Introduction
Organisations face new threat scenarios every day. This report provides a threat profile for one of the most recent security threats and vulnerabilities facing organisations. The report also gives a detailed description of the vulnerability, how it is attacked and how it is prevented.
A threat is anything that has the capability or intention to interrupt the operation, functioning or reliability of an information system or application (John, 2001, pg 25). The term vulnerability refers to a flaw in a system or application that can let an attacker infringe the integrity of that system or application (Vacca, 2013, pg 201). Vulnerabilities include software bugs, viruses or malware, and script code injection. A threat profile describes the threats and vulnerabilities that are likely to affect an organisation's information assets and how they may try to harm, change, distort or in some way prevent services, information and other components within the organisation from being rightfully used or retrieved. For the purpose of this report the following parameters were used to create the threat profile: threat name, description, threat agent, attack vector, attacked system, threat risk rating and, finally, existing risk mitigation controls.
Threat name: OpenSSL Heartbleed vulnerability (CVE-2014-0160)

Threat description:
A severe vulnerability in the OpenSSL cryptographic software library. It allows an attacker to read the private memory of an application in chunks of up to 64K at a time, which may include secret keys, usernames and passwords.

Threat agent:
Non-human

Attack vector:
Transport Layer Security (TLS) protocol running over TCP/IP

Asset(s) at risk:
Wired and wireless communications using OpenSSL versions 1.0.1 through 1.0.1f

Threat / risk rating:
Severe

Exploitation of this vulnerability can lead to:
- Loss of confidential, sensitive or classified data and information to unauthorised persons.
- Loss of data integrity through data corruption or destruction of information.
- Severe legal action, unintended expenses, financial losses or damage to an organisation's reputation.

Existing risk mitigation controls:
- Use the latest OpenSSL versions.
- Patching.
- Build OpenSSL with the OPENSSL_NO_HEARTBEATS flag so that Heartbeat support is compiled out (Ivan, 2014, pg 164).
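To show why the profile's "64K at a time" figure holds and what the patch changed, here is an added C simulation; it is not part of this report and is not OpenSSL's own code. A simplified heartbeat handler is run against a constructed memory block holding a made-up secret, once with the sender-supplied length trusted (the pre-1.0.1g behaviour) and once with the bounds check that the fix introduced; the 16-bit payload length field is what caps each over-read at 64 KiB.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed "process memory": the inbound heartbeat record sits at offset 0
 * and a made-up secret the application also holds in memory follows it. */
#define MEM_SIZE 4096
#define SECRET_OFF 128
static uint8_t process_mem[MEM_SIZE];
static const char SECRET[] = "PRIVATE-KEY-MATERIAL";
/* RFC 6520 record: 1-byte type, 2-byte payload length (at most 65535, the
 * "64K" in the profile), payload bytes, then at least 16 bytes of padding. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };
/* Simplified handler, not OpenSSL's code. rec points into process_mem and
 * rec_len is the true size of the record received. Returns the response length
 * or -1. check_bounds == 0 mirrors the pre-1.0.1g logic that trusted the
 * sender's length field; check_bounds == 1 applies the fix shipped in 1.0.1g. */
int process_heartbeat(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap, int check_bounds)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* The fix: header + claimed payload + padding must fit in what arrived. */
    if (check_bounds && 1 + 2 + payload + HB_PADDING > rec_len)
        return -1;
    size_t resp_len = 3 + payload + HB_PADDING;
    if (resp_len > out_cap || (size_t)(rec - process_mem) + 3 + payload > MEM_SIZE)
        return -1; /* keeps the simulation inside the constructed block */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    /* Without the check this copies past the real payload and echoes back
     * whatever sits after the record in memory. */
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}
/* Scenario: 3 real payload bytes but a declared length of 1024. Returns 1 if
 * the secret appears in the response, 0 if it does not or the request is rejected. */
int secret_leaks(int check_bounds)
{
    uint8_t out[2048];
    uint8_t req[3 + 3 + HB_PADDING] = { HB_REQUEST, 0x04, 0x00, 'a', 'b', 'c' };
    memset(process_mem, 0, sizeof process_mem);
    memcpy(process_mem + SECRET_OFF, SECRET, sizeof SECRET);
    memcpy(process_mem, req, sizeof req);
    int n = process_heartbeat(process_mem, sizeof req, out, sizeof out, check_bounds);
    for (size_t i = 0; n > 0 && i + strlen(SECRET) <= (size_t)n; i++)
        if (memcmp(out + i, SECRET, strlen(SECRET)) == 0)
            return 1;
    return 0;
}
```

A well-formed request whose declared length matches its real payload is answered in both modes; only the oversized claim is refused once the check is in place.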
Conclusion
Preparing a threat profile allows an organisation's risk and incident management team to be prepared for handling the threats that might face the organisation. The threat profile describes how the threat occurs, which system it attacks, the attack vector and how to mitigate the attack. This detailed information enables the incident management team to put safeguards into action and moderate the risk of anticipated attacks before they happen.
References
Ivan R. (2014). Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications. Feisty Duck Limited: London
John E. C. (2001). Fundamentals of Network Security. Artech House
US-CERT (2014). Alert (TA14-098A): OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160). Retrieved August 03, 2017 from https://www.us-cert.gov/ncas/alerts/TA14-098A
Vacca J. R. (2013). Managing Information Security, Second Edition. Elsevier Inc: USA