Blogger news

Wednesday, 26 December 2012

List of System Risks and Recommended ways to Control Them

List of System Risks and Recommended ways to Control Them

  1. Sensitive Account Information can be Lost to Hackers Using spoofing and spamming
  2. Recommended controls
    •    Enforce customers’ use of secure web connections (HTTPS)
    •    Help customer to develop and configure filters using such technologies as “black list” and Microsoft Intelligent Message Filter to prevent phishing and pharming sites and spoofed-emails (E-mail Spoofing, 2009) from reaching customers.
    •    Implement new filter technologies such as “white-list”, which automatically record legitimate website based on URL address, page features, and DNS-IP
  3.   Application Servers are Subject to PHP Remote File Include
    Use PHP versions that has secured register_globals, allow_url_fopen (Remote File Inclusion, 2009).
    • Enforce PHP program security, e.g. input check to filter out executable remote file include as passed parameter from client web browsers to web and application servers.
  4. The Database Systems are Vulnerable to SQL Injection.
  5. The system can be affected by worms, viruses, spyware and other malicious code
    Recommended Control
    Deploy new techniques, such as Vigilante, that can  pose Contain Internet Worm Epidemics
    • Use up to date anti-virus and anti-spyware software
    • Enable TCP Wrapper/libwrap service deaemons. Khusial, D., McKegney(2005)
    • Deploy Intrusion detection system and ACLs
  6. Stealing of  User Data and Account Information
    Recommended Control
    •    Implement RDBMS vendor’s new security technologies, such as Oracle Transparent Data Encryption and column labeling (Oracle, 2009) to enforce database security at different gratuity level (e.g. database, table, column level).
    •    Proactive action to prevent suspicious and malicious SQL queries to access
  7. User account/password can Subject to Dictionary Attacks
    Enforce strong password policy to ensure it has certain complexity, length and mix of cases and numbers.
    Use incremental delay response after each failed login. Pinkas, B., Sander, T. (2002)

No comments:

Post a Comment

Do not post any un-related message...