University of The Cumberlands
ISOL 533 – Information Security and Risk Management
Sriram Reddy Challa
Mirza Quadrath Ullah Baig
Anand Sai Chunduru
Tirupathi Rao Chintalapudi
Under the guidance of
Professor Doug Smith
Cloud computing is an off-premise form of computing that stores data on the Internet. The physical storage spans multiple servers (sometimes in multiple locations), and the physical environment is typically owned and managed by a hosting company. A business typically relies heavily on the applications, services and information contained in a cloud data center, making it a point of convergence and a basic resource for regular tasks. Today every kind of organization, whether governments, the entertainment industry, the financial sector or educational institutions, records and stores its information in the cloud. With the growth of data centers, security breaches have increased and risk management has become crucial. In this paper we discuss which methodologies should be implemented in order to avoid such risks.
This project evaluates the risks and security applications of cloud environments, large and small scale organizations and web systems. It also concentrates on the current security challenges facing cloud computing and possible ways of tackling them, some of which are already being employed. By taking preventive measures today, organizations can improve their services, value and quality. The project analyzes and determines the risks involved with cloud environments, and examines the layers involved in the cloud architecture and how to secure them. The concept, growth and implementation of cloud computing has been a major milestone in the past few years of technological advancement, and the need to improve on any cloud computing technology currently being implemented cannot be overemphasized. Cloud computing is Internet-based computing in which shared resources, software and information are provided to computers and devices on demand. It gives people a way to share distributed resources and services that belong to different organizations. Cloud computing is the term used to represent the emerging technology that entails sharing of pooled computational resources and other data representations from different sources, usually geographically distant systems, and delivering them to organizations and end users on demand. It is implemented as a network of connected computers and other devices sharing computing resources, usually over the Internet, and offers a better, more portable and more spacious storage system than traditional hardware data storage. However, cloud computing, as the name implies, is practiced in an open environment, claiming to offer stress-free and timely third-party access to cloud contents. Hence it must be fully supervised and properly managed or controlled, with its security tightened to ensure reliability, data integrity and related functionality.
Physical Security and Risks:
Physical security is becoming more challenging for organizations as technology and computing environments are exposed to increasing risks. USB hard drives, laptops, tablets and smartphones are prone to data loss or theft because of their portability and mobile access. When computers were first developed, they were mainframes that were handled by a few people and kept highly secured in locked rooms (Harris, 2013).
Physical security is the protection of hardware, software, networks and data against loss caused by disasters or by physical actions against the agency. This includes protection from fire, floods, natural disasters, theft and burglary.
Physical security has three main features:
• Access control
There should be barriers between attackers and physical sites, and sites should be strictly protected against accidents, attacks and environmental disasters. The protective measures include fencing, locks, access control cards, biometric access control systems and fire suppression systems. Highly confidential areas should be observed and monitored with video surveillance and alerting systems such as intrusion detection sensors, heat sensors and smoke detectors. Disaster recovery procedures should be tested regularly to confirm that they work, which helps to reduce the time needed to recover data.
Nowadays, desktop computers and laptops are used throughout companies to access data. Securing data, networks and systems is becoming more difficult with mobile users who are able to take their computers, especially laptops, out of the company. This is a main reason that vandalism, sabotage, accidents and theft lead to huge losses for organizations, as situations become more complex and dynamic.
Managing physical security becomes harder as complexity and risk gradually increase and vulnerabilities are exposed. Stealing devices such as mobiles and laptops is not the only way for attackers to get data; they can also download confidential data when users connect storage devices such as hard drives or flash drives to an unprotected computer.
Plugging a USB flash drive into a system outside the campus is another way confidential information gets stolen. Malicious code on the outside system infects the drive, and when the drive is later inserted into company computers the systems become infected and the confidential data on them is put at risk. A scenario of this type was seen at a U.S. Department of Defense base in the Middle East in 2008. An employee unknowingly inserted an infected external device into a government laptop; the virus spread to all the devices and sent confidential data to other countries (Lynn III, 2010).
Theft of hardware and vandalism usually occur while attention is on administrative and technical controls. Organizations usually monitor technical and administrative controls, and where they focus least a data breach will not be detected right away. Information security breaches have different weaknesses, risks and countermeasures than physical security breaches. In information security, attackers enter the network by unauthorized means such as wireless access or open ports.
Security should increase productivity by protecting assets. Security practices that make employees feel safe and secure let them focus on their tasks and on securing the company's sensitive data. The CIA triad has a strong influence on an organization's physical security: confidentiality of data, integrity of assets and availability of company resources.
Physical security must first make sure that all personnel information is safe, followed by securing company assets and restoring IT operations after a natural disaster. When there is an explosion or fire, the right suppression method should be used. Water, gases and powders are used in different scenarios to reduce one of the four fire elements: heat, oxygen, fuel or chemical reaction. A former employee filed a case against the Coca-Cola company stating that the company had poorly implemented the security of its personnel data.
Facilities need physical access controls in place that control, monitor and manage access. Building sections should be categorized as restricted, private or public. Different access control levels are needed to restrict the zones that each employee may enter depending on their role. Many mechanisms exist that enable control and isolation of access privileges at facilities. These mechanisms are intended to discourage and detect access by unauthorized individuals.
Malware and Hackers:
It seems only yesterday that computers were properly introduced to the market. Then came the Internet and, along with it, the sparkle of social media, entertainment and more. And finally, the cloud. In recent times the migration of data to the cloud has become so extensive that every single industry has turned towards it: social media such as Facebook and Twitter, subscription services such as Netflix, and cloud storage for music, movies, photos, documents and pretty much everything else. One may think that with the improvement in technology over the years and the intensive security measures implemented, the data is secure and out of reach of hackers, but that is not the case. They have their own ways and techniques to gain illegal access to clouds and steal private information for criminal activities. DataLossDB did a survey and found that the number of breaches (1041) that occurred during the entire year of 2011 had already been exceeded within 9 months of the following year. Some of the victims of such breaches were Stratfor and Epsilon. Epsilon lost millions of email addresses that it had in its database, and information on over 75k credit cards and over 850k user names and passwords was stolen from Stratfor.
Cloud computing provides services through three different layers depending on end-user requirements: the system layer, the platform layer and the application layer. All of these layers can be exploited in different ways by hackers, or even by employees who are not authorized to access such data, using techniques like session hijacking or simply causing damage by uploading viruses and trojans to cloud systems. So it is important to identify the potential attacks on the cloud and to put proper security measures in place to protect cloud environments.
There were times when it took months for hackers to organize a cyberattack, because computing power was scarce and multiple computers were required to produce it. Now, with both powerful software and hardware, hackers take full advantage of the resources at their disposal and need little time to launch attacks such as brute force attacks, a technique used extensively to break passwords, and DoS attacks, which disrupt the user's network and freeze access to it. Both techniques require powerful computing systems.
Often it is insiders in an organization who are responsible for such security breaches. When Cyber Security Watch conducted a survey in 2011, it found that insiders were responsible for more than 21% of attacks and that a staggering 63% of corporate data was breached by insiders, which proved more damaging. This was all due to unauthorized access to confidential data by rogue insiders, who try to sell the data or to benefit from it for personal objectives in the future. These attacks are usually the most difficult to trace, as the insider is more aware of his surroundings and leaves no room for mistakes.
Malware injection is another form of attack that hackers use. They program malicious code consisting of an application, a program and a virtual machine, and send it to the cloud they target; once the injection is complete, the hackers can do whatever they desire with the data in the cloud. When Symantec did its research in 2011, it found an increase in web attacks of 36% and a staggering 4500 different attacks every single day.
Risks associated with Documentation and Web systems
Web-based systems and applications now deliver a complex array of functionality to a large number of diverse groups of users. As our dependence and reliance on the Web has increased dramatically over the years, their performance, reliability and quality have become of paramount importance. As a result, the development of Web applications has become more complex and challenging than most of us think. In many ways, it is also different from and more complex than traditional software development. But, currently, the development and maintenance of most Web applications is chaotic and far from satisfactory.
a) Prevalent secure sites: Secure Web sites provide services that are protected for security and privacy concerns. Significant examples include on-line shopping sites, auction sites, and home-banking services. Purchase is the most critical operation in secure e-commerce sites, because sensitive information (e.g., credit card number) is exchanged. When users buy, security requirements become significant and include privacy, non-repudiation, integrity, and authentication rules. The transactions should be tracked throughout the whole user session and backed up in case of failures. The majority of the content of secure sites is often generated dynamically; however, even static resources may need secure transmission. These e-commerce websites are increasingly targeted by hackers seeking to steal users' sensitive information.
b) Prevalent static sites: Today, static Web sites do not present any real design challenge, because present Web technologies are able to serve an impressive volume of static requests even with commodity off-the-shelf hardware and software. The only requirement that a static Web site has to meet concerns the network capacity of the outbound link, which must handle the necessary volume of client requests/responses with no risk of bottleneck.
c) Prevalent dynamic sites: Sites offering sophisticated and interactive services, possibly with personalized content, fall in the category of dynamic sites. A peculiarity of dynamic sites is the strong interaction between the Web technology and the information sources (usually databases) for nearly every client request. Providing adequate performance for serving dynamic resources may be a non-trivial task because there are several technologies for dynamic content generation, each with some conveniences and limits. Choosing the wrong technology may lead to poor performance of the whole system.
e) Prevalent multimedia sites: Multimedia Web sites are characterized by a large amount of multimedia content, such as audio and video clips, animations or slideshows. Examples of multimedia sites include e-learning services, some e-commerce services specialized in music, such as iTunes, on-line radios, and sites that offer a download section with a repository of multimedia files.
to provide enough network bandwidth for downloading large multimedia files. As multimedia resources are orders of magnitude larger than static resources, bandwidth requirements are quite critical. Introducing streaming protocols increases the issues in the design of a Web site because streaming-based delivery of multimedia content introduces real-time constraints in packet scheduling, and often requires a network resource reservation protocol.
In particular, the system resources can be easily exhausted by a high volume of client requests. Moreover, the lack of hardware component replication prevents fault tolerance in a single node architecture. Explicit countermeasures such as RAID storage and hot-swappable redundant hardware may reduce the risks of single points of failure, but basically there is no reliability opportunity. We should also consider that placing every logical layer on the same node has a detrimental effect on system security, because once the node has been violated, the whole Web system is compromised. From the above considerations, we can conclude that the single node architecture is not a viable solution for the deployment of a dynamic Web site that intends to offer some performance and reliability guarantees.
Risks associated with documentation
Policies and Controls: Policies are the overarching documentation which sets the position and tone of the organization's control posture. Controls are written and established by an organization to verify that a regulatory requirement or risk is properly addressed and monitored.
A disjointed approach often leads to duplicate controls, an environment which is not easily monitored and the inability to determine if the controls are operating effectively.
Processes or Procedures: Processes and procedures are the activities that support documented controls and enforce policies or standards. These documented controls then provide measures and checks to support the policies or standards in place. Processes and procedures are usually repetitive and, based on experience, are not well documented. Unfortunately, even in an organization that has controls in place, lack of proper documentation can still lead to an audit finding for noncompliance.
The risk that something goes wrong with the documentation. This feeds in turn into reduced legal risk, which is included within the definition of operational risk
Operational risk has many facets, and the events which give rise to it cover a huge range from high-frequency low-impact at one end to low-frequency high-impact at the other. There is a correspondingly wide range of controls and techniques that can be used to prevent or at least mitigate losses. Sound documentation lies at the more bread and butter end of the spectrum of such controls and techniques. But it is no less vital for all that. The Association is therefore to be congratulated for its initiative in putting in place an essential building block in the form of the standardised documentation.
The identification of risk normally starts before the project is initiated, and the number of risks increases as the project matures through the lifecycle. When a risk is identified, it is first assessed to ascertain the probability of occurring and the degree of impact to the schedule, scope, cost, and quality, and then prioritized. Some risk events may impact only one category, while others may impact the project in multiple impact categories. The probability of occurrence, the number of categories impacted and the degree (high, medium, low) to which they impact the project will be the basis for assigning the risk priority. All identifiable risks should be entered into a risk register and documented as a risk statement.
As part of documenting a risk, two other important items need to be addressed. The first is mitigation steps that can be taken to lessen the probability of the event occurring. The second is a contingency plan, or a series of activities that should take place either prior to, or when the event occurs. Mitigation actions frequently have a cost. Sometimes the cost of mitigating the risk can exceed the cost of assuming the risk and incurring the consequences. It is important to evaluate the probability and impact of each risk against the mitigation strategy cost before deciding to implement a contingency plan.
Contingency plans implemented prior to the risk occurring are pre-emptive actions intended to reduce the impact or remove the risk in its entirety. Contingency plans implemented after a risk occurs can usually only lessen the impact. Identifying and documenting events that pose a risk to the outcome of a project is just the first step. It is equally important that a risk management team monitor all risks on a scheduled basis and report on them in the project status report.
Risk identification consists of determining which risks are likely to affect the project and documenting the characteristics of each.
The [Insert Project Name Here] project manager will identify and document known risk factors during creation of the Risk Register. It is the [Insert Project Name Here] project manager's responsibility to assist the project team and other stakeholders with risk identification, and to document the known and potential risks in the Risk Register. Updates to the risk register will occur as risk factors change. Risk management will be a topic of discussion during the regularly scheduled project meetings. The [Insert Project Name Here] project team will discuss any new risk factors or events, and these will be reviewed with the [Insert Project Name Here] project manager.
Small Business Risks
Data center managers are wholly responsible for protecting their company's confidential data from outside hackers and from potential risks such as small business risks. A common concern in all data centers is power outages: many founders, CEOs and managers worry about them because power is essential for a data center to operate. The second important risk in data centers is malfunctioning plant, IT software and equipment. Other risks include flooding resulting from a natural calamity, which may damage data centers, and the release of poisonous gases, which affects data centers in an indirect way.
These risks can be clearly categorized in two ways:
1) Internal risks
2) External risks
Internal risks may include the below kinds.
a) Illness and death
b) Theft and fraud
c) Low employee morale
Illness and death:
This kind of risk arises when an employee or business owner falls sick or dies, which may shut down long-running operations and cause functional issues.
Theft and fraud:
Even though employers conduct background checks, data centers run the risk of having unfaithful employees who may attempt to steal the company's property or transfer company accounts into their personal accounts; this kind of threat may also come under account transfer threats. Transferring confidential data from the company's computers to personal pen drives or hard disks is also one of the fraudulent activities.
Low employee morale:
Employees who are unhappy or have no organizational ethics come under this category; employee negligence is the most commonly considered cause of this risk. For instance, if an employee forgets to reorder stock for the inventory, it is a big risk to the business sales team, because orders may get cancelled if they have to be placed a second time. Another example is accidentally deleting data from the servers, which is a big risk to the company because it may lose all its confidential data and customer information.
Equipment and business risks also come under small business risks; this type concerns older and newer equipment. Older equipment might be slow, whereas newer equipment takes some time to adjust to existing equipment, so changing equipment and software is always a risk.
Another source of risk may be the physical plant of your business. Telephone lines and other utilities are risks to a business. The appearance of a building, for example its walls, windows, and doors, may require maintenance to continue attracting customers. Injuries and damages may be caused by your business, or your business may suffer damage. For instance, a storm may damage a business, or a business may cause damage by selling a faulty product. In either case, injuries and damages come with a cost.
Income is the lifeblood of a business. When unexpected costs affect the ability of a business to meet monthly expenses, or when credit lines are lost, a business may fail. A plan to maintain income is crucial.
Even new financing has its own cost-related risks. The risks can include the following:
• Appraisal costs
• Closing costs
• Costs for points to buy down rates
• Deposits held as security
External risks may include the points below:
External risks may include market challenges, employees leaving or rent increases. Market changes will impact business profit and loss: if a competitor plays a strategy in the market, your entire business may go up or down. If a good resource, or an employee who knows your company inside out, leaves all of a sudden without transferring knowledge to co-workers, this will also impact productivity and delay the business in getting things done on time and in client deliveries.
Business environment risks are also included in small business risks, as below:
a) Natural disasters: these may affect your business and cause a short business shutdown.
b) Federal and state rules: these change often and impact the business.
Personal conflicts are external risks for both business owners and employees. Families and homes don't cease to exist at the start of a work day. Children become ill. Medical emergencies, or worse, may occur. Repairs and maintenance will be required at home. For an entrepreneur, inclusion in the network makes In any case, the accompanies a cost. Employees and their children are involved in outside activities too. We don't usually think of outside activities as a risk, but consider how you would handle this situation: your most reliable manager needs to go to an out-of-town playoff game with her child on the busiest day of the month.
Recommended solutions to prevent attacks on cloud computing environments:
Threats to cloud computing security affect a wide range of users, not just large companies and organizations, and also affect their willingness to implement cloud in their businesses or activities. Hence it is critical that arrangements and solutions are put in place to minimize cloud security attacks and challenges. Some of these include finding cloud service providers with high levels of security and data management as well as effective data recovery facilities. High attention is paid to cloud infrastructure to ensure that it is able to support and handle high-end security components that prevent all types of cyber-attacks. Applications are developed to provide data encryption and user authorization services as well as data leakage and intrusion detection systems. Data flow, location and user activities should be well planned and monitored so as to detect any unauthorized access to the cloud environment. Data encryption should be made commonly available, especially at critical network points such as data transmission points. A common cloud attack involves the creation and distribution of viruses, computer programs or code designed to cause damage to the end user's computer systems. As a result, anti-virus programs and other related applications have been developed and implemented to prevent and resolve virus attacks.
Another important security challenge is session hijacking. A session is created when a cloud system user logs on to a web application and his authentication details are stored on cloud servers. A session hijacker takes over a user's session by gaining access to his ID and then carries out different session activities under the same username, breaching his information and increasing the vulnerability of cloud services. This kind of attack can be detected through a WLAN (Wireless Local Area Network) intrusion detection system and MAC (Media Access Control) address monitoring and verification. It can be prevented using HTTPS, which is a combination of the HTTP protocol and the Secure Sockets Layer (SSL), to enable secure network communication and to prevent packet sniffing for ID theft. One-Time Cookies (OTCs) may also be used to avoid session hijacking by attaching private information to the user's request that is securely stored in the browser. Session Shield, which is an external proxy that inspects incoming and outgoing network requests, can be used as well in the case of cross-site scripting (XSS), which can be used in session hijacking. Security awareness also needs to be created among authorized cloud users so that they do not expose the cloud system to security risks that have end users as their points of entry. A lack of effective security awareness programs leads to slower threat handling and to social engineering attacks. To assure the best quality of service, cloud service providers are responsible for ensuring that the cloud environment is secure. This can be achieved by defining the stringent security policies below and by implementing advanced security technologies.
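The One-Time Cookie idea mentioned above can be illustrated with a per-request token that a network observer cannot reuse. The following is an added example, not code from the paper or from the published OTC protocol; it is a simplified scheme in which the class names, the counter-based replay check and the request fields are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def make_token(key, counter, method, path):
    """HMAC over the request counter, method and path, keyed with the session secret."""
    msg = f"{counter}\n{method}\n{path}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Server:
    """Hypothetical server side: keeps a secret key and last accepted counter per session."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        # The session id and key are handed to the browser once, over HTTPS.
        session_id = secrets.token_hex(16)
        key = secrets.token_bytes(32)
        self._sessions[session_id] = {"user": user, "key": key, "last": 0}
        return session_id, key

    def authenticate(self, request):
        """Return the user name for an authentic, fresh request, otherwise None."""
        session = self._sessions.get(request.get("session_id"))
        counter = request.get("counter")
        if session is None or not isinstance(counter, int):
            return None
        expected = make_token(session["key"], counter,
                              request.get("method"), request.get("path"))
        supplied = str(request.get("token"))
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(expected.encode(), supplied.encode()):
            return None
        # Simplification: strictly increasing counters, so a captured request
        # cannot be replayed (out-of-order parallel requests are also refused).
        if counter <= session["last"]:
            return None
        session["last"] = counter
        return session["user"]


class Browser:
    """Hypothetical client side: the key never travels with the requests."""

    def __init__(self, session_id, key):
        self.session_id = session_id
        self._key = key
        self._counter = 0

    def request(self, method, path):
        self._counter += 1
        return {
            "session_id": self.session_id,
            "counter": self._counter,
            "method": method,
            "path": path,
            "token": make_token(self._key, self._counter, method, path),
        }


def demo():
    """Run a constructed exchange and report what the server accepts."""
    server = Server()
    session_id, key = server.login("alice")
    browser = Browser(session_id, key)

    first = browser.request("GET", "/files")
    results = {"legitimate": server.authenticate(first)}
    # Someone who observed the first request sends it again unchanged.
    results["replayed"] = server.authenticate(dict(first))
    # The observed token is attached to a different request.
    altered = dict(first, path="/files/delete", counter=2)
    results["altered"] = server.authenticate(altered)
    # The real browser is unaffected by the failed attempts.
    results["next"] = server.authenticate(browser.request("POST", "/files"))
    return results


if __name__ == "__main__":
    print(demo())
```

Unlike a static session cookie, an observed token here is bound to one request and one counter value, so knowing the session ID alone is not enough to act as the user.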
1. Security Policy Enhancement
With a valid credit card, anyone can register to utilize resources offered by cloud service providers. This lets hackers take advantage of the powerful computing power of clouds to conduct malicious activities, such as spamming and attacking other corporate computing systems. To mitigate such abuse caused by weak registration systems, credit card fraud monitoring and blocking based on public blacklists could be applied. Implementation of security policies could also reduce the risk of abuse of cloud computational power. Well established rules and regulations can help network administrators manage clouds more effectively. For example, Amazon has defined a clear user policy and isolates (or even terminates) any offending instances whenever it receives a complaint of spam or malware coming through Amazon Web Services EC2.
2. Access Management
End-user or customer data stored in the cloud is sensitive, confidential and private. Access control mechanisms could be applied to ensure that only authorized users of an account can have access to its data. Not only do the physical computing systems (where data is stored) have to be continuously monitored, but traffic accessing the data should also be controlled or restricted by security techniques and policies. Firewalls and intrusion detection systems are common tools that are used to restrict access from unauthorized sources and to monitor malicious activities. In addition, the authentication standards Security Assertion Markup Language (SAML) and eXtensible Access Control Markup Language (XACML) can be used to control and manage access to cloud applications and data. SAML focuses on the means for transferring authentication and authorization decisions between cooperating entities, whereas XACML focuses on the mechanism for arriving at authorization decisions.
3. Data Protection
Data breaches caused by insiders can be either accidental or intentional. Since it is very challenging to characterize the behavior of authorized users, it is better to apply proper security tools to deal with insider threats. Such tools include data loss prevention systems, anomalous behavior pattern detection tools, format preserving and encryption tools, user behavior profiling, decoy technology, and authentication and authorization technologies. These tools provide functions such as real-time detection by monitoring incoming and outgoing traffic, audit trail recording for future forensics and trapping suspicious activity with decoy documents.
4. Security Techniques Implementation
The malware injection attack has become a major security concern in cloud computing systems. It can be prevented by using a File Allocation Table (FAT) system architecture. From the FAT table, the instance (code or application) that a customer is going to run can be identified in advance. By comparing the instance with previous ones that had already been executed from the customer's machine, the validity and integrity of the new instance can be determined. Another way to prevent malware injection attacks is to store a hash value on the original service instance's image file. By performing an integrity check between the original and new service instance's images, malicious instances can be identified. For XML signature wrapping attacks on web services, a variety of techniques have been proposed to fix the vulnerability found in XML-based technologies. For example, the XML Schema Hardening technique is used to strengthen XML Schema declarations. A subset of XPath called FastXPath has been proposed to resist the malicious elements that attackers inject into the SOAP message structure.
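The image hash check described above can be sketched as follows. This is an added example, not code from the paper: the manifest layout, the function names, the service names and the demo key are assumptions, and it goes one step beyond the text by protecting the stored baseline with an HMAC tag so that someone who can rewrite the stored hash cannot also make a modified image pass.

```python
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 1024 * 1024  # read images in 1 MiB blocks


def image_digest(path):
    """Stream the image through SHA-256 so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _tag(key, digests):
    """HMAC over the canonical JSON form of the baseline digests."""
    body = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def save_manifest(manifest_path, key, digests):
    """Store known-good digests together with a tag that makes edits detectable."""
    with open(manifest_path, "w") as f:
        json.dump({"digests": digests, "tag": _tag(key, digests)}, f)


def load_manifest(manifest_path, key):
    """Return the baseline digests, refusing a manifest whose tag does not verify."""
    with open(manifest_path) as f:
        data = json.load(f)
    expected = _tag(key, data["digests"]).encode()
    if not hmac.compare_digest(expected, str(data["tag"]).encode()):
        raise ValueError("manifest tag mismatch: baseline has been altered")
    return data["digests"]


def check_instance(digests, name, image_path):
    """Classify a service instance image before it is allowed to run."""
    expected = digests.get(name)
    if expected is None:
        return "unknown"  # never registered, so there is nothing to compare with
    actual = image_digest(image_path)
    if hmac.compare_digest(expected.encode(), actual.encode()):
        return "ok"
    return "modified"


def demo():
    """Constructed scenario: register an image, then alter it and the manifest."""
    key = b"constructed-demo-key"  # assumption: a secret kept outside the image store
    results = {}
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "service.img")
        manifest = os.path.join(d, "manifest.json")
        with open(image, "wb") as f:
            f.write(b"constructed service image contents" * 1000)

        save_manifest(manifest, key, {"billing-service": image_digest(image)})
        digests = load_manifest(manifest, key)
        results["clean"] = check_instance(digests, "billing-service", image)
        results["unregistered"] = check_instance(digests, "other-service", image)

        # The image changes after registration (extra bytes appended).
        with open(image, "ab") as f:
            f.write(b"bytes added after registration")
        results["after_change"] = check_instance(digests, "billing-service", image)

        # The stored hash is rewritten to match the changed image, without the key.
        with open(manifest) as f:
            data = json.load(f)
        data["digests"]["billing-service"] = image_digest(image)
        with open(manifest, "w") as f:
            json.dump(data, f)
        try:
            load_manifest(manifest, key)
            results["rewritten_manifest"] = "accepted"
        except ValueError:
            results["rewritten_manifest"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The "unknown" result corresponds to the comparison with previously executed instances in the text: an image with no recorded baseline is treated differently from one that matches or differs from its baseline.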
Methods of handling or managing cloud security are currently being investigated and improved by cloud service providers. Some concepts such as cryptography, the Secure Hashing Algorithm (SHA) and cloud virtualization are already being used in most cloud systems by cloud service providers and are providing efficient security levels and measures. However, there is a great need for high security in cloud computing models today, and more efficient methods and algorithms to safeguard cloud data and offer cloud security are called for.
Olivier, F. (2015). New Security Architecture for IoT Network. ScienceDirect.
WannaCrypt attack should make us wanna cry about our vulnerability …
Web Application Security | Application Security Checklist | Incapsula.
Risk Management 101 for Small Business Owners | OPEN Forum … (Sep 9, 2010).
Rouse, M. (2016, September 21). Physical Security. Retrieved September 21, 2018, from https://searchsecurity.techtarget.com/definition/physical-security
Harris, S. (2013). Physical and Environmental Security. In CISSP Exam Guide (6th ed., pp. 427-502). USA: McGraw-Hill.
Harris, S. (2013). Access Control. In CISSP Exam Guide (6th ed., pp. 97, 98, 157-277). USA: McGraw-Hill.
Harris, S. (2013). Information Security Governance and Risk Management. In CISSP Exam Guide (6th ed., pp. 21-141). USA: McGraw-Hill.
Lynn III, W. J. (2010, September 30). Defending a New Domain. Retrieved May 17, 2016, from https://www.foreignaffairs.com/articles/united-states/2010-09-01/defending-new-domain
Security Threats on Cloud Computing. International Journal of Computer Science & Information Technology (IJCSIT) Vol 5, No 3, June 2013.