Johnson County Community College
Cyber Security:
A Brief Overview for Programmers
David Chaponniere
CIS-264
Professor Angela Sunderland
October 10, 2016
Page | 1
Cyber Security: A Brief Overview for Programmers
David Chaponniere
Executive Summary
Cyber Security is still a relatively new term for the protection of data and information stored electronically. With the steady rise of the “Internet of Things”, a network of everyday devices, appliances, clothing, automobiles, and other objects equipped with computer chips that can collect or transmit data through an Internet connection, it is increasingly difficult to protect user data. In mid-2015, Cisco Systems Inc. estimated that there were already 15.7 billion devices connected to the Internet, including mobile phones, parking meters, thermostats, cardiac monitors, tires, roads, cars, supermarket shelves, and many other types of objects (ITU). Allied Business Intelligence Research Inc. predicts that “The number of devices will more than double from the current level, with 40.9 billion forecasted for 2020”. Most of the newly connected devices are expected to be non-traditional connections, as principal analyst Aapo Markkanen remarked: “…smartphones, PCs, and other ‘hub’ devices represent still 44% of the active total, but by end-2020 their share is set to drop to 32%. In other words, 75% of the growth between today and the end of the decade will come from non-hub devices: sensor nodes and accessories.” (ABIresearch). As the number of potentially vulnerable devices on which a user may store that information grows, protecting the user’s privacy and data from attack is vital if these devices are to be a safe enhancement to the user’s daily life.
Types of Attacks
For a programmer or web developer, the possibility that someone will attempt to gain unauthorized access to the information stored in a database, or force an application to behave in ways not intended, is a very real threat. A non-secure application or website puts its users at risk of losing valuable data and confidential information. Understanding how application attacks work is critical for developers to build defenses right into their applications.
One organization that helps programmers and developers understand the risks, the types of attacks, and ways to prevent those attacks is the Open Web Application Security Project (OWASP). The OWASP Foundation was first formed in late 2001, and in 2004 it established itself as a 501(c)(3) nonprofit organization in the United States. The goal of OWASP is to support developers with free, open source educational materials that make more developers aware of security threats and how to prevent them.
Some examples of the currently known threats that OWASP and other organizations are helping to eliminate include (Ionescu):
Un-validated Redirects and Forwards – this is more commonly referred to as a “phishing attack”, which tricks the user into navigating to a malicious site. Attackers are able to manipulate the URLs of a trusted site so that they redirect to an unwanted location.
A Developer Uses a Component with Known Vulnerabilities – developers should be careful about using unpatched third-party components that may contain security bugs or flaws. These flaws are well known to attackers, as the vulnerabilities are often publicized or discussed in the media.
Cross-Site Request Forgery – this type of attack is typically used in conjunction with social engineering (tricking users into performing a specific action without knowing what they are doing); it can allow an attacker to gain control over a user’s system or obtain access to sensitive information.
Missing Function Level Access Control – with this type of attack, an application is vulnerable because it does not require authenticated users or administrator accounts for privileged functions, which allows unauthenticated users to access hidden functionality or take control of the application. It can also result from a developer not using strong enough passwords and authentication controls to limit access to the website or application.
Sensitive Data Exposure – something as simple as a lack of encryption on a website or application can leave it open to attackers. Passwords and logins that are sent as plain text are easy for an attacker to capture and use to commit crimes. Proper protection of not only the user’s information but also that of the application itself is equally important.
Security Misconfiguration – a misconfiguration on the server or in the application itself can leave it open to attacks, and it falls on the developer to ensure that the proper security measures are in place so that users who access the application are safe.
Insecure Direct Object References – this occurs most commonly when the application provides direct access to objects (e.g. strings, files in the system, or database records). This allows an attacker to bypass authorization and access the resources directly.
Cross-Site Scripting – in this type of attack the attacker is able to insert JavaScript directly into the pages of a trusted website, and in so doing is able to modify the contents of the entire website to whatever they choose.
Broken Authentication and Session Management – without properly configured security measures, an application or website is left open to attacks.
Injection – allows an attacker to modify the back-end database through code that is not checked for errors by the application. By doing so the attacker is able to copy or access restricted data without authorization. Currently, injection is one of the most popular forms of web attack.
Distributed Denial of Service (DDoS) – a simple yet extremely effective form of attack, the denial of service attack is focused on making the website unavailable by making more requests than the website or server can respond to. In this way a DDoS attack overwhelms the site and renders it unusable.
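The Un-validated Redirects and Forwards item above says attackers manipulate a trusted site's URLs, but not what a check looks like. The following is an added example, not code from the paper: a Python validator for a user-supplied `next` parameter that only ever hands back a same-site path. The hostname app.example.com and the `next` parameter name are assumptions.

```python
"""Validating a user-supplied redirect target against an allowlist.

Added example; not code from the paper. Assumes the application lives at
app.example.com (constructed hostname) and reads the destination of a
post-login redirect from a `next` query parameter.
"""
from urllib.parse import urljoin, urlparse

# Hosts this application is allowed to redirect to (constructed).
ALLOWED_HOSTS = {"app.example.com"}
OWN_ORIGIN = "https://app.example.com/"
SAFE_FALLBACK = "/"


def safe_redirect_target(next_param, allowed_hosts=ALLOWED_HOSTS, base=OWN_ORIGIN):
    """Return a same-site path to redirect to, or SAFE_FALLBACK if `next_param`
    is unsafe.

    Rejected: non-http(s) schemes (javascript:, data:), absolute URLs whose host
    is not on the allowlist, scheme-relative URLs (//evil.example), userinfo
    tricks (https://app.example.com@evil.example), and backslashes or control
    characters, which some browsers normalise into slashes.
    """
    if not next_param or not isinstance(next_param, str):
        return SAFE_FALLBACK
    candidate = next_param.strip()
    if any(ord(ch) < 0x20 for ch in candidate) or "\\" in candidate:
        return SAFE_FALLBACK
    # Resolve against our own origin: "/account" becomes our host, while
    # "//evil.example/x" becomes an absolute URL whose host we can inspect.
    resolved = urlparse(urljoin(base, candidate))
    if resolved.scheme not in ("http", "https"):
        return SAFE_FALLBACK
    # urlparse().hostname already strips userinfo and port and lowercases.
    if resolved.hostname is None or resolved.hostname not in allowed_hosts:
        return SAFE_FALLBACK
    path = resolved.path or "/"
    if not path.startswith("/"):
        return SAFE_FALLBACK
    # Rebuild the target from parsed parts rather than echoing the raw input.
    target = path
    if resolved.query:
        target += "?" + resolved.query
    return target


if __name__ == "__main__":
    for sample in ["/account?tab=1", "//evil.example/login", "javascript:alert(1)"]:
        print(repr(sample), "->", safe_redirect_target(sample))
```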
This list is only a brief one; every year more vulnerabilities are discovered and used by attackers to gain unauthorized access to applications and websites. Symantec Corporation, the leading provider of antivirus in the United States, found security vulnerabilities in three quarters of all websites in use today:
“There were over one million web attacks against people each day in 2015.
Cybercriminals continue to take advantage of vulnerabilities in legitimate
websites to infect users, because website administrators fail to secure their
websites. Nearly 75 percent of all legitimate websites have unpatched
vulnerabilities, putting us all at risk.” (Symantec).
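For the Injection item above, this added example (not from the paper) puts the string-built query beside its parameterized replacement. It uses Python's built-in sqlite3 with a constructed users table, so it runs offline; the table and its rows are assumptions.

```python
"""Injection: string-built SQL beside its parameterized replacement.

Added example; not code from the paper. The users table and its two rows
are constructed sample data held in an in-memory SQLite database.
"""
import sqlite3


def make_db():
    """Build a throwaway users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "id INTEGER PRIMARY KEY, username TEXT, email TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, is_admin) VALUES (?, ?, ?)",
        [("alice", "alice@example.com", 1), ("bob", "bob@example.com", 0)],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    """The defect the paper describes: the input is pasted into the SQL text,
    so the application never checks it and a quote character in the value
    changes the meaning of the query (it may match every row, not one)."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Parameterized query: the SQL text is fixed and the value travels
    separately as data, so it can only ever be compared, never parsed."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def rows_returned(lookup, username):
    """Helper for comparing the two lookups on the same input."""
    return len(lookup(make_db(), username))


if __name__ == "__main__":
    tautology = "' OR '1'='1"  # the textbook input that breaks out of the quotes
    print("vulnerable:", rows_returned(lookup_user_vulnerable, tautology), "rows")
    print("safe:      ", rows_returned(lookup_user_safe, tautology), "rows")
```

The safe version returns no rows for that input because no user is literally named `' OR '1'='1`; the vulnerable version returns every user.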
Figure: Web attacks blocked per day.
Preventing Attacks
Education is one of the most important ways to improve Cyber Security. Developers should actively seek out information on the latest security trends and ensure that the applications they create are compliant. Keeping in mind how quickly new threats can arise and how long it takes to secure a vulnerable system, it is critical that developers continuously look at current trends and stay up to date on new technology standards.
Developers should also actively keep their code up to date. This is especially important if the developer is using third-party software, to ensure they are using the latest patched code from the third party. This applies to the server operating system and to any code used by the application, such as HTML, CSS, ASP, .NET, and JavaScript. When security flaws are announced or discovered, the key is to patch the application quickly to secure it.
Developers should test all code for security flaws before deploying it in a live environment. This is widely considered a best practice for ensuring the application remains secure. Using an independent resource to test the code for compliance and security is an option that many companies and developers use. Using encryption and restricting access to sensitive parts of the code is essential to ensuring the code remains safe while in production and cannot be used for malicious attacks on users.
Summary
Developers are ultimately responsible for the code, application, or website that they create, and ensuring that their intended users do not come under attack while using their application is a crucial part of creating an overall successful application. Staying up to date on current technology standards and trends through continuous education is a key component of Cyber Security. Learning how an attacker can use the code against users will help to close any unintended backdoors and prevent attacks before they occur. Supporting a culture of security within an organization can raise awareness of Cyber Security and foster a more secure Internet for users to enjoy. Maintaining high quality, secure code will keep attackers from gaining access to sensitive information or exploiting the code to act in ways it was not intended. Securing applications while they are being developed, and having developers with a security-first mindset, can mean the difference between a new viral success and a huge financial embarrassment.
Bibliography
Biggs, Phillippa, ITU, et al. “Harnessing the Internet of Things for Global Development”, p. 11. https://www.itu.int/en/action/broadband/Documents/Harnessing-IoT-Global-Development.pdf
Markkanen, Aapo, ABIresearch. https://www.abiresearch.com/press/the-internet-of-things-will-drive-wireless-connect/
Ionescu, Paul. “The 10 Most Common Application Attacks in Action”, April 8, 2015. https://securityintelligence.com/the-10-most-common-application-attacks-in-action/
Symantec. “Threat Report”. https://www.symantec.com/security-center/threat-report
OWASP. “Main Page”. https://www.owasp.org/index.php/About_OWASP

More Related Content

What's hot

What’s the State of Your Endpoint Security?
What’s the State of Your    Endpoint Security?What’s the State of Your    Endpoint Security?
What’s the State of Your Endpoint Security?IBM Security
 
The Future of Cybersecurity - October 2015
The Future of Cybersecurity - October 2015The Future of Cybersecurity - October 2015
The Future of Cybersecurity - October 2015Security Innovation
 
A Review paper on Securing PHP based websites From Web Application Vulnerabil...
A Review paper on Securing PHP based websites From Web Application Vulnerabil...A Review paper on Securing PHP based websites From Web Application Vulnerabil...
A Review paper on Securing PHP based websites From Web Application Vulnerabil...Editor IJMTER
 
Next-level mobile app security: A programmatic approach
Next-level mobile app security: A programmatic approachNext-level mobile app security: A programmatic approach
Next-level mobile app security: A programmatic approachNowSecure
 
Final presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planFinal presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planCameron Forbes Over
 
Gaining A Foothold
Gaining A FootholdGaining A Foothold
Gaining A FootholdClaranet UK
 
How Does a Data Breach Happen?
How Does a Data Breach Happen? How Does a Data Breach Happen?
How Does a Data Breach Happen? Claranet UK
 
Web application firewall solution market
Web application firewall solution marketWeb application firewall solution market
Web application firewall solution marketSameerShaikh225
 
Risks and Security of Internet and System
Risks and Security of Internet and SystemRisks and Security of Internet and System
Risks and Security of Internet and SystemParam Nanavati
 
Failed Ransom: How IBM XGS Defeated Ransomware
Failed Ransom: How IBM XGS Defeated RansomwareFailed Ransom: How IBM XGS Defeated Ransomware
Failed Ransom: How IBM XGS Defeated RansomwareIBM Security
 
ICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security GovernanceICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security GovernanceCharles Lim
 
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)Solving the Asset Management Challenge for Cybersecurity (It’s About Time)
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)Enterprise Management Associates
 
edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) Eoin Keary
 
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...IBM Security
 
Turning the Tables on Cyber Attacks
Turning the Tables on Cyber AttacksTurning the Tables on Cyber Attacks
Turning the Tables on Cyber Attacks- Mark - Fullbright
 
An Assessment of Intrusion Detection System IDS and Data Set Overview A Compr...
An Assessment of Intrusion Detection System IDS and Data Set Overview A Compr...An Assessment of Intrusion Detection System IDS and Data Set Overview A Compr...
An Assessment of Intrusion Detection System IDS and Data Set Overview A Compr...ijtsrd
 
Whitepaper - CISO Guide_6pp
Whitepaper - CISO Guide_6ppWhitepaper - CISO Guide_6pp
Whitepaper - CISO Guide_6ppEric Zhuo
 
Top 5 Cybersecurity Risks in Banking
Top 5 Cybersecurity Risks in BankingTop 5 Cybersecurity Risks in Banking
Top 5 Cybersecurity Risks in BankingSeqrite
 
The State Of Information and Cyber Security in 2016
The State Of Information and Cyber Security in 2016The State Of Information and Cyber Security in 2016
The State Of Information and Cyber Security in 2016Shannon G., MBA
 

What's hot (20)

What’s the State of Your Endpoint Security?
What’s the State of Your    Endpoint Security?What’s the State of Your    Endpoint Security?
What’s the State of Your Endpoint Security?
 
The Future of Cybersecurity - October 2015
The Future of Cybersecurity - October 2015The Future of Cybersecurity - October 2015
The Future of Cybersecurity - October 2015
 
A Review paper on Securing PHP based websites From Web Application Vulnerabil...
A Review paper on Securing PHP based websites From Web Application Vulnerabil...A Review paper on Securing PHP based websites From Web Application Vulnerabil...
A Review paper on Securing PHP based websites From Web Application Vulnerabil...
 
Next-level mobile app security: A programmatic approach
Next-level mobile app security: A programmatic approachNext-level mobile app security: A programmatic approach
Next-level mobile app security: A programmatic approach
 
Final presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planFinal presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit plan
 
Gaining A Foothold
Gaining A FootholdGaining A Foothold
Gaining A Foothold
 
How Does a Data Breach Happen?
How Does a Data Breach Happen? How Does a Data Breach Happen?
How Does a Data Breach Happen?
 
Web application firewall solution market
Web application firewall solution marketWeb application firewall solution market
Web application firewall solution market
 
Risks and Security of Internet and System
Risks and Security of Internet and SystemRisks and Security of Internet and System
Risks and Security of Internet and System
 
Failed Ransom: How IBM XGS Defeated Ransomware
Failed Ransom: How IBM XGS Defeated RansomwareFailed Ransom: How IBM XGS Defeated Ransomware
Failed Ransom: How IBM XGS Defeated Ransomware
 
ICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security GovernanceICION 2016 - Cyber Security Governance
ICION 2016 - Cyber Security Governance
 
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)Solving the Asset Management Challenge for Cybersecurity (It’s About Time)
Solving the Asset Management Challenge for Cybersecurity (It’s About Time)
 
edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019) edgescan vulnerability stats report (2019)
edgescan vulnerability stats report (2019)
 
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
Outsmart Fraudsters: Give Customers Great User Experience While Keeping Fraud...
 
Turning the Tables on Cyber Attacks
Turning the Tables on Cyber AttacksTurning the Tables on Cyber Attacks
Turning the Tables on Cyber Attacks
 
An Assessment of Intrusion Detection System IDS and Data Set Overview A Compr...
An Assessment of Intrusion Detection System IDS and Data Set Overview A Compr...An Assessment of Intrusion Detection System IDS and Data Set Overview A Compr...
An Assessment of Intrusion Detection System IDS and Data Set Overview A Compr...
 
Whitepaper - CISO Guide_6pp
Whitepaper - CISO Guide_6ppWhitepaper - CISO Guide_6pp
Whitepaper - CISO Guide_6pp
 
Top 5 Cybersecurity Risks in Banking
Top 5 Cybersecurity Risks in BankingTop 5 Cybersecurity Risks in Banking
Top 5 Cybersecurity Risks in Banking
 
The State Of Information and Cyber Security in 2016
The State Of Information and Cyber Security in 2016The State Of Information and Cyber Security in 2016
The State Of Information and Cyber Security in 2016
 
NormShieldBrochure
NormShieldBrochureNormShieldBrochure
NormShieldBrochure
 

Viewers also liked

البلايا تحن إلى اللبيب
البلايا تحن إلى اللبيبالبلايا تحن إلى اللبيب
البلايا تحن إلى اللبيبHamid Benkhibech
 
День работника налог.органов
День работника налог.органовДень работника налог.органов
День работника налог.органовlibusue
 
Psychoanalysis of Heinz Hot Ketchup Print Ad
Psychoanalysis of Heinz Hot Ketchup Print AdPsychoanalysis of Heinz Hot Ketchup Print Ad
Psychoanalysis of Heinz Hot Ketchup Print AdChetna Sethia
 
Comunica s.a portafolio de servicios
Comunica s.a portafolio de serviciosComunica s.a portafolio de servicios
Comunica s.a portafolio de serviciosfannyjohanna
 
Carmen Martín Gaite Entre Visillos 02
Carmen Martín Gaite Entre Visillos 02Carmen Martín Gaite Entre Visillos 02
Carmen Martín Gaite Entre Visillos 02Any Lau
 
Biofísica aula 6 biofísica da circulação sanguínea 2016 betania
Biofísica aula 6 biofísica da circulação sanguínea 2016 betaniaBiofísica aula 6 biofísica da circulação sanguínea 2016 betania
Biofísica aula 6 biofísica da circulação sanguínea 2016 betaniaBetânia Campos
 
Building Fundament Wealth PowerPoint
Building Fundament Wealth PowerPointBuilding Fundament Wealth PowerPoint
Building Fundament Wealth PowerPointRuben Lopez
 

Viewers also liked (11)

Cyber week
Cyber weekCyber week
Cyber week
 
Nomofobia power point
Nomofobia power pointNomofobia power point
Nomofobia power point
 
Paper3x.PDF
Paper3x.PDFPaper3x.PDF
Paper3x.PDF
 
البلايا تحن إلى اللبيب
البلايا تحن إلى اللبيبالبلايا تحن إلى اللبيب
البلايا تحن إلى اللبيب
 
День работника налог.органов
День работника налог.органовДень работника налог.органов
День работника налог.органов
 
Psychoanalysis of Heinz Hot Ketchup Print Ad
Psychoanalysis of Heinz Hot Ketchup Print AdPsychoanalysis of Heinz Hot Ketchup Print Ad
Psychoanalysis of Heinz Hot Ketchup Print Ad
 
Comunica s.a portafolio de servicios
Comunica s.a portafolio de serviciosComunica s.a portafolio de servicios
Comunica s.a portafolio de servicios
 
Carmen Martín Gaite Entre Visillos 02
Carmen Martín Gaite Entre Visillos 02Carmen Martín Gaite Entre Visillos 02
Carmen Martín Gaite Entre Visillos 02
 
Biofísica aula 6 biofísica da circulação sanguínea 2016 betania
Biofísica aula 6 biofísica da circulação sanguínea 2016 betaniaBiofísica aula 6 biofísica da circulação sanguínea 2016 betania
Biofísica aula 6 biofísica da circulação sanguínea 2016 betania
 
Ai de ti copacabana
Ai de ti copacabanaAi de ti copacabana
Ai de ti copacabana
 
Building Fundament Wealth PowerPoint
Building Fundament Wealth PowerPointBuilding Fundament Wealth PowerPoint
Building Fundament Wealth PowerPoint
 

Similar to Research Paper

Application security testing an integrated approach
Application security testing   an integrated approachApplication security testing   an integrated approach
Application security testing an integrated approachIdexcel Technologies
 
En msft-scrty-cntnt-e book-cybersecurity
En msft-scrty-cntnt-e book-cybersecurityEn msft-scrty-cntnt-e book-cybersecurity
En msft-scrty-cntnt-e book-cybersecurityOnline Business
 
Application Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsApplication Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsCognizant
 
Behavior Analysis Of Malicious Web Pages Through Client Honeypot For Detectio...
Behavior Analysis Of Malicious Web Pages Through Client Honeypot For Detectio...Behavior Analysis Of Malicious Web Pages Through Client Honeypot For Detectio...
Behavior Analysis Of Malicious Web Pages Through Client Honeypot For Detectio...IJERA Editor
 
Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attackMark Silver
 
How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?Osei Fortune
 
Designing Security Assessment of Client Server System using Attack Tree Modeling
Designing Security Assessment of Client Server System using Attack Tree ModelingDesigning Security Assessment of Client Server System using Attack Tree Modeling
Designing Security Assessment of Client Server System using Attack Tree Modelingijtsrd
 
Top 6 Web Application Security Best Practices.pdf
Top 6 Web Application Security Best Practices.pdfTop 6 Web Application Security Best Practices.pdf
Top 6 Web Application Security Best Practices.pdfSolviosTechnology
 
Factors Affecting The Threat Agent Involved
Factors Affecting The Threat Agent InvolvedFactors Affecting The Threat Agent Involved
Factors Affecting The Threat Agent InvolvedJennifer Campbell
 
A Survey of Keylogger in Cybersecurity Education
A Survey of Keylogger in Cybersecurity EducationA Survey of Keylogger in Cybersecurity Education
A Survey of Keylogger in Cybersecurity Educationijtsrd
 
Strategies for Effective Cybersecurity in Web Development pdf.pdf
Strategies for Effective Cybersecurity in Web Development pdf.pdfStrategies for Effective Cybersecurity in Web Development pdf.pdf
Strategies for Effective Cybersecurity in Web Development pdf.pdfLondonAtil1
 
Toward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationToward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationE.S.G. JR. Consulting, Inc.
 
Toward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network AutomationToward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network AutomationKen Flott
 
Web app penetration testing best methods tools used
Web app penetration testing best methods tools usedWeb app penetration testing best methods tools used
Web app penetration testing best methods tools usedZoe Gilbert
 

Similar to Research Paper (20)

Application security testing an integrated approach
Application security testing   an integrated approachApplication security testing   an integrated approach
Application security testing an integrated approach
 
En msft-scrty-cntnt-e book-cybersecurity
En msft-scrty-cntnt-e book-cybersecurityEn msft-scrty-cntnt-e book-cybersecurity
En msft-scrty-cntnt-e book-cybersecurity
 
2016 Trends in Security
2016 Trends in Security 2016 Trends in Security
2016 Trends in Security
 
Application Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting ReputationsApplication Security: Safeguarding Data, Protecting Reputations
Application Security: Safeguarding Data, Protecting Reputations
 
Behavior Analysis Of Malicious Web Pages Through Client Honeypot For Detectio...
Behavior Analysis Of Malicious Web Pages Through Client Honeypot For Detectio...Behavior Analysis Of Malicious Web Pages Through Client Honeypot For Detectio...
Behavior Analysis Of Malicious Web Pages Through Client Honeypot For Detectio...
 
Anatomy of a cyber attack
Anatomy of a cyber attackAnatomy of a cyber attack
Anatomy of a cyber attack
 
How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?
 
Designing Security Assessment of Client Server System using Attack Tree Modeling
Designing Security Assessment of Client Server System using Attack Tree ModelingDesigning Security Assessment of Client Server System using Attack Tree Modeling
Designing Security Assessment of Client Server System using Attack Tree Modeling
 
Top 6 Web Application Security Best Practices.pdf
Top 6 Web Application Security Best Practices.pdfTop 6 Web Application Security Best Practices.pdf
Top 6 Web Application Security Best Practices.pdf
 
185
185185
185
 
Factors Affecting The Threat Agent Involved
Factors Affecting The Threat Agent InvolvedFactors Affecting The Threat Agent Involved
Factors Affecting The Threat Agent Involved
 
Top Application Security Threats
Top Application Security Threats Top Application Security Threats
Top Application Security Threats
 
A Survey of Keylogger in Cybersecurity Education
A Survey of Keylogger in Cybersecurity EducationA Survey of Keylogger in Cybersecurity Education
A Survey of Keylogger in Cybersecurity Education
 
Module 4.pdf
Module 4.pdfModule 4.pdf
Module 4.pdf
 
Module 4 Cyber Security Vulnerabilities& Safe Guards
Module 4 Cyber Security Vulnerabilities& Safe GuardsModule 4 Cyber Security Vulnerabilities& Safe Guards
Module 4 Cyber Security Vulnerabilities& Safe Guards
 
Strategies for Effective Cybersecurity in Web Development pdf.pdf
Strategies for Effective Cybersecurity in Web Development pdf.pdfStrategies for Effective Cybersecurity in Web Development pdf.pdf
Strategies for Effective Cybersecurity in Web Development pdf.pdf
 
C01461422
C01461422C01461422
C01461422
 
Toward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationToward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network Automation
 
Toward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network AutomationToward Continuous Cybersecurity With Network Automation
Toward Continuous Cybersecurity With Network Automation
 
Web app penetration testing best methods tools used
Web app penetration testing best methods tools usedWeb app penetration testing best methods tools used
Web app penetration testing best methods tools used
 

Research Paper

  • 1. Johnson County Community College Cyber Security: A Brief Overview for Programmers David Chaponniere CIS-264 Professor Angela Sunderland October 10, 2016
  • 2. P a g e | 1 CyberSecurity:A Brief OverviewforProgrammers DavidChaponniere Executive Summary Cyber Security is still a relatively new term to describe the protection of data and information stored electronically. With the steady rise of the “Internet of Things” – a network of everyday devices, appliances, clothing, automobiles, and other objects equipped with computer chips that can collect or transmit data through an Internet connection it is increasingly more difficult to protect user data. In mid-2015, Cisco Systems Inc. estimated that there were already 15.7 billion devices connected to the Internet – including mobile phones, parking meters, thermostats, cardiac monitors, tires, roads, cars, supermarket shelves, and many other types of objects (ITU). Allied Business Intelligence Research Inc. predicts “The number of devices will more than double from the current level, with 40.9 billion forecasted for 2020” most of the increased devices being connected are expected to be in the form of non-traditional connections as remarked by principal analyst Aapo Markkanen “…smartphones, PCs, and other ‘hub’ devices represent still 44% of the active total, but by end-2020 their share is set to drop to 32%. In other words, 75% of the growth between today and the end of the decade will come from non-hub devices: sensor nodes and accessories.” (ABIresearch). Protecting the user’s privacy and data from attack with the increase in potentially vulnerable devices that a user will possibly be storing that information on is of vital importance for these devices to be a safe enhancement to the user’s daily life.
  • 3. P a g e | 2 CyberSecurity:A Brief OverviewforProgrammers DavidChaponniere Types of Attacks For a programmer or web developer the possibility of someone attempting to gain unauthorized access to the stored information in a database or to force an application to behave in ways not intended is a very real threat. A non-secure application or website puts the users at risk of losing valuable data and confidential information. Understanding how application attacks work is critical for developers to build defenses right into their applications. One organization that tries to help programmers and developers understand the risks, types of attacks, and ways to prevent those attacks is the Open Web Application Security Project (OWASP). The OWASP Foundation first formed in late 2001 and in 2004 they established themselves as a 501(c)(3) nonprofit organization in the United States. The goal of OWASP is to support developers with free open source educational materials to make more developers aware of security threats and how to prevent those threats. Some examples of the types of currently known threats that OWASP and other organizations are helping to eliminate include (Ionescu): Un-validated Redirects and Forwards – this is more commonly referred to as a “phishing attack” which tricks the user into navigating to a malicious site. Attackers are able to manipulate the URLs of a trusted site to redirect to an unwanted location. A Developer Uses a Component with Known Vulnerabilities – developers should be careful about using unpatched third-party components that may contain security bugs or flaws. These flaws are well known to attackers as these vulnerabilities are often publicized or talked about within the media.
  • 4. P a g e | 3 CyberSecurity:A Brief OverviewforProgrammers DavidChaponniere Cross-Site Request Forgery – this type of attack is typically used in conjunction with social engineering (tricking users to engage in a specific action without knowledge of what they are doing) this can allow an attacker to gain control over a user’s system or get access to sensitive information. Missing Function Level Access Control – with this type of attack an application is vulnerable because of a lack of authenticated users or administrator accounts which allows for unauthenticated users to access hidden functionality or control over an application. This can also be from a developer not using strong enough passwords and authentication controls to limit access to the website or application. Sensitive Data Exposure – something as simple as a lack of encryption on a website or application can leave it open to attackers. Passwords and logins that are sent as plain text are easy for an attacker to gain access to and use to commit crimes with. Proper protection of not only the user’s information, but that of the application itself is of equal importance. Security Misconfiguration – a misconfiguration on the server or the application itself can leave it open to attacks and falls on the developer to ensure that the proper security measures are in place so that users who access the application are safe. Insecure Direct Object References – this occurs most commonly when the application provides direct access to objects (e.g. strings, files in the system, or database records). This allows an attacker to bypass authorization and access the resources directly. Cross-Site Scripting – in this type of attack the attacker is able to insert JavaScript directly into the pages of a trusted website and in so doing the attacker is able to modify the contents of the entire website to whatever they choose.
Broken Authentication and Session Management – without properly configured security measures an application or website is left open to attacks.

Injection – allows an attacker to modify the back-end database through code that is not checked for errors by the application. By doing so the attacker is able to copy or access restricted data without authorization. Currently, injection is one of the most popular forms of web attack.

Distributed Denial of Service (DDoS) – a simple yet extremely effective form of attack, the denial of service attack is focused on making the website unavailable by making more requests than the website or server can respond to. In this way a DDoS attack overwhelms the site and renders it unusable.

This is just a brief list; every year more vulnerabilities are discovered and used by attackers to gain unauthorized access to applications and websites. Symantec Corporation, the leading provider of antivirus in the United States, found security vulnerabilities in three quarters of all websites in use today: “There were over one million web attacks against people each day in 2015. Cybercriminals continue to take advantage of vulnerabilities in legitimate websites to infect users, because website administrators fail to secure their websites. Nearly 75 percent of all legitimate websites have unpatched vulnerabilities, putting us all at risk.” (Symantec).
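The injection item above turns on one detail: whether user input becomes part of the SQL statement text or is passed to the database as a separate bound value. The following added example (not from the paper) shows both forms against a constructed in-memory SQLite table, so the difference can be observed directly.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database; stands in for the real back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "hash-a", "alice@example.com"),
        ("bob", "hash-b", "bob@example.com"),
    ])
    return conn


def find_user_insecure(conn, username):
    """Vulnerable: the untrusted value is spliced into the statement text, so the
    database cannot tell where the developer's SQL ends and the input begins."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user(conn, username):
    """Hardened: the statement is fixed and the value travels as a bound
    parameter, so quotes or keywords in the input are only ever data."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both lookups on a fresh database; returns (insecure_rows, safe_rows)."""
    conn = make_db()
    return len(find_user_insecure(conn, username)), len(find_user(conn, username))


if __name__ == "__main__":
    print(compare("alice"))            # (1, 1): a normal username behaves the same
    # Constructed input whose quote character rewrites the WHERE clause in the
    # insecure version (every row matches); the parameterised version matches none.
    print(compare("x' OR '1'='1"))     # (2, 0)
```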
Figure: Web attacks blocked per day.

Preventing Attacks

Education is one of the most important ways to improve Cyber Security. Developers should actively seek out information on the latest security trends and ensure that the applications they create are compliant. Keeping in mind how quickly new threats can arise and how long it takes to secure a vulnerable system, it is critical that developers continuously look at current trends and stay up to date on new technology standards.

Developers should also actively keep their code up to date. This is especially important if the developer is using third-party software, to ensure they are using the latest patched code from the third party. This applies to the server operating system and to any code being used by the application, such as HTML, CSS, ASP, .NET, and JavaScript. When security flaws are announced or discovered, the key is to quickly patch the application to secure it.

Developers should test all code for security flaws before deploying it in a live environment. This is widely considered to be a best practice for ensuring the application remains secure. Using an independent resource to test the code for compliance and security is an option that many companies and developers use. Using encryption and restricting access to sensitive parts of the code is essential to ensuring the code remains safe while in production and cannot be used for malicious attacks on users.

Summary

Developers are ultimately responsible for the code, application, or website that they create, and ensuring that their intended users do not come under attack while using their application is a crucial piece of creating an overall successful application. Staying up to date on current technology standards and trends – continuous education – is a key component of Cyber Security. Learning how an attacker can use the code against users will help to close any unintended backdoors and prevent attacks before they occur. Supporting a culture of security within an organization can raise awareness of Cyber Security and foster a more secure Internet for users to enjoy. Maintaining high quality, secure code will keep attackers from gaining access to sensitive information or exploiting the code to act in ways it was not intended. Securing applications while they are being developed, and having developers with a security-first mindset, can mean the difference between a new viral success and a huge financial embarrassment.
Bibliography

Biggs, Phillippa, ITU, et al. “Harnessing the Internet of Things for Global Development”, p. 11. https://www.itu.int/en/action/broadband/Documents/Harnessing-IoT-Global-Development.pdf

Markkanen, Aapo, ABIresearch. https://www.abiresearch.com/press/the-internet-of-things-will-drive-wireless-connect/

Ionescu, Paul. “The 10 Most Common Application Attacks in Action”, April 8, 2015. https://securityintelligence.com/the-10-most-common-application-attacks-in-action/

Symantec. “Threat Report”. https://www.symantec.com/security-center/threat-report

OWASP. “Main Page”. https://www.owasp.org/index.php/About_OWASP