INFORMATION ASSURANCE AND SECURITY

Management and protection of knowledge, information and data. It combines two fields:

Information assurance, which focuses on ensuring the availability, integrity, authentication, confidentiality, and non-repudiation of information and systems. These measures may include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.

Information security, which centers on the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

HOW ARE THEY SIMILAR

In many regards, information assurance can be described as an offshoot of information security, as both fields involve safeguarding digitally stored information. At a deeper level, professionals in both fields use physical, technical, and administrative controls to achieve their objectives. For instance, information assurance and information security professionals both seek the most secure physical data infrastructure possible to protect an organization's information, and both rely on technical safeguards such as firewalls and access controls.

An assessment of information assurance vs information security also reveals a similarity in the threats they face. Both fields are concerned with privacy issues, fraud, malicious hackers, and the strategic defense and recovery of information systems before and after catastrophic events.

CORE FUNCTION DIFFERENCES

Information assurance is a broader discipline that combines information security with the business aspects of information management. Information assurance work typically involves implementing organization-wide standards that aim to minimize the risk of a company being harmed by cyber threats.
To achieve this, an information assurance team may do something like overhauling login authentication systems or performing routine backups of important company data. Thus, information assurance professionals are more concerned with addressing the overall risk to an organization's information than with dealing with individual, external threats.

Information security is a more hands-on discipline. It prioritizes the development of tools, technologies, and other countermeasures that can be used to protect information, especially from external threats.

The subtle difference between the two fields means that earning a degree featuring both disciplines can offer students a well-rounded skill set, which can help graduates qualify for senior positions in the information security and assurance industries.

5 PILLARS OF INFORMATION ASSURANCE FRAMEWORK

1. Confidentiality. This is the assurance that information is not disclosed to unauthorized individuals, groups, processes, or devices. Highly confidential data must be encrypted so that third parties cannot read it without the key. Only those who are authorized to view the information are allowed to access it.

2. Integrity. The accuracy and completeness of vital information must be safeguarded. Data should not be altered or destroyed during transmission and storage, and any unauthorized change should be detectable (for example with cryptographic hashes or message authentication codes). This involves making sure that an information system is not tampered with by unauthorized entities. Policies should be in place so that users know how to properly use their systems.

3. Availability. This means that authorized users have timely and easy access to information services. IT resources and infrastructure should remain robust and functional at all times, even under adverse conditions such as a database failure or a failover to standby systems. It involves protecting against malicious code, attackers, and other threats that could block access to the information system.

4. Authenticity.
This security measure is designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific information. Authentication prevents impersonation and requires users to confirm their identities before being allowed access to systems and resources. Authentication factors include user names and passwords, one-time codes (for example sent to a registered email address or generated by a token), biometrics, and others.

5. Non-Repudiation. This attribute assures that the sender of data is provided with proof of delivery and the recipient with proof of the sender's identity, so that neither party can later deny sending, receiving, or accessing the data. Cryptographic mechanisms such as digital signatures should be used to prove identities and to validate the communication process; a shared-secret code such as an HMAC proves authenticity to the other party but not to a third party, so it cannot provide non-repudiation on its own.

WHAT IS WEB APPLICATION SECURITY?

In simple terms, web application security refers to the different cybersecurity methods that you can use to protect your web apps from online threats. Because many attackers target web applications directly, web app security is a must. Examples of web security controls include WAFs (web application firewalls), secure session cookies, MFA (multi-factor authentication), and many more.

WHAT IS EXTERNAL WEBSITE SECURITY, AND WHY IS IT NEEDED?

In short, external web security refers to the measures that protect a specific website from cyberattacks originating outside an organization's internal network. Examples of such attacks include SQL injection and many other types of injection. Commonly cited estimates put a cyberattack every 39 seconds worldwide and 560,000 new malware samples every day. Because of this, you need strong external web security to keep your web application and your customers' data safe. With many cases of businesses losing millions due to these attacks, external web security best practices are necessary.

ENTERPRISE SECURITY PLANNING

Regardless of what industry you are in, having a quality enterprise security plan helps ensure that both your business and your web app are safe.
It is a specific plan created to enhance your business's cybersecurity. Creating an enterprise security plan is one of the first things you should do so that breaches are minimized and their potential impact reduced. However, enterprise security plans are not only for prevention; they also provide other advantages for your business. One of these is that they supply you with an action plan in the event that a damaging breach occurs.

WEB SECURITY THREATS

With most businesses using web apps in one way or another, security is of the utmost importance. However, web security risks come in thousands of different forms. Here are the most common threats:

Credential stuffing
Credential stuffing is where perpetrators take username and password pairs leaked in a data breach of one web app and replay them, at scale and automatically, against the login of another. Because many users reuse the same email address and password across sites, a fraction of these attempts succeed and hand the attacker working accounts. The goal is account takeover; the heavy login traffic may also degrade the site, but that is a side effect.

Brute force attacks
Brute force attacks are similar to credential stuffing. However, instead of using leaked credentials, the attacker systematically guesses many password (and sometimes username) combinations until one is accepted. Rate limiting, account lockout, and MFA are the usual defenses against both.

SQL Injection
SQL injection (SQLi) is a type of attack where untrusted input is concatenated into a SQL query, so the attacker can change the structure of the query and read or modify the backend database, accessing private information. The information they access ranges from sensitive business data to private customer emails and more.

Cross-site scripting
Cross-site scripting (XSS) is a type of injection attack, similar in spirit to SQLi, where malicious script is injected into a trusted website, compromising the users of that site. But how do they do it? They manipulate the web app into delivering script that executes in a victim's browser within the site's own origin, which lets the script read the session cookie or page content and perform actions as the user.
Cookie poisoning
Cookies are used by millions of websites to store state in the user's browser. Cookie poisoning is where an attacker modifies a cookie value that the web application trusts (for example a user ID, a role, or a price) so that the application grants them data or privileges belonging to someone else. Millions of users rely on cookies to keep their sessions, so this can become a big problem. Authoritative state should live on the server, and any value that must be stored client-side should be signed (or encrypted) so tampering is detected.

Man-in-the-middle (MITM) attack
A MITM attack is where an attacker positions themselves between the user and the web application, relaying the traffic while reading or altering it, and impersonating each side to the other in order to steal credentials and personal information from both parties. TLS with valid certificates (HTTPS everywhere, with HSTS) is the primary defense.

Sensitive data disclosure
Sensitive data disclosure happens when a web application exposes sensitive information unintentionally, for example through verbose error messages, unencrypted storage or transport, or API responses that return more fields than the client needs. This usually occurs when security was not considered during development.

Insecure deserialization
This threat arises when an application deserializes data it received from an untrusted source (a cookie, a request body, a message from a queue) using a format, such as Java serialization, PHP serialize, or Python pickle, that can reconstruct arbitrary objects. A crafted payload can then execute code on the server, cause denial of service, or act as a stepping stone to other attacks such as injection, harming the web app and its customers. Prefer data-only formats such as JSON and validate the result after parsing.

SECURE WEB DEVELOPMENT BEST PRACTICES

Conduct security threat assessment
Each web application provides different business benefits. Therefore, cyber threats will have a unique impact on each business. Before developing the actual product, you need to analyze the threats against their impact and probability of occurring. Based on the analysis results, proper security controls should be prioritized and implemented before launch. Remember that no application is 100% secure, so you must accept some risk where cybersecurity is concerned. By applying web application security best practices, you can greatly reduce the probability of threats compromising your systems.
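Worked example covering the cookie poisoning and insecure deserialization threats above, and the integrity and authenticity pillars from earlier in the notes (added here; not code from the original). It models three ways a server might hold session data in a client-side cookie: a plaintext key=value cookie that the server simply trusts, a pickled object that runs attacker-chosen code when loaded, and a JSON body protected with an HMAC tag. The secret key, cookie layout, and the recorded marker are assumptions constructed for the example; in a real deployment the secret is generated randomly and kept on the server.

```python
"""Client-side session cookies: plaintext, pickled, and HMAC-signed (added example)."""
import base64
import hashlib
import hmac
import json
import pickle
from typing import Optional

# Assumption: server-side secret, generated once, never sent to the client.
SERVER_SECRET = b"constructed-secret-do-not-reuse"


# 1. Plaintext cookie: whatever the browser sends back is believed.
def parse_plain_cookie(cookie: str) -> dict:
    """'user=alice;role=user' -> {'user': 'alice', 'role': 'user'}; no integrity check."""
    return dict(part.split("=", 1) for part in cookie.split(";"))


def is_admin_plain(cookie: str) -> bool:
    return parse_plain_cookie(cookie).get("role") == "admin"


# 2. Pickled cookie: unpickling untrusted bytes runs code chosen by the attacker.
EXECUTED = []  # records that the payload ran; a real payload would spawn a shell


def record(marker: str) -> dict:
    EXECUTED.append(marker)
    return {"user": "alice", "role": "admin"}  # the object the server ends up with


class Payload:
    """pickle honours __reduce__: loading this object calls record(...)."""

    def __reduce__(self):
        return (record, ("code ran during unpickling",))


def load_pickled_cookie(cookie: str) -> dict:
    return pickle.loads(base64.b64decode(cookie))  # never do this with client data


# 3. Signed cookie: the body stays readable, but editing it invalidates the tag.
def _encode_body(data: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()


def sign_cookie(data: dict) -> str:
    body = _encode_body(data)
    tag = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie: str) -> Optional[dict]:
    """Return the session dict, or None if the cookie is malformed or tampered with."""
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def forge_signed_cookie(cookie: str) -> str:
    """Attacker edits the body (role -> admin) but cannot recompute the tag."""
    body, tag = cookie.rsplit(".", 1)
    data = json.loads(base64.urlsafe_b64decode(body))
    data["role"] = "admin"
    return f"{_encode_body(data)}.{tag}"


def demo() -> dict:
    results = {}
    # Plaintext: the attacker just rewrites role=user to role=admin in the browser.
    results["plain_forged_admin"] = is_admin_plain("user=alice;role=admin")
    # Pickle: the attacker sends a serialized Payload instead of a session object.
    malicious = base64.b64encode(pickle.dumps(Payload())).decode()
    EXECUTED.clear()
    load_pickled_cookie(malicious)
    results["pickle_executed"] = EXECUTED == ["code ran during unpickling"]
    # Signed: the legitimate cookie verifies, the edited one is rejected.
    good = sign_cookie({"user": "alice", "role": "user"})
    results["signed_valid"] = verify_cookie(good) == {"user": "alice", "role": "user"}
    results["signed_forged"] = verify_cookie(forge_signed_cookie(good))
    return results


if __name__ == "__main__":
    print(demo())
```

The HMAC gives integrity and authenticity to the server that holds the secret, which is exactly what a session cookie needs; it does not hide the contents (encrypt as well if the body is sensitive), and it does not stop an attacker from replaying an old but validly signed cookie, which is why sessions also carry an expiry.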
Harden configuration
Secure web applications need an infrastructure to run on, and most software components need configuration to be functional. Providers of infrastructure and software components document their security settings and best practices. Cloud providers publish reference architectures, covering security-oriented designs, on their sites. There are also independent white papers and manuals on the security configuration of software services; perhaps the best known are the CIS Benchmarks. Following those guidelines avoids many issues caused by security misconfiguration.

Use encryption for confidential information
Properly implemented encryption is an essential protection mechanism for confidential information. It is a must-have for all data transferred via public networks (TLS) and for sensitive data at rest.

Update dependencies in your web app regularly
All components used in the web app may contain security vulnerabilities. Keep an inventory of the components and versions your application uses, check it regularly against published vulnerability advisories, and update promptly.

Implement logging
Once launched, your application may be a target of various malicious actors who will try to breach your security controls. Because of this, visibility of such attempts is a must. You should log all security-related events, which will allow you to trace back all actions taken by malicious actors. Those logs must be kept securely for a defined period to allow for forensic analysis. Clocks across all components should be synchronized (for example with NTP) and timestamps recorded in a single time zone such as UTC, so that events from different systems can be correlated accurately.

Document the software changes
Building software that brings value to a business is a process. The source code may change many times, even the parts connected with crucial functionalities. Most of the software's functionalities will have security controls protecting them, so each change should be documented and reviewed so that those controls are not silently weakened.
Implement input data validation
One of the most common web security issues in web applications is injection. A malicious user crafts special data and passes it through the channels the application uses for interaction (form fields, URL parameters, headers, file uploads). If that data reaches an interpreter unvalidated, it may be executed either on the server side or in the clients' browsers, causing a security breach. Validate input against an allowlist of what is expected wherever possible, and encode output for the context in which it is rendered.

Prepare a backup and recovery plan
When creating the application, especially if it will be a core business tool, you should consider downtime. Having a cloud solution with High Availability (HA) won't protect against all situations, such as data corruption or ransomware, because the damaged data is replicated to the standby just like good data. In these cases, backups come in handy. Backups should be kept separate from the production environment and tested by actually restoring them.

Educate employees
No matter how secure the application is, humans, particularly your employees, will use it. They should be educated on how to handle data securely and on creating strong passwords that cannot be guessed.

Manage your permissions
Giving full access to everything in any IT system is a very bad idea. The application's users should have the minimum permissions needed to perform their daily business activities (principle of least privilege). Emergency, elevated permissions should be granted temporarily and revoked as soon as they are no longer needed.

Implement web app security best practices for user authentication
Strong passwords were mentioned already, but sometimes strong passwords are not enough. It is worth implementing multi-factor authentication. This is where the application's user or system administrator provides an additional factor, which proves either possession of something (hardware token, authenticator app on a mobile device) or who they are (fingerprint, vein pattern, face). Factors that are resistant to phishing, such as FIDO2/WebAuthn security keys, are preferable to codes sent by SMS.

Monitor for anomalies
For every running IT system, you must apply an alerting system to detect potential breaches and notify the person responsible for application maintenance.
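Worked example for the input validation practice above (added here; not code from the original notes). It shows the two halves of the defense: allowlist validation for fields with a known shape (a username, a quantity) and context-aware output encoding for free text that legitimately contains characters such as quotes or angle brackets. The field rules are assumptions made for the example.

```python
"""Allowlist input validation and HTML output encoding (added example)."""
import html
import re

# Assumed rules for this example: usernames are 3 to 32 lowercase letters, digits or
# underscores; quantities are whole numbers from 1 to 100.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")
QUANTITY_RE = re.compile(r"^[1-9][0-9]{0,2}$")  # no sign, no exponent, no whitespace


def validate_username(value: str) -> str:
    """Accept only values matching the allowlist; anything else is rejected outright."""
    if not isinstance(value, str) or not USERNAME_RE.match(value):
        raise ValueError("invalid username")
    return value


def validate_quantity(value: str) -> int:
    """Parse a quantity only after the string has passed the allowlist pattern."""
    if not isinstance(value, str) or not QUANTITY_RE.match(value):
        raise ValueError("invalid quantity")
    n = int(value)
    if not 1 <= n <= 100:
        raise ValueError("quantity out of range")
    return n


def render_greeting_unsafe(display_name: str) -> str:
    """Reflects free text straight into HTML: a script tag in the name runs."""
    return f"<p>Hello {display_name}</p>"


def render_greeting_safe(display_name: str) -> str:
    """Encodes for the HTML text context, so the same name is shown, not executed."""
    return f"<p>Hello {html.escape(display_name, quote=True)}</p>"


def check_many(values, validator) -> dict:
    """Run a validator over several inputs and report which were accepted."""
    outcome = {}
    for v in values:
        try:
            validator(v)
            outcome[v] = "accepted"
        except ValueError as exc:
            outcome[v] = f"rejected: {exc}"
    return outcome


if __name__ == "__main__":
    print(check_many(["alice_01", "alice<script>", "ab", "Alice"], validate_username))
    print(check_many(["42", "0", "101", "1e3", "-5", ""], validate_quantity))
    xss = "<script>alert(1)</script>"
    print(render_greeting_unsafe(xss))
    print(render_greeting_safe(xss))
    print(render_greeting_safe("O'Brien"))  # legitimate input that still needs encoding
```

Validation and encoding are not interchangeable: a display name like O'Brien is valid input and must not be rejected, yet it still needs encoding before it is placed in HTML, and a different encoding again if it is placed in a JavaScript string or a URL.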
When an alert is raised, you should investigate the incident and, if needed, adjust the security controls to protect against the newly discovered threat.

Utilize security audits and penetration testing
Cybersecurity threats are constantly evolving, with new vulnerabilities being discovered in software components. That is why businesses should regularly measure the security of their data processing. Security audits are a good tool for that purpose: they check that all processes related to data processing security are in place and working. Penetration tests measure the security of the application itself. Their purpose is to simulate real attacks on the system, chaining vulnerabilities together, which reveals the web application security issues that actually threaten the business. Regular testing of the effectiveness of security measures is also a GDPR requirement (Article 32), so you should utilize both security audits and penetration testing.

Apply vulnerability management
You should always manage and take the correct steps when web security issues are discovered during the security measurement process. This is done by analyzing the risk each issue poses to the web application and planning mitigation actions based on the results.

Have a plan for a potential data breach
Despite all that effort, a breach can still happen. There is no such thing as 100% security. In case that happens, it is better to be ready. Prepare a crisis response cybersecurity team, and be sure that you have a web application security checklist with up-to-date asset lists, business functions, owners, and recovery procedures.

Improve security in web development as soon as possible
With the possibility of many different web app cyberattacks occurring, you need to be prepared and have a quality web app security strategy to stop these threats from massively impacting your business and its web apps.
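Worked example tying the "implement logging" and "monitor for anomalies" practices to the credential stuffing and brute force threats described earlier (added here; not code from the original notes). It parses a constructed authentication log, in an assumed one-line-per-event format with UTC timestamps, and raises two kinds of alert: many failures against one account (brute force) and one source address trying many different accounts with a high failure rate (credential stuffing). The log lines, thresholds, and addresses are all constructed for the example.

```python
"""Detecting brute force and credential stuffing in authentication logs (added example)."""
import re
from collections import defaultdict

# Assumed log format: "<UTC timestamp> ip=<addr> user=<name> result=ok|fail"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log: one normal login, six failures against alice from one
# address, one address cycling through eight different accounts, one stray failure,
# and one line that is not in the expected format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=192.0.2.10 user=bob result=ok
2024-05-01T10:00:05Z ip=198.51.100.4 user=alice result=fail
2024-05-01T10:00:06Z ip=198.51.100.4 user=alice result=fail
2024-05-01T10:00:07Z ip=198.51.100.4 user=alice result=fail
2024-05-01T10:00:08Z ip=198.51.100.4 user=alice result=fail
2024-05-01T10:00:09Z ip=198.51.100.4 user=alice result=fail
2024-05-01T10:00:10Z ip=198.51.100.4 user=alice result=fail
2024-05-01T10:00:20Z ip=203.0.113.7 user=u01 result=fail
2024-05-01T10:00:21Z ip=203.0.113.7 user=u02 result=fail
2024-05-01T10:00:22Z ip=203.0.113.7 user=u03 result=fail
2024-05-01T10:00:23Z ip=203.0.113.7 user=u04 result=fail
2024-05-01T10:00:24Z ip=203.0.113.7 user=u05 result=fail
2024-05-01T10:00:25Z ip=203.0.113.7 user=u06 result=fail
2024-05-01T10:00:26Z ip=203.0.113.7 user=u07 result=fail
2024-05-01T10:00:27Z ip=203.0.113.7 user=u08 result=ok
2024-05-01T10:01:00Z ip=192.0.2.11 user=carol result=fail
this line is not an auth event and is skipped
"""


def parse(lines) -> list:
    """Return one dict per well-formed event; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect(events, fail_threshold=5, distinct_user_threshold=5, min_fail_ratio=0.5) -> dict:
    """Brute force: >= fail_threshold failures for one account.
    Credential stuffing: one IP touching >= distinct_user_threshold accounts with
    at least min_fail_ratio of its attempts failing. A production detector would
    apply these over a sliding time window rather than the whole log."""
    fails_per_user = defaultdict(int)
    users_per_ip = defaultdict(set)
    fails_per_ip = defaultdict(int)
    total_per_ip = defaultdict(int)
    for e in events:
        users_per_ip[e["ip"]].add(e["user"])
        total_per_ip[e["ip"]] += 1
        if e["result"] == "fail":
            fails_per_user[e["user"]] += 1
            fails_per_ip[e["ip"]] += 1
    brute_force = sorted(
        (user, n) for user, n in fails_per_user.items() if n >= fail_threshold
    )
    stuffing = sorted(
        (ip, len(users), fails_per_ip[ip])
        for ip, users in users_per_ip.items()
        if len(users) >= distinct_user_threshold
        and fails_per_ip[ip] / total_per_ip[ip] >= min_fail_ratio
    )
    return {"brute_force": brute_force, "credential_stuffing": stuffing}


def alerts_for(log_text: str) -> list:
    """Human-readable alert lines for the on-call engineer."""
    found = detect(parse(log_text.splitlines()))
    out = [f"brute force against account {u}: {n} failures" for u, n in found["brute_force"]]
    out += [
        f"credential stuffing from {ip}: {users} accounts tried, {fails} failures"
        for ip, users, fails in found["credential_stuffing"]
    ]
    return out


if __name__ == "__main__":
    for line in alerts_for(SAMPLE_LOG):
        print(line)
```

The single successful login from 203.0.113.7 is the interesting one: a per-account lockout would never have fired for u08, which is why stuffing has to be detected by source address and account spread, not by failures per user.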