0% found this document useful (0 votes)

18 views4 pages

Phase1 Risk Identification Fix

The document outlines the risk identification and assessment phase for Zalo, a social networking platform by VNG Corporation, focusing on critical assets, threats, and vulnerabilities. Key risks identified include data leakage, DDoS attacks, and payment fraud, with the user database and ZaloPay systems being the most critical assets. The next step involves developing security policies and controls to mitigate these risks.

Uploaded by

Lê Huy

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as DOCX, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

18 views4 pages

Phase1 Risk Identification Fix

Uploaded by

Lê Huy

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as DOCX, PDF, TXT or read online on Scribd

Phase 1: Risk Identification & Assessment

1. Define the Enterprise

Zalo is a large-scale social networking and messaging platform developed by VNG Corporation.
It provides communication services such as text, voice, video calls, and mobile payment through
ZaloPay. The platform includes:
- Mobile App (iOS, Android)
- Web App (chat.zalo.me)
- Backend Services: Messaging Engine, Media, Payment, API Gateway
- Databases: SQL (user info), NoSQL (messages), Object Storage (media)
- Big Data & AI: Spam detection, recommendations, analytics

Zalo, part of VNG Corporation, aims to:

 Ensuring information security and user privacy in accordance with Vietnamese law
(Law on Cybersecurity, Decree 13/2023/ND-CP on personal data protection).
 Maintain the availability and stability of uninterrupted messaging, voice calling, and
payment services, serving tens of millions of users.
 Protect brand assets and business reputation, avoid cybersecurity incidents that affect
user trust.
 Comply with international standards in data security and payment (ISO/IEC 27001,
PCI DSS).
 Optimize user experience by applying AI and Big Data while still ensuring information
security.

2. Identify Critical Assets

Asset Description Importance

User Database Stores user profiles, contacts, High

and authentication data

Messaging System Core chat, call, and High

communication features

Payment System (ZaloPay) Manages e-wallet and High

financial transactions

Application Servers Handle all client and backend High

processes

Cloud Storage Keeps backups, media, and Medium

logs
Admin Tools Used by internal staff for Medium
moderation and maintenance

Asset Relationship Diagram

3. Identify Threats
Threat Description

Account Hijacking / Phishing Attackers steal login tokens, OTPs, or session

IDs

DDoS Attacks Overload messaging servers, disrupting user

communication

Malware / Ransomware Encrypt or destroy user or system data

Insider Threat Employees leak or misuse sensitive

information

Payment Fraud Fake or unauthorized ZaloPay transactions

Spam / Bot Abuse Automated spam messages and scams

4. Identify Vulnerabilities

- Weak password protection and missing 2FA

- Outdated system patches and unpatched software

- API endpoints misconfiguration

- Incomplete spam filtering mechanisms

- Poor access control and monitoring of admin activities

- Unsecured or unencrypted backups

- Weak session management or QR login vulnerability on the web version, which

may allow attackers to hijack sessions or reuse authentication tokens.

- Mobile app permission misuse, where excessive access to contacts, microphone,

or storage could lead to privacy leakage.

5. Qualitative Risk Assessment

Likelihood Impact (1– Asset Value Risk Value
Asset Threat Risk Level
(1–5) 5) (1–5) (L×I×A)

Data
User
Breach / 5 5 5 125 Critical
Database
Leak

Messaging
DDoS Attack 4 4 5 80 High
System

Payment
ZaloPay 3 5 5 75 High
Fraud

Insider
Admin Tools 3 4 3 36 Medium
Threat

Cloud Ransomwar
2 4 3 24 Medium
Storage e
Likelihood Impact (1– Asset Value Risk Value
Asset Threat Risk Level
(1–5) 5) (1–5) (L×I×A)

Misconfigur
API Gateway 3 3 3 27 Medium
ation Exploit

6. Summary
- Key Risks: Data leakage, DDoS disruption, and payment fraud.
- Most Critical Assets: User database and ZaloPay transaction systems.
- Next Step (Phase 2): Develop security policies and controls to mitigate risks, followed by cost-
benefit analysis for each mitigation strategy.

