Incident response to Cyber Threats Related to the Use of Wireless and Mobile Devices at the Workplace
You’ve recently been promoted to the role of a cybersecurity incident manager as part of a new contract with a major media and entertainment company. The company requires its employees, artists, and clients to have wireless and mobile device access to company networks.
Because of the “bring your own device” policy, there has been an increase in the number of cybersecurity incident reports. You realize that you need to increase awareness of security standards. In your security monitoring of the company networks, you use tools that track employee behavior.
You want company leadership to understand the technologies used in wireless networks and mobile device management, and you want those leaders to be educated about the implementation, threats, and safeguards for all devices—including personal units that are used for work-related tasks. You believe that executive leadership needs to incorporate these kinds of safeguards as part of its business strategy. You decide to compile a cybersecurity incident report that you will send to management. You will list the actions, defense, and preventative measures you have taken to address threats and why.
The report will incorporate terminology definitions, information about the cyber kill chain, and impact assessments. Your cyber incident report will need to illustrate the threats you discovered and the resolutions you employed. You want leadership to be confident about the strategy you have used to defend the company’s networks.
The report will consist of the following steps:
2. Terminology definitions
3. The cyber kill chain (a series of steps that trace the stages of a cyberattack from early reconnaissance to the exfiltration of data)
4. Impact assessment
5. Threats Discovered and Resolutions employed
Gone are the days when the most confidential information on employees’ mobile phones was telephone numbers and their respective contacts (Kaiser, 2019). Advances in technology have since made mobile devices a fundamental part of work. Employees now use their smartphones to conduct sensitive work operations such as accessing official email, stored passwords, trade secrets, and proprietary company data. With the inception of 5G technology, which will streamline accessibility, more entities are bound to adopt mobile technology as a normal part of business. Wireless networks have also allowed employees using mobile phones to access the internet and carry out their business operations both on-premises and remotely.
It is, however, prudent to note that the increase in connectivity, as companies choose to adopt the “Bring Your Own Device” policy, has come with its risks. The high number of cybersecurity incidents makes it evident that these devices are leading to catastrophic security issues. Malicious attackers are primarily looking for any vulnerabilities present within mobile networks and exploiting them for their benefit (Powers, 2021). Therefore, proper security mechanisms must be established so that even as employees continue to use the networks, malicious attackers are kept out. This essay discusses the security risks affiliated with mobile networks and identifies the security mechanisms that protect these systems.
“Bring Your Own Device” Policy: This policy allows an organization’s employees to use their personally owned devices for work-related operations, such as accessing email, connecting to the corporate network, and accessing corporate applications and data.
Wireless Network: A computer network that uses wireless data connections between its network nodes. Examples include mobile phone networks, wireless local area networks, wireless sensor networks, and satellite communication networks.
Wired Equivalent Privacy (WEP): This is a security algorithm for the 802.11 wireless networks whose intention was to provide data confidentiality comparable to that of the conventional wired network.
NIST Cybersecurity Framework: National Institute of Standards and Technology (NIST) is the non-regulatory federal agency focused on promoting innovation and industrial competitiveness through advancements in various aspects, including technology and their respective standards. Its cybersecurity framework is an exhaustive list of guidelines on how an entity can prevent, detect and respond to cyberattacks.
The Cyber Kill Chain
The cyber kill chain is a cybersecurity model developed by Lockheed Martin for tracing all the stages of a cyber attack, identifying the vulnerabilities at each stage, and helping security stakeholders stop the attack at any stage of the chain. The military was the first to use the term kill chain, applying it to the structure of an attack: identifying the target, dispatching forces to it, deciding and ordering the attack, and ultimately destroying the target. For a cyber attack, the following stages make up the chain.
1. The reconnaissance stage:
This is the initial stage of the cyber kill chain, which entails gathering information on a potential target, who could be an individual or an organizational entity. The stage can be broken down into target identification, selection, and profiling (Yadav & Rao, 2015). Within cyberspace, this stage includes crawling the world wide web looking for information on the target. The information collected is used in the later stages of the chain, especially in designing and delivering the payload. Reconnaissance is generally divided into two types: passive and active. Passive reconnaissance collects information on a target without the target’s knowledge. Active reconnaissance entails extensive target profiling and may trigger an alert that warns the target.
Ultimately, this stage provides knowledge of the potential targets, allowing the attacker to decide the kind of weapon suitable for each target, the delivery methods possible for it, the challenges in installing malware, and the security controls that need to be bypassed.
2. Weaponization:
This stage entails designing the backdoor and the penetration plan using the information collected in the reconnaissance stage, which allows successful backdoor delivery. Technically, it binds a software or application exploit to a remote access tool (RAT). Weaponizing entails the design and development of two components: the RAT and the exploit.
The RAT is a piece of software that is executed on the target’s system and gives the attacker remote, hidden, and undetected access (Yadav & Rao, 2015). It is typically considered the payload of the cyber weapon. The second component, the exploit, is the part of the weapon that enables the RAT to execute: it acts as the carrier for the RAT and uses system or software vulnerabilities to drop and execute it. Its primary aim is to evade the user’s attention while setting up silent backdoor access through the RAT.
3. Delivery:
In this stage, the attacker sends the malicious payload to the victim through channels such as email. This is one of many intrusion approaches attackers use; currently, there are over 100 possible delivery methods. The primary objective is for the attackers to launch their mission using the weapon developed in the weaponization stage. The two primary methods are adversary-controlled delivery, which entails hacking directly into an open port, and adversary-released delivery, which entails conveying the malware to the target via phishing.
This stage is therefore considered the high-risk part of the cyber kill chain, since it is responsible for an efficient and effective cyber attack. It is also a high-risk activity for the attacker, since delivery leaves traces. For this reason, many attacks happen anonymously through paid anonymity services, compromised websites, or email accounts (Yadav & Rao, 2015). Since no single delivery method can guarantee 100% success, weapon delivery is likely to use several methods. Failed attempts are at times valuable for getting basic information about the target’s systems.
4. Exploitation:
After the attackers have identified a vulnerability within the system, they exploit the weakness to execute the attack. During the exploitation stage, the attacker compromises the host machine through the delivery mechanism, usually in one of two ways: installing malware that gives the attacker command execution, or installing malware that then downloads additional malware from the internet so that the attacker can execute commands (Deloitte, 2017). Once a foothold has been established inside the network, the attacker will typically download further tools and escalate privileges to extract password hashes, among other things.
Particular conditions need to be fulfilled for the exploit to be triggered. First, the user must be running the software or operating system for which the exploit was created. Second, the software or operating system must not have been updated to a version in which the exploit no longer works (Yadav & Rao, 2015). Finally, the antivirus or other security mechanisms must not be able to detect the exploit, either statically or dynamically at runtime. When these conditions are met, the exploit is triggered and the payload is installed and executed on the target’s system. The payload then connects to its command and control server to report successful execution and waits for further commands (Yadav & Rao, 2015).
5. Installation:
Host-based security measures have developed considerably compared to other security mechanisms. This has prompted innovation in procedures that circumvent host-based controls so that malware can be installed, updated, and controlled on the victim’s computing device. Modern malware installation proceeds in several stages and depends heavily on droppers and downloaders to deliver the malware modules in a complex, multi-step way. Droppers are programs that install and run the malware on the targeted system. Downloaders are designed to perform similar actions to droppers, that is, to disable the targeted system’s security and monitor its software; they also hide the primary components and obfuscate the infection vector, among other activities.
The modern installation life cycle incorporates many checks, balances, and resilience features to maximize the success of the installation and protect the attackers involved (Yadav & Rao, 2015). Some of the techniques used for covert, persistent, and anonymous malware installation are depicted in the table below.
Table 1: Vulnerabilities and Exploits
6. Command and Control
At this phase, the malware opens its command and control connection. For instance, ransomware uses the command and control connection to download the encryption keys before hijacking the files (Deloitte, 2017), and remote access trojans open the command and control connection to allow remote access to the system. This permits persistent connectivity for undisrupted access to the environment and gives the attacker a way to react to defender activity.
The primary process in this phase is command and control of the compromised resource, accomplished through a beacon sent over an allowed path out of the network. Beacons take many forms but typically tend to be HTTP- or HTTPS-based, made to look like benign traffic via falsified HTTP headers (Deloitte, 2017). Where encrypted communication is used, beacons tend to use self-signed certificates or custom encryption over the allowed path.
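Because a beacon with falsified headers looks like ordinary browsing, one way for the defender to spot it is by its timing rather than its content. The following is an added example written for this report (not code from Deloitte or Yadav & Rao); the proxy log lines, hostnames and client address are constructed.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (hypothetical hosts and client address):
# timestamp, client IP, destination host, HTTP method, User-Agent.
# The User-Agent looks like an ordinary browser, as a beacon with
# falsified headers would, so the header alone is not enough to catch it.
SAMPLE_PROXY_LOG = """\
2024-03-01T09:00:00 10.20.5.17 updates.example-cdn.test GET Mozilla/5.0
2024-03-01T09:00:07 10.20.5.17 intranet.corp.test GET Mozilla/5.0
2024-03-01T09:01:02 10.20.5.17 updates.example-cdn.test GET Mozilla/5.0
2024-03-01T09:01:59 10.20.5.17 updates.example-cdn.test GET Mozilla/5.0
2024-03-01T09:02:41 10.20.5.17 intranet.corp.test GET Mozilla/5.0
2024-03-01T09:03:01 10.20.5.17 updates.example-cdn.test GET Mozilla/5.0
2024-03-01T09:04:00 10.20.5.17 updates.example-cdn.test GET Mozilla/5.0
2024-03-01T09:05:03 10.20.5.17 updates.example-cdn.test GET Mozilla/5.0
2024-03-01T09:09:13 10.20.5.17 intranet.corp.test POST Mozilla/5.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.+)$")


def parse_log(text):
    """Yield (timestamp, client, host) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def find_beacons(text, min_requests=5, max_jitter=0.2):
    """Return {(client, host): mean_gap_seconds} for client/host pairs whose
    requests are spaced regularly enough to look like a C2 beacon.

    A pair qualifies when it has at least min_requests requests and the
    coefficient of variation (std dev / mean) of the gaps between
    consecutive requests is at most max_jitter. Real user browsing is
    bursty and irregular; a beacon sleeping a fixed interval is not."""
    times = defaultdict(list)
    for ts, client, host in parse_log(text):
        times[(client, host)].append(ts)

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        if statistics.pstdev(gaps) / mean_gap <= max_jitter:
            beacons[key] = mean_gap
    return beacons


if __name__ == "__main__":
    for (client, host), gap in find_beacons(SAMPLE_PROXY_LOG).items():
        print(f"possible beacon: {client} -> {host} about every {gap:.0f}s")
```

The intranet host is requested only three times at irregular intervals and is ignored, while the six near-minute requests to the CDN-looking host are flagged.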
7. Actions on Objectives:
At this point, the actions refer to the attacker accomplishing their final objectives, which could range from extracting a ransom from the entity in exchange for file decryption to exfiltrating customer information out of the network. In the second example, a data loss prevention solution may stop the data exfiltration before it leaves the network. Other attacks will involve endpoint agent software identifying activity that deviates from the established baseline, so that the IT team is notified that something suspicious could be happening.
The attacker executes commands once communication with the target system is set up (Yadav & Rao, 2015). The commands used depend on the attacker’s interests: mass attacks focus on reaching as many targets as possible, while targeted attacks are more complex and are carried out with more caution (Yadav & Rao, 2015). If the attack is intended to destroy, either attack type could crash the system hard drive or the device drivers, or the attackers may drive the CPU at its maximum capacity for a long time to damage the processor hardware.
Impact Assessment
It is prudent that the entity conducts an impact assessment of its information systems to determine the extent to which changes to the information system have affected the system’s security state. Here, the impact assessment concerns cyberattacks on employees’ wireless and mobile phone connections.
The assessment determines the impact of the wireless and mobile phone networks being attacked by cybercriminals. The consequences of a cyber attack on a smartphone can be just as detrimental as, or even worse than, an attack on a personal computer (PC). According to Patrick Traynor, a researcher and assistant professor at the Georgia Tech School of Computer Science, mobile apps rely on the browser to operate (Traynor et al., 2012); consequently, Web-based attacks on mobile devices have increased over time. Traynor also states that IT professionals, computer scientists, and engineers need to study the differences between mobile and conventional desktop browsers to fully understand how cyber attacks can be prevented (Traynor et al., 2012).
If cybercriminals successfully attack the wireless and mobile networks, the organization must understand the costs of cybercrime. First, the costs of anticipating cybercrime include individual and organizational security measures, insurance expenses, and the costs incurred to comply with the required IT standards (Detica Limited, 2011). The costs as a consequence of cybercrime include business continuity expenses, disaster recovery response costs, and the indirect losses that arise from the commercial exploitation of intellectual property and the opportunity costs of weakened competitiveness. The costs of responding to cybercrime include compensation payments to victims of identity theft, regulatory fines from industry authorities, and indirect expenses affiliated with legal or forensic matters (Detica Limited, 2011). The indirect costs of cybercrime encompass reputational damage to organizations, lost confidence in cyber transactions, reduced public sector revenues, and a growing underground economy. The impact of cybercrime on the organization is extensive, especially once an attack has succeeded (Detica Limited, 2011). Analysis of preventing and dealing with cybercrime has shown that it is better to bear the costs incurred in anticipation of cybercrime than the costs incurred after it has occurred, including the response costs and indirect costs, which tend to be very high.
Threats Discovered and Resolutions Employed
Concerning the wireless and mobile networks within the organization, numerous threats were discovered whose vulnerabilities could be exploited for the benefit of malicious attackers. One threat was configuration challenges, either misconfigurations or incomplete configurations (Wilkins, 2011). Simple configuration challenges lead to numerous vulnerabilities because many users’ access points have no security configuration at all. Configuration issues also include weak security deployments, weak passphrases, and the use of default SSIDs. Any novice user could quickly set up one of these devices and obtain access, or open a network to external use without any further configuration. These activities allow attackers to obtain the SSID and connect without anyone knowing.
The solution to the configuration challenges was a centrally managed Wireless Local Area Network (WLAN) with periodic audits and coordinated updates. A centrally managed WLAN provides various security benefits, including periodic audits and coordinated updates that reduce the total cost of ownership (TCO), improve reliability, and lower risk (Scheck, 2022). The centrally managed WLAN has proven safer and more effective than individually managed access points within the organization’s network.
The second primary threat was the Denial of Service (DoS) attack, which entails limiting users’ access to services (Wilkins, 2011). It can happen through the placement of viruses or worm programs in the network, or the attacker could send extensive traffic to a targeted system to cause a slowdown or shut the wireless services down. The attackers then get the opportunity to hijack resources, view unauthorized information disclosures, and introduce backdoors into the systems. This threat is much easier to carry out against wireless networks, since the signal can easily be interfered with by various techniques. When the wireless LAN uses the 2.4 GHz band, the interference could be caused by something as straightforward as a competing access point on the same channel. Because that band has only three non-overlapping channels, the attacker only needs to cause considerable interference on those three channels to interrupt service (Wilkins, 2011). This attack can also be combined with a rogue access point: the rogue is set up on a channel the authorized access point is not using, and the DoS attack is launched on the channel that is in use, causing the endpoint devices to attempt to reassociate on the different channel used by the rogue access point.
The preventive measures for the DoS attack mainly entail installing the updated security patches from the software vendors. The installed antivirus needs to be kept updated so that DoS tools and email worms can be blocked (NIST, 2012). Firewalls and routers are also needed to provide extensive protection via inbound and outbound filtering, such as stopping spoofed packets with fake source addresses from leaving the network. An egress filter on the network firewall and router ensures that nothing leaves the network except packets with source addresses belonging to the network (Mohammed & Isaac, 2007). An ingress filter confirms that packets coming into the network do not carry source addresses from inside the network. If the attack is not complex, there may be a particular signature in the traffic (Mohammed & Isaac, 2007), and proper examination of captured packets may reveal a specific trait on which access control lists or firewall rules can be based (NIST, 2012). Furthermore, where a vast amount of traffic comes from a particular provider, one could consider temporarily blocking all traffic from those specific sources to allow a portion of authorized activity to go through.
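The egress and ingress filtering rules above, together with the temporary blocking of a single heavy source, can be expressed as a small decision function. This is an added example written for this report (not code from NIST or Mohammed & Isaac); the internal prefixes and sample packets are constructed.

```python
import ipaddress
from collections import Counter

# Constructed address space for the corporate network (hypothetical).
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                 ipaddress.ip_network("192.168.50.0/24")]


def is_internal(addr):
    """True if addr belongs to one of the organization's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def filter_packet(direction, src):
    """Anti-spoofing decision for one packet at the border router.

    egress : a packet leaving the network must carry one of our own
             source addresses; anything else is spoofed and is dropped.
    ingress: a packet arriving from outside must not claim one of our
             own source addresses; such a packet is spoofed and is dropped."""
    if direction == "egress":
        return "allow" if is_internal(src) else "drop"
    if direction == "ingress":
        return "drop" if is_internal(src) else "allow"
    raise ValueError(f"unknown direction: {direction!r}")


def heavy_ingress_sources(packets, threshold):
    """Return external sources that sent more than `threshold` inbound
    packets that passed the spoofing check: candidates for a temporary
    block while the rest of the legitimate traffic is allowed through."""
    counts = Counter(src for direction, src in packets
                     if direction == "ingress"
                     and filter_packet(direction, src) == "allow")
    return sorted(src for src, n in counts.items() if n > threshold)


def decisions(packets):
    """Apply filter_packet to every (direction, src) pair."""
    return [(d, src, filter_packet(d, src)) for d, src in packets]


# Constructed sample traffic as (direction, source address) pairs.
SAMPLE_PACKETS = [
    ("egress", "10.20.5.17"),      # normal outbound request
    ("egress", "198.51.100.9"),    # spoofed source leaving our network
    ("ingress", "203.0.113.10"),   # normal inbound reply
    ("ingress", "10.20.0.1"),      # outside packet claiming an inside address
] + [("ingress", "203.0.113.77")] * 50   # flood from one external host


if __name__ == "__main__":
    for d, src, verdict in decisions(SAMPLE_PACKETS[:4]):
        print(f"{d:<8}{src:<16}{verdict}")
    print("heavy sources:", heavy_ingress_sources(SAMPLE_PACKETS, threshold=20))
```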
The third main threat was the use of rogue or unauthorized access points by attackers, set up within range of the existing WLAN. The main idea is to fool authorized devices within range into associating with the rogue access point instead of the legitimate one. The effectiveness of this kind of attack depends on how much physical access the attacker can obtain. Physical access matters because when a user associates with the rogue access point, they are not in a position to carry out their typical tasks, which makes the vulnerability short-lived and limits its effectiveness. However, if the attacker can gain physical access to the company network and connect the access point through a port, it becomes much easier to keep devices associated and capture data from the network for a longer duration. The exception to this barrier is where the targeted WLAN provides internet access only: the rogue access point can provide simple internet access and leave the user unaware of their vulnerability for a longer period. There are also situations where an authorized user sets up an access point but does not implement proper security mechanisms, which opens a way in for watching attackers.
Various measures are implemented to prevent the establishment of rogue access points, including using appropriate WLAN authentication and encryption techniques. The second measure is establishing and communicating a policy that prohibits employees from setting up their own wireless access points; employees should find it easy to reach the legitimate, secured wireless access points. Also, installing a wireless intrusion prevention system (WIPS) will help scan the radio spectrum for access points with configuration errors.
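The checks a WIPS scan performs against both the configuration issues discussed earlier (open or WEP networks, default SSIDs) and the rogue access points discussed here can be written down as an audit over observed access points. This is an added example written for this report (not a WIPS product's code); the corporate SSID, BSSIDs and scan results are constructed.

```python
from dataclasses import dataclass

# Constructed inventory of the organization's authorized access points
# (hypothetical SSID and BSSIDs); a real WIPS would pull this from the
# central WLAN controller.
CORP_SSID = "MediaCo-Staff"
AUTHORIZED_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}
DEFAULT_SSIDS = {"linksys", "NETGEAR", "dlink", "default", "TP-LINK"}
WEAK_SECURITY = {"OPEN", "WEP"}
REQUIRED_SECURITY = {"WPA2", "WPA3"}


@dataclass
class ObservedAP:
    ssid: str
    bssid: str
    security: str          # "OPEN", "WEP", "WPA2" or "WPA3"
    on_wired_lan: bool     # radio's MAC also seen on a corporate switch port


def classify(ap):
    """Return the findings for one access point seen by the scanner."""
    findings = []
    authorized = ap.bssid.lower() in AUTHORIZED_BSSIDS
    if ap.ssid == CORP_SSID and not authorized:
        findings.append("evil twin: corporate SSID from an unknown BSSID")
    if not authorized and ap.on_wired_lan:
        findings.append("rogue AP: unauthorized radio bridged to the wired LAN")
    if ap.security in WEAK_SECURITY:
        findings.append(f"weak security: {ap.security}")
    if authorized and ap.security not in REQUIRED_SECURITY:
        findings.append("policy violation: authorized AP not using WPA2/WPA3")
    if ap.ssid in DEFAULT_SSIDS:
        findings.append("default SSID: likely an unconfigured consumer AP")
    return findings


def audit(observed):
    """Map BSSID -> findings for every AP that has at least one finding."""
    report = {}
    for ap in observed:
        findings = classify(ap)
        if findings:
            report[ap.bssid] = findings
    return report


# Constructed scan results (hypothetical).
SAMPLE_SCAN = [
    ObservedAP("MediaCo-Staff", "00:11:22:aa:bb:01", "WPA2", True),      # legitimate
    ObservedAP("MediaCo-Staff", "de:ad:be:ef:00:01", "WPA2", False),     # evil twin
    ObservedAP("linksys", "aa:bb:cc:dd:ee:01", "WEP", True),             # employee's own AP
    ObservedAP("CoffeeShop-Guest", "aa:bb:cc:dd:ee:02", "OPEN", False),  # neighbour
]

if __name__ == "__main__":
    for bssid, findings in audit(SAMPLE_SCAN).items():
        print(bssid, "->", "; ".join(findings))
```

The employee's consumer AP trips three checks at once (unauthorized radio on the wired LAN, WEP, default SSID), which is exactly the "open way in" the text describes.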
As identified above, users play a huge role in protecting the wireless and mobile networks from cyber attacks. Therefore, before implementing a BYOD policy and while it is running, users must receive full training sessions that inform them of the benefits and risks of the BYOD policy (EES, 2022). Other effective training methods include a comprehensive manual or allowing team members to schedule personal training sessions with IT staff. This makes it easier for employees to learn how to use their devices productively, understand the risks, and avoid them.
The BYOD policy is fundamental for modern organizations to remain competitive in the current market. However, this policy, which relies on wireless and mobile networks, increases the potential for cybercrime. This discussion has described the cyber kill chain, which an attacker may follow when executing cybercrime on the network, and has examined the impact of these cybercrimes, the specific threats, and their resolutions. Notably, cyber security remains an evolving field, requiring organizations to conduct regular assessments to identify how they can further protect themselves from the menace.
Deloitte. (2017). 7 Stages of Cyber Kill Chain Supplementary Reading. Deloitte Touche Tohmatsu Limited.
Detica Limited. (2011). THE COST OF CYBER CRIME. A Detica Report In Partnership With The Office Of Cyber Security And Information Assurance In The Cabinet Office.
EES. (2022, January 5). How to implement an effective BYOD policy? Retrieved from https://www.eescorporation.com/effective-byod-policy/#:
Kaiser, Z. (2019). 5 ways companies can improve mobile device security. Retrieved from https://www.mcclone.com/blog/5-ways-to-secure-your-companys-mobile-devices
Mohammed, L. A., & Issac, B. (2007). Detailed DoS attacks in wireless networks and countermeasures. International Journal of Ad Hoc and Ubiquitous Computing, 2(3), 157-166.
NIST. (2012). Guidelines for securing wireless local area networks. Retrieved from 91ab25dd1b47/1/NISTGuidelinesforSecuringWirelessLocalAreaNetworksWLANsSpecialPublication800-153.pdf
Powers, J. (2021). The ultimate guide to mobile device security in the workplace. Retrieved from https://www.techtarget.com/searchmobilecomputing/The-ultimate-guide-to-mobile-device-security-in-the-workplace
Scheck, S. (2017, August 19). 5 of the major security threats that wireless networks face. Retrieved from https://tweakyourbiz.com/technology/5-major-security-threats-wireless-networks-face
Traynor, P., Ahamad, M., Alperovitch, D., Conti, G., & Davis, J. (2012). Emerging Cyber Threats Report 2012. Atlanta: Georgia Tech Information Security Center
Wilkins, S. (2011, November 2). Common wireless network security threats. Retrieved from https://www.pluralsight.com/blog/it-ops/wireless-lan-security-threats
Yadav, T., & Rao, A. M. (2015, August). Technical aspects of cyber kill chain. In the International Symposium on Security in Computing and Communication (pp. 438-452). Springer, Cham.