Cyber attacks are becoming harder to predict, partly because attackers in different parts of the world can now pool their tools and knowledge through cloud computing and other collaboration technologies. The IT heads who have to secure their networks face challenges of their own: limited budgets and staff, a shortage of expertise, and resistance from end users. They still have to proceed somehow. This write-up therefore emphasises the activities and initiatives that can be started immediately, before moving on to the more advanced and costly security solutions.
A first useful split is between malicious attacks from outside and malicious attacks from inside; here we deal with protection against attacks from outside. These can enter the network from the Internet as well as through end-point devices, and most of them arrive by email. An email attachment or an alluring malicious link are the two tools attackers use to implant malware, which is then used to launch a pre-planned attack that may not be carried out for several months. We will not go into the details of the attacks themselves; our intention is to protect ourselves. The remedy is to route all email for every employee of the organisation through a central gateway and to install a security solution on that gateway that checks all incoming and outgoing mail. Keeping this solution up to date (signatures and scanning engine alike) is essential, so it should be one of the standing tasks of the security monitoring team. To be safe from malicious attachments, end users must also be educated not to open attachments from unknown sources and never to enable macros when a document asks for it, because most of this malware arrives inside Word and Excel attachments, typically as macros.
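The attachment check a mail gateway performs, as an added example that is not part of the original write-up and not any particular gateway product's code. It parses a constructed message, walks its attachments and classifies each one by both file name and content, so that a macro-enabled Office document or a Windows executable is caught even when the sender renames it to .docx or .pdf. The blocked-extension list and the sample message are constructed for the example.

```python
"""Attachment inspection as a mail gateway might do it (added example)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Extensions the gateway blocks outright (constructed policy; adjust to taste).
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "docm", "xlsm", "pptm"}
# Magic bytes of legacy OLE2 compound documents (.doc/.xls), which may carry VBA.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'review' or 'allow' for one attachment."""
    name = filename.lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    # Taking the last extension handles 'invoice.pdf.exe' style double extensions.
    if ext in BLOCKED_EXTENSIONS:
        return "block"
    if data.startswith(b"MZ"):  # Windows PE executable, whatever the name says
        return "block"
    if data.startswith(OLE2_MAGIC):  # legacy .doc/.xls: macros cannot be ruled out cheaply
        return "review"
    if data.startswith(b"PK\x03\x04"):  # zip container: OOXML document or plain archive
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "review"
        # OOXML files keep VBA code in a vbaProject.bin part; its presence means macros.
        if any(n.endswith("vbaProject.bin") for n in names):
            return "block"
        if "[Content_Types].xml" in names:
            return "allow"  # macro-free OOXML (.docx/.xlsx)
        return "review"  # an arbitrary zip archive: let a human decide
    return "allow"


def scan_message(raw: bytes) -> List[Tuple[str, str]]:
    """Return (filename, verdict) for every attachment in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "unnamed"
        payload = part.get_payload(decode=True) or b""
        verdicts.append((fname, classify_attachment(fname, payload)))
    return verdicts


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like zip, optionally carrying a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00fake-vba")
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed test message with three attachments (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    # A macro-carrying document named as if it were a harmless .docx.
    msg.add_attachment(build_ooxml(True), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="invoice.docx")
    # An executable renamed to .pdf: caught by the MZ header.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="report.pdf")
    # A genuine PDF, allowed through.
    msg.add_attachment(b"%PDF-1.4 ...", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, verdict in scan_message(build_sample_message()):
        print(f"{fname}: {verdict}")
```

The content checks matter more than the extension list: the two attachments a gateway most needs to stop here are named .docx and .pdf, and only the VBA part and the MZ header give them away.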
Next, end-point security. To use end-point devices safely, removable media must be blocked (CD/DVD drives and USB mass storage), and installation of any unauthorised application must be prevented: keep a whitelist of the applications that are allowed to be installed on an end-point device and block everything else. User access permissions should also be restricted, and an account's access rights should be time-bound, since each user works for a particular period of the day (logon-hour restrictions in Active Directory do exactly this). Active Directory group policy and an up-to-date antivirus solution are two tools that can be used for this purpose. End users will resist; they give lame excuses for keeping the USB port open. If they need USB for a printer or scanner, allow only that device class, but in no case allow pen drives, because a pen drive is one of the major routes by which malware is injected into a network.
Network design is another factor that should be given priority when securing the network. We follow the principle of segregation of duties: the application servers and the database servers in the internal (militarized) zone are administered by separate groups of people, so these servers should not sit in a single network. They should be placed in separate sub-zones divided by a firewall, and an administrator of one sub-zone should not be able to enter another. The central security monitoring team should check this regularly. In the same way, not every PC in a bank branch needs to communicate with every server in the data centre. For example, a branch holding an Authorized Dealer (AD) licence uses two or three PCs for preparing and transmitting SWIFT messages, and some PCs are used only for BACPS and BEFTN (the national cheque-clearing and electronic funds transfer systems). We can therefore create a separate sub-network for each of these purposes and use the branch firewall to ensure that only the right group of PCs in a branch can reach the right group of servers in the data centre. This also ensures that a user in one sub-network cannot get into another unless there is a valid reason for it.
We may now think of application-level security. Every transactional request must be initiated from the application, and the corresponding database simply keeps the records after the application has processed them. Since the DBA's access to the business tables cannot be restricted without a dedicated tool (Oracle Database Vault, for example), we should immediately set up a syslog server and configure the databases to forward their audit logs to it. The syslog server must be administered by the IT security team only, and the DBA must have no access to it; forwarding the logs off the database host as they are generated is what stops a DBA from editing them locally. The IT security team's routine monitoring staff should review the access logs from the syslog server regularly, looking in particular for DBA accounts reading or changing business tables. A log-reporting tool, several of which are freely available, can prepare summary reports from the syslog data.
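The routine review described above, as an added example that is not part of the original write-up: the kind of check the IT security team would run over the audit records collected on the syslog server. The log line format (key=value pairs after a db_audit: tag), the account names, table names and host names are all constructed for the example; a real Oracle or MySQL audit trail is laid out differently, so parse() is the part to adapt. The detection rules are the ones the paragraph motivates: a DBA account touching business data, the application account used from a machine that is not an application server, and anyone switching auditing off.

```python
"""Review of database audit records forwarded to a syslog server (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Accounts with DBA privileges (constructed names): they may administer the
# database but must never read or change business data directly.
DBA_ACCOUNTS = {"SYS", "SYSTEM", "DBA_RAHIM"}
# Business tables that only the application account may touch (constructed).
BUSINESS_TABLES = {"CORE.ACCOUNTS", "CORE.TRANSACTIONS", "CORE.CUSTOMERS"}
# The application servers, the only legitimate source of business-table access.
APP_HOSTS = {"app01", "app02"}
APP_ACCOUNT = "CBS_APP"

# Constructed syslog layout: "<timestamp> <server> db_audit: key=value ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<server>\S+) db_audit: (?P<kv>.*)$"
)


@dataclass
class AuditEvent:
    ts: str
    server: str
    user: str
    action: str
    obj: str
    host: str


def parse(line: str) -> Optional[AuditEvent]:
    """Parse one syslog line into an AuditEvent, or None if it is not an audit record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kv = dict(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
    return AuditEvent(m["ts"], m["server"], kv.get("user", "").upper(),
                      kv.get("action", "").upper(), kv.get("object", "").upper(),
                      kv.get("host", ""))


def review(lines: Iterable[str]) -> List[str]:
    """Return one alert string per suspicious audit record, in log order."""
    alerts: List[str] = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        # Rule 1: any attempt to switch auditing off is suspicious whoever does it.
        if ev.action == "NOAUDIT":
            alerts.append(f"{ev.ts} {ev.user} disabled auditing on {ev.obj} from {ev.host}")
        if ev.obj not in BUSINESS_TABLES:
            continue  # administrative objects are the DBA's normal business
        # Rule 2: a DBA account touching business data bypasses the application.
        if ev.user in DBA_ACCOUNTS:
            alerts.append(f"{ev.ts} DBA account {ev.user} ran {ev.action} on {ev.obj} from {ev.host}")
        # Rule 3: the application account used from anywhere but an application
        # server usually means its credentials have leaked.
        elif ev.user != APP_ACCOUNT or ev.host not in APP_HOSTS:
            alerts.append(f"{ev.ts} {ev.user}@{ev.host} accessed {ev.obj} outside the application path")
    return alerts


# Constructed sample lines (not a real capture). The last one is an unrelated
# sshd message sharing the syslog server, which the parser must ignore.
SAMPLE_LOG = """\
Mar  3 10:15:02 db01 db_audit: user=CBS_APP action=SELECT object=CORE.ACCOUNTS host=app01 program=JDBC
Mar  3 10:15:09 db01 db_audit: user=DBA_RAHIM action=SELECT object=SYS.DBA_TABLESPACES host=dba-ws07 program=sqlplus
Mar  3 10:16:41 db01 db_audit: user=DBA_RAHIM action=SELECT object=CORE.CUSTOMERS host=dba-ws07 program=sqlplus
Mar  3 10:17:05 db01 db_audit: user=SYSTEM action=UPDATE object=CORE.TRANSACTIONS host=db01 program=sqlplus
Mar  3 10:18:30 db01 db_audit: user=CBS_APP action=SELECT object=CORE.ACCOUNTS host=laptop-44 program=sqlplus
Mar  3 10:19:12 db01 db_audit: user=DBA_RAHIM action=NOAUDIT object=CORE.ACCOUNTS host=dba-ws07 program=sqlplus
Mar  3 10:19:13 db01 sshd[2211]: Accepted publickey for oracle from 10.0.5.7
""".splitlines()


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the first two lines (the application reading its own table, the DBA looking at tablespaces) produce nothing, and the remaining audit lines produce five alerts. Rule 3 is the one most often forgotten: the application account's password is usually known to several people, and the host it connects from is the only cheap way to tell the application apart from someone using its credentials interactively.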
Normally an intrusion prevention system (IPS) runs on the perimeter firewalls; it works at the network level and detects and blocks intrusion attempts from outside. But each application server in the internal zone should have its own protection as well, because intrusions into an application server from inside look different from those at the perimeter. So a host intrusion prevention system (HIPS) should be installed on each application server to monitor it and protect it from intrusion.
The DMZ is really left unattended by most banks. We do not take care of these servers, even though they provide our Internet-facing services through web services. We keep no record of how many attacks arrive from the outside world and do not analyse the behaviour of those attacks. As we are providing transactional services through these servers, we should place a web application firewall (WAF) in front of them: a WAF inspects HTTP traffic at the application layer, logs and blocks attacks such as SQL injection and cross-site scripting, and gives us exactly the records and attack analysis we are missing.
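The record-keeping and attack analysis the paragraph says is missing, as an added example that is not part of the original write-up and not any WAF vendor's rules: it classifies requests from a web server's access log and counts attacks per category and per source address. The log lines are constructed (Apache/nginx "combined" format, RFC 5737 documentation addresses); the signatures are deliberately short, a production WAF ruleset is far larger. One caveat is built in: the request path is URL-decoded twice before matching, because attackers double-encode (%252e%252e%252f) to slip past filters that decode only once.

```python
"""Counting and classifying attacks on DMZ web servers from their access logs (added example)."""
import re
from collections import Counter
from typing import Dict, Iterable, List
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Minimal attack signatures, matched against the URL-decoded request path.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(union\s+select|'\s*or\s+1\s*=\s*1|or\s+'1'\s*=\s*'1|sleep\s*\(\d+\)|;\s*drop\s+table)"),
    "traversal": re.compile(r"(\.\./|\.\.\\|/etc/passwd|boot\.ini)"),
    "xss": re.compile(r"(?i)(<script|javascript:|onerror\s*=)"),
}
SCANNER_UA = re.compile(r"(?i)(sqlmap|nikto|nmap|masscan|zgrab)")


def classify(path: str, user_agent: str) -> List[str]:
    """Return the attack categories a request matches (empty list if benign)."""
    # Decode twice so double-encoded payloads are seen in clear.
    decoded = unquote_plus(unquote_plus(path))
    categories = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    if SCANNER_UA.search(user_agent):
        categories.append("scanner")
    return categories


def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """Count attacks per category and per source IP, and list each hit."""
    by_category: Counter = Counter()
    by_ip: Counter = Counter()
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line; skip it
        cats = classify(m["path"], m["ua"])
        if not cats:
            continue
        by_category.update(cats)
        by_ip[m["ip"]] += 1
        hits.append((m["ip"], m["path"], cats))
    return {"by_category": dict(by_category), "by_ip": dict(by_ip), "hits": hits}


# Constructed sample log (not a real capture).
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Mar/2024:10:01:12 +0600] "GET /login?user=admin%27%20OR%201%3D1-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Mar/2024:10:01:20 +0600] "GET /static/..%252f..%252f..%252fetc/passwd HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Mar/2024:10:02:03 +0600] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 845 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [03/Mar/2024:10:02:30 +0600] "GET /index.html HTTP/1.1" 200 3021 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Mar/2024:10:03:11 +0600] "GET /products?id=1 HTTP/1.1" 200 1200 "-" "sqlmap/1.7.2#stable"',
    '192.0.2.10 - - [03/Mar/2024:10:04:00 +0600] "POST /transfer HTTP/1.1" 302 0 "https://bank.example/transfer" "Mozilla/5.0"',
]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("attacks by category:", summary["by_category"])
    print("attacks by source:  ", summary["by_ip"])
    for ip, path, cats in summary["hits"]:
        print(f"  {ip} {','.join(cats)} {path}")
```

Over the sample, 203.0.113.5 accounts for three of the four attacks (an SQL injection, a double-encoded traversal and a scanner run), which is the sort of per-source picture that justifies blocking an address at the WAF rather than reacting to single requests.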
A more advanced security feature is monitoring the integrity of the files that determine the authorised behaviour of an application: its executables, libraries and configuration files. Attackers target these files and change them to carry out their malicious intent. A file integrity monitoring (FIM) solution records a baseline of these files and raises an alert when any of them changes, and it can be used to protect the critical applications. Another advanced protection is security information and event management (SIEM), which collects log information from various sources, analyses it, finds patterns or trends and passes the necessary information to the right devices or people. Most SIEM systems deploy multiple collection agents in a hierarchical manner to gather security-related events from end-user devices, servers, network equipment and even specialised security equipment such as firewalls, antivirus and intrusion prevention systems. The collectors forward events to a centralised management console, which inspects them and flags anomalies. For the system to identify anomalous events, the SIEM administrator must first create a profile of the system under normal event conditions.
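The core of file integrity monitoring, as an added example that is not part of the original write-up and not any vendor's FIM product: hash every regular file under an application directory into a baseline, hash again later, and report what was added, deleted or modified. One caveat a practitioner will want is also built in: the stored baseline is authenticated with an HMAC, so an intruder who can write to the host cannot simply rewrite the baseline to match the files they tampered with; the key must be kept off the host (with the security team), not beside the baseline. The directory contents, file names and key are constructed for the example.

```python
"""File integrity monitoring: baseline, compare, and an authenticated baseline (added example)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> Dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():  # symlinks are recorded by their target elsewhere
            snap[p.relative_to(root).as_posix()] = sha256_file(p)
    return snap


def compare(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Report what changed between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def sign_baseline(snap: Dict[str, str], key: bytes) -> bytes:
    """Serialise the baseline with an HMAC-SHA256 tag on its own last line."""
    body = json.dumps(snap, sort_keys=True).encode()  # no newlines in the body
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"\n" + tag.encode()


def load_signed_baseline(blob: bytes, key: bytes) -> Dict[str, str]:
    """Verify the tag before trusting the stored baseline."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("baseline file has been tampered with")
    return json.loads(body)


def demo() -> Dict[str, List[str]]:
    """Build a throwaway application directory, tamper with it, and diff (constructed)."""
    key = b"constructed-demo-key"  # a real key is random and kept off the monitored host
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"\x7fELF original binary")
        (root / "app.conf").write_text("debug=false\n")
        stored = sign_baseline(baseline(root), key)

        # Simulate an intruder: patch the binary, drop a library, remove the config.
        (root / "bin" / "app").write_bytes(b"\x7fELF patched binary")
        (root / "bin" / "backdoor.so").write_bytes(b"not really a library")
        (root / "app.conf").unlink()

        return compare(load_signed_baseline(stored, key), baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a deployment the baseline is taken immediately after a verified install or change, the comparison runs on a schedule from the security team's host, and every non-empty report is matched against the change tickets for that server; a modification with no ticket behind it is the signal the paragraph describes.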