Table of Contents
- Executive Summary
- Wireless and BYOD Security Plan
- Threats Associated with Wireless Technology and BYOD
- Ways of Identifying Rogue and Authorized Access Points
- The plan to Secure Wireless Networks and BYOD within the Organization
- How Identity Theft and MAC Spoofing Could Take Place in the Workplace
- MAC Spoofing
- Ways of Detecting MAC Spoofing and Identity Theft
- What should be conducted before Starting this Investigation?
- Were Your Actions Authorized, Was the Notification Valid, or are there any other Concerns?
- Continuous Improvement Plan
- Remote Configuration Management
- How to Remove Employee Devices from the System Based on the BYOD Policy
The most critical asset in the life of any organization is Information. As a result, so many people get out to get the hands-on data and trade secrets of other organizations for malicious acts. Reports are issued daily about cyber-attacks on influential organizations. States and different countries have been forced to enforce policies due to the sensitive nature of data security. However, despite all that has been done to do away with cyber-attacks, they have continued to occur. This is why an incident report is required to minimize the impact that any attempted or actual unauthorized access to systems has on the confidentiality, integrity, and availability of any institution’s data resources, application and process. A good incident report is needed to give institutions a practical approach to managing such incidents and limiting the negative consequences. It is also essential since it improves an institution’s ability to restore operations affected by such incidents promptly.
An incident report is often detailed and explains the factors that led to an attack and gives the best line of action needed for recovery. It also offers step-by-step actions that must be taken to identify what led to the attack, including analysis of users’ behaviours and activities before and after the attack and the types of configurations that may lead to the attack—finally, the report details what was affected and the best business continuity plan. A cybersecurity Incident Response policy must be developed with a broader view of the climate under which the organization is operating in terms of types of security threats witnessed and the frequency of attacks. The main objective of these reports is always to ensure such incidences never occur again in the organization’s life.
Wireless and BYOD Security Plan
With the continued sophistication of technology and increasing performance advantages, many companies are now deploying wireless accessibility and relying on a wireless network to carry more of their operations. Wireless technology has also made operations on the Internet of Things to go up significantly, therefore exposing numerous data to the threats associated with the internet. Many technologies such as WAN, Wireless Access Points and Set identifiers are now a part of most users’ daily lives, thanks to wireless technologies. The organization also has a BYOD (bring your device) policy to make employees’ lives much more straightforward. BYOD and wireless technology expose the organization to several threats.
A computer security incident can be defined as attempted or successful unauthorized access, misuse, or disclosure of data transmitted through the computing systems and networks, including hacking and theft. This paper discusses Cyber Security Incident Report plan and the security threats and risks associated with BYOD and the wireless technologies used by the company. Also, the form will look into the Cyber Kill Chain framework, and an approach could be used to improve the incident response times for networks.
Threats Associated with Wireless Technology and BYOD
- Unauthorized Equipment: Only those authorized by an employer should be used to handle work data. However, some employees tend to use personal tools that are fitted with all the policy requirements. This is a significant risk to the company. Connecting these devices to the company network may create a gateway into the system for hackers. This is why some applications to detect the IP addresses of devices accessing any account must be deployed by the system managers and logs of access kept daily (Long, 2018). All tools used by the employees must be password-protected, have tracking applications, and must be fitted with antivirus applications and must be updated regularly.
- Rogue Access Points: This is one of the most common wireless security threats, mostly used in DoS, DDoS attacks and other phishing attacks. Most of these rogue access points are established by internal employees who aim to enjoy unfettered wireless access. These access points are always weak points because of how attackers can exploit them to get into an organization’s network. Other rogue access issues are established by neighbouring companies using another company’s wireless connection for free (Long, 2018). These points are always not encrypted and authenticated, thereby presenting a vast security hazard to the company.
Ways of identifying Rogue and Authorized Access Points
Every system administrator must have devices such as Wireless radios to initiate an automatic analysis of a systems RF spectrum for all the access points transmitting in each spectrum field of the network. The RF scans will send signals if they discover third-party transmitters in addition to the juniper radios. The system administrator considers the non-juniper transmitters’ potential rogues by default. This is because all the MAC addresses for the Juniper transmitter are stored in appropriate databases. In case a transmitter is a juniper device. The MAC address is not stored correctly; it implements an identification protocol to identify it as non-rogue. All the rogue devices are then reported to Mobile Satellite Service.
