Lesson#40

Factors Encouraging Internet Attacks
Generally, Internet attacks of both a passive and an active nature occur for a number of reasons, including the availability of tools and techniques on the Internet, or as commercially available software, that an intruder can download easily. For example, to scan ports an intruder can easily obtain network scanners, and various password cracking programs are available free or at minimal cost. Another factor is the lack of security awareness and training among an organization’s employees. No matter how perfect a system is made by removing all possible vulnerabilities, there is still a chance that weaknesses exist and the system can be intruded upon at any given time. Inadequate security over firewalls and operating systems may allow intruders to view internal addresses and use network services indiscriminately.
40.1 Internet Security Controls
Information systems can be made secure from the threats discussed in the last slides. There is no single control available to cater for the risk of vulnerabilities associated with the web (Internet). Some of the solutions are:
• Firewall Security Systems
• Intrusion Detection Systems
• Encryption
40.2 Firewall Security Systems
Every time a corporation connects its internal computer network to the Internet it faces potential danger. Because of the Internet’s openness, every corporate network connected to it is vulnerable to attack. Hackers on the Internet could break into the corporate network and do harm in a number of ways: steal or damage important data, damage individual computers or the entire network, use the corporate computers’ resources, or use the corporate network and resources as a way of posing as a corporate employee. Companies should build firewalls as one means of perimeter security for their networks. Likewise, the same principle holds true for very sensitive or critical systems that need to be protected from untrusted users inside the corporate network.
A firewall is defined as a device installed at the point where network connections enter a site; it applies rules to control the type of network traffic flowing in and out. The purpose is to protect the Web server by controlling all traffic between the Internet and the Web server.
To be effective, firewalls should allow individuals on the corporate network to access the Internet and, at the same time, stop hackers or others on the Internet from gaining access to the corporate network to cause damage. Generally, most organizations follow one of two philosophies:
• Deny-all philosophy -- access to a given resource is denied unless a user can provide a specific business reason or need for access to the information resource.
• Accept-all philosophy -- everyone is allowed access unless someone can provide a reason for denying access.
System reports may also be generated to see who attempted to attack the system and tried to enter through the firewall from remote locations.
Firewalls are hardware and software combinations that are built using routers, servers and a variety of software. They should control the most vulnerable point between a corporate network and the Internet, and they can be as simple or as complex as the corporate security policy demands. There are many types of firewalls, but most enable an organization to:
• Block access to particular sites on the Internet.
• Limit traffic on an organization’s public services segment to relevant addresses.
• Prevent certain users from accessing certain servers or services.
• Monitor communications between an internal and an external network.
• Monitor and record all communications between an internal network and the outside world, to investigate network penetrations or detect internal subversion.
• Encrypt packets of data that are sent between different physical locations within an organization by creating a VPN over the Internet.
The capabilities of some firewalls can be extended so that they also provide protection against viruses and against attacks directed at exploiting known operating system vulnerabilities. A server at a remote location can be protected by firewalls and an IDS, further complemented by an IPS (Intrusion Prevention System) that defines the specific ranges of IP addresses that may access the location, with defined rights.
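The following Python is an added example and not part of the lecture: a minimal packet-filter model that makes the two philosophies above concrete. The deny-all firewall lists only the traffic with a stated business need (public HTTPS to the web server, SSH from a remote office range with defined rights) and denies everything else; the accept-all firewall passes everything except the one range for which someone has supplied a reason to deny. The rule fields, rule sets, addresses (documentation ranges) and sample packets are all constructed; the `denied` list stands in for the system reports the text mentions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example, not from the lecture. All rules, addresses and packets are
# constructed for illustration.


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR the sender must fall in
    dst: str               # CIDR the receiver must fall in
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port; None matches any port

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))


class Firewall:
    def __init__(self, rules: List[Rule], default: str):
        # `default` is the philosophy: "deny" = deny-all, "allow" = accept-all
        if default not in ("allow", "deny"):
            raise ValueError("default must be 'allow' or 'deny'")
        self.rules = list(rules)
        self.default = default
        self.denied = []   # blocked packets, the raw material for a system report

    def decide(self, pkt: dict) -> str:
        # First matching rule wins; with no match the default policy applies.
        verdict = self.default
        for rule in self.rules:
            if rule.matches(pkt):
                verdict = rule.action
                break
        if verdict == "deny":
            self.denied.append(pkt)
        return verdict


WEB_SERVER = "192.0.2.10"          # constructed: the public web server
INTERNAL = "192.0.2.0/24"          # constructed: the corporate segment
REMOTE_OFFICE = "198.51.100.0/24"  # constructed: remote location granted defined rights
BLOCKED_RANGE = "203.0.113.0/24"   # constructed: a range with a known reason to deny


def build_deny_all() -> Firewall:
    """Deny-all: only traffic with a stated business need is listed."""
    return Firewall([
        Rule("allow", "0.0.0.0/0", WEB_SERVER + "/32", "tcp", 443),  # public HTTPS
        Rule("allow", REMOTE_OFFICE, INTERNAL, "tcp", 22),          # remote administrators
    ], default="deny")


def build_accept_all() -> Firewall:
    """Accept-all: everything passes unless someone supplied a reason to deny."""
    return Firewall([
        Rule("deny", BLOCKED_RANGE, "0.0.0.0/0", "any", None),
    ], default="allow")


SAMPLE_PACKETS = [  # constructed traffic
    {"src": "203.0.113.5", "dst": WEB_SERVER, "proto": "tcp", "dport": 443},
    {"src": "203.0.113.5", "dst": WEB_SERVER, "proto": "tcp", "dport": 22},
    {"src": "198.51.100.7", "dst": WEB_SERVER, "proto": "tcp", "dport": 22},
    {"src": "100.64.0.9", "dst": WEB_SERVER, "proto": "tcp", "dport": 3389},
]


def run(fw: Firewall, packets=None) -> List[str]:
    """Return the verdict for each packet, in order."""
    return [fw.decide(p) for p in (SAMPLE_PACKETS if packets is None else packets)]


if __name__ == "__main__":
    for name, fw in (("deny-all", build_deny_all()), ("accept-all", build_accept_all())):
        print(name, run(fw), "denied:", len(fw.denied))
```

Note the last packet: a connection to port 3389 from an unknown address is refused by the deny-all firewall simply because nobody asked for it, while the accept-all firewall lets it through because nobody has yet given a reason to block it. That is the practical difference between the two philosophies.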
40.3 Intrusion Detection Systems (IDS)
Another element in securing networks is an intrusion detection system (IDS). An IDS is used as a complement to firewalls. It works in conjunction with routers and firewalls by monitoring network usage anomalies. It protects a company’s information systems resources from external as well as internal misuse.
Types of IDS include:
• Signature-based: These IDS systems protect against detected intrusion patterns. The intrusive patterns they can identify are stored in the form of signatures.
• Statistical-based: These systems need a comprehensive definition of the known and expected behaviour of systems.
• Neural networks: An IDS with this feature monitors the general patterns of activity and traffic on the network and creates a database.
Signature-based IDSs will not be able to detect all types of intrusions, due to the limitations of detection rules. On the other hand, statistical-based systems may report many events outside the defined normal activity which are in fact normal activities on the network. A combination of signature- and statistical-based models provides better protection. The IDS is used as part of the network. It may be a combination of hardware and software, or software only, installed on the server. An IDS is located between the firewall and the corporate network and works in complement with the firewall; however, it can also be installed before the firewall. An IDS helps to detect both on-site unauthorized access, through a network-based IDS, and remote unauthorized access, through the use of a host-based IDS. Biometrics may also be used; however, biometrics helps to prevent only on-site illegal access. A log can be maintained in an IDS to detect and observe attempts at intrusion, both those made and those successful. An IDS is more concerned with recording and detecting intrusions. For blocking intrusions, another system called an Intrusion Prevention System (IPS) is used, which takes input from the IDS. The IDS reports the IP addresses that are attacking the organizational network.
40.4 Components of an IDS
An IDS comprises the following components:
• Sensors that are responsible for collecting data. The data can be in the form of network packets, log files, system call traces, etc.
• Analyzers that receive input from sensors and determine intrusive activity.
• An administrative console – it contains the intrusion definitions applied by the analyzers.
• A user interface.
Host-based IDS
A HIDS resides on a particular computer and provides protection for that specific computer system. HIDSs are not only equipped with system monitoring facilities but also include other modules of a typical IDS, for example the response module. A HIDS can work in various forms:
1. Systems that monitor incoming connection attempts. These examine host-based incoming and outgoing network connections. They are particularly concerned with unauthorized connection attempts to the protocols used for network communication, such as
• TCP (Transmission Control Protocol) or
• UDP (User Datagram Protocol)
ports, and can also detect incoming port scans.
2. Systems that examine network traffic that attempts to access the host. These systems protect the host by intercepting suspicious packets and scanning them to discourage intrusion.
• Network traffic – data travels in the form of packets on a network.
• Packet – a specific amount of data sent at a time.
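The following Python is added here and is not the lecture’s code. It serves both 40.3 and item 1 above: it is a small analyzer in the sense of 40.4, taking connection records as a sensor would deliver them and applying three intrusion definitions, a signature list (signature-based), a per-source rate threshold learned from a baseline of expected behaviour (statistical-based), and the distinct-port check a host-based system uses to spot an incoming port scan. The records, signatures, baseline counts and thresholds are all constructed. The output shows the trade-off the text describes: the statistical rule flags a legitimate but busy backup host, while the signature rule on its own sees only one probe of the scan and would miss the scan itself.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Added example, not lecture code. A record is what a sensor hands the
# analyzer: (timestamp_seconds, src_ip, dst_ip, proto, dst_port, payload_hint).
Record = Tuple[int, str, str, str, int, str]

# Constructed intrusion definitions (the "administrative console" content).
SIGNATURES = [
    ("telnet-connection", lambda r: r[3] == "tcp" and r[4] == 23),
    ("sqli-marker", lambda r: "' OR 1=1" in r[5]),
]

# Constructed baseline: connections per source in a normal minute.
NORMAL_PER_MINUTE = [12, 15, 10, 14, 11]


def signature_alerts(records: List[Record]) -> List[Tuple[str, str]]:
    """Signature-based: fire only on the stored patterns."""
    return sorted({(r[1], name) for r in records for name, match in SIGNATURES if match(r)})


def per_source_counts(records: List[Record]) -> Dict[str, int]:
    counts: Dict[str, int] = defaultdict(int)
    for r in records:
        counts[r[1]] += 1
    return counts


def rate_threshold(normal_counts: List[int], k: float = 3.0) -> float:
    """Statistical-based: 'expected behaviour' is mean + k * stdev of the baseline."""
    return statistics.mean(normal_counts) + k * statistics.pstdev(normal_counts)


def statistical_alerts(records: List[Record], threshold: float) -> List[str]:
    return sorted(src for src, n in per_source_counts(records).items() if n > threshold)


def portscan_alerts(records: List[Record], window: int = 60, min_ports: int = 10) -> List[str]:
    """HIDS-style check: one source touching many distinct ports within `window` seconds."""
    by_src: Dict[str, List[Tuple[int, int]]] = defaultdict(list)
    for r in records:
        by_src[r[1]].append((r[0], r[4]))
    hits = set()
    for src, events in by_src.items():
        events.sort()
        for t0, _ in events:
            ports = {p for t, p in events if t0 <= t < t0 + window}
            if len(ports) >= min_ports:
                hits.add(src)
                break
    return sorted(hits)


def sample_records() -> List[Record]:
    """Constructed sensor output covering one observation window."""
    recs: List[Record] = []
    # A backup host legitimately opening 25 SMB connections in a minute.
    for i in range(25):
        recs.append((i * 2, "10.0.0.7", "10.0.0.20", "tcp", 445, ""))
    # One external source touching 12 different ports within 30 seconds.
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]):
        recs.append((100 + i * 2, "203.0.113.9", "10.0.0.20", "tcp", port, ""))
    # Two web requests, one carrying a known injection marker.
    recs.append((200, "198.51.100.4", "10.0.0.20", "tcp", 80, "GET /item?id=1' OR 1=1"))
    recs.append((205, "198.51.100.4", "10.0.0.20", "tcp", 80, "GET /item?id=2"))
    return recs


def analyze(records: List[Record] = None) -> dict:
    """Run all three detectors and return their findings side by side."""
    records = sample_records() if records is None else records
    thr = rate_threshold(NORMAL_PER_MINUTE)
    return {
        "threshold": round(thr, 2),
        "signature": signature_alerts(records),
        "statistical": statistical_alerts(records, thr),
        "portscan": portscan_alerts(records),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key:12} {value}")
```

Reading the result against the text: the signature detector reports the injection marker and the single telnet probe, the statistical detector reports only the backup host (a normal activity outside the defined baseline), and only the port-scan rule recognises the twelve probes from 203.0.113.9 as one event. Combining the models gives the better coverage the section recommends; the false positive on 10.0.0.7 is the price of the statistical approach.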
Network-based IDS
The network-based type of IDS (NIDS) produces data about local network usage. A NIDS reassembles and analyzes all network packets that reach the network interface card. For example, while monitoring traffic, NIDSs capture all packets that they see on the network segment without analyzing them, focusing only on creating network traffic statistics. A honeynet does not allow the intruder to access actual data but leaves the intruder in a controlled environment which is constantly monitored. Monitoring provides information regarding the approach of the intruder.
Features of IDS
The features available in an IDS include:
• Intrusion detection
• Gathering evidence on intrusive activity
• Automated response (i.e. termination of connection, alarm messaging)
• Security policy
• Interface with system tools
• Security policy management
Limitations of IDS
An IDS cannot help with the following weaknesses:
• Incorrectness or scope limitation in the manner in which threats are defined
• Application-level vulnerabilities
• Backdoors into applications
• Weaknesses in identification and authentication schemes
40.5 Web Server Logs
The major purpose of enhancing web security is to protect the web server from attacks through the use of the Internet. In doing so, logging is the principal component of secure administration of a Web server. Logging the appropriate data and then monitoring and analyzing those logs are critical activities. Review of Web server logs is effective, particularly for encrypted traffic, where network monitoring is far less effective. Review of logs is a mundane activity that many Web administrators have a difficult time fitting into their hectic schedules. This is unfortunate, as log files are often the best and/or only record of suspicious behavior. Failure to enable the mechanisms to record this information and to use them to initiate alert mechanisms will greatly weaken or eliminate the ability to detect and assess intrusion attempts.
Similar problems can result if the necessary procedures and tools are not in place to process and analyze the log files. System and network logs can alert the Web administrator that a suspicious event has occurred and requires further investigation. Web server software can provide additional log data relevant to Web-specific events. If the Web administrator does not take advantage of these capabilities, Web-relevant log data may not be visible or may require a significant effort to access.
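As an added example (not part of the lecture), the Python below does the kind of log processing this section asks for. It parses a few constructed lines in the Common Log Format that most Web servers can write, tallies responses by status and by client, raises an alert when one client accumulates repeated error responses (the Web-specific event a network monitor of encrypted traffic could not see), and reports any line the parser could not understand rather than silently dropping it. The log lines, addresses and the error threshold are all constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Added example, not lecture code. Constructed Common Log Format lines; the
# last line is deliberately malformed to show that unparsed input is reported.
SAMPLE_LOG = """\
203.0.113.8 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.8 - - [10/Oct/2023:13:55:40 +0000] "GET /images/logo.png HTTP/1.1" 200 512
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /admin/ HTTP/1.1" 404 169
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 169
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-login.php HTTP/1.1" 404 169
198.51.100.23 - - [10/Oct/2023:13:56:03 +0000] "GET /backup.zip HTTP/1.1" 404 169
198.51.100.23 - - [10/Oct/2023:13:56:04 +0000] "GET /.env HTTP/1.1" 404 169
198.51.100.23 - - [10/Oct/2023:13:56:05 +0000] "GET /config.php HTTP/1.1" 404 169
192.0.2.77 - alice [10/Oct/2023:13:57:10 +0000] "POST /login HTTP/1.1" 302 0
this line is not in CLF and must be reported, not silently dropped
"""

# host ident user [time] "request" status size
CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

ERROR_THRESHOLD = 5   # constructed: 4xx/5xx responses from one client before alerting


def parse_clf(text: str) -> Tuple[List[dict], List[str]]:
    """Parse CLF text into entry dicts; return (entries, malformed_lines)."""
    entries, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = CLF.match(line)
        if not m:
            malformed.append(line)
            continue
        method, path, _proto = (m["req"].split(" ") + ["", ""])[:3]
        entries.append({
            "host": m["host"],
            "user": None if m["user"] == "-" else m["user"],
            "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": method,
            "path": path,
            "status": int(m["status"]),
            "size": 0 if m["size"] == "-" else int(m["size"]),
        })
    return entries, malformed


def review(entries: List[dict], malformed: List[str] = (),
           error_threshold: int = ERROR_THRESHOLD) -> dict:
    """Summarise the log and produce the alerts an administrator should look at."""
    by_status = Counter(e["status"] for e in entries)
    clients: Dict[str, dict] = defaultdict(lambda: {"requests": 0, "errors": 0, "paths": []})
    for e in entries:
        c = clients[e["host"]]
        c["requests"] += 1
        if e["status"] >= 400:
            c["errors"] += 1
            c["paths"].append(e["path"])
    alerts = []
    for host, c in sorted(clients.items()):
        if c["errors"] >= error_threshold:
            alerts.append(f"{host}: {c['errors']} error responses in {c['requests']} "
                          f"requests; paths {c['paths']}")
    for line in malformed:
        alerts.append(f"unparsed log line: {line!r}")
    return {"by_status": dict(by_status), "clients": dict(clients), "alerts": alerts}


if __name__ == "__main__":
    parsed, bad = parse_clf(SAMPLE_LOG)
    for alert in review(parsed, bad)["alerts"]:
        print("ALERT", alert)
```

The per-client error tally is what turns a handful of harmless-looking 404 lines into one reviewable event; the same six requests spread across six clients would not trip the threshold. Reporting the malformed line matters for the reason the text gives: a log that is silently incomplete is no better than one that was never enabled.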
Web Trust
Under the WebTrust approach, a WebTrust Seal of assurance is placed on the site to show potential customers that a CPA or CA has evaluated the website’s business practices and controls. The purpose is to determine whether they are in conformity with the WebTrust Principles. The WebTrust Principles and Criteria are intended to address user needs and concerns and are designed to benefit users and providers of electronic commerce services. Your input is not only welcome, it is essential to help ensure that these principles and their supporting criteria are kept up to date and remain responsive to marketplace needs. The WebTrust principles broadly cover the following aspects:
1. Business practices disclosures – the entity discloses how it does business with its electronic commerce.
2. Transaction integrity – the website operator maintains effective controls and practices to ensure that customers’ orders placed using electronic commerce are completed and billed as agreed.
3. Information protection – the entity maintains effective controls and practices to ensure that private customer information is protected from uses not related to the entity’s business.
40.6 Web Security Audits
Going online exposes an entity to more hazards than otherwise. This requires the implementation of effective controls and checks to secure both the company’s online data from undesired manipulation and the customer’s information and orders. The organization may hire an audit firm to offer these services and check the integrity of the website. Web audits help in gaining a web rating, which enhances the credibility of the audits. There are different levels of audits, tailored to your needs and your budget. Among the issues we can carefully review on your site, resulting in a detailed report with recommendations:
• performance, page load time
• graphics optimization
• navigation usability, consistency
• browser compatibility
• content formatting consistency
• accessibility compliance with ADA guidelines and Section 508 Standards
• broken links
• page errors, script errors
• search engine ranking
• interface layout
40.7 Digital Certificates
• The digital equivalent of an ID card, also called a "digital ID", a digital certificate is issued by a trusted third party known as a "certification authority" (CA), such as VeriSign and Thawte.
• For example, CBR requires a NIFT class 2 digital certificate in order to facilitate filing returns electronically.
• NIFT itself is an affiliate of VeriSign Inc., working as a certification authority in Pakistan.
• The certificate is valid for one year.
• The certificate is attached to the email every time a message is sent to a recipient.
• The CA verifies that a public key belongs to a specific company or individual (the "subject"), and the validation process it goes through to determine whether the subject is who it claims to be depends on the level of certification and on the CA itself.
The process of verifying the "signed certificate" is done by the recipient’s software, which is typically the Web browser. The browser maintains an internal list of popular CAs and their public keys and uses the appropriate public key to decrypt the signature back into the digest. It then recomputes its own digest from the plain text in the certificate and compares the two. If both digests match, the integrity of the certificate is verified. Companies like VeriSign and Thawte provide a variety of security and telecom services, such as digital certificates.
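The verification step just described, as an added example that is not the lecture’s code and not any real CA’s software. The "certificate" is a dictionary of fields; the CA signs the SHA-256 digest of its canonical JSON encoding with textbook RSA; the recipient looks the issuer up in its own list of CA public keys, recovers the signed digest from the signature with that key, recomputes the digest from the certificate’s plain text and compares the two. The RSA here is a toy (seeded 256-bit primes, no padding) so that the example runs offline and reproducibly; real certificates use X.509 encoding and padded signatures. The CA name, subject name and one-year validity field are constructed.

```python
import hashlib
import json
import math
import random
from typing import Dict, Tuple

# Added example, not lecture code. Toy RSA: fine for showing the digest
# comparison, not a substitute for a real signature scheme.

Key = Tuple[int, int]   # (n, exponent)


def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def make_keypair(seed: int, bits: int = 256) -> Tuple[Key, Key]:
    """Return (public, private). Seeded so the example is reproducible."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits, rng), _random_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def _digest(fields: dict) -> int:
    """SHA-256 of the canonical plain-text encoding of the certificate fields."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest(), "big")


def issue_certificate(subject: str, subject_public_key: Key, ca_name: str, ca_private: Key) -> dict:
    """The CA binds a subject name to a public key and signs the digest."""
    fields = {"subject": subject, "issuer": ca_name,
              "subject_public_key": list(subject_public_key), "valid_for_days": 365}
    n, d = ca_private
    return {"fields": fields, "signature": pow(_digest(fields), d, n)}


def verify_certificate(cert: dict, trusted_cas: Dict[str, Key]) -> bool:
    """What the browser does with its internal list of CA public keys."""
    issuer = cert["fields"]["issuer"]
    if issuer not in trusted_cas:
        return False                       # unknown CA: nothing to check against
    n, e = trusted_cas[issuer]
    recovered = pow(cert["signature"], e, n)   # "decrypt" the signature back into the digest
    return recovered == _digest(cert["fields"])   # compare with a freshly computed digest


def demo() -> Tuple[bool, bool, bool]:
    """Returns (genuine verifies, tampered fails, unknown issuer fails)."""
    ca_public, ca_private = make_keypair(seed=1)
    browser_store = {"Example CA": ca_public}          # constructed CA name
    subject_public, _ = make_keypair(seed=2)           # the site's own key pair
    cert = issue_certificate("CN=shop.example", subject_public, "Example CA", ca_private)
    tampered = {"fields": dict(cert["fields"], subject="CN=other.example"),
                "signature": cert["signature"]}
    other_store = {"Other CA": make_keypair(seed=3)[0]}
    return (verify_certificate(cert, browser_store),
            verify_certificate(tampered, browser_store),
            verify_certificate(cert, other_store))


if __name__ == "__main__":
    print(demo())
```

The tampered case is the point of the digest comparison: changing a single field after signing changes the recomputed digest, so it no longer equals the one recovered from the signature, and the certificate is rejected even though the signature bytes themselves are untouched. The unknown-issuer case shows why the browser’s internal list of CA public keys is part of the mechanism and not an optional extra.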