
Uttar Pradesh Textile Technology Institute, Kanpur

B. Tech 2nd Year (3rd Sem)


Cyber Security (KNC301)
Unit 2
Application Security

Application security refers to security precautions used at the application level to prevent the
theft or hijacking of data or code within the application. It includes security considerations made
during application development and design, as well as methods and procedures for protecting
applications once they've been deployed.

What is Application Security?

Application security, known as AppSec for short, includes all tasks that introduce a secure
software development life cycle to development teams. Its ultimate purpose is to improve
security practices and, as a result, detect, repair, and, ideally, avoid security flaws in
applications. It covers the entire application life cycle, including requirements analysis,
design, implementation, testing, and maintenance.

Shashank Saxena (8090315900) Unit 2 - Application Security Page 1 of 27


Application security may include hardware, software, and procedures that identify and mitigate
security vulnerabilities. A router that stops anyone from viewing a computer's IP address over
the Internet is an example of hardware application security. However, application-level
security controls, such as an application firewall that rigorously limits what actions are
allowed and banned, are often integrated into the software. An application security routine
that includes protocols such as regular testing is an example of a procedure.

Why Application Security is Important?

Because today's applications are frequently available over multiple networks and connected to
the cloud, they are more vulnerable to security attacks and breaches. There is increasing pressure
and incentive to assure security not only at the network level but also within individual
applications. One reason for this is that hackers are focusing their attacks on
applications more now than in the past. Application security testing can expose
application-level flaws, assisting in the prevention of these attacks.

The faster and earlier you can detect and resolve security concerns in the software
development process, the safer your company will be. Because everyone makes mistakes, the
trick is to identify them as soon as possible.

Application security tools that integrate with your development environment can make this
process and workflow much easier and more efficient. These tools are especially beneficial
for compliance audits, as they can save time and resources by detecting issues before the
auditors notice them. The changing nature of how enterprise applications are built over the
last several years has aided the rapid expansion of the application security industry.

Types of Application Security

Authentication, authorization, encryption, logging, and application security testing are all
examples of application security features. Developers can also use code to reduce security
flaws in applications.

Authentication

Authentication is when developers include protocols in an application to ensure that only
authorized users have access to it. Authentication procedures verify that the user is who they
claim to be. When logging into an application, this can be performed by requiring the user to
supply a user name and password. Multi-factor authentication requires more than one form of
authentication, such as something you know (a password), something you have (a mobile
device), and something you are (a biometric).

Authorization

A user may be authorized to access and use the application after being authenticated. By
comparing the user's identification to a list of authorized users, the system may verify that the
user has permission to access the application. In order for the application to match only
validated user credentials to the approved user list, authentication must take place before
authorization.

Encryption

Other security measures can safeguard sensitive data from being seen or utilized by a
cybercriminal after a user has been verified and is using the application. Traffic containing
sensitive data that flows between the end-user and the cloud in cloud-based applications can
be encrypted to keep the data safe.

Logging

If a security breach occurs in an application, logging can assist in determining who gained
access to the data and how they did so. Application log files keep track of which parts of the
application have been accessed and by whom.

Application Security Testing

Application security testing is a method that ensures that all of these security controls are functioning effectively.

Tools for Application Security

A complete application security approach aids in the detection, remediation, and resolution of
a variety of application vulnerabilities and security challenges. Solutions for linking the
impact of application security-related events to business outcomes are included in the most
effective and advanced application security plans.

Finding the right application security technologies for your company is crucial to the
effectiveness of any security measures your DevOps or security team implements.

Application security can be divided into numerous categories:

• Static Application Security Testing (SAST): SAST aids in the detection of code flaws by
examining the application source files for the root cause. The ability to compare static
analysis scan results with real-time solutions speeds up the detection of security problems,
decreasing MTTR and enabling collaborative troubleshooting.
• Dynamic Application Security Testing (DAST): DAST is a more proactive approach, simulating
security breaches on a live web application to deliver precise information about exploitable
flaws. DAST is especially useful for detecting runtime or environment-related errors because
it evaluates applications in production.
• Interactive Application Security Testing (IAST): IAST combines parts of SAST and DAST by
performing analysis in real-time or at any moment during the development or production
process from within the application. IAST has access to all of the application's code and
components, allowing it to produce more accurate results and provide more in-depth access
than previous versions.
• Run-time Application Security Protection (RASP): RASP also works within the application,
but it is more concerned with security than with testing. RASP provides continuous security
checks and automatic responses to possible breaches, which includes terminating the
session and informing IT teams.

Application Security Approaches

Different approaches will uncover different subsets of the application's security flaws, and
they'll be most effective at different stages of the development lifecycle. They all reflect the
various time, effort, cost, and vulnerability trade-offs.

• Design Review: The architecture and design of the application can be examined for security
flaws before code is created. The construction of a threat model is a popular strategy used at
this phase.
• White-box Security Review or Code Review: A security engineer delves into the application
by manually inspecting the source code and looking for security issues. Vulnerabilities
unique to the application can be discovered through understanding the application.
• Black-box Security Audit: This is accomplished solely through the use of an application to
test it for security flaws; no source code is necessary.
• Automated Tooling: Many security tools can be automated by including them in the
development or testing process. Automated DAST/SAST tools that are incorporated into
code editors or CI/CD systems are examples.
• Coordinated Vulnerability Platform: Many websites and software providers offer
hacker-powered application security solutions through which individuals can be recognized and
compensated for reporting defects.

What are Application Security Risks?

Security issues with web applications range from large-scale network disruption to focused
database tampering. The following are some application security threats:

• A vulnerability known as cross-site scripting (XSS) allows an attacker to insert client-side
code into a webpage. This gives the attacker direct access to the user's sensitive
information.
• Remote attackers can use denial-of-service (DoS) and distributed denial-of-service (DDoS)
attacks to flood a targeted server or the infrastructure that supports it with various types of
traffic. This illegitimate traffic eventually prevents legitimate users from accessing the
server, causing it to shut down.
• SQL injection (SQLi) is a technique used by hackers to exploit database flaws. These attacks,
in particular, can reveal user identities and passwords, and can enable attackers to edit
or destroy data and to modify or create user rights.
• Hackers employ cross-site request forgery (CSRF) to mimic authorized users after duping
them into submitting an authorization request. Since their accounts have additional
permissions, high-level users are obviously frequent targets of this strategy, and once the
account is compromised, the attacker can remove, change, or destroy data.
• Memory corruption occurs when bad actors execute a variety of attacks on an application
and end up unintentionally changing some area of its memory. As a result, the software
exhibits unexpected behaviour or fails.
• A buffer overflow occurs when malicious code is injected into the system's designated
memory region. Overflowing the buffer zone's capacity causes surrounding areas of the
application's memory to be overwritten with data, posing a security risk.
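
The SQL injection risk in the list above, shown as an added example that is not part of the original notes: a user lookup built by string concatenation beside the same lookup written as a parameterized query. The table, the sample accounts and the function names are constructed for illustration.

```python
import sqlite3

# Constructed sample data; table and column names are assumptions for this example.
SAMPLE_USERS = [
    ("alice", "alice@example.test", "admin"),
    ("bob", "bob@example.test", "user"),
    ("o'brien", "obrien@example.test", "user"),
]


def make_db():
    """Create an in-memory database holding the constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return db


def find_user_vulnerable(db, name):
    """BEFORE: the input is pasted into the SQL text, so it can change the query."""
    query = "SELECT name, email, role FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def find_user_safe(db, name):
    """AFTER: the ? placeholder passes the input as a value, never as SQL."""
    query = "SELECT name, email, role FROM users WHERE name = ?"
    return db.execute(query, (name,)).fetchall()


def compare(db, name):
    """Run both versions on the same input and report what each one returned."""
    try:
        unsafe = find_user_vulnerable(db, name)
    except sqlite3.Error as exc:
        # A stray quote in the input breaks the concatenated statement.
        unsafe = "error: " + type(exc).__name__
    return {"vulnerable": unsafe, "safe": find_user_safe(db, name)}


if __name__ == "__main__":
    db = make_db()
    # An ordinary name, a legitimate name containing a quote, and an input
    # that turns the WHERE clause into a condition that is always true.
    for value in ["bob", "o'brien", "nobody' OR '1'='1"]:
        print(repr(value), compare(db, value))
```

The concatenated version returns every row for the third input and fails outright on the legitimate name containing an apostrophe; the parameterized version treats both as plain values.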

Application Security and APM

There is a symbiotic relationship between application performance management and
application security. Improved visibility into highly distributed or complex environments,
such as microservices architecture and cloud applications, is possible with an effective APM
strategy.

By providing a full picture of an application's infrastructure and components, measuring ideal
performance with dynamic baselining, and alerting when discrepancies or abnormalities are
identified, the APM data can help improve software security. When combined with
application security solutions, APM can provide redundancy and additional support for your
safety program by increasing the depth of information about the inner workings of your
application and system.

Database Security
1. What is Database Security?
Database security is a range of measures, controls, and tools that are designed to establish
and preserve the integrity, confidentiality, and availability of the database.

Confidentiality is the most important aspect of data security because it is the aspect that is
most often compromised.

Database security should be capable of addressing and protecting the data in the database,
the database management system (DBMS), any applications that are associated with it, the
physical database server or the underlying hardware, the virtual database server, and the
network or computing infrastructure that is used to access the database.

Now that we understand what database security tries to accomplish, let us look at the
kinds of database security.

2. Types of Database Security
A) Database security controls

Database security comprises many controls, including DBMS configuration, access, system
hardening, and security monitoring. These controls help to manage the circumvention of
security protocols.

B) System hardening and monitoring

The underlying architecture offers additional access to the DBMS. The systems need to be
hardened using a secure configuration, patched consistently, and protected from all kinds
of access, including any insider threats.

C) Access

A major outcome of database security is the limitation of data access. Access control
authenticates legitimate users and applications and limits what they are capable of accessing.
Access includes designing and granting the appropriate user attributes and roles. It also
limits administrative privileges.

D) DBMS configuration

DBMS configuration is critical: the DBMS must be hardened and configured to take advantage
of its various security features. This helps to limit any kind of privileged access that could
cause a misconfiguration of the security settings. It is important that the DBMS configuration
is monitored and goes through a proper change control process that helps to make sure that
the configuration is consistent.

E) Application security

The application security and database security framework helps to protect against commonly
known attacker exploits that could circumvent access control. This may also include SQL
injection.

F) Authentication

Authentication is an important database security measure. It is the process through which
user credentials are matched against the details that have been stored in the database. It
allows only authenticated users to access the network, the data, and the database platform.

G) Database auditing

Auditing and monitoring of actions are a part of the database security protocol. They deliver
centralized oversight of the database. Auditing helps to deter, detect, and also reduce the
overall impact of any unauthorized access to the DBMS.

H) Encryption

The database security includes security management of the encryption keys. It helps to
protect the encryption system and the management of the secure and off-site encryption
backup. It also gives access to the restriction protocols.

I) Backups

A very crucial part of the database security protocol is the data backup. This makes a data
copy and stores it in a different system. The backup allows one to recover any data that may
have been lost. The data could be lost because of data corruption, any hardware failure,
natural disasters, or hacking.

3. Types of Attacks
There are many kinds of database security threats. A breach could happen because of a
misconfiguration in the software, a vulnerability, careless patterns of use, or misuse. The
most common kinds of database security attacks are listed below.

A) Human error

Accidents, weak passwords, password sharing and any kind of uninformed or unwise
human behaviour could also cause a security breach.

B) Malware

This is software that is written to exploit vulnerabilities and that could cause damage to the
database. The malware may come from any endpoint device that is connected to the database
network.

C) Insider threats

An insider threat can come from a malicious insider who wishes to cause harm, a
negligent insider who makes an entry in the database and makes the database vulnerable to an
outside attack, or an infiltrator who gets the credentials through a scheme such as
gaining access to the database credentials itself.

D) Attacks on the backup

If the organization does not have proper backup data and does not follow the stringent data
controls that are used to protect the database, then it can be vulnerable to backup attacks.

E) The exploitation of the vulnerabilities of the database software

Hackers find and target any kind of vulnerability in the database management software.
All the commercial vendors and those that offer open-source database management platforms
issue patches to address these vulnerabilities. However, a failure to apply these patches in a
timely manner increases exposure.

4. Importance

You need to ensure proper database security measures because:

• If intellectual property gets stolen, it becomes impossible to maintain your
competitive advantage.
• A breach of database security causes damage to the reputation of your brand.
• Some businesses will stop operating if there is a breach.
• There are penalties or fines imposed in case of non-compliance.
• There are costs involved in notifying clients and in repairing the breaches.

5. Best Practices

Database security should extend beyond the database confines.

• The database server should be located in a climate-controlled and secure environment.
• The number of users with database access should be kept to the minimum needed for
them to do their jobs.
• It is important to be aware of who has access to the database and how any data is
being used.
• All the data included in the database should be protected with the best
encryption.
• The latest version of the database management software should be used and all the
patches should be applied.
• Any web server or application can be vulnerable to attack and thus should go
through continuous security testing.
• All the copies, backups, and images should be subject to the same security controls as
the database.
• All the logins should be recorded in the operating system and the database server.

Conclusion
It is challenging and complex to achieve total database security. It involves a range of
practices and information security technologies. If the database is easily accessible, it is
more vulnerable to security threats. If the database is invulnerable, it becomes difficult to
access. This trade-off gives rise to proper database security measures.

The Need for Email and Application Security

Emails and applications are the heart of today’s digital business. Whether servicing
employees, partners or customers, emails and applications drive business growth, create new
revenue streams and increase customer value. Thus, emails and applications have become a
significant focal point for modern businesses.

Email is the most important business communication tool—and simultaneously, the most
used for cyber attacks. In fact, attackers turn to email as the primary vector for spreading
malware. Attackers also use social engineering to create sophisticated and highly targeted
Business Email Compromise (BEC) and phishing campaigns. Email Security enables your
users to communicate securely and helps your organization combat Business Email
Compromise (BEC), ransomware, advanced malware, phishing, spam, and data loss with a
multilayered approach to security.

The applications we need to do business are no longer just residing in a single, physical data
centre. Sure, there are some applications running in your on-premises data centre. But some
are also running in offsite data centers, or in your private cloud. Applications are moving
targets; they run everywhere and are constantly changing, making them difficult to secure.
Application security encompasses securing an application throughout its life cycle.
Syndrome’s application security offers cloud workload protection to reduce the attack surface
with automated micro-segmentation based on recommended policies tailored to your
applications, and complete visibility of application behaviors, dependencies, and
vulnerabilities.

Email Security
Because of its ubiquity and inherent vulnerabilities, email is a popular vector for cyber
attacks. These attacks can include:

• Malware, such as viruses, worms, Trojan horses, and spyware. When attacks using
these vectors succeed, an attacker can take control of workstations or servers. This
access can then be exploited to compromise otherwise secure information.
• Spam, which can be disruptive to worker productivity, and can also serve as a
transportation method for malware.
• Phishing, which entails the use of computer or social engineering tricks to convince
victims to disclose sensitive information, or to provide access to sensitive systems.

Email security is the set of methods used for keeping email correspondence and accounts safe
from these attacks.

Ensuring Email Security

Email security is a multi-layered discipline involving several types of software and
technology. There are multiple ways to ensure the security of enterprise email accounts – but
it’s important to combine employee education with comprehensive security policies and
procedures.

Recommended policies and procedures include:

• Password Cycling: Require employees to use strong passwords and mandate frequent
password changes. This helps to ensure that, even if a password is compromised, its
use can be limited.
• Secure Login: Ensure that webmail applications use encryption. This is standard
functionality, but critical to prevent emails from being intercepted by malicious
actors.
• Spam Filtering: Implement scanners and other tools to scan messages and block
emails containing malware or other malicious files before they reach end users. Even
relatively benign spam – such as marketing offers – can hamper productivity if
employees have to manually remove it from their inboxes.
• Spyware Protection: Use a robust cyber security program or a dedicated spyware
removal service that can dispose of malicious email attachments and repair altered
files/settings.
• Email Encryption: Encryption technologies such as OpenPGP let users encrypt
emails between sender and recipient. This is a necessity for businesses where
sensitive information is shared frequently via communication platforms like email.
• Employee Education: Engage employees in ongoing security education around email
security risks and how to avoid falling victim to phishing attacks over email. Some
companies send their own employees mock phishing emails in order to test their
resistance to these attacks.

Employee Education

In addition to the implementation of policies and procedures that promote email security,
companies can encourage their employees to follow best practices to guarantee the security of
their email accounts. Employees should be encouraged to:

• Avoid opening attachments, and avoid clicking on hyperlinks without checking them
first. (Many companies even suggest that employees use browser bookmarks for
navigation, rather than clicking links in emails.)
• Change passwords frequently, and follow standard best practices for complexity and
length.
• Avoid sharing passwords with anyone – even co-workers or friends.
• Avoid sharing sensitive information within emails - only send it to trusted
individuals, and only when required.
• Use secure VPN software to access corporate email when working remotely.
• Don’t access company email or sensitive information when using public Wi-Fi
connections.

Why Email Security is Important


It’s important that users and organizations take measures to guarantee the security of their
email accounts against known attacks, and it’s especially important that a proper
infrastructure is in place to stop any unauthorized attempts at accessing accounts or
communications. Users are especially susceptible to phishing attacks against businesses,
because these attacks sidestep technical security protections and instead lean on users
themselves to expose weaknesses. This is why email security solutions should start with proper
techniques like encryption, spyware detection, and login security. But it’s equally important
that employees are educated on the proper steps that should be taken to protect email.

Data Security Consideration


Data security is the protection of programs and data in computers and communication
systems against unauthorized access, modification, destruction, disclosure or transfer whether
accidental or intentional by building physical arrangements and software checks. It refers to
the right of individuals or organizations to deny or restrict the collection and use of
information about unauthorized access. Data security requires system managers to reduce
unauthorized access to the systems by building physical arrangements and software checks.

Data security uses various methods to make sure that the data is correct, original, kept
confidential and safe. It includes:

• Ensuring the integrity of data.
• Ensuring the privacy of the data.
• Preventing the loss or destruction of data.

Data security consideration involves the protection of data against unauthorized access,
modification, destruction, loss, disclosure or transfer whether accidental or intentional. Some
of the important data security considerations are described below:

Backups
Data backup refers to saving additional copies of our data in physical or cloud locations
separate from the data files in storage. It is essential for us to secure, store, and back up
our data on a regular basis. Securing the data will help us to prevent:

• Accidental or malicious damage/modification to data.
• Theft of valuable information.
• Breach of confidentiality agreements and privacy laws.
• Premature release of data which can avoid intellectual property claims.
• Release before data have been checked for authenticity and accuracy.

Keeping reliable and regular backups of our data protects against the risk of damage or loss
due to power failure, hardware failure, software or media faults, viruses or hacking, or even
human errors.

The Backup 3-2-1 Rule is very popular. This rule includes:

• Three copies of our data
• Two different formats, i.e., hard drive + tape backup or DVD (short term) +
flash drive
• One off-site backup, i.e., have two physical backups and one in the cloud
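
The 3-2-1 rule above can be checked mechanically against a backup inventory. The following is an added example, not part of the original notes: it assumes each copy is recorded with its medium, its site and a SHA-256 digest, and it counts a copy only if its digest matches the current data. All names and inventory entries are constructed.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Copy:
    label: str    # human-readable name of the copy
    medium: str   # storage format, e.g. "hard drive", "tape", "cloud"
    site: str     # where the copy is kept
    sha256: str   # digest recorded when the copy was last verified


def audit_3_2_1(copies, primary_site, expected_sha256):
    """Return a list of findings; an empty list means the inventory meets 3-2-1."""
    findings = []
    intact = []
    for c in copies:
        if c.sha256 == expected_sha256:
            intact.append(c)
        else:
            # A stale or corrupted copy cannot be relied on for recovery.
            findings.append(f"{c.label}: digest mismatch, not counted as a copy")
    if len(intact) < 3:
        findings.append(f"need 3 intact copies, found {len(intact)}")
    media = sorted({c.medium for c in intact})
    if len(media) < 2:
        findings.append(f"need 2 different formats, found {media}")
    if not any(c.site != primary_site for c in intact):
        findings.append("no intact copy is stored off-site")
    return findings


# Constructed sample data for the example.
CURRENT = hashlib.sha256(b"constructed sample dataset v2").hexdigest()
OUTDATED = hashlib.sha256(b"constructed sample dataset v1").hexdigest()

COMPLIANT = [
    Copy("working copy", "hard drive", "office", CURRENT),
    Copy("weekly tape", "tape", "office", CURRENT),
    Copy("cloud bucket", "cloud", "cloud provider", CURRENT),
]

NON_COMPLIANT = [
    Copy("working copy", "hard drive", "office", CURRENT),
    Copy("external disk A", "hard drive", "office", CURRENT),
    Copy("external disk B", "hard drive", "office", OUTDATED),
]

if __name__ == "__main__":
    for name, inventory in [("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT)]:
        print(name, audit_3_2_1(inventory, "office", CURRENT) or "OK")
```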

Some important backup options are as follows:

1. Hard drives - personal or work computer
2. Departmental or institution server
3. External hard drives
4. Tape backups
5. Discipline-specific repositories
6. University Archives
7. Cloud storage

Some of the top considerations for implementing secure backup and recovery are-

1. Authentication of the users and backup clients to the backup server.
2. Role-based access control lists for all backup and recovery operations.
3. Data encryption options for both transmission and the storage.
4. Flexibility in choosing encryption and authentication algorithms.
5. Backup of a remote client to the centralized location behind firewalls.
6. Backup and recovery of a client running Security-Enhanced Linux (SELinux).
7. Using best practices to write secure software.

Archival Storage
Data archiving is the process of retaining data at a secure place for long-term
storage. The data might be stored in safe locations so that it can be used whenever it is
required. The archived data is still essential to the organization and may be needed for future
reference. Also, data archives are indexed and have search capabilities so that the files and
parts of files can be easily located and retrieved. Data archival serves as a way of reducing
primary storage consumption of data and its related costs.

Data archival is different from data backup in the sense that data backups create copies of
data and are used as a data recovery mechanism to restore data in the event that it is corrupted
or destroyed. On the other hand, data archives protect the older information that is not needed
in day-to-day operations but may have to be accessed occasionally.

Data archives may take many different forms. They can be stored as online, offline, or cloud
storage:

• Online data storage places archive data onto disk systems where it is readily
accessible.
• Offline data storage places archive data onto tape or other removable media using
data archiving software. Tape can be removed and consumes less power than
disk systems.
• Cloud storage is also another possible archive target. For example, Amazon Glacier is
designed for data archiving. Cloud storage is inexpensive, but its costs can grow over
time as more data is added to the cloud archive.

The following list of considerations will help us to improve the long-term usefulness of our
archives:

1. Storage medium
2. Storage device
3. Revisiting old archives
4. Data usability
5. Selective archiving
6. Space considerations
7. Online vs. offline storage

Storage medium

The first consideration is what storage medium we use for archives. The archived data will be
stored for long periods of time, so we need to choose a type of media that will last
as long as our retention policy dictates.

Storage device

This consideration takes into account whether the storage device we are using for our archives
will still be accessible in a few years. There is no way to predict which types of storage
devices will last the best. So, it is essential to try to pick those devices that have the best
chance of being supported over the long term.

Revisiting old archives

We know that our archive policies and the storage mechanisms we use for archiving data
will change over time. So we have to review our archived data at least once a year to see
if anything needs to be migrated to a different storage medium.

For example, about ten years ago, we used Zip drives for archival, and then we transferred all
of our archives to CD. But today, we store most of our archives on DVD. Since modern
DVD drives can also read CDs, we haven't needed to move our extremely old archives off
CD onto DVD.

Data usability

One major problem seen in the real world is archived data that is in an obsolete format.

For example, a few years ago, document files that had been archived in the early 1990s were
found to have been created by an application known as PFS Write. The PFS Write file format was
supported in the late 80s and early 90s, but today, there are not any applications that can
read those files. To avoid this situation, it might be helpful to archive not only the data but
also copies of the installation media for the applications that created the data.

Selective archiving

In this consideration, we have to be sure about what should be archived. That means we will
archive only a selected part of the data, because not all data is equally important.

Space considerations

If our archives become huge, we must plan for the long-term retention of all our data. If we
are archiving our data to removable media, capacity planning might be as simple as making
sure that there is free space in the vault to hold all of those tapes and that
there is room in our IT budget to continue purchasing tapes.

Online vs. offline storage

In this consideration, we have to decide whether to store our archives online (on a dedicated
archive server) or offline (on removable media). Both methods of archival contain advantages
and disadvantages. Storing of data online keeps the data easily accessible. But keeping data
online may be vulnerable to theft, tampering, corruption, etc. Offline storage enables us to
store an unlimited amount of data, but it is not readily accessible.

Disposal of Data
Data destruction or disposal of data is the method of destroying data which is stored on tapes,
hard disks and other electronic media so that it is completely unreadable, unusable and
inaccessible for unauthorized purposes. It also ensures that the organization retains records of
data for as long as they are needed. When data is no longer required, the organization
appropriately destroys it or disposes of it in some other way, for example, by transfer to an
archives service.

The managed process of data disposal has some essential benefits:

• It avoids the unnecessary storage costs incurred by using office or server space in
maintaining records which are no longer needed by the organization.
• Finding and retrieving information is easier and quicker because there is less to
search.

The disposal of data usually takes place as part of the normal records management process.
There are two essential circumstances in which the destruction of data needs to be handled as
an addition to this process-

• The quantity of legacy records requires attention.
• The functions are being transferred to another authority and disposal of data records
becomes part of the change process.

The following list of considerations will help us with the secure disposal of data-

1. Eliminate access
2. Destroy the data
3. Destroy the device
4. Keep the record of which systems have been decommissioned
5. Keep careful records
6. Eliminate potential clues
7. Keep systems secure until disposal

Eliminate access

In this consideration, we have to ensure that accounts whose access has been eliminated do not
have any rights to re-access the disposed data.

Destroy the Data

In this consideration, simply removing data from storage media is not necessarily safe.
Even these days, reformatting or repartitioning a drive to "erase" the data that it stores is not
good enough. Today, many tools are available which can help us to delete files more securely.
Encrypting the data on the drive before performing any deletion can help to make the data
more difficult to recover later.

Destroy the device

In most cases, storage media need to be physically destroyed to ensure that our sensitive
data is not leaked to whoever gets the drives next. In such cases, we should not destroy them
ourselves. Experts are probably a lot better at safely and effectively rendering any data on
our drives unrecoverable. If we can't entrust this to an outside agency that specializes in
the secure destruction of storage devices, we should have a specialized team within our
organization that has the same equipment and skills as outside contractors.

Keep the record of which systems have been decommissioned

In this, we have to make sure that the storage media have been fully and securely
decommissioned and that nothing has been misplaced or overlooked. It is best if storage
media that have not been fully decommissioned are kept in a specific location, while
decommissioned equipment is placed somewhere else, which helps us to avoid making
mistakes.

Keep careful records

In this consideration, it is necessary to keep a record of whoever is responsible for
decommissioning a storage medium. If more than one person is assigned such
responsibility, each of them should sign off after the completion of the decommissioning
process, so that, if something goes wrong, we know who to talk to in order to find out what
happened and how bad the mistake is.

Eliminate potential clues

In this consideration, we have to clear the configuration settings from networking equipment.
We do this because it can provide crucial clues to a security cracker to break into our network
and the systems that reside on it.

Keep system secure until disposal of data

In this consideration, we should make clear guidelines for who should have access to
the equipment in need of secure disposal. It is better to ensure that anybody who should not
have access to it does not get his or her hands on it before the data is disposed of.

Security Technologies
With the rapid growth in the Internet, Cyber Security has become a major concern to
organizations throughout the world. The fact that the information and tools & technologies
needed to penetrate the security of corporate organization networks are widely available has
increased that security concern.

Today, the fundamental problem is that much of the security technology aims to keep the
attacker out, and when that fails, the defences have failed. Every organization that uses
the Internet needs security technologies to cover the three primary control types - preventive,
detective, and corrective - as well as to provide auditing and reporting. Most security is
based on one of these types of things: something we have (like a key or an ID card), something
we know (like a PIN or a password), or something we are (like a fingerprint).

Some of the important security technologies used in cyber security are described
below-

Firewall

A firewall is a computer network security system designed to prevent unauthorized access to or
from a private network. It can be implemented as hardware, software, or a combination of
both. Firewalls are used to prevent unauthorized Internet users from accessing private
networks connected to the Internet. All messages entering or leaving the intranet pass
through the firewall. The firewall examines each message and blocks those that do not meet
the specified security criteria.

Categories of Firewalls

Firewalls can be categorised in the following ways-

1. Processing mode:

The five processing modes into which firewalls can be categorised are-

Packet filtering

Packet filtering firewalls examine the header information of data packets that come into a
network. This firewall is installed on a TCP/IP network and determines whether to forward a
packet to the next network connection or drop it, based on the rules programmed in the firewall.
It scans network data packets looking for a violation of the rules in the firewall's database.
The rules in most firewalls are often based on a combination of:

• Internet Protocol (IP) source and destination address.
• Direction (inbound or outbound).
• Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and
destination port requests.

Packet filtering firewalls can be categorized into three types-

1. Static filtering: The system administrator sets the rules for the firewall. These filtering
rules, which govern how the firewall decides which packets are allowed and which are denied,
are developed and installed.

2. Dynamic filtering: It allows the firewall to set some rules for itself, such as dropping
packets from an address that is sending many bad packets.

3. Stateful inspection: Stateful firewalls keep track of each network connection between
internal and external systems using a state table.
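
The difference between static filtering and stateful inspection described above, as an added example that is not part of the original notes: a first-match rule filter beside a filter that keeps a state table. The addresses, ports and rules are constructed, and the state handling is simplified so that a SYN creates an entry and a RST removes it.

```python
# Added example (not from the original notes): static vs. stateful packet filtering.
# All addresses, ports and rules below are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out"
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""         # TCP flags: "S" = SYN, "SA" = SYN+ACK, "A" = ACK, "R" = RST


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    direction: str
    proto: str
    src_net: str
    dst_net: str
    sport: Optional[int] = None   # None matches any port
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.proto == p.proto
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


class StaticFilter:
    """First matching rule wins; anything unmatched is denied."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "deny"


class StatefulFilter(StaticFilter):
    """Consults a state table of known connections before falling back to the rules."""

    def __init__(self, rules):
        super().__init__(rules)
        self.state = set()

    def decide(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        for key in (fwd, rev):
            if key in self.state:
                if "R" in p.flags:          # a reset tears the connection down
                    self.state.discard(key)
                return "allow"
        if p.proto == "tcp" and p.flags != "S":
            return "deny"                   # mid-stream TCP packet with no known connection
        action = super().decide(p)
        if action == "allow":
            self.state.add(fwd)             # remember the newly permitted connection
        return action


OUT_HTTPS = Rule("allow", "out", "tcp", "10.0.0.0/24", "0.0.0.0/0", dport=443)
# A static filter needs a broad inbound rule so that replies can get back in.
IN_REPLIES = Rule("allow", "in", "tcp", "0.0.0.0/0", "10.0.0.0/24", sport=443)

SYN = Packet("out", "tcp", "10.0.0.5", 50000, "203.0.113.7", 443, "S")
SYN_ACK = Packet("in", "tcp", "203.0.113.7", 443, "10.0.0.5", 50000, "SA")
STRAY = Packet("in", "tcp", "198.51.100.9", 443, "10.0.0.8", 40000, "A")
TELNET = Packet("out", "tcp", "10.0.0.5", 50001, "203.0.113.7", 23, "S")
RESET = Packet("in", "tcp", "203.0.113.7", 443, "10.0.0.5", 50000, "R")


def run_demo():
    """Return {packet name: (static decision, stateful decision)} for a fixed sequence."""
    static = StaticFilter([OUT_HTTPS, IN_REPLIES])
    stateful = StatefulFilter([OUT_HTTPS])
    sequence = [("syn", SYN), ("syn_ack", SYN_ACK), ("stray", STRAY),
                ("telnet", TELNET), ("reset", RESET), ("after_reset", SYN_ACK)]
    return {name: (static.decide(p), stateful.decide(p)) for name, p in sequence}


if __name__ == "__main__":
    for name, (s, f) in run_demo().items():
        print(f"{name:12} static={s:5} stateful={f}")
```

The unsolicited inbound packet is accepted by the static reply rule but dropped by the stateful filter, which needs no inbound rule at all because replies are matched against the state table.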

Application gateways

It is a firewall proxy which is frequently installed on a dedicated computer to provide network
security. This proxy firewall acts as an intermediary between the requester and the protected
device. This firewall proxy filters incoming node traffic to certain specifications, which means
that only transmitted network application data is filtered. Such network applications include
FTP, Telnet, Real Time Streaming Protocol (RTSP), BitTorrent, etc.

Circuit gateways

A circuit-level gateway is a firewall that operates at the transport layer. It provides UDP and
TCP connection security which means it can reassemble, examine or block all the packets in
a TCP or UDP connection. It works between the transport layer and the application layer, such
as at the session layer. Unlike application gateways, it monitors TCP data packet handshaking
and session fulfilment of firewall rules and policies. It can also act as a Virtual Private
Network (VPN) over the Internet by doing encryption from firewall to firewall.

MAC layer firewalls

This firewall is designed to operate at the media access control layer of the OSI network
model. It is able to consider a specific host computer's identity in its filtering decisions. MAC
addresses of specific host computers are linked to the access control list (ACL) entries. These
entries identify specific types of packets that can be sent to each host, and all other traffic is
blocked. It will also check the MAC address of a requester to determine whether the device
being used to make the connection is authorized to access the data or not.

Hybrid firewalls

It is a type of firewall which combines features of the other four types of firewalls. These are
elements of packet filtering and proxy services, or of packet filtering and circuit gateways.

2. Development Era:

Firewalls can be categorised on the basis of the generation type. These are-

• First Generation
• Second Generation
• Third Generation
• Fourth Generation
• Fifth Generation

First Generation:

The first generation firewall comes with a static packet filtering firewall. A static packet
filter is the simplest and least expensive form of firewall protection. In this generation, each
packet entering and leaving the network is checked and will be either passed or rejected
depending on the user-defined rules. We can compare this security with the bouncer of a club
who only allows people over 21 to enter, while those below 21 are turned away.

Second Generation:

The second generation firewall comes with application-level or proxy servers. This generation
of firewall increases the security level between trusted and untrusted networks. An
application-level firewall uses software to intercept connections for each IP and to perform
security inspection. It involves proxy services which act as an interface between the user on
the internal trusted network and the Internet. The computers communicate with each other by
passing network traffic through the proxy program. This program evaluates data sent from the
client and decides which to pass on and which to drop.

Third Generation:

The third generation firewall comes with the stateful inspection firewalls. This generation of
the firewall has evolved to meet the major requirements demanded by corporate networks of
increased security while minimizing the impact on network performance. The needs of the
third generation firewalls will be even more demanding due to the growing support for VPNs,
wireless communication, and enhanced virus protection. The most challenging element of
this evolution is maintaining the firewall's simplicity (and hence its maintainability and
security) without compromising flexibility.

Fourth Generation:

The fourth generation firewall comes with dynamic packet filtering firewall. This firewall
monitors the state of active connections, and on the basis of this information, it determines
which network packets are allowed to pass through the firewall. By recording session
information such as IP addresses and port numbers, a dynamic packet filter can implement a
much tighter security posture than a static packet filter.

Fifth Generation:

The fifth generation firewall comes with a kernel proxy firewall. This firewall works under the
kernel of Windows NT Executive. This firewall proxy operates at the application layer. In
this, when a packet arrives, a new virtual stack table is created which contains only the
protocol proxies needed to examine the specific packet. The packet is investigated at each
layer of the stack, which involves evaluating the data link header along with the network
header, transport header, session layer information, and application layer data. This firewall
works faster than all the application-level firewalls because all evaluation takes place at the
kernel layer and not at the higher layers of the operating system.

3. Intended deployment structure:

Firewalls can also be categorized based on the structure. These are-

Commercial Appliances

It runs on a custom operating system. This firewall system consists of firewall application
software running on a general-purpose computer. It is designed to provide protection for a
medium-to-large business network. Most of the commercial firewalls are quite complex and
often require specialized training and certification to take full advantage of their features.

Small Office Home Office

The SOHO firewall is designed for small office or home office networks that need protection
from Internet security threats. A firewall for a SOHO (Small Office Home Office) is the first
line of defence and plays an essential role in an overall security strategy. SOHO networks have
limited resources, so the firewall product they implement must be relatively easy to use
and maintain, and be cost-effective. This firewall connects a user's local area network or a
specific computer system to the Internetworking device.

Residential Software

Residential-grade firewall software is installed directly on a user's system. Some of these
applications combine firewall services with other protections such as antivirus or intrusion
detection. There is a limit to the level of configurability and protection that software
firewalls can provide.

4. Architectural Implementation

The firewall configuration that works best for a particular organization depends on three
factors: the objectives of the network, the organization's ability to develop and implement the
architectures, and the budget available for the function.

There are four common architectural implementations of firewalls:

Packet-filtering routers

A packet filtering firewall is used to control network access by monitoring the outgoing and
incoming packets. It allows them to pass or halts them based on the source and destination IP
addresses, protocols and ports. During communication, a node transmits a packet; this packet
is filtered and matched against the predefined rules and policies. If it matches, the packet is
considered secure and verified and is accepted; otherwise, it is blocked.

Screened host firewalls

This firewall architecture combines the packet-filtering router with a separate and dedicated
firewall. The application gateway needs only one network interface. This allows the router
to pre-screen packets to minimize the network traffic and load on the internal proxy. The
packet-filtering router prevents dangerous protocols from reaching the application gateway and
site systems.

Dual-homed host firewalls

The network architecture for the dual-homed host firewall is simple. Its architecture is built
around the dual-homed host computer, a computer that has at least two NICs. One NIC is
connected to the external network, and the other is connected to the internal network, which
provides an additional layer of protection. With these NICs, all traffic must go through the
firewall in order to move between the internal and external networks.

The implementation of this architecture often makes use of NAT. NAT is a method of
mapping assigned IP addresses to special ranges of non-routable internal IP addresses, thereby
creating another barrier to intrusion from external attackers.

Screened Subnet Firewalls

This architecture adds an extra layer of security to the screened host architecture by adding
a perimeter network that further isolates the internal network from the Internet. In this
architecture, there are two screening routers, and both are connected to the perimeter net.
One router sits between the perimeter net and the internal network, and the
other router sits between the perimeter net and the external network. To break into the
internal network, an attacker would have to get past both routers. There is no single
vulnerable point that will compromise the internal network.

VPNs

VPN stands for virtual private network. It is a technology which creates a safe and
encrypted connection over the Internet from a device to a network. This type of connection
helps to ensure our sensitive data is transmitted safely. It protects our connection from
eavesdropping on the network traffic and allows the user to access a private network
securely. This technology is widely used in corporate environments.

A VPN works similarly to a firewall: a firewall protects data local to a device, whereas a VPN
protects data online. To ensure safe communication on the Internet, data travels through secure
tunnels, and VPN users use an authentication method to gain access to the VPN server.
VPNs are used by remote users who need to access corporate resources, consumers who want
to download files and business travellers who want to access a site that is geographically
restricted.

Intrusion Detection System (IDS)
An IDS is a security system which monitors computer systems and network traffic. It
analyses that traffic for possible hostile attacks originating from outsiders and also for
system misuse or attacks originating from insiders. A firewall does the job of filtering the
incoming traffic from the Internet; the IDS, in a similar way, complements the firewall security.
Just as the firewall protects an organization's sensitive data from malicious attacks over the
Internet, the intrusion detection system alerts the system administrator when
someone tries to break through the firewall security and tries to gain access to any network
on the trusted side.

Intrusion detection systems come in different types to detect suspicious activities-

1. NIDS-

It is a Network Intrusion Detection System which monitors the inbound and outbound traffic
to and from all the devices over the network.

2. HIDS-

It is a Host Intrusion Detection System which runs on all devices in the network with direct
access to both internet and enterprise internal network. It can detect anomalous network
packets that originate from inside the organization or malicious traffic that a NIDS has failed
to catch. HIDS may also identify malicious traffic that arises from the host itself.

3. Signature-based Intrusion Detection System-

It is a detection system which detects an attack by looking for specific
patterns, such as byte sequences in network traffic, or known malicious instruction sequences
used by malware. This IDS originates from anti-virus software, which can easily detect known
attacks. With this approach, it is impossible to detect new attacks, for which no pattern is
available.

4. Anomaly-based Intrusion Detection System-

This detection system was primarily introduced to detect unknown attacks due to the rapid
development of malware. It alerts administrators to potentially malicious activity. It
monitors the network traffic and compares it against an established baseline. It determines
what is considered to be normal for the network with respect to bandwidth, protocols, ports
and other devices.
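
The two detection approaches above side by side, as an added example that is not part of the original notes: byte-pattern signatures and a baseline of normal bandwidth and ports applied to the same events. The signature names, baseline samples and events are constructed for illustration.

```python
# Added example (not from the original notes): signature-based vs. anomaly-based detection.
# Signatures, baseline samples and events are constructed for illustration.
import statistics
from typing import Dict, List

SIGNATURES: Dict[str, bytes] = {
    "SIG-001 directory traversal sequence": b"../../",
    "SIG-002 script tag in request": b"<script>",
}


def signature_alerts(payload: bytes) -> List[str]:
    """Return the names of all known byte patterns found in the payload."""
    data = payload.lower()
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


class Baseline:
    """Learns what is normal (bandwidth and ports) from known-good traffic."""

    def __init__(self, training: List[dict], threshold: float = 3.0):
        sizes = [e["bytes"] for e in training]
        self.mean = statistics.mean(sizes)
        self.stdev = statistics.stdev(sizes) or 1.0   # avoid dividing by zero
        self.ports = {(e["proto"], e["port"]) for e in training}
        self.threshold = threshold                    # allowed standard deviations

    def anomalies(self, event: dict) -> List[str]:
        found = []
        if (event["proto"], event["port"]) not in self.ports:
            found.append("port not seen in baseline")
        if abs(event["bytes"] - self.mean) / self.stdev > self.threshold:
            found.append("bandwidth deviates from baseline")
        return found


# Constructed per-minute traffic samples recorded during normal operation.
TRAINING = [
    {"proto": "tcp", "port": 443, "bytes": 4800},
    {"proto": "tcp", "port": 443, "bytes": 5100},
    {"proto": "tcp", "port": 80, "bytes": 5000},
    {"proto": "tcp", "port": 443, "bytes": 5300},
    {"proto": "udp", "port": 53, "bytes": 4900},
    {"proto": "tcp", "port": 443, "bytes": 5200},
    {"proto": "tcp", "port": 80, "bytes": 5050},
    {"proto": "udp", "port": 53, "bytes": 4950},
]

# Constructed events to classify.
EVENTS = [
    {"id": "e1", "proto": "tcp", "port": 443, "bytes": 5200,
     "payload": b"GET /index.html HTTP/1.1"},
    {"id": "e2", "proto": "tcp", "port": 443, "bytes": 5100,
     "payload": b"GET /docs/../../etc/hosts HTTP/1.1"},
    {"id": "e3", "proto": "tcp", "port": 6667, "bytes": 5000,
     "payload": b"\x16\x03 opaque bytes"},
    {"id": "e4", "proto": "tcp", "port": 443, "bytes": 250000,
     "payload": b"POST /upload HTTP/1.1"},
]


def analyse(events: List[dict], baseline: Baseline) -> Dict[str, dict]:
    """Run both detectors over every event."""
    return {e["id"]: {"signature": signature_alerts(e["payload"]),
                      "anomaly": baseline.anomalies(e)} for e in events}


if __name__ == "__main__":
    for event_id, result in analyse(EVENTS, Baseline(TRAINING)).items():
        print(event_id, result)
```

Events e3 and e4 match no stored pattern, so only the baseline comparison reports them, while e2 looks normal in volume and port and is caught only by its signature.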

Access Control

Access control is a process of selectively restricting access to a system. It is a concept in
security to minimize the risk of unauthorized access to the business or organization. In this,
users are granted access permission and certain privileges to a system and resources. Here,
users must provide a credential to be granted access to a system. These credentials come in
many forms such as a password, a keycard, a biometric reading, etc. Access control relies on
security technology and access control policies to protect confidential information like
customer data.

Access control can be categorised into two types-

• Physical access control
• Logical access control

Physical Access Control- This type of access control limits access to buildings, rooms,
campuses, and physical IT assets.

Logical access control- This type of access control limits connection to computer networks,
system files, and data.

The more secure method for access control involves two-factor authentication. The first
factor is that a user who desires access to a system must show a credential, and the second
factor could be an access code, a password, or a biometric reading.

Access control consists of two main components: authorization and authentication.
Authentication is a process which verifies that someone is who they claim to be,
whereas authorization determines whether a user should be allowed to gain access
to a system or be denied it.

Threat to E-Commerce
E-Commerce refers to the activity of buying and selling things over the Internet. Simply, it
refers to commercial transactions which are conducted online. E-commerce draws
on many technologies such as mobile commerce, Internet marketing, online transaction
processing, electronic funds transfer, supply chain management, electronic data interchange
(EDI), inventory management systems, and automated data collection systems.

An e-commerce threat arises from the use of the Internet for unfair means with the intention of
stealing, fraud and security breach. There are various types of e-commerce threats. Some are
accidental, some are purposeful, and some of them are due to human error. The most
common security threats relate to electronic payment systems, e-cash, data misuse,
credit/debit card fraud, etc.

Electronic payments system:

With the rapid development of the computer, mobile, and network technology, e-commerce
has become a routine part of human life. In e-commerce, the customer can order products at
home and save time for doing other things. There is no need of visiting a store or a shop. The
customer can select different stores on the Internet in a very short time and compare the
products with different characteristics such as price, colour, and quality.

Electronic payment systems have a very important role in e-commerce. E-commerce
organizations use electronic payment systems, which refer to paperless monetary transactions.
They revolutionized business processing by reducing paperwork, transaction costs, and labour
costs. E-commerce processing is user-friendly and less time-consuming than manual
processing. Electronic commerce helps a business organization expand its market reach.
There are certain risks with electronic payment systems.

Some of them are:

The Risk of Fraud

An electronic payment system has a huge risk of fraud. The computing devices use the
identity of the person, such as passwords and security questions, for authorizing a payment.
This authentication is not foolproof in determining the identity of a person. If the
password and the answers to the security questions match, the system doesn't care who
is on the other side. If someone has access to our password or the answers to our security
questions, he will gain access to our money and can steal it from us.

The Risk of Tax Evasion

The Internal Revenue Service law requires that every business declare its financial
transactions and provide paper records so that tax compliance can be verified. The problem
with electronic systems is that they don't fit cleanly into this paradigm. This makes the
process of tax collection very frustrating for the Internal Revenue Service. It is the
business's choice whether to disclose payments received or made via electronic payment systems.
The IRS has no way to know whether the business is telling the truth or not, which makes it
easy to evade taxation.

The Risk of Payment Conflicts

In electronic payment systems, the payments are handled by an automated electronic system,
not by humans. The system is prone to errors when it handles large amounts of payments on a
frequent basis with more than one recipient involved. It is essential to continually check our
pay slip after every pay period ends in order to ensure everything makes sense. Failure to do
this may result in conflicts of payment caused by technical glitches and
anomalies.

E-cash

E-cash is a paperless cash system which facilitates the transfer of funds anonymously. E-cash
is free to the user, while the sellers pay a fee for this. The e-cash fund can be either
stored on a card itself or in an account which is associated with the card. The most common
examples of e-cash systems are transit cards, PayPal, GooglePay, Paytm, etc.

E-cash has four major components-

1. Issuers - They can be banks or non-bank institutions.
2. Customers - They are the users who spend the e-cash.
3. Merchants or Traders - They are the vendors who receive e-cash.
4. Regulators - They are related to authorities or state tax agencies.

In e-cash, we store financial information on the computer, electronic device or on the
Internet, which is vulnerable to hackers. Some of the major threats related to e-cash systems
are-

Backdoor Attacks

It is a type of attack which gives an attacker unauthorized access to a system by bypassing
the normal authentication mechanisms. It works in the background and hides itself from the
user, which makes it difficult to detect and remove.

Denial of service attacks

A denial-of-service attack (DoS attack) is a security attack in which the attacker takes action
that prevents the legitimate (correct) users from accessing the electronic devices. It makes a
network resource unavailable to its intended users by temporarily disrupting services of a
host connected to the Internet.

Direct Access Attacks

A direct access attack is an attack in which an intruder gains physical access to the computer
to perform an unauthorized activity and install various types of software to compromise
security. These types of software are loaded with worms and download a huge amount of
sensitive data from the targeted victims.

Eavesdropping

This is an unauthorized way of listening to private communication over the network. It does
not interfere with the normal operations of the targeted system, so the sender and the
recipient of the messages are not aware that their conversation is being tracked.

Credit/Debit card fraud

A credit card allows us to borrow money from a recipient bank to make purchases. The issuer
of the credit card has the condition that the cardholder will pay back the borrowed money
with an additional agreed-upon charge.

A debit card is a plastic card which is issued by a financial organization to an account holder
who has a savings deposit account, and it can be used instead of cash to make purchases. The
debit card can be used only when funds are available in the account.

Some of the important threats associated with the debit/credit card are-

ATM (Automated Teller Machine)-

It is the favourite place of fraudsters, from where they can steal our card details. Some of the
important techniques which criminals use for getting hold of our card information are:

Skimming-

It is the process of attaching a data-skimming device in the card reader of the ATM. When
the customer swipes their card in the ATM card reader, the information is copied from the
magnetic strip to the device. By doing this, the criminals get to know the details of the Card
number, name, CVV number, expiry date of the card and other details.

Unwanted Presence-

It is a rule that not more than one user should use the ATM at a time. If we find more than
one person lurking around together, the intention behind this is to look over our card details
while we are making our transaction.

Vishing/Phishing

Phishing is an activity in which an intruder obtains the sensitive information of a user, such
as passwords, usernames, and credit card details, often for malicious reasons.

Vishing is an activity in which an intruder obtains the sensitive information of a user by
sending SMS to mobiles. These SMS and calls appear to be from a reliable source, but in
reality they are fake. The main objective of vishing and phishing is to get the customer's PIN,
account details, and passwords.

Online Transaction

Online transactions can be made by the customer to do shopping and pay their bills over the
Internet. As easy as it is for the customer, it is also easy for an attacker to hack into our
system and steal our sensitive information. Some important ways to steal our confidential
information during an online transaction are-

• By downloading software which scans our keystrokes and steals our password and card
details.
• By redirecting a customer to a fake website which looks like the original and steals our
sensitive information.
• By using public Wi-Fi

POS Theft

It is commonly done at merchant stores at the time of POS transaction. In this, the
salesperson takes the customer card for processing payment and illegally copies the card
details for later use.

Digital Signature
A digital signature is a mathematical technique which validates the authenticity and integrity
of a message, software or digital document. It allows us to verify the author name, date and
time of signatures, and authenticate the message contents. The digital signature offers far
more inherent security and is intended to solve the problem of tampering and impersonation
(intentionally copying another person's characteristics) in digital communications.

Computer-based business information authentication interrelates both technology and the
law. It also calls for cooperation between people of different professional backgrounds
and areas of expertise. Digital signatures are different from other electronic signatures not
only in terms of process and result, but also in being more serviceable for
legal purposes. Some electronic signatures that are legally recognizable as signatures may not
be as secure as digital signatures and may lead to uncertainty and disputes.

Application of Digital Signature


The important reasons to implement digital signatures in communication are:

• Authentication
• Non-repudiation
• Integrity

Authentication
Authentication is a process which verifies the identity of a user who wants to access the
system. In the digital signature, authentication helps to authenticate the sources of messages.

Non-repudiation
Non-repudiation means assurance of something that cannot be denied. It ensures that
a party to a contract or communication cannot later deny the authenticity of their signature
on a document or in a file, or the sending of a message that they originated.

Integrity
Integrity ensures that the message is real, accurate and safeguards from unauthorized user
modification during the transmission.

Algorithms in Digital Signature


A digital signature consists of three algorithms:

1. Key generation algorithm

The key generation algorithm selects a private key randomly from a set of possible private
keys. This algorithm provides the private key and its corresponding public key.

2. Signing algorithm

A signing algorithm produces a signature for the document.

3. Signature verifying algorithm

A signature verifying algorithm either accepts or rejects the document's authenticity.

How digital signatures work


Digital signatures are created and verified by using public key cryptography, also known as
asymmetric cryptography. By the use of a public key algorithm, such as RSA, one can
generate two keys that are mathematically linked- one is a private key, and another is a public
key.

The user who is creating the digital signature uses their own private key to encrypt the
signature-related document. The only way to decrypt that document is with the
signer's public key.

This technology requires all the parties to trust that the individual who creates the signature
has been able to keep their private key secret. If someone has access to the signer's private
key, there is a possibility that they could create fraudulent signatures in the name of the
private key holder.

The steps which are followed in creating a digital signature are:


Shashank Saxena (8090315900) Unit 2 - Application Security Page 25 of 27
1. Select a file to be digitally signed.
2. The hash value of the message or file content is calculated. This message or file
content is encrypted by using the sender's private key to form the digital signature.
3. Now, the original message or file content along with the digital signature is
transmitted.
4. The receiver decrypts the digital signature by using the sender's public key.
5. The receiver now has the message or file content and can compute it.
6. The computed message or file content is compared with the original computed
message. The two must be the same to ensure integrity.

Types of Digital Signature


Different document processing platforms support different types of digital signatures. They
are described below:

Certified Signatures
Documents with a certified digital signature display a unique blue ribbon across the top of
the document. The certified signature contains the name of the document signer and the
certificate issuer, which indicate the authorship and authenticity of the document.

Approval Signatures
The approval digital signatures on a document can be used in the organization's business
workflow. They help to optimize the organization's approval procedure. The procedure
involves capturing approvals made by us and other individuals and embedding them within
the PDF document. The approval signatures include details such as an image of our
physical signature, location, date, and official seal.

Visible Digital Signature


The visible digital signature allows a user to sign a single document digitally. This signature
appears on a document in the same way as signatures are signed on a physical document.
Invisible Digital Signature
The invisible digital signatures carry a visual indication of a blue ribbon within a document in
the taskbar. We can use invisible digital signatures when we do not have or do not want to
display our signature but need to provide the authenticity of the document, its integrity, and
its origin.
