Information Security and Analysis Labda4: NIST Report For VIT

Uploaded by

Ved Prakash Jain

Information Security and Analysis

LAB DA 4

NIST Report for VIT

Manan Jain
19BCE2183
• The NIST Cybersecurity Framework (NIST CSF) provides guidance on how to manage
and reduce IT infrastructure security risk. The CSF is made up of standards, guidelines
and practices that can be used to prevent, detect and respond to cyberattacks.

• The National Institute of Standards and Technology (NIST) created the CSF for private
sector organizations in the United States to create a roadmap for critical
infrastructure cybersecurity.

• At VIT University, the SDC is responsible for the critical cybersecurity infrastructure.

1. IDENTIFY

● Make a list of all equipment, software, and data you use

VTOP, Codetantra, Moodle, Microsoft Teams, laptops, tablets, mobile phones, Excel, etc.

● Make a list of all vendors and vendor accounts that have access to university
systems.

Codetantra is an external platform on which VIT students attempt their exams.

The vendors who supplied the digipads and the computers in the labs also have access.

● Identify roles and responsibilities for employees, vendors, and anyone else with
access to sensitive data.

Faculty, the Dean, HoDs, the COE, the Registrar, and the staff members who develop
and maintain the college software.

● Identify steps to take to protect against an attack and limit the damage if one
occurs, including the creation of an incident management plan.
1. Maintain backups – thoughtfully

2. Develop plans and policies

3. Review port settings

4. Harden your endpoints

5. Keep systems up-to-date

6. Implement an IDS
● Identify the gaps and prioritize your current vulnerabilities and weaknesses,
ranking them relative to the actual level of concern. Worry Index = %impact ×
%probability

• Vulnerability---a weakness of an asset (resource) or a group of assets that can be
exploited by one or more threats

• Risk---potential for loss, damage, or destruction of an asset as a result of a
threat exploiting a vulnerability

• Example: In a system that allows weak passwords,

– Vulnerability---the password is vulnerable to dictionary or exhaustive key-search
attacks

– Threat---an intruder can exploit the password weakness to break into the
system

– Risk---the resources within the system are prone to illegal
access/modification/damage by the intruder.

• Threat agent---entities that would knowingly seek to manifest a threat

● Identify and address the privacy implications of identity management and access
control measures to the extent that they involve the collection, disclosure, or use
of personal information.

Records are secured through password-protected files, encryption when sending
information over the internet, and even old-fashioned locked doors and drawers.
Where possible, information is not recorded in a way that links subject responses
with identifying information.

● Explicitly manage the on-boarding and off-boarding of employee accounts. Force
removal and disabling of exited employee credentials and recovery of assets.
● Update your relevant school board policies for employee and student records to
address data privacy, confidentiality, and accountability.

2. PROTECT

● Control and track who logs on to your network and uses your computers and
other devices.

Access to the network and associated facilities is limited to authorized users,
processes, and devices, and is managed consistent with the assessed risk of
unauthorized access to authorized activities and transactions using Identity
Management, Authentication and Access Control. Employee access should be
granted based on business need and job responsibilities, providing temporary
role-based access to only those resources and data required at that moment in
time.

To monitor users on the network, VIT can:

● Download and install Nmap.
● Compare Nmap's list with your router's list.
● Install Wireshark.
● Analyze suspicious activity.
● Use network monitoring software.
● Check your router's log.
● Keep Wireshark running.
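As an added example (not part of the original report), the Python script below parses a constructed Nmap greppable listing (the `-oG` output of `nmap -sn`) and a constructed router DHCP lease table, then reports the hosts that answered on the wire but are missing from the router's list, and the leased hosts that did not answer. Both sample formats are assumptions; adapt the lease parser to your router's export.

```python
import re

# Constructed sample of Nmap greppable output (nmap -sn -oG -); not real scan data.
NMAP_OUTPUT = """\
# Nmap 7.80 scan initiated
Host: 192.168.1.1 (router.lan)\tStatus: Up
Host: 192.168.1.10 (lab-pc-01.lan)\tStatus: Up
Host: 192.168.1.11 (lab-pc-02.lan)\tStatus: Up
Host: 192.168.1.57 ()\tStatus: Up
Host: 192.168.1.200 ()\tStatus: Down
# Nmap done
"""

# Constructed router DHCP lease table (hostname, IP, MAC), as exported from a router admin page.
ROUTER_LEASES = """\
router      192.168.1.1   00:11:22:33:44:01
lab-pc-01   192.168.1.10  00:11:22:33:44:10
lab-pc-02   192.168.1.11  00:11:22:33:44:11
printer-1   192.168.1.20  00:11:22:33:44:20
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")

def parse_nmap(text):
    """Return {ip: hostname} for the hosts Nmap reports as Up."""
    up = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m and m.group(3) == "Up":
            up[m.group(1)] = m.group(2)
    return up

def parse_leases(text):
    """Return {ip: (hostname, mac)} from the router lease export."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            leases[parts[1]] = (parts[0], parts[2])
    return leases

def compare(nmap_text, lease_text):
    """Hosts live on the wire but absent from the router's table need review
    (static IPs, rogue devices, stale inventory); leased hosts that are silent
    may be switched off or spoofed elsewhere."""
    live = parse_nmap(nmap_text)
    known = parse_leases(lease_text)
    unknown = sorted(ip for ip in live if ip not in known)
    silent = sorted(ip for ip in known if ip not in live)
    return unknown, silent

if __name__ == "__main__":
    unknown, silent = compare(NMAP_OUTPUT, ROUTER_LEASES)
    print("Live but not in router list:", unknown)
    print("Leased but not responding:", silent)
```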

● Create a process for disabling potentially compromised accounts globally.

A compromised U-M account is one accessed by a person not authorized to
use the account. Criminals and hackers target U-M users to gain access to the
U-M network, processing power, and/or storage they can use to commit crimes.

All users must be notified if any suspicious activity occurs in their account and
the users must be provided with an option to revoke and reissue credentials.
● Change your purchase process to make cybersecurity part of your intake
process. Modify RFP evaluation templates. Update contract and MoU templates
to include cybersecurity language and concerns.
● Encrypt sensitive data, at rest and in transit. Protect your API and encryption
keys. Encrypt laptops and USB drives with offline data to protect against theft
and loss.
○ Access control: Protect all physical access to your server, client and/or
data rooms with keys, chip cards, walls, lockers, alarms and the like.
○ Minimization: Ensure that all authorized parties can access only the
data specifically related to their own tasks and/or authorization, without
being allowed to see anything else.
○ Integrity: Protect your data from accidental loss, destruction or damage
using appropriate countermeasures (fire/flood sensors, Disaster Recovery
and the like).
○ Pseudonymisation: Replace user-related data by random, anonymous
blocks of text, so that the owner is still able to retain the entries (for
statistical purposes) while stripping them of any personal information.
○ Encryption in transit: Ensure that data is always transmitted using
strong in-transit encryption standards (SSL/TLS certificates) and through
secure connections; this also applies to any kind of website and web-based
service containing forms, login screens, upload/download capabilities and
so on.
○ Encryption at rest: Protect your local data storage units (including those
used by servers and desktop and mobile clients) with a strong at-rest
encryption standard; ensure that data stored in SaaS and cloud-based
services is also encrypted at rest.
○ Confidentiality: Prevent unauthorized or unlawful processing by
implementing concepts such as separation of concerns and separation of
duties, enforcing password policies, and so on.
○ Evaluation: Submit the whole system to regular technical reviews and
third-party audits, adopt an effective set of security indicators, and so on.
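As an added example (not from the original report), the script below pseudonymises constructed student records. It uses a keyed hash (HMAC-SHA256) rather than purely random tokens so that every entry of one student carries the same opaque token and statistics still work, while names, e-mails and registration numbers are dropped; the key, the field names and the records are assumptions.

```python
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers (assumed); all other fields are kept.
IDENTIFYING_FIELDS = ("name", "email", "reg_no")

def make_pseudonymiser(key: bytes):
    """Return a function mapping an identifier to a stable, opaque token.
    Same input + same key = same token, so one student's records stay
    linkable; without the key the token cannot be turned back into the id."""
    def pseudonym(value: str) -> str:
        return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
    return pseudonym

def pseudonymise(record: dict, pseudonym) -> dict:
    """Replace the identifying fields by one subject token; drop the originals."""
    out = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    out["subject"] = pseudonym(record["reg_no"])
    return out

# Constructed sample records, not real student data.
RECORDS = [
    {"name": "A. Student", "email": "a@example.edu", "reg_no": "19BCE0001",
     "course": "CSE", "marks": 81},
    {"name": "B. Student", "email": "b@example.edu", "reg_no": "19BCE0002",
     "course": "CSE", "marks": 67},
    {"name": "A. Student", "email": "a@example.edu", "reg_no": "19BCE0001",
     "course": "ECE", "marks": 74},
]

def average_marks_by_subject(records, pseudonym):
    """Statistics still work after pseudonymisation: mean marks per token."""
    totals = {}
    for rec in records:
        r = pseudonymise(rec, pseudonym)
        n, s = totals.get(r["subject"], (0, 0))
        totals[r["subject"]] = (n + 1, s + r["marks"])
    return {subject: s / n for subject, (n, s) in totals.items()}

if __name__ == "__main__":
    key = secrets.token_bytes(32)   # store this key apart from the data set
    p = make_pseudonymiser(key)
    for rec in RECORDS:
        print(pseudonymise(rec, p))
    print(average_marks_by_subject(RECORDS, p))
```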
● Conduct regular backups of data. Test the backups.

Ensure that all the relevant data is subject to regular backups, and also be sure to
check the backups regularly to confirm that the data can be successfully retrieved.

● Schedule application, operating system (OS), and firmware updates regularly,
automating those patches where possible.

Create a list of all your production systems. If necessary, do a search for
commercial network scanners and automated discovery products that can help
with this process. Then compare the list against any new security vulnerabilities
that are reported, update as necessary, and automate everything possible.

● Have formal policies for safely disposing of electronic files and old devices,
including printers.
● Partition your networks into smaller pieces.

Subnetting is the process of stealing bits from the HOST part of an IP address in
order to divide the larger network into smaller sub-networks called subnets. After
subnetting, we end up with NETWORK, SUBNET and HOST fields. We always reserve
one IP address to identify the subnet (the network address) and another one for the
subnet's broadcast address.
When you divide your network into subnets, you can also better contain security
incidents. Because there are clear separations between subnets, you can set
rules to limit traffic between each distinct subnet, and you can reduce exposure
to security incidents.
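As an added example (not from the original report), the Python script below uses the standard ipaddress module to split a constructed campus block into /24 subnets, showing how many host bits were stolen for the SUBNET field and the two reserved addresses of each subnet; the final check is the question a between-subnet filtering rule answers. The network block is an assumption, and the code assumes prefixes shorter than /31.

```python
import ipaddress

def subnet_plan(network: str, new_prefix: int):
    """Split `network` into /new_prefix subnets and report, for each, the two
    reserved addresses (network and broadcast) and the usable host range."""
    net = ipaddress.ip_network(network, strict=True)
    stolen_bits = new_prefix - net.prefixlen   # host bits borrowed for the SUBNET field
    if stolen_bits <= 0:
        raise ValueError("new prefix must be longer than the original prefix")
    plan = []
    for sub in net.subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())   # excludes the network and broadcast addresses
        plan.append({
            "subnet": str(sub),
            "network_addr": str(sub.network_address),
            "broadcast_addr": str(sub.broadcast_address),
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "usable_hosts": len(hosts),
        })
    return stolen_bits, plan

def same_subnet(ip_a: str, ip_b: str, prefix: int) -> bool:
    """True when both addresses fall inside the same /prefix subnet, i.e. traffic
    between them never crosses a subnet boundary where filtering rules apply."""
    subnet_of_a = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in subnet_of_a

if __name__ == "__main__":
    bits, plan = subnet_plan("10.20.0.0/22", 24)   # constructed campus block
    print(f"{bits} host bit(s) stolen for the subnet field")
    for entry in plan:
        print(entry)
    print(same_subnet("10.20.1.5", "10.20.2.9", 24))   # different subnets
```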
● Make sure you have enabled all malware protections in your web filters.

OpenDNS provides Web content filtering at the individual domain level, which
enables administrators to Always Block (adds domain to the blacklist) or Never
Block (adds domain to the whitelist) the Internet domains that you specify. When
you manage domains directly, these settings override any specified through
category filtering.

To manage individual domains, log in to your OpenDNS account, select the
network and navigate to Web Content Filtering. Select the action you want to apply
for a domain and enter that domain in the blank text box. Select Add Domain and
repeat as necessary.
● Limit the use of Domain Admin and other sensitive accounts to as needed ONLY,
and force multi-factor authentication (MFA) for sensitive accounts.
● Use different admin passwords for staff, students, and servers. Change them
periodically.
● Train everyone who uses your computers, devices, and network about
cybersecurity. You can help employees understand their personal risk in addition
to their crucial role in the workplace.

Partners such as Codetantra, Moodle and Schoology should also understand their
responsibilities.

3. DETECT

● Monitor your computers and web use for unauthorized personnel access, devices
(like USB drives), software, and shadow IT data uses like Dropbox, Google Drive,
Box and ShareFile.

When running company workstations that connect to the Internet, you have to
think about the security of VIT. A basic way to do this is to monitor the
workstation to ensure that no unauthorized users are connected. This means
using monitoring utilities to determine incoming and outgoing connections,
keeping track of strange files or files that have been modified by others and
keeping track of your system logs to determine who has logged into your system.

1. Check all incoming and outgoing connections using the Netstat command. To do
so, navigate to the "Start" button, then type "cmd" (without quotes) in the Search
field. Click the "cmd" entry that appears in the search results. Enter the command
"netstat -a" (without quotes) into the command prompt. A list of incoming and
outgoing TCP connections appears, including their foreign domain address
names and IP addresses. Look for any addresses you do not recognize.

2. Look for files modified without your knowledge. Search your Windows 7
filesystem by clicking the Search field and using the "date modified" qualifier to
locate any files modified in the last few hours without your knowledge. For
example, a search such as "datemodified:07/13/12..07/14/12" will look over two
days for recently modified files.

3. Check your login history. Click "Start | Control Panel | System and Security |
Administrative Tools | Event Viewer." You can go through the daily system logs to
determine when user accounts logged in to the system, and determine when this
happened without your knowledge.
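As an added example (not from the original report), the Python script below reviews constructed logon records in the shape of rows exported from the Security log in Event Viewer, turning the manual login-history check above into repeatable logic: it flags successful logons by accounts not on the expected list, logons outside working hours, a burst of failed logons (Event ID 4625) from one source, and a success (Event ID 4624) that follows such a burst. The event IDs are the standard Windows Security log IDs; the account list, working hours, thresholds and log rows are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon rows (timestamp, event ID, account, source address) in the shape
# of a Security log export. 4624 = successful logon, 4625 = failed logon. Not real data.
LOG_LINES = """\
2023-03-01 09:02:11,4624,mjain,10.20.1.15
2023-03-01 09:15:40,4624,labadmin,10.20.1.2
2023-03-01 23:41:03,4624,mjain,10.20.1.15
2023-03-02 02:10:05,4625,labadmin,10.20.9.77
2023-03-02 02:10:09,4625,labadmin,10.20.9.77
2023-03-02 02:10:14,4625,labadmin,10.20.9.77
2023-03-02 02:10:20,4625,labadmin,10.20.9.77
2023-03-02 02:10:31,4624,labadmin,10.20.9.77
2023-03-02 10:00:00,4624,guest42,10.20.1.30
"""

KNOWN_ACCOUNTS = {"mjain", "labadmin"}   # assumed list of accounts that should exist
WORK_HOURS = range(8, 20)                # 08:00-19:59 is expected activity
BURST_THRESHOLD = 4                      # this many failures ...
BURST_WINDOW = timedelta(minutes=5)      # ... within this window is a burst

def parse(lines):
    events = []
    for line in lines.splitlines():
        ts, eid, account, src = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), account, src))
    return events

def review_logons(lines):
    """Return (kind, account, source, time) findings for a person to investigate."""
    findings = []
    recent_failures = defaultdict(list)   # (account, source) -> failure times in window
    for ts, eid, account, src in parse(lines):
        key = (account, src)
        # keep only the failures that are still inside the sliding window
        recent_failures[key] = [t for t in recent_failures[key] if ts - t <= BURST_WINDOW]
        if eid == 4625:
            recent_failures[key].append(ts)
            if len(recent_failures[key]) == BURST_THRESHOLD:
                findings.append(("failed-logon-burst", account, src, ts))
        elif eid == 4624:
            if account not in KNOWN_ACCOUNTS:
                findings.append(("unknown-account", account, src, ts))
            if ts.hour not in WORK_HOURS:
                findings.append(("after-hours-logon", account, src, ts))
            if len(recent_failures[key]) >= BURST_THRESHOLD:
                findings.append(("success-after-failed-burst", account, src, ts))
    return findings

if __name__ == "__main__":
    for finding in review_logons(LOG_LINES):
        print(finding)
```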

● Activate data loss prevention (DLP) tools where you have them, and watch for
social security numbers, credit card numbers, and other sensitive data patterns.
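As an added example (not from the original report), here is a small Python scanner for the two patterns named above, US social security numbers and payment card numbers, run over constructed sample text. Card candidates are validated with the Luhn checksum so that order ids and phone numbers do not trigger alerts; the regular expressions and the sample lines are assumptions.

```python
import re

# Patterns for the sensitive-data types named above (assumed formats).
# The card pattern is deliberately loose (13-19 digits with optional
# separators) and is tightened by the Luhn checksum below.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan_line(line: str):
    """Return (kind, masked_value) for each sensitive pattern found in one line."""
    hits = []
    for m in SSN_RE.finditer(line):
        hits.append(("ssn", "***-**-" + m.group(0)[-4:]))
    for m in CARD_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return hits

def scan(text: str):
    """Scan a document line by line; returns [(line_no, kind, masked_value)]."""
    return [(n, kind, masked)
            for n, line in enumerate(text.splitlines(), start=1)
            for kind, masked in scan_line(line)]

# Constructed sample text. The card number is the widely used test number
# 4111 1111 1111 1111, which passes Luhn; the "order id" on line 3 does not.
SAMPLE = """\
Fee receipt for reg 19BCE2183, amount 1200
Card on file: 4111 1111 1111 1111 exp 12/25
Reference 1234 5678 9012 3456 is an order id, not a card
Emergency contact SSN 219-09-9999
Phone 9876543210 is fine
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```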

1. Arcserve UDP

● Data loss and downtime prevention for cloud/on-premise workloads.
● Data recovery validation for shorter downtimes.
● Storage optimization by freeing up 20X more capacity.
● VM and bare-metal recovery for faster data restoration.

2. Barracuda Backup

■ Backup: You can store a duplicate data instance offsite to protect
against local disasters and data loss. Barracuda offers unlimited
cloud storage that lets you scale data assets with ease. All data
goes through 256-bit AES encryption, and data is backed up every
15 minutes to enable near-continuous protection.
■ Recovery: Barracuda Backup comes with multiple restore options,
including bare metal restoration and faster, image-based
restoration. The LifeBoot feature allows users to leverage
Barracuda Cloud Storage as a booting environment if the main
virtual environment is experiencing downtime.
■ Management: Barracuda Backup has a centralized management
console with role-based admin access. You can leverage the
solution as an all-in-one physical appliance or in a pure software
format.

3. Code42

Key features: Incydr comes with a variety of features:

■ Detection: It connects with endpoint devices, cloud, and
email to mitigate insider risk through a file, vector, and user
behaviour-based analysis.
■ Investigation: You can drill down into user profiles, specific
file events, and risk indicators to identify your top security
priorities.
■ Response: Incydr integrates with SIEM systems to raise
security events and automate responses.
● Log, alert, and actively investigate any unusual activities on your network or by
your staff.

Security Log Management Challenges Met by Event Log Analyzer

Roll up your sleeves, for it is time for action towards building a strong security log management
foundation. Count your reasons:

● A security incident is not an accident. You can very well prevent thefts of your secured data.
● The evolving compliance regulations ensure your IT infrastructure takes the reins of
information security into its own hands. Your organization is bound to abide by the laws set
towards internal security.
● Beneficial in storing adequate information on events for a specified period
● Scaling to meet the demands of the growing number of logs and sorting these event logs to
identify the security-related activities for operational, compliance, and security reasons
● Protecting your confidential corporate information from unauthorized disclosure that could be
a threat in disguise to your network security.
● Reports employee abuse on restricted access information
● Includes in-built threat intelligence and alerts you to malicious IPs and URLs. Also processes
prominent STIX/TAXII threat feeds and alerts you to malicious URLs, IPs, and domains.
● Prevents several common deadly attacks such as Denial of Service, SQL injection, and
others
● Correlates events from all devices in your network, including routers, firewalls, VPNs,
servers, applications, and workstations, to detect potential attack patterns.
● Protects your business-critical applications by detecting anomalies and attacks
● Secures your network devices including routers, firewalls, and IDS/IPS

● Solves regulatory requirements, assists in forensic analysis and identifies IT issues near
real-time providing convenience in troubleshooting these issues
● Security theft is a corporate threat and recovery from the theft is an expensive affair,
nevertheless, required to ensure business continuity. Investing in a security log management
tool is wise and worth it.
● By ensuring security towards electronic customer information, you gain trust, everlasting
business relations, improve revenues and enhance customer experience

4. RESPOND – have (and regularly test) a plan for:

● Notifying students, faculty, and others whose data may be at risk.
● Keeping all the operations up and running.
● Reporting the attack to law enforcement, the state, and other authorities.
● Filing with your cyber insurance provider.
● Updating your cybersecurity handbook and disaster recovery plan with lessons
learned.
● Preparing for other threats (weather, power, air conditioning) that may put data at
risk.
● Managing communications with the parents, community and the press.

To secure the information that flows across internal networks and to/from the
Internet, colleges and universities need to effectively manage their physical and logical
network infrastructure. The protection of networked information assets requires policies,
standards, and a sound network control strategy. If you are just getting started in this
area of your security program, then the following steps can be very helpful to get
underway:

1. Develop policies and standards that support the:
   1. Establishment of clear authority and accountability for network management.
   2. Risk-based segregation of groups of systems, users, and information systems.
   3. Authority to control, actively monitor, and log traffic traversing designated ingress and
   egress points.

2. Identify threats related to the communications environment.
   1. Evaluate threat scenarios and methods of network attack (reconnaissance, exploitation,
   data exfiltration).

3. Identify the most critical systems, data, or equipment within the network (see Asset and Data
Management).

4. Use routing and firewalls to define the network perimeter.

5. Use a border firewall and/or Intrusion Detection/Prevention Devices to limit entry/exit of network
traffic.

6. Define the “demilitarized zone” of the network where the public can access limited network
resources, as well as public access points to the network such as open access ports and public
WiFi.

7. Define restricted portions of the network for use by authorized staff and facility personnel; use
identity and access management controls for users and systems on the network.

8. Define highly restricted portions of the network such as within data centres, communications
facilities, or other highly restricted areas.

9. Establish information transfer policies and encryption standards that address varied needs for
confidentiality, integrity, and non-repudiation of internal and external data exchanges.

5. RECOVER – after an incident:

● Repair and restore the equipment and parts of your network that were affected.
● Keep faculty and customers informed of your response and recovery activities.

The university repairs its reputation after an incident. Recovery activities are communicated
to the executive and management teams. Crisis response strategies are implemented,
including actions to change perceptions of the university in crisis and to reduce the negative
effect generated by the crisis.
From the above-mentioned cybersecurity framework, it is clear that aligning the
cybersecurity framework with our university objectives and making it part of our culture
will greatly help us prepare for upcoming incidents.
