Table of Contents

Part-A: Research via Search engines and virtual Libraries

A.1 URL for search results

Part-B: Essay based on the Research

Essay Title: Security on the Web

Abstract

Introduction

Body

Conclusion

Reference section


Part-A: Research via Search engines and virtual Libraries

A.1 URL for search results

The URL of your web site (where your web page is actually located).

Part A of the assignment is located at:

http://csusap.csu.edu.au/~pparam02/index2.html

Part-B: Essay based on the Research

Essay Title: Security on the Web

Abstract

With the advent of the World Wide Web, there is now an increasing number of applications on the Internet. Examples are commercial activities such as banking, buying and selling over the Internet, and the exchange of commercial information. Increasingly, more and more of the information stored on the net is private and confidential by nature. Traditionally, such information would have been held on disparate computer systems not accessible to the general public. Today most of it is publicly accessible via the Information Superhighway. This pervasiveness is a double-edged sword, with the positives mentioned above on one side and the risks described below on the other.

There exist certain elements on the Internet that will try to invade its commercial sanctity through a series of violations that range, at best, from a disruption of services on the net to, at worst, the siphoning of funds or valuable information. These are typically viruses, worms, hackers and electronic spies. These elements make security on the web necessary. It is analogous to the bolted front door of a home, shop or bank keeping the bad elements away. If access to the building is weak, or communication to and from it is clearly visible, it can be violated. Security is maintained on this simple principle of locks, keys and ciphers.

Introduction

To begin with, there is a requirement to understand the makeup of the web before we can fully understand the security issues regarding it. As with the analogy of the house, the elements of access are the front door and the communication issuing from this ‘house’. We also need to know whether this house is actually known and visible to the outside world. Even more sinister is whether an imitation house can hijack all communications to the actual house and receive all deliveries and communications itself instead. This is what the ‘man-in-the-middle attack’ (Bhansali 2001) is all about. A clear understanding of how violations of web security can occur is essential.

Once the ‘house’ is broken into, it is said to be intruded. The same concept exists in the virtual world of the web. Intrusion attempts occur frequently on the web (Adams 2002). Intrusion attempts are analogous to ‘door knob twist’ attempts at the obvious accesses (such as doors and windows) to a building. The thief will determine whether any access to the house has been left unlocked; if so, that will be his first choice of entry. Obvious as it may be, this is still the mode of operation of choice for intrusion attempts on systems on the web. Web servers in particular are vulnerable to this sort of intrusive activity (Radack 2002).

Once intruded, the web site can then be harvested for all sorts of information. This can be as simple as names and addresses, or as serious as credit card theft. In its simplest and most puerile form, a web site can be senselessly vandalised as a signature of hacker activity. Fox News (FoxNews July 2003) reported a “competition” among hackers to break into and vandalise 6000 sites in 6 hours. The article also talked about how hackers “sandbagged” themselves in, that is, broke in silently beforehand and then suddenly did the damage during the contest period. As vandalising requires the intruder to break in first, the onset of vandalising is preceded by the usual “door knob twists” to try all the entry points.

Once the usual means of violation are recognised, it is easier to understand the means of preventing the violation in the first place. Most violations of security on the web can be avoided by following industry best practices; some of these include the best practices for web services (Adams 2004), which cover XML digital signatures and XML encryption. Best practices for computer networks are equally important, as all major intrusions start out this way. The best way to start is to carry out a risk assessment of the computer network in question and then build means of ‘bridging’ the security gaps, based first on commonly accepted best practices and then on what is specifically required for the individual organisation (Cisco 2003).

Body

A risk assessment determines how vulnerable a web site or installation is to exploitation. This assessment is usually undergirded by an enterprise security policy (Cisco 2003), which outlines the process for the assessment and the means to create a framework for both prevention and response. This is necessary because security on the web may be compromised in one of many ways. The disruption may be caused by a worm or virus outbreak, which is basically executable code that capitalises on software vulnerabilities. The net effect is typically a disruption of services, which may lead to a disruption of business continuity. In the 2003 CSI/FBI Computer Crime and Security Survey (Richardson 2003), disruption of services (in the form of denial-of-service) contributed to 42% of attacks in the 12-month survey period, and this does not take into consideration the similar effect of viruses and worms (94%).

In the same survey (Richardson 2003), the second greatest dollar loss by type goes to the ‘denial-of-service’ category, which yielded a staggering $65,643,300 in reported losses. This comes after ‘theft of proprietary information’ at $70,195,900. In his ‘10 steps to network and information security’, Leon Pholi (Pholi 2003, p. 18) of the SANS Institute recommends some guidelines for managing the virus (or worm) problem. They are to remove unnecessary services and to ensure the latest patches are loaded. This is more of an operational or management issue than a technological one. Yet simply carrying the above out methodically will minimise exposure where security on the web is concerned.

Network worm and virus outbreaks have been around since at least 1988 (Spafford 1991). The worm which affected the Internet in 1988 exploited flaws in utility programs in systems based on BSD-derived versions of UNIX. The flaws allowed the program to break into those machines, copy itself and infect those systems. This program eventually spread to thousands of machines and disrupted normal activities and Internet connectivity for many days. These days, due to the popularity of Microsoft, the Windows and NT operating systems are pervasive in the work environment. Existing vulnerabilities in these systems mean that they are prone to exploitation when unpatched. The latest exploitation of a Microsoft vulnerability was by the W32/Sasser worm (US-CERT May 1).

Computers on the Internet are prone to exploitation because of underlying faults in their operating systems or in applications associated with those operating systems. The SANS Institute has highlighted the twenty top vulnerabilities via a consensus from a panel of experts (Kamerling 2003). The twenty top vulnerabilities are split between the Windows and Linux operating systems. The Windows ones include vulnerabilities in Internet Information Server (IIS), Microsoft Data Access Components and Microsoft SQL Server, to name a few. The Linux ones include BIND/DNS, Remote Procedure Call (RPC), Apache Web Server and SNMP.

Apart from exploited vulnerabilities within computers, the FBI/CSI report (Richardson 2003) states that another issue with regard to security on the web is insider abuse of Net access. This can be hacking attempts from inside the organisation or blatant misuse of its Internet connectivity. This is usually the result of disgruntled employees. According to a BBC news article (Ward 2002), disgruntled employees are known to use portable devices (such as memory cards on cameras and MP3 devices) to bring in software that looks for vulnerabilities on a company's network (or web/Internet services).

The innocent-looking devices could also be used to smuggle out confidential or sensitive information, or to place trojans and worms within their employer’s network to assist them in entering the network from the Internet by circumventing the company’s firewall. The danger disgruntled employees pose was highlighted by a survey showing that almost half of the most serious security incidents businesses suffered last year were caused by company workers (Ward 2002). The FBI/CSI report (Richardson 2003) correspondingly shows that unauthorised access by insiders contributed to 45% of attacks or misuse detected in the last 12 months.

The report also mentions that the second biggest cost due to security issues on the web is denial-of-service attacks. Denial of service is when attempts are made to inundate a network with large volumes of useless data to prevent bona fide network traffic, to disrupt connections between one or more machines with the sole purpose of preventing users from accessing a service, or any other attempt to disrupt service to a specific system or person (CERT 2001). A concurrent act of denial of service by many computers is called a ‘distributed denial of service’ attack. Such an attack was known to halt or greatly impede the services of Yahoo!, E*Trade, Amazon.com and eBay on February 7, 2000 (computercrime.gov, Computer Crime and Intellectual Property Section).

Intrusion into computer systems is another problem where security on the web is concerned. The FBI/CSI report shows that this is a moderate problem, amounting to less than 40% of all misuse detected in the last 12 months (Richardson 2003). The current war on terrorism has shown that the Al Qaeda terrorist organisation even has cyber war and information intelligence capability. On Al Qaeda computers were found tools such as L0phtCrack, which allows the operative to get into almost anyone's password if they have used a simple eight-digit password (Clarke 2003). There is also evidence that some of their operatives were undergoing advanced hacking training. Apparently intercepted communications, as well as computer disks that were found, indicate that there is extremely vigorous use of the Web and the Net for the purpose of intrusion and penetration of computer systems via the Internet (Arquilla 2003).

To curb the increasing abuse where security on the web is concerned, the concepts of authentication and authorisation are introduced. Authentication and authorisation facilitate increased security when accessing sensitive systems on the web. An Internet Engineering Task Force (IETF) Request for Comments document summarises the authentication, authorisation and accounting protocol requirements for network access (RFC2989). Authentication is based on what the person is, something the person has, or what the person knows (Lynch 1998) that uniquely identifies the person; in its simplest form, a password. Authorisation is finding out whether the person, once identified, is permitted to have the resource on the web (Wikipedia 2003). Authorisation is equivalent to having one’s ticket checked when going to the movies.

Traditionally, this is implemented on the web via password authentication and access control. However, Beverstock (2003, p. 18) maintains ‘that very strong passwords are crackable in less than 90 days, and perhaps even as little as 10 days, and that computers will get dramatically faster in our lifetimes, passwords are dead as a viable alternative for authentication for high value or important systems’. This means that for systems with sensitive information on the web, such as ecommerce sites or Internet banking, a more secure system is required. A range of strong authentication alternatives exist, ranging from smart cards and biometric readers to digital certificate technologies. Smart cards and authentication tokens in particular are being used increasingly. They are appealing because they are multi-factor credentials and can be used for more than one function. If deployed with public key encryption, they can be used to support digital signatures on online forms (Desmond 2003).

Digital signatures are used in web servers as part of public key encryption to establish secure browser communications with secure web sites via the Secure Sockets Layer (SSL) protocol. The SSL protocol is by far the dominant protocol for handling secure transactions over the Internet. SSL supports secure transactions at the Web servers that host e-commerce transactions as well as in the Web browsers, applications and appliances that access those servers (Sun Microsystems 2003). Almost all ecommerce sites, such as online stores and banks, or any web entity that carries out secure transactions on the web, use SSL. The SSL protocol uses two kinds of cryptographic tools for security services: symmetric-key cryptography and public-key cryptography. RSA is the main public-key technology used with SSL today, but Elliptic Curve Cryptography is emerging as a newer and faster alternative (Gupta, Stebila, Fung, Chang, Gura, Eberle 2003). The RSA algorithm was invented in 1978 by Ron Rivest, Adi Shamir and Leonard Adleman (webpatent).

Elliptic curves can provide versions of public-key methods that, in some cases, are faster and use smaller keys while providing an equivalent level of security. Their advantage comes from using a different kind of mathematical group for public-key arithmetic (Hankerson, Menezes, Vanstone 2003). Irrespective of the technology, all of these technologies were created to make commercial transactions on the web secure. This should make the entering of credit card numbers at commercial websites secure, provided you are using secure communication such as Secure Sockets Layer. In addition, one will recognise a secure URL by the use of “https:” in the address line and by the filename extension .shtml and not .html (University of Indiana, Computer Science).
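The SSL paragraph above says the protocol combines two kinds of cryptographic tool: public-key cryptography (RSA) to protect a session key, and symmetric-key cryptography to protect the traffic itself. The Python below is an added illustration of that division of labour and is not code from the essay or from any cited source; the small RSA primes, the HMAC-based keystream standing in for SSL's bulk cipher, and the sample form data are all constructed for the example.

```python
import hashlib
import hmac
import os
from math import gcd

# Toy RSA keypair built from two small primes (constructed for illustration;
# real SSL server keys use moduli of 1024 bits and more).
P, Q = 1000003, 1000033
N = P * Q                      # public modulus
PHI = (P - 1) * (Q - 1)
E = 65537                      # public exponent
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)            # private exponent (Python 3.8+)

def rsa_encrypt(m: int) -> int:
    """Public-key operation: anyone holding (E, N) can wrap a value."""
    return pow(m, E, N)

def rsa_decrypt(c: int) -> int:
    """Private-key operation: only the holder of D can unwrap it."""
    return pow(c, D, N)

def keystream(key: bytes, length: int) -> bytes:
    """Symmetric keystream from HMAC-SHA256 in counter mode (a stand-in for
    the negotiated SSL bulk cipher; constructed for this example)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def sym_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def client_wrap_session_key(session_key: bytes) -> int:
    """Client side: protect the random session key with the server's public
    key (the key is 4 bytes so that it fits below the toy modulus N)."""
    return rsa_encrypt(int.from_bytes(session_key, "big"))

def server_unwrap_session_key(wrapped: int, key_len: int = 4) -> bytes:
    """Server side: recover the session key with the private key."""
    return rsa_decrypt(wrapped).to_bytes(key_len, "big")

def ssl_style_exchange(plaintext: bytes, session_key: bytes = None) -> dict:
    """Run the whole exchange and return what each side saw."""
    session_key = session_key or os.urandom(4)
    wrapped = client_wrap_session_key(session_key)           # public-key step
    server_key = server_unwrap_session_key(wrapped)
    record = sym_crypt(session_key, plaintext)               # symmetric step
    return {"wrapped_key": wrapped, "record": record,
            "server_key": server_key,
            "server_plaintext": sym_crypt(server_key, record)}

if __name__ == "__main__":
    # Constructed sample form data, as a browser would send it to a web server.
    result = ssl_style_exchange(b"item=book&qty=1&card=XXXX-XXXX-XXXX-1234")
    print(result["server_plaintext"])
```

Only the wrapped key and the encrypted record travel over the wire; an eavesdropper who sees both still lacks D and so cannot recover the session key or the form data.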

Conclusion

In conclusion, we have seen that with the rapid growth of the Internet came also the escalating problem of bad elements on the Internet. These elements often test the limits of the security of the web through various forms of violation. They are not necessarily just hackers or enterprise espionage in action, but also worms and viruses propagating on the net. The disruption and damage result in loss of services and additional effort to clean up the aftermath. In the case of a distributed denial of service, entire web sites, such as Internet bank sites and other commercial sites, could be brought to a standstill because no bandwidth is available for commercial traffic to those sites.

The flip side is that security on the web does exist and is easily practised if some industry best practices are observed. These include the regular patching of operating systems and applications residing on the web, and removing unnecessary services. Leon Pholi (Pholi 2003, p. 18) of the SANS Institute recommended this practice in his ‘10 steps to network and information security’. In addition, for secure access to commercial web sites, the implementation of authentication and authorisation is greatly recommended. In the analogy of the secure house or building, we covered the locking and barring of doors. Last but not least, all communications to and from the house must be secured so as not to give sensitive information away. This is enforced by digital certificates, encryption and SSL technology.


Reference section

Adams, H 2004, WS-Security in real-world solutions, Best Practices for Web Services Part 12: Web services security, IBM, USA

Arquilla, J April 2003, “Vulnerability, what are al qaeda’s capabilities” <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/vulnerable/alqaeda.html>, CyberWar Frontline, US

Beverstock, D June 2003, “Passwords are DEAD! (Long live passwords?)”, GSEC Practical v.1.4b, SANS Institute (Security Reading Room), US

Bhansali, B 2001, Man-in-the-Middle Attack, 2000-2001 SANS Institute, USA

CERT, June 4 2001, “CERT Coordination Center – Denial of Service Attacks” <http://www.cert.org/tech_tips/denial_of_service.html>, Carnegie Mellon University, USA

Cisco Systems, 2003, Document ID: 13601, Network Security Policy: Best Practices White Paper <http://www.cisco.com/warp/public/126/secpol.html>, Cisco Systems, San Francisco, USA

Clarke, R April 2003, “Vulnerability, what are al qaeda’s capabilities” <http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/vulnerable/alqaeda.html>, CyberWar Frontline, US

Clifford, L April 1998, A White Paper on Authentication and Access Management Issues in Cross-organizational Use of Networked Information Resources, Coalition for Networked Information, Washington, US

Desmond, J August 2003, “Burton Group: Strong Authentication Alternatives Gaining Traction” <http://www.esecurityplanet.com/prodser/article.php/3064221>, esecurityplanet.com, US

FoxNews, July 2003, ‘Government warns of mass hacker attacks’, Associated Press

Gupta, Stebila, Fung, Chang, Gura, Eberle 2003, Speeding up Secure Web Transactions using Elliptic Curve Cryptography (ECC), Sun Microsystems Inc, California, US

Hankerson D, Menezes A, Vanstone S 2003, Guide to Elliptic Curve Cryptography, Springer-Verlag Professional Computing Series, US

Indiana University, Computer Science 2003, “A148: Working the World-Wide Web Lecture – Copyright and Security on the Web” <http://www.cs.indiana.edu/l/www/classes/a148/lectures/protect.html>, Indiana

Kamerling, E 2003, Top 20 list for 2003 <http://www.sans.org/top20>, SANS Institute, USA

Pholi, L 2003, Security in Practice – Reducing the Effort, SANS Institute, USA

Radack, S 2002, Security of Public Web Servers, Information Technology Laboratory

Richardson, R 2003, Computer Crime and Security Survey, CSI/FBI, USA

Spafford, E 1991, The Internet Worm Incident, Purdue University, USA

Sun Microsystems Inc, 2003, “Industry Announcement: Next Generation Internet Security” <http://research.sun.com/projects/crypto/SunNetwork2003_whitepaper.pdf>, California, US

Ward, M 29 April 2002, “Employees seen as computer saboteurs”, BBC News, UK

webpatent, September 2003, Patent 4405829: “Cryptographic communications system and method” <http://www.webpatent.com/patents/p4405829.htm>

Wikipedia, 2004, The free encyclopedia – lookup on authorization <http://en.wikipedia.org/wiki/Authorization>, Wikimedia Foundation Inc, Florida, US