SEC 3302, Advanced IS Security 1
Course Learning Outcomes for Unit VII
Upon completion of this unit, students should be able to:
1. Analyze access controls used to secure information systems (IS).
1.1 Determine how to protect access to the information within a database.
1.2 Explain how developing access levels can protect a database.
4. Evaluate the use of auditing tools.
4.1 Determine how using auditing tools can help reduce losses.
5. Explain the importance of information security (IS).
5.1 Determine the organizational impact of not having strong policies and procedures for securing
applications and data.
5.2 Describe the methods an information technology (IT) security manager can use to increase
organizational awareness of policies and procedures in information security.
Required Unit Resources
Chapter 8: Application Security
Chapter 9: Data Protection
Professor Messer. (2021, February 2). Protecting data – SY0-601 CompTIA Security+ : 2.1 [Video]. YouTube.
Professor Messer. (2021, April 3). Application security – SY0-601 CompTIA Security+ : 3.2 [Video]. YouTube.
Professor Messer. (2021, May 3). Privacy and data breaches – SY0-601 CompTIA Security+ : 5.5 [Video].
In this unit, we will discuss application security and data protection. In past units, we discussed hardening a
target, which means to change the environment so that it will be more difficult to attack. This process should
include applications, not just operating systems. We have to do this with intention and be proactive in
creating a comprehensive defense strategy: attacks via applications are far more common today than attacks
aimed at operating systems. We must, therefore, make our applications secure so that someone cannot
take over and exploit the software.
One such exploit is called a buffer overflow. A buffer is a temporary storage area in random access memory
(RAM). If enough attack information is sent so that it exceeds the buffer space, that information will end up
in other RAM areas. A poorly written application can inadvertently result in a buffer overflow. Flushing your
buffers can prevent them from filling up and overflowing, which can cause bad performance or lead to a
UNIT VII STUDY GUIDE
Application and Data
In some cases, buffer overflow can confuse the system and allow commands to be executed on the server.
One type of buffer overflow, called a stack overflow, involves the operating system. This type of overflow can
cause a program, or even an entire computer, to crash.
So how can we harden our applications to ensure that they cannot be exploited? As we just discussed, we
must not allow buffers to overflow. Additionally, applications need to be minimized so that there are fewer
attack points to exploit. Secure configurations should also be established and maintained with timely updates.
Permissions should likewise be minimized to the lowest level necessary for each employee to be able to
accomplish their job. This will minimize the possibility that hackers will be able to take control of applications.
Cryptographic protections discussed in previous units are also important, as web applications are even more
susceptible to being exploited.
According to Boyle and Panko (2021), one rule in programming is that you should never trust a user’s input.
The application should have data validation. One example of this type of exploit is Structured Query
Language (SQL) injection, which can destroy your entire database. With SQL injection, a user can enter extra
information beyond a password that will enable an attacker to access the system. For example, instead of
entering just a password, a user might also enter the additional text of a SQL query that is executed.
How do you fix a SQL injection issue? You can add in data validation that will not allow certain characters to
be entered. You can minimize the number of characters that can be entered in that field as well. The point is
that developers are able to add validations, so they must be well-trained in how to secure the database.
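The login scenario described above, as an added example that is not from the course or the textbook: a deliberately vulnerable query beside a hardened one. The `users` table, the sample credentials, and the function names are constructed for illustration, and the example goes one step beyond the lesson by binding parameters in addition to validating characters and length.

```python
import re
import sqlite3

def make_db():
    """Build a constructed in-memory users table (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    # Plaintext password only to keep the example short; store a salted hash in practice.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn

def login_vulnerable(conn, name, password):
    # Deliberately vulnerable: input is pasted into the SQL text, so extra
    # query text typed after the password becomes part of the statement.
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None

# Validation as the lesson describes: allowed characters and a maximum length.
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def login_hardened(conn, name, password):
    if not NAME_RE.fullmatch(name) or not (1 <= len(password) <= 128):
        return False
    # Bound parameters keep the input as data; it is never parsed as SQL.
    row = conn.execute(
        "SELECT 1 FROM users WHERE name = ? AND password = ?", (name, password)
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    extra_sql = "' OR '1'='1"   # constructed input: a "password" carrying query text
    print("vulnerable accepts it:", login_vulnerable(db, "alice", extra_sql))
    print("hardened accepts it:  ", login_hardened(db, "alice", extra_sql))
    print("hardened, real login: ", login_hardened(db, "alice", "correct-horse"))
```

The character allow-list is applied to the user name only; restricting password characters would weaken passwords, so the password is length-checked and then bound as a parameter.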
Attackers can also strike web servers and e-commerce software. Just like any outwardly facing server, the
service can be overloaded and made to crash. Web servers can be taken over, and political or other
hacker-produced content can be posted that demeans the company. These attacks can harm the company’s
professional reputation and discourage customers. Attacks like these, in which hacker-produced content is
substituted for normal content, are known as website defacement.
Additionally, the textbook discusses another attack, known as directory traversal, in which sensitive files are
downloaded by gaining access to important directories—including the command prompt directory. All of this
seems to be a game of cat and mouse between attackers and vendors who patch a vulnerability, only to see
attackers evolve their tactics.
A common question is: How can we secure websites given they are accessible to the public? The first step
is to update any vendor software regularly. Website assessment tools are available that can identify
vulnerabilities. Website error logs can also help alert us that a potential attacker is checking out our website.
Lastly, application proxy firewalls can be used to help ensure that traffic is normal and does not show signs of
It is not just servers that can be attacked; web browsers can also be targets. If an attacker can upload a script
and deploy it on a browser, this can result in potential disaster in several ways. These scripts often involve
commands that you might use under normal circumstances—and although you may want to change your
settings at times, you do not want an attacker to be able to change them. Also, attackers can add links into
others’ webpages that look good and seem valid, but they are not.
Mobile code is another area through which attacks may occur. Commands written into a web page can result
in automatically executing scripts after the web page containing the commands is downloaded. Attack scripts
will also execute if the user accidentally clicks on a malicious link. In fact, depending on the program, the user
may not even need to click the link in some cases.
Security for a web browser can be improved much like that of web servers. Achieving this requires regular
patching and upgrading. Often, a browser may have customizable security settings and privacy options that
can be used to increase security.
Email attacks can be very similar to web server attacks. Emails can contain malicious links and attachments
with malware. Spam has also become a bigger problem, as mailboxes get overrun with commercial
solicitation messages. These messages may include images, which are harder to filter out effectively, take up
more bandwidth, and occupy more space. Finding a filter that does not also block legitimate mail continues to
be a struggle.
The best remedies for these issues include fine-tuned email filters and targeted employee training that will
teach employees not to open attachments from strangers. The contents of an email can be encrypted, but
most organizations do not use this feature.
Data Protection, Loss, and Backup
Now, let’s discuss data protection, which involves data being stored on hosts rather than passed over
networks. For most organizations, data is their most important business asset. You can obtain a new server
fairly quickly, or you can spin a new one up if you are virtualized, but what can you do if your data is lost?
How would you be able to contact your customers, set prices, or even determine what your prices should be?
The system itself is meaningless without the data points by which we construct information.
Chapter 9 in our textbook is particularly important in that it discusses in detail all of the ways in which data
must be secured while it is stored. Considerations for stored data protection include accidental loss, data that
is taken out of the business without permission, and how data should be destroyed when one desires to
dispose of it securely.
Data loss is an egregious outcome; it is the type of scenario with results that can range from someone losing
their job to the entire business sinking. So, how do we lose data, and how can we avoid data loss?
Mechanical issues and server outages can cause losses, of course, but it is often likely that data is lost
because we did not take the correct precautions that were needed to safeguard the data.
For example, it is important to conduct database and server backups regularly. When something happens to
the data on the host, there have to be backup copies available that the business can rely upon. Fire, water,
theft, natural disasters, mechanical failures, accidental loss, and a host of other dangers constantly threaten
databases. Because of this, it is wise to regularly back up both files and directories.
How regularly databases are backed up should be carefully considered—remember, you can only recover the
data from your last backup. There are three types of backups for databases—full, incremental, and
transaction. If you run transaction backups every hour, rather than running them daily or weekly, then you risk
potentially losing only an hour’s worth of data if something happens.
Scope is also relevant. Do you only want to back up the files and directories themselves, image the entire
drive, or shadow all files? Obviously, the more in-depth the backup is, the more resources will be needed
to accommodate it. However, the greater the scope, the more complete the recovery will be when the
data needs to be restored.
Data storage is another consideration for data protection. When you make backups, you need to have a place
where you can store those backups, such as keeping SQL database backups on a file server with a share.
Also, server backups can be stored in a storage area network (SAN). One option for database backups is to
encrypt the backups. Another option is to save backups on tape and store them offsite.
An important precaution for access control is to limit the number of people who have access to backups. In
addition to doing this, retention of backups and media should be regulated and closely monitored.
Database Access Control
Database access control is one of the more important areas of access control due to the data that are housed
in databases. Database administrators (DBAs) provide permissions based on the need of the requester.
For example, most users will need to read data; some will also need the capability to alter data. Higher
security is required for the role of database owner or system administrator.
A number of database management systems (DBMS) can manage access for individual databases and
restrict access to only authenticated and authorized users. Authentication can take place locally or on a
remote, central server.
As mentioned previously, websites are commonly attacked through unexpected data being passed along by
SQL injection. This can result in a consequence as drastic as deletion of data, or a database being shut
down. Database auditing tools can be used to collect information about noncompliance with established
security policies, changes to data, errors, warnings, and unsuccessful logins. In addition, data encryption is a
good tool for data stored in databases.
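Access levels and an audit trail of denied attempts, as an added example that is not from the course or the textbook. SQLite has no GRANT statement, so its authorizer callback stands in for DBMS permissions here; the role names, the `customers` table, and the helper functions are hypothetical.

```python
import sqlite3

# Hypothetical access levels: the SQLite action codes each role may perform.
READ = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ}
ROLES = {
    "reader": READ,                                                    # most users
    "editor": READ | {sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE},   # may alter data
}
ACTION_NAMES = {sqlite3.SQLITE_INSERT: "INSERT", sqlite3.SQLITE_UPDATE: "UPDATE",
                sqlite3.SQLITE_DELETE: "DELETE"}

def open_as(role, audit_log):
    """Return a connection to a constructed sample database limited to `role`."""
    # Autocommit mode, so the driver adds no implicit BEGIN statements.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.execute("INSERT INTO customers VALUES (1, 'Acme', 9.5)")
    allowed = ROLES[role]

    def authorizer(action, arg1, arg2, dbname, source):
        if action in allowed:
            return sqlite3.SQLITE_OK
        # Audit trail: which role attempted which denied action on which object.
        audit_log.append((role, ACTION_NAMES.get(action, str(action)), arg1))
        return sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)
    return conn

def attempt(conn, sql, params=()):
    """Run one statement; return its rows, or None when access is denied."""
    try:
        return conn.execute(sql, params).fetchall()
    except sqlite3.DatabaseError as exc:
        if "not authorized" not in str(exc):
            raise
        return None

if __name__ == "__main__":
    log = []
    reader = open_as("reader", log)
    print(attempt(reader, "SELECT name FROM customers"))
    print(attempt(reader, "UPDATE customers SET price = 0 WHERE id = 1"))
    print(log)
```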
Organizations can use a variety of methods to secure their applications, data, web servers, and websites. The
textbook provides a lot of valuable information for those of you interested in those career areas.
Boyle, R. J., & Panko, R. R. (2021). Corporate computer security (5th ed.). Pearson.