Managing Cloud Security Risks For Auric Enterprises: Threats, Vulnerabilities, And Control Measures

Threats

Auric Enterprise conducts metallurgical and mining operation in Australia. They want to move to the cloud to enhance their business activities for good. They should adopt the cloud platform provided by Microsoft Office 365 to carry out their business activities on the cloud.

This report will highlight the threats and the vulnerabilities that Auric can face while moving to the cloud platform. Also, the control measures to mitigate those risks will be showcased.

Auric Enterprises want to move to the Cloud as they want to enhance the business activities and also want to carry out their business activities in a secure manner [4]. They use IPv4 internet connectivity and a strong up-to-date firewall, however, if they migrate to the cloud they will have to face threats which must be addressed. At first, there is a chance of getting data breaches.

They use the MSSQL databases for storing the sensitive secretive data of their customers in their database. After migrating to the cloud, their cloud database will be controlled by third-party cloud vendor, if their database gets compromised then Auric will have to face devastating consequences [7]. Auric will have to pay fines of about $10,000,000. The data breach will also affect their brand name. They will lose reputation; they will lose the brand name. They will lose the customer base as well. Since they are opting to move to Microsoft Azure cloud platform, Auric will not have total control over their data, Microsoft even has the privilege to access the data, so the data is not cent percent authenticated [3]. Even though they use strong up-to-date firewall the risks still reside within.

Other than the data breaches there is still a chance of losing credentials. The enterprise’s systems use various kinds of authentication measures to safeguard their system and the database [6]. The authentication systems which is used widely applied and are quite popular are passwords and phone-based authentication. The passwords must be strong enough otherwise the data can be breached. But the enterprises use weak passwords in general which can be guessed easily and are easily recognizable. That makes the system more vulnerable to threats. Auric must implement a strong password to protect their database from the data breaches. Also, they must use two-way verification system to enhance the security of the database [8]. Auric CEO’s assistant must be aware of this fact and should not share the password and since every action is carried out online the password leaks will prove very costly to them. Often the insiders are great threats to the organization.

Data Breaches

The hackers and the intruders can attack Auric system and can make the whole system vulnerable. Auric needs to use updated hardware, software and application programs, the outdated systems are more vulnerable to threats. Auric also needs to keep a backup of data. The malware attack can lead to havoc; the intruders can steal data can also delete data permanently [6]. Again the DDoS attack or ransomware attack can lead to vulnerabilities. The attackers hijacked one’s system and then disallow the authorized to gain access to their own system. The authorized users can only gain access to their system if they are willing to pay some handsome amount of money. Also after getting access to their system, there is no guarantee the data will be retrieved back [9]. That is why the intruders is a big threat to cloud technology.

The employees of Auric are not aware of the cloud technology and the cloud services, also the management team are not much knowledgeable, they need professional assistance and also need time to learn the cloud technology from scratch [1]. Initially, they will make blunders and thus they can face huge losses initially, they can lose the market share. That is why this is a great threat for the company.

1. Lack of monitoring: The lack of active network monitoring can lead to unscrupulous activities and thus it is a possible threat.
2. Updates: The SCADA systems are inconvenient, the configuration issues arise while the software is updated. The software does not comply with the hardware components [7].
3. Lack of knowledge about the device: Auric technicians must have knowledge about the SCADA systems to use it in an effective way.
4. Not estimating the traffic: The Auric managers and Auric CIO must know the type of network via which their company’s network is going through. CIO knows the advantages of the SCADA systems but he is not aware of the risks, so he must act responsibly [8].
5. Authentic loopholes: The weak password is assign of weak authentication and the SCADA system can be vulnerable due to this reason.

