GEOG5870/1M: Web-based GIS A course on web-based mapping

General: Introduction to web security

Introduction

Web security is a huge area, but some key ideas will get you a long way. We can look at security in a number of frameworks:

Machine attacks vs. manipulation of human elements (and between)

One element of attacking systems is convincing humans to reveal their passwords (for example by pretence) or to allow attackers direct physical access to a machine or network (some attacks are simpler if you can boot a machine or work inside a firewall – we'll come back to firewalls). This is known as social engineering. In a lot of modern cases people break into servers only to serve webpages out from a trusted website that appear to be legitimate but which lead to malicious downloads – as trust is part of the attack, such attacks fall somewhere between machine attacks and social attacks. A good default starting point as a systems administrator is therefore "Trust No One".

Attacks against servers vs. attacks against clients (and attacks against servers to attack clients).

Direct attacks against software clients usually involve convincing the user to download malicious software, although occasionally holes are found in client browsers or browser/OS combinations that allow a direct attack. Direct attacks against connected servers or other computers are generally less successful because most people now connect through a firewall-enabled router. Nevertheless, most internet-connected machines will be hit plenty of times a week by automated attacks. Most pernicious is probably attacking servers to then farm out malware downloads to clients.

Scripted attacks vs. bespoke attacks (and between).

Most attacks these days are scripted: it is not only possible for people to get hold of and run a wide variety of attack scripts without necessarily understanding them in detail (so-called 'script kiddies'), but it is possible to download whole OSs set up for scripted attack work, the idea being that the better such things are understood, the easier it is to prevent such attacks. At the other end of the spectrum are bespoke hackers who work at the machine-code level or lower to find exploits. An interesting recent article on the levels at which such attackers can work can be found on Ars Technica.

Attacks to stop business vs. attacks that should go undetected.

On the web we can distinguish between noisy attacks that aim for maximum disruption and attacks that aim to go undetected for as long as possible, for example to spread further or gain greater advantages.

Attacks by one source vs. attacks by multiple sources.

With the rise of scripted attacks, we've also seen the rise of simultaneous attacks from multiple sources, either knowingly coordinated or launched from multiple compromised machines.


As we look at several attacks you should prepare for, you'll see they fall at various points along these spectrums.
