Weapons Of Warfare Network Threats


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

The protection of data is a major priority in every organization, and the importance of this objective is significantly compounded in the fast-paced financial sector. Over the years it has become increasingly difficult to keep pace with the industry’s security standards and emerging threats, and to minimize risk, in an organization’s efforts to maintain data and network security.

The intention of the author through this research is to take a closer look at network security in a financial institution, focusing primarily on the achievement of its security objectives through the deployment of infrastructure coupled with the enforcement of policies and procedures. Through the analysis of the data collected, the author seeks to determine the impact, if any, that this network strategy has on the productivity level of its employees in both the operations and ICT areas.

Research Problem

Many organizations direct their focus on protecting their network from external threats such as viruses transmitted via electronic mail or intrusion attacks by external individuals with malicious or even curious intentions. In today’s networks a distinct separation of network zones is defined, with the zones categorized as Internal, External or De-militarized (DMZ).

However, organizations have made greater efforts to dramatically increase network security within the Internal Zone as they have come to the harsh realization that security breaches, electronic extortion, data manipulation, theft or sabotage within the internal network can inflict the same or an even greater level of damage on the organization, financially or to its reputation, as external intrusions.

Nacht’s (2013) view supports the need for a robust perimeter security infrastructure but concludes that this by itself is insufficient, as it leaves the internal network vulnerable to the spread of malicious worms and viruses, with detrimental results for the organization in the areas of both finance and production. Nacht states that "Internal network security complements perimeter security solutions by providing additional layers of defense."

Notwithstanding this, a security paradox exists. As the demand for higher levels of productivity increases and the pressure to remain competitive in an already fast-paced industry builds, organizations look for any way to meet this demand and continue to strive for higher profitability and shareholder investment returns. This corporate objective is the driving force in any organization; however, it is achieved at the expense of network security measures, policies and procedures.

The contradiction between network security and productivity has been identified in the work of Bacik (2013) where she differentiates between the "primary purpose" of IT staff and the "primary security purpose" of IT staff. While one objective is to foster efficiency, the other is to protect the company’s data. "The enterprise mobile workforce demands that data be portable and instantly accessible from anywhere. In doing so, this negates the physical barriers designed to keep information secure."

While the author has briefly identified the importance of both network security and productivity to an organization, it is the intention of the author through this research to further analyze the impact network security has on productivity in a financial institution to determine a justifiable, well-balanced approach to network security (RSSC, 2011).

Research Question

What impact does network security have on user productivity?

Research Aim and Objectives

The aim of the author through this research is to find a balanced approach to network security as it relates to user productivity. To facilitate this, the author identified the following objectives for this research:

Analyze the organization’s Security Objectives and where they currently find themselves as it relates to these objectives.

Evaluate the network hardening strategy deployed by the organization and compare this to other industry models.

Evaluate the impact the network hardening strategies undertaken at First Citizens Bank in this project had in mitigating the existing risk.

Identify and analyze new or unchanged risks and vulnerabilities that exist as a result of the Network hardening project and the impact these have on the organization’s ability to achieve its Network Security Objectives.

Analyze network usability in the organization before the network hardening exercise.

Analyze the impact of the Network Hardening project on the employees’ ability to perform their job functions and meet deliverables.

Ethics Checklist

2.1 Principles and Guidelines

The author recognizes that network security plays a critical role in the operations of any organization, and most organizations are extremely hesitant to share any information relating to their security strategy and network infrastructure because of the risk of information leakage resulting in security breaches. This concern is further compounded in the financial industry, as all data is considered critical and confidential. The institution itself is bound to confidentiality both by its customers and by its governing body, the Central Bank of Trinidad and Tobago. In this regard the author exercises great care in the collection, analysis and reporting of all information for this research as it relates to the researched institution, in accordance with the guidelines and principles outlined by the EU Code of ethics for socio-economic research (The Institute for Employment Studies, 2004).

2.2 Privacy

All interviews and questionnaires will be conducted privately to prevent any leakage of information during the data collection process. The chosen participants for interviews and questionnaires have the right to refuse to answer any questions they deem too sensitive for release. They have also been given the right to verify any information with appropriate individuals before answering the questions. Any individual not wishing to disclose their identity has also been afforded that right.

2.3 Confidentiality

The organization will be assured that all data collected for the purpose of this research will be treated with the strictest confidentiality as a non-disclosure agreement will be prepared and signed between the author and the organization.

2.4 Informed Consent

The author will acquire formal authorization from the organization to collect, analyze and accurately report all data collected for the purpose of this research. The letter requesting this authorization will be included in Appendix 2 of this document. Although verbal permission has already been acquired by the author from the Chief Information Officer, the author still awaits the confirmation in writing.

2.5 Ethics Checklist

The ethics checklist by which this research is guided is included in Appendix 1.

Conceptual Framework

3.1 Introduction

The war has begun, as organizations are constantly under attack and engaged in battle in the defense of the data that they hold. Though they have always deemed their information important, the company’s data is fast becoming a treasure in their eyes as it is constantly under threat of being stolen, misused, sabotaged or destroyed from "every direction." The author’s metaphorical use of the term "every direction" is symbolic of the communication flow as it relates to accessing the company’s data. This will be further explained as the author examines modern network and security hypotheses, the threats networks face and the strategies adopted in defense against these threats.

3.2 Network Concepts

In today’s economy, organizations are required to provide their goods and services twenty-four hours a day, every day. This business requirement means that the company’s network must be robust enough to facilitate this. The network topology and infrastructure must continuously evolve to keep pace with business demands.

The basic model, as identified in the work of Castelli (2004), is the Flat Model. Padjen and Lammle (2000) identified other network models designed for larger networks in their work. These include:

The Star Topology Model

The Ring Topology Model

Mesh Topology Model

Hierarchical Network Model

3.3 Weapons of Warfare: Network Threats

3.3.1 External Zone

This is an area or network where devices accessible to the public over the internet are placed together. These can include web servers, external mail servers, and DNS servers. Attacks on this zone are usually conducted by individuals external to the organization trying to gain access to the network through the internet. They may come from inexperienced hackers trying amateur methods; these are referred to as unstructured threats. They may also come from very experienced hackers conducting a more coordinated attack; these are referred to as structured threats (Deal, R. 2004).

3.3.2 Internal Zone

The internal zone is usually a trusted zone and comprises all user workstations, laptops, printers, servers and all other authorized devices on the network. Sadly, many organizations overlook this zone as a legitimate source of security threats and often find themselves victims of a security breach, since the attack originates from users who already have network access and who maliciously or accidentally create a vulnerability in the protection of data. Experts have all agreed that security breaches in this zone can be much more costly and have far greater consequences for the organization than an external breach.

Deal (2013) cited the results of a CSI survey which determined "that, of the 70 percent of the companies that had security breaches, 60 percent of these breaches come from internal sources. Some of these security breaches were malicious in intent; others were accidental."

Leyden (2002) cited the results of another survey in his article: "Around half (51 per cent) of the respondents to the Oracle/Institute of Directors-sponsored survey, said that internal security breaches were a bigger threat to business than those originating outside their companies. This belief was particularly strong among smaller firms."

3.3.3 Categories of Network Threats and Mitigation Strategies

It is critical that organizations are well informed of the attack strategies being used and how to combat them. These can be categorized into four main stages (Deal, R. 2004):

Reconnaissance

Access

Denial of Service

A reconnaissance attack is a strategy in which the attacker gathers as much information as possible on the network, its usage and anything else useful that can be accessed. This information is vital to the attacker in determining any vulnerability that might exist on the network and in planning a successful attack. To collect this information the attacker can use well-known strategies like port scans, network sniffers and ping sweeps, or simply research the internet for company registration information and IP address assignments.

Once the attacker has collected enough information and identified a vulnerability, he can begin the second wave: network access. He can utilize packet sniffing tools to capture usernames and passwords to gain network access, or can perform a brute force attack where he tries to determine the password using dictionary words. To combat this type of attack, organizations need to enforce a strict password policy that limits the number of failed login attempts, and also ensure that employees are educated on how to set strong passwords.
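The failed-login control described above can be sketched as follows. This is an added example, not part of the original essay; the thresholds, the log format and the account and address values are all assumptions constructed for illustration. It also tracks failures per source, because guesses spread thinly across many accounts never trip a per-account limit.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values; the essay does not specify any.
MAX_FAILURES = 5                  # failures allowed per account inside the window
WINDOW = timedelta(minutes=10)    # sliding window used for counting
MAX_ACCOUNTS_PER_SOURCE = 3       # distinct accounts one source may fail against

# Constructed sample events: timestamp, account, source address, outcome.
SAMPLE_LOG = """\
2013-06-03T09:00:00 csr07 10.1.20.15 FAIL
2013-06-03T09:00:40 csr07 10.1.20.15 OK
2013-06-03T09:05:00 teller01 10.1.30.99 FAIL
2013-06-03T09:05:02 teller01 10.1.30.99 FAIL
2013-06-03T09:05:04 teller01 10.1.30.99 FAIL
2013-06-03T09:05:06 teller01 10.1.30.99 FAIL
2013-06-03T09:05:08 teller01 10.1.30.99 FAIL
2013-06-03T09:05:10 teller01 10.1.30.99 OK
2013-06-03T09:06:00 loans02 10.1.30.99 FAIL
2013-06-03T09:06:01 loans03 10.1.30.99 FAIL
2013-06-03T09:06:02 loans04 10.1.30.99 FAIL
"""


def evaluate(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Replay login events and return (locked, refused, flagged_sources)."""
    failures = defaultdict(deque)   # account -> timestamps of recent failures
    targets = defaultdict(set)      # source  -> accounts it has failed against
    locked = {}                     # account -> time the lockout was applied
    refused = []                    # attempts rejected because the account was locked

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, account, source, outcome = line.split()
        ts = datetime.fromisoformat(ts_text)

        # A locked account refuses every attempt, even one with the right password.
        if account in locked:
            refused.append((ts, account, source, outcome))
            continue

        # A successful login by the legitimate user resets the failure count.
        if outcome == "OK":
            failures[account].clear()
            continue

        targets[source].add(account)
        recent = failures[account]
        recent.append(ts)
        # Drop failures that have aged out of the sliding window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= max_failures:
            locked[account] = ts

    flagged = {src: sorted(accts) for src, accts in targets.items()
               if len(accts) > MAX_ACCOUNTS_PER_SOURCE}
    return locked, refused, flagged


if __name__ == "__main__":
    locked, refused, flagged = evaluate(SAMPLE_LOG)
    for account, when in locked.items():
        print("locked:", account, "at", when.isoformat())
    for ts, account, source, outcome in refused:
        print("refused:", account, "from", source, "(", outcome, ")")
    for source, accounts in flagged.items():
        print("source", source, "failed against", accounts)
```

In the sample, the sixth attempt on teller01 carries the correct password and is still refused, which is the point of the lockout.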

If the attacker can gain access to a web server that is accessible to the public, he can use this server to gain access into the restricted part of the network, the internal zone. This attack strategy is called trust exploitation. Another strategy used to gain access through the trusted host is port redirection, where he can, through the use of software, redirect ports through this host to an inside host. To militate against these attacks it is critical that the organization set up strict controls and restrictions between the internal zone and the servers on the public side of the fence. This can be done through network segmentation by creating restricted VLANs and by closing unused ports.

Once the attacker gains entry to the network, he can easily cause major discomfort to the network users and by extension the organization. Launching a Denial of Service (DOS) attack means that he can deny network users or other authorized users access to data by consuming system resources. A distributed DOS attack occurs by flooding the network link with illegitimate data, thus consuming all bandwidth and preventing user access. Some tools used to conduct DOS attacks are (orbit-computer-solutions.com, 2012):

Ping of Death

Syn Flood Attack

Email Bombs

Malicious Applets

Denial of Service and Distributed DOS attacks can be controlled by the implementation of anti-spoof and anti-DOS access control lists (ACLs) applied to the routers.
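The anti-spoof part of such an ACL can be modelled as an ordered, first-match rule list per router interface. This is an added example, not taken from the essay or from any router vendor; the interface names, the addressing plan and the list of reserved ranges are assumptions for illustration.

```python
import ipaddress

# Assumed addressing plan; none of these values come from the essay.
INTERNAL_NETS = [ipaddress.ip_network("10.1.0.0/16")]
DMZ_NETS = [ipaddress.ip_network("192.0.2.0/24")]
ANY = ipaddress.ip_network("0.0.0.0/0")

# Private and reserved ranges that cannot be genuine sources on an internet-facing link.
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def build_acls():
    """Return an ordered, first-match inbound rule list for each interface."""
    # Internet-facing side: drop sources that are reserved or that claim to be us.
    outside = [("deny", net, "private or reserved source from internet")
               for net in RESERVED]
    outside += [("deny", net, "own prefix arriving from outside")
                for net in INTERNAL_NETS + DMZ_NETS]
    outside.append(("permit", ANY, "plausible external source"))

    # Internal and DMZ sides: only sources assigned to that zone may leave it,
    # so compromised hosts cannot emit packets with forged source addresses.
    inside = [("permit", net, "assigned internal source") for net in INTERNAL_NETS]
    inside.append(("deny", ANY, "source not assigned to internal zone"))

    dmz = [("permit", net, "assigned DMZ source") for net in DMZ_NETS]
    dmz.append(("deny", ANY, "source not assigned to DMZ"))
    return {"outside": outside, "inside": inside, "dmz": dmz}


def check(acls, interface, source):
    """Apply the inbound ACL of `interface` to a packet's claimed source address."""
    addr = ipaddress.ip_address(source)
    for action, net, reason in acls[interface]:
        if addr in net:
            return action, reason
    return "deny", "implicit deny"


# Constructed test traffic: (interface the packet arrives on, claimed source).
SAMPLE_PACKETS = [
    ("outside", "203.0.113.50"),   # ordinary external client
    ("outside", "10.1.20.15"),     # internal address forged from the internet
    ("outside", "192.0.2.10"),     # DMZ server address forged from the internet
    ("outside", "127.0.0.1"),      # loopback source
    ("inside", "10.1.20.15"),      # legitimate workstation
    ("inside", "203.0.113.50"),    # workstation emitting a forged source
    ("dmz", "192.0.2.10"),         # legitimate DMZ server
    ("dmz", "10.1.20.15"),         # DMZ host claiming an internal address
]


def audit(packets):
    """Return (interface, source, action, reason) for every packet."""
    acls = build_acls()
    return [(iface, src) + check(acls, iface, src) for iface, src in packets]


if __name__ == "__main__":
    for iface, src, action, reason in audit(SAMPLE_PACKETS):
        print("%-8s %-15s %-6s %s" % (iface, src, action, reason))
```

Rule order matters: the internal prefix here falls inside 10.0.0.0/8, so a forged internal source arriving on the outside interface is already dropped by the reserved-range rule before the own-prefix rule is reached.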

Incorporating firewalls into the network is a critical step towards mitigating the threats. Though firewalls are traditionally deployed at the network’s edge (separating the external and internal networks), recent network security strategies have placed additional firewalls in the network routing core. This affords organizations greater control of the traffic traversing their network and different levels of protection.

John R. Vacca identifies three main levels of protection achieved by the implementation of firewalls (Vacca, J.R. ed., 2010. Managing Information Security. Massachusetts: Syngress, p24):

Packet Filtering – the firewall can perform stateful packet inspection.

Proxies – proxies can terminate and re-establish connections between hosts. This is a useful tool in protecting the network from intruders, viruses and worms.

Application Layer Firewall - This is designed to protect applications from known vulnerabilities such as SQL injection, parameter and cookie tampering and cross-site scripting.

3.3.4 The Security Paradox

In recent years, worker mobility has become a requirement as opposed to a luxury. With the sale of mobile devices such as smart phones, laptops and tablets on the rise in recent years, the ability for workers to always remain connected to their office has increased, as has their desire for this service. "The growth of mobile broadband and access to applications is driving mobile subscriber growth — over 1.3 billion mobile phone subscribers will be added by 2013 to reach 4.9 billion subscribers." (Domage, Dahlgren, Odgers, 2011).

While mobility brings flexibility and increased productivity, it also brings with it a greater security risk because of the nature of the data on these devices and the risk of data leakage. Security administrators are often seen as too strict when security policies are introduced and enforced. Employees may argue that this has a direct impact on the level of productivity achieved.

Another example of this paradox is the implementation of security patches. Vendors occasionally release security patches for applications and databases. This may require administrators to be pulled off other projects to analyze and test these patches before they are applied to production systems. Even the implementation of the patches may require downtime for the databases, and any downtime is a productivity loss. Patching of servers, desktops and mobile devices, although critical, can also result in downtime for employees accessing the resources required to do their jobs (Los, 2012).

Los (2012) goes on to ask "what about full disk encryption?" Encrypting hard drives can help in the security battle, but this can be very time consuming while the employees wait for access. Once implemented, encryption can slow down the computer considerably and has a direct impact on the productivity of employees.

Most companies try to control the use of the internet by staff by implementing website filtering, blacklisting and whitelisting. In this process, certain legitimate sites that employees require to do their jobs are also blocked. The employee or their manager must then make a request to the administrator to grant access. This request can take time, depending on the schedule of the administrator. While the employee waits, productivity is affected.

Bacik (2011) highlighted the CobIT model as a way to balance the implementation of network security and the impact on productivity. It recommends that organizations should:

Plan and organize - The enterprise must perform an assessment of the existing infrastructure to determine its strengths and weaknesses.

Acquire and implement - Selection and implementation of the solution that best matches the requirements.

Deliver and support - Ideally, the solution adopted should protect the confidentiality, integrity and availability of sensitive information by managing user privileges and restricting the transfer of information to users and unauthorized devices.

Monitor and evaluate - The ability to continuously measure the performance of an enterprise's established IT infrastructure.

4 Research Design and methodology

4.1 Research Approach

The author seeks to briefly review the concepts and paradigms existing in modern research, making reference to relevant examples to further validate the methods used in this proposal.

4.1.1 Deductive or Inductive Approach

The deductive approach (also informally called a "top-down" approach) uses a general theory of the research topic, which is then narrowed down to specific hypotheses that can be tested. These hypotheses can be narrowed even further as observations are derived and collected. It is this specific data that can be used to test the hypotheses to confirm (if possible) the original theories (Trochim, 2006). This deductive process forms the basis of the Positivism philosophy. According to this philosophy, researchers aim to collect general information and data from a large social sample; their own beliefs are given no weight in the research study, which is therefore unbiased (Livesley, 2006).

The inductive approach is the opposite of the deductive approach, in that it moves from specific observations to broader generalizations and theories. Based on these observations, the researcher can recognize regularities and patterns which are used to formulate the hypotheses. Exploring these hypotheses enables the researcher to develop general conclusions and theories. This approach is informally referred to as "bottom up" (Trochim, 2006) and is associated with the Interpretivism philosophy. In this approach, researchers use small samples and evaluate them in detail to understand the views of a large number of people (Kasi 2009 p98). This philosophy holds the view that social reality is not objective but highly subjective because it is shaped by our perception, and as a result the researcher interacts with that being researched (Creswell, 1998 p75).

The author recognizes the need to adopt a deductive approach to this research as he will question a number of persons spanning a wide area of operations and different hierarchical positions in the organization chart. The research problem facilitates the general theory, which will be narrowed down to specific areas of impact that network security has on productivity. The Epistemological assumption will be applied in this research by the author as any possible research influence can be anticipated, detected and controlled.

4.1.2 Quantitative, Qualitative or Mixed

Quantitative data is numerical data; it can be measured, calculated and counted through mathematical and statistical methods. Quantitative research uses survey, sampling and census methods to collect data, and a large amount of statistical data is collected. Quantitative research begins with a hypothesis and tests for confirmation or rejection of that theory, and thus it is deductive (Frankel & Devers, 2000. p251-261).

Qualitative research is generally inductive and is based on texts and images (Creswell, 2003). It involves in-depth interviews and observations during the data collection stage and is subjective in nature. With this method, the sample size is small and describes the research problem in depth to find out its solution. The purpose of this research is to provide insights into the setting of a problem, generating ideas and/or hypotheses for later quantitative research (snapsurveys.com, 2011).

The mixed approach attempts to bring together methods from different paradigms. Combining quantitative and qualitative methods of data collection enables the researcher to capitalize on the strengths of each method and offset their different weaknesses. The researcher can conduct a few semi-structured interviews with a small number of participants coupled with questionnaires targeting a larger sample size.

Based on the nature of the research topic, its aims and objectives, the author will seek to adopt a mixed approach to data collection. Questionnaires will be developed and distributed to specific sample groups namely Tellers, CSRs and Loans departments. However the author recognizes the need to acquire additional qualitative data from the ICT professionals who implemented the network security. This small sample group will be interviewed in a structured manner. Notwithstanding this, the author also recognizes the need to leave the door open for unstructured questions if necessary based on the answers provided by the respondent.

5 Data Collection Tools

5.1 Secondary Data

Secondary data is data that has been collected and made available by other sources for purposes other than the current research project. It can be useful in gaining insight into a research problem and is also often used in the absence or limited availability of primary data (steppingstones.ca, 2004). The classification of secondary data lies in its source; it can be either internal (in-house data) or external in origin.

Internal secondary data is secondary information acquired within the organization where the research is being carried out. The sources of this type of data are (readingcraze.com, 2013):

Sales and marketing reports and statistics

Accounting and financial records

Other miscellaneous reports relevant to the organization

There are a number of sources of external secondary data. These include (readingcraze.com, 2013):

Published printed data (books, magazines, newspapers, journals etc.) which is a very reliable secondary source of information.

Published electronic data (internet articles, e-journals, weblogs etc.)

Unpublished personal records (diaries, letters etc.)

Government records (census data and statistics, health and other public institutions' records).

Public sector records (NGOs’ records and surveys etc.).

For the purpose of this research, the author will review and analyze a number of company reports to compare the productivity levels of staff before and after the network hardening project. Examples include the number of bank accounts opened by a CSR daily, the number of daily transactions by the tellers, and the length of time taken to complete similar transactions. The external secondary data useful to the author will be industry best practices and organizational comparisons in the area of network security.

5.2 Primary Data Collection

Primary data is data which was collected first-hand for the purpose of the research project. Its sources include experiments and surveys. It is a critical element in the research process. It is possible to conduct valid research and draw substantiated conclusions with only primary data; however, any research based solely on secondary data can have its reliability and validity questioned, as this data is susceptible to manipulation by previous users (Ahmad, 2013).

5.2.1 Questionnaires

A questionnaire is a set of printed or written questions with a choice of answers, devised for the purposes of a survey or statistical study (Oxford, 2013). It is an effective tool in the data collection process and a useful method to investigate patterns, frequency, user needs, expectations and satisfaction (evalued.com, 2006).

There are a number of ways that a questionnaire can be administered. It can be completed by the respondent in the presence of the researcher, or the questions can be asked in a formal and structured way by the researcher. The questionnaire can also be administered to a group and completed as a group. It can be delivered by government mail to a sample group and returned within a specified period of time. Alternatively, it can be sent via electronic mail or conducted over the telephone.

Questionnaires afford the researcher a number of benefits. Firstly, it is relatively easy to administer them and to extract and analyze the data. Secondly, they afford respondents time to consider their responses carefully without being influenced by the researcher, and they permit anonymity. They also accommodate a large number of respondents simultaneously and at a relatively low cost. Questionnaires can address a large number of issues quite easily and can have a high response rate; for example, they make it possible to question respondents on sensitive topics which they may feel uncomfortable speaking to an interviewer about (economicsnetwork.ac.uk, 2013).

Questionnaires will play an important role in the data collection process for the author. He intends to utilize this tool to collect vital data from various groups within the organization. These groups will span different job functions and levels within the organization. They include operational departments like Tellers, CSRs and Loans. The unit-based departments will include Finance, Marketing, Administration and Information, Communication and Technology (ICT). The analysis of data from a wide cross-section of job functions within the organization will assist greatly in determining the impact network security has on these jobs.

5.2.2 Interviews

According to Frey and Oishi (1995) an interview is "a purposeful conversation in which one person asks prepared questions (interviewer) and another answers them (respondent)." Like questionnaires, interviews can be a very useful tool for collecting relevant data in qualitative research. Interviews can be either structured or unstructured.

The unstructured interview is a technique where there are no pre-set questions; the interview takes shape based on the answers provided by the respondent, and the questions can change accordingly. This in itself is a drawback of the technique, as the interview can be quite lengthy and its length varies because the questions are different in each interview.

Structured interviews involve the asking of pre-determined questions, which are followed strictly by the interviewer. All the respondents are asked the same questions and, as a result, the data collected from these interviews can easily be analyzed and compared. This significantly increases the validity and reliability of this method.

As mentioned before, interviews in general can be a useful tool in the data collection process. They allow the interviewer to investigate issues in depth, discover users’ perspectives, add a human dimension to impersonal data and better understand and explain statistical data (evalued.com, 2006).

The author will utilize this method to collect the qualitative data that is not attained from the questionnaires. It will be necessary to interview the custodians of the network and systems to acquire qualitative data about the network hardening process conducted in the organization. The network engineer will explain the process and the systems engineer will explain the impact of this process on their job functions. Due to the nature of the research topic, the required data to be collected and the wide area of operations to cover, the author will utilize both questionnaires and interviews to complete this research.

6 Project Plan

6.1 Gantt Chart

A Gantt chart provides an excellent presentation tool for illustrating groups of milestones and demonstrating individual resources scheduled to time (Borysowich, 2008).

The author proposes that the research project will commence on Monday 3rd June 2013 and, based on the necessary tasks outlined in the Gantt chart (Appendix 3), it is scheduled to be completed on Thursday 5th December 2013. The research project will take a total of one hundred and thirty-four (134) days, based on a five-day work week from Monday to Friday. There are eight major areas or milestones to be achieved, each with its associated tasks.

6.2 Critical Path Analysis

Critical Path Analysis identifies tasks which must be completed on time, while also identifying tasks that can accommodate minimal delays. Program Evaluation and Review Technique (PERT) is a variation on Critical Path Analysis that takes a slightly more skeptical view of the time estimates made for each project stage. It uses estimates of the shortest possible time each activity will take, the most likely length of time, and the longest time that might be taken if the activity takes longer than expected (mindtools.com, 2013).

Through the use of a dependency table generated from the Gantt chart, the author mapped the milestone process to determine the minimum length of the project and the headroom available to accommodate any delays. The dependency table below outlines the eight major milestones and how each depends on the others. The PERT diagram was then formulated from the dependency table and is included in Appendix 4.

| ID | Task Name | Duration (Days) | Predecessors |
| --- | --- | --- | --- |
| 1 | Introduction | 18 | |
| 2 | Literature Review | 24 | 1 |
| 3 | Research Methodology | 10 | 2 |
| 4 | Data Collection | 37 | 2,3 |
| 5 | Data Analysis | 21 | 4 |
| 6 | Findings and Discussions | 14 | 5 |
| 7 | Conclusion and Recommendation | 7 | 6 |
| 8 | Finalization of Documents | 3 | 7 |

Research Dependency Table
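The critical path calculation described in section 6.2 can be carried through on the dependency table with a forward and backward pass. This is an added example, not the author's own working; it uses the single duration per task given in the table (not PERT's three estimates), assumes no public holidays, and the `parallel_methodology_variant` function is a hypothetical what-if that is not part of the plan.

```python
from datetime import date, timedelta

# ID: (task name, duration in working days, predecessor IDs), copied from the table.
TASKS = {
    1: ("Introduction", 18, []),
    2: ("Literature Review", 24, [1]),
    3: ("Research Methodology", 10, [2]),
    4: ("Data Collection", 37, [2, 3]),
    5: ("Data Analysis", 21, [4]),
    6: ("Findings and Discussions", 14, [5]),
    7: ("Conclusion and Recommendation", 7, [6]),
    8: ("Finalization of Documents", 3, [7]),
}
PROJECT_START = date(2013, 6, 3)   # start date stated in section 6.1


def topological_order(tasks):
    """Order tasks so every task follows its predecessors; reject bad input."""
    remaining = {}
    for tid, (_, _, preds) in tasks.items():
        unknown = [p for p in preds if p not in tasks]
        if unknown:
            raise ValueError("task %s names unknown predecessor(s) %s" % (tid, unknown))
        remaining[tid] = set(preds)
    order = []
    while remaining:
        ready = sorted(t for t, preds in remaining.items() if not preds)
        if not ready:
            raise ValueError("dependency cycle among tasks %s" % sorted(remaining))
        order.extend(ready)
        for t in ready:
            del remaining[t]
        for preds in remaining.values():
            preds.difference_update(ready)
    return order


def schedule(tasks):
    """Return (project length, slack per task, IDs of zero-slack tasks)."""
    order = topological_order(tasks)
    successors = {t: [] for t in tasks}
    early_start, early_finish = {}, {}
    for t in order:                                  # forward pass
        _, duration, preds = tasks[t]
        for p in preds:
            successors[p].append(t)
        early_start[t] = max((early_finish[p] for p in preds), default=0)
        early_finish[t] = early_start[t] + duration
    total = max(early_finish.values())
    late_start, slack = {}, {}
    for t in reversed(order):                        # backward pass
        late_finish = min((late_start[s] for s in successors[t]), default=total)
        late_start[t] = late_finish - tasks[t][1]
        slack[t] = late_start[t] - early_start[t]
    return total, slack, [t for t in order if slack[t] == 0]


def finish_date(start, working_days):
    """Date of the Nth working day, counting `start` as day 1, Monday to Friday."""
    day, counted = start, 0
    while True:
        if day.weekday() < 5:
            counted += 1
            if counted == working_days:
                return day
        day += timedelta(days=1)


def parallel_methodology_variant(tasks=TASKS):
    """Hypothetical: task 3 starts after task 1 and runs alongside task 2."""
    variant = dict(tasks)
    name, duration, _ = variant[3]
    variant[3] = (name, duration, [1])
    return schedule(variant)


if __name__ == "__main__":
    total, slack, critical = schedule(TASKS)
    print("length:", total, "days; finish:", finish_date(PROJECT_START, total))
    print("critical tasks:", critical, "slack:", slack)
    print("what-if:", parallel_methodology_variant())
```

With the table as given, every task lies on the critical path, so the computed slack for each milestone is zero and the computed finish date matches the stated one.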

6.3 Work Breakdown Structure

The Work Breakdown Structure (WBS) is a hierarchical representation of the tasks that comprise a project. It is an essential tool for ensuring that all required tasks are identified and included in the project plan. This hierarchical tree structure enables the researcher to more accurately define and manage the scope of the overall project (Matthis, 2013).

In the author’s preparation of a WBS, the eight milestones identified in this project were analyzed leading to the specification of lower levels of tasks necessary for the completion of the milestones. The WBS was designed in a hierarchical tree structure format and is included in Appendix 5.