1. Predictable session identifiers: The Base 64 can be decided by the attackers and the attackers can reverse engineer the algorithm for their convenience.
2. Over-dependence on client-side validation: The hackers by changing the settings of browser security and disallow JavaScript to bypass the validation procedures [5].
3. SQL injection: The hackers can exploit the SQL injection weakness and vulnerabilities and their operations range from excavating database access to acquire command execution.
4. Unauthorised execution of operations: The hackers by gaining credentials and session tokens can exploit the system and can make the whole system vulnerable, thus the system can lose authorization [10].
5. Cross-Site Scripting: The hackers can steal cookies and vital data of the browser session and make the system vulnerable. The hackers having extensible knowledge on HTML and also on the scripting language exploit the security of the system.
6. File upload issues: The applications, as well as the files, are vulnerable to malware attacks. The XSS exploits and Trojans and the virus can make the whole system and the database vulnerable to attack [12].
7. Lack of account lockout: The absence of account lockout can make the whole system and the database liable to hackers’ attacks and they will access the attack multiple times and will steal information according to their convenience and steal information data. They will also keep an eye on the website constantly to know the secrets of the organization.
8. No rules for passwords: The weak passwords can lead them to access the database and the system at will. The hackers by Brute-Force method enters the system with ease and can exploit the system [6].
9. Storing unencrypted passwords in the database: The hackers by installing virus can know the hidden passwords and can also access the hidden files stored in the system which are unencrypted [11].
10. Username enumeration: By the method of phishing the hackers can acquire the username and the password to access the cloud system and thus it is a vulnerable issue.
11. Session Timeout: The authenticated user does not sign out the database after the usage of the cloud platform or often they forget to log out, thus provides the opportunity for the hackers to exploit the system with ease [13].
12. Not displaying the previous sessions: Often the users or the customers are not displayed the time and the source of previous logins. The users unknowingly enter the credentials that is the username and the password and their privacy can be compromised in this way. This is a sort of phishing and the cloud data can be breached.
13. Cookie Secure Flag Not Setting properly: The hackers can engineer a connectivity between server and the client and in this way the cookies which gets transmitted via these connectivity channel and the hackers can exploit the system by accessing those cookies [15].
14. Weak ciphers that are enabled in web server SSL configuration: The hackers can exploit the network and can record the conversion in transit and thus can crack the SSL key.

The data breaches generally occur accidentally or they are carried out by the intruders. He breaches are quite difficult to recognise, thus to stay at the safe side Auric Enterprise must install antivirus software at their premises, the antivirus can protect Auric from any kind of threats and vulnerabilities [15]. The malware and the virus attack can be mitigated to a large extent simply by installing this software. The software can cater real-time protection. Auric can stay in peace by simply updating the antivirus software. The finance data of the database can be well secured.

The CEO of Auric Enterprise should be careful of the malicious insiders. It may happen that his assistant shares the passwords with others, and the CEO is completely unaware of that. He must monitor the system and the database regularly and should keep track of any unscrupulous activities within the system. Instead he gives full responsibility to his assistant [16]. Again, he should hire an assistant that knows English, in this way he can communicate well with his assistant.

The intruder attack can be mitigated or can be controlled by applying certain encryption procedures alongside firewall while conducting business activities on the cloud platform [13]. The data can be encrypted by Advanced Encryption Standard (AES) 256. Again, the network must be secure enough to carry out the cloud computing activities. All the data must be transmitted via secured HTTP success utilizing SSL [5]. Only the managers must be given the permission to access the entire database and the rest of the employees must be given control over certain areas of the database.

Malicious Insiders

Auric must hire a professional who is knowledgeable about all the products of the cloud platform and who is expert in accessing the cloud platform [2].  The managers should learn all the aspects of the cloud technology and should help the subordinates and also encourage the subordinates so that they can learn the cloud technology as soon as possible and can use the technology in agile effective manner [13]. Though they will face issues initially, will make blunders, however they should adopt the cloud technology for good and this will certainly help them in long run.

SCADA system can be protected and secured if the system is well monitored by the managers and admins of Auric. The hardware and the software must be updated simultaneously the SCADA system should be built keeping in mind the software must comply with the hardware configuration [14]. Also in this case the managers should hire a professional who will assist the managers and his subordinates to apply the SCADA systems in an efficient way. Besides they should know the traffic type which is transmitting through network and analyzing the traffic the managers can take effective decisions [8]. Only the authorized users must be given the control to access the SCADA system completely. In this way the SCADA system can be secured.

