Data Security

Essentials Of Data Security And Privacy – Volumetree

Recent events suggest that we don’t even have to be the ones making the mistake for our private information to be leaked – take Facebook’s recent scandal or the Equifax saga that transpired last year. But before we can protect our own information, we need to educate ourselves in the language of data security and learn the terminology that is used worldwide.

This article covers the essential terminology related to data security. You might come across many terms that you’ve heard in passing, or even known for a while, without knowing their exact meaning. We guarantee that a quick look at these terms will give you a fair insight into the steps you should take to protect your own information, while also explaining the ways in which security breaches can take place.

Data Encryption

Encrypting PII data before sending it to any SaaS tool is imperative because only the party you share the secret key with can recover the plaintext version. This secures the data so that it is readable only by the endpoint applications and cannot be read from the browser inspector. The only drawback is the cumbersome pace at which encryption and decryption take place.
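The following is an added example, not code from Volumetree or from any SaaS product, showing what "encrypt the PII field before it leaves for the SaaS tool" looks like in practice. It is a self-contained construction using only the Python standard library: HMAC-SHA256 as a pseudorandom function in counter mode for confidentiality, plus a second HMAC over nonce and ciphertext for integrity (encrypt-then-MAC). The record layout, field names and the sample SSN are assumptions made for this example; a deployment would use a vetted AEAD such as AES-GCM from a maintained library instead of this hand-built construction.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Tuple

NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 output


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from one shared secret."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Produce `length` keystream bytes as HMAC(enc_key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        out += block
        counter += 1
    return bytes(out[:length])


def encrypt_field(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, with a fresh random nonce per call."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_field(key: bytes, blob: bytes) -> bytes:
    """Check the tag first, then decrypt; ValueError on wrong key or modified data."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short to contain nonce and tag")
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("authentication failed: wrong key or modified data")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def build_saas_record(key: bytes, customer_id: str, ssn: str) -> dict:
    """The record the SaaS tool (and the browser inspector) actually sees:
    the PII field is ciphertext, the non-sensitive id stays in the clear."""
    return {"customer_id": customer_id, "ssn": encrypt_field(key, ssn.encode()).hex()}


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)  # shared only with the endpoint application
    record = build_saas_record(shared_key, "cust-42", "123-45-6789")  # constructed sample
    print("what the SaaS tool sees:", record)
    recovered = decrypt_field(shared_key, bytes.fromhex(record["ssn"]))
    print("what the key holder sees:", recovered.decode())
```

The integrity tag is what turns "unreadable" into "trustworthy": a record that was modified in transit, or encrypted under a different key, is rejected before any plaintext is produced, so the endpoint never acts on data it cannot authenticate.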


Code Review

A thorough, organized and systematic evaluation of computer source code is called a code review, or sometimes peer review. The purpose of the evaluation, of course, is to find all mistakes and aberrations in the source code, thereby making it better in the process. Pair programming, informal walkthroughs, and formal inspections are all different ways in which this review is undertaken.

Firewall

One of the better-known technical terms, a firewall is a system designed to protect your network by monitoring and controlling incoming as well as outgoing network traffic, based on specific security rules that are predetermined by the user. A firewall operates by creating a barrier between a trusted internal network and an untrusted external network such as the internet. Firewalls can be either network firewalls or host-based firewalls. The former filter all traffic between two or more networks and run on that network's hardware, while the latter run on host computers and control all network traffic going in and out of that machine.
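To make "predetermined security rules" concrete, here is an added example (written for this article, not taken from any firewall product) of a host-based packet filter in miniature: an ordered rule list where the first match wins and anything unmatched falls through to a default deny. The rule set, the addresses and the packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    direction: str                  # "in" (towards this host) or "out" (from this host)
    protocol: str                   # "tcp", "udp" or "any"
    port: Optional[int]             # destination port; None means any port
    network: ipaddress.IPv4Network  # remote addresses this rule covers
    action: str                     # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    remote_ip: str
    dst_port: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule applies only if direction, protocol, port and remote network all match."""
    return (rule.direction == pkt.direction
            and rule.protocol in ("any", pkt.protocol)
            and rule.port in (None, pkt.dst_port)
            and ipaddress.ip_address(pkt.remote_ip) in rule.network)


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule decides; with no match the default (deny) applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Constructed policy for a server inside a 10.0.0.0/8 corporate network.
# Order matters: the quarantine subnet is denied SSH before the broader allow.
POLICY = [
    Rule("in", "tcp", 22, ipaddress.ip_network("10.99.0.0/16"), "deny"),    # quarantined segment
    Rule("in", "tcp", 22, ipaddress.ip_network("10.0.0.0/8"), "allow"),     # admin SSH from inside
    Rule("in", "tcp", 443, ipaddress.ip_network("0.0.0.0/0"), "allow"),     # public HTTPS service
    Rule("out", "udp", 53, ipaddress.ip_network("10.0.0.53/32"), "allow"),  # internal DNS only
    Rule("out", "tcp", 443, ipaddress.ip_network("0.0.0.0/0"), "allow"),    # outbound updates
]


if __name__ == "__main__":
    samples = [
        Packet("in", "tcp", "10.1.2.3", 22),       # admin from inside: allow
        Packet("in", "tcp", "10.99.4.4", 22),      # from quarantine: deny
        Packet("in", "tcp", "203.0.113.5", 22),    # SSH from the internet: deny (no rule)
        Packet("in", "tcp", "203.0.113.5", 443),   # HTTPS from the internet: allow
        Packet("out", "udp", "203.0.113.53", 53),  # DNS to an outside resolver: deny
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(POLICY, pkt))
```

The default-deny fallthrough is the part that matters most in practice: a rule set that lists only what is allowed fails closed when something unexpected arrives, whereas a default of "allow" turns every forgotten case into an open port.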

Fixed IP and VPN’s

Static IP addresses created for the purpose of dynamic cloud computing are often referred to as elastic IP addresses. The difference between traditional static IP addresses and Elastic IPs is the ability to mask instance or availability-zone failures by remapping your public IP address to any instance associated with your account. You no longer have to wait for a technician to reconfigure or replace your host. Amazon EC2 gives you the power to engineer around an issue with your instance or software by programmatically remapping your IP address to a replacement instance.

SQL Injection

When an external party inserts a MySQL statement to be run on your database without your knowledge, it is called SQL injection. This often happens when a user is asked for input such as a name but instead supplies a MySQL statement, which you then end up running on your database.


MITM

A man-in-the-middle attack (MITM) takes place when someone secretly relays, and then alters, the communication between two parties. The two parties are unaware of the attacker’s presence and therefore have no idea that the attack is taking place. Active eavesdropping, an example of a MITM attack, is when the attacker communicates separately with both victims and relays messages between them, making both believe that they are speaking directly with each other. For it to be foolproof, the attacker must relay all communication between the parties without either suspecting anything wrong. This is often easier than it seems, as attackers frequently join unencrypted wireless access points to insert themselves as the man-in-the-middle. The entire MITM attack relies on the absence of mutual authentication at the endpoints. This is also the reason why most cryptographic protocols include some form of endpoint authentication, so that MITM attacks against their services and databases are prevented.
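To show why the attack "relies on the absence of authentication", here is an added example (not from the original article) of the same relay scenario with and without a message authentication code. A relay that alters a message cannot produce a valid tag without the shared key, so the authenticated receiver rejects it while the unauthenticated one believes it. The message format and the sample text are constructed for this example.

```python
import hashlib
import hmac
import json


def send_message(shared_key: bytes, sender: str, text: str) -> dict:
    """Sender side: the body is tagged with HMAC-SHA256 under the shared key."""
    body = json.dumps({"from": sender, "text": text}, sort_keys=True).encode()
    tag = hmac.new(shared_key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def receive_unauthenticated(envelope: dict) -> dict:
    # No check at all: whatever arrives is believed. This is the situation the
    # article describes, where nothing at the endpoint verifies who sent the message.
    return json.loads(envelope["body"])


def receive_authenticated(shared_key: bytes, envelope: dict) -> dict:
    """Receiver side: recompute the tag and refuse anything that does not match."""
    expected = hmac.new(shared_key, envelope["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise ValueError("rejected: tag mismatch, message altered or not from the key holder")
    return json.loads(envelope["body"])


def relay_altered(envelope: dict, new_text: str) -> dict:
    """Constructed man-in-the-middle relay for the demonstration: it forwards the
    message with the text rewritten. Lacking the key, it can only pass the old tag on."""
    msg = json.loads(envelope["body"])
    msg["text"] = new_text
    return {"body": json.dumps(msg, sort_keys=True).encode(), "tag": envelope["tag"]}


if __name__ == "__main__":
    key = b"secret shared between Anne and Chris"        # constructed for the example
    original = send_message(key, "Anne", "pay 100 to Chris")
    forwarded = relay_altered(original, "pay 100 to Brad")
    print("unauthenticated receiver believes:", receive_unauthenticated(forwarded))
    try:
        receive_authenticated(key, forwarded)
    except ValueError as err:
        print("authenticated receiver:", err)
```

Authentication alone does not stop the relay from reading the traffic; it stops the relay from changing it or speaking for either party. Confidentiality against eavesdropping is the job of encryption, which is why real protocols such as TLS combine both.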


Cookie Attack/Session Hijacking

Session hijacking or cookie hijacking occurs when a valid session key is exploited to gain unauthorized access to services or information within a computer system. When magic cookies – those used to authenticate users to remote servers – are stolen in order to perform this authentication, cookie theft has taken place. This is highly pertinent to web developers because of the cookies used to maintain sessions on many websites. These cookies can be stolen and used by attackers who use intermediary computers. One way of doing this is with source-routed IP packets. Let’s say Anne and Chris are exchanging information. If Brad uses source-routed IP packets, he might be able to route Anne and Chris’ IP packets through his machine, thereby gaining access to all the information being shared.
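What a web developer can do about stolen session cookies is mostly a matter of how the session identifier is generated, stored and transported. The following is an added example written for this article (not from Volumetree or any framework): unguessable identifiers from a CSPRNG, server-side state with an expiry, rotation after login, and a Set-Cookie header carrying the Secure, HttpOnly and SameSite attributes. The session lifetime and user names are assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie
from typing import Dict, Optional

SESSION_TTL = 1800  # seconds; assumed for the example


class SessionStore:
    """Server-side session table keyed by a random identifier."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: cannot be guessed
        self._sessions[sid] = {"user": user, "expires": now + SESSION_TTL}
        return sid

    def lookup(self, sid: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a live session, or None if unknown or expired."""
        now = time.time() if now is None else now
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if now > sess["expires"]:
            del self._sessions[sid]  # a stolen cookie stops working after the TTL
            return None
        return sess["user"]

    def rotate(self, old_sid: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a fresh id after login or a privilege change, invalidating the old one
        so an identifier captured before authentication is worthless afterwards."""
        user = self.lookup(old_sid, now)
        if user is None:
            return None
        del self._sessions[old_sid]
        return self.create(user, now)

    def revoke(self, sid: str) -> None:
        """Logout: the server forgets the session, whoever still holds the cookie."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str) -> str:
    """Build the Set-Cookie line with the attributes that limit cookie theft."""
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["secure"] = True        # never sent over plain HTTP
    cookie["session"]["httponly"] = True      # not readable from page scripts
    cookie["session"]["samesite"] = "Strict"  # not attached to cross-site requests
    cookie["session"]["path"] = "/"
    cookie["session"]["max-age"] = SESSION_TTL
    return cookie.output(header="Set-Cookie:").strip()


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("anne")
    print(session_cookie_header(sid))
    print("lookup:", store.lookup(sid))
    print("after rotate, old id resolves to:", (store.rotate(sid), store.lookup(sid))[1])
```

None of this helps if the identifier travels in the clear, which is why the Secure attribute and HTTPS are the precondition; the remaining attributes and the server-side expiry limit how far a copied cookie gets.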


HTTPS

HTTPS stands for Hypertext Transfer Protocol Secure – a step further than conventional HTTP, intended to secure communication over any computer network. This is done by encrypting the communication with Transport Layer Security or its predecessor, Secure Sockets Layer, which is why HTTPS is also called HTTP over TLS or HTTP over SSL. The fundamental purpose of HTTPS is the authentication of the accessed website, while protecting the privacy of the information being shared or exchanged. It is intended to provide this security in transit, where many attacks can take place. MITM attacks such as eavesdropping and tampering with communication are prevented by HTTPS and its bidirectional encryption. This is what ensures that the user is interacting with the intended party and not an impostor or attacker.
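The authentication half of HTTPS only works if the client actually checks the server's certificate, and a common mistake is to switch that check off to make an error go away. The following is an added example for this article (not Volumetree code) using Python's standard ssl module: a client context configured the way the paragraph requires, beside the weakened form, and a small check that tells them apart. The minimum TLS version is an assumption chosen for the example.

```python
import ssl


def make_client_context() -> ssl.SSLContext:
    """Client context that authenticates the server: trusted CA chain, hostname
    match, and no legacy protocol versions."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and 1.1
    return ctx


def make_insecure_context() -> ssl.SSLContext:
    """The anti-pattern: certificate errors are silenced, so any party that can
    intercept the connection can present its own certificate and be accepted."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_authenticates_server(ctx: ssl.SSLContext) -> bool:
    """True only if the context verifies the chain, matches the hostname and
    refuses TLS versions older than 1.2."""
    return bool(
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


if __name__ == "__main__":
    for name, ctx in (("verified", make_client_context()), ("insecure", make_insecure_context())):
        print(f"{name}: authenticates server = {context_authenticates_server(ctx)}")
```

A connection is then opened with `ctx.wrap_socket(sock, server_hostname="example.com")`; the `server_hostname` argument is what the hostname check compares the certificate against, so leaving it out on a verified context is an error rather than a silent downgrade.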

Tokenization of Payment Gateways

Tokenizing payment gateways (non-pass-through payment using JavaScript) helps mitigate the risk of data breaches. It is a security measure that completes the payment by converting credit card numbers into alphanumeric data that is unique for every transaction. This allows you to process payments without handling your actual credit card number, making the transaction that much more secure.


It minimizes the risk of data breaches
  • Through the tokenization of payment gateways, payment processing occurs without actually storing, processing or transmitting credit card information. Even in the case of a token leak, there is no real loss of information or data because the token has no meaning in itself.
  • The Japan Consumer Credit Association’s “Action Plan for the Strengthening of Measures for Security in Credit Card Transactions” recommends tokenization of payment.
It does not require significant changes to the system
  • As the service allows the use of a protocol/module connection type, customers are provided with a secure payment environment without being redirected to another payment screen.
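The two bullets above (a token unique per transaction, and a leaked token carrying no real information) follow from how a token vault works. This is an added example written for this article, not code from any payment provider: the vault, assumed to live only inside the provider, validates the card number, issues a random token for each request, and is the only place a token can be resolved; the merchant side stores and transmits nothing but the token and a display hint. The card number used is the well-known test value 4111 1111 1111 1111.

```python
import secrets
from typing import Dict, Tuple


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test for a card number (digits only)."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Assumed to run only inside the PCI-scoped payment provider."""

    def __init__(self) -> None:
        self._vault: Dict[str, str] = {}

    def tokenize(self, pan: str) -> Tuple[str, str]:
        """Store the PAN and return a fresh random token plus the last four digits."""
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_hex(16)  # random: no relation to the PAN at all
        self._vault[token] = pan
        return token, pan[-4:]

    def detokenize(self, token: str) -> str:
        """Only the provider, at the moment it charges the card, resolves a token."""
        return self._vault[token]


def merchant_record(token: str, last4: str, amount_cents: int) -> dict:
    """Everything the merchant stores and transmits: no card number anywhere."""
    return {"token": token, "card_hint": "**** " + last4, "amount_cents": amount_cents}


if __name__ == "__main__":
    provider = TokenVault()
    token, last4 = provider.tokenize("4111 1111 1111 1111")   # test card number
    order = merchant_record(token, last4, 4999)
    print("merchant keeps:", order)
    print("provider resolves:", provider.detokenize(token))
```

Because the token is generated randomly rather than derived from the card number, a database of tokens taken from the merchant cannot be reversed, and because each request yields a new token, one leaked token does not even reveal that two transactions used the same card.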

While some might already know many of these terms and concepts, others might be enlightened by them. By providing information about data security, we aim to increase the impact that individual users can have in knowing what is happening with their information and in taking active measures to protect it. Continue to follow this space for further updates and interesting articles on the theme of data security.
