Design for e-commerce System Security at the Operating System Level.
Operating System Security Design for e-commerce Protection
Protection deals with protecting files and other resources from accidental misuse by cooperating users sharing a system, generally using the computer for normal purposes.
Security deals with protecting systems from deliberate attacks from individuals intentionally attempting to steal information, damage information, or otherwise deliberately wreak havoc in some manner.
Some of the most common types of violations include:
Breach of Confidentiality: Theft of private or confidential information, such as credit-card numbers, trade secrets, patents, secret formulas, manufacturing procedures, medical information, financial information, etc.
Breach of Integrity: Unauthorized modification of data, which may have serious indirect consequences. For example, a popular game or other program's source code could be modified to open up security holes on users' systems before being released to the public.
Breach of Availability: Unauthorized destruction of data, often just for the "fun" of causing havoc and for bragging rights. Vandalism of web sites is a common form of this violation.
Theft of Service: Unauthorized use of resources, such as theft of CPU cycles, installation of daemons running an unauthorized file server, or tapping into the target's telephone or networking services.
Denial of Service (DoS): Preventing legitimate users from using the system, often by overloading and overwhelming the system with an excess of requests for service.
One common attack is masquerading, in which the attacker pretends to be a trusted third party. A variation of this is the man-in-the-middle, in which the attacker masquerades as both ends of the conversation to two targets.
A replay attack involves repeating a valid transmission. Sometimes this is the entire attack (such as repeating a request for a money transfer); at other times the content of the original message is replaced with malicious content.
There are four levels at which a system must be protected:
Physical: The easiest way to steal data is to pocket the backup tapes. Also, access to the root console will often give the user special privileges, such as rebooting the system as root from removable media. Even general access to terminals in a computer room offers some opportunities for an attacker, although today's modern high-speed networking environments provide more and more opportunities for remote attacks.
Human: There is some concern that the humans who are allowed access to a system be trustworthy, and that they cannot be coerced into breaching security. However, more and more attacks today are made by means of social engineering, which basically means fooling trustworthy people into accidentally breaching security. A commonly used technique known as phishing involves an innocent-looking e-mail or web site designed to fool people into revealing personal or confidential information, which will enable the attacker to obtain access to several accounts by means of deception. An example of this might be receiving spam e-mails pretending to be from eBay, PayPal or any of a number of banks or credit-card companies.
Dumpster Diving involves searching the trash or other locations for passwords that are written down. (Note: Passwords that are too hard to remember, or which must be changed frequently are more likely to be written down somewhere close to the user's station.)
Password Cracking involves deriving user passwords, either by watching them type in their passwords, knowing something about them like their pets' names, or simply trying all words in common dictionaries. (Note: "Good" passwords should involve a minimum number of characters, include non-alphabetical characters, not appear in any dictionary (in any language), and should be changed frequently. Note also that it is proper etiquette to look away from the keyboard while someone else is entering their password.)
Operating System: The OS must protect itself from security breaches, such as runaway processes (DoS: denial of service), memory-access violations, stack overflow violations, the launching of programs with excessive privileges, and many others.
Network: As network communications become more important and pervasive in modern computing environments, it becomes ever more important to protect this area of the system, both protecting the network itself from attack and protecting the local system from attacks coming in through the network. This is a growing area of concern as wireless communications and portable devices become more and more prevalent.
The best way to implement security at the operating system level is to divide the operating system into the categories shown in the following seven bullet points.
Users and Groups:
Assign the lowest level of access for each user or group that allows it to perform its job.
Carefully examine any default accounts and remove, reset, or rename them as appropriate.
Create special accounts for public servers that access resources through the operating system.
File System:
Tightly secure individual directories and programs on your system.
Partition the physical disk on a program or functional needs basis.
Restrict a service or daemon's access to only a specific partition.
In Windows, use NTFS rather than FAT partitions whenever possible.
System Defaults:
Change all default settings.
Locate support accounts (created by the manufacturer for system access in case of a problem).
Known Vulnerabilities:
Contact the operating system vendor for known problems when loading an operating system for the first time or upgrading an existing one.
Monitor your operating system vendor's website to keep abreast of security problems.
Obtain patches, fixes, and workarounds for problems as they arise. Apply them judiciously so that you do not open up new security holes.
Remove Unnecessary Services and Ports:
Remove any operating system service that you do not specifically require.
Conduct a port scan of your system to see what ports you can safely shut down to strengthen your system.
Operating System Specific:
Implement security measures that are OS-specific, such as securing the registry in Windows and enabling shadow passwords in UNIX systems.
Policies:
Ensure that you have established operating system policies such as minimum password length, maximum password age, and restricted logins.
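The account, shadow-password and policy items in the list above can be checked mechanically on a UNIX system. The following script is an added example, not part of the original lesson. The function names, the sample data, the 90-day and 8-character thresholds, and the treatment of UIDs 1-999 as service accounts are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit passwd(5)- and login.defs(5)-format text.
# All sample data below is constructed for illustration.

# audit_passwd: read passwd lines on stdin, print one finding per line.
audit_passwd() {
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blanks
        $3 == 0 && $1 != "root"  { print "extra-uid0 " $1 }
        $2 == ""                 { print "empty-password " $1 }
        # a hash here means shadow passwords are not in use for the account
        $2 != "" && $2 != "x" && $2 !~ /^[*!]/ { print "hash-in-passwd " $1 }
        # assumption: UIDs 1-999 are service accounts and need no login shell
        $3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print "service-shell " $1 }
    '
}

# audit_login_defs MAX_AGE MIN_LEN: read login.defs text on stdin and
# report settings weaker than the thresholds (thresholds are assumptions).
audit_login_defs() {
    awk -v max_age="$1" -v min_len="$2" '
        $1 == "PASS_MAX_DAYS" { age = $2; have_age = 1 }
        $1 == "PASS_MIN_LEN"  { len = $2; have_len = 1 }
        END {
            if (!have_age || age + 0 > max_age + 0) print "max-age " (have_age ? age : "unset")
            if (!have_len || len + 0 < min_len + 0) print "min-length " (have_len ? len : "unset")
        }
    '
}

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
support:$6$constructed$hash:1001:1001:vendor support:/home/support:/bin/bash
guest::1002:1002::/home/guest:/bin/sh
www-data:x:33:33:web server:/var/www:/usr/sbin/nologin
ftp:x:21:21:ftp daemon:/srv/ftp:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

SAMPLE_LOGIN_DEFS='# constructed sample
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5'

printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
printf '%s\n' "$SAMPLE_LOGIN_DEFS" | audit_login_defs 90 8
```

On a live system, feed the functions the real files: `audit_passwd < /etc/passwd` and `audit_login_defs 90 8 < /etc/login.defs`. Where PAM handles password changes, the minimum length is enforced by the PAM password module rather than by PASS_MIN_LEN.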
Operating System Security
Operating system security is the process of ensuring OS integrity, confidentiality and availability.
OS security refers to specified steps or measures used to protect the OS from threats, viruses, worms, malware or intrusions.
Operating system security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised. OS security encompasses many different techniques and methods which ensure safety from threats and attacks. OS security allows different applications and programs to perform their required tasks while stopping unauthorized interference. OS security may be approached in many ways, including adherence to the following:
Performing regular OS patch updates
Installing updated antivirus engines and software
Scrutinizing all incoming and outgoing network traffic through a firewall
Creating secure accounts with required privileges only (i.e., user management)
Removing unnecessary services that might create an unintentional back door
The best way to ensure operating system security is to check log files. In UNIX systems, configure the syslog.conf file to tell the syslog daemon to capture relevant logins and messages concerning your Web server. You can also use the lastlog and last commands to determine who has logged in locally and remotely. The Windows User Manager for Domains program allows you to set auditing levels for the system. The Windows Event Viewer contains a list of logged users, as well as items of interest. Even if you secure your files, remove irrelevant services, install intrusion detection software, and enforce strong passwords, neglecting system logs will seriously impair the security of your e-commerce site.
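Reading `last` output by eye does not scale, so a small filter helps pick out the remote sessions worth a second look. The following script is an added example, not part of the original lesson. The function name, the trusted address prefix and the sample output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarise remote logins from `last` output.
# The sample below is constructed; addresses are documentation ranges.

# remote_logins [TRUSTED_PREFIX]: read `last` output on stdin and print
# "count user host" for remote sessions outside the trusted prefix.
remote_logins() {
    awk -v trusted="$1" '
        NF == 0 || $1 == "reboot" || $1 == "shutdown" || $1 == "wtmp" { next }
        # local console lines have no host column, so field 3 is the weekday
        $3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ { next }
        trusted != "" && index($3, trusted) == 1 { next }
        { seen[$1 " " $3]++ }
        END { for (k in seen) print seen[k], k }
    ' | sort -k2
}

SAMPLE_LAST='alice    pts/0        203.0.113.7      Mon Mar  3 09:12   still logged in
bob      pts/1        192.0.2.44       Sun Mar  2 22:41 - 23:05  (00:24)
alice    tty1                          Sun Mar  2 08:00 - 08:30  (00:30)
root     pts/2        198.51.100.9     Sat Mar  1 03:17 - 03:19  (00:02)
root     pts/0        198.51.100.9     Sat Mar  1 03:11 - 03:15  (00:04)
reboot   system boot  5.15.0-generic   Sat Mar  1 02:50   still running

wtmp begins Sat Mar  1 02:50:11 2025'

# Treat 192.0.2.0/24 as the office network (assumed) and list the rest.
printf '%s\n' "$SAMPLE_LAST" | remote_logins "192.0.2."
```

On a live system use `last -i | remote_logins "192.0.2."` so that the host column always holds an IP address. Repeated remote root sessions from an unfamiliar address, as in the sample, are the kind of entry to investigate first.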
Operating systems are the core of the computing environment, providing users a common interface to the hardware and software installed on a computer. Exploits in operating system code wreak havoc on computers, giving hackers the ability to steal data and to damage both hardware and software. Operating system security is crucial because it protects the central control system of a computer.
Software Vulnerabilities:
Operating systems are composed of hundreds of thousands of lines of code. Because humans program and debug each operating system, hundreds of vulnerabilities are introduced into the code at development time. These weaknesses, ranging from simple unwanted behavior or error messages to full-scale system crashes and data corruption, can have catastrophic consequences on data management and productivity. Operating system manufacturers, such as Microsoft and Apple, frequently publish updates to the code, called patches, to fix these vulnerabilities and to ensure system stability.
In the next lesson, you will learn about e-commerce system security at the server level.