Introduction to Security
Introduction to Security
Security Objectives – The CIA Triad: Foundational model for information security. It defines the three core objectives of securing systems and data:
Confidentiality: Ensures that sensitive data is accessed only by authorized users.
Example: HTTPS encrypts data between browser and server to prevent eavesdropping.
Integrity: Guarantees that information remains accurate, consistent, and unaltered except by authorized users.
Example: Digital signatures verify that files have not been tampered with after signing.
Availability: Ensures that systems and data are accessible to authorized users when needed.
Example:A Denial-of-Service (DoS) attack violates availability by flooding a server with requests and making it inaccessible.
Threats and Attacks
Threats: Potential causes of unwanted incidents that may harm a system (e.g., vulnerabilities, malicious actors).
Example: A flaw in outdated software may be exploited by hackers.
Attacks: Actual attempt to gain unauthorized access, disrupt, or damage a system..
Types of Attacks:
Passive Attacks: Do not alter data or system resources.
Aim to eavesdrop or gather information.
Example: Packet sniffing to intercept unencrypted network traffic.
Active Attacks: Involve modifying, disrupting, or destroying data or system functionality.
Example: Man-in-the-middle (MITM) attacks intercept and alter messages between two parties.
Other active attacks include Denial-of-Service (DoS), malware infections, and data tampering.
Insider Threats: Originates from within the organization (intentional or accidental misuse of access).
Outsider Threats: External attackers trying to breach systems remotely
Security Mechanisms
Cryptography: Converts plain text into unreadable form(cipher text) to ensure confidentiality.
Symmetric Key Encryption: Same key for encryption/decryption.
Uses the same secret key for both encryption and decryption.
Requires secure key distribution since both parties must share the key.
Cons: Faster but less secure if the key is compromised.
Example: AES (Advanced Encryption Standard)
Asymmetric Key Encryption: Public and Private Key pair.
Uses a key pair: a public key for encryption and a private key for decryption.
Example: RSA
Pros: Secure key exchange as compromising the public key does not expose the private key.
Cons: Slower than symmetric.
Hash Functions: One-way function that converts data into a fixed-length string (hash).
Irreversible and used for data integrity.
Example: SHA-256 used in digital signatures and blockchain.
Authentication: Verifies the identity of users/systems.
Methods: Passwords, OTPs, Biometrics, Digital Certificates.
Access Control: Restricts access based on identity or role.
Models: RBAC, ABAC
Goal: Enforce least privilege.
Auditing and Logging
Maintains logs of system and user activities.
Helps detect intrusions, unauthorized access, and policy violations.
Access Control Models
Access control models define how permissions are assigned and enforced to regulate who can access resources in a system.
Access Control Matrix: A table that maps users (subjects) to resources (objects) and their permissions.
Models:
DAC (Discretionary Access Control): Users control access to their own resources.
Example:File permission settings in Windows - manually grant read/write access to others.
MAC (Mandatory Access Control): System-enforced rules
Each file or resource has a security label (like “Confidential” or “Top Secret”).
Each user has a clearance level (like “Secret” or “Top Secret”).
We can only access something if your level matches or is higher than the resource’s label.
We can’t change who can access your files - the system decides that.
Example: In a company's HR system:
Employee salary details are marked as "Private".
Only people in the HR department are allowed to see these files.
Even if someone from HR creates the file, they can’t give access to someone in another department.
The system automatically blocks access based on the rules set by the company.
RBAC (Role-Based Access Control)
Access is based on a user’s role in the organization.
Example: Admins have more privileges than regular users.
Security Policies and Models
Bell-LaPadula Model (Confidentiality Focus): Enforces data confidentiality, preventing unauthorized disclosure of information.
Key Principles:
No Read Up: Lower-level users can't access higher-level info.
No Write Down: Higher-level users can't write to lower-level objects.
Biba Model (Integrity Focus): Ensures data integrity by preventing unauthorized or improper modification of data.
Key Principles:
No Read Down: Trusted users shouldn't read less trustworthy data.
