Cybersecurity Risk Management Report: CSE5CRM Analysis

Verified

Added on 2022/12/26

AI Summary

This report provides a comprehensive analysis of the British Airways data breach, examining the mechanisms of the breach, the risk management program control objectives, and potential mitigation strategies. The report begins with an introduction that outlines the incident, where hackers stole customer data including personal and payment information. It then delves into the technical aspects of the breach, including the use of JavaScript and digital card skimmers and identifying Magecart as a likely threat actor. The report also discusses the risk management program control objectives, including the importance of risk assessment, frameworks, and the various steps involved in creating an effective risk management program. It concludes with a discussion of strategies to mitigate actual threats, such as preparing for incidents, increasing visibility, securing attack vectors, and fixing vulnerabilities. The report emphasizes the importance of proactive cybersecurity measures to protect against data breaches and ensure data security.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

Running head: CSE5CRM CYBERSECURITY RISK MANAGEMENT
Cse5crm Cybersecurity Risk Management
Name of the Student
Name of the University
Author Note:

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

1CSE5CRM CYBERSECURITY RISK MANAGEMENT
Table of Contents
Introduction......................................................................................................................................2
Mechanism of Breach..................................................................................................................2
Risk Management Programme Control Objective.......................................................................4
Mitigation of Actual Threat.........................................................................................................6
Conclusion.......................................................................................................................................7
References........................................................................................................................................8

2CSE5CRM CYBERSECURITY RISK MANAGEMENT
Introduction
On 6th Sep, British Airways have encountered a breach that ultimately resulted in breach
of data of customers. British Airways announced that around 380,000 customers are affected and
information like personal and payment information were stolen (Ganin et al., 2017). Hackers
were unable to steal the information with respect to passport. On the Official website, British
Airways has placed an article which explains all the required details of the incident. The
technical details mainly comprise of information like payment which is made through the
website was affected. Apart from this, the payment made through mobile application was also
affected (Meszaros & Buchalcevova, 2017). In the between the time period 21 August and 5th
September, the payments made to British Airways were affected. The report highlighted the fact
that information was stolen from the website of British Airways and mobile application. There
was nothing clearly mentioned about database and server which indicated the indicated the
affected breach in comparison to information of payment which is provided on website.
In the coming pages of the report an idea has been provided with respect to mechanism of
breach at British Airways. After that, an overview has been given with respect to risk
management programme control objectives. A list of methods has been discussed in details
which is needed for avoiding the security breach. The main focus of cyber risk assessment is all
about informing stakeholders and decision maker along with providing proper risk response.
Mechanism of Breach
Around 380,000 data of customer have highlighted the data breach by British Airways
prior to this year (Randall & Kroll, 2016). This particular attack resulted in theft of data of
customer which is inclusive of both financial and personal data. This particular data breach is
highly targeted as it makes use of JavaScript and digital card for skimmers which is loaded from

3CSE5CRM CYBERSECURITY RISK MANAGEMENT
web server. It is expected that Mega cart which is a malicious threat actor is main reason for this
data breach at British Airways. This has mainly impacted a large number of victims which is
known to be part of massive credit card skimming that is inclusive of Newegg breaches
(Radziwill & Benton, 2017). From the year 2015, it is expected that Megarcart comes up with
modification or even injection PII or credit card logging JavaScript. The complete payment is
done on web pages of different organization which is needed for stealing the data of credit card
user and PII customers.
Fig 1: Data Breach of British Airways
(Source: Airways, 2019)
Depending on the present available details, all the data of third party compromised for
supply chain services or even direct compromising. This particular aspect will help in
understanding the target webserver which is known to be initial vector (Hubbard & Seiersen,
2016). In the data breach case of British Airways, the organization tend to have been
compromised in direct way. The main focus of hacker in this attack is to modify one of the files
of JavaScript (Modernizr JavaScript library, version 2.6.2) that is inclusive of credit card and PII

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

4CSE5CRM CYBERSECURITY RISK MANAGEMENT
for logging script. In this attack, the hacker collected the payment information and send to the
server which is completely controlled by hacker, on “baways[.]com”. It is coming up with SSL
certificate which is completely issued by the certificate authority. The Mobile application of this
airway loads webpages that is completely built on the same CSS and JavaScript parts that are
major part of the website that comprises of malicious script completed installed by Mega cart. In
this way the payment made through mobile application of British Airways were also affected.
From the available data, the major reason for Data Breach at British Airways is due to
progression of Magecart which Grable up the supply chain attack. The beginning reconnaissance
is mainly done by making use of a suitable tool leveraging (Allodi & Massacci, 2017). In this
case study, the modernizr library composed of data which is a part of PII that has grabbed the
initial vector where infiltration vector was used. Depending on available details, the biggest
progression which is leverage by attacker is all about customizing the malicious PHP log payload
for the beginning infiltration into a CND instance which is used British Airways.
Fig 2: British Airways

