Computer Security. References in APA style.
Planet of the Grapes, a local wine and spirit merchant,
currently operates three stores around Perth. The stores are independent from
one another and there is no data sharing between them, although this is not
by design but simply a by-product of faster-than-expected expansion. The
organisation is now moving into the online arena and has contracted your
computer consulting company to perform a variety of audits on their computer
network. The owners have never employed any IT security staff in the past and
have preferred to set up systems for themselves. However, it has become
apparent that the risks of moving business systems online are not to be
ignored. For this reason, you are being asked to investigate the security of the
system and make recommendations.
There are two distinct tasks being requested in this
phase of the audit. Each of these should be answered separately.
Legacy code (40 marks)
The Internet in Perth is notoriously bad and the
Internet connection between Planet of the Grapes and their bank is down on a
regular basis. To avoid losing out on any purchases during outages, Planet of
the Grapes intends to allow offline purchases (as in the good old times).
However, credit card data entered by a customer still needs to be verified
offline to prevent malicious users from trying to buy goods with fake credit
cards.
Planet of the Grapes staff have acquired an
application that can do this, but they suspect that this program (supposedly
implemented in C) is vulnerable to a critical and very common type of software
security vulnerability. Planet of the Grapes has supplied you with a copy of
the program (part of
http://www.it.murdoch.edu.au/szander/ICT287/assignment1/form.php). When you
inquire about this software you learn that it cannot be patched, as the code is
part of a suite of utilities supplied by the financial provider and Planet of
the Grapes cannot get access to the source code.
Name and explain the type of vulnerability. Discuss
what types of systems it affects and why it happens (what is the underlying issue?).
Discuss the impact of the vulnerability and how it may be exploited.
Besides discussing how the vulnerability may be
exploited in general, discuss the impact of the vulnerability in this specific
case of the credit card validation tool and describe and demonstrate (e.g.
screenshot) how it can be exploited. It is not required to use a disassembler
for this task, simply manipulating the tool’s input directly is sufficient.
Given that it is not possible to patch the code
directly, there is no vendor update and it must remain in use, make at least 3
different recommendations that would reduce the risk this application poses.
The recommendations must be specific to this case and not general mitigation
strategies that do not apply here.
The description of the vulnerability and the
recommendations should be presented in a format suitable for a general
technical audience – i.e. someone who is proficient in IT in general, but may
not be a security expert. Citations should be used where appropriate.
The expected answer length is approximately 2-3 pages,
and the answer must not be longer than 4 pages.