Jakob Coker

300444995

CYBR37 Final Assignment


Section 1 (35 Marks)

(1) [5 Marks] Briefly compare and contrast multilevel and multilateral security models in
terms of their goals and application areas.
Multilevel and multilateral security models are both security policies, each with its own
protection properties that the system requires. Both policies encompass a variety of access
control models.

Multilevel security (also known as Mandatory Access Control - MAC) is a security model in
which access is based on the security level assigned to objects and subjects. Confidentiality
policies following this model are generally implemented for database systems which hold
information at different levels of classification, such as military organisations. It attempts to
ensure that data can be read only by a principal whose level is at least as high as the data’s
classification.

Multilateral security (also known as compartmented security) is a security model which follows
the idea of controlling information flow across a database or other shared data. The primary
goal of this model is that anyone will have access to exactly what they need, and nothing more.
The focus of multilateral security is inference control and compartmentation, which, put simply,
means keeping data separated and preventing information flowing ‘across’, rather than ‘down’,
which is the focus of multilevel security. Confidentiality policies following this model are
generally implemented for database systems which require information to be separated
between departments, such as hospitals with medical records or government organisations
where access to classified data needs to be restricted to particular departments/teams.

(2) [5 Marks] Explain why the Bell-LaPadula star property was introduced to the security
model.
The Bell-LaPadula *-property was initially introduced to prevent attacks which use malicious
code. Its purpose is to ensure that the security policy is enforced independently of both users’
direct and indirect actions, i.e. actions taken by programs that users run.
In general, the *-property enforces a policy that no process may write data ‘down’ to a lower
level, also known as no write down (NWD). This ties in with the simple security property: no
process may read data at a higher level, also known as no read up (NRU).
A good example of a would-be violation of the security policy which the *-property prevents is if
an attacker embedded some code in a product which would look for secret documents to copy
and then write them down to where its creator could read them.

(3) [5 Marks] Outline the principle of least privilege and explain how this can be
implemented by applying the principle of weak tranquillity in the Bell-LaPadula security
model.
The principle of least privilege is a security principle which ensures all entities have the least
privilege required to perform their duties, and nothing more. This principle can be implemented
by introducing the weak tranquility property, which says that “...labels never change in such a
way as to violate a defined security policy.” - Security Engineering: A Guide to Building
Dependable Distributed Systems, Second Edition, Part II, Chapter 8 - Multilevel Security.
With this property a system can implement the principle of least privilege by starting a process
at an uncleared level, after which the user’s process is upgraded each time it accesses data
at a higher level (as long as the user’s clearance is higher than or equal to that level). This
means that a user is elevated only to the clearance required for each task, not to their highest
clearance every time.

(4) [5 Marks] Do you consider inference control for Census data to be an example of
multilateral or a multi-level security model? Make sure you justify your answer.
Inference control for Census data would be an example of a multilateral security model. This is
because multilateral security policies are catered towards controlling information spreading
‘across’ departments/areas. Census data is most likely compartmented in such a way that
information is kept from the entities which shouldn’t have it, such as the personal details of
people involved in the census, which should be kept anonymous. Further justification is that
parts of the Census data would most likely be used for different reasons in each department or
branch, and so the security model would need to ensure that each department only gets the
information it requires.

(5) [5 Marks] Briefly explain why the Chinese-Wall security model is an example of a
Mandatory Access Control security model.
The Chinese Wall model is an example of the MAC security model (or multilateral security
model) because it is designed upon internal rules to prevent conflicts of interest (which are
called Chinese Walls). This model introduces the concept of separation of duty into access
control, stating that a user can choose Task A or Task B, but not both, because they are
considered to be conflicts of interest. Once a duty has been chosen, the user’s actions in that
sector/department are constrained, which prevents information sharing in a multilateral system.

(6) [5 Marks] Consider a General using a computer system secured using the
Bell-LaPadula security model. Imagine that she is required to issue written orders to her
Lieutenant Generals. Explain why the computer system would prevent her from issuing
the orders?
Using a computer would most likely require a program in order to issue the orders. The
Bell-LaPadula model introduces the *-property which enforces a policy that no process may
write data ‘down’ to a lower level, also known as no write down (NWD). This property will
prevent the General from issuing orders to lower level users (Lieutenant Generals). This
prevents any malicious code from sending classified data to lower levels which can then be read
without correct clearance. A multilevel security policy model would be more appropriate for this
security system.

(7) [5 Marks] Successful execution of a TCP session Hijack attack requires guessing the
correct sequence number expected by the server. List TWO ways to determine the
correct sequence number to use.
1. Randomly guessing sequence numbers
2. Snooping over the session

Section 2 (65 Marks)

(8) [5 Marks] Briefly evaluate whether requiring the use of the TCP protocol instead of
the UDP protocol would prevent DNS amplification attacks.
The TCP protocol is actually used to mitigate DNS amplification attacks, often by having the
responding DNS server force queries such as ANY and TXT record queries to use TCP. If an
attacker were redirected to TCP responses, it could reveal their source IP, because TCP
requires a three-way handshake. TCP packets can still have their source IPs spoofed, but that
would be a different process, so DNS amplification attacks are mitigated. This process, however,
would require TCP port 53 to be opened, which could allow for a SYN/ACK flood attack rather
than DNS amplification.

(9) [4 Marks] Discuss to what extent firewalls and intrusion detections can be used to
detect confidentiality breaches.
In the current tech industry, firewalls and IDSs can be configured to protect against countless
known vulnerabilities, and to find new vulnerabilities through careful monitoring and analysis.
The shortcomings of firewalls and IDSs, however, are:
● The heavy reliance on physical security, which can render a good portion of the system’s
security useless if the real-world system isn’t secure enough. The system can be the
most securely configured in the world, but if it’s physically vulnerable, many threats
become possible.
● Uncertainty - the majority of vulnerabilities which are detected and managed follow
patterns that are suspicious or known breach attempts; the extent to which firewalls and
IDSs can detect confidentiality breaches is limited to those breaches which we know are
possible and have a clear reasoning. We cannot prevent breaches which don’t exist yet,
and we don’t know what will be worth stealing in the future.

(10) [6 Marks] Describe the process by which a rule-based IDS such as snort detects
the following attacks. Use actual examples of Snort rules to illustrate your answers. a.
IP spoofing Attack b. Dictionary Attack against a SSH service c. Worm Propagation
Snort Explanation:
A set of personalised or generic rules and internal network variables are written to the config file
by the administrator; the rules are then loaded into the Detection Engine and the network
variables into the Decoder.
During run-time, the Packet Decoder receives incoming packets from the internet and decodes
them.
Next, the decoded packets are sent to the Preprocessor, which holds host and internet network
data such as MAC/IP addresses, ports, etc. in order to compare both the packet and the rules
against.
In order to detect attacks the packet is sent to the Detection Engine; if the packet violates any
rules it is dropped. A Snort rule is divided into two logical sections: the Rule Header and the Rule
Options. The first contains the rule’s action, protocol, source/destination IPs and netmasks, and
source/destination ports. The second contains any alert messages and information about which
parts of the packet to inspect.
An example of a rule to generate an alert every time it detects a TCP SSH protocol dictionary
attack:
    alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Potential SSH Scan"; \
        flags:S; threshold:type threshold, track by_src, count 5, seconds 120; \
        flowbits:set,ssh.brute.attempt; classtype:attempted-dos; sid:2001219; rev:8;)
After dropping (or allowing) the packet, the IDS will either go to the Logging and Alerting
system or to the various Output Modules, both of which handle alerting the host or adding a log to
a file (depending on the rule and what it is told to do). The key difference, however, is that Output
Modules are plugins which can perform specific types of logging/alerting, including sending
SNMP traps, modifying configuration on routers and firewalls, and various other API-based
tasks.
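As an added illustration (not part of the original assignment, and not Snort's own code), the following Python re-implements the header match and the threshold logic of the rule above over a constructed packet sample; $HOME_NET is assumed to be 10.0.0.0/8 and $EXTERNAL_NET its complement.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of decoded TCP packets, standing in for what Snort's Packet
# Decoder hands to the Detection Engine: (seconds, src IP, dst IP, dst port, TCP flags)
PACKETS = [
    (0,   "203.0.113.5",  "10.0.0.12", 22, "S"),
    (10,  "203.0.113.5",  "10.0.0.12", 22, "S"),
    (20,  "203.0.113.5",  "10.0.0.13", 22, "S"),
    (30,  "203.0.113.5",  "10.0.0.14", 22, "S"),
    (40,  "203.0.113.5",  "10.0.0.15", 22, "S"),   # 5th SYN inside 120 s -> alert
    (45,  "203.0.113.5",  "10.0.0.15", 22, "A"),   # ACK only: flags:S does not match
    (50,  "10.0.0.9",     "10.0.0.12", 22, "S"),   # internal source: not $EXTERNAL_NET
    (60,  "198.51.100.7", "10.0.0.12", 80, "S"),   # port 80: rule header does not match
    (200, "203.0.113.5",  "10.0.0.12", 22, "S"),   # window expired: counter restarts at 1
]

HOME_NET = ip_network("10.0.0.0/8")  # assumed $HOME_NET; $EXTERNAL_NET is everything else


def header_matches(pkt):
    """Rule header plus flags:S: tcp $EXTERNAL_NET any -> $HOME_NET 22, SYN only."""
    _, src, dst, dport, flags = pkt
    return (ip_address(src) not in HOME_NET and ip_address(dst) in HOME_NET
            and dport == 22 and flags == "S")


def detect_ssh_scan(packets, count=5, seconds=120):
    """Simplified re-implementation of 'threshold:type threshold, track by_src,
    count 5, seconds 120' (not Snort's own code): alert on every count-th matching
    packet from one source inside a window of `seconds`, then restart the window.
    Returns a list of (timestamp, src_ip, msg) alerts."""
    state = defaultdict(lambda: {"start": None, "n": 0})  # tracking keyed by source
    alerts = []
    for pkt in packets:
        if not header_matches(pkt):
            continue
        ts, src = pkt[0], pkt[1]
        s = state[src]
        if s["start"] is None or ts - s["start"] >= seconds:
            s["start"], s["n"] = ts, 0  # no window, or it has expired: open a new one
        s["n"] += 1
        if s["n"] >= count:
            alerts.append((ts, src, "BLEEDING-EDGE Potential SSH Scan"))
            s["start"], s["n"] = ts, 0  # fired: restart the window
    return alerts


if __name__ == "__main__":
    for ts, src, msg in detect_ssh_scan(PACKETS):
        print(f"[{ts:>4}s] {msg} from {src}")
```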

(11) [9 Marks] Compare the similarities and differences between signature and
anomaly-based Intrusion Detection Systems in the context of systems with many
different operating systems and components such as bring your own devices according
to the following criteria: a. Detection rate (false positive and false negative) b.
Performance as time goes on c. Management of the IDS system

IDS System: Signature-based
  Detection Rate: Low rate of false positives because it is designed to detect known
  intrusions.
  Performance: Will become more redundant over time unless more signatures are added to
  the blacklist to remain effective.
  System Management: Will need to be updated ASAP for any new intrusion signature,
  otherwise will become redundant.

IDS System: Anomaly-based
  Detection Rate: High initial rate of false positives/negatives because it is designed to
  teach itself what an anomaly looks like.
  Performance: Will become more effective over time as long as genuine users behave in
  predictable ways, as this will reinforce the learning of anomalies which are threats.
  System Management: Needs to be trained in order to differentiate between genuine user
  mistakes and intrusion attempts.

(12) [9 Marks] A key feature of hybrid IDPS systems is event correlation. After
researching event correlation online, define the following terms as they are used in this
process: a. Compression, b. Suppression c. Generalization.
Compression
Takes multiple occurrences of a single event and analyses them for repeated information,
keeping only the unique information, such as a count of how many occurrences there are.
After this the occurrences are merged into a single instance of the event carrying the
information needed to differentiate between one event and many occurrences of that event. This
difference could look like a single alert, “1000 SSH connection attempts”, instead of 1000
separate “SSH connection attempt” alerts.
Suppression
Assigns priorities to alerts and tells the system to suppress lower-priority event alerts when
higher-priority events occur.
Generalization
Correlates alerts with other higher-level events, such as many different events failing with a
correlated cause. These higher-level events are reported rather than the individual events
pre-generalization.
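The three operations above, worked through in an added Python example (not part of the original assignment or of any particular IDPS product); the alert tuple format, the priorities and the single generalization rule are assumed.

```python
from collections import Counter, defaultdict

# Constructed raw alert stream (assumed format): (timestamp, source host, priority 1-5, message)
RAW_ALERTS = (
    [(t, "203.0.113.5", 2, "SSH connection attempt") for t in range(1000)]
    + [(1000, "203.0.113.5", 5, "SSH brute force detected"),
       (1003, "10.0.0.20", 3, "HTTP 500 from web-1"),
       (1004, "10.0.0.21", 3, "HTTP 500 from web-2"),
       (1005, "10.0.0.30", 4, "Database db-1 unreachable")]
)
# Assumed generalization rule: when all of these lower-level events are present,
# report one higher-level event in their place.
GENERALIZATION_RULES = {
    frozenset({"HTTP 500 from web-1", "HTTP 500 from web-2", "Database db-1 unreachable"}):
        "Backend outage: web tier failing because db-1 is down",
}

def compress(alerts):
    """Compression: collapse repeated (source, message) pairs into one alert
    carrying the occurrence count (first timestamp, highest priority kept)."""
    first_seen, counts, priority = {}, Counter(), {}
    for ts, src, prio, msg in alerts:
        key = (src, msg)
        first_seen.setdefault(key, ts)
        counts[key] += 1
        priority[key] = max(priority.get(key, 0), prio)
    return sorted((first_seen[k], k[0], priority[k],
                   f"{counts[k]} x {k[1]}" if counts[k] > 1 else k[1]) for k in counts)

def suppress(alerts):
    """Suppression: once a higher-priority event exists for a source, drop that
    source's lower-priority alerts (simplified: no time window)."""
    top = defaultdict(int)
    for _, src, prio, _ in alerts:
        top[src] = max(top[src], prio)
    return [a for a in alerts if a[2] >= top[a[1]]]

def generalize(alerts, rules=GENERALIZATION_RULES):
    """Generalization: when every event of a rule's set is present, report the
    higher-level event (earliest time, all sources, highest priority) instead."""
    present = {a[3] for a in alerts}
    out, absorbed = [], set()
    for parts, summary in rules.items():
        if parts <= present:
            members = [a for a in alerts if a[3] in parts]
            absorbed |= parts
            out.append((min(m[0] for m in members),
                        ",".join(sorted({m[1] for m in members})),
                        max(m[2] for m in members), summary))
    out += [a for a in alerts if a[3] not in absorbed]
    return sorted(out)

def correlate(alerts):
    """Full pipeline: 1004 raw alerts in, 2 actionable alerts out."""
    return generalize(suppress(compress(alerts)))
```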

(13) [6 Marks] List and explain three malicious behavior addressed by a Host Based
Intrusion Detection System (HIDS)
1. Loss of data integrity - if packets or files are intercepted and injected with malicious code,
it may be too late for a system by the time it is discovered. HIDS helps to discover this
before the damage can happen by scanning a system, creating an MD5 hash (or
other hash) as the output and saving it in a read-only section. Upon transmitting or
receiving the data, the MD5 checksum can be checked against the saved hash, and a
mismatch will indicate a loss of integrity.
2. HIDS systems are able to monitor CPU usage of a system and detect anomalous CPU
load spikes, which can be used as a detection method for a potential attacker performing
an amplification attack or other intensive malicious behaviour.
3. HIDS can detect failed connection attempts, which can be used to measure malicious
or anomalous behaviour based on the frequency of these failed attempts, and can
differentiate between a failed logon and an attempted brute force attack.

(14) [10 Marks] Tarpit and Dionaea are two server honeypot systems, one primarily
used to slow down or stop the propagation of worms and the other to collect of malware
binaries respectively. Explain the underlying mechanism by which these honeypot
operate.
Honeypots are, in layman’s terms, ‘bait’ for attackers attempting to find and exploit vulnerabilities
in systems. This ‘bait’ works by intentionally exposing common vulnerabilities, such as pretending
to be poorly designed, and relies on the assumption that the attacker is going to believe the
system is the real one and either continue messing about within the system to find more
vulnerabilities or give up before finding the actual system. Server honeypot systems are usually
placed (not physically) close to the actual server to feign legitimacy and populated with common
services such as mail, HTTP, or FTP servers, which serves the same purpose as the former and
acts as an entry point for would-be attackers. Tarpit and Dionaea use these underlying
mechanisms for different purposes, however. Tarpit is designed to slow down an attacker by
acting like a ‘tar pit’ in order to discourage the attacker from attacking the functional system. An
example of this could be creating a delay upon an invalid login attempt, which is bearable for
normal users but crippling for attackers (when done right). Dionaea uses the mechanisms in
order to monitor and perform R&D on the attacker’s techniques while they poke around inside
the honeypot; this is for the purpose of interpreting malware and extracting malware
binaries.

(15) [5 Marks] How can server honeypots’ detection capabilities be integrated into Snort
IDPS to detect worm propagation across a network?
Ran out of time :’(

(16) [5 Marks] What security vulnerabilities are unique to or intensified by using VPN?
A unique aspect of using a VPN connection is that the connection is under the mandate of the
VPN owner/company rather than the communicating parties’ ISP. Over the internet, ISPs have
historically been the only entities able to snoop on certain connections, but are prevented from
doing so in most cases by governments and contracts. Because a VPN company takes the ISP’s
place, however, the trust between the establisher and the established can no longer be
guaranteed, because the VPN company holds the keys and the locks. Even with a reputable
company, VPN companies are much more likely to be breached due to their size and
experience in the industry.
A vulnerability intensified by using VPNs is the expectation for VPNs to be running 24/7. This
causes a severe lack of patching, leading to vulnerable packets being found on the internet.
Due to this need to be operational all the time, it’s been found that web applications take an
average of 34 days to patch a vulnerability.

(17) [6 Marks] Name and explain the three Protocols used in IPSec and their role in the
secured VPN communication
Authentication Header (AH)
The AH protocol authenticates the header (source/dest info) and the payload (the actual data). It
is used during secured VPN communication to guarantee the integrity of the data being sent
pre-encapsulation and encryption.
Encapsulating Security Payload (ESP)
The ESP protocol allows us to add a security policy to the packet (header+payload) and encrypt
it; this encryption is done using the kernel CryptoAPI. The ESP protocol uses a Security
Parameter Index (SPI), which is a unique number to denote a connection between two hosts.
ESP also uses Sequence Numbers (SN), which increment by one for each packet sent, and has
an Integrity Check Value checksum (ICV) for each packet. The benefit of using ESP is to allow
datagrams to travel along the network layer with protocols that usually wouldn’t be usable,
thanks to the encapsulation and added security policy.
Internet Key Exchange (IKE)
This protocol is used for the secret key exchange between two hosts. This secret key is used by
the ESP protocol to calculate the checksum and verify the integrity of each packet. This secures
VPN communication by both preventing snooping and detecting loss of integrity.
