Log in / Register
Home arrow Computer Science arrow The InfoSec Handbook
< Prev   CONTENTS   Next >

Part III Application Security

This section addresses primarily information security issues that are related to application and web security, and discusses malicious software infection and how to avoid such infection through mechanisms like anti-virus software. We also explain how cryptography has provided fillip to information security and how it can assure confidentiality and authenticity.

In Chapter 6, “Application and Web Security,” we look into the fact that ensuring security of the software (including operating system, applications, tools, and utilities) and networks are most difficult because various things can go wrong. Some of the typical vulnerabilities they are exposed to are: misconfiguration, not validated inputs, defects/errors in the coding, man in the middle attacks, man in the browser attacks, session hijacking, weak encryption keys, weak/default passwords, weak authentication mechanisms, SQL Injection, and Buffer Overflows. We mention that increased use of software and web-based applications over the Internet has increased the exposure of these to various kinds of attacks. We also mention that we are yet to catch up with best practices on application development and infrastructure set up so that we have a fairly good chance of winning the race with the attackers. We then highlight what can go wrong with the software

applications like medical software and aviation-related software and discuss some fundamental aspects of any application security from completeness of inputs to maintenance of integrity of data in transmission.

We look into the impact of each of these aspects in detail. We then explore the importance of effective application development life cycle in ensuring strong and secure software applications. In this context we explain the need for considering security requirements during the initial phases of application design and development life cycle and the need for effective design of the security requirements. Need for strong risk assessment as to what can go wrong and secure coding standards are highlighted. We then highlight important design and development guidelines which include understanding security requirements to architecting and designing for security to secure coding to strong reviews and testing to strong configuration management to strong release management. We look at the reasons for issues on the web and important attacks on the web like SQL or command injection, buffer overflows, session hijacking, cookie poisoning, password cracking, and cross-site scripting. We then discuss the vulnerabilities of web browsers, web servers, and web applications. We also discuss how to overcome the web browser, web server, and web application related vulnerabilities. Finally, we discuss the role of SSL and Digital Certificate in securing the web application communications.

Chapter 7, “Malicious Software and Anti-Virus Software,” as the title suggests, identifies the purpose of such software is to create harm or damage to systems or to people or to both. Further, in this commercially oriented world, it seems that the companies are in a hurry to push across their technology and tools without strictly ensuring that the users of their technology and tools are protected. One strong example of this is that even though these companies are aware that “non-validated inputs” are the most exploited, still they do not take care to ensure proper validations.

Unfortunately, all these new technologies and tools provide opportunities for the people with bad intentions to find, understand, and exploit the loopholes or flaws in them. The advanced technologies while being beneficial to people and organizations in many ways, at the same time provide potential for knowledgeable users to connect to other systems from their mobiles and tablets and exploit them. Even though people who use the Internet are generally aware that there are some security threats of using the internet, most of them are not aware of the specifics of these threats and what can go wrong with their systems or to their financial assets or to their well-guarded secrets or information. Most of them are not even aware of why their identity credentials should not be made known to others and what can go wrong because of it. There are many more risks which the applications and systems are exposed to.

Fortunately, anti-virus software came to the rescue of individuals and organizations. Malicious software is generally known as malware. Spyware, adware, trojans, backdoors, viruses, worms, and botnets are all considered malware and are described. We also look into the types of viruses and how virus infection happens. We then look into the history of malware and the measures that can be taken to counter each of these types of malware. We also look into some of the recent malware attacks and explore the current scenario of malware with statistical perspective. Then we explore the need for anti-virus software and the expectations from anti-virus software and their vendors. We then list some of the key anti-virus software and explain their features. We offer a few general words of caution to users of anti-virus software.

Chapter 8, “Cryptography,” examines the increasing use of the Internet as a commerce tool, and how most of the businesses are using the Internet today to carry out transactions, commerce, and transfer of money. It is important for the users, banks, and commercial institutions, to make sure that the information is secured and no one is able to read the data or change the data during the transmission. If computer systems can code the plain text and the receiver understands this coded message, and is able to interpret it, then users feel more secure to transmit data over the Internet or any other media. This method of coding plain text messages to a secret coded message is called cryptography. The method of disguising the plain text to hide the actual data is called encryption. The new encrypted text is called ciphertext. The encrypted data is not readable by others and hence it is secured. Once it reaches the destination, the receiver can reverse the process to read the ciphertext and this process is called decryption.

Encryption and decryption is done using a key or code. Sometimes, only one key is used to perform both encryption and decryption or sometimes two separate keys are used, one for encryption and other key for decryption. It is used for ensuring integrity and authentication as well. Cryptography is widely used everywhere from Internet to telephones to televisions. While application of Internet is increasingly demanding and growing, hackers are cracking cryptographic algorithms and researchers are working on providing better algorithms and keys so that user's data and authentication is protected. Cryptography, encryption, and decryption are performed using a mathematical function, often known as cryptographic

algorithm. The cryptographic algorithm makes use of one or more of the keys to encrypt the data. Strength of the encryption depends on the keys and cryptographic algorithm which makes use of these keys to encrypt.

There are three types of mechanisms used in cryptology: symmetric encryption (which uses the same key for encryption and decryption), asymmetric encryption (which uses different keys for encryption and decryption known as public key and private key) and hashing functions/algorithms which are used to code information like passwords and ensure the authenticity of the documents. Asymmetric encryption which is also known as public key cryptography is enabled through Registration Agencies and Certificate Agencies. Public Key Infrastructure is built by Certificate Agencies to handle the PKC mechanisms effectively. The Certificate Agencies issue the Digital Certificate to the organizations identifying them effectively in the digital world. To ensure the confidentiality of the document, the document is encrypted using the receiver's public key by the sender and decrypted by receiver using his own private key.

For authenticity of the document, the encryption is carried out by the sender using his own private key and the receiver uses the sender's public key to decrypt the same. For ensuring both confidentiality and authenticity of the document both private key of the sender and public key of the receiver are used for encryption while for decrypting both public key of the sender and private key of the receiver are used. We also looked into Hash Function Cryptography and their uses. We also looked at the applications of the cryptography and the security issues related to cryptography and the disk encryption mechanisms.

Found a mistake? Please highlight the word and press Shift + Enter  
< Prev   CONTENTS   Next >
Business & Finance
Computer Science
Language & Literature
Political science