Performing Risk Assessment And Identifying Threats And Vulnerabilities For CloudXYZ
Methods for Risk Assessment
CloudXYZ is a cloud service provider in the UK that provides IT network and system services for various organizations. CloudXYZ secures its storage and virtual server services for both individual customers and organizations. Ultimately, it targets a security system that prevents or reduces business loss from incidents such as data modification, malfunction, data deletion and information theft. The task of this project is to perform a risk assessment of the provided security network architecture. For performing a risk assessment there are certain "open-source" methods and some proprietary methods, which answer questions such as: What must be protected? What are the vulnerabilities and threats? What are their implications? What value does it have to the organization? What could reduce the damage? These are the advantages of risk assessment methods. The risk assessment methods used are the Qualitative Risk Assessment Matrix (RAM), Risk Probability and Impact Assessment, a combination of checklists and what-if analysis, and the Preliminary environment risk ranking method. The ISO 27001 based Risk Assessment Tool is an effective solution. Impact analysis and likelihood estimation are the other tasks performed during the risk assessment of the given system, because they help to determine the potential impacts related to the critical business processes. Moreover, the risk assessment methods help to indicate whether the system's security, integrity and confidentiality must be increased or not.
A database, security tool, website or other service that provides a function for identifying security vulnerabilities or exposures is known as a capability. Here, the user is the owner, and the owner is responsible for maintaining the capability. CVE (Common Vulnerabilities and Exposures) compatibility enables data sharing only when the capability's mapping is accurate. Thus, CVE-compatible capabilities are required to meet minimum accuracy requirements (Cve.mitre.org, 2018).
The owner specifications include the following (Cve.mitre.org, 2018):
- The owner should have a valid phone number, email ID and address.
- The capability should give additional information or value beyond what is provided in CVE, such as the name, references, description and related data.
- Queries related to the capability's CVE functionality and mapping must be handled by a technical point of contact that the owner provides.
- The capability should let users locate security elements by using CVE names ("CVE-Searchable").
- A Security Service must use CVE names to tell the user which security elements are tested or detected by the service ("CVE-Searchable").
- For a report that identifies individual security elements, the Service should enable the client to determine the related CVE names for those elements ("CVE-Output") by completing at least one of these: letting the client directly incorporate CVE names in the report, furnishing the client with a mapping between the security elements and CVE names, or utilizing any other system.
- Any desired reports or mappings given by the Service should fulfill the media requirements.
- When the Service provides direct access to users, the product must be CVE-compatible.
Assets are classified as either primary or secondary in order to recognize the order in which they are imported. The assets that must be imported before the other assets are referred to as primary assets, and the assets that are imported after the primary assets are referred to as secondary assets (Support.symantec.com, 2011).
A primary asset contains a super-set of its secondary assets. For instance, in the Control Compliance Suite the Windows Domain must be imported before the Windows Machines. Thus, the Windows Domain is the primary asset and the Windows Machine is the secondary asset. In the asset system, the Windows Domain is also called the default scope for the Windows Machines; a default scope refers to importing the primary assets prior to the secondary assets.
| ID | Asset | Primary or Secondary Asset |
| --- | --- | --- |
| CS | Cloud storage | Primary Asset |
| VS | Virtual server | Secondary Asset |
