A software solution to be used by a large organization (let us say 1000 users) can be provided by a physical network infrastructure and a private data center, or by cloud infrastructures and the Internet. Discuss the two cases and compare their effectiveness and efficiency. Introduce suitable metrics to support your points.
ABC bank had their security systems checked and updated almost three years ago and believe it is now time to call in the experts to fish out any vulnerabilities and resolve them in a suitable way. The company hired to do these checks found the following security flaws:
FLAW #1 - BROKEN AUTHENTICATION
An attacker can easily brute force user passwords by sending an unlimited number of POST requests to /login.
FLAW #2 - SENSITIVE DATA EXPOSURE
The bank's web application uses HTTP to send user credentials and passwords are stored in plain text.
FLAW #3 - BROKEN ACCESS CONTROL
A cookie containing the user's unique ID is set in the browser in order to remember the user. An attacker can easily obtain the user's ID from the transaction form and impersonate the victim.
FLAW #4 - CROSS-SITE SCRIPTING (XSS)
When a user registers with the bank, he/she gets to choose a username. This username is shown on every user's homepage, since there is a form that lists all the usernames, and they are unescaped. When the victim logs in to the home page, the script executes.
FLAW #5 - INSUFFICIENT LOGGING AND MONITORING
When a user performs a transaction, there is no logging for it, so it is difficult to reconstruct a transaction history if an attack happens. In addition, if the system crashes, all logs would be lost.
Explain why these flaws are considered to be huge threats for the bank and highlight the methods and/or techniques that can be used to fix the security issues.
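The five flaws above map directly onto well-known OWASP Top 10 categories, and the fix for each is standard. As an added example that is not part of the original question and not the bank's code, the following standard-library-only Python sketch shows one hardened implementation per flaw: a per-account lockout for the brute-force problem (flaw 1), salted PBKDF2 password hashing in place of plaintext storage (flaw 2), an HMAC-signed, expiring session token in place of a bare user ID in the cookie (flaw 3), output escaping of usernames (flaw 4), and a flushed, fsync'd JSON audit line per transaction (flaw 5). The user store, failure counter and audit sink are constructed in-memory stand-ins, and all names (`login`, `issue_session`, `audit_transaction`, the iteration count, the lockout window) are assumptions chosen for the illustration.

```python
"""Hardening sketch for the five flaws listed above.

Added example, standard library only. The user store, failure counter and
audit sink are constructed in-memory stand-ins for the bank's database, HTTP
layer and log pipeline; every name here is an assumption, not the bank's code.
"""
import hashlib
import hmac
import html
import json
import os
import secrets

PBKDF2_ITERATIONS = 600_000            # OWASP-recommended floor for PBKDF2-HMAC-SHA256
MAX_FAILED_LOGINS = 5                  # Flaw 1: lock the account after this many failures...
LOCKOUT_SECONDS = 15 * 60              # ...for this long
SESSION_KEY = secrets.token_bytes(32)  # assumed to come from a vault/KMS in production
_failures = {}                         # username -> [failure_count, locked_until] (constructed state)


# Flaw 2: store a salted, deliberately slow hash; the plaintext password is never written anywhere.
def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)   # constant-time comparison


# Flaw 1: a per-account failure counter with a temporary lockout caps brute force at
# MAX_FAILED_LOGINS guesses per LOCKOUT_SECONDS (pair it with per-IP rate limiting at the edge).
def login(users, username, password, now):
    count, locked_until = _failures.get(username, [0, 0.0])
    if now < locked_until:
        return {"ok": False, "reason": "locked"}
    record = users.get(username)
    if record is not None and verify_password(password, record["password_hash"]):
        _failures.pop(username, None)
        return {"ok": True, "session": issue_session(record["id"], now)}
    count += 1
    locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILED_LOGINS else 0.0
    _failures[username] = [count, locked_until]
    return {"ok": False, "reason": "bad_credentials"}   # same answer for unknown user and wrong password


# Flaw 3: the cookie carries an HMAC-signed, expiring token rather than the bare user ID, so
# knowing a victim's ID from the transaction form does not let an attacker forge their session.
def issue_session(user_id, now, ttl=900):
    payload = f"{user_id}.{int(now) + ttl}"
    signature = hmac.new(SESSION_KEY, payload.encode(), "sha256").hexdigest()
    return f"{payload}.{signature}"


def user_from_session(cookie, now):
    try:
        user_id, expires, signature = cookie.split(".")
    except ValueError:
        return None
    expected = hmac.new(SESSION_KEY, f"{user_id}.{expires}".encode(), "sha256").hexdigest()
    if not hmac.compare_digest(signature, expected) or now >= int(expires):
        return None
    return int(user_id)


def set_cookie_header(token):
    # Secure stops the browser sending it over HTTP (flaw 2); HttpOnly keeps it away from scripts (flaw 4).
    return f"Set-Cookie: session={token}; Secure; HttpOnly; SameSite=Strict; Path=/"


# Flaw 4: escape at output time, so a username such as "<script>...</script>" renders as inert text.
def render_user_list(usernames):
    return "<ul>" + "".join(f"<li>{html.escape(name)}</li>" for name in usernames) + "</ul>"


# Flaw 5: each transaction produces one JSON line that is flushed and fsync'd immediately, so a
# crash right after the transfer does not lose it (the file should also be shipped off-host).
def audit_transaction(sink, user_id, amount, destination, now):
    entry = {"ts": now, "event": "transfer", "user": user_id, "amount": amount, "dest": destination}
    line = json.dumps(entry, sort_keys=True)
    sink.write(line + "\n")
    sink.flush()
    try:
        os.fsync(sink.fileno())
    except (AttributeError, OSError):   # in-memory sinks and terminals have no syncable descriptor
        pass
    return line


if __name__ == "__main__":
    import sys
    import time
    users = {"alice": {"id": 42, "password_hash": hash_password("correct horse battery")}}
    now = time.time()
    result = login(users, "alice", "correct horse battery", now)
    print(set_cookie_header(result["session"]))
    print(render_user_list(["bob", "<script>alert(1)</script>"]))
    audit_transaction(sys.stdout, 42, 250, "DE89370400440532013000", now)
```

Two of the fixes cannot be shown in application code alone. The plaintext-HTTP problem in flaw 2 is solved by terminating TLS at the server and sending a `Strict-Transport-Security` header, with the `Secure` cookie flag as a backstop; and the fsync in flaw 5 only protects a log line against a crash, not against disk loss or an attacker editing the file, so the lines should be forwarded to a separate, append-only log collector as well.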