ZeePedia

Information Systems

Information System (CS507)

LESSON 39

Web Security

The nature of the internet makes it vulnerable to attack. Estimates claim that there are over 300

million computers connected via the Internet. Originally designed to allow for the freest possible

exchange of information, it is widely used today for commercial purposes. This poses significant

security problems for organizations when protecting their information assets. For example,

hackers and virus writers try to attack the Internet and computers connected to the Internet.

Some want to invade others' privacy and attempt to crack into databases of sensitive information

or sniff information as it travels across Internet routes.

The concept of Web

The Internet Protocol is designed solely for the addressing and routing of data packets across a

network. It does not guarantee or provide evidence on the delivery of messages. There is no

verification of an address. The sender will not know if the message reaches its destination at the

time it is required. The receiver does not know if the message came from the address specified as

the return address in the packet. Other protocols correct some of these drawbacks.

39.1 Web Security Threats

There is two major classes of security threats

� Passive Attacks

� Active Attacks

39.2 Passive attacks

This class of network attacks involves probing for network information. These passive attacks can

lead to actual active attacks or intrusions/penetrations into an organization's network. By probing

for network information, the intruder obtains network information as that can be used to target a

particular system or set of systems during an actual attack.

Types of Passive attacks

Examples of passive attacks that gather network information include the following:

�

Network Analysis

�

Eavesdropping

�

Traffic Analysis

39.3 Active Attacks

Once enough network information has been gathered, the intruder will launch an actual attack

against a targeted system to either gain complete control over that system or enough control to

cause certain threats to be realized. This may include obtaining unauthorized access to modify data

or programs, causing a denial of service, escalating privileges, accessing other systems. They affect

the integrity, availability and authentication attributes of network security.

39.4 Types of Active attacks

Common form of active attacks may include the following:

� Masquerading involves carrying out unauthorized activity by impersonating a legitimate

164

Information System (CS507)

user of the system.

�

Piggybacking involves intercepting communications between the operating system and

the user and modifying them or substituting new messages.

�

Spoofing A penetrator fools users into thinking they are interacting with the operating

system. He duplicates logon procedure and captures pass word.

�

Backdoors/trapdoors it allows user to employ the facilities of the operating system

without being subject to the normal controls.

�

Trojan Horse Users execute the program written by the penetrator. The program

undertakes unauthorized activities e.g. a copy of the sensitive data.

39.5

Threat Impact

It is difficult to assess the impact of the attacks described above, but in generic terms the following

types of impact could occur:

� Loss of income

� Increased cost of recovery (correcting information and re-establishing services)

� Increased cost of retrospectively securing systems

� Loss of information (critical data, proprietary information, contracts)

� Loss of trade secrets

� Damage to reputation

� Degraded performance in network systems

� Legal and regulatory non-compliance

� Failure to meet contractual commitments

39.6

Methods to avoid internet attacks:

1. Define the problem

The start of handling the problem would be to know the problem or the security threat seeking

management's attention. Only then can the people be appointed to address the threat. Greatest

concern about network attacks is finding the right people to handle daily network security

operations. It's critical that you have key people with the right experience and background. There's

no magic bullet, it doesn't come because we buy nice software and put it in our budget and have a

nice appliance somewhere. It's got to be through the use of people. They have to be well-trained.

2. Consolidate standards and purchasing power

Internet attacks, as discussed can be from various sources. The attackers tend to be more creative

by identifying new weaknesses in the systems. All major threats the management feels the

information systems is vulnerable to should be consolidated. This would help in identifying

standards and security products which can help in securing the system against that particular set of

internet attacks. There are instances where the organizations end up buying more that one security

products to address the same security threat, thus increasing investment.

165

Information System (CS507)

3. Think risks

The network attackers are getting smarter every day. Organizations and people want their data to

be protected. Businesses must operate within a similar risk management culture. A comprehensive

risk based approach starting from identifying risks may be a better solution.

4. Fix configurations

Configuration management is going to be very important. Without configuration standards,

applying software security tools becomes too costly. If a laptop is misconfigured or doesn't have

the right security software, the next step should be to deny network access to that laptop until it

meets the standard. Enforcing safe software configurations is especially critical on mobile devices

that use wireless connections to access agency networks. With good configuration management

practices, agencies can provide centrally managed security and still protect handheld and mobile

devices.

5. Better people mean more secure networks

The shortage of trustworthy people with IT security skills is a chronic problem that is unlikely to

ever disappear. Enough engineers and computer scientists should be trained in computer security

skills getting people with the right technical background to do the work has been the biggest need

of all.

6. Identify problems early and react fast

The most common approach to computer and network security is to wait for an attack and then go

after it. The organization's management needs to be more proactive with embedded security

services to get ahead of significant threats before they can pull the company off its routine

operations.

166