Introduction
Security is a significant component that needs to be integrated into any organization. Assessing vulnerabilities is important so that solutions can be identified and implemented effectively. With the growing use of the internet and computer systems, insecurity has become a concern for many organizations, which has created the need for measures that close vulnerabilities. This paper focuses on the security of Amazon and looks at how the company's security posture can be assessed and its weaknesses addressed.
Footprinting information about Amazon
Amazon has established itself as an online store, a retail shop serving online clients. It is an e-commerce company that was started in 1996. The company sells many products on its website, ranging from merchandise to purchases made by corporate institutions that resell the goods; these sales are made by the company for profit. Amazon also offers third-party products, sold across various categories through its websites and mobile applications. The company also manufactures and sells electronic devices, including Kindle readers, Fire tablets, Fire TVs, and Fire Phones (Zhang et al., 2012).
The company has developed programs that enable clients to make their own sales. These sales take place on the clients' own websites, and the company has built the procedures and processes needed to support them. The company also serves developers and enterprises of all sizes through Amazon Web Services (AWS), which offers global computing, analytics, applications, and deployment services. Authors and publishers are served through the Kindle applications, which the company hosts on its website. On Kindle Direct Publishing, publishers and authors can choose to receive 70% of the royalty on their publications in exchange for making their books available on Kindle. Under this arrangement they can also make their work available through Amazon Publishing. There are also programs that enable publishers, filmmakers, authors, and application developers to publish their content and market it.
The company operates in North America and internationally. In the North America segment, the company markets its products through its websites aimed at North America. Through its international websites, the company does retail business in the international market and sells commodities on those websites. It offers platforms that enable companies and clients to sell their products on the internet, which is one of the ways the company markets its services.
One area of security concern for the company is the platforms it develops for customers. The platforms the company offers customers for selling their merchandise are a point where insecurity concerns all the parties involved: an insecure platform becomes a source of attacks on the people who use it, and this affects the business of the company's customers.
Another vulnerability the company faces lies in its online sales process. Its retail business, conducted on the online platform, is a possible avenue for attack. The company needs ways to protect the sales process and procedures that keep it protected, because its website could be attacked and transactions tampered with.
Another area of security concern is Amazon Web Services, which offers cloud computing services to customers. Cloud computing has to be addressed so that the services offered and the customer data stored are kept safe. Security threats have been reported on company websites and need to be addressed in the future, and all of these have to be assessed through the company's websites. The cloud is one place where security must be addressed; it presents many challenges because of the customer data stored on these platforms. It is important to assess and handle these issues so that the data and services on these platforms remain safe for business.
How this information could be used to attack
The information gathered during footprinting could be used to initiate an attack by providing a route to the customers' websites. By obtaining the account details of customers who have purchased from the company, an attacker could obtain customer financial information and use it to attack the company's clients. These issues affect the entire working of the website and open ways for the websites to be attacked, including the websites of the clients. Data obtained through Amazon's website would yield customer accounts and would indeed be sufficient information to attack the customers who do business with Amazon.
Another use of the footprinting information is that the customer websites could be used to harvest information about the customers of those websites. The resellers of the merchandise would have their information at the mercy of attackers, who could initiate attacks as soon as they got hold of it.
Attacks could also be initiated through Amazon Web Services and its platforms, which, if not secured, would become a source of attacks on clients. One way to assure the security of the data is to offer clients a secure cloud architecture and platforms. The easiest way for the platforms and architecture to be compromised would be for client information to be accessed through the cloud platform; because companies store client information there, it could be reached. It is important to have these issues in hand and to understand the data and information involved.
Social engineering techniques
Social engineering techniques could be used to access the company's data and carry out an attack. One social engineering attack that could be planned against the company is for an attacker to obtain details of the administrators of the cloud infrastructure of customers whose cloud is hosted at AWS. The attacker could then pose as the legitimate administrators of those companies and request access to their data, then use that access to exploit the clients' data. This technique is possible against Amazon because of the weakness of the identifying information the company requires. The company needs procedures that authenticate users and confirm that they are who they claim to be online. Because the industry trend is to require users to provide information considered personal, attackers have used that information to access customer data and attack systems. Most of this information is no longer secret, since it can be found through Google, and it enables attacks the company does not want in any part of its operations.
Social engineering can also take place by obtaining clients' login details and then accessing Amazon's system while posing as those clients. This is one of the requirements for gaining access to customer information. Amazon has not been rigorous in screening consumers and cannot tell whether consumers are who they claim to be in real life. It is hard to get an understanding of the data and of the issues associated with it.
Another social engineering technique is for an attacker to pose as a publisher. The attacker accesses author and publisher information and, with it, poses as an author, takes over the author's account, and collects the royalties paid to the author (Ghosh, 2012). The attacker would also gain access to the authors' and publishers' details, including banking details, which could then be used to attack the company.
How to thwart social engineering attacks
There are ways in which social engineering attacks against Amazon can be thwarted. One is to add further ways of authenticating users; an email address and a name are not enough to access an account. Biometric information should be used in authentication as well.
Another way is to have personal information updated continuously. Clients and customers should be asked to update their personal information regularly; by changing it, they protect the data they hold about the way they live.
A further way is to avoid having customers reveal how the company's infrastructure is built and structured, that is, to conceal the way customers reach the system. Information that would reveal how clients access data and information on the company's website also needs to be suppressed.
Countermeasures
One measure for securing and protecting data is to destroy customer information that is no longer used. The company needs ways of protecting the data held in its data environment and of strengthening that protection.
Another countermeasure is regular updating of the data infrastructure. This is one way of making sure that holes and security lapses are dealt with, so that the data is protected and accessed securely.
Another countermeasure is surprise inspections of the profiles of the users of Amazon's systems. This ensures that any attempted attack against the company is thwarted before it takes root in the company's systems.
It is also important to have an agreement with AWS users so that they know how data will be shared and who is responsible for the data they hold. One way of protecting cloud data is continuous monitoring of the infrastructure, together with a firewall that separates the company's own data from the enterprise information stored with the company.
Threats to the web server
There are threats to the web server that are dangerous to the organization, and these risks have to be assessed using the company's data and information. One attack possible against the company's web server is a brute force attack, in which the attacker repeatedly tries to gain access to the company's server in order to reach its data and information. Another is open relay, where Amazon's mail system is hijacked so that its servers start sending email to people around the world.
Another vulnerability is botnet attacks, in which attackers send malicious traffic using agent computers. There are also Denial of Service (DoS) attacks, which shut down Amazon's site: the server is jammed with data and processing requests until it can no longer process information for customers. Another possible attack is cross-site scripting, in which the attacker injects an attack into the server-side script that is then used to carry out further attacks (Kamoun & Halaweh, 2012). There is also SQL injection, which passes malicious code to the web application's database; the attacker passes the code to the database and achieves the intended attack on it.
Another attack is malware targeted at the web server so that the server stops working. The malware is installed on the web server's system and makes the server non-functional.
Another possible vulnerability is running software installations that have not been patched. Software must be kept updated so that it is safe from any type of attack.
The ninth attack possible is careless users, who can bring havoc to the server; for example, users may choose passwords that are simple and easy to guess.
The tenth vulnerability is possible failure of the web servers when service is interrupted, which brings issues and technical challenges to service delivery.
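The brute force attack listed above is one of the few web server threats that leaves a clean signal in authentication logs: many failed logins from one source in a short time, against one account or spread across several. The following is an added example, not code from the paper, showing detection logic run over a constructed sample log; the log format (ISO timestamp, LOGIN_FAIL/LOGIN_OK marker, user, source address), the sample addresses and the threshold are all assumptions.

```python
"""Brute force login detection over sample log lines.

Added example; not from the paper. The log format, the "LOGIN_FAIL" /
"LOGIN_OK" markers and the sample addresses are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (assumption: one event per line,
# ISO timestamp, result, user and source address).
SAMPLE_LOG = """\
2024-01-01T10:00:00 LOGIN_FAIL user=alice src=203.0.113.5
2024-01-01T10:00:01 LOGIN_FAIL user=alice src=203.0.113.5
2024-01-01T10:00:02 LOGIN_FAIL user=bob src=203.0.113.5
2024-01-01T10:00:03 LOGIN_FAIL user=carol src=203.0.113.5
2024-01-01T10:00:04 LOGIN_FAIL user=dave src=203.0.113.5
2024-01-01T10:00:05 LOGIN_OK user=alice src=198.51.100.7
2024-01-01T10:00:30 LOGIN_FAIL user=erin src=198.51.100.7
2024-01-01T10:20:00 LOGIN_FAIL user=erin src=198.51.100.7
this line is not an auth event and is skipped
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN_FAIL|LOGIN_OK) user=(\S+) src=(\S+)$")


def parse_line(line):
    """Return (timestamp, result, user, src), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, result, user, src = m.groups()
    return datetime.fromisoformat(ts), result, user, src


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag source addresses that reach `threshold` failed logins inside a sliding `window`.

    Returns {src: {"first_alert": iso_timestamp, "users": sorted distinct users}}.
    The distinct user list tells one account being hammered apart from a
    spray across many accounts; both are counted per source address.
    """
    recent = defaultdict(deque)      # src -> timestamps of failures still in the window
    targeted = defaultdict(set)      # src -> user names seen in failures
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if result != "LOGIN_FAIL":
            continue
        q = recent[src]
        q.append(ts)
        targeted[src].add(user)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {"first_alert": ts.isoformat(),
                           "users": sorted(targeted[src])}
    return alerts


if __name__ == "__main__":
    for src, info in detect_brute_force(SAMPLE_LOG).items():
        print(f"ALERT {src}: {len(info['users'])} accounts, first at {info['first_alert']}")
```

With the sample log, 203.0.113.5 is flagged at its fifth failure (10:00:04) against four different accounts, while 198.51.100.7 has only two failures twenty minutes apart and stays below the threshold. In practice the alert would feed a lockout or rate limit keyed on the source address rather than on the account, so that a spray across many accounts does not lock out legitimate users.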
Web application threats and vulnerabilities
One threat and vulnerability is injection, which can be LDAP or operating system injection; this affects users.
The second threat is broken session management or authentication, which occurs when sessions are managed poorly or not at all.
The third threat is cross-site scripting, where a web application takes untrusted data and pushes it to the web browser without checking its validity.
The fourth web application threat and vulnerability is insecure direct object references: the application's developers leave a reference to an internal object exposed, and attackers take advantage of that reference.
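The insecure direct object reference described above comes down to a handler that trusts an identifier from the request and never asks whether the caller owns the object. The following is an added example, not code from the paper, showing the vulnerable lookup beside the hardened one and, beyond the paper's description, the per-session indirect reference map that keeps real identifiers off the client entirely. The Order record, the ORDERS table and the user names are constructed assumptions.

```python
"""Insecure direct object reference, the ownership check that closes it, and
per-session indirect references.

Added example; not from the paper. The Order record, the ORDERS table and the
user names are constructed assumptions.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    total_cents: int


# Constructed stand-in for an orders table (assumption).
ORDERS = {
    1001: Order(1001, "alice", 4999),
    1002: Order(1002, "bob", 12000),
    1003: Order(1003, "alice", 250),
}


class AccessDenied(Exception):
    """Raised for objects the caller may not see, missing or foreign alike."""


def get_order_insecure(order_id, session_user):
    """Vulnerable: the id from the request is used as-is, so any logged-in
    user can read any order simply by changing the number."""
    order = ORDERS.get(order_id)
    if order is None:
        raise AccessDenied(order_id)
    return order


def get_order_secure(order_id, session_user):
    """Hardened: look the object up, then compare its owner with the
    authenticated user before returning it."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != session_user:
        # One response for "does not exist" and "not yours", so the id
        # space cannot be mapped by telling the two errors apart.
        raise AccessDenied(order_id)
    return order


def is_permitted(order_id, session_user):
    """Boolean view of the hardened check, convenient for tests and logging."""
    try:
        get_order_secure(order_id, session_user)
        return True
    except AccessDenied:
        return False


def make_reference_map(session_user):
    """Indirect references: give the client random per-session handles for
    its own objects only, so real ids never leave the server."""
    return {secrets.token_urlsafe(16): o.order_id
            for o in ORDERS.values() if o.owner == session_user}


def resolve_reference(handle, reference_map, session_user):
    """Translate a handle back to an order; unknown handles are denied, and the
    ownership check still runs as defence in depth."""
    order_id = reference_map.get(handle)
    if order_id is None:
        raise AccessDenied(handle)
    return get_order_secure(order_id, session_user)


if __name__ == "__main__":
    print(get_order_insecure(1002, "alice"))   # leaks bob's order to alice
    print("alice may read 1002:", is_permitted(1002, "alice"))
    handles = make_reference_map("alice")
    for h in handles:
        print(h, "->", resolve_reference(h, handles, "alice"))
```

The reference map is built per session and discarded with it, so a handle copied from one session is meaningless in another; the ownership check in the resolver is kept anyway, because the map is a convenience and the authorization decision must not depend on it alone.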
Another vulnerability is incorrect security configuration. Secure settings should be available and used for the application, and they should be considered throughout the application's operation.
The sixth vulnerability is failing to protect data deemed sensitive. Sensitive data must be protected, yet most web applications do not secure sensitive data such as credit card details.
The seventh vulnerability is the lack of a functional configuration that restricts access to the right people.
The eighth vulnerability is cross-site request forgery. The ninth and tenth are using components with known vulnerabilities, and unvalidated redirects and forwards.
SQL injection poses a threat to applications in the same way: untrusted data is passed on to the browser without the details being altered or their validity checked.
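Both the cross-site scripting item above and SQL injection are the same failure at two different trust boundaries: untrusted input is handed to an interpreter (the database, or the browser's HTML parser) in a way that lets it be read as code rather than data. The following is an added example, not code from the paper, showing the vulnerable and hardened form of each alongside a check that the hardened query treats a textbook tautology probe as a literal value; the users table, its rows and the page template are constructed assumptions.

```python
"""SQL injection and cross-site scripting at the two trust boundaries of a
web application: the database query and the HTML response.

Added example; not from the paper. The users table, its rows and the page
template are constructed assumptions.
"""
import html
import sqlite3


def setup_db():
    """Constructed in-memory users table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_user_vulnerable(conn, name):
    """Vulnerable: the input is spliced into the SQL text, so characters in it
    become part of the query's grammar instead of a value."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Hardened: a bound parameter is always sent as data; the query text the
    database parses never changes with the input."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?",
                        (name,)).fetchall()


def render_greeting_vulnerable(name):
    """Vulnerable: untrusted data is written into the page as-is, the pattern
    the cross-site scripting item describes."""
    return f"<p>Hello, {name}</p>"


def render_greeting_safe(name):
    """Hardened: output encoding for the HTML text context turns markup
    characters into entities, so the browser shows them as text."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def injection_is_neutralised(conn, probe="x' OR '1'='1"):
    """True when the safe query treats the textbook tautology probe as a
    literal name (no rows) while the vulnerable query returns every row."""
    return (find_user_safe(conn, probe) == []
            and len(find_user_vulnerable(conn, probe)) == 2)


if __name__ == "__main__":
    db = setup_db()
    print("injection neutralised by parameter binding:", injection_is_neutralised(db))
    print(render_greeting_vulnerable("<b>alice</b>"))
    print(render_greeting_safe("<b>alice</b>"))
```

Parameter binding works because the database receives the statement and the values separately and never re-parses the values; escaping quotes by hand is not an equivalent fix. Likewise html.escape is correct only for the HTML text and attribute contexts; a value placed inside a script block or a URL needs the encoding for that context.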
References
Ghosh, A. K. (Ed.). (2012). E-commerce Security and Privacy (Vol. 2). Springer Science & Business Media.
Kamoun, F., & Halaweh, M. (2012). User interface design and e-commerce security perception: an empirical study. International Journal of E-Business Research (IJEBR), 8(2), 15-32.
Zhang, Y., Deng, X., Wei, D., & Deng, Y. (2012). Assessment of E-Commerce security using AHP and evidential reasoning. Expert Systems with Applications, 39(3), 3611-3623.