
Risk Assessment on Network of CONVXYZ

   

Added on  2023-04-24

1. Introduction
The study identifies security risks likely to affect the internal IT network of the conveyancing
and real estate firm CONVXYZ. CONVXYZ must prevent incidents such as malfunction, data theft, data
manipulation and deletion, including recent conveyancing scams like “Friday afternoon fraud”. Threats and
vulnerabilities for each of the assets are discussed by referring to the NVD for CVEs and definitions. The report
begins with asset specifications, then discusses threats to CONVXYZ with the Threat assessment
table and vulnerabilities for CONVXYZ with the Vulnerability assessment table, after which the calculations
are provided and observations are given in concluding notes.
1.1 Risk Management
Risk management is the most essential element of the different versions of the major
cyber security standards and their associated frameworks. Because of the sensitivity and nature of their business
activities, compliance with these frameworks is required for private as well as public sector
businesses that aim to provide services to the public sector.
1.2 Risk Standards
ISO 27005:2018 aims to assist in implementing satisfactory information security based on a risk
management approach. Compared with the easily understandable ISO 31000:2018 risk-management guidelines
for top-level executives or boards of directors, ISO 27005:2018 is long, dense and technically aimed
at Chief Information Security Officers (CISOs), with emphasis on systematic approaches to developing
and maintaining ISRM processes.
2. System parameters, table
SysNo# | Network Component | Platforms used | Number of Devices | Product Information | Vendor
SYS01 | Servers | Windows-Server-2012 | 5 | IBM AS/400 | IBM
SYS02 | Routers | RV 325 | 1 | Cisco Rv320 | Cisco
SYS03 | Firewall | ASA | 1 | Cisco ASA 5505 | Cisco
SYS04 | Switches | Version-SG300-52 | 2 | QFX5110 | Juniper networks
SYS05 | Computers | Windows 10(64-bit) | 20 | Lenovo Thinkstation P320 | Lenovo
SYS06 | Authentication server | OAuth_2.0 | 1 | IBM AS/400 | IBM
SYS07 | Customer Database server | Bitrix24 | 1 | IBM AS/400 | IBM
SYS08 | Mail server | ApacheHTTP Server | 1 | IBM AS/400 | IBM
SYS09 | Staff Database server | AdvancedHRM v1.6 | 1 | IBM AS/400 | IBM
SYS10 | Web server | Apache WebServer | 1 | IBM AS/400 | IBM
The table above lists the network components with their hardware and software
specifications in the corresponding columns. The applications chosen for the components were
selected specifically for CONVXYZ's business type.

3. Risk Assessment Process
Threats
Threat to Firewalls (ASA5505): Protocol attacks belong to the family of DDoS attacks that drain the load
balancer along with the resources of the firewall, preventing the processing of legitimate traffic (Šimon, Huraj and
Čerňanský 2015). CONVXYZ can suffer massively from this because, although firewalls provide security from almost
all DDoS attacks, they are ineffective against any protocol attack.
Threat to Routers (RV320): Routers are often targeted by VPNFilter (Rouveyrol, Raveneau and Cunche
2015). It cannot be erased by rebooting the system, causing disruption of operations over CONVXYZ’s
network as well as turning infected devices into bots.
Threat to Web Server: Phishing attacks redirect victims towards infected websites by making them click on
malicious links, using cookie tampering, parameter form tampering, non-validated inputs, buffer overflow
attacks and even SQL injection (Sarma 2017).
Threat to E-mail Server: In social engineering attacks like e-mail spoofing, attackers masquerade as
legitimate sources by carrying false sender information in the e-mails to hide their actual origin (Krombholz
et al. 2015). These attacks are similar to e-mail hacking scams involving the theft of property purchase
money, like the “Friday afternoon fraud”.
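The false sender information described above leaves traces in the message headers that the receiving side can check. The following is an added example, not part of the original report: it compares the From domain with Return-Path and Reply-To and reads the DMARC verdict stamped by the receiving server. The authserv-id mx.convxyz.example, all domains and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.convxyz.example"  # assumed id of CONVXYZ's own inbound MTA

# Constructed sample: payment-redirection mail with a forged sender.
SPOOFED = """\
Return-Path: <bounce@relay.example.net>
Authentication-Results: mx.convxyz.example; spf=pass smtp.mailfrom=relay.example.net; dkim=none; dmarc=fail header.from=solicitors.example
From: "Completions Team" <completions@solicitors.example>
Reply-To: completions@solicitors-example.net
Subject: Updated bank details for completion

Please pay the deposit into the new account today.
"""

# Constructed sample: aligned, authenticated mail from the same firm.
LEGIT = """\
Return-Path: <completions@solicitors.example>
Authentication-Results: mx.convxyz.example; spf=pass smtp.mailfrom=solicitors.example; dkim=pass header.d=solicitors.example; dmarc=pass header.from=solicitors.example
From: "Completions Team" <completions@solicitors.example>
Subject: Completion statement

Statement attached.
"""

def domain_of(header_value):
    """Domain part of the address in a header, lower-cased ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def spoofing_indicators(raw, authserv=TRUSTED_AUTHSERV):
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    findings = []
    for header, label in (("Return-Path", "return-path-mismatch"),
                          ("Reply-To", "reply-to-mismatch")):
        dom = domain_of(msg[header])
        if dom and dom != from_dom:
            findings.append(label)
    # Only trust verdicts stamped by our own MTA; a sender can forge this header.
    trusted = [h for h in msg.get_all("Authentication-Results", [])
               if h.split(";")[0].strip().lower() == authserv]
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", " ".join(trusted).lower()))
    if verdicts.get("dmarc") != "pass":
        findings.append("dmarc-not-pass")
    return findings
```

A Return-Path mismatch on its own is common for mail sent through third-party relays, so it is a weak signal; the DMARC verdict combined with a changed Reply-To is the stronger one.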
Threat to Database: Users and applications are granted database privileges exceeding the requirements of
their specific job functions, which can be used for malicious practices (Elshaafi, McGibney and Botvich 2017). For
CONVXYZ, a database administrator requiring read-only access to customer records can use ‘update’
privileges to manipulate the respective property information.
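The read-only versus ‘update’ scenario above can be enforced per role at the database layer. The following is an added example, not part of the original report: it uses SQLite's authorizer callback as a stand-in for the GRANT statements of a server DBMS, and the role names, table name and record are hypothetical.

```python
import sqlite3

# Hypothetical policy: role -> table -> actions the job function actually needs.
ROLE_POLICY = {
    "records_viewer": {"customer_records": {sqlite3.SQLITE_READ}},
    "conveyancer": {"customer_records": {sqlite3.SQLITE_READ, sqlite3.SQLITE_UPDATE}},
}

def make_db():
    """In-memory database with one constructed customer record."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer_records (id INTEGER PRIMARY KEY, property TEXT)")
    conn.execute("INSERT INTO customer_records VALUES (1, '12 Example Road')")
    conn.commit()
    return conn

def apply_role(conn, role):
    """Install an authorizer that allows only what ROLE_POLICY grants the role."""
    allowed = ROLE_POLICY[role]
    def authorizer(action, arg1, arg2, db_name, source):
        # SELECT statements and driver-issued BEGIN/COMMIT carry no table name.
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_TRANSACTION):
            return sqlite3.SQLITE_OK
        ok = action in allowed.get(arg1, ())  # arg1 is the table being touched
        return sqlite3.SQLITE_OK if ok else sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)

def try_update(conn, role, new_value):
    apply_role(conn, role)
    try:
        conn.execute("UPDATE customer_records SET property = ? WHERE id = 1", (new_value,))
        conn.commit()
        return "updated"
    except sqlite3.DatabaseError:  # SQLite reports "not authorized"
        return "denied"

def read_property(conn, role):
    apply_role(conn, role)
    return conn.execute("SELECT property FROM customer_records WHERE id = 1").fetchone()[0]
```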
Threat to Authentication Server: Bypass attacks are caused by the absence of access policies at the software level
or by ineffective authentication systems (Miu et al. 2013). Custom web code may enforce strict password policies
for businesses like CONVXYZ when performing authentication through user credentials, yet still allow blank
passwords, thereby creating serious loopholes.

Threat to Computers: Malware, or malicious software, can be viruses, Trojan horses, spyware and potentially
unwanted programs (Dahl 2013). Such threats require user input, such as opening unsolicited e-mails
or downloading malicious files.
Threat Assessment Table
AssetNo# | Primary-Asset/Supporting-Asset | Inside scope/outside scope | AssetData | Threat source | ThreatID | Attractiveness(H/M/L)
Cudat | Primary-Asset | Inside scope | Data of Customers | Hackers / Staff | THk / TSf | [H] / [L]
Stdat | Primary-Asset | Inside scope | Data of Staff | Hackers / Staff | THk / TSf | [M] / [L]
Lgdoc | Primary-Asset | Inside scope | Law specific data | Hackers / Staff | THk / TSf | [H] / [M]
Prpmt | Primary-Asset | Inside scope | Property-specific payment data | Hackers / Staff | THk / TSf |
Fbdat | Primary-Asset | Inside scope | Finance/Business based data | Hackers / Staff | THk / TSf | [H] / [M]
