it, banks will be alerted by learning from the shared information, using the provided lists, and warning their systems in advance. Any similarity should also be treated as a threat, and banks should know the best way to handle these groups.
NOTE: Any action on the system should be handled according to the defence policies outlined in the organization. The presence of one of these I.P. addresses does not by itself mean that the system is under threat, nor does it guarantee that the identity is malicious.
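The bulletin's indicators are published defanged (`[.]` in place of `.`), so using them requires refanging them and then matching them against logs. The following added example (not part of the bulletin) does that for a handful of entries copied from the I.P. and domain lists below, against constructed firewall/proxy log lines in an assumed `key=value` format; domains match on the exact name or any subdomain of it. A hit is a lead to handle under the organization's policy, as the NOTE above says, not a verdict.

```python
import re
from typing import Dict, List, Set, Tuple

# A few entries copied from the bulletin's lists, in the defanged form they are published in.
INDICATORS_DEFANGED = """
100[.]42[.]216[.]230
173[.]254[.]222[.]138
cnndaily[.]com
symanteconline[.]net
"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(indicator: str) -> str:
    """Turn the published 'a[.]b' form back into a matchable 'a.b' value."""
    return indicator.strip().replace("[.]", ".").lower()


def load_indicators(text: str) -> Tuple[Set[str], Set[str]]:
    """Split the refanged indicators into an I.P. set and a domain set."""
    ips: Set[str] = set()
    domains: Set[str] = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        value = refang(line)
        (ips if IPV4_RE.match(value) else domains).add(value)
    return ips, domains


def domain_listed(host: str, domains: Set[str]) -> bool:
    """True for an exact match or any subdomain of a listed domain (a.b.c -> b.c -> c)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


# Constructed log lines; the key=value layout is an assumption of this example.
SAMPLE_LOG = [
    "2020-07-19T10:01:02Z action=allow src=10.1.1.15 dst=93.184.216.34 host=www.example.com",
    "2020-07-19T10:01:09Z action=allow src=10.1.1.22 dst=173.254.222.138",
    "2020-07-19T10:02:41Z action=allow src=10.1.1.15 dst=198.51.100.4 host=update.cnndaily.com",
    "2020-07-19T10:03:05Z action=allow src=10.1.1.30 dst=203.0.113.5 host=symanteconline.net.example.org",
]

LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)(?:\s+host=(?P<host>\S+))?")


def scan_log(lines: List[str], ips: Set[str], domains: Set[str]) -> List[Dict[str, str]]:
    """Return one hit record per indicator match, carrying the original line for triage."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        for field in ("src", "dst"):
            if m.group(field) in ips:
                hits.append({"line": line, "kind": "ip", "indicator": m.group(field)})
        host = m.group("host")
        if host and domain_listed(host, domains):
            hits.append({"line": line, "kind": "domain", "indicator": host})
    return hits


if __name__ == "__main__":
    ip_set, domain_set = load_indicators(INDICATORS_DEFANGED)
    for hit in scan_log(SAMPLE_LOG, ip_set, domain_set):
        print(hit["kind"], hit["indicator"], "<-", hit["line"])
```

Two of the four constructed lines match: a connection to a listed I.P., and a request to a subdomain of a listed domain. The last line does not, because `symanteconline.net.example.org` is a name under `example.org` that merely starts with a listed string; matching on label suffixes rather than substrings is what keeps that distinction.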
Indicator Descriptions
The following activities have been the most used methods of attack on different banks:
- Identity theft.
Every year, millions in losses are suffered by the banking sector through identity theft. More than 15 million customers in the USA have been victims of this fraud, making it a threat to people and to banking operations.
- Threats from employees
Employees today are the main threat to banking operations, accounting for the highest percentage of network attacks. The main reason is human error during daily activities, which gives always-active hackers a chance to exploit the bank.
- Supply chain attacks
Supply chain attacks involve an attacker gaining access to the network through a back door, without the user knowing.
- Ransomware
Ransomware involves gaining access over the internet and then holding the victim's services captive until ransom money is paid. The attack is also achieved through errors and ignorance of employees who open suspicious links in their emails.
Contact NCCIC/US-CERT
(UNCLASS) Phone: +1-703-235-8833
(UNCLASS) Email: soc@us-cert.gov
US-CERT’s PGP download key at us-cert.gov/contact
(SIPRNET) Email: us-cert@dhs.sgov.gov
(JWICS) Email: us-cert@dhs.ic.gov
IP List Awareness
100[.]42[.]216[.]230
108[.]166[.]200[.]130
108[.]171[.]251[.]102
112[.]196[.]231[.]13
112[.]11[.]239[.]25
12[.]14[.]129[.]90
120[.]15[.]0[.]131
120[.]167[.]251[.]94
120[.]2[.]49[.]15
120[.]232[.]138[.]23
120[.]30[.]41[.]134
120[.]33[.]114[.]160
120[.]33[.]114[.]224
122[.]55[.]220[.]79
124[.]146[.]219[.]130
129[.]44[.]254[.]139
141[.]112[.]19[.]195
141[.]116[.]72[.]95
167[.]58[.]177[.]111
167[.]58[.]93[.]50
167[.]20[.]172[.]230
172[.]254[.]222[.]138
173[.]10[.]39[.]23
173[.]160[.]48[.]149
173[.]184[.]133[.]177
173[.]224[.]213[.]184
173[.]224[.]213[.]247
173[.]224[.]215[.]177
173[.]231[.]45[.]231
173[.]254[.]222[.]138
199[.]119[.]201[.]124
203[.]170[.]198[.]56
203[.]11[.]236[.]81
203[.]111[.]73[.]150
203[.]111[.]73[.]155
203[.]12[.]248[.]2
203[.]13[.]68[.]10
203[.]14[.]142[.]210
203[.]14[.]88[.]45
203[.]215[.]64[.]28
203[.]249[.]169[.]4
203[.]249[.]169[.]5
203[.]45[.]16[.]203
203[.]74[.]218[.]145
203[.]9[.]206[.]14
204[.]159[.]83[.]12
204[.]209[.]161[.]13
204[.]209[.]172[.]203
204[.]234[.]168[.]48
207[.]173[.]155[.]44
207[.]36[.]209[.]221
207[.]40[.]43[.]102
207[.]71[.]209[.]148
206[.]109[.]50[.]151
206[.]185[.]233[.]184
206[.]239[.]156[.]123
206[.]37[.]108[.]211
206[.]53[.]100[.]162
206[.]68[.]171[.]220
206[.]69[.]32[.]231
206[.]77[.]45[.]131
206[.]77[.]45[.]142
206[.]77[.]45[.]82
84[.]147[.]31[.]178
84[.]162[.]4[.]2
84[.]162[.]42[.]46
84[.]211[.]192[.]181
84[.]225[.]225[.]42
84[.]228[.]128[.]19
84[.]245[.]62[.]11
84[.]246[.]147[.]11
84[.]64[.]175[.]136
84[.]73[.]10[.]130
84[.]73[.]11[.]15
84[.]184[.]61[.]9
84[.]171[.]89[.]5
84[.]195[.]112[.]159
84[.]200[.]159[.]118
84[.]211[.]192[.]150
84[.]82[.]1[.]226
84[.]84[.]24[.]72
84[.]84[.]24[.]77
84[.]97[.]51[.]121
64[.]122[.]68[.]213
64[.]126[.]12[.]2
64[.]14[.]81[.]30
64[.]184[.]2[.]3
64[.]25[.]15[.]226
64[.]32[.]164[.]43
64[.]34[.]172[.]210
64[.]4[.]217[.]138
64[.]50[.]130[.]74
64[.]87[.]230[.]242
64[.]81[.]194[.]171
64[.]81[.]252[.]184
87[.]107[.]54[.]158
87[.]112[.]75[.]130
87[.]114[.]195[.]226
87[.]116[.]58[.]5
87[.]119[.]5[.]3
87[.]124[.]105[.]76
87[.]17[.]233[.]30
87[.]207[.]215[.]10
66[.]0[.]167[.]105
66[.]153[.]38[.]202
66[.]155[.]114[.]145
66[.]16[.]75[.]201
66[.]167[.]118[.]29
66[.]179[.]156[.]10
66[.]181[.]8[.]162
Domain Name Awareness
businessconsults[.]net
businessformars[.]com
canadatvsite[.]com
canoedaily[.]com
chileexe77[.]com
climate[.]undo[.]it
cnndaily[.]com
cnndaily[.]net
comrepair[.]net
defenceonline[.]net
downloadsite[.]me
e-cardsshop[.]com
economic[.]mooo[.]com
firefoxupdata[.]com
freshreaders[.]net
honeycow[.]keren[.]la
hugesoft[.]org
info[.]serveusers[.]com
issnbgkit[.]net
jobsadvanced[.]com
marsbrother[.]com
mcafeepaying[.]com
news[.]trickip[.]org
newsonet[.]net
newsonlinesite[.]com
niemannews[.]com
nytimesnews[.]net
pop-musicsite[.]com
rssadvanced[.]org
satellitebbs[.]com
staycools[.]net
symanteconline[.]net
thehealthmood[.]net
todayusa[.]org
upload[.]ignorelist[.]com
usabbs[.]org
usnewssite[.]com
voiceofman[.]com
work[.]myftp[.]name
yahoodaily[.]com
References
Bourgeois, D. T. (2014). Information systems for business and beyond. The Saylor Academy. http://www.saylor.org/site/textbooks/Information%20Systems%20for%20Business%20and%20Beyond.pdf
Duquea, S., & bin Omar, M. N. (2015). Using data mining algorithms for developing a model for intrusion detection systems (IDS). Procedia Computer Science, 61, 46–51. http://www.sciencedirect.com/science/article/pii/S1877050915029750
Ellingwood, J. (2014). Understanding I.P. addresses, subnets, and CIDR notation for networking. DigitalOcean. https://www.digitalocean.com/community/tutorials/understanding-ip-addresses-subnets-and-cidr-notation-for-networking
Johnson, C., Badger, L., Waltermire, D., Snyder, J., & Skorupka, C. (2016). Computer security: Guide to cyber threat information sharing: Special Publication 800-150, 2nd draft. National Institute of Standards and Technology. http://csrc.nist.gov/publications/drafts/800-150/sp800_150_second_draft.pdf
Khan, S., Shiraz, M., Wahab, A., Gani, A., Han, Q., & Rahman, Z. (2014). A comprehensive review of the adaptability of network forensics frameworks for mobile cloud computing. The Scientific World Journal. https://www.hindawi.com/journals/tswj/2014/547062/
Phatak, P. (2011). The importance of intrusion prevention systems. http://opensourceforu.com/2011/01/importance-of-intrusion-prevention-systems/
Scarfone, K., & Hoffman, P. (2009). U.S. guidelines on firewalls and firewall policy: Recommendations of the National Institute of Standards and Technology: Special Publication 800-41. National Institute of Standards and Technology. http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf