
Web Security Importance - Coursework Example

Summary
The paper "Web Security Importance " states that Web security is not an instant success story but, instead, requires the ongoing implementation of countermeasures that try to curb any malpractices that may pose a threat to secure information transfer…

Extract of sample "Web Security Importance"

Final Report - Web security.

In my final report I deeply elaborate on the topic of web security. I have discussed the topic inclusive of all aspects related to it and given examples of how to try to maintain confidentiality in information sharing. Web security intends to protect all internet users, including those who conduct crucial bank dealings over the internet. There are very essential dealings and transactions that many opportunists out there are very willing to pounce on. This enables them to swindle money by obtaining critical information and data through tapping into conversations and hacking passwords. Web security has therefore become a key component in the world of information technology. I, as an interested party, believe this report will elucidate essential details on the matter of web security and bring out in the open some of the risks that internet users experience in their day-to-day use of the internet, and also the countermeasures. The tables and figures I have used in this report clearly show web security statistics and elaborate on some of the issues I have discussed, like the levels and types of web security threats.

TABLE OF CONTENTS

  • ABSTRACT
  • INTRODUCTION AND BACKGROUND
  • FACTORS THAT CONTRIBUTE TO WEB SECURITY
  • The knowledge of the user
  • The necessary tools available for security
  • Responsibility of the user
  • SWEET relevance to security
  • SWEET DEVELOPMENT
  • Creating awareness to web security
  • Tools To Detect Web Attacks
  • Web versus Desktop Applications
  • Intelligent Information Systems
  • INTERNET CONTROLS:
  • INTRUSION DETECTION SYSTEM:
  • Signature-Based Network Intrusion Detection System:
  • References
  • APPENDIX A. GLOSSARY
  • APPENDIX B. RESEARCH METHODS.

Web Security: Applications, and Tools
XXXXX XXXXX
Wednesday June 12, 2013
English

ABSTRACT.

This final report discusses the topic of web security and some of the risks that internet users all over the world experience. Over the years, web security has grown to become a very crucial part of our daily lives. This is shown by the manner in which most of the world population conducts its business. This includes doing bank transactions, holding board meetings through video conferencing, and simple chats over the internet using simple interfaces such as Facebook and Twitter. The threats posed by malicious internet users have driven the technocrats into developing methods such as secure web applications, and procedures such as SWEET, that ensure people have their data safe when they are transmitting it over the internet. The final report has elucidated some of these methods and procedures that have been developed over the years, as the world of information technology is open-ended and is open to many changes as the years go by.

INTRODUCTION AND BACKGROUND

Web security is a branch of Information Security that deals with the security of websites, web applications, and web services. At higher levels, web security operates on the principles of application security and applies them to Internet and web systems. When web application security is mentioned, there is an inclination to at once think about hackers defacing web sites and bombarding web sites with denial-of-service attacks. These types of problems represent some of the most important threats faced by today's web applications. The answer to web security is broader than just technology. It is an unending process involving the users and practices. Security is a path, not a target.
As one evaluates the infrastructure and applications, they discover prospective threats and realize that each threat presents its own level of risk. Hence, security is all about risk management and putting in place valuable countermeasures.

FACTORS THAT CONTRIBUTE TO WEB SECURITY

There are various factors that contribute to web security; these can be categorized into different factors.

HUMAN AND TECHNOLOGICAL FACTORS

There are various human factors that contribute to web security. They include:

The knowledge of the user

A good user is more concerned with their security on the web and, in most cases, does not put their data at risk. Users therefore should have the right knowledge to be able to use the web securely.

The technology that is in use at that particular time

Present technology provides applications and tools that enable the user to be protected at all times. Users are always reminded to update their technology each and every time to ensure that they are always secure.

TOOLS FOR SECURITY

There are various tools that are relevant to ensuring that security is achieved on the web, and here is a summary of some of them.

The necessary tools available for security

Just like technology, the various tools used by the user are also crucial to their security. Users should ensure that they have the right tools and should always update both their hardware and software.

SECURITY CAN BE ACHIEVED BY ADDRESSING

There are various things that can be done by the developer and the user so as to realize web security.

USER AND TECHNOLOGY FACTORS

There are various technological and user factors that affect web security. They greatly impact the manner in which the web can be influenced.

Responsibility of the user

Many users are now educated on various ways to ensure that they are secure within the network. There are different web applications that are created by JavaScript to ensure security of the users.
Many tools have been created to ensure that third parties are completely denied access to information. Governments and other organizations are spending a lot to ensure that their data is protected; they do this by using the latest technology and tools available in the market.

SWEET

SWEET is a teaching tool that is used to teach web users of different levels about the importance and relevance of web security and how to achieve it. Below are some of the ways in which it was developed and how relevant it is to web security.

SWEET relevance to security

SWEET is a tool that ensures that users are taught to operate in a secure manner (Li-Chiou and Lixin 2012), trying to make web applications be like desktop applications. This will reduce the number of attacks on web applications. Even though many authors have similar views on how to ensure that the user is protected from unknowingly sharing their information with third parties, there are a lot of controversial ideas that different authors hold on ensuring that the user is well protected. Li-Chiou, Chen, and Lixin Tao mainly focus on the use of SWEET to ensure that the user is protected. Kapodistria, Helen, Sarandis Mitropoulos, and Christos Douligeris insist that the user should be educated on how to protect themselves from attacks. Torchiano, Marco, Filippo Ricca, and Alessandro Marchetto mainly focus on the building of secure web applications such as those in desktop applications.

In the table below, a study done in the Netherlands is tabulated to give a summary of how desktop applications and web applications differ in terms of security. It provides a summary of how desktop applications are secure as compared to web applications.

Table 1. A study in the Netherlands compares the defects of both web and desktop applications. The two-way ANOVA figure is an analysis to see if indeed there is a significant notable difference in the two defects of applications. (Taken from Torchiano, et al. 2011, 159)

SWEET DEVELOPMENT

Developing SWEET requires a lot of professional as well as technical experts who need to work together to realize the functioning of SWEET.

Design

SWEET configures a computing environment using virtualization technology, which simply means running emulator software on a computer so as to emulate another desired computer. The computer being used and the virtual computer run different or the same systems. Virtualization has been used worldwide in both educational demonstrations and commercial systems. Developments such as Microsoft Virtual PC and VMware are results of virtualization. In our development, SWEET computers were run locally on user computers (Li-Chiou and Lixin 2012).

Virtualization

Firstly, client-side virtualization does not need internet connections and thus isolates web security exercises to the network, preventing a spilling effect on the internet, which is an advantage over server-side virtualization. Secondly, virtual computers are portable, reduce pressure on the servers, can be distributed by web downloading, and are flexible, easy to maintain and easily modified.

HISTORY OF WEB SECURITY

The internet, though a fascinating technology, lacks geographical borders, thus raising concerns about conducting business online, because there are those who focus on penetrating systems to steal important information. Of late, hackers have focused on web applications that allow shopping and communication with countries' companies, mainly because these have increased numbers of users who use databases for exchange of information (Alanazi & Mohamed, 2011). SQL injection is a method used by hackers; it is dangerous because it can damage a whole system, yet it is also very easy. It is an attack whereby SQL code is appended to the application's user input parameters and then passed to another SQL server, known as the back-end SQL server, for execution. This is very dangerous: it allows hackers to get in without using a password, thus compromising the privacy and integrity of data, especially if it is sensitive.
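The injection described above, run against three defences: plain concatenation, the quote-doubling step from this report's SQL injection prevention list, and bound parameters, which go beyond that list. This is an added example, not part of the original report; SQLite stands in for the back-end SQL server, and the tables, function names and input strings are constructed for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data: one account and two private notes.
    The password is stored in clear text only to keep the example short."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        CREATE TABLE notes (owner_id INTEGER, body TEXT);
        INSERT INTO users VALUES (1, 'alice', 'correct horse');
        INSERT INTO notes VALUES (1, 'alice note');
        INSERT INTO notes VALUES (2, 'bob note');
    """)
    return db


def double_quotes(value):
    """Prevention step from the report: replace ' with ''."""
    return value.replace("'", "''")


def login_concatenated(db, name, password):
    """Vulnerable: user input is pasted straight into the SQL text."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return db.execute(sql).fetchone()[0] > 0


def login_quotes_doubled(db, name, password):
    """Still concatenation, but every quote is doubled first."""
    return login_concatenated(db, double_quotes(name), double_quotes(password))


def login_bound(db, name, password):
    """Hardened: values travel as bound parameters, never as SQL text."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone()[0] > 0


def notes_quotes_doubled(db, owner_id):
    """Numeric context: there is no quote to double, so escaping is a no-op."""
    sql = "SELECT body FROM notes WHERE owner_id = " + double_quotes(owner_id)
    return sorted(row[0] for row in db.execute(sql))


def notes_bound(db, owner_id):
    """Hardened: check the type first, then bind the value."""
    try:
        owner = int(owner_id)
    except ValueError:
        return []
    rows = db.execute("SELECT body FROM notes WHERE owner_id = ?", (owner,))
    return sorted(row[0] for row in rows)


def demo():
    db = make_db()
    crafted_name = "alice' --"   # constructed input: closes the string, comments out the rest
    crafted_id = "1 OR 1=1"      # constructed input: needs no quote at all
    return {
        "login, concatenated": login_concatenated(db, crafted_name, "x"),
        "login, quotes doubled": login_quotes_doubled(db, crafted_name, "x"),
        "login, bound": login_bound(db, crafted_name, "x"),
        "notes, quotes doubled": notes_quotes_doubled(db, crafted_id),
        "notes, bound": notes_bound(db, crafted_id),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

Quote doubling stops the login bypass but not the numeric query, which is why binding parameters is the more reliable control.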
HISTORY OF SOME WEB TOOLS

Below is a brief look at how some of the tools have evolved over time to achieve a secure web environment.

Preventing SQL Injection

  • Removing a single quotation mark, because verification occurs from this.
  • Replacing a single quotation mark with two single quotation marks in the string input.
  • Removing T-SQL comments like /**/ and -- to reduce chances of damaging data.
  • Using policy systems that are secure by limiting options to maybe only writing and reading.

Creating awareness to web security

Creating awareness among web users of web security is very important. As seen earlier, knowledgeable users are less prone to attacks than users who do not have the right knowledge needed for web security. Due to this factor, many companies are creating awareness among users to always be on the lookout, especially for phishing software that can be used to hack into their accounts. With the right knowledge, the user is able to (Wills, 2011). There are behaviors that users have to avoid whenever they are on the web to avoid sharing their information with third parties.

  • First is that they should never give out their passwords to any stranger, as this may pose a threat to their security on the web.
  • Users should be taught the most secure web applications to use when on the net, and they have to know that web applications are not that secure.
  • All web users should be educated on how to protect themselves by the use of a firewall. With this, they are able to ensure that they are always safe whenever they are on the web.

Tools To Detect Web Attacks

DotDefender is a web application tool that was developed to help curb the increasing number of web attacks, and it has been able to do wonders. It acts as a firewall to protect users from third party attacks. It identifies any threats and alerts the user. There are also malicious objects that are not allowed to pass through the firewall.
The type of protocol in use is also a determining factor in security, and hence it is the responsibility of every user to ensure that they use the right protocol (Kapodistria, 2011). There are many proposed tools that will be developed by different developers, and each tool is designed to help solve a certain web problem; this ensures that the user has a collection of tools to choose from whenever faced with any security threat. There are various web tools that can detect, record and/or prevent any attack that comes from the net. The kind of OS that the user is using is very important for these tools to be functional.

Web versus Desktop Applications

Web applications are known to be more prone to security threats as compared to desktop applications, and it is because of this that many developers are coming up with ways to make web applications that have protocols similar to those of desktop applications (Torchiano, 2011). For web applications to be less prone to security issues, the developers need to focus on testing. Testing ensures that threats are removed and that web addresses are properly defined from destination and the origin. Web applications tend to have more security defects as compared to desktop applications. There are several loopholes that can provide access to third parties into the accounts of unsuspecting users. Web applications need to be designed with different protocols that will not only ensure security but will also build a well-defined approach to securing the website.

In the next figure, previous research on desktop and web applications is summarized. This plot shows the percentage of defects that web and desktop applications have and how much they differ. The box plot clearly indicates that at a range of 0.3 to 0.4 desktop applications are more secure compared to web applications with 0.5 and above defects.

Fig. 2 Box plot of percentage of defects in presentation layer per type of application.
Carried out in the Netherlands, the table aims at finding the best application that can be used between web applications and desktop applications.

Intelligent Information Systems

To help web users have a secure web system, developers are using artificial intelligence to develop secure systems that can automatically detect threats and ensure that they are removed without the involvement of the user (Achkoski Dojchinovski, 2011). These systems ensure that they protect the user without their knowledge. Even though sometimes they might become a nuisance, they are vital to the protection of the user's data.

INTERNET CONTROLS:

In this era of modern information technology, the Internet has delivered the ultimate lack of restrictions to information and communication. Like all types of freedom, the Internet has been abused by many unprincipled personalities to execute their malice. These abuses range from sending annoying and at times violent e-mails, to credit card scams, advance fee fraud, having other systems infested with malevolent viruses, raids of private information or communication, etc. The development of these unpleasant practices has compelled the development of some methods of Internet Controls. These are control procedures to thwart abuses by operators in the system. Some control procedures provide security at the level of the computer system, while some others function at several layers. The classifications of control procedures are not closed. With endless exploration in the field, new methods are being presented. We may safely consider some of the functional controls in two broad categories: Intrusion Detection System (IDS) and Honey Pots.

INTRUSION DETECTION SYSTEM:

The Intrusion Detection System is a type of observation, which is intended to precisely identify malevolent activities at the earliest opportunity in order to reply properly.
The Intrusion Detection System is divided into two categories: the Host-based Intrusion Detection System (HIDS) and the Network-based Intrusion Detection System (NIDS). The Host-based Intrusion Detection System operates as software running on the system, to oversee the activity of the system itself and to identify signs of malevolent activity. HIDS functions at the level of the operating system, rather than at the network level; a common example is anti-virus software, which is used to guard the system against computer virus assaults. On the other hand, the Network Intrusion Detection System operates as software that scrutinizes network traffic for signs of an invader. Research results have revealed that the most common type of IDS in operation is the NIDS. Next I look at some of the conspicuous Network-based Intrusion Detection Systems:

Signature-Based Network Intrusion Detection System: This type of system operates much like virus-detection software. A catalogue of signatures is established for notorious assaults. The network intrusion detection system suite pays attention to all network traffic, compares it to the stored signatures, and activates an alarm if it senses a match.

Analysis-Based Network Intrusion Detection System: The system is built on the analysis of packets. As an alternative to using signatures to monitor the network traffic, the system essentially scrutinizes or evaluates the packets for marks of malevolent operator action. Upon identifying any such malevolent operator action, the alert is raised. One of the first analysis-based NIDS products is the Shadow system, which is used by Navy facilities. Shadow uses the freeware tcpdump to collect the headers from the network traffic. These headers are scrutinized for marks of malevolent action.

Firewalls: A firewall is a system intended to regulate external access to an enterprise's internal systems and information.
The firewall method is that computers managing delicate material are secluded from the internet, though still being able to get user material from it. The server computer, which handles all the communication with external operators, acts as a middle man, getting any private material, without keeping it, and then passing it on, via an inner link, to the establishment's central computers. These central computers have no other association with the internet and are programmed to only reply to the server computer. Thus, there exists a firewall shielding the central computer.

Encryption Program: As the practice of e-mail has grown, so too has alarm over the subject of the confidentiality of the mails. To resolve the difficulty, the encryption platform was established. The methodology of the platform is to scramble your files before they leave your browser. For this to operate successfully, the receiver needs to have the identical software with which to decrypt the dispatch. The encryption program is not constrained to e-mails only. It is also applied to protect complex data in credit cards and other electronic cards.

Honey Pots: Honey pots are intended to entice probable hackers, in the same way honey lures insects. The notion is to cause would-be aggressors to waste time and energy in cracking what is in effect a bogus objective, allowing you time and opportunity to go after them, or resolve how to respond to their attack. Honey pots differ broadly in scope. They could be as modest as a deception you can build yourself, using tools like netcat, or as elaborate as the two commercial products presently in use: ManTrap and CyberCop Sting.

CONCLUSION

Web security is not an instant success story but, instead, requires ongoing implementation of countermeasures that try to curb any malpractices that may pose a threat to secure information transfer.
With the right technology and tools, the user is able to successfully transfer information and receive it without any leakage. Several experts have come up with different tools, such as SWEET, that provide a better environment for the training and management of security operations on the web. There are also various web tools that can detect, record and/or prevent any attack that comes from the net. With the introduction of the Internet, the world has turned into a small global village. With the assistance of the Internet, individuals can send and obtain letters, files and data from all over the world. The web is the collaborative, enlightening place with every zone interconnected so that one can change from one setting to the other in a flash. This has brought a lot of challenges on the subject of information security.

References

1. Achkoski, Jugoslav. Trajkovik, Vladimir and Dojchinovski, Metodija. "An Intelligence Information System Based on Service-Oriented Architecture: A Survey of Security Issues." Information & Security 27.1 (2011): 91-110. ProQuest. It deliberates on information systems and security.
2. Andrew Cormack (2000) "Web Security", Manchester: JISC Technology Applications Programme. It details all current issues in web security.
3. Alanazi, Fahad, and Mohamed Sarrab. "The History of Web Application Security Risks." International Journal of Computer Science and Information Security 9.6 (2011): 40-47. ProQuest. The journal details all information security matters.
4. Elizabeth D Zwicky, Simon Cooper, D Brent Chapman. (2000) "Building internet firewalls: Internet and web security." Beijing; Cambridge, Mass. O'Reilly. The book gives details and reasons for a secure internet system.
5. Kapodistria, Helen, Sarandis Mitropoulos, and Christos Douligeris. "An Advanced Web Attack Detection and Prevention Tool." Information Management & Computer Security 19.5 (2011): 280-299. ProQuest. The journal details information security management.
6. Li-Chiou, Chen, and Lixin Tao. "Teaching Web Security using Portable Virtual Labs." Educational Technology & Society, 15.4 (2012): 39-46. ProQuest. It elucidates educational and societal views on web security.
7. Rolf Oppliger, (2000) "Security for the world wide web," Boston, MA: Artech House. The book is all about internet security.
8. Simson Garfinkel; Gene Spafford, (2002), "Web security, privacy and commerce", Cambridge, Mass.: O'Reilly. The book discusses web security in the commerce industry.
9. Torchiano, Marco, Filippo Ricca, and Alessandro Marchetto. "Are Web Applications More Defect-Prone than Desktop Applications?" International Journal on Software Tools for Technology Transfer 13.2 (2011): 151-166. ProQuest. The journal talks about ways of managing web security.
10. Wills, Craig E., and Zeljkovic, Mihajlo. "A Personalized Approach to Web Privacy: Awareness, Attitudes and Actions." Information Management & Computer Security 19.1 (2011): 53-73. ProQuest. The journal discusses web security issues in depth.

The references mentioned above have been very helpful, as they have given me the knowledge needed in coming up with this final report on Web Security. I have used them as online books and they are a great source of wealth. Achkoski, Jugoslav. Trajkovik, Vladimir and Dojchinovski, Metodija published their journal in 2011, and it goes on to explain how intelligence systems can be used to make the web secure. Andrew Cormack in his journal explains what web security entails and how this can be improved. Alanazi, Fahad, and Mohamed Sarrab was a very useful resource, as it gave me a clear view of how the web has evolved and some of the issues that have faced the web in terms of security. Elizabeth D Zwicky, Simon Cooper, D Brent Chapman was a very useful resource in letting me understand how firewalls work and some of the reasons why people use firewalls. Kapodistria, Helen, Sarandis Mitropoulos, and Christos Douligeris discuss some of the protocols that internet web browsers have and how they can be made secure. Li-Chiou, Chen, and Lixin Tao were really useful for their contribution to the journal about teaching web users how to be secure while using the net. Rolf Oppliger, in their journal, gave a clear view of web security and how it affects people today. I used it to find out more information about the magnitude of web insecurity. Simson Garfinkel; Gene Spafford, was also useful in defining how relevant web security was to commerce and how to improve it. Torchiano, Marco, Filippo Ricca, and Alessandro Marchetto were one of the major contributors to this report, as they gave a review of how desktop applications are secure and how web applications can be made to be more secure. Wills, Craig E., and Zeljkovic, Mihajlo gave solutions to various privacy issues faced by web users and how to make them a thing of the past.

APPENDIX A. GLOSSARY

  • Intrusion Detection System - The Intrusion Detection System is a type of observation, which is intended to precisely identify malevolent activities at the earliest opportunity in order to reply properly.
  • Internet Controls - These are measures and procedures aimed at reducing internet malice and threat to information.
  • SWEET - It is a tool that ensures that users are taught to operate in a secure manner.
  • Firewalls - A firewall is a system intended to regulate external access to an enterprise's internal systems and information.
  • Honey Pots - This is a trick intended to entice probable hackers, in the same way honey lures insects.
  • Intelligent Information Systems - These are secure systems developed so that they can automatically detect threats and ensure that they are removed without the involvement of the user.
  • Encryption program - These are software programs that are used to somehow engulf information before it leaves its original browser in order to protect the information from potential hackers who may want to use it for malice.
  • Web Security - This is the ability of a web application to securely protect data communicated between a sender and a receiver without the involvement of any other third party.

APPENDIX B. RESEARCH METHODS.

I primarily used all available sources that I could come up with. The ACTM online library proved to be of great help to me, as most of my reference sources are found in this library. To facilitate my research in this report I also sourced the views of my fellow students on their thoughts about web security, and I must admit it proved to be very helpful, as I got different ideas and reasoning from different perspectives, which on analyzing proved to be a very helpful line of action. I also applied the knowledge that I have earned from attending my classes, as they have helped me contrast and compare some of the ideas I have come across in the process of doing my research. I also applied my day-to-day knowledge of web applications to come up with some of the necessary information. The use of SWEET and its procedure proved to be very useful to me in ensuring that I get to know more about web applications.

I used various statistical information to analyze how web and desktop applications vary, and an ANOVA test was very useful here. In addition to the statistical tests done to prove the security of desktop applications as compared to web applications, most resources used here also supported this fact and were very useful in ensuring that I got the most up-to-date information on how to make web applications secure. Identifying the history of web security was also important to ensure that I got a brief description of how the applications have evolved over time and how to make future web applications much better. Various resources were useful, especially from Torchiano, Marco, Filippo Ricca, and Alessandro Marchetto.
They had a clear history of how different web and desktop applications have been evolving over time and the types of protocols that web applications have had to change in order to match desktop applications. Alanazi, Fahad, and Mohamed Sarrab were also a major boost in providing the history of web security and how to ensure that past mistakes in technology are done away with.
Cite this document
(Web Security Importance Coursework Example | Topics and Well Written Essays - 3000 words - 1, n.d.)
Web Security Importance Coursework Example | Topics and Well Written Essays - 3000 words - 1. https://studentshare.org/information-technology/1802313-web-security
