Emmylou Bice
Ashton Mozano
As technology evolves, more and more systems are migrating to the cloud environment.
With respect to cyber security, the threat landscape shifts slightly with this migration,
since responsibility for security is split further amongst multiple organizations than it is
for traditional systems. Some new threats have emerged, but old threats also remain. The
following details ten of the most significant recent cyber security risks to data that is
processed on, stored on, and/or transmitted through the cloud. For each of the presented risks, I
will describe what the risk is, identify the impacts, and provide a mitigation strategy to address
it.
1. Malware Injection
Description and Impact: Malware injection in the cloud is similar to malware injection
against on-premises systems: the attacker tries to insert malicious software or code into a
service or system in the cloud (Bhagat, 2017). Common malware injection attacks
include SQL injection, cross-site scripting, worms, and trojans. Malware can be introduced
by deploying compromised software or a file carrying a virus. The impacts of this type of
attack include loss of consumer personal data, as in an SQL injection attack. An attacker
could obtain personal information without authorization and then sell it on the dark
web. From the financial standpoint, businesses can lose millions due to a malware
Mitigation Strategy: One of the best mitigation strategies for malware injection is
the use of anti-virus (A/V) software. A/V solutions will detect (and remove) any
existing malware on a system and monitor for potential malware on the (RAPID7, n.d.).
Assignment 2.2
In addition to installing an A/V solution, organizations should keep it up to date with the
latest software version, definitions, and signatures. This will limit the risk of
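The SQL injection case named above is the one malware injection vector that can be shown end to end in a few lines. The following is an added example, not code from the assignment or from any cited source: it builds a small constructed customer table in an in-memory SQLite database and contrasts a query assembled by string concatenation with the parameterized form that keeps user input as data. The table name, columns and the sample rows are all constructed for the demonstration.

```python
import sqlite3
from typing import List


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a cloud-hosted customer store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice@example.com", "111-11-1111"),
         (2, "bob@example.com", "222-22-2222")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> List[str]:
    # The user-supplied value is spliced into the SQL text, so any quote
    # characters it contains change the structure of the statement.
    query = "SELECT email FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> List[str]:
    # The driver binds the value separately from the statement; the input can
    # only ever be compared against the column, never interpreted as SQL.
    return [row[0] for row in conn.execute(
        "SELECT email FROM customers WHERE email = ?", (email,))]


if __name__ == "__main__":
    # The textbook tautology input: the concatenated query matches every row,
    # the parameterized query matches none, because no email equals that string.
    injected = "' OR '1'='1"
    print("vulnerable:    ", lookup_vulnerable(build_db(), injected))
    print("parameterized: ", lookup_parameterized(build_db(), injected))
```

The same separation of code from data is what A/V and web application firewalls cannot guarantee for you; parameter binding removes the defect rather than trying to recognise attacks against it.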
2. Insider Threat
Description and Impact: Insider threat is when an employee or someone internal to the
organization turns into an adversary. This employee or insider can either intentionally or
unintentionally cause havoc on the system and organization. Insider threat is a concern
for all organizations and applies to the cloud. According to a Threatbuster survey on IT
respondents said cloud migration makes insider attacks harder to detect and defend”
(Armerding, 2019). The threat is a major concern, as these individuals can significantly
impact business operations and cause millions of dollars in damage. For example, in the
healthcare industry, IT professionals have seen about a 31% increase in the financial cost,
where the cost grew “from $8.76 million in 2018 to $11.45 million in 2020”
(FairWarning, n.d.). These costs are associated with insider threats from both careless
Mitigation Strategy: One of the best ways to mitigate the risk of an insider threat in the
Access Management (IAM) system (Armerding, 2019). With this strategy and
implementation, the organization limits the amount of access a single user has and provides
them with the minimum privileges and permissions necessary to conduct their daily tasks.
If higher privileges are needed, a manager should authorize the privilege only for a limited
timeframe, then revert the user to an unprivileged status once the task is complete.
This will restrict insider access and reduce the risk of insider exploitation.
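The time-boxed elevation described in this mitigation strategy is easy to get wrong in practice: the grant is made, the task ends, and nobody reverts the user. The block below is an added example written for this page, not code from the assignment or from any IAM product. It models a small privilege broker in which an elevation carries an expiry and an approver, the effective role is computed at the moment of each check, and every grant, expiry and revocation is written to an audit list. The role names, the four-hour cap and the clock passed in as `now` are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

BASE_ROLE = "reader"           # hypothetical standing role for every user
MAX_ELEVATION_S = 4 * 3600     # hypothetical policy cap on a single elevation


@dataclass
class Elevation:
    role: str          # temporary role, e.g. "admin"
    approver: str      # manager who authorized the elevation
    expires_at: float  # absolute time in seconds at which it lapses


class PrivilegeBroker:
    """Just-in-time elevation: a user holds a privileged role only inside an
    approved, time-boxed window and drops back to BASE_ROLE automatically."""

    def __init__(self) -> None:
        self._active: Dict[str, Elevation] = {}
        self.audit: List[str] = []   # every grant, expiry and revocation

    def grant(self, user: str, role: str, approver: str,
              duration_s: int, now: float) -> None:
        if approver == user:
            raise PermissionError("self-approval is not allowed")
        if not 0 < duration_s <= MAX_ELEVATION_S:
            raise ValueError("elevation window outside policy limits")
        self._active[user] = Elevation(role, approver, now + duration_s)
        self.audit.append(
            f"{now}: {approver} granted {role} to {user} for {duration_s}s")

    def effective_role(self, user: str, now: float) -> str:
        elev = self._active.get(user)
        if elev is None:
            return BASE_ROLE
        if now >= elev.expires_at:
            # The window has lapsed: revert without waiting for manual cleanup.
            del self._active[user]
            self.audit.append(f"{now}: {user} reverted to {BASE_ROLE} (expired)")
            return BASE_ROLE
        return elev.role

    def revoke(self, user: str, now: float) -> bool:
        """Manual early revert, e.g. when the task finishes ahead of schedule."""
        if user not in self._active:
            return False
        del self._active[user]
        self.audit.append(f"{now}: {user} reverted to {BASE_ROLE} (revoked)")
        return True


if __name__ == "__main__":
    broker = PrivilegeBroker()
    broker.grant("alice", "admin", "manager", duration_s=600, now=100)
    print(broker.effective_role("alice", now=200))   # inside the window
    print(broker.effective_role("alice", now=700))   # after expiry
    print("\n".join(broker.audit))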
Description and Impact: A DoS attack is when legitimate users cannot access the system
or service due to the actions of a malicious cyber threat actor (US-CERT, 2009). An
example is an attacker sending so much traffic to a specific port of a target system that
the system freezes while trying to process all the requests and cannot handle any
more. DDoS is similar, but involves multiple machines working together to cause a DoS.
DDoS attacks often involve botnets, hijacked systems programmed to carry out the
attacker’s requests (US-CERT, 2009). A representation of a botnet-driven DDoS attack is
shown in Figure 1, where the attacker floods an HTTP port to cause a denial of
service on the target. These attacks are relevant to both cloud-based systems and on-
premises systems.
Figure 1: HTTP Flood. From Application Layer Attack Example, by Cloudflare, n.d.,
https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/. Copyright 2020 by
Cloudflare, Inc.
The impact of a DoS or DDoS attack includes halting an organization’s business services
for an unknown amount of time and damaging its reputation with consumers. From a
financial perspective, this attack could cost millions of dollars depending on the
business. Kaspersky conducted some research and found that the impact of a DDoS
Mitigation Strategy: Although there is no good way to prevent a DoS or DDoS attack,
one way to mitigate the threat is to configure your firewalls and enroll in a DoS
the traffic flowing into and out of Internet facing systems (US-CERT, 2009).
Organizations should configure Quality of Service (QoS) settings to manage the data
traffic flow and open only the necessary ports for standard operations.
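Firewall and QoS rules need a signal to act on, and for the HTTP flood in Figure 1 that signal is a source sending far more requests per second than a browser would. The following is an added example, not code from the assignment or from any cited source: it walks a constructed web access log with a sliding one-second window per source address and reports the first moment each source exceeds a request threshold. The log format, the addresses and the threshold are all constructed assumptions; a real deployment would read the log from the load balancer or WAF and feed the flagged sources into its rate-limiting policy.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List

# Constructed access log: "<epoch_seconds> <source_ip> <method> <path>".
# 10.0.0.5 sends eight requests inside one second; 192.0.2.10 behaves normally.
SAMPLE_LOG: List[str] = [
    "100.0 10.0.0.5 GET /",
    "100.1 10.0.0.5 GET /",
    "100.2 10.0.0.5 GET /",
    "100.3 192.0.2.10 GET /login",
    "100.3 10.0.0.5 GET /",
    "100.4 10.0.0.5 GET /",
    "100.5 10.0.0.5 GET /",
    "100.6 10.0.0.5 GET /",
    "100.7 10.0.0.5 GET /",
    "104.0 192.0.2.10 POST /login",
    "109.5 192.0.2.10 GET /account",
]


def detect_floods(lines: List[str], window_s: float = 1.0,
                  threshold: int = 5) -> Dict[str, float]:
    """Return {source_ip: first timestamp at which it exceeded `threshold`
    requests within any `window_s` sliding window}."""
    recent: Dict[str, Deque[float]] = defaultdict(deque)
    flagged: Dict[str, float] = {}
    for line in lines:
        ts_text, ip, _method, _path = line.split()
        ts = float(ts_text)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window_s:   # drop requests that left the window
            q.popleft()
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def peak_rate(lines: List[str], ip: str, window_s: float = 1.0) -> int:
    """Highest request count one source reached in any window; useful when
    choosing a threshold that normal clients never hit."""
    q: Deque[float] = deque()
    peak = 0
    for line in lines:
        ts_text, src, _method, _path = line.split()
        if src != ip:
            continue
        ts = float(ts_text)
        q.append(ts)
        while ts - q[0] > window_s:
            q.popleft()
        peak = max(peak, len(q))
    return peak


if __name__ == "__main__":
    print(detect_floods(SAMPLE_LOG))                 # {'10.0.0.5': 100.5}
    print(peak_rate(SAMPLE_LOG, "10.0.0.5"))         # 8
    print(peak_rate(SAMPLE_LOG, "192.0.2.10"))       # 1
```

A single source over a threshold is a DoS pattern; a DDoS spreads the same load across many botnet members, each of which may stay under a per-source limit, so in that case the same window logic is applied to aggregate request rates per path or per backend as well.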
4. Data Loss
Description and Impact: In the cloud, data loss is another common threat. Data loss can
result from attackers compromising data, crashing data storage servers, or accidental user
modifications to data. Data loss can result in lost business productivity,
replacement and response costs, and reputation damage. Businesses may have to halt
operations due to unrecoverable data loss, which will result in downtime and may impact
revenue depending on the duration. Additionally, the cost of replacing the data or hiring a
third party to assist with recovery and response eats into business profits. Outside of
the cloud, costs can range from about $20K-$30K to about $550K for smaller losses and
in the high millions, like $5M-$15M, for much larger data loss events (BackupWorks,
n.d.). Though I have not found evidence for the cloud, I anticipate that the costs for a
plan, data loss prevention software, and backing up data via RAID or robust storages.
Data loss prevention software will “ensure that sensitive data is not lost, misused, or
accessed by unauthorized users” (Zhang, 2020). For RAID, in the cloud, service
providers typically offer robust storage options and scalable server options.
Organizations utilizing the cloud should take advantage of these services to increase the
likelihood data will not be lost in some unforeseen event. Implementing RAID is
especially important as RAID storage provides fault tolerance and improves overall
5. Insecure APIs
Description and Impact: Insecure APIs is when attacker take advantage of the
Middle. When implemented poorly, APIs are the equivalent of insecure interfaces that
give attackers an easy target. One example is a developer leaving an API
open to access privileged functions. An attacker can take advantage of this to access the
system and its information. This threat results in the same impacts as data loss, as
previously detailed, since attackers can extract sensitive data causing millions of dollars of
Mitigation Strategy: A mitigation strategy for insecure APIs includes “adopting and
effective security model for Cloud provider’s interfaces” (Thor, 2019). This security
Connect, the principle of least privilege to restrict privilege creep, and limited access
control by determining resources the user can access (Imperva, n.d.). This will help limit
6. Account Hijacking
login information and remotely access sensitive data stored in the cloud (Evangelist,
2019). Account hijacking can be devastating for a company depending on the access
permissions of the account. Business reputation and integrity can be destroyed and
customers may lose trust in the business depending on what was accessed and what the
Mitigation Strategy: One mitigation strategy or solution to protect against and reduce the risk of
cloud solutions that offer multi-factor authentication mechanisms, like requiring users to
input a password and either a dynamic one-time password (hard token or SMS message)
user, as it verifies a user’s identity by requiring two types of credentials from
the following: something the user knows (password), something the user has (token, one-
time generated PIN) and something the user is (biometrics like a fingerprint or iris scan).
7. Social Engineering
Description and Impact: Social Engineering is when an adversary tricks a user into
engineering attacks include phishing and ransomware. The financial impact of this type
of attack can result in millions of dollars. For ransomware, the FBI released statistics
stating that in “2018 alone U.S. businesses paid more than $3.6 million to hackers in
these kinds of attacks” (Suros, 2019). Not only that, there are additional financial and
non-financial costs including business fees, time, reputation, data loss, and payments to
Mitigation Strategy: The main targets of social engineering tactics are people.
One way to mitigate against social engineering is educating employees
about social engineering tactics and sending out mock phishing attempts periodically to
keep them aware. Organizations should emphasize that employees should never respond
educating the main component in an organization, employees, the less risk a company has
8. Supply Chain
Description and Impact: The supply chain risk involves compromising systems
before they are deployed for operations. Attackers target third-party suppliers to inject
malicious software or backdoors and gain access to secure systems (Behrens, 2020).
entire system right out of the gate. The impact of an attacker succeeding in a supply
chain attack includes impacts similar to those of the previously mentioned risks. The component
implemented could incorporate a back door or other malicious code, which could
result in serious damage to the business both financially and reputationally.
Mitigation Strategy: To help mitigate against the supply chain risk, organizations should
develop and implement a supply chain risk management plan (SCRMP) in accordance
with Figure 2 and NIST SP 800-161. In Figure 2, we see that the Enterprise is
responsible for making an SCRM Policy and integrating it into the different risk
with policies and procedures in place to include the use of only approved and trusted
vendors, and conducting thorough analysis and testing to identify defects, counterfeits, and
malicious parts. This testing should be conducted by multiple individuals for each of the
HW and SW components prior to approving their use in the overall design of the system. For
systems deployed in the cloud, organizations should verify the cloud provider’s SCRMP
and take it into consideration when selecting a service provider to house their system.
Figure 2: ICT SCRM Activities in Risk Management Process. From Supply Chain Risk
Management Practices for Federal Information Systems and Organizations. By J. Boyens, C.
Paulsen, R. Moorthy, and N. Bartol, 2015,
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pdf
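One concrete control that falls out of the "approved and trusted vendors" and "testing to identify counterfeits" steps above is an intake gate: every component is checked against an approved-vendor list and a manifest of expected hashes before it may be used in a build. The following is an added example, not code from the assignment, NIST SP 800-161 or any vendor: it constructs a small manifest of hypothetical artifacts and classifies an incoming batch as accepted, unapproved vendor, hash mismatch (possible tampering or counterfeit), or unknown. The artifact names, vendor names and byte contents are all constructed; in practice the manifest hashes would come from the vendor's signed release data.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Hypothetical approved-vendor list maintained under the SCRM policy.
APPROVED_VENDORS = {"Acme Components", "Northwind Firmware"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed known-good artifacts: name -> (bytes as released, vendor).
GOOD_ARTIFACTS: Dict[str, Tuple[bytes, str]] = {
    "storage-driver-1.4.bin": (b"constructed storage driver build 1.4", "Acme Components"),
    "bmc-firmware-2.0.bin": (b"constructed BMC firmware 2.0", "Northwind Firmware"),
    "cheap-nic-rom.bin": (b"constructed NIC option ROM", "Unvetted Reseller"),
}

# The manifest the intake gate trusts: vendor and SHA-256 per component.
MANIFEST = {
    name: {"vendor": vendor, "sha256": sha256_hex(blob)}
    for name, (blob, vendor) in GOOD_ARTIFACTS.items()
}


def check_component(name: str, data: bytes,
                    manifest: Dict[str, Dict[str, str]] = MANIFEST,
                    approved=APPROVED_VENDORS) -> str:
    """Classify one received component. Order matters: an unknown or
    unapproved component is rejected before any hash is even compared."""
    entry = manifest.get(name)
    if entry is None:
        return "unknown-component"
    if entry["vendor"] not in approved:
        return "unapproved-vendor"
    if not hmac.compare_digest(entry["sha256"], sha256_hex(data)):
        return "hash-mismatch"   # tampered, corrupted or counterfeit
    return "ok"


def review_batch(received: Dict[str, bytes]) -> Dict[str, str]:
    """Run the gate over a delivery; anything not 'ok' is held for analysis."""
    return {name: check_component(name, data) for name, data in received.items()}


if __name__ == "__main__":
    # Constructed delivery: one genuine file, one altered file, one from an
    # unapproved vendor and one nobody ordered.
    delivery = {
        "storage-driver-1.4.bin": b"constructed storage driver build 1.4",
        "bmc-firmware-2.0.bin": b"constructed BMC firmware 2.0 with extra bytes",
        "cheap-nic-rom.bin": b"constructed NIC option ROM",
        "mystery-tool.bin": b"constructed unexpected artifact",
    }
    for name, verdict in review_batch(delivery).items():
        print(f"{name}: {verdict}")
```

A hash check only proves the bytes match what the vendor published; it does not prove the vendor's own build was clean, which is why the text still calls for analysis and testing of the component itself by more than one reviewer.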
Description and Impact: Due diligence is when organizations take thorough steps to
mitigations to reduce risks. When organizations migrate to the cloud, they sometimes do
not understand the full scope of what it means to move to the cloud in terms of what
security measures the cloud service provider supplies and what the organization
is responsible for (Morrow, 2018). The impact of not minimizing the risk of insufficient
due diligence can be adversaries exploiting other mentioned risks such as system
exploiting any one of these will cost the business their public reputation as well as
Mitigation Strategy: A mitigation strategy to implement for this risk involves “digging
deeper” and asking the CSP about their certifications or industry affiliations to understand
what security measures are already in place and which ones the organization needs to
cover (ICorps Technologies, 2014). Businesses should understand their service level
agreements (SLA), understand the expectations of the CSP, and investigate the security
measures that the CSP provides to ensure they implement sufficient due diligence on their
end. After all, the business is the face of the system, not the CSP, and if the system is
Description and Impact: System vulnerabilities arise when businesses do not maintain the
security posture of their systems. Old and outdated software is exposed to the internet
vulnerability is exploited, the attacker will automatically gain privileged access. For the
cloud, the infrastructure has more exposure to system vulnerabilities due to the complexity
of the networks and environment (Evangelist, 2019). System vulnerabilities can result in
vulnerabilities like malware injection. Like the previously discussed risks, systems
ensure that every system is up to date on both the software version and any released
patches. For example, Microsoft releases patches every Tuesday of the month. In the
cloud, organizations should ensure there is a security management domain separate from
normal operations and that every machine is scanned for outdated patches at least once a
month. Tools to help with ensuring the systems are patched include Nessus on the
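A scanner such as Nessus produces an inventory of installed versions per host; what the monthly process then needs is a comparison of that inventory against the minimum patched version for each product, plus a check that no host has been missed by the scan. The block below is an added example, not code from the assignment or from any scanner vendor: it takes a constructed inventory and baseline, compares dotted version strings numerically, and flags hosts whose last scan is older than the 30-day interval the text prescribes. The product names, versions, hostnames and dates are all constructed.

```python
from datetime import date
from typing import Dict, List, Tuple

# Constructed baseline: minimum acceptable (patched) version per hypothetical product.
BASELINE: Dict[str, str] = {
    "web-server": "2.4.52",
    "db-engine": "14.3",
    "endpoint-agent": "7.1.0",
}

# Constructed inventory in the shape a scanner export might take.
INVENTORY = {
    "web-01": {"last_scan": date(2020, 5, 20),
               "software": {"web-server": "2.4.52", "endpoint-agent": "7.1.0"}},
    "web-02": {"last_scan": date(2020, 4, 1),
               "software": {"web-server": "2.4.41", "endpoint-agent": "7.1.0"}},
    "db-01": {"last_scan": date(2020, 5, 22),
              "software": {"db-engine": "14.3", "endpoint-agent": "7.1.0"}},
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.4.41' -> (2, 4, 41); tuples compare component by component, so
    2.4.41 < 2.4.52 even though the strings would not sort that way."""
    return tuple(int(part) for part in text.split("."))


def host_findings(host: dict, baseline: Dict[str, str], today: date,
                  max_scan_age_days: int = 30) -> List[str]:
    findings: List[str] = []
    age = (today - host["last_scan"]).days
    if age > max_scan_age_days:
        findings.append(f"scan stale ({age} days)")
    for product, installed in sorted(host["software"].items()):
        minimum = baseline.get(product)
        if minimum and parse_version(installed) < parse_version(minimum):
            findings.append(f"{product} {installed} < {minimum}")
    return findings


def audit(inventory: dict, baseline: Dict[str, str], today: date,
          max_scan_age_days: int = 30) -> Dict[str, List[str]]:
    """Return only hosts that have at least one finding."""
    report: Dict[str, List[str]] = {}
    for name, host in inventory.items():
        findings = host_findings(host, baseline, today, max_scan_age_days)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(INVENTORY, BASELINE, date(2020, 5, 25)).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The stale-scan check matters as much as the version check: a host that never gets scanned reports no outdated software, and in a cloud environment where instances are created and destroyed frequently, those silent gaps are where unpatched systems accumulate.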
References
Armerding, T. (2019, May 16). Don’t let insider threats rain on your cloud deployment.
threats-cloud/
BackupWorks. (n.d.). Financial Impact of Data Loss for Business. Retrieved May 25, 2020, from
https://www.backupworks.com/financial-impact-data-loss.aspx
Behrens, A. (2020, January 29). Accenture cybersecurity report sees risks from hacker groups and
vulnerabilities in supply chains, the cloud. Retrieved May 25, 2020, from
https://spendmatters.com/2020/01/29/accenture-cybersecurity-report-sees-risks-from-
hacker-groups-and-vulnerabilities-in-supply-chains-the-cloud/
Berard, D. (2018, February 22). DDoS Breach Costs Rise to over $2M for Enterprises finds
https://usa.kaspersky.com/about/press-releases/2018_ddos-breach-costs-rise-to-over-2m-
for-enterprises-finds-kaspersky-lab-report
Bhagat, B. (2017, August 12). Major attacks on Cloud Computing with countermeasures.
cloud-computing-with-countermeasures/
Boyens, J., Paulsen, C., Moorthy, R., & Bartol, N. (2015). ICT SCRM Activities in Risk
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pdf.
Boyens, J., Paulsen, C., Moorthy, R., & Bartol, N. (2015). Supply chain risk management
practices for federal information systems and organizations. Gaithersburg, MD: U.S. Dept.
https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/
Evangelist, C. (2019, September 7). Top 5 Cloud Computing Security Issues; and How they are
https://www.cloudmanagementinsider.com/top-5-cloud-computing-security-issues-and-
strategies-used-by-hackers/
FairWarning. (n.d.). The Cost of Insider Threats in Healthcare and How to Reduce Them.
threats-in-healthcare-and-how-to-reduce-them/
ICorps Technologies. (2014, September 11). Lack of Due Diligence: How It Can Hurt Your
lack-of-due-diligence-can-hurt-your-company
Imperva. (n.d.). Web API Security. Retrieved May 24, 2020, from
https://www.imperva.com/learn/application-security/web-api-security/
Lord, N. (2018, September 11). What is Cloud Account Hijacking?. Retrieved May 25, 2020,
from https://digitalguardian.com/blog/what-cloud-account-hijacking
Morrow, T. (2018, March 5). 12 Risks, Threats, & Vulnerabilities in Moving to the Cloud.
threats-vulnerabilities-in-moving-to-the-cloud.html
RAPID7. (n.d.). Malware Attacks: Examined and Best Practices. Retrieved May 25, 2020, from
https://www.rapid7.com/fundamentals/malware-attacks/
Singh, G. (2019, March 12). Types of RAID Storage for Databases in Public Cloud. Retrieved
Suros, T. (2019, August 26). Voices On ransomware: How to stay safe in the cloud. Retrieved
stay-safe-in-the-cloud
Thor, D. (2019, April 30). Cloud APIs and How to Mitigate the Security Risks. Retrieved May
risks
US-CERT. (2009, November 4). Understanding Denial-of-Service Attacks. Retrieved May 25,
Zhang, E. (2020, January 27). What is Data Loss Prevention (DLP)? A Definition of Data Loss
prevention-dlp-definition-data-loss-prevention