Chat with us, powered by LiveChat Use the pdf document as reference to answer the questions in the word document.? Please paraphrase all answers, do not copy and paste from the ref | WriteDen

Use the pdf document as reference to answer the questions in the word document.? Please paraphrase all answers, do not copy and paste from the ref

Use the pdf document as reference to answer the questions in the word document. 

Please paraphrase all answers, do not copy and paste from the reference document or any other reference document you use. 

Question 1: [NOTE: Answer each part of the question in paragraph format]

a. What is Transparent Data Encryption? Why is it transparent? What types of encryption does it support? Explain how TDE protects against attacks by privileged OS users? (4 points)

b. Identify and explain 4 primary defenses against SQL injection attacks. (4 points)

c. What specific encryption techniques does Amazon RDS use for protecting databases at rest? What encryption techniques and protocols does Amazon RDS use to protect data in flight? (2 points)

Question 2: [NOTE: Answer each part of the question in paragraph format]

a. Explain how a reflected XSS attack is different from a persistent XSS attack. Provide examples of attack scenarios for each. (2 points)

b. As per the OpenCanvas Learning YouTube video, there are 6 components which come together to make a web browser work. Pick 4 out of the 6 components and explain what each of those components does to get the browser to function. (4 points)

c. Describe the main difference between session cookies and persistent cookies. Describe 3 steps that we used to exploit information contained in cookies to launch a privilege escalation attack (based on one of the lab exercises). (4 points)

Question 3: [NOTE: Answer each part of the question in paragraph format. It is okay if your answers to this question spill into the next page due to the table that I have included as a part of the question stem for part d.]

a. Explain what server hardening means in your own words. Which specific web application security risk in the OWASP Top 10 list from 2017 is hardening supposed to best protect against? (2 points)

b. Explain how a replay attack works using your own words. (2 points)

c. Explain what a web application firewall is and how it is different from a traditional network firewall. Which layer in the 7-layer OSI architecture does each operate at? (2 points)

d. Complete the following table of cloud service models by specifying whether the customer (C) or the service provider (SP) is responsible for hardware, operating system, applications, and data. From a customer perspective, which of the 3 cloud service models is most secure (theoretically)? (4 points)

Cloud Service Model

Hardware

Operating System

Applications

Data

SaaS

PaaS

IaaS

Question 4: [NOTE: Answer each part of the question in paragraph format. It is okay if your answers to this question spill into the next page due to the screen capture that I have included as a part of the question stem for part c.]

a. Describe two main differences between Java and JavaScript. (2 points)

b. Explain what an XML external entity is in your own words. Provide an example of XML code that uses an external entity. Explain how an XML external entities injection attack can be used to display the contents of the /etc/passwd file. (4 points)

c. Describe what flaw debt is in your own words. Provide 3 main takeaways from the chart provided below. (4 points)

Page 2 of 6

,

Database Security – Issues and Best Practices

Outline • Intro to Database Security

•Need for Database Security

•Database Security Fundamentals

•Database Security Issues • OWASP Top 10 – A1:2017– Injection

• OWASP Top 10 – A3:2017– Sensitive Data Exposure

•Attacks against Database Security Mechanisms

•Database Security Best Practices

2

Intro to Database Security

3

Intro to Database Security • How does a web application work?

4

Client

Server

Involves databases

Intro to Database Security (contd.) •Database • A database is “an organized collection of structured information, or

data, typically stored electronically in a computer system” • It includes: the data, the DBMS, & applications that use them

•Database Management Systems (DBMS): • DBMS serve “as an interface between the database and its end

users or programs, allowing users to retrieve, update, and manage how the information is organized and optimized”

5

Source: What is a Database – Oracle – https://www.oracle.com/database/what-is-database.html

Intro to Database Security (contd.) •Database Management Systems (DBMS) (continued): • DBMS also facilitate “oversight and control of databases, enabling a

variety of administrative operations such as performance monitoring, tuning, and backup and recovery” • Types: • Relational, Object-Oriented, Distributed, Data Warehouses, Open Source,

Cloud, Autonomous, etc.

• Examples: • Oracle, SQL Server, MySQL, Microsoft Access, MariaDB, PostgreSQL, etc.

