The key issues described in the Security Threats article reveal the numerous ways that an internet application might become compromised by various external threats such as hackers. The purpose of the article is to highlight the more common threats and security weaknesses, to show how hackers might utilize different methods of accessing information. Each of the threats are given a brief description on how they might become exploited and the type of risk they present. The key issues are identified as follows:
• Cookies, which are temporary text files that are used in order for a system to recognize a particular user; however, these text files often involve making usernames and passwords visible within the text file, making them easily exploitable.
• Debugging information, which is code used to identify potential errors within the application; however, if this debugging information is not turned off before the application is made available to the public, it can become exploited by hackers who add additional information through accessing the Query String, allowing them to find identifiable information.
• Unused Open Connections, which might be opened for a variety of reasons such as performing tests on a server; however, if these connections remain unused, they can be potentially accessed by hackers to gain information on a database.
• Improper session handling, which is similar to an unused open connection but involves connections that are left open even if an application is logged off, allowing hackers access to a page without providing authentication.
• SQL Injection, which involves including queries to a server that are specifically designed to return a known value, effectively fooling the server into returning information that is sensitive or normally inaccessible.
• Unsecure Server Privileges, which refers to access by someone not normally granted access to a network.
• Scripting errors and code, which describes how poorly written code can be exploited if the application’s code itself has flaws in its algorithms.
• Data mining applications, which are applications designed to track an internet user’s behavior; the information gained from a data mining app might include personal details such as spending habits and lifestyle choices.
• Phishing, which involves queries sent to a user designed to fool the user into providing sensitive information, such as username or password data, which can subsequently be used by a hacker to gain access to a system.
• DOS Attacks, or denial of service attacks, which involves a number of simultaneous queries or attempts to access a system to the point where the system is overloaded; this has the effect of basically shutting down a site, which can be very disruptive to a business organization.
• Other forms of attacks, such as those targeted against vulnerable websites where special query strings disrupt a network and cause it to crash.
The various types of attacks described in the article not only describe the various methods of attacks that hackers might use, but also addresses various reasons a system might be attacked. Thus, this comprehensive list reveals the necessity of providing adequate security against different types of threats that seek to gain unauthorized access or disrupt a network of functioning. By understanding both the motivation and methods for an attack, security measures can be designed to thwart against these types of intrusions.
The motivation for attacks tends to fall under one of two main categories: attacks that are meant to gain unauthorized access to a network, and those that are designed to disrupt a network, such as DOS attacks. In the first instance, the attempt to gain access to unauthorized information might be motivated by seeking sensitive financial data, such as credit card information, or it could be used to identify personal information that might be used to exploit an individual or organization. In the second, involving disruptive attacks, the attack is motivated to cause harm or disruption to a website or service. In this instance, sensitive information may not be targeted, but instead the focus is on making a website or service essentially crash and become inaccessible.
The variety of attacks also highlight the numerous security cautions that should be in place when designing a security system. For instance, guarding against one type of attack, such as ensuring that application code does not have inherent flaws or scripting errors that might be exploited by hackers, does not ensure that a security application is adequate against other types of attacks, such as SQL injections. Thus, security systems should address all types of potential threats, in order to minimize the threat of external attacks which may take a variety of forms.
The article also reveals that several types of threats do not necessarily come from security flaws, but from methods that hackers and other malicious agents might use in order to cause disruption to a service. For instance, DOS attacks do not inherently indicate a vulnerability in a security system; these types of attacks when someone simply targets a website with requests for information to the point of essentially overloading the site, making it crash. In this instance, security measures would include finding ways to increase the amount of server capability or other aspect of the system in order to handle excessive requests. However, this might cause a substantial financial investment that an organization does not have, and the cost of ensuring against these types of attacks may come down to the amount of perceived threat. For instance, a website for a small business may indeed crash if targeted, but because these types of attacks are not intended to access sensitive information and instead simply intended to be disruptive, the actual risk may be low.
