Research Paper Example: Information Assurance Corporation and Cybersecurity

Information Assurance is a startup medical research and Development Company. After five years of extraordinary success in the development of innovative medical and pharmaceutical products, Information Assurance is on its way to becoming a major player in the medical research and development industry. However, due to its success, Information Assurance has also become a major target of cybercriminals. Information Assurance has been the victim of cybercriminal attempts to steal intellectual property and sell it to Information Assurances competitors.

Is your time best spent reading someone else’s essay? Get a 100% original essay FROM A CERTIFIED WRITER!

Save 25%

It is suspected that the corporate network has been infiltrated from unauthorized sources more than once. In 2011, Information Assurance was falsely accused of unethical research and development practices. The false allegations resulted in the defacement of Information Assurance's public website and several Denial of Service attacks at different times over a 9 month period that brought the corporate network to its knees. These attacks had a major impact on Information Assurance's ability to conduct business and resulted in undesirable publicity for the company.

Regardless of its security problems, Information Assurance has continued to grow as a company. Its research and development departments have grown over the years, due to the expansion of the company, in proportion to the increase in its business making up over 40% of the human resources. Information Assurances innovative research and development information is paramount to its continued success as a company. Although, no known attacks have occurred in last 18 months, the security of its network and intellectual property is still a major concern for the company.

Because Information Assurance is a still fairly young company, management has been hesitant to budget for expensive security projects. However, this point of view is beginning to change. Particularly, because one of Information Assurance's competitors, a major player in the medical of dollars in research data that was stolen from its corporate network by cyberthieves.

Introduction

Considering the security breach and cyber theft that the company experienced which eventually lead to massive loss of intellectual property. The company security software and applications seems to be very vulnerable and hence need a security testing tool hat will determine the cause and loop holes for such vulnerability. After numerous researches on a number of security testing tools and software I recommend that the company executive need to consider ZED Attack Proxy (ZAP) as one of the bet security testing tool option.

ZED Attack Proxy (ZAP)

ZED Attacker Proxy (ZAP) was developed by AWASP and it is compatible with Windows, Unix/Linux, and Macintosh platforms. It has high ease of use. It can be used as a scanner or to intercept a proxy to manually test a webpage. Its key features are traditional and AJAX spiders, Fuzzer, Web socket support and a REST based API. (https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project)

In most cases the security software development teams, uses web frameworks to develop most applications. They rely on build in security features without better understanding of the possible attacks circumstances.

During my research, I realized that ZAP is one of the best open-source tools that were developed at the Open Web Application Security Project (OWASP). The main goal of this security testing tool is to allow easy penetration testing to find vulnerabilities in web applications. Its the best for this company because it meets the requirements of the company needs.

Features of Zed Attack Proxy

The latest version of ZAP 2.x is a client that runs on Windows, Linux and MacOS and requires Java 7. The following are some of the features of the ZAP:

Intercepting Proxy

Automated Scanner

Passive Scanner

Brute Force Scanner

Fuzzer

Port Scanner

Spider

Web Sockets

REST API

Functionality

When you install ZAP, you will see a quick start tab. Then insert the URL of the company web application and start the attack

Legal disclaimer: Only run ZAP against your own environments, i.e. Test, Staging environments. It is illegal to attack websites from competitors.

Immediately you start the attack, ZAP will run through company web application and record all URLs from your domain. It will skip URLs that point to other domains. In the second step it will run different attack scenarios against the found URLs and record the results.

When you run ZAP against the web application that is running on a tomcat server, the following figure demonstrates how it looks like. From the figure bellow, ZAP found several warning of possible vulnerabilities. It lists the results in several categories. In this case we do not remove the examples folder that comes with the default Tomcat installation. ZAP will find several possible cross site scripting vulnerabilities that need to be fixed. Then select the warnings you are interested in and ZAP will show you the request and response raw data as well as hints on how to fix the vulnerability.

Configuring ZAP as a proxy

ZAP can be configured as a proxy. The figure below demonstrates the set up where ZAP is configured as the proxy into the company local web browser when browsing using the web application. This will allow ZAP to take record of all the traffic and use that traffic for a replay attack while modifying the request parameters.

For this kind of a set up to work, we need to activate ZAP as a proxy. Open ZAP-> Tools-> Local Proxy. Then configure the addresses and the port on which ZAP will record the requests.

This will take place under the following set up; Address to be localhost and port to be 8090 as seen in the figure below.

Finally, we change the local browser to use this proxy. Then this will allow browser to access the company web application. In this case ZAP will automatically record the traffic. Find the request that ZAP sends in the sites window. Then configure ZAP to attack the found URLs

The figure below shows the demonstration.

REFERENCES

(https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project)

http://ha.ckers.org/xss.html

http://www.cert.org/tech_tips/malicious_code_mitiga

tion.html

http://www.w3schools.com/HTML/html_entities.asp

http://www.iss.net/security_center/advice/Intrusion

s/2000639/default.htm

http://searchsecurity.techtarget.com/expert/Knowled gebaseAnswer/0,289625,sid14_gci1212217_tax299989,00

http://www.joelonsoftware.com/articles/Unicode.htm

Gregory, M., & Glance, D. (2013). Hacking. Security And The Networked Society, 3-49.

Hudaib, A. (2015). The Principles of Modern Attacks Analysis for Penetration. "International Journal Of Computer Science And Security, 9(2), 22--84.

Policy, P., & Policy, P. (2015). DoS website in Kali Linux using GoldenEye - blackMORE Ops. blackMORE Ops. Retrieved 23rd February 2017, from http://www.darkmoreops.com/2014/11/22/dos-website-with-goldeneye