University of XYZ: CIS2005 GambleBet Security Audit Report

Verified

Added on 2023/06/04

AI Summary

This report presents a security audit of GambleBet, a fictitious company facing a credit fraud system breach. The analysis identifies vulnerabilities like SQL injection, cross-site scripting, and other web application attacks. It outlines a phased approach to address the security issues, including establishing security baselines, conducting assessments, identifying attack origins, notifying affected users, and restoring system normalcy. The report emphasizes the importance of senior management support, stakeholder identification, and third-party assessments. Recommendations include installing antivirus software, updating operating systems, using strong passwords, educating clients, avoiding dynamic SQL, updating firewalls, installing web application firewalls, and using appropriate privileges to enhance security. The report concludes by highlighting the need for continuous improvement and preparedness for future attacks, providing a detailed framework for strengthening GambleBet's information security posture.

Principles of
Information Security
(Student’s Name)
(Professor’s Name)
(Course Title)
(Date of Submission)

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

Introduction
 The company of Gamble Bet IT security has been comprised
 The credit fraud system was raising alarm bells. The fraud
originated from credit card numbers of the company clients
 This presentation will perform a threat analysis where the
report will state what ought to be tested and investigated.
 We will outline what measures the organization need to
implement to mitigate the situation. In here the report will
outline security controls so that web applications and web
servers are not comprised again (Gallegos, 2016)

Background and problem analysis
 Web applications and servers are popular
target for hackers and attackers
URL interpretation attack
SQL injection attack
Cross-site scripting
Cross-site request forgery (CSRF)

 Parameter tampering
GambleBet system were
vulnerable to directly traversal
type of attack
LDAP injection
 XML type on injection
Cont.…

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

Threat analysis
The impact of these attacks can range
beyond comprise of the credit card
numbers system example lead to web-
application defacement
SQL injection, can hinder the normal
functioning of the organization web-
application.
This attacks can also lead to huge financial
loss

Cont..
 Phase one: First establish the security baseline
policies
 the organization need to review the security
mechanism which are configured at firewall point
 Phase two: to do a very quick assessment which
should not take more than 10 hours
 Phase three: establishing the where the attack
could have originated

Cont…
Phase four: notifying those account
holders that have been affected
Phase five: Restoring the organization
assets back to normalcy
The last phase is preparing for the next
attack or system comprise (Jaeger,2008)

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

Dependencies and critical success factors
 First secure support from the senior management
 the team need to establish what they know about
the company: Example is to establish both
external and internal stakeholders
 The team also need to establish the architecture
structure of the organization and how information
follows from the CEO to the lowest level (Gupta,
2015).

Cont….
 The audit team also need to establish third party
example the service providers.
 The audit team need to prepare questionnaires, and
interviews with the key staff
 the audit team need to know measurements taken by
the bank and the Gamble Bet to protect where the
web-application reside
 One of the tool required in their audit which ought
to be provided by the company is 05 FTK manager

Recommendation
 install antivirus software in its web-server
 the organization need to keeping its operating
system updated on daily basis
 the organization need to use very strong passwords
for every application and site they use
 Educate their clients on the various forms of
attacks (Pawar, 2015)

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

Cont.…
 one should not use dynamic SQL in their web-
applications
 updating firewall and patch which hackers can exploit
 the organization need to consider installing web-
application firewall
 the organization need to always use appropriate
privileges
 it is always important to keep the organization secrets
secret

References
Gallegos, F., 2016. Audit and control of information system by
Frederick Gallegos. 2st ed. Cincinnati: South-Western Pub.
Gupta, A. a. S. S., 2015. Information System Audit. A study for
security and challenges in, 2(III), pp. 45-67.
Halfond, W. V. J. a. O. A., 2016. A classification of SQL-injection
attacks and countermeasure. In Proceedings of the IEEE International
Symposium on Secure Software Engineering , 1(II), pp. 13-15.
Jaeger, T., 2008. Operating system security by Trent Jaeger. 1st ed.
Chicago: Morgan & Claypool Publishers.
Pawar, 2015. SQL Injection Attacks. KHOJ: Journal of Indian
Management Research and Practices, 4(II), pp. 125-129.