The process of classifying rogue access points and clients is as in the figure below:
The Plan to Secure Wireless Networks and BYOD within the Organization
- BYOD Policy
Having a documented BYOD policy is the primary guidance in securing the organization’s BYOD form of operation. The system must state the best use practices and a straightforward process of auditing personal data types to be accessed and the devices to be used. The second section of the BYOD policy must establish a clear plan of using a sandbox or ring-fencing of data to ensure data on devices is heavily encrypted and backed up if the device is misplaced or accessed by unauthorized persons (Long, 2018).
The third section of the policy should have other recommendations, such as how corporate data should be stored on personal devices, how the data should be transferred from the personal device to the company’s servers and how and when the corporate data should be deleted from the individual machine.
- The Wireless Policy Recommends the Following:
- Data Encryption: The guideline recommends that the wireless network be encrypted with powerful security techniques. The wireless security protocols recommended include WEP, WPA, and WPA2. All have up to standard capabilities to support the entire networks’ encryption as the data is transmitted over the airwaves (Miller, 2018).
- Periodic Review of Network Security: The security of a network depends on how often the admin inspects the packets, ports and the entire infrastructure. Periodic inspection should be done every two weeks.
- Password Protection: All the network devices and the accounts must be password protected. The passwords must adhere to all the password policies.
- Authentication and Authorization Protocols: The network must be fitted with an Intrusion Detection System and Intrusion Prevention Systems to help with the process of access control (Miller, 2018).
- The Wireless Policy Recommends the Following:
Cyber Kill Chain Framework and Approach
The term “Cyber Kill Chain” is essential because it creates a clear understanding of the stages of cyber-attack. The Cyber Kill Chain framework is intrusion-centric, making it a necessary tool for intrusion detection and prevention. The framework relies on eight stages: Reconnaissance, Weaponization, Delivery, Exploit, Installation, Command & Control, and Actions to protect an organization’s network. Usually, the Cyber Kill Chain framework is combined with advanced analytics and predictive modelling to make it more sophisticated inside out security. The breakdown into the above stages helps identify the active state of a data breach. The user identification module also brings advanced threat intelligence to every step of the kill chain, which is critical for stopping ongoing attacks before the damage is done (Wyspianskiego, 2019). Using the kill chain model gives the system administrators and the system itself a better understanding of the reasons and methods of attack so that the cybersecurity incident response team (CERT / CSIRT) can identify participants in the anti-organization campaign quickly and determine the directions and methods of defence to deploy to stop the attack. Cyber Kill Chain framework trains the system on how to defend itself before help arrives.
Tracking Suspicious Behavior
How can you monitor the company’s asset location?
All company devices have a database where all the MAC addresses are stored. Also, I have found my device applications installed. However, when an employee can disable all the features that can be used to track the company, there are instances. In this case, the answer lies in deploying a switch port mapping tool such as SolarWinds that has a User Device Tracker. The device devises tracks activities and pinpoints the exact location using the area network satellite that the device is using. This way, the tacker can move directly to where the device signal is transmitted.
How identity theft and MAC Spoofing Could Take Place in the Workplace
- Identity Theft
Identity thieves can steal personal information directly or indirectly by:
- Stealing their colleagues’ wallets and purses that contain their containing identification cards or any access information.
- Spoofing is another common way that employees use to steal other employees’ identities.
- Sending unsuspecting colleagues’ malicious links requesting a change of access details under the pretense of being senior-level management to make them issue their login credentials. The link will redirect the information to their emails (Meyer, 2018).
- Preventing Identity Theft
- It is essential that all employees verify the source of their emails before changing any passwords and access credentials
- All computers and mobile devices must have firewall programs and virus protection applications to stop any malicious activity (Meyer, 2018).
- All employees should keep their access cards and credentials hidden at all times to avoid access by unauthorized persons.
- It is also essential to use the Secure Socket Layer (SSL), and its successor Transport Layer Security (TLS) technologies to encrypt all data that is transmitted over the networks (Meyer, 2018).
