Cyber Security UNIT-I & UNIT-II

Download as pdf or txt
Download as pdf or txt
You are on page 1of 47

CYBER SECURITY (CSA320)

UNIT-I
INTRODUCTION
Overview of Cyber Security
Cyber security is the practice of defending computers, servers, mobile devices,
electronic systems, networks, and data from malicious attacks. It's also known as
information technology security or electronic information security. The term applies in
a variety of contexts, from business to mobile computing, and can be divided into a
few common categories.

· Network security is the practice of securing a computer network from intruders,


whether targeted attackers or opportunistic malware.

· Application security focuses on keeping software and devices free of threats. A


compromised application could provide access to the data it's designed to protect.
Successful security begins in the design stage, well before a program or device is
deployed.

· Information security protects the integrity and privacy of data, both in storage
and in transit.

· Operational security includes the processes and decisions for handling and
protecting data assets. The permissions users have when accessing a network and the
procedures that determine how and where data may be stored or shared all fall under
this umbrella.
· Disaster recovery and business continuity define how an organization responds
to a cyber-security incident or any other event that causes the loss of operations or
data. Disaster recovery policies dictate how the organization restores its operations
and information to return to the same operating capacity as before the event. Business
continuity is the plan the organization falls back on while trying to operate without
certain resources.

Cyber Threats
A cyber or cybersecurity threat is a malicious act that seeks to damage data, steal data,
or disrupt digital life in general. Cyber threats include computer viruses, data
breaches, Denial of Service (DoS) attacks, and other attack vectors. Cyber threats also
refer to the possibility of a successful cyber-attack that aims to gain unauthorized
access, damage, disrupt, or steal an information technology asset, computer network,
intellectual property, or any other form of sensitive data. Cyber threats can come from
within an organization by trusted users or from remote locations by unknown parties.

Types of cyber threats:

1. Cyber Warfare
2. Cyber Crime
3. Cyber Terrorism
4. Cyber Espionage

1. Cyber Warfare: Cyber Warfare is typically defined as a set of actions by a nation or


organization to attack countries or institutions' computer network systems with the
intention of disrupting, damaging, or destroying infrastructure by computer viruses or
denial-of-service attacks. Cyber warfare can take many forms, but all of them involve
either the destabilization or destruction of critical systems. The objective is to weaken
the target country by compromising its core systems.

This means cyber warfare may take several different shapes:

❖ Attacks on financial infrastructure


❖ Attacks on public infrastructure like dams or electrical systems
❖ Attacks on safety infrastructure like traffic signals or early warning systems
❖ Attacks against military resources or organizations

2. Cyber Crime: Cybercrime is criminal activity that either targets or uses a computer,
a computer network or a networked device. Most cybercrime is committed by
cybercriminals or hackers who want to make money. However, occasionally
cybercrime aims to damage computers or networks for reasons other than profit. These
could be political or personal.

Cybercrime can be carried out by individuals or organizations. Some cybercriminals


are organized, use advanced techniques and are highly technically skilled. Others are
novice hackers.

Types of cybercrime include:

● Email and internet fraud.

● Identity fraud (where personal information is stolen and used).

● Theft of financial or card payment data.

● Theft and sale of corporate data.

● Cyber Extortion (demanding money to prevent a threatened attack).

● Ransomware attacks (a type of cyber extortion).

● Crypto jacking (where hackers mine cryptocurrency using resources they do not

own).
3. Cyber Terrorism: Cyberterrorism is often defined as any premeditated, politically
motivated attack against information systems, programs and data that threatens
violence or results in violence. Cyber Terrorist acts are carried out using computer
servers, other devices and networks visible on the public internet. Secured government
networks and other restricted networks are often targets.

Examples of cyberterrorism include the following:

● Disruption of major websites. The intent here is to create public inconvenience


or stop traffic to websites containing content the hackers disagree with.
● Unauthorized access. Attackers often aim to disable or modify
communications that control military or other critical technology.
● Disruption of critical infrastructure systems. Threat actors try to disable or
disrupt cities, cause a public health crisis, endanger public safety or cause
massive panic and fatalities. For example, cyberterrorists might target a water
treatment plant, cause a regional power outage or disrupt a pipeline, oil
refinery or fracking operation.

4. Cyber Espionage: Cyber espionage, or cyber spying, is a type of cyberattack in


which an unauthorized user attempts to access sensitive or classified data or
intellectual property (IP) for economic gain, competitive advantage or political reasons.
Cyber espionage attacks can be motivated by monetary gain; they may also be
deployed in conjunction with military operations or as an act of cyber terrorism or
cyber warfare. The impact of cyber espionage, particularly when it is part of a broader
military or political campaign, can lead to disruption of public services and
infrastructure, as well as loss of life.

Cyber spies most commonly attempt to access the following assets:


● Research & Development data and activity
● Academic research data
● IP, such as product formulas or blueprints
● Salaries, bonus structures and other sensitive information regarding
organizational finances and expenditures
● Client or customer lists and payment structures
● Business goals, strategic plans and marketing tactics
● Political strategies, affiliations and communications
● Military intelligence

Cyber Security Vulnerabilities


The importance of cybersecurity in sustaining business operations has increased
significantly as the value of data increases every day. Organizations must successfully
prevent employee and customer data breaches if they want to develop new business
connections and sustain long-term relationships. A thorough awareness of
cybersecurity vulnerabilities and the techniques used by threat actors to access
networks is necessary to achieve this level of security. Effective vulnerability
management not only improves security programmes but also lessens the impact of
successful attacks.

Here are a few examples of cybersecurity vulnerabilities

● Missing data encryption


● Lack of security cameras
● Unlocked doors at businesses
● Unrestricted upload of dangerous files
● Code downloads without integrity checks
● Using broken algorithms

Vulnerabilities in Software
A software vulnerability is a defect in software that could allow an attacker to gain
control of a system. These defects can be because of the way the software is designed,
or because of a flaw in the way that it’s coded. An attacker first finds out if a system
has a software vulnerability by scanning it. The scan can tell the attacker what types of
software are on the system, are they up to date, and whether any of the software
packages are vulnerable. When the attacker finds that out, he or she will have a better
idea of what types of attacks to launch against the system. A successful attack would
result in the attacker being able to run malicious commands on the target system.

