Web Security

The Internet was perhaps the most important and dynamic business tool discovered in the twentieth century. The rise of the Internet has allowed businesses to come right into their clients' homes in ways never before imagined, and it has provided businesses with new and efficient ways in which to interact with one another. As a society our dependence on the Internet, as a fast, efficient business tool, is growing. It is no longer enough for us just to be able to pay our bills or go shopping online; we want an Internet that will anticipate our needs and the needs of our clients, an Internet that will let us know when our favorite products or services go on sale, an Internet that will be customized to fit our individual wants and needs. Above all, however, what we as a society demand from the Internet is security. Whether it be online banking or corporate secrets, when we enter information into a computer that is connected to the Internet, we want to know that the information is safe, and that it cannot be accessed by anyone other than the party it was intended for.

Web applications are tools which allow the client or user to interact with a company's web site. Often referred to as the "business logic", web applications allow data to be transferred from the front end (where the user inputs data) to the back end (the database, or wherever the company stores the data). When clients check their bank balances, move money or buy stocks, they are using web applications. When businesses have Internet links set up between different suppliers and producers, they are using web applications. The typical security infrastructure of most businesses today includes firewalls, virtual private networks and intrusion detection systems (IDS). While these are excellent tools, they fail to protect the web application, and it is the web application that is at the greatest risk.
"Attackers don't target the strong points of the network; they go straight for the weakest link, which in many architectures is the Web app itself. Beyond the ever-present threat of Web defacements, unchecked vulnerabilities in Web servers such as Microsoft's IIS, Netscape's iPlanet and the open-source Apache are often exploited as a means of gaining access to higher-value assets inside the private network."
Mike Bobbitt, Information Security, May 2002

A survey published in April 2002 by the Computer Security Institute and the FBI turned up frightening results. Of the over 500 IT security employees that were surveyed (most of whom work for large companies or government offices), 90% stated that their companies had experienced serious security breaches, which included:
· Computer Virus Affliction

Interestingly, 60% of those surveyed claimed that their companies used Intrusion Detection Systems (IDS), and 90% claimed their companies used firewalls and antivirus protection, yet such security breaches still occurred.

Application level attacks can come at an incredible cost to today's businesses, as web based applications can give attackers direct access to a company's entire network. Red Herring Magazine quoted the cost of one type of application level attack (the Code Red Worm) as having caused losses in excess of a billion dollars. The Computer Security Institute and the FBI's survey also identified staggering financial losses. 80% of the over 500 IT security specialists surveyed indicated that their companies had incurred financial losses, with the most expensive being financial fraud, which accounted for average losses of over $4 million. Results of the survey also indicated that 85% of the security breaches consisted of attacks by Internet worms such as the Code Red and Nimda worms, which resulted in an average financial loss of $283,000 per attack.

"The damage can be enormous. Applications such as sophisticated supply-chain and inventory programs, price lists, account-management programs, and even shopping carts are being targeted. Databases that link to Web applications are also vulnerable. Common attacks include E-shoplifting, a process in which hackers change price information in shopping carts. Here's how it works: A hacker puts $100 worth of items in a shopping cart and then saves the Web page to a local hard drive. He or she then modifies the price to $10 and resubmits the page. If the shopping cart is improperly coded, it might not double-check the prices and allow the price change upon resubmission."
By George V. Hulme, Feb. 25, 2002, Information Week

What about my existing firewall?

The majority of firewalls used by businesses today are network firewalls. The job of a network firewall is to shut down any unnecessary network openings while leaving only the essential network paths open. Firewalls do a decent job of stopping all unnecessary inbound traffic; however, things such as email, web browsing etc. are left open, as they are generally deemed essential to most organizations. The passageways that network firewalls leave open for information to flow in and out of the network are referred to as ports. Port 80 (HTTP), which is left open for web application usage, has become the favorite target of attackers.
"Of the more than 10 million security incidents SecurityFocus tracked the first week of February, 64% targeted port 80, which is the application port. About 9% targeted port 139, used for Windows networking and file sharing, and 6% targeted FTP on port 21."
By George V. Hulme, Feb. 25, 2002, Information Week

A hacker using a standard web browser has the ability to slip past your network firewall and gain access to your company's entire IT network! The really scary thing is just how easily hackers can penetrate your network.
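The E-shoplifting description quoted above and the port 80 figures make the same point from two directions: a tampered checkout request is ordinary HTTP, so the network firewall passes it and the application is the only layer that can check it. The following Python illustration is added here and is not code from this white paper or from any product it describes; the catalog, the form bodies, the handler names and the audit log are all constructed for the example. It shows a checkout handler that trusts the price field carried in the form (the "improperly coded" cart) beside one that recomputes the total from the server-side price list and records any mismatch, which goes slightly beyond the quoted text by adding the detection step a defender would want.

```python
"""Price tampering ("E-shoplifting") at the application layer.

Added illustration, not code from the white paper or any product it
describes. The catalog, the form submissions and the handler names are
constructed for this example. The tampered request below is ordinary HTTP
on port 80, indistinguishable to a network firewall or a signature-based
IDS from a legitimate checkout; only the application can detect the
discrepancy, and only by trusting its own prices rather than the form.
"""
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed server-side catalog: the only authoritative source of prices.
CATALOG = {
    "sku-1001": Decimal("100.00"),
    "sku-2002": Decimal("25.50"),
}

AUDIT_LOG = []  # constructed stand-in for the application's audit log


def parse_checkout_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded checkout body.

    Returns {"sku": str, "qty": int, "price": Decimal or None}. The price
    is whatever the client sent; the hardened handler does not rely on it.
    """
    fields = parse_qs(body, keep_blank_values=True)
    sku = fields.get("sku", [""])[0]
    qty = int(fields.get("qty", ["0"])[0])
    price_raw = fields.get("price", [None])[0]
    price = Decimal(price_raw) if price_raw not in (None, "") else None
    return {"sku": sku, "qty": qty, "price": price}


def vulnerable_checkout(body: str) -> Decimal:
    """Trusts the price carried in the client-controlled hidden form field.

    Saving the page, editing the price field and resubmitting (the quoted
    E-shoplifting scenario) changes the amount charged.
    """
    form = parse_checkout_form(body)
    if form["sku"] not in CATALOG or form["price"] is None:
        raise ValueError("unknown sku or missing price")
    return form["price"] * form["qty"]


def hardened_checkout(body: str) -> Decimal:
    """Recomputes the total from the server-side catalog, never the form.

    A client-supplied price that disagrees with the catalog is logged so
    that tampering attempts are visible to the operations team; the charge
    itself is unaffected.
    """
    form = parse_checkout_form(body)
    if form["sku"] not in CATALOG or form["qty"] <= 0:
        raise ValueError("invalid sku or quantity")
    unit = CATALOG[form["sku"]]
    if form["price"] is not None and form["price"] != unit:
        AUDIT_LOG.append(
            f"PRICE_MISMATCH sku={form['sku']} sent={form['price']} catalog={unit}"
        )
    return unit * form["qty"]


# Constructed requests: the legitimate form post and the "saved page,
# edited, resubmitted" variant from the quoted E-shoplifting description.
LEGIT_BODY = "sku=sku-1001&qty=1&price=100.00"
TAMPERED_BODY = "sku=sku-1001&qty=1&price=10.00"

if __name__ == "__main__":
    print("vulnerable, tampered request:", vulnerable_checkout(TAMPERED_BODY))  # 10.00
    print("hardened,   tampered request:", hardened_checkout(TAMPERED_BODY))    # 100.00
    for entry in AUDIT_LOG:
        print("audit:", entry)
```

Both handlers receive byte-for-byte the same kind of request; the difference is purely in where the price comes from. The hardened version also keeps the client's price field in the request only as a signal to log, which is the kind of application-level visibility that neither a port-based firewall rule nor a network IDS signature provides.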
Another challenge faced by network firewalls is that they depend upon predetermined rules and settings, which consequently make them static. Applications, on the other hand, are dynamic, constantly changing and evolving, which means that a network firewall can never truly offer applications the security that they require.

What about our Intrusion Detection System (IDS)?

Intrusion Detection Systems, like network firewalls, are an effective defense against network level attacks. However, when faced with the onslaught of application level attacks, IDS fail to offer adequate protection. IDS are designed to alert companies to attacks against the network, not against the applications themselves. Dependent on a predetermined set of authorized and unauthorized patterns, IDS are considered reactionary, meaning that they will only sound the alarm after the attack (and potential damage) has occurred. Because IDS are so dependent on a database of established patterns, new and emerging threats become an even greater threat until the IDS database is updated.

"Think about this: If organizations are employing a "defense-in-depth" approach to Web security, why are their Web servers still getting hacked? Most e-businesses place their Web servers inside a DMZ, a firewalled buffer zone between the untrusted Internet and trusted private network. Companies may even harden the Web server and monitor inbound packets with a network-based IDS. And yet, their Web site still gets defaced. What gives?"
Mike Bobbitt, Information Security, May 2002

Even with highly skilled programmers there are still security risks!

At the speed with which IT infrastructure constantly evolves, even the best programming techniques are not enough to truly protect organizations from malicious attacks. Programmers developing customized applications face a challenge when it comes to security.
If applications are to be built with minimal security risk, application security must be addressed at each phase of development, which can often be a very time consuming and tedious endeavor. The companies that employ programmers are faced with a quandary. On one hand they want their applications to be secure, but on the other hand they realize their competitors are churning out the latest versions of their new applications. In today's competitive business environment, can you really afford to get left behind? Consequently, what ends up happening more and more often is that quality assurance is left to the end user. The attitude becomes, "If a client finds a problem, as soon as they let us know, we will fix it." What happens if the hacker finds the error first? To further complicate matters, many organizations rely on third-party vendors and their products. During an installation or upgrade of third-party applications, vulnerabilities may be exposed and left unchecked, which may ultimately lead to your entire network's security being compromised.