MAC spoofing at work can be done on any device connected in the network, either as a wireless device or the AP. Some of the ways through which MAC spoofing is done include:
- Domain Name Service Spoofing (DNS): DNS spoofing is implemented so that a user is convinced that the system it wants to connect to is a hackers machine. An alternative link is provided to redirect the connection to the actual hacker (Reindl, 2016). The hackers then modify the records of the legitimate user to what will allow them access easily.
- Address Resolution Protocol Spoofing (ARPS): The Address Resolution Protocol (ARP) is used in this case to convince a legitimate user that the attacker’s work station is the trusted point of access.
Preventing MAC Spoofing
The generalized Countermeasures that any organization can use to prevent spoofing include:
- Filtering all incoming packets that seem to be coming from an internal IP address at the work perimeter.
- Filtering outgoing packets that seem to be coming from an invalid local IP address.
- Using a robust authentication and access control protocol. This may include using updated versions of IDS and IPS (Reindl, 2016).
- Using double key encryption of all the outgoing and incoming data
- Using Secure Socket Layers to protect authentication cookies.
Ways of Detecting MAC Spoofing and Identity Theft
The process of detecting a MAC address spoofing and identity theft includes:
One way to detect these two incidences is by using a WISE GUARD (Wireless Security Guard) tool that can be used for detection of MAC address spoofing on 802.11 wireless LANs and any form of Identity theft. This tool integrates three detection techniques known as Operating System (OS) fingerprinting & tracking, SN tracking and Received Signal Strength (RSS) fingerprinting & monitoring. In addition to these three primary techniques, the tool can deploy a method that includes fingerprinting of Access Point (AP) parameters, an extension to the OS fingerprinting (Peethambaran, 2017).
What Should be Conducted Before Starting this Investigation?
Suspicions without any form of evidence are not a base to invade an employee’s privacy. Before the entire process, a fair investigation and comprehensive audit of the employee’s activities had to be conducted as per the terms of the agreement signed by both the employee and the organization at the beginning of the contractual period. He
Were Your Actions Authorized, Was the Notification Valid, or are there any other Concerns?
Access to personal information and tracking individual devices is quite sensitive due to data privacy issues. However, in this case, all the actions were authorized since the terms under which the steps were taken were agreed on by both the employee and the employer. Also, the notifications were valid since the audit process identified malicious activities. The employee set up rogue access points contrary to the best use practices established in both the network management and the cybersecurity policies.
Continuous Improvement Plan
- Wired Equivalent Privacy and also Wi-Fi Protected Access Networks
- Wired Equivalent Privacy: This [protocol was developed for wireless networks, and the International Cyber security bodies approved it as a Wi-Fi security standard in September 1999. This protocol was created to offer the same security level as wired networks. The protocol presented some challenges that were very easy to break and very hard to configure (Phillips, 2019).
- Pros of WEP : It is very affordable and easy to use.
- Cons of WEP: It is effortless for hackers to break the WEP protocol using freely available tools. WEP protocol does not support most of the high-level encryptions, which makes it quite insecure.
- Wi-Fi Protected Access Networks: This was an upgrade from the WEP. It performed all the functions that were performed and included a few enhancements.
- It is also very cheap and affordable.
- It can run a series of similar functions that WEP was unable to run.
- Cons : After a series of tests and adoption in the public domain, this protocol was quite vulnerable to intrusion.
- WPA 2: This was an upgrade from WPA. It was a stepping stone aimed at ensuring that all that WPA could not handle were possible (Phillips, 2019).
Pros : WPA 2 introduced the Advanced Encryption Standard that ensured that all the client networks were secure. WPA2 also introduced the Counter Cipher Mode that had a robust Block Chaining Message Authentication Code Protocol aimed at replacing the TKIP.
- Cons: It was still unable to detect impending vulnerabilities; therefore, it could not act swiftly to resolve the impending danger.
- WPA2 Pre-Shared Key
WPA2-PSK is also known as Personal mode and is mostly used for home and small office networks. The scheme works in that the wireless router encrypts network traffic with a key. The key is usually calculated from a passphrase set up on the router. This passphrase must be entered for a device to connect and understand the encryption. It is important to note that Wi-Fi, specifically 802.11i/WPA2, apply the AES-CCMP and a key ((Pre-shared Key) derivation function, both of which are compliant FIPS 140-2.
