CIS5205 Information Security Management System Assignment Sample

CIS5205 Information Security Management System

Executive Summary

In today’s day and age, organisations are required to be prepared for the most critical threat i.e., data breach as this may lead to financial as well as legal repercussions. The purpose of this report is to provide a security incident response work plan. In the following report, the problem analysis related to data security and information safety of PeopleShraz was done. In addition to this, a thorough threat analysis was carried out. Moreover, various stakeholders of the given case and dependencies were identified. At last, based on the analysis, certain recommendations were provided to the management of PeopleShraz and HotHost1.

There were many outcomes of this assessment. First and foremost is that it was determined that there were many loopholes and security threats in the current operation and web designing process. First and foremost was related to missing security update. Another one was weak password policy etc. The major vulnerabilities identified in the case was related to server and network. Also, SQL injection was another major threat to the data security. Also, lack of response planning was also the major issue identified in the case. It was determined that theprime stakeholders of this security assessment are users and client. At last came the recommendations. The report provided various suggestions related to SQL injection, software and infrastructure updates, password protection policy, XSS protection, content security policy, auditing expert, and website scanning to identify any vulnerabilities and take necessary steps to counter them at the earliest.

Task 1:Background and problem analysis

As given in the case, PeopleSharz is the start-up that came into existence in the year 2016 and is one of the social media platforms that runs on the Internet. It was founded by Peter Tweet (CTO) and Mark Bukerzerg (CEO). Till the early 2018, PeopleSharz had more than 1.2M users registered all around the world. This social media platform is different from others on the basis of innovation, response to the competition, and industry trends.

The major setback faced by the organisation is that the website was hacked by the hacker and all the data related to users and clients including the passwords were posted on the Pastebin. This is essential to understand that how the site got compromised. There might be certain vulnerabilities related to security that might be ignored by HotHost1 or PeopleSharz. These can be:-

• Missing Security Updates: As both parties in the case had little to no experience about security vulnerabilities and response, they might have missed a necessary security updates (Allodi&Massacci, 2017). This probably enabled the hacker to compromise the website of PeopleSharz. It is required to keep updating the add-ons, plugins, web server, and content management system to prevent hacking.
• Phishing: It could be used as a mode for entering into the system or server of PeopleSharz. There are workers who manages the operations of HotHost1 and PeopleSharz (Allodi&Massacci, 2017). The hacker might have sent a phishing mail with a link with which the hacker might got accessed of the server details and other information related to the firm.
• Insecure Plugins and Themes: being the social media platform, the themes and plugins get seldom updates. This is just for the user’s convenience and experience. Organisation was hardly working on developing new themes and plugins. Due to unpatched and outdated plugins and themes, PeopleSharz might have become vulnerable to hacker’s attack (Mazuera-Rozo, et.al, 2019).
• Weak and Insecure Passwords:The poor policies regarding the security can result in compromised situations. The weak policies such as permitting the users to set weak passwords, providing unrequired access to them, disabling HTTPS on the website and permitting them to sign in through HTTP and that too without type checking. The developers and management of PeopleSharz might be using weak passwords for accessing the servers (Mazuera-Rozo, et.al, 2019). Also, the current system lacks the two-factor authentication that increases the hackers’ ability to access the account and clients’ data.
• Data Leaks due to Misconfiguration: Another major issue can be attributed to the misconfiguration in the present system that might have made the client-related or system-related information available in the public domain. The HotHost1 and PeopleSharz might not have noticed this. Poor error-handling ability and messaging on the Internet-based application may result in leaking of confidential information of the organisation in the public.

The aforementioned points are the possible factors that might have caused website hacking and revelation of the client data in the public domain. However, the major issue that was identified in the case is the absence of regular security checks and absence response plans in case of emergency. This has caused major problems to both the parties.

Task 2: Threat Analysis

For the following case of hacking, there might be numerous loopholes in the current operations and website design of PeopleSharz. The security testing is required that would ensure that website and software system of the organisation are free from any risks, threats, and vulnerabilities. It is all about determining the loopholes that may cause loss of information or any financial or reputational risk (Allodi&Massacci, 2017). The objective of investigations are:-

• Defining website security goals as per the requirements of the site’s security
• Identifying each and every threat related to security
• Validating the proper functioning of security controls
• Eliminating the effects of security issues of the integrity and safety of the website.

The investigation is based on certain assumptions. These are:-

• The testing environment is configured properly
• The website is working properly in the testing environment
• All the features of website are assumed to be in the working phase.

Testing Strategy

The strategy of investigating the security features of the website Software Development Lifecycle (SDLC) based and comprises following stages or phases:-

1. Requirements Phase

This phase comprises the following aspects:-

Reviewing standards and policies

The investigator would ensure that the organisation has appropriate standards, policies and documentation culture. This can be done by asking for all the relevant documents related to the security features in the given business. The documents can be related to process, environment and technical security requirement (Shin & Welch, 2016).

