
As the organization moves into the e-commerce model, new risks will be introduce


Question

As the organization moves into the e-commerce model, new risks will be introduced to the organization. As the junior information security analyst, it will be your role to summarize the business impact of these new risks, the motivating factors that one may have to exploit vulnerabilities, and how the risks can be mitigated. Prepare a report for presentation to senior management to assist the team in understanding IT security risks associated with an e-commerce model. Identify the roles such as system administrator, developer, security engineer, and quality assurance analyst for each classification.

Explain the business impacts of a successful exploit on a Web application’s weakness. Write 5 full paragraphs. Please do not copy/paste from old Chegg answers or word from word using websites unless cited. No uploaded paper sheet answers.

Explanation / Answer

Q1) Explain the business impacts of a successful exploit on a Web application’s weakness. Write 5 full paragraphs.

1. Phishing Attacks - Phishing scams are often in the form of emails that look legitimate or like they come from someone you know, although phishing through phone calls also occurs. These scams usually include a link or direction to a page that, if accessed, will take over an email account or install malware on your computer that can steal personal information, access your microphone and camera, or log keystrokes. Targeted phishing attacks can be very convincing, and if a company employee falls for one, they could inadvertently give an attacker access to their administrative account and other information that poses a risk to your website and company.

2. Distributed Denial of Service or DDoS Attacks - A Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack aims to take down your site by overwhelming servers with requests. In its distributed form, the attack will come from hundreds or thousands of IP addresses which usually have been compromised themselves and tricked into requesting your website over and over again. This attack type overloads your servers, slowing them down significantly or taking your site temporarily offline, preventing legitimate users from accessing your site or completing orders. DDoS attacks are difficult to stop by simple IP blocking since they come from many sources, and those sources often look similar to your legitimate traffic. As more devices are connected to the Internet, DDoS attacks have grown both in prevalence and strength, meaning even websites with a large number of powerful servers are unable to withstand them. High-profile ecommerce sites are susceptible to this type of attack, and smaller ecommerce sites may also be vulnerable if their web host or DNS provider is targeted. For example, in October 2016 DNS provider Dyn was targeted by a DDoS attack and thousands of websites were taken offline as a result.

3. Bad Bots Targeting Ecommerce - Bots are prevalent all over the Internet, and can be both good and bad. “Good” bots are used by search engine sites such as Google and Bing to crawl and index your site for their search results. You want your site to be visible to these bots so that when someone searches for keywords related to your site it will show up in the results. However, there are also malicious bots which gather information from your website such as pricing data, hold products in carts without intending to buy them, buy up your inventory of a limited release to resell it at a higher price, or take over real accounts by guessing the passwords. Some bad bots can also access your database and gather a list of user account logins that can be resold later.

A recent report by Distil Networks found that 97% of sites are hit with some sort of bad bots. For ecommerce sites, bad bots account for an average of 15.6% of a website’s traffic, with good bots accounting for 9.3% of traffic. Bots can be programmed to perform a wide range of activities, but here are the most common for ecommerce sites:

Price Scraping: If your site has unique pricing and product information, the chances are extremely high (around 97% according to Distil) that you will be hit by scraping bots. These bots collect pricing and product data and send it back to the bot-maker, who could be a competitor, so they can lower their prices and take sales away from you.

Scraping can also hurt SEO and the likelihood that potential customers find your product, as the scrapers may create duplicate content which search engines then take into account when ranking websites. This type of bot can be extremely hurtful if you are selling the same product as other websites and trying to price competitively.

Login Fraud: Bots can attempt to log in using one of your real users’ credentials by guessing the password by rapidly going through a dictionary of words and number combinations (a brute-force approach), or by testing known credentials that have been leaked elsewhere. If bots are successful at logging in, they may not use the account information immediately, but sell the information to a third party.

If a purchase is made using a stolen account and stored credit card information it will compromise the trust your users have in your site and result in a loss of money if an order ships and you need to refund the customer. If admin accounts are compromised using these same tactics, you could be unwittingly giving away a larger list of account logins.

Bots can also create new accounts in order to test stolen credit card numbers. If bots are able to access an account by guessing the login, they can guess the expiration date and CVV number of stored credit cards and make a fraudulent purchase.

Holding Items: Because bots can act more quickly than human browsers, they are able to refresh pages many times over to check for sales or limited-release products. Bots can add items to a cart, limiting inventory for actual users who came to your site looking for a specific product. If the item has a high resale value, bots may purchase it and resell it at a higher price on a third-party website such as eBay. Even if bots do not ultimately purchase the product, your actual visitors may abandon your site if it appears an item is out of stock, and when the bot releases the product your cart abandonment rate will go up.

Incorrect Analytics: A secondary effect of bad bot traffic is that it can significantly impact the analytics you track. Over 50% of bots can load JavaScript, which is the mechanism most analytics tools use to measure page views, bounce rate, conversion rate, and more. Since bots are imitating human behavior, they will be included in your analytics and can do harm to these important metrics, lowering your average conversion rate or convincing you to spend more money on advertising.

Bots can also make it falsely appear that one advertising campaign is working better than another, or in other ways encourage you to target specific keywords or interests which are unlikely to have a good click-through rate.

4. Man in the Middle Attacks - A man in the middle attack is when an attacker listens in on a user’s communication with your website. This could happen because a user is connected to an unsecured public Wi-Fi network, has been tricked into connecting to a vulnerable network, or because a hacker has targeted a specific network and gained unauthorized access to it. If the connection between the user and website is not encrypted, a man in the middle attack could see all of the pages a user is visiting, view emails they are sending, and intercept usernames, passwords, and credit card numbers. Even if a website has an SSL/TLS certificate to encrypt data with the HTTPS protocol, there are a number of ways hackers can trick the user’s browser and gain access to unencrypted data. In addition, websites that only use HTTPS on certain pages (for example on the payment or login pages) are leaving their users more susceptible to this type of attack, as attackers could steal session cookies or other sensitive information when users browse an unsecured page on the same website after they have logged in.

5. Cross-Site Scripting and SQL Injection:

Cross-Site Scripting: In this form of attack, an attacker will insert a JavaScript snippet on a vulnerable web page that to a browser looks like a normal script and is therefore executed. This can then perform a number of harmful actions such as accessing a user’s cookie information to impersonate them. This technique can also give attackers access to other information on the user’s computer and leave them vulnerable to phishing attempts or malware installation. Although this form of attack may not be targeting the website itself, it is targeting your website’s users, which can still impact your business. In 2016, one attack of this type impacted over 6,000 ecommerce websites by stealing customer credit card data. Even when those websites used a third-party payment processor or HTTPS encryption they were still vulnerable, and some did not patch the issue for months.

SQL Injection: SQL injection can affect any website or web application using a SQL database, which includes ecommerce platforms such as Magento. In this type of attack a hacker can insert malicious SQL statements in a payload which will be included as part of a legitimate-seeming SQL query. If the attacker gains access to the database they can create an administrative account for themselves, delete database entries, or view sensitive information.

Please let me know in case of any clarifications required. Thanks!
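The "Login Fraud" section above describes bots either cycling through a dictionary against one account or testing leaked credentials across many accounts. The following detection logic, an added example that is not part of the answer above, runs a sliding window per source IP over a constructed login log (the log line format, the 60-second window and the threshold of 5 are assumptions) and separates the two patterns: many failures on many different accounts versus many failures on a single account.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not from the page); the line format is an assumption.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-03-01T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2024-03-01T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2024-03-01T10:00:03Z ip=203.0.113.7 user=dave result=FAIL
2024-03-01T10:00:04Z ip=203.0.113.7 user=erin result=FAIL
2024-03-01T10:02:00Z ip=198.51.100.9 user=alice result=FAIL
2024-03-01T10:02:30Z ip=198.51.100.9 user=alice result=SUCCESS
2024-03-01T10:05:00Z ip=192.0.2.44 user=hank result=FAIL
2024-03-01T10:05:01Z ip=192.0.2.44 user=hank result=FAIL
2024-03-01T10:05:02Z ip=192.0.2.44 user=hank result=FAIL
2024-03-01T10:05:03Z ip=192.0.2.44 user=hank result=FAIL
2024-03-01T10:05:04Z ip=192.0.2.44 user=hank result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(\S+)$")
WINDOW = timedelta(seconds=60)  # sliding window evaluated per source IP (assumed)
THRESHOLD = 5                   # failures (and, for stuffing, distinct users) that alert

def parse(log_text):
    """Return (timestamp, ip, user, failed) tuples in time order; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4) == "FAIL"))
    return sorted(events)

def detect(log_text):
    """'credential_stuffing': one IP fails against many accounts inside the window;
    'brute_force': one IP hammers a single account. Returns sorted (ip, kind) pairs."""
    by_ip = defaultdict(list)
    for ev in parse(log_text):
        by_ip[ev[1]].append(ev)
    alerts = set()
    for ip, evs in by_ip.items():
        for i, (end_ts, _, _, _) in enumerate(evs):
            # usernames that failed from this IP in the window ending at this event
            failed = [e[2] for e in evs[: i + 1] if e[3] and e[0] >= end_ts - WINDOW]
            if len(failed) >= THRESHOLD and len(set(failed)) >= THRESHOLD:
                alerts.add((ip, "credential_stuffing"))
            if failed and max(Counter(failed).values()) >= THRESHOLD:
                alerts.add((ip, "brute_force"))
    return sorted(alerts)
```

The single failure followed by a success from 198.51.100.9 is a typical user typo and produces no alert; the threshold and window should be tuned against a site's real login traffic before the output is used to block or rate-limit anything.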
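The "SQL Injection" section above says that attacker-supplied text can be included as part of a legitimate-seeming SQL query and used to view sensitive information. This added example, not part of the answer above, shows the defect and its fix side by side on a constructed SQLite orders table: an order lookup that concatenates the customer e-mail into the SQL text returns every customer's orders for a crafted input, while the same lookup with a bound parameter treats the input as plain data and returns nothing.

```python
import sqlite3

# Constructed sample data: a tiny e-commerce orders table (not from the page).
SAMPLE_ORDERS = [
    (1, "alice@example.com", 49.99),
    (2, "bob@example.com", 120.00),
    (3, "carol@example.com", 15.50),
]

def make_db():
    """Create an in-memory SQLite database seeded with the sample orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, email TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    conn.commit()
    return conn

def orders_vulnerable(conn, email):
    """Builds the WHERE clause by string concatenation: the input becomes part of the
    SQL text, so quotes and keywords inside it change what the query means."""
    sql = "SELECT id, email, total FROM orders WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def orders_parameterized(conn, email):
    """Binds the input as a query parameter: the driver passes it as data, never as SQL,
    so the query only matches rows whose email equals the literal string."""
    sql = "SELECT id, email, total FROM orders WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

def demo():
    """Row counts for an honest lookup and for a crafted input against both versions."""
    conn = make_db()
    # Input that closes the string literal and appends an always-true condition.
    crafted = "x' OR '1'='1"
    return {
        "honest_vulnerable": len(orders_vulnerable(conn, "alice@example.com")),
        "crafted_vulnerable": len(orders_vulnerable(conn, crafted)),
        "honest_param": len(orders_parameterized(conn, "alice@example.com")),
        "crafted_param": len(orders_parameterized(conn, crafted)),
    }

if __name__ == "__main__":
    print(demo())
```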
