DEV Community: maerih

Security as a Service.

maerih — Fri, 10 Jun 2022 22:07:44 +0000

Whether you understand cloud computing or not, if you are savvy enough to use a smartphone or a laptop, chances are you already use cloud computing services. For example, if you have used Amazon.com or any Google Application or Microsoft 365 Suite or even streamed movies and songs online - you have used cloud computing services.

Microsoft defines cloud computing as the "delivery of computing services—including servers, storage, databases, networking, software, analytics, and intelligence—over the Internet ("the cloud") to offer faster innovation, flexible resources, and economies of scale. You typically pay only for cloud services you use, helping you lower your operating costs, run your infrastructure more efficiently, and scale as your business needs change." Basically, companies can use the services mentioned above through the internet as opposed to their on-premise server.

Due to lower operating costs and other efficiency factors, most companies, no matter the size, are quickly migrating to the cloud (Is cloud really Secure?). This has led to many criticalities arising in the management of cloud architecture. Specifically, the security aspect needs utmost attention, mainly in application domains where integrity, privacy, and confidentiality of information must be guaranteed.
What is Security as a Service (SECaaS)?

Wikipedia describes Security as a Service (SECaas) as a "business model in which a service provider integrates their security services into a corporate infrastructure on a subscription basis." This security as a service is generally more cost-effective than most corporations provide on their own when the total cost of ownership is considered. To understand, consider SECaaS as a SaaS (Software as a Service) model where the service provider offers cybersecurity-focused services to aid with customer's networks and IT systems.
Why You Need Security as a Service (SECaaS)?

According to IDC's Cloud computing study, 92% of organizations have at least some part of their IT environment as cloud-based. Added to that, more than 55% of the organizations currently use multiple public clouds. The survey also found that Technology decision-makers believed privacy and security challenges to be the major hurdles preventing them from taking full advantage of their public clouds. 'The State of Cloud Security 2020', a survey by Sophos, found almost 2/3rd of the organizations (70%) hosting data/workloads in the public cloud experienced a security incident. Moreover, Multi-cloud organizations reported more security incidents than those using only a single platform.
Types of SECaaS:

A lot of work has been done regarding the security of the cloud and the data within it. However, there was still a dearth of best practices guidelines to follow during developing and implementing an elastic cloud model. The Cloud Security Alliance (CSA) solved this problem by breaking the SECaaS into various categories:
Identity and Access Management (IAM):

IAM provides controls for access intelligence, identity verification and access management. It includes processes such as provisioning/de-provisioning of accounts, directory services, authentication, token management etc
THREATS ADDRESSED:

Identity theft
Unauthorized access
Privilege escalation
Insider threat
Non-repudiation
Excess privileges / excessive access
Delegation of authorizations/entitlements fraud
Data Loss Prevention:

This is a preventive measure that mainly ensures that data (structured and unstructured) remains under control. It deals with monitoring, protecting, and verifying the security of data in the cloud and on-premises. Its functionalities include- data labeling & classification, identification of sensitive data, Structured data matching, SQL regular expression detection etc.
THREATS ADDRESSED:

Data loss/leakage
Unauthorized access
Malicious compromises of data integrity
Data sovereignty issues
Regulatory sanctions and fines
Web Security:

This is a reactive and real-time protection mechanism against online applications offered via the cloud by redirecting web traffic to the cloud provider. It provides services like web filtering, spyware & bot network analyzer, phishing site blocker, email security etc
THREATS ADDRESSED

Keyloggers
Domain Content
Malware
Spyware
Bot Network
Phishing
Virus
Bandwidth consumption
Data Loss Prevention
Spam
Email Security:

As the name suggests, email security provides control over inbound and outbound emails, thus helping in enforcing corporate policies. Its functionalities include accurate filtering to block spam, flexible policies to define mail flow, encryption, etc.
THREATS ADDRESSED

Phishing
Intrusion
Malware
Spam
Address spoofing
Security Assessments:

These are audits of cloud services or assessments of on-premises systems via cloud-provided solutions generally done by third parties. Some of the features are Risk management, compliance, technical compliance audits, application security assessments etc
THREATS ADDRESSED

Inaccurate inventory
Lack of continuous monitoring
Lack of correlation information
Lack of complete auditing
Failure to meet/prove adherence to Regulatory/Standards Compliance
Insecure / vulnerable configurations
Insecure architectures
Insecure processes/processes not being followed
Intrusion Management:

This process uses pattern recognition to detect and react to statistically unusual events to stop/prevent an intrusion in real-time. Generally, it provides identification of intrusions & policy violations, automatic/manual remedy actions, updates to address new vulnerabilities & exploits.
THREATS ADDRESSED