Unit 5 Htcs
No ratings yet
Unit 5 Htcs
5 pages
Understanding Threat Modeling Process
No ratings yet
Understanding Threat Modeling Process
7 pages
IAS New 1
No ratings yet
IAS New 1
10 pages
Part 4 and 5
No ratings yet
Part 4 and 5
17 pages
Security Control Families - Vulnerabilities and Mitigation
No ratings yet
Security Control Families - Vulnerabilities and Mitigation
16 pages
IAS New - 2
No ratings yet
IAS New - 2
11 pages
NSBM Green University: Mr. Isuru Sri Bandara
No ratings yet
NSBM Green University: Mr. Isuru Sri Bandara
8 pages
Week 7 Threat Modeling
No ratings yet
Week 7 Threat Modeling
12 pages
Web Application Sample Report
No ratings yet
Web Application Sample Report
46 pages
Cloud Risk Management for LeaseGuard
No ratings yet
Cloud Risk Management for LeaseGuard
4 pages
Building A SOC From Scratch
No ratings yet
Building A SOC From Scratch
61 pages
Fully Formatted Network Risk Assessment
No ratings yet
Fully Formatted Network Risk Assessment
5 pages
Designing A Cybersecurity Framework For Fintech Company 1
No ratings yet
Designing A Cybersecurity Framework For Fintech Company 1
26 pages
Threat Modeling and Risk Management
No ratings yet
Threat Modeling and Risk Management
13 pages
Practical Cloud Case
No ratings yet
Practical Cloud Case
8 pages
BFSI Risk Assessment Template
No ratings yet
BFSI Risk Assessment Template
39 pages
IT Security Risk Assessment Process
No ratings yet
IT Security Risk Assessment Process
4 pages
Lab #2 - Assessment Worksheet
No ratings yet
Lab #2 - Assessment Worksheet
3 pages
Security Improvement Research
No ratings yet
Security Improvement Research
4 pages
02 Sep 2025 - Report
No ratings yet
02 Sep 2025 - Report
4 pages
Cloud Computing Security Guide
No ratings yet
Cloud Computing Security Guide
27 pages
Redteam Assessment Sample Report
No ratings yet
Redteam Assessment Sample Report
80 pages
EMC Security Assignment
No ratings yet
EMC Security Assignment
5 pages
XYZ Co. Info Systems Risk Assessment
No ratings yet
XYZ Co. Info Systems Risk Assessment
5 pages
Background Information On MANGYAN SA TABLA1
No ratings yet
Background Information On MANGYAN SA TABLA1
7 pages
Least Privilege: Do Not Expose Unnecessary Services
No ratings yet
Least Privilege: Do Not Expose Unnecessary Services
7 pages
RMMM Plan
No ratings yet
RMMM Plan
2 pages
Threat Modeling With PASTA - Risk Centric Application Threat Modeling Case Studies - Tony UcedaVélez - OWASP - AppSec-Eu - 2017
50% (2)
Threat Modeling With PASTA - Risk Centric Application Threat Modeling Case Studies - Tony UcedaVélez - OWASP - AppSec-Eu - 2017
62 pages
Week 3 - Risk Management
No ratings yet
Week 3 - Risk Management
11 pages
Lab 6
No ratings yet
Lab 6
5 pages
Mastering Vulnerability Management ?
No ratings yet
Mastering Vulnerability Management ?
23 pages
Cybersecurity Assessment of OWASP Juice Shop
No ratings yet
Cybersecurity Assessment of OWASP Juice Shop
11 pages
Researcjpaper
No ratings yet
Researcjpaper
14 pages
213 15 4398infoassignment
No ratings yet
213 15 4398infoassignment
9 pages
IT Security Policy - Procedure Paper 1
No ratings yet
IT Security Policy - Procedure Paper 1
2 pages
Processunityseptember 2024 Vspptfinal 11722957560412
No ratings yet
Processunityseptember 2024 Vspptfinal 11722957560412
42 pages
Threat Risk & Vul
No ratings yet
Threat Risk & Vul
1 page
MCS601 Assessment Pack 2025 B5
No ratings yet
MCS601 Assessment Pack 2025 B5
27 pages
Discussion 3.1
No ratings yet
Discussion 3.1
5 pages
Ethical Hacking Guidelines for Alef Education
No ratings yet
Ethical Hacking Guidelines for Alef Education
5 pages
Honours IA2 - Exam - Notes
No ratings yet
Honours IA2 - Exam - Notes
9 pages
Isa Assigment 2025
No ratings yet
Isa Assigment 2025
11 pages
Cyber Security Framework V1.0
No ratings yet
Cyber Security Framework V1.0
39 pages
Asdasdasdasd
No ratings yet
Asdasdasdasd
9 pages
21CS116 SNS Assignment-1
No ratings yet