6

Source: What is a Database – Oracle – https://www.oracle.com/database/what-is-database.html

Intro to Database Security (contd.) •Database Tutorial for Beginners – Lucidchart

7

Source: Lucidchart – Database Tutorial for Beginners – https://www.youtube.com/watch?v=wR0jg0eQsZA

Intro to Database Security (contd.) •Database security refers to “the range of tools, controls, and

measures designed to establish and preserve database confidentiality, integrity, and availability” (IBM, 2019) •Database security involves protection of • The data in the database • The database management system (DBMS) itself • Any associated applications (including web applications) • The physical and/or virtual database server farms and their

underlying hardware • The computing and/or network infrastructure used to access

the database (IBM, 2019)

8

Intro to Database Security (contd.) •Database security involves securing data • At rest • Using techniques such as encryption • Example: Amazon RDS uses 256-bit Advanced Encryption Standard (AES) for

securing database instances, automated backups, and snapshots at rest • In flight • Using protocols such as Transport Layer Security (TLS) • Example: Amazon RDS uses TLS from the web application to encrypt a

connection to a database instance running MySQL, MariaDB, SQL Server, Oracle, or PostgreSQL to protect data in flight

9

Need for Database Security

10

Need for Database Security •As per Oracle (2022): • Data breaches are “happening everywhere these days, and hackers

are getting more inventive. It’s more important than ever to ensure that data is secure but also easily accessible to users”

•As per IBM (2019): • The consequences of data breaches include the following: • Compromised intellectual property • Damaged brand reputation • Loss of business continuity • Fines or penalties for non-compliance • Expenses related to repairing breaches

11

Need for Database Security (contd.) •As per the IBM (2021) Cost of a Data Breach Report: • The average total cost of a data breach in 2021 was $4.24M • The highest country average cost of a data breach was $9.05M for

U.S. • The highest industry average cost of a data breach was $9.23M

(healthcare) • The cost per lost or stolen record was $161 • The time to identify and contain a data breach was 287 days

12

Need for Database Security (contd.) •As per IBM (2021), the four cost components are:

13

Need for Database Security (contd.) • Data breaches typically involve unauthorized access of company

databases (Privacy Rights Clearinghouse, 2020)

14

Database Security Fundamentals

15

Database Security Fundamentals •Oracle Database Security – Oracle France

Source: Oracle France – Database Security – https://www.youtube.com/watch?v=GXF3T4g2tJg

16

Database Security Fundamentals (contd.)

•As per Oracle (2021), effective database security involves using the following powerful preventive and detective security controls: • Transparent Data Encryption (TDE) • Encryption key management • Privileged user and multifactor access control • Data classification and discovery • Database activity monitoring and blocking • Consolidated auditing and reporting • Data masking

17

Database Security Fundamentals (contd.)

•Transparent Data Encryption (TDE) • Helps prevent attacks that attempt to bypass the database and read

sensitive information from data files at the operating system level, from database backups, or from database exports by encrypting data in the database layer

18

Database Security Fundamentals (contd.)

•Transparent Data Encryption (TDE) (continued)

• It is transparent because the encryption and decryption processes do not require any application changes, and the application users do not have to directly deal with encrypted data • It supports tablespace encryption and column encryption

19

Database Security Fundamentals (contd.)

•Encryption Key Management • TDE uses a two-tier key management architecture • Consists of data encryption keys and a master encryption key • Enables rotation of master keys without having to re-encrypt all of the

sensitive data • Oracle Database 18c introduced support for Bring Your Own Key (BYOK)

• Data encryption keys • Are managed automatically by the database

• The master encryption key • Is used to encrypt the data encryption keys • Is stored and managed outside of the database within an Oracle Wallet or in

an Oracle Key Vault

20

Database Security Fundamentals (contd.)

•Privileged User and Multifactor Access Control – Oracle Database Vault

Source: Oracle – Database Vault – https://www.youtube.com/watch?v=AomjVCdUp6k

21

Database Security Fundamentals (contd.)

•Data Classification and Discovery • Oracle Label Security enforces data access requirements and

records data classification levels at the database row level • Automated discovery of sensitive columns and parent-child

relationships • The discovery process uses built-in extensible patterns such as

credit card numbers and national identifiers to check metadata and column data to identify sensitive columns • The discovery results are stored as an application data model, which

is reusable across multiple databases

22

Database Security Fundamentals (contd.)

•Database Activity Monitoring and Blocking • Oracle Database Firewall provides a first line of defense for

databases

23

Database Security Fundamentals (contd.)

