
Thursday, January 16, 2014

The Three Headed Threat

The Highest Web Application Risks
 
The three-headed web application threat: three attacks that can cause major problems for your web application and become a nightmare.
  • Cross-Site Scripting (XSS)
  • SQL Injection
  • Denial of Service (DoS)
For me these are the big three; for other security professionals it could be a different mix. I chose these three because they occur so often.
 
Cross-Site Scripting (XSS)
Using the special characters below, attackers can compromise your web application and steal its data through cross-site scripting.
< >" ' % ; () & + \ # { } | ^ - [ ]
 
Filtering the input and output for the characters listed above is the common method of safeguarding against cross-site scripting attacks.

Impact of Cross-Site Scripting

Hackers can successfully exploit XSS vulnerabilities in a web application by inserting a script that gives them access to end users' account credentials. They are then able to perform many malicious activities, such as:
  • Hijack an account
  • Spread web worms
  • Access browser history and clipboard contents
  • Control the browser remotely
  • Scan and exploit intranet appliances and applications
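
As an added example (not from the original post), the Python below shows both halves of the filtering advice above: an allowlist that filters a fixed-shape input field, and output encoding of the HTML-significant characters before a free-text field reaches the page. The wrapper markup, the user-name rule and the sample comment are constructed for the demonstration.

```python
import html
import re

# Constructed sample: a free-text comment carrying several of the characters
# on the post's list (< > " ' &). Sample data, not captured input.
SAMPLE_COMMENT = '<script>alert("hi")</script> & Tom\'s "quoted" text'

# Input filtering for a field with a known shape: an allowlist for user names
# rejects every special character on the post's list with a single rule.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.]{3,32}$")

def validate_username(name: str) -> bool:
    return USERNAME_RE.fullmatch(name) is not None

WRAP_OPEN, WRAP_CLOSE = '<div class="comment">', '</div>'

def render_comment_unsafe(comment: str) -> str:
    # Vulnerable: free text is concatenated straight into the page, so any
    # '<' or quote in it becomes live markup in the reader's browser.
    return WRAP_OPEN + comment + WRAP_CLOSE

def render_comment_safe(comment: str) -> str:
    # Hardened: output-encode the characters that carry meaning in HTML
    # (< > & " ') so the browser displays them as text instead of parsing them.
    return WRAP_OPEN + html.escape(comment, quote=True) + WRAP_CLOSE

def body_has_live_markup(rendered: str) -> bool:
    # Check used by this example: strip the known wrapper and look for any
    # remaining '<' or '>' that the browser would treat as a tag boundary.
    inner = rendered[len(WRAP_OPEN):len(rendered) - len(WRAP_CLOSE)]
    return "<" in inner or ">" in inner

if __name__ == "__main__":
    print(render_comment_unsafe(SAMPLE_COMMENT))
    print(render_comment_safe(SAMPLE_COMMENT))
    print(validate_username("alice_01"), validate_username("al<ice>"))
```

The allowlist is the right tool for fields whose shape is known in advance; free text such as a comment cannot be allowlisted, which is why its protection has to happen on output.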
SQL Injection
SQL injection is input data that produces unintended results when a database query is executed: the input contains extra characters that change the intended SQL query string.
Mitigation:
  • Build all SQL statements within a stored procedure instead of in the application.
  • Filter key SQL elements from the data before executing your query.
 
Denial of Service (DoS)
Denial of Service attacks are caused by an attacker who sends enough traffic to your web application, typically using free tools available on the Internet, that the web service stops responding or becomes unavailable to answer legitimate requests, leaving legitimate users unable to access your web site or application.
Diagnosis:
  • Unusually slow network performance (opening files or accessing websites)
  • Unavailability of a particular website
  • Inability to access any website
  • A dramatic increase in the number of spam emails received
Mitigation:
Have a business continuity plan that uses alternate web server resources and IP addresses that can be quickly configured to accept legitimate customer traffic so customers can still access the site.
Turn on and review log files to determine whether the web application is really under a DoS attack; sometimes it is not an attack at all, but something configured incorrectly or something polling your website by mistake.
There are also cloud services available that can absorb a DoS attack for your web site and pass only legitimate traffic on to it.
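
As an added example, not from the original post, the Python below does the log review described above over constructed access-log lines: it counts requests per client per minute and separates a single client polling one URL (a likely misconfiguration) from a client spraying varied requests. The per-minute threshold, the 90% single-URL rule and the log format are assumptions made for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx common log format; keep the client address, time of day and path.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[\d+/\w+/\d+:(\d\d):(\d\d):(\d\d) [^\]]+\] "\w+ (\S+) ')

def make_line(ip, hh, mm, ss, path, status=200):
    # Builds one constructed log line in that format (sample data, not real traffic).
    return (f'{ip} - - [16/Jan/2014:{hh:02d}:{mm:02d}:{ss:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, hh, mm, ss, path = m.groups()
    return ip, int(hh) * 3600 + int(mm) * 60 + int(ss), path

def triage(lines, window=60, limit=120):
    """Return (window, client, hits, top_path, verdict) for clients at or above `limit`."""
    per_window = defaultdict(lambda: defaultdict(Counter))  # window -> client -> Counter(path)
    for line in lines:
        parsed = parse(line)
        if parsed:
            ip, t, path = parsed
            per_window[t // window][ip][path] += 1
    findings = []
    for w, clients in sorted(per_window.items()):
        for ip, paths in clients.items():
            hits = sum(paths.values())
            if hits < limit:
                continue
            top_path, top_hits = paths.most_common(1)[0]
            # One client hitting one URL at a steady rate is usually a broken monitor
            # or cron job rather than an attack; varied paths from a hot client (or
            # many hot clients in the same window) point at a real flood.
            verdict = "single-url poller" if top_hits / hits >= 0.9 else "possible flood"
            findings.append((w, ip, hits, top_path, verdict))
    return findings

# Constructed sample: a monitor polling /status twice a second for three minutes,
# a client spraying 200 distinct search requests inside one minute, and one visitor.
SAMPLE = [make_line("203.0.113.7", 10, m, s, "/status")
          for m in range(3) for s in range(60) for _ in range(2)]
SAMPLE += [make_line("198.51.100.9", 10, 1, s % 60, f"/search?q={s}") for s in range(200)]
SAMPLE += [make_line("192.0.2.20", 10, 1, 30, "/index.html")]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```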
 
And for safety's sake: Encrypt The Data!
The only weakness that the mythical three headed dog Cerberus had was that it fell to the mighty strength of Hercules. 
 
Use the mighty strength of encryption to protect your data!
 
All three of the above threats put your data at risk. Anytime your data is at rest (stored), or in transit make sure it is encrypted.
 
 Enjoy,
 
Julius

Friday, October 18, 2013

Healthcare.gov Fix: U.S. Government Sponsored Hackathons

New Idea - The U.S. Government should make these overpriced government Information Technology firms compete against Hackathon public projects when drafting their technology proposals.

This would spark many youth to pursue careers in technology. Because of the rebellious nature of youth, many would get a kick out of creating competing products to stick it to the man! Thus, helping to solve America's STEM crisis.

 

Healthcare.gov would have been child's play for America's young adults who have built social media mega infrastructures, which were originally developed and hosted from dorm rooms and cramped apartments on computers sitting on the floor. 

Until we read again!

Take care!

Thursday, July 19, 2012

How To Create A Strong Password for Every Web Site and Remember It


Creating a strong password and keeping it confidential is the key to safeguarding your information on the Internet. Most people use the same password for every internet site and never change it. Are you one of those people who have used the same password on all your Internet sites for years? I hope not. There are many different ways to go about creating a strong password and creating a different password for every Internet site you access, but remembering each different password is a challenge.

This is a very simple method that is similar to the way I create a different strong password for each web site I use. I personally like using parts of each website's name, so it is easy for me to have a different, complex and strong password for each website I use. Note: You must keep your methodology to yourself to keep your information safe. If you give up your strong password formula, you give someone the ability to access every website you have. Once you develop your strong password formula/methodology, never write it down; make it logical enough that you will remember it.

Note: If you ever need to give someone access to your account, change the password to something different that does not use your password formula, and change it back as soon as you no longer need that person accessing your account.

  1. Take a web site like Facebook. I take the last four, three or two letters of the URL before the .com.
  2. You will end up with "ook". Now add some special characters, uppercase letters or numbers to the front and back of "ook" so that you end up with a password 10-12 characters in length, or longer; the longer the password, the more secure!
  3. For this example I added characters that gave me: %$Uook25K$ This is a very strong password. The only thing you need to memorize is that you must add "%$U" before "ook" and "25K$" after it.
  4. Now let's apply this method to another website. Let's do Twitter.
  5. Using the method from above, we take the last three characters before the .com, which gives us: "ter".
  6. Now add your mix of special characters, uppercase letters and numbers to "ter".
  7. You end up with: %$Uter25K$
  8. Try developing a custom password formula for yourself.
Now you have the ability to have a different password for every website you have an account on.

Enjoy,

Julius Clark, MBA, CISSP, CISA

In addition, if you are new to the IT Security field, or have no experience and want to change your career, consult with me at:

Wednesday, September 22, 2010

Governments That Request or Remove Data About Their Citizens

Google online tool

The Google Transparency Tool

Site:
http://www.google.com/transparencyreport

Per Google:

Transparency is a core value at Google. As a company we feel it is our responsibility to ensure that we maximize transparency around the flow of information related to our tools and services. We believe that more information means more choice, more freedom and ultimately more power for the individual.
We’ve created an interactive map of Government Requests that shows the number of government inquiries for information about users and requests for Google to take down or censor content. We hope this step toward greater transparency will help in ongoing discussions about the appropriate scope and authority of government requests.
Our interactive Traffic graphs provide information about traffic to Google services around the world. Each graph shows historic traffic patterns for a given country/region and service. By illustrating outages, this tool visualizes disruptions in the free flow of information, whether it's a government blocking information or a cable being cut. We hope this raw data will help facilitate studies about service outages and disruptions.

Transparency Report: Government Requests


I used this tool to conduct some quick research and compared the first six months of 2010 to all of 2009 for requests by governments either to collect information from Google on citizen-posted data or to have data removed.

Should we be scared? Google's Transparency Tool makes it real and demonstrates that countries keep tabs on what their citizens are doing on the Internet.

The United States leads the list with over 4287 data requests to Google between January 2010 and June 2010.

Google Transparency Report For Government Data Requests on Their Citizens: For the First Six Months of 2010 Compared To All of 2009

In the first 6 months of 2010, 4 of the 5 top governments that request data on their citizens have already exceeded the total number of requests they made for the entire year of 2009. See below.



Country           2010 Government Data Requests   2009 Government Data Requests   Change
----------------  ------------------------------  ------------------------------  ------
United States     4287                            3580                              707
Brazil            2435                            3663                            -1228
India             1430                            1061                              136
United Kingdom    1343                            1166                              177
France            1017                             846                              171


Google Transparency Report For Government Requests to Remove Their Citizens' Data: For the First Six Months of 2010 Compared To All of 2009

The number of requests to Google by governments to remove data is also increasing sharply. The United States is due to double the number of requests to remove information by the end of 2009.

Country           2009 Data Removal Requests   2010 Data Removal Requests   Change
----------------  ---------------------------  ---------------------------  ------
Brazil            291                          398                           107
Libya                                          149                           149
United States     123                          128                             5
Germany           188                          124                           124
Italy              57                           69                            12
United Kingdom    123                           48                           -75


Complete list of governments that requested data from Google or requested that Google remove data.

Country             Data Requests   Removal Requests
------------------  --------------  ----------------
China               ?
United States       4287            128
Brazil              2435            398
India               1430            30
United Kingdom      1343            48
France              1017            25
Germany             668             124
Italy               651             69
Spain               372             16
Australia           200             14
South Korea         170             38
Argentina           134             12
Taiwan              130             11
Chile               115
Singapore           106
Portugal            73              <10
Belgium             71              <10
Japan               56              7
Turkey              51              5
Hong Kong           50              <10
Switzerland         35              5
Israel              30              4
Austria                             2
Canada                              <10
Cyprus                              <10
Greece                              <10
Kazakhstan                          <10
Libya                               149
Macedonia [FYROM]                   <10
Malta                               <10
Mexico                              <10
Netherlands                         <10
New Zealand                         <10
Norway                              <10
Puerto Rico                         <10
Russia                              <10
Solomon Islands                     <10
Sweden                              <10

I applaud Google for providing this tool for transparency purposes. It makes you wonder about the information being gathered or censored. Hmmm.

Enjoy,

Julius