| AS | Authentication Server | Secondary Asset |
| CD | Customer Database | Secondary Asset |
| WS | Web server | Secondary Asset |
| MS | Mail Server | Secondary Asset |
| FW | Firewall/IDS | Secondary Asset |
| I | Internet | Primary Asset |
Threats and Vulnerabilities for CloudXYZ Assets
The CloudXYZ organization's assets, with their threats and vulnerabilities, are as follows:
- Cloud Storage
  - Threats
    - Data Breaches: security breaches involving healthcare data, revenue details and financial data (Networkmagazineindia.com, 2002).
    - Data Loss: heavy loss of data is possible and could be highly expensive for the organization.
    - Malicious Insiders: insider threats to IT and network security could harm the organizational infrastructure.
  - Vulnerabilities
    - CVE-2017-1375: IBM System Storage Storwize V7000 Unified (V7000U) 1.5 and 1.6 uses weaker cryptographic algorithms, which could help an attacker decrypt highly sensitive information. IBM X-Force ID: 126868. (High)
    - CVE-2017-1304: this vulnerability could result in the use of an incorrect memory address and lead to DoS or undetected data corruption (Nvd.nist.gov, 2018). (Medium)
- Virtual Server
  - Threats
    - Traffic control (US EPA, 2018).
    - Lack of visibility.
  - Vulnerabilities
    - CVE-2017-6160: a remote attacker could send maliciously crafted HTTP requests that cause the Traffic Management Microkernel (TMM) to restart, so that it temporarily fails to process traffic. (Medium)
    - CVE-2017-6159: F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM and Websafe software versions 12.0.0 to 12.1.2 and 11.6.0 to 11.6.1 are vulnerable to a DoS attack; an attacker could disrupt the services so that the Traffic Management Microkernel (TMM) restarts and temporarily fails to process traffic. (Medium)
- Authentication Server
  - Threats
    - Sniffing and Spoofing
    - Data leakage
    - Denial of Service (DoS)
  - Vulnerabilities
    - CVE-2017-16025: a DoS vulnerability triggered through an invalid Cookie header. (Medium)
    - CVE-2018-7942: a vulnerability that leads to improper authentication design, exploitation and leakage of information. (High)
- Customer Database
  - Threats
    - Privilege abuse, a threat to database security.
    - Insufficient web application security.
    - Insecure storage media (Securitycommunity.tcs.com, 2017).
  - Vulnerabilities
    - CVE-2008-6761: a vulnerability that lets attackers perform static code injection in admin/install.php. (High)
    - CVE-2005-4515: a DISPUTED SQL injection vulnerability in WebDB 1.1. (High)
- Web Server
  - Threats
    - Coding errors
    - Security holes
    - Sensitive file
  - Vulnerabilities
    - CVE-2018-2893: an exploitable vulnerability. (Critical)
    - CVE-2018-0340: a vulnerability in the web framework that an attacker can exploit. (Medium)
- Mail Server
  - Threats
    - Spam
    - Hoaxes
    - Fake emails
  - Vulnerabilities
    - CVE-2017-14077: a vulnerability that allows attackers to inject arbitrary HTML into the body of an e-mail message. (Medium)
    - CVE-2016-9127: a vulnerability that allows a large number of password recovery / bug recovery emails to be sent to the registered users. (High)
- Firewall/IDS
  - Threats
    - Insider Attacks
    - Missed Security Patches
    - Distributed Denial of Service (DDoS) attacks
  - Vulnerabilities
    - CVE-2018-0227: a vulnerability in the Secure Sockets Layer (SSL) Virtual Private Network (VPN) Client Certificate Authentication, caused by incorrect SSL client certificate verification. (High)
    - CVE-2018-8873: a denial of service vulnerability. (High)
- Internet
  - Threats
    - Hacking: a serious threat, where an unauthorized user can easily access another person's confidential information in order to perform malicious activities and harm them.
    - Viruses: computer programs sent through email, referred to as viruses, which have the capacity to harm the computer and its operation (Roussey, 2017).
    - Data leakage
  - Vulnerabilities
    - CVE-2018-0978: a remote code execution vulnerability. (High)
    - CVE-2018-1025: an information disclosure vulnerability. (Medium)
The likelihood is calculated using the following formula:

