Author Archive Jayanthi

By Jayanthi

OWASP Top 10 vulnerabilities

Reading Time: 3 minutes

OWASP (the Open Web Application Security Project) is a non-profit community organization primarily oriented towards securing software. Any software we use today is prone to vulnerabilities and bugs. These bugs give attackers a chance to get inside the software and steal our precious information. Can we say that any of the data stored on countless servers and databases is safe? Never… there is always a way to steal your credit card number sitting on a strange server in a strange land. One way of doing it is by exploiting the vulnerabilities or weaknesses in the software we use every day…

OWASP publishes a list of the top 10 vulnerabilities in application software along with their risks and countermeasures. This helps organizations harden their software by knowing which common vulnerabilities are being exploited. The list is updated every 3-4 years; the latest list was released in 2018.


It is quite amazing that when I started coding years ago, we were only worried about getting the code to run the way we wanted it to. Now times have changed and we have to make sure the code is hack-proof in every possible way. Anyway, here are the OWASP top 10 vulnerabilities released in 2018:

1. Injection

‘Injection’ may mean different things to people from different walks of life, but in our context ‘injection’ is supplying crafted user input that gets interpreted as part of a command or query, thereby triggering unintended commands. Some examples are SQL injection, PHP code injection, LDAP injection and more. Trying injection is one of the first ways anyone checks whether an application is vulnerable.
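As an added example (not code from the original post), here is the SQL injection case in Python: a lookup that builds its query by string concatenation beside the parameterized version, both run against a constructed in-memory SQLite table.

```python
import sqlite3


def make_db():
    # Constructed sample database (not from the original post): an in-memory
    # SQLite table with two users, used to compare the two lookups below.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # The query is built by string concatenation, so the user's input becomes
    # part of the SQL statement itself. A quote in the input changes the
    # structure of the statement: this is the injection the post describes.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # A parameterized query sends the statement and the value separately;
    # the database treats the input purely as data, never as SQL.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups on a normal name and on a constructed input that
    contains a quote plus an always-true condition."""
    conn = make_db()
    normal = "alice"
    crafted = "x' OR '1'='1"   # constructed input, turns the WHERE into a tautology
    return {
        "normal_vulnerable": lookup_vulnerable(conn, normal),
        "normal_safe": lookup_safe(conn, normal),
        "crafted_vulnerable": lookup_vulnerable(conn, crafted),  # every row leaks
        "crafted_safe": lookup_safe(conn, crafted),              # no such user
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(key, rows)
```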

2. Broken authentication

We have already discussed authentication in an earlier post. In a typical authentication scenario, we enter a username and password, and if we enter them correctly, we are authenticated. What happens if somebody steals your session, say while you are shopping with a big online retailer? Maybe you were just authenticated and finished shopping online. What if somebody uses that stolen session to get at the financial information you entered last? This is ‘broken authentication’.

3. Sensitive data exposure

Now that online banking and online transactions have become commonplace, usernames and passwords can be sniffed if good encryption is not in place. Just imagine a scenario wherein your online banking password is sniffed by miscreants! Imagine the damage they can do!

This can be avoided by using up-to-date, strong encryption and making sure that sensitive information is never stored in a cache.

4. XML external entities

These are known as XXE attacks, and they are possible when the application accepts and parses XML files uploaded by users. Once a malicious XML file is processed by the server, its external entity references can be used to read data from the server and do other malicious things.
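An added example, not from the original post: a Python parser for untrusted XML uploads that refuses any DOCTYPE before entity declarations are processed (and, as a second line of defence, refuses to resolve external entities), checked against a constructed benign upload and a constructed upload carrying an external entity whose file path is a placeholder.

```python
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when untrusted XML contains a DTD / entity declaration."""


def parse_untrusted_xml(data: str) -> list:
    """Parse XML from an untrusted source and return (tag, text) pairs in
    document order. Any DOCTYPE is rejected before its entities can be
    declared, so external entities (XXE) are never resolved."""
    parser = xml.parsers.expat.ParserCreate()
    elements, open_elements = [], []

    def forbid_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # Uploads that legitimately need a DTD are rare; refusing all of them
        # closes the XXE door without ever parsing the entity declarations.
        raise UnsafeXmlError("DOCTYPE declarations are not accepted: %s" % doctype_name)

    def refuse_external_entity(context, base, system_id, public_id):
        # Defence in depth: returning 0 tells expat the external entity could
        # not be resolved, so nothing is ever read from disk or the network.
        return 0

    def start(tag, attrs):
        open_elements.append([tag, ""])

    def chars(text):
        if open_elements:
            open_elements[-1][1] += text

    def end(tag):
        t, txt = open_elements.pop()
        elements.append((t, txt.strip()))

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.ExternalEntityRefHandler = refuse_external_entity
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return elements


# Constructed sample uploads (not from the original post).
BENIGN_UPLOAD = "<order><item>widget</item><qty>2</qty></order>"

# This upload declares an external entity pointing at a local file (the path
# is a placeholder); a parser that resolved it would copy that file's
# contents into the document the application then processes or echoes back.
XXE_UPLOAD = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret.txt">]>'
    "<order><item>&ext;</item></order>"
)


def check_upload(data: str):
    """Return ("ok", elements) for acceptable XML, else ("rejected", reason)."""
    try:
        return ("ok", parse_untrusted_xml(data))
    except UnsafeXmlError as exc:
        return ("rejected", str(exc))
    except xml.parsers.expat.ExpatError as exc:
        return ("rejected", "malformed XML: %s" % exc)
```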

5. Broken access control

I have already written about ‘access control’ in another post. ‘Access control’ authorizes users to access the appropriate resources. What if ‘John’ gains ‘admin’ privileges and is able to access your account? Is that right? This is ‘broken access control’. John is not authorized to access your account and he should not be able to access it just by changing a small piece of code.

This can be prevented by checking authorization on the server for every request, using ‘authorization tokens’ tied to the logged-in user.

6. Security misconfigurations

Security misconfigurations can result from leaving default ‘security’ settings in place.

This can be avoided by configuring all servers appropriately and suppressing verbose error messages that reveal internal details.

7. Cross site scripting

Cross-site scripting occurs when attackers can insert a piece of script into a web page that other users view. This can then be used to steal user data and bring down websites.

8. Insecure deserialization

Serialization converts data into a form that can be stored or transmitted, and deserialization turns it back into objects. This vulnerability arises when an application deserializes data from untrusted sources, so that crafted input can change what the application does.

9. Using Components with known vulnerabilities

It is always possible that web application developers are working with components that have vulnerabilities in them. The vulnerabilities might have only just been discovered. Once that happens, application developers should remove such components or install patches immediately.

10. Insufficient logging and monitoring

Many security breaches are detected long after the initial incident. By then, attackers have had time to penetrate deeper into the system and cause even more damage. To minimize this extra damage, all activities must be logged and the logs actively monitored.
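As an added example (not from the original post) covering both broken access control (item 5) and insufficient logging (item 10): a Python account lookup that decides access on the server from the logged-in user's identity, logs every denied request, and counts denials per user as a minimal monitoring signal. The accounts, roles and requests are constructed sample data.

```python
import logging

# Constructed sample data (not from the original post): two accounts and the
# roles of three users. In a real application these live in a database.
ACCOUNTS = {
    "acct-1001": {"owner": "mary", "balance": 250},
    "acct-1002": {"owner": "john", "balance": 40},
}
ROLES = {"mary": "user", "john": "user", "ops-admin": "admin"}


class AccessDenied(PermissionError):
    pass


class DenialCounter(logging.Handler):
    """Log handler that counts denied requests per user: a minimal form of
    the monitoring the post calls for (a burst of denials is worth an alert)."""

    def __init__(self):
        super().__init__()
        self.denied = {}

    def emit(self, record):
        if record.msg.startswith("denied"):
            user = record.args[0]
            self.denied[user] = self.denied.get(user, 0) + 1


log = logging.getLogger("access")
log.setLevel(logging.INFO)
counter = DenialCounter()
log.addHandler(counter)


def can_view(session_user, account_id):
    # Ownership or an admin role, decided on the server from data the client
    # cannot edit. The account id taken from the URL is never trusted alone.
    account = ACCOUNTS.get(account_id)
    if account is None:
        return False
    return account["owner"] == session_user or ROLES.get(session_user) == "admin"


def view_account(session_user, account_id):
    """session_user is the identity established at login (looked up from the
    session token); account_id is whatever the request asked for."""
    if not can_view(session_user, account_id):
        log.warning("denied user=%s account=%s", session_user, account_id)
        raise AccessDenied("not authorized for %s" % account_id)
    log.info("allowed user=%s account=%s", session_user, account_id)
    return ACCOUNTS[account_id]


def demo():
    """Replay a few constructed requests; return (outcomes, denials per user)."""
    requests = [
        ("mary", "acct-1001"),       # own account: allowed
        ("john", "acct-1001"),       # someone else's account: denied
        ("john", "acct-9999"),       # non-existent account: denied, same error
        ("ops-admin", "acct-1002"),  # admin role: allowed
    ]
    outcomes = []
    for user, acct in requests:
        try:
            view_account(user, acct)
            outcomes.append("allowed")
        except AccessDenied:
            outcomes.append("denied")
    return outcomes, dict(counter.denied)
```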

The original set of OWASP top 10 vulnerabilities can be found here.

This post is for alphabet ‘O’ of the #Blogchatter challenge. The previous post can be found here.

By Jayanthi

Never judge a book by its cover!

Reading Time: 2 minutes

In my favorite proverb series, here is yet another one: ‘Never judge a book by its cover’! It means not to judge a person too quickly, by looking only at their outward appearance and demeanor.

Almost all the proverbs seem to be leading us towards a perfect life (good healthy eating habits, forgetting the past, moving on, etc.) which is next to impossible for all of us… 🙂 but we can still try to follow them to some extent at least…

Judging someone is something we are all guilty of… sometimes we judge somebody without knowing them fully, by external appearances alone. We judge a person in a hurry just by looking at them, or by exchanging just a few words with them. We label them quickly too (talkative, quiet, silent, pessimistic, optimistic, studious, nerd, geek, no sense of humor, etc.). I have been guilty of judging somebody too quickly just by their appearance and finally realized how wrong I was! (face palm!!)

All of us undergo many, many experiences in life, and each of them either mellows us down, makes us stronger or makes us weaker. Even though there is a Tamil proverb “agathin azhagu mugathil theriyum” (the beauty of your mind is visible on your face), more often than not you cannot understand everything a person has undergone just by looking at their face. Most of us maintain a happy, smiling face which holds many secrets!

So, it is good not to judge a book by its cover, but to give all relationships some time to develop and grow!

This post is for alphabet ‘N’ of the #Blogchatter challenge. The previous post can be found here.

By Jayanthi

Identity management

Reading Time: 2 minutes

‘Identity management’ is in some ways an extension of the concepts of access control and authentication. The current business environment is complex and getting more complex with time. There are numerous departments and systems (like CRM, ERP and HR) and networks. There are hundreds of business users (employees, customers and partners) constantly logging into systems and accessing different resources. Employees might move to different departments, and they might also quit and move on to different organizations. How do we handle the huge responsibility of checking the credentials of all these users, authenticating them and authorizing them? This is done by the process of ‘identity management’.

‘Identity management’ involves first identifying the user, then authenticating the user and authorizing them to access the appropriate resources, all in an automated way. Identity management solutions have to handle the huge task of assigning access to different users across multiple systems. They also have to make sure that the access is neither too restricted nor too broad. Identity management solutions also involve revoking the credentials of former employees so that they cannot access the old resources again.
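An added example, not from the original post: a Python reconciliation of a constructed HR roster against the accounts on three constructed systems (crm, erp, hr), producing the revocations, grants and orphaned accounts an automated identity management process would act on. The roster, the entitlement table and the account lists are all assumptions.

```python
# Constructed sample data (not from the original post). A real identity
# management solution would pull the roster from the HR system and the
# account lists from each application's own user store.
HR_ROSTER = {
    "alice": {"status": "active", "department": "sales"},
    "bob":   {"status": "active", "department": "finance"},    # moved from sales
    "carol": {"status": "terminated", "department": "sales"},  # left the company
    "dave":  {"status": "active", "department": "hr"},         # new joiner
}

# Which departments are entitled to an account on each system (assumed).
SYSTEM_DEPARTMENTS = {
    "crm": {"sales"},
    "erp": {"finance"},
    "hr":  {"hr"},
}

# Accounts that currently exist on each system (assumed).
SYSTEM_ACCOUNTS = {
    "crm": {"alice", "bob", "carol", "zed"},
    "erp": {"bob"},
    "hr":  set(),
}


def reconcile(roster, accounts, system_departments):
    """Compare the HR roster with the accounts on every system and return
    the changes an automated identity management process should make.

    revoke: accounts held by users who left, or who moved to a department
            that is not entitled to that system (access too broad).
    grant:  accounts an active user is entitled to but does not have
            (access too restricted).
    orphan: accounts with no HR record at all; these need a human review.
    """
    revoke, grant, orphan = [], [], []
    for system, users in accounts.items():
        allowed = system_departments.get(system, set())
        for user in sorted(users):
            record = roster.get(user)
            if record is None:
                orphan.append((system, user))
            elif record["status"] != "active" or record["department"] not in allowed:
                revoke.append((system, user))
    for user, record in sorted(roster.items()):
        if record["status"] != "active":
            continue
        for system, departments in system_departments.items():
            if record["department"] in departments and user not in accounts.get(system, set()):
                grant.append((system, user))
    return {"revoke": revoke, "grant": grant, "orphan": orphan}


if __name__ == "__main__":
    for action, items in reconcile(HR_ROSTER, SYSTEM_ACCOUNTS, SYSTEM_DEPARTMENTS).items():
        print(action, items)
```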


Advantages of IDM solutions:

In the earlier days, IDM solutions were manual, but with today’s complex business scenario, automated solutions are the need of the hour. IDM solutions offer these advantages:

  1. They increase productivity in an organization (administrators do not have to spend time configuring different settings for different users)
  2. Security in the organization is enhanced, since users are given appropriate access and single sign-on is implemented

IDM solutions:

A number of organizations offer IDM solutions and here are a few of them:

  1. Computer Associates Identity and access management
  2. IBM Identity and access management
  3. Oracle Identity management

Seamless digital transitions in today’s business scenario are possible because of sophisticated ‘identity management’ solutions.

This post is for alphabet ‘M’ of the #Blogchatter challenge. The previous post can be found here.

By Jayanthi

Let bygones be bygones…

Reading Time: 2 minutes

In my most-liked proverb series, here is the next one…

Ten years ago, I had a surgery and I cannot help thinking about it to this day. “What if some things had happened differently?” How would my life have been? This is my “flashback” on many days… do you also rewind your life to some point?

By the time we reach our late 20s or 30s, we all start having things in our life that we cannot banish. It might be that sour relationship, that terrible let-down, that breach of trust, that bad accident or any other bad memory. I used to be a person who could never dismiss the past. I could cling to the past forever and ever. Then it dawned on me one day that carrying the past on my shoulders wasn’t doing anything good. Instead, it only left me disappointed.

Finally, I read this proverb one day and realized how true it was. From that day, I have tried my level best not to dwell on past things and to move forward in life. I haven’t stopped dwelling on the past entirely, but I certainly have learnt to look ahead and move forward. What had happened had happened, and I had to move ahead…

How about you? Do you keep looking back and wondering “if this had not happened” or “if that had not happened”, how would life have been? It is good to look ahead, because we cannot change the past but we can certainly look to the future to make our life better! 🙂

This post is for alphabet ‘L’ for the #BlogchatterA2Z challenge. The previous post can be found here.

By Jayanthi

Keep your mouth shut and eyes open!

Reading Time: 2 minutes

This proverb was given to my daughter as a poster, and I haven’t agreed with anything more than this (along with the other proverbs in the series! :))

If only most of the world were to follow this… if only. How would the world be if there were a lot less talking and more observing?

  1. Fewer arguments
  2. Fewer misunderstandings
  3. Fewer quarrels
  4. We would understand more
  5. Better relationships! 🙂


I am sure many or all of us have been caught in circular conversations, wherein we say one thing to a person (as a “secret”!), that person tells the same thing to another person (as a secret again :)), and by the end everybody knows the “secret”. Then the first person comes and asks you “Can’t you just keep a secret?” and you wonder “Why didn’t I just keep my mouth shut in the first place?”


Social media may be a powerful tool today to spread messages around, but the human mouth is always the strongest news spreader! 🙂 And to top it all, it cannot be documented either. Sometimes news spreads like wildfire just by word of mouth.

Which is why, in information security, the weakest link in any security perimeter is always the human factor (or the human mouth, in our case!). How is this even possible, you might think: we have the greatest firewall, anti-virus software and all the security safeguards, and we might still get hacked. How? Because some person might have leaked the password to a database to another person, and it might have landed in the wrong hands. If only they had kept their mouth shut and not told the password… if only…

In an ideal world our mouths would be shut at the right times and our eyes would be open all the time… 🙂 but since we are all mere mortals, we can try to follow the proverb to the best of our efforts by talking less and observing more!

This post is for alphabet ‘K’ for the #BlogchatterA2Z challenge. The previous post can be found here. 

By Jayanthi

A journey of a thousand miles…

Reading Time: 2 minutes

…begins with a single step! Next in my line of favorite quotes is this one…

I signed up for the Blogchatter challenge with a lot of apprehension. The month of April is always an interesting one for me. Both my children’s exams get over at that time. Their summer vacations begin then too. If you thought having small kids at home and working (writing) from home is hard, think again! Older kids are also a lot of work! Many a time, I have two pairs of eyes peeking into my laptop, wondering what I am going to write about next 🙂 They have their summer classes, entrance exams, play dates, and are constantly going in and out of the house with their friends… you get the point… it is a busy house! 🙂

To top it all, we had also planned short trips during which I knew I would not have time to write posts then and there. How would I be able to manage writing 26 posts, one for each day of April (except Sundays)? I knew I had to take the first step and decide to do it. Then I had to draw up a plan. Yes, I am a planner, and I have been able to stick to it so far, even though I have been traveling through the A2Z challenge.

So, how have I been able to do it so far? By taking the first step of deciding to do it. Yes, friends, ‘the journey of a thousand miles begins with a single step’ is so true for me for the #Blogchatter challenge, and for many mammoth tasks too.

Once the first step was taken, all other activities have followed and I have got some direction on how to proceed and complete it.

The Blogchatter challenge runs all through April and it isn’t over yet. Wish me luck to complete it!

This post is for alphabet ‘J’ for the #Blogchatter challenge. The previous post can be found here.

By Jayanthi

Identity chaos

Reading Time: 2 minutes

As I was toying with my next topic for a technical post on information security, I bumped into this concept called ‘identity chaos’. My curiosity was piqued and, well, I wrote about it instantly! 🙂 So, here goes:

As security professionals keep reminding us, a good password is one that has a combination of:

  1. Upper case letters
  2. Lower case letters
  3. Numerals
  4. Special characters
  5. A minimum length of 8 characters

All security practitioners constantly remind you to follow these tips diligently to protect yourself from hacks and breaches. Now, when users finally give in and start following these rules, each website they visit must be given a new password.

Next comes the real test. They have to remember the password the very next day or so.

Now assume they visit website1 and begin typing the password: xyZ123! and success! They have logged in!

They visit website2 and type the password: XyZ324! and success again; they are logged in again!

They visit website3 and try typing the password… only to realise that they have forgotten it:

“Was it xyZ123 that was the password?” OR

“Was it XYZ!123 that was the password?!!” OR

“Was it an entirely different combination?!!” 

They are totally confused and frantically try the different password combinations….till they get locked out!! 

Sounds familiar? This is “identity chaos” or “password fatigue”!!

The struggle of a user trying to remember the different password combinations for different website logins, and forgetting them, is known as “identity chaos” or “password fatigue”!!

This post is for alphabet ‘I’ of the #BlogchatterA2Z challenge. The previous post can be found here.


By Jayanthi

Health is wealth

Reading Time: 2 minutes

When we are young, health is never an issue (in most cases at least!). We have the normal growing pains and we get the same cold, cough, fever, allergies, etc. But as we age and our school and college days give way to career and matrimony, we get caught in an interesting cycle. Family pressure, work pressure, stress from all quarters and our ability or inability to handle them bring new diseases into our life. Many are lifestyle diseases and some are passed down to us from our parents and grandparents too! 🙂

While most diseases go away after a while (even the more serious ones), or we learn to manage them (any which way: exercise, medicines, will power, mental strength), it is the journey of undergoing the process (from diagnosing the disease, to the various tests, to treatment and beyond) that totally exhausts us.

There is no greater saying than this proverb, “Health is wealth”, according to me… we can be “aggressive”, “smart”, “intelligent”, the “greatest multi-tasker” and every other positive adjective in the world, but it all comes from having one thing in our life: “good health”. If this “good health” is taken away from us, everything else vanishes with it. We focus all our energies on curing the disease that afflicts us (or any loved one who gets it), and this truly shakes our foundations and all our beliefs. The way we handle things when “health” is taken away from us is true “strength”.

Proactive health management:

With so much importance riding on our health, what better thing to do than to be proactively healthy? Though none of us is perfect, we can still do a few things to keep ourselves healthy:

  1. Eat well without too much junk (of course, we do allow the taste buds to take over once in a while! :))
  2. Exercise everyday
  3. Learn something new every month 
  4. Try to be positive most of the time
  5. Have a good social life
  6. Laugh 🙂

I am no angel and I do fail to do most of the things I have listed 🙂 but these tips will surely keep some health woes out of our way, for some time at least!

Wealth is an absolute necessity in life, but without “health”, how will you make “wealth”?

This post is for alphabet ‘H’ for the #BlogchatterA2Z challenge. The previous post can be found here.

By Jayanthi

GIAC certifications

Reading Time: 2 minutes

‘Information security’ and certifications go hand in hand. The more certifications you have, the more renowned you are in the InfoSec domain. Information security certifications are offered by many organizations such as (ISC)2 (CISSP and CCSP), EC-Council (CEH, ‘Certified Ethical Hacker’), ISACA (CISM, CISA, CRISC) and SANS (GIAC certifications). We will look at the various GIAC certifications in this post…


GIAC certifications:

The SANS Institute was established in 1989 and offers various certifications and training programs. SANS offers GIAC (Global Information Assurance Certification) certifications suited to every InfoSec professional and category. The SANS Institute offers classroom training, online training and mentored training. The certification categories are cyber defense, pen testing, incident response and forensics, management, audit and legal.

Here is a partial list of the different certifications:

  1. GSEC: GIAC Security Essentials
  2. GCIH: GIAC Certified Incident Handler
  3. GCFA: GIAC Certified Forensic Analyst
  4. GPEN: GIAC Penetration Tester
  5. GISF: GIAC Information Security Fundamentals

Notes about GIAC exams:

  1. All GIAC exams are open book, which means you can bring any number of books and printed materials to the exam. However, you cannot access the Internet for any purpose.
  2. All certifications are valid for four years, after which they have to be renewed.
  3. All exams must be taken at a proctored testing center.
  4. Each exam has its own set of questions, time limit and passing grade.
  5. GIAC exams can be attempted without formal SANS training. The prices can be found here.

What is your preferred certification? Have you got any of the above certifications? How has your experience been?

This post is for alphabet ‘G’ for the #BlogchatterA2Z challenge. The previous post can be found here.

By Jayanthi

No one in this world can love a girl as much as her father…

Reading Time: 2 minutes

Lakshmi thought her father was the greatest man. She adored him to bits. The father-daughter bond was created as soon as she was born. From the time she was young, she was struck by his aura. He was the wittiest and greatest father, she thought.

Did you know that it is hard for an adult to come down to a child’s level and interact with them? Well, he could do just that… as if by magic, he could become a small child and entertain her for hours.

He taught her how to ride a bicycle, and did all the work of running behind her when she was learning to balance on two wheels. That was a lot of work… running behind a school kid on a bicycle who is forever ready to topple and fall, but he did it all the same! He stood by her in all her difficult times. He would attend all the PTMs at school with sincerity. If her grades ever slipped, he never reprimanded her for not getting good grades. Instead, he always taught her how to approach the same problem in a different way and solve it.

School admissions, college admissions, college projects – he would be there to see her through it all! 

He always taught her life’s most important lessons. As she grew up, he taught her how to dress well, be smart, study smart, and be a totally “out-of-the-box” thinker. He always wanted her to be “smart” and “independent”!

He was a terrific orator. He could keep her and all her friends spellbound with his talks and witty anecdotes. 

Are you nodding your head and thinking the same thing (or similar things) about your father too? 🙂

No wonder there is a saying “No one can love a girl as much as her father”! Fathers are great, whether they are fathers of daughters or sons, aren’t they? 🙂

What is your father story? What do you think of this quote about fathers?

This post is for alphabet ‘F’ of #BlogchatterA2Z. The previous post can be found here.