DISA 3.0 Project 12 PDF
We hereby confirm that we have adhered to the guidelines issued by DAAB, ICAI for the project. We also certify that this project report is the original work of our group and each one of us has actively participated and contributed in preparing this project. We have not shared the project details or taken help in preparing the project report from anyone except members of our group.
B. Project Report (solution)
3 Background 11
4 Situation 12
8 Documents reviewed 20
9 References 21
10 Deliverables 22
12 Conclusion 27
To identify the vulnerabilities in the system, the management has decided to conduct a
vulnerability assessment and penetration testing in its IT Infrastructure system.
1. Introduction:
Shipkart has grown to become one of the largest E-commerce companies in India. The
company initially focused on online book sales before expanding into other product
categories such as consumer electronics, fashion, home essentials, groceries, and
lifestyle products. Shipkart has identified five core values - Integrity, Respect, Result
Orientation, Innovation and Collaboration – which form the foundation of their corporate
philosophy. From the way their staff work together to the way they deliver their products
and partner with their customers to ensure their success, these values underpin
everything they do. These demonstrate Shipkart’s commitment to creating a strong
corporate culture and long-term partnerships which deliver true value to their customers.
We at M/s SGG & Co LLP (“Firm”) are practicing Chartered Accountants, based at New Delhi. We have immense and vast experience in the fields of Information System Audit (“IS Audit”), drafting and implementation of IS Security Policies, Statutory Audit, Internal Audit, Tax Audit, Bank Audit and Consultancy for Project Finance, and other professional services.
CA Aditya Goyal (M.Com, FCA, DISA, CISA, LLB): The senior-most partner of our firm, having professional experience of 23 years in the fields of Statutory Audit of Corporates, Information System Audits, GRC Implementation, Statutory Audit of Nationalized Banks, IS Audit and related fields.
CA Rahul Shetty (B.Com, FCA, DISA, FAFD): A practicing Chartered Accountant for the past 20 years with immense experience in the fields of Corporate Governance, Statutory Audit in ERP environments and Forensic Audits. He has wide knowledge of CAAT techniques and their related applications.
CA Princy Jain (B.Com, FCA, DISA, CISA, LLB, LLM): The youngest partner of our firm, having professional experience of 9 years. She commands expertise in the fields of Forensic Audit, Information Systems Audit and Statutory Audit of various entities.
The company also has an IT steering committee which consists of senior executives to
direct, review, and approve IT strategic plans, oversee major initiatives, and allocate
resources. It is not involved in day-to-day management of the IT organization.
● The employees are restricted from using any kind of external devices such as pen drives or hard disks in the system.
● Employees should have a strong password and use internet searching responsibly.
● All employees are expected to comply with the IT Policy rules and guidelines while purchasing, using and maintaining any equipment or software purchased or provided by the organization.
● Any employee who notices misuse or improper use of equipment or software within the organization must inform his/her Reporting Manager(s) immediately.
● Network security is enabled in all PCs through Firewall, Web Security and Email Security software.
● Employees are expected to undertake appropriate security measures as listed in the IT Policy.
● IT Dept. is expected to maintain an incremental backup of all servers with at least 4 copies of all servers. At any time, 4 backups of all servers must be maintained.
● Employees are expected to make sure their Antivirus is updated regularly. The IT Dept. should be informed if the Antivirus expires.
● Username and password allotted to an employee will be deleted upon resignation/termination/retirement from the organization.
IT infrastructure of Shipkart
(I) Application services
This layer works as an intermediary that provides service integration between customers and information providers, given some constraint such as low price, fast services or profit maximization for a client.
This layer provides the interface for e-commerce applications such as interactive catalogs and directory support. Interactive catalogs provide a customized interface to customer applications, whereas directory services have the functions necessary for information search and access.
The middleware services are used to integrate the diversified software programs and make them talk to one another.
Network infrastructure is required for effective and efficient linkage between the customer and the supplier.
In order to safeguard against these IT risks, it is better to find out these vulnerabilities in advance, before attackers do. Though it is almost impossible to have a 100% vulnerability-free system, by removing as many vulnerabilities as possible we can increase system security.
Vulnerability Assessment and Penetration Testing is a step-by-step process. Vulnerability assessment is the process of scanning the system, software or network to find out the weaknesses and loopholes in it. These loopholes can provide a backdoor for attackers to attack the victim. Penetration testing is the next step after vulnerability assessment. Penetration testing tries to exploit the system in an authorized manner to find out the possible exploits in the system. In penetration testing, the tester intends to exploit the system and find out possible exploits.
By using vulnerabilities like SQL injection, CSRF and XSS, a hacker can compromise an account, or even the server can get compromised in the worst cases. An attacker is able to change the HTTP request generated on his own computer before it is transferred to the server. An attacker could obtain credit card details, credentials and other sensitive information by exploiting a number of vulnerabilities. They are all common, despite the security features of modern application frameworks. Therefore, it is necessary to go for Vulnerability Assessment and Penetration Testing of the organization.
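As an added illustration (example code written for this report's review, not part of the original report or of Shipkart's systems), the following Python snippet shows the SQL injection weakness mentioned above beside its parameterised fix. It uses a constructed in-memory SQLite table; the table, the user record and the function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data (assumed, not Shipkart's): one user in an in-memory table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")
    conn.commit()
    return conn

def lookup_user_vulnerable(conn, username):
    """Weak form: the client-supplied value is pasted into the SQL text.

    Whatever the client sends is parsed as SQL, so a crafted username changes
    the query's logic instead of being treated as data.
    """
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_user_hardened(conn, username):
    """Hardened form: a parameterised query.

    The value is bound separately from the SQL text, so the database never
    interprets it as SQL; it can only ever match a username literally.
    """
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

if __name__ == "__main__":
    db = make_db()
    # A request whose username field has been altered on the client side,
    # as the report notes an attacker can do before the request reaches the server.
    tampered = "' OR '1'='1"
    print("vulnerable:", lookup_user_vulnerable(db, tampered))  # matches every row
    print("hardened:  ", lookup_user_hardened(db, tampered))    # matches nothing
```

The point for the assessment is that the weak form cannot be fixed by client-side validation, since the request is under the client's control; the fix is on the server, where the query is built.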
A network system having vulnerabilities may bring a great number of network threats. These threats include Malware, Viruses, Payloads, Trojan Horses, Spyware, Rootkits, Port Scanning, Social Engineering, MAC Address Spoofing, and DoS and DDoS attacks. These threats can also be categorized as Untrusted Threats, Structured Threats, External Threats and Internal Threats, and there are a vast number of cyber-attacks other than these. Every attack has its own potential impact on networks. These attacks can take place due to the presence of vulnerabilities in the system.
⦁ Software reliability
⦁ Software quality
⦁ System Assurance
⦁ Optimum performance and capacity utilization
The vulnerabilities identified in the organization are listed under the following heads:
SSM and Co. should carry out an assessment of threats & vulnerabilities and assess the risks in Shipkart’s Information Technology Infrastructure. This will include identifying existing threats, if any, and suggesting remedial solutions and recommendations for the same to mitigate all identified risks, with the objective of enhancing the security of Information Systems.
For the effective conduct of the assessment, the following terms have been agreed upon by the management:
● The management shall make available all the information and IT policy documents to the auditors as and when they are required to be examined.
● It shall provide the Audit team with unrestricted access to the systems and data storage, and to take any information from, or deploy a test package on, the system.
● The Audit team may question or interview users at any level of the system, on prior intimation, to gain feedback and conduct the Vulnerability Assessment.
● The assignment is conducted only to provide observations with regard to the Vulnerability Assessment and Penetration Testing of the network.
The Penetration testing services should combine both manual and automated techniques to ensure Shipkart’s information assets are properly protected and that compliance requirements are being met. The vulnerabilities and risks to Shipkart, identified by performing a real-world attack, together with recommendations for remediation, should be delivered in a detailed report depicting a complete view of IT Infrastructure Security.
The IT personnel of the company shall be required to extend full cooperation for the conduct of an effective assignment. During the course of the assignment, we will require the following infrastructure:
1. Hardware
2. System Software
4. Others
b. One of the fully functional laptops provided by the company to its employees, for assessment of vulnerabilities in the hardware and other resources
● We propose to deploy a core team of 4 to 6 vulnerability assessment personnel for this assignment, in batches of 2 to 3 as per the skill sets required, under the personal direction and liaison of a partner.
● Shipkart should designate a person at a senior level to coordinate with us.
● Shipkart should also depute one person each from the systems team.
● Detailed systematic audit procedures would be finalized after completing review of the documentation and discussion with the systems staff and the users.
● In tune with the terms and scope of reference of the assignment, we will follow black box, grey box and white box approaches to identify vulnerabilities in the system.
● With the help of various tools, we would conduct penetration testing on the vulnerabilities identified.
Structured Methodology
Shipkart shall make available all the required resources on time and provide one
coordinator for interaction and clarifications as required.
Audit plan
Audit Program/procedures
1. Undertake an in-depth study and analysis of all aspects of the new system to be implemented. In doing so, the following objectives would be kept in mind while setting the overall goals:
● Identify vulnerabilities in the new system to be implemented with respect to operations, security and confidentiality of the business.
● Identify vulnerabilities based on user experience and at the user end.
● Conduct penetration testing on the vulnerabilities identified.
● Assess the exposure in terms of financial and data security while conducting penetration testing.
2. Conducting vulnerability assessment
● Static Analysis: In this technique we do not execute any test case or exploit. We analyze the code structure and contents of the system. With this technique we can find out about all types of vulnerabilities. In this technique we do not exploit the system, so this testing has no adverse effect on the system.
● Manual Testing: In this technique, we do not require any tool or software to find out vulnerabilities. The tester uses his own knowledge and experience to find out the vulnerabilities in the system. This testing can be performed with a prepared test plan (systematic manual testing) or without any test plan (exploratory manual testing).
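The static analysis described above can be partly automated. The following Python scanner is an added example (not the report's or the firm's tooling) that reads application source without executing it and flags lines where SQL text is assembled from program variables, the coding pattern behind the SQL injection finding discussed earlier. The sample source it scans is constructed for the example; the function and pattern names are assumptions.

```python
import re

# Constructed sample of application source (assumed; not Shipkart's code).
# The backslash after ''' keeps the first def on line 1 of the sample.
SAMPLE_SOURCE = '''\
def find_user(conn, name):
    sql = f"SELECT * FROM users WHERE name = '{name}'"
    return conn.execute(sql)

def find_order(conn, order_id):
    return conn.execute("SELECT * FROM orders WHERE id = ?", (order_id,))

def search(conn, term):
    query = "SELECT * FROM items WHERE title LIKE '%" + term + "%'"
    return conn.execute(query)
'''

# Only lines that carry a SQL statement keyword are of interest.
SQL_KEYWORD = re.compile(r'\b(SELECT|INSERT|UPDATE|DELETE)\b', re.IGNORECASE)

# Ways of splicing program variables into SQL text, each with the reason reported.
RISKY_PATTERNS = [
    (re.compile(r'''\bf["'].*\{'''), "f-string used to build SQL"),
    (re.compile(r'''["']\s*\+\s*\w+'''), "string concatenation into SQL"),
    (re.compile(r'\.format\('), "str.format() used to build SQL"),
    (re.compile(r'%\s*\('), "%-formatting used to build SQL"),
]

def scan_source(source):
    """Return (line_number, reason) for each SQL-building line that splices
    variables into the query text. Nothing is executed: this is a static check,
    so running it has no effect on the system under review."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if not SQL_KEYWORD.search(line):
            continue
        for pattern, reason in RISKY_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, reason))
                break  # one reason per line is enough for a finding
    return findings

if __name__ == "__main__":
    # The parameterised query in find_order is not reported; the other two are.
    for lineno, reason in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {reason}")
```

A finding from a scanner like this is a lead for the manual reviewer, not proof of exploitability: the tester confirms each flagged line by reading how the variable reaches the query, which is the manual testing step the report describes next.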
3. Penetration Testing Techniques
● Black Box Testing: In this technique, the tester does not have any prior knowledge of the network architecture or systems of the network under test. Usually black box testing is performed from the external network towards the internal network. The tester has to use his expertise and skills to perform this testing.
● Grey Box Testing: In this technique, the tester has some partial knowledge of the network under test. The tester does not have knowledge of the complete network architecture, but knows some basic information about the network and system configuration. Grey box testing is, in effect, a combination of the other two techniques. It can be performed from the internal or the external network.
● White Box Testing: Testers have complete knowledge of the network configuration and the system configuration of the network/system under test. Usually this testing is performed from the internal network. White box testing requires a deep understanding of the network or system under test and gives better results.
● Organizational Structure Policy
● Information Security Policy
● Network Security Policy
● Remote Access Policy
● Internet Access Policy
● Password Management Policy
● Privacy And Confidentiality Policy
● Ethical Standards
● Incident occurrence and Response register
● Business Continuity Plan
● Backup And Retrieval Policy
● User creation, modification and deletion policy
● Encryption policy and procedures
● Risk Assessment Policy
● Document related to Organization chart & hierarchy and job responsibility
● Access matrix circulars, guidelines issued to employees
● Findings report of Internal Audit department
● Physical Access Control Policy
● Logical Access Control Policy
● Software License Management
● Roles And Responsibilities Policy
• Guidelines that assist protection of the confidentiality, availability and integrity of Shipkart’s data, identifying specific areas of improvement and ensuring that the information systems implemented provide a safe and secure computing environment.
• Providing specific recommendations on security controls, regular checks, follow-up and best practices, which can be adopted by Shipkart as applicable.
• Providing key issues identifying areas of control weakness in the security controls implemented, with recommendations for improvement.
(I) EXECUTIVE SUMMARY
● The new system to be implemented has many benefits in terms of user experience, load capacity, data management and lower lag time.
● However, we have come across many vulnerabilities in the existing and new systems which need to be corrected.
● Major vulnerabilities have been noticed in the system programming of the operational end which may lead to huge revenue loss once exploited by attackers.
● Other major vulnerabilities have been identified on the security and confidentiality end. These vulnerabilities, if exploited, can have a huge impact on the reputation of Shipkart.
● We have provided our recommendations considering the vulnerabilities identified and also the exposure they can have. We have also provided the approximate time which may be required to fix the vulnerabilities.
On our assessment of the systems, it was found that the network tested was not secured in a manner aligned with good practices. A number of issues were identified that negatively impact the security posture of the organisation. The description of the same and recommendations on how these can be minimised have been reported.