ASK A SCHOOL-AGE child about Melissa, and instead of hearing about the "red-haired girl in Mrs. Stiefel's class," the most likely answer would point to the Microsoft Word macro virus that wreaked havoc around the world in March 1999. The impact of the ubiquitous World Wide Web, the fastest growing element of the Internet, is mind-boggling. The debate about its social and economic impacts will go on for ages, but one fact remains--the Internet is here to stay. Today we have the ability to conduct online shopping, talking, dating, and even smelling(1) (business-to-consumer; B2C). Similarly, businesses can share and exchange information for more efficient business practices (business-to-business; B2B). And in the same vein, individuals--most of the time complete strangers--exchange useful and sometimes profitable information with each other (individual-to-individual; i2i) [1]. Information sharing over the Internet has become a prevailing practice in every segment of our e-society.
While extremely useful for conducting day-to-day business operations, the proliferation of e-commerce over the Internet has provided a perfect target for computer crackers, script-kiddies, and other such bad guys. Since the Web is being utilized by both small and large corporations, and by governments, for conducting their business electronically, people with malicious intent do not have to leave their computers to bring a business to its knees. Although it is a little more difficult to take down a government's computer networks, it can be done. Recent cyber-warfare attacks between the Palestinians and Israelis in the Middle East conflicts indicate that this is likely to become more common in the future. The reliance of a business on the Internet makes it extremely vulnerable to all sorts of attacks. While some readers may be viewing these words over the Internet, we can safely say that many people are trying to discover illegitimate ways to exploit loopholes in computers around the world.
Completely securing a computer against unauthorized access is extremely difficult--there are many ways for an attacker to gain access. In general, however, an attacker employs the easiest ways to fulfill his or her malicious intentions. Some of these attacks include shoulder surfing, dumpster diving, network sniffing, exploiting code weaknesses (such as buffer overflows), denial-of-service attacks, and others. These attacks can come from outside as well as from within. Hence, it is equally important to provide adequate safeguards for both internal and external threat sources.
At this point, it is important to understand some basic terminology. What exactly is security? According to Descartes, we know what time is until we are asked to define it. Similarly, we know, or have a sense of, what security is. But regardless of how we define it, security is a multidimensional concept that needs to be explored in detail to understand and measure it. Some of these dimensions include privacy, physical access restrictions, application availability, network confidentiality, content integrity, and access policy. Each of these dimensions is continuously evolving in terms of both scope and solution, but no standard yet addresses the subject effectively. Security is all about managing risks. When people think of security, they generally refer to one or more of the following aspects (the definitions given here are those of the Internet Society [1]):
* Authentication: The process of verifying an identity claimed by or for a system entity.
* Access control: Protection of system resources against unauthorized access; a process by which use of system resources is regulated according to a security policy and is permitted by only authorized entities (users, programs, processes, or other systems) according to that policy.
* Audit trail: A chronological record of system activities that is sufficient to enable the reconstruction and examination of the sequence of environments and activities surrounding or leading to an operation, procedure, or event in a security-relevant transaction from inception to final results.