ISP Exam PDF

Summary

This document provides an overview of networking concepts. It covers various aspects of network security and discusses common vulnerabilities and mitigation strategies, including network planning and design.

Full Transcript

Table of Contents
TCP/IP model................................................................................................ 1
Operation security (5 step process)............................................................... 4
CIA Triad........................................................................................................ 9
Social engineering....................................................................................... 11
Human security............................................................................................ 13
Control examples......................................................................................... 14
Security attacks(4 types)............................................................................. 14
Accountability, Auditing, Logging, Compliance............................................ 15
Application security...................................................................................... 21
Input validation............................................................................................. 25
Techniques used to launch client server attacks......................................... 25

TCP/IP model
1. Physical layer manages the physical connection between devices,
including the transmission and reception of raw bitstreams over a
physical medium (like cables, fibre optics, or wireless signals).
2. Data link layer handles the physical transmission of data over a network
and to ensure that the data reaches its destination on the same local
network.
3. Network layer handles the movement of packets across different
networks and ensure that they reach their intended destination.
4. Transport layer is crucial for managing how data is transmitted between
applications on different devices.
5. Application layer is responsible for managing communications between
networked applications and providing the necessary services to ensure
that data is properly formatted, transmitted, and received.
Network security
Purpose
Application security focuses on protecting applications from vulnerabilities
that can be exploited by malicious actors.

Common Vulnerabilities and Attacks
Injection Attacks:
o SQL injection: Exploiting vulnerabilities in SQL queries to manipulate
databases.
o Command injection: Executing arbitrary commands on the server.
Cross-Site Scripting (XSS): Injecting malicious scripts into web pages to
steal user data
or hijack sessions.
Cross-Site Request Forgery (CSRF): Tricking users into performing
unintended actions
on a web application.
 Session Hijacking: Stealing a user's session token to gain unauthorized
access.
Insecure Direct Object References: Exposing sensitive information through
URLs or
other parameters.
Security Misconfigurations: Improperly configured servers, databases, and
applications.
Sensitive Data Exposure: Storing or transmitting sensitive data without
adequate
protection.

Mitigating Application Security Risks
Input Validation and Sanitization:
o Validate all user input to prevent malicious data from being processed.
o Sanitize input to remove harmful characters and code.
Secure Coding Practices:
o Follow secure coding guidelines and standards.
o Use a secure coding framework to enforce best practices.
o Conduct regular code reviews and vulnerability assessments.
Strong Authentication and Authorization:
o Implement strong password policies and multi-factor authentication.
o Enforce least privilege principles to limit user access.
Secure Session Management:
o Use strong session tokens and secure session cookies.
o Implement session timeouts and regular session expiration.
Data Protection:
o Encrypt sensitive data both at rest and in transit.
o Implement data loss prevention (DLP) measures to prevent unauthorized
data
transfer.
Regular Security Testing:
o Conduct penetration testing to identify vulnerabilities and assess the
effectiveness of security controls.
o Use vulnerability scanning tools to identify and fix security flaws.
Web Application Firewalls (WAFs):
o Protect web applications from attacks by filtering and blocking malicious
traffic.
Intrusion Detection and Prevention Systems (IDPS):
o Monitor network traffic for signs of intrusion and take action to prevent
attacks.