Coding errors could introduce several types of vulnerabilities, which include the
following:

Buffer overflows – These allow someone to put more data into an input field than
what the field is supposed to allow. An attacker can take advantage of this by placing
malicious commands into the overflow portion of the data field, which would then
execute.

SQL Injection – This could allow an attacker to inject malicious commands into the
database of a web application. The attacker can do this by entering specially-crafted
Structured Query Language commands into either a data field of a web application
form, or into the URL of the web application. If the attack is successful, the
unauthorized and unauthenticated attacker would be able to retrieve or manipulate
data from the database.
Third-party libraries – Many programmers use third-party code libraries, rather than
try to write all software from scratch. This can be a real time-saver, but it can also be
dangerous if the library has any vulnerabilities. Before using any of these libraries,
developers need to verify that they don’t have vulnerabilities.

Application Programming Interfaces – An API, which allows software programs to


communicate with each other, could also introduce a software vulnerability. Many
APIs are not set up with strict security policies, which could allow an unauthenticated
attacker to gain entry into a system.

System Administration
System administration refers to the management of one or more hardware and
software systems. The task is performed by a system administrator who monitors
system health, monitors and allocates system resources like disk space, performs
backups, provides user access, manages user accounts, monitors system security and
performs many other functions.

The system administrator’s responsibilities are diverse and involve many areas of an
organization’s technology systems. This IT professional may be responsible for some,
or all the areas listed below, depending on an organization’s structure and scope:

● Design, organize, modify, and support an organization’s computer systems,

including operating systems, business applications, security tools, web servers,


email systems, and user hardware (laptops, PCs).
● Quickly resolve any system failures and troubleshoot issues.

● Upgrade and manage hardware and software.

● Install and configure local area networks (LANs), wide area networks (WANs),

and network segments and servers, such as file servers, VPN gateways, and
intrusion detection systems.
● Ensure an uninterrupted internet connection and manage mail servers for

sending and receiving emails and file servers for saving and managing data.
● Oversee system performance and report generation.

● Manage user accounts, credentials, permissions, access rights, storage allocations,

and active directory administration.

Complex Network Architectures


Network architecture refers to a network’s structural and logical layout. It describes
how the network devices are connected and the rules that govern data transfer
between them.

Types of Networking Architecture

The two types of network architectures are used:

● Peer-To-Peer network

● Client/Server network

Peer-To-Peer network:

● Peer-To-Peer network is a network in which all the computers are linked

together with equal privilege and responsibilities for processing the data.
● Peer-To-Peer network is useful for small environments, usually up to 10

computers.

● Peer-To-Peer network has no dedicated server.

● Special permissions are assigned to each computer for sharing the resources, but

this can lead to a problem if the computer with the resource is down.

Advantages Of Peer-To-Peer Network:

● It is less costly as it does not contain any dedicated server.

● If one computer stops working, other computers will not stop working.

● It is easy to set up and maintain as each computer manages itself.

Disadvantages Of Peer-To-Peer Network:

● In the case of the Peer-To-Peer network, it does not contain the centralized

system. Therefore, it cannot back up the data as the data is different in different
locations.

● It has a security issue as the device is managed itself.


Client/Server Network:

● Client/Server network is a network model designed for the end users called

clients, to access the resources such as songs, video, etc. from a central computer
known as Server.

● The central controller is known as a server while all other computers in the

network are called clients.

● A server performs all the major operations such as security and network

management.

● A server is responsible for managing all the resources such as files, directories,

printer, etc.

Advantages Of Client/Server network:

● A Client/Server network contains the centralized system. Therefore, we can back

up the data easily.

● A Client/Server network has a dedicated server that improves the overall

performance of the whole system.


● Security is better in Client/Server network as a single server administers the

shared resources.

● It also increases the speed of sharing resources.

Disadvantages Of Client/Server network:

● Client/Server network is expensive as it requires the server with large memory.

● A server has a Network Operating System (NOS) to provide the resources to the

clients, but the cost of NOS is very high.

● It requires a dedicated network administrator to manage all the resources.

Open Access To Organizational Data


Open access is a broad international movement that seeks to grant free and open
online access to academic information, such as publications and data. A publication is
defined as 'open access' when there are no financial, legal or technical barriers to
accessing it - that is to say when anyone can read, download, copy, distribute, print,
search for and search within the information, or use it in education or in any other way
within the legal agreements. Currently, there are more than 12,000 academic journals
accessible in the Directory of Open Access Journals, and more than 3,500 archives are
included in the Directory of Open Access Repositories. About 28 percent of peer-
reviewed articles today are open access, and the number is increasing with each
passing year.

Research funders are playing an increasingly important role in accelerating the


adoption of Open Access. The Wellcome Trust in the United Kingdom has led the way,
becoming the world’s first funder to mandate open access for publication of the
research it funds. Scores of other research funders—including the largest funder of
research in the world, the United States. Academic and research institutions have also
embraced open access, with faculty at more than 850 colleges and universities voting to
adopt campus-wide open access policies. Harvard, MIT, the University of Nairobi, and
the entire University of California System have joined the ranks of institutions that
have open access mandates.

Weak Authentication
The more difficult an authentication mechanism is to defeat, the stronger it is. Clearly
the authentication strength of a system should correlate to the value of the assets it is
protecting. Two-Factor and Multi-Factor Authentication solutions are appropriate for
systems that deal with highly valued assets.

Weak Authentication describes any scenario in which the strength of the


authentication mechanism is relatively weak compared to the value of the assets being
protected.

It also describes scenarios in which the authentication mechanism is flawed or


vulnerable:

Password Strength:

The “strength” of a password is related to the potential set of combinations that would
need to be searched in order to guess it.

Thus, the following factors influence password strength:

● Length: The number of characters in the password. The greater the length, the

greater the strength.


● Character Set: The range of possible characters that can be used in the password.

The broader the range of characters, the greater the strength. It is typical for
strong password schemes to require upper- and lower-case letters, digits, and
punctuation characters.

Password Policy:

Password Policy describes the rules that are enforced regarding password strength,
changes, and re-use. An effective password policy supports strong authentication. It
is generally accepted that the each of the following will increase the integrity of the
authentication process:

● Periodically changing the password for an account makes it less likely that a

password will be compromised, or that a compromised password will be used.