Developing measurement criteria

This stage is all about planning the measurements and defining the metrics to be collected. The overall purpose of this stage is to prepare a checklist of all the crucial aspects of the application.

Analysis of Security Requirements

In this stage, the investigator tries to understand the security requirements appropriate to the website. In addition to this, the gaps existing in the current system get revealed during analysis phase. The security properties that are to be tested during this stage are (Shin & Welch, 2016):-

• Privacy
• Tiered System Segregation
• Data Confidentiality
• Authentication
• User Management
• Session Management
• Integrity
• Authorisation

2. Designing Phase

This phase comprises review of design standards and processes and much more.

Reviewing of Design and Architecture

It is related to static manual testing in which the investigator would study the design and standards along with the architecture of the website for identifying the loopholes and flaws. These flaws might have caused the data security breach. For that purpose, the investigator can make use of comprehensive method for reviewing architecture. The list of metrics comprises number of loopholes or flaws found (Nunes, et.al, 2019).

Creating and Reviewing UML Model

The UML model would permit the investigator to identify incompliances on the previous stages of investigation and respond immediately. It will result in the formation of UML class diagram (Nunes, et.al, 2019).

Creating a Threat Tree

A threat tree can help in creating breakdown threats for processing easily. The tree depicts all the internal as well as external threats that website has. The list of metrics would consist of number of threats.

3. Development Phase

This phase comprises the following:-

Static Analysis

It is a white-box testing approach that allows identification of all errors and inconsistencies leading to critical vulnerabilities. It comprises:-

• Code Review:This comprises review of the codes and determining the flaws in it.
• Source Code Analysis: This is usually done with the help of source code analyser

The list of metric would comprise:-

• Vulnerabilities found
• Percentage of code taken from other projects
• Percentage of code taken from 3^rd party suppliers.

Dynamic Testing

Dynamic testing is carried out on the operational or running phase of the website. The widely used typology of the dynamic testing is penetration testing (Movahedi et.al, 2019).

Penetration Testing

Penetration testing is carried out in two ways, namely manually and automatically.

• Manually: Using a set guideline or procedure for a particular type of risks
• Automatically: This would be done using proxy tools, binary analysis tools, vulnerabilities scanners, and web application

The main attacks carry out for penetration testing are given below (Movahedi et.al, 2019):-

• Platform vulnerabilities
• Buffer Overflows
• Form Manipulation
• Weak Session Management
• SQL Injection
• Cross Site Scripting

Results of Vulnerabilities Testing

The findings show that PeopleSharz’s web application is vulnerable to medium to high level. The vulnerabilities associated with the servers are high and probably this might have caused data breach.

Task 3: Dependencies and critical success factors

Key stakeholders

Here, the major dependency identified is between PeopleShraz and HotHost1. The former is dependent on the latter for its environment hosting services. In addition to this, HotHost1 stores the data of PeopleShraz on its cloud-based services. The stakeholders of this security assessment are Users, client, software developers, software testing teams, management staff, and HotHost1’s team (Williams, et.al, 2014).

Key Requirement and Support Needed

Apart from these interdependencies, there are other factors also that can be stated as technical dependencies for vulnerabilities testing:-

• Monitoring:The main achievement factor is ages of fast checking reports. There are a few tests that are to be directed to check the vulnerabilities and dangers so it is significant that the reports are created in a brisk way.
• Investigating:As this is a cyber-security issue, the greater part of the examination must be done naturally to dispose of any sort of shortcoming in the examination.
• Infrastructural: Company is depended on other players for meeting its infrastructural requirements. Support of the infrastructural assessment would be needed for examining the dangers and vulnerabilities in the security arrangement of the business.

Task 4: Recommendations

From the complete analysis of the vulnerabilities by making use of static and dynamic testing, it is determined that PeopleShraz and HotHost1 need to incorporate the following suggestions in their current functioning:-