Operation security (5 step process)
Internet management
Steps
1. Network Planning and Design:
o Define network goals and objectives.
o Design network topology and architecture.
o Select appropriate hardware and software components.
2. Network Implementation:
o Install and configure network devices.
o Configure network protocols (TCP/IP, DNS, DHCP).
o Test network connectivity and performance.
3. Network Monitoring and Management:
o Monitor network performance and identify potential issues.
o Troubleshoot network problems.
o Update and maintain network devices and software.
4. Network Security:
o Implement security measures to protect the network from threats.
o Configure firewalls, intrusion detection systems, and other security tools.
o Educate users about security best practices.
Applications
1. Network Management Tools:
o SNMP (Simple Network Management Protocol): Used to monitor and
manage
network devices.
o RMON (Remote Monitoring): Provides detailed network performance
monitoring.
o Nagios: Open-source network monitoring tool.
o Zabbix: Open-source network monitoring tool.
2. Network Configuration Tools:
o Cisco Configuration Professional (CCP): Configures Cisco network devices.
o Juniper Junos Space: Configures Juniper network devices.
3. Network Security Tools:
o Firewalls: Filter network traffic to prevent unauthorized access.
o Intrusion Detection Systems (IDS): Detect and alert on network intrusions.
o Intrusion Prevention Systems (IPS): Prevent attacks by blocking malicious
traffic.
o VPN (Virtual Private Network): Encrypts network traffic to secure remote
access.
4. Network Analysis Tools:
o Wireshark: Packet analyser for network troubleshooting and security
analysis.
o NetFlow: Collects network traffic flow data for analysis.
5. Network Automation Tools:
o Ansible: Automates configuration management and deployment tasks.
o Puppet: Configuration management tool for automating infrastructure.
o Chef: Configuration management tool for automating infrastructure.
By effectively managing and securing networks, organizations can ensure
reliable and efficient
communication and data transfer, while mitigating potential security risks.

CIA Triad
Confidentiality
Definition: Confidentiality ensures that sensitive information is only
accessible to authorized individuals and systems. This involves implementing
measures to prevent unauthorized access, disclosure, or interception of data.
Confidentiality refers to the ability to prevent unauthorised users from
accessing private data. Confidential data may be protected by the use of
strong passwords and PIN codes, and by ensuring that the physical devices
on which such data is stored are appropriately secured.

Key Practices:
Encryption: Encrypting data to ensure it cannot be read if intercepted.
Access Controls: Using permissions and authentication mechanisms to
restrict access to authorized users.
Data Masking: Hiding sensitive data, such as masking credit card numbers
in reports

Encryption converts sensitive information or data into a secret code to prevent
unauthorized access.

Integrity
Integrity ensures that the data remains accurate, consistent, and unaltered
during storage, transmission, or processing. This principle is crucial for
maintaining the trustworthiness of Information. Integrity refers to the ability to
prevent unauthorised changes from being made to existing data, and to
reverse any unauthorised changes that may have been made. Data integrity
can be protected by implementing read/write restrictions or by placing
restrictions on file access.

Key Practices:
Hashing: Generating a unique hash for data, allowing verification of its
integrity.
Checksums and CRCs: Verifying data integrity during transmission through
checksums.
Version Control: Keeping track of changes in data to prevent unauthorized
modifications.

Availability
Availability ensures that information and resources are accessible to
authorized users when needed. This principle focuses on minimizing
downtime and maintaining operational continuity. Non-availability may be due
to internal causes such as power outages or file corruption, or to external
causes such as denial of-service attacks.

Key Practices:
Redundancy: Implementing redundant systems and backups to ensure data
is available even in case of hardware failure.
Disaster Recovery Plans: Preparing for and recovering from data breaches,
natural disasters, or other incidents that may disrupt access to information.
Regular Maintenance: Performing regular updates and maintenance to
prevent system failures.
The Parkerian Hexad
The Parkerian Hexad (Parker, 1998) extends the CIA Triad by adding three
related principles: possession (or control), authenticity and utility. Parker also
employs a slightly different definition of integrity, which for him refers to data
that remains completely unchanged from its previous state; whereas the CIA
Triad allows authorised changes to be made.
Possession
Possession (or control) refers to the physical storage of data on media such
as disk drives or magnetic tapes. If a disk drive crashes or a magnetic tape is
lost, and if no backup of that data exists, then you will no longer have
possession of the corresponding data. Refers to the physical possession or
control of information or the medium in which it is stored. It's possible for
information to be confidential but not in the possession of the person who
owns or controls it.
Authenticity
Authenticity refers to having the ability to verify the source of a particular item
of information, such as an email message. Ensuring that information is
genuine and from a legitimate source. Authenticity guarantees that the data,
messages, or documents are what they purport to be and that the source can
be verified.
Utility
Utility refers to the usefulness of an item of data. Utility is measured in terms
of degree (slightly useful/extremely useful) and not in binary terms (yes/no).
Ensuring that information is useful and has value to the intended users. Utility
relates to the usability of data in its intended context, meaning that it must be
in a format and condition that can be used as intended. The utility is on a
spectrum (less to most useful) and is not binary (yes/no)

