Temple University

SQL injection

Week 7 Reading Summary, Question, and recent Cyber Security News…

  1. Summarize one key point from each assigned reading…

SQL injection is a code injection technique that exploits a security vulnerability in the DB layer of an application: user input that is incorrectly filtered or escaped is passed into the database as part of a manipulated SQL statement. To help prevent SQL injection, user input must be carefully escaped/filtered, and one should also audit one’s web site and SQL databases with a good web vulnerability scanner (WebCruiser, etc.).
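As an added illustration (not code from the original post), the following Python script builds a constructed in-memory SQLite table and compares a login check that concatenates user input into the SQL string against one that passes the input as query parameters, which is the database-side form of the escaping/filtering the reading recommends; the table contents, usernames and password are all made up for the demo.

```python
import sqlite3


def make_db():
    """Constructed demo database: one user row (plaintext password only to keep
    the demo short; real systems store salted hashes, never plaintext)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Builds the statement by string formatting, so whatever the user typed
    is parsed by SQLite as SQL. A quote in the input ends the string literal
    and the rest of the input becomes part of the WHERE clause."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def safe_login(conn, username, password):
    """Parameterized statement: the '?' placeholders are bound by the driver,
    so the input is always treated as data, never as SQL syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo():
    """Runs both checks on normal credentials and on a quote-breaking input
    that turns the vulnerable WHERE clause into a tautology."""
    conn = make_db()
    tautology = "' OR '1'='1"
    return {
        "vuln_good_creds": vulnerable_login(conn, "alice", "s3cret"),
        "vuln_bad_creds": vulnerable_login(conn, "alice", "wrong"),
        "vuln_injected": vulnerable_login(conn, "alice", tautology),
        "safe_good_creds": safe_login(conn, "alice", "s3cret"),
        "safe_injected": safe_login(conn, "alice", tautology),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable check accepts the injected input as a valid login because the clause becomes `... AND password = '' OR '1'='1'`, while the parameterized check rejects it, which is why reviewing code for string-built SQL is a faster audit than scanning alone.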

  1. Question to classmates (facilitates discussion) from assigned reading…

Question: What are some other SQL database vulnerabilities, and how could they be fixed quickly?

*Answer: Here is my answer… known SQL flaws within the DB server itself, and here one would install the latest software updates ASAP to make the overall system more secure! How about your answer…

Identify, read, and post to our blog a current event article regarding ethical hacking & penetration testing (follow theme topic of the week, or other interesting related article)…

In the Cyber Security News lately

2016 Marching Orders – Encrypt End-to-End While You can (as reported recently within the RedmondMag.com on 1/11/2016)…

“Data breaches remain a critical threat to organizations and there’s concern that one of the best defenses, end-to-end encryption technology, may not be around forever… Hillary Clinton said in a Brookings Institute speech. ‘And this is complicated. You’re going to hear all of the usual complaints, you know, freedom of speech, etc. But if we truly are in a war against terrorism and we are truly looking for ways to shut off their funding, shut off the flow of foreign fighters, then we’ve got to shut off their means of communicating. It’s more complicated with some of what they do on encrypted apps’… Expect to keep hearing demands from the stump for encryption technology that keeps corporate and personal data safe, but is completely accessible to law enforcement and intelligence agencies whenever they need it… Meanwhile, the technology keeps moving forward. One element to keep an eye on in 2016 is quantum computing, which could make a lot of current encryption technology irrelevant… over the next 15 years will necessitate the migration of all our existing public-key cryptosystems to new quantum-resistant algorithms and a quantum-resistant TLS (used for every HTTPS secure Web connection) is the first step.”

https://redmondmag.com/articles/2016/01/01/2016-marching-orders.aspx

Week 6 Reading Summary, Question, and recent Cyber Security News…

  1. Summarize one key point from each assigned reading…

This week we begin our focus on web application security using the Burp Suite included with Kali2-Linux (tools to perform security testing [Burp Proxy, Spider, Intruder, Decoder, etc.]) and on web application injection vulnerabilities (client-side submission of unexpected inputs in order to exploit system vulnerabilities [vulnerabilities that are well known, but still not fixed by many web site developers/owners over the last 10 yrs.]). Best practice for web app security would be for managers & developers to design & maintain web apps with security always a part of the overall process (definitely minimize user input validation issues, etc.).

  1. Question to classmates (facilitates discussion) from assigned reading…

Question: Using Burp Proxy (intercept web traffic) & Burp Intruder (automate custom web app attacks), which would be your choice of Burp Intruder “payload”?

*Answer: My choice would be to use the “Pitchfork” attack (for a SQL injection web app attack [custom username & passwd payloads.])

Identify, read, and post to our blog a current event article regarding ethical hacking & penetration testing (follow theme topic of the week, or other interesting related article)…

In the Cyber Security News lately

Microsoft’s New Security Approach (as reported within the RedmondMag.com on 1/5/2016)…

https://redmondmag.com/articles/2016/01/01/a-new-security-approach.aspx

Back in 2002 Microsoft began their “Trustworthy Computing” security initiatives (improve security on products such as Windows OS, Office suite, etc.), and now fast forward to 2015 (massive global security threats against almost all Internet-connected organizations), with Microsoft’s evolved security focus much more on “operations” (new security initiatives such as their Cyber Defense Operations Center [24×7 rapid response from many diverse security experts], Azure Security Center [cloud services for IT admins to monitor a Microsoft client’s cloud security environment], etc.)… definitely an excellent direction for Microsoft, but let’s see how it all goes in the near future for Microsoft and its cloud partners (security breach frequency & response times, transparency, etc.)