CS507 - Information Systems - Lecture Handout 40

Factors Encouraging Internet Attacks

Generally, Internet attacks of both a passive and an active nature occur for a number of reasons, including:

  • Availability of tools and techniques on the Internet, or as commercially available software, that an intruder can download easily. For example, to scan ports an intruder can easily obtain network scanners, and various password-cracking programs are available free or at minimal cost.
  • Lack of security awareness and training among an organization's employees.
  • No matter how perfect a system is made by removing all possible vulnerabilities, there is still a chance that weaknesses exist and the system can be intruded upon at any given time.
  • Inadequate security over firewalls and operating systems, which may allow intruders to view internal addresses and use network services indiscriminately.

Internet Security Controls

Information systems can be made secure from the threats discussed in the last slides. No single control is available to cater for all the risks of the vulnerabilities associated with the web (Internet). Some of the solutions are:

  • Firewall Security Systems
  • Intrusion Detection Systems
  • Encryption

Firewall Security Systems

Every time a corporation connects its internal computer network to the Internet, it faces potential danger. Because of the Internet's openness, every corporate network connected to it is vulnerable to attack. Hackers on the Internet could break into the corporate network and do harm in a number of ways: steal or damage important data, damage individual computers or the entire network, use the corporate computers' resources, or use the corporate network and resources as a way of posing as a corporate employee. Companies should build firewalls as one means of perimeter security for their networks. The same principle holds true for very sensitive or critical systems that need to be protected from untrusted users inside the corporate network.

A firewall is defined as a device installed at the point where network connections enter a site; it applies rules to control the type of networking traffic flowing in and out. The purpose is to protect the web server by controlling all traffic between the Internet and the web server.

To be effective, a firewall should allow individuals on the corporate network to access the Internet and, at the same time, stop hackers or others on the Internet from gaining access to the corporate network to cause damage. Generally, an organization follows one of two philosophies:

  • Deny-all philosophy -- access to a given resource is denied unless a user can provide a specific business reason or need for access to the information resource.
  • Accept-all philosophy -- everyone is allowed access unless someone can provide a reason for denying access.
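As an added illustration that is not part of the handout, the Go program below models the two philosophies: the same explicit rule list is evaluated under a deny-all default and under an accept-all default, so a connection that no rule mentions is refused under the first and admitted under the second. The rule set, addresses and port numbers are constructed for the example.

```go
package main

import "net/netip"

// Policy is the default applied when no explicit rule matches a connection.
type Policy int

const (
	DenyAll   Policy = iota // deny-all: access needs a stated business reason, i.e. an explicit allow rule
	AcceptAll               // accept-all: everything passes unless a rule gives a reason to deny it
)

// Connection is the part of a packet the rules examine: source address and destination port.
type Connection struct {
	Src     netip.Addr
	DstPort uint16
}

// Rule matches a source prefix and a destination port (0 means any port) and records why it exists.
type Rule struct {
	Src    netip.Prefix
	Port   uint16
	Allow  bool
	Reason string
}

// Firewall applies its rules in order; the first match wins, otherwise the default policy decides.
type Firewall struct {
	Default Policy
	Rules   []Rule
}

func (f Firewall) Decide(c Connection) (allowed bool, reason string) {
	for _, r := range f.Rules {
		if r.Src.Contains(c.Src) && (r.Port == 0 || r.Port == c.DstPort) {
			return r.Allow, r.Reason
		}
	}
	if f.Default == DenyAll {
		return false, "default deny: no rule grants this access"
	}
	return true, "default accept: no rule denies this access"
}

// Constructed rule set. Explicit denials come first because the first match wins;
// the public web service is then open to anyone, and one partner prefix may use SSH.
var rules = []Rule{
	{Src: netip.MustParsePrefix("192.0.2.0/24"), Port: 0, Allow: false, Reason: "range blocked by policy"},
	{Src: netip.MustParsePrefix("0.0.0.0/0"), Port: 443, Allow: true, Reason: "public web server"},
	{Src: netip.MustParsePrefix("203.0.113.0/24"), Port: 22, Allow: true, Reason: "partner file transfer"},
}
```

Under accept-all, every service nobody thought to list stays reachable; under deny-all, each opening has a documented reason attached to it.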

System reports may also be generated to see who attempted to attack the system and tried to get through the firewall from remote locations.

Firewalls are hardware and software combinations that are built using routers, servers and a variety of software. They should control the most vulnerable point between a corporate network and the Internet, and they can be as simple or as complex as the corporate security policy demands. There are many types of firewalls, but most enable an organization to:

  • Block access to particular sites on the Internet.
  • Limit traffic on an organization's public services segment to relevant addresses.
  • Prevent certain users from accessing certain servers or services.
  • Monitor communications between an internal and an external network.
  • Monitor and record all communications between the internal network and the outside world to investigate network penetrations or detect internal subversion.
  • Encrypt packets of data that are sent between different physical locations within an organization by creating a VPN over the Internet.

Firewalls can encrypt packets that are sent between different physical locations within an organization by creating a VPN over the Internet. The capabilities of some firewalls can be extended so that they also provide protection against viruses and against attacks that try to exploit known operating system vulnerabilities. A server at a remote location can be protected by firewalls and an IDS, further complemented by an IPS (Intrusion Prevention System), which defines the specific ranges of IP addresses that may access the location and the rights they have there.

Intrusion Detection Systems (IDS)

Another element in securing networks is an intrusion detection system (IDS). An IDS is used as a complement to firewalls. It works in conjunction with routers and firewalls by monitoring network usage for anomalies, and it protects a company's information systems resources from external as well as internal misuse.

Types of IDS include:

  • Signature-based: These IDS systems protect against detected intrusion patterns. The intrusive patterns they can identify are stored in the form of signatures.
  • Statistical-based: These systems need a comprehensive definition of the known and expected behaviour of systems.
  • Neural networks: An IDS with this feature monitors the general patterns of activity and traffic on the network and creates a database.

Signature-based IDSs will not be able to detect all types of intrusions, because of the limitations of the detection rules. On the other hand, statistical-based systems may report many events that fall outside the defined normal activity but are in fact normal activities on the network. A combination of signature-based and statistical-based models provides better protection. An IDS is used as part of the network; it may take the form of hardware and software, or software alone may be installed on the server. An IDS is usually located between the firewall and the corporate network and works in complement with the firewall; however, it can also be installed in front of the firewall. An IDS helps to detect both on-site unauthorized access, through a network-based IDS, and remote unauthorized access, through a host-based IDS. Biometrics may also be used, but biometrics helps to prevent only on-site illegal access. A log can be maintained in an IDS to detect and observe attempted intrusions as well as successful ones. An IDS is concerned mainly with recording and detecting intrusions. For blocking intrusions, another system called an Intrusion Prevention System (IPS) is used, which takes input from the IDS. The IDS reports the IP addresses that are attacking the organizational network.

Components of an IDS

An IDS comprises the following components:

  • Sensors that are responsible for collecting data. The data can be in the form of network packets, log files, system call traces, etc.
  • Analyzers that receive input from sensors and determine intrusive activity.
  • An administrative console, which contains the intrusion definitions applied by the analyzers.
  • A user interface.

Host-based IDS

A HIDS resides on a particular computer and provides protection for that specific computer system. It is not only equipped with system monitoring facilities but also includes other modules of a typical IDS, for example the response module. A HIDS can work in various forms:

  1. Systems that monitor incoming connection attempts. These examine host-based incoming and outgoing network connections. They are particularly concerned with unauthorized connection attempts to the protocols used for network communication, such as
    • TCP (Transmission Control Protocol) or
    • UDP (User Datagram Protocol) ports, and can also detect incoming port scans.
  2. Systems that examine network traffic that attempts to access the host. These systems protect the host by intercepting suspicious packets and scanning them to discourage intrusion.
    • Network traffic – data travels in the form of packets on a network.
    • Packet – a specific amount of data sent at a time.

Network Based IDS

The network-based type of IDS (NIDS) produces data about local network usage. A NIDS reassembles and analyzes all network packets that reach the network interface card. For example, while monitoring traffic, NIDSs may capture all packets that they see on the network segment without analyzing them, focusing only on creating network traffic statistics. A honeynet does not allow the intruder to access actual data but leaves the intruder in a controlled environment which is constantly monitored; the monitoring provides information about the intruder's approach.

Features of IDS

The features available in an IDS include:

  • Intrusion detection
  • Gathering evidence on intrusive activity
  • Automated response (i.e. termination of connection, alarm messaging)
  • Security policy
  • Interface with system tools
  • Security policy management

Limitations of IDS

An IDS cannot help with the following weaknesses:

  • Incorrectness or scope limitations in the way threats are defined
  • Application-level vulnerabilities
  • Backdoors into applications
  • Weaknesses in identification and authentication schemes

Web Server Logs

The major purpose of enhancing web security is to protect the Web server from attacks made over the Internet. In doing so, logging is the principal component of secure administration of a Web server. Logging the appropriate data and then monitoring and analyzing those logs are critical activities. Review of Web server logs is effective, particularly for encrypted traffic, where network monitoring is far less effective. Reviewing logs is a mundane activity that many Web administrators have a difficult time fitting into their hectic schedules. This is unfortunate, as log files are often the best and/or only record of suspicious behavior. Failure to enable the mechanisms that record this information, and to use them to trigger alerts, will greatly weaken or eliminate the ability to detect and assess intrusion attempts.

Similar problems can result if necessary procedures and tools are not in place to process and analyze the log files. System and network logs can alert the Web administrator that a suspicious event has occurred and requires further investigation. Web server software can provide additional log data relevant to Web-specific events. If the Web administrator does not take advantage of these capabilities, Web-relevant log data may not be visible or may require a significant effort to access.
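As an added example that is not part of the handout, the Go program below applies the two IDS models described earlier (signature-based and statistical-based) to constructed Web server access-log lines: a stored pattern catches a known intrusive request, while a per-client count of not-found responses above a baseline catches probing that matches no signature, which is the combination the IDS section recommends. The log lines, addresses and the baseline value are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed access-log lines in Common Log Format (not taken from any real server).
const sampleLog = `10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /static/../../private.cfg HTTP/1.1" 403 0
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /a HTTP/1.1" 404 0
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /b HTTP/1.1" 404 0
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /c HTTP/1.1" 404 0
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /d HTTP/1.1" 404 0`
type entry struct{ client, path, status string } // one parsed request record
var logLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})`)
// parseLog turns raw lines into entries, skipping any line that is not well formed.
func parseLog(raw string) []entry {
	var out []entry
	for _, line := range strings.Split(raw, "\n") {
		if m := logLine.FindStringSubmatch(line); m != nil {
			out = append(out, entry{client: m[1], path: m[2], status: m[3]})
		}
	}
	return out
}
// Signature model: a stored pattern for one known intrusive request (directory traversal).
var traversal = regexp.MustCompile(`\.\./`)
// Statistical model: more not-found responses from one client than normal browsing produces.
const notFoundBaseline = 3
// detect applies both models; the result holds one alert per client per rule that fired.
func detect(entries []entry) map[string][]string {
	alerts := map[string][]string{}
	notFound := map[string]int{}
	for _, e := range entries {
		if traversal.MatchString(e.path) {
			alerts[e.client] = append(alerts[e.client], "signature: directory traversal in "+e.path)
		}
		if e.status == "404" {
			notFound[e.client]++
		}
	}
	for client, n := range notFound {
		if n > notFoundBaseline {
			alerts[client] = append(alerts[client], fmt.Sprintf("statistical: %d not-found responses", n))
		}
	}
	return alerts
}
```

The normal client produces no alert; the probing client is caught only by the statistical rule, which is why the text recommends running both models together.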

Web Trust

Under the WebTrust approach, a WebTrust Seal of assurance is placed on the site to show potential customers that a CPA or CA (chartered accountant) has evaluated the website's business practices and controls. The purpose is to determine whether they conform to the WebTrust Principles. The WebTrust Principles and Criteria are intended to address user needs and concerns and are designed to benefit users and providers of electronic commerce services. Input from users is not only welcome but essential to ensure that these principles and their supporting criteria are kept up to date and remain responsive to marketplace needs. The WebTrust principles broadly cover the following aspects:

  1. Business practices disclosure – the entity discloses how it does business in its electronic commerce.
  2. Transaction integrity – the website operator maintains effective controls and practices to ensure that customers' orders placed using electronic commerce are completed and billed as agreed.
  3. Information protection – the entity maintains effective controls and practices to ensure that private customer information is protected from uses not related to the entity's business.

Web Security audits

Going online exposes an entity to more hazards than otherwise. This requires the implementation of effective controls and checks to secure both the company's online data from undesired manipulation and the customers' information and orders. The organization may hire an audit firm to offer these services and check the integrity of the website. Web audits help in gaining a web rating, which enhances credibility. There are different levels of audits, tailored to the client's needs and budget. Among the issues an audit firm can carefully review on a site, resulting in a detailed report with recommendations, are:

  • performance, page load time
  • graphics optimization
  • navigation usability, consistency
  • browser compatibility
  • content formatting consistency
  • accessibility compliance with ADA guidelines and Section 508 Standards
  • broken links
  • page errors, script errors
  • search engine ranking
  • interface layout

Digital Certificates

  • Digital certificates, the digital equivalent of an ID card and also called "digital IDs", are issued by a trusted third party known as a "certification authority" (CA), such as VeriSign and Thawte.
  • For example, CBR requires a NIFT class 2 digital certificate in order to facilitate filing returns electronically.
  • NIFT itself is an affiliate of VeriSign Inc., working as a certification authority in Pakistan.
  • The certificate is valid for one year.
  • The certificate is attached to the email every time a message is sent to a recipient.
  • The CA verifies that a public key belongs to a specific company or individual (the "subject"); the validation process it goes through to determine whether the subject is who it claims to be depends on the level of certification and on the CA itself.

The process of verifying the "signed certificate" is done by the recipient's software, which is typically the web browser. The browser maintains an internal list of popular CAs and their public keys and uses the appropriate public key to decrypt the signature back into the digest. It then recomputes its own digest from the plain text in the certificate and compares the two. If both digests match, the integrity of the certificate is verified. Companies like VeriSign and Thawte provide a variety of security and telecom services, such as digital certificates.
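The recipient-side check described above, as an added example in Go that is neither the handout's nor any CA's code: a constructed root CA issues a one-year certificate for a site, and signatureHolds performs the digest comparison with the CA's public key (the standard library's CheckSignature recovers the digest from the signature and recomputes it over the certificate body), including the case where the body was altered after signing. The CA name, site name and key sizes are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues the certificate described by tmpl under the signer's key; for a self-signed root, parent is tmpl itself.
func sign(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced a moment ago by CreateCertificate parses cleanly
	return cert
}

// buildChain creates a constructed root CA (standing in for a commercial CA) and a
// subject certificate for site, valid for one year and signed with the CA's key.
func buildChain(site string) (root, leaf *x509.Certificate) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)   // the CA's signing key
	siteKey, _ := rsa.GenerateKey(rand.Reader, 2048) // the subject's own key pair
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(5, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root = sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leaf = sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: site}, DNSNames: []string{site},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, &siteKey.PublicKey, caKey)
	return root, leaf
}

// signatureHolds is the recipient-side step from the text: the CA's public key recovers
// the digest from the signature, a fresh digest is computed over the certificate body,
// and the two must match. With tamper set, one byte of the body is flipped first, so they differ.
func signatureHolds(leaf, root *x509.Certificate, tamper bool) bool {
	body := append([]byte(nil), leaf.RawTBSCertificate...) // work on a copy so leaf stays intact
	if tamper {
		body[len(body)/2] ^= 0x01
	}
	return root.CheckSignature(leaf.SignatureAlgorithm, body, leaf.Signature) == nil
}
```

Checking the same signature against the subject's own public key instead of the CA's also fails, which is why the browser must pick the right entry from its list of CA keys.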