Information Systems

Lesson#40

Factors Encouraging Internet Attacks

Internet attacks, both passive and active, occur for a number of reasons. One is the availability
of tools and techniques on the Internet, or as commercial software, that an intruder can download
easily: for example, network scanners for port scanning and various password-cracking programs
are available free or at minimal cost. Another is the lack of security awareness and training among
an organization's employees. No matter how carefully a system is hardened by removing every
known vulnerability, weaknesses may still exist and the system can be intruded upon at any given
time. Inadequate security over firewalls and operating systems may allow intruders to view internal
addresses and use network services indiscriminately.

40.1 Internet Security Controls
Information Systems can be secured against the threats discussed in the previous lessons. No
single control caters for all the risks associated with the web (Internet); several controls are
combined. Some of the solutions are:
Firewall Security Systems
Intrusion Detection Systems
Encryption

40.2 Firewall Security Systems
Every time a corporation connects its internal computer network to the Internet, it faces potential
danger. Because of the Internet's openness, every corporate network connected to it is vulnerable
to attack. Hackers on the Internet could break into the corporate network and do harm in a
number of ways: steal or damage important data, damage individual computers or the entire
network, use the corporate computers' resources, or use the corporate network and resources as a
way of posing as a corporate employee. Companies should build firewalls as one means of
perimeter security for their networks. Likewise, the same principle holds true for very sensitive or
critical systems that need to be protected from untrusted users inside the corporate network.
A firewall is defined as a device installed at the point where network connections enter a site; it
applies rules to control the type of network traffic flowing in and out. Its purpose is to protect
the Web server by controlling all traffic between the Internet and the Web server.
To be effective, a firewall should allow individuals on the corporate network to access the Internet
and, at the same time, stop hackers or others on the Internet from gaining access to the corporate
network to cause damage. Generally, an organization follows one of two philosophies:

Deny-all philosophy -- access to a given resource is denied unless a user can provide a
specific business reason or need for access to the information resource.

Accept-all philosophy -- everyone is allowed access unless someone can provide a reason
for denying access.
System reports may also be generated to see who attempted to attack the system and tried to
enter through the firewall from remote locations.
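The difference between the two philosophies is easiest to see in a packet filter: the rules decide the traffic someone has justified, and the default policy decides everything else. The following is an added example, not code from the lecture; the addresses, ports and rules are constructed for illustration, and the tiny first-match filter stands in for a real firewall engine.

```python
# Added example (not from the lecture): a first-match packet filter that shows
# how one rule list behaves under the deny-all and accept-all philosophies.
# Addresses, ports and rules below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination TCP/UDP port


@dataclass(frozen=True)
class Rule:
    src: str               # CIDR block the source must fall in
    dst: str               # CIDR block the destination must fall in
    dport: Optional[int]   # None matches any port
    action: str            # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


def filter_packet(rules: List[Rule], p: Packet, default: str) -> str:
    """The first matching rule decides; if no rule mentions the packet,
    the default policy (the organization's philosophy) decides."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


# Rules that someone has written a business justification for (constructed):
# the internal LAN 192.0.2.0/24 may reach the public web server on port 443,
# and telnet (port 23) into the LAN is refused from anywhere.
RULES = [
    Rule("192.0.2.0/24", "203.0.113.10/32", 443, "allow"),
    Rule("0.0.0.0/0", "192.0.2.0/24", 23, "deny"),
]

PHILOSOPHY_DEFAULT = {"deny-all": "deny", "accept-all": "allow"}


def decide(p: Packet, philosophy: str) -> str:
    """Apply RULES under the named philosophy and return 'allow' or 'deny'."""
    return filter_packet(RULES, p, PHILOSOPHY_DEFAULT[philosophy])


if __name__ == "__main__":
    # A connection no rule mentions (remote desktop into the LAN from the
    # Internet): only the philosophy decides its fate.
    unlisted = Packet("198.51.100.7", "192.0.2.5", 3389)
    for philosophy in PHILOSOPHY_DEFAULT:
        print(f"{philosophy:10s} -> {decide(unlisted, philosophy)}")
```

The justified traffic is handled identically under both philosophies; the packet that nobody wrote a rule for is refused under deny-all and let through under accept-all, which is why the deny-all philosophy is the safer default for a perimeter firewall.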
Firewalls are hardware and software combinations that are built using routers, servers and a variety
of software. They should control the most vulnerable point between a corporate network and the
Internet, and they can be as simple or as complex as the corporate security policy demands. There
are many types of firewalls, but most enable an organization to:
Block access to particular sites on the Internet.
Limit traffic on an organization's public services segment to relevant addresses.
Prevent certain users from accessing certain servers or services.
Monitor communications between an internal and an external network.
Monitor and record all communications between an internal network and the outside world to
investigate network penetrations or detect internal subversion.
Encrypt packets of data that are sent between different physical locations within an
organization by creating a VPN over the Internet.
The capabilities of some firewalls can be extended so that they also provide protection against
viruses and against attacks directed at exploiting known operating system vulnerabilities. A server
at a remote location can be protected by firewalls and an IDS, further complemented by an IPS
(Intrusion Prevention System) that defines the specific ranges of IP addresses that may access the
location, together with their rights.

40.3 Intrusion Detection Systems (IDS)
Another element in securing networks is an intrusion detection system (IDS). An IDS is used to
complement firewalls. It works in conjunction with routers and firewalls by monitoring network
usage for anomalies, and protects a company's information systems resources from external as
well as internal misuse.

Types of IDS include:
Signature-based: These IDS systems protect against detected intrusion patterns. The
intrusive patterns they can identify are stored in the form of signatures.
Statistical-based: These systems need a comprehensive definition of the known and
expected behaviour of systems.
Neural networks: An IDS with this feature monitors the general patterns of activity and
traffic on the network and creates a database.
Signature-based IDSs cannot detect all types of intrusions, due to the limitations of their
detection rules. On the other hand, statistical-based systems may report many events that fall
outside the defined normal activity but are in fact normal activities on the network. A combination
of signature- and statistical-based models provides better protection. An IDS is used as part of the
network. It may take the form of hardware and software, or software alone may be installed on
the server. An IDS is located between the firewall and the corporate network and works in
complement with the firewall; however, it can also be installed in front of the firewall. An IDS
helps to detect both on-site unauthorized access, through a network-based IDS, and remote
unauthorized access, through a host-based IDS. Biometrics may also be used; however, biometrics
helps to prevent only on-site illegal access. A log can be maintained in an IDS to detect and observe
attempted intrusions as well as successful ones. An IDS is concerned mainly with recording and
detecting intrusions. For blocking intrusions, another system called an Intrusion Prevention System
(IPS) is used, which takes input from the IDS: the IDS reports the IP addresses that are attacking
the organizational network.
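The trade-off between the two models is concrete when both are run over the same traffic. The following is an added example, not code from the lecture: a toy IDS with a signature model and a statistical model, run over constructed connection-log lines. The log format, the signatures and the "distinct destination ports per source" measure used for the baseline are all assumptions made for this illustration.

```python
# Added example (not from the lecture): a toy hybrid IDS that runs a
# signature model and a statistical model over constructed connection-log
# lines and shows what each model catches and misses.
import re
import statistics
from collections import defaultdict
from typing import Dict, Iterator, List, Tuple

# Signature model: stored patterns of known intrusive requests.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "shell-reference": re.compile(r"/bin/sh"),
}

# Constructed baseline window of normal traffic, used to define expected
# behaviour for the statistical model. Format: "<time> <src_ip> <dst_port> <summary>".
BASELINE = """\
09:00:01 192.0.2.10 80 GET /index.html
09:00:02 192.0.2.11 80 GET /about.html
09:00:03 192.0.2.11 443 TLS handshake
09:00:04 192.0.2.12 80 GET /news.html
09:00:05 192.0.2.13 80 GET /index.html
09:00:06 192.0.2.13 443 TLS handshake
09:00:07 192.0.2.14 80 GET /index.html
"""

# Constructed monitored window: one known-bad request, one legitimate host
# using three services, and one source sweeping five ports.
WINDOW = """\
10:00:01 192.0.2.10 80 GET /index.html
10:00:02 192.0.2.10 80 GET /../../private/config.ini
10:00:03 192.0.2.15 80 GET /index.html
10:00:03 192.0.2.15 443 TLS handshake
10:00:03 192.0.2.15 8080 GET /status
10:00:05 198.51.100.7 21 connect
10:00:05 198.51.100.7 22 connect
10:00:05 198.51.100.7 23 connect
10:00:05 198.51.100.7 25 connect
10:00:05 198.51.100.7 80 connect
"""

Alert = Tuple[str, str]   # (source IP, alert name)


def parse(log: str) -> Iterator[Tuple[str, str, int, str]]:
    for line in log.splitlines():
        ts, src, port, summary = line.split(" ", 3)
        yield ts, src, int(port), summary


def signature_alerts(log: str) -> List[Alert]:
    """Signature model: only what a stored pattern describes is detected."""
    alerts = []
    for _, src, _, summary in parse(log):
        for name, pattern in SIGNATURES.items():
            if pattern.search(summary):
                alerts.append((src, name))
    return alerts


def distinct_ports(log: str) -> Dict[str, int]:
    seen = defaultdict(set)
    for _, src, port, _ in parse(log):
        seen[src].add(port)
    return {src: len(ports) for src, ports in seen.items()}


def statistical_alerts(baseline: str, log: str, k: float = 3.0) -> List[Alert]:
    """Statistical model: flag sources whose number of distinct destination
    ports lies more than k standard deviations above the baseline mean."""
    counts = list(distinct_ports(baseline).values())
    threshold = statistics.mean(counts) + k * statistics.pstdev(counts)
    return [(src, "port-count-anomaly")
            for src, n in distinct_ports(log).items() if n > threshold]


def hybrid_alerts(baseline: str, log: str) -> List[Alert]:
    """Combination of both models: the union of their alerts."""
    return sorted(set(signature_alerts(log)) | set(statistical_alerts(baseline, log)))


if __name__ == "__main__":
    print("signature  :", signature_alerts(WINDOW))
    print("statistical:", statistical_alerts(BASELINE, WINDOW))
    print("hybrid     :", hybrid_alerts(BASELINE, WINDOW))
```

On this data the signature model catches the traversal request but has no rule for the port sweep, while the statistical model catches the sweep but also flags the legitimate host 192.0.2.15 simply because three services is unusual against the baseline. That is exactly the limitation and the false-positive behaviour the text describes, and the union of both is what the combined model offers.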

40.4 Components of an IDS
An IDS comprises the following components:
Sensors, which are responsible for collecting data. The data can be in the form of network
packets, log files, system call traces, etc.
Analyzers, which receive input from the sensors and determine intrusive activity.
An administrative console, which contains the intrusion definitions applied by the analyzers.
A user interface.

Host-based IDS
A HIDS resides on a particular computer and provides protection for that specific computer
system. It is not only equipped with system monitoring facilities but also includes the other
modules of a typical IDS, for example the response module. A HIDS can work in various forms:

1. Systems that monitor incoming connection attempts. These examine host-based incoming
and outgoing network connections, particularly unauthorized connection attempts to the
protocols used for network communication, such as
TCP (Transmission Control Protocol) or
UDP (User Datagram Protocol) ports, and can also detect incoming port scans.

2. Systems that examine network traffic that attempts to access the host. These systems
protect the host by intercepting suspicious packets and scanning them to discourage
intrusion.
Network traffic – data travels in the form of packets on a network
Packet – a specific amount of data sent at a time

Network Based IDS
The network-based type of IDS (NIDS) produces data about local network usage. A NIDS
reassembles and analyzes all network packets that reach its network interface card. For example,
while monitoring traffic, a NIDS may capture all packets that it sees on the network segment
without analyzing their content, focusing only on creating network traffic statistics. A honeynet
does not allow the intruder to access actual data but leaves the intruder in a controlled
environment which is constantly monitored; the monitoring provides information regarding the
intruder's approach.

Features of IDS
The features available in an IDS include:
Intrusion detection
Gathering evidence on intrusive activity
Automated response (i.e. termination of connection, alarm messaging)
Security policy
Interface with system tools
Security policy management

Limitations of IDS
An IDS cannot help with the following weaknesses:
Incorrectness or scope limitation in the manner in which threats are defined
Application-level vulnerabilities
Backdoors into applications
Weaknesses in identification and authentication schemes

40.5 Web Server Logs
The major purpose of enhancing web security is to protect the web server from attacks that come
through the Internet. Logging is the principal component of secure administration of a Web
server. Logging the appropriate data and then monitoring and analyzing those logs are critical
activities. Review of Web server logs is effective, particularly for encrypted traffic, where network
monitoring is far less effective. Log review is a mundane activity that many Web administrators
have a difficult time fitting into their hectic schedules. This is unfortunate, as log files are often the
best and/or only record of suspicious behavior. Failure to enable the mechanisms that record this
information, and to use them to initiate alerts, will greatly weaken or eliminate the ability to
detect and assess intrusion attempts.
Similar problems can result if the necessary procedures and tools are not in place to process and
analyze the log files. System and network logs can alert the Web administrator that a suspicious
event has occurred and requires further investigation. Web server software can provide additional
log data relevant to Web-specific events. If the Web administrator does not take advantage of these
capabilities, Web-relevant log data may not be visible or may require significant effort to access.
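A small review tool is often what makes the "mundane" log review fit into a schedule. The following is an added example, not code from the lecture: it parses access-log lines in the widely used "combined" format and reports the two kinds of entries an administrator would want to see first. The log lines are constructed, the host names are placeholders, and the threshold of three "not found" responses is an assumption chosen for the sample.

```python
# Added example (not from the lecture): parse Web server access-log lines in
# the common "combined" format and pull out the entries an administrator
# should look at first. The log lines are constructed, not from a real server.
import re
from collections import Counter
from typing import Dict, List, Tuple

# One "combined" log line: client, identity, user, [timestamp], "request",
# status, size, "referer", "user agent".
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /admin HTTP/1.1" 404 208 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /old HTTP/1.1" 404 208 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:55:42 +0000] "GET /test HTTP/1.1" 404 208 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:55:43 +0000] "GET /backup HTTP/1.1" 404 208 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:55:44 +0000] "GET /../../private/notes.txt HTTP/1.1" 400 0 "-" "curl/7.88"
192.0.2.11 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 302 0 "https://shop.example.test/" "Mozilla/5.0"
192.0.2.11 - - [10/Oct/2023:13:56:05 +0000] "GET /missing.png HTTP/1.1" 404 208 "https://shop.example.test/" "Mozilla/5.0"
this line is not in combined format and is skipped
"""


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse every well-formed line; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def review(records, not_found_threshold: int = 3) -> List[Tuple[str, str]]:
    """Findings worth an administrator's attention: clients that trigger many
    'not found' responses (probing for hidden resources) and requests whose
    path tries to step outside the document root."""
    findings = []
    not_found = Counter(r["ip"] for r in records if r["status"] == 404)
    for ip, n in not_found.items():
        if n >= not_found_threshold:
            findings.append((ip, f"{n} not-found responses in the window"))
    for r in records:
        if "../" in r["path"]:
            findings.append((r["ip"], f"path traversal in request: {r['path']}"))
    return findings


if __name__ == "__main__":
    for ip, note in review(parse_log(SAMPLE_LOG)):
        print(f"{ip:15s} {note}")
```

The single 404 from 192.0.2.11 (a missing image behind a normal referer) stays below the threshold and is not reported, while the client that walks through several non-existent paths and then tries a traversal is surfaced twice. Because the web server logs the request after TLS is terminated, this kind of review still works for encrypted traffic that a network monitor cannot read.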

Web Trust
Under the WebTrust approach, a WebTrust Seal of assurance is placed on the site to show potential
customers that a CPA or CA has evaluated the website's business practices and controls. The
purpose is to determine whether they conform to the WebTrust Principles. The WebTrust
Principles and Criteria are intended to address user needs and concerns and are designed to benefit
users and providers of electronic commerce services. Your input is not only welcome, it is
essential to help ensure that these principles and their supporting criteria are kept up to date and
remain responsive to marketplace needs. The WebTrust principles broadly cover the following aspects:
1. Business practices disclosures – the entity discloses its electronic commerce business
practices.
2. Transaction integrity – the website operator maintains effective controls and practices to
ensure that customers' orders placed using electronic commerce are completed and billed as
agreed.
3. Information protection – the entity maintains effective controls and practices to ensure that
private customer information is protected from uses not related to the entity's business.

40.6 Web Security audits
Going online exposes an entity to more hazards than otherwise. This requires the implementation
of effective controls and checks to secure both the company's online data from undesired
manipulation, and the customer's information and orders. The organization may hire an audit firm
to offer these services and check the integrity of the website. Web audits help in gaining a web
rating, which enhances credibility. There are different levels of audits, tailored to your needs and
your budget. Among the issues that can be carefully reviewed on your site, resulting in a detailed
report with recommendations, are:
performance, page load time
graphics optimization
navigation usability, consistency
browser compatibility
content formatting consistency
accessibility compliance with ADA guidelines and Section 508 Standards
broken links
page errors, script errors
search engine ranking
interface layout

40.7 Digital Certificates
Digital certificates, the digital equivalent of an ID card (also called "digital IDs"), are issued
by a trusted third party known as a "certification authority" (CA), such as VeriSign and
Thawte.
For example, CBR requires a NIFT class 2 digital certificate in order to facilitate filing
returns electronically.
NIFT itself is an affiliate of VeriSign Inc. working as a certification authority in Pakistan.
The certificate is valid for one year.
The certificate is attached to the email every time a message is sent to a recipient.
The CA verifies that a public key belongs to a specific company or individual (the
"subject"); the validation process it goes through to determine whether the subject is who it
claims to be depends on the level of certification and on the CA itself.
The process of verifying the "signed certificate" is done by the recipient's software, which is
typically the Web browser. The browser maintains an internal list of popular CAs and their public
keys, and uses the appropriate public key to decrypt the signature back into the digest. It then
recomputes its own digest from the plain text in the certificate and compares the two. If both
digests match, the integrity of the certificate is verified. Companies like VeriSign and Thawte
provide a variety of security and telecom services, including digital certificates.
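The verification steps described above can be followed end to end in a few lines. The following is an added example, not code from the lecture and not how any real CA or browser is implemented: a CA signs the digest of a certificate body with textbook RSA (no padding), and a "browser" that holds a list of trusted CA public keys recovers the digest from the signature, recomputes the digest from the certificate's plain text, and compares. The CA name, the certificate fields and the key are all constructed; the key is built from two Mersenne primes purely to avoid key-generation code, which makes it trivially factorable and unsuitable for anything but this illustration.

```python
# Added example (not from the lecture): the digest-compare step of certificate
# verification, modelled with textbook RSA and a constructed CA.
import hashlib
import json

# Toy RSA key pair for the example CA. The primes are Mersenne primes so no
# key-generation code is needed; this is NOT how real CAs generate keys.
P, Q = (1 << 521) - 1, (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, known only to the CA


def digest(fields: dict) -> int:
    """Canonical serialisation of the certificate body, hashed with SHA-256."""
    data = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def ca_issue(fields: dict, d: int = D, n: int = N) -> dict:
    """The CA signs the digest of the certificate body (textbook RSA, no padding)."""
    return {"body": fields, "signature": pow(digest(fields), d, n)}


# The browser's internal list of trusted CAs and their public keys (constructed).
TRUSTED_CAS = {"Example CA": (E, N)}


def browser_verify(cert: dict) -> bool:
    """Recover the digest from the signature with the issuer's public key,
    recompute the digest from the plain text, and compare the two."""
    issuer = cert["body"].get("issuer")
    if issuer not in TRUSTED_CAS:
        return False           # unknown CA: no public key to check against
    e, n = TRUSTED_CAS[issuer]
    recovered = pow(cert["signature"], e, n)    # "decrypt" the signature
    return recovered == digest(cert["body"])    # recomputed digest must match


# A constructed certificate for a placeholder subject, issued by the example CA.
CERT = ca_issue({
    "subject": "shop.example.test",
    "issuer": "Example CA",
    "valid_for": "1 year",
    "public_key": "<subject public key placeholder>",
})


if __name__ == "__main__":
    print("genuine certificate verifies:", browser_verify(CERT))
    tampered = {"body": dict(CERT["body"], subject="other.example.test"),
                "signature": CERT["signature"]}
    print("edited subject still verifies:", browser_verify(tampered))
```

Changing any field of the certificate body after issuance changes the recomputed digest, so the comparison fails; a certificate whose issuer is not on the browser's list fails before any arithmetic is done. Real certificates use padded signatures, expiry checks and chains of CAs, none of which this toy models.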
