(Fortify Software Inc., 2008); (Fortify Software, n. d.)
Servers are targets of security attacks because they hold valuable data and services. For instance, if a server contains personal information about employees, it can become a target for identity theft. All types of servers, including file, database, web, email and infrastructure management servers, are vulnerable to security attacks, with the threat coming from both external and internal sources.
Some of the server problems that can jeopardize its security include:
(i) Weakly encrypted or unencrypted information, especially of a sensitive nature, can be intercepted for malicious use while being transmitted from server to client.
(ii) Software bugs present in the server operating system or server hardware may be exploited to gain illegal access to the system.
(iii) The server and its related network infrastructure may become the target of Denial of Service (DoS) attacks that prevent valid users from getting in.
(iv) Inability to prevent unauthorized access to the server may result in vital information being read or changed by unauthorized users.
(v) Once a hacker breaks into the server system, it becomes easy to manipulate or destroy other resources linked to the organization's server. External servers may also be targeted and viruses placed in the system to exploit the loopholes present in the compromised system. (Scarfone; Jansen; Tracy, 2008)
(vi) Non-standardized software configurations which do not adhere to the security policy of the organization.
(vii) Lack of a company-wide system-security policy.
(viii) Server complexity, which is itself a source of many server security problems.
(ix) Failure to assign file system permissions such as read, write and execute.
(x) Lack of separation of privileges on the server. For example, the roles of database administrator and system administrator should be kept separate.
(xi) Failure to keep logs and records. Logs and records provide valuable information about the methods and means of a security breach, which can be used to prevent future attacks.
(xii) Allowing remote administration of the server without proper planning and risk analysis.
One of the main server problems leading to a compromise of system security is the use of general-purpose operating systems without proper configuration. Default configurations are aimed at user friendliness, not security. (Scarfone; Jansen; Tracy, 2008)
Therefore, it is essential to change the default software and hardware configurations in favor of a configuration with the following features:
(i) Removal or disabling of unnecessary applications, network protocols and services.
(ii) Installation of patches or upgrading of the OS.
(iii) Security testing of the OS.
(iv) Configuration of user authentication in the OS.
(v) Installation of extra security controls and applications such as a host-based firewall, network-based firewall, packet-filtering router, mail gateways, proxy, and antivirus applications.
(vi) Configuration of resource controls. (Scarfone; Jansen; Tracy, 2008)
An "Intrusion Detection System," a second line of defense for a system's security, identifies an intruder who has gained unauthorized access to the computer system and can disable or foil the intrusion rapidly, before any damage is done. The faster an intrusion is exposed, the more rapidly a recovery plan can be implemented and the less damage is done to the system. Installing a good intrusion detection system also acts as a preventive measure, discouraging potential intruders. Intrusion detection systems generate vital information about intrusion methods, which can help make the detection system more robust. The idea behind the intrusion detection principle is that an intruder's behavior will differ from a valid user's behavior. Since the two behaviors overlap in many cases, the distinction may be very subtle and often blurred, leading to "false positives" (where valid users are mistaken for intruders) and "false negatives" (where intrusion activity is taken to be valid). Therefore, intrusion detection requires skill as well as a certain degree of compromise, which may be essential in order to safeguard vital system data. The challenge lies in identifying the misfeasor (a valid user or insider trying to gain access in an unauthorized manner) and the clandestine user. (Stallings, 2006); (Trcek, 2006)
Intrusion detection systems generally follow two approaches. These are: (a) Statistical anomaly detection and (b) Rule-based detection. Statistical anomaly detection involves collecting legitimate user behavior over a certain time period. This data is subjected to statistical tests to determine legitimate and unauthorized behavior with a high degree of confidence. Statistical...
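The following is an added example, not part of the original essay, that puts the two approaches side by side on constructed login data: a statistical anomaly detector scores each user's daily login count against a baseline collected over ten days, a rule-based detector fires on a fixed failed-login limit, and both are scored for the false positives and false negatives discussed above. The users, counts and ground-truth labels are all made up for the illustration.

```python
"""Statistical anomaly detection beside rule-based detection, run over a
constructed set of login events (sample data, not from any real system)."""
from statistics import mean, pstdev

# Constructed baseline: each user's successful logins per day, gathered
# over ten days of legitimate activity (the collection period).
BASELINE = {
    "alice": [4, 5, 3, 6, 4, 5, 4, 5, 3, 5],
    "bob":   [1, 0, 2, 1, 1, 0, 1, 2, 1, 1],
}

# Constructed events for one day: (user, logins, failed_logins, truth).
# `truth` is hidden ground truth, used only to score the detectors.
EVENTS = [
    ("alice", 5, 0, "legit"),
    ("alice", 25, 0, "intrusion"),  # stolen credential driven by a script
    ("bob", 2, 12, "intrusion"),    # password guessing, mostly failing
    ("bob", 1, 0, "legit"),
    ("alice", 9, 0, "legit"),       # unusually busy but legitimate day
    ("bob", 1, 7, "legit"),         # user mistyping a newly changed password
]

def z_score(user, logins, baseline=BASELINE):
    """Standard deviations between today's login count and the user's norm."""
    hist = baseline[user]
    sd = pstdev(hist) or 1.0  # flat history: avoid division by zero
    return (logins - mean(hist)) / sd

def statistical_detector(user, logins, failed, threshold=3.0):
    """Anomaly detection: alert when the login count is far from baseline."""
    return abs(z_score(user, logins)) > threshold

def rule_detector(user, logins, failed, max_failed=5):
    """Rule-based detection: alert on more than max_failed failed logins."""
    return failed > max_failed

def evaluate(detector, events=EVENTS):
    """Return (false_positives, false_negatives) for a detector."""
    fp = fn = 0
    for user, logins, failed, truth in events:
        alerted = detector(user, logins, failed)
        fp += int(alerted and truth == "legit")
        fn += int(not alerted and truth == "intrusion")
    return fp, fn

if __name__ == "__main__":
    for name, det in [("statistical", statistical_detector),
                      ("rule-based", rule_detector)]:
        print(name, "false positives/negatives:", evaluate(det))
```

On this data each detector produces one false positive and one false negative, but on different events: the statistical detector misses the password-guessing attempt because the successful-login count stays normal, while the rule misses the scripted use of a stolen credential because nothing fails. Running both catches both intrusions at the cost of two false positives, which is the compromise the text refers to.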