Threat Analysis and Risk assessment

threat Analysis and Risk judgingCase articulationStay certain(a).co.uk Ltd specialises in redress and financial services in the UK and Europe. It was formed in 2004 to propose travel insurance and expanded further to provide home, motor, health and life insurance along with around insurance products. In October 2013 Staysure.co.uk faced a auspices breach wherein over 100,00 live credit control panel details along with other(a) personalised details of the customers were compromised. This guarantor breach affected 7% of the customers who had purchased insurance from Staysure before May 2012.Before May 2012 the firm stored the board numbers of the customers along with the CVV numbers and other personal details like customer name and addresses. The card details were encrypted but the CVV numbers were feed as plain text into the selective informationbase even though the card security details should non apply been stored at all according to the industry rules. The chief execu tive of the partnership said that these details were stored in the system to help customers in their renewal process. After May 2012 the company ceased storing these details. The host on which the tissuesite host was based had a softw are vulnerability and even though a software patch was print in 2010 and 2013 the data controller failed to update software both the times due to lack of starchy process to review and apply software updates. The failure to update the database software and the security flaws in the IT security system do the company truly vulnerable to a cyber- fall upon.The security flaws in the companys JBoss coating web emcee were exploited between 14th and 28th October 2013. The attacker used the vulnerability in the lotion server to inject a malicious JavaScript order called JSPSpy on the firms website. JSPSpy enabled the attackers to remotely view and modify the ancestry code of the website and query the database containing the details of the customers . It also let the attackers open a command shell allowing them to remotely consummate privileged operating system commands. The attackers specifically tar instituteed and downloaded the payment card details. Even though the card numbers were encrypted the attackers were able to identify the keys used in the encoding and hence could decrypt the card numbers. At the time of the attack the database contained a total of 110,096 live card details, which were at a fortune of creation accessed and used in fraudulent transactions. The firm became aware of the attack on 14th November 2013 and immediately employ independent forensic data experts and wrote to 93,389 affected customers, to make them aware of the attack. The company also offered the affected customers dislodge access to Data Patrol, which is an identity fraud monitoring service.After the attack Staysure was fined with an amount of 175,00 by the ICO since the company did not comply to the Payment plank Industry Data secur ity measure Standard (PCI DSS) , which is a warning administered by PCI Security Standards Council (PCI SSC) to increase payment card security and decrease the transaction frauds over the internet.Referenceshttp//www.itgovernance.co.uk/ communicate/staysure-fails-to-comply-with-the-pci-dss-and-is-fined-175000-by-the-ico/http//www.insurancetimes.co.uk/broker-fined-175000-by-information-watchdog-after-cyber-criminals-raid-customer-records/1411917.articlehttp//securityaffairs.co/wordpress/21002/cyber-crime/staysure-hacked.htmlhttps//ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2015/02/ico-fines-insurance-firm-after-hacked-card-details-used-for-fraud/http//www.insuranceage.co.uk/insurance-age/news/2396976/staysure-fined-gbp175k-for-it-security-failingshttp//www.theinquirer.net/inquirer/news/2321017/staysure-travel-insurer-admits-to-credit-card-thefthttp//trainsure.com/news-posts/insurance-times-reports-another-cyber-attack/http//www.moneywise.co.uk/news/2014-01-06/staysure-i nsurance-customer-data-stolen-hackershttp//www.computerworlduk.com/it-vendors/travel-insurer-reveals-almost-100000-customer-details-in-cyber-attack-3495625/Threat Analysis and Risk assessmentThe purpose of holy terror analysis and risk assessment is to maximize the protection of the three main pillars of security namely confidentiality, impartiality and Accessibility while still providing usability and functionality. A Risk to any disposal or an individual is an interactive relationship of threat, asset and vulnerability. The various directs of risk raise be represented as the product of the bushel and probability (likelihood).Quantitative MeasureQualitattive MeasureDescription5HighA high train risk understructure travel by frequently and keister squander a drastic effect on the organization. Sever measures will be needed in order to mitigate a high level risk.4Medium HighA medium high risk slew occur/ double with high probability but might not persist. If it occurs the organization loafer have a substantive or sever effect.3MediumA medium level risk is likely to occur under many circumstances and if a medium level attack occurs it rear end have conquer to severe effects on the organization.2Low MediumA low medium risk can be considered when the organization will have a minor or moderate force as a result of an attack. A low medium risk can occur from time to time or might not occur at all and can be mitigated easily.1LowThe risk is considered to be low when the likelihood of an attack on an entity is low and the impact of the attack on the entity is negligible or minor. Low risks will never or rarely happen and can be mitigated easily. display board 1 Risk Rating ScaleFigure1.Figure 1 shows a risk matrix which represents the various levels of risk. A vulnerability is a weakness in the system that can be exploited by an attacker or can be unintentionally triggered by a person within the organization. The likelihood is the possibility that any vulnerability will be taken reward of or the vulnerability will be triggered by someone unintentionally. The likelihood is related to attackers intent, attackers ability and attackers target. If a certain vulnerability is exploited the impact on an organization can be expressed in terms like Negligible, Minor, Moderate, world-shaking, Severe.The table below shows a risk assessment architecture for Staysure.co.uk. The Firm had several(prenominal) security flaws in the system, which the attackers exploited to gain access to customer information.AssetThreatVulnerabilityThreat ActorThreat vectorConsequencesLikelihoodImpactRiskCustomer personaliseddetails toilet be assessed and manipulatedThe database had no security procedure in place hence the data was highly accessible.Hackers or a person within the