Post Master Report TASEVSKIv3

See discussions, stats, and author profiles for this publication at: https://www.researchgate.
net/publication/279847563
Cyber Security Researcher - Internship report at iWE
Thesis · January 2015

DOI: 10.13140/RG.2.1.3141.7443
CITATIONS READS
0 3,106
1 author:
Predrag Tasevski
14 PUBLICATIONS 26 CITATIONS
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
Cybersecurity in the Western Balkans: Policy gaps and cooperation opportunities View project
All content following this page was uploaded by Predrag Tasevski on 07 July 2015.
The user has requested enhancement of the downloaded file.

Cyber Security Researcher
Internship at iWE
Predrag TASEVSKI
A thesis submitted in
fulllment of the requirement for the award of the
Degree for Post - Master of Security in computer systems and communications
Networking and Security Department at
EURECOM, France
08 JANUARY 2015
I hereby declare that this thesis entitled Cyber Security Researcher at iWE is
the result of my own research except as cited in the references. This thesis has
not been accepted for any degree and is not concurrently submitted in
candidature of any other degree.
Signature :
Student : Predrag TASEVSKI
Date : 08 January 2015
Academical Supervisor: Prof. David BALZAROTTI
Company Supervisor: Christophe LAYE
iii
iv
For my beloved niece, So ...
v
vi
Acknowledgement
At the very beginning, I would like to thank my adviser Christophe LAYE. Who
gave much valuable advice and review in the early stages of this internship. Ad-
ditionally his continuous availability and guidance helped me the most to nish
this internship and the report. I am grateful to him for introducing me to the
research world regarding cyber insurance, security and feeding me the basics of
this world. Moreover, he gave his attention to almost all of my requests, which
shows his great kindness. I feel very lucky to have him as my supervisor.
I also like to thank all other company members of iWE, as well as
Graduated School and Research Center in Communication Systems - EURE-
COM. I really enjoyed and learned a lot from the courses that I attended dur-
ing my post-master's program. I would like to show my gratitude to prof.
David BALZAROTTI and prof. Aurélien FRANCILLON for their insightful
advice, along with others. Among the sta, also I would like to thank to Labex
UCN@SOPHIA scholarship.
At the end, I would like to acknowledge the unconditional aection and
continuous support of my parents and sister in my life. They always fulll all my
silly demands and keep faith on my abilities. They have always been the best
inspiration in my life. This report is devote to my lovely niece, So. Who joined
us in this world while I was in internship and writing this report.
Predrag TASEVSKI, Sophia-Antipolis, France
vii
viii
Abstract
Cyber security is considered as appropriate means of cyber crime, cyber risk,
insurance, and awareness to absorb nancial impact caused by computer security
breaches. Since rst computer incident we have been debating in which way that
cyber security can be adapted to match the threats, vulnerabilities and losses by
have impact on our world. Nonetheless, this report is demonstrating internship
work-ow from July until December 2014. Keep in mind that this is just small
selected segments of what we have tackled during the internship period.
In a meantime, we provide company overview, followed by the internship
description and core objectives. Then we state the author contribution to the
period of internship and the report, too. Further we notably discuss the overview
of delivered services and their input. For instance: Incident Response and digi-
tal forensic service, along within conveying cases; followed by the attendance to
NATO Advanced Research Workshop in Kiev, likewise presented white paper re-
garding the cyber security audit service; least but not least, research contribution
to develop secure architecture for end-to-end data at REST solution in cloud for
iWE platform.
Moreover, we have discussed the importance of cyber security, cyber
insurance, cyber risk, coupled with the obedient approach of computer and in-
formation security. And nally, we conclude by pointing the accent to hence risk
transfer, or in other words cyber insurance industry.
ix
x
Résumé
La cybersécurité est considérée comme un moyen approprié pour combattre la
cybercriminalité , an de dimunier les cyber risques, l'assurance , et la sensibil-
isation pour absorber l'impact nancier causé par les violations de la sécurité
informatique. Depuis le premier incident informatique , nous avons débattu de
quelle manière la cybersécurité peut être adapté pour répondre aux menaces , les
vulnérabilités et les pertes par avoir un impact sur notre monde. Néanmoins ,
ce rapport démontre le ux de travail à partir de Juillet jusqu'à Décembre 2014.
Gardez à l'esprit que ce est seulement de petits segments choisis de ce que nous
avons abordé au cours de la période de stage.
Dans un même temps , nous vous fournissons un aperçu de l'entreprise ,
suivie par la description de stages et les objectifs fondamentaux. Ensuite , nous
vous exposons notre contribution à la période de stage et le rapport , aussi. En
outre , nous discutons notamment la liste des services oerts et de leur entrée. Par
exemple : réponse aux incidents et le service médico-légal numérique , le long dans
les cas de transport; suivie par la participation à l'atelier de recherche avancée
de l'OTANa Kiev , est également présenté le livre blanc sur le service d'audit de
sécurité de cyber; et surtout le rapport de la contribution sur la recherche pour
développer une architecture sécurisée pour les données de bout en bout à une
solution de REST dans les nuages pour la plateforme iWE.
En outre , nous avons discuté de l'importance de la cybersécurité ,
l'assurance cyber , le risque de cyber , couplée avec l'approche obéissant de la
sécurité informatique et de l'information. Et enn , nous concluons en pointant
l'accent sur transferts a hauts risques l , ou en d'autres termes: industrie de
l'assurance cyber.
xi
xii
Contents
Declaration iii
Dedication v
Acknowledgement vii
Abstract ix
Résumé xi
List of Figures xv
List of Tables xvi
List of Appendices xvii
List of Symbols xxi
1 Introduction 1
1.1 Company Overview 1
1.2 Internship Description 3
1.3 Internship Objectives 5
1.4 Contribution 5
1.5 Outline 7
2 Incident Response 9
2.1 Service Description 9
2.2 Case 1 12
2.2.1 Overview 12
2.2.2 Executive Summary 13
2.2.3 Conclusion 14
2.3 Case 2 15
xiii
xiv
2.3.1 Overview 15
2.3.3 Conclusion 17
2.4 Case 3 17
2.4.1 Overview 17
2.4.3 Conclusion 19
3 Cyber Security Audit and Awareness 21

3.1 White paper 21
3.1.1 Introduction 22
3.1.2 Background 24
3.1.3 What to achieve? 28
3.1.4 Solution 30
3.1.5 Conclusion 32
4 Security Architecture 33
4.1 Introduction 34
4.2 Related Work 36
4.3 Solutions 40
4.3.1 Client-side 1 40
4.3.4 Server-side 44
4.4 Discussion 45
4.5 Summary 46
5 Conclusion 47
5.1 Conclusion 47
Bibliography 49
List of Figures
2.1 Incident Handling Flow. 10
2.2 Incident Response Handling Process. 11
2.3 Dxxxxx.fr website screen-shot. 16
2.4 Dxxxxxx.fr tracking order form - screen-shot. 17
A.1 Case 1: Incident response plan and time line. 60
A.2 Case 1: Vulnerability attacking owchart. 61
A.3 Case 2: Log analysis: GET requests, identifying IP address, time
stamp (starting and ending point on the attack), which application
is used for attacking purpose, country ISO code, category and type
of attacks. 61
A.4 Case 2: Exploit-DB, list of osCommerce exploits. 62
A.5 Case 3: Log analysis time line. 63
B.1 Cyber Security Audit TOOL map. 66
C.1 Client-side 1: Key generation for a new user. 69
C.2 Client-side 1: Encryption of le - sender. 69
C.3 Client-side 1: Decryption of le for the recipient. 70
C.4 Client-side 2: Key generation for a new user. 70
C.5 Client-side 2: Key generation for a new group. 71
C.6 Server-side: Envelope encryption [7]. 71
xv
List of Tables
C.1 Comparing dierent existing solutions for secured cloud storage. 68
xvi
List of Appendices
A Incident Response 59
B Cyber Security Audit 65
C Security Architecture 67
xvii
xviii
List of Symbols
AES Advanced Encryption Standard
API Application Programming Interface
APT Advance Persistent Threats
ARQ Automatic Repeat reQuest
ARW Advanced Research Workshop
AWS Amazon Web Services
BYOD Bring Your Own Device
CI Critical Infrastructure
CII Critical Information Infrastructure
CIP Critical Infrastructure Protection
CloudHSM Hardware Security Module
COBIT The Control Objectives for Information and related Technology
CSC Critical Security Controls
CSET The Cyber Security Evaluation Tool
CSP Cloud Service Provider
DH-EKE Die-Hellman key exchange
DSS Data Security Standard
ENISA European Network and Information Security Agency
xix
xx
GCM Galois/Counter Mode
HMAC Hack-based message authentication code
IACS Industrial Automation and Control Systems
ICE Interactive Connectivity Establishment
IEC International Electrotechnical Commission
IRAP Incident Response and Action Plan
ISACA Information Systems Audit and Control Association
ISF Information Security Forum
ISMS Information Security Management System
ISO International Organization for Standards
ITGI IT Governance Institute
JSON JavaScript Object Notation
KMI Key Management Infrastructure
OWASP Open Web Application Security Project
P2P Peer-to-peer
PBKDF2 Password-Based Key Derivation Function 2
PCI Payment Card Industry
PDCA Plan-Do-Check-Act
PGP Pretty Good Privacy
PKCS Public Key Cryptosystem
RA Risk Assessment
RFC Request For Comments
RM Risk Management
S/MIME Secure/Multipurpose Internet Mail Extensions
SaaS Software as a Service
SEO Search Engine Optimization

xxi
SHA Secure Hash Algorithm
SPRNG Secure Pseudo-Random Number Generator
SRP Secure Remote Password
SSL Secure Sockets Layer
TGDH Three-based Group Die-Helman
TLS Transport Layer Security
VPN Virtual Private Network
XML Extensible Markup Language
XSS Cross Site Scripting injection

Chapter 1
Introduction
The present chapter describes the company overview, followed by the internship
description and its objectives. Than the author notable highlights his contribu-
tion during six months of internship period, and in the end we provide the outline
of this report.
1.1 Company Overview
iWE is a software company specialized in SaaS applications development and
cyber security as a spin-o of GM Consultant (GMC). The company was founded
in 2013. Moreover, GM Consultant is a French leader company within more than
200 employees, specialized in risk since 1999. Main objective of the company
is to take care of cases involving professional liability or damage claims, either
in the judicial system or as claims management. Thereby, initial idea for iWE
was to be created for internal use for GMC, so for this reason the Research
and Development (R&D) team was established and it is located in EURECOM
premises. Additionally, the company headquarter is based in Paris region.
Along with development, additionally iWE has initiated security labora-
tory within main mission to be recognized cyber security company by delivering
services in this eld for cyber insurance premiums (discussed below) and in syn-
chronous to build Security Excellence Center. The vision of the company is
through their services and R&D to lead cyber-risk at accepted level composed by
insurance and assessment.
1
2
In this regards, cyber insurance has been identied as potential tool for
eective risk management. And it is a risk management technique via which
network user risks are transferred to an insurance company, in return for a fee,
i.e., the insurance premium. Likewise cyber insurance enthusiast believe that
it would lead to the design of insurance contracts that would shift appropriate
amounts of self-defence liability to the clients, thereby making the cyberspace
more robust [51]. Apart from transferring the risk, also in risk management
there are risk acceptance and risk mitigation techniques. Insurance premium is
oered by insurer/insurance and the client is insured in further content of this
paper.
Moreover, aside of GMC oers, such as: claims management and loss
adjustment, iWE is introducing dierent services and software solutions, divided
into two main aspects: services and R&D. For instance:
• Services:
Pre-Audit Assessment, by delivering Security Risk Assessment and
Source Code Audit.
Incident Response Support, delivering digital forensics, penetration
testing and assists as emergency response team.
• Research and Development:
Prediction and/or forecast cyber-risk exposure by brand-new rating
methodology and tools.
Security architecture providing zero knowledge end-to-end cloud solu-
tion for the iWE platform.
Pre-Audit assessment service preliminary covers the security risk assessment, by
concentrating in two elds, such as, architecture and source code audit. In ar-
chitecture we primarily identify vulnerabilities and potential threats by applying
adequate countermeasures. At the same time assess Critical Information Infras-
tructure (CII) and Critical Infrastructure (CI). Obviously, the following service is
compliance with best practices, security standards, and frameworks, for instance:
Open Web Application Security Project (OWASP), Payment Card Industry Data
Security Standard (PCI) and International Organization for Standards for Infor-
mation Security Management System (ISO/IEC 27K), but not limited. Further
3
details are disclosed in Chapter 3.
In addition to pre-audit assessment services, company distinguished the
incident response support. Within main focus on the analysis of a system or a
network that has been compromised. And often involves some mitigation and it is
specied for systems suspected to be the victim of a crime or damage. Otherwise
provides the following solutions:
• Digital Forensics, with in main objectives of: acquisition, examination and
analysis, for instance: data, network, disk/le system, memory, mobile,
database, allocation, images, and etc. Consequently with center of attrac-
tion to digital evidence, restoring artefacts and reporting.
• Penetration Testing, by delivering two type of services, for example: black-
box (by performing manual pen-test in higher level testing) and gray-
box/white-box testing (performing either automatic or manual lower levels
testing). And in the end producing the nal report which is stating all
founding.
• Emergency Response Team, by delivering on and/or o site emergency re-
sponse to attacks and threats.
Along the above services, the company also provides research and development.
Ultimately, by constituting the prediction and/or forecast model for cyber-risk
exposure rating in comparing statistics and reality. Such as, lowering the cost of
loss for insured and reducing the likelihood and magnitude of those losses for the
insurer of potential risk. Likewise, the aggregation of lowering level to enterprise
CI/CII level. Subsequently, we also research event correlation techniques, by
discovering, monitoring, diagnosing, identication of vulnerabilities and threats,
through continues security bulletins publication. Simultaneously, part of iWE
platform SaaS solution, we have developed a state-of-the-art approach for se-
cure architecture for end-to-end cloud encryption solution, further discussed in
Chapter 4.
1.2 Internship Description
Today cyber crime is a massive challenge of cyber security technologies. Within
this in mind, we should all be talking about how to achieve holistic globalization
4
approach to cyber security, awareness and risk. Indeed, we need to be actively
debating respectfully in which ways cyber security can be adapted to match the
threats, vulnerabilities and the loss/impact that we face in our interconnected
world.
Withal above, cyber security internship started in begging of July until
the end of December 2014. Since then, we have started working in dierent
problematic aspects, such as: (i) engaging with business meeting discussions to
establish the company vision, mission and goals respectfully to security laboratory
and cyber security services - discussed in next subsection; (ii) deeply on how we
could ensure and provide security controls reecting the asymmetrical character
to cyber risk assessment, cyber insurance, international standards and build risk
assessment tool, and at the same time conduct cyber risk audit for customers; (iii)
employing procedures for oering incident/attack response - sample and overview
of Incident Response cases are disclosed in Chapter 2, and (iv) providing control
and transparency over how data is protected and build security architecture for
trustworthy cloud service providers (CSP), presented in Chapter 4. Moreover, in
Chapter 3 we pose published white paper presented in NATO ARW (Advanced
Research Workshop - (ISEG.NUKR.ARW 984708)), titled: Strengthening Cyber
Defence for Critical Infrastructure held in Kiev, Ukraine from 30 until 31 of
October 2014. Additionally to the publication, also the author contributed to
panel discussion, topic: Security standards in private companies.
Notably the innovative objectives of the company are: to provide services
and to continue on research and development; main objective services are: audit
assessment and incident response support. Audit assessment oers the cyber risk
assessment tool and source code audit. Where digital forensics, penetration test-
ing and emergency response team are part of incident response support. Among
the services, also the company objectives are to continue and to poor time in
R&D, particularly in prediction and/or forecast of cyber risk, cyber insurance
by exposure rating, and correlation event methodologies and tools, as well as
end-to-end cloud encryption for their platform.
In this report we would like to stress and provide several of the above
mentioned aspects-cases that we have handled during this period of time. Re-
spectfully, in Chapter 2 we have attached overview description of Incident Re-
sponse Reports, by performing incident response, such as static analysis, log
analysis, and so forth.
Additionally to incident responses, author has draw attention, high-

