Question

Submit your Term Project Paper with required content below.

Write on any topic related to technology security. It must produce a minimum of a 10 pages paper and must use a minimum of 5 references. You must use a minimum of one graphics (may use a table)

Note*: Please make sure it should contain alteast 10 pages and 5 references and 1 grahics

Answer 1

DATABASE SECURITY

All organizations-public, governmental or private, small or large-depend on computerized information systems for carrying out their daily activity. At the heart of each such information system, there is a database. At a very general level, we can define a database as a persistent collection of related data, where data are facts that have an implicit meaning. For instance, an employee's name, social security number, or date of birth are all facts that can be recorded in a database. Typically, a database is built to store logically interrelated data representing some aspects of the real world, which must be collected, processed, and made accessible to a given user population. The database is constructed according to a data model which defines the way in which data and interrelationships between them can be represented. The collection of software programs that provide the functionalities for defining, maintaining, and accessing data stored in a database is called a database management system (DBMS).

Since ultimately a database is mapped to (i.e., stored as) files of the underlying operating system, one may think that a DBMS does not need to deal with security as security functionalities of the operating system would suffice. This is not true, however, since at the operating system level the data interrelationships and their semantics are lost and therefore security restrictions exploiting concepts of the data model cannot be enforced. Some of the differences between databases and operating systems that make it necessary for a DBMS to support security features are as follows. Protection level: A DBMS usually needs to protect data at a fine granularity level (e.g., a record of a file), while an operating system protects data at the file level. Object differences: There is a greater variety of object types in a DBMS than in an operating system. The typical object type in an operating system is a file; in a DBMS there can be relations (tables), tuples (rows within a table), attributes (columns within a table), indexes, metadata, and others. Data interrelationships: A database may include many logical objects with complex semantic interrelationships that must be protected. By contrast, the number of physical objects that the operating system protects is less and no semantic interrelationships are supported. Dynamic versus static objects: Data objects in a DBMS can be obtained by dynamically aggregating data from different physical objects in an operating system. By contrast, files tend to be more static making their protection easier. Lifetime of data: The lifetime and frequency of access of data in a DBMS is quite different than the lifetime of data stored as files in an operating system. User views of data: While in an operating system, users are either granted or denied access to data (files), in a DBMS it is possible to give access to a portion of an object by defining different views for different users. Because of these differences, it is clear that some security requirements must be supported by the DBMS itself. Of course, the DBMS can rely on basic security services 86 provided by the underlying operating system. Typical security services provided by the operating system that can be exploited by the DBMS are physical security controls, authentication and auditing. Physical security protects against intentional or accidental threats, like fire or natural disasters. Physical security measures also control the physical access to the computer system on which the database is hosted. Examples of physical measures are the use of locks, security guards, badges, and alarms. Authentication is a means of verifying the identity of a party to another, and is a prerequisite for DBMS security controls to ensure that the correct identity of users is being considered (i.e., users are who they claim to be). The simplest form of authentication is based on the use of passwords: users state their identity with a login identifier and provide a secret password. Finally, auditing is the post facto evaluation of a system's activities, which must therefore be properly logged. Auditing services can be used to perform online analysis to determine possible security violations and to recover the correct state of the database in the case integrity has been compromised