• It is advised to both of them to keep their software updated in order to secure the website. This is applicable for both servers and operating system that would be used to run the website. Also, in case of any error and security holes, the management should take immediate action in order to avoid any abuse from hackers (Ismailova, 2017).
• PeopleShraz is advised to take SQL injection seriously in order to avoid any attack from URL parameter or web form field. These would protect the data manipulation. The developers should check for rogue code in order to restrict the attackers’ access to the information or gaining control to change the data. Also, it is advised to the organisation to parameterised queries (Mazuera-Rozo, et.al, 2019).
• In addition to this, cross-site scripting is required to be avoided and restricted to be introduced into the code or system. It is advised to make use of certain front-end frameworks, such as Ember and Angular. These would help in providing a better and effective XSS protection. Furthermore, these has the power to tackle other challenges, such as client rendering and server mixing. Moreover, PeopleShraz can also inject JavaScript in its HTML code or can run codes by adding Ember helpers or Angular directives (Ismailova, 2017).
• Apart from these, there is another suggestion which is CSP (Content Security Policy). It is one of those headers that the servers of the PeopleShraz can return that provide information about browser’s ability to limit and execute the JavaScript. For instance, CSP can deny permission for running any script hosted on organisation’s server or domain. This would make it very difficult for the hacker to work and enter into the system and gain a control over the information of the client (Mazuera-Rozo, et.al, 2019).
• In order to avoid phishing, it is strictly advised to the management and employees of both business entities to avoid opening the error messages or spam links. The employees are required to be extra aware of such phishing mails and error messages. It is required to ensure that secrets’ or any other information does not get leaked. These mails can be a source of SQL injection (Wadkar, et.al, 2017).
• Also, it is suggested to the organisation to enforce a stringent password policy. Hackers nowadays make use of advanced and sophisticated software for gaining access to the information of targets. These software are very much capable for cracking the passwords. Therefore, to safeguard the password protected information, it is advised to have a complex password that should contain lowercase, uppercase, numeric, and a special character. Also, the length of the password should be more than 10 characters. The organisation should maintain and update the password policy on regular basis.
• It is also advised to PeopleShraz that it should encrypt each and every login page. For this purpose, the SSL encryption is best as it permits variety of information, such as social security number, phone number, personal details of clients, and most importantly login credentials to be transferred securely. Any encrypted information is useless for the third-party who attempts to intercept it (Padyab, et.al, 2017). This way the companies can prevent its data and information from hackers with an evil motive. The developers should check for rogue code in order to restrict the attackers’ access to the information or gaining control to change the data (Ismailova, 2017).
• PeopleSharz should also make use of secured host for its website. Selecting a secured and reputed web host entity is very crucial for the companies dealing in the social media domain. However, it is important for PeopleSharz to enhance its understanding about the likely threats and devote some efforts in choosing the right host that suits to the business goals and security requirements. It is also required that the web host back up the organisation’s information and data to any remotely located server and also provide necessary technical support whenever required by the firm (Nunes, et.al, 2019).
• At last, it is recommended to the company to hire a security expert that can be beneficial in the long-run. The expert will not only handle the short-term and long-term threats but also benefits the firm by providing necessary advices to grow. The organisation providing such security auditing services can scan the vulnerabilities and monitor any threat or malicious activity attempting to harm the firm. Also, the expert will carry out any repair needed to protect data breach (Nunes, et.al, 2019).
• At last, it is recommended to the PeopleShraz to carry out website scanning to identify any vulnerabilities. It would help in determining security holes related to website or server. A schedule should be prepared and an external agency can be hired for this purpose. However, in order to save funds, organisation can make use of freely available tools for scanning that can be used to measure how protective the website is. However, it is important to understand that these tools won’t help the firm in detecting all the vulnerabilities in the site. For that purpose, manual plans for scanning are made (Nunes, et.al, 2019).

References

• Allodi, L., &Massacci, F. (2017). Security events and vulnerability data for cybersecurity risk estimation.  Risk Analysis,37(8), 1606-1627. doi:10.1111/risa.12864
• Mazuera-Rozo, A., Bautista-Mora, J., Linares-Vásquez, M., Rueda, S., &Bavota, G. (2019). The android os stack and its vulnerabilities: An empirical study.  Empirical Software Engineering : An International Journal,24(4), 2056-2101. doi:10.1007/s10664-019-09689-7
• Movahedi, Y., Cukier, M., Andongabo, A., &Gashi, I. (2019). Cluster-based vulnerability assessment of operating systems and web browsers.  Computing,101(2), 139-160. doi:10.1007/s00607-018-0663-0
• Nunes, P., Medeiros, I., Fonseca, J., Neves, N., Correia, M., & Vieira, M. (2019). An empirical study on combining diverse static analysis tools for web security vulnerabilities based on development scenarios.  Computing,101(2), 161-185. doi:10.1007/s00607-018-0664-z
• Padyab, A., Päivärinta, T., &Harnesk, D. (2014). Genre-based approach to assessing information and knowledge security risks.  International Journal of Knowledge Management (ijkm),10(2), 13-27. doi:10.4018/ijkm.2014040102
• Shin, E., & Welch, E. (2016). Socio-technical determinants of information security perceptions in us local governments.  International Journal of Electronic Government Research (ijegr),12(3), 1-20. doi:10.4018/IJEGR.2016070101
• Wadkar, H., Mishra, A., & Dixit, A. (2017). Framework to secure browser using configuration analysis.  International Journal of Information Security and Privacy (ijisp),11(2), 49-63. doi:10.4018/IJISP.2017040105
• Williams, C., Wynn, D., Madupalli, R., Karahanna, E., & Duncan, B. (2014). Explaining users' security behaviors with the security belief model.  Journal of Organizational and End User Computing (joeuc),26(3), 23-46. doi:10.4018/joeuc.2014070102
• Ismailova, R. (2017). Web site accessibility, usability and security: A survey of government web sites in kyrgyz republic. Universal Access in the Information Society : International Journal, 16(1), 257-264. doi:10.1007/s10209-015-0446-8