An Overview Of The Application Software Computer Science Essay

Published:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

This risk assessment was performed in accordance with the management of ENL Consortium who require a security assessment to be performed on its key assets to ensure confidentiality, Integrity and Availability of resources required for the pre-payment system to work at all times. The purpose of this assessment is to identify vulnerabilities and threats that can occur to the key assets of the organization which include: Application software (UMS & UVS), Database, and Servers. This assessment will be used to identify the impact on the assets and, also, recommendations on how to prevent or avoid the threats and vulnerabilities.

The technique used for this risk assessment is by interviewing the participants based on how the Pre-payment system works and Policies they follow to ensure its security and dependability. The National Institute of Standard and Technology (NIST) Publication SP-800-30 was used as a guideline for the Risk assessment (the interview questions can be found in the appendices).

BACKGROUND

ENL Consortium is a company that manages Pre-payment electricity meter scheme in Abuja, Nigeria. This is in accordance with the government's decision to migrate from analog meter which used post payment billing to digital meters which is a pre-payment system. The main aim of this company is to ensure that all customers are migrated to this scheme, have all customer information in a database, and provide means for customers to purchase their electricity by setting up various outlets in strategic locations around the state. The method of purchase is either buying straight from the outlet or purchase of a recharge card.

Since this is a digital system, there is use of Information Technology in every aspect of the migration. There is a central location where application servers and database is located and all other outlets connect to this location via the internet either through a Very Small Aperture Terminal (VSAT) using a Virtual Private Network (VPN) or Radio. These outlets only have workstations and applications installed in them for normal transaction and are all connected to the central location. Furthermore, customer information such as, Name, Address, type of meter (Residential of Commercial) are all stored in the database, and also, any outstanding bill from the previous analog meter, in order to ensure customers pay their debt. All transactions made by customer s are recorded automatically in the database.

All meters have a unique number and are configured with customer details so that customers can purchase electricity with their unique meter number. These meters are offline and cannot be accessed from the application server. In addition, they are secured from the configuration in the UMS application in a way that once a meter is configured for a particular area and tariff, it cannot be used in another area or tariff.

SCOPE

The Pre-payment system comprises of several components. One of the major component is the UMS Application which is client/server application developed by Conlog (www.conlog.co.za). It is used by, data entry staff to enter or edit customer information, generate reports such as customer's history, and management staffs use it to check sales reports and audits. The cashiers that sell electricity units to customers use Ultima Vending System (UVS) a client/server application also developed by conlog. The application servers are connected to the database server via an interface; this enables all information to be stored in the database. The scratch card used in purchasing electricity units is managed by a third party but also connected to the database to ensure proper record of customer transaction. The application servers and database are physically housed in the same location.

The scope of this assessment includes all the components described except the physical meters and the scratch card system which is managed by a third party. Other components included in the scope include: Operating systems, Work stations, Electricity.

SYSTEM CHARACTERIZATION

The table 1 below shows the system characterization

COMPONENT

DESCRIPTION

APPLICATION SOFTWARE

UMS & UVS developed by conlog

DATABASE

Microsoft SQL Server 2005

OPERATING SYSTEMS

Microsoft Windows Server 2003 on Servers and Microsoft Windows XP Service Pack 2 on Workstations

NETWORK

Cisco routers, Switches, Fibre and Very Small Aperture Terminal (VSAT) connections

Table 1 System characterization

CRITICAL ASSETS

The following components have been identified to be the critical assets of the pre-payment system:

  • UMS & UVS SERVER APPLICATION: If the application crashes or is having problems the whole system will not work because staff will not be able to log in using the client software. Hence, all sales outlets will not be able to sell electricity units to customer and data entry staff will not be able to add or modify customer information.
  • DATABASE: All information is stored in the database. If there is a problem with the application managing the database or the database becomes corrupt, there will be no access to all information. Therefore the applications will not have access to customer data and this will lead to loss of revenue.
  • APPLICATION AND DATABASE SERVER: These servers have to be up and running at all times because they host the application and database. Their Operating system and Hard disk are very crucial components. If any of the Servers fails, the application running will also fail and this will affect the entire system.

The figure 1below is a network diagram showing how the central location connects to one of the outlets.

The figure 2 below shows a high level diagram showing how pre-payment works (Firewall information is not disclosed in this report due to Company policy and privacy)

RISK MODEL

The risk identification process consists of three phases:

  • Vulnerability identification
  • Threat identification
  • Pair 1 and 2 to identify the risk

In determining risks associated with the pre-payment system, the following model for classifying risk was used.