Network Security Network security refers to any activity designed to protect your network. Specifically, these activities protect the usability, reliability, integrity and safety of your network and data. Effective network security targets a variety of threats and stops them from entering or spreading on your network. No single solution protects you from a variety of threats. You need multiple layers of security. If one fails, others still stand. Network security is accomplished through hardware and software. The software must be constantly updated and managed to protect you from emerging threats. Wireless networks, which by their nature, facilitate access to the radio, are more vulnerable than wired networks and need to encrypt communications to deal with sniffing and continuously checking the identity of the mobile nodes. The mobility factor adds more challenges to security, namely monitoring and maintenance of secure traffic transport of mobile nodes. This concerns both homogenous and heterogenous mobility (inter-technology), the latter requires homogenization of the security level of all networks visited by the mobile. From the terminal’s side, it is important to protect its resources (battery, disk, CPU) against misuse and ensure the confidentiality of its data. In an ad hoc or sensor network, it becomes essential to ensure terminal’s integrity as it plays a dual role of router and terminal. The difficulty of designing security solutions that could address these challenges is not only to ensure robustness faced with potential attacks or to ensure that it does not slow down communications, but also to optimize the use of resources in terms of bandwidth, memory, battery, etc. More importantly, in this open context the wireless network is to ensure anonymity and privacy, while allowing traceability for legal reasons. Indeed, the growing need for traceability is now necessary for the fight against criminal organizations and terrorists, but also to minimize the plundering of copyright. It is therefore facing a dilemma of providing a network support of free exchange of information while controlling the content of the communication to avoid harmful content. Actually, this concerns both wired and wireless networks. All these factors influence the selection and implementation of security tools that are guided by a prior risk assessment and security policy. Finally, we are increasingly thinking about trust models in the design of secured systems, that should offer higher level of trust than classical security mechanisms, and it seems that future networks should implement both models: security and trust models. In fact, if communication nodes will be capable of building and maintaining a predefined trust level in the network, then the communication system will be trustable all the time, thus allowing a trusted and secure service deployment. However, such trust models are very difficult to design and the trust level is generally a biased concept presently. It is very similar to the human based trust model. Note that succeeding in building such trust models will allow infrastructure based networks but especially infrastructure-less or self-organized networks such as ad hoc sensors to be trusted enough to deploy several applications. This will also have an impact on current business models where the economic model would have to change in order to include new players in the telecommunication value chain A network security system usually consists of many components. Ideally, all components work together, which minimizes maintenance and improves security.

Network security components often include:

· Firewall to block unauthorized access to your network

· Intrusion Prevention Systems (IPS) to identify fast-spreading threats, such as zero-day

· or zero-hour attacks Virtual Private Networks (VPNs) to provide secure remote access

· Communication security

· Anti-virus and anti-spyware

Application Security

Application security (AppSec) is the use of software, hardware and procedural methods to protect applications from external threats. AppSec is the operational solution to the problem of software risk. AppSec helps identify, fix and prevent security vulnerabilities in any kind of software application irrespective of the function, language or platform. As a best practice, AppSec employs proactive and preventative methods to manage software risk, and align an organization’s security investments with the reality of today’s threats.

It has three distinct elements:

1) measurable reduction of risk in existing applications

2) prevention of introduction of new risks

3) compliance with software security mandates

A software vulnerability can be defined as a programmatic function that processes critical data in an insecure way. These “holes” in an application can be exploited by a hacker, spy or cybercriminal as an entry point to steal sensitive, protected or confidential data.

The severity and frequency of cyber-attacks is increasing which is making the practice of AppSec important. AppSec as a discipline is also becoming more complex the variety of business software continues to proliferate. Here are some of the reasons why (and see if these sound familiar): Today’s enterprise software comes from a variety of sources –

• in-house development teams,
• commercial vendors,
• outsourced solution providers, and
• open source projects.

Software developers have an endless choice of programming languages to choose from – Java, .NET, C++, PHP and more. Applications can be deployed across myriad platforms – installed to operate locally, over virtual servers and networks, accessed as a service in the cloud or run on mobile devices. AppSec products must provide capabilities for managing security risk across all of these options as each of these development and deployment options can introduce security vulnerabilities. An effective software security strategy addresses both immediate and systemic risk. The Application Security market has reached sufficient maturity to allow organizations of all sizes to follow a well-established roadmap: Begin with software security testing to find and assess potential vulnerabilities:

• Follow remediation procedures to prioritize and fix them.
• Train developers on secure coding practices.
• Leverage ongoing threat intelligence to keep up-to-date.
• Develop continuous methods to secure applications throughout the development life

Communications Security

Communications Security (COMSEC) ensures the security of telecommunications confidentiality and integrity – the two information assurance (IA) pillars. Generally, COMSEC may refer to the security of any information that is transmitted, transferred or communicated. There are five COMSEC security types:

• Cryptosecurity: This encrypts data, rendering it unreadable until the data is decrypted.
• Emission Security (EMSEC): This prevents the release or capture of emanations from equipment, such as cryptographic equipment, thereby preventing unauthorized interception.
• Physical Security: This ensures the safety of, and prevents unauthorized access to, cryptographic information, documents and equipment.
• Traffic-Flow Security: This hides messages and message characteristics flowing on a network. Transmission Security (TRANSEC): This protects transmissions from unauthorized access, there by preventing interruption and harm.                                                        

DATA LEAKAGE

Definition:

Data Leakage is the unauthorized transmission of data (or information) from within an organization to an external destination or recipient. This may be electronic, or may be via a physical method. Data Leakage is synonymous with the term Information Leakage. The reader is encouraged to be mindful that unauthorized does not automatically mean intentional or malicious. Unintentional or inadvertent data leakage is also unauthorized.

