Results and analysis
Results – Vulnerabilities
The results documented in this paper concern dynamic risk assessment and the manner in which this mechanism improves performance by reducing the cyber incidents that cloud service providers face. The proposed mechanism required vulnerabilities to be gathered and the RSS Feed Reader to be utilized. In this case, a number of websites were used to collect information on vulnerabilities, including OWASP, CVE Details and the NCSC (National Cyber Security Centre).
Malicious insiders
A major vulnerability identified from the information collected on software used in risk management for cloud computing was malicious insiders. Since dynamic risk assessment is linked with decision making, cloud providers need to set up security measures that will protect systems from malicious insiders. Although OWASP does not categorize this threat as a top 3 vulnerability, it still raises concerns among users or customers if data theft or an attack by malicious insiders occurs. To avoid loss of trust from users and to raise confidence in the reliability and safety of a risk management system, cloud providers need to understand that circumstances change rapidly in a digital environment, hence the need for continuous identification of possible threats and development of measures to mitigate those risks. The information provided by OWASP regarding vulnerabilities identified in risk management software reflects low consideration for measures to mitigate attacks by malicious insiders. The website clearly explains the nature of a malicious insider and the threat that they pose to a cloud provider as well as to the user or customer. A malicious insider is considered to be an employee of a cloud service provider who misuses the position they hold to acquire information on users with sinister motives. The employee may, for instance, be disgruntled and seek to get back at the cloud provider for one or more reasons. Alternatively, the employee may be a ‘criminal’ who seeks to use users’ information for personal gain (OWASP, 2013). The vulnerability identified is that visibility into the standards cloud providers apply when hiring is low, so consumers have limited avenues to assess the cloud provider’s commitment to hiring only employees who share the firm’s values.
In this regard, the potential for an ‘adversary’, an individual with sinister intentions, to apply for and obtain employment with a cloud provider is increased. Further, the situation is exacerbated by the low transparency regarding the processes and procedures that the cloud provider follows. Adversaries such as amateur hackers or even criminals in organizations can therefore become employees of a cloud provider and gain access to confidential consumer information; in extreme cases, they may be able to completely control the services of the cloud provider without being detected. Software that focuses on identifying the risk of malicious insiders often employs a few measures aimed at reducing the risk of an attack by malicious insiders (OWASP, 2013). However, the vulnerability persists because constantly changing circumstances enable employees of a cloud provider to access confidential consumer information. Consequently, more effort may be needed in dynamic risk assessment, whereby consumers are informed in real time of the changes they need to make to their security protocols to reduce the possible occurrence of a malicious insider attack. For instance, once the software identifies a new risk that is associated with changing circumstances and that increases the likelihood of a consumer becoming a victim of a malicious insider attack, an alert can be sent to consumers to inform them accordingly. The software can, for example, inform the consumer that they need to keep their encryption key with themselves as opposed to storing it in the cloud. In 2013, though, malicious insiders represented a major risk in cloud computing because their threat increased in rank to third. The security assessment approaches utilized by OWASP (2013) are wide ranging and include security threat assessment and security architecture review.
Data loss
Another vulnerability is data loss, whereby information on consumers may be lost if the storage media becomes damaged or the hard drive is destroyed and a backup was not created. The severity of this threat is exhibited by its movement from number 5 (based on the CSA rankings in 2013) to number 2 in 2017. The development is associated with an increasing number of data loss cases among cloud providers. A poll by Symantec in 2017 illustrated that of the 3200 firms that were surveyed, 43 percent experienced loss of data in the cloud. Of these firms, a large number did not have a backup of their data, hence they incurred significant losses as well as loss of trust from their customers. The companies that had backups benefited and exhibited their adherence to ensuring security for their customers. Vulnerability assessment represents an essential step in managing risk, especially for cloud providers, because it involves examination of weaknesses that may be contained in the system and that may expose the consumers, the cloud providers, or both parties to negative outcomes. Data loss is one such weakness and represents a threat in dynamic risk assessment in cloud computing because when data is accidentally deleted or an attacker intentionally removes consumer information, both the consumer and the cloud provider are exposed to significant inconvenience. This particularly affects the two parties if there was no backup plan in place. In this regard, NCSC explains that dynamic risk assessment should incorporate real-time evaluation of threats in order to identify potential threats early enough and enhance development of measures that will reduce potential attacks or deletion of information in the cloud. Most software, though, recognizes the need to create backup systems, given that past evaluation has illustrated the threat posed by data loss.
Information gathered from CVE Details shows that threats exist despite the use of software to mitigate risks among cloud providers. However, changing trends and continuous improvement have facilitated the ability of cloud providers to identify software that offers effective risk management approaches. CVE Details represents an appropriate means by which users as well as cloud providers can determine the vulnerabilities that software poses. While cloud providers and software providers rarely inform consumers of the vulnerabilities that particular risk management software poses, CVE Details represents an unbiased and reliable tool that clearly outlines the vulnerabilities it has identified. A good example is List Site Pro 2.0, which is focused on identification of vulnerability types as well as creating security for digital systems but, according to CVE Details, possesses a vulnerability that facilitates account hijacking by remote hackers who insert a ‘|’ (pipe) and gain access to the accounts of users (CVE Details, 2017).
Account Hijacking
Losing a username or a password, among other vulnerabilities like software exploitation and phishing, causes control over an account to be lost. The account becomes breached in that the hacker can easily access the account of the user and can eavesdrop on transactions, in addition to other risks like the potential to spread false information, fabricate information and damage the business’ response to consumers. In this regard, account hijacking represents a serious threat that some software is yet to overcome, given that its features make it possible for hijackers to bypass security systems and gain access to users’ accounts. The resultant outcome is loss of integrity as well as loss of trust among consumers regarding the ability of the cloud provider to keep their information confidential. Consequently, when a cloud provider is adopting software that is aimed at risk management, they should ensure that this system does not possess vulnerabilities that will allow unauthorized individuals to access customer information. Babcock (2017) also indicates that account hijacking may result in cloud services becoming unavailable to customers since the hacker gains control of services that the cloud provider is in charge of.
Insecure APIs
The appropriateness of dynamic risk assessment is evidenced by the effectiveness of the approach in identifying potential threats well before they materialize into attacks or negative outcomes. Basically, API security involves improvement in authentication as well as potential encryption of information technology services. Consider the discussion provided by OWASP (2016), which indicates that few APIs undergo rigorous testing aimed at securing systems from potential attacks. Many cloud providers who seek to adopt or recommend sensitive APIs fail to consider that numerous APIs contain vulnerabilities because they have not undergone rigorous testing aimed at making the systems more secure against attacks. OWASP (2016) therefore sees an opportunity in underscoring the risks that potentially exist in various software (linked with dynamic risk assessment) in order to offer software developers information that will enable them to reduce the risks that their software poses to users and cloud providers, among other stakeholders. As was noted from the information collected on security assessment techniques, there are numerous ways through which security in a technological system can be evaluated. One such approach is the security cheat sheet, which involves creation as well as evaluation of projects that seek to make APIs more sensitive regarding security (OWASP, 2016). The process followed is to underscore highly common risks in this field and to create a document portal that developers can use to create APIs that are more secure. Consequently, the value of dynamic risk assessment is exhibited because the need to continuously monitor changing circumstances and respond appropriately to them is emphasized. Further, the prioritization of risk management (through use of technology) as a means by which cloud providers can overcome threats is exhibited.
Similar to other risk management approaches, API security involves identification and possible mitigation of risks in information technology through interventions like authentication, federation, authorization and encryption. Since cyber security threats pose a significant risk to digital firms like cloud providers, it is essential to provide security to users and, in turn, improve users’ trust in cloud services. However, the software applied to facilitate encryption and other security measures like authentication and authorization may contain limitations that pose risks to the cloud provider. In this regard, one needs to understand that software available for risk management may not necessarily be secure. The inference is not that dynamic risk assessment should be avoided but that cloud providers and customers or users should exercise caution before they select software that is linked with risk management.
Denial of Service
The information collected from NCSC illustrates that denial of service is a significant threat for cloud providers. Denial of service (DoS) refers to an attack that causes a website to stop functioning or the services on the website to stop running (NCSC, 2015). Appropriate risk management software is expected to identify areas where the risk of a DoS attack is high and recommend ways to introduce additional security measures in order to mitigate this risk. However, NCSC identifies that some risk management software may fail to identify the risk of DoS attacks because the vulnerabilities it addresses do not cover DoS attacks. Denial of service involves preventing legitimate service users from getting access to the service. Rarely does one individual acting alone generate enough traffic to exceed a service’s connection bandwidth or its connection processing capability. DoS attacks are more lethal if the attack is distributed across numerous computers, harnessing the combined bandwidth as well as processing power of the team of attackers so that the victim’s capacity is exceeded. The computers which are utilized in attacking a target usually constitute botnet members and are referred to as ‘zombies’. A botnet refers to several computers that run malware and are often controlled by a third party. The term zombie is applied because the user of the computer being used to propagate the attack is often unaware that they are participating in the attack (NCSC, 2015). Due to malware infection, a third party has the ability to control the computers silently, hence the attacker’s identity remains hidden. In some cases, though, the computers being used to propagate the attack may be offered willingly by malicious users to be a part of a botnet.
Dynamic risk assessment represents an appropriate means by which DoS attacks can be mitigated because traditional risk management does not accommodate real-time and continuous efforts to identify various threats and instead focuses on one particular threat at a time. Such an approach to identification and mitigation of risk would not be effective in the case of a DoS attack because the approaches used to propagate attacks vary, and different strategies therefore need to be implemented for each method in order to mitigate the risk of the attack. As an example, SYN flood is a method that involves sending numerous SYN requests repeatedly, resulting in the device holding open more and more connections until it is no longer able to respond to requests (NCSC, 2015). SYN refers to the initial message in a TCP handshake when communication between two devices starts. When the device becomes exhausted and can no longer respond to requests, connections time out and are dropped. The strategy in this attack method therefore depends on the attacker making requests faster than they can be dropped. In mitigating this DoS attack, there are network devices that can manage the possibility of a SYN flood attack by developing a blacklist of users who make repeated SYN requests yet do not complete the entire TCP handshake (NCSC, 2015). While this measure will protect the service from being attacked, the bandwidth remains vulnerable to exhaustion.
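The blacklist mitigation described above can be sketched as follows. This is an added example, not code from the study or from NCSC; the event format, thresholds and addresses are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque


def find_syn_flood_sources(events, handshake_timeout_ms=3000,
                           window_ms=10000, threshold=5):
    """Return {source_ip: time_ms at which the source was blacklisted}.

    events: iterable of (time_ms, source_ip, kind) where kind is "SYN"
    (handshake opened) or "ACK" (final handshake step completed).
    A source is blacklisted once `threshold` of its SYNs inside the
    sliding window were never completed within the handshake timeout.
    All parameter values are assumptions chosen for the example.
    """
    pending = defaultdict(deque)    # src -> send times of half-open SYNs
    abandoned = defaultdict(deque)  # src -> send times of SYNs that timed out
    blacklist = {}

    def expire(src, now):
        # Move half-open connections that exceeded the timeout to "abandoned".
        while pending[src] and now - pending[src][0] > handshake_timeout_ms:
            abandoned[src].append(pending[src].popleft())
        # Forget abandoned handshakes that fell out of the sliding window.
        while abandoned[src] and now - abandoned[src][0] > window_ms:
            abandoned[src].popleft()
        if len(abandoned[src]) >= threshold:
            blacklist.setdefault(src, now)

    end = 0
    for now, src, kind in sorted(events):
        end = now
        if src in blacklist:
            continue  # the device already drops this source
        expire(src, now)
        if src in blacklist:
            continue
        if kind == "SYN":
            pending[src].append(now)
        elif kind == "ACK" and pending[src]:
            pending[src].popleft()  # handshake completed normally

    # Final sweep so sources that went silent are still evaluated.
    for src in list(pending):
        if src not in blacklist:
            expire(src, end)
    return blacklist


def constructed_events():
    """Constructed sample: one flooding source and three ordinary clients.
    Addresses come from the RFC 5737 documentation ranges."""
    events = [(t, "198.51.100.7", "SYN") for t in range(0, 5001, 200)]
    events += [
        (100, "192.0.2.10", "SYN"), (150, "192.0.2.10", "ACK"),
        (2000, "192.0.2.10", "SYN"), (2050, "192.0.2.10", "ACK"),
        (500, "192.0.2.11", "SYN"), (600, "192.0.2.11", "ACK"),
        (1000, "192.0.2.12", "SYN"),  # a single lost handshake, not a flood
    ]
    return events


if __name__ == "__main__":
    print(find_syn_flood_sources(constructed_events()))
```

Dropping the blacklisted source protects the connection table only; the SYN packets still arrive on the link, which is the bandwidth exposure the paragraph above points out.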
Another example of the vulnerabilities that exist when relying on software to identify the risk of a DoS attack is that no software has the capability to identify all types of cyber security threats. In most cases, software developed to identify security risks and manage them is programmed to specifically identify one or several types of threats. For instance, in mitigating low-rate DoS attacks, there are algorithms whose design enables them to identify a low-rate attack. A low-rate attack is a type of DoS attack that relies entirely on the safeguards that have been built into TCP (NCSC, 2015). A burst of traffic is sent by the attacker to the server, and the traffic is expected to last approximately the same time taken by data that is sent to the server to cover a round trip. Consequently, a majority of the TCP flows that are active enter backoff. The attacker pauses until the backoff time is exhausted and retransmits an entire bandwidth burst. In this regard, the attacker can successfully propagate a DoS attack without necessarily sending much data. However, as is discussed by NCSC (2015), the measures used to mitigate the risk of this DoS attack type involve use of an algorithm that is specially designed to identify the threat. The vulnerability identified in software is that the threat of another attack would require another software.
Perhaps a DoS attack that is common, and that both customers and cloud providers have heard mentioned at one time, is the peer-to-peer attack. This type of attack targets users of a file sharing network since such a network can be utilized in creating a DoS condition. The attack is performed by including the IP address of the target as a location where popular files can be downloaded. In order to mitigate this risk, software that identifies connection requests that are normally not made on the service would be helpful as it would recommend that such connection requests be dropped (NCSC, 2015).
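A detector for the low-rate pattern described above (short, regularly spaced bursts with a low average load) might look like the following. This is an added example, not the algorithm NCSC refers to; the binning, thresholds and traffic traces are constructed assumptions.

```python
def detect_low_rate_pattern(bins, bin_ms, capacity, burst_frac=0.9,
                            max_burst_ms=300, jitter_ms=100,
                            min_bursts=4, max_avg_frac=0.3):
    """Look for short, evenly spaced link-saturating bursts.

    bins: traffic volume per fixed time bin (same unit as `capacity`,
    the volume the link can carry in one bin). Returns a summary dict
    when the trace matches the low-rate pattern, otherwise None.
    Every threshold here is an assumption made for the example.
    """
    # 1. Group consecutive saturated bins into bursts: (start_bin, length).
    bursts, start = [], None
    for i, volume in enumerate(list(bins) + [0]):
        hot = volume >= burst_frac * capacity
        if hot and start is None:
            start = i
        elif not hot and start is not None:
            bursts.append((start, i - start))
            start = None

    # 2. A sustained flood is one long burst, not a low-rate attack.
    if len(bursts) < min_bursts:
        return None
    if any(length * bin_ms > max_burst_ms for _, length in bursts):
        return None

    # 3. The attacker waits out the backoff timer, so bursts recur at a
    #    near-constant period; ordinary bursty traffic does not.
    gaps = [(b[0] - a[0]) * bin_ms for a, b in zip(bursts, bursts[1:])]
    if max(gaps) - min(gaps) > jitter_ms:
        return None

    # 4. Average load stays low, which is why volume alarms miss it.
    avg_load = sum(bins) / len(bins) / capacity
    if avg_load > max_avg_frac:
        return None
    return {"bursts": len(bursts),
            "period_ms": sum(gaps) / len(gaps),
            "avg_load": avg_load}


def constructed_low_rate_trace():
    """Constructed trace: 6 s of 100 ms bins, light background traffic,
    and a 200 ms saturating burst once per second."""
    bins = [50] * 60
    for start in range(5, 60, 10):
        bins[start] = bins[start + 1] = 1000
    return bins


def constructed_benign_trace():
    """Constructed trace: isolated spikes at irregular intervals."""
    bins = [50] * 60
    for i in (3, 9, 30, 34, 58):
        bins[i] = 1000
    return bins


if __name__ == "__main__":
    print(detect_low_rate_pattern(constructed_low_rate_trace(), 100, 1000))
    print(detect_low_rate_pattern(constructed_benign_trace(), 100, 1000))
```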
Vulnerabilities identified through RSS Feed Reader
The above vulnerabilities were also identified from the RSS Feed Reader. Since installation of this tool by the researcher involved linking it with websites like OWASP and NCSC, the notifications that the researcher received contained information collected from the websites in the first step, gathering vulnerabilities. New vulnerabilities that the RSS Feed Reader sent to the researcher by email built on the basic vulnerabilities that were initially gathered. For instance, malicious insiders were identified as a threat, and the RSS Feed Reader notified the researcher that information leak is a vulnerability that is contained in IBM. Information leaks can occur due to malicious insiders who have access to clients’ information and can leak it in order to satisfy individual interests.
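The gathering step described above, sorting feed notifications into the chapter's five vulnerability categories and recording any CVE identifiers they mention, can be sketched as below. This is an added example, not the RSS Feed Reader used in the study; the keyword patterns, the feed content, the product names and the CVE identifiers are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Keyword patterns per category are assumptions; "information leak" is
# grouped under malicious insiders because the chapter links the two.
CATEGORY_PATTERNS = {
    "Malicious insiders": r"\binsider|\binformation leak",
    "Data loss": r"\bdata loss\b|\bbackups?\b",
    "Account hijacking": r"\bhijack|\bphishing\b|\bcredentials?\b",
    "Insecure APIs": r"\bapis?\b",
    "Denial of service": r"\bdenial[- ]of[- ]service\b|\bdos\b|\bsyn flood",
}
CATEGORY_PATTERNS = {name: re.compile(pattern, re.IGNORECASE)
                     for name, pattern in CATEGORY_PATTERNS.items()}
CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed RSS 2.0 feed; CVE-0000-000x are placeholders, not real IDs.
CONSTRUCTED_FEED = """<rss version="2.0"><channel>
<title>Constructed advisory feed</title>
<item><title>CVE-0000-0001: Information leak in ExampleCloud console</title>
<description>Staff accounts can read tenant records.</description>
<link>https://feeds.example/1</link></item>
<item><title>Unauthenticated API endpoint in ExampleStore</title>
<description>CVE-0000-0002 and CVE-0000-0003 affect the REST API.</description>
<link>https://feeds.example/2</link></item>
<item><title>SYN flood guidance updated</title>
<description>Denial of service advice for hosted services.</description>
<link>https://feeds.example/3</link></item>
<item><title>Conference schedule published</title>
<description>Agenda and venue.</description>
<link>https://feeds.example/4</link></item>
</channel></rss>"""


def triage_feed(xml_text, seen):
    """Return one alert per new feed item that matches a category.

    seen: set of item keys already processed; it is updated in place so
    repeated polls of the same feed do not raise duplicate alerts.
    """
    # Feeds are untrusted input: refuse DTDs so entity-expansion payloads
    # never reach the parser (defusedxml is the usual choice for live feeds).
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("feed declares a DOCTYPE; refusing to parse")
    alerts = []
    for item in ET.fromstring(xml_text).iter("item"):
        title = item.findtext("title", default="").strip()
        link = item.findtext("link", default="").strip()
        key = link or title
        if key in seen:
            continue
        seen.add(key)
        text = title + " " + item.findtext("description", default="")
        categories = [name for name, pattern in CATEGORY_PATTERNS.items()
                      if pattern.search(text)]
        if not categories:
            continue  # not related to the vulnerabilities being tracked
        alerts.append({
            "title": title,
            "link": link,
            "categories": categories,
            # An empty list marks an alert that still lacks a vulnerability ID.
            "cve_ids": sorted(set(CVE_ID.findall(text))),
        })
    return alerts


if __name__ == "__main__":
    for alert in triage_feed(CONSTRUCTED_FEED, set()):
        print(alert["categories"], alert["cve_ids"], alert["title"])
```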
Analysis
The appropriateness of dynamic risk assessment in mitigating cyber security threats
Based on the results generated by gathering vulnerabilities from relevant websites such as OWASP and NCSC, the value of dynamic risk assessment over traditional risk management is evidenced. Traditional risk assessment is time intensive and often the assessment of risk is done on paper. Given advancements in technology, dynamic risk assessment presents a preferable and more efficient means of assessing risk, especially because there is software available for this purpose. While results from OWASP show that the software available contains some vulnerabilities, it represents the best alternative to traditional risk management given the dynamic and highly complex nature of cloud computing. Additionally, dynamic risk assessment has been shown to provide real-time response to risk assessment and development of measures to mitigate identified risks. Consider the case of malicious insiders, identified as a significant threat by OWASP. While there are vulnerabilities in software that assesses this threat (such as low transparency in the hiring process of cloud providers), the software can identify an employee who does not share the cloud provider’s values or has in the past accessed unauthorized information and provide an alert to both the cloud provider and the customers (who have access to this software) to change their security protocols in light of the new developments. Such an intervention occurs in real time, hence reflecting the value of dynamic risk assessment when compared to the traditional approach to risk assessment.
The findings also exhibit the need for risk assessment to accommodate more than one software, given that some threats are only identified by a particular software. There is presently no software that has the capability to identify all types of cyber security threats, and often a software is programmed to identify and facilitate mitigation of one or several security threats. DoS attacks have been discussed in the ‘results’ section and it was illustrated that different DoS attack methods exist. One such method is the low-rate attack, whereby an attacker sends a burst of traffic to the server that lasts the same time as a round trip of data sent to the server would take. As a result of this action, a majority of the TCP flows that are active enter backoff. The attacker pauses until the backoff time is exhausted and then retransmits the entire bandwidth burst. The measure recommended to mitigate this risk is use of an algorithm that is specially designed to identify the threat. This is just one method that applies in DoS attacks. There are more than 4 ways through which a DoS attack is performed. Further, there exist numerous threat types in cyber security that apply to cloud computing. A dynamic process that accommodates various software to identify risks is hence necessary for cloud providers because the numerous threats that exist need to be evaluated based on software that is designed to identify them.
The vulnerabilities that were identified from the selected websites were then processed in the Automated Response Software. The software was downloaded by the researcher online from Optimal. The software engages in identification, assessment, monitoring and mitigation of risk. Upon processing the vulnerabilities that were gathered, a number of outcomes with regard to risk assessment were exhibited. In general, the software was determined to be an effective tool in dynamic risk assessment, especially given its email notification features that enhance real-time reporting and response to identified threats. With regard to the vulnerability of low visibility among cloud providers about their hiring practices and operational procedures, the software explored the risks posed by this vulnerability and identified 5 key threats that this vulnerability poses. One of the threats is loss of trust from customers because they may determine that their information is not safe on the cloud since they are not sure which processes were followed in hiring employees. A second threat is the risk of more than just a malicious attack, since insiders who have sinister motives can engage in other cyber security threats like abuse of cloud services and shared technology issues. The third threat is that the firm’s services may be controlled without the cloud provider being aware, hence creating a significant operational, ethical and business challenge. Having control over the cloud’s services for an extended period without being detected means that the operations of the cloud provider during the time that the services were under the control of an employee would be questioned. Further, the cloud provider may even be subject to legal action by clients as well as other stakeholders.
The Automated Response Software was effective in developing the above risk scenarios as they provide the cloud provider with adequate information to resolve the threats identified in each of the risk scenarios.
Regarding the information processed on malicious insiders, the software was able to create a clear framework of the threats that cloud providers experience if they have an employee who has malicious intent. The software could be customized to provide risk assessment on cyber security threats that apply only to cloud service providers. In this way, the software was context specific and highly effective in saving time that would otherwise be used in sorting through the risks that do not apply to cloud providers. The recommendations made regarding the threat of malicious insiders closely reflect those provided by OWASP. Among the recommendations made were for cloud providers to be more transparent about their hiring processes and operational procedures in order to build trust in their clients regarding the integrity, professionalism and ethical superiority of their employees. In addition, the software provided some scenarios in which employee recruitment and selection by cloud providers can identify candidates whose values are not aligned with those of the company.
The other vulnerability that was assessed by the software was account hijacking, whereby the software identifies loopholes in cloud software that could be exploited in order for an attacker to take control of an account. The threat that exists is that the client’s account may be compromised if they lose their username or password. By gaining access to a user’s account, the hacker is able to listen in on or view the client’s transactions without the client’s knowledge and utilize the client’s information for a number of suspicious, damaging and criminal actions. The notification provided by the Automated Response Software upon assessing the vulnerability that exists in cloud software and that exposes cloud services to the threat of account hijacking highlighted the need for cloud providers to adopt software that has been tested and re-tested to ensure that it does not possess vulnerabilities that can be exploited. The essential element that was determined is that adoption of software that is vulnerable to hacking exposes the cloud provider to potential account hijacking. The responsibility is hence on the cloud provider to develop a system that uses high quality software that acknowledges and has safeguards against potential hacking by either insiders or other hackers.
Statistical analysis
The findings collected from the Automated Response Software that are associated with vulnerabilities collected from the relevant websites were further analyzed based on identification of patterns through frequency distribution and consideration of general demographics. The vulnerabilities and the outcomes documented from the Automated Response Software were summarized in a score-card, hence providing numerical information that can be evaluated by determining the aggregate score (from the score-card) and inputting variables and their data in a frequency table. A chi-square test was then conducted, as can be seen in the tables and findings documented in the Appendix. In conducting statistical analysis, the experimental variable was classified as the independent variable and, in this case, the experimental variable was represented by cloud characteristics, namely broad network access, shared resources, self-service, elasticity and measured services. The variables were evaluated with the objective of identifying whether they influence privacy assessment questions. The Chi-Square test and Spearman’s correlation that were performed appropriately assessed the effectiveness of dynamic risk assessment in identifying and mitigating cyber security threats. The appropriateness of a Chi-square test in this study is that it is easy to calculate as well as interpret. There is a need to test the association between the variables in this study and Chi-square supports this function. Further, a chi-square test illustrates variations that may exist between the values that were identified and those that were expected. Having developed hypotheses regarding the value of dynamic risk assessment over traditional risk assessment and the influence of dynamic risk assessment in mitigating cyber security threats among cloud providers, the data generated from the study process facilitated confirmation of the validity of the hypotheses.
Rejection of the null hypothesis was based on the decision rule, and in determining the validity of the alternative hypothesis, the relation between the test statistic and its probability was examined.
In the first section of analysis, a logical approach to evaluating the results from the vulnerabilities gathered was conducted. Unlike statistical analysis, evaluation of the results by using theoretical information from previous research enhances comparison of the relationship between study variables. Further, the researcher was able to explore the topic of vulnerabilities that exist in cloud computing and the appropriate approaches to mitigating these vulnerabilities. A case study approach that utilized the Automated Response Software was effective in providing a real-life context for dynamic risk assessment. The inference made is that in a business environment where advancements in technology, dynamism and competition are prevalent, new approaches to risk management are needed. Considering the threat that clients on the cloud face due to cyber security threats, it is essential to equally employ an automated system to anticipate and respond to risks. The traditional approach to risk assessment has limitations, especially because it is time intensive and involves paper-based evaluation. Dynamic risk assessment is shown to be speedy, and response is provided in real time. In this regard, cloud providers and clients get to identify risks early enough and respond hastily to prevent possible occurrence of the identified threats. The case of the Automated Response Software illustrated that numerous risks exist in cloud computing and that reliance on traditional approaches to risk assessment greatly disadvantages cloud providers. Rather than prioritizing one risk at a time, automated risk assessment covers a wide range of risks that are associated with cyber security threats, hence enabling cloud providers to put in place adequate safeguards against identified risks. Prioritization of one risk at a time exposes cloud providers to the risk of an alternative threat, thereby making cloud services less secure.
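The chi-square test of association and its decision rule can be worked through as follows. This is an added example; the study's own tables are in its Appendix and are not reproduced here, so the counts and the two outcome columns below are constructed, while the five row labels are the cloud characteristics named above.

```python
import math


def chi2_survival(x, df):
    """P(X >= x) for a chi-square variable with df degrees of freedom,
    using the closed-form series for integer df (no external libraries)."""
    if x <= 0:
        return 1.0
    half = x / 2.0
    if df % 2 == 0:
        term, total = 1.0, 1.0
        for i in range(1, df // 2):
            term *= half / i
            total += term
        return math.exp(-half) * total
    total = math.erfc(math.sqrt(half))
    term = math.sqrt(2.0 * x / math.pi) * math.exp(-half)
    for r in range(1, (df - 1) // 2 + 1):
        total += term
        term *= x / (2 * r + 1)
    return total


def chi_square_independence(table, alpha=0.05):
    """Chi-square test of independence on a rows x columns count table."""
    row_totals = [sum(row) for row in table]
    col_totals = [sum(col) for col in zip(*table)]
    n = sum(row_totals)
    statistic, min_expected = 0.0, float("inf")
    for i, row in enumerate(table):
        for j, observed in enumerate(row):
            expected = row_totals[i] * col_totals[j] / n
            min_expected = min(min_expected, expected)
            statistic += (observed - expected) ** 2 / expected
    df = (len(table) - 1) * (len(table[0]) - 1)
    p_value = chi2_survival(statistic, df)
    return {
        "statistic": statistic,
        "df": df,
        "p_value": p_value,
        # Decision rule: reject the null hypothesis of no association
        # when the probability of the statistic falls below alpha.
        "reject_null": p_value < alpha,
        # Common rule of thumb: the approximation needs expected counts >= 5.
        "expected_counts_ok": min_expected >= 5,
    }


# Constructed score-card counts (not the study's data). Columns are an
# assumed split of privacy assessment answers: [risk flagged, no risk flagged].
CONSTRUCTED_SCORECARD = {
    "broad network access": [30, 10],
    "shared resources": [28, 12],
    "self-service": [15, 25],
    "elasticity": [12, 28],
    "measured services": [15, 25],
}

if __name__ == "__main__":
    print(chi_square_independence(list(CONSTRUCTED_SCORECARD.values())))
```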
However, with dynamic risk assessment, all existing vulnerabilities can be processed by a selected software and notifications given to cloud providers through email to inform them of identified risks and facilitate development of measures to mitigate the identified risks. The Automated Response System was, for instance, able to process the risks that were gathered from relevant websites like OWASP and NCSC and identify risks existent in each of the collected vulnerabilities. The recommendations made by the software to both clients and cloud providers are practical and based on accurate information generated from processing identified vulnerabilities. The inference is that dynamic risk assessment accommodates automated assessment that has more benefits compared to the time, effort and resources put into the initiative. A cost-benefit analysis illustrates that dynamic risk assessment provides more value to cloud providers compared to the costs or resources incurred in adopting and implementing the practice.
Limitations
A major limitation identified in this study was failure to discuss the legal compliance of the Automated Response Software despite the need for cloud providers to ensure that they conform to industry and legal standards in their efforts to mitigate cyber security threats. The study also fails to link identified vulnerabilities with their vulnerability IDs based on individual cloud providers. Further, there is no mention of the vulnerability type. There are a number of vulnerability types including information leak, use of hard-coded credentials, input validation and insufficient information. However, under the score-card, the researcher ensured that the vulnerabilities were ranked in severity under two frameworks – CVSS Severity (V3) and CVSS Severity (V2).
Chapter summary
In this chapter, the results generated from vulnerability gathering and the RSS Feed Reader are presented and discussed. Among the issues taken into consideration are the threats associated with malicious insiders, Insecure APIs, Account Hacking, Denial of Service and Data loss. The use of the Automated Response Software was explained and the risks identified from this software presented. In analyzing the results, the researcher engaged in a short discussion that compares findings with previous literature documented on the subject. Statistical analysis then followed, with independent and dependent variables being selected, a score-card being used to facilitate calculation of the aggregate score and a Chi-Square test being used to validate the hypotheses developed. The study, though, contains some limitations, including failure to link gathered vulnerabilities with vulnerability IDs and to classify vulnerability types in association with the individual vulnerabilities gathered. Further, there is no mention of legal considerations that were met in using the Automated Response Software, hence one may infer that legal compliance was not necessarily prioritized. In general, though, dynamic risk assessment is shown to be effective in identifying security scenarios that cloud providers may face. The Automated Response Software also illustrated that dynamic risk assessment is superior to traditional risk assessment.