No Write Up: Less trustworthy users can't modify high-integrity data.
Clark-Wilson Model (Commercial Integrity Focus)
Enforces well-formed transactions and separation of duties.
Subjects cannot directly manipulate data; all changes must go through controlled transactions.
Example: One person enters a transaction, another approves it.
System and Network Security
Firewalls: Filter incoming and outgoing traffic based on rules.
Example: Block unknown ports, allow only known applications.
Intrusion Detection Systems (IDS): Detects suspicious activity. Types:
Signature-based: It has a list of known attack patterns (signatures).
If something matches one of those patterns, it's flagged as a threat.
Example: Detects a virus if it matches a known virus file.
Anomaly-based: Detects deviations from normal behavior.
Learn what is “normal behavior” for users or systems.
It raises an alert when something unusual or unexpected happens.
Example: If a user logs in at 3 a.m. from another country, the IDS may raise a warning.
Secure Protocols: These are safe ways of sending data over a network so others can’t spy or steal it. Examples:
SSL/TLS – Secures websites (HTTPS). Encrypts data between your browser and the website.
SSH – Secure way to remotely access a computer or server.
OS Hardening: This means making your computer’s operating system more secure by:
Disabling unused services.
Applying security patches.
Applying strict security settings and rules.
Malware and Cyber Threats
Malware stands for malicious software, programs made to harm, steal, or control computers or data.
Types of Malware:
Virus: A virus is a harmful program that hides inside normal files or apps.
Spreads when the infected file is opened.
Worm: Spreads automatically across networks, without needing user action.
Can slow down or crash systems.
Trojan Horse: Pretends to be a legitimate program but actually contains harmful code.
Tricks the user into installing it.
Spyware: Secretly watch your activity.
Can steal passwords, credit card info, or track what we do online.
Ransomware: Locks or encrypts your files, then demands money to unlock them.
Often spreads via email links or infected websites.
Defense Mechanisms:
Antivirus software: Scans and removes known malware.
Regular patching: Keeps software up to date to fix security holes.
Backups: Regularly saving the data ensures we can recover files if ransomware strikes.
Firewalls: Block unwanted or dangerous network traffic.
Web Security
Common attacks:
SQL Injection: Injecting malicious SQL via input fields.
It can be used to steal, delete, or change data.
Fix: Use parameterized queries.
XSS (Cross-Site Scripting): Injecting malicious JavaScript into web pages.
These scripts run in the browser of anyone who views the page — can steal cookies, show fake content, or redirect users.
Fix:
Escape output before showing user data in the browser.
Validate user input to block scripts.
CSRF (Cross-Site Request Forgery): Forces users to perform unwanted actions.
Fix: Use CSRF tokens, which are unique keys added to forms to verify the request is genuine.
Secure Coding Practices:
Input validation: Check and clean all user inputs (e.g., forms, URLs) to block bad data.
Output encoding: Convert data before showing it in the browser to prevent script attacks.
Using HTTPS: Encrypt all data between the user and website to prevent spying or tampering.
Legal and Ethical Aspects
Understanding the rules and responsibilities around using technology safely and legally.
Cybercrime Laws: These are laws that punish Illegal activities: hacking, identity theft, data breaches.
Consequences: Fines, imprisonment.
Example: Accessing someone’s email or bank account without permission is a cybercrime.
Intellectual Property (IP): Protects original work: code, design, inventions. Types:
Copyright – for code, websites, etc.
Patents – for new inventions or tech methods.
Trade secrets – business secrets
Example: Copying someone’s app or code without permission is an IP violation.
Ethical Hacking: Authorized penetration testing to identify vulnerabilities.
Privacy: It’s about respecting and protecting users' personal data.
Laws like GDPR (in Europe) require:
Getting user consent.
Clearly explaining how data is used.
Keeping user data safe.
Authentication & Authorization
Security Foundations: Security in web apps is built on two main pillars:
Authentication: It verifies the identity of the user or client.
Example: Logging in with username and password.
Authorization: It defines permissions for the authenticated user.
