Question

Risks for people in a small to medium business (Employee/ non employee) include Data Leakage, DDOS and Malware.

Document in detail the results of a risk assessment for the three identified risks including reasons justifying it as being significant, and risk assessment factors. For each of the identified risks propose potential mitigation and control measures, and what actions would appear in a risk control strategy plan to demonstrate confidence in the effectiveness of the suggested mitigation and control measures.

Answer #1

Although small and medium-sized enterprises (SMEs) are very important and represent the vast bulk of businesses worldwide, many of them fail to grow or even survive. In today’s business environment, organisations handle a vast amount of data that is increasingly easy to access and share. The major risks for people in SMEs include Data leakage, DDoS and Malware.

Data leakage is the unauthorized transmission of data from within an organization to an external destination or recipient. Data can be leaked to unscrupulous competitors, organised criminal groups and other entities via a multitude of channels, including email, the internet, portable storage devices and cloud services. Risk assessment of Data Leakage includes identifying the different types of data leaks, who will be harmed and how, taking necessary mitigation and control measures for it which are given below:

Different types of Data Leakage:

  1. The Accidental Breach: "Unauthorized" data leakage does not necessarily mean intended or malicious. The majority of data leakage incidents are accidental. For example, an employee may unintentionally choose the wrong recipient when sending an email containing confidential data.
  2. The Disgruntled or Ill-Intentioned Employee: The vast majority of data loss does not occur over an electronic medium; it occurs via printers, cameras, photocopiers, removable USB drives and even dumpster diving for discarded documents. An employee with a bad intention may leak confidential information and this type of data leakage is often referred to as data exfiltration.
  3. Electronic Communications with Malicious Intent: Many organizations give employees access to the internet, email, and instant messaging as part of their role. For example, a cybercriminal could quite easily spoof a legitimate business email account and request sensitive information to be sent to them. The user would unwittingly send the information, which could contain financial data or sensitive pricing information.
  4. Phishing attacks are another cyber attack method with a high data leakage success rate. Simply clicking on a link and visiting a web page that contains malicious code could allow an attacker to access a computer or network to retrieve the information they need.

How data leaks are exploited and what makes Data leaks a significant risk factor:

  1. Social engineering: The most effective social engineering operations are known as spear phishing. This is when a cyber criminal sends a targeted fake email based on known information to better impersonate an authority figure or executive.
  2. Doxxing: Personally identifiable information (PII) can be used for more than credit card fraud. Doxxing is a practice of acquiring and publishing a person's information against their will.
  3. Surveillance and intelligence: Psychographic data has many uses. Its very purpose is to predict and shape opinions. Political campaigns use it to win votes and businesses use it to win customers.
  4. Disruption: Data leaks can be used to slow or stop business operations and can expose sensitive information to the public. Information exposed in a data leak can have drastic consequences for government, businesses and individuals.

Data leak mitigation and control measures:

The three common ways to prevent data leaks are as follows:

  1. Validation: As cloud storage becomes more common, the amount of data that is being moved in and out of cloud storage is increasing exponentially. Without proper process, sensitive data can be exposed in an unsecured bucket. This is why cloud storage configurations must be validated at deployment and during their time hosting sensitive data.
  2. Automation: At a large enough scale, validation becomes difficult to police. Computers are far better at maintaining uniformity than people. Automated process controls should act as executable documentation that ensure all cloud storage is secured and stays secure.
  3. Third-party risk: Vendors can expose your information as easily as you can. Even if a business enterprise doesn't expose its customers' data, it will still be held accountable for the data leak in the eyes of the customers. This makes assessing third-party risk, fourth-party risk and cyber security risk assessments as important as in-house cyber security and information risk management.

Distributed Denial of Service or DDoS:

Distributed Denial of Service is a malicious network attack that involves hackers forcing numerous Internet-connected devices to send network communication requests to one specific service or website with the intention of overwhelming it with false traffic or requests.

Risk assessment of DDoS includes identifying the different types of DDoS attack that can happen, why attacks happen and how, taking necessary mitigation and control measures for it which are given below:

Common types of DDoS attacks

Different DDoS attack vectors target varying components of a network connection.

  1. Application Layer Attacks: Sometimes referred to as a layer 7 DDoS attack (in reference to the 7th layer of the OSI model), the goal of these attacks is to exhaust the resources of the target. The attacks target the layer where web pages are generated on the server and delivered in response to HTTP requests.
  2. Protocol Attacks: Protocol attacks, also known as state-exhaustion attacks, cause a service disruption by consuming all the available state table capacity of web application servers or intermediate resources like firewalls and load balancers. Protocol attacks utilize weaknesses in layer 3 and layer 4 of the protocol stack to render the target inaccessible.
  3. Volumetric Attacks: This category of attacks attempts to create congestion by consuming all available bandwidth between the target and the larger Internet. Large amounts of data are sent to a target by using a form of amplification or another means of creating massive traffic, such as requests from a botnet.

Reasons for DDoS attacks

Attackers are primarily motivated by:

  1. Ideology – People may use DDoS attacks as a means of targeting websites they disagree with ideologically.
  2. Business feuds – Businesses can use DDoS attacks to strategically take down competitor websites, e.g., to keep them from participating in a significant event, such as Cyber Monday.
  3. Boredom – Cyber vandals use prewritten scripts to launch DDoS attacks. The perpetrators of these attacks are typically bored, would-be hackers looking for an adrenaline rush.
  4. Extortion – Perpetrators use DDoS attacks, or the threat of DDoS attacks as a means of extorting money from their targets.
  5. Cyber warfare – Government authorized DDoS attacks can be used to both cripple opposition websites and an enemy country’s infrastructure.

Mitigation and control measures for DDoS Attacks:

  1. Black Hole Routing: One solution available to virtually all network admins is to create a blackhole route and funnel traffic into that route. If an Internet property is experiencing a DDoS attack, the property’s Internet service provider (ISP) may send all the site’s traffic into a blackhole as a defense.
  2. Rate Limiting: Limiting the number of requests a server will accept over a certain time window is also a way of mitigating denial-of-service attacks. But it alone will likely be insufficient to handle a complex DDoS attack effectively.
  3. Web Application Firewall: A Web Application Firewall (WAF) is a tool that can assist in mitigating a layer 7 DDoS attack. By putting a WAF between the Internet and an origin server, the WAF may act as a reverse proxy, protecting the targeted server from certain types of malicious traffic.
  4. Anycast Network Diffusion: This mitigation approach uses an Anycast network to scatter the attack traffic across a network of distributed servers to the point where the traffic is absorbed by the network.

MALWARE

Malware is an abbreviation of the words malicious and software. The term refers to software that is deployed with malicious intent. Malware is easy to deploy remotely, and tracking the source of malware is hard. Malware may take as many forms as software. It may be deployed on desktops, servers, mobile phones, printers, and programmable electronic circuits. Malware has been known to disable information security protection mechanisms such as desktop firewalls and anti-virus programs.

Risk assessment of Malware includes identifying the different types of Malware, how it is exploited and taking necessary mitigation and control measures for it which are given below:

Types of Malware:

  1. Virus: Viruses attach their malicious code to clean code and wait for an unsuspecting user or an automated process to execute them. They are usually contained within an executable file.
  2. Worms: Worms get their name from the way they infect systems. Starting from one infected machine, they weave their way through the network, connecting to consecutive machines in order to continue the spread of infection. This type of malware can infect entire networks of devices very quickly.
  3. Spyware: Spyware is designed to spy on what a user is doing. Hiding in the background on a computer, this type of malware will collect information without the user knowing, such as credit card details, passwords and other sensitive information.
  4. Trojans: This type of malware hides within or disguises itself as legitimate software. Acting discreetly, it will breach security by creating backdoors that give other malware variants easy access.
  5. Ransomware: Also known as scareware, it is able to lock down networks and lock out users until a ransom is paid. Ransomware has targeted some of the biggest organizations in the world today.

Malware affects a system in the following way:

Machines infected with these types of malware capture the user’s personal or financial information, then forward it to the hacker, who uses it for purposes of financial fraud or identity theft. It may be deployed on desktops, servers, mobile phones, printers, and programmable electronic circuits. Sophisticated attacks have confirmed data can be stolen through well-written malware residing only in system memory without leaving any footprint in the form of persistent data.

Malware Mitigation and control measures:

  • Anti-malware software – A company must have the latest version of a common malware-seeking program installed on all devices to seek and destroy rogue programs such as viruses. Scan personal or business computers regularly and update the software often.
  • Anti-spyware software – These packages provide real-time protection for computers against the installation of malware by scanning incoming traffic and blocking threats.
  • Spam filters – These block or quarantine email messages with suspicious content or from unknown senders to alert users not to open or respond. Most enterprises have centralized spam mitigation in place, and many personal email providers also provide this service.
  • Firewalls and IDS – Firewalls and intrusion detection systems act as traffic cops for network activity and block anything suspicious. This is enterprise-grade technology that protects user computers, servers or networks from malicious applications or cyberattack. Firewalls may not prevent malware installation, but they can detect nefarious in-process operations.
  • Security scans – This activity tests business websites and enterprise software for known malware that may have infected application code. Many app stores execute basic scans on software they host and sell, but this is no guarantee of safety so vigilance is needed.

Thus, risk assessment in the workplace is a central issue for all employers. Risk management encompasses a whole range of solutions, which includes control measures and prevention from the three main risks that small and medium businesses face which are Data leakage, DDoS and Malware.
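
The "Validation" and "Automation" measures for data leaks listed in the answer above can be expressed as an automated check. The following is an added example, not part of the original answer: it audits an exported list of storage-bucket settings and reports every bucket that could be exposed publicly. The inventory is constructed sample data, its outer keys are a hypothetical export format, and Amazon S3 field names are assumed as the provider.

```python
import json

# Constructed sample inventory (no real buckets). The outer keys are a
# hypothetical export format; the four flag names and the policy layout
# follow Amazon S3, used here as one concrete provider.
SAMPLE_INVENTORY = json.loads("""[
  {"name": "example-invoices",
   "public_access_block": {"BlockPublicAcls": true, "IgnorePublicAcls": true,
                           "BlockPublicPolicy": true, "RestrictPublicBuckets": true},
   "policy": {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
              "Principal": {"AWS": "arn:aws:iam::111122223333:role/billing"}}]}},
  {"name": "example-customer-exports",
   "public_access_block": {"BlockPublicAcls": true, "IgnorePublicAcls": true,
                           "BlockPublicPolicy": false, "RestrictPublicBuckets": false},
   "policy": {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
              "Principal": "*"}]}}
]""")

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def is_wildcard(principal):
    """True when a policy principal matches anyone: "*" or {"AWS": "*"}."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return principal == "*" or (isinstance(principal, list) and "*" in principal)

def validate_bucket(bucket):
    """Return a list of findings for one bucket; an empty list means it passes."""
    pab = bucket.get("public_access_block") or {}
    findings = [f"public access block flag {flag} is off"
                for flag in PAB_FLAGS if not pab.get(flag, False)]
    statements = (bucket.get("policy") or {}).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if (stmt.get("Effect") == "Allow" and is_wildcard(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append("policy grants access to anyone with no condition")
    return findings

def audit(inventory):
    """Map bucket name to its findings, keeping only buckets that fail."""
    report = {b["name"]: validate_bucket(b) for b in inventory}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print(name, findings)
```

Running the same check at deployment and again on a schedule covers both halves of the measure: configurations are validated when created and for as long as they hold sensitive data.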
