CSEC610 Individual Assignment 2
Disclaimer/Caveat/Disclosure/Whateveryouwouldliketocallthis:
You are more than welcome to use my paper below as a reference. But, please be smart and do not simply copy and paste, because your Prof. or TA will know. Just like you, they have access to this website as well. So be nice and smart and don't set yourself up for failure; at the very least you should rephrase/paraphrase/reword/Whateveryouprefertocallthis. Just a suggestion, but at the end of the day, it will be your decision. :)
Also, I have gotten at least 90% on each of my papers, but that DOES NOT guarantee that you will get the same. It depends almost exclusively on how your professor looks at your response and how s/he grades. The ones that I got were awesome professors, and my work and my points came across to them, hence the higher grade. So, basically, what I am trying to say here is that if you score less than 90% while using my papers as a reference or as a whole, don't curse me out; you just got a stricter professor. :)
Abstract:
This paper discusses the potential vulnerabilities an airport network faces from inside and outside its perimeter, whether the threat comes from an external hacker or from a disgruntled employee. It then presents one of the many solutions a network administrator can apply to protect a vulnerable network from these threats, and it weighs the advantages and disadvantages of that solution.
With the increasing reliance on technology, a cyber attack on an organization can be as devastating as a physical attack, if not more so. From a small piece of office equipment like a paper stapler to a people carrier like a Boeing 787 Dreamliner, and everything in between, they all rely on some sort of technology. They all have sensors, computers and electronics to make them work and to make our lives easier and more convenient. The cost of this convenience? Vulnerability to an individual, or a group of individuals, out in the world with access to our network and ill intentions. All they need is back-door access to our gadgets and networks, and they will be running around like a kid in Disney World.
Air travel is one of the million conveniences we have created for ourselves. Making journeys shorter and faster is one of the perks that air travel offers. It is safer than driving and quicker than sailing around the world. But, at the same time, it is a nightmare for airport security personnel to keep everything safe and smooth. When it comes to security, airports are more vulnerable than almost any other place to an attack. In the good old, less technologically advanced times, it was relatively easy for security personnel to keep the bad guys out. Nowadays, it is a different story and a totally different ball game. A hacker with a laptop, wireless capabilities and the right knowledge can cripple an airport's security within hours, if not minutes. Network security personnel have to be on their toes all the time to keep their networks safe from any kind of potential threat from cyberspace.
One example of a recent cyber attack at an airport is the "technical snag" at Indira Gandhi International Airport (IGIA), Delhi, India. On June 29th, 2011, at around 0230, the Common Use Passengers Processing System (CUPPS) at IGIA became non-operational due to malicious code planted from a remote location. According to the Indian Express:
"Three months ago, a ‘technical snag’ had hit operations at the state-of-the-art T3 terminal at Indira Gandhi International Airport (IGIA). It now turns out it was caused by a “malicious code” sent from a remote location to breach the security at the airport.
A hunt has been launched to nab the perpetrator with the CBI registering a case under the IT Act and IPC. Investigators say that the “malicious code” was in the form of “attack scripts”, which means a programme (sic) was written by an expert to exploit the system’s security weakness."
The IGIA incident might have involved foreign powers, or it might have been internal groups working against the government, such as a separatist or religious group. But an outside adversary is not always the case. Sometimes a disgruntled airport employee can be a threat to an airport facility too, and that can be a bigger threat than an outsider. Why? Because he or she knows the inside and knows the system better than an outsider does. An example of this is the 46-year-old Transportation Security Authority (TSA) employee Douglas James Duchak of Denver, Colorado.
On Oct. 22, 2009, seven days after he was told his employment would be terminated on Oct. 30, Duchak accessed a sensitive database and deleted instructional code necessary to format information received in connection with the arrest-warrant database, according to the DoJ. (Montalbano, 2011)
At the time, he also injected unauthorized code into the Colorado Springs Operations Center (CSOC) server containing data from the U.S. Marshal's Service Warrant Information Network. The next day Duchak tried to load malicious code onto a server that contained the Terrorist Screening Database, investigators found. (Montalbano, 2011)
Duchak's actions were detected several days later after his replacement observed what he believed to be unauthorized code in the system, according to the DoJ. The TSA then shut down the system to avoid any further damage. (Montalbano, 2011)
Looking at the examples above, one might wonder what the best option is for keeping an airport IT system secure. Everyone talks and worries about the outside enemy, but what about the enemy within? How does one deal with a computer-savvy disgruntled employee who has just been laid off, like Douglas Duchak?
Airport infrastructure is complex and costly to maintain. The Federal Aviation Administration (FAA) develops, maintains, and operates one of the largest and most complex of these critical infrastructures; an infrastructure that is almost totally information centric. Destroying information or changing it improperly can disrupt the work of the FAA and the national airspace system. The disclosure of sensitive information about ongoing, critical transportation functions to unauthorized entities can harm the operations of the FAA and other government agencies. (Mehan, 2000)
Information systems employed by the FAA are another component of the airport information system collage. As far back as 1997, security experts advised the US government about the vulnerability of computer security in the aviation sector, especially the systems maintained by the FAA. (Amorosi, 2010)
During an international conference on aviation security in Washington, Peter Neumann – a principal scientist at SRI International’s computer science laboratory – warned that the complex systems associated with air traffic control were of particular concern. “Significant problems have arisen in computer-communication systems for air-traffic control”, Neumann cautioned. These problems, while not unique to the aviation industry, are part of a long history of “fiascos” that he cited “in attempts to develop large infrastructural computer-communications systems, which are increasingly dominated by their software complexity”. (Amorosi, 2010)
This fact became glaringly clear after a 2009 audit by the Department of Transportation Inspector General and its subsequent report on the state of web application security and intrusion detection being employed by the FAA. It said that more than 800 computer-security related incidents were reported to the FAA in 2008, and in 2009 in excess of 45 000 employee records were stolen when hackers broke into an FAA computer server. (Amorosi, 2010)
The report called to task the FAA’s lack of intrusion detection system (IDS) capabilities at 734 air traffic control facilities across the nation, in addition to dozens of insecure web applications being used by aviation authorities. (Amorosi, 2010)
During the audit, penetration testers employed by the Inspector General found 763 high-risk vulnerabilities among 70 applications tested, not to mention the hundreds upon thousands of medium and low-risk vulnerabilities. (Amorosi, 2010)
The report concludes that vulnerabilities in these web-based applications, widely used across FAA locations, could be used to infect FAA networks and, once infected, “FAA user computers would take orders from hackers to attack other computers or send critical network information to hackers.” (Amorosi, 2010)
To protect an airport network from potential threats from hackers, a network Intrusion Detection and Prevention System (IDPS) can be a wise investment. It is not the only control needed to protect the whole network, but in combination with multi-layered preventive measures, an IDPS can be a viable protection against hackers and unwanted intruders.
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSs have become a necessary addition to the security infrastructure of nearly every organization. (Scarfone & Mell, 2007)
IDPSs typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDPSs can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack’s content. (Scarfone & Mell, 2007)
There are three kinds of IDPSs: Host-Based IDS (HIDS), Network-Based IDS (NIDS) and Application-Based IDS.
Host-Based IDS (HIDS):
Host-based systems were the first type of IDS to be developed and implemented. These systems collect and analyze data that originate on a computer that hosts a service, such as a Web server. Once this data is aggregated for a given computer, it can either be analyzed locally or sent to a separate/central analysis machine. One example of a host-based system is programs that operate on a system and receive application or operating system audit logs. These programs are highly effective for detecting insider abuses. Residing on the trusted network systems themselves, they are close to the network’s authenticated users. If one of these users attempts unauthorized activity, host-based systems usually detect and collect the most pertinent information in the quickest possible manner. In addition to detecting unauthorized insider activity, host-based systems are also effective at detecting unauthorized file modification. (Innella, 2010)
Possible host-based IDS implementations include Windows NT/2000 Security Event Logs, RDMS audit sources, Enterprise Management systems audit data (such as Tivoli), and UNIX Syslog in their raw forms or in their secure forms such as Solaris' BSM; host-based commercial products include RealSecure, ITA, Squire, and Entercept, to name a few. (Innella, 2010)
Advantages:
- Host-based IDSs can detect attacks that are not detectable by a network-based IDS since they have a view of events local to a host.
- Host-based IDSs can operate in a network that is using encryption when the encrypted information is decrypted on, or before reaching, the monitored host.
- Host-based IDSs can operate in switched networks. (http://csrc.nist.gov/)
Disadvantages:
- The collection mechanisms must usually be installed and maintained on every host to be monitored.
- Since portions of these systems reside on the host being attacked, host-based IDSs may be attacked and disabled by a clever attacker.
- Host-based IDSs are not well suited for detecting network scans of all hosts in a network since the IDS at each host only sees the network packets that the host receives.
- Host-based IDSs often have difficulty detecting and operating in the face of denial-of-service attacks.
- Host-based IDSs use the computing resources of the hosts they are monitoring. (http://csrc.nist.gov/)
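The two host-based strengths named above, detecting unauthorized file modification and catching insider activity such as a soon-to-be-terminated account touching a sensitive system, can be illustrated with a small check. This is an added example, not code from the paper or from any product it names; the file paths, user names, termination dates and audit log lines are constructed sample data.

```python
"""Host-based detection of unauthorized file modification and insider access.

Two minimal HIDS-style checks: a SHA-256 baseline of monitored files is
compared against the current state (modified / deleted / added), and an
audit log is scanned for activity by accounts on a termination list.
All paths, contents, users and log lines are constructed sample data.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed baseline snapshot: path -> contents when the baseline was taken.
BASELINE_FILES = {
    "/opt/warrants/format_rules.py": b"def fmt(rec):\n    return rec.strip()\n",
    "/opt/warrants/loader.py": b"import csv\n",
    "/etc/warrants.conf": b"db=warrants\n",
}

# Constructed current snapshot: one file changed, one deleted, one added.
CURRENT_FILES = {
    "/opt/warrants/format_rules.py": b"def fmt(rec):\n    return rec.upper()\n",
    "/etc/warrants.conf": b"db=warrants\n",
    "/opt/warrants/.hidden.py": b"print('new')\n",
}

# Constructed audit log: ISO timestamp, user, action, object (one malformed line).
AUDIT_LOG = [
    "2009-10-20T09:12:00 user=alice action=READ object=/opt/warrants/loader.py",
    "2009-10-22T14:05:11 user=bob action=DELETE object=/opt/warrants/loader.py",
    "2009-10-22T14:06:30 user=bob action=WRITE object=/opt/warrants/format_rules.py",
    "malformed line",
]
TERMINATED = {"bob": "2009-10-15"}  # user -> date termination notice was given

LOG_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) object=(\S+)$")


def build_baseline(files):
    """Return {path: sha256 hex digest} for a snapshot of file contents."""
    return {p: hashlib.sha256(data).hexdigest() for p, data in files.items()}


def check_integrity(baseline, current):
    """Compare a stored hash baseline against the current snapshot."""
    now = build_baseline(current)
    return {
        "modified": sorted(p for p in baseline if p in now and now[p] != baseline[p]),
        "deleted": sorted(p for p in baseline if p not in now),
        "added": sorted(p for p in now if p not in baseline),
    }


def flag_terminated_access(log_lines, terminated):
    """Return (user, action, object) for activity by a listed account on or
    after its notice date; such accounts should have been restricted by then."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        ts, user, action, obj = m.groups()
        notice = terminated.get(user)
        if notice and datetime.fromisoformat(ts) >= datetime.fromisoformat(notice):
            hits.append((user, action, obj))
    return hits
```

Both checks run entirely from data on the monitored host, which is exactly what makes them immune to network encryption and switching but also exposes them to being disabled by an attacker who already controls that host.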
Network-Based IDS (NIDS):
As opposed to monitoring the activities that take place on a particular network, Network-based intrusion detection analyzes data packets that travel over the actual network. These packets are examined and sometimes compared with empirical data to verify their nature: malicious or benign. Because they are responsible for monitoring a network, rather than a single host, Network-based intrusion detection systems (NIDS) tend to be more distributed than host-based IDS. Software, or appliance hardware in some cases, resides in one or more systems connected to a network, and is used to analyze data such as network packets. Instead of analyzing information that originates and resides on a computer, network-based IDS uses techniques like “packet-sniffing” to pull data from TCP/IP or other protocol packets traveling along the network. This surveillance of the connections between computers makes network-based IDS great at detecting access attempts from outside the trusted network. In general, network-based systems are best at detecting the following activities:
- Unauthorized outsider access: When an unauthorized user logs in successfully, or attempts to log in, they are best tracked with host-based IDS. However, detecting the unauthorized user before their log on attempt is best accomplished with network-based IDS.
- Bandwidth theft/denial of service: These attacks from outside the network single out network resources for abuse or overload. The packets that initiate/carry these attacks can best be noticed with use of network-based IDS. (Innella, 2010)
Some possible downsides to network-based IDS include encrypted packet payloads and high-speed networks, both of which inhibit the effectiveness of packet interception and deter packet interpretation. Examples of network-based IDS include Shadow, Snort!, Dragon, NFR, RealSecure, and NetProwler. (Innella, 2010)
Advantages:
- A few well-placed network-based IDSs can monitor a large network.
- The deployment of network-based IDSs has little impact upon an existing network. The network-based IDSs are usually passive devices that listen on a network wire without interfering with the normal operation of a network. Thus, it is usually easy to retrofit a network to include network-based IDSs with a minimal installation effort.
- Network-based IDSs can be made very secure against attack and even made invisible to many attackers. (http://csrc.nist.gov/)
Disadvantages:
- Network-based IDSs may have difficulty processing all packets in a large or busy network and, therefore, may fail to recognize an attack launched during periods of high traffic. Some vendors are attempting to solve this problem by implementing IDSs completely in hardware, which is much faster. The need to analyze packets quickly also forces vendors to try and detect attacks with as little computing resources as possible, which may reduce detection effectiveness.
- Many of the advantages of network-based IDSs do not always apply to more modern switch-based networks. Switches can subdivide networks into many small segments (usually one fast Ethernet wire per host) and can provide dedicated links between hosts serviced by the same switch. Most switches do not provide universal monitoring ports and this reduces the monitoring range of a network-based IDS sensor to a single host. In switches that do provide such monitoring ports, often the single port cannot mirror all traffic traversing the switch.
- Network-based IDSs cannot analyze encrypted information. This increasingly will become a problem as use of encryption becomes more popular both by organizations and by attackers.
- Most network-based IDSs do not report whether or not an attack was successful, they only report that an attack was initiated. After a detected attack, administrators must manually investigate each attacked host to determine whether or not the hosts were penetrated. (http://csrc.nist.gov/)
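The contrast between a network sensor's segment-wide view and a single host's view (the scan-detection point made for host-based IDS above, and the "few well-placed sensors" advantage here) can be shown with a small scan detector run over the same packet records from both vantage points. This is an added example, not code from the paper or from any IDS product it names; the packet records, addresses and thresholds are constructed sample data.

```python
"""Network-based scan detection versus a single host's view of the same traffic.

A NIDS on a shared segment sees every host's packets, so it can correlate one
source probing many destination/port pairs in a short window. A HIDS on one
host sees only packets addressed to that host, so the same scan looks like a
single stray connection attempt. Packet records are constructed sample data.
"""
from collections import defaultdict

# Constructed packet records: (timestamp_seconds, src, dst, dport, tcp_flags)
PACKETS = [
    (0.0, "10.9.9.9", "10.0.0.1", 22, "S"),
    (0.1, "10.9.9.9", "10.0.0.2", 22, "S"),
    (0.2, "10.9.9.9", "10.0.0.3", 22, "S"),
    (0.3, "10.9.9.9", "10.0.0.4", 80, "S"),
    (0.4, "10.9.9.9", "10.0.0.5", 443, "S"),
    (0.5, "10.9.9.9", "10.0.0.6", 3389, "S"),
    (1.0, "10.0.0.7", "10.0.0.1", 22, "S"),   # ordinary admin SSH session
    (1.5, "10.0.0.7", "10.0.0.1", 22, "A"),
    (40.0, "10.0.0.8", "10.0.0.2", 80, "S"),  # slow, spread-out probes
    (41.0, "10.0.0.8", "10.0.0.3", 80, "S"),  # stay below the threshold
    (90.0, "10.0.0.8", "10.0.0.4", 80, "S"),
]


def detect_scanners(packets, threshold=5, window=10.0):
    """Return {src: total distinct (dst, dport) targets} for every source that
    sent initial SYNs to at least `threshold` distinct targets within any
    `window`-second span (a sliding window over that source's SYNs)."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, flags in packets:
        if "S" in flags and "A" not in flags:  # initial SYN only, not SYN/ACK
            by_src[src].append((ts, (dst, dport)))
    scanners = {}
    for src, probes in by_src.items():
        probes.sort()
        start = 0
        for end in range(len(probes)):
            while probes[end][0] - probes[start][0] > window:
                start += 1
            if len({t for _, t in probes[start:end + 1]}) >= threshold:
                scanners[src] = len({t for _, t in probes})
                break
    return scanners


def host_view(packets, host):
    """The packets a host-based sensor on `host` could see: only those sent to it."""
    return [p for p in packets if p[2] == host]
```

Running `detect_scanners` over all of `PACKETS` flags the fast scanner, while running it over `host_view(PACKETS, "10.0.0.1")` flags nothing, because that host received exactly one of the six probes.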
Application-Based IDSs:
Application-based IDSs monitor the events transpiring within an application. Often application-based IDSs detect attacks by analyzing the application’s log files. By interfacing with an application directly and having significant domain or application knowledge, application-based IDSs are more likely to have a more discerning or fine-grained view of suspicious activity in the application. (http://csrc.nist.gov/)
Advantages:
- Application-based IDSs can monitor activity at a very fine granularity, which often allows them to track unauthorized activity to individual users.
- Application-based IDSs can often work in encrypted environments, since they interface with the application that may be performing encryption. (http://csrc.nist.gov/)
Disadvantages:
- Application-based IDSs may be more vulnerable than host-based IDSs to being attacked and disabled since they run as an application on the host they are monitoring. (http://csrc.nist.gov/)
Implementation of IDPS:
The first step in IDPS implementation is designing an architecture. Architectural considerations include the following:
- Where should the sensors or agents be placed?
- How reliable should the solution be, and what measures should be used to achieve that reliability, such as having multiple sensors monitor the same activity in case a sensor fails, or using multiple management servers so that a backup server can be used in case the primary server fails?
- Where will the other components of the IDPS be located (e.g., management servers, database servers, consoles), and how many of each component are needed to achieve the necessary usability, redundancy, and load balancing goals?
- With which other systems does the IDPS need to interface, including the following:
  - Systems to which it provides data, such as security information and event management software, centralized log servers, e-mail servers, and paging systems
  - Systems on which it initiates prevention responses (e.g., firewalls, routers, switches)
  - Systems that manage IDPS components, such as network management software (for a management network) or patch management software (for keeping consoles' operating systems and applications fully up-to-date)
- Will a management network be used? If so, what will its design be, and if not, how will the IDPS communications be protected on the standard networks?
- What other security controls and technologies need to be altered to accommodate IDPS deployment, such as changing firewall rule-sets to allow IDPS components to communicate? (Scarfone & Mell, 2007)
Before performing a production implementation, organizations should consider implementing the components in a test environment first to reduce the likelihood of implementation problems disrupting production. When the components are being deployed to production networks, organizations should initially activate only a few IDPS sensors or agents. Because a new deployment is likely to generate a large number of false positives until fully tuned and customized, activating many sensors or agents at once might overwhelm the management servers and consoles, making it difficult for administrators to perform tuning and customization. (Scarfone & Mell, 2007)
References:
Acquiring and deploying intrusion detection system (1999). Retrieved from http://csrc.nist.gov/publications/nistbul/itl99-11.txt
Amorosi, D. (August 4th 2010). Securing friendly skies. Retrieved from http://www.infosecurity-magazine.com/view/11504/securing-the-friendly-skies/
Crich, N., & Waterston, M. (2009). Developing an IT strategy for a growing regional airport. Journal of Airport Management, 3(4), 328-336
Innella, P. (November 3rd 2010). An introduction to IDS. Retrieved from http://www.symantec.com/connect/articles/introduction-ids
Mehan, D. (2000). The Federal Aviation Administration's layered approach. TR News (211), 8-30.
Montalbano, E. (January 13th 2011). TSA hacker sentenced to prison. Retrieved from http://www.informationweek.com/news/government/security/229000639
Scarfone, K. & Mell, P. (February 2007). Guide to intrusion detection and prevention systems (IDPS): Recommendations of the National Institute of Standards and Technology. NIST Special Publication 800-94.
Tripathi, R. (September 25th 2011). Cyber attack led to IGI shutdown. Indian Express Newspaper.