BICTH1 - Advanced Cybersecurity Assignment 4
DECLARATION
1. I know and understand that plagiarism is using another person’s work and pretending it is
one’s own, which is wrong.
4. I have not allowed, and will not allow, anyone to copy my work with the intention of
passing it off as his or her own work.
Signature: WENDY NHLEKO
Student Number: 21922142
Question 1: Cloud Security
a) Which cloud deployment model do you think is best, balancing cost and security
requirements? Motivate your answer.
For the scenario described, a web app portal with four distinct environments, a hybrid cloud
deployment model is the most appropriate choice because it balances cost against security
requirements:
Production Environment: The main production environment (with client data)
requires a high level of security and compliance. By keeping this environment on-
premises, the organization can maintain full control over security measures, data
protection, and compliance with regulatory requirements. This ensures that sensitive
client data remains within the organization's secure infrastructure.
Quality Assurance and Development Environments: The QA and development
environments, which do not contain client data, are suitable for cloud deployment.
They can benefit from the scalability and flexibility of the cloud, allowing resources
to be provisioned as needed for testing and development purposes. This can help
optimize costs by avoiding the need to maintain idle on-premises resources.
Disaster Recovery Environment: The disaster recovery environment can also be
hosted in the cloud. It should be configured to be highly available and scalable to
meet the organization's disaster recovery needs. Storing data and backup copies in
the cloud ensures data redundancy and availability during emergencies, while cost-
effectively scaling resources only when needed.
By adopting a hybrid cloud model, the organization can strike a balance between cost-
efficiency and security, keeping sensitive client data on-premises while leveraging the
cloud's benefits for non-production environments.
b) Which cloud service model do you think is best for this situation (SaaS, PaaS, IaaS), and
what security responsibilities would be allocated to your organization and the cloud
service provider? Motivate your answer.
IaaS is the recommended service model for the production environment, based on the critical
security and control requirements of that environment:
1. Control and Security: The production environment houses sensitive client data,
making control over security measures paramount. With IaaS, your organization
retains control over the virtual machines (VMs), operating system, and application
configurations. This control ensures that robust security measures, including access
controls, encryption, identity and access management (IAM), and compliance
standards, can be implemented effectively.
2. Data Protection: The IaaS model enables your organization to maintain a high level
of data protection. Client data can be safeguarded within the VMs, allowing for
encryption at rest and in transit, as well as data access controls tailored to the
organization's specific requirements.
3. Compliance: Many industries have stringent compliance requirements, such as GDPR
or HIPAA. By opting for IaaS, the organization can maintain compliance more
effectively by implementing and controlling the necessary security measures and
data protection practices.
4. Customization: IaaS provides the flexibility for customizing security configurations,
such as firewalls, intrusion detection, and security policies. This level of
customization is essential to align with the organization's unique security needs.
Security Responsibilities: The allocation of security responsibilities in the IaaS model is as
follows:
Organization's Responsibilities:
The organization assumes responsibility for securing the VMs, including
configuring and maintaining the operating system, application stacks, and
access controls.
Data protection measures, including encryption and access controls for client
data, fall under the organization's purview.
Compliance with industry-specific regulations and standards, as well as
security best practices, is the organization's responsibility.
Cloud Service Provider's Responsibilities:
The cloud service provider manages the physical security of data centers,
network infrastructure, and the availability of the virtualization layer (e.g.,
hypervisor).
They ensure the availability and redundancy of infrastructure components,
including network connectivity and server resources.
The selection of the IaaS model for the production environment provides a robust
framework for maintaining control, security, and compliance over sensitive client data. By
allocating responsibilities as outlined, the organization can implement strong security
measures while leveraging the cloud provider's infrastructure. This approach offers a
balanced and secure solution that aligns with the organization's critical data protection and
regulatory compliance needs.
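To make the organization's share of the IaaS responsibilities concrete, here is an added example (my own code, not part of the assignment) that audits a VM description against the tenant-side controls listed above: guest OS patching, access controls, encryption at rest and in transit, and antivirus currency. The VmConfig fields, the thresholds and the two sample configurations are assumptions, not any provider's API.

```python
"""Tenant-side control audit for an IaaS virtual machine (added example).

Under IaaS the provider secures the data centre, network and hypervisor; the
tenant must secure the guest OS, application stack, access controls and data
protection. The checks below cover only the tenant's side. The VmConfig
shape, thresholds and sample VMs are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class VmConfig:
    name: str
    disk_encrypted: bool                    # encryption at rest
    tls_only: bool                          # encryption in transit
    inbound_rules: List[Tuple[int, str]]    # (port, source CIDR)
    os_patch_age_days: int                  # days since last OS patch
    admin_mfa: bool                         # MFA on administrative logins
    av_signature_age_days: int              # age of antivirus signatures

ADMIN_PORTS = (22, 3389)   # SSH and RDP: never open to the whole internet


def audit_vm(vm: VmConfig, max_patch_age: int = 30, max_sig_age: int = 1) -> List[str]:
    """Return one finding per tenant-side control that is not met."""
    findings = []
    if not vm.disk_encrypted:
        findings.append("data-protection: disk is not encrypted at rest")
    if not vm.tls_only:
        findings.append("data-protection: plaintext transport is still allowed")
    for port, src in vm.inbound_rules:
        if src == "0.0.0.0/0" and port in ADMIN_PORTS:
            findings.append(f"access-control: admin port {port} open to 0.0.0.0/0")
    if vm.os_patch_age_days > max_patch_age:
        findings.append(f"os-hardening: last patch {vm.os_patch_age_days} days ago")
    if not vm.admin_mfa:
        findings.append("access-control: administrative logins lack MFA")
    if vm.av_signature_age_days > max_sig_age:
        findings.append(f"endpoint: antivirus signatures {vm.av_signature_age_days} days old")
    return findings


# Constructed sample VMs: a weak configuration and its corrected counterpart.
WEAK_VM = VmConfig("prod-web-01", disk_encrypted=False, tls_only=False,
                   inbound_rules=[(22, "0.0.0.0/0"), (443, "0.0.0.0/0")],
                   os_patch_age_days=90, admin_mfa=False, av_signature_age_days=19)
HARDENED_VM = VmConfig("prod-web-01", disk_encrypted=True, tls_only=True,
                       inbound_rules=[(22, "10.0.0.0/8"), (443, "0.0.0.0/0")],
                       os_patch_age_days=7, admin_mfa=True, av_signature_age_days=0)

if __name__ == "__main__":
    for vm in (WEAK_VM, HARDENED_VM):
        print(vm.name, "->", audit_vm(vm) or ["all tenant-side controls met"])
```

Port 443 open to the internet is accepted on both VMs because the workload is a web portal; only the administrative ports are treated as a finding when exposed.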
c) From a security perspective, indicate for each of the four environments if they are
suitable to be hosted in the cloud? Motivate your answer for each.
1. Production Environment (Client Data)
Suitability for Cloud Hosting:
From a security perspective, hosting the production environment in the cloud may
not be the most suitable choice due to the presence of sensitive client data. Client
data often falls under strict regulatory and compliance requirements, making
security paramount.
Justification:
Data Security and Compliance: The production environment houses client data,
which is often subject to stringent data security and compliance regulations (e.g.,
GDPR, HIPAA). Maintaining this data on-premises provides the organization with
direct control over security measures, access controls, and data protection practices,
ensuring compliance.
Control over Infrastructure: In the cloud, while certain security aspects can be
controlled, the organization may have limited control over the underlying
infrastructure. For sensitive data, maintaining full control over the infrastructure can
be essential to implement customized security measures tailored to specific
compliance requirements.
Risk Mitigation: Hosting sensitive client data in the cloud may introduce potential
risks, such as data breaches or unauthorized access, which can have severe
consequences. By keeping this environment on-premises, the organization can more
effectively manage and mitigate these risks.
2. Quality Assurance Environment (Patch Testing)
Suitability for Cloud Hosting:
From a security perspective, the quality assurance (QA) environment, used for patch
testing and software updates, is suitable for cloud hosting.
Justification:
Data Sensitivity: The QA environment does not contain client data, reducing data
sensitivity and compliance concerns. This makes it well-suited for cloud hosting.
Scalability and Flexibility: The cloud provides scalability and flexibility, allowing
resources to be provisioned and deprovisioned as needed for testing purposes. This
can enhance cost-efficiency without compromising security.
Security Testing: Cloud environments can facilitate robust security testing for
patches and updates, ensuring that security measures are thoroughly evaluated
before deployment in the production environment.
3. Development Environment (Coding and Testing)
Suitability for Cloud Hosting:
From a security perspective, the development environment, used for coding,
programming, and bug fixing, is suitable for cloud hosting.
Justification:
No Client Data: Like the QA environment, the development environment does not
contain client data, minimizing data security and compliance concerns.
Scalability and Collaboration: Cloud hosting enables scalable development
environments, facilitating collaboration among developers in a cost-effective
manner. This enhances development efficiency without compromising security.
Resource Isolation: Cloud providers often offer isolation mechanisms that help
protect data and applications in multi-tenant environments. Properly configured
cloud environments can provide adequate security for development activities.
4. Disaster Recovery Environment (Data Backup and Recovery)
Suitability for Cloud Hosting:
From a security perspective, the disaster recovery (DR) environment is suitable for
cloud hosting.
Justification:
Availability and Redundancy: The DR environment is typically not actively used but
needs to be readily available during emergencies. Cloud hosting ensures high
availability and redundancy of resources, aligning with disaster recovery
requirements.
Data Backup and Restoration: Cloud storage and backup solutions can securely store
data and backup copies. This ensures data redundancy and availability during
disasters while controlling costs by scaling resources only when needed.
Cost-Effective Scaling: Cloud hosting allows for cost-effective scaling of resources in
response to disaster recovery needs. This flexibility ensures that resources are
available when required without incurring excessive costs during non-emergencies.
In summary, the suitability of each environment for cloud hosting depends on data sensitivity,
compliance requirements, and specific use-case needs. While the production environment
may be better suited for on-premises hosting due to the presence of sensitive client data,
the QA, development, and disaster recovery environments can benefit from the scalability,
flexibility, and cost-effectiveness offered by cloud hosting, provided proper security
measures are in place.
Question 2: Incident Investigation
a)
Based on the analysis of the provided logs, these are some possible threats or security concerns that
can be identified:
Possible Threats:
1. Outdated Antivirus: The antivirus logs indicate that multiple users had out-of-date
antivirus software. While not a direct threat, outdated antivirus can leave systems
vulnerable to malware and attacks. This threat could potentially be exploited by
attackers in the future.
2. Suspicious File Detection: The antivirus logs also show instances of suspicious file
detection, including a "Generic Trojan." This suggests the presence of potentially
harmful files or malware on the network.
3. Host Sweep: The firewall logs contain entries related to "Host Sweep" activities from
an external IP address (195.22.126.180). Host sweeping can be an initial
reconnaissance step by attackers to identify vulnerable hosts on the network.
4. Unusual URL Access: The web proxy logs show access to websites related to job
dissatisfaction ("what-to-do-when-you-hate-your-job," "job-hate") and gambling
("onlinegambling.com"). While not necessarily threats, these activities could indicate
employee dissatisfaction or potentially inappropriate internet usage.
5. Access to WikiLeaks: Access to wikileaks.org can be a concern as it may involve the
exposure of sensitive information or potential data leaks. It's important to monitor
such accesses to ensure data security.
b)
Threat Assessment:
1. Outdated Antivirus: While outdated antivirus software can make systems vulnerable
to malware and attacks, the provided logs do not directly link this threat to the
information leak. The logs only indicate that antivirus updates were overdue, but
they do not show any malware detections or breaches.
2. Suspicious File Detection: The antivirus logs show instances of suspicious file
detections, including a "Generic Trojan." This raises concerns about the presence of
potentially harmful files on the network. However, the logs do not provide evidence
of these files causing the information leak.
3. Host Sweep: The firewall logs indicate activities related to a "Host Sweep" from an
external IP address (195.22.126.180). While host sweeping can be an initial
reconnaissance step by attackers, there is no direct evidence in the logs linking this
activity to the information leak.
4. Unusual URL Access: The web proxy logs show access to websites related to job
dissatisfaction and gambling. These activities, while potentially concerning, are
unlikely to be the direct cause of the information leak, as they do not involve data
exfiltration.
5. Access to WikiLeaks: Access to wikileaks.org could potentially lead to exposure of
sensitive information or data leaks. However, the logs do not provide evidence of
actual data exfiltration or unauthorized access to sensitive information.
Evidence-Based Assessment:
Based on the evidence in the provided logs, none of the identified threats can be definitively
linked to the information leak. The logs do not show direct evidence of data exfiltration,
unauthorized access, or a breach of sensitive information. While some threats, such as
outdated antivirus and suspicious files, raise concerns about system security, they do not
establish a clear connection to the leak.
Conclusion:
The logs do not provide conclusive evidence to determine which of the identified threats
caused the information leak. Further investigation and analysis, including examining
additional log sources and conducting forensic analysis, may be necessary to pinpoint the
source of the leak.
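The triage in a) and b) can be reproduced over log lines. The following added example (my own code, not part of the assignment or of any tool) parses constructed antivirus, firewall and web-proxy entries in an assumed key=value layout, reports the same five concerns, and then checks separately for evidence of exfiltration; on the constructed data that last check comes back empty, which is the conclusion reached above. The only value taken from the assignment is the external IP 195.22.126.180; the hosts, users, timestamps, field names and URLs are made up.

```python
"""Log triage for Question 2 (added example; the log lines are constructed)."""
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample logs in an assumed "date time key=value ..." layout.
AV_LOG = """\
2023-09-28 08:12:03 host=WS-014 user=jdoe event=SIGNATURE_STATUS status=OUT_OF_DATE age_days=19
2023-09-28 09:41:55 host=WS-022 user=asmith event=SIGNATURE_STATUS status=CURRENT age_days=0
2023-09-28 09:50:20 host=WS-031 user=bkhan event=SIGNATURE_STATUS status=OUT_OF_DATE age_days=7
2023-09-29 14:05:10 host=WS-014 user=jdoe event=DETECTION name="Generic Trojan" action=QUARANTINED
"""
FW_LOG = """\
2023-09-29 02:14:07 action=DROP src=195.22.126.180 dst=10.0.5.17 dport=445
2023-09-29 02:14:08 action=DROP src=195.22.126.180 dst=10.0.5.18 dport=445
2023-09-29 02:14:09 action=DROP src=195.22.126.180 dst=10.0.5.19 dport=445
2023-09-29 02:14:10 action=DROP src=195.22.126.180 dst=10.0.5.20 dport=445
2023-09-29 10:30:00 action=ALLOW src=10.0.5.17 dst=10.0.9.2 dport=443
"""
PROXY_LOG = """\
2023-09-29 11:02:31 user=jdoe method=GET url=https://example.com/what-to-do-when-you-hate-your-job bytes_out=512 bytes_in=48213
2023-09-29 11:05:12 user=jdoe method=GET url=https://example.com/job-hate bytes_out=480 bytes_in=30110
2023-09-29 12:15:44 user=bkhan method=GET url=https://onlinegambling.com/ bytes_out=700 bytes_in=91000
2023-09-29 13:40:02 user=jdoe method=GET url=https://wikileaks.org/ bytes_out=610 bytes_in=120400
"""
# Variant with one large upload (constructed) to show what leak evidence would look like.
PROXY_LOG_WITH_UPLOAD = PROXY_LOG + (
    "2023-09-29 13:52:17 user=jdoe method=POST url=https://files.example.net/upload "
    "bytes_out=52428800 bytes_in=210\n")


def parse_line(line):
    """'date time k=v k="v with spaces"' -> dict (shlex keeps quoted values whole)."""
    tokens = shlex.split(line)
    rec = {"date": tokens[0], "time": tokens[1]}
    for tok in tokens[2:]:
        key, _, value = tok.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def outdated_av(av):
    return [r for r in av if r.get("event") == "SIGNATURE_STATUS" and r.get("status") == "OUT_OF_DATE"]


def av_detections(av):
    return [r for r in av if r.get("event") == "DETECTION"]


def host_sweeps(fw, min_hosts=3):
    """{src: distinct internal hosts touched} for dropped, non-private sources
    that probed at least min_hosts different destinations (a host sweep)."""
    targets = defaultdict(set)
    for r in fw:
        if r.get("action") == "DROP" and not ipaddress.ip_address(r["src"]).is_private:
            targets[r["src"]].add(r["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_hosts}


URL_CATEGORIES = {          # substring matches; categories follow the answer above
    "job-dissatisfaction": ("hate-your-job", "job-hate"),
    "gambling": ("gambling",),
    "leak-site": ("wikileaks.org",),
}


def categorize_urls(proxy):
    """(user, category, url) for each proxy entry that hits a watched category."""
    hits = []
    for r in proxy:
        for cat, needles in URL_CATEGORIES.items():
            if any(n in r["url"] for n in needles):
                hits.append((r["user"], cat, r["url"]))
    return hits


def exfiltration_evidence(proxy, min_bytes_out=1_000_000):
    """Uploads large enough to count as evidence of data leaving the network.
    Browsing a site (GET, small bytes_out) is a concern, not evidence."""
    return [r for r in proxy
            if r.get("method") in ("POST", "PUT") and int(r.get("bytes_out", 0)) >= min_bytes_out]


def triage(av, fw, proxy):
    return {
        "outdated_av_hosts": sorted({r["host"] for r in outdated_av(av)}),
        "detections": [(r["host"], r["name"]) for r in av_detections(av)],
        "host_sweeps": host_sweeps(fw),
        "url_concerns": categorize_urls(proxy),
        "leak_evidence": exfiltration_evidence(proxy),
    }


if __name__ == "__main__":
    for key, val in triage(parse_log(AV_LOG), parse_log(FW_LOG), parse_log(PROXY_LOG)).items():
        print(f"{key}: {val}")
```

The "leak_evidence" entry stays empty for the constructed logs, mirroring the finding that the concerns above cannot be tied to the leak; the upload variant shows the kind of proxy record that would change that conclusion, which is why the report recommends monitoring for exfiltration rather than relying on the existing sources alone.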
c)
Mini-Report: Analysis of Potential Information Leak Threats
Prepared by: Wendy Nhleko
Date: 04/10/2023
Executive Summary:
This mini-report presents an analysis of potential threats related to an information leak
within the organization. The analysis is based on the examination of provided log files from
various sources, including antivirus, firewall, and web proxy logs. The primary objectives
were to identify possible threats, assess their likelihood of causing the information leak, and
provide evidence-based conclusions.
1. Identified Threats:
The following threats were identified based on the analysis of log files:
1. Outdated Antivirus: The antivirus logs indicated instances of outdated antivirus
software.
2. Suspicious File Detection: The antivirus logs also showed instances of suspicious file
detection, including a "Generic Trojan."
3. Host Sweep: The firewall logs contained entries related to "Host Sweep" activities
from an external IP address (195.22.126.180).
4. Unusual URL Access: The web proxy logs revealed access to websites related to job
dissatisfaction and gambling.
5. Access to WikiLeaks: The logs indicated access to wikileaks.org.
2. Threat Assessment:
In assessing the likelihood of each threat causing the information leak, the following
observations were made:
Outdated Antivirus: While outdated antivirus software can pose security risks, the
logs did not provide direct evidence linking this threat to the information leak. No
malware detections or breaches were recorded.
Suspicious File Detection: Although the logs showed instances of suspicious file
detection, they did not establish a direct connection to the information leak. No
evidence of data exfiltration was present.
Host Sweep: The firewall logs indicated activities related to a "Host Sweep."
However, there was no direct evidence in the logs linking this activity to the
information leak.
Unusual URL Access: Access to websites related to job dissatisfaction and gambling,
while concerning, was not directly associated with the information leak, as it did not
involve data exfiltration.
Access to WikiLeaks: While access to wikileaks.org could potentially lead to
information exposure, the logs did not provide evidence of actual data exfiltration or
unauthorized access to sensitive information.
3. Conclusion:
Based on the evidence in the provided logs, none of the identified threats can be definitively
linked to the information leak. The logs do not show direct evidence of data exfiltration,
unauthorized access, or a breach of sensitive information. While some threats raised
concerns about system security, they do not establish a clear connection to the leak.
4. Recommendations:
To determine the source of the information leak and enhance security measures, the
following recommendations are proposed:
Conduct further investigation and forensic analysis to identify the source of the leak.
Implement measures to address outdated antivirus software and enhance system
security.
Monitor network activities for any signs of data exfiltration or suspicious behaviour.
5. Next Steps:
The organization should prioritize the investigation and resolution of the information leak to
prevent further incidents and safeguard sensitive data.