
Running head: ASSESSMENT TEST 1


Assessment Test

Student Name

Institutional Affiliation

Course Name and Number

Instructor’s Name

Date

Assessment Test

Learning About OWASP

The Open Web Application Security Project (OWASP) was founded in 2004 and is a non-profit organization that works to prevent common application attacks. It is the first of many attempts at standardizing secure coding practices, made at a time when application security threats against old and insecure code have increased (The OWASP Foundation, n.d.). The organization takes a neutral, risk-based approach and avoids influence from any specific company in its effort to guarantee security. In 2001, the organization was not yet officially a non-profit but identified as a collective that advocated for safe programming practices (The OWASP Foundation, n.d.). Its influence gained recognition, and in 2004 it became the OWASP Foundation, setting ethical standards while maintaining its freedom and open neutrality from commercial pressure.

Since no other business regulates the organization, its neutral standards can be applied when accrediting applications and monitoring new vulnerabilities. This approach is useful to businesses as they integrate security into development, verification, and maintenance in order to keep their web applications secure. The organization maintains an open and transparent stance on global neutrality and information dissemination (The OWASP Foundation, n.d.). It also encourages and supports innovation and credibility while seeking solutions to the challenges facing software security. It is an inclusive community that encourages participation worldwide, and it maintains an honest, supportive and respectful approach towards application security.

One of the vulnerabilities described on the organization’s website is using an empty string as a password. This practice is insecure and not advised: an empty password is trivial to guess and makes authentication weak, especially when the username is guessable or public (The OWASP Foundation, n.d.). Accounts that use it are likely to face a brute-force attack against the login interface.

References

The OWASP Foundation. About Us | The OWASP Foundation. Owasp.org. Retrieved 3 September 2020, from https://owasp.org/about/.

The OWASP Foundation. Empty String Password | OWASP. Owasp.org. Retrieved 3 September 2020, from https://owasp.org/www-community/vulnerabilities/Empty_String_Password.

Common Weakness Enumeration

The Common Weakness Scoring System (CWSS) provides a strategy for prioritizing software weaknesses in a manner that is open, flexible, and consistent. It is a community-based, collaborative effort that involves the relevant stakeholders across the industrial, academic, and governmental sectors. Software developers face numerous individual bug reports for discrepancies in their code. Each such weakness can lead to a vulnerability, and when the volume of weaknesses is high, stakeholders need a strategy for deciding which issues to investigate and fix (Common Weakness Enumeration, n.d.). This step often involves incomplete information, so humans must communicate about and reason over the relevance of each weakness. After assessing the risk a weakness can cause, stakeholders prioritize which weaknesses to remediate through methodologies designed to compare weaknesses and derive actionable information.

This process often involves applying attack surface and environmental metrics to derive information that accurately reflects the possible risk, based on the business context and the software’s capability, both of which are defined by the business’ unique circumstances (Common Weakness Enumeration, n.d.). It allows for more informed decision-making while mitigating these risks.

One of the weaknesses catalogued by CWE is improper input validation (CWE-20). Input validation is the technique of checking for dangerous inputs so that processing stays safe within the given code and when communicating with other components (Common Weakness Enumeration, n.d.). If input is not properly validated, the software becomes exposed to attackers who can supply input in a form the application does not expect, leading to arbitrary code execution, arbitrary control of resources, or altered control flow.

References

Common Weakness Enumeration. CWE - Common Weakness Scoring System (CWSS). Cwe.mitre.org. Retrieved 3 September 2020, from https://cwe.mitre.org/cwss/cwss_v1.0.1.html.

Common Weakness Enumeration. CWE -CWE-20: Improper Input Validation (4.2). Cwe.mitre.org. Retrieved 3 September 2020, from https://cwe.mitre.org/data/definitions/20.html.

Creating Good Password Security

When creating a new password, it is advisable to take measures to ensure that the password is strong enough to prevent hacks or breaches of access. Prohibiting guessable passwords such as plain numbers, real words, and common names is critical, since most hackers try to guess such passwords first and they tend to be easy to bypass. It is ideal to use a special character or a mix of uppercase letters, numbers, and lowercase letters in passwords. Password reauthentication is also important, as most hackers would then be unable to reuse a password that had been saved on a public device. Most administrators in industrial settings discourage employees from using their user ID or email as a password, since both are easily forged.

Creating a strong password involves using unique characters that are identifiable only to the individual. It is also recommended to use different passwords for all important accounts, since reusing passwords presents a risk of theft and breach of access. Strong passwords are often longer and memorable and should contain at least eight characters (Guo et al., 2019). A password could be a lyric from a poem or an abbreviation. It is ill-advised to write passwords down on a piece of paper, especially in a public place. Individuals who are prone to forgetting their passwords may opt to use verified password tools. It is also advised to change a password after a period of three to six months, especially if the individual works on a public machine (Guo et al., 2019). Individuals should also avoid sharing their passwords with unknown websites, as these are easily hacked.
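The rules described above (and repeated in the password policy rule later on this page) can be checked mechanically. The following Python checker is an added example and not from the cited sources; the common-password list and the requirement for all four character classes are assumptions, and the empty-string check reflects the OWASP weakness discussed earlier.

```python
import re

# Constructed stand-in for a real list of common passwords (assumption).
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "admin", "12345678"}

MIN_LENGTH = 8  # minimum length stated on this page


def password_problems(password, username="", email=""):
    """Return a list of policy violations for a candidate password.

    An empty list means the password satisfies the rules on this page:
    non-empty, at least MIN_LENGTH characters, not a plain number or a
    common word, not equal to the user ID or e-mail, and containing
    lowercase, uppercase, digit and special characters (assumed: all four).
    """
    problems = []
    if password == "":
        # OWASP "Empty String Password": trivially guessable, nothing else to check.
        problems.append("empty password")
        return problems
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        problems.append("numbers only")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("common password")
    # The user ID, the e-mail address and the e-mail's local part are all forbidden.
    identifiers = {username.lower(), email.lower(), email.split("@")[0].lower()}
    identifiers.discard("")
    if lowered in identifiers:
        problems.append("equals user ID or e-mail")
    classes = [
        re.search(r"[a-z]", password),
        re.search(r"[A-Z]", password),
        re.search(r"[0-9]", password),
        re.search(r"[^a-zA-Z0-9]", password),
    ]
    missing = 4 - sum(1 for found in classes if found)
    if missing > 0:
        problems.append(f"missing {missing} of upper/lower/digit/special")
    return problems


def is_acceptable(password, username="", email=""):
    """True when the password passes every rule."""
    return not password_problems(password, username, email)
```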

Reference

Guo, Y., Zhang, Z., & Guo, Y. (2019). Optiwords: A new password policy for creating memorable and strong passwords. Computers & Security, 85, 423-435. Retrieved from https://doi.org/10.1016/j.cose.2019.05.015

JSON and AJAX

Ajax is a set of techniques adopted by numerous web technologies to build web applications that communicate asynchronously. Through these techniques, a web application can retrieve and send data in the background without interfering with the behaviour or display of the existing page (Friesen, 2016). It allows web applications and pages to change content without reloading the entire page, by separating the presentation layer from the data interchange layer. Today, most implementations use JSON rather than XML.

JavaScript Object Notation, also known as JSON, is a data-interchange format that is easy to read and write. It is easy for machines to generate and is based on a subset of the JavaScript Programming Language Standard ECMA-262, third edition (Friesen, 2016). It is a text format that uses conventions familiar to programmers who know C-family languages such as Python, Perl, JavaScript, Java, C#, C++, and C. These features make it a preferable data-interchange language.

The Same Origin Policy is a security feature of the JavaScript implementation found in most browsers. It permits scripts to make requests to pages within the same domain and restricts them from making requests to pages served through a different protocol or from subdomains. Because it is part of JavaScript, it is also part of jQuery, which means that making an AJAX call to a page on a different domain is impossible (Petty, 2017). There are times, however, when a request to a page on a different domain is needed. For such cases, JSON has set standards that allow this, though it requires a hack to use within JavaScript.
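The origin comparison the browser performs, written out in Python as an added example (not code from the cited sources): two URLs share an origin only when scheme, host and port all match, so a different protocol or a subdomain is a different origin even when the path is the same. The sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Default ports that browsers treat as implied when a URL omits the port.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple that defines a URL's origin.

    The path, query and fragment play no part in the origin, and an
    explicit default port (":443" on https) is the same as no port.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(page_url, request_url):
    """True when a script on page_url may read a response from request_url."""
    return origin(page_url) == origin(request_url)


def origin_mismatch(page_url, request_url):
    """List which components ("scheme", "host", "port") differ, for logging."""
    names = ("scheme", "host", "port")
    a, b = origin(page_url), origin(request_url)
    return [name for name, x, y in zip(names, a, b) if x != y]


if __name__ == "__main__":
    page = "https://www.example.edu/students/index.html"  # constructed
    for target in ("https://www.example.edu:443/api/data.json",
                   "http://www.example.edu/api/data.json",
                   "https://api.example.edu/data.json",
                   "https://www.example.edu:8443/data.json"):
        print(target, "allowed" if same_origin(page, target) else origin_mismatch(page, target))
```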

References

Friesen, J. (2016). Java XML and JSON. New York, NY: Apress. Retrieved from https://link.springer.com/content/pdf/bfm%253A978-1-4842-1916-4%252F1.pdf

Petty, D. (2017). The Not-So-Same-Origin Policy. Retrieved from https://www.ise.io/wp-content/uploads/2018/03/ise_same-origin-policy_whitepaper.pdf

Security-Related Rules for Webpages

While each department will add different web pages designed to its liking, there are rules that all staff members and students should be aware of. These include, but are not restricted to:

1. All software should be up to date: all scripts or platforms used should be updated, as hackers actively keep track of possible security flaws, especially in popular software. All programs should be updated regularly to close security gaps (Maass et al., 2017).

2. Password policy: all departments and students are required to generate a strong password, which must be changed every three months. This prevents unauthorized access by hackers and third-party users. All passwords should be complex, containing special characters, numbers, and lowercase and uppercase letters, and should be at least eight characters long.

3. Login page encryption: all departments should ensure that their login pages are encrypted through SSL. SSL encryption prevents sensitive information such as login credentials from being transmitted in the clear and intercepted unnoticed (Maass et al., 2017). It ensures that all private data shared on the different pages remains secure.

4. Website maintenance: all departments are required to ensure that every plugin, application, or database is maintained regularly. This includes deleting any of the above that are no longer in use.

5. Backup data: all web pages should have a backup of all files in the event that the site becomes inaccessible or data is lost. Though the web host provider offers server backups, it is important to have a separate backup system in place (Maass et al., 2017). Content management programs are available that provide extensions and plugins which automatically back up databases and content.

Reference

Maass, M., Wichmann, P., Pridöhl, H., & Herrmann, D. (2017, June). Privacy score: Improving privacy and security via crowd-sourced benchmarks of websites. In Annual Privacy Forum (pp. 178-191). Springer, Cham. Retrieved from https://doi.org/10.1007/978-3-319-67280-9_10

File Inclusion Vulnerability

File inclusion is an advanced feature of server-side scripting languages. It is important for managing web applications and keeping the code tidy. It is also used for other tasks such as download functionality, and it allows web applications to read files from the file system. If not well implemented, it is susceptible to a Remote File Inclusion (RFI) attack or a Local File Inclusion (LFI) attack. RFI is a vulnerability found mostly in websites running on PHP (Le et al., 2016). Hackers remotely access the web server through a script: where the application uses user-supplied input without validation, they include a remotely hosted file, which leads to anything from minimal output to arbitrary code execution. An LFI is similar to an RFI, with the difference that the hacker must first upload the malicious script to the target server so that it executes locally (Hassan et al., 2018).

To prevent a security breach, several methods can be considered. First, it is advisable to store information in databases where applicable. Second, other file paths and filenames should be ignored in favour of a file whitelist. Third, all file paths should be saved in a database with an ID assigned to each, so that only authorized users have access and are allowed to make any configuration changes (Le et al., 2016). Finally, the server should be set to send download headers automatically rather than executing files from specific directories such as /download/. This delivers the file to the user without the need for additional code. Languages vulnerable to this risk include NodeJS, Perl, PHP, Python, and JRuby (Le et al., 2016).
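The second, third and fourth measures above combined into one download handler, as an added Python example that is not from the cited papers: the client supplies only a numeric ID, the ID is mapped to a filename through a table (a dictionary standing in for the database), the extension must be on a whitelist, the resolved path must stay inside the download directory, and the result is a path plus download headers rather than an include. The sample files and table are constructed, and row 3 is deliberately poisoned to show the containment check.

```python
import os
import tempfile

ALLOWED_EXTENSIONS = {".pdf", ".txt"}  # file whitelist (assumed policy)


def setup_sample_store():
    """Create a constructed download directory and its ID table (sample data)."""
    base = tempfile.mkdtemp(prefix="downloads_")
    for name, body in (("report.pdf", b"%PDF-1.4 sample"), ("notes.txt", b"hello")):
        with open(os.path.join(base, name), "wb") as fh:
            fh.write(body)
    # Stand-in for the database table mapping IDs to stored file names.
    # Row 3 simulates a corrupted or tampered row that points outside the root.
    table = {1: "report.pdf", 2: "notes.txt", 3: "../outside.txt"}
    return base, table


def resolve_download(base_dir, table, file_id):
    """Map a request ID to (absolute_path, headers); never takes a path from the client.

    Raises LookupError for unknown/missing files and ValueError for policy violations.
    """
    try:
        file_id = int(file_id)
    except (TypeError, ValueError):
        raise LookupError("invalid id")
    if file_id not in table:
        raise LookupError("unknown id")
    name = table[file_id]
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("file type not on the whitelist")
    root = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(root, name))
    # Containment check: even a bad table row must not escape the download root.
    if os.path.commonpath([root, path]) != root:
        raise ValueError("path escapes download directory")
    if not os.path.isfile(path):
        raise LookupError("file missing")
    headers = {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{os.path.basename(name)}"',
        "X-Content-Type-Options": "nosniff",
    }
    return path, headers


def download_outcome(base_dir, table, file_id):
    """Classify a request as "ok", "not_found" or "rejected" (handy for logs and tests)."""
    try:
        resolve_download(base_dir, table, file_id)
        return "ok"
    except LookupError:
        return "not_found"
    except ValueError:
        return "rejected"
```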

References

Hassan, M. M., Bhuyian, T., Sohel, M. K., Sharif, M. H., & Biswas, S. (2018). SAISAN: An automated local file inclusion vulnerability detection model. International Journal of Engineering & Technology, 7(2-3), 4. Retrieved from https://www.researchgate.net/profile/Md_Hasan_Sharif/publication/324861182_SAISAN_An_Automated_Local_File_Inclusion_Vulnerability_Detection_Model/links/5ae817bba6fdcc03cd8dc37b/SAISAN-An-Automated-Local-File-Inclusion-Vulnerability-Detection-Model.pdf

Le, V. G., Nguyen, H. T., Lu, D. N., & Nguyen, N. H. (2016, September). A solution for automatically malicious web shell and web application vulnerability detection. In International Conference on Computational Collective Intelligence (pp. 367-378). Springer, Cham. Retrieved from https://doi.org/10.1007/978-3-319-45243-2_34

Risk Assessment Analysis

As the Webmaster for the Republican Party committee, it is important to have a risk management protocol in place in the event of a cyberattack. The first thing to consider is the possible attacker. Given that the party is not the preference of many, it is likely to be targeted by rival political parties, domestic and international terrorists, and black hat hackers working for independent individuals. They are likely to attack when the election commences and during the campaign period, and they would want to gather information relevant to the party’s agenda ahead of the election. Notably, they are likely to use that information to jeopardize the party’s strategies by selling it to the media or releasing it to the public for their own gain.

There are different ways in which the website can be attacked. The first is malware, which uses worms, viruses, and spyware to breach a network. This occurs when a user clicks an email attachment or link that automatically installs risky software (Pope, 2016). Once it has access, malware obtains information through spyware, installs harmful software that can delete important information, blocks user access, or disrupts different parts of the website. Other forms of attack include phishing, SQL injection, denial-of-service attacks, and man-in-the-middle attacks.

To best minimize attacks, it is crucial to ensure that the website has an SSL certificate, preventing hackers from remotely accessing the platform (Pope, 2016). Additionally, it is important to train all users on the forms of attack and how they occur, so that they are aware of the associated risks, especially when using public computer systems.

Reference

Pope, J. (2016). Ransomware: Minimizing the risks. Innovations in Clinical Neuroscience, 13(11-12), 37. Retrieved from https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5300711/

Penetration Testing Techniques

Penetration testing is used by managed service providers to give their users additional cybersecurity. These services help companies prepare for cyberattacks by stress-testing the security of their IT infrastructure. There are five common pen tests, namely: network service tests, web application tests, wireless network tests, client-side tests, and social engineering tests. Network service tests assess the gaps and vulnerabilities in network infrastructure. An advantage of this test is that it reduces network downtime (Chen et al., 2018). However, if not done properly, it can mimic malware in the system. Web application tests are more detailed, intense, and targeted. They target the endpoints of web applications that users interact with regularly. One advantage of this test is that it ensures a high-end website; however, it may be time-consuming and costly.

Client-side tests identify threats that emerge locally on client software. This test makes it possible to conduct experiments without employing a front-end developer. However, it can also negatively affect the user experience, especially when carried out through JavaScript. Wireless network tests assess the devices deployed at the client’s site (Chen et al., 2018). One disadvantage is that they may interfere with file transfers due to reduced speeds. However, they identify open or rogue access points, which is advantageous as it reduces third-party interference. Social engineering tests address the human element of an organization, imitating the ways in which an individual may breach a company. They are advantageous because they detect what ethical hacking would find. However, they may also be costly and time-consuming.

One notable social engineering technique is impersonation, which involves imitating another person to gain access to a company and obtain valuable information (Chen et al., 2018). One limitation of penetration tests is that, if they are not coordinated properly, the results can be misleading.

Reference

Chen, C. K., Zhang, Z. K., Lee, S. H., & Shieh, S. (2018). Penetration testing in the IoT age. Computer, 51(4), 82-85. Retrieved from https://doi.org/10.1109/MC.2018.2141033

Threat Response Software

The threat response software selected is Sumo Logic, a cloud-based service that emphasizes security through data analytics, delivering real-time insights from machine-generated big data. It acts as a log management application that evaluates online data feeds and displays accurate charts and feeds relevant to security threats and performance. It uses email alerts to notify users when threats are detected and offers a freemium version with limited permissions and the option of upgrading in future.

It comes with online support systems, numerous data resources, and video tutorials that can be used to train employees on how to use and navigate the software. Through these sources, employees and other users can also be notified of software upgrades. Notable features include activity tracking, access control, alerts and escalations, compliance management, data import and export, permission management, auditing, real-time monitoring, reporting and statistics, third-party integration, and workflow management. It is very flexible and integrates with different cloud providers. It is especially beneficial to small business owners who may not want to run their own logging infrastructure. One limitation of the software, however, is that it may not be suitable for large amounts of data. It is priced at $270 per month.

Reference

Sumo Logic. Find answers hidden in your data | Sumo Logic. Sumo Logic. Retrieved 3 September 2020, from https://www.sumologic.com/lp/brand/?utm_content=b&utm_source=google&utm_medium=ppc&utm_campaign=EMEA_Search_Brand_Low_Countries&utm_adgroup=78295918019&utm_term=%2Bsumo%20%2Blogic&gclid=CjwKCAjwqML6BRAHEiwAdquMnWpOGinvwX7L6UUVCsuLp6p9gItETALtBWoLVNLI_tKUgpV6UEYwphoCppoQAvD_BwE.

The Dark Web

The Dark Web is a collection of encrypted websites with hidden IP addresses that protect users by giving them anonymity. These websites cannot be reached through traditional search engines and are only accessible through anonymity browsers such as The Onion Router (TOR) bundle (Easttom, 2018). The bundle connects to an encrypted network of relays through which internet connections are routed worldwide. However, the relays lead to slow connections, since they must redirect the user to the server of the website they wish to reach through a decentralized structure. The simplest way of navigating the Dark Web is by installing the TOR browser bundle (Easttom, 2018). Unlike normal .com websites, TOR URLs end with the suffix .onion. These URLs often change to evade DDoS attacks and detection. It is advised to use a VPN when accessing TOR, since some governments suspect malicious intent from those who access the Dark Web. With a VPN, the ISP sees only encrypted traffic and is not aware of the user’s activities on the TOR network.

The Dark Web is known for criminal activity such as drug trafficking, illegal weapon deals, and other malicious activities such as terrorism. Criminals prefer these websites because governments cannot trace their activities. However, it can also be used positively, for instance by white hats gaining access to information needed to implement security measures (Chertoff, 2017). It also hosts informative websites that people can use to learn things that would be restricted on a normal website. It is frequently used by the FBI, CIA, Interpol, Mossad, and MI6 to gather intelligence that helps curb crime syndicates and potential terror attacks (Chertoff, 2017). Private individuals can use the Dark Web for normal research, especially when they want to hide their activities from a public network.

References

Chertoff, M. (2017). A public policy perspective of the Dark Web. Journal of Cyber Policy, 2(1), 26-38. Retrieved from https://doi.org/10.1080/23738871.2017.1298643

Easttom, C. (2018). Conducting investigations on the Dark Web. Journal of Information Warfare, 17(4), 26-37. Retrieved from https://doi.org/10.2307/26783825