System Overview
There are different ISO standards that are used as a baseline for the security of the information in an organization. The ISO standards is used for avoiding breaches in the network, reassuring the customers, gaining an edge and access new market opportunities. It is internationally recognized and applied for management of the safety practices and used as a systematic approach for increasing reliability and enforcement of the security controls. There are different standards of IOS such as ISO/IEC 17025, ISO 9001, ISO/IEC 27001 and ISO 50001. The standards are used for different purpose such as ISO/IEC 17025 is used for testing and calibration, ISO 9001 is used for management of the quality, ISO/IEC 27001 is used for management of the information security and ISO 50001 is used for the management of energy.
Save Time On Research and Writing
Hire a Pro to Write You a 100% Plagiarism-Free Paper.
Get My Paper
Thus for the analysis of the security of the CloudXYZ ISO/IEC 27001 is applied and it helps the organization to securely store the information. The use if the ISO standard helps in increase the security of the data residing in the cloud platform. For the development of the network framework an authentication server should be used for permitting the user to connect with the database. The user needs to authenticate with the system for the management of the virtual server and ISO/IEC 27001 is used for the identification of the potential risk associated with the system. The privacy policy is assessed and the risk associated with it is eliminated for meeting the standard of the information security management. For analysis of the risk the following steps are performed and are given below:
Step#1: Analysis of the risk associated with the system
Step#2: Evaluation of the risk management system
Step#3: Selection of the risk management methodology
Save Time On Research and Writing
Hire a Pro to Write You a 100% Plagiarism-Free Paper.
Get My Paper
Step#4: Implementation of the risk management strategy and techniques
Step#5: Monitoring the current system and eliminate the errors for reducing the risk
Figure 1: Steps involved in risk assessment
The risk assessment is done for analysing the impact of the risk and monitoring and eliminating the performance of the network. The performance of the network should not be affected with the implementation of the system. The following figure is used for defining the security of the system and identification of the failure point of the network.
Figure 2: Overview of the network security solution
The confidentiality, availability and integrity of the system is the main factor for the management of the information security and the following framework is used for the management of the risk. The risk is assessed for prioritizing the security risks and prevention of the loss of the organizational policy and implementing a technical control on the network.
ISO/IEC 27001 Application for CloudXYZ
The HR manager is responsible for the management of the human resources of the organization and the network administrator is responsible for the management of the servers and the information residing in the database. The server manager is also responsible for the management of the configuration of the server. The owner of the system identified for the development of the system are given below:
- Employees
- Human Resource
- Development team
- Administration Department
- Management team
- Visitors /guests
- Maintenance Team
- Client
Primary Assets – The primary assets identified for the development of the risk management plan are listed below:
- Authentication Server
- Database server
- Firewall
- Web Server
- Mail Server
- Virtual Server, and
- Pc
Secondary Assets –
- Intranet
- DMZ network
- Customer Phone and
- Visitor Pc
A table is created for recording the details of the assets and is given below:
|
ID
|
Name of Asset
|
Asset type
|
Remarks
|
|
A_1
|
Mail Server
|
Primary Asset
|
Mail accounts are created for the employees for management of the internal communication securely.
|
|
A_2
|
Firewall
|
Secondary Asset
|
It is used for the management of the network traffic and filtering the unwanted traffic in the network.
|
|
A_3
|
Authentication Server
|
Primary Asset
|
It is used for authenticating the user to connect with the database and store the log details for the user accessing the resources of the organization.
|
|
A_4
|
Web Server
|
Primary Asset
|
It is used for hosting the website of the organization and storing the details of the organization.
|
|
A_5
|
Admin PC
|
Primary Asset
|
The Admin Pc is used for the management of the server and the service used for the configuration of the network solution.
|
|
A_6
|
Customer DB
|
Primary Asset
|
The customer database is used for recording the details of the customer and use it for improvement of the current business process.
|
|
A_7
|
HR PC
|
Primary Asset
|
It is used for the management of the employees and the customer information.
|
|
A_8
|
Virtual Server
|
Secondary Asset
|
It is used for the management of the loads and serve more request from the users.
