Cybersecurity Essentials - Application & Data Security - HOWEST
Howest
Kurt Schoenmaekers
Summary
This document covers the basics of cybersecurity, application security, and data security, emphasizing the concepts of DevSecOps and various methodologies (SDLC). It also explores important frameworks like OWASP Top 10, GDPR, and best practices including database security controls.
Full Transcript
Application Security

What do we mean by an "application"?
A computer program designed to help people perform an activity (Wikipedia). Examples: a word processor, a spreadsheet, an accounting application, a web browser, an email client, a media player, a file viewer, simulators, a console game or a photo editor. This is in contrast to system software, which is mainly involved with running the computer (the operating system).
Insecure applications open your organization up to external attackers. An application can run on the desktop, on a local or remote server, or in the cloud.

Software Development Lifecycle (SDLC)
Guides the phases deployed in the development or acquisition of a software system. SDLC's primary goal is to ensure a structured and methodical approach to software development, delivering high-quality software within a specified budget and time frame. Depending on the methodology, it may also include the controlled decommissioning of the software as a phase.

System/Software Development Lifecycle (SDLC)
A formal process that specifies requirements, among other things:
- Business requirements: what should the system do?
- Functional requirements: how do users interact with the system?
- Technical requirements: what does the system need in order to work?
- Risk mitigation and control requirements: protect the integrity of the system and the confidentiality of information stored, processed or communicated, and provide adequate authentication and authorization mechanisms.
Often, however, cybersecurity is an afterthought, only introduced in a rather late phase.
In the Software Development Lifecycle the focus is on software development. In the System Development Lifecycle the focus is also on systems, people and processes. SDLC usually stands for Software Development Lifecycle.

System/Software Development Lifecycle (SDLC) – phases
Planning, Analysis, Design, Development, Testing, Production, Maintenance. Security is not explicitly mentioned as a phase.

DevSecOps
(Another) methodology, based on DevOps, used in software development with cybersecurity integrated. Security is integrated into every stage of the software development life cycle from the beginning. DevSecOps integrates phases in a continuous cycle of development, integration, testing, deployment and monitoring but, unlike SDLC, emphasizes close collaboration between development, security and operations teams.
- Automation: use of automated security testing and controls within the CI/CD (Continuous Integration/Continuous Delivery) pipeline.
- Continuous feedback: security feedback is continuously collected and processed.

DevSecOps phases – Dev
- Threat Modelling: identify and analyze potential threats early in the process. Tool example: Threat Dragon (OWASP).
- Secure Coding: follow guidelines for secure coding and conduct code reviews.
- Security as Code (SaC): security measures are treated as part of the code, so they are also subject to automation and version control, among other things.
- SAST (Static Application Security Testing): "white-box" testing method that analyzes source code to identify vulnerabilities without running the application. Tool example: SonarQube.
- DAST (Dynamic Application Security Testing): "black-box" testing method that examines a running application to detect vulnerabilities as an attacker would. Tool examples: OWASP ZAP, Burp Suite, but also Intigriti.
- IAST (Interactive Application Security Testing): "grey-box" testing method that detects vulnerabilities by monitoring the application in real time, using embedded agents.
- Pentesting: uses DAST tools as well as manual verification.
- Digital Sign: signing the code as proof of origin for the user.

DevSecOps phases – Ops
- Secure Transfer: secure communication for the transfer between the Test and Operations environments.
- Security Config: all security settings and configurations must be consistent and meet the security policy (compliance).
- Security Scan: DAST, container scanning, Infrastructure as Code scanning, cloud configuration validation, compliance checks, among others.
- Security Patch: implement all security patches according to the Patch or Change Management Policy.
- Security Audit: audit of the entire system in production.
- Security Monitor: SIEM via a SOC, ideally where all controls are bundled together.
- Security Analysis: bringing lessons learned back to Dev.

OWASP
- Non-profit foundation. Mission: improve software security worldwide.
- Top 10: publishes a list of the most critical web application security risks.
- Projects: provides tools and documentation such as OWASP ZAP and OWASP ASVS.
- Community: global community of security experts and volunteers; more than 250 local chapters worldwide, including in Belgium.
- Training: provides educational resources and training for developers and security professionals, including Juice Shop (a deliberately insecure web application), and leading education and training conferences.

Application security and OWASP Top 10 (2021)
The Open Web Application Security Project (OWASP) publishes a list of the top 10 (web) application security risks. This is a variable list that is updated every 4 years.

Reducing Security Risks from Applications
To reduce application security risk, OWASP recommends the following:
- Define security requirements for the application.
- Use sound security architecture practices for application security from the beginning of application design.
- Build strong and usable security controls.
- Integrate security into the development life cycle (Security by Design, DevSecOps).
- Stay on top of application vulnerabilities (in other words, use OWASP).
OWASP Top 10 Proactive Controls
- Implement access control (authorization). Example: use "least privilege".
- Use cryptography to protect data.
- Validate all input and handle exceptions. Example: make sure SQL injection is made difficult or impossible.
- Address security from the beginning. See DevSecOps.
- Secure by using standard configurations. In other words, the default configuration of the software as supplied should already be secure.
- Keep your components safe. Use known libraries with security features rather than trying to reinvent the wheel yourself.
- Secure digital identities. For example, use MFA.
- Use the browser's security features. Instruct the web browser to enforce security measures where possible.
- Implement security logging and monitoring. Ensures that potential security incidents can be detected (detect) and responded to (respond).
- Stop Server Side Request Forgery. See the web pentesting classes.
OWASP: there is more...

Data Security

"Data really powers everything that we do." Jeff Weiner, former CEO of LinkedIn
"Data is the new oil." Clive Humby, British mathematician and entrepreneur

Data Classification
- Definition: organizing data into categories based on their sensitivity and value.
- Purpose: protection of sensitive information and compliance with legal requirements. For example, a press release is PUBLIC, military plans are SECRET.
- There is a need to classify data based on its sensitivity and on the impact of a change to, the release of or the loss of that data.
- Classification works in the cyber world by "labeling" ("tagging") data with metadata (just as the author of a document is added to a Word or Excel file in the metadata).
- Limit classifications to a minimum number of categories, e.g. public, company confidential and (top) secret.
- Classifications are defined in the data classification policy. This is also where the processing and protection (e.g., encryption, DLP) is defined for each classification.
Classification is important in some regulations, for example:
- GDPR: European, personal data
- NIS2: European, sensitive information
- PCI-DSS: global, credit card information
- HIPAA: USA, medical information
- SOX: USA, financial information

Data classification – Security requirements
- Access and authentication: establish access requirements, including defining user profiles, access approval criteria and validation procedures.
- Confidentiality: determine where and how sensitive data is stored and how it is transmitted.
- Privacy: use controls to alert when personal data is misused.
- Availability: determine uptime and downtime tolerances for different types of data.
- Ownership and distribution: establish procedures to protect data from unauthorized copying and distribution.
- Integrity: protect data from unauthorized changes with change management procedures and automated monitoring and detection of unauthorized changes and manipulation.
- Retention of data: determine retention periods and keep specific versions of software, hardware, authentication data and encryption keys to ensure availability.
- Auditability: keep track of who had access, authorizations, changes and transactions.

Data in Databases – Typical issues
- SQL injection: attackers inject malicious SQL code to access or manipulate data.
- Unpatched software: outdated database software may contain vulnerabilities that can be exploited by attackers.
- Insufficient access control: lack of strict access controls can lead to unauthorized access to sensitive data.
- Weak authentication: use of weak passwords or lack of multi-factor authentication increases the risk of breaches.
- Unencrypted data: data that is not encrypted is vulnerable to interception and theft.
- Misconfiguration: errors in database configuration can lead to security breaches and unauthorized access.
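As an added example (not part of the course slides), the Python script below uses an in-memory SQLite database to place the SQL injection issue listed above next to its parameterized fix, and to show the database-level controls the later slides describe (entity integrity via a primary key, referential integrity via a foreign key, input validation via a CHECK constraint in the schema). The tables, rows and function names (build_db, find_employee_unsafe, find_employee_safe, insert_rejected, demo) are constructed for this example.

```python
import sqlite3
# Constructed example schema (not course material): departments and employees.
SCHEMA = """
CREATE TABLE department (
    id   INTEGER PRIMARY KEY,              -- entity integrity: unique key per row
    name TEXT NOT NULL UNIQUE
);
CREATE TABLE employee (
    id      INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    salary  INTEGER NOT NULL CHECK (salary >= 0),        -- input validation in the schema
    dept_id INTEGER NOT NULL REFERENCES department(id)   -- referential integrity
);
INSERT INTO department VALUES (1, 'Finance'), (2, 'HR');
INSERT INTO employee VALUES (1, 'Alice', 5000, 1), (2, 'Bob', 4200, 2);
"""

def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FOREIGN KEY only when enabled
    con.executescript(SCHEMA)
    return con

def find_employee_unsafe(con, name):
    # VULNERABLE: input spliced into the SQL text, so a quote in it changes the query itself.
    return [r[0] for r in con.execute(f"SELECT name FROM employee WHERE name = '{name}'")]

def find_employee_safe(con, name):
    # HARDENED: parameter binding; the value is sent apart from the query text as data only.
    return [r[0] for r in con.execute("SELECT name FROM employee WHERE name = ?", (name,))]

def insert_rejected(con, row):
    # True when a schema-level control (CHECK, FOREIGN KEY, PRIMARY KEY) blocks the row.
    try:
        con.execute("INSERT INTO employee VALUES (?, ?, ?, ?)", row)
        return False
    except sqlite3.IntegrityError:
        return True

def demo():
    con = build_db()
    tautology = "x' OR '1'='1"  # constructed malicious input: always-true WHERE clause
    return {
        "unsafe_injected": sorted(find_employee_unsafe(con, tautology)),   # leaks every row
        "safe_injected": find_employee_safe(con, tautology),              # matches nothing
        "negative_salary_rejected": insert_rejected(con, (3, "Eve", -1, 1)),
        "unknown_dept_rejected": insert_rejected(con, (3, "Eve", 100, 99)),
        "duplicate_id_rejected": insert_rejected(con, (1, "Eve", 100, 1)),
        "valid_row_rejected": insert_rejected(con, (3, "Eve", 100, 2)),
    }
```

The same parameterized query returns only the literal match for a normal name, which is the point: binding keeps user input in the data plane regardless of what it contains.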
Data in Databases – controls
- Encryption: encrypt data both at rest and in transit to prevent unauthorized access.
- Access Control: use role-based access control (RBAC) to determine who has access to what data.
- Authentication: implement strong authentication methods such as multi-factor authentication (MFA).
- Audit and Logging: keep detailed logs of database activity to detect suspicious activity.
- Patch Management: make sure database software is up to date with the latest security patches.
- Back-ups: make regular backups and test recovery procedures to prevent data loss.

Data in databases – best practice
- "Least Privilege": give users only the minimum access rights they need.
- Segregation of Duties: segregate roles and responsibilities to reduce the risk of internal threats. For example, Database Administrator versus Database Auditor: only the latter can delete or modify logs.
- Database "Firewalls": use database firewalls to block malicious SQL injections and other attacks.
- Regular Audits: conduct regular audits and penetration tests to identify and fix vulnerabilities.
- Intrusion Detection Systems (IDS): implement IDS to detect unauthorized access attempts.
- Data Masking: use data masking to hide sensitive data in non-production environments.

Data in Databases – controls at the database level
- Referential Integrity: ensures that references between tables are valid and prevents inconsistent data.
- Entity Integrity: each record has a unique key, which prevents duplication and ensures accurate identification.
- Validation of Input: checks entered data for accuracy and completeness and prevents SQL injection and other attacks.
- Defined Data Fields (Schema): determines the structure and type of data and prevents entry of incorrect or harmful data.

The "Data Owner" and other profiles
Data belongs to an individual or an organizational element (department, company, government agency...), and thus NOT to IT.
The Data Owner is responsible for:
- determining the data classification
- determining the required level of security
Note that the following job functions are also related to data:
- Data Custodian: manages data according to the owner's rules (manages the safe storage, transport and security of data, implements technical measures and security protocols, determines the database structure, etc.). Is not concerned with the content.
- Data Stewards: are concerned with the meaning and proper use of the data, not with how it is stored or protected.

GDPR in a nutshell

GDPR
GDPR = EU General Data Protection Regulation (since May 25, 2018). This regulation deals with the protection of PERSONAL data. A regulation is immediately binding. In Belgium: AVG = Algemene Verordening Gegevensbescherming.
"Personal data" means anything that can identify a natural person.
The GDPR requires all organizations to report certain data breaches to the relevant supervisory authority (in Belgium, this is the "Gegevensbeschermingsautoriteit"). An example is when digital personal data is stolen in large quantities.

Roles
- Controller: the entity that determines the purpose and means of processing the personal data.
- Processor: the entity that processes personal data on behalf of the controller.
- Data Protection Officer (DPO): a person designated to oversee GDPR compliance within an organization.
- Data Subject: the person whose personal data is being processed.

Material Scope (to what does the GDPR not apply?)
This Regulation does not apply to the processing of personal data:
a) in the course of an activity which falls outside the scope of Union law;
b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
c) by a natural person in the course of a purely personal or household activity;
d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

Definitions
"Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

GDPR Principles
- Lawfulness, fairness and transparency: data must be processed in a lawful, fair and transparent manner.
- Purpose limitation: collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimization: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy: data must be accurate and up to date; incorrect data must be corrected or deleted.
- Storage limitation: data should not be kept longer than necessary for the purposes for which it was collected.
- Integrity and confidentiality: data must be processed in a manner that ensures its security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
- Accountability: organizations must be able to demonstrate compliance with the GDPR principles.

Personal data breach
"Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Legal obligation to report:
- not later than 72 hours after having become aware of the personal data breach
- to the competent authorities (Gegevensbeschermingsautoriteit in Belgium)
- unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons

Exercises Cybersecurity Essentials
Info Room D.1.203 (15.15u). Exercises in LEHO. Make ALL exercises! Submit all answers by midnight Sunday at the latest. Remember that completing the exercises counts toward your final score!
Coaches: Mr. Kurt Schoenmaekers, Mr. Henk Brouckxon, Mr. Chris Roets, Mr. Nico Declerck