5
lighted in Chapter 3, second most adequate service oering by the company -
Cyber Security Audit. Within this service we have presented white paper titled:
Standards for Information Security are inappropriate fashion to assess the risk
in private companies and elsewhere . Specially this thesis has been developed
with the previous performed audits and its lesson learned, and at the same time
fundamental approach for future delivery of the service. Meanwhile, future action
plans and what is an outcome, has been noted.
Among the above services, also the author contributed in security ar-
chitecture research topic, providing zero-knowledge data at REST for iWE SaaS
platform. Such details are noted in Chapter 4 of this report.
1.3 Internship Objectives
In the longer run, main objectives and aim of this internship are to:
Step 1: Service Design. Studying current services and proposal of the company
to establish new strengthen services based on research on existing cyber
policies. Furthermore, to identify and draft processes for key services. Main
outcome and deliverable are: market analysis, service delivery pack (e.g.
slide decks, surveys, etc.) and so forth.
Step 2: Enabling and Delivering Services. Taking participation to service deliv-
ery. Followed by identifying and if required building tools to support service
activities. The outcome and deliverable for the step are: gain hands-on and
practical experience of cyber cases.
Step 3: Lessons Learnt, subjects to further investigations and/or research. Hence,
identifying operational issues and potential improvement areas for the ser-
vices. In addition, to make sure delivering repeatable services, which are
based on previous outcomes, and least identify research area of interests.
1.4 Contribution
At rst, we identify the various activities within their relation of how are related
to each other, from: pre-sales, awareness training, pen-testing, forensics, incident
response, identify the competitors, market analysis and so on. Consequently, we

6
dened the iWE security laboratory services, mission and vision, moreover objec-
tives and prospective partners. Among the preliminary business development and
establishment, also during the internship have attended several business meeting,
and taking actions of hence development and services. Additionally, our work also
was focused on research targeted features and challenges to facilitate end-to-end
encryption for iWE SaaS platform. For this purpose we design and implement
security architecture solution for zero-knowledge data at REST, which provides
data protection, password verication and data recovery explanation.
Main contributions of internship are as follows:
1. We designed and identied the main objectives of the company services. By
introducing contemporary service, research and development objectives, as
consequence of market analysis, recognizing the competitors in the eld
of security, specially to cyber security. Thereby, we have determined the
security laboratory, in fact, main services and research and development
plan.
2. During the six months, author had an opportunity to attend to several
business meetings, for already existing or potential clients. Such clients,
were insurance companies oering cyber insurance policies. Meanwhile, he
was engaged in discussions to identify the challenges regarding cyber insur-
ance, as well as processed slide-show presentations within main intention
to demonstrate company technical skills, for example: incident handling
process, pen-testing, digital forensics, etc.
3. Establishment and structure of procedures and process for dierent services.
Whereas, main intention was to build customer trust and particularly to
be more ecient and benecial to customer needs. Likewise to produce
supported templates for future service release and/or delivery.
4. Studying of current available solutions respectfully to cyber security, cy-
ber insurance, risk assessment, data breaches, security in cloud, and many
others. And oversee imposture to design and develop cornerstone approach
relying on research exposure and lessons learnt.
5. In the meantime, author has contributed in technical delivery of services.
For instance, incident response cases, advanced analysis of log les, dynamic
and static analysis, remote support and provide rst time response when
there is data breach detected and/or reported, and so forth.

7
6. Lastly, dedicate research task to design and build security architecture
for iWE SaaS platform by carrying out end-to-end data at REST, zero-
knowledge encryption solution for cloud based client-side and server-side
architecture.
1.5 Outline
The rest of this report is organized as follows. Chapter 2 covers the overview
description of Incident Response service, by delivering real-case scenarios which
were handled during internship period. In Chapter 3, we rst illustrate the cyber
security audit services, and then present the published white paper for NATO
ARW in Kiev, hence we distribute the cyber security audit tool map in Appendix
B.1. Chapter 4 includes research solution, contribution to implement and design
secure architecture for end-to-end data at REST solution. Subsequently, we dis-
cuss the related work, method, implementation and discussion of the solution.
Lastly, we conclude and future work are placed in Chapter 5.

8
Chapter 2
Incident Response
Following section presents a small overview portion of reports, and distributes
the incident response cases handled. First we introduce the service description
within the handling processes and work ow. Sections 2.2, 2.3 and 2.4 provides
an overview description of incidents (i.e. cases), that we have tackled during the
internship. However, due to condentiality we do not disclosed the clients names.
Nevertheless, we provide for each case what type of company was, what were the
root causes of the incident and/or fraud, impact, executive summary with nding
problems, facts and gures, and lastly we provide the conclusion for the incidents,
and arise lessons learnt. In total we have tackled three dierent cases.
2.1 Service Description
When incident occurs, the following handling process is taken into account:
1. Incident is reported from Insured to Insurance, through Data Breach Team.
2. Insurance Data Breach Team lters and selects vendor and informs iWE/GM
Consultant, crisis management team about the incident.
3. Crisis Management team preliminary step is to identify if this incident could
be handled by iWE IT Security team or not. In addition GMC can when-
ever it is necessary trigger legal activities, such as, evidences preservation
and so on.
9
10
4. iWE emergency response team receives the incident and follows the process
detailed by Incident Response Handling Process, shown in Figure 2.1. After
initial preparation phase, iWE response team builds an Incident Responses
Plan and communicates on daily basis with insured about activities and
progress in regards to this plan. In addition, an executive summary (named
Feedback ) document is also communicated with the insurance. When
examination (i.e, via static or dynamic analysis) is completed the iWE
response team recommends to insured some remediation actions. Finally,
iWE response team publishes an Incident Report including investigation
steps, remediation actions and analysis of potential root causes. This report
is distributed to both parties.
5. After few days, iWE expects from Insured or/and Insurance to receive an
acknowledgement agreed upon that incident has been remediated and that
by consequence this incident case can be closed.
Figure 2.1: Incident Handling Flow.
Figure 2.1, demonstrates the ow and it is stepwise approach that GMC-
Consultant (Crisis Management) together with iWE (Response Team) has devel-
oped for handling cases.
Keep in mind, that also GMC Consultant could provide to the insurance
loss adjusting service.
Among all, insurance data breach team are constantly informed and up-
dated with latest information regarding the incident.

11
Moreover, response time for any incident and the handling process is
displayed in Figure 2.2.
Figure 2.2: Incident Response Handling Process.
In Figure 2.2 is illustrated that from the day 0 when GMC-Consultant
reports the incident to iWE, iWE response team will assist to insured sta in
order to attempt to remediate/reduce the incident remotely or internally, if it is
possible.
For further analysis the iWE response team needs to get the data acqui-
sition either on side or remotely. When the image data acquisition is received in
iWE laboratory, then the investigation starts by creating Incident Response Plan
(IRP).
The following plan is send on daily basis and communicates with the
customers (i.e., insured and insurance) for gathering further information's and
delivering the action plan.
The examination has been started since the examiner team has enough
information by performing binary analysis, and depending on the incident / threat
static and / or dynamic reverse engineering analysis. By gathering all the
artefacts and the ngerprint of aected systems / devices, then the team creates
a recommendation list of remediation actions that are required to be taken by the
customer to mitigate the impact. The examiner team just recommend an action
12
plan, they do not implement it. Otherwise it could be additional service - in this
case IT Security Consulting.
When the threat is contained the iWE distributes technical Final Report
to the customer and to GMC Consultant, with the root cause and so on. Usually
depending on the incident and the location of the customer data, this entire
process takes around 5 to 20 days.
Additionally to the forensics and incident responses services, the team
has also well qualied knowledge in delivering IT Security consulting services, for
example: risk assessment, risk management, cyber security audit and others.
2.2 Case 1
2.2.1 Overview
Incident was detected on 02.06.2014, consequently reported on 24.07.2014. The
severity impact was high and the type of incident was malware (redirect malicious
code, or in other words conditional malware). Moreover, the incident aected two
out of four servers of the insured, and the business impact was that more than
100 websites hosted on two aected servers are not visible due to conditional
malware that is redirecting the content to dierent sites by leveraging trac for
SEO purpose.
Anyhow, after the deliverable we setup meeting to discuss the reections
regarding what went wrong and advantages. As a disadvantages we emphasize
the data acquisition process that is too slow, and at the same time the insured
personal was not so technically knowledgeable to perform network capturing traf-
c for advance analysis. After all, advantages are that we established a procedure
to be deliver every day after 16:00 to the customer, dened such as Incident Re-
sponse and Action Plan (IRAP) report, and perform remediation action from the
rst day.
In short, contribution of the author regarding this case was: (i) from
backup of aected systems to identify the protection in place, such as, which
security services were enabled and disabled, running Windows Web Server 2008
R2 operating system; (ii) identify which communication ports are open, and
network vulnerability if are potentially risky. (iii) determine dierent shell scripts
13
1
and submit them in VirusTotal database to identify their identity; (iv) identify
dierent types of suspicious code, les and URLs and classify them such as, shell
scripts, Trojan infection, le permission manipulation, malicious code and script,
redirect code, and established the number of aected les; and lastly (v) from
logs analysis we have discovered brute force attacks and suspicious user account
actions.
In the following subsections we distribute the executive summary and the
conclusion, while in Appendix 5.1, we provided additional details and illustrations
regarding the case scenario. With main purpose, to depict the incident response
plan, time line and how the intruder has taken control over the vulnerability of
aected servers.
2.2.2 Executive Summary
This report provides an incident response and remediation measures of business
incident impact to CLIENT 1. Two out of four systems have been compromised
within conditional malware by redirecting CLIENT 1 website to dierent URLs

with main purpose in mind to leverage the trac for SEO purpose.
Results of ndings are that there are few known shell-script on one hand,
and on the other unknown shell-script to the security and anti-virus community.
Another important point is even if they have removed the malicious code from
aected system, the attack is reproducing. Thus that it is remotely controlled
and it creates and/or modies les. Besides above, the impact is on more than
150 websites that have been aected by the following incident in both aected
web servers.
The report nds the redirected URLs, malware types, determines the
categories of malicious code. As well as assuming that the attack origins are from
China. Additionally, states the dierent types of attacking methods reported by
events logs entries, and major areas of weakness required further investigation,
and remedial action by internal or external actor.
Incident response recommendation is by preliminary enabling security
mechanisms in Operating System and then implement best security practice.
Advance recommendations are emphasized by auditing web application code -
externally, and implying advance intrusion, prevention detection systems.
1 VirusTotal: https://www.virustotal.com/, last checked 03/01/2015.

