CO4509 - Security Evaluation: Analysis of WidgetsInc Web-Store VM

Verified

Added on 2023/06/12

AI Summary

This report details a security evaluation conducted on WidgetsInc's web-store application by Benny Vandergast Inc. using a VMware virtual machine. The evaluation covers the investigation of system security, setup of the virtual test environment, creation of configuration files, and the testing framework. The report identifies vulnerabilities such as weak passwords, malware presence, lack of data encryption, and potential for phishing attacks. Based on these findings, the report proposes security enhancements, focusing on data encryption and stronger authentication methods to protect sensitive customer information and ensure the integrity of business transactions. Desklib provides access to this and other solved assignments.

Contribute Materials

Your contribution can guide someone’s learning journey. Share your documents today.

SECURITY EVALUATION
Insert Your Name Here
Insert Your Tutor’s Name Here
Institution Affiliation
Date

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

A report on the security testing evaluation for WidgetsInc web-store
Introduction
Web-store is the trending technologies in e-business. Most companies tend to perform their transactions
online. There is a number of advantages of incorporating e-commerce in a company. The advantages
include: increase of sales, accessing a wider market, reducing the cost of operation and increasing the
profit margin. However, the web store has some threats which could led to the failure of a system. The
failures include: password breaches, DOS attacks, ransomware, data destruction and fraud
(TechGenYZ, 2018).
The password breaches is one of the most dangerous activities with the network system. Passwords
make systems distinct from each other. The hackers tend to crack easy passwords and get the access to
the system and can steal the databases or manipulate the processes in the system. The administrative
passwords allow the users to access the hosting servers and the database servers. The password of
access the servers should be strong (Khan, 2014). The passwords should be lengthy and use high
entropy words that are hard to crack.
Secondly, DDOS attacks that means Distributed Denial of Services (Acharya and Pradhan, 2017). This
involves denying legitimate user the permission of using the system. The hackers tend to manipulate
the system and takes control of the system. The hackers inject malware by passing authentication
controls. DDoS can result to major business risks which would affect the business for long. The DDoS
attacks can take long before they are noticed by the security administrators (ZHANG and QIN, 2010).
The e-commerce site are also prone to malware and botnet attack. They would affect the transaction of
the site. There are quite a number of threats.
Security testing is quite important for the web-store application. The security testing involves testing
for the: availability of the system, confidentiality, proper authentication and the resilience of the
system. Since there are many transactions that will be performed through the web-store application the
WidgetsInc must ensure the system is secure before launching it (Giac.org, 2018).
When a system is secure then the company will be assured of customer loyalty, more customers, a
grater profit margin and less cost in the business processes. The company will also be assured of
minimal instances of downtime.
The security threats as mentioned are quite many. The system has to be safe from threats and in case of
any attack the system administrators should be aware of the problem or the attempt of an intrusion. For
assurance of the system security WidgetsInc Company delegated the test evaluation of the web-store

application to Benny Vandergast Inc. Benny Vandergast Inc. provides a VMware that was used in the
testing processes. There are four major practices that were taken into consideration in the testing
processes.
Investigation of the system security
The practices included noting down the issues that can’t be recreate, getting solutions for the collisions
that would happen during the testing, the testing can to be in control in case of the test matrix would
become difficult to manage and the team would ensure that the VMware used in testing would provide
smart monitoring of the activities that took place in the system. First, there are some error that can be
encountered but can be reproduced. In such cases, the errors could have cause the system to crash. So,
trying to produce the errors would be impossible. The solution to such a problem, is use of VMware
Snapshots tool. The tools allowed the team that was testing to go back and view the execution that
would lead to the system crash. The VMware Snapshot tools tends to save recorded session to view
them later. Secondly, there are some test would require to be tested simultaneously within a similar
environment. The situation seem a bit challenge by cloning and network fencing practices would be
applicable in such a scenario. The third point is, able to manage the process even when the test matrix
becomes challenging to manage. The team that was involved in the testing process came up with some
testing levels. The testing was divided into three testing levels. The First level involved, testing of the
servers and the databases. The second level involved testing the network and the third level involved
testing the work stations to be used. Using the level in testing eased the testing process. Finally, the
testing crew had to come up with a monitoring system whereby, the people involved in the testing
would easily identify any intrusion in the system. A VMware monitoring tool that was used was the
Opvizor. Also, Snap-watcher played a great role in the monitoring of the system. The Snapwatch is able
to capture the VMware snapshots. This makes the monitoring of the transaction easier.
The Set up and the configuration of virtual test environment.
Benny Vandergast Inc. had to set up the virtualization infrastructure. VMware ESXi Server was
installed in the infrastructure. There were a few prerequisites that were required in the set up process.
The recommended RAM of about 4 GB RAM. This was meant to ensure that multiple VMs would be
running on the top of the base OS. The machine is supposed to be 64-bit virtual Machine. That were set
to run on a disk array which was different from the operating system runs on. The Virtual Machine runs
on a different disk. The installer tends to create basic service which run on the host machine during the
installation process. The services were used in managing the virtual environment created. After the
installation was completed the computer was restarted and the testing crew also installed PowerCLI

