Application Security Terminology -Basic

Fundamental Security Objectives

The fundamental and core goals of information security domain are to:

1. Ensure confidentiality of information
2. Ensure Integrity of the data always
3. Ensure Availability of information as and when required

All security controls, mechanisms, and safeguards are implemented to provide one or more of these protection types, and all risks, threats, and vulnerabilities are measured for their potential capability to compromise one or all of the AIC principles

Confidentiality

It ensures that the required level of secrecy is enforced at each stage of data processing and prevents unauthorized disclosure. This level of secrecy should prevail while data resides on systems and devices within the network, as it is transmitted, and once it reaches its destination

To ensure confidentiality, application designers and developers has to adopt and implement mechanisms to identify and protect sensitive data in the application data management.

Few ways how confidentiality can be compromised:

1. Network sniffing
2. Breaking encryption
3. Social engineering
4. Gaining unauthorized access to data

Few protection mechanisms include:

1. Encrypting sensitive data during transmission and at rest
2. Hashing and salting the user passwords
3. Enacting access controls
4. Masking the credit card numbers when displaying in a web page.
5. Classifying data and enforcing controls

Integrity

Integrity means that data or information in your system is maintained so that it is not modified or deleted by unauthorized parties.

Software, hardware, and communication mechanisms must work in coordination to maintain and process data correctly and to transfer data to correct destinations without unwanted changes. The data processing systems and communications networks must be shielded against manipulation and outside intervention.

Few ways integrity can be compromised:

1. Malicious modification of data by hackers
2. Logic bombs
3. Backdoors

Ensuring Integrity:

1. Ensuring strict access controls
2. Version controls
3. Checksums
4. Digital signatures
5. Implementing intrusion detection systems
6. Data backups
7. Audit trails

Availability

The final component of the CIA Triad is availability. It means that systems and data are available to authorized individuals when they need it and under any circumstances, including power outages or natural disasters.

Without availability, even if you have met the other two requirements of the CIA Triad, your business can be negatively impacted.

Few ways availability can be compromised:

1. DoS/DDOS attacks
2. Ransomware

Ensuring Availability:

1. Redundant networks, servers and applications for failover
2. Clustering of the servers/services
3. Load Balancing between multiple servers
4. Backups of the servers
5. DDOS detection and prevention firewalls

Data Classification

Data classification, or categorization, is the process of grouping subjects, objects, and so on into groups, categories, or collections with similarities. These similarities are mostly based on various parameters such as value, cost, sensitivity, risk, vulnerability, privilege, possible levels of loss or damage, or need to know basis.

Data classification schemes’ main goal is to categorize and standardize the process of data security based on labels for importance and sensitivity.

Data classification is applied to provide/define security mechanisms for storing, processing, and transferring data.

The criteria by which data is classified is based on the organization performing the classification according to the nature of the business.

Popular common data classification schemes:

Government/military classification

High	Top Secret
	Secret
	Confidential
	Sensitive but unclassified
Low	Unclassified

• Top Secret Top secret is the highest level of classification for government information. It is used to protect information that could cause exceptionally grave damage to national security if it were disclosed without authorization. Top secret information is compartmentalized, which means that only those who have a specific need to know about it are granted access. Even someone with top secret clearance may not have access to all top secret information.
• Secret Secret is the second-highest level of classification for government information. It is used to protect information that could cause serious damage to national security if it were disclosed without authorization. Examples of secret information include plans for military operations, information about foreign intelligence operations, and scientific research that could be used to develop weapons of mass destruction
• Confidential Confidential is the third-highest level of classification for government information. It is used to protect information that could cause serious damage to national security if it were disclosed without authorization. Examples of confidential information include trade secrets, financial data, and diplomatic communications.
• Sensitive But Unclassified Sensitive but unclassified (SBU) information is information that is not classified but that is still sensitive and should be kept private. It is often used to protect information that could violate the privacy rights of individuals. SBU is not a classification label, but rather a marking or label used to indicate how the information should be used or managed.
• Unclassified Un-classified information is information that is not sensitive and does not pose a threat to national security. It can be disclosed to the public without any risk of harm. Unclassified is not a classification label, but rather a marking or label used to indicate how the information should be used or managed.

Business/Non-Government

Business/Non-Government sector classification systems can vary widely because they typically do not have to adhere to a standard or regulation.

