
APPLICATIONS AND SYSTEMS DEVELOPMENT SECURITY

Security Development Controls

1. Administration Control
The administrative controls are defined by the top management in an organization.

Examples of Administrative Controls

(i) Security policy
(ii) Monitoring and supervising
(iii) Separation of duties
(iv) Job rotation
(v) Information classification
(vi) Personnel procedures
(vii) Investigations
(viii) Testing
(ix) Security-awareness and training

2. Policy and Procedures


(i) A security policy is a high-level plan that states management’s intent pertaining to how
security should be practiced within an organization. It also includes which actions are
acceptable and what level of risk the company is willing to accept. This policy is derived
from the laws, regulations, and business objectives that shape and restrict the company.
(ii) The security policy provides direction for each employee and department regarding how
security should be implemented and followed. It also includes the repercussions for
non-compliance. Procedures, guidelines, and standards provide the details that support and
enforce the company’s security policy.

3. Personnel Controls
(i) Personnel controls indicate how employees are expected to interact with security
mechanisms, and address noncompliance issues pertaining to these expectations.
(ii) Change of Status: These controls indicate what security actions should be taken when an
employee is hired, terminated, suspended, moved into another department, or promoted.
(iii) Separation of duties: The separation of duties should be enforced so that no one
individual can carry out a critical task alone that could prove to be detrimental to the
company.
Supervisory Structure

Management must construct a supervisory structure that requires management members
to be responsible for employees and to take a vested interest in their activities. If an employee
is caught hacking into a server that holds customer credit card information, that employee
and her supervisor will face the consequences.

4. Security-Awareness Training
This control helps users/employees understand how to properly access resources, why
access controls are in place, and the ramifications of not using the access controls
properly.

5. Testing
This control states that all security controls, mechanisms, and procedures are tested on a
periodic basis to ensure that they properly support the security policy, goals, and objectives
set for them.

The testing can be a drill to test reactions to a physical attack or disruption of the network, a
penetration test of the firewalls and perimeter network to uncover vulnerabilities, a query to
employees to gauge their knowledge, or a review of the procedures and standards to make sure
they still align with business or technology changes that have been implemented.
INTERNET SECURITY
Internet security is a branch of computer security specifically related to the Internet, often
involving browser security but also a part of network security on a more general level as it
applies to other applications or operating systems.
Its objective is to establish rules and measures to use against attacks over the Internet.

The Internet represents an insecure channel for exchanging information, leading to a high risk of
intrusion or fraud, such as phishing. Different methods have been used to protect the transfer of
data over the Internet, including encryption. Some of the common IT security measures used
include:

Common IT security measures


Access control ensures that individuals can only access data and services for which they are
authorized. Some of the common IT security measures include:
(i) Physical control of access to premises and computers
(ii) A clean desk policy so that sensitive or confidential information (including passwords) is
not left lying around
(iii) Individual passwords that randomly mix letters and characters, and are regularly
changed and not shared with others
(iv) Network restrictions to prevent access to other computer systems and networks
(v) Application controls to ensure individuals are limited in the data or service they can
access
(vi) Restrictions on what can be copied from the system and stored on pen drives, memory
sticks or CDs/DVDs
(vii) Limits on the sending and receiving of certain types of email attachments

Modern operating systems and network software have the ability to achieve most of this, but you
still need to manage the registration of users and user authentication systems – e.g. passwords.

Other IT security measures


Security software
Security software can help detect and remove computer viruses and other malware. Without
protection, malware can damage your IT system, access confidential data or create further
security holes for hackers to exploit.

Data encryption
Encryption scrambles data, and is used to protect information that is being held on a computer,
stored on external media such as DVDs or transmitted over a network.

Firewall
A firewall is a hardware or software security device that filters information passing between
internal and external networks. It controls access to the internet by internal users, and prevents
outside parties from gaining access to your network.

Intrusion detection
These products monitor system and network activity to spot potential security breaches. If a
detection system suspects an attack, it can generate an alarm, such as an email alert, based upon
the type of activity it has identified.

THREATS IN NETWORK
The main aim of threats is to compromise the confidentiality and integrity of data, software, and
hardware. They arise from natural accidents, non-malicious humans, and malicious attackers.
What Makes A Network Vulnerable?
(i) Anonymity – leaving no trace for identification
(ii) Many Points Of Attack
(iii) Sharing
(iv) Complexity Of System
Threats originate mainly from:
(i) Port scan - a common technique hackers use to discover open doors or weak points in
a network. A port scan attack helps cyber criminals find open ports and figure out
whether they are receiving or sending data. It can also reveal whether active security
devices like firewalls are being used by an organization.
(ii) Social Engineering - gaining favour with an employee to get information about the network
(iii) Reconnaissance - investigations by hackers
(iv) Operating System and Application fingerprinting
(v) Bulletin Boards and chats
(vi) Availability of Documentation
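
A defender-side check for the port-scan activity described above, as an added example that is not part of the original notes: it flags any source that touches many distinct ports on one host within a short window. The log format, addresses, thresholds and function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed sample firewall log: time, source, destination, port, action."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = ["malformed line that the parser must skip"]
    # One source probing ten different ports on one host in ten seconds.
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 3306, 3389]):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 198.51.100.7 192.0.2.10 {port} DENY")
    # An ordinary client that keeps returning to the same two web ports.
    for i in range(12):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} 203.0.113.20 192.0.2.10 {(80, 443)[i % 2]} ALLOW")
    return "\n".join(lines)

def parse(log_text):
    """Yield (time, src, dst, port) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue  # wrong field count or non-numeric port
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # unparseable timestamp
        yield ts, parts[1], parts[2], int(parts[3])

def detect_port_scans(log_text, min_ports=8, window=timedelta(seconds=30)):
    """Return one alert per (src, dst) pair hitting min_ports distinct ports within window."""
    hits_by_pair = defaultdict(list)
    for ts, src, dst, port in parse(log_text):
        hits_by_pair[(src, dst)].append((ts, port))
    alerts = []
    for (src, dst), hits in hits_by_pair.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                alerts.append({"src": src, "dst": dst, "ports": sorted(ports)})
                break  # one alert per pair is enough
    return alerts

if __name__ == "__main__":
    for alert in detect_port_scans(build_sample_log()):
        print("ALERT possible port scan:", alert)
```

The ordinary client makes more connections than the scanning source but only ever touches two ports, so counting distinct ports rather than connections keeps it below the threshold.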

Threats In Transit: Eavesdropping and Wiretapping


The term eavesdrop implies overhearing without expending any extra effort. For example, we
can say that an attacker is eavesdropping by monitoring all traffic passing through a node.
The more hostile term is wiretap, which means intercepting communication through some
effort.
Choices of wiretapping are:
1. Cable
2. Microwave
3. Satellite Communication
4. Optical Fiber
5. Wireless
From a security standpoint, we should assume that all communication links between network nodes
can be broken. For this reason, commercial network users employ encryption to protect the
confidentiality of their communication.

Protocol Flaws:
Each protocol is identified by its Request For Comment (RFC) number. In TCP, the sequence
number of the client increments regularly, so both it and the next number can be easily
guessed.
Impersonation:
In many instances, there is an easier way than wiretapping for obtaining information on a
network: impersonate another person or process.
In impersonation, an attacker has several choices:
i. Guess the identity and authentication details of the target
ii. Disable authentication mechanism at the target computer
iii. Use a target that will not be authenticated
iv. Use a target whose authentication data are known
Spoofing:
Obtaining the network authentication credentials of an entity (a user, an account, a process, a
node, a device) permits an attacker to create a full communication under the entity’s identity.
Examples of spoofing are masquerading, session hijacking, and man-in-the-middle attacks.
i. In a masquerade one host pretends to be another.
ii. Session hijacking is intercepting and carrying on a session begun by another entity.
iii. Man-in-the-middle attack is a similar form of attack, in which one entity intrudes
between two others.

Message Confidentiality Threats:


An attacker can easily violate message confidentiality (and perhaps integrity) because of the
public nature of networks. Eavesdropping and impersonation attacks can lead to a
confidentiality or integrity failure.
Here we consider several other vulnerabilities that can affect confidentiality.
i. Misdelivery
ii. Exposure
iii. Traffic Flow Analysis
Message Integrity Threats:
In many cases, the integrity or correctness of a communication is at least as important as its
confidentiality. In fact for some situations, such as passing authentication data, the integrity of
the communication is paramount.
Threats based upon failures of integrity in communication
i. Falsification of messages
ii. Noise
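
The two integrity threats listed above call for different checks. The following added example (not part of the original notes) compares an unkeyed CRC-32 checksum with a keyed HMAC-SHA256 tag against both noise and falsification; the choice of CRC-32 and HMAC, the function names, the key and the messages are assumptions constructed for illustration.

```python
import hashlib
import hmac
import zlib

TAG_LEN = 32  # HMAC-SHA256 output size in bytes

def crc_protect(msg: bytes) -> bytes:
    """Append an unkeyed CRC-32 checksum."""
    return msg + zlib.crc32(msg).to_bytes(4, "big")

def crc_verify(frame: bytes) -> bool:
    return len(frame) >= 4 and zlib.crc32(frame[:-4]).to_bytes(4, "big") == frame[-4:]

def mac_protect(key: bytes, msg: bytes) -> bytes:
    """Append an HMAC-SHA256 tag computed with a secret shared by sender and receiver."""
    return msg + hmac.new(key, msg, hashlib.sha256).digest()

def mac_verify(key: bytes, frame: bytes) -> bool:
    if len(frame) < TAG_LEN:
        return False
    expected = hmac.new(key, frame[:-TAG_LEN], hashlib.sha256).digest()
    return hmac.compare_digest(expected, frame[-TAG_LEN:])  # constant-time comparison

def add_noise(frame: bytes, bit: int) -> bytes:
    """Flip one bit, as line noise might."""
    data = bytearray(frame)
    data[bit // 8] ^= 1 << (bit % 8)
    return bytes(data)

def compare(key: bytes = b"constructed-demo-key-not-for-use") -> dict:
    original = b"PAY 100 TO ALICE"    # constructed sample message
    forged = b"PAY 900 TO MALLORY"    # constructed falsified content
    crc_frame, mac_frame = crc_protect(original), mac_protect(key, original)
    return {
        "crc_detects_noise": not crc_verify(add_noise(crc_frame, 3)),
        "mac_detects_noise": not mac_verify(key, add_noise(mac_frame, 3)),
        # Anyone can recompute an unkeyed checksum over altered content.
        "crc_detects_falsification": not crc_verify(crc_protect(forged)),
        # Without the key, the altered message can only carry the old tag.
        "mac_detects_falsification": not mac_verify(key, forged + mac_frame[-TAG_LEN:]),
    }

if __name__ == "__main__":
    for check, detected in compare().items():
        print(f"{check}: {detected}")
```

Both checks catch noise, but only the keyed tag catches falsification, because the checksum can be recomputed by whoever alters the message.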
