- Hack Value: It is the notion among hackers that something is worth doing or is interesting.
- Target of Evaluation: An IT system, product, or component that is identified/subjected to a required security evaluation.
- Attack: An assault on the system security derived from an intelligent threat. An attack is any action violating security.
- Threat: An action or event that might compromise security. A threat is a potential violation of security.
- Compliance to government laws and regulations.
- Evolution of technology focused on ease of use.
- Increased number of network-based applications.
- Increasing complexity of computer infrastructure administration and management.
- It is difficult to centralize security in a distributed computing environment.
- Direct impact of security breach on corporate asset base and goodwill.
Top Security Challenges:
- Increase in sophisticated cyber criminals.
- Data leakage, malicious insiders, and remote workers.
- Mobile security, adaptive authentication, and social media strategies.
- Cyber security workforce.
- Exploited vulnerabilities, operationalizing security.
- Critical infrastructure protection.
- Balancing sharing with privacy requirements.
- Identity access strategies and lifecycle.
List of Security Risks:
- Trojans/Info Stealing/Keyloggers
- Fast Flux Botnets
- Data Loss/Breaches
- Internal Threats
- Organized Cyber Crime
- Phishing/Social Engineering
- New emerging viruses
- Cyber Espionage
- Zero-Day Exploits
- Web 2.0 Threats
- Phishing attacks
- Identity black market
- Transportable data (USB, laptops, backup tapes)
- "Zombie" networks
- Exploits in new technology
- Outsourcing projects
- Social networking
- Business interruption
- Virtualization and cloud computing
Application Security Attacks:
- Session hijacking
- Man-in-the-middle attack
- Web Parameter Tampering attack - based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, or the price and quantity of products.
- Directory traversal attack - the goal of this attack is to force an application to access a file that is not intended to be accessible. It exploits a lack of security controls (the software is acting exactly as it is supposed to) rather than a bug in the code. Also known as the ../ (dot dot slash) attack.
- Canonicalization (c14n) - a process for converting data that has more than one possible representation into a "standard", "normal", or canonical form.
Vulnerability Research Websites: