
1)

Confidentiality, integrity and availability, also known as the CIA triad, is a model
designed to guide policies for information security within an organization. The model
is also sometimes referred to as the AIC triad (availability,
integrity and confidentiality) to avoid confusion with the Central Intelligence Agency.
The elements of the triad are considered the three most crucial components of
security.

In this context, confidentiality is a set of rules that limits access to information,
integrity is the assurance that the information is trustworthy and accurate, and
availability is a guarantee of reliable access to the information by authorized people.

Confidentiality:

Confidentiality is roughly equivalent to privacy. Measures undertaken to ensure
confidentiality are designed to prevent sensitive information from reaching the
wrong people, while making sure that the right people can in fact get it: Access must
be restricted to those authorized to view the data in question. It is common, as well,
for data to be categorized according to the amount and type of damage that could be
done should it fall into unintended hands. More or less stringent measures can then
be implemented according to those categories.

Sometimes safeguarding data confidentiality may involve special training for those
privy to such documents. Such training would typically include security risks that
could threaten this information. Training can help familiarize authorized people with
risk factors and how to guard against them. Further aspects of training can include
strong passwords and password-related best
practices and information about social engineering methods, to prevent them from
bending data-handling rules with good intentions and potentially disastrous results.

Integrity:

Integrity involves maintaining the consistency, accuracy, and trustworthiness of data
over its entire life cycle. Data must not be changed in transit, and steps must be
taken to ensure that data cannot be altered by unauthorized people (for example, after
a breach of confidentiality). These measures include file permissions and
user access controls. Version control may be used to prevent erroneous changes or
accidental deletion by authorized users from becoming a problem. In addition, some
means must be in place to detect any changes in data that might occur as a result of
non-human-caused events such as an electromagnetic pulse (EMP) or server crash.
Some data might include checksums, even cryptographic checksums, for verification
of integrity. Backups or redundancies must be available to restore the affected data
to its correct state.
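An added example (not part of the original notes) showing in Python the difference between
the kinds of checksum mentioned above: a plain CRC32 that catches accidental corruption, a
SHA-256 digest that also exposes deliberate edits as long as the digest itself is kept out of
reach, and an HMAC that nobody can recompute without the key. The record, the key and the
tampering scenario are constructed for the demo.

```python
import hashlib
import hmac
import zlib

# Constructed sample record standing in for a stored file or a message in transit.
SAMPLE_RECORD = b"account=1042;balance=250.00;currency=USD"

# Constructed demo key; a real key lives in a key store, never beside the data.
INTEGRITY_KEY = b"example-integrity-key-do-not-reuse"


def plain_checksum(data: bytes) -> int:
    """CRC32 detects accidental corruption (bit flips, truncated writes), but
    anyone who can alter the data can also recompute it, so it is not tamper-proof."""
    return zlib.crc32(data) & 0xFFFFFFFF


def crypto_checksum(data: bytes) -> str:
    """SHA-256 digest: finding a second input with the same digest is infeasible,
    so a digest kept out of band (e.g. in a signed manifest) exposes deliberate edits."""
    return hashlib.sha256(data).hexdigest()


def keyed_checksum(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag: only a holder of the key can produce a valid tag, so the
    tag may sit next to the data; an attacker cannot re-sign modified data."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed(data: bytes, key: bytes, tag: str) -> bool:
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(keyed_checksum(data, key), tag)


def flip_one_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate single-bit corruption of the kind a crash or an EMP might cause."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def store(data: bytes, key: bytes) -> dict:
    """Reference values computed at write time and kept with (or near) the data."""
    return {"crc32": plain_checksum(data),
            "sha256": crypto_checksum(data),
            "hmac": keyed_checksum(data, key)}


def check(data: bytes, stored: dict, key: bytes) -> dict:
    """Which of the stored reference values still agree with `data`."""
    return {"crc32_ok": plain_checksum(data) == stored["crc32"],
            "sha256_ok": crypto_checksum(data) == stored["sha256"],
            "hmac_ok": verify_keyed(data, key, stored["hmac"])}


def tamper_and_refresh(data: bytes, stored: dict) -> tuple:
    """An attacker with write access edits the balance and refreshes the unkeyed
    values stored beside it; the HMAC cannot be refreshed without the key."""
    tampered = data.replace(b"250.00", b"999.00")
    refreshed = dict(stored, crc32=plain_checksum(tampered),
                     sha256=crypto_checksum(tampered))
    return tampered, refreshed


if __name__ == "__main__":
    reference = store(SAMPLE_RECORD, INTEGRITY_KEY)
    print("intact:   ", check(SAMPLE_RECORD, reference, INTEGRITY_KEY))
    print("bit flip: ", check(flip_one_bit(SAMPLE_RECORD, 13), reference, INTEGRITY_KEY))
    print("tampered: ", check(*tamper_and_refresh(SAMPLE_RECORD, reference), INTEGRITY_KEY))
```

The bit-flip case is the non-human event the text mentions: all three checks catch it. The
tampering case is the unauthorized edit: the attacker who can rewrite the data can also
rewrite any unkeyed checksum stored next to it, so only the keyed tag (or a digest kept
somewhere the attacker cannot reach) still fails, and a backup is what restores the record.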

Availability:

Availability is best ensured by rigorously maintaining all hardware, performing
hardware repairs immediately when needed and maintaining a correctly functioning
operating system environment that is free of software conflicts. It’s also important to
keep current with all necessary system upgrades. Providing adequate
communication bandwidth and preventing the occurrence of bottlenecks are equally
important. Redundancy, failover, RAID and even high-availability clusters can mitigate
serious consequences when hardware issues do occur. Fast and adaptive disaster
recovery is essential for the worst-case scenarios; that capacity relies on the
existence of a comprehensive disaster recovery plan (DRP). Safeguards against
data loss or interruptions in connections must cover unpredictable events such as
natural disasters and fire. To prevent data loss from such occurrences,
a backup copy may be stored in a geographically isolated location, perhaps even in
a fireproof, waterproof safe. Extra security equipment or software such as firewalls
and proxy servers can guard against downtime and unreachable data due to
malicious actions such as denial-of-service (DoS) attacks and network intrusions.

Special challenges for the CIA triad:

Big data poses extra challenges to the CIA paradigm because of the sheer volume of
information that needs to be safeguarded, the multiplicity of sources it comes from
and the variety of formats in which it exists. Duplicate data sets and disaster
recovery plans can multiply the already high costs. Furthermore, because the main
concern of big data is collecting and making some kind of useful interpretation of all
this information, responsible data oversight is often lacking. Whistleblower Edward
Snowden brought that problem to the public forum when he reported on the NSA’s
collection of massive volumes of American citizens’ personal data.

Internet of Things privacy refers to the special considerations required to protect the
information of individuals from exposure in the IoT environment, in which almost any
physical or logical entity or object can be given a unique identifier and the ability to
communicate autonomously over the Internet or a similar network. The data
transmitted by a given endpoint might not cause any privacy issues on its own.
However, when even fragmented data from multiple endpoints is gathered, collated
and analyzed, it can yield sensitive information.

Session hijacking:

The Session Hijacking attack consists of the exploitation of the web session control
mechanism, which is normally managed by a session token.
Because HTTP communication uses many different TCP connections, the web server
needs a method to recognize every user’s connections. The most useful method
relies on a token that the web server sends to the client browser after a
successful client authentication. A session token is normally a string of
variable width, and it can be carried in different ways: in the URL, in the header of
the HTTP request as a cookie, in other parts of the HTTP request header, or in the
body of the HTTP request.
The Session Hijacking attack compromises the session token by stealing or
predicting a valid session token to gain unauthorized access to the web server.
Example 1: Session Sniffing

In this example, the attacker first uses a sniffer to capture a valid session token,
called the “Session ID”, and then uses that valid session token to gain
unauthorized access to the web server.

Example 2: Cross-site scripting attack

The attacker can compromise the session token by using malicious code or
programs running on the client side. The example shows how the attacker could use
an XSS attack to steal the session token. If an attacker sends the victim a crafted link
containing malicious JavaScript, the JavaScript runs when the victim clicks the link
and carries out the attacker’s instructions. The example in figure 3
uses an XSS attack to display the cookie value of the current session; using the same
technique it is possible to write JavaScript that sends the cookie
to the attacker.

How to prevent Session Hijacking?

As we have seen, a common way to steal the session ID is to plant malicious code on
the client side, which then steals the cookie. The best way to prevent session
hijacking is to enable protection on the client side, so preventive measures against
session hijacking are recommended there: users should run effective antivirus and
anti-malware software and keep it up to date.

There is a technique that uses engines which fingerprint all requests of a session.
In addition to tracking the IP address and SSL session ID, the engines also track the
HTTP headers. Each change in the headers adds penalty points to the session, and the
session is terminated as soon as the points exceed a certain limit. This limit can
be configured. This is effective because when a hijack occurs, the hijacker’s requests
will have a different HTTP header order.

These are the recommended preventive measures to be taken on both the client
and server sides in order to prevent the session hijacking attack.
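An added example (not from the original notes) of the server-side fingerprinting engine just
described, written in Python: each session remembers the IP address, TLS session ID,
User-Agent and header order seen on its first request; later requests that differ add penalty
points, and the session is terminated once the points exceed a configurable limit. The
penalty values, the limit and the sample requests are all chosen for this demo.

```python
from dataclasses import dataclass, field

# Penalty points per changed attribute and the configurable limit. The values are
# chosen for this demo; the text only says that the limit is configurable.
PENALTIES = {"ip": 4, "tls_session_id": 3, "user_agent": 3, "header_order": 2}
DEFAULT_LIMIT = 5


@dataclass
class Fingerprint:
    ip: str
    tls_session_id: str
    user_agent: str
    header_order: tuple  # header names in the order the client sent them

    @classmethod
    def from_request(cls, request: dict) -> "Fingerprint":
        headers = request["headers"]  # dict preserves the order the headers arrived in
        return cls(ip=request["ip"],
                   tls_session_id=request["tls_session_id"],
                   user_agent=headers.get("User-Agent", ""),
                   header_order=tuple(headers.keys()))

    def changes_from(self, other: "Fingerprint") -> list:
        return [name for name in PENALTIES if getattr(self, name) != getattr(other, name)]


@dataclass
class SessionState:
    fingerprint: Fingerprint  # what was seen on the session's first request
    points: int = 0
    terminated: bool = False


@dataclass
class FingerprintEngine:
    limit: int = DEFAULT_LIMIT
    sessions: dict = field(default_factory=dict)

    def observe(self, session_id: str, request: dict) -> dict:
        """Score one request against the session's first-seen fingerprint and
        return the decision: allow, terminate (limit exceeded) or reject."""
        fp = Fingerprint.from_request(request)
        state = self.sessions.get(session_id)
        if state is None:
            self.sessions[session_id] = SessionState(fp)
            return {"action": "allow", "points": 0, "changes": []}
        if state.terminated:
            return {"action": "reject", "points": state.points, "changes": []}
        changes = fp.changes_from(state.fingerprint)
        state.points += sum(PENALTIES[c] for c in changes)
        if state.points > self.limit:
            state.terminated = True
            return {"action": "terminate", "points": state.points, "changes": changes}
        return {"action": "allow", "points": state.points, "changes": changes}


def make_request(ip: str, tls_session_id: str, headers: dict) -> dict:
    return {"ip": ip, "tls_session_id": tls_session_id, "headers": headers}


# Constructed traffic: the legitimate browser, the same browser after a TLS
# renegotiation, and a second client replaying the same session cookie from a
# different address with its headers in a different order.
LEGIT = make_request("203.0.113.10", "tls-aa11", {
    "Host": "app.example", "User-Agent": "DemoBrowser/1.0",
    "Accept": "text/html", "Cookie": "SESSIONID=abc123"})
LEGIT_RENEGOTIATED = make_request("203.0.113.10", "tls-bb22", LEGIT["headers"])
REPLAYED = make_request("198.51.100.7", "tls-zz99", {
    "Host": "app.example", "Cookie": "SESSIONID=abc123",
    "Accept": "text/html", "User-Agent": "DemoBrowser/1.0"})


def demo(limit: int = DEFAULT_LIMIT) -> list:
    """Actions taken for the constructed request sequence under a given limit."""
    engine = FingerprintEngine(limit=limit)
    return [engine.observe("abc123", r)["action"]
            for r in (LEGIT, LEGIT, LEGIT_RENEGOTIATED, REPLAYED, LEGIT)]


if __name__ == "__main__":
    print(demo())          # a renegotiated TLS session alone stays under the limit
    print(demo(limit=20))  # a limit set too high lets the replayed cookie through
```

Note the trade-off the text implies: once the replayed request pushes the session over the
limit, the legitimate user’s next request is rejected too and they must log in again, which
is the intended outcome, so the limit has to be tuned so that ordinary changes (a TLS
session ID rotating, for instance) do not terminate sessions on their own.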

2)

ENCRYPTION/DECRYPTION:

Encryption is the process of converting a normal message (plaintext) into a meaningless
message (ciphertext), whereas decryption is the process of converting the meaningless
message (ciphertext) back into its original form (plaintext).

The major distinction between encryption and decryption is that encryption is the
conversion of a message into an unintelligible form that is undecipherable unless
decrypted, whereas decryption is the recovery of the original message from the
encrypted information.

Hashing for passwords Mail Security:

Storing passwords in cleartext is the equivalent of writing them down on a piece of digital
paper. If an attacker were to break into the database and steal the passwords table, the
attacker could then access each user account. This problem is compounded by the fact
that many users re-use or use variations of a single password, potentially allowing the
attacker to access other services different from the one being compromised. That all
sounds like a security nightmare.
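An added Python example (not from the original notes) of the alternative to the cleartext
table described above: each password is stored as a salted PBKDF2-HMAC-SHA256 record, two
users with the same password get different records, and a login check recomputes the hash and
compares it in constant time. The record layout and the iteration count are choices made for
this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Cost parameters assumed for this demo. Raise the iteration count as hardware
# gets faster; 16 random salt bytes per user make identical passwords hash differently.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
RECORD_ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest'
    (layout chosen for this example) instead of the cleartext password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{RECORD_ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the salt and iteration count stored in the record."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algo != RECORD_ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so a mismatch does not leak where it happened.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class UserStore:
    """Minimal password table: usernames map to hash records, never to passwords."""

    def __init__(self) -> None:
        self.records = {}

    def register(self, username: str, password: str) -> None:
        self.records[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self.records.get(username)
        if record is None:
            # Burn the same work so an unknown user cannot be told apart by timing.
            hash_password(password)
            return False
        return verify_password(password, record)

    def leaked_table(self) -> dict:
        """What an attacker would obtain by dumping this table."""
        return dict(self.records)


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery")
    store.register("bob", "correct horse battery")
    print(store.leaked_table())  # two different records, no password in either
    print(store.login("alice", "correct horse battery"), store.login("alice", "wrong"))
```

Because the salt is random per user, an attacker who dumps the table cannot see which users
share a password and has to attack every record separately; the iteration count makes each
guess cost the same amount of work the server spends on a login.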

Web Security:

Websites and web applications are just as prone to security breaches as physical homes,
stores, and government locations. Unfortunately, cyber crime happens every day, and great
web security measures are needed to protect websites and web applications from becoming
compromised.

That’s exactly what web security does – it is a system of protection measures and protocols
that can protect your website or web application from being hacked or entered by
unauthorized personnel. This integral division of Information Security is vital to the
protection of websites, web applications, and web services. Anything that is applied over
the Internet should have some form of web security to protect it.

Intrusion Detection System:

An intrusion detection system (IDS) is a system that monitors network traffic for suspicious
activity and issues alerts when such activity is discovered. While anomaly detection and
reporting is the primary function, some intrusion detection systems are capable of taking
actions when malicious activity or anomalous traffic is detected, including blocking traffic
sent from suspicious IP addresses.

Although intrusion detection systems monitor networks for potentially malicious activity,
they are also prone to false alarms (false positives). Consequently, organizations need to
fine-tune their IDS products when they first install them. That means properly configuring
their intrusion detection systems to recognize what normal traffic on their network looks
like compared to potentially malicious activity.
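An added example (not part of the original notes) of the kind of logic an IDS runs, in Python:
a port-sweep detector over constructed connection-attempt log lines, with the threshold and an
allowlist as the tuning knobs the paragraph above talks about. The log format, the addresses
and the threshold values are all constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection-attempt log (timestamp, source, destination:port, TCP flag).
# 198.51.100.9 touches nine ports in five seconds; 10.0.0.8 is an internal host that
# legitimately reaches three services; 10.0.0.5 is ordinary web traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 -> 10.0.0.7:443 SYN
2024-05-01T10:00:02 10.0.0.5 -> 10.0.0.7:443 SYN
2024-05-01T10:00:05 198.51.100.9 -> 10.0.0.7:21 SYN
2024-05-01T10:00:05 198.51.100.9 -> 10.0.0.7:22 SYN
2024-05-01T10:00:06 198.51.100.9 -> 10.0.0.7:23 SYN
2024-05-01T10:00:06 198.51.100.9 -> 10.0.0.7:25 SYN
2024-05-01T10:00:07 198.51.100.9 -> 10.0.0.7:80 SYN
2024-05-01T10:00:07 198.51.100.9 -> 10.0.0.7:110 SYN
2024-05-01T10:00:08 198.51.100.9 -> 10.0.0.7:143 SYN
2024-05-01T10:00:09 198.51.100.9 -> 10.0.0.7:443 SYN
2024-05-01T10:00:10 198.51.100.9 -> 10.0.0.7:3389 SYN
2024-05-01T10:00:30 10.0.0.8 -> 10.0.0.7:22 SYN
2024-05-01T10:00:31 10.0.0.8 -> 10.0.0.7:443 SYN
2024-05-01T10:00:32 10.0.0.8 -> 10.0.0.7:8080 SYN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")


def parse_log(text: str) -> list:
    """Turn log lines into event dicts, skipping anything that does not parse."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # a detector must tolerate lines it cannot parse
        ts, src, dst, port, flags = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "port": int(port), "flags": flags})
    return events


def max_distinct_ports(events: list, window: timedelta) -> int:
    """Largest number of distinct destination ports one source hit within any
    span of `window` length among its own events."""
    events = sorted(events, key=lambda e: e["ts"])
    best = 0
    for i, first in enumerate(events):
        in_window = {e["port"] for e in events[i:] if e["ts"] - first["ts"] <= window}
        best = max(best, len(in_window))
    return best


def detect_port_sweeps(events: list, window: timedelta = timedelta(seconds=10),
                       threshold: int = 8, allowlist: frozenset = frozenset()) -> list:
    """Alert on sources that probe at least `threshold` distinct ports within `window`.
    `threshold` and `allowlist` are the tuning knobs: derive them from what normal
    traffic looks like, or every admin workstation becomes a false positive."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in sorted(by_src.items()):
        if src in allowlist:
            continue
        count = max_distinct_ports(evs, window)
        if count >= threshold:
            alerts.append({"src": src, "distinct_ports": count, "rule": "port-sweep"})
    return alerts


def run(threshold: int = 8, allowlist: frozenset = frozenset()) -> list:
    return detect_port_sweeps(parse_log(SAMPLE_LOG), threshold=threshold,
                              allowlist=allowlist)


if __name__ == "__main__":
    print(run())                                   # only the sweeping source
    print(run(threshold=3))                        # untuned: internal host alerts too
    print(run(threshold=3, allowlist=frozenset({"10.0.0.8"})))  # tuned away
```

Running it with threshold=3 reproduces the false-positive problem from the text (the internal
host 10.0.0.8 is flagged for three legitimate connections); raising the threshold or adding
the host to the allowlist is the tuning step an organization performs after installation.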

FIREWALL:

A firewall is software or firmware that enforces a set of rules about what data packets will
be allowed to enter or leave a computer network. A firewall's main purpose is to filter traffic
and lower the risk that malicious packets traveling over the public internet will be able to
impact the security of a private network. Firewalls are incorporated into a wide variety of
networked devices and may also be purchased as stand-alone software applications.

The term firewall is a metaphor that compares a type of physical barrier that's put in place
to limit the damage a fire can cause with a virtual barrier that's put in place to limit damage
from an external or internal cyberattack. When located at the perimeter of a network, a
firewall provides low-level network protection, as well as important logging and auditing
functions.
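An added Python example (not from the original notes) of the packet-filtering rules a firewall
enforces: a small ruleset evaluated with first-match semantics and a default of deny, plus the
audit line a perimeter firewall would log for each decision. The addresses, the ruleset and
the packets are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    direction: str        # "in" (entering the private network) or "out"
    proto: str            # "tcp", "udp", "icmp" or "any"
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    dport: Optional[int]  # destination port, None for any
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: list, pkt: Packet, default: str = "deny") -> tuple:
    """First matching rule wins; anything no rule mentions gets the default
    (deny), which is what keeps an unlisted service from being reachable."""
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, index
    return default, None


def log_line(rules: list, pkt: Packet) -> str:
    """Perimeter firewalls also log and audit; this renders one auditable line."""
    action, index = evaluate(rules, pkt)
    reason = rules[index].comment if index is not None else "default policy"
    return (f"{action.upper()} {pkt.direction} {pkt.proto} {pkt.src} -> "
            f"{pkt.dst}:{pkt.dport} ({reason})")


# Constructed ruleset for one public host 203.0.113.10 administered from
# 198.51.100.0/24. Order matters: the anti-spoofing deny comes first so that a
# later allow cannot admit a private address arriving from the outside.
RULESET = [
    Rule("deny", "in", "any", "10.0.0.0/8", "0.0.0.0/0", None,
         "private source address arriving from outside (spoofed)"),
    Rule("allow", "in", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443, "public HTTPS"),
    Rule("allow", "in", "tcp", "198.51.100.0/24", "203.0.113.10/32", 22,
         "SSH only from the admin network"),
    Rule("allow", "out", "any", "203.0.113.0/24", "0.0.0.0/0", None,
         "outbound from our hosts"),
]


if __name__ == "__main__":
    for pkt in (Packet("in", "tcp", "8.8.8.8", "203.0.113.10", 443),
                Packet("in", "tcp", "8.8.8.8", "203.0.113.10", 22),
                Packet("in", "tcp", "198.51.100.5", "203.0.113.10", 22),
                Packet("in", "tcp", "10.1.2.3", "203.0.113.10", 443)):
        print(log_line(RULESET, pkt))
```

The two things worth taking from the ruleset are that rule order decides the outcome (swap
the first two rules and the spoofed packet would be allowed as HTTPS) and that the default
policy, not an explicit rule, is what blocks SSH from the public internet.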

GATEWAY MALWARE DETECTOR:

Modern malware is evolving at an extremely rapid pace. In fact, a new malware sample is
created nearly every second. Due to the dynamic landscape of ever-growing malware variants,
traditional antivirus solutions are becoming less effective, unable to detect and block
unknown malware before it can infiltrate and compromise an organization’s network and
systems, which drives the need for a more comprehensive solution. Cisco Systems, Check Point
Software and Fortinet have invested in providing cost-effective solutions that are easily
managed, so that little effort is required to provide critical protection of your
organization’s devices.

ANTIVIRUS:

Antivirus software is a class of program designed to prevent, detect and
remove malware infections on individual computing devices, networks and IT systems.

Antivirus software, originally designed to detect and remove viruses from computers, can
also protect against a wide variety of threats, including other types of malicious software,
such as keyloggers, browser hijackers, Trojan
horses, worms, rootkits, spyware, adware, botnets and ransomware.

Antivirus software typically runs as a background process, scanning computers, servers or
mobile devices to detect and restrict the spread of malware. Many antivirus software
programs include real-time threat detection and protection to guard against potential
vulnerabilities as they happen, as well as system scans that monitor device and system files
looking for possible risks.

VULNERABILITY ASSESSMENT:

A vulnerability assessment is the process of defining, identifying, classifying and prioritizing
vulnerabilities in computer systems, applications and network infrastructures and providing
the organization doing the assessment with the
necessary knowledge, awareness and risk background to understand the threats to its
environment and react appropriately.

A vulnerability assessment process that is intended to identify threats and the risks they
pose typically involves the use of automated testing tools, such as network security
scanners, whose results are listed in a vulnerability assessment report.

A vulnerability assessment provides an organization with information on the security
weaknesses in its environment and provides direction on how to assess the risks associated
with those weaknesses and evolving threats. This process offers the organization a better
understanding of its assets, security flaws and overall risk, reducing the likelihood that
a cybercriminal will breach its systems and catch the business off guard.

3)

1. Bolster Access Control

Access control is an important part of security. Weak access control leaves your data and
systems susceptible to unauthorized access.

Boost access control measures by using a strong password system. You should have a mix of
uppercase and lower case letters, numbers, and special characters. Also, always reset all
default passwords.

Finally, create a strong access control policy.

2. Keep All Software Updated

As pesky as those update alerts can be, they are vital to your network’s health.

From anti-virus software to computer operating systems, ensure your software is updated.
When a new version of software is released, the version usually includes fixes for security
vulnerabilities.

Manual software updates can be time-consuming. Use automatic software updates for as
many programs as possible.

3. Standardize Software

Keep your systems protected by standardizing software. Ensure that users cannot
install software onto the system without approval.

Not knowing what software is on your network is a huge security vulnerability. Make sure
that all computers use the same:

Operating system
Browser
Media player
Plugins

Standardization also makes system updates less of a hassle.

4. Use Network Protection Measures

Protecting your network is crucial. To keep your network and its traffic secured:

Install a firewall
Ensure proper access controls
Use IDS/IPS to track potential packet floods
Use network segmentation
Use a virtual private network (VPN)
Conduct proper maintenance

5. Employee Training

Sometimes external threats are successful because of an insider threat. The weakest link in
data protection can be your own employees.

Ensure your employees understand network security. Your employees should be able to
identify threats. They should also know who to contact to avoid a security breach.

Provide security training throughout the year, and be sure to update it. There are new
security risks every day.

Security policy first: At minimum your security policy should include procedures to
prevent and detect misuse as well as guidelines for making and designing software.

Don’t neglect physical security: Assign an individual or team to oversee physical
security in your facilities. Meet with them frequently to review policies, and make sure to
educate your employees on the importance of physical security as well. The extra effort to
fortify physical security can help curtail breaches that could be devastating to your
organization.

Use strong authentication: Strong authentication is often confused with two-factor
authentication or more generally multi-factor authentication. However, strong
authentication is not necessarily multi-factor authentication. Soliciting multiple answers to
challenge questions may be considered strong authentication but, unless the process also
retrieves 'something you have' or 'something you are', it would not be considered
multi-factor authentication.

Segment LAN: A section of a local area network that is used by a particular workgroup or
department and separated from the rest of the LAN by a bridge, router or switch. Networks
are divided into multiple segments for security and to improve traffic flow by filtering out
packets that are not destined for the segment.

4)

UNDO/REDO:

Users make mistakes all the time, especially with highly developed and optimized user
interfaces, where small graphical gestures have powerful effects. Most of the time, they
realize their mistakes immediately afterward, because the screen gets updated with the
new application state and the result does not match their expectations. A fundamental
requirement for any modern application is the ability to cancel operations immediately
through an “undo” action and to “redo” them if it turns out that the effect was desired after
all. This section discusses the established technique for solving this challenge: The
application maintains a list of incremental and undoable changes to the model. We first
consider a minimal version to highlight the technique, then we briefly examine various
implementations within the Eclipse platform to get an overview of practical issues involved.
When multiple users can edit the same document simultaneously, a multi-user undo is
needed. Global multi-user undo reverts the latest action made to the document, regardless
of who performed the edit. Local multi-user undo only reverts actions done by the local
user, which requires a non-linear undo implementation.

Where undo can be used to backtrack through multiple edits, the redo command goes
forward through the action history. Making a new edit usually clears the redo list. If a
branching redo model is used, the new edit branches the action history.

The number of previous actions that can be undone varies by program, version, and
hardware or software capabilities. For example, the default undo/redo stack size in Adobe
Photoshop is 20 but can be changed by the user. As another example, earlier versions
of Microsoft Paint only allowed up to three edits to be undone; the version introduced in
Windows 7 increased this limit to 50.
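An added example (not part of the original notes, and not the Eclipse implementation the text
refers to) of the minimal version of the technique in Python: the application keeps a bounded
list of incremental, reversible changes, undo pops the newest one onto a redo list, and a new
edit clears the redo list. The text document, the two command types and the stack size are
chosen for this demo.

```python
from collections import deque


class Command:
    """One incremental, reversible change to the model (here, a text document)."""

    def apply(self, doc: str) -> str:
        raise NotImplementedError

    def revert(self, doc: str) -> str:
        raise NotImplementedError


class Insert(Command):
    def __init__(self, pos: int, text: str) -> None:
        self.pos, self.text = pos, text

    def apply(self, doc: str) -> str:
        return doc[:self.pos] + self.text + doc[self.pos:]

    def revert(self, doc: str) -> str:
        return doc[:self.pos] + doc[self.pos + len(self.text):]


class Delete(Command):
    def __init__(self, pos: int, length: int) -> None:
        self.pos, self.length = pos, length
        self.removed = ""  # captured on apply so that revert can restore it

    def apply(self, doc: str) -> str:
        self.removed = doc[self.pos:self.pos + self.length]
        return doc[:self.pos] + doc[self.pos + self.length:]

    def revert(self, doc: str) -> str:
        return doc[:self.pos] + self.removed + doc[self.pos:]


class Editor:
    """Holds the model plus the list of undoable changes. history_limit is the
    configurable stack size mentioned above (20 is the Photoshop default)."""

    def __init__(self, text: str = "", history_limit: int = 20) -> None:
        self.text = text
        self.undo_stack = deque(maxlen=history_limit)  # oldest change falls off
        self.redo_stack = []

    def execute(self, cmd: Command) -> None:
        self.text = cmd.apply(self.text)
        self.undo_stack.append(cmd)
        self.redo_stack.clear()  # a new edit discards the redo history

    def undo(self) -> bool:
        if not self.undo_stack:
            return False  # nothing left to undo (or it fell off the bounded stack)
        cmd = self.undo_stack.pop()
        self.text = cmd.revert(self.text)
        self.redo_stack.append(cmd)
        return True

    def redo(self) -> bool:
        if not self.redo_stack:
            return False
        cmd = self.redo_stack.pop()
        self.text = cmd.apply(self.text)
        self.undo_stack.append(cmd)
        return True


if __name__ == "__main__":
    editor = Editor("", history_limit=3)
    for i, ch in enumerate("abcd"):
        editor.execute(Insert(i, ch))
    while editor.undo():
        print(editor.text)  # abc, ab, a -- the first insert is beyond the limit
```

The bounded deque is the only thing that distinguishes the "three edits" of early Paint from
the "50" of Windows 7: everything else about the technique is the same two stacks.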

Undo is one of the most essential features in any real rich application experience. In many
cases, your user has already turned these commands into reflexes, automatically hitting the
proper keys and expecting the right thing to happen. Unfortunately, this is often left
unimplemented by developers when making the transition from the desktop to the web,
serving as a rude awakening to your users when they make a mistake that can’t be undone.
It makes sense that this doesn’t receive the attention it deserves, since the actual
functionality of your application should obviously come first, and it doesn’t help that
implementing these features from scratch can be quite difficult. However, they add a
necessary amount of polish that you should seriously consider adding to your web
application.

Built-in support can allow you to plug undo and redo right in by adding just a few lines of
code. In this tutorial, we will be exploring how to add sophisticated undo and
redo support to a graphical application in the browser. We won’t be creating the entire
application from scratch, however, but instead building off of an existing example. We’re
doing this for two reasons. For starters, we don’t want to get distracted from our main task
by having to wade through unrelated code. Instead we’ll simply review whatever code we
need to as we get to it. More importantly, the sample provided is complex enough to serve
as a true real-world example, as opposed to the contrived code we’d be forced to put
together in the limited scope of space and time of this tutorial. This also has the benefit of
displaying the modular nature of undo support in web applications, and how we can add it
to an application without knowing every detail of its implementation.
