Question A
A1. Reconnaissance
Active information gathering is reconnaissance in which the pen-tester, or the attacker, engages the target directly, so the organisation can become aware that it is being probed. In the scenario, this implies that the attackers of the Western Interconnection power grid at some point interacted directly with the grid's computer systems: mapping the network infrastructure, enumerating hosts and scanning the exposed services for vulnerabilities, with the aim of eventually reaching the grid's unpublished directories, files and servers. Direct contact with the target would also have yielded operating-system fingerprinting, banner grabbing and web-server and application scan results. It is therefore highly likely that the adversaries used these active information-gathering techniques to gain intelligence on the target; and because every one of them sends traffic to the target, this is also the stage at which the grid's own sensors had their first opportunity to notice the intrusion.
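The banner-grabbing step mentioned above, as an added example that is not part of the original essay. A throwaway TCP listener on 127.0.0.1 (constructed here to stand in for a grid host; its banner, the classification table and all names are assumptions of this example) sends a banner, the probe connects and classifies what it receives, and the listener records the peer that connected, which is exactly what makes this stage visible to a defender.

```python
"""Active reconnaissance: banner grabbing against a local stand-in service.

Added example, not part of the original essay. The probe completes a TCP
handshake with the target, so the target (and any sensor in front of it)
sees the contact: this is what distinguishes active from passive gathering.
"""
import re
import socket
import threading

# Assumed banner for the stand-in service (constructed for this example).
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"


def start_fake_service(banner=FAKE_BANNER):
    """Start a one-shot listener on 127.0.0.1 that sends `banner` to the first client.
    Returns (host, port, connection_log); connection_log records every peer that
    connected, i.e. what the target itself would be able to log."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    host, port = srv.getsockname()
    connection_log = []

    def serve():
        conn, peer = srv.accept()
        connection_log.append(peer)  # the target sees the probe's source address
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return host, port, connection_log


def grab_banner(host, port, timeout=2.0):
    """Connect, read up to 1024 bytes, return the decoded banner ("" if silent)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
    return data.decode("utf-8", errors="replace").strip()


# Banner pattern -> service name. Deliberately small; an assumption of this example.
# SMTP is tested before FTP because both greet with a 220 line.
BANNER_PATTERNS = [
    (re.compile(r"^SSH-2\.0-OpenSSH_(\S+)"), "ssh"),
    (re.compile(r"^220 .*\b(?:ESMTP|SMTP)\b"), "smtp"),
    (re.compile(r"^220 .*FTP", re.IGNORECASE), "ftp"),
    (re.compile(r"^HTTP/1\.[01] \d{3}"), "http"),
]


def classify_banner(banner):
    """Map a banner string to {"service": ..., "version": ...}."""
    for pattern, service in BANNER_PATTERNS:
        m = pattern.match(banner)
        if m:
            version = m.group(1) if pattern.groups else ""
            return {"service": service, "version": version}
    return {"service": "unknown", "version": ""}


def probe(host, port):
    """Grab and classify the banner of one host:port."""
    banner = grab_banner(host, port)
    result = classify_banner(banner)
    result["banner"] = banner
    return result


if __name__ == "__main__":
    host, port, log = start_fake_service()
    print("probe result:", probe(host, port))
    print("target saw connection from:", log)
```

The `connection_log` returned by the stand-in service is the point of the example: a single banner grab already leaves a source address in the target's logs, which is why the essay treats active gathering as the detectable half of reconnaissance.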
Similarly, the adversaries must have used passive information-gathering techniques that gave them useful intelligence about the grid's computer systems without any contact with them. To protect themselves from detection or suspicion, they would have taken care not to use any tool that sends traffic to the target and thereby signals an impending attack. Passive gathering draws on what the institution itself publishes: its social-media pages, its website, and whatever search engines have indexed, none of which requires the attacker to be anywhere near the Western Interconnection's facilities. The technical burden lies in validation: to establish the legitimacy of what they found, the adversaries would have had to cross-check each item against other stored information. The most apparent limitation of passive gathering is that the information may be out of date or simply wrong, since much of it comes from third parties. Even so, this mode would have yielded the grid's infrastructure-provider addresses and the identities of its external sites, people, technologies, content of interest and, possibly, vulnerabilities.
A2. Weaponization and delivery
Having gathered intelligence on the grid's computer systems, the adversaries would have combined what they learned about the servers, the computers' operating systems and the open ports to select a weakness to exploit. Weaponization is the pairing of a malicious payload with a delivery mechanism; delivery is carrying that payload to the target, here by exploiting the identified vulnerability in software at the control system of the Western Interconnection power grid. Detecting this activity can be difficult, and at times impossible, for the grid's administrators. An open port identified during reconnaissance, for example a management interface, would serve as the gateway through which the attackers navigate the system and execute the payload.
A3. Exploitation and Installation
To advance their objective, the adversaries could have relied on an insider: an official with local access to one of the personal computers at the grid. All that is required of the official is to plug a USB drive into one of those computers. The drive would carry an infected file from an exploit kit. Once the file is opened, the exploit kit scans the computers it can reach for weak points in the operating systems, such as control-system software the administrators have failed to update, and uses that weakness as a gateway into the network, installing malware and securing control of the systems (Valeriano, 2015).
For instance, the adversaries could have delivered, through any user with local access to the grid's computers, a small stager shellcode whose sole purpose is to download and execute a more capable payload once it runs. Such shellcode must be portable across the hosts it may land on, which is one reason this staged approach is used. This would have been the focal point of the attack. Once this stage completes successfully, the attackers have a foothold and incident response becomes necessary, because the installed malware persists on the machine (Richet, 2015).
A4. Command and Control
During this phase the adversaries establish a channel to the compromised network so that they can send commands and receive data whenever they wish. They would do this by having the implanted malware call out to a command-and-control server under their control and relaying commands to the grid's network through that server. From the grid's side this is outbound traffic, so it can pass through the firewall, if one is implemented, without triggering the intrusion detection system (O'Day, 2005). A remote-access toolkit such as the Koadic command-and-control framework could be used for this. The graphical representation below shows the channel in the network that the adversaries would exploit.
From the representation above, only the demilitarised zone separates the grid's internal network from unauthorised and malicious remote access. The adversary's entry point is therefore the interface between the external communication infrastructure and the servers. This assumes that the network is not protected by a firewall. It would therefore be prudent to place a firewall at that entry point, configured with policies and privileges that restrict access to the servers and that also monitor and detect malicious activity in the network.
A5. Actions
The exfiltration stage is when the data that has been the target all along is taken. Collecting information about the environment of the compromised machine serves either an immediate or a longer-term purpose, and it facilitates the gathering of sensitive and vital information: the source code of a new operating system, the design of a new product that cost a great deal to develop, or access to credit cards (Farwell, 2011). Having established the system's weaknesses and gained control of it, the adversaries would also have access to the processes under the control system, and could use that knowledge and control to deliberately compromise the computer information systems, to the detriment of the company.
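The two stages just described, command and control (A4) and exfiltration (A5), both leave traces in the grid's egress logs, and the essay's point that the traffic passes the firewall without triggering detection holds only if nobody looks for those traces. The following is an added example, not part of the original essay or of any referenced work: it runs two checks over constructed flow-log lines (the line format, hosts, addresses, volumes and thresholds are all assumptions of this example). The first flags beaconing, a host calling the same external address at a near-constant interval; the second flags exfiltration, a host sending far more bytes outbound than it receives. Real proxy, NetFlow or firewall logs carry the same fields under different names.

```python
"""Detecting the command-and-control and exfiltration stages in egress logs.

Added example, not part of the original essay. All log lines below are
constructed; addresses are from the documentation ranges (RFC 5737).
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: one beaconing host, one exfiltrating host, one normal host.
SAMPLE_LOG = """\
2021-03-04T10:00:00Z src=10.20.1.15 dst=203.0.113.7 bytes_out=512 bytes_in=240
2021-03-04T10:00:05Z src=10.20.1.30 dst=192.0.2.80 bytes_out=1500 bytes_in=40000
2021-03-04T10:00:09Z src=10.20.1.30 dst=192.0.2.80 bytes_out=1500 bytes_in=40000
2021-03-04T10:01:01Z src=10.20.1.15 dst=203.0.113.7 bytes_out=512 bytes_in=240
2021-03-04T10:02:00Z src=10.20.1.15 dst=203.0.113.7 bytes_out=512 bytes_in=240
2021-03-04T10:03:02Z src=10.20.1.15 dst=203.0.113.7 bytes_out=512 bytes_in=240
2021-03-04T10:03:40Z src=10.20.1.30 dst=192.0.2.80 bytes_out=1500 bytes_in=40000
2021-03-04T10:03:59Z src=10.20.1.15 dst=203.0.113.7 bytes_out=512 bytes_in=240
2021-03-04T10:04:00Z src=10.20.1.30 dst=192.0.2.80 bytes_out=1500 bytes_in=40000
2021-03-04T10:05:01Z src=10.20.1.15 dst=203.0.113.7 bytes_out=512 bytes_in=240
2021-03-04T10:06:00Z src=10.20.1.15 dst=203.0.113.7 bytes_out=512 bytes_in=240
2021-03-04T10:07:00Z src=10.20.1.15 dst=203.0.113.7 bytes_out=512 bytes_in=240
2021-03-04T10:10:00Z src=10.20.1.22 dst=198.51.100.9 bytes_out=900000 bytes_in=800
2021-03-04T10:10:30Z src=10.20.1.22 dst=198.51.100.9 bytes_out=900000 bytes_in=800
2021-03-04T10:11:00Z src=10.20.1.22 dst=198.51.100.9 bytes_out=900000 bytes_in=800
2021-03-04T10:12:30Z src=10.20.1.30 dst=192.0.2.80 bytes_out=1500 bytes_in=40000
2021-03-04T10:12:31Z src=10.20.1.30 dst=192.0.2.80 bytes_out=1500 bytes_in=40000
2021-03-04T10:20:00Z src=10.20.1.30 dst=192.0.2.80 bytes_out=1500 bytes_in=40000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"bytes_out=(?P<out>\d+) bytes_in=(?P<in>\d+)$"
)


def parse_flows(text):
    """Parse the constructed log format into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        flows.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "dst": m["dst"],
            "bytes_out": int(m["out"]), "bytes_in": int(m["in"]),
        })
    return flows


def _by_pair(flows):
    pairs = defaultdict(list)
    for f in flows:
        pairs[(f["src"], f["dst"])].append(f)
    return pairs


def detect_beacons(flows, min_events=6, max_cv=0.15):
    """Return [(src, dst, mean_interval_s, cv)] for pairs whose inter-connection
    intervals are regular. cv = stdev/mean of the gaps: a person browsing produces
    a high cv, a sleep(60)-style implant a low one. Thresholds are assumptions."""
    hits = []
    for (src, dst), fs in _by_pair(flows).items():
        if len(fs) < min_events:
            continue
        times = sorted(f["ts"] for f in fs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append((src, dst, mean, cv))
    return hits


def detect_exfil(flows, min_bytes_out=1_000_000, min_ratio=5.0):
    """Return [(src, dst, bytes_out, bytes_in)] for pairs where outbound volume is
    large and dwarfs inbound volume. Thresholds are assumptions; tune to baseline."""
    hits = []
    for (src, dst), fs in _by_pair(flows).items():
        out = sum(f["bytes_out"] for f in fs)
        inn = sum(f["bytes_in"] for f in fs)
        if out >= min_bytes_out and out >= min_ratio * max(inn, 1):
            hits.append((src, dst, out, inn))
    return hits


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for src, dst, mean, cv in detect_beacons(flows):
        print(f"beacon  {src} -> {dst}: every {mean:.0f}s (cv={cv:.3f})")
    for src, dst, out, inn in detect_exfil(flows):
        print(f"exfil   {src} -> {dst}: {out} bytes out vs {inn} in")
```

The beacon check keys on timing rather than on the destination or payload, which is why it still works when the command-and-control traffic is encrypted or uses a toolkit, such as Koadic, whose protocol the intrusion detection system does not recognise; the exfiltration check keys on volume asymmetry for the same reason. Both are rough and need site-specific thresholds, and an implant that randomises its sleep interval or trickles data out slowly will evade them.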
Question B
B1. People
People are the essential element of a defence-in-depth strategy. The best technology in the world is useless without the personnel who administer it and the users who need access. People, using technology to conduct the organisation's operations, are both the strategy's main subject and its target. People create, install, operate, authorise, assess, evaluate and maintain the various security measures kept in place.
A complete programme of education, training, practical experience and awareness, pursued at a high level, is required to gain and maintain the knowledge and proficiency needed for these tasks. The key components of the people element of defence in depth are training, certification, awareness, system security administration, physical security and personnel security (Choo, 2014).
For instance, regular training would equip personnel at the site with the skills to recognise contemporary network security threats and the strategies intruders and hackers use to compromise a system, and so make them aware of the precautions they should take against them (Choo, 2014). An applicable information-assurance policy in this context would be a requirement that all network users at the Western Interconnection grid complete a quarterly training programme on information-system security and records management, and be certified accordingly, before continuing with any operational activity on the network. This would raise the level of information assurance at the site by keeping all personnel up to date on the security of its facilities and infrastructure, and by preparing them for new developments in the threat landscape.
Similarly, an organised system security administration would support professional upkeep and maintenance of the equipment at the site (Heckman, Stech, Thomas, Schmoker, & Tsow, 2015). Rules of behaviour for network users at the grid could be instituted: for example, that all users handle network information and system outputs in a manner that conforms to the Privacy Act's provisions on the protection of the various classes of information, and that network administrators handle such information according to records-management requirements. This would support close monitoring of output equipment and information at the site, as well as timely detection of, and reaction to, any weakness the facilities reveal. Another appropriate information-assurance policy for the grid would be that network users are prohibited from attempting to access network resources for which they hold no authority. Coupled with monitoring, this would protect sensitive corporate data from unauthorised access and allow such attempts to be detected promptly, shielding data and information from imminent threats.
B2. Technology
Perfect security can never be achieved with a single technology. The technology component is more than installing the latest and greatest security products: it covers the full life cycle of those systems, including their support and development, and requires a full assessment and foresight to place each product correctly within the defence-in-depth strategy. The main areas of focus are the defence-in-depth layers, security criteria, acquisition, risk assessment, and certification and accreditation (C&A); each layer is associated with a security device.
The security criteria state whether a product performs its role at the expected level of performance. An example is evaluating network- and host-based intrusion detection systems for a network, or determining the most effective and usable virus scanner. This information is then passed on to the appropriate acquisition professionals, who procure products that meet those requirements and specifications.
To this effect, it would be prudent for the Western Interconnection grid to adopt a policy requiring an assessment of the reliability of the technologies in place, covering both short-term and long-term reliability, so as to ascertain the consistency of the grid's bulk power system. Such an assessment would also cover the security of the industrial control systems (ICS) in supply-chain transactions. Other procedures suitable under the security criteria include consistently identifying and securing all connections to the ICS; enforcing strict accountability for individuals' actions on the ICS after proper security training; and deactivating unnecessary services, ports and protocols that make the network vulnerable.
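The last procedure above, deactivating services, ports and protocols the ICS host does not need, is only enforceable if it is checked. The following is an added example, not part of the original essay: it parses constructed output in the layout of `ss -Hltnp` on a Linux host (the host, processes, ports and the allowlist are assumptions of this example) and reports every listener that is not on the allowlist, plus every allowlisted port that is being served by an unexpected process. The well-known ICS ports used here (502 Modbus/TCP, 20000 DNP3, 44818 EtherNet/IP) are real; the daemon names are invented.

```python
"""Host-side audit of listening TCP services against an allowlist.

Added example, not part of the original essay. To run it against a real host:
    ss -Hltnp | python3 audit_listeners.py
(with no stdin it audits the constructed sample below).
"""
import re
import sys

# Constructed sample in the layout of `ss -Hltnp` (-H suppresses the header row).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 5 0.0.0.0:502 0.0.0.0:* users:(("modbusd",pid=1301,fd=4))
LISTEN 0 50 0.0.0.0:23 0.0.0.0:* users:(("telnetd",pid=977,fd=3))
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:* users:(("python3",pid=2210,fd=6))
LISTEN 0 64 [::]:20000 [::]:* users:(("dnp3d",pid=1410,fd=5))
LISTEN 0 64 0.0.0.0:44818 0.0.0.0:* users:(("nc",pid=2399,fd=3))
"""

# Port -> the only process allowed to serve it on this host (an assumption).
ALLOWLIST = {
    22: "sshd",       # remote administration
    502: "modbusd",   # Modbus/TCP
    20000: "dnp3d",   # DNP3
    44818: "enipd",   # EtherNet/IP
}

PROC_RE = re.compile(r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)')


def parse_ss(text):
    """Parse `ss -Hltnp` lines into dicts with addr, port, proc, pid.
    Column 4 is Local Address:Port; rsplit handles both 0.0.0.0:22 and [::]:20000."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)
        m = PROC_RE.search(line)
        listeners.append({
            "addr": addr.strip("[]"),
            "port": int(port),
            "proc": m["proc"] if m else "?",
            "pid": int(m["pid"]) if m else None,
        })
    return listeners


def audit(listeners, allowlist=ALLOWLIST):
    """Return a list of findings; an empty list means the host matches policy.
    'unexpected_service': the port is not allowlisted at all.
    'unexpected_process': the port is allowlisted but served by another binary,
    which is what a backdoor squatting on a legitimate ICS port looks like."""
    findings = []
    for entry in listeners:
        expected = allowlist.get(entry["port"])
        if expected is None:
            findings.append({**entry, "finding": "unexpected_service"})
        elif entry["proc"] != expected:
            findings.append({**entry, "finding": "unexpected_process",
                             "expected": expected})
    return findings


if __name__ == "__main__":
    text = SAMPLE_SS_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for f in audit(parse_ss(text)):
        extra = f" (expected {f['expected']})" if "expected" in f else ""
        print(f"{f['finding']:19} {f['addr']}:{f['port']} "
              f"served by {f['proc']} pid {f['pid']}{extra}")
```

Run on the sample, the audit reports Telnet on port 23 and the loopback-only web server on 8080 as services with no place on an ICS host, and port 44818 as an allowlisted ICS port being served by `nc` rather than the expected daemon. A loopback-only listener is still reported, because a local foothold (the USB scenario in A3) can reach it.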
B3. Operations
The operations element deals with the application of security actions within an area. Its components are assessments, monitoring and analysis, warning, response and reconstruction. Careful and timely decisions must be made about further response, such as declaring a higher information-operations condition (INFOCON), isolating critical systems, or taking other appropriate action. Operations also include improving situational awareness, conducting exercises and performing vulnerability assessments to improve the security posture (Lacey, 2013).
Question C
C1. Sources
Cordesman (2003) emphasises that people are the essential part of the defence-in-depth process: the finest technology in the world is useless without the personnel who administer it and the users who need access, and people using technology to conduct their operations are the strategy's main subject (Cordesman, 2003). The command-and-control stage of an attack is the period after which the adversaries control the compromised system. A compromise does not necessarily mean command and control, just as command and control does not necessarily mean exfiltration. It is understood that successful communication back to the adversary usually has to be established before any impact on the data can be realised.
Heckman et al. (2015) emphasise that this can be prevented deliberately, by identifying the command-and-control traffic the same adversary used in past unsuccessful attacks and building network defences from it, or accidentally, when the adversary leaves behind malware that is somehow incompatible with the network infrastructure (Heckman, Stech, Thomas, Schmoker, & Tsow, 2015).
References
Choo, K. K. (2014). A conceptual interdisciplinary plug-and-play cyber security framework. In K. K. Choo, ICTs and the Millennium Development Goals (pp. 81-99). Boston, MA: Springer.
Cordesman, A. H. (2003). The Iraq War: strategy, tactics, and military lessons. Westport, CT: Praeger.
Farwell, J. (2011). Cyber threats. Basingstoke: Taylor and Francis.
Heckman, K. E., Stech, F. J., Thomas, R. K., Schmoker, B., & Tsow, A. W. (2015). Cyber Denial, Deception and Counter Deception: a Framework for Supporting Active Cyber Defense. Cham: Springer International Publishing.
Lacey, D. (2013). Advanced Persistent Threats: How to Manage the Risk to Your Business. ISACA Publishing Press.
O'Day, A. (2005). Cyberterrorism. Burlington, VT: Ashgate.
Richet, J. (2015). Cybersecurity policies and strategies for cyberwarfare prevention. Hershey, PA: Information Science Reference.
Valeriano, B. (2015). Cyber war versus cyber realities: cyber conflict in the international system. Oxford: Oxford University Press.