High	Confidential	Private
	Sensitive
Low	Public

• Confidential Confidential information is the most sensitive type of information and should only be shared with authorized individuals. If confidential information is disclosed, it could have a significant negative impact on a company.
• Private Private data is information that is personal or confidential and should only be shared with authorized individuals. If private data is disclosed, it could have a significant negative impact on the company or individuals involved.
• Sensitive Sensitive data is information that is more confidential than public data. If it is disclosed, it could have a negative impact on the company.
• Public Public data is information that is not confidential and can be shared with anyone. Its disclosure does not have a serious negative impact on the organization.

Personally identifiable information, PII

PII stands for Personally Identifiable Information. It is any information that can be used to identify a specific individual, such as their name, address, Social Security number, or date of birth. PII is often used by businesses and government agencies to track individuals, provide them with services, or comply with regulations

PII can be a valuable asset for businesses, but it can also be a liability. If PII is lost or stolen, it can be used by criminals to commit identity theft, fraud, or other crimes. Businesses and government agencies must take steps to protect PII from unauthorized access, use, disclosure, or destruction.

The definition of the National Institute of Standards and Technology (NIST) explains PII as:

“Any information about an individual maintained by an agency, including
(1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and
(2) Any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”

Few Examples of PII:

1. Credit card number
2. Social security number (SSN)
3. Biometric data: fingerprints, retina scans, or voice signature
4. Medical records
5. Address information
6. Full Name
7. Email address
8. Personal telephone number
9. Login data
10. Passport number
11. Driver’s license number

Protected Health Information PHI

PHI stands for Protected Health Information. It is any information about an individual’s health status or payment for health care that is created or maintained by a covered entity. Covered entities are health care providers, health plans, and health care clearinghouses.

PHI can be in a variety of forms, including paper records, electronic records, and oral communications. It can include information such as a patient’s name, date of birth, Social Security number, medical history, and treatment information.

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy and security of PHI. HIPAA requires covered entities to take steps to protect PHI from unauthorized access, use, disclosure, and destruction.

In order for health data to be considered PHI and regulated by HIPAA it needs to be two things:

Personally identifiable to the patient
Used or disclosed to a covered entity during the course of care

Examples of PHI:

• Billing information from your doctor
• Appointment scheduling note with your doctor’s office
• An MRI scan
• Blood test results
• Phone records

Examples of health data that is not considered PHI:

• Number of steps in a pedometer
• Number of calories burned
• Blood sugar readings w/out personally identifiable user information (PII) (such as an account or user name)
• Heart rate readings w/out PII

Threats

Cybersecurity threats are the likelihood of a cyberattack occurring. A cyberattack is an intentional and malicious attempt by an attacker to gain access to a computer system or network, steal data, or disrupt operations. Attackers may be motivated by a variety of factors, including information theft, financial gain, espionage, or sabotage.

The major types of information security threats are:

1. Malware attack
2. Social engineering attacks
3. Distributed denial of service (DDoS)
4. Software supply chain attacks
5. Advanced persistent threats (APT)
6. Man-in-the-middle attack (MitM)
7. Password attacks

Asset

In the context of information security, an asset is anything that should be protected.

An asset can be a computer file, a network service, a system resource, a process, a program, a product, an IT infrastructure, a database, a hardware device, furniture, product recipes/formulas, intellectual property, personnel, software, facilities, and so on.

An asset is anything that an organization values and considers important enough to protect. Assets can be tangible, such as physical property, or intangible, such as intellectual property. The loss or disclosure of an asset can have a significant impact on an organization including:

• Security compromise: The loss or disclosure of an asset can lead to a security breach, which can allow unauthorized access to sensitive data or systems.
• Loss of productivity: Employees may be unable to work if they are unable to access the information or systems they need.
• Reduction in profits: A security breach or other incident can damage an organization’s reputation, which can lead to lost sales or customers.
• Additional expenditures: An organization may need to spend money to investigate and remediate a security breach or other incident.
• Discontinuation of the organization: In some cases, a security breach or other incident may be so severe that it forces an organization to discontinue operations.
• Intangible consequences: The loss or disclosure of an asset can also have intangible consequences, such as damage to the organization’s brand reputation or loss of employee morale.

