ONEMi is a one-of-its-kind digitally enabled platform operated by ONEMi Technology Solutions Private Limited with a vision to provide speedy and hassle-free credit financing to its customers across India. ONEMi Technology Solutions Pvt. Ltd came into existence in 2015, intending to open up new vistas in consumer credit financing for online as well as offline purchases, using the latest technology as an aid. Our constant efforts to financially empower our customers led us to be present across various segments of business such as Online Purchase Loan, Personal Loan, and our newest offering, "Revolving Line of Credit." ONEMi Technologies (ONEMi) is engaged in merchant acquisition and tie-ups, development of credit gateway technology, and assessing the creditworthiness of customers. ONEMi Technology uses its proprietary software, algorithm, and credit marketplace platform for provisioning instant consumer loans through its financing partners. However, the entire credit assessment, KYC processing, credit approval and financing of consumer loans for the purchase of goods and services from online and offline channels is taken care of by RBI-registered NBFCs tied up with ONEMi. The collection of repayments and EMIs is undertaken by ONEMi and NBFC partners through registered intermediaries.
Wissen Baum Software Solutions is a leading company in the cyber security area, with ISO 27001:2013 compliance and a presence in Asia, the Middle East, South Africa, Europe and North America. We work in the areas of asset lifecycle management, network security, threat intelligence, incident detection and response, and SOC response to provide our clients best-in-class cyber security.
It is agreed that Wissen Baum will assist ONEMi in the area of cyber security to enhance its ISO 27001 framework. A one-day onsite/offshore semi-audit was conducted, and a CAS assessment was performed through NASMS (Network Asset Security Management System), a leading cyber security software, together with SMEs (Subject Matter Experts) from the cyber security domain.
| Item | Detail |
|---|---|
| 1. Date of CAS | 24th November 2022 |
| 2. Location of CAS | 10th Floor, Tower 4, Equinox Park, LBS Marg, Kurla West, Mumbai, Maharashtra 400070 |
| 3. Presented By | Wissen Baum Software Solutions |
| 4. Members of Team WBSS | Nitin Kumar, Karthik P, Manikandan S |
| 5. Presented To | ONEMi Technologies Pvt Ltd. (Kissht) |
6. CAS Details
The NIST Cybersecurity IT Asset Management guidance states that an effective IT asset management (ITAM) solution can tie together physical and virtual assets and provide management with a complete picture of what, where and how assets are being used. ITAM enhances visibility for security analysts, which leads to better asset utilization and security.
In our study the emphasis is given to the following four asset categories, namely Hardware, Software, Communication and Cloud; the details are given in Table 3.1 below.
| Hardware | Software | Communication | Cloud |
|---|---|---|---|
| Desktop, Laptop, Printer, Access Control, Surveillance Camera, Digital Video Recorder | Dropbox, Google Chrome, Python 3.8.2, Microsoft Office Pro Plus 2010, Microsoft Edge, Windows SDK, Yam 1.19.1, emSigner 2.0.0, Teams Machine-Wide Installer 1.5.0, Adobe Reader XI 11.0.23, McAfee 4.1.1.787, AnyDesk 7.0.14, EaseUS Data Recovery, Geany 1.38, WinRAR Archiver, ePass2003, ScanSoft PDF Pro, ApplogLib Setup, Nuance PaperPort 14, Http ToUSB Bridge, CryptoID V2.3.18.404 | Firewall, Switch, Switch POS, Wi-Fi Access Point, Tap Scheduler, IP Phone, EPABX, Meet Up, Rally Bar, Smart TV | Amazon Web Services, Google Suite, Dropbox |
Table 3.1 Asset Classification
Network architecture is the design of an organization's IT infrastructure. It is a framework for the specification of a network's physical components and their functional organization and configuration, its operational principles and procedures, and the communication protocols used.
Figure 3.2 below shows the asset network structure at ONEMi Technology. Network communication begins at the ISPs (Internet Service Providers), which deliver the Internet to the firewalls (SonicWall HA 3700) for the primary and secondary connections. The Cisco core management switch distributes internet services to the different kinds of network switches, such as Power over Ethernet (POE), EPABX, access point POE and DVR. These network products distribute data services, with the current VLAN segmentation, to all endpoints such as desktop computers, laptop computers, printers and other resources. The Ring office data centre communicates with call centres at different geolocations in Mumbai.
Figure 3.2 Asset Network Diagram
ONEMi's enterprise IT landscape is well maintained with essential physical security such as enclosed server rooms, connectivity and power, room temperature control and ventilation, rack security, and fire and seismic protection in place.
Table 3.3 below shows the server types, server details and locations at ONEMi Technology. The web server, application server, data server and Windows patch servers are hosted in the AWS cloud. The mail server is G Suite Workplace, hosted in Google Cloud. The organization accesses most of its applications and databases from the AWS cloud.
| Sr.No | Server Types | Details | Location |
|---|---|---|---|
| 1 | Web Server | S3 Bucket published | AWS |
| 2 | Application Server | Virtual private cloud | AWS |
| 3 | Database Server | AWS RDS MYSQL | AWS |
| 4 | Patch update | AWS GuardDuty | AWS |
| 5 | Email Server | Gsuite | |
| 6 | File Server | Dropbox and Gsuite | |
| 7 | Proxy Server | Gsuite | |
| 8 | Internet Relay Chat Server | Microsoft Teams | Microsoft |
| 9 | Fax Server | NA | NA |
| 10 | Groupware Server | NA | NA |
| 11 | News Server | NA | NA |
| 12 | List Server | NA | NA |
| 13 | Telnet Server | NA | NA |
| 14 | Windows | NA | NA |
| 15 | Streaming Server | NA | NA |
| 16 | FTP Server | NA | NA |
Table 3.3 Server Overview Information
All endpoint resources such as desktops, laptops, etc. are managed through individual WORKGROUPs and are not in Active Directory.
Telnet and FTP servers are not in place, but traffic on their ports is present in the network.
NIST SP 800-63B defines identification and authentication controls to ensure that all users and devices accessing information systems are uniquely identifiable and that their authenticity is verified before the system grants access. Identification and authentication are crucial for ensuring accountability for individual activity in organizational information systems.
It is strongly recommended to deploy an Active Directory server on-premises or in the cloud to centrally manage all resources and enhance cyber security.
Network traffic analysis is an essential way to monitor network availability and activity to identify anomalies, maximize performance and keep an eye out for attacks. Network traffic is a core piece of the comprehensive visibility and security analysis needed to discover threats early and extinguish them fast.
Our NTA (Network Traffic Analysis) case study considers the current blind spots on the network and the critical areas where they converge, so that monitoring can be made efficient.
Network traffic analysis (NTA) is a method of monitoring network availability and identifying anomalies. Common use cases for NTA include:
- Collecting a real-time and historical record of what's happening on your network
- Detecting malware activities such as ransomware
- Detecting the use of vulnerable protocols and ciphers
- Troubleshooting a slow network
- Improving internal visibility and eliminating blind spots
Table 4.1 below gives an overview of the Internet Service Provider (ISP) information at ONEMi (Ring shop floors). There are two Internet Service Providers, which provide internet services via MUX and a Ring network topology. To provide a highly available internet connection, both ISPs support load balancing and WAN failover.
| Sr No | ISP Vendor Name | IP Ranges | Subnet Mask | Connection Type | Primary DNS |
|---|---|---|---|---|---|
| 1 | Tata Telecom Service | 123.252.170.186/30 | 255.255.255.252 | Primary | 8.8.8.8 |
| 2 | Vodafone Idea Service | 123.63.171.122/29 | 255.255.255.248 | Secondary | 8.8.8.8 |
Table 4.1 Internet Network Services
NIST SP 800-53 defines failover as the capability to switch over automatically (typically without human intervention or warning) to a redundant or standby information system upon the failure or abnormal termination of the previously active system.
The additional ISP is good for the organization's information security continuity, redundancy and availability requirements. Refer to NIST SP 800-53R4: CP-10 for more details.
Figure 4.2 demonstrates how a legitimate administrator can control the entire network, firewall rules and cloud servers. Business transactions are accessible through the core switches and POEs at all network endpoints. The ONEMi Ring floor has been divided into two sub-networks, Floor phase I and Floor phase II. These two networks are connected by a fibre-optic uplink for failover backup purposes. Internal resources (desktops, laptops, etc.) communicate with the AWS cloud through a secured VPN, and the AWS security policy allows only static IPs to access the various business services such as AWS EC2, AWS S3, AWS VPC, AWS SQS, AWS SNS, AWS RDS MySQL, AWS RDS PostgreSQL, CloudWatch, etc.
Figure 4.2 Network Architecture
The current VLAN setup establishes segmented traffic through network switch interfaces X0, X1 and X2 between the two firewalls. VLAN segmentation between critical assets and functional groups is not in place.
The additional fibre-optic bridge is good for the organization's information security continuity, redundancy and availability requirements. Refer to NIST SP 800-53R4: CP-10 for more details.
The predefined IP range 192.168.48.1/21 distributes dynamic IPs with limited-lease connections to all resources.
It is strongly recommended to configure VLAN segmentation based on departments and functional groups. The isolation techniques must be selected from a risk management perspective that balances the threat, the information being protected, and the cost of the protection options. Architectural and design decisions should be guided and informed by the security requirements and the selected solutions. The NIST SP 800-160-1 guidelines should be referred to.
The internal and external network connections at ONEMi are depicted in Figure 4.3 below. There are two Internet Service Providers (ISPs) in the system, and their IP ranges are shown below. The core network switch carries the internet connections from the two ISPs. The entire endpoint network is connected to the default VLAN, which provides services to the network management switches and POE (Power over Ethernet). The default VLAN's IP range is 192.168.48.1 - 192.168.55.254.
Figure 4.3 Network IP Flow
Figure 4.4 depicts the distribution of the configured VLANs on the ONEMi network. The high-availability SonicWall firewall centrally manages the VLAN distribution through the Cisco core switch.
Figure 4.4 Network VLAN Distribution
VLANs have been configured on three interfaces, X0, X1 and X2, of the Cisco core switch, which centrally distributes network traffic to all network products and endpoints, as given in Figure 4.3 Network IP Flow.
It is strongly recommended to configure departments and functional groups with additional VLAN segmentation (currently 3 VLANs are in place). The isolation techniques must be selected from a risk management perspective that balances the threat, the information being protected, and the cost of the protection options. Architectural and design decisions should be guided and informed by the security requirements and the selected solutions. The NIST SP 800-160-1 guidelines should be referred to.
Figure 4.5 below shows the top utilization of IP ranges from the source and destination data that make up the traffic transactions at ONEMi. The top 5 source IP ranges are 104.152.52.X (Rethem Hosting LLC), 192.168.55.X, 192.168.52.X and 192.168.50.X (internal IPs), and 142.250.183.X (Google LLC); the top 5 destination IP ranges are 74.125.250.X (Google LLC), 192.168.51.X (internal IP), 52.66.194.X (amazon.com), 192.168.137.X (internal IP) and 31.13.79.X (Facebook).
Figure 4.5 Utilization of IP Ranges
Domain Name System (DNS) filtering services to help block access to known malicious domains are in place.
Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviour as per NIST SP 800-171B.
Figure 4.6 below shows internal vs external traffic utilization by connections, bytes and duration in graphical form. The figure shows that internal traffic accounts for 4.16% of connections, 4.16% of bytes and 0.83% of duration, while external traffic accounts for 95.84% of connections, 95.84% of bytes and 99.17% of duration.
Figure 4.6 Internal vs External Traffic Utilization
The traffic utilization shows that external traffic transactions consume the bulk of bytes, connections and duration.
Figure 4.7 below illustrates the utilization by internal and external participants. The highest-consuming traffic is to Amazon AWS, Google, CloudFront and Akamai Technologies.
Figure 4.7 Internal vs External Traffic Classification
Domain Name System (DNS) filtering services to help block access to known malicious domains are in place.
The distribution of internal vs external traffic revealed that social media and e-commerce sites such as Facebook, Twitter, Telegram, Netflix and Alibaba.com are being used.
Recommendation: Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviour as per NIST SP 800-171B.
Figures 4.8.1 and 4.8.2 below depict the top byte utilization by source and destination IPs. Figure 4.8.1 shows that the top source IP 14.96.1.97 (Tata Telecom) utilized 167682 bytes and 49.44.173.162 (Reliance Jio) utilized 57629 bytes. Figure 4.8.2 shows that the top destination IP 123.63.171.122 (Vodafone Idea) utilized 521677 bytes and 123.252.170.186 (Tata Telecom) utilized 344071 bytes.
Figure 4.8.1 Top Source IP - Bytes
Figure 4.8.2 Top Destination IP - Bytes
Domain Name System (DNS) filtering services to help block access to known malicious domains are in place.
Byte utilization shows that the highest business-relevant traffic is to Vodafone Idea, Tata Telecom, Dropbox and Akamai Technologies. Non-business-relevant traffic is to sites such as Facebook and Alibaba.com.
The NIST SP 800-137 framework defines information security continuous monitoring (ISCM) as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
It is strongly recommended to continuously monitor network traffic activity so that attacks can be detected and responded to.
Figures 4.9.1 and 4.9.2 below depict the top connection utilization by source and destination IPs. Figure 4.9.1 shows that the top source IPs are 14.96.1.97 (Tata Telecom) with 120 connections, 108.158.61.95 (CloudFront) with 98 connections and 23.211.217.233 (Akamai Technologies Inc) with 69 connections. Figure 4.9.2 shows that the top destination IPs are 123.252.170.186 (Tata Telecom) with 1724 connections, 123.63.171.122 (Vodafone Idea) with 1536 connections and 192.168.48.1 (Kissht internal) with 84 connections.
Figure 4.9.1 Top Source IP - Connections
Figure 4.9.2 Top Destination IP - Connections
Connection traffic shows that the business-relevant traffic is to Vodafone Idea, Tata Telecom, CloudFront and Akamai Technologies, while non-business-relevant traffic is to sites such as Facebook and Telegram.
The NIST SP 800-137 framework states that security-related information obtained from monitoring is analyzed and met with appropriate responses. Responses to findings at all tiers may include risk mitigation, risk acceptance, risk avoidance/rejection, or risk sharing/transfer, in accordance with organizational risk tolerance.
It is strongly recommended to continuously monitor network traffic activity so that attacks can be detected and responded to.
Figures 4.10.1 and 4.10.2 below depict the top duration utilization by source and destination IPs. Figure 4.10.1 shows that the source IPs 14.96.1.97 (Tata Telecom) utilized a duration of 120, 108.158.61.95 (CloudFront) 98 and 23.211.217.233 (Akamai Technologies Inc) 69. Figure 4.10.2 shows that the top destination IPs 123.252.170.186 (Tata Telecom) utilized a duration of 1724, 123.63.171.122 (Vodafone Idea) 1536 and 192.168.48.1 (Kissht internal) 84.
Figure 4.10.1 Top Source IP - Durations
Figure 4.10.2 Top Destination IP - Durations
Duration traffic shows that the business-relevant traffic is to Vodafone Idea, Tata Telecom, CloudFront and Akamai Technologies, while non-business-relevant traffic is to sites such as Facebook and Telegram.
The NIST SP 800-137 framework states that security-related information obtained from monitoring is analyzed and met with appropriate responses. Responses to findings at all tiers may include risk mitigation, risk acceptance, risk avoidance/rejection, or risk sharing/transfer, in accordance with organizational risk tolerance.
It is strongly recommended to continuously monitor network traffic activity so that attacks can be detected and responded to.
Figure 4.11 below presents the analysis of traffic transactions on vulnerable ports. Network VLAN interfaces X0, X1 and X2 carry all IP and port traffic through the firewall. Based on the vulnerable-port analysis, some intrusion-related port traffic was detected; those ports are circled in the figure below:
- 22 (ssh) 54.87.144.97 (Amazon.com)
- 23 (telnet) 193.142.146.214 (Colocation Datacenter)
- 25 (smtp) 104.152.52.73 (Rethem Hosting LLC)
- 21 (ftp) 104.152.52.56 (Rethem Hosting LLC)
- 445 (smb) 5.62.53.136 (avast.com)
- 53 (DNS) 104.152.52.57 (Rethem Hosting LLC)
Figure 4.11 Vulnerable Port Traffic Analysis
The customer shall ensure that traffic crossing the network boundary complies with the NIST SP 800-171R2 standard for the protocol in question and uses the appropriate well-known port. If the port or protocol is not known, the traffic should be blocked.
It is strongly recommended to restrict, disable or prevent the use of non-essential ports.
Figure 4.12 below depicts the internal and external traffic connections through vulnerable ports. Network traffic IP connections are colour-coded: internal traffic is marked in green and external traffic in red, as shown in the figure below.
| Port | Internal | External |
|---|---|---|
| 21 (ftp) | Rethem Host | Tata Tele |
| 25 (smtp) | Tata Tele | Rethem Host |
| 22 (ssh) | Tata Tele, Amazon_EC2 | Rethem Host |
| 23 (telnet) | Tata Tele, Kissht_Int | Rethem Host, Colocation_DC |
| 445 (smb) | Rethem Host, Kissht_Int | Avast.com, Tata_Tele |
| 3389 (rdp) | Avast | Rethem Host, Vodafone |
| 53 (dns) | Private Host, Rethem Host, Kissht_Int | Avast.com, Tata Tele, Level3_DNS, Vodafone |
Figure 4.12 Port vs IP Connections
The figures above show that business-relevant transactions have been established over the known vulnerable ports 445 (smb), 25 (smtp), 3389 (RDP), 21 (ftp), 22 (ssh), 53 (dns) and 23 (telnet).
The customer shall ensure that traffic crossing the network boundary complies with the NIST SP 800-171R2 standard for the protocol in question and uses the appropriate well-known port. If the port or protocol is not known, the traffic should be blocked.
It is strongly recommended to use secure protocols that can provide encryption of both passwords and data (e.g., SSH, HTTPS); do not use less secure protocols (e.g., telnet, FTP, HTTP) unless absolutely required, and then only tunnelled over an encrypted protocol such as SSH, SSL or IPsec, as per NIST SP 800-123 (General Server Security).
The cross-analysis of source and destination ports by connections vs. bytes utilization is displayed in Figure 4.13 below.
Figure 4.13 shows that the most heavily used source port is 443 (tcp-https), with 1701 connections and 648725 bytes, and the most heavily used destination port is 443 (tcp-https), with 108 connections and 16876 bytes.
Figure 4.13 Traffic Through Ports
The figure above shows that the top port, 443 (https), carries business-relevant transactions.
The customer shall ensure that traffic crossing the network boundary complies with the NIST SP 800-171R2 standard for the protocol in question and uses the appropriate well-known port. If the port or protocol is not known, the traffic should be blocked.
The cross-analysis of source and destination IPs by connections vs. bytes utilization is displayed in Figure 4.14 below.
Figure 4.14 shows that the most heavily used source IP is 14.96.97.120 (Tata Telecom), with 167682 bytes and 120 connections, and the most heavily used destination IP is 123.63.171.122 (Vodafone Idea ISP), with 521677 bytes and 1536 connections.
Figure 4.14 Top Source IP - Connection vs Bytes
The source and destination IPs consume connections and bytes mainly through the two Internet Service Providers (Tata Telecom and Vodafone Idea).
Figure 4.15.1 below provides the analysis of the top events for overall utilization by source IP vs destination IP and source port vs destination port. Figure 4.15.2 represents the non-business-hours traffic.
Figure 4.15.1 Top Events traffic analysis - Timeline
Figure 4.15.2 Non-Business
The SonicWall firewall is effectively addressing non-business-hours transactions such as malicious traffic and incorrect addresses in packet headers (spoofing attacks), and is authenticating external traffic before allowing it to pass, as per NIST SP 800-41 Rev 1 (packet filtering).
The high-utilization source IPs are 1.1.1.1 (Cloudflare DNS), 5.189.183.129 (ISP services) and 157.240.237.60 (WhatsApp), and the top destination IP transaction is 123.252.170.186 (Tata Telecom Services). Non-business-relevant traffic, such as WhatsApp, occurred at the 18th hour.
As per the NIST SP 800-137 framework, security-related information obtained from monitoring is analyzed and met with appropriate responses. Responses to findings at all tiers may include risk mitigation, risk acceptance, risk avoidance/rejection, or risk sharing/transfer, in accordance with organizational risk tolerance.
It is strongly recommended to continuously monitor network traffic activity so that attacks can be detected and responded to.
Figure 4.16.1 shows the per-day network traffic signature analysis, including utilization of bytes, connections and duration during business and non-business hours in a day.
The table 4.16.2 below summarises non-business hours traffic from various participants, including source IP, destination IP, source port, destination port, and consumed Bytes.
Figure 4.16.1 Average Day traffic
| Non-Business Hour | Rank | SIP vs DIP | SPT vs DPT | Bytes |
|---|---|---|---|---|
| 1 | 1 | 104.21.235.50 - 123.252.170.186 | 443 - 58378, 65299 | 1460 |
| 1 | 2 | 149.170.244.12 - 123.63.171.12 | 443 - 15089 | 1460 |
| 1 | 3 | 88.208.39.159 - 123.63.171.122 | 443 - 30287 | 76 |
| 3 | 1 | 185.2.81.66 - 123.63.171.122 | 443 - 55498 | 1460 |
| 3 | 2 | 93.190.141.213 - 123.63.171.122 | 443 - 19548 | 1460 |
| 3 | 3 | 192.168.55.86 - 172.31.25.85 | 57564 - 27017 | 60 |
| 19 | 1 | 184.26.162.177 - 123.63.171.122 | 443 - 23645 | 1500 |
| 19 | 2 | 123.63.171.122 - 123.63.171.122 | NA | 168 |
| 20 | 1 | 162.125.81.12 - 123.63.171.122 | 443 - 38279 | 1500 |
| 20 | 2 | 104.152.52.14 - 123.252.170.168 | 44664 - 22 | 60 |
Table 4.16.2 Non business hours traffic
Non-business-hours traffic transactions consumed more bytes, connections and duration through the Internet Service Providers (Vodafone Idea, Tata Telecom), AWS services (Cloudflare, data centre) and the share drive (Dropbox).
Business-hours traffic transactions are represented in the graph at 9 - 18 hrs. The highlighted non-business-hours traffic transactions are at hours 1, 3, 19 and 20.
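As an added example (not part of the Wissen Baum report or of ONEMi's tooling), the Python script below reproduces three of the analyses above on a constructed flow export: the internal vs external split of Figure 4.6, the watched-port listing of Figures 4.11/4.12, and the per-hour ranking of Table 4.16.2. It assumes a CSV export with the columns shown, the report's 192.168.48.0/21 LAN range and 9-18 h business hours; the addresses are taken from the report's figures, while the byte and duration values are invented.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# LAN range from the report: 192.168.48.0/21 (192.168.48.1 - 192.168.55.254).
LAN = ipaddress.ip_network("192.168.48.0/21")
# The report's figures treat 9-18 h as business hours; everything else is off-hours.
BUSINESS_HOURS = range(9, 18)
# Service ports singled out in Figures 4.11/4.12 (legacy or sensitive services).
WATCH_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp",
               53: "dns", 445: "smb", 3389: "rdp"}

# Constructed sample export (hour,src,dst,sport,dport,bytes,duration in seconds).
# The addresses are ones named in the report's figures; the volumes are invented.
SAMPLE_FLOWS = """\
hour,src,dst,sport,dport,bytes,duration
10,192.168.52.196,31.13.79.18,51234,443,1460,12
10,192.168.55.86,172.31.25.85,57564,27017,60,1
11,104.152.52.73,123.252.170.186,40211,25,520,3
11,192.168.50.10,74.125.250.20,52000,443,9800,40
14,193.142.146.214,123.63.171.122,33001,23,180,2
1,104.21.235.50,123.252.170.186,443,58378,1460,5
3,192.168.55.86,172.31.25.85,57564,27017,60,1
20,104.152.52.14,123.252.170.168,44664,22,60,1
"""


def parse_flows(text):
    """Turn the CSV export into dicts with typed fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "hour": int(row["hour"]),
            "src": ipaddress.ip_address(row["src"]),
            "dst": ipaddress.ip_address(row["dst"]),
            "sport": int(row["sport"]), "dport": int(row["dport"]),
            "bytes": int(row["bytes"]), "duration": int(row["duration"]),
        })
    return flows


def is_internal(flow):
    """Internal when both ends are private addresses (the LAN /21 or the AWS VPC)."""
    return flow["src"].is_private and flow["dst"].is_private


def internal_external_split(flows):
    """Percentage of connections, bytes and duration per side, as in Figure 4.6."""
    totals = {"internal": defaultdict(int), "external": defaultdict(int)}
    for f in flows:
        side = totals["internal" if is_internal(f) else "external"]
        side["connections"] += 1
        side["bytes"] += f["bytes"]
        side["duration"] += f["duration"]
    split = {}
    for metric in ("connections", "bytes", "duration"):
        total = totals["internal"][metric] + totals["external"][metric]
        split[metric] = {side: round(100.0 * totals[side][metric] / total, 2)
                         if total else 0.0 for side in totals}
    return split


def watch_port_flows(flows):
    """Flows on a watched service port, naming the external peer (Figure 4.12).

    The destination port is checked first so that an ephemeral source port
    that happens to equal 22 or 53 is not mistaken for the service."""
    hits = []
    for f in flows:
        port = f["dport"] if f["dport"] in WATCH_PORTS else f["sport"]
        if port not in WATCH_PORTS:
            continue
        peer = f["dst"] if f["src"].is_private else f["src"]
        hits.append({"service": WATCH_PORTS[port], "port": port,
                     "src": str(f["src"]), "dst": str(f["dst"]),
                     "external_peer": None if peer.is_private else str(peer),
                     "in_lan": f["src"] in LAN or f["dst"] in LAN})
    return hits


def off_hours_top(flows, n=3):
    """Top-n flows by bytes for every hour outside business hours (Table 4.16.2)."""
    by_hour = defaultdict(list)
    for f in flows:
        if f["hour"] not in BUSINESS_HOURS:
            by_hour[f["hour"]].append(f)
    return {hour: [{"src": str(f["src"]), "dst": str(f["dst"]),
                    "ports": f"{f['sport']} - {f['dport']}", "bytes": f["bytes"]}
                   for f in sorted(rows, key=lambda f: f["bytes"], reverse=True)[:n]]
            for hour, rows in sorted(by_hour.items())}
```

Run `parse_flows(SAMPLE_FLOWS)` and pass the result to the three functions; on the sample data the internal side is 25% of connections but under 1% of bytes, the same skew the report's Figure 4.6 shows.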
Table 5.1.1 below shows the secure-rule and malicious-rule analysis of the SonicWall firewall. Rule no. 7 and NAT policies 19 and 21 have been configured to perform security activities such as LAN-to-WAN traffic control, attack monitoring, content filtering, IP spoof detection, possible port-scan detection and website blocking.
Table 5.1.2 (Firewall malicious traffic) below shows that rules allow traffic to social media and e-commerce websites such as Facebook, Twitter, WhatsApp, Telegram and Alibaba.com over ports 443 and 80. This is suspicious and raises the chance of cyber-attacks such as ransomware, DDoS (Distributed Denial of Service), botnet activity, etc.
| Rule | NAT Policy | Source Interface | Destination Interface | Rule Service | Group | Action |
|---|---|---|---|---|---|---|
| 7 | 19 | X0 | X2 | Security | Content Filter | Drop |
| 7 | 21 | X1 | X1 | Security | Content Filter | Drop |
Table 5.1.1 Firewall Secure Rule
| Rules | Rule Description | Source Interface | Destination Interface | Source IP | Destination IP | Status | Risk Impact | Action |
|---|---|---|---|---|---|---|---|---|
| NA | NA | X2 | X2 | 91.108.56.154 | 123.63.171.122 | Allow | High | URGENT |
| NA | NA | X0 | X1 | 192.168.52.196 / 170 / 215 / 191 / 37 | 31.13.79.18 /53 /54 | Allow | High | URGENT |
Table 5.1.2 Firewall malicious traffic
Domain Name System (DNS) filtering services to help block access to known malicious domains are in place.
The NIST SP 800-137 framework states that security-related information obtained from monitoring is analyzed and met with appropriate responses. Responses to findings at all tiers may include risk mitigation, risk acceptance, risk avoidance/rejection, or risk sharing/transfer, in accordance with organizational risk tolerance.
Table 5.2 below summarises the risk impact areas found through the above case studies in network traffic analysis, together with preventive action plans in the observations and recommendations column.
| Sr No | Categories | Threats and Impact | Severity Level | Observation and Recommendation |
|---|---|---|---|---|
| 1 | VLAN Distribution | DDoS / High utilization of traffic / DR | High | 1. It is advised to separate the important asset network endpoints and ports into separate VLANs. 2. Monitor important assets, such as firewalls, backup servers, switches and door access controls, for high availability and disaster recovery (DR) in the event of a failure. 3. Keep track of crucial assets across all network endpoints in order to defend the network from DDoS, malware and unknown traffic threats from both internal and external sources. |
| 2 | Internal vs External Utilization | DDoS | High | 1. Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviour as per NIST SP 800-171B. |
| 3 | Top 10 IP Utilization (Bytes, Connections, Durations) | CIA (Criticality, Integrity, Availability) | High | 1. It is recommended to perform asset identification through VLAN distribution and, based on asset functionality, segregate critical assets to protect them from attacks and ensure high availability. 2. It is recommended to configure the secondary ISP for load balancing; the current high-utilization source IP is the Tata ISP. |
| 4 | Traffic Malicious Ports | ftp (20/21) - Directory traversal attacks; SMTP (25) - Spoofing/spamming; DNS (53) - DDoS (Distributed Denial of Service); SMB (139) - Brute-forcing attack; NTP (123) - MitM (Man in the Middle) attack | High | 1. It is recommended to monitor ports in terms of business significance in order to correct problems with port rules involving whitelisting and blacklisting. 2. The firewall/core switch needs to enforce port-wise rules and VLAN segregation. |
| 5 | Average day traffic | Non-business-hours traffic | High | 1. Monitor traffic usage outside of business hours in order to stop outbound DDoS from unidentified sources. 2. Non-business-hours tasks like patch management, software patch updates for vulnerabilities, critical server backups and images, etc., must be planned and maintained. |
| 6 | Internal vs External traffic distribution | Social media - Cybercriminal attacks | High | 1. The internal vs external traffic distribution found social media traffic (Facebook). 2. It is recommended to create a firewall rule / URL filtering to block social media sites, to protect the IT infrastructure from cybercriminal attacks. |
Table 5.2 Threat Summary
The table below recommends some preventive action plans based on observations made through asset management, network analysis and firewall rules.
As per NIST, a vulnerability is a weakness in an information system, system security procedures, internal controls or implementation that could be exploited or triggered by a threat source.
In our case study, vulnerability analysis was performed for five assets from different departments, namely IT, Development, HR, Accounts and Legal. Table 6.1 below shows the software vulnerability report.
| Sr.No | Product | Product Version | CVE Number | CVSS Version | CVSS BaseScore | Description | Endpoint Host | Team |
|---|---|---|---|---|---|---|---|---|
| 1 | VLC media player | 3.0.8 | CVE-2019-18278 | 3.1 | 7.8 | When executing VideoLAN VLC media player 3.0.8 with libqt on Windows, Data from a Faulting Address controls Code Flow starting at libqt_plugin!vlc_entry_license__3_0_0f+0x00000000003b9aba. NOTE: the VideoLAN security team indicates that they have not been contacted, and have no way of reproducing this issue. | DESKTOP-LOVMVNK | Developer |
| 2 | WinZip | 9 | CVE-2007-0264 | 2 | 6.6 | Buffer overflow in Winzip32.exe in WinZip 9.0 allows local users to cause a denial of service (application crash) and possibly execute arbitrary code via a long command line argument. NOTE: this issue may cross privilege boundaries if an application automatically invokes Winzip32.exe for untrusted input filenames, as in the case of a file upload application. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. | DESKTOP-LOVMVNK | Developer |
| 3 | WinZip | 9 | CVE-2004-1465 | 2 | 3.7 | Multiple buffer overflows in WinZip 9.0 and earlier may allow attackers to execute arbitrary code via multiple vectors, including the command line. | DESKTOP-LOVMVNK | Developer |
| 4 | HP Update | 5.005.002.002 | CVE-2015-5442 | 2 | 4.6 | Unspecified vulnerability in HP Software Update before 5.005.002.002 allows local users to gain privileges via unknown vectors. | DESKTOP-3F5BFM2 | Account |
| 5 | Adobe InDesign 2023 | 18 | CVE-2023-21592 | 3.1 | 5.5 | Adobe InDesign version 18.0 (and earlier), 17.4 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | DESKTOP-LOVMVNK | Developer |
| 6 | Adobe InDesign 2023 | 18 | CVE-2023-21591 | 3.1 | 5.5 | Adobe InDesign version 18.0 (and earlier), 17.4 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | DESKTOP-LOVMVNK | Developer |
| 7 | Adobe InDesign 2023 | 18 | CVE-2023-21590 | 3.1 | 7.8 | Adobe InDesign version 18.0 (and earlier), 17.4 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | DESKTOP-LOVMVNK | Developer |
| 8 | Adobe InDesign 2023 | 18 | CVE-2023-21589 | 3.1 | 7.8 | Adobe InDesign version 18.0 (and earlier), 17.4 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | DESKTOP-LOVMVNK | Developer |
| 9 | Adobe InDesign 2023 | 18 | CVE-2023-21588 | 3.1 | 7.8 | Adobe InDesign version 18.0 (and earlier), 17.4 (and earlier) are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | DESKTOP-LOVMVNK | Developer |
| 10 | Adobe InDesign 2023 | 18 | CVE-2023-21587 | 3.1 | 7.8 | Adobe InDesign version 18.0 (and earlier), 17.4 (and earlier) are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | DESKTOP-LOVMVNK | Developer |
| 11 | McAfee LiveSafe | 16 | CVE-2017-3898 | 3 | 5.9 | A man-in-the-middle attack vulnerability in the non-certificate-based authentication mechanism in McAfee LiveSafe (MLS) versions prior to 16.0.3 allows network attackers to modify the Windows registry value associated with the McAfee update via the HTTP backend-response. | LAPTOP-SOKU6N51 | legal |
| 12 | McAfee LiveSafe | 16 | CVE-2017-3897 | 3 | 9.8 | A Code Injection vulnerability in the non-certificate-based authentication mechanism in McAfee Live Safe versions prior to 16.0.3 and McAfee Security Scan Plus (MSS+) versions prior to 3.11.599.3 allows network attackers to perform a malicious file execution via a HTTP backend-response. | LAPTOP-SOKU6N51 | legal |
| 13 | Total Protection | 16 | CVE-2022-43751 | 3.1 | 7.8 | McAfee Total Protection prior to version 16.0.49 contains an uncontrolled search path element vulnerability due to the use of a variable pointing to a subdirectory that may be controllable by an unprivileged user. This may have allowed the unprivileged user to execute arbitrary code with system privileges. | LAPTOP-SOKU6N51 | legal |
Table 6.1 Software Vulnerability Report
As per the software vulnerability analysis, we observed that overall the software on ONEMi assets is at updated versions and patched.
As per NIST SP 800-137, each system, including all servers and endpoints that are part of the system, should be protected based on the potential impact to the system of a loss of confidentiality, integrity, or availability. Protection measures (otherwise known as security controls) tend to fall into two categories. Security weaknesses in the system need to be resolved: if a system has a known vulnerability that attackers could exploit, the system should be patched so that the vulnerability is removed or mitigated.
It is recommended to validate the possible software vulnerabilities in the table above and to perform a vulnerability assessment as per NIST SP 800-137 and NIST SP 800-18 Rev.1 controls.
Figure 6.2 below shows the software vulnerability score analysis derived from the installed software list on the ONEMi network assets.
As per NIST, vulnerability management is an ISCM capability that identifies vulnerabilities [Common Vulnerabilities and Exposures (CVEs)] on devices that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to the network.
The figure below shows the top-ranking complexity vulnerabilities found on various software installed on ONEMi asset endpoints.
Figure 6.2 Software Vulnerability score Analysis
The figure above shows that the most critical and high-impact vulnerable software in place is McAfee and Adobe.
As per NIST SP 800-137, each system, including all servers and endpoints that are part of the system, should be protected based on the potential impact to the system of a loss of confidentiality, integrity, or availability, using protection measures (otherwise known as security controls). It is recommended that security weaknesses in the system be resolved: if a system has a known vulnerability that attackers could exploit, the system should be patched so that the vulnerability is removed or mitigated.
It is recommended to validate the possible software vulnerabilities in the table above and to perform a vulnerability assessment as per NIST SP 800-137 and NIST SP 800-18 Rev.1 controls.
Figure 6.3 below shows the top-ranking complexity vulnerabilities, in percentage, found on various software installed on ONEMi asset endpoints.
Figure 6.3 Software Vulnerability in Percentage
The figure above shows the software vulnerability percentage analysis. The highest percentages of vulnerabilities occurred in Adobe, McAfee and WinZip.
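The score analysis of Figure 6.2 and the percentage analysis of Figure 6.3 can be reproduced directly from the rows of Table 6.1. The script below is an added example written for this report; it is not the NASMS tool's code nor part of the original CAS deliverable. It transcribes the table rows as its input, maps each base score to the qualitative rating band of the CVSS version it was scored with (CVSS v2 has no "Critical" band, which matters for the WinZip and HP Update entries), computes each product's share of the reported CVEs, and orders the CVEs into a remediation list by rating and score. The grouping of "Total Protection" separately from "McAfee LiveSafe" follows the product names as they appear in the table.

```python
"""Severity and per-product share analysis of a software vulnerability report.

Added example (not part of the original CAS report or the NASMS tool): it
reproduces the kind of analysis shown in Figures 6.2 and 6.3 from the rows of
Table 6.1. Severity bands follow the CVSS v2 and v3.x qualitative rating
scales used by NVD.
"""
from collections import defaultdict

# Rows transcribed from Table 6.1: (product, CVE, CVSS version, base score, host)
REPORT = [
    ("VLC media player", "CVE-2019-18278", "3.1", 7.8, "DESKTOP-LOVMVNK"),
    ("WinZip", "CVE-2007-0264", "2", 6.6, "DESKTOP-LOVMVNK"),
    ("WinZip", "CVE-2004-1465", "2", 3.7, "DESKTOP-LOVMVNK"),
    ("HP Update", "CVE-2015-5442", "2", 4.6, "DESKTOP-3F5BFM2"),
    ("Adobe InDesign 2023", "CVE-2023-21592", "3.1", 5.5, "DESKTOP-LOVMVNK"),
    ("Adobe InDesign 2023", "CVE-2023-21591", "3.1", 5.5, "DESKTOP-LOVMVNK"),
    ("Adobe InDesign 2023", "CVE-2023-21590", "3.1", 7.8, "DESKTOP-LOVMVNK"),
    ("Adobe InDesign 2023", "CVE-2023-21589", "3.1", 7.8, "DESKTOP-LOVMVNK"),
    ("Adobe InDesign 2023", "CVE-2023-21588", "3.1", 7.8, "DESKTOP-LOVMVNK"),
    ("Adobe InDesign 2023", "CVE-2023-21587", "3.1", 7.8, "DESKTOP-LOVMVNK"),
    ("McAfee LiveSafe", "CVE-2017-3898", "3", 5.9, "LAPTOP-SOKU6N51"),
    ("McAfee LiveSafe", "CVE-2017-3897", "3", 9.8, "LAPTOP-SOKU6N51"),
    ("Total Protection", "CVE-2022-43751", "3.1", 7.8, "LAPTOP-SOKU6N51"),
]

RATING_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def severity(cvss_version, score):
    """Map a base score to its qualitative rating for the CVSS version used.

    CVSS v2 only defines Low / Medium / High; v3.x adds None and Critical.
    """
    if cvss_version.startswith("2"):
        if score >= 7.0:
            return "High"
        if score >= 4.0:
            return "Medium"
        return "Low"
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def score_analysis(rows):
    """Per product: CVE count, highest base score, worst rating and affected hosts (Figure 6.2 style)."""
    out = {}
    for product, _cve, version, score, host in rows:
        entry = out.setdefault(
            product, {"count": 0, "max_score": 0.0, "worst": "None", "hosts": set()}
        )
        entry["count"] += 1
        entry["max_score"] = max(entry["max_score"], score)
        rating = severity(version, score)
        if RATING_RANK[rating] > RATING_RANK[entry["worst"]]:
            entry["worst"] = rating
        entry["hosts"].add(host)
    return out


def percentage_share(rows):
    """Share of all reported CVEs per product, rounded to one decimal (Figure 6.3 style)."""
    counts = defaultdict(int)
    for product, *_ in rows:
        counts[product] += 1
    total = sum(counts.values())
    return {p: round(100.0 * c / total, 1) for p, c in counts.items()}


def patch_priority(rows):
    """Order CVEs for remediation: rating first, then base score, then CVE id for a stable order."""
    return sorted(
        rows, key=lambda r: (-RATING_RANK[severity(r[2], r[3])], -r[3], r[1])
    )


if __name__ == "__main__":
    by_score = sorted(score_analysis(REPORT).items(), key=lambda kv: -kv[1]["max_score"])
    for product, e in by_score:
        print(f"{product:22} CVEs={e['count']:2} max={e['max_score']:4} "
              f"worst={e['worst']:8} hosts={sorted(e['hosts'])}")
    for product, pct in sorted(percentage_share(REPORT).items(), key=lambda kv: -kv[1]):
        print(f"{product:22} {pct:5.1f}%")
    for product, cve, _version, score, _host in patch_priority(REPORT)[:3]:
        print("patch first:", cve, product, score)
```

Run as a script, the per-product summary ranks McAfee LiveSafe first (Critical, 9.8) and the share table puts Adobe InDesign at 46.2% of the reported CVEs; the remediation list is what the internal review mentioned in section 6.1 would work through top-down.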
Table 7.0 below shows the condition of asset management health, followed by its business impact and risk impact. A detailed brainstorming session should be conducted to review asset conditions, and an effort should be made to improve or maintain these conditions.
| Sr.No | Categories | Condition | Business Impact | Risk Impact | Recommendation |
|---|---|---|---|---|---|
| 1 | Access Control | Good | Moderate | High | Keep Access Control for Various security Levels. Monitor Access Control Lock Regularly |
| 2 | Asset Management | Average | High | High | Thorough Asset Management Activity should be performed |
| 3 | Firewall Management | Poor | High | High | Thorough Network Traffic Activity should be performed |
| 4 | Network Architecture | Average | High | High | Thorough Network Architecture Studies should be performed |
| 5 | Cloud Server Management | Good | High | Low | |
| 6 | Communication Management | Poor | High | High | Observed various communication platforms. If possible, reduce multiple communication platforms |
| 7 | External Traffic Management | Average | High | High | Observed objectionable external traffic with malicious ports |
| 8 | Response Planning | Average | High | High | Thorough Response Planning should be developed and deployed |
| 9 | Risk Assessment | Not Known | High | High | Thorough Risk Assessment should be performed |
| 10 | Risk Management Strategy | Not Known | High | High | Thorough Risk Management Strategy should be developed and deployed |
| 11 | Governance Management | Not Known | High | High | Thorough Governance Management Strategy should be developed and deployed |
| 12 | Anomalies Detection Management | Average | High | High | Continuous Anomalies Detection should be performed |
| 13 | Security Continuous Monitoring | Not Known | High | High | Thorough Security Continuous Monitoring should be developed and deployed |
| 14 | Training and Awareness | Not Known | High | NA | Regular Training and Awareness programs should be conducted |
Table 7.0 Cyber Security health check
The current CAS at ONEMi gives an overview of the cyber security condition at ONEMi. This CAS addresses ever-evolving aspects of the cyber security framework such as asset management, current business environment, current governance, current risk assessment, data security, anomalies, risk mitigation, response planning, recovery planning and communication. This POC also aimed at understanding the aspects of business-relevant processes with a focus on availability, integrity and confidentiality.
The analysis of asset management shows that most assets are managed in the cloud. The failsafe data mechanism should be reviewed in order to maintain the availability of data.
There are a few redundancies in the system in the form of software, hardware, IP addresses, etc. This gives an opportunity for cost optimization through continuous monitoring of assets for a minimum period of 6 months.
The cyber security staff need additional bandwidth. This can be created by hiring additional resources. A minimum team size of 4 is recommended.
The detailed analysis of network security has identified 2 rules and 4 NAT policies which can lead to risks such as ransomware attacks, DoS, botnet attacks, etc. The analysis shows that various non-business-relevant activities with higher risk impact are taking place through the internet. The details are given in section 5.1.
The various recommendations given in sections 5.2 and 5.3 should be implemented as soon as possible. The NASMS tool has also produced auto-generated firewall rules, which are available in the HTML report. These rules should be evaluated and implemented in the firewall rule sheet.
A detailed analysis of vulnerabilities at the software level has been performed. These vulnerabilities are given in section 6.1. They should be reviewed with the internal team, and mitigation based on priorities should be initiated.
Cyber security is a continuous process and needs continuous monitoring using network detection and response, followed by vulnerability management.
The overall observation of this CAS is a recommendation to bring in place a Security Operations Center (SOC) to monitor, prevent, detect, investigate and respond to cyber threats around the clock. SOC teams are charged with monitoring and protecting the organization's assets, including intellectual property, personnel data, business systems and brand integrity. The smart dashboard gives the analysis of proactive operations such as asset monitoring, network traffic analysis, vulnerability analysis, threat intelligence summary, account management summary, authentication summary, and email and malware summary for 24x7 incidents and notifications.
In the end, we would like to conclude this CAS report with Marcel Proust classical saying “We don't receive wisdom; we must discover it for ourselves after a journey that no one can take for us or spare us.”