5CSE5CRM CYBERSECURITY RISK MANAGEMENT
(Source: Khidzir et al., 2016)
Depending on the present attack vector which is leverage Magecart malicious threat
actor, there are mainly three areas of monitoring which is needed for increasing the overall
chance of detection. The areas that need to be revised are Web Server Content, Endpoints log
and HTTP proxy logs (Busby, Green & Hutchison, 2017). The first point that needs to be taken
is all about identifying any kind of supply chain attack. Any kind of attempt of malicious threat
actor needs to be installed on JavaScript on the given server. Apart from this, there are many
other areas that is needed to be identified for working within the user.
Risk Management Programme Control Objective
Risk Management and internal control can help the organisation like British Airways to
understand the risk the exposed to. It is mainly done so that they can put proper controls for
counter the threats and effectively pursuing the objectives (Barrett, 2018). It is considered to be a
vital parameter which is needed for governance, operation and management. There are many
professional accountants which can play a key role that will help organization in achieving their
objectives. This particular aspect can create an approach which is needed for risk management
and internal control (Basto-Fernandes et al., 2017). This particular aspect will help in creating
and protecting the stakeholder value at British Airways.
ISRM stands for Information Security Risk Management can be stated as a method which
is needed for proper management of risk which is associated with the use of information security.
Organization like British Airways mainly focus on identifying and analysing the risk with
respect to confidentiality, availability and integrity of need of information (Teixeira et al., 2015).
This particular process mainly comprises of two aspects that risk assessment and treatment of
risk. At present, there are large number of frameworks which will help British Airways in

6CSE5CRM CYBERSECURITY RISK MANAGEMENT
creating ISRM strategy. There are large number of Cybersecurity framework that needs to be
taken into consideration like
Identification: Activities in this group focus on development of proper understanding
with respect to cybersecurity risk with respect to people, data and overall capabilities (Shetty et
al., 2018). In the present business context, all the risk associated with British Airways will help
the organization understanding the present threat along with giving priority to the security
efforts. In the given stage, the activities mainly comprise of asset management and governance.
Protecting: British Airways need to implement proper safeguards which is needed for
safeguarding and providing proper security controls that is needed for protecting the vital data
against any cyber-attack.
Detection: British Airways need to quickly spot certain number of events that can bring
huge amount of risk to the present data security (Roldán-Molina et al., 2017). On a usual note,
British Airways need to be completely depended on certain number of monitoring techniques
and incident detection techniques.
Responding: British Airways need to proper action which is needed for detecting any
kind of cyber-security based incidents (Nurse, Creese & De Roure, 2017). British Airways can
easily make use of huge number of techniques like overall impact of incident.
Recovering: British Airways need to come develop and implement activities which is
needed for restoring the services that has been impacted by the security incident (Mills, 2017).
This particular group of activities mainly comprises of normal operation that is needed for
minimizing the overall impact of the incident.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

7CSE5CRM CYBERSECURITY RISK MANAGEMENT
Fig 3: Customer Data Theft at British Airways
(Source: Randall & Kroll, 2016)
ISRM can be stated as an ongoing method that is needed for accessing and responding to
any kind of security risk. For effective management of risk, British Airways need to make an
evaluation of the likelihood of data breach (Radziwill & Benton, 2017). It can ultimately create
huge amount of risk to the present environment and overall impact of each of the given risk. As
per the various ISRM programs to be completely effective in nature, mere focus is on the
comprehensive programs. It is all about simplification of complete security risk management
method by dividing it into required steps (Hubbard & Seiersen, 2016). ISRM method are
considered to be very much manageable which is needed for overcoming some of the major
issues. It mainly comprises of five steps which is needed for building an effective risk
management program like
Awareness of Business: British Airways need to have an idea with respect to the present
condition like consideration of budget and overall complexity of the business process

8CSE5CRM CYBERSECURITY RISK MANAGEMENT
Definition of the program: British Airways need to completely define the present ISRM
program that needs to be implemented in this organization.
Development of Program: In this step, British Airways need to have an idea with respect
to the functional capabilities and control with respect to IT security and risk management (Allodi
& Massacci, 2017). The governance model is all about defining the people that are responsible
for each of the ISRM strategy.
Benchmarking and Metrics: In the final stage, British Airways need to completely
defining the present metrics which is needed for understanding the overall effectiveness of ISRM
strategy.
Implementation and Operation: British Airways need to go through all the required
above stages along with repeating them on regular basis (Khidzir et al., 2016). It is very much
mandatory for organization like British Airways to come up with a policy needed for describing
the various stages of ISRM.
Mitigation of Actual Threat
British Airways need to understand overall benefits of cybersecurity strategy. The
organization need to follow a list of steps like
Getting ready for Incident: Cybersecurity Incident can easily take place on any given
time or it have the potential to take place. British Airways need to take up fundamental step for
any kind of incident response (Busby, Green & Hutchison, 2017). British Airways need to sit
down with team so that they can review the communication plan.
Increasing the visibility and Looking for blind spot: British Airways need to have an
inventory of system and proper understanding of data. The organization need to have a picture