Intrusion
Malware
Security, Information and Event Management (SIEM):

This is a detection process in which the systems accept log/event information. This information is then analyzed and is used to report and alert on events that may require intervention. It provides real-time log & event correlation, forensic support, log normalization, compliance reporting etc
THREATS ADDRESSED

Insecure Interfaces and APIs
Malicious Insiders
Shared Technology Issues
Data Loss and Leakage
Account or Service Hijacking
Unknown Risk Profile
Fraud
Abuse and Nefarious Use
Encryption:

This process makes the data indecipherable by managing encryptions, hashing, digital signatures, key exchanges etc. Its functionalities include- data protection, data validation, message authentication, data time-stamping, code signing, forgery detection etc
THREATS ADDRESSED

Failure to meet Regulatory Compliance requirements
Mitigating insider and external threats to data
Intercepted clear text network traffic
Clear text data on stolen/disposed of hardware
Reducing perceived risks
Network Security:

This refers to various services that help in distributing, managing, and monitoring security controls in a network. The functionalities are traffic/NetFlow monitoring, security monitoring, data threats, access control threats, security gateways, DoS protection/mitigation etc
THREATS ADDRESSED

Data Threats
Access Control Threats
Application Vulnerabilities
Cloud Platform Threats
Regulatory, Compliance & Law Enforcement

A hughes systique infographic with benefits of Security as a service(SECaaS)
Benefits of SECaaS
Professional Expertise:

Many organizations lack domain knowledge or simply struggle to train in-house security professionals for various reasons. SECaaS providers are highly skilled, domain expert technicians who help enterprises enhance their security capabilities.
Knowledge sharing:

Generally, SECaaS providers will be servicing multiple clients simultaneously. So, when any issue arrives with one client, the remedy for that kind of threat can be used as a preemptive defense strategy for other clients as well.
Deployment flexibility:

As SECaaS is itself a cloud-native model, it is probably the best suited to handle evolving workplaces and cloud migrations. It can manage flexible deployment models without the complexity of multi-site hardware installations.
Extra layer of protection:

SECaaS acts as a preventive service to intercept various attacks before they hit the enterprises. For example, it adds an extra layer of Firewall or spam filters between the organization and attackers.
Scaling and cost:

Flexible cost of the SECaaS services allow enterprises to pay only for the services they use. This helps them concentrate on their core competencies while leaving the security concerns to the experts.

Since many companies are adopting cloud technologies but are still ill-informed about the security aspect, they need their service providers to look after their Cloud Security needs. There are various cloud security issues such as data breaches, distributed denial of services attacks, phishing scams, etc that SECaaS providers can efficiently address. Also, developing in-house cloud security experts is costly and requires regular upskilling and training of the employees (Importance of Cloud Migration). Partnering with a trusted SECaaS service provider can help organizations focus on their core business area while the partner will help keep their digital assets secure

Organization Password Best Practices.

maerih — Fri, 10 Jun 2022 21:58:43 +0000

OPBP Best Practices

Remote working has impacted the world of cybersecurity in multiple ways. Remote workers are often not protected by enterprise-level security and so are more prone to cyberattack. The FBI reported a 300% increase in cybercrimes since the pandemic began, and remote work has increased the average cost of a data breach substantially.

Employees working from home are also distracted –

“47% of remote workers cited distraction as the reason for falling for a cyberattack.”

In other words, if you do not have a plan in place to mitigate these risks, you are setting yourself up for a potentially devastating cybersecurity breach.

One simple way to protect your organization from breaches is to apply a strong password policy at all levels of the organization, and enforce it by implementing a secure password policy management solution (PPM).

Here are some password policy best practices you may find useful.

Increase password length and strength

Brute force attacks try all possible combinations of characters to arrive at the password. A 6 string password with only upper or lower case letters can be cracked in 8 seconds. An 18 character password with upper and lower case letters, numbers and symbols can take 1 quintillion years to crack! By adding a special character, combining both upper and lower case letters or adding numbers, encryption can be much more secure.

The full strength of the Advanced Encryption Standard (AES) comes to bear when users create passwords of 32 characters for 128-bit encryption and 64 characters for 256-bit encryption. However, passwords of around 10 characters are strong enough for most applications.

Simplify as much as possible

A password made of only numbers has 10 options for each character in the string, one made of numbers and letters has 36 options, and if you include special characters that adds another 32 possible characters for each spot in the string. This makes it more challenging for brute force attacks to be successful. Complexity in terms of the kind of characters that can be used in the password is, therefore, an advantage.

