Ownership And Annualized Loss Expectancy


02 Nov 2017


Total cost of ownership, commonly shortened to TCO, is a calculation intended to help people make more accurate financial decisions. Rather than analysing only the purchase price of an item, TCO looks at the entire cost from acquiring to discarding it. Thus the extra costs expected to be incurred during the lifetime of an item are added to the initial purchase price.

The below table illustrates the total cost of ownership for the online ticketing service:

Total Cost of Ownership

Item                                                 Calculation                  Cost ($)
6 Web Servers @ $8,000                               8,000 * 6                      48,000
2 Database Servers @ $12,000                         12,000 * 2                     24,000
Total Hardware Cost                                  48,000 + 24,000                72,000

Annual Support Cost, web servers @ $1,000            1,000 * 6                       6,000
Annual Support Cost, database servers @ $2,500       2,500 * 2                       5,000
Total Support Cost per year                          6,000 + 5,000                  11,000
Support Cost over 5 years                            5 * 11,000                     55,000

2 Web Administrators @ $50,000 per annum             50,000 * 2                    100,000
1 Infrastructure Administrator @ $50,000 per annum   50,000 * 1                     50,000
Admin Cost over 5 years                              (100,000 + 50,000) * 5        750,000

Total Cost of Ownership                              72,000 + 55,000 + 750,000     877,000

Annual Loss Expectancy

The annualized loss expectancy is the predictable financial loss that an asset can suffer from a given risk over a one-year period. It is defined as:

ALE = SLE * ARO

SLE refers to the Single Loss Expectancy while ARO stands for Annualized Rate of Occurrence.

The benefit of this computation (ALE) is that it can be used directly in a cost-benefit analysis. It will therefore be used to determine the monetary loss the company may face if a threat occurs:

As the company's management states in the scenario, the turnover is $400,000,000 annually. Thus, calculating (400,000,000 * 12 hrs) / 8,760 hrs shows that the company's turnover over a 12-hour outage is $547,945.21.

It is also estimated that costs due to reconfiguration, delayed development and lost work will cost the company $3,508 per breach. This has been calculated as 0.4% of the TCO of $877,000.00.

The company had to refund 20,000 fraudulent tickets sold at $25.00 each. Thus, 20,000 tickets * $25.00 costs the company $500,000.

It is also noted that the company had to pay $5,000 to recover from a DDoS attack.

Adding all of the above gives a Single Loss Expectancy (SLE) of $1,056,453.21.

The Annualized Loss Expectancy (ALE) is the SLE multiplied by the Annualized Rate of Occurrence (ARO). Thus, $1,056,453.21 * 2 equals $2,112,906.42.

Annual Savings

The Company will pay an annual salary of $50,000.00 to each of the eight full-time security administrators that need to be employed. This sums to ($50,000.00 * 8) $400,000.00 annually.

The annual security budget for hardware and software for the next five years, to be administered by these security administrators, is $200,000.00.

The salaries, hardware and software costs calculated above sum to $600,000.00.

On the other hand, if these preventive measures are not taken, the Company will need to spend $2,112,906.42 per year (ALE). This is $1,512,906.42 more ($2,112,906.42 - $600,000).

The Company will therefore save $1,512,906.42 per year.
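The TCO, SLE, ALE and annual-saving figures above, carried through in one place as an added worked example that is not part of the original essay. It uses only the numbers the essay gives; the function and variable names are my own, and `Decimal` arithmetic with half-up rounding to whole cents is an assumption about how the essay's figures were rounded.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
HOURS_PER_YEAR = 8760


def money(value) -> Decimal:
    """Round to whole cents, half-up (assumed rounding rule)."""
    return Decimal(value).quantize(CENT, rounding=ROUND_HALF_UP)


def total_cost_of_ownership(hardware: dict, support: dict, staff: dict, years: int) -> Decimal:
    """TCO = one-off hardware + (annual support + annual staff) * years.
    Each dict maps an item name -> (quantity, unit cost)."""
    one_off = sum(Decimal(q) * Decimal(c) for q, c in hardware.values())
    yearly = sum(Decimal(q) * Decimal(c) for q, c in support.values())
    yearly += sum(Decimal(q) * Decimal(c) for q, c in staff.values())
    return money(one_off + yearly * years)


def turnover_at_risk(annual_turnover, outage_hours) -> Decimal:
    """Turnover lost during an outage, pro-rated over the 8,760 hours in a year."""
    return money(Decimal(annual_turnover) * Decimal(outage_hours) / Decimal(HOURS_PER_YEAR))


def single_loss_expectancy(components) -> Decimal:
    """SLE: the cost of one occurrence, as the sum of its loss components."""
    return money(sum(Decimal(x) for x in components))


def annualized_loss_expectancy(sle, aro) -> Decimal:
    """ALE = SLE * ARO (expected occurrences per year)."""
    return money(Decimal(sle) * Decimal(aro))


def annual_saving(ale, annual_control_cost) -> Decimal:
    """Positive when the controls cost less per year than the loss they avert."""
    return money(Decimal(ale) - Decimal(annual_control_cost))


# Figures from the essay's scenario: item -> (quantity, unit cost in dollars).
HARDWARE = {"web server": (6, 8000), "database server": (2, 12000)}
SUPPORT = {"web server support": (6, 1000), "database server support": (2, 2500)}
STAFF = {"web administrator": (2, 50000), "infrastructure administrator": (1, 50000)}


def scenario() -> dict:
    """Run the essay's cost-benefit analysis end to end."""
    tco = total_cost_of_ownership(HARDWARE, SUPPORT, STAFF, years=5)
    outage = turnover_at_risk(400_000_000, 12)          # 12-hour outage
    breach_overhead = money(tco * Decimal("0.004"))     # 0.4% of TCO
    refunds = money(Decimal(20_000) * Decimal(25))      # fraudulent tickets
    ddos_recovery = money(5_000)
    sle = single_loss_expectancy([outage, breach_overhead, refunds, ddos_recovery])
    ale = annualized_loss_expectancy(sle, 2)            # ARO = 2 per year
    controls = money(8 * 50_000 + 200_000)              # 8 admins + security budget
    return {"tco": tco, "sle": sle, "ale": ale, "saving": annual_saving(ale, controls)}


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name:>7}: ${value:,.2f}")
```

The functions take their inputs as parameters, so the same code re-runs the analysis when the ARO or a loss component is revised.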

TASK 2

Intrusion Detection


An Intrusion Detection System (IDS) is software or a device used to monitor network or system activity for policy violations or malicious activity. As no single intrusion detection solution can detect all malicious activity on the network, intrusion detection is best achieved by integrating different technologies.

There are three (3) main components that can be implemented to detect malicious activity:

Network Intrusion Detection system (NIDS)

This method analyses the traffic travelling on an entire subnet. It works in a loose manner, matching the traffic travelling on the subnet against a collection of well-known attacks. When an attack is recognised, or the system senses abnormal behaviour, it can send an alert to the system administrator. It is therefore suggested that the system be installed on the subnets where the firewalls are located, so that it detects whether anyone has attempted to break into the firewall.

Figure 2. Typical Network Intrusion Detection System

Network Node Intrusion detection system (NNIDS)

This type of intrusion detection system analyses the data passed from the network to a particular host. It differs from NIDS in that it analyses the traffic to a single host rather than the whole subnet. It is usually installed on VPN devices so that the data can be analysed once it has been decrypted; therefore, anyone who tries to break into the VPN device will be detected.

Host Intrusion Detection System (HIDS)

HIDS is a method where a snapshot of the system files is compared with a previous snapshot. If the snapshots do not match because system files were modified or deleted, an alert is sent to the system administrator so that he/she can investigate.

Figure 2. Typical host IDS architecture
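The snapshot-and-compare check that a HIDS performs, as an added example that is not part of the original essay or of any IDS product: it hashes every file under a directory, keeps the digests as a baseline, and reports files that were modified, deleted or added since. The directory layout and the tampering in `demo()` are constructed, and SHA-256 via `hashlib` is my choice of digest.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between two snapshots; any non-empty list is an alert."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "deleted": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }


def demo() -> dict:
    """Constructed scenario in a throwaway directory: take a baseline, tamper, re-check."""
    with tempfile.TemporaryDirectory() as d:
        etc = Path(d) / "etc"
        etc.mkdir()
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        (etc / "motd").write_text("Welcome to the ticketing server\n")
        (etc / "app.conf").write_text("listen = 443\n")
        baseline = snapshot(Path(d))
        # Simulated tampering: edit one file, delete another, drop in an unexpected one.
        (etc / "hosts").write_text("127.0.0.1 localhost\n203.0.113.9 payments.example\n")
        (etc / "motd").unlink()
        (etc / "unexpected.conf").write_text("debug = on\n")
        return compare(baseline, snapshot(Path(d)))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a deployment the baseline would be written to read-only or off-host storage, since an intruder who can rewrite the baseline can silence the alert.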

Pros and Cons of Implementing an Intrusion Detection System (IDS)

Although an IDS does not solve all security-related issues, it helps system administrators keep a computerised system as secure as possible. The following section highlights what an IDS can and cannot do:

An intrusion detection system can:

Trace user activity.

Sense when a system is under attack.

Detect configuration errors that exist in a system.

Be managed easily by non-expert staff.

Serve as a basis for the system administrator to develop a policy for computing assets.

Automate monitoring tasks.

On the other hand, an intrusion detection system cannot:

Compensate for weak identification and authentication methods.

Investigate attacks without human involvement.

Examine all the traffic on a busy network.

Tackle weaknesses in network protocols.

Implementing an Intrusion Detection and Intrusion Prevention System

It is suggested that an Intrusion Detection System be implemented in a layered approach, in four (4) layers.

The first layer is responsible for monitoring the network and network devices; this is achieved by using NIDS and honeypots to monitor the traffic passing over the network.

The second layer is responsible for monitoring computer systems for malicious activity; this is the duty of the HIDS and honeypots. Implementing the HIDS requires specific software; one recommended product for this purpose is SIEM 2.0 produced by LogRhythm. Honeypots are an essential part of an Intrusion Detection System because they provide information about which attacks are being directed against the company.

The third layer analyses the data gathered by the intrusion detection devices over time. This information is collected so that the system administrator gains a better understanding of the types of attack that are happening and can adapt the system to defend the weakest areas. The information that can be gathered during a breach includes:

Which protocols and ports are being used.

A detailed log that includes the date and time of the activity.

The security level of the event.

The source and destination network addresses.

Portmap messages, as these identify calls to services initiated by remote hosts, so any unauthorised access to services that are not active or not allowed to be accessed remotely is easily noticed by the system administrators.

Login messages, as these give a good indication of when a user has failed to log in to the system. Although this may happen because users forget their passwords, it also indicates whether anyone has tried to break into the system by discovering passwords through a brute-force attack.

Online statistics and events, as these indicate how the system is being used and how the network connectivity is performing.

The fourth layer can be called the knowledge-based area because it contains current news, web sites and newsgroups that offer information about malicious activity and attacks.

Another suggested approach is the Distraction Technique, which distracts detected intruders by emulating different operating systems and applications. This is usually achieved by emulating a web server or another service that returns a mock response to requests.

This technique is useful because it can confuse a possible attacker and buy time for a well-organised response.
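The login-message analysis described in the third layer above, as an added example that is not code from the original essay: it parses constructed OpenSSH-style auth log lines and separates a forgotten password (one failure, then success) from a brute-force attempt (many failures from one source in a short window), escalating the alert when a flagged source later logs in successfully. The log lines, the threshold of five failures per minute, and the function names are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH auth.log style; not captured from a real system.
SAMPLE_LOG = """\
Mar 10 08:00:01 tix sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 08:00:03 tix sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 10 08:00:04 tix sshd[4122]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 08:00:05 tix sshd[4123]: Failed password for alice from 198.51.100.4 port 40111 ssh2
Mar 10 08:00:06 tix sshd[4124]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 08:00:08 tix sshd[4125]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 08:00:12 tix sshd[4126]: Failed password for root from 203.0.113.7 port 51027 ssh2
Mar 10 08:00:13 tix sshd[4127]: Accepted password for root from 203.0.113.7 port 51028 ssh2
Mar 10 08:00:41 tix sshd[4128]: Accepted password for alice from 198.51.100.4 port 40112 ssh2
Mar 10 08:00:50 tix CRON[4130]: pam_unix(cron:session): session opened for user root
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(log_text: str) -> list:
    """Extract (timestamp, result, user, source) from login messages; skip other lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a login message
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog lines carry no year
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_brute_force(events, threshold: int = 5, window=timedelta(seconds=60)) -> dict:
    """Map source address -> alert level.
    'brute_force': at least `threshold` failures within `window` from one source.
    'possible_compromise': a source already flagged then logs in successfully."""
    alerts = {}
    recent_failures = defaultdict(list)   # src -> timestamps of failures inside the window
    for ts, result, _user, src in sorted(events):
        if result == "Failed":
            kept = [t for t in recent_failures[src] if ts - t <= window]
            kept.append(ts)
            recent_failures[src] = kept
            if len(kept) >= threshold:
                alerts.setdefault(src, "brute_force")
        elif result == "Accepted" and src in alerts:
            alerts[src] = "possible_compromise"
    return alerts


if __name__ == "__main__":
    for src, level in detect_brute_force(parse(SAMPLE_LOG)).items():
        print(f"{src}: {level}")
```

The single failure from 198.51.100.4 followed by a successful login never reaches the threshold and raises nothing, which is the forgotten-password case the text distinguishes from an attack.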

Proposed Intrusion Detection System Diagram

Figure 2. Proposed NIDS diagram

TASK 3

Denial of Service Attacks


A denial of service (DoS) attack or distributed denial of service (DDoS) attack covers many types of attack designed to make network resources, such as a host connected to the Internet, unusable.

Usually these attacks target sites and services hosted on high-profile web servers, including root name servers, credit card payment gateways and banks. They saturate the target machine with external communication requests, overloading the server so that it cannot respond to legitimate traffic. This may force the server to be reset, or exhaust its resources so that it can no longer offer its intended service.

Denial of service attacks violate the Internet Architecture Board's Internet proper use policy and the acceptable use policies of virtually all Internet service providers. They also violate the laws of individual nations.

According to the United States Computer Emergency Readiness Team, although not all service interruptions are the effect of a denial of service attack, the following list highlights possible clues that might indicate a Denial of Service or Distributed Denial of Service attack:

Slow network performance, noticeable when opening files or accessing websites

Inability to access any website

Inability to access a particular website

A noticeable increase in the amount of spam received in your email account

Distributed Denial of Service Attacks

A distributed denial-of-service (DDoS) attack is one in which a number of compromised systems attack a single target; as mentioned earlier, this causes a denial of service for users of the targeted system.

In a distributed denial of service attack, the attacker begins by discovering and exploiting a vulnerability in one computer system to make it the DDoS master. This allows the attacker to identify and communicate with other systems that can also be compromised. Once a system is compromised, the intruder can load attack tools available on the Internet onto other compromised systems. The attacker then instructs these computers to launch a flood attack against a chosen target, and the flood causes a denial of service.

It is important to highlight that a computer controlled by an intruder is known as a bot or zombie, and a group of such computers controlled by an intruder is known as a zombie army. Both Symantec and Kaspersky Labs have stated that zombie armies are the biggest threat to Internet security. The following diagram depicts a typical scenario:

http://www.techexams.net/technotes/securityplus/images/ddosattack.gif

Figure 3.1. DDoS attack diagram

Source: http://www.techexams.net/technotes/securityplus/attacks-DDOS.shtml#teardrop

Types of Attacks

ICMP Attack

A smurf attack is a method of flooding used in DoS attacks on the Internet. It depends on misconfigured network devices that allow packets to be sent to all hosts on a network through the network's broadcast address rather than to a particular machine; the network is thereby turned into a smurf amplifier. To complete the attack, the offenders send a huge number of IP packets with the source address forged to appear to be that of the victim. Once begun, this quickly consumes the network's bandwidth and prevents legitimate packets from reaching their destination.

To combat denial of service attacks on the public Internet, services such as the Smurf Amplifier Registry, a list of misconfigured devices found on the Internet, give network service providers the ability to identify misconfigured networks and take appropriate actions such as filtering.

ICMP attacks also include the ping flood, which involves sending the victim an overwhelming number of ping packets, typically using the "ping" command from Unix-like hosts.

The ping of death is another method, which sends a number of malformed ping packets intended to crash the system.

SYN Flood

A SYN flood happens when a host sends a flood of TCP SYN packets, often with a forged sender address. Each packet is handled as a connection request, causing the server to open a half-open connection by sending back a TCP SYN-ACK packet (acknowledgement) and waiting for a response packet from the sender address (the final ACK). Because the sender address is forged, the reply never comes. These half-open connections fill the number of connections the server is able to hold, keeping it from replying to genuine requests. The diagram below illustrates how a SYN flood attack operates.

http://tomicki.net/images/halfopenconnection.png

Figure 3.2. SYN Flood attack

Source: http://tomicki.net/syn.flooding.php
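A small model of the half-open connection table described above, as an added example that is not part of the original essay or of any TCP implementation: spoofed SYNs that never complete the handshake fill a fixed-size backlog, a genuine client arriving during the flood is refused, and only once the flood stops and the stale entries age out does the backlog recover. The capacity, timeout, addresses and timings are constructed.

```python
from collections import OrderedDict


class HalfOpenTable:
    """Models a listening socket's SYN backlog: a SYN creates a half-open entry, the
    client's final ACK completes it, and entries older than `timeout` seconds are reaped."""

    def __init__(self, capacity: int, timeout: float):
        self.capacity = capacity
        self.timeout = timeout
        self.pending = OrderedDict()   # (src_ip, src_port) -> time the SYN arrived
        self.established = 0
        self.dropped = 0

    def _reap(self, now: float) -> None:
        # Entries are in arrival order, so stop at the first one that is still fresh.
        for key, t0 in list(self.pending.items()):
            if now - t0 <= self.timeout:
                break
            del self.pending[key]

    def syn(self, src: str, port: int, now: float) -> bool:
        """True if the server sent a SYN-ACK, False if the backlog was full."""
        self._reap(now)
        if len(self.pending) >= self.capacity:
            self.dropped += 1           # silently dropped: the client never sees a SYN-ACK
            return False
        self.pending[(src, port)] = now
        return True

    def ack(self, src: str, port: int, now: float) -> bool:
        """Complete the handshake; False if there was no matching half-open entry."""
        if self.pending.pop((src, port), None) is None:
            return False
        self.established += 1
        return True


def simulate(capacity: int = 128, timeout: float = 60.0, flood: int = 1000) -> dict:
    """Constructed scenario: `flood` spoofed SYNs 10 ms apart from addresses that never
    answer, then a genuine client at the peak of the flood and again after it has stopped."""
    table = HalfOpenTable(capacity, timeout)
    for i in range(flood):
        # Spoofed source: no ACK will ever follow for this entry.
        table.syn(f"198.51.100.{i % 250 + 1}", 1024 + i, now=i * 0.01)
    t_peak = flood * 0.01
    legit_during = table.syn("203.0.113.10", 40000, now=t_peak)
    t_later = t_peak + timeout + 1
    legit_after = (table.syn("203.0.113.10", 40001, now=t_later)
                   and table.ack("203.0.113.10", 40001, now=t_later + 0.05))
    return {
        "half_open": len(table.pending),
        "dropped": table.dropped,
        "established": table.established,
        "legit_during_flood": legit_during,
        "legit_after_flood": legit_after,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Because the attacker spends nothing to keep an entry alive, shortening the timeout alone only raises the packet rate the attacker needs; the model shows the exhaustion itself, which is the state a NIDS rule or connection-rate limit has to catch.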

Tear Drop Attack

A Teardrop attack involves sending mangled IP fragments with overlapping, oversized payloads to the target machine. This can crash several operating systems because of a bug in their TCP/IP fragmentation reassembly code. The following operating systems were vulnerable to the teardrop attack:

Windows 3.1x

Windows 95

Windows NT

Linux Versions 2.0.32 and 2.1.63
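The check that the vulnerable reassembly code lacked, as an added example that is not part of the original essay or of any operating system's IP stack. It covers both the ping of death and the teardrop attack described above: before reassembling, it rejects fragment sets that overlap (the teardrop case), that would push the datagram past the 65,535-byte IPv4 limit (the oversized-ping case), that leave gaps, or that never deliver a final fragment. Offsets here are in bytes rather than the 8-byte units of the IP header, and the fragment sets in the usage are constructed.

```python
from dataclasses import dataclass

MAX_DATAGRAM = 65535   # the IPv4 total-length field is 16 bits


@dataclass(frozen=True)
class Fragment:
    offset: int       # byte offset of this payload within the datagram (header units x 8)
    payload: bytes
    more: bool        # the "more fragments" flag; False marks the last fragment


def validate_fragments(fragments) -> list:
    """List every reason a reassembly buffer must refuse this fragment set;
    an empty list means the set is safe to reassemble."""
    problems = []
    frags = sorted(fragments, key=lambda f: f.offset)
    covered = 0       # bytes of the datagram accounted for so far
    for f in frags:
        end = f.offset + len(f.payload)
        if len(f.payload) == 0:
            problems.append(f"empty fragment at offset {f.offset}")
        if f.offset < covered:
            problems.append(f"fragment at {f.offset} overlaps data already ending at {covered}")
        elif f.offset > covered:
            problems.append(f"gap between {covered} and {f.offset}")
        if end > MAX_DATAGRAM:
            problems.append(f"fragment at {f.offset} would extend the datagram to {end} bytes, "
                            f"over the {MAX_DATAGRAM} limit")
        covered = max(covered, end)
    if not frags or frags[-1].more:
        problems.append("no final fragment (last one still has MF set)")
    return problems


def reassemble(fragments) -> bytes:
    """Reassemble only a validated set; never trust offsets and lengths from the wire."""
    problems = validate_fragments(fragments)
    if problems:
        raise ValueError("; ".join(problems))
    return b"".join(f.payload for f in sorted(fragments, key=lambda f: f.offset))


if __name__ == "__main__":
    # Constructed fragment sets: a normal datagram, a teardrop-style overlap, an oversized one.
    normal = [Fragment(0, b"A" * 8, True), Fragment(8, b"B" * 8, False)]
    overlap = [Fragment(0, b"A" * 36, True), Fragment(24, b"B" * 4, False)]
    oversized = [Fragment(0, b"A" * 8, True), Fragment(65528, b"B" * 16, False)]
    for name, frags in (("normal", normal), ("overlap", overlap), ("oversized", oversized)):
        print(name, validate_fragments(frags) or "ok")
```

The original bug was arithmetic on untrusted offsets producing a negative or huge copy length; validating the whole set against the bytes already covered, before any copy, is what removes that class of error.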

R-U-DEAD-YET?

This tool is one of two well-known DoS tools designed to attack web applications by exhausting the number of available sessions on a web server. The other is Slowloris, an application developed by Robert Hansen (RSnake), which allows a single machine to take down another machine's web server while using very little bandwidth. RUDY keeps sessions open by using never-ending POST transmissions and sending an abnormally large Content-Length header value.

Prevent a DOS and DDOS attack

Although there is no fully effective way to prevent a DoS or DDoS attack, it is of the utmost importance that the company takes the necessary steps to reduce the likelihood that someone uses the company's computers to attack other computers. These steps include:

Avoid a single point of failure; this can be achieved by implementing an internal mesh network.

Install antivirus software, and maintain it by installing the latest updates and patches.

Install a firewall device and configure it to control traffic entering and leaving the computer system. It is also important to install the latest updates and patches for it.

Implement a demilitarised zone (DMZ) between the router and an external firewall, which helps to protect the Local Area Network (LAN).

Follow a good security policy for the use of your email address. By applying email filters you can better manage unwanted traffic.

TASK 4

Credit Card Encryption

Secure Payments

As the company takes payment for event tickets online via credit card, it is of the utmost importance that it opts for the most secure processing methods, because these methods reduce the risk of fraud.

It is therefore suggested that the company uses the service of a third party that offers a payment gateway designed to process online payments securely.

Payment Gateway

There are various payment gateways from which the company can choose to integrate with its system. These payment gateways include:

Flagship Merchant Service

WorldPay

Intuit

Authorize.net

GoEmerchant

Cybersource

PayPal

Although there are different payment gateways, they all offer the same basic features, such as:

Accept Credit Cards

Customers can use their credit or debit cards to make payments. Online payment gateways make credit card transactions more efficient by supporting batch upload, so that a number of transactions can be submitted in a single file. They also offer the ability to validate accounts quickly and securely.

ACH Payment

ACH stands for Automated Clearing House, a system that allows financial institutions (banks) to send money back and forth automatically. This method is available through online payment gateways and supports various types of transaction, such as e-commerce processing and bill payments.

Recurring Billing Options

Recurring billing offers a flexible and convenient way of making online payments. It allows customers to set up weekly or monthly payments and have receipts sent to them by email.

Secure Processing

If the payment gateway complies with the PCI DSS standard, it keeps customers' data safe and protects companies from having their data compromised.

How a Payment Gateway Works

The following section outlines the basics of the payment process. It will also help you understand the charges and risks involved in accepting payments.

Process 1: Gathering Payment Data

The customer enters the credit or debit card details into the payment system or device. The details could be entered by a call centre operator, read by a card reader, or entered into a web page.

Process 2: Authentication

Details of what the customer bought, together with details from the card such as the card number and CVV, are sent to the payment gateway. The payment gateway identifies the card scheme (MasterCard, Visa, American Express, etc.) and sends the information to the bank or other organisation that issued the card.

A validation process is carried out; if it fails, the transaction is declined and the customer is asked to check the details, use another card, or use another type of payment.

Process 3: Authorization

In this process the issuing bank checks the cardholder's identity, whether there are enough funds in the customer's account to cover the transaction, and whether the card has been reported lost or stolen. If everything is in order, the issuing bank authorises the requested amount and reserves it. The last step of authorisation, carried out once the transaction is completed, is for the payment gateway to instruct the bank to debit the money.

Process 4: Settlement of Funds

The payment gateway transfers the value of the transaction into your merchant account and periodically sends a statement showing the details of all transactions processed and how much the company has paid for each transaction.

Payment Processing Diagram

The following diagram illustrates the process described above for processing secure payment:


Figure 4. Payment Gateway Process

Which Payment Gateway?

One payment gateway that can be integrated with the Online Ticketing Service is WorldPay, which offers the services the company needs to secure payments and avoid breaches. The following section therefore highlights the services offered by WorldPay.

Internet merchant account

An Internet merchant account is required to use the Internet payment processing service. Although many banks and financial organisations offer this service, it can also be bought from WorldPay. The WorldPay IMA offers the following benefits:

Accept payments in different currencies

Major credit cards, including Laser and ELV cards, are accepted by WorldPay

Payment Acceptance

The list of credit and debit cards accepted by WorldPay includes:

Visa Credit and Debit card

MasterCard

American Express

JCB

Diner

Laser

ELV

WorldPay offers two options for how payments are processed: real-time and deferred. The difference is that in real-time processing a transaction is sent to the issuing bank for authorisation immediately, whereas in deferred processing the online ticketing service reviews the customer's order and payment details before processing the transaction.

Secure Processing

To reduce fraud risks, transactions processed by the WorldPay payment gateway are carried out securely by encrypting the information. The customers' card and account details can be stored on WorldPay's secure server, so that the company does not need to maintain a secure server of its own.

Transactions processed by WorldPay are supported by:

Card Verification Value (CVV2)

Address Verification Service (AVS)

Cardholder authentication (Verified by Visa and MasterCard SecureCode)

Fraud Screening

This is another service that is important for the online ticketing company. Its aim is to identify potentially fraudulent transactions by means of a sophisticated checking system.

It works by comparing the payment information supplied by the customer with a continuously updated database of millions of payments. Once fraudulent activity is detected, WorldPay notifies the company so that the necessary measures can be taken to avoid the breach.

WorldPay also offers options to block certain email addresses and computer IP addresses.

This service reduces costs by reducing online fraud, increases sales, offers the ability to customise your own security checks, is easy to implement, and keeps the company's payment system up to date by adapting to the latest threats.

TASK 5

Security and Password Policy


Overview

Password and data storage policies are important features of computer security. If no policy is in place and enforced, a security breach may result. Thus, all users with access to the Online Ticketing Service system are responsible for taking the correct steps, as outlined below.

Purpose

The purpose of this policy is to create a standard for creation of strong passwords, the protection of those passwords, and the regularity of change. It also establishes a standard for the storage of user details.

Scope

The scope of this policy includes all users who have access to an account, either as an employee using any system that resides at the Online Ticketing Service facilities or as a customer who makes use of the services offered by the company.

Password Policy

General

All system-level passwords (e.g., Windows administration, root, application administration accounts, etc.) must be changed every 60 days.

All users (e.g., of web, desktop computer, email accounts, etc.) must be prompted to change their password at least every three months.

Customers should be advised by email to change their password.

All passwords must be saved in an encrypted format.

Users must be advised to use a password that is unique from those of all other accounts they might have.

Users must follow the guidelines listed below.

Guidelines

Construct a strong Password

All users accessing accounts at Online Ticketing Services must be advised of how to construct strong passwords.

Strong passwords should be constructed as follows:

Contain three or more of the following character types:

Lower case characters

Upper case characters

Numbers

Punctuation

Special characters such as: / < > ' ( ) [ ] { } + - * $ # @ ! % ^ &, etc.

Passwords must contain no fewer than sixteen alphanumeric characters.

Passwords should not have the following characteristics:

Fewer than sixteen alphanumeric characters.

Words found in the dictionary.

Common-usage words, including:

Family names, fantasy characters, pets' names, co-workers' names, etc.

Word or number patterns such as 123456123456, abcdefabcdef, etc.

Personal information, including birthday, addresses, telephone or mobile number.
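The password rules in the guidelines above, and the general requirement that passwords be saved in a protected form, as an added example that is not part of the original policy: `check_password` enforces the sixteen-character minimum, the three-of-five character classes, and the dictionary, pattern and personal-information rules, while `store_password` and `verify_password` keep a salted PBKDF2-HMAC-SHA256 hash rather than the password itself. The small word list, the split between punctuation and special characters, the iteration count and the record format are my assumptions.

```python
import hashlib
import hmac
import os
import re
import string

MIN_LENGTH = 16
PUNCTUATION = set(".,;:!?")
SYMBOLS = set(string.punctuation) - PUNCTUATION   # / < > ' ( ) [ ] { } + - * $ # @ % ^ & ...
# Constructed stand-in for a real dictionary / common-word list.
COMMON_WORDS = {"password", "welcome", "ticket", "summer", "dragon", "qwerty", "letmein"}


def character_classes(pw: str) -> dict:
    """Which of the policy's five character types the password uses."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "punctuation": any(c in PUNCTUATION for c in pw),
        "symbol": any(c in SYMBOLS for c in pw),
    }


def repeated_block(pw: str) -> bool:
    """True when the whole password repeats a shorter block (123456123456, abcdefabcdef)."""
    for size in range(1, len(pw) // 2 + 1):
        if len(pw) % size == 0 and pw[:size] * (len(pw) // size) == pw:
            return True
    return False


def sequential_run(pw: str, n: int = 6) -> bool:
    """True when n consecutive characters step by +1 or -1 in code point (abcdef, 654321)."""
    for i in range(len(pw) - n + 1):
        steps = {ord(pw[j + 1]) - ord(pw[j]) for j in range(i, i + n - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw: str, personal=()) -> list:
    """Return the policy rules the password breaks; an empty list means it is acceptable.
    `personal` holds items such as names, pet names and birthdays known for this user."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(character_classes(pw).values()) < 3:
        problems.append("fewer than three character classes")
    if any(word in low for word in COMMON_WORDS):
        problems.append("contains a dictionary or common word")
    if repeated_block(low) or sequential_run(low):
        problems.append("repeated or sequential pattern")
    alnum = re.sub(r"[^0-9a-z]", "", low)
    for item in personal:
        stripped = re.sub(r"[^0-9a-z]", "", item.lower())
        if len(stripped) >= 3 and stripped in alnum:
            problems.append(f"contains personal information ({item})")
    return problems


def store_password(pw: str, iterations: int = 600_000) -> str:
    """Salted PBKDF2-HMAC-SHA256 record for storage; the plaintext is never written."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(pw: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ("Abc123!@", "123456123456abcd", "Tr4in-Harbour!Lantern9"):
        print(candidate, "->", check_password(candidate, personal=["Rex", "1990-04-14"]) or "ok")
    record = store_password("Tr4in-Harbour!Lantern9")
    print(record[:40] + "...", verify_password("Tr4in-Harbour!Lantern9", record))
```

The same `check_password` call serves both the employee accounts and the customer sign-up form, which keeps the single policy the text asks for enforced in one place.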

Password Protection Standards

Users should not use the same passwords as for their other personal accounts.

Passwords should not be shared with other employees or system users.

It is forbidden to store passwords online without encryption.

Users should not write down their passwords in order to remember them.

Passwords should not be spoken in front of others.

Passwords should not be written down on security forms or questionnaires.

Users must not reveal a password in email, chat, or other electronic communication.

Enforcement

Employees who are found to have violated this policy may be subject to disciplinary action, including termination of employment. The Information Security Department may carry out password cracking or guessing exercises on a random basis to identify weak passwords. If any are identified during these exercises, the user will be notified to change the password.

The password protection policy should also be posted on the company's website so that online customers can access it.

Storage of User Details policy

The Online Ticketing Service collects various sensitive data from customers every day. This data includes addresses, telephone and mobile numbers, email addresses, bank account details, credit and debit card information, and passwords. Thus it is of the utmost importance that such data is stored in the most secure way.

General

The following guidelines will ensure the protection of sensitive user data:

Physical – Computers and servers at the Online Ticketing Service must be accessible only by authorised personnel.

Personnel – Before hiring any Database Administrators, background checks must be performed.

Procedural – Procedures carried out by the Database Administrators must ensure reliable data. If more than one DBA is employed by the company, their functions should be separated, e.g., one person should be responsible for database backups while another investigates the data and verifies its integrity.

Technical – Storage, access, manipulation and transfer of data must be secured by technology that enforces the company's data management control policies.

Secure Configuration

Following the guidelines below will reduce the risk of data being compromised.

Install only what is required

When database software is installed, it is much wiser to install only those services the company requires.

Change Default User Password

After the installation of the software default passwords of administrative users must be changed.

Default passwords for all users should also be changed.

Unused active accounts should be deactivated immediately.

Principle of Least Privilege

Privileges should be limited to those who really need them to perform their job.

Restrict Network Access

This can be achieved by using SSL, an Internet protocol that secures communication over the network.

Security Patches

The system should always be updated with the latest updates and patches.

Securing Sensitive Data

Security mechanisms should be implemented to secure sensitive data; such mechanisms include:

User authentication methods to identify users

Auditing for accountability

Network encryption to safeguard sensitive data while it traverses the network. Two methods that can be used for network encryption are Secure Sockets Layer (SSL) and authentication by means of X.509 digital certificates.

The database software used to store data must support the following standards:

Data Encryption Standard (DES)

Triple DES (3DES, 2-key)

Advanced Encryption Standard (AES)

MD4 and MD5 or SHA-1 cryptographic hashes

MD5 and SHA-1 Message Authentication Code (MAC)

Enforcement

Employees who are found to have violated this policy may be subject to disciplinary action, including termination of employment.

Conclusion

By following the above policy the company will reduce the risk of experiencing a security breach. It is therefore important that the Information Security officers revise the policy from time to time and include new relevant information that is not available today, in order to keep the systems up to date.


