ATHABASCA UNIVERSITY
SECURITY ASSESSMENT OF INFORMATION SECURITY FOR SMALL BUSINESSES
BY
DAVONG KEOMANIVONG
A project submitted in partial fulfillment
of the requirements for the degree of
MASTER OF SCIENCE in INFORMATION SYSTEMS
Athabasca, Alberta
June, 2016
© Davong Keomanivong, 2016
DEDICATION
I would like to dedicate this work to my wife, who has supported me unconditionally from the beginning. It has been a long road, but made possible by my wife's support.
ABSTRACT
We hear on the news daily that there have been security breaches at large corporations affecting large numbers of people, but what about small businesses? Small businesses have important data just as big companies do, but they do not have the resources or money to put towards security, nor do they have the knowledge or time. This essay will analyze the most common cyber attacks and how they would affect small businesses. By evaluating common security exposures, the goal of the paper is to educate and to perform case analyses of Alberta small businesses, in the hope of helping small businesses. This essay will then look at different areas of security that Alberta small businesses could improve. The literature review section will dive deeper into the common types of attacks and evaluate existing literature to better understand them. There will be a further review of existing literature on how other researchers have tried to tackle security issues. To help better understand the exposure, this essay will perform a threat assessment and a risk assessment for Alberta small business. This will be followed by mock case studies on four common kinds of Alberta small business, identifying possible exposures and how they would affect the business. Finally, this essay will explore possible current solutions such as Security as a Service (SECaaS), corporate best practices for security measures and security education, and try to map them back to the Alberta case studies to see if they would help. Although the threat assessment, risk assessment and case studies are on Alberta small business, the concepts of this essay can be applied to all small businesses.
ACKNOWLEDGMENTS
I would like to acknowledge the support of Dr. Qing Tan, who has been my professor for multiple courses, has always provided great support and was key to the creation of this paper. I would like to thank my family for their encouragement and support.
TABLE OF CONTENTS
CHAPTER I .................................................................................................................................................................. 9
INTRODUCTION .................................................................................................................................................... 9
1.1 Statement of the Purpose ................................................................................................................................ 9
1.2 Research Methodology ................................................................................................................................... 9
1.3 Research Contribution .................................................................................................................................. 11
1.4 Definition of Terms ...................................................................................................................................... 11
CHAPTER II .............................................................................................................................................................. 13
REVIEW OF RELATED LITERATURE............................................................................................................... 13
2.1 Brief Common Types of Cyber Attacks ........................................................................................................ 13
2.1.1 Broken Authentication and Session Management Attacks ................................................................... 13
2.1.2 Crimeware ............................................................................................................................................ 14
2.1.3 Injection Attacks ................................................................................................................................... 16
2.1.4 Insider and Privilege Misuse ............................................................................................................... 17
2.1.5 Remote Code Execution Attacks .......................................................................................................... 18
2.1.6 Social Engineering Attacks .................................................................................................................. 19
2.2 Brief Protection From Cyber Attacks ........................................................................................................... 20
2.2.1 Protecting Against Web Attacks ........................................................................................................... 20
2.2.2 Protecting Against Credit Card Attacks................................................................................................ 21
2.2.3 Protection Models ................................................................................................................................. 22
2.2.4 Protection Models for Small Business .................................................................................................. 23
2.3 Case Studies .............................................................................................................................................. 25
2.4 Summary Literature Review ......................................................................................................................... 26
CHAPTER III ............................................................................................................................................................. 27
Assessment Threats, Risks and Case Study ............................................................................................................ 27
3.1 Threats Assessment ...................................................................................................................................... 27
3.1.1 Threat assessment Broken Authentication and Session Management Attacks (31%) ............................... 31
3.1.2 Threat assessment Injection Attacks (24%) .............................................................................................. 32
3.1.3 Threat assessment Crimeware Attacks (21%) ........................................................................................... 32
3.1.5 Threat assessment Insider and Privilege Misuse Attacks (17%) ............................................................... 32
3.1.6 Threat assessment Remote Code Execution Attacks (3%) ........................................................................ 33
3.1.7 Threat assessment Social Engineering Attacks (3%)................................................................................. 33
3.2 Risks Assessment ......................................................................................................................................... 34
3.2.1 Risk Assessment Web Business (24%) ..................................................................................................... 36
3.2.2 Risk Assessment Retail Business (17%) ................................................................................................... 36
3.2.3 Risk Assessment Tech Business (17%) ..................................................................................................... 36
3.2.4 Risk Assessment Healthcare Business (14%) ............................................................................................ 36
3.2.5 Risk Assessment Financial Business (14%) .............................................................................................. 36
3.2.6 Risk Assessment Government Business (7%) ........................................................................................... 37
3.2.7 Risk Assessment Media Business (3%) ..................................................................................................... 37
3.2.8 Risk Assessment Transport Business (3%) ............................................................................................... 37
3.3 Case Study .................................................................................................................................................... 37
3.4 Summary ...................................................................................................................................................... 45
CHAPTER IV ............................................................................................................................................................. 45
Propose Solutions for Alberta Small Business ........................................................................................................ 45
4.1 SECaaS ......................................................................................................................................................... 46
4.2 Procedures for Security improvement .......................................................................................................... 48
4.3 Education on security ................................................................................................................................... 50
4.4 Other Solutions ............................................................................................................................................. 51
CHAPTER V .............................................................................................................................................................. 52
Conclusion and Recommendations ............................................................................................................................. 52
Conclusion .......................................................................................................................................................... 52
Suggestions for Further Research ....................................................................................................................... 53
REFERENCES ........................................................................................................................................................... 54
LIST OF TABLES
Page
1. Summary top recent years famous cyber attacks.............................................................. 28
2. Showing type of business and type attack cyber attacks.................................................. 35
LIST OF FIGURES
PAGE
1. Types of attacks report .................................................................................................. 31
2. Type of Business affected by Cyber Attack................................................................... 34
3. Diagram Doctors Office Network Infrastructure............................................................ 38
4. Diagram Retailer Office Network Infrastructure............................................................ 40
5. Diagram Software Firm Office Network Infrastructure.................................................. 42
6. Diagram Shipping Company Office Network Infrastructure.......................................... 44
CHAPTER I
INTRODUCTION
1.1 Statement of the Purpose
The purpose of this essay is to assess information security for small businesses. Small businesses have important data just as big companies do, but they do not have the resources or money to put towards security, nor do they have the knowledge or time. This essay will analyze the most common cyber attacks and how they would affect small businesses. It will then look at different areas of security that small businesses could improve. To help better understand the exposure, this essay will present mock case studies on four common kinds of Alberta small business and identify possible exposures and how they would affect each business. Alberta small business makes up 95% of Alberta businesses (Service Alberta, 2014), employs 35% of the private sector (Service Alberta, 2014) and in 2013 had over 78.6 billion in wholesale trade value and 73.1 billion in sales value (Service Alberta, 2014). Using Alberta small business therefore gives an excellent representation of local small businesses. Finally, this essay will explore possible current solutions such as Security as a Service (SECaaS), corporate best practices for security measures and security education, and try to map the solutions to the case studies.
1.2 Research Methodology
Since this is a Master's research essay, most of the data will be retrieved from literature reviews on and around the research questions and the topics surrounding small business and cyber attacks. Using literature searches in the Athabasca library catalogue, the IEEE Electronic Library and Mendeley, the search criteria for the literature review were to look for literature from the last ten years, with word matching on security, small business, vulnerabilities, threats and exposure. For the data surrounding the top security exposures, the internet search criteria were the last two years and involvement of a high-profile company. For example, regarding sampling of the expected data, after reviewing the literature on the top cyber attacks in recent years through multiple resources, the essay makes a generalization about the top types of cyber attacks. Describing the context of the reviewed literature in more detail may lessen the threat to external validity, and keeping to the most current literature will help the validity of the data.
Measurements from the literature review are best attained by taking ordinal measurements and classifying the types of attacks and the threat level each attack can pose to a small business. For reliability of the classification, we first find the most common types of attacks and then, through a literature review of each cyber attack, match each to a type of cyber attack. This essay also takes unobtrusive measurements by doing content analysis of the literature on cyber attacks. By taking a thematic-analysis approach to the literature, we can identify the themes and major ideas in the literature on cyber attacks and their types.
Finally, for data analysis, we prepare all the literature reviews and organize them into categories related to the types of cyber attacks. The essay describes the data for each type of cyber attack in order to put the data categories into context. Graphs built from the data give a visual view of the data from many different angles. For example, one graph could show the top six types of cyber attacks, while another could show which types of business were affected by the cyber attacks.
The research scope of this essay is papers from the last ten years on cyber attacks and security exposures. The majority of the literature is from recent years, but it is beneficial to look at some older literature to understand the history and the changes in cyber security. The first search criterion focuses on top security breaches in the last two years. This gives a current view of what types of attacks are common in the current industry and which industries are most vulnerable. The second search criterion covers more academic literature from the last five years, but may extend to ten years. The third search criterion covers current possible solutions to help Alberta small business with cyber security. These could range from Security as a Service (SECaaS), security methodology and risk management to other possible avenues.
1.3 Research Contribution
This essay contributes to a better understanding of current security exposures for small business and studies possible solutions to those exposures; furthermore, the theories and concepts discussed in this essay can be applied to any small business in any region.
1.4 Definition of Terms
This section describes the common terms used in this essay.
Alberta Small Business – An Alberta small business, as defined by Service Alberta, is any company that employs between one and forty-nine employees (Service Alberta, 2014).
Cyber Attack – Any attempt by a person, organization or country to access computers, network infrastructure, information systems or personal devices without permission. The attacker will steal, change and/or destroy the victim's information system by multiple methods.
Broken Authentication and Session Management Attacks – A method where attackers use leaks or flaws in the authentication and/or session management functions (exposed URLs, weak passwords, session IDs) to impersonate users and gain access to data.
Crimeware/Malware/Spyware/Adware – Any installed software that is designed to grant attackers access to information for illegal online activities. This includes software such as key loggers, browser-history hijackers, password cachers, remote access tools and even software that encrypts data for ransom.
Injection Attacks – Attacks focused on systems with databases that are connected to a network, where attackers inject SQL commands to extract important data via a flaw or weakness in the database system.
Insider and Privilege Misuse – A security exposure where people with access to critical information steal or use the information for personal gain.
Remote Code Execution Attacks – A security exposure where there is a flaw in software that attackers know about, allowing them to execute, or gain access to execute, commands on remote systems.
Social Engineering Attacks – The act of tricking or conning a person into bypassing a security process, in order to gain access to systems and/or information for personal gain. Some examples are baiting, phishing, impersonation and scare tactics.
Cross Site Scripting Attacks – A security exposure in web applications, where attackers can inject client-side scripts into web pages, allowing them to execute commands on remote systems in order to gain access or retrieve information.
DNS Cache Poisoning – A technique where attackers insert entries into the victim's DNS cache, tricking the computer into going to an attacker's destination instead of the intended one.
Denial of Service Attack – A technique where attackers flood a victim's computer system so that it is so overwhelmed it cannot serve its intended purpose. An analogy is protestors crowding the entryway of a business and not letting real customers in.
Security as a Service – A cloud service where the service provider provides its proven security model to customers at a cost-effective price, usually via subscription or contract.
CHAPTER II
REVIEW OF RELATED LITERATURE
2.1 Brief Common Types of Cyber Attacks
This section of the paper reviews the literature to help understand the most common types of cyber attacks in more depth.
2.1.1 Broken Authentication and Session Management Attacks
With the increase in web applications for many companies, broken authentication and session management attacks are increasing dramatically (Huluka, 2012). Although web application session management and authentication were intended to make web applications more efficient and user friendly, they have also opened up a bigger vulnerability to cyber attacks. Huluka (Huluka, 2012) states that the common root causes of broken authentication and session management attacks are guessable IDs, detection mechanisms for guessable IDs, weak cryptography, vulnerabilities of HTTP, insecure session handling methods, solution misuse or bad configuration, and weakness in the inactive session management technique. Huluka believes that the key to resolving cyber attacks around broken authentication and session management is to understand the root causes of the attacks in depth. By methodically breaking down how the attack happens and why, Huluka suggests focusing on the following areas: lack of metrics, lack of security knowledge among programmers, wrong decisions due to programmers' lack of knowledge, less secure self-developed programming, storing credentials with other applications, allowing many guessing attempts for IDs, too much user data in systems, lack of user security knowledge, and unrealistic security rules (Huluka, 2012).
Another interesting aspect of authentication and session management is Secure Socket Layer (SSL), a method developed to encrypt communication between two endpoints that want to talk to each other securely (Rouse, Margaret, Michael Cobb, 2015). In the paper "Session management vulnerabilities in today's web" (Visaggio & Blasio, 2010), Visaggio and Blasio point out some interesting vulnerabilities around authentication and session management. The first interesting point is that, with SSL, there are government agencies that compel SSL certification authorities to release false certificates so that the agencies can listen in on users' communication sessions. Token generation is another weakness that was identified: it is possible for attackers to generate and use valid tokens to impersonate a real user and gain access to confidential information. Hidden sequences, time dependence and weak generation algorithms are all forms of predictable algorithm that allow this exposure to happen. It is also possible for tokens to be stolen from logs, URL parameters, and logout and session timeout handling. These sniffing methods can be carried out in four main ways: HTTP packet sniffing, log sniffing, cache sniffing and XSS cookie sniffing (Visaggio & Blasio, 2010). Session fixation is another method, where attackers modify the user's token before the user actually authenticates. HTTP response splitting is another vulnerability that Visaggio and Blasio discuss; here the attacker takes advantage of the HTTP response string and adds other commands in order to expose the user's HTTP response.
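As an added example (not from the paper or from Visaggio and Blasio), the following Python session store shows the server-side defences the weaknesses above call for: session ids come from the operating system's random source rather than a predictable algorithm, the id a client presents at login is discarded and replaced so a planted token never becomes an authenticated session (the session fixation case), and inactive sessions expire. The 15-minute idle limit and the in-memory table are assumptions of this example.

```python
import secrets
import time

# Assumed policy for this example: an idle session is dropped after 15 minutes.
SESSION_IDLE_SECONDS = 900


class SessionStore:
    """Server-side session table keyed by unguessable ids (example code, not the paper's)."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so tests can move time forward
        self._sessions = {}            # session_id -> {"user": str | None, "last_seen": float}

    def _new_id(self):
        # 32 bytes from the OS CSPRNG: no hidden sequence, no timestamp, nothing to predict.
        return secrets.token_urlsafe(32)

    def create(self):
        """Start an anonymous session and return its id (the pre-login cookie value)."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, presented_id, user):
        """Bind a user to a session and return the NEW id the client must use from now on.

        The id presented before authentication is thrown away even when it is valid, so a
        token an attacker managed to plant in the victim's browser never carries over into
        the authenticated session. An id the server never issued is rejected, not adopted.
        """
        if presented_id not in self._sessions:
            raise ValueError("unknown session id")
        del self._sessions[presented_id]
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def user_for(self, sid):
        """Return the authenticated user for sid, or None if unknown, anonymous or idle too long."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > SESSION_IDLE_SECONDS:
            del self._sessions[sid]    # inactive session: remove it instead of letting it linger
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid):
        """Invalidate a session server-side; the old id is useless even if it leaked into a log."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    auth = store.login(anon, "alice")
    print("pre-login id still valid?", store.user_for(anon) is not None)   # False
    print("post-login user:", store.user_for(auth))                        # alice
```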
2.1.2 Crimeware
Crimeware, malware, spyware and adware are all software written for a common purpose: to do something dishonest to the intended target by infecting their systems. Some of this malicious software is relatively harmless, spamming targets with ads, but some can be very dangerous. One such crimeware is Zeus, a credential-stealing Trojan horse (Etaher, Weir, & Alazab, 2015). Zeus and its counterparts Zbot, WSNPOEM, NTOS, PRG, Slapper, Coreflood, Kraken, Sinit, Nugache, Rustock, Conficker, Blackhole and NGR (Etaher et al., 2015) all do similar things. Some of these crimeware programs are very simple code that antivirus and protection software can detect and block, but some, like Zeus, are very dynamic and almost impossible to detect. For example, Zeus is a self-replicating Trojan horse that uses obfuscation techniques such as polymorphic and metamorphic encryption and packers to change itself in order to defeat signature-based detection (Etaher et al., 2015). By using these techniques, Zeus re-encrypts itself automatically on each infection and creates a new signature, which makes it almost impossible to detect with most antivirus products. Between 2009 and 2010 over 3.6 million computers were infected by the Zeus virus in the United States (Etaher et al., 2015). Another innovative crimeware is called SpyEye. This malicious software is intended to steal your personal banking information by taking over your computer's camera and microphone, so that the attackers can capture your credentials and empty your bank accounts (Etaher et al., 2015). Another variety of crimeware is ransomware, where the malicious software infects the target's computer and encrypts the whole hard drive. The target cannot access their information unless they pay the ransom. One famous ransomware program is "CryptoLocker", which in 2014 infected 234,000 computers (Etaher et al., 2015). Crimeware has also gotten smarter over the years and changed along with intrusion detection systems (IDS). One method of avoiding IDS is obfuscation, where the malicious software conceals itself from pattern-signature-matching IDS software via data encoding and string manipulation, encrypted sessions and polymorphic code (Marpaung, Sain, & Lee, 2012). Another method of delivering crimeware while avoiding IDS detection is fragmentation and session splicing. Here the crimeware uses the network layer to reach the target by fragmenting or splicing the malicious software across many packets; until it is reassembled on the target, it remains undetectable (Marpaung et al., 2012). Code reuse attacks are another way crimeware can evade detection and deliver malicious code: the crimeware uses existing running software to do its malicious acts. "Return-into-libc" and "Return-Oriented Programming" are two examples of code reuse attacks (Marpaung et al., 2012).
2.1.3 Injection Attacks
The key to most web applications is the ability of the application to communicate with a database and retrieve information. This can vary from shopping, social networks, banking and blogging to research. There is a serious threat to this interface called SQL injection vulnerabilities (SQLIV) (Sharma & Jain, 2015): the injection of keywords into an SQL query that changes the logic of the query, thereby allowing attackers to access and steal important information. The vulnerability starts with a weak design of a web application, and attackers exploit these weak points to gain access and retrieve important information. Sharma and Jain describe the basic SQL injection attack, where a user's SQL statement is changed by the user's input and reveals more information than expected. For example, if the user wanted to query only the employees in the database whose name starts with Joe, but the SQL statement is changed by the user's input to something like select * from employee where firstname = 'Joe' or '2=2', it would return all rows instead of the intended rows. In the paper "Analysis and classification of SQL injection vulnerabilities and attacks on web applications", Sharma and Jain (Sharma & Jain, 2015) categorize the common types of SQL injection into three main categories (Orderwise, Blind and Against Database). In an Orderwise SQL injection attack, the code is injected into the user's code via email or malware, and grants the attackers immediate access to query for data. In Blind SQL injection attacks, the attackers slowly query the database with valid, allowable SQL statements which cannot be easily detected by security but grant the attackers access to retrieve information. Finally, Against Database SQL injection is where attackers use input validation vulnerabilities to directly extract data from the databases.
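As an added example, not from the paper or from Sharma and Jain, the Python code below reproduces the "Joe" case against an in-memory SQLite table of constructed sample rows: the first lookup builds its SQL by string concatenation and returns every employee when the input carries an OR clause, while the parameterized lookup treats the same input as a plain value and matches nothing. The small input check at the end is a defence-in-depth signal a business could log, not a replacement for parameterization.

```python
import sqlite3

# Constructed sample data (not from the paper): a small employee table.
EMPLOYEES = [
    (1, "Joe", "Smith"),
    (2, "Anna", "Lee"),
    (3, "Mark", "Jones"),
    (4, "Priya", "Patel"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (id INTEGER, firstname TEXT, lastname TEXT)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)", EMPLOYEES)
    return conn


def find_vulnerable(conn, firstname):
    """Vulnerable lookup: the user's input becomes part of the SQL text itself.

    An input such as  Joe' OR '1'='1  turns the WHERE clause into
        firstname = 'Joe' OR '1'='1'
    which is the same effect as the  'Joe' or '2=2'  case in the text: the
    query logic changes and every row comes back.
    """
    sql = "SELECT id, firstname FROM employee WHERE firstname = '" + firstname + "'"
    return conn.execute(sql).fetchall()


def find_safe(conn, firstname):
    """Hardened lookup: the input travels as a bound parameter, never as SQL text.

    The database receives the statement and the value separately, so quotes or
    an OR inside the input are just characters to compare against, and the
    malicious input simply matches no employee.
    """
    sql = "SELECT id, firstname FROM employee WHERE firstname = ?"
    return conn.execute(sql, (firstname,)).fetchall()


def looks_like_injection(firstname):
    """Cheap input check worth logging or alerting on: a first name should not
    contain SQL quoting, statement or comment characters."""
    return any(token in firstname for token in ("'", '"', ";", "--"))


if __name__ == "__main__":
    db = make_db()
    for value in ("Joe", "Joe' OR '1'='1"):
        print(repr(value),
              "vulnerable ->", find_vulnerable(db, value),
              "| safe ->", find_safe(db, value),
              "| suspicious:", looks_like_injection(value))
```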
2.1.4 Insider and Privilege Misuse
Firewalls, antivirus and intrusion detection systems protect you from outside attack, but what if the attack comes from the inside, whether intentional or unintentional? Companies are always looking for ways to protect themselves from the outside world, but they should spend an equal amount of effort inside the company protecting it from itself. In the paper "Detection of insider attacks in cloud based e-healthcare environment" (Garkoti, Peddoju, & Balasubramanian, 2014), 45% of companies believe attacks will come from insiders, and the figure is a little higher for healthcare at 52%. Insiders may intentionally access data for personal gain, such as selling it to other companies, or even delete or modify it for personal revenge. Either way the damage is usually done, and the company affected, before anything can be done. For example, damage to healthcare has been estimated at around five billion per year, and in a survey of healthcare companies 73% believe they will not be notified of a breach in a timely manner (Garkoti et al., 2014). Another form of insider attack is the unintentional insider attack, where an employee of the company is given too much authority and has access to data they should not, exposing confidential information. As described in "Content-Based Access Control: Use data content to assist access control for large-scale content-centric databases" (Zeng, Yang, & Luo, 2015), users may be granted more access than needed because the access controls are not fine-grained enough to limit the user's access; more access is granted because the security model cannot restrict it properly. For example, (Zeng et al., 2015) describe a law enforcement agency assigning a case or cases to an agent, but also assigning all related cases associated with the assigned case, which gives the agent access to more information than needed. Another example from (Zeng et al., 2015) is in healthcare: more often than not, staff at healthcare facilities such as doctors, nurses and researchers have access to more client information than is needed. In both cases, the security breach is not detected until after the incident, or not detected at all.
2.1.5 Remote Code Execution Attacks
Remote execution attacks are attacks where the attacker takes a known security bug or flaw in software and exploits the weakness in order to execute commands remotely. According to The Open Web Application Security Project (OWASP), remote execution attacks rank in the top 5 (The Open Web Application Security Project (OWASP), 2016). The paper "Penetration test: A case study on remote command execution security hole" by (Mohammad & Pourdavar, 2010) describes how a security flaw in a common automated bibliography software package called Basilic was exposed and allowed remote command execution. The Basilic exposure consisted of bad coding in Perl, where a specific line of code would return information about the remote system's directory structure and files, which attackers could execute remotely. Another form of remote execution attack is via Domain Name Server services. DNS is responsible for turning names on the internet into IP addresses so that users are directed to the intended destination. The paper "IRONSIDES: DNS with no single-packet denial of service or remote code execution vulnerabilities" by (Carlisle & Fagin, 2012) describes the vulnerability of DNS due to its relationship with Berkeley Internet Name Domain (BIND). BIND has three main issues: legacy code, being written in the C language, which has well-known security exposures, and being open source, which gives attackers access to the source code. The DNS security exposure for remote execution arises when the attacker sends a non-standard query that diverts execution flow to malicious code; this in turn gives the attacker control of DNS on the target machine. The paper "Path sensitive static analysis of web applications for remote code execution vulnerability detection" by (Zheng & Zhang, 2013) describes another security flaw in a very common database software product, MySQL. MySQL is open source database software, and the version with the security flaw has been downloaded over two million times (Zheng & Zhang, 2013). The security flaw exists in the management tool called phpMyAdmin, where remote execution is possible due to exposures in multiple PHP files in the source code. This allows attackers to remotely execute commands and take control of the MySQL database.
2.1.6 Social Engineering Attacks
We all use online social networks like Facebook, LinkedIn and MySpace, to name a few. What we may not know is that there are existing web attacks using these online social networks. The paper "Vulnerabilities in Social Networking Sites" by (Jagnere, 2012) describes how online social networking can be used for distributed denial of service (DDoS) attacks, spamming, malware distribution, violating privacy and even compromising computer disks. Jagnere focuses specifically on Facebook and how this online social networking site can be used to attack any host on the internet. Facebook allows attackers to develop Facebook applications in many programming languages and then use Facebook relationships to propagate their destructive application to many users, which can in turn attack a single host or many hosts. These destructive Facebook applications are hidden in images, text files and media files that the Facebook user interacts with and unknowingly distributes to all their friends and social networks (Jagnere, 2012). The paper "Social engineering attack framework" by (Mouton, Malan, Leenen, & Venter, 2014) describes social engineering attacks as the 'art' of influencing people to divulge sensitive information. Social engineering attacks can be implemented by phishing, pretexting, baiting and quid pro quo. Victims fall for these social attacks via friendship or liking on social media, scarcity, reciprocity, social validation and authority. (Mouton et al., 2014) describe how media such as email, face to face, telephone, SMS, web pages, storage media and even snail mail can be used to deliver social engineering attacks. These types of attacks are geared towards individuals, groups and organizations in order to gain financially, disrupt service and gain unauthorized access to systems.
20
2.2 Brief Protection From Cyber Attacks
This section of the paper focuses on literature that helps protect against the most common types of cyber attacks.
2.2.1 Protecting Against Web Attacks
These days it is rare to find any business, big or small, that does not have a presence on the web. This is one of the first places companies should look to protect against attackers. In the paper “Secure E-business Transactions By Securing Web Services” (Siddiqui & Singh, 2012), the authors discuss issues surrounding web services, such as denial of service, data session hijacking, SQL injection, and security holes in access control. To protect themselves, Siddiqui & Singh (2012) suggest some areas of focus for companies. The first is to use HTTP with authentication, which will prevent unauthorized access to confidential information. Secondly, companies may look at narrowing down access by granting access to specific IP addresses or even restricting by domain. To protect against SQL injection, coders should avoid or disable the HTTP POST and GET methods, as these allow SQL injection to happen. Along with this, coders should also avoid inline queries in their code, as again this opens the application up to SQL injection. Using XML-aware firewalls and also encrypting all data communication would drastically reduce a company's exposure to attackers. To protect against internal attackers, companies should have security processes that ensure accountability. Monitoring SOAP requests is another method of proactively protecting yourself, as it will help identify odd or dangerous web requests. Wazzan (2015) suggests focusing even more on monitoring the web activity surrounding the company's transactions. Adding a filtering model would construct logs that help in analyzing the payload and headers of each request and response. Using a signature-based detection model for HTTP requests could also help detect suspicious activity. Wazzan also suggests establishing a baseline of normal web request activity and then doing an anomaly analysis, which would help intrusion detection. Finally, the security model should have the capability to correlate different events, to give a better picture of the overall company security.
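As an added example (not code from the paper or from the works it cites), the following script models the monitoring approach just described: a filtering step that turns raw access log lines into records, signature-based detection over each HTTP request, a baseline of normal activity with anomaly analysis against it, and a correlation step that merges both kinds of evidence per client. All log lines, thresholds and signature patterns are constructed for illustration.

```python
"""Signature detection, baseline anomaly analysis and event correlation
over web server access logs.

Added example, not code from the paper or the works it cites. Log lines,
thresholds and signature patterns are constructed for illustration.
"""
import re
import statistics
from collections import Counter, defaultdict
from urllib.parse import unquote

# Common/combined access log format, trimmed to the fields used here.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Signature rules (name -> pattern), applied to the URL-decoded request path.
SIGNATURES = {
    "sql_injection": re.compile(
        r"(union\s+select|'\s*or\s+\S+\s*=\s*\S+|;\s*drop\s)", re.I),
    "path_traversal": re.compile(r"(\.\./|\.\.\\)"),
}

def parse_line(line):
    """Filtering step: one raw log line -> record dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote(rec["path"])   # decode %27, %20 ... before matching
    rec["base"] = rec["path"].split("?", 1)[0]
    return rec

def signature_hits(rec):
    """Names of every signature the request matches (empty list if clean)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(rec["path"])]

def build_baseline(records):
    """Profile of normal traffic: the set of served paths and per-client volume."""
    counts = list(Counter(r["ip"] for r in records).values())
    return {
        "paths": {r["base"] for r in records},
        "mean": statistics.mean(counts),
        "stdev": statistics.pstdev(counts) if len(counts) > 1 else 0.0,
    }

def anomalies(records, baseline, k=3.0):
    """Clients that request unknown paths or exceed mean + k*stdev requests."""
    flags = defaultdict(set)
    threshold = baseline["mean"] + k * baseline["stdev"]
    for r in records:
        if r["base"] not in baseline["paths"]:
            flags[r["ip"]].add("unknown_path")
    for ip, n in Counter(r["ip"] for r in records).items():
        if n > threshold:
            flags[ip].add("request_volume")
    return flags

def correlate(records, baseline):
    """Merge signature and anomaly evidence per client into one picture."""
    evidence = defaultdict(set)
    for r in records:
        for name in signature_hits(r):
            evidence[r["ip"]].add("sig:" + name)
    for ip, kinds in anomalies(records, baseline).items():
        evidence[ip].update("anom:" + kind for kind in kinds)
    return {ip: sorted(kinds) for ip, kinds in evidence.items()}

# Constructed sample data: a quiet "learning" window and a later live window.
TS = "[10/Oct/2015:13:55:36 -0600]"
BASELINE_LOG = [
    f'10.0.0.5 - - {TS} "GET / HTTP/1.1" 200 1024',
    f'10.0.0.5 - - {TS} "GET /products HTTP/1.1" 200 2048',
    f'10.0.0.5 - - {TS} "POST /login HTTP/1.1" 302 0',
    f'10.0.0.6 - - {TS} "GET / HTTP/1.1" 200 1024',
    f'10.0.0.6 - - {TS} "GET /search?q=shoes HTTP/1.1" 200 4096',
    f'10.0.0.7 - - {TS} "GET /products HTTP/1.1" 200 2048',
    f'10.0.0.7 - - {TS} "GET / HTTP/1.1" 200 1024',
    f'10.0.0.8 - - {TS} "POST /login HTTP/1.1" 302 0',
]
LIVE_LOG = [
    f'10.0.0.5 - - {TS} "GET / HTTP/1.1" 200 1024',
    f'10.0.0.5 - - {TS} "GET /products HTTP/1.1" 200 2048',
    f'203.0.113.7 - - {TS} "GET / HTTP/1.1" 200 1024',
    f'203.0.113.7 - - {TS} "GET /search?q=%27%20OR%201%3D1 HTTP/1.1" 500 0',
    f'203.0.113.7 - - {TS} "GET /products?id=1%20UNION%20SELECT%20name%20FROM%20users HTTP/1.1" 500 0',
    f'203.0.113.7 - - {TS} "GET /download?file=../../config.ini HTTP/1.1" 404 0',
    f'203.0.113.7 - - {TS} "GET /admin HTTP/1.1" 404 0',
    f'203.0.113.7 - - {TS} "POST /login HTTP/1.1" 401 0',
    "this line is not in log format and is filtered out",
]

def run_demo():
    """Learn the baseline, then report correlated evidence for the live window."""
    baseline = build_baseline([r for r in map(parse_line, BASELINE_LOG) if r])
    return correlate([r for r in map(parse_line, LIVE_LOG) if r], baseline)
```

Only the client that both matches signatures and departs from the baseline appears in the report; the normal client generates no evidence at all.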
2.2.2 Protecting Against Credit Card Attacks
One of the most common uses of a web presence is the ability for customers to pay for their purchases online and to have customer profiles on a company's web site. Unfortunately, this information is valuable to attackers and can be a main focus of attacks. The paper “The Management of Online Credit Card Data using the Payment Card Industry Data Security Standard” (Blackwell, 2008) suggests a framework that companies can use to protect their data. Blackwell focuses on the framework of the Payment Card Industry Data Security Standard (PCI DSS). Some credit card security guidelines for companies to follow are as follows. First, the company should only store the cardholder's name, PAN and expiry date. They should not store the complete magnetic stripe data or the CVC/CVV code used for authentication on the internet. This way, if the credit card information is stolen or accessed, the attackers do not have the full information and cannot use the credit card. Second is to secure the network of the credit card machines that handle the cardholder data. A suggestion was to use a wired network, isolated from other computer networks, in a physically secure area. This comes from previously known major attacks like the TK Maxx case (BBC, 2007), where over 46 million cardholder records were stolen. A common pattern to avoid is using vendor-supplied defaults for passwords and configurations, as attackers always try these known default passwords and configurations first to gain access. Blackwell also suggests encrypting the data that is stored and transmitted, to make it harder for attackers to retrieve information. Maintain a vulnerability management program, including antivirus, anti-malware and firewall rules. Companies should implement strong access control measures for cardholder data; only people who need to know should be allowed access. Physical access controls for the cardholder data should also be enforced. Regular monitoring and testing of the networks for intrusion detection should be done to ensure security and to test security processes. Finally, companies should have an information security policy that is written down and understood by all employees, supported by background checks.
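The first guideline above (store only name, PAN and expiry, never the stripe or CVC/CVV) can be enforced in code at the storage boundary. The following is an added example, not code from the paper or from the PCI Security Standards Council; the field names, record layout and test card number are assumptions made for illustration.

```python
"""Cardholder data handling modelled on the PCI DSS guidance above.

Added example, not code from the paper or from the PCI Security Standards
Council. It filters a payment record down to the fields that may be kept,
refuses to store sensitive authentication data, and masks PANs that would
otherwise end up in logs. Field names and the test card number are assumed.
"""
import re

# Fields that may be retained after authorization (and must be protected).
ALLOWED_FIELDS = {"cardholder_name", "pan", "expiry"}
# Sensitive authentication data: must not be stored after authorization,
# regardless of whether the storage is encrypted.
SAD_FIELDS = {"cvv", "cvc", "cvv2", "cvc2", "track1", "track2", "magstripe",
              "pin", "pin_block"}

class SensitiveDataError(ValueError):
    """A record bound for storage still carries sensitive authentication data."""

def sanitize_for_storage(record):
    """Return a copy of `record` holding only the permitted fields.

    SAD fields are dropped outright. Any other unexpected field is rejected
    so that a new upstream field cannot silently land in persistent storage.
    """
    cleaned = {}
    for key, value in record.items():
        k = key.lower()
        if k in SAD_FIELDS:
            continue
        if k not in ALLOWED_FIELDS:
            raise ValueError(f"unexpected field {key!r} in payment record")
        cleaned[k] = value
    missing = ALLOWED_FIELDS - cleaned.keys()
    if missing:
        raise ValueError(f"record missing required fields: {sorted(missing)}")
    return cleaned

def assert_no_sad(record):
    """Guard for the storage layer: raises if SAD slipped through."""
    present = sorted(k for k in record if k.lower() in SAD_FIELDS)
    if present:
        raise SensitiveDataError(f"refusing to store SAD fields: {present}")
    return True

def mask_pan(pan):
    """Mask a PAN for display or logging: at most first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must have 13 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

# Digit runs of PAN length (13 to 19), optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def redact_pans(text):
    """Replace anything that looks like a PAN in free text (e.g. a log line)."""
    return PAN_RE.sub(lambda m: mask_pan(m.group(0)), text)
```

Encryption of the retained PAN at rest (also recommended above) would sit in the storage layer after `assert_no_sad` has passed.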
2.2.3 Protection Models
In this section of the literature review we examine some theoretical protection models to protect companies from cyber attacks. One interesting paper is “Defending On-Line Web Application Security with User-Behavior Surveillance” (Cheng, Laih, Lai, Chen, & Chen, 2008). The paper proposes that the best way to protect a company from cyber attacks is to set a baseline of the normal activities of a given web application, and then use their system and algorithm to recognize abnormal behaviour and alert on it. The system uses an Embedded Markov Model (EMM) (Cheng et al., 2008) to set the baseline in the first phase, and in the second phase builds a user behaviour model to detect anomalies which could flag potential misuse or attack. Although this model is a unique idea, their study and sample testing were too small to determine real world applicability. Another novel idea from Grandison, Bilger, & O’Connor (2007) was to wrap security around business direction and have the executives of a company give direct input on where security should be focused. They proposed using a model called the Data Centric Security Model (DCSM) (Grandison et al., 2007). The model theorizes that for each data class, the company should put in place appropriate controls for data protection according to its unique requirements. For example, in their model more security focus would be put around research and development, since it is the bread and butter of certain companies, whereas in other companies customer data would be more of a focus for security. The DCSM model lets the company see a return on investment faster, as it can put different layers of security in place depending on the business direction. Another benefit of the DCSM model is that it requires little or no change to the IT infrastructure. The downside of this model is that at a high level the generic DCSM model can be used, but it has to be customized per company when you dig lower, which means a longer and more costly implementation.
2.2.4 Protection Models for Small Business
We have talked in general about how companies can protect themselves from cyber attacks; this section looks more closely at protection models for small business. Just like big companies, small businesses have sensitive data, and the exposure of sensitive data undermines the credibility of their business and can result in costly legal action (Conner & Conner, 2013). Unfortunately, small businesses have been found not to take security as seriously as they should (Campus, Sangani, & Vijayakumar, 2012), and most believe installing antivirus or anti-malware software is good enough for protection. Most small businesses believe that since they are small, they do not hold information that is beneficial for hackers to attack them, which is far from the truth. Hackers are increasingly focusing on smaller businesses because they are an easier target with less security (Alexander, 2005). Small businesses can protect themselves with simple process changes and by making security a priority. The paper “Cyber security scenarios and control for small and medium enterprises” (Campus et al., 2012) discusses some simple measures to protect small business. First, look at internal processes to protect against insider attacks. A small company should identify and protect its business critical assets, and limit physical and network access to data by role-based security measures. Have a formal hiring process with background checks and conduct regular employee training on the importance of security. The next area that Campus focuses on is the wireless network for small business. Small businesses should change the default password immediately after installation, turn on encryption at the wireless router and endpoint levels, and enable MAC filtering so that only computers known to the business are allowed on the wireless network. Changing the SSID from the default also prevents unwanted access, and blocking WAN requests keeps outside traffic outside. Finally, enable the firewalls that come with the wireless router and keep the firmware version current, as these help protect from new exposures. After these changes have been made, the next step for the small business should be figuring out its security posture. In the paper “Information Security in Small and Medium-Sized Companies” (Král, 2011), he proposes a five phase approach to increase security for small businesses. The first phase is to do a pre-audit of the small business to determine where the security holes may be. The pre-audit questions would be around the annual budget for security, how many employees there are, dependence on IT, impact of IT downtime, partner and customer sensitivity to security exposure, reputation impact, third party influence and what sensitive data the small business has that could be exposed. The second phase is interpretation of the results from the pre-audit. Depending on the results of the second phase, the third phase is to propose solutions to fix the security holes. The fourth phase is the actual implementation of the proposed solutions. Finally, the last phase is to audit the small business again to ensure the security holes are closed to a satisfactory level.
Another option for small business is to hire an IT person to help with security and the IT infrastructure. The IT person would be the champion for implementing security measures; they too face the same issues (Onwubiko & Lenaghan, 2007) but would have more knowledge to give a deeper security assessment and implementation. The downside to hiring an IT person is the limit of their knowledge about security. It is almost an impossible task for an IT person to keep up with the ever changing security exposures. Small businesses in recent years are also using cloud services to handle some of their security needs along with an IT person (Sangani, Velmurugan, Vithani, & Madiajagan, 2012). With the combination of an IT person and cloud services delivered as Software as a Service (SaaS), the exposure is less, but the IT person still has to handle local controls for the small business like access identity control, web security, email security, disaster recovery, intrusion detection and network security (Sangani et al., 2012).
2.3 Case Studies
In this section we look at some literature around case studies in implementing security, which will help us better understand the implications of applying security measures.
The first case study is on implementing security in healthcare facilities. The paper “A Practical Approach to Health Care Information Security” (Chaudhary & Ward, 2014) talks about the increased need for security in healthcare businesses due to the Health Insurance Portability and Accountability Act (HIPAA). HIPAA forces more stringent rules around security and the protection of healthcare patients. The paper points out that, like other businesses, healthcare providers face the same issues around security implementation: finding resources, assigning responsibilities, finding a starting point and managing the complete scope of the project. This case study pointed out three main areas that need to be governed, which are policies and procedures, roles and responsibilities, and risk management. The case study also pointed out eleven security domains that must be addressed during security implementation for a healthcare organization. They are third party risk management, regulatory compliance, data protection, logical security, employee management, logging and monitoring, business continuity management, security configuration management, physical security, security change management, and threat and vulnerability management.
Another case study is on a South African secondary school having security issues around personal information for educators, students, creditors and financials. The paper “Information Security Risk Management in Small Scale Organisations: A Case Study of Secondary Schools Computerised Information System” (Moyo, Abdullah, & Nienaber, 2013) talks about using a risk management program to deal with security issues. The methodology is called Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE). In this security methodology, they ask five risk management questions and, depending on the answers, they can lower the risk of security exposure. The questions are: what information CIS assets in secondary schools require protection; what threats or vulnerabilities should the schools’ CIS assets be protected against; what is the level of information security breaches in these CIS assets; what level of protection is needed to mitigate risks; and what is the impact on a CIS if the existing protection fails (Moyo et al., 2013).
The last case study analyzed in this literature review is around how security is managed in small businesses in Iran and Turkey (Laleh, Masoudi, Fathy, & Ghorbani, 2013). The study consisted of 33 questions surrounding security in the physical aspect, access control, data protection and commercial information management. Sixty companies participated, ranging across different areas of industry: government education, government corporations, individual corporations, banks and individual education. The results from the study determined that most of the businesses are reactive to security and do not have in-depth knowledge of security management standards. The study also pointed out that security management standards have to be implemented, and each business would need a custom security management implementation due to their diversity.
2.4 Summary Literature Review
In summary, the literature review first looked at some common cyber attacks: Broken Authentication and Session Management Attacks, Crimeware, Injection Attacks, Insider and Privilege Misuse, Remote Code Execution Attacks and Social Engineering Attacks. The literature review then discussed protection from cyber attacks, specifically web attacks, credit card attacks, protection models and protection models for small business. Finally, three case studies were examined to help understand the implications of security for small business. In the next chapter (Chapter III), the paper looks at assessing the security threat through a study of the top thirty cyber attacks in recent years, a risk assessment for small business based on these cyber attacks, and case studies using mock Alberta small businesses.
CHAPTER III
Assessment of Threats, Risks and Case Studies
3.1 Threat Assessment
In this section of the paper, literature was reviewed around the top cyber attacks in recent years from multiple sources. The data is then generalized into the top types of cyber attacks and put in a table for analysis. Keeping to the most current literature (the last two years) also helps the validity of the data.
Measurements from the literature review were best attained by taking ordinal measurements, classifying the types of attacks and the type of business. For the reliability of the classification, we first find the most common types of attacks and, through a literature review of each cyber attack, match each one to a type of cyber attack. This paper took unobtrusive measurements by doing content analysis of the literature around cyber attacks. By taking the approach of thematic analysis of the literature, we can identify the themes and major ideas of the literature around cyber attacks and types of cyber attacks.
Finally, for data analysis, we prepare all the literature reviews and organize them into categories related to the types of cyber attacks. The paper describes the data of each type of cyber attack in order to put the data categories into context. By using graphs of the data we can give a visual view of the data from many different angles. For example, one graph shows the top six types of cyber attacks, and a second graph shows what types of business were affected by the cyber attacks.
Table 1: Summary of famous cyber attacks in recent years
Victim | Description | Year | Business Type | Attack | Reference
Adobe | 38 million Adobe customers' personal information leaked after hackers obtained access to Adobe systems | 2014 | tech | Broken Authentication and Session Management Attacks | (Verge, 2013)
Anthem | Around Feb 2015, client personal information was accessed by hackers | 2015 | healthcare | Injection Attacks | (Anthem, 2015)
AOL | AOL noticed a big increase in the amount of spam from spoofed AOL Mail addresses. Spoofing is a tactic used by spammers to make it appear that the message is from an email user known to the recipient in order to trick the recipient into opening it. | 2014 | web | Social Engineering Attacks | (AOL, 2014)
Ashley Madison | Hackers exposed millions of its customers' personal information and posted 10GB of personal data for its tens of millions of customers | 2015 | web | Injection Attacks | (Dreyfuss, 2015)
Australian Immigration Department | An employee of the agency inadvertently sent the passport numbers, visa details and other personal identifiers of all world leaders attending the G20 Brisbane summit (Barack Obama, Vladimir Putin, Angela Merkel, Xi Jinping, Narendra Modi, David Cameron and many others) to the organizers of the Asian Cup football tournament. | 2015 | government | Insider and privilege misuse | (Guardian, 2015)
British Airways | Hackers accessed tens of thousands of British Airways frequent-flyer accounts | 2015 | retail | Injection Attacks | (Guardian, 2015)
Community Health Systems | In Aug 2014 the U.S. Community Health Systems had 4.5 million patients' personal data stolen; this included 206 hospitals across the US | 2014 | healthcare | Crimeware | (Pagliery, 2014)
Domino's Pizza (France) | Hackers stole Domino's customer database information and held the data of 600,000 French and Belgian customers to ransom | 2014 | web | Broken Authentication and Session Management Attacks | (Gibbs, 2014)
eBay | The company has said hackers attacked between late February and early March with login credentials obtained from “a small number” of employees. They then accessed a database containing all user records and copied “a large part” of those credentials. | 2014 | web | Insider and privilege misuse | (Epstein, 2014)
European Central Bank | Sensitive personal information leaked from the European Central Bank (ECB) because their website was hacked, and the bank was blackmailed | 2014 | financial | Injection Attacks | (Ehrenberg, 2014)
Gmail | 5 million Gmail account passwords leaked to a forum. Weak passwords were exposed and the attack was against multiple individuals, not one big data leak. | 2014 | web | Broken Authentication and Session Management Attacks | (Google, 2014)
Hacking Team Company | Spyware company got hacked and lost 400GB of internal information | 2015 | tech | Broken Authentication and Session Management Attacks | (Ragan, 2015)
Home Depot | Malware installed on POS systems across 2,200 Home Depot stores stole credit card information from about 56 million customers | 2014 | retail | Crimeware | (Krebsonsecurity.com, 2014)
JP Morgan Chase | July 2014: Hackers had access to 76 million client and 7 million business records. The hackers got access to the highest level of administrative privilege on many of the bank's servers. | 2014 | financial | Broken Authentication and Session Management Attacks | (Jessica Silver-Greenberg (New York Times), 2014)
Korea Credit Bureau | The personal data of at least 20 million bank and credit card users in South Korea was leaked | 2014 | financial | Insider and privilege misuse | (AFP, 2014)
LexisNexis | LexisNexis, Dun & Bradstreet and Kroll data brokerages were hacked and hackers stole millions of social security numbers | 2014 | tech | Crimeware | (Today, 2013)
MacRumors.com | Hackers accessed MacRumors forums and exposed password data for 860,000 users | 2014 | web | Broken Authentication and Session Management Attacks | (Goodin, 2014)
Mozilla | Mozilla leaked 76,000 developer email addresses and passwords | 2014 | web | Insider and privilege misuse | (Hern, 2014)
NASDAQ | Nasdaq forum website hacked by a hacking ring; email addresses and passwords compromised | 2014 | financial | Broken Authentication and Session Management Attacks | (McCrank, 2013)
Neiman Marcus | 1.1 million credit and debit cards stolen from the luxury retailer | 2014 | retail | Crimeware | (Elizabeth A. Harris, 2014)
New York Taxis | A freedom of information request resulted in the release of data on all 173 million journeys undertaken by New York taxis in one year. Due to weak encryption, hackers easily decoded it and could gather personal information | 2014 | transport | Insider and privilege misuse | (Pandurangan, 2014)
Premera | Detected 29 Jan 2015; occurred May 2014. Personal information of clients was accessed by hackers | 2015 | healthcare | Injection Attacks | (BlueCross, 2015)
Slack | Hackers were able to access Slack's central database for up to four days | 2015 | tech | Injection Attacks | (Kumparak, 2015)
Sony Pictures | Sony got hacked and internal company data was leaked to the public by the Guardians of Peace hackers | 2014 | media | Remote Code Execution Attacks | (Tom Gara, 2014)
Target | Target exposed 40 million customers' credit and debit cards. The data was obtained via software installed on the machines that customers use to swipe the magnetic stripes on their cards | 2014 | retail | Crimeware | (Reuters, n.d.)
Twitch.tv | All of Twitch's 10 million users were asked to change their passwords | 2014 | healthcare | Broken Authentication and Session Management Attacks | (Twitch, 2015)
Uber | Occurred Sep 2014 but announced Feb 2015. Hackers accessed Uber's database and got names and license plates of 50,000 driver partners | 2015 | tech | Injection Attacks | (Uber, 2015)
UPS | Malware was discovered in the credit and debit card processing systems at 51 branches in 24 states | 2014 | retail | Crimeware | (Rogers, 2014)
US Office of Personnel Management | An independent agency of the United States that works to recruit, retain and honor a world-class workforce for the American people. Its data was accessed, exposing the personal information of 22 million current and former federal workers | 2015 | government | Broken Authentication and Session Management Attacks | (Eng, 2015)
Types of attacks report | Percentage
Broken Authentication and Session Management Attacks | 31%
Crimeware | 21%
Injection Attacks | 24%
Insider and privilege misuse | 17%
Remote Code Execution Attacks | 3%
Social Engineering Attacks | 3%
Figure 1: Types of attacks report
3.1.1 Threat assessment Broken Authentication and Session Management Attacks (31%)
As discussed in the earlier literature review, “Broken Authentication and Session Management Attacks” are based on stealing information from web sessions due to guessable IDs, detection mechanisms for guessable IDs, weak cryptography, vulnerabilities of HTTP, insecure session handling methods, solution misuse or bad configuration and weakness in the inactive session management technique. From the chart this appears to be the top type of cyber attack in recent years, and the threat is high for business, as seen in the table for Adobe, Domino's Pizza (France), Gmail, Hacking Team Company, JP Morgan Chase, MacRumors.com, NASDAQ, Twitch.tv and US Office of Personnel Management. Since all businesses these days have some form of authentication in order to access applications and information from the web, this threat will be ever changing and hard to prevent.
3.1.2 Threat assessment Injection Attacks (24%)
In second place, “Injection Attacks” are vulnerabilities due to weak design of a web application; attackers exploit these weak points to gain access and retrieve important information. The threat is also high, as the majority of businesses will have some kind of database or querying application in order to get data. As Anthem, Ashley Madison, British Airways, European Central Bank, Premera, Slack and Uber found out, having information stolen or leaked is damaging to business and profit.
3.1.3 Threat assessment Crimeware Attacks (21%)
“Crimeware” attacks, or malware, spyware and adware, are all software written for a common purpose: to do something dishonest to the intended target by infecting their systems. Some of this malicious software can be relatively harmless, spamming targets with ads, but some can be very dangerous and can encrypt data and hold a business hostage. As Community Health Systems, Home Depot, LexisNexis, Neiman Marcus, Target and UPS found out, having a machine infected with Crimeware can cause them to lose their customers' confidential information. Crimeware is in third place and should be considered a high threat.
3.1.4 Threat assessment Insider and Privilege Misuse Attacks (17%)
“Insider and Privilege Misuse” attacks occur when there is a security exposure where people with access to critical information steal or use the information for personal gain, or sometimes expose it by accident. This kind of attack was noted at the Australian Immigration Department, eBay, Korea Credit Bureau, Mozilla and New York Taxis. This type of attack in recent years should be considered a medium threat.
3.1.5 Threat assessment Remote Code Execution Attacks (3%)
“Remote Code Execution” attacks are where the attackers take a known security bug or flaw in software and exploit the weakness in order to execute commands remotely. Although in the research on top recent cyber attacks the hit rate was low for this threat (Sony Pictures), this threat should be taken seriously.
3.1.6 Threat assessment Social Engineering Attacks (3%)
“Social Engineering” attacks are the act of tricking or conning a person into bypassing security processes, in order to gain access to systems and/or information for personal gain. This can be executed through what is sometimes called baiting, phishing, impersonation and scare tactics. Although in the research on top recent cyber attacks the hit rate was low for this threat (AOL), this threat should be taken seriously.
3.2 Risk Assessment
This section of the paper describes which business types are at risk of cyber attacks, derived from the top cyber attacks of recent years.
Type of Business affected by Cyber Attacks | Percentage
web | 24%
retail | 17%
tech | 17%
financial | 14%
healthcare | 14%
government | 7%
media | 3%
transport | 3%
Figure 2: Type of Business affected by Cyber Attacks
Table 2: Type of business and type of cyber attack
Type of Business | Type of Attack | Percentage
financial | Broken Authentication and Session Management Attacks | 50%
financial | Injection Attacks | 25%
financial | Insider and privilege misuse | 25%
government | Broken Authentication and Session Management Attacks | 50%
government | Insider and privilege misuse | 50%
healthcare | Broken Authentication and Session Management Attacks | 25%
healthcare | Crimeware | 25%
healthcare | Injection Attacks | 50%
media | Remote Code Execution Attacks | 100%
retail | Crimeware | 80%
retail | Injection Attacks | 20%
tech | Broken Authentication and Session Management Attacks | 40%
tech | Crimeware | 20%
tech | Injection Attacks | 40%
transport | Insider and privilege misuse | 100%
web | Broken Authentication and Session Management Attacks | 43%
web | Injection Attacks | 14%
web | Insider and privilege misuse | 29%
web | Social Engineering Attacks | 14%
3.2.1 Risk Assessment Web Business (24%)
From the research, due to the nature of web business, where exposure to the internet is its primary source of business, this type of business is at the highest risk at 24%, and has a 43% chance of being attacked by Broken Authentication and Session Management Attacks, 14% by Injection Attacks, 29% by Insider and Privilege Misuse attacks and 14% by Social Engineering Attacks (Table 2).
3.2.2 Risk Assessment Retail Business (17%)
Retail business, because of its rich customer database and credit card information, is tied for the second highest risk of being cyber attacked, and the attack is most likely to be Crimeware (80%) or Injection Attacks (20%).
3.2.3 Risk Assessment Tech Business (17%)
Tech business, due to its dependency on the internet, is tied for the second highest risk of being cyber attacked, with the attack most likely to be Broken Authentication and Session Management Attacks (40%), Injection Attacks (40%) or Crimeware Attacks (20%).
3.2.4 Risk Assessment Healthcare Business (14%)
Healthcare businesses hold confidential patient information, which makes them a good target for cyber attacks; they are third in risk among the types of business that tended to get cyber attacked in recent years, with the attack most likely to be Broken Authentication and Session Management Attacks (25%), Injection Attacks (50%) or Crimeware Attacks (25%).
3.2.5 Risk Assessment Financial Business (14%)
Financial business is also third on the list, for its wealth of financial information and money, with the attack most likely to be Broken Authentication and Session Management Attacks (50%), Injection Attacks (25%) or Insider and Privilege Misuse (25%).
3.2.6 Risk Assessment Government Business (7%)
Government businesses are lower on the risk list because they tend to have more security processes and scare off some attackers, as they are not as easy prey, but if they were attacked the odds are 50% Broken Authentication and Session Management Attacks and 50% Insider and Privilege Misuse.
3.2.7 Risk Assessment Media Business (3%)
Media businesses from the research seem to be lower on the list, due to having less valuable information that attackers can use for personal gain, and if there was an attack from the current top attacks, 100% would be Remote Code Execution Attacks.
3.2.8 Risk Assessment Transport Business (3%)
Transport businesses from the research seem to be lower on the list, due to having less valuable information that attackers can use for personal gain, and if there was an attack from the current top attacks, 100% would be Insider and Privilege Misuse.
3.3 Case Study
In this section we do a mock case study of four Alberta businesses and how research can point out
what types of Cyber Attacks would affect these Alberta businesses.
Case Study Family Doctor Office in Alberta (4 employees)
Environment: Dr. Singh and Dr. Ziee have a small practice in the small town of Fort Saskatchewan, Alberta. The office has two doctor's assistants who deal with the day-to-day business aspects so that the doctors can focus on the patients. Jill deals with Dr. Singh's patients and paperwork and is backup for Dr. Ziee when Judith is away. Judith deals with Dr. Ziee's patients and paperwork and is backup for Dr. Singh when Jill is away. The computer environment in this small-town doctor's office consists of two workstations that handle the patient database and bookings, a wireless router to connect the workstations to a common printer, and an internet modem to allow internet access for the workstations. Both workstations run anti-virus software that was installed by Geek Squad from Best Buy.
Figure 3: Diagram Doctors Office Network Infrastructure
High Risk Attack Type:
50% Injection Attacks – This Alberta doctor office has a high risk similar to the Orderwise SQL injection attack: the code is injected into the user's code via email or malware and grants the attackers the ability to query immediately for patient data.
25% Broken Authentication and Session Management Attacks – This Alberta doctor office does not have the security procedures and methods to enforce security, so it is at high risk of Broken Authentication and Session Management attacks such as guessable IDs and weak passwords.
25% Crimeware Attacks – This Alberta doctor office has a high risk of Crimeware attacks via email or downloaded programs. Even with antivirus and a desktop firewall installed, a considerable amount of Crimeware goes undetected. E-mails with attached Trojan horses and key loggers are notorious for enticing office staff to open the attachment and infect their local computer or open it up to attackers.
Low Risk Attack Type:
Insider and privilege misuse – Insider and privilege misuse should be low because there are only four people in the office and everyone has access to everything due to limited resources. Although there is a risk of Judith or Jill using the information for personal gain, accountability is so high with such a small staff (two) that it would easily be detected.
Remote Code Execution Attacks – This small doctor office has limited software, mostly Microsoft Office to hold patient information and office documents, which is updated automatically with Windows updates. It has a low risk of Remote Code Execution attacks.
Social Engineering Attacks – Although Judith and Jill have Facebook and other social media accounts, they would be lower on the scale of Social Engineering attacks because of the lower financial gain for the attackers.
Case Study Local Sporting Goods retailer in Alberta (10 employees)
Environment: Joe's Sporting Goods is an Alberta small business specializing in outdoor sporting goods such as custom bicycles, hockey equipment, soccer equipment and gear for most outdoor activities. Joe's Sporting Goods has ten employees: owner/manager Joe Speel, business manager Tammy, who handles the financial and business aspects, and eight part-time employees who serve customers via shift work. The IT infrastructure consists of four Windows computers running a terminal client, a Windows Terminal Server, an MS SQL Server holding the business inventory database, and a print server to print receipts and documents. They are all connected through a wireless router and access the internet via an internet modem. Each computer runs a local copy of antivirus software that is updated manually over the internet connection.
Figure 4: Diagram Retailer Office Network Infrastructure
High Risk Attack Type:
80% Crimeware Attacks – Joe's eight part-time employees, when not busy, have the ability to access their personal email and the internet, which leaves a very high risk of any of Joe's Sporting Goods' four computers coming under Crimeware attack.
50% Injection Attacks – Joe's Sporting Goods also has a web page where customers can order online and pick up their products locally. The web page was created by a local IT shop, has not been maintained and is hosted on a free domain, which leaves it open to Injection attacks.
Low Risk Attack Type:
Broken Authentication and Session Management Attacks – Joe's Sporting Goods does have a small web presence, but it is not high traffic, so it is less attractive for attackers and for Broken Authentication and Session Management attacks.
Insider and privilege misuse – This type of attack is lower risk because there are only eight part-time employees, and Joe personally knows them and keeps a close eye on his small business. The risk of Insider and Privilege misuse is low because Joe allows only himself and Tammy access to business and financial information.
Remote Code Execution Attacks – Joe's Sporting Goods does not have a lot of software, mostly Microsoft products that are updated automatically with Windows Updates. It is at lower risk of Remote Code Execution attacks because of its basic setup and lack of custom code.
Social Engineering Attacks – This type of attack is lower risk because of the small presence Joe's Sporting Goods has on the Internet, and Social Engineering attacks would have a small impact on Joe's business.
Case Study Software firm in Alberta (25 Employees)
Environment: Inspired is a web advertising company that specializes in creating web advertisements for businesses' web pages. The company has twenty-five employees: owner/manager Bill Mulsk, financial/business manager Angela, web coding manager Michael, art design manager Felicia, sales manager Bob, nine full-time web coders, nine full-time graphic artists and two sales reps. The IT infrastructure has Windows workstations for the web coders, iMacs for the graphic arts employees, and MacBook Pros or PC laptops for managers and sales reps. The office has a domain server for user authentication, a database server to hold customer information, a print/file server for sharing files and a web server to host the company web site. The infrastructure has a firewall provided by their Internet Service Provider, which carries the basic rules applied to all small businesses and is managed by the provider.
Figure 5: Diagram Software Firm Office Network Infrastructure
High Risk Attack Type:
20% Crimeware Attacks – Inspired employees all have internet access and email addresses, which opens them up to Crimeware attacks.
40% Injection Attacks – Inspired's employees are mostly coders and graphic artists. The database infrastructure is a secondary concern and, like the web server, is irregularly maintained; their main concern is to develop the web advertisements for their customers. This leaves a high risk of Injection attacks.
40% Broken Authentication and Session Management Attacks – Inspired's employees are mostly coders and graphic artists, and the web infrastructure is a secondary concern that is irregularly maintained; their main concern is to develop the web advertisements for their customers. This leaves a high risk of Broken Authentication and Session Management attacks.
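The Injection risk flagged for Joe's Sporting Goods' online order page, for the doctor office's patient database and for Inspired's customer database comes down to one defect: customer input pasted into SQL text. As an added example (not code from the paper), the product lookup below is shown in its vulnerable form beside its parameterized form against a constructed inventory table; the paper names MS SQL Server, and sqlite3 in memory stands in for it here so the example runs offline.

```python
"""Added example, not from the paper: the Injection risk on an online order
page, shown against a constructed stand-in for Joe's Sporting Goods'
inventory database (sqlite3 in memory instead of the MS SQL Server the
paper names, so it runs offline)."""
import sqlite3

# Constructed sample inventory; not data from the paper. The last row is
# not meant to be visible on the order page (online = 0).
SAMPLE_INVENTORY = [
    ("Custom road bicycle", "bikes", 1899.00, 2, 1),
    ("Hockey stick, junior", "hockey", 59.99, 14, 1),
    ("Soccer ball, size 5", "soccer", 24.50, 30, 1),
    ("Discontinued goalie pads", "hockey", 0.0, 0, 0),
]


def build_inventory() -> sqlite3.Connection:
    """Create the in-memory inventory table the order page would query."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE inventory ("
        "id INTEGER PRIMARY KEY, name TEXT, category TEXT, "
        "price REAL, stock INTEGER, online INTEGER)"
    )
    conn.executemany(
        "INSERT INTO inventory (name, category, price, stock, online) "
        "VALUES (?, ?, ?, ?, ?)",
        SAMPLE_INVENTORY,
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, category: str) -> list:
    """The defect behind the Injection risk: the category chosen by the
    customer is pasted into the SQL text, so a quote in the input ends the
    string literal and whatever follows is read as SQL, not as a value."""
    sql = (
        "SELECT name, price FROM inventory "
        f"WHERE category = '{category}' AND online = 1"
    )
    return conn.execute(sql).fetchall()


def search_hardened(conn: sqlite3.Connection, category: str) -> list:
    """Same lookup with a parameterized query: the input is bound as a
    value by the database driver and can only ever match a category."""
    sql = "SELECT name, price FROM inventory WHERE category = ? AND online = 1"
    return conn.execute(sql, (category,)).fetchall()


def compare(category: str) -> dict:
    """Run both versions on the same input and report what each returned,
    so the difference can be checked rather than eyeballed."""
    conn = build_inventory()
    try:
        return {
            "vulnerable": search_vulnerable(conn, category),
            "hardened": search_hardened(conn, category),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # Normal input: both versions agree.
    print(compare("hockey"))
    # Input containing a quote: the vulnerable version stops filtering and
    # returns rows the order page was never meant to show; the hardened
    # version simply finds no category with that name.
    print(compare("' OR 1=1 --"))
```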
Low Risk Attack Type:
Insider and Privilege misuse – The domain server has multiple access roles, which limits what data the coders and artists can access, leaving Insider and Privilege misuse attacks at lower risk.
Remote Code Execution Attacks – Although Inspired has a web presence, it is only to advertise what the company does; it does not hold customer data or take orders online, so it has a lower risk of Remote Code Execution attacks.
Social Engineering Attacks – Most of Inspired's employees are tech savvy enough not to fall for most online Social Engineering attacks, which puts them at lower risk of these attacks.
Case Study Shipping Company in Alberta (49 Employees)
Environment: Northern Connection is an Alberta truck shipping company that delivers products to northern Alberta towns. Northern Connection's main office is in Edmonton, Alberta, where the majority of the staff reside. In the main office there are general manager/owner Al Fitz, business/financial manager Geoff, central operations manager Linda, IT person Fred, seven district managers and thirty-nine location managers across the northern Alberta towns. Northern Connection's IT infrastructure consists of Windows workstations, iMacs, MacBook Pros and PC laptops in the main office in Edmonton, and dumb terminal workstations in all the northern Alberta towns to access the shipping database in the main office. The main office has a domain server against which all the main office computers authenticate. There is a central database server that holds all the customer information and shipping schedules, and a shared print/file server for the main office. A terminal server handles all the remote connections from the northern Alberta town locations. The web server and ecommerce server handle online requests and tracking for Northern Connection's customers.
Figure 6: Diagram Shipping Company Office Network Infrastructure
High Risk Attack Type:
100% Insider and Privilege misuse – Northern Connection has a custom-made database that holds customer data, shipping schedules and shipping information. When the database was built ten years ago, security was not a concern, so every user ID can access all information in the database. This poses data security issues: theft of customer data to competitors from a remote office, and loss of data integrity because everyone has edit access. Northern Connection is at high risk of Insider and Privilege misuse attacks.
Low Risk Attack Type:
Crimeware Attacks – Lower risk for Northern Connection because IT person Fred keeps up to date with known viruses and antivirus updates.
Injection Attacks – Lower risk for Northern Connection because IT person Fred keeps a close eye on the database and web server.
Broken Authentication and Session Management Attacks – Lower risk for Northern Connection because IT person Fred keeps a close eye on the infrastructure servers.
Remote Code Execution Attacks – Lower risk for Northern Connection because IT person Fred keeps a close eye on the infrastructure servers.
Social Engineering Attacks – Lower risk, as the owner Al Fitz has put out a memo to all employees banning social sites on company computers.
3.4 Summary
In this section of the paper, literature on the top cyber attacks of recent years was reviewed from multiple sources, and a table was created summarizing the attacks, categorizing them and listing the types of business affected. This section then analyzed that data and found that the threat assessment was highest for Broken Authentication and Session Management Attacks, Crimeware and Injection attacks. The types of business with the highest risk assessment were web, retail and tech businesses. Finally, this section did mock case studies of four common Alberta businesses and pointed out, from the data analysis, which types of attacks posed the highest risk for each.
CHAPTER IV
Proposed Solutions for Alberta Small Business
4.1 SECaaS
A common trend in small business is the use of cloud services to reduce costs and manage infrastructure (Korongo, Samoei, & Gichoya, 2013). According to a recent study by Leger (Fisher, 2015), around forty-six percent of Canadian small businesses are using one or more services in the cloud. According to Forbes, United States small business cloud adoption is expected to reach seventy-eight percent by 2020 and be an over fifty-five billion dollar business (Louise, 2015). The main reasons small businesses are moving to the cloud are cost and convenience. For just a monthly bill, a small business can have essential IT services provided without incurring the upfront costs of software, hardware and IT support. As with any new technology, new problems come with it. One problem with cloud services is that providers use the same images for all tenants; if there is a security exposure in the image, it tends to be exposed at mass scale because the same image is replicated for many customers. Another main exposure is tenant-to-tenant attacks. One tenant of a cloud service could attack another tenant of the same provider via the security exposure called VM Escape (Vijayan, 2015). Essentially, the tenant uses this exposure to gain control of the cloud host, which contains the virtual machines of all the provider's tenants. The attacker can then steal resources away from other tenants and even access other tenants' VMs. Lastly, another known type of exposure in cloud services is where a VM in the cloud provider's environment is compromised and used for denial of service (DoS) attacks. This attack not only causes havoc on the victim's hosts, but also racks up charges on the host machine spamming out the attack, as cloud service providers charge per usage. Cloud services fit into three main categories: Infrastructure as a Service (IaaS), Software as a Service (SaaS) and Platform as a Service (PaaS). A new cloud service is starting to trend, called Security as a Service (SECaaS), where cloud service providers, alongside the other cloud services, offer security as a service to protect business IT infrastructure in the cloud (Vivek Mehta, 2012). SECaaS has been debated and many different architectures and solutions have been proposed, such as the paper by Varadharajan and Tupakula (2014), which discusses Service Provider Attack Detection (SPAD), and Dawoud, Takouna, and Meinel (2010), who focus on a security model for IaaS. In the end, SECaaS will be essential going forward and will evolve as more businesses move to cloud services.
In the case study for Dr. Singh and Dr. Ziee, who have four employees, SECaaS may help if they sign up for a cloud storage service or SaaS where their booking system is hosted by a cloud provider. To keep their clients' data secure, they should look into paying for SECaaS to protect it.
In the case study for Joe's Sporting Goods, which has ten employees, SECaaS may help if they sign up for IaaS and SaaS to host the servers and online applications that support their business. SECaaS would help protect their online presence and their inventory database from cyber attacks.
In the case study for the Inspired software company, which has twenty-five employees, database servers, a print server and a web server, it makes sense to cut costs and improve reliability by moving most of the infrastructure to the cloud: IaaS for their servers, SaaS for hosting databases and other applications and PaaS for their developers. Inspired would then depend more heavily on cloud services, since most of their infrastructure would sensibly be in the cloud, which makes SECaaS a more crucial service to help protect their data.
In the case study for the Northern Connection company, which has forty-nine employees, a domain server, database server, print server, web servers, terminal server and ecommerce server, it makes sense for Northern Connection to sign up for an array of cloud services: IaaS to host all the infrastructure servers, and SaaS to provide the database and front-end applications for their business. Being at high risk of insider and privilege misuse, Northern Connection would also benefit from SECaaS and from putting more monitoring around their online resources.
4.2 Procedures for Security improvement
Tools cannot exist without process, and small businesses should have some security processes in place to protect themselves against cyber attacks. This section describes some areas that those processes should cover. The first area is the security control elements that a small business should look at:
Identification – Small businesses should do background checks on the employees they are about to hire, and on existing employees. This helps you understand your employees' history; after all, these employees will have access to important data and be intimately involved with your company. Along with this, employees should have some form of identification to prove they are employees and what access they are allowed.
Authentication – Small businesses should have individual-to-system authentication. This sets clear lines around what data each employee should be able to access and helps hold people accountable.
Authorization – Small businesses should have an approval process in which the business owner or manager approves the different levels of access granted through authentication. Without these levels of approval, the identification and authentication processes would be negated.
Information Protection & Confidentiality – Small businesses should have a process to protect critical information. They should have a process to encrypt their data and/or store it in a secure location with control measures. Small businesses should also keep in mind residual information that can be left behind and later used.
Service Integrity & Availability – Small businesses should have a process that checks that their systems are up and available. This area can be large depending on how complicated the small business's IT infrastructure is; it can range from operating system resource management, vulnerability scanning and security advisory patch management to server/service activation/deactivation and time limits.
Activity Auditing – Small businesses should have a process so that, if an attack happens, the business has an audit trail it can follow to find the root cause. This would prevent future attacks of the same nature and help plug security holes.
Assurance – Small businesses should have a process to test their security measures. As in the paper by Král (2011), there should be a pretest, evaluation, solution, implementation and retest of the security processes.
Security Incident Reporting & Management – Small businesses should have a process to report security incidents, access violations and misuse of access. This holds people accountable and shows that the security processes are working.
Physical Access Controls – Small businesses should have a process to physically protect business data, covering everything from physical access to the main IT infrastructure to the physical storage of media.
In the case study for Dr. Singh and Dr. Ziee, since there are only four people, processes for security improvement could be implemented quickly and would be easy to maintain. The key is to make the processes simple for the two assistants and to have them written down.
In the case study for Joe's Sporting Goods, since there is high turnover among the front staff, it is crucial that they have security procedures for hiring and background checks, a process for physical access to the data, and processes for identification and authorization for audit and access purposes.
In the case study for the Inspired software company, since they have a large number of developers and multilevel access, processes for identification and authorization are crucial, along with a process for incident and security management.
In the case study for the Northern Connection company, since they are spread out across multiple sites, security process becomes paramount, especially since they are at higher risk of insider and privilege misuse. Northern Connection would benefit from processes controlling identification, authorization, service integrity and availability, auditing, incident reporting/management and physical access control.
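As an added example (not code from the paper) of the Identification, Authentication, Authorization, Activity Auditing and Security Incident Reporting elements above, the following Python models a least-privilege access layer for Northern Connection's shipping database, where today every user ID can read and edit everything. The role matrix, towns and records are constructed assumptions; only the names Al Fitz and Linda come from the case study.

```python
"""Added example, not from the paper: a small access-control and audit
layer of the kind section 4.2 describes, applied to the Northern Connection
case study, where every user ID can currently read and edit every record.
Roles, towns and records are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Least-privilege role matrix (Authorization): record type -> allowed actions.
# Assumed for this example: a location manager only needs to read the
# schedule for their own town; customer data stays in the main office.
PERMISSIONS = {
    "location_manager": {"schedule": {"read"}},
    "district_manager": {"schedule": {"read", "edit"}, "customer": {"read"}},
    "operations": {"schedule": {"read", "edit"}, "customer": {"read", "edit"}},
    "owner": {"schedule": {"read", "edit"}, "customer": {"read", "edit"}},
}

# Roles whose access is limited to records for their own town.
TOWN_SCOPED_ROLES = {"location_manager"}


@dataclass(frozen=True)
class User:
    """An individual account (Identification/Authentication) carrying a role
    the owner or manager has approved (Authorization)."""
    user_id: str
    role: str
    town: str = ""  # only meaningful for town-scoped roles


@dataclass
class AuditLog:
    """Activity Auditing: every access decision is recorded, allowed or not,
    so an incident can be traced to its root cause and misuse reported."""
    entries: list = field(default_factory=list)

    def record(self, user, action, record_type, town, allowed):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user.user_id, "role": user.role, "action": action,
            "record_type": record_type, "town": town, "allowed": allowed,
        })

    def violations(self):
        """Denied attempts: the input to Security Incident Reporting."""
        return [e for e in self.entries if not e["allowed"]]


def authorize(user, action, record_type, town):
    """True only if the role permits the action on the record type and, for
    town-scoped roles, the record belongs to the user's own town."""
    allowed = PERMISSIONS.get(user.role, {}).get(record_type, set())
    if action not in allowed:
        return False
    if user.role in TOWN_SCOPED_ROLES and user.town != town:
        return False
    return True


class ShippingDb:
    """Stand-in for the custom shipping database; enforces the role matrix
    on every access instead of trusting any user ID with everything."""

    def __init__(self, log):
        self.log = log
        # Constructed records; not real customers or schedules.
        self.records = [
            {"type": "schedule", "town": "Slave Lake", "data": "Tue 08:00 run 17"},
            {"type": "schedule", "town": "Peace River", "data": "Wed 06:30 run 22"},
            {"type": "customer", "town": "Slave Lake", "data": "ACME Hardware, acct 1041"},
        ]

    def access(self, user, action, record_type, town):
        """Check, log, then either refuse or return the matching records."""
        allowed = authorize(user, action, record_type, town)
        self.log.record(user, action, record_type, town, allowed)
        if not allowed:
            raise PermissionError(
                f"{user.user_id} may not {action} {record_type} for {town}")
        return [r["data"] for r in self.records
                if r["type"] == record_type and r["town"] == town]


if __name__ == "__main__":
    log = AuditLog()
    db = ShippingDb(log)
    owner = User("al.fitz", "owner")
    ops = User("linda", "operations")
    remote = User("lm.slavelake", "location_manager", town="Slave Lake")
    print(db.access(owner, "edit", "customer", "Slave Lake"))
    print(db.access(ops, "edit", "schedule", "Peace River"))
    print(db.access(remote, "read", "schedule", "Slave Lake"))
    try:  # a remote office pulling the customer list is refused and logged
        db.access(remote, "read", "customer", "Slave Lake")
    except PermissionError as err:
        print("denied:", err)
    print("violations to report:", log.violations())
```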
4.3 Education on security
The best way to protect your small business is to get educated about security measures. There are online government security resources that can help, such as OnGuardOnline (Onguardonline, 2016), which is led by U.S. Homeland Security to educate small businesses about cyber security. The Canadian government also has resources to educate small businesses on cyber security (getcybersafe, 2015), covering the main issues surrounding cyber security and what a small business would face.
Alberta colleges and universities also offer courses on security. For example, the University of Calgary has a course called "Security Management Certificate" (University of Calgary, 2016), a three-hundred-hour certificate covering multiple courses, whose aim is to train an individual to be a company's security person. If three hundred hours is too intense, small businesses could also look at specific courses offered by colleges, such as the fourteen-hour courses "Vulnerability Assessment" or "Intrusion Detection/Prevention" (NAIT, 2016).
These are some starting points for cyber security education for small businesses in Alberta; numerous other resources are appearing regularly.
In all the case studies, for Dr. Singh and Dr. Ziee, Joe's Sporting Goods, the Inspired software company and Northern Connection, taking online education and even signing up for classes at an institution for owners, managers and employees would help educate them and make them aware of the dangers.
4.4 Other Solutions
Another possible security solution for small businesses is to engage security consultants to assess the business and provide solutions customized to it. The following are some suggestions.
a) Cigital (Cigital, 2016)
b) Stellar Solutions (Stellar Solutions, 2016)
c) SecureSenses (SecureSenses, 2016)
In all the case studies, for Dr. Singh and Dr. Ziee, Joe's Sporting Goods, the Inspired software company and Northern Connection, getting external professional help, if it fits their business model, would be a great benefit. Dr. Singh and Dr. Ziee's small office may benefit from a consultant coming in to point out some critical areas of concern and provide solutions. Joe's Sporting Goods may hire an external auditor to help track down exposures and advise on ways to improve security. Inspired and Northern Connection may simply outsource their security to an external company.
CHAPTER V
Conclusion and Recommendations
Conclusion
In this paper we wanted to study how vulnerable small businesses are to cyber attacks. First, the paper studied the common types of web attacks through a literature review. Broken Authentication/Session Management, Crimeware, Injection, Insider/Privilege Misuse, Remote Code Execution and Social Engineering attacks were discussed and studied. The literature review further studied how to protect against cyber attacks by looking at protection against web attacks, credit card fraud, general protection models and protection models for small businesses. To help apply this knowledge, the literature review looked at case studies on healthcare, a South African school, and small businesses in Iran and Turkey.
In the next section of this paper we looked at the most famous cyber attacks of the past two years. Measurements from the literature review were best attained by taking ordinal measurements, classifying the types of attacks and the types of business. The reliability of the classification came first from finding the most common types of attacks and then, through a literature review of each cyber attack, matching each to a type of cyber attack. This paper took unobtrusive measurements by doing content analysis of the literature on cyber attacks. By taking a thematic analysis approach to the literature, we can identify the themes and major ideas in the literature on cyber attacks and types of cyber attacks. In the data analysis, the data was prepared and organized into categories related to the types of cyber attacks. The paper describes the data for each type of cyber attack in order to put the data categories in context. By using graphs of the data we were able to give a visual view of the data from many different perspectives on cyber attacks; for example, one graph shows the top six types of cyber attacks, and a second graph shows what types of business were affected by the cyber attacks. Finally, we extrapolated the data and applied it to how it could affect Alberta small businesses.
To help better understand the impact on Alberta small businesses' security position and the data that was analyzed, four mock case studies of typical Alberta small businesses were done to show what types of attack are prevalent for them. The first case study looked at a small doctor's office with four people and how Injection attacks could be the biggest concern. The second case study looked at a sporting goods retailer with ten employees and how Crimeware would be the highest risk. The third case study was on a software firm with twenty-five employees, where Broken Authentication/Session Management and Injection attacks would be the highest risks. The last case study looked at a shipping company with forty-nine employees, where the highest risk could be Insider/Privilege Misuse.
The last section of this paper looked at possible solutions for Alberta small businesses. SECaaS was considered as a possible solution for Alberta small businesses that use cloud services. Processes could also help Alberta small businesses by looking internally at what could be done to close security holes. Education on security would help employees and owners better understand how to prevent security attacks. Finally, the other option is to engage security consultants to help protect Alberta small businesses.
A final thought about this paper is that the concepts and ideas discussed around Alberta small business are not limited to Alberta, but can be applied to any small business in any region.
Suggestions for Further Research
Although this paper was a literature review of the Alberta small business security posture, further research could survey Alberta small businesses via web survey, in person, by mail and by email. Collecting more current data from actual Alberta small businesses would make for a more accurate study.
REFERENCES
AFP. (2014). South Korea Bank Leak. Retrieved February 4, 2016, from
http://www.securityweek.com/20-million-people-fall-victim-south-korea-data-leak
Alexander, P. (2005). business - Is Your Biz Safe From Internet Security Threats? Retrieved
April 24, 2016, from https://www.entrepreneur.com/article/78616
Anthem. (2015). Anthem Hacked. Retrieved February 3, 2016, from
https://www.anthemfacts.com/faq
AOL. (2014). AOL Security spoofing mail hack. Retrieved February 4, 2016, from
http://blog.aol.com/2014/04/28/aol-security-update/
BBC. (2007). BBC NEWS | Business | Q&A: TK Maxx credit card fraud. Retrieved April 23,
2016, from http://news.bbc.co.uk/2/hi/business/6509993.stm
Blackwell, C. (2008). The management of online credit card data using the payment card
industry data security standard. 3rd International Conference on Digital Information
Management, ICDIM 2008, 838–843. http://doi.org/10.1109/ICDIM.2008.4746843
BlueCross. (2015). Premera Blue Cross. Retrieved February 3, 2016, from
https://www.premera.com/wa/visitor/about-the-
cyberattack/?WT.z_redirect=www.premera.com/cyberattack/
Campus, D., Sangani, N. K., & Vijayakumar, B. B. (2012). Cyber security scenarios and control
for small and medium enterprises. Informatica Economică, 16, 58–72.
Carlisle, M., & Fagin, B. (2012). IRONSIDES: DNS with no single-packet denial of service or
remote code execution vulnerabilities. GLOBECOM - IEEE Global Telecommunications
Conference, 839–844. http://doi.org/10.1109/GLOCOM.2012.6503217
Chaudhary, R., & Ward, J. J. (2014). A Practical Approach to Health Care Information Security,
(June).
Cheng, Y.-C., Laih, C.-S., Lai, G.-H., Chen, C.-M., & Chen, T. (2008). Defending On-Line Web Application Security with User-Behavior
Surveillance. 2008 Third International Conference on Availability Reliability and Security,
410–415. http://doi.org/10.1109/ARES.2008.127
Cigital. (2016). How to Get Started with a Software Security Initiative | Cigital. Retrieved May
27, 2016, from https://www.cigital.com/services/software-security-strategy/software-
security-in-a-box/
Conner, R., & Conner, D. (2013). Riding the Waves of Technology Without Capsizing : Data
Security That Makes Sense for Small Business, 22–26. Retrieved from
http://www.pensionpro.com/News/Jul032013
Dawoud, W., Takouna, I., & Meinel, C. (2010). Infrastructure as a Service Security : Challenges
and Solutions. Security, 1–8. Retrieved from
http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5461732
Dreyfuss, E. (2015). Ashley Madison Hack. Retrieved February 4, 2016, from
http://www.wired.com/2015/08/check-loved-one-exposed-ashley-madison-hack/
Ehrenberg, B. (2014). Hacked European Central Bank website. Retrieved February 4, 2016,
from http://www.cityam.com/1406190300/ecb-website-hacked
ELIZABETH A. HARRIS, N. P. and N. P. (NewYork T. (2014). Neiman Marcus Data Breach.
Retrieved February 4, 2016, from http://www.nytimes.com/2014/01/24/business/neiman-
marcus-breach-affected-1-1-million-cards.html?_r=0
Eng, J. (2015). OPM Hack: Government Finally Starts Notifying 21.5 Million Victims - NBC
News. Retrieved February 4, 2016, from http://www.nbcnews.com/tech/security/opm-hack-
government-finally-starts-notifying-21-5-million-victims-n437126
Epstein, Z. (2014). eBay Hack: 145 million accounts compromised in massive breach | BGR.
Retrieved February 4, 2016, from http://bgr.com/2014/05/27/ebay-hack-145-million-
accounts-compromised/
Etaher, N., Weir, G. R. S., & Alazab, M. (2015). From ZeuS to Zitmo : Trends in Banking
Malware 1, 1386–1391. http://doi.org/10.1109/Trustcom.2015.535
Fisher, B. (2015). The Time Is Right For Small Businesses To Embrace The Cloud | Brad
Fisher. Retrieved May 27, 2016, from http://www.huffingtonpost.ca/brad-fisher/cloud-
small-businesses_b_8554500.html
Garkoti, G., Peddoju, S. K., & Balasubramanian, R. (2014). Detection of insider attacks in cloud
based e-healthcare environment. Proceedings - 2014 13th International Conference on
Information Technology, ICIT 2014, 195–200. http://doi.org/10.1109/ICIT.2014.43
getcybersafe. (2015). Get Cyber Safe Guide for Small and Medium Businesses. Retrieved from
http://www.getcybersafe.gc.ca/cnt/rsrcs/pblctns/smll-bsnss-gd/index-en.aspx
Gibbs, S. (2014). Domino’s Pizza faces ransom demand after hack | Technology | The Guardian.
Retrieved February 4, 2016, from
http://www.theguardian.com/technology/2014/jun/16/dominos-pizza-ransom-hack-data
Goodin, D. (2014). Hack of MacRumors forums exposes password data for 860,000 users
(Wired UK). Retrieved February 4, 2016, from http://www.wired.co.uk/news/archive/2013-
11/13/mac-rumours-forums-hacked
Google. (2014). 5 Million Gmail Passwords Leak, Google Says No Compromise. Retrieved
February 3, 2016, from http://thenextweb.com/google/2014/09/10/4-93-million-gmail-
usernames-passwords-published-google-says-evidence-systems-compromised/
Grandison, T., Bilger, M., & O’Connor, L. (2007). Elevating the discussion on security
management: The data centric paradigm. IT Management, 1–10.
http://doi.org/10.1109/BDIM.2007.375015
Guardian), P. F. (The. (2015). Australian Immigration Department. Retrieved February 3, 2016,
from http://www.theguardian.com/world/2015/mar/30/personal-details-of-world-leaders-
accidentally-revealed-by-g20-organisers
Guardian, T. (2015). British Airways frequent-flyer accounts hacked | Business | The Guardian.
Retrieved February 3, 2016, from
http://www.theguardian.com/business/2015/mar/29/british-airways-frequent-flyer-
accounts-hacked
Hern, A. (2014). Mozilla confirms leak of 76,000 developer email addresses | Technology | The
Guardian. Retrieved February 3, 2016, from
http://www.theguardian.com/technology/2014/aug/05/mozilla-leak-developer-email-
addresses-passwords-firefox
Huluka, D. (2012). Root Cause Analysis of Session Management and Broken Authentication
Vulnerabilities, 82–86.
Jagnere, P. (2012). Vulnerabilities in Social Networking Sites, 463–468.
Jessica Silver-Greenberg (NewYork Times). (2014). JPMorgan Chase Hacking Affects 76
Million Households - The New York Times. Retrieved February 3, 2016, from
http://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-
issues/?_php=true&_type=blogs&_r=1
Korongo, J. N., Samoei, D. K., & Gichoya, D. M. (2013). Cloud Computing : An Emerging
Trend for Small and Medium Enterprises. IST-Africa 2013 Conference Proceedings, 1–7.
Retrieved from
http://ieeexplore.ieee.org.elib.tcd.ie/stamp/stamp.jsp?tp=&arnumber=6701778
Král, D. (2011). Information Security in Small and Medium-Sized Companies. Economic
Studies & Analyses / Acta VSFS, 5(1), 61–74.
Krebsonsecurity.com. (2014). HomeDepot Credit Card Breach. Retrieved February 3, 2016,
from http://krebsonsecurity.com/2014/09/banks-credit-card-breach-at-home-depot/
Kumparak, G. (2015). Slack Got Hacked. Retrieved February 3, 2016, from
http://techcrunch.com/2015/03/27/slack-got-hacked/#.yzw5cyq:VkGB
Laleh, E., Masoudi, Y., Fathy, F., & Ghorbani, S. (2013). Influencing Factors of Information
Security Management in Small- and Medium-Sized Enterprises and Organizations. 2013
International Conference on Communication Systems and Network Technologies, 445–449.
58
http://doi.org/10.1109/CSNT.2013.99
Louise, C. (2015). Roundup Of Small & Medium Business Cloud Computing Forecasts And
Market Estimates, 2015 - Forbes#7403ffce1646#7403ffce1646. Retrieved May 27, 2016,
from http://www.forbes.com/sites/louiscolumbus/2015/05/04/roundup-of-small-medium-
business-cloud-computing-forecasts-and-market-estimates-2015/#7403ffce1646
Marpaung, J. a P., Sain, M., & Lee, H.-J. (2012). Survey on Malware Evasion Techniques: State
of the Art and Challenges. 14th International Conference on Advanced Communication
Technology (ICACT), (Mic), 744–749.
McCrank, J. (2013). Nasdaq forum website hacked, passwords compromised | Reuters.
Retrieved February 4, 2016, from http://www.reuters.com/article/net-us-nasdaq-
cybercrime-website-idUSBRE96H1F520130718
Mohammad, S., & Pourdavar, S. (2010). Penetration test: A case study on remote command
execution security hole. 2010 5th International Conference on Digital Information
Management, ICDIM 2010, 412–416. http://doi.org/10.1109/ICDIM.2010.5664671
Mouton, F., Malan, M. M., Leenen, L., & Venter, H. S. (2014). Social engineering attack
framework. 2014 Information Security for South Africa - Proceedings of the ISSA 2014
Conference. http://doi.org/10.1109/ISSA.2014.6950510
Moyo, M., Abdullah, H., & Nienaber, R. C. (2013). Information security risk management in
small-scale organisations: A case study of secondary schools computerised information
systems. 2013 Information Security for South Africa, (February), 1–6.
http://doi.org/10.1109/ISSA.2013.6641062
NAIT. (2016). NAIT Security Courses. Retrieved May 15, 2016, from
http://www.nait.ca/program_home_81889.htm
Onguardonline. (2016). Featured: Info for Small Business | OnGuard Online. Retrieved May 15,
2016, from https://www.onguardonline.gov/features/feature-0007-featured-info-small-
business
59
Onwubiko, C., & Lenaghan, A. P. (2007). Managing Security Threats and Vulnerabilities for
Small to Medium Enterprises. 2007 IEEE Intelligence and Security Informatics, 244–249.
http://doi.org/10.1109/ISI.2007.379479
Pagliery, J. (CNN). (2014). Hospital network hacked, 4.5 million records stolen. Retrieved
February 4, 2016, from http://money.cnn.com/2014/08/18/technology/security/hospital-chs-
hack/
Pandurangan, V. (2014). NYC Taxis Hack. Retrieved February 4, 2016, from
https://medium.com/@vijayp/of-taxis-and-rainbows-f6bc289679a1#.ixtywnnp9
Ragan, S. (2015). Hacking Team hacked, attackers claim 400GB in dumped data | CSO Online.
Retrieved February 4, 2016, from http://www.csoonline.com/article/2943968/data-
breach/hacking-team-hacked-attackers-claim-400gb-in-dumped-data.html
Reuters. (n.d.). Target Hacked exposes 40 Million customers. Retrieved February 4, 2016, from
http://articles.chicagotribune.com/2013-12-24/news/sns-rt-us-target-breach-
20131218_1_data-theft-card-data-earnings-forecast
Rogers, A. (2014). UPS: We’ve Been Hacked. Retrieved February 4, 2016, from
http://time.com/3151681/ups-hack/
Rouse, Margaret, Michael Cobb, B. C. (2015). What is Secure Sockets Layer (SSL)? -
Definition from WhatIs.com. Retrieved April 9, 2016, from
http://searchsecurity.techtarget.com/definition/Secure-Sockets-Layer-SSL
Sangani, N. K., Velmurugan, P., Vithani, T., & Madiajagan, M. (2012). Security & Privacy
Architecture as a service for Small and Medium Enterprises. Proceedings of 2012
International Conference on Cloud Computing Technologies, Applications and
Management, ICCCTAM 2012, 16–21. http://doi.org/10.1109/ICCCTAM.2012.6488064
SecureSenses. (2016). Intelligence driven cyber security consulting. Retrieved May 27, 2016,
from https://www.securesenses.com/
Service Alberta, A. G. (2014). Alberta Small Business Stats 2014. Retrieved from
60
http://albertacanada.com/business/statistics/small-business-highlights.aspx
Sharma, C., & Jain, S. C. (2015). Analysis and classification of SQL injection vulnerabilities
and attacks on web applications. 2014 International Conference on Advances in
Engineering and Technology Research, ICAETR 2014.
http://doi.org/10.1109/ICAETR.2014.7012815
Siddiqui, A. T., & Singh, A. K. (2012). Secure E-business transactions by securing web services.
Proceedings - 2012 International Conference on Management of E-Commerce and E-
Government, ICMeCG 2012, 79–84. http://doi.org/10.1109/ICMeCG.2012.11
Stellar Solutions. (2016). Cybersecurity Consulting Services - Stellar Solutions. Retrieved May
27, 2016, from http://www.stellarsolutions.ca/
The Open Web Application Security Project (OWASP). (2016). PHP Top 5 - OWASP.
Retrieved April 16, 2016, from https://www.owasp.org/index.php/PHP_Top_5
Today), B. A. (USA. (2013). LexisNexis, Dunn & Bradstreet, Altegrity hacked. Retrieved
February 4, 2016, from http://www.usatoday.com/story/cybertruth/2013/09/26/lexisnexis-
dunn--bradstreet-altegrity-hacked/2878769/
Tom Gara, C. W. (BuzzFeed). (2014). The Sony Pictures Data Hack. Retrieved February 3,
2016, from http://www.buzzfeed.com/tomgara/sony-hack#.bb78xnrJ1k
Twitch. (2015). Twitch. Retrieved February 3, 2016, from
http://blog.twitch.tv/2015/03/important-notice-about-your-twitch-account/
Uber. (2015). Uber Statement | Uber Global. Retrieved February 3, 2016, from
https://newsroom.uber.com/uber-statement/
University of Calgary. (2016). University of Calgary Continuing Education. Retrieved May 15,
2016, from
http://conted.ucalgary.ca/public/category/courseCategoryCertificateProfile.do?method=loa
d&certificateId=1706248
Varadharajan, V., & Tupakula, U. (2014). Security as a Service Model for Cloud Environment.
61
Network and Service Management, IEEE Transactions on, 11(1), 60–75.
http://doi.org/10.1109/TNSM.2014.041614.120394
Verge), C. W. (The. (2013). Adobe Hacked. Retrieved February 4, 2016, from
http://www.theverge.com/2013/11/7/5078560/over-150-million-breached-records-from-
adobe-hack-surface-online
Vijayan, J. (2015). Xen Patches “Worst”-Ever Virtual Machine Escape Vulnerability. Retrieved
May 27, 2016, from http://www.darkreading.com/endpoint/xen-patches-worst-ever-virtual-
machine-escape-vulnerability/d/d-id/1322925
Visaggio, C., & Blasio, L. C. (2010). Session management vulnerabilities in today’s web. IEEE
Security and Privacy, 8(5), 48–56. http://doi.org/10.1109/MSP.2010.114
Vivek Mehta, B. R. (2012). Security As A Service In Cloud(SECaaS). Retrieved May 27, 2016,
from http://www.slideshare.net/ahlamansari/security-as-a-service-in-cloudsecaas
Wazzan, M. A. (2015). Towards Improving Web Attack Detection : Highlighting the Significant
Factors.
Zeng, W., Yang, Y., & Luo, B. (2015). Content-Based Access Control: Use data content to assist
access control for large-scale content-centric databases. Proceedings - 2014 IEEE
International Conference on Big Data, IEEE Big Data 2014, 701–710.
http://doi.org/10.1109/BigData.2014.7004294
Zheng, Y., & Zhang, X. (2013). Path sensitive static analysis of web applications for remote
code execution vulnerability detection. Proceedings - International Conference on Software
Engineering, 652–661. http://doi.org/10.1109/ICSE.2013.6606611