This is termed password expiration.
● Prohibiting the re-use of the same (or similar) password to the one being

changed will prevent password expiration from being circumvented by users.


● Enforcing minimum strength rules for passwords will guarantee application

compliance with Password Policy.


● Prohibiting dictionary words and/or popular passwords will make password

cracking less likely.


● The use of secret questions to further demonstrate identity.

Password Cracking:

There are countless hacking tools and frameworks available to help an attacker guess a
password through an automated sequence of attempts. This is called “brute forcing”
because such tools will attempt all possible password combinations given a set of
constraints in an attempt to authenticate. An application that does not protect itself
against password cracking in some manner may be considered as having a Weak
Authentication vulnerability depending the requirements and risk-level.

Dictionary Attacks:

In addition to brute force attacks, password cracking tools also typically have the
ability to test a file of candidate passwords. This is called a dictionary attack because
the file used may actually be a dictionary of words. Passwords that can be found in a
dictionary are considered weak because they can eventually be discovered using a
dictionary attack. An application that allows dictionary words as passwords may be
considered as having a Weak Authentication vulnerability depending the application
requirements and risk-level.

Popular Passwords:

Since passwords are usually freely chosen and must be remembered, and given that
humans are lazy, passwords that are easy to remember tend to be more popular than
those that are not. In fact, some passwords become very popular and are used far
more frequently than might be expected. Although the most popular entries change
over time, you can always find a “top-N” list somewhere, like here, or here, or here.
Clearly it is in the user’s best interest to avoid the most popular passwords.

Unprotected Broadband Communications


Broadband communications are usually considered to be any technology with
transmission rates above the fastest speed available over a telephone line. Broadband
transmission systems typically provide channels for data transmissions in different
directions and by many different users. An unsecured wireless connection is one you
can access without a password. Public networks offered in places like cafes are often
open. Although these provide free wireless Internet access, using public Internet comes
with dangers. If your home Internet is open, you should consider securing wireless
access to protect your data and avoid legal trouble.

Unsecure Wi-Fi

The two types of public networks are ones that are left open by businesses and ones
that are left open by individuals. An open network from a business allows customers
to use the Internet in the establishment -- such as patrons of a coffee shop using the
network to work. An open network in a home comes from a router that hasn't been
secured. Sometimes this is unintentional, if the owner doesn't know that her network is
open. However, an unsecured wireless connection isn't always bad. Some experienced
users opt to leave their Wi-Fi open for the public to access, with proper security
precautions to protect their data and bandwidth.

Implementing Wireless Security

Every router has some wireless security features built into the settings. Log in to your
router's administration settings using your browser; if you've never done this before,
the IP address and default login details are usually on the bottom of the router. When
choosing wireless security, WPA2 is the most secure, while WEP is the easiest for
outside users to crack. Set a strong password, and only share the password with
people you trust. Some routers also offer a Guest Network setting, which allows you to
create a secure wireless network and another unsecure network, which offers you
home security and an open network for visitors or neighbors.

Safety on Public Networks

If you routinely access public networks, you can still browse safely. Avoid entering
anything sensitive, such as bank or credit card information. If you have to access this
data, consider using a virtual private network (VPN), which encrypts all the data you
send using an external server.

Poor Cyber Security Awareness


Information is easily shareable across the Internet at nearly the speed of light,
depending on network connections. In reality, someone on the other side of the world
can steal your data in the blink of an eye. Companies will do what they can to protect
your information, but you should also do what you can to keep it safe as well.

1. Outdated Software

Websites are not the only ways you can be hacked, either. Operating systems on your
computer, mobile devices or even software running your wireless network at home are
easy to compromise for hackers. Updates to software are more than just fixing
operational bugs. In many instances, these updates include fixes to vulnerabilities like
using that old copy of Windows 7 without security updates turned on could
compromise your personal data.

2. Not Understanding the Threat

One of the most common reasons why cyber-attacks cause so much damage is because
of the lack of proper understanding. A lot of people believe themselves to be immune
from threats and don’t really put thought into how dangerous attacks can become.

Even something as simple as a web browser can lead to all kinds of problems in work
and personal lifestyles. According to Kaspersky Lab, a leader in antiviral software,
attackers used web browsers 62% of the time to spread mayhem.
3. Lack of Proper Protection

One of the leading causes to how hackers gain a foothold in your systems is due to
improper protection. Remember the comment earlier about not locking your door at
night? Essentially, a lack of security software on your computer or website would be
like removing that door entirely. More than 304 million cyber-attacks were recorded in
2015. Although most of these were thwarted, it puts it into perspective just how
virulent attacks are in the world. In fact, more than 27% of all malware pieces recorded
throughout history were produced that same year.

4. Effects of Ransomware

Ransomware has been around for quite some time, but it has grown exponentially
since 2015. Essentially, this is when someone gains control of a database or computer
system and blocks its use until a “ransom” is paid. However, these kinds of attacks
only happen less than one percent of the time. To put this into perspective, the
Hollywood Presbyterian Medical Center’s network in Los Angeles was held hostage in
2016 until a $17,000 Bitcoin ransom was paid. Because of the number of lives that are
held in the balance from attacks like this, it’s much easier to extort money.

5. Evolving Software

Some forms of attacks are extremely difficult to track down and stop, even for high-
end software. For example, a polymorphic virus delivers a new payload every time it
expands. This means it essentially mutates each time making it very difficult to spot.
As many as 32% of computers with antivirus protection are infected at any given time.
This is often from new viral variants as well as polymorphic wares. All it takes is a
minor change in coding to help a virus become something new and undetectable.
Cyber Security Safeguards
It is meant by Protective measures and controls prescribed to meet the security
requirements specified for an information system. Safeguards may include security
features, management constraints, personnel security, and security of physical
structures, areas, and devices. Some major cyber security safeguards are listed below:

1. Protect Your Information & Documents

2. Be Vigilant Against Tricks

3. Protect Your Communications

4. Be on Alert for “Phishing” to Prevent Account Takeovers

5. Look Out for Fake Notification Emails from Social Media Sites

Access Control
Access control is a data security process that enables organizations to manage who is
authorized to access corporate data and resources. Secure access control uses policies
that verify users are who they claim to be and ensures appropriate control access levels
are granted to users.