14
The report also investigates that the conducted analysis has limitations.
Some of the limitations include: network trac sning is not provided, and not
infected system are not aected - owing to fresh install and currently there are
no hosted websites.
2.2.3 Conclusion
This attack is using multiple layer of obfuscation, evasion, misdirection and restor-
ing malware. By using any vulnerability present on the system to perform custom
payload malware, unlike the vector malware. Likewise are quick to deploy new
exploits. As a result, in total have identied from aected systems, that they
have compromised more than 150 web sites.
These attacks are currently having impact only on two out of four sys-
tems. It seems that exploitations are because of the vulnerabilities and disabled
security services. Such as, operating system - Windows update, audit policy, se-
curity account manage, windows rewall and so on. Also highly potential exploit
is due to web application weakness. Particularly attacks are redirecting visiting
users to dierent conditional criteria URLs, by leveraging search engine optimiza-
tion ranking to targeted sites. Some of the attacks are well known to security
community, where the others are new and unknown meaning not reported until
now. Meanwhile, the initial emails that had reported the attack to CLIENT 1
site are identied as phishing scam.
Even though CLIENT 1 has removed the shell scripts and malicious
code three times per day, within custom developed removing tool, yet the at-
tack is return due to system security vulnerability, such as back-door which is
remotely controlled. Currently security measures don't mitigate these methods
and identied those actions because server X3 had limited security measures,
along server X0 it has less impact due to enabled few security measures.
Withal believe that these attacks are currently originating from China,
however, there are many attacks whose origin is still unknown. Ultimately they
are generating revenue by boosting the SEO ranking to dierent sites, in the same
way they have business impact on CLIENT 1 sites and business itself.
As result, the dynamic analysis will reveal further information, and it
will be able to identify who is behind these attacks. Nonetheless, in this report
lastly provides the suggested remediation actions that could be considered by

15
categorizing them as basic and advance security actions.
2.3 Case 2
2.3.1 Overview
The following incident was detected on 03.11.2014 and reported on 13.11.2014.
The severity of the incident was high, while the attacking type is via SQL injec-
tion. Initially , CLIENT 2 received e-mail indicating an extraction of 27 customer

records.
In addition, the incident was tackled along side with CLIENT 2 employ-
ees, where specially they have taken actions of diagnosis by applying secure VPN
access to the back-end site secure, blocking the web services used by customer de-
veloped mobile application (for iPad and iPhone) and perform advance analysis in
order to identify possible vulnerabilities to SQL and Cross Site Scripting (XSS)
injections. Also, they deleted more than 300 obsoleted les and strengthening
protections for the treatment of parametrized queries. While on iWE side we
have conducted analysis of GET and POST queries extracted from the log les,
by identify the types of attacks performed by the intruder, number of queries
sequences per attack, country origin, and vulnerability scanning tools used for
attack. Technical details are presented in Appendix A.2.
In brief, contribution of the author was: (i) log analysis, particularly
concentrated to the time stamp from 1st of September until 7th of November
2014; (ii) from rigorous-script log analysis were able to determine the several types
of SQL injection attacks, for instance: blind SQL injection, union queries, string
concatenation and incorrect type handling; (iii) identify the IP address origin,
and consequently the timestamps for each attacks; (iv) determine the applications
used to conduct the attacks; (v) and lastly, mobile application vulnerability, what
kind of personal data are disclosed.
The CLIENT 2 manages website dedicated to equipment and home decoration,
launched in 2005, Figure 2.3, currently having more than one million clients.
16
Figure 2.3: Dxxxxx.fr website screen-shot.
Likewise any e-commerce site, the platform provides client access that
tracks orders, shipments, product comments and etc., shown in Figure 2.4:
The platform's website also oers back-end oce platform for Customer
Service.
2
The site is build on open source platform osCommerce , but according to
our interlocutor has been signicantly modied to meet the company's needs.
The company that developed the site claimed that is compliance to PCI
3
standard , and they underlined that database does not contain any information
about the payment details of customers.
Anyhow, we investigated that the intruder performed the following SQL
injection techniques: blind, union queries, string concatenation, incorrect type
handling, and at the same time we disclosed the vulnerability scanning tools
used for such attack.
2 osCommerce: http://www.oscommerce.com/, last checked 07/12/2014.

3 PCI SSC Data
Security Standards Overview, on-line available https://www.
pcisecuritystandards.org/security_standards/, last check 07/12/2014.
17
Figure 2.4: Dxxxxxx.fr tracking order form - screen-shot.
2.3.3 Conclusion
The intruder used the vulnerability of open-source e-commerce osCommerce ap-
plication. Nevertheless, the attempt was unsuccessful due to the technology im-
plementation, and the impact is successfully recover of a small number of limited
records from the database. Although the intruder claimed that the customer data
was extracted from the database, after analysis we identied that the exposed in-
formation was not matching with the database itself.
This incident was quickly corrected by CLIENT 2, while iWE dis-
tributed results of technical analysis, technical details presented in Appendix
A.2.
2.4 Case 3
2.4.1 Overview
Incident occurred on 04.09.2014 around 13:00 - French time, and the main impact
was water leaking in data center on one of the insured cluster. The main impact
18
was faulty power fan, which was remediated immediately by the data center.
And the result impact was that two nodes were shutdown. The following case
was transferred from GMC crises management team to provide technical analysis
on the log les, by identifying the alert messages, determine shutdown time line,
aected nodes and other hardware failures. In Appendix section A.3 we present
the log analysis time line of the incident occurrence and identied failure inuence,
for dates 04.09.2014 and 05.09.2014.
Shortly, contribution of the author was: (i) from the log les to identify
when did the hardware failure rstly occurred, and to determine which hardware
devices were aected; (ii) establish and present the time line for several hardware
failures.
The water leakage causes damages to the cluster, particularly regarding 5 and 7
nodes. At the same time, arises problem with NVRAM damages as well. The
damaged parts were replaced by the support team, and then restore the backup,
however the backup was not done correctly, therefore the impact on the insured
was high, and the impact loss was enormous.
iWE has performed technical analysis of the log les. Illustration of
incident occurrence time line and aected nodes, hardware damages are noted in
Figure A.3. In details, analysis identies the following ndings by each node and
RAM error for 04.09.2014 date:
• Node 5 battery light failed messages were recorded between 04/09/2014
from 13:00:05+2 until 13:30:12+2. Additionally, there was ATTENTION

and error messages logged regarding power failure starting from 13:28:10
until 13:30:25.
• For node 7, we have dierent failure messages, for instance: watchdog failed
on CPU 0 until 7, and others. Starting from 13:04:45 until 13:10:43+2. And
power button pressed at 13:10:39.
• For node 22, reboot message was recorded at 13:33:32.
• NVRAM error occurred between 13:33:00 until 15:43:24.

19
2.4.3 Conclusion
The following incident occurred by water leakage in one of the insured cluster.
The impact aected two nodes: 5 and 7, and other hardware devices. The damage
was replaced by the support team in the same day, however the impact to the
customer was that the available backup was not in proper way and it was not
able to be restored in new nodes, due to technical issues.

20
Chapter 3
Cyber Security Audit and Awareness
The present chapter lays the developed approach by using the common methods
and lesson learned by provided cyber security audits. Indeed, in the following
section we devote the time on state-of-art approach on well known cyber security
standards and framework, followed by what tool / application we developed for
future audit service and nally discovered limitations and improvements of latest
cyber security framework developed by NIST [47], presented and published with
the context of the attached white paper.
In a nutshell, in Sections 3.1.1 and 3.1.2 we introduce the problem state-
ment and well-known security standards and frameworks. While in Section 3.1.3
we noted what we are gaining to achieve and in Section 3.1.4 we emphases our
solution. In the end we conclude. Aside of white paper, in Appendix B.1 we il-
lustrate the map of main functions and categories that are included in our cyber
security audit tool.
3.1 White paper
The white paper presented in Kiev, Ukraine is titled: Standards for Information
Security are inappropriate fashion to assess the risk in private companies and
elsewhere.
Abstract - Today organizations are using standards and frameworks to
secure their assets. However, standards are accepted as best practices, whereas
21
22
frameworks are practices that are generally employed. And when it comes to mea-
sure the risk exposure in organization standards and frameworks are inappropriate
and not sucient way. Simultaneously, if your organization is in compliance with
some security standard, is it an evidence that such organization is qualied for
today's cyber space. With this in mind we tried to tackle the problem of dis-
covering fundamental solution by constructing inquiries based on several existing
standards and frameworks. Also, to develop tools to identify the interaction to-
gether with the assets and the questions. And at the end to present clear image
of what is cyber risk and how to reduce its exposure.
3.1.1 Introduction
Due to the ongoing conict with pro-Russian militants in eastern Ukraine, the
country has been confronted with massive number of cyber-attacks. For illus-
1
tration, in the beginning of August 2014, Financial Times and security rm
Symantec reported that dozens of computers in the Ukraine prime minister's of-
ce, and at least 10 of Ukraine's abroad embassies have been infected with a
virulent cyber espionage weapon and cyber-attack linked to Russia; later on, in
2
middle of September the South-east European Times in Kiev reported that due
to such an events, the authorities in Kiev are working on a law of cyber security
strategy. Pursuing to enhance the protection of critical infrastructure. There-
upon since the beginning of the conict, specialists said it was inuenced by one
the most powerful cyber-attack over the past few years.
Back in the early 80's, hacking was only considered as a simple attempt
to gain government's or enterprise's network access. Within preliminary image
of hacker typied by a teenagers willing to obtain more knowledge than nancial
gain [11]. After a while, where cyberspace presented the opportunities using the
World Wide Web, the threat landscape changed drastically. Not only because of
worms, viruses and so on, but also because of vulnerability, socio-technical, social
engineering and exploits, too. Consequently, the nancial, reputation and com-
mercial risks that goes with cyberspace presence are real and evolving everyday
[17].
1 Sam Jones, August 7 2014. Ukraine PM's oce hit by cyber attack linked
to Russia. Financial Times. On-line: http://www.ft.com/intl/cms/s/0/
2352681e-1e55-11e4-9513-00144feabdc0.html. Last checked on 29/09/2014.
2 Alex Statko, September 15 2014. Ukraine strengthening its cyber security. Southeast Eu-
ropean Times in Kiev. On-line: http://ukraine.setimes.com/en_GB/articles/uwi/
features/2014/09/15/feature-01. Last checked on 29/09/2014.
23
3
In addition, several countries are launching platform to stop cyber-attacks ,
such as, nancial services industry in the US, and the British Bankers Associa-
tion in the UK. More within the next few years, Information Security Standards
(ISS) are sets to become an important components in every company, govern-
ment and critical infrastructure industry. Likewise to standards, we also use the
term "framework" or also known as "Cybersecurity Framework" referring to a
risk-based approach to reduce cyber security risk, as introduced in February this
year [47].
Despite their eorts, standards themselves do not provide foundation
solution of how to implement them properly into organization. Instead, their ap-
proach is based on best practices, method for program base lining and acceptance
in international level, and in the end acknowledged by certicate. Due to this
restraint, security community nowadays draws its focus on frameworks by provid-
ing practices that have positive outcome and are generally employed elsewhere.
However, existing standards and frameworks, are in fact overlapping, and are not
so well acknowledged.
De facto, eective risk assessment requires a consistent approach, tailored
to the needs of the organization. As a consequence, most of the organizations
nowadays perform risk assessments by triggering questionnaires based on stan-
dard or framework. Sometimes the questions are liable to interviews, IT standard
compliance, and carry out advance technique such as, penetration testing and so
on.
For this reason, in this paper we tackle how standards and frameworks
are complementary in respect to measure risk exposure in organization. Further,
we discuss their dierences, and introduce the reader with brief background infor-
mation of commonly known world standards and frameworks. Additionally, we
observe available tools with supporting and opposing arguments, coupled with
references for specic country requirements. Keeping in mind that, the focus of
this paper, instead of reviewing, is only to deliver the available list of sources for
countries requirements. Last but not least, we argue the problem experience that
we had in past by carrying out audit coupled with risk assessment in dierent
organization industries. Consequently, we discuss our approach in assessing and
mapping the risk exposure composed of several: standards and frameworks. After
we provide recommendations, and in the end we conclude.
3 Hannag Kuchler, September 24 2014. US nancial industry launches platform to

