ITSSA2-22 Eduvos Mowbray CON-1463512-K3L5 Mustaqeem Rylands


Contents

Question 1
Question 2
Question 3
Question 4
Question 5

Question 1:
1.1) Logical
1.2) Physical
1.3) Administrative

1.4)

Description:

An attacker equipped with a laptop and a large antenna is stationed in the parking lot
of a Lowe's store, monitoring the wireless traffic of the store's Wi-Fi network using
eavesdropping techniques. After several hours of data collection, the attacker
successfully cracks the WEP key used for securing the Wi-Fi network. With this
compromised access, the attacker then infiltrates an existing connection between the
local Lowe's store and the franchise headquarters, aiming to intercept and download
sensitive credit card data.

Asset:
Sensitive customer credit card data transmitted between the Lowe's store and
franchise headquarters.

Threat Category:
Network Security Threat.

Risk:
Data Breach: The attacker could successfully intercept and download credit card
data, leading to a significant data breach.
Reputation Damage: The store could suffer severe reputation damage due to failing
to protect customer data, potentially leading to loss of trust among customers and
stakeholders.
Legal and Compliance Issues: The breach may lead to legal liabilities and
non-compliance fines.

Mitigation:

Encryption Upgrade: Replace the outdated WEP protocol with a more secure
encryption protocol like WPA2/3.
Continuous Monitoring: Implement continuous monitoring of network traffic for
suspicious activities and anomalies.
VPNs: Make use of VPNs for all communications between store locations and
headquarters to encrypt data in transit.
Strong Authentication: Use strong authentication mechanisms, such as multi-factor
authentication, to prevent unauthorized access to network resources.
Security Awareness Training: Train employees so they know about the risks of
insecure wireless networks and the importance of following security protocols.

Question 2:
Heap Smashing Attack:

Heap smashing is a type of attack where an attacker exploits vulnerabilities in
memory management within an application, specifically targeting the heap
memory. This can lead to buffer overflows or corruption of heap data
structures, potentially allowing the attacker to execute arbitrary code or gain
unauthorized access.

Mitigation Strategies:

Input Validation:

Implement strict input validation to ensure that data entered by users or
received from external sources does not exceed expected boundaries.

Use of Safe Libraries and Functions:

Use secure coding practices and libraries that provide safer alternatives to
standard memory management functions.

Where possible, use memory-safe languages that prevent these types of
vulnerabilities.

Memory Corruption Detection Mechanisms:

Implement runtime memory corruption detection tools and techniques during
development and testing phases.

Monitor runtime behaviour of the application to detect unexpected heap
modifications.

Secure Coding Practices:

Train developers on secure coding practices, emphasizing the importance of
handling memory securely and avoiding common pitfalls that lead to heap
vulnerabilities.

Conduct regular code reviews and code analysis to identify and address
potential heap-related vulnerabilities.

Use of Heap Security Mechanisms:

Consider using heap protection mechanisms provided by the operating
system or development environment to make exploitation more difficult for
attackers.

Stack Smashing Attack:

Stack smashing is an attack where an attacker exploits vulnerabilities in the
stack memory of an application. By overflowing buffers allocated on the stack,
the attacker can overwrite function return addresses or local variables,
potentially leading to arbitrary code execution.

Mitigation Strategies:

Stack Overflow Protection:

Implement stack protection mechanisms such as stack canaries to detect buffer
overflows.

Compiler Security Upgrade:

Configure the compiler to enable stack protection features that automatically
insert stack protection code during compilation.

Segmentation Protection:

Utilize operating system features to randomize memory addresses and make
it harder for attackers to predict stack memory layout.

Security Monitoring:

Implement logging and monitoring mechanisms to detect unusual behaviour
or attempts to exploit stack vulnerabilities in real time.

Question 3:
a.)

Threats

Access to sensitive information: When designing the banking app, confidentiality
should be considered. The company should be clear about what information can be seen
and shared throughout their system, who has access to view this information, and
how this information is stored.

1. Potential Leaks: Trusted shareholders, employees and users should be the
only personnel allowed to view or edit information. The user's permission
needs to be granted before the information can be accessed. The threat
arises when corruption comes into play and employees and shareholders
abuse their access to this information, eventually resulting in leaks or
sold data.
2. Insider Threats: Insider threats involve employees or shareholders who
misuse their authorized access to sensitive information for malicious
purposes. This can include leaking customer data, selling information to third
parties, or using data for personal gain. Insider threats can lead to significant
reputational damage and financial loss.
3. Third-Party Risk: Banks often rely on third-party vendors and service
providers to handle various aspects of their operations. If these third parties
are not secured, they can become a starting point for attackers to gain access
to sensitive information. A compromise of a third party's systems or inadequate
security measures can lead to unauthorized access to the banking app's
sensitive information. This can result in data breaches and financial fraud.

b) A distributed denial-of-service (DDoS) attack targeting the app's servers could
overwhelm them with a flood of illegitimate traffic, causing the app to become
inaccessible to users. This could be exacerbated if the app's infrastructure lacks
scalability and redundancy measures to handle sudden spikes in traffic. Secondly, a
critical software bug or a flawed update deployment could lead to unexpected
crashes or system failures within the app, rendering it temporarily unusable until the
issue is identified and resolved. Thirdly, infrastructure failures, such as power
outages or hardware malfunctions in the data centre hosting the app's servers, could
disrupt service availability if contingency plans like backup power systems or failover
mechanisms are not in place to swiftly restore operations.

c)

To enhance the app's availability, a comprehensive strategy combining preventive
and responsive measures is recommended.

Preventive Measures:

The app should be hosted on a cloud platform that offers high availability features
like auto-scaling and load balancing.

Responsive Measures:

Have an incident response plan that includes rapid incident detection, escalation
procedures, and clear communication, ensuring that any disruptions are promptly
addressed.

Question 4:
4.1) Command injection is a security vulnerability where an attacker injects
malicious commands into a system command that is executed by the application.
This can lead to unauthorized execution of arbitrary commands on the server,
potentially compromising its security.

import subprocess

def search_product(product_name):
    # Validate user input to prevent command injection
    if not product_name.isalnum():  # Ensures input contains only alphanumeric characters
        return "Invalid product name."

    # Construct the command safely using subprocess module:
    # an argument list is passed directly to grep, so no shell parses the input
    command = ['grep', product_name, 'products.txt']  # Example command to search for product in products.txt

    try:
        result = subprocess.run(command, capture_output=True, text=True, check=True)
        return result.stdout
    except subprocess.CalledProcessError as e:
        # Note: grep exits with status 1 when nothing matches, which also lands here
        return f"Error: {e}"

# Example usage:
product_name = input("Enter product name to search: ")
print(search_product(product_name))
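
A variant of the search above with layered defences, added here as an example and not part of the original answer: an allowlist that still permits realistic product names, an argument list with no shell, `grep -F` with `--`, and explicit handling of grep's exit codes. The allowlist pattern, the `catalog_path` parameter, the `demo` helper and the catalog contents are assumptions made for illustration.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Assumed allowlist: starts with a letter or digit, then letters, digits,
# spaces or hyphens, at most 64 characters in total.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 \-]{0,63}")


def search_product(product_name, catalog_path):
    """Return matching catalog lines, [] for no match, None if the name is rejected."""
    if not NAME_RE.fullmatch(product_name):
        return None
    # Argument list, no shell: the name reaches grep as one argument and is
    # never parsed as shell syntax.
    # -F treats the name as a fixed string rather than a regular expression.
    # -- ends option parsing, so the name can never be read as a grep flag.
    argv = ["grep", "-F", "--", product_name, str(catalog_path)]
    result = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    if result.returncode == 0:
        return result.stdout.splitlines()
    if result.returncode == 1:  # grep exit status 1 means "no lines matched"
        return []
    raise RuntimeError(f"grep failed: {result.stderr.strip()}")


def demo():
    """Run the search against a constructed catalog in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        catalog = Path(tmp) / "products.txt"
        catalog.write_text("USB-C cable\nHDMI cable\nLaptop stand\n")  # constructed data
        marker = Path(tmp) / "marker"
        hostile = f"cable; touch {marker}"  # constructed input with shell metacharacters
        return {
            "hit": search_product("USB-C cable", catalog),
            "miss": search_product("keyboard", catalog),
            "hostile": search_product(hostile, catalog),
            "marker_created": marker.exists(),
        }


if __name__ == "__main__":
    print(demo())
```

Distinguishing exit status 1 (no match) from status 2 and above (a real failure) keeps an empty search result from being reported to the user as an error.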

Question 5:
5.1) ShopSecure ensures payment system security through rigorous encryption
protocols and HIPAA compliance.

5.2) ShopSecure makes use of a Secure Payment Gateway, which enhances its
security. The Secure Payment Gateway adds an additional layer of protection by
securely handling transaction data and preventing interception by unauthorized
parties.

5.3) ShopSecure makes use of a fraud detection system that employs machine
learning algorithms to detect and prevent fraudulent activities.

This enhances transaction security as it prevents attacks from occurring and
stops malicious attempts to gain access to the payment system. Detecting the
fraudulent activity beforehand gives the system enough time to blacklist the
user's IP address and account to prevent them from attempting such attacks in
the future. This also helps identify flaws in the system so that it can be
maintained and adjusted to suit the security needs of the users.

5.4) ShopSecure makes use of three measures to ensure protection of users:
advanced encryption, customer support, and administrators.

Advanced encryption: This makes sure that stored data is kept safe with the
use of firewalls, two-factor authentication and biometrics. With these measures
in place, it provides a safe experience for users and employees.

Customer Support: 24/7 customer support with live chat, email and phone.
This provides clarity to the user as to who is helping them and prevents potential
scams.

Administrators: Admins are the only people who have full access to the
platform, which includes user management, system configs, and financial reports.
This builds trust between the user and admins, as users know exactly who is
viewing their data.

5.5) Users are educated about secure payment practices and fraud prevention
through regular email newsletters, in-app notifications, social engineering, and
interactive tutorials within the ShopSecure platform.