21CS116 SNS Assignment-1
6 pages
Class 2 Vulnerability Management
No ratings yet
Class 2 Vulnerability Management
11 pages
Incident Response Assignment
No ratings yet
Incident Response Assignment
4 pages
Cloud Security Best Practices Guide
No ratings yet
Cloud Security Best Practices Guide
35 pages
Mastering Web App Security - VAPT Techniques
No ratings yet
Mastering Web App Security - VAPT Techniques
8 pages
Information Security
No ratings yet
Information Security
5 pages
Cybersecurity Risk Assessment for E-commerce
No ratings yet
Cybersecurity Risk Assessment for E-commerce
3 pages
Cybersecurity Risk Management Strategies
No ratings yet
Cybersecurity Risk Management Strategies
33 pages
CISO MindMap 2025
No ratings yet
CISO MindMap 2025
1 page
02 Sep 2025 - Report
No ratings yet
02 Sep 2025 - Report
4 pages
Quoc
No ratings yet
Quoc
20 pages
Cyber Hamla
No ratings yet
Cyber Hamla
6 pages
Cyber Security Framework V1.01
100% (1)
Cyber Security Framework V1.01
42 pages
Assesment Case Study
No ratings yet
Assesment Case Study
7 pages
3E5078 Gallagher Command Centre Cryptography and Encryption TIP
No ratings yet
3E5078 Gallagher Command Centre Cryptography and Encryption TIP
22 pages
Understanding Computer Viruses and Malware
No ratings yet
Understanding Computer Viruses and Malware
11 pages
API Security Essentials
100% (1)
API Security Essentials
5 pages
ELibrary DBProject001 SCHEMA
No ratings yet
ELibrary DBProject001 SCHEMA
4 pages
ICS Session 02. LECTURE PPT - Why Cyber Security Is So Important v1
No ratings yet
ICS Session 02. LECTURE PPT - Why Cyber Security Is So Important v1
16 pages
Cybersecurity for Sri Lankan IT Pros
No ratings yet
Cybersecurity for Sri Lankan IT Pros
15 pages
Ccs-Model QP
No ratings yet
Ccs-Model QP
5 pages
Security Challenges in Cyberspace
No ratings yet
Security Challenges in Cyberspace
15 pages
Pki Structure and Applicable Documents
No ratings yet
Pki Structure and Applicable Documents
1 page
Inte 422 It Security Audit and Ethics - Kabarak University
No ratings yet
Inte 422 It Security Audit and Ethics - Kabarak University
5 pages
6 Key Data Breaches to Know in 2022
No ratings yet
6 Key Data Breaches to Know in 2022
7 pages
Information Security Terminologies Overview
No ratings yet
Information Security Terminologies Overview
46 pages
MegaCorp One Penetration Test Summary
No ratings yet
MegaCorp One Penetration Test Summary
34 pages
Cryptography and Network Security Syllabus
No ratings yet
Cryptography and Network Security Syllabus
90 pages
Authentication Service Security
No ratings yet
Authentication Service Security
12 pages
Email Security
No ratings yet
Email Security
30 pages
Private Key Hacking PDF
100% (6)
Private Key Hacking PDF
49 pages
Certificate of Incorporation-180712
No ratings yet
Certificate of Incorporation-180712
1 page
Cybersecurity Lab: Analyzing Attacks
No ratings yet
Cybersecurity Lab: Analyzing Attacks
3 pages
Common Cyber Threats and Strategies
No ratings yet
Common Cyber Threats and Strategies
17 pages
Cissp Errata PDF
No ratings yet
Cissp Errata PDF
8 pages
Security and Cryptography Video Task
No ratings yet
Security and Cryptography Video Task
1 page
Assignment On Information and Computer Security
No ratings yet
Assignment On Information and Computer Security
2 pages
Biometric Multi-Bank ATM System
100% (1)
Biometric Multi-Bank ATM System
24 pages
BCA Cyber Security Tutorial Sheet 7
No ratings yet
BCA Cyber Security Tutorial Sheet 7
1 page
Indusface WAS Premium - Advanced Systems Co. LTD
No ratings yet
Indusface WAS Premium - Advanced Systems Co. LTD
12 pages
Module 6 - Mindmap
No ratings yet
Module 6 - Mindmap
1 page
Cyber Threats Playbook For Soc Analyst 1748846018
No ratings yet
Cyber Threats Playbook For Soc Analyst 1748846018
10 pages
Lab - Visualizing The Black Hats: Objectives
No ratings yet
Lab - Visualizing The Black Hats: Objectives
3 pages
Vapt 1
No ratings yet
Vapt 1
18 pages