|
|
A_9
|
Cloud Storage
|
Primary Asset
|
The cloud storage is used for uploading the data in the cloud servers and provide access to the users to access the data from remote location.
|
|
A_10
|
Visitor PC
|
Secondary Asset
|
It is used for allowing the visitors to give access to the core network and recording the details.
|
|
A_11
|
Mobile Device
|
Secondary Device
|
It is used for connecting with the wireless network of the organization and access the information stored in the server of the organization.
|
|
A_12
|
Staff PC
|
Primary Asset
|
The staff PC are used for the management of the technical works, data of the enterprise and management of the information.
|
|
Name of the Asset
|
Threat
|
Level
|
Source
|
|
Mail Server
|
Malware
|
High level
|
Receiving malicious emails from unknown sources
|
|
Spam
|
Medium level
|
Outside source is used for implementation of the spam mails
|
|
Social Engineering
|
Low level
|
It is used for getting the login credentials of the user by the hackers
|
|
Firewall
|
Shared secret
|
High level
|
The system can be hacked from outside sources
|
|
Phishing attack
|
Medium level
|
It can occur from hacker for duplicating the identity of the user
|
|
Domain Hijacking
|
Low level
|
It is used for getting the access of the data traffic by the outsiders.
|
|
Authentication Server
|
Dictionary attack
|
High level
|
It is used by the hacker for trying different combination of password
|
|
Password authentication
|
Medium level
|
Outsiders accessing the server from remote location.
|
|
Brute force attack
|
Medium level
|
Outsider from remote location
|
|
Web Server
|
Open relay attacks
|
High level
|
Outsider from any place
|
|
Cross Site Scripting
|
Medium level
|
Outsider from any place
|
|
SQL injection attacks
|
Low level
|
Outsider from any place
|
|
Admin PC
|
Ransomware
|
High level
|
From external device and internet
|
|
Malware
|
Medium level
|
From external device and internet
|
|
Spam
|
Low level
|
From external device and emails
|
|
Customer DB
|
Rainbow table
|
High level
|
|
|
Passphrase, and
|
Medium level
|
|
|
Ownership factor
|
Low level
|
|
|
HR PC
|
Ransomware
|
High level
|
From external device and internet
|
|
Malware
|
High level
|
From external device and internet
|
|
Spam
|
Low level
|
From external device and emails
|
|
Virtual Server
|
Lack of integration of application
|
High level
|
Internal sources and hackers
|
|
Inadequate recovery point
|
Low level
|
Internal sources and hackers
|
|
Restoring granularity
|
Low level
|
Internal sources and hackers
|
|
Cloud Storage
|
Hacking
|
High level
|
Outside hackers for accessing the sensitive information
|
|
Visitor PC
|
Ransomware
|
Low level
|
From external device and internet
|
|
Malware
|
Low level
|
From external device and internet
|
|
Spam
|
High level
|
From external device and emails
|
|
Mobile Device
|
System hacking
|
High level
|
hackers
|
|
Virus
|
High level
|
Internet and external sources
|
|
Spoofing attack
|
High level
|
Hacker and external sources
|
|
Staff PC
|
Ransomware
|
High level
|
From external device and internet
|
|
Malware
|
Medium level
|
From external device and internet
|
|
Spam
|
Low level
|
From external device and emails
|
Virtual Server
CVE-Modified – The JSON vulnerability and the XML vulnerability are analysed for analysing the security flaws that are used as a link for the reference and identification of the weakness of the network configuration.
Mail server
CVE-Recent – It is used for interaction with the security standard practice and it differs from the traditional attacks for the exploitation of the system and the software. The social engineering attacks are used by the hackers to gain the access of the confidential information. It consists of baiting, phasing, pretexting and spear phasing. False communication is created with the victim using chats, phone calls, spoofed website for gathering personal information and using it for illegal use.
PC
CVE-2018 – The dictionary attacks can be used by the attacker to determine the decryption or the passphrase key and gain the access of the computer. The brute force attack are used for searching password systematically and rainbow table are used for reducing the preparation time by analysing the pre computerised dictionary and reducing the storage requirement.
