Chapter 1: Information Security
Index

1.1. Application Security
1.2. Introduction to Infrastructure Security
1.3. Cryptography & Malwares
1.4. Network Security Components & Identifying suspicious activities

1.1. Application Security

1. Objective

The objective of this chapter is to introduce the following concepts:

Information Security and its users
Application Security
Application Security Testing
Two examples of vulnerabilities (SQL injection and cross-site scripting)
Vulnerability management
Mobile Security

2. Information Security

Information security is a strategy that combines processes, technology and policies to protect
organisational and personal information, both at rest and in transit. A breach of any of the three
properties below may lead to the loss of a resource or asset. It is the set of practices and procedures
a business uses to ensure:

Confidentiality
Integrity
Availability

Fig 1. Three pillars of information security (CIA)

2.1. Confidentiality
Confidentiality means preventing the disclosure of information to unauthorised individuals or systems.
For example, if an employee who is not authorised to do so is able to view payroll data, that is a loss
of confidentiality. Similarly, if an attacker is able to access a customer database containing names and
credit card numbers, that is also a loss of confidentiality.

Confidentiality is related to the broader concept of data privacy. One of its underlying principles is
"need-to-know", also called "least privilege": each user or process is granted only the access its task
requires. Confidentiality is designed to keep sensitive information away from the wrong people while
making sure that the right people can in fact get it. If an authentication credential such as a user ID
and password is exposed to an unauthorised user, the whole system may be compromised, because the
system can no longer tell the attacker apart from the legitimate user.

In short, confidential information must not be accessible to unauthorised users.

Cryptography, and encryption in particular, is an example of a control used to preserve the
confidentiality of data transferred from one computer to another (and of data at rest).

2.2. Integrity

Integrity means that information cannot be altered by a user or program that is not authorised to
alter it. For example, if a file is infected with a virus, the file has lost integrity. Similarly, if a
message within an email is modified in transit, the email has lost integrity.

Data integrity can be compromised in many ways. Human error in data entry is one of the top causes.
Another is an unreliable communications medium corrupting data during transmission. Software bugs
and viruses can also compromise data integrity.

A common method of protecting data integrity is to compute a hash of the data you receive and compare
it with the hash of the original message: any change to the data changes the hash. Note, however, that a
plain hash only detects accidental corruption. An attacker who can modify the message in transit can
simply recompute the hash of the modified message, so against a deliberate adversary the hash must be
keyed (a message authentication code such as HMAC) or digitally signed, so that only the holder of the
key can produce a valid value.
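The following added example (not code from the course page) shows that difference in Python. It constructs a small JSON payment message, lets an in-path attacker change the amount, and checks whether the receiver notices: with a plain SHA-256 the attacker recomputes a matching hash and the tampered message is accepted; with HMAC-SHA256 under a key the attacker does not have (the key below is an assumed shared secret) the forgery is rejected.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Added example, not code from the course page. The key is an assumed shared
# secret that sender and receiver exchanged out of band; the attacker on the
# wire does not know it.
SECRET_KEY = b"shared-secret-known-only-to-sender-and-receiver"


def unkeyed_tag(message: bytes) -> str:
    """Plain SHA-256 of the message: detects accidental corruption only."""
    return hashlib.sha256(message).hexdigest()


def keyed_tag(message: bytes, key: bytes = SECRET_KEY) -> str:
    """HMAC-SHA256: without the key an attacker cannot compute a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(message: bytes, tag: str, keyed: bool) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    expected = keyed_tag(message) if keyed else unkeyed_tag(message)
    return hmac.compare_digest(expected, tag)


def attacker_tamper(message: bytes, tag: str, keyed: bool) -> tuple[bytes, str]:
    """In-path attacker: change the amount and try to produce a matching tag."""
    data = json.loads(message)
    data["amount"] = 99999
    forged = json.dumps(data, sort_keys=True).encode()
    if keyed:
        # No key available: the best the attacker can do is replay the old tag.
        return forged, tag
    # Unkeyed hash: just recompute it over the modified message.
    return forged, unkeyed_tag(forged)


def demo(keyed: bool) -> bool:
    """Return True if the receiver accepts the tampered message."""
    original = json.dumps({"to": "alice", "amount": 10}, sort_keys=True).encode()
    tag = keyed_tag(original) if keyed else unkeyed_tag(original)
    tampered, forged_tag = attacker_tamper(original, tag, keyed)
    return verify(tampered, forged_tag, keyed)


if __name__ == "__main__":
    print("unkeyed hash, tampered message accepted:", demo(keyed=False))
    print("HMAC, tampered message accepted:", demo(keyed=True))
```

hmac.compare_digest is used for the comparison because a plain string comparison returns as soon as the first differing byte is found, which leaks timing information an attacker can use to guess a valid tag byte by byte.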

2.3. Availability

Availability means that information is accessible whenever it is needed or requested. For example, if a
web site is not operational when a customer wants to purchase a product, the web site has suffered a
loss of availability. Denying access to information has become a very common attack. Almost every week
there is news of a high-profile web site being taken down by a DoS (denial-of-service) attack. The
primary aim of a DoS attack is to deny the service to its legitimate consumers.

A vulnerability, or weakness, in a system is defined in terms of which of these three properties it can
compromise. The people who find and use such vulnerabilities fall into three major groups:

3. Information security personnel

a) Black-hat hackers, or black hats, are hackers who violate computer security for personal gain (such
as stealing credit card numbers or harvesting sensitive user data for sale to identity thieves) or out of
pure malice.

b) White-hat hackers are the opposite of black hats. They are the ethical hackers: experts in
compromising computer security systems who use their abilities for good, ethical and legal purposes,
typically with the explicit permission of the system owner, rather than for bad, unethical and criminal
purposes.

c) A grey-hat hacker falls somewhere between a black hat and a white hat. A grey hat does not work for
personal gain or to cause damage, but may technically commit crimes (for example, probing systems
without permission) and do arguably unethical things.

4. Application Security

Application security is the collective set of security practices used to protect the resources an
application depends on, such as databases, Active Directory and the file system, from external threats.
Security has become an increasingly important concern during application development, not only after
software design in the SDLC, because applications are accessible over networks and therefore exposed
to a wide variety of threats. Vulnerability assessment and penetration testing are conducted to
minimise the risk from those threats. More about them is given below.

5. Vulnerability Assessment (VA) & Penetration Testing (PT)

Vulnerability assessment and penetration testing is a process in which the systems in an IT
environment, such as computers, applications and networks, are examined to identify the vulnerabilities
present in them.

A vulnerability assessment is a service designed to analyse the application in scope and find areas where
an attack is more likely to succeed, without necessarily exploiting the issues located. Specifically, a
vulnerability assessment will typically investigate whether the latest security fixes are applied,
whether the system is configured in a manner that makes attack more difficult, and whether the system
exposes any information that an attacker could use to gain leverage against other systems in the
environment.

A penetration test attempts to exploit the vulnerabilities in a system to determine whether unauthorised
access or other malicious activity is possible, and to identify which flaws pose a real threat to the
application. Penetration tests find exploitable flaws and measure the severity of each. A penetration
test is meant to show how damaging a flaw could be in a real attack rather than to find every flaw in a
system. Together, penetration testing and vulnerability assessment provide a detailed picture of the
flaws that exist in an application and the risks associated with those flaws.

6. Application Security basics

As infrastructure grows, high-end devices make ever more complex applications available. Applications
ranging from native thin clients to thick clients, and from simple to complex web applications, give an
attacker a larger surface to attack. All security flaws related to an application come under application
security. An application security weakness is the origin of a flaw; once it is confirmed to be
exploitable it becomes a vulnerability. More details are given below.

6.1. Weakness
A weakness is a code-level flaw in the application that may allow an attacker to gain access to it. It
may or may not be exploitable, since exploitation sometimes depends on other factors. Each class of
weakness is registered in the CWE (Common Weakness Enumeration) catalogue, maintained by MITRE, with a
unique identifier of the form CWE-NNN (for example, SQL injection is CWE-89 and cross-site scripting is
CWE-79).

6.2. Vulnerability
A vulnerability is a confirmed weakness that can be exploited; in severe cases an attacker can
compromise the CIA properties of the IT asset. Most publicly known vulnerabilities are listed in the CVE
(Common Vulnerabilities and Exposures) list, also maintained by MITRE. Each vulnerability is identified
by a CVE ID of the form CVE-YYYY-NNNN, where YYYY is the year the ID was assigned or the vulnerability
was published, and NNNN is a sequence number of four or more digits (for example, CVE-2014-0160).

6.3. OWASP & SANS


The Open Web Application Security Project (OWASP) is a non-profit organisation and a global leader in
the field of application security. On its platform security researchers share their work in the form of
whitepapers, tools, proofs of concept (PoC) and security advisories.

Every few years OWASP publishes its Top 10, a list of the most critical web application vulnerability
categories, based on data gathered through surveys and observation. The latest Top 10 is available at
the link below.

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

SANS (originally SysAdmin, Audit, Network, and Security) is a global institute that runs training and
awareness programmes in information security across the world. SANS does not maintain the CWE
repository (MITRE does), but it co-published with MITRE the CWE/SANS Top 25 Most Dangerous Software
Errors, a ranked list of the most widespread and critical weaknesses.

7. Application Security Testing

Security testing is a type of software testing that aims to uncover vulnerabilities in a system and to
establish that its data and resources are protected from possible intruders. Security testing checks that
the systems and applications of an organisation are free from loopholes that could cause a major loss.
The goal of security testing is to identify the threats to the system and to measure the likelihood and
impact of the vulnerabilities it finds. It also helps in detecting potential security risks in the system
and helps developers remove them in code. Typical security requirements cover confidentiality,
integrity, authentication, availability, authorisation and non-repudiation. The requirements actually
tested depend on those implemented by the system.

There are three major approaches to security testing, elaborated below.
Fig 2. Types of testing methods

7.1. Blackbox Testing

In this method the tester looks only at the available inputs of an application and the outputs that
should result from each input, without any knowledge of the internal workings; the tester exercises the
application from the outside, as an external attacker would, to see whether a particular output can be
obtained. An everyday analogy of a black-box system is a search engine: you enter the text you want to
search for and click Search, and results are returned. You do not see the process used to obtain the
results; you only see that providing an input (a search term) produces an output (the results).

7.2. Whitebox Testing

This technique looks under the cover and into the subsystems of an application: the tester has access to
the source code, design documents and configuration, and can see what is happening inside. It provides
a degree of thoroughness that is not available with black-box testing, since the tester can refer to and
interact with the objects that make up the application rather than only the user interface.
An analogy from hardware is in-circuit testing, where the interconnections between each component are
inspected and each internal connection is verified to be working properly. Another, from a different
field, is a mechanic who looks at the inner workings of a car to ensure that all of the individual parts
work correctly so that the car drives properly.

7.3. Greybox Testing

Grey-box testing is an effective combination of the black-box and white-box methodologies: the tester
has limited knowledge of what is happening inside the application (for example, credentials for a
normal user account and a description of the architecture, but not the full source code).

8. Approach to Automated & Manual Testing

The testing activities above are carried out both with automated tools and with manual skills.
Automated and manual testing have different approaches: automated scanners quickly cover a large
surface for known vulnerability patterns, while manual testing is needed for logic flaws and for
confirming and chaining the findings.

Details are given below:


9. Top Vulnerabilities

To date, an uncountable number of vulnerabilities has been disclosed. For example, an authentication
vulnerability in an Apache server may allow an attacker to log in as a privileged user and do whatever
he or she wants. Among the widespread vulnerabilities, let us discuss two of the top-rated ones.

9.1. SQL Injection

SQL stands for Structured Query Language. It is used to query, operate, and administer database systems
such as Microsoft SQL Server, Oracle, or MySQL.

Database systems provide the backend functionality of a web application. In support of web
applications, user-supplied data is often used to dynamically build the SQL statements that interact
directly with the database. This is where the vulnerability arises: through some simple queries, an
attacker can obtain confidential information from an application that is vulnerable to SQL injection.
Before going further, let us look at the possible consequences of SQL injection.

A successful SQL injection can reveal sensitive data to the attacker.
An attacker can modify the application's database, which can lead to manipulation of user information.
For example, an attack on the database can delete a bank's list of customers.
Such an attack can also execute administrative operations on the database, which means the attacker
may be able to shut the database down and thus create a denial-of-service scenario.

The next question is: how does an attacker perform SQL injection?

In order to run malicious SQL queries against a database server, an attacker first finds an input to the
web application that is included inside an SQL query. Common examples are search fields and login
pages where proper input validation is not implemented.

Here is a server-side pseudo-code that is used to authenticate users to the web application.

Fig 3. How SQL injection goes

# Define POST variables
uname = request.POST['username']
passwd = request.POST['password']
# SQL query vulnerable to SQLi: the user-supplied values are concatenated straight into the statement
sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"
# Execute the SQL statement
database.execute(sql)

The script above is a simple example of authenticating a user with a username and a password against a
database with a table named users that has a username and a password column.

The script is vulnerable to SQL injection because an attacker can submit input that alters the SQL
statement executed by the database server.

A simple example of an SQL injection payload is setting the password field to

password' OR '1'='1

This results in the following SQL query being run against the database server:

SELECT id FROM users WHERE username='username' AND password='password' OR '1'='1'

Because AND binds more tightly than OR, the WHERE clause is evaluated as (username='username' AND
password='password') OR '1'='1', which is true for every row. The query therefore returns an id without
a valid password, typically that of the first user in the table, and the attacker is logged in. With such
queries an attacker can run SQL of their own choosing through the application.

Below are two cyber-attacks in this category that were recent at the time of writing, as reported by
analysts:

1. http://thehackernews.com/2015/02/TalkTalk-hack-data-breach.html
2. http://www.bbc.com/news/technology-34963686

9.2. SQL Injection measures

SQL injection exploits happen when specially crafted user input is fed to a web application, directly
concatenated into a dynamic SQL query, and interpreted as SQL code by the database engine. If we
prevent this from happening, the application is secure with respect to SQL injection. The following
measures are generally taken to prevent it:

1. Input validation and whitelisting of values. The primary cause of SQLi and many other issues is
unvalidated user input, so the first line of defence is validating user input. Validation on the client
side improves usability only; an attacker can bypass it with a proxy or by sending requests directly, so
the validation that counts is on the server side. Prefer a whitelist, i.e. specify exactly which values or
character patterns are acceptable (for example, a username may contain only letters, digits and a few
punctuation characters) and reject everything else.

2. Parameterised SQL queries (prepared statements). In a parameterised query, user input is never
pasted into the SQL text; the query is written with placeholders, and the values are passed to the
database driver separately. The database engine then knows that whatever is bound to a placeholder is
a value and not code, so even malicious input is treated as data only and cannot change the structure
of the query. This is the primary defence against SQL injection.

3. Stored procedures. Similar to variables used to store values, stored procedures are a named set of
compiled SQL statements (typically performing one function) stored in the database. Their primary
purpose is reusability: the name can be used to execute the statements without rewriting them. For
securing a web application, the SQL code is defined in the database beforehand; the application sends
only the procedure's name and a list of parameters, and the user input placed in those parameters is
treated as data. Stored procedures are therefore a form of parameterised query, with the caveat that a
procedure which itself builds dynamic SQL by string concatenation (for example, with EXEC or
EXECUTE IMMEDIATE) is just as injectable as application code.

4. Escaping user input. Every DBMS has its own character-escaping rules, and escaping user-supplied
input according to those rules prevents the DBMS from confusing data with SQL code. However, this
should not be the only defence against SQLi, because in some cases (numeric parameters that are not
quoted, or character-set quirks) it can be bypassed.
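The following added example (not code from the course page) puts measures 1 and 2 next to the vulnerable pattern from the pseudo-code, using Python's built-in sqlite3 module and a constructed in-memory users table. The string-built query accepts the page's payload and a comment-based one (admin' --), the parameterised query treats both as literal text, and a whitelist validator rejects them before the database is ever reached.

```python
from __future__ import annotations

import re
import sqlite3

# Added example, not code from the course page. It builds a constructed
# in-memory SQLite "users" table (the page's table name) so it runs offline.
# Passwords are stored in clear text only to mirror the page's pseudo-code; a
# real application stores a salted password hash and compares after lookup.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("bob", "hunter2")],  # constructed sample rows
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, uname: str, passwd: str):
    """The page's pattern: user input concatenated into the SQL text."""
    sql = (
        "SELECT id FROM users WHERE username='" + uname
        + "' AND password='" + passwd + "'"
    )
    return conn.execute(sql).fetchone()


def login_parameterised(conn: sqlite3.Connection, uname: str, passwd: str):
    """Placeholders: the driver passes the values separately from the SQL,
    so a quote in the input can never terminate the string literal."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (uname, passwd)).fetchone()


# Whitelist: the only characters a username may contain, and a length cap.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def valid_username(uname: str) -> bool:
    return USERNAME_RE.fullmatch(uname) is not None


def login(conn: sqlite3.Connection, uname: str, passwd: str):
    """Defence in depth: server-side whitelist validation, then a
    parameterised query. Returns the user's id row or None."""
    if not valid_username(uname):
        return None
    return login_parameterised(conn, uname, passwd)


if __name__ == "__main__":
    db = make_db()
    payload = "password' OR '1'='1"  # the page's payload
    print(login_vulnerable(db, "nobody", payload))      # (1,): logged in as admin
    print(login_vulnerable(db, "admin' --", "wrong"))   # (1,): password check commented out
    print(login_parameterised(db, "nobody", payload))   # None
    print(login(db, "admin' --", "wrong"))              # None: rejected by the whitelist
```

The second payload shows why the whitelist is still worth having on top of parameterisation: a username containing a quote or comment sequence has no legitimate use, so rejecting it early keeps such input out of logs, error messages and any other query path that a later developer might build without placeholders.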

9.3. XSS or Cross site scripting

Another widespread vulnerability is XSS, which stands for Cross-Site Scripting. It is a vulnerability in
web applications that allows attackers to insert client-side scripts into pages served to other users.
When such a script is injected into the web application, it is executed by the victim's browser in the
context of the application.

Take for example a simple script like <script>alert('hi')</script>

Fig 4. Client side script execution

If an attacker can get such a script into a web page, the script runs with the same privileges as the
application's own code in the victim's browser, so the attacker can do anything the logged-in user can
do. Instead of a harmless alert showing "hi", the attacker can insert code that redirects the user to
another site, reads the page, or sends the user's data elsewhere.

Along with SQL injection, XSS is another widespread vulnerability in the world of applications, and its
implications can be severe too. XSS can cause the following problems for an application:

Theft of session cookies and other sensitive cookie information.
Theft of personal information.
Redirection of the user to another application, such as a phishing site.
Making the application difficult to access.

A case of XSS misuse is demonstrated below.

Fig 5. A case of cross site scripting example

As the figure shows, an attacker can load a malicious script into the web site permanently (this is
called stored or persistent XSS, as opposed to reflected XSS, where the script is carried in a crafted
link). Whenever a genuine user visits the page the malicious script is executed, and the attacker can
steal the victim's sensitive information such as session tokens and cookies.

Thus the impact of these two vulnerabilities, SQL injection and XSS, can be very severe. There have been
incidents in the past where attackers used them to cause huge damage to applications. Being aware of
these issues and following the right security practices helps in making an application more secure
against them.

9.4. Cross Site Scripting Injection measures


Cross-site scripting occurs when a web application takes unvalidated user input and places it directly
into its web pages. In such a case the attacker can easily supply malicious JavaScript as input. The
following measures can be taken to secure an application against XSS:

1. Input validation and whitelisting of values. As said earlier, the root cause of XSS is unvalidated
input. Validating user input on the server side (client-side validation can be bypassed) and using a
whitelist of allowed values is therefore a natural mitigation.

2. Output escaping (encoding). This is the primary means of defending against XSS. When you escape
something, you are telling the browser that the user input is to be treated as data only and nothing
else. Even if JavaScript is included in the input, the browser will treat it as text if proper escaping is
done. Escaping must match the context the data is placed into (HTML body, HTML attribute, JavaScript
string, URL); HTML-escaping a value that ends up inside a script block or in a URL scheme is not
sufficient. Well-known escaping libraries such as AntiXSS from Microsoft or ESAPI from OWASP can be
used for this purpose.

3. Restricting untrusted JavaScript. Allowing any JavaScript to run makes an application more exposed
to XSS. Configuring the web application so that the browser runs only scripts that come from trusted
domains, by sending a Content-Security-Policy header whose script-src directive whitelists those
domains, limits what an injected script can do. Marking the session cookie HttpOnly also prevents an
injected script from reading it.

4. Built-in browser protections. Some browsers (Chrome, Internet Explorer and the old Edge) shipped
XSS filters that tried to block reflected XSS; these have since been removed from current browsers
because they could be bypassed and were abused for information leaks, so they must not be relied on.
The defences above, applied in the application, are what actually prevent XSS.
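The following added example (not code from the course page) shows measure 2 in Python for the stored-comment scenario of Fig 5, and why escaping has to be context-aware: html.escape neutralises the page's <script>alert('hi')</script> payload in an HTML body, but does nothing to a javascript: URL placed in an href, so links also need a scheme whitelist. The allow-list of schemes and the sample Content-Security-Policy header (measure 3) are assumptions made for the demonstration, and all comment text and URLs are constructed attacker input.

```python
import html
from urllib.parse import urlsplit

# Added example, not code from the course page. Inputs below are constructed.

# Assumed allow-list: relative links ("" scheme), http, https and mailto.
SAFE_URL_SCHEMES = {"", "http", "https", "mailto"}


def render_comment_vulnerable(comment: str) -> str:
    """Untrusted input pasted straight into the page: stored XSS."""
    return '<p class="comment">' + comment + "</p>"


def render_comment_escaped(comment: str) -> str:
    """HTML-body context: escape &, <, > and both quote characters so the
    browser treats the comment as text, whatever it contains."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def render_link(url: str, text: str) -> str:
    """Attribute + URL context. html.escape alone would leave
    javascript:alert(1) intact, so the scheme is whitelisted first."""
    cleaned = url.strip()
    # Browsers strip embedded tabs/newlines before parsing, so "java\tscript:"
    # would still execute; reject any URL containing whitespace or controls.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in cleaned):
        cleaned = "#"
    elif urlsplit(cleaned).scheme.lower() not in SAFE_URL_SCHEMES:
        cleaned = "#"  # neutralise javascript:, data:, vbscript:, ...
    return '<a href="%s">%s</a>' % (
        html.escape(cleaned, quote=True),
        html.escape(text, quote=True),
    )


# Measure 3: a sample Content-Security-Policy response header (assumed policy;
# the CDN host is a placeholder). Inline and third-party scripts are blocked,
# so an injected <script> does not run even if escaping is missed somewhere.
CSP_HEADER = (
    "Content-Security-Policy",
    "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'",
)


if __name__ == "__main__":
    payload = "<script>alert('hi')</script>"  # the page's example script
    print(render_comment_vulnerable(payload))
    print(render_comment_escaped(payload))
    print(render_link("javascript:alert(1)", "click me"))
    print(render_link("https://example.com/?a=1&b=2", 'see "this"'))
```

Escaping the text node and escaping the attribute value are the same operation here because html.escape with quote=True covers both quote characters; what changes between contexts is the extra rule (the scheme check) that HTML encoding cannot provide. A value placed inside an inline <script> block would need JavaScript-string encoding instead, which is why a library that knows the output context (ESAPI, AntiXSS or a templating engine with auto-escaping) is preferable to hand-rolled calls.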

10. Vulnerability Management

Vulnerability management is a strategy to find, prioritise, fix and track vulnerabilities from discovery to
closure through a series of periodic assessments of an organisation's applications, infrastructure and
networks. The major steps are:

Vulnerability assessment: static analysis (SAST) during development and dynamic analysis (DAST)
during the testing phase
Reporting all vulnerabilities with a detailed description and analysis
Risk measurement and prioritisation of vulnerabilities to plan the fixes
Determining vulnerability trends and the security posture of the organisation at any point in time

11. Mobile Security

Mobile phone usage has grown many-fold over the years. Mobile devices have become an integral part
of everyday life, and there have been great advances in mobile computing. People can download apps
that help them socialise, keep fit, get directions, transact, shop and much more. There are millions of
mobile applications in the app stores. Amid all the great things accomplished in the mobility space,
there is a global community of attackers watching it closely. They use newer and bolder techniques to
break into mobile devices and applications, so app developers need to be cautious. Mobile application
security testing is the process of reviewing an application's characteristics and code for
vulnerabilities. It is a combination of static analysis, dynamic analysis and penetration testing.

11.1. Mobile Operating Systems Ecosystem:

Mobile operating systems have evolved tremendously over the decade and are now integrated with a
wide range of consumer electronics devices.

The various mobile operating systems:

Fig 6. Mobile platforms

Mobile applications are built for a specific operating system. Application binaries include apk files for
Android, ipa files for iOS, xap files for Windows Phone and cod/bbb files for BlackBerry.
Android holds over 50% of the market share as far as mobile applications and operating systems are
concerned.

Each OS releases a new version every year to address the shortcomings and flaws of the previous
versions.
Some operating systems, such as Android, are open source and allow device manufacturers to customise
the OS to their requirements.
iOS, Windows and BlackBerry are proprietary operating systems that ship on their vendors' own
devices. Such devices are monitored by those companies and receive regular updates.

11.2. Introduction to Mobile Security:

OWASP has published standards that define the security parameters involved in the use and
development of mobile applications.

The chart below shows the top 10 mobile application risks identified by OWASP.

Fig 7. Mobile OWASP top 10

Data stored on a device is critical, hence preventing the loss of such confidential data is the primary
concern in mobile application security.

Insecure data storage accounts for more than 60% of the data loss reported on mobile devices.

Some common data loss scenarios in mobile applications are:

1. Storage of sensitive information such as personally identifiable information (PII) on the device.
2. Caching of sensitive information such as credentials and PII.
3. Side-channel data leakage, such as improper use of shared resources by interacting applications.
4. On iOS, the system takes a screenshot of the app when it is sent to the background; if the app does
not cover sensitive screens with a splash view first, that screenshot containing sensitive data is stored
on the device.
5. Use of weak cryptography to store and encrypt sensitive information.
6. Lack of binary protection, which lets an attacker retrieve sensitive and critical information from the
application binary.

Some common examples of vulnerabilities in mobile applications are:

1. Drive-by downloads, where the user unintentionally downloads a malicious apk file when visiting an
untrusted site in the Android mobile browser.
2. Storage of sensitive information on external storage, which can be seen by browsing Device
Storage->Android->data and searching the individual application package directories.

About

As you gear up to join one of Asia's largest IT organizations, we introduce to you ESRM Aspire.

ASPIRE is a mandatory online interactive pre-ILP learning program for graduates (new recruits). The
objectives of ASPIRE are to:
Prepare for TCS Initial Learning Program (ILP)
Learn the basic concepts of ESRM

ASPIRE courses are subdivided into chapters. A course is said to be complete if and only if all the
chapters within it are completed. In order to complete a course in ASPIRE

Finish reading the material and/or viewing short videos of a chapter and unlock the chapter quiz
Take chapter quiz and clear it with a pass score to complete the chapter
Complete all chapters to unlock the course quiz
Take course quiz and clear it with a pass score to complete the course

It is essential that you complete ASPIRE courses in an honest manner. Based on ASPIRE content, at the
time of joining TCS, you will be mandated to take up IRA(Initial Readiness Assessment) to assess your
level of preparedness for ILP.

Happy Learning!
