Cybersecurity_Portfolio

Greetings! My name is Rafael Santamaría Ortega, I'm an aspiring AI Security Engineer committed to ensuring safe and human-centered AI.


Vulnerability Assessment for a fictional e-commerce | Vulnerability Assessments

In this hands-on activity from the Google Cybersecurity Professional I simulated being a new cybersecurity analyst for an e-commerce company that identified a critical vulnerability: the company's remote database server, accessible to employees globally, has been publicly exposed since launch. Recognizing this as a significant security risk, I was tasked with conducting a vulnerability assessment to outline the potential threats this exposure poses to business operations and to recommend security measures to protect the server from unauthorized access.

The scenario was described as such:

“You are a newly hired cybersecurity analyst for an e-commerce company. The company stores information on a remote database server, since many of the employees work remotely from locations all around the world. Employees of the company regularly query, or request, data from the server to find potential customers. The database has been open to the public since the company’s launch three years ago. As a cybersecurity professional, you recognize that keeping the database server open to the public is a serious vulnerability.

You are tasked with completing a vulnerability assessment of the situation to communicate the potential risks to decision makers at the company. You must create a written report that explains how the vulnerable server is a risk to business operations and how it can be secured.”

The vulnerability assessment I produced is the following:

Vulnerability Assessment Report

1st January 2024

System Description

The server hardware consists of a powerful CPU and 128GB of memory. It runs the latest version of the Linux operating system and hosts a MySQL database management system. It is configured with a stable network connection using IPv4 addresses and interacts with other servers on the network. Security measures include SSL/TLS encrypted connections.

Scope

The scope of this vulnerability assessment relates to the current access controls of the system. The assessment will cover a period of three months, from June 20XX to August 20XX. NIST SP 800-30 Rev. 1 is used to guide the risk analysis of the information system.

Purpose

Since the company is an e-commerce business, the database is a fundamental, even essential, part of it: it is where clients and their information are stored, and it is also the source of new leads to whom products are offered.

Since the database is so essential to the success and operation of the company, it is of paramount importance to protect it against threats that could corrupt it, steal and sell its data, or even use it to gain access to the company's whole network. Periodic vulnerability assessments are therefore a very necessary precaution.

Due to the high importance of the database, any threat that compromises it would likely mean a financial, operational, and reputational catastrophe for the company.

Risk Assessment

| Threat Source | Threat Event | Likelihood | Severity | Risk |
|---|---|---|---|---|
| Competitor | Obtain sensitive information via exfiltration | 1 | 3 | 3 |
| Disgruntled employee | Alter/Delete critical information | 2 | 3 | 6 |
| Hacker | SQL injection | 3 | 3 | 9 |

Approach

The risks of having a publicly accessible database were measured considering the importance of the database to the company's day-to-day operations and the likelihood of each threat occurring.

Threat sources were determined by identifying the most likely actors that would exploit such a vulnerability.

The severity of each incident was rated according to the potential consequences that the threat could cause to the company.

Remediation Strategy

Implementing and enforcing authentication, authorization, and auditing mechanisms to ensure that only authorized users access the database server. This includes using strong passwords, multi-factor authentication, and role-based access controls to limit user privileges. It also implies applying the principle of least privilege and the principle of separation of duties to user access to the database. Likewise, deleting unused user accounts would reduce the risks associated with disgruntled employees or customers. It is also necessary to configure firewall rules so that only authorized IP addresses have access to the database. Finally, implementing periodic vulnerability assessments is highly recommended to protect this invaluable company asset.
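As an added example that is not part of the original report, the access-control part of this remediation expressed as MySQL 8 statements: a least-privilege role for the lead-lookup workload, an account confined to a trusted address range with TLS required, removal of the accounts that make the server usable from anywhere, and two audit queries to verify the result. The schema and table names (`crm.customers`, `crm.leads`), the role and user names, the VPN range `10.8.0.0/24` and the placeholder password are all assumptions.

```sql
-- Least privilege: a role that can only read the tables analysts actually query
CREATE ROLE IF NOT EXISTS 'lead_reader';
GRANT SELECT ON crm.customers TO 'lead_reader';
GRANT SELECT ON crm.leads     TO 'lead_reader';

-- One account per person, reachable only from the (assumed) corporate VPN range,
-- TLS enforced at the account level, 90-day rotation and lockout after 5 failures
CREATE USER IF NOT EXISTS 'analyst_jdoe'@'10.8.0.%'
  IDENTIFIED BY 'CHANGE-ME-placeholder-password'
  REQUIRE SSL
  PASSWORD EXPIRE INTERVAL 90 DAY
  FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME 1;
GRANT 'lead_reader' TO 'analyst_jdoe'@'10.8.0.%';
SET DEFAULT ROLE 'lead_reader' TO 'analyst_jdoe'@'10.8.0.%';

-- Remove the accounts that make a publicly reachable server trivially usable:
-- anonymous logins and an administrative account accepted from any host
DROP USER IF EXISTS ''@'localhost', ''@'%';
DROP USER IF EXISTS 'root'@'%';

-- Audit 1: any remaining account that may connect from any host ('%')
SELECT user, host
FROM mysql.user
WHERE host IN ('%', '');

-- Audit 2: accounts holding server-wide privileges that a read-only analyst never needs
SELECT grantee, privilege_type
FROM information_schema.user_privileges
WHERE privilege_type IN ('SUPER', 'FILE', 'PROCESS', 'SHUTDOWN')
ORDER BY grantee;
```

The host restriction in the account name complements, but does not replace, the firewall rules and the server's bind-address setting that keep port 3306 off the public internet; both audit queries should return no rows once the cleanup is complete.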