RISK = THREAT PROBABILITY MAGNITUDE OF IMPACT

THREAT PROBABILITY

The following factors are considered in determining the probability of a potential vulnerability to be exercised:

  1. The vulnerability nature.
  2. How capable and what motivates the threat.
  3. The efficiency of controls in existence.

The table 2 below describes the levels of threat probability

THREAT PROBABILITY

DEFINITION

HIGH (3)

The threat is highly motivated and adequately capable. Controls to prevent the vulnerability are futile.

MEDIUM (2)

The threat is motivated and capable. Controls that could obstruct the success of vulnerability is in place

LOW (1)

The threat either lacks motivation or capability. Controls to prevent the vulnerability are in place.

Table 2 Threat probability levels

MAGNITUDE OF IMPACT

This is based on the impact of a security event that occurs in terms of loss or degradation to any of the three security goals: Confidentiality, Integrity, and Availability, or any two of them. The table below describes the levels of impact. The table 3 below describes the magnitude of impact levels.

IMPACT

DEFINITION

HIGH (3)

Loss of Confidentiality, Integrity or Availability. This has a critical or disastrous effect on the organization

MEDIUM (2)

Loss of Confidentiality, Integrity or Availability. This has a serious effect on the organization.

LOW (1)

Loss of Confidentiality, Integrity or Availability. This causes a partial problem to the organization.

Table 3 Magnitude of impact levels

The table 4 below shows the Risk which is derived from the multiplication of Threat probability and magnitude of Impact.

THREAT PROBABILITY

MAGNITUDE OF IMPACT

LOW (1)

MEDIUM (2)

HIGH (3)

HIGH (3)

LOW RISK

(31=3)

MEDIUM RISK

(23=6)

HIGH RISK

(33=9)

MEDIUM (2)

LOW RISK

(21=2)

MEDIUM RISK

(22=4)

MEDIUM RISK

(32=6)

LOW (1)

LOW RISK

(11=1)

LOW RISK

(21=2)

LOW RISK

(31=3)

Table 4 Risk level

where 1 - 3 = Low, 4 - 6 = Medium, 7 - 9 = High

VULNERABILITY ASSESSMENT

The table 5 below shows the vulnerabilities that have been identified.

VULNERABILITY

DESCRIPTION

DOCUMENTATION

Operating process, System specification and design are not well documented

INTEGRITY CHECKS

There is not enough Integrity checks on data that goes into the database

DISASTER RECOVERY

In the event of a major disaster, there are not enough procedures that ensure the system continues to operate.

UNNECESSARY SERVICES

The Servers have unnecessary services such as telnet and File Transfer Protocol (FTP) running.

PASSWORD

Password policy used to log into Applications and Works stations are not strong enough (i.e. they do not meet the required password strength). Regular password changes not enforced.

UMS & UVS User Identifiers (ID's)

ID of staff no longer working in the organization not removed immediately

Wet-Pipe Sprinkler in Server Room

Use of Sprinklers in fire emergencies will damage the Servers.

Table 5 Vulnerabilities

THREAT

The table 6 below shows the potential threats identified.

THREAT

THREAT ACTION

CYBER CRIMINAL

Unauthorized access to systems

Social Engineering

Denial of Service (DoS) attack

System Intrusion

HUMAN ERROR

This is caused by poorly trained staff and has effect on the operation of the system.

NATURAL DISASTER ( Fire, Flood)

System Collapse

LOSS OF POWER

System collapse

HARDWARE FAILURE

System Collapse

CRIMINALS

Steal or vandalise Servers and other networking components

INSIDERS (terminated, displeased, corrupt employees)

Unauthorized system access

Injection of malicious code into system e.g Virus

Stealing information

Blackmail

AIR CONDITION FAILURE

Over heating of servers

Table 6 Threats

The Risks are identified by matching the identified threats and vulnerabilities which is shown in the table 6 below.

VULNERABILITY

THREAT

RISK

RISK LIKELIHOOD RATING

Wet-pipe sprinkler in Server room

Fire

Fire will activate sprinkler causing damage to the hard drives and other server components

MEDIUM

UMS & UVS User Identifiers (ID's)

INSIDERS (terminated, displeased, corrupt employees)

Unauthorised access to application software by terminated or displeased staff can compromise availability and integrity of data

MEDIUM

PASSWORD

Cyber criminal, Human Error

Gaining access to user password either by hacking or due to human error of writing it down in a visible place can compromise the systems integrity of resources

MEDIUM

UNNECESSARY SERVICES

Cyber criminal

A Cyber criminal can easily gain access to the system when unnecessary services are left to run on the servers causing loss of integrity and availability of resources.

