security practics unit 1

SECURITY PRACTICES
CP 4391
S. VILMA VERONICA
ASSISTANT PROFESSOR
DEPARTMENT OF M.E.(CSE)
CP 4391 - SECURITY PRACTICES
COURSE OBJECTIVES:
✔ To learn the core fundamentals of system and web security concepts
✔ To have through understanding in the security concepts related to networks
✔ To deploy the security essentials in IT Sector
✔ To be exposed to the concepts of Cyber Security and cloud security
✔ To perform a detailed study of Privacy and Storage security and related Issues
CP 4391 - SECURITY PRACTICES
UNITS
1. SYSTEM SECURITY
2. NETWORK SECURITY
3. SECURITY MANAGEMENT
4. CYBER SECURITY AND CLOUD SECURITY
5. PRIVACY AND STORAGE SECURITY

UNIT - 1 SYSTEM SECURITY
❖ Model of network security

❖ Security attacks, services and mechanisms
❖ OSI security architecture
❖ A Cryptography prime
❖ Intrusion detection system
❖ Intrusion Prevention system
❖ Security web applications
❖ Case study: OWASP
❖ Top 10 Web Application Security Risks.
Network Security refers to the measures taken by any enterprise or

organization to secure its computer network and data using both hardware
and software systems.
MODELS OF NETWORK SECURITY:
When we send our data from the source side to the destination side we have
to use some transfer method like the internet or any other communication
channel by which we are able to send our message.
The two parties, who are the principals in this transaction, must cooperate for
the exchange to take place.
When the transfer of data happened from one source to another source some
logical information channel is established between them by defining a route
through the internet from source to destination and by the cooperative use of
communication protocols (e.g., TCP/IP) by the two principals.
When we use the protocol for this logical information channel the main aspect
of security has come who may present a threat to confidentiality, authenticity,
and so on.
All the techniques for providing security have two components:
1. A security-related transformation on the information to be sent.

2. Some secret information is shared by the two principals and, it is hoped,
unknown to the opponent.
This model shows that there are four basic tasks in designing a particular
security service:
1. Design an algorithm for performing the security-related transformation.

2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of secret information.
4. Specify a protocol to be used by the two principals that make use of the
security algorithm and the secret information to achieve a particular
security service.
This model shows that there are four basic tasks in designing a particular
security service:
1. Design an algorithm for performing the security-related transformation.

2. Generate the secret information to be used with the algorithm.
3. Develop methods for the distribution and sharing of secret information.
4. Specify a protocol to be used by the two principals that make use of the
security algorithm and the secret information to achieve a particular
security service.

Security attacks, services and mechanisms

A network attack is an attempt to gain unauthorized access to an
organization’s network, with the objective of stealing data or perform other
malicious activity.
There are two main types of network attacks:
Passive: Attackers gain access to a network and can monitor or steal sensitive
information, but without making any change to the data, leaving it intact.
Active: Attackers not only gain unauthorized access but also modify data, either
deleting, encrypting or otherwise harming it.
Security attacks, services and mechanisms

Security Services and mechanisms
1. Authentication
Authentication is used by a server when the server needs to know exactly who
is accessing their information or site.
Authentication is used by a client when the client needs to know that the server
is system it claims to be.
2. Access Control
Network access control is a method of enhancing the security of a private
organizational network by restricting the availability of network resources to
endpoint devices that comply with the organization’s security policy.
2. Access Control
3. Data Integrity
Data integrity is defined as the data contained in the database is both correct
and consistent.
For this purpose, the data stored in the database must satisfy certain types of
procedures (rules). The data in a database must be correct and consistent.
DBMS provides different ways to implement such types of constraints (rules). It

can be implemented by rules i.e., Primary Key, Secondary Key, Foreign key.
This improves data integrity in a database.
4. Data Confidentility
Confidentiality is the protection of information in the system so that an

unauthorized person cannot access it.
5. Non repudiation
It means one party cannot deny receiving a message or a transaction nor can
the other party deny sending a message or a transaction.
For example in cryptography it is sufficient to show that message matches the

digital signature signed with sender’s private key and that sender could have a
sent a message and nobody else could have altered it in transit.
Data Integrity and Authenticity are pre-requisites for Non repudiation.

