(Study Program)
The web provides a platform for interaction between different types of web users, such as organizations, employees, customers and businesses. Web users interact through HTML with web applications that reside on web servers. Web traffic was originally designed to carry legitimate messages; however, as the technology has changed, criminals often use this interaction to exploit security weak points. Web applications are therefore prone to different types of web attacks, some of which are as follows:
- Cross Site Scripting (XSS)
XSS attacks are web-based attacks in which the attacker injects malicious code, in the form of browser-side scripts, into trusted websites. The attacker crafts a page that looks genuine but is designed to cause harm. When victims visit that page, their browsers execute the malicious code, and if the attack succeeds it affects their systems. To mitigate such attacks, it is imperative to perform data integrity checks and to restrict user input to alphanumeric characters only. Formatting user data so that the browser cannot interpret it as script also helps.
- SQL Injection
SQL injection is a web-based attack that exploits weaknesses in web application systems to modify the information in the database. Most web developers fail to validate user input so that it cannot contain unnecessary special characters, and intruders use such characters to execute malicious commands through the web application. To alleviate this risk, web administrators must devise proper mechanisms for handling user input and ensure proper security controls on database access.
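A lookup built by string concatenation beside its parameterized form, as an added Python example (not code from the original essay; the in-memory users table and its rows are constructed for illustration) showing how unnecessary special characters in user input change what the concatenated query does:

```python
import sqlite3

# Constructed sample rows standing in for a web application's user store.
SAMPLE_USERS = [("alice", "admin"), ("bob", "staff")]


def build_db() -> sqlite3.Connection:
    """Creates an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the statement by concatenation, the pattern the text describes:
    a quote or an OR clause inside the input becomes part of the SQL itself."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the input is bound as a parameter, so the database
    treats it purely as data and matches its characters literally."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def rows_for(lookup, username: str) -> list:
    """Runs one lookup function against a fresh copy of the sample database."""
    conn = build_db()
    try:
        return lookup(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    probe = "' OR '1'='1"  # input with a quote and an OR clause
    print(rows_for(lookup_vulnerable, "alice"))       # one row
    print(rows_for(lookup_vulnerable, probe))         # every row: query rewritten
    print(rows_for(lookup_parameterized, probe))      # no rows: matched literally
```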
- Server Side Includes (SSI)
SSIs are web application features that let HTML pages behave dynamically: directives embedded in a page execute before the page loads or while a web user is viewing it. The web server evaluates SSI directives before delivering pages to users. SSI attacks use the web application or user input to inject malicious directives into HTML pages so that the server executes them. To prevent SSI attacks, disable SSI on pages where it is not necessary; this reduces the chance of an attacker compromising the system through such an attack.
[Figure: a typical diagram indicating the prevention of DoS attacks; the image is not reproduced here.]
Security risks in U.S. Government Websites
All websites are prone to web attacks; however, the web security practices that website administrators deploy dictate the extent to which their websites remain vulnerable. Government websites are among the most widely targeted. It is therefore important for the administrators of such websites to enact the most secure policies in order to safeguard against, or minimize the possibility of, web attacks. In some previous instances, U.S. government websites faced security risks that were neither recognized as such nor dealt with. The potential reasons for this include the following:
- Non-Compliance with DNSSEC technology
Cyber security professionals have in the past warned IT departments in government institutions to adopt DNSSEC. The technology adds an additional layer of authentication to the domain name lookups for websites, preventing intruders from redirecting web traffic from government sites to fake websites. Government agencies had a deadline of 2009 to implement DNSSEC on their websites; however, 40% of the agencies had yet to comply with the directive. This may be one reason why web-related risks in such agencies were not dealt with.
- Low-risk levels
Some government websites provide only basic information about specific government services. Such services may remain unchanged for long periods, so the websites that describe them also tend to stay static until new services are introduced. An attack on such a website, particularly where no user interaction is involved, would have less severe consequences than an attack on a dynamic website with a lot of user interaction, and administrators can easily restore a static site after an attack. Because of this low risk level, web-based threats to such sites may go unaddressed.
Mitigation Measures
The government plays a big role in alleviating web-based attacks on government websites. Mitigations the government could deploy to prevent web attacks include the following:
- Enacting rules and regulations to make all government websites DNSSEC compliant: The government has the power to enact IT rules and regulations that help prevent and manage cyberspace attacks. The main objective of such laws should be precautionary: to detect and avert attacks based on web application vulnerabilities. To enforce them, the government should impose punitive measures on government agencies that are reluctant to adhere to the rules and regulations; a sample punitive measure would be refusing to renew licenses for non-compliance. Such a move would see almost all government agencies implement IT policies and procedures that improve web-based security.
- IT security awareness: The government could facilitate IT workshops in which professionals train government employees in the best computing security practices. This equips all employees with the basic and moderate skills needed for IT practices that alleviate or minimize web-based attacks.