Protecting And Managing Health Information Systems For ChemExec

Preventing Attacks on the Social Network Application

ChemExec will include a social network application that will be implemented as an individual subsystem. Ensuring security in this subsystem should be a top priority, so that the subsystem is not affected by attacks from malicious users, the privacy of its users is not violated, and their access devices are not compromised by using the application. To define the various ways the proposed web application could be protected from threats, it is crucial first to understand the types of threats the web application may be vulnerable to, and then to define how each threat can be prevented or the possibility of an attack minimised. These threats and their protection measures are:

  • SQL injection- This form of attack uses reserved SQL symbols to make the web server execute malicious queries other than the one it is intended to execute. The attack is common because it is easy: it targets SQL queries that are constructed programmatically from user input, and because most web applications are database driven, attackers can take advantage of vulnerable points in the web application to perform it. There are two ways of protecting against this form of attack;
    • Sanitizing user input– user input is sanitized to eliminate any reserved SQL symbols. Sanitization should be done both at the client side and at the server side. Parameter binding is another great way to ensure injection is prevented.
    • Granting the least possible privileges- Apart from sanitizing the user's input to secure the system, users should be granted rights and privileges only for the actions they are supposed to perform; for example, giving a normal user the privilege to drop or truncate tables is a vulnerability.
  • Cross-site scripting (XSS)- This form of attack involves placing a malicious script in a trustworthy website to cause damage to users who visit the website. There are two XSS vulnerability categories: reflected XSS and stored XSS. Reflected XSS, also known as non-persistent XSS, is an attack that sends malicious content to the server so that the malicious content is embedded in the server's response. This attack is usually used to discover whether or not the site is vulnerable so that something more complex can be planned. Stored XSS, also known as persistent XSS, is more dangerous because it can affect every user who visits the site. The attack is transmitted to the client through HTTP requests.
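The two SQL injection protections above, shown side by side as an added example (not part of the original document): a lookup built by string concatenation, the same lookup with parameter binding, and a server-side allow-list sanitizer. The table, user names and hostile input are constructed for the demonstration.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")  # constructed allow-list rule


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the social network's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Query built by concatenation: a quote in the input closes the string
    literal and the rest of the input is executed as SQL."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_bound(conn: sqlite3.Connection, username: str) -> list:
    """Parameter binding: the value travels separately from the SQL text, so
    reserved symbols in it are compared as data, never parsed as syntax."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def sanitize_username(username: str) -> str:
    """Server-side sanitization by allow-list; anything outside the expected
    character set is rejected rather than passed to the database."""
    if not USERNAME_RE.match(username):
        raise ValueError("username contains characters outside the allow-list")
    return username


if __name__ == "__main__":
    conn = make_db()
    hostile = "x' OR '1'='1"
    print(find_user_vulnerable(conn, hostile))  # every user leaks
    print(find_user_bound(conn, hostile))       # no such user: []
```

Least privilege is enforced at the database account, not in this code: the web application's login should hold only SELECT/INSERT/UPDATE on its own tables.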

XSS attacks can be prevented through filtering of the user input, as discussed under SQL injection, and escaping of dangerous content so that user content is never executed.
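How the escaping step looks when the social network renders a stored post, as an added example that is not part of the original document. It escapes each untrusted field for the context it lands in (text and attribute) and, going one step beyond the text, allow-lists the scheme of a user-supplied link, because escaping alone does not stop a javascript: URL. The post data is constructed.

```python
import html
from urllib.parse import urlsplit

# Constructed sample posts: one benign, one carrying a stored-XSS attempt in
# both the body (text context) and the author name (attribute context).
SAMPLE_POSTS = [
    {"author": "alice", "body": "Hello from the lab!", "link": "https://example.org/a?b=1&c=2"},
    {"author": 'mallory" onmouseover="alert(1)',
     "body": "<script>alert('xss')</script>",
     "link": "javascript:alert(1)"},
]


def safe_href(url: str) -> str:
    """Only http(s) links are allowed into href; everything else becomes '#'.
    The surviving URL is still escaped so '&' and quotes cannot break out."""
    url = url.strip()
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_post(post: dict) -> str:
    """Escape every untrusted field before it reaches the page.
    html.escape(quote=True) rewrites < > & " ' so the browser displays them
    instead of parsing them as markup or attribute delimiters."""
    author = html.escape(post["author"], quote=True)
    body = html.escape(post["body"], quote=True)
    href = safe_href(post["link"])
    return (f'<div class="post" data-author="{author}">'
            f'<b>{author}</b>: {body} <a href="{href}">link</a></div>')


def render_feed(posts) -> str:
    return "\n".join(render_post(p) for p in posts)


if __name__ == "__main__":
    print(render_feed(SAMPLE_POSTS))
```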

  • Insecure direct object reference- This is where an internal value or key of the application is exposed to the user, giving malicious users the ability to manipulate the internal keys to gain access to things they should not have access to. This form of attack can be prevented by obfuscating the URLs, using hash values rather than plain names, thus adding a degree of complexity to the URLs.
  • Denial of service (DOS) attacks

DOS attacks are intended to overload the server with illegitimate requests, overwhelming the machine or network resources of the host and thus preventing legitimate requests from being served. A common policy to stop this type of threat is to block the IP address from which the requests originate, using the firewall or the Apache server.
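The detection side of that policy, as an added example that is not part of the original document: count requests per source address over a short window in the Apache access log, and emit the iptables and Apache 2.4 (`Require not ip`) directives that block any address exceeding the threshold. The log lines and the threshold are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined-log prefix: client IP, identity, user, [timestamp], "request".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def build_sample_log() -> list:
    """Constructed log: one client hitting /orders 20 times a second for six
    seconds, one client making three normal requests a minute."""
    line = '{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "GET /orders HTTP/1.1" 200 512'
    lines = [line.format(ip="198.51.100.4", sec=s) for s in (1, 20, 40)]
    lines += [line.format(ip="203.0.113.7", sec=s) for s in range(6) for _ in range(20)]
    return lines


def parse_line(line: str):
    """Return (ip, epoch_seconds) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), int(ts.timestamp())


def find_flooding_ips(lines, window_s: int = 10, threshold: int = 30) -> dict:
    """Count requests per IP per fixed window; return {ip: peak_count} for every
    IP whose count in some window exceeds the threshold."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ip, epoch = parsed
            counts[(ip, epoch // window_s)] += 1
    peaks = defaultdict(int)
    for (ip, _), n in counts.items():
        peaks[ip] = max(peaks[ip], n)
    return {ip: n for ip, n in peaks.items() if n > threshold}


def block_rules(ips) -> list:
    """Firewall rule and Apache 2.4 authorization directive for each offender."""
    rules = []
    for ip in sorted(ips):
        rules.append(f"iptables -I INPUT -s {ip} -j DROP")
        rules.append(f"Require not ip {ip}")
    return rules


if __name__ == "__main__":
    print("\n".join(block_rules(find_flooding_ips(build_sample_log()))))
```

The `Require not ip` line belongs inside a `<RequireAll>` block alongside `Require all granted` in the site's Apache configuration.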

By following the measures outlined for each possible attack, the attack can be prevented or the chances of it ever happening significantly reduced.

To implement the proposed web based application, the best implementation strategy to follow is the parallel deployment strategy. Parallel deployment involves deploying the new system and using it in parallel with the old system until all the users and the organization are satisfied that the new system is working fine. This strategy is the best as it allows users to use the system while taking time to learn and adapt to it. Although using both systems can be tedious, this strategy minimizes the project risks that arise from deployment, as it is user friendly and a fool-proof strategy.

Direct Conversion

Multiple users would use the information system for managing the inventory, delivering the orders and providing service to the patients. The following instructions should be followed:

Installation of multiple servers, such that the secondary servers can act as a backup.

A secure connection should be created to enable the user to make payments for the medicine and the other hospital charges.

Advantages

The servers and the system should be backed up regularly and a restore point should be created so that no data is lost.

The system should not fail due to overload, and a load balancer should be used to reduce the risk of server overload.

Disadvantages

An estimate should be made of the hardware needed for running the information system and a budget plan created.

The server can break down or the link may fail, causing the information system to collapse.

Risk Table

Risk_1: Loss of previous records and data due to no backup or restore point

Risk_2: Malicious attack on the server due to lack of a secure connection

Risk_3: Risk of budget failure

Risk_4: Lack of security measures

Risk_5: Breakdown of the server due to lack of maintenance

Risk_7: Malfunctioning of the server due to virus attacks and spyware

Risk_8: Redundant storage of information due to lack of normalization of the database tables

Mitigation of the risk

Risk_1: The data should be backed up automatically after a regular interval of time for avoiding the loss of data

Risk_2: The ISP router should be configured with an access control list to restrict unauthorised users from accessing the server resources.

Risk_3: The activity of the user should be controlled to eliminate the risk of over-budgeting.

Risk_4: A firewall should be installed and a secure connection should be used for the transmission of data.

Risk_5: The server should be maintained and the health of the PC should be checked to eliminate the risk of sudden breakdown.

Risk_7: Antivirus software should be installed and the operating system should be kept updated to mitigate the risk.

Risk_8: A unique primary key should be used to eliminate the risk of redundant storage of the same data or information.

Risk Effect

The loss of data from the physical server would cause loss of the bank transactions and thus would have a monetary effect on the organization. The data can be misused by a third party to commit fraud with the identity of a patient in order to perform illegal activity. The confidential data can be stolen in order to collapse the project and crash the website.