Vulnerability

A vulnerability is a weakness in an IT system that can be exploited by an attacker to deliver a successful attack. They can occur through flaws, features or user error, and attackers will look to exploit any of them, often combining one or more, to achieve their end goal.

• Below are some examples of vulnerabilities:
• Improper input validation for applications
• Allowing weak passwords
• A weakness in a security encryption algorithm
• A weakness in a firewall that can lead to malicious hackers getting into a computer network
• Lack of security cameras/biometrics in a sensitive facility

Threat/Attack Vector

A threat vector is a method or means by which a threat actor can exploit a vulnerability to gain unauthorized access to a system or network.

Threat vectors can be used to deliver malware, steal data, or disrupt operations. Hackers exploit threat vectors to gain access to user accounts or load malicious software (malware) onto systems to launch cyber-attacks, with the aim of stealing sensitive information and causing system failures. The total number of all possible entry points (threat vectors) for unauthorized access into a system is known as its attack surface.

• Some common threat vectors include:
• Phishing: Phishing is a social engineering attack in which attackers send emails or text messages that appear to be from a legitimate source in order to trick the recipient into clicking on a malicious link or providing sensitive information.
• Malware: Malware is malicious software that can damage or disable computer systems, steal data, or track users’ activities.
• Zero-day attacks: Zero-day attacks exploit vulnerabilities that are not yet known to the software vendor or the user. Zero-day attacks are often very difficult to defend against because there is no patch available to fix the vulnerability.
• Denial-of-service (DoS) attacks: DoS attacks overwhelm a system with so much traffic that it becomes unavailable to legitimate users.
• Ransomware: Ransomware is a type of malware that encrypts a victim’s data and demands a ransom payment in order to decrypt it.

Attack Surface

Attack surface is the sum of all possible points, or attack vectors, where an unauthorized user can access a system and extract data. It is simpler to defend against an attack with a smaller attack surface.

The attack surface is categorized into two categories:

Digital Attack Surface

The digital attack surface area comprises all the hardware and software that connect to an organization’s network. These include business or operations applications, source code, ports, servers, and websites, as well as shadow IT, which sees users bypass IT to use unauthorized applications or devices.

Physical Attack Surface

The physical attack surface includes all endpoint devices that an attacker can gain physical access to, such as desktop computers, hard drives, laptops, mobile phones, and Universal Serial Bus (USB) drives. The physical attack threat surface also includes carelessly discarded hardware that contains user data and login credentials, users writing passwords on paper, and physical break-ins.

Countermeasures

Countermeasures are actions, devices, procedures, techniques, or other measures that reduce the vulnerability of information systems. They are designed & deployed to protect the confidentiality, integrity, and availability of information.

Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices.

Countermeasures can take the form of software, hardware and behavioral.

Software countermeasures include:

1. Firewalls
2. Anti-virus software
3. Intrusion Detection Systems
4. Multi-factor Authentication

Hardware countermeasures include:

1. Biometric authentication systems
2. Physical restriction of access to computers and peripherals
3. Intrusion detectors
4. Alarms

Behavioral/administrative countermeasures include:

1. Refraining from opening e-mail messages and attachments from unknown senders
2. Regularly backing up data on external media.
3. Regular scanning for viruses and other malware
4. Regular installation of updates and patches for operating systems

Exploit

An exploit is a piece of code or a program that maliciously takes advantage of vulnerabilities/security flaws in software or hardware to infiltrate and initiate attacks or install malware, such as spyware, ransom ware, trojan horses, worms, or viruses.

The exploit is not the malware itself but is used to deliver the malware.

Different types of exploits:

1. Software Exploits
2. Hardware Exploits
3. Network Exploits

Web Application Vulnerability Scanner

Web Application Vulnerability Scanners are automated tools that scan web applications, to look for security vulnerabilities such as cross-site scripting (XSS), SQL Injection (SQLi), Command line injection, path traversal and insecure server configuration.

This category of tools are frequently referred to as Dynamic Application Security Testing (DAST) Tools.

A wide range of both commercial and open source tools of this type are available and all of these tools have their own strengths and weaknesses.

Important features of Web applications scanners are:

• Ability to analyze various types of web application technologies such as PHP, ASP.NET, ASP, etc.
• Ability to scale: should be fast enough to scan large websites with multiple web page.
• Ability to generate readable and actionable reports without extensive Web security know-how.

