The likelihood that companies will be hit with a security attack is growing, and chief information officers need contingency plans for how to deal with mounting threats. Computer Economics, a Carlsbad, California, research firm, estimates that computer crime will grow more than 200 percent in 2002 and Internet fraud/viruses more than 100 percent.

"A firm foundation is required to develop satisfactory security protection and that foundation is an organizational security policy that covers all the necessary contingencies," says Michael Erbschloe, vice president of research at Computer Economics. "Among those contingencies are procedures for installing applications, e-mail and Internet practices, IT user policies, password protection, downloading data considerations and network monitoring. The policy must provide a plan for responding to security attacks, and that plan must be rehearsed through dry runs and other simulated methods."

There are several potential security weaknesses in corporate Web sites, he says. They include:

  • Buffer overflow – This type of attack floods a server with data in an attempt to crash the system. The classic example of buffer overflow is attempting to store more data in the field of an HTML form than the field can contain.
  • Back doors – Developers often leave a back door into applications that permit them to troubleshoot the software without going through standard security such as authentication and logging on. These holes often remain in deployed software, and hackers exploit them to gain unauthorized system access.
  • CGI scripting – Changing HTML forms that are processed by CGI scripts can allow changing or deleting files.
  • Detecting hidden HTML data – Some applications bury passwords in HTML form fields. Unfortunately, this information is easily detected by determined hackers through such means as source viewing and becomes the key to opening a site to theft.
  • Failing to update – Software vendors issue patches as they discover security holes in their products, but many users fail to maintain their applications. All patches should be installed as soon as possible.
  • Illegal browsing – Some systems provide so little protection that unauthorized users can browse Web pages that should require authentication for access. Once into the page, the hacker can steal proprietary information.
  • Malicious scripts – The attacker disguises JavaScript code as an innocent HTML form. When the message is read, the JavaScript tags along and is executed by the browser on the client with disastrous results.
  • Poison cookies – Web sites frequently store identity information, passwords, account numbers or other sensitive data in cookies. Criminals seeking to illegally enter a site or to damage it can steal this content.
  • URL manipulation – URLs can sometimes be changed to enable unauthorized users to break into back-end databases of Web applications. Naïve developers frequently include SQL calls in the URL, which enable hackers to acquire credit card numbers and other customer information.

"The soft spots in Web applications range from clients to firewalls, servers and databases," Erbschloe says. "Learning the technical basics of possible problem areas will provide a foundation to discourage intruders."
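To make the URL-manipulation item concrete, here is an added example (written for this edit, not code from the article or from Computer Economics) contrasting the pattern the list warns about with a hardened handler. The `customers` table, the URLs and the function names are constructed for illustration.

```python
import re
import sqlite3
from urllib.parse import urlparse, parse_qs

# Constructed sample data (not from the article): a tiny customer table in memory.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(41, "Ann", "1234"), (42, "Bob", "9876")])
    return conn

def _id_param(url):
    # Pull the 'id' query parameter out of the URL, or "" if absent.
    return parse_qs(urlparse(url).query).get("id", [""])[0]

def unsafe_sql(url):
    """The weakness described above: the raw URL parameter is spliced straight
    into the SQL text, so whatever the client sent becomes part of the query."""
    return "SELECT name FROM customers WHERE id = " + _id_param(url)

def lookup_customer(conn, url):
    """Hardened version: validate the parameter strictly (plain ASCII digits only),
    then pass it to the database as a bound value, never as query text."""
    raw_id = _id_param(url)
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        return None  # tampered or malformed parameter: refuse rather than guess
    row = conn.execute("SELECT name FROM customers WHERE id = ?", (int(raw_id),)).fetchone()
    return row[0] if row else None
```

A rejected lookup is also the place to log the request, since a stream of malformed `id` values is a useful tamper signal for monitoring.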
