Mechanism used: Intrusion Detection and Prevention Systems (IDPSs)

There are two types of IDPSs:
- Host-based IDPSs
- Network-based IDPSs

Host-based IDPSs

Host-based intrusion detection systems are aimed at collecting information about activity on a particular single system or host. They are sometimes referred to as sensors; they would normally be installed on a machine that is deemed to be susceptible to possible attacks. Sensors work by collecting data about events that are taking place on the system being observed. The information is recorded by operating system facilities that are called audit trails. (Brackney, 1998) Other sources from which a host-based sensor can obtain data include system logs, other logs generated by operating system processes, and monitoring of entities not reflected in standard operating system audit and logging facilities. As host-based systems rely heavily on audit trails, they are limited by those audit trails, which are not provided by the manufacturers who design the intrusion detection system itself. Host-based sensors can recover which process initiated an event, and the original user identification associated with that event, even where the user identification changes.

Host-based detection systems are desirable for several reasons. Because they can monitor access to information in terms of who accessed it, these systems can trace malicious or improper activities to a specific user ID. This is important because it can identify whether a person inside the organisation is responsible for the improper use of company resources. Host-based sensors are also useful because they can keep track of the behaviour of individual users. This can help to catch attacks while they are happening, or possibly stop a potential attack before it affects the system. Host-based systems are also valuable because they are very versatile: they have the ability to operate in encrypted environments, as well as over a switched network topology. Since host-based systems are necessarily distributed throughout the system, there are certain cost advantages associated with them. They can distribute the load associated with monitoring across the available hosts on large networks, therefore cutting deployment costs. (Debar, 1999)

Disadvantages of host-based IDPSs

- They cannot see network traffic. Since they are designed to observe a single system rather than network traffic, it seems unfair to characterise this as a negative point.
- Since individual sensors are required for each host, the management and deployment costs associated with host-based systems are usually greater than in other approaches. In very large environments, a host-based approach could be economically feasible.
- Host-based intrusion detection systems have a chronic problem of portability. The sensors are host-based, so they have to be compatible with the platform they run on. This lack of cross-platform support would represent a major obstacle for a corporation wishing to employ a host-based solution.

Network-based IDPSs

Network-based intrusion detection systems collect information from the network itself, instead of collecting information from each separate host. They function fundamentally on a wiretapping concept: information is collected from the network segment. (Bace, 1998) The network-based intrusion detection system checks for attacks or irregular behaviour by inspecting the contents and header information of all the packets moving across the network. The network sensors are equipped with attack signatures. (Bace, 2000)

Using network data as a primary source of information is desirable in several ways. Running network monitors does not degrade the performance of other programs running over the network. This low performance cost is due to the fact that a monitor only reads each packet as it comes across its network segment. (Bace, 2000) The operation of the monitors is transparent to system users (Chang, 1999), and this is also important for the intrusion detection system itself: the transparency of the monitors reduces the likelihood that an adversary will be able to locate one and nullify its capabilities without significant effort (Bace, 2000). This decreased vulnerability strengthens the intrusion detection system and adds another measure of security. Network-based systems are also extremely portable. They only monitor traffic over a specific network segment and are independent of the operating systems of the hosts they are connected to. Properly deployed network-based intrusion detection sensors will listen for all attacks, regardless of the destination operating system type.

Disadvantages of network-based IDPSs

- The sensors spot attacks based on their signatures. These signatures are written from data collected about known, previous attacks, which unfortunately ensures that the signatures will always lag behind the latest underground exploits. (Chang, 1999)
- Scalability: network monitors must inspect every packet that passes through the segment they are placed on.
- Encryption and switching represent two further limitations of network-based approaches. If the network traffic is encrypted, an agent cannot scan the protocol or the content of the packets. The nature of switches makes network monitoring extremely difficult, and network monitors are unable to see traffic travelling on other communication media.

The best mechanism for the scenario is the host-based intrusion detection and prevention system. Because host-based IDPSs reside on particular computers or servers, they monitor activity only on that system. A host-based IDPS benchmarks and monitors the status of key system files and detects when an intruder creates, modifies, or deletes such files; most host-based IDPSs work on the principle of configuration or change management.
A further advantage of a host-based IDPS over network-based IDPSs is that it can usually be installed so that it can access information when that information travels over a network. (SANS, 2005)

Monoalphabetic ciphers (Caesar cipher) (Cipher machines, 2016)

4.2 Advantages of monoalphabetic ciphers:
- It is easy to remember.
- There have been various attempts at making substitutions more secure.

Disadvantages of monoalphabetic ciphers:
- It is easy to predict the pattern of encryption.
- They are not really secure and can be easily broken by statistical means.

4.3 Characteristics of a good cipher:
- The amount of secrecy needed should determine the amount of labour appropriate for the encryption and decryption (the more security is needed, the more encryption effort is warranted).
- The set of keys and the enciphering algorithm should be free from complexity.
- The implementation of the process should be as simple as possible.
- Errors in ciphering should not cause corruption of further information in the message.
- The size of the enciphered text should be no longer than the text of the original message. (Manavi, 2011)

4.4 Caesar cipher

c_i = E(p_i) = p_i + 3

Using this encryption method, the message is as follows: (Whitman & Coles, 2012)

Risk assessment

Risk assessment is the determination of the extent to which the organisation's information assets are exposed or at risk. (Whitman & Michael, 2012)

The importance of risk assessment:
- Increases awareness: it increases awareness of the information security threats and risks in an organisation.
- Achieves mutual understanding: the assessment can help management to understand what information security tries to accomplish.
- Develops a security plan: a focused and definite information security plan can be created after the risk assessment.
- Communicates risk clearly: the risk assessment is designed to produce results that are simple and specific, which someone who does not know much about information security can understand.
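For the Caesar cipher section above (c_i = E(p_i) = p_i + 3), this added example, which is not code from the cited sources, implements the cipher with wrap-around at Z and then recovers the shift by comparing the letter counts of each candidate decryption with English letter frequencies; that comparison is the statistical break the disadvantages list refers to. The sample message is constructed and the frequency table is an approximation.

```python
"""Caesar cipher c_i = E(p_i) = p_i + 3 (mod 26) and a statistical shift
recovery showing why monoalphabetic ciphers are considered weak.
Added illustration; not code from the cited sources."""
import string

ALPHABET = string.ascii_uppercase
# Approximate English letter frequencies in percent, A..Z.
ENGLISH_FREQ = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
                6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]
# Constructed sample message (taken from the risk assessment definition above).
SAMPLE = ("RISK ASSESSMENT IS THE DETERMINATION OF THE EXTENT TO WHICH THE "
          "ORGANISATIONS INFORMATION ASSETS ARE EXPOSED OR AT RISK")

def caesar_encrypt(plaintext: str, shift: int = 3) -> str:
    """Shift each letter by `shift` positions, wrapping past Z; other characters pass through."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)

def caesar_decrypt(ciphertext: str, shift: int = 3) -> str:
    return caesar_encrypt(ciphertext, -shift)

def chi_squared(ciphertext: str, shift: int) -> float:
    """Distance between the letter counts of the text decrypted with `shift` and English."""
    letters = [ch for ch in ciphertext.upper() if ch in ALPHABET]
    n = len(letters)
    if n == 0:
        return float("inf")
    counts = [0] * 26
    for ch in letters:
        counts[(ALPHABET.index(ch) - shift) % 26] += 1
    return sum((counts[i] - n * ENGLISH_FREQ[i] / 100) ** 2 / (n * ENGLISH_FREQ[i] / 100)
               for i in range(26))

def recover_shift(ciphertext: str) -> int:
    """The shift whose decryption looks most like English is the key."""
    return min(range(26), key=lambda s: chi_squared(ciphertext, s))

def demo() -> tuple[str, int]:
    ciphertext = caesar_encrypt(SAMPLE)
    return ciphertext, recover_shift(ciphertext)

if __name__ == "__main__":
    ct, key = demo()
    print(ct)
    print("recovered shift:", key)
```

Because every plaintext letter always maps to the same ciphertext letter, the frequency profile of the message survives encryption, which is what makes the recovery work on any message of a reasonable length.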
Vulnerability assessment

Threat: An attack on the database
Possible vulnerability: The attackers entered the organisation's (Maryland University) network. Students and staff were exposed in a sophisticated database attack, and some databases were compromised.

Threat: Sabotage or vandalism
Possible vulnerability: Their sophisticated, multi-layered security defences were bypassed.

Threat: Theft
Possible vulnerability: Data has value and can be stolen. The data of the people whose confidential information was exposed may be stolen through the network. (Whitman & Cole, 2012)

3.2 IRP (Incident Response Plan), because:

The actions that an organisation can or should take while an incident is in progress should be specified in a document called the incident response plan, which is exactly what is going on in the scenario. The IR plan provides answers to questions victims might pose in the midst of an incident. The IR plan can be used to assess the likelihood of imminent damage and to inform key decision makers in the various communities of interest. The IR plan also enables the organisation to take coordinated action that is either predefined and specific, or ad hoc and reactive. (Whitman & Coles, 2012)

3.3 Avoidance

Avoidance attempts to prevent the exploitation of the vulnerability. This is the preferred approach, as it seeks to avoid risk in its entirety rather than dealing with it after it has been realised. It is accomplished through countering threats, removing vulnerabilities, limiting access to assets, and/or adding protective safeguards. There are three areas of control:
- Policy
- Training and education
- Technology (Dorian, 1997)

3.4 Incident, because:

It was an unexpected event that happened to the Maryland database, and an unexpected event is called an incident. An incident occurs when an attack affects information resources and/or assets, and when we look at the scenario the same thing happened to Maryland University.
3.5 Kerberos protocol

The Kerberos protocol is an authentication protocol, and also a software suite implementing that protocol. It uses symmetric cryptography to authenticate clients to services and vice versa. Other possible uses of Kerberos include allowing users to log into other machines in a local-area network, authentication for web services, authenticating email clients and servers, and authenticating the use of devices such as printers.

Advantages of the Kerberos protocol:
- It is designed to be secure even when performed over an insecure network.
- It makes use of symmetric encryption instead of public key encryption, which makes it computationally efficient.

It is bad for the university because:
- Kerberos has a single point of failure: if the key distribution centre (KDC) becomes unavailable, the authentication scheme for an entire network may cease to function. Larger networks sometimes prevent such a scenario by having multiple KDCs, or by having backup KDCs available in case of emergency.
- If an attacker compromises the KDC, the authentication information of every client and server on the network would be revealed.
- Kerberos requires that all participating parties have synchronised clocks, since timestamps are used.
- Replay attacks: the Kerberos protocol is not as resistant to penetration as it should be. A number of weaknesses are apparent; the most serious is its use of an authenticator to prevent replay attacks. It is not a good thing for people's confidential databases and information to be exposed or revealed over a network. With Kerberos, the incident that happened to the University of Maryland could still be repeated at some point. (Whitman & Coles, 2012)

3.6 Issue-Specific Security Policy (ISSP)
An ISSP for the Maryland University Computer Lab

Title: Fair and responsible use of the Maryland University Computer Lab

Classification: Internal use only

Statement of policy: This policy addresses the fair and responsible usage of the technologies and processes that take place at Maryland University. It is intended for the authorised users within the university. Authorised users are defined as anyone who has been granted approval to access Maryland University information and information systems. Authorised users are expected to comply with the contents of this document.

Prohibited usage: To ensure appropriate protection of privacy, all wireless transmissions will be secured using strong mutual authentication and encryption. The database must be accessed only by the authorised users of the computer lab, and such access must be established and used in conjunction with Maryland University. Only approved technologies are permitted. Maryland University reserves the right to audit any and all technologies associated with the computer lab databases.

Violations of policy: In the event of inappropriate use of the computer lab, the University reserves the right to take whatever steps are deemed appropriate for the specific situation, including, but not limited to, termination of employment or legal action. All violations of this policy should be reported to your direct manager, who will in turn report the violation to the Information Security department.

Policy reviews and modifications: The policy will be reviewed by the Maryland University Information Security department on an annual basis, or as necessitated by changes in technology, and modified where appropriate.

Limitations of liability: The University of Maryland assumes no liability for unauthorised acts that violate local, state, or federal legislation. In the event that such an act occurs, Maryland University will immediately terminate its relationship with the violator and will provide no legal protection or help. (Whitman & Michael, 2012)