Session vs Cookie


A session is state kept on the server (in memory, in files or in a database) for one logged-in user; a cookie is a small piece of data the server asks the browser to store and send back with every request to that site. A session is found again through a unique, unguessable identifier that maps to the user's server-side state. That identifier can be carried in the URL or stored in a session cookie.

Most modern sites take the second approach and keep the identifier in a cookie rather than in the URL (URLs end up in browser history, proxy logs and Referer headers, so an identifier in a URL leaks easily). You are probably using this approach without knowing it. Note that deleting the cookie does not erase the matching session: it only removes your copy of the identifier, and the server-side session stays valid until it expires or the application destroys it. Anyone who captured the identifier earlier can keep using it in the meantime, which is why logout must invalidate the session on the server rather than merely clear the cookie.
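As an added example, not code from the original page: the server side of a cookie-carried session in plain Python, standard library only. The in-memory store, the cookie name sessionid and the user alice are assumptions for illustration; a real deployment keeps the store in Redis or a database. It shows the random identifier, the cookie flags, and the point made above: a client that discards its cookie leaves the server-side session alive, so logout has to destroy it on the server.

```python
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "sessionid"   # assumed name; the browser only ever holds this opaque handle, never user data


class SessionStore:
    """Server-side session state keyed by a random identifier (in-memory stand-in for Redis/DB)."""

    def __init__(self, ttl_seconds=1800, clock=time.time):
        self._sessions = {}
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be exercised without sleeping

    def create(self, user_id):
        # 32 bytes from the OS CSPRNG: unguessable and unique, unlike a counter or a hash of the username.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user_id": user_id, "expires": self.clock() + self.ttl}
        return sid

    def lookup(self, sid):
        """Return the session dict, or None if unknown or expired (expired entries are purged)."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self.clock() > session["expires"]:
            del self._sessions[sid]
            return None
        return session

    def destroy(self, sid):
        """Server-side logout. This, not the client deleting its cookie, is what ends the session."""
        return self._sessions.pop(sid, None) is not None

    def active_count(self):
        return len(self._sessions)


def set_cookie_header(sid):
    """Build the Set-Cookie value that hands the identifier to the browser with the usual hardening."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    morsel = cookie[COOKIE_NAME]
    morsel["httponly"] = True      # not readable by page JavaScript, which limits what XSS can steal
    morsel["secure"] = True        # only sent over HTTPS
    morsel["samesite"] = "Lax"     # not attached to cross-site POSTs (CSRF mitigation)
    morsel["path"] = "/"
    return morsel.OutputString()


def sid_from_cookie_header(cookie_header):
    """Extract the session identifier from a request's Cookie header, or None if absent."""
    cookie = SimpleCookie()
    cookie.load(cookie_header or "")
    morsel = cookie.get(COOKIE_NAME)
    return morsel.value if morsel else None


def walkthrough():
    """Login, the client dropping its cookie, then a proper server-side logout."""
    store = SessionStore()
    sid = store.create("alice")                       # login: server stores state, issues an id
    header = set_cookie_header(sid)
    user = store.lookup(sid_from_cookie_header(f"{COOKIE_NAME}={sid}"))["user_id"]

    # The client "deletes its cookies": it simply stops sending the identifier.
    still_stored = store.active_count()               # 1: the server-side session is intact
    replayable = store.lookup(sid) is not None        # True: a captured id still works
    store.destroy(sid)                                # real logout
    after_logout = store.lookup(sid)                  # None
    return header, user, still_stored, replayable, after_logout
```

Run walkthrough() to see the sequence; the returned header is what the login response would carry, and the still_stored/replayable values are the behaviour the paragraph above warns about.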

For information on how to securely implement Session and Cookie Management, please refer to https://www.owasp.org/index.php/Session_Management_Cheat_Sheet

http://stackoverflow.com/questions/359434/differences-between-cookies-and-sessions


Digital Certificate Authority (CA)

In cryptography, a Certificate Authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made by the private key that corresponds to the certified public key. In this model of trust relationships, a CA is a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate.

Public CA

Public CAs are entities that issue SSL/TLS certificates for publicly resolvable domain names whose control the requester can demonstrate. Well-known public CAs include Comodo (now Sectigo), GoDaddy, GlobalSign and DigiCert; Symantec's CA business, once one of the largest, was distrusted by the major browsers in 2018 and sold to DigiCert. The level of validation the CA performs on the domain and its owner depends on the type of certificate issued.

The Domain Validated (DV) SSL certificate proves only that the requester controls the domain: the CA checks that the domain is registered and that someone with administrative control is aware of and approves the request. Validation is normally performed via e-mail or DNS: the owner proves control by receiving and confirming a message sent to an administrative address for the domain, or by publishing a CA-specified DNS record (publishing a CA-specified file over HTTP is the third common method).

The Organization Validated (OV) SSL certificate validates domain control plus the organization details included in the certificate, such as name, city, state and country. The validation process is similar to that of a DV certificate, but it requires additional documentation to establish the company's identity.

The Extended Validation (EV) SSL certificate requires an extended vetting of the business. It validates domain control and organization details, plus the legal existence of the organization, and confirms that the organization is aware of the certificate request and approves it. The validation requires documentation certifying the company's identity plus a set of additional steps and checks.

Public CAs may no longer issue certificates for internal names (hostnames that do not resolve in public DNS, such as intranet or server1.local) or for reserved IP addresses; the CA/Browser Forum Baseline Requirements ended such issuance in 2015 because those names are not unique and their ownership cannot be validated. Internal servers should therefore use certificates issued by an internal CA or, for very small deployments, self-signed certificates. An internal host under a domain you own publicly (for example app.corp.example.com) can still receive a publicly trusted certificate, since the parent domain can be validated, at the cost of the hostname appearing in public Certificate Transparency logs.

Internal CA

Establishing an internal CA is the way to go for giving a seamless digital identity to the server programs, client programs, Active Directory objects and so on in your organization. An internal CA has a root certificate that is trusted by every object in the organization (distributed, for example, through Group Policy on Windows), and that root, or an intermediate CA certificate signed by it, is used to sign the individual certificates allocated to each object. The root key is the crown jewel: keep it offline or in an HSM and issue day-to-day certificates from an intermediate, because whoever holds the root key can mint a trusted certificate for any internal name.

Self-Signed Certificates

If your organization is not large enough to justify an internal CA, you can issue self-signed certificates for internal SSL/TLS communication. When party A talks to party B, B must explicitly trust A's self-signed certificate and vice versa; how that trust is established depends on the platform on which A and B run (an entry in the platform trust store, a pinned fingerprint in the client configuration, and so on). The cost is that every new certificate, and every renewal, has to be distributed to every peer by hand, and there is no revocation: a compromised self-signed certificate stays trusted until each peer is reconfigured. That is why a small private CA usually becomes the better choice as soon as more than a handful of systems are involved.
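As an added example covering both the internal CA and the self-signed cases above, and not code from the original page: an internal root CA and a server certificate built with the third-party cryptography package (pip install cryptography), followed by the checks a relying party performs on the result. The CA name, the hostname intranet.example.internal, the lifetimes and the use of that package are assumptions for illustration. The verify function spells out what "trusting the root" means in practice: the leaf's issuer must be the anchor, the anchor must be marked as a CA, the signature must verify under the anchor's key, the dates must be current, and the hostname must appear in subjectAltName.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509                          # assumption: third-party package installed
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _now():
    return datetime.now(timezone.utc)


def make_root_ca(name="Example Internal Root CA", days=3650):
    """Self-signed certificate whose basicConstraints marks it as a CA: the trust anchor
    that every client in the organization must be configured to trust."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)                           # issuer == subject: self-signed
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - timedelta(minutes=5))
        .not_valid_after(_now() + timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .add_extension(x509.KeyUsage(digital_signature=False, content_commitment=False,
                                     key_encipherment=False, data_encipherment=False,
                                     key_agreement=False, key_cert_sign=True, crl_sign=True,
                                     encipher_only=False, decipher_only=False), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_server_cert(ca_key, ca_cert, hostname, days=397):
    """Leaf certificate for one server, signed by the CA key. The hostname goes into
    subjectAltName, which is what browsers match; the CN alone is ignored by them."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - timedelta(minutes=5))
        .not_valid_after(_now() + timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def _validity(cert, which):
    # cryptography >= 42 exposes tz-aware *_utc properties; fall back to the older naive ones.
    value = getattr(cert, which + "_utc", None)
    return value if value is not None else getattr(cert, which).replace(tzinfo=timezone.utc)


def verify_server_cert(leaf, trust_anchor, hostname, now=None):
    """The checks a TLS client makes for a one-level chain. Returns (ok, reason)."""
    now = now or _now()
    if leaf.issuer != trust_anchor.subject:
        return False, "issuer is not the trusted CA"
    if not trust_anchor.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
        return False, "trust anchor is not a CA certificate"
    try:  # was the to-be-signed part really signed with the anchor's private key?
        trust_anchor.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                         padding.PKCS1v15(), leaf.signature_hash_algorithm)
    except InvalidSignature:
        return False, "signature does not verify under the CA key"
    if not _validity(leaf, "not_valid_before") <= now <= _validity(leaf, "not_valid_after"):
        return False, "outside validity period"
    try:
        names = leaf.extensions.get_extension_for_class(
            x509.SubjectAlternativeName).value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        return False, "no subjectAltName"
    if hostname not in names:
        return False, f"hostname {hostname!r} not in subjectAltName {names}"
    return True, "ok"


def to_pem(cert):
    """PEM text of a certificate, i.e. the form in which the root is distributed to clients."""
    return cert.public_bytes(serialization.Encoding.PEM).decode()
```

A second CA with the same name but a different key fails at the signature check, which is the whole point of the exercise: the name on a certificate means nothing, the key that signed it is what the trust store vouches for.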

References:

http://www.davidpashley.com/articles/becoming-a-x-509-certificate-authority/

http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/

http://security.stackexchange.com/questions/82884/clarifying-self-signed-certificates-vs-root-certificate-authority

http://stackoverflow.com/questions/292732/self-signed-ssl-cert-or-ca

http://stackoverflow.com/questions/20894868/are-certificates-useful-for-intranet-ssl

http://stackoverflow.com/questions/4024393/difference-between-self-signed-ca-and-self-signed-certificate

https://www.digicert.com/internal-names.htm

https://blog.secureideas.com/2013/06/ssl-certificates-setting-up-and.html

https://technet.microsoft.com/en-us/library/cc700805.aspx


Encryption for Portable Hard Disks

Encryption for Portable Hard Disks for Huge Data Transfer

Full-disk encryption of a portable drive can be achieved with BitLocker (BitLocker To Go for removable drives) on Windows or FileVault on macOS (for an external drive, the Encrypt option in Finder or Disk Utility, which creates an encrypted volume). Please refer to this link: https://answers.syr.edu/display/software/Encrypting+your+external+hard+drive+on+Windows+and+OSX . Two points matter when the disk is used to move data between parties: the recovery key must be stored separately, never on or with the disk, and the passphrase must reach the recipient over a different channel from the disk itself.

Further References:

http://www.tomsguide.com/faq/id-2318734/encrypt-portable-hard-drive.html

https://technet.microsoft.com/en-us/library/ee706531(v=ws.10).aspx

http://lifehacker.com/a-beginners-guide-to-encryption-what-it-is-and-how-to-1508196946

http://lifehacker.com/five-best-file-encryption-tools-5677725


Business Owner vs IT Manager (Application Management Responsibilities)

The roles of Application Business Owner and Application IT Manager are often not clearly defined within an organization, or not well understood. Defining these two roles is essential to ensure that responsibility and accountability for the management of an IT application are placed appropriately.

Application Business Owner Accountabilities

  • Determine Business Criticality, Recovery Time Objective (RTO) and Recovery Point Objective (RPO).
  • Data Ownership – Identify, Classify and Protect Data.
  • Application Access Control Ownership – Ensure that access to the application, on both the Business and IT side, follows the Need-To-Have principle.
  • Responsible for the Application’s Information Security Governance and Control and Regulatory Compliance.

Application IT Manager Responsibilities

  • Implement IT controls to Protect Data.
  • Ensure that access to the application, on the IT side, follows the Need-To-Have principle.
  • Support the Application Business Owner by providing oversight of IT implementation and processes.

 


Virtual Private Network

VPN (Virtual Private Network)

A virtual private network (VPN) extends a private network across a public network, such as the Internet. It enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network, and thus are benefiting from the functionality, security and management policies of the private network. A VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunneling protocols, or traffic encryption.

A VPN spanning the Internet is similar to a wide area network (WAN). From a user perspective, the extended network resources are accessed in the same way as resources available within the private network. Traditional VPNs are characterized by a point-to-point topology, and they do not tend to support or connect broadcast domains. Therefore, communication, software, and networking, which are based on OSI layer 2 and broadcast packets, such as NetBIOS used in Windows networking, may not be fully supported or work exactly as they would on a local area network (LAN). VPN variants, such as Virtual Private LAN Service (VPLS), and layer 2 tunneling protocols, are designed to overcome this limitation.

VPNs allow employees to securely access the corporate intranet while traveling outside the office. Similarly, VPNs securely connect geographically separated offices of an organization, creating one cohesive network. VPN technology is also used by individual Internet users to secure their wireless transactions, to circumvent geo-restrictions and censorship, and to connect to proxy servers for the purpose of protecting personal identity and location.

Why Use VPN?  What is the most frequent Use-Case of a VPN?

Imagine you check in to a hotel in China. The hotel may provide a Wi-Fi service. Traffic from your phone or laptop may easily be eavesdropped on by other "fellow" tourists, or by a criminal who has planted a sniffing tool on the hotel premises. On top of that, the hotel itself may run a proxy server or gateway through which all Internet traffic from the rooms must pass before it is routed to the public Internet. That proxy can inspect all your unencrypted traffic. Some hotels go further and attempt a man-in-the-middle of your SSL/TLS sessions: when you visit https://www.google.com/ you are presented with a certificate issued by the hotel's proxy rather than Google's. Unless the hotel's CA certificate has been installed on your device, your browser will warn you; if you click through the warning, or the device is managed and the CA has been pushed to it, the proxy can read and modify all your SSL/TLS traffic.

The practical protection in such a scenario is a VPN. All traffic from your mobile or laptop is encrypted and carried through the tunnel to the VPN server, which decrypts it and releases it onto the public Internet, away from the prying eyes and ears in the hotel. Be clear about what this does and does not buy you: the hotel now sees only an encrypted tunnel to one endpoint, but the VPN provider sees everything the hotel would have seen, so you have moved trust rather than removed it, and traffic between the VPN server and the destination is protected only if the application itself uses TLS.

OpenVPN

OpenVPN is an open-source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange. It is capable of traversing network address translators (NATs) and firewalls. It is published under the GNU General Public License (GPL).

OpenVPN allows peers to authenticate each other using a pre-shared static key, X.509 certificates, or username/password. In a multi-client server configuration the server verifies each client's certificate against the CA that issued it, and the client should likewise verify that the server's certificate was issued by that CA and is a server certificate rather than another client's. It uses the OpenSSL library extensively and contains many security and control features.
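As an added example, not code from the original page or from the OpenVPN project: a lint pass over an OpenVPN client profile for the options that decide whether the client actually authenticates the server rather than merely the CA. Both profiles embedded below are constructed for illustration, and vpn.example.net, the file names and the findings' wording are assumptions; the option names themselves are OpenVPN's.

```python
# Constructed weak profile: the client trusts the CA, but nothing says the peer must be *the server*,
# the control channel carries no pre-shared key, and the data channel uses a 64-bit-block cipher.
WEAK_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
ca ca.crt
cert client.crt
key client.key
cipher BF-CBC
auth-user-pass
"""

# Constructed hardened form of the same profile.
HARDENED_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
verify-x509-name vpn.example.net name
tls-crypt tc.key
tls-version-min 1.2
data-ciphers AES-256-GCM:AES-128-GCM
auth-user-pass
auth-nocache
"""

# 64-bit block ciphers (SWEET32) and the "no encryption" setting.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}


def parse_profile(text):
    """Map each option name to the list of argument lists it appears with.
    Lines starting with '#' or ';' are comments, as in OpenVPN's config syntax."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        name, *args = line.split()
        options.setdefault(name, []).append(args)
    return options


def lint_profile(text):
    """Return a list of findings; an empty list means the profile passes these checks."""
    opts = parse_profile(text)
    findings = []
    if not any(args[:1] == ["server"] for args in opts.get("remote-cert-tls", [])):
        findings.append("no 'remote-cert-tls server': any certificate the CA issued, "
                        "including another client's, would be accepted as the server")
    if "verify-x509-name" not in opts:
        findings.append("no 'verify-x509-name': the server certificate's name is not checked")
    if not any(k in opts for k in ("tls-crypt", "tls-crypt-v2", "tls-auth")):
        findings.append("no 'tls-crypt'/'tls-auth': control channel accepts unauthenticated packets")
    if "tls-version-min" not in opts:
        findings.append("no 'tls-version-min': legacy TLS versions allowed")
    for args in opts.get("cipher", []):
        if args and args[0].upper() in WEAK_CIPHERS:
            findings.append(f"weak data-channel cipher '{args[0]}'")
    if "auth-user-pass" in opts and "auth-nocache" not in opts:
        findings.append("'auth-user-pass' without 'auth-nocache': password kept in process memory")
    return findings
```

The first finding is the one that matters most for the paragraph above: with only a CA directive, the client checks that the peer's certificate chains to the CA, and every other client's certificate also does, so a fellow VPN user could stand in for the server. remote-cert-tls server requires the server's certificate to carry the serverAuth extended key usage, and verify-x509-name ties it to a specific name.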

VPN Services

There are many VPN service providers to choose from.

An example – Private Tunnel VPN service is a commercial VPN service built on the OpenVPN platform. At the time of writing they provided a free tier of up to 500 MB, and their charging model is based on the amount of data transferred rather than a monthly recurring fee. Paying per GB can be a very useful arrangement for those who only need intermittent secure Internet connections.

References:

https://en.wikipedia.org/wiki/Virtual_private_network

https://en.wikipedia.org/wiki/OpenVPN

https://openvpn.net/index.php/open-source/333-what-is-openvpn.html

http://lifehacker.com/5940565/why-you-should-start-using-a-vpn-and-how-to-choose-the-best-one-for-your-needs

http://www.techradar.com/news/networking/wi-fi/why-you-should-avoid-hotel-wi-fi-like-the-plague-1292555/2


IT System Controls (High Level)

IT System Controls

  1. Identification of Business Owner and IT Manager.
  2. Assessment of Business Criticality of the System.
  3. MAS TRM Checklist should be completed by the Service Provider team for compliance with the MAS Technology Risk Management Guidelines. This should be answered from the perspective of the Service Provider team and is intended to measure the Service Provider's own internal controls.
     http://www.mas.gov.sg/~/media/MAS/Regulations%20and%20Financial%20Stability/Regulatory%20and%20Supervisory%20Framework/Risk%20Management/TRM_Checklist.xlsm
  4. MAS Outsourcing Technology Questionnaire should be completed by the Outsourcer/Business Owner together with the Service Provider.
     http://www.mas.gov.sg/~/media/MAS/Regulations%20and%20Financial%20Stability/Regulatory%20and%20Supervisory%20Framework/Risk%20Management/Technology%20Questionnaire%20for%20Outsourcing%202015.docx
  5. Data Flow Diagram showing component-to-component data flow and interfaces with other IT systems should be created, and the data transfer protocols should be identified. Secure protocols should be used for data transfer.
  6. Confidential Data should be encrypted in storage (database or SAN level encryption) and in transit (both external and internal connections).
  7. Functional/Non-Functional Specifications Document should be created.
  8. IT Risk Assessment should be initiated and completed.
  9. Multi-Factor Authentication for access over the Internet and for privileged access should be implemented.
  10. Penetration Testing (network level and application level white-box testing) should be performed for Internet-facing components.
  11. Datacenter and Operations Center Inspection.
  12. Datacenter TVRA (Threat, Vulnerability and Risk Assessment).
  13. PDPA Compliance – sign-off from the Data Protection Officer once compliance is achieved.
  14. Cross-Border Data Transfer/Access Regulatory Compliance – sign-off from the Compliance team after their clearance.
  15. Source Code Security Reviews for Sensitive Modules – particularly modules dealing with authentication, transactions and customer confidential data.
  16. Controls surrounding Application Business Roles and Access – should be implemented by the Business Owner.
  17. Controls surrounding Application IT Roles and Access – should be implemented by the IT Application Manager.
  18. Controls surrounding Platform IT Roles and Access – should be implemented by the IT Infrastructure Manager.
  19. Application Password Controls – comply with the Password Guidelines.
  20. Transaction Signing.
  21. IT Architecture Standards should be met.
  22. Data Loss Prevention Solutions – endpoint controls should be implemented by the Service Provider.
  23. Source Code Ownership/Escrow Arrangements – should be discussed and agreed by the Business.
  24. MAS Reporting for Relevant Incidents – establish processes to meet the regulatory requirement to report to MAS within 1 hour for security incidents (if the system contains customer PII) or system malfunction (if the application is classified as MAS Critical).
  25. IT Control Enforcement through Legal Contract Clauses – a legal contract should be established which enforces the applicable IT controls, SLAs, incident reporting timelines, etc.

 


Penetration Testing Scope – Best Practices

Penetration Testing Scope – Application Server-Side

  • Information Leakage – Tests should detect what the system volunteers about itself: verbose banners and version strings, stack traces and error pages, directory listings, and comments or metadata in responses.
  • Business Logic – Mistakes in implementing business logic (skipped workflow steps, negative quantities, replaying a one-time action) can lead to security holes that scanners do not find.
  • Authentication – Authentication testing should ensure that the security requirements (credential expiry, revocation, reuse, lockout etc.) are implemented correctly and that security functions and cryptographic keys are robustly protected.
  • Authorization – Tests should verify that the security access matrix is enforced in all permutations, both horizontally (one user reaching another user's data) and vertically (a normal user reaching administrative functions).
  • Input Data Validation – Proper data validation should include the following:
    • Every input to the application should be validated on the server, regardless of any client-side checks.
    • All forms of data (text boxes, select boxes, hidden fields, headers, cookies and uploaded files) should be checked.
    • The handling of null and incorrect data input should be verified.
    • Content formatting should be checked.
    • Maximum length for each input field should be validated.
  • Exception / Error Handling – A system failure must not leak sensitive information (stack traces, SQL text, internal paths).
  • Session Management – To ensure secure session management, the following conditions should be verified:
    • Sensitive information is not stored in cookies; where that is unavoidable it is encrypted and integrity-protected, and the session cookie carries the Secure and HttpOnly flags.
    • The session identifier is random and unique.
    • The session expires after a pre-defined length of time, is invalidated on the server at logout, and the identifier is renewed after login.
  • Cryptography – The implementation of cryptography must be rigorously tested, covering all cryptographic functions (encryption, decryption, hashing, signing) and key management procedures (generation, distribution, installation, renewal, revocation and expiry).
  • Vulnerability Testing – Testing against common vulnerabilities such as the OWASP Top Ten.

Penetration Testing Scope – Mobile App/Client

  • Environmental Analysis – Business case surrounding the application will be studied.
  • Architectural Analysis
  • Static Analysis
  • Dynamic Analysis
  • File System Analysis

Penetration Testing Scope – Network

  • Information gathering
  • Network Surveying
  • Port Scanning
  • System and Service Scanning
  • Vulnerability Assessment
  • Platform misconfiguration
  • Patch Management
  • Authentication Mechanisms

 


Security Incident Management Resources

Security Incident Management / CERT (Computer Emergency Response Team) resources from ENISA (the European Union Agency for Network and Information Security) are free and can be found at https://www.enisa.europa.eu/activities/cert/training/training-resources/resources

Other resources and certifications, which are paid, include the following:

GCIH (GIAC Certified Incident Handler) – http://www.giac.org/certification/certified-incident-handler-gcih

ECIH (EC-Council Certified Incident Handler) – http://www.eccouncil.org/Certification/ec-council-certified-incident-handler


Active Directory and LDAP

https://en.wikipedia.org/wiki/Directory_service

What is a Directory Service?  What is its relationship with LDAP?

The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.  Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications throughout the network.  As examples, directory services may provide any organized set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a telephone directory is a list of subscribers with an address and a phone number.

LDAP vendors:

  • OpenLDAP (OpenLDAP public license) http://www.openldap.org
  • SunOne (iPlanet) Directory Server
  • Novell’s eDirectory
  • IBM Directory Server
  • Microsoft Active Directory
  • Innosoft
  • Lotus Domino
  • Nexor
  • Critical Path

 

Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management. Starting with Windows Server 2008, however, Active Directory became an umbrella title for a broad range of directory-based identity-related services.

A server running Active Directory Domain Services (AD DS) is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain type network—assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or normal user.

Active Directory uses Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft’s version of Kerberos, and DNS.

References:

 

http://stackoverflow.com/questions/663402/what-are-the-differences-between-ldap-and-active-directory

https://technet.microsoft.com/en-us/library/bb463152.aspx

http://coewww.rutgers.edu/www1/linuxclass2003/lessons/lecture8.html


Privacy vs Secrecy

Privacy is a natural right.

"I don't care about privacy because I have nothing to hide" is like saying "I don't care about free speech because I have nothing to say".

Privacy and secrecy are different. Secrecy ensures that nobody knows the content that is secret (example: a company's merger plans before they are announced). Privacy ensures that certain content is not made available to the public, even though parts of it may be known to some people (example: a person's Social Security number, marital status, place of birth, number of children, etc.).