thwart cyber attacks. Financial Times. On-line: http://www.ft.com/intl/cms/s/0/
080092b2-437a-11e4-8a43-00144feabdc0.html. Last checked on 29/09/2014.
24
The paper is organized as follows. The next section provides background
information of well-known: standards, frameworks and tools within country re-
quirement sources. Then we provide what we are willing to achieve and how we
identied the problem in the third section. Further, we suggest recommendation
solution in fourth section. Last but not least, our conclusions are drawn in the
nal section.
3.1.2 Background
Before we go to list of standards and frameworks, rst and foremost, we need
to discuss their dierences. And in a nutshell, dierence between standards and
frameworks are that, standards are accepted as best practices. Frameworks are
practices that are generally employed. Supplementary, standards are specic,
while frameworks are general. For example, [6] denes framework as a guide
to provide a direct correlation to the level of maturity of information and cyber
security. While, standard is when organizations need to choose some standard
method for program base lining and international/global acceptance. Standard
is used within the context of information security policies, by completing inter-
national recognized certication. While framework is shared community best
practices gained in time of experience and their implementation into the orga-
nization - without getting any acknowledgement. For illustration, standards are
such as ISO/IEC 27000 series, ANSI/ISA-62443, NIST-FIS, Standard of Good
Practice from ISF, NERC1300 and RFC2196; and frameworks are: Cybersecurity
Framework, Critical Security Controls (CSC), COBIT, and many others.
Anyhow, each above standards and frameworks are presented within brief
background information below. Obviously, the approach that we present is from
top-to-down approach, top ecient and benet standards/frameworks to less ef-
cient. We presumably think that such display of standards and frameworks will
bring value to the reader. Because the top standards are usually combined from
the previous exercises and lesson learned-best practices. The following standards
and frameworks are:
Cybersecurity Framework [47]. It is core, latest (introduced in
February 2014) and the most suitable framework at the moment. It has divided
the format of framework core presenting: a listing of functions, categories, subcat-
egories, and information references that describe specic cyber security activities
that are common across all CII/CI sector. However, the drawback is that does
25
not suggest a specic implementation order or imply a degree of importance of
categories, subcategories, and information references. In addition, does not deal
with socio-technical aspects (i.e. taking into account that humans are the weakest
link in security [63]), yet undoubtedly it is the top-drawer standard for private
and other organization, nowadays.
Critical Security Controls (CSC) [49]. It reects the combined
knowledge of actual attacks and eective defences of experts. They are created
by the Council on CyberSecurity, established in 2013 as an independent, expert,
non-for-prot organization with a global scope committed to the security of an
open Internet. Particularly we concentrate our interest only on the quick wins
categories from total 20 controls. The quick wins categories have most immedi-
ate impact on preventing attacks for dierent organization structure. Specically
for the clients some of the controls where not necessary to be used. Instead,
in other organizations particular control, for instance, developing company will
need to pin-point the importance of controls (such as: 9, 20, and others). On one
hand, they provide a ground-oor sustainable and ecient way of security your
company. However, they are not easy to implement because their focuses are
against the latest Advanced Targeted Threats, with a strong emphasis on "What
Works". Through which security controls where products, processes, architec-
tures and services are in use that have demonstrated real world eectiveness. For
this reason we support the idea that CSCs are continuing to improve. Hopefully
in near future we will see platforms and tools, to keep pace with the need for
improved visibility, compliance and risk posture.
ISO/IEC 27000 series [2]. The International Organization for Stan-
dards least update 2013, known as ISO , is an international-standard-setting
body composed of representatives from various national standards organizations.
Founded on February 1947, they promulgates world-wide proprietary industrial
and commercial standards [65]. Nonetheless, ISO/IEC 27000 series (also known
as the `ISMS Family of Standards' or `ISO27k' for short) comprises ISS published
jointly by the ISO and International Electrotechnical Commission (IEC). The
set of series provides recommendations on information security management, risk
handling and controls implementations within the context of an overall Infor-
mation Security Management System (ISMS). However, we will discuss only the
ISO/IEC 27001 standard sets, and it is required for an organization's ISMS to
achieve certication. It is compiled of seven key elements. These are: establish,
implement, operate, monitor, review, maintain and improve the system. Also
it is intended to be used along with ISO/IEC 27002, the Code of Practice for
26
Information Security Management, which lists security controls objectives and
recommendations of specic security controls. Despite the fact, that this certi-
cate is mandatory in some countries, yet it leaks the future of new technologies,
such as portable devices, bring your own device (BYOD) in organization and it
is using only selected decision making process - PDCA (plan-do-check-act), as a
main approach.
COBIT [13]. The Control Objectives for Information and related Tech-
nology (COBIT) is a set of best practices (framework) for information technology
management created by the Information Systems Audit and Control Association
(ISACA), and the IT Governance Institute (ITGI). Within preliminary mission
to research, develop, publicize and promote an authoritative, up-to-date, inter-
national set of generally accepted information technology control objectives for
day-to-day use by business managers and auditors. It helps managers, auditors,
and other users to understand their IT systems and decide the level of security
and control that is necessary to protect their companies' assets through the de-
velopment of an IT governance model [65]. In addition, COBIT components
include: framework, process descriptions, control objectives, management guide-
lines and maturity models. Although it is very well structured and combined of
wide range of components, still we have to keep in mind that main milestone is to
oer supporting tool-sets that allows managers to fulll the gap between control
requirements, business risk and technical issues, as a disadvantage.
ANSI/ISA 62443 (formerly ISA-99) [19, 20] is a set of standards,
technical reports, and related information that dene procedures for implement-
ing electronically secure Industrial Automation and Control Systems (IACS). The
guide is applicable to end-users, which is asset owner, system integrators, security
practitioners, and control systems manufacturers in charge for manufacturing, de-
signing, implementing, or managing industrial automation and control systems.
With the main strengths that it is easy to understand and used, and designed
around small organizations.
NIST FIS [46]. Guide for Assessing the Security Controls in Federal
Information Systems, addresses the 194 security controls that are applied to a
system to make it "more secure". Specically this standard was written for
those people in the federal government representatives, responsible for handling
sensitive systems. However, it is a document which emphasizes the importance
of self-assessments as well as risk assessments. Notable, could be implement not
only on government organizations, but also for individual organizations requiring

27
and desired more security.
Standard of Good Practice [22]. Originally, Standard of Good
Practice published in 1990s from Information Security Forum (ISF) was a private
document available only to its members. Later on, ISF made the full document
available for sale to the general public. It contains a comprehensive list of best
practices for information security, and it pursues it is important for those in charge
of security management to understand and adhere to NERC CIP compliance
requirements.
RFC2196 [23]. It a Request For Comments (RFC) memorandum for
developing security policies and procedures for information systems connected on
the Internet. It provides general and broad guide overview of information security,
network security, incident response, or security policies. In fact the handbook is
very practical and it is focusing on day-to-day operations.
NERC 1300 [44]. Standard 1300, recognized as NERC 1300, or in other
words is called CIP-002-3 (Critical Infrastructure Protection) are used to secure
bulk electric systems, such as providing network security administration while
still supporting best-practice industry processes. Within the main set for critical
infrastructure protection.
OWASP TOP 10 [50]. It is an awareness documentation for web ap-
plication security, rather than standard or framework. It represents a broad
consensus about what are the most critical web application security aws. They
emphasize that all companies should adopt this awareness document within their
organization and start the process of ensuring that their web applications do
not contain aws. It provides a list of 10 most critical web application security
risks. And for each risk it provides a description, example of vulnerabilities and
attacks, guidance on how to avoid and references to OWASP and other related
resources. In our opinion, if your organization implements or design a custom
web application to meet your needs, then we urge you to adopt this awareness
document.
Thoroughly, from above we can arrange standards and frameworks within
three main targeted group's interests, for instance: private companies, govern-
ment and/or federal and industries within Critical Information Infrastructure
(CII)/ Critical Infrastructure (CI). Motivation of this arrange is due to fact that
neither every organization has critical information infrastructure assets, nor gov-
ernment/federal interests. In lieu, most of the government organizations have crit-

28
ical infrastructure, while some private or multi-stakeholder organizations could
have as well.
Aside from standards, we would like to emphasize the freely available
tools. And when we speak about the tools, we mean tools which are either web
base applications or specically designed application for pursuing the implemen-
tation of specic standard and/or framework.
Thus it is worth mentioning rstly the web based tool available from
European Network and Information Security Agency (ENISA), presenting the
Inventory of Risk Management Risk Assessment methods and tools [18]. This
RM/RA method oers dierent country specic requirements, for instance: for
France Ebios and Marion, for Germany IT - Grundschutz, for Spain MAGERIT,
for Italy MIGRA, The Netherlands Dutch A&K Analysis and many other coun-
try required standards. Additionally, it oers 12 tools developed for dierent
countries from methods as main source and guide for implementation. Besides
methods and tools for risk management, it gives a comparison tool which could
be used for comparing two individual risk management methods or tools.
Second, The Cyber Security Evaluation Tool (CSET) [31], it is an ap-
plication to assists organizations in protecting their key national cyber assets,
combined from the above mentioned Cybersecurity Framework [47]. This tool
provides users with systematic and repeatable approach for assessing the secu-
rity of their cyber systems and network. It includes both high-level and detailed
questions related to all industrial control and IT systems.
In spite of all, we emphasize that the country specic requirement stan-
dards are formally based on acknowledgement of best practice, in other words
lessons learned, and complied with the country legislatives requirements. And
for this reason, we could not discuss all of them.
3.1.3 What to achieve?
Security has dierent meanings, and it plays a vital role in organization. Such as,
for dierent industrial classication, dierent adherent security measures should
be agreed-upon. In the same line, is for security standards, dierent objectives
and controls, dierent industry/business classications. Another important roles
in security are: Risk Assessment as a common part of Risk Management, and Risk
Audit which is minimizing risk at the acceptable level. Apparently, cyber threats
29
are continue to evolve, by representing real risk to business. Consequently, cyber
risks are becoming real and mount from a range of sources, such as: Advance
Persistent Threats (APTs), cyber-criminal, espionage, security and foreign intel-
ligence, poor software development methods, malware, external actors, malicious
insiders, social aspects, etc.
Without doubt, by knowing the background information of standards,
we could adjust in fact that standards are oering general advice. To a degree of:
best-known practices, understanding risk landscape and at the same time cyber
threat proling, compliance with regulatory requirements, and so on. Unfortu-
nately, standards do not relate to crucial issue of implementation. Also, they
do not declare that security is too dicult or cumbersome, neither emphasizing
problem nor dierence between the information security and cyber security. Re-
cent updates of the standards raised the issue of involvement to all parties, and
highlighted that cyber security is a business problem, not an IT problem. And
that by development and adaptation new national cyber security strategies are
an emerging trend characterized by its dynamism, will emphasize better proles,
which leads to greater assurance in security overall.
On the other hand, cyber security standards, in other words, frameworks
are dening a common vocabulary. Additionally, they dene a common set of
practices in order to address implementation of security. However, originally
they are not designed to identify clearly the problem and/or the weakness in
organization. Consequently, we could not dene the matrix by assessing the risk,
or more importantly measure the risk exposure in organization.
Consequently, companies today are facing with issue of which standards
or frameworks are more appropriate for their organization. As well as the issue
whether the organization can benet only if those standards/frameworks are im-
plemented properly? Therefore, we can point out that security in organization is
when all parties are involved . As those highlighted in [65] paper: senior man-
agement, information security practitioners, IT professionals and users which all
play a role in securing the assets of an organization.
Lastly, socio-technical aspects have gained importance in the recent years.
And in fact, standards and frameworks are avoiding this question. Such tech-
nique's are addressed in [40] that no matter how much we invest and carry out
security standards and implement security technologies, still the weakest link in
security in organizations will be the human factor. And the only way to remedy
the weakest link is to constantly support awareness raising and training for each
30
party.
Ultimately we observed several times that they lacks precision: that the
main purpose of standards is to acknowledge certication by increasing customers
condence and the level of trust; breaking down trade barriers and competitive
advantages for the industry; and lastly, it creates a common language when talk-
ing about security. In addition, it is costs a lot of investment for organization, it
might create false sense of security and turns out to compliance culture.
Having in mind the problems, we can solve and identify the risk exposure
in organization, by the use of several existing standards and frameworks in order
to perform risk assessment or audit after cyber breaches or cyber incidents have
occurred. In previous time performances we have realized that strict compliance
to standards are helping to identify and/or raise security weaknesses. By having
an accurate measures of risk exposure.
We then opted for selecting the best and most suitable standards and
frameworks (several ones) for audit and risk assessment. Thereupon, outcome
can be combined to build our own model to fulll the gaps of standards and
frameworks. By nding correlation between the weaknesses and vulnerabilities
and it could be eectively used in dierent industrial and business needs.
3.1.4 Solution
Related works and literature remain quite limited. Specially most of the re-
searches have engaged in proposing relationship and mapping between several
standards and frameworks [35, 65, 34, 62]. Nonetheless, none of them are ad-
dressing the problems of: implementation, past experience, cost, socio-technical
aspects, and so forth. However, in our case, we have tackled the problem through
past experience gained from previously carried out audits and risk assessments.
In fact, our handling method of understanding the risk exposure in organization
is through performing risk assessment right after occurrence of cyber breach or
cyber threat. In the meantime, we use several existing standards and frameworks
to generate the questionnaires with the aim to help identify weaknesses, vulnera-
bilities and to reduce the risk in a system. And lastly, to identify the correlation
between the assets and the questions.
Moreover, our cornerstone approach and method seems to be well sup-
ported by diverse business industries. For instance, for private companies, gov-
31
ernment organization or even for organization with multi stakeholder approach
having critical infrastructure and critical information infrastructure. And more
importantly, from merging and mapping standards we use existing maturity mod-
els, or other sources to assist in determining their desired levels. Such mapping
example is the SANS draft poster for Standard Mapping to the Critical Secu-
rity Controls [60]. Nevertheless, our fundamental approach has more or less
300 questions and characteristics process. Meanwhile, it provides clear guidelines
and have built-in questions not just repeatedly, but also measurable. Essential
process is by: identifying, protecting, detecting, responding and recovering any
event of cyber attacks into organizations. We have tried to engage in the problem
of what is missing and what we have learned from past audits. Consequently we
apply them into hence audit, or in other words we build our own standard.
Additionally, we are handling the problem not only through conducting
the questionnaires within organization, but also by building a tool which will
nd the correlation between the assets and the questions. For illustration, if
we identify weak password in organization asset and they have answered to the
question that complex password is implemented, then in this case we can identify
weakness (complex password not implemented and the organization is not aware
of this issue), therefore will respectfully be marked as high risk. Because, probably
there will be other weakness and/or vulnerabilities too. Thus, we consider risk
as a function of threats intersected with the likelihood of vulnerabilities, and the
business impact if they materialize.
In details, underlying that 300 questions are built on several existing
standards and frameworks. For instance: ISO27k, COBIT and NIST-FIS stan-
dards, and also Cybersecurity framework and "quick wins" categories from CSC.
Together with inquiries collected from Cyber Security Evaluation Tool (CSET).
Likelihood to questions, we would like to accent the undertaking future work to
design a tool which will discover the interrelationship between the assets and the
inquiries. As a consequence, this will produce a comprehensive and cost-eective
module for organizations. And at the same time, understanding correlation be-
tween weaknesses and vulnerabilities into the systems, with tendency to business
impact. Altogether, will give clear image of what is organizational cyber risk.
32
3.1.5 Conclusion
The companies are ultimately doomed if they do not have implemented nor
planned in near future any security standard or framework for their organiza-
tion. And indeed, security plays an important role in protecting the assets of an
organization. Bear in mind that there is no single formula that can guarantee
100% security. Therefore there is a need for a set of strategy and standards to
help ensuring an adequate level of security. Implementing the proper standard
or framework for a particular industry application can reduce weaknesses, vul-
nerabilities and threats into the systems. However, the success of cyber security
can only be achieved by full cooperation at all levels of an organization, together
with considering the socio-technical and social engineering aspects and so on.
However, standards and frameworks for information security in organi-
zation are quite dicult to implement. In addition, there is a vast amount of
standards, frameworks, country requirements and tools, too. Therefore, orga-
nizations either: private, government or with multi stakeholder structure, are
facing the issue of choosing the right and ideal standard/framework to meet their
needs. For this reason in this paper we have introduced the problem of standards
and frameworks coupled with the limited tools and country specic requirements.
By drawing focus on the recommendation that standards and frameworks, used
alone, in fact are inappropriate constituting way to assess the risk in private com-
panies and elsewhere. And that fundamental solution for achieving such task is
by reconstructing inquiries based on several existing standards and frameworks.
Simultaneously to develop a tool to identify the interaction among assets and the
questions.
Our future work should concentrate on designing a comprehensive and
cost-eective module for organizations by emphasizing importance, and under-
standing the correlation between weaknesses and vulnerabilities into the systems,
likelihood the impact. Which will aim to provide clear image of what is an orga-
nization cyber risk and how to reduce its exposure.

