
A SUMMER INTERNSHIP REPORT ON

CYBER SECURITY AT

CORIZO TRAINING AND INTERNSHIP

SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE
BACHELOR OF COMMERCE (B.COM)
OF
CHANDIGARH UNIVERSITY, GHARUAN, MOHALI

SUBMITTED TO:
Name: Prof. Swati Sharma
Designation: Assistant Professor, Chandigarh University
Location: Gharuan, Mohali

SUBMITTED BY:
Student name: RANJAY KUMAR
UID: 22BCM70108
BCOM Batch 22-25

CHANDIGARH UNIVERSITY

GHARUAN, MOHALI (PUNJAB)


CERTIFICATE FROM THE INSTITUTE GUIDE

This is to certify that the Final Project titled "Analysis of Cyber Security at Corizo" is academic work done by Ranjay Kumar (22BCM70108), submitted in partial fulfillment of the requirements for the award of the Degree of Bachelor of Commerce at University School of Business, Chandigarh University, Punjab, under my guidance and direction.

To the best of my knowledge and belief, the data and information presented by the student in the project have not been seen earlier.

Name of the Faculty: Ms. Swati Sharma

Designation: Assistant Professor


STUDENT DECLARATION

This is to certify that I have completed the Final Project titled "SUMMER INTERNSHIP" under the guidance of Mrs. Swati Sharma in partial fulfillment of the requirements for the award of the Degree of Bachelor of Commerce at University School of Business, Chandigarh University. This is an original piece of work and I have not submitted it earlier elsewhere.

DATE: 31st July, 2024
PLACE: Chandigarh University

SIGNATURE:
NAME: RANJAY KUMAR
UID: 22BCM70108
CERTIFICATE OF COMPLETION
ACKNOWLEDGEMENT

No work can be completed without others' help or contribution. The preparation and presentation of this humble work encompasses the immense and unlimited help and sound thoughts of innumerable people.

My special thanks to Mr. Hemant Ingle for providing me this opportunity to associate myself with them for my internship tenure. I would also like to express my sincere gratitude to them for the most valuable guidance and affable treatment given to me at every stage to boost my morale, and for helping me learn about ethical network security: its scope, types, usage, applicability, codes, programs, finding vulnerabilities in websites and anti-profiteering, which gave me various learning experiences.

I express my deep and sincere gratitude to my guide Mrs. Swati Sharma, Assistant Professor at University School of Business, Chandigarh University, for guidance, supervision, expert suggestions and encouragement throughout the whole journey of this internship.

Last but not least, my sincere gratitude to my family and friends who supported me morally during this internship.

RANJAY KUMAR

22BCM70108
TABLE OF CONTENTS

1. Executive Summary
2. Learning Outcomes
3. Introduction to Organization
4. List of Symbols
5. Analysis of Cyber Security
6. Incident Response, Service Description, Cyber Security Audit and Awareness
7. Security Architecture
8. Related Work
9. Cyber Security Audit Tool
10. Conclusion
11. Bibliography

EXECUTIVE SUMMARY

During my internship I gained knowledge about cyber security, which is considered an appropriate means of addressing cybercrime, cyber risk insurance, and awareness, so as to absorb the financial impact caused by computer security breaches. Since the first computer incident we have been debating in which way cyber security can be adapted to match the threats, vulnerabilities and losses that have an impact on our world. This report demonstrates the internship work from June until August; keep in mind that this is only a small, selected segment of what we tackled during the internship period.

We first provide a company overview, followed by the internship description and core objectives. We then state the author's contribution during the internship and to the report. Further, we discuss an overview of the delivered services and their input, for instance: the incident response and digital forensic service, along with the cases conveyed; the attendance at the NATO Advanced Research Workshop in Kiev, where a white paper regarding the cyber security audit service was presented; and, last but not least, the research contribution to develop a secure architecture for an end-to-end data-at-rest solution in the cloud for the CORIZO platform.

Moreover, we discuss the importance of cyber security, cyber insurance and cyber risk, coupled with the compliance approach to computer and information security. Finally, we conclude by drawing attention to risk transfer, or in other words the cyber insurance industry.

LEARNING OBJECTIVES:

1. Understanding Basic Concepts: Interns should gain a solid understanding of basic cybersecurity concepts, such as common types of threats (malware, phishing, ransomware, etc.), security principles (confidentiality, integrity, availability), and common security tools (firewalls, intrusion detection systems, etc.).

2. Hands-On Experience: Interns should have the opportunity to apply their knowledge in real-world scenarios. This could involve setting up and configuring security systems, conducting vulnerability assessments, or responding to security incidents.

3. Problem-Solving Skills: Interns should develop problem-solving skills, particularly in the context of identifying and resolving security issues. This could involve troubleshooting network issues, analysing malware, or developing security policies.

4. Risk Management: Interns should understand the principles of risk management, including identifying, assessing, and mitigating risks. This could involve conducting risk assessments, developing disaster recovery plans, or implementing security controls.

5. Ethical Hacking: Interns may be introduced to the concept of ethical hacking, which involves using hacking techniques to identify and resolve security vulnerabilities. This should always be done in a controlled and ethical manner, with appropriate permissions and safeguards in place.

6. Regulatory Compliance: Interns should understand the importance of compliance with laws and regulations related to information security. This could involve learning about data protection laws, industry standards, or best practices.

7. Communication Skills: Interns should develop their communication skills, particularly in relation to reporting security incidents, explaining technical concepts to non-technical stakeholders, and contributing to team discussions.

8. Professional Development: Interns should have opportunities for professional development.

INTRODUCTION TO ORGANIZATION
Corizo Learning Training and Internship

Corizo is an edtech platform that offers students comprehensive learning and training programs, as well as internship opportunities. Their focus lies in empowering tomorrow's leaders by providing expertise in data analysis, machine learning, and predictive modeling. Through their intensive programs, participants gain valuable knowledge and hands-on experience in various aspects of cybersecurity, including machine learning and vulnerability identification.

Corizo's training and internship programs are designed to enhance technical skills and provide practical insights into machine learning algorithms and applications. Participants have the opportunity to work on individual projects, allowing them to apply theoretical knowledge and develop problem-solving skills.

The platform's mission is to provide students with a rewarding learning experience, equipping them with the skills and expertise needed to succeed in their future endeavors. Corizo's guidance and expertise are highly valued by participants, who appreciate the knowledge gained and look forward to applying it in their future pursuits.

Key Takeaways

- Corizo offers learning and training programs in data analysis, machine learning, and predictive modeling
- Focus on cybersecurity, including machine learning and vulnerability identification
- Intensive programs provide hands-on experience and practical insights
- Participants work on individual projects, developing problem-solving skills and applying theoretical knowledge

List of Symbols

AES        Advanced Encryption Standard
API        Application Programming Interface
APT        Advanced Persistent Threat
ARQ        Automatic Repeat reQuest
ARW        Advanced Research Workshop
AWS        Amazon Web Services
BYOD       Bring Your Own Device
CI         Critical Infrastructure
CII        Critical Information Infrastructure
CIP        Critical Infrastructure Protection
Cloud HSM  Cloud Hardware Security Module
COBIT      Control Objectives for Information and related Technology
CSC        Critical Security Controls
CSET       Cyber Security Evaluation Tool
CSP        Cloud Service Provider
DH-EKE     Diffie-Hellman key exchange
DSS        Data Security Standard
ENISA      European Network and Information Security Agency

ANALYSIS OF CYBER SECURITY

Today cybercrime is a massive challenge for cyber security technologies. With this in mind, we should all be talking about how to achieve a holistic, globalized approach to cyber security, awareness and risk. Indeed, we need to be actively debating in which ways cyber security can be adapted to match the threats, vulnerabilities and the loss/impact that we face in our interconnected world.

With the above, the cyber security internship started at the beginning of June and ran until August. Since then, we have worked on different problematic aspects, such as: (i) engaging in business meeting discussions to establish the company vision, mission and goals with respect to the security laboratory and cyber security services, discussed in the next subsection; (ii) looking deeply at how we could ensure and provide security controls reflecting the asymmetrical character of cyber risk assessment, cyber insurance and international standards, build a risk assessment tool, and at the same time conduct cyber risk audits for customers; (iii) employing procedures for incident/attack response, where a sample and overview of incident response cases are disclosed; and (iv) providing control and transparency over how data is protected, and building a security architecture for trustworthy cloud service providers (CSP), presented later in this report. Moreover, we present a published white paper from the NATO ARW (Advanced Research Workshop) titled "Strengthening Cyber Defense for Critical Infrastructure", held in Kiev, Ukraine from 30 until 31 October 2014. In addition to the publication, the author also contributed to a panel discussion on the topic "Security standards in private companies".

Notably, the innovative objectives of the company are to provide services and to continue research and development. The main services are audit assessment and incident response support. Audit assessment comprises the cyber risk assessment tool and source code audit, whereas digital forensics, penetration testing and the emergency response team are part of incident response support. Among the services, the company objectives are also to continue to pour time into R&D, particularly in the prediction and/or forecasting of cyber risk, cyber insurance by exposure rating, event correlation methodologies and tools, as well as end-to-end cloud encryption for their platform.

In this report we would like to stress and present several of the above-mentioned cases that we handled during this period. We have attached an overview description of the Incident Response Reports produced by performing incident response, such as static analysis, log analysis, and so forth.

In addition to incident response, the author has highlighted the second most adequate service of the company: the Cyber Security Audit. Within this service we presented a white paper titled "Standards for Information Security are an inappropriate fashion to assess the risk in private companies and elsewhere". Specifically, this thesis was developed from the previously performed audits and their lessons learned, and at the same time forms the fundamental approach for future delivery of the service. Meanwhile, future action plans and outcomes have been noted.

Among the above services, the author also contributed to a security architecture research topic, providing zero-knowledge data at rest for the CORIZO SaaS platform. Such details are noted later in this report.

Internship Objectives

In the longer run, the main objectives and aim of this internship are to:

Step 1: Service Design. Study the current services and proposals of the company to establish new, strengthened services based on research on existing cyber policies. Furthermore, identify and draft processes for key services. The main outcomes and deliverables are: market analysis, a service delivery pack (e.g. slide decks, surveys, etc.) and so forth.

Step 2: Enabling and Delivering Services. Take part in service delivery, followed by identifying and, if required, building tools to support service activities. The outcome and deliverable for this step is hands-on and practical experience of cyber cases.

Step 3: Lessons Learnt, subjects for further investigation and/or research. Hence, identify operational issues and potential improvement areas for the services. In addition, make sure that repeatable services are delivered, based on previous outcomes, and lastly identify research areas of interest.

Contribution

At first, we identified the various activities and how they relate to each other: pre-sales, awareness training, pen-testing, forensics, incident response, identifying the competitors, market analysis and so on. Consequently, we established the CORIZO security laboratory services, mission and vision, as well as its objectives and prospective partners. Beyond the preliminary business development and establishment, the author also attended several business meetings during the internship and took actions on the development of services. Additionally, our work also focused on researching the targeted features and challenges of facilitating end-to-end encryption for the CORIZO SaaS platform. For this purpose we designed and implemented a security architecture solution for zero-knowledge data at rest, which provides data protection, password verification and an explanation of data recovery.

Main contributions of the internship are as follows:

1. We designed and identified the main objectives of the company services, by introducing contemporary service, research and development objectives as a consequence of market analysis and recognizing the competitors in the field of security, specifically cyber security. Thereby, we have determined the security laboratory's main services and its research and development plan.

2. During the six months, the author had the opportunity to attend several business meetings for existing or potential clients. Such clients were insurance companies with cyber insurance policies. Meanwhile, he was engaged in discussions to identify the challenges regarding cyber insurance, and prepared slide-show presentations with the main intention of demonstrating the company's technical skills, for example: the incident handling process, pen-testing, digital forensics, etc.

3. Establishment and structuring of procedures and processes for the services. The main intention was to build customer trust and, particularly, to be more efficient and beneficial to customer needs, and likewise to produce supporting templates for future service release and/or delivery.

4. Study of the currently available solutions with respect to cyber security, cyber insurance, risk assessment, data breaches, security in the cloud, and many others, and from there design and development of a cornerstone approach relying on research exposure and lessons learnt.

5. In the meantime, the author contributed to the technical delivery of services. For instance: incident response cases, advanced analysis of log files, dynamic and static analysis, remote support, and providing first response when a data breach is detected and/or reported, and so forth.

Lastly, a dedicated research task to design and build a security architecture for the CORIZO SaaS platform by carrying out an end-to-end data-at-rest, zero-knowledge encryption solution for a cloud-based client-side and server-side architecture.

Outline

The rest of this report is organized as follows. The next section covers the overview description of the Incident Response service, by delivering real-case scenarios which were handled during the internship period. We then first illustrate the cyber security audit services and present the published white paper for the NATO ARW in Kiev, and distribute the cyber security audit tool map in the Appendix. A further section includes the research solution, the contribution to design and implement a secure architecture for an end-to-end data-at-rest solution; subsequently we discuss the related work, method, implementation and discussion of the solution. Lastly, we conclude.

Incident Response

The following section presents a small overview portion of the reports, and distributes the incident response cases handled. First, we introduce the service description, with the handling processes and workflow, and then provide an overview description of the incidents (i.e. cases) that we tackled during the internship. However, due to confidentiality we do not disclose the clients' names. Nevertheless, for each case we provide what type of company it was, what the root causes of the incident and/or fraud were, the impact, an executive summary with the problems found, facts and figures, and lastly the conclusion for the incident and the lessons learnt that arose. In total we tackled three cases.
Service Description

When an incident occurs, the following handling process is taken into account:

- The incident is reported by the Insured to the Insurance, through the Data Breach Team.
- The Insurance Data Breach Team filters and selects a vendor and informs CORIZO/Consultant, the crisis management team, about the incident.
- The Crisis Management team's preliminary step is to identify whether this incident can be handled by the CORIZO IT Security team or not. In addition, GMC can, whenever necessary, trigger legal activities, such as evidence preservation and so on.
- The CORIZO emergency response team receives the incident and follows the process detailed by the Incident Response Handling Process, shown in Figure 2.2.
- After the initial preparation phase, the CORIZO response team builds an Incident Response Plan and communicates on a daily basis with the insured about activities and progress in regard to this plan.

In addition, an executive summary (named "Feedback") document is also communicated to the insurance. When the examination (i.e. via static or dynamic analysis) is completed, the CORIZO response team recommends remediation actions to the insured. Finally, the CORIZO response team publishes an Incident Report including investigation steps, remediation actions and an analysis of potential root causes. This report is distributed to both parties.

After a few days, CORIZO expects to receive from the Insured and/or Insurance an agreed acknowledgement that the incident has been remediated and that, consequently, the incident case can be closed.
Figure 2.1: Incident Handling Flow.

Figure 2.1 demonstrates the flow; it is the stepwise approach that GMC-Consultant (Crisis Management) together with CORIZO (Response Team) has developed for handling cases. Keep in mind that GMC Consultant could also provide a loss adjusting service to the insurance. Among all, the insurance data breach team is constantly informed and updated with the latest information regarding the incident. Moreover, the response time for any incident and the handling process is displayed in Figure 2.2.

Figure 2.2: Incident Response Handling Process.

Figure 2.2 illustrates that from day 0, when GMC-Consultant reports the incident to CORIZO, the CORIZO response team assists the insured's staff in order to attempt to remediate/reduce the incident remotely or internally, if possible.

For further analysis the CORIZO response team needs to get the data acquisition, either on site or remotely. When the image data acquisition is received in the CORIZO laboratory, the investigation starts by creating an Incident Response Plan (IRP).

This plan is sent on a daily basis and communicated to the customers (i.e. insured and insurance) for gathering further information and delivering the action plan.

The examination starts once the examiner team has enough information, by performing binary analysis and, depending on the incident/threat, static and/or dynamic reverse engineering analysis. By gathering all the artefacts and the footprint of the affected systems/devices, the team then creates a recommendation list of remediation actions that need to be taken by the customer to mitigate the impact. The examiner team only recommends an action plan; they do not implement it. Otherwise it would be an additional service, in this case IT Security Consulting.

When the threat is contained, CORIZO distributes a technical Final Report to the customer and to GMC Consultant, with the root cause and so on. Usually, depending on the incident and the location of the customer data, this entire process takes around 5 to 20 days.

In addition to the forensics and incident response services, the team also has well-qualified knowledge in delivering IT Security consulting services, for example: risk assessment, risk management, cyber security audit and others.

Case 1

Overview

The incident was detected on 02.06.2014 and consequently reported on 24.07.2014. The severity impact was high and the type of incident was malware (redirecting malicious code, or in other words conditional malware). Moreover, the incident affected two out of four servers of the insured, and the business impact was that more than 100 websites hosted on the two affected servers were not visible due to conditional malware redirecting the content to other sites by leveraging traffic for SEO purposes. Such conditional redirects typically key on the visitor's User-Agent or Referer (for example search engine crawlers, or visitors arriving from search results), which is why the site owner browsing the site directly may not observe them.

After the deliverable we set up a meeting to discuss reflections regarding what went wrong and the advantages. As a disadvantage we emphasize that the data acquisition process was too slow, and at the same time the insured's personnel were not technically knowledgeable enough to perform network traffic capture for advanced analysis. On the other hand, the advantages are that we established a procedure to deliver every day after 16:00 to the customer a report defined as the Incident Response and Action Plan (IRAP), and to perform remediation actions from the first day.

In short, the contribution of the author regarding this case was: (i) from the backups of the affected systems, identify the protection in place, such as which security services were enabled and disabled, on the Windows Web Server 2008 R2 operating system; (ii) identify which communication ports are open, and whether the network is potentially at risk; (iii) determine the shell scripts present and submit them to the VirusTotal database to identify them; (iv) identify the types of suspicious code, files and URLs and classify them as shell scripts, Trojan infection, file permission manipulation, malicious code and script, or redirect code, and establish the number of affected files; and lastly (v) from log analysis, we discovered brute force attacks and suspicious user account actions. Note that uploading a sample to VirusTotal shares it with the wider community, so looking up its hash first is preferable when the file may contain client data.

Burp Suite in Cybersecurity

Burp Suite is a proprietary software tool for security assessment and penetration testing of web applications. Developed by PortSwigger, it is a comprehensive platform that supports the entire testing process, from initial mapping and analysis to discovery and exploitation of security flaws.

Key Features
- Intercepting Proxy: Allows users to see and modify the contents of requests and responses while they are in transit, enabling thorough analysis and manipulation of web traffic.
- Scanner: Automates vulnerability scanning, identifying potential issues such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). The automated scanner is part of the Professional edition; the free Community edition provides the manual tools only.
- Intruder: Enables users to perform automated attacks, such as brute-force password guessing and parameter tampering, to test an application's defenses (rate-limited in the Community edition).
- Repeater: Allows users to manually send and modify individual requests, useful for testing specific scenarios or debugging issues.

Advantages
- Usability: Burp Suite is renowned for its user-friendly interface, making it accessible to both novice and experienced security professionals.
- Customizability: Users can tailor scans and attacks to their specific needs, allowing for targeted and efficient testing.
- Powerful: Burp Suite's extensive feature set and automation capabilities enable rapid and thorough testing, reducing the time and effort required to identify vulnerabilities.

Use Cases
- Web Application Security Testing: Burp Suite is ideal for testing web applications, including identifying vulnerabilities, testing authentication and authorization mechanisms, and simulating attacks.
- Penetration Testing: The tool is useful for red teaming exercises, allowing security teams to simulate real-world attacks and assess an organization's defenses.
- Vulnerability Remediation: Burp Suite's findings and recommendations can help developers and security teams prioritize and remediate vulnerabilities, improving overall application security.

Conclusion
Burp Suite is a powerful and versatile tool that plays a vital role in enhancing the security of web applications. Its comprehensive feature set, customizability, and usability make it an essential tool for cybersecurity professionals, from beginner to expert.
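Item (v) above rests on reading the event logs for repeated failed logons followed by account activity. The following Python script is an added example, not code from this report or from CORIZO: it walks a constructed export of Windows Security log records (the pipe-delimited layout is an assumption; the event IDs 4625, 4624, 4720 and 4732 are the real Windows IDs), flags any source address with five or more failed logons inside a ten-minute sliding window, and then chains a later successful logon from that address to account creation or local-group changes, which is the "suspicious user account action" pattern the case describes.

```python
"""Brute-force and suspicious account-action detection over exported Windows
Security log records. Added example; the export layout and sample data are
constructed, the event IDs are the real Windows Security event IDs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security log event IDs (real IDs).
FAILED_LOGON = 4625          # An account failed to log on
SUCCESS_LOGON = 4624         # An account was successfully logged on
ACCOUNT_CREATED = 4720       # A user account was created
ADDED_TO_LOCAL_GROUP = 4732  # A member was added to a security-enabled local group

# Constructed sample export (assumed layout):
# timestamp|event_id|subject_account|source_ip|logon_type|target_account
# Logon type 10 = RemoteInteractive (RDP), 3 = Network. For 4720/4732 the
# subject is the account that performed the action and target is the account
# created or added to the group; "-" means not applicable.
SAMPLE_EXPORT = """\
2014-06-01 02:00:03|4625|administrator|203.0.113.45|10|-
2014-06-01 02:00:09|4625|administrator|203.0.113.45|10|-
2014-06-01 02:00:14|4625|admin|203.0.113.45|10|-
2014-06-01 02:00:20|4625|administrator|203.0.113.45|10|-
2014-06-01 02:00:27|4625|root|203.0.113.45|10|-
2014-06-01 02:00:33|4625|administrator|203.0.113.45|10|-
2014-06-01 02:00:40|4625|administrator|203.0.113.45|10|-
2014-06-01 02:00:46|4624|administrator|203.0.113.45|10|-
2014-06-01 02:12:10|4720|administrator|203.0.113.45|10|svc_backup
2014-06-01 02:12:31|4732|administrator|203.0.113.45|10|svc_backup
2014-06-01 08:15:02|4625|jsmith|192.0.2.10|3|-
2014-06-01 08:15:40|4624|jsmith|192.0.2.10|3|-
"""


def parse_export(text):
    """Parse the pipe-delimited export into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, eid, subject, ip, ltype, target = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "id": int(eid),
            "subject": subject.lower(),
            "ip": ip,
            "logon_type": int(ltype),
            "target": target,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with at least `threshold` failed logons (4625) inside
    any sliding `window`; returns {ip: summary}."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == FAILED_LOGON:
            failures[e["ip"]].append(e)
    flagged = {}
    for ip, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {
                    "failures": len(evs),
                    "accounts": sorted({x["subject"] for x in evs}),
                    "first": evs[0]["time"],
                    "last": evs[-1]["time"],
                }
                break
    return flagged


def detect_suspicious_account_actions(events, flagged_ips, window=timedelta(hours=1)):
    """Chain a successful logon (4624) from a brute-forcing IP to account
    creation (4720) or local-group membership changes (4732) performed by
    that account within `window`. Returns (kind, ip, subject, target, time)."""
    findings = []
    compromised = {}  # subject account -> time of success from a flagged IP
    for e in events:
        if e["id"] == SUCCESS_LOGON and e["ip"] in flagged_ips:
            compromised[e["subject"]] = e["time"]
            findings.append(("logon_after_bruteforce", e["ip"], e["subject"], e["target"], e["time"]))
        elif e["id"] in (ACCOUNT_CREATED, ADDED_TO_LOCAL_GROUP):
            t = compromised.get(e["subject"])
            if t is not None and timedelta(0) <= e["time"] - t <= window:
                kind = "account_created" if e["id"] == ACCOUNT_CREATED else "added_to_local_group"
                findings.append((kind, e["ip"], e["subject"], e["target"], e["time"]))
    return findings


def run(text=SAMPLE_EXPORT, threshold=5):
    """Parse, flag brute-forcing IPs, then chain their successes to account actions."""
    events = parse_export(text)
    flagged = detect_bruteforce(events, threshold=threshold)
    findings = detect_suspicious_account_actions(events, set(flagged))
    return flagged, findings


if __name__ == "__main__":
    flagged, findings = run()
    for ip, s in flagged.items():
        print(f"brute force from {ip}: {s['failures']} failures against {s['accounts']} "
              f"between {s['first']} and {s['last']}")
    for kind, ip, subject, target, when in findings:
        print(f"{when} {kind}: {subject} from {ip} (target {target})")
```

On a real server the records would come from the Security log (for example exported from Event Viewer or `wevtutil`), with the source address taken from the IpAddress field of 4625/4624; the thresholds are starting points and should be tuned to the host's normal logon rate.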

In the following subsections we present the executive summary and the conclusion, while in Appendix 5.1 we provide additional details and illustrations regarding the case scenario, with the main purpose of depicting the incident response plan, the timeline and how the intruder took control through the vulnerabilities of the affected servers.

Executive Summary

This report provides incident response and remediation measures for the business impact of the incident on CLIENT 1. Two out of four systems were compromised with conditional malware redirecting CLIENT 1 websites to other URLs with the main purpose of leveraging the traffic for SEO purposes.

The findings are that there are a few shell scripts known to the security and anti-virus community on one hand, and on the other shell scripts unknown to it. Another important point is that even after the malicious code was removed from the affected systems, the attack reproduced itself; thus it is remotely controlled and creates and/or modifies files. Besides the above, the impact is on more than 150 websites that were affected by this incident on both affected web servers.

The report finds the redirected URLs and malware types, and determines the categories of malicious code. It also assumes that the attack originates from China. Additionally, it states the different types of attack methods reported by event log entries, and the major areas of weakness requiring further investigation and remedial action by an internal or external actor. The incident response recommendation is to first enable the security mechanisms in the operating system and then implement best security practice. Advanced recommendations emphasize auditing the web application code externally, and deploying advanced intrusion detection and prevention systems.
CONCLUSION

This attack uses multiple layers of obfuscation, evasion, misdirection and self-restoring malware, using any vulnerability present on the system to deliver custom malware payloads, unlike the initial vector malware, and is quick to deploy new exploits. As a result, in total we identified from the affected systems that more than 150 web sites were compromised.

These attacks currently have an impact only on two out of four systems. It seems that the exploitation is due to the vulnerabilities and disabled security services, such as Windows Update, audit policy, Security Account Manager, Windows Firewall and so on. A highly probable exploit path is also a web application weakness. In particular, the attacks redirect visiting users who meet conditional criteria to other URLs, leveraging search engine optimization ranking for the targeted sites. Some of the attacks are well known to the security community, while others are new and unknown, meaning not reported until now. Meanwhile, the initial emails that reported the attack to the CLIENT 1 site were identified as a phishing scam.

Even though CLIENT 1 removed the shell scripts and malicious code three times per day with a custom-developed removal tool, the attack returned due to a system security vulnerability, namely a remotely controlled back-door. The current security measures do not mitigate these methods; we identified that server X3 had limited security measures, while server X0 had less impact thanks to a few enabled security measures.

We believe that these attacks currently originate from China; however, there are many attacks whose origin is still unknown (source IP geolocation indicates the infrastructure used, not necessarily the actor behind it). Ultimately they generate revenue by boosting the SEO ranking of other sites, and in the same way they have a business impact on CLIENT 1's sites and business itself.

Dynamic analysis will reveal further information and may be able to identify who is behind these attacks. Nonetheless, this report lastly provides the suggested remediation actions, categorized as basic and advanced security actions.

Case 2

Overview

The following incident was detected on 03.11.2014 and reported on 13.11.2014. The severity of the incident was high, and the attack type was SQL injection. Initially, CLIENT 2 received an e-mail indicating the extraction of 27 customer records.

The incident was tackled alongside CLIENT 2 employees, who in particular took diagnostic actions by applying secure VPN access to the back-end site, blocking the web services used by the customer-developed mobile application (for iPad and iPhone), and performing advanced analysis in order to identify possible SQL and cross-site scripting (XSS) injection vulnerabilities. They also deleted more than 300 obsolete files and strengthened protection through the use of parametrized queries. On the CORIZO side, we analysed the GET and POST queries extracted from the log files, identifying the types of attacks performed by the intruder, the number of query sequences per attack, the country of origin, and the vulnerability scanning tools used for the attack. Technical details are presented in Appendix A.2.

In brief, the contribution of the author was: (i) log analysis, concentrated on the time span from 1st September until 7th November 2014; (ii) from rigorous script-based log analysis, determining the several types of SQL injection attacks, for instance: blind SQL injection, union queries, string concatenation and incorrect type handling; (iii) identifying the originating IP addresses, and consequently the timestamps for each attack; (iv) determining the applications used to conduct the attacks; and (v) lastly, the mobile application vulnerability and what kind of personal data was disclosed.
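Items (ii) to (iv) above, classifying the injection technique, attributing each sequence to a source address and timestamp, and spotting the scanning tool, can be scripted over the raw access log. The Python script below is an added example and not the report's or CORIZO's own tooling: the log lines, addresses and user agents are constructed (osCommerce-style product_info.php URLs, TEST-NET addresses), and the regular-expression mapping from payload shape to the four categories the text names (union queries, blind injection, string concatenation, incorrect type handling) is my own triage heuristic, not a specification. It decodes each query string twice so double-encoded payloads are still seen, and summarises per source IP.

```python
"""SQL injection triage over web server access logs. Added example; log lines,
IPs, user agents and the pattern-to-category mapping are constructed and are
not the report's own data or code."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Heuristic mapping from payload shape to the categories named in the text;
# the patterns are an assumption for triage, not a specification.
SQLI_PATTERNS = [
    ("union_query", re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b", re.I)),
    ("blind_boolean", re.compile(r"\b(and|or)\b\s+(\d+|'[^']*'|\"[^\"]*\")\s*=\s*(\d+|'[^']*'|\"[^\"]*\")", re.I)),
    ("blind_time_based", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("string_concatenation", re.compile(r"\bconcat(_ws)?\s*\(|\|\||\bchar\s*\(", re.I)),
    ("incorrect_type_handling", re.compile(r"\bconvert\s*\(\s*int\b|\bcast\s*\(.*\bas\s+(signed|int)\b", re.I)),
    ("syntax_probe", re.compile(r"['\"](\s*(--|#|/\*)|$)")),
]

# Vulnerability scanners that announce themselves in the User-Agent.
SCANNER_UA = [("sqlmap", re.compile(r"sqlmap", re.I)), ("havij", re.compile(r"havij", re.I)),
              ("acunetix", re.compile(r"acunetix", re.I)), ("nikto", re.compile(r"nikto", re.I))]

# Constructed sample log (osCommerce-style URLs, TEST-NET addresses).
SAMPLE_LOG = """\
203.0.113.77 - - [05/Nov/2014:10:12:01 +0100] "GET /product_info.php?products_id=31' HTTP/1.1" 500 512 "-" "Mozilla/5.0"
203.0.113.77 - - [05/Nov/2014:10:12:04 +0100] "GET /product_info.php?products_id=31%27%20AND%201%3D1--%20 HTTP/1.1" 200 8213 "-" "Mozilla/5.0"
203.0.113.77 - - [05/Nov/2014:10:12:06 +0100] "GET /product_info.php?products_id=31%27%20AND%201%3D2--%20 HTTP/1.1" 200 1431 "-" "Mozilla/5.0"
203.0.113.77 - - [05/Nov/2014:10:13:10 +0100] "GET /product_info.php?products_id=-31%27%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%28customers_email_address%2C0x3a%2Ccustomers_password%29%2CNULL%20FROM%20customers--%20 HTTP/1.1" 200 9120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.77 - - [05/Nov/2014:10:13:12 +0100] "GET /product_info.php?products_id=31%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 8213 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
198.51.100.9 - - [05/Nov/2014:11:02:33 +0100] "GET /product_info.php?products_id=31%20AND%201%3DCONVERT%28int%2C%40%40version%29 HTTP/1.1" 500 512 "-" "Havij"
192.0.2.25 - - [05/Nov/2014:11:05:00 +0100] "GET /product_info.php?products_id=31&language=en HTTP/1.1" 200 8213 "http://www.example.com/" "Mozilla/5.0"
192.0.2.25 - - [05/Nov/2014:11:05:07 +0100] "POST /login.php?action=process HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def classify(query):
    """Return (sorted categories, sorted parameter names whose value matched).
    Decodes twice so double-encoded payloads (%2527) are still seen."""
    whole = unquote_plus(unquote_plus(query))
    cats = sorted(label for label, pat in SQLI_PATTERNS if pat.search(whole))
    params = set()
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = unquote_plus(value)  # parse_qsl decoded once already
        if any(pat.search(value) for _, pat in SQLI_PATTERNS):
            params.add(name)
    return cats, sorted(params)


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["query"] = urlsplit(rec["path"]).query
    return rec


def analyse(log_text):
    """Per-IP attack summary: request counts, categories, targeted parameters,
    scanner tools and first/last timestamps. Only IPs with at least one
    suspicious request are returned. POST bodies are not in access logs, so
    only the request line (path and query string) can be examined here."""
    per_ip = defaultdict(lambda: {"requests": 0, "suspicious": 0, "categories": set(),
                                  "params": set(), "tools": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        cats, params = classify(rec["query"])
        if not cats:
            continue
        s["suspicious"] += 1
        s["categories"].update(cats)
        s["params"].update(params)
        s["tools"].update(tool for tool, pat in SCANNER_UA if pat.search(rec["ua"]))
        s["first"] = rec["time"] if s["first"] is None else min(s["first"], rec["time"])
        s["last"] = rec["time"] if s["last"] is None else max(s["last"], rec["time"])
    return {ip: {**s, "categories": sorted(s["categories"]), "params": sorted(s["params"]),
                 "tools": sorted(s["tools"])}
            for ip, s in per_ip.items() if s["suspicious"]}


if __name__ == "__main__":
    for ip, s in analyse(SAMPLE_LOG).items():
        print(f"{ip}: {s['suspicious']}/{s['requests']} suspicious, {s['categories']}, "
              f"params {s['params']}, tools {s['tools'] or ['none announced']}, "
              f"{s['first']} .. {s['last']}")
```

Standard combined-format access logs carry only the request line, so POST bodies never appear in them; examining POST queries, as the report describes, needs application-level or reverse-proxy logging. Boolean pairs such as AND 1=1 / AND 1=2 returning different response sizes (8213 versus 1431 in the sample) are the classic signature of blind injection probing, and a scanner that does not announce itself in the User-Agent is still visible through the request rate and the payload sequence.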

Executive Summary

CLIENT 2 manages a website dedicated to equipment and home decoration, launched in 2005 (Figure 2.3), currently having more than one million clients.

Figure 2.3: Dxxxxx.fr website screen-shot.

Like any e-commerce site, the platform provides client access that tracks orders, shipments, product comments, etc., shown in Figure 2.4. The platform's website also offers a back-end office platform for Customer Service. The site is built on an open source platform, but according to our interlocutor has been significantly modified to meet the company's needs. The company that developed the site claimed compliance with the PCI standard, and underlined that the database does not contain any information about the payment details of customers. Note that PCI DSS scope is cardholder data, so such a claim says nothing about the protection of the customer records targeted in this incident.

We investigated and found that the intruder performed the following SQL injection techniques: blind, union queries, string concatenation and incorrect type handling, and at the same time we disclosed the vulnerability scanning tools used for the attack.

Figure 2.4: Dxxxxxx.fr tracking order form - screen-shot.

Conclusion

The intruder used a vulnerability of the open-source e-commerce application osCommerce. Nevertheless, the attempt was largely unsuccessful due to the technology implementation, and the impact was limited to the recovery of a small number of records from the database. Although the intruder claimed that the customer data was extracted from the database, after analysis we identified that the exposed information did not match the database itself.

This incident was quickly corrected by CLIENT 2, while CORIZO distributed the results of the technical analysis; technical details are presented in Appendix A.2.

Case 3

Overview

The incident occurred on 04.09.2014 around 13:00, and the main event was water leaking in the data center on one of the insured clusters. The direct impact was a faulty power fan, which was remediated immediately by the data center, and the resulting impact was that two nodes were shut down. The case was transferred from the GMC crisis management team to provide technical analysis of the log files: identifying the alert messages, determining the shutdown time line, the affected nodes and other hardware failures. In Appendix section A.3 we present the log analysis time line of the incident occurrence and the identified failure influence, for the dates 04.09.2014 and 05.09.2014.

In short, the contribution of the author was: (i) from the log files, identifying when the hardware failure first occurred and determining which hardware devices were affected; (ii) establishing and presenting the time line for the several hardware failures.

Executive Summary

The water leakage caused damage to the cluster, particularly to nodes 5 and 7. At the same time, a problem with NVRAM damage arose as well. The damaged parts were replaced by the support team, and the backup was then restored; however, the backup had not been done correctly, therefore the impact on the insured was high, and the loss was enormous.

CORIZO has performed a technical analysis of the log files. An illustration of the incident occurrence time line, the affected nodes and the hardware damage is given in Figure A.3. In detail, the analysis identifies the following findings by each node, and the NVRAM error, for the date 04.09.2014:

• Node 5: battery light failed messages were recorded on 04/09/2014 from 13:00:05+2 until 13:30:12+2. Additionally, ATTENTION and error messages regarding power failure were logged starting from 13:28:10 until 13:30:25.

• Node 7: there are failure messages, for instance watchdog failed on CPU 0 until 7, and others, starting from 13:04:45 until 13:10:43+2, and power button pressed at 13:10:39.

• Node 22: a reboot message was recorded at 13:33:32.

• NVRAM error occurred between 13:33:00 and 15:43:24.
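The per-node time line above (first and last failure message per node, which devices were hit, in what order) is the kind of result a small log-reduction script produces. The following is an added example, not code from the report or from Appendix A.3. It parses constructed syslog-style lines; the host names, message wordings, the year (syslog lines carry none) and the fixed UTC+2 offset standing in for the report's "+2" suffix are all assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

TZ = timezone(timedelta(hours=2))  # assumption: the "+2" suffix in the report
YEAR = 2014                         # assumption: syslog lines carry no year

# Constructed syslog-style lines (not taken from the report's Appendix A.3).
SAMPLE_LOG = """\
Sep  4 13:00:05 node5 hwmon: battery light failed
Sep  4 13:04:45 node7 kernel: watchdog failed on CPU 0
Sep  4 13:05:10 node7 kernel: watchdog failed on CPU 3
Sep  4 13:10:39 node7 acpid: power button pressed
Sep  4 13:10:43 node7 kernel: watchdog failed on CPU 7
Sep  4 13:28:10 node5 hwmon: ATTENTION: power failure on PSU 1
Sep  4 13:30:12 node5 hwmon: battery light failed
Sep  4 13:30:25 node5 hwmon: error: power failure on PSU 1
Sep  4 13:33:00 node22 kernel: NVRAM error: checksum mismatch
Sep  4 13:33:32 node22 init: reboot requested
Sep  4 14:00:00 node9 cron: nightly backup completed
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)

# Message classes that count as hardware failure evidence. The watchdog pattern
# captures the CPU number so affected CPUs can be listed per node.
FAILURE_PATTERNS = [
    ("battery", re.compile(r"battery light failed", re.I)),
    ("watchdog", re.compile(r"watchdog failed on CPU (\d+)", re.I)),
    ("power", re.compile(r"power failure", re.I)),
    ("power button", re.compile(r"power button pressed", re.I)),
    ("nvram", re.compile(r"NVRAM error", re.I)),
    ("reboot", re.compile(r"\breboot\b", re.I)),
]


def parse_events(log_text, year=YEAR):
    """Keep only failure-related lines, as dicts sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{m.group('mon')} {m.group('day')} {year} {m.group('time')}",
            "%b %d %Y %H:%M:%S",
        ).replace(tzinfo=TZ)
        for category, rx in FAILURE_PATTERNS:
            fm = rx.search(m.group("msg"))
            if fm:
                events.append({
                    "ts": ts, "host": m.group("host"), "category": category,
                    "msg": m.group("msg"),
                    "cpu": int(fm.group(1)) if fm.groups() else None,
                })
                break
    return sorted(events, key=lambda e: e["ts"])


def build_timeline(events):
    """Per host: first and last failure time, failure classes and CPUs seen."""
    timeline = {}
    for e in events:
        entry = timeline.setdefault(e["host"], {
            "first": e["ts"], "last": e["ts"], "categories": set(), "cpus": set(),
        })
        entry["first"] = min(entry["first"], e["ts"])
        entry["last"] = max(entry["last"], e["ts"])
        entry["categories"].add(e["category"])
        if e["cpu"] is not None:
            entry["cpus"].add(e["cpu"])
    return timeline


def first_failure(events):
    """(host, timestamp) of the earliest failure message, or None."""
    return (events[0]["host"], events[0]["ts"]) if events else None


def hosts_in_order(timeline):
    """Hosts ordered by when their first failure appeared."""
    return sorted(timeline, key=lambda h: timeline[h]["first"])


if __name__ == "__main__":
    tl = build_timeline(parse_events(SAMPLE_LOG))
    for host in hosts_in_order(tl):
        info = tl[host]
        print(host, info["first"].strftime("%H:%M:%S"), info["last"].strftime("%H:%M:%S"),
              sorted(info["categories"]), sorted(info["cpus"]))
```

Sorting the events before grouping is what makes the "which failed first" question answerable across nodes whose logs were collected separately; on a multi-day incident such as this one, the year and the time zone must be fixed explicitly, as done here, or the ordering across midnight silently breaks.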


Conclusion

The incident was caused by water leakage in one of the insured clusters. The impact affected two nodes, 5 and 7, and other hardware devices. The damaged hardware was replaced by the support team the same day; however, the impact to the customer was that the available backup was not in a proper state and it was not able

Cyber Security Audit and Awareness

The present chapter lays out the approach developed from common methods and the lessons learned in the cyber security audits provided. In the following section we devote time to a state-of-the-art review of well-known cyber security standards and frameworks, followed by the tool / application we developed for future audit services, and finally the limitations and improvements discovered in the latest cyber security framework developed by NIST, presented and published in the context of the attached white paper.

In a nutshell, we introduce the problem statement and well-known security standards and frameworks. We then note what we are aiming to achieve and emphasize our solution. In the end we conclude. Aside from the white paper, in the Appendix we illustrate the map of main functions and categories that are included in our cyber security audit tool.

The white paper presented in Kiev, Ukraine is titled: Standards for Information Security are inappropriate fashion to assess the risk in private companies and elsewhere.

Abstract - Today organizations are using standards and frameworks to secure their assets. Standards are accepted as best practices, whereas frameworks are practices that are generally employed. When it comes to measuring the risk exposure in an organization, standards and frameworks are an inappropriate and not sufficient way. Simultaneously, if your organization is in compliance with some security standard, is that evidence that such an organization is qualified for today's cyber space? With this in mind we tried to tackle the problem of discovering a fundamental solution by constructing inquiries based on several existing standards and frameworks, and by developing tools to identify the interaction together with the assets and the questions. At the end we present a clear image of what cyber risk is and how to reduce its exposure.

Introduction

Due to the ongoing conflict with pro-Russian militants in eastern Ukraine, the country has been confronted with a massive number of cyber-attacks. For illustration, in the beginning of August 2014, the Financial Times1 and the security firm Symantec reported that dozens of computers in the Ukrainian prime minister's office, and at least 10 of Ukraine's embassies abroad, had been infected with a virulent cyber espionage weapon and cyber-attack linked to Russia; later on, in the middle of September, the South-east European Times in Kiev2 reported that, due to such events, the authorities in Kiev are working on a law on a cyber security strategy, pursuing to enhance the protection of critical infrastructure. Thereupon, since the beginning of the conflict, specialists said it was influenced by one of the most powerful cyber-attacks of the past few years.

Back in the early 80's, hacking was only considered as a simple attempt to gain access to a government's or enterprise's network, with the preliminary image of the hacker typified by teenagers seeking more knowledge than financial gain [11]. After a while, when cyberspace presented the opportunities of the World Wide Web, the threat landscape changed drastically: not only because of worms, viruses and so on, but also because of vulnerabilities, socio-technical aspects, social engineering and exploits, too. Consequently, the financial, reputational and commercial risks that go with a cyberspace presence are real and evolving every day.
Background

Before we go to the list of standards and frameworks, first and foremost we need to discuss their differences. In a nutshell, the difference between standards and frameworks is that standards are accepted as best practices, while frameworks are practices that are generally employed. Additionally, standards are specific, while frameworks are general. For example, [6] defines a framework as a guide providing a direct correlation to the level of maturity of information and cyber security, while a standard is what organizations choose when they need some standard method for program base-lining and international/global acceptance. A standard is used within the context of information security policies, by completing an internationally recognized certification, while a framework is shared community best practice gained through experience and implemented in the organization without getting any acknowledgement. For illustration, standards are such as the ISO/IEC 27000 series, ANSI/ISA-62443, NIST-FIS, the Standard of Good Practice from ISF, NERC1300 and RFC2196; and frameworks are: the Cybersecurity Framework, Critical Security Controls (CSC), COBIT, and many others.

Anyhow, each of the above standards and frameworks is presented with brief background information below. The approach we present is top-down: from the most efficient and beneficial standards/frameworks to the less efficient. We presume that such a display of standards and frameworks will bring value to the reader, because the top standards are usually combined from previous exercises and lessons learned (best practices). The standards and frameworks are:

Cybersecurity Framework [47]. It is the core, latest (introduced in February 2014) and most suitable framework at the moment. The format of the framework core presents a listing of functions, categories, subcategories and informative references that describe specific cyber security activities that are common across all CII/CI sectors. However, the drawback is that it does not suggest a specific implementation order or imply a degree of importance of categories, subcategories and informative references. In addition, it does not deal with socio-technical aspects (i.e. taking into account that humans are the weakest link in security [63]), yet undoubtedly it is the top-drawer standard for private and other organizations nowadays.

Critical Security Controls (CSC). It reflects the combined knowledge of actual attacks and effective defences of experts. They are created by the Council on CyberSecurity, established in 2013 as an independent, expert, not-for-profit organization with a global scope committed to the security of an open Internet. In particular we concentrate our interest only on the "quick wins" categories from the total of 20 controls. The quick wins categories have the most immediate impact on preventing attacks for an organization structure. Specifically for the clients, some of the controls were not necessary to be used; instead, in other organizations a particular control matters, for instance a developing company will need to pin-point the importance of controls (such as 9, 20, and others). On one hand, they provide a ground-floor, sustainable and efficient way of securing your company. However, they are not easy to implement because their focus is against the latest Advanced Targeted Threats, with a strong emphasis on "What Works": security controls where products, processes, architectures and services are in use that have demonstrated real-world effectiveness. For this reason we support the idea that the CSCs are continuing to improve. Hopefully in the near future we will see platforms and tools to keep pace with the need for improved visibility, compliance and risk posture.

ISO/IEC 27000 series [2]. The International Organization for Standardization, known as ISO (latest update 2013), is an international standard-setting body composed of representatives from various national standards organizations. Founded in February 1947, it promulgates world-wide proprietary industrial and commercial standards [65]. The ISO/IEC 27000 series (also known as the `ISMS Family of Standards' or `ISO27k' for short) comprises information security standards (ISS) published jointly by ISO and the International Electrotechnical Commission (IEC). The series provides recommendations on information security management, risk handling and controls implementation within the context of an overall Information Security Management System (ISMS). However, we will discuss only the ISO/IEC 27001 standard, which is required for an organization's ISMS to achieve certification. It is composed of seven key elements: establish, implement, operate, monitor, review, maintain and improve the system. It is also intended to be used along with ISO/IEC 27002, the Code of Practice for Information Security Management, which lists security control objectives and recommendations of specific security controls. Despite the fact that this certificate is mandatory in some countries, it lacks the future of new technologies, such as portable devices and bring your own device (BYOD) in the organization, and it uses only one selected decision-making process, PDCA (plan-do-check-act), as its main approach.

COBIT. The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI), with the preliminary mission to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors. It helps managers, auditors and other users to understand their IT systems and decide the level of security and control that is necessary to protect their companies' assets through the development of an IT governance model [65]. In addition, COBIT components include: framework, process descriptions, control objectives, management guidelines and maturity models. Although it is very well structured and combines a wide range of components, as a disadvantage we have to keep in mind that its main milestone is to offer supporting tool-sets that allow managers to fill the gap between control requirements, business risk and technical issues.

ANSI/ISA 62443 (formerly ISA-99) [19, 20] is a set of standards, technical reports, and related information that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS). The guide is applicable to end-users (i.e. asset owners), system integrators, security practitioners, and control systems manufacturers in charge of manufacturing, designing, implementing, or managing industrial automation and control systems. Its main strengths are that it is easy to understand and use, and designed around small organizations.

NIST FIS [46]. The Guide for Assessing the Security Controls in Federal Information Systems addresses the 194 security controls that are applied to a system to make it "more secure". Specifically, this standard was written for those people in the federal government responsible for handling sensitive systems. However, it is a document which emphasizes the importance of self-assessments as well as risk assessments. Notably, it could be implemented not only in government organizations, but also in individual organizations requiring and desiring more security.

Standard of Good Practice [22]. Originally, the Standard of Good Practice, published in the 1990s by the Information Security Forum (ISF), was a private document available only to its members. Later on, ISF made the full document available for sale to the general public. It contains a comprehensive list of best practices for information security, and it stresses that it is important for those in charge of security management to understand and adhere to NERC CIP compliance requirements.

RFC2196 [23]. It is a Request For Comments (RFC) memorandum for developing security policies and procedures for information systems connected to the Internet. It provides a general and broad overview of information security, network security, incident response and security policies. In fact the handbook is very practical and focuses on day-to-day operations.

NERC 1300 [44]. Standard 1300, recognized as NERC 1300, or in other words called CIP-002-3 (Critical Infrastructure Protection), is used to secure bulk electric systems, for instance by providing network security administration while still supporting best-practice industry processes, within the main set for critical infrastructure protection.

OWASP TOP 10 [50]. It is an awareness document for web application security, rather than a standard or framework. It represents a broad consensus about what the most critical web application security flaws are. They emphasize that all companies should adopt this awareness document within their organization and start the process of ensuring that their web applications do not contain these flaws. It provides a list of the 10 most critical web application security risks, and for each risk it provides a description, examples of vulnerabilities and attacks, guidance on how to avoid it, and references to OWASP and other related resources. In our opinion, if your organization implements or designs a custom web application to meet your needs, then we urge you to adopt this awareness document.

Thoroughly, from the above we can arrange standards and frameworks within three main targeted groups' interests: private companies, government and/or federal, and industries within Critical Information Infrastructure (CII) / Critical Infrastructure (CI). The motivation for this arrangement is the fact that not every organization has critical information infrastructure assets or government/federal interests. Most government organizations have critical infrastructure, while some private or multi-stakeholder organizations could have it as well.

Aside from standards, we would like to emphasize the freely available tools. When we speak about tools, we mean tools which are either web-based applications or applications specifically designed for pursuing the implementation of a specific standard and/or framework.

Thus it is worth mentioning firstly the web-based tool available from the European Network and Information Security Agency (ENISA), presenting the Inventory of Risk Management / Risk Assessment methods and tools [18]. This RM/RA inventory covers different country-specific requirements, for instance: for France Ebios and Marion, for Germany IT-Grundschutz, for Spain MAGERIT, for Italy MIGRA, for The Netherlands the Dutch A&K Analysis, and many other country-required standards. Additionally, it offers 12 tools developed for different countries, with the methods as main source and guide for implementation. Besides methods and tools for risk management, it gives a comparison tool which could be used for comparing two individual risk management methods or tools.

Second, the Cyber Security Evaluation Tool (CSET) [31] is an application to assist organizations in protecting their key national cyber assets, built from the above-mentioned Cybersecurity Framework [47]. This tool provides users with a systematic and repeatable approach for assessing the security of their cyber systems and networks. It includes both high-level and detailed questions related to all industrial control and IT systems.

In spite of all, we emphasize that the country-specific requirement standards are formally based on acknowledgement of best practice, in other words lessons learned, and comply with the country's legislative requirements. For this reason, we could not discuss all of them.

3.1.3 What to achieve?

Security has many meanings, and it plays a vital role in an organization. For each industrial classification, adherent security measures should be agreed upon; the same holds for security standards, with objectives and controls per industry/business classification. Other important roles in security are: Risk Assessment, as a common part of Risk Management, and Risk Audit, which minimizes risk to an acceptable level. Apparently, cyber threats continue to evolve, representing a real risk to business. Consequently, cyber risks are becoming real and mount from a range of sources, such as: Advanced Persistent Threats (APTs), cyber-criminals, espionage, security and foreign intelligence, poor software development methods, malware, external actors, malicious insiders, social aspects, etc.

Without doubt, knowing the background information of the standards, we can state that standards are general advice, to the degree of: best-known practices, understanding the risk landscape and at the same time cyber threat profiling, compliance with regulatory requirements, and so on. Unfortunately, standards do not relate to the crucial issue of implementation. Also, they do not declare that security is too difficult or cumbersome, neither emphasizing the problem nor the difference between information security and cyber security. Recent updates of the standards raised the issue of involvement of all parties, and highlighted that cyber security is a business problem, not an IT problem, and that the development and adoption of new national cyber security strategies is an emerging trend characterized by its dynamism, which will emphasize better profiles and lead to greater assurance in security overall.

On the other hand, cyber security standards, or in other words frameworks, define a common vocabulary. Additionally, they define a common set of practices in order to address the implementation of security. However, originally they are not designed to clearly identify the problem and/or the weakness in an organization. Consequently, we could not define the matrix for assessing the risk, or, more importantly, measure the risk exposure in an organization.

Consequently, companies today are facing the issue of which standards or frameworks are more appropriate for their organization, as well as the question whether the organization can benefit only if those standards/frameworks are implemented properly. Therefore, we can point out that security in an organization is achieved when all parties are involved, as highlighted in the [65] paper: senior management, information security practitioners, IT professionals and users all play a role in securing the assets of an organization.

Lastly, socio-technical aspects have gained importance in recent years, and in fact standards and frameworks avoid this question. Such techniques are addressed in [40]: no matter how much we invest in and carry out security standards and implement security technologies, the weakest link in security in organizations will still be the human factor, and the only way to remedy the weakest link is to constantly support awareness raising and training for each

Ultimately we observed several times that they lack precision: the main purpose of standards is to acknowledge certification by increasing customers' confidence and the level of trust; breaking down trade barriers and competitive advantages for the industry; and lastly, creating a common language when talking about security. In addition, it costs a lot of investment for an organization, it might create a false sense of security, and it turns into a compliance culture.

Having in mind these problems, we can identify and address the risk exposure in an organization by using several existing standards and frameworks to perform a risk assessment or audit after cyber breaches or cyber incidents have occurred. In previous engagements we have realized that strict compliance to standards helps to identify and/or raise security weaknesses, by having accurate measures of risk exposure.

We then opted for selecting the best and most suitable standards and frameworks (several of them) for audit and risk assessment. Thereupon, the outcome can be combined to build our own model to fill the gaps of standards and frameworks, by finding the correlation between weaknesses and vulnerabilities, which could be effectively used for different industrial and business needs.

3.1.4 Solution

Related works and literature remain quite limited. Most of the research has engaged in proposing relationships and mappings between several standards and frameworks [35, 65, 34, 62]. Nonetheless, none of them addresses the problems of implementation, past experience, cost, socio-technical aspects, and so forth. In our case, however, we have tackled the problem through past experience gained from previously carried out audits and risk assessments. In fact, our method of understanding the risk exposure in an organization is to perform a risk assessment right after the occurrence of a cyber breach or cyber threat. In the meantime, we use several existing standards and frameworks to generate the questionnaires, with the aim of helping to identify weaknesses and vulnerabilities and to reduce the risk in a system; and lastly, to identify the correlation between the assets and the questions.

Moreover, our cornerstone approach and method seems to be well supported by diverse business industries: for instance, for private companies, government organizations or even organizations with a multi-stakeholder approach having critical infrastructure and critical information infrastructure. More importantly, from merging and mapping standards we use existing maturity models, or other sources, to assist in determining their desired levels. Such a mapping example is the SANS draft poster for Standard Mapping to the Critical Security Controls [60]. Our fundamental approach has more or less 300 questions and a characteristics process. Meanwhile, it provides clear guidelines and has built-in questions that are not just repeatable but also measurable. The essential process is: identifying, protecting, detecting, responding to and recovering from any cyber attack event in organizations. We have tried to engage with the problem of what is missing and what we have learned from past audits; consequently we apply them in the present audit, or in other words we build our own standard.

Additionally, we are handling the problem not only by conducting the questionnaires within the organization, but also by building a tool which will find the correlation between the assets and the questions. For illustration, if we identify a weak password on an organization asset while they have answered the question that a complex password policy is implemented, then we can identify a weakness (complex password not implemented and the organization is not aware of this issue), which will respectively be marked as high risk, because there will probably be other weaknesses and/or vulnerabilities too. Thus, we consider risk as a function of threats intersected with the likelihood of vulnerabilities, and the business impact if they materialize.
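The asset-versus-answer correlation and the risk function described in this paragraph can be made concrete with a small scoring routine. The following is an added example, not the audit tool the report describes: the questions, findings, likelihood and impact values are constructed, and the 1-5 scales, the likelihood x impact product and the rating thresholds are assumptions. The one rule taken from the text is that a control the organization claims to have, but which the auditor does not observe on the asset, is rated high regardless of the computed score.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One observation made on an audited asset (constructed for this example)."""
    asset: str
    control: str    # questionnaire control this observation tests
    in_place: bool  # whether the auditor found the control actually implemented


# Constructed questionnaire: control id -> (question text, organization's answer).
ANSWERS = {
    "password_complexity": ("Is a complex password policy enforced?", True),
    "patch_management": ("Are security patches applied within 30 days?", False),
    "mfa_admin": ("Is multi-factor authentication required for admin access?", True),
}

# Constructed observations; "crm-db" mirrors the weak-password case in the text.
FINDINGS = [
    Finding("crm-db", "password_complexity", in_place=False),
    Finding("web-front", "patch_management", in_place=False),
    Finding("bastion", "mfa_admin", in_place=True),
]

# Assumed 1-5 scales: threat likelihood per control, business impact per asset.
LIKELIHOOD = {"password_complexity": 4, "patch_management": 3, "mfa_admin": 4}
IMPACT = {"crm-db": 5, "web-front": 2, "bastion": 4}


def rate(score):
    """Map a likelihood x impact product (1..25) to a rating; thresholds are assumed."""
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def assess(answers, findings, likelihood, impact):
    """Correlate each finding with the questionnaire answer for its control."""
    results = []
    for f in findings:
        question, claimed = answers[f.control]
        score = likelihood[f.control] * impact[f.asset]
        if f.in_place:
            status, rating = "control confirmed", "none"
        elif claimed:
            # Answer contradicts observation: the organization is unaware of the
            # gap, which the report marks as high risk irrespective of the score.
            status, rating = "unaware weakness", "high"
        else:
            status, rating = "known weakness", rate(score)
        results.append({
            "asset": f.asset, "control": f.control, "question": question,
            "claimed": claimed, "observed": f.in_place, "score": score,
            "status": status, "rating": rating,
        })
    return results


def summary(results):
    """Count of weaknesses per rating, ignoring confirmed controls."""
    return Counter(r["rating"] for r in results if r["rating"] != "none")


if __name__ == "__main__":
    for r in assess(ANSWERS, FINDINGS, LIKELIHOOD, IMPACT):
        print(f'{r["asset"]:10} {r["control"]:20} {r["status"]:18} {r["rating"]}')
```

Keeping the claimed answer and the observation side by side in each result row is what lets the auditor report not just the weakness but the awareness gap, which is the distinction the paragraph draws between a known and an unknown weakness.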

In detail, the 300 questions are built on several existing standards and frameworks: for instance the ISO27k, COBIT and NIST-FIS standards, and also the Cybersecurity Framework and the "quick wins" categories from CSC, together with inquiries collected from the Cyber Security Evaluation Tool (CSET). In addition to the questions, we would like to accent the future work undertaken to design a tool which will discover the interrelationship between the assets and the inquiries. As a consequence, this will produce a comprehensive and cost-effective module for organizations, and at the same time an understanding of the correlation between weaknesses and vulnerabilities in the systems, with a tendency to business impact. Altogether, it will give a clear image of what organizational cyber risk is.
3.1.5 Conclusion

Companies are ultimately doomed if they have neither implemented nor planned for the near future any security standard or framework for their organization. And indeed, security plays an important role in protecting the assets of an organization. Bear in mind that there is no single formula that can guarantee 100% security. Therefore there is a need for a set of strategies and standards to help ensure an adequate level of security. Implementing the proper standard or framework for a particular industry application can reduce weaknesses, vulnerabilities and threats in the systems. However, the success of cyber security can only be achieved by full cooperation at all levels of an organization, together with considering the socio-technical and social engineering aspects and so on.

However, standards and frameworks for information security in an organization are quite difficult to implement. In addition, there is a vast amount of standards, frameworks, country requirements and tools, too. Therefore organizations, either private, government or with a multi-stakeholder structure, are facing the issue of choosing the right and ideal standard/framework to meet their needs. For this reason in this paper we have introduced the problem of standards and frameworks coupled with the limited tools and country-specific requirements, by drawing focus on the recommendation that standards and frameworks, used alone, are in fact an inappropriate way to assess the risk in private companies and elsewhere, and that the fundamental solution for achieving such a task is to reconstruct inquiries based on several existing standards and frameworks, and simultaneously to develop a tool to identify the interaction among the assets and the questions.

Our future work should concentrate on designing a comprehensive and cost-effective module for organizations by emphasizing the importance, and the understanding, of the correlation between weaknesses and vulnerabilities in the systems, and the likelihood of the impact. This will aim to provide a clear image of what an organization's cyber risk is and how to reduce its exposure.
Security Architecture

This chapter defines the security architecture implementation by overseeing the end-to-end solution for data at REST, mainly designed for the CORIZO SaaS platform. For this reason we need to adopt appropriate measures to secure customers' data at REST. Data at REST is used as a complement to the terms data in use and data in motion, which together with data at REST define the three states of digital data [48].

Data in use is active data under constant change, stored physically in databases, data warehouses, spreadsheets, etc. Data in motion deals with data that is traversing a network or temporarily residing in computer memory to be read or uploaded. And finally, data at REST refers to inactive data stored physically in databases, data warehouses, spreadsheets, archives, tapes, off-site backups, etc. [48].

Anyway, the main aim of this study is to identify and validate a technical solution for enforcing, by design, a very high level of protection of customer data confidentiality, which will position the CORIZO platform as one of the few secure storages for business data and for collaboration.

In the following sections we introduce the problem statement and the challenges faced with zero-knowledge data at REST. We disclose the related work, followed by the cornerstone methodological approach and implementation designed, and then discuss the limitations and advantages of our security architecture design. Last but not least, we conclude.
Introduction

In October 2014 hackers claimed that they had stolen nearly seven million Dropbox 1 passwords [68]. This information was published on Pastebin 2 and through different websites. Additionally, Moertel back in December 2006 [43] posted a blog post saying that we should never store passwords in a database, but rather use different cryptographic solutions. Undoubtedly, most current web authentication solutions use a login form, which sends the username and password to the server as an HTTP request or sometimes as an HTTPS request. Thereby in most cases the password is sent in plain text or sometimes through an SSL connection. On the server, the password is then hashed and compared to a stored hash. An advanced solution is also available, called salting, in which random bits are added to the end of the password before it is hashed, to prevent attacks through pre-computed hash tables [72]. However, there are several major attack vectors which are applicable to these current systems, a few of them noted in [57], such as: brute-force hash cracking, wire sniffing, servers storing passwords insecurely (in particular, in plain text or hashed without salting), the server itself behaving maliciously or being vulnerable (Heartbleed bug3), and so on. Apart from authentication, another challenge is storing data in the cloud and providing collaboration.

Cloud storage has drawn the attention of many users lately, as reported by TechCrunch at
the beginning of April 2014, who upload and share their personal photographs, documents,
and so on, all of which are accessible by the service providers. Consequently, possible
privacy concerns are not taken into account, due to a lack of awareness. Most people are
likewise unaware of the infrastructure and the underlying technology of the Cloud Service
Provider (CSP). Moreover, throughout the latter half of 2013 the NSA's PRISM surveillance
program was disclosed; it caught attention and indeed increased concern for user privacy.
Evidently, user data is being leaked from many large corporations (examples shown in
[21, 36]). Despite the lack of privacy awareness among the general public, we believe that
effective end-to-end encryption solutions for cloud services are a demand of the time [38].

define the term zero-knowledge proof. The zero-knowledge proof was formalized by [58] and
is described as a challenge-response authentication protocol in which parties are required
to prove the correctness of their secrets without revealing these secrets [28]. This
challenge applies to both segments, i.e. to authentication and to data storage solutions.
Additionally, in a cloud ecosystem facilitating end-to-end, or in other words
zero-knowledge, encryption, the main challenge is to manage keys among the devices of the
same user and between different users [38]. We have seen in recent years that several
encrypted cloud storage services (e.g., Mega, Viivo, Wuala, SpiderOak and Boxcryptor [10])
have been launched. In view of this, the main approaches are [38]:

1. Encryption with public key, with or without several popular features like syncing and
sharing (e.g., Syme, a Google Chrome extension [26], Tresorit [69], etc.);

2. Encryption with a user-chosen password (e.g., Boxcryptor [10], Pandor [52], end-to-end
[27], Safebox [59], etc.); and

3. Relying on a third-party key server (e.g., CaaS [61], FriendlyMail [5], and others).

Related Work

Owing to surveillance and privacy issues for cloud services, end-to-end encryption
solutions for cloud services have been getting popular in recent years. In this section we
focus on the main approaches available to facilitate end-to-end encryption for cloud
services. Bear in mind that we could not cover all of them; we have concentrated only on
the related solutions. At the same time, we name several shortcomings in existing
approaches, both client-side and server-side, which are addressed in our solution, and we
provide a comparison table.

Pedersen and Dahl [53], also known as Crypton, discussed the challenges in designing an
encryption application intended to work on multiple devices, by providing high-level APIs
for user accounts, robust data storage, and sharing information between users. This
zero-knowledge application framework is implemented in an online file sharing and secure
cloud backup solution. The solution is built on the Node.js platform; Redis, an open
source advanced key-value cache and store; PostgreSQL, an advanced open source database;
and is distributed via Docker, an open platform for developers and sysadmins to build and
run distributed applications. User authentication is done through the Secure Remote
Password (SRP) protocol, and the front-end communication follows a client-server approach
with RESTful JSON over HTTPS. A major requirement is an asymmetric cryptosystem for
user-level key deployment, and storage encryption is accomplished with the symmetric
algorithm AES-256 in cipher feedback (CFB) mode, together with a hash-based message
authentication code (HMAC) and the cryptographic hash function SHA-256. SpiderOak is
therefore based on password-based encryption for both syncing and sharing, and the
encryption keys are protected by the user password. However, to facilitate sharing,
SpiderOak requires a user to create a share room, where each share room has a password
which is used to encrypt all data in that room. Consequently, all the members of a room
know the password for the room. However, Crypton and Crypton v1.0 in fact face some
weaknesses in the key schedule algorithm when using 256-bit user keys, as noted by
Yuechuan et al.

Similarly, a cryptographic tree structure has been designed which facilitates access
control in file systems operating on untrusted storage. It is designed for Wuala, another
encrypted cloud storage service, which derives the master key from the user-chosen
password. The master key encrypts the root directory, while the other encryption keys
reside in the parent directory, so that a user having the encryption key of a folder can
access all the files and sub-files inside the folder [38]. Wuala is implemented with a
hybrid P2P architecture, using an error-control method for data transmission based on
acknowledgements (ARQ). In addition, it requires user-level keys and encrypts the data
with symmetric algorithms such as AES-128 or AES-256. Another advanced feature of Wuala is
that when someone loses access to an item, that item needs to be encrypted with a new key
in order to prevent the former accessors from accessing the item in future. Therefore, it
uses lazy revocation, which allows this (expensive) re-encryption to be postponed until the
next update of the item. An engaging measurement study was conducted by Mager [] between
2010 and 2012, emphasizing the infrastructure, data placement, coding techniques and
transport protocol adopted by the service.
Another client-side storage encryption plugin solution is Boxcryptor [10], which works
with the major cloud storage providers (e.g., Dropbox, Google Drive, OneDrive, etc.) and
similarly protects private keys by a user-chosen password. Each file is encrypted by a
random key and each user has a public/private key pair. Random keys are encrypted by the
public key of each user who has access to that file and stored in the local cloud storage
directory. All public keys are in the clear and private keys are encrypted by the user
password; both keys are stored in the cloud storage server to facilitate sharing and
syncing. To share a file with other users, the file key is encrypted with the receiver's
public key and submitted to the cloud, so that the receiver can retrieve the file key by
decrypting it using her private key [25, 38]. Additionally, secure file encryption uses
the AES-256 standard.

Tresorit [69, 67] is another commercial secure cloud solution, implemented in C++, using
client-side encryption with the AES-256 standard and authorization using the asymmetric
key pair algorithm RSA-2048 applied on the hash function SHA-512. Transmission of data is
done through the TLS cryptographic protocol, and invitation and key agreement use the ICE
and TGDH protocols [37]. This cloud storage provider, as well as SpiderOak and Wuala, has
been examined for weaknesses associated with their sharing functions by means of reverse
engineering techniques, carried out by Wilson and Ateniese [70]. For each provider they
highlighted the disadvantages and proposed several alternative approaches to address the
weaknesses identified.

The last commercial client-side solution is provided by nCrypted Cloud, covered by a
patent [45], however with an approach that differs from those above. Firstly, data
protection is accomplished with the symmetric algorithm AES-256 by encrypting the files and
directories as an archive in ZIP file format with XML comments. Secondly, password
verification, or in other words user authorization, is via a key derivation function from
RSA Laboratories' PKCS series, PBKDF2. Thirdly, data recovery is provided by a generated
key pair (public/private keys), which is uploaded to the cloud protected with a personal
key (containing username and password).

nCrypted Cloud: https://www.encryptedcloud.com/. Last checked 15.12.2014.

Interestingly, apart from the commercial solutions, two students from Canada have been
tackling the issue of end-to-end cloud solutions for client-side purposes, and published
their results in master's thesis reports. Totolici [66] designed Crypstor, a storage
platform that addresses data security in the cloud computing context through the use of
encryption, while maintaining the desirable properties of efficient storage and sharing.
Majumdar [38] proposed Keyfob, a key management scheme for easy key transfer between
user-owned devices and between users. Crypstor merges a number of existing cryptographic
building blocks in order to achieve its intended security properties. For example, hashing
is done via SHA-384, and symmetric authenticated encryption is carried out using AES-256
in Galois/Counter Mode (GCM), Rijndael being the current algorithm of the standard [1, 15].
Symmetric signing is accomplished by HMACs, and the public key cryptosystem (PKCS) is
RSAES-OAEP [33]. Finally, key stretching is realized by applying scrypt [55, 54] to the
user's password. Keyfob, on the other hand, uses a high-entropy random key for encryption
instead of password-derived keys, and leverages Diffie-Hellman encrypted key exchange
(DH-EKE) with weak secrets for secure key transfer. Each user needs to manage one
user-master key, and all other keys are derived from that master key or from a pairwise
shared master key. It is implemented as a Firefox extension using the Firefox Sync service,
which implements an EKE [8] variant, and it can be used to support encryption on Dropbox
(desktop and Android) and Gmail (desktop).

Amazon Web Services (AWS) offers encryption of data at rest within three models [7, 12]:

• Model A, carried out as a client-side encryption solution, using customer-managed keys
(CMK) or a partner solution of key management infrastructure (KMI) for the CMK.

• Model B, accomplished with CMK using the dedicated CloudHSM (Hardware Security Module)
appliances within the AWS cloud, and

• Model C, server-side encryption using AWS KMS Managed Keys (SSE-KMS) [3], which provides
APIs embedded into the AWS platform, with integrations available in Java, Ruby, PHP, etc.

Knowing the available CSPs mentioned above, with their advantages and disadvantages, we
have prepared a comparison table (see Appendix section C.1) assessing the implementations,
encryption in transport and storage, requirements and the possible attacks, drawn from
related work [70, 64, 41, 9, 38].

Solutions

Here we present the solutions, separated into two implementation methods: client-side and
server-side encryption. Our solutions merge a number of existing cryptographic building
blocks in order to achieve their intended security properties. We describe these blocks
here, and how they are combined and used. Our system requires algorithms for hashing,
symmetric encryption, symmetric message signing, asymmetric cryptography (public/private
key pairs), and key stretching. In the end, we summarise the advantages and disadvantages
of each solution.

Client-side 1

The following solution can be implemented only for one owner and one recipient. Obviously,
in a similar fashion, if we want to share the file with more than one recipient, we need
to use asymmetric encryption to encrypt the randomly generated number with the public key
of each recipient and store the results in the cloud.

Hashing is done via bcrypt [56]; we selected this hash function because it had already
been implemented in the CORIZO platform. Symmetric authenticated encryption is carried out
using AES-256 and symmetric signing is accomplished by HMACs [29]. The public key
cryptosystem is RSAES-OAEP [39], and key stretching is realized by applying bcrypt to the
user's password.

All of the selected building blocks are used in a manner that allows for easy replacement
of any one of them, should attacks be discovered in the future. Nonetheless, the choice of
algorithms is not sufficient on its own to ensure either confidentiality or security; both
ultimately depend on the strength of the password defined by the user.

Here we depict the following scenarios; for each scenario a sequence diagram is provided
in Appendix section C.2.1.

New User

1. The user password is hashed with bcrypt.

2. Generate a public/private key pair for each user.

3. Encrypt the private key with symmetric (AES-256) encryption under the user password,
and store it along with the public key in the cloud. The public key remains unencrypted.

Encryption of file

1. Generate a random number (session key):

a) Encrypt it asymmetrically twice (RSAES-OAEP):

i. A. with the sender's public key, and

B. with the recipient's public key;

b) and store them in the cloud. If we have more than one recipient, then there will be
more than one encrypted session key.

2. Use symmetric (AES-256) encryption to encrypt the file, using the plain session key
(which is the randomly generated number) as the symmetric key. Then upload the file to the
cloud. Encryption could be done with the JavaScript library CryptoJS [32, Online:
https://code.google.com/p/crypto-js/].

Decryption of file for the recipient and/or sender

1. Decipher the private key with the user password.

2. Use the private key to decipher the recipient's encrypted (RSA-OAEP) session key.

3. Use symmetric (AES-256) decryption to decipher the encrypted file.

The advantages of this solution are that neither the developers nor the CSP will be able
to access the data. The user can also read the file from any device and at the same time
access the data from multiple devices. A further bright side is that if the file is
uploaded as a new version, the same session key can be used to encrypt and decrypt it. And
last, even if an intruder is able to access the server data, he will still not be able to
decrypt the file without the user password.
The disadvantages are that if the user loses the password, the data cannot be retrieved.
Also, for each file we have to generate a random session key, encrypt it with the users'
public keys and upload the results to the cloud. For instance, if we have one file shared
with 20 people, we will have 20 session keys encrypted with the public key of each
recipient for that one file, and so on. Last, if revocation is required for a file, we
have to re-encrypt the file with a new session key.

4.3.2 Client-side 2

Unlike the previous solution, this one uses a key derivation function and creates a group
key for sharing files with other recipients.

The main building blocks are: hashing via a secure hash function with a 384-bit digest
(SHA-384) or via bcrypt; symmetric authenticated encryption using AES-256; symmetric
signing by HMAC; the key pair cryptosystem RSAES-OAEP; and key stretching realized by
applying scrypt [55] to the user password, functioning as a key derivation function (KDF).

New User

• The user password is used as input to the scrypt function, in conjunction with a
randomly generated salt from a Secure Pseudo-Random Number Generator (SPRNG). The derived
key is used as a wrapper key.

• Generate the master key with the SPRNG.

• Generate the public/private key pair from the SPRNG; the public key is saved to the
cloud server.

• The private key and the master key are encrypted via AES-256 under the wrapper key, and
are stored in the cloud.

New Group

• Generate a symmetric group key randomly.

• Encrypt (RSA) the group key with the public key of each of the intended recipients.

• The encrypted material is then shared with the rest of the participating users via a
secondary channel, such as e-mail or some other solution.

Encryption of the file

• The master key is used to encrypt the file with AES-256.

Decryption of the file

• Decipher the master key with the wrapper key.

• Use symmetric decryption to decipher the encrypted file.

The advantages of this solution are that it allows users to change their password without
having to re-encrypt all of their data. As well, the user will be able to read the file
from any device. It also provides a revoke function for the group: if needed, the old
group key is encrypted and stored as metadata, since only read access is allowed.

On the other hand, the disadvantages are, for instance, that if the master key changes, a
full re-encryption of the user's files is required. Lastly, in a group share, if we want to
revoke access, the files have to be re-encrypted.

4.3.3 Client-side 3

The last client-side solution is carried out via the Crypton JavaScript framework, which
is mainly used by SpiderOak. It is developed as client-side; the server acts as a dumb
pipe to store and retrieve data. It is compatible with Node.js and many others.

The advantages of using it are the following: it has been used by SpiderOak as its main
solution, it is open source and publicly available, the user will be able to read the file
from any device, the framework has been maintained since 2013, and importantly its
developers have conducted two security audits, which are transparently available [14].
The disadvantages are that it is not well documented, its documentation is not completed
yet, and it requires additional implementation on the CORIZO platform side.

Cyber Security Audit Tool

The cyber security audit tool (see Figure B.1) identifies the four essential processes of
our developed tool for the cyber security audit service. Its functions are: identifying,
protecting, detecting, responding to and recovering from any cyber attack event in
organizations. This methodological approach was taken from the NIST Framework [47]. To
these functions we additionally added several other categories which, in our opinion, were
missing from the framework and which address customer needs, and at the same time bring
more value and are in fact beneficial and efficient by covering the latest technologies
and threats, such as bring your own device (BYOD), the human factor, etc.
CONCLUSION

• The internship provided valuable hands-on experience in various aspects of
cybersecurity, allowing individuals to gain practical skills and knowledge.

• One of the highlights was the opportunity to work on an individual minor project, where
interns identified vulnerabilities in a machine, demonstrating their ability to apply
theoretical concepts to real-world scenarios.

• The internship experience is considered valuable for career advancement, as it provides
a competitive edge when looking for jobs and serves as a reference point for future
employers.

• Corizo's cyber security program is well-structured, with expert mentorship and
industry-leading solutions, ensuring a comprehensive understanding of cybersecurity
concepts and practices.

Overall, the cyber security internship at Corizo offers a unique opportunity for
individuals to develop their skills, gain practical experience, and build a strong