
Chapter 4. New Models

4.3 Infrastructure Vulnerability and Risk Assessment Framework

4.3.2 Framework Application Example

4.3.2.3 Vulnerability, Countermeasure, and Impact Assessment

This section rates the vulnerabilities and countermeasures. This corresponds to Steps 2 to 4 in the framework.

Table 4.8: Threat Ratings

Attack                             Capability   Prevalence/Likelihood   Overall Rating
DoS                                High         Low                     Medium
Breach confidentiality             Medium       Very High               High
Attack on client vulnerabilities   Medium       Medium                  Medium
Malware                            High         High                    High
Attack on wireless services        Medium       High                    High
Exposure due to mobile devices     Medium       High                    High
Social engineering                 High         High                    High
Political attack                   High         Low                     Medium

Steps 2A, 3A, and 4A: Non-technical factors

For this example there are only a few non-technical factors; these ratings will be from an organisational perspective. The legal liability when considering cloud computing is uncertain as there is no universal standard that governs this. A reasonable control will be a strong service agreement which clearly defines the security responsibilities and liabilities. Due to the legal uncertainty, this can be rated as medium. Any breach could leave the organisation open to legal proceedings; therefore the capability to exploit this vulnerability is low. Using Table 4.5, this gives a vulnerability rating of high. The impact from legal issues can be rated as medium; they use organisation resources and may provide negative publicity.

An organisation does not have the political power of a full nation; therefore the required capability to politically attack the organisation is low. The only protection against this is to have strong political connections; however even this will be unable to prevent any attack, therefore the control can be considered as low. The vulnerability is therefore high; however the impact will not be great, and can be rated as low.

A broad social attack, where malicious rumours are used to damage the organisation's image, only requires low capability; however, laws and strong corporate communications will be a strong control to illustrate the false nature of the claims. This gives a social vulnerability to perception management as medium. The social impact can be considered as low, due to the origin of the rumours. However, should this be coupled with a data breach, both the impact and vulnerability will be high.

Employees who are unaware of potential threats may fall victim to social engineering. Due to the widespread use of social networks, these have become an ideal social engineering tool through which employees can be targeted (Trustwave, 2011). As social networks can be accessed on personal mobile devices that are outside of the organisation's network, blocking employee access will have little effect; employee awareness training is cited as the most effective measure (Cisco, 2011; Trustwave, 2011). The required capability to conduct social engineering is low. As it preys on human weaknesses and creates uncertainty, the effects of awareness training will have their limits; therefore the control strength can be rated as medium. This results in a high vulnerability to social engineering. Using the information gained from social engineering, such as logon details, an attacker may breach confidentiality and integrity; this has a very high impact.

Steps 2B, 3B, and 4B: Technical factors

Cloud services may be physically located outside of the physical and network perimeter of the organisation; therefore any data being retrieved from or sent to the cloud will pass through the organisation's network gateway. As the connectivity to the cloud is dependent on the functioning of the gateway, this can be considered as a singularity, or a central point. Should the organisation's gateway be subjected to a DoS attack, the availability of the cloud services will be severely hampered. Little can be done to protect from large quantities of illegitimate traffic overloading the gateway; filtering may help to a small extent. The control strength against a DoS attack is very low.

To conduct a DoS attack a botnet needs to be created and maintained, however there are tools available on the Internet to do so. The required capability can therefore be rated as medium; using Table 4.5 the vulnerability rating is seen to be high.

In April 2011 Amazon's cloud services experienced an outage (Brooks, 2011); the potential impact of an outage can be illustrated by this incident, where organisations that relied on these services were badly affected. For the SaaS and PaaS models, where the applications reside on the cloud, an outage may have a high impact as the client organisation will lose the availability of the applications or the ability to run them. For an IaaS model, where the cloud services can be seen as an extension to the client organisation's network, the impact will be low as the internal network will remain functional.

As the client used to access the cloud services is installed on all end-user machines, any design flaw or vulnerability will be repeated for every installation of the client. This is applicable to the concept of homogeneity; in this case it is high, and therefore the vulnerability will increase. Possible solutions to homogeneity proposed in Anderson et al. (1999) do not apply here; segmentation of the network will not remove the client vulnerabilities, and heterogeneity is not possible; therefore the control strength can be considered as very low. The client will not be freely available, as it is for subscribers to the cloud services; any potential attacker would first need to acquire the software in order to discover potential vulnerabilities prior to exploiting them. Therefore the capability required to exploit this is very high. This gives a vulnerability rating of medium. Should a vulnerability be exploited, an attacker may be able to access sensitive information, corrupt the information, or temporarily deny the user access to services. According to Hayden's priorities (described in Section 4.3.2.2), the impact due to a breach of confidentiality or integrity can be rated as very high; temporarily denying a user access can be rated as low.

As the cloud services require network connections, the proper functioning of the internal organisational network will affect availability of the cloud services. Should the internal network be operating very close to its maximum capacity, it may be susceptible to internal DoS attacks. This can be caused by malware propagating as it infects systems, or by a few infected machines transmitting large quantities of data packets; this will degrade legitimate traffic and thus the accessibility of the cloud services. Antivirus applications can be considered to be able to detect and remove a large proportion of known malware; however, they are not effective against previously unseen malware. Therefore they can be rated as having a high control strength. Malware creation kits are freely available on the Internet (Fisher, 2011c), yet the attacker still requires some technical ability; this will therefore be rated as medium. Provided the anti-virus applications are updated regularly, the vulnerability to malware can be rated as low.

The impact of a malware infection will be temporary; the infected machines can be removed from the network and cleaned, but the network services will not be available during recovery. Therefore the impact can be rated as medium for all cloud service models. Some malware, such as keyloggers and backdoors, allows for the retrieval of information from systems and logon details; this will then provide the attackers with the information to gain access to the cloud servers, corrupt the data and breach confidentiality. The vulnerability and threat ratings are the same for malware; however, the impact will be more severe, and can be rated as very high.

The introduction of mobility into an organisation's ICT increases vulnerability. The use of wireless networks and mobile communications results in electro-magnetic exposure, which is susceptible to jamming (denial of service) and interception. Whilst there are security measures on both wireless and mobile communications to prevent interception, these measures can still be broken (Nohl & Paget, 2009). The control strength against interception can be considered to be medium. Very little can be done regarding the jamming of wireless communications, except for removing the interference source; the control can therefore be considered as very low. The required capability to jam a connection is low as sufficient interference will do the job; however to break the encryption will be more difficult, and to breach integrity even more so. In addition to this, the attacker would need to be physically within signal range to conduct any of these attacks; this indicates a high level of planning would be required. The required capability will therefore be listed as very high to corrupt integrity, high to breach confidentiality, and low to jam the signal. This results in the respective vulnerabilities being high for jamming, and low for intercepting or corrupting the data in transit. The impact of jamming a mobile wireless connection is low; the user will only lose connectivity briefly. Breaches of integrity and confidentiality will be as before: very high.

Mobile devices may also be lost or stolen which increases physical exposure. The information contained thereon can be used to access cloud services. Whilst there are methods of remotely wiping the devices of all information, the attacker may retrieve the required logon details before the owner realises the device is missing and locks it. The control strength can therefore be considered to be medium. Low capability is required to steal the device. The vulnerability is therefore high. The impact is as before: very high for the breach of confidentiality and integrity.

There is also a degree of physical exposure of an organisation's internal network, and the connection points to the external Internet. An attacker may attempt to gain access in order to breach confidentiality or integrity, or disrupt services. With reasonable physical security and awareness training, gaining access may be difficult; therefore the control strength can be considered as high.

The required capability to gain access can be considered to be medium, as there is a risk of getting caught and possibly inside information or assistance would be required to gain full access. This results in a low vulnerability. To cut external physical connections, however, may be simpler, and the required capability is low, with low control strength. This gives a high vulnerability to denial of external connectivity. As before, the impact of breaching confidentiality or integrity is very high, and the impact of denying services is low.

The data residing on the cloud infrastructure (for the IaaS model), and the data in transit between the organisation's network and the cloud infrastructure may also be targeted. Encryption provides a strong control, however it can be broken. It can therefore be rated as high for preventing a breach of confidentiality, and very high for detecting corruption. The required effort to break the encryption can also be rated as high for breaching confidentiality and very high for corrupting the information; this results in a low and very low vulnerability, respectively. The impact for these breaches will be very high.

The functioning of cloud services is dependent on the correct functioning of the organisation's Internet service provider (ISP). Should a DoS attack be successfully mounted against the ISP, the organisation will lose access to the cloud services; no control can be provided by the organisation for this, and the strength can be considered to be very low. However, the ISPs are resilient, and have their own control measures; the required capability to disrupt them would be very high. The vulnerability is therefore medium. As for a DoS attack on the organisation's gateway, the impact will be low for IaaS and high for both SaaS and PaaS models.
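
The ratings stated in this section can be cross-checked against each other even though Table 4.5 is not reproduced here. The following is an added example, not part of the original text: it records each stated control strength, required capability and resulting vulnerability, and flags any pair where a finding with weaker-or-equal control and lower-or-equal required capability has nevertheless been given the lower vulnerability. The function names and the short finding labels are assumptions made for illustration.

```python
from itertools import permutations

SCALE = {"very low": 0, "low": 1, "medium": 2, "high": 3, "very high": 4}

# (finding, control strength, required capability, vulnerability) as stated
# in the section text; the short finding labels are this example's own.
ASSESSMENTS = [
    ("legal liability",         "medium",    "low",       "high"),
    ("political attack",        "low",       "low",       "high"),
    ("social engineering",      "medium",    "low",       "high"),
    ("DoS on gateway",          "very low",  "medium",    "high"),
    ("client vulnerabilities",  "very low",  "very high", "medium"),
    ("malware",                 "high",      "medium",    "low"),
    ("wireless jamming",        "very low",  "low",       "high"),
    ("wireless interception",   "medium",    "high",      "low"),
    ("lost or stolen device",   "medium",    "low",       "high"),
    ("physical network access", "high",      "medium",    "low"),
    ("cut external link",       "low",       "low",       "high"),
    ("cloud data confidentiality", "high",      "high",      "low"),
    ("cloud data integrity",       "very high", "very high", "very low"),
    ("DoS on ISP",              "very low",  "very high", "medium"),
]


def inconsistencies(rows):
    """Return (a, b) name pairs where a is at least as easy to attack as b
    (control no stronger, required capability no higher) but a is rated
    strictly less vulnerable than b. Identical inputs with different
    vulnerability ratings are caught by the same test."""
    found = []
    for a, b in permutations(rows, 2):
        easier = SCALE[a[1]] <= SCALE[b[1]] and SCALE[a[2]] <= SCALE[b[2]]
        if easier and SCALE[a[3]] < SCALE[b[3]]:
            found.append((a[0], b[0]))
    return found


def rerate(rows, finding, vulnerability):
    """Copy of rows with one finding's vulnerability rating changed."""
    return [(n, c, k, vulnerability if n == finding else v)
            for n, c, k, v in rows]


if __name__ == "__main__":
    # The section's own ratings, then a constructed slip for comparison.
    print(inconsistencies(ASSESSMENTS))
    print(inconsistencies(rerate(ASSESSMENTS, "malware", "high")))
```

The second call uses a constructed mis-rating (malware re-rated as high) to show what a flagged pair looks like; it is not a rating from the text.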