Attempt all the following tasks in the assignment. Marks will be awarded for producing a documented system that meets the requirements as specified below.
Task 1: Security vulnerabilities
You are an Information Security officer working for InfoIT Limited. You have been informed of some vulnerabilities in your company's web server. These can be seen in the following list:
- Missing authorisation
- Download of code without integrity checks
- Broken Authentication and Session Management
- Missing data encryption
- Cross-site-scripting vulnerabilities
a. Give a detailed explanation of how each vulnerability in the above list can be exploited, and give recommendations on what should be done against each of them.
b. You have been told that one of your applications has a "SQL injection" vulnerability. What tools/techniques can be used to detect and exploit "SQL injection"? Perform a SQL injection using an appropriate tool and demonstrate the steps with a brief explanation.
Task 2: Security tools/Techniques
You are an Information Security officer working for TechnoIT Limited. The managing director calls you one day; he looks concerned and says: "The festivities will soon be upon us and we have a new range of products ready to market. For operational reasons, all product files need to be kept on the local server for use by our managers. However, I fear our competitors will hire hackers to access our servers and steal or corrupt our files." The managing director outlines the need for three different methods of protection and requires expert opinion on a relevant technology for each.
a. For each of the following instances, choose a technology that would best serve the required need, describe its operation and justify your choice. Each instance should describe a different technology.
- Prevent hackers from finding a file. Evaluate and justify your answer using literature for the scenario above.
- Prevent hackers from reading a file. Evaluate and justify your answer using literature for the scenario above.
- Enable alteration of a file by a hacker to be detected. Evaluate and justify your answer using literature for the scenario above.
b. For each of the three choices of technology discussed in (a) above, critically analyse how a hacker might attempt to counteract your protection.
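As an added illustration of the third need in Task 2(a) (detecting alteration of a file) and of the "download of code without integrity checks" item in Task 1, the following script is example code written for this brief, not part of the original assignment or any product: it records a keyed SHA-256 (HMAC) manifest of a directory and later reports which files were modified, removed or added. The key and sample files are constructed for the demo; the assumption is that in a real deployment the key and manifest are kept off the protected server, which is what prevents an intruder with write access from simply recomputing the manifest (the counteraction asked about in 2(b)).

```python
import hashlib
import hmac
import os
import tempfile

# Constructed demo key; a real deployment stores the key off the protected host (assumption).
DEMO_KEY = b"constructed-demo-key-not-for-production"


def file_digest(path, key=DEMO_KEY):
    """Keyed SHA-256 (HMAC) over a file's contents, read in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_manifest(root, key=DEMO_KEY):
    """Map every file under root (relative path) to its HMAC."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_digest(full, key)
    return manifest


def verify_manifest(root, manifest, key=DEMO_KEY):
    """Compare the directory against a stored manifest; return the differences."""
    current = build_manifest(root, key)
    modified = [p for p in manifest
                if p in current and not hmac.compare_digest(current[p], manifest[p])]
    missing = [p for p in manifest if p not in current]
    added = [p for p in current if p not in manifest]
    return {"modified": sorted(modified), "missing": sorted(missing), "added": sorted(added)}


def demo():
    """Constructed scenario: take a baseline, then alter, delete and add files."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("price_list.csv", b"sku,price\n1001,9.99\n"), ("launch.docx", b"draft v1")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        baseline = build_manifest(root)           # manifest taken while files are trusted
        with open(os.path.join(root, "price_list.csv"), "ab") as fh:
            fh.write(b"1002,0.01\n")              # tampered price entry
        os.remove(os.path.join(root, "launch.docx"))
        with open(os.path.join(root, "unexpected.txt"), "wb") as fh:
            fh.write(b"not in baseline")
        return verify_manifest(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Running the script prints the three lists; a wrong key makes every baseline file show as modified, which is why the key must not sit beside the files it protects.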
Task 3: Social engineering and BCM
The 2018 information security breaches survey reveals that in 2017, 13% of large companies found hackers had penetrated their corporate defences, compared with 1% in 2016. The report, based on responses from more than 1,000 large companies, shows hackers are "using social engineering attacks to lure staff into insecure behaviour. Insiders have always been the biggest threat, so it is now essential that boards improve security awareness and practice among staff" (Computer Weekly, 2018).
Could Business Continuity Management (BCM) be a solution to deal with the above breach scenario?
a. Describe the two main methods employed by social engineers to 'lure staff into insecure behaviour'.
b. Give a detailed explanation of BCM and its functions (purpose and benefits).
c. What are the three types of backup sites that an organisation can use? Evaluate them with examples.
Task 4: Ethical hacking
- With the aid of a diagram, outline the phases of ethical hacking.
- The first step of hacking is also called the Footprinting and information gathering phase. Name the types of footprinting and explain them with examples.
- Perform network scanning using an appropriate tool (such as Nmap/Zenmap) and analyse the results. Choose any one tool to do this task.