1. Audit: Organizations can enforce the principle of least privilege through the access
control audit process. This enables them to gather data around user activity and
analyze that information to discover potential access violations.

2. Authentication: Authentication is the initial process of establishing the identity of a


user. For example, when a user signs in to their email service or online banking
Account with a username and password combination, their identity has been
authenticated. However, authentication alone is not sufficient to protect organizations’
data.

3. Biometrics: A biometric access control system is one that determines whether or not
to let a person into a building or a specific room based on the individual's unique
physical biometric characteristics. It works by comparing something unique about the
person—such as face, fingerprint, iris, palm, and hand geometry—to a database of
stored biometric templates about authorized users. If there is a match, the person is
allowed in; otherwise, the person is denied access. It provides significant physical
security benefits for protecting a wide variety of locations from intruders.

4. Cryptography: Cryptography is a method of protecting information and


communications through the use of codes, so that only those for whom the information
is intended can read and process it. Procedures and protocols that meet some or all of
the above criteria are known as cryptosystems. Cryptosystems are often thought to
refer only to mathematical procedures and computer programs; however, they also
include the regulation of human behavior, such as choosing hard-to-guess passwords,
logging off unused systems and not discussing sensitive procedures with outsiders.

5. Deception: Deception technology is a cybersecurity defense practice that aims to


deceive attackers by distributing a collection of traps and decoys across a system's
infrastructure to imitate genuine assets. If an intruder triggers a decoy, then the server
will log and monitor the attack vectors utilized throughout the duration of the
engagement. Deception technology provides security teams with a number of tactics
and resulting benefits to help:

● Decrease attacker dwell time on their network

● Expedite the average time to detect and remediate threats

● Reduce alert fatigue

● Produce metrics surrounding indicators of compromise (IOCs) and tactics,

techniques, and procedures (TTPs).

5. Denial of Service Filters: The DoS Filter window is used to enable or disable the
Denial of Service filter. The DoS filter automatically scans traffic passing through the
switch for well-known frames (based on packet signature) that are typically used to
conduct Denial of Service attacks to network devices. Once a frame is identified as a
threat, it is automatically dropped.

a. Open the DoS Filter subtab on the Security tab.

b. To disable DoS filtering, select Disable from the DoS Filtering drop-down list.

c. To enable DoS filtering, select Enable from the DoS Filtering drop-down list.

d. Click Apply Changes.

6. Ethical Hacking: Ethical Hacking is defined as any form of hacking that is


authorized by the owner of the target system. It can also refer to the process of taking
active security measures to defend systems from hackers with malicious intentions on
data privacy. From a technical standpoint, Ethical Hacking is the process of bypassing
or cracking security measures implemented by a system to find out vulnerabilities,
data breaches, and potential threats. It is only deemed ethical if the regional or
organizational cyber laws/rules are followed.

7. Firewalls: A firewall is a network security device that monitors incoming and


outgoing network traffic and permits or blocks data packets based on a set of security
rules. Its purpose is to establish a barrier between your internal network and incoming
traffic from external sources (such as the internet) in order to block malicious traffic
like viruses and hackers. Firewalls can either be software or hardware, though it’s best
to have both. A software firewall is a program installed on each computer and
regulates traffic through port numbers and applications, while a physical firewall is a
piece of equipment installed between your network and gateway.

8. Intrusion Detection Systems: An Intrusion Detection System (IDS) is a system that


monitors network traffic for suspicious activity and issues alerts when such activity is
discovered. It is a software application that scans a network or a system for harmful
activity or policy breaching. Although intrusion detection systems monitor networks
for potentially malicious activity, they are also disposed to false alarms. Hence,
organizations need to fine-tune their IDS products when they first install them. It
means properly setting up the intrusion detection systems to recognize what normal
traffic on the network looks like as compared to malicious activity.

Comparison of IDS with Firewalls: IDS and firewall both are related to network
security but an IDS differs from a firewall as a firewall looks outwardly for intrusions
in order to stop them from happening. Firewalls restrict access between networks to
prevent intrusion and if an attack is from inside the network it doesn’t signal. An IDS
describes a suspected intrusion once it has happened and then signals an alarm.

9. Response: It is a set of information security policies and procedures that you can
use to identify, contain, and eliminate cyberattacks. The goal of incident response is to
enable an organization to quickly detect and halt attacks, minimizing damage and
preventing future attacks of the same type. There are six steps to incident response.
These six steps occur in a cycle each time an incident occurs. The steps are:

➢ Preparation of systems and procedures

➢ Identification of incidents

➢ Containment of attackers and incident activity

➢ Eradication of attackers and re-entry options

➢ Recovery from incidents, including restoration of systems

➢ Lessons learned and application of feedback to the next round of

preparation

10. Scanning: Security scanning, or vulnerability scanning, can mean many different
things, but it can be simply described as scanning the security of a website, web-based
program, network, or file system for either vulnerabilities or unwanted file changes.
The type of security scanning required for a particular system depends on what that
system is used for. The more complicated and intricate the system or network is, the
more in-depth the security scan has to be. Security scanning can be done as a one-time
check, but most companies who incorporate this into their security practices buy a
service that continually scans their systems and networks.

11. Security Policy: Cybersecurity procedures explain the rules for how employees,
consultants, partners, board members, and other end-users access online applications
and internet resources, send data over networks, and otherwise practice responsible
security. For large organizations or those in regulated industries, a cybersecurity policy
is often dozens of pages long. For small organizations, however, a security policy
might be only a few pages and cover basic safety practices. Such practices might
include:

● Rules for using email encryption

● Steps for accessing work applications remotely

● Guidelines for creating and safeguarding passwords

● Rules on use of social media

12. Threat Management: Threat management, or cyber threat management, is a


framework often used by cybersecurity professionals to manage the life cycle of a
threat in an effort to identify and respond to it with speed and accuracy. The
foundation of threat management is a seamless integration between people, process
and technology to stay ahead of threats. Organizations that successfully adopt and
implement the threat management framework often benefit from:

● Lower risk with faster threat detection, consistent investigations and faster
response

● Continuous improvement through built-in process measurement and reporting

● Increased security team skills, effectiveness and morale.


