Cybersecurity Incident Report

Security monitoring was not previously considered when the WLAN was implemented. As such, we did not have the proper infrastructure to do so: we did not have APs that could identify rogue APs, or a management system that could identify and fingerprint devices, such as Cisco ISE. WLANs are typically more vulnerable than their wired counterparts because there are no specific connection points; connected devices can be anywhere within a certain range of the AP. This allows devices to be moved in order to hide them. That risk is compounded by the common problem of poor security configuration (e.g. using an old, outdated security protocol such as WEP instead of a more secure one such as WPA2; both are discussed further below in the Continuous Improvement Plan section), and by the fact that WLANs are also subject to attacks from wired connections (NIST, 2012), since a WLAN typically has a connection point to the internet that provides a possible attack vector if it is not secured. While security monitoring can identify attacks before they are completed, not all attacks are identifiable. Passive attacks, such as those already discussed, do not send transmissions and therefore have no identifiable traits on the network. The only attacks or infiltration attempts that can be detected are those that active monitoring can identify, such as the previously discussed masquerading, replay, message modification, denial of service, misappropriation, or rogue APs.

To improve incident response times, it can be helpful to examine the Cyber Kill Chain framework, which is modeled after the military methodology of the “kill chain”. It provides a methodology for examining expected attack patterns and their phases. Attacks typically follow a specific pattern of phases: reconnaissance, weaponization, delivery, exploitation, installation, command & control, and actions (Korolov & Myers, 2017). Using the framework, you can better identify what an attacker's next actions might be and focus on ensuring that those targets or goals are hardened and protected. The reconnaissance phase is usually difficult to detect and harden against, as it does not require interaction with the target systems the attacker plans to exploit; it could take the form of researching information on employees from outside the corporate network (e.g. through LinkedIn). The weaponization phase is when the attacker builds a payload they believe can exploit a vulnerability and create a backdoor for access. Delivery is the means of getting the payload to the target, whether through a media device an employee unknowingly tries to use (e.g. a USB drive), an email with a malicious attachment, or a malicious link to a spoofed website. The exploitation phase is when the code executes on the target's system. That code enables the installation phase, which installs the intended malware on the target's system. This allows the malware to be commanded and controlled remotely, which can be used to create backdoors or to actively carry out the actions the attacker wishes (e.g. ransomware, data exfiltration, etc.).