Part 1- Researching Network Attacks
Computer Network attacks have resulted in the loss of sensitive data and significant network downtime. When a network or the resources within it are inaccessible, worker productivity can suffer, and business income may be lost. Attackers have developed many tools over the years to attack and compromise the networks of organizations. These attacks take many forms, but in most cases, they seek to obtain sensitive information, destroy resources, or deny legitimate users access to resources.
To understand how to defend a network against attacks, an administrator must first identify network vulnerabilities. Specialized security audit software developed by equipment and software manufacturers can be used to help identify potential weaknesses. In addition, the same tools used by attackers can be used to test the ability of a network to mitigate an attack. After the vulnerabilities are known, steps can be taken to help mitigate the network attacks.
This assignment is a planned research project that is separated into three parts: Researching Network Attacks, Computer Security Tools, and a current attack and case study.
In Part 1, you research various network attacks that have actually occurred. You select one of these and describe how the attack was perpetrated and how extensive the network outage or damage was. You also investigate how the attack could have been mitigated or what mitigation techniques might have been implemented to prevent future attacks. In Part 2, you research the WannaCry ransomware and answer the questions related to that part. In Part 3, you write a technical report on the given case study, which is about a social engineering attack.
Part 1- Researching Network Attacks
In Part 1 of this Assignment, you research various computer system attacks that have recently occurred and select one on which to report. Fill in the form below based on your findings.
Q1) List one of the computer attacks you identified in your search. The table below can be used.
Name of attack:
Type of attack:
Dates of attacks:
Computers / Organizations affected:
How it works and what it did:
Mitigation options:
References:
Part 2- Researching about WannaCry Ransomware Attack
The WannaCry ransomware is malicious software designed to block access to a computer system until a sum of money is paid. This attack started on Friday, 12 May 2017, infecting more than 230,000 computers in 150 countries. Research this attack and answer the questions below. At least three different resources should be used.
1) How it works and what it did?
2) How this attack is propagated?
3) Discuss the impact of this attack on the operation of an organization? What are some key steps organizations can take to help protect their networks and resources?
4) Give an example of a duty of the Incident response planning, Disaster recovery planning and Business continuity planning when having an unexpected event like this attack.
5) What steps can you take to protect your own PC or laptop computer from this attack and other attacks?
6) Briefly describe the lessons learned from this malware incident.
7) If any Australian organization or business is infected with this attack, who is the main point of contact for cyber security issues affecting it?
Part 3- Case Study (1): Victim of Social Engineering
Throughout the process, the auditor found countless examples of lax information security throughout the organization. There was a lack of a coordinated security policy, and the policies in place were not being followed. While reviewing the notes, the auditor noticed that a contractor requested the TMS server address over the phone. Further follow up revealed that a system administrator gave out the server address to a contractor because the contractors were in the middle of upgrading servers. The administrator also mentioned that the contractor requested the password, but the administrator didn’t feel comfortable sharing the password on the phone and asked the contractor to stop by the office – but the contractor was a no show. From the description of the events, the auditor felt it was a social engineering attempt. Social engineering is when a hacker attempts to gain access to sensitive information by tricking a person into giving it to them. The immediate recommendation of the auditor was to focus on the contractor’s activity in the organization.
Over the next few weeks the story unfolded and all the pieces of the puzzle were put together. It was eventually proven that the contractor stole the information. The contractor was hired to oversee the upgrade of servers on the storage network. While doing this, she learned about the transaction management system. She knew PII could be sold on the black market and thought the lax security at TKU would enable her to get away with stealing data without any repercussions. Her only obstacle was access. Since she only had access to the storage network, she needed a way to get access to the transaction management server. That’s when she called the system administrator and got the IP address and tried to get his login credentials. Once she got the IP address, she was able to utilize the free tools available on the Internet to scan the system and get the username and password with administrative access. It took her only a matter of minutes to get this information.
The password was only three characters long and didn’t use any numbers or special characters. With her new administrative permissions, she was able to export the PII.
Write a memo that discusses the seriousness of the situation and highlights key breaches, including ITSec recommendations.
Part 1- Researching Network Attacks
Name of attack: Petya
Type of attack: Ransomware / network worm
Dates of attacks: 27 June 2017
Computers / Organizations affected: Governments and banks. Additionally, it affected several organizations in places including Denmark, France, and Pittsburgh, Pennsylvania.
How it works and what it did: Petya ransomware takes control of computer systems and demands that the user pay a ransom equivalent to $300 in Bitcoin cryptocurrency [1]. The worm then uses the Internet to spread itself automatically, using the EternalBlue vulnerability in Windows OS or Windows administrative tools. Petya tries both options to see which will succeed, and its spreading mechanism is more up to date than that of WannaCry ransomware. Although the ransomware was first detected in 2016, it became a global cyber-attack in June 2017 [2]. Like WannaCry, it targets computers with Windows OS, infects the boot settings and executes malicious code that encrypts the computer’s hard drive, which prevents the Windows boot-up process [3]. It propagated through infected mail attachments and started from Ukraine to spread across the globe [4].
Mitigation options: There are several measures that can be taken against Petya ransomware according to [5]:
i. Download and install system patches
ii. Update software
iii. Computer backup
iv. Data recovery procedures
v. Refrain from clicking suspicious links and emails
1. The WannaCry attack is one of the biggest ransomware attacks that has happened in the recent past. Ransomware is computer malware that prevents users from accessing their computers or files until a ransom is paid. WannaCry ransomware works by encoding data on the victim's computer. As a computer worm, WannaCry spreads quickly through computer networks and infects Windows computers. It then encrypts the files saved on the hard drive and tells the user that their files have been encoded and that they should pay the ransom displayed on the screen by the worm, in the form of Bitcoin, for the data to be decrypted back to its original state [1]. As such, WannaCry restricts access to your computer files or computer network and threatens to erase all your data within an allocated time if you fail to pay the ransom [2]. In May 2017, when the attack occurred, it infected the NHS as well as other organizations all over the world, including governments in Russia, China, the US and Europe [3].
2. WannaCry ransomware spreads through an exploit referred to as EternalBlue in old versions of Windows operating systems. Apparently, EternalBlue was released by a group of hackers called Shadow Brokers just before the attack started propagating [4]. EternalBlue is an exposed NSA exploit of the SMB protocol in Microsoft Windows that propagates the malware in affected systems [5]. After infecting the first computer system, the ransomware spread very fast through mail attachments, images, PDFs, links, message links and more, as it had a mechanism to spread itself across the Internet automatically. Most of the affected computers and servers were running unsupported and unpatched versions of Windows OS. The WannaCry attack started on Friday, 12 May 2017, with the initial infection likely to have started with a vulnerable and exposed SMB port. Just one day after the attack began, the malicious code had spread and infected over 200000 computers in more than 150 countries across the globe [6].
3. The impacts of WannaCry were huge in May 2017. For example, the attack affected Telefonica, one of the largest telecommunications companies in Spain. It also affected computer systems in the National Health Service in Britain, resulting in the cancellation of hundreds of thousands of critical operations and appointments. The WannaCry ransomware also infected thousands of Windows systems in about 150 countries. Some of the most affected countries included Ukraine, Russia, India and Taiwan [7]. WannaCry attack damages were estimated to range from several millions to billions of dollars across the globe. The impact of the attack on an organization is destructive and can lead to the pausing of all business operations. Since it encrypts computer systems and file systems, an affected organization cannot access critical documents and computers. The effects include system downtime, loss of customers and loss of revenue. Some key steps that organizations can take to protect themselves against the WannaCry attack are to use updated software and to install security patches as soon as they are released [8]. Companies should also implement continuous network monitoring in order to inspect network susceptibilities and vulnerabilities. When caught ahead of time, such risks can easily be mitigated.
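The continuous network monitoring recommended above can be made concrete for a worm that spreads over an exposed SMB port. The following Python code is an added example, not part of the original essay; the log format, addresses, window and threshold are constructed assumptions. It flags any source that connects to many distinct hosts on TCP port 445 within a short window, while ignoring a normal client that keeps talking to one file server.

```python
from collections import defaultdict, deque
from datetime import datetime

SMB_PORT = 445
WINDOW_SECONDS = 60   # assumed look-back window
THRESHOLD = 5         # assumed limit on distinct SMB destinations per window

# Constructed sample flow records (time, source, destination, dest port),
# assumed to be sorted by time as a firewall or flow exporter would emit them.
SAMPLE_LOG = """\
2017-05-12T09:00:01 10.0.0.23 10.0.0.101 445
2017-05-12T09:00:02 10.0.0.23 10.0.0.102 445
2017-05-12T09:00:02 10.0.0.40 10.0.0.5 445
2017-05-12T09:00:03 10.0.0.23 10.0.0.103 445
2017-05-12T09:00:04 10.0.0.41 10.0.0.101 443
2017-05-12T09:00:05 10.0.0.23 10.0.0.104 445
2017-05-12T09:00:06 10.0.0.40 10.0.0.5 445
2017-05-12T09:00:07 10.0.0.23 10.0.0.105 445
2017-05-12T09:00:09 10.0.0.23 10.0.0.106 445
2017-05-12T09:01:00 10.0.0.50 10.0.0.101 445
2017-05-12T09:03:00 10.0.0.50 10.0.0.102 445
2017-05-12T09:05:00 10.0.0.50 10.0.0.103 445
2017-05-12T09:07:00 10.0.0.50 10.0.0.104 445
2017-05-12T09:09:00 10.0.0.50 10.0.0.105 445
"""


def parse(line):
    """Split one flow record into (timestamp, source, destination, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_smb_sweeps(log_text, window_seconds=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {source: peak distinct SMB destinations in any window}
    for every source that reaches the threshold."""
    recent = defaultdict(deque)   # source -> (timestamp, destination) in window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse(line)
        if port != SMB_PORT:
            continue              # only SMB traffic is relevant here
        events = recent[src]
        events.append((ts, dst))
        # Drop events that have aged out of the sliding window.
        while (ts - events[0][0]).total_seconds() > window_seconds:
            events.popleft()
        distinct = len({d for _, d in events})
        if distinct >= threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


if __name__ == "__main__":
    for src, count in find_smb_sweeps(SAMPLE_LOG).items():
        print(f"ALERT {src}: {count} distinct hosts contacted on TCP/445")
```

A host flagged this way is a candidate for isolation and patch verification; the threshold has to be tuned so that backup servers and management tools that legitimately reach many hosts over SMB are allow-listed rather than alerting constantly.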
4. Incident response planning
Incident response planning focuses on ensuring that an incident is reported to the right party in the organization in the event of a disaster or tragedy. It includes incident assessment, evidence and response strategy [9]. An example is reporting the matter to company management as soon as an attack is detected so that the right response can be carried out to restore operations.
Disaster recovery planning
Disaster recovery planning involves mechanisms and procedures that need to be implemented in the event of a tragedy. In the event of a cyber-attack, the company should implement the mechanisms listed in its disaster recovery plan, such as using backed-up systems, to ensure the business is restored to an operative state in the least time possible. For example, starting backup implementation as soon as an attack has happened.
Business continuity planning
Business continuity planning refers to a strategy that ensures the business will be able to recover from a disaster such as a cyber-attack or a natural disaster [10]. For instance, setting aside some cash to help the business recover from the attack.
5. There are several measures that I can take to protect my laptop or PC against a WannaCry attack, including the following:
- Installing security patches for software
- Keeping and maintaining backups of all my critical data and information
- Making sure to use reliable security applications and enabling system monitoring on my computer
- Keeping all my software applications updated always
- Properly handle all emails and attachments and refrain from opening suspicious emails
- Store sensitive data privately and independently together
- Report any ransomware attack to local authorities in the event that it occurs
6. The WannaCry ransomware caught the world by surprise and taught us a few lessons.
- It is important to train users on how to use IT and Internet technologies. According to research, most security breaches occur when employees click on infected attachments, malicious links, and compromised sites or fall prey to social engineering attacks. The workforce is the weakest link in cyber security and it is important to train employees against phishing and associated attacks [9].
- It is not okay to pay a ransom demanded through ransomware, as it would only encourage more attackers to create more destructive network worms [10].
- It pays to use licensed and updated software.
- It is crucial to install software security patches once they have been released.
- Data backup and recovery measures are very important for modern businesses.
7. If an organization in Australia is affected by an attack, the main point of contact affected is the business itself. Firstly, it is no longer able to serve its clients and loses a lot of money. Not only does the organization itself suffer, but so do its clients, as they cannot access the company's products and services, especially if it is an e-business. The attack would also affect the country as a whole, as a lot of money can go into recovery processes. Business loss means the country will also lose in terms of taxes.
Memorandum
To: TKU Company
From: Security auditor
Subject: Security concern for TKU Company Server
Date: May 25, 2018
Following the monitoring of your company systems, it has been found that the security of TKU Company's systems is wanting and that the systems are very vulnerable. The server is in the control of a contractor who was hired to perform an upgrade. The following risks have been observed:
- Lack of proper security policies and procedures of company systems
- Lack of the implementation of current security procedures
- Company systems could have been infiltrated through a social engineering attack where the IT admin was manipulated into giving away the server password to a third party service provider
- Sensitive server data and information is not encrypted
- Lack of a strong password to secure company server
- IT admin may not understand the social engineering attack, as they gave the password over the phone to an outside party, a contractor
As such, the auditor recommends the following measures to be done immediately:
- Secure server with a strong password
- Train IT and other staff on the importance of security of business systems
- Perform in house server upgrades if possible
- Train employees not to release any sensitive information such as login credentials to unauthorized persons as they could be hackers or attackers
- Store data in encrypted format
- Perform regular data backups
- Create and ensure all workers follow IT policies and procedures
References
[1] J. Fruhlinger, "What is WannaCry ransomware, how does it infect, and who was responsible?," CSO Online, 27 September 2017. [Online]. Available: https://www.csoonline.com/article/3227906/ransomware/what-is-wannacry-ransomware-how-does-it-infect-and-who-was-responsible.html. [Accessed 22 May 2018].
[2] C. Mercer, "What is WannaCry? How does WannaCry ransomware work?," www.techworld.com, 2017 May 2017. [Online]. Available: https://www.techworld.com/security/what-is-wannacry-how-does-wannacry-ransomware-work-3659064/. [Accessed 22 May 2018].
[3] J. Parsons, "What is 'Wanna Decryptor'? A look at the ransomware that brought down the NHS," Mirror.co.uk, 17 May 2017. [Online]. Available: https://www.mirror.co.uk/tech/what-wanna-decryptor-look-ransomware-10410236. [Accessed 22 May 2018].
[4] A. Russell, "How the WannaCry ransomware attack spread around the world," Global News, 15 May 2017. [Online]. Available: https://globalnews.ca/news/3452129/how-the-wannacry-ransomware-attack-spread-around-the-world/. [Accessed 24 May 2018].
[5] R. Langde, "WannaCry Ransomware: A Detailed Analysis of the Attack," Techspective, 26 September 2017. [Online]. Available: https://techspective.net/2017/09/26/wannacry-ransomware-detailed-analysis-attack/. [Accessed 24 May 2018].
[6] BBC News, "Cyber-attack: Europol says it was unprecedented in scale," BBC, 13 May 2017. [Online]. Available: https://www.bbc.com/news/world-europe-39907965. [Accessed 25 May 2018].
[7] S. Larson, "New ransomware attack hits Russia and spreads around globe," CNN, 25 October 2017. [Online]. Available: https://money.cnn.com/2017/10/24/technology/bad-rabbit-ransomware-attack/index.html. [Accessed 25 May 2018].
[8] D. Cameron, "Today's Massive Ransomware Attack Was Mostly Preventable; Here's How To Avoid It," www.gizmodo.com, 13 May 2017. [Online]. Available: Today's Massive Ransomware Attack Was Mostly Preventable; Here's How To Avoid It. [Accessed 25 May 2018].
[9] D. Drinkwater, "10 steps for a successful incident response plan," June 2017. [Online]. Available: https://www.csoonline.com/article/3203705/security/10-steps-for-a-successful-incident-response-plan.html. [Accessed 25 May 2018].
[10] Investopedia, "Business Continuity Planning," 2018. [Online]. Available: https://www.investopedia.com/terms/b/business-continuity-planning.asp. [Accessed 25 May 2018].
[11] S. Tendulkar, "Lessons Learned From the WannaCry Ransomware Attack and Many Others That Preceded It," Security Intelligence, 17 May 2017. [Online]. Available: https://securityintelligence.com/lessons-learned-from-the-wannacry-ransomware-attack-and-many-others-that-preceded-it/. [Accessed 24 May 2018].
[12] L. Magid, "Lessons learned from the WannaCry ransomware attack," The Mercury News, 18 May 2017. [Online]. Available: https://www.mercurynews.com/2017/05/18/lessons-learned-from-the-wannacry-ransomware-attack/. [Accessed 25 May 2018].