Risk Assessment on Network of CONVXYZ


Added on  2023/04/24

AI Summary
This report identifies security risks likely to affect the internal IT network of the conveyance and real estate firm CONVXYZ. It begins with asset specifications, then discusses threats to CONVXYZ with the Threat assessment table and vulnerabilities for CONVXYZ with the Vulnerability assessment table, after which the calculations are provided and observations are given in concluding notes.

1. Introduction
The study involves identification of security risks likely to affect the internal IT network of the
conveyance and real estate firm CONVXYZ. CONVXYZ must prevent incidents like malfunction, data theft, data
manipulation and deletion, including recent conveyancing scams like “Friday afternoon fraud”. Threats and
vulnerabilities for each of the assets are discussed by referring to the NVD for CVEs and definitions. The
report begins with asset specifications and then discusses threats to CONVXYZ with the Threat assessment
table and vulnerabilities for CONVXYZ with the Vulnerability assessment table, after which the calculations
are provided and observations are given in concluding notes.
1.1 Risk Management
Risk management is a key requirement across the different versions of the important cyber security
standards and their associated frameworks. Because of the sensitivity and nature of business activities,
compliance with the different frameworks is required for private as well as public sector businesses that
aim to conduct services for the public sector.
1.2 Risk Standards
ISO 27005:2018 aims to assist in implementing satisfactory information security based on risk
management approaches. Compared to the easily understandable ISO 31000:2018 risk-management guidelines
for top-level executives or boards of directors, ISO 27005:2018 is long, dense and technically aimed
at Chief Information Security Officers (CISOs), with emphasis on systematic approaches to developing
and maintaining ISRM processes.
2. System parameters, table
| SysNo# | Network Component | Platforms used | Number of Devices | Product Information | Vendor |
|---|---|---|---|---|---|
| SYS01 | Servers | Windows-Server-2012 | 5 | IBM AS/400 | IBM |
| SYS02 | Routers | RV 325 | 1 | Cisco Rv320 | Cisco |
| SYS03 | Firewall | ASA | 1 | Cisco ASA 5505 | Cisco |
| SYS04 | Switches | Version-SG300-52 | 2 | QFX5110 | Juniper networks |
| SYS05 | Computers | Windows 10(64-bit) | 20 | Lenovo Thinkstation P320 | Lenovo |
| SYS06 | Authentication server | OAuth_2.0 | 1 | IBM AS/400 | IBM |
| SYS07 | Customer Database server | Bitrix24 | 1 | IBM AS/400 | IBM |
| SYS08 | Mail server | ApacheHTTP Server | 1 | IBM AS/400 | IBM |
| SYS09 | Staff Database server | AdvancedHRM v1.6 | 1 | IBM AS/400 | IBM |
| SYS10 | Web server | Apache WebServer | 1 | IBM AS/400 | IBM |

In the above table the different network components are listed along with hardware and software
specifications mentioned in the corresponding column. The applications chosen for the components are
specially considered for CONVXYZ business type.
3. Risk Assessment Process
Threats
Threat to Firewalls (ASA5505): Protocol attacks belong to the family of DDoS attacks that drain the load
balancer along with the resources of the firewall, preventing the processing of legitimate traffic (Šimon,
Huraj and Čerňanský 2015). CONVXYZ can suffer massively from this because, although firewalls provide
security from almost all DDoS attacks, they are ineffective against any protocol attack.
Threat to Routers (RV320): Routers are often targeted by VPNFilter (Rouveyrol, Raveneau and Cunche
2015). This cannot be erased by rebooting the system, causing disruption of operations over CONVXYZ’s
network as well as turning infected devices into bots.
Threat to Web Server: Phishing attacks redirect victims towards infected websites by making them click on
malicious links, using cookie tampering, parameter form tampering, non-validated inputs, buffer overflow
attacks and even SQL injection (Sarma 2017).
Threat to E-mail Server: In social engineering attacks like e-mail spoofing, attackers masquerade as
legitimate sources by carrying false sender information in the e-mails to hide their actual origin (Krombholz
et al. 2015). These attacks are similar to e-mail hacking scams dealing with theft of property purchasing cash
like the “Friday afternoon fraud”.
Threat to Database: Users and applications are granted database privileges exceeding the requirements of
their specific job functions, which can be used for malicious practices (Elshaafi, McGibney and Botvich 2017).
For CONVXYZ, a database administrator requiring read-only access to customer records can use ‘update’
privileges to manipulate the respective property information.
Threat to Authentication Server: Bypass attacks are caused by the absence of access policies at the software
level or by ineffective authentication systems (Miu et al. 2013). Custom web code may enforce strict password
policies for businesses like CONVXYZ when authenticating user credentials but might still allow blank
passwords, thereby creating serious loopholes.
Threat to Computers: Malware or malicious software can be viruses, Trojan horses, spyware and potentially
unwanted programs (Dahl 2013). Such threats require user input, such as opening unsolicited e-mails or
downloading malicious files.
Threat Assessment Table
| AssetNo# | Primary-Asset/Supporting-Asset | Inside scope/outside scope | AssetData | Threat source | ThreatID | Attractiveness (H/M/L) |
|---|---|---|---|---|---|---|
| Cudat | Primary-Asset | Inside scope | Data of Customers | Hackers | THk | [H] |
| | | | | Staff | TSf | [L] |
| Stdat | Primary-Asset | Inside scope | Data of Staff | Hackers | THk | [M] |
| | | | | Staff | TSf | [L] |
| Lgdoc | Primary-Asset | Inside scope | Law specific data | Hackers | THk | [H] |
| | | | | Staff | TSf | [M] |
| Prpmt | Primary-Asset | Inside scope | Property-specific payment data | Hackers | THk | |
| | | | | Staff | TSf | |
| Fbdat | Primary-Asset | Inside scope | Finance/Business based data | Hackers | THk | [H] |
| | | | | Staff | TSf | [M] |
| Db | Supporting-Asset | Inside scope | Database-server | Hackers | THk | [H] |
| | | | | Staff | TSf | [M] |
| Ws | Supporting-Asset | Inside scope | WebServer | Hackers | THk | [M] |
| | | | | Staff | TSf | [L] |
| FWD | Supporting-Asset | Inside scope | Firewall Hardware | Hackers | THk | [H] |
| | | | | Staff | TSf | [L] |
| BeC | Supporting-Asset | Inside scope | Back-end-computers | Hackers | THk | [M] |
| | | | | Staff | TSf | [L] |
| FeC | Supporting-Asset | Inside scope | Front-end-computers | Hackers | THk | [M] |
| | | | | Staff | TSf | [L] |
| Ro | Supporting-Asset | Inside scope | Routers | Hackers | THk | [H] |
| | | | | Staff | TSf | [M] |
| GC | Supporting-Asset | Outside scope | Guest-Computers | Hackers | THk | |
| | | | | Staff | TSf | |

The above table specifies the assets with their respective IDs and mentions the attractiveness level
with respect to the source of threats. It also mentions the scope of the threats for primary as well as
secondary assets.
Vulnerabilities
Vulnerability for Firewalls (ASA5505): CVE-2018-0101 for Cisco Adaptive Security Appliance (ASA) allows
remote attackers to read and run random files through unknown vectors like bugs, as well as to deny
services (Andreeva et al. 2016). Firewall services built around the Cisco ASA framework are commonly used by
CONVXYZ and similar sized companies, demanding mandatory action to address the loophole.
Vulnerability for Routers (RV325): The vulnerability CVE-2019-1653 exists in the web-based interfaces of
Cisco RV325 Dual Gigabit WAN VPN routers with firmware releases 1.4.2.17, allowing unauthenticated remote
attackers to retrieve confidential information. These routers are commonly used by businesses like
CONVXYZ.
Vulnerability for Web (Apache): CVE-2019-0190 is the vulnerability for the Apache web server where the use of
mod_ssl lets attackers handle client renegotiations; custom requests are transferred that make mod_ssl
loop indefinitely, resulting in denial of service (Jerca 2014). This exploit can only be triggered in
Apache-HTTP-Server if it is operated along with OpenSSL. CONVXYZ can suffer severe inconveniences from the
vulnerability.
Vulnerability for Email Servers (Apache-HTTP-Server): The vulnerability CVE-2018-6789, for email servers, in the
base64d function in the SMTP listener in mail transfer agents before 4.90.1 results in a buffer overflow through
the sending of customized messages and in remote running of arbitrary programs (Breyha et al. 2014). As the
operating systems are widely used among small sized businesses such as CONVXYZ, this vulnerability poses a
considerable threat.
Vulnerability for Databases: CVE-2018-1834 refers to the vulnerability in IBM DB2 on most operating systems
except Mac operating systems that allows local users to escalate their privileges to root using symbolic link
attacks. This makes the stored data of CONVXYZ insecure, including lawyer-specific data that are securely
transferred through the VPN.
Vulnerability for Authentication Servers (OAuth): In vulnerability CVE-2018-16875 regarding Golang TLS
authentication, user input is formulated by attackers in such a way that the verification algorithm in the
crypto x509 repository for Go eats up every CPU resource while validating the vast series of TLS instructions
assigned by attackers (Mshangi, Nfuka and Sanga 2015). Since the authentication technique is very popular and
most surely in use by CONVXYZ servers, the loophole must be addressed.
Vulnerability for Computers: The Windows vulnerability CVE-2019-0555 involves elevation of privileges of
the attacker (Kulenovic and Donko 2014). The vulnerability can jeopardise CONVXYZ operations as the
exploit leads to considerable information disclosure along with system file tampering.
Vulnerability Assessment Table:
| AssetNo# | Primary-Asset/Supporting-Asset | Inside scope/outside scope | AssetData | Vul_ID | CVE_Num | Vul_Lvl |
|---|---|---|---|---|---|---|
| Cudat | Primary-Asset | Inside scope | Data of Customers | ---- | ---- | ---- |
| Stdat | Primary-Asset | Inside scope | Data of Staff | ---- | ---- | ---- |
| Lgdoc | Primary-Asset | Inside scope | Law specific data | ---- | | |
| Prpmt | Primary-Asset | Inside scope | Property-specific payment data | ---- | | |
| FBdat | Primary-Asset | Inside scope | Finance/Business based data | | | |
| Db & Cudat | | Inside scope | Database-with-customer-data | Vd1 | (CVE-2018-1834) | [H] |
| Db & Stdat | | Inside scope | Database-with-staff-data | Vd2 | (CVE-2018-18382) | [M] |
| Db & lgdat | | Inside scope | Database-with-legal-data | Vd3 | (CVE-2018-6861) | [M] |
| Ws | Supporting-Asset | Inside scope | Web-server | Web | (CVE-2018-6796) | [L] |
| FWD | Supporting-Asset | Inside scope | Firewall-device | | (CVE-2018-0101) | [M] |
| BeC | Supporting-Asset | Inside scope | Back-end-Computers | | (CVE-2019-0555) | [M] [L] |
| FeC | Supporting-Asset | Inside scope | Front-end-Computers | | (CVE-2019-0555) | [M] [L] |
| Ro | Supporting-Asset | Inside scope | Routers | | (CVE-2019-1653) | [H] |
| GC | Supporting-Asset | Outside scope | Guest-Computers | | (CVE-2019-0555) | |

The above table specifies the assets with their respective IDs and mentions the vulnerability levels
with respect to the assets and vulnerabilities identified. It also mentions the scope of the vulnerability
for primary as well as secondary assets.
i. Likelihood
Case 1: Db & Cudat Thk
RISK = LIKELIHOOD x IMPACT
LIKELIHOOD = Threat (attractiveness) * Vulnerability
Likelihood of Db & Cudat Thk= Threat attractiveness (H) * Vulnerability level (H)
= High * High = High
Case 2: Db & Cudat Tsf
Likelihood of Db & Cudat Tsf = Threat attractiveness (L) * Vulnerability level (H)
= Low * High = Medium
ii. Impact
Case 1: Db & Cudat Thk
Impact is High (H) since hackers can successfully attack the Databases and access the Customer information
along with legal information related to the associated properties.
Risk = Likelihood (High) * Impact (High) = High * High = High
Case 2: Db & Cudat Tsf
Impact is High (H) since attacks from staff computers can easily compromise databases and access the
Customer information along with legal information related to the associated properties.
Risk = Likelihood (Medium) * Impact (High) = Medium * High = Medium
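The likelihood and risk calculation worked above, as an added example that is not part of the original report: it joins H/M/L ratings copied from the Threat and Vulnerability assessment tables and scores every rated asset. The ordinal scores, the banding of the product, and the pairing of each "Db & ..." row with a data-asset row are assumptions chosen to reproduce the report's two worked cases.

```python
# Added example: ordinal risk scoring over ratings copied from the report's tables.
SCORE = {"L": 1, "M": 2, "H": 3}


def combine(a, b):
    """Multiply two H/M/L ratings; return None if either rating is missing.

    Assumed banding of the product: 1-2 -> L, 3-6 -> M, 9 -> H. This yields
    H*H=H, L*H=M and M*H=M, the three results the report states.
    """
    if a is None or b is None:
        return None
    product = SCORE[a] * SCORE[b]
    return "H" if product >= 9 else "M" if product >= 3 else "L"


# Threat attractiveness per threat-table row and ThreatID.
# None marks a cell the Threat Assessment Table leaves blank.
ATTRACTIVENESS = {
    "Cudat": {"THk": "H", "TSf": "L"},
    "Stdat": {"THk": "M", "TSf": "L"},
    "Lgdoc": {"THk": "H", "TSf": "M"},
    "Ws": {"THk": "M", "TSf": "L"},
    "FWD": {"THk": "H", "TSf": "L"},
    "Ro": {"THk": "H", "TSf": "M"},
    "GC": {"THk": None, "TSf": None},
}

# Vulnerability-table row -> (threat-table row to use, Vul_Lvl).
# Pairing "Db & X" with data asset X follows the report's Case 1 (assumption).
VULNERABILITY = {
    "Db & Cudat": ("Cudat", "H"),
    "Db & Stdat": ("Stdat", "M"),
    "Db & lgdat": ("Lgdoc", "M"),
    "Ws": ("Ws", "L"),
    "FWD": ("FWD", "M"),
    "Ro": ("Ro", "H"),
    "GC": ("GC", None),
}


def likelihood(asset, threat_id):
    """LIKELIHOOD = threat attractiveness * vulnerability level."""
    threat_row, vuln_level = VULNERABILITY[asset]
    return combine(ATTRACTIVENESS[threat_row][threat_id], vuln_level)


def risk(asset, threat_id, impact):
    """RISK = LIKELIHOOD * IMPACT."""
    return combine(likelihood(asset, threat_id), impact)


def register(impacts):
    """Rows of (asset, threat, likelihood, risk), highest likelihood first.

    Rows with a missing rating sort last; risk is None without an impact.
    """
    rows = [(a, t, likelihood(a, t), risk(a, t, impacts.get(a)))
            for a in VULNERABILITY for t in ("THk", "TSf")]
    rows.sort(key=lambda r: -SCORE.get(r[2], 0))
    return rows


if __name__ == "__main__":
    for row in register({"Db & Cudat": "H"}):  # impact H as stated in the report
        print(*row)
```

Assets whose attractiveness or vulnerability cell is blank in the tables (for example GC) come out unrated rather than silently scored.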
Impact Table Specifications
| Risk | Description | Impact |
|---|---|---|
| DDoS Attack | Targets the Firewall. | High |
| Botnet Attack | Targets and hijacks network routers. | Severe |
| Phishing | Gathers sensitive user information by techniques like cookie tampering. | Medium |
| Social Engineering | Gathers sensitive user data by baiting users into opening malicious content. | Medium |
| Excess Privileges | Misuse of database privileges to serve personal interests. | High |
| Bypass Attack | Hacking systems by exploiting loopholes in the user verification process. | Severe |
| Malwares | Malicious applications that infect systems and cause damage. | High |
| CVE-2018-0101 | A firewall exploit which drains security resources leading to denial of service. | High |
| CVE-2019-1653 | Gains control and steals router configuration and diagnostic data. | High |
| CVE-2019-0190 | Sends the mod_ssl handler into a loop leading to denial of service. | Medium |
| CVE-2018-6789 | Used for remotely executing arbitrary code of malicious intent. | High |
| CVE-2018-1834 | Allows local users to escalate privileges to root through a symbolic link attack. | Severe |
| CVE-2018-16875 | Hogs CPU resources leading to DoS. | High |
| CVE-2019-0555 | Data theft, file tampering and performance loss. | Medium |

The above table describes the possible threats and vulnerabilities for the assets and mentions the
impact these risks can have on these assets.
[Figure 1: BCG matrix for risk identification. Axis: Likely to occur]
Among the most likely risks, Malware, social engineering and CVE-2018-6789 are the cash cows.
These risks pose major concerns for the staff computers used by employees of CONVXYZ.
[Figure 3: Identification of Risks for CONVXYZ. Axis: Ease of Identification]
Among the most identifiable risks, malwares and the vulnerability CVE-2018-1834 are the cash cows
out of which CVE-2018-1834 is the most alarming vulnerability for CONVXYZ.
4. Executive Summary
The objective of the report is to list the different components of the network of CONVXYZ and identify
the specifications, threats and vulnerabilities. These threats and vulnerabilities are discussed and then
plotted in two BCG matrices according to the metrics, likelihood and identification. After summarizing these
security risks to form impact table specification, the study ends with concluding notes.
Key findings are identified as the following – security risks like vulnerabilities and threats are present in
all assets in the network. The risks listed above are identified on the basis of the software/firmware or
platforms used by the network components of CONVXYZ.
The suggested risk treatment methods are installing firewall definition updates and antivirus
packages for stopping DDoS threats. The OS and subsidiary programs must be periodically patched and
hotfixes installed to address various loopholes. To avoid phishing attacks, awareness and intuition
towards identifying malicious links need to be developed in all organizational members. Prevention of social
engineering attacks can be ensured by making CONVXYZ members communicate through a common
corporate mailing agent with rules and policies configured in the ASA firewall. The company members
should also be trained against opening unsolicited mails. Antimalware applications can alleviate threats
to CONVXYZ computers. Database threats are addressable by applying query-based access controls, thus
reducing user privileges to what is required for their particular roles.
Conclusion
In conclusion, this report sums up the specifications of the CONVXYZ network and proceeds to summarize
the cyber threats to assets as well as the asset vulnerabilities that are applicable to the given network. For
each asset, one IS risk in the form of a threat and one in the form of a vulnerability are discussed. The
information security risks are also shown in BCG matrices to highlight their likelihood of occurrence and ease
of identification. All these security risks are again summarized to form the impact table specification. The
study observes that malware and social engineering attacks are the leading cash cows while threats and exploits
pertaining to web servers appear to be the rapidly growing security risks.
References
Andreeva, O., Gordeychik, S., Gritsai, G., Kochetova, O., Potseluevskaya, E., Sidorov, S.I. and Timorin, A.A.,
2016. Industrial control systems vulnerabilities statistics. Kaspersky Lab, Report.
Bornea, M.A., Dolby, J., Kementsietsidis, A., Srinivas, K., Dantressangle, P., Udrea, O. and Bhattacharjee, B.,
2013, June. Building an efficient RDF store over a relational database. In Proceedings of the 2013 ACM
SIGMOD International Conference on Management of Data (pp. 121-132). ACM.
Breyha, W., Durvaux, D., Dussa, T., Kaplan, L.A., Mendel, F., Mock, C., Koschuch, M., Kriegisch, A., Pöschl, U.,
Sabet, R. and San, B., 2014. Applied crypto hardening.
Chung, C.J., Khatkar, P., Xing, T., Lee, J. and Huang, D., 2013. NICE: Network intrusion detection and
countermeasure selection in virtual network systems. IEEE transactions on dependable and secure
computing, 10(4), pp.198-211.
Dahl, G.E., Stokes, J.W., Deng, L. and Yu, D., 2013, May. Large-scale malware classification using random
projections and neural networks. In 2013 IEEE International Conference on Acoustics, Speech and Signal
Processing (pp. 3422-3426). IEEE.
Devin, H. and Jackie, F., 2014. Website Redesign Project: Creating Intuitive Content Managment.
Elshaafi, H., McGibney, J. and Botvich, D., 2017. Attack surface-based security metric framework for service
selection and composition. IJAACS, 10(1), pp.88-113.
Jerca, A.S., 2014. OpenSSL vulnerabilities: the Heartbleed Bug and Cupid. Journal of Mobile, Embedded and
Distributed Systems, 6(3), pp.122-128.
Krombholz, K., Hobel, H., Huber, M. and Weippl, E., 2015. Advanced social engineering attacks. Journal of
Information Security and applications, 22, pp.113-122.
Kulenovic, M. and Donko, D., 2014, May. A survey of static code analysis methods for security vulnerabilities
detection. In 2014 37th International Convention on Information and Communication Technology, Electronics
and Microelectronics (MIPRO) (pp. 1381-1386). IEEE.
Miu, T.T., Hui, A.K., Lee, W.L., Luo, D.X., Chung, A.K. and Wong, J.W., 2013. Universal DDoS mitigation
bypass. Black Hat USA.
Mshangi, M., Nfuka, E.N. and Sanga, C., 2015. Using soft systems methodology and activity theory to exploit
security of web applications against heartbleed vulnerability.
Nabi, Z., 2014. A $35 Firewall for the Developing World. arXiv preprint arXiv:1405.2517.
Rouveyrol, P., Raveneau, P. and Cunche, M., 2015, June. Large scale Wi-Fi tracking using a botnet of wireless
routers. In SAT 2015-Workshop on Surveillance & Technology.
Sarma, S., 2017. A Study on Common Web Based Hacking and Preventive Measure.
Šimon, M., Huraj, L. and Čerňanský, M., 2015. Performance evaluations of IPTables firewall solutions under
DDoS attacks. Journal of Applied Mathematics, Statistics and Informatics, 11(2), pp.35-45.