CSS Unit 3

Access Control & Web Security

Access control
• Access control is a security technique that regulates who or what can view or use resources in a computing environment. It is a fundamental concept in security that minimizes risk to the business or organization.
• Access control systems perform identification, authentication and authorization of users and entities by evaluating required login credentials, which can include passwords, personal identification numbers (PINs), biometric scans, security tokens or other authentication factors.
• There are two types of access control: physical and logical. Physical access control limits access to campuses, buildings, rooms and physical IT assets. Logical access control limits connections to computer networks, system files and data.

Why is access control important?

• The goal of access control is to minimize the security risk of unauthorized access to physical and logical systems.
• Access control is a fundamental component of security compliance programs: it ensures that security technology and access control policies are in place to protect confidential information, such as customer data.
• Most organizations have infrastructure and procedures that limit access to networks, computer systems, applications, files and sensitive data, such as personally identifiable information (PII) and intellectual property.
• Organizations use different access control models depending on their compliance requirements and the security levels of the information technology (IT) they are trying to protect.

Main models of access control
• There are several main models of access control:
• Mandatory access control (MAC).
• Discretionary access control (DAC).
• Role-based access control (RBAC).
• Rule-based access control.
• Attribute-based access control (ABAC).
Mandatory access control (MAC).
• This is a security model in which access rights are regulated by a central authority based on multiple levels of security.
• Often used in government and military environments, classifications are assigned to system resources and to the operating system (OS) or security kernel.
• It grants or denies access to those resource objects based on the information security clearance of the user or device.
Discretionary access control (DAC).
• This is an access control method in which owners or administrators of the protected system, data or resource set the policies defining who or what is authorized to access the resource. Many of these systems enable administrators to limit the propagation of access rights.
Role-based access control (RBAC).
• This is a widely used access control mechanism that restricts access to computer resources based on individuals or groups with defined business functions (e.g., executive level, engineer level 1, etc.) rather than the identities of individual users.
• The role-based security model relies on a complex structure of role assignments, role authorizations and role permissions developed using role engineering to regulate employee access to systems.
Rule-based access control.
• This is a security model in which the system administrator defines the rules that govern access to resource objects. Often, these rules are based on conditions, such as time of day or location.
Attribute-based access control (ABAC).
• This is a methodology that manages access rights by evaluating a set of rules, policies and relationships using the attributes of users, systems and environmental conditions.
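The models above are easiest to compare side by side in code. The following is an added example, not part of the original slides: a small default-deny policy engine in which RBAC maps roles to permissions, a rule-based condition restricts writes to business hours, ABAC compares a department attribute on subject and resource, and MAC compares a clearance against a classification. All role names, subjects and resources are constructed sample data.

```python
# Added example, not from the original slides: a small policy engine that
# combines the models described above. RBAC maps roles to permissions,
# a rule-based condition restricts writes to business hours, ABAC compares
# a subject attribute with a resource attribute, and MAC compares labels.
# All roles, subjects and resources are constructed sample data.
from dataclasses import dataclass
from datetime import time

ROLE_PERMISSIONS = {              # RBAC: permissions attach to roles, not to users
    "engineer_l1": {"ticket:read"},
    "engineer_l2": {"ticket:read", "ticket:write"},
    "executive": {"ticket:read", "report:read"},
}

@dataclass
class Subject:
    name: str
    roles: set            # role names from ROLE_PERMISSIONS
    department: str       # ABAC attribute
    clearance: int        # MAC label: higher means more trusted

@dataclass
class Resource:
    name: str
    department: str       # ABAC attribute
    classification: int   # MAC label on the object

def rbac_allows(subject, action):
    # Union of the permissions of every role the subject holds
    perms = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in subject.roles))
    return action in perms

def rule_allows(now):
    # Rule-based: the administrator's rule is "writes only between 09:00 and 18:00"
    return time(9, 0) <= now < time(18, 0)

def abac_allows(subject, resource):
    # ABAC: the subject's department attribute must match the resource's
    return subject.department == resource.department

def mac_allows(subject, resource):
    # MAC: clearance must be at least the object's classification
    return subject.clearance >= resource.classification

def decide(subject, action, resource, now):
    """Default deny: every applicable model must grant access."""
    if not rbac_allows(subject, action):
        return False
    if action.endswith(":write") and not rule_allows(now):
        return False
    return abac_allows(subject, resource) and mac_allows(subject, resource)
```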
What is Cyber Security?
• The technique of protecting internet-connected systems such as computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks is known as cybersecurity.
• We can divide cybersecurity into two parts: one is cyber, and the other is security.
• Cyber refers to the technology that includes systems, networks, programs, and data.
• Security is concerned with the protection of systems, networks, applications, and information. In some cases, it is also called electronic information security or information technology security.
• Some other definitions of cyber security are:
• "Cyber Security is the body of technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, theft, damage, modification or unauthorized access."
• "Cyber Security is the set of principles and practices designed to protect our computing resources and online information against threats."
Web Security
• Web Security can be defined as the process of securing confidential data stored online from unauthorized access and modification.
• Web security is also known as "Cybersecurity". It basically means protecting a website or web application by detecting, preventing and responding to cyber threats.
• That is exactly what web security does: it is a system of protection measures and protocols that can protect your website or web application from being hacked or entered by unauthorized personnel.
Available Technology
• There are different types of technologies available for maintaining the best security standards. Some popular technical solutions for testing, building, and preventing threats include:
• Black box testing tools
• White box testing tools
• Web application firewalls (WAF)
• Security or vulnerability scanners
• Password cracking tools
WEB SECURITY ISSUES
• Phishing: Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution, to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.
SQL Injection (SQLI)
• SQL Injection (SQLI) is an attack in which malicious SQL code is injected into the queries a web application sends to its backend database, allowing an attacker to take control of the web application.
• SQLI attacks are very widespread because they are easy to carry out and require very little technical knowledge to perform. SQLI is a server-side web application issue that most developers are unaware of.
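The following added example (not from the original slides) shows the root cause and the fix for SQLI in one place: the same user lookup built by splicing input into the SQL text, and then as a parameterized query. It runs against an in-memory SQLite table with two constructed rows; the function and table names are assumptions for the demonstration.

```python
# Added example, not from the original slides: the same user lookup written
# two ways against an in-memory SQLite table with constructed sample rows.
import sqlite3

def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db

def find_user_vulnerable(db, name, pw):
    # String formatting splices user input into the SQL text, so a quote
    # character in the input changes the structure of the query itself.
    sql = "SELECT name FROM users WHERE name = '%s' AND pw = '%s'" % (name, pw)
    return sorted(row[0] for row in db.execute(sql))

def find_user_safe(db, name, pw):
    # Parameterized query: the values travel separately from the statement,
    # so whatever the input contains is treated as data, never as SQL.
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return sorted(row[0] for row in db.execute(sql, (name, pw)))
```

With the classic tautology input, the concatenated query matches every row while the parameterized one matches none, which is the whole difference between the two.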
Cross-Site Request Forgery (CSRF)
• Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing.
• If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so on.
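The standard defence against the forged state-changing requests described above is a per-session synchronizer token combined with an origin check. The following is an added example, not from the original slides: the secret key, the site origin `https://bank.example` and the request shape (a dict with method, headers, session_id and form) are constructed for the demonstration, and a real application would rely on its framework's built-in CSRF protection.

```python
# Added example, not from the original slides: a synchronizer-token check for
# state-changing requests. The secret, the site origin and the request shape
# (a dict with method, headers, session_id and form) are constructed here;
# a real application would use its framework's built-in CSRF protection.
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_SECRET = secrets.token_bytes(32)    # per-deployment key (constructed)
SITE_ORIGIN = "https://bank.example"       # hypothetical site origin

def issue_csrf_token(session_id):
    # The token is derived from the session, so a token captured from one
    # session cannot be replayed against another and nothing needs storing.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def same_origin(url):
    # Compare scheme and host exactly; a prefix match would accept
    # "https://bank.example.attacker-controlled.test".
    parts = urlsplit(url)
    return "%s://%s" % (parts.scheme, parts.netloc) == SITE_ORIGIN

def is_csrf_safe(request):
    """Return True only if this request may be allowed to change state."""
    if request["method"] in ("GET", "HEAD", "OPTIONS"):
        return True   # safe methods must not change state in the first place
    headers = request["headers"]
    # The browser sets Origin/Referer itself; a forged cross-site request
    # carries the attacker's page origin, not ours.
    if not same_origin(headers.get("Origin") or headers.get("Referer", "")):
        return False
    expected = issue_csrf_token(request["session_id"])
    supplied = request["form"].get("csrf_token", "")
    return hmac.compare_digest(expected, supplied)   # constant-time compare
```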
Cross-site scripting (XSS)
• Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in the victim's web browser by including malicious code in a legitimate web page or web application.
• The actual attack occurs when the victim visits the web page or web application that executes the malicious code.
• The web page or web application becomes a vehicle to deliver the malicious script to the user's browser. Vulnerable vehicles that are commonly used for Cross-site Scripting attacks are forums, message boards, and web pages that allow comments.
How to prevent XSS attacks
• There are a number of precautions you can take to prevent XSS attacks.
• Keep Software Up-To-Date: Software should always be kept up-to-date for many reasons, including fixing bugs, improving performance, installing new features and patching security vulnerabilities. Regularly updating software will greatly reduce the vulnerabilities that leave a site or application open to XSS.
• Sanitize And Validate Input Fields: Input fields are the most common point of entry for XSS attack scripts. Therefore, you should always screen and validate any information input into data fields. This is particularly important if the data will be included as HTML output, to protect against reflected XSS attacks. Validation should occur on both the client side and the server side as an added precaution. Validating the data before it is sent to servers will also protect against persistent XSS scripts. This can be accomplished using JavaScript.
• Web Application Firewall: A web application firewall (WAF) can be a powerful tool for protecting against XSS attacks. WAFs can filter bots and other malicious activity that may indicate an attack. Attacks can then be blocked before any script is executed.
• Content Security Policy: A content security policy (CSP) can define the functions a website is allowed to perform. It can be used to prevent a website from accepting any in-line scripts. This may be the strongest method at your disposal, as it can completely block XSS attacks or at least greatly reduce the possibility of them.
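Two of the precautions above, encoding data before it becomes HTML output and a CSP that refuses in-line scripts, are shown together in the following added example (not from the original slides). The comment template, the `/users/` link path and the header set are assumptions for the demonstration; the sample inputs are constructed.

```python
# Added example, not from the original slides: rendering an untrusted comment
# with context-aware output encoding, plus a Content-Security-Policy header
# that forbids in-line scripts. The page template and header names are
# assumptions for the demonstration; sample inputs are constructed.
import html
from urllib.parse import quote

def render_comment(author, text):
    # HTML body and attribute context: & < > " ' become entities, so markup
    # typed into a comment is displayed as text instead of being interpreted.
    return '<p class="comment" data-author="%s">%s</p>' % (
        html.escape(author), html.escape(text))

def profile_link(username):
    # URL path context needs percent-encoding; the visible text is HTML-escaped.
    # Each context gets its own encoder: one escaper does not fit all.
    return '<a href="/users/%s">%s</a>' % (quote(username, safe=""), html.escape(username))

def security_headers():
    # Without 'unsafe-inline', browsers refuse <script> blocks and on* handlers
    # embedded in the page, so an escaping bug that lets markup through still
    # cannot run script; only scripts served from this origin execute.
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                                   "object-src 'none'; base-uri 'self'",
        "X-Content-Type-Options": "nosniff",
    }
```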
