Web Application Attack Scenario

The majority of web application attacks occur through three avenues Cross-site scripting (XSS), SQL injection attacks and Phishing.

Security flaws or vulnerabilities have increased and spread rapidly over the past several years. More and more vulnerabilities are being discovered by security experts worldwide. Some of these flaws have proved to be extremely dangerous and lethal as they have caused unmeasurable damages to industries and organizations as well as individual users. Security vulnerability can be identified as a fault or weakness in a product or system that allows an attacker to exploit and manipulate that particular vulnerability and compromise the confidentiality, integrity and availability of that product or system (Definition of a Security Vulnerability ).

The purpose of the report is to explore the current vulnerabilities in the information system network and outline potential

System/application attacks fall within three categories: denial or destruction, alteration, and disclosure. This paper will cover some common system/application domain vulnerabilities: unauthorized physical and logical access to resources, weaknesses in server operating system and application software, and data loss.

2) Poorly implemented new system that is heavily reliant on an outside vendor: The introduction of any new IT system increases risk because the controls previously in place may not be updated and/or sufficient to meet the needs of the new system. Additionally, the website programmed by MWD has experienced many crashes and is reliant on MWD for all fixes.

In this era of globalization and cut-throat world of competition, it is virtually impossible to do business without using the internet and web applications. Internet gets used for processing the credit card or debit card sale and even for using to save the data of customers to the merchant’s database for future reference and to send promotional offers to the previous and patron customers. And on the other hand, hackers are trying their best to get the data stored on the merchant’s server by spoofing

Information systems are known to be at risk from malicious attacks, user error, and from other disasters. As technology is relied upon more heavily and computer systems become interdependent and accessible by more individuals, the susceptibility to threats increases. In addition, individuals are developing high levels of computer skills that results in an increased risk of intrusion from outsiders. The Information Security Risk Assessment will determine the assets of the company, organizational risks, the current security posture, any areas of risk for GDI, and recommend a mitigation strategy for reducing information security risks and implementing strategies to reduce these risks. Through the Information Security Risk Assessment, GDI is taking steps to ensure that the organization identifies significant risks and determines the best method to mitigate the risks.

In security engineering, a vulnerability causes errors and weakness to the IT systems. Environment vulnerabilities in combination with an internal or external threats leads to a security failure. For example, vulnerabilities may result from input validation errors, memory safety violations, weak passwords, viruses, or other malware. In recent years, software companies and government agencies have become particularly aware of security risks that vulnerabilities impose on the system security and have started analyzing and reporting detected vulnerabilities of products and services (Ogut, Cavusoglu & Raghunathan (2008).

Information Security and the breaches are the major concerns for any organization. Maintaining the data safely against the unauthorized access, data loss and modification of data is very important. Because any organization runs on the credibility of the customers.

The threat intended for this vital business asset is sometimes uncontrollable by management. Information system vulnerabilities are often introduced due to human and organizational factors.

Numerous attacks are against the database, the most widely recognized one is SQL attack. SQL language is a programming language to connect with the database, an SQL attack is to embed the SQL statements to the database control language by the external

Because these vulnerabilities can provide access to the sensitive information, this can result in loss of confidential data. In some cases, the attacker can take control the host web application by using SQL injection.

Confidentiality, Integrity and Availability are the three hardest aspects to preserve in information Security. Confidentiality, being the most important aspect, is the prevention of unauthorized disclosure of information. Integrity protects the information within the document by making certain that only authorized users and parties can modify the information. Lastly availability insures that information and services are available when needed. These three aspects form a bond between companies and consumers insuring the information is in safe hands. However, IT systems and networks are prone to more malicious attacks then ever before and the number of computer crimes is increasing every day. Examples include Hacking, Viruses and vulnerabilities,

Interruptions: interruption refers to the situation where an IT component, typically a hardware or a software, gets corrupted or is completely lost. The main issue behind this kind of thread consists of the disruption of service provided by that IT component. An example could be someone performing a denial of service on an IT system by overwhelming network connections.

Almost all kind of large and small organizations might face increasing number of attacks into their network or intellectual property. This may lead to data disclosure, data destruction, and damage of organization’s reputation. There are numerous threats in the cyber space which might be capable of stealing, destroying or making use of out sensitive data for financial and non-financial gains. As the amount of computer, mobile and internet users increases, so does the number of exploiters.