Social engineering
Social Engineering: Manipulating individuals into divulging confidential
information or performing actions that compromise security.
Social engineering attacks occur when cybercriminals manipulate victims into
taking or omitting specific actions, such as disclosing sensitive data or
disabling security checks. One typical example of social engineering is
phishing. OPSEC assists enterprises here by spreading awareness on
spotting and preventing such attacks.

Social Engineering Types
Pretexting: Deceiving individuals by impersonating a trusted person or
organization.
Phishing: Sending fraudulent emails or messages to trick recipients into
revealing sensitive information.
Spear Phishing: A targeted form of phishing that attacks specific individuals
or organizations.
Tailgating: Physically following authorized individuals into restricted areas.
Mitigation Strategies
Regular Security Awareness Training:
o Educate employees about social engineering tactics, phishing attacks, and
weak password practices.
o Conduct regular training sessions to reinforce security awareness.
o Use interactive training methods, such as simulations and quizzes.
Strong Password Policies:
o Enforce complex password requirements, including a mix of characters,
numbers, and symbols.
o Encourage the use of unique passwords for different accounts.
o Implement password managers to securely store and manage passwords.
Access Controls:
o Limit access to sensitive information and systems based on the principle of
east privilege.
o Implement multi-factor authentication to add an extra layer of security.
o Regularly review and update access permissions.
Phishing Simulations:
o Conduct periodic phishing simulations to test employees' awareness and
response.
o Analyse the results to identify areas for improvement in training and policies.
Incident Response Plan:
o Develop and implement a comprehensive incident response plan to address
security breaches.
o Have a clear process for reporting and responding to incidents.
Human Behavior Awareness:
o Encourage employees to be cautious of unsolicited requests, even if they
appear to be from trusted sources.
o Teach employees to verify information independently, such as by calling a
known number or checking official websites.
o Promote a culture of security awareness, where employees are encouraged
to report suspicious activity.
By implementing these strategies, organizations can significantly reduce their
vulnerability to social engineering attacks and protect their valuable assets.

Human security
Human-Introduced Threats
Weak Passwords: Employees often choose easy-to-guess passwords.
Physical Security Oversights: Leaving workstations unattended and
unlocked.
Social Engineering: Manipulating individuals to gain unauthorized access.
Insider Threats: Malicious actions by employees or contractors.
Mitigating Human Risk Factors
Strong Password Policies: Enforcing complex password requirements.
Security Awareness Training: Educating employees about security best
practices.
Access Controls: Limiting access to sensitive information and systems.
 Social Engineering Awareness Training: Teaching employees to recognize
and avoid
social engineering tactics.
Incident Response Planning: Having a plan in place to respond to security
incidents.
Sources of Human Information for Social Engineering
Human Intelligence (HUMINT): Gathering information through direct
interaction with
people.
Open-Source Intelligence (OSINT): Collecting information from publicly
available
sources, such as social media, public records, and online forums.
By understanding and addressing the human element in security,
organizations can significantly
reduce their risk of cyberattacks and data breaches.

Control examples
Physical controls are used to prevent or deter unauthorised access;
examples include security cameras and locked doors.
Administrative controls refer to processes and procedures that are
implemented in order to reduce or avoid risk. For example, you may have an
information security policy plus supporting documentation showing how this
policy has been implemented.
Technical controls use technical measures to manage risk, such as intrusion
detection systems and firewalls.

Security attacks(4 types)
There are four different types of security attack: interception, interruption,
modification and fabrication. Furthermore, security attacks can be carried out
on ‘data at rest’ (e.g. data that is stored on a hard drive) or ‘data in motion’
(e.g. data that is in the process of being transferred from one computer to
another via email).