However, for a major e-commerce site that handles much of its business operations online, a DOS attack that disrupts service can be significantly disruptive and costly, as it may not only cause the business to lose potential customers, but can also lead to customer complaints, delays and negative press if the attack becomes publicized. Therefore, each business will need to identify the specific risks likely to occur and ensure security measures in place. Nevertheless, for a DOS attack of significance, there is no security measure that would absolutely guarantee a system does not become vulnerable to this type of attack.
Additionally, the article reveals numerous threats that do not involve a specific exploit or even a technologically advanced means of obtaining sensitive data; for instance, phishing schemes might be targeted toward users of a network, and in these instances, a user might be fooled into believing a fraudulent email requesting sensitive information such as a password is legitimate. However, once the information is handed over, the malicious agent can use the information to gain access to a network, and if savvy enough, once access is gained then the agent might identify potential other exploits and access information that even the user targeted in a phishing scheme might not be able to access. The specific threat in this type of scheme is that unauthorized access gained in this manner becomes extremely difficult to detect, as the point of access does not rely on a technical flaw and the system will be fooled into simply thinking the unauthorized person has legitimate access based on a recognized and authentic password being used to gain entry.
The implications of the article is that due to the numerous threats that exist, ensuring that security vulnerabilities are addressed is an essential goal of any business, let alone ones that focus primarily on e-commerce as a central aspect. If information is compromised, it can have serious ramifications for a business; this has been evidenced in numerous publicized attacks that have already happened to major corporations such as Sony, Target and Microsoft, all of which faced different types of attacks in recent years. In each of these instances, the motivation behind the attacks were different, which reveals how these various types of attacks can disrupt an organization. In the Sony attack, illegal access to internal systems resulted in the loss of sensitive information, such as embarrassing emails and even intellectual properties such as films that were eventually distributed online before their release date. In the Target situation, the motivation was purely financial, as hackers were able to gain access to internal data that revealed customers’ financial records and credit card numbers. In the Microsoft instance, customer anger over gaming services led to a DOS attack that disrupted Microsoft’s online services for a short period of time. The variety of these threats are indeed real, as has been evidenced by these recent real-world experiences.
The challenge with addressing security threats is that they are constantly evolving, and there is no guarantee that security protocols will be successful against all types of threats. There is also the potential that inadequate resources made available to security measures will result in easily compromised security systems, and that some exploits do not even involve a particular vulnerability that resides on the security system itself. Many exploits and attacks are designed to escape detection, so by the time these intrusions are identified, the damage will already have been done. Considering adequate security protocols can therefore be daunting, as it requires financial investment and knowledgable programmers and other computer technology professionals who know how to recognize and protect against potential exploits. Decisions made regarding security protocols will also need to be authorized by management and other higher-ups within a company who will need to be convinced that the threat exists. Thus, security protocols should involve consideration of both the technology being used as well as internal policies, such as how password and username information is handled, in order to reduce the threat.
However, even if security systems are adequately addressed, as technology continues to evolve there will be other threats that become accessible. Hackers and other malicious agents are constantly looking to find new ways to exploit systems, so anticipating new threats as they emerge can be difficult. Nevertheless, if adequate security systems are in place the threat will be reduced, so addressing security threats should be a key component of internal security measures even though there is no guarantee that an organization will remain free from all external threats. Security should therefore correlate with the amount of perceived threat, along with an understanding of the type of harm that might occur if an exploit happens. In some instances, these types of attacks can be extremely damaging to a company, as not only will sales be lost but public trust may diminish over time. Therefore, understanding exactly how hackers identify targets, including the various motivations that might exist for hackers and other malicious agents, will hopefully encourage businesses to ensure that all sensitive data is secure as much as possible, particularly in a world where most information is stored digitally, and therefore vulnerable to an online attack or exploit.
- Research Journal Science and Tech 8(3): July-September 2016, pp. 146-149