Introduction
Internet or web security is a branch of computer network security concerned with the procedures and regulations used to guard against internet intrusions and attacks. The web provides a channel for communication and for exchanging crucial information, and it is currently the leading channel for doing business. However, it is also the most insecure channel for communicating such crucial information. ‘Companies and Internet Service Providers (ISP) have developed several schemes such as encryption to protect internet users’. Hackers have nevertheless been able to bypass these measures and continue to attack internet users.
Privacy is becoming a primary concern for internet users, whether their personal data is collected with informed consent or without it. This implies that internet users and the providers of online services should be able to guarantee privacy when online. Anonymity when communicating via the internet has become significant to most internet users, mainly because most websites today log various personal details for diverse purposes such as marketing, surveys and maintaining a database of web page visitors. Addressing the issue of web privacy requires the implementation of strict electronic privacy laws and policies through internet regulation.
Current Happenings
Research has found that web security may be undermined by technical issues in the design of systems. However, studies of individual incidents and common targets provide a more in-depth analysis of the manoeuvres used by hackers and the motives behind such attacks. A database called the Web Hacking Incidents Database (WHID) has been developed to keep a record of hacking incidents, and it has since revealed a common trend taking root among internet hackers.
The 2009 analysis of the WHID revealed that social websites were the most commonly attacked websites in the world. It also exposed that the most ‘commonly used method for intrusion was via Standard Query Language (SQL) injection into a website's code’. This method alone accounts for nearly 20 percent of all internet intrusions. Social websites such as Facebook and Twitter were found to be the most vulnerable sites. One in every five attacks carried out on the web targeted social websites. An in-depth analysis identified two methods devised by the hackers.
One of the methods is the cross-site scripting (XSS) worm: malicious code written in JavaScript that is injected into popular websites. The code propagates itself across the site, and if a user accesses such a website the worm lodges itself on the user's computer and accesses the credentials of its new host. That way, the creator of the worm can access the user's personal information.
In some separate cases, a different method was used. This method exploits weaknesses in the automated code used to change log-in credentials. Hackers wait for the moment when system credentials are being changed and observe the new credentials. An example of such an attack occurred against the Twitter Admin Account Password Reset Tool. ‘Twitter Admin Passwords are made to reset at random intervals’. This Twitter admin password is meant to protect 33 high-profile Twitter accounts of very important persons around the world, including that of President Obama. The hackers managed to attack this admin system because of a weakness inherent in the automated reset tool.
The leading motive behind most internet attacks in the world is crime. Contrary to common belief, hackers do not perform such intrusions for the sake of fame and glory; instead, they do so for a living and for money. Several people in the world would benefit from private information found on the web, and such persons would pay hackers to perform such intrusions. In some cases, hackers were found to attack websites so that they would benefit professionally, seeking to advance a much greater motive.
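The following added example (not from the page) models the stored-script problem described above on a constructed social-site profile record: rendering an untrusted bio field unchanged versus HTML-escaping it at output time, which is the standard defence against stored XSS.

```python
import html

# Constructed profile record: the "bio" field is user-controlled text that the
# site stores and later shows to every visitor of the profile page.
PROFILE = {
    "name": "mallory",
    "bio": "hi <script>document.title='owned'</script>",
}

def render_profile_unsafe(profile):
    # Vulnerable: stored text is concatenated into the page unchanged, so a
    # <script> element in the bio runs in every visitor's browser.
    return f"<h1>{profile['name']}</h1><p>{profile['bio']}</p>"

def render_profile_safe(profile):
    # Hardened: every untrusted value is HTML-escaped at output time, so the
    # browser shows the tag as literal text instead of executing it.
    return (f"<h1>{html.escape(profile['name'])}</h1>"
            f"<p>{html.escape(profile['bio'])}</p>")

def contains_script_tag(markup):
    # Crude check used only to show the difference between the two renderers.
    return "<script" in markup.lower()

if __name__ == "__main__":
    print(render_profile_unsafe(PROFILE))
    print(render_profile_safe(PROFILE))
```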
IPsec Protocols and Other Technical Protocols
According to Garfinkel & Spafford (2002), ‘web developers have been too concerned with new features and attractive aspects of their websites without regard to proper input validation and appropriately secured databases’. Experts argue that the underlying Hypertext Transfer Protocol (HTTP) is the inherent problem with our internet security. While it conveniently allows integration with XML and SOAP, making it suitable for internet applications, it has also made the internet vulnerable to extreme forms of code intrusion and network breakdown. To try to avert such problems, developers of operating systems and internet applications have developed technical protocols that guide the industry on network security.
IPsec Protocol
One of the main protocols developed is the IPsec protocol. This protocol makes use of cryptography to ensure secure communication and proper authentication in any TCP connection. Data to be transferred is encrypted before it is encapsulated with an Authentication Header (AH) and an Encapsulating Security Payload (ESP). In some cases, the resulting data may undergo a further encapsulation process. This protocol has been proven to provide data integrity and authentication of the sender.
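As an added illustration (not code from the page), the following simplified Python model shows the integrity and sender-authentication property that IPsec's Authentication Header provides: a keyed integrity check value (ICV) computed over the header fields and the payload, which the receiver recomputes and compares. The header layout, shared key and SPI value are constructed for the example and do not follow the real AH wire format.

```python
import hashlib
import hmac
import struct

# Constructed shared secret; in IPsec the key comes from the security
# association negotiated between the two endpoints.
KEY = b"constructed-shared-secret"

def build_ah_packet(key, spi, seq, payload):
    # Simplified header: security parameter index and sequence number.
    header = struct.pack("!II", spi, seq)
    # ICV covers header and payload, so a change to either is detected.
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + icv + payload

def verify_ah_packet(key, packet):
    header, icv, payload = packet[:8], packet[8:40], packet[40:]
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(icv, expected):
        return None  # integrity or sender authentication failed
    spi, seq = struct.unpack("!II", header)
    return spi, seq, payload

def demo():
    pkt = build_ah_packet(KEY, spi=0x1001, seq=1, payload=b"GET / HTTP/1.1")
    accepted = verify_ah_packet(KEY, pkt)
    # Flip one bit of the payload to simulate modification in transit.
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    modified = verify_ah_packet(KEY, tampered)
    # A sender without the shared key cannot produce a valid ICV.
    forged = verify_ah_packet(b"wrong-key", pkt)
    return accepted, modified, forged

if __name__ == "__main__":
    print(demo())
```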
Firewall Protocols
Other protocols developed by operating system vendors include firewalls, which play a major role in internet security. A firewall is a protocol that scans all incoming and outgoing data and restricts the flow of such data. Different protocols and rules define how these firewalls operate. One example is the packet firewall. This kind of firewall filters every packet coming in from a remote Internet Protocol (IP) address. To do so, it makes use of a screening router that identifies the source of every incoming packet and confirms that one of the hosts on the private network requested such a packet.
Another kind of firewall developed is the circuit-level firewall. This kind of firewall statically identifies the kind of data allowed into the network. Using port numbers, the circuit-level firewall allows only packets for permitted port numbers to pass through.
A last kind of firewall implemented is the application-level firewall. This kind of firewall operates at the TCP/IP or transport layer of the network to define rules that govern allowed applications and active connections over the internet. The gateway analyzes incoming messages and their content, as opposed to individual packets.
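The following added Python model (not code from the page; the Packet type, rule set and sample addresses are constructed for the example) combines the packet-filter rule of the screening router (admit inbound packets only as replies to requests from an internal host) with the circuit-level rule of a static port allowlist, and runs four constructed packets through it.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = leaving the private network, "in" = from the internet

class ScreeningFirewall:
    # Packet-filter rule: an inbound packet passes only if an internal host
    # earlier sent a request to that remote address and port (the screening
    # router keeps a table of outbound requests to match replies against).
    # Circuit-level rule: inbound packets to a statically allowed local port
    # pass without a prior request. Everything else is dropped.
    def __init__(self, allowed_inbound_ports):
        self.allowed_inbound_ports = set(allowed_inbound_ports)
        self.requested = set()  # (local ip, local port, remote ip, remote port)

    def decide(self, pkt):
        if pkt.direction == "out":
            # Remember the request so that the matching reply can be admitted.
            self.requested.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.requested:
            return "allow"  # reply to a request from an internal host
        if pkt.dst_port in self.allowed_inbound_ports:
            return "allow"  # statically permitted service port
        return "drop"       # unsolicited inbound traffic

def demo():
    fw = ScreeningFirewall(allowed_inbound_ports={443})
    # Constructed traffic: an internal host fetches a web page and receives the
    # reply, a remote host probes port 22 unsolicited, and a remote client
    # connects to the statically allowed HTTPS port.
    out = fw.decide(Packet("10.0.0.5", 51000, "203.0.113.7", 80, "out"))
    reply = fw.decide(Packet("203.0.113.7", 80, "10.0.0.5", 51000, "in"))
    probe = fw.decide(Packet("198.51.100.9", 40000, "10.0.0.5", 22, "in"))
    https = fw.decide(Packet("198.51.100.9", 40001, "10.0.0.2", 443, "in"))
    return out, reply, probe, https

if __name__ == "__main__":
    print(demo())
```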
Protection 1 Privacy Policy
However, even with these measures in place, the internet has since suffered several intrusions and attacks. Companies that hold key information about customers are tasked with developing more secure systems. As stated earlier, the internet has become a business and trading center, with electronic money being the main currency. ‘Credit card information is used to carry out transactions over websites such as eBay and Amazon’. Such companies are required to develop their own web security policies that guide their handling of customer information.
An example of such a policy is the Protection 1 Privacy Policy developed by the Protection 1 company. Protection 1 is one of the largest electronics companies in the United States, with several million users of its business and home appliances. The Protection 1 Privacy Policy was developed in recognition of the trust that customers place in the company and its affiliates, and to hold such information in confidence.
Scope of the Policy
The Protection 1 Privacy Policy identifies the kind of information provided to the company and its four affiliates and the measures the company has taken to protect such information. ‘This policy focuses on Personal Identifying Information (PII), which is private information that uniquely identifies a customer’. It does not, however, cover the actions of third-party companies that are not affiliates of Protection One, even where those companies have used Protection One products for their own services.
Protection Measures
According to the policy, the company has developed measures to protect customer PII. The first step the company has taken is to ensure that all employees are subject to the company's policies and procedures regarding customer private information. Employees are trained on how to handle customer PII and sign documents that make them liable should they breach such rules.
Technology has also been employed to safeguard such data. ‘Computers holding PII data are kept in a secure location and entry into such a room requires several security measures to be met’. Username and password credentials are used to limit the number of employees who can access PII data. Encryption is used when such data is transferred between company computers and utilities. Third-party companies are also required to access PII data in accordance with this policy.
Rules on Disclosure
The company will, at no time, provide private information collected about a customer to a third party or the public. Such private information is defined in the policy to include name, address, telephone number and email address. Other private information includes payment and billing details, social security number, account numbers and credit card information. Such information collected through the websites is also considered private information and treated as such.
‘Express consent of the customer will be required to allow disclosure of such information’. However, the policy outlines situations in which the company may disclose PII. One such situation is where the company seeks to obtain payment for products and services advanced to a customer under the customer agreement; here the company is allowed to reveal private information to an enforcing body in order to obtain its payment. A second situation in which the company can disclose personal information is in complying with court orders and other judicial proceedings as the court may deem fit. The company also has a responsibility to disclose such information in cases that require a responsible government entity to be notified, or for emergency response to activated alarms and other emergencies that may arise.
Federal and State Regulations
Governments and regulatory agencies have developed laws that require business entities running databases of customer information to document all efforts taken to safeguard that information. Where a company has documented such efforts, it will be legally responsible for any disclosure resulting from security leakages.
Americans have expressed the need for a federal oversight agency to curb the growing trend of information leakage. A different concern arises from employers peeking into instant messages and emails between employees. While there is no federal legislation on either of these issues, several states have their own rules that help protect private information.
A landmark piece of legislation set forth by a state is California Senate Bill (SB) 1386. The bill requires that businesses, agencies or persons holding the private information of other individuals inform those individuals as soon as possible in the event of a security breach. The bill was proposed in the hope that individuals would take the necessary measures, such as changing passwords, to safeguard their information. The bill seems to have had a ripple effect across the country, with other states following this precedent by enacting similar laws.
Other laws enacted by states include the Privacy of Personal Information rules applied in Nevada and Minnesota. These laws require that Internet Service Providers (ISPs) keep information provided by customers private and confidential. Other states such as Utah and Colorado have rules that require written consent from the customer for any disclosure to third parties. Connecticut requires that any business entity holding clients' social security numbers clearly outline the measures it has taken to safeguard that information.
As regards the privacy of employees, the State of Tennessee has a code of conduct that requires state agencies and any other organizations running a central electronic communication system to develop a written policy on access to such mail. The circumstances leading to the scrutiny of such mail must be clearly stated in the written policy.
Conclusion
With the ever-increasing number of web applications, the chances of network hacking and intrusions will also be on the rise. Furthermore, an increasing number of companies prefer “web-ifying” their databases. Therefore, developing thoroughly configured SQL construction and properly secured web code is vital. A good company should also invest in a good intrusion detection and response system.
Privacy is threatened mainly through breaches of confidentiality, identity theft and information collection. Confidentiality breaches usually involve the unauthorized disclosure of information to unauthorized people. Confidentiality is necessary, although it is not enough to guarantee people's privacy. Such breaches can be eliminated through encryption of information and restriction of access to systems that hold individuals' personal information. Identity theft involves a scenario in which a person uses the identity or credentials of another person for ill intentions such as gaining access to information and stealing data. Identity theft can be avoided by making use of double authentication and verification in order to ensure that a person is who he or she claims to be. Information collection violates people's privacy even in cases where the information is not used. In addition, information can be collected using methods that respect privacy but then be processed in a way that interferes with privacy. Privacy can be reinforced by ensuring information security and ensuring that the information gathered is used for its intended purpose without being made available to secondary users. This helps to eliminate potential cases of information disclosure.
Bibliography
Barnett, R. (2010, Feb 17). The State of Web Security. networkworld.com. Retrieved Nov 28, 2011, from http://www.networkworld.com/news/tech/2010/100217-techupdate.html
Garfinkel, S., & Spafford, G. (2002). Web Security, Privacy and Commerce. O'Reilly Media, Inc.
Protection One. (2007). Protection 1 Privacy Policy. Retrieved Nov 28, 2011, from www.protection1.com