Thesis on "System Security"

Thesis 9 pages (2884 words) Sources: 9 Style: APA

[EXCERPT] . . . .

System Security

Every organization which is dependent on computer systems for its vital activities needs to have a certain degree of system security, the level depending on the nature of data and the vulnerability of its system. With cyber-crime and computer-related crime on the rise, system security has become a necessity. System Security can be implemented in hardware, software, network or the information system. Apart from limiting remote and local access to the physical components of the computer system, security also focuses on limiting the coding errors which compromises system security. These source code errors may include buffer/integer overflows, faulty string manipulations, password mismanagement, improper function calls, etc. Servers which contain valuable personal, organizational and system information, and are connected to other vital system resources via a network, need to be especially protected. Establishing firewalls, proper encryption methods, antivirus, mail gateways etc. may help provide server security. There should be an effective intrusion detection system in place which helps to identify and foil the dangerous intents of an intruder who accesses privileged system information in an unauthorized way. Early detection of such acts helps in damage control as well as safeguards against future attacks. Cryptography, which includes encryption and decryption, of sensitive data lies at the core of intrusion detection. Distributed systems are more vulnerable to security attacks given the nature of its working, layout and importance in performing organizational operations. Importance must be given to developing future systems which involve all aspects of security mechanisms and are implemented right from the design and analysis phase of system development rather than considering system security as an afterthought. An approach to system security which can be explored is the Object Oriented Security Model which includes the security aspect as an inherent part of the Object Oriented Approach.

System Security Paper

Computer security or system security, as a concept began to evolve in the later part of the 1960s when many private sector and government bodies began to recognize the vulnerability of computers and the data that it contained. In 1969, a breakthrough report was brought out by RAND's Willis Ware, which warned the Department of Defense about the technical weaknesses that existed in their system security. This concern came to the notice of the general public when IBM invested 40 million dollars to deal with system security in the early 1970s. Earlier, system security focused on the physical security of the machine itself instead of concentrating on protecting the data which, by all means, is more important than the system itself. (Gasser; Reinhold, 1988); (Loader; Biggs, 2002)

System security traditionally referred to protecting the hardware and information contained therein from damage or theft and to prevent any disruption of services. However, with later advances in networking, communications and remote terminal access, the perception of system security has undergone a major change. Technology criminals, "for fun" hackers, fraud, data manipulation and the like have changed the system security scenario. It has been proved that most of the computer crimes are perpetrated by insiders and therefore security must take the "insider problem" quite seriously. However, system security also encompasses unintentional errors, apart from the intentional attacks, that can cause a disruption of the usual functioning of the computer systems. (Gasser; Reinhold, 1988); (Loader; Biggs, 2002)

Security mechanisms are intended to protect the assets of an organization's computer systems while allowing authorized users the flexibility of operating the system in a manner that will ensure availability of information, confidentiality and integrity. We can categorize the security aspects of a system into four basic types which include software security, hardware security, information system security and network security. Software security involves securing the OS, application programs and database management systems. Hardware security involves securing computer-related equipment from unauthorized access. Information system security refers to the design and analysis of the information system of the organization such that critical data cannot be accessed, altered or utilized in a malicious way. Network security refers to the control of data encryption and security of transmission protocol. (Tipton; Krause, 2004)

It is the responsibility of the operations manager to make sure that the data is entered and read from the system in a controlled manner by providing authorized access. The best way to go about this would be to allow a single person to handle these vital operations. System security can be compromised if setting and usage of passwords are not monitored. Access codes of retired, dismissed or departed employees are often left accessible leading to a potentially harmful situation. Another potentially dangerous situation is the use of internet to conduct organizational transactions or sharing of information. Adequate security measures are often compromised when dealing with this issue but it should be remembered that system security can be threatened by hackers, viruses, cyber-criminals, terrorists or rival companies. All these are external errors related to System Security. (Loader; Biggs, 2002)