Few Web application scanning tools:

1. Qualys
2. AppScan
3. Acunetix

Auditing

A cybersecurity audit includes a comprehensive security assessment of information systems to evaluate policy compliance and identify gaps in security policy implementation.

The auditing process involves deeply examining an organizations digital assets and security controls to ensure they satisfy compliance standards requirements. Apart from offering insights into existing security vulnerabilities, a comprehensive audit also includes mitigation actions to mitigate cyber threats.

An efficient audit plan assesses five fundamental security factors:

1. Data – consists of the tools and security procedures used to safeguard the privacy, accuracy, and integrity of data within a business network. To safeguard vital corporate data while it is in transit and at rest, data security typically consists of TLS encryption, authentication & authorization rules, and security policies.
2. Operations – includes the cybersecurity policies, security procedures, and controls of the operational framework. Operational security entails offering thorough safeguards on diverse infrastructure assets’ administrative, procedural, and functional operations.
3. Network Security – Security posture evaluation of network resources and other systems which can be accessed from the internet. A thorough network security audit analyzes network availability, device access control, infrastructure security, and the overall performance of network assets.
4. System – refers to the degree of security implementation in hardware assets, operating systems, and other critical infrastructure within the network. System security audits review the patching process, device access management, and the management of elevated permissions.
5. Physical Security – Preventive actions and controls put in place to govern access to application data, software, and hardware assets. Physical security measures also protect enterprise personnel from potential threats that could result in loss or compromise of business systems. Comprehensive cyber security audits evaluate multiple aspects of physical security, including surveillance procedures, access control, and physical disk backups.

Types of Audits in Cybersecurity

1. Internal Auditing: The in-house team performs internal audits to evaluate the network’s internal controls, policies, and cybersecurity processes. A strong internal audit foundation helps assess existing and required security controls while assisting the cybersecurity audit team in understanding flaws in security implementation.
2. External Auditing: In an external audit, third-party security specialists examine security controls, regulatory compliance, and security gaps within an enterprise network. As external auditors are highly trained and qualified in identifying vulnerabilities, sensitive data, and network assets, they ensure the auditing process meets the organization’s objective by helping counter continuously changing threats.

Risk Assessment

The primary purpose of a risk assessment is to identify, assess, and prioritize risks to information and information systems. It helps organizations identify and prioritize areas for improvement in their cybersecurity program. It also helps organizations communicate their risks to stakeholders and make informed decisions about how to allocate resources to reduce those risks.

There are many cybersecurity risk assessment frameworks and methodologies available, but they all share a common goal

The National Institute of Standards and Technology (NIST) Cybersecurity Framework is one of the most popular risk assessment frameworks. It provides a flexible and structured approach for organizations to assess their cybersecurity risks and prioritize actions to reduce those risks.
https://csrc.nist.gov/projects/risk-management/about-rmf

Another popular risk assessment framework is the ISO 27001:2022 standard. This standard provides a comprehensive approach to information security management, including requirements for risk assessment and risk treatment.

Organizations based on their requirements cab also develop their own customized risk assessment frameworks and methodologies. Whatever approach an organization chooses, the goal should be to identify, assess, and prioritize risks to information and information systems.

Security Policy

Information security policies are a set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.

A security policy is a formal declaration of an organization’s goals for safeguarding its physical assets and information technology (IT). Security policies are living, breathing documents that change to reflect new technology, security gaps, and other factors.

Types of security policies

Security policies for an organization can be categorized into three types based on the scope and purpose of the policy:

1. Organizational- These policies are a master blueprint of the entire organization’s security program.
2. System-specific- A system-specific policy covers security procedures for an information system or network.
3. Issue-specific- These policies target certain aspects of the larger organizational policy such as:
   a) Access control policies say which employees can access which resources.
   b) Change management policies provide procedures for changing IT assets so that adverse effects are minimized.
   c) Disaster recovery policies ensure business continuity after a service disruption. These policies typically are enacted after the damage from an incident has occurred.
   d) Incident response policies define procedures for responding to a security breach or incident as it is happening.

Also Read: Terminology-Intermediate, Terminology-Advanced, Security Terminology Section

Suggested Exercises: General Security Concepts and Terminology Tests