A Practitioner’s Guide
R. Sarma Danturthi
Figure Credits
Figures 02-01a-b, 03.02, 03.03a-b, 05.01, 05.02, 06.01 –06.05, 07.07, 07.08, 07.11, 07.15, 08.01, 08.02, 09.03, 10.03, 11.02, 11.05, 11.09 – 11.13, 12.02, 16.02 – 16.05: Microsoft Corporation
Figures 04-02, 05.03, 07.09: Oracle Corporation
Figure 07-10c: The Department of Defense
Figure 09-02: National Institute of Standards and Technology
Figure 11-06: PayPal Holdings, Inc
Figure 11-07 & 11.08: The Apache Software Foundation
Figure 12-03: OWASP Foundation, Inc.
Figure 13-03: The United States Navy
Figure 14-01 & 14.02: The ZAP Dev Team
Figure 14-03 & 14.04: PortSwigger Ltd
Figures 14-05-14.07: Aircrack-ng
Figure 14-08 & 14.15: United States Department of Defense
Figure 14-16: Office of the Director of National Intelligence
Figure 14-17: SLEUTH KIT LABS
Figure 15-01a-b: Okta, Inc.
Figure 15-02: DigitalOcean, LLC.
Figure 15-03: Apple Inc
Cover image: Thapana Onphalai / Shutterstock
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals.
The author and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.
For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at corpsales@pearsoned.com or (800) 382-3419.
For government sales inquiries, please contact governmentsales@pearsoned.com.
For questions about sales outside the U.S., please contact intlcs@pearson.com.
Please contact us with concerns about any potential bias at www.pearson.com/report-bias.html.
Visit us on the Web: informit.com/aw
Library of Congress Control Number: 2024931425
Copyright © 2024 Pearson Education, Inc.
Hoboken, NJ
All rights reserved. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a
retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. For information regarding permissions, request forms and the appropriate contacts within the Pearson Education Global Rights & Permissions Department, please visit www.pearson.com/permissions.
ISBN-13: 978-0-13-807373-2
ISBN-10: 0-13-807373-2
$PrintCode
Editor-in-Chief
Mark Taub
Director, ITP Product Management
Brett Bartow
Executive Editor
James Manly
Production Manager
Sandra Schroeder
Development Editor
Ellie C. Bru
Production Editor
Mary Roth
Copy Editor
The Wordsmithery LLC
Technical Editor(s)
Brock Pearson
Team Coordinator
Tammi Barnett
Cover Designer
Chuti Prasertsith
Composition
codeMantra
Proofreader
Donna E. Mulder
Indexer
Erika Millen
Contents at a Glance
Foreword
Introduction
Part I Security Fundamentals
Chapter 1 Basics of Cybersecurity
Chapter 2 Security Details
Chapter 3 Goals of Security
Part II Database Security—The Back End
Chapter 4 Database Security Introduction
Chapter 5 Access Control of Data
Chapter 6 Data Refresh, Backup, and Restore
Chapter 7 Host Security
Chapter 8 Proactive Monitoring
Chapter 9 Risks, Monitoring, and Encryption
Part III Application Security—The Front End
Chapter 10 Application Security Fundamentals
Chapter 11 The Unseen Back End
Chapter 12 Securing Software—In-House and Vendor
Part IV Security Administration
Chapter 13 Security Administration
Chapter 14 Follow a Proven Path for Security
Chapter 15 Mobile Devices and Application Security
Chapter 16 Corporate Security in Practice Reference Index
Part I. Security Fundamentals
Chapter 1: The Basics of Cybersecurity: In this chapter, the reader is introduced to security fundamentals of CIADAD and the authentication fundamentals IAAA. After giving details of hardware, software, and physical security, the roles of users are discussed. A detailed example of security in an organization is then presented to the reader.
Chapter 2: Security Details: This chapter discusses details of encryption, compression, indexing, and archiving. It goes into depth about encryption algorithms, PKI, email security, and non-repudiation. Current and new algorithms are touched on briefly in this chapter as well.
Chapter 3: Goals of Security: The “who is who” in security, RACI matrix, and the goals of security are discussed in this chapter. Events and incidents are also discussed along with risks and breaches. This chapter also stresses the importance of logs and reengineering a project while keeping security as a top priority.
Part II. Database Security—The Back End
Chapter 4: Database Security Introduction: ACID and BASE databases are discussed with examples in this chapter. DDL and DML are shown separately after defining DIT and DAR. Structural and functional security issues in DBs are discussed as well, and a plan for procedural security is put forward for consideration.
Chapter 5: Access Control of Data: Access control with MAC, DAC, RBAC, and RuBAC with roles and privileges is discussed in this chapter. Hashing and checksum examples and how they can be applied to DB are discussed. This chapter also covers monitoring DB with triggers and data protection with various database objects such as views.
Chapter 6: Data Refresh, Backup, and Restore: Data refresh, import, export, backup, and restore methods are shown in this chapter. Readers will learn how the backups and restores should be kept and tested regularly, in addition to daily/weekly/monthly tracking.
