This document discusses web security and attacks. It begins with an abstract noting that the web presents problems for both web clients and servers, requiring steps to protect both. Chapter 1 defines web security and discusses general security concepts like privacy, integrity, and availability. It also outlines technical methods to secure systems, like encryption, passwords, firewalls, and monitoring. Chapter 2 defines types of computer attacks like denial of service, man-in-the-middle, and brute force attacks. It also discusses social engineering techniques used to manipulate users into revealing confidential information.
Web Security
ABSTRACT
As in many other areas of security, the World Wide Web presents two very different kinds of problem, each with its own solutions. On the one hand, most of us use a web browser regularly and want to prevent our web clients from executing code in an attack that would let an attacker take control of our machine. On the other hand, there are web servers, which we do not want to see compromised by constant attacks. So what is the answer? There is no single answer: we need to follow a series of steps to protect both clients and servers. As a server administrator you cannot force your clients to be secure, but you can protect your own server and web applications against web attacks. Protecting the server also protects clients or users who have visited hostile attack sites from actions that could damage their accounts or the data hosted on our site, or sabotage it; for example, a cross-site scripting attack that acts through the user's session to change that user's password on our site.
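The two server-side defences the abstract alludes to, shown as an added example that is not part of the original paper: a comment renderer in its vulnerable form beside its hardened form (output encoding stops injected script from running in other visitors' browsers), and a password-change handler that trusts the session cookie alone beside one that also requires a per-session token and checks the browser's Origin header, so a hostile page cannot drive the user's logged-in session to change the password. The site origin, the in-memory user store and the `Session` class are assumptions made for the example.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Assumed site origin and in-memory user store; both are illustrative, not from the original text.
SITE_ORIGIN = "https://example.test"


@dataclass
class Session:
    """Server-side session of a logged-in user, carrying a per-session CSRF token."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def render_comment_vulnerable(text: str) -> str:
    # Deliberately vulnerable: untrusted text is placed into the HTML as-is, so a payload
    # such as <img src=x onerror="..."> executes in every visitor's browser (stored XSS).
    return f'<p class="comment">{text}</p>'


def render_comment(text: str) -> str:
    # Hardened: encode for the HTML text context, so <, >, &, ' and " are rendered as
    # characters rather than parsed as markup.
    return f'<p class="comment">{html.escape(text, quote=True)}</p>'


def change_password_vulnerable(session: Session, form: dict, users: dict) -> bool:
    # Deliberately vulnerable: trusts the session cookie alone. Script injected through the
    # XSS above, or a form auto-submitted by a hostile site, can make the browser send this
    # request with the victim's cookie and change the victim's password.
    users[session.user] = form["new_password"]
    return True


def change_password(session: Session, form: dict, users: dict,
                    origin_header: Optional[str]) -> bool:
    # Hardened: the request must carry a token that only same-origin pages could have read,
    # and, when the browser sends an Origin header, it must match our own origin.
    if origin_header is not None and origin_header != SITE_ORIGIN:
        return False
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte via timing.
    if not hmac.compare_digest(submitted.encode("utf-8"), session.csrf_token.encode("utf-8")):
        return False
    # A real endpoint would also demand the current password and store only a password hash.
    users[session.user] = form["new_password"]
    return True
```

The CSRF token is bound to the session, so a page on another origin that auto-submits the form does not know it; the Origin check is a second, independent signal that costs nothing when the browser sends the header.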
INTRODUCTION
Absolute security cannot be proven. Maintaining a secure system means ensuring three fundamental properties: confidentiality, where our system resources are accessible only to authorized agents; integrity, where our system resources may be modified only by our authorized agents; and availability, where the resources of our systems are available to our authorized agents when they need them.
Today security is a very important aspect of any company or organization that handles information of great importance. For this reason we decided to conduct our research in this field, because more and more people are engaged in stealing information, either to take it with them or to sell it to the competition.
With our research we aim to help every reader prevent certain attacks that impair integrity, whether personal or the company's own, and cause the loss of useful information.
METHODOLOGY
Our methodology was essentially an extensive search for information in books and magazines, as well as on various websites, from which we obtained information of great importance for our work.
CHAPTER 1. WEB SECURITY
1.1. WHAT IS THE WEB SECURITY?
The Internet world and its associated elements are agile mechanisms that provide a wide
range of possibilities for communication, interaction and entertainment, such as elements of
multimedia, forums, chat, mail, communities, virtual libraries and others that can be accessed
by all audiences. However, these elements should contain mechanisms that protect and re-
duce the risk of security hosted and distributed potencializados through the same Internet
service.
Security must set standards that minimize the risks to the information or infrastructure within
any organization. These standards include hours of operation, restrictions on certain places,
user profiles, authorizations, refusals, emergency planning, protocols and everything that a
good level of security minimising the impact on the performance of employees and the Organ-
ization in general and as a main contributor to programmes made by programmers.
Security is designed to protect the assets, which include the following:
• Computational infrastructure: a fundamental part of the storage and management of
information, as well as of the very functioning of the organisation. The role of computer
security in this area is to ensure that the equipment works properly and to plan ahead for
failures, theft, fire, sabotage, natural disasters, power supply failures and any other factor
that compromises the infrastructure.
• Users: the people who use the technological structure, the communications area and the
management of information. The system must be protected in general so that their use of it
cannot call into question the security of the information, nor leave the information handled or
stored vulnerable.
• Information: the main asset. It resides in the computational infrastructure and is used
through it by the users.
Usually security deals exclusively with guaranteeing access rights to data and resources by
means of control tools and identification mechanisms. These mechanisms make it possible to
verify that operators have only the permissions that were granted to them.
Illustration 1: the security and filtering service allows organisations to protect themselves
from threats.
1.2 GENERAL CONCEPTS OF SECURITY.
Privacy: the information can be known only by authorised individuals.
Integrity: the assurance that the information has not been altered, deleted, reformatted,
copied, etc., during transmission or on the originating computer itself.
Availability: the information can be recovered, or is available, at the time it is needed.
Information Security: the actions aimed at establishing guidelines to achieve confidentiality,
integrity and availability of information, and continuity of operations after an event that
interrupts them.
Asset: a resource that the company possesses and that has value; it may be tangible
(server, desktop, communications equipment) or intangible (information, policies,
standards, procedures).
Vulnerability: exposure to risk, a bug or security hole detected in a program or computer
system.
Threat: any possible situation or event with the potential to cause damage, which may arise
in a system.
Risk: a potential event which, should it occur, can negatively impact the security, costs,
schedule or scope of a business process or project.
E-mail: a network service that allows users to send and receive messages including text,
images, video, audio, programs, etc. through electronic communication systems.
Illustration 2: it is important to note that attacks exist against different types of browsers.
1.3. TECHNIQUES TO SECURE THE SYSTEM.
The most important asset you have is the information, and therefore there should be
techniques that secure it, beyond the physical security applied to the equipment on which it is
stored. These techniques provide logical security, which involves applying barriers and
procedures that protect access to the data and allow only the persons authorised to do so to
access it.
Each type of attack and each system requires one or more means of protection (in most cases
a combination of several of them).
The following is a series of measures considered basic to secure a typical system, while
extraordinary measures are required for specific needs and greater depth:
• Use development techniques that meet security criteria for all software deployed on the
systems, starting from standards and from personnel who are sufficiently trained in and
aware of security.
• Implement physical security measures: fire protection systems, surveillance of the data
processing centres, protection against flooding, electrical protection systems against
power outages and surges, access control, etc.
• Encrypt information: cryptology, cryptography and cryptoscience. This should be done on
all the routes over which the information you want to protect circulates, not only on the
most vulnerable ones. For example, if highly confidential data is protected by two levels
of firewall, is encrypted all the way between clients and servers and between the servers
themselves, and certificates are used, but printouts sent to the network printer are left
unencrypted, there would still be a point of vulnerability.
• Passwords that are hard to discover, for example that cannot be deduced from the
individual's personal data or by comparison with a dictionary, and that are changed with
sufficient frequency. Passwords must also be complex enough that an attacker cannot
deduce them by means of computer programs. The use of digital certificates improves
security over the simple use of passwords.
• Network surveillance. Networks carry the information, so in addition to being the usual
means of access for attackers, they are also good places to obtain information without
having to access the sources themselves. The network carries not only information in
computer files as such; it also transports e-mail, phone conversations (VoIP), instant
messaging, Internet browsing, database reads and writes, etc. Therefore, protecting the
network is one of the main tasks in preventing data theft. There are measures ranging from
the physical security of the points of entry to the control of connected equipment, for
example 802.1X. In the case of wireless networks, the ease of violating security increases
and additional measures should be taken.
• Network perimeter security, or DMZ, can impose strong access rules between users and
non-public servers on the one hand and the published equipment on the other. In this way,
the weaker rules only allow access to certain machines and never to the data, which will sit
behind two levels of security.
• Repellent or protective technologies: firewall, intrusion detection system, anti-spyware,
antivirus, software protection keys, etc.
• Keep information systems updated with the upgrades that have the greatest impact on security.
• Backup copies, and even a remote backup system that allows the information to be
maintained in two locations asynchronously.
• Control access to information through centralised and maintained permissions (of the
Active Directory, LDAP, access control list type, etc.). The means to achieve this are:
• Restrict access (for people inside and outside the organisation) to programs and files.
• Ensure that operators can work but cannot modify the programs or files that do not
correspond to them (without supervision).
• Ensure that the correct data, files and programs are used in, and by, the chosen
procedure.
• Ensure that the transmitted information is the same as that received by the recipient,
that it is sent to the intended recipient and that it does not reach others. And that
alternative emergency systems and steps exist for transmission between different points.
• Organise each employee by computer hierarchy, with different keys and well-established
permissions, in each and every system or application used.
• Constantly update the passwords for access to computer systems, as indicated above,
even using a program that helps users manage the large number of passwords they have
to handle in today's environments, commonly known as an identity manager.
• Redundancy and decentralization.
Illustration 3: different techniques exist to secure the system, such as those mentioned
above.
1.4. SECURITY TIPS.
• Child pornography: Avoid hosting, publishing or transmitting information, messages,
graphics, drawings, sound files, images, photographs, recordings or software that
directly or indirectly involve sexual activities with minors, in accordance with
international or national legislation, such as Act 679 of 2001 and Decree 1524 of 2002,
any law that clarifies, modifies or supplements them, and all laws prohibiting it.
• Control of viruses and malicious code: Always have an updated antivirus on your
computer(s) and run it periodically; likewise, have pop-up window blockers and
anti-spyware on your computer.
• Avoid visiting untrusted sites or installing software of dubious origin.
• Most peer-to-peer applications contain spyware that is installed without you realising.
Make sure that updates are applied to operating systems and web browsers on a regular
basis.
• If your programs or the work performed on your computer do not require Java, ActiveX,
multimedia autoplay or auto-running programs, disable them. If they are required, obtain
and configure a personal firewall; this will reduce the risk of exposure.
Email:
• Do not post your email account on untrusted sites.
• Do not lend your email account to others, since any action taken with it will be your
responsibility.
• Do not send confidential or personal information through email.
• If a user receives a message with a warning about their bank account, they must not
answer it.
• Never respond to an HTML email with embedded forms.
• If you enter your password on an untrusted site, make sure to change it immediately for
your own safety and in compliance with the duty of care that falls on you as its holder.
Spam control:
• Never click on links inside an email, even if they seem legitimate. Enter the site's URL
directly in a new browser window.
• For sites that claim to be secure, check their SSL certificate.
• Do not forward email chains; this prevents congestion in networks and mail systems, as
well as the theft of the information contained in the headers.
Control of social engineering:
• Do not disclose confidential information about yourself or about the people around you.
• Do not discuss with strangers work or personal issues that could compromise information.
• Use the right communication channels to disseminate the information.
Control of phishing:
• If a user receives an email, call or text message with a warning about their bank
account, they should not answer it.
• For sites that claim to be secure, check their SSL certificate.
• Validate with the entity with which you have a service whether the message received by
mail is genuine.
Theft of passwords:
• Change your passwords frequently, at least every 30 days.
• Use strong passwords: easy to remember and hard to guess.
• Avoid setting very short passwords; it is recommended that they be at least 10
characters long, combined with numbers and special characters.
• Do not send key information through email or any other means that is not encrypted.
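The password rules given in section 1.3 and in the "Theft of passwords" tips above (at least 10 characters mixing numbers and special characters, not a dictionary word, not deducible from the person's own data, changed at least every 30 days) can be turned into a single check. The following is an added example, not code from the original paper; the word list, the personal data and the dates it uses are constructed for the illustration.

```python
"""Password policy check covering the rules stated in the text (added example)."""
from datetime import date
import string

MIN_LENGTH = 10      # "at least a length of 10 characters"
MAX_AGE_DAYS = 30    # "change your passwords ... at least every 30 days"

# Constructed, tiny stand-in for a real dictionary / common-password list.
DICTIONARY = {"password", "welcome", "security", "letmein", "qwerty"}


def _derived_from_personal_data(password, personal_data):
    """True if any personal datum of 4+ characters (name, birth year, ...)
    appears inside the password, compared case-insensitively."""
    lowered = password.lower()
    for datum in personal_data:
        datum = str(datum).lower()
        if len(datum) >= 4 and datum in lowered:
            return True
    return False


def check_password(password, personal_data=(), last_changed=None, today=None):
    """Return the list of policy violations; an empty list means the password passes.

    personal_data: strings the password must not be deduced from.
    last_changed:  date of the last rotation, compared against `today`
                   (defaults to the current date) for the 30-day rule.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short: at least %d characters" % MIN_LENGTH)
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    # Compare against the dictionary with digits and symbols stripped, so that
    # a dictionary word merely decorated with '123!' is still caught.
    letters_only = "".join(c for c in password.lower() if c.isalpha())
    if password.lower() in DICTIONARY or letters_only in DICTIONARY:
        problems.append("dictionary word")
    if _derived_from_personal_data(password, personal_data):
        problems.append("derived from personal data")
    if last_changed is not None:
        today = today or date.today()
        if (today - last_changed).days > MAX_AGE_DAYS:
            problems.append("older than %d days" % MAX_AGE_DAYS)
    return problems


if __name__ == "__main__":
    # Constructed sample user: surname Garcia, born 1985.
    print(check_password("Garcia1985#x", personal_data=["Garcia", "1985"]))
    print(check_password("Ver!fy-2024-Xq", last_changed=date(2024, 1, 1),
                         today=date(2024, 3, 1)))
```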
CHAPTER 2. ATTACKS AND VULNERABILITIES.
2.1 COMPUTER ATTACK
A computer attack is a method by which an individual, using a computer system, tries to take
control of, destabilise or damage another computer system (computer, private network, etc.).
There are various types of cyber-attacks. Some are:
• Denial of service attack, also called DoS attack, is an attack on a computer system or
network that causes a service or resource to become inaccessible to legitimate users,
normally causing loss of network connectivity by consuming the bandwidth of the victim's
network or by overloading the resources of the victim's system.
• Man in the middle, sometimes abbreviated MitM, is a situation in which an attacker
monitors (usually by means of a sniffer) a communication between two parties and
falsifies the exchanges in order to impersonate one of them.
• Replay attack: a form of network attack in which a valid data transmission is
maliciously or fraudulently repeated or delayed. It is carried out by the originator or by
an adversary who intercepts the information and retransmits it, possibly as part of a
masquerade attack.
• Zero-day attack: an attack against a computer that exploits certain vulnerabilities or
security holes in one or more programs before they become known, or, once the existence
of the vulnerability has been published, carried out before the patch that fixes it is
released.
• Brute force attack. It is not necessarily a procedure that has to be performed by
computer processes, although doing so saves time, energy and effort. A brute force
attack tries to recover a key by testing all possible combinations until it finds the one
sought, which allows access to the system, program or file under study.
2.2. SOCIAL ENGINEERING.
Social engineering is the practice of obtaining confidential information through the
manipulation of legitimate users. It is a technique that can be used by certain people, such as
private investigators, criminals or rogue computer users, to obtain information, access or
privileges in information systems that allow them to perform some act that harms the
compromised person or organisation or exposes it to risk or abuse.
The principle underpinning social engineering is that in any system "users are the weak
link". In practice, a social engineer will commonly use the phone or the Internet to mislead
people, pretending to be, for example, an employee of a bank or some other company, a
co-worker, a technician or a client. Via the Internet or the web, use is also made of sending
requests to renew access permissions for websites, fake memos asking for a reply, and even
the famous chain letters, thus leading people to reveal sensitive information or to violate the
usual security policies. With this method, social engineers take advantage of people's natural
tendency to react predictably in certain situations, for example by providing financial details
to an apparent bank official, rather than having to find security holes in computer systems.
Perhaps the simplest, but very effective, attack is to mislead a user into thinking that a
system administrator is requesting a password for some legitimate purpose. Users of Internet
systems frequently receive messages requesting passwords or credit card information on the
pretext of "creating an account", "resetting the configuration" or some other benign
operation; this kind of attack is called phishing (pronounced like "fishing"). Users of these
systems should be warned early and often not to disclose passwords or other sensitive
information to people who claim to be administrators. In fact, computer system administrators
rarely (or never) need to know users' passwords to carry out their tasks. However, even this
type of attack may not be necessary: in a survey carried out by the company Boixnet, 90% of
the employees at the Waterloo Station office in London revealed their passwords in exchange
for a cheap pen.
Another contemporary example of a social engineering attack is the use of e-mail attachments
offering, for example, "intimate" photos of some famous person or a "free" program (often
apparently from some well-known person) which actually run malicious code (for example, to
use the victim's machine to send massive amounts of spam). Now that the first malicious
e-mails led software vendors to disable the automatic execution of attachments, users must
open these files explicitly for the malicious action to occur. Many users, however, open almost
blindly any attachment they receive, thus making the attack possible.
Social engineering also applies to face-to-face manipulation to gain access to computer
systems. Another example is exploiting knowledge about the victim: trying typical, logical,
common passwords, or knowing their past and present and answering the question: what
password would I choose if I were the victim?
The main defence against social engineering is to educate and train users in the use of
security policies and to ensure that they are followed.
One of the most famous recent social engineers is Kevin Mitnick. In his opinion, social
engineering is based on these four principles:
1. We all want to help.
2. The first move is always to trust the other person.
3. We do not like to say no.
4. We all like to be praised.
2.3. SQL INJECTION
SQL injection is a method of infiltrating intrusive code that exploits a computer vulnerability
present at the application level in the validation of the inputs used to query a database.
The origin of the vulnerability lies in the incorrect checking or filtering of the variables used
in a program that contains, or generates, SQL code. It is, in fact, an instance of a more
general class of vulnerabilities that can occur in any programming or scripting language that
is embedded inside another.
The term SQL injection is used, without distinction, for the type of vulnerability, the
infiltration method, the act of embedding intrusive SQL code, and the embedded code portion
itself.
It is said that there is, or was, a SQL injection when, in some way, intrusive SQL code is
inserted, or "injected", within the programmed SQL code in order to alter the normal operation
of the program and cause the embedded "intrusive" code portion to run in the database.
This kind of intrusion is usually harmful, malicious or spying in nature; it is therefore a
computer security problem and should be taken into account by the programmer of the
application in order to prevent it. A program written with carelessness, indifference or
ignorance of the problem may prove to be vulnerable, and the security of the system (the
database) may eventually be compromised.
The intrusion occurs during the execution of the vulnerable program, whether on desktop
computers or on websites, in the latter case obviously running on the server that hosts them.
The vulnerability can arise automatically when a program "carelessly assembles" a SQL
statement at runtime, or during the development phase, when the programmer expresses the
SQL statement to be executed in an unprotected form. In any case, whenever the programmer
needs to make use of parameters entered by the user in order to query a database, it is
precisely within those parameters that the intruding SQL code can be incorporated.
When the query is executed on the database, the injected SQL code will also run and could do
a number of things, such as insert records, modify or delete data, authorise access and even
run other kinds of malicious code on the computer.
For example, assume that the following code resides in a web application and that there is a
parameter "username" containing the name of the user to look up; a SQL injection could then
occur as follows.
The original, and most vulnerable, SQL code is:
Query := "SELECT * FROM MyTable WHERE name = '" + username + "';"
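The concatenated query above, placed beside its parameterised form so the difference in behaviour can be observed. This is an added example and not code from the original paper; it uses an in-memory SQLite database with a constructed "users" table standing in for the text's MyTable.

```python
"""Concatenated (vulnerable) vs parameterised (safe) lookup, added example."""
import sqlite3


def make_db():
    """Constructed sample data: three users, one of them with a quote in the name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("o'brien", "user")])
    return conn


def lookup_vulnerable(conn, username):
    """The pattern from the text: the user-supplied value becomes part of the SQL
    text itself, so the database engine cannot tell data from code."""
    query = "SELECT name, role FROM users WHERE name = '" + username + "';"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Hardened form: the value is bound as a parameter and is never parsed as SQL."""
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Run both lookups on two inputs and collect what each one returns."""
    conn = make_db()
    results = {}
    # 1) A legitimate name containing an apostrophe: the concatenated query is
    #    syntactically broken, the parameterised one returns the row.
    try:
        lookup_vulnerable(conn, "o'brien")
        results["vuln_quote"] = "ok"
    except sqlite3.OperationalError:
        results["vuln_quote"] = "syntax error"
    results["safe_quote"] = lookup_safe(conn, "o'brien")
    # 2) A value that carries SQL: in the concatenated query the WHERE clause is
    #    rewritten and every row comes back (the "invasive code" the text
    #    describes); the parameterised query simply finds no user of that name.
    injected = "x' OR '1'='1"
    results["vuln_injected"] = lookup_vulnerable(conn, injected)
    results["safe_injected"] = lookup_safe(conn, injected)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```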
Illustration 5: the SQL injection process
2.4 SPOOFING.
Spoofing, in terms of network security, refers to the use of identity impersonation
techniques, usually for malicious purposes or for research.
Spoofing attacks can be classified according to the technology used. Among them are IP
spoofing (perhaps the best known), ARP spoofing, DNS spoofing, web spoofing and e-mail
spoofing, although in general spoofing can be found within any network technology susceptible
to identity impersonation.
Illustration 6: through the IP address we can attack our victim
IP Spoofing
IP spoofing basically consists of replacing the source IP address of a TCP/IP packet with
another IP address that you want to impersonate. This is usually achieved through programs
designed for this purpose and can be used with any protocol within TCP/IP, such as ICMP, UDP
or TCP. It must be taken into account that the responses of the host that receives the altered
packets will be directed to the spoofed IP. For example, if we send a spoofed ping ("echo
request" packet), the reply will be received by the host to which the IP legitimately belongs.
This type of spoofing, combined with the use of ICMP broadcast requests with a spoofed
source sent to different networks, is used in a type of flood attack known as the Smurf attack.
To carry out IP spoofing in TCP sessions, one must take into account the behaviour of that
protocol with the exchange of SYN and ACK packets carrying their specific SYN numbers,
bearing in mind that the real owner of the IP could (unless prevented in some way) cut the
connection at any time upon receiving packets it did not request. It must also be noted that
current routers do not allow the sending of packets with a source IP that does not belong to
one of the networks they manage (spoofed packets will not get past the router).
ARP Spoofing
Impersonation by forging ARP frames. It consists of constructing modified ARP request and
reply frames in order to corrupt the ARP table (IP-MAC list) of a victim and force it to send
packets to an attacker's host rather than to their legitimate destination.
The Ethernet protocol works with MAC addresses, not with IP addresses. ARP is the protocol
responsible for translating IP addresses into MAC addresses so that communication can be
established; so when a host wants to communicate with an IP, it broadcasts an ARP request
frame to the broadcast address asking for the MAC of the host that holds the IP it wants to
talk to. The computer with the requested IP responds with an ARP reply indicating its MAC.
Routers and hosts keep a local table with the IP-MAC relationship, called the ARP table. The
ARP table can be corrupted by an attacking computer issuing ARP reply frames that give its
own MAC as the valid destination for a specific IP, for example that of a router; in this way the
information directed to the router would pass through the attacking computer, which can
examine it and forward it on if it so wishes. The ARP protocol works at the data link layer of
the OSI model, so this technique can only be used on LANs, or in any case on the part of the
network that lies before the first router. One way to protect yourself from this technique is to
use static ARP tables (provided the IPs on the network are fixed), which can be difficult in
large networks.
Other forms of protection include using programs that detect changes in ARP tables (such as
Arpwatch) and using the port security feature of switches to prevent changes in MAC addresses.
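The change-detection defence the text attributes to tools like Arpwatch can be illustrated with a small monitor that keeps the first-seen IP-MAC binding and raises an alert when another MAC later claims the same IP, optionally treating some entries as static. This is an added example, not code from the paper or from Arpwatch; the stream of ARP replies, the addresses and the MACs are constructed for the illustration.

```python
"""ARP-table change detection in the spirit of Arpwatch (added example)."""
from collections import namedtuple

# One observed ARP reply: who claims to own which IP, and when it was seen.
ArpReply = namedtuple("ArpReply", "time sender_ip sender_mac")


class ArpWatch:
    """Keeps the first-seen IP -> MAC binding and reports later changes."""

    def __init__(self, static_bindings=None):
        # Static entries (the static ARP table the text mentions) never change.
        self.static = dict(static_bindings or {})
        self.table = dict(self.static)
        self.alerts = []

    def observe(self, reply):
        """Record a reply; return an alert tuple if it contradicts the table."""
        known = self.table.get(reply.sender_ip)
        if known is None:
            self.table[reply.sender_ip] = reply.sender_mac   # first sighting
            return None
        if known == reply.sender_mac:
            return None                                      # consistent
        if reply.sender_ip in self.static:
            kind = "static binding violated"
        else:
            kind = "changed ethernet address"
        alert = (reply.time, reply.sender_ip, known, reply.sender_mac, kind)
        self.alerts.append(alert)
        if reply.sender_ip not in self.static:
            # A dynamic entry is overwritten, just as a host's own cache would
            # be; the alert is what lets the operator notice the change.
            self.table[reply.sender_ip] = reply.sender_mac
        return alert


# Constructed sample: the gateway 192.168.1.1 is first announced by the real
# router's MAC and later claimed by a second MAC, the pattern of a poisoning
# attempt against the router entry described in the text.
SAMPLE_REPLIES = [
    ArpReply(1, "192.168.1.1", "aa:bb:cc:00:00:01"),
    ArpReply(2, "192.168.1.20", "aa:bb:cc:00:00:20"),
    ArpReply(3, "192.168.1.1", "aa:bb:cc:00:00:01"),
    ArpReply(4, "192.168.1.1", "de:ad:be:ef:00:99"),
    ArpReply(5, "192.168.1.20", "aa:bb:cc:00:00:20"),
]


def run_sample(static_bindings=None):
    """Feed the constructed replies through a monitor and return its alerts."""
    watch = ArpWatch(static_bindings)
    for reply in SAMPLE_REPLIES:
        watch.observe(reply)
    return watch.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print("ALERT t=%d ip=%s %s -> %s (%s)" % alert)
```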
DNS Spoofing
Impersonation by domain name. It is the corruption of a "domain name-IP" relationship in
response to a name resolution query, i.e. resolving a false IP address for a certain DNS name,
or vice versa. This can be achieved by falsifying entries in the domain name-IP relationship of
a DNS server, through some vulnerability in the server itself or through its trust in unreliable
servers. Falsified entries in one DNS server are liable to poison the DNS cache of a different
server (DNS poisoning).
Web Spoofing
Impersonation of a real web page (not to be confused with phishing). It routes the victim's
connection through a fake page to other websites in order to gather information from the
victim (websites viewed, form data, passwords, etc.). The fake web page acts as a proxy,
requesting the information the victim asks for from each original server, and even bypasses
SSL protection. The attacker can modify any information to and from any server the victim
visits. The victim can be led to open the fake website by any kind of deception, even by
opening a simple link. Web spoofing is hardly detectable; perhaps the best measure is a
browser plugin that shows at all times the IP of the server being visited: if the IP never
changes when visiting different web pages, we are probably suffering this type of attack. This
attack is carried out by implementing code that will steal our information; ghost pages into
which this code is injected in order to obtain information from victims are commonly created.
E-mail Spoofing
Spoofing, in email, of the e-mail address of other persons or entities. This technique is
regularly used to send hoax e-mail messages as a perfect complement to phishing and spam,
and it is as simple as using an SMTP server configured for the purpose. To protect yourself you
should check the IP of the sender (to find out whether that IP actually belongs to the
organisation named in the message) and the address of the SMTP server used.
GPS Spoofing
A GPS spoofing attack attempts to mislead a GPS receiver by transmitting a signal slightly
more powerful than the one received from the satellites of the GPS system, structured to
resemble a normal set of GPS signals. However, these signals are modified in such a way that
they cause the receiver to determine a position different from the real one, specifically a
position chosen by the attacking signal. Because the GPS system works by measuring the time
it takes a signal to travel between the satellite and the receiver, a successful spoofing
requires the attacker to know precisely where the target is, so that the false signal can be
structured with the appropriate delay.
A GPS spoofing attack begins with the transmission of a slightly more powerful signal that
delivers the correct position and then begins to drift slowly towards the position desired by
the attacker, since if this is done too quickly the attacked receiver will lose its lock on the
signal, at which point the spoofing attack would only work as a jamming attack.
RESULTS
At the conclusion of the investigation for our article, we obtained all the information and
knowledge necessary for anyone who surfs the web to be aware of the dangers that exist in
doing so. In the same way we have provided a set of instructions so that your personal
information is not used for profit, together with guidance for surfing the web.