Web Security: Passive attacks, Active Attacks, Methods to avoid internet attacks

Information System (CS507)
Web Security
The nature of the internet makes it vulnerable to attack. Estimates claim that there are over 300
million computers connected via the Internet. Originally designed to allow for the freest possible
exchange of information, it is widely used today for commercial purposes. This poses significant
security problems for organizations when protecting their information assets. For example,
hackers and virus writers try to attack the Internet and computers connected to the Internet.
Some want to invade others' privacy and attempt to crack into databases of sensitive information
or sniff information as it travels across Internet routes.
The concept of Web
The Internet Protocol is designed solely for the addressing and routing of data packets across a
network. It does not guarantee or provide evidence on the delivery of messages. There is no
verification of an address. The sender will not know if the message reaches its destination at the
time it is required. The receiver does not know if the message came from the address specified as
the return address in the packet. Other protocols correct some of these drawbacks.
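Because the Internet Protocol never verifies the return address, a perimeter device has to judge for itself whether a packet's claimed source is plausible for the interface it arrived on. The following is an added example, not part of the course notes, showing that decision in Python (the classic ingress and egress filtering rule). The internal address ranges and the interface names are assumptions constructed for the illustration.

```python
import ipaddress

# Assumed network layout, constructed for this example: the organization's
# internal address ranges. Packets arrive on one of two interfaces.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Source addresses that can never legitimately arrive from the Internet:
# our own ranges plus loopback, "this network" and link-local space.
NEVER_FROM_INTERNET = INTERNAL_NETS + [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def _in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in nets)


def filter_verdict(src_ip, interface):
    """Return 'accept' or a 'drop: ...' reason for a packet's claimed source.

    interface is 'external' (the packet came in from the Internet) or
    'internal' (the packet is leaving the organization's own network).
    The verdict looks only at the address field, which is all IP gives us.
    """
    src = ipaddress.ip_address(src_ip)
    if interface == "external":
        # Ingress filtering: nobody on the Internet is allowed to claim to be us.
        if _in_any(src, NEVER_FROM_INTERNET):
            return "drop: internal or reserved source arriving from the Internet"
        return "accept"
    if interface == "internal":
        # Egress filtering: nothing leaving our network may claim to be someone else.
        if not _in_any(src, INTERNAL_NETS):
            return "drop: outbound packet with a source address that is not ours"
        return "accept"
    raise ValueError(f"unknown interface {interface!r}")


if __name__ == "__main__":
    # Constructed sample packets (documentation address ranges only)
    for src, iface in [("10.1.2.3", "external"), ("203.0.113.9", "external"),
                       ("203.0.113.9", "internal"), ("192.168.5.5", "internal")]:
        print(f"{src:>14} on {iface:<8} -> {filter_verdict(src, iface)}")
```

The check does nothing to prove that an accepted packet is genuine; it only discards the claims that are impossible on that interface, which is why higher-layer protocols still have to supply authentication of their own.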
39.1  Web Security Threats
There are two major classes of security threats:
Passive Attacks
Active Attacks
39.2  Passive attacks
This class of network attacks involves probing for network information. These passive attacks can
lead to actual active attacks or intrusions/penetrations into an organization's network. By probing
for network information, the intruder obtains network information that can be used to target a
particular system or set of systems during an actual attack.
Types of Passive attacks
Examples of passive attacks that gather network information include the following:
Network Analysis
Traffic Analysis
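Probing of this kind leaves a trace on the defender's side: one source address touching many ports on one host, or the same port on many hosts, in a short time. The following is an added example, not part of the course notes, that runs a simple reconnaissance detector over a few constructed firewall connection records in Python. The log format, the thresholds and the addresses (all from documentation ranges) are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of perimeter firewall connection records (not real traffic).
# Fields: timestamp, source IP, destination IP, destination port, action
SAMPLE_LOG = """\
2024-01-15T10:00:01 198.51.100.7 192.0.2.10 21 DENY
2024-01-15T10:00:01 198.51.100.7 192.0.2.10 22 DENY
2024-01-15T10:00:02 198.51.100.7 192.0.2.10 23 DENY
2024-01-15T10:00:02 198.51.100.7 192.0.2.10 25 DENY
2024-01-15T10:00:03 198.51.100.7 192.0.2.10 80 ALLOW
2024-01-15T10:00:03 198.51.100.7 192.0.2.10 443 ALLOW
2024-01-15T10:00:05 203.0.113.5 192.0.2.10 443 ALLOW
2024-01-15T10:00:10 198.51.100.9 192.0.2.1 445 DENY
2024-01-15T10:00:11 198.51.100.9 192.0.2.2 445 DENY
2024-01-15T10:00:12 198.51.100.9 192.0.2.3 445 DENY
2024-01-15T10:00:13 198.51.100.9 192.0.2.4 445 DENY
2024-01-15T10:00:14 198.51.100.9 192.0.2.5 445 DENY
2024-01-15T10:00:40 203.0.113.5 192.0.2.10 443 ALLOW
"""


def parse_log(text):
    """Turn the whitespace-separated records into (time, src, dst, port, action) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port), action))
    return records


def detect_probing(records, window=timedelta(seconds=60),
                   port_threshold=5, host_threshold=4):
    """Flag sources whose connection attempts look like reconnaissance.

    'port scan of <host>': one source touches >= port_threshold distinct ports
    on one destination within `window` (probing a single system).
    'host sweep': one source touches >= host_threshold distinct destinations
    within `window` (mapping the network).
    Returns {source_ip: set_of_findings}; quiet sources do not appear.
    """
    by_src = defaultdict(list)
    for rec in sorted(records):           # chronological order per source
        by_src[rec[1]].append(rec)

    findings = defaultdict(set)
    for src, events in by_src.items():
        for i, event in enumerate(events):
            # Sliding window ending at this event
            t_start = event[0] - window
            recent = [e for e in events[:i + 1] if e[0] >= t_start]
            hosts = {e[2] for e in recent}
            if len(hosts) >= host_threshold:
                findings[src].add("host sweep")
            for host in hosts:
                ports = {e[3] for e in recent if e[2] == host}
                if len(ports) >= port_threshold:
                    findings[src].add(f"port scan of {host}")
    return dict(findings)


if __name__ == "__main__":
    for src, what in detect_probing(parse_log(SAMPLE_LOG)).items():
        print(src, sorted(what))
```

On the sample, 198.51.100.7 is reported for a port scan of 192.0.2.10 and 198.51.100.9 for a host sweep, while 203.0.113.5, which only opened the same web port twice, is not reported at all. Denied attempts count just as much as allowed ones: the probing pattern, not the firewall's answer, is the signal.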
39.3  Active Attacks
Once enough network information has been gathered, the intruder will launch an actual attack
against a targeted system to either gain complete control over that system or enough control to
cause certain threats to be realized. This may include obtaining unauthorized access to modify data
or programs, causing a denial of service, escalating privileges, accessing other systems. They affect
the integrity, availability and authentication attributes of network security.
39.4  Types of Active attacks
Common forms of active attack include the following:
Masquerading - involves carrying out unauthorized activity by impersonating a legitimate
user of the system.
Piggybacking - involves intercepting communications between the operating system and
the user and modifying them or substituting new messages.
Spoofing - A penetrator fools users into thinking they are interacting with the operating
system. He duplicates the logon procedure and captures the password.
Backdoors/trapdoors - allow a user to employ the facilities of the operating system
without being subject to the normal controls.
Trojan Horse - Users execute a program written by the penetrator. The program
undertakes unauthorized activities, e.g. copying sensitive data.
Threat Impact
It is difficult to assess the impact of the attacks described above, but in generic terms the following
types of impact could occur:
Loss of income
Increased cost of recovery (correcting information and re-establishing services)
Increased cost of retrospectively securing systems
Loss of information (critical data, proprietary information, contracts)
Loss of trade secrets
Damage to reputation
Degraded performance in network systems
Legal and regulatory non-compliance
Failure to meet contractual commitments
Methods to avoid internet attacks:
1. Define the problem
The starting point in handling the problem is to know what the problem, or the security threat
requiring management's attention, actually is. Only then can the right people be appointed to
address it. The greatest concern about network attacks is finding the right people to handle daily
network security operations. It is critical to have key people with the right experience and
background. There is no magic bullet: security does not come from buying nice software, putting it
in the budget and installing a nice appliance somewhere. It has to come through people, and they
have to be well trained.
2. Consolidate standards and purchasing power
Internet attacks, as discussed, can come from various sources, and attackers tend to be creative in
identifying new weaknesses in systems. All major threats to which management feels the
information systems are vulnerable should be consolidated. This helps in identifying the standards
and security products that can secure the system against that particular set of internet attacks.
There are instances where organizations end up buying more than one security product to address
the same security threat, thus increasing the investment without increasing protection.
3. Think risks
Network attackers are getting smarter every day. Organizations and people want their data to be
protected, so businesses must operate within a corresponding risk management culture. A
comprehensive risk-based approach, starting from the identification of risks, may be a better solution.
4. Fix configurations
Configuration management is going to be very important. Without configuration standards,
applying software security tools becomes too costly. If a laptop is misconfigured or doesn't have
the right security software, the next step should be to deny network access to that laptop until it
meets the standard. Enforcing safe software configurations is especially critical on mobile devices
that use wireless connections to access agency networks. With good configuration management
practices, agencies can provide centrally managed security and still protect handheld and mobile
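The rule "deny network access until the laptop meets the standard" is a posture check that can be written down and enforced mechanically. The following is an added example, not part of the course notes, showing such a check in Python: a device submits a small posture report, it is compared against a configuration standard, and the outcome is either admission or quarantine with the list of failed items. The report fields, the baseline values and the stricter rule for wireless devices are assumptions constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass
class DeviceReport:
    """Posture report a laptop submits before it is admitted to the network.

    All fields are assumed for this example; a real agent would collect them.
    """
    hostname: str
    disk_encrypted: bool
    firewall_enabled: bool
    av_installed: bool
    av_signature_age_days: int
    patch_build: int          # assumed monotonically increasing OS build number
    screen_lock_minutes: int  # 0 means no automatic screen lock
    wireless: bool            # device is connecting over the wireless network
    vpn_client_installed: bool


# Assumed configuration standard (constructed values for this example).
MIN_PATCH_BUILD = 20240301
MAX_SIGNATURE_AGE_DAYS = 3
MAX_SCREEN_LOCK_MINUTES = 15

# Each rule is (description, predicate that returns True when compliant).
RULES = [
    ("disk encryption enabled", lambda d: d.disk_encrypted),
    ("host firewall enabled", lambda d: d.firewall_enabled),
    ("antivirus installed", lambda d: d.av_installed),
    ("antivirus signatures current",
     lambda d: d.av_installed and d.av_signature_age_days <= MAX_SIGNATURE_AGE_DAYS),
    ("patch level at or above baseline", lambda d: d.patch_build >= MIN_PATCH_BUILD),
    ("screen lock configured",
     lambda d: 0 < d.screen_lock_minutes <= MAX_SCREEN_LOCK_MINUTES),
    # Stricter requirement for devices that come in over wireless, as the text
    # recommends; the specific requirement (a VPN client) is an assumption.
    ("VPN client present for wireless access",
     lambda d: d.vpn_client_installed or not d.wireless),
]


def evaluate(device):
    """Return the descriptions of every rule the device fails, in rule order."""
    return [name for name, check in RULES if not check(device)]


def access_decision(device):
    """Admit a compliant device; otherwise quarantine it with the reasons.

    Returns ('grant', []) or ('quarantine', [failed rule descriptions]).
    """
    failures = evaluate(device)
    if failures:
        return ("quarantine", failures)
    return ("grant", [])


if __name__ == "__main__":
    # Constructed sample devices
    laptop = DeviceReport("lt-002", disk_encrypted=False, firewall_enabled=True,
                          av_installed=True, av_signature_age_days=9,
                          patch_build=20240101, screen_lock_minutes=0,
                          wireless=True, vpn_client_installed=False)
    decision, reasons = access_decision(laptop)
    print(laptop.hostname, decision)
    for reason in reasons:
        print("  -", reason)
```

Keeping the standard as a list of named rules means the quarantine message tells the user exactly what to fix, and adding a new requirement to the standard is one line rather than a change to the admission logic.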
5. Better people mean more secure networks
The shortage of trustworthy people with IT security skills is a chronic problem that is unlikely to
ever disappear. Enough engineers and computer scientists should be trained in computer security
skills; getting people with the right technical background to do the work has been the biggest need
of all.
6. Identify problems early and react fast
The most common approach to computer and network security is to wait for an attack and then go
after it. The organization's management needs to be more proactive with embedded security
services to get ahead of significant threats before they can pull the company off its routine