- Ameen Murtaza Siddiqui
- Khalifa Khaled Almansoori
Final Project CSE 210 | Abu Dhabi University
- Introduction
- Purpose and choice of selection
- Objectives of the company
- Strategies of the company
- Security Policies of the company
- Information Classification
- Asset Identification
- Risk Assessment: Vulnerabilities, Threats, Risks
- IT Security Plan
- Implementation Plan
- Training and Security Awareness Plan
- Maintenance and Configuration
- Lessons Learned
## Introduction

Instagram is an American photo and video sharing social media company founded in 2010. Many of its users are teens and adults, who use the platform for texting, sharing stories, posting photographs, and recording videos.
It is a large company in terms of infrastructure. Due to continuous growth, Instagram expanded its operations across the ocean, building data centers in Europe to keep latency low for a better user experience.
## Purpose and choice of selection

We chose Instagram because it is one of the most widely used social media apps and has extensive security plans to protect against cyberattacks. Instagram aims to ensure users' security when they trust the platform with their credentials and personal data.
## Objectives of the company

Instagram is trusted by people to store personal data, which is confidential. Many people use Instagram for business purposes, such as advertising, marketing, and growing their business. Instagram also allows for social use, like sharing photos, videos, and updates. This bridges the gap between celebrities, businesses, and their audiences.
## Strategies of the company

Instagram has worked hard to reach its goals, which is why it has grown faster than Facebook and other media companies. Some of the key strategies include:
- Providing bug-free software for iOS and Android users.
- Offering customizable settings for businesses on Instagram.
- Allowing users to share high-definition photos and videos.
- Developing a direct messaging feature.
- Enforcing audience-appropriate content.
- Enabling feedback and error/scam reporting.
- Releasing software and security updates regularly.
## Security Policies of the company

Security is a top priority for Instagram, as users trust the platform with their personal data and credentials. Key security policies include:
- Requiring two-factor authentication.
- Sending email verifications before major actions.
- Account verification.
- Friend request and direct message filtering to prevent scams.
- Providing logs of recent logins for intrusion awareness.
- Recommending security controls.
- Reporting accounts or content for moderation.
## Information Classification

Information Type | Classification Level |
---|---|
User security activity | Confidential |
Application information | Confidential |
User information | Restricted |
User login logs | Internal |
Credit card details | Confidential |
User activity | Public |
Active status | Restricted |
Business information and bio | Public |
History of purchases | Restricted |
User handle and profile pic | Public |
## Asset Identification

- Authentication database information
- User’s media database
- Server audit logs
- Security firewall
- Asymmetric encryption for direct messaging
- Backups
- Availability of information
- Intrusion detection systems
- Biometric scans for entry
## Risk Assessment: Vulnerabilities, Threats, Risks

Threat | Vulnerability | Asset | Impact | Likelihood | Risk |
---|---|---|---|---|---|
SQL Injection Attack (HIGH) | User data and passwords can be revealed | User data | Loss of confidentiality | Medium | Critical |
System Overheating (HIGH) | Improper cooling systems | User media database | Database unavailability | Medium | High |
DDoS Attack (MEDIUM) | Availability of Instagram services | User services | Instagram unavailability | High | Critical |
Cameras getting hacked (HIGH) | Online cameras or unencrypted cameras | Security systems | Physical security leaked | High | High |
Database firewall bypass (HIGH) | Outdated firewall | Firewalls | Intrusions into database | Medium | High |
Human interference (HIGH) | Low level of security scans | Biometric scans | Unauthorized access | Low | High |
## IT Security Plan

- System Logs: Keep logs of users who had access to security controls and track changes made to security settings.
- Backups: Regularly back up system files, settings, and confidential data to restore in case of breaches.
- Access Controls: Restrict data access based on roles to prevent unauthorized viewing.
- Risk Assessment: Perform monthly risk assessments to resolve emerging risks.
- Training: Train employees to respond to new threats.
- Security Patches: Keep security patches updated to guard against new threats.
## Implementation Plan

Risk | Implementation |
---|---|
SQL Injection | Input validation, parameterized queries, web-application firewall |
DDoS Attack | Security policies, firewall installation, software updates |
Phishing Emails | Use spam filters, raise awareness, restrict outside emails |
## Training and Security Awareness Plan

- Campaigns: Raise awareness of security risks.
- Posters: Inform employees about recent threats.
- Presentations: Train employees on risk mitigation.
- Leaflets: Distribute information on security advice.
- Emails: Alert users about data breaches.
- Meetings: Discuss security infrastructure.
- Quizzes: Reinforce knowledge with quizzes and competitions.
## Maintenance and Configuration

- Check for software updates and security patches.
- Remove unnecessary files and settings.
- Enable security controls like auditing and internal firewalls.
- Close unnecessary ports.
- Approve and apply changes with management consent.
- Perform re-assessments to identify new vulnerabilities.
## Lessons Learned

We learned that as companies grow, their infrastructure becomes more vulnerable to attacks. Regular security updates and maintenance are critical to prevent data breaches. Understanding security measures helps reduce risks and minimize the impact of future incidents.