Web server
CVE-2017 – cross site scripting are used for identification of the flaws in the network and identification of the web application uses. The cookies can be accessed by the malicious codes for rewriting the content and using sql injection attacks for modification of the content of the servers.
Firewall
CVE-2016 – It is used as a cryptography for securing the communication and establishing the communication between the different users. The key agreement protocol and the use of the symmetric key cryptography are used for authentication. Unique session should be used for the authentication and responding against the challenges for derivation of the unique key for each of the transaction. The domain hijacking are used for the changing the permission and abusing the privileged for the domain hosting. The hijacker can use the domain name for implementing illegal activity and gain the access of the private information for logging into the servers.
Risk Analysis
Database server
CVE-2015 – The cost of the ownership should be identified for finding the inheritance factor and the device or information affected with the compromising the security. The loss of the resources and the information should be analysed for management of the elements and reducing the effect on the network information system. The rainbow table are used for listing the plaintext by permutation of the password that is specified from the hash table. It is used as a cracking software for the network security attacks.
Authentication Server
CVE-2014 – The brute force attacks are used for the guessing the possible password configuration and checking the password and passphrase for finding the correct one. This can be used as an exhaustive key search and also known as cryptanalytic attack. The dictionary attack are used for the harvesting the email and the pre computed tables are used for analysis of the issues and the major cost for storage of the disk storage. A refined approach should be used for the reducing the storage and lookup the hash values and matching with the existing password for getting the feasible salt values. The common password should be stored in the table and different combination can eb tried for getting the access of the server.
The main risk that the system would be facing are:
The risk likelihood of the risk level is provided in the table below:
|
Colours
|
Frequency
|
Relative Frequency
|
|
Red
|
9
|
36%
|
|
Yellow
|
8
|
32%
|
|
Green
|
8
|
32%
|
|
Total
|
25
|
100%
|
The specification of the impact table is provided below:
|
Impact Definitions
|
|
Rating –>
|
Very Low
|
Low
|
Moderate
|
High
|
Very High
|
|
Cost Impact of Threat
|
Insignificant cost increase
|
<5% cost increase
|
5-10% cost increase
|
10-20% cost increase
|
>20% cost increase
|
|
Cost Impact of Opportunity
|
Insignificant cost reduction
|
<1% cost decrease
|
1-3% cost decrease
|
3-5% cost decrease
|
>5% cost decrease
|
|
Schedule Impact of Threat
|
Insignificant slippage
|
<1 month slippage
|
1-3 months slippage
|
3-6 months slippage
|
>6 months slippage
|
|
Schedule Impact of Opportunity
|
Insignificant improvement
|
<1 month improvement
|
1-2 months improvement
|
2-3 months improvement
|
>3 months improvement
|
|
Probability
|
1–9%
|
10–19%
|
20–39%
|
40–59%
|
60–99%
|
|
|
Impact Rating
|
|
|
1
|
2
|
4
|
7
|
10
|
|
|
Very Low
|
Low
|
Moderate
|
High
|
Very High
|
|
Risk Matrix
|
|
5 – Very High
|
5
|
10
|
20
|
35
|
50
|
|
4 – High
|
4
|
8
|
16
|
28
|
40
|
|
3 – Moderate
|
3
|
6
|
12
|
21
|
30
|
|
2 – Low
|
2
|
4
|
8
|
14
|
20
|
|
1 – Very Low
|
1
|
2
|
4
|
7
|
10
|
Risk Identification with level
The risk identification level is provided below:
|
Risks
|
level
|
Description
|
Number
|
Mitigation
|
|
Domain Hijacked
|
High
|
The domain of the network is hijacked and the hackers able to extract the data from the servers and updates the data with errors in them.
|
CVE-2018
|
The for the mitigation all the access points to the network must be sealed off and the direct access to the servers from the client should also be restricted.
|
|
SQL injection attacks
|
Medium
|
The SQL injection attacks hampers the database server and make invalid updates in the database which increase the time for the processor to fetch the data.