Interception attacks allow unauthorised users to access confidential data
and/or software applications and can be difficult to detect.
Interruption attacks prevent authorised users from accessing information
assets, either temporarily or permanently. Such attacks may affect the
integrity as well as the availability of data.
Modification attacks result in unauthorised changes being made to the
content of affected files. This could compromise the availability, integrity
and/or confidentiality of the file contents.
Fabrication attacks generate random data, fake email communications or
additional processes that serve no useful purpose. Such attacks affect the
integrity of the system and may also impact its availability.

Accountability, Auditing, Logging, Compliance
Accountability
The principle of accountability requires individuals who have access to your
resources to be held responsible for their actions and to adhere to the rules
that govern the use of those resources. In order to determine accountability,
you need to refer back to the identification, authentication and authorisation
rules that are associated with a particular individual. Holding people
accountable is an important factor in preventing security breaches: it enables
non-repudiation, it deters people from abusing organisational resources, and it
helps to detect and prevent intrusions.

Accountability in Information Security refers to the principle that individuals
and organizations must
be held responsible for their actions and decisions related to the management
and protection of
information.
This includes ensuring that users, administrators, and other stakeholders are
accountable for their roles
in maintaining the confidentiality, integrity, and availability of data.
Holding people accountable is an important factor in preventing security
breaches: it enables non
repudiation, it deters people from abusing organisational resources, and it
helps to detect and
prevent intrusions.

Non-repudiation implies that you have sufficient evidence to be able to
prove who was responsible for
a particular activity or occurrence.
Deterrence implies that people will be more likely to follow rules governing
the use of resources, if
they know that their actions are being monitored.
Intrusion detection and prevention tools monitor organisational systems
and alert technical staff to
unusual or undesirable activities.
To determine accountability, you need to refer to the identification,
authentication and authorisation
rules that are associated with a particular individual.

When evidence is collected for use in a legal dispute, it is important for the
chain of custody to remain unbroken. A tracking system allows the original
evidence to be tracked, monitored and reported.

Concepts
Audit Trails: Keeping detailed records of user activities to ensure actions can
be traced back to
specific individuals or systems.
Access Controls: Assigning and managing permissions so that only
authorized individuals can access sensitive information.
 Security Policies: Establishing clear guidelines and expectations for how
information should be
protected and ensuring that these policies are followed.
Monitoring and Reporting: Continuously monitoring systems and networks
for security
breaches and reporting any suspicious activities.
Enforcement: Ensuring that violations of security policies are addressed and
that there are consequences for failing to adhere to security standards.

Auditing
Internal auditing is the process of reviewing organisational records to ensure
that rules governing the use of corporate resources have been complied with.
In large organisations, external audits may be performed to ensure that your
organisation meets statutory financial and regulatory requirements.
Organisations may also conduct audits of software licenses and of websites
that are frequently visited by employees.

A computer log generates a history of the digital activities that have occurred
within a specific system.
Monitoring usually involves reviewing computer logs in order to identify
unusual activities, usage patterns or traffic volumes.
An assessment audit searches for vulnerabilities in the system in order to
resolve any potential or existing problems.
A separate field of auditing is IT auditing, which deals specifically with IT
controls.
Regulatory Compliance
Organisations need to comply with externally imposed rules and regulations
that may affect their internal systems and processes.
Compliance refers to an organisation’s adherence to the rules and
regulations that govern a particular industry, including the information that is
typically handled within that industry.

In this context, compliance is a business need, not an issue of technical
security.
Regulatory compliance requires adherence to the laws governing the
industry in which your organisation operates. The demonstration of regulatory
compliance is based on regular audits and assessment.
Industry compliance involves adherence to practices that are not mandated
by law, but are essential for organisations operating within a particular
business context. For example, organisations must comply with the standards
that have been defined for processing credit card transactions.

Control Examples
Physical, administrative and technical controls are used to support compliance
with standards and regulatory requirements.