UNIT-II
SECURING WEB APPLICATIONS, SERVICES, SERVERS
AND INTRUSION DETECTION AND PREVENTION

Introduction to Web Application Security


Web application security (also known as Web AppSec) is the idea of building websites
to function as expected, even when they are under attack. The concept involves a
collection of security controls engineered into a Web application to protect its assets
from potentially malicious agents. Web applications, like all software, inevitably
contain defects.

The following non-exhaustive list of features should be reviewed during Web


application security testing. An inappropriate implementation of each could result in
vulnerabilities, creating serious risk for your organization.

● Application and server configuration. Potential defects are related to


encryption/cryptographic configurations, Web server configurations, etc.
● Input validation and error handling. SQL injection, cross-site scripting (XSS), and
other common injection vulnerabilities are the result of poor input and output
handling.
● Authentication and session management. Vulnerabilities potentially resulting in
user impersonation. Credential strength and protection should also be
considered.
● Authorization. Testing the ability of the application to protect against vertical
and horizontal privilege escalations.
● Business logic. These are important to most applications that provide business
functionality.
● Client-side logic. With modern, JavaScript-heavy web pages, in addition to web
pages using other types of client-side technologies (e.g., Silverlight, Flash, Java
applets), this type of feature is becoming more prevalent.

Basic Security for HTTP Applications


HTTP is used to communicate over the internet, so users, information providers, and
application developers should be aware of the limitations of security. In HTTP, clients
are often privy to a large amount of personal information like: name of the user, email
address, passwords, location, Encryption key, etc. We should be careful to prevent
unintentional leakage of this personal information of the client via the HTTP protocol
to other sources.

1. Abuse of Server Log Information

In this, all the personal data of the user should be stored at the server in an encrypted
form.

2. Transfer of Sensitive Information

HTTP cannot regulate the content of data that is transferred. HTTP cannot have any
prior method to determine the sensitivity of any particular part of the information within
the context of any request. Revealing any specific software version of the server might
allow the server machine to become more vulnerable to attacks against software which
contains security holes. The Proxies which serve as a portal through the firewall of the
network should take special precaution about the transfer of header information which
is used to identify the hosts behind the firewall.
3. Encoding Sensitive Information in URL's

The source of a link could be private information, so it is strongly recommended that the
user be able to select whether or not the field of the referrer is sent.

If the page that we refer to was transferred with a source protocol, clients should not
include a Referrer field in an HTTP request.

4. Privacy Issues Connected to Accept Headers

Accept request-headers can reveal the client's information to all servers which are
accessed.

Basic security for SOAP Services


SOAP is an abbreviation that stands for Simple Object Access Protocol. SOAP is an
API messaging protocol, and SOAP security is the strategy that prevents unauthorized
access to SOAP messages and user information. Web Standards Security (WS Security)
is the main aspect of ensuring SOAP security. WS Security is the set of
principles/guidelines to regulate authentication and confidentiality procedures for
SOAP Messaging. WSS-compliant measures include digital signatures, XML
encryption, X.509 certifications, and passwords, among others. XML encryption makes
data unreadable when unauthorized users gain access.

On average, businesses lose $3.9 million in malware and ransomware attacks (3).
SOAP Security protects the sensitive data in companies’ charge from access by the
wrong hands. Basically, you integrate security into your API infrastructure to protect
the interests of your customers or clients.
SOAP Security Risks

There are several kinds of cyber-attacks and vulnerabilities, and those uniquely
targeting APIs make the bulk of SOAP security risks. Some of them include:

1. Code Injections – in SOAP, XML code injections introduce malicious code into

an application or database. Careful access control prevents these attacks.


2. Leaked/Breached Access – most attacks begin with breached or leaked access.

You must ensure SOAP messages are shown to authorized users only.
3. (Distributed) Denial of Service – DoS or DDoS attacks overwhelm web

services with overly many or long messages. Limiting message length and
volume in SOAP security prevents these attacks.
4. Cross-Site Scripting – code injection, but happens from the web application

side to the website


5. Session Hijacking – an unauthorized user obtains session ID, and that user

gains full access to the application and/or another user’s account.

Identity Management and Web Services


An identity management system (IDMS) can be used to manage the identities and
privileges of computer systems as well as people. Thus, most significant deployments
of Web services for corporate information systems will sooner or later result in the
deployment of an IDMS. The implementation of an enterprise-wide identity
management system is of great interest to corporate security for several reasons.

• An IDMS will close IT security gaps related to enrolling and terminating employees.

• The deployment of an IDMS is typically accompanied by a role-based access control


(RBAC) scheme for the information systems. Once roles are jointly defined by human
resources and business managers, and once IT security privileges are assigned to the
roles, security privileges can be automatically granted upon enrollment in the IDMS.
Privileges are also automatically changed when an employee's position changes, and
revoked automatically upon the employee's termination.

• Physical security can leverage the defined corporate roles by defining access control
privileges to match, aligning physical security more tightly with the organization's job
roles. This doesn't require the access control system to be integrated to any other
system.

• Physical security can leverage the HR enrollment of employees by integrating the


physical access control system (PACS) with the IDMS, so that access control privileges
are managed automatically along with IT privileges as HR enrolls, re-assigns and
terminates employees.

Web Services:

Web Services technology is a collection of standards and protocols designed to reduce


the amount of work it takes to accomplish integration (and thereby reduce cost and
schedule), and to provide flexible interfaces between systems that won't “break” when
one system or the other is updated or revised. IT departments are already using the
Web services approach to integration because it has many advantages over previous
approaches, and now physical security systems are beginning to use Web services to
connect to other systems as well.

Web services technology is being used to address business needs in following ways:

• Enterprise Application Integration (this is the category for PACS and IDMS
integration)
• Improved Application Development Efficiency Business Partner Integration
(suppliers, distributors, channels, etc.)

• Web Portal Integration, Business Activity Monitoring

• Extended Functionality for Web Applications

Authorization Patterns

These are security mechanisms that you can use to decide your client’s privileges
related to system resources. These system resources could be files, services, data, and
application features built on your client’s identity. One such is OAuth2.0.
Authorization Patterns are mentioned below:

1. Scattered data and scattered logic pattern: In this pattern, the data required to make
authorization decisions get scattered across the different microservices. In addition to
data, the logic behind deciding whether access is to be given to the requestor or not is
spread across the service.
The pattern given above works for a small number of microservices, but problems start
appearing when the number of services increases. The call to get data for making
authorization decisions is putting an unnecessary load on underline services, as shown
in the above diagram.

