Elementary Information Security Practices 2015
A guide to improve Information Security within organization by taking simple steps
Octogence
http://octogence.com/ ELEMENTARY INFORMATION SECURITY PRACTICES
1
1Elementary Information Security Practices
In the last few decades technology has made giant leaps. This has allowed us to progress in many ways and helped organizations grow. Using this technology, today we are generating more data than ever before: people are sharing it, companies are building businesses around it and governments are “accessing it”.
Securing this data has become a prime concern for organizations as well as individuals. Information Security is no longer just a technical issue but a serious business concern. The process of information security follows a multi-step cycle with many phases, each of which is critical. Many organizations fail to understand this and feel safe relying on individual element(s) of this cycle.
This guide is designed to help organizations become more secure by taking pragmatic steps. The ideas and methods discussed here would allow any organization or individual to make its IT infrastructure safer. Most of the tools and techniques mentioned cost nothing, yet contribute to making the virtual space more secure. This should not be taken as a silver bullet but as something which is good to have without spending much $$$.
The reason for creating this guide is to help organizations and individuals quickly identify common mistakes and their mitigations. The common reason people don’t take steps for IT security is that they are not aware of the issues in the first place; for example, some administrators may not be aware that using WEP for Wi-Fi networks is not a good idea, or how an attacker might be able to pivot to the internal network from a compromised host. Here we talk about some basic steps which would certainly help in making the virtual environment safer.
The guide is divided into different sections for easy navigation and only contains quick and simple methods for better security.
Table of Contents
1. Basic Information Security 3
2. Web Application Security 4
3. Network Security 6
4. Mobile Application Security 7
5. Tools of the trade 8
a. Offense 8
b. Defense 9
6. Resources 9
7. About Us 10
1. Basic Information Security
Here are some basic steps which would substantially increase the level of security. They do not require much effort to implement, yet provide considerable protection against common attacks.
• Passwords are the keys to the kingdom: an attacker who has extracted an employee’s password might leverage it to get deeper into the company IT infrastructure. Take the utmost care when handling passwords.
• Have a strong password policy for employees and clients as well as for the website and the network.
• Change the default credentials of everything (OS/software/devices), so that no one can log in to them after a quick Google search.
• Do not store employee/client passwords.
• If storing passwords is a business requirement, salt and hash them.
• Use rate limiting techniques to slow down attackers.
• Handling and storing sensitive data is a business requirement for many organizations. Handle this with care. Encrypt all sensitive information, so that it becomes worthless to attackers even if they access it, unless they also have access to the key(s).
• Encoding is not encrypting. Many developers simply apply encoding schemes such as Base64, which can be trivially decoded.
• Instead of creating your own encryption algorithm, use the available solutions, as they are far more reliable and time tested.
• Use encryption software such as BitLocker to encrypt sensitive information on employee machines.
• When transporting sensitive information, use a secure channel (HTTPS). This helps against attackers sniffing the traffic.
• Many times attackers are able to get inside a host/network because of outdated software which contains vulnerabilities. Update everything possible (OS/software/devices) regularly.
• Do not rely only on vendors. Sometimes vendors take a long time to provide a patch for vulnerabilities in their product; until then, take preventive measures against such issues through virtual patching or a patch provided by the community (from a trusted source).
• The weakest link in the chain of security is the human. Many attackers directly target the employees of the organization to get into the network. Conduct security awareness training for employees.
• Demonstrate why no one should plug in any device (pen drive, SD card etc.) they found in the parking lot, or click on links and popups from untrusted sources. Attackers try to lure people into plugging such malware-carrying devices into the internal network, or use client-side attacks through crafted links in emails.
• Through engaging exercises, show how attackers use different phishing techniques to get sensitive data (credentials, credit card details etc.) from people. Most of these emails and pages are crafted for the target after going through their social network profiles and understanding their likes and dislikes.
• Always remember that any information is critical information for an attacker, who might use it against you.
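The password items above (salt and hash, rate limiting) together with the lockout recommended in the Network/Host section, as an added example that is not part of the original guide. It uses only the Python standard library; the iteration count, salt size, attempt limit and lockout duration are assumptions to tune for your environment, and the in-memory user store stands in for a real database:

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple

# Assumed parameters (not from the guide): PBKDF2-HMAC-SHA256 with a random
# 16-byte salt per user and 600,000 iterations (the OWASP recommendation for
# SHA-256 at the time of writing). Tune the iteration count to your hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
MAX_FAILED_ATTEMPTS = 5      # lock the account after this many failures...
LOCKOUT_SECONDS = 15 * 60    # ...for this long
DUMMY_SALT = b"\x00" * SALT_BYTES


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh random salt is generated when none is
    given, so two users with the same password get different stored values and
    precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute the key with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_key)


class LoginThrottle:
    """Counts failed attempts per username and refuses logins during lockout.
    State lives in memory here; a real service would keep it in shared storage.
    The clock is injectable so the lockout can be tested without waiting."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, username: str) -> bool:
        return self._clock() < self._locked_until.get(username, 0.0)

    def record_failure(self, username: str) -> None:
        count = self._failures.get(username, 0) + 1
        if count >= MAX_FAILED_ATTEMPTS:
            self._locked_until[username] = self._clock() + LOCKOUT_SECONDS
            count = 0
        self._failures[username] = count

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


def register_user(users: Dict[str, Dict[str, bytes]], username: str, password: str) -> None:
    """Store only the salt and the derived key, never the password itself."""
    salt, key = hash_password(password)
    users[username] = {"salt": salt, "key": key}


def attempt_login(users: Dict[str, Dict[str, bytes]], throttle: LoginThrottle,
                  username: str, password: str) -> str:
    """Return 'locked', 'ok' or 'denied'. Unknown usernames and wrong passwords
    produce the same result and the same amount of hashing work, so the
    response does not reveal which usernames exist."""
    if throttle.is_locked(username):
        return "locked"
    record = users.get(username)
    if record is None:
        hash_password(password, DUMMY_SALT)   # burn the same time as a real check
        ok = False
    else:
        ok = verify_password(password, record["salt"], record["key"])
    if ok:
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"
```

The throttle here is per username; production deployments usually combine it with a per-source-address limit so that a single attacker cannot lock out many legitimate users, and they persist the counters so a restart does not reset them.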
2. Web Application
Almost every organization and many individuals have a website today. It allows us to showcase information about ourselves, share knowledge and provides a medium to connect. Many services are also provided through websites (eCommerce, recharge etc.). The security of web applications is important, as it might affect client data and will surely affect company reputation.
• Minimize the amount of information revealed about the technologies in use; otherwise attackers can use vulnerabilities specific to them. Usually such information is present in the page source, response headers and file metadata.
• Error messages, DEBUG output, hidden directories and admin pages which reveal information about the technologies and structure of the application should be replaced with generic responses.
• Never trust client-supplied data. Many developers assume that users will not submit malicious data and take no proactive measures against it.
• Validate every piece of data sent by clients. This helps against vulnerabilities such as Cross-Site Scripting, SQL Injection, XML injection etc. Also implement output encoding.
• Do not rely on client-side validation, as it is easy to bypass; enforce validation on the server side.
• Use secure methods to create and maintain a session. Issue a new set of cookies after login, and time out a session after a specific period of inactivity.
• Do not use the GET method to transfer sensitive information, as GET parameters are logged in various places such as browser history, firewalls etc.
• Use tokens for sensitive forms, and place them properly. Sometimes developers put the anti-CSRF token in a cookie instead of the request body or a header, which makes it worthless.
• The tokens used should be neither predictable nor reusable. The recently discovered vulnerability in Facebook is a good example: it allowed any user to use the token from mobile access to delete the photos of any other user.
• Implement strong measures to validate authentication as well as authorization. Many applications simply provide a token without binding it to the session, and attackers are able to predict the value of the token for another account of the same or higher privilege and hence access it.
• Implement anti-automation techniques such as CAPTCHA to prevent brute force attacks.
• Business logic vulnerabilities are the ones most ignored by developers. These issues usually stem from design flaws and are hard to detect with scanners. Examples are price tampering, coupon reuse, negative amount transfers etc. Give such issues special attention during development.
• Using an encrypted channel is a must when transferring sensitive data. Implement HTTPS to prevent data from getting into the hands of an attacker during transmission between client and server.
• Disable methods such as PUT and DELETE if they are not required.
• Sometimes the culprit is not the application but the server hosting it. Patch and update the server and associated technologies to defend against issues such as WebDAV vulnerabilities.
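Several of the items above put into code, as an added example that is not from the original guide and uses only the Python standard library: a parameterized query beside the string-built one it replaces, allowlist validation on the server side, output encoding, a fresh session id on login, and an anti-CSRF token bound to the session and sent in the form body rather than a cookie. The users table, its two rows and the dict standing in for the framework’s session store are constructed assumptions:

```python
import hmac
import html
import re
import secrets
import sqlite3
from typing import Dict, List, Optional, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The pattern to avoid: the client-supplied value is pasted into the SQL
    text, so a quote character in the input changes the meaning of the query."""
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Parameterized query: the value travels separately from the SQL text and
    is only ever treated as data, whatever characters it contains."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Server-side allowlist validation: the username must match a narrow pattern,
# regardless of what the browser-side JavaScript already checked.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def validate_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None


def render_greeting(display_name: str) -> str:
    """Output encoding: escape untrusted text before placing it in HTML so it
    is displayed as text rather than interpreted as markup."""
    return "<p>Hello, %s</p>" % html.escape(display_name, quote=True)


def login(session_store: Dict[str, Dict[str, str]], old_session_id: Optional[str],
          username: str) -> str:
    """After successful authentication, discard the pre-login session and issue a
    fresh id (the guide's 'new set of cookies after login'), so a session id that
    existed before login is never upgraded to an authenticated one."""
    if old_session_id is not None:
        session_store.pop(old_session_id, None)
    new_id = secrets.token_urlsafe(32)
    session_store[new_id] = {"user": username}
    return new_id


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Generate an unpredictable token and bind it to this session; the page
    embeds it in the form body (or sends it in a header), never in a cookie."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def check_csrf_token(session: Dict[str, str], submitted: Optional[str]) -> bool:
    """Accept the form only if the token it carries matches the one bound to the
    session, comparing in constant time."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)
```

The same ideas carry over to any web framework: the driver’s placeholder syntax replaces string formatting, the template engine’s auto-escaping replaces the manual `html.escape`, and the framework’s session middleware provides the store that the dict stands in for here.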
3. Network/Host
A network is a group of computer systems connected together. Usually
corporate networks connect various devices using a broad range of
technologies. Each unique system and device which is part of the network
brings along new challenges and issues.
• Close unnecessary open ports/services on every machine on the network. These ports are used by attackers to get inside and maintain a connection. Nmap can be used to identify them.
• Implement lockout after a fixed number of failed attempts for every kind of service login, be it SQL Server, SMB, RDP etc.
• Update every element of the network (hosts, devices, servers etc.) regularly.
• Everyone loves to use the internet through Wi-Fi as it provides freedom from wires, but if authentication mechanisms with known security issues are used, it also opens doors into the network for attackers. Implementations such as WEP, WPS and MAC filtering are easy to crack/bypass and hence should not be relied upon; instead use WPA2 Enterprise with a strong password.
• Most network devices (Wi-Fi access points, routers, switches etc.) run services such as SSH and web applications (which might be vulnerable) with default passwords, and so allow attackers to get in.
• Machines which are not connected to the internet but to the internal network should not be ignored, as an attacker might be able to pivot from one network to another.
• Have a password expiry policy which enforces a password change at regular intervals. This helps against attackers who have already obtained the credentials.
• It is possible that attackers already have a foothold in the network through client-side attacks, malware etc. Do not ignore things like rogue services, open ports, connections to suspicious IPs, sudden variations in bandwidth usage, connections during odd hours etc.
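The last item above turned into a small detection routine, as an added example that is not from the original guide. It parses constructed connection records, flags connections during odd hours, external destinations on ports outside an allowlist and unusually large transfers, and compares a listening-port inventory (such as one gathered with Nmap) against an approved baseline to surface rogue services. The record format, the network ranges, the business hours and the thresholds are all assumptions:

```python
import ipaddress
import re
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample of outbound-connection records, in a format a firewall or
# flow collector might export (format and values are assumptions, not from the
# guide). 10.0.0.0/8 plays the internal network; the other addresses are
# documentation ranges.
SAMPLE_LOG = """\
2015-06-02T10:12:44Z src=10.0.5.17 dst=93.184.216.34 dport=443 bytes=18320
2015-06-02T03:07:10Z src=10.0.5.17 dst=203.0.113.9 dport=4444 bytes=2048
2015-06-02T11:45:02Z src=10.0.5.22 dst=10.0.1.5 dport=445 bytes=4096
2015-06-02T13:20:31Z src=10.0.5.22 dst=198.51.100.77 dport=443 bytes=734003200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)

# Policy (assumed): the internal range, the ports normally allowed towards the
# internet, business hours in UTC, and a per-connection volume worth a look.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_EXTERNAL_PORTS = {80, 443}
BUSINESS_HOURS = range(7, 20)            # 07:00-19:59
VOLUME_THRESHOLD = 500 * 1024 * 1024     # 500 MiB


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Dict[str, object]:
    """Turn one record into typed fields; reject anything that does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("unrecognised record: %r" % line)
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "bytes": int(m.group("bytes")),
    }


def analyse_connections(log_text: str) -> List[Dict[str, object]]:
    """Apply the policy to every record and return only the ones that trip a
    rule, listing every reason so an analyst sees the whole picture at once."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = []
        if rec["ts"].hour not in BUSINESS_HOURS:
            reasons.append("connection outside business hours")
        if not is_internal(rec["dst"]) and rec["dport"] not in ALLOWED_EXTERNAL_PORTS:
            reasons.append("external destination on port %d not in allowlist" % rec["dport"])
        if rec["bytes"] > VOLUME_THRESHOLD:
            reasons.append("unusually large transfer (%d bytes)" % rec["bytes"])
        if reasons:
            findings.append({"src": rec["src"], "dst": rec["dst"], "reasons": reasons})
    return findings


def unexpected_listeners(observed: Dict[str, Set[int]],
                         baseline: Dict[str, Set[int]]) -> Dict[str, Set[int]]:
    """Compare a fresh listening-port inventory per host against the approved
    baseline; anything listening that the baseline does not know about is a
    candidate rogue service to investigate."""
    result = {}
    for host, ports in observed.items():
        extra = ports - baseline.get(host, set())
        if extra:
            result[host] = extra
    return result
```

Rules this simple produce false positives (a backup job at night, a legitimate large download), so treat the output as a triage queue rather than an alarm, and keep the baseline under change control so that an approved new service is added to it deliberately instead of being silently accepted.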
4. Mobile Applications
In the past few years mobile applications have become quite popular. They are fun to play with and provide quick access to services through our smartphones, but they also bring along security and privacy issues.
Mobile apps are complex, as most of them interact with the device as well as the web server, and with the variety of platforms available it becomes harder to identify vulnerabilities.
• If the mobile app provides web-based services then all the recommendations from the web application section apply to it too, such as validating user input, dealing with information disclosure, transport layer protection etc.
• Mobile apps use different methods to store data on the device, such as SQLite databases, plist files, XML files etc. When storing sensitive information, make sure to encrypt it as the requirements dictate, bearing in mind that a rooted device gives full access to the system.
• Do not store credentials on the device.
• Again, encoding is not encrypting.
• Most devices log/cache data, which might lead to data leakage. Disable these features where possible.
• Do not depend on the device ID for authentication/authorization, as it can be spoofed.
• Mobile platforms also have their own weaknesses, such as the Android backup vulnerability, iOS method swizzling etc.; take appropriate steps to minimize their impact on your app.
5. Tools of the trade
When it comes to security, offense and defense are both important. Here is a list of free tools which can help in the process, but they should be used with care and a basic understanding of what they do. Do not perform any kind of testing without proper authorization, or against production systems without prior experience.
A. Offense
• Netsparker Community Edition: Web vulnerability scanner
• Arachni: Web vulnerability scanner
• Burp Suite Free: Manual web vulnerability assessment
• Nikto: Web server scanner
• SQLMap: SQL injection automation tool
• Nmap: Identify open ports, services and much more
• Nessus Home: Vulnerability assessment tool
• OpenVAS: Vulnerability assessment tool
• Metasploit: Penetration testing framework
• Snoop-It: iOS app testing
• iNalyzer: iOS pentesting framework
• iRET: iOS reverse engineering toolkit
• Appie: Android testing environment
Apart from these there are dedicated platforms which provide tools for assessment, such as:
• Kali Linux: Network and web application pentesting and forensics
• AppUse: Android app pentesting
• Samurai WTF: Web application pentesting
B. Defense
• ModSecurity: Web application firewall
• Snort: Intrusion prevention system
• Avast: Antivirus software
• ZoneAlarm: Firewall
• HAProxy: Load balancer
• CloudFlare: Content delivery network
• Secunia PSI: Computer security solution
Security Onion is a great platform which includes many such tools to identify and prevent intrusion attempts.
Defense mechanisms are great to have if configured and used properly, yet one should not depend on them 100%, as attackers are aware of them and develop techniques to bypass them; for example, PowerShell scripts are widely used to bypass AV on modern Windows machines, reverse shells can be used to bypass inbound filters in firewalls, and traffic encapsulation can be used to bypass deep packet inspection.
As stated previously, the aim of this guide is to help organizations and individuals prevent common issues. This is not a comprehensive list, but it provides a basic understanding of some common mitigation steps which should be followed.
6. Resources
Here are some useful resources for understanding and taking care of Information Security, including guides, tool lists, videos etc.
• OWASP https://www.owasp.org/index.php/Main_Page
• OWASP Top 10 https://www.owasp.org/index.php/Top_10_2013-Top_10
• OWASP Testing Guide https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
• OWASP Secure Coding Practices https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
• SANS Top 25 http://www.sans.org/top25-software-errors/
• Security Tools http://sectools.org/
• Beginner’s Guide to Pentesting https://averagesecurityguy.files.wordpress.com/2015/01/hack-yourself-first-final.pdf
• SecurityTube http://www.securitytube.net/
7. About Octogence Tech Solutions
Octogence is an Information Security service provider which focuses on business-centric security assessment. Our aim is to help organizations be more secure in cyberspace, so that they can stop worrying about data breaches and focus on their business. Our highly qualified, experienced and motivated team aims to provide our clients the service and quality they expect. We have the expertise as well as the flexibility to provide customized solutions depending upon the client’s requirements.
Our Services:
• Web Application Pentesting
• Mobile Application Pentesting
• Network Pentesting
Some companies in which our team has previously discovered vulnerabilities:
Some products we have helped to be more secure:
For any information and support contact:
• Chandan Agarwal, Sales Executive, +91-9971773414, chandan@octogence.com
• Sudhanshu Chauhan, Principal Consultant, +91-9971658929, sudhanshu@octogence.com
*Each logo is the trademark property of its respective owner(s). They appear only for representative and illustrative purposes and do not imply affiliation.
More Related Content

PPTX
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
PPTX
Topic11
PDF
GBS - 8 ways to knockout network headaches
PDF
SD-WAN - comSpark 2019
PDF
Preventing Data Breaches
PPTX
Mobile App Security: Enterprise Checklist
PPTX
LoginCat - Zero Trust Integrated Cybersecurity
PPTX
Zero Trust Networks
Securing IT Against Modern Threats with Microsoft Cloud Security Tools - M365...
Topic11
GBS - 8 ways to knockout network headaches
SD-WAN - comSpark 2019
Preventing Data Breaches
Mobile App Security: Enterprise Checklist
LoginCat - Zero Trust Integrated Cybersecurity
Zero Trust Networks

What's hot (20)

PDF
Securing Your Remote Access Desktop Connection
PDF
PPT
Security Incidents
PDF
Symantec 2011 Social Media Protection Flash Poll Global Results
DOCX
“Verify and never trust”: The Zero Trust Model of information security
PPTX
Information security[277]
PPTX
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
PPTX
Should You Be Automating
PPTX
A holistic approach to risk management 20210210 w acfe france & cyber rea...
PPTX
Microsoft Platform Security Briefing
PDF
Luncheon 2015-11-19 - Lessons Learned from Avid Life Media by Rob Davis
PDF
Generic threats to mobile application
PDF
The Cyber Security Landscape: An OurCrowd Briefing for Investors
PPSX
Thread Legal and Microsoft 365 Security
PDF
Navigating Zero Trust Presentation Slides
PPTX
6 Biggest Cyber Security Risks and How You Can Fight Back
PDF
Emma Aubert | Information Protection
PPTX
Introduction to information security field
PDF
Introduction to Cybersecurity
PPTX
Cyber Security Needs and Challenges
Securing Your Remote Access Desktop Connection
Security Incidents
Symantec 2011 Social Media Protection Flash Poll Global Results
“Verify and never trust”: The Zero Trust Model of information security
Information security[277]
You are Doing IT Security Wrong - Understanding the Threat of Modern Cyber-at...
Should You Be Automating
A holistic approach to risk management 20210210 w acfe france & cyber rea...
Microsoft Platform Security Briefing
Luncheon 2015-11-19 - Lessons Learned from Avid Life Media by Rob Davis
Generic threats to mobile application
The Cyber Security Landscape: An OurCrowd Briefing for Investors
Thread Legal and Microsoft 365 Security
Navigating Zero Trust Presentation Slides
6 Biggest Cyber Security Risks and How You Can Fight Back
Emma Aubert | Information Protection
Introduction to information security field
Introduction to Cybersecurity
Cyber Security Needs and Challenges
Ad

Viewers also liked (20)

PPTX
Quick App Security Testing
PDF
nullcon 2011 - (secure) SiteHoster – Disable XSS & SQL Injection
PDF
125524234-bugcon1-pdf
PDF
Exploiting and analyzing Microsoft Surface Applications
PDF
BackBox Linux e Metasploit: Una dimostrazione pratica del shellshock
PDF
BackBox Linux: Simulazione di un Penetration Test
PDF
Burp Suite - JOpenspace 2016
PPTX
Extending burp with python
PPT
Ch02
PDF
Learn Burp Suite, the Nr. 1 Web Hacking Tool
PPTX
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
PPTX
AppSec USA 2015: Customizing Burp Suite
DOC
VincentChan2016Apr11
PDF
Coding for Hackers - Linux Day 2016
PPTX
DEF CON 23 - Hacking Web Apps @brentwdesign
PDF
Hacking android apps by srini0x00
PDF
Web application penetration testing lab setup guide
PPTX
Your Web Application Is Most Likely Insecure
PDF
Polyglot payloads in practice by avlidienbrunn at HackPra
PPTX
Burp plugin development for java n00bs (44 con)
Quick App Security Testing
nullcon 2011 - (secure) SiteHoster – Disable XSS & SQL Injection
125524234-bugcon1-pdf
Exploiting and analyzing Microsoft Surface Applications
BackBox Linux e Metasploit: Una dimostrazione pratica del shellshock
BackBox Linux: Simulazione di un Penetration Test
Burp Suite - JOpenspace 2016
Extending burp with python
Ch02
Learn Burp Suite, the Nr. 1 Web Hacking Tool
Cusomizing Burp Suite - Getting the Most out of Burp Extensions
AppSec USA 2015: Customizing Burp Suite
VincentChan2016Apr11
Coding for Hackers - Linux Day 2016
DEF CON 23 - Hacking Web Apps @brentwdesign
Hacking android apps by srini0x00
Web application penetration testing lab setup guide
Your Web Application Is Most Likely Insecure
Polyglot payloads in practice by avlidienbrunn at HackPra
Burp plugin development for java n00bs (44 con)
Ad

Similar to Elementary-Information-Security-Practices (20)

ODP
Cyber Security for Financial Institutions
PDF
Measure To Avoid Cyber Attacks
PDF
Measures to Avoid Cyber-attacks
PDF
Advantages and Disadvantages of Network Security.pdf
DOCX
Sample Discussion 1Security is one of the most important fun.docx
DOCX
Sample Discussion 1Security is one of the most important fun.docx
DOCX
5 ways to strengthen cybersecurity in the workplace
PDF
Importance of Secure Coding with it’s Best Practices
PPTX
Security engineering 101 when good design & security work together
PDF
Internet Security Essay
DOCX
Project Quality-SIPOCSelect a process of your choice and creat.docx
PDF
The 14 Most Common Security Risks For SaaS Applications And How To Fix Them.pdf
PDF
Asset Discovery in India – Redhunt Labs
PDF
How Can I Reduce The Risk Of A Cyber-Attack?
PDF
Android Based Total Security for System Authentication
DOCX
Running head Cryptography1Cryptography16.docx
PDF
Web Application Security Testing Guide | Secure Web Apps
PDF
Best Practices for Developing Secure Web Applications
PDF
A Brief Note On Companies And The Largest Ever Consumer...
PDF
IRJET- Password Management Kit for Secure Authentication
Cyber Security for Financial Institutions
Measure To Avoid Cyber Attacks
Measures to Avoid Cyber-attacks
Advantages and Disadvantages of Network Security.pdf
Sample Discussion 1Security is one of the most important fun.docx
Sample Discussion 1Security is one of the most important fun.docx
5 ways to strengthen cybersecurity in the workplace
Importance of Secure Coding with it’s Best Practices
Security engineering 101 when good design & security work together
Internet Security Essay
Project Quality-SIPOCSelect a process of your choice and creat.docx
The 14 Most Common Security Risks For SaaS Applications And How To Fix Them.pdf
Asset Discovery in India – Redhunt Labs
How Can I Reduce The Risk Of A Cyber-Attack?
Android Based Total Security for System Authentication
Running head Cryptography1Cryptography16.docx
Web Application Security Testing Guide | Secure Web Apps
Best Practices for Developing Secure Web Applications
A Brief Note On Companies And The Largest Ever Consumer...
IRJET- Password Management Kit for Secure Authentication

Elementary-Information-Security-Practices

  • 1. Elementary Information Security Practices 2015 A guide to improve Information Security within organization by taking simple steps Octogence http://octogence.com/ ELEMENTARY INFORMATION SECURITY PRACTICES
  • 2. 1 1Elementary Information Security Practices In the last few decades technology has made giant leaps. This has allowed us to progress in many terms and helped organizations to grow. Utilizing the technology, today we are generating more data than ever before, people are sharing it, companies are creating businesses around it and the governments are “accessing it”. Securing this data has become a prime concern for organizations as well as individuals. Information Security is no more just a technical issue but is a serious business concern. The process of information security follows a multi-step cycle which includes many phases, each one of which is critical. Many organizations fail to understand this and feel safe by depending upon individual element(s) from this cycle. This guide is developed and designed to help organizations become more secure by taking pragmatic steps. The ideas and methods discussed in this guide would allow any organization and individual to make its IT infrastructure safer. Most of the mentioned tools and techniques do not cost anything yet contribute in making the virtual space more secure. This should not be taken as a silver bullet but as something which is good to have without spending much $$$. The reason for creating this guide is to help organizations and individuals identify common mistakes and their mitigation quickly. The common reason that people don’t take steps for IT security is that they are not aware of the issues at the first place, for example some Administrators may not be aware that using WEP for Wi-Fi networks is not a good idea or how an attacker might be able to pivot to the internal network from a compromised host. Here we talk about some basic steps which would certainly be helpful in making the virtual environment safer. The guide is divided into different section for easy navigation and only contains quick and simple methods for better security.
  • 3. 2 2Elementary Information Security Practices Table of Content 1. Basic Information Security 3 2. Web Application Security 4 3. Network Security 6 4. Mobile Application Security 7 5. Tools of the trade 8 a. Offense 8 b. Defense 9 6. Resources 9 7. About Us 10
  • 4. 3 3Elementary Information Security Practices 1. Basic Information Security Some basic steps which would help to increase the level of security substantially. The steps mentioned do not require much effort to implement yet provide considerable protection against common attacks.  Passwords are the keys to the kingdom, as attacker who has been able to extract password of an employee, might leverage it to get deeper into the company IT infrastructure. Utmost care should be taken while handling passwords.  Have strong password policy for employees, clients as well as website and network.  Change default credentials of everything (OS/Software/Devices). So that no one can login into them after a quick Google search.  Do not store employee/client passwords.  If storing passwords is a business requirement salt and hash them.  Use rate limiting techniques to slow down attackers.  Handling and storing sensitive data is a business requirement for many organizations. Handle this with care. Encrypt all sensitive information, so that it becomes worthless for attackers even if they access it, unless they also have access to the key(s).  Encoding is not equal to Encrypting. Many developers simply utilize encoding schemes such as Base64 which can be easily decoded.  Instead of creating own encryption algorithm, use the available solutions as they are much reliable and time tested.  Use encryption softwares like BitLocker to encrypt sensitive information on employee machines.  When transporting sensitive information, use a secure channel (HTTPS). This will help against attackers sniffing the traffic.  Many times attackers are able to get inside a host/network because of outdated softwares which contain vulnerabilities. Update everything possible (OS/Software/Devices) regularly.
  • 5. 4 4Elementary Information Security Practices  Do not rely only on vendors. Sometimes vendors take a long time to provide patch for vulnerabilities in their product, till then take preventive measures against such issues, through virtual patching or patch provided by the community (trusted source).  The weakest link in the chain of security is Human. Many attackers directly target the employees of the organization to get into the network. Conduct security awareness training for employees.  Demonstrate why no one should plug-in any device (pendrive, SDcard etc.) they found in the parking lot or click on links and popups from untrusted sources. Attackers try to lure people into plugging such malware containing devices to the internal network or utilize client side attacks through crafter links in emails.  Through engaging exercises show how attackers use different Phishing techniques to get sensitive data (credentials, CC details etc.) from people. Most of these emails and pages are crafted according to the target after going through their social network profiles and understanding their likes and dislikes.  Always remember any information is Critical Information for an attacker and he/she might use it against you. 2. Web Application Almost every organization and many individuals have a website today. It allows us to showcase information about us, share knowledge and provides medium to connect. Many services are also provided using websites (eCommerce, Recharge etc.). Security of web applications is important as it might affect client data and surely company reputation.  Minimize the amount of information revealed about the technologies being used, else attackers utilize specific vulnerabilities related to them. Usually such information is present in page source, response headers and metadata in files.
  • 6. 5 5Elementary Information Security Practices  Error messages, DEBUG outputs, Hidden directories, Admin page which contain information about the technologies and structure of the application should be replaced with generic response.  Never trust client supplied data. Many developers trust that users will not submit malicious data and do not take proactive measures against it.  Validate every piece of data send by clients. This helps against vulnerabilities such as Cross Site Scripting, SQL Injection, XML injection etc. Also implement output encoding.  Do not rely on client side validation as they are easy to bypass, enforce them on server side.  Use secure methods to create and maintain a session. Provide new set of cookies after login and timeout a session after no activity for a specific amount of time.  Do not use GET method to transfer sensitive information as they are logged at various places such as Browser history, Firewalls etc.  Utilize tokens for sensitive forms and at proper position. Sometimes developers implement Anti-CSRF tokes in cookies instead of body/header, which makes it worthless.  The tokens used should not be predictable and reusable. The recently discovered vulnerability in Facebook is a good example; the vulnerability allowed any user to use the token from mobile access to delete photos of any user.  Implement strong measures to validate authentication as well as authorization. Many applications simply provide a token without binding it to the session and attackers are able to predict the value of the token for another account of same or higher privilege and hence access it.  Implement anti-automation techniques like CAPTCHA to prevent brute force attacks.  Business logic vulnerabilities are the ones most ignored by developers. These issues usually occur due to the design flaw and are hard to detect using scanners. Examples of such vulnerabilities are price tampering, coupon reuse,
  • 7. 6 6Elementary Information Security Practices negative amount transfer etc. Special attention should be given to such issues during development.  Using encrypted channel is a must when transferring sensitive data. Implement HTTPS to prevent data from getting into the hands of an attacker during transmission between client and server.  Disable methods such as PUT and DELETE if not required.  Sometimes the culprit is not the application but the server hosting it. Patch and update the server and associated technologies to defend against issues such as WEBDAV vulnerability. 3. Network/Host A network is a group of computer systems connected together. Usually corporate networks connect various devices using a broad range of technologies. Each unique system and device which is part of the network brings along new challenges and issues.  Close unnecessary open ports/services on every machine on the network. These ports are used by attackers to get inside and maintain connection. NMAP  Implement lockout after a fixed number of failed attempts for every kind of service login, be it SQL server, SMB, RDP etc.  Update every element of the network (hosts, devices, servers etc.) regularly.  Everyone loves to use internet though Wi-Fi as it provide freedom from wires, but if authentication mechanisms with known security issues are used it also opens doors into the network for attackers. Implementations such as WEP, WPS, MAC filtering are easy to crack/bypass and hence should not be relied upon, instead use WPA2 Enterprise with strong password.  Most of these devices (Wi-Fi access point, router, switch etc.) run different services such as SSH and web applications (which might be vulnerable) with default passwords and allow attackers to get in.
 Machines which are not connected to the internet but only to the internal network should not be ignored, as an attacker might be able to pivot from one network to another.
 Have a password expiry policy which enforces a password change at regular intervals. This limits the useful lifetime of credentials an attacker has already obtained.
 It is possible that attackers already have a foothold in the network through client-side attacks, malware etc. Do not ignore things like rogue services, open ports, connections to suspicious IPs, sudden variations in bandwidth usage, connections during odd hours etc.

4. Mobile Applications

In the past few years mobile applications have become quite popular. They are fun to play with and provide quick access to services through our smartphones, but they also bring security and privacy issues. Mobile apps are complex, as most of them interact with the device as well as a web server, and the variety of platforms makes it harder to identify vulnerabilities.

 If the mobile app talks to web-based services then all the recommendations for web applications apply to it as well, such as validating user input, dealing with information disclosure, transport layer protection etc.
 Mobile apps use different methods to store data on the device, such as SQLite databases, plist files, XML files etc. When storing sensitive information make sure to encrypt it as the requirement demands, bearing in mind that a rooted or jailbroken device gives full access to the file system.
 Do not store credentials on the device.
 Again, encoding is not encrypting. Base64 or similar encodings can be reversed by anyone who can read the file.
 Most devices log/cache data, which might lead to data leakage. Disable these features where possible.
 Do not depend on the device ID for authentication/authorization, as it can be spoofed.
 Mobile platforms also have their own weaknesses, such as the Android backup vulnerability, iOS method swizzling etc.; take appropriate steps to minimize their impact on your app.

5. Tools of the trade

When it comes to security, offense and defense are both important. Here is a list of free tools which can help in the process, but they should be used with care and a basic understanding of what they do. Do not perform any kind of testing without proper authorization, and do not run it against production systems without prior experience.

A. Offense
 Netsparker Community Edition: web vulnerability scanner
 Arachni: web vulnerability scanner
 Burp Suite Free: manual web vulnerability assessment
 Nikto: web server scanner
 SQLMap: SQL injection automation tool
 Nmap: identify open ports, services and much more
 Nessus Home: vulnerability assessment tool
 OpenVAS: vulnerability assessment tool
 Metasploit: penetration testing framework
 Snoop-it: iOS app testing
 iNalyzer: iOS pentesting framework
 iRET: iOS reverse engineering toolkit
 Appie: Android testing environment

Apart from these there are dedicated platforms which bundle tools for assessment, such as
 Kali Linux: network and web application pentesting and forensics
 AppUse: Android app pentesting
 Samurai WTF: web application pentesting
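Before the defensive tools, here is an added example for the indicators listed at the end of the Network/Host section (connections during odd hours, connections to suspicious IPs, sudden bandwidth variations). It is not code from the Octogence guide or from any of the tools above: a small Python (stdlib only) detector that reads per-connection records and flags those indicators. The log format, hostnames, addresses, approved ranges and thresholds are all constructed for the example.

```python
"""Added example (not from the Octogence guide): flag connection records that
match the Network/Host indicators above. Log format, hosts, addresses and
thresholds are constructed for the example."""
import ipaddress
import statistics
from datetime import datetime

# Assumptions for the example: which destinations are expected, what counts as
# working hours, and how far above its own median a host may send before we
# call it a spike. A real deployment derives these from its own environment.
APPROVED_RANGES = [ipaddress.ip_network("10.0.0.0/8"),        # internal
                   ipaddress.ip_network("198.51.100.0/24")]   # hosted services
WORK_HOURS = range(7, 20)   # 07:00-19:59 is normal activity
SPIKE_FACTOR = 10           # bytes_out above 10x the host's median is a spike

# Constructed sample records: one workstation phoning out at 03:14 to an
# unapproved address on port 4444 with far more data than usual.
SAMPLE_LOG = """\
2015-03-02 10:02:11 host=ws-12 dst=10.0.0.5:445 proto=tcp bytes_out=120000
2015-03-02 10:05:40 host=ws-12 dst=10.0.0.5:445 proto=tcp bytes_out=98000
2015-03-02 10:17:03 host=ws-12 dst=198.51.100.20:443 proto=tcp bytes_out=64000
2015-03-02 03:14:07 host=ws-12 dst=203.0.113.9:4444 proto=tcp bytes_out=52000000
garbage line here
2015-03-02 11:30:00 host=fs-01 dst=10.0.0.5:445 proto=tcp bytes_out=250000
2015-03-02 11:31:00 host=fs-01 dst=10.0.0.5:445 proto=tcp bytes_out=240000
2015-03-02 11:32:00 host=fs-01 dst=10.0.0.5:445 proto=tcp bytes_out=255000
"""


def parse(line):
    """Turn 'YYYY-MM-DD HH:MM:SS key=value ...' into a dict; None if malformed."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        rec = {"ts": datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")}
        for kv in parts[2:]:
            key, value = kv.split("=", 1)
            rec[key] = value
        ip, port = rec["dst"].rsplit(":", 1)
        rec["dst_ip"] = ipaddress.ip_address(ip)
        rec["dst_port"] = int(port)
        rec["bytes_out"] = int(rec["bytes_out"])
        return rec
    except (KeyError, ValueError):
        return None           # skip, do not crash the detector on bad input


def analyze(log_text):
    """Return one alert per record that trips any indicator."""
    records = [r for r in (parse(l) for l in log_text.splitlines()) if r]
    # Baseline per host: the median survives a single huge outlier, so the
    # spike itself does not hide inside its own baseline.
    per_host = {}
    for r in records:
        per_host.setdefault(r["host"], []).append(r["bytes_out"])
    median = {h: statistics.median(v) for h, v in per_host.items()}
    alerts = []
    for r in records:
        reasons = []
        if r["ts"].hour not in WORK_HOURS:
            reasons.append("odd_hours")
        if not any(r["dst_ip"] in net for net in APPROVED_RANGES):
            reasons.append("unapproved_destination")
        if r["bytes_out"] > SPIKE_FACTOR * median[r["host"]]:
            reasons.append("bandwidth_spike")
        if reasons:
            alerts.append({"host": r["host"], "ts": r["ts"].isoformat(),
                           "dst": r["dst"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["ts"], a["host"], "->", a["dst"], ", ".join(a["reasons"]))
```

Run on the sample it reports a single record, the 03:14 connection from ws-12, with all three reasons; the lines to the file server and to the approved hosted range stay quiet. The same three checks map directly onto the indicators in the bullet above, and the malformed line shows why a detector must tolerate bad input rather than stop at it.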
B. Defense
 ModSecurity: web application firewall
 Snort: intrusion prevention system
 Avast: antivirus software
 ZoneAlarm: firewall
 HAProxy: load balancer
 CloudFlare: content delivery network
 Secunia PSI: computer security solution

Security Onion is a great platform which bundles many such tools to identify and prevent intrusion attempts.

Defense mechanisms are great to have if configured and utilized properly, yet one should not depend on them 100%, as attackers are aware of them and develop techniques to bypass them: for example, PowerShell scripts are widely used to bypass AV on modern Windows machines, a reverse shell can be used to bypass inbound filters in firewalls, and traffic encapsulation can be used to bypass deep packet inspection.

As stated previously, the aim of this guide is to help organizations and individuals prevent common issues. This is not a comprehensive list, but it provides a basic understanding of some common mitigation steps which should be followed.

6. Resources

Some useful resources which would be helpful in understanding and taking care of Information Security. It includes links to guides, tool lists, videos etc.
 OWASP https://www.owasp.org/index.php/Main_Page
 OWASP Top 10 https://www.owasp.org/index.php/Top_10_2013-Top_10
 OWASP Testing Guide https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
 OWASP Secure Coding Practices https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf
 SANS Top 25 http://www.sans.org/top25-software-errors/
 Security Tools http://sectools.org/
 Beginner's Guide to Pentesting https://averagesecurityguy.files.wordpress.com/2015/01/hack-yourself-first-final.pdf
 SecurityTube http://www.securitytube.net/
7. About Octogence Tech Solutions

Octogence is an Information Security service provider which focuses on business-centric security assessment. Our aim is to help organizations be more secure in cyber space so that they can stop worrying about data breaches and focus on their business. Our highly qualified, experienced and motivated team aims at providing our clients the service and quality they expect. We have the expertise as well as the flexibility to provide customized solutions depending upon client requirements.

Our Services:
 Web Application Pentesting
 Mobile Application Pentesting
 Network Pentesting

Some companies in which our team has previously discovered vulnerabilities: [logos]

Some products we have helped to be more secure: [logos]

For any information and support contact:
 Chandan Agarwal, Sales Executive, +91-9971773414, chandan@octogence.com
 Sudhanshu Chauhan, Principal Consultant, +91-9971658929, sudhanshu@octogence.com

*Each logo is the trademark property of its respective owner(s). They appear only for representative and illustrative purposes and do not reflect affiliation.