Risk R-003 - Compromise of Internet-facing VPS
| Field | Value |
|---|---|
| Risk ID | R-003 |
| Asset | Public VPS (Technical – Owner: Ops) |
| Scenario | S-001 - Compromise of Internet-facing VPS |
| Likelihood | 🟨 Medium - An Internet-facing VPS is scanned continuously; weak SSH authentication or unnecessarily exposed services raise the probability of compromise |
| Impact | 🟥 High - Takeover of the host lets an attacker abuse its services and potentially pivot to internal infrastructure |
| Risk Level | 🟥 High |
| Owner | Ops |
| Last Review | 2026-03-08 |
| Next Review | 2026-09-08 |
Associated Controls:
- Harden SSH configuration (disable root login, enforce key-based authentication).
- Restrict administrative access via firewall rules or VPN.
- Keep operating system and services regularly patched.
- Deploy a host-based firewall and intrusion detection system.
- Run CrowdSec as an intrusion prevention system (IPS).
- Forward system and authentication logs to SIEM.
- Monitor abnormal authentication attempts or service activity.
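The SSH hardening control above ("disable root login, enforce key-based authentication") is easy to state and easy to get wrong in practice, because OpenSSH keeps the first value it reads for a directive and treats everything after a `Match` line as conditional. The following audit script is an added example, not part of this risk register or of any tool the register names; the baseline values, the assumed OpenSSH defaults, and the sample configurations are all constructed for illustration.

```python
"""Audit an sshd_config against the R-003 SSH hardening baseline.

Added example; not from the risk register. All configuration text below is
constructed. The BASELINE and DEFAULTS tables are assumptions chosen to match
the control "disable root login, enforce key-based authentication".
"""
import re

# Directive (lower-cased) -> values that satisfy the baseline.
BASELINE = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}

# Value sshd uses when the directive is absent (assumed OpenSSH defaults).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Return ({directive: first value}, match_block_seen) for the global section.

    sshd keeps the FIRST value it reads for a directive, so a later "no" does
    not override an earlier "yes". Directives after a Match line apply only
    inside that block, so parsing stops there and the caller is told about it.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            return settings, True
        settings.setdefault(key, value)        # first occurrence wins
    return settings, False


def audit(text):
    """Return a list of findings; an empty list means the baseline is met."""
    settings, has_match = parse_sshd_config(text)
    findings = []
    for key, allowed in BASELINE.items():
        value = settings.get(key, DEFAULTS[key])
        if value not in allowed:
            findings.append(f"{key}={value} (expected one of {sorted(allowed)})")
    if has_match:
        findings.append("Match block present: conditional overrides were not audited")
    return findings


# Constructed weak configuration: the second PermitRootLogin line is ignored by sshd.
WEAK = """
Port 22
PermitRootLogin yes
PermitRootLogin no      # too late: sshd already took "yes"
PasswordAuthentication yes
"""

# Constructed hardened configuration meeting the baseline.
HARDENED = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

# Constructed configuration whose global section is fine but carries a Match block.
WITH_MATCH = HARDENED + """
Match User deploy
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED), ("with_match", WITH_MATCH)):
        print(name, audit(cfg) or "OK")
```

Run it against the real file with `audit(open("/etc/ssh/sshd_config").read())`; note that it reads only the main file, so `Include` directives (a common source of drift on distributions that ship drop-in files) still need to be resolved by hand or with `sshd -T`, which prints the effective configuration.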
References:
- ISO 27001 - Control 5.1 Policies for information security.
- ISO 27001 - Control 8.2 Privileged access rights.
- ISO 27001 - Control 8.16 Monitoring activities.
- NIST CSF - ID.AM Asset Management.
- NIST CSF - PR.AC Identity Management, Authentication and Access Control.
- NIST CSF - PR.IP Protective Technology.
- EBIOS RM - Analysis of risks associated with public-facing systems and potential pivot to internal infrastructure.
Response Actions:
- Containment - Immediately isolate the VPS from the network and block malicious IP addresses.
- Eradication - Remove malicious processes, revoke compromised credentials, rotate SSH keys.
- Recovery - Rebuild VPS from trusted image and restore services from verified backups.
- Post-incident - Perform root cause analysis, review firewall rules and hardening baseline, and update monitoring rules.
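The monitoring control ("monitor abnormal authentication attempts") and the post-incident step ("update monitoring rules") both need concrete detection logic once logs reach the SIEM. The script below is an added example, not part of this risk register or of any product it names: it replays constructed sshd log lines (RFC 5737 documentation addresses) and raises three kinds of alert: a burst of failures from one source, a password login accepted at all (which contradicts the key-only baseline), and a successful login from a source that had just been failing. The window, threshold and log format are assumptions.

```python
"""Detect abnormal SSH authentication patterns in syslog-style sshd lines.

Added example; not from the risk register. Sample log lines are constructed.
WINDOW/THRESHOLD are assumed tuning values; the regexes assume the standard
OpenSSH message formats for failed and accepted logins.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window for counting failures
THRESHOLD = 5                    # failures within WINDOW from one IP -> alert

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"^(?:Failed password|Invalid user) .*?from (?P<ip>\d+\.\d+\.\d+\.\d+)")
ACCEPT_RE = re.compile(r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)")


def parse_line(line):
    """Return (timestamp, message) for an sshd syslog line, or None if it is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; within one day that is enough for windowing.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("msg")


def detect(lines):
    """Return a list of (alert_kind, source_ip) tuples, in the order they fire."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()                 # ips already reported for brute force
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        fail = FAIL_RE.match(msg)
        if fail:
            ip = fail.group("ip")
            window = failures[ip]
            window.append(ts)
            while window and ts - window[0] > WINDOW:   # drop failures outside the window
                window.popleft()
            if len(window) >= THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip))
            continue
        ok = ACCEPT_RE.match(msg)
        if ok:
            ip = ok.group("ip")
            if ok.group("method") == "password":
                # Baseline is key-only: any accepted password login is config drift.
                alerts.append(("password_login_accepted", ip))
            if failures[ip]:
                # Success from a source with failures still in its window.
                alerts.append(("success_after_failures", ip))
    return alerts


# Constructed sample: one source hammers root, then gets a password login.
SAMPLE_LOG = """
Mar  8 10:00:01 vps sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  8 10:00:03 vps sshd[2102]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  8 10:00:04 vps sshd[2103]: Invalid user admin from 203.0.113.5 port 51240
Mar  8 10:00:06 vps sshd[2104]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  8 10:00:09 vps sshd[2105]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar  8 10:00:30 vps sshd[2106]: Accepted password for ops from 203.0.113.5 port 51250 ssh2
Mar  8 10:05:00 vps sshd[2201]: Accepted publickey for ops from 198.51.100.7 port 40012 ssh2
Mar  8 10:07:00 vps sshd[2202]: Failed password for ops from 192.0.2.9 port 33000 ssh2
""".splitlines()

if __name__ == "__main__":
    for kind, ip in detect(SAMPLE_LOG):
        print(f"ALERT {kind} from {ip}")
```

The single failure from 192.0.2.9 and the key-based login from 198.51.100.7 produce nothing, which is the point of the threshold: a SIEM rule that fires on every failed login against an Internet-facing host will be ignored within a day. The "success after failures" alert is the one worth paging on, since it is the signal that containment (isolate the host, revoke the credential) may already be due.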