Wednesday, May 6, 2020

The Cyber security

Question: Analysis of Cybersecurity Capabilities?

Answer:

Introduction

Cyber security consists of the technologies, policies and procedures designed to protect public and private networks and their data from external attacks and unauthorized access (Wang and Lu 2013). Cyber security is basically security for computers: it protects a computer from theft and damage, covering both its hardware and its software components. It also protects against unwanted network access and malicious code injection, and it controls physical access to the machines. Cyber security issues grow day by day with the growing number of computer systems and our increasing dependence on them.

This report describes different types of cyber security tools and gives a brief analysis of each. It analyses two of these tools, drawn from categories such as Network Intrusion Detection System (Liao et al. 2013), Host Intrusion Detection System, Web Application Firewall (Razzaq et al. 2013), Honeypot (Holczer et al. 2015), Security Information and Event Management, and Network Vulnerability Scanner. In addition, the report contains a brief analysis of the existing threat models.

Cyber Security Threat Models and Risk Management Standards

A threat model is essential for website development or any other application development. There are various models:

STRIDE

STRIDE is a scheme that classifies threats according to the kind of damage they do to the system. STRIDE stands for:

- Spoofing identity: an attacker posing as another user is a serious risk for applications. Detecting spoofing helps ensure that no one can take on the attributes of other users.
- Tampering with data: a user's data can be manipulated or changed as the attacker wishes. It must be ensured that user data is neither lost nor stolen.
- Repudiation: disputes over transactions should be resolved by this type of procedure.
- Information disclosure: users are aware that they submit their details to the company or organization, and this can lead to wrongful use of those details. The system must prevent this kind of misuse.
- Denial of service: services can be made unavailable to their users; this category covers the attacks that deny those services.
- Elevation of privilege: access privileges are also a serious issue; this category covers an attacker gaining privileges beyond those granted.

DREAD

DREAD is a scheme that classifies risk by quantifying it and by setting priorities according to the amount of risk. The DREAD rating (Risk_DREAD) is made up of:

- Damage potential
- Reproducibility
- Exploitability
- Affected users
- Discoverability

Other existing threat models include:

- Trike
- AS/NZS 4360:2004 Risk Management
- CVSS
- OCTAVE

Host Intrusion Detection System

A host intrusion detection system (HIDS) monitors and analyses the internals of a computer system. It also watches over the network packets and the network interface of the system, and it monitors the dynamic behaviour of the computer. Computers have long had tools that monitor running processes, in the form of anti-virus programs, and those programs monitor the state of the system as well, so the line between the two is blurred and their functions overlap. A HIDS generally uses a database of the system objects it should monitor. During communication the client exchanges a passphrase to verify identities. A HIDS takes great care to prevent tampering with its data objects.
It uses cryptographic techniques for this purpose. A HIDS also gives administrators the option of storing the data in physical memory. Among HIDS tools, OSSEC is the most important one.

OSSEC

OSSEC is a tool made up of multiple pieces (Mehta et al. 2015). It consists of a central manager that receives and monitors information from syslog, agents, databases and agentless devices. OSSEC can be installed on Microsoft Windows platforms as an agent. To install it on Linux, an OSSEC server must be present. Agentless systems need an integrity check to be performed; OSSEC can scan firewalls, routers and even the operating system itself.

Input/output and configuration procedure of the tool

The process consists of several steps.

Step 1: Download and verify OSSEC on the server and on the agent

In this step the user downloads the OSSEC tool along with its checksum file. The user logs in to the server and updates the package database:

    sudo apt-get update

then installs the available updates:

    sudo apt-get upgrade

and installs the required packages on the server:

    sudo apt-get install inotify-tools build-essential

On the agent, the following is installed:

    sudo apt-get install build-essential

After this the user downloads OSSEC and its checksum file on both Droplets:

    wget -U ossec https://www.ossec.net/files/ossec-hids-2.8.1.tar.gz
    wget -U ossec https://www.ossec.net/files/ossec-hids-2.8.1-checksum.txt

Then the user verifies the MD5 sum of the compressed tarball:

    md5sum -c ossec-hids-2.8.1-checksum.txt

The output would be:

    ossec-hids-2.8.1.tar.gz: OK
    md5sum: WARNING: 1 line is improperly formatted

This should be followed by verifying the SHA1 checksum.

Step 2: Install the OSSEC server

In this step the user installs the OSSEC server.
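The checksum verification from Step 1, written out in Python as an added example (not code from the page or from the OSSEC project): it checks both the MD5 and the SHA1 line of the checksum file in one pass, which is what the two separate md5sum/sha1sum runs above achieve, and it treats a file with no usable line as a failed check rather than a pass. The BSD-style digest-line layout ("MD5 (file) = hex") and the stand-in tarball contents are assumptions.

```python
import hashlib
import os
import re
import tempfile

# Digest lines in the BSD/OpenSSL layout "MD5 (file) = hex" or "SHA1(file)= hex".
# Assumption: the OSSEC checksum file uses this layout, which is why GNU md5sum -c
# reports one "improperly formatted" line (the SHA1 one) while checking the other.
DIGEST_LINE = re.compile(
    r"^(?P<algo>MD5|SHA1|SHA256)\s*\((?P<name>[^)]+)\)\s*=\s*(?P<hex>[0-9a-fA-F]+)\s*$")
ALGOS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}


def file_digest(path, algo):
    """Hex digest of a file, read in chunks so a large tarball never sits in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tarball(tarball, checksum_file):
    """Check every digest line that names the tarball.

    Returns (ok, results): results maps algorithm -> matched?, and ok is True
    only when at least one line was found and all of them matched. A file with
    no usable line is a failure, not a pass: the download is then unverified.
    """
    name = os.path.basename(tarball)
    results = {}
    with open(checksum_file, encoding="utf-8") as f:
        for line in f:
            m = DIGEST_LINE.match(line)
            if not m or m["name"] != name:
                continue  # lines for other files or in unknown layouts are ignored
            results[m["algo"]] = file_digest(tarball, ALGOS[m["algo"]]) == m["hex"].lower()
    return bool(results) and all(results.values()), results


def demo():
    """Constructed data: a stand-in tarball, a matching two-line checksum file,
    a lookup for a file the checksum file does not cover, then the same tarball
    after tampering. Returns (good, uncovered, tampered, tampered_results)."""
    with tempfile.TemporaryDirectory() as d:
        tarball = os.path.join(d, "ossec-hids-2.8.1.tar.gz")
        with open(tarball, "wb") as f:
            f.write(b"constructed stand-in for the real tarball\n")
        sums = os.path.join(d, "ossec-hids-2.8.1-checksum.txt")
        with open(sums, "w", encoding="utf-8") as f:
            f.write(f"MD5 (ossec-hids-2.8.1.tar.gz) = {file_digest(tarball, 'md5')}\n")
            f.write(f"SHA1 (ossec-hids-2.8.1.tar.gz) = {file_digest(tarball, 'sha1')}\n")
        good, _ = verify_tarball(tarball, sums)                          # both lines match
        uncovered, _ = verify_tarball(os.path.join(d, "other.tar.gz"), sums)  # no line -> fail
        with open(tarball, "ab") as f:
            f.write(b"tampered\n")
        tampered, results = verify_tarball(tarball, sums)                # both now mismatch
        return good, uncovered, tampered, results


if __name__ == "__main__":
    print(demo())  # (True, False, False, {'MD5': False, 'SHA1': False})
```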
The following commands should be executed on one Droplet only. The user starts the installation:

    sudo ./install.sh

After this the user selects the mode in which the tool is to be installed:

    What kind of installation do you want (server, agent, local, hybrid or help)?

After a successful installation the following output is produced:

    - System is Debian (Ubuntu or derivative).
    - Init script modified to start OSSEC HIDS during boot.
    - Configuration finished properly.
    More information can be found at https://www.ossec.net
    --- Press ENTER to finish (maybe more information below). ---

Then the user presses ENTER.

Step 3: Configure the OSSEC server

The user needs to adjust the OSSEC server settings and make sure that it can send alerts to the specified email addresses. First the user needs to move into the root directory. From there the user changes into the directory holding the OSSEC configuration file, makes a backup copy of the configuration file, and then opens the original with the nano text editor:

    nano ossec.conf

The following configuration settings need to be made:

    <global>
      <email_notification>yes</email_notification>
      <email_to>sammy@example.com</email_to>
      <smtp_server>mail.example.com.</smtp_server>
      <email_from>sammy@example.com</email_from>
    </global>

After modifying the settings the user saves the file and starts OSSEC.

Step 4: Install the agent

The user installs the tool on the agent:

    sudo ./install.sh

    What is the IP Address of the OSSEC HIDS server?: your_server_ip

The user provides the IP address received earlier. For the other settings the user accepts the default values and presses ENTER.

Step 5: Add the agent to the server and extract its key
The user starts the process of adding the agent:

    /var/ossec/bin/manage_agents

To add an agent, the user is prompted to specify the name, IP address and an ID for the agent. After entering all the fields the user confirms by pressing y.

Step 6: Import the key from the server to the agent

The user imports the key from the server to the agent by copying the key from the server to the agent.

Step 7: Allow UDP port 1514 traffic through the firewalls

First the user removes the drop rule:

    sudo iptables -D INPUT -j DROP

To allow the OSSEC server, the IP address of the OSSEC agent needs to be entered. Next, all outbound traffic is allowed:

    sudo iptables -A OUTPUT -j ACCEPT

Finally, the drop rule is added again on both:

    sudo iptables -A INPUT -j DROP

Step 8: Restart the OSSEC agent and server

The user restarts the server and activates the agent with:

    /var/ossec/bin/ossec-control restart

If the connection is successful the following output is produced:

    agentUbuntu-111.111.111.111 is active.

After completing all the procedures the user receives the outputs. An alert line for the agent looks like:

    OSSEC Notification - (agentUbuntu) 111.111.111.111 - Alert level 3

OSSEC has many methods of sending alerts to other systems or applications. The main methods are syslog, email, and sending alerts to an SQL database. These output methods carry only the alerts, not the full data.

Honeypot

A honeypot is a security mechanism that detects, deflects or counters the effects of unauthorized access. It consists of data that appears to be a legitimate part of the site. The actual function of the tool is to monitor and control the processes of the website and to prevent attackers from blocking and disrupting those processes.
The process actually induces the offender to commit the offence and catches the offender in the act. These tools keep several kinds of attack from affecting websites. Varieties include deception technologies, malware honeypots and spam-trap versions of the software.

Kippo

The Kippo honeypot can be defined as a medium-interaction secure shell (SSH) honeypot, used to record brute-force attacks and the shell interaction of the attacker (Sochor and Zuzcak 2014). Python 2.5+, Twisted 8.0, PyCrypto and Zope Interface are required to run this software (Rivers and Koedinger 2015). It should be run as a dedicated non-root user. Basic Kippo configuration consists of switching to the dedicated user and then obtaining Kippo. The essential logging table is then created, after which a setup suitable for the environment is made. Once everything is configured, Kippo can be run with ./start.sh. It has the option of accepting more than one password for a user name, although this may look suspicious to attackers. It also has an annoying "sticky" feature: the attacker cannot leave the shell simply by typing the exit command. It acts like a honeytrap that holds the attacker in a shell which executes commands and shows meaningless results. Kippo-Graph is another feature that allows the user to view the honeypot data statistically. Kippo-Graph uses the Libchart PHP library. It collects all attacks over a given period and presents them as statistics, which increases the usefulness of Kippo's logging into an SQL database. The generated graphs are in Python. Each graph is generated twice, once at a larger scale and once at a tenth of that size.

Input/output and configuration procedure of the tool

The following files are required to install Kippo:
- kippo - directory with the Kippo source files (Python);
- kippo.tac - configuration file for twistd (twistd is required to run Kippo);
- start.sh - shell script for starting Kippo.

For configuration, the configuration file has to be edited. The configuration file template can be found at https://kippo.googlecode.com/svn/trunk/kippo.cfg.dist. The main configuration file for the tool is saved under the name kippo.cfg. There are three sections in the configuration file:

- [honeypot] - mandatory section containing the core honeypot configuration;
- [database_mysql] - optional section containing the configuration of the MySQL logging module;
- [database_xmpp] - optional section containing the configuration of the XMPP logging module.

In the [honeypot] section the following parameters are defined:

- ssh_addr - IP address on which Kippo listens for new connections (the default, 0.0.0.0, means any IP address);
- ssh_port - TCP port on which Kippo listens for new connections (default is 2222);
- hostname - hostname displayed by the shell prompt;
- log_path - directory for saving log files;
- download_path - directory for saving files downloaded by the emulated wget command;
- download_limit_size - maximum size of a downloaded file;
- filesystem_file - path to the file containing the emulated filesystem;
- contents_path
- txtcmds_path
- data_path
- public_key
- private_key
- out_addr - IP address used by the emulated wget for opening outgoing connections;
- sensor_name
- fake_addr
- banner_file
- interact_enabled
- interact_port

In the [database_mysql] section the following are configured:
- host - name of the server running the database;
- database - database name;
- username - name of the database user;
- password - password of the database user;
- port - port on which the database listens for new connections.

In the [database_xmpp] section the following fields are configured:

- server - name of the XMPP server;
- user - name of the XMPP user;
- password - password of the XMPP user;
- muc - name of the MUC (multi-user chat) service;
- signal_createsession
- signal_connectionlost
- signal_loginfailed
- signal_loginsucceeded
- signal_command
- signal_clientversion
- debug - flag (true or false).

Some options for twistd also have to be set:

- option -l (log file): default is log/kippo.log;
- option --pidfile: default is kippo.pid.

The tool also requires some additional configuration data:

- userdb.txt - text file containing in each row a login:uid:password triple;
- last.log - text file containing information about the last logins to the system emulated by Kippo.

After the configuration is complete, the start-up procedure is carried out: the start.sh script is executed to start the process.
Output characteristics of Kippo. For each recorded item, the letters show where it is stored: L = main log, B = database (MySQL logging module), X = XMPP logging module.

Establishment of a TCP connection:
- source IP address: L, B, X;
- source TCP port: L, X;
- target IP address: L, X;
- target TCP port: L, X;
- time of establishment of the TCP connection: L, B.

Termination of a TCP connection/SSH session:
- reason for termination of the TCP connection/SSH session: L;
- time of termination of the TCP connection/SSH session: L, B*, X*;
- in the case of termination of an SSH session: content of the file with the SSH session history: B*.

Receiving information about the version of the SSH client:
- client version: L, B*, X*;
- time of receiving the client version information: L.

Establishing the encrypted connection:
- encryption algorithm: L;
- time of establishment of the encrypted connection: L.

Authentication attempt of the client:
- login: L, B, X;
- password: L, B, X;
- information on whether the attempt was successful: L, B, X;
- time of the client's authentication attempt: L, B;
- in the case of successful authentication (i.e. creation of an SSH session): size of the terminal: L, B; name of the file created to record the SSH session history: L; values of environment variables (e.g. XMODIFIERS, LANG): L.

Execution of shell commands:
- command name: L, B, X;
- information on whether the command was recognized by Kippo: L, B, X;
- time of command execution: L, B;
- in the case of the wget command: URL of the downloaded file: L, B; name of the file where the download was saved on the host machine: L, B; time of starting the download: L, B; time of finishing the download: L.

Data input to a shell command:
- command name: L, B;
- input data: L, B;
- time of data input: L, B.

Output format

Main log: each entry consists of three parts:
- timestamp - log entry creation time;
- context - log entry context;
- message - log entry message.

An established TCP connection appears in the main log as a single entry:
    context := [kippo.core.honeypot.HoneyPotSSHFactory]
    message := New connection: IP_source:port_source (IP_dest:port_dest) [session: session_id]

where:
- IP_source: source IP address;
- port_source: source TCP port;
- IP_dest: target IP address;
- port_dest: target TCP port;
- session_id: number uniquely identifying the TCP connection/SSH session in the main log (session identifier).

The output generated by this connection:

    2013-01-08 14:18:25+0100 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 192.168.122.1:35533 (192.168.122.82:2222) [session: 0]

Log entries about establishing the encrypted connection:

    2013-01-08 14:18:26+0100 [HoneyPotTransport,0,192.168.122.1] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
    2013-01-08 14:18:26+0100 [HoneyPotTransport,0,192.168.122.1] outgoing: aes128-ctr hmac-md5 none
    2013-01-08 14:18:26+0100 [HoneyPotTransport,0,192.168.122.1] incoming: aes128-ctr hmac-md5 none
    2013-01-08 14:18:26+0100 [HoneyPotTransport,0,192.168.122.1] NEW KEYS
    2013-01-08 14:18:26+0100 [HoneyPotTransport,0,192.168.122.1] starting service ssh-userauth

The authentication attempt of the client:
    2013-01-08 14:33:27+0100 [SSHService ssh-userauth on HoneyPotTransport,0,192.168.122.1] login attempt [root/123456] succeeded
    2013-01-08 14:33:27+0100 [SSHService ssh-userauth on HoneyPotTransport,0,192.168.122.1] root authenticated with keyboard-interactive
    2013-01-08 14:33:27+0100 [SSHService ssh-userauth on HoneyPotTransport,0,192.168.122.1] starting service ssh-connection
    2013-01-08 14:33:27+0100 [SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] got channel session request
    2013-01-08 14:33:27+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] channel open
    2013-01-08 14:33:27+0100 [SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] got global no-more-sessions@openssh.com request
    2013-01-08 14:33:27+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] pty request: xterm (33, 129, 0, 0)
    2013-01-08 14:33:27+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] Terminal size: 33 129
    2013-01-08 14:33:27+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] request env: \x00\x00\x00\nXMODIFIERS\x00\x00\x00\x08@im=none
    2013-01-08 14:33:27+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] request env: \x00\x00\x00\x04LANG\x00\x00\x00\npl_PL.utf8
    2013-01-08 14:33:27+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] getting shell
    2013-01-08 14:33:27+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] Opening TTY log: /var/log/kippo/log/tty/20130108-143327-9152.log
    2013-01-08 14:33:33+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] /etc/motd resolved into /etc/motd

Execution of a shell command:

    2013-01-08 14:51:47+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] CMD: wget www.dna.caltech.edu/Papers/DNAorigami-nature.pdf
    2013-01-08 14:51:47+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] Command found: wget www.dna.caltech.edu/Papers/DNAorigami-nature.pdf
    2013-01-08 14:51:47+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] Starting factory HTTPProgressDownloader: https://www.dna.caltech.edu/Papers/DNAorigami-nature.pdf
    2013-01-08 14:51:50+0100 [HTTPPageDownloader,client] Updating realfile to /var/log/kippo/dl/20130108145147_http___www_dna_caltech_edu_Papers_DNAorigami_nature_pdf
    2013-01-08 14:51:50+0100 [HTTPPageDownloader,client] Stopping factory

Input of data to a command:

    2013-01-08 14:51:47+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] INPUT (passwd): pp

MySQL database records. Establishment of the connection:

    insert into sensors (id, ip) values (3, 'kippo_hp');
    insert into sessions (id, starttime, endtime, sensor, ip, termsize, client) values ('e28678b4599511e2bab10800277e980c', '2013-01-08 13:18:26', NULL, 3, '192.168.122.1', NULL, NULL);

Termination of the TCP connection:

    update sessions set endtime = '2013-01-08 14:03:22' where id = 'e28678b4599511e2bab10800277e980c';
    insert into ttylog (id, session, ttylog) values (4, 'e28678b4599511e2bab10800277e980c', BLOB);

XMPP output. The TCP connection information (session created, then connection lost):

    <message from="kippo-events-createsession@conference.localhost/kippo-XDJQcVxo" type="groupchat" to="kkoltys@localhost/localhost">
      <body>
        <kippo xmlns="https://code.google.com/p/kippo/" type="createsession">
          <session local_host="127.0.0.1" session="136371692cdb4d91b3eec6ff04618232" local_port="2222" remote_port="35533" remote_host="192.168.122.1"/>
        </kippo>
      </body>
    </message>

    <message from="kippo-events-connectionlost@conference.localhost/kippo-XDJQcVxo" type="groupchat" to="kkoltys@localhost/localhost">
      <body>
        <kippo xmlns="https://code.google.com/p/kippo/" type="connectionlost">
          <session session="136371692cdb4d91b3eec6ff04618232"/>
        </kippo>
      </body>
    </message>
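The main-log format described above (timestamp, [context], message) parsed as an added example, not code from the page or from the Kippo project: it groups entries by session id, which later entries carry inside their context, and pulls out the items the listing marks with L (connection endpoints, login attempts and their outcome, commands and whether Kippo recognised them, data input). SAMPLE_LOG is constructed, modelled on the page's excerpts.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the main-log layout above (timestamp [context] message),
# modelled on the page's excerpts plus a failed login and an unknown command.
SAMPLE_LOG = """\
2013-01-08 14:18:25+0100 [kippo.core.honeypot.HoneyPotSSHFactory] New connection: 192.168.122.1:35533 (192.168.122.82:2222) [session: 0]
2013-01-08 14:33:20+0100 [SSHService ssh-userauth on HoneyPotTransport,0,192.168.122.1] login attempt [root/123] failed
2013-01-08 14:33:27+0100 [SSHService ssh-userauth on HoneyPotTransport,0,192.168.122.1] login attempt [root/123456] succeeded
2013-01-08 14:51:47+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] CMD: wget www.dna.caltech.edu/Papers/DNAorigami-nature.pdf
2013-01-08 14:51:47+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] Command found: wget www.dna.caltech.edu/Papers/DNAorigami-nature.pdf
2013-01-08 14:52:01+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] CMD: frobnicate
2013-01-08 14:52:01+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] Command not found: frobnicate
2013-01-08 14:53:10+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,0,192.168.122.1] INPUT (passwd): pp
this line is not in the log layout and is skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<ctx>[^\]]*)\] (?P<msg>.*)$")
TRANSPORT_RE = re.compile(r"HoneyPotTransport,(?P<sid>\d+),")
NEW_CONN_RE = re.compile(r"New connection: (?P<src>[\d.]+):(?P<sport>\d+) "
                         r"\((?P<dst>[\d.]+):(?P<dport>\d+)\) \[session: (?P<sid>\d+)\]")
LOGIN_RE = re.compile(r"login attempt \[(?P<user>[^/]*)/(?P<pw>[^\]]*)\] (?P<result>succeeded|failed)")
CMD_RE = re.compile(r"^CMD: (?P<cmd>.*)$")
FOUND_RE = re.compile(r"^Command (?P<found>found|not found): ")
INPUT_RE = re.compile(r"^INPUT \((?P<prog>[^)]*)\): (?P<data>.*)$")


@dataclass
class Session:
    sid: int
    src: str
    sport: int
    dst: str
    dport: int
    first_seen: str
    logins: list = field(default_factory=list)    # (user, password, succeeded)
    commands: list = field(default_factory=list)  # {"cmd": ..., "recognised": ...}
    inputs: list = field(default_factory=list)    # (program, data)

    @property
    def compromised(self):
        return any(ok for _, _, ok in self.logins)


def parse_line(line):
    """Split one main-log entry into (timestamp, context, message); None if it is not one."""
    m = LINE_RE.match(line)
    return (m["ts"], m["ctx"], m["msg"]) if m else None


def build_sessions(text):
    """Group entries by Kippo session id and pull out the items listed above."""
    sessions = {}
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, ctx, msg = parsed
        if (m := NEW_CONN_RE.search(msg)):
            sid = int(m["sid"])
            sessions[sid] = Session(sid, m["src"], int(m["sport"]), m["dst"], int(m["dport"]), ts)
            continue
        t = TRANSPORT_RE.search(ctx)  # later entries carry the session id in the context
        if not t or int(t["sid"]) not in sessions:
            continue                  # session started outside this excerpt
        s = sessions[int(t["sid"])]
        if (m := LOGIN_RE.search(msg)):
            s.logins.append((m["user"], m["pw"], m["result"] == "succeeded"))
        elif (m := CMD_RE.match(msg)):
            s.commands.append({"cmd": m["cmd"], "recognised": None})
        elif (m := FOUND_RE.match(msg)) and s.commands:
            s.commands[-1]["recognised"] = m["found"] == "found"
        elif (m := INPUT_RE.match(msg)):
            s.inputs.append((m["prog"], m["data"]))
    return sessions
```

Entries whose session did not start inside the parsed text are skipped rather than misattributed, which matters when a log is rotated in the middle of a session.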
The remaining event types use the same structure. Client version:

    <message from="kippo-events-clientversion@conference.localhost/kippo-XDJQcVxo" type="groupchat" to="kkoltys@localhost/localhost">
      <body>
        <kippo xmlns="https://code.google.com/p/kippo/" type="clientversion">
          <version session="136371692cdb4d91b3eec6ff04618232" version="SSH-2.0-OpenSSH_5.3"/>
        </kippo>
      </body>
    </message>

Failed login:

    <message from="kippo-events-loginfailed@conference.localhost/kippo-XDJQcVxo" type="groupchat" to="kkoltys@localhost/localhost">
      <body>
        <kippo xmlns="https://code.google.com/p/kippo/" type="loginfailed">
          <credentials session="136371692cdb4d91b3eec6ff04618232" password="123" username="root"/>
        </kippo>
      </body>
    </message>

Successful login:

    <message from="kippo-events-loginsucceded@conference.localhost/kippo-XDJQcVxo" type="groupchat" to="kkoltys@localhost/localhost">
      <body>
        <kippo xmlns="https://code.google.com/p/kippo/" type="loginsucceeded">
          <credentials session="136371692cdb4d91b3eec6ff04618232" password="123456" username="root"/>
        </kippo>
      </body>
    </message>

Command execution:

    <message from="kippo-events-command@conference.localhost/kippo-XDJQcVxo" type="groupchat" to="kkoltys@localhost/localhost">
      <body>
        <kippo xmlns="https://code.google.com/p/kippo/" type="command">
          <command session="136371692cdb4d91b3eec6ff04618232" command="known">pwd</command>
        </kippo>
      </body>
    </message>

Conclusion

In conclusion, there are various types of security tools that are open source, so they can be obtained for free and free services can be obtained from them. This report gives a brief analysis of various kinds of security tools. Each tool has different features and is efficient in its own way, so different tools must be used for different functions in different situations, although most of the tools are suitable for almost all types of job and for all types of open source platform.

References

Arambatzis, T., Lazaridis, I. and Pouros, S., 2016, May. Modern Windows Server Operating Systems Vulnerabilities. In The Third International Conference on Computer Science, Computer Engineering, and Social Media (CSCESM2016) (p. 29).
Arney, C.A. and Wang, X., 2016, September. Active Snort Rules and the Needs for Computing Resources: Computing Resources Needed to Activate Different Numbers of Snort Rules. In Proceedings of the 5th Annual Conference on Research in Information Technology (pp. 54-54). ACM.
Bacs, A., Giuffrida, C., Grill, B. and Bos, H., 2016, April. Slick: an intrusion detection system for virtualized storage devices. In Proceedings of the 31st Annual ACM Symposium on Applied Computing (pp. 2033-2040). ACM.
Blas, G., Javier, F., Wyrzykowski, R., Jeannot, E. and Carretero Pérez, J., 2015. Proceedings of the Second International Workshop on Sustainable Ultrascale Computing Systems (NESUS 2015), Krakow, Poland.
Choug, J., Kayal, E.S., Ben-Nissanh, B. and Oktari, F.N., 2015. Nano-Bioceramic Synthesis from Tropical Sea Snail Shells (Tiger Cowrie-Cypraea Tigris) with Simple Chemical Treatment. methods, 23, p.24.
Di Rita, M., Nascetti, A. and Crespi, M., 2017. Open source tool for DSMs generation from high resolution optical satellite imagery: development and testing of an OSSIM plug-in. International Journal of Remote Sensing, 38(7), pp.1788-1808.
Holczer, T., Félegyházi, M. and Buttyán, L., 2015. The design and implementation of a PLC honeypot for detecting cyber attacks against industrial control systems.
Keller, N., 2015. Cybersecurity Framework-Industry Resources.
Liao, H.J., Lin, C.H.R., Lin, Y.C. and Tung, K.Y., 2013. Intrusion detection system: A comprehensive review. Journal of Network and Computer Applications, 36(1), pp.16-24.
Lin, H., Slagell, A., Kalbarczyk, Z. and Iyer, R.K., 2014, September. Semantic security analysis of scada networks to detect malicious control commands in power grids (poster). In Proceedings of the 7th International Conference on Security of Information and Networks (p. 492). ACM.
Mehta, V., Bahadur, P., Kapoor, M., Singh, P. and Rajpoot, S., 2015, February. Threat prediction using honeypot and machine learning. In Futuristic Trends on Computational Analysis and Knowledge Management (ABLAZE), 2015 International Conference on (pp. 278-282). IEEE.
O'Leary, M., 2015. IIS and ModSecurity. In Cyber Operations (pp. 457-483). Apress.
Razzaq, A., Hur, A., Shahbaz, S., Masood, M. and Ahmad, H.F., 2013, March. Critical analysis on web application firewall solutions. In Autonomous Decentralized Systems (ISADS), 2013 IEEE Eleventh International Symposium on (pp. 1-6). IEEE.
Rivers, K. and Koedinger, K.R., 2015. Data-driven hint generation in vast solution spaces: a self-improving python programming tutor. International Journal of Artificial Intelligence in Education, pp.1-28.
Rizal, M., 2015, July. RANCANG BANGUN SISTEM PENCEGAHAN PENYUSUPAN PADA JARINGAN KOMPUTER BERBASIS CYBEROAM. In Seminar Nasional Informatika (SEMNASIF) (Vol. 1, No. 3).
Sochor, T. and Zuzcak, M., 2014, June. Study of internet threats and attack methods using honeypots and honeynets. In International Conference on Computer Networks (pp. 118-127). Springer International Publishing.
Wang, W. and Lu, Z., 2013. Cyber security in the Smart Grid: Survey and challenges. Computer Networks, 57(5), pp.1344-1371.
Xu, Z., Malmer, D., Langille, M.G., Way, S.F. and Knight, R., 2014. Which is more important for classifying microbial communities: who's there or what they can do? The ISME Journal, 8(12), p.2357.
