Nowadays when mankind explores Mars, it seems that problem of information protection should not exist at all. But we see and read mentions about new viruses and gaps in security systems and about hacking all the time. We can not rectify situation if problem is in other people's mistakes, but we can try to avoid our own ones.
Everyone does his own tasks in modern society -- someone programs well and someone repair cars well. But such situation has large disadvantage - we become dependent on other people. Besides we depend on them we need to give them very important information sometimes. Banks have information about our accounts and purchases, hospitals know everything about our health:
Probably everyone has some information which he would not like to lay open to the public or lose. But you cannot be sure that software installed in bank has no mistakes, can you? So we hope for the best, choose best firms, trusting that if it is the best it will never let us down! And to some extent it is so. Trusted firms are in earnest about their clients' and employees' information security. Thus if you want to see you company in the top list you have to think of security. Are products you make secure? How secure can your clients feel?
Data security problem in multi-tier, client-server and network applications
Long time ago, when Novell DOS 7.0 was installed on my computer, I used its outstanding feature to lock files with password. And how upset I was when accidentally got access to protected files from Windows for Workgroups 3.11 (with 32-bits disk access on). In general for opening files closed with password it was enough to use MS DOS diskette to boot. But it was long time ago. And how do matters stand now? Do you think anything has changed? Let's take for example Windows XP. Probably many people heard and even used programs that let one get access to the data bypassing the operating system protection.
While working with network applications the user exposes to danger much more information, since the attacker can access not only data stored but also information transferred over network.
Main security threats and their description are listed below.
Unauthorized data access - kind of threat when unauthorized person gets access to confidential information. It can lead to situation when such information becomes public or is used against its owner.
Companies and private users use open communication channels for data transfer. So data transfer over such channels is in extreme need of protection in order to save confidentiality.
Possible causes of unauthorized access to secret data are:
- network traffic transfer in clear (not encrypted) form;
- absence of authorization mechanisms for access to secret data;
- absence of access isolation mechanisms.
Unauthorized data modifications - kind of threat when data can be changed or deleted accidentally or intentionally by the person that has no permissions for such actions.
Threat of this type can damage data integrity or have an influence on information that is not directly linked with modified data. Such modifications are especially dangerous since they can be left without attention for a long time.
Possible causes of unauthorized modification:
- absence of data integrity verification in software;
- password sharing or leakage;
- easily-guessed passwords;
- passwords keeping at easily accessible places;
- identification and authentication schemes are absent or weak.
Users of Internet and other communication channels run to the most danger when such channels are not controlled by company that uses these channels. Even when talking about the company LAN (local area network), which might seem to be protected from outside attacks, it can turn out that some of employees would like to use secret information to satisfy his own needs.
The worst and most dangerous in such situation is not bad system security itself, but the fact that the user believes that he is protected and he's mistaken. Most users do not know computer and software well enough to be able to tell whether the system is secure or their data are in danger of unauthorized access. So the developer must take care of user's security. Developer must foresee possibility of attack on the data stored on user's computer as well as possibility of attack on the data during network operations.