Definition: Data leakage is defined as the accidental or unintentional distribution of private or sensitive data to an unauthorized entity. Sensitive data in companies and organizations include intellectual property (IP), financial information, patient information, personal credit-card data, and other information depending on the business and the industry.

Data leakage poses a serious issue for companies as the number of incidents and the cost to those experiencing them continue to increase. Data leakage is enhanced by the fact that transmitted data (both inbound and outbound), including emails, instant messaging, website forms, and file transfers among others, are largely unregulated and unmonitored on their way to their destinations. Furthermore, in many cases, sensitive data

The potential damage and adverse consequences of a data leakage incident can be classified into two categories: direct and indirect losses. Direct losses refer to tangible damage that is easy to measure or to estimate quantitatively. Indirect losses, on the other hand, are much harder to quantify and have a much broader impact in terms of cost, place, and time [Bunker, 2009]. Direct losses include violations of regulations (such as those protecting customer privacy) resulting in fines, settlements or customer compensation fees; litigation involving lawsuits; loss of future sales; costs of investigation and remedial or restoration fees. Indirect losses include reduced share price as a result of negative publicity; damage to a company’s goodwill and reputation; customer abandonment; and exposure of intellectual property (business plans, code, financial reports, and meeting agendas) to competitors. Data leakage can occur in many forms and in any place. In a 2009 Data Breach Investigation Report (by the Verizon Business RISK team), 90 data breaches occurring in 2008 were analyzed. In addition to the significant number of compromised records (285 million), the investigation revealed other interesting aspects of this problem as well. One of the most intriguing aspects revealed by the compiled data is that most breaches have been caused by external parties (74%). However, the number of breaches resulting exclusively from the actions of insiders is still significant (20%). Incidents in which business partners have been involved account for 32% of the total. According to the nonprofit consumer organization Privacy Rights Clearinghouse, a total of 227,052,199 individual records containing sensitive personal information were involved in security breaches in the United States between January 2005 and May 2008.

DATA LEAKAGE THREATS The above sample also indicates that enterprises should broaden the focus of their security efforts beyond merely securing network perimeters and internal hosts from classic threats i.e., viruses, Trojan horses, worms, D/DoS attacks and intrusions.

Classified into two types:

1. Internal threats

2. External threats.

INTERNAL THREATS

According to data compiled from EPIC.org and PerkinsCoie.com, 52% of Data Security breaches are from internal sources compared to the remaining 48% by external hackers. The noteworthy aspect of these figures is that, when the internal breaches are examined, the percentage due to malicious intent is remarkably low, at less than 1%. The corollary of this is that the level of inadvertent data breach is significant (96%). This is further deconstructed to 46% being due to employee oversight, and 50% due to poor business process.

INTENTIONAL INTERNAL DATA LEAKAGE OR SABOTAGE

Whilst the data presented suggests the main threat to internal data leakage is from inadvertent actions, organizations are nevertheless still at risk of intentional unauthorized release of data and information by internal users. The methods by which insiders leak data could be one or many, but could include mediums such as Remote Access; Instant Messaging; email; Web Mail; Peer-to-Peer; and even File Transfer Protocol. Use of removable media, hard copy, etc is also possible. Motivations are varied, but include reasons such as corporate espionage, financial reward, or a grievance with their employer. The latter appears to be the most likely. According to a study conducted by The US Secret Service and CERT, 92% of insider related offences was following a “negative work-related event”. Of these, the offenders were predominantly male (96%) and the majority held technical roles (86%). Whilst the consequences of these attacks related not just to data, of the attacks studied, 49% included the objective of “sabotaging information and/or data”. An example of such an attack is described in the USSS/CERT study as follows, note how the characteristics match the findings above (highlighted in bold): “An application developer, who lost his IT sector job as a result of company downsizing, expressed his displeasure at being laid off just prior to the Christmas holidays by launching a systematic attack on his former employer’s computer network. He also sent each of the company’s customers an email message advising that the Web site had been hacked. Each email message also contained the customer’s usernames and passwords for the Web site.”

