# Sql Injection May Cause Harm Computer Science Essay


At YouMusic, information security risk on the network is a serious matter, so the company needs countermeasures that reduce the losses caused by security problems. This proposal sets out some ideas and countermeasures for our network security, with the aim of minimizing the information security risk. The network security market offers many approaches, and choosing the right ones is an important issue. The proposal lists several different security technologies and their benefits so that we can choose the methods most appropriate for our company.

## Cost

First we need to know the losses caused by security breaches. Our company has been attacked by hackers before, and that attack caused a loss. Based on that past experience we can calculate the potential losses in the future.

## The cost of the hardware

This is the cost of 20 web servers and 4 database servers.

20 x 6000 + 4 x 10000 = \$160,000 for 4 years

## The cost of annual support

This is the annual support fee for the 20 web servers and the 4 database servers.

(20 web servers) + (4 database servers) = annual support cost

(20 x 1200) + (4 x 3000) = \$36,000 per year

The company employs 4 full-time web administrators and 1 infrastructure administrator.

The annual labour support cost is 5 x 40000 = \$200,000

TCO = Hardware + (annual support cost + annual labour cost) x years

Over 4 years: 160000 + (36000 + 200000) x 4 = \$1,104,000

The TCO for 4 years is \$1,104,000.

## The cost of each security breach

5000 tracks x (cost of each track fraudulently purchased + refund per track) = cost of each security breach

5000 x (0.9+1.1) = \$100,000 in losses

The expected downtime is (48 + 72) = 120 hours per year.

\$200m per year is equivalent to \$22,831 per hour:

200,000,000 / (365 x 24) = \$22,831

The annual cost of being offline is:

22,831 x 120 = \$2,739,720

Each breach costs 0.5% of TCO = \$6700

ALE = 100000 + 2,739,720 + (3 x 6700) = \$2,859,820 per year

## The savings

The savings over the next 4 years are:

Security administrators: 7 full-time security administrators = 7 x 40,000 = \$280,000 per year

The annual security budget is \$400,000 per year.

The total annual security cost is \$280,000 + \$400,000 = \$680,000

Savings = ALE - annual security cost

= \$2,859,820 - \$680,000 = \$2,179,820 per year

## Intrusion Detection

Now that we know the cost of ownership, we need to know how to prevent the risk. In our case the loss always comes from intrusion, so intrusion detection is important to our project.

Intrusion detection is a type of security management system for computers and networks. An intrusion detection system collects and analyzes information from computers or a network to identify possible security problems, which include intrusions (attacks from outside) and misuse (attacks from inside). Intrusion detection uses vulnerability assessment, a technology developed to assess the security of a computer system or network.

## Intrusion detection functions include:

- Monitoring and analyzing both user and system activities
- Analyzing system configurations and vulnerabilities
- Assessing system and file integrity
- Recognizing patterns typical of attacks
- Analyzing abnormal activity patterns
- Tracking user policy violations

## IDS (Intrusion Detection System)

An IDS can be used to detect a wide range of network attacks, including network sniffing, port scanning, DoS, bandwidth-flooding attacks, TCP scans and attacks on operating system vulnerabilities. Today more and more enterprises use IDS systems.

The main function of an IDS is to detect and analyze suspicious activity in the network. This includes staff accessing files, remote access mechanisms, and sometimes permitted external access to the WWW server. To the firewall these are approved activities, but sometimes a hacker attacks from within approved activities. If anyone carrying out an "approved activity" has attack intent, the firewall generally cannot resolve or analyze it.

So, unlike a firewall or access control mechanism, an intrusion detection system analyzes each event (lawful or unlawful) for whether it carries attack intent. This is the way an intrusion detection system thinks.

## Signature-based System

The IDS maintains a database of attack signatures ("features"); each signature is a group of rules describing related intrusion behaviour.

A signature may relate to the properties of a single packet, or it may relate to a series of packets.

The network supervisor can adjust the signatures or add new signatures to the database.

How it works

A signature-based IDS probes every permitted packet and compares each one with the signature database. If a packet matches, the system sends a warning message.

The disadvantages of a signature-based IDS

The system needs prior knowledge of an attack to create its signature before the attack happens, so if the attack is new it cannot detect it.

Even when a signature matches, it may not be an attack, yet the system will still warn (a false positive).

Because every packet must be compared against a large signature database, the system may be unable to keep up and may fail to detect a malicious packet.

In enterprises the IDS is usually built as a signature-based system.

## Anomaly-based System

An anomaly-based IDS observes the normal load on the network and builds a statistical profile of it. It then searches for unusual packets and streams. Because it does not rely on prior knowledge, it can detect new, unrecorded attacks.

The advantage is that it can detect unknown patterns of intrusion. But there will be many more errors, because it is not easy to define what the normal load is, and user practices are always changing; this causes more errors.

