| Table A1 reference | Threats to "Back-end servers" | Ref | Mitigation |
|---|---|---|---|
| 1.1 & 3.1 | Abuse of privileges by staff (insider attack) | M1 | Security Controls are applied to back-end systems to minimise the risk of insider attack |
| 1.2 & 3.3 | Unauthorised internet access to the server (enabled for example by backdoors, unpatched system software vulnerabilities, SQL attacks or other means) | M2 | Security Controls are applied to back-end systems to minimise unauthorised access. Example Security Controls can be found in OWASP |
| 1.3 & 3.4 | Unauthorised physical access to the server (conducted for example via USB sticks or other media connected to the server) | M8 | Through system design and access control it should not be possible for unauthorised personnel to access personal or system critical data |
| 2.1 | Attack on back-end server stops it functioning, for example by preventing it from interacting with vehicles and providing services they rely on | M3 | Security Controls are applied to back-end systems. Where back-end servers are critical to the provision of services there are recovery measures in case of system outage. Example Security Controls can be found in OWASP |
| 3.2 | Loss of information in the cloud. Sensitive data may be lost due to attacks or accidents when data is stored by third-party cloud service providers | M4 | Security Controls are applied to minimise risks associated with cloud computing. Example Security Controls can be found in OWASP and NCSC cloud computing guidance |
| 3.5 | Information breach by unintended sharing of data (e.g. admin errors, storing data in servers in garages) | M5 | Security Controls are applied to back-end systems to prevent data breaches. Example Security Controls can be found in OWASP |