Chapter 4
Security Architecture
This chapter denes the security architecture implementation by oversee the end-
to-end solution for data at REST, mainly intent designed for iWE SaaS platform.
For this reason we need to adopt appropriate measures to secure customer's data
at REST. However, data at REST is used as a complement to the terms data
in use and data in motion which together with data at REST denes the three
states of digital data [48].
Data in use is active data under constant change stored physically in
databases, data warehouses, spreadsheets, etc. While data in motion deals with
data that is traversing a network or temporarily residing in computer memory
to be read or upload. And nally, data at REST looks at inactive data stored
physically in databases, data warehouses, spreadsheets, archives, tapes, o-site
backups, etc. [48].
Anyway, the main aim of this study is to identify and valid technical
solution for enforcing by design a very high level of protection of customer data
condentiality. Which will position iWE platform as one of the few secure storage
for business data and for collaboration.
In the following Section 4.1 we introduce the problem statement and
challenges facing with zero-knowledge data at REST. In Section 4.2 we disclose
the related work, followed by the cornerstone designed methodological approach
and implementation in Section 4.3. While in Section 4.4 we discuss the limitation
and the advantages of our security architecture design. Last but not least, in
Section 4.5 we conclude.
33
34
4.1 Introduction
In October 2014 hackers claim that they have stolen nearly seven million Drop-
1 2
box passwords [68]. These information have been published in Pastebin , and
through dierent websites. Additionally, Moertel back in December 2006 [43],
posted a blog post that we should never store passwords in a database, rather
than we should use dierent cryptography solutions. Undoubtedly, most cur-
rent web authentication solutions use a login forms, which sends the username
and password to the server as a HTTP request or sometimes as HTTPS request.
Thereby in most case, the password is sent in plain text or sometimes through
SSL connection. On the server, then the password is hashed and compared to a
stored hash. Advance solution is also available called salting in which random bits
are added to the end of password before it is hashed to prevent attacks through
pre-computed hash tabled [72]. However there are several major attacks vectors
which are applicable for this current systems, few of them noted in [57], such as:
brute-force hash cracking, wire sning, servers stored passwords insecurely (in
particular, in plain text or hashed without salting), server itself could behave ma-
3
liciously or vulnerable (Heartbleed bug ), and so on. Apart from authentication,
also another challenge is storing data into the cloud and provide collaboration.
Cloud storage has draw attention to a lot of users lately, reported in

4
Techcrunch beginning of April 2014 , by uploading and sharing their personal
photographs, documents, and so on accessible by service providers. Consequently
possible privacy concerns are not taken into account due to lack of awareness.
As well as, most people are unaware of the infrastructure and the underlying
technology or Cloud Service Provider (CSP). Moreover, throughout the later half
of 2013, NSA's PRISM surveillance program was disclosed and it has caught
attention, and indeed increased the concern towards user privacy. Obviously,
that user data is being leaked from many large corporations (examples shown in
[21, 36]). Despite unawareness of privacy among mass people, we believe that
eective solutions of end-to-end encryption for cloud services is a demand of time
[38].
In order to ameliorate these threats and challenges, the scholars have
1 Dropbox, https://www.dropbox.com/. Last checked on 15.12.2014.

2 Pastebin,http://pastebin.com/. Last checked on 15.12.2014.
3 The Heartbleed Bug, http://heartbleed.com/. Last checked 15.12.2014.
4 Techcrunch.com, Dropbox Hits 275M Users And Launches New
Business Product To All. http://techcrunch.com/2014/04/09/
dropbox-hits-275m-users-and-launches-business-product-to-all/. Last checked
15.12.2014.
35
dene the term zero knowledge proof. And zero knowledge proof has been for-
malized by [58] and it described as challenge response authentication protocols,
in which parties are required to provide the correctness of their secrets, with-
out revealing these secrets [28]. This challenge applies to both segments, for
example for authentication and data storage solutions. Additionally, to cloud
ecosystem facilitating end-to-end or in other words zero knowledge encryption,
the main challenge is to manage keys among dierent devices of the same user
and between dierent users [38]. We have seen in recent years, that several
encrypted cloud storage services (e.g., Mega5 , Viivo6 , Wuala7 , SpiderOak8

and Boxcryptor [10]) have been launched. In view of this, main approaches
are [38]:
1. Encryption with public key with/without oering several popular features
like syncing, sharing (e.g., Syme - Google chrome extension [26], Tresorit
[69], etc. );
2. Encryption with user chosen password (e.g., Boxcryptor [10], Pandor

[52], end-to-end [27], Safebox [59], etc.); and
3. Relying on a third-party key server (e.g., CaaS [61], FriendlyMail [5],
and others).
Noteworthy is that such solutions are implemented either through client-side or
server-side. Client-side interest are that each data before transferring to cloud
storage rstly is encrypted on the client machine, and then transmitted encrypted
to targeted cloud storage, notably the keys as well. While server-side is the
data is pushed through secured cryptography protocol in plain text and then
is encrypted on the server side by using third-party hardware and/or software
available solutions for key management.
Aside from cloud storage services, email communication is also a potential
candidate for end-to-end encryption, such implementation of PGP and S/MIME
email encryption, but unfortunately they have not gained much popularity, noted
in [38]. And for purpose of our study and implementation such solution is out
of scope and not discussed any further in this report.
Considering the growing interest on the topics with noticeable privacy
5 Mega, https://mega.co.nz/. Last checked 15.12.2014.

6 Viivo https://www.viivo.com/. Last checked 15.10.2014.
7 Wuala, https://www.wuala.com/. Last checked 15.12.2014.
8 SpiderOak, https://spideroak.com/. Last checked 15.12.2014.
36
breaches in the news, discussions on the right to be forgery, and on law enforce-
ment agencies surveillance in the cloud. We need to oer to our customer through
iWE platform, control and transparency over how personal data is protected as
key elements for trustworthy cloud service. Therefore, there are multiple chal-
lenges to tackle, provided the multiplicity of service delivery models in the cloud
and the diculties in tracking meta-data across the cloud middle-ware. One of the
existing approaches consists in using encryption to protect the data. When data
must be deleted, the encryption keys are discarded. In case of losing credentials,
how the encrypted data could be accessed/recovered by the users. Additionally,
sharing protected data with the group, individuals and in the company, as well.
Lastly, how to ensure that even the developers from iWE side will not have access
to the data, as well as CSPs, and etc.
By knowing the challenges, we have investigated what are the most
promising secure approaches for our end-to-end zero knowledge solution and carry
out a proof of concept supporting it. For this reason in next section we discuss
the related work, followed by the methods that we are taking into consideration
for handling data into the cloud. Then how the methods are implemented. And
before we conclude, we show the advantages and disadvantages to our methods
and implementation solution.
4.2 Related Work
Owing to surveillance and privacy issues for cloud services, in recent year, end-
to-end encryption solution for cloud services are getting popular. In this section,
we focus on the main approaches available to facilitate end-to-end encryption for
cloud services. Have in mind that we could not cover all of them, but we have
concentrated only on the related solutions. Simultaneously, we name several
shortcomings in existing approaches, such as client-side and server-side, which
are addressed in our solution and provide comparison table.
9
Pedersen and Dahl [53], or also known as Crypton discussed dierent
challenges in designing an encryption application intended to work on multi-
ple devices, by providing high-level APIs for user accounts, robust data storage,
and sharing information between users. The following zero-knowledge applica-
tion framework is implemented in SpiderOak, online le sharing and secure
9 Crypton.io, https://crypton.io/Last checked 15.12.2014.

37
Node.js10 platform;
cloud backup solution. Such solution is implemented within
Redis11 an open source advanced key-value cache and store; PostgreSQL12

13
advanced open source database; and distributed via Docker open platform
for developers and sysadmins to build, and run distributed applications. User
authentication is done through Secure Remote Password (SRP) protocol, and
within the front-end communication, client-server approach with RESTfully -
JSON over HTTPS. Major requirement is asymmetry cryptosystem for user-
level keys deployment, and encryption storage is accomplished with symmetric
algorithm AES-256 through cipher feedback (CFB) mode and hash-based mes-
sage authentication code (HMAC) and cryptographic hash function SHA-256.
Therefore, SpiderOak is based on password-based encryption, by oering both
syncing and sharing. And the encryption keys are protected by the user password.
However to facilitate sharing, SpiderOak requires a user to create a share room.

Where each share room has a password, which is used to encrypt all data in that
room. Consequently all the members of a room know the password for the room.
However, Crypton and Crypton v1.0 in fact are facing with some weakness of the
key schedule algorithms when using 256 bits user keys, noted by Yuechuan et al.
[71].
Similarly, Dominik et al. [16] designed a cryptographic three structure
which facilitates access control in le systems operating on untrusted storage.
And it is designed for Wuala another encrypted cloud storage service, which
derives the master key from the user-chosen password. The master key encrypts
the root directory. While the other encryption keys reside in the parent directory
so that a user having the encryption key of a folder can access all the le and
sub-les inside the folder [38]. Implementation of Wuala is using the hybrid
architecture - P2P, by error-control method for data transmission that uses ac-
knowledgements ARQ. In addition, requires user-level keys and encrypts the data
with symmetric algorithms such as: AES-128 or AES-256. Another advanced fu-
ture of Wuala is when someone loses access to an item, that item needs to be
encrypted with a new key in order to prevent the former accessors to access the
item in future. Therefore, it is using the lazy revocations [42] which allow to post-
pone this (expensive) re-encryption until the next update of the item. Engaging
measurement study has been conducted by Mager et al. [64] by emphasizing: in-
frastructure, data placement, coding techniques and transport protocol adopted
by Wuala, undergone between 2010 and 2012.
10 Nodejs.org, http://nodejs.org/. Last checked 15.12.2014.