However, do not mandate the usage of these different kinds of characters. This can lead to frustration and reuse of the same password with minor character substitutions (P@ssword or Passw0rd, for example). This is especially the case when the policy also demands frequent changes of password. If the old password is compromised, such minor variations will be relatively easy to guess, too.

To mitigate this risk, don’t mandate the use of special characters and reduce the frequency of mandatory password reset to approximately once a year. A long password using only lowercase letters is more secure than a short one which is a variant of an older password.

Do not allow password reuse

Do not allow reuse of earlier passwords during periodic password reset to increase security. Train your staff not to use minor variations of their earlier passwords, and instead look for completely different passwords.

Also train staff on the risks of reusing passwords across home and work accounts. Password reuse results in a huge surge in credential stuffing attacks. If any service is compromised and your password and username are stolen, hackers could use the same credentials to try and hack your other accounts. Each account must therefore use unique credentials to maintain security.

Reinforce passwords using multi-factor authentication (MFA)

Multi-factor authentication uses a combination of things you know, such as a password or PIN; things you have, such as a badge or smartphone; and things you are, such as biometric data, to authenticate your right to access a particular system, data or application.

Enabling MFA ensures that even if a password is stolen, the system is not compromised.

Use a secure password manager

Many users find it difficult to remember their passwords for multiple online services, and so either use a single password for all, or, worse, save all their passwords to an unreliable password manager.

If you do opt for a password manager, choose one that is highly secure, in order to mitigate the risk involved. Most IAM solutions will include a password manager or, with Single Sign-on, completely do away with the need for multiple passwords. A single secure password is enough to log on to your IAM and access your applications and data.

Use an IAM application for Password Policy Management (PPM)

It’s one thing to lay down rules for password policy across the organization. It’s quite another to enforce the policy. An Identity Access Management (IAM) application can help you ensure that all your users consistently comply with a high standard of security while setting their passwords, without the need for a separate password policy enforcement tool.

Administrators can customize and define password policy for all users in the organization. You can also specify upon whom the policy should be enforced, based on the users’ access level. Password policies can of course also be defined as blanket rules.

A common perception is that the risks associated with breached passwords do not apply to your organization as you have secure systems. But your organization’s data security is only as strong as the weakest password of your users. In 2020, 770 million credential stuffing attacks occurred. That means that if your employee’s personal passwords are compromised, and they have reused the same password at work, your data is compromised too. Worse, 17% of all sensitive files are accessible to all employees, and about 60% of companies have over 500 accounts with non-expiring passwords.

Implementing a robust Identity and Access Management (IAM) solution brings you several steps closer to protecting your user credentials and corporate data. Worldwide, cybercrime costs will hit $6 trillion annually this year. Don’t let your organization succumb to a Data breach! With these simple steps, you can stay safe with multiple layers of data protection. Allow our team at Akku to help you secure your systems.

What is PWA.

maerih — Fri, 10 Jun 2022 21:36:41 +0000

Have you ever wondered how you can convert your webpage to an app that can run on a mobile phone no matter its Android or iOS?

Or have you seen that little + (plus) icon at the top of a website, and it makes you wonder how this website is installable? Well, PWA is the answer to your questions.
What is PWA?

PWA's or Progressive Web Apps are a hybrid or say a mix of your regular websites or web pages and a mobile application; they provide you the power of both worlds. And PWA's are getting quite popular these days a significant reason being you don't need to learn another language like Kotlin or flutter to build a mobile app for your product, you can convert your existing website into a mobile application. You can even submit to Google Play and App store.
Of course, you can't compete with a language specifically designed for mobile apps, but still, PWA's come in handy a lot of time, you don't have to code separately for android, ios and browsers.
PWA's have access to all native app features like local storage, cache, push notifications, offline access, and a lot of cool features, so if all this gets you excited, let's dive deeper into it.
Benefits of PWA
Cross Platform Support

PWA is browser build and not os build so it can run on any machine, whether it is Android, ios, or your laptop.
Speed

PWA is quite faster compared to your standard websites because of the use of service workers, which helps to store the contents of the website in the form of cache on the first time load, making all your further loads significantly faster.
Offline Mode

That's the biggest feature standard websites lack, but through the use of service workers, you can load an offline version of your app, or you can cache the data for the first time and provide it for the later loads giving a better user experience.
SEO Friendly

In simple words, SEO is a way to make your websites get ranked higher in the search page results, e.g., Google. So, because PWA is technically a website, its content can get indexed and are discoverable on search engines, and because of this, your app can reach a broader audience.
Low cost of development

You don't need to hire a web developer and an app developer separately for your project, and you can convert your existing website to a PWA in no time.

And a lot of others.