Security Mechanisms

OSI System Architecture:
The OSI (Open Systems Interconnection) Security Architecture defines a

systematic approach to providing security at each layer.
It defines security services and security mechanisms that can be used at each of
the seven layers of the OSI model to provide security for data transmitted over
a network.
These security services and mechanisms help to ensure the confidentiality,

integrity, and availability of the data.
OSI System Architecture:
The OSI architecture is internationally acceptable as it lays the flow of providing

safety in an organization.
OSI Security Architecture focuses on these concepts:
1. Security Attack
2. Security mechanism
3. Security Service
Classification of OSI Security Architecture
OSI Security Architecture is categorized into three broad categories namely

Security Attacks, Security mechanisms, and Security Services.
1. Security Attacks:
A security attack is an attempt by a person or entity to gain unauthorized
access to disrupt or compromise the security of a system, network, or device.
These are defined as the actions that put at risk an organization’s safety.
They are further classified into 2 sub-categories:
1. Passive Attack:
Attacks in which a third-party intruder tries to access the message/ content/
data being shared by the sender and receiver by keeping a close watch on the
transmission or eave-dropping the transmission is called Passive Attacks.
They are further classified into 2 sub-categories:
1. Passive Attack:
Attacks in which a third-party intruder tries to access the message/ content/
data being shared by the sender and receiver by keeping a close watch on the
transmission or eave-dropping the transmission is called Passive Attacks.
Passive attacks are further divided into two parts based on their behavior:
1. Eavesdropping
2. Traffic analysis
Eavesdropping:
This involves the attacker intercepting and listening to communications
between two or more parties without their knowledge or consent.
Eavesdropping can be performed using a variety of techniques, such as packet

sniffing, or man-in-the-middle attacks.
Traffic analysis:
This involves the attacker analyzing network traffic patterns and metadata to
gather information about the system, network, or device.
Here the intruder can’t read the message but only understand the pattern and
length of encryption.
Traffic analysis can be performed using a variety of techniques, such as network

flow analysis, or protocol analysis
Active Attacks:
Active attacks refer to types of attacks that involve the attacker actively
disrupting or altering system, network, or device activity.
Active attacks are typically focused on causing damage or disruption, rather

than gathering information or intelligence. Here, both the sender and receiver
have no clue that their message/ data is modified by some third-party intruder.
Active Attacks:
The message/ data transmitted doesn’t remain in its usual form and shows
deviation from its usual behavior.
This makes active attacks dangerous as there is no information provided of the

attack happening in the communication process and the receiver is not aware
that the data/ message received is not from the sender.
Active attacks are further divided into four parts based on their behavior:
Masquerade is a type of attack in which the attacker pretends to be an

authentic sender in order to gain unauthorized access to a system.
Replay is a type of active attack in which the attacker intercepts a transmitted

message through a passive channel and then maliciously or fraudulently replays
or delays it at a later time.
Modification of Message involves the attacker modifying the transmitted

message and making the final message received by the receiver look like it’s not
safe or non-meaningful.
Denial of service (DoS) attacks involve the attacker sending a large volume of
traffic to a system, network, or device in an attempt to overwhelm it and make
it unavailable to legitimate users.
2. Security Mechanism
The mechanism that is built to identify any breach of security or attack on the
organization, is called a security mechanism.
Security Mechanisms are also responsible for protecting a system, network, or