(Dekens, 2016). The PowerCLI is used to connect to the local VMware ESXi Server (Ixiacom.com,
2018). The server should be connected to 192.168.1.1 and enter the credentials. There were other tools
that were required in the testing that were installed in the VM. The process makes easier and the VM
performance is improved.
After installing was complete and successful, Benny Vandergast began the testing process. The whole
process of virtualization allowed them to consolidate the service, use minimal space, perform less
coding and less power was used (Mastering Vmware Vsphere 4, 2011).
The network interface cards of the VMware ESXi Server were installed and configured, The Operating
System ought to be updates as well as the Virtual Machine IP and DNS records were update. On the
completion of the VM configuration and the configuration of the network, a snap of the VM was taken.
The caption is require to contain the initial configuration of the VM before testing commenced. The
snapshot would be used to get back to the initial step when necessary (Keikha and Sadeq, 2015).
Creating configuration files
Data about the environment in which the testing is performed is necessary. The environment can be
given a variable name. The environment could be give $testenv. The variable can be used to store
names of the Virtual Machined created or cloned, the name of the server and the database table. The
Network Interface Card installed in the Virtual Machine was used in building the configuration file to
the executions that will take place in the future. The configuration files created would also be used in
making a report. The NIC variable is used in storing information such as IP, DNS, Subnet masks and
much more information. The scripts are the combined and the VM creates a config file with the IP
being used (Offutt, 2008).
Test and the test framework
There is much customization to execute the custom scripts. Some action can be automated by copying
the files to the Guest office. The activities that were automated included: downloading and installing
the software to be tested, the sources were synced with the test and the frameworks, the management of
Microsoft products via PowerShell API (Tachev, 2016). The executable files which include ZIP files,
dll and other files were copied into the VM’s local system. After that the set were synced to the source
control repository. Any script that was executed would point to another script or to its self. When the
script ws executed, the results returned in real time during the testing phase. One the result is display in
a various test, another snapshot s necessary (LI et al., 2014).

Secure Best Marks with AI Grader

Need help grading? Try our AI Grader for instant feedback on your assignments.

Creating a report
Once the test is complete, a report was generated for the outcome. The system was found to be
vulnerable. The result is based on the snapshot that are take. The system was found to have some loop
holes. The issues include the authentication, malware, phishing, unwanted scripts, and lack of
encryption of the webstore (Shmueli, 2008).
The uses of weak passwords and lack of authentication is the main root of security breaches. Some of
the users in the system has set simple passwords such as 1234.Such a password is easy to crack by
hackers. When hackers can attacks the system by cracking the weak passwords they tend to do
malicious activities such as inserting scripts that may affect the normal transaction of the business
(Merali, 2010). The web-store developers have not deployed the encryption of the password. The
hackers can easily retrieve password that are not encrypted using hash. Password is one of the key
factor that should be high enhanced by ensuring password encryption and not allowing the users to use
the weak password while logging into the system (Gualdoni et al., 2017).
Secondly, the system has a malware. This is a dominant issue with the e-businesses. The malwares can
assist the hackers to gain sensitive information from the web-store application. A malware attack can
destroy the company reputation and brand. This is because the hacker insert scripts that interfere with
business transactions. The malware can also interfere with the payment process. The hackers can access
the credit card information of the customer and use the information in other transactions. These may
lead to loss of trust from the customer and the company may end up losing most of the customer.
Malware programs could wreak havoc by adding to execution of actions. The actions include
downloading the software without permission and adding some illegal process into the system.
Malware programs enhance phishing. Whereby, a criminal would host another site that look like the
wen-store application for the company and pretend to be the actual site. Customers may end up giving
their credit card information to the hackers. This is a critical area that need to be addressed.
The data being transmitted through the network is not encrypted. Lack of data encryption is putting
customer data at risk. There are quite a number of transaction in e-commerce which results to much
data generated. The data in transit is not encrypted and the hacker gets access to the data then it is prone
to data theft or data manipulation. This many negatively affect the business by losing the trust from the
customers and losing more customers. Also lack of proper encryption can safeguard data against nearly
any threat. Encryption of programs are difficult to implement but it is important to follow the right
procedure while encrypting the data.
.
Proposal to the company

