Saturday, December 7, 2019

Different Types of Threat in IT-Free-Samples-Myassignmenthelp.com

Question:

Identify a recently announced security vulnerability and write a profile of the threat. The profile should contain the name of the threat, the systems it attacks, how it performs its attack, mitigation strategies and a concluding reflection.

Answer:

Introduction

Information security is a major concern for most organizations today. It protects the integrity, confidentiality and availability of computer system data against malicious actors. Information security is, at its core, risk management. Effective cryptographic tools can maintain the security of different systems and mitigate the issues. Organizations take various precautionary measures to keep their data secure and safe from attackers. Still, there is a chance that machines will be attacked by bugs and malicious devices. The report considers the effects of the DROWN bug and the options for mitigating it.

Different types of threats

Various vulnerabilities have come up in recent years. Some of them are listed in the table below.

| Year | Name | Vulnerability | Mitigation |
|------|------|---------------|------------|
| 2016 | DROWN | Sites supporting SSLv2 and EXPORT cipher suites. | Disabling SSLv2 and/or updating OpenSSL. |
| 2015 | Logjam | Servers that use Diffie-Hellman key exchange are vulnerable to having their sessions downgraded to extremely weak 512-bit keys. | Disabling the DHE_EXPORT ciphers; clients must upgrade their browsers. |
| 2015 | FREAK | Clients are forced to downgrade from strong RSA to export RSA, since both the browser and the server are vulnerable. | Disabling the export ciphers in the server configuration. Patching OpenSSL is also an option. |
| 2015 | Bar Mitzvah Attack | Exploits RC4 encryption. | Disabling RC4. |
| 2014 | POODLE | The server can be made to fall back to SSLv3. | Disabling SSLv3 and implementing TLS_FALLBACK_SCSV. |

DROWN

One of the most recent attacks is DROWN, a cross-protocol security bug (Aviram et al., 2016). It is a serious threat capable of affecting HTTPS and several other services that depend on TLS and SSL, the two cryptographic protocols that secure most internet traffic. DROWN breaks the encryption so that an attacker can read and steal sensitive information: communications, credit card numbers, passwords, trade secrets and financial data. According to the research, around 33% of all HTTPS servers can be attacked through the bug (Tian et al., 2014).

Figure 1: Working of DROWN (Source: Chowdhury, Karmakar & Kamruzzaman, 2017)

It can affect any server offering services encrypted with TLS that also supports SSLv2. DROWN exploits a combination of the protocols in use and the configuration of the servers (Bozic et al., 2017). The exploitation is a chosen-ciphertext attack that uses an SSLv2 server as a Bleichenbacher oracle.

Conclusion

The report has outlined several mitigation techniques for DROWN. Beyond applying the patches, network administrators must ensure that private keys are not reused on any web servers, IMAP and POP servers, SMTP servers or other unmanaged software that supports SSL or TLS. As the analysis shows, a reused key on any server that still accepts SSLv2 connections exposes every other service using that key. IPS devices must be configured to filter out SSLv2 traffic. Embedded devices should use distinct RSA private keys to keep the systems protected. The report gives an in-depth insight into how the effects of DROWN can be mitigated to keep systems safe in homes and offices.

References

Aviram, N., Schinzel, S., Somorovsky, J., Heninger, N., Dankel, M., Steube, J., ... Käsper, E. (2016). DROWN: Breaking TLS Using SSLv2. In USENIX Security Symposium (pp. 689-706).

Bozic, J., Kleine, K., Simos, D. E., & Wotawa, F. (2017). Planning-Based Security Testing of the SSL/TLS Protocol. In Software Testing, Verification and Validation Workshops (ICSTW), 2017 IEEE International Conference on (pp. 347-355). IEEE.

Chowdhury, A., Karmakar, G., & Kamruzzaman, J. (2017). Survey of Recent Cyber Security Attacks on Robotic Systems and Their Mitigation Approaches. In Detecting and Mitigating Robotic Cyber Security Risks (pp. 284-299). IGI Global.

Tian, Y., Liu, Y. C., Bhosale, A., Huang, L. S., Tague, P., & Jackson, C. (2014). All your screens are belong to us: Attacks exploiting the HTML5 screen sharing API. In Security and Privacy (SP), 2014 IEEE Symposium on (pp. 34-48). IEEE.
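The mitigations in the table and the key-reuse warning in the conclusion can be turned into a fleet audit. The following script is an added example, not code from the original post or from the DROWN authors: it takes constructed endpoint records (hostname, negotiated protocol versions, OpenSSL-style cipher names such as EXP-RC4-MD5 or EXP-EDH-RSA-DES-CBC-SHA, and an RSA key fingerprint) and reports which of the five attacks each endpoint is exposed to. The DROWN check is the interesting one: a host that never speaks SSLv2 is still flagged when another host sharing its RSA key does, which is exactly why the conclusion insists on separate keys per server.

```python
"""Audit a fleet of TLS endpoints for exposure to DROWN, POODLE, Logjam, FREAK and
Bar Mitzvah, including DROWN's cross-host key-reuse case.

Added example, not code from the original post. Endpoint records and key ids are
constructed; cipher names follow OpenSSL's naming convention.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Endpoint:
    host: str
    protocols: Set[str]        # protocol versions the server negotiates, e.g. {"SSLv2", "TLSv1.2"}
    ciphers: List[str]         # OpenSSL-style cipher names the server offers
    rsa_key_id: str            # fingerprint of the server's RSA key (constructed ids here)
    fallback_scsv: bool = False


def is_dhe_export(cipher: str) -> bool:
    # Export-grade ephemeral DH suites (OpenSSL spells them EXP-EDH-* or EXP1024-DHE-*).
    return cipher.startswith("EXP") and ("DHE" in cipher or "EDH" in cipher)


def is_rsa_export(cipher: str) -> bool:
    # Any other export suite uses export-grade RSA key transport.
    return cipher.startswith("EXP") and not is_dhe_export(cipher)


def audit_endpoint(ep: Endpoint, sslv2_hosts_by_key: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    findings: List[Tuple[str, str]] = []
    # DROWN: the SSLv2 oracle may live on *another* host that merely shares this RSA key.
    oracles = sslv2_hosts_by_key.get(ep.rsa_key_id, set())
    if oracles:
        where = "on this host" if ep.host in oracles else "on " + ", ".join(sorted(oracles)) + " (same RSA key)"
        findings.append(("DROWN", f"SSLv2 reachable {where}; disable SSLv2 and use a separate key per server"))
    if "SSLv3" in ep.protocols:
        scsv = "with" if ep.fallback_scsv else "without"
        findings.append(("POODLE", f"SSLv3 enabled {scsv} TLS_FALLBACK_SCSV; disable SSLv3"))
    dhe_exp = [c for c in ep.ciphers if is_dhe_export(c)]
    if dhe_exp:
        findings.append(("Logjam", "DHE_EXPORT suites offered: " + ", ".join(dhe_exp)))
    rsa_exp = [c for c in ep.ciphers if is_rsa_export(c)]
    if rsa_exp:
        findings.append(("FREAK", "RSA export suites offered: " + ", ".join(rsa_exp)))
    rc4 = [c for c in ep.ciphers if "RC4" in c]
    if rc4:
        findings.append(("Bar Mitzvah", "RC4 suites offered: " + ", ".join(rc4)))
    return findings


def audit_fleet(endpoints: List[Endpoint]) -> Dict[str, List[Tuple[str, str]]]:
    # Index every SSLv2-speaking host by the RSA key it serves, then audit each endpoint.
    sslv2_by_key: Dict[str, Set[str]] = defaultdict(set)
    for ep in endpoints:
        if "SSLv2" in ep.protocols:
            sslv2_by_key[ep.rsa_key_id].add(ep.host)
    return {ep.host: audit_endpoint(ep, sslv2_by_key) for ep in endpoints}


# Constructed fleet for illustration: "www" is TLS-only but shares key-A with "mail".
FLEET = [
    Endpoint("www", {"TLSv1.2"}, ["ECDHE-RSA-AES128-GCM-SHA256"], "key-A"),
    Endpoint("mail", {"SSLv2", "TLSv1"}, ["RC4-MD5", "EXP-RC4-MD5"], "key-A"),
    Endpoint("legacy", {"SSLv3", "TLSv1"}, ["EXP-EDH-RSA-DES-CBC-SHA", "AES128-SHA"], "key-B"),
    Endpoint("clean", {"TLSv1.2"}, ["ECDHE-RSA-AES256-GCM-SHA384"], "key-C"),
]

if __name__ == "__main__":
    for host, findings in audit_fleet(FLEET).items():
        print(host, "OK" if not findings else "")
        for attack, detail in findings:
            print(f"  [{attack}] {detail}")
```

Running it reports "www" as DROWN-exposed through "mail" even though "www" itself is correctly configured; fixing "www" alone does nothing until the SSLv2 service is disabled or the key is rotated.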
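The conclusion also asks that IPS devices filter out SSLv2 traffic. The parser below is an added example, not part of the original post, showing what such a filter has to recognise on the wire: an SSLv2 record (first byte with the high bit set, 2-byte header) carrying a CLIENT-HELLO, with its 3-byte cipher kinds. The caveat a practitioner needs is that older SSLv3/TLS clients also sent a "v2-compatible" hello in this framing while offering only TLS suites (cipher kinds whose first byte is 0x00); the function therefore reports `sslv2_offered` separately so a rule can drop real SSLv2 attempts without breaking such clients. The cipher-kind values come from the SSL 2.0 specification; the sample messages are constructed in the block.

```python
"""Recognise SSLv2 CLIENT-HELLO records so an IDS/IPS rule can alert on or drop them.

Added example, not code from the original post. Record layout follows SSL 2.0:
  header: 2 bytes, high bit set, 15-bit record length
  body:   msg type (1 = CLIENT-HELLO), version(2), cipher-specs len(2),
          session-id len(2), challenge len(2), cipher specs (3 bytes each),
          session id, challenge
"""
from typing import Dict, List, Optional

# SSLv2 cipher kinds. A first byte of 0x00 instead carries an SSLv3/TLS suite
# inside a v2-compatible hello, which is not SSLv2 usage.
SSLV2_CIPHER_KINDS = {
    0x010080: "SSL_CK_RC4_128_WITH_MD5",
    0x020080: "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    0x030080: "SSL_CK_RC2_128_CBC_WITH_MD5",
    0x040080: "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    0x050080: "SSL_CK_IDEA_128_CBC_WITH_MD5",
    0x060040: "SSL_CK_DES_64_CBC_WITH_MD5",
    0x0700C0: "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def parse_sslv2_client_hello(data: bytes) -> Optional[Dict]:
    """Return a description of an SSLv2-framed CLIENT-HELLO, or None if data is not one."""
    if len(data) < 2 or not data[0] & 0x80:          # not a 2-byte SSLv2 record header
        return None
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) != rec_len or len(body) < 9 or body[0] != 0x01:   # truncated or not CLIENT-HELLO
        return None
    version = int.from_bytes(body[1:3], "big")
    cs_len, sid_len, chal_len = (int.from_bytes(body[i:i + 2], "big") for i in (3, 5, 7))
    if cs_len % 3 or 9 + cs_len + sid_len + chal_len != len(body):  # malformed lengths
        return None
    kinds = [int.from_bytes(body[9 + i:12 + i], "big") for i in range(0, cs_len, 3)]
    names = [SSLV2_CIPHER_KINDS.get(k, f"suite-0x{k:06x}") for k in kinds]
    v2_kinds = [k for k in kinds if k >> 16]         # first byte non-zero: a genuine SSLv2 kind
    return {
        "version": version,
        "ciphers": names,
        "export": [n for n in names if "EXPORT" in n],
        # Only block when the client really offers SSLv2, not merely the v2 record framing.
        "sslv2_offered": version == 0x0002 or bool(v2_kinds),
    }


def should_block(data: bytes) -> bool:
    """IPS decision for one client's first record: True only for real SSLv2 offers."""
    parsed = parse_sslv2_client_hello(data)
    return bool(parsed and parsed["sslv2_offered"])


def build_sslv2_client_hello(version: int, kinds: List[int], challenge: bytes = b"\x11" * 16) -> bytes:
    """Constructed test input: serialise a CLIENT-HELLO in SSLv2 record framing."""
    specs = b"".join(k.to_bytes(3, "big") for k in kinds)
    body = (b"\x01" + version.to_bytes(2, "big") + len(specs).to_bytes(2, "big")
            + (0).to_bytes(2, "big") + len(challenge).to_bytes(2, "big") + specs + challenge)
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body


if __name__ == "__main__":
    samples = {
        "sslv2 hello": build_sslv2_client_hello(0x0002, [0x010080, 0x020080, 0x0700C0]),
        "v2-compat TLS hello": build_sslv2_client_hello(0x0301, [0x00002F, 0x000035]),
        "tls record": b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",
    }
    for label, data in samples.items():
        print(label, "->", "BLOCK" if should_block(data) else "pass", parse_sslv2_client_hello(data))
```

The parser validates every length field before slicing, so a truncated or malformed record is rejected rather than misreported; a production rule would additionally apply this only to the first client record of a connection.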