MEDIUM

INTEGRITY CHECKS

Cyber criminal

A Cyber criminal can inject the server with malicious codes. If data going into the database is not checked properly

MEDIUM

DISASTER RECOVERY

NATURAL DISASTER ( Fire, Flood)

A disaster can happen at any time, without a proper disaster recovery plan there will be total system failure

MEDIUM

Table 7 Risk identification

ANALYSIS OF RISK ASSESSMENT

The table 8 below shows the analysis of the risk assessment.

OBSERVATIONS

EXISTING CONTROLS

RISK IMPACT

RISK IMPACTRATING

User Passwords for software application and Workstations can be guessed or cracked easily

Workstation passwords meet the required strength but all work stations have the same password. UMS & UVS allows 6 characters of any combination without restriction.

Unauthorized disclosure or modification of UMS data

MEDIUM

Passwords are not set to expire or changed regularly

Passwords only changed on users request

Compromised passwords will not be detected and used to carry out malicious acts

MEDIUM

There is no established Disaster recovery plan

Data is backed up once in a week only. Back up is transferred online to head quarters in Lagos

There will be total system collapse for a longer time than supposed

HIGH

Application and Database Server running needless services

There is no existing control

Servers can be compromised

MEDIUM

Data could be removed or falsely injected into the database by entering wrong commands while using the software application

There is limited checks on data before it is stored in database

It will compromise the

Integrity and Availability of data

MEDIUM

Epileptic Power supply

Use of Uninterrupted Power Supply (UPS) and small power supply generator as back up

Lack of power supply for a long time continuously will weaken the UPS and the generator is not strong enough to carry the Air Conditioners in the server room. This will affect the servers

HIGH

Wrong method of putting out fire in server room due to damaging effect

Use of Sprinkler in Server room

Water will damage the hard drive and data will not be retrievable from hard drives. This will compromise the availability of data.

HIGH

Table 8 Risk assessment analysis

SUMMARY AND RECOMMENDATION

The key assets of the Pre-payment system which include: UMS & UVS application software, Database and Servers has been assessed and their vulnerability and threats analysed thoroughly to avoid any form of compromise that will hinder the system from functioning. The Risk model was used to measure the impact of risk some of the vulnerability and threats can cause. From this assessment some risks have been found in the system. As a result, the following recommendations and changes are advised to be followed to ensure proper availability, confidentiality and integrity of resources needed for the Pre-payment system.

  • The use of general password is not a good security practice .All workstations password must not be the same. Instead staff should have personal passwords used to log into their workstations. This is good because another staff will not be able to use another staff workstation without their permission to gain access to confidential information or use it maliciously.
  • UMS & UVS minimum password requirement should be changed to eight characters that must contain alpha-numeric and special character. This will make cracking or guessing of password by a hacker very difficult.
  • User passwords on UMS & UVS, and workstations should be set to expire every two months. This will ensure that any compromised password will be invalid after it expires.
  • Management should promptly inform IT department once staff has been dismissed, retired, transferred, or does not need certain privileges he/she has on UMV & UMS. So that prompt action can be taken irrespective of the situation.
  • A disaster recovery plan should be developed and tested. Backups should be done daily and a closer warm site should be developed for storage of data and should have copies of the applications as well. This will be very useful in an emergency situation because data will be easily recovered and the warm site can quickly be set up and running. In addition, backups should be routinely checked to ensure that data can be recovered.
  • Servers should be checked and reconfigured to ensure that all needless services running are stopped or blocked permanently so that such services cannot be used to compromise the servers.
  • All data that are going to be stored in the database should be validated. Validation should be done from the application server before data is transferred to the database and the database management server should also validate any data before it accepts it for storage.
  • There should be a bigger stand-by generator that can carry Air conditioner to cool the server room because the UPS can only carry the servers. Since the power supply is erratic it means the servers are exposed to a hot temperature because Nigeria has a hot weather and the server room is always closed.
  • The air conditioner should be serviced and gas refilled periodically to ensure it is always working and cooling the room. This will help avoid breakdown.
  • Wet- pipe sprinklers should be removed and replaced with fire extinguishers. The fire extinguishers should be placed in strategic ally inside and outside of the server room. It should also be serviced regularly to ensure it is functioning properly in case of an emergency.