Likelihood = Threat * Vulnerability

| Asset | Likelihood |
| --- | --- |
| Cloud Server | High |
| Virtual Server | Medium |
| Authentication Server | High |
| Customer Database | High |
| Web Server | High |
| Mail Server | High |
Impact Table (related to CloudXYZ)

| Impact level | Description |
| --- | --- |
| High | Long-term impact |
| Medium | Short term impact |
| Low | No or low impact |
The risk is calculated using the following formula:

Risk = Impact * Likelihood

- Cloud Server: Risk = High
Threat Level

| Threat | Level | ID |
| --- | --- | --- |
| Data Breaches | High | Th1 |
| Data loss | Medium | Th2 |
| Malicious Insider attacks | High | Th3 |
| Lack of visibility | Medium | Th4 |
| Traffic control | High | Th5 |
| Natural disasters | Low | Th6 |
| Sniffing and Spoofing | Medium | Th7 |
| Data leakage | Medium | Th8 |
| Denial of Service | High | Th9 |
| Web application Security | High | Th10 |
| Database security threats | High | Th11 |
| Coding errors | High | Th12 |
| Security holes | High | Th13 |
| Sensitive file | Medium | Th14 |
| Spam | Low | Th15 |
| Hoaxes | Low | Th16 |
| Fake emails | Low | Th17 |
| Missed Security Patches | Medium | Th18 |
| Hacking/outsider attacks and Viruses | High | Th19 |
| Hardware failure | Medium | Th20 |
| Software failure | Medium | Th21 |
| Competitors | High | Th22 |
The identified threats are Data Breaches, Data loss, Malicious Insider attacks, Lack of visibility, Hypervisor Security, Sniffing, Spoofing, Denial of Service, Web application Security, database security threats, Coding errors, Security holes, Sensitive file, Spam, Hoaxes, Fake emails, Missed Security Patches, Hacking/ outsider attacks and Viruses.
| Asset ID & Threat ID | Vulnerability ID | Level |
| --- | --- | --- |
| CS & Th1 | CVE-2017-1375 | High |
| CS & Th2 | CVE-2017-1304 | Medium |
| VS & Th5 | CVE-2017-6160 | Medium |
| VS & Th9 | CVE-2017-6159 | Medium |
| AS & Th9 | CVE-2017-16025 | Medium |
| AS & Th8 | CVE-2018-7942 | High |
| CD & Th10 | CVE-2008-6761 | High |
| CD & Th11 | CVE-2005-4515 | High |
| WS & Th12 | CVE-2018-2893 | Critical |
| WS & Th13 | CVE-2018-0340 | Medium |
| MS & Th19 | CVE-2017-14077 | Medium |
| MS & Th15 | CVE-2016-9127 | High |
| FW & Th18 | CVE-2018-0227 | High |
| FW & Th9 | CVE-2018-8873 | High |
| I & Th19 | CVE-2018-0978 | High |
| I & Th8 | CVE-2018-1025 | Medium |
The identified risks are mentioned below:
- Coding errors
- Denial of Service
- Data Breaches and Data loss
- Web application Security
- Database security threats
- Security holes
- Missed Security Patches
- Hacking/ outsider attacks and Viruses
- Traffic control and Data leakage
- Spam
The advantages of risk assessment are understood from this report, and it is recommended to choose an effective risk assessment method, as this will help to find the future impacts and security threats for the network. The threats and vulnerabilities for all the assets have been identified, the likelihood has been calculated, the impact has been determined for each asset, and the risks have then been identified. Thus, the recommendation is that an effective network should be created in the organization by utilizing the extremely valuable cloud storage as well as the virtual server (Granneman, 2012).
Conclusion
It is determined that risk assessment helps to answer questions such as: What must be protected? What are the vulnerabilities and threats? What are their implications? What value does it have to the organization? What could reduce the damage? The ISO 27001 based Risk Assessment Tool is considered an effective solution. CVE based vulnerabilities are considered here to support the risk assessment of the provided security network architecture. Impact analysis and likelihood estimation are the other tasks performed during the risk assessment of the given system. The risk assessment method is believed to provide the right suggestions related to the system's security, integrity and confidentiality. The threats and vulnerabilities for all the assets have been identified. The likelihood has been calculated, then the impact determined for each asset, and finally all the risks determined. The likelihood is calculated using the formula Likelihood = Threat * Vulnerability. The threat level is also determined. Then the risk is calculated using the formula Risk = Impact * Likelihood.
References
Cve.mitre.org. (2018). CVE -Requirements and Recommendations for CVE Compatibility (Archived). [online] Available at: https://cve.mitre.org/compatible/requirements.html [Accessed 3 Aug. 2018].
Granneman, J. (2012). Virtualization vulnerabilities and virtualization security threats. [online] SearchCloudSecurity. Available at: https://searchcloudsecurity.techtarget.com/tip/Virtualization-vulnerabilities-and-virtualization-security-threats [Accessed 4 Aug. 2018].
Networkmagazineindia.com. (2002). Identifying and classifying assets. [online] Available at: https://www.networkmagazineindia.com/200212/security2.shtml [Accessed 4 Aug. 2018].
Nvd.nist.gov. (2018). NVD – Results. [online] Available at: https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=Virtual+Server&search_type=all [Accessed 3 Aug. 2018].
Roussey, B. (2017). Real threats in virtualized environments: Identifying and mitigating the risks. [online] TechGenix. Available at: https://techgenix.com/virtualization-risks/ [Accessed 4 Aug. 2018].
Securitycommunity.tcs.com. (2017). 10 Major Security Threats in Cloud Computing. [online] Available at: https://securitycommunity.tcs.com/infosecsoapbox/articles/2017/02/14/10-major-security-threats-cloud-computing [Accessed 4 Aug. 2018].
Support.symantec.com. (2011). Primary and secondary assets. [online] Available at: https://support.symantec.com/en_US/article.HOWTO40975.html [Accessed 4 Aug. 2018].