Want to be secure on the Net? Beware of these common lapses that can result in security breaches.
The dot com deluge is on. Jaldi.com, chaitime.com, anything-for-me.com, ideasnyou.com, the list seems to be endless.
Such exponential growth indicates a heavy dependence on technology. Security is critical, because any breach of safety will put off potential Net users. The growing significance of security can be seen from the graph alongside, which shows the increasing number of web sites that have been defaced in the past four years:
Clearly, Net proliferation appears to have spawned cyber criminals in proportion. During the course of certifying the security of our clients' information technology, we have seen that companies sometimes almost invite trouble by making typical mistakes, either through oversight or negligence, or because they have not realised the damage that can arise from such an error.
We have highlighted a few typical mistakes that companies and individuals tend to make:
Allowing access points to intruders
The technology that supports e-commerce and Internet access is built around several components. A key component is the operating system, which could be UNIX, Windows NT etc. Operating systems are the basis upon which the information technology architecture depends. Yet on many occasions one comes across unchanged default settings, poorly configured access profiles, or inactive accounts that have not been disabled. Such lapses give intruders points of access. In UNIX there are some typical default user IDs. Those listed in the table below are the ones corporations may not have changed.
Similarly on Windows NT 4.0 defaults like administrator, backup, and guest can be easily tampered with due to their well-known passwords. A vulnerability in the Microsoft Media Services utility even allows an attacker to crash the service. Attackers exploit a software implementation problem that fails to properly handle handshake packets, which they deliberately send in the wrong order. The media service will crash after receiving the out of order packets and all established media sessions will fail.
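The three account lapses named above (default accounts left enabled, empty passwords, inactive accounts never disabled) can be found with a simple audit over the account records. The script below is an added example, not part of the original article; the account names, the list of "default" IDs and the idle-time limit are constructed assumptions, and in a real audit the records would come from /etc/passwd, /etc/shadow and the lastlog output.

```python
"""Audit of constructed /etc/passwd and /etc/shadow style records for
well-known default accounts left enabled, accounts with an empty password
field, and accounts unused for a long time that were never disabled.
All names, dates and the list of default IDs are constructed sample data."""
from datetime import date

# Assumption: the organisation's own table of vendor default IDs would
# replace this constructed set.
DEFAULT_ACCOUNTS = {"guest", "demo", "sync", "uucp", "lp", "games", "nuucp"}

# Constructed sample records: (name, password field, shell, last login date).
# None as last login means the account has never logged in.
SAMPLE_ACCOUNTS = [
    ("root",  "x", "/bin/sh",    date(2000, 6, 1)),
    ("guest", "",  "/bin/sh",    None),               # default, empty password
    ("demo",  "x", "/bin/sh",    date(1999, 1, 15)),  # default, long inactive
    ("lp",    "*", "/bin/false", None),               # locked, no shell: fine
    ("alice", "x", "/bin/ksh",   date(2000, 5, 28)),
    ("bob",   "x", "/bin/ksh",   date(1999, 8, 2)),   # inactive, not locked
]

LOCKED_MARKERS = ("*", "!", "!!")
NOLOGIN_SHELLS = ("/bin/false", "/sbin/nologin")


def is_disabled(pw_field, shell):
    """An account counts as disabled if its password field is locked
    or its login shell cannot start a session."""
    return pw_field in LOCKED_MARKERS or shell in NOLOGIN_SHELLS


def audit_accounts(accounts, today, max_idle_days=90):
    """Return a sorted list of (user, finding) tuples for the records given."""
    findings = []
    for user, pw_field, shell, last_login in accounts:
        enabled = not is_disabled(pw_field, shell)
        if pw_field == "":
            findings.append((user, "empty password"))
        if user in DEFAULT_ACCOUNTS and enabled:
            findings.append((user, "default account still enabled"))
        if enabled:
            idle = (today - last_login).days if last_login else None
            # Never logged in, or idle longer than the limit: should be disabled.
            if idle is None or idle > max_idle_days:
                findings.append((user, "inactive account not disabled"))
    return sorted(findings)


def run_sample():
    """Audit the constructed records as of a constructed review date."""
    return audit_accounts(SAMPLE_ACCOUNTS, date(2000, 7, 1))


if __name__ == "__main__":
    for user, finding in run_sample():
        print("%-8s %s" % (user, finding))
```

The locked "lp" account produces no finding even though it is a default ID, which is the point of the check: a default account is only a problem while it can still log in.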
Taking CGI scripts for granted
Common Gateway Interface scripts are critical to the interactive nature of the Web. They are typically written in Practical Extraction and Report Language (PERL), as shell scripts, or in C, and are generally located in the "cgi-bin" directory on the Web server. Unless precautionary measures are taken, CGI scripts can be made to execute unauthorised commands. Hence it is important to understand what the CGI code does, to limit permissions on the "cgi-bin" directory, and to prevent buffer overflows by checking input data and never assuming its size, since PERL does not limit the size of data input.
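The two precautions the paragraph asks for, bounding the input size before doing anything with it and checking every parameter against an explicit rule, look like this in a CGI-style request handler. This is an added example written for this article, not code from the original; the parameter names, the size limits and the allowlist patterns are assumptions standing in for whatever a real script actually needs.

```python
"""Input handling for a CGI-style request: cap the raw size before parsing,
then accept only the parameters the script needs, each checked against an
allowlist pattern. Parameter names and limits are assumptions for this example."""
import re
from urllib.parse import parse_qs

MAX_BODY_BYTES = 4096   # assumption: reject anything larger before parsing
MAX_PARAM_LEN = 64

# Allowlist per parameter (assumed names): exactly what the script needs.
PARAM_RULES = {
    "user":  re.compile(r"[a-z][a-z0-9_]{0,31}"),
    "page":  re.compile(r"[A-Za-z0-9_-]{1,32}"),
    "count": re.compile(r"[0-9]{1,4}"),
}


class BadInput(ValueError):
    """Raised for any request that is not exactly what the script expects."""


def parse_request(raw):
    """Parse a raw query string or POST body into validated parameters.

    Raises BadInput on oversized input, malformed encoding, unknown or
    duplicated parameters, or a value that fails its allowlist pattern.
    Returns a dict of parameter name to validated string value."""
    if len(raw) > MAX_BODY_BYTES:
        raise BadInput("request exceeds %d bytes" % MAX_BODY_BYTES)
    try:
        fields = parse_qs(raw, keep_blank_values=True, strict_parsing=True)
    except ValueError as exc:
        raise BadInput("malformed request: %s" % exc)
    clean = {}
    for name, values in fields.items():
        rule = PARAM_RULES.get(name)
        if rule is None:
            raise BadInput("unexpected parameter %r" % name)
        if len(values) != 1:
            raise BadInput("parameter %r given more than once" % name)
        value = values[0]
        # fullmatch: the whole value must fit the pattern, no trailing junk
        if len(value) > MAX_PARAM_LEN or not rule.fullmatch(value):
            raise BadInput("parameter %r failed validation" % name)
        clean[name] = value
    return clean


def is_rejected(raw):
    """True if parse_request refuses the input (used to exercise the checks)."""
    try:
        parse_request(raw)
    except BadInput:
        return True
    return False


if __name__ == "__main__":
    print(parse_request("user=alice&page=index&count=10"))
    for bad in ("user=alice;id", "page=../../etc/passwd", "x=" + "a" * 5000):
        print(repr(bad[:40]), "rejected:", is_rejected(bad))
```

Because the "page" pattern admits no "/" or ".", a traversal-style value fails validation before any file path is built from it, and because the size check runs on the raw bytes, an oversized request is refused before it is parsed at all.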
Irregular web server reviews
Some security lapses typically associated with web servers are running non-essential services like ping, finger, and NFS, the absence of a streamlined backup system, and irregular reviewing and monitoring of web server access logs.
Few rules for data access
The last of the above applies to database security and administration as well, for databases house critical information and should be accessed only on a need-to-know basis. Even databases that house internal information should be accessed only by those whose job descriptions demand it. Exposing a database to access attempts from other servers can potentially open the database to security threats from those servers. When operating in a distributed environment, the following challenges exist:
Data integrity -- ensuring that data is not updated/modified during transmission.
Data privacy -- ensuring that data is not disclosed during transmission.
Authentication -- having assurance that users', hosts', and clients' identities are correctly known.
Authorisation -- giving permission to a user, a program, or a process to access database object(s).
A known vulnerability exists within the Oracle 7.x database software which allows local users to view the usernames and passwords of those interacting with Oracle. The problem is that Oracle does not hide the username and password in the process list. As a result, any user can view this information and a local attacker can gain access to your Oracle SQL database. Database companies, Oracle itself included, provide simple solutions to overcome these problems, but few users implement these recommendations.
No clear e-mail policy
Potential vehicles for attacks are e-mail bombs, spamming, and trojans. Corporations would be well served to have a clear-cut e-mail policy. It should cover areas like encrypting sensitive information sent through e-mail, restricting auto forwarding of e-mails, and controlling the access rights on e-mail solutions like Lotus Notes where in the absence of access control, users can view confidential information.
Muddled firewall policy
A well thought out security architecture will ensure that there are checks within the system. Firewalls, which protect networks and implement security policy for communication between networks, can be deployed. A common drawback of most firewall policies is that instead of "denying all access unless specifically allowed", they "allow access unless specifically denied".
Corporations can draw up policy documents for firewall configuration. Ideally such a policy can be part of a comprehensive Information Systems policy for the corporation.
Typically, firewall configuration can be assessed from the rules added on the firewall. A few key rules, such as the precedence of the stealth rule over all others, setting end dates whenever temporary external access is granted as an exception, and banning experimental external access on a production firewall, can provide for a robust firewall set-up.
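The three policy points above (deny everything not specifically allowed, check the stealth rule before all others, and give temporary exceptions an end date after which they stop matching) can be seen together in a small rule-base evaluator. This is an added example, not the article's own material or any vendor's product; the addresses, rule names and dates are constructed sample values.

```python
"""Toy firewall rule-base evaluator: the stealth rule (nothing may address the
firewall itself) is checked before anything else, temporary exceptions carry
an end date and stop matching once it has passed, and anything unmatched is
denied. Addresses, rule names and dates are constructed sample values."""
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed: the firewall's own addresses, protected by the stealth rule.
FIREWALL_ADDRS = {ip_address("203.0.113.1")}

ANY = ip_network("0.0.0.0/0")


class Rule:
    def __init__(self, name, src, dst, dport, action, expires=None):
        self.name = name
        self.src = ip_network(src)
        self.dst = ip_network(dst)
        self.dport = dport          # None means any port
        self.action = action        # "accept" or "drop"
        self.expires = expires      # None means permanent; a date otherwise

    def matches(self, src, dst, dport, today):
        if self.expires is not None and today > self.expires:
            return False            # temporary exception has lapsed
        return (src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


# Constructed sample rule base (assumed names and addresses).
RULES = [
    Rule("web-in", "0.0.0.0/0", "198.51.100.10/32", 80, "accept"),
    Rule("vendor-tmp", "192.0.2.7/32", "198.51.100.0/24", 22, "accept",
         expires=date(2000, 7, 31)),     # temporary external access, dated
    Rule("lan-out", "10.0.0.0/8", "0.0.0.0/0", None, "accept"),
]


def decide(src, dst, dport, today, rules=RULES):
    """Return (action, reason) for one connection attempt."""
    src, dst = ip_address(src), ip_address(dst)
    # Stealth rule first, ahead of every ordinary rule.
    if dst in FIREWALL_ADDRS:
        return "drop", "stealth"
    for rule in rules:
        if rule.matches(src, dst, dport, today):
            return rule.action, rule.name
    return "drop", "default-deny"   # nothing matched: denied, not allowed


def lint_rules(rules, today):
    """Flag the two policy smells the text names: an 'allow unless denied'
    rule (accept any to any on any port) and lapsed temporary exceptions."""
    problems = []
    for rule in rules:
        if rule.action == "accept" and rule.src == ANY and rule.dst == ANY \
                and rule.dport is None:
            problems.append((rule.name, "allows everything"))
        if rule.expires is not None and today > rule.expires:
            problems.append((rule.name, "expired exception still present"))
    return problems


if __name__ == "__main__":
    review = date(2000, 8, 1)
    print(decide("198.51.100.77", "198.51.100.10", 80, review))
    print(decide("10.1.2.3", "203.0.113.1", 22, review))
    print(lint_rules(RULES, review))
```

Note that the internal source in the second sample decision would be accepted by "lan-out", but never reaches it: the stealth check runs before the rule list, which is the precedence the text asks for.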
Vulnerable routers
One component that interacts with external networks is a router. Routers are intelligent devices that direct traffic on networks. Routers and firewalls are often the first to experience an intrusion attempt. 3Com HiperARC routers allow an attacker to reboot the system. The attacker exploits this vulnerability due to a bug in the HiperARC TCP/IP (Transmission Control Protocol / Internet Protocol) stack. The HiperARC is overwhelmed by a high volume of connections to the net port and eventually reboots. The result is a Denial of Service condition of the HiperARC.
Erratic encryption standard reviews
Security at the data level is necessary, especially when data is going out over third party networks. There are encryption standards like DES and RSA, as well as encryption software like Pretty Good Privacy (PGP), which turn data into an unreadable form after encryption. The data is usable only after it is decrypted by an authentic and authorised user. This process can be sustained by having periodic reviews of encryption standards and processes.
Relying solely on in-house IT
The e-business is exposed to the Internet and needs to provide an assurance to trading partners and customers that their assets are safe. Such assurance can only come from third parties in the form of a certification of web sites.
Economising on security costs
Home PC users are susceptible not only to denial of service attacks but also to planted programs like Netbus, a client-server application where the server is installed on a user's computer and the client is run by the planter. It enables the planter to see the user's screen, lock the keyboard, force a shutdown, trap passwords etc. It can be installed if the planter knows the target's Internet protocol address.
Hence security is a must for home PCs too. One may be led to believe that such security tools are expensive and beyond the reach of the home PC user. But such software is freely available on the Internet. Companies like Zone Labs offer their ZoneAlarm 2.0 firewall free on the Internet.
Slow updates on anti-virus software
New viruses keep appearing, and anti-virus software providers come up with updates to cover them. Hence it is important that home PC users and corporations ensure that the data files of their anti-virus software are less than 20 days old and that there is a process in place to ensure that updates are loaded onto the software.
Authored by Ernst & Young's Information Systems Assurance and Advisory Services (ISAAS) group.