Methods to Ensure the Security of Web Applications
Study and write the report on the following topics:
Report requirements:
Client/Server Networking
Client/server networks have become the predominant information architecture of enterprise computing. Computing power has rapidly become distributed and interconnected throughout many organizations by networked computer systems that take the form of client/server networks. Client/server computing is an environment that satisfies the business need by appropriately allocating the application processing between the client and the server processors.
A client/server network is a computer network in which one centralized, powerful computer (called the server) is connected to many less powerful PCs or workstations (called clients).
The clients run programs and access data that are stored on the server. Example: www.email.com
Client: A client is a single-user workstation that provides presentation services and the appropriate computing, connectivity and database services relevant to the business need. Client computers can be classified as fat clients, thin clients or hybrid clients.
Fat/Thick Client: A fat client or thick client performs the bulk of any data processing itself and does not necessarily rely on the server. Unlike thin clients, thick clients do not depend on a central processing server: the processing is done locally on the user's system, and the server is accessed primarily for storage. For that reason, thick clients are often not well suited to public environments. To maintain a thick client, IT needs to maintain all systems for software deployment and upgrades rather than just maintaining the applications on the server. Example: a personal computer.
Thin clients
Thin clients use the resources of the host computer. A thin client generally only presents processed data provided by an application server, which performs the bulk of any required data processing. A thin client communicates with a central processing server, which means that only minimal hardware and software needs to be installed on the user's machine.
Hybrid Client: A hybrid client is a mixture of the above two client models. Similar to a fat client, it processes data locally, but it relies on the server for storing persistent data. This approach offers features of both the fat client (multimedia support, high performance) and the thin client (high manageability, flexibility). Hybrid clients are well suited to video gaming.
Server: A server is one or more multi-user processors with shared memory, providing the computing, connectivity and database services and the interfaces relevant to the business need.
Working of a Client/Server Network
End users work on personal computers or network computer workstations, which are the clients.
Clients are interconnected by local area networks and share application processing with network servers, which also manage the networks. Client and server can operate on separate computer platforms,
so the client platform or the server platform can be upgraded without having to upgrade the other.
The server is able to service multiple clients concurrently; in some client/server systems, clients can access multiple servers.
Action is usually initiated at the client and not the server.
The network system implemented within client/server technology is commonly called middleware by the computer industry. Middleware is all the distributed software needed to allow clients and servers to interact. General middleware provides communication, directory services, queuing, distributed file sharing and printing.
The various internet services in use
Your internet connection is most likely one of three types: cable, DSL or fiber, since hardly anyone uses dial-up any more. They all do the same thing, which is provide you with internet access, but each has its own advantages and disadvantages.
Cable internet is a connection that transmits data over the coaxial cable of a cable television network. While cable is generally faster than DSL, its primary disadvantage is that you share bandwidth with neighbors on the same cable segment, so during peak times when many people are online your speed slows down considerably. On the upside, cable internet speeds are not affected by how far you are from your ISP (Internet Service Provider).
DSL stands for digital subscriber line. It transmits data over the telephone network through a telephone line. DSL is the most widely used broadband connection in the world; over 60 percent of broadband connections are DSL. Unlike cable, DSL bandwidth is not shared, but DSL speeds drop with distance from the telephone exchange: the farther you are, the slower your connection. There are two types of DSL connection: asymmetric (ADSL), which offers higher download speeds than upload speeds, and symmetric (SDSL), which offers equal download and upload speeds.
Fiber optic communication is the future of data transmission. Data is transmitted as light pulses through glass or plastic fibers. Fiber offers the most potential for high-speed data transmission and is the clear solution for growing bandwidth needs. Its main disadvantage is that fiber is expensive to install, which is the main reason it is still not widespread today.
Threats to Internet services and basic countermeasures
Unauthorized Access
Web services that provide sensitive or restricted information should authenticate and authorize their callers. Weak authentication and authorization can be exploited to gain unauthorized access to sensitive information and operations. Vulnerabilities that can lead to unauthorized access through a Web service include: no authentication used; passwords passed in plaintext in SOAP headers; and Basic authentication used over an unencrypted communication channel.
You can use the following countermeasures to prevent unauthorized access: use password digests in SOAP headers for authentication; use Kerberos tickets in SOAP headers for authentication; use X.509 certificates in SOAP headers for authentication; or use Windows authentication. Whichever is chosen, the channel itself should still be protected with TLS, because a digest only hides the password from an eavesdropper and does not protect the rest of the message.
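As an added illustration of the "password digest in SOAP headers" countermeasure (this is example code written for this report, not code from the page's source material), the following shows how a WS-Security UsernameToken PasswordDigest is computed by the client and checked by the server. The formula Base64(SHA-1(nonce + created + password)) is the one defined by the WS-Security UsernameToken Profile; the user store, the five-minute freshness window and the in-memory nonce cache are assumptions for the demo.

```python
"""Added example: verifying a WS-Security UsernameToken PasswordDigest
instead of accepting a plaintext password in a SOAP header.

Per the UsernameToken Profile:
    PasswordDigest = Base64( SHA-1( nonce + created + password ) )
where nonce is the raw (Base64-decoded) nonce bytes and created is the
UTF-8 timestamp string. USERS, FRESHNESS and SEEN_NONCES are
constructed for this demo.
"""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed user store: the server must know the password (or an
# equivalent secret) to recompute the digest. That is a known weakness
# of this scheme compared with certificate- or ticket-based schemes.
USERS = {"alice": "correct horse battery staple"}

# Tokens older than this are rejected; nonces inside the window are
# remembered so an intercepted token cannot simply be replayed.
FRESHNESS = timedelta(minutes=5)
SEEN_NONCES = set()

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce_b64, created, password):
    """SHA-1 is what the profile specifies; the digest is not a password hash
    for storage, it only keeps the password off the wire."""
    nonce = base64.b64decode(nonce_b64)
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(digest).decode()


def make_token(username, password, now=None):
    """Client side: build the UsernameToken fields for the SOAP header."""
    now = now or datetime.now(timezone.utc)
    created = now.strftime(TIME_FMT)
    nonce_b64 = base64.b64encode(os.urandom(16)).decode()
    return {
        "Username": username,
        "Nonce": nonce_b64,
        "Created": created,
        "PasswordDigest": password_digest(nonce_b64, created, password),
    }


def verify_token(token, now=None):
    """Server side: recompute the digest, check freshness, reject replays."""
    now = now or datetime.now(timezone.utc)
    password = USERS.get(token.get("Username"))
    if password is None:
        return False
    try:
        created = datetime.strptime(token["Created"], TIME_FMT)
        created = created.replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return False
    if abs(now - created) > FRESHNESS:
        return False                      # stale or future-dated token
    if token.get("Nonce") in SEEN_NONCES:
        return False                      # replay of a captured token
    expected = password_digest(token["Nonce"], token["Created"], password)
    if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
        return False                      # wrong password or tampered fields
    SEEN_NONCES.add(token["Nonce"])
    return True


if __name__ == "__main__":
    tok = make_token("alice", "correct horse battery staple")
    print("first use:", verify_token(tok))   # True
    print("replayed: ", verify_token(tok))   # False
```

Note the three checks a server must make, in order: the timestamp is within the window, the nonce has not been seen, and the digest matches. Skipping the nonce cache turns the digest back into a replayable static credential for the length of the window.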
Parameter Manipulation
Parameter manipulation refers to the unauthorized modification of data sent between the Web service consumer and the Web service. For example, an attacker can intercept a Web service message, perhaps as it passes through an intermediate node en route to its destination, and then modify it before sending it on to its intended endpoint.
Vulnerabilities that can make parameter manipulation possible include: messages that are not digitally signed to provide tamperproofing; and messages that are not encrypted to provide privacy.
Countermeasures: Digitally sign the message. The digital signature is used at the recipient end to verify that the message has not been tampered with while it was in transit. Encrypt the message payload to provide privacy. Note that encryption alone does not provide tamperproofing: an unauthenticated cipher mode can leave the ciphertext malleable, so integrity must come from the signature or from an authenticated encryption mode.
Attacks
Basic replay attack. The attacker captures and copies a message, and then replays the same message, impersonating the client. This attack does not require the attacker to know the contents of the message.
Man in the middle attack. The attacker captures the message, changes some of its contents, for example a shipping address, and then replays it to the Web service.
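The two attacks above are defeated by the same pair of controls: a signature over the whole message (so any change to the shipping address is detected) and a timestamp plus nonce inside the signed region (so an unmodified copy cannot be submitted twice). The following is an added example written for this report, not code from the page's source material; it uses an HMAC over a JSON body in place of XML Signature, and the shared key, message layout and five-minute window are assumptions for the demo.

```python
"""Added example: detecting parameter manipulation and replay on a
web service message.

The client signs the body (including a timestamp and a random nonce)
with a key shared out of band; the server verifies the signature before
anything else, then rejects stale or previously seen nonces. Key,
message format and window are constructed for this demo.
"""
import hashlib
import hmac
import json
import os
import time

SHARED_KEY = b"demo-key-shared-out-of-band"   # constructed; load from a secret store in practice
WINDOW_SECONDS = 300
seen_nonces = {}   # nonce -> timestamp; prune entries older than the window


def canonical(body):
    """Stable serialisation so client and server MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(body, now=None):
    """Client: add timestamp and nonce, then MAC the whole envelope."""
    envelope = dict(body)
    envelope["timestamp"] = int(now if now is not None else time.time())
    envelope["nonce"] = os.urandom(16).hex()
    sig = hmac.new(SHARED_KEY, canonical(envelope), hashlib.sha256).hexdigest()
    return {"body": envelope, "signature": sig}


def verify_message(msg, now=None):
    """Server: return 'ok', 'tampered', 'stale' or 'replay'.

    Signature first: nothing inside an unverified body can be trusted,
    including its own timestamp and nonce.
    """
    now = now if now is not None else time.time()
    body = msg.get("body", {})
    expected = hmac.new(SHARED_KEY, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg.get("signature", "")):
        return "tampered"       # man-in-the-middle edit or forged message
    if abs(now - body.get("timestamp", 0)) > WINDOW_SECONDS:
        return "stale"          # outside the window; nonce cache need not remember it
    if body["nonce"] in seen_nonces:
        return "replay"         # basic replay: identical message seen before
    seen_nonces[body["nonce"]] = body["timestamp"]
    return "ok"


if __name__ == "__main__":
    order = sign_message({"order": 42, "ship_to": "1 Main St"})
    print(verify_message(order))                     # ok
    print(verify_message(order))                     # replay
    edited = sign_message({"order": 43, "ship_to": "1 Main St"})
    edited["body"]["ship_to"] = "99 Attacker Rd"     # MITM changes the address
    print(verify_message(edited))                    # tampered
```

The timestamp bounds how long the server has to remember nonces; without it the nonce cache would grow without limit, and without the nonce a message could be replayed freely inside the window.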
Disclosure of Configuration Data
There are two main ways in which a Web service can disclose configuration data. First, the Web service may support dynamic generation of Web Services Description Language (WSDL); second, it may provide WSDL information in downloadable files available on the Web server. Either may be undesirable depending on your scenario.
Vulnerabilities that can lead to the disclosure of configuration data include: unrestricted WSDL files available for download from the Web server; a restricted Web service that supports dynamic generation of WSDL and lets unauthorized consumers obtain the service's characteristics; and weak exception handling that returns stack traces, connection strings or other internal detail to the caller.
Countermeasures: Authorize access to WSDL files using NTFS permissions. Remove WSDL files from the Web server. Disable the documentation protocols to prevent dynamic generation of WSDL. Capture exceptions and throw a SoapException or SoapHeaderException that returns only minimal, harmless information back to the client, logging the full detail server-side.
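To make the "weak exception handling" point concrete, here is an added example written for this report (not code from the page's source material) that contrasts a handler which echoes the raw exception into a SOAP Fault with one that logs the detail under an incident id and returns only a generic faultstring. The SOAP 1.1 Fault element layout is real; the backend error text, the order lookup and the in-memory log sink are constructed for the demo.

```python
"""Added example: returning a minimal SOAP Fault while keeping exception
detail in the server log.

lookup_order, DatabaseError and LOG_RECORDS are constructed stand-ins so
the demo runs offline; the Fault structure follows SOAP 1.1.
"""
import logging
import uuid
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP_ENV)
log = logging.getLogger("webservice")
LOG_RECORDS = []          # constructed log sink for the demo


class DatabaseError(Exception):
    """Constructed backend failure whose message embeds internal detail."""


def lookup_order(order_id):
    # Constructed backend call: real drivers put hosts, users and SQL in errors.
    raise DatabaseError(
        f"connect to db01.internal:1433 as svc_orders failed while fetching {order_id}"
    )


def soap_fault(code, faultstring, detail=None):
    """Serialise a SOAP 1.1 Fault element."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    fault = ET.SubElement(body, f"{{{SOAP_ENV}}}Fault")
    ET.SubElement(fault, "faultcode").text = code
    ET.SubElement(fault, "faultstring").text = faultstring
    if detail:
        ET.SubElement(fault, "detail").text = detail
    return ET.tostring(env, encoding="unicode")


def handle_leaky(order_id):
    """Anti-pattern: the raw exception text goes straight back to the caller."""
    try:
        return str(lookup_order(order_id))
    except Exception as exc:
        return soap_fault("soap:Server", f"{type(exc).__name__}: {exc}")


def handle_safe(order_id):
    """Countermeasure: log the detail, return a generic fault and an incident id
    the caller can quote to support without learning anything about the backend."""
    try:
        return str(lookup_order(order_id))
    except Exception as exc:
        incident = uuid.uuid4().hex[:12]
        LOG_RECORDS.append(f"{incident} {type(exc).__name__}: {exc}")
        log.error("incident %s: %s", incident, exc)
        return soap_fault("soap:Server", "Internal error",
                          detail=f"incident id {incident}")


if __name__ == "__main__":
    print(handle_leaky("A-1"))   # exposes host, port and service account
    print(handle_safe("A-1"))    # generic fault, detail only in LOG_RECORDS
```

The same split applies to HTTP error pages and REST error bodies: the caller gets a stable, opaque reference; the operator gets the stack trace.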
Various Web languages and their uses
Various Web threats and attacks
Hacking
Hacking is a term used to describe actions taken by someone to gain unauthorized access to a computer; it is the process by which cyber criminals gain access to your system. The availability of information online about tools, techniques, and malware makes it easier for even non-technical people to undertake malicious activities.
Malware
Malware is one of the more common ways to infiltrate or damage your computer. It is malicious software that infects your computer, such as viruses, worms, Trojan horses, spyware, and adware.
Pharming
Pharming is a common type of online fraud. It redirects you to a malicious, illegitimate website even when you enter the legitimate URL correctly, typically by corrupting DNS resolution or the local hosts file so that the real name resolves to the attacker's server.
Phishing
Phishing is used most often by cyber criminals because it is easy to execute and can produce the results they want with very little effort. Fake emails, text messages and websites are created to look like they come from authentic companies and are sent by criminals to steal personal and financial information from you. Phishing usually relies on spoofing, that is, forging the sender address or the appearance of a legitimate site, but the two terms are not the same thing.
Spam
Spam is one of the more common methods of both sending malicious content out and collecting information from unsuspecting people. Canada's anti-spam legislation is described at www.fightspam.gc.ca
Steps necessary to secure a Web Server
1. Use a Secure Content Management System (CMS)
The first step is to decide how you'll build your website and manage your content, if you haven't already. Those who go with a professional web developer have less to be concerned about as long as they work with a reputable company or individual. However, you should still insist, while the site is still at the design stage, that the developer incorporate security features appropriate to the level of protection you need. Your web designer can also explain the various features, why they're needed, and how to maintain security after you go live. One thing to beware of no matter which platform you choose is the security of plugins and themes. These are third-party add-ons and frameworks that control how your website looks and functions. Most platforms have their own inventory of plugins, but there are also many free and premium add-ons available on the internet, and each one you install runs with the same privileges as the site itself.
2. Control Who Has Access
Unfortunately, too many data leaks and hacks can be chalked up to simple human error: employees using their own devices at work, leaving accounts logged in while on a public network on the road, or simply being unaware of security best practices in the first place.
This is where an enterprise-wide security policy helps, but you should also make employee education and training a priority. One of the first lessons is to stop relying on staff to invent secure passwords. Instead, use password manager software to generate long, unique passwords for each device and account connected to your network. The best password managers on the market today (we use 1Password, for instance) also support two-factor authentication, which requires a second factor such as a one-time code or hardware key in addition to the password, so a stolen password alone is not enough to get in.
3. Choose a Secure, Reliable Hosting Platform
The second most important security measure is to choose wisely when looking for a web hosting platform. Web development companies sometimes offer hosting as well. However, if you work with a developer who doesn't offer hosting, build the site from scratch yourself, or use WordPress, you'll have to find a reputable hosting service, and that is a good thing.
There are literally hundreds of web hosts on the market, as a quick Google search will show. You can look for a budget plan, but try to stay away from free or shared hosting. Take this choice very seriously.
When you share resources with other website owners, their problems can become your problems, and "free" hosting services may store and sell your data even if they offer basic security; many do away with security altogether, which is how they can afford to be free. With dedicated hosting you have more flexibility in available resources, but most of the security measures rest with you.
4. Install High-Grade Security Features
Once you've chosen a secure platform and devised and implemented security practices, you need to install protection on each network and connected device. In addition to antivirus, anti-spyware, and anti-malware software, install your own firewall if one isn't included by your hosting service. Using a VPN is also a smart choice because it encrypts traffic between your devices and the VPN endpoint and masks your IP address, location, and activity from the networks in between.
Configure your router to segment your network into separate segments (VLANs or SSIDs): one for business, one for personal use or guests, and another for any IoT devices. That way, if one segment is compromised, the others are not exposed along with it.
5. Keep Everything Updated
Having the most current security features in place won't protect you for long if you don't keep them updated. Wherever you can, set plugins and security software to install updates automatically. Make sure you're using the current versions of all plugins, themes, and WordPress itself, and keep the firmware on your router and firewall up to date.
One vulnerability that website owners overlook sits in the site's own installation: old, obsolete, or unused plugins and themes. Make sure you completely uninstall them. Simply disabling them isn't good enough, because their files remain on the server and can still be reached and exploited.