
FACULTY OF BUSINESS MANAGEMENT SCIENCES AND ECONOMICS

DEPARTMENT OF FINANCE AND ACCOUNTING

COURSE: ARMGT305 (CYBERSECURITY)


LECTURER: MR M. MUDUVA
SUBMITTED: THURS. 6TH JUNE 2024
GROUP ASSIGNMENT: METHODS OF MITIGATING WEBSITE HACKS

GROUP 5 MEMBERS, CHARITY CONSULTANTS


SURNAME NAME REG NUMBER PROGRAM
CHIBANDA CARLTON B. R225796S HARMGT
MADHAURE MEDELINE R225772P HARMGT
MARIKOSI GODFREY R225829Q HARMGT
MASANGUDZA FAITH R. R228912U HARMGT
MAUNGWA NYASHA E.T. R225854K HARMGT
MUSASA TINOVONGA C. R225776Z HARMGT
MUSUKU MOVEN R225851G HARMGT
NDLOVU LETHUBUHLE R225826Y HARMGT
NHENGA CHARITY M. R225869T HARMGT
SHAMU TAPIWANASHE R228288N HARMGT
SHONIWA KEITH M.T. R225774M HARMGT
List of Abbreviations

DoS Denial-of-Service
ID Identification
ISO International Organisation for Standardisation
SMS Short Message Service
SQL Structured Query Language
SSL Secure Sockets Layer
TLS Transport Layer Security
WAF Web Application Firewalls
Question:

Your company is intending to expand its operations to the electronics space. However, the
management expressed concerns over the security issues involved in web trading. As the
security expert of the organization, explain to the management of the organization on the
possible methods you can implement to protect the website from being hacked. [25 Marks]

Response:
Dear Management,

I have received notice of your concerns regarding the organisation's intention to
introduce its goods and services to the online space. Whilst I genuinely appreciate these
concerns, I wish to inform you of the methods we can use to mitigate the risk of our website being
hacked, in an attempt to allay your worries.

Before I get to that, I’d firstly like to acknowledge that your fears are not misplaced. I am aware
that as management, your primary objectives regarding cybersecurity are to ensure that:

1. Information is only accessible to authorised persons (Confidentiality),
2. Data is only changed in an authorised manner (Integrity), and
3. Information is available to the system or to authorised persons whenever it is needed
(Availability).

These three objectives are set out in the ISO 27001 Standard (2005), as cited in the work of Junaid (2023). As such, you
have a right to be concerned. From the launch date of the site, the firm will become vulnerable
to threats that could infiltrate and possibly attack not only the website itself, but the entire
computerised information system. The key threats to take note of are:

• Phishing: As explained by researchers Kosinski (2024) and Lötter & Futcher (2015),
phishing is a fraudulent attempt to obtain sensitive information such as login credentials,
financial information, or personal data by impersonating legitimate people or entities.
Pande (2017) adds that these attacks can lead to unauthorised access to sensitive
information, e.g. usernames, passwords, business and financial accounts, and can be
carried out via Smishing (using SMS texts or messages), Pharming (redirecting to
fraudulent websites), Vishing (voice) etc.

• Malware: Malware, as noted by Zhang, Wu and Lao (2015), is 'malicious software'
designed to disrupt operations, steal data, or gain unauthorised access to trading
platforms. It is designed to harm and exploit the host computer system(s) for the benefit
of a third party, in the form of a:

o Virus – code written to corrupt or damage the host computer. It can self-replicate
without the consent of the user, but requires human intervention to spread (Pande, 2017);

o Worm – another self-replicating program with the same properties as a virus, but
requiring no human intervention; used in breaching network security (Jenab and
Moslehpour, 2016);

o Trojan – code that at first appears to be useful software, but once activated,
damages the host computer by manipulating its data and creates a backdoor in
the host computer so that it can be controlled from a remote computer;

o Spyware – software that gathers information about users without their knowledge.

• Denial of Service (DoS) Attack: DoS attacks involve flooding the website platform with
useless traffic, thus preventing legitimate network traffic from being served. Researcher
Gebreyes (2020) noted that this can lead to significant losses in finances and reputation;

• Spamming: Spam consists of unsolicited commercial bulk messages sent via email or social
media. These messages are unwanted, may carry links to infected or harmful websites, and in
volume reduce the performance of the trading platform;

• SQL injection: SQL injection is a type of attack where an attacker exploits vulnerabilities in
databases to execute unauthorised SQL commands, by submitting malicious input through
a web form. The web application constructs an SQL query using the user input, and
the malicious input alters the SQL query, allowing the attacker to access or modify data.
This can lead to unauthorised access to sensitive data and data tampering.
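As an added illustration of the SQL injection point above (example code written for this letter, not part of the original assignment; the customer table and e-mail addresses are constructed sample data), the following compares a query built by string concatenation with the same query using parameter binding, plus an allow-list check on the input as a second line of defence:

```python
import re
import sqlite3


# Constructed in-memory customer table (sample data for this example only).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, balance REAL)")
    conn.executemany(
        "INSERT INTO customers (email, balance) VALUES (?, ?)",
        [("alice@example.com", 120.0), ("bob@example.com", 75.5), ("carol@example.com", 0.0)],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Builds the statement by concatenation, so form input becomes part of the SQL itself."""
    query = "SELECT email FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterised(conn, email):
    """Binds the value through a placeholder: the driver treats it as data, never as query structure."""
    query = "SELECT email FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(query, (email,))]


# Simple allow-list pattern for the only shape of input this form should accept.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def lookup_hardened(conn, email):
    """Defence in depth: validate the input against the allow-list, then run the parameterised query."""
    if not EMAIL_RE.match(email):
        raise ValueError("rejected: input is not a well-formed e-mail address")
    return lookup_parameterised(conn, email)


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"  # constructed input that changes the meaning of the concatenated query
    print("vulnerable query returns:", lookup_vulnerable(db, hostile))   # every customer row
    print("parameterised query returns:", lookup_parameterised(db, hostile))  # nothing
```

The parameterised version is the control to insist on in the web application's code; the allow-list check costs nothing extra and also catches malformed input before it reaches the database.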

To mitigate these threats, it is essential for the firm to implement the following:

• Authentication controls: Authentication is the process of identifying an individual and confirming
that the individual is who they claim to be. When employees or other parties are
logging on to the website, it is essential to validate that they are the rightful owners of
that identity. Three common control techniques to confirm authentication are:

o Strong Password Policies: Enforcing strong password policies for both users and
administrators by requiring complex passwords and regular password
changes, and implementing multi-factor authentication for added protection;

o Use of special IDs, such as digital private keys (secret recovery passwords);

o Biometric authentication, such as fingerprint scans (if accessing on mobile).
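To show what the strong-password and multi-factor controls above look like in practice (an added example written for this letter, not from the original assignment), the code below checks a proposed password against a complexity policy and implements the time-based one-time password (TOTP) scheme used by authenticator apps, following RFC 4226 and RFC 6238. The policy thresholds are assumptions chosen for the example, and the demo secret is the published RFC test secret, used only for illustration:

```python
import hashlib
import hmac
import re
import struct


def password_policy_violations(password, min_length=12):
    """Return the policy rules a proposed password breaks (an empty list means it passes)."""
    rules = [
        (len(password) >= min_length, f"at least {min_length} characters"),
        (re.search(r"[a-z]", password) is not None, "a lowercase letter"),
        (re.search(r"[A-Z]", password) is not None, "an uppercase letter"),
        (re.search(r"[0-9]", password) is not None, "a digit"),
        (re.search(r"[^A-Za-z0-9]", password) is not None, "a symbol"),
    ]
    return [description for passed, description in rules if not passed]


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """Time-based variant (RFC 6238): the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, submitted, unix_time, step=30, window=1):
    """Accept the current step and `window` steps either side (clock drift); compare in constant time."""
    current = int(unix_time) // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False


if __name__ == "__main__":
    print("weak password fails on:", password_policy_violations("password"))
    demo_secret = b"12345678901234567890"  # RFC 6238 test secret, for illustration only
    print("code at t=59:", totp(demo_secret, 59))
```

In a real deployment the shared secret is generated per user with a cryptographic random source and stored server-side; the server-side check also needs to remember the last accepted counter so a code cannot be replayed within its window.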

• Non-repudiation: As informed by Fortra (2024), this is a legal term referring to the
ability to record and verify the actions of an individual on a computerised system,
so that no party can "repudiate" (deny) that it sent or received a
message or made a transaction. Common methods used are:

o Encryption: a technique to convert data into an unreadable form before
transmitting it over the internet. Pande (2017) confirms that only a person
who has access to the key can convert the data back to its readable form
and read it. Protocols built on encryption include Secure Sockets Layer (SSL) and
its successor Transport Layer Security (TLS), which provide secure communication over a
computer network. They ensure that all data transmitted between the web
server and browsers remains encrypted and inaccessible to hackers;

o Storing website/audit logs: these are logs that capture data such as the IP
addresses of the users accessing our website, as well as their request methods,
response codes, timestamps etc. (Sitelock, 2023).
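To make the audit-log point concrete (an added example written for this letter, not part of the original assignment), the following parses web-server access-log lines in the common "combined" format, which carry exactly the fields mentioned above (client IP, request method, response code, timestamp), and flags any client that fails to log in five or more times within a rolling sixty-second window. The log lines are constructed sample data, and the threshold, window and login path are assumptions for the example:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (example data, not real traffic).
SAMPLE_LOG = """\
198.51.100.5 - - [06/Jun/2024:10:15:01 +0000] "POST /login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
198.51.100.5 - - [06/Jun/2024:10:15:09 +0000] "POST /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Jun/2024:10:16:00 +0000] "POST /login HTTP/1.1" 401 312 "-" "curl/8.0"
203.0.113.7 - - [06/Jun/2024:10:16:03 +0000] "POST /login HTTP/1.1" 401 312 "-" "curl/8.0"
203.0.113.7 - - [06/Jun/2024:10:16:07 +0000] "POST /login HTTP/1.1" 401 312 "-" "curl/8.0"
203.0.113.7 - - [06/Jun/2024:10:16:12 +0000] "POST /login HTTP/1.1" 401 312 "-" "curl/8.0"
203.0.113.7 - - [06/Jun/2024:10:16:18 +0000] "POST /login HTTP/1.1" 401 312 "-" "curl/8.0"
203.0.113.7 - - [06/Jun/2024:10:16:25 +0000] "GET /products HTTP/1.1" 200 5120 "-" "curl/8.0"
192.0.2.44 - - [06/Jun/2024:10:20:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# One line of the combined log format: ip ident user [timestamp] "method path protocol" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict of its fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def failed_login_bursts(lines, threshold=5, window_seconds=60, login_path="/login"):
    """Return {ip: peak failures} for clients with >= threshold failed logins inside any rolling window."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path and rec["status"] in (401, 403):
            failures[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):  # two-pointer sweep over the sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print(failed_login_bursts(SAMPLE_LOG.splitlines()))
```

The same parser feeds any other review of the logs (unexpected request methods, spikes in error codes, access outside business hours); the value of keeping the logs is only realised when something reads them.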

• Firewalls and Web Application Firewalls (WAF): WAFs act as a barrier between the
website server and incoming traffic, filtering out malicious requests and preventing
common attacks such as SQL injection and cross-site scripting. WAFs help in blocking
suspicious traffic before it reaches the website and the browser;

• Anti-Malware Software: Installing and regularly updating anti-malware software is
crucial for detecting and removing malicious programs that could compromise our
website's security. These tools scan our systems for potential threats and neutralise
them before they cause harm;

• Backup and Recovery Procedures: Regularly backing up website data and having
robust recovery procedures in place are essential in case of a successful hacking
attempt. Being able to restore the website quickly from a backup can mitigate
potential damage caused by a security breach.
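A backup is only useful for recovery if we can tell that it is intact and that the live site has not been altered since it was taken. As an added example for this letter (not from the original assignment), the code below records a SHA-256 manifest of every file in a site snapshot, then uses the manifest to detect a tampered file; the site files, paths and the "unauthorised change" are constructed for the demonstration:

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (as a forward-slash relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root, manifest):
    """Return the sorted list of files that are missing or whose digest no longer matches the manifest."""
    problems = []
    for rel, expected in manifest.items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full) or sha256_file(full) != expected:
            problems.append(rel)
    return sorted(problems)


def demo():
    """Constructed scenario: snapshot a tiny site, store its manifest, then detect a tampered page."""
    with tempfile.TemporaryDirectory() as site:
        os.makedirs(os.path.join(site, "pages"))
        with open(os.path.join(site, "pages", "index.html"), "w") as f:
            f.write("<h1>Welcome</h1>\n")
        with open(os.path.join(site, "config.ini"), "w") as f:
            f.write("[db]\nhost=localhost\n")
        # The manifest is what we would store alongside the backup (and ideally sign).
        stored_manifest = json.dumps(build_manifest(site), sort_keys=True)
        clean_result = verify_backup(site, json.loads(stored_manifest))
        with open(os.path.join(site, "pages", "index.html"), "a") as f:
            f.write("<!-- unauthorised change made after the backup -->\n")
        tampered_result = verify_backup(site, json.loads(stored_manifest))
        return clean_result, tampered_result


if __name__ == "__main__":
    print(demo())
```

Keeping the manifest separate from the backup media (and restoring only when verification reports no problems) is what turns a backup into a reliable recovery step rather than a copy of whatever the attacker left behind.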

There are various other techniques not mentioned here that we will discuss in future. PLEASE
NOTE that these methods carry their own inherent limitations, and will not guarantee
with 100% certainty that the risks are eradicated. For example:

• Mitek Systems (2021) pointed out that consumer friction can develop due to heavy
authentication controls. People who want to log in to their accounts as quickly and
smoothly as possible will feel frustrated and may decide to abandon the whole process;

• Implementing and maintaining non-repudiation measures can be expensive;

• Firewalls cannot directly forbid users from accessing potentially malicious websites;

• Anti-virus software does not necessarily provide full protection.

Hopefully the information I have provided is sufficient to help you make a more informed
decision on the next steps to take before the launch of the website.

Yours Sincerely,

Security Expert.

REFERENCES
1. Fortra (2024) "Non-repudiation: Your Virtual Shield in Cybersecurity". Available at:
https://www.tripwire.com/state-of-security/nonrepudiation-your-virtual-shield-cybersecurity

2. Gebreyes, A. (2020) "Denial of Service Attacks: Difference in Rates, Duration, and Financial
Damages and the Relationship Between Company Assets and Revenues". Walden Dissertations
and Doctoral Studies Collection, pp. 1-147. Available at:
https://scholarworks.waldenu.edu/cgi/viewcontent.cgi?article=11004&context=dissertations

3. International Organization for Standardisation (2005) "ISO/IEC 27001:2022". Available at:
https://www.iso.org/standard/27001

4. Jenab, K. and Moslehpour, S. (2016) "Cyber Security Management: A Review". Business
Management Dynamics, Vol. 5, No. 11, pp. 16-39. ISSN 2047-7031

5. Junaid, T. (2023) "ISO 27001: Information Security Management Systems". Faculty of
Computer Science and Engineering, Frankfurt University of Applied Sciences. DOI:
10.13140/RG.2.2.36267.52005

6. Kosinski, M. (2024) "What is a phishing attack?". Available at:
https://www.ibm.com/topics/phishing

7. Lötter, A. and Futcher, L. (2015) "A framework to assist email users in the identification of
phishing attacks". Information and Computer Security, Vol. 23, No. 4, pp. 370-381. Available at:
https://doi.org/10.1108/ICS-10-2014-0070

8. Mitek Systems (2021) "Costs and benefits of authentication". Available at:
https://www.miteksystems.com/blog/costs-and-benefits-of-authentication

9. Pande, J. (2017) "Introduction to Cyber Security". Uttarakhand Open University. ISBN 978-93-84813-96-3

10. Sitelock (2023) "How to Check Website Logs & Why Businesses Need to Do So". Available at:
https://www.sitelock.com/blog/importance-of-website-logs/

11. Zhang, Y., Wu, L. and Luo, Z. (2015) "An immunity-inspired relocation method for unknown
malware detection". Available at: https://doi.org/10.2991/esac-15.2015.19
