Security Articles

Defense-in-Depth – What Strategy To Follow?

Defense in depth (also known as Castle Approach) is an information assurance (IA) concept in which multiple layers of security controls are placed throughout an information technology (IT) system. It is the concept of protecting a computer network with a series of defensive mechanisms such that if one mechanism fails, another will already be in place to thwart an attack.

How to exploit a Cross-Site Request Forgery attack on web applications where the request is posted in JSON format!

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

Please see the attached PDF to read more about how a CSRF attack works and what the recommendations are for protecting yourself against this attack.

Do the PCI DSS standards meet the requirements of the GDPR?

The objective of both the PCI DSS and the GDPR is to ensure that the personal data an organization holds is kept secure. The main focus of the PCI DSS is on payment card and cardholder data, whereas the GDPR focuses on European residents' personal data. The main difference is that the GDPR is less prescriptive than the PCI DSS.

The GDPR provides guidance on what needs protecting but does not clearly define a detailed action plan, whereas the PCI DSS clearly defines the objective that needs to be achieved and gives clear direction for securing payment card and cardholder data.

The PCI DSS as a standard to achieve the objective of the GDPR

Perturbed over login ID and password data breach? Not anymore!

In recent years, we have been hearing of numerous 'Login ID' and 'Password' related data breaches involving popular websites and other online services. It is also likely that your application credentials are listed in a massive file that is floating around on the Dark Web. These can lead to a 'Loss of Trust' with customers. Loss of Trust leads to 'Loss of Brand Loyalty' and eventually results in 'Loss of Business'.

Let us see how these security issues can be countered. Most of us will obviously come up with a solution based on multi-factor authentication and risk/behavioral authentication. Apart from being the obvious solution that pops up, multi-factor authentication often creates conflict between 'compliance requirements' and 'user convenience'. Ideally, we should be thinking about a solution that fortifies application security without compromising on user experience.

IoT Security in 2018

The Internet of Things (IoT) offers the potential to exchange information and insights in real time, across a connected network.

The number of IoT devices increased 31% year-over-year to 8.4 billion in 2017 and it is estimated that there will be 30 billion devices by 2020. The global market value of IoT is projected to reach $7.1 trillion by 2020.

IoT involves extending internet connectivity beyond standard devices, such as desktops, laptops, smartphones and tablets, to any range of traditionally dumb or non-internet-enabled physical devices and everyday objects. Embedded with technology, these devices can communicate and interact over the internet, and they can be remotely monitored and controlled.

Gartner identifies the top 10 Internet of Things (IoT) technologies as below:

Session Puzzling: Solving the puzzle!

Session puzzling is an application-level vulnerability that occurs when an application session variable is used for more than one purpose. The other name for session puzzling is session variable overloading.

The attacker tries to access application entry points. While exploiting session puzzles, the creation of session objects can be indirectly initiated, and later exploited, by accessing an entry point such as a web service, web page, remote procedure call, etc.

Session puzzling enables attackers to bypass authentication, impersonate legitimate users, elevate privileges, bypass flow restrictions, and even execute additional attacks.

Machine Learning in Cyber Security

Nowadays, every single human activity is connected to a digital system, and these digital systems always rely on a programming language. When a system can analyze previous activities and learn how the data should be processed without any human interaction, this concept leads to a technology called machine learning.

In the case of Cyber Security, Machine Learning technology helps to analyze previous cyber attacks and develops the protective response accordingly. Cyber Security is one of the latest sectors with huge investment in machine learning, in response to the increasing cyber threat.

In the past, Cyber Security was not very familiar with Machine Learning. Network administrators were struggling with finding and tracking attacks. It took a lot of time for them to even detect an attack. Now, much security software has been developed to support humans in maintaining their systems effectively.

Bluetooth Security Flaw Could Allow Nearby Hackers to Steal Your Data

A newly discovered bug in Bluetooth implementations and operating system drivers allows hackers to gain unauthorized access to a device and steal data.

Bluetooth firmware or operating system software drivers may not adequately validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to gain the encryption key used by the device.

Hackers get access to the data by forcing a device to use a known pairing key. For instance, when pairing a phone with a computer, the user might be prompted to enter a five-digit code. Hackers leverage that code to intercept information when the device is paired again. This flaw is different from the BlueBorne virus that cropped up last year, which allowed hackers to gain control of a device using its Bluetooth connection.

Why depending on rDNS is bad, and why not to trust the client-provided destination IP address for name lookup in transparent proxy deployments!

As everyone knows, forward DNS is used to get the IP address from a domain name (it maps a domain name to an IP address), whereas reverse DNS is used to get the hostname from an IP address (it maps an IPv4 address to the canonical name of the host), using Pointer (PTR) records to do so.

When the Blue Coat ProxySG is configured to allow or deny access to URLs, it must determine the hostname of the site being requested.

In Explicit Deployment:

When it is an HTTP site, the proxy simply observes the HTTP request headers to determine the hostname of a website.

When it’s an HTTPS site, the communication will be encrypted via SSL.

Learn Zscaler in under 650 words!

Zscaler is a global cloud-based information security company that provides Internet security, web security, next generation firewalls, sandboxing, SSL inspection, antivirus, vulnerability management and granular control of user activity in cloud computing, mobile and Internet of things environments.

Zscaler routes all traffic through its software to apply corporate and security policies, eliminating the time and money companies spend managing web filtering, data leakage protection, SSL inspection, advanced threat protection and security on their own servers.

Zscaler Architecture

We realized that we needed to split the entire architecture into 3 areas.

Elements of Zscaler Cloud
•    Control Plane: to manage policies.
•    Data Plane: how traffic will flow.
•    Statistics Plane: collection of all the logs, which are sent back and correlated for your analytics.
