As a cyber security architect, you have been hired by the CEO of a start-up who is looking to transition to selling their goods on the Internet. A team of developers have been hired to develop the e-commerce application and are targeting launch in the next 8 weeks. The CEO is well aware of the cyber security risks applicable in the online world and the impact a cyber security incident could have on the business. Hence, he has taken the decision to hire you, a cyber security professional, early on in the development so that security can be embedded into the design. As a business, they expect to scale 10x from their current size over the next 2 years. They are very bullish on their business outlook.You are required to perform a detailed analysis of the various design choices and explain your approach and recommendations on each of them. You are required topick six (6) of the following eight (8) domains to include in your analysis.
1. Authentication
a. What are the key attack vectors applicable from an authentication perspective?
b. User authentication Process
c. Initial Password Communication and Password Reset Processd. Storage of passwords in the backend systeme. Approaches to authentication for administrative user’s v/s customers.
2. Authorisation
a. What are the key attack vectors applicable from an authorisation perspective?
b. Ability for the system to provision access on the principles of least privilege.
c. Definition of Roles and User Profiles
3. Security of Sensitive Dataa. What are the key attack vectors applicable related to storage of sensitive data?
b. Approach to store, process and transmit sensitive data
2c. Security of sensitive data at rest and in transitd. Data Retention
4. Payment Dataa. What are the key risks associated with handling of payment data?
b. Approach to be adopted for collecting and processing payments
c. How should the payment data be collected and stored?
d. What are the compliance obligations that may need to be fulfilled?
5. Network Design
a. What are the key attack vectors applicable from a network design perspective?
b. High level network design identifying the security controls to be considered
c. Ensuring adequate coverage of controls to identify/detect/prevent the applicable attack vectors.
d. Summary of the various security technologies to be considered as a part of the design.
6. Operational Security
a. What are the key attack vectors that are applicable from an operational security b. perspective?c. Outline the recommended approach to operational processes such as Patch d. Management, Vulnerability Management, Change Managemente. Provide recommendations on any tools that you would recommend to facilitate the f. process. Explain how would the tool help.
7. User Security (Employees of the start-up)
a. What are the key attack vectors that are applicable from a user/employee perspective?
b. Outline your approach to security awareness trainingsc. Provide a summary of the controls that you would seek to implement on the user d. laptops. Explain the rationale of the control.
8. Logging and Monitoringa. What are the key risks that are applicable from a logging/monitoring perspective?
b. Outline your recommended approach to logging events and monitoring for security
c. events?
d. Recommendations on tools to be considered to facilitate this process. Explain how the tools would help.
