Project Final Report
Cyber Security Department
Project DESIGN (407422)
Protection against ‘EternalBlue’ vulnerability
Submitted by:
| Student Name | Student ID |
| Name 1 | |
Term:
Date:
Table of Contents
1. Introduction
1.1 Statistics on Cyber Vulnerabilities
1.2 Project Impact
2. Problem Statement
3. Background
4. Requirements and Specifications
5. System Design
5.1 Solution Concept
5.2 Architecture
5.3 Component Design
5.4 System Integration
6. Progress
References
1. Introduction
A cybersecurity vulnerability is any weakness in an organization's information systems, internal controls, or system processes that an attacker can exploit. Through such weaknesses, adversaries gain access to systems and collect data. Vulnerabilities therefore need to be monitored as part of the organization's overall security posture, because a single gap in a network can lead to a full-scale breach.
Vulnerabilities differ from cyber threats in that they are not introduced into a system; they are present from the beginning. Vulnerabilities are rarely created by the actions of attackers; they are usually caused by operating system flaws or network misconfigurations. Threats, by contrast, arise from an outside event such as an employee downloading malware or a social engineering attack.
There is a huge range of possible vulnerabilities and of consequences from their exploitation. The US government's National Vulnerability Database (NVD), which is fed by the Common Vulnerabilities and Exposures (CVE) list, currently holds over 150,000 entries. One well-known example is CVE-2017-0144, a flaw in the SMBv1 implementation in Windows that the EternalBlue exploit targets and that opened the door for the WannaCry ransomware attacks; Microsoft had already fixed it in March 2017 in security bulletin MS17-010, two months before WannaCry spread. Another infamous case is the Mirai botnet, which spread mainly by logging in to IoT devices with factory-default credentials, with later variants also exploiting known flaws.
Once a vulnerability is discovered, the vendor typically works fast to release an update, or "patch". Ideally, all users install the update before attackers have a chance to exploit the vulnerability. In reality, attackers often strike quickly to take advantage of a known weakness, and because updates are rolled out slowly, they can continue to exploit a vulnerability years after it was discovered.
Unpatched vulnerabilities can be exploited by cybercriminals to carry out attacks and steal valuable data. As with system misconfigurations, adversaries probe networks looking for unpatched systems they can compromise. To limit this risk, it is important to establish a patch management schedule so that new patches are applied as soon as they are released. EternalBlue is the canonical example of an unpatched vulnerability: it still succeeds against any host on which SMBv1 is enabled and MS17-010 has not been applied.
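The check a practitioner would run on a Windows host before trusting the patch schedule above, written here as an added example (it is not part of the original report or of any Microsoft tooling): confirm that an MS17-010 package is installed, confirm that the SMBv1 server protocol is off, turn it off if it is not, and block inbound SMB on untrusted networks. The list of KB identifiers is a partial, illustrative set of MS17-010 packages and the firewall rule name is an assumption; on builds serviced by cumulative updates a newer KB may have superseded those listed, so an empty result is a signal to investigate, not proof of exposure.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and remediate EternalBlue (CVE-2017-0144 / MS17-010) exposure on one Windows host.

# 1. Is an MS17-010 package installed? (Partial, illustrative KB list: Windows 7/2008 R2,
#    2012, 8.1/2012 R2, the XP/2003/8 out-of-band fix and the Windows 10 1607 cumulative update.
#    Later cumulative updates supersede these, so check the build's update level if nothing matches.)
$ms17010Kbs = @('KB4012212', 'KB4012213', 'KB4012214', 'KB4012215',
                'KB4012216', 'KB4012217', 'KB4012598', 'KB4013429')
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    "MS17-010 package present: $($installed.HotFixID -join ', ')"
} else {
    "WARNING: no listed MS17-010 package found; verify the cumulative update level for this build."
}

# 2. Is the SMBv1 server protocol still enabled? EternalBlue only works against SMBv1.
$smbCfg = Get-SmbServerConfiguration
"SMBv1 server protocol enabled: $($smbCfg.EnableSMB1Protocol)"

# 3. Remediate: switch SMBv1 off on the server side and remove the optional feature
#    (on Windows Server the feature is FS-SMB1, managed with Get-/Uninstall-WindowsFeature).
if ($smbCfg.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}
# Legacy hosts without the Smb* cmdlets (Windows 7 / Server 2008 R2): the registry switch
# documented by Microsoft in KB2696547. Harmless on newer hosts, so set it unconditionally.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force

# 4. Defence in depth: block inbound TCP/445 on the Public profile, where no file sharing is expected.
$ruleName = 'Block SMB inbound (Public)'   # assumed name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Profile Public -Action Block | Out-Null
}

# 5. Verify the server-side setting after remediation.
"SMBv1 server protocol enabled after remediation: $((Get-SmbServerConfiguration).EnableSMB1Protocol)"
```

Disabling SMBv1 breaks only clients and devices that speak nothing newer (some old printers and NAS appliances), so inventory those before running this fleet-wide; a reboot is needed for the optional-feature removal to finish.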
1.1 Statistics on Cyber Vulnerabilities
The following statistics are derived from analysis of the National Vulnerability Database (NVD) and from two industry reports.
i. Almost 22,000 vulnerabilities were published in 2021
The NVD holds 21,957 vulnerabilities published in 2021. This is higher than in previous years (18,362 in 2020, 17,382 in 2019, and 17,252 in 2018).
ii. Half of internal-facing web application vulnerabilities are considered high risk
Edgescan's 2021 Vulnerability Statistics Report analyzed the severity of web application vulnerabilities. It found that 50 percent of vulnerabilities in internal applications are rated high or critical risk, against 32 percent of vulnerabilities in internet-facing applications.
iii. Organizations with more than 100 staff see more high- or critical-risk vulnerabilities
Edgescan's report also broke down the severity of vulnerabilities by company size. Companies with 100 employees or fewer saw the lowest share of medium-, high-, or critical-risk vulnerabilities (five percent in total). Companies with 10,000 or more employees saw the largest share of medium- and critical-risk vulnerabilities, while medium-sized organizations with 101 to 1,000 employees saw the largest share of high-risk vulnerabilities.
iv. 31% of companies detected attempts to exploit software vulnerabilities
A 2020 report from Positive Technologies found that almost one-third of detected threats involved attempts to exploit software vulnerabilities. According to the report, "More than half of attempts involved vulnerability CVE-2017-0144 in the implementation of the SMBv1 protocol. This is the same vulnerability leveraged by the infamous WannaCry ransomware, and for which a patch was released back in 2017. But attackers have kept it in their arsenals as they search for computers that have not been updated in the last 3.5 years."
1.2 Project Impact
The project seeks to research, define and recommend measures for protecting computers and systems against cyber vulnerabilities, with a focus on EternalBlue. The project is expected to have the following positive impact, both locally and globally.
i. Protection against theft of corporate information.
ii. Protection of financial information, such as bank details or payment card details, which could otherwise be stolen from organizations that know nothing about preventing EternalBlue.
iii. Prevention of theft of money.
iv. Prevention of disruption to trading, including the inability to carry out transactions online.
v. Prevention of loss of business or contracts.
The project may also have some negative impact on society. While the measures are meant to prevent EternalBlue, they may be misused. For instance, antivirus licences purchased by an organization for its own computers may be used on personal computers, and staff may abuse the rights and privileges granted to them by system administrators on the advice of line management.
2. Problem Statement
The project seeks to increase awareness among users of the EternalBlue exploit and to recommend measures by which they can protect their data and information from a breach through EternalBlue. It will give a detailed description of how the vulnerability can be exploited, together with remedies for countering it and protecting devices and systems.
3. Background
Many researchers have examined each contributor's role in the construction and spread of the malware behind such a destructive cyber-attack. A wide net of blame can be cast over Microsoft's insecure protocol, nation-state use of the leaked exploit, and the IT professionals within organizations who failed to apply the available patch to all of their systems; when analyzing the role of the NSA, however, journalists focus mainly on what factors contributed to the leak and what measures could be taken to prevent future leaks. They conclude that the NSA's failure to retain its secrets, including its hacking tools, is the root concern for which the agency must be held accountable.
Greenberg details the hypocrisy in how the United States redirects blame to previous administrations and foreign nation-state actors, as with attributing the WannaCry ransomware attack to North Korea, without looking introspectively. He calls attention to the workplace procedures that allowed two NSA staffers to carry home large collections of highly classified hacking tools. Antivirus software developed by Kaspersky, a Russian security firm, was reportedly running on one of the staffers' personal computers, meaning the NSA's tools were uploaded to the company's servers and remained there for an unknown period. He also notes the vague wording and lack of transparency in the implementation of the White House's Vulnerabilities and Equities Process, the policy meant to decide which vulnerabilities are reported to the affected vendors and which are kept secret to gather foreign intelligence (Greenberg, 2017).
Shane, Perlroth, and Sanger's reporting portrays the NSA as a victim, an organization robbed of its morale, with the Shadow Brokers as the perpetrators. This framing is apparent in their description of the case as "one of the worst security debacles ever to befall American intelligence", far exceeding the damage caused by Edward Snowden. They look at how members of the NSA's internal hacking group, Tailored Access Operations (TAO), were affected by the revelations, with some leaving the agency and others cancelling trips abroad out of fear, and describe a hostile workplace plagued by polygraphs and suspensions and struggling to retain talent. They also cover the other victims of the Shadow Brokers' actions, whose leak led to the disruption of business internationally: the millions of computers locked by ransomware, the companies that suffered complete data loss, and the hospitals in Indonesia, Britain, and even Pennsylvania that were forced to turn patients away (Shane et al., 2017).
4. Requirements and Specifications
Functional requirements describe a particular behavior or function of the system when certain conditions are met. The solution's functional requirements are:
i. Adherence to administrative rules – users will need an administrator password to install any program on the system.
ii. Authentication – access to any system will require two-factor authentication (2FA).
iii. Authorization level – an authorization hierarchy will be established to govern the rights and privileges of system users.
iv. Legal and regulatory requirements – all programs used must be genuine; no cracked programs may be installed on the system.
v. Audit tracking – the system will keep an audit trail for all users.
A non-functional requirement specifies how the system should behave and is a constraint on the system's behavior. The system's non-functional requirements are:
i. Reliability – at least 97% uptime.
ii. Security – a high ability to prevent security breaches.
iii. Confidentiality – data access will be on a need-to-know basis.
iv. Usability – ease of use by staff.
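Two of the functional requirements above, administrator credentials for any installation (i) and an audit trail for all users (v), map to concrete host settings. The following is an added example of enforcing them on a Windows host, the platform EternalBlue affects; it is not part of the original report. The registry paths and auditpol subcategories are Microsoft's documented UAC, Windows Installer and audit policy settings; the 256 MB Security log size is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example: enforce "administrator password to install" and "audit trail for all users".

# (i) Administrator credentials for installation.
# EnableLUA=1 turns User Account Control on; ConsentPromptBehaviorUser=1 makes a standard user
# enter administrator credentials on the secure desktop before an elevation (such as an installer) proceeds.
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $uac -Name EnableLUA -Type DWord -Value 1
Set-ItemProperty -Path $uac -Name ConsentPromptBehaviorUser -Type DWord -Value 1
# Windows Installer must not run every MSI as SYSTEM, or the credential prompt is bypassed entirely.
$installer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
if (-not (Test-Path $installer)) { New-Item -Path $installer -Force | Out-Null }
Set-ItemProperty -Path $installer -Name AlwaysInstallElevated -Type DWord -Value 0

# (v) Audit trail: logons, account changes, privilege use and process creation for every user.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable
# Record the full command line in process-creation events (event ID 4688).
$audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $audit)) { New-Item -Path $audit -Force | Out-Null }
Set-ItemProperty -Path $audit -Name ProcessCreationIncludeCmdLine_Enabled -Type DWord -Value 1
# Size the Security log so the trail is not overwritten within hours (256 MB, an assumed value).
wevtutil sl Security /ms:268435456

# Verify the resulting state.
Get-ItemProperty -Path $uac -Name EnableLUA, ConsentPromptBehaviorUser
auditpol /get /category:*
```

UAC changes take effect at the next logon, and the audit settings only produce a trail if the Security log is forwarded or collected centrally, since a local attacker with administrator rights can clear it.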
Technical specification document provides developers with clearly defined goals and direction, and ultimately allows for better management of stakeholder expectations. They will be categorized into hardware and operating system.
i. Hardware
a. 4 Cores, 2.8-3.0 GHz each (2.8 GHz minimum speed)
b. 4 GB RAM per core
c. Standard hard drive, 100 GB free
d. Network connectivity
ii. Operating System
a. Oracle Enterprise Linux 4 Update 7 or greater, 64-bit
b. Oracle Enterprise Linux 5 Update 3 or greater, 64-bit
c. Oracle Enterprise Linux 6 64-bit
d. Oracle Solaris 10 (x86)
e. Red Hat Enterprise Linux 4.0 Update 7 or greater, 64-bit
f. Red Hat Enterprise Linux 5.0 Update 3 or greater, 64-bit
5. System Design
The purpose of System Design is to create a technical solution that satisfies the functional requirements for the system. At this point in the project lifecycle there should be a Functional Specification, written primarily in business terminology, containing a complete description of the operational needs of the various organizational entities that will use the new system. The challenge is to translate all of this information into Technical Specifications that accurately describe the design of the system, and that can be used as input to System Construction.
5.1. Solution Concept
The following chart illustrates all of the processes and deliverables of this phase in the context of the system development lifecycle. The Functional Specification produced during System Requirements Analysis is transformed into a physical architecture. System components are distributed across the physical architecture, usable interfaces are designed and prototyped, and Technical Specifications are created for the Application Developers, enabling them to build and test the system.
5.2. Architecture
The architecture of a system describes its major components, their relationships (structures), and how they interact with each other. Architecture serves as a blueprint for a system. It provides an abstraction to manage the system complexity and establish a communication and coordination mechanism among components. It defines a structured solution to meet all the technical and operational requirements, while optimizing the common quality attributes like performance and security.
5.3. Component Design
| Component | Off the shelf/Custom | Justification/Alternative |
| Processor, 2.8-3.0 GHz | Off the shelf | Ryzen 5, 7 |
| RAM, 4 GB per core | Off the shelf | n/a |
| Standard hard drive | Off the shelf | 256 GB solid state drive |
| Oracle Enterprise Linux 4 | Custom | To be able to work autonomously with the specified hardware requirements |
| Oracle Enterprise Linux 7 | Off the shelf | |
| Oracle Solaris 10 (x86) | Custom | To be able to work autonomously with the specified hardware requirements |
5.4. System Integration
System integration (SI) connects multiple subsystems so that they can function together and share information. From internal operations to communication with third parties, data transparency is essential for efficient execution. In other words, a business with several software systems can use an integrator to create a centralized sharing network that gives users access to all of its information.
Implementing an integration solution removes the need to enter data manually into several applications, saving time and labor costs and reducing the risk of human error. This open network of data sharing improves communication between a company's departments and so improves operational efficiency.
The system will use standard interfaces between components. Top-down integration will be used in the roll-out: implemented elements, or aggregates of them, are integrated in the order in which they are activated or used.
i. Advantages – sequence diagrams are available and architectural faults are detected early; test cases can be defined close to real operation; test data sets can be re-used.
ii. Disadvantages – many stubs must be created, and test cases for the leaf-implemented elements (the lowest level) are difficult to define.
iii. Procedure – start from the implemented element at the highest level and add the implemented elements of lower levels until the leaf-implemented elements are reached.
6. Progress
| Task | Owner | Description | Timespan | Status |
| Initial meetings - prepare for system design | Project Manager | Establish the team and environment for system design, through interviews and a site walk-through. | 4 April 2022 to 8 April 2022 (the whole of the first week) | Complete |
| Project plan - define technical architecture | Technical Lead/Architect | Technical set-up through document gathering and reviews; role/authorization analysis. | 6 April 2022 to 11 April 2022 | Complete |
| Product and technical specifications | Technical Lead/Business Representatives/Business Analyst | Function decomposition; expressing logic (pseudo code, structured English, object-oriented logic); operational requirements assessment; system load analysis; business impact analysis; potential problem analysis; training needs decomposition. | 11 April 2022 to 15 April 2022 | Ongoing; the team did not work on 15 April in observance of the Easter holiday. |
| Implementation - prototype system components | Data/Process Modeler | Iterative prototypes and reviews; presentations; GUI/report development tools used to design the prototype and produce proof-of-concept results. | 18 April 2022 to 21 April 2022 | Pending |
| Implementation - create physical database | Developers | Develop databases and system files. | 23 April 2022 to 4 May 2022 | Awaiting the prototype |
References
Blanchard, B., & Fabrycky, W. (2010). Systems engineering and analysis (5th ed.). Prentice Hall.
Ding, A., De Jesus, G., & Janssen, M. (2019). Ethical hacking for boosting IoT vulnerability management: A first look into bug bounty programs and responsible disclosure. Proceedings of the Eighth International Conference on Telecommunications and Remote Sensing (ICTRS '19).
Warren, T. (2017, April 15). Microsoft has already patched the NSA's leaked Windows hacks. The Verge.
Greenberg, A. (2017, December 19). Hold North Korea accountable for WannaCry, and the NSA, too. Wired. Retrieved March 1, 2020, from https://www.wired.com/story/koreaaccountable-wannacry-nsa-eternal-blue/
Greenberg, A. (2018, August 22). The untold story of NotPetya, the most devastating cyberattack in history. Wired. Retrieved March 1, 2020, from https://www.wired.com/story/notpetyacyberattack-ukraine-russia-code-crashed-the-world/
Shane, S., Perlroth, N., & Sanger, D. E. (2017, November 12). Security breach and spilled secrets have shaken the N.S.A. to its core. The New York Times. Retrieved March 1, 2020, from https://www.nytimes.com/2017/11/12/us/nsa-shadow-brokers.html
Prepared by Dr. Muhammad Akhlaq (AKHLAQ@uohb.edu.sa)