Symmetric encryption is a method of encrypting and decrypting data using the same secret key. Symmetric encryption is fast and efficient, but it requires a secure way of managing and distributing the keys to the users who need them. If the keys are compromised, the data is no longer secure.
One of the strategies to securely manage and distribute symmetric keys is to use HTTPS protocol for secure key transfer. HTTPS is a protocol that uses SSL/TLS to encrypt the communication between a client and a server over the Internet. HTTPS can protect the symmetric keys from being intercepted or modified by an attacker during the key transfer process. HTTPS can also authenticate the server and the client using certificates, ensuring that the keys are sent to and received by the intended parties.
To use HTTPS protocol for secure key transfer, the development team needs to implement the following steps1:
Generate a symmetric key for each user who wants to store their files on the cloud storage platform. The symmetric key will be used to encrypt and decrypt the user's files.
Generate a certificate for the cloud storage server. The certificate will contain the server's public key and other information, such as the server's domain name, the issuer, and the validity period. The certificate will be signed by a trusted certificate authority (CA), which is a third-party entity that verifies the identity and legitimacy of the server.
Install the certificate on the cloud storage server and configure the server to use HTTPS protocol for communication.
When a user wants to upload or download their files, the user's client (such as a web browser or an app) will initiate a HTTPS connection with the cloud storage server. The client will verify the server's certificate and establish a secure session with the server using SSL/TLS. The client and the server will negotiate a session key, which is a temporary symmetric key that will be used to encrypt the data exchanged during the session.
The cloud storage server will send the user's symmetric key to the user's client, encrypted with the session key. The user's client will decrypt the symmetric key with the session key and use it to encrypt or decrypt the user's files.
The user's client will store the symmetric key securely on the user's device, such as in a password-protected file or a hardware token. The user's client will also delete the session key after the session is over.
Using HTTPS protocol for secure key transfer can ensure that the symmetric keys are protected from eavesdropping, tampering, or spoofing attacks. However, this strategy also has some challenges and limitations, such as:
The development team needs to obtain and maintain valid certificates for the cloud storage server from a trusted CA, which might incur costs and administrative overhead.
The users need to trust the CA that issued the certificates for the cloud storage server and verify the certificates before accepting them.
The users need to protect their symmetric keys from being lost, stolen, or corrupted on their devices. The development team needs to provide a mechanism for key backup, recovery, or revocation in case of such events.
The users need to update their symmetric keys periodically to prevent key exhaustion or reuse attacks. The development team needs to provide a mechanism for key rotation or renewal in a secure and efficient manner.
References:
Key Management - OWASP Cheat Sheet Series
Symmetric Cryptography & Key Management: Exhaustion, Rotation, Defence
What is Key Management? How does Key Management work? | Encryption Consulting

NIST Special Publication 800-53 provides a catalog of security and privacy controls for all U.S. federal information systems except those related to national security. It is published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce.
NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA) and to help with managing cost-effective programs to protect their information and information systems.

This is a classic example of Web Parameter Tampering. This occurs when attackers manipulate parameters exchanged between client and server to exploit vulnerabilities in the application logic. In this case:
Damount and Camount are passed via URL parameters.
The web application is not validating or sanitizing the values.
Altering the values affects the transaction outcome.
This is not an SQL Injection (no SQL code shown), nor is it XSS (no script injection), and it is unrelated to Cookie Tampering (which involves browser-stored cookies).
Reference: CEH v13 eCourseware - Module 14: Hacking Web Applications # "Parameter Tampering" CEH v13 Study Guide - Web Application Attacks # "Client-side Parameter Tampering"

In CEH v13 Module 10: Vulnerability Assessment, the Vulnerability Management Lifecycle is defined with the following structured steps:
Identify assets & baseline (Step 2)
Vulnerability scanning (Step 5)
Risk assessment/prioritization (Step 6)
Remediation (Step 1)
Verification (Step 3)
Continuous monitoring (Step 4)
So the correct lifecycle flow is:
2 # 5 # 6 # 1 # 3 # 4
This ensures vulnerabilities are identified, assessed, remediated, validated, and monitored on an ongoing basis.
Reference:
Module 10 - Vulnerability Management Lifecycle
CEH iLabs: End-to-End Vulnerability Assessment and Remediation

Banner grabbing is a technique wont to gain info about a computer system on a network and the services running on its open ports. administrators will use this to take inventory of the systems and services on their network. However, an to find will use banner grabbing so as to search out network hosts that are running versions of applications and operating systems with known exploits.
Some samples of service ports used for banner grabbing are those used by Hyper Text Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP); ports 80, 21, and 25 severally. Tools normally used to perform banner grabbing are Telnet, nmap and Netcat.
For example, one may establish a connection to a target internet server using Netcat, then send an HTTP request. The response can usually contain info about the service running on the host:

This information may be used by an administrator to catalog this system, or by an intruder to narrow down a list of applicable exploits.
To prevent this, network administrators should restrict access to services on their networks and shut down unused or unnecessary services running on network hosts. Shodan is a search engine for banners grabbed from portscanning the Internet.