device against unauthorized access, tampering, or other security threats..
3. Security Services:
Security services refer to the different services available for maintaining the
security and safety of an organization.
They help in preventing any potential risks to security. Security services are
divided into 5 types:
1. Authentication
2. Access control
3. Data Confidentiality
4. Data integrity
5. Non- repudiation
1. Authentication is the process of verifying the identity of a user or device in order to
grant or deny access to a system or device.
2. Access control involves the use of policies and procedures to determine who is allowed
to access specific resources within a system.
3. Data Confidentiality is responsible for the protection of information from being accessed
or disclosed to unauthorized parties.
4. Data integrity is a security mechanism that involves the use of techniques to ensure that
data has not been tampered with or altered in any way during transmission or storage.
5. Non- repudiation involves the use of techniques to create a verifiable record of the
origin and transmission of a message, which can be used to prevent the sender from
denying that they sent the message.
Benefits of OSI Architecture:
1. Providing Security:
OSI Architecture in an organization provides the needed security and safety, preventing
potential threats and risks.
2. Organising Task:
The OSI architecture makes it easy for managers to build a security model for the
organization based on strong security principles.
3. Meets International Standards:

Security services are defined and recognized internationally meeting international standards.
The standard definition of requirements defined using OSI Architecture is globally accepted.

Cryptography is technique of securing information and communications

through use of codes so that only those person for whom the information is
intended can understand it and process it.
Thus preventing unauthorized access to information.
The prefix “crypt” means “hidden” and suffix graphy means “writing”.
Techniques used For Cryptography:
In today’s age of computers cryptography is often associated with the process

where an ordinary plain text is converted to cipher text which is the text made
such that intended receiver of the text can only decode it and hence this
process is known as encryption.
The process of conversion of cipher text to plain text this is known as

decryption.
Features Of Cryptography:
Confidentiality: Information can only be accessed by the person for whom it is intended and
no other person except him can access it.
Integrity: Information cannot be modified in storage or transition between sender and

intended receiver without any addition to information being detected.
Non-repudiation: The creator/sender of information cannot deny his intention to send

information at later stage.
Authentication: The identities of sender and receiver are confirmed. As well as

destination/origin of information is confirmed.
Types Of Cryptography:
Symmetric Key Cryptography:

It is an encryption system where the sender and receiver of message use a
single common key to encrypt and decrypt messages.
Symmetric Key Systems are faster and simpler but the problem is that sender
and receiver have to somehow exchange key in a secure manner.
The most popular symmetric key cryptography system is Data Encryption

System(DES).
Hash Functions:
There is no usage of any key in this algorithm.
A hash value with fixed length is calculated as per the plain text which makes it
impossible for contents of plain text to be recovered.
Many operating systems use hash functions to encrypt passwords.

Asymmetric Key Cryptography:

Under this system a pair of keys is used to encrypt and decrypt information. A
public key is used for encryption and a private key is used for decryption.
Public key and Private Key are different.
Even if the public key is known by everyone the intended receiver can only
decode it because he alone knows the private key.
Applications Of Cryptography:
1. Computer passwords
2. Digital Currencies
3. Secure web browsing
4. Electronic Signatures
5. Authentication
6. Cryptocurrencies
7. End-to-end encryption

INTRUSION DETECTION SYSTEM Vs INTRUSION PROTECTION SYSTEM:
INTRUSION DETECTION SYSTEM Vs INTRUSION PROTECTION SYSTEM:

SECURITY WEB APPLICATION:
Websites and Web applications has became a necessity in this world, From business,
companies, education, collaboration, personal blogs, foods and groceries, health and
medicine, social media platforms, accessing Government Services and Digital payments and
even voting everything is available in the Internet.
These days its has become common to get our daily works done via some button clicks on the
screen and the common question “are website secure?”.
The answer is mostly but not completely.
Every legitimate website tries to provide at most security but no form of internet is
completely, a 100% secure.
Website vs WebApp :
Websites are static HTML, CSS, with some JS files displayed according styling provided in CSS.
Websites aren’t dynamic, they can’t submit forms, can’t generate pages dynamically and
might be limited in other accepts too.
Web Applications are the programs which can accept form submissions, generate pages
dynamically, communicate with database to do CURD processes and more.
Some of the security tips for website owners generally are:
✔ Getting an SSL certificate
✔ Creating secure passwords
✔ Keeping backups
✔ Updating websites to latest releases

