ARMGT305 Group 5 Assignment
DoS: Denial-of-Service
ID: Identification
ISO: International Organisation for Standardisation
SMS: Short Message Service
SQL: Structured Query Language
SSL: Secure Sockets Layer
TLS: Transport Layer Security
WAF: Web Application Firewall
Question:
Your company is intending to expand its operations to the electronics space. However, the
management expressed concerns over the security issues involved in web trading. As the
security expert of the organization, explain to the management of the organization on the
possible methods you can implement to protect the website from being hacked. [25 Marks]
Response:
Dear Management,
I have received notice of your concerns regarding the organisation's intention to
introduce its goods and services to the online space. Whilst I genuinely appreciate these
concerns, I wish to inform you of the methods we can use to mitigate the risk of our website being
hacked, in an attempt to allay your worries.
Before I get to that, I’d firstly like to acknowledge that your fears are not misplaced. I am aware
that as management, your primary objectives regarding cybersecurity are to ensure that:
As informed by the ISO 27001 Standard (2005), cited in the works of Junaid (2023). As such, you
have a right to be concerned. Upon the launch date of the site, the firm will become vulnerable
to threats that could infiltrate and possibly attack not only the website itself, but the entire
computerised information system. The key threats to take note of are:
Phishing: As explained by researchers Kosinski (2024) and Lötter & Futcher (2015),
phishing is a fraudulent attempt to obtain sensitive information such as login credentials,
financial information, or personal data by impersonating legitimate people or entities.
Author Pande (2017) adds that these attacks can lead to unauthorised access to sensitive
information, e.g. usernames, passwords, business and financial accounts, and can be
carried out via smishing (using SMS texts or messages), pharming (redirecting to
fraudulent websites), vishing (voice calls) etc.
o Virus – code written to corrupt or damage the host computer. It can self-replicate
without the consent of the user, but requires human intervention to spread (Pande, 2017);
o Worm – another self-replicating program with the same properties as a virus, but one that
requires no human intervention; worms are used in breaching network security (Jenab and
Moslehpour, 2016);
o Trojan – code that at first appears to be useful software but, once activated,
damages the host computer by manipulating its data and creates a backdoor in
the host computer so that it can be controlled from a remote computer;
o Spyware – software that gathers information about users without their knowledge.
Denial of Service (DoS) Attack: DoS attacks involve flooding the website platform with
useless traffic, thus preventing legitimate network traffic from getting through. Researcher
Gebreyes (2020) noted that this can lead to significant financial and reputational losses;
Spamming: These are unsolicited commercial bulk messages, often carrying links to infected
or harmful websites, sent via email or social media. Besides being unwanted, they consume
resources and reduce the performance of the trading platform, and the links they contain may
lead users to harmful sites;
SQL injection: SQL injection is a type of attack where an attacker exploits vulnerabilities in
databases to execute unauthorized SQL commands, by submitting malicious input through
a web form. The web application then constructs an SQL query using the user input, then
the malicious input alters the SQL query, allowing the attacker to access or modify data.
This can lead to unauthorized access to sensitive data and data tampering.
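To make the SQL injection mechanism above concrete, the following is an added example (not part of the assignment) using an in-memory SQLite database with constructed sample rows. It shows a lookup that builds the query text from the form field, so the input becomes part of the SQL grammar, beside the parameterised form in which the driver treats the input strictly as a value; the second version is the mitigation an application should use. Table and column names are assumptions.

```python
"""Added example (not from the assignment): how user input can alter an SQL query
built by string formatting, and how a parameterised query prevents it.
Uses an in-memory SQLite database with constructed sample rows."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.com"),   # constructed sample data
        ("bob", "bob@example.com"),
    ])
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    # Vulnerable: the query text is assembled from the raw form field,
    # so quote characters in the input change the WHERE clause itself.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    # Hardened: the value travels separately from the query text, and the
    # database compares it literally against the column, quotes included.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    conn = make_db()
    normal = "alice"
    hostile = "' OR '1'='1"   # constructed input that rewrites the WHERE clause
    return {
        "unsafe_normal": lookup_unsafe(conn, normal),
        "unsafe_hostile": lookup_unsafe(conn, hostile),   # returns every row
        "safe_normal": lookup_safe(conn, normal),
        "safe_hostile": lookup_safe(conn, hostile),       # returns nothing
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The unsafe lookup with the hostile input returns both users because the database sees `WHERE username = '' OR '1'='1'`; the parameterised lookup returns no rows, since no username literally equals that string. Parameterised queries are the primary control; a WAF in front of the site is a second layer, not a substitute.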
To mitigate these threats, it is essential for the firm to implement the following:
o Strong Password Policies: Enforcing strong password policies for both users and
administrators by way of requiring complex passwords, regular password
changes, and implementing multi-factor authentication for added protection;
o Use of special IDs, such as digital private keys (secret recovery passwords);
o Storing website audit logs: These are logs that capture data such as the IP
addresses of the users accessing our website, as well as their request methods,
response codes, timestamps etc. (Sitelock, 2023).
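As an added example (not from the assignment) of two of the controls listed above in working code, the block below implements a password policy check and a time-based one-time password (TOTP, RFC 6238) second factor that the site could verify at login. The minimum length, character-class rule and rotation period are assumed policy values; the only secret shown is the public RFC 6238 test key.

```python
"""Added example (not from the assignment): a password policy check and an
RFC 6238 TOTP second factor. Policy thresholds are assumptions."""
import hashlib
import hmac
import struct
import time

MIN_LENGTH = 12               # assumed policy values
MAX_PASSWORD_AGE_DAYS = 90


def check_password_policy(password, age_days=0):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    if age_days > MAX_PASSWORD_AGE_DAYS:
        problems.append("older than the rotation period")
    return problems


def hotp(secret, counter, digits=8):
    """RFC 4226 HMAC-based one-time password (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=8):
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time=None, step=30, digits=8, drift=1):
    """Accept the code for the current step and `drift` steps either side
    (clock skew between phone and server); compare in constant time."""
    now = time.time() if at_time is None else at_time
    base = int(now) // step
    return any(
        hmac.compare_digest(hotp(secret, base + d, digits), code)
        for d in range(-drift, drift + 1)
    )


if __name__ == "__main__":
    print(check_password_policy("password"))
    # RFC 6238 test secret (ASCII "12345678901234567890"); at T=59 the 8-digit code is 94287082
    print(totp(b"12345678901234567890", 59))
```

The TOTP secret is shared with the user's authenticator app at enrolment and stored server-side; each login then needs both the password and a code that is only valid for one time step, which is what "multi-factor" buys: a phished password alone is not enough.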
Firewalls and Web Application Firewalls (WAF): WAFs act as a barrier between the
website server and incoming traffic, filtering out malicious requests and preventing
common attacks such as SQL injection and cross-site scripting. WAFs help in blocking
suspicious traffic before it reaches the website and the browser;
Backup and Recovery Procedures: Regularly backing up website data and having
robust recovery procedures in place are essential in case of a successful hacking
attempt. Being able to restore the website quickly from a backup can mitigate
potential damages caused by a security breach.
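The audit logs recommended above are only useful if someone reads them. The following added example (not from the assignment) parses access-log lines of the kind described (client IP, timestamp, request method, response code) and flags the traffic pattern behind the DoS threat discussed earlier: one address sending an unusual burst of requests. All log lines are constructed, and the window and threshold are assumptions.

```python
"""Added example (not from the assignment): parsing web access-log lines and
flagging request bursts from a single IP. Log lines are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/Nginx "combined" log format; the group names are ours.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: normal browsing from 203.0.113.7, a burst from 198.51.100.9,
# and one request for a page that does not exist.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /shop HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "GET /shop/item/1 HTTP/1.1" 200 2048
198.51.100.9 - - [10/Mar/2024:12:00:02 +0000] "GET /shop HTTP/1.1" 200 5120
198.51.100.9 - - [10/Mar/2024:12:00:02 +0000] "GET /shop HTTP/1.1" 200 5120
198.51.100.9 - - [10/Mar/2024:12:00:03 +0000] "GET /shop HTTP/1.1" 200 5120
198.51.100.9 - - [10/Mar/2024:12:00:03 +0000] "GET /shop HTTP/1.1" 200 5120
198.51.100.9 - - [10/Mar/2024:12:00:04 +0000] "GET /shop HTTP/1.1" 200 5120
198.51.100.9 - - [10/Mar/2024:12:00:04 +0000] "GET /shop HTTP/1.1" 200 5120
192.0.2.5 - - [10/Mar/2024:12:00:09 +0000] "GET /old-page HTTP/1.1" 404 512
"""


def parse_log(text):
    """Turn raw log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["ts"], TS_FMT)
        rec["status"] = int(rec["status"])
        entries.append(rec)
    return entries


def status_summary(entries):
    """Count responses by status code (a rise in 4xx/5xx is worth a look)."""
    return dict(Counter(e["status"] for e in entries))


def burst_sources(entries, window_seconds=10, threshold=5):
    """Return {ip: peak requests within any window} for IPs at or above threshold.
    Uses a sliding window over each IP's sorted timestamps."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["time"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(status_summary(entries))
    print(burst_sources(entries))
```

A real deployment would feed such counts to an alerting system or a rate limiter rather than print them, but the logic is the same: the log fields listed in the letter are enough to spot a flood and to see which pages are failing.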
There are various other techniques not mentioned that we will discuss in future. PLEASE
NOTE that these methods carry their own inherent limitations, and will not guarantee
with 100% certainty that the risks are eradicated. For example:
Mitek Systems (2021) pointed out that consumer friction can develop due to high
authentication controls. People who want to login to their accounts as quickly and
smoothly as possible will feel frustrated and decide to abandon the whole process;
Firewalls cannot directly forbid users from accessing potentially malicious websites;
Hopefully the information I have provided is sufficient to help you make a more informed
decision on the next steps to take before the launch of the website.
Yours Sincerely,
Security Expert.
REFERENCES
1. Fortra (2024) "Non-repudiation: Your Virtual Shield in Cybersecurity". Available at:
https://www.tripwire.com/state-of-security/nonrepudiation-your-virtual-shield-cybersecurity
2. Gebreyes, A. (2020) "Denial of Service Attacks: Difference in Rates, Duration, and Financial
Damages and the Relationship Between Company Assets and Revenues". Walden Dissertations
and Doctoral Studies Collection, pp. 1-147. Available at:
https://scholarworks.waldenu.edu/cgi/viewcontent.cgi?article=11004&context=dissertations
4. Jenab, K., and Moslehpour, S. (2016), “Cyber Security Management: A Review”. Business
Management Dynamics, Vol.5, No.11, pp.16-39. ISSN: 2047-7031
7. Lötter, A. and Futcher, L. (2015), "A framework to assist email users in the identification of
phishing attacks". Information and Computer Security, Vol. 23 No. 4, pp. 370-381. Available at:
https://doi.org/10.1108/ICS-10-2014-0070
9. Pande, J. (2017), “Introduction to Cyber Security”. Uttarakhand Open University, ISBN 978-93-
84813-96-3.
10. Sitelock (2023) "How to Check Website Logs & Why Businesses Need to Do So". Available at:
https://www.sitelock.com/blog/importance-of-website-logs/
11. Zhang, Y., Wu, L., and Luo, Z. (2015), "An immunity-inspired relocation method for unknown
malware detection". Available at: https://doi.org/10.2991/esac-15.2015.19