Possible Causes of Breach
GambleBet has outsourced the management and delivery of its entire IT operation to a third party, NetBest IT Service. GambleBet's bank has notified it that the GambleBet network has been breached by an intruder, and that many of the credit cards used for transactions with GambleBet have since been used for transactions the genuine cardholders did not authorise. GambleBet's security has been compromised and the fraud is growing rapidly, so it must be brought under control. Under the terms of its agreement the bank is entitled to act, and it has appointed IT security specialists to:
- Review the security of GambleBet IT systems and applications
- Determine whether GambleBet is the source of the fraud
- If so, report on what can be done to mitigate the security issues now and on an ongoing basis, to minimise the likelihood of further fraud.
Many possible causes could have allowed the network breach and the unauthorised use of the credit cards; this document sets out to identify them. Exposure of such sensitive information is a serious problem for GambleBet's customers, and if it becomes known to them it could ruin the business and its revenue, since 99% of deposits and money movements are made by credit card. The bank has also suggested that GambleBet itself might be defrauding customers and stealing their money for personal gain. The following types of attack might have breached the web server:
DoS attack: the attacker might have mounted a denial-of-service attack by sending a volume of requests that overwhelmed the web server's capacity to serve them (Hossain, Fotouhi and Hasan 2015). Alternatively, the intruder might have exploited a programming error in the application to crash or hang it, with the same effect. A DoS on its own disrupts service rather than disclosing card data, so it is relevant here mainly as cover for, or a by-product of, an intrusion.
Website defacement: intruders might have used SQL injection against the website to deface it. The same injection could be used to store unrelated or malicious data in the database, which the site would then display as a defaced page (Almorsy, Grundy and Müller 2016), and, more relevant to the card fraud, to read tables the application was never meant to return.
Directory traversal: by supplying path components such as ../ to an application that builds file paths from user input, the intruders might have read files outside the web root. In some cases this also leads to OS command execution, which could have been used to extract sensitive personal information and credit card details.
Misconfiguration attacks: for instance, if GambleBet left unnecessary services enabled, or default configuration files and credentials in place, an intruder could have reached the database and used the stored credit card details for personal gain (Zhao et al. 2016).
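A first check an auditor would run when deciding whether GambleBet's web tier was the point of entry is to look for traces of the four attack classes above in the web server access logs. The following Python script is an added example, not part of the original report or of any GambleBet or NetBest tooling: it parses combined-format access log lines, URL-decodes each request twice (to catch double-encoding), and flags SQL injection syntax in query strings, path traversal sequences, requests for default administrative or leaked paths, and request floods from a single address within one second. The sample log lines, the indicator patterns and the flood threshold are constructed assumptions for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined-log-format parser (the default Apache/nginx access log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Indicator patterns. These are assumed starting points, not a complete
# signature set; tune them against the real application before relying on them.
SQLI_RE = re.compile(
    r"(?i)(\bunion\b\s+(all\s+)?select\b|'\s*(or|and)\s+|--\s*$|;\s*(drop|insert|update|delete)\b)"
)
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|/etc/passwd|\\windows\\)", re.IGNORECASE)
DEFAULT_PATHS = ("/phpmyadmin/", "/.git/", "/.env", "/server-status", "/setup.php")
FLOOD_THRESHOLD = 100  # requests from a single IP within one log second (assumed)


def decode(target):
    """URL-decode twice so double-encoded payloads (%252e%252e%252f) are caught."""
    return unquote(unquote(target))


def analyse(log_text):
    """Return indicator hits per category for the given access log text."""
    findings = {"sqli": [], "traversal": [], "misconfig_probe": [], "flood": []}
    per_second = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real triage would count these separately
        ip, ts = m["ip"], m["ts"]
        target = decode(m["target"])
        path, _, query = target.partition("?")
        per_second[(ip, ts)] += 1
        if SQLI_RE.search(query):
            findings["sqli"].append((ip, target))
        if TRAVERSAL_RE.search(target):
            findings["traversal"].append((ip, target))
        if path.lower().startswith(DEFAULT_PATHS):
            findings["misconfig_probe"].append((ip, path))
    for (ip, ts), n in sorted(per_second.items()):
        if n >= FLOOD_THRESHOLD:
            findings["flood"].append((ip, ts, n))
    return findings


# Constructed sample log lines for illustration; these are not GambleBet or
# NetBest records. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = "\n".join(
    [
        '203.0.113.7 - - [14/Oct/2018:10:01:02 +0000] "GET /account?id=17 HTTP/1.1" 200 512',
        '203.0.113.7 - - [14/Oct/2018:10:01:03 +0000] "GET /account?id=17%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9812',
        '203.0.113.7 - - [14/Oct/2018:10:01:05 +0000] "GET /download?file=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1902',
        '198.51.100.9 - - [14/Oct/2018:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 3000',
        '198.51.100.9 - - [14/Oct/2018:10:02:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 4200',
        '198.51.100.9 - - [14/Oct/2018:10:02:01 +0000] "GET /.git/config HTTP/1.1" 200 120',
    ]
    # 150 requests from one address in the same second: a request flood.
    + ['192.0.2.5 - - [14/Oct/2018:10:03:00 +0000] "GET /login HTTP/1.1" 200 800'] * 150
)

if __name__ == "__main__":
    for category, hits in analyse(SAMPLE_LOG).items():
        print(f"{category}: {len(hits)} hit(s)")
        for hit in hits[:5]:
            print("   ", hit)
```

A match is an indicator, not proof: each hit should be correlated with the application and database logs for the same timestamps, and the pattern lists must be tuned to the real application to keep false positives down. The double decode matters because a single URL-decode pass would leave the third sample request looking like a harmless file name.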
Ranking of the Audit
The exposure covers personal information, including digital identity, personal details and bank details, and confidential information such as customers' card numbers and bank account data, all of which could be used to harm the people concerned. From an audit-ranking perspective, the IT department must align the audit with business priorities, the criticality of each application and the security of all information used or accessed within the organisation (Lin and Liao 2017). The IT department's availability will help in critically analysing the technical skills and support that could influence the security of the project.
IT Universe Scoring
Ranking risk by scoring the IT universe is an effective approach and directly relevant to this case. Here the breach had a large impact on GambleBet because a weakness in one part of the application's security allowed the theft of sensitive debit and credit card data belonging to many customers (Stojmenovic and Wen 2014). In its rating, GambleBet had classed its logging system as mission critical to its operations; nonetheless it suffered a large loss of data and the system proved open to intrusion. The breach alarmed GambleBet's customers, whose stolen data was used for unauthorised transactions. The bank faces a breach of personal information that included payment card numbers and CVVs, which is a threat to customers and to the organisation alike (Beberlein et al. 2017). Storage of CVV data after authorisation is prohibited under PCI DSS, so its presence in the breached data is itself an audit finding. Customers may no longer feel comfortable sharing personal information with GambleBet for further transactions.
The final stage of the GambleBet security assessment audit was to calculate the total risk faced by each application by scoring it. The resulting list identifies all candidate IT audits and ranks them from highest to lowest risk score (Loo, Mauri and Ortiz 2016); the scores fall into categories that single out the highest-risk systems from the review.
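To make the scoring concrete, the following Python example (added here; it is not part of the original report or of any GambleBet methodology) implements a simple risk-based ranking of the audit universe: each candidate audit is scored as likelihood multiplied by impact, weighted by business criticality and by whether it handles payment card data, then ranked highest first, placed in a risk tier and checked against the available audit hours. The candidate names and hour estimates are taken from the work plan in the next section; the likelihood, impact, criticality and weighting values are assumed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditCandidate:
    name: str
    likelihood: int        # 1 (rare) to 5 (almost certain)
    impact: int            # 1 (negligible) to 5 (severe)
    criticality: str       # business criticality tier assigned by the IT department
    handles_card_data: bool
    planned_hours: int     # effort estimate from the work plan


# Weighting assumptions: tier names and multipliers are illustrative, not GambleBet's.
CRITICALITY_WEIGHT = {"mission critical": 1.5, "business critical": 1.25, "supporting": 1.0}
CARD_DATA_UPLIFT = 1.5    # card exposure carries regulatory as well as fraud impact
AVAILABLE_HOURS = 2000    # audit hours available for the remainder of the year (from the plan)


def risk_score(c):
    """Inherent risk: likelihood x impact, weighted by criticality and card-data handling."""
    score = c.likelihood * c.impact * CRITICALITY_WEIGHT[c.criticality]
    if c.handles_card_data:
        score *= CARD_DATA_UPLIFT
    return score


def risk_tier(score):
    """Bucket a score into the tiers used to pick the top audits (thresholds assumed)."""
    if score >= 30:
        return "High"
    if score >= 12:
        return "Medium"
    return "Low"


def rank_audits(candidates):
    """Highest risk first; ties broken alphabetically so the ranking is stable."""
    return sorted(candidates, key=lambda c: (-risk_score(c), c.name))


def hours_check(candidates, budget=AVAILABLE_HOURS):
    """Return (total planned hours, hours remaining); a negative remainder means over budget."""
    total = sum(c.planned_hours for c in candidates)
    return total, budget - total


# Candidate audits from the work plan. Likelihood, impact and criticality values
# are assumed for illustration; only the names and hour estimates come from the plan.
CANDIDATES = [
    AuditCandidate("RTAX online card payment", 4, 5, "mission critical", True, 450),
    AuditCandidate("BTAX renewal system", 3, 5, "mission critical", True, 450),
    AuditCandidate("SAP user access provisioning", 3, 4, "business critical", False, 450),
    AuditCandidate("Data center / NetBest IT controls", 3, 4, "mission critical", False, 450),
    AuditCandidate("NetBest system implementation", 2, 3, "supporting", False, 200),
]

if __name__ == "__main__":
    for position, c in enumerate(rank_audits(CANDIDATES), start=1):
        s = risk_score(c)
        print(f"{position}. {c.name:<36} score={s:6.2f} tier={risk_tier(s):<6} hours={c.planned_hours}")
    total, remaining = hours_check(CANDIDATES)
    print(f"planned {total} h of {AVAILABLE_HOURS} h available ({remaining} h remaining)")
```

With the assumed inputs the two card payment applications rank first, which matches the work plan's choice of treasury audits, and the five planned audits consume exactly the 2000 available hours, leaving no reserve for follow-up work. The point of scoring rather than ranking by hand is that the inputs are recorded and can be challenged; the manual ranking criticised later in this report leaves no such trail.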
Security Audit Work Plan
Planned audits
The planned security audit work plan, which results from the security assessment, identifies the most important audits. These in turn shape the security work plan, and the top five assessments below can be applied to managing the security of the network. Some of the audits in the list do not qualify as application audits, but their association with high-risk areas of the GambleBet system places them at the highest risk (Mann 2017), so the system must be properly established and well maintained.
Treasury application audits for GambleBet
The inherent risk arises from the security of payments: the data relating to payment transfers was not adequately secured. Two treasury application audits are included in this phase, covering the RTAX online card payment application and the BTAX renewal system, the two applications that handle online payments for GambleBet (Perlman, Kaufman and Speciner 2016). Each is estimated at up to 450 hours.
SAP user access provisioning audit
This audit examines the access granted within SAP, in particular privileged user accounts. Any segregation-of-duties conflict found may require changes to the controls and a revision of the access creation process. An estimated 450 hours is needed.
GambleBet data center security audit
As noted in the identification and risk assessment above, there is scope to audit the IT controls operated for GambleBet by its third party. Specifically, the audit should look at NetBest, the IT service provider responsible for security management and integration. This audit offers benefits such as a review of the contractual management of the security arrangements (Pathan 2016), and its methodology holds the services accountable against the stated requirements. Its main focus is the integration between GambleBet and NetBest IT Services. Estimated time: 450 hours.
NetBest system implementation audit
A cursory audit will be delivered for the software implementation that NetBest plans to carry out this year. To identify risk, manage the process and ensure the system or software is implemented properly, the audit should give assurance that security is handled correctly (Allan et al. 2015). This cursory audit is estimated at about 200 hours and is important for the management and delivery of GambleBet's security.
Future Security Risk Assessment
Availability of resources and audit hours
Approximately 2000 hours of audit work will be available to carry out all of the security audit plans during the remainder of 2016.
Future security risk assessment and methodology changes for GambleBet
The COBIT framework and ISACA guidance can be applied when NetBest performs the security audits, and should be considered for the audit. COBIT segregates and prioritises security audits into domains, processes and activities (Chapple, Stewart and Gibson 2018), and this classification made the work easier and more manageable than before. However, full information is not yet available to rank the processes in a more precise and inclusive manner than the process previously carried out for GambleBet. The main aim is to build a better system than GambleBet's current one, with better structure and security. Manual ranking of the processes was a significant problem in this case: it required use of the application portfolio (Kim and Solomon 2016) and made the work plan procedure very slow. This will need to be addressed in the 2016 fiscal security assessment work plan.
The future goal is to be able to rank the GambleBet domains by their processes and activities, and to use these security frameworks to remove the security threats that could otherwise harm the system later.
The fundamental objective of the security audit is to identify vulnerabilities in the organisation's existing network infrastructure, including the weak points that could affect the security of the whole network. The audit programme has a chain of dependencies. The first is the primary analysis: because GambleBet has outsourced the management and delivery of its network, the first activity is to analyse the third party's policies and regulations, on which every other activity in the project depends (Acar et al. 2017). Those security policies also determine how much risk is transferred to the third party, since the entire management and maintenance was expected to be delivered by it; the audit therefore needs to focus on the policies and regulations. For instance, if the policies do not address the risks that are occurring, further work is moot and the audit cannot go on to examine vulnerabilities on the third party's side. The next dependency is the assessment of the risks that could occur, and are occurring, in the existing network and how severe their effect on GambleBet's operations could be. The next is planning the delivery of the audit and analysing the objectives that must be considered so the audit is delivered smoothly and with focus (Merkow and Breithaupt 2014). For the final recommendations and countermeasures, the dependency is the analysis and identification of the risks that have most severely affected the existing network, and confirmation that the audit was effective in identifying threats and risks and in proposing their solutions.
These dependencies are vital to delivering the project and to ensuring that its final output includes solutions and recommendations that are effective in managing and eliminating GambleBet's security issues (Thome, Shar and Briand 2015).
Fundamental Objective of the Security Audit
The success factor for the audit will be evaluating the compliance of the third party's existing policies with GambleBet's policies, and assuring the security of the network.
The security audit must focus on the policies and regulations that address the threats and risks in GambleBet's network, and make sure every area is identified efficiently and effectively. The survey should cover the complete policies and regulations of both the third party and GambleBet (Aljawarneh, Alawneh and Jaradat 2017). The proposed recommendations should be capable of eliminating the identified threats and risks to the network, and the network audit should resolve the existing issues and deliver the audit's objectives and goals. Planning of the IT security audit should emphasise day-to-day strategies that meet users' needs and requirements (Andress 2014), and the audit plan must be developed with the defined dependencies in mind, so that the resulting strategies are capable of delivering the project's goals and objectives. Some of the recommendations the audit should hold the parties accountable for are:
- Use of firewalls
- Encryption of card data in transit and at rest
- Hardening of TCP/IP network services
- COBIT compliance
- A dedicated IT team to manage security
- Regular audits
- Anti-virus
Date | Activity | How the activity contributed to completing the report | Participant(s) completing activity | Duration
14-10-2018 | GambleBet risk assessment | Identified the areas under threat and the probable causes that might have led to the network breach (Jacobs 2015) | <Please Fill> | 16 hrs
14-10-2018 | Define the whole system audit universe | Helped develop the list of activities structured for documenting the report and developing better strategies | <Please Fill> | 20 hrs
14-10-2018 | Analysis of the companies' information systems | Helped in understanding the scenarios to consider when discussing the strategies that could influence the system (Pohl et al. 2015) | <Please Fill> | 15 hrs
14-10-2018 | Change the system portfolio | The system portfolio was very helpful in developing the structure of the document | <Please Fill> | 15 hrs
14-10-2018 | Narrow down and identify active information | Notes were taken on the ongoing investigation and on the strategies necessary for the development and execution of the (Khari et al. 2018) | <Please Fill> | 16 hrs
15-10-2018 | Identification and ranking of risks | Helped identify the possible risks, rank them in order and submit the assignment accordingly | <Please Fill> | 12 hrs
15-10-2018 | Defining measurable factors | Measurable factors allow quantitative analysis of the factors related to the and taking action accordingly (Joshi and Singh 2016) | <Please Fill> | 18 hrs
15-10-2018 | Threat analysis (audit ranking) | Audit ranking defines the severity of the active risks and the strategies that allow the audit to be precise and specific to the requirements of the project | <Please Fill> | 12 hrs
15-10-2018 | IT universe scoring | IT issues and threats need to be categorised by severity and by impact on GambleBet's operational activities | <Please Fill> | 13 hrs
15-10-2018 | Planned audits | Planning is crucial for the successful and efficient delivery of the audit plan and work, so the structure of the project was prepared (Dubey and Misra 2016) | <Please Fill> | 15 hrs
16-10-2018 | NetBest system implementation | For a thorough study it is necessary to consider the implementation strategy adopted by NetBest's system engineering | <Please Fill> | 20 hrs
List of References
Acar, Y., Stransky, C., Wermke, D., Weir, C., Mazurek, M.L. and Fahl, S., 2017, September. Developers Need Support, Too: A Survey of Security Advice for Software Developers. In Cybersecurity Development (SecDev), 2017 IEEE (pp. 22-26). IEEE.
Aljawarneh, S.A., Alawneh, A. and Jaradat, R., 2017. Cloud security engineering: Early stages of SDLC. Future Generation Computer Systems, 74, pp.385-392.
Allan, D., Hahn, T., Szakal, A., Whitmore, J. and Buecker, A., 2015. Security in development: The IBM secure engineering framework.
Almorsy, M., Grundy, J. and Müller, I., 2016. An analysis of the cloud computing security problem. arXiv preprint arXiv:1609.01107.
Andress, J., 2014. The basics of information security: understanding the fundamentals of InfoSec in theory and practice. Syngress.
Beberlein, L.T., Dias, G., Levitt, K.N., Mukherjee, B. and Wood, J., 2017. Network attacks and an Ethernet-based network security monitor.
Chapple, M., Stewart, J.M. and Gibson, D., 2018. (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide. John Wiley & Sons.
Dubey, A. and Misra, A., 2016. Android security: attacks and defenses. Auerbach Publications.
Hossain, M.M., Fotouhi, M. and Hasan, R., 2015, June. Towards an analysis of security issues, challenges, and open problems in the internet of things. In Services (SERVICES), 2015 IEEE World Congress on (pp. 21-28). IEEE.
Jacobs, S., 2015. Engineering information security: the application of systems engineering concepts to achieve information assurance. John Wiley & Sons.
Joshi, C. and Singh, U.K., 2016. Security Testing and Assessment of Vulnerability Scanners in Quest of Current Information Security Landscape. International Journal of Computer Applications, 145(2), pp.1-7.
Khari, M., Shrivastava, G., Gupta, S. and Gupta, R., 2018. Role of Cyber Security in Today’s Scenario. In Cyber Security and Threats: Concepts, Methodologies, Tools, and Applications (pp. 1-15). IGI Global.
Kim, D. and Solomon, M.G., 2016. Fundamentals of information systems security. Jones & Bartlett Publishers.
Lin, I.C. and Liao, T.C., 2017. A Survey of Blockchain Security Issues and Challenges. IJ Network Security, 19(5), pp.653-659.
Loo, J., Mauri, J.L. and Ortiz, J.H. eds., 2016. Mobile ad hoc networks: current status and future trends. CRC Press.
Mann, I., 2017. Hacking the human: social engineering techniques and security countermeasures. Routledge.
Merkow, M.S. and Breithaupt, J., 2014. Information security: Principles and practices. Pearson Education.
Pathan, A.S.K. ed., 2016. Security of self-organizing networks: MANET, WSN, WMN, VANET. CRC Press.
Perlman, R., Kaufman, C. and Speciner, M., 2016. Network security: private communication in a public world. Pearson Education India.
Pohl, C., Schlierkamp, K. and Hof, H.J., 2015. BREW: A Breakable Web Application for IT-Security Classroom Use. arXiv preprint arXiv:1506.03325.
Stallings, W., 2017. Cryptography and network security: principles and practice (p. 743). Upper Saddle River, NJ: Pearson.
Stojmenovic, I. and Wen, S., 2014, September. The fog computing paradigm: Scenarios and security issues. In Computer Science and Information Systems (FedCSIS), 2014 Federated Conference on (pp. 1-8). IEEE.
Thome, J., Shar, L.K. and Briand, L., 2015, November. Security slicing for auditing XML, XPath, and SQL injection vulnerabilities. In Software Reliability Engineering (ISSRE), 2015 IEEE 26th International Symposium on (pp. 553-564). IEEE.
Zhao, N., Yu, F.R., Li, M., Yan, Q. and Leung, V.C., 2016. Physical layer security issues in interference-alignment-based wireless networks. IEEE Communications Magazine, 54(8), pp.162-168.