CastleCops, Internet Crime Fighters
Security HeadLines: Beyond firewalls
Cyber Security
Beyond firewalls
By Brian Serra, Forsythe Solutions Group Inc.
AUGUST 06, 2003


Security in today's new world requires a fresh approach. While businesses may know this in theory, many are light-years behind in practice.

For years, firewalls were the basic defensive tool against cyberattacks, providing perimeter security. Over time, as mission-critical applications have moved from dedicated connections to the Internet, perimeters have extended or disappeared completely. Putting applications on the Internet to share information with customers, partners and suppliers has made it easier to do business, but harder to protect it. The perimeter security approach has given way to a new paradigm: building security in levels. The basic idea is that one locked door after another makes it more difficult for attackers to break in.

Firewalls

Firewalls remain the first level of security, as basic as locking your front door. The problem is that firewalls need to allow application traffic to get to the Web application, and they don't distinguish valid application requests from malicious ones. As a result, traffic allowed by the firewalls may contain attacks against the application and related back-end systems.

In addition, firewalls are often improperly configured and implemented. If companies neglect to employ a so-called demilitarized zone (DMZ) for their publicly accessible systems, they can inadvertently give hackers access to systems on their critical internal networks.

Intrusion-detection systems

The second level of defense, less commonly employed, involves the use of intrusion-detection systems (IDS) to monitor networks and servers, notifying people of abnormal activity. The IDS adds another layer of protection but has its own weaknesses. For one thing, the IDS typically doesn't analyze encrypted traffic, such as credit card transactions. For another, many Web application attacks look like normal Web traffic that traditional network sensors won't detect. In addition, most signatures don't cover custom-developed applications, and therefore won't detect specific application attacks. Finally, the IDS sets off alarms but usually can't respond immediately, so if the end system isn't secure, the damage may be done before a response can be mustered.

Patching

Patching, or correcting vulnerabilities through updates to applications and operating systems, is a third level of defense, which is equally important but less common. Although patching is absolutely necessary, it's easy for companies to fall behind on this type of ongoing maintenance. And it may not eliminate risks entirely. For example, patches to the operating systems and applications don't control application-to-back-end requests pulling database information. Unsafe back-end systems can exist even when the Web systems are secured through effective patching.

Security during development

Building security into the development of applications from the beginning is the fourth level of defense. Custom application developers, who often work within tight deadlines and without documented change control, usually don't consider security as they code the application, leaving it vulnerable to security breaches. Many of these developers aren't trained on security concepts, and even those who are trained still tend to develop the application first and test it for vulnerabilities after the fact. In the future, it will be increasingly important for application developers not only to understand security concepts, but also to take them into account during every step of the development process.

More choices

Companies can provide a fifth and final level of defense through additional security safeguards. On the technical side, you can implement tools such as function-specific DMZ networks; host-based firewalls that run on each system; intrusion-prevention systems (IPS), which block intrusions as opposed to setting off alarms after a possible intrusion; and strong authentication practices, or token authentication, in which users access systems via personal identification numbers and cards as well as one-time passwords.

Develop policies

On the business side, you should develop policies and procedures to ensure Web application security and then communicate them well to your employees. One of the most important things you can do is to train your employees on security awareness. One hacking trend, for example, known as social engineering, is the practice of pretending to be a user or help desk member in order to obtain the information needed to intrude on a company's information systems. Every employee needs to be aware of these dirty tricks, as well as understand company policy about the type of information they can share.

Addressing Web application security risks at all of these levels is the best way to ensure the safety of your business's information and processes.


Brian Serra, senior security consultant at Skokie, Ill.-based Forsythe Solutions Group Inc., trains security professionals on ethical hacking and Web commerce security.

CW
Posted on Saturday, 30 August 2003 @ 05:20:00 UTC by phoenix22 (745 reads)