One of the vulnerabilities spotted in the webstore is lack of encryption. The developer need to apply the
encryption practice in the system. Encryption is necessary when it comes to protecting the data in the
system. In most cases the critical information is an attractive target to cybercriminals. Encryption of
data should be applied correctly. The developer should analysis the data that requires to be encrypted.
The critical and the sensitive data ought to be encrypted. Encryption prevents unauthorized personnel
from acquiring the encrypted data. This allows only the people who have been authorized of access
critical or sensitive data. Example of critical information that ought to be encrypted include: credit card
information, payment details, names, birthdates, the security numbers and many more. Data in transit
need to be encrypted until it reaches the destination for decryption. The other factor to consider in the
encryption of the information is how the encryption will interact with the cloud systems. Encryption is
necessary in cloud computing. This enhance the security of the company data in cloud-based platforms
such as Saas and data analytic programs such as Google analytics. Encryption for cloud computing is a
bit complex but has to be done accordingly. Another factor to consider before the encryption process, is
that the developer have to determine the algorithm to be used in the encryption process. There are a
number of requirements for the primary encryptions. The algorithm used has to match the international
standards. Finally, proper key management has to be enhance. Use of the right key enhances protection
of the data. The administrators should ensure the decryption key is properly managed. The decryption
key should only be sent to the receivers of the data. The encryption keys should be stored in encryption
keys in a safe location.
The other vulnerability is attack of malware. Malware violates the host intrusion in the web-store
application. The malware creators e some automated tools to change the code responsibly (Imagine
Monkey, 2018). Malwares include viruses, Trojans and other malware programs. The hacker tend to
inject script which may download some of the software with some sensitive information for the
business as well as the customer data. The hackers tend to the sell the information, thus the information
could be vandalized, and there are several ways of protecting the web-store application from the
malwares. The company should have the initial inventory of products to be sold online. To follow up on
the flow of goods all transactions. The server should ensure that all the users are legitimate to use the
system. The company should also get to know the people who have access to the data. The
administrator should ensure that few people can access the database (Owasp.org, 2018). When there is
a high number of people accessing, the higher database the risks. Only the system administrator and the
key member should have access to the database. The database is a sensitive asset in the company,
which has limitations in accessing it. With few people accessing the data, it would be easy to detect an
unauthenticated access to the server. Finally, to reduce the attack by malwares the company should

have a privacy policy. This policy is should contain policy about the customer information collected.
The policy will held in building the trust with the employees.
The company is required to install a trusted antivirus software. The anti-virus will help in reducing the
attack in the system. There are a number of benefits associated with the installation of the anti-virus in
the servers. Anti-virus protect the system from attack by the virus. Customers or the employees tend to
download some files from the internet (Anon, 2018). The file that they download could contain the
virus. These virus are detected and removed by the anti-virus software. The antivirus can detect and
deleted 99 percent of the known viruses. The anti-virus is also a tools that is appropriate for protection
against spam. Spam involves the employees receiving mails which are of no use to the recipients. In
most cases one cannot tell the origin of the sender. This is a clear indication that there is a virus that is
embedded in the computer. With the help of the anti-virus, the virus will be detected and deleted from
the system after the scanning process.
Conclusion
In conclusion, the security evaluation is a basic practice, which should be done often to ensure the
system being used is safe (Kossecki, 2012). Most people believe that transaction done online are safe
compared to the transactions dine offline, this is not true, as there is a number of threats in using the
online transactions compared to the offline transactions. The online transaction has many benefits. The
benefits include, personal security, wider market access, increment of sales opportunities, transactions
can be process 24/7, the payments are flexible, greater profit margins and the system can be used
internationally. The advantages are only meaningful, only when the system is secure (Vilalta, 2012).
The security implemented is to measure the level of attack by hackers into the system. Internet security
is the most important factor in e-commerce. Without security, then e-commerce would flop.
Recommendation
From the testing that is done on the system, the company should perform such test monthly (Rajput,
2009). This is to ensure that there are no vulnerabilities found in the system. During the first security
test, some issues were detected with the system which are solvable (Smith, 2008). This issues should be
avoided at all cost. Also, the system administrator should perform daily monitoring of the system. E-
commerce is successful trend in business. The system administrator should add some e-commerce
analytic tool to the system.
An example of an e-commerce analytic tool is Google Analytic. This tool is used to monitor all the
traction in the system. The system administrator can be able to tell the behavior of the customers in the

