
Case: Clinic staff log on to the MHC-PMS with a username and password. The syste


Question

Case: Clinic staff log on to the MHC-PMS with a username and password. The system requires passwords to be at least eight letters long but allows any password to be set without further checking. A criminal finds out that a well-paid sports star is receiving treatment for mental health problems. He would like to gain illegal access to information in this system so that he can blackmail the star.

Task 1: For the above MHC-PMS case, suggest an example of an asset, exposure, vulnerability, attack, threat, and control.

Task 2: Assess the risks associated with that system and propose two system requirements that might reduce these risks.

(Intro to software and security) Computer handwriting, please.

Explanation / Answer

Task 1:

Asset: An asset can be a single item or a collection of data from the software perspective, or it can be a server or a database from the hardware perspective. In the case of MHC-PMS, data refers to user or admin credentials (user or admin username and password), and hardware may mean the backend server or the database. An asset should always be protected from criminal hands to protect an individual or an enterprise against data misuse.

Exposure: An exposure indicates some negligence in data protection policies, which sometimes becomes the most crucial point for data compromise. An exposure is a kind of loophole in software or a server that may exist and can eventually pave the way for a hacker to enter without anyone’s knowledge. In the above scenario, not asking for password confirmation is one such exposure.

Vulnerability: A vulnerability is a genuine mistake, either in the frontend application or in the backend system, that leads hacker(s) to create a backdoor (temporary or persistent) so as to gain access there. In other words, a vulnerability is the reason for a cyber security threat. For the above picture, the password not being alphanumeric (at least 1 capital letter, 1 small letter, 1 number and 1 special character) is definitely a vulnerability of the system – hackers can easily guess and brute-force single-word passwords using a properly created wordlist.

Attack: An attack depicts a situation where hacker(s) have already gained unauthorized access to an asset either to use it illegally or to destroy it permanently. If the target is any system, for example, a computer, or a database, or a server, the attack is called a Network Attack. If the target is any website or any web server, then the attack is called a Web Attack. In this case, as the hacker is planning to gain access to the MHC-PMS system, the attack can be depicted as a Network Attack.

Threat: When an exposure or vulnerability has enough capacity or potential to result in an attack, it can be described as a Threat. A threat can be as small as a minor Trojan, a Backdoor or a Phishing link for any social media, or as large as a mass compromise such as a DDoS (Distributed Denial of Service) attack or Ransomware.

Control: These are countermeasures or, more specifically, protection for assets, so as to minimize or eliminate future chances of data theft or hacking. For example, updating the security patches of a server, or installing a good defender or an antivirus, is an example of a control measure against Cyber Attacks.

Task 2:

Risks associated with the system are as follows:

Proposed System Requirements:
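An added example, not part of the original answer: a password-acceptance check that contrasts the case's length-only rule with one that also applies the composition rule named under Vulnerability, a username check and a common-password blocklist. The function names, the blocklist contents and the username `jsmith` are assumptions made for illustration.

```python
import re

# Constructed sample blocklist (assumption): a real deployment would load a
# large list of commonly used and previously breached passwords.
COMMON_PASSWORDS = {"password", "football", "baseball", "sunshine", "superman"}

# Undo common digit/symbol substitutions: 0->o, 1->l, 3->e, 4->a, 5->s, @->a, $->s
LEET = str.maketrans("01345@$", "oleasas")


def case_rule(password: str) -> bool:
    """The only check in the MHC-PMS case: at least eight characters."""
    return len(password) >= 8


def base_word(password: str) -> str:
    """Reduce a password to the word it was built from."""
    lowered = password.lower()
    trimmed = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)  # drop digit/symbol padding
    return trimmed.translate(LEET)


def check_password(password: str, username: str) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if not case_rule(password):
        reasons.append("shorter than eight characters")
    # Composition rule named in the answer: capital, small, number, special.
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if not all(re.search(c, password) for c in classes):
        reasons.append("missing a required character class")
    if username and username.lower() in password.lower():
        reasons.append("contains the username")
    if base_word(password) in COMMON_PASSWORDS:
        reasons.append("based on a common password")
    return reasons


if __name__ == "__main__":
    # Constructed candidates: each one passes the case's length-only rule.
    for candidate in ["football", "Password1!", "Jsmith#2024", "tram-Quiver-19-lemon"]:
        print(candidate, case_rule(candidate), check_password(candidate, "jsmith"))
```

All four candidates pass the length-only rule; the second and third also satisfy the composition rule and are rejected only by the blocklist and username checks.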