Physical controls are used to prevent or deter unauthorised access;
examples include security cameras and locked doors.
Administrative controls refer to processes and procedures that are
implemented in order to reduce or avoid risk. For example, you may have an
information security policy plus supporting documentation showing how this
policy has been implemented.
Technical controls use technical measures to manage risk, such as
intrusion detection systems and firewalls.
 The primary controls used to mitigate risk within a particular environment are
referred to as key
controls. The failure of a key control will usually affect an entire process, and it
is unlikely that another control will be able to compensate for this failure.
Compensating controls are used as a (less effective) substitute for
impractical or unfeasible key controls.
Maintaining compliance relies on a four-step process that includes
monitoring existing controls, reviewing their effectiveness, documenting and
analysing the review results, and reporting on the overall state of controls in
the organisation.

Legal Compliance
Relevant legislation must be taken into account when evaluating compliance.
The Sarbanes-Oxley Act (SOX) of 2002 is definitely relevant to South African
organisations. SOX regulates financial data, operations, and assets for
publicly held companies, and includes specific requirements related to the
gathering, retention and storage of electronic records.

In South Africa, we have specific legislation that needs to be complied with:
POPIA: Governs the lawful processing of personal data to protect
individual privacy.
ECTA: Provides legal recognition for electronic communications,
transactions, and signatures.
Cybercrimes Act: Defines and addresses various cybercrimes, including
hacking and cyber fraud.
RICA: Regulates the interception of communications and requires the
retention of certain communication data.
King IV Report: Offers guidelines on corporate governance, including IT
governance and cybersecurity.
NCPF: Outlines South Africa's national cybersecurity strategy and
response to cyber threats.
 CPA: Protects consumer rights in electronic transactions and against
unfair trade practices.
The Sarbanes-Oxley Act (SOX) of 2002 is definitely relevant to South
African organisations, which regulates financial data, operations, and assets
for publicly held companies, and includes specific requirements related to the
gathering, retention and storage of electronic records.

Compliance Frameworks
Compliance frameworks make it easier for organisations to ensure compliance
across a number of unrelated regulations.
Use of a tried and tested framework also simplifies the audit process, since it
facilitates the auditor’s understanding of the program controls that have been
implemented.

Some internationally accepted compliance frameworks and standards are
listed below.
Standards promulgated by the International Organisation for
Standardisation (ISO):
ISO/IEC 27000: Information security management systems – Overview
and vocabulary.
ISO/IEC 27001: Information technology – Security techniques –
Information security management systems – Requirements.
ISO/IEC 27002: Code of practice for information security controls

Special publications issued by the US National Institute of Standards and
Technology (NIST):
SP 800-37: Guide for Applying the Risk Management Framework to Federal
Information Systems.
SP 800-53: Security and Privacy Controls for Federal Information Systems
and Organisations.
Compliance in the Cloud encompasses several different models that offer
differing levels of control over the computing environment. Organisations are
able to choose the most appropriate configuration for their needs, based on
their business requirements.
Infrastructure as a Service (IaaS) provides access to virtual servers and
storage. The cloud provider is responsible for risks associated with the host
servers and the networks that connect those servers.
Platform as a Service (PaaS) provides prebuilt servers such as database
and web servers. The cloud provider is responsible for the security of the
server infrastructure, as well as server configuration, backup and
maintenance.
Software as a Service (SaaS) provides access to specific applications or
software suites. The cloud provider is responsible for the security of the
servers and accompanying infrastructure including software applications.

Some cloud providers allow clients to audit the security of their cloud
environment, subject to certain conditions such as the timing and frequency of
audits. Other cloud providers may share the results of their own annual
external audit with their clients.

Application security
Often, application and data vulnerabilities are not a result of poor network
design, but rather insecure coding practices.
Key defences include proper input validation, strong user authentication, and
authorization mechanisms.
Sensitive data should always be encrypted, either at rest or in transit.
Common software development vulnerabilities include buffer overflows, race
conditions, input validation attacks, and various authentication, authorization,
and cryptographic attacks

Common attacks
Web applications are particularly susceptible to various types of attacks.
 Client-side attacks typically work by embedding malicious links within a web
page hosted on the client’s machine.
When users click these links, hidden code is executed, potentially
compromising the system.
Server-side attacks are often enabled by weaknesses such as insufficient
input validation, improper user permissions, the use of default directory names
and structures, and the presence of outdated backups containing source
code.