organization (insider).Gaining access to the database by getting access to the webserver or SQL injections.Personal details of the employees like name, address, phone can be accessed a nd used or even modified.Possible(3/5)Significant(4/5)MediumHighCompany websiteSource code of the website can be modified and malicious code can be injected and made to run on the browser (Cross site scripting).Cross site scripting can be performed on the website if security measures are not taken care of while developing the website.Hackers or an insider. vane pagesMalicious code can be injected into the web pages therefore allowing access to the web server and the database.Very probably(5/5)Severe (5/5)HighData controllers systemNo intrusion detection system.A system with no proper security measures can be easily penetrated.Hackers or an insider trying to get unauthorized access.Backdoor created in the web server.Getting access to the data controllers system enables the threat actor to execute Privileged operating system commandsVery likely(5/5)Severe(5/5)HighFinancial card detailsStoring financial data incorrectly.Unencrypted card details stored in the databaseHackers or an ins ider trying to get unauthorized access.Web site source code can be used to query the databaseCard details can be used to make fraudulent transaction and cloning.Very likely(5/5)Severe(5/5)High encodingkeyEncryption algorithms can be used to calculate the encryption keySimple encryption algorithm used to form an encryption key.Hackers or an insider.Reverse engineering.If the encryption key is compromised all the encrypted data can be decrypted.Possible(3/5)Severe(5/5)MediumHighCVV numberStoring CVV numbers in the database is a high risk.CVV numbers if not encrypted can be easily read if the attacker gets access to the database.Hackers or an insider.Web site source code can be used to query the database for CVV numbers.CVV numbers can be used to prove authentication while doing online transactions.Very likely(5/5)Severe(5/5)HighJBossApplication ServerUnpatched and out of date softwares and no intrusion detection systemScripts can be uploaded to the server which when executed gives rem ote administration access to the server.Hackers or an unauthorised insider.Backdoors created on the server via malicious script. at a time administration access is acquired on the server various admin activities can be initiated and the hosted web servers can be accessed.Likely(4/5)Severe(5/5)HighDatabaseDatabase injections and unmanaged dataThe data in the database can highly vulnerable to SQL injections and can be highly inconsistent.HackersSQLinjectionsData can be erased and stolen from the database and used in a fraudulent manner.Likely(4/5)Severe(5/5)Highhttps//www.towergateinsurance.co.uk/liability-insurance/smes-and-cyber-attacks remove laterhttp//resources.infosecinstitute.com/how-to-prevent-cross-site-scripting-attacks/ remove laterSecurity ArchitectureFigure 2 Figure 2 shows security architecture for Staysure during the time of the attackSecurity RecommendationsStaysure.co.uk had no security policies in place which can be sited as the base for the cyber-attack. Being an i nsurance company and holding personal records of millions of customers the company should have had security procedures in place. It is important that the employees of a company are trained and made aware of the importance of information data security. The fact that the attackers took advantage of the software vulnerability in the JBoss action server even though there were patches available to fix the vulnerabilities shows the ignorance of the data controller towards information security. Table 2 lists security recommendations which would have prevented the attack.Security RecommendationsDescriptionsSecurity policiesSecurity policies is an integral part of any organization. Staysure be an insurance company and handling millions of customer records should have had strict company security policies which could have prevented the attack.Security training and awarenessThe employees of Staysure were clearly not aware of the importance of data security and management. The employees should have been provided reliable data security and data management training and made aware of information security.Payment Card Industry Data Security Standard (PCI DSS) add appendixWhen an organization handles personal records of customers it is needed that the organization follows certain industry standards for data storage. According to PCI DSS the CVV numbers should not have been stored in the database. If the standards were followed the attack would not have a major impact.Data storage and data securityData storage has both physical and logical security aspects. The logical aspect being data authorization, authentication and encryption. The physical aspects allow in the place in which the servers are placed, it should be safe from heat-waves, power fluctuations and other physical elements. In eccentric of Staysure the payment card details and the CVV numbers should have been encrypted with a beefed-up encryption algorithm from the very beginning and the database server should have had an intrusion detection and prevention system which would have prevented access to the database. set up managementUnpatched systems and softwares pose a big threat to an organization. The most efficient way to shield from attacks is to have patch management procedure to make sure that all the systems and softwares are patched on continuous basis. If Staysure had patched the vulnerabilities in the Jboss application server and software, the attackers would not have been able to exploit the vulnerability.demilitarized zone (Demilitarized Zone)The servers that are faced towards the public should be kept in the DMZ, so that they can be separated from the offstage network. If a malicious party gains access to the server, he will be isolated in the DMZ and will not be able to attack the private network. If Staysure had a DMZ the attackers would not be able to access data on the private network.EncryptionEncrypting any valuable information of customers is necessary in order to pr otect customer data from being accessible and using a strong encryption key is vital to serve the purpose of encryption. The data controller should have had made sure to encrypt the CVV and the card number and should have used a strong encryption key.IDSStaysure should have had violation detection systems so that the intrusion by the attacker could have been detected and would alert the authorities thus preventing high impactFirewallsPrevention of human errorshttp//www.ibm.com/support/knowledgecenter/SSTFWG_4.3.1/com.ibm.tivoli.itcm.doc/CMPMmst20.htm patch management policy.High level security diagram to prevent attacks