This assignment requires you to plan, conduct and document a risk assessment based on the scenario described in Section 3. You should carefully read the marking scheme (refer to Section 5) to have a clear perception of what the expected content of the risk assessment report you have to deliver is and how it will be evaluated.
The scenario is described in broad terms; therefore, you may need to make assumptions and set a scope for the risk assessment, and all of this has to be documented in the report. Additionally, any use of published information has to be properly referenced with an in-text citation and a corresponding item in the reference list, using the Harvard style (https://www.uclan.ac.uk/students/support/wiser/referencing_guides.php) consistently.
A cloud service provider in the UK, CloudXYZ, hired your team to set up its IT network/system. The company provides (i) secure storage and (ii) virtual server services for both individual customers and organizations. The goal of the security system is to prevent or minimize the business loss caused by possible incidents, such as malfunction, information theft, data modification, deletion or destruction. Your colleagues in the team have proposed the first version of the security network architecture depicted in Figure 1. As the person responsible for risk assessment, your task is to conduct a risk assessment on this system.
Benefits of using ISO 27001 standards for risk assessment
The risk assessment of the proposed cloud architecture will be done using the ISO 27001 standard. It is a standard method used for security risk analysis and gives a clear overview of the security-related factors. There are various benefits of using the ISO 27001 standard for the risk assessment. The advantages are improved security measures, a standard security report, identification of flaws in the cloud system and a standard security assessment (Alebrahim et al. 2015).
The standard provides a systematic approach to examining the risk of the implemented information security system with reference to the associated threats, vulnerabilities and impact of each threat, which are unique to the organization (Kurnianto, Isnanto and Widodo 2018).
Based on the analysis, it provides the most effective solutions to address those needs, which will improve the security of the system. It also provides continuous assessment of the security infrastructure to address issues related to the system infrastructure.
ISO 27001 is a well-recognized international standard for security assessment that follows the criteria mentioned above. The certification, being independent and unbiased, increases authenticity. The certification provides a systematic and scientific overview of the existing information security practices (Hoy and Foley 2015).
The assessment report first discusses the owner specification, which describes the hardware and software specifications used for the cloud system design. The threats associated with each asset are also discussed in the report. The vulnerabilities associated with those assets are highlighted with their official CVE numbers. The Boston grid method has been used to compute the risk level, and the impact table specification is provided in the report. With the help of the Boston grid, the risks associated with the project have been identified together with the appropriate risk level. The report concludes with the overall findings and a justification for the chosen security measures.
Owner specification:
Entities | Vendors
Cloud storage | CTERA
Virtual server | F5
Mail and web server | Amazon
Intranetwork | Microsoft
Firewall | Juniper Networks
Firmware for admin PC | CompuLab
Authentication server | Symantec
Customer database | MEDHOST
Type of assets:
The primary assets are those that need to be put in place first in order to implement the other assets. The second type of asset is known as a secondary asset (Pulier, Martinez and Hill 2015).
To implement the cloud architecture, both hardware and software are needed. However, the software must be incorporated first to enable the hardware to support the cloud architecture. Hence the software is the primary asset and the supporting hardware is the secondary asset. The primary assets include:
- Cloud storage
- Virtual servers
- Firewall
- Firmware
- Intranet
- Internet
- Web and email server
Analysis of primary and secondary assets
The secondary assets include:
- Admin PC
- Human resource PC
- User PC
Threats with cloud storage:
The cloud storage is provided by a third-party service provider and is located remotely, so it is not possible to take full control over the storage (Almorsy, Grundy and Muller 2016).
The login options used to grant storage access are not totally secure, which has been identified by hackers. Hence, there is a high risk of theft of the data stored in the cloud storage (Almorsy, Grundy and Muller 2016).
Threats with virtual servers:
A virtual server needs a high level of administration knowledge; if the administrator lacks understanding of the servers, the server is likely to face security issues due to unauthorized access.
Virtual servers should be updated with regular security patches; otherwise the server becomes less secure and easier to hack (Jokar, Arianpoo and Leung 2016).
Threats with firewall:
A firewall helps protect the internal network against attacks made via the external internet. However, it is not suitable for defending the network against internal security flaws.
If the system allows external communication, such as receiving emails from outside sources, the firewall cannot prevent that communication or detect flaws in it, if any (Singh, Jeong and Park 2016).
Threats with the intranet:
The intranet is used for internal communication within the organization. This makes employees feel that the network is fully secured and not accessible from outside, and because of this, weak passwords are often used to log in to profiles hosted on the network. This has the potential to make the network less secure (Wang, Wei and Vangury 2014).
Access to the network is easily given to people belonging to the organization, which poses a security threat if the network is not handled properly.
Threats with web and mail servers:
The web and mail servers in the network are secured using the firewall. However, the firewall too has limitations and is not a complete solution for network security. Attackers who find security flaws in the firewall can gain access to the servers and steal important data (Wang, Wei and Vangury 2014).
Threats with the firmware and the admin and user pc:
The firmware is not protected using cryptographic signing. This makes the firmware easy to hack, giving access to the computer systems and the hardware they contain, which allows important data in the system to be accessed and stolen (Singh, Jeong and Park 2016).
Identification of vulnerabilities associated with each asset
The admin PC as well as the user PC connected to the overall network are subject to security threats.
CVE-2013-2639
A vulnerability was found in the CTERA cloud storage. The vulnerability is a cross-site scripting (XSS) issue: with the help of the scripting, remote attackers can inject arbitrary web script or HTML through the description contained in a project folder (Cvedetails.com 2018).
CVE-2016-9245
The vulnerability is related to F5 BIG-IP systems, the platform used for the virtual servers. Attackers can make a malicious request that is passed to the virtual servers through an HTTP profile, which has the capability to restart the TMM. This vulnerability applies to all BIG-IP APM profiles irrespective of the settings applied to them. The issue also applies to the non-default "Normalize URI" configuration used for iRules, and is also exposed with BIG-IP LTM policies. With the help of this vulnerability, attackers can disrupt traffic or cause a failure of the BIG-IP system (Cve.mitre.org 2018).
CVE-2008-6096
This vulnerability is related to Juniper NetScreen ScreenOS, which is used for the DMZ network in the cloud architecture. Through cross-site scripting, remote attackers can inject arbitrary web script or HTML through the user name parameter used in the web interface of the user login page (Cve.mitre.org 2018).
CVE-2017-6062
The "OpenID Connect Relying Party and OAuth 2.0 Resource Server", also known as mod_auth_openidc, is used for the HTTP authentication server maintained by the Apache Software Foundation. The module does not skip the OIDC_CLAIM_ and OIDCAuthNHeader headers in an "OIDCUnAuthAction pass" configuration. This enables attackers to bypass authentication through crafted HTTP traffic (Cve.mitre.org 2018).
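The defensive behaviour the fix calls for, shown as an added example that is not mod_auth_openidc's own code: a pass-through filter that drops every client-supplied OIDC_CLAIM_* header and the configured authentication header before an unauthenticated request reaches the backend, and sets them only from the server-side session. The header name X-Remote-User, the session user names and the sample request are assumptions chosen for illustration.

```python
from typing import Dict, Optional

CLAIM_PREFIX = "oidc_claim_"  # prefix of the claim headers the proxy sets after a successful login


def strip_identity_headers(headers: Dict[str, str], authn_header: str) -> Dict[str, str]:
    """Return a copy of the inbound headers without client-supplied identity headers:
    every OIDC_CLAIM_* header and the header named by the OIDCAuthNHeader directive.
    Matching is case-insensitive because HTTP header names are."""
    cleaned = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname.startswith(CLAIM_PREFIX) or lname == authn_header.lower():
            continue  # dropped: only the proxy may set these, and only after authentication
        cleaned[name] = value
    return cleaned


def forward_request(headers: Dict[str, str], session_user: Optional[str],
                    authn_header: str = "X-Remote-User") -> Dict[str, str]:
    """Model of the 'OIDCUnAuthAction pass' path. The request is passed through even
    without a session, but identity headers are stripped first and then added only
    from the server-side session, so the backend cannot be fed forged ones.
    authn_header is an assumed value for the OIDCAuthNHeader setting."""
    outbound = strip_identity_headers(headers, authn_header)
    if session_user is not None:
        outbound[authn_header] = session_user
        outbound["OIDC_CLAIM_sub"] = session_user
    return outbound


def backend_user(headers: Dict[str, str], authn_header: str = "X-Remote-User") -> Optional[str]:
    """What a backend that trusts the authentication header would take as the user."""
    for name, value in headers.items():
        if name.lower() == authn_header.lower():
            return value
    return None


# Constructed sample: an unauthenticated request that carries forged identity headers.
SPOOFED_REQUEST = {
    "Host": "app.example",
    "X-Remote-User": "admin",
    "OIDC_CLAIM_sub": "admin",
    "oidc_claim_email": "admin@example",
    "Accept": "*/*",
}

if __name__ == "__main__":
    print(backend_user(forward_request(SPOOFED_REQUEST, None)))     # None: forged headers dropped
    print(backend_user(forward_request(SPOOFED_REQUEST, "alice")))  # alice: set from the session
```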
CVE-2017-11693
The vulnerability is related to MEDHOST, a document management system used for creating the customer database in the cloud infrastructure. The system uses hard-coded credentials that are needed to request access to the database. Unauthorized users are therefore not prevented from accessing the database; all it takes is knowledge of those credentials. With those hard-coded credentials, attackers can communicate directly with the database, and can even modify it after accessing the sensitive information it contains. The database is built on PostgreSQL. The account name is dms and the password is hard-coded, and it is the same not only throughout the application but also across all installations. The customer does not have any option to change the password. The dms account connected to PostgreSQL can access the database schema used for the DMS (Cve.mitre.org 2018).
CVE-2017-9457
The vulnerability is identified in the firmware used in the admin PC. The firmware is made by CompuLab. The main issue with the firmware is that it does not include signature checking for firmware updates. Because of this, it is possible for anyone to modify the firmware settings during a system flash. The modification can be done using the Phoenix "UEFI update program". It is not hard to obtain the Phoenix utility; the DOS or Windows version of the program can easily be downloaded online. With the help of the utility, a rootkit can be installed on the computer at the firmware level, which has the ability to corrupt the entire system, leading to denial of service, even for the admin profile (Cve.mitre.org 2018).
The installation does not require the permission of the admin, and the process can be completed in the background without the knowledge of the user. Once the installation is done, it is not easily detectable by the utilities provided by the operating system.
CVE-2017-8514
The vulnerability is related to the intranetwork used for the internal device connections in the network. The intranetwork used in the architecture is the Microsoft SharePoint technology. The issue identified in this context is that the network is not strong enough to prevent unauthorized users from accessing data that is meant to be kept private and secure. Once hackers get access to the network, they can use the victim's identity and perform actions on behalf of the user, such as changing security settings and deleting content; it is even possible to steal important data like browser cookies and inject malicious code into the user's browser (Cve.mitre.org 2018).
CVE-2017-9450
The vulnerability is identified with the web and mail service provider Amazon Web Services, also known as AWS. The bootstrap tools package called CloudFormation permits users to execute arbitrary code with root access. It lets users create local files in a directory not specified in the system (Cve.mitre.org 2018).
Overview of risk level using Boston grid
Security issues | Impact
Protection of data | Medium
Interface attack | Low
SSH attack | Medium
Virtualization of hardware | Medium
Virtualization of software | High
Malicious code | High
Utility computing | Low
SLA | High

Identified risk | Risk level
 | Medium
Signature attack | Low
Credential attack | Medium
API attack | Medium
User credential attack | Medium
Publisher credential attack | High
ARP spoofing | High
MAC spoofing | Medium
Hack of computer system | Low
Script | High
Client attacks | Low
Hacking | High
References:
Alebrahim, A., Hatebur, D., Fassbender, S., Goeke, L. and Côté, I., 2015. A pattern-based and tool-supported risk analysis method compliant to ISO 27001 for cloud systems. International Journal of Secure Software Engineering (IJSSE), 6(1), pp.24-46.
Almorsy, M., Grundy, J. and Müller, I., 2016. An analysis of the cloud computing security problem. arXiv preprint arXiv:1609.01107.
eate organisational efficiencies: ISO 9001 and ISO 27001 audits. Total Quality Management & Business Excellence, 26(5-6), pp.690-702.
Jokar, P., Arianpoo, N. and Leung, V., 2016. A survey on security issues in smart grids. Security and Communication Networks, 9(3), pp.262-273.
Kurnianto, A., Isnanto, R. and Widodo, A.P., 2018. Assessment of Information Security Management System based on ISO/IEC 27001: 2013 On Subdirectorate of Data Center and Data Recovery Center in Ministry of Internal Affairs. In E3S Web of Conferences (Vol. 31, p. 11013). EDP Sciences.
Pulier, E., Martinez, F. and Hill, D.C., ServiceMesh Inc, 2015. System and method for a cloud computing abstraction layer. U.S. Patent 8,931,038.
Singh, S., Jeong, Y.S. and Park, J.H., 2016. A survey on cloud computing security: Issues, threats, and solutions. Journal of Network and Computer Applications, 75, pp.200-222.
Wang, Y., Wei, J. and Vangury, K., 2014, January. Bring your own device security issues and challenges. In Consumer Communications and Networking Conference (CCNC), 2014 IEEE 11th (pp. 80-85). IEEE.
My Assignment Help. (2020). Risk Assessment Of Cloud Architecture Using ISO 27001 Standards, Essay.. Retrieved from https://myassignmenthelp.com/free-samples/co4512-cloud-architecture-risk-assessment.