Use the pdf document as reference to answer the questions in the word document.
Please paraphrase all answers, do not copy and paste from the reference document or any other reference document you use.
Question 1: [NOTE: Answer each part of the question in paragraph format]
a. What is Transparent Data Encryption? Why is it transparent? What types of encryption does it support? Explain how TDE protects against attacks by privileged OS users? (4 points)
b. Identify and explain 4 primary defenses against SQL injection attacks. (4 points)
c. What specific encryption techniques does Amazon RDS use for protecting databases at rest? What encryption techniques and protocols does Amazon RDS use to protect data in flight? (2 points)
Question 2: [NOTE: Answer each part of the question in paragraph format]
a. Explain how a reflected XSS attack is different from a persistent XSS attack. Provide examples of attack scenarios for each. (2 points)
b. As per the OpenCanvas Learning YouTube video, there are 6 components which come together to make a web browser work. Pick 4 out of the 6 components and explain what each of those components does to get the browser to function. (4 points)
c. Describe the main difference between session cookies and persistent cookies. Describe 3 steps that we used to exploit information contained in cookies to launch a privilege escalation attack (based on one of the lab exercises). (4 points)
Question 3: [NOTE: Answer each part of the question in paragraph format. It is okay if your answers to this question spill into the next page due to the table that I have included as a part of the question stem for part d.]
a. Explain what server hardening means in your own words. Which specific web application security risk in the OWASP Top 10 list from 2017 is hardening supposed to best protect against? (2 points)
b. Explain how a replay attack works using your own words. (2 points)
c. Explain what a web application firewall is and how it is different from a traditional network firewall. Which layer in the 7-layer OSI architecture does each operate at? (2 points)
d. Complete the following table of cloud service models by specifying whether the customer (C) or the service provider (SP) is responsible for hardware, operating system, applications, and data. From a customer perspective, which of the 3 cloud service models is most secure (theoretically)? (4 points)
Cloud Service Model | Hardware | Operating System | Applications | Data
SaaS | | | |
PaaS | | | |
IaaS | | | |
Question 4: [NOTE: Answer each part of the question in paragraph format. It is okay if your answers to this question spill into the next page due to the screen capture that I have included as a part of the question stem for part c.]
a. Describe two main differences between Java and JavaScript. (2 points)
b. Explain what an XML external entity is in your own words. Provide an example of XML code that uses an external entity. Explain how an XML external entities injection attack can be used to display the contents of the /etc/passwd file. (4 points)
c. Describe what flaw debt is in your own words. Provide 3 main takeaways from the chart provided below. (4 points)
Database Security – Issues and Best Practices
Outline
• Intro to Database Security
• Need for Database Security
• Database Security Fundamentals
• Database Security Issues
  • OWASP Top 10 – A1:2017 – Injection
  • OWASP Top 10 – A3:2017 – Sensitive Data Exposure
• Attacks against Database Security Mechanisms
• Database Security Best Practices
Intro to Database Security
• How does a web application work?
[Diagram: Client <-> Server, with the server side backed by a database]
Intro to Database Security (contd.)
• Database
  • A database is “an organized collection of structured information, or data, typically stored electronically in a computer system”
  • It includes the data, the DBMS, and the applications that use them
• Database Management Systems (DBMS)
  • A DBMS serves “as an interface between the database and its end users or programs, allowing users to retrieve, update, and manage how the information is organized and optimized”
Source: What is a Database – Oracle – https://www.oracle.com/database/what-is-database.html
Intro to Database Security (contd.)
• Database Management Systems (DBMS) (continued)
  • A DBMS also facilitates “oversight and control of databases, enabling a variety of administrative operations such as performance monitoring, tuning, and backup and recovery”
  • Types: relational, object-oriented, distributed, data warehouses, open source, cloud, autonomous, etc.
  • Examples: Oracle, SQL Server, MySQL, Microsoft Access, MariaDB, PostgreSQL, etc.
Source: What is a Database – Oracle – https://www.oracle.com/database/what-is-database.html
Intro to Database Security (contd.)
• Database Tutorial for Beginners – Lucidchart
Source: Lucidchart – Database Tutorial for Beginners – https://www.youtube.com/watch?v=wR0jg0eQsZA
Intro to Database Security (contd.)
• Database security refers to “the range of tools, controls, and measures designed to establish and preserve database confidentiality, integrity, and availability” (IBM, 2019)
• Database security involves protection of
  • The data in the database
  • The database management system (DBMS) itself
  • Any associated applications (including web applications)
  • The physical and/or virtual database server farms and their underlying hardware
  • The computing and/or network infrastructure used to access the database (IBM, 2019)
Intro to Database Security (contd.)
• Database security involves securing data
  • At rest
    • Using techniques such as encryption
    • Example: Amazon RDS uses 256-bit Advanced Encryption Standard (AES) to encrypt database instances, automated backups, and snapshots at rest
  • In flight
    • Using protocols such as Transport Layer Security (TLS)
    • Example: Amazon RDS supports TLS to encrypt the connection from the web application to a database instance running MySQL, MariaDB, SQL Server, Oracle, or PostgreSQL, protecting data in flight (the database must also be configured to require TLS; otherwise a client can still connect in clear text)
Need for Database Security
Need for Database Security
• As per Oracle (2022):
  • Data breaches are “happening everywhere these days, and hackers are getting more inventive. It’s more important than ever to ensure that data is secure but also easily accessible to users”
• As per IBM (2019), the consequences of data breaches include:
  • Compromised intellectual property
  • Damaged brand reputation
  • Loss of business continuity
  • Fines or penalties for non-compliance
  • Expenses related to repairing breaches
Need for Database Security (contd.)
• As per the IBM (2021) Cost of a Data Breach Report:
  • The average total cost of a data breach in 2021 was $4.24M
  • The highest country average cost of a data breach was $9.05M (United States)
  • The highest industry average cost of a data breach was $9.23M (healthcare)
  • The cost per lost or stolen record was $161
  • The average time to identify and contain a data breach was 287 days
Need for Database Security (contd.) •As per IBM (2021), the four cost components are:
Need for Database Security (contd.)
• Data breaches typically involve unauthorized access to company databases (Privacy Rights Clearinghouse, 2020)
Database Security Fundamentals
Database Security Fundamentals •Oracle Database Security – Oracle France
Source: Oracle France – Database Security – https://www.youtube.com/watch?v=GXF3T4g2tJg
Database Security Fundamentals (contd.)
• As per Oracle (2021), effective database security involves using the following preventive and detective security controls:
  • Transparent Data Encryption (TDE)
  • Encryption key management
  • Privileged user and multifactor access control
  • Data classification and discovery
  • Database activity monitoring and blocking
  • Consolidated auditing and reporting
  • Data masking
Database Security Fundamentals (contd.)
• Transparent Data Encryption (TDE)
  • Encrypts data in the database layer, which helps prevent attacks that bypass the database and read sensitive information directly from data files at the operating-system level, from database backups, or from database exports: a privileged OS user who can read those files sees only ciphertext, because the keys are held by the database and its wallet, not by the file system
Database Security Fundamentals (contd.)
• Transparent Data Encryption (TDE) (continued)
  • It is transparent because encryption and decryption happen inside the database: applications need no changes, and application users never handle encrypted data directly
  • It supports tablespace encryption and column encryption
Database Security Fundamentals (contd.)
• Encryption Key Management
  • TDE uses a two-tier key management architecture consisting of data encryption keys and a master encryption key
  • Because the master key only wraps the data encryption keys, the master key can be rotated without re-encrypting all of the sensitive data
  • Oracle Database 18c introduced support for Bring Your Own Key (BYOK)
  • Data encryption keys are managed automatically by the database
  • The master encryption key
    • Is used to encrypt the data encryption keys
    • Is stored and managed outside of the database, in an Oracle Wallet or in Oracle Key Vault
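The two-tier key architecture above, and the point that a privileged OS user who can read the datafile still cannot read the data, as an added example in Python. This is illustration code written for this page, not Oracle's TDE implementation. Because the Python standard library has no AES, the block uses HMAC-SHA256 as a PRF in counter mode plus an HMAC tag as a stand-in authenticated cipher; the Wallet, Database, tablespace names and the simulated OS user are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Stand-in cipher: HMAC-SHA256 as a PRF in counter mode, with an encrypt-then-MAC tag.
# Used only because the standard library lacks AES; real TDE uses AES.
def _subkeys(key: bytes):
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class Wallet:
    """Holds the master encryption key outside the database (models an Oracle Wallet / Key Vault)."""
    def __init__(self):
        self.master_key = secrets.token_bytes(32)

    def wrap(self, dek: bytes) -> bytes:
        return encrypt(self.master_key, dek)

    def unwrap(self, wrapped: bytes) -> bytes:
        return decrypt(self.master_key, wrapped)

class Database:
    """Models tablespace encryption: one DEK per tablespace, each DEK wrapped by the master key."""
    def __init__(self, wallet: Wallet):
        self.wallet = wallet
        self.wrapped_deks = {}   # tablespace -> DEK wrapped under the master key (kept inside the DB)
        self.datafiles = {}      # tablespace -> bytes as they sit on disk (what an OS user can read)

    def write(self, tablespace: str, plaintext: bytes) -> None:
        if tablespace not in self.wrapped_deks:
            self.wrapped_deks[tablespace] = self.wallet.wrap(secrets.token_bytes(32))
        dek = self.wallet.unwrap(self.wrapped_deks[tablespace])
        self.datafiles[tablespace] = encrypt(dek, plaintext)

    def read(self, tablespace: str) -> bytes:
        dek = self.wallet.unwrap(self.wrapped_deks[tablespace])
        return decrypt(dek, self.datafiles[tablespace])

    def rotate_master_key(self) -> None:
        # Only the small wrapped DEKs are re-encrypted; self.datafiles is never touched.
        deks = {ts: self.wallet.unwrap(w) for ts, w in self.wrapped_deks.items()}
        self.wallet.master_key = secrets.token_bytes(32)
        self.wrapped_deks = {ts: self.wallet.wrap(dek) for ts, dek in deks.items()}

def os_user_reads_datafile(db: Database, tablespace: str) -> bool:
    """Simulated privileged OS user: can read the raw datafile bytes but holds no wallet."""
    raw = db.datafiles[tablespace]
    try:
        decrypt(secrets.token_bytes(32), raw)   # a guessed key fails the authentication check
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    wallet, db = Wallet(), None
    db = Database(wallet)
    db.write("users", b"ssn=123-45-6789")          # constructed sample row
    on_disk = db.datafiles["users"]
    db.rotate_master_key()
    print("datafile unchanged after rotation:", db.datafiles["users"] == on_disk)
    print("database still reads plaintext:", db.read("users"))
    print("OS user recovers plaintext:", os_user_reads_datafile(db, "users"))
```

The rotation path is the part worth reading: after `rotate_master_key()` every wrapped DEK in the dictionary has changed, but the datafile bytes are identical, which is exactly why a two-tier scheme makes master-key rotation cheap.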
Database Security Fundamentals (contd.)
•Privileged User and Multifactor Access Control – Oracle Database Vault
Source: Oracle – Database Vault – https://www.youtube.com/watch?v=AomjVCdUp6k
Database Security Fundamentals (contd.)
• Data Classification and Discovery
  • Oracle Label Security enforces data access requirements and records data classification levels at the database row level
  • Automated discovery finds sensitive columns and parent-child relationships
  • The discovery process uses built-in, extensible patterns (such as credit card numbers and national identifiers) to check metadata and column data and identify sensitive columns
  • The discovery results are stored as an application data model, which is reusable across multiple databases
Database Security Fundamentals (contd.)
• Database Activity Monitoring and Blocking
  • Oracle Database Firewall provides a first line of defense for databases
Database Security Fundamentals (contd.)
• Consolidated Auditing and Reporting
  • Oracle Audit Vault consolidates audit data from databases, operating systems, and directories
Database Security Fundamentals (contd.)
• Data Masking
  • Oracle Data Masking provides a flexible option to discover, mask, and subset sensitive data, enabling the data to be safely shared across non-production environments
  • Non-production environments such as test and development systems are potential targets for a cyber attack because they generally contain copies of production data
  • Compliance costs are lowered because masked non-production databases are out of scope for audit teams
  • Sensitive data such as credit card numbers, national identifiers, and other personally identifiable information (PII) can be masked using predefined masking formats
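The discovery step from the Data Classification and Discovery slide and the masking step from the Data Masking slide, as one added Python example. This is illustration code written for this page, not Oracle Data Masking or its built-in patterns: the credit-card detector (13 to 19 digits that pass the Luhn check), the national-identifier pattern (US SSN layout), the 80% match threshold, the masking formats and the sample rows are all constructed for the example. The card masker keeps the first digit and the last four and repairs the Luhn check digit, so masked test data still validates in the application under test.

```python
import random
import re

# Constructed detector for a US-style national identifier (SSN layout).
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def _digits_only(value: str) -> str:
    return re.sub(r"[ -]", "", value)

def is_card(value: str) -> bool:
    digits = _digits_only(value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)

def is_national_id(value: str) -> bool:
    return SSN_RE.match(value) is not None

DETECTORS = {"credit_card": is_card, "national_id": is_national_id}

def discover(rows, threshold: float = 0.8):
    """Classify each column whose values mostly match a sensitive-data pattern."""
    if not rows:
        return {}
    model = {}
    for col in rows[0].keys():
        values = [str(r[col]) for r in rows]
        for label, detector in DETECTORS.items():
            if sum(detector(v) for v in values) / len(values) >= threshold:
                model[col] = label
                break
    return model

def _substitute_digits(original: str, new_digits: str) -> str:
    """Replace the digits of `original` in order, keeping spaces and hyphens where they were."""
    it = iter(new_digits)
    return "".join(next(it) if ch.isdigit() else ch for ch in original)

def mask_card(value: str, rng: random.Random) -> str:
    """Keep first digit and last four, randomise the middle, repair the Luhn check via digit 2."""
    digits = _digits_only(value)
    middle = "".join(str(rng.randrange(10)) for _ in range(len(digits) - 6))
    for adjust in "0123456789":
        candidate = digits[0] + adjust + middle + digits[-4:]
        if luhn_ok(candidate):
            return _substitute_digits(value, candidate)
    raise AssertionError("unreachable: one value of the adjust digit always restores the checksum")

def mask_national_id(value: str, rng: random.Random) -> str:
    """Keep the last four digits, randomise the rest, keep the layout."""
    new_digits = "".join(str(rng.randrange(10)) for _ in range(5)) + value[-4:]
    return _substitute_digits(value, new_digits)

MASKERS = {"credit_card": mask_card, "national_id": mask_national_id}

def mask_rows(rows, model, rng: random.Random):
    masked = []
    for r in rows:
        out = dict(r)
        for col, label in model.items():
            out[col] = MASKERS[label](str(r[col]), rng)
        masked.append(out)
    return masked

# Constructed sample rows (test card numbers, made-up identifiers).
SAMPLE_ROWS = [
    {"name": "Alice Smith", "card": "4111 1111 1111 1111", "ssn": "123-45-6789", "total": "42.10"},
    {"name": "Bob Jones",   "card": "5500-0000-0000-0004", "ssn": "987-65-4321", "total": "9.99"},
    {"name": "Carol Lee",   "card": "378282246310005",     "ssn": "555-12-3456", "total": "120.00"},
]

def demo(seed: int = 7):
    """Discover sensitive columns in the sample rows, then mask them with a seeded RNG."""
    model = discover(SAMPLE_ROWS)
    return model, mask_rows(SAMPLE_ROWS, model, random.Random(seed))

if __name__ == "__main__":
    model, masked = demo()
    print("discovered:", model)
    for row in masked:
        print(row)
```

`demo()` returns the discovered model (`{"card": "credit_card", "ssn": "national_id"}`) and the masked rows; the `name` and `total` columns pass through untouched because they match no detector.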
Database Security Issues
Database Security Issues
• Specific database security issues include:
  • Cloud database configuration errors
  • SQL injection
  • Weak authentication
  • Privilege abuse / excessive privileges
  • Inadequate logging / weak auditing
  • Unpatched services
  • Insecure system architecture
  • Inadequate backups
Source: BCS.org – The Chartered Institute for IT – https://www.bcs.org/articles-opinion-and-research/top-ten-database-attacks
Database Security Issues (contd.)
•OWASP Top 10 – A1:2017–Injection
Source: OWASP Top 10 2017 A1-Injection – https://owasp.org/www-project-top-ten/2017/A1_2017-Injection.html
Database Security Issues (contd.)
• Common database security vulnerabilities:
Source: OWASP Top 10 2017 A1-Injection – https://owasp.org/www-project-top-ten/2017/A1_2017-Injection.html
Database Security Issues (contd.)
•OWASP Top 10: SQL Injection – Security Innovation
Source: Security Innovation – OWASP Top 10: SQL Injection – https://www.youtube.com/watch?v=X34cKt8RfJs
Database Security Issues (contd.)
•OWASP Top 10 – A3:2017–Sensitive Data Exposure
Source: OWASP Top 10 2017 A3-Sensitive Data Exposure – https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure
Database Security Issues (contd.) •Common database security vulnerabilities:
Source: OWASP Top 10 2017 A3-Sensitive Data Exposure – https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure
Database Security Attacks
Database Security Attacks
• Most common database security attacks include:
Source: OWASP – Attacks – https://owasp.org/www-community/attacks/
Attack Type | Description
SQL Injection | An untrusted source uses an application’s user-input features to supply data that is used to dynamically construct a SQL query, allowing sensitive database data to be read
Denial of Service | Storing too much information in a user session object, such as large quantities of data retrieved from the database, can cause DoS issues
Brute Force | The attacker makes requests to a server using pre-configured values and then analyzes the responses
Ransomware | The attacker encrypts and locks the victim’s data and then demands a ransom to unlock and decrypt it
Database Security Attacks (contd.)
• As per IBM (2022), some of the most common database security attacks include:
Attack Type | Description
Insider Threats | Abuse of privileged access by a malicious insider, a negligent insider, or an infiltrator
Human Error | Accidents, weak passwords, password sharing, and other unwise or uninformed user behaviors
SQL Injection | Insertion of arbitrary SQL attack strings into database queries served by web applications
Buffer Overflow | A process attempts to write more data to a fixed-length block of memory than it is allowed to hold
Database Security Attacks (contd.) •Common database security attacks (continued):
Source: IBM – Database Security: An Essential Guide – https://www.ibm.com/cloud/learn/database-security
Attack Type | Description
DoS/DDoS | The attacker floods the database server with so many requests that the server can no longer fulfil legitimate requests from actual users
Malware | Software written specifically to exploit vulnerabilities or otherwise cause damage to the database
Attacks on Backups | Organizations fail to protect backup data with the same stringent controls used to protect the database itself
Database Security Best Practices
Database Security Best Practices
• OWASP recommends the following best practices:
  • Connect to the database securely
  • Prevent unencrypted traffic at the transport layer
  • Configure databases to always require authentication
  • Never store database credentials in the application source code, especially if they are unencrypted
  • Apply the principle of least privilege to the permissions assigned to database user accounts
  • Harden the underlying operating system of the database server
Source: OWASP – Database Security Cheat Sheet – https://cheatsheetseries.owasp.org/cheatsheets/Database_Security_Cheat_Sheet.html
Database Security Best Practices (contd.)
• Best practices to secure databases (as per IBM):
  • Consider physical security if the database is not in the cloud
  • Restrict the number of users, their permissions, and network access to the minimum levels necessary
  • Focus on end-user account and device security
  • Use best-in-class encryption to protect the data at rest and in transit
  • Keep the DBMS version up to date and apply patches as soon as they are issued
  • Use best practices for application/web server security
  • Secure backups, log all operations, and perform audits regularly
Source: IBM – Database Security: An Essential Guide – https://www.ibm.com/cloud/learn/database-security
Database Security Best Practices (contd.)
• Best practices to protect against SQL injection:
  • Primary defenses:
    • Use prepared statements with parameterized queries
    • Use stored procedures (only safe if the procedure itself does not build dynamic SQL from its inputs)
    • Allow-list input validation (the only option for parts of a statement that cannot be parameterized, such as table or column names)
    • Escape all user-supplied input (OWASP marks this a last resort: it is database-specific and easy to get wrong)
  • Additional defenses:
    • Enforce least privilege
    • Perform allow-list input validation as a secondary defense
Source: OWASP – SQL Injection Prevention Cheat Sheet – https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
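The SQL injection attack described in the Database Security Attacks table and three of the four primary defenses listed above (parameterized queries, allow-list validation, escaping), as an added Python example using the standard library's SQLite driver. This is illustration code written for this page, not OWASP's or any product's code; the `users` table, the sample accounts, the login functions and the `ALLOWED_SORT_COLUMNS` set are constructed for the example. Stored procedures are not shown because SQLite has none. Passwords are stored in clear only to keep the injection visible; a real application stores password hashes.

```python
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed sample data: in-memory SQLite, made-up accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn

# Vulnerable pattern: user input is pasted into the SQL text, so a quote or a
# comment marker in the input changes the structure of the query.
def login_vulnerable(conn, username: str, password: str):
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None

# Defense 1: prepared statement with parameterized query. The SQL text is fixed
# and the values travel separately, so they are never parsed as SQL.
def login_safe(conn, username: str, password: str):
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

# Defense 2: allow-list validation, for the place parameters cannot help:
# an identifier such as an ORDER BY column must come from a fixed set.
ALLOWED_SORT_COLUMNS = {"username", "role"}

def list_users(conn, sort_by: str):
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"sort column not allowed: {sort_by!r}")
    return [r[0] for r in conn.execute(f"SELECT username FROM users ORDER BY {sort_by}")]

# Defense 3: escaping user-supplied input (doubling single quotes, the SQL string
# literal rule). Shown for completeness; it is the option OWASP discourages.
def sql_quote(value: str) -> str:
    return "'" + value.replace("'", "''") + "'"

def login_escaped(conn, username: str, password: str):
    query = (f"SELECT username FROM users WHERE username = {sql_quote(username)} "
             f"AND password = {sql_quote(password)}")
    row = conn.execute(query).fetchone()
    return row[0] if row else None

# Classic payload: closes the string literal, adds an always-true condition,
# and comments out the password check.
PAYLOAD = "x' OR '1'='1' --"

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:", login_vulnerable(conn, PAYLOAD, "whatever"))   # logs in as alice
    print("parameterized:", login_safe(conn, PAYLOAD, "whatever"))      # None
    print("escaped:", login_escaped(conn, PAYLOAD, "whatever"))         # None
    print("sorted:", list_users(conn, "username"))
    try:
        list_users(conn, "username; DROP TABLE users")
    except ValueError as exc:
        print("rejected:", exc)
```

With the payload as the username, the vulnerable query becomes `... WHERE username = 'x' OR '1'='1' --' AND password = 'whatever'`, which matches every row and returns the first account. The parameterized and escaped versions compare the whole payload as a literal username and find nothing.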
Recap
• Database security issues continue to be among the OWASP Top 10 web application security risks
• This is due to weaknesses in database mechanisms such as dynamic queries, input validation, key management, access control, configuration, logging, auditing, backups, etc.
• Attackers are able to exploit these weaknesses using attacks such as SQL injection, DoS, brute force, ransomware, etc.
• Best practices to protect databases include understanding what types of data need to be protected, understanding regulatory compliance, discovering and classifying databases based on data sensitivity, and using data masking, monitoring, auditing, encryption, access control, parameterized queries, stored procedures, allow-list input validation, hardening, etc.
Browser Security – Issues and Best Practices
Outline
• Intro to Browser Security
• Need for Browser Security
• Browser Security Fundamentals
• Browser Security Issues
  • OWASP Top 10 – A7:2017 – Cross-Site Scripting (XSS)
  • OWASP Top 10 – A3:2017 – Sensitive Data Exposure
• Attacks against Browser Security Mechanisms
• Browser Security Best Practices
Intro to Browser Security
• How does a web application work?
[Diagram: Client <-> Server, with the client side being the browser]
Intro to Browser Security (contd.)
• Browser
  • A browser is “an application that finds and displays web pages”
  • It coordinates communication between your computer and the web server where a particular website “lives” by:
    • Accepting a website address as a URL
    • Submitting a request to the server to retrieve the content for the page
    • Processing the code (HTML, CSS, JavaScript, etc.) from the server
    • Loading active content (Flash, ActiveX, etc.) needed by the page
    • Displaying the complete, formatted web page
    • Repeating the process for every user interaction with the page
Source: Understanding Your Computer: Web Browsers – U.S. CERT – https://www.cisa.gov/uscert/ncas/tips/st04-022
Intro to Browser Security (contd.)
• Examples: Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari, Opera, etc.
• Browser market share as of February 2022: [chart]
Source: Global Web Stats – W3Counter– https://www.w3counter.com/globalstats.php
Intro to Browser Security (contd.)
• Browser security refers to “how differences in design and implementation of various security technologies in modern web browsers might affect their security” (X41 Browser Security White Paper, 2017, pg. 8)
• Browser security involves the following:
  • Protection against common client-side attacks
  • Protection against phishing
  • Management of browser extensions
  • Use of adequate cryptographic protocols
Source: X41 Browser Security White Paper – https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf
Intro to Browser Security (contd.) • Bro