5 Security Controls
5.1 Version Control and Code Repositories
5.2 Version Control with Git, GitHub, GitLab
Refer to the SAT Book.
5.3 Understanding Long-Term Support (LTS) in Software Security
5.3.1 What is LTS?
LTS stands for Long-Term Support. It refers to versions of software that receive extended support from developers, primarily focusing on security updates and critical bug fixes, rather than new features. This ensures that users can rely on stable and secure software for a prolonged period without frequent upgrades.
5.3.1.1 Why is LTS Important?
- Security: LTS versions prioritize security updates, making them more reliable for production environments where stability and security are critical.
- Stability: LTS versions undergo extensive testing, making them stable and suitable for long-term deployment.
- Support: They receive updates and support for a longer duration compared to non-LTS versions.
5.3.2 LTS in Ubuntu
Ubuntu, a popular Linux distribution, publishes an LTS release every two years (in April of even-numbered years). Each LTS receives five years of standard support, during which Canonical ships security updates for the main and restricted repositories. Security maintenance beyond that point (the End of Life column in the table below) is not free: it requires an Ubuntu Pro subscription (Expanded Security Maintenance, plus the Legacy Support add-on for the final years).
- Current Ubuntu LTS Version: at the time of writing, the latest Ubuntu LTS is Ubuntu 24.04 LTS (Noble Numbat), released April 2024, with standard support until June 2029.
5.3.2.1 Ubuntu LTS Release List
Release Date is the date of the listed point release (for example 22.04.4), not of the original .04 release; End of Life is the end of paid Ubuntu Pro coverage.
| Version | Code Name | Release Date | End of Standard Support | End of Life (Ubuntu Pro) |
|---|---|---|---|---|
| Ubuntu 24.04 LTS | Noble Numbat | April 25, 2024 | June 2029 | April 2036 |
| Ubuntu 22.04.4 LTS | Jammy Jellyfish | February 22, 2024 | June 2027 | April 2034 |
| Ubuntu 20.04.6 LTS | Focal Fossa | March 23, 2023 | April 2025 | April 2032 |
| Ubuntu 18.04.6 LTS | Bionic Beaver | September 17, 2021 | June 2023 | April 2030 |
| Ubuntu 16.04.7 LTS | Xenial Xerus | August 13, 2020 | April 2021 | April 2028 |
| Ubuntu 14.04.6 LTS | Trusty Tahr | March 7, 2019 | April 2019 | April 2026 |
5.3.3 LTS in Django
Django, a high-level Python web framework, designates every third feature release (the x.2 release, every two years) as LTS. An LTS release receives security and data-loss fixes for three years, compared with roughly sixteen months for a regular feature release.
- Current Django LTS Version: at the time of writing, Django 4.2 (released April 2023) is the current LTS, with extended support until April 2026. It is the appropriate target for long-lived projects. Each Django release also supports only a defined range of Python versions, so plan Python and Django upgrades together.
5.3.3.1 Django LTS Release List

5.4 Python Supported Versions
This table is a snapshot of the upstream Python release schedule (devguide.python.org/versions); end-of-life dates that are still scheduled rather than final can be adjusted. Status meanings: bugfix branches receive bug and security fixes with binary installers; security branches receive security fixes only, as source-only releases; feature and prerelease branches are not yet final. Python has no LTS label: every minor version gets about five years of support from its first release, so a "security" branch near its end-of-life date should already be on your upgrade plan.
| Branch | Schedule | Status | First release | End of life | Release manager |
|---|---|---|---|---|---|
| main (3.14, in development) | PEP 745 | feature | 2025-10-01 | 2030-10 | Hugo van Kemenade |
| 3.13 | PEP 719 | prerelease | 2024-10-01 | 2029-10 | Thomas Wouters |
| 3.12 | PEP 693 | bugfix | 2023-10-02 | 2028-10 | Thomas Wouters |
| 3.11 | PEP 664 | security | 2022-10-24 | 2027-10 | Pablo Galindo Salgado |
| 3.10 | PEP 619 | security | 2021-10-04 | 2026-10 | Pablo Galindo Salgado |
| 3.9 | PEP 596 | security | 2020-10-05 | 2025-10 | Łukasz Langa |
| 3.8 | PEP 569 | security | 2019-10-14 | 2024-10 | Łukasz Langa |
5.4.1 Finding Versions of OS, Python, and Django
For a secure development environment, run a supported release of each layer: an Ubuntu LTS still within standard support, a Python branch whose status in the table above is bugfix or security, and the current Django LTS. The following commands print the installed versions:
Operating System (Ubuntu):
lsb_release -a
Python:
python3 --version
Django (run this inside the Python environment or virtual environment the project uses; otherwise you will see the system-wide copy, or none at all):
python3 -m django --version
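The three commands above only print versions; deciding whether a version is still safe to run means comparing it against the support tables on this page. The following script is an added example (not from the course page) that parses the output of those commands and reports each component as supported, expiring soon, or end-of-life. The end-of-support dates are copied from the tables above (where the page gives only a month, the last day of that month is assumed), and the sample command outputs are constructed for the example.

```python
import re
from datetime import date

# End-of-support dates taken from the tables on this page.  Where the page
# lists only a month, the last day of that month is assumed (an assumption
# of this example, not a statement from the page).
UBUNTU_END_OF_STANDARD_SUPPORT = {
    "24.04": date(2029, 6, 30),
    "22.04": date(2027, 6, 30),
    "20.04": date(2025, 4, 30),
    "18.04": date(2023, 6, 30),
}
PYTHON_END_OF_LIFE = {
    "3.13": date(2029, 10, 31),
    "3.12": date(2028, 10, 31),
    "3.11": date(2027, 10, 31),
    "3.10": date(2026, 10, 31),
    "3.9": date(2025, 10, 31),
    "3.8": date(2024, 10, 31),
}
DJANGO_END_OF_EXTENDED_SUPPORT = {
    "4.2": date(2026, 4, 30),
}


def parse_ubuntu_release(lsb_output):
    """Extract 'XX.YY' from `lsb_release -a` output; the point release is dropped."""
    m = re.search(r"^Release:\s*(\d+\.\d+)", lsb_output, re.MULTILINE)
    return m.group(1) if m else None


def parse_major_minor(version_output):
    """'Python 3.8.10' -> '3.8'; '4.2.11' -> '4.2'."""
    m = re.search(r"(\d+)\.(\d+)", version_output)
    return f"{m.group(1)}.{m.group(2)}" if m else None


def support_status(branch, end_dates, today, warn_days=180):
    """Classify a branch as supported, expiring-soon, end-of-life or unknown."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    if branch not in end_dates:
        return "unknown"          # not in our table: review by hand
    remaining = (end_dates[branch] - today).days
    if remaining < 0:
        return "end-of-life"
    if remaining < warn_days:
        return "expiring-soon"
    return "supported"


def assess(lsb_output, python_output, django_output, today):
    """Map each component to (branch, status) from the raw command outputs."""
    ubuntu = parse_ubuntu_release(lsb_output)
    python = parse_major_minor(python_output)
    django = parse_major_minor(django_output)
    return {
        "ubuntu": (ubuntu, support_status(ubuntu, UBUNTU_END_OF_STANDARD_SUPPORT, today)),
        "python": (python, support_status(python, PYTHON_END_OF_LIFE, today)),
        "django": (django, support_status(django, DJANGO_END_OF_EXTENDED_SUPPORT, today)),
    }


# Constructed sample outputs, in the format the real commands print.
SAMPLE_LSB = (
    "Distributor ID:\tUbuntu\n"
    "Description:\tUbuntu 22.04.4 LTS\n"
    "Release:\t22.04\n"
    "Codename:\tjammy\n"
)
SAMPLE_PYTHON = "Python 3.8.10"
SAMPLE_DJANGO = "4.2.11"

if __name__ == "__main__":
    report = assess(SAMPLE_LSB, SAMPLE_PYTHON, SAMPLE_DJANGO, "2025-01-15")
    for component, (branch, status) in report.items():
        print(f"{component:7} {branch:6} {status}")
```

On a real host, feed the script the actual command output (for example `subprocess.run(["lsb_release", "-a"], capture_output=True, text=True).stdout`) and run it from the same virtual environment as the project so the Django version is the one actually deployed. The sample shows the common trap: an Ubuntu LTS that is still supported while the Python it runs under (3.8 here) has already reached end of life.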
5.4.2 Benefits of Using LTS Versions
- Reduced Risk: security fixes keep being backported for the whole support window, so a system that stays on a supported LTS continues to receive patches instead of silently running unpatched code after a short-lived release reaches end of life. LTS does not make patches arrive faster; it makes them keep arriving for longer.
- Predictable Updates: LTS versions provide a predictable update schedule, making it easier to plan upgrades.
- Community Support: A large user base often uses LTS versions, leading to more extensive community support and resources.
5.4.3 Best Practices for Using LTS Versions
- Stay Informed: Keep track of the support timelines for LTS versions to plan for future upgrades.
- Regular Updates: Apply security updates regularly to keep your system and applications secure.
- Test Before Upgrading: Test updates in a staging environment before applying them to production systems to ensure compatibility and stability.
By using LTS versions of software like Ubuntu and Django, you ensure that your development environment remains secure, stable, and well-supported, which is essential for both personal projects and professional deployments.
5.5 Authentication
5.5.1 Identity crisis activity
In this activity, we are going to check whether an email address has been exposed as part of a data breach.
Navigate your browser to HaveIBeenPwned.com.
Once there, enter an email address to see if it has been exposed.
Once a hacker gets a copy of an email address and password, they can run a script to try that email/password combination on other sites.
Reflect and answer the following questions:
- What would the impact on a person be if they reused the same email and password for all of their accounts? How would this be different if they used a different password for each account?
- What are the possible effects to an individual whose data has been exposed to persons that should not be able to view it?
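HaveIBeenPwned's companion service, Pwned Passwords, lets an application check a password against breach corpora without ever sending the password, or even its full hash, to the service. The client hashes the password with SHA-1, sends only the first five hex characters to https://api.pwnedpasswords.com/range/<prefix>, and receives every hash suffix in that range with a breach count; matching the suffix happens locally. The following is an added example (not part of the course page) of that k-anonymity exchange. It runs offline: SAMPLE_RANGES is a constructed stand-in for the server's response, in which only the suffix of sha1("password") is real and the other suffixes and all counts are made up.

```python
import hashlib

# Constructed stand-in for the range endpoint.  The real service answers a
# GET of https://api.pwnedpasswords.com/range/<5 hex chars> with lines of
# "<35 hex chars>:<count>".  The suffix for sha1("password") is real; the
# other suffixes and every count are invented for this example.
SAMPLE_RANGES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n"
    ),
}

# Every prefix actually requested, so the caller can see what leaves the machine.
REQUESTED_PREFIXES = []


def split_hash(password):
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_fetch(prefix):
    """Stand-in for the HTTPS request; records the prefix and returns the sample."""
    REQUESTED_PREFIXES.append(prefix)
    return SAMPLE_RANGES.get(prefix, "")


def breach_count(password, fetch=offline_fetch):
    """How often the password appears in the (sample) breach corpus."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def is_acceptable(password, fetch=offline_fetch):
    """Policy hook for a signup or password-change form: reject known-breached values."""
    return breach_count(password, fetch) == 0


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple 7!"]:
        print(f"{candidate!r}: seen {breach_count(candidate)} times")
    print("prefixes sent to the service:", REQUESTED_PREFIXES)
```

To use it against the live service, replace `offline_fetch` with a function that performs the HTTPS GET and returns the response body; the rest of the code is unchanged. The point of the design is visible in REQUESTED_PREFIXES: only five hex characters per check ever leave the client, which is why a site can reject breached passwords at signup without becoming a new place where passwords are exposed.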
5.5.2 World’s Biggest Data Breaches
Data breaches and hacks occur on a regular basis. Some make the news, others don’t, but millions of accounts and personal details are being exposed each year.
Navigate your browser to World’s Biggest Data Breaches and Hacks.
Once there, make sure the search is cleared:
As you hover over the different circles, you can get more information about each of the data breaches.
🤔 Using the information on this site, answer the following questions:
What common vulnerabilities or attack vectors are frequently exploited in large-scale data breaches?
Analysis: Review the data breaches listed on the World’s Biggest Data Breaches and Hacks site. Identify recurring vulnerabilities, such as weak passwords, phishing attacks, outdated software, or inadequate security protocols, and explain how these were exploited in specific breaches.
5.5.3 How Do Attackers Gain Access?
In this activity, you are going to take time to research the different ways attackers gain access to unauthorized information.
Keylogger: A keylogger is a type of software or hardware device that records keystrokes made on a keyboard to capture sensitive information such as passwords or personal data.
Credential Stuffing: Credential stuffing is a cyberattack where stolen username-password pairs are used to gain unauthorized access to user accounts across multiple websites.
Shoulder Surfing: Shoulder surfing involves an attacker looking over someone’s shoulder to obtain confidential information such as PINs or passwords.
Social Engineering: Social engineering is the manipulation of individuals into divulging confidential information by exploiting human psychology rather than using technical hacking methods.
Pretexting: Pretexting is a social engineering tactic where an attacker creates a fabricated scenario to trick a victim into revealing personal information.
Malware: Malware is malicious software designed to harm or exploit any programmable device, service, or network, often used to steal sensitive data or disrupt operations.
Phishing: Phishing is a fraudulent attempt to obtain sensitive information by disguising as a trustworthy entity in electronic communications.
Malicious Links: Malicious links are hyperlinks embedded in emails, websites, or messages that lead to harmful websites or initiate malware downloads.
Brute Force: A brute force attack is a method used by attackers to crack passwords by trying every possible combination until the correct one is found.
Piggybacking: Piggybacking refers to the unauthorized access to a secured area or system by following someone with legitimate access.
Rogue Access Point: A rogue access point is an unauthorized wireless access point installed on a secure network, potentially used to intercept data.
Evil Twin Attack: An evil twin attack occurs when a hacker sets up a fraudulent Wi-Fi network that mimics a legitimate one to steal data from unsuspecting users.
Packet Sniffing: Packet sniffing involves capturing and analyzing network traffic to monitor data flow or intercept sensitive information.
Weak Passwords: Weak passwords are easy-to-guess or commonly used passwords that can be easily cracked by attackers, compromising security.
Physical Theft: Physical theft refers to the stealing of physical devices, such as computers or mobile phones, which can lead to unauthorized access to sensitive data.
Use the following sites to assist you in your research:
Open Web Application Security Project (OWASP) Top Ten (the OWASP list of the most critical web application security risks)
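Two of the techniques in the list above, brute force and credential stuffing, look different in an application's authentication log, and telling them apart matters because the response differs: rate-limit or lock the single hammered account for brute force, but force a password reset on every account that logged in successfully from a stuffing source, since those users reused a breached password. The following detection logic is an added example, not part of the course page; the log format (`<timestamp> ip=<source> user=<account> result=OK|FAIL`) and every log line are constructed for it.

```python
from collections import defaultdict

# Constructed log format for this example:
#   <timestamp> ip=<source> user=<account> result=OK|FAIL


def parse_line(line):
    """Split one log line into a dict of its fields."""
    ts, rest = line.split(" ", 1)
    event = {"ts": ts}
    for field in rest.split():
        key, _, value = field.partition("=")
        event[key] = value
    return event


def summarise_by_ip(lines):
    """Per source IP: attempts, failures, distinct accounts tried, accounts that succeeded."""
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "ok_users": set()})
    for line in lines:
        ev = parse_line(line)
        s = per_ip[ev["ip"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        if ev["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["ok_users"].add(ev["user"])
    return per_ip


def classify(per_ip, min_attempts=10, stuffing_ratio=0.8, brute_fail_rate=0.9):
    """Credential stuffing: many distinct accounts, about one try each, mostly
    failing.  Brute force: one or two accounts hit repeatedly, almost all failing."""
    verdicts = {}
    for ip, s in per_ip.items():
        if s["attempts"] < min_attempts:
            verdicts[ip] = "normal"
            continue
        distinct_ratio = len(s["users"]) / s["attempts"]
        fail_rate = s["fails"] / s["attempts"]
        if distinct_ratio >= stuffing_ratio and fail_rate >= 0.5:
            verdicts[ip] = "credential-stuffing"
        elif len(s["users"]) <= 2 and fail_rate >= brute_fail_rate:
            verdicts[ip] = "brute-force"
        else:
            verdicts[ip] = "normal"
    return verdicts


def compromised_accounts(per_ip, verdicts):
    """Accounts that logged in from a stuffing source: the password-reuse victims."""
    hit = set()
    for ip, verdict in verdicts.items():
        if verdict == "credential-stuffing":
            hit |= per_ip[ip]["ok_users"]
    return hit


def analyse(lines):
    """Convenience wrapper returning (verdicts, accounts to force-reset)."""
    per_ip = summarise_by_ip(lines)
    verdicts = classify(per_ip)
    return verdicts, compromised_accounts(per_ip, verdicts)


def build_sample_log():
    """Constructed sample: a stuffing run, a brute-force run and a normal user."""
    lines = []
    # 198.51.100.7 tries 12 accounts once each; bob reused a breached password.
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank",
                              "grace", "heidi", "ivan", "judy", "mallory", "oscar"]):
        result = "OK" if user == "bob" else "FAIL"
        lines.append(f"2024-05-01T10:00:{i:02d}Z ip=198.51.100.7 user={user} result={result}")
    # 203.0.113.5 hammers alice alone with 15 failures.
    for i in range(15):
        lines.append(f"2024-05-01T10:05:{i:02d}Z ip=203.0.113.5 user=alice result=FAIL")
    # 192.0.2.9 is carol mistyping twice and then getting in.
    lines += [
        "2024-05-01T10:10:00Z ip=192.0.2.9 user=carol result=FAIL",
        "2024-05-01T10:10:07Z ip=192.0.2.9 user=carol result=FAIL",
        "2024-05-01T10:10:15Z ip=192.0.2.9 user=carol result=OK",
    ]
    return lines


if __name__ == "__main__":
    verdicts, victims = analyse(build_sample_log())
    for ip, verdict in verdicts.items():
        print(f"{ip:15} {verdict}")
    print("accounts to force-reset:", sorted(victims))
```

The thresholds are deliberately simple and would be tuned per application; the structural signal is what matters. A stuffing source has a distinct-account ratio near 1 because each stolen pair is tried once, while a brute-force source has a ratio near 0 because it keeps guessing at the same account. Note that attackers spread stuffing across many IPs precisely to stay under per-IP thresholds, so production detection also aggregates by ASN, user agent and time window.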
5.5.4 Keylogging:
You Can Be Tracked!
5.6 Encryption
In Django development, encryption is used to protect sensitive data both in transit and at rest, ensuring user information and application data remain confidential and secure from unauthorized access.
5.6.1 SSH
In the context of Django development, SSH is used to securely connect to remote servers for deploying and managing Django applications, safeguarding the integrity of commands and data during deployment processes.
5.6.1.1 Step 1. Generate an SSH Key Pair
% ssh-keygen -t rsa -b 4096 -C "mail@cyber.mrchen.store"
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/jc24/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/jc24/.ssh/id_rsa
Your public key has been saved in /Users/jc24/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:q8o3m+jdLUP0u/wtNXhXsBDBBS34iFEiTYSDny/jbks mail@cyber.mrchen.store
The key's randomart image is:
+---[RSA 4096]----+
| . o+++*. |
| . ooo.= o |
| ..ooo.+ o |
| +. .. . .|
| .So . . .|
| + o . + .|
| oEo . o o |
| . oo==o.... |
| .=o==+++o... |
+----[SHA256]-----+
Choose a passphrase: it encrypts the private key on disk, so a stolen laptop or backup does not immediately yield server access. RSA 4096 as shown is acceptable; current OpenSSH defaults to Ed25519 (ssh-keygen -t ed25519), which gives shorter keys and faster operations with no loss of security.
5.6.1.2 Step 2. Copy the Public Key to the Remote Server
% ssh-copy-id -i ~/.ssh/id_rsa.pub jeremy@cyber.mrchen.store
ssh-copy-id appends the public key to ~/.ssh/authorized_keys on the server. It needs password login to still be enabled for this one step, which is why the server is hardened only after the key works. Only the .pub file is copied; the private key never leaves your machine.
5.6.1.3 Step 3. Connect Using SSH with the -i Option
% ssh -i ~/.ssh/id_rsa jeremy@cyber.mrchen.store
The -i option is only needed when the key is not in one of the default locations (~/.ssh/id_rsa, ~/.ssh/id_ed25519); a Host entry with an IdentityFile line in ~/.ssh/config avoids retyping it.
5.6.1.4 Harden the Server's SSH Daemon Configuration
Once key login works, disable password-based methods on the server so that guessed or stolen passwords cannot be used to log in:
/etc/ssh/sshd_config
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
Notes on these settings:
- ChallengeResponseAuthentication is the old name for KbdInteractiveAuthentication (OpenSSH 8.7 and later); both spellings are accepted and set the same option.
- UsePAM no switches PAM off entirely for sshd, including its account and session modules. Ubuntu ships UsePAM yes, and once password and keyboard-interactive authentication are both disabled PAM can no longer be used to authenticate anyway, so the more common choice is to leave UsePAM yes.
- Ubuntu 22.04 and later begin sshd_config with Include /etc/ssh/sshd_config.d/*.conf, and sshd uses the first value it reads for each option. A drop-in such as 50-cloud-init.conf that sets PasswordAuthentication yes therefore silently overrides an edit made lower down in the main file. Put the hardening in its own drop-in that sorts first (for example /etc/ssh/sshd_config.d/00-hardening.conf) or correct the existing one.
- Verify the effective configuration with sudo sshd -T | grep -Ei 'passwordauthentication|kbdinteractive|usepam', then sudo systemctl reload ssh while keeping your current session open, and confirm that a fresh key-based login works before closing it.
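Because sshd keeps the first value it reads for an option, and Ubuntu's stock sshd_config pulls in /etc/ssh/sshd_config.d/*.conf before anything else, a hardening edit can be silently ineffective. The following is an added example (not part of the course page) that reproduces sshd's first-value-wins rule over a main file plus its Include'd drop-ins and reports which hardening settings are not actually in effect. FILES is a constructed in-memory stand-in for /etc/ssh; the drop-in mirrors what Ubuntu cloud images ship. Match blocks are not modelled, and on a real host the authoritative answer is still `sshd -T`.

```python
import re

# Constructed stand-in for /etc/ssh.  The main file carries the hardening
# from the section above; the drop-in is what Ubuntu cloud images install.
FILES = {
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "# hardening added by the admin, as in the section above\n"
        "PasswordAuthentication no\n"
        "ChallengeResponseAuthentication no\n"
        "UsePAM yes\n"
    ),
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}

# Deprecated spellings that sshd maps onto the current option name.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Values the audit insists on (option names are case-insensitive in sshd).
HARDENED = {
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "permitrootlogin": "prohibit-password",
}


def _expand_include(pattern, files):
    """Minimal glob for '<dir>/*.conf': matching paths in lexical order, as sshd reads them."""
    directory = pattern.rpartition("/")[0]
    return sorted(p for p in files if p.rpartition("/")[0] == directory and p.endswith(".conf"))


def effective_config(files, main="/etc/ssh/sshd_config"):
    """Return {option: (value, file_it_came_from)} applying first-value-wins."""
    effective = {}

    def walk(path):
        for raw in files[path].splitlines():
            line = raw.split("#", 1)[0].strip()          # drop comments
            m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)", line)  # 'Key value' or 'Key=value'
            if not m:
                continue
            key, value = m.group(1).lower(), m.group(2).strip()
            key = ALIASES.get(key, key)
            if key == "include":
                for included in _expand_include(value, files):
                    walk(included)                      # included files are read in place
            elif key not in effective:
                effective[key] = (value, path)          # later occurrences are ignored

    walk(main)
    return effective


def audit(files):
    """List every hardening option that is missing or set to a weaker value."""
    eff = effective_config(files)
    findings = []
    for key, want in HARDENED.items():
        got, origin = eff.get(key, (None, None))
        if got is None:
            findings.append(f"{key} not set explicitly (compiled-in default applies)")
        elif got.lower() != want:
            findings.append(f"{key}={got} from {origin} overrides the intended {want}")
    return findings


if __name__ == "__main__":
    for finding in audit(FILES):
        print("FINDING:", finding)
```

Running it on the sample reports that PasswordAuthentication is still yes because the drop-in is read first. Adding a drop-in named 00-hardening.conf with PasswordAuthentication no, which sorts before 50-cloud-init.conf, clears that finding; that ordering trick is exactly what makes the fix survive a cloud-init or package update that rewrites the 50- file. To audit a real host, read the actual files into the same dict shape (or simply parse `sudo sshd -T`, which prints the resolved values).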
5.6.2 HTTPD
When a Django application is deployed, an HTTP server such as Apache httpd or Nginx sits in front of it and terminates TLS, so the browser's connection is encrypted (HTTPS) while Django itself sees plain HTTP from the proxy. Two things follow. First, the certificate and TLS settings live in the web server configuration, not in Django. Second, Django must be told it is behind a TLS-terminating proxy (SECURE_PROXY_SSL_HEADER, together with SECURE_SSL_REDIRECT, SESSION_COOKIE_SECURE and CSRF_COOKIE_SECURE) so that it issues Secure cookies and redirects plain-HTTP requests; running python3 manage.py check --deploy lists which of these are still missing.
5.6.3 Django Secret
The Django SECRET_KEY is the key behind every signing operation in a Django application: session cookies, password-reset and email-confirmation tokens, CSRF tokens, cookie-stored messages and anything that uses django.core.signing. Anyone who learns it can forge all of those values, so it must be unique per deployment, kept out of version control and rotated if it is ever exposed.
settings.py
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = 'django-insecure-c!nj)mo8)fv0c#9gw44+=&1l@kq=*mdu_w)%(iy(%eku545*v$'
The value above is what startproject generates. The django-insecure- prefix marks it as a development key: manage.py check --deploy warns (security.W009) when the production key is shorter than 50 characters, has fewer than 5 unique characters or carries this prefix. In production, read the key from an environment variable or a secrets manager instead of a literal in settings.py, and while rotating keep the previous key in SECRET_KEY_FALLBACKS (Django 4.1 and later) so existing sessions stay valid until they expire naturally.
5.6.4 Django Password Validation
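Three things a practitioner wants to see around SECRET_KEY are how to load it safely, why leaking it is fatal, and how to rotate it without logging everyone out. The following is an added example, not part of the course page and not Django's own code: the signer is a simplified HMAC construction in the spirit of django.core.signing (Django's real implementation also salts and derives per-purpose keys), and the loader mirrors the conditions behind Django's security.W009 check. The environment variable names are assumptions of the example.

```python
import base64
import hashlib
import hmac
import secrets

# Same alphabet Django's get_random_secret_key() draws from.
KEY_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"


def generate_secret_key(length=50):
    """A fresh key suitable for SECRET_KEY, using the CSPRNG behind `secrets`."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def key_is_acceptable(key):
    """The conditions behind Django's security.W009 deploy warning."""
    return len(key) >= 50 and len(set(key)) >= 5 and not key.startswith("django-insecure-")


def load_secret_key(environ, name="DJANGO_SECRET_KEY"):
    """Read the key from the environment (assumed variable name) and refuse weak values."""
    key = environ.get(name, "")
    if not key_is_acceptable(key):
        raise RuntimeError(f"{name} is missing, too short, low-entropy or the startproject default")
    return key


def sign(value, key):
    """value -> 'value:base64url(HMAC-SHA256(key, value))' (simplified, not Django's format)."""
    mac = hmac.new(key.encode(), value.encode(), hashlib.sha256).digest()
    return value + ":" + base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def unsign(signed, key, fallbacks=()):
    """Verify with the current key first, then any retired keys still trusted."""
    value, sep, _ = signed.rpartition(":")
    if not sep:
        raise ValueError("malformed signed value")
    for candidate in (key, *fallbacks):
        if hmac.compare_digest(sign(value, candidate), signed):
            return value
    raise ValueError("bad signature")


# In settings.py this would read (variable names are this example's assumption):
#   SECRET_KEY = load_secret_key(os.environ)
#   SECRET_KEY_FALLBACKS = [v for v in [os.environ.get("DJANGO_SECRET_KEY_OLD")] if v]


def rotation_demo():
    """Sign a session under the old key, then rotate and show what still verifies."""
    old_key, new_key = generate_secret_key(), generate_secret_key()
    session = sign("user=42", old_key)
    results = {
        "valid_with_old": unsign(session, old_key) == "user=42",
        "rejected_without_fallback": False,
        "accepted_with_fallback": unsign(session, new_key, fallbacks=[old_key]) == "user=42",
        "tamper_detected": False,
    }
    try:
        unsign(session, new_key)            # new key alone: old sessions break
    except ValueError:
        results["rejected_without_fallback"] = True
    try:
        unsign(session.replace("user=42", "user=1"), old_key)   # forged payload
    except ValueError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    for name, ok in rotation_demo().items():
        print(f"{name:26} {ok}")
```

The demo makes the threat concrete: whoever holds the key can produce a valid "user=1" cookie, and nothing in the signed value itself stops them, which is why the key is the thing to protect. It also shows why a naive rotation (replace the key, restart) logs every user out and invalidates every outstanding reset link, and why SECRET_KEY_FALLBACKS exists: verification tries the retired key only after the current one fails, and new signatures are always made with the current key, so the old key can be dropped once its sessions have aged out.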
Django provides a robust password validation framework to enhance security by enforcing password strength requirements. This is configured in the settings.py file using the AUTH_PASSWORD_VALIDATORS list, which specifies a set of validators to apply when users set or change their passwords. The default validators include:
- UserAttributeSimilarityValidator: Ensures the password is not too similar to the user’s attributes, such as username or email, to prevent easy guesses.
- MinimumLengthValidator: Enforces a minimum length requirement for passwords, promoting stronger passwords.
- CommonPasswordValidator: Checks against a list of common passwords to avoid using passwords that are easily guessable or widely used.
- NumericPasswordValidator: Prevents passwords from being entirely numeric, which are often weaker and easier to crack.
Note what the defaults do and do not do. They reject passwords that are short (the default minimum is 8 characters), that appear in Django's bundled list of about 20,000 common passwords, that are entirely numeric, or that closely resemble the user's username, first name, last name or email (a similarity ratio of 0.7 or more). They do not impose composition rules such as mandatory symbols or mixed case, which is in line with current NIST guidance, and they know nothing about reuse across sites. Raise min_length through the validator's OPTIONS and consider adding a breached-password check for stronger protection against credential stuffing.
settings.py
AUTH_PASSWORD_VALIDATORS = [
    {
        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
    },
    {
        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
    },
]
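To see exactly what each of the four default validators rejects, the following added example (not part of the course page, and not Django's own code) re-creates their checks with only the standard library so they can be tried without a Django project. The error codes match Django's; the similarity check uses difflib's quick_ratio with the 0.7 threshold as Django does. COMMON_PASSWORDS is a constructed stand-in for Django's bundled list of about 20,000 entries.

```python
import difflib
import re

# Constructed stand-in for Django's bundled common-password list.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein", "welcome1", "iloveyou"}


def minimum_length(password, min_length=8):
    """MinimumLengthValidator: default minimum of 8 characters."""
    return None if len(password) >= min_length else "password_too_short"


def common_password(password):
    """CommonPasswordValidator: case-insensitive lookup in the common list."""
    return "password_too_common" if password.lower().strip() in COMMON_PASSWORDS else None


def numeric_password(password):
    """NumericPasswordValidator: reject all-digit passwords."""
    return "password_entirely_numeric" if password.isdigit() else None


def user_attribute_similarity(password, user_attrs, max_similarity=0.7):
    """UserAttributeSimilarityValidator: compare against each attribute and each
    word of it; quick_ratio at or above 0.7 (Django's default) is too similar."""
    pw = password.lower()
    for value in user_attrs.values():
        if not value:
            continue
        value = str(value).lower()
        for part in re.split(r"\W+", value) + [value]:
            if part and difflib.SequenceMatcher(a=pw, b=part).quick_ratio() >= max_similarity:
                return "password_too_similar"
    return None


def validate_password(password, user_attrs=None, min_length=8):
    """Run the four checks in the order settings.py lists them; [] means accepted."""
    user_attrs = user_attrs or {}
    checks = [
        user_attribute_similarity(password, user_attrs),
        minimum_length(password, min_length),
        common_password(password),
        numeric_password(password),
    ]
    return [code for code in checks if code]


if __name__ == "__main__":
    alice = {"username": "alice", "email": "alice@example.com"}
    for candidate in ["password", "12345678", "alice2024", "short1", "Tr0ub4dor&3!"]:
        print(f"{candidate!r:16} -> {validate_password(candidate, alice) or 'accepted'}")
```

The "alice2024" case is the instructive one: it passes the length, common-list and numeric checks, yet quick_ratio("alice2024", "alice") is 0.71, so the similarity validator rejects it. Conversely "Tr0ub4dor&3!" is accepted even though it would fail many composition-rule policies, which shows that Django's defaults judge passwords by guessability rather than by character classes. Raising min_length in production is the same as passing {'OPTIONS': {'min_length': 12}} to MinimumLengthValidator in settings.py.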