Question



Methods to Ensure the Security of Web Applications

Study and write the report on the following topics:

  1. List the various Internet services in use
  2. Identify threats to Internet services and basic countermeasures
  3. Describe the basics of Web client-server communication
  4. Identify the various Web languages and describe their uses
  5. Identify various Web threats and attacks
  6. Discuss the steps necessary to secure a Web Server

Report requirements:

  1. Write in your words, don’t copy-paste
  2. Report volume: 4-5 pages, font size:12

Expert Solution

Client/Server Networking

Client/server networks have become the predominant information architecture of enterprise computing. Computing power has rapidly become distributed and interconnected throughout many organizations by networked computer systems that take the form of client/server networks. Client/server computing is an environment that satisfies the business need by appropriately allocating the application processing between the client and the server processors.

A Client/Server network is a computer network in which one centralized powerful computer (called the Server) is connected to many less powerful PCs or workstations (called Clients).

The clients run programs and access data that are stored on the server. Example: www.email.com

Client: A client is a single-user workstation that provides presentation services and the appropriate computing, connectivity and database services relevant to the business need. Client computers can be classified as Fat Client, Thin Client or Hybrid Client.

Fat/Thick Client: A fat client or thick client is a client that performs the bulk of any data processing operations itself, and does not necessarily rely on the server. Unlike thin clients, thick clients do not rely on a central processing server because the processing is done locally on the user system, and the server is accessed primarily for storage purposes. For that reason, thick clients often are not well suited for public environments. To maintain a thick client, IT needs to maintain all systems for software deployment and upgrades rather than just maintaining the applications on the server. For example: a Personal Computer.

Thin Client: Thin clients use the resources of the host computer. A thin client generally only presents processed data provided by an application server, which performs the bulk of any required data processing. A thin client machine is going to communicate with a central processing server, meaning there is little hardware and software installed on the user's machine.

Hybrid Client: A hybrid client is a mixture of the above two client models. Similar to a fat client, it processes locally, but relies on the server for storing persistent data. This approach offers features from both the fat client (multimedia support, high performance) and the thin client (high manageability, flexibility). Hybrid clients are well suited for video gaming.

Server: A server is one or more multi-user processors with shared memory providing computing, connectivity and database services and the interfaces relevant to the business need.

Working of a Client/Server Network

End-user personal computers or network computer workstations are the clients.

Clients are interconnected by local area networks and share application processing with network servers, which also manage the networks. Client and server can operate on separate computer platforms; the client platform or the server platform can be upgraded without having to upgrade the other platform.

The server is able to service multiple clients concurrently; in some client/server systems, clients can access multiple servers.

Action is usually initiated at the client and not the server.

The network system implemented within the client/server technology is commonly called by the computer industry Middleware. Middleware is all the distributed software needed to allow clients and servers to interact. General middleware allows communication, directory services, queuing, distributed file sharing and printing.

The various internet services in use

Your internet is one of these three – cable, DSL or fiber because no one uses dial-up anymore. They do the same thing, which is provide you internet access. But they have their own advantages and disadvantages.

Cable internet is a type of connection that transmits data through a cable television network through a coaxial cable. While cable is generally faster than DSL, its primary disadvantage is that you’re sharing bandwidth with neighbors who are using the same cable line. So during peak times where a lot of people are online, your speeds are going to slow down considerably. But on the upside, cable internet speeds are not affected by how far you are from your ISP or Internet Service Provider.

DSL stands for digital subscriber line. It is a type of connection that transmits data over a telephone network through a telephone cable. DSL is the most popular connection in the world. Over 60 percent of broadband connections are DSL. Unlike cable, DSL bandwidth is not shared. But on the downside, DSL internet speeds are affected by how far you are from your ISP. So the farther you are, the slower your speeds. There are two types of DSL connections – asymmetric and symmetric. Asymmetric offers higher download speeds than upload speeds while symmetric offers equal download speeds and upload speeds.

Fiber optic communication is the future of data transmission. Data is transmitted through plastic or glass wires as light waves. Fiber optics offer the most potential for high speed data transmission and are the clear solution for our growing bandwidth needs. Its main disadvantage however is that fiber is expensive to install, which is the main reason why it’s still not very widespread today. Now let’s go over to what really matters and that’s their speeds. If you want to know more about internet speeds, I suggest you go watch my video about it by clicking on this link.

Threats to Internet services and basic countermeasures

Unauthorized Access

Web services that provide sensitive or restricted information should authenticate and authorize their callers. Weak authentication and authorization can be exploited to gain unauthorized access to sensitive information and operations. Vulnerabilities that can lead to unauthorized access through a Web service include:

  • No authentication used
  • Passwords passed in plaintext in SOAP headers
  • Basic authentication used over an unencrypted communication channel

You can use the following countermeasures to prevent unauthorized access:

  • Use password digests in SOAP headers for authentication.
  • Use Kerberos tickets in SOAP headers for authentication.
  • Use X.509 certificates in SOAP headers for authentication.
  • Use Windows authentication.

Parameter Manipulation

Parameter manipulation refers to the unauthorized modification of data sent between the Web service consumer and the Web service. For example, an attacker can intercept a Web service message, perhaps as it passes through an intermediate node en route to its destination; and can then modify it before sending it on to its intended endpoint.

Vulnerabilities that can make parameter manipulation possible include:

  • Messages that are not digitally signed to provide tamperproofing
  • Messages that are not encrypted to provide privacy and tamperproofing

Countermeasures:

  • Digitally sign the message. The digital signature is used at the recipient end to verify that the message has not been tampered with while it was in transit.
  • Encrypt the message payload to provide privacy and tamperproofing.

Attacks

Basic replay attack. The attacker captures and copies a message, and then replays the same message and impersonates the client. This replay attack does not require the malicious user to know the contents of the message.

Man-in-the-middle attack. The attacker captures the message and then changes some of its contents, for example, a shipping address, and then replays it to the Web service.

Disclosure of Configuration Data

There are two main ways in which a Web service can disclose configuration data. First, the Web service may support the dynamic generation of Web Service Description Language (WSDL) or it may provide WSDL information in downloadable files that are available on the Web server. This may not be desirable depending on your scenario.

Vulnerabilities that can lead to the disclosure of configuration data include:

  • Unrestricted WSDL files available for download from the Web server
  • A restricted Web service supports the dynamic generation of WSDL and allows unauthorized consumers to obtain Web service characteristics
  • Weak exception handling

Countermeasures:

  • Authorize access to WSDL files using NTFS permissions.
  • Remove WSDL files from the Web server.
  • Disable the documentation protocols to prevent the dynamic generation of WSDL.
  • Capture exceptions and throw a SoapException or SoapHeaderException, one that returns only minimal and harmless information, back to the client.

Various Web languages and their uses

  1. Java – used for nearly everything
  2. Python – used for nearly everything
  3. JavaScript – used primarily for web development (including Node.js)
  4. C# – used primarily for Windows applications (.NET); also for cross-platform apps and games (using Xamarin and Unity, respectively)
  5. C++ – used for nearly everything, esp. systems programming
  6. PHP – used exclusively for server-side web development
  7. C – used primarily for systems programming
  8. Ruby – used primarily for server-side web development with Rails framework
  9. R – used for statistical processing
  10. Perl – used for nearly everything

Various Web threats and attacks

Hacking

Hacking is a term used to describe actions taken by someone to gain unauthorized access to a computer. The availability of information online on the tools, techniques, and malware makes it easier for even non-technical people to undertake malicious activities.

The process by which cyber criminals gain access to your computer.

  • Find weaknesses (or pre-existing bugs) in your security settings and exploit them in order to access your information.
  • Install a Trojan horse, providing a back door for hackers to enter and search for your information.

Malware

Malware is one of the more common ways to infiltrate or damage your computer. It is malicious software that infects your computer, such as computer viruses, worms, Trojan horses, spyware, and adware. Malware can:

  • Intimidate you with scareware, which is usually a pop-up message that tells you your computer has a security problem or other false information.
  • Reformat the hard drive of your computer causing you to lose all your information.
  • Alter or delete files.
  • Steal sensitive information.
  • Send emails on your behalf.
  • Take control of your computer and all the software running on it.

Pharming

Pharming is a common type of online fraud. A means to point you to a malicious and illegitimate website by redirecting the legitimate URL. Even if the URL is entered correctly, it can still be redirected to a fake website.

  • Convince you that the site is real and legitimate by spoofing or looking almost identical to the actual site down to the smallest details. You may enter your personal information and unknowingly give it to someone with malicious intent.

Phishing

Phishing is used most often by cyber criminals because it's easy to execute and can produce the results they're looking for with very little effort. Fake emails, text messages and websites are created to look like they're from authentic companies. They're sent by criminals to steal personal and financial information from you. This is also known as “spoofing”. Phishing messages:

  • Trick you into giving them information by asking you to update, validate or confirm your account. It is often presented in a manner that seems official and intimidating, to encourage you to take action.
  • Provides cyber criminals with your username and passwords so that they can access your accounts (your online bank account, shopping accounts, etc.) and steal your credit card numbers.

Spam

Spam is one of the more common methods of both sending information out and collecting it from unsuspecting people. Canada has a new anti-spam legislation that you can learn more about at www.fightspam.gc.ca. Spam is:

  • The mass distribution of unsolicited messages, advertising or pornography to addresses which can be easily found on the Internet through things like social networking sites, company websites and personal blogs.
  • Canada's anti-spam legislation applies to all commercial electronic messages. A commercial electronic message is any electronic message that encourages participation in a commercial activity, regardless of whether there is an expectation of profit.
  • Annoy you with unwanted junk mail.
  • Create a burden for communications service providers and businesses to filter electronic messages.
  • Phish for your information by tricking you into following links or entering details with too-good-to-be-true offers and promotions.
  • Provide a vehicle for malware, scams, fraud and threats to your privacy.

Steps necessary to secure a Web Server

1. Use a Secure Content Management System (CMS)

The first step is to decide how you’ll build your website and manage your content if you haven’t already. Those who are going with a professional web developer have less to be concerned about as long as you’re working with a reputable company or individual. However, you should still emphasize while your website is still in the design stage that the developer incorporate security features that are appropriate for the level of safety you need. Your web designer can also explain the various features, why they’re needed, and how to maintain security after you go live. One thing you should beware of no matter which platform you choose is the security of plugins and themes. These are third-party add-ons and frameworks that control how your website looks and functions. Most web builders have their own inventory of plugins, but there are also many free and premium add-ons available on the internet.

2. Control Who Has Access

Unfortunately, too many data leaks and hacks can be chalked up to simple human error: employees using their own devices at work, leaving accounts open when using a public network on the road, or being unaware of security best practices in the first place.

This is where having an enterprise-wide security protocol can help, but you should make employee education and training a priority. One of the first lessons is to stop relying on staff to create secure passwords. Instead, opt for a password manager software to create unique, hacker-proof passwords for each device and account connected with your network. Among encryption tools, the best password management software applications (we use 1Password, for instance) on the market today incorporate two-factor authentication that requires a traditional password and a key that puts extra layers of encryption between you and the bad guys.

3. Choose a Secure, Reliable Hosting Platform

The second most important security measure is to choose wisely when looking for a web hosting platform. Web development companies sometimes have a hosting service as well. However, if you go with a pro that doesn’t offer web hosting, you build organically from scratch, or you’re using WordPress, you’ll have to find a reputable hosting service. And that is a good thing.

There are literally hundreds of website hosts and servers on the market, as a quick Google search will prove. You can look for a budget plan, but try to stay away from free or shared hosting. Take this one very seriously.

When you’re sharing resources with other website owners, their problems can become your problems, and “free” hosting services may still store and sell your data even if they offer basic security; many do away with security altogether, which is why they can afford to offer free hosting platforms. With dedicated hosting, you have a little more flexibility as far as available resources, but a lot of the security measures rest with you.

4. Install High-Grade Security Features

Once you’ve chosen a secure platform, devised and implemented security practices, you need to install protection on each network and connected device. In addition to antivirus, anti-spyware, and anti-malware software, install your own firewall if one isn’t included by your hosting service. Installing a VPN is also a smart choice because it encrypts your data from your router as well as masking your identity, location, and activity.

Configure your router to segment your network into different lines, one for business, one for personal use or guests, and another for any IoT devices. That way, if one area is accessed, your other networks won’t go down with it.

5. Keep Everything Updated

Having all of the most current security features in place won’t protect you for long if you don’t keep them updated. Whenever you can, set all plugins and security software to auto-install updates. Make sure that you’re using the most current versions of all plugins, themes, and WordPress, and keep the firmware for your router and firewall up to date.

One of the vulnerabilities that website owners overlook is right in their databases. Make sure that you completely uninstall any old, obsolete, or unused plugins and themes. Simply disabling them isn’t good enough.
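The parameter-manipulation and replay sections of the answer recommend signing messages so a recipient can detect tampering, and the configuration-disclosure section recommends returning only minimal, harmless fault information to callers. The following is an added example, not code from the original answer, that puts those three controls together in Python: an HMAC-signed envelope carrying a nonce and timestamp, a verifier that rejects altered, replayed or stale messages, and a request handler that writes the detailed reason to a server-side log while the caller only receives a generic fault. The shared key, freshness window, field names and sample order are all constructed assumptions for the demonstration.

```python
"""Signed message envelope with replay detection and minimal fault reporting.
Added example: names, key and sample data are constructed for illustration."""
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo secret (assumption); a real service would load it from a key store.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
MAX_AGE_SECONDS = 300  # freshness window for the timestamp (assumption)


def canonical(body, nonce, timestamp):
    """Deterministic byte form of everything the signature covers."""
    return json.dumps({"body": body, "nonce": nonce, "ts": timestamp},
                      sort_keys=True, separators=(",", ":")).encode()


def sign_message(body, key=SHARED_KEY, now=None):
    """Client side: wrap a payload with a fresh nonce, a timestamp and an HMAC-SHA256."""
    ts = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, canonical(body, nonce, ts), hashlib.sha256).hexdigest()
    return {"body": body, "nonce": nonce, "ts": ts, "mac": mac}


class ReplayCache:
    """Remembers nonces seen inside the freshness window; older ones are forgotten."""

    def __init__(self):
        self._seen = {}

    def check_and_store(self, nonce, ts, now):
        for old_nonce, old_ts in list(self._seen.items()):
            if now - old_ts > MAX_AGE_SECONDS:
                del self._seen[old_nonce]
        if nonce in self._seen:
            return False  # same message presented a second time
        self._seen[nonce] = ts
        return True


class VerificationError(Exception):
    """Raised with a detailed reason that must never reach the caller."""


def verify_message(env, cache, key=SHARED_KEY, now=None):
    """Server side: check integrity first, then freshness, then replay; return the body."""
    now = int(time.time()) if now is None else now
    try:
        body, nonce, ts, mac = env["body"], env["nonce"], int(env["ts"]), env["mac"]
    except (KeyError, TypeError, ValueError) as exc:
        raise VerificationError(f"malformed envelope: {exc!r}")
    expected = hmac.new(key, canonical(body, nonce, ts), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        raise VerificationError("signature mismatch (message altered or wrong key)")
    if abs(now - ts) > MAX_AGE_SECONDS:
        raise VerificationError(f"stale timestamp {ts} checked at {now}")
    if not cache.check_and_store(nonce, ts, now):
        raise VerificationError(f"replayed nonce {nonce}")
    return body


SERVER_LOG = []  # stands in for the service's private log (assumption)


def handle_request(env, cache, now=None):
    """Endpoint: the detailed reason goes to the log, the caller gets a generic fault."""
    try:
        body = verify_message(env, cache, now=now)
        return {"status": "ok", "shipped_to": body["shipping_address"]}
    except VerificationError as exc:
        SERVER_LOG.append(f"rejected: {exc}")
    except Exception as exc:  # any other failure is also kept out of the response
        SERVER_LOG.append(f"internal error: {type(exc).__name__}: {exc}")
    return {"status": "fault", "detail": "request could not be processed"}


def demo():
    """Run the four cases from the answer: accepted, replayed, altered in transit, stale."""
    cache = ReplayCache()
    t0 = 1_700_000_000  # constructed fixed clock so results are repeatable
    order = {"order_id": 42, "shipping_address": "1 Example Street"}
    env = sign_message(order, now=t0)
    first = handle_request(env, cache, now=t0)
    replay = handle_request(env, cache, now=t0 + 5)
    tampered = dict(env, body=dict(order, shipping_address="99 Changed Lane"))
    altered = handle_request(tampered, cache, now=t0)
    late = handle_request(sign_message(order, now=t0), cache, now=t0 + 3600)
    return first["status"], replay["status"], altered["status"], late["status"]


if __name__ == "__main__":
    print(demo())  # ('ok', 'fault', 'fault', 'fault')
    print("\n".join(SERVER_LOG))
```

The verifier checks the signature before anything else so that an attacker cannot learn which field it disliked, and `hmac.compare_digest` keeps the comparison constant-time. The caller always sees the same generic fault; the reason (altered body, replayed nonce, stale timestamp) is only in the server's own log, which is the "minimal and harmless information" principle from the configuration-disclosure section.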

