Performing Risk Assessment And Identifying Threats And Vulnerabilities For CloudXYZ

Methods for Risk Assessment

CloudXYZ is a UK cloud service provider that supplies IT network and system services to various organizations. CloudXYZ secures storage and virtual server services for both individual customers and organizations. Ultimately, its security system targets preventing or reducing business loss from incidents such as data modification, malfunction, data deletion and information theft. The task of this project is to perform a risk assessment for the provided security network architecture. For performing a risk assessment there exist certain "open-source" methods and some proprietary methods, which answer questions such as: What must be protected? What are the vulnerabilities and threats? What are their implications? What value does it have to the organization? What could decrease the damage? These are the advantages of risk assessment methods. The risk assessment methods used here are the Qualitative Risk Assessment Matrix (RAM), Risk Probability and Impact Assessment, a combination of checklists and what-if analysis, and the Preliminary environment risk ranking method. The ISO 27001 based Risk Assessment Tool is an effective solution. Impact analysis and likelihood estimation are the other tasks performed during the risk assessment of the given system, because they help determine the potential impacts on the critical business processes. Moreover, the risk assessment methods help to suggest whether the system's security, integrity and confidentiality must be increased.


A capability is a database, security tool, website or other service that provides a function for identifying security vulnerabilities or exposures. Here, the user denotes the owner, and the owner has the responsibility of maintaining the capability. CVE (Common Vulnerabilities and Exposures) compatibility provides the facility of sharing data only when there is accurate capability mapping. Thus, CVE-compatible capabilities are required to meet minimum accuracy requirements (Cve.mitre.org, 2018).

The owner specifications include the following (Cve.mitre.org, 2018):

  • The owner should have a valid phone number, email ID and address.
  • The capability should give additional information or value beyond what is provided in CVE, such as the name, references, description and related data.
  • Queries related to the CVE functionality of the capability and its mapping must be answered by the technical point of contact that the owner provides.
  • The capability should let users locate security elements by using CVE names ("CVE-Searchable").
  • A Security Service must use CVE names to tell the user which security elements are tested or detected by the service ("CVE-Searchable").
  • For a report that identifies individual security elements, the Service should enable the client to determine the related CVE names for those elements ("CVE-Output") by doing at least one of the following: letting the client directly include CVE names in the report, furnishing the client with a mapping between the security elements and CVE names, or using any other mechanism.
  • Any desired reports or mappings provided by the Service should fulfil the media requirements.
  • When the Service provides direct access to users, the product must be CVE-compatible.

Assets are classified as either primary or secondary to determine the order in which they are imported. Assets that must be imported before other assets are referred to as primary assets, and assets that are imported after the primary assets are referred to as secondary assets (Support.symantec.com, 2011).

A primary asset is a super-set of its secondary assets. For instance, in Control Compliance Suite the Windows Domain must be imported prior to importing the Windows Machines. Thus, the Windows Domain is the primary asset and the Windows Machine is the secondary asset. In the asset system, the Windows Domain is called the default scope for the Windows Machines; default scope refers to importing the primary assets prior to the secondary assets.


ID   Asset                   Primary or Secondary Asset
CS   Cloud storage           Primary Asset
VS   Virtual server          Secondary Asset
AS   Authentication Server   Secondary Asset
CD   Customer Database       Secondary Asset
WS   Web server              Secondary Asset
MS   Mail Server             Secondary Asset
FW   Firewall/IDS            Secondary Asset
I    Internet                Primary Asset

Threats and Vulnerabilities for CloudXYZ Assets

The CloudXYZ organization's assets, with their threats and vulnerabilities, are as follows:

  • Cloud Storage

Threats

  1. Data Breaches

Security breaches involve healthcare data, revenue details and financial data (Networkmagazineindia.com, 2002).

  2. Data Loss

There is a possibility of heavy loss of data, which could be highly expensive for the organization.

  3. Malicious Insiders

Threats to IT and network security could harm the organizational infrastructure.

Vulnerabilities

  1. CVE-2017-1375: IBM System Storage Storwize V7000 Unified (V7000U) 1.5 and 1.6 use weaker cryptographic algorithms, which might help an attacker decrypt highly sensitive information. IBM X-Force ID: 126868. (High)
  2. CVE-2017-1304: this vulnerability could result in the use of an incorrect memory address and can lead to DoS or undetected data corruption (Nvd.nist.gov, 2018). (Medium)
  • Virtual Server

Threats

  1. Traffic control (US EPA, 2018).
  2. Lack of visibility.

Vulnerabilities

  1. CVE-2017-6160: a remote attacker could send maliciously crafted HTTP requests so that the Traffic Management Microkernel (TMM) restarts and temporarily fails to process traffic. (Medium)
  2. CVE-2017-6159: F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controller, PEM and Websafe software versions 12.0.0 to 12.1.2 and 11.6.0 to 11.6.1 are vulnerable to a DoS attack. An attacker could disrupt the services so that the Traffic Management Microkernel (TMM) restarts and temporarily fails to process traffic. (Medium)
  • Authentication Server

Threats

  1. Sniffing and Spoofing
  2. Data leakage
  3. Denial of Service (DoS)

Vulnerabilities

  1. CVE-2017-16025: a DoS vulnerability triggered through an invalid Cookie header. (Medium)
  2. CVE-2018-7942: a vulnerability arising from improper authentication design, leading to exploitation and leakage of information. (High)
  • Customer Database

Threats

  1. Privilege abuse, which is a threat to database security.
  2. Insufficient web application security.
  3. Storage media that is not secure enough (Securitycommunity.tcs.com, 2017).

Vulnerabilities

  1. CVE-2008-6761: lets attackers perform static code injection in admin/install.php. (High)
  2. CVE-2005-4515: a DISPUTED SQL injection vulnerability in WebDB 1.1. (High)
  • Web Server

Threats

  1. Coding errors
  2. Security holes
  3. Sensitive file

Vulnerabilities

  1. CVE-2018-2893: an exploitable vulnerability. (Critical)
  2. CVE-2018-0340: a vulnerability in the web framework that an attacker can exploit. (Medium)
  • Mail Server

Threats

  1. Spam
  2. Hoaxes
  3. Fake emails

Vulnerabilities

  1. CVE-2017-14077: allows attackers to inject arbitrary HTML into the body of an e-mail message. (Medium)
  2. CVE-2016-9127: allows a large number of password recovery/bug recovery e-mails to be sent to registered users. (High)
  • Firewall/IDS

Threats

  1. Insider Attacks
  2. Missed Security Patches
  3. Distributed Denial of Service (DDoS) attacks

Vulnerabilities

  1. CVE-2018-0227: a vulnerability in Secure Sockets Layer (SSL) Virtual Private Network (VPN) Client Certificate Authentication caused by incorrect SSL client certificate verification. (High)
  2. CVE-2018-8873: a denial of service vulnerability. (High)
  • Internet

Threats

  1. Hacking

This is a serious threat, where an unauthorized user can easily access another person's confidential information in order to perform malicious activities and harm them.

  2. Viruses

Viruses are computer programs sent through e-mail which have the capacity to harm the computer and its working (Roussey, 2017).

  3. Data leakage

Vulnerabilities

  1. CVE-2018-0978: a remote code execution vulnerability. (High)
  2. CVE-2018-1025: an information disclosure vulnerability. (Medium)

The likelihood is calculated using the following formula:

Likelihood = Threat * Vulnerability

  1. Cloud Server: Likelihood = High
  2. Virtual Server: Likelihood = Medium
  3. Authentication Server: Likelihood = High
  4. Customer Database: Likelihood = High
  5. Web Server: Likelihood = High
  6. Mail Server: Likelihood = High

Impact Table (related to CloudXYZ)

Level    Impact
High     Long-term impact
Medium   Short-term impact
Low      No or low impact

The risk is calculated using the following formula:

Risk = Impact * Likelihood

  1. Cloud Server: Risk = High

Threat Level

Threat                                  Level    ID
Data Breaches                           High     Th1
Data loss                               Medium   Th2
Malicious Insider attacks               High     Th3
Lack of visibility                      Medium   Th4
Traffic control                         High     Th5
Natural disasters                       Low      Th6
Sniffing and Spoofing                   Medium   Th7
Data leakage                            Medium   Th8
Denial of Service                       High     Th9
Web application Security                High     Th10
Database security threats               High     Th11
Coding errors                           High     Th12
Security holes                          High     Th13
Sensitive file                          Medium   Th14
Spam                                    Low      Th15
Hoaxes                                  Low      Th16
Fake emails                             Low      Th17
Missed Security Patches                 Medium   Th18
Hacking/ outsider attacks and Viruses   High     Th19
Hardware failure                        Medium   Th20
Software failure                        Medium   Th21
Competitors                             High     Th22

The identified threats are Data Breaches, Data loss, Malicious Insider attacks, Lack of visibility, Hypervisor Security, Sniffing, Spoofing, Denial of Service, Web application Security, database security threats, Coding errors, Security holes, Sensitive file, Spam, Hoaxes, Fake emails, Missed Security Patches, Hacking/ outsider attacks and Viruses.   

Asset ID & Threat ID   Vulnerability ID   Level
CS & Th1               CVE-2017-1375      High
CS & Th2               CVE-2017-1304      Medium
VS & Th5               CVE-2017-6160      Medium
VS & Th9               CVE-2017-6159      Medium
AS & Th9               CVE-2017-16025     Medium
AS & Th8               CVE-2018-7942      High
CD & Th10              CVE-2008-6761      High
CD & Th11              CVE-2005-4515      High
WS & Th12              CVE-2018-2893      Critical
WS & Th13              CVE-2018-0340      Medium
MS & Th19              CVE-2017-14077     Medium
MS & Th15              CVE-2016-9127      High
FW & Th18              CVE-2018-0227      High
FW & Th9               CVE-2018-8873      High
I & Th19               CVE-2018-0978      High
I & Th8                CVE-2018-1025      Medium
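As an added worked example (not part of the original report), the following Python script applies the two formulas used above, Likelihood = Threat * Vulnerability and Risk = Impact * Likelihood, to the asset, threat and CVE levels tabulated in this report and ranks the assets for treatment. The report does not define how two qualitative levels are multiplied, so the 3x3 combining matrix and the per-asset impact ratings are assumptions, which is why some computed likelihoods can differ from the report's stated values.

```python
# Ordinal scale for the report's levels; "Critical" is folded into High (assumption).
LEVEL = {"Low": 1, "Medium": 2, "High": 3, "Critical": 3}

def combine(a, b):
    """Assumed 3x3 matrix (not defined in the report): rank product 1-2 -> Low,
    3-6 -> Medium, 9 -> High, i.e. High only when both inputs are High."""
    p = LEVEL[a] * LEVEL[b]
    return "Low" if p <= 2 else "Medium" if p <= 6 else "High"

def likelihood(threat_level, vuln_level):  # Likelihood = Threat * Vulnerability
    return combine(threat_level, vuln_level)

def risk(impact, likelihood_level):  # Risk = Impact * Likelihood
    return combine(impact, likelihood_level)

# Threat levels from the report's threat-level table (only the IDs used below).
THREAT_LEVEL = {"Th1": "High", "Th2": "Medium", "Th5": "High", "Th8": "Medium",
                "Th9": "High", "Th10": "High", "Th11": "High", "Th12": "High",
                "Th13": "High", "Th15": "Low", "Th18": "Medium", "Th19": "High"}

# (asset, threat, CVE, vulnerability level) rows from the report's mapping table.
ROWS = [
    ("CS", "Th1", "CVE-2017-1375", "High"), ("CS", "Th2", "CVE-2017-1304", "Medium"),
    ("VS", "Th5", "CVE-2017-6160", "Medium"), ("VS", "Th9", "CVE-2017-6159", "Medium"),
    ("AS", "Th9", "CVE-2017-16025", "Medium"), ("AS", "Th8", "CVE-2018-7942", "High"),
    ("CD", "Th10", "CVE-2008-6761", "High"), ("CD", "Th11", "CVE-2005-4515", "High"),
    ("WS", "Th12", "CVE-2018-2893", "Critical"), ("WS", "Th13", "CVE-2018-0340", "Medium"),
    ("MS", "Th19", "CVE-2017-14077", "Medium"), ("MS", "Th15", "CVE-2016-9127", "High"),
    ("FW", "Th18", "CVE-2018-0227", "High"), ("FW", "Th9", "CVE-2018-8873", "High"),
    ("I", "Th19", "CVE-2018-0978", "High"), ("I", "Th8", "CVE-2018-1025", "Medium"),
]

# Constructed impact ratings for illustration; the report only defines the
# impact scale (High = long-term, Medium = short-term, Low = no or low impact).
IMPACTS = {"CS": "High", "VS": "Medium", "AS": "High", "CD": "High",
           "WS": "High", "MS": "Medium", "FW": "High", "I": "Low"}

def asset_likelihood(rows=ROWS):
    """Per-asset likelihood: the worst likelihood over the asset's threat/CVE pairs."""
    out = {}
    for asset, th, _cve, vlevel in rows:
        lvl = likelihood(THREAT_LEVEL[th], vlevel)
        if asset not in out or LEVEL[lvl] > LEVEL[out[asset]]:
            out[asset] = lvl
    return out

def asset_risk(impacts=IMPACTS, rows=ROWS):
    """Risk per asset (Impact * Likelihood), ordered worst-first for treatment."""
    lk = asset_likelihood(rows)
    scored = {a: risk(impacts[a], lk[a]) for a in lk if a in impacts}
    return dict(sorted(scored.items(), key=lambda kv: -LEVEL[kv[1]]))
```

Changing the combining matrix or an impact rating changes the ranking, so both choices should be recorded alongside the results when the assessment is reviewed.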

The identified risks are mentioned below:

  1. Coding errors
  2. Denial of Service
  3. Data Breaches and Data loss
  4. Web application Security  
  5. Database security threats
  6. Security holes
  7. Missed Security Patches
  8. Hacking/ outsider attacks and Viruses
  9. Traffic control and Data leakage
  10. Spam


The advantages of risk assessment are understood from this report, and it is recommended to choose an effective method for risk assessment, as this helps to find the future impacts and security threats for the network. The threats and vulnerabilities for all the assets are identified, the likelihood is calculated, the impact is determined for each asset, and then the risks are identified. Thus, the recommendation is that an effective network should be created in the organization by utilizing extremely valuable cloud storage as well as virtual servers (Granneman, 2012).

Conclusion

It is determined that risk assessment helps to answer questions such as: What must be protected? What are the vulnerabilities and threats? What are their implications? What value does it have to the organization? What could decrease the damage? The ISO 27001 based Risk Assessment Tool is considered an effective solution. CVE based vulnerabilities are considered here to support the process of performing a risk assessment for the provided security network architecture. Impact analysis and likelihood estimation are the other tasks performed during the risk assessment of the given system. The risk assessment method is believed to provide the right suggestions regarding the system's security, integrity and confidentiality. The threats and vulnerabilities for all the assets are identified. The likelihood is calculated, then the impact is determined for each asset, and finally all the risks are determined. The likelihood is calculated using the formula Likelihood = Threat * Vulnerability. The threat level is also determined. Then the risk is calculated using the formula Risk = Impact * Likelihood.

References

Cve.mitre.org. (2018). CVE -Requirements and Recommendations for CVE Compatibility (Archived). [online] Available at: https://cve.mitre.org/compatible/requirements.html [Accessed 3 Aug. 2018].

Granneman, J. (2012). Virtualization vulnerabilities and virtualization security threats. [online] SearchCloudSecurity. Available at: https://searchcloudsecurity.techtarget.com/tip/Virtualization-vulnerabilities-and-virtualization-security-threats [Accessed 4 Aug. 2018].

Networkmagazineindia.com. (2002). Identifying and classifying assets. [online] Available at: https://www.networkmagazineindia.com/200212/security2.shtml [Accessed 4 Aug. 2018].

Nvd.nist.gov. (2018). NVD – Results. [online] Available at: https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=Virtual+Server&search_type=all [Accessed 3 Aug. 2018].

Roussey, B. (2017). Real threats in virtualized environments: Identifying and mitigating the risks. [online] TechGenix. Available at: https://techgenix.com/virtualization-risks/ [Accessed 4 Aug. 2018].

Securitycommunity.tcs.com. (2017). 10 Major Security Threats in Cloud Computing. [online] Available at: https://securitycommunity.tcs.com/infosecsoapbox/articles/2017/02/14/10-major-security-threats-cloud-computing [Accessed 4 Aug. 2018].

Support.symantec.com. (2011). Primary and secondary assets. [online] Available at: https://support.symantec.com/en_US/article.HOWTO40975.html [Accessed 4 Aug. 2018].