11 Redis.io,http://redis.io/. Last checked 15.12.2014.
12 Postgresql.org, http://www.postgresql.org/. Last checked 15.12.2014.
13 Docker.com, https://www.docker.com/Last checked 15.12.2014.
38
Another client-side storage encryption plugin solution is Boxcryptor [10],

works with major cloud storage providers (e.g., Dropbox, Google Drive, OneDrive,
etc.), similarly protects private keys by user-chosen password. Where each le is
encrypted by a random key and each user has a public/private key pairs. Ran-
dom keys are encrypted by public keys of each user, who has access to that le
and stored in the local cloud storage directory. And all public keys are in the
clear and private keys are encrypted by user password; both keys are stored in
the cloud storage server to facilitate sharing and syncing. To share a le with
other users, the le key is encrypted with the receiver's public key and submitted
to the cloud so that the receiver can retrieve the le key by decrypting using her
private key [25, 38]. Additionally, secure le encryption is using the AES-256
standard.
Tresorit [69, 67] is another commercial secure cloud solution, imple-
mented in C++, using client-side encryption AES-256 standard and authorization
using asymmetric key pair algorithm RSA-2048 applied on hash function SHA-
512. Transmission of data is done through TLS cryptographic protocol and the
invitation and key agreements are ICE and TGDH protocol [37]. The following
cloud storage provider, as well as SpiderOAK and Wuala have been examined
for weaknesses associated with their sharing functions, by performing reverse en-
gineering techniques, handled by Wilson and Ateniese [70]. For each provider
they highlighted the disadvantages and proposed several alternative approached
to address the weakness identied.
Last commercial client-side solution is provided by nCrypted Cloud14

by a patent [45], however within dierent approach from the above. Firstly, the
data protection is accomplished by symmetric algorithm AES-256 by encrypting
the les and directories as archive ZIP le format with XML comments. Second,
password verication, or in other words user authorization is via key derivation
function that is part of RSA series, such as PBKDF2. Thirdly, data recovery
is provided by generated key pairs (public/private keys) and it is upload to the
cloud by protecting it with personal key (containing username and password).
Interestingly from aside of commercial solutions, two students from Canada
have been tackling the issue of end-to-end cloud solution with in client-side pur-
pose, and published in master thesis reports. Such as, Totolici [66] designed the
Crypstor a storage platform that addresses data security in the cloud computing
context through the use of encryption, while maintaining the desirable properties
14 nCrypted Cloud, https://www.encryptedcloud.com/. Last checked 15.12.2014.

39
of ecient storage and sharing. While Majumdar [38] propose the Keyfob, a
key management scheme for easy key transfer between user-owned devices, and
between users. Crypstor merges a number of existing cryptographic building
blocks in order to archive its intended security properties. For example, hashing
is done via the SHA-384, symmetric authenticated encryption is carried out using
the AES-256 in Galois/Counter Mode (GCM) and Rijndael as current algorithm
of the standard [1, 15]. Symmetric signing is accomplished by HMACs, and public
key cryptosystem (PKCS) is RSAES-OAEP [33]. And nally the key stretching
is realized by applying scrypt [55, 54] to the user's password. Whereas, Key-
fob uses high-entropy random key for encryption instead of password-derived
keys, and leverage's Die-Hellman key exchange (DH-EKE) with weak secrets
for secure key transfer. Each user need to manage one user-master key, and all
other keys are derived from that master key or a pairwise shared master key. It is
implemented as Firefox extension using Firefox Sync service, which implements
an EKE [8] variant. And it can be used to support encryption on Dropbox - in
desktop and Android, and Gmail - in desktop.
Amazon Web Services (AWS) oers encryption of data at REST within
three dierent models [7, 12], such as:
• Model A, by carrying out client-side encryption solution: using customer-
management keys (CMK) or using partner solution of key management
infrastructure (KMI) for CMK.
15
• Model B, accomplished by CMK using the dedicated CloudHSM (Hard-
ware Security Module) appliances within the AWS cloud, and
• Model C, server-side encryption using AWS KMSManaged Keys (SSE-
KMS) [3], which provides available API's embedded into the AWS platform
and its integration is available in Java, Ruby, PHP, etc.
Knowing the available cloud CSPs mentioned above, within their advantages and
disadvantages we have prepared comparison table (see Appendix section C.1) by
asserting the implementations, encryption transport and storage, requirements
and what are the possible attacks, seized from related work [70, 64, 41, 9, 38].
15 AWS CloudHSM, http://aws.amazon.com/cloudhsm/. Last checked 16.12.2014.

40
4.3 Solutions
Here we reveal the solutions separated into two dierent implementation methods,
such as client-side and server-side encryption. Meanwhile, our solutions merges a
number of existing cryptographic building blocks in order to achieve its intended
security properties. We describe these blocks here, and how they are combined
and used. Thereby, our system requires algorithms for hashing, symmetric en-
cryption, symmetric message signing, asymmetric cryptography (public/private
key pairs), and key stretching. And in the end, we summaries the advantages and
disadvantages for each solution.
4.3.1 Client-side 1
Following solution could be implement only for one owner and one recipient.
Obviously, in a similar fashion if we want to share the le with more than one
recipient we will need to use asymmetric encryption for the random generated
number to encrypted with each public key of the recipients and store them in to
the cloud.
Hashing is done via bcrypt [56], we selected the following hash function
because it has been already implemented beforehand in iWE platform. Sym-
metric authenticated encryption is carried out using the AES-256 and symmet-
ric signing is accomplished by HMACs [29]. While public key cryptosystem is
RSAES-OAEP [39], and key stretching is realized by applying brypt to the
user's password.
All of the selected building blocks are used in manner that allows for easy
replacement of any one of them, if attacks are discovered in the future. Nonethe-
less, the choice of algorithms is not sucient to ensure either condentiality or
security, merely is depending on the password strength dene of the user.
Here we depict the following scenarios, and for each scenario we have
provided sequence diagram in Appendix section C.2.1.
New User
1. User password is hashed with bcrypt.
2. Generate a public/private key pairs for each user.

41
3. Encrypt the private key with symmetric (AES-256) encryption with the
user password, and store them along with public key to the cloud. Public
key remains not encrypted.
Encryption of le
1. Generate random number (session key):
a) Generate random number (session key):
i. Asymmetric encryption twice (RSAES-OAEP):
A. With Sender Public key and
B. With Recipient Public key
b) And store them in the cloud. If we have more than one recipient, then
there will be more than one encrypted session keys.
2. Symmetric (AES-256) encryption to encrypt the le using the plain session
key (which is the random generated number) as the symmetric key. Then
upload the le in the cloud. Encryption could be done with JavaScript
library CryptoJS [32, Online: https://code.google.com/p/crypto-js/].
Decryption of le for the recipient and/or sender
1. Decipher private key with user password.
2. Use private key to decipher the recipients encrypted (RSA-OAEP) session
key.
3. Use symmetric (AES-256) decryption to decipher the encrypted le.
Advantages of solution are that developers will not be able to access the data,
neither the CSP. Also, user could read the le from any device and at the same
time access the data from multiple devices. Bright side is if le is uploaded with
new version then it could be use the same session key to encrypt and decrypt the
le. And last, although if intruder is able to access the server data, still he will
not be able to decrypt the le, without the user password.

42
Disadvantages are if user loses its password, than the data could not be
retrieved. Also, for each le we have to generate random session keys and encrypt
them with the user's public keys and upload them in to the cloud. For instance,
if we have one le shared with 20 people, then will have 20 encrypted session
keys with public keys for each recipient for one le, and so on. Last, if revoke is
required for a le, then we have to re-encrypt the le with new session key.
4.3.2 Client-side 2
Dierent from the previous solution, is using the key derivation function and
creates group key for sharing les with other recipients.
The main building blocks are accomplished by: hashing is done via secure
hash function, 384-bit digest (SHA-384) or via bcrypt. Symmetric authenticated
encryption is carried out using the AES - 256. Symmetric signing is accomplished
by HMAC. Key Pair cryptosystem by RSAES-OAEP. Key stretching is realized
by applying scrypt [55] to the user password, functioning as key derivation
function (KDF).
New User
• User password is used as input to the scrypt function, which is conjunc-
tion with a randomly-generated salt from Secure Pseudo-Random Number
Generator (SPRNG) . And the derived key is used as a wrapper key.
• Generate master key with SPRNG.
• Generate public/private key pair generated from the SPRNG, and public
key is saved to the cloud server.
• While the private key and the master key are encrypted via AES-256 under
the wrapper key, and are stored in to the cloud.
New Group
• Generates randomly a symmetric group key.
• Encrypts (RSA) the group key with the public key for each of the intended
recipients.
43
• Encrypted material is then shared with the rest of the participating users
via a secondary channel, such as e-mail, or some other solution.
Encryption of the le
• Master key is used to encrypt the le with AES-256.
Decryption of the le
• Decipher master key with the wrapper key.
• Use symmetric encryption to decipher the encrypted le.
In this solution advantages are that its allows user to change their password
without having to re-encrypt all of the data. As well as, user will be able to read
the le from any device. And it provides revoke function for the group, if needed,
then the old group key is encrypted under prime and sorted as metadata. This
is due to only read access is allowed.
On the other hand, disadvantages are for instance if master key changes
than it requires a full re-encryption of the user's les. Lastly, in group share, if
we want to revoke access, then the les have to be re-encrypted.
4.3.3 Client-side 3
Last client-side solution is carried out via Crypton JavaScript framework, which
is mainly used by SpiderOak. It is developed as client - side, server acts as
dumb pipe to store and retrieve data. It is compatible with Node.js and many
others.
Advantages using are due to following reasons, such as: it has been used
for SpiderOak as main solution, it is open source and publicly available, user
will be able to read the le from any device, the framework has been maintained
since 2013, and importantly they have conducted two security audits, which are
transparently available [14]. While disadvantages are that it is not well doc-
umented, their documentation is not completed yet, and it requires additional
implementation on iWE platform side.

44
4.3.4 Server-side
Unlike the client-side solutions, here we consider only the server-side implemen-
tation. Realized by AWS solution, and such available model solutions have been
explain in Section 4.2. Even though there are three possible models, for both
client-side and server-side encryption, here we focus only on model C (server-side
encryption using AWS-Managed Keys). Which allows AWS controls the encryp-
tion method and the entire KMI [7, page 12-17.]. In other words, AWS provides
server-side encryption of the data, transparently managing the encryption method
and the keys.
Such solution has been carried out with AWS Key Management Service
(KMS), and other services that encrypt the data directly use a method called
envelope encryption to provide a balance between performance and security. En-
velope encryption is described in Appendix section C.2.3, Figure C.6.
In a nutshell, based on the introduction of [4, 30, pp 37-38.], the encryp-
tion process is described as follows:
1. The encryption client or server-side with AWS Key Management Service
generates a one-time-use symmetric key, it is called envelope symmetric
key. This key is used to automatically encrypt data on the cloud.
2. The Assignment of a unique encryption key. This key could be symmetric
key or asymmetric key (public/private key). It is used to encrypt the en-
velope symmetric key. This key should be properly stored and managed,
backup should be made in case of losing or storage media damage.
3. Data is encrypted with the envelope symmetric key. Encrypted data and the
encrypted envelope symmetric key are uploaded to cloud. The encrypted
envelope symmetric key is stored as part of the object metadata.
Advantages are, that it is quite well documented, available APIs, straight-forward
solution and implementation, client has the complete ownership of keys. Thus
the chances of data theft from CSP side are eliminated.
Disadvantages are since client has the complete control of keys, and if in
any case loses the key, so the client will lose the data as well. The CSPs will not
be responsible for recovering the data.

