Abstract — In this era of technology, most businesses are becoming
dependent on advanced technologies. For sustainable growth and
commercial benefits, the restaurant industry is also adopting
technically advanced systems such as restaurant management systems
and restaurant management apps. In order to manage these systems,
proper security and planning are also necessary. The system selected
for this report is the Restaurant Management System. The report is
prepared on the basis of two different security models, STRIDE and
DREAD. The primary aim of the report is to identify and analyze five
common threats related to the IT system that should be resolved for
better business efficiency. Using the STRIDE model, the security
requirements are analyzed in the report. After that, the identified
risks are rated and analyzed using the DREAD model. Based on the
consequences of the risks, some recommendations are suggested at the
end of the report. The outcome of the research is that the main
threats to RMS include POS malware, ransomware, phishing attacks,
insider threats and hackers. The mitigations for these include using
firewalls, anti-malware, anti-ransomware, spreading proper awareness
amongst the staff, monitoring employee behavior and more.
Index Terms — security threats, STRIDE model, DREAD model,
restaurant management system, data confidentiality and availability.
I. INTRODUCTION
This report depicts the importance of identifying IT security
threats and mitigating those threats in order to run a project and a
business successfully. Any system requires protection against
cyber-attacks as well as security threats. Detailed investigations in
these areas are essential. Data breaches are costly and time
consuming for the business. With the help of stronger information
security approaches, businesses can reduce the losses that they would
otherwise endure because of security breaches. Here, the restaurant
management system (RMS) will be focused on. This system has become
essential in present-day restaurants, where operations are no longer
restricted to offline spaces. The majority of restaurants function
both online and offline and have to handle a large volume of
transaction data. RMS in this context can be taken as an umbrella
term for the various restaurant management software packages and
associated processes that ensure an excellent level of service to
consumers.
Figure 1: Restaurant Management System Home Page [1]
II. RESTAURANT MANAGEMENT SYSTEM AND ITS FUNCTIONALITIES
A Restaurant Management System refers to a point of sale (POS)
application specifically developed for the food service sector.
Just like a POS system, an RMS aids in capturing transactions and
managing inventory with accuracy as well as efficiency [1]. During
the COVID period, restaurants further realized that there is a need
to have a proper system in place which could help them deal with the
changing demands of customers [2]. Thus, the RMS was taken to be a
savior which had the potential to handle sundry elements including
customer orders, menus, staff working hours and tasks, and more.
There are many benefits of RMS, some of which are listed below:
1. Tracking of sales of each item - All of the transactions
happening in a day can be recorded by systems such as an RMS. The
record can include orders, payments, promotional deals, expenses and
sales data.
2. Quick generation of financial statements - As the transactions
are captured in a digital medium, there is much less scope for
manual errors [1]. For instance, each transaction is time-stamped
and thereafter recorded with other related details such as the items
that have been sold.
3. Enhanced customer service - The majority of RMS are integrated
with features of CRM software and thus can be of much help in the
context of online booking, payments made through mobile devices and
more [3].
4. 24*7 access to data - With an RMS, stored data can be accessed
anytime and from any location, meaning that one can remain a
hands-on authority even when not on the premises of the restaurant.
5. Efficient staff management - An RMS with an employee scheduler
will be of much help in allocating a greater number of staff at peak
hours and fewer at times of downtime [2]. Then again, by proper
aggregation of sales data with the staff schedule, one will be better
able to match demand with supply and make sure that resources are
optimized.
III. IDENTIFY FIVE COMMON SECURITY THREATS
The five common security threats to RMS are as given below:
1. Hackers - Hacking is all about the activities that result in the
compromise of digital devices, including computers, phones and even
networks as a whole. Here, in the context of RMS, the threat is from
system hacking. System hacking, specifically defined, means the
compromise of computer systems and software with the aim of
targeting the computer or misusing sensitive information [4]. The
cyber-criminal will figure out a vulnerability in the system and
then launch an attack on the system to steal information. This can
be taken under the purview of an attack on the integrity of data,
because a hacker will get hold of the sensitive data and therefore
the integrity of that data will be compromised.
2. POS Malware - The main aim of POS malware is stealing information
associated with financial transactions, including credit card
information. Owing to the nature of POS devices, the routines of POS
malware are different from those of other data-stealing malware. POS
malware searches for security loopholes to enter the system; these
may be default login credentials or even compromised partner systems
[5]. Once the POS malware gets inside the RMS, it can choose which
data to snip and upload to a remote server. Most POS malware is
laced with backdoor and command-and-control features. Reports
suggest that there are currently three POS malware variants directed
at the hospitality sector, identified as RtPOS, MMon and PwnPOS [6].
As per the collected evidence, it is clear that the cyber criminals
used different remote access tools along with credential dumpers to
gain initial entry and inject the malware into the POS environment
[6]. These malware variants are developed to scrape payment card
data from Windows-based POS devices or systems. Here there is a
strong chance that a POS system such as RMS will be affected by
these malware variants and that much sensitive data relating to
payments and customer details will be compromised. But then again,
there are some limitations as well, such as that the stolen
information cannot be used to make purchases online or anything of
that sort. RMS, as already mentioned, is a POS system and thus has
to be considered in the context of POS malware. In this case the
confidentiality as well as the integrity of the data is affected.
3. Ransomware - Ransomware refers to a sort of malware that prevents
or limits users from accessing their system. There are ransomware
variants that have been taken note of for several years and are
often a means of demanding money from victims by showing an
on-screen alert [10]. Ransomware attacks are launched to gain entry
to a system, which can be any system such as an RMS. If the
restaurant does not give in to the demands of the criminal, then it
will not get hold of the data it has in its RMS. This means a huge
loss of data and a loss to the business as a whole. It can be said
that loss of data puts the reputation of the company at stake.
Ransomware can be taken under the purview of authentication and
non-repudiation. This is said in the sense that repudiation attacks
or authentication issues happen when the application or system does
not have the right controls to properly track and log the actions of
users.
4. Insider threats - Insider threats are also a concern for RMS, as
they too affect the functioning of the system. It can happen that
legitimate users access the RMS with the intention of damaging
company systems or data. There are chances of fraud as well, which
can include theft, destruction of data, improper modification and
deception [7]. All of these can happen in case the employees of the
restaurant are not happy with the management and have certain
unfulfilled demands. This can also be taken under the purview of
availability and authentication being compromised. Non-repudiation
can also be linked to this.
5. Phishing attacks - Phishing refers to the practice of
transmitting fraudulent communications which appear to come from a
trustworthy source. This is generally done by means of email [8].
There are 4 vulnerabilities with CVE IDs as given below:
• CVE-2019-18417
• CVE-2019-18416
• CVE-2019-18415
• CVE-2019-18414
Here the exploitation vector is the network. For instance, if
CVE-2019-18417 is considered, the vulnerability in the RMS allows a
remote attacker to compromise the vulnerable system. This specific
vulnerability exists when the application is unable to sanitize
user-supplied input, such as in the "Add a new food" function or
similar [9]. A remote authenticated attacker will be able to upload
as well as execute an arbitrary file on the target system. Then
again, CVE-2019-18416 corresponds to cross-site scripting. This
specific vulnerability exists because of insufficient sanitization of
user-supplied data in the Last Name field of a member. Successful
exploitation of the above-mentioned vulnerability will allow a remote
attacker to steal potentially sensitive information, make
modifications to the web page and thereafter conduct phishing and
drive-by-download attacks [9]. Phishing attacks will compromise data
confidentiality, data integrity, repudiation and authentication.
IV. ANALYSIS OF SECURITY REQUIREMENTS USING THE STRIDE MODEL
In this section, the STRIDE model has been used to characterize the
vulnerabilities. S stands for Spoofing, the impact associated with
authentication; T stands for Tampering, the impact linked with
integrity; R for Repudiation, the impact linked with
non-repudiation; I for Information disclosure, the impact linked
with confidentiality; D for Denial of service, associated with
availability; and lastly E for Elevation of privilege, linked with
authorization [11].
Table columns: Threats | Spoofing Identity | Tampering Data | Repudiation | Information Disclosure | Denial of Service | Elevation of Privilege
Hackers: ✔ ✔ ✔ ✔
POS Malware: ✔ ✔ ✔ ✔
Ransomware: ✔ ✔ ✔
Insider threats: ✔ ✔ ✔
Phishing attacks: ✔ ✔ ✔ ✔
STRIDE MODEL
(Source: created by author)
From the above table it is clear that, in the context of all of the
identified threats, there is a need to have proper security measures
in place. To stop hackers, restaurants can make use of firewalls in
their networks when using an RMS. A firewall refers to a software
program, or sometimes a piece of hardware, that serves as a barrier
to hackers and prohibits them from entering the system. Similarly, a
firewall can be used against POS malware, along with anti-malware,
anti-ransomware and other such technologies. Insider threats can be
addressed by continuous monitoring of the behavior of the staff and
of those using the systems. Proper and timely updates to the system
will also help to protect it from insider threats. Lastly, it can be
said that proper awareness amongst the employees is something that
can help prevent systems such as RMS from being targeted by cyber
criminals.
V. RISK RATING USING DREAD MODEL
In this section, the DREAD model has been used to find the
probability of risk. The full form is Damage potential,
Reproducibility, Exploitability, Affected users and lastly
Discoverability [12]. The scale of measurement is 1-3, where 1 is
low, 2 is medium and 3 is high. After rating, if the sum of the
DREAD scores is between 12 and 15 it is HIGH RISK, if it is between
8 and 11 it is MEDIUM RISK, and if it is between 5 and 7 then it is
LOW RISK.
Threats            D  R  E  A  D  Total  Rating
Hackers            3  2  3  3  2  13     High Risk
POS Malware        3  2  2  3  2  12     High Risk
Ransomware         2  3  3  3  3  14     High Risk
Insider threats    1  2  1  1  1  6      Low Risk
Phishing attacks   3  2  2  3  3  13     High Risk
Risk Rating using DREAD model
(Source: created by author)
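As an added example (not part of the report), the rating rule above applied in Python to the report's own DREAD scores, with a range check on every factor and an ordering of the threats by total, which the table does not show:

```python
# DREAD risk rating as applied in this report (added example; the 1-3 scale,
# the rating thresholds and the five scored threats are taken from the report).

# The five DREAD factors; each is scored 1 = low, 2 = medium, 3 = high.
FACTORS = ("damage", "reproducibility", "exploitability",
           "affected_users", "discoverability")


def dread_total(threat, scores):
    # scores: the five factor values in DREAD order. Reject anything outside
    # the 1-3 scale so a typo cannot silently shift a rating.
    if len(scores) != len(FACTORS):
        raise ValueError(f"{threat}: expected {len(FACTORS)} scores, got {len(scores)}")
    for name, value in zip(FACTORS, scores):
        if not (isinstance(value, int) and 1 <= value <= 3):
            raise ValueError(f"{threat}: {name}={value!r} is not in 1-3")
    return sum(scores)


def rating(total):
    # Thresholds stated in the report: 12-15 high, 8-11 medium, 5-7 low.
    if 12 <= total <= 15:
        return "High Risk"
    if 8 <= total <= 11:
        return "Medium Risk"
    if 5 <= total <= 7:
        return "Low Risk"
    raise ValueError(f"total {total} is outside the 5-15 range of five 1-3 scores")


def prioritize(threat_scores):
    # (threat, total, rating) with the highest total first: the order in which
    # the report's mitigations should be applied, not the order threats were listed.
    rated = [(t, dread_total(t, s)) for t, s in threat_scores.items()]
    rated.sort(key=lambda item: item[1], reverse=True)
    return [(t, total, rating(total)) for t, total in rated]


# The five threats exactly as scored in the report's DREAD table (D, R, E, A, D).
REPORT_SCORES = {
    "Hackers": (3, 2, 3, 3, 2),
    "POS Malware": (3, 2, 2, 3, 2),
    "Ransomware": (2, 3, 3, 3, 3),
    "Insider threats": (1, 2, 1, 1, 1),
    "Phishing attacks": (3, 2, 2, 3, 3),
}
```

Running prioritize(REPORT_SCORES) reproduces the table's totals and ratings and places Ransomware (14) ahead of the two 13-point threats.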
The mitigation techniques mentioned before, namely using firewalls,
anti-malware, anti-ransomware and proper awareness amongst the
staff, can help in this context. What is most important is being
sure that the workforce is well aware of modern threats and
vulnerabilities and has the knowledge to address them at the first
instance.
VI. RECOMMENDATIONS
The recommendations for the above situation are as follows:
1. Use of firewalls
2. Use of anti-malware and anti-ransomware software
3. Being specific with system updates
4. Spreading awareness about the cyber attacks
5. Monitoring workforce behavior
6. Appreciating employees with good and responsible cyber
etiquette.
Mitigation Strategies
(Source: created by author)
VII. CONCLUSION
The paper discussed what exactly an RMS is and how it benefits the
hospitality sector, going on to hint at the threats this system can
encounter. The five main threats that were identified are hackers,
ransomware, POS malware, insider threats and phishing attacks. From
the STRIDE and DREAD models it became clear that the identified
threats are serious and need to be addressed with security measures
such as having firewalls, anti-malware software, anti-ransomware
software, frequent security updates, spreading awareness amongst the
workforce, monitoring employee behavior and so on. It can be said
that with advancing times the methods adopted by cyber criminals are
being upgraded, and hence organizations need to be sure of the
security measures they have in place for dealing with cyber attacks.
VIII. REFERENCES
[1]. W.B.A.C. Piyatissa. Web Based Restaurant Management
System (Doctoral dissertation). 2021.
[2]. E.M. Kocaman and B.M. Türkmen. The Effects of Use of
Restaurant Management Systems Perceived by the Personnel
According to Their Demographic Characteristics. In Handbook
of Research on Smart Management for Digital Transformation
(pp. 256-274). IGI Global. 2022.
[3]. B.N. Kumar and B.S. Varun. TABLE BOOKING AND
RESTAURANT MANAGEMENT SYSTEM USING
ANDROID APPLICATION (OPSS). International Journal of
Engineering Applied Sciences and Technology, 4(12),
pp.373-378. 2020.
[4]. K.L. Hui and J. Zhou. The Economics of Hacking. 2020.
[5]. O. Or-Meir, N. Nissim, Y. Elovici, and L. Rokach,
Dynamic malware analysis in the modern era —A state of the
art survey. ACM Computing Surveys (CSUR), 52(5), pp.1-48.
2019.
[6]. “Visa Alert: POS Malware Attacks Persist”,
Bankinfosecurity.com, 2022. [Online]. Available:
https://www.bankinfosecurity.com/visa-alert-pos-malware-attacks-persist-a-15126.
[Accessed: 05- May- 2022].
[7]. N.A. Hashim, Z.Z. Abidin, N.A. Zakaria, R. Ahmad, and
A.P. Puvanasvaran. Risk assessment method for insider threats
in cyber security: A review. International Journal of Advanced
Computer Science and Applications, 9(11). 2018.
[8]. K.L. Chiew, K.S.C. Yong and C.L. Tan. A survey of
phishing attacks: Their types, vectors and technical approaches.
Expert Systems with Applications, 106, pp.1-20. 2018.
[9]. “Multiple vulnerabilities in Restaurant Management
System”, Cybersecurity-help.cz, 2022. [Online]. Available:
https://www.cybersecurity-help.cz/vdb/SB2019102506.
[Accessed: 05- May- 2022].
[10]. B.A.S. Al-rimy, M.A. Maarof, and S.Z.M. Shaid.
Ransomware threat success factors, taxonomy, and
countermeasures: A survey and research directions. Computers
& Security, 74, pp.144-166. 2018.
[11]. T. Kaneko, Y. Takahashi, T. Okubo and R. Sasaki. Threat
analysis using STRIDE with STAMP/STPA. In The
international workshop on evidence-based security and privacy
in the wild. 2018.
[12]. M.A. Naagas and T.D. Palaoag, A threat-driven approach
to modeling a campus network security. In Proceedings of the
6th International Conference on Communications and
Broadband Networking (pp. 6-12). 2018, February.