Databases, which frequently store sensitive information like personal and
financial data, are prime targets for attackers.
Common vulnerabilities within databases stem from insecure network
protocols used for communication, a lack of appropriate user credentials, poor
SQL coding practices, and privilege escalation through SQL injection

Common mitigations
To mitigate these risks, several security tools are available.
Sniffers monitor network traffic patterns, while web application analysis tools
search for insecure configurations and vulnerabilities.
"Fuzzers" test applications by attempting to induce failures or unexpected
behaviors. Specialized vulnerability assessment tools play a crucial role in
identifying and evaluating security weaknesses, and vendors typically provide
guidance on how to address these issues.
Vulnerability assessments usually include three main steps: mapping and
discovery, scanning for vulnerabilities, and overcoming cloud-specific
challenges.
Penetration testing is another critical approach for identifying potential
weaknesses and involves a five-step process: scoping, reconnaissance
(gathering information), discovery of vulnerabilities, exploitation of identified
weaknesses, and finally, reporting the findings
Purpose
Application security focuses on protecting applications from vulnerabilities
that can be
exploited by malicious actors.
Common Vulnerabilities and Attacks
Injection Attacks:
o SQL injection: Exploiting vulnerabilities in SQL queries to manipulate
databases.
o Command injection: Executing arbitrary commands on the server.
Cross-Site Scripting (XSS): Injecting malicious scripts into web pages to
steal user data
or hijack sessions.
Cross-Site Request Forgery (CSRF): Tricking users into performing
unintended actions
on a web application.
Session Hijacking: Stealing a user's session token to gain unauthorized
access.
Insecure Direct Object References: Exposing sensitive information through
URLs or
other parameters.
Security Misconfigurations: Improperly configured servers, databases, and
applications.
Sensitive Data Exposure: Storing or transmitting sensitive data without
adequate
protection.
Mitigating Application Security Risks
Input Validation and Sanitization:
o Validate all user input to prevent malicious data from being processed.
o Sanitize input to remove harmful characters and code.
Secure Coding Practices:
o Follow secure coding guidelines and standards.
o Use a secure coding framework to enforce best practices.
o Conduct regular code reviews and vulnerability assessments.
Strong Authentication and Authorization:
o Implement strong password policies and multi-factor authentication.
o Enforce least privilege principles to limit user access.
Secure Session Management:
o Use strong session tokens and secure session cookies.
o Implement session timeouts and regular session expiration.
Data Protection:
o Encrypt sensitive data both at rest and in transit.
o Implement data loss prevention (DLP) measures to prevent unauthorized
data
transfer.
Regular Security Testing:
o Conduct penetration testing to identify vulnerabilities and assess the
effectiveness of security controls.
o Use vulnerability scanning tools to identify and fix security flaws.
Web Application Firewalls (WAFs):
o Protect web applications from attacks by filtering and blocking malicious
traffic.
Intrusion Detection and Prevention Systems (IDPS):
o Monitor network traffic for signs of intrusion and take action to prevent
attacks.
By understanding these vulnerabilities and implementing strong security
measures,
organizations can significantly reduce the risk of application security breaches
and protect their
valuable assets.
Input validation
Input validation ensures that the input submitted to an application is in the
expected format. When input validation is absent, unusual input characters
might cause an application to crash, or could even affect the functioning of the
operating system.

Input validation refers to the process of ensuring that any data entered by
users (or external sources) is properly checked before being processed by the
system.
It aims to ensure that inputs are within the expected format, type, and range,
protecting applications from attacks such as SQL injection, cross-site scripting
(XSS), or buffer overflows.
Without proper input validation, attackers can inject malicious data into the
system, potentially compromising its security.
Effective input validation involves sanitizing and verifying all user inputs
against predefined rules, using techniques such as whitelisting, regex
patterns, and escaping characters.