45
4.4 Discussion
Encryption of sensitive data is an essential and standard approach to preserve
privacy in cloud. Thereby encryption based approaches are classied into two
general types: client-side and server-side encryption. Chunguang [30, p. 37-58]
discusses the advantages and disadvantages of both types in details in his report.
Exceptionally, emphasizing that client-side encryption could achieve better con-
dentiality and privacy protection. While server-side encryption could achieve
a better performance. However, the main problem is that key management and
encryption/decryption process are performed by CSPs, hence trust need to be
improved to achieve better privacy protection in the cloud, by transparently dis-
playing the audit reports.
Moreover, in this research we oer an end-to-end encryption solutions
for iWE platform. Addressing the privacy issues for cloud services, control and
transparency over how customer data is protected as key element for trustworthy
cloud service. Within multiple challenges to tackled, and each of them taken into
account of our solutions. We divided our solutions into two group types, such
as client-side encryption and server-side encryption. For client-side encryption
we endeavour the implementation through state-of-the-art design, coupled with
open source JavaScript libraries, and open source JavaScript framework. Whole
are facing with unique advantages and disadvantages, given above. Whereas for
server-side encryption solution we suggest the oering by AWS.
The dierence between client-side and server-side encryption is due to
fact that customers can not trust the CSP. As well as, the solution providers, as
we are. Therefore, for the need of the customers, we have designed zero knowledge
encryption solutions which will meet our customer condentiality and privacy
demands, as well as can meet the usage in multiple devices simultaneously. And
if in any case, intruder gain access to the cloud storage, he could not be able to
retrieve nor read the data without knowing the user password. Likewise, neither
the developers nor CSP employees could have access to the data. However, the
down side of this implementation is, if in any chance the user loses his password,
therefore the data is lost too. Among other things, if the user password is changed,
then the les are required to be re-encrypted, which is aecting the performance,
and so on.
46
4.5 Summary
Encrypting data in the cloud could eciently protect data condentiality and
privacy, only if it is implemented in proper fashion. In this chapter, we introduce
the problem statement and challenges facing implementation of zero-knowledge
data at REST benecent to iWE platform. Available solutions are reviewed, and
hand over solutions for client-side and server-side encryption. General approaches
are discussed in Section 4.3, with there advantages and disadvantages. Where in
the end, we discuss the privacy and trust problem, coupled with the possible
scenario if the intruder gain access to the cloud storage, if the user loses and/or
changes the password, what are further actions.
To sum, data condentiality can be achieved not only if the solutions are
designed and implemented properly, but signicant factor is the awareness of the
user too, that are: using complex password, be aware of security best practice,
and so forth.
Chapter 5
Conclusion
This report is set out to demonstrate the everyday handling activities related to
cyber security researcher internship at iWE for duration of six months.
5.1 Conclusion
In Europe cyber insurance is arising, and in the same time insurance companies
are starting to a greater extent oering cyber insurance policies, in other words
premiums. In the same fashion, we have increasingly data breaches, followed
by incidents aecting IT assets and having impact on the businesses. Growing
number of available vulnerabilities and exploits are contributing to businesses
risk. Where Freund and Jones later this year noted in their book that today
risk is the probable frequency and probable magnitude of future loss [24]. And
indeed, having this in mind, we are craving to provide solutions and services to
those issues.
Accordingly, iWE as a spin-o company of GMC loss adjuster, have
devoted the period of six months to initialize and set up security laboratory
within main focus on providing services respectfully to cyber security. At the
same time, during this period, we have managed to handled three cases regarding
incident response service. Moreover, one cyber security audit was conducted for
CII company and we designed tools for hence service delivery. Last but not least,
in the meantime we have designed cornerstone approach for placing iWE SaaS
platform to be one of the few utmost secure collaboration application in to the
47
48
cloud, by implementing end-to-end data at REST secure architecture.
In the long run, rst we have conducted market analysis, recognizing
the competitors in the eld of security, specially to cyber security. Based on the
analysis we have conclusively determined the needed services, and established
working, procedures and process ow. By producing supported templates and
tools for future delivery. Aside of marker analysis, secondly we handled several
cases and audits respectfully to already dened services. Where we prepared and
presented white paper in NATO ARW. And nally, we propose zero knowledge
end-to-end cloud encryption for iWE platform.
Obviously in this report we have stress the importance on the risk mitiga-
tion and risk acceptance, yet we tried to emphasis the importance of risk transfer,
too. And in reality, cyber space faces risks due to security attacks, as well as risks
due to non-security related failures (e.g., our case example: water leak, hardware
crash, buer overow, hazards, etc.). However, cyber insurance agencies would
most likely insure risks only due to security attacks (e.g., data breach, malware,
conditional redirect, etc.).
In this regard we believe that six months of internship period was dy-
namic and extremely interesting. Facing with dierent challenges everyday, and
at the same time providing eective and benecial services to customers, without
a signicant degradation in performance. Undoubtedly, cases regarding incident
response and digital forensics in coming months will increase, as well as cyber
security audit and so on.

Bibliography
[1] NIST-FIPS PUB 197. Advanced encryption standard (aes). On-line avail-
able: http://csrc.nist.gov/publications/ps/ps197/ps-197.pdf, November
2001. 4.2
[2] ISO/IEC 27001. Information technology - security techniques - information
security management systems - requirements. On-line. 3.1.2
[3] Amazon. Protecting data using server-side encryp-
tion with aws kms-managed keys (sse-kms). Online:
http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html,
2014. 4.2
[4] Amazon. Amazon web services documenta-
tion: Amazon simple storage service. On-line:
http://docs.aws.amazon.com/AmazonS3/latest/dev/Welcome.html,
21.02.2014. 4.3.4
[5] Mohammad Mannan Atieh Saberi Pirouz, Vladimir Rabotka. Friendlymail:
Condential and veried emails among friends. Concordia University, Mon-
treal, Canada, March 14, 2014. 3
[6] Je Bardin. A standard, a framework or a standard framework? On-line
available, April 2009. Retrieved on 15/10/2014. 3.1.2
[7] Ken Beer and Ryan Holland. Encrypting data at rest. Technical report,
Amazon Web Services, November 2014. (document), 4.2, 4.3.4, C.6
[8] S.M. Bellovin and M. Merrit. Augmented encrypted key exchange: a
password-based protocol secure against dictionary attacks and password le
49
50
compromise. In ACM Computer and Communications Security (CCS'93),
pages 244250, 1993. 4.2
[9] Karthikeyan Bhargavan and Antoine Delignat-Lavaud. Web-based attacks
on host-proof encrypted storage. 2012. 4.2
[10] Boxcryptor. Homepage. On-line: https://www.boxcryptor.com/. 4.1, 2, 4.2
[11] A. Calder and S. Watkins. IT Governance. A Manager's Guide to Data
Security and ISO 27001/ISO 27002. Kogan Page Limited, 2008. 3.1.1
[12] Matthew Campagna. Aws key management service cryptographic details.
Technical report, Amazon Web Services, November 2014. 4.2
[13] COBIT. Control objectives for information and related technology (cobit).
On-line: http://www.isaca.org/COBIT/Pages/default.aspx. 3.1.2
[14] Crypton. Audits. On-line: https://crypton.io/docs/security/audits.html,
2014. 4.3.3
[15] J. Daemen and V. Rijmen. The block cipher rijndael. in smart card research
and applications. Springer, pages 277284, 2000. 4.2
[16] Stefan Schmid Roger Wattenhofer Dominik Grolimund, Luzius Meisser.
Cryptree: A folder tree structure for cryptographic le systems. 2006. 4.2
[17] Steve Durbin. Cyber crime: battling a growth industry. Financial Times,
September 5 2014. 3.1.1
[18] ENISA. Inventory of risk management - risk assessment methods and tools.
On-line available: http://rm-inv.enisa.europa.eu/, 2014. 3.1.2
[19] Security for Industrial Automation, Control Systems: Establishing an Indus-
trial Automation, and Control Systems Security Program. Ansi/isa-62443-
2-1 (99.02.01)-2009, 2009. 3.1.2
[20] Security for Industrial Automation, Control Systems: System Security Re-
quirements, and Security Levels. Ansi/isa-62443-3-3 (99.03.03)-2013, 2013.
3.1.2
[21] Forbes.com. The nsa's slideshow explaining its prism surveillance pro-
51
gram. On-line: http://www.forbes.com/pictures/mhl45eedji/prism-slide-1-
5/, April 2013. 4.1
[22] Information Security Forum. The Standard of Good Practice for Information
Security. Information Security Forum, March 2003. 3.1.2
[23] B. Fraser. Site security handbook. network working group and internet en-
gineering task force. On-line, September 1997. 3.1.2
[24] Jack Freund and Jack Jones. Measuring and Managing Information Risk: A
FAIR Approach. Butterworth-Heinemann, August 22, 2014. 5.1
[25] Boxcryptor Secomba GmbH. Technical overview. On-line:
https://www.boxcryptor.com/en/technical-overview, 2014. 4.2
[26] Google. Syme. Google Chrome extension:
https://chrome.google.com/webstore/detail/syme/kebgjahkgfpaeidbimpiefobehkjmani.
[27] Google. End-to-end google code. On-line: https://code.google.com/p/end-
to-end/, 2014. 2
[28] Slawomir Grzonkowski and Wojciech Zaremba. Extending web applications
with a lightweight zero knowledge proof authentication. CSTST 2008, Oc-
tober 27-31, 2008. 4.1
[29] R. Canetti H. Krawczyk and M. Bellare. Hmac: Keyed-hashing for message
authentication. February 1997. 4.3.1
[30] Chunguang Hao. A survey and classication of privacy-preservation mech-
anisms for cloud data management. Master's thesis, University Magdeburg,
Faculty for Computer Science, April 2, 2014. 4.3.4, 4.4
[31] Department of Homeland Security (DHS) ICS-CERT. Assessments: The
cyber security evaluation tool, May 2014. 3.1.2
[32] Je.Mott.OR. Crypto-js: Javascript implementations of standard
and secure cryptographic algorithms. Google code, 2014. On-line:
https://code.google.com/p/crypto-js/. 2
[33] J. Jonsson and B. Kaliski. Public-key cryptography standards (pkcs) 1: Rsa

52
cryptography specications version 2.1. RFC 3447 (Informational), Feb.
2003. On-line: http://www.ietf.org/rfc/rfc3447.txt. 4.2
[34] Christine Kuligowski. Comparison of it security standards. Master's thesis,
Master of Science Information Security and Assurance., 2009. 3.1.4
[35] Idaho National Laboratory. A comparison of cross-sector cyber security
standards, September 9 2005. 3.1.4
[36] John Landy. Your sensitive information could be at
risk: File sync and share security issue. On-line:
http://blogs.intralinks.com/collaborista/2014/05/sensitive-information-
risk-le-sync-share-security-issue/, May 6 2014. 4.1
[37] L. Buttyán Lám, Sz. Szebeni. Invitation-oriented tgdh: Key management
for dynamic groups in an asynchronous communication model. Interna-
tional Workshop on Security in Cloud Computing (CloudSec), Pittsburgh,
PA, September 2012. 4.2
[38] Suryadipta Majumdar. On end-to-end encryption for cloud-based services.
Master's thesis, Applied Science in Information Systems Security at Concor-
dia University Montréal, Québec, Canada, September 2014. 4.1, 4.1, 4.2
[39] James Manger. A chosen ciphertext attack on rsa optimal asymmetric en-
cryption padding (oaep) as standardized in pkcs 1 v2.0. CRYPTO '01 Pro-
ceedings of the 21st Annual International Cryptology Conference on Advances
in Cryptology, 2001. 4.3.1
[40] Ian Mann. Hacking the Human: Social Engineering Techniques and Security
Countermeasures. Gower, November 2008. 3.1.3
[41] Manuel Leithner Markus Huber Edgar Weippl Martin Mulazzani, Sebas-
tian Schrittwieser. Dark clouds on the horizon: Using cloud storage as attack
vector and online slack space. Presentation by SBA Research, 2011. 4.2
[42] Christian Cachin Michael Backes and Alina Oprea. Secure key-updating for
lazy revocation. 2006. 4.2
[43] Tom Moertel. Never store passwords in a database! Blog post, On-
line: http://blog.moertel.com/posts/2006-12-15-never-store-passwords-in-a-
database.html, December 15 2006. 4.1

53
[44] North American Electric Reliability Corporation (NERC). Draft standard
1300 - cyber security. On-line, September 2004. 3.1.2
[45] Igor Odnovorov Nicholas Stamos. Seamless secure private collaboration
across trust boundaries, Oct 29, 2013. 4.2
[46] NIST. NIST SP 800-53 Rev. 4: NIST Special Publication 800-53 Revision
4, Security and Privacy Controls for Federal Information Systems and Or-
ganizations. NIST, April 2013 (including updates as of January 15, 2014).
3.1.2
[47] NIST. Framework for improving critical infrastruc-
ture cybersecurity, version 1.0. On-line available:
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-
021214-nal.pdf, February 12, 2014. 3, 3.1.1, 3.1.2, B.1
[48] Nortoninternetsecurity.cc. Data loss prevention | norton internet se-
curity. Online: http://www.nortoninternetsecurity.cc/2011/03/data-loss-
prevention.html, 2011. Retrieved 13.12.2014. 4
[49] Council on Cyber Security. The critical security controls for eective cyber
defense. On-line available: https://www.sans.org/media/critical-security-
controls/CSC-5.pdf. 3.1.2
[50] OWASP. The open web application security project. On-line available, 14
August 2014. Retrieved on 14/10/2014. 3.1.2
[51] Ranjan Pal. Improving Network Security Through Cyber-Insurance. PhD
thesis, UNIVERSITY OF SOUTHERN CALIFORNIA, December 2014. 1.1
[52] Pandor. Website: https://pandor.me/, 2014. 2
[53] Cam Pedersen and David Dahl. Crypton: Zero-knowledge application frame-
work. September 2014. Project homepage: https://crypton.io. 4.2
[54] C. Percival. Stronger key derivation via sequential memory-hard functions.
BSDCan 2009, pages 116, 2009. 4.2
[55] C. Percival and S. Josefsson. The scrypt password-based key derivation
function draft-josefsson-scrypt-kdf-01. Network Working Group, September
24 2012. 4.2, 4.3.2