9CSE5CRM CYBERSECURITY RISK MANAGEMENT
which the environment is inclusive of (Barrett, 2018). Much of the attention is paid to the areas
which lack visibility.
Suring up most of the vector attack: The most general view is all about having an idea
with respect to data breach and reports of incident that highlighted the attack at much higher rate.
British Airways is generally attacked by making use of email that is phishing attempt.
Finding and fixing vulnerabilities: The most vital aspect is all about having an idea with
respect to having idea with respect to updates and patches which is needed by British Airways
(Basto-Fernandes et al., 2017). Any outdated application, security program and policy can be
considered to be a hole. Any kind of hole in website of British Airways can result in bringing
threats, reducing overall safety, efficiency that can result in huge number of issues.
Conclusion
The above pages help us in concluding the fact that this report is all about cyber risk
management. For this particular report, the case study of data breach at British Airways has been
taken into account. A proper review has been done with respect to the fact that how the breach
has taken place. The need of risk management programme for analysing the control objectives
has been discussed in details. On 6 Sep, British Airways have announced the fact that both
their personal and payment details of around ten thousand of customer were stolen at the time of
data breach. British Airways has revealed the fact around 382,000 transactions were done in
between 21st August and 5 September. After the data breach, British Airways have revealed the
fact that their services are working on normal way and all the passport and travel details of
passengers were safe. Later on, the higher authorities at British Airways apologised for
disruption of services due to criminal activity. In the upcoming days, higher executives at British
Airways ensure the fact that in the upcoming days there will be serious protection of passenger

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

10CSE5CRM CYBERSECURITY RISK MANAGEMENT
data. After the attack, the authorities of British Airways assured their passengers that they will be
completely reimbursed.

11CSE5CRM CYBERSECURITY RISK MANAGEMENT
References
Airways, B. (2019). BA boss apologises for data breach. [online] BBC News. Available at:
https://www.bbc.com/news/uk-england-london-45440850 [Accessed 5 May 2019].
Allodi, L., & Massacci, F. (2017). Security events and vulnerability data for cybersecurity risk
estimation. Risk Analysis, 37(8), 1606-1627.
Barrett, M. P. (2018). Framework for improving critical infrastructure cybersecurity. National
Institute of Standards and Technology, Gaithersburg, MD, USA, Tech. Rep.
Basto-Fernandes, V., Yevseyeva, I., Silva-Rabadão, C., Almache-Cueva, M., & Roldán-Molina,
G. (2017). A comparison of cybersecurity risk analysis tools.
Busby, J. S., Green, B., & Hutchison, D. (2017). Analysis of affordance, time, and adaptation in
the assessment of industrial control system cybersecurity risk. Risk Analysis, 37(7), 1298-
1314.
Ganin, A. A., Quach, P., Panwar, M., Collier, Z. A., Keisler, J. M., Marchese, D., & Linkov, I.
(2017). Multicriteria decision framework for cybersecurity risk assessment and
management. Risk Analysis.
Hubbard, D. W., & Seiersen, R. (2016). How to measure anything in cybersecurity risk. John
Wiley & Sons.
Khidzir, N. Z., Ismail, A. R., Daud, K. A. M., Afendi, M. S., Ghani, A., & Ibrahim, M. A. H.
(2016). Critical cybersecurity risk factors in digital social media: Analysis of information
security requirements. Lecture Notes on Information Theory Vol, 4(1).
Meszaros, J., & Buchalcevova, A. (2017). Introducing OSSF: A framework for online service
cybersecurity risk management. computers & security, 65, 300-313.

12CSE5CRM CYBERSECURITY RISK MANAGEMENT
Mills, A. J. (2017). The Gendering of Organizational Culture: Social and Organizational
Discourses in the Making of British Airways☆. In Insights and Research on the Study of
Gender and Intersectionality in International Airline Cultures (pp. 37-47). Emerald
Publishing Limited.
Nurse, J. R., Creese, S., & De Roure, D. (2017). Security risk assessment in Internet of Things
systems. IT Professional, 19(5), 20-26.
Radziwill, N. M., & Benton, M. C. (2017). Cybersecurity Cost of Quality: Managing the Costs
of Cybersecurity Risk Management. arXiv preprint arXiv:1707.02653.
Randall, K. P., & Kroll, S. A. (2016). Getting Serious about Law Firm Cybersecurity. NEW
JERSEY LAWYER, 55.
Roldán-Molina, G., Almache-Cueva, M., Silva-Rabadão, C., Yevseyeva, I., & Basto-Fernandes,
V. (2017). A comparison of cybersecurity risk analysis tools. Procedia computer
science, 121, 568-575.
Shetty, S., McShane, M., Zhang, L., Kesan, J. P., Kamhoua, C. A., Kwiat, K., & Njilla, L. L.
(2018). Reducing informational disadvantages to improve cyber risk management. The
Geneva Papers on Risk and Insurance-Issues and Practice, 43(2), 224-238.
Teixeira, A., Sou, K. C., Sandberg, H., & Johansson, K. H. (2015). Secure control systems: A
quantitative risk management approach. IEEE Control Systems Magazine, 35(1), 24-45.