QUESTION
This assessment assesses your understanding in relation to the following four course learning
objectives:
1. have a strong understanding of the vulnerabilities and threats relating to information
systems and the controls which can be implemented to mitigate their effect
2. describe various network related threats and controls as covered in this course
3. understand that incidents can still occur and have knowledge of procedures to be put
in place to facilitate appropriate incident and disaster response
4. recognise the ongoing commitment to information systems security that is imperative
for organisations to maintain reasonably secure information systems and understand
the concept of continual improvement.
This assignment assesses the following graduate skills: Problem Solving, Academic &
Professional Literacy, Oral and Written Communication and Teamwork at level 2.
This assignment relates to the topics covered in modules 1 to 12. This is a team assignment
which will be completed by groups of two students. Details regarding the allocation of
students to teams will be provided on the course study desk. Each student team will be
allocated their own discussion forum for assignment 3 to specifically work collaboratively as
a team in developing and discussing their approach to assignment 3 case study and the
required Security report and presentation. Regular participation in each team’s discussion
forum by the team members each week from Monday 12 September until Friday 14 October
is expected. Each team member will also be required to keep a journal of their activities and
progress related to completing this assignment and will form part of the assessment for
assignment 3. In date order clearly list the following:
• date of research activity/discussion
• topics researched or discussed
• time duration of activity.
Submit this journal for each team member as an appendix to the assignment 3
Recommendations report. Any reference to web pages and online resources such as white
papers, blogs, wikis etc. should be listed at the end of the journal.
Regular participation on the discussion forums dedicated for this assessment is highly
recommended and can assist greatly with this assessment item. Also note that you are
expected to do research outside of the course materials provided.
October 2011
Case Study: WebSec Consultings Services (WCS)
Student Notes
Insecure and poorly developed websites allow unauthorised people (“hackers” if you will) to access,
modify and steal confidential information. The media reports new “hacks” and data theft almost
every day. The problem is prevalent across the whole Internet.
The threats to businesses and individuals can range from nuisance value defacement of sites to
enormous business threatening breaches.
The reality is that most website developers focus solely on delivering functionality required by the
business and clients they work for, and few have a good understanding of how to develop secure
websites to keep hackers out.
But, as more and more organizations engage specialist security companies to test their websites for
vulnerabilities, (e.g. penetration testing or source code reviews), the focus is being put on developers
to improve the security of their products. But, there is a long way to go.
While websites can never be guaranteed 100% secure, poor software development practices are still
rife across all industries. Many estimate that upwards of 80% of websites have major to critical
vulnerabilities – most due to poor coding, almost all avoidable, (had better coding practices and
controls been put into place). The OWASP web site is an excellent site for understanding the extent of
the problem and what is being done at an industry level and in terms of standards to address
improving the security of web services and web application software.
Module 9 Email, Web and Software security and the selected readings 9.1 Rice, D 2008, Geekonomics: the
real cost of insecure software, Pearson Education, pp. 19-71; 9.2 McGraw, G 2006, Software security:
building security in, pp. 3-13 & 25-38; and Murray, M 2010, ‘Database security: what students need
to know’, Journal of Information Technology Education: Innovations in Practice, vol. 9, pp. 61-77,
available at <http://www.jite.org/documents/Vol9/JITEv9IIPp061-077Murray804.pdf>, are very relevant
for some aspects of this assignment, in particular for understanding some of the reasons why information
security is not built into software from the design phase onwards and is instead considered reactively as
an add-on later to deal with the vulnerabilities in software and systems.
Aside: one of the best books on the implications of poor software and a thoroughly
recommended read is Geekonomics: the real cost of insecure software:
<http://www.geekonomicsbook.com/>. Note that selected reading 9.1 is taken from chapter 2 of this book.
SOLUTION
Executive summary
Information security is one of the biggest concerns for any business that trades online. This report highlights the importance of website security. Through a case study of ‘Health and Fitness Web Pvt. Ltd. (HFW)’, the main security threats to an online business website are discussed. The organization is planning to conduct a web application penetration test on its website and has appointed WebSec Consulting Services (WCS) to advise on the security testing and on the solutions to be implemented.
The threats are grouped into basic categories (human error, software malfunction, external and network attacks, and attacks on e-commerce transactions); the network-level attacks are treated as the most pressing because they reach every part of the online business. The report also highlights the commitment and co-ordination needed amongst the internal stakeholders to carry out the testing properly and to implement the solutions suggested.
WCS is expected to identify all the security threats it can find and to prepare a strategic roadmap to mitigate them. WCS is also expected to co-ordinate with the internal stakeholders, understand the systems and processes within HFW, and finally communicate the whole security plan, along with the reasoning behind it, to everyone involved.
Background
The case discusses the importance of website security for a business. The case study in context is ‘Health and Fitness Web Pvt. Ltd. (HFW)’, which sells gym equipment and apparel. Many of its customers deal with it online. The organization is taking website security seriously because one of its competitors has been hacked. That incident led to data theft and to a loss of customer confidence, and the loss of business was aggravated because no new clients approached that company after the incident.
Keeping these factors in mind, HFW plans to carry out a web application penetration test to identify the security weaknesses in its system. At the same time, the organization is concerned about the cost of such a test. It has shortlisted WebSec Consulting Services (WCS) to carry out due diligence on its existing web-based systems and to report its findings, including whether a security overhaul is needed.
WCS is expected to identify all possible security threats, suggest steps to mitigate the risks associated with them, and develop a plan to implement its recommendations.
Threat analysis
(Security threats to websites and web application, 2009)
A business website is exposed to many types of online security threat. The most damaging are those that reach the back-end systems and databases holding the organization's customer and payment records. The other threats must not be ignored either, since they can still disrupt the online business.
Classification of threats
Threats can be classified as-
- Manual errors
There may be errors due to human negligence. The person administering the website may accidentally delete data or important files that a particular application needs in order to run, or may misconfigure hardware or software through misjudgement. Other critical errors of this kind include:
- Unauthorised access: granting users (including external users) more rights than their role requires, or leaving administrative functions reachable without an access check.
- Improper authentication: weak password rules, credentials accepted over plain HTTP, or an expired or misconfigured TLS certificate that trains users to click through browser warnings; each of these makes the login easier for an attacker to bypass or intercept.
- Encryption issues: sensitive data stored in the clear, weak or home-grown encryption, or keys kept alongside the data they protect, which gives an attacker who reaches the server free access to sensitive data.
- Faulty session management: session properties are defined when the website is built. If sessions never expire, or session identifiers are predictable or exposed in URLs, the website may be accessed by an outsider in the name of the legitimate user without that user's knowledge.
- Software malfunction threats
These threats arise when no security checks are built into the system while the website is being developed. Malware (malicious software) may also cause the system to malfunction, and it comes in many guises. Malware spreads over networks; web servers are popular targets because a compromised site can be used to distribute it to visitors, and sites with vulnerabilities that allow this are attacked preferentially.
- External threats:
These threats are mostly caused by external attackers. Some of them are:
- Scanning: attackers use tools that scan the site and its server for open ports, software versions and exposed administrative pages, and then run dictionary or brute-force attacks against the login form to guess usernames and passwords. Weak encryption keys or configurations found this way leave the whole data set vulnerable.
- Spamming:
Spamming is the unauthorised sending of unwanted mail to users. Mass mailings can also cause failures through excessive load on the mail servers.
- Network attacks:
- Spoofing
Each IP packet carries a source address that the network does not verify, so an attacker can forge the address of the sender. This is commonly known as IP spoofing. Once a packet's source is forged there is no reliable trace back to the real host, so the visitor information recorded in the logs or the database cannot be relied on; spoofed packets are also the basis of many flooding attacks.
- Sniffing
Information exchanged with the website travels as data packets. An attacker on the same network segment (for example on a shared Ethernet or wireless network) can run a sniffer that captures the website's traffic, including any credentials or session identifiers sent in the clear. Sniffing is passive and therefore hard to detect, which makes it very dangerous; the practical defence is to encrypt traffic so that captured packets are useless.
- Mapping
Mapping (footprinting) is the gathering of information about the target such as IP addresses, the operating system, server software and the structure of the application. Attackers collect this from the site's own responses and from observed communications, then use it to choose the attacks most likely to work. Once the layout is known, an attacker can return to the weak points repeatedly and tamper with sensitive data.
- Hijacking
A hijacker inserts himself between two parties communicating over the network (a man-in-the-middle). Once a connection or session is hijacked, the entire exchange can be monitored and diverted: the hijacker can re-route the data being exchanged, or impersonate one of the parties and obtain information without being traced. Session hijacking, where the attacker steals a user's session identifier and uses it as that user, is the web-application form of this attack.
- Denial-of-Service attack (DoS)
A denial of service attack floods the website with illegitimate requests. Genuine requests cannot be served and the true responses do not reach the users. Such an attack exhausts memory and connection capacity on the web server and consumes the available bandwidth, so the response time and availability of the website suffer badly. A distributed attack (DDoS) from many sources is much harder to block at the server alone.
- Threats related to e-commerce transactions:
(Mookhey, K. K., 2009)
- SQL Injection: the attacker submits input containing SQL meta-characters (quotes, comment markers, semicolons) which the application concatenates into a database query. The query's logic is changed, so the attacker can read, modify or delete data that the user was never meant to access, or bypass the login altogether.
- Price manipulation: if the website takes online payments, an attacker can manipulate the total price of the items purchased. This happens when the price is carried in a hidden form field, URL parameter or cookie that the server trusts; the attacker edits it before the request is sent, so the amount payable and the amount actually charged differ and a fraud occurs. The price must be looked up server-side at checkout, never accepted from the client.
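The two e-commerce threats above, shown side by side in code. This is an added example written for this report, not code from HFW or from the cited sources; the tables, users and prices are constructed sample data. The first lookup builds its query by string formatting and is kept deliberately vulnerable so the injection can be seen to work; the second uses a parameterised query. The checkout function recomputes the total from the server-side catalogue and only compares the client's figure, so an edited hidden field cannot change what is charged.

```python
import sqlite3

# Constructed sample data for the example; not HFW's catalogue or user list.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT, price_cents INTEGER)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [("TM-100", "Treadmill", 89900), ("DB-20", "Dumbbell set", 12900)])
    return conn


def find_user_vulnerable(conn, username):
    """Builds the query by string formatting, so quotes in the input become SQL syntax.
    The input  ' OR '1'='1  turns the WHERE clause into  username = '' OR '1'='1'
    and returns every user. Kept deliberately insecure to show the defect."""
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Parameterised query: the value travels separately from the SQL text, so the
    same input is matched literally and returns nothing."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def checkout_total(conn, cart, client_total_cents):
    """cart: [(sku, qty), ...] as submitted by the browser; client_total_cents: the
    total the browser claims (e.g. from a hidden form field). The real total is
    recomputed from the server-side catalogue; the client's figure is only compared
    so that tampering can be logged. Returns (server_total_cents, tampered)."""
    total = 0
    for sku, qty in cart:
        if not isinstance(qty, int) or qty <= 0:
            raise ValueError("invalid quantity for %s" % sku)
        row = conn.execute("SELECT price_cents FROM products WHERE sku = ?", (sku,)).fetchone()
        if row is None:
            raise ValueError("unknown sku %s" % sku)
        total += row[0] * qty
    return total, client_total_cents != total


if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, "' OR '1'='1"))   # ['alice', 'bob']: injection succeeded
    print(find_user_safe(db, "' OR '1'='1"))         # []: input treated as data
    print(checkout_total(db, [("TM-100", 1)], 100))  # (89900, True): client price ignored
```

The same parameterisation applies to every query the site runs, not only the login; the price check belongs at the point where the payment request is built, so that the figure sent to the payment gateway is the server's and not the browser's.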
Dependencies and critical success factors to the job
WCS recommends a step-wise procedure for the web application penetration test. These steps are designed to identify the threats described above, but they require the support of all stakeholders associated with the website. The dependency on stakeholders, as well as the steps to carry out the testing, is discussed below.
Steps to carry out Web Application penetration test
(Hope, Walther; 2008)
WCS recommends specific testing phases that need to be conducted. These phases are:
- Authentication Testing phase:
Here the system is tested to ensure it correctly identifies and validates the users it is communicating with. Test cases must be run for the following scenarios:
- Test cases to check that usernames and passwords are validated against the agreed rules (length, character set, password strength) and that malformed input is rejected
- Test cases to check that credentials are only accepted over the secure protocol (HTTPS) and that an external user cannot bypass it by requesting the login over plain HTTP
- Test cases to check that the session does not retain usernames or passwords and that an expired session cannot be reused
- Test cases for proper log-out and for clearing cached pages and credentials in the browser
- Authorization Testing
Here the system's checks on the access rights and privileges of users must be tested. Only authorised users should be able to perform the functions allowed to them. Some test cases for this scenario are:
- Trace the path from each user input through to the final operation performed, to confirm that an access check is applied at every step and not only on the menu page
- Test cases that attempt functions the user is not allowed to perform (for example, requesting another user's order by changing an identifier in the URL) and check that access is refused and the error message reveals nothing useful
- Session Management Testing
This test covers the whole end-to-end activity from login to logout. HTTP itself is stateless, so when a user browses through several pages the server keeps the related state in a ‘session’ and hands the browser a session identifier, usually in a cookie, that ties the requests together. The session should reference the authenticated user; it must never store the password. The identifier must be unpredictable and, on an HTTPS site, carried in a cookie marked Secure and HttpOnly so it is neither sent in the clear nor readable by scripts. In order to test for proper session management, some test cases are:
- Test cases to check that the session is invalidated on the server when the user logs out, not merely that the cookie is deleted in the browser
- Test cases to check that the session automatically expires after the set interval of inactivity
- Test cases to check what happens when the same user-id and password are used to log in from two places at once, and that the system either refuses the second login or warns the user
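A minimal server-side session store that behaves the way the three test cases above expect. This is an added example written for this report, not HFW's code or anything from the OWASP testing guide; the 15-minute idle timeout, 8-hour absolute lifetime and the single-session-per-user policy are assumed settings. The clock is injectable so the expiry behaviour can be exercised without waiting.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session is discarded (assumed policy)
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap on session age regardless of activity (assumed policy)


class SessionStore:
    """In-memory session table keyed by an unguessable identifier.
    The record holds only the user identity and timestamps, never the password."""

    def __init__(self, clock=time.time, single_session_per_user=True):
        self._clock = clock
        self._sessions = {}   # session_id -> {"user", "created", "last_seen"}
        self._single = single_session_per_user

    def login(self, user):
        """Create a session after the user has authenticated. With the single-session
        policy, any existing session for the same user is revoked, which is what the
        concurrent-login test case checks for."""
        if self._single:
            for sid, s in list(self._sessions.items()):
                if s["user"] == user:
                    del self._sessions[sid]
        sid = secrets.token_urlsafe(32)   # 256 bits of entropy from the OS CSPRNG
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def user_for(self, sid):
        """Return the user bound to sid, or None. Idle and absolute expiry are
        enforced here, so an old identifier is useless even if it was captured."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_LIFETIME:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        """Invalidate on the server. Clearing the browser cookie alone would leave the
        identifier valid for anyone who had sniffed it."""
        return self._sessions.pop(sid, None) is not None


def session_cookie(sid):
    """Set-Cookie value for the identifier: Secure restricts it to HTTPS, HttpOnly
    keeps it away from page scripts, SameSite limits cross-site sending."""
    return "session=%s; Path=/; HttpOnly; Secure; SameSite=Lax" % sid


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice")
    print(store.user_for(sid))          # alice
    print(store.logout(sid), store.user_for(sid))   # True None
    print(session_cookie(sid))
```

A penetration tester exercises exactly these paths from the outside: replay a captured identifier after logout, wait out the idle timeout, and log in twice; the store above passes all three, and a store that keeps the identifier alive after logout or never expires it fails the first two.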
- Data Validation Testing
These tests check whether the data accepted by the system from user input is in a correct and validated format. This is necessary to find out whether the system is vulnerable to attacks such as cross-site scripting, SQL injection, file system attacks and buffer overflows. Some of the testing scenarios are:
- Test cases to check that the system produces the expected output for valid inputs and rejects invalid ones
- Test cases to check that data reaching the database is in the correct form and is updated in all the necessary tables
- Test cases that run many database queries at once, to check that the validation holds up under load
- Test cases to check that documents uploaded to the database are of the permitted types and are not corrupted
- Test cases to check data updates made through remote applications
- Test cases for code injection: observe whether it is possible to inject SQL, script or commands through application data
- Test cases for buffer overflows in any native components that handle input
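An allowlist validator for the kind of form fields an order page has, together with a table of probe inputs of the sort a tester submits in the data validation phase. This is an added example for this report, not HFW's code; the field rules and the probe strings are constructed for illustration. It also shows output encoding for free text, because validation alone does not stop cross-site scripting in a field that legitimately allows arbitrary characters.

```python
import html
import re

# Allowlist rules per form field (assumed for HFW's order form; illustrative only).
# fullmatch is used rather than ^...$ so a trailing newline cannot slip past the check.
RULES = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "quantity": re.compile(r"[1-9][0-9]{0,2}"),       # 1..999
    "sku":      re.compile(r"[A-Z]{2}-[0-9]{2,4}"),
    "postcode": re.compile(r"[0-9]{4}"),
}


def validate(field, value):
    """True only when the value is a string that the field's allowlist fully matches.
    Unknown fields are rejected rather than passed through."""
    rule = RULES.get(field)
    if rule is None or not isinstance(value, str):
        return False
    return rule.fullmatch(value) is not None


def render_comment(text):
    """Free text (a product review, say) cannot be allowlisted, so it is encoded on
    output: < > & " ' become entities and the browser shows them as text."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


# Constructed probe inputs: (field, value, should_be_accepted).
PROBES = [
    ("username", "alice_01", True),
    ("username", "' OR '1'='1", False),            # SQL meta-characters
    ("username", "<script>alert(1)</script>", False),
    ("username", "alice\n", False),                # trailing newline
    ("quantity", "2", True),
    ("quantity", "-1", False),
    ("quantity", "1e9", False),
    ("quantity", "0", False),
    ("sku", "TM-100", True),
    ("sku", "../../etc/passwd", False),            # path traversal
    ("postcode", "4350", True),
    ("postcode", "4350; DROP TABLE users", False),
]


def run_probes(probes=PROBES):
    """Run every probe and return the (field, value) pairs whose outcome differed
    from what the tester expected; an empty list means all checks held."""
    return [(f, v) for f, v, expected in probes if validate(f, v) != expected]


if __name__ == "__main__":
    print(run_probes())                              # []
    print(render_comment("<b>great</b> & cheap"))    # <p>&lt;b&gt;great&lt;/b&gt; &amp; cheap</p>
```

The probe table is the reusable part: each new field gets its own rule and a few hostile values, and the harness is rerun after every code change so that a validation check dropped during maintenance is caught before release.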
Recommended security solutions
As an experienced player in the field of online security, WCS recommends some basic controls that can be incorporated into the HFW website to make it more secure. The recommended measures for the threats discussed in the previous section are:
- Preventing manual errors:
Manual errors occur mainly at two stages: while developing the website, and while operating it through information and data exchange.
WCS recommends secure coding practices for the website developers. Some of the measures that can be taken in this regard are:
- Add validation checks at every point where user input enters the system, the login page included
- Protect every page that collects sensitive input with HTTPS, and store passwords only in hashed form
- Keep the website's TLS certificate valid and renew it before it expires
- Set the session expiry time in the application's central session configuration rather than page by page
- Show users generic error messages, and keep the descriptive detail in server-side logs
- Follow consistent coding standards when defining variables and reusing functions, so that checks are not silently dropped
- Preventing software malfunction threats:
These threats can be reduced by using firewalls to limit which services on the network are reachable, by keeping the server software patched so that known vulnerabilities cannot be exploited to plant malware, and by serving the website over a secured protocol such as HTTPS so that content cannot be altered in transit.
- Preventing network attacks:
As discussed, the network is a critical asset and the one most exposed to attack. Some recommendations for prevention are:
- Avoiding spoofing of the network and DoS:
It is advisable to use ingress filtering: the routers at the network edge (normally operated by the hosting provider or ISP) drop packets whose source address could not legitimately have arrived on that interface, so spoofed requests never reach the website. WCS will specify the filtering requirements and coordinate them with the provider. Note that this stops spoofed traffic only; floods from genuine addresses need rate limiting and provider-side DoS mitigation.
- Avoiding sniffing of the network:
WCS will implement encryption in transit for the whole site by serving every page, not only the login, over HTTPS, so that captured packets reveal neither credentials nor session identifiers.
- Avoiding mapping of the network:
Since the website is already developed, WCS proposes to add cryptography to the existing modules with standard libraries rather than rewriting them, and to reduce what the site reveals about itself: server version banners, detailed error pages and debugging output should be removed.
Implementation strategy and stakeholders involved
Since this is the first time the organization has undergone a web application penetration test, some inertia within the system is to be expected. A successful implementation of the testing, and of a reasonably secure web-based system afterwards, involves three main components of the organization: people, processes and systems.
People are the internal stakeholders of the organization associated with the website. They include software designers, software developers, software testers and website users such as administrators. In order to conduct the test thoroughly, the designers must be allowed to present the logic of the website's design, and further brainstorming should be done with the other stakeholders and with representatives from WCS. Software developers should understand the secure coding practices listed in the previous section and cross-check that they have followed them all. Software testers should be given special training to understand the end-to-end functionality of the website, and should be trained to prepare test cases from the requirements and run them using standard testing tools. Finally, users such as administrators should be taught about the new security systems and should work with the testers to test the system for vulnerabilities.
The processes are the business processes that form part of the online website. All the functions carried out online, such as customer interaction, online transactions and promotion, must be re-engineered to incorporate the new security provisions. The new website should keep all the existing functionality along with the added security features, and users should browse through the website exactly as they did before the testing.
The systems are the existing departments within the organization that use the website, such as the sales department, the advertising department and the data analysts. The new security features must have the consent of all the departments. Each department must be asked for its inputs and expectations of the newly developed solutions, and one representative from each department should act as a user alongside the software testers to test all the functionality related to that department.
Since the security testing is being done for the very first time, the support of senior management is essential. Human and financial resources may not be used exactly as planned and some deviations may creep in; in such cases senior management should be patient and give full support to the testing team. The recommendations from the testing can only be implemented if senior management approves them, so management should be open to the changes and willing to implement them.
Hence, all the internal stakeholders must contribute if the testing is to be done properly and the resulting changes incorporated into the system. WCS can perform its duties freely only if it has the support of these stakeholders and there is two-way communication with them.
Conclusion
A number of security threats have been identified. The focus is to ensure the security of data and information and to keep web browsing safe for users. Manual errors can be reduced by defining standard operating procedures for website developers and training them accordingly. In-house software testing teams should be made aware of all the security threats and trained to run test cases based on them. Encryption of traffic in transit (HTTPS) and of stored sensitive data has been recommended, along with secure coding practices. It is recommended that all the new security checks, including certificates, be integrated into the current business website without affecting its existing functionality.
Since this whole exercise involves the internal stakeholders of the organization, they are all advised to co-ordinate and give their support throughout the testing phases. The solutions recommended can only be implemented with full support from all stakeholders, including management. To make the solutions sustainable, proper standards must be set and well documented.
It is also advisable to review and update the security checks regularly in future. Once the organization is familiar with these processes, it will be able to serve its clients better and give them a good experience, which will ultimately strengthen the brand.
References
Hope, P & Walther, B 2008, Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast, O'Reilly Media.
Watson Hall 2009, Security threats to websites and web applications, viewed 19 October 2011, <https://www.watsonhall.com/methodology/security-threats.pl>.
Mookhey, KK 2009, Common security vulnerabilities in e-commerce systems, Symantec Connect, viewed 19 October 2011, <http://www.symantec.com/connect/articles/common-security-vulnerabilities-e-commerce-systems>.
OWASP, Testing for authentication, viewed 19 October 2011, <https://www.owasp.org/index.php/Testing_for_authentication>.
OWASP, Testing for authorization, viewed 19 October 2011, <https://www.owasp.org/index.php/Testing_for_Authorization>.
OWASP, Testing for session management, viewed 19 October 2011, <https://www.owasp.org/index.php/Testing_for_Session_Management>.
OWASP, Testing for data validation, viewed 19 October 2011, <https://www.owasp.org/index.php/Testing_for_Data_Validation>.