Example: An admin can delete a user, but a regular user cannot.
Basic Authentication: A client sends an Authorization header. The credentials are Base64-encoded, not encrypted:
Authorization: Basic <Base64(username:password)>
Security Implications:
Use only over HTTPS to avoid interception.
Vulnerable if credentials are exposed.
Does not support multi-factor authentication.
Still useful for:
Internal services
Simplicity
Quick testing
API Keys: A long, unique alphanumeric token used to authenticate applications, not users. Sent via:
URL query: ?api_key=XYZ
Header: Authorization: API-Key XYZ
Security Best Practices:
Do not hardcode API keys in frontend code.
Store them in .env files or secure vaults.
Use scopes for role-based access (e.g., read-only, admin).
Rotate keys regularly.
Always use HTTPS.
Useful for:
Third-party APIs (Google Maps, Stripe)
Server-to-server communication
Token-Based Authentication: Token-based systems allow stateless interactions.
Concepts:
Once authenticated, users receive a token.
The token is sent in subsequent requests.
The server validates it without storing session data.
Types:
Opaque Tokens: Random strings, meaningless to clients.
Must be validated on the server via introspection.
Structured Tokens (e.g., JWT): Contain readable metadata (e.g., user ID, roles).
Self-contained and don’t require server-side lookup.
JWT – JSON Web Tokens: A compact, URL-safe token format to securely transmit user info.Commonly used for: Authentication, Authorization, Single Sign-On (SSO)
JWT Structure:
header.payload.signature
Header: Specifies algorithm and type.
{ "alg": "HS256", "typ": "JWT" }
Payload (Claims): Contains user identity and roles.
{ "sub": "1234567890", "name": "John Doe", "admin": true }
Signature: Ensures the token hasn't been tampered with. Generated using:
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )
JWT Best Practices:
Do not store sensitive info (e.g., passwords).
Set expiration (exp) to limit token life.
Use HTTPS to transmit tokens.
OAuth 2.0 – Delegated Authorization: An open standard for third-party access without sharing credentials.
You can allow apps (like LinkedIn or Spotify) to access your Facebook or Google data without giving them your password.
OAuth Components:
Component
Role
Resource Owner
The user (data owner)
Client
The app requesting data
Authorization Server
Issues tokens
Resource Server
API that holds protected data
Scopes
The level of access requested (e.g., email, profile, admin)
OAuth Flows (Grant Types):
Authorization Code Flow: Most secure, used by server-side web apps. Steps:
App redirects to login.
Authorization code returned to app.
App exchanges code for access token.
Implicit Flow (deprecated): Tokens returned via browser.
Used in SPAs.
Vulnerable to token theft — avoid unless necessary.
Client Credentials Flow: For machine-to-machine (M2M) systems.
No user involved.
Use case: background jobs, cron scripts.
Resource Owner Password Flow (legacy): User submits username/password to the client.
Now considered insecure; avoid in favor of other flows.
Device Code Flow: For devices without browsers (e.g., TVs).
User logs in on a separate device, then code is confirmed on TV.
Authorization Code with PKCE: Adds proof-of-possession layer for SPAs and mobile apps.
Prevents code interception attacks.
Tokens in OAuth
Access Tokens: Short-lived tokens used to access resources.
Refresh Tokens: Used to get new access tokens without logging in again.
Tokens are usually JWTs, but not required to be.
Pseudo-Authentication & OpenID Connect: OAuth is for authorization, not authentication. But many apps tried to use it to identify users = pseudo-authentication
OIDC: Built on top of OAuth 2.0. Adds:
id_token (contains user identity)
userinfo endpoint
Benefits of OIDC:
Proper authentication layer
Supports SSO, profile access
Standard for modern identity systems
Tools & Libraries
Tech
Purpose
JWT.io
Inspect JWTs
OAuth 2.0 Playground
Test OAuth flows
Auth0
Auth-as-a-Service
Passport.js
Authentication for Node.js
Keycloak
Open-source identity and access management
Last updated