Chapter 7: Host Security: A host is a location (such as a Linux server) that keeps the DB and applications. Taking care of host security is important too as the DB is hosted on the server. This chapter shows how to create cron jobs or scheduled jobs on servers and provides numerous examples.
Chapter 8: Proactive Monitoring: Proactive monitoring helps prevent incidents and helps an organization to be fully prepared. Proactive monitoring can be done with logs, triggers, and more. Log file generation and reading are discussed to keep the reader up to date about what to expect.
Chapter 9: Risks, Monitoring, and Encryption: Risks can be mitigated, transferred, or accepted. But before choosing what to do with a risk, the risk needs to be measured. Risk monitoring is discussed in this chapter, along with DB monitoring, encrypting a DB, and generating automated alerts.
Part III. Application Security—The Front End
Chapter 10: Application Security Fundamentals: Application security starts with good coding fundamentals and following an acceptable coding standard. Cohesion and coupling are discussed, and practical examples show serverand client-side security and checking. Change management is introduced in this chapter to help explain why unauthorized changes to code and DB are not allowed and must follow an approved change management process.
Chapter 11: The Unseen Back End: This chapter discusses stored procedures in the back-end DB and how SQL code can be stored on the DB to run queries rather than creating plaintext queries on the front end then passing them to the DB. Stored procedures offer better security and can be easily embedded into many high-level programming languages.
Chapter 12: Securing Software—In-House and Vendor: Requirements to test in-house-developed software and vendor software are different and each should be tested separately to avoid any vulnerabilities. This chapter discusses the SAST tools available and what the tests show. It also shows why patching and software updates are required and should be done as soon as they are released.
Part IV. Security Administration
Chapter 13: Security Administration: The “need to know” and “least privilege” along with clearances given to subjects are discussed in this chapter. Change management is touched on once more to show how the systems all work in tandem to allow only authorized changes. Legal liabilities are discussed in detail as well the benefits of being proactive in maintaining security.
Chapter 14: Follow a Proven Path for Security: A proven path for achieving security in the DB and application is to conduct around-the-clock monitoring after implementing security controls. Proven path includes testing regularly with various tools and conducting audits. Operational security is discussed in this chapter.
Chapter 15: Mobile Devices and Application Security: Mobile devices pose a new threat as they are now widespread and used everywhere. Wi-Fi security, user privacy, and cryptography’s role in these devices are
discussed in this chapter along with sandboxing and the NIST’s directions for mobile devices.
Chapter 16: Corporate Security in Practice: This chapter discusses each aspect of corporate security in detail —physical, software, hardware, and others. It covers how new employees are onboarded and an existing employee can renew their credentials. Attacks and losses are explained, as well as how an organization can recover from an attack. This chapter covers “lessons learned” and how to document the details after an incident materializes.
Foreword
Introduction
Part I Security Fundamentals
Chapter 1 Basics of Cybersecurity
Cybersecurity
CIA-DAD
Confidentiality
Integrity
Availability
I-A-A-A
Identification
Authentication
Authorization
Auditing or Accounting
Defense in Depth
Hardware and Software Security
Firewalls, Access Controls, and Access
Control Lists
Physical Security
Practical Example of a Server Security in an Organization
Summary
Chapter 1 Questions
Answers to Chapter 1 Questions
Chapter 2 Security Details
The Four Attributes: Encrypt, Compress, Index, and Archive
Encryption
Compression
Indexing
Archiving
Encryption, Algorithms
Public Key Infrastructure
Email Security Example
Nonrepudiation, Authentication Methods (KH-A)
Current and New Algorithms
Summary
Chapter 2 Questions
Answers to Chapter 2 Questions
Chapter 3 Goals of Security
Goals of Security—SMART/OKR
Who’s Who in Security: RACI
Creating the RACI Matrix
Planning—Strategic, Tactical, and Operational
Events and Incidents
Risks, Breaches, Fixes
Security Logs—The More the Merrier
Re/Engineering a Project
Keeping Security Up to Date
Summary
Chapter 3 Questions
Answers to Chapter 3 Questions
Part II Database Security—The Back End
Chapter 4 Database Security Introduction
ACID, BASE of DB, and CIA Compliance
ACID, BASE, and CIA
Data in Transit, Data at Rest
DDL and DML
Designing a Secure Database
Structural Security
Functional Security
Data Security
Procedural Security
Summary
Chapter 4 Questions
Answers to Chapter 4 Questions
Chapter 5 Access Control of Data
Access Control—Roles for Individuals and Applications
MAC, DAC, RBAC, RuBAC
Passwords, Logins, and Maintenance