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

site. This would be an important tool of tracking malicious visitors on the site. All the events about a
customer are logged into the Google Analytic tool (Farney and McHale, 2013). Google Analytic tool is
free and the tools displayed graphical reports on the events taking place on the web-store. Google
Analytic help the company to make valid decision based on the report given by Google Analytic tool
(Brock, 2017).
Finally, the security aps of the system opt to be fixed immediately. Once WidgetsInc has implanted the
proposed way of solving the problems that were identified, the company will make huge profit
margins. The business should always aim in having a system with accurate, up-to-date and reliable
data.

Reference
Ixiacom.com. (2018). The Ixia Difference in Virtualization Testing | Ixia. [online] Available at:
https://www.ixiacom.com/resources/ixia-difference-virtualization-testing [Accessed 22 May 2018].
Anon, (2018). [online] Available at: http://www.toptenreviews.com/software/articles/the-benefits-of-
having-anti-virus-protection/ [Accessed 23 May 2018].
Owasp.org. (2018). Top 10 2014-I2 Insufficient Authentication/Authorization - OWASP. [online]
Available at: https://www.owasp.org/index.php/Top_10_2014-I2_Insufficient_Authentication/
Authorization [Accessed 23 May 2018].
Imagine Monkey, I. and Imagine Monkey (2018). Malware: Protecting Your eCommerce Website -
Imagine Monkey, Inc.. [online] Imagine Monkey, Inc. Available at:
https://www.imaginemonkey.com/ecommerce-malware/ [Accessed 23 May 2018].
Giac.org. (2018). [online] Available at: https://www.giac.org/paper/gsec/2067/strong-user-
authentication-electronic-mobile-commerce/103557 [Accessed 23 May 2018].
Khan, R. (2014). Open Disclosure of Vulnerabilities and Hackers. SSRN Electronic Journal.
ZHANG, J. and QIN, Z. (2010). Modified method of detecting DDoS attacks based on entropy.
Journal of Computer Applications, 30(7), pp.1778-1781.
Acharya, S. and Pradhan, N. (2017). DDoS Simulation and Hybrid DDoS Defense Mechanism.
International Journal of Computer Applications, 163(9), pp.20-24.
Brock, T. (2017). Performance Analytics: The Missing Big Data Link Between Learning Analytics and
Business Analytics. Performance Improvement, 56(7), pp.6-16.
Gualdoni, J., Kurtz, A., Myzyri, I., Wheeler, M. and Rizvi, S. (2017). Secure Online Transaction
Algorithm: Securing Online Transaction Using Two-Factor Authentication. Procedia Computer
Science, 114, pp.93-99.

Shmueli, G. (2008). Statistical Inference with Large (eCommerce) Datasets. SSRN Electronic Journal.
Keikha, Z. and Sadeq, M. (2015). The E-readiness Assessment Pattern Designing with an Approach to
Ecommerce (a Case Study Conducted in Sistan and Balouchestan Province of Iran). International
Journal of Engineering Research, 4(2), pp.85-92.
LI, H., WANG, S., LIU, C., ZHENG, J. and LI, Z. (2014). Software Reliability Model Considering
both Testing Effort and Testing Coverage. Journal of Software, 24(4), pp.749-760.
Vilalta, A. (2012). Online Dispute Resolution & eCommerce. IN3 Working Paper Series.
Merali, Z. (2010). Hackers blind quantum cryptographers. Nature.
Tachev, T. (2016). API (API Economy). SSRN Electronic Journal.
Kossecki, P. (2012). Building Trust in eCommerce - Quantitative Analysis. SSRN Electronic Journal.
Rajput, W. (2009). E-Commerce systems architecture and applications. Boston, Mass.: Artech House.
Dekens, L. (2016). VMware vSphere powerCLI reference. Indianapolis: Sybex, a Wiley brand.
TechGenYZ. (2018). What is e-commerce and what are the major threats to e-commerce security?.
[online] Available at: https://www.techgenyz.com/2017/04/05/e-commerce-major-threats-e-commerce-
security/ [Accessed 22 May 2018].
Offutt, J. (2008). Editorial: Software testing is an elephant. Software Testing, Verification and
Reliability, 18(4), pp.191-192.
Farney, T. and McHale, N. (2013). Maximizing Google Analytics. Chicago, IL: ALA TechSource.
Mastering Vmware Vsphere 4. (2011). Sybex Inc.