All content following this page was uploaded by Predrag Tasevski on 07 July 2015.
Predrag TASEVSKI
A thesis submitted in
EURECOM, France
08 JANUARY 2015
I hereby declare that this thesis entitled Cyber Security Researcher at iWE is
the result of my own research except as cited in the references. This thesis has
not been accepted for any degree and is not concurrently submitted in
Signature :
For my beloved niece, So ...
Acknowledgement
At the very beginning, I would like to thank my adviser Christophe LAYE, who gave much valuable advice and review in the early stages of this internship. Additionally, his continuous availability and guidance helped me the most to finish this internship and the report. I am grateful to him for introducing me to the research world regarding cyber insurance and security and feeding me the basics of this world. Moreover, he gave his attention to almost all of my requests, which shows his great kindness. I feel very lucky to have him as my supervisor.
COM. I really enjoyed and learned a lot from the courses that I attended dur-
advice, along with others. Among the staff, I would also like to thank the Labex
UCN@SOPHIA scholarship.
continuous support of my parents and sister in my life. They always fulfill all my silly demands and keep faith in my abilities. They have always been the best inspiration in my life. This report is devoted to my lovely niece, So, who joined
Abstract
breaches. Since the first computer incident we have been debating in which way cyber security can be adapted to match the threats, vulnerabilities and losses by
work-flow from July until December 2014. Keep in mind that this is just a small
description and core objectives. Then we state the author's contribution to the period of the internship and the report, too. Further, we notably discuss the overview of delivered services and their input. For instance: the Incident Response and digital forensic service, along with conveying cases; followed by the attendance at the NATO Advanced Research Workshop in Kiev, likewise the presented white paper regarding the cyber security audit service; last but not least, the research contribution to develop a secure architecture for an end-to-end data at REST solution in the cloud for the iWE platform.
insurance, cyber risk, coupled with the obedient approach of computer and information security. And finally, we conclude by pointing the accent to hence risk
Résumé
isation to absorb the financial impact caused by security breaches
in what way cyber security can be adapted to respond to the threats, vulnerabilities and losses that impact our world. Nevertheless,
Keep in mind that these are only small selected segments of what we
furthermore, we discuss in particular the list of services offered and their input. For
of NATO in Kiev, the white paper on the audit service of
develop a secure architecture for end-to-end data at
cyber insurance.
Contents
Declaration iii
Dedication v
Acknowledgement vii
Abstract ix
Résumé xi
List of Figures xv
1 Introduction 1
1.1 Company Overview 1
1.4 Contribution 5
1.5 Outline 7
2 Incident Response 9
2.1 Service Description 9
2.2 Case 1 12
2.2.1 Overview 12
2.2.3 Conclusion 14
2.3 Case 2 15
2.3.1 Overview 15
2.3.3 Conclusion 17
2.4 Case 3 17
2.4.1 Overview 17
2.4.3 Conclusion 19
3.1.1 Introduction 22
3.1.2 Background 24
3.1.4 Solution 30
3.1.5 Conclusion 32
4 Security Architecture 33
4.1 Introduction 34
4.3 Solutions 40
4.3.1 Client-side 1 40
4.3.2 Client-side 2 42
4.3.3 Client-side 3 43
4.3.4 Server-side 44
4.4 Discussion 45
4.5 Summary 46
5 Conclusion 47
5.1 Conclusion 47
Bibliography 49
List of Figures
is used for attacking purpose, country ISO code, category and type
of attacks. 61
List of Tables
List of Appendices
A Incident Response 59
C Security Architecture 67
List of Symbols
CI Critical Infrastructure
P2P Peer-to-peer
PDCA Plan-Do-Check-Act
RA Risk Assessment
RM Risk Management
Introduction
The present chapter describes the company overview, followed by the internship description and its objectives. Then the author notably highlights his contribution during the six months of the internship period, and in the end we provide the outline of this report.
200 employees, specialized in risk since 1999. The main objective of the company
in the judicial system or as claims management. Thereby, the initial idea for iWE
was to be created for internal use for GMC, so for this reason the Research
services in this field for cyber insurance premiums (discussed below) and in syn-
through their services and R&D to lead cyber-risk at an accepted level composed by
In this regard, cyber insurance has been identified as a potential tool for
network user risks are transferred to an insurance company, in return for a fee, i.e., the insurance premium. Likewise, cyber insurance enthusiasts believe that it would lead to the design of insurance contracts that would shift appropriate
more robust [51]. Apart from transferring the risk, risk management also includes risk acceptance and risk mitigation techniques. The insurance premium is
paper.
Moreover, aside from GMC's offers, such as claims management and loss
• Services:
concentrating in two fields: architecture and source code audit. In ar-
tructure (CII) and Critical Infrastructure (CI). Obviously, the following service is
compliance with best practices, security standards and frameworks, for instance the Open Web Application Security Project (OWASP), the Payment Card Industry Data Security Standard (PCI) and the International Organization for Standardization's standards for Information Security Management Systems (ISO/IEC 27K), but not limited to these. Further
network that has been compromised. It often involves some mitigation and it is
box (by performing manual pen-test in higher level testing) and gray-
testing). And in the end producing the final report which states all findings.
Along with the above services, the company also provides research and development.
exposure rating in comparing statistics and reality. Such as, lowering the cost of loss for the insured and reducing the likelihood and magnitude of those losses for the
Chapter 4.
this in mind, we should all be talking about how to achieve holistic globalization
debating respectfully in which ways cyber security can be adapted to match the
world.
the end of December 2014. Since then, we have started working on different problematic aspects, such as: (i) engaging in business meeting discussions to establish the company vision, mission and goals with respect to the security laboratory and cyber security services - discussed in the next subsection; (ii) deeply on how we could ensure and provide security controls reflecting the asymmetrical character
to cyber risk assessment, cyber insurance, international standards and build a risk assessment tool, and at the same time conduct cyber risk audits for customers; (iii)
of Incident Response cases are disclosed in Chapter 2, and (iv) providing control and transparency over how data is protected and build security architecture for
and to continue on research and development; the main objective services are: audit assessment and incident response support. Audit assessment offers the cyber risk assessment tool and source code audit, whereas digital forensics, penetration testing and the emergency response team are part of incident response support. Among the services, the company objectives are also to continue and to pour time into
In this report we would like to stress and present several of the above-mentioned aspects and cases that we have handled during this period of time. Re-
Cyber Security Audit. Within this service we have presented a white paper titled: Standards for Information Security are inappropriate fashion to assess the risk in private companies and elsewhere. Especially, this thesis has been developed with the previously performed audits and their lessons learned, and at the same time
a fundamental approach for future delivery of the service. Meanwhile, future action
Among the above services, the author also contributed to the security architecture research topic, providing zero-knowledge data at REST for the iWE SaaS
In the longer run, the main objectives and aim of this internship are to:
Step 1: Service Design. Studying current services and proposal of the company policies. Furthermore, to identify and draft processes for key services. Main outcomes and deliverables are: market analysis, service delivery pack (e.g.
activities. The outcome and deliverable for the step are: gain hands-on and
identifying operational issues and potential improvement areas for the ser-
1.4 Contribution
At first, we identify the various activities and how they are related
defined the iWE security laboratory services, mission and vision, moreover objectives and prospective partners. Among the preliminary business development and establishment, during the internship we also attended several business meetings, and took actions on the development and services. Additionally, our work also
encryption for the iWE SaaS platform. For this purpose we design and implement
plan.
ber insurance, risk assessment, data breaches, security in cloud, and many
For instance, incident response cases, advanced analysis of log files, dynamic and static analysis, remote support and providing first-time response when
for the iWE SaaS platform by carrying out end-to-end data at REST, zero-
architecture.
1.5 Outline
The rest of this report is organized as follows. Chapter 2 covers the overview
were handled during the internship period. In Chapter 3, we first illustrate the cyber security audit services, and then present the published white paper for NATO ARW in Kiev, hence we distribute the cyber security audit tool map in Appendix
cuss the related work, method, implementation and discussion of the solution.
Incident Response
the incident response cases handled. First we introduce the service description within the handling processes and workflow. Sections 2.2, 2.3 and 2.4 provide an overview description of the incidents (i.e. cases) that we have tackled during the
Nevertheless, we provide for each case what type of company it was, what were the root causes of the incident and/or fraud, the impact, an executive summary with findings, problems, facts and figures, and lastly we provide the conclusion for the incidents and the lessons learnt. In total we have tackled three different cases.
When an incident occurs, the following handling process is taken into account:
2. The Insurance Data Breach Team filters and selects a vendor and informs iWE/GM
and so on.
4. The iWE emergency response team receives the incident and follows the process
Plan and communicates on a daily basis with the insured about activities and steps, remediation actions and analysis of potential root causes. This report
5. After a few days, iWE expects from the Insured and/or Insurance to receive an acknowledgement agreed upon that the incident has been remediated and that
Figure 2.1 demonstrates the flow; it is a stepwise approach that GMC Consultant (Crisis Management) together with iWE (Response Team) has devel-
Keep in mind that GMC Consultant could also provide to the insurance
Among all, the insurance data breach team is constantly informed and up-
Moreover, the response time for any incident and the handling process is
reports the incident to iWE, the iWE response team will assist the insured staff in
possible.
For further analysis the iWE response team needs to get the data acquisition either on site or remotely. When the image data acquisition is received in the iWE laboratory, the investigation starts by creating an Incident Response Plan (IRP).
The following plan is sent on a daily basis and communicates with the customers (i.e., insured and insurance) for gathering further information and
The examination starts once the examiner team has enough artefacts and the fingerprint of the affected systems / devices; then the team creates
customer to mitigate the impact. The examiner team just recommends an action
plan; they do not implement it. Otherwise it could be an additional service - in this
When the threat is contained, iWE distributes the technical Final Report to the customer and to GMC Consultant, with the root cause and so on. Usually, depending on the incident and the location of the customer data, this entire
has also well qualified knowledge in delivering IT Security consulting services, for example: risk assessment, risk management, cyber security audit and others.
2.2 Case 1
2.2.1 Overview
severity impact was high and the type of incident was malware (redirect malicious code, or in other words conditional malware). Moreover, the incident affected two out of four servers of the insured, and the business impact was that more than 100 websites hosted on the two affected servers were not visible due to conditional malware that was redirecting the content to different sites by leveraging traffic for SEO purposes.
the data acquisition process that is too slow, and at the same time the insured
c for advanced analysis. After all, the advantages are that we established a procedure to be delivered every day after 16:00 to the customer, defined as the Incident Response and Action Plan (IRAP) report, and perform remediation actions from the first day.
In short, the contribution of the author regarding this case was: (i) from the backup of the affected systems to identify the protection in place, such as which security services were enabled and disabled, running the Windows Web Server 2008 R2 operating system; (ii) identify which communication ports are open and whether the network vulnerabilities are potentially risky; (iii) determine the different shell scripts and submit them to the VirusTotal database to identify them; (iv) identify different types of suspicious code, files and URLs and classify them as shell scripts, Trojan infection, file permission manipulation, malicious code and script, redirect code, and establish the number of affected files; and lastly (v) from log analysis we discovered brute force attacks and suspicious user account actions.
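Finding (v) above, brute force followed by suspicious account actions, is the kind of pattern that can be pulled out of a Windows Security log export with a short correlation script. The example below is added here and is not tooling from the thesis or from iWE; the event records are a constructed export in a simplified pipe-separated form, and THRESHOLD, WINDOW and FOLLOWUP are assumed tuning values.

```python
"""Spot brute-force logons and follow-on account actions in Windows Security
events (event IDs 4625/4624 and account management 4720/4732/4738).

Added example, not tooling from the thesis or iWE. EVENTS is a constructed
export in the form time|event_id|subject_account|target_account|source_ip;
a real Windows Web Server 2008 R2 export carries many more fields."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESS_LOGON = 4625, 4624          # Security log event IDs
ACCOUNT_ACTIONS = {                                # account management events
    4720: "user account created",
    4732: "member added to local group",
    4738: "user account changed",
}
THRESHOLD = 5                  # assumed: failures from one IP inside WINDOW
WINDOW = timedelta(minutes=10)
FOLLOWUP = timedelta(hours=1)  # assumed: look this long after a success

# Constructed sample: a password-guessing burst, a success, then account
# management by the compromised account; later a single benign failure.
EVENTS = """\
2014-09-18 02:14:01|4625|-|administrator|203.0.113.50
2014-09-18 02:14:09|4625|-|administrator|203.0.113.50
2014-09-18 02:14:17|4625|-|admin|203.0.113.50
2014-09-18 02:14:25|4625|-|administrator|203.0.113.50
2014-09-18 02:14:33|4625|-|root|203.0.113.50
2014-09-18 02:14:41|4625|-|administrator|203.0.113.50
2014-09-18 02:16:30|4624|-|administrator|203.0.113.50
2014-09-18 02:20:05|4720|administrator|backup_svc|-
2014-09-18 02:20:40|4732|administrator|backup_svc|-
2014-09-18 09:00:00|4625|-|webadmin|198.51.100.3
2014-09-18 09:00:20|4624|-|webadmin|198.51.100.3
2014-09-18 09:30:00|4738|webadmin|webadmin|-
"""


def parse(text):
    """Turn the pipe-separated export into records sorted by time."""
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, eid, subject, target, ip = line.split("|")
        recs.append({"time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                     "id": int(eid), "subject": subject, "target": target, "ip": ip})
    return sorted(recs, key=lambda r: r["time"])


def find_bursts(recs, threshold, window):
    """Map source IP -> all of its failed logons, for IPs that produced at
    least `threshold` failures inside some `window`-long span (sliding window)."""
    by_ip = defaultdict(list)
    for r in recs:
        if r["id"] == FAILED_LOGON and r["ip"] != "-":
            by_ip[r["ip"]].append(r)
    bursts = {}
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[ip] = fails
                break
    return bursts


def analyse(recs, threshold=THRESHOLD, window=WINDOW, followup=FOLLOWUP):
    """One alert per brute-forcing IP, enriched with the first successful logon
    from that IP after the burst and the account-management events performed
    by the logged-on account within `followup` (the "suspicious account actions")."""
    alerts = []
    for ip, fails in find_bursts(recs, threshold, window).items():
        alert = {"ip": ip, "failures": len(fails),
                 "accounts": sorted({f["target"] for f in fails}),
                 "first": fails[0]["time"], "last": fails[-1]["time"],
                 "success_as": None, "account_actions": []}
        success = [r for r in recs if r["id"] == SUCCESS_LOGON
                   and r["ip"] == ip and r["time"] >= fails[-1]["time"]]
        if success:
            who, when = success[0]["target"], success[0]["time"]
            alert["success_as"] = who
            alert["account_actions"] = [
                (ACCOUNT_ACTIONS[r["id"]], r["target"]) for r in recs
                if r["id"] in ACCOUNT_ACTIONS and r["subject"] == who
                and when <= r["time"] <= when + followup]
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in analyse(parse(EVENTS)):
        print(f"{a['ip']}: {a['failures']} failed logons against {a['accounts']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
        if a["success_as"]:
            print(f"  then logged on as {a['success_as']}; "
                  f"follow-on actions: {a['account_actions'] or 'none'}")
```

The single failure from 198.51.100.3 never reaches the threshold, so only the 203.0.113.50 burst is reported, together with the account creation and group change done by the account it logged on as.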
regarding the case scenario, with the main purpose to depict the incident response plan, the time line and how the intruder has taken control over the vulnerabilities of the affected servers.
incident impact to CLIENT 1. Two out of four systems have been compromised
The results of the findings are that there are a few shell scripts known on one hand, and on the other shell scripts unknown to the security and anti-virus community. Another important point is that even if they have removed the malicious code from
and it creates and/or modifies files. Besides the above, the impact is on more than 150 websites that have been affected by the following incident on both affected web servers.
The report finds the redirected URLs and malware types, determines the categories of malicious code, as well as assuming that the attack origins are from
event log entries, and major areas of weakness that require further investigation,
The report also acknowledges that the conducted analysis has limitations. Some of the limitations include: network traffic sniffing is not provided, and the non-infected systems are not affected - owing to a fresh install; currently there are no hosted websites.
2.2.3 Conclusion
This attack uses multiple layers of obfuscation, evasion, misdirection and restoring malware, by using any vulnerability present on the system to deliver a custom payload malware, unlike the vector malware. Likewise they are quick to deploy new exploits. As a result, in total we have identified from the affected systems that they
These attacks are currently having an impact only on two out of four systems. It seems that the exploitations are because of the vulnerabilities and disabled security services, such as operating system Windows updates, audit policy, security account manager, Windows firewall and so on. Also a highly potential exploit
tion ranking to targeted sites. Some of the attacks are well known to the security community, whereas the others are new and unknown, meaning not reported until now. Meanwhile, the initial emails that had reported the attack to the CLIENT 1 site are identified as a phishing scam.
Even though CLIENT 1 has removed the shell scripts and malicious code three times per day with a custom developed removal tool, yet the at-
and identified those actions because server X3 had limited security measures, while on server X0 it has less impact due to a few enabled security measures.
Withal, we believe that these attacks are currently originating from China; however, there are many attacks whose origin is still unknown. Ultimately they are generating revenue by boosting the SEO ranking of different sites, and in the same way they have a business impact on the CLIENT 1 sites and the business itself.
will be able to identify who is behind these attacks. Nonetheless, in this report
2.3 Case 2
2.3.1 Overview
The severity of the incident was high, while the attack type is via SQL injec-
In addition, the incident was tackled alongside CLIENT 2 employees, where specifically they have taken diagnosis actions by applying secure VPN access to the back-end site, blocking the web services used by the customer-developed mobile application (for iPad and iPhone) and performing advanced analysis in order to identify possible vulnerabilities to SQL and Cross Site Scripting (XSS) injections. Also, they deleted more than 300 obsolete files and strengthened
have conducted analysis of GET and POST queries extracted from the log files,
sequences per attack, country origin, and vulnerability scanning tools used for
concentrated on the time stamps from 1st of September until 7th of November 2014; (ii) from rigorous script log analysis we were able to determine the several types of SQL injection attacks, for instance: blind SQL injection, union queries, string concatenation and incorrect type handling; (iii) identify the IP address origin, and consequently the timestamps for each attack; (iv) determine the applications used to conduct the attacks; (v) and lastly, mobile application vulnerability, what
launched in 2005, Figure 2.3, currently having more than one million clients.
Like any e-commerce site, the platform provides client access that tracks orders, shipments, product comments, etc., shown in Figure 2.4:
The platform's website also offers a back-end office platform for Customer Service.
The site is built on the open source platform osCommerce, but according to our interlocutor it has been significantly modified to meet the company's needs.
The company that developed the site claimed that it is compliant with the PCI standard, and they underlined that the database does not contain any information
handling, and at the same time we disclosed the vulnerability scanning tools
2.3.3 Conclusion
plication. Nevertheless, the attempt was unsuccessful due to the technology im-
records from the database. Although the intruder claimed that the customer data was extracted from the database, after analysis we identified that the exposed in-
A.2.
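The Case 2 overview describes classifying the injection attempts found in the GET/POST log entries by type, source IP, timestamp and scanning tool within the 1 September to 7 November 2014 window. The script below is an added example of that kind of log triage and is not tooling from the thesis or from iWE; SAMPLE_LOG is a constructed Apache combined-format excerpt (not the incident's logs), the SIGNATURES regexes are illustrative rather than exhaustive, and the scanner user-agent markers are assumed.

```python
"""Classify SQL-injection attempts in web server access logs and attribute
them to source IPs and scanning tools (Case 2 style triage).

Added example, not tooling from the thesis or iWE. SAMPLE_LOG is constructed;
the signatures are illustrative; SCANNER_UA markers are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import unquote_plus

# Apache combined format: ip ident user [time] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
    r' [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# The four classes named in the case, matched on the URL-decoded query string.
# One request may match several classes (e.g. a quoted numeric id plus UNION).
SIGNATURES = {
    "union query": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "blind (time/boolean)": re.compile(
        r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b|\bor\b\s+\d+\s*=\s*\d+", re.I),
    "string concatenation": re.compile(r"\|\||\b(concat|chr|char)\s*\(", re.I),
    "incorrect type handling": re.compile(r"=\d+'"),  # quote appended to a numeric id
}
SCANNER_UA = ("sqlmap", "havij", "nikto", "acunetix")  # assumed tool markers

# Analysis window from the case: 1 September to 7 November 2014.
WINDOW_START = datetime(2014, 9, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2014, 11, 7, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample: a scanner run, a manual probe that triggers a 500,
# one attempt before the window, and a clean request.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2014:10:21:07 +0200] "GET /product_info.php?products_id=31%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 5123 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.7 - - [12/Sep/2014:10:21:09 +0200] "GET /product_info.php?products_id=31%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 5123 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
198.51.100.22 - - [03/Oct/2014:22:05:44 +0200] "GET /index.php?cPath=22%27 HTTP/1.1" 500 412 "-" "Mozilla/5.0"
192.0.2.5 - - [15/Aug/2014:08:00:00 +0200] "GET /index.php?cPath=22%20UNION%20SELECT%20null HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Oct/2014:11:11:11 +0200] "GET /product_info.php?products_id=31 HTTP/1.1" 200 5123 "http://example.invalid/" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with ip, aware datetime, path, decoded query, status, ua; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = rec["path"].partition("?")
    rec["path"], rec["query"] = path, unquote_plus(query)
    return rec


def classify(query):
    """Names of every injection class whose signature matches the decoded query."""
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]


def scanner_tool(user_agent):
    ua = user_agent.lower()
    return next((t for t in SCANNER_UA if t in ua), None)


def analyse(lines, start=WINDOW_START, end=WINDOW_END):
    """Per source IP: attempt count, injection classes, tools seen, first/last timestamp,
    for requests inside [start, end] that match at least one signature."""
    findings = defaultdict(lambda: {"count": 0, "types": set(), "tools": set(),
                                    "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (start <= rec["time"] <= end):
            continue
        types = classify(rec["query"])
        if not types:
            continue
        f = findings[rec["ip"]]
        f["count"] += 1
        f["types"].update(types)
        tool = scanner_tool(rec["ua"])
        if tool:
            f["tools"].add(tool)
        f["first"] = rec["time"] if f["first"] is None else min(f["first"], rec["time"])
        f["last"] = rec["time"] if f["last"] is None else max(f["last"], rec["time"])
    return dict(findings)


if __name__ == "__main__":
    for ip, f in analyse(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {f['count']} attempt(s) {sorted(f['types'])} tools={sorted(f['tools']) or '-'} "
              f"{f['first']:%Y-%m-%d %H:%M:%S} .. {f['last']:%Y-%m-%d %H:%M:%S}")
```

Country attribution for each IP, step (iii) in the case, is a lookup against a GeoIP database and is left out here so the block stays offline.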
2.4 Case 3
2.4.1 Overview
The incident occurred on 04.09.2014 around 13:00 French time, and the main impact was water leaking in the data center on one of the insured's clusters. The main impact was a faulty power fan, which was remediated immediately by the data center, and the resulting impact was that two nodes were shut down. The following case was transferred from the GMC crisis management team to provide technical analysis of the log files, by identifying the alert messages, determining the shutdown time line, affected nodes and other hardware failures. In Appendix section A.3 we present the log analysis time line of the incident occurrence and the identified failure influence,
Shortly, the contribution of the author was: (i) from the log files to identify when the hardware failure first occurred, and to determine which hardware devices were affected; (ii) establish and present the time line for several hardware failures.
The water leakage caused damage to the cluster, particularly regarding nodes 5 and 7. At the same time, a problem with NVRAM damage arose as well. The damaged parts were replaced by the support team, and then the backup was restored; however, the backup was not done correctly, therefore the impact on the insured
incident occurrence time line and affected nodes, hardware damages are noted in Figure A.3. In detail, the analysis identifies the following findings by each node and
until 13:30:25.
• For node 7, we have different failure messages, for instance: watchdog failed on CPU 0 until 7, and others. Starting from 13:04:45 until 13:10:43+2. And
2.4.3 Conclusion
The following incident occurred by water leakage in one of the insured's clusters. The impact affected two nodes, 5 and 7, and other hardware devices. The damaged parts were replaced by the support team on the same day; however, the impact to the customer was that the available backup was not in a proper state and it was not
The present chapter lays out the developed approach by using the common methods and lessons learned from the provided cyber security audits. Indeed, in the following section we devote the time to a state-of-the-art approach on well known cyber security
future audit service and finally the discovered limitations and improvements of the latest cyber security framework developed by NIST [47], presented and published with
ment and well-known security standards and frameworks. While in Section 3.1.3 we note what we are aiming to achieve and in Section 3.1.4 we emphasize our solution. In the end we conclude. Aside from the white paper, in Appendix B.1 we illustrate the map of the main functions and categories that are included in our cyber
The white paper presented in Kiev, Ukraine is titled: Standards for Information Security are inappropriate fashion to assess the risk in private companies and elsewhere.
secure their assets. However, standards are accepted as best practices, whereas frameworks are practices that are generally employed. And when it comes to measuring the risk exposure in an organization, standards and frameworks are inappropriate
today's cyber space. With this in mind we tried to tackle the problem of dis-
standards and frameworks. Also, to develop tools to identify the interaction together with the assets and the questions. And at the end to present a clear image
3.1.1 Introduction
Due to the ongoing conflict with pro-Russian militants in eastern Ukraine, the country has been confronted with a massive number of cyber-attacks. For illustration, in the beginning of August 2014, the Financial Times¹ and the security firm Symantec reported that dozens of computers in the Ukraine prime minister's office, and at least 10 of Ukraine's embassies abroad, had been infected with a virulent cyber espionage weapon and cyber-attack linked to Russia; later on, in the middle of September, the South-east European Times in Kiev² reported that due to such events, the authorities in Kiev are working on a law on cyber security
upon since the beginning of the conflict, specialists said it was influenced by one
Back in the early 80's, hacking was only considered as a simple attempt
gain [11]. After a while, when cyberspace presented opportunities using the World Wide Web, the threat landscape changed drastically, not only because of worms, viruses and so on, but also because of vulnerabilities, socio-technical issues, social engineering and exploits, too. Consequently, the financial, reputational and commercial risks that go with cyberspace presence are real and evolving every day [17].
¹ Sam Jones, August 7 2014. Ukraine PM's office hit by cyber attack linked to Russia. Financial Times. On-line: http://www.ft.com/intl/cms/s/0/2352681e-1e55-11e4-9513-00144feabdc0.html. Last checked on 29/09/2014.
² Alex Statko, September 15 2014. Ukraine strengthening its cyber security. Southeast European Times in Kiev. On-line: http://ukraine.setimes.com/en_GB/articles/uwi/features/2014/09/15/feature-01. Last checked on 29/09/2014.
In addition, several countries are launching platforms to stop cyber-attacks³, such as the financial services industry in the US, and the British Bankers Association in the UK. More within the next few years, Information Security Standards
ment and critical infrastructure industry. Likewise to standards, we also use the
year [47].
solution of how to implement them properly into an organization. Instead, their approach is based on best practices, a method for program baselining and acceptance
ing practices that have positive outcomes and are generally employed elsewhere. However, existing standards and frameworks are in fact overlapping, and are not so well acknowledged.
compliance, and carry out advanced techniques such as penetration testing and so on.
For this reason, in this paper we tackle how standards and frameworks
we discuss their differences, and introduce the reader to brief background infor-
observe available tools with supporting and opposing arguments, coupled with references for specific country requirements. Keep in mind that the focus of this paper, instead of reviewing, is only to deliver the available list of sources for country requirements. Last but not least, we discuss the problems that we experienced in the past when carrying out audits coupled with risk assessments in different
mapping the risk exposure composed of several standards and frameworks. After
quirement sources. Then we provide what we are willing to achieve and how we
solution in the fourth section. Last but not least, our conclusions are drawn in the final section.
3.1.2 Background
frameworks are that standards are accepted as best practices. Frameworks are
while frameworks are general. For example, [6] defines a framework as a guide
practices gained over time through experience and their implementation into the orga-
Practice from ISF, NERC1300 and RFC2196; and frameworks are: Cybersecurity
Anyhow, each of the above standards and frameworks is presented within a brief
cient. We presumably think that such a display of standards and frameworks will bring value to the reader, because the top standards are usually combined from the previous exercises and lessons learned (best practices). The following standards
February 2014) and the most suitable framework at the moment. It is divided
egories, and information references that describe specific cyber security activities that are common across all CII/CI sectors. However, the drawback is that it does
with socio-technical aspects (i.e. taking into account that humans are the weakest link in security [63]), yet undoubtedly it is the top-drawer standard for private
knowledge of actual attacks and effective defences of experts. They are created
open Internet. Particularly we concentrate our interest only on the quick wins categories from the total of 20 controls. The quick wins categories have the most immedi-
for the clients some of the controls were not necessary to be used. Instead,
we need to pin-point the importance of controls (such as 9, 20, and others). On one hand, they provide a ground-floor sustainable and efficient way of securing your company. However, they are not easy to implement because their focus is
against the latest Advanced Targeted Threats, with a strong emphasis on "What
tures and services are in use that have demonstrated real world effectiveness. For this reason we support the idea that the CSCs are continuing to improve. Hopefully in the near future we will see platforms and tools to keep pace with the need for
and commercial standards [65]. Nonetheless, the ISO/IEC 27000 series (also known as the `ISMS Family of Standards' or `ISO27k' for short) comprises ISS published
mation Security Management System (ISMS). However, we will discuss only the
implement, operate, monitor, review, maintain and improve the system. Also it is intended to be used along with ISO/IEC 27002, the Code of Practice for
recommendations of specific security controls. Despite the fact that this certificate is mandatory in some countries, yet it lacks coverage of new technologies, such as portable devices and bring your own device (BYOD) in organizations, and it
main approach.
COBIT [13]. The Control Objectives for Information and related Tech-
and other users to understand their IT systems and decide the level of security and control that is necessary to protect their companies' assets through the de-
lines and maturity models. Although it is very well structured and combined of a wide range of components, still we have to keep in mind that the main milestone is to offer supporting tool-sets that allow managers to fill the gap between control
technical reports, and related information that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS). The
With the main strengths that it is easy to understand and use, and designed
NIST FIS [46]. Guide for Assessing the Security Controls in Federal Information Systems, addresses the 194 security controls that are applied to a system to make it "more secure". Specifically this standard was written for
Practice published in the 1990s by the Information Security Forum (ISF) was a private document available only to its members. Later on, ISF made the full document available for sale to the general public. It contains a comprehensive list of best practices for information security, and it pursues that it is important for those in charge
requirements.
the Internet. It provides a general and broad guide overview of information security, still supporting best-practice industry processes. Within the main set for critical infrastructure protection.
consensus about what are the most critical web application security flaws. They emphasize that all companies should adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain flaws. It provides a list of the 10 most critical web application security risks. And for each risk it provides a description, examples of vulnerabilities and attacks, guidance on how to avoid them and references to OWASP and other related
web application to meet your needs, then we urge you to adopt this awareness document.
three main targeted groups' interests, for instance: private companies, govern-
(CII)/ Critical Infrastructure (CI). The motivation for this arrangement is due to the fact that neither every organization has critical information infrastructure assets, nor gov-
have as well.
tools. And when we speak about the tools, we mean tools which are either web
Thus it is worth mentioning first the web based tool available from
Inventory of Risk Management Risk Assessment methods and tools [18]. This RM/RA method offers different country specific requirements, for instance: for France Ebios and Marion, for Germany IT-Grundschutz, for Spain MAGERIT, for Italy MIGRA, for The Netherlands Dutch A&K Analysis and many other coun-
countries from methods as the main source and guide for implementation. Besides methods and tools for risk management, it gives a comparison tool which could
combined from the above mentioned Cybersecurity Framework [47]. This tool provides users with a systematic and repeatable approach for assessing the security of their cyber systems and networks. It includes both high-level and detailed
lessons learned, and complies with the country's legislative requirements. And
Security has dierent meanings, and it plays a vital role in organization. Such as,
in security are: Risk Assessment as a common part of Risk Management, and Risk
Audit which is minimizing risk at the acceptable level. Apparently, cyber threats
29
risks are becoming real and mount from a range of sources, such as: Advance
we could adjust in fact that standards are oering general advice. To a degree of:
best-known practices, understanding risk landscape and at the same time cyber
problem nor the difference between information security and cyber security. Recent
updates of the standards raised the issue of involvement of all parties, and
that by development and adaptation new national cyber security strategies are
they are not designed to identify clearly the problem and/or the weakness in
organization. Consequently, we could not define the matrix by assessing the risk,
or frameworks are more appropriate for their organization. As well as the issue
whether the organization can benefit only if those standards/frameworks are im-
when all parties are involved. As highlighted in the paper [65]: senior man-
And in fact, standards and frameworks avoid this question. Such techniques
are addressed in [40]: no matter how much we invest in and carry out
security standards and implement security technologies, the weakest link in
security in organizations will still be the human factor. And the only way to remedy
the weakest link is to constantly support awareness raising and training for each
party.
Ultimately we observed several times that they lack precision: that the
confidence and the level of trust; breaking down trade barriers and competitive
advantages for the industry; and lastly, it creates a common language when talk-
might create a false sense of security and turn into a compliance culture.
Having in mind the problems, we can solve and identify the risk exposure
to perform risk assessment or audit after cyber breaches or cyber incidents have
We then opted for selecting the best and most suitable standards and
frameworks (several ones) for audit and risk assessment. Thereupon, outcome
can be combined to build our own model to fulfil the gaps of standards and
3.1.4 Solution
Related works and literature remain quite limited. Especially, most of the re-
standards and frameworks [35, 65, 34, 62]. Nonetheless, none of them are ad-
aspects, and so forth. However, in our case, we have tackled the problem through
past experience gained from previously carried out audits and risk assessments.
cyber threat. In the meantime, we use several existing standards and frameworks
to generate the questionnaires with the aim to help identify weaknesses, vulnera-
bilities and to reduce the risk in a system. And lastly, to identify the correlation
ported by diverse business industries. For instance, for private companies, gov-
importantly, from merging and mapping standards we use existing maturity mod-
els, or other sources to assist in determining their desired levels. Such mapping
example is the SANS draft poster for Standard Mapping to the Critical Secu-
rity Controls [60]. Nevertheless, our fundamental approach has more or less
and have built-in questions not just repeatedly, but also measurable. Essential
event of cyber attacks into organizations. We have tried to engage in the problem
of what is missing and what we have learned from past audits. Consequently we
apply them in the audit, or in other words we build our own standard.
the questionnaires within organization, but also by building a tool which will
find the correlation between the assets and the questions. For illustration, if
we identify a weak password on an organization asset and they have answered the
question that complex passwords are implemented, then in this case we can identify
a weakness (complex passwords not implemented and the organization is not aware
of this issue), which will accordingly be marked as high risk, because there
will probably be other weaknesses and/or vulnerabilities too. Thus, we consider risk
standards and frameworks. For instance: ISO27k, COBIT and NIST-FIS stan-
dards, and also Cybersecurity framework and "quick wins" categories from CSC.
Together with inquiries collected from Cyber Security Evaluation Tool (CSET).
design a tool which will discover the interrelationship between the assets and the
module for organizations. And at the same time, understanding correlation be-
tween weaknesses and vulnerabilities into the systems, with tendency to business
impact. Altogether, will give clear image of what is organizational cyber risk.
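The asset-versus-questionnaire correlation described in this section, as an added worked example. This is not the thesis author's audit tool; the control names, the findings and the three-level scoring rule (contradicted claim is high, acknowledged gap is medium, uncontradicted claim is low) are assumptions made for the example, and it generalizes the single weak-password case in the text to any control that has both a questionnaire answer and technical evidence:

```javascript
'use strict';

// Questionnaire answers as the organization gave them (constructed sample):
// true = "we have this control in place".
const ANSWERS = {
  'complex-passwords': true,
  'patching': false,
  'backups': true,
};

// Technical findings gathered on the assets during the audit (constructed
// sample). Each finding names the questionnaire control it bears on.
const FINDINGS = [
  { asset: 'fileserver-01', control: 'complex-passwords', detail: 'trivial password accepted at login' },
  { asset: 'web-01', control: 'patching', detail: 'CMS version two years behind' },
];

// Rule set (assumed for this example): a finding that contradicts a "yes"
// answer means the organization is unaware of the weakness, which the text
// marks as high risk; an acknowledged gap is medium; a claimed control with
// no contradicting evidence is low.
function scoreControl(control, answers, findings) {
  const hits = findings.filter(f => f.control === control);
  const claimed = answers[control] === true;
  const assets = hits.map(h => h.asset);
  if (hits.length && claimed) {
    return { control, risk: 'high', assets, reason: 'weakness found, but the organization believes the control is in place' };
  }
  if (hits.length) {
    return { control, risk: 'medium', assets, reason: 'weakness found and already acknowledged' };
  }
  if (!claimed) {
    return { control, risk: 'medium', assets, reason: 'control not implemented; no asset evidence yet' };
  }
  return { control, risk: 'low', assets, reason: 'control claimed and no contradicting evidence' };
}

// Build the risk matrix over every questionnaire control.
function riskMatrix(answers, findings) {
  return Object.keys(answers).map(c => scoreControl(c, answers, findings));
}
```

Running `riskMatrix(ANSWERS, FINDINGS)` ranks the password control highest even though only one asset was hit, because the contradiction between answer and evidence, not the count of findings, is what the text treats as the signal that other weaknesses are likely.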
3.1.5 Conclusion
Companies are ultimately doomed if they have neither implemented nor
planned in the near future any security standard or framework for their organiza-
tion. And indeed, security plays an important role in protecting the assets of an
organization. Bear in mind that there is no single formula that can guarantee
100% security. Therefore there is a need for a set of strategy and standards to
nerabilities and threats into the systems. However, the success of cyber security
with considering the socio-technical and social engineering aspects and so on.
facing the issue of choosing the right and ideal standard/framework to meet their
needs. For this reason in this paper we have introduced the problem of standards
and frameworks coupled with the limited tools and country specific requirements.
alone, are in fact an inappropriate way to assess the risk in private com-
panies and elsewhere. And the fundamental solution for achieving such a task is
Simultaneously to develop a tool to identify the interaction among assets and the
questions.
standing the correlation between weaknesses and vulnerabilities into the systems,
likelihood the impact. Which will aim to provide clear image of what is an orga-
Security Architecture
This chapter defines the security architecture implementation by overseeing the end-
to-end solution for data at REST, mainly intended and designed for the iWE SaaS platform.
For this reason we need to adopt appropriate measures to secure customers' data
in use and data in motion, which together with data at REST define the three
databases, data warehouses, spreadsheets, etc. While data in motion deals with
to be read or uploaded. And finally, data at REST looks at inactive data stored
Anyway, the main aim of this study is to identify and validate a technical
solution for enforcing by design a very high level of protection of customer data
confidentiality, which will position the iWE platform as one of the few secure storage
and implementation in Section 4.3. While in Section 4.4 we discuss the limitation
and the advantages of our security architecture design. Last but not least, in
4.1 Introduction
In October 2014 hackers claimed that they had stolen nearly seven million Drop-
box passwords [68]. This information has been published on Pastebin, and
posted a blog post that we should never store passwords in a database, rather
rent web authentication solutions use a login form, which sends the username
Thereby in most cases, the password is sent in plain text or sometimes through an
SSL connection. On the server, the password is then hashed and compared to a
stored hash. A more advanced solution is also available, called salting, in which random bits
are added to the end of the password before it is hashed, to prevent attacks through
pre-computed hash tables [72]. However there are several major attack vectors
which are applicable to these current systems, a few of them noted in [57], such as:
brute-force hash cracking, wire sniffing, servers storing passwords insecurely (in
particular, in plain text or hashed without salting), the server itself behaving ma-
liciously or being vulnerable (Heartbleed bug), and so on. Apart from authentication,
another challenge is storing data in the cloud and providing collaboration.
possible privacy concerns are not taken into account due to lack of awareness.
As well as, most people are unaware of the infrastructure and the underlying
technology or Cloud Service Provider (CSP). Moreover, throughout the later half
of 2013, NSA's PRISM surveillance program was disclosed and it has caught
attention, and indeed increased the concern towards user privacy. Obviously,
that user data is being leaked from many large corporations (examples shown in
[21, 36]). Despite unawareness of privacy among mass people, we believe that
[38].
define the term zero knowledge proof. And zero knowledge proof has been for-
in which parties are required to prove the correctness of their secrets, with-
out revealing these secrets [28]. This challenge applies to both segments, for
the main challenge is to manage keys among different devices of the same user
and between different users [38]. We have seen in recent years that several
are [38]:
like syncing, sharing (e.g., Syme - Google chrome extension [26], Tresorit
[69], etc. );
and others).
server-side. Client-side means that each piece of data, before being transferred to the cloud
storage, is first encrypted on the client machine and then transmitted encrypted
to the targeted cloud storage, notably the keys as well. While server-side is the
data is pushed through a secured cryptographic protocol in plain text and then
email encryption, but unfortunately they have not gained much popularity, noted
in [38]. And for purpose of our study and implementation such solution is out
breaches in the news, discussions on the right to be forgotten, and on law enforce-
ment agencies' surveillance in the cloud. We need to offer to our customers, through the
iWE platform, control and transparency over how personal data is protected as
key elements for trustworthy cloud service. Therefore, there are multiple chal-
lenges to tackle, provided the multiplicity of service delivery models in the cloud
and the difficulties in tracking meta-data across the cloud middleware. One of the
existing approaches consists in using encryption to protect the data. When data
must be deleted, the encryption keys are discarded. In case of losing credentials,
sharing protected data with the group, individuals and in the company, as well.
Lastly, how to ensure that even the developers from iWE side will not have access
promising secure approaches for our end-to-end zero knowledge solution and carry
out a proof of concept supporting it. For this reason in next section we discuss
the related work, followed by the methods that we are taking into consideration
for handling data into the cloud. Then how the methods are implemented. And
Owing to surveillance and privacy issues for cloud services, in recent years end-
to-end encryption solutions for cloud services have been getting popular. In this section,
cloud services. Bear in mind that we could not cover all of them, but we have
Pedersen and Dahl [53], also known as Crypton, discussed different
ple devices, by providing high-level APIs for user accounts, robust data storage,
Node.js platform;
cloud backup solution. Such solution is implemented within
for developers and sysadmins to build, and run distributed applications. User
algorithm AES-256 through cipher feedback (CFB) mode and hash-based mes-
syncing and sharing. And the encryption keys are protected by the user password.
room. Consequently all the members of a room know the password for the room.
However, Crypton and Crypton v1.0 in fact face some weaknesses in the
key schedule algorithms when using 256-bit user keys, as noted by Yuechuan et al.
[71].
And it is designed for Wuala another encrypted cloud storage service, which
derives the master key from the user-chosen password. The master key encrypts
the root directory. While the other encryption keys reside in the parent directory
so that a user having the encryption key of a folder can access all the files and
sub-files inside the folder [38]. The implementation of Wuala uses a hybrid
P2P architecture, with an error-control method for data transmission that uses ac-
knowledgements (ARQ). In addition, it requires user-level keys and encrypts the data
with symmetric algorithms such as AES-128 or AES-256. Another advanced fea-
ture of Wuala is that when someone loses access to an item, that item needs to be
encrypted with a new key in order to prevent the former accessors from accessing the
item in future. Therefore, it uses lazy revocation [42], which allows to post-
pone this (expensive) re-encryption until the next update of the item. Engaging
measurement study has been conducted by Mager et al. [64] by emphasizing: in-
etc.), similarly protects private keys by a user-chosen password, where each file is
encrypted by a random key and each user has a public/private key pair. Ran-
dom keys are encrypted by the public keys of each user who has access to that file
and stored in the local cloud storage directory. All public keys are in the
clear and private keys are encrypted by the user password; both keys are stored on
the cloud storage server to facilitate sharing and syncing. To share a file with
other users, the file key is encrypted with the receiver's public key and submitted
to the cloud so that the receiver can retrieve the file key by decrypting it using her
private key [25, 38]. Additionally, secure file encryption uses the AES-256
standard.
using asymmetric key pair algorithm RSA-2048 applied on hash function SHA-
512. Transmission of data is done through TLS cryptographic protocol and the
invitation and key agreements are ICE and TGDH protocol [37]. The following
cloud storage provider, as well as SpiderOAK and Wuala have been examined
for weaknesses associated with their sharing functions, by performing reverse en-
gineering techniques, handled by Wilson and Ateniese [70]. For each provider
the files and directories as an archive in ZIP file format with XML comments. Second,
function that is part of RSA series, such as PBKDF2. Thirdly, data recovery
have been tackling the issue of end-to-end cloud solution with in client-side pur-
pose, and published in master thesis reports. Such as, Totolici [66] designed the
Crypstor a storage platform that addresses data security in the cloud computing
context through the use of encryption, while maintaining the desirable properties
of efficient storage and sharing. While Majumdar [38] proposes Keyfob, a
key management scheme for easy key transfer between user-owned devices, and
blocks in order to achieve its intended security properties. For example, hashing
is done via SHA-384, symmetric authenticated encryption is carried out using
of the standard [1, 15]. Symmetric signing is accomplished by HMACs, and the public
key cryptosystem (PKCS) is RSAES-OAEP [33]. And finally the key stretching
is realized by applying scrypt [55, 54] to the user's password. Whereas Key-
fob uses a high-entropy random key for encryption instead of password-derived
keys, and leverages Diffie-Hellman key exchange (DH-EKE) with weak secrets
for secure key transfer. Each user needs to manage one user-master key, and all
other keys are derived from that master key or a pairwise shared master key. It is
• Model B, accomplished by CMK using the dedicated CloudHSM (Hard-
KMS) [3], which provides available API's embedded into the AWS platform
Knowing the available cloud CSPs mentioned above, within their advantages and
and what are the possible attacks, seized from related work [70, 64, 41, 9, 38].
4.3 Solutions
Here we reveal the solutions separated into two different implementation methods,
security properties. We describe these blocks here, and how they are combined
and used. Thereby, our system requires algorithms for hashing, symmetric en-
key pairs), and key stretching. And in the end, we summarize the advantages and
4.3.1 Client-side 1
The following solution could be implemented for only one owner and one recipient.
Obviously, in a similar fashion, if we want to share the file with more than one
recipient we will need to use asymmetric encryption to encrypt the randomly generated
number with each recipient's public key and store them in the
cloud.
Hashing is done via bcrypt [56]; we selected this hash function
because it had already been implemented in the iWE platform. Sym-
metric authenticated encryption is carried out using AES-256 and symmet-
user's password.
All of the selected building blocks are used in a manner that allows for easy
replacement of any one of them, if attacks are discovered in the future. Nonethe-
Here we depict the following scenarios, and for each scenario we have
New User
3. Encrypt the private key with symmetric (AES-256) encryption with the
user password, and store them along with public key to the cloud. Public
Encryption of file
b) And store them in the cloud. If we have more than one recipient, then
2. Symmetric (AES-256) encryption to encrypt the file using the plain session
key (which is the randomly generated number) as the symmetric key. Then
upload the file to the cloud. Encryption could be done with JavaScript
key.
Advantages of the solution are that neither the developers nor the CSP will be able to access the data.
Also, the user could read the file from any device and at the same
time access the data from multiple devices. A bright side is that if a file is uploaded with
a new version, the same session key could be used to encrypt and decrypt the
file. And last, even if an intruder is able to access the server data, he will still
Disadvantages are that if the user loses their password, the data cannot be
retrieved. Also, for each file we have to generate a random session key and encrypt
it with each user's public key and upload them to the cloud. For instance,
if we have one file shared with 20 people, then we will have 20 session keys
encrypted with the public key of each recipient for one file, and so on. Last, if revocation is
required for a file, then we have to re-encrypt the file with a new session key.
4.3.2 Client-side 2
Different from the previous solution, this one uses the key derivation function and
The main building blocks are accomplished by: hashing is done via secure
encryption is carried out using the AES - 256. Symmetric signing is accomplished
function (KDF).
New User
• Generate a public/private key pair from the SPRNG, and public
• While the private key and the master key are encrypted via AES-256 under
New Group
• Encrypts (RSA) the group key with the public key for each of the intended
recipients.
• Encrypted material is then shared with the rest of the participating users
In this solution the advantages are that it allows users to change their password
without having to re-encrypt all of the data. As well, the user will be able to read
the file from any device. And it provides a revoke function for the group: if needed,
the old group key is encrypted under a prime and stored as metadata. This
On the other hand, disadvantages are, for instance, that if the master key changes
then it requires a full re-encryption of the user's files. Lastly, in group share, if
4.3.3 Client-side 3
The last client-side solution is carried out via the Crypton JavaScript framework, which
is mainly used by SpiderOak. It is developed as client-side; the server acts as a
dumb pipe to store and retrieve data. It is compatible with Node.js and many
others.
The advantages of using it are the following: it has been used
by SpiderOak as the main solution, it is open source and publicly available, the user
will be able to read the file from any device, the framework has been maintained
since 2013, and importantly they have conducted two security audits, which are
transparently available [14]. Disadvantages are that it is not well doc-
4.3.4 Server-side
Unlike the client-side solutions, here we consider only the server-side implemen-
tation, realized by an AWS solution; the available model solutions have been
explained in Section 4.2. Even though there are three possible models, for both
encryption using AWS-Managed Keys), which allows AWS to control the encryp-
tion method and the entire KMI [7, pages 12-17]. In other words, AWS provides
Such a solution has been carried out with AWS Key Management Service
(KMS), and other services that encrypt the data directly use a method called
velope symmetric key. This key should be properly stored and managed,
3. Data is encrypted with the envelope symmetric key. The encrypted data and the
solution and implementation, the client has complete ownership of the keys. Thus
Disadvantages are that, since the client has complete control of the keys, if in
any case they lose the key, the client will lose the data as well. The CSPs will not
4.4 Discussion
privacy in the cloud. Thereby encryption based approaches are classified into two
discusses the advantages and disadvantages of both types in detail in his report.
a better performance. However, the main problem is that key management and
for the iWE platform. Addressing the privacy issues for cloud services, control and
transparency over how customer data is protected are key elements for a trustworthy
cloud service. Within multiple challenges to tackle, each of them is taken into
account in our solutions. We divided our solutions into two group types, such
open source JavaScript libraries, and an open source JavaScript framework. Whole
are facing unique advantages and disadvantages, given above. Whereas for
fact that customers can not trust the CSP, as well as the solution providers, as
we are. Therefore, for the needs of the customers, we have designed zero knowledge
encryption solutions which will meet our customers' confidentiality and privacy
demands, as well as meet the usage on multiple devices simultaneously. And
if in any case an intruder gains access to the cloud storage, he would not be able to
retrieve nor read the data without knowing the user password. Likewise, neither
the developers nor CSP employees could have access to the data. However, the
downside of this implementation is that if by any chance the user loses his password,
the data is lost too. Among other things, if the user password is changed,
then the files are required to be re-encrypted, which is affecting the performance,
and so on.
4.5 Summary
Encrypting data in the cloud could efficiently protect data confidentiality and
data at REST, beneficial to the iWE platform. Available solutions are reviewed, and
hand over solutions for client-side and server-side encryption. General approaches
are discussed in Section 4.3, with their advantages and disadvantages. In
the end, we discuss the privacy and trust problem, coupled with the possible
scenario if the intruder gains access to the cloud storage, if the user loses and/or
To sum up, data confidentiality can be achieved not only if the solutions are
designed and implemented properly; a significant factor is the awareness of the
user too, that is: using complex passwords, being aware of security best practices,
and so forth.
Chapter 5
Conclusion
This report set out to demonstrate the everyday handling activities related to
5.1 Conclusion
In Europe cyber insurance is arising, and at the same time insurance companies
are starting to offer cyber insurance policies to a greater extent, in other words
risk. Freund and Jones noted later this year in their book that today
risk is the probable frequency and probable magnitude of future loss [24]. And
indeed, having this in mind, we are craving to provide solutions and services to
those issues.
devoted the period of six months to initialize and set up security laboratory
same time, during this period, we have managed to handle three cases regarding the
incident response service. Moreover, one cyber security audit was conducted for a
CII company and we designed tools for this service delivery. Last but not least,
in the meantime we have designed a cornerstone approach for placing the iWE SaaS
the competitors in the field of security, especially cyber security. Based on the
tools for future delivery. Aside from market analysis, secondly we handled several
cases and audits respectively for the already defined services. We prepared and
presented a white paper at the NATO ARW. And finally, we propose a zero knowledge
Obviously in this report we have stressed the importance of risk mitiga-
tion and risk acceptance, yet we tried to emphasize the importance of risk transfer,
too. And in reality, cyber space faces risks due to security attacks, as well as risks
due to non-security related failures (e.g., our case examples: water leak, hardware
crash, buffer overflow, hazards, etc.). However, cyber insurance agencies would
most likely insure risks only due to security attacks (e.g., data breach, malware,
In this regard we believe that the six months of the internship period were dy-
namic and extremely interesting, facing different challenges every day, and
at the same time providing effective and beneficial services to customers, without
response and digital forensics in the coming months will increase, as well as cyber
[1] NIST-FIPS PUB 197. Advanced encryption standard (aes). On-line avail-
2001. 4.2
http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html,
2014. 4.2
http://docs.aws.amazon.com/AmazonS3/latest/dev/Welcome.html,
21.02.2014. 4.3.4
[7] Ken Beer and Ryan Holland. Encrypting data at rest. Technical report,
Security and ISO 27001/ISO 27002. Kogan Page Limited, 2008. 3.1.1
[13] COBIT. Control objectives for information and related technology (cobit).
2014. 4.3.3
[15] J. Daemen and V. Rijmen. The block cipher rijndael. in smart card research
Cryptree: A folder tree structure for cryptographic file systems. 2006. 4.2
[17] Steve Durbin. Cyber crime: battling a growth industry. Financial Times,
[18] ENISA. Inventory of risk management - risk assessment methods and tools.
[20] Security for Industrial Automation, Control Systems: System Security Re-
3.1.2
[21] Forbes.com. The nsa's slideshow explaining its prism surveillance pro-
[22] Information Security Forum. The Standard of Good Practice for Information
[23] B. Fraser. Site security handbook. network working group and internet en-
[24] Jack Freund and Jack Jones. Measuring and Managing Information Risk: A
https://chrome.google.com/webstore/detail/syme/kebgjahkgfpaeidbimpiefobehkjmani.
to-end/, 2014. 2
https://code.google.com/p/crypto-js/. 2
http://blogs.intralinks.com/collaborista/2014/05/sensitive-information-
dia University Montréal, Québec, Canada, September 2014. 4.1, 4.1, 4.2
[39] James Manger. A chosen ciphertext attack on rsa optimal asymmetric en-
[40] Ian Mann. Hacking the Human: Social Engineering Techniques and Security
[41] Manuel Leithner Markus Huber Edgar Weippl Martin Mulazzani, Sebas-
tian Schrittwieser. Dark clouds on the horizon: Using cloud storage as attack
vector and online slack space. Presentation by SBA Research, 2011. 4.2
[42] Christian Cachin Michael Backes and Alina Oprea. Secure key-updating for
[43] Tom Moertel. Never store passwords in a database! Blog post, On-
line: http://blog.moertel.com/posts/2006-12-15-never-store-passwords-in-a-
[46] NIST. NIST SP 800-53 Rev. 4: NIST Special Publication 800-53 Revision
4, Security and Privacy Controls for Federal Information Systems and Or-
3.1.2
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-
[49] Council on Cyber Security. The critical security controls for eective cyber
controls/CSC-5.pdf. 3.1.2
[50] OWASP. The open web application security project. On-line available, 14
[53] Cam Pedersen and David Dahl. Crypton: Zero-knowledge application frame-
[57] Alexander Lin Ryan Cheu, Patrick Yang and Alexander Jae. Narwhal: An
1985. 4.1
[60] SANS. Nerc cip standard mapping to the critical security controls - draft.
[61] Thomas Muders Matthew Smith Sascha Fahl, Marian Harbach. Confidentiality as a service - usable security for the cloud. 2012 IEEE 11th International
tions, 2012. 3
[62] Razieh Skeikhpour and Nasser Modiri. An approach to map cobit processes
Journal of Security and Its Applications Vol. 6. No. 2, April 2012. 3.1.4
[63] Predrag Tasevski. Interactive Cyber Security Awareness Program. LAP Lam-
[64] Ernst Biersack Thomas Mager and Pietro Michiardi. A measurement study
of the wuala on-line storage service. IEEE P2P 2012, 2012. 4.2
and Distributed Systems, vol. III, no. 3, 2011. 3.1.2, 3.1.3, 3.1.4
[66] Alexandru Totolici. Crypstor: A platform for secure storage. Master's thesis,
[68] Dylan Tweney. Hackers claim they have stolen nearly 7 million dropbox pass-
hackers-claim-they-have-stolen-nearly-7-million-dropbox-passwords/, Octo-
https://tresorit.com/business/upgrade?free-trial&gclid=CMmJ0-
Lsx8ICFcvpwgodFUsABw. 1, 4.2
[70] Duane C. Wilson and Giuseppe Ateniese. "to share or not to share" in client-
[71] Bing Sun Yuechuan Wei, Chao Li. Related-key impossible differential crypt-
[72] Minqi et al Zhou. Services in the cloud computing era: A survey. Universal
Incident Response
The following Appendix section provides a further details regarding the services
A.1 Case 1
In Figure A.1 we have illustrated the Incident Response Plan for Case 1. The main
A.2 Case 2
A.3:
Figure A.3: Case 2: Log analysis: GET requests, identifying IP address, time
stamp (starting and ending point on the attack), which application
is used for attacking purpose, country ISO code, category and type
of attacks.
From the above figure we can identify that the first attack was on Septem-
platform used by the insured was identified, Figure A.4. The following exploits
are from the Exploit-DB website.
Finally, we were able to identify the following types of SQL injection used
to exploit the web site vulnerability: blind, union queries, string concatenation
and incorrect type handling. Among the types of attacks we were also able to
identify what vulnerability scanning tools were used to exploit the web site, such
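The log analysis carried out for Case 2 (GET requests per source IP, first and last timestamp, injection type, and the scanning tool behind the request), as an added example of how such triage can be scripted. The log lines are constructed for the example and are not the insured's traffic; the regular expressions for the four injection types and the user-agent signatures for the tools named in the footnotes are assumptions, and the script generalizes the case to a per-IP summary over any access log in the combined format:

```javascript
'use strict';

// Constructed sample access-log lines (combined log format), not real traffic.
const SAMPLE_LOG = `
203.0.113.5 - - [14/Sep/2014:10:01:02 +0200] "GET /product.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Sep/2014:10:01:09 +0200] "GET /product.php?id=12' HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Sep/2014:10:01:15 +0200] "GET /product.php?id=12%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 7710 "-" "sqlmap/1.0-dev"
203.0.113.5 - - [14/Sep/2014:10:02:41 +0200] "GET /product.php?id=12%20AND%20SLEEP(5) HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev"
198.51.100.7 - - [14/Sep/2014:11:30:00 +0200] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Sep/2014:11:30:05 +0200] "GET /product.php?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 200 9001 "-" "Havij"
`.trim();

// ip, timestamp, method, path, status, user agent.
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;

// One pattern per injection type named in the case description (assumed patterns).
const INJECTION_TYPES = [
  { type: 'union queries', re: /\bunion\b[\s\S]*\bselect\b/i },
  { type: 'blind', re: /\b(sleep|benchmark|waitfor\s+delay)\b\s*\(?/i },
  { type: 'string concatenation', re: /'\s*(or|and)\s*'|\bconcat\s*\(/i },
  { type: 'incorrect type handling', re: /\d+'(?:$|&)/ }, // numeric value ending in a stray quote
];
// User-agent fragments of the tools the footnotes name.
const TOOL_SIGNATURES = [/sqlmap/i, /havij/i, /acunetix/i];

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: safeDecode(m[4]), status: Number(m[5]), agent: m[6] };
}

// Which injection types the query string shows, and which tool signed the request.
function classify(req) {
  const query = req.path.split('?')[1] || '';
  const types = INJECTION_TYPES.filter(t => t.re.test(query)).map(t => t.type);
  const tools = TOOL_SIGNATURES.filter(re => re.test(req.agent)).map(re => re.source.toLowerCase());
  return { types, tools };
}

// Per source IP: first and last suspicious timestamp, request count,
// injection types seen and tools identified. Clean requests are ignored.
function analyzeLog(text) {
  const report = {};
  for (const raw of text.split('\n')) {
    const req = parseLine(raw.trim());
    if (!req || req.method !== 'GET') continue;
    const { types, tools } = classify(req);
    if (!types.length && !tools.length) continue;
    const e = report[req.ip] ||
      (report[req.ip] = { first: req.time, last: req.time, requests: 0, types: new Set(), tools: new Set() });
    e.last = req.time;
    e.requests += 1;
    types.forEach(t => e.types.add(t));
    tools.forEach(t => e.tools.add(t));
  }
  return Object.fromEntries(Object.entries(report).map(([ip, e]) =>
    [ip, { ...e, types: [...e.types].sort(), tools: [...e.tools].sort() }]));
}
```

The first flagged request, not the first request from the address, gives the start of the attack window, which is the distinction the case timeline needs; a real log would also be joined against the country lookup the figure shows, which this example leaves out.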
A.3 Case 3
For better understanding of the log analysis, and what had happened, we have pro-
1 Exploit-DB: http://www.exploit-db.com/search/?action=search&filter_page=1&filter_description=oscommerce&filter_exploit_text=&filter_author=&filter_platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=&filter_cve=. Last checked 10/12/2014.
2 Acunetix: https://www.acunetix.com/. Last checked on 09/12/2014.
3 Havij Advanced SQL Injection: http://www.itsecteam.com/products/havij-advanced-sql-injection/. Last checked on 09/12/2014.
4 sqlmap: automatic SQL injection and database takeover tool, http://sqlmap.org/. Last checked on 09/12/2014.
Here we provide further details regarding the built and developed cyber security
The cyber security audit tool (see Figure B.1) identifies the four essential processes
of our developed tool for the cyber security audit service. For instance functions
cyber attacks into organizations. Such a methodological approach was seized from the
NIST Framework [47]. Among the functions we additionally added several other
categories, which in our opinion were missing from the framework and will lead
to customers' needs, and at the same time bring more value and be in fact
beneficial and efficient by covering the latest technologies and threats, such as,
Security Architecture
Table C.1 compares different existing solutions. Here for each secure cloud stor-
are their requirements, and lastly the possible attacks, such as: brute force pass-
word attack, replacing public keys, counterfeiting certification, and N/A means
not applicable, because we were not able to find any related work regarding the
C.2 Solutions
C.2.1 Client-side 1
C.2.2 Client-side 2
C.2.3 Server-side