Miscellaneous Security

Reading time: 2 – 3 minutes

Photo: jaeming

Being security aware and security conscious often boils down to understanding three key concepts that are common to risk management

These security concepts have been around since the inception of information security. Although, these are high-level generalizations, they are important for everyone to know about.

This article is focused on understanding how each of these apply to information systems.

Confidentiality

Confidentiality loss happens when information can be viewed (read) by individuals who shouldn’t access it.

Loss of confidentiality can happen physically or electronically.

Electronic confidentiality loss can happen when the clients and servers aren’t encrypting their communications. This allows malicious entities to view private communications.

Physical confidential loss can happen through social engineering or through theft. This typically means having laptops stolen.

Integrity

Integrity loss happens when information is modified without the modification being authorized. This doesn’t mean that an unauthorized party has to cause the integrity loss to happen. The integrity loss due to an authorized party doing something they shouldn’t. An example would be a system administrator deleting an account record they weren’t authorized to delete.

Integrity Loss can happen either accidentally or through malicious intent. Malicious integrity loss can happen when a user purposely adds, deletes, or modifies database records. This can occur either through an authorized party (someone who has the access to actually modify the record) or by an unauthorized party when the user has access that they shouldn’t have.

Accidental integrity loss happens when a system modifies or deletes records that it shouldn’t. This can happen when a virus infects a system or when a user does something that he didn’t intend to do. This is often why systems will verify that you want a file deleted, before it actually does so.

Availability

Availability is the simple idea that when a user or system attempts to access something, it is available to be accessed. This is extremely important for mission critical systems. Availability for these systems are so critical that most companies have business continuity plans (BCP’s) in order for there systems to have redundancy.

Just like confidentiality and integrity loss, availability loss can happen by accident, a car crashing into a fiber pole disabling access to a system, or through malicious intent, such as a Denial-of-Service attack.

Reading time: 1 – 2 minutes

I recently did a presentation on the OWASP Top 10 for SecurityStreams. Nitesh Dhanjani of SecurityStreams was nice enough to allow me to embed the videos of the presentations on this site.

If you are new to the OWASP Top 10, I highly suggest to watch this presentation, it is about 45 minutes and should give you a high level understanding of all the OWASP Top 10.

If you are an executive or don’t have time to watch the full presentation, then I suggest watching the 10 minute executive presentation.

Make sure to watch them in HD (Upper right hand corner of the videos). Let me know your thoughts and comments.

OWASP Top 10 – Full Presentation

OWASP Top 10 – Executive Presentation

Reading time: 3 – 4 minutes

Photo: fpsurgeon

This is the eighth-part in a ten-part-series describing the OWASP Top 10. (See all the OWASP Top 10)

What is Insecure Cryptographic Storage

Insecure cryptographic storage occurs when an application doesn’t securely encrypt it’s sensitive data when it is stored into a database. This definition is similar to the picture above, recursive.

Simply stated, insecure cryptographic storage occurs when one of following happens:

1. The developers don’t encrypt the data that is being stored in the database.
2. The developers do encrypt the data being stored in the database, but they rely on encryption methods they have developed. (Also known as home-grown cryptography)

After reading these two points you may say, “only an idiot wouldn’t encrypt sensitive data being stored in the database.” I refer you to number two in the list above.

If you think you are smart enough to write your own cryptographic algorithms, you my friend, are the idiot.

The main business concern with not encrypting sensitive data is that it can lead to confidentiality loss. All companies are concerned with unauthorized individuals viewing their sensitive data. In addition, encrypting sensitive data is be a regulatory compliance. (See PCI-DSS requirement 3.)

An Example of Insecure Cryptographic Storage

Here is a simplified example. Selecting the users table from a database we are returned the following:

> select * from users;

The passwords in these table are 32 characters long. Could these passwords be MD5 hashes?

As with all hashing algorithms, MD5 hashes can’t be reversed. However, they can be pre-computed. Using a site like, gdataonline, we can identify what the password is before it was ran through the MD5 hashing algorithm.

After inserting 5f4dcc3b5aa765d61d8327deb882cf99 into the online form the resulting password is returned. In this example, the password is “password.”

How Do You Prevent Insecure Cryptographic Storage From Occurring

If the data is sensitive and stored it NEEDS to be encrypted. Examples of items that are considered to be sensitive can include:

• Credit Cards
• User Names
• Passwords
• User data

There are other things to keep in mind when making sure you securely store information. This includes not creating your own cryptographic algorithms. No matter how smart you or your peers think you are DO NOT attempt to invent a new encryption algorithm. Leave this work to the experts.

Ensure that the data stored is not easy to decrypt. This can usually be averted by not using known weak algorithms such as RC3, RC4, MD5 and SHA-1.

If you are using asymmetric key encryption make sure to store your private keys carefully. If an attacker gets hold of the private key, you might as well not encrypt the data in the first place.