Web Security-Information Security and Systems-Lecture Notes, Study notes of Information Systems

Information Security and Systems is one of the courses in the Computer Science major. It is connected to database systems, business and security. This lecture handout was provided by Dr. Anjli Gujral at Biyani Girls College. Its main points are: Web, Security, Concept, Protocol, Privacy, Information, Passive, Attacks, Eavesdropping, Traffic

Typology: Study notes

2011/2012

Uploaded on 08/04/2012

shalabh_li43y
LESSON 39 Web Security

The nature of the internet makes it vulnerable to attack. Estimates claim that there are over 300 million computers connected via the Internet. Originally designed to allow for the freest possible exchange of information, it is widely used today for commercial purposes. This poses significant security problems for organizations when protecting their information assets. For example, hackers and virus writers try to attack the Internet and computers connected to the Internet. Some want to invade others’ privacy and attempt to crack into databases of sensitive information or sniff information as it travels across Internet routes.

The concept of Web

The Internet Protocol is designed solely for the addressing and routing of data packets across a network. It does not guarantee or provide evidence on the delivery of messages. There is no verification of an address. The sender will not know if the message reaches its destination at the time it is required. The receiver does not know if the message came from the address specified as the return address in the packet. Other protocols correct some of these drawbacks.
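As an added illustration that is not part of the lecture notes, the following Python builds and parses a minimal IPv4 header: the header checksum only detects corruption in transit and says nothing about whether the source address is genuine, so accepting a packet on the basis of its return address needs a separate check such as an ingress filter on the expected source prefix (all addresses are constructed from the RFC 5737 documentation ranges).

```python
import ipaddress
import struct

# Constructed sample values (RFC 5737 documentation addresses, not real hosts).
TRUSTED_PREFIX = ipaddress.ip_network("192.0.2.0/24")


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header words (RFC 791); 0 means 'verifies'."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64, proto: int = 6) -> bytes:
    """Build a 20-byte IPv4 header; the checksum covers only these bytes, not origin."""
    ver_ihl = (4 << 4) | 5                   # version 4, header length 5 words
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    csum = ipv4_checksum(hdr)                # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(hdr: bytes) -> dict:
    """Parse the fixed header and report whether the checksum verifies."""
    f = struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    return {
        "src": str(ipaddress.ip_address(f[8])),
        "dst": str(ipaddress.ip_address(f[9])),
        "ttl": f[5],
        "checksum_ok": ipv4_checksum(hdr[:20]) == 0,
    }


def ingress_allowed(hdr: bytes, expected_src_prefix: ipaddress.IPv4Network) -> bool:
    """BCP 38-style ingress filter: accept only intact packets whose source lies in the prefix."""
    info = parse_ipv4_header(hdr)
    return info["checksum_ok"] and ipaddress.ip_address(info["src"]) in expected_src_prefix
```

A header with an out-of-prefix source passes the checksum just as well as a genuine one; only the prefix filter separates them, which is the gap the lecture's "no verification of an address" refers to.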

39.1 Web Security Threats

There are two major classes of security threats:

• Passive Attacks

• Active Attacks

39.2 Passive attacks

This class of network attacks involves probing for network information. These passive attacks can lead to actual active attacks or intrusions/penetrations into an organization’s network. By probing for network information, the intruder obtains network information that can be used to target a particular system or set of systems during an actual attack.

Types of Passive attacks

Examples of passive attacks that gather network information include the following:

• Network Analysis

• Eavesdropping

• Traffic Analysis
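Probing for network information usually leaves a trace in firewall logs: one source touching many distinct ports in a short window. The following detector, added here as an illustration and not taken from the lecture, runs over a constructed log (RFC 5737 addresses) and flags sources whose distinct-port count inside a sliding window reaches a threshold.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall log lines: "<timestamp> <src> <dst> <dport> <action>".
# 192.0.2.10 walks 15 ports in 15 seconds; the others make a few ordinary connections.
SAMPLE_LOG = "\n".join(
    [f"2012-04-08T10:00:{i:02d} 192.0.2.10 198.51.100.5 {20 + i} DROP" for i in range(15)]
    + ["2012-04-08T10:00:05 192.0.2.20 198.51.100.5 443 ALLOW",
       "2012-04-08T10:00:30 192.0.2.20 198.51.100.5 80 ALLOW",
       "2012-04-08T10:05:00 192.0.2.30 198.51.100.5 22 DROP",
       "2012-04-08T10:09:00 192.0.2.30 198.51.100.5 23 DROP"]
)


def parse_line(line: str):
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def detect_probing(log_text: str, window=timedelta(seconds=60), threshold: int = 10) -> dict:
    """Return {src: peak number of distinct destination ports seen within any
    `window`} for every source whose peak reaches `threshold`."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, _dst, dport, _action = parse_line(line)
            by_src[src].append((ts, dport))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        recent = deque()            # events currently inside the window
        counts = defaultdict(int)   # port -> occurrences inside the window
        peak = 0
        for ts, dport in events:
            recent.append((ts, dport))
            counts[dport] += 1
            while recent and ts - recent[0][0] > window:   # expire old events
                _old_ts, old_port = recent.popleft()
                counts[old_port] -= 1
                if counts[old_port] == 0:
                    del counts[old_port]
            peak = max(peak, len(counts))
        if peak >= threshold:
            flagged[src] = peak
    return flagged
```

The window and threshold are tuning knobs; 192.0.2.30 touches two ports four minutes apart and is not flagged at a 60-second window, which is the usual trade-off between catching slow probes and false positives.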

39.3 Active Attacks

Once enough network information has been gathered, the intruder will launch an actual attack against a targeted system to either gain complete control over that system or enough control to cause certain threats to be realized. This may include obtaining unauthorized access to modify data or programs, causing a denial of service, escalating privileges, or accessing other systems. Active attacks affect the integrity, availability and authentication attributes of network security.

39.4 Types of Active attacks

Common forms of active attacks include the following:

  • Masquerading – involves carrying out unauthorized activity by impersonating a legitimate user of the system.
  • Piggybacking – involves intercepting communications between the operating system and the user and modifying them or substituting new messages.
  • Spoofing – a penetrator fools users into thinking they are interacting with the operating system. He duplicates the logon procedure and captures the password.
  • Backdoors/trapdoors – allow a user to employ the facilities of the operating system without being subject to the normal controls.
  • Trojan Horse – users execute a program written by the penetrator. The program undertakes unauthorized activities, e.g. copying sensitive data.

39.5 Threat Impact

It is difficult to assess the impact of the attacks described above, but in generic terms the following types of impact could occur:

  • Loss of income
  • Increased cost of recovery (correcting information and re-establishing services)
  • Increased cost of retrospectively securing systems
  • Loss of information (critical data, proprietary information, contracts)
  • Loss of trade secrets
  • Damage to reputation
  • Degraded performance in network systems
  • Legal and regulatory non-compliance
  • Failure to meet contractual commitments

39.6 Methods to avoid internet attacks:

1. Define the problem

The first step in handling a problem is to identify the problem or security threat that demands management’s attention. Only then can the people be appointed to address the threat. The greatest concern about network attacks is finding the right people to handle daily network security operations. It is critical to have key people with the right experience and background. There is no magic bullet; security does not come because we buy nice software, put it in our budget and have a nice appliance somewhere. It has to come through people, and they have to be well-trained.

2. Consolidate standards and purchasing power

Internet attacks, as discussed, can come from various sources, and attackers tend to be creative in identifying new weaknesses in systems. All major threats to which management feels the information systems are vulnerable should be consolidated. This helps in identifying standards and security products that can secure the system against that particular set of Internet attacks. There are instances where organizations end up buying more than one security product to address the same security threat, thus increasing investment.