5. Conclusion

It can be concluded from the above discourse that Auric can be greatly benefitted from the cloud technology and Microsoft cloud platform. Microsoft 365 Office Suite has the capabilities to offer them the best cloud solutions to scale up the business. Thus they should adopt the cloud technology for good. The threats associated with adopting the cloud technology have been discussed in this report. Also the vulnerabilities or the weakness of the cloud technology has been detailed in the report as well. The threats like data breaches, intruders attack, inadequate diligence have been elaborated. Again, the threats associated with SCADA systems have been showcased thus a detailed insight or the overview of the company’s business activities can be received. At last, the control measures to mitigate those five threats have been detailed.

6. References

[1] Hashizume, Keiko, David G. Rosado, Eduardo Fernández-Medina, and Eduardo B. Fernandez. “An analysis of security issues for cloud computing.” Journal of Internet Services and Applications 4, no. 1, 2013: 5.

[2] Islam, Tariqul, D. Manivannan, and Sherali Zeadally. “A classification and characterization of security threats in cloud computing.” Int. J. Next-Gener. Comput 7, no. 1, 2016.

[3] Chou, Te-Shun. “Security threats on cloud computing vulnerabilities.” International Journal of Computer Science & Information Technology 5, no. 3, 2013: 79.

[4] AlZadjali, Amira M., Ali H. Al-Badi, and Saqib Ali. “An Analysis of the Security Threats and Vulnerabilities of Cloud Computing in Oman.” In Intelligent Networking and Collaborative Systems (INCOS), 2015 International Conference on, pp. 423-428. IEEE, 2015.

[5] Xiao, Zhifeng, and Yang Xiao. “Security and privacy in cloud computing.” IEEE Communications Surveys & Tutorials 15, no. 2, 2013: 843-859.

[6] Zhang, Su, Xinwen Zhang, and Xinming Ou. “After we knew it: empirical study and modeling of cost-effectiveness of exploiting prevalent known vulnerabilities across iaas cloud.” In Proceedings of the 9th ACM symposium on Information, computer and communications security, pp. 317-328. ACM, 2014.

[7] Khalil, Issa M., Abdallah Khreishah, and Muhammad Azeem. “Cloud computing security: a survey.” Computers 3, no. 1, 2014: 1-35.

[8] Tari, Zahir. “Security and privacy in cloud computing.” IEEE Cloud Computing1, no. 1, 2014: 54-57.

[9] Rasheed, Hassan. “Data and infrastructure security auditing in cloud computing environments.” International Journal of Information Management34, no. 3, 2014: 364-368.

[10] Lin, Guoyuan, Danru Wang, Yuyu Bie, and Min Lei. “MTBAC: a mutual trust based access control model in cloud computing.” China Communications 11, no. 4, 2014: 154-162.

[11] Latif, Rabia, Haider Abbas, Saïd Assar, and Qasim Ali. “Cloud computing risk assessment: a systematic literature review.” In Future Information Technology, pp. 285-295. Springer, Berlin, Heidelberg, 2014.

[12] Jula, Amin, Elankovan Sundararajan, and Zalinda Othman. “Cloud computing service composition: A systematic literature review.” Expert Systems with Applications 41, no. 8, 2014: 3809-3824.

[13] Hutchings, Alice, Russell G. Smith, and Lachlan James. “Criminals in the Cloud: Crime, Security Threats, and Prevention Measures.” Cybercrime Risks and Responses: Eastern and Western Perspectives 2015: 146.

[14] Ali, Mazhar, Samee U. Khan, and Athanasios V. Vasilakos. “Security in cloud computing: Opportunities and challenges.” Information Sciences 305, 2015: 357-383.

[15] Mi, Qing, Zhen-tao Ni, and Xiao-duan Wang. “Research on security threats and Countermeasures for Cloud Computing.” 2015.

[16] McGrath, Michael P., Matthew Hicks, Thomas Wiest, and Daniel C. McPherson. “Controlling utilization in a multi-tenant platform-as-a-service (PaaS) environment in a cloud computing system.” U.S. Patent 8,850,432, issued September 30, 2014.