First, my source for this writing is Udacity's Intro to Information Security course. For more information, see the Udacity website.
Security matters when you have something of value and there is a risk to it. In today's world, much of that value lies in data or information. A threat is a possible danger that could exploit a weakness and thereby cause harm.
Cyber Assets at Risk
We need to develop a security mindset:
> Cyber criminals
> Nation States
Vulnerabilities and Attacks:
> Security Breach
> Vulnerabilities are in software, networks, humans
Let's take a real-world example: the Target store breach
> What is of value – credit card data
> What is the threat source – criminals
> What was the vulnerability – phishing was used to obtain credentials for the network
The following figure shows the relationship of threats, vulnerabilities, attacks, and risk.
fig: Relationship of Threats, Vulnerabilities, Attacks, and Risk
What should we do in Cyber Security
Make threats go away – Not really practical
Reduce vulnerabilities – Will never go away
But, we can follow the CIA principles.
> Confidentiality: It is roughly equivalent to privacy. It is the ability to hide information from people who are not authorized to view it.
> Integrity: It involves maintaining the consistency, accuracy and trustworthiness of data. The data must not be changed in transit, and measures should be taken to ensure that the data cannot be altered by unauthorized people.
> Availability: It is important to ensure that the information is accessible to authorized people at all times. We can view a short video about CIA.
What should the good guys do?
Prevention – Keep bad guys out. We will never have 100% prevention
Detection – Detect that the bad guys are in the system
Response – Respond to the intrusion
Recovery and remediation – Restore corrupted data and stop similar future attacks
Policy vs Mechanism – What vs how will attacks be handled
How Do We Address Cyber Security
To reduce vulnerabilities, follow the basic design principles for securing systems.
Economy of mechanism – Keep systems simple and small.
Fail-safe defaults – The default is to deny access
Complete mediation – No one should be able to bypass security
Open design – Good because security does not count on secrecy
Least privilege – Only give users the minimum level of access that they need
Psychological acceptability – Don’t expect people to do what is inconvenient.
In web applications, the common problem is that all user input is untrusted. The application needs to take security measures to defend itself from attack: handling user access to the application's data and functionality to prevent users from gaining unauthorized access; handling user input to prevent malformed input from causing undesirable behavior; handling attackers and taking suitable defensive measures; and managing the application itself by enabling administrators to monitor activity and configure functionality.
In any application, the central security requirement is controlling users' access to its data and functionality. There are different kinds of users: some are authenticated, some are anonymous, and some are administrative. The application should ensure that users can read their own emails but not those of others. The following security mechanisms can be used to handle user access.
> Authentication
> Session management
> Access control
Authentication is the basic way to handle user access. It is the process of verifying that a user is who he or she claims to be. Applications basically authenticate with a username and password. In security-critical applications, such as those for banks, there can be additional credentials or multistage login processes. For higher security requirements, other authentication models may be used, based on client certificates, smart cards or challenge-response tokens. The authentication process must be handled carefully, because any flaws in its design and implementation can be exploited by an attacker to guess usernames, bypass passwords, and gain unauthorized access to sensitive data and functionality.
Another task in handling users is session management. First, I want to explain what a session is. After successfully logging in to the application, a user accesses different pages and makes a series of HTTP requests from the browser. At the same time, other users, some authenticated and some anonymous, try to log in to the application. To tell these users apart, the application creates a session for each user and issues the user a token that identifies the session. The session itself is a data structure held on the server that tracks the state of the user's interaction with the application. After receiving the token, the user's browser submits it back to the server in each subsequent HTTP request, enabling the application to associate the request with that user. When the user makes no request for a certain time, the session expires.
In terms of attacks, an attacker can use other users' tokens to authenticate and use the application. Another area of attack is learning how the tokens are generated: an attacker can then guess the tokens of other users.
Access control, also called authorization, is the process of deciding whether access to a particular resource is granted or denied. Authorization and authentication are different things. Authentication establishes what kind of user someone is; granting or denying resources according to the type of user is authorization, or access control. Access control is therefore an important part of the application. Omitting an access control check lets an attacker gain unauthorized access to data and functionality.
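The session management and access control paragraphs above, as an added sketch that is not code from the Udacity course or from this post: a server-side session table with unguessable tokens and idle expiry, plus a per-request check that a user reads only their own mailbox. The names `SessionStore`, `read_mailbox` and `MAILBOXES`, and the 900-second timeout, are assumptions made for the example.

```python
import secrets
import time

IDLE_TIMEOUT = 900  # seconds; assumed value, the page gives no number


class SessionStore:
    """Server-side session table keyed by an unguessable token."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.monotonic):
        self._sessions = {}  # token -> {"user": ..., "last_seen": ...}
        self._idle_timeout = idle_timeout
        self._clock = clock  # injectable so expiry can be tested

    def create(self, user):
        # 32 bytes from the OS CSPRNG: seeing one token does not help
        # predict any other user's token.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def resolve(self, token):
        """Return the user for a token, or None (fail-safe default)."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > self._idle_timeout:
            del self._sessions[token]  # idle too long: token is dead
            return None
        session["last_seen"] = now
        return session["user"]


# Constructed sample data: mailbox owner -> messages.
MAILBOXES = {"alice": ["alice: invoice"], "bob": ["bob: payslip"]}


def read_mailbox(store, token, owner):
    """Identify the caller from the session, then authorize the request."""
    user = store.resolve(token)
    if user is None:
        raise PermissionError("no valid session")
    if user != owner:  # access control check, done on every request
        raise PermissionError("not your mailbox")
    return MAILBOXES[owner]
```
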