Organisations today must be prepared for the most critical threat they face, a data breach, since one can bring financial as well as legal repercussions. The purpose of this report is to provide a security incident response work plan. It analyses the data security and information safety problems of PeopleSharz, carries out a thorough threat analysis, identifies the stakeholders and dependencies in the given case and, finally, offers recommendations to the management of PeopleSharz and HotHost1 based on that analysis.
The assessment produced several outcomes. First, many loopholes and security threats were found in the current operation and web design process, the foremost being missing security updates and a weak password policy. The major vulnerabilities identified were related to the server and the network, and SQL injection was another major threat to data security. A lack of response planning was also identified as a major issue. The prime stakeholders of this security assessment were determined to be the users and the client. Finally, the report offers recommendations covering SQL injection, software and infrastructure updates, a password protection policy, XSS protection, a content security policy, the engagement of an auditing expert, and website scanning to identify vulnerabilities so that countermeasures can be taken at the earliest.
As given in the case, PeopleSharz is a start-up founded in 2016 that operates a social media platform on the Internet. It was founded by Peter Tweet (CTO) and Mark Bukerzerg (CEO). By early 2018, PeopleSharz had more than 1.2M registered users around the world. The platform differentiates itself from others through innovation and its response to competition and industry trends.
The major setback faced by the organisation is that the website was hacked and all of the user and client data, including passwords, was posted on Pastebin. It is essential to understand how the site was compromised. There may be security vulnerabilities that were overlooked by HotHost1 or PeopleSharz, such as:-
The points above are the possible factors that may have caused the website hacking and the exposure of client data in the public domain. However, the major issue identified in the case is the absence of regular security checks and of response plans for emergencies. This has caused major problems for both parties.
In the present hacking case there may be numerous loopholes in the current operations and website design of PeopleSharz. Security testing is required to ensure that the organisation's website and software systems are free from risks, threats and vulnerabilities. It is concerned with finding the loopholes that could cause loss of information or financial or reputational harm (Allodi & Massacci, 2017). The objectives of the investigation are:-
The investigation is based on certain assumptions. These are:-
Testing Strategy
The strategy for investigating the security features of the website is based on the Software Development Lifecycle (SDLC) and comprises the following stages or phases:-
This phase comprises the following aspects:-
Reviewing standards and policies
The investigator would check that the organisation has appropriate standards, policies and a documentation culture, by asking for all documents relevant to the security features of the business. The documents may cover the process, the environment and technical security requirements (Shin & Welch, 2016).
Developing measurement criteria
This stage is about planning the measurements and defining the metrics to be collected. Its overall purpose is to prepare a checklist of all the crucial aspects of the application.
Analysis of Security Requirements
In this stage the investigator seeks to understand the security requirements appropriate to the website; the gaps in the current system are also revealed during this analysis. The security properties to be tested during this stage are (Shin & Welch, 2016):-
This phase comprises the review of design standards and processes, among other activities.
Reviewing of Design and Architecture
This is static manual testing in which the investigator studies the design, standards and architecture of the website to identify the loopholes and flaws that might have caused the data security breach. For this purpose the investigator can use a comprehensive architecture review method. The metric collected is the number of loopholes or flaws found (Nunes, et al., 2019).
Creating and Reviewing UML Model
The UML model allows the investigator to identify non-compliance found in the previous stages of the investigation and respond immediately. Its output is a UML class diagram (Nunes, et al., 2019).
Creating a Threat Tree
A threat tree breaks threats down so that they can be processed easily. The tree depicts all the internal and external threats to the website. The metric collected is the number of threats.
This phase comprises the following:-
Static Analysis
It is a white-box testing approach that identifies the errors and inconsistencies leading to critical vulnerabilities. It comprises:-
The list of metrics would comprise:-
Dynamic Testing
Dynamic testing is carried out on the operational, running website. The most widely used type of dynamic testing is penetration testing (Movahedi et al., 2019).
Penetration Testing
Penetration testing is carried out in two ways, manually and automatically.
The main attacks carried out during penetration testing are given below (Movahedi et al., 2019):-
Results of Vulnerabilities Testing
The findings show that PeopleSharz's web application has vulnerabilities of medium to high severity. The vulnerabilities associated with the servers are of high severity and probably caused the data breach.
Type of Vulnerability: Description of Result
Cross-Site Scripting: This concerns the website's JavaScript and gives a hacker a loophole through which to take information; hackers can steal users' session cookies. It is primarily associated with social networking applications.
SQL Injection: A hacker may exploit an SQLi weakness introduced into the website by the poor web design practices followed in developing the PeopleSharz site. Through it, the hacker can inject SQL commands into the application's queries and gain illicit access to the client data and information stored in the backend database.
Transport Layer Security: TLS is used in the design of the website to secure the transfer of data between stakeholders and the server. TLS is not updated regularly by the organisation, which increases the vulnerabilities associated with it.
Host Header Attack: It was also noticed that an external party can control operations within the website because it is served over HTTP rather than HTTPS; this can be exploited by the hacker.
Design Related: The website was built on PHP, chosen for its popularity over ASP. However, it was noticed that PHP-based websites are less secure.
Vulnerability by Web Server: Scanning found that the organisation does not have a secured web server for storing data; the present servers have innumerable vulnerabilities.
Network Related: The company uses networks that permit remote users to access confidential data and information from the servers. It was also seen that the admin has not disabled the mail server that is enabled by the OS's default settings.
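Three of the findings in the table above (SQL injection, cross-site scripting and the host header issue) have mitigations that can be checked in code. The following Python example is added here and is not part of the original report or of PeopleSharz's code base; it uses an in-memory SQLite table with constructed sample users, placeholder host names (peoplesharz.example) and a hypothetical baseline of security headers. It shows the vulnerable string-built query beside its parameterised replacement, a Host header allowlist check, output encoding for untrusted profile text, and a check for response headers missing from the baseline (the content security policy and strict transport security that the recommendations call for).

```python
import html
import sqlite3

# Constructed stand-in for the PeopleSharz user table (assumption: the real schema is unknown).
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn

def lookup_user_vulnerable(conn, username):
    # Deliberately vulnerable, kept only for contrast: untrusted input is concatenated
    # into the SQL text, so a value such as  ' OR '1'='1  rewrites the WHERE clause
    # and the query returns every row in the table.
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()

def lookup_user_safe(conn, username):
    # Hardened: a parameterised query. The driver passes the value separately from
    # the SQL text, so it is only ever compared as data and never parsed as SQL.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()

# Host header attacks are blocked by accepting only the names the site is actually served under.
ALLOWED_HOSTS = {"peoplesharz.example", "www.peoplesharz.example"}  # placeholder names

def host_is_trusted(host_header, allowed=ALLOWED_HOSTS):
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):
        return False  # IPv6 literal hosts are not expected for this site; reject them
    hostname = host.rsplit(":", 1)[0]  # drop an optional :port suffix
    return hostname in allowed

def render_display_name(display_name):
    # XSS mitigation: HTML-encode untrusted data before it is placed in the page.
    return '<span class="name">' + html.escape(display_name, quote=True) + "</span>"

# Hypothetical baseline of response headers a scan of the site should find present.
# Strict-Transport-Security only takes effect once the site is served over HTTPS.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}

def missing_security_headers(response_headers):
    # Header names are case-insensitive, so compare them lower-cased.
    present = {name.lower() for name in response_headers}
    return sorted(name for name in SECURITY_HEADERS if name.lower() not in present)

if __name__ == "__main__":
    conn = build_demo_db()
    tautology = "' OR '1'='1"
    print("vulnerable:", lookup_user_vulnerable(conn, tautology))  # both rows leak
    print("safe:      ", lookup_user_safe(conn, tautology))        # no rows
    print("host ok:   ", host_is_trusted("www.peoplesharz.example:443"))
    print("host bad:  ", host_is_trusted("attacker.example"))
    print("encoded:   ", render_display_name("<script>alert(1)</script>"))
    print("missing:   ", missing_security_headers({"Content-Type": "text/html"}))
```

The same four checks map onto the testing strategy described earlier: the string-built query is what static analysis flags, while the host allowlist, the encoded output and the header baseline are what a dynamic scan of the running site confirms or reports as missing.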
Key stakeholders
Here, the major dependency identified is between PeopleSharz and HotHost1: the former depends on the latter for environment hosting services, and HotHost1 stores PeopleSharz's data on its cloud-based services. The stakeholders of this security assessment are the users, the client, software developers, software testing teams, management staff and HotHost1's team (Williams, et al., 2014).
Role: Team Lead
Responsibilities: Setting up and adjusting the test processes; creating a security test plan; authorising test strategies for dealing with future threats; tracking the progress of each activity related to the vulnerability assessment or scanning (Shin & Welch, 2016); providing the final conclusion and presentation of the identified vulnerabilities and recommendations.
Contact Information: Email ID
Role: Testing Engineer
Responsibilities: Noting the progress of test cases; determining and pinpointing the defects or security holes in the current design of the websites; analysing the final outputs of the vulnerability testing and drawing inferences from them; creating the test reports.
Role: Testing Designer
Responsibilities: Creating the security models and the overall scope of the project; creating and updating the test suites and test cases.
Key Requirement and Support Needed
Apart from these interdependencies, there are other factors that can be described as technical dependencies for vulnerability testing:-
From the complete analysis of the vulnerabilities using static and dynamic testing, it is determined that PeopleSharz and HotHost1 need to incorporate the following suggestions into their current operations:-