Some common steps for protecting websites: -

Apart from keeping platform up-to-date, installing SSL certificate, installing security plugins, providing password policy stronger, restricting exe file upload etc some common steps should also be cared for protecting the websites.

1. We should restrict uploading of the ZIP file

ZIP and other compressed files can contain virus, Trojans, and other malware, in fact, it's rather common because putting the malware into a compressed archive is an easy way of bypassing your anti-virus/anti-malware software until the archive is decompressed. Even it is not uncommon for unscrupulous people to fake a Zip file. Let’s take virus.exe for the example. Rename the virus.exe file to virus.zip.exe and you have the default setting in Windows Explorer of hiding extensions of known file types, it would appear the file is called virus.zip. An unsuspecting user would think the file is a Zip file, even if it had the wrong icon. Double clicking it would execute the virus infected file.

2. File uploading location should be isolated

It should be isolated from other parts of Server and this location should not be in the root location. In this situation, virus/malware will not affect other part or have a minimal impact. This location should keep limited permissions as only those which are required.

3. Each publically accessible website should be isolated from other

With a system vulnerable to directory traversal, an attacker can make use of this vulnerability to step out of the root directory and access other parts of the file system. This might give the attacker the ability to view restricted files, or even more dangerous, allowing the attacker to execute powerful commands on the web server which can lead to a full compromise of the system.

Depending on how the website access is set up, the attacker will execute commands by impersonating himself as the user which is associated with “the website”. Therefore it all depends on what the website user has been given access to in the system. For more details have a look at this link- https://www.acunetix.com/websitesecurity/directory-traversal/

4. Web Application Firewall can be configured for protecting the web application.

L7LB – Layer 7 load balancer.

WAFs are designed to protect the web application. WAFs are a shielding safeguard intended to defend application accessed via the hypertext transfer protocol (HTTP). They are capable of preventing the attack that network firewall or intrusion prevention system cannot. WAFs sit in front of the web application, monitor application activity, and alert on or block traffic that is malicious or that does not comply with specific rules. The intention is to catch application level attack, such as SQL injection and cross-site scripting, along with attempts to manipulate web application behavior.

Disadvantages (If Web Application Firewall is not there):

After Scanning, attacker can exploit the website

An attacker can steal the user credentials.

Disadvantages (If Web Application Firewall is there):

Increase the possibility of DDOS attack – After implementation of WAF, every packet will be scanned (Not only payload but also deep scanning) so in real time scanning, Uploading and downloading speed can reduce. So denial of service attack is a possibility under it. And the client can face some problem during data submission.

In either instance, there is going to be a performance impact on the ability of the web server to serve concurrent requests. That goes without saying.

Given that, to maintain the ability to serve the same or a similar level of requests, either more web servers or more hardware is required.

To some degree, depending on the architecture of the application, this could potentially be mitigated using tools such as Varnish to cache static content, content which doesn’t need to be inspected by a WAF.

Advantages (If Web Application Firewall is there):

In these days, ransomware is the biggest threat of IT organization. So cyber security is more important than speed and we are configuring WAF (Web Application Firewall and reverse proxy) then security will improve.

As it will have the skill to analyze the payload of the packet and make choices depending on the real content, in addition, it provides content filtering abilities. Being able to analyze the whole network packet instead of only the network interfaces and addresses means they have more extensive logging abilities also, for example, program-specific commands, which provide tips that are useful for working with policy execution and security events.

5. Reverse Proxy server implementation:

A reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client like they originated from the Web server itself.

      After using the reverse proxy, the original IP (IP of the server where the website(s) is (are) hosted) will be invisible in client domain and it may be public or private IP.

References:-

https://www.acunetix.com/websitesecurity/directory-traversal/

https://blog.sqreen.io/why-web-application-firewalls-fail-to-protect-web-applications/

http://searchsecurity.techtarget.com/answer/What-are-the-drawbacks-to-application-firewalls

http://searchsecurity.techtarget.com/answer/What-are-the-drawbacks-to-application-firewalls

https://my.web24.com.au/knowledgebase/70/Vandalism-and-Hacking.html

https://www.sec-consult.com/en/blog/2012/10/are-web-application-firewalls-useful-a-pentesters-view/index.html

https://www.google.co.in/search?q=web+application+firewall+images&source=lnms&tbm=isch&sa=X&ved=0ahUKEwiWgLrc4vfVAhVFtY8KHU7DCAoQ_AUICygC&biw=1366&bih=638#imgrc=Cu4eY-lkm7hnUM:

https://www.google.co.in/search?biw=1366&bih=638&tbm=isch&sa=1&q=web+application+firewall+with+reverse+proxy+images&oq=web+application+firewall+with+reverse+proxy+images&gs_l=psy-ab.3...116894.122059.0.122420.19.19.0.0.0.0.171.2644.0j19.19.0....0...1.1.64.psy-ab..0.0.0.tnDfwo_JIaU#imgrc=OhfzUtH5ZhF_rM

Basic Understanding of Web Service and Web Server

One day in a presentation I got an example of web service as a website hosted on IIS, having the user interface only for authentication purpose. Although there was some software coding part involved and I got confused that if the web service is like that then what is the difference among web service, website, and web server. During the search on the internet, found so many answers created so many confusions. For example, one confusion is like this web service is used for information exchange from one system to another but I know server to client or client to server, information exchange is also there. Another confusion – Web service may be stateful or stateless but I know that server is also available as stateful or stateless.

