Internet Security Costs To Businesses Computer Science

Essay added: 21-10-2016, 20:09

For the firewall between the internal network and the DMZ, we can change the rules to block all incoming traffic (i.e., traffic originating from the Internet or the DMZ). This change would ensure that if abusers gained control of servers within the DMZ, they still could not reach servers on the internal network.

On that same firewall we can allow all outgoing traffic (i.e., traffic originating from the internal network towards the DMZ or the Internet). Because many employees used the Internet connection for a variety of reasons and the IT staff had to support the servers located within the DMZ, this configuration was the easiest to support.

For the firewall that sat between the DMZ and the Internet, we can allow incoming Web, e-mail, and VPN traffic. All other traffic would be blocked until a valid business need arose. These rules would block the majority of the traffic that abusers could use to attack.

On the same external firewall, we can allow only outbound traffic for Web, e-mail, VPN, DNS, and a handful of other categories of network protocols that employees used. This restriction is mainly designed to ensure that attacks could not easily be launched from internal servers.
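An added example (not part of the essay) that encodes the four rules above as a policy check, so that a proposed flow can be tested against both firewalls before the change is made on real devices. The zone names, the standard service ports and the stateful handling of return traffic are assumptions.

```python
from dataclasses import dataclass

# Assumed service-to-port mapping (standard ports). Replies to permitted
# connections are assumed to be handled by stateful tracking, so only the
# direction that opens a connection is evaluated here.
SERVICES = {
    "web": {("tcp", 80), ("tcp", 443)},
    "email": {("tcp", 25), ("tcp", 587), ("tcp", 993)},
    "vpn": {("udp", 500), ("udp", 4500), ("udp", 1194)},
    "dns": {("udp", 53), ("tcp", 53)},
}

@dataclass(frozen=True)
class Flow:
    src_zone: str   # "internal", "dmz" or "internet"
    dst_zone: str
    proto: str      # "tcp" or "udp"
    dport: int

def _service_allowed(flow, names):
    return any((flow.proto, flow.dport) in SERVICES[n] for n in names)

def internal_firewall(flow):
    """Between the internal network and the DMZ: everything that starts on the
    inside may leave; nothing that starts in the DMZ or on the Internet may enter."""
    return flow.src_zone == "internal"

def external_firewall(flow):
    """Between the DMZ and the Internet."""
    if flow.src_zone == "internet":
        # Inbound: only web, e-mail and VPN, and only towards the DMZ
        return flow.dst_zone == "dmz" and _service_allowed(flow, ("web", "email", "vpn"))
    # Outbound from the DMZ or the internal network: a short protocol allowlist
    return _service_allowed(flow, ("web", "email", "vpn", "dns"))

# Which firewalls a new connection crosses, by (source zone, destination zone)
PATH = {
    ("internal", "dmz"): (internal_firewall,),
    ("dmz", "internal"): (internal_firewall,),
    ("dmz", "internet"): (external_firewall,),
    ("internet", "dmz"): (external_firewall,),
    ("internal", "internet"): (internal_firewall, external_firewall),
    ("internet", "internal"): (external_firewall, internal_firewall),
}

def permitted(flow):
    """True only if every firewall on the path accepts the flow."""
    return all(check(flow) for check in PATH[(flow.src_zone, flow.dst_zone)])
```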

The different networking components used in this network architecture are described below. The major components are the switch, Internet router, DMZ, VPN server and firewall.

Switch:

Switches are layer two devices. Here switches are used for creating VLANs and separating networks. A network switch is a small hardware device that joins multiple computers together within one local area network (LAN). Technically, network switches operate at layer two (the Data Link Layer) of the OSI model. Network switches appear nearly identical to network hubs, but a switch generally contains more intelligence (and a slightly higher price tag) than a hub. Unlike hubs, network switches are capable of inspecting data packets as they are received, determining the source and destination device of each packet, and forwarding them appropriately. By delivering messages only to the connected device for which they are intended, a network switch conserves network bandwidth and offers generally better performance than a hub. As with hubs, Ethernet implementations of network switches are the most common. Mainstream Ethernet network switches support either 10/100 Mbps Fast Ethernet or Gigabit Ethernet (10/100/1000) standards.

Router:

Routers are layer three devices. They can forward traffic between different VLANs and networks. A router is a device that forwards data packets between networks; it is connected to at least two networks, commonly two LANs or WANs, or a LAN and its ISP's network. Routers are located at gateways, the places where two or more networks connect. Routers use packet headers and forwarding tables to determine the best path for forwarding packets, and they use protocols such as ICMP to communicate with each other and configure the best route between any two hosts. Very little filtering of data is done by routers. When multiple routers are used in interconnected networks, they exchange information about destination addresses using a dynamic routing protocol, and each router builds up a table listing the preferred routes between any two systems on the interconnected networks.

Firewall:

A firewall is simply a program or hardware device that filters the information coming through the Internet connection into your private network or computer system. If an incoming packet of information is flagged by the filters, it is not allowed through. Consider, for example, a company with 50 employees. The company will have hundreds of computers, all with network cards connecting them together, and one or more connections to the Internet through something like T1 or T3 lines. Without a firewall in place, all of those hundreds of computers are directly accessible to anyone on the Internet.

Web Server and database server:

In computing, the term server is used to refer to one of the following:

a computer program running as a service, to serve the needs or requests of other programs (referred to in this context as "clients") which may or may not be running on the same computer.

a physical computer dedicated to running one or more such services, to serve the needs of programs running on other computers on the same network.

a software/hardware system (i.e. a software service running on a dedicated computer) such as a database server, file server, mail server, or print server.

A server computer is a computer, or series of computers, that link other computers or electronic devices together. They often provide essential services across a network, either to private users inside a large organization or to public users via the internet. For example, when you enter a query in a search engine, the query is sent from your computer over the internet to the servers that store all the relevant web pages. The results are sent back by the server to your computer.

VPN Server:

A virtual private network (VPN) is a computer network that uses a public telecommunication infrastructure such as the Internet to provide remote offices or individual users with secure access to their organization's network. It aims to avoid an expensive system of owned or leased lines that can be used by only one organization. It encapsulates data transfers using a secure cryptographic method between two or more networked devices which are not on the same private network, so as to keep the transferred data private from other devices on one or more intervening local or wide area networks. There are many different classifications, implementations, and uses for VPNs. This functionality can be implemented using a VPN server.

DMZ:

In computer security, a DMZ, or demilitarized zone, is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet. Information technology professionals normally refer to it as a DMZ; it is sometimes also called a perimeter network. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external attacker only has access to equipment in the DMZ, rather than to any other part of the network.

Reference:

http://www.wikipedia.com

http://www.Howstuffswork.com

Task 3 Answer:

The most common web application attacks are illustrated below.

Remote code execution

SQL injection

Format string vulnerabilities

Cross Site Scripting (XSS)

Username enumeration

Remote code execution

An attacker runs arbitrary, system-level code on the vulnerable server and retrieves any desired information it contains. Improper coding errors lead to this vulnerability. In computer security, arbitrary code execution describes an attacker's ability to execute any commands of the attacker's choice on a target machine or in a target process. The term arbitrary code execution vulnerability describes a software bug that gives an attacker a way to execute arbitrary code, and a program designed to exploit such a vulnerability is called an arbitrary code execution exploit. Most of these vulnerabilities allow the execution of machine code, so most exploits inject and execute shellcode to give an attacker an easy way to run arbitrary commands manually. The ability to trigger arbitrary code execution from one machine on another (especially via a wide-area network such as the Internet) is often referred to as remote code execution. It is the worst effect a bug can have because it allows an attacker to completely take over the vulnerable process and, from there, potentially take complete control of the machine the process is running on. Arbitrary code execution vulnerabilities are commonly exploited by malware to run on a computer without the owner's consent.

Mitigations:

More recent PHP versions have register_globals set to off by default; however, some users will change the default setting for applications that require it. This directive can be set to "on" or "off" either in the php.ini file or in an .htaccess file. If it is set to "on", every variable must be properly initialized before use. Administrators who are unsure should question application developers who insist on using register_globals.

It is an absolute must to sanitize all user input before processing it. As far as possible, avoid using shell commands. However, if they are required, ensure that only filtered data is used to construct the string to be executed and make sure to escape the output.

SQL Injection

SQL injection is a very old approach, but it is still popular among attackers. This technique allows an attacker to retrieve crucial information from a Web server's database. Depending on the application's security measures, the impact of this attack can vary from basic information disclosure to remote code execution and total system compromise. SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or is not strongly typed and is thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.

Mitigations: 

Avoid connecting to the database as a superuser or as the database owner. Always use dedicated database users with the bare minimum privileges required to perform the assigned task.

If the PHP magic_quotes_gpc directive is on, then all POST, GET and COOKIE data is escaped automatically.

PHP has two functions for MySQL that sanitize user input: addslashes (an older approach) and mysql_real_escape_string (the recommended method). mysql_real_escape_string is available from PHP >= 4.3.0, so check first that the function exists and that you are running the latest version of PHP 4 or 5. mysql_real_escape_string prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
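An added example, not the essay's code, written in Python with the sqlite3 module rather than PHP/MySQL: the same login query built by string concatenation and as a parameterized statement, run against a constructed in-memory table, so the effect of an unescaped string-literal delimiter in the input can be checked directly. Parameterization is the stronger form of the escaping the text recommends, because the input can never alter the statement's structure.

```python
import sqlite3

def _demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the web server's database.
    Plaintext passwords only keep the demo short; real stores hold hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "pw-alice", 1), ("bob", "pw-bob", 0)])
    return conn

def login_vulnerable(conn, username: str, password: str) -> list:
    """The defect: the statement is assembled from raw input, so a quote in
    the input ends the string literal and the rest becomes SQL."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]

def login_safe(conn, username: str, password: str) -> list:
    """Parameterized statement: values are bound by the driver and can only
    ever be compared as data, whatever characters they contain."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]

def demo() -> dict:
    """Run both versions with a normal password and with the textbook
    string-literal escape, and return what each one matches."""
    conn = _demo_db()
    injected = "' OR '1'='1"
    return {
        "vuln_normal": login_vulnerable(conn, "alice", "pw-alice"),
        "vuln_injected": login_vulnerable(conn, "x", injected),
        "safe_normal": login_safe(conn, "alice", "pw-alice"),
        "safe_injected": login_safe(conn, "x", injected),
    }
```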

Format String Vulnerabilities

This vulnerability results from the use of unfiltered user input as the format string parameter in certain Perl or C functions that perform formatting, such as C's printf().

A malicious user may use the %s and %x format tokens, among others, to print data from the stack or possibly other locations in memory. One may also write arbitrary data to arbitrary locations using the %n format token, which commands printf() and similar functions to write back the number of bytes formatted. This is assuming that the corresponding argument exists and is of type int * .

Mitigation:

Many compilers can statically check format strings and produce warnings for dangerous or suspect formats. In the GNU Compiler Collection, the relevant compiler flags are -Wall, -Wformat, -Wno-format-extra-args, -Wformat-security, -Wformat-nonliteral and -Wformat=2. This is only useful for detecting bad format strings that are known at compile time. If the format string may come from the user or from a source external to the application, the application must validate the format string before using it. Care must also be taken if the application generates or selects format strings on the fly. Edit the source code so that the input is properly verified.
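The run-time validation step the mitigation calls for, as an added example (not the essay's code) in Python: a checker for a printf-style format string from an untrusted source, run before the string is handed to a C formatting routine. It allowlists conversions and requires the argument count to match, so %n and any specifier that would read past the supplied arguments are rejected; the conversion grammar covered is the common C99 subset.

```python
import re

# One printf conversion: %[flags][width][.precision][length]conversion
_SPEC = re.compile(
    r"%(?P<flags>[-+ #0]*)(?P<width>\*|\d+)?(?:\.(?P<prec>\*|\d+))?"
    r"(?P<length>hh|h|ll|l|L|j|z|t)?(?P<conv>[%diouxXeEfFgGaAcspn])"
)
# Conversions that only read their own argument. %n (writes to memory) and
# %p (prints raw addresses) are deliberately left out.
_SAFE_CONV = set("diouxXeEfFgGaAcs")

def validate_format(fmt: str, argc: int) -> tuple:
    """Return (ok, reason) for a format string that will be used with exactly
    `argc` arguments. Every conversion must be on the allowlist and the number
    of arguments consumed must equal argc, so no specifier can reach beyond the
    supplied arguments into whatever else is on the stack."""
    consumed = 0
    pos = fmt.find("%")
    while pos != -1:
        m = _SPEC.match(fmt, pos)
        if m is None:
            return False, "malformed specifier at offset %d" % pos
        conv = m.group("conv")
        if conv != "%":                      # "%%" is a literal percent sign
            if conv not in _SAFE_CONV:
                return False, "%%%s is not allowed" % conv
            # A '*' width or precision takes an extra int argument of its own
            consumed += 1 + (m.group("width") == "*") + (m.group("prec") == "*")
        pos = fmt.find("%", m.end())
    if consumed != argc:
        return False, "format consumes %d arguments but %d supplied" % (consumed, argc)
    return True, "ok"
```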

Cross Site Scripting

The success of this attack requires the victim to execute a malicious URL which may be crafted in such a manner to appear to be legitimate at first look. When visiting such a crafted URL, an attacker can effectively execute something malicious in the victim's browser. Some malicious javascript, for example, will be run in the context of the web site which possesses the XSS bug.

Mitigation:

The code can be edited in the following manner to avoid XSS attacks, escaping the user-supplied value with htmlspecialchars() before it is echoed into the page (the surrounding markup was lost in extraction; the form field name is assumed):

```php
<?php
// Escape HTML metacharacters so user input is rendered as text, not as markup
$name = isset($_GET['name']) ? $_GET['name'] : '';
$name = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
$html = "<p>Your Name: " . $name . "</p>";
echo ($html);
?>
```

Username enumeration

Username enumeration is a type of attack where the backend validation script tells the attacker if the supplied username is correct or not. Exploiting this vulnerability helps the attacker to experiment with different usernames and determine valid ones with the help of these different error messages.

Mitigation:

Display consistent error messages to prevent disclosure of valid usernames. If trivial accounts have been created for testing purposes, make sure that their passwords are not trivial or that these accounts are removed altogether after testing is over, and before the application is put online.
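An added example (not the essay's code) of the consistent-message mitigation in Python, with the leaky version beside it. Besides returning one message for both failure cases, the mitigated path always performs the password-hash computation, so an unknown username cannot be recognised from a faster response either; the user store, salt and passwords are constructed for the demo.

```python
import hashlib
import hmac

_ITER = 50_000   # PBKDF2 rounds; kept modest so the demo runs quickly

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITER)

# Constructed user store: username -> (salt, password hash)
_SALT = bytes(range(16))
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Dummy credential so a lookup for an unknown user costs the same hashing work
_DUMMY = (_SALT, _hash("placeholder", _SALT))
_GENERIC = "Invalid username or password"

def login_leaky(username: str, password: str) -> tuple:
    """Vulnerable: the two failure messages reveal which usernames exist, and
    the early return makes the unknown-user path measurably faster."""
    if username not in USERS:
        return False, "Unknown username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "Incorrect password"
    return True, "OK"

def login_consistent(username: str, password: str) -> tuple:
    """Mitigated: one message for every failure and the same work on every path.
    The hash is computed before the membership test so it is never skipped."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored) and username in USERS
    return ok, ("OK" if ok else _GENERIC)
```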

Reference:

http://www.securityfocus.com

Task 4 Answer:

NIDS can easily monitor malicious events within a network, giving us a better understanding of the activity taking place on it. A network IDS will also monitor the critical attack avenue from the Internet. On the other hand, we can deploy a few HIDS to monitor network elements which are vulnerable to attack, such as web servers and mail servers. After installing the HIDS sensor software on each server, we can route all the alerts to the database server.

Intrusion detection in a computer network is essential for ensuring the security of that network. By intrusion detection one can monitor the harmful traffic travelling through the network and take the necessary steps to mitigate its harmful effect. By examining each network packet, security professionals can catch malicious activity before it reaches an internal system. This type of examination is known as intrusion detection.

Several types of IDS are available. The most common are described below.

Network intrusion detection systems (NIDS)

host intrusion detection systems (HIDS)

honeypots

Network intrusion detection systems (NIDS)

Network IDS refers to computer systems or network devices that are deployed at various locations on the network to monitor network traffic. Different packet examining software can be deployed on a network segment to monitor and inspect data traffic. Network administrators review header details and peer into the contents of network packets to troubleshoot network problems. NIDS systems consist of at least one sensor, a collector or manager, a database, and a console. Each component has a specific function.

Deciding on the optimal placement of the sensor is crucial to building an effective IDS architecture. Each organization has different needs; however, there are several general guidelines that should be considered:

- Multiple sensors should be deployed. For example, if a router divides the network into three logical segments, companies should deploy three separate NIDS sensors.

- A sensor should be deployed in a manner that ensures the sensor is not overwhelmed by network traffic. Massive amounts of traffic can cause the NIDS sensor to drop packets, which can allow malicious activity to go undetected.

- A NIDS sensor should be placed at every Internet access point. Because an Internet access point offers the greatest avenue of attack, each Internet connection should be monitored.

- A NIDS sensor should be placed at every extranet connection. As with Internet access points, connections with other networks also open unwanted avenues of attack.

- NIDS sensors should be positioned on both sides of a firewall, one in front of a firewall (e.g., connected to the Internet) to see all incoming attacks and one behind a firewall to view only attacks that have made it past the firewall.

The information analyzed by managers is directed to the console for more action. Managers store information in the database and pass real-time alerts to the console. At the console, security professionals react to alerts, run reports on stored information, modify signatures and generally coordinate all NIDS activity. In some organizations, multiple consoles are necessary to facilitate monitoring by multiple console operators.

Advantages:

Simple to implement.

Easy to maintain and upgrade.

Easy to monitor malicious events within a network.

Cost effective.

Do not use system resources of network elements.

Disadvantages:

Cannot monitor a particular host.

Requires extra hardware installation.

Requires investigation to deploy network sensors correctly.

HOST INTRUSION DETECTION (HIDS)

Host intrusion detection complements the functionality of network IDS by monitoring activity on computer systems. HIDS sensors monitor traffic on the host itself. However, much like NIDS, the HIDS sensor can compare data to a list of known signatures and generate an event for any data that matches a signature.

Advantages:

Easy to monitor malicious events within a single host.

Simple in design.

No hardware setup is required.

Disadvantages:

Cannot monitor malicious events on the network.

Complex to implement.

Difficult to maintain and upgrade.

Not cost effective, as we have to install software on every server or computer that we want to monitor.

Uses system resources on the machine it runs on.

HONEYPOTS

A honeypot is a computer system that masks its identity and invites abuse in order to collect information on attackers. There are a number of tools that can be installed on a honeypot, and a honeypot can serve any number of purposes. For example, a Linux server can be configured to respond like a Windows machine in order to record malicious attacks against Windows hosts.

Advantages:

Honeypots are easy to configure.

There are no industry standard software packages for honeypots; instead, honeypots are installed with whatever tools are necessary.

They can buy time against intruders' attacks.

Disadvantages:

Their flexibility may demand many labour hours in maintenance.

A honeypot that is constantly attacked may require frequent rebuilds and software updates.

Recommendations to the company about Intrusion Detection and Prevention with justification:

After analyzing all the IDS types, we come to the conclusion that no single piece of software, hardware or IDS can detect every intrusion; therefore we need to design a combined system that includes NIDS, HIDS and honeypots, which also makes our system cost effective.

Information required during a breach:

We can gather different types of information during a breach, depending on the nature of the attack. Many factors go into making this determination:

Every network develops its own "personality" and a false positive on one network may be an attack on another network.

To form a larger picture of a possible attack, the operator looks at other events, such as those generated at approximately the same time period, or events from the same source IP address, or destination IP address.

If an operator is still unsure, he performs his own analysis or hands off the information to an IDS analyst.

If the malicious activity is determined to be an attack, the operator or analyst takes responsive action.
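The operator's triage described in the points above, as an added example (not from the essay): alerts from a constructed NIDS alert feed are clustered by source IP inside a time window, a per-network list of known-benign signatures models the network's "personality", and only clusters that reach a threshold are escalated for responsive action. The alert format, addresses, signatures and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed NIDS alerts: (timestamp, source IP, destination IP, signature)
ALERTS = [
    ("2016-10-21 20:01:05", "203.0.113.7", "192.0.2.10", "WEB-ATTACK sql injection attempt"),
    ("2016-10-21 20:01:09", "203.0.113.7", "192.0.2.10", "WEB-ATTACK xss attempt"),
    ("2016-10-21 20:01:40", "203.0.113.7", "192.0.2.11", "SCAN port sweep"),
    ("2016-10-21 20:30:00", "198.51.100.4", "192.0.2.10", "WEB-ATTACK sql injection attempt"),
    ("2016-10-21 20:31:00", "198.51.100.4", "192.0.2.10", "POLICY backup agent heartbeat"),
    ("2016-10-21 20:45:12", "203.0.113.7", "192.0.2.12", "SMTP relay attempt"),
]

def parse(alert):
    ts, src, dst, sig = alert
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, sig

def correlate(alerts, window=timedelta(minutes=5), threshold=3, benign=frozenset()):
    """Cluster alerts by source IP inside a sliding time window and return the
    clusters that reach `threshold` events: the ones an operator escalates
    rather than dismisses as an isolated false positive. `benign` holds the
    signatures this particular network has learned to ignore."""
    by_src = defaultdict(list)
    for a in alerts:
        ts, src, dst, sig = parse(a)
        if sig not in benign:
            by_src[src].append((ts, dst, sig))
    incidents = []
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits the window
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                cluster = events[start:end + 1]
                incidents.append({
                    "src": src,
                    "first": cluster[0][0], "last": cluster[-1][0],
                    "targets": sorted({e[1] for e in cluster}),
                    "signatures": sorted({e[2] for e in cluster}),
                })
                break   # one escalation per source is enough for the operator
    return incidents
```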

Reference: http://www.securityfocus.com

Task 5 Answer: Mental Poker

Computer networks, and especially the Internet, have allowed some common activities such as shopping or gambling to become remote (e-shopping and e-gambling). Mental poker is a card game played over the telephone or the Internet by two or more persons, with no trusted third party to shuffle the cards. There are between 2 and 10 players and an (imaginary) pack of 52 standard cards. Each player is dealt 5 cards, then there is a round of betting, after which all players' hands are revealed. This last requirement is not a desired situation, as in poker the ability to bluff is important. In this game the players have disjoint hands, and players can have any possible hand. No player can discover another player's hand.

Basics of poker and how it is played:

Here we briefly describe the basics of poker and how it is played.

Card Abbreviations and Ranks

Here is a list of card abbreviations and their ranks:

A - Ace ("bullet")

K- King ("cowboy")

Q - Queen

J - Jack ("hook")

T - Ten

9 - Nine

8 - Eight

7 - Seven

6 - Six

5 - Five

4 - Four

3 - Three

2 - Two ("deuce" "duck")

AA - Pair of aces

AK - Ace and king ("big slick")

Q9s - Queen and nine, suited

In order to succeed at poker, we must memorize the ranking of hands. All poker players should know, for instance, that a flush beats a straight. Here is the ranking, from the strongest to the weakest hand.

Royal Flush: A royal flush is a straight flush with the ace as the highest of the five cards. For example: A-K-Q-J-T.

Straight Flush: A straight flush is a straight all of the same suit. For example: 9-8-7-6-5. In the case of two straight flushes during one hand, the one containing the highest card is the winner. The pot is split if both players have the same high card. (A "hand" can mean either the cards in a player's hand or a round of play; in this case, "hand" refers to a round of play.)

Four of a Kind: Four cards of the same rank. For example: 9-9-9-9. Four of a kind is often referred to as "quads." The highest four of a kind is four aces, followed by four kings, on down to four twos.

Full House: A full house consists of three of a kind and two of a kind. For example: K-K-K-6-6. This would be called "kings full of sixes." If there are two full houses during one hand, the one with the largest three of a kind wins. In Texas Hold'em, it is possible for two players to have the same three of a kind; in those situations the pairs determine the winner. If two players have identical hands, the pot is split.

Flush: A flush consists of five cards of the same suit. For example: K-J-9-7-2. In the event of two flushes during one hand, the flush with the highest card wins. If they are the same rank, it goes to the next highest card, and on down to the fifth card if necessary. If the two hands are identical, the pot is split between the winners.

Straight: A straight consists of five cards of any suit in order. For example: Q-J-T-9-8. As with the other hands, in the event of two straights, the one that starts with the highest rank wins. Aces can be used as a high card above a king or as a low card below a two to make a straight. You can't, however, use a king, ace, two sequence; and an ace below a two cannot be used as the high card.

Three of a kind: Three of the same rank. For example: Q-Q-Q. Three of a kind is often called a "set" or "trips."

Two Pairs: Four cards of two ranks. For example: J-J-6-6. This would be called "Jacks up." In the event of two players holding two pairs at the same time, the highest pair wins.

One Pair: Two cards of the same rank. For example: 8-8. If two players have an identical pair, such as two aces,

High Card: In the event no player has a hand containing at least one pair, the hand with the highest card is the winner. The rank of cards starting from highest is ace, king, queen, jack, 10, 9, 8, 7, 6, 5, 4, 3, 2, and 1 if the ace is used as a 1.

Problems associated with mental poker:

Cheating is generally harder to catch in mental poker; one form of it is collusion, where players share their cards with one another to help them make better choices about the odds. For the most part this cheating is not very beneficial to the cheaters, except in a few situations where the information may actually help. With more than 2 players in on it, however, it may become a problem, for instance when 4 players are all sharing information. This is difficult to catch because the cheaters will fold their hand when they realize another one of theirs has a stronger hand. Since you can't see mucked cards online, it is impossible to know if people are folding monsters. However, the poker site may or may not be able to detect this type of play. For instance, if a flop showed A/K/2 and cheater #1 held KK while cheater #2 held AK, and cheater #2 folded to a bet from cheater #1, there should (one would hope) be some warning bells raised from the server end.

Lastly, there have been inquiries about the possibility of cheat software or ways to view your opponent's cards. Obviously these inquiries are usually made by players who want to cheat instead of the worried players.

Problem Solving Scheme:

Better performance through increased trust

Any mental poker protocol that relies on the players to perform the encryption is bound by the requirement that every player encrypt every card that is dealt. However, by making limited assumptions about the trustworthiness of third parties, significantly more efficient protocols may be realized. The protocol for choosing cards without shuffling may be adapted so that the encryption is handled by two or more servers. Under the assumption that the servers are non-colluding, such a protocol is secure.

The basic protocol using two servers is as follows:

Servers S1 and S2 encrypt and shuffle a deck of cards, and publish a non-malleable commitment to some permutation of encrypted cards to the players. This can be done with any of several well-understood cryptographic protocols.

Players compute independent random numbers in {0,...,51}, which are combined to generate a random number in {0,...,51}, as in [GOL05].

The random number is used as an index into the random permutation, the appropriate player gains "ownership" of the specified card, and the servers send that player the keys to read the card's value.

In this protocol, servers S1 and S2 must collude if either is to learn the values of any cards. Furthermore, because the players ultimately decide which cards are dealt, non-trustworthy servers are unable to influence the game to the extent that is possible in traditional online poker.
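An added simulation (not from the essay or from [GOL05]) of the three steps above: each server layers one-time XOR keys and a secret shuffle over the deck and a hash commitment to the result is published, the players pick the index by commit-then-reveal so that no one can bias the sum after seeing the others' numbers, and reading a card needs a key from each server. Per-slot random XOR keys stand in for the real encryption, and the reveal step here does not hide the dealt card from S1.

```python
import hashlib
import secrets

DECK, BLOCK = 52, 16

def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def plain_deck():
    # Card c is a 16-byte block: the card index followed by a zero pad that
    # lets the reader check that a decryption came out right.
    return [bytes([c]) + bytes(BLOCK - 1) for c in range(DECK)]

class Server:
    """One of the two servers: a fresh one-time key per slot plus a secret shuffle."""
    def __init__(self):
        self.keys = [secrets.token_bytes(BLOCK) for _ in range(DECK)]
        self.perm = list(range(DECK))            # slot i moves to position perm[i]
        secrets.SystemRandom().shuffle(self.perm)

    def encrypt_and_shuffle(self, deck):
        out = [b""] * DECK
        for i, block in enumerate(deck):
            out[self.perm[i]] = _xor(block, self.keys[i])
        return out

    def release_key(self, position):
        """Key for an output position, plus the input slot it came from."""
        slot = self.perm.index(position)
        return self.keys[slot], slot

def deal_setup(s1, s2):
    """Step 1: both servers encrypt and shuffle; a hash commitment is published."""
    deck = s2.encrypt_and_shuffle(s1.encrypt_and_shuffle(plain_deck()))
    nonce = secrets.token_bytes(16)
    return deck, nonce, _h(nonce, *deck)

def verify_commitment(deck, nonce, commitment):
    return _h(nonce, *deck) == commitment

class Player:
    """Step 2: each player contributes a random number by commit-then-reveal."""
    def __init__(self):
        self.r = secrets.randbelow(DECK)
        self.nonce = secrets.token_bytes(16)
    def commit(self):
        return _h(bytes([self.r]), self.nonce)
    def reveal(self):
        return self.r, self.nonce

def choose_index(players):
    commits = [p.commit() for p in players]          # everyone commits first ...
    reveals = [p.reveal() for p in players]          # ... then everyone reveals
    for c, (r, n) in zip(commits, reveals):
        if _h(bytes([r]), n) != c:
            raise ValueError("player reveal does not match commitment")
    return sum(r for r, _ in reveals) % DECK        # uniform if any one r is

def read_card(deck, index, s1, s2):
    """Step 3: the owner needs S2's key for the position and S1's key for the
    slot underneath it; with only one key the block is still uniformly random."""
    k2, slot1 = s2.release_key(index)
    k1, _ = s1.release_key(slot1)
    block = _xor(_xor(deck[index], k2), k1)
    if block[1:] != bytes(BLOCK - 1):
        raise ValueError("decryption failed: pad mismatch")
    return block[0]

def play(players=3):
    s1, s2 = Server(), Server()
    deck, nonce, commitment = deal_setup(s1, s2)
    index = choose_index([Player() for _ in range(players)])
    return verify_commitment(deck, nonce, commitment), index, read_card(deck, index, s1, s2)
```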