2. Centralized data and logic patterns: We can try putting all the authorization data
and logic in one place as a solution. We can then separate it from services that require
authorization. We can implement this pattern by following a common way of building
a dedicated authorization service. Another option could be to use an off-the-shelf
solution like Key cloak or Open Policy agent. Whenever services have to perform
permission checks, they turn around and ask for the authorization service.
Having a single system in charge of authorization is quite appealing. But we should
consider some essential points before finalizing the pattern as mentioned below:

● The entire authorization data is in a single place now. There could be one
possibility: either the authorization service turns into the data’s single source of
truth, or you can copy and synchronize the data from your applications to a
central place.
● The authorization data should understand the entire data model underlying
permissions related to groups, shares, folders, guests, and projects. The system
can become a bottleneck for new development if the models are constantly
changing. Any change in any microservice can ask for an update to the
authorization service. Thus, breaking the separation of concerns.
● A single service that has the responsibility for securing every type of request
needs high availability as well as low latency. Every request gets denied if the
system goes down, and every request gets slow if the system starts responding to
the queries slowly.

3. Scattered logic and central gateway data Pattern: We put all the data required for
authorization as part of every request in this pattern. Then each service will not have to
fetch data separately, which will reduce the load on underline services.
The advantage of this pattern is its architectural simplicity, and it gives them the
freedom to developers to not be concerned about the roles data or org data origin. We
can get the authorization data quickly on request, and you can also perform a
permission check instantly without any additional roundtrips.

Security Considerations
Data security consideration requires the security of data and system resources against
unauthorized access, disclosure, or corruption. Data breaches may be intentional or
unintentional but ultimately cause huge losses to the organization hence need to be
taken seriously.

5 types of data security considerations are:

1. Backing up Data

The purpose of data backup is to create extra copies of important files in a separate
storage location to act as a backup during any failure. Various factors like human
carelessness, malicious attack, or system faults trigger failure in an infrastructure.
Physical storage or cloud storage stores the backed-up data.

2. Data Archiving for Security

As a business grows, keeping track of huge amounts of data and managing them can
be tricky. Data archiving is the process of retaining inactive data at a secure place for a
long time. Such data may or may not be used in the future but are required to be stored
for its intended purpose. Archives have search facilities. Indexed makes the retrieval
fast and easy. Archives hold old information that is unnecessary for everyday tasks.
Storing such inactive information in primary storage can reduce its efficiency. Data
archive helps in reducing the load on primary storage by moving unused resources to
the archive.
3. Disposal of Data

An organization should wipe out data regularly, whether that’s cleaning inboxes or
getting rid of old databases that are no longer relevant. Data stored on physical storage
devices like hard drives, USBs, tapes must be purged before discarding.

The information stored in the cloud is destroyed to keep the organization’s private
data out of reach from criminals. Every company must do this whenever they get rid of
something that holds data.

4. Location Security

Organizations face a daunting task in deciding where to locate their business-critical


data. Since the amount of data is enormous it is stored across different devices in
multiple locations from on-premises to cloud. Knowing the location of the data center
helps in planning the location security to protect the data. Companies usually locate
their data hubs several miles outside the city. They need to look carefully into the
location restrictions.

For example, the warehouse located in a disaster-prone area poses a huge risk of data
compromise during a calamity.

5. Redundant Utilities

The data center has critical data and facilities required to keep the business up and
running. To restrict unwanted intruders from entering the data center’s perimeter,
strong security barriers must be set up. These barriers can be two-factor authentication,
access control, or leveraging CCTV surveillance. But no matter how complex the
security is there will always be some data loss. This can be due to various reasons like
employee negligence or malicious activity. Hence duplication of critical components of
the system becomes necessary. This increases the reliability of the system, improves
performance, and provides a fail-safe backup.

Challenges

For security teams, the number of controls they can implement to secure a web
application in production is limited while for the attackers, there is no limit on the
number of attack vectors they can exploit. Five most common web application security
challenges faced are:

1. Injection: Injection or SQL injection is a type of security attack in which the malicious
attacker inserts or injects a query via input data (as simple as via filling a form on the
website) from the client-side to the server. If it is successful, the attacker can read data
from the database, add new data, update data, delete some data present in the database,
issue administrator commands to carry out privileged database tasks, or even issue
commands to the operating system in some cases.

2. Broken Authentication: It is a case where the authentication system of the web


application is broken and can result in a series of security threats. This is possible if the
adversary carries out a brute force attack to disguise itself as a user, permitting the users
to use weak passwords that are either dictionary words or common passwords like
“12345678”, “password” etc. This is so common because shockingly 59% of the people
use the same passwords on all websites they use. Moreover, 90% of the passwords can
be cracked in close to 6 hours! Therefore, it is important to permit users to use strong
passwords with a combination of alphanumeric and special characters. This is also
possible due to credential stuffing, URL rewriting, or not rotating session IDs.
3. Sensitive Data Exposure: As the name suggests, this means that sensitive data stored
is leaked to malicious attackers. This information can include personal data like name,
address, gender, date of birth, personal identification numbers like Aadhaar card
number or SSN, etc., financial data like account number, credit card numbers, health-
related information, etc. This can result in a monetary loss if the attacker uses the
financial information of users to carry out online payments (in most cases to
cryptocurrency), identity theft, and reputation loss.

4. XML External Entities: This type is common to web applications that parse XML
input. It is carried out when the input in the form of XML references an external entity
but is processed by a weak XML parser. It can cause a huge loss to the brand as it can in
turn allow distributed denial of service, port scanning, server-side request forgery,
disclosure of sensitive information, etc.

5. Broken Access Control: Access control specifies limits or boundaries in which a user
is allowed to operate. For example, the root privileges are usually given to the
administrator and not the actual users. Having a broken or leaking access control system
can result in unintended information leaks, modifying details of other user accounts,
manipulating metadata, acting as the admin, unauthorized API access, etc.

