NotWorx Solution: Improving The Situation of a Hypothetical Online Business

By wrabbiter, 2 years ago

NotWorx Background

As a company that sells sporting equipment online, NotWorx hosts a website on which clients can inquire about its products and services and pay for them by credit card. Recently, however, it suffered a hacking incident in which the attackers used password dictionary software to guess the administrator password.

By taking advantage of a WordPress plugin on the company’s website, the attackers were able to obtain the credit card information of its clients and then sell the data to other companies. This paper gives and discusses the details of how to prevent such an attack from ever happening again.

The problem is mainly one of administering policies and upgrading some network components at the software level only. Put simply, there is no major reason to resort to any hardware upgrade unless the company demands it.

Solution Details

To simplify the approach to solving the problem, the recommended step is to implement Ubuntu Web Server version 20.04. Its strength lies in the popular virtual private network (VPN) software WireGuard, which is included with every installation. Choosing a Linux web server operating system such as Ubuntu is a wise choice for two good reasons: 1) it is open source, meaning its internal functions can be modified by any skilled programmer, and 2) it is available completely free of charge. There is no need to license it, and it can be freely distributed to any interested users.

By choosing to implement Ubuntu, the concerns from the Requirement Specs section, namely 1.1) DMZ and 1.2) Secure services, will be addressed efficiently. The budget issue, which is the very first concern stated by the NotWorx boss, will be handled as well, since all Linux distributions, including Ubuntu itself, are completely free.

The only expenses to budget for would be manpower services and some minor equipment purchases, though the latter would not be truly necessary for this project. The standard payment for a network technician costs around $20 to $30. Configuring a web server at the software level in a medium-sized company typically shouldn’t take more than a day, although this could vary depending on the size of the network or the amount of equipment involved.

In addition to the Ubuntu implementation, the use of WordPress plugins, as well as other finance-related apps, should be regulated. This is to make sure that sensitive data such as credit card information never falls into the wrong hands. So far, the most suitable plugin for handling online payment transactions is WooCommerce. Access to its full functionality requires a payment of $100 per year, which should be affordable enough if securing the NotWorx payment system is the main concern.

To address the hackers’ use of the Secure Shell method (SSH), the recommended solution is to use Neo4J, a top-notch open source database. Because of its dominance among others of its kind, it can make finance-related data truly secure. One of its major advantages is that it has its own query language, called Cypher. Since it uses a querying method that is exclusive to itself, it is somewhat harder for hackers to exploit and penetrate. And because it is open source like Ubuntu, it wouldn’t cost the company anything.

Firewall Rules

To make a firewall truly secure, the network administrator must follow these guidelines at all times:

Choosing the “block setting” as the default – This ensures that any incoming activity has to be authenticated first. Any incoming message or file transfer should be evaluated before it is allowed into the system. This strategy provides excellent control over traffic and over any possible security breach.

Allowing only specific traffic – Traffic that is suspicious, or that comes from an invalid source, should not be permitted into the system. This is done by identifying the source IP address or range, the destination port, and the protocol of the traffic. This is where the efficiency of the chosen Linux web server comes into play.

Specifying IP address and port sources – In the network administration panel of the chosen web server OS, the system can be configured so that only a specific pattern of IP addresses is admitted. One key point is to emphasize to the personnel in charge that any web address without “HTTPS” is suspicious and is often a red flag for threats. The same rule should apply to ports. In general, this comes down to specifying the permitted sources and destinations for both IP addresses and ports.
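The three guidelines above, expressed as a default-deny allowlist that names the source range, destination port and protocol for each permitted flow. This is an added example, not code from the original post; the 203.0.113.0/24 admin range and the port choices are constructed values, and the `to_ufw` rendering assumes the server uses Ubuntu’s ufw front end.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str    # allowed source range in CIDR notation; 0.0.0.0/0 means anyone
    port: int   # destination port
    proto: str  # "tcp" or "udp"


# Guideline 1 (block by default): nothing outside these rules is open.
# Guidelines 2 and 3: each rule pins source range, destination port and protocol.
# The 203.0.113.0/24 admin range and the port numbers are constructed values.
POLICY = [
    Rule("0.0.0.0/0", 443, "tcp"),         # HTTPS for shop customers anywhere
    Rule("203.0.113.0/24", 22, "tcp"),     # SSH only from the admin office range
    Rule("203.0.113.0/24", 51820, "udp"),  # WireGuard only from the admin range
]


def is_allowed(src_ip, port, proto, policy=POLICY):
    """True only when an explicit rule matches; anything else is blocked."""
    ip = ipaddress.ip_address(src_ip)
    for rule in policy:
        if (proto == rule.proto and port == rule.port
                and ip in ipaddress.ip_network(rule.src)):
            return True
    return False   # default block


def to_ufw(policy=POLICY):
    """Render the same policy as ufw commands for an Ubuntu 20.04 server."""
    cmds = ["ufw default deny incoming", "ufw default allow outgoing"]
    for r in policy:
        src = "any" if r.src == "0.0.0.0/0" else r.src
        cmds.append(f"ufw allow from {src} to any port {r.port} proto {r.proto}")
    cmds.append("ufw enable")
    return cmds


if __name__ == "__main__":
    print("\n".join(to_ufw()))
    print(is_allowed("198.51.100.7", 443, "tcp"))   # customer over HTTPS: allowed
    print(is_allowed("198.51.100.7", 22, "tcp"))    # SSH from the internet: blocked
```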

Username/Password Policy

The best way to prevent anyone from ever guessing passwords is to make them alphanumeric. This means that every password used by employees, or even by the administrators themselves, must not be too short: it has to be at least 12 characters long. While most online portals recommend passwords of 6-8 characters, a system that houses very crucial data such as credit card information should have a higher standard.

If a password is composed of more than 10 characters and includes numbers and special characters, it will be very secure and very hard to guess. Even for a supercomputer, it would take years to crack. The problem with very long passwords, however, is that they can be hard to remember.

The solution is to let the personnel involved pick a word that they can mix with special characters and still read and remember easily. For instance, they could choose the phrase “bikingatthepark” and turn it into “B!king@t_Th3Park.” Furthermore, employees should be encouraged to change their passwords periodically, so that hackers cannot figure out a pattern and eventually guess a password.

They also have to make sure that they keep their passwords in their heads only. Sometimes, though, this is very hard to implement fully, considering that the employees may already be carrying many personal passwords in their memory. Mistyping a password too many times could have disastrous results, since the most effective systems limit the number of login attempts a user may make.

In this case, it would be wise to let users store their passwords in an encrypted file so that only authorized people can open it. Another option is to store them as picture files so that only human eyes can view them. If users choose to write their passwords on paper, they have to make sure the paper is not openly accessible to outsiders, or even to other employees in the building where they work.
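A checker for the policy described in this section (at least 12 characters, letters plus digits plus special characters, and rejection of plain dictionary phrases such as the “bikingatthepark” example), together with a keyspace-based estimate of how long exhaustive guessing would take. This is an added example, not code from the original post; the blocklist contents and the 1e12 guesses-per-second rate standing in for a “supercomputer” are assumptions.

```python
import string

MIN_LENGTH = 12
# Constructed blocklist standing in for a real dictionary-attack wordlist.
BLOCKLIST = {"bikingatthepark", "password123", "letmein2020"}


def check_password(pw):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special characters")
    if pw.lower() in BLOCKLIST:
        problems.append("found in the dictionary blocklist")
    return problems


def charset_size(pw):
    """Size of the smallest standard alphabet covering every character used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 symbols
    return size


def brute_force_years(pw, guesses_per_second=1e12):
    """Years to exhaust the whole keyspace at an assumed rate (1e12/s is a
    stand-in for a supercomputer). Dictionary shortcuts are ignored, which is
    exactly why the blocklist check above is needed as well."""
    keyspace = charset_size(pw) ** len(pw)
    return keyspace / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("bikingatthepark", "B!king@t_Th3Park."):
        print(pw, check_password(pw), f"{brute_force_years(pw):.3g} years")
```

The lowercase phrase fails three checks and would be found by a wordlist in seconds despite a keyspace estimate of decades; the mixed-character version passes and its keyspace estimate runs to over a trillion years at the assumed rate.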


Comments

I am an IT prof. with no such expertise in network security; maybe, if I am given a related task, I will be compelled to learn. For now, I'm leaving this task to our IT services unit head. I see how you promote open source software. That's commendable.

2 years ago

I've been a fan of Linux and open source for many years now, Miz. In fact, I've been using Linux for years, ever since I owned a laptop. I rarely use Windows; it's so tacky and you can't hack that much with that OS. hehe.

2 years ago