Cyber Security Risk Assessment for AMC
ISTM 635-602
Akanksha Pathak
Balvaishwer Singh
David Zuniga
Pratima Purohit
Tushara Chigicherla Kamalakar
The Specialists
Aggie Code of Honor
For many years Aggies have followed a Code of Honor, which is stated in this very simple verse:
An Aggie does not lie, cheat or steal or tolerate those who do.
The Aggie Code of Honor is an effort to unify the aims of all Texas A&M men and women
toward a high code of ethics and personal dignity. For most, living under this code will be no
problem, as it asks nothing of a person that is beyond reason. It only calls for honesty and
integrity, characteristics that Aggies have always exemplified.
The Aggie Code of Honor functions as a symbol to all Aggies, promoting understanding and
loyalty to truth and confidence in each other.
We have followed the strictures of the Texas A&M University Aggie Code of Honor throughout this project.
Akanksha Pathak ______________________
Balvaishwer Singh ______________________
David Zuniga ______________________
Pratima Purohit ______________________
Tushara Chigicherla Kamalakar ______________________
Table of Contents
Executive Summary 1
Asset Identification 2
Asset Classification 6
Vulnerability and Threat Identification 9
Cybersecurity Risk Estimation 17
Cybersecurity Risk Management Strategy 26
Appendix A 29
Appendix B 30
Appendix C 40
Appendix D 40
Appendix E 41
References 44
Glossary 45
Team Work 46
Executive Summary
No organization is immune to cyber-attacks. However, if effective controls are in place, the likelihood and impact of attacks can be reduced. Preventive controls keep attacks from occurring. Detective controls aid in monitoring assets and alert the organization in case of an attack. Corrective controls help limit the impact of attacks and mitigate them. In this project, we analyze Aggie Medical Center (AMC), situated in Bryan/College Station. We gather information about its assets, management's perspective on cyber security, the operational view, etc., and provide a risk assessment and mitigation strategies based on the information in the case.
The initial step is to identify the critical assets in AMC. Once the assets are listed, we score them based on the financial, operational and legal impacts of asset failure, which yields a maximum score of 18 for each asset. Next, we select five critical assets based on the asset value score. For each critical asset we give a tree analysis and identify technical and non-technical threats, vulnerabilities and exploits. We then find impact scores for each of the vulnerabilities and calculate their likelihood. Once we have the impact and likelihood scores, we use the risk matrix to estimate the risk associated with the vulnerabilities of each asset. Based on the risk assessment we provide a risk management strategy for each. These are the major tasks and objectives of this project.
According to our analysis, the critical assets are the Patient Database, the Emergency Care Data System Server, the PMS Server, the FRKS Server, and the Employee and department database. Most of the vulnerabilities can be mitigated by installing software updates and security patches regularly. The non-technical vulnerabilities can be mitigated or avoided by providing proper training to all workers and employing additional surveillance measures, such as installing security cameras and hiring more security guards.
Accepting a risk means no action needs to be taken: the organization simply accepts the risk and does little or nothing to deal with it. This is a reasonable strategy for risks ranked low to medium. Avoiding the risk is a good strategy when a risk has a comparatively large impact on the organization; a risk is avoided by eliminating the technologies or activities that cause it. Mitigating a risk limits its impact; this is the most common risk management strategy employed by organizations. Transferring the risk means the organization hands the impact and management of the risk to someone else (contractors, an insurance company, etc.). Sharing the risk means part of the responsibility for managing it is shared, which happens when one department depends on services provided by another. Based on the level of each risk, its financial impact and the controls that can be implemented, we have devised the best strategy to accept, avoid, mitigate, transfer or share it.
In this report, we present a detailed analysis and assessment strategies to overcome the vulnerabilities identified for the critical assets. The project aided us in understanding (a) how assets are identified, scored and ranked; (b) how vulnerabilities and threats are identified; and (c) how impact scores for the vulnerabilities are found, probable risks are assessed, and risk mitigation strategies are suggested. The report is a consolidated cyber security risk management document that AMC can use to handle its vulnerabilities.
Asset Identification
The following is a list of assets that our group identified from the case study.
Table #1: Asset Identification
Columns: Asset Code/ID, Asset Name, Asset Description, Reason for Cybersecurity Risk Assessment.

1. Workstation
Description: Workstation in administration (W7) with Windows 7 running on it.
Reason for assessment: Windows has many vulnerabilities that can be exploited by attackers, for instance Internet Explorer vulnerabilities (MS15-079) and the Redirect to SMB vulnerability (CVE-2015-5143). Making sure that the system is up to date is essential in preventing attacks; the latest patches for all applications (firewall, anti-virus, etc.) should also be installed.

2. Personal Computer
Description: PC in the labs (RH6) with Red Hat Linux 6 running on it.
Reason for assessment: These are vulnerable to phishing and spoofing attacks. Malware can also be easily introduced into the system if the owner of the computer is given a compromised USB/thumb drive. Attackers can use social engineering attacks to gain personal information that could help in cracking the passwords to these machines. Unauthorized access could lead to system failure or to loss or manipulation of critical information.

3. Personal Computer
Description: PC in the treatment rooms (W8) with Windows 8 running on it.
Reason for assessment: The same as for asset 2: phishing and spoofing attacks, malware introduced through a compromised USB/thumb drive, social engineering to obtain information that helps in cracking passwords, and unauthorized access leading to system failure or to loss or manipulation of critical information.

4. Switch
Description: Switch that uses Cisco SG100D-08-NA.
Reason for assessment: If attackers gain access to switches they can use them to map the entire network of the organization, trace the network topology, and sniff traffic to change routing table contents. They can also launch session hijacking attacks.

5. Router
Description: Router that uses Cisco 2951.
Reason for assessment: Attackers can use spoofed ARP messages to modify the target's ARP table mapping. They can play man in the middle and modify packets, and they can spoof the victim's IP address.

6. PMS Server
Description: Server that uses MS Access 2016 for the Personnel Management System.
Reason for assessment: Servers are susceptible to DoS attacks; attackers can continuously overwhelm the server with requests, leading to a server crash. If default passwords are used, attackers can gain access to the server, enabling them to reroute, modify or delete traffic. The impact on the availability of the server would be high.

7. FRKS Server
Description: Server that uses Oracle 10g for the Financial Record Keeping System.
Reason for assessment: This is a very important asset. If it were compromised, many people would have serious problems: insurance details, bank statements, medical payment records, etc. would be exposed. This data can be used to extrapolate the financial details of an individual, and attackers can use it to extract money or other favors (blackmail). Proper access control needs to be in place to prohibit unauthorized access.

8. ECDS Server
Description: Server that uses SQL Server 2016 for the Emergency Care Data System.
Reason for assessment: Servers are susceptible to DoS attacks; attackers can continuously overwhelm the server with requests, leading to a server crash. If default passwords are used, attackers can gain access to the server, enabling them to reroute, modify or delete traffic. All the data that this server routes is highly confidential, as it affects people's lives.

9. MLS Server
Description: Server that uses Solaris/AIX for the Medical Logistics System.
Reason for assessment: Servers are susceptible to DoS attacks; attackers can continuously overwhelm the server with requests, leading to a server crash. If default passwords are used, attackers can gain access to the server, enabling them to reroute, modify or delete traffic. The data in the packets exchanged over this server includes details about patient medical records. This data is personal and confidential to each patient, so access to this server should be restricted.

10. UTP wires
Description: All lines that are connected use Unshielded Twisted Pair wires.
Reason for assessment: If an attack is launched against the signal on the wire, hackers might be able to copy information as it flows in the form of bits. This is less dangerous if an appropriate software encryption mechanism is employed for the transmission. Depending on the communication medium, hackers might be able to steal either information or bandwidth. Distribution and core devices must be secured from unauthorized access; at the same time, authorized personnel must have ready access to patch panels, and cables must be clearly marked and available for visual inspection.

11. Patient Database
Description: Database of most of the important patient information; OS10, MongoDB.
Reason for assessment: The PDI System could be vulnerable if default credentials were still in use or if there is no proper assessment of user access. The stored information itself could be vulnerable to SQL or command injection attacks. The data is vulnerable to modification and theft, firewall breach, etc., and attackers can also cause system failure. All these reasons make this a highly critical asset that needs the utmost security: the availability of the system and the integrity and confidentiality of the data within it are in danger here.

12. Paper medical records
Description: Complete patient records are on paper.
Reason for assessment: Paper records are susceptible to getting lost or being stolen. The sheer number of records makes it very easy to lose track of them, and a simple misplacement of a record can cause unforeseen problems, or even chaos. These records may contain confidential patient information which, in the wrong hands, spells disaster. The availability, integrity and confidentiality of the records are vulnerable.

13. Emergency Care Data System Server
Description: Diagnosis, who saw patients, what was done, billing support, patient demographics, types of care, etc.
Reason for assessment: Disclosing information stored in this system would be trespassing into the private lives of patients. For instance, a VIP might be sick and not want this information made public; if attackers gained access to it, it could lead to bad publicity and public shaming of that VIP, and individuals could use such information to vandalize the competition. The server is a SQL Server 2016 system. Because of the type of data it handles, high-level access controls need to be in place.

14. Email Server
Description: A common server with important information and historical data.
Reason for assessment: If the email server is hacked into, emails become transparent: any email sent or received is open to the scrutiny of the attackers, who can read, modify or delete the message itself. All of the historical emails could be destroyed or manipulated. Attackers can cause the system to fail, or play man in the middle and read, manipulate or sell the data exchanged in the emails.

15. Employee and department database
Description: Demographics, work histories, assignments, skills, disciplinary records.
Reason for assessment: Work histories, disciplinary records and demographics are all confidential information. If attackers gain access to these data, they can use them to threaten (or blackmail) the individual record holders. They can also cause this system to fail. This system could be vulnerable to DoS and command injection attacks.

16. Medical Logistics Database
Description: Inventory of supplies, real property, equipment, medicines, etc.
Reason for assessment: Information such as inventory supplies and equipment usage gives insight into the demand and needs of the organization. Attackers can sell this information to equipment or pharmaceutical companies, which in turn can use such logistics to influence the type of equipment AMC would purchase in the future. They can also cause negative publicity for the medicines generally prescribed by AMC, mostly by discrediting the medicines it uses.

17. Pharmacy System database
Description: Supports automated drug dispensing.
Reason for assessment: If attackers gained control of this system, they could control the dosage of drugs dispensed every time and could literally kill someone. Incorrect dosage or the wrong medication is one of the leading causes of death in the world. Attackers could cause mass murder, with every patient's life at the whim of the attacker. There should be strict access control for these systems, and the personnel with access to these machines should be well trained and well informed about the complications that would arise if access were to fall into the wrong hands.

18. ABC Systems
Description: Manages all major changes, maintenance and upkeep.
Reason for assessment: It is always important to check the level of access that needs to be provided to the maintenance teams. Unnecessary access could cause problems: attackers could exploit this loophole to gain unauthorized access and install backdoors into the system, leak confidential information, and cause system failure, thus making the system unavailable.

19. AMC Help Desk
Description: Five PC technicians (not part of the core IT staff).
Reason for assessment: Proper training and mandatory courses are a must for the help desk members, because without proper awareness of cybersecurity risks their machines and resources can at times become the means of transferring viruses and malicious programs when they connect their machines to other nodes.
Asset Classification
The next step after asset identification is classifying the assets and scoring them on various
criteria. The following tables describe the scale and the measures used to classify the assets.
1. Scale - Financial Value
Table #2: Measures for classifying assets by their financial value
Very High (3): $3K+ | High (2): $1K-$3K | Medium (1): $500-$1K | Low (0): <$500
2. Mission Criticality
Table #3: Measures for classifying assets by their mission criticality
Very High (3): Critical | High (2): Important | Medium (1): Supportive | Low (0): No impact
3. Business Process (BP1) – Seeking Appointment
This business process starts with a patient contacting the hospital to book an appointment. Appointments can be made by telephone, email or in person. The important assets are the servers/workstations that host the appointment scheduler, if the scheduler is a web-based application. The process ends successfully when the patient is able to book an appointment remotely or in person.
4. Business Process (BP2) – Claim Insurance
This business process involves claiming insurance: the hospital submits a request to the insurance company and then claims the required insurance amount.
5. Business Process (BP3) – Payment Processing
Payment processing involves billing the patient after the claim deductions have been made. A billing report is generated for each successful payment processed.
6. Legal Protection Requirement
Table #4: Measures for classifying assets by their legal protection requirement
Very High (3): Critical | High (2): Important | Medium (1): Supportive | Low (0): No impact
Table #5: Asset scores
Columns: Asset ID; Financial Value (Develop $, Maintain $, Replace $); Mission Criticality (BP1 appointment, BP2 insurance, BP3 payment); Protection Requirement (Industry Standard, Y/N); Score.
ID  Develop  Maintain  Replace  BP1  BP2  BP3  Industry Std  Score
 1     1        1         1      2    2    1       N           8
 2     1        1         1      2    0    0       N           5
 3     1        1         1      2    0    0       N           5
 4     0        0         1      0    0    0       N           1
 5     1        1         2      1    1    1       N           7
 6     2        2         3      2    3    2       Y          15
 7     2        2         3      1    2    3       Y          14
 8     2        2         3      0    1    1       Y          10
 9     2        2         3      0    0    0       Y           8
10     1        0         3      1    1    1       N           7
11     2        2         3      2    3    2       Y          15
12     1        0         2      0    1    1       N           5
13     3        2         3      0    2    2       Y          13
14     1        0         2      1    0    0       Y           5
15     2        2         3      1    1    1       Y          11
16     2        2         3      0    0    0       N           7
17     2        2         3      0    1    1       Y          10
18     2        2         3      2    1    1       N          11
19     3        2         3      0    0    1       Y          10
7. Ranking Assets
Table #6
Columns: Asset Rank | Asset Code/ID | Asset Name | Asset Description | Researcher
1 | 11 | Patient Database | Database of most of the important patient information; OS10, MongoDB | Balvaishwer
2 | 13 | Emergency Care Data System Server | Diagnosis, who saw patients, what was done, billing support, patient demographics, types of care, etc. | Tushara
3 | 6 | PMS Server | Server that uses MS Access 2016 for the Personnel Management System | David
4 | 7 | FRKS Server | Server that uses Oracle 10g for the Financial Record Keeping System | Akanksha
5 | 15 | Employee and department database | Demographics, work histories, assignments, skills, disciplinary records | Pratima
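The scoring and ranking steps above, carried through in Python as an added example (this code is not part of the report). The report does not write its scoring formula out; the rule used here (sum of the six 0-3 components, plus 1 when an industry standard applies) is an assumption inferred from the rows of Table #5, and it reproduces every score in that table. Sorting by score alone puts assets 6 and 11 (both 15) ahead of 7, 13 and 15; the report's Table #6 orders the same five assets differently, which reflects the team's judgement rather than the arithmetic.

```python
from dataclasses import dataclass

# Scale shared by every scoring component (Tables #2 to #4 of the report).
VERY_HIGH, HIGH, MEDIUM, LOW = 3, 2, 1, 0


@dataclass(frozen=True)
class Asset:
    asset_id: int
    name: str
    develop: int             # financial value: cost to develop
    maintain: int            # financial value: cost to maintain
    replace: int             # financial value: cost to replace
    bp1: int                 # mission criticality for BP1, seeking appointment
    bp2: int                 # mission criticality for BP2, claim insurance
    bp3: int                 # mission criticality for BP3, payment processing
    industry_standard: bool  # legal protection requirement applies (Y/N)

    def value(self) -> int:
        """Asset value score as tabulated in Table #5.

        ASSUMPTION: the formula is inferred from the table, not stated in
        the report: sum of the six components plus 1 for an industry standard.
        """
        components = (self.develop, self.maintain, self.replace,
                      self.bp1, self.bp2, self.bp3)
        for c in components:
            if not LOW <= c <= VERY_HIGH:
                raise ValueError(f"asset {self.asset_id}: component {c} outside 0..3")
        return sum(components) + (1 if self.industry_standard else 0)


# The 19 assets exactly as scored in Table #5.
ASSETS = [
    Asset(1, "Workstation", 1, 1, 1, 2, 2, 1, False),
    Asset(2, "Personal Computer (labs)", 1, 1, 1, 2, 0, 0, False),
    Asset(3, "Personal Computer (treatment rooms)", 1, 1, 1, 2, 0, 0, False),
    Asset(4, "Switch", 0, 0, 1, 0, 0, 0, False),
    Asset(5, "Router", 1, 1, 2, 1, 1, 1, False),
    Asset(6, "PMS Server", 2, 2, 3, 2, 3, 2, True),
    Asset(7, "FRKS Server", 2, 2, 3, 1, 2, 3, True),
    Asset(8, "ECDS Server", 2, 2, 3, 0, 1, 1, True),
    Asset(9, "MLS Server", 2, 2, 3, 0, 0, 0, True),
    Asset(10, "UTP wires", 1, 0, 3, 1, 1, 1, False),
    Asset(11, "Patient Database", 2, 2, 3, 2, 3, 2, True),
    Asset(12, "Paper medical records", 1, 0, 2, 0, 1, 1, False),
    Asset(13, "Emergency Care Data System Server", 3, 2, 3, 0, 2, 2, True),
    Asset(14, "Email Server", 1, 0, 2, 1, 0, 0, True),
    Asset(15, "Employee and department database", 2, 2, 3, 1, 1, 1, True),
    Asset(16, "Medical Logistics Database", 2, 2, 3, 0, 0, 0, False),
    Asset(17, "Pharmacy System database", 2, 2, 3, 0, 1, 1, True),
    Asset(18, "ABC Systems", 2, 2, 3, 2, 1, 1, False),
    Asset(19, "AMC Help Desk", 3, 2, 3, 0, 0, 1, True),
]


def score_table(assets=ASSETS) -> dict:
    """Map asset ID -> asset value score (the Score column of Table #5)."""
    return {a.asset_id: a.value() for a in assets}


def rank_assets(assets=ASSETS, top_n=5) -> list:
    """Highest score first; ties broken by lower asset ID so the order is stable."""
    return sorted(assets, key=lambda a: (-a.value(), a.asset_id))[:top_n]


if __name__ == "__main__":
    for rank, a in enumerate(rank_assets(), start=1):
        print(f"{rank}. asset {a.asset_id:2d} {a.name:<36} score {a.value()}")
```

One caveat for anyone reusing the rule: an asset scoring 3 on all six components with an industry standard would reach 19 under it, whereas the executive summary quotes a maximum of 18, so the +1 for the protection requirement should be confirmed against the team's own worksheet before the script is used for a new asset list.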
Vulnerability and Threat Identification
Asset 1: Patient Database
The patient database consists of the records that are specific to each patient. These records need to be protected so that there is no misuse of the information. It needs to have:
Confidentiality - so that no source outside the office can retrieve the information when it is accessed away from the hospital premises.
Integrity - so that the data remain accurate whenever required and no one can change them.
Availability - so that the information remains on the server whenever it is needed for internal or external purposes.
i. Documenting the Threat Statement
Table #7: Threat statement for the Patient Database
Each row gives the vulnerability ID; the asset failure impacts on Confidentiality / Integrity / Availability (see Note 1); what the vulnerability is due to, as Technical, Administrative and Physical causes (see Note 2); the exploit; and the threat agents, insider and outsider.
1.1 | C: Yes, I: Yes, A: Yes | Tech: CVE-2013-3969, execute arbitrary code via an invalid RefDB object; Admin/Phys: No | Exploit: Denial of Service, Execute Code | Insider: Employees; Outsider: Hackers
1.2 | C: No, I: No, A: Yes | Tech: CVE-2017-14227, MongoDB libbson 1.7.0 can be exploited by attackers by miscalculating the bson_utf8_validate length argument; Admin/Phys: No | Exploit: DoS attack | Insider: Employees; Outsider: Hackers
1.3 | C: Yes, I: Yes (modification of patient information), A: Yes | Tech: Poor design and implementation of the PDIS application, with no auto-logout mechanism; Admin: Doctors log in to TSPs from multiple locations without logging out; Phys: Leaving TSPs unattended in a public area | Exploit: Unauthorized access to important patient information | Insider: Employees; Outsider: Hackers
1.4 | C: Yes, I: Yes, A: Yes | Tech: Unaware of how to store logs for the PDIS; Admin: Lack of training/awareness among staff; Phys: Sharing of passwords | Exploit: Stolen passwords / spear-phishing | Insider: Employees; Outsider: Hackers
ii. Evidence for each vulnerability
Vulnerability 1:
Under the assumption made in class that the database of the Patient Database Information System (PDIS) is MongoDB, there are many potential vulnerabilities that could be exploited in this open-source software. Several concerns were also raised by senior management regarding the risk of intrusion from an outside attack. Ref. Table 2 of the case study, "Senior Management Areas of concern for important assets".
Vulnerability 2:
Under the same assumption that the PDIS database is MongoDB, there are many potential vulnerabilities that could be exploited in this open-source software. The concern raised by general staff and senior management regarding the dropping of connections to the PDIS also points to potential vulnerabilities that could be exploited. Ref. Table 2 of the case study, "Senior Management Areas of concern for important assets", and Table 10, "General Staff Security concerns for important assets".
Vulnerability 3:
Refer to Table 9, "General Staff Security concerns for important assets", where the operational manager raises the concern that an improper viewing mechanism serves as grounds for potential vulnerabilities. In conversation, the general staff revealed that a doctor may log in from one system and keep logging in from other systems without a proper log-in mechanism. This may lead to a vulnerability that can be exploited through the poor implementation of the system design.
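The two controls the threat statement for vulnerability 1.3 implies (an idle auto-logout, and no second open session when a doctor logs in from another TSP), written as a small server-side session store. This is an added example, not code from the report or from the PDIS application; the 15-minute idle limit is an assumption, as the case gives no figure.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 15 * 60  # ASSUMPTION: the case states no idle limit


@dataclass
class Session:
    user: str
    device: str
    last_activity: float


class SessionStore:
    """Server-side session table enforcing an idle auto-logout and one active
    session per user, the two mechanisms the PDIS application is said to lack."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS):
        self.idle_timeout = idle_timeout
        self._sessions: dict = {}  # token -> Session

    def login(self, user: str, device: str, now: float = None) -> tuple:
        """Open a session; returns (token, number of older sessions ended).
        A login from a second TSP ends the session left open on the first."""
        now = time.time() if now is None else now
        stale = [t for t, s in self._sessions.items() if s.user == user]
        for t in stale:
            del self._sessions[t]
        token = secrets.token_urlsafe(32)  # unguessable, from the OS CSPRNG
        self._sessions[token] = Session(user, device, now)
        return token, len(stale)

    def is_active(self, token: str, now: float = None) -> bool:
        """Validate a request's token. Ends the session if the idle limit has
        passed; otherwise refreshes the last-activity timestamp."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return False
        if now - s.last_activity > self.idle_timeout:
            del self._sessions[token]  # the auto-logout
            return False
        s.last_activity = now
        return True

    def logout(self, token: str) -> bool:
        """Explicit logout; True if a session was actually ended."""
        return self._sessions.pop(token, None) is not None

    def active_devices(self, user: str) -> list:
        """Devices with a live session for this user (at most one)."""
        return [s.device for s in self._sessions.values() if s.user == user]
```

Passing `now` explicitly keeps the idle-timeout logic testable without waiting; in production the default wall clock is used. Ending the older session on a new login is the simplest policy; an alternative is to refuse the second login and tell the user where the first session is still open.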
Vulnerability 4:
Refer to Table 5, "General Staff Security concerns for important assets", where the operational manager raises the concern that too many people have access to too much information and no proper access control management system has been devised. This leads to the potential vulnerability of no access management and people sharing passwords. In conversation, the general staff also mentioned the lack of training and password protection.
Asset 2: Emergency Care Data System Server
The Emergency Care Data System Server holds the records of each patient's medical report, which are used by the insurance department and for billing purposes. These records need to be protected so that there is no misuse of the information. It needs to have:
Confidentiality - so that no source outside the office can retrieve the information by gaining unauthorized access.
Integrity - so that the information that needs to be sent to and verified by other departments is accurate.
Availability - so that the records are ready to be used whenever required by the respective departments.
i. Documenting the Threat Statement
Table #8: Threat statement for the Emergency Care Data System Server
Each row gives the vulnerability ID; the asset failure impacts on Confidentiality / Integrity / Availability (see Note 1); what the vulnerability is due to, as Technical, Administrative and Physical causes (see Note 2); the exploit; and the threat agents, insider and outsider.
2.1 | C: Yes, I: No, A: Yes | Tech: CVE-2016-1035; Admin: None; Phys: Leaving Tablets and Smartphones (TSPs) unattended in a public area | Exploit: Unspecified vectors | Insider: Colleagues; Outsider: Hackers
2.2 | C: Yes, I: No, A: No | Tech: CVE-2016-3065; Admin: None; Phys: Leaving TSPs unattended in a public area | Exploit: Crafted byte value in a BRIN index | Insider: Colleagues; Outsider: Hackers
2.3 | C: Yes, I: Yes, A: Yes | Tech: None; Admin: None; Phys: Unguarded server room; lack of security personnel | Exploit: Server location; firewall configuration | Insider: Colleagues; Outsider: Hackers
2.4 | C: No, I: Yes, A: No | Tech: None; Admin: Improper training; Phys: None | Exploit: Too many people are entering the wrong data; multiple records for the same patient | Insider: Colleagues; Outsider: Hackers
ii. Evidence for each vulnerability
Vulnerability 1:
ECDS runs on SQL Server, as is evident from Figure 2 of the case. SQL Server is prone to injection attacks: attackers could modify queries via unspecified vectors in SQL Server 2016 and get hold of sensitive information. Senior management specifically states that the information on this server is highly sensitive and confidential, and that access needs to be granted only on a need-to-know basis. Table 5 also mentions that ECDS servers are susceptible to being hacked because of their location, and a lack of security personnel is noted under operational practices at AMC.
Vulnerability 2:
ECDS runs on SQL Server, as is evident from Figure 2 of the case. SQL Server has a vulnerability that lets attackers bypass access restrictions by making use of a byte index and get hold of the sensitive data stored on the server. Confidentiality is critical for the ECDS server. Table 5 also mentions that ECDS servers are susceptible to being hacked because of their location, and a lack of security personnel is noted under operational practices at AMC.
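The injection risk named in vulnerabilities 1 and 2 comes down to how the application builds its queries. The following is an added example, not code from the report or from the ECDS application: the same record lookup written the vulnerable way (query text assembled from the caller's input) and the hardened way (input checked against an allow-list pattern, then bound as a parameter). The `patient_record` table, the `MRN-nnnn` record-number format and the sample rows are constructed for the demonstration; SQLite stands in for SQL Server because the parameter-binding discipline is the same.

```python
import re
import sqlite3

# Constructed sample data; the real ECDS schema is not given in the case,
# so the table and column names are assumptions.
SAMPLE_ROWS = [
    ("MRN-0001", "sample diagnosis A"),
    ("MRN-0002", "sample diagnosis B"),
    ("MRN-0003", "sample diagnosis C"),
]

MRN_PATTERN = re.compile(r"MRN-\d{4}")  # assumed medical record number format


def make_demo_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the SQL Server instance behind ECDS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient_record (mrn TEXT PRIMARY KEY, diagnosis TEXT)")
    conn.executemany("INSERT INTO patient_record (mrn, diagnosis) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, mrn: str) -> list:
    """VULNERABLE: the caller's text is pasted into the SQL, so it can change
    the query's logic instead of being treated as a plain value."""
    sql = "SELECT mrn, diagnosis FROM patient_record WHERE mrn = '" + mrn + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, mrn: str) -> list:
    """HARDENED: allow-list the input format, then bind it as a parameter so
    the database driver never interprets it as SQL."""
    if not MRN_PATTERN.fullmatch(mrn):
        raise ValueError("rejected: input is not a well-formed MRN")
    return conn.execute(
        "SELECT mrn, diagnosis FROM patient_record WHERE mrn = ?", (mrn,)
    ).fetchall()


def rows_returned(mrn: str) -> tuple:
    """Rows each variant returns for the same input; -1 means the hardened
    variant rejected the input before any query ran."""
    conn = make_demo_db()
    unsafe = len(lookup_unsafe(conn, mrn))
    try:
        safe = len(lookup_safe(conn, mrn))
    except ValueError:
        safe = -1
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    print(rows_returned("MRN-0002"))       # legitimate lookup: (1, 1)
    print(rows_returned("x' OR '1'='1"))   # tautology in the WHERE clause: (3, -1)
```

The point the comparison makes is that the hardened version does not rely on spotting bad input: even without the allow-list check, the bound parameter would simply match no record. The allow-list is defence in depth and gives the application a clean rejection to log, which is the kind of event a detective control on the ECDS server should alert on.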
Vulnerability 3:
The operational managers are concerned that ECDS is susceptible to attacks because of its location and its firewall configuration. Evidence for this is in Table 5 of the case.
Vulnerability 4:
Senior management was also concerned that multiple employees could access, create or overwrite patient records, which could result in incorrect or multiple records for a patient. Evidence for this can be found in Table 5 of the case.
Asset 3: PMS Server
The PMS Server holds records internal to the organization relating to the work, assignments and skills available in the organization. These records need to be protected so that there is no misuse of the information. It needs to have:
Confidentiality - so that no source outside the office can retrieve the information when it is accessed away from the hospital premises.
Integrity - so that the data remain accurate whenever required and no one can change them.
Availability - so that the information remains on the server whenever it is needed for internal or external purposes.
i. Documenting the Threat Statement
Table #8: Threat statement for the PMS Server (Personnel Management System)
Each row gives the vulnerability ID; the asset failure impacts on Confidentiality / Integrity / Availability (see Note 1); what the vulnerability is due to, as Technical, Administrative and Physical causes (see Note 2); the exploit; and the threat agents, insider and outsider.
3.1 | C: Yes, I: Yes, A: Yes | Tech: Lack of encryption; Admin: Using a laptop in public areas and/or leaving the laptop logged in while taking a break; Phys: Lack of physical security in the room from which the PMS system can be logged into | Exploit: Unauthorized access; modification of patient information | Insider: Colleagues; Outsider: Attacker who has gained unauthorized access to the premises
3.2 | C: No, I: No, A: Yes | Tech: Power outages caused intentionally or unintentionally; Admin: Lack of sufficient power backup for the PMS server | Exploit: Denial of Service | Insider: Workers, staff members, power suppliers; Outsider: Attackers who can gain access to the power supply room
3.3 | C: No, I: No, A: Yes | Tech: CVE-2019-2411, running MS Access version 8.0.8 is vulnerable; Admin: None; Phys: Server location | Insider: Colleagues; Outsider: Attackers
3.4 | C: Yes, I: Yes, A: Yes | Tech: CVE-2017-10389, allows login to anyone with the same MS Access infrastructure; Admin: None; Phys: Improper training | Insider: Colleagues; Outsider: Attackers
ii. Evidence for each vulnerability
Vulnerability 1:
Senior management pointed out a concern for the important assets in Table 2 of the AMC case study: "Power outages can lead to a denial of access to PMS."
Vulnerability 2:
Senior management was also concerned that employees could harm the system because they have access to it, and pointed out that "Staff could disclose confidential patient financial information" (Reference: Table 2, AMC case study). This shows that the data is not properly encrypted and is comprehensible by anyone who has access to the system.
Vulnerability 3:
The PMS server is based on Microsoft Access 2016, as is evident from Figure 2 (Infrastructure Map, Critical Assets, and Systems of Interest) in the Aggie Medical Center (AMC) case study. Figure 2 shows the route of the network and how a denial of access attack can happen: many servers are connected to one switch, and that switch can be compromised because of its connection to multiple departments.
Vulnerability 4:
The PMS server is based on Microsoft Access 2016, as is evident from Figure 2 (Infrastructure Map, Critical Assets, and Systems of Interest) in the Aggie Medical Center (AMC) case study. Figure 2 shows the route of the network and how this type of vulnerability can happen. Often, and in this case, companies have one route from the workstations through the switch to the server. The workstations could also share the same login credentials for MS Access, which causes a major problem if one workstation is compromised or someone shoulder surfs.
Asset 4: FRKS Server
The FRKS Server is a record-keeping server where information related to insurance, billing records, patients' confidential information, etc. is stored. Hence it has a prime place in the security picture. It is important that this asset has:
Confidentiality - so that even the insiders who can access these records are not able to comprehend them.
Integrity - so that the information that needs to be sent to and verified by other departments is accurate.
Availability - so that the records are ready to be used whenever required by the respective departments.
i. Documenting the Threat Statement
Table #9: Threat statement for the FRKS Server (Financial Record Keeping System)
Each row gives the vulnerability ID; the asset failure impacts on Confidentiality / Integrity / Availability (see Note 1); what the vulnerability is due to, as Technical, Administrative and Physical causes (see Note 2); the exploit; and the threat agents, insider and outsider.
4.1 | C: No, I: No, A: Yes | Tech: Power outages caused intentionally or unintentionally; Admin: Lack of sufficient power backup for the FRKS server | Exploit: Denial of access | Insider: Workers, staff members, power suppliers; Outsider: Attackers who can gain access to the power supply room
4.2 | C: Yes, I: Yes, A: Yes | Tech: Lack of encryption; Admin: Using a laptop in public areas and/or leaving the laptop logged in while taking a break; Phys: Lack of physical security in the room from which the FRKS system can be logged into | Exploit: Unauthorized access | Insider: Colleagues; Outsider: Attackers who can gain access to the power supply room
4.3 | C: Yes, I: Yes (modification of patient information), A: Yes | Tech: CVE-2006-0272; Admin: Using a laptop in public areas and/or leaving the laptop logged in while taking a break | Exploit: Buffer overflow | Insider: Insider with admin credentials; Outsider: Attackers
4.4 | C: Yes, I: Yes, A: Yes | Tech: CVE-2006-6703; Admin: If ModSecurity is not enabled or the latest patch is not applied | Exploit: Cross-site scripting | Insider: User who knows simple SQL coding and has access to the system; Outsider: Attackers
ii. Evidence for each vulnerability
Vulnerability 1:
Senior management pointed out a concern for the important assets in Table 2 of the AMC case study: "Power outages can lead to a denial of access to FRKS. We'd have to deal with a potentially large backlog of data entry and verification to do billing and insurance". Thus there is evidence that this could occur.
Vulnerability 2:
Senior management was also concerned that employees could harm the system because they have access to it, and pointed out that "Staff could disclose confidential patient financial information" (Reference: Table 2, AMC case study). This shows that the data is not properly encrypted and is comprehensible by anyone who has access to the system. There is thus a security requirement to keep the data confidential.
Vulnerability 3:
The FRKS Server is based on Oracle 10g, as is evident from Figure 2 (Infrastructure Map, Critical Assets, and Systems of Interest) in the Aggie Medical Center (AMC) case study. This vulnerability in Oracle 10g is listed as being of high risk and criticality. The figure also shows that the FRKS Server is placed in the administration department, whose workstations run Windows as the operating system. Link: https://nvd.nist.gov/vuln/detail/CVE-2006-0272
Vulnerability 4:
The FRKS Server is based on Oracle 10g, as is evident from Figure 2 (Infrastructure Map, Critical Assets, and Systems of Interest) in the Aggie Medical Center (AMC) case study. This vulnerability in Oracle 10g is listed as being of high risk and criticality. Link: https://nvd.nist.gov/vuln/detail/CVE-2006-6703
Asset 5: Employee and department database
As the name indicates, this database holds information about the employees working in the medical center and its various departments. A breach of this information would not only be detrimental to the organization but would disrupt it internally. Hence protecting this information is deemed to be of high importance.
It needs to have:
Confidentiality - so that no outside source can take advantage of the employees in any way.
Integrity - so that the information is not altered and is verified on a timely basis to ensure trust in the organization.
Availability - so that the information can be retrieved whenever needed, especially for auditing and verification purposes.
i. Documenting the Threat Statement
Table #10: Threat statement for the Employee and Department Database
Each row gives the vulnerability ID; the asset failure impacts on Confidentiality / Integrity / Availability (see Note 1); what the vulnerability is due to, as Technical, Administrative and Physical causes (see Note 2); the exploit; and the threat agents, insider and outsider.
5.1 | C: Yes, I: Yes, A: Yes | Tech: CVE-2002-0570, no proper authentication of the entity that is encrypting the data, which allows local users to modify encrypted data without knowing the key; Admin: None | Exploit: Sniffing data packets on the network; refabricating employee information | Insider: Employees; Outsider: Hackers
5.2 | C: Yes, I: Yes, A: Yes | Tech: CVE-2017-5653, not validating that the service response was signed or encrypted, thereby allowing anyone to spoof servers remotely; Admin: None | Exploit: DoS attack; refabricating employee information; modifying code to monitor the network data; cross-site scripting | Insider: Employees (people who have basic knowledge of computers); Outsider: Hackers
5.3 | C: Yes, I: Yes (modification of patient information), A: Yes | Tech: Employee and department data stored in unencrypted format; Admin: Using laptops on public Wi-Fi / keeping systems logged in while leaving the system; Phys: Placement of the employee database on machines that can be accessed by all members of the organization | Exploit: Unauthorized access to important employee information | Insider: Employees; Outsider: Hackers
5.4 | C: Yes, I: Yes, A: Yes | Tech: Employees have no knowledge of the employee update logs in the system; Admin: Inefficient training / skill set of the employees using the database | Exploit: Modification of the employee information | Insider: Employees; Outsider: Hackers
ii. Evidence for each vulnerability
Vulnerability 1:
In the operational practices, authentication and authorization survey results, the operational manager is unclear about access control and user authentication. The policy does not clearly specify the authentication and authorization restrictions, which might result in the introduction of CVE-2017-5653 into the system.
Vulnerability 2:
In the operational practices, authentication and authorization results, no validation of responses takes place when data is committed to the database servers, due to which the CVE-2002-0570 vulnerability may be introduced into the system.
Vulnerability 3:
As mentioned in the table 2 containing different assets for the systems, it is seen that there
is no physical security for the room to access the systems as anyone could wander and see the
confidential information displayed on the workstations.
Vulnerability 4:
As mentioned in the table 2 containing the different assets for the systems, it is seen that
due to improper training staff could intentionally enter erroneous data into the system. Hence, there
is evidence of this vulnerability being present in the system.
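Row 5.2 of Table #10 describes a service that accepts a response without checking that it was signed. The following is an added example, not code from the AMC report and not the product code behind CVE-2017-5653: a simplified response envelope signed with HMAC-SHA256 over a canonical serialisation, with a verifier that rejects unsigned, tampered, stale and replayed responses, shown next to the vulnerable pattern that only checks a signature when one happens to be present. The key, the employee records and the clock are constructed for the demonstration.

```python
"""Signed service responses: the vulnerable 'verify only if a signature is
present' pattern beside a verifier that requires one. Added example; the
key and records are constructed for the demo, and HMAC stands in for the
XML/SAML signatures used by real single sign-on services."""
import hashlib
import hmac
import json
import time
from typing import Callable, Optional


def canonical(payload: dict) -> bytes:
    """Deterministic serialisation so signer and verifier hash the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_response(key: bytes, payload: dict, issued_at: float) -> dict:
    """Server side: stamp the response and sign the whole body (incl. the timestamp)."""
    body = dict(payload, issued_at=issued_at)
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": mac}


def vulnerable_verify(key: bytes, envelope: dict) -> Optional[dict]:
    """The failure mode of Table #10 row 5.2: a signature is checked only when
    the response carries one, so an attacker simply omits it."""
    body = envelope.get("body")
    sig = envelope.get("sig")
    if sig is not None:
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None
    return body  # unsigned responses fall through and are trusted


class ResponseVerifier:
    """Hardened receiver: no signature means no trust, and a valid signature
    is additionally bound to a freshness window and a replay cache."""

    def __init__(self, key: bytes, max_age: float = 300.0,
                 clock: Callable[[], float] = time.time) -> None:
        self._key = key
        self._max_age = max_age
        self._clock = clock
        self._seen: set = set()  # signatures already accepted (replay cache)

    def verify(self, envelope: dict) -> Optional[dict]:
        body = envelope.get("body")
        sig = envelope.get("sig")
        if not isinstance(body, dict) or not isinstance(sig, str):
            return None  # unsigned or malformed: reject
        expected = hmac.new(self._key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None  # tampered body or wrong key
        issued = body.get("issued_at")
        if not isinstance(issued, (int, float)) or abs(self._clock() - issued) > self._max_age:
            return None  # stale (or clock-skewed) response
        if sig in self._seen:
            return None  # replayed response
        self._seen.add(sig)
        return body


if __name__ == "__main__":
    key = b"constructed-demo-key"
    env = sign_response(key, {"employee_id": "E1042", "dept": "Radiology"}, time.time())
    forged = {"body": {"employee_id": "E9999", "dept": "Payroll", "issued_at": time.time()}}
    print("vulnerable accepts forged:", vulnerable_verify(key, forged) is not None)
    print("hardened accepts forged:  ", ResponseVerifier(key).verify(forged) is not None)
    print("hardened accepts genuine: ", ResponseVerifier(key).verify(env) is not None)
```

The certificate management proposed under mitigation 5.2 plays the role of the shared key here: whatever the signature scheme, the receiver must fail closed when the signature is absent, not only when it is wrong.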
Cybersecurity Risk Estimation
Figure# 1
Risk assessments are used to identify, estimate, and prioritize risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems (NIST SP 800-30 Rev. 1).
We have identified:
1. the relevant threats to the organization
2. the technical and non-technical vulnerabilities
3. the impact if those vulnerabilities are exploited
4. the likelihood of exploitation
For each non-technical vulnerability we estimated the CVSS parameters to the best of our judgment and used the CVSS calculator to obtain its impact and exploitability subscores, from which we derived the impact score and the likelihood. For the technical vulnerabilities we took the impact and exploitability subscores from the National Vulnerability Database.
Note on the scales: the likelihood bins in Table #11 run from 0 to 10, which matches the CVSS v2 exploitability subscore. The CVSS v3 exploitability subscore cannot exceed 3.9 and the v3 impact subscore cannot exceed about 6.0, so a vulnerability that only carries a v3 score can never be rated above Unlikely on Table #11, and its impact contribution is capped well below 1. The scores in the tables below should be read with the CVSS version in mind.
Risk matrix (likelihood rows x impact columns; "Very Unlikely" is called "Highly Unlikely" in the tables that follow)
                 Negligible | Minor   | Moderate    | Significant | Severe
Very Likely      Low Med    | Medium  | Medium High | High        | High
Likely           Low        | Low Med | Medium      | Medium High | High
Possible         Low        | Low Med | Medium      | Medium High | Medium High
Unlikely         Low        | Low Med | Low Med     | Medium      | Medium High
Very Unlikely    Low        | Low     | Low Med     | Medium      | Medium
Qualitative Scale to Measure Threat Likelihood
Table #11
Very Likely: 8 < Exploitability Score <= 10
Likely: 6 < Exploitability Score <= 8
Possible: 4 < Exploitability Score <= 6
Unlikely: 2 < Exploitability Score <= 4
Highly Unlikely: Exploitability Score <= 2
Table #12 - FRKS Server
Threat due to | Likelihood
Power outages done intentionally or unintentionally | Highly Unlikely (Score 0.2)
Lack of encryption | Highly Unlikely (Score 0.3)
CVE-2006-0272 | Very Likely (Score 8.0)
CVE-2006-6703 | Very Likely (Score 8.6)
Table #13 - ECDS Server
Threat due to | Likelihood
CVE-2016-1035 | Unlikely (Score 3.9)
CVE-2016-3065 | Unlikely (Score 3.9)
Unguarded server room; lack of security personnel | Highly Unlikely (Score 0.9)
Too many people entering the wrong data; multiple records for the same patient | Unlikely (Score 2.1)
Table #14 - PMS Server
Threat due to | Likelihood
Power outages done intentionally or unintentionally | Highly Unlikely (Score 0.2)
Lack of encryption | Highly Unlikely (Score 0.3)
CVE-2019-2411 | Likely (Score 7.6)
CVE-2017-10389 | Possible (Score 5.7)
Table #15 - Patient Database
Threat due to | Likelihood
Poor design and implementation of the PDIS application, with no auto-logout mechanism | Highly Unlikely (Score 0.9)
Lack of training/awareness among staff | Highly Unlikely (Score 0.9)
CVE-2013-3969 | Very Likely (Score 8.0)
CVE-2017-14227 | Unlikely (Score 3.9; a score of 3.9 falls in the Unlikely bin of Table #11)
Table #16 - Employee and Department Database
Threat due to | Likelihood
CVE-2017-5653 | Very Likely (Score 10.0)
CVE-2002-0570 | Unlikely (Score 3.9)
Lack of encryption | Highly Unlikely (Score 0.3)
Lack of training/awareness among staff | Highly Unlikely (Score 0.9)
Qualitative Scale to Measure Final Impact Value
Estimate of Final Impact Value (FIV) Associated with Each Threat Statement
Columns in Tables #17 to #21: Threat due to | Asset Value Score (AVS) = asset value / 19 | CVSS V3 Impact Score (CIS) = impact subscore / 10 | Final Impact Value (FIV) = AVS + CIS
Table #17 - FRKS Server
Power outages done intentionally or unintentionally | 14 (FRKS Server)/19 = 0.74 | 4/10 = 0.4 | 1.14
Lack of encryption | 14/19 = 0.74 | 4.7/10 = 0.47 | 1.21
CVE-2006-0272 | 14/19 = 0.74 | 10/10 = 1 | 1.74
CVE-2006-6703 | 14/19 = 0.74 | 6.4/10 = 0.64 | 1.38
Table #18 - PMS Server
Power outages done intentionally or unintentionally | 15 (PMS Server)/19 = 0.79 | 4/10 = 0.4 | 1.19
Lack of encryption | 15/19 = 0.79 | 4.7/10 = 0.47 | 1.26
CVE-2019-2411 | 15/19 = 0.79 | 7.6/10 = 0.76 | 1.55
CVE-2017-10389 | 15/19 = 0.79 | 5.7/10 = 0.57 | 1.36
Table #19 - Patient Database
Poor design and implementation of the PDIS application, with no auto-logout mechanism | 15 (PDS)/19 = 0.78 | 6/10 = 0.6 | 1.38
Lack of training/awareness among staff | 15/19 = 0.78 | 6.7/10 = 0.67 | 1.45
CVE-2013-3969 | 15/19 = 0.78 | 6.4/10 = 0.64 | 1.42
CVE-2017-14227 | 15/19 = 0.78 | 3.6/10 = 0.36 | 1.14
Table #20 - ECDS Server
CVE-2016-1035 | 13/19 = 0.68 | 7.5/10 = 0.75 | 1.43
CVE-2016-3065 | 13/19 = 0.68 | 5.2/10 = 0.52 | 1.2
Unguarded server room; lack of security personnel | 13/19 = 0.68 | 5.9/10 = 0.59 | 1.27
Too many people entering the wrong data; multiple records for the same patient | 13/19 = 0.68 | 3.6/10 = 0.36 | 1.04
Table #21 - Employee and Department Database
CVE-2017-5653 | 11/19 = 0.58 | 2.9/10 = 0.29 | 0.87
CVE-2002-0570 | 11/19 = 0.58 | 3.9/10 = 0.39 | 0.97
Lack of encryption | 11/19 = 0.58 | 4.7/10 = 0.47 | 1.05
Lack of training/awareness among staff | 11/19 = 0.58 | 6.7/10 = 0.67 | 1.25
Qualitative Scale to Measure the Impact of a Cybersecurity Threat
Table #22
Severe: 1.6 < FIV <= 2
Significant: 1.2 < FIV <= 1.6
Moderate: 0.8 < FIV <= 1.2
Minor: 0.4 < FIV <= 0.8
Negligible: FIV <= 0.4
Table #23 - FRKS Server
Threat due to | FIV
Power outages done intentionally or unintentionally | Moderate (Score 1.14)
Lack of encryption | Significant (Score 1.21)
CVE-2006-0272 | Severe (Score 1.74)
CVE-2006-6703 | Significant (Score 1.38)
Table #24 - Patient Database
Threat due to | FIV
Poor design and implementation of the PDIS application, with no auto-logout mechanism | Significant (1.38)
Lack of training/awareness among staff | Significant (1.45)
CVE-2013-3969 | Significant (1.42)
CVE-2017-14227 | Moderate (1.14)
(All three Significant rows fall in the 1.2 < FIV <= 1.6 bin of Table #22; none reaches the Severe bin.)
Table #25 - PMS Server
Threat due to | FIV
Power outages done intentionally or unintentionally | Moderate (1.19)
Lack of encryption | Significant (1.26)
CVE-2019-2411 | Significant (1.55)
CVE-2017-10389 | Significant (1.36)
Table #26 - ECDS Server
Threat due to | FIV
CVE-2016-1035 | Significant (1.43)
CVE-2016-3065 | Moderate (1.2)
Unguarded server room; lack of security personnel | Significant (1.27)
Too many people entering the wrong data; multiple records for the same patient | Moderate (1.04)
Table #27 - Employee and Department Database
Threat due to | FIV
CVE-2017-5653 | Moderate (Score 0.87)
CVE-2002-0570 | Moderate (Score 0.97)
Lack of encryption | Moderate (Score 1.05)
Lack of training/awareness among staff | Significant (Score 1.25)
RISK ESTIMATION
Table #28
Vulnerability ID | Likelihood | Impact | Risk
1.1 | Highly Unlikely | Significant | Medium
1.2 | Highly Unlikely | Significant | Medium
1.3 | Very Likely | Significant | High
1.4 | Unlikely | Moderate | Low Med
2.1 | Unlikely | Significant | Medium
2.2 | Unlikely | Moderate | Low Med
2.3 | Highly Unlikely | Significant | Medium
2.4 | Unlikely | Moderate | Low Med
3.1 | Highly Unlikely | Moderate | Low Med
3.2 | Highly Unlikely | Significant | Medium
3.3 | Likely | Significant | Medium High
3.4 | Possible | Significant | Medium High
4.1 | Highly Unlikely | Moderate | Low Med
4.2 | Highly Unlikely | Significant | Medium
4.3 | Very Likely | Severe | High
4.4 | Very Likely | Significant | High
5.1 | Very Likely | Moderate | Medium High
5.2 | Unlikely | Moderate | Low Med
5.3 | Highly Unlikely | Moderate | Low Med
5.4 | Highly Unlikely | Significant | Medium
Reading this table: the groups are 1 = Patient Database, 2 = ECDS Server, 3 = PMS Server, 4 = FRKS Server, 5 = Employee and Department Database, and within each group the rows follow the order of the likelihood tables (#12 to #16). Table #29 does not always use the same numbering within a group (for example it lists the MongoDB CVEs as 1.1 and 1.2), so match rows between the two tables by threat description rather than by ID. The impact of rows 1.1 to 1.3 and the likelihood of row 1.4 are taken from the bins of Tables #22 and #11 (an FIV of 1.38 to 1.42 is Significant; an exploitability score of 3.9 is Unlikely), and the risk column then follows from the matrix in Figure 1.
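The whole chain above (exploitability subscore to likelihood via Table #11, AVS + CIS to FIV and impact via Table #22, then the risk matrix of Figure 1) is small enough to run end to end. The following is an added example, not code from the report: it encodes the report's own scales and matrix, computes the FRKS Server rows from Tables #12 and #17, and also computes the CVSS v3 exploitability formula to show why a v3-scored CVE can never leave the Unlikely bin. It applies the half-open bins exactly as Table #11 writes them, so a score of exactly 8.0 lands in Likely rather than Very Likely (for CVE-2006-0272 the matrix still yields High).

```python
"""Risk estimation as used in this report (added example, not code from
the original): likelihood from the CVSS exploitability subscore via
Table #11, impact from FIV = AVS/19 + CIS/10 via Table #22, and the risk
rating from the likelihood x impact matrix of Figure 1. The FRKS rows are
taken from Tables #12 and #17; the CVSS v3 weights are the published ones."""
from dataclasses import dataclass
from typing import Dict, List

IMPACT_LEVELS = ["Negligible", "Minor", "Moderate", "Significant", "Severe"]

# Figure 1: one row per likelihood, columns in IMPACT_LEVELS order.
RISK_MATRIX: Dict[str, List[str]] = {
    "Very Likely":     ["Low Med", "Medium",  "Medium High", "High",        "High"],
    "Likely":          ["Low",     "Low Med", "Medium",      "Medium High", "High"],
    "Possible":        ["Low",     "Low Med", "Medium",      "Medium High", "Medium High"],
    "Unlikely":        ["Low",     "Low Med", "Low Med",     "Medium",      "Medium High"],
    "Highly Unlikely": ["Low",     "Low",     "Low Med",     "Medium",      "Medium"],
}


def likelihood_label(exploitability: float) -> str:
    """Table #11: half-open bins on the exploitability subscore (0..10)."""
    if exploitability > 8:
        return "Very Likely"
    if exploitability > 6:
        return "Likely"
    if exploitability > 4:
        return "Possible"
    if exploitability > 2:
        return "Unlikely"
    return "Highly Unlikely"


def impact_label(fiv: float) -> str:
    """Table #22: half-open bins on the Final Impact Value (0..2)."""
    if fiv > 1.6:
        return "Severe"
    if fiv > 1.2:
        return "Significant"
    if fiv > 0.8:
        return "Moderate"
    if fiv > 0.4:
        return "Minor"
    return "Negligible"


def final_impact_value(asset_value_score: int, cvss_impact: float) -> float:
    """FIV = AVS + CIS, with AVS = asset value / 19 and CIS = CVSS impact / 10,
    each rounded to two places as in Tables #17 to #21."""
    avs = round(asset_value_score / 19, 2)
    cis = round(cvss_impact / 10, 2)
    return round(avs + cis, 2)


@dataclass
class Threat:
    asset: str
    name: str
    asset_value_score: int   # out of 19 (Asset Classification section)
    cvss_impact: float       # CVSS impact subscore, out of 10
    exploitability: float    # CVSS exploitability subscore, out of 10


def estimate_risk(t: Threat) -> Dict[str, object]:
    fiv = final_impact_value(t.asset_value_score, t.cvss_impact)
    likelihood = likelihood_label(t.exploitability)
    impact = impact_label(fiv)
    risk = RISK_MATRIX[likelihood][IMPACT_LEVELS.index(impact)]
    return {"asset": t.asset, "threat": t.name, "fiv": fiv,
            "likelihood": likelihood, "impact": impact, "risk": risk}


# CVSS v3.0 exploitability = 8.22 * AV * AC * PR * UI (scope unchanged).
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
_AC = {"L": 0.77, "H": 0.44}
_PR = {"N": 0.85, "L": 0.62, "H": 0.27}
_UI = {"N": 0.85, "R": 0.62}


def cvss3_exploitability(av: str, ac: str, pr: str, ui: str) -> float:
    """Even the worst case (AV:N/AC:L/PR:N/UI:N) is only 3.887, so a CVE that
    carries only a v3 score can never pass the Unlikely bin of Table #11."""
    return 8.22 * _AV[av] * _AC[ac] * _PR[pr] * _UI[ui]


# FRKS Server threats, scores from Tables #12 and #17 (ids 4.1-4.4 in Table #28).
FRKS_THREATS = [
    Threat("FRKS Server", "Power outages, intentional or unintentional", 14, 4.0, 0.2),
    Threat("FRKS Server", "Lack of encryption", 14, 4.7, 0.3),
    Threat("FRKS Server", "CVE-2006-0272", 14, 10.0, 8.0),
    Threat("FRKS Server", "CVE-2006-6703", 14, 6.4, 8.6),
]


def frks_register() -> List[Dict[str, object]]:
    return [estimate_risk(t) for t in FRKS_THREATS]


if __name__ == "__main__":
    for row in frks_register():
        print(f'{row["threat"]:<45} FIV={row["fiv"]:.2f} {row["impact"]:<12} '
              f'{row["likelihood"]:<16} -> {row["risk"]}')
    print(f"max CVSS v3 exploitability = {cvss3_exploitability('N', 'L', 'N', 'N'):.3f}")
```

Running it reproduces the FRKS column of Table #28 (Low Med, Medium, High, High). Feeding the other assets through the same functions is the quickest way to check the hand-filled tables, and swapping the bin edges in likelihood_label is the place to recalibrate if CVSS v3 subscores are used.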
Cyber Security Risk Management Strategy
Table #29
Threat ID | Mitigation Strategy
1.1 Replace the vulnerable MongoDB 2.4.0 with the stable release 2.6.1 so that the invalid pointer reference in RefDb (CVE-2013-3969) can no longer be exploited. This carries no licence cost, since MongoDB is open-source software. Updates and patches need to be installed regularly.
1.2 Replace MongoDB libbson 1.7.0 with the latest stable release so that a remote attacker can no longer trigger the crash (denial of service) behind CVE-2017-14227. This strategy also carries no licence cost, since MongoDB is open-source software. Updates and patches need to be installed regularly.
1.3 The PDIS application needs to be redesigned so that a user is logged out automatically after 20 minutes of inactivity and when the same account logs in from multiple locations.
1.4 Implement a policy of changing passwords every 6 months, train employees in cyber security practice, and make sure the IT team knows how to store and access the logs of the PDIS servers. The cost of training is estimated at $290K per year for large enterprises with 1,000 to 5,000 employees (1).
2.1 Since the asset is at Medium risk from this vulnerability, we mitigate it. Adobe has released a hotfix for this vulnerability; update the server to the latest version at no additional cost, and install updates and security patches regularly.
2.2 Since the asset is at Low-Medium risk from this vulnerability, we mitigate it. The vendor has released a patch for this vulnerability; installing security patches regularly should keep such vulnerabilities from recurring.
2.3 This vulnerability stems from human behaviour and error. It can be avoided by having guards work in shifts, installing security cameras and enabling remote monitoring of the premises. This incurs additional cost for the organization (extra guards, security cameras). Avoidance is advised because such risks cannot be mitigated by technical means.
2.4 The organization should avoid this risk. Strict read/write access controls must be in place, for instance allowing only one designated person to modify a record, or disabling concurrent writes.
3.1 The organization should mitigate this risk. The server lacks encryption; encryption does not remove the exposure entirely, given the constant presence of attackers, but adding encryption software to the server reduces it.
3.2 The organization should mitigate this risk through constant, regular backups. Training helps employees back data up correctly, and regular reminders help as well.
3.3 The organization should avoid this risk rather than mitigate it. The server should be updated to the latest version as early as possible; this costs the company nothing but takes some time. Backing up the servers before the update is beneficial for data retention. The cost of backing up depends on the amount of data; manual backups can cost around $100.
3.4 The organization should mitigate this risk rather than avoid it, by issuing separate MS Access logins instead of a shared one. When one login is found to be compromised, the other users are alerted not to use it and new logins are issued. Backing up the data is also a good way not to lose work if and when a login is compromised. Manual backups can cost around $100.
4.1 This vulnerability depends on the risk of power outages and can be addressed in two ways: first, backup power such as a UPS for the main server, which keeps it running for a short time during an outage; second, restricting unauthorized access to the power house.
4.2 Train employees who take their personal assets outside not to use them in public places; restrict unauthorized access to the system; and encrypt the confidential data so that it is unreadable even if it is accessed.
4.3 Restrict access to the source code so that nobody can edit it without authorization. Before any code is moved, it must be tested and validated in the quality system and only then promoted to the production environment.
4.4 Since this vulnerability is cross-site scripting, data from the data source must never be allowed to alter the JavaScript that is executed: encode output before it reaches the page and implement a Content Security Policy.
5.1 The organization should update the system with the latest v3 patches to reduce the risk associated with this vulnerability. This not only reduces the risk of attacks on unencrypted data but also lowers the impact score from 2.9 to 1.4.
5.2 This risk can be avoided by introducing encryption and certificate management so that the authenticity of every service response is verified by the receiver. This prevents remote spoofing of servers.
5.3 This can be avoided by deploying endpoint encryption software such as Symantec Encryption on all connected devices, so that the employee and department data is encrypted wherever it is stored. This removes the risk from unencrypted data and also protects against data loss, corruption and interception in transit.
5.4 This vulnerability stems from staff intentionally entering erroneous data into the database. It can be avoided by performing background checks on all employees and by conducting security checks throughout the premises where sensitive data is stored.
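Mitigation 1.3 asks for a PDIS redesign with automatic logout after 20 minutes of inactivity and a response to the same account being used from multiple locations. The following is an added example, not code from the AMC report or from PDIS: a server-side session store that expires a session on idle time, binds it to the client address it was issued to, and refuses a second concurrent login for the same user from a different address. The clock is injectable so the 20-minute rule can be exercised without waiting; the user names and addresses are constructed for the demonstration.

```python
"""Idle-timeout and concurrent-login control for a web application's
sessions (mitigation 1.3). Added example, not the PDIS code. A real
deployment would persist this store and call touch() from request
middleware; the logic is the same."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_SECONDS = 20 * 60  # the report's 20-minute inactivity rule


@dataclass
class Session:
    token: str
    user: str
    client_addr: str
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time,
                 idle_timeout: float = IDLE_TIMEOUT_SECONDS) -> None:
        self._clock = clock
        self._idle = idle_timeout
        self._by_token: Dict[str, Session] = {}
        self._by_user: Dict[str, str] = {}   # user -> token of the one live session

    def login(self, user: str, client_addr: str) -> str:
        """Create a session. A live session for the same user from another
        address is treated as possible credential sharing or compromise and
        the new login is refused (the report's 'login from multiple
        locations' case); a stale one is reaped first and does not block."""
        self._reap_expired()
        existing = self._by_user.get(user)
        if existing is not None:
            live = self._by_token[existing]
            if live.client_addr != client_addr:
                raise PermissionError(
                    f"{user} already has an active session from {live.client_addr}")
            self.logout(existing)  # same client again: rotate the token
        token = secrets.token_urlsafe(32)
        self._by_token[token] = Session(token, user, client_addr, self._clock())
        self._by_user[user] = token
        return token

    def touch(self, token: str, client_addr: str) -> Optional[Session]:
        """Call on every request. Refreshes the idle timer and returns the
        session while it is valid; drops it and returns None once the idle
        timeout has passed or the request comes from a different address."""
        s = self._by_token.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > self._idle or s.client_addr != client_addr:
            self.logout(token)
            return None
        s.last_seen = now
        return s

    def logout(self, token: str) -> None:
        s = self._by_token.pop(token, None)
        if s is not None and self._by_user.get(s.user) == token:
            del self._by_user[s.user]

    def active_users(self) -> int:
        self._reap_expired()
        return len(self._by_user)

    def _reap_expired(self) -> None:
        now = self._clock()
        for tok in [t for t, s in self._by_token.items() if now - s.last_seen > self._idle]:
            self.logout(tok)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login("nurse01", "10.0.0.5")
    print("valid:", store.touch(tok, "10.0.0.5") is not None)
    try:
        store.login("nurse01", "192.168.1.9")
    except PermissionError as e:
        print("second location refused:", e)
```

Refusing the second login is one policy; the alternative of ending the first session and alerting the user is equally valid, and which to choose depends on whether a clinician moving between workstations is the common case at AMC.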
Appendix A
Measurement scales used for Asset Classification
1. Scale - Financial Value
Table 2: Measures for classifying assets by financial value
Very High (3): $3K+ | High (2): $1K-$3K | Medium (1): $500-$1K | Low (0): <$500
2. Mission Criticality
Table 3: Measures for classifying assets by mission criticality
Very High (3): Critical | High (2): Important | Medium (1): Supportive | Low (0): No impact
3. Business Process (BP1) – Seeking Appointment
This business process starts with a patient contacting the hospital to book an appointment. Appointments can be made by telephone, email or in person. The important assets are the servers/workstations that host the appointment scheduler (where the scheduler is a web-based application). The process ends successfully when the patient has booked an appointment, remotely or in person.
4. Business Process (BP2) – Claim Insurance
This is the business process of claiming insurance: the hospital submits a request to the insurance company and then claims the required insurance amount.
5. Business Process (BP3) – Payment Processing
Payment processing involves billing the patient after the claim deductions have been made. A billing report is generated for each successful payment processed.
6. Legal Protection Requirement
Table 4: Measures for classifying assets by legal protection requirement
Very High (3): Critical | High (2): Important | Medium (1): Supportive | Low (0): No impact
Appendix B
Vulnerability-Threat identification tree(s)
Figure #2: Tree analysis - FRKS Server
Figure #3: Tree analysis - PMS Server
Figure #4: Tree analysis - Patient Database
Figure #5: Tree analysis - ECDS Server
Figure #6: Tree analysis - Employee and Department Database
Vulnerability Matrix for FRKS Database Threats: Figures #7, #8 and #9
Vulnerability Matrix for Patient Database Threats:
1. Poor design and implementation of the PDIS application with no auto-logout mechanism: Figure #10
2. Lack of training/awareness among staff: Figure #11
3. CVE-2013-3969: Figure #12
4. CVE-2017-14227: Figure #13
Vulnerability Matrix for ECDS Server Threats: Figures #14, #15, #16 and #17
Vulnerability Matrix for Employee and Department Database Threats: Figures #18, #19, #20 and #21
Appendix C
Qualitative Scale to Measure Threat Likelihood (Table #11) and Qualitative Scale to Measure the Impact of a Cybersecurity Threat (Table #22): both tables are given in the Cybersecurity Risk Estimation section.
Appendix D
Qualitative Scale to Measure the Impact of a Cybersecurity Threat (Table #22): see the Cybersecurity Risk Estimation section.
Appendix E
Cybersecurity risk matrix and risk management strategy
The risk matrix (Figure 1, with the scales of Tables #11 and #22) and the risk management strategy (Table #29) are given in full in the Cybersecurity Risk Estimation and Cyber Security Risk Management Strategy sections.
References
● National Vulnerability Database Website
○ https://nvd.nist.gov/
● Lucidchart
○ https://www.lucidchart.com/documents
● Common Vulnerability Scoring System
○ https://www.first.org/cvss/calculator/3.0
● Aggie Medical Center Case
○ https://tamu.blackboard.com/bbcswebdav/pid-5479845-dt-content-rid-43604608_1/courses/ISTM.635.1911.M1/Aggie%20Medical%20Center-ISTM635.pdf
● Risk Mitigation Strategies
○ (1) https://www.infosecurity-magazine.com/news/cost-of-user-security-training/
○ https://www.thesslstore.com/blog/cyber-risk-assessment/
Glossary
• AMC - Aggie Medical Center
• TSPs - Tablets and Smartphones
• CVE - Common Vulnerabilities and Exposures
• PC - Personal Computer
• PMS - Personal Management System
• FRKS - Financial Record Keeping System
• ECDS - Emergency Care Data System
• MLS - Medical Logistics System
• UTP wires - Unshielded Twisted Pair wires
• BP - Business Process
• Switch - device for controlling the connection in an electric circuit
• Router - device that routes data from a LAN to the network connection
• Server - computer that provides data to other devices
• UTP - copper cabling used for wiring in LANs
• Buffer Overflow - coding mistake in a program that allows an attacker to gain access to the system
• Cross Site Scripting - allows attackers to inject client-side scripts into web pages
• Denial of Service Attack - occurs when users are unable to access devices and network resources due to the actions of a malicious party
• Encryption - translates data into a code so that only people with the key can read the data
• Vulnerability - weakness that can be exploited by an attacker to perform unauthorized actions
• Exploit - software or code that takes advantage of a vulnerability to cause unintended behaviour
• Threat - possible danger that can exploit the vulnerability to breach security
• Threat agent - the entity that is the origin of a threat
Team Work
Each team member worked equally in identifying all the assets in AMC. Assets were divided equally among members for scoring based on impact on business processes, financial impact, etc. After identifying five critical assets, each member was assigned one asset to work on. The tasks in the final report were divided equally among team members for content and consolidation.
Team Member | Contribution
Akanksha Pathak | 20%
Balvaishwer Singh | 20%
David Zuniga | 20%
Pratima Purohit | 20%
Tushara Chigicherla Kamalakar | 20%
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfJustinBrown267905
 
Information System Security
Information System Security Information System Security
Information System Security Syed Asif Sherazi
 
Strategies for Data Leakage Prevention
Strategies for Data Leakage PreventionStrategies for Data Leakage Prevention
Strategies for Data Leakage PreventionIRJET Journal
 
Webinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
Webinar: Get Ready to Detect, Respond & Recover from a Cyber AttackWebinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
Webinar: Get Ready to Detect, Respond & Recover from a Cyber AttackAujas
 
Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Karl Kispert
 
The future of cyber security
The future of cyber securityThe future of cyber security
The future of cyber securitySandip Juthani
 
Vskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center FundamentalAmir Hossein Zargaran
 
Complete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resourcesComplete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resourcesIJNSA Journal
 
Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attackMark Silver
 
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCESCOMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCESIJNSA Journal
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operationsPiyush Jain
 
Module 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancemModule 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancemIlonaThornburg83
 
5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management5 Steps to Mobile Risk Management
5 Steps to Mobile Risk ManagementDMIMarketing
 
Assess risks to IT security.pptx
Assess risks to IT security.pptxAssess risks to IT security.pptx
Assess risks to IT security.pptxlochanrajdahal
 

Similar to Cyber Security Risk Assessment for Critical Assets at AMC (39 (20)

Cybersecurity Interview Questions and Answers.pdf
Cybersecurity Interview Questions and Answers.pdfCybersecurity Interview Questions and Answers.pdf
Cybersecurity Interview Questions and Answers.pdf
 
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfFor Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
 
Avoiding The Seven Deadly Sins of IT
Avoiding The Seven Deadly Sins of ITAvoiding The Seven Deadly Sins of IT
Avoiding The Seven Deadly Sins of IT
 
CLOUD COMPUTING.pptx
CLOUD COMPUTING.pptxCLOUD COMPUTING.pptx
CLOUD COMPUTING.pptx
 
Information System Security
Information System Security Information System Security
Information System Security
 
Strategies for Data Leakage Prevention
Strategies for Data Leakage PreventionStrategies for Data Leakage Prevention
Strategies for Data Leakage Prevention
 
Webinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
Webinar: Get Ready to Detect, Respond & Recover from a Cyber AttackWebinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
Webinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
 
Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016
 
The future of cyber security
The future of cyber securityThe future of cyber security
The future of cyber security
 
Vskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample Material
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
 
Complete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resourcesComplete network security protection for sme's within limited resources
Complete network security protection for sme's within limited resources
 
Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attack
 
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCESCOMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
COMPLETE NETWORK SECURITY PROTECTION FOR SME’SWITHIN LIMITED RESOURCES
 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operations
 
Module 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancemModule 02 Performance Risk-based Analytics With all the advancem
Module 02 Performance Risk-based Analytics With all the advancem
 
5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management
 
Assess risks to IT security.pptx
Assess risks to IT security.pptxAssess risks to IT security.pptx
Assess risks to IT security.pptx
 
Measures to Avoid Cyber-attacks
Measures to Avoid Cyber-attacksMeasures to Avoid Cyber-attacks
Measures to Avoid Cyber-attacks
 
Measure To Avoid Cyber Attacks
Measure To Avoid Cyber AttacksMeasure To Avoid Cyber Attacks
Measure To Avoid Cyber Attacks
 

Recently uploaded

Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfchloefrazer622
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 

Recently uploaded (20)

Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptx
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 

Cyber Security Risk Assessment for Critical Assets at AMC (39

  • 1. Cyber Security Risk Assessment for AMC ISTM 635-602 Akanksha Pathak Balvaishwer Singh David Zuniga Pratima Purohit Tushara Chigicherla Kamalakar The Specialists
  • 2. Aggie Code of Honor Aggie Code of Honor For many years Aggies have followed a Code of Honor, which is stated in this very simple verse: An Aggie does not lie, cheat or steal or tolerate those who do. The Aggie Code of Honor is an effort to unify the aims of all Texas A&M men and women toward a high code of ethics and personal dignity. For most, living under this code will be no problem, as it asks nothing of a person that is beyond reason. It only calls for honesty and integrity, characteristics that Aggies have always exemplified. The Aggie Code of Honor functions as a symbol to all Aggies, promoting understanding and loyalty to truth and confidence in each other. We have followed the strictures of Texas A&M University Aggie code of Honor throughout this project. Akanksha Pathak ______________________ Balvaishwer Singh ______________________ David Zuniga ______________________ Pratima Purohit ______________________ Tushara Chigicherla Kamalakar ______________________
  • 3. 0 Table of Contents Executive Summary 1 Asset Identification 2 Asset Classification 6 Vulnerability and Threat Identification 9 Cybersecurity Rick Estimation 17 Cybersecurity Risk Management Strategy 26 Appendix A 29 Appendix B 30 Appendix C 40 Appendix D 40 Appendix E 41 References 44 Glossary 45 Team Work 46
  • 4. 1 Executive Summary No organization is immune to cyber-attacks. However, if effective controls are in place, we can reduce the likelihood and impact of attacks. Preventive controls keep attacks from occurring. Detective controls aid in monitoring assets and alert the organization in case of attack. Corrective controls help limit the impact and mitigate attacks. In this project, we analyze Aggie Medical Center (AMC) situated in Bryan/ College Station. We gather information about assets, management perspective of cyber security, operational view, etc. We provide risk assessment and mitigation strategies based on the information in the case. The initial step is to identify critical assets in AMC. Once the assets are listed down, we score them based on financial, operational and legal impacts of asset failure. This would yield a maximum score of 18 for each asset. Next, we select five critical assets based on the asset value score. For each of the critical assets we give a tree analysis and identify technical, non-technical threats, vulnerabilities and exploits. Next, we find impact scores for each of the vulnerabilities and then calculate the likelihood of these vulnerabilities. Once we have the impact and likelihood scores, we use the risk matrix to estimate the risk associated with vulnerabilities for each of the assets. Based on the risk assessment we provide a risk management strategy for the same. These are the major tasks and objectives in this project. According to our analysis we found - Patient Database, Emergency Care Data System Server, PMS Server, FRKS Server, Employee and department database – to be the critical assets. Most of the vulnerabilities can be mitigated by installing software updates and security patches regularly. 
And other non-technical vulnerabilities can be mitigated or avoided with providing proper training to all workers and employing additional invigilation strategies – installing security cameras, hiring more security guards, etc. Accepting a risk means no action needs to be taken. The organization can simply accept the risk and has to do little or nothing to deal with it. This would be a good strategy for risks that are ranked low to medium. Avoiding the risk is a good strategy when a risk has a comparatively large impact on the organization. A risk can be avoided by eliminating technologies or activities that can cause the risk. Mitigating a risk – the impact of risk is limited. This is the most common risk management strategy employed by organizations. Transferring the risk, here the organization transfer the impact and management of the risk to someone else (contractors, insurance company, etc.). Sharing the risk, we share part of the responsibility for risk management. This happens when one department is dependent on the services provided by the other. Based on the level of risk, financial impact of the risk and implementing control, we have devised the best strategy to accept, avoid, mitigate, transfer or share the risk. In this report, we bring out detailed analysis and assessment strategies to overcome the vulnerabilities identified for the critical assets. The project aided us in understanding a. how assets are identified, scored and ranked; b. identifying vulnerabilities and threats; c. finding the impact scores for the vulnerabilities and assessing the probable risks and suggesting risk mitigation strategies. The report is a consolidated cyber security risk management document that AMC can utilize to handle vulnerabilities
  • 5. 2 Asset Identification The following is a list of assets that our group identified from the case study. Table #1: Asset Identification: Asset Code/ ID Asset Name Asset Description Reason for Cybersecurity Risk Assessment 1 Workstation Workstation in administration(W7) with windows 7 running on it. Windows has a lot of vulnerabilities that can be exploited by the attackers. For instance - internet explorer vulnerabilities (MS15-079), Redirect to SMB Vulnerability (CVE-2015-5143), etc. Making sure that the system is up to date is essential in preventing any attacks. Also update and install latest patches for all the applications (firewall, anti-virus, etc.). 2 Personal Computer PC in the labs(RH6) with red hat Linux 6 running on it. These are vulnerable to phishing, spoofing attacks. Also, malware can be easily introduced into the system if the owner of the computer is given a compromised USB/thumb drive. Attackers can use social engineering attacks to gain personal information that could help in cracking the passwords to these machines. Unauthorized access could lead to system failure, loss or manipulation of critical information. 3 Personal Computer PC in the treatment rooms (W8) with windows 8 running on it. These are vulnerable to phishing, spoofing attacks. Also, malware can be easily introduced into the system if the owner of the computer is given a compromised USB/thumb drive. Attackers can use social engineering attacks to gain personal information that could help in cracking the passwords to these machines. Unauthorized access could lead to system failure, loss or manipulation of critical information. 4 Switch Switch that uses Cisco SG100D-08- NA If attackers gain access to switches they can use it to map the entire network of the organization, trace the network topology, sniff to change the routing table contents. They can also launch session hijacking attacks.
  • 6. 3 5 Router The router that uses Cisco 2951 Attackers can use spoofed ARP messages to modify the target’s ARP table mapping. Attackers can play man in the middle and modify packets. They can spoof the victim’s IP address. 6 PMS Server Server that uses MS Access 2016 for the Personnel Management System Servers are susceptible to DoS attacks. Attackers can continuously overwhelm the server with multiple requests leading to server crash. If default passwords are used, attackers can gain access to the server, enabling them to reroute, modify or delete the traffic. There will be high impact on availability of the server. 7 FRKS Server Server that uses Oracle 10g for the Financial Record Keeping System This again is a very important asset. If this asset were to be compromised, a lot of people would have a lot of problems. Insurance details, bank statements, medical payment records, etc. This data can be used to extrapolate the financial details of an individual and attackers can use this data to extract monetary or other favors (basically blackmail). Proper access control needs to be put in place in order to prohibit unauthorized access 8 ECDS Server Server that uses 2016 SQL Server for the Emergency Care Data System Servers are susceptible to DoS attacks. Attackers can continuously overwhelm the server with multiple requests leading to server crash. If default passwords are used, attackers can gain access to the server, enabling them to reroute, modify or delete the traffic. All the data that this server routes is highly confidential, as it affects peoples lives. 9 MLS Server Server that uses Solaris/AIX for the Medical Logistics System Servers are susceptible to DoS attacks. Attackers can continuously overwhelm the server with multiple requests leading to server crash. If default passwords are used, attackers can gain access to the server, enabling them to reroute, modify or delete the traffic. 
The data within the packets that are exchanged over this server include details about patient medical records. This data is personal and confidential to each patient. Access to this server should be restricted. 10 UTP wires All lines that are connected will use Unshielded Twisted Pair wires If an attack is launched against the signal on the wire, hackers might be able to copy information as it flows in the form of bits. This might not be as dangerous if an appropriate software encryption mechanism is employed in the transmission. Depending on the communication medium, hackers
  • 7. 4 might be able to steal either information or bandwidth. Distribution and core devices must be secured from unauthorized access. At the same time, authorized personnel must be ready to access to patch panels, and cables must be clearly marked and available for visual inspection. 11 Patient Database Database of most of the important patient information, OS10, MongoDB The PDI System could be vulnerable if default credentials were still in use, or if there is no proper assessment of user access. The information stored itself could be vulnerable to SQL or command injection attacks. The data is vulnerable to modification and theft, firewall breach, etc. The attackers can also cause system failure. All these reasons make this a highly critical asset that needs utmost security. The availability of the system, the integrity, and confidentiality of the data within the system are in danger here. 12 Paper medical records Complete patient records are on paper Paper records are susceptible to getting lost or being stolen. The sheer number of records make it very easy to lose track of these records. A simple misplacement of record can cause unforeseen problems or chaos even. These records may contain confidential patient information which in the wrong hands spells disaster. The availability, integrity, and confidentiality of the records are vulnerable. 13 Emergency Care Data System Server Diagnosis, who saw patients, what was done, billing support, patient demographics, types of care, etc Disclosing information stored in this system would be trespassing into private lives of patients. For instance - A VIP might be sick and would not want this information out in the public. If attackers get access to this information, it could lead to bad publicity and public shaming of that VIP. Individuals can use such information to vandalize the competition. The Server is a 2016 SQL server. Due to the type of data that it handles, there needs to be high level access controls in place. 
14 Email Server A common server with important information, historical data If email server is hacked into, emails would become transparent. Any email sent or received will be at the scrutiny of the attackers. They can read, modify or delete the message itself. All of the historical emails could be destroyed or manipulated. They can cause the system to fail or play man in the middle and read/manipulate/sell data exchanged in the emails.
  • 8. 5 15 Employee and department database Demographics, work histories, assignments, skills, disciplinary records Work histories, disciplinary records, demographics are all confidential information. If attackers gain access to these data, they can use it to threaten (or blackmail) the individual record holders. They can cause this system to fail. This system could be vulnerable to DoS, command injection attacks. 16 Medical Logistics Database Inventory of Supplies, real property, equipment, and medicines, etc Information such as inventory supplies, equipment usage, can give insight into the demand and necessity of any organization. Attackers can sell this information to equipment companies or pharma companies, which in turn can use such logistics to influence the type of equipment AMC would purchase in the future. They can cause negative publicity for the medicines generally prescribed by AMC mostly by discrediting the medicines they use. 17 Pharmacy System database supports automated drug dispensing If attackers gain control of this system, they could control the dosage of drugs that are dispensed every time. They could literally kill someone. Incorrect dosage amount or wrong medication is one of the leading causes of death in the world. Attackers could cause mass murder (genocide) - every patient’s life would be at the whim of the attacker. There should be strict access control for these systems. The personnel with access to these machines should be well trained and well informed about all the complications that would arise if access were to fall in wrong hands. 18 ABC Systems manages all major changes, maintenance, and upkeep It is always important to check the level of access that needs to be provided to the maintenance teams. Unnecessary access could cause problems - attackers could exploit this loophole to gain unauthorized access and install backdoors into the system. 
Leak confidential information and cause system failure, thus making the system unavailable. 19 AMC Help Desk five PC technicians (not part of core IT staff Proper Training and mandatory courses are a must for the help desk members, because in absence of proper cybersecurity risks that can be at times become the mode of transferring virus and programs through their machines and resources when they connect their machine with other nodes.
  • 9. 6 Asset Classification The next step after asset identification is classifying the assets and scoring them on various criteria. The following tables describe the scale and the measures used to classify the assets. 1. Scale - Financial Value Table2: Measures for classifying asset as per their financial value 2. Mission Criticality Table3: Measures for classifying asset as per their mission criticality 3. Business Process (BP1) – Seeking Appointment This business process starts with a patient contacting the hospital to book an appointment. The appointments can be made via telephone, emails and in-person. Important assets are servers/workstation that host the appointment scheduler, if the appointment scheduler is a web- based application. It would successfully end when the patient is able to book an appointment remotely or in-person. 4. Business Process (BP2) – Claim Insurance This is the business process that involves claiming insurance. It involves, the hospital submitting a request to the insurance company and then claim the required insurance amount. 5. Business Process (BP3) – Payment Processing The process of payment processing involves billing patient after the claim deductions have been made. The billing report is generated for each successful payment processed. Very High (3) High (2) Medium (1) Low (0) $3K+ $1K-$3K $500-$1K <$500 Very High (3) High (2) Medium (1) Low (0) Critical Important Supportive No impact
6. Legal Protection Requirement
Table 4: Measures for classifying assets by legal protection requirement
Very High (3): Critical | High (2): Important | Medium (1): Supportive | Low (0): No impact
Table #5
Asset ID | Financial Value: Develop $ | Maintain $ | Replace $ | Mission Criticality: BP1 (appointment) | BP2 (insurance) | BP3 (payment) | Protection Requirement: Industry Standard | Score
1 | 1 | 1 | 1 | 2 | 2 | 1 | No | 8
2 | 1 | 1 | 1 | 2 | 0 | 0 | N | 5
3 | 1 | 1 | 1 | 2 | 0 | 0 | N | 5
4 | 0 | 0 | 1 | 0 | 0 | 0 | N | 1
5 | 1 | 1 | 2 | 1 | 1 | 1 | N | 7
6 | 2 | 2 | 3 | 2 | 3 | 2 | Y | 15
7 | 2 | 2 | 3 | 1 | 2 | 3 | Y | 14
8 | 2 | 2 | 3 | 0 | 1 | 1 | Y | 10
9 | 2 | 2 | 3 | 0 | 0 | 0 | Y | 8
10 | 1 | 0 | 3 | 1 | 1 | 1 | N | 7
11 | 2 | 2 | 3 | 2 | 3 | 2 | Y | 15
12 | 1 | 0 | 2 | 0 | 1 | 1 | N | 5
13 | 3 | 2 | 3 | 0 | 2 | 2 | Y | 13
14 | 1 | 0 | 2 | 1 | 0 | 0 | Y | 5
15 | 2 | 2 | 3 | 1 | 1 | 1 | Y | 11
16 | 2 | 2 | 3 | 0 | 0 | 0 | N | 7
17 | 2 | 2 | 3 | 0 | 1 | 1 | Y | 10
18 | 2 | 2 | 3 | 2 | 1 | 1 | N | 11
19 | 3 | 2 | 3 | 0 | 0 | 1 | Y | 10
7. Ranking Assets
Table #6
Asset Rank | Asset Code/ID | Asset Name | Asset Description | Researcher
1 | 11 | Patient Database | Database of most of the important patient information, OS10, MongoDB | Balvaishwer
2 | 13 | Emergency Care Data System Server | Diagnosis, who saw patients, what was done, billing support, patient demographics, types of care, etc. | Tushara
3 | 6 | PMS Server | Server that uses MS Access 2016 for the Personnel Management System | David
4 | 7 | FRKS Server | Server that uses Oracle 10g for the Financial Record Keeping System | Akanksha
5 | 15 | Employee and department database | Demographics, work histories, assignments, skills, disciplinary records | Pratima
Vulnerability and Threat Identification
Asset 1: Patient Database
The patient database consists of records that are specific to each patient. These records need to be protected so that the information is not misused. It needs to have:
Confidentiality - so that no source outside the office can retrieve the information when it is accessed away from the hospital premises.
Integrity - so that the data remain accurate whenever required and no one can change them.
Availability - so that the information remains on the server whenever it is needed for internal or external purposes.
i. Documenting the Threat Statement
Table #7
Asset: Patient Database. Columns: Vulnerability ID | Exploit | C | I | A | Vulnerability due to (Ref. Note 2): Technical / Administrative / Physical | Asset failure impact (Ref. Note 1) | Threat agents: Insider / Outsider
1.1 | CVE-2013-3969 | C: Yes | I: Yes | A: Yes | Technical: Execute arbitrary code via an invalid RefDB object | Impact: Execute Code | Insider: Employees | Outsider: Hackers
1.2 | CVE-2017-14227 | C: No | I: No | A: Yes | Technical: MongoDB libbson 1.7.0 can be exploited by miscalculating the bson_utf8_validate length argument | Impact: Denial of Service | Insider: Employees | Outsider: Hackers
1.3 | Poor design and implementation of the PDIS application with no auto-logout mechanism | C: Yes | I: Yes | A: No | Technical: No auto-logout mechanism | Administrative: Doctors log in to TSPs from multiple locations without logging out | Physical: Leaving TSPs unattended in a public area | Impact: Unauthorized access to important patient information | Insider: Employees | Outsider: Hackers
1.4 | Stolen passwords / spearphishing | C: Yes | I: Yes (modification of patient information) | A: Yes | Technical: Lack of training/awareness among staff | Administrative: Unaware of how to store logs for PDIS | Physical: Sharing of passwords | Impact: DoS attack | Insider: Employees | Outsider: Hackers
ii. Evidence for each vulnerability
Vulnerability 1: Under the assumption made in class that the Patient Database Information System (PDIS) uses MongoDB as its database, there are many potential vulnerabilities that could be exploited in this open source software. Senior management also raised several concerns about the risk of intrusion from an outside attack. Ref. Table 2 of the case study, "Senior Management Areas of Concern for Important Assets".
Vulnerability 2: Under the same assumption that the PDIS database is MongoDB, there are many potential vulnerabilities that could be exploited in this open source software. The concerns raised by general staff and senior management about the PDIS dropping connections also point to many potential vulnerabilities that could be exploited. Ref. Table 2 of the case study, "Senior Management Areas of Concern for Important Assets", and Table 10, "General Staff Security Concerns for Important Assets".
Vulnerability 3: Refer to Table 9, "General Staff Security Concerns for Important Assets", where the operational manager raises a concern about an improper viewing mechanism serving as grounds for potential vulnerabilities. In conversation, the general staff revealed that a doctor may log in from one system and keep logging in from other systems without a proper login mechanism. This may lead to a vulnerability that can be exploited because of the poor implementation of the system design.
Vulnerability 4: Refer to Table 5, "General Staff Security Concerns for Important Assets", where the operational manager raises the concern that too many people have access to too much information and no proper access control management system has been devised. This leads to the potential vulnerability of absent access management and people sharing passwords. In conversation, the general staff also mentioned the lack of training and password protection.
Asset 2: Emergency Care Data System Server
The Emergency Care Data System (ECDS) Server holds the records of each patient's medical report that are used by the insurance department and for billing purposes. These records need to be protected so that the information is not misused. It needs to have:
Confidentiality - so that no source outside the office can retrieve the information by gaining unauthorized access.
Integrity - so that the information that needs to be sent to and verified by other departments is accurate.
Availability - so that the records are ready to be used whenever required by the respective departments.
i. Documenting the Threat Statement
Table #8
Asset: Emergency Care Data System Server. Columns: Vulnerability ID | Exploit | C | I | A | Vulnerability due to (Ref. Note 2): Technical / Administrative / Physical | Asset failure impact (Ref. Note 1) | Threat agents: Insider / Outsider
2.1 | CVE-2016-1035 | C: Yes | I: No | A: No | Technical: Unspecified vectors | Administrative: None | Physical: Leaving Tablets and Smartphones (TSPs) unattended in a public area | Insider: Colleagues | Outsider: Hackers
2.2 | CVE-2016-3065 | C: Yes | I: No | A: Yes | Technical: Crafted byte value in a BRIN index | Administrative: None | Physical: Leaving TSPs unattended in a public area | Insider: Colleagues | Outsider: Hackers
2.3 | Server location | C: Yes | I: Yes | A: Yes | Technical: Firewall configuration | Administrative: None | Physical: Unguarded server room; lack of security personnel | Insider: Colleagues | Outsider: Hackers
2.4 | Improper training | C: No | I: Yes | A: No | Technical: None | Administrative: Too many people are entering the wrong data; multiple records for the same patient | Physical: None | Insider: Colleagues
ii. Evidence for each vulnerability
Vulnerability 1: ECDS is an SQL server, as is evident from Figure 2 of the case. SQL servers are prone to injection attacks. Attackers could modify queries via unspecified vectors for the 2016 SQL server and get hold of sensitive information. Senior management specifically states that the information on this server is highly sensitive and confidential; access needs to be granted only on a need-to-know basis. Table 5 also mentions that ECDS servers are susceptible to being hacked because of their location, and a lack of security personnel is noted under operational practices at AMC.
Vulnerability 2: ECDS is an SQL server, as is evident from Figure 2 of the case. SQL Server has a vulnerability that lets attackers bypass access restrictions by making use of a byte index and get hold of the sensitive data stored on the server. Confidentiality is critical for the ECDS server. Table 5 also mentions that ECDS servers are susceptible to being hacked because of their location, and a lack of security personnel is noted under operational practices at AMC.
Vulnerability 3: The operational managers are concerned that ECDS is susceptible to attacks because of its location and firewall configuration. Evidence for this is in Table 5 of the case.
Vulnerability 4: Senior management is also concerned that multiple employees can access, create and overwrite patient records, which could result in incorrect or multiple records for a patient. Evidence for this can be found in Table 5 of the case.
Asset 3: PMS Server
The PMS Server holds records internal to the organization relating to the work, assignments and skills available in the organization. These records need to be protected so that the information is not misused. It needs to have:
Confidentiality - so that no source outside the office can retrieve the information when it is accessed away from the hospital premises.
Integrity - so that the data remain accurate whenever required and no one can change them.
Availability - so that the information remains on the server whenever it is needed for internal or external purposes.
i. Documenting the Threat Statement
Table #8
Asset: PMS Server (Personnel Management System). Columns: Vulnerability ID | Exploit | C | I | A | Vulnerability due to (Ref. Note 2): Technical / Administrative / Physical | Asset failure impact (Ref. Note 1) | Threat agents: Insider / Outsider
3.1 | Lack of encryption | C: Yes | I: Yes | A: Yes | Technical: Lack of encryption | Administrative: Using a laptop in public areas and/or leaving the laptop logged in while taking a break | Physical: Lack of physical security in the room from which the PMS system can be logged into | Impact: Unauthorized access; modification of patient information | Insider: Colleagues | Outsider: Attacker who has gained unauthorized access to the premises
3.2 | Power outages done intentionally or unintentionally | C: No | I: No | A: Yes | Technical: Power outages done intentionally or unintentionally | Physical: Lack of sufficient power backup for the PMS server | Impact: Denial of Service | Insider: Workers, staff members, power suppliers | Outsider: Attackers who can gain access to the power supply room
3.3 | CVE-2019-2411 | C: No | I: No | A: Yes | Technical: Running MS Access version 8.0.8 is vulnerable | Administrative: None | Physical: Server location | Insider: Colleagues | Outsider: Attackers
3.4 | CVE-2017-10389 | C: Yes | I: Yes | A: Yes | Technical: Allows login to anyone with the same MS Access infrastructure | Administrative: None | Physical: Improper training | Insider: Colleagues | Outsider: Attackers
ii. Evidence for each vulnerability
Vulnerability 1: Senior management pointed out a concern for the important assets in Table 2 of the AMC case study: "Power outages can lead to a denial of access to PMS."
Vulnerability 2: Senior management was also concerned that employees could harm the system because they have access, and pointed out that "Staff could disclose confidential patient financial information" (Reference: Table 2, AMC case study). This shows that the data is not properly encrypted and is comprehensible to anyone who has access to the system.
Vulnerability 3: The PMS server is based on Microsoft Access 2016, as is evident from Figure 2 (Infrastructure Map, Critical Assets, and Systems of Interest) in the AMC case study. Figure 2 shows the route of the network and how a denial of access attack can happen: many servers are connected to one switch, and that one switch can be compromised because of its connection to multiple departments.
Vulnerability 4: The PMS server is based on Microsoft Access 2016, as is evident from Figure 2 (Infrastructure Map, Critical Assets, and Systems of Interest) in the AMC case study. Figure 2 shows the route of the network and how this type of vulnerability can happen. Often, and in this case, companies have one route from the workstations through the switch to the server. The workstations could also share the same login credentials for MS Access, which causes a major problem if one workstation is compromised or someone shoulder surfs.
Asset 4: FRKS Server
The FRKS Server is a record keeping server where information related to insurance, billing records, patients' confidential information, etc. is stored, so it has a prime place in the security picture. It is important that this asset has:
Confidentiality - so that even insiders who can access these records are not able to comprehend them.
Integrity - so that the information that needs to be sent to and verified by other departments is accurate.
Availability - so that the records are ready to be used whenever required by the respective departments.
i. Documenting the Threat Statement
Table #9
Asset: FRKS Server (Financial Record Keeping System). Columns: Vulnerability ID | Exploit | C | I | A | Vulnerability due to (Ref. Note 2): Technical / Administrative / Physical | Asset failure impact (Ref. Note 1) | Threat agents: Insider / Outsider
4.1 | Power outages done intentionally or unintentionally | C: No | I: No | A: Yes | Technical: Power outages done intentionally or unintentionally | Physical: Lack of sufficient power backup for the FRKS server | Impact: Denial of access | Insider: Workers, staff members, power suppliers | Outsider: Attackers who can gain access to the power supply room
4.2 | Lack of encryption | C: Yes | I: Yes | A: Yes | Technical: Lack of encryption | Administrative: Using a laptop in public areas and/or leaving the laptop logged in while taking a break | Physical: Lack of physical security in the room from which the FRKS system can be logged into | Impact: Unauthorized access | Insider: Colleagues | Outsider: Attackers who can gain access to the power supply room
4.3 | CVE-2006-0272 | C: Yes | I: Yes (modification of patient information) | A: Yes | Administrative: Using a laptop in public areas and/or leaving the laptop logged in while taking a break | Impact: Buffer overflow | Insider: Insider with admin credentials | Outsider: Attackers
4.4 | CVE-2006-6703 | C: Yes | I: Yes | A: Yes | Administrative: If mod_security is not enabled or the latest patch is not applied | Impact: Cross-site scripting | Insider: User who knows simple SQL coding and has access to the system | Outsider: Attackers
ii. Evidence for each vulnerability
Vulnerability 1: Senior management pointed out a concern for the important assets in Table 2 of the AMC case study: "Power outages can lead to a denial of access to FRKS. We'd have to deal with a potentially large backlog of data entry and verification to do billing and insurance." Thus there is evidence that this could occur.
Vulnerability 2: Senior management was also concerned that employees could harm the system because they have access, and pointed out that "Staff could disclose confidential patient financial information" (Reference: Table 2, AMC case study). This shows that the data is not properly encrypted and is comprehensible to anyone who has access to the system. There is thus a security requirement to keep the data confidential.
Vulnerability 3: The FRKS Server is based on Oracle 10g, as is evident from Figure 2 (Infrastructure Map, Critical Assets, and Systems of Interest) in the AMC case study. This vulnerability is listed for Oracle 10g with high risk and criticality. The figure also shows that the FRKS Server is placed in the administration department, whose workstations run Windows as the operating system. Link: https://nvd.nist.gov/vuln/detail/CVE-2006-0272
Vulnerability 4: The FRKS Server is based on Oracle 10g, as is evident from Figure 2 (Infrastructure Map, Critical Assets, and Systems of Interest) in the AMC case study. This vulnerability is listed for Oracle 10g with high risk and criticality. Link: https://nvd.nist.gov/vuln/detail/CVE-2006-6703
Asset 5: Employee and department database
As the name indicates, this database holds information about the employees working in the medical center and its various departments. A breach of this information would not only be detrimental to the organization but would disrupt it internally, so protecting this information is of high importance. It needs to have:
Confidentiality - so that no outside source can take advantage of the employees in any way.
Integrity - so that the information is not altered and is verified on a timely basis to maintain trust in the organization.
Availability - so that information can be retrieved whenever needed, especially for auditing and verification purposes.
i. Documenting the Threat Statement
Table #10
Asset: Employee and Department Database. Columns: Vulnerability ID | Exploit | C | I | A | Vulnerability due to (Ref. Note 2): Technical / Administrative / Physical | Asset failure impact (Ref. Note 1) | Threat agents: Insider / Outsider
5.1 | CVE-2002-0570 | C: Yes | I: Yes | A: Yes | Technical: No proper authentication of the entity that is encrypting the data, which allows local users to modify encrypted data without knowing the key | Administrative: None | Impact: Sniffing data packets on the network; refabricating employee information | Insider: Employees | Outsider: Hackers
5.2 | CVE-2017-5653 | C: Yes | I: Yes | A: Yes | Technical: Not validating that the service response was signed or encrypted, thereby allowing anyone to spoof servers remotely | Administrative: None | Impact: DoS attack; refabricating employee information; modifying code to monitor the network data; cross-site scripting | Insider: Employees (people who have basic knowledge of computers) | Outsider: Hackers
5.3 | Employee and department data stored in unencrypted format | C: Yes | I: Yes (modification of patient information) | A: Yes | Technical: Employee and department data stored in unencrypted format | Administrative: Using laptops on public Wi-Fi / keeping systems logged in while leaving the system | Physical: Placement of the employee database on machines that can be accessed by all members of the organization | Impact: Unauthorized access to important employee information | Insider: Employees | Outsider: Hackers
5.4 | Employee | C: Yes | I: Yes | A: Yes | Technical: No knowledge of the employee update logs in the system | Administrative: Inefficient training/skillset of employees using the database | Impact: Modification of the employee information | Insider: Employees | Outsider: Hackers
ii. Evidence for each vulnerability
Vulnerability 1: In the operational practices, authentication and authorization survey results, the operational manager is unclear about access control and user authentication. The policy does not clearly specify authentication and authorization restrictions, which might result in the introduction of CVE-2017-5653 into the system.
Vulnerability 2: In the operational practices, authentication and authorization results, no validation of responses takes place when data is committed to the database servers, so the CVE-2002-0570 vulnerability may be introduced into the system.
Vulnerability 3: As mentioned in Table 2 listing the different assets for the systems, there is no physical security for the room from which the systems are accessed, so anyone could wander in and see the confidential information displayed on the workstations.
Vulnerability 4: As mentioned in Table 2 listing the different assets for the systems, improper training means staff could intentionally enter erroneous data into the system. Hence there is evidence of this vulnerability being present in the system.
Cybersecurity Risk Estimation
Risk assessments are used to identify, estimate, and prioritize risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems. We have identified:
1. Relevant threats to the organization
2. Technical and non-technical vulnerabilities
3. Impact if those vulnerabilities are exploited
4. Likelihood of exploitation
For each non-technical vulnerability we estimated its impact score and exploitability using the vulnerability calculator, setting the parameters to the best of our judgement; from those scores we derived the impact score and the likelihood. For the technical vulnerabilities we used the National Vulnerability Database to obtain the impact score and the likelihood (exploitability) score.
Figure #1 - Risk matrix (rows: likelihood; columns: impact)
Likelihood \ Impact | Negligible | Minor | Moderate | Significant | Severe
Very Likely | Low Med | Medium | Medium High | High | High
Likely | Low | Low Med | Medium | Medium High | High
Possible | Low | Low Med | Medium | Medium High | Medium High
Unlikely | Low | Low Med | Low Med | Medium | Medium High
Very Unlikely | Low | Low | Low Med | Medium | Medium
Qualitative Scale to Measure Threat Likelihood
Table #11
Very Likely: 8 < Exploitability Score <= 10 | Likely: 6 < Exploitability Score <= 8 | Possible: 4 < Exploitability Score <= 6 | Unlikely: 2 < Exploitability Score <= 4 | Highly Unlikely: Exploitability Score <= 2
Table #12 - FRKS Server
Threat due to | Likelihood
Power outages done intentionally or unintentionally | Highly Unlikely (Score 0.2)
Lack of encryption | Highly Unlikely (Score 0.3)
CVE-2006-0272 | Very Likely (Score 8.0)
CVE-2006-6703 | Very Likely (Score 8.6)
Table #13 - ECDS Server
Threat due to | Likelihood
CVE-2016-1035 | Unlikely (Score 3.9)
CVE-2016-3065 | Unlikely (Score 3.9)
Unguarded server room; lack of security personnel | Highly Unlikely (Score 0.9)
Too many people are entering the wrong data; multiple records for the same patient | Unlikely (Score 2.1)
Table #14 - PMS Server
Threat due to | Likelihood
Power outages done intentionally or unintentionally | Highly Unlikely (Score 0.2)
Lack of encryption | Highly Unlikely (Score 0.3)
CVE-2019-2411 | Likely (Score 7.6)
CVE-2017-10389 | Possible (Score 5.7)
Table #15 - Patient Database
Threat due to | Likelihood
Poor design and implementation of PDIS application with no auto-logout mechanism | Highly Unlikely (Score 0.9)
Lack of training/awareness among staff | Highly Unlikely (Score 0.9)
CVE-2013-3969 | Very Likely (Score 8.0)
CVE-2017-14227 | Very Likely (Score 3.9)
Table #16 – Employee and Department Database
Threat due to | Likelihood
CVE-2017-5653 | Very Likely (Score 10.0)
CVE-2002-0570 | Unlikely (Score 3.9)
Lack of encryption | Highly Unlikely (Score 0.3)
Lack of training/awareness among staff | Highly Unlikely (Score 0.9)
Qualitative Scale to Measure Final Impact Value
Estimate of the Final Impact Value (FIV) associated with each threat statement. AVS is the asset's score from Table #5 divided by the maximum of 19; CIS is the CVSS v3 impact score divided by 10; FIV = AVS + CIS.
Table #17 - FRKS Server
Threat due to | Asset Value Score (/19) (AVS) | CVSS v3 Impact Score (/10) (CIS) | Final Impact Value (FIV) = AVS + CIS
Power outages done intentionally or unintentionally | 14 (FRKS Server)/19 = 0.74 | 4/10 = 0.4 | 1.14
Lack of encryption | 14 (FRKS Server)/19 = 0.74 | 4.7/10 = 0.47 | 1.21
CVE-2006-0272 | 14 (FRKS Server)/19 = 0.74 | 10/10 = 1 | 1.74
CVE-2006-6703 | 14 (FRKS Server)/19 = 0.74 | 6.4/10 = 0.64 | 1.38
Table #18 - PMS Server
Threat due to | Asset Value Score (/19) (AVS) | CVSS v3 Impact Score (/10) (CIS) | Final Impact Value (FIV) = AVS + CIS
Power outages done intentionally or unintentionally | 15 (PMS Server)/19 = 0.79 | 4/10 = 0.4 | 1.19
Lack of encryption | 15 (PMS Server)/19 = 0.79 | 4.7/10 = 0.47 | 1.26
CVE-2019-2411 | 15 (PMS Server)/19 = 0.79 | 7.6/10 = 0.76 | 1.55
CVE-2017-10389 | 15 (PMS Server)/19 = 0.79 | 5.7/10 = 0.57 | 1.36
Table #19 - Patient Database
Threat due to | Asset Value Score (/19) (AVS) | CVSS v3 Impact Score (/10) (CIS) | Final Impact Value (FIV) = AVS + CIS
Poor design and implementation of PDIS application with no auto-logout mechanism | 15 (PDS)/19 = 0.78 | 6/10 = 0.6 | 1.38
Lack of training/awareness among staff | 15 (PDS)/19 = 0.78 | 6.7/10 = 0.6 | 1.38
CVE-2013-3969 | 15 (PDS)/19 = 0.78 | 6.4/10 = 0.64 | 1.42
CVE-2017-14227 | 15 (PDS)/19 = 0.78 | 3.6/10 = 0.36 | 1.14
Table #20 - ECDS Server
Threat due to | Asset Value Score (/19) (AVS) | CVSS v3 Impact Score (/10) (CIS) | Final Impact Value (FIV) = AVS + CIS
CVE-2016-1035 | 13/19 = 0.68 | 7.5/10 = 0.75 | 1.43
CVE-2016-3065 | 13/19 = 0.68 | 5.2/10 = 0.52 | 1.2
Unguarded server room; lack of security personnel | 13/19 = 0.68 | 5.9/10 = 0.59 | 1.27
Too many people are entering the wrong data; multiple records for the same patient | 13/19 = 0.68 | 3.6/10 = 0.36 | 1.04
Table #21 – Employee and Department Database
Threat due to | Asset Value Score (/19) (AVS) | CVSS v3 Impact Score (/10) (CIS) | Final Impact Value (FIV) = AVS + CIS
CVE-2017-5653 | 11/19 = 0.58 | 2.9/10 = 0.29 | 0.87
CVE-2002-0570 | 11/19 = 0.58 | 3.9/10 = 0.39 | 0.97
Lack of encryption | 11/19 = 0.58 | 4.7/10 = 0.47 | 1.05
Lack of training/awareness among staff | 11/19 = 0.58 | 6.7/10 = 0.67 | 1.25
Qualitative Scale to Measure the Impact of a Cybersecurity Threat
Table #22
Severe: 1.6 < FIV <= 2 | Significant: 1.2 < FIV <= 1.6 | Moderate: 0.8 < FIV <= 1.2 | Minor: 0.4 < FIV <= 0.8 | Negligible: FIV <= 0.4
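The scoring pipeline defined by Table #5, Table #11, Tables #17 to #21, Table #22 and the risk matrix in Figure #1 is short enough to be written down as code. The Python below is an added example, not part of the report or the AMC case: it computes an asset's Table #5 score, derives AVS and CIS, buckets the FIV and the exploitability score into the qualitative scales, reads the risk level from the matrix, and orders a list of threats by that level. Function names (asset_score, estimate_risk, prioritise) are the example's own, and the scale boundaries are applied exactly as the tables state them, so a score sitting on a boundary (for instance an exploitability of exactly 8.0) falls into the lower bucket.

```python
"""Risk scoring as defined in the AMC report's tables (added example, not the
report's own code). Scale boundaries are applied strictly as written:
lower bound exclusive, upper bound inclusive."""

# Table #11: (lower bound exclusive, upper bound inclusive, label)
LIKELIHOOD_SCALE = [
    (8.0, 10.0, "Very Likely"),
    (6.0, 8.0, "Likely"),
    (4.0, 6.0, "Possible"),
    (2.0, 4.0, "Unlikely"),
    (float("-inf"), 2.0, "Highly Unlikely"),
]

# Table #22: FIV buckets
IMPACT_SCALE = [
    (1.6, 2.0, "Severe"),
    (1.2, 1.6, "Significant"),
    (0.8, 1.2, "Moderate"),
    (0.4, 0.8, "Minor"),
    (float("-inf"), 0.4, "Negligible"),
]
IMPACT_ORDER = ["Negligible", "Minor", "Moderate", "Significant", "Severe"]

# Figure #1: rows are likelihood, columns follow IMPACT_ORDER
RISK_MATRIX = {
    "Very Likely":     ["Low Med", "Medium", "Medium High", "High", "High"],
    "Likely":          ["Low", "Low Med", "Medium", "Medium High", "High"],
    "Possible":        ["Low", "Low Med", "Medium", "Medium High", "Medium High"],
    "Unlikely":        ["Low", "Low Med", "Low Med", "Medium", "Medium High"],
    "Highly Unlikely": ["Low", "Low", "Low Med", "Medium", "Medium"],
}
RISK_ORDER = ["Low", "Low Med", "Medium", "Medium High", "High"]

MAX_ASSET_SCORE = 19  # the "/19" denominator used in Tables #17 to #21


def bucket(value, scale):
    """Map a numeric score onto a qualitative label using (lo, hi, label) bands."""
    for lo, hi, label in scale:
        if lo < value <= hi:
            return label
    raise ValueError(f"{value} lies outside the scale")


def asset_score(develop, maintain, replace, bp1, bp2, bp3, industry_standard):
    """Table #5 score: six criteria scored 0-3, plus 1 when an industry
    standard applies (this is how the report's Score column is obtained)."""
    criteria = (develop, maintain, replace, bp1, bp2, bp3)
    for s in criteria:
        if s not in (0, 1, 2, 3):
            raise ValueError(f"criterion score {s} is not on the 0-3 scale")
    return sum(criteria) + (1 if industry_standard else 0)


def final_impact_value(score, cvss_impact):
    """FIV = AVS + CIS, with AVS = score/19 and CIS = CVSS v3 impact/10."""
    avs = score / MAX_ASSET_SCORE
    cis = cvss_impact / 10
    return round(avs + cis, 2)


def estimate_risk(score, cvss_impact, exploitability):
    """Full chain for one threat: FIV -> impact bucket, exploitability ->
    likelihood bucket, then the matrix lookup."""
    fiv = final_impact_value(score, cvss_impact)
    impact = bucket(fiv, IMPACT_SCALE)
    likelihood = bucket(exploitability, LIKELIHOOD_SCALE)
    risk = RISK_MATRIX[likelihood][IMPACT_ORDER.index(impact)]
    return {"fiv": fiv, "impact": impact, "likelihood": likelihood, "risk": risk}


def prioritise(threats):
    """threats: iterable of (threat_id, asset_score, cvss_impact, exploitability).
    Returns [(threat_id, risk)] with the highest risk first."""
    rows = [(tid, estimate_risk(s, c, e)["risk"]) for tid, s, c, e in threats]
    return sorted(rows, key=lambda r: RISK_ORDER.index(r[1]), reverse=True)


if __name__ == "__main__":
    # Values taken from the report: FRKS Server (asset 7) scores 14 in Table #5,
    # threat 4.4 has CVSS impact 6.4 and exploitability 8.6 (Tables #12, #17).
    print(asset_score(2, 2, 3, 1, 2, 3, True))      # 14
    print(estimate_risk(14, 6.4, 8.6))              # Significant, Very Likely, High
    print(prioritise([("2.4", 13, 3.6, 2.1), ("4.4", 14, 6.4, 8.6)]))
```

Running it on the report's FRKS figures reproduces row 4.4 of Table #28 (Very Likely, Significant, High); the ECDS data-entry threat 2.4 reproduces Unlikely, Moderate, Low Med. The rounding step inside final_impact_value is what makes the code agree with the two-decimal FIV values in the tables, so a reviewer re-running the numbers should keep it.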
Table #23 - FRKS Server
Threat due to | FIV
Power outages done intentionally or unintentionally | Moderate (Score 1.14)
Lack of encryption | Significant (Score 1.21)
CVE-2006-0272 | Severe (Score 1.74)
CVE-2006-6703 | Significant (Score 1.38)
Table #24 - Patient Database
Threat due to | FIV
Poor design and implementation of PDIS application with no auto-logout mechanism | Severe (1.38)
Lack of training/awareness among staff | Severe (1.38)
CVE-2013-3969 | Severe (1.42)
CVE-2017-14227 | Moderate (1.14)
Table #25 - PMS Server
Threat due to | FIV
Power outages done intentionally or unintentionally | Moderate (1.19)
Lack of encryption | Significant (1.26)
CVE-2019-2411 | Significant (1.55)
CVE-2017-10389 | Significant (1.36)
Table #26 - ECDS Server
Threat due to | FIV
CVE-2016-1035 | Significant (1.43)
CVE-2016-3065 | Moderate (1.2)
Unguarded server room; lack of security personnel | Significant (1.27)
Too many people are entering the wrong data; multiple records for the same patient | Moderate (1.04)
Table #27 - Employee and Department Database
Threat due to | FIV
CVE-2017-5653 | Moderate (Score 0.87)
CVE-2002-0570 | Moderate (Score 0.97)
Lack of encryption | Moderate (Score 1.05)
Lack of training/awareness among staff | Significant (Score 1.25)
RISK ESTIMATION
Table #28
Vulnerability ID | Likelihood | Impact | Risk
1.1 | Highly Unlikely | Severe | Medium
1.2 | Highly Unlikely | Severe | Medium
1.3 | Very Likely | Severe | High
1.4 | Very Likely | Moderate | Med Hi
2.1 | Unlikely | Significant | Medium
2.2 | Unlikely | Moderate | Low Med
2.3 | Highly Unlikely | Significant | Medium
2.4 | Unlikely | Moderate | Low Med
3.1 | Highly Unlikely | Moderate | Low Med
3.2 | Highly Unlikely | Significant | Medium
3.3 | Likely | Significant | Med Hi
3.4 | Possible | Significant | Med Hi
4.1 | Highly Unlikely | Moderate | Low Med
4.2 | Highly Unlikely | Significant | Medium
4.3 | Very Likely | Severe | High
4.4 | Very Likely | Significant | High
5.1 | Very Likely | Moderate | Med Hi
5.2 | Unlikely | Moderate | Low Med
5.3 | Highly Unlikely | Moderate | Low Med
5.4 | Highly Unlikely | Significant | Medium
Cyber Security Risk Management Strategy
Table #29
Threat ID | Mitigation Strategy
1.1 | Replace the vulnerable MongoDB 2.4.0 with the stable release 2.6.1 so that the invalid pointer reference to the RefDB can no longer be exploited. This comes free of cost since MongoDB is open source software. Regular updates and patches of the software need to be installed.
1.2 | To protect the organization from this threat, the most recent stable version of MongoDB libbson needs to be installed in place of 1.7.0, in order to stop an attacker from executing remote commands and causing a DDoS. This strategy also costs nothing since MongoDB is open source software. Regular updates and patches of the software need to be installed.
1.3 | To deal with this threat the application needs to be redesigned, taking into consideration a logout mechanism for when a user is inactive for 20 minutes or logs in from multiple locations.
1.4 | This threat can be controlled by implementing a policy of updating passwords every 6 months; employees need to be trained in cybersecurity practice, and the IT team needs to know how to store and access the logs of the PDIS servers. The cost of training is estimated at $290K per year for large enterprises with between 1000 and 5000 employees (1).
2.1 | Since the asset is at medium risk due to this vulnerability, we mitigate this risk. Adobe has released a hotfix for this vulnerability. Update to the latest version of the server at no additional cost, and install regular updates and security patches.
2.2 | Since the asset is at low-medium risk due to this vulnerability, we mitigate this risk. The vendor has released a software patch for this vulnerability. Installing security patches regularly should help mitigate such vulnerabilities.
2.3 | This vulnerability is due to human behavior and error. It can be avoided by having guards work in shifts, placing security cameras and enabling remote monitoring of the premises. However, this would incur additional cost to the organization for extra guards and security cameras. It is advised to avoid this risk, because we cannot mitigate it.
2.4 | The organization should avoid this risk. To avoid this vulnerability there must be strict read-write access controls in place, for instance allowing only one person to modify the records or disabling multiple writes.
3.1 | The organization should mitigate this risk. There is a lack of encryption within the server, and although encryption helps secure it, there is no way to totally fix this problem given the constant danger of attackers. One way to mitigate it is to add encryption software to the server.
3.2 | The organization should mitigate this risk by making constant and regular backups. Training can also help employees back up data properly, and regular reminders would also help.
3.3 | The organization should avoid this risk instead of mitigating it. The server should be updated to the latest version as early as possible. This should come at no cost to the company, but it does take some time. Implementing backups of the servers before the updates take place would also be beneficial for data retention. The cost of backing up depends on the amount of data that is backed up; manual backups can cost around $100.
3.4 | The organization should mitigate this risk instead of avoiding it. They could obtain different logins for MS Access instead of using the same login. When they discover that one login has been compromised, they should alert others not to use that login anymore and obtain new ones. Backing up their data is also a good way to avoid losing progress if and when a login is compromised. Manual backups can cost around $100.
4.1 | This vulnerability depends on the risk of power outages. The concern could be addressed in two ways. First, there should be backup power such as a UPS for the main server that supports it for a short time in case of a power outage. Second, any unauthorized access to the power house should be restricted.
4.2 | This vulnerability could be addressed by properly training employees who plan to use their personal devices outside not to use them in public places. Unauthorized access to the system should also be restricted. Along with this, the confidential data should be encrypted so that it is not comprehensible even if it is accessed.
4.3 | This vulnerability could be addressed by ensuring no one can access or edit the source code. Before any code movement, the code needs to be tested and validated in the quality system and only then moved to the production environment.
4.4 | Since this vulnerability is related to cross-site scripting, we need to make sure that no data from the data source is allowed to make changes to the JavaScript used. We could also implement a content security policy.
5.1 | The organization should update the system with the latest v3 patches to reduce the risk associated with the vulnerability. This will not only reduce the risk of attacks due to unencrypted data but also reduce the impact score to 1.4 from a significant 2.9.
5.2 | This risk can be avoided by the organization by introducing encryption and certificate management that verifies the authenticity of the service response sent by the receiver. This will prevent the remote spoofing of servers.
5.3 | This can be avoided by introducing software such as Symantec Encryption, which performs end-to-end encryption across all connected devices. This will not only eliminate the risk due to unencrypted data but also prevent data loss, data corruption and interception of data in transit.
5.4 | This vulnerability is due to staff intentionally introducing erroneous data into the database. It can be avoided by performing background checks on all employees, conducting security checks, and keeping thorough checks throughout the premises where the sensitive data is stored.
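Mitigation 1.3 asks for the PDIS application to log a user out after 20 minutes of inactivity and to handle the case where one user logs in from multiple locations (the behaviour behind vulnerability 1.3, doctors staying logged in on several TSPs). The Python below is an added example, not code from the report or from AMC: a minimal server-side session store that enforces an idle timeout and keeps one live session per user, revoking the earlier session when a new login arrives, and records each event in an audit list so the activity can be monitored. SessionStore, FakeClock, the 20-minute constant and the single-session rule are the example's own assumptions.

```python
"""Session policy for an idle timeout and one-session-per-user rule
(added example, not the report's own code)."""
import secrets
import time

IDLE_TIMEOUT_SECONDS = 20 * 60  # the 20-minute inactivity limit from mitigation 1.3


class SessionStore:
    """Server-side session table. The clock is injectable so the policy can be
    tested without waiting; in production the default monotonic clock is used."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}   # token -> {"user", "location", "last_seen"}
        self._by_user = {}    # user -> token of that user's only live session
        self.audit = []       # (event, user, location) records for monitoring

    def login(self, user, location):
        """Create a session; a login from a second location revokes the first."""
        old = self._by_user.get(user)
        if old is not None:
            self._sessions.pop(old, None)
            self.audit.append(("revoked_on_new_login", user, location))
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[token] = {"user": user, "location": location,
                                 "last_seen": self._clock()}
        self._by_user[user] = token
        self.audit.append(("login", user, location))
        return token

    def touch(self, token):
        """Validate a request's session. Returns the user, or None when the
        session was revoked or has been idle longer than the limit."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > IDLE_TIMEOUT_SECONDS:
            self._expire(token, "idle_timeout")
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, token):
        if token in self._sessions:
            self._expire(token, "logout")

    def _expire(self, token, reason):
        session = self._sessions.pop(token)
        if self._by_user.get(session["user"]) == token:
            del self._by_user[session["user"]]
        self.audit.append((reason, session["user"], session["location"]))


class FakeClock:
    """Deterministic clock for the demo and tests (constructed, not real time)."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Walk through the scenario from vulnerability 1.3: a doctor logs in on a
    ward tablet, then on a second tablet, then leaves both unattended."""
    clock = FakeClock()
    store = SessionStore(clock)
    first = store.login("dr_smith", "ward-A-tablet")   # constructed sample user
    clock.advance(10 * 60)
    assert store.touch(first) == "dr_smith"            # active after 10 minutes
    second = store.login("dr_smith", "ward-B-tablet")  # second location
    first_alive = store.touch(first) is not None       # revoked by the new login
    clock.advance(21 * 60)
    second_alive = store.touch(second) is not None     # idle longer than 20 minutes
    return {"first_revoked": not first_alive,
            "second_expired": not second_alive,
            "events": [event for event, _, _ in store.audit]}


if __name__ == "__main__":
    print(demo())
```

The audit list is the piece a security operations team would forward to central logging: a burst of revoked_on_new_login events for one user, or sessions that only ever end by idle_timeout, are the observable signs of the unattended-device behaviour the report describes.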
Appendix A
Measurement scales used for Asset Classification
1. Scale - Financial Value
Table 2: Measures for classifying assets by financial value
Very High (3): $3K+ | High (2): $1K-$3K | Medium (1): $500-$1K | Low (0): <$500
2. Mission Criticality
Table 3: Measures for classifying assets by mission criticality
Very High (3): Critical | High (2): Important | Medium (1): Supportive | Low (0): No impact
3. Business Process (BP1) – Seeking Appointment
This business process starts with a patient contacting the hospital to book an appointment. Appointments can be made via telephone, email and in person. The important assets are the servers/workstations that host the appointment scheduler, if the scheduler is a web-based application. The process ends successfully when the patient is able to book an appointment remotely or in person.
4. Business Process (BP2) – Claim Insurance
This business process involves claiming insurance: the hospital submits a request to the insurance company and then claims the required insurance amount.
5. Business Process (BP3) – Payment Processing
Payment processing involves billing the patient after the claim deductions have been made. A billing report is generated for each successful payment processed.
6. Legal Protection Requirement
Table 4: Measures for classifying assets by legal protection requirement
Very High (3): Critical | High (2): Important | Medium (1): Supportive | Low (0): No impact
Appendix B

Vulnerability-Threat identification tree(s)

Tree analysis – FRKS Server (Figure 2)
Tree analysis – PMS Server (Figure 3)
Tree analysis for Patient Database (Figure 4)
Tree analysis for ECDS Server (Figure 5)
Tree analysis for Employee and Department Database (Figure 6)

Vulnerability Matrix for FRKS Database Threats (Figures 7 and 8)

Vulnerability Matrix for Patient Database Threats:
1. Poor design and implementation of the PDIS application with no auto-logout mechanism (Figure 10)
2. Lack of training/awareness among staff (Figure 11)
3. CVE-2013-3969 (Figure 12)
4. CVE-2017-14227 (Figure 13)

Vulnerability Matrix for ECDS Server Threats (Figures 14, 15, 16 and 17)

Vulnerability Matrix for Employee and Department Database Threats (Figures 18 and 21)

Appendix C

Table 11: Qualitative Scale to Measure Threat Likelihood

Likelihood        Exploitability Score
Very Likely       8 < Exploitability Score <= 10
Likely            6 < Exploitability Score <= 8
Possible          4 < Exploitability Score <= 6
Unlikely          2 < Exploitability Score <= 4
Highly Unlikely   Exploitability Score <= 2
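To show how the likelihood and impact bands combine with the Appendix E risk matrix into a single rating, here is an added Python example; it is not code from the report, and the threat scores it feeds in are constructed values, not the report's.

```python
# Added example (not the AMC report's own code): rate a threat with the report's
# exploitability and FIV scales (Appendix C/D) and its risk matrix (Appendix E).

# (upper bound, label): a value falls in the first band whose bound it does not
# exceed, matching the "x < score <= y" intervals of the qualitative scales.
LIKELIHOOD_BANDS = [(2, "Highly Unlikely"), (4, "Unlikely"), (6, "Possible"),
                    (8, "Likely"), (10, "Very Likely")]
IMPACT_BANDS = [(0.4, "Negligible"), (0.8, "Minor"), (1.2, "Moderate"),
                (1.6, "Significant"), (2.0, "Severe")]
IMPACT_COLUMNS = [label for _, label in IMPACT_BANDS]

# Appendix E matrix: one row per likelihood, one cell per impact column. The
# report labels the last row "Very Unlikely" in the matrix and "Highly Unlikely"
# in the likelihood scale; both are treated here as the same band.
RISK_MATRIX = {
    "Very Likely":     ["Low Med", "Medium", "Medium High", "High", "High"],
    "Likely":          ["Low", "Low Med", "Medium", "Medium High", "High"],
    "Possible":        ["Low", "Low Med", "Medium", "Medium High", "Medium High"],
    "Unlikely":        ["Low", "Low Med", "Low Med", "Medium", "Medium High"],
    "Highly Unlikely": ["Low", "Low", "Low Med", "Medium", "Medium"],
}
RISK_ORDER = ["Low", "Low Med", "Medium", "Medium High", "High"]


def _band(value, bands, name):
    """Band label for value; values off the scale are rejected, not clamped."""
    top = bands[-1][0]
    if not 0 <= value <= top:
        raise ValueError(f"{name} {value} is outside 0..{top}")
    return next(label for bound, label in bands if value <= bound)


def risk_rating(exploitability, fiv):
    """Map (exploitability score, FIV) to (likelihood, impact, risk level)."""
    likelihood = _band(exploitability, LIKELIHOOD_BANDS, "exploitability score")
    impact = _band(fiv, IMPACT_BANDS, "FIV")
    return likelihood, impact, RISK_MATRIX[likelihood][IMPACT_COLUMNS.index(impact)]


def prioritise(threats):
    """Sort (threat_id, exploitability, fiv) tuples by risk level, highest first."""
    rated = [(tid, *risk_rating(e, f)) for tid, e, f in threats]
    return sorted(rated, key=lambda r: RISK_ORDER.index(r[3]), reverse=True)


if __name__ == "__main__":
    # Constructed scores for three of the report's threat IDs (not its values).
    sample = [("1.1", 3.9, 0.5), ("1.3", 8.6, 1.7), ("2.3", 5.5, 1.0)]
    for tid, lik, imp, risk in prioritise(sample):
        print(f"{tid}: {lik} / {imp} -> {risk}")
```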
Appendix D

Table 22: Qualitative Scale to Measure the Impact of a Cybersecurity Threat

Impact        FIV
Severe        1.6 < FIV <= 2
Significant   1.2 < FIV <= 1.6
Moderate      0.8 < FIV <= 1.2
Minor         0.4 < FIV <= 0.8
Negligible    FIV <= 0.4

Appendix E

Cybersecurity risk matrix and risk management strategy

Risk Matrix (rows: likelihood; columns: impact)

                Negligible   Minor      Moderate      Significant   Severe
Very Likely     Low Med      Medium     Medium High   High          High
Likely          Low          Low Med    Medium        Medium High   High
Possible        Low          Low Med    Medium        Medium High   Medium High
Unlikely        Low          Low Med    Low Med       Medium        Medium High
Very Unlikely   Low          Low        Low Med       Medium        Medium

Risk Management Strategy

Threat ID   Mitigation Strategy

1.1 Replace the vulnerable MongoDB 2.4.0 with the stable release 2.6.1 so that the invalid pointer reference to the RefDb can no longer be exploited. This comes free of cost since MongoDB is open-source software. Regular updates and patches of the software need to be installed.

1.2 To protect the organization from this threat, the latest stable version of MongoDB libbson needs to be installed in place of 1.7.0, to stop an attacker from executing remote commands and causing a DDoS. This strategy also costs nothing since MongoDB is open-source software. Regular updates and patches of the software need to be installed.

1.3 To deal with this threat the application needs to be redesigned, taking into consideration a log-out mechanism that triggers when the user is inactive for 20 minutes or when a user logs in from multiple locations.

1.4 This threat can be controlled by implementing a policy of updating passwords every 6 months; employees need to be trained in cyber security practice, and the IT team needs to know how to store and access the logs of the PDIS servers. The cost of training is estimated at $290K per year for large enterprises with between 1000 and 5000 employees (1).

2.1 Since the asset is at medium risk due to this vulnerability, we mitigate this risk. Adobe has released a hotfix for this vulnerability. Update to the latest version of the server at no additional cost. Install regular updates and security patches.

2.2 Since the asset is at Low–Medium risk due to this vulnerability, we mitigate this risk. The vendor has released a software patch for this vulnerability. Installing security patches regularly should help mitigate such vulnerabilities.

2.3 This vulnerability is due to human behavior and error. It can be avoided by having guards work in shifts, placing security cameras and enabling remote invigilation of the premises. However, this would incur additional cost to the organization (extra guards, security cameras). Avoidance is advised, because we cannot mitigate such risks.

2.4 The organization should avoid this risk. To avoid this vulnerability there must be strict read-write access controls in place, for instance allowing only one person to modify the records or disabling multiple writes.
3.1 The organization should mitigate this risk. There is a lack of encryption within the server, and although encryption helps to better secure it, there is no way to fix this problem completely because of the constant danger of attackers. One way to mitigate it is to add encryption software to the server.

3.2 The organization should mitigate this risk by making constant and regular backups. Training can also help employees back up data properly, and regular reminders would also help.
3.3 The organization should avoid this risk instead of mitigating it. The server should be updated to the latest version as early as possible. This should cost the company nothing, but it does take some time. Also, backing up the servers when the updates take place would help with data retention. The cost of backing up depends on the amount of data backed up; manual backups can cost around $100.

3.4 The organization should mitigate this risk instead of avoiding it. They could obtain different logins for MS Access instead of using the same login. When they discover that one login has been compromised, they should alert others not to use that login anymore and to obtain new ones. Also, backing up their data is a good way not to lose their progress if and when a login is compromised. Manual backups can cost around $100.

4.1 This vulnerability depends on the risk of power outages. The concern could be addressed in two ways. First, there should be backup power such as a UPS for the main server, to support it for a short time in case of a power outage. Second, any unauthorized access to the power house should be restricted.

4.2 This vulnerability could be addressed by properly training employees who plan to use their personal assets outside the organization not to use them in public places. Also, unauthorized access to the system should be restricted. Along with this, the confidential data should be encrypted so that it is not comprehensible even if it is accessed.

4.3 This vulnerability could be addressed by ensuring that no one can access or edit the source code. Before any code movement it needs to be tested and validated in the quality system, and only then moved to the production environment.

4.4 Since this vulnerability is related to cross-site scripting, we need to make sure that no data from the data source is allowed to change the JavaScript used. We could also implement a content security policy.
5.1 The organization should update the system with the latest v3 patches to reduce the risk associated with the vulnerability. This will not only reduce the risk of attacks due to unencrypted data but also reduce the impact score to 1.4 from a significant 2.9.

5.2 This risk can be avoided by introducing encryption and certificate management that verifies the authenticity of the service response received. This will prevent remote spoofing of servers.

5.3 This can be avoided by introducing systems with software like Symantec Encryption, which performs end-to-end encryption across all the connected devices. This will not only eliminate the risk due to unencrypted data but also prevent data loss, data corruption and data interception in transit.

5.4 This vulnerability is due to staff intentionally introducing erroneous data into the database. It can be avoided by performing background checks on all employees, conducting security checks, and having thorough checks throughout the premises where the sensitive data is stored.

References

● National Vulnerability Database Website
  ○ https://nvd.nist.gov/
● Lucidchart
  ○ https://www.lucidchart.com/documents
● Common Vulnerability Scoring System
  ○ https://www.first.org/cvss/calculator/3.0
● Aggie Medical Center Case
  ○ https://tamu.blackboard.com/bbcswebdav/pid-5479845-dt-content-rid-43604608_1/courses/ISTM.635.1911.M1/Aggie%20Medical%20Center-ISTM635.pdf
● Risk Mitigation Strategies
  ○ https://www.infosecurity-magazine.com/news/cost-of-user-security-training/
  ○ https://www.thesslstore.com/blog/cyber-risk-assessment/
Glossary

• AMC - Aggie Medical Center
• TSPs - Tablets and Smartphones
• CVE - Common Vulnerabilities and Exposures
• PC - Personal Computer
• PMS - Personal Management System
• FRKS - Financial Record Keeping System
• ECDS - Emergency Care Data System
• MLS - Medical Logistics System
• UTP wires - Unshielded Twisted Pair wires
• BP - Business Process
• Switch - device for controlling the connection in an electric circuit
• Router - device that routes data from a LAN to the network connection
• Server - computer that provides data to other devices
• UTP - copper cabling used for wiring in LANs
• Buffer Overflow - coding mistake in a program's software that allows an attacker to gain access into your system
• Cross Site Scripting - allows attackers to inject client-side scripts into web pages
• Denial of Service Attack - occurs when users are unable to access devices and network resources due to the actions of a malicious party
• Encryption - translates data into a code so that only people with the access key can read the data
• Vulnerability - weakness that can be exploited by an attacker to perform unauthorized actions
• Exploit - software or code that takes advantage of a vulnerability to cause unintended behavior
• Threat - possible danger that can exploit a vulnerability to breach security
• Threat agent - the thing that is the origin of a threat
Team Work

Each team member worked equally in identifying all the assets in AMC. Assets were divided equally amongst members for scoring based on impact to business processes, financial impact, etc. After identifying five critical assets, each member was assigned one asset to work on. The tasks in the final report were divided equally among team members for content and consolidation.

Team Member                     Contribution
Akanksha Pathak                 20%
Balvaishwer Singh               20%
David Zuniga                    20%
Pratima Purohit                 20%
Tushara Chigicherla Kamalakar   20%