54
[56] Niels Provos and David Mazieres. A future-adaptable password scheme.
USENIX 1999, June 1999. 4.3.1
[57] Alexander Lin Ryan Cheu, Patrick Yang and Alexander Jae. Narwhal: An
implementation of zero knowledge authentication. Massachvsetts Institvte of
Technology, May 14, 2014. 4.1
[58] S. Micali S. Goldwasser and C. Racko. The knowledge complexity of inter-
active proof-systems. In STOC '85: Proceedings of the seventeenth annual
ACM symposium on Theory of computing, ACM Press, pages pages 291304,
1985. 4.1
[59] Safebox. Safeboxapp.com. On-line: http://safeboxapp.com/. 2
[60] SANS. Nerc cip standard mapping to the critical security controls - draft.
On-line: On-line available: https://www.sans.org/media/critical-security-
controls/nerc-cip-mapping-sans20-csc.pdf, Retrieved on 08/10/2014. 3.1.4
[61] Thomas Muders Matthew Smith Sascha Fahl, Marian Harbach. Condential-
ity as a service - usable security for the cloud. 2012 IEEE 11th International
Conference on Trust, Security and Privacy in Computing and Communica-
tions, 2012. 3
[62] Razieh Skeikhpour and Nasser Modiri. An approach to map cobit processes
to iso/iec 27001 information security management controls. International
Journal of Security and Its Applications Vol. 6. No. 2, April 2012. 3.1.4
[63] Predrag Tasevski. Interactive Cyber Security Awareness Program. LAP Lam-
bert Academic Publishing, August 2012. 3.1.2
[64] Ernst Biersack Thomas Mager and Pietro Michiardi. A measurement study
of the wuala on-line storage service. IEEE P2P 2012, 2012. 4.2
[65] Dan C. Tofan. Information security standards. Journal of Mobile, Embedded
and Distributed Systems, vol. III, no. 3, 2011. 3.1.2, 3.1.3, 3.1.4
[66] Alexandru Totolici. Crypstor: A platform for secure storage. Master's thesis,
The University of British Columbia, Vancouver, Canada, June 2013. 4.2
[67] Tresorit. White paper. Technical report, Tresorit, 2013. 4.2

55
[68] Dylan Tweney. Hackers claim they have stolen nearly 7 million dropbox pass-
words (updated). Online: http://venturebeat.com/2014/10/13/apparent-
hackers-claim-they-have-stolen-nearly-7-million-dropbox-passwords/, Octo-
ber 13 2014. 4.1
[69] Tresorit website. Tresorit, 2014. On-line:
https://tresorit.com/business/upgrade?free-trial&gclid=CMmJ0-
Lsx8ICFcvpwgodFUsABw. 1, 4.2
[70] Duane C. Wilson and Giuseppe Ateniese. "to share or not to share" in client-
side encrypted clouds. Information Security, Lecture Notes in Computer
Science Volume 8783, pages 401412, 10 Apr 2014. 4.2
[71] Bing Sun Yuechuan Wei, Chao Li. Related-key impossible dierential crypt-
analysis on crypton and crypton v1.0. 2011 IEEE, 2011. 4.2
[72] Minqi et al Zhou. Services in the cloud computing era: A survey. Universal
Communication Symposium (IUCS), 2010 4th International 18, pages 4046,
Oct. 2010. 4.1

56
APPENDICES
Appendix A
Incident Response
The following Appendix section provides a further details regarding the services
for particular cases in subsections.
A.1 Case 1
In Figure A.1 we have illustrated the Incident Response Plan for Case 1. The main
reason for such illustration is to be able to identify the behaviour, functionality
and operation of the incident.
59
60
Figure A.1: Case 1: Incident response plan and time line.
Figure A.2 illustrates the discovered vulnerability used by the intruder,
and it demonstrates the preliminary motivation of the attack.

61
Figure A.2: Case 1: Vulnerability attacking owchart.
A.2 Case 2
From log analysis, we reconstructed the following sequence, shown in Figure
A.3:
Figure A.3: Case 2: Log analysis: GET requests, identifying IP address, time
stamp (starting and ending point on the attack), which application
is used for attacking purpose, country ISO code, category and type
of attacks.
62
From the above gure we can identify that the rst attack was on Septem-
ber 28 2014, followed by a second on November 6 2014. However, we have not
identied in the footsteps of explicit query to retrieve the contents of a columns
(customers _ mobile, customers _ password, customers _ emailaddress ) from
the table of the database of insured website.
In addition, on 8 September 2014 a vulnerability on the open source
platform used by the insured was identied, Figure A.4. The following exploits
1
are from Exploit-DB website.
Figure A.4: Case 2: Exploit-DB, list of osCommerce exploits.
Finally, we were able to identify the following types SQL injections, used
to exploit the web site vulnerability: blind, union queries, string concatenation
and incorrect type handling. Among the types of attacks we also were able to
identify what vulnerability scanning tools were used to exploit the web site, such
as, Acunetix2 , Havij3 , and sqlmap4 .
A.3 Case 3
For better understating the log analysis, and what had happened we have pro-
vided the time line, which is illustrated in Figure A.5.
1 Exploit-DB: http://www.exploit-db.com/search/?action=search&filter_page=1&
filter_description=oscommerce&filter_exploit_text=&filter_author=&filter_
platform=0&filter_type=0&filter_lang_id=0&filter_port=&filter_osvdb=
&filter_cve=. Last checked 10/12/2014.
2 Acunetix: https://www.acunetix.com/. Last checked on 09/12/2014.
3 Havij Advanced SQL Injection: http://www.itsecteam.com/products/
havij-advanced-sql-injection/. Last checked on 09/12/2014
4 sqlmap: automatic SQL injection and database takeover tool, http://sqlmap.org/. Last
checked on 09/12/2014.
63
Figure A.5: Case 3: Log analysis time line.

64
Appendix B
Cyber Security Audit
Here we provide further details regarding the build and developed cyber security
audit tool, with couple of illustrations and so on.
B.1 Cyber Security Audit Tool
The cyber security audit tool (see Figure B.1) identies the four essential process
of our developed tool for cyber security audit service. For instance functions
are: identifying, protecting, detecting, responding and recovering any event of
cyber attacks into organizations. Such methodological approach was seized from
NIST Framework [47]. Among the functions we additionally added several other
categories, which in our opinion were missing from the framework and will lead
to customers needs. And at the same time to bring more value and to be in fact
benecial and ecient by covering the latest technologies and threats, such as,
bring your own device (BYOD), human factor, etc.
65
66
Figure B.1: Cyber Security Audit TOOL map.

Appendix C
Security Architecture
In present section we provide comparison of several dierent existing CSPs, se-
quence diagrams for client-side solutions, and server-side envelope encryption.
C.1 Comparison of cloud storage providers
Table C.1 compares dierent existing solutions. Here for each secure cloud stor-
age providers we address the implementation, encryption of personal/master key,
transport encryption methodology, with what algorithm data is encrypted, what
are their requirements, and least the possible attacks, such as: brute force pass-
word attack, replacing public keys, counterfeiting certication, and N/A means
not applicable, because we were not able to nd any related work regarding the
weakness of nCrypted Cloud solution.
67
68
Crypton Cryptree (aka BoxCryptor Tresorit nCrypted Cloud Amazon AWS

(aka SpiderOak) Wuala)
Implementation Client-side Client-side Client-side Client-side Client-side Client/server-
side
Personal Key Crypton Cryptree AES-256 AES-256 in AES 256 ZIP, Customer/KMI/
CFB mode PBKDF2 CloudHSM/
SHA256 AWS-Managed
Keys
Encryption transport SRP ARQ Data Space TLS and ICE Twisted/SSH OpenSLL
Sync
Encryption storage AES-256 CFB AES-128/256 EncFS - RSA or TGDH AES and RSA Custom/TDE/
& AES-256 NNE
HMAC-SHA256
Requirements User-level keys User-level keys Pre-key- User-level keys User-level keys Pre-key-
exchange & exchange
user-level keys & user-level
keys
Attacks brute force brute force brute force counterfeit N/A brute force
password, password, password, certication password,
replacing replacing replacing replacing
pub-keys pub-keys pub-keys pub-keys
& counterfeit
certication
Table C.1: Comparing dierent existing solutions for secured cloud storage.
69
C.2 Solutions
C.2.1 Client-side 1
Figure C.1: Client-side 1: Key generation for a new user.
Figure C.2: Client-side 1: Encryption of le - sender.

70
Figure C.3: Client-side 1: Decryption of le for the recipient.
C.2.2 Client-side 2
Figure C.4: Client-side 2: Key generation for a new user.

71
Figure C.5: Client-side 2: Key generation for a new group.
C.2.3 Server-side
Figure C.6: Server-side: Envelope encryption [7].
View publication stats

Post Master Report TASEVSKIv3

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Post Master Report TASEVSKIv3

Загружено:

Авторское право:

Доступные форматы

See discussions, stats, and author profiles for this publication at: https://www.researchgate.

Cyber Security Researcher - Internship report at iWE

Thesis · January 2015

The user has requested enhancement of the downloaded file.

fulllment of the requirement for the award of the

Degree for Post - Master of Security in computer systems and communications

Networking and Security Department at

candidature of any other degree.

Student : Predrag TASEVSKI

Date : 08 January 2015

Academical Supervisor: Prof. David BALZAROTTI

Company Supervisor: Christophe LAYE

I also like to thank all other company members of iWE, as well as

Graduated School and Research Center in Communication Systems - EURE-

ing my post-master's program. I would like to show my gratitude to prof.

David BALZAROTTI and prof. Aurélien FRANCILLON for their insightful

At the end, I would like to acknowledge the unconditional aection and

us in this world while I was in internship and writing this report.

Predrag TASEVSKI, Sophia-Antipolis, France

Cyber security is considered as appropriate means of cyber crime, cyber risk,

insurance, and awareness to absorb nancial impact caused by computer security

have impact on our world. Nonetheless, this report is demonstrating internship

selected segments of what we have tackled during the internship period.

In a meantime, we provide company overview, followed by the internship

Moreover, we have discussed the importance of cyber security, cyber

transfer, or in other words cyber insurance industry.

La cybersécurité est considérée comme un moyen approprié pour combattre la

cybercriminalité , an de dimunier les cyber risques, l'assurance , et la sensibil-

informatique. Depuis le premier incident informatique , nous avons débattu de

ce rapport démontre le ux de travail à partir de Juillet jusqu'à Décembre 2014.

avons abordé au cours de la période de stage.

Dans un même temps , nous vous fournissons un aperçu de l'entreprise ,

suivie par la description de stages et les objectifs fondamentaux. Ensuite , nous

vous exposons notre contribution à la période de stage et le rapport , aussi. En

exemple : réponse aux incidents et le service médico-légal numérique , le long dans

les cas de transport; suivie par la participation à l'atelier de recherche avancée

sécurité de cyber; et surtout le rapport de la contribution sur la recherche pour

solution de REST dans les nuages pour la plateforme iWE.

En outre , nous avons discuté de l'importance de la cybersécurité ,

l'assurance cyber , le risque de cyber , couplée avec l'approche obéissant de la

sécurité informatique et de l'information. Et enn , nous concluons en pointant

l'accent sur transferts a hauts risques l , ou en d'autres termes: industrie de

List of Tables xvi

List of Appendices xvii

List of Symbols xxi

1.2 Internship Description 3

1.3 Internship Objectives 5

2.2.2 Executive Summary 13

2.3.2 Executive Summary 15

2.4.2 Executive Summary 18

3 Cyber Security Audit and Awareness 21

3.1.3 What to achieve? 28

4.2 Related Work 36

2.1 Incident Handling Flow. 10

2.2 Incident Response Handling Process. 11

2.3 Dxxxxx.fr website screen-shot. 16

2.4 Dxxxxxx.fr tracking order form - screen-shot. 17

A.1 Case 1: Incident response plan and time line. 60

A.2 Case 1: Vulnerability attacking owchart. 61

A.3 Case 2: Log analysis: GET requests, identifying IP address, time

stamp (starting and ending point on the attack), which application

A.4 Case 2: Exploit-DB, list of osCommerce exploits. 62

A.5 Case 3: Log analysis time line. 63

fulllment of the requirement for the award of the

At the end, I would like to acknowledge the unconditional aection and

insurance, and awareness to absorb nancial impact caused by computer security

cybercriminalité , an de dimunier les cyber risques, l'assurance , et la sensibil-

ce rapport démontre le ux de travail à partir de Juillet jusqu'à Décembre 2014.

sécurité informatique et de l'information. Et enn , nous concluons en pointant

A.2 Case 1: Vulnerability attacking owchart. 61

C.2 Client-side 1: Encryption of le - sender. 69

C.3 Client-side 1: Decryption of le for the recipient. 70

C.1 Comparing dierent existing solutions for secured cloud storage. 68

DH-EKE Die-Hellman key exchange

TGDH Three-based Group Die-Helman

cyber security as a spin-o of GM Consultant (GMC). The company was founded

eective risk management. And it is a risk management technique via which