Techniques used to launch client server attacks
Cross-site scripting incorporates code written in a scripting language into a
web page or other media. When a user views the web page or media, the
embedded code is executed.
Three main types of XSS:
1.Stored XSS (Persistent XSS): The malicious script is permanently stored on
the target server, for example, in a database or a comment field. When a user
requests the content, the server sends the script back, and it is executed in
the user’s browser.
2.Reflected XSS (Non-persistent XSS): The malicious script is part of a URL
or request that the attacker sends to the victim. When the victim clicks the link
or takes action, the server reflects the script back, and it gets executed by the
browser.
3.DOM-based XSS: The vulnerability occurs when the website’s JavaScript
modifies the DOM (Document Object Model) without proper validation or
escaping. This allows attackers to inject malicious scripts directly into the
page's DOM

Cross-site request forgery relies on a link located on a web page, that will
execute automatically when the web page is opened, and initiate an activity on
another web page where the user is currently authenticated. CSRF, also
known as XSRF or Session Riding, is a type of attack where an attacker tricks
a user into performing actions on a website where the user is authenticated,
without their knowledge or consent.

How it works:
The victim is logged into a website (e.g., a bank account).
The attacker sends the victim a malicious link or embeds a hidden request
on a page they control.
When the victim clicks the link or visits the attacker's page, the browser
sends a request to the trusted website (where the user is authenticated),
performing actions such as transferring money or changing settings.
The trusted website sees the request as legitimate because it comes from
the user’s authenticated session

Prevention of CSRF:
CSRF tokens: Generate unique, unpredictable tokens for forms or requests
and validate them on the server side.
SameSite cookie attribute: Helps restrict how cookies are sent with requests
originating from external sites.
Requiring re-authentication for sensitive actions (like financial transactions)
 Clickjacking tricks users by linking a malicious control to an apparently
innocent button on a web page.
Clickjacking is an attack where an attacker tricks users into clicking on
something different from what they perceive, potentially leading them to
execute unintended actions. The attacker may use transparent layers or
hidden frames to overlay malicious content, causing users to click on
elements like buttons or links without realizing it

How it works:
1. The attacker creates a website with a hidden iframe containing a trusted
site (such as a social media platform, bank, or web app). 2. The user is
presented with seemingly harmless content, but when they click on
something, they are actually interacting with the hidden content in the iframe.
3. As a result, the user may unknowingly “like” a post, transfer money, or
perform some action on the hidden site

Prevention of Clickjacking:
X-Frame-Options header: Ensures that the page cannot be embedded in
iframes from other domains.
DENY: Prevents the page from being displayed in a frame entirely.
SAMEORIGIN: Allows the page to be displayed only if the frame is from
the same domain.
Content Security Policy (CSP) frame-ancestors directive: Specifies which
sources are allowed to embed the page.
UI Redressing techniques: Developers can ensure that users are interacting
with visible, intended elements

Physical security
Identifying physical threats and security controls
Physical Security Measures are intended (purpose) protect people,
equipment, and data storage facilities from physical threats.
 All relevant security threats should be identified in order for appropriate
controls to be implemented. Examples of physical threats include extreme
temperatures, gases, liquids, living organisms, projectiles, movement, and
energy anomalies.

The physical security controls that are put in place to counter these threats
may have a deterrent, detective and/or preventive function.
Deterrent controls are intended to discourage potential intruders from trying
to gain access to your property, whether physical or digital.
Detective controls monitor and report physical intrusions, or undesirable
events such as a smoke alarm going off.
Preventive controls such as locks, electric fences or guard dogs, make it
difficult for an intruder to enter a building or other business premises.

Business continuity plans ensure that the business will continue to function
despite disruptions that interfere with normal business processes.
Disaster recovery planning anticipates the possible impact of an unforeseen
disaster and lays out the steps that should be followed if a disaster occurs.