Risk Assessment and Mitigation Strategies for CONVXYZ Network Security

Added on 2023/01/19

Summary
This report comprehensively analyzes the network security of CONVXYZ, identifying assets, threats, and vulnerabilities. The assessment employs risk management principles, including asset classification, threat identification, and vulnerability assessment. The report utilizes matrices to visualize risks, assesses likelihood and impact, and provides an impact table specifying risks. It recommends risk treatment methods such as updating security applications, patching operating systems, and increasing employee awareness to prevent phishing and social engineering attacks. The report also addresses database risks through access controls and concludes with observations and references, adhering to ISO 31000:2018 guidelines for risk management. The analysis covers various threats, including protocol attacks, router vulnerabilities, web server threats, email server threats, database vulnerabilities, authentication server threats, and PC threats. The report also provides a vulnerability table to identify the scope of the vulnerabilities and their impact.
CONVXYZ RISK ASSESSMENT
Executive Summary
This report analyses the various assets of the CONVXYZ network and identifies threats, vulnerabilities and
specifications. The vulnerabilities and threats discussed are represented in two Boston grid matrices based on
identification and likelihood of the risks. Thereafter a summary of the security risks is given in the impact table
specification, after which the report closes with observations in the conclusions.
The risk treatment methods recommended are updating the security applications and firewalls to
prevent protocol attacks against the firewall. Operating systems and related software applications must be
updated regularly to incorporate their latest hotfixes and patches. The best method of avoiding phishing
attacks is increasing awareness among employees, customers and lawyers, while also training them to
identify harmful sources. Social engineering attacks like email spoofing can be prevented by making the
customers and lawyers of CONVXYZ communicate through custom mailboxes secured with firewall policies
and rules, while promoting caution regarding tempting emails, using multifactor authentication and updating
security software. Operating up-to-date and industry-leading security applications can help in mitigating
malware threats on computers. In addition to appropriate hiring policies, database risks can be addressed
significantly by means of query-level access controls that limit users to the minimum privileges required by
their operational duties.
Table of Contents
Introduction
Assessment of risks
    Specifications of Assets
        System Parameters Table
    Threats
        Threat Assessment
    Vulnerabilities
        Vulnerability Assessment Table
    Likelihood
        Dbs & Cud TH Risks
        Dbs & Cud TS Risks
    Impact Table Specifications
    Identification
Conclusion
References
Introduction
This report analyses the various assets of the CONVXYZ network and identifies threats,
vulnerabilities and specifications. The vulnerabilities and threats discussed are then plotted in BCG matrices
according to two metrics, identification and likelihood (Madsen 2017). After the report summarizes the security
risks and forms the impact table specification, it ends with concluding notes.
Organizations face immense consequences from risks in terms of finances as well as
performance and reputation, which alters the safety, societal and environmental image of organizations;
ISO 31000:2018 has been formed to address this (Selvaseelan 2018). It provides companies with processes,
principles, frameworks and guidelines to manage security risks, but not in the form of certifications.
Risk Analysis
Specifications of Assets
System Parameters Table

ID_No  | Sys_Desc                | Application/Firmware              | No_of_Devices | Product_Desc            | Vendor_Desc
-------|-------------------------|-----------------------------------|---------------|-------------------------|-------------------------------------
SY001  | PC                      | Win 10 64bit, Windows 7           | 20            | Thinkstation (P320 SFF) | Lenovo PC International
SY002  | Server                  | Win Server version 2012           | 5             | IBM-AS/400              | International Business Machine (IBM)
SY003  | Switch                  | SG350                             | 2             | QFX-5110                | Juniper networks
SY004  | Router                  | C819HG-U-K9                       | 1             | Cisco-Rv320             | Cisco
SY005  | Firewall Device         | Cisco Adaptive Security Appliance | 1             | Cisco-ASA-5505          | Cisco
SY006  | WebServer               | ApacheWebServer                   | 1             | IBM-AS/400              | IBM
SY007  | MailServer              | ApacheHTTP_Server                 | 1             | IBM-AS/400              | IBM
SY008  | AuthenticationServer    | OAuth_2.0                         | 1             | IBM-AS/400              | IBM
SY009  | Employee DatabaseServer | AdvancedHRM v1.6                  | 1             | IBM-AS/400              | IBM
SY0010 | Consumer DatabaseServer | Mainframe                         | 1             | IBM-AS/400              | IBM
The different network equipment used by CONVXYZ is listed in the above table, together with the
applications and firmware used by the systems and their part numbers, vendors and counts.
Asset Threat List
Firewall Threat: Protocol attacks are DDoS attacks that drain the load balancer and the resources of the firewall and
prevent the processing of legitimate traffic (Hutle, Hansch and Fitzgerald 2015). This may negatively affect the
CONVXYZ network. Though firewalls can generally provide adequate protection against DDoS attacks, they are not
as effective against protocol attacks.
Router Threat: VPNFilter targets routers of small offices like CONVXYZ (Siegel 2018). Unlike traditional
malware, it cannot be erased by resetting the infected system, and it also converts the infected device into a
bot.
Web Server Threat: Through phishing attacks victims are redirected to infected websites, which happens
when the user clicks on harmful links (Legg et al. 2017). The user's information is then stolen through
tampering of parameter forms and cookies, SQL injection and buffer overflow attacks.
E-mail Server Threat: E-mail spoofing is a social engineering technique by which attackers pose as legitimate sources,
as the e-mails carry a false sender address that hides the attacker's real identity (Amin and Valverde 2017). Attacks like
these are akin to the infamous email hacking scam “Friday afternoon fraud”.
Database Threat: The database privileges granted to users and applications often exceed their job
requirements (Darwish, Nouretdinov and Wolthusen 2017). Excess privileges can be leveraged to
manipulate critical organizational data. In CONVXYZ, a database administrator who only requires read-
only access to customer data may use ‘update’ privileges to manipulate information regarding a particular
property.
Authentication Server Threat: A bypass attack results from inadequate configuration of the access policy at the
software level or from ineffective authentication designs (Sion et al. 2018). Strict password policies are often
enforced by companies like CONVXYZ for the authentication of login credentials, yet they might let blank
passwords through, leading to security loopholes.
PC Threat: Malicious programs or malware may come as viruses, backdoor Trojans, ransomware, spyware
and many more (Canfora, Mercaldo and Visaggio 2016). They need user input, such as downloading infected
files from untrusted sources.
Threat Table
Asset_No. | Prime or Supportive | InScope/Out_of_scope | Asset_Desc                     | Threat_source | Source of Threat | Attractiveness/level
----------|---------------------|----------------------|--------------------------------|---------------|------------------|---------------------
Cud       | Prime               | InScope              | CustomerData                   | Hacker        | TH               | H
Cud       | Prime               | InScope              | CustomerData                   | Staff         | TS               | L
Std       | Prime               | InScope              | StaffData                      | Hacker        | TH               | M
Std       | Prime               | InScope              | StaffData                      | Staff         | TS               | L
Lgd       | Prime               | InScope              | Legal documents                | Hacker        | TH               | H
Lgd       | Prime               | InScope              | Legal documents                | Staff         | TS               | M
Prp       | Prime               | InScope              | PropertyPayments               | Hackers       | TH               |
Prp       | Prime               | InScope              | PropertyPayments               | Company_Staff | TS               |
Fbd       | Prime               | InScope              | FinancialData and BusinessData | Hackers       | TH               | H
Fbd       | Prime               | InScope              | FinancialData and BusinessData | Company_Staff | TS               | M
Dbs       | Supportive          | InScope              | DatabaseServer                 | Hackers       | TH               | H
Dbs       | Supportive          | InScope              | DatabaseServer                 | Company_Staff | TS               | M
Wbs       | Supportive          | InScope              | WebServer                      | Hackers       | TH               | M
Wbs       | Supportive          | InScope              | WebServer                      | Company_Staff | TS               | L
Frw       | Supportive          | InScope              | FirewallDevice                 | Hackers       | TH               | H
Frw       | Supportive          | InScope              | FirewallDevice                 | Company_Staff | TS               | L
BePC      | Supportive          | InScope              | Back-end PCs                   | Hackers       | TH               | M
BePC      | Supportive          | InScope              | Back-end PCs                   | Company_Staff | TS               | L
FePC      | Supportive          | InScope              | Front-end PCs                  | Hackers       | TH               | M
FePC      | Supportive          | InScope              | Front-end PCs                  | Company_Staff | TS               | L
Rou       | Supportive          | InScope              | Routers                        | Hackers       | TH               | H
Rou       | Supportive          | InScope              | Routers                        | Company_Staff | TS               | M
GePC      | Supportive          | Out_of_scope         | Guest PCs                      | Hackers       | TH               |
GePC      | Supportive          | Out_of_scope         | Guest PCs                      | Company_Staff | TS               |
The assets of CONVXYZ with their identifier, scope, threats from hackers and staff computers, and the
attractiveness of each threat are given in the Threat Assessment Table (Nurse, Creese and De Roure 2017).
The assets are also classified into prime and supportive types.
Asset Vulnerability list
Firewall-based Vulnerability: Vulnerability [CVE-2018-0101] in the XML-based parser of the Cisco Adaptive
Security Appliance software for the Cisco ASA 5505 firewall lets remote attackers trigger a system reload,
execute code remotely (a DDoS attack performed by executing code remotely) or prevent the processing of VPN
authentication requests through memory exhaustion (Li et al. 2016). Companies like CONVXYZ commonly
use Cisco ASA based firewall devices and hence it is mandatory to address the issue at the earliest.
Router-based Vulnerability: Vulnerability [CVE-2019-1653] lies in the web-oriented clients of the Cisco RV320
and RV325 routers with firmware versions 1.4.2.15 and 1.4.2.17, and allows a remote attacker to
retrieve sensitive data (Zhu et al. 2015). Such routers are popular among businesses and the CONVXYZ network is
no exception.
Web Server Vulnerability: (CVE-2019-0190) is a vulnerability in the way mod_ssl handles
client renegotiations, through which forwarded requests place mod_ssl in a never-ending loop,
leading to denial of service (Vellaithurai et al. 2015). This exploit is only activated when Apache HTTP
Server is used in conjunction with OpenSSL. Significant inconvenience is caused by this vulnerability to the data of
CONVXYZ lawyers as well as property buyers.
Email Server-based Vulnerability: [CVE-2018-678] is a vulnerability present in the base64d
function of the SMTP listener in all Exim mail servers older than 4.90.1; it causes a buffer overflow through
hand-crafted messages and arbitrary remote code execution (Li, Mehta and Yang 2017). As this software is used
widely by small and medium enterprises such as CONVXYZ, the vulnerability carries a significant level of threat.
Database-based Vulnerability: The [CVE-2018-1834] vulnerability in the IBM DB2 DBMS on Linux,
UNIX and Windows operating systems allows local users to escalate their assigned database privileges to root
through symbolic link attacks (Takahashi and Inoue 2016). This makes CONVXYZ data insecure, affecting
lawyer information that is otherwise transferred securely through the VPN channel.
Authentication Server-based Vulnerability: The [CVE-2018-16875] vulnerability in the mutual TLS
authentication of Golang allows attacker-formulated input to make the verification algorithm of Go's
crypto/x509 library hog all CPU resources while validating large TLS chains (Cheng
et al. 2016). As this is a popular authentication technique, it is quite surely being used by the
CONVXYZ servers and hence the vulnerability should be addressed on an urgent basis.
Computer-based Vulnerability: [CVE-2019-0555] is a Windows-specific vulnerability, more precisely an
elevation of privilege in Microsoft XmlDocument exploited by attackers (Wang and Fan 2018). The vulnerability can
easily jeopardize CONVXYZ operations since such an exploit results in significant disclosure of information.
Vulnerability Table:

Asset No.    | Primary/supporting | In scope/out of scope | Asset name                     | Vulnerability ID | CVE number     | Vulnerability Level
-------------|--------------------|-----------------------|--------------------------------|------------------|----------------|--------------------
Cud          | Prime              | InScope               | CustomerData                   | ----             | ----           | ----
Std          | Prime              | InScope               | StaffData                      | ----             | ----           | ----
Lgd          | Prime              | InScope               | Legal documents                | ----             |                |
Prp          | Prime              | InScope               | PropertyPayments               | ----             |                |
Fbd          | Prime              | InScope               | FinancialData and BusinessData |                  |                |
Dbs with Cud |                    | InScope               | Databases and customer info    | Vdb1             | CVE-2018-1834  | H
Dbs with Std |                    | InScope               | Databases and staff info       | Vdb2             | CVE-2018-18382 | M
Dbs with Lgd |                    | InScope               | Databases and legal info       | Vdb3             | CVE-2018-6861  | M
Wbs          | Supportive         | InScope               | WebServer                      | Wb1              | CVE-2018-6796  | L
Frw          | Supportive         | InScope               | FirewallDevice                 | Vfw1             | CVE-2018-0101  | M
BePC         | Supportive         | InScope               | Back-end PCs                   | Vbc1             | CVE-2019-0555  | M / L
FePC         | Supportive         | InScope               | Front-end PCs                  | Vfc1             | CVE-2019-0555  | M / L
Rou          | Supportive         | InScope               | Routers                        | Vro1             | CVE-2019-1653  | H
GePC         | Supportive         | Out_of_scope          | Guest PCs                      | Vgc1             | CVE-2019-0555  |
The assets of CONVXYZ with their identifier, scope, vulnerabilities from hackers and staff computers,
and the attractiveness of each vulnerability are given in the Threat Assessment Table (Allodi and Massacci
2017). The assets are also classified into prime and supportive types.
Risk_Likelihood
Figure 1: BCG matrix for risk identification
Malware, social engineering and vulnerability CVE-2018-6789 are the risks that are more likely to occur, serving
as cash cows, though CVE-2018-6789 remains the most alarming vulnerability for CONVXYZ in this section.
Dbs & Cud TH Risks
Risk level = Likelihood * Impact
Risk_Likelihood = Attractiveness_Threat * Vulnerability
Likelihood(Dbs & Cud TH) = Threat attractiveness (H) * Vulnerability level (H) = High
Risk_Impact = High (H), since hackers can easily penetrate the databases and access customer-based
information.
Risk level = Likelihood (High) * Impact (High) = High
Dbs & Cud TS Risks
Likelihood(Dbs & Cud TS) = Threat attractiveness (L) * Vulnerability level (H) = Medium
Risk_Impact = High (H), since hackers can also indirectly compromise the databases, thereby accessing customer-
based information.
Risk level = Likelihood (Medium) * Impact (High) = Medium
The scores of the above risks can be obtained from the following risk matrix.
Figure 2: Risk Matrix
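The two-stage scoring used for the Dbs & Cud risks above (likelihood from threat attractiveness and vulnerability level, then risk from likelihood and impact), as an added example that is not part of the original report. The numeric combination rule (L=1, M=2, H=3, multiply, map the product back to Low/Medium/High) is an assumption chosen to reproduce the report's three stated results; the impact ratings for Std and Lgd are also assumed, since the report only rates Cud.

```python
# Added example, not from the report: qualitative risk scoring that reproduces
# the Dbs & Cud calculations. Assumed combination rule: L=1, M=2, H=3, multiply,
# then map the product back (9 -> High, 3..8 -> Medium, 1..2 -> Low). This gives
# the report's own results: H*H = High, L*H = Medium, Medium*High = Medium.
LEVEL = {"L": 1, "M": 2, "H": 3}

def combine(a: str, b: str) -> str:
    """Combine two qualitative levels (L/M/H) into Low/Medium/High."""
    product = LEVEL[a] * LEVEL[b]
    if product >= 9:
        return "High"
    return "Medium" if product >= 3 else "Low"

def likelihood(attractiveness: str, vulnerability: str) -> str:
    """Risk_Likelihood = Attractiveness_Threat * Vulnerability."""
    return combine(attractiveness, vulnerability)

def risk_level(attractiveness: str, vulnerability: str, impact: str) -> str:
    """Risk level = Likelihood * Impact; likelihood[0] is its L/M/H code."""
    return combine(likelihood(attractiveness, vulnerability)[0], impact)

# Attractiveness per (data asset, source) from the Threat Table and database
# vulnerability levels from the Vulnerability Table; TH = hacker, TS = staff.
ATTRACTIVENESS = {("Cud", "TH"): "H", ("Cud", "TS"): "L",
                  ("Std", "TH"): "M", ("Std", "TS"): "L",
                  ("Lgd", "TH"): "H", ("Lgd", "TS"): "M"}
VULNERABILITY = {"Cud": ("Vdb1", "CVE-2018-1834", "H"),
                 "Std": ("Vdb2", "CVE-2018-18382", "M"),
                 "Lgd": ("Vdb3", "CVE-2018-6861", "M")}

def register(impact_by_data: dict) -> list:
    """Database-server risk register, highest risk first. impact_by_data is
    the assessor's impact per data asset (the report states only Cud = H)."""
    rows = []
    for (data, source), attr in ATTRACTIVENESS.items():
        vid, cve, vlevel = VULNERABILITY[data]
        rows.append({"risk_id": f"Dbs & {data} {source}", "vuln": f"{vid} ({cve})",
                     "likelihood": likelihood(attr, vlevel),
                     "risk": risk_level(attr, vlevel, impact_by_data[data])})
    rank = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(rows, key=lambda r: rank[r["risk"]])

if __name__ == "__main__":
    for row in register({"Cud": "H", "Std": "H", "Lgd": "H"}):  # impacts assumed
        print(row)
```

With all three impacts assumed High, only Dbs & Cud TH scores High; every other database row lands on Medium, which is why the report singles that pairing out.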