Assignments IS3445 Security For Web

STUDENT COPY

The following sections contain student copies of the assignments. These must be distributed to students prior to the due dates for the assignments. Online students will have access to these documents in PDF format, which will be available for downloading at any time during the course.

Graded Assignment Requirements

Assignment Requirements documents provided below must be printed and distributed to students for guidance on completing the assignments and submitting them for grading.

Instructors must remind students to retain all handouts and assignment documents issued in every unit, as well as student-prepared documentation and graded deliverables. Some or all these documents will be used repeatedly across different units.

Unit 4 Discussion 1: Social Network Groups for All—“A Stupendous Idea or Security Incident Waiting to Happen?”

Learning Objectives and Outcomes
You will be able to recognize various motivations and vulnerabilities for exploiting a social network platform.

Assignment Requirements
“Social Network Groups for All” is a new online social networking platform. The company has been backed by several million dollars in venture capital funding and is expected to go online in two months. Management expects the Web site to gain over 5 million new registered users per month for the next two years.

The application allows the registered users to customize their own home page using Hypertext Markup Language (HTML) and JavaScript. Additionally, users can link up with groups of friends, business associates, family, and classmates. So instead of linking with people individually, a person links to a “group.” When someone is linked to a group, the person has direct link access to each person in the group. Each user has the option to display no personal information to non linked groups, or to allow their name, hometown, occupation, interests, and photos to be available to everyone. In fact, making information available to everyone is the default setting since so many of the people targeted by marketing will be those who use the system for business networking and finding old friends. Users can import their e-mail contact lists from various sources, including uploading an Excel spreadsheet with e-mail addresses to add to their address book. By enabling this setting, “Social Groups for All” allows users to e-mail their full contact list every time they make an update or post a message to the platform.

“Social Groups for All” also has an application programming interface (API) that allows a third party to install applications for others to use on the platform. When a user chooses to use a third party application, the user agrees to allow the application to access all personal information and available information of linked users in each linked group.

You as the newly hired Web application security analyst for “Social Groups for All” should analyze and discuss different motivations some may have to exploit weaknesses in this application:
What could be the various motivations for malicious users to exploit this platform?
How could a malicious user exploit these vulnerabilities?
You must defend your choices with valid rationale. Summarize your thoughts in a Word document and submit it to your instructor.

Required Resources
None

Submission Requirements
Format: Microsoft Word
Font: Arial, Size 12, Double-Space
Citation Style: Chicago Manual of Style
Length: 1–2 pages
Due By: Unit 4

Self-Assessment Checklist
I have shown creativity when reflecting on potential issues.
I have summarized the various motivations attackers could have for this platform.

Unit 7 Discussion 1: “Web Site Analysis—Know Your Visitors”

Learning Objectives and Outcomes
You will engage in a discussion on current methods and techniques to monitor Web applications.

Assignment Requirements
Worldwide Widget Makers sells widgets online to customers from all seven continents. It average over a million dollars a day in online sales. At a recent meeting, a senior manager asked the Web team to detail out the statistics for the last quarter. The senior manager had a list of following questions for the Web team:
How many attempted attacks have there been on the online shopping platform?
From which geographic locations do most visits to the Web site occur?
What is the most popular link that drives traffic to the site?
How many errors were experienced by users on the site?
What is the shopping cart abandonment rate?
What is the bounce rate?
How many mobile users are visiting the site?

Unfortunately, and embarrassingly, the questions could not be answered by the Web team as there is no policy or process in place to monitor the Web applications. You need to perform the following tasks:

1. Participate in a discussion to explain and defend your choices of tools or techniques that could be used to help capture this information. Take into consideration any open source or commercial tools that can adequately report on this information.
2. Discuss all additional information gained from monitoring Web traffic that may be of interest to senior manager but wasn't mentioned by the senior manager.
3. For monitoring attacks, discuss the type of attacks on the online shopping carts and make recommendations to monitor these attacks in real time.

Summarize your thoughts in a Word document and submit it to your instructor.

Required Resources
None

Submission Requirements
Format: Microsoft Word
Font: Arial, Size 12, Double-Space
Citation Style: Chicago Manual of Style
Length: 1–2 pages
Due By: Unit 7

Self-Assessment Checklist
I have recommended Web analytic tools (free or commercial) that can be used for reporting on Web site log files.
I have identified common attacks known to online shopping cart applications and made recommendations to monitor them in real time.

Unit 9 Discussion 1: “Business Anywhere—Security and the Mobile User”

Learning Objectives and Outcomes
You will be able to recognize and help mitigate risks associated with end-point communication devices.

Assignment Requirements
End-point devices such as smart phones, laptops, tablets, and even Universal Serial Bus (USB) storage drives are increasingly being used in businesses. Information technology (IT) management for National Express Packaging Company, a newly formed national service provider for overnight package delivery is considering the use of end-point communication devices for its workforce. Its requirements are as follows:
Sales team: Need to frequently check e-mail and work with contacts while traveling.
Service team: Need to check online for various packaging rates and status any time of the day, including weekends. They have mentioned that they would like the capability to chat with customers in real time and other service team members while away from their office desktop workstations.
IT team: Need to check e-mail and the status of various servers any time during the day or night.
Management: Would like to receive and send e-mail and check various travel rates or status while on the road or at home at night.

Discuss which end-point devices may be best suited for the organization and consider the risks.
Consider the following questions:
1. Should the organization provide various types of end-point devices for each department or employee depending upon the need? Why or why not?
2. What are some possible uses of end-point devices not yet mentioned by management or employees that could help employees be more productive?
3. Which end-point device(s) would you recommend?
4. What are the risks associated with the recommended device(s).
5. What processes and policies should be put in place to mitigate the associated risks?

Required Resources
None

Submission Requirements
Format: Microsoft Word
Font: Arial, Size 12, Double-Space
Citation Style: Chicago Manual of Style
Length: 1–2 pages
Due By: Unit 9

Self-Assessment Checklist
I have made a recommendation for an end-point device(s) and discussed new risks the organization could encounter.
I have expressed my opinion for having standard end-point devices or multiple types.