Cyber Security Risk Assessment


A Visibility into Malicious Network Traffic and Applications For Company
Prepared for: XYZ
Prepared by: Infoguard Cyber Security
April 25, 2014
Infoguard Cyber Security
www.InfoguardSecurity.com

Contents

1. XYZ Network Traffic Analysis and Security Assessment
2. Summary and Key Findings
3. Top 50 Attacker Countries
1. Spyware on the Network & Source Countries
2. Top Threats Traversing the Network
3. Business Risks Introduced by High Risk Applications
4. Application Characteristics That Determine Risk
5. Top High Risk Applications in Use
6. Top Applications Traversing the Network
7. Application Subcategories
8. Cloud or Online Data Storage in other Countries
9. Spyware Infected Hosts
10. Top Risk Users
11. Top Viruses
12. Top Vulnerabilities
13. Hi Skype Users
14. Hi Skype Users by Traffic Volume
15. Findings
16. Appendix A: Business Risk Definitions

Applications and Network Traffic Analysis, Page: 2

1. XYZ Network Traffic Analysis and Security Assessment

Infoguard conducted an analysis of XYZ's network traffic and its applications. This report provides visibility into the content traversing the network and its associated risks, users, sources and destinations, and summarizes the analysis beginning with key findings and an overall business risk assessment. Beyond that, the report analyzes XYZ traffic based on specific applications and the technical risks and threats, and provides a high-level picture of how the network is being used. The report closes with a summary and recommended actions to mitigate the risk to the organization.

2. Summary and Key Findings

Key findings that should be addressed by XYZ:

- A high volume of data transfer to different countries.
- A high number of attacks from different countries.
- Applications that can lead to intellectual property and confidential data loss. File transfer applications (peer-to-peer and/or browser-based) are in use, exposing XYZ to significant security, data loss, compliance and possible copyright infringement risks.
- Applications that can be used to conceal activity. IT-savvy employees are using applications that can conceal their activity. Examples of these types of applications include external proxies, remote desktop access and non-VPN encrypted tunnels. Who is using these applications, and for what purpose, should be investigated.
- Applications used for personal communications. Employees are using a variety of applications that enable personal communications. Examples include instant messaging (a single user made 400 Skype calls to 40 countries), webmail, and VoIP/video conferencing. These types of applications can introduce productivity loss, compliance and business continuity risks.
- Personal applications are being installed and used on the network. End-users are installing and using a variety of non-work-related applications that can elevate business and security risks.
- Bandwidth-hogging, time-consuming applications in use. Media and social networking applications were found. Both of these types of applications are known to consume corporate bandwidth and employee time.

3. Top 50 Attacker Countries

[Figure 1: Top 50 attacker countries]

1. Spyware on the Network & Source Countries

[Table of spyware detections with columns Threat, Source IP, User, Application and Source Country; the individual rows did not survive the transcription.]

22 Pages Removed

2. Top Threats Traversing the Network

The increased visibility into the traffic flowing across the network helps improve threat prevention by determining exactly which application may be transmitting the threat, not just the port and protocol. This increased visibility into the actual identity of the application means that the threat prevention engine can quickly narrow down the number of potential threats, thereby accelerating

Figure 5: Top threats identified. Columns: Risk, Application, Category, Subcategory, Threat/Content Name, Count. Two rows are legible in full:

Risk | Application | Category | Subcategory | Threat/Content Name | Count
4 | web-browsing | general-internet | utility | Adobe PDF File With Embedded Javascript | 222
4 | dns | networking | infrastructure | Suspicious DNS Query (generic:tracker.ccc.se) | 198

Applications carrying the remaining threats include ip-video, web-browsing, sip, dns and yahoo-voice. The distinct Threat/Content Names listed are:

- HTTP OPTIONS Method
- FTP Login Failed
- SIP Register Request Attempt
- SIP Register Message Brute-force Attack
- SSH2 Login Attempt
- SSL Renegotiation Denial of Service Vulnerability
- HTTP Unauthorized Error
- HTTP WWW-Authentication Failed
- Generic GET Method Buffer Overflow Vulnerability
- Microsoft Communicator INVITE Flood Denial of Service Vulnerability
- Suspicious DNS Query (generic:api.greygray.biz)
- Suspicious DNS Query (PWS.fapk:advombat.ru)
- Suspicious DNS Query (generic:ibnlive.in.com)
- SIP Bye Request Attempt
- HTTP GET Requests Long URI Anomaly
- JavaScript Obfuscation Detected
- Suspicious DNS Query (generic:api.megabrowse.biz)
- Suspicious DNS Query (TrojanDropper.sysn:ak.imgfarm.com)
- SSH User Authentication Brute-force Attempt
- DNS ANY Request
- Microsoft ASP.NET Remote Unauthenticated Denial of Service Vulnerability
- Adobe PDF File With Embedded Javascript
- Suspicious DNS Query (generic:tracker.ccc.se)
- Suspicious DNS Query (generic:cdn.ministerial5.com)
- Microsoft ASP.Net Information Leak Vulnerability
- Sipvicious.Gen User-Agent Traffic
- Suspicious DNS Query (generic:s.m2pub.com)

7 Pages Removed

3. Business Risks Introduced by High Risk Applications

Identifying the risks an application poses is the first step towards effectively managing the related business risks. The potential business risks that can be introduced by the applications traversing the network are determined by looking at the behavioral characteristics of the applications. Each of the behavioral characteristics can introduce business risks.

4. Application Characteristics That Determine Risk

The application behavioral characteristics are used to determine a risk rating of 1 through 5. The characteristics are an integral piece of the application visibility that administrators can use to learn more about a new application that they may find on the network and, in turn, make a more informed decision about how to treat the application.

Application Behavioral Characteristic Definitions

- Prone to misuse. Used for nefarious purposes or easily configured to expose more than intended. Examples include SOCKS, as well as newer applications such as BitTorrent and AppleJuice.
- Tunnels other applications. Able to transport other applications. Examples include SSH and SSL as well as Hopster, TOR, RTSP and RTMPT.
- Has known vulnerabilities. The application has had known vulnerabilities and, typically, exploits.
- Transfers files. Able to transfer files from one network to another. Examples include FTP and P2P as well as webmail and online file-sharing applications like MegaUpload and YouSendIt!.
- Used by malware. Has been used to propagate malware, initiate an attack or steal data. Applications that are used by malware include collaboration (email, IM, etc.) and general Internet categories (file sharing, Internet utilities).
- Consumes bandwidth. The application consumes 1 Mbps or more regularly through normal use. Examples include P2P applications such as Xunlei and DirectConnect as well as media applications, software updates and other business applications.
- Evasive. Uses a port or protocol for something other than its intended purpose with the intent to ease deployment or hide from existing security infrastructure.

With the knowledge of which applications are traversing the network, their individual characteristics and which employees are using them, XYZ can more effectively decide how to treat the application traffic through associated security policies. Note that many applications carry multiple behavioral characteristics.
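As an added illustration (not part of the Infoguard report), the following Python sketch applies the seven characteristics above to an application inventory, derives a 1 to 5 rating, and turns the rating plus traffic volume into a policy treatment. The weights, the two-points-per-level rule, the volume threshold and the sample applications are assumptions, since the report does not publish its formula.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set
# Assumed weights for the seven characteristics defined in the report (constructed).
CHARACTERISTIC_WEIGHTS: Dict[str, int] = {
    "prone_to_misuse": 2,
    "tunnels_other_applications": 2,
    "has_known_vulnerabilities": 1,
    "transfers_files": 2,
    "used_by_malware": 2,
    "consumes_bandwidth": 1,
    "evasive": 2,
}

@dataclass
class Application:
    name: str
    bytes_seen: int
    characteristics: Set[str] = field(default_factory=set)

def risk_rating(app: Application) -> int:
    """1-5 rating; assumed rule: one level per two weight points, floor 1, cap 5."""
    unknown = app.characteristics - set(CHARACTERISTIC_WEIGHTS)
    if unknown:
        raise ValueError(f"unknown characteristic(s): {sorted(unknown)}")
    score = sum(CHARACTERISTIC_WEIGHTS[c] for c in app.characteristics)
    return min(5, 1 + score // 2)

def recommended_treatment(app: Application, high_volume: int = 10**9) -> str:
    """Assumed policy: block ratings 4-5, monitor rating 3 or high-volume apps."""
    rating = risk_rating(app)
    if rating >= 4:
        return "block"
    if rating == 3 or app.bytes_seen >= high_volume:
        return "monitor"
    return "allow"

def rank_applications(apps: List[Application]) -> List[tuple]:
    """(name, rating, treatment, characteristic count), highest risk and volume first."""
    ordered = sorted(apps, key=lambda a: (-risk_rating(a), -a.bytes_seen))
    return [(a.name, risk_rating(a), recommended_treatment(a), len(a.characteristics))
            for a in ordered]

# Constructed inventory modelled on application types the report names.
SAMPLE_APPS = [
    Application("bittorrent", 60 * 10**9, {"prone_to_misuse", "transfers_files",
                                           "used_by_malware", "consumes_bandwidth"}),
    Application("ssh", 2 * 10**9, {"tunnels_other_applications", "has_known_vulnerabilities"}),
    Application("webmail", 5 * 10**8, {"transfers_files", "used_by_malware"}),
    Application("dailymotion", 3 * 10**9, {"consumes_bandwidth"}),
]
```

Running rank_applications(SAMPLE_APPS) places the multi-characteristic P2P client first with a block recommendation, while the single-characteristic video site is allowed only until its volume crosses the monitoring threshold.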

5. Top High Risk Applications in Use

The high risk applications sorted by category, subcategory and bytes consumed are shown below. The ability to view the application along with its respective category, subcategory and technology can be useful when discussing the business value and the potential risks that the applications pose with the respective users or groups of users.

About 400 applications were found traversing the XYZ network.

Key observations on the 50 high risk applications:

- Activity concealment: Proxy (5) and remote access (14) applications were found. IT-savvy employees are using these applications with increasing frequency to conceal activity and, in so doing, can expose XYZ to compliance and data loss risks.
- File transfer/data loss/copyright infringement: Peer-to-peer (P2P) applications (21) and browser-based file sharing applications (32) with over 80 gigabytes of file transfer were found. These applications expose XYZ to data loss, possible copyright infringement and compliance risks, and can act as a threat vector.
- Personal communications: A variety of applications that are commonly used for personal communications were found, including instant messaging (5), webmail (9), and VoIP/video (4). These types of applications expose XYZ to possible productivity loss, compliance and business continuity risks.
- Bandwidth hogging: Applications that are known to consume excessive bandwidth, including photo/video, audio and social networking, were detected. These types of applications represent an employee productivity drain, can consume excessive amounts of bandwidth and can act as potential threat vectors.

6. Top Applications Traversing the Network

About 400 applications (based on severity and bandwidth consumption), sorted by category and subcategory, are shown below. The ability to view the application category, subcategory and technology is complemented by the behavioral characteristics (previous page), resulting in a more complete picture of the business benefit an application may

[Figure 3: Applications that are consuming the most bandwidth, sorted by category, subcategory and technology. Columns: Application, Category, Subcategory, Technology, Bytes. Legible fragments name dailymotion among the applications, general-internet, collaboration and media among the categories, and browser-based as the technology; the byte counts did not survive the transcription.]

Pages Removed

7. Application Subcategories

The subcategory breakdown of all the applications found, sorted by bandwidth consumption, provides an excellent summary of where the application usage is heaviest. These data points can help IT organizations more effectively prioritize their application enablement efforts.

[Figure 4: Subcategory breakdown of some of the applications found. Columns: Sub-Category, Number of Applications, Bytes, Sessions Consumed. Only the Grand Total row is partly legible: Sessions Consumed 40,489,955.]

Pages Removed

8. Cloud or Online Data Storage in other Countries

[Figure 2: Data storage in other countries. Columns: Date, Time, Source address, Destination, Destination Country. The rows, a listing of internal 192.168.41.x addresses with timestamps from late March and early April 2014, are omitted.]

9. Spyware Infected Hosts

[Table with columns Destination, Source and Threat/Content Name. Every row carries one of two Threat/Content Names: "Suspicious user-agent strings" or "Sipvicious.Gen User-Agent Traffic"; the host addresses are omitted.]

2 Pages Removed

10. Top Risk Users

[Table with columns Risk, Source address and Source Host; the values did not survive the transcription.]

11. Top Viruses

[Table with columns Risk, Threat/Content Name, Source address, Destination, Country, User and Destination Host Name. The legible rows involve internal XYZ hosts and external mail servers, with source countries listed as United States, Canada and Mexico; the addresses and host names are omitted.]

12. Top Vulnerabilities

[Table with columns Risk, Threat/Content Name, Application, Destination Host Name, Source and Destination. Risk ratings range from 2 to 4; destination hosts include the N2net SIP server, the DHCP Server, the DNS Server and several workstation VMs; applications involved are sip, ms-ds-smb, msrpc and ssh. The distinct Threat/Content Names are:]

- SIP Register Request Attempt
- SIP Register Message Brute-force Attack
- Windows SMB Login Attempt
- Microsoft Windows SMB Negotiate Request
- Microsoft Windows SMB Fragmentation RPC Request Attempt
- NetBIOS nbtstat (remainder of the name lost in the transcription)
- SSH2 Login Attempt
- Microsoft Windows user enumeration

[The section is cut off mid-table in the source.]
