Executive Summary
Previously identified threats were addressed from two perspectives: risk management strategies and control identification. The risks were code injection attacks, DDoS attacks, and buffer overflow vulnerability. From the risk management perspective, it was established that risk avoidance and risk acceptance are inapplicable to these threats: avoidance would impose limitations on the organization’s operation, deteriorating its current performance and hindering further development, while acceptance would leave sensitive data and service availability exposed.
Instead, the risk mitigation strategy was recommended, and the particular measures to be taken under it include encrypting messages containing credentials and other sensitive information instead of sending them in plain text, protecting the server, and creating tools for detecting suspicious activity. From the control identification perspective, it was established that three major categories of controls exist: preventive, detective, and corrective. The division corresponds to their functions.
In terms of their implementation, one more category should be identified: administrative controls, i.e. those that require changes in existing policies and procedures. Preventive controls were recommended for the threats of code injection attacks (cryptographic protocols in place of plain FTP) and DDoS attacks (server protection, reverse proxies); the same filtering of incoming traffic also serves as a corrective control once a DDoS attack is under way. For buffer overflow vulnerability, a detective control was recommended (a stack check that compares a guard value on the stack with its pre-established value) together with preventive controls (data execution prevention and a split stack).
Further, the importance of risk management and control identification for the organization is explained, and it is stressed that defining, prioritizing, and addressing risks, along with properly classifying the instruments needed for effective risk management and control development, are crucial for the organization’s security and continuous development.
Strategies for Addressing the Risks
Three threats were established to be relevant to the organization: code injection, DDoS attacks, and buffer overflow vulnerability. For each, a strategy for addressing the risk should be selected. Code injection attacks are a risk because they compromise sensitive data stored by the organization. Risk acceptance, one of the possible risk management strategies, is inapplicable here because the security of data must remain a primary consideration for any organization. Data loss or data theft leads to dramatically negative consequences: an organization exposed to them may lose money and jeopardize the confidential personal information of its members.
Risk avoidance is not the optimal option either, because adopting it would mean reducing the amount of data shared and processed; such a reduction is unreasonable, since it limits the organization and hinders its development. Therefore, the recommended approach is the risk mitigation strategy, i.e. making it harder for a code injection attack to compromise data. One measure is to encrypt messages instead of communicating credentials in plain text. It should be noted that encryption protects credentials and data in transit from being read or replayed; it does not by itself make an application reject injected input, so it should be paired with the access restrictions described under the controls below.
Second, DDoS attacks are a risk because they aim to overload a server, which can crash it or dramatically decrease its speed. Floods of illegitimate requests saturate the organization’s network, so the work of the many employees connected to that network is affected and undermined. During such an attack many tasks remain unaccomplished, and the loss of time is a major consequence.
Again, risk acceptance is not an option, because the organization cannot tolerate the risk of temporarily decelerating or shutting down its operation due to server overload. To mitigate the risk, it is recommended to protect the server by placing reverse proxies in front of it: a reverse proxy terminates incoming connections on behalf of the origin server, absorbs the load, and can filter, rate-limit, or drop requests before they reach the server. This solution is part of the risk mitigation strategy because it prevents negative outcomes or makes them less probable without restricting the operation of the organization in its present form and volume. Reverse proxies can also be used when an attack has already started in order to mitigate its consequences, but it is suggested to deploy them beforehand.
Third, as previously established, buffer overflow vulnerability is a lesser risk than the previous two, primarily because buffer overflow attacks are often unreliable in practice (a working exploit depends on the exact memory layout of the target), but it still requires attention from the perspective of risk management.
As with the other two risks identified for the organization, buffer overflow cannot be fully ruled out. Avoiding the risk is problematic because it would affect the organization’s operation, while accepting it is not recommended because sensitive data can still be stolen. The recommended solutions, including data execution prevention (which stops memory regions holding data from being executed as code), fall into the category of risk mitigation instruments.
Rice and AlMajali (2014) divide the activities of mitigating the risks of cyber attacks into two groups: “prevention (mitigations that reduce the likelihood of an event) and tolerance (mitigations that reduce the consequence of an event)” (p. 581). For all three threats identified for the organization, both prevention and tolerance measures should be taken, and the risk mitigation strategy is the optimal solution.
Potential Controls
Before developing controls for the established threats, it is useful to identify the types of controls needed in different situations. Administrative controls are those that modify existing policies and internal operating procedures. Preventive controls act before an incident: they reduce the probability of negative developments, for example by restricting access or refusing traffic that should not reach a server.
Detective controls are designed to track developments and spot unwanted ones in the areas where preventive controls have failed. Corrective controls “provide recovery mechanisms to mitigate the impact of failed changes” (DiFalco, Keeler, & Warmack, 2016, para. 20). Secure operation usually requires combining controls of all three types, since no single preventive measure is reliable on its own.
The controls recommended for addressing the risk of code injection attacks include restricting access to the FTP server, not storing passwords on local hardware, replacing basic FTP with a cryptographic protocol (SFTP or FTPS), and encrypting messages containing sensitive information. Some of these controls are administrative, as they revise the policies governing employees’ use of the systems.
The controls are also preventive: they reduce the risk of code injection but do not address its consequences if an attack has already occurred. Corrective controls relevant to the code injection and data loss/theft risk aim at minimizing the damage; for this, the organization should store its important data in a way that does not allow one attack to cause significant losses, i.e. segmented across systems and with recoverable copies, so that a single compromised host neither exposes nor destroys all of it.
For addressing the risk of DDoS attacks, the organization should place reverse proxies in front of its servers, for example across several hosting locations so that load can be distributed. As previously stressed, the main purpose is to protect the server from being overloaded with illegitimate requests, which is why the recommended control is primarily preventive, with an administrative component, since hosting and deployment procedures change. The general idea of creating obstacles for unwanted traffic can be taken further with the many available tools, some of which not only contribute to the prevention of DDoS attacks but also help support the server during an attack (rate limiting, request filtering, and traffic absorption upstream of the origin). Such obstacles to overwhelming the server therefore serve as corrective controls, too.
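One concrete form of the obstacle a reverse proxy puts between the network and the origin server, as an added example that is not part of the original document: a per-source request counter that refuses traffic beyond a fixed budget per time window. The window length, the budget, the table size and the sample of requests are assumptions constructed for illustration; production proxies (for instance nginx’s limit_req module, which uses a leaky-bucket algorithm) implement the same idea with more refined bookkeeping.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the original document): a fixed-window, per-source
 * request limiter of the kind a reverse proxy applies in front of the origin
 * server. The window length, per-window budget and table size are assumed
 * values chosen for illustration. */

#define WINDOW_SECONDS  10u   /* assumed: length of one counting window */
#define MAX_PER_WINDOW  5u    /* assumed: requests one source may send per window */
#define MAX_SOURCES     64    /* assumed: distinct sources tracked at once */

struct source {
    char     ip[46];         /* textual IPv4/IPv6 address */
    uint64_t window_start;   /* time (seconds) at which the current window began */
    unsigned count;          /* requests seen from this source in the current window */
};

struct limiter {
    struct source s[MAX_SOURCES];
    size_t used;
};

/* Locate the entry for ip, creating one if there is room. Returns NULL when
 * the table is full: the limiter then fails closed, so an attacker who can
 * spoof unlimited source addresses cannot exhaust the origin through it. */
static struct source *lookup(struct limiter *l, const char *ip, uint64_t now)
{
    for (size_t i = 0; i < l->used; i++)
        if (strcmp(l->s[i].ip, ip) == 0)
            return &l->s[i];
    if (l->used == MAX_SOURCES)
        return NULL;
    struct source *n = &l->s[l->used++];
    snprintf(n->ip, sizeof n->ip, "%s", ip);
    n->window_start = now;
    n->count = 0;
    return n;
}

/* Decide one request. Returns 1 if it may be forwarded to the origin, 0 if
 * the source has exceeded its budget for the current window. */
int limiter_allow(struct limiter *l, const char *ip, uint64_t now)
{
    struct source *s = lookup(l, ip, now);
    if (s == NULL)
        return 0;
    if (now - s->window_start >= WINDOW_SECONDS) {  /* window expired: start afresh */
        s->window_start = now;
        s->count = 0;
    }
    if (s->count >= MAX_PER_WINDOW)
        return 0;
    s->count++;
    return 1;
}

/* Constructed sample of incoming requests (source, arrival time in seconds):
 * one ordinary client polling every 15 s and one source flooding within 2 s. */
struct request { const char *ip; uint64_t t; };
static const struct request SAMPLE[] = {
    { "203.0.113.7", 100 }, { "198.51.100.9", 100 }, { "198.51.100.9", 100 },
    { "198.51.100.9", 101 }, { "198.51.100.9", 101 }, { "198.51.100.9", 101 },
    { "198.51.100.9", 102 }, { "198.51.100.9", 102 }, { "198.51.100.9", 102 },
    { "203.0.113.7", 115 }, { "203.0.113.7", 130 },
};

/* Replays the sample through a fresh limiter and returns how many requests
 * were refused; the printing is only for the stand-alone run. */
int replay_sample(void)
{
    struct limiter l;
    memset(&l, 0, sizeof l);
    int refused = 0;
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++) {
        int ok = limiter_allow(&l, SAMPLE[i].ip, SAMPLE[i].t);
        printf("t=%3llu %-14s %s\n", (unsigned long long)SAMPLE[i].t,
               SAMPLE[i].ip, ok ? "forwarded" : "refused");
        if (!ok)
            refused++;
    }
    return refused;
}

int main(void)
{
    printf("%d request(s) refused\n", replay_sample());
    return 0;
}
```

In the sample the flooding source gets five requests through and the remaining three are refused, while the ordinary client is never touched because each of its requests falls into a new window. Two caveats matter in practice: a fixed window lets a source send twice the budget across a window boundary (a sliding window or token bucket removes that), and a limiter at the proxy only helps against floods the proxy itself can absorb, which is why the text also recommends spreading the proxies over several hosting locations.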
To address the buffer overflow risk, it was recommended to place a pre-established guard value on the stack next to each buffer and to have a function check, before returning, that the value is unchanged, so that alterations of the stack become visible; this is the mechanism compilers implement as stack canaries. The control is detective, as it allows spotting negative developments at a stage where effective mitigation measures (aborting the affected process) can still be taken. Another control is preventive: it splits the stack into two parts, keeping return addresses and other control data separate from the buffers that can overflow; although this solution reduces the risk of data theft, it does not rule it out completely.
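The stack check described above, as an added example written for this page rather than taken from the original document: a guard word is placed immediately after a fixed-size buffer, one function returns the pre-established guard value, and a check compares the two after an unchecked copy. The guard value, the buffer size and the sample inputs are assumptions for illustration, and a struct stands in for the real stack frame so that the overflow is a defined write within one object rather than genuine undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the original document): a hand-rolled version of
 * the stack check the text describes. A guard value sits directly after the
 * buffer; the check compares it with the pre-established value before the
 * function returns. GUARD_VALUE and BUF_SIZE are assumed for illustration. */

#define BUF_SIZE    16
#define GUARD_VALUE 0xDEADBEEFu   /* assumed fixed guard; real canaries are random per process */

struct frame {
    char     buf[BUF_SIZE];
    uint32_t guard;   /* occupies the bytes an overflow of buf hits first */
};

/* Returns the pre-established value the check compares against. */
uint32_t guard_value(void)
{
    return GUARD_VALUE;
}

/* Detective control: 1 if the guard still holds the expected value, 0 if the
 * bytes after the buffer were altered. */
int guard_intact(const struct frame *f)
{
    return f->guard == guard_value();
}

/* A copy with no length check, of the kind that creates the overflow. The
 * write is capped at the object size so the demonstration stays defined. */
static void unchecked_copy(struct frame *f, const char *input)
{
    size_t len = strlen(input);
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((char *)f, input, len);   /* more than BUF_SIZE bytes spill into guard */
}

/* Processes one input the unsafe way and returns 1 if the frame survived
 * intact, 0 if the check caught an overwrite. A compiler-inserted check
 * would abort the process at this point instead of returning. */
int process_input(const char *input)
{
    struct frame f;
    f.guard = guard_value();
    unchecked_copy(&f, input);
    return guard_intact(&f);
}

int main(void)
{
    const char *benign   = "user=alice";                         /* constructed: fits */
    const char *overlong = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* constructed: 32 bytes */
    printf("benign:   %s\n", process_input(benign)   ? "intact" : "overflow detected");
    printf("overlong: %s\n", process_input(overlong) ? "intact" : "overflow detected");
    return 0;
}
```

GCC and Clang emit this check automatically under -fstack-protector, with a random per-process guard and a call to __stack_chk_fail that aborts the program when the comparison fails; the split stack the text names as the preventive alternative corresponds to Clang’s SafeStack (-fsanitize=safe-stack), which keeps return addresses on a separate stack that an overflowing buffer cannot reach. Neither replaces data execution prevention: the canary only notices a corrupted frame after the write has happened, and an attacker who can read the guard value first can overwrite it with the correct bytes.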
Importance of Risk Management and Control Identification
Risk management is important in any operation to prevent negative developments and to mitigate their consequences effectively if they occur. Risk management approaches also make it possible to identify the weaknesses of systems and organizations, which is a necessary prerequisite for successful development. Teixeira, Sou, Sandberg, and Johansson (2015) stress that the number of risks identified in an organization can be rather large, which is why “the use of risk management methods [is required] to prioritize the threats to be mitigated” (p. 24). Upon identifying and prioritizing risks, the organization needs to decide what to do with them: tolerate, avoid, or reduce.
The first two options may be inapplicable, and the third requires developing controls to address the risks. Control identification is the process in which the organization establishes what type of measures need to be taken and what outcome each should produce, i.e. what the control will do: prevent, detect, or correct. Selecting strategies and tools is crucial, which is why risk management should be approached as a multi-step process in which every element is properly considered.
References
DiFalco, R. A., Keeler, K. L., & Warmack, R. L. (2016). Information technology governance and controls methods and apparatuses. Web.
Rice, E. B., & AlMajali, A. (2014). Mitigating the risk of cyber attack on smart grid systems. Procedia Computer Science, 28(1), 575-582.
Teixeira, A., Sou, K. C., Sandberg, H., & Johansson, K. H. (2015). Secure control systems: A quantitative risk management approach. IEEE Control Systems, 35(1), 24-45.