Cyber Defense in Web Based Attacks

Description

Scenario:
You are the Information Security manager in a medium-sized retail organization based in Dubai. The overwhelming majority of your clients fly or drive to Dubai over the weekend to pick up the purchases they made online during the week.

You have been asked to assess the company’s current security posture and come up with a recommendation for securing against website risks, threats, and vulnerabilities.

Directions:
Write a paper that includes the following:

  • A description of 3 major risks, 3 threats, and 3 vulnerabilities that are of concern from the IT security point of view.
  • An explanation of the best practices you would recommend to mitigate these risks, threats, and vulnerabilities.

Keep in mind, we are most interested in your ability to describe the risks, threats, and vulnerabilities in the retail industry in accordance with security goals. Use diagrams, where appropriate.

Deliverables:

  • Your paper should be 2-3 pages in length, not including the title and reference pages.
  • You must include a minimum of two (2) credible sources and information from the module to support your writing.
  • Your paper must follow University academic writing standards and APA style guidelines, as appropriate.
  • You are strongly encouraged to submit all assignments to the Turnitin Originality Check.


Textbook:
Harwood, M. (2016). Internet security: How to defend against attackers on the web (2nd ed.). Burlington, MA: Jones & Bartlett Learning. ISBN-13: 9781284090550

Unformatted Attachment Preview

Internet Security: How to Defend Against Attackers on the Web
Lesson 5: Mitigating Web Site Risks, Threats, and Vulnerabilities
© 2016 Jones and Bartlett Learning, LLC, an Ascend Learning Company. www.jblearning.com. All rights reserved.

Learning Objective
  ▪ Compare and contrast Web-based risks.

Key Concepts
  ▪ Different types of traffic to Web sites
  ▪ Common vulnerabilities and attacks impacting Web applications
  ▪ Best practices for mitigating known Web application risks, threats, and vulnerabilities

Who Is Coming to Your Web Site?
  ▪ A company with an e-commerce Web site needs to know the types of traffic visiting the site
  ▪ Important for both security and marketing

Web Site Analytics
  ▪ Web analytics software tracks:
    • Visitor location
    • Visitor sources
    • Visitor type
    • Visitor navigation
    • Average time on site
    • Leave (bounce) rate

(Figure: Google Analytics result)

Google Analytics Dashboard
  ▪ Some features of the Google Analytics dashboard:
    • Visits
    • Site usage
    • Visitors overview
    • Map overlay
    • Content overview

(Figure: Google Analytics map overlay)

Whom Do You Want to Come to Your Site?
  ▪ The characteristics of the site's demographic determine the site design
  ▪ Create a customer profile based on the desired demographic
    • A profile is a description of your customer based on various criteria
    • Age range, gender, marital status, geographical location, occupation, etc.

Market Segmentation
  ▪ Customer location
  ▪ Customer demographic
  ▪ Customer behaviors
  ▪ Customer lifestyle

Accepting User Input
  ▪ A Web site may have interactive elements, designed to engage visitors so they return to the site
  ▪ Interactive elements may introduce security considerations, including phishing, bullying, and cyberstalking

Accepting User Input (Cont.)
  ▪ Forums
  ▪ Web site feedback forms
  ▪ Online surveys

OWASP Overview
  ▪ Open Web Application Security Project (OWASP)
    • A 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software

OWASP Top 10

1. Injection
  • Injection flaws allow attackers to relay malicious code through the Web application to another system; the most common attack is SQL injection
  Mitigation
  • Input validation

2. Broken Authentication and Session Management
  • Authentication and session management includes all aspects of handling user authentication and managing active sessions
  Mitigation
  • Strong passwords, password rotation, encrypted password storage and transmission, session ID protection, limited session caching

3. Cross-Site Scripting (XSS)
  • A type of computer security vulnerability typically found in Web applications that enables malicious attackers to inject client-side script into Web pages viewed by other users
  • Two common types: reflected and stored
  Mitigation
  • End user education (be wary of links)
  • Web site security
  • Firewall
4. Insecure Direct Object Reference
  • Occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter
  Mitigation
  • Input validation
  • Permissions that lock down objects on the server (these need to be tested)

(Figure: Reflected XSS attack)

5. Security Misconfigurations
  • Default security settings may be insecure
  • Administrators may make mistakes during configuration
  Mitigation
  • Harden settings, perform security audits, keep the operating system up to date, keep databases current, review the life cycle of products in use, understand the function and role of each system, training and research

6. Sensitive Data Exposure
  • Breaches can expose sensitive data, which includes credit card numbers, research secrets, student records, personal information, banking data, employee records, and more
  Mitigation
  • Safely secure data in storage and in transit, secure and manage authentication, authorize access to data, create data policies

7. Missing Function Level Access Control
  • If users can access resources or application features beyond what their roles require, access controls have failed
  • Results from careless permission assignment or a developer mistake
  Mitigation
  • Manage authorization and permissions carefully, perform audits, create policies

8. Cross-Site Request Forgery (CSRF)
  • Links take the visitor to a malicious destination
  • A type of malicious exploit of a Web site whereby unauthorized commands are transmitted from a user that the Web site trusts
  Mitigation
  • Log off Web sites when done, don't store usernames or passwords, periodically delete cookies, ensure browsers are up to date, be wary of unknown sites

9. Using Components with Known Vulnerabilities
  • Use of software that is at or past end of life, unpatched applications, open-source software with well-known vulnerabilities
  Mitigation
  • Keep applications up to date, research vulnerabilities, keep applications and operating systems patched, remove unused functionality

10. Unvalidated Redirects and Forwards
  • Unvalidated links from trusted sites that take users to an unauthorized site to gain sensitive information from them or to install malicious software on their machines
  Mitigation
  • Don't use redirects
  • If you must, restrict the use of temporary redirects and use permanent ones wherever possible

(Figure: Web developer tool screen used to set a Web site as the preferred domain)

Additional Web Threats Not in the OWASP Top 10
  ▪ Malicious file execution
  ▪ Information leakage and improper error handling
  ▪ Unsecure cryptographic storage
  ▪ Unsecure communications
  ▪ Failure to restrict URL access

Malicious File Execution
  ▪ A vulnerability caused by unchecked input into the Web server
  ▪ Because of unchecked input, an attacker's files can be executed or processed on the Web server
  Mitigation
  ▪ Input validation, denial of certain file extensions, access control mechanisms, account management, specific firewall configuration, network segmentation
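As an added example, not part of the Harwood slides or the assignment, the following Python shows OWASP item 1 (Injection) in code: a lookup that concatenates user input into SQL, the parameterized form beside it, and the allowlist input validation the slide names as the mitigation. The customer table and its rows are constructed for the demo.

```python
import re
import sqlite3

# Constructed sample data (not from the slides): a tiny customer table.
SAMPLE_ROWS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    # Untrusted input is spliced into the SQL text, so a quote in the input
    # changes the query's structure instead of just the compared value.
    sql = "SELECT username, email FROM customer WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Parameterized query: the driver binds the value separately from the
    # SQL text, so quotes in the input are data, never syntax.
    sql = "SELECT username, email FROM customer WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def is_valid_username(username):
    # Allowlist validation, the mitigation the slide names. It is defense in
    # depth on top of parameterization, not a replacement for it.
    return USERNAME_RE.fullmatch(username) is not None


def demo():
    conn = make_db()
    probe = "' OR '1'='1"  # textbook tautology: the quote closes the literal
    return {
        "vulnerable_row_count": len(lookup_vulnerable(conn, probe)),
        "safe_row_count": len(lookup_safe(conn, probe)),
        "probe_passes_validation": is_valid_username(probe),
        "normal_lookup": lookup_safe(conn, "alice"),
    }


if __name__ == "__main__":
    print(demo())
```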
Information Leakage and Improper Error Handling
  ▪ An attacker exploits information in insecure error messages
  ▪ Errors can include error tracing information, network name, verification of the existence of a file, ID or password login details, database details
  Mitigation
  ▪ Policies and procedures, a procedure for storing error messages, careful attention to the information in error messages, adequate permissions

Unsecure Cryptographic Storage
  ▪ Sensitive data that is stored without appropriate encryption
  Mitigation
  ▪ Choose a strong encryption algorithm
  ▪ Store private keys offline and make them accessible only when needed

Unsecure Communications
  ▪ Data that is not secure during transit over a network or the Internet
  Mitigation
  ▪ Security association (SA) and Internet Key Exchange (IKE)
  ▪ Internet Protocol Security (IPsec)
  ▪ Secure Sockets Layer (SSL)

Failure to Restrict URL Access
  ▪ Information on the Web server is not sufficiently protected when direct links aren't present
  ▪ The user finds hidden URLs
  ▪ Developers must implement access control for each function to authorize the user explicitly
  Mitigation
  ▪ Careful design planning to implement protection throughout the application
  ▪ Penetration testing

Best Practices for Mitigating Known Web Application Risks, Threats, and Vulnerabilities
  ▪ Harden the network
  ▪ Document network security procedures
  ▪ Deploy encryption strategies
  ▪ Educate users
  ▪ Use preventative mitigation tools

Summary
  ▪ Different types of traffic to Web sites
  ▪ Common vulnerabilities and attacks impacting Web applications
  ▪ Best practices for mitigating known Web application risks, threats, and vulnerabilities

Virtual Lab
  ▪ Exploiting Known Web Vulnerabilities on a Live Web Server
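As an added example (not from the slides or the textbook), this Python handler shows the "authorize the user explicitly for each function" point from Failure to Restrict URL Access, and at the same time OWASP items 4 (Insecure Direct Object Reference) and 7 (Missing Function Level Access Control): every route carries a role allowlist, and an order id in the request is checked for ownership. The routes, users and order table are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str  # "customer" or "admin"


# Constructed sample data (not from the slides): order id -> owning customer.
ORDERS = {"1001": "alice", "1002": "bob"}

# Every route declares the roles allowed to call it. A URL that is merely
# unlinked from the pages is not protected; only this table protects it.
ROUTE_ROLES = {
    "/orders/view": {"customer", "admin"},
    "/admin/reports": {"admin"},
}


class Forbidden(Exception):
    pass


def authorize(user, path, order_id=None):
    # Function-level check: the caller's role must be on the route's allowlist.
    allowed = ROUTE_ROLES.get(path)
    if allowed is None or user.role not in allowed:
        raise Forbidden("access denied")  # generic text, nothing leaked
    # Object-level check: a customer may only open an order that is theirs,
    # even though the order id is a plain parameter they could edit.
    if order_id is not None:
        owner = ORDERS.get(order_id)
        if owner is None or (user.role != "admin" and owner != user.name):
            raise Forbidden("access denied")
    return True


def handle(user, path, order_id=None):
    # Returns an HTTP-style status code the way a real handler would.
    try:
        authorize(user, path, order_id)
    except Forbidden:
        return 403
    return 200


if __name__ == "__main__":
    alice = User("alice", "customer")
    print(handle(alice, "/orders/view", "1001"), handle(alice, "/orders/view", "1002"))
    print(handle(alice, "/admin/reports"), handle(User("root", "admin"), "/admin/reports"))
```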