Intrusion Detection and Prevention


It is a security event, or a combination of multiple security events, that constitutes a
security incident in which an intruder gains, or attempts to gain, access to a system or
system resource without having authorization to do so.

Any of the following can be considered an intrusion −

● Malware, sometimes known as ransomware, is a type of computer virus.

● Attempts to obtain unauthorized access to a system


● DDOS (Distributed Denial of Service) attacks

● Destruction of cyber-enabled equipment

● Employee security breaches that are unintentional (like moving a secure file

into a shared folder)


● Untrustworthy users, both within and external to your company

Physical Theft
A physical threat is a potential cause of an incident that can result in loss or physical
harm to the computer systems. Physical security is represented as the security of
personnel, hardware, programs, networks, and data from physical situations and
events that can support severe losses or harm to an enterprise, departments, or
organization. This contains security from fire, natural disasters, robbery, theft,
elimination, and terrorism.

There are various types of physical threats which are as follows:

Unauthorized Access − One of the most common security risks regarding


computerized information systems is the hazard of unauthorized access to confidential
information. The main concern appears to be from unwanted intruders, or hackers, who
use the current technology and their skills to divide into supposedly secure computers
or to exhaust them. A person who gains access to a data system for malicious reasons is
often termed a cracker instead of a hacker.

Computer Viruses − Computer virus is a type of nasty application written deliberately


to enter a computer without the user’s permission or knowledge, with an ability to
duplicate itself, therefore continuing to spread. Some viruses are small but duplicate
others can cause severe harm or adversely influence program and implementation of
the system.
Vandalism − Deliberate damage caused to hardware, software and data is treated as a
serious threat to information system security. The threat from destruction lies in the fact
that the organization is temporarily refused access to someone of its resources. Even
relatively minor damage to an element of a system can have an essential effect on the
organization as a whole.

Accidents − Accidental misuse or damage will be influenced over time by the attitude
and disposition of the staff in addition to the environment. Human errors have a higher
impact on information system security than do man made threats caused by purposeful
attacks. But most accidents that are serious threats to the security of information
systems can be diminished.

Abuse of Privileges
Privileged account abuse occurs when the privileges associated with a particular user
account are used inappropriately or fraudulently, either maliciously, accidentally or
through willful ignorance of policies. Privileged accounts are a gateway to critical
systems and data. Abuse of these powerful accounts can lead to the loss of sensitive
data and business intelligence, as well as downtime of systems and applications
essential for business operations.

Steps for reducing the risk of privileged account abuse:

Step 1: Continuously assess and properly manage assigned privileges

Ask your friends whether they have ever accessed information they shouldn’t have
seen. I’m sure you’ll find that many of them have. This happens because privilege
assignment is often seen as a one-time task, which it shouldn’t be. Instead, on a regular
basis, you make sure to:
● Review access rights and remove excessive permissions in accordance with the

least-privilege principle.
● Review and update permissions whenever a user’s role in the organization

changes.
● Make sure your sensitive data is not overexposed by verifying that access to it is

granted based strictly on a specific need.


● Pay special attention to your privileged accounts — who can use them and what

permissions they grant.

Step 2: Gain visibility into your IT environment

Would you know if there was a suspiciously high number of failed attempts to access a
critical file or database, or an unauthorized modification to your security groups? If
not, this step is especially important to you. Without a thorough monitoring of all
changes and user activity in the IT environment, it is impossible to detect threats,
including privilege abuse, in their early stages.

Step 3: Analyze user behavior

It’s one thing to collect data. It’s totally another to get meaningful insights out of it.
Can you tell when your users exercise their privileges outside of normal working
hours? Do you know whether their current behavior deviates from the norm? User
behavior analysis will show you anomalies that are not always obvious if you just look
at event logs.
Unauthorized Access by Outsider
Unauthorized access is when a person gains entry to a computer network, system,
application software, data, or other resources without permission. Any access to an
information system or network that violates the owner or operator’s stated security
policy is considered unauthorized access. Unauthorized access is also when legitimate
users access a resource that they do not have permission to use. The most common
reasons for unauthorized entry are to:

● Steal sensitive data


● Cause damage
● Hold data hostage as part of a ransomware attack
● Play a prank

Unauthorized Access Tactics:

Guessing passwords: Guessing passwords is a common entry vector for unauthorized


access. Manual password guessing is done using social engineering, phishing, or by
researching a person to come up with information that could be the password.

Social engineering: Cybercriminals often gain unauthorized access by taking


advantage of human vulnerabilities, convincing people to hand over credentials or
sensitive data. These attacks, known as social engineering, often involve some form of
psychological manipulation and utilize malicious links in email, pop-ups on websites,
or text messages.

Tailgating or piggybacking: Tailgating is a tactic used to gain physical access to


resources by following an authorized person into a secure building, area, or room. The
perpetrator can be disguised as a delivery or repair person, someone struggling with
an oversized package who may require assistance, or someone who looks and acts as if
they belong there. Most of these situations occur "in plain sight."

Fraudulent use of access cards: Access cards that are lost, stolen, copied or shared
pose an unauthorized access risk.

Door propping: While incredibly simple, propping open a door or window is one of
the most effective ways for an insider to help a perpetrator gain unauthorized access to
restricted buildings or spaces.

Malware Infection
Malware (short for “malicious software”) is a file or code, typically delivered over a
network, that infects, explores, steals or conducts virtually any behavior an attacker
wants. And because malware comes in so many variants, there are numerous methods
to infect computer systems. Though varied in type and capabilities, malware usually
has one of the following objectives:

● Provide remote control for an attacker to use an infected machine.

● Send spam from the infected machine to unsuspecting targets.

● Investigate the infected user’s local network.

● Steal sensitive data.

Intrusion Detection and Prevention Techniques


An Intrusion Detection System (IDS) is either a hardware device or software
application that uses known intrusion signatures to detect and analyze both inbound
and outbound network traffic for abnormal activities. This is done through:
● System file comparisons against malware signatures.
● Scanning processes that detect signs of harmful patterns.
● Monitoring user behavior to detect malicious intent.
● Monitoring system settings and configurations.

Vital intrusion detection and prevention techniques are:

Web Application Firewall (WAF) – The Imperva cloud WAF is a cloud-based firewall
deployed on your network’s edge. It bolsters your existing IPS through signature,
reputational and behavioral heuristics that filter malicious incoming requests and
application attacks—including remote file inclusions and SQL injections.