    These all confusions was my mistakes because I haven’t tried to understand the meaning of heading word “Service”.  One day, I was studying about some servers and found the definitions as-  a server can offer some services and a client can access or request some services from the server. Now I got the word services here and After getting the word got the exact answer of all confusions and I am able to answer the web service definition as “web service is a piece of software code used to fulfill the communication between Server-Client model or model where information exchange is required from one system to another. Now understand the things in details – Suppose we have a Java Servlet program for authentication and calculation. And the program containing three different parts.

1.   .html part – this part contains the information, which we have to exchange from one point to another. Means the User Interface (Web browser page) part is written in HTML language and the user can enter the authentication credentials on the web page and can view the calculation on the web page after compilation and executions of this HTML code.

2.  .java part –  this page contains the methods used in web services as get, post, delete, etc.

3.  .xml part -  As the extension suggest .xml, this page is written in XML language and used to configure servlet. Means map the Java class, package, HTML page, URL, etc.

Now see the things in a graphical manner.

Difference Between Information Security & Cyber Security

·       ICT (Information and Communication Technology) Security

In this context, ICT security refers to relevant incidents as well as measures, controls, and procedures applied by enterprises in order to ensure integrity, confidentiality, and availability of their data and ICT systems.

Data: – Maybe anything. Ex:- 03031989

Information: - The data which is having some meaning. Ex:- 03031989 is a date of birth of someone.

Basic Definition:

Cyber Security: The ability to protect or defend the use of cyberspace from cyber-attack.

Cyber security is about securing things that are vulnerable through ICT. It also considers that where data is stored and technologies used to secure the data. Part of cyber security about the protection of information and communications technologies – i.e. hardware and software, is known as ICT security.

Information Security (1): The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

Information Security (2): Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide —\

1)   integrity, which means guarding against improper information modification or destruction;

Attack -   Modification

2)   confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information;

Attack – Interception

3)   availability, which means ensuring timely and reliable access to and use of information.

Attack - Interruption

 Information security is all about protecting the information, which generally focuses on the confidentiality, integrity, availability (CIA) of the information.

Following Venn diagram can be helpful to understand the differences.

Reference- Center for Cyber and Information Security (https://ccis.no/cyber-security-versus-information-security/)

In the diagram below, we can see that right side Venn diagram represent the Cybersecurity (things which are vulnerable through ICT, it includes information, both physical and digital, and non-information such as cars, traffic lights, electronic appliances, etc.), while left side represent the information security (which consist of information both digital and analog).

Note that IT security is the protection of information technologies. Practically, there is no difference in ICT security and IT security. As you can see in the following picture that both sets are having some overlap. Below diagram illustrates the relationship between ICT security, cyber security, and information.

Reference- Center for Cyber and Information Security (https://ccis.no/cyber-security-versus-information-security/)

(http://www.cisoplatform.com/profiles/blogs/understanding-difference-between-cyber-security-information)

MEECES– Meaning of Hacker

Max Kilger likes to get into the heads of computer criminals. Throughout his many years of research, he's developed a motivational profile he calls "MEECES" - for money, ego, entertainment, cause, entrance to social groups and status. Max Kilger likes to get into the heads of computer criminals. He chats with these people at conferences and online and studies their behavior when they hack inside Honeynet's decoy computers. Throughout his many years of research, he's developed a motivational profile he calls "MEECES" - for money, ego, entertainment, cause, entrance to social groups and status. MEECES is a modification of the FBI and military security's counterespionage profile called MICE - which stands for money, ideology, compromise and ego. Kilger outlines behavioral motivators in a 60-page chapter on hacker profiling in the second edition of the Honeynet-developed book "Know Your Enemies," due from Addison Wesley in May. Here's the upshot of those motivators:
Money - Stolen credit cards become currency for certain crime rings and social groups of carders who trade them for access to other compromised credit card databases.

Ego - Spanning the entire spectrum of the community from black hat to white hat hackers, ego is the drive to solve a problem, look at the code, see how something works, and then get it to do something it wasn't created to do.

Entertainment - The bored teenager syndrome is not as strong as in the days of big disk drives and mainframes, but it remains a motivator. "You'll still see a hacker break into a system, trash it up and sit back and watch the system administrator scurry around trying to save it," Kilger says.

Cause - Think hacktivism, mostly Web site defacements and distributed denial-of-service attacks for politics and ideologies.

Entrance into social groups - Hackers achieves this by sharing their successful break-ins with the groups they want to be included in.

Status - This is the strongest motivator among all hackers, crackers, and carders because their main emphasis is on skills. The higher profile the target, the higher their status.

Reference - http://www.networkworld.com/article/2330885/lan-wan/meeces-to-pieces.html

Hackers are able to do a lot more today, without the steep learning curve. The FBI define the motivation of individuals who commit espionage against the country, with the acronym, MICE, money, ideology, compromise or coercion, ego or extortion. Researcher, Max Kilger, proposed that the motivations for the hacker community can be thought of as MEECES, money, ego, entertainment, cause, entrance, and status. Attackers could be outsiders, competition, hacktivists, organized crime, terrorists, governments, even hired guns!

Reference - https://courses.edx.org/courses/course-v1:RITx+CYBER501x+2T2017

Where we are now. Is this kind of competition is good for us.

http://epaperbeta.timesofindia.com/Gallery.aspx?id=23_03_2017_030_008_003&type=P&artUrl=TRUMP-PUMPS-UP-WAR-CHEST-23032017030008&eid=31808