UNINTENTIONAL INTERNAL DATA LEAKAGE

A significant amount of data security breaches are due to either employee oversight or poor business process. This presents a challenge for businesses as the solution to these problems will be far greater than simply deploying a secure content management system. Business processes will need to be examined, and probably reengineered; personnel will need to be retrained, and a cultural change may be required within the organization. These alone are significant challenges for a business. A recent example of what is probably unintentional featured an Australian employment agency’s web site publishing “Confidential data including names, email addresses and passwords of clients” from its database on the public web site. An additional embarrassing aspect of this story was the fact that some of the agency’s staff made comments regarding individuals, which were also included. For instance, “a client is referred to as a ‘retard’ and in another a client is called a ‘lazy good for nothing’”. This alone raises the possibility of legal action from those clients.

INTERNAL DATA LEAKAGE VECTORS

INSTANT MESSAGING / PEER-TO-PEER

· Many organizations allow employees to access Instant Messaging from their workstations or laptops, with a 2005 estimate suggesting 80% of large companies in the US having some form of Instant Messaging. This includes products such as MSN Messenger; Skype; AOL; GoogleTalk; ICQ; and numerous others. Many of the clients available (and all of those mentioned here) are capable of file transfer. It would be a simple process for an individual to send a confidential document (such as an Excel file containing sensitive pricing or financial data) to a third party. Equally a user could divulge confidential information in an Instant Messaging chat session.

EXTERNAL THREATS According to the Privacy Rights Clearinghouse, in 2005 US companies exposed the personal information of over 53 million people.

DATA THEFT BY INTRUDERS· An ever-popular topic in the media is the electronic break-in to an organization by intruders including the theft of sensitive information. There have been numerous stories in the press of the theft of credit card information by intruders (note that the press often refer to intruders as hackers). In 2005 it was estimated that as many as 40 Million credit card numbers were stolen by intruders from MasterCard, VISA, American Express, and other credit card brands. More recently, Monster.com lost hundreds of thousands (potentially as many as 1.3 million) of job site users’ IDs to intruders “…hackers grabbed resumes and used information on those documents to craft personalized "phishing" e-mails to job seekers.” This particular event holds significant concern, because resumes contain a significant amount of information about an individual, including their full name, address, phone number(s), employment history, interests, and possibly contact details of third parties, such as referees. This allows for particularly targeted, and if crafted well, believable phishing attacks, or perhaps even more audacious social engineering attacks such as phone calls. Another scenario to consider is that phishers may start developing fraudulent employment web sites, and attempt to attract users to send their resumes directly to them. This is slightly outside the scope of this paper however it is important that this possibility is pointed out, as I believe it is a vector yet to emerge.

SQL INJECTION· Web sites that use an SQL server as the back end database may be vulnerable to SQL Injection attacks, if they fail to correctly parse user input. This is usually a direct result of poor coding. SQL Injection attacks can result in content within the database being stolen. For example, a site that does not correctly sanitize user input may cause a server error to occur. For example: The initial action of the attack could be to enter a single quote within the input data in a POST element on a website, which may generate an SQL statement as follows: SELECT info FROM table WHERE search = ‘mysearch’’ Note the additional quote mark. Should the application not sanitize the user input correctly a server error may occur. This indicates to the attacker that the user input is not being sanitized and that the site is vulnerable to further exploitation. Further trial and error by the attacker could eventually reveal table names, field names, and other information, that, once obtained, will allow them to construct an SQL query within the POST element that yields sensitive data

MALWARE

· In recent years, the SirCam worm would, after infecting a computer, scan through the My Documents folder and send a file at random out via email to the user’s email contacts. If malware is classified as a zero day threat, and there is no signature yet available, there is a higher likelihood that the malware will evade inbound gateway protection measures and desktop anti-virus. Once this malware infects a PC, it may then initiate outbound communications, potentially sending out files which may contain sensitive data. One aspect to be mindful of is that to a firewall, the traffic is from an 69 internal source. This is an important point, because most firewalls will not restrict traffic that is initiated internally via an acceptable protocol.

                                                                       

Reference: Security Analyst Student HandBook-Student Handbook-Security Analyst SSC/N0901 https://en.wikipedia.org/wiki/Information_security https://www.cso.com.au/article 632864/technology-security-trends-2018 https://en.wikipedia.org/wiki/Network_security