Web Security
The nature of the Internet makes it vulnerable to attack.
Estimates claim that there are over 300
million computers connected via the Internet. Originally
designed to allow for the freest possible
exchange of information, it is widely used today for commercial
purposes. This poses significant
security problems for organizations when protecting their
information assets. For example,
hackers and virus writers try to attack the Internet and
computers connected to the Internet.
Some want to invade others’ privacy and attempt to crack into
databases of sensitive information
or sniff information as it travels across Internet routes.
The concept of Web
The Internet Protocol is designed solely for the addressing and
routing of data packets across a
network. It does not guarantee or provide evidence of the
delivery of messages. There is no
verification of an address. The sender will not know if the
message reaches its destination at the
time it is required. The receiver does not know if the message
came from the address specified as
the return address in the packet. Other protocols correct some
of these drawbacks.
39.1 Web Security Threats
There are two major classes of security threats:
• Passive Attacks
• Active Attacks
39.2 Passive attacks
This class of network attacks involves probing for network
information. These passive attacks can
lead to actual active attacks or intrusions/penetrations into an
organization’s network. By probing
for network information, the intruder obtains network
information that can be used to target a
particular system or set of systems during an actual attack.
Types of Passive attacks
Examples of passive attacks that gather network information
include the following:
• Network Analysis
• Eavesdropping
• Traffic Analysis
39.3 Active Attacks
Once enough network information has been gathered, the intruder
will launch an actual attack
against a targeted system to either gain complete control over
that system or enough control to
cause certain threats to be realized. This may include obtaining
unauthorized access to modify data
or programs, causing a denial of service, escalating privileges,
or accessing other systems. These attacks affect
the integrity, availability and authentication attributes of
network security.
39.4 Types of Active attacks
Common forms of active attacks include the following:
• Masquerading – involves carrying
out unauthorized activity by impersonating a legitimate
user of the system.
• Piggybacking – involves
intercepting communications between the operating system and
the user and modifying them or substituting new messages.
• Spoofing – A penetrator fools
users into thinking they are interacting with the operating
system. The penetrator duplicates the logon procedure and captures the password.
• Backdoors/trapdoors – These allow
a user to employ the facilities of the operating system
without being subject to the normal controls.
• Trojan Horse – Users execute a
program written by the penetrator. The program
undertakes unauthorized activities, e.g. making a copy of the sensitive
data.
39.5 Threat Impact
It is difficult to assess the impact of the attacks described
above, but in generic terms the following
types of impact could occur:
• Loss of income
• Increased cost of recovery
(correcting information and re-establishing services)
• Increased cost of retrospectively
securing systems
• Loss of information (critical
data, proprietary information, contracts)
• Loss of trade secrets
• Damage to reputation
• Degraded performance in network
systems
• Legal and regulatory
non-compliance
• Failure to meet contractual
commitments
39.6 Methods to avoid internet attacks:
1. Define the problem
The first step in handling the problem is to know the problem,
that is, the security threat that needs
management’s attention. Only then can people be appointed to
address the threat. The greatest
concern about network attacks is finding the right people to
handle daily network security
operations. It's critical that you have key people with the
right experience and background. There's
no magic bullet: security doesn't come because we buy nice software,
put it in our budget and have a
nice appliance somewhere. It has to come through the use of
people, and they have to be well-trained.
2. Consolidate standards and purchasing power
Internet attacks, as discussed, can come from various sources. The
attackers tend to become more creative
by identifying new weaknesses in the systems. All major threats
to which management feels the
information systems are vulnerable should be consolidated.
This helps in identifying
standards and security products that can secure the
system against that particular set of
Internet attacks. There are instances where organizations
end up buying more than one security
product to address the same security threat, thus increasing
investment.
3. Think risks
The network attackers are getting smarter every day.
Organizations and people want their data to
be protected. Businesses must operate within a similar risk
management culture. A comprehensive
risk-based approach, starting with identifying risks, may be a
better solution.
4. Fix configurations
Configuration management is going to be very important. Without
configuration standards,
applying software security tools becomes too costly. If a laptop
is misconfigured or doesn't have
the right security software, the next step should be to deny
network access to that laptop until it
meets the standard. Enforcing safe software configurations is
especially critical on mobile devices
that use wireless connections to access agency networks. With
good configuration management
practices, agencies can provide centrally managed security and
still protect handheld and mobile
devices.
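
The admission rule described in this step, as an added example that is not part of the original notes: a device is denied network access until its reported configuration meets the standard. The setting names, thresholds and sample reports are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed configuration standard, not taken from the notes.
REQUIRED_TRUE = ("disk_encryption", "firewall_enabled", "antivirus_running")
MIN_OS_PATCH_LEVEL = 202401        # YYYYMM of the oldest acceptable patch set
MAX_SIGNATURE_AGE_DAYS = 7
# Extra setting enforced only on devices that connect over wireless.
WIRELESS_REQUIRED_FALSE = ("auto_join_open_networks",)

@dataclass
class Decision:
    device: str
    admit: bool
    failures: list = field(default_factory=list)

def _as_int(value):
    """Return value only if it is a real int (bool is rejected), else None."""
    return value if type(value) is int else None

def evaluate(device, report, wireless=False):
    """Compare a device's reported configuration with the standard.

    A missing or malformed value counts as a failure: a device that cannot
    show it meets the standard is denied, same as one that does not meet it.
    """
    failures = [k for k in REQUIRED_TRUE if report.get(k) is not True]
    patch = _as_int(report.get("os_patch_level"))
    if patch is None or patch < MIN_OS_PATCH_LEVEL:
        failures.append("os_patch_level")
    age = _as_int(report.get("signature_age_days"))
    if age is None or age < 0 or age > MAX_SIGNATURE_AGE_DAYS:
        failures.append("signature_age_days")
    if wireless:
        failures += [k for k in WIRELESS_REQUIRED_FALSE if report.get(k) is not False]
    return Decision(device, admit=not failures, failures=failures)

# Constructed sample reports.
COMPLIANT = {"disk_encryption": True, "firewall_enabled": True,
             "antivirus_running": True, "os_patch_level": 202405,
             "signature_age_days": 1, "auto_join_open_networks": False}
STALE = dict(COMPLIANT, os_patch_level=202309, signature_age_days=30)
NO_AGENT = {"firewall_enabled": True}   # security software not reporting

if __name__ == "__main__":
    for name, rep in (("lt-01", COMPLIANT), ("lt-02", STALE), ("lt-03", NO_AGENT)):
        d = evaluate(name, rep, wireless=True)
        print(name, "ADMIT" if d.admit else "DENY", d.failures)
```

The list of failed settings is returned with the decision so the device owner can be told what to fix before access is granted.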
5. Better people mean more secure networks
The shortage of trustworthy people with IT security skills is a
chronic problem that is unlikely to
ever disappear. Enough engineers and computer scientists should
be trained in computer security
skills; getting people with the right technical background to do
the work has been the biggest need
of all.
6. Identify problems early and react fast
The most common approach to computer and network security is to
wait for an attack and then go
after it. The organization’s management needs to be more
proactive with embedded security
services to get ahead of significant threats before they can
pull the company off its routine
operations.