|
CVE-2017
|
To stop this type of attacks in the network the access level in the database are required to be specified. It should also be ensured that the access grants are not revoked without prior restriction of the administrator.
|
|
No recovery and data loss
|
Very High
|
The data of the servers lost when there are no options to save and backup the data and important data of the server is lost
|
CVE-2016
|
The data is to be backed up regularly and data storage facilities are to be maintained efficiently.
|
|
Data Loss by Phishing
|
High
|
The phishing attack is the one where the hackers hacks the password
|
CVE-2015
|
For the phishing attack to be avoided the network should be installing an efficient firewall and use a well-protected
|
|
Malware
|
Low
|
The malware is inserted into the network by a file or a software and the malware then the data in the network is distraught
|
CVE-2014
|
To avoid this type of threat the network is to the protected with the firewalls.
|
|
Spam
|
Low
|
The spam file is inserted into the network and these files keep on providing irrelevant data to the user
|
CVE-2013
|
To protect the system from spam the server access should be restricted.
|
The risk identified for the development of the secure network solution is important for the success of the network. The network should be flexible and all the servers should be installed in the DMZ zone. The In the current network solution the cloud storage, authentication server, customer database and the virtual servers are connected with the intranet and is exposed to the vulnerability of different kind of attacks that can rise from the internal users. The server needs to be secured from the internal as well as the external users connected with the network. The installation of the server in the DMZ network helps in controlling the network traffic and secure the data residing in the cloud and the customer database from illegal usage. The customer and the visitor network device should be provided the access of the resources of the organization and ISO standards should be followed for the configuration of the network. Following the standard helps in reducing the errors in the configuration and increase the flexibility of the network.
AlHogail, A., 2015. Design and validation of information security culture framework. Computers in Human Behavior, 49, pp.567-575.
Baskerville, R., Spagnoletti, P. and Kim, J., 2014. Incident-centered information security: Managing a strategic balance between prevention and response. Information & Management, 51(1), pp.138-151.
De Lange, J., Von Solms, R. and Gerber, M., 2016, May. Information security management in local government. In IST-Africa Week Conference, 2016 (pp. 1-11). IEEE.
Dotcenko, S., Vladyko, A. and Letenko, I., 2014, February. A fuzzy logic-based information security management for software-defined networks. In Advanced Communication Technology (ICACT), 2014 16th International Conference on(pp. 167-171). IEEE.
Laudon, K.C. and Laudon, J.P., 2016. Management information system. Pearson Education India.
Narain Singh, A., Gupta, M.P. and Ojha, A., 2014. Identifying factors of “organizational information security management”. Journal of Enterprise Information Management, 27(5), pp.644-667.
Oppliger, R., 2015. Quantitative risk analysis in information security management: a modern fairy tale. IEEE Security & Privacy, 13(6), pp.18-21.
Pathan, A.S.K. ed., 2016. Security of self-organizing networks: MANET, WSN, WMN, VANET. CRC press.
Peltier, T.R., 2016. Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press.
Safa, N.S., Sookhak, M., Von Solms, R., Furnell, S., Ghani, N.A. and Herawan, T., 2015. Information security conscious care behaviour formation in organizations. Computers & Security, 53, pp.65-78.
Siponen, M., Mahmood, M.A. and Pahnila, S., 2014. Employees’ adherence to information security policies: An exploratory field study. Information & management, 51(2), pp.217-224.
Soomro, Z.A., Shah, M.H. and Ahmed, J., 2016. Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), pp.215-225.
Webb, J., Ahmad, A., Maynard, S.B. and Shanks, G., 2014. A situation awareness model for information security risk management. Computers & security, 44, pp.1-15.
Zammani, M. and Razali, R., 2016. An empirical study of information security management success factors. International Journal on Advanced Science, Engineering and Information Technology, 6(6), pp.904-913.
Turn in your highest-quality paper
Get a qualified writer to help you with
“ Risk Assessment Report For CloudXYZ Network System Based On ISO/IEC 27001 Standard ”
Get high-quality paper
NEW! AI matching with writer
