Risk Analysis Framework



An introduction to risk management and risk
One concept that has held fast over the last 40 to 50 years is risk management, and the notion of risk itself.  During this period the first technical papers, documentation, and conferences appeared that introduced the principal ideas and standards for how to properly assess and manage risk (Aven, n.d).
Those ideas continue to shape the field today; to a substantial degree they have been the foundation on which risk assessment and management practice has been built since around the 1980s.  Even so, the field has grown considerably since then.  New and more advanced analysis methods and frameworks have been developed, and risk analysis methods and techniques are now used in most sectors of society.  A good illustration of this breadth is the range of specialty groups within the Society for Risk Analysis, which includes, inter alia, Environmental Threat Assessment, Industrial and Substructure, Exposure Assessment, Risk Analysis, and Safety and Protection.  Recent developments have also been made on the key foundational issues of the field, and these matter all the more because they are generic and can affect a broad range of applications (Aven, n.d).
Risk work has two principal tasks: applying risk assessment and management to study and manage specific risk activities, and generic research on risk, which concerns the theory, concepts, principles, methods, and models used to assess, communicate, and manage risk (Aven & Zio, 2014).  Generic risk research supplies the concepts, assessment approaches, and management tools that are then used in the specific assessment and management problems.  At bottom, the study of risk is about gaining useful knowledge of the world (Aven, n.d).
Web Server Functions

In general terms, a Web Server is a program that uses the Hypertext Transfer Protocol (HTTP).  The protocol is used to serve the web pages that a user requests; once a page is requested, the server returns it to the requester over HTTP.  For a clear understanding of this process as described by the Microsoft Corporation (2018), below is a screenshot of a Web Server's functions and their descriptions.



Web Server Cyber Attacks
With the creation of the World Wide Web came exploitation, and this problem has become a never-ending, escalating, and critical issue.  For this reason there will always be a need for cybersecurity experts to combat Web Server cyber-attacks.  Numerous cyber-attacks on Web Servers occur hour by hour, minute by minute, and second by second, but for this blog we will focus on only five of them: Drive-By Downloads, Rogue Software, Password Attacks, Denial of Service, and Man in the Middle.
Drive-By Downloads
Drive-by downloads follow a very simple process and have become the accepted standard for distributing malware across the Internet at large.  Malware is attached to an otherwise valid website, and a program is downloaded to the user's computer simply by the user viewing the site.  This is done by executing a small concealed payload that is first downloaded to the user's computer and then reaches out to another location to fetch the rest of the program.  Keeping a system's files and software up to date helps protect against this (Sood & Zeadally, 2016).
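The hidden payload described above usually arrives through an element injected into an otherwise legitimate page, most often a zero-size or invisible iframe, or a script pulled from a host the site does not normally use. The scanner below is an added example, not code from the post or from Sood and Zeadally; it flags those two markers in a constructed sample page (the hostnames are documentation-reserved example names, and the "third-party" rule assumes the page's own hostname is known).

```python
# Added example (not from the post or the cited paper): a small scanner for
# the HTML markers commonly left by drive-by download injection, namely
# hidden or zero-size <iframe> elements and <script> tags loaded from a host
# other than the page's own. The sample page below is constructed for the demo.
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectionScanner(HTMLParser):
    """Collect suspicious <iframe> and <script> start tags while parsing."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # list of (finding type, src)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (
                a.get("width") in ("0", "1")
                or a.get("height") in ("0", "1")
                or "display:none" in style
                or "visibility:hidden" in style
            )
            if hidden:
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host and host.lower() != self.page_host:
                self.findings.append(("third-party-script", a["src"]))


def scan_html(html, page_host):
    """Return the list of findings for one HTML document served from page_host."""
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: one legitimate page with two injected iframes and one
# injected loader script (hosts are documentation-reserved example names).
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<script src="https://www.example.com/app.js"></script>
<iframe src="https://cdn.example.net/ad.html" width="300" height="250"></iframe>
<iframe src="http://bad.example.org/x.html" width="0" height="0"></iframe>
<iframe src="http://bad.example.org/y.php" style="visibility: hidden"></iframe>
<script src="http://bad.example.org/loader.js"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, src in scan_html(SAMPLE_PAGE, "www.example.com"):
        print(f"{kind:20s} {src}")
```

The third-party-script rule is a triage signal rather than a verdict: a site that legitimately loads scripts from a CDN will trigger it, so in practice the list of known-good hosts is maintained alongside the scanner and findings are reviewed, not blocked automatically.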
Rogue Software
Rogue software is an application that disguises itself as a needed or required security application, but only pretends to perform a required function.  In reality its goal is to get the user to purchase a product with supposedly enhanced security capabilities for a system that has allegedly been compromised.  Keeping the organization's firewall and other relevant files up to date is the best defense against this type of Web Server cybersecurity attack (Pickard & Miladinov, 2012).
Password Attacks
A password attack, also known as password cracking in a data transmission context, is basically an outside (or sometimes inside) individual, a third party, attempting to obtain another person's password without their knowledge.  Several methods are used in this type of attack: hybrid, rainbow table, dictionary, and brute force attacks are all used to obtain a victim's password.  Using a strong password is one way to help protect yourself against this type of attack; strong passwords may consist of symbols, numbers, and lower- and upper-case letters.  Another way to protect a password is to use a steganographic password, a process that conceals the letters within a cover medium (Pandya, Jhajj, & Pawar, 2017).
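Strong passwords address the guessing side of the attacks listed above; the other half of the defense is how the server stores them, since rainbow table and dictionary attacks target the stored hashes. The block below is an added example, not code from the post or from Pandya, Jhajj and Pawar: it implements the character-class policy the post describes (the 12-character minimum is an assumption added here) and stores passwords with a per-user random salt and an iterated PBKDF2 hash, which is what makes precomputed rainbow tables useless and each dictionary or brute-force guess expensive.

```python
# Added example (not from the post or the cited paper): the password-policy
# check the post describes, plus salted, iterated hashing for stored
# passwords. A per-user random salt defeats precomputed rainbow tables, and
# the PBKDF2 work factor makes every dictionary or brute-force guess costly.
import hashlib
import hmac
import os
import string

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster


def is_strong(password, min_len=12):
    """Policy from the post: symbols, digits, lower- and upper-case letters,
    plus a minimum length (the length floor is an assumption added here)."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= min_len and all(classes)


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh 16-byte random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected_digest):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected_digest)


if __name__ == "__main__":
    pw = "Tr0ub4dor&3x!"  # constructed sample value
    print("strong:", is_strong(pw))
    salt, digest = hash_password(pw)
    print("verify correct:", verify_password(pw, salt, digest))
    print("verify wrong:", verify_password("password123", salt, digest))
```

Because the salt is random, two users with the same password get different digests, so a single precomputed table cannot be reused across accounts; the iteration count is the knob that keeps per-guess cost high as hardware improves.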
Denial of Service
DoS (Denial of Service) attacks have risen to the top as one of the most serious network attacks.  They pose severe dangers to computer systems and to many networked services.  High volumes of data, or large numbers of connection requests, are sent from an attacker through the network until the system is overloaded and, in that state, can no longer function.  This type of attack disrupts the availability of the network and undermines privacy and reliability.  There are several ways to carry out a DoS attack, but most of the time it is done through a DDoS (Distributed Denial of Service).  Conducting regular updates to the network is the best line of defense against this type of attack, but it is no guarantee (Thakare & Kaur, 2017).
Man in The Middle
Man-in-the-Middle (MITM) attacks impersonate the endpoints of an online exchange, such as the connection between a cellphone and a website.  Data can be obtained from an end user and from anyone they are communicating with.  Wireless access points that do not use encryption are at risk of a MITM attack.  Various cybersecurity specialists hold that using HTTPS will help, but there have been several different kinds of MITM attacks on HTTPS and, consequently, on the SSL/TLS protocols.  One way to combat MITM attacks is to invest in a VPN (Virtual Private Network).  The job of HTTPS is to verify the identity of the server the user is connecting to, which belongs to a third-party organization, for example Calibrus, whereas a VPN lets you reach sites through a virtual private network (Stricot-Tarboton, Chaisiri, & Ko, 2016).
Explaining the Framework for Risk Assessment
Today's organizations face ever-evolving disruptions to their critical infrastructure because they lack a proper cybersecurity framework for it.  In 2013 President Obama issued Executive Order 13636 to improve cybersecurity for these specific infrastructures.  The framework combines the working principles of financial institutions to offer quantitative evaluations of cybersecurity.  It uses advanced methods to recommend levels of investment in cyber-infrastructure risk and protection for critical infrastructure owners and operators (Young, Lopez, Rice, Ramsey, & McTasney, 2016).
The framework's fundamental assumptions are as follows:
        §  Private and public sectors
        §  Academic organizations, both private and public
        §  Investment in cybersecurity measures

The following diagram represents a quantifiable cyber risk infrastructure.  Once risks are identified, significant models are put in place to identify the cyber risk and reduce it (Young, Lopez, Rice, Ramsey, & McTasney, 2016).


Model by ScienceDirect

The primary model incorporated in the framework centers on risk probability and consistency.  The next model integrated into the framework centers on the probability and consistency of risk reduction.  Implementing security controls, such as software, security staff, training, policies, and practices, helps to reduce risk (Young, Lopez, Rice, Ramsey, & McTasney, 2016).
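To make the two-model idea concrete (a risk model for likelihood and impact, and a reduction model for what controls buy), here is an added worked example. It is not the cited framework's own model: it uses the generic annualized-loss formula (expected annual loss = annual probability × impact per occurrence), lets each control remove a fraction of a threat's probability, and ranks the controls by loss avoided minus annual cost. All threat names, probabilities, impacts and costs are constructed for the demo.

```python
# Added example, not the cited framework's own model: a toy quantitative risk
# register using the generic annualized-loss formula (expected loss = annual
# probability x impact). Controls cut a threat's probability, and the script
# ranks controls by the loss they avoid minus what they cost. All numbers are
# constructed for the demo.
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    probability: float  # expected occurrences per year
    impact: float       # loss per occurrence (currency units)


@dataclass
class Control:
    name: str
    annual_cost: float
    reduction: dict     # threat name -> fraction of that threat's probability removed


def annual_loss(threat, controls=()):
    """Expected annual loss for one threat after the given controls.
    Independent controls combine multiplicatively: p * prod(1 - r_i)."""
    p = threat.probability
    for c in controls:
        p *= 1.0 - c.reduction.get(threat.name, 0.0)
    return p * threat.impact


def total_loss(threats, controls=()):
    """Expected annual loss summed over the whole register."""
    return sum(annual_loss(t, controls) for t in threats)


def rank_controls(threats, controls):
    """(name, net annual benefit) pairs, best first. A control's benefit is
    the loss it avoids on its own minus its annual cost."""
    base = total_loss(threats)
    scored = [(c.name, base - total_loss(threats, [c]) - c.annual_cost) for c in controls]
    return sorted(scored, key=lambda s: s[1], reverse=True)


# Constructed sample register (threat names echo the attacks covered in this post).
THREATS = [
    Threat("ddos", probability=2.0, impact=50_000),
    Threat("drive-by", probability=1.0, impact=40_000),
    Threat("password-compromise", probability=0.5, impact=100_000),
]
CONTROLS = [
    Control("rate-limiting/WAF", annual_cost=20_000, reduction={"ddos": 0.8}),
    Control("patch management", annual_cost=10_000, reduction={"drive-by": 0.7}),
    Control("multi-factor auth", annual_cost=15_000, reduction={"password-compromise": 0.9}),
]

if __name__ == "__main__":
    print(f"baseline expected annual loss: {total_loss(THREATS):,.0f}")
    print(f"with all controls:             {total_loss(THREATS, CONTROLS):,.0f}")
    for name, net in rank_controls(THREATS, CONTROLS):
        print(f"{name:20s} net benefit {net:>10,.0f}")
```

The multiplicative combination assumes controls act independently; when two controls overlap (for example two different ways of blocking the same traffic), the real residual probability is higher than the product suggests, so the estimate is optimistic in that case and the register should record which controls overlap.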
Risk Assessment Addressing Attacks On Web Server
The growth of web technology has made life simpler with respect to communication.  Even so, attacks on the network have turned that simple communication into chaos through deliberate attacks such as DDoS (Distributed Denial of Service) and DoS (Denial of Service).  In spite of all the research and numerous scientific efforts, a solution to these and various other HTTP attacks has still not emerged (Saleh & Abdul Manaf, 2015).
Turning to bandwidth, which should not be forgotten even though it is not a factor in these attacks: private home DSL connections obtain this kind of service from their ISP.  Safeguarding against these attacks only requires binding delays to the firewall.  The request to the Web Server is not completed until the HTTP connection is no longer held open, and the Web Server will not suspect any illegal behavior because all connections will be completed.  Flooding attacks can be carried out at various layers of the ISO/OSI model, but the most common are at layers 3 and 4.  DDoS attacks aimed at layer 7 are more complex and are effective when particular vulnerabilities exist on the website.  Risk assessments focused on specific frameworks can be quite essential at this stage (Saleh & Abdul Manaf, 2015).
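For the request floods described in the Denial of Service section and in the layer 3/4 versus layer 7 discussion above, the most basic server-side detection is a per-source request rate over a sliding window. The script below is an added example, not code from the post or from Saleh and Abdul Manaf: it parses constructed access log lines in the common Apache/Nginx format (the window size and threshold are assumptions chosen for the demo) and reports each source the first time it exceeds the threshold. It sees volumetric, request-level floods only; the slow, held-open connections discussed above never reach the access log until they complete, so they need connection-level monitoring instead.

```python
# Added example (not from the post or the cited paper): a sliding-window
# request-rate detector run over constructed Apache/Nginx "combined"-style
# access log lines. It catches volumetric floods at the request (layer 7)
# level; it does not see slow, held-open connections, which never reach the
# access log until they complete.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "req": m["req"],
        "status": int(m["status"]),
    }


def detect_floods(lines, window_seconds=10, threshold=20):
    """Flag each source IP the first time it exceeds `threshold` requests
    inside any `window_seconds` sliding window. Returns {ip: first flagged time}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # skip malformed lines rather than crash
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()             # drop entries that fell out of the window
        if len(q) > threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


def _sample_log():
    """Constructed sample: one browsing client, one source sending 10 req/s."""
    base = datetime(2018, 3, 10, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(5):  # normal client: one page every 10 s
        t = base + timedelta(seconds=10 * i)
        lines.append(f'198.51.100.7 - - [{t.strftime(TS_FMT)}] "GET /index.html HTTP/1.1" 200 512')
    for i in range(30):  # flood source: 30 requests across 3 s
        t = base + timedelta(seconds=i // 10)
        lines.append(f'203.0.113.9 - - [{t.strftime(TS_FMT)}] "GET /search?q={i} HTTP/1.1" 200 2048')
    lines.append("this line is not an access log entry")
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for ip, when in detect_floods(SAMPLE_LOG).items():
        print(f"{ip} exceeded the rate threshold at {when.isoformat()}")
```

A real deployment keys the window on the client address as seen behind any load balancer (the forwarded-for header, not the proxy's own address), and a distributed flood spreads requests across many sources so that no single one trips a per-IP threshold; an aggregate request rate per URL path is the usual companion signal.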
Recommended Mitigation of Web Server Assaults and Framework Dependency
There are places where wireless network security is the only choice because a wired connection may not be feasible, but these connections are more susceptible to vulnerabilities.  This includes colleges and universities, because of a lack of proper security measures.  To help mitigate these vulnerabilities it would be wise to conduct a risk assessment and carry out a penetration test to assess the cause indicated by the system.  Security threats exist in various Wi-Fi systems, and common network threats include packet capturing, evil twin, and hidden SSID attacks (A, Mohan, & M, 2017).
Implementations of these weaknesses have been published by various hackers across the Internet and in well-known publications, such as that of Robyns et al., who provided instructions for bypassing Apple iOS certificate and authenticity validation.  Validating user certificates, using a WIDS, and binding cryptography are just a few of the recommended mitigation strategies for Web Server attacks, not to mention standard audits such as PCI DSS, NIST SP 800-48, and ISO 27001.  Splitting the network into sub-networks, which are simply smaller portions of the network, helps secure it, as suggested by ISO 27001 control A.13.1.3 (A, Mohan, & M, 2017).
  
References

A, A. D., Mohan, A. K., & M, S. (2017). Wireless Security Auditing: Attack Vectors and Mitigation Strategies. Procedia Computer Science, 115 (7th International Conference on Advances in Computing & Communications, ICACC-2017, 22-24 August 2017, Cochin, India), 674-682. doi:10.1016/j.procs.2017.09.153
Aven, T. (n.d). Risk assessment and risk management: Review of recent advances on their foundation. European Journal of Operational Research, 253(1), 1-13.
Aven, T., & Zio, E. (2014). Foundational Issues in Risk Assessment and Risk Management. Risk Analysis: An International Journal, 34(7), 1164-1172. doi:10.1111/risa.12132
Microsoft Corporation. (2018). Web Server Functions (Windows CE 5.0). Retrieved from https://msdn.microsoft.com/en-us/library/aa450256.aspx
Pandya, I., Jhajj, S., & Pawar, R. (2017). A stenographic approach to mitigate password attacks. 2017 International Conference on Advances in Computing, Communications and Informatics (ICACCI), 248. doi:10.1109/ICACCI.2017.8125848
Pickard, C., & Miladinov, S. (2012). Rogue software: Protection against potentially unwanted applications. 2012 7th International Conference on Malicious and Unwanted Software (MALWARE), 1. doi:10.1109/MALWARE.2012.6461001
Robyns, P., et al. (2014). Short Paper: Exploiting WPA2-Enterprise Vendor Implementation Weaknesses through Challenge Response Oracles. ACM Conference on Security and Privacy in Wireless & Mobile Networks 2014, 189–194. Retrieved from https://ac-els-cdn-com.proxy1.ncu.edu/S1877050917319853/1-s2.0-S1877050917319853-main.pdf?_tid=26e61cc4-e991-4fba-967b-fcb71608f0ae&acdnat=1520660325_22cf7b590bad009dc164ceee40483ff4
Saleh, M. A., & Abdul Manaf, A. (2015). A Novel Protective Framework for Defeating HTTP-Based Denial of Service and Distributed Denial of Service Attacks. The Scientific World Journal, 2015, 238230. doi:10.1155/2015/238230
Sood, A. K., & Zeadally, S. (2016). Drive-By Download Attacks: A Comparative Study. IT Professional, (5), 18. doi:10.1109/MITP.2016.85
Stricot-Tarboton, S., Chaisiri, S., & Ko, R. K. L. (2016). Taxonomy of Man-in-the-Middle Attacks on HTTPS. 2016 IEEE Trustcom/BigDataSE/ISPA, 527–534. doi:10.1109/TrustCom.2016.0106
Thakare, S. S., & Kaur, P. (2017). Denial-of-service attack detection system. 2017 1st International Conference on Intelligent Systems and Information Management (ICISIM), 281. doi:10.1109/ICISIM.2017.8122186
Young, D., Lopez, J. J., Rice, M., Ramsey, B., & McTasney, R. (2016). A framework for incorporating insurance in critical infrastructure cyber risk strategies. International Journal of Critical Infrastructure Protection, 14, 43-57. doi:10.1016/j.ijcip.2016.04.001