Yes, there are quite a few disadvantages of using a PWA like the browser compatibility issues and the inability to control all features of mobile phones fully, but still, its plus points kind of pay off for all its costs.

Okay, So enough talk now, let's see what the things that make up a PWA are.

A manifest.json file: This is a JSON file which contains all the information about how your app will look, which initial page to load when your app starts, all the icons which the app should use and it also tells the browser that it's a PWA and how it should behave after being installed.

A service worker: A service worker is just a javascript file that runs as soon as your app loads and keeps running in the background. It helps you to control all the network requests, push notifications, cache items, etc.. In short, this script takes care of all the functionality part of your app and thus is the core of any PWA.

A secure HTTPS connection: As, by now, you must have realized PWA's are highly robust, so they only work on trusted connections, to make sure there is no harm to user's data and overall security, and in general to user experience.

That's it, add these three features to your code, make sure to connect the manifest and service worker file to your HTML. You are good to go. Most browsers detect that your app is a PWA and they give an option of installing it to the home screen when a user visits your site, else you can generate a .apk file for it and publish it to the well known PWA Store or the App Store.

PWA is a vast topic in itself. There's a lot more to it, but for getting started, these three things are essential, and rest your curiosity will figure it out by itself.

Best Practices of choosing a system.

maerih — Fri, 10 Jun 2022 21:32:21 +0000

Preamble

The browsers only understand JavaScript, however with rise of stuff that we use on browsers e.g. Games, Virtual Reality, Augmented Reality, JavaScript hasn't been able to catch up due to its inherent interpreted nature despite its powerful engines like V8.

Suppose you have a cool game or software developed in a low-level programming language e.g. C/C++ or a high-level programming language e.g. Java/C#/Rust/Go. With WebAssembly you can run these apps on a browser. Wihout re-writing them in JavaScript.

Wait, what?
What is WebAssembly?

WebAssembly (abbreviated Wasm) is a binary instruction format for a stack-based virtual machine. Wasm is designed as a portable compilation target for programming languages, enabling deployment on the web for client and server applications.

-https://webassembly.org/

WebAssembly, or wasm, is the most significant new technology to come to the web platform in a decade. Technically speaking, it is a new, low-level, assembly-like language that runs efficiently on the existing web platform and is backward-compatible with its precursor, asm.js. Most people, however, will use the wasm format as a compiler target, translating their applications into web-ready modules that can run in modern web browsers at near-native speeds.

-https://research.mozilla.org/webassembly

W A S M

Check out Milica Mihajlija's awesome blog to know more.
Blazor

Blazor is an open-source framework from Microsoft to develop Component based UIs using language you already know and love, C#. I'll be blunt and say:

It's Microsoft's response to Angular and React.

Because why not?

But it's not why we're talking about Blazor here. The reason is, one of the hosting models of Blazor is WebAssembly.

Blazor's home page says:

Blazor can run your client-side C# code directly in the browser, using WebAssembly. Because it's real .NET running on WebAssembly, you can re-use code and libraries from server-side parts of your application.
-https://dotnet.microsoft.com/apps/aspnet/web-apps/blazor

Make awesome Portfolio.

maerih — Fri, 10 Jun 2022 21:27:18 +0000

Hi ✋😁
I would like to introduce my self,
my name is Maeri
and I am a web developer.

I wrote this article to share my new portfolio.

I was searching for designs on google for a couple of days, and then I stumbled on a good design that I like. Its a design by Brittany Chiang.

I built my portfolio based on her design using Vue Js, and with the help of the plugin Vuetify. I tweaked my portfolio a little with the taste that I like.

Introduction to cyber threats.

maerih — Fri, 10 Jun 2022 21:22:47 +0000

As we are going through unusual and challenging times, our daily habit has been affected in all sorts of ways. For those who are working from home, this is indeed a very difficult time. We are more open to cyber attacks due to the little to no cyber security we have in place while working from home.

Hackers are desperately trying to exploit the opportunity and up to some extent, it’s working. It’s mainly because many organizations and business tasks have gone from an internal network to the open internet without much preparation. This has exposed them to more potential threats.

Some of the common attacks are listed below.

Email-Phishing
SMS-Phishing
Mobile Malware
Malicious Software
Ransomware Attacks

Cyber Security Best Practices For Remote Workers

In this rising time of cyber attacks, taking preventive action against these interventions is a necessity.

Use antivirus and antispyware software on every computer used in your business and make sure they are frequently updated.
Limit physical access to your computers and network components.
Regularly change passwords and ensure that they’re not easy to predict

more detailed version published at https://beaglesecurity.com/blog/blogs/2020/04/13/Cyber-Security-Threats-and-Best-Practices-for-Remote-Workers.html