Information security definition
Information security: information is an asset like any other, exposed to unintended or malicious activity that can affect its confidentiality, integrity or availability; defensive practices and activities therefore have to be in place to help protect these valuable assets.
Other definitions concentrate more on safeguarding information in its different states: at rest (stored in databases or files), in motion (travelling over different carriers) and in use (while it is being processed).
1.2.1 Design & build it to be secure:
This approach depends on building the application on a framework with a security focus, so that security becomes part of the application itself and the risk of security vulnerabilities is kept to a minimum.
Sometimes this is reached through a special process, such as a development methodology, or through a programming language that enforces security properties.
This approach can look ideal for new applications, but for old or legacy applications it becomes unrealistic.
1.2.2 Verify it is secure:
This approach depends on vulnerability analysis: investigating the application for different vulnerabilities to be sure that the main and known ones are covered.
The next step to apply security through that approach is to reinforce and fix
This approach can be useful for new systems and legacy ones alike.
Vulnerability analysis can be done with tools or even manually, depending on the vulnerability being analysed.
Vulnerability analysis can be done using:
o Static methods, such as auditing the application source code.
o Dynamic methods, where the analysis is done at run time by observing the behaviour of the system.
The static method can give the widest coverage of the existing vulnerabilities but tends to raise false alerts (false positives), whereas with the dynamic method we can be sure a finding is real, because it was actually triggered, but have no guarantee of complete coverage of the vulnerabilities.
1.2.3 Protect it:
This approach depends on building a run-time environment that helps prevent the application's vulnerabilities from being exploited. It can be applied through two methods:
1- A proxy approach that isolates and detaches the application from other components in the system, which minimizes the ability to exploit the
2- Embedding monitoring capabilities in infrastructure components (browser, language runtime) to monitor behaviour and to isolate and quarantine any threat.
Even though the presented approaches are categorized in different classes, a hybrid use of them can be applied, depending on the nature of the application.
1.3 Layered Security
One of the most efficient ways to deal with security issues in general, and information security in particular, is to apply a layer-based model in order to understand threats and apply the necessary countermeasures for them.
What makes this model suitable for security is the architecture of today's networks and information systems: most interactions between users and information systems go through the network as a set of requests sent from the beneficiary to a server that handles the request, processes any submitted information, and retrieves or manipulates data. In that context the data becomes the core of the model, as it is the main asset that needs to be protected.
Many models were created to embody the layered security approach from different perspectives.
Some models take the security policy and the user dimension into consideration; others focus more on the main layers:
1.3.1 The physical layer:
By the physical layer we mean direct physical access to hardware. As illustrated in the chart above, access at the physical layer can be very direct and dangerous, because an attacker can cause direct damage to, or compromise, network, processing and storage devices. For example, causing a denial of service against a server is as simple as unplugging its power cord. This is why the physical security of data centres is an issue that needs to be taken seriously.
A well-designed architecture should allow a response to an attack even when the attack is physical, for example by sending a notification or raising an alarm.
1.3.2 Network layer:
When the attacker has no direct access to the physical hardware, the only available path is through the outer layers toward the core, where the data assets reside.
Compromising the network layer makes it easy for the attacker to disclose, alter, or make unavailable mainly the data in motion: requests sent by a legitimate user and responses sent by the server. In this model the network layer represents all the activities, devices and protocols used to transfer data from its source to its destination.
1.3.3 Platform layer:
The platform layer is the carrier of the application layer: it provides the interface between the hardware devices and the application layer, in addition to process and file management.
This layer is normally represented by the operating system and any framework or server software that hosts the application.
1.3.4 Application layer:
This layer represents all input processing, storage, retrieval, manipulation and output activities done on the server side or the client side.
This layer depends on the services it gets from the platform layer.
1.3.5 Data layer:
This is the layer where the precious assets reside; as is well known, data is the real asset of an information system.
If an attacker is able to reach this layer, the information system is considered compromised.
1.3.6 The response layer:
This layer is the deepest one; it encompasses all data and system recovery, monitoring, logging and notification activities.
The safety of this layer is critical because it is the only guarantee that the data will be partially or totally recovered after an attack, or at least that the attack will be known to have taken place.
The response layer is an abstract layer, because its contents may be distributed over the network, platform and application layers.
1.4 The security of layers:
In a layer-based model each layer provides services to the next layer in order. One of the provided services is security; thus each layer is responsible for preventing any malicious attack from passing through to the next layer. But since the layers are of a different nature, it is sometimes impossible for a specific layer to stop an attack that is meant to target a deeper layer. Many malicious requests can travel freely through a specific layer as legitimate requests, because the request does not contain any sign of malicious activity related to that
An attacker may need to compromise more than one layer to be able to fulfil the goals of the attack. Compromising a layer is not always the goal of an attack; it may only be a step toward compromising a deeper layer to reach the real target.
The following drawing illustrates some examples of attack scenarios:
It is important to understand that security is only as strong as the weakest layer, which means that the compromise of any single layer can cause a security breach of the whole system.
This is why we should differentiate between the various vulnerabilities, attacks, techniques, technologies and tools used to secure each layer.
Our focus in this subject is web application security, so we will concentrate on the layers directly related to the application, namely the application layer.
1.5 Application layer security:
The application layer, as mentioned, is the layer where all the logic of input, processing, manipulation, storage and output resides. That makes it the place containing the custom-built components, and therefore the components with the least maturity, which makes it the most tempting target for malicious attacks.
1.6 Defense mechanisms
To be able to defend the application we need to specify the main mechanisms used to make this possible.
This approach emphasizes application security heavily; note that other aspects need to be considered if we target general defense mechanisms.
The actual focus is on the ability to control access, to control the attacker, and to enable full monitoring capabilities over user input and the application:
1.6.1 Controlling user access:
This part is about controlling the user's privileges in terms of access to data and functionality. This target is normally covered in a web application by three main mechanisms:
a. Session management:
Session management is the method by which the server can handle subsequent requests coming from the same user; that is, it is the way the server differentiates the various requests coming from
HTTP as a protocol does not provide this service, as it is a stateless protocol.
In general, every application needs an approach for dealing with the requests sent by various users while keeping track of each
The common way to provide session management in an application is to create a session structure and generate a session token. The session structure is dedicated to tracking the user's interaction through the unique generated token.
Tokens are long, randomly generated strings that are unique to the user; they must come from a cryptographically secure random source, since a predictable token lets an attacker take over another user's session. Tokens are transmitted using different methods; the most common is HTTP cookies, but other methods such as URL strings or hidden form fields can be used too (a token carried in the URL ends up in browser history, proxy logs and Referer headers, which is why cookies are preferred).
The session of a specific user is destroyed automatically after a period of time if no interaction between the client and the server is initiated; this period can be set by the application and is usually about 20 minutes.
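The mechanism just described, as an added example that is not part of the original text: a minimal server-side session store with a long random token, a session structure keyed by that token, transport of the token in an HTTP cookie, and destruction of the session after a period of inactivity. The class and function names, the cookie name "session" and the 20-minute default are assumptions chosen for illustration.

```python
# Added example (not from the original text). SessionStore, set_cookie_header,
# session_from_cookie, the cookie name "session" and IDLE_TIMEOUT are assumptions.
import secrets
import time

IDLE_TIMEOUT = 20 * 60  # seconds without interaction after which the session is destroyed


class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self._sessions = {}           # token -> session structure
        self.idle_timeout = idle_timeout
        self._clock = clock           # injectable so the idle timeout can be tested

    def create(self, user_id):
        # 32 bytes from the OS CSPRNG, encoded as a 43-character URL-safe string.
        # Nothing about the user is encoded in the token, so it cannot be predicted.
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = {"user": user_id, "created": now,
                                 "last_seen": now, "data": {}}
        return token

    def lookup(self, token):
        """Return the session structure for a token, or None if the token is unknown
        or the session has been idle longer than idle_timeout."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > self.idle_timeout:
            del self._sessions[token]   # expired: destroy it so the token is dead
            return None
        session["last_seen"] = now      # any interaction resets the idle clock
        return session

    def destroy(self, token):
        """Explicit logout."""
        self._sessions.pop(token, None)


def set_cookie_header(token):
    # HttpOnly keeps script from reading the token, Secure keeps it off plain HTTP,
    # SameSite limits cross-site requests from carrying it automatically.
    return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


def session_from_cookie(store, cookie_header):
    """Parse a Cookie request header and resolve the 'session' token to a session."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return store.lookup(value)
    return None
```

The clock is injected so that the idle timeout can be exercised without waiting; in a real deployment `time.time` is used as-is and the session dictionary would live in a shared store rather than in process memory.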
b. Authentication:
Authentication is the method used to identify the user trying to access the application; normally anonymous, unauthenticated users are treated as guests and given a specific level of access, depending on the nature of the application.
The simplest approach to authentication in a web application is usually a user name and password combination.
The provided credentials should satisfy a set of conditions that minimize the possibility of guessing them.
More critical web applications should depend on extra credentials, such as challenge codes, smart or magnetic cards, or biometric approaches.
c. Access control:
Authenticating the users accessing the application is only the first step; it paves the way for controlling the access of different users to application resources and functionality.
This task is called "authorization", and it means specifying "WHO" may access "WHAT".
Generally, the "WHO" information is mapped to a set of privileges, where the privilege set specifies the access level of that user on a specific resource.
Privileges are usually bundled into roles, and one or more roles can be assigned to a user or to a group of users.
Robust access control is a must, because it can be a big source of threats from malicious users who may try to elevate their privileges or try to access resources or functionality with
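The role and privilege mapping described above, as an added example that is not part of the original text: privileges are bundled into roles, users hold one or more roles, every protected function checks the caller's effective privileges, and role assignment is itself a privileged function so that a user cannot elevate privileges by naming a role in a request. The role names, privilege names and users are assumptions chosen for illustration.

```python
# Added example (not from the original text). ROLES, USER_ROLES and the privilege
# strings are illustrative assumptions, not a real application's configuration.

ROLES = {
    "viewer": {"account:read"},
    "teller": {"account:read", "account:transfer"},
    "admin":  {"account:read", "account:transfer", "user:manage", "audit:read"},
}

USER_ROLES = {
    "alice": {"viewer"},
    "bob":   {"teller"},
    "carol": {"admin", "teller"},
}


class AccessDenied(Exception):
    pass


def privileges_of(user):
    """Effective privileges: the union of the privileges of every role the user holds.
    An unknown user, or a user with no roles, gets the empty set (deny by default)."""
    privs = set()
    for role in USER_ROLES.get(user, ()):
        privs |= ROLES.get(role, set())
    return privs


def can(user, privilege):
    return privilege in privileges_of(user)


def authorize(user, privilege):
    """WHO (user) may do WHAT (privilege); raise instead of silently continuing."""
    if not can(user, privilege):
        raise AccessDenied(f"{user} lacks {privilege}")


def transfer(user, src, dst, amount):
    # function-level check before any business logic runs
    authorize(user, "account:transfer")
    return f"{user} moved {amount} from {src} to {dst}"


def assign_role(actor, target, role):
    """Granting a role is a privileged function: a request carrying 'role=admin'
    from an ordinary user is refused here rather than trusted."""
    authorize(actor, "user:manage")
    if role not in ROLES:
        raise ValueError(f"unknown role {role}")
    USER_ROLES.setdefault(target, set()).add(role)
    return privileges_of(target)
```

The decision is taken from server-side state only; nothing the client sends (a role name, a "is_admin" flag in a hidden field) influences the outcome.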
1.6.2 Controlling user input:
With all the risk related to accessing data, handling user input is still the biggest challenge, because of the degree of freedom you need to give the user to fulfil the requirements of a usable application; this makes a defense mechanism for user input a necessity.
a. Blacklisting and whitelisting: Covering the issues related to input is not an easy task, especially when it involves free text, or hidden information that is not part of the user's direct interaction, such as hidden fields and cookie values.
Input handling is usually done by applying one of two common approaches: accept only known-good input based on known patterns (whitelisting), or reject suspicious input based on common
b. Sanitization:
Even though whitelisting and blacklisting seem very efficient, they can sometimes make the application less user-friendly and less usable, which drives the need for other ways, such as sanitization.
c. Semantic check:
Even sanitization can fail to produce safe input, because the attacker sometimes relies on input that is totally valid at the syntactic level but malicious at the semantic level. A good example of this case is trying to access other users' information by altering the account number in the hidden field dedicated to that purpose.
In that case the input is valid, as it matches the pattern of an account number, and the session information shows that the user is successfully authenticated, so the user is allowed to access and manipulate the information related to the entered account number, even though that account belongs to somebody else.
d. Recursive and fragmented check:
In many cases the attacker may divide the attack into multiple stages, such that each part on its own is not classified as malicious input but, once merged, they form a malicious input. An example is double-encoding a special character in the URL: when the URL is received and decoded for the first time it does not look suspicious, but the second decoding by the application turns it into the special character, bypassing the filter:
%2527 decodes to %27, which decodes to an apostrophe (special
Another example is bypassing the sanitization process by generating an attack that reconstructs itself after a single pass
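The four input-handling checks of this section (whitelist, single-pass versus recursive sanitization, the semantic ownership check, and decoding until stable to defeat double encoding), as one added example that is not part of the original text, applied to a hidden account-number field. The eight-digit account format, the blacklist fragments, the session contents and the function names are assumptions chosen for illustration.

```python
# Added example (not from the original text). ACCOUNT_RE, BAD_PATTERNS, SESSION and
# the helper names are illustrative assumptions.
import re
from urllib.parse import unquote

ACCOUNT_RE = re.compile(r"^[0-9]{8}$")      # whitelist: exactly eight digits, nothing else
BAD_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (r"<script>", r"javascript:")]

# constructed session: the authenticated user and the accounts they own
SESSION = {"user": "alice", "accounts": {"12345678", "23456789"}}


def whitelist_account(value):
    """a. Accept only input matching the known-good pattern."""
    return bool(ACCOUNT_RE.match(value))


def sanitize_once(text):
    """b. Single-pass blacklist removal: one sweep over the input."""
    for pat in BAD_PATTERNS:
        text = pat.sub("", text)
    return text


def sanitize_recursive(text):
    """d. Repeat the sweep until the input stops changing, so an attack that
    reconstructs itself after one pass ("<scr<script>ipt>") is still removed."""
    while True:
        cleaned = sanitize_once(text)
        if cleaned == text:
            return cleaned
        text = cleaned


def decode_fully(value, max_rounds=5):
    """d. Percent-decode until stable so the filter sees what the application will
    eventually see; refuse input that keeps changing (layered encoding as evasion)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def naive_filter_blocks(value):
    """A filter that decodes once and looks for an apostrophe; %2527 slips past it."""
    return "'" in unquote(value)


def strict_filter_blocks(value):
    return "'" in decode_fully(value)


def validate_account_request(raw_account, session):
    """Syntactic check (whitelist) followed by the semantic check (c.): the account in
    the hidden field must belong to the authenticated user, or the request is refused
    even though it looks perfectly well-formed."""
    account = decode_fully(raw_account)
    if not whitelist_account(account):
        return "rejected: bad format"
    if account not in session["accounts"]:
        return "rejected: not your account"
    return f"ok: {account}"
```

The order matters: decode first, then validate the format, then check ownership against server-side session state; none of the three steps can substitute for the others.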
1.6.3 Controlling the attacker:
The other dimension that should be controlled is the attacker, in order to be sure that all unexpected errors are handled, the audit log is preserved, the administrator is notified and the attack is responded to.
a. Mitigating unexpected errors:
Error handling allows controlling the unexpected part by showing a customized, non-informative message, or by keeping the error away from any system-generated messages, which minimizes the information disclosure caused by unexpectedly verbose messages. The full detail (stack trace, query, file path) should still be recorded on the server side, where it helps the administrator and not the attacker.
b. Keeping audit logs:
The worst attacks are those that leave no trace, because they give investigators no answer as to which assets were compromised, what information was disclosed, accessed or altered, and nothing about the vulnerability used or the identity of
Audit logs should hold precise information about all events, transactions and access attempts that took place, together with their status (failed, succeeded), with special focus on any abnormal request showing a malicious pattern.
When storing and managing audit logs it is critical to make sure the information can be neither read nor changed by an attacker, even if that means isolating the log as a separate system or storing it on write-once media.
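An added example, not part of the original text, of one way to make the audit log described above tamper-evident: each record carries the hash of the record before it, so editing or deleting an entry after the fact breaks the chain and is detected on verification. The record fields and class name are assumptions. This makes tampering detectable, not impossible; an attacker who can rewrite the whole file can rebuild the chain, which is why the text's advice to keep the log on a separate system or write-once media still applies.

```python
# Added example (not from the original text). AuditLog, the record fields and the
# sample events in the accompanying test are illustrative assumptions.
import hashlib
import json

GENESIS = "0" * 64   # "previous hash" of the very first record


def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes the same way
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []   # append-only list of {"record": ..., "hash": ...}

    def append(self, ts, user, event, status, detail=""):
        """Record an event with its status (failed / succeeded) and chain it."""
        record = {"ts": ts, "user": user, "event": event,
                  "status": status, "detail": detail}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"record": record, "hash": _digest(prev, record)}
        self.entries.append(entry)
        return entry["hash"]   # the latest hash can be copied off-box as an anchor

    def verify(self):
        """Walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if _digest(prev, entry["record"]) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, None

    def failed_logins(self):
        """The kind of abnormal-pattern query an investigator runs first."""
        return [e["record"] for e in self.entries
                if e["record"]["event"] == "login" and e["record"]["status"] == "failed"]
```

Periodically copying the latest hash returned by `append` to a place the application host cannot write (another system, a printout, write-once media) lets the verifier also detect truncation of the tail of the log.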
c. You are under attack:
Another important issue in handling the attacker is letting the administrator know that the system is under attack, so that a response can be made in real time, because some attacks can be stopped if a fast enough response is generated. Monitoring and detection modules normally depend on abnormalities in the received requests: their count, their sequence, known attack patterns, or even suspicious business content. Examples are receiving a large number of requests from the same source IP, getting requests in a suspicious sequence, alteration of values that are normally inaccessible to the user (hidden fields), or getting a request to transfer an unusually large amount of money from an online bank account.
Detection modules can be a separate application, such as a firewall or an intrusion detection system, but this approach may not be as effective as modules integrated at all levels, especially against attacks of a semantic nature, because off-the-shelf products rely on generic patterns, in contrast with intrusion detection modules integrated as part of the application, which know the application's own data and logic.
d. Responding to attacks:
Notifying the administrator that the application is under attack is one thing, and reacting actively is another, because responding in real time is an essential factor and can sometimes save the application and stop the attack in many critical
A response might be blocking requests from a specific source, responding slowly to suspicious requests, or dropping the user's
Even if the response is unable to stop a skilled attacker's malicious activities, it will provide more information and buy the administrator time to react more effectively to the attack.
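An added example, not part of the original text, of the in-application detection and response described in c. and d.: a small module run over constructed sample requests that flags the four anomaly kinds named above (request volume from one source IP, an out-of-order step sequence, an altered hidden field, an unusually large transfer amount) and responds by blocking the source. The thresholds, the signing key, the field names, the step sequence and the sample traffic are all assumptions chosen for illustration.

```python
# Added example (not from the original text). Detector, make_request, SAMPLE, the
# thresholds and HIDDEN_FIELD_KEY are illustrative assumptions.
import hmac
import hashlib
from collections import defaultdict, deque

HIDDEN_FIELD_KEY = b"server-side-secret"     # assumption: known only to the server
RATE_LIMIT = 5                               # requests per window from one IP before flagging
WINDOW = 10.0                                # seconds
MAX_TRANSFER = 10_000                        # amount above which a transfer is suspicious
EXPECTED_STEPS = ["start", "amount", "confirm"]   # the legitimate transfer sequence


def sign_hidden(value):
    """The server signs a hidden field when it emits the form, so a client that edits
    the value cannot produce a matching signature."""
    return hmac.new(HIDDEN_FIELD_KEY, value.encode(), hashlib.sha256).hexdigest()


class Detector:
    def __init__(self):
        self.hits = defaultdict(deque)   # ip -> request timestamps inside the window
        self.step = {}                   # session -> index of the next expected step
        self.blocked = set()             # response: sources we no longer serve
        self.alerts = []                 # (ip, session, reasons) for the administrator

    def _alert(self, req, reasons):
        self.alerts.append((req["ip"], req["session"], ",".join(reasons)))
        self.blocked.add(req["ip"])      # react, not just notify

    def handle(self, req):
        """Return 'blocked', 'alert' or 'ok' for one request dict."""
        if req["ip"] in self.blocked:
            return "blocked"
        reasons = []

        # 1. count: too many requests from one IP inside the sliding window
        q = self.hits[req["ip"]]
        q.append(req["ts"])
        while q and req["ts"] - q[0] > WINDOW:
            q.popleft()
        if len(q) > RATE_LIMIT:
            reasons.append("rate")

        # 2. sequence: each step must follow the previous one; a completed
        #    sequence starts over
        pos = self.step.get(req["session"], 0)
        if pos >= len(EXPECTED_STEPS):
            pos = 0
        if req["step"] == EXPECTED_STEPS[pos]:
            self.step[req["session"]] = pos + 1
        else:
            reasons.append("sequence")

        # 3. hidden field: the value must still carry the server's signature
        if not hmac.compare_digest(sign_hidden(req["account"]), req["account_sig"]):
            reasons.append("hidden-field")

        # 4. business content: unusually large transfer amount
        if req.get("amount", 0) > MAX_TRANSFER:
            reasons.append("amount")

        if reasons:
            self._alert(req, reasons)
            return "alert"
        return "ok"


def make_request(ts, ip, session, step, account, amount=0, tamper=False):
    """Build a request as the server would receive it; tamper=True simulates a client
    editing the hidden account field without being able to re-sign it."""
    sig = sign_hidden(account)
    if tamper:
        account = "99999999"
    return {"ts": ts, "ip": ip, "session": session, "step": step,
            "account": account, "account_sig": sig, "amount": amount}


SAMPLE = [  # constructed traffic, not a real capture
    make_request(0.0, "10.0.0.5", "s1", "start", "12345678"),
    make_request(1.0, "10.0.0.5", "s1", "amount", "12345678", amount=250),
    make_request(2.0, "10.0.0.5", "s1", "confirm", "12345678", amount=250),
    make_request(3.0, "10.0.0.9", "s2", "confirm", "12345678", amount=250),     # skipped steps
    make_request(4.0, "10.0.0.7", "s3", "start", "12345678", tamper=True),      # hidden field edited
    make_request(5.0, "10.0.0.8", "s4", "start", "12345678", amount=50_000),    # unusual amount
]


def run(detector, requests):
    return [detector.handle(r) for r in requests]
```

Checks 2 to 4 are the semantic ones a generic off-the-shelf product cannot make, because they depend on knowing what a legitimate transfer sequence, a signed hidden field and a normal amount look like for this application.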
1.6.4 Monitoring and auditing:
This aspect is one of the most important, because it gives the administrator the ability to monitor overall user behaviour, organize roles, initiate diagnostic tasks and apply different configurations, and additionally to track and log any abnormal user activity.
The sensitivity and importance of this mechanism also make it a very tempting target for attackers, who may try to gain higher privileges or disclose power-user information by benefiting from misconfiguration.