Saturday, August 22, 2009

WEEK 6 (IT SECURITY)

LECTURE 6

In this lecture I learned about Database Security. Database security is the set of systems, processes, and procedures that protect a database from unintended activity. Unintended activity can be categorised as authenticated misuse, malicious attacks, or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security. It has become important because information is a critical resource in the enterprise, securing it has become a billion-dollar industry, and people want to protect their confidential information.

Characteristics of good database security

• Data independence
• Shared access
• Minimal redundancy
• Data consistency
• Data integrity


Levels of database security
• Physical security – protection of personnel, hardware, programs, networks, and data from physical circumstances
• Operating system security – use of an access control matrix, capability lists and access control lists
• DBMS security – protection mechanisms and query modification
• Data encryption – such as the RSA scheme and the Data Encryption Standard (DES)

Advantages of using a database
• Shared access
• Minimal redundancy
• Data consistency
• Data integrity
• Controlled access

LAB 6

In this lab I learned about database security. Below are the steps to install MySQL Server.

Sunday, August 16, 2009

WEEK 5 (IT SECURITY)

LECTURE 5 (10 August 2009)

In this lecture I learned about Operating System Security. The lecture covered levels of protection, methods used for memory protection, threats that damage the authentication process, and encrypted password files. In operating systems we use segmentation as a security method.

Levels of protection
• No protection
• Isolation
• Share all or share nothing
• Share via access limitation
• Share by capabilities
• Limit use of an object
• Granularity of protection

Methods used for memory protection
• Fence
• Relocation
• Base / bound register
• Tagged architecture
• Segmentation
• Paging
• Paging combined with segmentation

Threats that damage the authentication process
• Spoofing
• Eavesdropping
• Modification
• Masquerading

Encrypted password file
• Conventional encryption
• One way cipher
• Salted password (UNIX)
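The last two items are easiest to see in code. The block below is an added example, not material from the lecture: it contrasts a plain one-way hash with a salted, iterated one in the style of the UNIX password file. It uses PBKDF2-HMAC-SHA256 from the Python standard library in place of the original crypt(3) scheme; the iteration count, user names and the shared password "hunter2" are assumptions constructed for the demonstration.

```python
"""Salted one-way password hashing, the idea behind the UNIX salted
password file. Added example, not from the lecture; PBKDF2-HMAC-SHA256
stands in for the original crypt(3) scheme, and the sample users and
password are constructed."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumed work factor for this example


def unsalted_hash(password: str) -> str:
    """A plain one-way hash: every user with the same password gets the same
    digest, so one cracked hash (or one precomputed table) breaks all of them."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a 'salthex$digesthex' record. A fresh 16-byte random salt is
    drawn unless one is supplied (supplying one is only useful for tests)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time;
    the password itself is never stored, only the salt and the digest."""
    salt_hex, digest_hex = record.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed password file: two users who chose the same password.
    shadow = {name: hash_password("hunter2") for name in ("alice", "bob")}
    for name, record in shadow.items():
        print(f"{name}:{record}")
    print("unsalted digests equal:",
          unsalted_hash("hunter2") == unsalted_hash("hunter2"))
    print("salted records equal:", shadow["alice"] == shadow["bob"])
    print("alice login ok:", verify_password("hunter2", shadow["alice"]))
```

Run as a script, the two salted records differ even though both users chose the same password, while the unsalted digests are identical; that difference is the whole point of the salt.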


LAB 5 (11 August 2009)

The topic of this lab is Web Application Security. In this lab I must be able to describe the flaws of web applications and how they are exploited. Besides that, I also have to exploit web vulnerabilities. After that, I need to list prevention methods that can be taken to overcome web application vulnerabilities.

Web application

An application that is accessed with a web browser over a network, either the Internet or a local area network. It is developed with client-side languages such as HTML and JavaScript and server-side languages such as PHP and ASP; the pages the server produces are rendered by any common web browser. Web applications let users reach an application or system anywhere and at any time, provided the user has a network connection and a web browser installed on the machine.

This ease of use makes web applications popular among Internet users. Moreover, the ability to update and maintain a web application without distributing and installing software on potentially thousands of client computers contributes to their popularity. Nowadays web applications are used for email, online banking, online shopping, online reservations, wikis, and many other functions.
WebGoat
An OWASP simulation toolkit, itself a deliberately insecure web application, used to demonstrate how the vulnerabilities of a poorly designed web application can be exploited.
WebScarab
An OWASP intercepting proxy for anyone who needs to expose the workings of an HTTP(S)-based application, whether to let a developer debug otherwise difficult problems or to let a security specialist identify vulnerabilities in the way the application has been designed or implemented.

Saturday, August 8, 2009

WEEK 4 (IT SECURITY)

LECTURE 4 (3 August 2009)

In this lecture I learned about Program Security. The topic covers vulnerabilities, safeguards against program threats, and the pillars of software security. Vulnerabilities cover secure programs, malicious code, and the Top 10 web application vulnerabilities.

Secure Program - How a program's security is assessed is influenced by the assessor's general perspective on software quality; there is no single agreed test.

Malicious Code - Malicious code is a kind of threat that cannot be blocked by anti-virus software alone. In contrast to viruses (which require a user to execute a program in order to cause damage), this kind of malicious code is auto-executing. It can take the form of Java applets, ActiveX controls, plug-ins, pushed content, scripting languages, or any of the newer programming languages designed to enhance web pages and email.

Top 10 web application vulnerabilities (OWASP Top 10, 2007)
(1) Cross-site scripting (XSS)
(2) Injection flaws
(3) Malicious file execution
(4) Insecure direct object reference
(5) Cross-site request forgery (CSRF)
(6) Information leakage and improper error handling
(7) Broken authentication and session management
(8) Insecure cryptographic storage
(9) Insecure communications
(10) Failure to restrict URL access
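Item (2), injection flaws, is the one that ties this list to the Lab 5 task of exploiting a web vulnerability and to the DBMS protection mechanisms from Lecture 6. The block below is an added example, not code from the lab, WebGoat or the lecture: a login query built by string formatting against an in-memory SQLite database, a payload that bypasses the password check, and the parameterised query that defeats the same payload. The table, the two user rows, the payloads and the plaintext passwords (kept only so the injection stays visible) are all constructed for the demonstration.

```python
"""Injection flaw against an in-memory SQLite database, beside the
parameterised query that prevents it. Added example, not from the lab or
the lecture; the schema, user rows and payloads are constructed, and
passwords are stored in plaintext only to keep the injection visible."""
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str,
                     password: str) -> Optional[str]:
    """Builds the statement by string formatting, so user input becomes SQL.
    A username of  alice' --  turns the rest of the WHERE clause into a comment."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str,
               password: str) -> Optional[str]:
    """Binds input as parameters; the driver sends it as data, so it can never
    change the structure of the query."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    # Constructed payload: the comment marker removes the password check.
    payload_user, payload_pass = "alice' --", "wrong"
    print("vulnerable:", login_vulnerable(conn, payload_user, payload_pass))  # alice
    print("safe      :", login_safe(conn, payload_user, payload_pass))        # None
    # The classic tautology payload also logs in through the vulnerable path.
    print("tautology :", login_vulnerable(conn, "' OR '1'='1", "' OR '1'='1"))
```

The prevention method the lab asks for is the second function: bound parameters. Input validation and least-privilege database accounts add defence in depth, but neither substitutes for keeping user input out of the SQL grammar.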


LAB 4 (4 August 2009)

In this lab I learned about Cryptography Extended. I must know what Symmetric and Asymmetric Cryptography are, and also about the Caesar Cipher and Vigenère Cipher for Symmetric Cryptography, and lastly the RSA algorithm for Asymmetric Cryptography.

Symmetric Cryptography
Symmetric cryptography is an outgrowth of classical cryptography. All classical cryptosystems are secret-key systems: the same key is used to encrypt and to decrypt. Most of them can be seen as block ciphers; the rest as stream ciphers.

Caesar Cipher
Also known as a Caesar shift cipher or shift cipher, it is one of the simplest methods of encryption, although it is easily broken: there are only 25 non-trivial shifts to try. It is a substitution cipher in which each letter in the plaintext is replaced by the letter a fixed number of positions further down the alphabet.

Vigenère Cipher
A polyalphabetic substitution cipher: a keyword is repeated above the plaintext and each letter is shifted by the alphabet position of the key letter beneath it, so the same plaintext letter can become different ciphertext letters. This defeats the single-letter frequency analysis that breaks a Caesar cipher, though the cipher falls once the key length is recovered.
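Both symmetric ciphers from this lab, with a brute-force attack on the Caesar cipher, as an added example that is not part of the lab handout. The plaintexts and keys are constructed; the Vigenère example uses the common textbook pair of plaintext ATTACKATDAWN and key LEMON.

```python
"""Caesar and Vigenère ciphers over the 26-letter English alphabet, plus a
brute-force attack on Caesar. Added example, not from the lab; the sample
plaintexts and keys are constructed."""
import string
from typing import Dict

ALPHABET = string.ascii_uppercase


def shift_letter(ch: str, k: int) -> str:
    """Shift one upper-case letter k positions along the alphabet (mod 26);
    anything that is not a letter passes through unchanged."""
    if ch not in ALPHABET:
        return ch
    return ALPHABET[(ALPHABET.index(ch) + k) % 26]


def caesar(text: str, shift: int, decrypt: bool = False) -> str:
    """Caesar cipher: every letter is moved by the same fixed shift."""
    k = -shift if decrypt else shift
    return "".join(shift_letter(ch, k) for ch in text.upper())


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Vigenère cipher: the key letters give a repeating sequence of shifts, so
    the i-th plaintext letter is Caesar-shifted by key[i mod len(key)].
    A one-letter key makes this exactly a Caesar cipher."""
    shifts = [ALPHABET.index(k) for k in key.upper() if k in ALPHABET]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out, i = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            k = shifts[i % len(shifts)]
            out.append(shift_letter(ch, -k if decrypt else k))
            i += 1  # only letters consume a key position
        else:
            out.append(ch)
    return "".join(out)


def brute_force_caesar(ciphertext: str) -> Dict[int, str]:
    """Why Caesar is 'easily broken': there are only 26 keys, so try them all
    and let a human (or a dictionary) pick the readable candidate."""
    return {s: caesar(ciphertext, s, decrypt=True) for s in range(26)}


if __name__ == "__main__":
    print(caesar("HELLO WORLD", 3))                       # KHOOR ZRUOG
    print(vigenere("ATTACK AT DAWN", "LEMON"))            # LXFOPV EF RNHR
    for shift, guess in brute_force_caesar("KHOOR ZRUOG").items():
        print(f"shift {shift:2d}: {guess}")
```

The brute-force loop is the practical meaning of "easily broken": the key space is 26, so exhaustive search is instant. Vigenère only enlarges the key space to 26 to the power of the key length and is still broken by classical methods once that length is found.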

Asymmetric Cryptography
Asymmetric cryptography, or public-key cryptography, uses a pair of mathematically related keys: a public key to encrypt a message and the matching private key to decrypt it, so that the message arrives securely. The user generates the key pair and keeps the private key secret; a certificate authority may then certify that the public key belongs to that user. Anyone who wants to send an encrypted message obtains the intended recipient's public key from a public directory (or from its certificate), encrypts the message with it, and sends it. When the recipient gets the message, they decrypt it with their private key, which no one else should have access to.
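The RSA algorithm from this lab, carried through with small numbers as an added example that is not part of the lab handout. The primes 61 and 53 with public exponent 17 are a constructed textbook pair; real deployments use moduli of 2048 bits or more and randomised padding such as OAEP, which this block deliberately omits to keep the key-pair mechanics visible.

```python
"""Textbook RSA with small primes: key generation, encryption with the
public key, decryption with the private key. Added example, not from the
lab; the primes and message are constructed. Real deployments use moduli of
2048 bits or more and randomised padding (e.g. OAEP); this shows the
key-pair mechanics only and is not secure as written."""
from math import gcd
from typing import List, Tuple

PublicKey = Tuple[int, int]   # (n, e)
PrivateKey = Tuple[int, int]  # (n, d)


def is_prime(n: int) -> bool:
    """Trial division; fine for the toy sizes used here."""
    if n < 2:
        return False
    return all(n % f for f in range(2, int(n ** 0.5) + 1))


def generate_keypair(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """The key pair is produced by the key owner, not by a certificate
    authority; a CA only certifies that the public key belongs to the owner."""
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key: PublicKey, m: int) -> int:
    """c = m^e mod n; the message must already be an integer below n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(private_key: PrivateKey, c: int) -> int:
    """m = c^d mod n; only the holder of d can do this."""
    n, d = private_key
    return pow(c, d, n)


def encrypt_text(public_key: PublicKey, text: str) -> List[int]:
    """Encrypts byte by byte so each block is below n. Deterministic, so an
    attacker can recognise repeated bytes; kept only to show round-tripping."""
    return [encrypt(public_key, b) for b in text.encode()]


def decrypt_text(private_key: PrivateKey, blocks: List[int]) -> str:
    return bytes(decrypt(private_key, c) for c in blocks).decode()


if __name__ == "__main__":
    public, private = generate_keypair(61, 53, e=17)   # n = 3233, d = 2753
    print("public :", public)
    print("private:", private)
    c = encrypt(public, 65)
    print("65 ->", c, "->", decrypt(private, c))         # 65 -> 2790 -> 65
    blocks = encrypt_text(public, "hi")
    print(blocks, "->", decrypt_text(private, blocks))
```

The check that matters is in generate_keypair: d is the inverse of e modulo phi(n), which is why m^(e*d) mod n returns m, and why anyone who can factor n into p and q can compute d themselves. The security of the scheme rests entirely on that factoring being infeasible at real key sizes.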