
Turnitin Cover Page - Submission ID trn:oid:::2:769251904

MOHAMMAD MUNEM SARWAR
196750_MOHAMMAD_MUNEM_SARWAR_L5DC_NSC_NCP.docx
EcoMart Digital Marketplace
L5DC NSC
Daffodil Institute of IT

Document Details
Submission ID: trn:oid:::2:769251904
Submission Date: Apr 30, 2024, 8:59 AM GMT+1
Download Date: Apr 30, 2024, 9:26 AM GMT+1
File Name: 196750_MOHAMMAD_MUNEM_SARWAR_L5DC_NSC_NCP.docx
File Size: 147.1 KB
11 Pages, 2,212 Words, 13,018 Characters

AI Writing Overview
How much of this submission has been generated by AI? 67% of qualifying text in this submission has been determined to be generated by AI.
Caution: Percentage may not indicate academic misconduct. Review required.


Task 1:

a) After reading and analyzing the scenario, the identification of the 5 most important
electronically held information by the EcoMart are justified below:

❖ Customer Information Database: The fact that this asset holds the personal and
payment information of clients makes it a very important asset. It is possible that if
the security is breached, there could be immediate financial repercussions as well
as a loss of trust from customers, which will result in harm to EcoMart's reputation
as well as possible legal liabilities. When it comes to identity theft or financial fraud,
it is quite beneficial to those who commit these crimes.

❖ E-commerce Website Database: The website serves as the main platform for
interacting with customers, where it displays product catalogs, descriptions, and
reviews. Any interruption or compromise of data might result in a decline in sales
and consumer discontent. Additionally, it encompasses backend data that is
crucial for the operation of the e-commerce platform.

❖ Order Management System: The system manages and monitors consumer
orders, inventories, and the delivery of digital items. Disruption may result in clients
not receiving their items, which can lead to customer service complications and
financial losses. Ensuring company continuity is of utmost importance.

❖ Employee Payroll Information and Tax Records: This encompasses
confidential employee data, including salary information, banking particulars, and
social security numbers. Illegitimate entry can result in breaches of privacy, and
financial misappropriation, and possibly be exploited for nefarious purposes such
as identity theft or extortion.

❖ Digital Product Repository: This is the central aspect of EcoMart's products,
encompassing the tangible digital items that are being sold, such as e-books, audio
tracks, and digital artwork. Unauthorized access or distribution can result in the
loss of intellectual property and revenue, as well as legal complications related to
copyright infringement.


MOHAMMAD_MUNEM_SARWAR_P00196750_NSC

b)

Asset                          Threat                        CIA?   Likelihood  Impact  Risk
Customer Information Database  Phishing Attack               C,I    Medium      High    High
                               SQL Injection                 C,I    Low         High    Medium
                               Insider Threat                C,I    Low         High    Medium
E-commerce Website Database    DDoS Attack                   A      Medium      High    High
                               Unauthorized Access           C,I    Low         High    Medium
                               Code Exploits                 C,I    Medium      High    High
Order Management System        Ransomware                    C,I,A  Low         High    Medium
                               System Outage                 A      Medium      Medium  Medium
                               Data Manipulation             C,I    Low         High    Medium
Employee Payroll Information   Insider Threat                C      Low         High    Medium
                               Accidental Data Leak          C      Medium      Medium  Medium
                               Malware Infection             C,I,A  Low         High    Medium
Digital Product Repository     Intellectual Property Theft   C,I    Medium      High    High
                               Data Corruption               I,A    Low         High    Medium
                               Unauthorized Distribution     C,I    Medium      High    High


Task 2:

a) Threats and Security Implementations:

Based on the above situation, we will now examine the security measures that might
reduce the identified risks.

Threat: Server Failure (Customer Information Database)

Security Implementation:

Redundancy: Implement a duplicated server configuration, such as RAID, to guarantee
that data is replicated over several drives.

Backup and Disaster Recovery: Ensure the frequent implementation of automatic
backups and establish a comprehensive plan for disaster recovery.

High Availability: Implement a High Availability setup that enables automatic switching
to a backup server in case the main server has a failure.

Threat: Employee Theft (Employee Payroll Information)

Security Implementation:

Access Control: Enforce the use of role-based access control (RBAC) to restrict access
to sensitive data to only authorized workers.

User Activity Monitoring: Implement systems that actively monitor and record user
actions to identify and investigate instances of illegal access or suspicious conduct.

Encryption: Guarantee that confidential information is encoded while stored and during
transmission to prevent unauthorized access, even if the data is intercepted.

Threat: Unauthorized Access (E-commerce Website Database)

Security Implementation:


Firewall and Intrusion Detection Systems (IDS): Utilize a web application firewall
(WAF) and intrusion detection systems (IDS) to oversee and prevent harmful network
traffic.

Regular Security Audits and Penetration Testing: Perform routine security audits and
penetration testing to detect and address problems.

Threat: Intellectual Property Theft (Digital Product Repository)

Security Implementation:

Digital Rights Management: Use digital rights management (DRM) software to
safeguard digital goods against illegal duplication and distribution.

Secure Access: When sending and receiving files from NAS devices, use secure
protocols like Secure File Transfer Protocol (SFTP) rather than FTP.

Threat: Data Corruption (Order Management System)

Security Implementation:

Data Validation: Prevent SQL injection and other types of data corruption by
implementing input validation tests for data.

Transaction Logging: To revert changes in the case of corruption, it is recommended to
enable comprehensive transaction logs.
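
The data-validation point above is easiest to see with the two forms side by side. The following is an added example, not code from the assignment: an in-memory SQLite table stands in for the order management database (the schema, rows and the `ORD-` id format are constructed assumptions), and a lookup that splices user input into the SQL text is contrasted with one that validates the id and binds it as a parameter.

```python
import re
import sqlite3

# Constructed stand-in for EcoMart's order table (assumption: schema and rows are demo data).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id TEXT PRIMARY KEY, customer TEXT, item TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [("ORD-1001", "alice", "ebook-42"), ("ORD-1002", "bob", "track-7")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, order_id: str) -> list:
    # Defect on purpose: the caller's value is spliced into the SQL text, so a
    # value containing quotes rewrites the WHERE clause instead of matching an id.
    sql = f"SELECT customer, item FROM orders WHERE id = '{order_id}'"
    return conn.execute(sql).fetchall()

# Assumption: EcoMart order ids look like ORD- followed by 4 to 10 digits.
ORDER_ID_RE = re.compile(r"ORD-\d{4,10}")

def lookup_hardened(conn: sqlite3.Connection, order_id: str) -> list:
    # Layer 1 - input validation: reject anything not shaped like an order id.
    if not ORDER_ID_RE.fullmatch(order_id):
        raise ValueError(f"rejected order id: {order_id!r}")
    # Layer 2 - parameter binding: the driver passes the value separately from the
    # statement, so it is never parsed as SQL even if validation were bypassed.
    return conn.execute(
        "SELECT customer, item FROM orders WHERE id = ?", (order_id,)
    ).fetchall()

def is_rejected(conn: sqlite3.Connection, order_id: str) -> bool:
    """True when the hardened lookup refuses the value (used to show the contrast)."""
    try:
        lookup_hardened(conn, order_id)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal id :", lookup_vulnerable(db, "ORD-1001"))
    print("vulnerable, tautology :", lookup_vulnerable(db, "' OR '1'='1"))  # returns every row
    print("hardened, normal id   :", lookup_hardened(db, "ORD-1001"))
    print("hardened, tautology   :", "rejected" if is_rejected(db, "' OR '1'='1") else "accepted")
```

Validation and parameter binding are kept as two separate layers on purpose: the format check stops malformed ids at the edge and gives a clean error, while binding is what actually makes the query safe, so a gap in the regex does not reopen the injection.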

b) Known Vulnerabilities and Security Recommendations:

Vulnerabilities in NAS Devices

QNAP NAS Vulnerabilities: There have been several security issues with QNAP NAS
equipment in the past, such as ransomware and illegal access. Issues with inappropriate
access controls are exemplified by CVE-2021-28799.

Security Recommendations:


Firmware Updates: Ensure that the firmware of the NAS is regularly updated to address
and minimize any known security weaknesses.

Disable Unnecessary Services: Disable services such as Telnet and FTP if they are not
being used, or substitute them with more secure options such as SSH and SFTP.

Network Segmentation: Implement network segmentation by isolating the NAS devices
on a distinct network segment to restrict access.

Vulnerabilities in Shopping Feed PrestaShop Plugin

Plugin Vulnerabilities: Plugin vulnerabilities refer to security weaknesses that may be
found in plugins, which can be exploited by unauthorized individuals to obtain access or
disrupt services. Examples of vulnerabilities include SQL injection and cross-site scripting
(XSS).

Security Recommendations:

Regular Updates: Maintain the plugin's currency by installing the most recent security
updates.

Code Review and Testing: Conduct code review and testing to detect vulnerabilities in
the plugin before they may be maliciously exploited.

Security Risks and Countermeasures for Email Delivery of Download Links:

Risk: Interception of Download Links

Countermeasures:

Encryption: Utilize email encryption to safeguard the contents from potential interception.

One-time Links: Incorporate links that automatically expire after being accessed once
to safeguard against unwanted downloading in the event of interception.
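
One way to build the one-time, expiring links described above, as an added example that is not part of the assignment: each link carries an HMAC-signed token with an expiry time and a random nonce, and the server records redeemed nonces so an intercepted copy is useless after the first download. The secret key, the in-memory redemption set and the id formats are constructed for the demo; a deployment would keep the key in a secrets store and the redeemed set in a database.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: in practice this key is loaded from a secrets manager, never hard-coded.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
LINK_TTL_SECONDS = 24 * 3600  # links stop working a day after issue

class DownloadLinks:
    """Issues and redeems single-use, time-limited download tokens."""

    def __init__(self, key=SECRET_KEY, ttl=LINK_TTL_SECONDS, clock=time.time):
        self._key = key
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be exercised deterministically
        self._redeemed = set()       # nonces already used (constructed in-memory store)

    def _sign(self, payload: str) -> bytes:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest().encode()

    def issue(self, order_id: str, product_id: str) -> str:
        # Assumption: order_id and product_id contain no '.' characters.
        nonce = secrets.token_urlsafe(16)
        expires = int(self._clock()) + self._ttl
        payload = f"{order_id}.{product_id}.{expires}.{nonce}"
        return f"{payload}.{self._sign(payload).decode()}"

    def redeem(self, token: str):
        """Return (True, product_id) for a valid, unexpired, unused token, else (False, reason)."""
        try:
            order_id, product_id, expires, nonce, sig = token.rsplit(".", 4)
        except ValueError:
            return False, "malformed"
        payload = f"{order_id}.{product_id}.{expires}.{nonce}"
        # Constant-time comparison: a forged or edited link fails here before anything else.
        if not hmac.compare_digest(self._sign(payload), sig.encode()):
            return False, "bad signature"
        if int(self._clock()) > int(expires):
            return False, "expired"
        if nonce in self._redeemed:
            return False, "already used"   # second use of an intercepted link is refused
        self._redeemed.add(nonce)
        return True, product_id

if __name__ == "__main__":
    links = DownloadLinks()
    token = links.issue("ORD-1001", "ebook-42")
    print("first use :", links.redeem(token))
    print("second use:", links.redeem(token))
```

The signature is checked before the expiry and the nonce so that no state is consulted for a token the server never issued; the redeemed-nonce set grows only with legitimately issued tokens and can be pruned once their expiry passes.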

Risk: Phishing

Countermeasures:


Email Authentication: Employ DMARC, DKIM, and SPF protocols to verify the
authenticity of emails and deter spoofing.

Customer Education: Provide consumers with information regarding the appearance of
official correspondence to aid in the detection of phishing efforts.

Task 3:

a) Key Features of a VPN and Application to the Scenario:

A Virtual Private Network (VPN) makes a safe, protected link over a less safe network,
like the internet. The most important parts of a VPN are:

Encryption: This makes sure that anyone who gets a hold of the data sent between the
faraway user and the company network can't read it.

Authentication: VPNs need authentication to make sure that the people or machines
trying to connect to the network are who they say they are.

Data Integrity: VPNs can check to see if data has been changed while it's being sent
and received, making sure that what was sent and received are the same.

For EcoMart, a VPN would be beneficial for:

Secure Remote Access: Employees may safely access the e-commerce website and
NAS from remote places, preventing the exposure of sensitive data over the internet.

Data Protection: Implementing encryption ensures the safeguarding of consumer and
corporate data throughout its transmission across the network.

Some types of VPN links that could work for EcoMart are:

Site-to-Site VPN: Because EcoMart may have more than one address, a site-to-site VPN
could safely connect the networks of these sites.

Remote Access VPN: A remote access VPN is helpful for employees who need to
connect to the company network from home.


b) Firewalls, DMZ, and Network Diagram:

Firewalls prevent unauthorized access to private networks. They can be used with
hardware, software, or both. Firewalls check all network data, in and out, and make
decisions based on rules.

A Demilitarized Zone (DMZ) allows an untrusted network, such as the internet, to access an
organization's public services. A DMZ protects an organization's LAN. Only DMZ
equipment may be directly accessed by an outside attacker.

Figure: Network Diagram

Justification:


To defend the network from internet threats, a firewall would be installed at the network's
edge. It would filter both incoming and outgoing data. To prevent attacks from the DMZ
from reaching the internal network, a second firewall would be installed. By encrypting
data and authenticating users, the VPN makes sure that remote access is safe. While
maintaining the security of the internal network, the DMZ grants public access to the
e-commerce site.

c) Improving NAS Security:

To improve the security of network services enabled on the NAS devices, consider the
following:

Network Segmentation: Deploy NAS devices on a distinct network segment or VLAN to
limit access.

Firewalls: It is important to place NAS systems behind a firewall to regulate and restrict
access.

Access Controls: Enforce stringent access restrictions that adhere to the idea of granting
the minimum necessary privileges. Enable just essential services and restrict access to
those who need it.

Protocols: Disable obsolete and vulnerable protocols such as SMBv1 and FTP. Utilize
secure protocols such as SMBv3, SFTP, or SCP to transfer files.

Regular Updates: Ensure that the firmware and software of your NAS are regularly
updated to safeguard against known vulnerabilities.

Physical Security: Ensure that the Network Attached Storage (NAS) device is stored in
a safe location, to prevent any unwanted physical access.

Encryption: Encryption should be employed to safeguard data at rest, hence mitigating
the risk of data breaches in the event of physical theft of the NAS.
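
The service and protocol items above (and the "Disable Unnecessary Services" recommendation in Task 2b) can be turned into a repeatable check. The following is an added example, not code from the assignment or from any NAS vendor: it audits a list of enabled services and a Samba-style smb.conf, reporting the weak settings beside the hardened ones. `server min protocol` and `smb encrypt` are real Samba parameters; whether a given NAS exposes its configuration in this form is an assumption, and both config texts are constructed.

```python
import configparser

# Services the text says to disable or replace, with the secure substitute.
INSECURE_SERVICES = {"telnet": "ssh", "ftp": "sftp", "smb1": "smb3"}
# Samba dialect names for 'server min protocol' that still admit SMB1 clients.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}

# Constructed weak configuration: SMB1 allowed, transport encryption not required.
WEAK_SMB_CONF = """
[global]
workgroup = ECOMART
server min protocol = NT1
server max protocol = SMB3
"""

# Constructed hardened configuration: SMB3 only, encryption required on every share.
HARDENED_SMB_CONF = """
[global]
workgroup = ECOMART
server min protocol = SMB3
server max protocol = SMB3
smb encrypt = required
"""

def audit_services(enabled_services):
    """Flag each enabled service that the hardening guidance says to disable or replace."""
    findings = []
    for name in enabled_services:
        key = name.strip().lower()
        if key in INSECURE_SERVICES:
            findings.append(f"{key} is enabled: disable it or replace with {INSECURE_SERVICES[key]}")
    return findings

def audit_smb_conf(conf_text):
    """Check the [global] section of an smb.conf for SMB1 and unencrypted transport."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_section("global"):
        return ["no [global] section found; cannot verify SMB settings"]
    g = cp["global"]
    findings = []
    min_proto = g.get("server min protocol")
    if min_proto is None:
        findings.append("server min protocol not set: confirm the device default disables SMB1")
    elif min_proto.strip().upper() in SMB1_DIALECTS:
        findings.append(f"server min protocol = {min_proto.strip()} admits SMB1 clients; set SMB2 or SMB3")
    if g.get("smb encrypt", "").strip().lower() != "required":
        findings.append("smb encrypt is not 'required': file data can cross the network in clear text")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit_smb_conf(conf) or ["no findings"])
    print("services", audit_services(["ssh", "Telnet", "FTP", "https"]))
```

Running the same two functions from a scheduled job keeps the "disable obsolete protocols" item from regressing silently after a firmware update or a configuration restore.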


By integrating these technologies, protocols, and methodologies, EcoMart may greatly
improve the security of its NAS systems and entire network architecture.

Task 4:

In order to ensure the ongoing efficacy of the security policies that have been put in place,
I would build a systematic and uninterrupted security management process. This process
would involve periodic updates, audits, training sessions, and real-time monitoring.

Regular Updates and Patch Management: Make sure that all systems, like the firmware
on your VPN and router, always have the most recent security fixes installed. Set up a
patch control program to make this process go more quickly.

Security assessments: Conduct frequent security assessments to evaluate the
effectiveness of security measures. This involves conducting security assessments to
identify any vulnerabilities that might be exploited for unauthorized access.

Employee Training: Ensure that all workers, particularly those with managerial privileges,
get periodic security training to enable them to promptly identify and respond to security
risks.

Real-Time Monitoring: Employ security information and event management (SIEM)
solutions to actively observe and analyze security warnings transmitted by network
hardware and software in real time. Configure notifications for any anomalous activity that
may indicate a security breach or an attempted intrusion.
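
A concrete form of the "notifications for anomalous activity" above is a detection rule over authentication logs. The following is an added example, not code from the assignment or from any SIEM product: it parses constructed NAS and VPN login records (the line format, hostnames and RFC 5737 test addresses are assumptions), raises one alert when a single source exceeds a number of failed logins inside a sliding window, and marks the alert if that source later logs in successfully, which is the case an analyst wants to see first.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed (constructed) line format: "<ISO timestamp> <host> auth: <FAIL|OK> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: a burst of failures from one address, then a success from it.
SAMPLE_LOG = """\
2024-04-30T08:00:01 nas01 auth: FAIL user=admin src=203.0.113.7
2024-04-30T08:00:05 nas01 auth: FAIL user=admin src=203.0.113.7
2024-04-30T08:00:09 nas01 auth: FAIL user=root src=203.0.113.7
2024-04-30T08:00:12 nas01 auth: FAIL user=admin src=203.0.113.7
2024-04-30T08:00:15 nas01 auth: FAIL user=backup src=203.0.113.7
2024-04-30T08:00:20 vpn01 auth: FAIL user=alice src=198.51.100.4
2024-04-30T08:00:31 vpn01 auth: OK user=alice src=198.51.100.4
2024-04-30T08:00:40 nas01 auth: OK user=admin src=203.0.113.7
this line is not in the expected format and is skipped
"""

def parse_events(lines):
    """Yield one dict per well-formed line; unparseable lines are dropped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        yield ev

def detect_failed_login_bursts(lines, threshold=5, window_seconds=60):
    """Alert once per source that reaches `threshold` failures within `window_seconds`."""
    recent = defaultdict(deque)   # src -> failures still inside the window
    alerts = {}                   # src -> alert dict (one alert per source)
    for ev in parse_events(lines):
        src = ev["src"]
        if ev["result"] == "OK":
            if src in alerts:     # success after a burst: possible credential compromise
                alerts[src]["success_after_burst"] = True
            continue
        q = recent[src]
        q.append(ev)
        while q and (ev["ts"] - q[0]["ts"]).total_seconds() > window_seconds:
            q.popleft()           # slide the window forward
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {
                "src": src,
                "host": ev["host"],
                "failures": len(q),
                "users": sorted({e["user"] for e in q}),
                "first": q[0]["ts"].isoformat(),
                "last": ev["ts"].isoformat(),
                "success_after_burst": False,
            }
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_failed_login_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

The threshold and window are the tunables a SIEM exposes; the point of the `success_after_burst` flag is triage order, since a burst that ends in a successful login is the one to investigate before the others.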

Incident Response Plan: Develop and maintain an incident response strategy to ensure
prompt and efficient action in the event of a security breach. Incorporate routine exercises
to ensure that all team members have the necessary skills and knowledge.


Review and Adjust: Establishing security measures is an ongoing and continuous
activity, rather than a singular event. Regularly assess the degree of protection and
modify it as necessary to address emerging dangers, changes in the business
environment, or advancements in technology.

By incorporating these techniques into the day-to-day functioning of EcoMart, the security
tactics may be actively supervised to adjust to a changing threat environment.

Task 5:

I learned more about how hard it is to balance security measures with operational
efficiency as I thought about the task. Some problems came up when trying to find the
best security options that would work with EcoMart's design and not slow it down or make
it harder to use. To solve this problem, I did a lot of study on a variety of security options,
looking at things like how easy they are to integrate, how much they cost, and how
scalable they are.

Ensuring the comprehensibility of the technical recommendations for all stakeholders
was an additional challenge. To address this issue, I focused on elucidating technical
terminology and providing rationales using plain English, so enabling non-technical
personnel to comprehend the concepts and appreciate their potential benefits.

Upon reflection, my action plan would encompass:

1. Starting with a more thorough risk assessment that took into account feedback
from different areas to make sure that all possible threats were taken into account.
2. Putting more weight on solutions that strike a better balance between security and
user experience, possibly by looking into more case studies or examples from the
industry.
3. By giving people more time to look into other answers, more choices will be
available to EcoMart.
4. Improving contact with partners by giving them regular updates and making sure
their opinions were taken into account when decisions were being made.


If I had to do it all over again, I would involve more people from the start and make sure
that the solutions were not only technically sound but also fit with the user needs and the
business's strategic goals.
