Professional Documents
Culture Documents
ASSURANCE &
SECURITY 1
MODULE 3
MANAGING DATA, APPLICATION,
AND HOST SECURITY
OBJECTIVES
Upon completion of this module, the student would be able to:
▪ Explain the application security;
▪ Patch management;
▪ Give different application security methods.
▪ Define the Data Security and its goals;
▪ Demonstrate the Layered Security;
▪ Enumerate the types of Data States
▪ Define manage device and host security;
OBJECTIVES
Upon completion of this module, the student would be able to:
▪ Discuss the concept of Operating System Security;
▪ Differentiate the Virtualization Security techniques
▪ Explain the process of mobile device types;
▪ Describe different mobile device vulnerabilities;
▪ Discuss mobile application security controls
MANAGE DATA AND
APPLICATION SECURITY
What Is Application Security?
Application security is the process of making apps more secure by finding, fixing,
and enhancing the security of apps.
Evaluate
Evaluate
Non-
Production
System
Test
Test
Implement
Implement
Application Security Methods
❑Configuration
❑Application hardening
❑Patch management
Input Validation
Delivered Format:
Expected Format: mm/dd/yyyy:DELET
mm/dd/yyyy E table ‘Users”
Malicious Code
❑Client-side validation:
✓ Input validation and error recovery at the browser
✓ JavaScript, AJAX, VBScript, and HTML 5 attributes
❑Server-side validation:
✓ Input validation and error recover at the server
✓ Perl, PHP, ASP, and other scripting languages
Message:
Incorrect
password
Attacker
XSS - Cross-site scripting
XSS Reflected
Attack
XSS - Cross-site scripting
XSS Stored
Attack
Trust Established
Attacker Exploits
Trust
Cross-site request forgery, also known as one-click attack or session riding and
abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF
Cross-Site Attack Prevention Methods
Weaknesses are
found and tracked
Random data is
sent
✓ Parental controls - give guardians the ability to set parameters for what can
show up on a browser
✓ Automated updating
Web Browser Security
❑Benefits:
✓Prevents unauthenticated storage mapping.
✓Prevents copying data without the assigned HSM.
✓Self-governed; not affected by malicious code or other OS issues.
✓Proves that all computers are encrypted and that data is secure.
Types of Hardware-Based Encryption Devices
❑Data at rest
❑Data in transit
❑Data in use
Permissions and Access Control Lists
❑Permissions:
✓Who can read or change data in a file or folder.
✓Implemented at individual file and folder level.
❑ACLs:
✓Who can access files and folders.
✓Implemented as MAC address filters on wireless
routers and wireless APs.
MANAGE DEVICE , MANAGE
MOBILE SECURITY
AND HOST SECURITY
Guidelines for Managing Application Security
❑Consider implementing a combination of client-side validation and
server-side validation.
❑Implement error and exception handling for applications developed in-
house.
❑Establish security configuration baselines.
❑Harden applications, especially web browsers.
❑Implement patch management for applications.
❑Implement input validation.
❑Protect against XSS and XSRF attacks.
❑Protect databases and associated applications.
Hardening
❑ Manage services
❑ Configure firewall
❑ Configure Internet security
❑ Manage automatic updates
❑ Enable auditing and logging
TCB - Trusted Computing Base
Trusted OS
Firmware
A trusted computing base (TCB) refers to
all of a computer system's hardware,
firmware and software components that Hardware
combine to provide the system with a
secure environment.
Security Baselines
Compare
❑ Patches:
▪ Supplemental code
❑ Hotfixes:
▪ Address specific security flaws
❑ Rollups:
▪ Collection of patches and hotfixes
❑ Service Packs:
▪ Comprehensive updates with new features
Application Blacklisting and Whitelisting
❑Black listing:
✓ preventing identified programs from running.
❑White listing:
✓allowing only identified programs to run.
Logging
A log file is a file that records either events that occur in an operating
system or other software runs, or messages between different users of a
communication software.
Auditing
Site security also provides the ability to audit activities within the facility. This
can be done through reviewing camera footage, badge reader logs, visitor
registration logs, or other mechanisms.
Anti-malware Software
Scanning…
Infections detected:
Quarantine 3
infected files
❑Antivirus
❑Anti-spam
❑Anti-spyware
❑Pop-up blockers
❑Host-based firewalls
Virtualization Security Techniques
❑Establish a patch management system.
❑Apply the least privilege concept.
❑Establish log requirements.
❑Establish secure design for virtual components.
❑Take consistent snapshots of virtual environments.
❑Ensure that virtual hosts are consistently available and elastic.
❑Leverage virtual sandboxes for security testing.
Hardware Security Controls
❑Manual updates:
✓Android
✓iOS
❑Wrappers
❑Controlling redundancy and diversity
Strong Passwords
Minimum Length
Special Characters
!Pass1234
Uppercase Letters
Numbers
Lowercase Letters
A basic component of an information security program is ensuring that employees select and
use strong passwords. The strength of a password can be determined by examining the
length, complexity, and randomness of the password.
Mobile Device Types
❑Smartphones
❑Wi-Fi enabled devices
Mobile Device Vulnerabilities
❑Viruses
❑Spam
❑Lost or stolen devices
Mobile Device Security Controls
❑Use device management.
❑Enable screen lock.
❑Require strong passwords.
❑Use device encryption if available.
❑Require remote wipe/sanitization/lockout.
❑Enable GPS tracking if available.
❑Enforce access control.
❑Enforce application control.
❑Track assets and keep inventory.
❑Limit removable storage use.
❑Implement storage segmentation.
❑Disable unused features.
Mobile Application Security Controls