•Consolidated Auditing and Reporting • Oracle Audit Vault consolidates audit data from databases,

operating systems, and directories

24

Database Security Fundamentals (contd.)

•Data Masking • Oracle Data Masking provides a flexible option to discover, mask

and subset sensitive data, enabling the data to be safely shared across non-production environments • Non-production environments such as test and development

systems are the potential targets for a cyber attack as they generally contain copies of production data • Compliance costs are lowered as masked non-production databases

are out of the scope for the audit teams • Sensitive data such as credit card numbers, national identifiers, and

other personally identifiable information (PII) can be masked using predefined masking formats

25

Database Security Issues

26

Database Security Issues •Specific database security issues include: • Cloud database configuration errors • SQL injection • Weak authentication • Privilege abuse / excessive privileges • Inadequate logging / weak auditing / • Unpatched services • Insecure system architecture • Inadequate backups

Source: BCS.org – The Chartered Institute for IT – https://www.bcs.org/articles-opinion-and-research/top-ten-database-

attacks

27

Database Security Issues (contd.)

•OWASP Top 10 – A1:2017–Injection

Source: OWASP Top 10 2017 A1-Injection – https://owasp.org/www-project-top-ten/2017/A1_2017-Injection.html

28

Database Security Issues (contd.)•Common database security vulnerabilities:

Source: OWASP Top 10 2017 A1-Injection – https://owasp.org/www-project-top-ten/2017/A1_2017-Injection.html

29

Database Security Issues (contd.)

•OWASP Top 10: SQL Injection – Security Innovation

Source: Security Innovation – OWASP Top 10: SQL Injection – https://www.youtube.com/watch?v=X34cKt8RfJs

30

Database Security Issues (contd.)

•OWASP Top 10 – A3:2017–Sensitive Data Exposure

Source: OWASP Top 10 2017 A3-Sensitive Data Exposure – https://owasp.org/www-project-top-ten/2017/A3_2017-

Sensitive_Data_Exposure

31

Database Security Issues (contd.) •Common database security vulnerabilities:

Source: OWASP Top 10 2017 A3-Sensitive Data Exposure – https://owasp.org/www-project-top-ten/2017/A3_2017-

Sensitive_Data_Exposure

32

Database Security Attacks

33

Database Security Attacks •Most common database security attacks include:

Source: OWASP – Attacks – https://owasp.org/www-community/attacks/

Attack Type Description

SQL Injection An untrusted source uses an application’s user input features to enter data that is used to dynamically construct a SQL query to read sensitive database data

Denial of Service Storing too much information in a user session object, such as large quantities of data retrieved from the database, can cause DoS issues

Brute Force The attacker makes requests to a server using pre-configured values and then analyzes the response

Ransomware The attacker encrypts and locks the victim’s data and then demands a ransom to unlock and decrypt the data

34

Database Security Attacks (contd.) •As per IBM (2022), some of the most common database

security attacks include: Attack Type Description

Insider Threats Abuse of privileged access by a malicious insider, a negligent insider, or an infiltrator

Human Error Accidents, weak passwords, password sharing, and other unwise or uninformed user behaviors

SQL Injection Insertion of arbitrary SQL attack strings into database queries served by web applications

Buffer Overflow A process attempts to write more data to a fixed-length block of memory than it is allowed to hold

35

Database Security Attacks (contd.) •Common database security attacks (continued):

Source: IBM – Database Security: An Essential Guide – https://www.ibm.com/cloud/learn/database-security

Attack Type Description

DoS/DDoS The attacker floods the database server with so many requests that the server can no longer fulfil legitimate requests from actual users

Malware Software written specifically to exploit vulnerabilities or otherwise cause damage to the database

Attacks on Backups Organizations fail to protect backup data with the same stringent controls used to protect the database itself

36

Database Security Best Practices

37

Database Security Best Practices •OWASP recommends the following best practices: • Connect to the database securely • Prevent unencrypted traffic at the transport layer • Configure databases to always require authentication • Never store database credentials in the application source code

especially if they are unencrypted • Apply the principle of least privilege to the permissions assigned to

database user accounts • Harden the underlying operating system for the database server

Source: OWASP – Database Security Cheat Sheet – https://cheatsheetseries.owasp.org/cheatsheets/Database_Security_Che

at_Sheet.html

38

Database Security Best Practices (contd.)