Some of the security tips for website owners generally are:
✔ Getting an SSL certificate
✔ Creating secure passwords
✔ Keeping backups
✔ Updating websites to latest releases


OWASP
It is basically stands for the Open Web Application Security Project, it is a non-profit global
online community consisting of tens of thousands of members and hundreds of chapters that
produces articles, documentation, tools, and technologies in the field of web application
security.
OWASP
OWASP’s top 10 is considered as an essential guide to web application security best

practices.
The top 10 OWASP vulnerabilities in 2020 are:

1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access control
6. Security misconfigurations
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with known vulnerabilities
10. Insufficient logging and monitoring.
OWASP
OWASP’s top 10 is considered as an essential guide to web application security best

practices.
The top 10 OWASP vulnerabilities in 2020 are:

1. Injection
5. Broken Access control
6. Security misconfigurations
10. Insufficient logging and monitoring.
OWASP
1. Injection
Injection vulnerabilities occur when an attacker uses a query or command to insert
untrusted data into the interpreter via SQL, OS, NoSQL, or LDAP injection.
The data that is injected through this attack vector makes the application do something it is
not designed for.
Injection attacks can be prevented by

1. Using safer API which avoids the use of the interpreter
2. Using parameterized queries when coding
3. Segregating commands from data to avoid exposure to attacks
OWASP
Broken Authentication is a vulnerability that allows an attacker to use manual or automatic
methods to try to gain control over any account they want in a system.
In worse conditions, they could also gain complete control over the system.
Broken authentication attacks can be prevented by

1. Implementing multi-factor authentication
2. Protecting user credentials
3. Sending passwords over encrypted connections
OWASP

This vulnerability is one of the most widespread vulnerabilities on the OWASP list and it
occurs when applications and APIs don’t properly protect sensitive data such as financial
data, social security numbers, usernames, and passwords, or health information, and this
enables attackers to gain access to such information and commit fraud or steal identities.
Sensitive data exposure attacks can be prevented by

1. Using the secure URL’s
2. Using strong and unique passwords
3. Encrypting all sensitive information that does need to be stored
OWASP

This vulnerability occurs for web applications that parse XML input. It happens when poorly
configured XML processors evaluate external entity references within the XML documents
and send sensitive data to an unauthorized external entity, i.e., a storage unit such as a hard
drive. By default, most XML parsers are vulnerable to XXE attacks.
XXE attacks can be prevented by
Using less complex data formats such as JSON

Keeping XML processors and libraries upgraded
Using SAST tools
OWASP
5. Broken Access Controls
This vulnerability occurs when there is broken access to resources, it means there are some
improperly configured missing restrictions on authenticated users which allows them to
access unauthorized functionality or data like access to others accounts, confidential
documents, etc.
Broken access control attacks can be prevented by

1. Deleting accounts that are no longer needed or are not active
2. Shutting down unnecessary services to reduce the burden on servers
3. Using penetration testing
OWASP
6. Security Misconfiguration
It is estimated that up to 95% of cloud breaches are the result of human errors and this fact
leads us to the next vulnerability called security misconfiguration.
This vulnerability refers to the improper implementation of security intended to keep

application data safe.
Security misconfiguration attacks can be prevented by

1. Using Dynamic application security testing (DAST)
2. Disabling the use of default passwords
3. Keeping an eye on cloud resources, applications, and servers
OWASP

This is also a widespread vulnerability that almost affects 53% of all web applications.
XSS vulnerability allows a hacker to inject malicious client-side scripts into a website and then
use the web application as an attack vector to hijack user sessions, or redirecting the victim
to malicious websites.
Cross-site scripting attacks can be prevented by

1. Using appropriate response headers
2. Filtering the input and encoding the output
3. Using the content security policy
4. Applying a zero-trust approach to user input
OWASP
Insecure Deserialization vulnerability allows an attacker to remotely execute code in the
application, tamper or delete serialized (written to disk) objects, conduct injection attacks,
replay attacks, and elevate privileges.
Insecure Deserialization attacks can be prevented by

