Protecting Information Assets 2

Assignment 1

According to the MSR information assurance model, information exists in three states: transportation, storage and processing. The following sections describe how data can be protected in each state.


Data in storage is data held on media such as removable disks. Even at rest, data still faces security threats, so it is protected by security mechanisms such as firewalls and anti-virus. These barriers can still be penetrated (Rai, Bunkar & Mishra, 2014), so additional layers of protection are needed for data in this state, especially when the data is compromised through a network hack. Continuous data protection (CDP) is one of the methods used to protect data in storage. An advantage of CDP is that it preserves the transactions that happen in an enterprise: when the system is affected and the stored data becomes corrupt, the data can be recovered from an earlier backup. With CDP, it is possible to recover data within a few seconds. Installation of CDP software is simple and can be done by non-technical staff.

One way of ensuring security is encrypting data as it resides on the hard drive. Other methods include storing data in different locations and keeping all data backed up. Another solution is provided by the data protection company IBM; it offers greater capability, for example keeping information protected when cartridges are stolen or lost (Rai, Bunkar & Mishra, 2014). The cartridges support encryption of the data, which removes the need to encrypt manually or to use specialised encryption appliances. With IBM tape encryption, the tape controller connects to the IBM Encryption Key Manager (EKM) component, which is developed on the Java platform; the tape controller and the EKM server communicate over TCP/IP. The disadvantage of this means of data protection is increased latency during data retrieval.
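As an added illustration of the key-separation idea in the paragraph above (this is not code from the page or from IBM), the following Go program models envelope encryption: a key manager holds the key-encrypting key, each cartridge gets its own AES-256-GCM data key, and only the wrapped data key travels with the tape, so a stolen cartridge is unreadable without the key server. All names (KeyManager, Cartridge, WriteCartridge, ReadCartridge) and the payload are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyManager is a hypothetical stand-in for the external key server (the
// EKM role in the text): it holds the key-encrypting key (KEK), never hands
// it out, and only wraps and unwraps per-cartridge data keys.
type KeyManager struct {
	kek []byte // 32-byte AES-256 key that exists only on the key server
}

func NewKeyManager() (*KeyManager, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyManager{kek: kek}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM, binding aad to the ciphertext; the random
// nonce is prepended to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, wrong aad or any modified byte fails.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Cartridge is what leaves the building: ciphertext plus the wrapped data
// key. Without the key manager's KEK the contents cannot be read.
type Cartridge struct {
	ID         string
	WrappedKey []byte
	Data       []byte
}

// WriteCartridge generates a fresh data key per cartridge, encrypts the
// payload with it and stores only the KEK-wrapped form of that key. The
// cartridge ID is the AAD, so a wrapped key cannot be moved to another tape.
func WriteCartridge(km *KeyManager, id string, payload []byte) (*Cartridge, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	data, err := seal(dataKey, payload, []byte(id))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(km.kek, dataKey, []byte(id))
	if err != nil {
		return nil, err
	}
	return &Cartridge{ID: id, WrappedKey: wrapped, Data: data}, nil
}

// ReadCartridge models the controller asking the key manager over its
// TCP/IP link to unwrap the data key, then decrypting the tape locally.
func ReadCartridge(km *KeyManager, c *Cartridge) ([]byte, error) {
	dataKey, err := open(km.kek, c.WrappedKey, []byte(c.ID))
	if err != nil {
		return nil, fmt.Errorf("key manager refused to unwrap: %w", err)
	}
	return open(dataKey, c.Data, []byte(c.ID))
}

func main() {
	km, _ := NewKeyManager()
	cart, _ := WriteCartridge(km, "TAPE-0001", []byte("constructed payroll export"))
	thief, _ := NewKeyManager() // a different KEK: what a stolen tape meets
	_, err := ReadCartridge(thief, cart)
	fmt.Println("stolen cartridge readable without the KEK:", err == nil)
}
```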
There are also solutions from Gemalto that are applied to data encryption and tokenization. One of them is SafeNet, which provides application-level encryption of sensitive data; when SafeNet is deployed, the data is secured across its lifecycle, and the solution also covers data backup, copying and transfer. Other types of data that need protection include files, emails and web pages, and Gemalto has protection for these kinds of data as well.

Another method of protecting data at rest is hardware encryption. Encryption does not protect data from theft, but it protects the data from being misused by internal employees. There are different arrangements; for example, Endpoint Protector examines information against predefined content, document name or consistency level (Rai, Bunkar & Mishra, 2014). Based on that information, Endpoint Protector may delete data or protect it from potential data breaches, whether from employees or from external attacks.


Data in transit is less vulnerable when being transferred over the internet, because the transport layers of the TCP/IP and OSI models already have security mechanisms. There are hackers who can sniff data in transit using advanced tools such as Ettercap or dsniff, but these attacks are rare and cannot be given a lot of priority when protecting data in transit. For secure data transport, there is encryption of data using AES-256 working with a physical PIN pad mounted on the disk. Such devices are available, but they may be expensive depending on their size. This option is used for data that cannot be uploaded directly to the internet: the data is placed on lockable disks before it is transported. Using a VPN is another option for protecting data in transit. A VPN needs the following: a firewall to act as a barrier between the private and the public network, and encryption of data to keep sensitive data from hackers.

Most companies, therefore, encrypt data during transit to protect it against eavesdropping by hackers. Data transmission mechanisms include server-to-server transit, and there may be transit between the system and third-party systems. One example of data in transit is email, and email is not considered safe; therefore, email providers have been offering encryption options that need to be implemented. To secure data during transportation, the data that needs protection should be passed through a secure sockets layer. SSL uses strong security protocols such as the transport layer. Data transmitted over email can be secured with PGP or S/MIME; another option is a file encryption tool, after which the transmission is done through email. Non-web traffic should be encrypted at the application level. When data moves between servers, it can be encrypted using FIPS cryptography algorithms. If there is no application-level encryption, there are SSH and IPsec tunnelling. For Wi-Fi connections, the WPA2 standard, which encrypts data, must be applied in addition to end-to-end protection of the data over Wi-Fi. Use of private and public key encryption is one of the standard forms in which data in transit can be protected: in this system, a pair of keys is used to encrypt and decrypt messages. The difficulty lies in the sharing of the keys in the private and public key system.


Data in use by a company is not safe, and its safety depends on the trustworthiness of the end user. Therefore, the first precaution a company takes is to ensure that the people who have access to data are the ones who need it. Companies therefore have to control how data is accessed. For highly secured data, the users should not leave the premises where the data is stored (Rai, Bunkar & Mishra, 2014). Data is vulnerable when employees have to access it from home, especially from an insecure machine. Data in use can be protected as discussed in the following paragraphs.

The first security measure for data in use is classifying data according to its level of privacy and then categorising the users who may have access to it. The second is to have data protection procedures in place with users largely unaware of the measures. One data-in-use protection mechanism is full disk encryption, which increases the invisibility of data to the end user. Another way data can be protected while in use is with a virtual OS on a USB stick that can be plugged into any machine (Rai, Bunkar & Mishra, 2014). Companies like Microsoft ensure that small mistakes are prevented from exposing sensitive data by locking down the user's operating system and ensuring that all applications in the system are patched with the latest security releases. The fourth security mechanism is whitelisting all applications so that people only have access to the few applications they need. The last practice is applying defence in depth at the network gateway, which is easy to control and monitor.



Chen, D., & Zhao, H. (2015, March). Data security and privacy protection issues in cloud computing. In Computer Science and Electronics Engineering (ICCSEE), 2015 International Conference on (Vol. 1, pp. 647-651). IEEE.
Ren, K., Wang, C., & Wang, Q. (2015). Security challenges for the public cloud. IEEE Internet Computing, 16(1), 69-73.
Yang, J. J., Li, J. Q., & Niu, Y. (2015). A hybrid solution for privacy-preserving medical data sharing in the cloud environment. Future Generation Computer Systems, 43, 74-86.
Rai, D. P., Bunkar, R. K., & Mishra, V. (2014). Data security and privacy protection issues in cloud computing. IOSR Journal of Computer Engineering (IOSR-JCE), e-ISSN 2278-0661.

Assignment 2

Survey of operating systems used in data centers and the office environment

The data center provides the physical environment required to keep servers in an active state. With a reliable OS there is flexibility, security and redundancy of data (Chen, Mao & Liu, 2014). The operating systems could include dedicated servers, VPS solutions and cloud hosting solutions as well. The data can be backed up through a fault-tolerant network and a data grid. A data center can host many operating systems, such as Linux, UNIX and Windows, depending on their offer. Cloud hosting companies like Google use a special operating system called Goobuntu, which is an in-house build of Ubuntu (Chen, Mao & Liu, 2014). Goobuntu is a light Linux distribution that Google uses for its long-term presence on the internet. Windows has been shunned because it requires a high level of security to be used, which limits the extent to which it can be deployed.

Business environment servers include Microsoft Windows Server, which was made available from Windows 10 and is designed for a business environment. The server is easy to install, and it is offered through the Microsoft Windows Store. Windows Server has user-friendly graphics compared to Linux-based servers (Chen, Mao & Liu, 2014). One disadvantage of Windows Server is its steep learning curve. Another type of server is Ubuntu Server, which is highly secure, fast and very cost effective. The server is trusted for business applications, and since it is dedicated it allows for more customisation than other commercial operating systems.

CentOS Server is a community-distributed server under the GPL license; the OS is distributed for the same audience as Fedora and has the same installer, it is also freely distributed, and researchers working on developing new concepts mainly use it. The OS is designed for business (Chen, Mao & Liu, 2014). The last server is the Unix server, which is multitasking, reliable and secure. Unix servers have file and password encryption and many more features, and the system can be customised to the user. The office versions of operating systems have limited specifications as opposed to the large operating systems used within data centers (Chen, Mao & Liu, 2014). The office operating system can be Windows or Mac OS X; they are already customised for users, and they come with user applications such as those used in desktop publishing.

Survey of databases used in data centers

A cloud database is scalable. From the overview of versatile systems and distributed computing by Chen, Mao and Liu (2014), there are two examples of database environments that can be utilised in the cloud: database as a service and the traditional cloud model. In the traditional cloud model, the database runs on the company's infrastructure, and the company's IT staff maintain the database (Chen, Mao & Liu, 2014). On the other hand, with database as a service, the database runs on the vendor's platform, and it is the vendor's job to maintain it. The business therefore depends on the vendor's services, which frees the company's time to focus on data provisioning and operations. The following sections describe examples of database as a service.

Amazon Web Services

Amazon Web Services is one of the best cloud databases, and it provides many options such as NoSQL, in-memory databases and large-scale data warehousing. The key components of Amazon Web Services include Amazon RDS, which offers relational database services; Amazon Redshift, a fast and fully managed data warehouse; Amazon DynamoDB, a well-managed in-memory and cache service; and Amazon ElastiCache, which also provides in-memory cache services (Chen, Mao & Liu, 2014). Besides these, AWS offers Database Migration Service, which makes it possible to migrate data with zero downtime.

Microsoft Azure SQL Databases

Microsoft Azure offers both SQL and NoSQL database formats. According to the survey of NoSQL by Han, Haihong, Le & Du (2014), Microsoft Azure has high scalability, built-in protections and multi-tenancy capabilities, and it supports other development tools. Microsoft Azure makes building and deploying applications easier, can work with SQL Server Management Studio, is easier to set up than traditional SQL Server, and does not include physical administration.

Microsoft Azure DocumentDB

Microsoft Azure DocumentDB is one of the two different cloud-based database systems offered by Microsoft Azure. MAD is a NoSQL database with a high level of consistency, and it is compatible with both JavaScript and JSON access to the database. Moreover, it is scalable; there is a small latency of 15 milliseconds during write actions and ten milliseconds during read actions.

Cloud SQL by Google

Cloud SQL, which is offered by Google, supports Cloud SQL, PostgreSQL and MySQL databases and has a query analysis tool for data analysis and retrieval on the Google platform. The platform is easy to manage and set up (Chen, Mao & Liu, 2014). The developers must still manage the updates, backups and database functionalities. From Beyond the Data Deluge by Bell, Hey & Szalay (2017), Cloud SQL by Google allows developers to build robust applications and enjoy the database services offered by Google.

KACE tools

KACE tools are used in automation and endpoint management. As the number of endpoints increases, the previously used ad hoc and manual processes of endpoint management are no longer sufficient. KACE tools provide a platform for managing network security and software using a single endpoint solution (Loveland et al., 2014). The KACE Systems Management Appliance is very useful in accomplishing these goals by automating complex tasks and taking a unified approach to endpoint management, covering inventory, IT asset management, and server management and monitoring systems. Software license management is also included. The system is easy to use during system administration and has efficient patch management.

Symantec Client Management Suite

The Symantec Client Management Suite provides deep visibility of the laptops and desktops being used in an organisation. The suite records who is using them and the state they are currently in. The devices give genuine, recorded information that administrators can use in recognising vulnerabilities and in the patching procedure. The suite includes patching of Microsoft applications, has simple integration with endpoint applications, and can be used for secure logins (Chen, Mao & Liu, 2014). The tools can be used in making informed decisions.


Microsoft System Center Configuration Manager

When using the tool, deploying Windows is simpler, including all the currently supported Windows 10 features such as upgrades and updates and the mobile device management tools. Configuration Manager can be extended to include management of PCs, Macs and Linux machines.

Han, J., Haihong, E., Le, G., & Du, J. (2014, October). Survey on NoSQL database. In Pervasive Computing and Applications (ICPCA), 2014 6th International Conference on (pp. 363-366).
Bell, G., Hey, T., & Szalay, A. (2017). Beyond the data deluge. Science, 323(5919), 1297-1298.
Loveland, T. R., Reed, B. C., Brown, J. F., Ohlen, D. O., Zhu, Z., Yang, L. W. M. J., & Merchant, J. W. (2014). Development of a global land cover characteristics database and IGBP DISCover from 1 km AVHRR data. International Journal of Remote Sensing, 21(6-7), 1303-1330.
Chen, M., Mao, S., & Liu, Y. (2014). Big data: A survey. Mobile Networks and Applications, 19(2),
Assignment 3

Network management is the process of handling many kinds of communications, such as virtualisation, video, voice and data. The role of a network manager is to monitor the performance of a network and ensure that the network is secured. Two frameworks exist that can be used in managing networks (Dev et al., 2016): the first is FCAPS, and the second is ITIL. FCAPS is used for configuration, accounting, fault management, security and network performance management. FCAPS is an acronym for the five levels of network management.

F: Fault Management: The correction of network problems happens at this level. Potential failures are noted, and procedures for preventing them from recurring are recorded. In this mode, the network is kept operational.

C: Configuration: The configuration level monitors and controls the network operation. There are programming and hardware changes that take place, which may include the addition of new programs and equipment to the network. Configuration also includes the removal of obsolete programs and systems. At this level, the equipment inventory is kept, and it has to be updated.


A: Accounting: The accounting level is also known as the network allocation level. Its main aim is to distribute resources to the network users. The effect of this is fair use of the resources among users while minimising the cost of operation; at this level, users are billed according to their use (Dev et al., 2016).

P: Performance: The P level is involved with the management of the overall performance of the network. Network parameters such as throughput are maximised while bottlenecks are avoided.

S: Security: At this level, the network is protected against major attacks from unauthorised users, sabotage and hackers. The security level is where confidentiality of information is ensured. At the security level, network administrators are able to control what individual users can and cannot do within the network.


ITIL is the Information Technology Infrastructure Library. The framework was designed to deliver high-quality service over the network (Dev et al., 2016). ITIL is the most widely used network framework in organisations today because it provides better quality assurance towards better network management practices. The framework includes practices for applications, security management and services. The following sections discuss these areas.

Service Support: Service support is the network operations center that ensures that users of the system have the access required for the applications they use. Network components in this area include help desks, support for new applications and troubleshooting. The underlying issues to be addressed include configuration management, problem management and change management. The role of problem management is tracking the number of incidents and keeping logs. Configuration management is used in tracking the number of devices connected within the network (Kim & Feamster, 2013). Change management involves configuration and problem management, and the change board would have the ability to approve planned changes and have the problems that occur during changes recorded. Effective support would include the ability to create processes for troubleshooting up to high-level problems and PC installations, and having access to the other parts of the organisation that design and implement the network.

Service Delivery: The management functions of a network are delivered in this area. Service delivery ensures that as applications' data flows through the network, it reaches the targeted node. Other options available include capacity management and application modelling.
Security Management: Security is among the many foci of the network management framework. The main work of security management is ensuring that there is a firewall that helps in preventing external access to data and information within the network; security management also covers the proper configuration of permissions and rights to ensure that there is no unauthorised access by end users (Dev et al., 2016).

Infrastructure Management: In bigger organisations, the team responsible for equipment installation is different from the team that troubleshoots and designs the network, which is why configuration management has a central place in ITIL. The centralisation of configuration management is the reason the exact configuration of the system ought to be documented. Infrastructure management is in charge of the design and deployment, including the physical design of the network appliances. The work of the change team is simply to approve the changes, while the infrastructure team does all the work, including the heavy design by engineers and architects (Case, Mundy, Partain & Stewart, 2017).

Application Management: Application management has the single purpose of ensuring that all applications have the right design and configuration to be implemented in the network. The configuration may include the number of dependencies, delay timers and the number of connections required by a single application. Application management ensures that all applications work end to end and provide services and delivery to end users.

Software Asset Management: In this module, software products and licenses are managed. Software asset management overlaps with software configuration, as it provides the essential information about the software installed on every device. Accounting for every software license and maintenance contract is one of the big components of network management in a large organisation. In smaller IT environments, the functions can be collapsed together to provide the same services as in larger organisations (Hasan, Sugla & Viswanathan, 2016).
Network management tools


OpManager

OpManager is well-known network monitoring software. OpManager can map the network, monitor WAN RTT, monitor VoIP, analyse network traffic and monitor the health of the network.

LogRhythm Free

LogRhythm is available in both commercial and free versions that can be used in evaluating traffic and the network (Hasan, Sugla & Viswanathan, 2016). The solution is user-friendly; networks with outstanding visibility greatly benefit the security team, and it exposes threats in due time and initiates automatic response activities to incidents. Apart from that, it also correlates events and can recognise patterns.


SolarWinds

SolarWinds is a hyperactive and very influential solution. SolarWinds monitors each of the components integrated to form a particular application, monitoring network bandwidth and traffic. SolarWinds has a module called Orion that provides online observation of devices in the network, visualises equipment, raises alarms and reports the occurrence of events.


ThousandEyes

ThousandEyes allows identification and solving of network predicaments. ThousandEyes offers performance analysis for applications; it uses security technology, protects email and web assets, updates the operating system and other applications, employs a backup plan, has data recovery set up, and pays attention to securing important data (Hasan, Sugla & Viswanathan, 2016).

Paessler

Paessler has a web interface that has been entirely redesigned to make it user-friendly, and it supports mini-HTML on mobile equipment (Hasan, Sugla & Viswanathan, 2016). Paessler offers high-standard mapping to make network views customisable, tracks virtual environments, has new remote probes and sensors to observe far-away systems, and has native built-in Linux monitoring functions.


Spiceworks

Spiceworks is used in small and medium businesses. It is quick and not stressful to install in a Windows environment. The dashboard is completely configurable and user-friendly, and it is a complete solution for monitoring inventory.



Dev, R. H., Emery, D. H., Rustici, E. S., Brown, H. M., Wiggin, D. S., Gray, E. W., & Scott, W. P. (2016). U.S. Patent No. 5,504,921. Washington, DC: U.S. Patent and Trademark Office.
Case, J., Mundy, R., Partain, D., & Stewart, B. (2017). Introduction to version 3 of the Internet-standard network management framework (No. RFC 2570).
Hasan, M., Sugla, B., & Viswanathan, R. (2016). A conceptual framework for network management event correlation and filtering systems. In Integrated Network Management, 2016. Distributed Management for the Networked Millennium. Proceedings of the Sixth IFIP/IEEE International Symposium on (pp. 233-246). IEEE.
Kim, H., & Feamster, N. (2013). Improving network management with software-defined networking. IEEE Communications Magazine, 51(2), 114-119.

Assignment 4


There are various scanning tools available on the market; they are automated tools that look for web vulnerabilities such as SQL injection, path traversal, XSS and command injection. The tools have large vulnerability databases and cover over 5000 vulnerabilities. They have features such as advanced reports, deep scan technologies and intelligent scanning algorithms. Every web application owner has to make sure that his or her website is protected from and free of online threats (Mohammed, 2016). They have to ensure that sensitive and vital information is not leaked. Regular or routine vulnerability scanning is essential for any website (Jensen, Pedersen, Olesen & Hansen, 2015), as it mitigates potential risks posed to the system.

There are two types of web scanning tools: commercial and open source. For commercial tools, a company or individual has to pay to gain access. The scanning tools can be automated for continuous security alerting. Some of the commercial web scanners are Acunetix, Detectify and Qualys. Licences are either the GPL licence or a commercial licence. Under the GPL licence, the source code is provided and can be accessed, modified and distributed by anyone; the tools allow redistribution and modification of this code (Mirjalili, Nowroozi & Alidoosti, 2014). They give room for a user to download a tool and conduct a security check as the need arises. The only limitation is that not all of them can test as broad a range of breaches as a commercially licensed tool. A GPL-licensed scanning tool can still offer both offensive and defensive security vulnerability testing (Mohammed, 2016).

While free tools are available on the market, they have limited capability compared to their commercial counterparts. Commercial software is costly and has more functionality than the free licences. Premium software has dedicated customer support and provides regular upgrades and bug fixes. Most freeware is community developed and therefore lacks a standard. Premium software has a standard, and it is free from advertisements (Mohammed, 2016).

There are several open source scanners available today, which are discussed below. They vary in functionality, capabilities, availability and usability. Open source tools are available to any individual, be it an ordinary user, a hacker or an ethical hacker. The following sections describe the web scanning tools.


Wapiti allows for a full audit of the security of a website and other web applications. The application performs web scans by crawling web pages, looking for scripts and all web pages of all the deployed applications and looking for loopholes where it can inject data (Dessiatnikoff, Akrout, Alata, Kaâniche & Nicomette, 2018). When it goes into forms and URLs, it acts like a fuzzer that injects payloads and finds out whether the script has any form of vulnerability. The current Wapiti 3.* has a file disclosure feature which covers fopen, require and readfile. It also detects XSS injection, both reflected and permanent, including CRLF injection such as session splitting and session fixation, and XXE injection; it also checks for weak .htaccess files that can easily be


The software supports both GET and POST requests, allows brute-force requests over HTTP, and supports the multipart input type, meaning that it can inject file uploads into the systems. It generates vulnerability reports in TXT files, can detect and suspend a scan, may give many GUI output colours and different levels of verbosity (Mirjalili, Nowroozi & Alidoosti, 2014), and has support for HTTPS, SOCKS5 and HTTP proxies. Moreover, it handles authentication via various methods such as Basic, Digest and Kerberos, restrains the scope of the domain to be scanned, and adds or removes parameters of a URL. The tool safeguards URLs to explore even if a URL is not in scope, verifies SSL activation, has several controls to adjust crawler behaviour and limits, and supports a custom HTTP header or a custom user agent.


Nikto has been in existence for over a decade, and Netsparker sponsors it. The main goal of Nikto is to detect misconfigurations in web servers, plugins and web weak points. The tool, however, cannot detect SQL injection and XSS bugs. Nikto is comprehensive and checks for over 6500 threat items. It is compatible with NTLM authentication, HTTP proxy servers, SSL and several others, and Nikto calculates the maximum execution time for each target scan. The tool can be accessed via Kali Linux, and it has benefits for the intranet as a solution to locate the security risks of web servers (Daud, Bakar & Hasan, 2014).

Nikto is designed for stealth mode operations; it works in a test server mode, has quick server modes, provides log files, and has anti-IDS methods. Nikto has SSL support and full HTTP proxy support. The software can give reports in plain text, HTML, CSV and NBE formats (Mohammed, 2016). Nikto reports unusual headers, has an interactive status, replays saved positives and other requests, and has options that guess credentials for authorisation, including password combinations. In addition, it can enhance false-positive reduction via header checks (Mirjalili, Nowroozi & Alidoosti, 2014).


Arachni is a high-performance scanner built on a Ruby framework for modern web applications. The tool is available as a portable binary for Windows, Linux and Mac. Arachni does not treat a site as static; it can fingerprint platforms (Fonseca, Vieira & Madeira, 2017) and carries out both passive and active checks. Forgery, path traversal, response splitting, local file inclusion, invalid DOM redirects, source code disclosure and command injection are some of the vulnerabilities Arachni can detect. Arachni is compatible with Windows, Linux, Unix, BSD and Solaris. It works with Java, Python, ASP, Ruby and PHP, and it gives the user the ability to output the audit report in HTML, text, YAML, XML or JSON. Another feature of Arachni is that it extends scanning to a higher level by leveraging plugins.


Vega is an open source web scanner used in security testing for vulnerabilities. Vega can be useful in finding and validating SQL injection, disclosure of sensitive information, cross-site scripting and many other vulnerabilities (Mohammed, 2016). The application is written in Java and is cross-platform. The Vega client is useful in finding issues such as reflected cross-site scripting, blind SQL injection and shell injection. Vega has an automated scanner that can discover XSS, it can be used to inspect communications between server and client, and it can be used for SSL interception for HTTP sites.


Fonseca, J., Vieira, M., & Madeira, H. (2017, December). Testing and comparing web vulnerability scanning tools for SQL injection and XSS attacks. In 13th Pacific Rim International Symposium on Dependable Computing (PRDC 2017) (pp. 365-372). IEEE.
Daud, N. I., Bakar, K. A. A., & Hasan, M. S. M. (2014, August). A case study on web application vulnerability scanning tools. In Science and Information Conference (SAI), 2014 (pp. 595-600). IEEE.
Jensen, T., Pedersen, H., Olesen, M. C., & Hansen, R. R. (2016, October). Thaps: automated vulnerability scanning of PHP applications. In Nordic Conference on Secure IT Systems (pp. 31-46). Springer, Berlin, Heidelberg.
Dessiatnikoff, A., Akrout, R., Alata, E., Kaâniche, M., & Nicomette, V. (2018, December). A clustering approach for web vulnerabilities detection. In 17th IEEE Pacific Rim International Symposium on Dependable Computing (PRDC 2014) (pp. 194-203). IEEE Computer Society.
Mirjalili, M., Nowroozi, A., & Alidoosti, M. (2014). A survey on web penetration test. Advances in Computer Science: An International Journal, 3(6), 107-121.
Mohammed, R. (2016). Assessment of web scanner tools. International Journal of Computer Applications (0975-8887), 133(5).

Assignment 5

1. Security Policy Manual

Security is a concept of providing defense and protection and developing effective policies. The essence of business security is providing the minimum required standards for the operation of the security plans and procedures that can assist in reducing crime and identifying the individuals who commit crimes. A security manual is used in implementing a security program and focusing on the activities that create risks for a company (Yeh & Chang, 2017). The security program begins with a security plan that puts preventive measures in place for each office. The development of a security plan includes the constant appraisal of the organization's vulnerabilities and threats. The threats can come from personnel, assets and liabilities, customers, procedures and policies, intellectual property, organizational structure and even legal obligations. For a security policy to be effective, there must be a continuous assessment of risks for every office, and there is also a need to identify appropriate solutions that would reduce the projected losses to every function and


The security manual is developed from a security survey; the activities that may carry an unacceptable level of risk should be assessed and documented in a security policy manual. The security policy will deal with physical, technical, information-protection and procedural security.

2. Company Introduction

Medev Limited is a financial services company with networked computers and distributed offices throughout the United States. The company has a connection to the Internet as well as a private intranet through which its core operations are carried out. Major financial transactions go through a specialized and protected system. Therefore the company needs a security policy to safeguard its assets. The cybersecurity policy has been developed for the people who have authorized access to the information systems. The cybersecurity document has several uses. The main one is to inform the directors of their obligations to protect information as a core asset of the company (Crowley, 2013). The security policies in the document describe what information is to be protected and identify the threats to the asset. The policy also describes the responsibilities of the user and what constitutes best use; the answers to these questions form the description of acceptable use and the penalties for violations of the policy. The system for reacting to occurrences that compromise the security of the organization and its systems is incorporated into the document.

3. Information protected by the organization

All users of the company's data have the responsibility to protect the information asset. Protecting information from unauthorized access is necessary, and the protection must cover system software, hardware, web applications and application software. System software includes database management systems, file system backup and restore, and communication protocols (Tipton & Nozaki, 2017). Application software comprises the off-the-shelf applications and many other packages used within the company. Communication and network hardware includes the network hardware and software, including routing tables, routers, switches, multiplexers and other associated network management tools.

4. Information Classification

The data that users find valuable in the system will be classified as either public or confidential. The organization has direct control over each asset and is required to review and approve the classification of the data and apply the appropriate levels of security to protect it. All data must be classified and managed by the organization.
5. Computer and asset classification

Table 1 below shows the computer assets and their description.

Table 1: Computer Assets and their Description

Security Level: RED
Description: A computer on which all information is classified as confidential and cannot be revealed to any personnel. The information in this classification can only be revealed on a need-to-know basis. The major use of a system under the RED classification is to provide mission-critical services that are important to the critical operations of the company. In case of a system failure, there might be adverse consequences to the
Example: The system holds the confidential data and other information in the database. It includes the network routers and firewall that hold routing tables and other routing data.

Security Level: GREEN
Description: The GREEN system contains confidential information or performs critical processing; the main use of the green systems is to provide access to the RED systems. The access is network enabled (Crowley, 2013).
Example: The systems in this category include the user departments and the many PCs that are used in accessing the server application. The network or administrative systems use the workstations.

Security Level: WHITE
Description: The system cannot access the RED or GREEN systems. It does not perform any mission-critical function or contain any mission-critical information.
Example: An example in this category is a word processor used by the company secretary. Another example is a test system used by the designers and software engineers to test and develop new computer networks.

Security Level: BLACK
Description: The BLACK system is externally available to users and is isolated from the critical components by a firewall. These systems are of importance to the company, but they are of less importance to the
Example: BLACK is a public company server without any critical information.

6. Network Classification

A LAN can be classified by the applications and other systems that are directly connected to it (Tipton & Nozaki, 2017). A LAN may have one RED component, and the users who can access that component are classified as RED users. A LAN takes on the security classification attached to it, to ensure maximum protection for every LAN.

7. Security Definitions

Systems externally accessible to the public: these systems can be accessed over the network by personnel outside the company without needing a password to log in. The systems respond to ping and can be pinged from the Internet, and the public accesses information on them.

Non-public systems with external access: in the private network, the client will require a valid username and password to access the system. The system administrator issues the ID and password, and there should be another layer of security provided by the system, for example a firewall between the Internet and the system (Tipton & Nozaki, 2017). The system can be reached via the FTP server, which can be used for exchanging files with partners, for example through the email systems.

Internally accessible systems: the users of these systems have a valid password and ID to log into the systems (Siponen & Willison, 2017). The internal systems have a firewall, and perhaps another layer of firewall, to protect them from the Internet. An internal system is visible only to internal users and not to external users. The system needs to be designed so that it does not respond to ping.

8. Threats to security

8.1 Internal Employee

Employees pose risks to data and can be a major point of vulnerability: they can damage the system through incompetence or deliberately slow down the operation of the systems (Crowley, 2013). Security has to be layered to compensate for this, and the threat can be mitigated as well. The threat from employees might be mitigated by granting employees only the appropriate rights to the system. Therefore, access to the systems should be limited to business hours and users should not share accounts. Logins should not be shared between users, and when users are separated, their access to the various components of the systems is limited; in addition, all system logs should be retained, and the computer assets should be secured so that only authorized staff have access.

8.2 Amateur hackers and other sources of threats such as vandals

Attacks from these types of attackers are high in number and highly likely to occur. The perpetrators commit crimes of opportunity or are just trying to beat the systems (Crowley, 2013). Hackers scan the Internet for security loopholes using various hacker tools; the attack is well planned, and they will plant viruses on the systems or use the system resources for their own purposes. If this class of hackers finds no loophole in the system, they might move on to easier targets.

8.3 Criminal hackers

Attacks from this type of attacker are relatively rare because few have this level of skill. Their skills are advanced, and they may be proficient in using the tools used for hacking systems (O'Brien & Marakas, 2016). If they find a loophole in the systems, they might carry out a successful attack.

9. User responsibilities

This section establishes the usage policies for the computing systems, information and system resources of the office. The description covers all employees who use the system and network, business partners and any other individual who has been granted access to the company's systems.

9.1 Acceptable use

All user accounts should be used for their intended purpose only and not for personal use. Any unauthorized use of the systems amounts to computer abuse and should be punishable by law. The company therefore classifies unauthorized use as a criminal offense that may be pursued in a court of law. The users of the systems are responsible for the protection of the confidential data in their accounts, including passwords and logon information (Crowley, 2013). Employees should not make copies of such information, and the information should not be distributed to unauthorized individuals within or outside the company. Users shall not use the system with intent to harass or to degrade the performance of the system. They are also not allowed to divert system information to any purpose other than the intended one.

Users shall not attach unauthorized devices to their PCs unless they have a specific use for the devices and that use is within the security boundaries (O'Brien & Marakas, 2016). Users of the systems are bound not to download unauthorized software from the Internet to their workstations. All users are expected to report any misuse or violation of Internet use, and any misconduct, to their immediate supervisor.

9.2 The use of the Internet

Employees and contractors must have permission from the security administrator. The Internet must be regarded as a business tool for the company and shall be used only to further the company's agenda (Crowley, 2013). Internet use shall be restricted to business processes such as sending and receiving company emails, obtaining useful information about the business and other relevant topics. The Internet may not be used for transmitting, storing or retrieving information of a critical nature to a group, or for other purposes that are threatening in nature.
10. User classification

The users of the network are the people who use the devices connected to the network. Their mission is to use the network to carry out their daily job routine. All users on the network are required to know the security policies, and any violation by any person should be reported to the system administrator. All system users must comply with the Acceptable Use Policy defined in this document. The organization has the following user groups, with their access privileges defined. Table 2 below shows the users and their designated responsibilities.

Table 2: The users and their responsibility

User: Users (Employees)
Responsibility: They have RED and GREEN access to the system database.

User: Security Administrator
Responsibility: Has the highest level of clearance; allowed to access all the components of the network, firewall and databases as required by the job function.

User: System Analysts
Responsibility: Have access to many applications and the database. They have no access to the company routers and firewalls.

User: Contractors/Consultants
Responsibility: They have access to the databases on a need basis; access to routers and hubs is restricted on a need basis. They also know the security policies and the information systems, and their access must be documented and authorised by the system analyst (Crowley, 2013).

11. Monitoring and use of Systems

The company has the right to trace all electronic information created by an individual that passes through the system, including email messages and network use. The company has no mandate to monitor employees' use of computer systems continuously (Dhillon & Backhouse, 2016). The surveillance is not limited to files sent through the network, emails and other electronic information sent through the network; its purpose is to ensure that information sent through the network follows best practices and is within the laws and regulations of Medev.


12. Subordinate Policies

Subordinate policies cover the core functions of the system: controlling access to information deemed critical to the company, where control extends to the modification, distribution and disclosure of sensitive information. The reason for controlling network access is to ensure that only authorized individuals can use the system. In this network, access control is done via a password and a user-provided identity (Farn, Lin & Fung, 2014).

12.1 User Network Access

The system will be accessed using passwords, and the passwords must meet the following criteria:

- Passwords must be changed after seven days and should be unique.
- User accounts should be frozen after a few failed login attempts.
- Passwords and logins may be suspended after 34 days without use.

12.2 System administrator Access

The system administrators will have RED and GREEN access to the system. The access includes access to the databases, routers, hubs and firewalls that are required to fulfil their roles within the company. All employees whose contract has been terminated must have their passwords erased from the system.

12.3 Special System Access

Special access is granted to people who need temporary access to the system, for example contractors. The password provided will expire within a given period (Hong, Chi, Chao & Tang, 2013). There should be documentation showing that a specific person has a special account and for what purpose.

12.4 Connection to third-party networks

Third-party networks include those of consultants and vendors that need to share information with the company. Employees of the company use the third-party networks for the company's business purposes. In this case, the third-party company will take all precautions so that only the individual concerned accesses the data required by the company for business purposes.

13. Non-Compliance

The company takes information protection seriously, and persons who violate the rules on the use of information technology should be punished accordingly. If anyone violates this policy, the company may be forced to pursue disciplinary procedures. Disciplinary action shall be taken on a case-by-case basis (Dhillon & Backhouse, 2016). State and federal laws may be used against any employee found guilty, who shall be prosecuted according to the laws and the regulations of the company policy manual. Where the violator is not an employee of the company, the incident shall be pursued as a civil or criminal suit, and the information may be referred to law enforcement officers to determine whether proceedings should be opened against the person.
14. Incident Handling Procedures

In this section, the procedures for handling security incidents are defined. An incident is an adverse or irregular event that threatens the integrity or availability of information in any part of the information systems. Examples of information security incidents include:

- Illegal access to a computer system by an intruder, for example a hacker accessing file systems and copying passwords.
- Damage to a computer system caused by a man-in-the-middle attack, or physical damage caused by a worm or a Trojan released by an attacker.
- Malicious use of the company systems to launch an attack on computers outside the company network.

Figure 1 below shows an example of the common incident handling procedure.

Figure 1: Incident Handling Procedure (Google Images, 2019)

Employees who think that their terminal has been compromised should report to the system administrator immediately. The system shall remain on and shall not be shut down or removed from the network until the source of the threat is located (Dhillon & Backhouse, 2016). Threat identification is important in identifying the source, the steps necessary to avert the threat and future solutions to the problem.



Dhillon, G., & Backhouse, J. (2016). Technical opinion: Information system security management in the new millennium. Communications of the ACM, 43(7), 125-128.
Hong, K. S., Chi, Y. P., Chao, L. R., & Tang, J. H. (2013). An integrated system theory of information security management. Information Management & Computer Security, 11(5).
Tipton, H. F., & Nozaki, M. K. (2017). Information security management handbook. CRC Press.
Yeh, Q. J., & Chang, A. J. T. (2017). Threats and countermeasures for information system security: A cross-industry study. Information & Management, 44(5), 480-491.
O'Brien, J. A., & Marakas, G. M. (2016). Management information systems (Vol. 6). McGraw-Hill.
Siponen, M., & Willison, R. (2017). Information security management standards: Problems and solutions. Information & Management, 46(5), 267-270.
Crowley, E. (2013, October). Information system security curricula development. In Proceedings of the 4th Conference on Information Technology Curriculum (pp. 249-255). ACM.
Farn, K. J., Lin, S. K., & Fung, A. R. W. (2014). A study on information security management system evaluation: assets, threat and vulnerability. Computer Standards & Interfaces, 26(6), 501-513.

Assignment 6

Objective and Scope of the Standard

The Web Application document outlines the practices that establish the basic requirements for Columbia University web applications, including University-supported software and applications. The document is intended to be used by the faculty in charge of the development and support of the sites and web applications. It gives the coding standards, which are based on generally accepted standards, limits the security vulnerabilities, and provides references to information about web security vulnerabilities so that their causes and their remediation can be understood.

Vulnerabilities of web applications take different forms, and there are attacks that use injection, which exploits vulnerabilities in the website. In other words, the attacker manipulates data in the URL, forcing an exploitable malfunction in the application. A successful attack may give an attacker control over the application and easy access to the database and server. Any such access can have disastrous results. Most attackers' goal is to obtain data, and the data is mostly obtained from business databases containing information that could be sold or used by an attacker for their own benefit. Some of the most commonly sought-after data include strategic business plans, competitive analyses and confidential customer data. Confidential customer data is the most sought after because it can be sold to third parties. Personally identifiable data can include addresses, passwords and dates of birth. When a company loses millions of data records, it becomes almost impossible to contain the damage. The attacks may also target individual computers, infecting them with malware that redirects links to sites that steal information from the user's personal computer. The malware can also trick users into revealing their confidential information and may hijack people's data, and a computer may be attacked and turned into a spam server to further the attacker's goals.

Everyone responsible for network maintenance, services and other websites must conform to this standard.


Objective and Scope of the Standard ..... 22
Threat Risk Modeling ..... 23
Web Security Standards ..... 24
  Deny access for exceptional conditions ..... 24
  All inputs should be validated, and all output be sanitized ..... 25
  Maintain the Separation of Duties ..... 25
  All authentications and authorization must be verified ..... 26
  All the users must be assigned the least privilege principle ..... 26
  Establish the default settings ..... 27
  Keep the attack surface area minimized ..... 27
  Keep the security simple ..... 27
  Provide defense in depth ..... 28
  Maintain the audit logs ..... 28
  Supplemental security requirements ..... 29
OWASP Web Application Security Checklist ..... 29
SANS top 25 most Dangerous Software Errors ..... 30


The information presented in the document is consistent with OWASP and other sources that are organized as industry best practices. The policy has been developed for Illinois University. The OWASP open community is dedicated to enabling organizations to develop, maintain and purchase applications that can be deployed by an organization. The OWASP chapters are free and open to everyone interested in improving applications (Huang, Yu, Hang, Tsai, Lee, & Kuo, 2014). The SANS Institute was established as a research institute and has security at the core of its activities. At the heart of SANS there exist many organizations that work together to help.

Threat Risk Modeling

Threat risk modeling describes the approved threat and risk methodologies, which help provide the context for the web application standard. Before consistent security features and controls are defined, the context of the web application standards will be examined to help in controlling the significant risks to the web applications. For the successful application of the standard, it is important to have full knowledge and a full assessment of the significant risks to web applications. The risk modeling process shown in this section is as described by the risk modeling standards presented by OWASP.

After performing the risk evaluation, the system administrator monitors the controls that need to be implemented. To determine the type of control to be put in place, requirements must adhere to the availability, confidentiality and accountability information security methodology, to determine how the security controls can be applied to data when using the CIAA approach.

Web Security Standards

Deny access for exceptional conditions

Error handling is very important in making sure that code is secure. This is evident when an exception occurs during the application of security controls: the importance of the security decision, and of the behavior that would not be allowed, must be taken into account. In this scenario, there are three possible outcomes from a security mechanism: allowing the operation, disallowing the operation, and exception handling.

The general rule is that operations must be designed so that, should there be any failure, the same execution path is always followed. Methods such as Validate and Authorize should not return true when an exception occurs during data processing.
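As an added illustration (not code from the standard or from the page's sources), the following Python shows the fail-closed pattern this rule asks for: an authorize routine whose exception path ends in the same refusal as an explicit denial, next to the fail-open variant it replaces. The role table, request fields and function names are constructed for the example.

```python
# Added example, not code from the standard or the page's sources: a
# fail-closed authorization check in which every exception ends in the same
# refusal as an explicit denial. Roles, operations and names are constructed.
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ERROR = "error"     # exception during evaluation; handled exactly like DENY


# Constructed role table: role -> operations that role may perform.
ROLE_PERMISSIONS = {
    "analyst": {"read_report"},
    "admin": {"read_report", "edit_report", "manage_users"},
}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    operation: str


def authorize_fail_open(req: Request) -> bool:
    """The pattern the rule forbids, kept here only for contrast.

    The KeyError for an unknown role is swallowed and control falls through
    to the final `return True`, so an exception path ends in an allow.
    """
    try:
        if req.operation not in ROLE_PERMISSIONS[req.role]:
            return False
    except KeyError:
        pass                       # defect: an unknown role is not treated as a denial
    return True


def authorize(req: Request) -> Decision:
    """Fail-closed authorization: exactly one path leads to ALLOW.

    Malformed requests, unknown roles and any unexpected error all land in
    ERROR, which callers treat the same way as DENY.
    """
    try:
        if not req.user or not req.operation:
            raise ValueError("malformed request")
        permitted = ROLE_PERMISSIONS[req.role]     # KeyError for an unknown role
    except Exception:
        return Decision.ERROR
    return Decision.ALLOW if req.operation in permitted else Decision.DENY


def handle(req: Request) -> str:
    """One execution path for every non-ALLOW outcome, as the rule requires:
    the caller cannot distinguish a denial from an internal failure."""
    if authorize(req) is Decision.ALLOW:
        return "performed"
    return "refused"


if __name__ == "__main__":
    probe = Request("eve", "ghost", "manage_users")     # constructed: unknown role
    print("fail-open  :", authorize_fail_open(probe))   # True, the defect
    print("fail-closed:", authorize(probe).value, "->", handle(probe))
```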

All inputs should be validated, and all output be sanitized.

All inputs to the website must be validated. The data must be decoded before any validation takes place, and all inputs must be checked. The length of the input must be checked: verify that it falls within the allowable range between a minimum and a maximum. All acceptable data types must be checked; for example, the system must be able to determine whether the input consists of letters and numbers only (Huang, Tsai, Lin, Huang, Lee & Kuo, 2015). The last check, on the acceptable data types, examines whether the input contains non-alphabetic, non-numeric or special characters.

All inputs must undergo sanitization to ensure that they do not reveal a lot about the system. The messages sent to users should not provide too much information that may be exploited by an attacker (Catteddu, 2016). Error messages should not reveal the inner workings of the system. One example is an invalid password, where the user ID is provided by the user: the messages should not contain information about system components or directories, but should inform the user of the invalidity of the input. An example of the message can be "Invalid input", and not "Invalid Password or Username". The second error message should show what is required of the
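The following Python validator is an added example (not part of the standard being summarized or its sources) that applies the checks in the order given above: decode first, then the length range, then an allow-list of characters, returning only the generic "Invalid input" message to the user while keeping the precise reason for the server-side log. The field rules and the bounded repeated decoding are assumptions of the example.

```python
# Added example, not code from the standard the page summarizes.
# Order of checks follows the text: decode, then length, then character class.
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote_plus


@dataclass(frozen=True)
class Field:
    name: str
    min_len: int
    max_len: int
    allowed: re.Pattern        # allow-list: the only characters accepted


# Constructed rules for a login form (assumptions of this example).
FIELDS = {
    "username": Field("username", 3, 32, re.compile(r"[A-Za-z0-9]+")),
    "account_no": Field("account_no", 8, 12, re.compile(r"[0-9]+")),
}

GENERIC_ERROR = "Invalid input"    # the only text shown to the user


@dataclass(frozen=True)
class Result:
    ok: bool
    value: Optional[str]           # decoded, validated value when ok
    user_message: str              # generic on failure, never internal detail
    log_reason: Optional[str]      # precise reason, for the server-side log only


def decode(raw: str) -> str:
    """Decode before validating, so %27 is judged as the quote it becomes.

    Decoding is repeated a bounded number of times so that a double-encoded
    value (%2527) cannot slip past a check that only decodes once.
    """
    value = raw
    for _ in range(3):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def check(field_name: str, raw: str) -> Result:
    """Validate one form field against its rule; fail with a generic message."""
    field = FIELDS.get(field_name)
    if field is None:
        return Result(False, None, GENERIC_ERROR, "unknown field")
    value = decode(raw)
    if not field.min_len <= len(value) <= field.max_len:
        return Result(False, None, GENERIC_ERROR,
                      f"length {len(value)} outside {field.min_len}..{field.max_len}")
    if not field.allowed.fullmatch(value):
        return Result(False, None, GENERIC_ERROR, "disallowed characters")
    return Result(True, value, "", None)


if __name__ == "__main__":
    # Constructed sample submissions: one clean value, one with an encoded quote.
    for name, raw in [("username", "alice01"), ("username", "al%27ice")]:
        r = check(name, raw)
        print(name, "->", "accepted" if r.ok else r.user_message, "| log:", r.log_reason)
```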
Maintain the Separation of Duties

There must be another entity that monitors actions. The main goal of separation of duties is to reduce the possibility of one unit carrying out all processes and concealing prohibited actions. In general, the application administrator should hold a single responsibility. In the given scenario, separate accounts should be maintained, and the application administrators' accounts should be used for authorized tasks only.

All authentications and authorization must be verified

There must be security controls that monitor all authentications, and the users must be identified. Identification must be done using a username and password. The password must have a significant length and must include alphanumeric characters and, if possible, special characters as well. After the user is authenticated (Bau, Bursztein, Gupta & Mitchell, 2016), the system must ensure that the access rights of the user are enforced, employing the least privilege principle.

All the users must be assigned the least privilege principle

Least privilege must encompass user rights and permissions, including database and file access. The permissions should allow users to perform only the limited functions they need in the system, ensuring that no user holds rights beyond those required. Requests for access must also be approved by the responsible authority or manager (Stuttard & Pinto, 2014). The user may need read access rights on the application, and that permission is granted to the user. Users cannot raise their own access level; it is changed only through that approval.

Establish the default settings

Some security-related parameters, such as passwords and password length, must not be changeable by the user. If an application uses more than one account, there should be a different password for each account. When accounts are inactive, their passwords should be disabled or removed (Erlingsson, Livshits & Xie, 2017). When a default password is created, it must be changed immediately and replaced by a new one.

If the application requires a default password to be used for the initial sign-on, or when a password is forgotten, then the reset logon should be complex and should be replaced by another complex one. The new logon must be different for every user. The default password should have an expiry date, usually not more than 24 hours, and it must be used only once, after which it will have to be reset.
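The Python below is an added example (not from the page or its sources) modelling the account rules from this section together with the password criteria of section 12.1 of Assignment 5: a seven-day password age, freezing after a few failed logins, suspension after 34 days without use, and one-time default passwords that expire within 24 hours. The lockout threshold of five attempts and all account data are assumptions, since the policy only says "a few attempts".

```python
# Added example, not code from the page or its sources: a model of the
# account rules in the policy. The threshold of 5 failed attempts is assumed.
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Set

PASSWORD_MAX_AGE = timedelta(days=7)        # 12.1: change after seven days
INACTIVITY_LIMIT = timedelta(days=34)       # 12.1: suspend after 34 days unused
DEFAULT_PASSWORD_TTL = timedelta(hours=24)  # default settings: expire within 24 hours
LOCKOUT_THRESHOLD = 5                       # assumed value for "a few attempts"


@dataclass
class Account:
    user: str
    password_set_at: datetime
    last_login: Optional[datetime] = None
    failed_attempts: int = 0
    must_reset: bool = False                        # set after a one-time logon is used
    default_issued_at: Optional[datetime] = None    # one-time default/reset password
    default_used: bool = False


def account_state(acct: Account, now: datetime) -> str:
    """State a login handler must act on, most restrictive condition first."""
    if acct.failed_attempts >= LOCKOUT_THRESHOLD:
        return "frozen"
    last_activity = acct.last_login or acct.password_set_at
    if now - last_activity > INACTIVITY_LIMIT:
        return "suspended"
    if acct.must_reset or now - acct.password_set_at > PASSWORD_MAX_AGE:
        return "password_expired"
    return "active"


def record_login_attempt(acct: Account, now: datetime, success: bool) -> str:
    """Apply one login attempt and return the resulting state.

    Attempts against a frozen or suspended account are not processed, so they
    can neither succeed nor reset the failure counter.
    """
    state = account_state(acct, now)
    if state != "active":
        return state
    if success:
        acct.failed_attempts = 0
        acct.last_login = now
        return "active"
    acct.failed_attempts += 1
    return account_state(acct, now)


def issue_default_password(acct: Account, now: datetime, issued: Set[str]) -> str:
    """Issue a complex one-time logon that differs from every one issued before."""
    while True:
        candidate = secrets.token_urlsafe(12)   # 16 URL-safe characters
        if candidate not in issued:
            break
    issued.add(candidate)
    acct.default_issued_at = now
    acct.default_used = False
    return candidate


def default_password_usable(acct: Account, now: datetime) -> bool:
    """A default password is valid once, and only within 24 hours of issue."""
    if acct.default_issued_at is None or acct.default_used:
        return False
    return now - acct.default_issued_at <= DEFAULT_PASSWORD_TTL


def consume_default_password(acct: Account, now: datetime) -> bool:
    """Accept the one-time password once; the user must then set a real one."""
    if not default_password_usable(acct, now):
        return False
    acct.default_used = True
    acct.failed_attempts = 0
    acct.must_reset = True      # next state check reports "password_expired"
    return True
```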

Keep the attack surface area minimized

To minimize attacks, the vulnerable zone must be reduced. The more entry points there are to the applications, the more vulnerabilities there are in the system. When there are many entry points to the system, there are many ways in which the system can be attacked. Every feature added to the system adds risk and hence more ways in which the system can be attacked. A secure system should have the fewest entry points and the fewest applications added, the bare minimum to meet its functionality. Each feature of the system must function only as required and should be prevented from performing functions outside the system requirements.

Keep the security simple

The security of the system must be kept simple. System functionality can often be implemented with simple code, yet some coders prefer complex code instead. Overly complex security architecture must be avoided because the simpler approaches are faster and more efficient to use. When obscurity is used as a security control, it fails if it is the only control available in the system. The security of a system should not rely on hidden mechanisms but on simple security features, and not on the knowledge that some code is kept secret (Johari & Sharma, 2015). The security of the system should not rely on the many functions of the system; there should be defense in depth, transaction limits should be defined, and network controls and audit trails must be well defined.

Provide defense in depth

Defense in depth recognises that a few controls may be sufficient, but a layered defense that addresses different risks is better. The main aim of the controls is to make exploitation of vulnerabilities unlikely. With more layers of control, circumvention becomes more difficult than with a single control. The security controls should not be so complex that they cannot be traced. In web-based coding, the defense mechanism can be multiple authentication layers and requiring several user actions during login.

Maintain the audit logs

No matter how good the defenses are, exploits must still be guarded against. Sufficient audit logs should be put in place so that when an unauthorized login occurs in the system, there is sufficient evidence in the logs (Erlingsson, Livshits & Xie, 2017). User activities must be documented, and information system security reports must be produced.

Where possible, the audit procedures must also be documented, together with the security administration procedures such as restricted account access, unsuccessful attempts to access the system and the dates when those attempts took place. The log files must be locked down so that only administrators have access to them. The logs must not be altered; deletion or editing of the log files must not be permitted.

Supplemental security requirements

Web server backups are done regularly. Configure secure web content by configuring anti-spambot protections such as CAPTCHAs or other keyword filtering. Ensure that the website login has the following elements defined (Stallings, Brown, Bauer & Bhattacharjee, 2015): the purpose and function of the web server, the categories of information that are processed, stored and transmitted through the server, and the security requirements for that information as well as any additional requirements. There should be controlled access to the data on the web server.

Security Checklist according to OWASP

All pages in a system must require valid authentication, especially the pages that are accessible to the public. All passwords must be verified, and the password field must have the user confirm the password as it is entered. Password fields must have autocomplete and cut and paste disabled (Stallings, Brown, Bauer & Bhattacharjee, 2015). When users log out of the system, all their sessions must be destroyed. All persons implementing the OWASP security guidelines must have read and understood them.

OWASP Top 10 Security Risks

OWASP requires that all pages in a system have valid authentication, especially the pages that are accessible to the public. All passwords must be verified, and the password field must check the user's password as it is provided. Password fields must have autocomplete and cut and paste disabled. When users log out of the system, all their sessions must be destroyed. There must be a verification mechanism that authorizes a user's access to each URL (Ravishankar, Violleau & Hill, 2015). All persons implementing the OWASP security guidelines must have read and understood them.

The top ten OWASP security risks include injection attacks, which happen when untrusted code is sent to an interpreter through an input form or another part of a web application. An attacker could submit SQL code into a form whose input is handled as plain text, and when there is no form validation, it could result in the code being executed. This type of attack is what we call SQL injection. The second form of attack is broken authentication, where an attacker can access the system and compromise it by logging in as an administrator (Ruiz, 2019). Another attack in the OWASP top ten list is sensitive data exposure; the web application should protect sensitive data, and the protection can be done through encryption of the sensitive data and cache disabling. XML External Entities can also be passed in XML input. The best preventive measure against this type of attack is having the application accept less complex and sensitive data (Ruiz, 2019).

Another attack is broken access control, which refers to failures in controlling access to information and functionality. Through broken access control, the system's authorization could be bypassed, and the attacker can act as though they were a legitimate user of the system. The attack can be prevented by having tokenized system authorization. XSS is another web security risk listed by OWASP (Ruiz, 2019). XSS occurs when the application has a loophole that allows the attacker to add code to the system; the vulnerability can be used to inject JavaScript code into the system. One example is when an attacker sends an email to the victim; the email could seem to be from a trusted bank or service provider (Ruiz, 2019), and the link, when clicked, could provide the attacker with valuable information such as the victim's location, and more personal details could be exposed by the system. XSS can be mitigated by escaping untrusted HTTP request data and validating all user-generated content.

Insecure deserialization is a threat to web applications that frequently serialize and deserialize data. An attacker exploiting insecure deserialization tampers with the contents of data packets before they are delivered, to carry out attacks such as remote code execution and DDoS attacks. One way of keeping the organization safe from insecure deserialization is prohibiting deserialization of untrusted data (Ruiz, 2019). Using components with known vulnerabilities is another way in which developers expose their web applications. The use of libraries that are faulty and can be exploited can have serious consequences for an application. The common example is front-end libraries such as React and Vue. Attackers may look for vulnerabilities in these components and attempt an attack (Ruiz, 2019). When there is a security vulnerability in these components, the attacker may pose a threat to millions of websites that use them. Developers, therefore, must look for security loopholes in these components and ensure that they are patched and regularly


Top 25 Software Errors according to SANS

The list provides the most recurring web and phone application errors that result in exploits and other vulnerabilities. Examples of the vulnerabilities include buffer copy without checking the size of the input, reliance on untrusted input in security decisions, and unrestricted uploads of files, some of which may be. The list also includes cross-site request forgery, open redirect attacks and use of unrestricted uploads. Other elements in the SANS list are improper neutralization of input when a web page is being generated, missing neutralization of the commands used in operating system commands, use of unsafe functions, downloading components without an integrity check, and incorrect buffer size calculation. There is also integer wraparound and overflow. Other errors that result in porous defenses include missing authentication, hardcoded credentials and incorrect authorization (“CWE/SANS TOP 25 Most Dangerous Software Errors”, 2019).

Additional Best Practices

There are more security regulations that should be considered and used within a system. There should be mechanisms to ensure that the timing of access is controlled; for example, immediately after validation, the system should be aware of the next possible actions, and the data to be used next should be in place. If there is a long time lapse between authentication and the use of the data, then the user must log in again to be granted new access (Ravishankar, Violleau & Hill, 2015). The authentication check will ensure that the person using the system is the right person, and when the person walks away from the system without logging out, the system will automatically log the user out.
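The session rules from this paragraph and from the OWASP checklist earlier (automatic logout after a period of inactivity, and destroying all of a user's sessions at logout) as one added Python example; it is not code from the paper or its sources. The `SessionManager` class, the injectable clock and the 15-minute idle limit are assumptions made here, since the paper names no specific interval.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # assumed value; the paper gives no specific interval


class SessionManager:
    """Server-side sessions with idle expiry and whole-user logout.
    Hypothetical helper written for this page; not from any cited source."""

    def __init__(self, clock=time.time):
        self.clock = clock            # injectable so expiry can be tested offline
        self._sessions = {}           # session id -> {"user": ..., "last": ...}

    def login(self, user):
        """Create a session after a successful authentication check."""
        sid = secrets.token_urlsafe(32)   # unguessable identifier
        self._sessions[sid] = {"user": user, "last": self.clock()}
        return sid

    def authorize(self, sid):
        """Return the user for a live session, or None when the user must
        log in again (unknown session, or idle longer than IDLE_TIMEOUT)."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last"] > IDLE_TIMEOUT:
            del self._sessions[sid]   # user walked away: automatic logout
            return None
        s["last"] = now               # activity refreshes the idle timer
        return s["user"]

    def logout(self, sid):
        """Destroy every session of the same user, not only the one presented.
        Returns the number of sessions removed."""
        s = self._sessions.get(sid)
        if s is None:
            return 0
        user = s["user"]
        doomed = [k for k, v in self._sessions.items() if v["user"] == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)
```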
Protecting Information Assets 47
Identify which security level is required for database access by the applications, and limit the access accordingly: when the application requires only read access, the user may not be allowed to update the system, and least privilege must be applied to the application. DBA access to the database must be logged and audited the same day, and application access should go through stored procedures that can track its activities. The application database should be separated from the database server (Ravishankar, Violleau & Hill, 2015). When an evaluation is done, all parties must be involved; the examination of every component must assess business areas such as operational and technological requirements. The components must include input control, output control, authorization control, auditing and logging, and the use of encryption.

Security should be kept as simple as possible and should be configurable. The organization's security must have a plan, and it must be configured from the beginning; ordinary users must be separated from the administrator logins. The practice of least privilege must be incorporated into the system.

Meier, J. D., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R., & Murukan, A. (2013). Improving web application security: Threats and countermeasures. Microsoft Corporation, 3.
Erlingsson, U., Livshits, V. B., & Xie, Y. (2017, May). End-to-End Web Application Security. In
Huang, Y. W., Yu, F., Hang, C., Tsai, C. H., Lee, D. T., & Kuo, S. Y. (2014, May). Securing web application code by static analysis and runtime protection. In Proceedings of the 13th International Conference on World Wide Web (pp. 40-52). ACM.
Catteddu, D. (2016). Cloud Computing: Benefits, risks and recommendations for information security. In Web application security (pp. 17-17). Springer, Berlin, Heidelberg.
Curphey, M., & Arawo, R. (2016). Web application security assessment tools. IEEE Security & Privacy, 4(4), 32-41.
Huang, Y. W., Tsai, C. H., Lin, T. P., Huang, S. K., Lee, D. T., & Kuo, S. Y. (2015). A testing framework for Web application security assessment. Computer Networks, 48(5), 739-761.
Stuttard, D., & Pinto, M. (2014). The web application hacker's handbook: Finding and exploiting security flaws. John Wiley & Sons.
Stallings, W., Brown, L., Bauer, M. D., & Bhattacharjee, A. K. (2014). Computer security: Principles and practice (pp. 978-0). Pearson Education.
Bau, J., Bursztein, E., Gupta, D., & Mitchell, J. (2016, May). State of the art: Automated black-box web application vulnerability testing. In 2016 IEEE Symposium on Security and Privacy (pp. 332-345). IEEE.
Ravishankar, T. S., Violleau, T., & Hill, M. R. (2013). U.S. Patent No. 8,245,285. Washington, DC: U.S. Patent and Trademark Office.
Johari, R., & Sharma, P. (2013, May). A survey on web application vulnerabilities (SQLIA, XSS) exploitation and security engine for SQL injection. In 2015 International Conference on Communication Systems and Network Technologies (pp. 453-458). IEEE.
CWE/SANS TOP 25 Most Dangerous Software Errors. (2019). Retrieved from
Ruiz, G. (2019). OWASP Top 10 Security Risks – Part I. Retrieved from