Where hackers hit pay dirt: Web applications provide an easy tool for hackers mining for sensitive data. (Internet).


How do today's hackers get past the army of firewalls and intrusion-detection systems that guard enterprise websites? These days it's often by burrowing into Web applications--software programs that range from simple directory search tools to complex inventory management systems. These programs have their own set of security risks that aren't addressed by traditional Internet security tools.

"Applications contain most of an enterprise's intellectual capital and assets, yet applications have traditionally been ignored in discussions about website security," said Ted DeZabala, a partner in Deloitte & Touche's Security Services Practice.

Some hackers attempt to overtake a website to gain a jumping-off point for attacks against other sites. However, according to Diane Fraiman, vice president of marketing for security vendor Sanctum, "The most fierce and determined attacks are usually carried out by hackers who target the specific site for reasons such as ideology, theft, or revenge."

Protecting Vulnerable Spots

Applications are often linked with a Web-services package that consists of a standardized interface that allows applications, databases, and other programs to share information with each other over the Internet. All this linking of software in cyberspace makes applications easy pickings. "With so much outsourcing, the control of different components of an application is in the hands of many different people. Add to that the multiple interfaces among the applications, and you've provided hackers with many more opportunities to invade your software," explained DeZabala.

Streaming media, conferencing, and instant messaging can be particularly vulnerable. "With many applications you use on your desktop, you think it's just one single application, but underneath it creates a lot of channels for you," said Wei Lu, chief technical officer at Permeo Technologies, which makes Web-security software. "The nature of these channels is very dynamic, but a lot of existing security technologies, whether they're firewalls or VPNs, are static." Lu notes that a software developer would have to know all of a channel's characteristics before he could develop a workable firewall. "Our product supplies an encrypted channel, authenticates the user, and gives them access to specific applications in the network. Without this type of product, you would need separate solutions that are managed independently," he explained.

Other security products designed specifically for Web applications work by examining applications for security holes. When a problem is found in a third-party application, the security software links the user to a patch. If a custom-designed program has a security problem, these products might provide coding instructions to repair it.

There are also firewalls, such as Sanctum's AppScan, that are designed to keep intruders from tampering with data in back-end systems like Web servers. "If you're a financial institution, a person can impersonate a customer by hijacking their portfolio. They'd try to manipulate the Javascript code, which is between the client and the server. Our product detects that some kind of unauthorized manipulation is occurring and stops it," Fraiman explained.

According to security experts, the most secure ebusiness applications are protected on multiple fronts. Authentication and access controls allow only authorized users into secured areas of the website. Once a user has been admitted to a secured area, all user-submitted data is checked on both the server and client side to ensure that the data conforms to certain rules. Session identifiers are protected so that it's difficult for a hacker to steal a user's login information (or, if it's stolen, its use is limited). And finally, user passwords are encrypted, not just during the log-in phase, but also in the backend databases.

User attributes such as IDs and passwords serve as the 'keys' that open the door to today's critical business software. According to Mark McClain, president of Waveset Technologies, a provider of identity management software, "It's critical that enterprises exercise tight control over how these identifiers are managed throughout the user lifecycle--and across complex, highly distributed environments. Integrated identity management tools can provide centralized visibility into--and control over--all access points of an organization. This reduces inherent vulnerabilities and the risk of a malicious attack."

Security as a Design Issue

Security failures can often be traced to an error in the software design process. For example, a website that doesn't encrypt its customer records leaves credit card information in clear view of anyone who knows how to break into the database server. According to DeZabala, "It's critical that protections be designed into the application rather than be left to patch jobs after a security breach is discovered, or, even worse, a worm has already infiltrated the website."

Implementation problems are another common cause of Web application security breaches. Specifically, code that was intended only for the website administrator or developer is left intact after the software is deployed.

According to Fraiman, some software bugs that lead to security holes are indirectly the result of good coding practice. "Developers write a lot of notes in the code so they can go back and understand what they did," she said. "Also, you build in options to make it easier to debug. The debug options often get left on by accident. Hackers can go in and find it and take administrative control. Or, the notes left in can tell a hacker exactly what to do to manipulate the code to change behavior and allow them to embezzle from the site or shut it down."

Waiting until the software is deployed to revise faulty software code is a costly proposition. "This approach often includes a line-by-line code review for security holes, sometimes at a cost of 50 cents per line. In fact, most sites add so much new code every day that they could never hope to keep up by patching or fixing holes manually, making the majority of sites insecure," said Fraiman.

Malicious worms introduced by hackers are expected to continue penetrating vulnerabilities in popular Web servers such as Microsoft's IIS 5.0 server, which has made headlines of late for its security holes. Cross-site scripting (CSS), the act of inserting malicious code into client-side text fields, is also on the rise. "Almost every day a new CSS attack against a major site is discovered," said Fraiman.
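The two defensive points the article makes, re-checking user-submitted data on the server regardless of what the client checked, and keeping text typed into a field from being interpreted as script, are illustrated in the following Python example. It is an added example, not code from the article or from any vendor named in it; the field rules and the sample submissions are constructed (the abbreviation the article uses, CSS, is today written XSS).

```python
import html
import re

# Constructed rules for two form fields: what the server will accept.
# (Added example; not code from the article or from any vendor named in it.)
FIELD_RULES = {
    "display_name": {"max_len": 32, "pattern": re.compile(r"^[A-Za-z0-9 ._-]+$")},
    "comment": {"max_len": 500, "pattern": None},
}


def validate_field(name, value):
    """Server-side check. The client-side check may have been bypassed or
    edited in the browser, so the server re-applies every rule itself."""
    rules = FIELD_RULES.get(name)
    if rules is None:
        return False, "unknown field"
    if not isinstance(value, str) or len(value) > rules["max_len"]:
        return False, "length"
    if rules["pattern"] is not None and not rules["pattern"].match(value):
        return False, "charset"
    return True, ""


def render_field(value):
    """Encode on output: text that was typed into a field is shown as text,
    so markup or script inside it is never executed by another visitor's browser."""
    return html.escape(value, quote=True)


def handle_submission(form):
    """Validate every field; return (accepted, rendered_fields_or_errors)."""
    rendered, errors = {}, {}
    for name, value in form.items():
        ok, reason = validate_field(name, value)
        if ok:
            rendered[name] = render_field(value)
        else:
            errors[name] = reason
    if errors:
        return False, errors
    return True, rendered


if __name__ == "__main__":
    # Constructed submissions: one benign, one carrying markup in a text field.
    print(handle_submission({"display_name": "alice_01", "comment": "Nice site"}))
    print(handle_submission({"display_name": "alice<script>", "comment": "<b>hi</b>"}))
```

A field with a strict character set is rejected outright, while a free-text field is accepted but encoded before it is ever rendered back into a page.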

One option for some companies may be private networks such as extranets, which operate on the Internet but are only accessible to those individuals you choose to let in. While they're not completely hacker-proof, private networks are often preferred over Web-based solutions for companies like financial institutions. According to Lu, many businesspeople don't realize that these private networks aren't part of the Web. "There is a misconception that you either do it through the Web or you can't do it at all," said Lu of the widespread belief that the Web and the Internet are one and the same. "People think moving to the Internet is moving to the Web because they hear about Web-based fulfillment, trading and banking."

For many companies, the most practical remedy for now is to install a proactive application security program in hopes of catching vulnerabilities in the software before the hackers do. Ultimately, the software design community will have to address the security problem at the design stage.

www.deloitte.com

RELATED ARTICLE: Web Security: United It Stands, Divided It Falls

If a hacker broke into your website and infiltrated a database containing your customers' confidential files, how quickly could your IT department discover the security holes, repair them, and verify that all of your other Web applications are secure?

If each division within your organization has its own security administrator, you could be looking at weeks of struggle to patch security leaks and adequately test the remaining applications.

In fact, letting each division establish its own Web application security practices autonomously may have been what created the security vulnerabilities in the first place. With the divisions' security administrators manually implementing changes in their software on the fly, with few if any technical policies and standards to guide them, security holes are inevitable.

To help ward off the risk of being hacked, start by establishing an enterprise-wide set of technical policies and standards that your software developers can use for designing security measures and other aspects of the application's development.

To speed response time in the event that your applications are compromised, make sure your enterprise security function is supported by the appropriate automation to manage the design, integration, administration and monitoring of security throughout the enterprise. This type of shared security service can also improve administrative efficiency and user productivity.

If it sounds like a laborious task to establish a unified security policy throughout your entire enterprise, there are a variety of tools that can help. For example, Ted DeZabala, a partner in Deloitte & Touche's Security Services Practice, explained, "Resource provisioning tools provide the ability to consistently enforce password strength policies across different programs. They also automate activities that are currently manually intensive."

Even software developed with the most stringent standards needs to be rigorously tested. And not just before the application is deployed. "Applications aren't static; they're dynamic. The introduction of any new component can introduce a security weakness," said DeZabala. "Good development methods and processes will only get you so far. You still have the risk that someone will introduce a small change into an application that bypasses the normal development and quality assurance process."

Mark Envani is a partner-in-charge of technology risk management in the telecommunications industry at Deloitte & Touche Enterprise Risk Services, Technology & Communications Group (Dallas).
COPYRIGHT 2002 West World Productions, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2002, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.


Article Details
Author:Envani, Mark
Publication:Computer Technology Review
Article Type:Industry Overview
Date:Nov 1, 2002
Words:1557