
Air University, Aerospace and Aviation Campus, Kamra

Department of Computer Science


BS Cyber Security Fall 2024
Semester – III
Information Assurance (CY103)
Instructor: Mr. M. Ahsan Qureshi
Assignment No: 02
Date: 13/12/2024
Total Marks: 10
Due Date: 16/12/2024
CLO: 2
Domain: C5 (Evaluating)
Graduate Attribute: 3
INSTRUCTIONS
1. Plagiarism or copy-and-pasted material will lead to cancellation of your whole assignment.
2. No late submission is allowed.
3. This is a hand-written assignment; submit the scanned PDFs.
4. Breaking any of the above rules will lead to marks deduction.
SOLUTION
Scenario:
A major retailer is preparing to launch a new online shopping platform to enhance its business operations.
This platform will enable customers to search for and purchase products online while storing their
personal and financial information. To ensure the platform operates securely and complies with national
and international security laws and standards, the retailer has hired you as an Information Assurance
analyst. Your responsibility is to evaluate the information security risks associated with the platform using
formal methodologies, assess its compliance with relevant security regulations, and propose measures to
mitigate potential threats.
Task:

Using the risk identification and assessment techniques discussed in the course, evaluate the information
security risks for the online shopping platform. Your plan should focus on assessing compliance with
relevant security laws and standards, and mitigating potential threats. Address the following components:

Assignment Task:

As an Information Assurance analyst, evaluate the information security risks for the online shopping
platform by addressing the following components:

1. Assess the critical assets on the platform that require protection.

Ans: The critical assets for the online shopping platform include:

• Customer Personal Information (PII): This includes names, addresses, email addresses, and
contact numbers. It is important to protect against identity theft, fraud, and unauthorized access.

• Customer Financial Information: This includes credit card details, bank account information, and
other sensitive payment data. This is a high-value target for cybercriminals due to its potential for
financial exploitation.

• Product Data: Information about the products being sold, including descriptions, images, and
pricing. This data is vital to the platform’s operations and customer experience.

• Transaction Records: Information about past and ongoing customer transactions. Any
modification or loss could severely affect customer trust and business operations.

• Platform Infrastructure: Servers, databases, and other hardware or software that host the
platform. If compromised, they could be used for denial-of-service attacks or data breaches.

2. Determine potential threats to the Confidentiality, Integrity, and Availability (CIA) of these assets.

Ans:

• Confidentiality:

− Data Breaches: Unauthorized access to sensitive customer data (personal and financial) via
hacking or other means.

− Insider Threats: Employees or vendors with unauthorized access to customer information.

• Integrity:

− Data Manipulation: Unauthorized modification of customer information, product listings, or
transaction details could lead to fraudulent transactions or misinformation.

− Malicious Software: Malware or ransomware attacks that can modify or corrupt critical data.

• Availability:

− Denial of Service (DoS) or Distributed Denial of Service (DDoS) Attacks: Attackers could
overwhelm the platform’s servers, causing service outages.

− Server Failures: Hardware or software failures can result in downtime, preventing customers
from accessing the platform and making purchases.

3. Assess the value of the risk using formal methodologies, as per the details given below:

The retailer indicates a 10 percent chance of an attack this year, based on an estimate of one attack every 10
years. The information security and IT departments report that if the retailer is attacked, the attack has a
50 percent chance of success based on current asset vulnerabilities and protection mechanisms. The asset
is valued at a score of 50 on a scale of 0 to 100, and information security and IT staff expect that 100
percent of the asset would be lost or compromised by a successful attack. You estimate that the
assumptions and data are 90 percent accurate. The calculated risk value is assumed to be on a scale of 0
to 5.

Ans: We can calculate the risk value using the Whitman formula, with the following inputs:

− Likelihood of an attack: 10%
− Probability of a successful attack: 50%
− Asset value: 50
− Expected loss: 100%
− Accuracy: 90%, so uncertainty: 10% (applied as 10% of the calculated value)

Risk value = (likelihood x attack success probability) x (asset value x probable loss) + uncertainty

= (10% x 50%) x (50 x 100%) + 10% of that result
= 2.5 + 0.25 = 2.75

The calculated risk value on a scale of 0 to 5 is approximately 2.75, which indicates a moderate risk level.
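The Whitman calculation above, carried through in code as an added example (not part of the original solution). It applies the uncertainty term as a fraction of the computed product, which is what makes the scenario's figures come out to 2.75, and extends the method to rank several assets; the figures for assets other than the scenario's are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskInput:
    asset: str
    likelihood: float     # probability of an attack in the period (0..1)
    success_prob: float   # probability the attack succeeds (0..1)
    asset_value: float    # relative value on the 0..100 scale
    probable_loss: float  # fraction of the asset lost on success (0..1)
    accuracy: float       # confidence in the estimates (0..1)


def whitman_risk(r: RiskInput) -> float:
    """Risk = (likelihood x success probability) x (asset value x probable loss)
    + uncertainty, where uncertainty is (1 - accuracy) of the computed product.
    Adding 10 percentage points instead (2.5 + 0.10 = 2.6) is a common slip."""
    for name in ("likelihood", "success_prob", "probable_loss", "accuracy"):
        v = getattr(r, name)
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{name} must be a fraction in [0, 1], got {v}")
    if not 0.0 <= r.asset_value <= 100.0:
        raise ValueError("asset_value must be on the 0..100 scale")
    base = (r.likelihood * r.success_prob) * (r.asset_value * r.probable_loss)
    uncertainty = (1.0 - r.accuracy) * base
    return round(base + uncertainty, 4)


def rank_assets(inputs):
    """(asset, risk) pairs, highest risk first: the order in which the
    mitigation step should consider them."""
    scored = [(r.asset, whitman_risk(r)) for r in inputs]
    return sorted(scored, key=lambda p: p[1], reverse=True)


# The assignment's figures for the financial-data asset.
SCENARIO = RiskInput("Customer financial information", 0.10, 0.50, 50, 1.0, 0.90)

# Constructed estimates for the other Q1 assets, to show the ranking step.
ASSETS = [
    SCENARIO,
    RiskInput("Customer PII (constructed)", 0.20, 0.40, 40, 1.0, 0.80),
    RiskInput("Product data (constructed)", 0.30, 0.60, 20, 0.5, 0.95),
    RiskInput("Platform infrastructure (constructed)", 0.10, 0.30, 70, 0.8, 0.85),
]

if __name__ == "__main__":
    for asset, risk in rank_assets(ASSETS):
        print(f"{risk:6.3f}  {asset}")
```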

4. Evaluate compliance with key national and international security laws and standards.

The platform needs to comply with relevant national and international security laws and standards to
ensure its legality and protect user data. Some key regulations and standards include:

• General Data Protection Regulation (GDPR): For platforms operating in the EU, GDPR mandates
stringent protection of customer data and requires platforms to obtain user consent before
collecting or processing personal data.

• Payment Card Industry Data Security Standard (PCI DSS): The platform must comply with PCI DSS
for handling payment card information securely and ensuring safe transaction processes.

• California Consumer Privacy Act (CCPA): For operations in California, this law requires companies
to protect consumer privacy and provide transparency regarding data collection practices.

• Health Insurance Portability and Accountability Act (HIPAA) (if applicable, based on the nature
of products sold): Ensures protection of sensitive health information.

• ISO/IEC 27001: International standard for information security management systems (ISMS),
which may be applicable for ensuring comprehensive risk management practices.

5. Recommend risk mitigation strategies to address identified risks while ensuring legal and regulatory
compliance.

To mitigate the identified risks while ensuring compliance with laws and standards, the following
strategies are recommended:

• Data Encryption: Use encryption for customer data, both at rest and in transit, ensuring
confidentiality and integrity.

• Multi-Factor Authentication (MFA): Implement MFA for user authentication, protecting
customer accounts from unauthorized access.

• Regular Security Audits: Conduct regular security audits and penetration testing to identify and
address vulnerabilities.

• Web Application Firewall (WAF): Deploy a WAF to prevent SQL injection, XSS, and other
web-based attacks.

• DDoS Protection: Use DDoS protection services to mitigate denial-of-service attacks and ensure
availability.

• Backups: Regularly back up critical data to ensure recovery in case of ransomware or other
attacks.

• Compliance Monitoring: Continuously monitor and update compliance with GDPR, PCI DSS, CCPA,
and other relevant laws and standards.

• Security Awareness Training: Educate employees and customers about phishing, secure browsing
practices, and other security threats.