POLICIES TO ADOPT

  • System components should be examined routinely. This should be in the form of Network scans, analyses of router and switch settings, and penetration testing. These controls will help to monitor activities that are going on within the network and facilitate detection of any security violation.
  • More training should be given to employees so that they can fulfil their security responsibilities.
  • Servers and Workstations use screen lock system once they are not in use.
  • The following Session controls should be adopted:
  • Account Lockout: This will limit the number of failed attempts a user can make before an account is disabled temporarily. It will help control password guessing.
  • Screen Saver Locks: They should be pre-configured to activate when a user is not actively using the Server or Work station
  • System timeouts: A control that logs users out automatically after a certain period of inactivity. This is very useful for users who forget to log out while leaving their desk.
  • Warning banners: A legal notification that helps to identify acceptable and unacceptable rules. This banner should come up while users are logging into the system.

RECOMMENDED UPGRADE

The following upgrades have been recommended for the Operating system used on Servers, Workstations and the DBMS :

1. DBMS: the current one used is Microsoft SQL 2005. This should be upgraded to Microsoft SQL 2008 which offers the following :

  • Ability to encrypt the entire database using a transparent data encryption method.
  • Encrypt backup to prevent tampering and ensure integrity of backed up data
  • Better auditing that monitors data access
  • Improved performance and data compression
  • It has an improved memory management and better rendering of Server reporting services

2. SERVER OPERATING SYSTEM: The current OS on all servers is Window Server 2003. It should be upgraded to Window Server 2008 which offers the following:

  • There is increase in efficiency of Server
  • Reduction in power consumption with the support of Advance Configuration and Power Interface (ACPI), Processor Power management (PPM), and Power idle sleep states on multiprocessors.
  • Each and every folder has a shadow copy
  • Introduction of Hyper-V (V for Virtualization) on 64-bit version. This helps to reduce hardware cost by running several Virtual servers on only one physical machine

3. WORKSTATION OPERATING SYSTEM: The current OS on all workstation is Windows XP Service pack 2. This also, should be upgraded to Windows Vista which offers the following :

  • Bitlocker-To-Go which offers full drive encryption
  • Power Configuration utility that provides reports on identified problems , settings and applications that reduce power efficiency
  • Start up repair which appears automatically and fixes any problem when a workstation cannot boot properly
  • A VPN reconnect feature that automatically re-establishes a lost VPN connection
  • It does not have as many security exploits like Windows XP

APPENDICES

QUESTIONS ASKED DURING INTERVIEW

  1. What is the mission of the company?
  2. How does the prepayment system work?
  3. What components are required to be working at all times?
  4. What assets do you consider critical to the system?
  5. Do outsiders have access to the network?
  6. How many people have access to your server room?
  7. How often do you back up your data and where is it backed up to?
  8. Where and how do you store your customer information?
  9. How do staffs access your software applications?
  10. What is your minimum password requirement on applications and computers, and do they expire?
  11. Do you validate all data going into your database?
  12. How often do you train your staff on latest security issues that they should be aware of?
  13. What Operating system is used on your workstations and Servers?
  14. What DBMS do you use?
  15. What type of firewall do you use? ( Question was not answered due to company policy)
  16. What alternative method do you use when there is no regular electricity supply?
  17. What disaster recovery plans do you have?
  18. How do you intend to put out fire in an emergency situation?

Writing Services

Essay Writing
Service

Find out how the very best essay writing service can help you accomplish more and achieve higher marks today.

Assignment Writing Service

From complicated assignments to tricky tasks, our experts can tackle virtually any question thrown at them.

Dissertation Writing Service

A dissertation (also known as a thesis or research project) is probably the most important piece of work for any student! From full dissertations to individual chapters, we’re on hand to support you.

Coursework Writing Service

Our expert qualified writers can help you get your coursework right first time, every time.

Dissertation Proposal Service

The first step to completing a dissertation is to create a proposal that talks about what you wish to do. Our experts can design suitable methodologies - perfect to help you get started with a dissertation.

Report Writing
Service

Reports for any audience. Perfectly structured, professionally written, and tailored to suit your exact requirements.

Essay Skeleton Answer Service

If you’re just looking for some help to get started on an essay, our outline service provides you with a perfect essay plan.

Marking & Proofreading Service

Not sure if your work is hitting the mark? Struggling to get feedback from your lecturer? Our premium marking service was created just for you - get the feedback you deserve now.

Exam Revision
Service

Exams can be one of the most stressful experiences you’ll ever have! Revision is key, and we’re here to help. With custom created revision notes and exam answers, you’ll never feel underprepared again.