Sometimes, software developers unwittingly introduce errors in the source code of an application. These coding errors create serious problems in system security. When there are internal errors or errors related to the coding itself, we can refer to them as software security errors. These errors can be classified into seven categories: (i) Input validation and representation - this includes problems caused by alternate encodings, numeric representations and metacharacters. The problems caused by trusting inputs involve buffer overflows, integer overflow, format strings, command injection, SQL injection, cross-site scripting, illegal pointer value, path manipulation, process control, etc. (Fortify Software Inc., 2008); (Fortify Software, n. d.) ii) API (Application Programming Interface) abuse - this happens when the contract between the caller and callee program modules (functions) is violated. For instance, if the caller module fails to honor its part of the contract when calling another module for a subtask in the program, it results in a loophole in the program. Modules or functions which cannot be used in a safe manner (dangerous functions) should not be used at all. If the chroot () system call is made in an improper way, it may result in the intruder managing to escape the chroot () jail. Buffers storing sensitive information should not be resized using realloc (). Sometimes inadequate exception handling may cause a dangerous function to throw an exception causing a system crash. String manipulation functions are known to cause buffer overflows and therefore should be used with caution. A function's return value should never be ignored since it may result in unexpected situations. (Fortify Software Inc., 2008); (Fortify Software, n. d.) iii) Security features - "password mismanagement" is a big issue here. Hard-coded passwords, using weak encoding of password, storage of password as plaintext, usage of empty string as password, and storing passwords in config file may compromise system security. Privacy violation like mishandling of social security numbers and customer passwords not only infringes on user privacy but is also illegal. (Fortify Software Inc., 2008); (Fortify Software, n. d.) iv) Errors - error handling is a part of API but since it is so important, it should be considered separately. Producing errors that are difficult to handle or leak vital information to potential attackers may compromise system security. Poor error handling may also jeopardize the system. Developers should watch out for throwing excessively broad exceptions, catching overly broad exceptions, ignoring exceptions and catching NullPointerException. (Fortify Software Inc., 2008); (Fortify Software, n. d.) v) Code quality - poorly written software can result in irregular system behavior. From the point-of-view of system security, it gives the attacker a break in the system which he can utilize for his own benefit. Errors in code may include using obsolete functions, accessing a memory location after it has been dereferenced, failure to free memory or a system resource leading to memory leak, using the free () module twice for the same memory location leading to buffer overflow, and dereferencing a null pointer. (Fortify Software Inc., 2008); (Fortify Software, n. d.) vi) Time and State - distributed, multi-core and multi-CPU systems are more prone to errors regarding time, information, threads and processes. Errors may creep in code development of such systems which have to deal with multithreading, multitasking and multiprocessing. Such defects may include deadlocks resulting from poor locking discipline, signal handling race condition, failure to begin a new session after authentication, using thread management in applications where it is forbidden, accessing/using insecure temporary files, attempting to shut down the container of a web application. (Fortify Software Inc., 2008); (Fortify Software, n. d.) vii) Encapsulation - failure to encapsulate private data from unauthorized use or allowing modules to access and alter vital private data leads to errors in system security. Defects in this case may include data leaking between users through public objects or member variables, leftover debug code which can provide unauthorized entry points into the system, using non-final public variables which can be used to plant malicious code into the system by an attacker, usage of inner classes which may expose private code to attackers, trust boundary violation and leaking of vital system information like debugging techniques can… READ MORE

How to Reference "System Security" Thesis in a Bibliography

Related Thesis Papers:

Security Self-Assessment Coyote Systems Security Self-Assessment Organization Thesis

Security Self-Assessment

Coyote Systems Security Self-Assessment

Organization Description

The company Coyote Systems develops enterprise software applications for the world's leading manufacturing companies. It has development offices in Chicago, Illinois, throughout… read more

Thesis 7 pages (2030 words) Sources: 1 Topic: Management / Organizations

---

Security Policy Dr. Fossett's Dental Office Term Paper

Security Policy of a Dental Office

Information Technology Security for XYZ's Dental Office will be achieved by implementing these controls, policies, procedures and standards. This approved Security policy reflects the… read more

Term Paper 3 pages (1254 words) Sources: 0 Topic: Computers / IT / Internet

---

Security Issues of Cloud Computing Data Analysis Chapter

Security Issues in Cloud Computing

The name Cloud computing was coined from the drawings oftentimes employed to illustrate the internet. Cloud computing is an innovative consumption and new delivery approach… read more

Data Analysis Chapter 5 pages (1450 words) Sources: 5 Topic: Computers / IT / Internet

---

Information Security Policy Research Proposal

it Systems Security Guidelines several insights emerge from an analysis of its intent, structure and definition of best practices. In completing an assessment of this document it is imperative to… read more

Research Proposal 3 pages (870 words) Sources: 10 Style: APA Topic: Management / Organizations

---

Security Overview Businesses Today Research Paper

Security Overview

Businesses today are faced with a range of security challenges unlike any of those that their predecessors have ever faced. Among these different challenges are the physical protection… read more

Research Paper 13 pages (3366 words) Sources: 5 Style: Turabian Topic: Business / Corporations / E-commerce

---

View 100+ more related papers  >>