Sunday, May 4, 2008

SHIELDING WEB SERVICES FROM ATTACK

Web services are almost irresistible. By nature, they allow one system to find and interact with another with little or no human intervention. Yet the very virtues that make Web services compelling, their use of trusted protocols and of multiple intermediaries, also make them a potential point of access for criminals. Ultimately, we need to tackle Web services' vulnerabilities as part of a growing awareness that security must be addressed in the code of applications, not just through firewalls and gateways.

A common reason for vulnerabilities is the mistaken belief that applications are exposed only to internal personnel rather than to the world at large. Web services frequently pass messages through several intermediaries before they reach their final destination, undercutting technologies such as SSL, which secures a single connection across the open Internet rather than the message as it passes through each intermediary.
A high percentage of Web services interact with databases. SOAP and XML make it easy to disguise malicious payloads, opening new avenues for buffer-overflow attacks that target an enterprise's most vital systems. Other common Web service exploits include XML parser attacks, in which an endless string leads to a denial of service, and XML external entity attacks, in which a request points to an invalid file and the resulting error may cause the Web service to give out information it should not disclose.

Defensive Measures: Although Web services raise risks, organizations need not fall victim to security breaches if they take proactive measures. The biggest defense comes from ensuring that code works correctly, preferably before it is ever exposed to the Net. Although plenty of coders use blacklists to prevent well-known types of malicious routines from being executed, the more prudent approach is to employ whitelists: for example, a field that asks for a Social Security number accepts only a positive value that has nine digits and rejects everything else.
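The defensive measures above, as an added example that is not from the InfoWorld article or this blog: a Python request filter that caps message size (the parser denial-of-service), refuses DOCTYPE and entity declarations (the external entity attack), and then validates the Social Security number field with a whitelist, shown beside a blacklist check that lets a malformed value through. The size cap, element names and sample requests are assumptions constructed for this example.

```python
import re
import xml.parsers.expat as expat

MAX_REQUEST_BYTES = 64 * 1024           # assumed cap: bounds the "infinite string" parser DoS
SSN_PATTERN = re.compile(r"[0-9]{9}")    # allowlist: exactly nine digits, nothing else
DENYLIST = ("'", "--", ";", "<")          # a typical, and inevitably incomplete, blacklist

class UnsafeRequest(Exception):
    """Raised when a request is rejected before any business logic sees it."""

def parse_request_fields(xml_bytes):
    """Return {element_name: text} for a small SOAP-style request. Any DOCTYPE
    or entity declaration aborts the parse, closing the XXE and entity-expansion vectors."""
    if len(xml_bytes) > MAX_REQUEST_BYTES:
        raise UnsafeRequest("request exceeds size cap")
    fields, stack = {}, []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject(*_args):                  # fires on <!DOCTYPE ...> or <!ENTITY ...>
        raise UnsafeRequest("DOCTYPE and entity declarations are not accepted")
    def start(name, _attrs):
        stack.append(name)
        fields.setdefault(name, "")
    def chars(data):                     # expat may deliver one text node in several chunks
        if stack:
            fields[stack[-1]] += data

    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda _name: stack.pop()
    parser.CharacterDataHandler = chars
    parser.Parse(xml_bytes, True)
    return {name: text.strip() for name, text in fields.items()}

def passes_denylist(value):
    """Blacklist style: accept anything that lacks a known-bad token."""
    return not any(token in value for token in DENYLIST)

def is_valid_ssn(value):
    """Whitelist style: nine digits forming a positive number; everything else fails."""
    return SSN_PATTERN.fullmatch(value) is not None and int(value) > 0

# Constructed sample requests, not captured traffic.
GOOD_REQUEST = b"<Envelope><Body><ssn> 123456789 </ssn></Body></Envelope>"
XXE_REQUEST = (b'<!DOCTYPE r [<!ENTITY x SYSTEM "file:///placeholder">]>'
               b"<Envelope><Body><ssn>&x;</ssn></Body></Envelope>")
```

The value "987-65-4320" passes the blacklist but fails the whitelist, which is the article's point: a whitelist does not need to anticipate every bad input, only to describe the one good shape.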

Security professionals should also take careful inventory of every service that is exposed to the Internet, preferably through an audit carried out by someone external to the IT department. That approach can be particularly effective in identifying services left behind by a previous generation of developers. Whether the services are already in place or not yet deployed, each one needs to be thoroughly tested using a variety of methods: 1) scan every port of every IP address and carefully query each service that responds, and 2) look to see whether UDDI servers, WSDLs and other self-describing mechanisms are giving up information that could aid an attacker.

This article is thus closely related to both chapter 7 (Telecommunications, the Internet and Wireless) and chapter 8 (Securing Information Systems). Technology has brought tremendous positive changes in a variety of systems but has also raised major concerns over security. It is for sure that the more we innovate, there will always be someone working just as hard to destroy it.

Dan Goodin, InfoWorld (San Mateo), Nov 27, 2006, Vol. 28, Issue 48, p. 29 (3 pages).

Saturday, May 3, 2008

A stolen Laptop at the Department of Veterans Affairs: The Worst Data Theft Ever?

Q1. List and describe the security weaknesses at the Department of Veterans Affairs.
Ans: The Department of Veterans Affairs has several security problems in the areas indicated:
· Unencrypted records: Most noteworthy is that all the data, including names, social security numbers, health records and financial records, was not encrypted. This gives any outsider easy access to sensitive information.
· Lack of proper rules: There are no established rules and regulations regarding the handling and management of the data systems. Among these is a relaxed attitude toward this private and sensitive information, allowing employees to take office software and other equipment home.
· Cost savings: The department is overly concentrated on savings rather than on implementing a secure IT environment. Its resistance to moving to centralized management of IT programs and activities has further weakened overall enforcement.
· The CIO and Chief Information Security Officer lack direct authority to implement regulations.

The above drawbacks clearly show prominent weaknesses in their security system. These can indeed be rectified.

Q3. How effectively did the VA deal with these problems?
Ans: The VA did not deal with the problems effectively from the start. When the incident occurred, the superior did not tell the Inspector General's Office, and they did not inform the respective authorities. As a matter of fact, Jim Nicholson, the Secretary of the VA, learned about it only after 13 days. Also, law enforcement was not informed until 2 weeks after the theft was discovered.

This delayed a thorough investigation that could have helped solve the case. If the respective authorities had been informed immediately, this dilemma could have been prevented. Seeing the chain of events unfold, their inability to handle the problem is quite obvious.