Wednesday 4 July 2018

Information Security Controls

Information security controls are mechanisms or sets of rules that decrease risk arising from vulnerabilities, internal and external threats, and so on. Information security also covers other aspects of an organisation, such as computer security, physical security, network security, business continuity planning, disaster recovery planning, and countermeasures against existing or future attacks.

These controls help an organisation keep its information confidential against external or internal attacks, and they help the organisation keep its systems running after an attack.

They also give you a view of how secure your information is.

Here are some important things that should be covered under information security controls.

  • Physical security: every person entering the organisation should pass through well-managed physical security that is properly monitored to identify unknown intruders.

  • All information generated or produced in an organisation should be backed up regularly to prevent data loss from hacking attempts and system failures. It is also recommended to build a backup and restore system that runs and is managed properly.

  • Incident response should be in place to react immediately to any incident, whether it is a fire, a physical intruder, or a technical hacking attack.

  • Keeping employees trained and educated about incidents is also covered by information security controls. If employees are well trained for these kinds of situations, there is less chance of loss to the organisation.

  • Log monitoring must be in place to identify insider and outsider attacks before an incident happens. Many organisations use log monitoring for their web applications and internal systems, and for incoming and outgoing traffic.
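As an added example (not code from the original post), here is a small Python log-monitoring check of the kind the bullet above describes: it parses web-server access-log lines and flags any client with at least five failed logins inside a 60-second window. The log lines, the `/login` endpoint, the threshold and the window are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real traffic): one client fails at login repeatedly.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jul/2018:10:00:01 +0000] "POST /login HTTP/1.1" 401 312
203.0.113.7 - - [04/Jul/2018:10:00:02 +0000] "POST /login HTTP/1.1" 401 312
198.51.100.2 - - [04/Jul/2018:10:00:03 +0000] "GET /index HTTP/1.1" 200 5120
203.0.113.7 - - [04/Jul/2018:10:00:03 +0000] "POST /login HTTP/1.1" 401 312
203.0.113.7 - - [04/Jul/2018:10:00:04 +0000] "POST /login HTTP/1.1" 401 312
203.0.113.7 - - [04/Jul/2018:10:00:05 +0000] "POST /login HTTP/1.1" 401 312
198.51.100.2 - - [04/Jul/2018:10:00:06 +0000] "POST /login HTTP/1.1" 200 640
"""

# Common-log-format style line: ip ident user [timestamp] "request" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def failed_login_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: count} for clients with at least `threshold` failed logins
    (401/403 on POST /login) inside any span no longer than `window`."""
    stamps_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/login" and rec["status"] in ("401", "403"):
            stamps_by_ip[rec["ip"]].append(datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0  # sliding window over the sorted timestamps
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = end - start + 1
                break
    return flagged

if __name__ == "__main__":
    for ip, n in failed_login_sources(SAMPLE_LOG).items():
        print(f"ALERT: {ip} had {n} failed logins within 60 seconds")
```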

Information security controls are mainly divided into 7 categories:

1. Network Security

2. Access Control

3. Security Management

4. Physical Security

5. Business Continuity & DR Planning

6. Operations Security

7. Application/System Security

1. Network Security Controls

Network security controls are the first and most important part for an organisation, because this is where everything starts; you could say the network is the heart of any company. Network security covers internal devices such as routers, switches, and other devices that are essential for the organisation to continue its work.

Setting up a firewall and UTM (unified threat management) is recommended for every organisation to keep control of its network environment.

2. Access Controls

Access controls cover the rights and privileges of every user in the organisation, including internal employees; access control is what provides authorization. It is very important that every user has only the limited privileges and rights needed to do their work. For example, an ordinary employee should not be able to perform administrator-level actions such as changing someone else's password or accessing internal resources.
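The least-privilege rule just described, as an added Python example that is not part of the original post: a deny-by-default authorization check where a user may change only their own password and only the admin role may change others' passwords or read internal resources. The roles, user names and the `store` dictionary standing in for the user database are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    role: str  # constructed roles: "employee" or "admin"

# Admin-level actions each role is explicitly granted. Anything not listed
# here is denied by default, including every action by an unknown role.
PERMISSIONS = {
    "admin": {"change_password", "read_internal_resource"},
    "employee": set(),
}

def is_allowed(actor, action, target_user=None):
    """Least-privilege check: a user may always change their own password;
    every other action must be granted to the actor's role."""
    if action == "change_password" and target_user is not None and target_user.name == actor.name:
        return True
    return action in PERMISSIONS.get(actor.role, set())

def change_password(actor, target_user, new_password, store):
    """Change target_user's password only after the authorization check.
    `store` is a constructed stand-in for the user database."""
    if not is_allowed(actor, "change_password", target_user):
        raise PermissionError(f"{actor.name} ({actor.role}) may not change {target_user.name}'s password")
    store[target_user.name] = new_password  # a real system would store a password hash
    return True

if __name__ == "__main__":
    alice = User("alice", "employee")
    bob = User("bob", "employee")
    root = User("root", "admin")
    db = {}
    change_password(alice, alice, "new-secret", db)   # allowed: own account
    change_password(root, bob, "reset-by-admin", db)  # allowed: admin role
    try:
        change_password(alice, bob, "hijack", db)     # denied: employee on another user
    except PermissionError as e:
        print("denied:", e)
    print("alice may read internal resource:", is_allowed(alice, "read_internal_resource"))
```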

3. Security Management

Security management is the classification of an organisation's asset inventory, supported by proper guidelines, rule sets, and documentation. Many organisations create security policies that their employees must follow, for example that no employee may bring storage devices onto the office premises, which decreases the risk of insider data theft.

4. Physical Security

Physical security is also an important factor for an organisation: it helps identify unknown intruders or attackers and decreases the risk of business loss from fire, earthquakes, or any other natural or man-made event.

Many things come under physical security, such as CCTV cameras, security guards, fire prevention systems, and entry gate authentication such as fingerprint scanners or eye recognition mechanisms.

5. Business Continuity & DR Planning

Business continuity and DR (disaster recovery) planning allow an organisation to keep its business running normally when it is or has been under attack, or after data loss or system failure.

This control manages all of an organisation's data, which is backed up automatically at regular intervals so that it can be restored in case of data loss or a hacking attack.

6. Operations Security

OPSEC (operations security) covers unwanted or unintended risks that can be turned against us; OPSEC is about checking whether any information we expose could be used against us.

7.Application/System Security

Application/system security is a major control for an organisation to keep its online identity safe and confidential. This control covers maintaining application and system security with technologies such as firewalls, IPS, SIEM, and other log monitoring systems.

This helps an organisation stay secure before and during an attack.

Tuesday 3 July 2018

Attacking JSON Applications: Pentesting JSON Applications

Hello all, it's been quite a long time since I updated my blog. So here we go.

Today we will see how we can pentest a JSON web application.

Note: some of the methods are taken from third-party resources and some come from my personal experience.

First, what is JSON, according to the JSON website:

JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999

In layman's terms, JSON is typically used by JavaScript to pass parameters, as in the HTTP request below.

GET /site/getuserinfo=narendrabhati HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:44.0) Gecko/20100101 Firefox/44.0
Content-Type: application/json;