Janea Taylor – COMPUTERS ARE FUN!


Intro to Development – Authentication
July 27, 2006, 2:32 am
Filed under: Development, Intro, Security

In computing and security, authentication is a term used to describe the process of identifying someone or something by comparing them to whom or what they are supposed to be. One of the most common authentication processes includes providing a password or other login information (Whatis.com – Authentication, 2006). Authentication should not be confused with authorization. The latter is a term used to describe which permissions are assigned to a person or thing. For example, someone must be given authorization to access certain resources. Then the process used to identify the person as being who they claim to be would be accomplished by some form of authentication (Whatis.com – Authorization, 2006).

There are also more advanced techniques for authenticating someone’s identity, such as biometric technologies, which authenticate a person by scanning a unique biological characteristic, such as a fingerprint or retina. A common form of authentication used for Internet transactions utilizes digital certificates, which are provided by a Certificate Authority. Digital certificates and Certificate Authorities (CA) are components of a larger system known as a public key infrastructure (PKI). Using an algorithm, a CA creates a private key and then issues public keys through digital certificates. For transmission to occur, data is encrypted using a cryptography method. Public keys can be distributed and used for authenticating an object’s identity, such as a computer or person. The public key must be compared against the private key, and they must match in order for something to be authenticated. Once an object is authenticated, the data can be decrypted (Whatis.com – PKI, 2006).

There are several built-in authentication options available in ASP.NET, and custom authentication methods can be developed as well. The built-in methods supported by ASP.NET include Forms-based authentication and Passport authentication. Integrated Windows authentication is a common method that uses Windows credentials to verify a user’s identity. Windows authentication is flexible and easy to implement: it is not necessary to hard-code anything, because IIS controls the authentication process (ASP 101 – Security Features in ASP.NET, 2006).
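The following web.config is an added example, not code from the original post or from the ASP 101 article it cites. It shows how the two concepts above map onto separate ASP.NET configuration elements: the authentication element says how a visitor is identified (here, Integrated Windows authentication, so IIS checks the credentials), and the authorization element says what an identified visitor may access. The group names DOMAIN\WebUsers and DOMAIN\Admins are placeholders, not real accounts.

```xml
<?xml version="1.0"?>
<!-- Added example (not from the original post): a minimal ASP.NET web.config
     that keeps authentication (who are you?) and authorization (what may you
     do?) in their own elements. Group names below are placeholders. -->
<configuration>
  <system.web>
    <!-- Authentication: identify the caller. With mode="Windows", IIS
         performs the credential check, so no login code is needed in the
         application. IIS must also have Integrated Windows authentication
         enabled and anonymous access disabled for the site. -->
    <authentication mode="Windows" />

    <!-- Authorization: decide what the identified caller may access.
         "?" means the anonymous user and "*" means everyone. Rules are
         evaluated top to bottom and the first match wins, so the final
         deny prevents the implicit allow-all default from applying. -->
    <authorization>
      <deny users="?" />                 <!-- refuse unauthenticated callers -->
      <allow roles="DOMAIN\WebUsers" />  <!-- placeholder Windows group -->
      <deny users="*" />                 <!-- everyone else is refused -->
    </authorization>
  </system.web>

  <!-- A stricter authorization rule for one sub-folder: every member of
       WebUsers is authenticated, but only the placeholder Admins group is
       authorized to reach /admin. Authentication is unchanged; only the
       permission check differs. -->
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="DOMAIN\Admins" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Switching the authentication mode (for example to Forms authentication with a loginUrl) changes only how the identity is established; the authorization rules above keep working unchanged because they apply to whatever identity the authentication step produced.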

Resources:

Whatis.com – Authentication. (2006). Retrieved July 27, 2006 from http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211621,00.html

Whatis.com – Authorization. (2006). Retrieved July 27, 2006 from http://searchappsecurity.techtarget.com/sDefinition/0,,sid92_gci211622,00.html

Whatis.com – PKI. (2006). Retrieved July 27, 2006 from http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci214299,00.html

ASP 101 – Security Features in ASP.NET. (2006). Retrieved July 27, 2006 from http://www.asp101.com/articles/cynthia/authentication/default.asp



Information Security
January 31, 2006, 6:16 am
Filed under: Networking, Security

Large organizations are faced with many challenges when it comes to systems and data security. A small organization may have one person who is responsible for vulnerability management, but in a larger organization there may be an entire team of individuals devoted to maintaining security within the company. Their sole responsibility is to develop strategies that help protect the organization from virus outbreaks and hacker attacks. They are also responsible for maintaining data integrity and ensuring that systems are not compromised by various other security threats. In the event of a virus outbreak or network intrusion, the security team must respond as quickly as possible and have tactics in place to minimize the damage caused (e-Security Threats aren’t Just the Enemy of the Corporate, 2006).

One of the most common ways a company can secure its network and data is to set up a firewall system, which blocks access to systems through the use of port blocking and port forwarding (Bird & Harwood, 2003, p. 476). It is also common for companies to set up an internal network where each system is assigned an internal IP address that is not visible on the Internet. All internal systems connect to the Internet via an internal gateway, which may be a router, a firewall, or a NAT-enabled computer. Organizations should also enforce strict password policies that require users to choose passwords that are difficult to guess or to crack using password-cracking software. The policy should require users to change their password every 30 days (Bird & Harwood, 2003, pp. 466-468).

The company I work for, Oracle Corporation, is a very large organization consisting of over 40,000 employees and 100 global offices. We employ an entire security team that responds to emergency situations. They are also responsible for staying informed about the latest security threats, such as new viruses and recently discovered security holes in software. It is their responsibility to inform the entire organization of new threats and to recommend that employees update their virus definitions and install any recently released patches. Being a software company, we also have to worry about security vulnerabilities within our own software (Oracle, Inc – Critical Patch Updates and Security Alerts, 2006). There is an entirely different team within our organization that is responsible for fixing security issues in our own software. This team develops software patches, which we recommend users and clients install. Sometimes we even develop new versions of software and ask users to upgrade.

Microsoft, Macromedia, and Lotus are all large software companies that deal with vulnerabilities and security issues within their own software. Microsoft is often criticized for having too many security problems and for not responding to them fast enough. One such issue, affecting Microsoft Windows 2000 systems running Internet Information Services 5.0, is a security hole that allows attackers to gain complete control of the system. The exploit pertains to all systems that have not yet been patched, meaning any system that has not had the proper software patch installed. Not having the patch installed leaves the system vulnerable to attack and allows a hacker to modify and delete files. The flaw was detected by a security professional at eEye, a large security firm that specializes in detecting vulnerabilities in software (Microsoft Security Problem, 2006).

A vulnerability in Macromedia’s ColdFusion MX software was recently discovered which opens a system up to a possible scripting attack. Though the issue was considered a moderate threat, Macromedia strongly recommended that all ColdFusion MX users install the appropriate security patch to correct the issue and protect their systems from a possible attack (ColdFusion MX 7 – Cross-site Scripting in Default Error Page, 2006). A user of the software likely reported this issue. Macromedia encourages users to send a report of any and all security-related issues to secure@macromedia.com. They claim to be committed to keeping their software up to date so as to protect their customers from such security breaches. Information regarding Macromedia security issues can be found at http://www.macromedia.com/security.

At DefCon 8, an annual computer security convention where hackers and other security professionals join together to discuss security issues, a group of consultants demonstrated how an attacker could exploit a specific vulnerability in Lotus’ Notes Domino software. The vulnerability was considered low impact because physical access to the system was required; however, they were able to show how an attacker could potentially gain access to a user’s account by exploiting the vulnerability. To protect a system, they recommended upgrading the encryption of HTTP passwords and not leaving a system unattended with the Notes software up and running. Lotus recommends that users and administrators visit http://www.lotus.com/security to stay informed on security-related issues involving their software (Vulnerabilities in Lotus Notes Domino Aired at DefCon 8, 2006).

For more information on security and vulnerability management, you can visit http://www.securitydocs.com/Vulnerability_Management, which is a site containing several white papers and other helpful links.

References:

Bird, D. & Harwood, M. (2003). Network+, Exam N10-002. Que Publishing.

e-Security Threats aren’t Just the Enemy of the Corporate. Retrieved January 31, 2006 from http://www.scmagazine.com/asia/news/article/419796/esecurity-threats-arent-just-enemy-corporate/

Oracle, Inc – Critical Patch Updates and Security Alerts. Retrieved January 31, 2006 from http://www.oracle.com/technology/deploy/security/alerts.htm

Microsoft Security Problem. Retrieved January 31, 2006 from http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2001/05/02/BU178838.DTL&type=business

ColdFusion MX 7 – Cross-site Scripting in Default Error Page. Retrieved January 31, 2006 from http://www.macromedia.com/devnet/security/security_zone/mpsb05-03.html

Vulnerabilities in Lotus Notes Domino Aired at DefCon 8. Retrieved January 31, 2006 from http://www.ciac.org/ciac/bulletins/k-062.shtml

Security Docs – Vulnerability Management. Retrieved January 31, 2006 from http://www.securitydocs.com/Vulnerability_Management



Software Piracy
December 15, 2005, 4:27 am
Filed under: Advanced, Development, Security

Any company that develops and distributes software for profit must deal with the issues revolving around software theft. When software is stolen, it is known as piracy. To legally guard against piracy, software developers include with their software a licensing agreement that states under which circumstances a person is allowed to use, copy and/or redistribute the software (Cashman, Shelly, & Vermaat, 2004, p. 359). There are different licensing models available from which developers can choose.

Some of the different licensing models include single-user licensing, multi-user licensing and on-demand licensing. A single-user license is commonly used when distributing desktop software such as word processing and graphics applications. A single-user licensing agreement typically states that the software may be installed on one computer only and that one backup copy of the software can be made. If the software is removed from the computer, it may be sold or given to someone else. The software may not be installed on a network server or on multiple computers (Cashman et al., 2004, p. 360). To install software on a network or on multiple computers, software distributors will often require the purchase of a multi-user license (EditPad Pro, 2005). Oftentimes a software company will offer multi-user licenses at somewhat of a bulk discount price; however, it is up to the company to determine the overall cost. Another type of licensing agreement that is gaining popularity is known as on-demand licensing, or subscription-based licensing (CNET, 2005). In the on-demand licensing model, a user purchases the right to use a company’s software on a limited-time basis. For instance, a company might agree to allow the user to access its software for a 12-month period, after which time the user may purchase another license or discontinue use of the software. In an on-demand hosted environment, the software is actually hosted at the software vendor’s site but can be accessed by the customer during their subscription period (Sand Hill, 2005). This type of licensing model offers the most benefit to the actual software developer because it provides them with more control over how the customer uses their software. They are able to cut off access to their software as needed, which reduces the risk of unauthorized access and virtually eliminates the possibility of illegal redistribution.

I would recommend that any software development company, if possible, adopt the on-demand hosted licensing model, as it will provide the most security when dealing with issues revolving around software piracy.

References

Cashman, T.J., Shelly, G.B., & Vermaat, M.E. (2004). Discovering Computers: Fundamentals Edition. Boston: Course Technology.

EditPad Pro. (2005). Retrieved December 15, 2005 from http://www.editpadpro.com/multiuser.html

CNET. (2005). Retrieved December 15, 2005 from http://news.com.com/Software+No+longer+business+as+usual/2100-1012_3-5958760.html?tag=html.alert

Sand Hill. (2005). Retrieved December 15, 2005 from http://www.sandhill.com/opinion/editorial.php?id=56



E-commerce Security (part 2)
December 13, 2005, 6:13 am
Filed under: Development, E-Commerce, Networking, Security

Many people today may be aware of the fact that there are risks involved in making purchases online, but unfortunately they may not be as educated on the types of precautions that companies take to protect their customers against these risks. Without being informed of how they are protected, people will continue to be leery of making purchases online. Some of the risks involved in purchasing products and services online include information theft, identity theft, and credit card fraud.

Information theft occurs when someone’s personal information is obtained through unlawful activities (Cashman, Shelly, & Vermaat, 2004, p. 360). Stealing confidential information is another form of information theft. Identity theft is another risk involved in making purchases online. When someone uses another person’s confidential and personal information to impersonate them, this is known as identity theft (Identity Theft, 2005). The impersonator may use the false identity to obtain credit cards, property, or other items for which the person whose identity was stolen becomes liable. When a person uses stolen credit card information, this is known as credit card fraud (Credit Card Fraud, 2005).

To guard against information theft, many Internet companies employ data encryption (Cashman et al., 2004, p. 361). When data is encrypted, it is converted into an unreadable format and must be decrypted before it can be read or understood. To encrypt data, an encryption key is used, which is similar to a password. The encryption key must be provided to decrypt the data before it can be read (Cashman et al., 2004, p. 361). When information is transmitted over the Internet, it becomes extremely vulnerable to security risks (Cashman et al., 2004, p. 363). Most browsers are capable of using encryption to help secure data transmission. A website that uses encryption to secure data while it is being transmitted is known as a secure site (Cashman et al., 2004, p. 364). Some sites use digital certificates to validate the authenticity of a user or website. Occasionally, websites will use SET encryption to secure financial transactions. SET is the Secure Electronic Transaction specification (Cashman et al., 2004, p. 364).

It is common for companies to collect information about their customers; however, this can become a privacy concern. To ensure that customers are aware of how an organization protects their privacy, many Internet companies provide an online privacy policy which explains the type of information collected from the customer as well as how that information is used (Cashman et al., 2004, p. 367). It is recommended that customers read a company’s privacy policy before purchasing its products or services online.

References:

Cashman, T.J., Shelly, G.B., & Vermaat, M.E. (2004). Discovering Computers: Fundamentals Edition. Boston: Course Technology.

Identity Theft (2005). Retrieved December 13, 2005 from http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci801871,00.html

Credit Card Fraud. (2005). Retrieved December 13, 2005 from http://retailindustry.about.com/od/lp/g/credit_fraud.htm



E-commerce Security (part 1)
December 8, 2005, 6:11 am
Filed under: Development, E-Commerce, Networking, Security

Nearly all businesses today have some sort of presence on the Internet. Even if the only information they have available on their website is a phone number and address, most companies have something on the Internet with their name on it (Cashman, Shelly, & Vermaat, 2004, p. 58). Many of these companies even offer their products or services for purchase through their websites. This type of business is called e-commerce (Cashman et al., 2004, p. 62). E-commerce is a type of business transaction that takes place over a secure Internet connection (Cashman et al., 2004, p. 63). Typically, the customer selects the items they would like to purchase and then places them into an online shopping cart (Cashman et al., 2004, p. 63). They then provide a username and password, along with their payment method and billing information (Cashman et al., 2004, p. 356). This information is usually encrypted as it is sent over the Internet (Cashman et al., 2004, p. 361). Almost all businesses that accept online payments offer these types of secure transactions (Cashman et al., 2004, p. 364).

Data encryption and secure transactions are used to protect customers and their privacy (Cashman et al., 2004, p. 367). As a result of things like identity theft and consumer fraud, customers are becoming more concerned about their privacy when doing business online. Any company that offers its products or services for purchase online should know how to take the necessary precautions to protect its customers’ privacy. Using encryption and secure transactions allows the company to provide its customers with protection against identity theft and consumer fraud (Federal Trade Commission, 2005).

Some of the other concerns a company might have when it chooses to do business online include data storage and integrity as well as system installation and maintenance. If the company chooses to host its website in-house, it will have to set up a system that will be used for online transactions. This system will be vulnerable to various types of security breaches, including attacks by hackers and crackers (Cashman et al., 2004, p. 354). The company will also need to protect itself and its customers against system failure and data loss (Cashman et al., 2004, p. 361). However, if the company outsources the system, it will likely be less concerned with these areas, as the company that hosts the website will be responsible for system availability and maintenance.

References:

Cashman, T.J., Shelly, G.B., & Vermaat, M.E. (2004). Discovering Computers: Fundamentals Edition. Boston: Course Technology.

Federal Trade Commission (2005). Retrieved December 8, 2005 from http://www.consumer.gov/idtheft/con_minimize.htm