Hashing and Checksum Methods
Locking, Unlocking, Resetting
Oracle PL-SQL Listing
MS SQL Server Listing
Monitoring User Accounts, System Account
Monitoring—Triggers
Data Protection—Views and Materialized Views
PII Security—Data, Metadata, and Surrogates
Summary
Chapter 5 Questions
Answers to Chapter 5 Questions
Chapter 6 Data Refresh, Backup, and Restore
Data Refresh—Manual, ETL, and Script
ETL Jobs
Security in Invoking ETL Job
Data Pump: Exporting and Importing
Backup and Restore
Keeping Track—Daily, Weekly, Monthly
Summary
Chapter 6 Questions
Answers to Chapter 6 Questions
Chapter 7 Host Security
Server Connections and Separation
IP Selection, Proxy, Invited Nodes
Access Control Lists
Connecting to a System/DB: Passwords, Smart Cards, Certificates
Cron Jobs or Task Scheduler
Regular Monitoring and Troubleshooting
Summary
Chapter 7 Questions
Answers to Chapter 7 Questions
Chapter 8 Proactive Monitoring
Logs, Logs, and More Logs
Data Manipulation Monitoring
Data Structure Monitoring
Third-Party or Internal Audits
Excessive Logins
Failed or Partial Backups
File Size Comparisons by Day/Week/Month
Users Escalating Their Privileges as DBA
User Program Executables and Output
Redirection
Updated Invited Nodes List
LOG File Generation
Creating an SQL File
—/home/oracle/myScripts/getcounts.s ql
Creating the Shell File
—/home/oracle/myScripts/runsql.ksh
Creating the crontab for Running the Shell File in Background
Examining the Log
Changing the Shell and SQL Files as Needed
Summary
Chapter 8 Questions
LAB Work
Answers to Chapter 8 Questions
Chapter 9 Risks, Monitoring, and Encryption
Security Terms
Risk, Mitigation, Transfer, Avoidance, and Ignoring
Mitigation
Transfer
Avoiding
Ignoring
Acceptance
Organized Database Monitoring
Encrypting the DB: Algorithm Choices
Automated Alerts
Summary
Chapter 9 Questions
Answers to Chapter 9 Questions
Part III Application Security—The Front End
Chapter 10 Application Security Fundamentals
Coding Standards
The Software Development Process
Models and Selection
Cohesion and Coupling
Development, Test, and Production
Client and Server
Server
Side Effects of Bad Security in Software
Fixing the SQL Injection Attacks
Evaluate User Input
Do Back-End Database Checks
Change Management—Speaking the Same Language
Secure Logging In to Applications, Access to Users
Creating New Credentials
Logging In to Applications
Using the Databases
Summary
Chapter 10 Questions
Answer to Chapter 10 Questions
Chapter 11 The Unseen Back End
Back-End DB Connections in Java/Tomcat
Connection Strings and Passwords in Code
Stored Procedures and Functions
File Encryption, Types, and Association
Implementing Public Key Infrastructure and Smart Card
Examples of Key Pairs on Java and Linux
Symmetric Encryption
Asymmetric Encryption
Vulnerabilities, Threats, and Web Security
Attack Types and Mitigations
Windows
macOS/OSX
Linux
Mobile Devices
Summary
Chapter 11 Questions
Answers to Chapter 11 Questions
Chapter 12 Securing Software—In-House and Vendor
Internal Development Versus Vendors
Vendor or COTS Software
Action Plan
In-House Software Development
Initial Considerations for In-House Software
Code Security Check
Fixing the Final Product—SAST Tools
Fine-Tuning the Product—Testing and Release
Patches and Updates
Product Retirement/Decommissioning
Summary
Chapter 12 Questions
Answers to Chapter 12 Questions
Part IV Security Administration
Chapter 13 Security Administration
Least Privilege, Need to Know, and Separation of Duties
Who Is Who and Why
Scope or User Privilege Creep
Change Management
Documenting the Process
Legal Liabilities
Software Analysis
Network Analysis
Hardware or a Device Analysis
Be Proactive—Benefits and Measures
Summary
Chapter 13 Questions
Answers to Chapter 13 Questions
Chapter 14 Follow a Proven Path for Security
Advantages of Security Administration
Penetration Testing
ZAP
Burp Suite
Aircrack-ng
Penetration Test Reports
Audits—Internal and External and STIG
Checking
OPSEC—The Operational Security
Digital Forensics—Software Tools
Lessons Learned/Continuous Improvement
Summary
Chapter 14 Questions
Answers to Chapter 14 Questions
Chapter 15 Mobile Devices and Application
Security
Authentication
Cryptography
Code Quality and Injection Attacks
User Privacy on the Device
Descriptive Claims
Secure Software Development Claims
Sandboxing
Mobile Applications Security Testing
NIST’s Directions for Mobile Device Security
Summary
Chapter 15 Questions
Answers to Chapter 15 Questions
Chapter 16 Corporate Security in Practice
Case # 1: A Person Is Joining an Organization as a New Employee
Case # 2: An Employee Is Fired or Is Voluntarily Leaving the Organization
Case # 3: An Existing Employee Wants to Renew Their Credentials
Case # 4: An Existing Employee’s Privileges Are Increased/Decreased
Case # 5: A Visitor/Vendor to the Organizational Facility
Physical Security of DB and Applications
Business Continuity and Disaster Recovery
Attacks and Loss—Recognizing and Remediating
Recovery and Salvage
Getting Back to Work
Lessons Learned from a Ransomware Attack—Example from a ISC2 Webinar
Summary
Chapter 16 Questions
Answers to Chapter 16 Questions
Reference Index