Two-factor authentication (2FA) – 2FA is a security process requiring users to provide


two means of verification when logging into an account, such as a password and one-
time passcode (OTP) sent to a mobile device. It bolsters intrusion prevention by adding
an extra layer of protection to your application’s sensitive data.

Backdoor protection – IDS configurations typically identify backdoors based on


known malware signatures. At best, it’s a halfway measure, as most perpetrators
obfuscate the code and alias of their backdoor shells to avoid all recognition.

Anti-Malware Software
Anti-malware is a type of software developed to scan, identify and eliminate malware,
also known as malicious software, from an infected system or network.

Anti-malware secures an individual system or an entire business network from


malicious infections that can be caused by a variety of malware that includes viruses,
computer worms, ransomware, rootkits, spyware, keylogger, etc. Anti-malware can be
deployed on individual PCs, a gateway server or even on a dedicated network
appliance.

Benefits Of Anti-Malware:

● Real-time protection
● Boot-time scan
● Scanning of individual files
● Protection of sensitive information
● Restoration of corrupted data
● Protection from spam and identity theft
● Provides robust web protection
● Provides quick scan of the removable device

Network based Intrusion Prevention Systems


Network-based intrusion prevention systems monitor entire networks or network
segments for malicious traffic. This is usually done by analyzing protocol activity. If
the protocol activity matches against a database of known attacks, the corresponding
information isn’t allowed to get through. NIPS are usually deployed at network
boundaries, behind firewalls, routers, and remote access servers.

The majority of NIPSs utilize one of the three detection methods as follows:

● Signature-based detection: Signatures are attack patterns predetermined and

preconfigured. This detection method monitors the network traffic and compares
it with the preconfigured signatures so as to find a match. On successfully
locating a match, the NIPS takes the next appropriate action. This type of
detection fails to identify zero-day error threats. However, it has proved to be
very good against single packet attacks.
● Anomaly-based detection: This method of detection creates a baseline on

average network conditions. Once a baseline has been created, the system
intermittently samples network traffic on the basis of statistical analysis and
compares the sample to the created baseline. If the activity is found to be outside
the baseline parameters, NIPS takes the necessary action.
● Protocol state analysis detection: This type of detection method identifies

deviations of protocol states by comparing observed events with predefined


profiles.

Host based Intrusion Prevention systems


The Host-based Intrusion Prevention System (HIPS) protects your system from
malware and unwanted activity attempting to negatively affect your computer. HIPS
utilizes advanced behavioral analysis coupled with the detection capabilities of
network filtering to monitor running processes, files and registry keys. HIPS is
separate from Real-time file system protection and is not a firewall; it only monitors
processes running within the operating system.

HIPS settings can be found in Advanced setup (F5) > Detection engine > HIPS >
Basic. The HIPS state (enabled/disabled) is shown in the ESET Endpoint Security main
program window, in the Setup > Computer.

Security Information Management


Security information management is a process of gathering, monitoring and investigating log
data in order to find and report suspicious activities on the system. This process is automated
by security information management systems or tools. The files (records) have information
about system activities such as running applications, services, errors that occurred. So that is
what security log data is.
With security log files, one can know the IP address of the system, MAC or internet address,
login data and status of the system. If such details fall on bad guys, they might use the details
destructively.

The reports generated by SIM systems are typically used to :

1. Detect unauthorized access as well as modifications to files and data breaches.


2. Identify data trends that can be leveraged potentially by business organizations for
their progression.
3. They are also used to identify network behavior and assess performance.

The SIM tool (system) acts as a software agent which sends the reports about the events to the
centralized server. By which admins are updated about the reports. That’s all about Security
Information Management.

Network Session Analysis


It is a category of cybersecurity that involves observing network traffic
communications, using analytics to discover patterns and monitor for potential threats.
The practice of session analysis is actually much older than the Internet. For example,
the military began intercepting radio traffic beginning in World War I, and the
interception and decoding work done became a critical part of battle strategy during
World War II.

Though we’ve advanced considerably from radio technology, the principle of traffic
analysis remains the same. Communication traffic patterns are scrutinized for
information that will help keep assets secure. By monitoring network traffic, abnormal
activity from threat actors can be detected early on, thwarting attackers before they
achieve their goal of destruction or theft.

Need of Network Session Analysis:


1. They shorten the dwell time of infections. Discovering threats as soon as possible
is the best way to minimize damage. The longer an infection lives in a network,
the more damage it can do. Swiftly detecting a threat can ensure that there is
minimal harm.
2. They improve efficiency. Most organizations do not have the resources to have
personnel devoted to actively monitoring for and investigating risk around the
clock. These solutions automated threat detection, allows organizations to do
more with less and ensures that security analysts are able to focus more on threat
removal.
3. They provide wide coverage. By monitoring traffic, NTA solutions can monitor
different types of devices. For example, many NTA solutions are OS agnostic,
monitoring traffic from both Linux servers and Windows workstations.

System Integrity Validation


A system integrity validation is a part of the system hardening process to confirm that
we have taken all the necessary measures to prevent any unauthorized access to our
systems and files. System integrity validation verifies the integrity of different system
components, such as operating systems, applications, and network services.

Countermeasures:

There are various countermeasures that can be used for effective security which include
physical security, logical security, and cryptographic security.

● Logical Security controls involve a computer system’s access to resources, such

as files, network access, and so on. Logical controls help prevent unauthorized
or improper access to a computer system.
● Examples of logical controls are passwords, such as encryption algorithms

such as Asymmetric cryptography, and ElGamal encryption algorithm. Data


flow controls enforce secure data flow by controlling who can send or receive
data from the computer system’s memory or storage.
● Data flow controls help prevent unauthorized or improper access to data, such

as limiting the ability of an authorized user to access data from another user.
● Physical security protects items by ensuring that physical intrusions are

properly locked down and that doors and windows are tightly secured.
● Cryptographic security controls ensure the proper transmission of

information or files over a network between two computers or devices that


are communicating with each other. Examples of cryptographic systems
include the Secure Sockets Layer (SSL) protocol, Transport Layer Security
(TLS), Secure HTTP (HTTPS)

You might also like