Nt1310 Unit 3 Data Management Information System

Using weak passwords, Unencrypted data storage, passing clear text credentials over the network, using weak authentication mechanisms, allowing prolonged session lifetime Access to credentials through data theft, access to authenticated user session, attacker can do network eavesdropping, brute force attacks, dictionary attacks, cookie replay attacks Use strong password policies, do not store credentials in insecure manner, use authentication mechanisms, encrypt communication channels, use secure HTTP(HTTPS) only with Forms authentication cookies Storing secrets in clear text in files, registry, or configuration, Passing sensitive data in clear text over networks, Storing secrets when you do not need to Attacker Network eavesdropping, configuration file sniffing, attacker can read sensitive data out of memory or from local files Confidentiality Do not store secrets in software, Encrypt sensitive data over the network, Secure the channel, Encrypt sensitive data in configuration files Outdated security patch, using vulnerable old version of software, downloading from or browsing un-trusted web-sites, antivirus without latest updates, disabled firewall Hacker Stealing or hacking of personal devices, malware or virus, eavesdropping, sniffing through endpoints, web Session Hijacking Device management
Use least-privileged accounts, consider the granularity of access, enforcing separation of privileges, secure the system resources against system identities DB system having multiple administrators Using insecure custom administration interfaces, insecure configuration of files on the server, storing sensitive information in the clear text form, using overprivileged process accounts and service accounts Hacker Unauthorized access to configuration stores, Retrieval of clear text configuration secrets Encrypt sensitive sections of configuration files, secure settings for various operations of web services using configuration files, usage of access control lists