AS VII

qbe89

see attached.

  • 3 years ago
files (2)

AS7.docx

Analyze the “Losing Data Hurts” case study following the conclusion of Chapter 9 in the textbook, and then address the prompts below.

1. How should a corporation respond to a large-scale loss of customer data?

2. How might a corporation be hurt by acknowledging a large-scale data loss?

3. As data loss admissions become more widespread, how could they affect consumers’ willingness to share information with corporations?

4. How should a corporation decide the appropriate level of resources to devote to securing its data?

5. Why is the health care sector such a big target for data thieves?

6. Why are corporations worried about insider threats with respect to data loss?

7. Why have the incidents of data loss seen a rise in the past few years?

8. Determine how using auditing tools can help prevent data losses.

9. Determine how to have standard and sufficient policies for securing data.

Organize your information, and present it in a well-organized two-page paper. If outside sources are used, please adhere to APA Style when creating citations and references for this assignment. APA formatting, however, is not necessary.

Textbook

Boyle, R. J., & Panko, R. R. (2020). Corporate Computer Security (5th ed.). Pearson Education (US). https://online.vitalsource.com/books/9780135823354

UnitVII1.pdf

SEC 3302, Advanced IS Security 1

Course Learning Outcomes for Unit VII

Upon completion of this unit, students should be able to:

1. Analyze access controls used to secure information systems (IS).
 1.1 Determine how to protect access to the information within a database.
 1.2 Explain how developing access levels can protect a database.

4. Evaluate the use of auditing tools.
 4.1 Determine how using auditing tools can help reduce losses.

5. Explain the importance of information security (IS).
 5.1 Determine the organizational impact of not having strong policies and procedures for securing applications and data.
 5.2 Describe the methods an information technology (IT) security manager can use to increase organizational awareness of policies and procedures in information security.

Required Unit Resources

Chapter 8: Application Security
Chapter 9: Data Protection

In order to access the following resources, click the links below. You can access transcripts for the videos by clicking on the three dots below the video on the right, then clicking “Open transcript.”

Professor Messer. (2021, February 2). Protecting data - SY0-601 CompTIA Security+ : 2.1 [Video]. YouTube. https://www.youtube.com/watch?v=maggnNPkKJM

Professor Messer. (2021, April 3). Application security - SY0-601 CompTIA Security+ : 3.2 [Video]. YouTube. https://www.youtube.com/watch?v=CwtHoL1CQ68

Professor Messer. (2021, May 3). Privacy and data breaches - SY0-601 CompTIA Security+ : 5.5 [Video]. YouTube. https://www.youtube.com/watch?v=lnODP7dGXFc

Unit Lesson

UNIT VII STUDY GUIDE Application and Data Security

Introduction

In this unit, we will discuss application security and data protection. In past units, we discussed hardening a target, which means changing the environment so that it is more difficult to attack. This process should include applications, not just operating systems. We have to do this intentionally and proactively as part of a comprehensive defense strategy: attacks via applications are far more common today than attacks aimed at operating systems. We must, therefore, make our applications secure so that someone cannot take over and exploit the software. One such exploit is called a buffer overflow. A buffer is a temporary storage area in random access memory (RAM). If enough attack data is sent to exceed the buffer space, that data will end up in other RAM areas. A poorly written application can inadvertently allow a buffer overflow. Flushing your buffers can prevent them from filling up and overflowing, which can cause poor performance or lead to a total crash.

In some cases, a buffer overflow can confuse the system and allow commands to be executed on the server. One type of buffer overflow, called a stack overflow, involves the operating system. This type of overflow can cause a program, or even an entire computer, to crash.

Hardening Applications

So how can we harden our applications to ensure that they cannot be exploited? As we just discussed, we must not allow buffers to overflow. Additionally, applications need to be minimized so that there are fewer attack points to exploit. Secure configurations should also be established and maintained with timely updates. Permissions should likewise be minimized to the lowest level each employee needs to accomplish their job. This will minimize the possibility that hackers will be able to take control of applications. The cryptographic protections discussed in previous units are also important, as web applications are even more susceptible to being exploited.

According to Boyle and Panko (2021), one rule in programming is that you should never trust a user’s input. The application should validate its data. One example of this type of exploit is Structured Query Language (SQL) injection, which can destroy your entire database. With SQL injection, a user can enter extra information beyond a password that enables an attacker to access the system. For example, instead of entering just a password, a user might also enter the additional text of a SQL query that is then executed. How do you fix a SQL injection issue? You can add data validation that will not allow certain characters to be entered. You can also limit the number of characters that can be entered in that field. The point is that developers are able to add validations, so they must be well trained in how to secure the database.
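As an added example (not from the study guide or the textbook), the following Python script uses the standard-library sqlite3 module and a constructed in-memory users table to show the login query built by string concatenation beside its parameterized form, together with the character allow-list and length cap the lesson recommends. The account name, password and regular expression are assumptions made for the demonstration; the tautology input used in the check is the usual textbook illustration of a query fragment typed into a password field.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table with one hypothetical account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by concatenation: whatever the user types becomes SQL text."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Placeholders keep the input as data; the SQL text itself never changes."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


# Validation as the lesson describes: only allow-listed characters in the
# username, and a hard cap on how many characters either field may hold.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")
MAX_PASSWORD_LEN = 128


def validate_credentials(username, password):
    if not USERNAME_RE.fullmatch(username):
        return False
    return 1 <= len(password) <= MAX_PASSWORD_LEN


def login_hardened(conn, username, password):
    """Validation first, then a parameterized query: two independent layers."""
    if not validate_credentials(username, password):
        return False
    return login_parameterized(conn, username, password)


if __name__ == "__main__":
    db = make_db()
    injected = "' OR '1'='1"  # the classic illustration of extra SQL in a password field
    print("vulnerable   :", login_vulnerable(db, "alice", injected))    # True
    print("parameterized:", login_parameterized(db, "alice", injected)) # False
    print("hardened     :", login_hardened(db, "alice", injected))      # False
```

The parameterized query alone already defeats the injected text; the validation layer is still worth keeping because it rejects malformed input before it reaches any query and limits the size of what an attacker can submit.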

Web Servers

Attackers can also strike web servers and e-commerce software. Just like any outward-facing server, the service can be overloaded and caused to crash. Web servers can be taken over, and political or other hacker-produced content can be posted that demeans the company. These attacks can harm the company’s professional reputation and discourage customers. Attacks like these, in which hacker-produced content is substituted for normal content, are known as website defacement. Additionally, the textbook discusses another attack, known as directory traversal, in which sensitive files are downloaded by gaining access to important directories—including the command prompt directory. All of this seems to be a game of cat and mouse between attackers and vendors who patch a vulnerability, only to see attackers evolve their tactics. A common question is: How can we secure websites given that they are accessible to the public? The first step is to update any vendor software regularly. Website assessment tools are available that can identify vulnerabilities. Website error logs can also help alert us that a potential attacker is checking out our website. Lastly, application proxy firewalls can be used to help ensure that traffic is normal and does not show signs of an attack.

Web Browsers

It is not just servers that can be attacked; web browsers can also be targets. If an attacker can upload a script and deploy it in a browser, the result can be a disaster in several ways. These scripts often involve commands that you might use under normal circumstances—and although you may want to change your settings at times, you do not want an attacker to be able to change them. Also, attackers can add links into others’ webpages that look good and seem valid, but they are not. Mobile code is another area through which attacks may occur. Commands written into a web page can result in scripts executing automatically after the web page containing the commands is downloaded. Attack scripts will also execute if the user accidentally clicks on a malicious link. In fact, depending on the program, the user may not even need to click the link in some cases.


Security for a web browser can be improved much like that of web servers. Achieving this requires regular patching and upgrading. Often, a browser may have customizable security settings and privacy options that can be used to increase security.

Email Attacks

Email attacks can be very similar to web server attacks. Emails can contain malicious links and attachments with malware. Spam has also become a bigger problem, as mailboxes get overrun with commercial solicitation messages. These messages may include images, which are harder to filter out effectively, take up more bandwidth, and occupy more space. Finding a filter that does not also block legitimate mail continues to be a struggle. The best remedies for these issues include fine-tuned email filters and targeted employee training that teaches employees not to open attachments from strangers. The contents of an email can be encrypted, but most organizations do not use this feature.

Data Protection, Loss, and Backup

Now, let’s discuss data protection, which involves data being stored on hosts rather than passed over networks. For most organizations, data is their most important business asset. You can obtain a new server fairly quickly, or you can spin a new one up if you are virtualized, but what can you do if your data is lost? How would you be able to contact your customers, set prices, or even determine what your prices should be? The system itself is meaningless without the data points from which we construct information.

Chapter 9 in our textbook is particularly important in that it discusses in detail all of the ways in which data must be secured while it is stored. Considerations for stored data protection include accidental loss, data that is taken out of the business without permission, and how data should be destroyed when one wants to dispose of it securely. Data loss is an egregious outcome; it is the type of scenario whose results can range from someone losing their job to the entire business sinking.

So, how do we lose data, and how can we avoid data loss? Mechanical issues and server outages can cause losses, of course, but data is often lost because we did not take the precautions needed to safeguard it. For example, it is important to conduct database and server backups regularly. When something happens to the data on the host, there have to be backup copies available that the business can rely upon. Fire, water, theft, natural disasters, mechanical failures, accidental loss, and a host of other dangers constantly threaten databases. Because of this, it is wise to regularly back up both files and directories. How regularly databases are backed up should be carefully considered—remember, you can only recover the data from your last backup. There are three types of backups for databases—full, incremental, and transaction. If you run transaction backups every hour, rather than running them daily or weekly, then you risk losing only an hour’s worth of data if something happens.

Scope is also relevant. Do you only want to back up the files and directories themselves, image the entire drive, or shadow all files? Obviously, the more in-depth the backup is, the greater the resources needed to accommodate it. However, the greater the scope, the more complete the recovery will be when the data needs to be restored.

Data storage is another consideration for data protection. When you make backups, you need a place to store them, such as keeping SQL database backups on a file server with a share. Server backups can also be stored in a storage area network (SAN). One option for database backups is to encrypt them. Another option is to save backups on tape and store them offsite. An important precaution for access control is to limit the number of people who have access to backups. In addition, retention of backups and media should be regulated and closely monitored.
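The lesson's point that "you can only recover the data from your last backup" and that hourly transaction backups shrink the loss window is easiest to see with a restore-chain planner. The Python below is an added example, not part of the study guide or the textbook; it builds a constructed backup catalogue (nightly full, incrementals every six hours, transaction backups every hour) and, for a given failure time, computes which backups must be restored in which order and how many minutes of data are lost. It assumes a simplified model in which an incremental captures everything since the previous full or incremental, so transaction backups taken before the last incremental need not be replayed.

```python
from datetime import datetime, timedelta


def build_catalog(hourly_transactions=True):
    """Constructed catalogue for one day: a full backup at midnight, then
    (optionally) an incremental every 6 hours and a transaction backup in
    every other hour. Entries are (kind, datetime) tuples."""
    start = datetime(2024, 3, 1, 0, 0)
    catalog = [("full", start)]
    if hourly_transactions:
        for hour in range(1, 24):
            kind = "incremental" if hour % 6 == 0 else "transaction"
            catalog.append((kind, start + timedelta(hours=hour)))
    return catalog


def plan_restore(catalog, failure_iso):
    """Ordered chain of backups needed to recover to the latest point at or
    before the failure time (ISO string). Returns None if no full backup exists
    before the failure, because nothing can be restored without a base."""
    failure_time = datetime.fromisoformat(failure_iso)
    usable = sorted((when, kind) for kind, when in catalog if when <= failure_time)
    fulls = [when for when, kind in usable if kind == "full"]
    if not fulls:
        return None
    base = fulls[-1]
    chain = [("full", base)]
    # Assumed model: each incremental supersedes everything since the previous
    # full/incremental, so all incrementals after the base are applied in order...
    incrementals = [when for when, kind in usable if kind == "incremental" and when > base]
    chain.extend(("incremental", when) for when in incrementals)
    last_applied = incrementals[-1] if incrementals else base
    # ...and only the transaction backups taken after the last incremental follow.
    transactions = [when for when, kind in usable if kind == "transaction" and when > last_applied]
    chain.extend(("transaction", when) for when in transactions)
    return [(kind, when.isoformat()) for kind, when in chain]


def data_loss_minutes(catalog, failure_iso):
    """Minutes between the last restorable backup and the failure: the data
    written in that window is gone, which is the lesson's recovery-point risk."""
    chain = plan_restore(catalog, failure_iso)
    if not chain:
        return None
    recovery_point = datetime.fromisoformat(chain[-1][1])
    gap = datetime.fromisoformat(failure_iso) - recovery_point
    return int(gap.total_seconds() // 60)


if __name__ == "__main__":
    failure = "2024-03-01T14:30:00"
    for kind, when in plan_restore(build_catalog(), failure):
        print(kind, when)
    print("loss with hourly transaction backups:", data_loss_minutes(build_catalog(), failure), "min")
    print("loss with a nightly full only       :", data_loss_minutes(build_catalog(False), failure), "min")
```

Running it for a failure at 14:30 yields a five-step chain (full, two incrementals, two transaction backups) and a 30-minute loss window, against 870 minutes when only the nightly full exists; the same planner also shows that a failure before the first full backup cannot be recovered at all.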


Database Access Control

Database access control is one of the more important areas of access control due to the data that are housed in databases. Database administrators (DBAs) will provide permissions based on the need of the requester. For example, most users will need to read data; some will also need the capability to alter data. Higher security is required for the role of database owner or system administrator. A number of database management systems (DBMS) can manage access for individual databases and restrict access to only authenticated and authorized users. Authentication can take place locally or on a remote, central server. As mentioned previously, websites are commonly attacked through unexpected data being passed along by SQL injection. This can result in a consequence as drastic as deletion of data, or a database being shut down. Database auditing tools can be used to collect information about noncompliance with established security policies, changes to data, errors, warnings, and unsuccessful logins. In addition, data encryption is a good tool for data stored in databases.

Conclusion

Organizations can use a variety of methods to secure their applications, data, web servers, and websites. The textbook provides a lot of valuable information for those of you interested in those career areas.

Reference

Boyle, R. J., & Panko, R. R. (2021). Corporate computer security (5th ed.). Pearson. https://online.vitalsource.com/#/books/9780135823354
