
Web Servers-

Web pages are a collection of data, including images, text files, hyperlinks, database files etc., all located on some computer (also known as server space) on the Internet.

A web server is dedicated software that runs on the server side. When a user asks their web browser to open a web page, the web server gathers all the data for that page into an organized web page and forwards it back to the web browser over the Internet. A web server is also the dedicated computer, sitting somewhere on the Internet, that is responsible for running websites; the specialized programs on it deliver web pages as requested by the user.

The primary objective of any web server is to collect, process and provide web pages to the users.
How do web servers work?
The term web server can denote server hardware or server software, or, in most cases, both hardware and software working together.

On the hardware side, a web server is a computer that stores the server software and the website's raw data, such as HTML files, images, text documents, and JavaScript files. The web server hardware is connected to the Internet and supports the exchange of data with the other devices connected to it.

On the software side, a web server includes the server software that is reached through the website's domain name. It controls how web users access the web files and ensures the delivery of website content to the end user. The web server contains several components, including an HTTP server.

Whenever a web browser, such as Google Chrome, Microsoft Edge or Firefox, requests a web page hosted on a web server, the browser forwards the request using HTTP. At the server end, the HTTP server accepts the request, immediately starts looking for the requested data and sends it back to the web browser via HTTP.
Web-application-
A web application is an application program that is usually stored on a remote server, and users access it through software known as a web browser.

Flow of the Web Application
•In general, a user sends a request to the web server over the Internet using a web browser such as Google Chrome, Microsoft Edge, Firefox, etc.
•The web server forwards the request to the appropriate web application server.
•The web application server performs the requested operations or tasks, such as processing or querying the databases, and produces the result for the requested data.
•The web application server sends the obtained result back to the web server, along with the requested data/information or processed data.
•The web server responds to the user with the requested or processed data/information, and the result is displayed on the user's screen.
Common web app security vulnerabilities-

Cross site scripting (XSS) - XSS is a vulnerability that allows an attacker to inject client-side scripts into a web page in order to access important information directly, impersonate the user, or trick the user into revealing important information.

SQL injection (SQLi) - SQLi is a method by which an attacker exploits vulnerabilities in the way a database executes search queries. Attackers use SQLi to gain access to unauthorized information, modify or create new user permissions, or otherwise manipulate or destroy sensitive data.

Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks - Through a variety of vectors, attackers are able to overload a targeted server or its surrounding infrastructure with different types of attack traffic.

Memory corruption - Memory corruption occurs when a location in memory is unintentionally modified, resulting in the potential for unexpected behavior in the software. Bad actors will attempt to sniff out and exploit memory corruption through exploits such as code injection or buffer overflow attacks.

Buffer overflow - A buffer overflow is an anomaly that occurs when software writes data beyond a defined space in memory known as a buffer. Overflowing the buffer's capacity results in adjacent memory locations being overwritten with data. This behavior can be exploited to inject malicious code into memory, potentially creating a vulnerability in the targeted machine.

Data breach - Different from specific attack vectors, a data breach is a general term referring to the release of sensitive or confidential information, and it can occur through malicious actions or by mistake. The scope of what is considered a data breach is fairly wide, and may consist of a few highly valuable records all the way up to millions of exposed user accounts.
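The two injection vulnerabilities in the list above, SQL injection and XSS, both come from handing user input to an interpreter as code rather than as data. The following is an added example, not part of the original notes: it shows the vulnerable pattern next to the hardened one for each, using Python's standard sqlite3 and html modules. The users table, names and inputs are constructed for the example.

```python
# Added example (not from the original notes): the vulnerable pattern beside
# the hardened one for SQL injection and cross-site scripting. Runs offline
# against an in-memory SQLite database constructed here; table, user names
# and inputs are all made up.
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small constructed users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """VULNERABLE: the search term is pasted into the SQL text, so the
    database parses attacker-controlled input as part of the query."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """HARDENED: a bound parameter is passed to the driver separately from
    the SQL text, so the input can only ever be compared as a value."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_unsafe(name: str) -> str:
    """VULNERABLE: raw user input is interpolated into HTML markup."""
    return f"<p>Hello, {name}</p>"


def render_greeting_safe(name: str) -> str:
    """HARDENED: html.escape() turns <, >, &, ' and " into entities so the
    browser renders the input as text instead of executing it as markup."""
    return f"<p>Hello, {html.escape(name)}</p>"


def demo() -> dict:
    """Run the same hostile inputs through both versions of each function."""
    conn = make_db()
    # A search term that, once pasted into the SQL text, turns the WHERE
    # clause into a tautology and so returns every row of the table.
    tautology = "x' OR '1'='1"
    script = "<script>alert(1)</script>"
    return {
        "unsafe_rows": len(lookup_unsafe(conn, tautology)),  # 2: whole table
        "safe_rows": len(lookup_safe(conn, tautology)),      # 0: no such name
        "unsafe_html": render_greeting_unsafe(script),
        "safe_html": render_greeting_safe(script),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix is the same in both cases: keep data out of the code channel, either with bound parameters (the driver never lets the value alter the query's structure) or with output encoding (the browser never sees the value as markup).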
8 Essential Tips to Secure Web Application Server

The firewall-
Your firewall may be taking care of your network's borders, keeping the bad guys out and the good guys in, but it is still leaving a door wide open for attackers to break into your web application server.

Scan for web-specific vulnerabilities-
Network scanners cannot detect application-specific vulnerabilities. To detect and eliminate these vulnerabilities, you have to put the applications through a series of tests and audits, such as penetration tests, black box scanning, and source code auditing.

Educate your developers-
Developers tend to think their applications run in ideal worlds, where resources are unlimited, users don't make mistakes, and there are no people with ruthless intentions. Unfortunately, at some point, they need to face real-world issues, especially those regarding information security.

Turn off unnecessary functionality-
A basic, common sense tip is to reduce the number of potentially vulnerable entry points. If attackers can exploit any of the components of the web server, the whole web server could be in danger.

Use separate environments for development, testing, and production-
Developers and testers need privileges on the environments they work on that they should not have on the live application server. Even if you blindly trust them, their passwords could easily leak and fall into unwanted hands.

Keep your server software updated-
As obvious as it might seem, this is one of the most overlooked tasks. SUCURI (a security team) found 59% of CMS applications were outdated, which leaves them open to risk.

Restrict access and privileges-
A basic security measure is to keep remote access traffic, such as RDP and SSH, encrypted and tunnelled. It is also a good idea to keep a reduced list of IP addresses from where remote access is allowed, making sure that any attempt to log in remotely from any other IP is blocked.

Keep an eye on server logs-
Administrators should monitor server logs regularly to detect any suspicious behavior before it does any damage. By analyzing log files, you can uncover a lot of information to help you better protect the application. If an attack should happen, log files could show you when and how it started, helping you do better damage control.
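What "analyzing log files" looks like in practice: the following is an added example, not part of the original notes, that parses web server access-log lines in the common Combined Log Format and flags two patterns an administrator would want to see early, a run of failed logins from one address followed by a success, and one address probing for many paths that do not exist. The log lines, IP addresses and thresholds are constructed for the example.

```python
# Added example (not from the original notes): a small detector run over
# constructed access-log lines in Combined Log Format. The IP addresses,
# paths and timestamps are made up for this example.
import re
from collections import defaultdict
from typing import Optional

SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:02 +0000] "GET /admin/config.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:03 +0000] "GET /.env HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:04 +0000] "GET /backup.zip HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# One Combined Log Format line: client, identity, user, timestamp,
# request line, status and response size (the referrer and user agent
# that follow are not needed here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text: str, max_failed_logins: int = 3, max_404: int = 3) -> dict:
    """Flag client IPs that log in successfully right after a run of failed
    logins (a guessed password), and IPs that request many non-existent
    paths (probing for files that should not be exposed).

    Returns {"credential_stuffing": [...], "path_probing": [...]}.
    """
    failed_logins = defaultdict(int)
    success_after_failures = set()
    not_found = defaultdict(int)

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the analysis
        ip, status, path = rec["ip"], int(rec["status"]), rec["path"]
        if path == "/login" and rec["method"] == "POST":
            if status == 401:
                failed_logins[ip] += 1
            elif status == 200 and failed_logins[ip] >= max_failed_logins:
                success_after_failures.add(ip)
        if status == 404:
            not_found[ip] += 1

    return {
        "credential_stuffing": sorted(success_after_failures),
        "path_probing": sorted(ip for ip, n in not_found.items() if n >= max_404),
    }


if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LOG))
```

The thresholds are deliberately low so the sample trips them; on a real server they would be tuned against normal traffic, and the output would feed an alert rather than a print.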
Keep yourself informed-
There's a lot of free and useful information on the Internet that you can use for the benefit of your web application. Don't miss any new post on reputable security blogs (like this one) and stay informed about what's happening in the security and web industry.
What is Application Security?
Application security aims to protect software application code and data against cyber threats. You can and should apply application security during all phases of development, including design, development, and deployment.

A web service is any piece of software that makes itself available over the Internet and uses a standardized XML messaging system. XML is used to encode all communications to a web service. Web services are self-contained, modular, distributed, dynamic applications that can be described, published, located, or invoked over the network to create products, processes, and supply chains. These applications can be local, distributed, or web-based. Web services are built on top of open standards such as TCP/IP, HTTP, Java, HTML, and XML.

Security is critical to web services-
There are three specific security issues with web services:
•Confidentiality
•Authentication
•Network Security

Confidentiality-
A single web service may consist of a chain of applications. For example, one large service might tie together the services of three other applications. In this case, SSL is not adequate; the messages need to be encrypted at each node along the service path, and each node represents a potential weak link in the chain.

Authentication-
If a client connects to a web service, how do we identify the user? Is the user authorized to use the service? The following options can be considered, but there is no clear consensus on a strong authentication scheme.
•HTTP includes built-in support for Basic and Digest authentication, and services can therefore be protected in much the same manner as HTML documents are currently protected.
•SOAP (Simple Object Access Protocol) Digital Signature (SOAP-DSIG) leverages public key cryptography to digitally sign SOAP messages. It enables the client or server to validate the identity of the other party.
•The Organization for the Advancement of Structured Information Standards (OASIS) is working on the Security Assertion Markup Language (SAML).

Network Security-
There is currently no easy answer to this problem, and it has been the subject of much debate. For now, if you are truly intent on filtering out SOAP or XML-RPC messages, one possibility is to filter out all HTTP POST requests that set their content type to text/xml. Another alternative is to filter on the SOAPAction HTTP header. Firewall vendors are also currently developing tools explicitly designed to filter web service traffic.
HTTP Protocol-
HTTP is a message-based (request, response), stateless protocol comprised of headers (key-value pairs) and an optional body. Three versions of HTTP have been released so far: HTTP/1.0 (released in 1996, rare usage), HTTP/1.1 (released in 1997, wide usage), and HTTP/2 (released in 2015, increasing usage).

The HTTP protocol works over the Transmission Control Protocol (TCP). TCP is one of the core protocols within the Internet protocol suite and it provides reliable, ordered, and error-checked delivery of a stream of data, making it ideal for HTTP. The default port for HTTP is 80, or 443 if you're using HTTPS (an extension of HTTP over TLS).

HTTP Requests-
In order to initiate an HTTP request, a client first establishes a TCP connection to a specified web server on a specified port (80 or 443 by default). The request starts with an initial line known as the request line, which contains a method, a URL, and the HTTP version (HTTP/1.1 in the example below). We must also include a Host header in order to tell the server which host this request is intended for.
Example:
GET / HTTP/1.1
Host: www.example.com

HTTP Responses-
On the server side, an HTTP server listening on port 80 sends back an HTTP response to the client for what it has requested. The HTTP response contains a status line as its first line, followed by the rest of the response. The status line indicates the version of the protocol, the status code (for example 200), and, usually, a description of that status code.
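To make the request and response formats above concrete, here is an added example, not part of the original notes, that parses a raw HTTP/1.1 request into its request line, headers and body, reads a response status line, and applies the web-service filtering rule from the "Network Security" section (treat a POST as SOAP traffic when its Content-Type is text/xml or it carries a SOAPAction header). It goes slightly beyond the notes by also recognising application/soap+xml, the SOAP 1.2 content type. The request and response messages are constructed here, not captured traffic.

```python
# Added example (not from the original notes): parsing the HTTP/1.1 request
# and response formats described in the notes, plus the SOAP-traffic filter
# from the "Network Security" section. All messages below are constructed.
from typing import Dict, Tuple

CRLF = "\r\n"

# Constructed messages (not captured traffic).
GET_REQUEST = (
    "GET / HTTP/1.1" + CRLF
    + "Host: www.example.com" + CRLF
    + CRLF
)

SOAP_BODY = "<Envelope><Body>ping</Body></Envelope>"
SOAP_REQUEST = (
    "POST /service HTTP/1.1" + CRLF
    + "Host: www.example.com" + CRLF
    + "Content-Type: text/xml; charset=utf-8" + CRLF
    + 'SOAPAction: "urn:example:ping"' + CRLF
    + f"Content-Length: {len(SOAP_BODY)}" + CRLF
    + CRLF
    + SOAP_BODY
)

RESPONSE = (
    "HTTP/1.1 200 OK" + CRLF
    + "Content-Type: text/html" + CRLF
    + CRLF
    + "<html></html>"
)


def parse_request(raw: str) -> Tuple[str, str, str, Dict[str, str], str]:
    """Split a raw request into (method, target, version, headers, body).

    Header names are case-insensitive in HTTP, so they are lower-cased.
    An HTTP/1.1 request without a Host header is rejected, as the protocol
    requires one.
    """
    head, _, body = raw.partition(CRLF + CRLF)   # blank line ends the headers
    lines = head.split(CRLF)
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request is missing the Host header")
    return method, target, version, headers, body


def parse_status_line(raw_response: str) -> Tuple[str, int, str]:
    """Return (version, status_code, reason) from a response's first line."""
    status_line = raw_response.split(CRLF, 1)[0]
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % status_line)
    reason = parts[2] if len(parts) == 3 else ""
    return parts[0], int(parts[1]), reason


def looks_like_soap(method: str, headers: Dict[str, str]) -> bool:
    """The filtering rule from the notes: a POST whose Content-Type is XML
    or that carries a SOAPAction header is treated as web-service traffic.
    application/soap+xml (SOAP 1.2) is added beyond what the notes list."""
    if method != "POST":
        return False
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    return media_type in ("text/xml", "application/soap+xml") or "soapaction" in headers


if __name__ == "__main__":
    method, _, _, headers, _ = parse_request(SOAP_REQUEST)
    print("SOAP request?", looks_like_soap(method, headers))
    print("Status:", parse_status_line(RESPONSE))
```

Note that the filter keys on what the client declares; a client can omit SOAPAction or mislabel the content type, which is why the notes describe it as a stopgap rather than a complete defence.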
Security in HTTP:
SSL - SSL stands for Secure Sockets Layer. SSL is a secure protocol developed for sending information securely over the Internet. Many websites use SSL for secure areas of their sites, like user account pages and online checkout. Usually, when you are asked to "log in" on a website, the resulting page is secured by SSL, creating essentially a secure session.

SSL encrypts the data being transmitted so that a third party cannot "eavesdrop" on the transmission and view the data being transmitted. Only the user's computer and the secure server can recognize the data. SSL keeps your name, address, and credit card information between you and the merchant to which you're providing it. Without this type of encryption, online shopping would be far too insecure to be practical. After you visit a web address starting with "https", the "s" after the "http" indicates the website is secure. These websites often use SSL certificates to verify their authenticity.

TLS - TLS stands for Transport Layer Security. TLS is the protocol that provides authentication, privacy, and data integrity between two communicating computer applications. When data has to be securely exchanged by web applications over the network, it is the most likely deployed security protocol. Applications can include web browsing sessions, file transfers, VPN connections, remote desktop sessions, and voice over IP (VoIP). TLS evolved from SSL and has largely superseded it, although the terms SSL and SSL/TLS are still commonly used for it.

Key differences between SSL and TLS that make TLS a more secure and efficient protocol are:
•message authentication
•key material generation
•the supported cipher suites, with TLS supporting newer and safer algorithms.
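Where the SSL-versus-TLS distinction shows up for an application developer is in how the TLS connection is configured. The following is an added example, not part of the original notes, using Python's standard ssl module: it builds a weak client configuration (certificate checks disabled, so the server is never authenticated) next to a hardened one (system trust store, host name check, nothing older than TLS 1.2), plus a policy check a deployment test could run. Nothing here opens a network connection.

```python
# Added example (not from the original notes): the weak TLS client setting
# beside the corrected one, using the standard ssl module. No network I/O.
import ssl


def weak_context() -> ssl.SSLContext:
    """The setting to avoid: certificate verification and host name checking
    are switched off, so any server (or anyone in the middle) is accepted and
    the "authentication" property TLS is meant to provide is lost."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """A client context that authenticates the server against the system
    trust store, checks the host name, and refuses anything older than
    TLS 1.2 (the SSL versions and TLS 1.0/1.1 are never negotiated)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def is_acceptable(ctx: ssl.SSLContext) -> bool:
    """Policy check: peer authenticated, host name verified, modern version."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


if __name__ == "__main__":
    print("weak acceptable?", is_acceptable(weak_context()))        # False
    print("hardened acceptable?", is_acceptable(hardened_context()))  # True
```

A context like hardened_context() is what you would pass to http.client.HTTPSConnection or urllib; the weak form is what appears in code that "fixes" a certificate error by turning verification off, which removes the guarantee the notes attribute to SSL/TLS.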
HTTP-
HTTP stands for Hypertext Transfer Protocol. The HTTP protocol provides communication between different communicating systems. When the user makes an HTTP request in the browser, the web server sends the requested data to the user in the form of web pages. In short, we can say that the HTTP protocol allows us to transfer data from the server to the client.

HTTP is an application layer protocol that sits above the TCP layer. It provides a set of standard rules that web browsers and servers use to communicate with each other. HTTP is a stateless protocol, as each transaction is executed separately without any knowledge of the previous transactions, which means that once the transaction between the web browser and the server is completed, the connection is closed.

HTTPS-
The full form of HTTPS is Hypertext Transfer Protocol Secure. The HTTP protocol does not provide security for the data, while HTTPS ensures the security of the data. Therefore, we can say that HTTPS is a secure version of the HTTP protocol. This protocol transfers the data in an encrypted form. The use of the HTTPS protocol is mainly required where we need to enter bank account details. The HTTPS protocol is mainly used where we need to enter login credentials. In modern browsers such as Chrome, the two protocols, i.e., HTTP and HTTPS, are marked differently. To provide encryption, HTTPS uses an encryption protocol known as Transport Layer Security (TLS), which was formerly known as Secure Sockets Layer (SSL).

SSL Certificates-
When we want our websites to use the HTTPS protocol, we need to install a signed SSL certificate. SSL certificates are available as both free and paid services; the service can be chosen based on business needs. HTTP does not involve any SSL certificate, so it does not encrypt the data, and the data is sent in the form of plain text.
What Is SOAP?
SOAP is an abbreviation that stands for Simple Object Access Protocol. During the implementation of web services in computer networking, structured information is exchanged in various ways. SOAP is one such messaging protocol, and it is used because it offers neutrality, independence, and extensibility. In web services, SOAP allows the user request to interact with other programming languages. In this way, it provides a way to communicate between applications running on different platforms (operating systems), programming languages and technologies used in the web service.

Characteristics of SOAP-
•It is an open standard protocol used in web services to communicate via the Internet.
•It is used to broadcast a message over the network.
•It is used to call remote procedures and exchange documents.
•It can be used on any platform and can support multiple languages, so it is platform and language independent.
•It uses the XML format to send messages over the HTTP protocol.
•The structure of a SOAP message consists of an envelope, header, and body element.

Basic Security for SOAP Services-
SOAP is an API messaging protocol, and SOAP security is the strategy that prevents unauthorized access to SOAP messages and user information. Web Services Security (WS-Security) is the main aspect of ensuring SOAP security. WS-Security is the set of principles/guidelines that regulate authentication and confidentiality procedures for SOAP messaging. WSS-compliant measures include digital signatures, XML encryption, X.509 certificates, and passwords, among others. XML encryption makes data unreadable when unauthorized users gain access.

SOAP Security Risks-
There are several kinds of cyber-attacks and vulnerabilities, and those uniquely targeting APIs make up the bulk of SOAP security risks. Some of them include:
•Code Injections – in SOAP, XML code injections introduce malicious code into an application or database. Careful access control prevents these attacks.
•Leaked/Breached Access – most attacks begin with breached or leaked access. You must ensure SOAP messages are shown to authorized users only.
•(Distributed) Denial of Service – DoS or DDoS attacks overwhelm web services with too many or overly long messages. Limiting message length and volume in SOAP security prevents these attacks.
•Cross-Site Scripting – code injection, but it happens from the web application side to the website.
•Session Hijacking – an unauthorized user obtains a session ID, and with it gains full access to the application and/or another user's account.

Secure Web Services-
Creating secure SOAP web services is as simple as adding security layers to your SOAP headers. You can add a security credential to the SOAP header, including username and password, as variables.
Some best practices to ensure that your API is secured are-

Regular Testing-
In this IoT era, few people perform regular testing on all devices connected to their server networks. You must implement testing procedures to ensure your SOAP API stands up to common threats and to highlight vulnerabilities that hackers may exploit. Some types of tests include injection testing and fuzz testing. The former determines how your API reacts to unexpected input, while the latter detects vulnerable points where ransomware or malicious code can be introduced.

Identity and Access Management (IAM)-
This is the basic layer of any cybersecurity protocol. It includes everything from usernames and passwords to advanced authentication techniques like two-step verification. IAM should prevent external users from accessing the application outside hours or stealing session tokens and gaining entry into the sessions.

Request Monitoring-
This involves monitoring SOAP messaging and requests for abnormalities, so that you can quickly identify and resolve any data leaks or vulnerabilities. It uses logging systems, which you can regularly check for any irregularities.

Input Validation-
In SOAP, input validation is divided into SOAP response validation and schema compliance validation. The former ensures that the response to the SOAP message follows the correct format, and the latter ensures that the message follows the XML schema and the Web Service Description Language (WSDL).
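The "Secure Web Services" section above describes putting a username and password credential in the SOAP header, and the "Input Validation" section describes checking an incoming message's structure. The following is an added example, not part of the original notes, that does both with Python's standard xml.etree module: it builds a SOAP 1.1 envelope whose header carries a WS-Security UsernameToken, then shows the structural checks a receiver would apply before acting on a message (envelope, header and body present with the right namespaces, exactly one operation in the body, a size limit to address the oversized-message DoS item). The endpoint, user, password and limit are constructed; a real receiver would additionally validate the body against its WSDL/XML Schema, which is not shown.

```python
# Added example (not from the original notes): a SOAP 1.1 envelope with a
# WS-Security UsernameToken header, and the structural validation a receiver
# applies before trusting the message. User, password and limits are made up.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("wsse", WSSE_NS)

MAX_MESSAGE_BYTES = 64 * 1024   # constructed limit for this example


def build_envelope(username: str, password: str, body_xml: str) -> bytes:
    """Sender side: wrap an operation in an Envelope whose Header carries a
    wsse:Security/UsernameToken with the credential as child elements."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    security = ET.SubElement(header, f"{{{WSSE_NS}}}Security")
    token = ET.SubElement(security, f"{{{WSSE_NS}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE_NS}}}Username").text = username
    ET.SubElement(token, f"{{{WSSE_NS}}}Password").text = password
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    body.append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="utf-8")


def validate_envelope(raw: bytes) -> dict:
    """Receiver side: enforce size and structure, then return the credential
    and the operation name; raise ValueError on anything unexpected."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise ValueError("message exceeds size limit")
    # A production receiver should parse with a hardened XML parser
    # (e.g. defusedxml) to rule out entity-expansion attacks.
    root = ET.fromstring(raw)
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        raise ValueError("root element is not a SOAP Envelope")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        raise ValueError("Envelope must contain a Body with exactly one operation")
    token = root.find(
        f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken"
    )
    if token is None:
        raise ValueError("missing wsse:UsernameToken")
    username = token.findtext(f"{{{WSSE_NS}}}Username")
    password = token.findtext(f"{{{WSSE_NS}}}Password")
    if not username or not password:
        raise ValueError("UsernameToken must carry Username and Password")
    return {"username": username, "password": password, "operation": body[0].tag}


if __name__ == "__main__":
    msg = build_envelope(
        "alice", "constructed-password",
        "<p:GetPrice xmlns:p='urn:example:prices'><item>42</item></p:GetPrice>",
    )
    print(msg.decode())
    print(validate_envelope(msg))
```

A plain-text password in the header is only acceptable over TLS; WS-Security also defines a digest form of the token, and the same Security header is where XML signatures and encryption listed under "Basic Security for SOAP Services" are carried.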
Redundant Security Standards-
There are many places of overlap in the SOAP, XML, and WSDL standards. The purpose of redundant security standards is to provide insurance in these areas of overlap. With them in place, you have less chance of exposing sensitive data and a better chance of identifying vulnerabilities before hackers exploit them.
Identity Management and Web Services-
Identity management (IdM), also known as identity and access management (IAM), ensures that authorized people, and only authorized people, have access to the technology resources they need to perform their job functions. It includes policies and technologies that encompass an organization-wide process to properly identify, authenticate, and authorize people, groups of people, or software applications through attributes including user access rights and restrictions based on their identities.

An identity management system prevents unauthorized access to systems and resources, helps prevent exfiltration of enterprise or protected data, and raises alerts and alarms when access attempts are made by unauthorized personnel or programs, whether from inside or outside the enterprise perimeter. Identity management has gained importance over the past decade due to the growing number of global regulatory, compliance, and governance mandates that seek to protect sensitive data from exposure of any kind.

What is the difference between identity management and access management?

Identity Management-
A digital identity is the key to access. Identities contain information and attributes that define a role, specifically provide or deny access to a given resource, and inform others in the organization who or what that identity belongs to, how to contact them if a person, and where they fit in the overall enterprise hierarchy. Creating an identity can have ripples throughout the organization, for example by creating an email account, setting up an employee record, or generating an entry in an organization chart. Identities are living things in that they can change over time, for example if an employee takes a new role or moves to a new work location.

Access Management-
Access management is the authentication of an identity that is asking for access to a particular resource, and access decisions are simply the yes or no decision to grant that access. This can be a tiered process, with access services that determine whether a user is authorized for any access on the network at all, and lower tiers of access that determine whether the identity in question should be granted access to specific servers, drives, folders, files, and applications.

The difference between identity management and access management can be simplified like this:
•IDENTITY management is all about managing the attributes related to the USER, group of users, or other identity that may require access from time to time.
•ACCESS management is all about evaluating those attributes based on existing policies and making a yes or no access decision based upon those attributes.
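The identity/access split above maps directly onto code: one structure holds what is known about an identity, another holds policies, and a decision function evaluates the first against the second. The following is an added example, not part of the original notes, that models the tiered, deny-by-default decision the "Access Management" section describes and records every refusal so that unauthorized attempts can raise an alert. The identities, resources and policies are constructed.

```python
# Added example (not from the original notes): identity records, access
# policies, and a tiered deny-by-default access decision with an audit trail.
# All identities, resources and policies below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Identity:
    """Identity management: the attributes known about a user or service."""
    name: str
    roles: Set[str] = field(default_factory=set)
    location: str = "office"
    active: bool = True          # False once the person leaves or is suspended


@dataclass
class Policy:
    """One access rule: which roles may perform an action on a resource,
    and from which network locations."""
    resource: str
    action: str
    allowed_roles: Set[str]
    allowed_locations: Set[str] = field(default_factory=lambda: {"office", "vpn"})


class AccessManager:
    """Access management: evaluates identity attributes against policies and
    returns a yes/no decision. Anything not explicitly allowed is denied."""

    def __init__(self, policies: List[Policy]) -> None:
        self._policies: Dict[Tuple[str, str], Policy] = {
            (p.resource, p.action): p for p in policies
        }
        self.audit_log: List[str] = []

    def decide(self, identity: Identity, resource: str, action: str) -> bool:
        # Tier 1: is this identity allowed on the network at all?
        if not identity.active:
            return self._deny(identity, resource, action, "identity disabled")
        # Tier 2: is there any policy covering this resource and action?
        policy = self._policies.get((resource, action))
        if policy is None:
            return self._deny(identity, resource, action, "no policy")
        # Tier 3: evaluate the identity's attributes against that policy.
        if not identity.roles & policy.allowed_roles:
            return self._deny(identity, resource, action, "role not permitted")
        if identity.location not in policy.allowed_locations:
            return self._deny(identity, resource, action, "location not permitted")
        self.audit_log.append(f"ALLOW {identity.name} {action} {resource}")
        return True

    def _deny(self, identity: Identity, resource: str, action: str, why: str) -> bool:
        # Every refusal is recorded; a monitoring system would alert on these.
        self.audit_log.append(f"DENY {identity.name} {action} {resource}: {why}")
        return False


def demo() -> List[bool]:
    """Five requests against two constructed policies."""
    manager = AccessManager([
        Policy("hr-db", "read", {"hr", "admin"}),
        Policy("hr-db", "write", {"admin"}, allowed_locations={"office"}),
    ])
    alice = Identity("alice", roles={"hr"})
    bob = Identity("bob", roles={"admin"}, location="vpn")
    carol = Identity("carol", roles={"admin"}, active=False)   # has left
    return [
        manager.decide(alice, "hr-db", "read"),     # True
        manager.decide(alice, "hr-db", "write"),    # False: role
        manager.decide(bob, "hr-db", "write"),      # False: location (vpn)
        manager.decide(carol, "hr-db", "read"),     # False: disabled identity
        manager.decide(bob, "payroll", "read"),     # False: no policy
    ]


if __name__ == "__main__":
    print(demo())
```

Note that changing an identity (disabling carol, moving bob to the office) changes the outcome without touching any policy, which is exactly the separation of concerns the notes describe.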
Web service-
A web service is a set of open protocols and standards that allow data to be exchanged between different applications or systems. Web services can be used by software programs written in a variety of programming languages and running on a variety of platforms to exchange data via computer networks such as the Internet, in a similar way to inter-process communication on a single computer.

Any software, application, or cloud technology that uses standardized web protocols (HTTP or HTTPS) to connect, interoperate, and exchange data messages – commonly XML (Extensible Markup Language) – across the Internet is considered a web service. Web services have the advantage of allowing programs developed in different languages to connect with one another by exchanging data over a web service between clients and servers. A client invokes a web service by submitting an XML request, to which the service responds with an XML response.

Functions of Web Services-
•It is possible to access it via the Internet or intranet networks.
•It uses a standardized XML messaging protocol.
•It is operating system and programming language independent.
•Using the XML standard, it is self-describing.
•A simple location approach can be used to locate it.

Components of Web Service-
XML and HTTP form the most fundamental web services platform. The following components are used by all typical web services:

SOAP (Simple Object Access Protocol)-
SOAP stands for "Simple Object Access Protocol." It is a transport-independent messaging protocol. SOAP is built on sending XML data in the form of SOAP messages.

UDDI (Universal Description, Discovery, and Integration)-
UDDI is a standard for specifying, publishing and discovering a service provider's online services. It provides a specification that aids in the hosting of data via web services. UDDI provides a repository where WSDL files can be hosted so that a client application can discover a WSDL file to learn about the various actions that a web service offers.

WSDL (Web Services Description Language)-
If a web service can't be found, it can't be used. The client invoking the web service should be aware of the location of the web service. Second, the client application must understand what the web service does in order to invoke the correct web service. The WSDL, or Web Services Description Language, is used to accomplish this.

How Does Web Service Work?
The diagram depicts a very simplified version of how a web service would function. The client would use requests to send a sequence of web service calls to a server that hosts the actual web service. Remote procedure calls are used to make these requests; calls to methods hosted by the relevant web service are known as Remote Procedure Calls (RPC).

Example: Flipkart offers a web service that displays prices for items offered on Flipkart.com. The front end or presentation layer can be written in .NET or Java, and the web service can be communicated with using either programming language.
Characteristics of Web Service-
Web services have the following features:

XML Based: The information representation and record transportation layers of a web service employ XML. There is no need for networking, operating system, or platform binding when using XML. At the middle level, web service-based applications are highly interoperable.

Loosely Coupled: A consumer of a web service isn't necessarily directly linked to that service provider. The interface of a web service provider can change over time without impacting the consumer's ability to interact with the service provider.

Capability to be Synchronous or Asynchronous: Synchronicity refers to the client's binding to the function's execution. In synchronous invocations, the client is blocked and has to wait for the service to complete its operation before continuing. Asynchronous operations allow a client to invoke a task and then continue with other tasks.

Supports Remote Procedure Call: Consumers can use an XML-based protocol to call procedures, functions, and methods on remote objects using web services. A web service must support the input and output framework exposed by remote systems.

Supports Document Exchange: One of XML's most appealing features is its simple approach to representing data and complex entities. These documents can be as simple as a current address or as complex as an entire book or a Request for Quotation. Web services facilitate the simple exchange of documents, which aids business integration.

Advantages of Web Service-
Using web services has the following advantages:

Business Functions can be exposed over the Internet: A web service is a managed code component that delivers functionality to client applications or end users. This capability can be accessed over the HTTP protocol, which means it can be accessed from anywhere on the Internet. Because all apps are now accessible via the Internet, web services have become increasingly valuable.

Interoperability: Web services allow diverse apps to communicate with one another and exchange information and services. Different apps can also make use of web services. A .NET application, for example, can communicate with Java web services and vice versa. Web services are used to make applications platform and technology independent.

Reusability: A single web service can be used simultaneously by several client applications.

Communication with Low Cost: Because web services employ the SOAP over HTTP protocol, you can use your existing low-cost Internet connection to implement them. Web services can also be developed using other dependable transport protocols, such as FTP, in addition to SOAP over HTTP.

A Standard Protocol that Everyone Understands: Web services communicate via a defined industry protocol. In the web services protocol stack, all four layers (Service Transport, XML Messaging, Service Description, and Service Discovery) use well-defined protocols.
Authorization Patterns-
These are security mechanisms that you can use to decide your client's privileges related to system resources. These system resources could be files, services, data, and application features, and the decision is built on your client's identity.

Authentication patterns are the various patterns that help in recognizing a user's or system's identity, for example OIDC (OpenID Connect) for user authentication. OpenID Connect is a profile built on top of OAuth 2.0: OAuth 2.0 is about access delegation, while OpenID Connect is about authentication.

Authorization is a function of the policy definition phase, which comes before the policy enforcement phase, in which access requests are accepted or denied depending on the authorizations that have been defined previously.

Authorization Types-
There are four types of authorization:
• API keys
• Basic Auth
• HMAC
• OAuth

API keys-
In order to utilize most APIs, you must first sign up for an API key. The API key is a long string that is typically included in the request URL or a header. The API key is mostly used to identify the person who is performing the API call (authenticating you to use the API). The API key could also be linked to a specific app you've registered. You may receive both public and private keys from APIs. The public key is normally included in the request, whereas the private key is used primarily for server-to-server communication and is treated more like a password.
Basic Auth-
Basic Auth is another type of authorization. With this method, the sender inserts a username:password pair into the request header. Base64 is an encoding technique that turns the login and password into a string drawn from a set of 64 characters so that it can be carried in the header. APIs that support Basic Auth will also support HTTPS, which encrypts the message content within the HTTP transport protocol. (Without HTTPS, attackers could easily decipher the username and password.)

When the API server receives the message, it decrypts it and checks the header. After decoding the string and assessing the username and password, it chooses whether to accept or refuse the request.
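Here is what the two sides of Basic Auth do with the Authorization header, as an added example that is not part of the original notes. It uses only the Python standard library. The credential store is constructed for the example and holds a salted PBKDF2 hash rather than the password itself; the comparison is constant-time so that timing does not leak how much of a guess was right. Because Base64 is trivially reversible, the header must only ever travel over HTTPS, as the notes say.

```python
# Added example (not from the original notes): client-side encoding and
# server-side checking of HTTP Basic Auth. The user store is constructed.
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the server stores this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed store: username -> (salt, password hash). One fixed-per-process
# salt is also kept so unknown users cost the same time as wrong passwords.
_DUMMY_SALT = os.urandom(16)
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _hash_password("correct horse battery staple", _ALICE_SALT))}


def encode_basic(username: str, password: str) -> str:
    """Client side: the header value a browser or API client sends."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """Server side: recover (username, password) from the header value,
    or None if the scheme is wrong or the token is not valid Base64/UTF-8."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Only the first colon separates the fields; passwords may contain colons.
    username, sep, password = raw.partition(":")
    return (username, password) if sep else None


def authenticate(header_value: str) -> bool:
    """Accept or refuse a request based on its Authorization header."""
    creds = decode_basic(header_value)
    if creds is None:
        return False
    username, password = creds
    entry = USERS.get(username)
    if entry is None:
        _hash_password(password, _DUMMY_SALT)   # same cost as a real check
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash_password(password, salt), expected)


if __name__ == "__main__":
    header = encode_basic("alice", "correct horse battery staple")
    print(header)
    print("accepted:", authenticate(header))
```

The dummy hash on the unknown-user path keeps the response time the same whether the username exists or not, so an observer cannot enumerate valid accounts by timing.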
HMAC-
HMAC stands for Hash-based Message Authentication Code. It is a signature-style algorithm designed to reuse a message digest algorithm such as MD5 or SHA-1 and provide an efficient data integrity mechanism. As HMAC protects plain text in a secure manner, it is used in the Secure Sockets Layer protocol and SSL certificates, and it has been chosen as a mandatory security implementation for the Internet protocol, i.e. IP.
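The following is an added example, not part of the original notes, showing HMAC used as an API authorization mechanism: the client signs a canonical form of its request with a shared secret, and the server recomputes the tag and compares it in constant time, also rejecting stale timestamps so a captured request cannot simply be replayed. One point worth being precise about: HMAC provides integrity and origin authentication, not confidentiality; the request still travels in the clear unless TLS is used as well. The secret, timestamp and request are constructed.

```python
# Added example (not from the original notes): HMAC-SHA256 request signing
# and verification with a shared secret. Secret, timestamp and request are
# constructed for the example.
import hashlib
import hmac
import time
from typing import Optional

SECRET = b"constructed-shared-secret-do-not-reuse"
MAX_SKEW_SECONDS = 300   # requests older (or newer) than this are refused


def canonical(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Fixed serialization of the request. Both sides must sign exactly the
    same bytes, so the layout is pinned down here once."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method}\n{path}\n{timestamp}\n{body_hash}".encode("utf-8")


def sign(secret: bytes, method: str, path: str, timestamp: int, body: bytes) -> str:
    """Client side: the tag sent alongside the request (e.g. in a header)."""
    return hmac.new(secret, canonical(method, path, timestamp, body), hashlib.sha256).hexdigest()


def verify(secret: bytes, method: str, path: str, timestamp: int, body: bytes,
           signature: str, now: Optional[int] = None) -> bool:
    """Server side: recompute the tag and compare in constant time.

    The timestamp window limits replay of a captured request; it does not
    replace a per-request nonce where exact-once delivery matters.
    """
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False
    expected = sign(secret, method, path, timestamp, body)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    ts = int(time.time())
    body = b'{"item": 42, "qty": 1}'
    tag = sign(SECRET, "POST", "/orders", ts, body)
    print("signature:", tag)
    print("valid:", verify(SECRET, "POST", "/orders", ts, body, tag))
    print("tampered:", verify(SECRET, "POST", "/orders", ts, b'{"item": 42, "qty": 99}', tag))
```

Anything the server must trust (method, path, body, timestamp) has to be inside the signed canonical form; a field left out of it can be altered in transit without invalidating the tag.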
OAuth-
Another type of authorization is OAuth, an open access delegation standard that allows Internet users to grant websites or applications access to their information on other websites without having to give them their passwords. Companies like Amazon, Google, Facebook, Microsoft, and Twitter employ this technology to let users exchange information about their accounts with third-party applications or websites. On behalf of a resource owner, OAuth grants clients "secure delegated access" to server resources. It outlines how resource owners can grant third-party access to their server resources without having to provide credentials.
The top cyber security problems organizations are facing-
Cyber security problems can range from things as granular as out-of-date software to large-scale struggles like a lack of support from leadership teams. The following is a sampling of the most common issues:

•Recognizing that you are a target-
Small organizations don't always realize that their assets and data are still attractive to cyber criminals. "In our modern economy, most companies have things that attackers want—information and money. Cyber threats face organizations of every size."

•Failure to inform employees of threats-
You can spend all the money you want on antivirus, intrusion detection, next-generation filters and other technologies, but all this technology will be nearly useless if you don't focus on educating your staff first. "If your staff is not aware of these scams and how to identify them, you're still vulnerable."

"This may have been many people's first time working from home," Harris says. "Many simply do not know how to stay safe and prevent cyber attacks like ransomware. They don't have someone next to them at the office to ask if the email they just received is legitimate or if this website looks safe to download a file from."

•Data breaches due to remote work-
With more people working from home and other locations outside the office, there is a greater chance of breaches from "a perimeter-less environment." Connections to other networks, with non-approved devices, can happen in these situations.

•Ransomware attacks-
Ransomware is a type of malware that can encrypt files on a device, making them inaccessible or unusable. Once the files are corrupted, the attackers then demand a "ransom" in exchange for decryption. At times, the attacker will threaten to expose or sell the information should the ransom, which is usually demanded in cryptocurrency, not be paid.

•Losing sight of the backup plan-
"Most companies don't see backups as part of their cyber security initiative." He explains that people often rely on systems or services to keep their data protected and forget to consistently back up their data as a fail-safe. "The system should be built in a way that assumes all other services will eventually fail and backups will be required."

•Lack of a corporate security program-
"One surprisingly prevalent issue that companies face when it comes to security is their lack of a formal corporate security program." Every company, no matter the size, should have a corporate security policy outlining acceptable use, incident response, physical security and at least a dozen more areas.

•Treating cyber security like an IT issue instead of a financial issue-
Many business leaders still treat cyber security like an IT issue, when these days it's really about the bottom line. "At its core, cyber security attacks are a financial issue. Data shows that the average cost of a data breach is about $4 million."

•Lack of information security representation on the board-
Many companies have very robust policies and procedures for their business processes. "That is something sophisticated board members can understand. But IT is a different language for a businessperson, and unfortunately, most board members ignore or defer these issues."
