3. REPORT OF IDENTIFIED RISKS
3.1 Identification of risks in the system and/or security vulnerabilities
Risks or security vulnerabilities identified in Dynamic company systems include:
3.1.1 Physical location of web servers is easily accessible by employees
The company has insufficient physical controls protecting its equipment, as the location of the web servers is easily accessible by employees. According to Landoll (2011:312), humans pose a security risk to equipment. Controls over employees, visitors and outsiders should be put in place. Such controls include barriers that limit access to the physical premises and prevent unauthorized entry and removal.
3.1.2 Users are allowed to install their own software as needed
The company is exposed to Windows file system vulnerabilities as users are allowed to install their own software. The file system organises the information that users create and the operating system (OS) files that are needed to boot the system. The file system is therefore the most vital part of the operating system. Allowing users to access the file system is as good as exposing it to risk (Simpson, Backman & Corley 2011: 205). Network security controls should be in place.
3.1.3 Running Ubuntu Server 7.1, Apache version 2.2.12, with a MySQL 3.23 back-end
Microsoft SQL Server is vulnerable to SQL injection attacks that can be used to attack the system. All versions before SQL Server 2005 could allow remote users to gain System Administrator (SA) access through the SA account on the server (Simpson, Backman & Corley 2011: 209). As the company is running its server with MySQL 3.23, it is therefore exposed to the risk that users access the SA account and perform malicious activities, or that a third party accesses the SA account through users and performs malicious activities.
3.1.4 No firewall installed
The lack of a firewall exposes computers to risks such as fire that can attack hardware systems such as computers. Malware attacks pose a risk to computer software, as viruses can spread between the software on different computers in the absence of firewalls (Ciampa 2010:91). Antivirus and other malware prevention tools must be used to prevent attacks.
3.1.5 The website was developed by a third party that is responsible for releasing security patches
Most third-party applications are vulnerable to known exploits that allow malicious attackers to access the company website and launch spam and SQL injection attacks. Attackers may get access to usernames. Applications with known vulnerabilities open the company to targeted attacks (Carabott 2011).
3.2 Identification of measures/tools/methodologies to address risks and
Based on the identified risks or security vulnerabilities, and on the assessment tools that can be used to detect and stop attempts to crack computer systems, the following measures are necessary to make sure that company systems are protected from attacks:
3.2.1 Patching system
A security patch should be used to...