
Conduct a thorough vulnerability assessment for an e-commerce company. Identify risks, develop remediation plans.

Performed a thorough vulnerability assessment to identify and mitigate potential threats to an e-commerce company's information system. Developed a remediation plan to proactively prevent attacks and ensure the organisation's security.

Vulnerability Assessment Report

23rd January 2024

System Description

The server hardware comprises a robust CPU and 128 GB of memory. It runs the latest Linux operating system and hosts a MySQL database management system. The system has a stable network connection using IPv4 addresses, enabling interaction with other servers on the network. Security measures include SSL/TLS-encrypted connections.

Scope

This vulnerability assessment focuses on the current access controls of the system. The assessment spans a three-month period, from February 2024 to April 2024. NIST SP 800-30 Rev. 1 is employed as a guide for risk analysis of the information system.

Purpose

The database server, a centralised system, stores and manages large volumes of data. It houses customer, campaign, and analytic data, crucial for tracking performance and tailoring marketing efforts. Securing the system is paramount due to its frequent use in marketing operations.

Risk Assessment

| Threat source | Threat event | Likelihood | Severity | Risk |
|---|---|---|---|---|
| Hacker | Obtain sensitive information via exfiltration | 3 | 3 | 9 |
| Employee | Disrupt mission-critical operations | 2 | 3 | 6 |
| Customer | Alter/Delete critical information | 1 | 3 | 3 |

Approach

The risk assessment considered the business's data storage and management procedures. Potential threat sources and events were identified based on the likelihood of a security incident, given the information system's open access permissions. The severity of potential incidents was evaluated by their impact on day-to-day operational needs.

Remediation Strategy

To ensure only authorised users access the database server, authentication, authorisation, and auditing mechanisms will be implemented. This involves enforcing strong passwords, employing role-based access controls to limit user privileges, and requiring multi-factor authentication. Data in motion will be encrypted using TLS instead of SSL. Additionally, IP allow-listing to corporate offices will be established to prevent random internet users from connecting to the database.
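As an added example that is not part of the original report, the MySQL 8 statements below show how the strategy above maps onto server settings: a strong-password policy, a least-privilege role, an account restricted to a corporate office address range, and TLS 1.2+ enforced on every connection. The database name, role, account, office network and password are placeholders, and multi-factor authentication is assumed to be handled by an external authentication plugin, so it is not configured here.

```sql
-- Strong passwords: load the validation component and require
-- long, mixed-character passwords for every new or changed account.
INSTALL COMPONENT 'file://component_validate_password';
SET PERSIST validate_password.policy = STRONG;
SET PERSIST validate_password.length = 14;

-- Encryption in transit: reject plaintext connections and retire
-- legacy SSL/TLS versions (these replace the SSL settings in my.cnf).
SET PERSIST require_secure_transport = ON;
SET PERSIST tls_version = 'TLSv1.2,TLSv1.3';
ALTER INSTANCE RELOAD TLS;

-- Role-based access control: a read-only role for campaign analytics,
-- granted on named tables only (placeholder schema and table names).
CREATE ROLE IF NOT EXISTS 'marketing_readonly';
GRANT SELECT ON ecommerce.campaigns TO 'marketing_readonly';
GRANT SELECT ON ecommerce.campaign_metrics TO 'marketing_readonly';

-- IP allow-listing: the account may only authenticate from the
-- corporate office range (placeholder 203.0.113.0/24), must use TLS,
-- and is locked for one day after five failed logins.
CREATE USER IF NOT EXISTS 'analyst'@'203.0.113.%'
  IDENTIFIED WITH caching_sha2_password BY 'Placeholder-Str0ng-Passw0rd!'
  REQUIRE SSL
  PASSWORD EXPIRE INTERVAL 90 DAY
  FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME 1;
GRANT 'marketing_readonly' TO 'analyst'@'203.0.113.%';
SET DEFAULT ROLE ALL TO 'analyst'@'203.0.113.%';

-- Verification: any account still reachable from any host ('%') or
-- without a TLS requirement is a remaining gap to remediate.
SELECT user, host, ssl_type
FROM mysql.user
WHERE host = '%' OR ssl_type = '';
```

Run the verification query again after each change; the remediation is complete when it returns no rows for application and staff accounts.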