•Best practices to secure databases (as per IBM): • Consider physical security if the database is not in the cloud • Restrict number of users, their permissions, and network access to the

minimum levels necessary • Focus on end user account/device security • Use best-in-class encryption to protect the data while at rest and in transit • Keep the DBMS version up to date and apply patches as soon as they are

issued • Use best practices for application/web server security • Secure backups / log all operations / perform audits regularly

Source: IBM – Database Security: An Essential Guide – https://www.ibm.com/cloud/learn/database-security

39

Database Security Best Practices (contd.) •Use the following database security best practices: • Best practices to protect against SQL Injection:

• Primary defenses: • Use prepared statements with parameterized queries • Use stored procedures • Allow-list input validation • Escape all user supplied input

• Additional defenses: • Enforce least privilege • Perform allow-list input validation as a secondary defense

Source: OWASP – SQL Injection Prevention Cheat Sheet – https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Preve

ntion_Cheat_Sheet.html

40

Recap • Database security issues continue to be among the OWASP Top 10 list

of web application security risks • This is due to weaknesses in database mechanisms such as dynamic

queries, input validation, key management, access control, configuration, logging, auditing, backups, etc. • Hackers are able to exploit the weaknesses using attacks such as SQL

injection, DoS, brute force, ransomware, etc. • Best practices to protect databases include understanding what types

of data needs to be protected, understanding regulatory compliance, discovering/classifying databases based on data sensitivity, using data masking, monitoring, auditing, encryption, access control, parameterized queries, stored procedures, allow-list input validation, hardening, etc.

41

Thank you!!!

42

Browser Security – Issues and Best Practices

Outline • Intro to Browser Security

•Need for Browser Security

•Browser Security Fundamentals

•Browser Security Issues • OWASP Top 10 – A7:2017– Cross-Site Scripting XSS

• OWASP Top 10 – A3:2017– Sensitive Data Exposure

•Attacks against Browser Security Mechanisms

•Browser Security Best Practices

2

Intro to Browser Security

3

Intro to Browser Security • How does a web application work?

4

Client

Server

Involves browsers

Intro to Browser Security (contd.)

•Browser • A browser is “an application that finds and displays web pages”. • It coordinates communication between your computer and the web

server where a particular website “lives” by: • Accepting a website address as a URL • Submitting a request to the server to retrieve the content for the page • Processing the code (HTML, CSS, JavaScript, etc.) from the server • Loading active content (Flash, ActiveX, etc.) needed by the page • Displaying the complete, formatted web page • Repeating the process for every single user interaction with the page

5

Source: Understanding Your Computer: Web Browsers – U.S. CERT – https://www.cisa.gov/uscert/ncas/tips/st04-022

Intro to Browser Security (contd.)

•Examples: • Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari,

Opera, etc. •Browser Market Share as of February 2022:

6

Source: Global Web Stats – W3Counter– https://www.w3counter.com/globalstats.php

Intro to Browser Security (contd.) • Browser security refers to “how differences in design and

implementation of various security technologies in modern web browsers might affect their security” (X41 Browser Security White Paper, 2017, pg. 8) • Browser security involves the following: • Protection against common client-side attacks • Protection against phishing • Management of browser extensions • Use of adequate cryptography protocols

7

Source: X41 Browser Security White Paper – https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf

Intro to Browser Security (contd.) • Bro

HOW OUR WEBSITE WORKS

Our website has a team of professional writers who can help you write any of your homework. They will write your papers from scratch. We also have a team of editors just to make sure all papers are of 
HIGH QUALITY & PLAGIARISM FREE.

Step 1

To make an Order you only need to click ORDER NOW and we will direct you to our Order Page at WriteDen. Then fill Our Order Form with all your assignment instructions. Select your deadline and pay for your paper. You will get it few hours before your set deadline.
 Deadline range from 6 hours to 30 days.

Step 2

Once done with writing your paper we will upload it to your account on our website and also forward a copy to your email.

Step 3
Upon receiving your paper, review it and if any changes are needed contact us immediately. We offer unlimited revisions at no extra cost.

Is it Safe to use our services?
We never resell papers on this site. Meaning after your purchase you will get an original copy of your assignment and you have all the rights to use the paper.

Discounts

Our price ranges from $8-$14 per page. If you are short of Budget, contact our Live Support for a Discount Code. All new clients are eligible for 20% off in their first Order. Our payment method is safe and secure.

Please note we do not have prewritten answers. We need some time to prepare a perfect essay for you.