Other protocols and their pros and cons
|Bluetooth||Secure because it uses two-step authentication and also point to point access.
|It can only be used over a short range.
It is only for small file transfers.
|WiFi-ah (HaLow)||It promises a long range communication
Data encryption is heavy thus secures
|It cannot be used for larger bandwidth hence cannot be used transmit large files.|
|Z-Wave||Its faster than Bluetooth and secure due to the two-step authentication||Only possible for short-range transmission of small size data|
|ZigBee||Carries small data over short range while using a very low power consumption unlike Bluetooth that uses much power
It uses the 2.4 GHz ISM frequency band which makes it universally accepted
|The encryption levels are not very strong making the data transmitted vulnerable to attacks.|
Remote Configuration Management
- Remote Configuration Management in the Organization
Website management has become very easy, thanks to technology advancement experienced in remote configuration management. To this end, the entire organization and the employees continue to enjoy the benefits and the ease of access presented by the latest remote control configuration implemented in the organization. Employees are now able to work from any location they are at any time. Under a strict remote access policy, employees can connect with their work stations even on weekends. The configuration module has an operation status section that is used to track all connected users. The module can follow all the access points using the radio and the RF spectrum (Essay, 2018). All the logs are inspected and produced by the report module. An admin can then access all the records and get rid of any rogue access point identified, hence maintaining the entire system’s security. The remote configuration is as in the figure below:
How to Remove Employee Devices from the System Based on the BYOD Policy
All the allowed access points and devices have their IP addresses logged in a different database. Those that are considered rogue also have their IP addresses stored in a blacklist or database referred to as the blacklist. Any employee who has to be removed will have the IP address of their devices transferred to the blacklist. Once they are saved in the blacklist, they will be automatically removed. To prove that the device was released, a system query will be run on the blacklist database and the allowed database; if the IP is not found in the permitted database, this would mean that they are entirely removed.
Not all employees will adhere to all the rules established by the management of an organization. This means that the steps and necessary processes will have to be shown to help investigate employee misbehavior.
Ad-Hoc wireless Network
Ad-hoc networks can be defined as peer-to-peer networks that are known to be set up between wireless computers that lack any form of access points between them. Therefore, these networks are not encrypted, leaving the entire system vulnerable to attacks such as spoofing, denial of services, and cyber exploitation. This network can only be useful to the company if the company needs a connection that is not over the IoT (UK Essay, 2018). Making this security can be done through monitoring all the incoming and outgoing activities using an activity logger.
How to Hide all the Sensitive Information and Signals
Since the company’s network handles sensitive data, using end to end encryption can be used to hide passwords. A radiofrequency device monitors all the movements. Ensuring that the frequencies and the modulations are kept hidden make the transmissions private, thereby protecting the entire network infrastructure (Miller, 2019).
- Countermeasures for signal hiding
- Turning off SSID that is often broadcasted by wireless access points
- Assigning cryptic variable or parameter (names) to SSIDs
- Reducing the signal strength to a minimum level that will still be able to provide requisite coverage
- Ensuring that the wireless access point is located away from exterior walls and windows
Service Set Identifier (SSID)
SSID is used by cyber security professionals to identify networks. It is sometimes referred to as a “network name.” The SSID makes stations establish a connection when several independent systems operate in the same geographical area (Chu & Vlantis, 2018). SSIDs are usually broadcast by each access point several times per minute to advertise its presence in the network.
The most common way to identify if an employee is working outside the business hours is through employee tracking software. The software logs in access times for every account, which can then be reviewed at the start of each working day by the system manager. The software can also be used to set up the maximum number of hours expected from each employee account every week; if the hours go beyond the set limit, it automatically proves that the employee works outside business hours.
Cyber security is an investment that any company must make to avoid falling victim. There is a tremendous advantage in avoiding any of the incidences of cyber-attacks, such as avoiding lawsuits and gaining customer trust. Organizations must work extra hard to prevent any form of insider threat since cyber security only begins from keeping the internal affairs in order. Failing to control the employees is the swift steps of a recipe for disaster. Before hiring, employees must be subjected to a series of scrutiny, including finding out what the referees listed have to say. Any employee found lying about certain things must be kept under close watch to validate their authenticity before allowing access to sensitive data.