1. Implementing digital signatures
2. Using penetration testing
3. Isolating the code that deserializes and running it in low privilege environments to
prevent unauthorized actions
OWASP

Nowadays there are many open-source and freely available software components (libraries,
frameworks) that are available to developers and if there occurs any component which has
got a known vulnerability in it then it becomes a weak link that can impact the security of the
entire application.
This attack can be prevented by

1. Removing all unnecessary dependencies
2. Using virtual patching
3. Using components only from official and verified sources
OWASP
10. Insufficient Logging and Monitoring

It is estimated that the time from attack to detection can take up to 200 days, and often
longer. In the meantime, attackers can tamper with servers, corrupt databases, and steal
confidential information.
Insufficient logging and ineffective integration of the security systems allow attackers to pivot
to other systems and maintain persistent threats.
Insufficient logging and monitoring attacks can be prevented by

1. Implementing logging and audit software
2. Establishing an effective monitoring system
3. Thinking like an attacker and use a pen testing approach

security practics unit 1

Uploaded by

Copyright:

Available Formats

security practics unit 1

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

security practics unit 1

Uploaded by

Copyright:

Available Formats

SECURITY PRACTICES

4. CYBER SECURITY AND CLOUD SECURITY

5. PRIVACY AND STORAGE SECURITY

❖ Model of network security

Network Security refers to the measures taken by any enterprise or

MODELS OF NETWORK SECURITY:

MODELS OF NETWORK SECURITY:

All the techniques for providing security have two components:

1. A security-related transformation on the information to be sent.

MODELS OF NETWORK SECURITY:

1. Design an algorithm for performing the security-related transformation.

MODELS OF NETWORK SECURITY:

1. Design an algorithm for performing the security-related transformation.

❖ Model of network security

Security attacks, services and mechanisms

Security attacks, services and mechanisms

DBMS provides different ways to implement such types of constraints (rules). It

Confidentiality is the protection of information in the system so that an

For example in cryptography it is sufficient to show that message matches the

Data Integrity and Authenticity are pre-requisites for Non repudiation.

❖ Model of network security

The OSI (Open Systems Interconnection) Security Architecture defines a

These security services and mechanisms help to ensure the confidentiality,

The OSI architecture is internationally acceptable as it lays the flow of providing

OSI Security Architecture focuses on these concepts:

OSI Security Architecture is categorized into three broad categories namely

They are further classified into 2 sub-categories:

They are further classified into 2 sub-categories:

Eavesdropping can be performed using a variety of techniques, such as packet

Traffic analysis can be performed using a variety of techniques, such as network

Active attacks are typically focused on causing damage or disruption, rather

This makes active attacks dangerous as there is no information provided of the

Masquerade is a type of attack in which the attacker pretends to be an

Replay is a type of active attack in which the attacker intercepts a transmitted

Modification of Message involves the attacker modifying the transmitted

Security Mechanisms are also responsible for protecting a system, network, or

3. Meets International Standards:

❖ Model of network security

Cryptography is technique of securing information and communications

Thus preventing unauthorized access to information.

Techniques used For Cryptography:

In today’s age of computers cryptography is often associated with the process

The process of conversion of cipher text to plain text this is known as

Integrity: Information cannot be modified in storage or transition between sender and

Non-repudiation: The creator/sender of information cannot deny his intention to send

Authentication: The identities of sender and receiver are confirmed. As well as

Symmetric Key Cryptography:

The most popular symmetric key cryptography system is Data Encryption

Many operating systems use hash functions to encrypt passwords.

Asymmetric Key Cryptography:

Public key and Private Key are different.

❖ Model of network security

❖ Model of network security

The answer is mostly but not completely.

Some of the security tips for website owners generally are:

✔ Getting an SSL certificate

✔ Creating secure passwords

✔ Updating websites to latest releases

Some of the security tips for website owners generally are:

✔ Getting an SSL certificate