## Snort: A public domain, open source IDS

Snort uses signature-based and protocol-analysis methods for detection. It is the origin of open-source IDS. Today more than one hundred thousand Snort instances have been deployed.

Snort's advantage is that it has numerous users and experts maintaining the signature database. Usually when a new attack appears, within a few hours the community will create the signature and publish it, after which the signature is downloaded by Snort devices worldwide.

These are the several modes of Snort:

- Sniffer: only captures the packets flowing on the network and displays them in the terminal.
- Packet logger: captures the packets flowing on the network, displays them in the terminal and stores them on the hard disk.
- Network intrusion detection system: highly adjustable. Snort can be used, according to the user's settings, to analyze the network load and take action.

## Online service potential risk

Online services and web services have developed over many years and have become very diverse. This means the network risk is increasingly high. Large enterprises always have a web portal to provide online services, and users normally use network services to handle their daily affairs.

e.g. email, online shopping, job interviews. You only have to open the browser, link to each web site and input your account name and password to enjoy the different services. From the user's view this is very convenient, but from the intruder's view it is a good chance to attack.

## Web Application

What is a web application? A web application is network software: the user uses links in the browser to connect to the web server and run the online program. Typical examples are web mail services, online banking and online shopping. But these online services carry a high risk of information disclosure. Some famous enterprises in the world have been invaded by hackers using web application weaknesses, leading to great financial and reputational damage, e.g. the "Barclays Bank Phishing Attacks" and the Microsoft "Hotmail Input Validation Flaw". Such attacks use loopholes in the online program to intrude.

Why is it not secure?

Web application security is not taken seriously in information security; for enterprises it is a very unfamiliar area. Famously, enterprises have used the firewall to protect network security, and many enterprises say "I already have a firewall or IDS, do I also need web security?"

## Firewall

The firewall cannot control the web application at the HTTP protocol level. A firewall can only protect the network or the server: it checks and controls each communication port and whether each online service may proceed. It cannot respond to attacks such as "SQL Injection" or "parameter tampering".

## The www server potential risk

Although we want to avoid intrusion, we also need to provide services to untrusted users; the web server is the common example. This appears to be a dilemma: we need to open up to the outside world, and at the same time we need to protect it.

If the WWW server is placed outside the firewall, the web server is completely exposed to external attack. If the WWW server is placed inside the firewall, we have to worry that this passageway brings risk to us.

## Solution of the potential risk

If we need to solve this problem, the effective method is to place the public service in a third network; this network is always called the DMZ (Demilitarized Zone).

The third network is used to build the systems the administrator needs to publish as public services in the DMZ. It is set up so that external users can access the services of this system but at the same time cannot access any other internal system service.

## The DMZ how to protect the web server

In the DMZ architecture, external users can access the web server only on port 80, the web service. Other services on this system, e.g. FTP / SMTP, and other communication protocols, e.g. ICMP, UDP, RPC, are blocked. So an intrusion from outside can only attack the web service, and only if the web service has a security weakness can the attacker succeed against this system. Conversely, if this system is built outside the firewall, every service and communication protocol (FTP, SMTP, ICMP...) with a security weakness becomes a target for the attacker. So the DMZ architecture reduces the risk of being attacked.

## DMZ to protect of the internal network

Although the DMZ reduces the risk of being attacked, it cannot exclude all risks: if the web service has a security weakness, the web server may still be intruded.

If the web server and the internal network are not safely separated and the web server is hacked, it will have a serious security effect. If the DMZ is used to build a security barrier between the web server and the internal network, and the firewall does not open any service from the DMZ to the internal network, then even if the web server is intruded it will not affect the security status of the internal network. So at the same time the DMZ system protects the internal network.

## DMZ (Demilitarized Zone)

An organization's network may set up one or more IDS systems.

It is usually divided into 2 zones:

- High-security zone: protected by the packet filter and the application gateway, and simultaneously protected by IDS sensors.
- Low-security zone: this is the DMZ. This area is protected only by the packet filter, but is simultaneously protected by IDS sensors.

The DMZ (Demilitarized Zone) is a buffer zone or small network between the enterprise's private network and the Internet. It can be understood as a special area distinct from both the external and the internal network. The DMZ holds the public servers that contain no confidential information, e.g. the web server, mail server and FTP server. Visitors from the external network can visit the DMZ services, but they cannot access the company's internal confidential and private information. Even if a DMZ server is damaged, the company's internal confidential and private information is not affected.

## The Network Architecture of the online music shop

Fig. 1: the network architecture diagram of the online music shop.

## Internet

On the Internet there are many threats, so we need to use some equipment to logically protect our web servers and database servers.

## Router

A router is a network device that transmits data packets to their destination. In this process the router chooses the path for the data transmission.

## Firewall

A firewall is a system or a group of systems that sits between networks to control requests. Firewalls operate in different ways: one mechanism is to block a transmission path, another is to allow it. The network administrator can adjust the firewall to allow or block particular IP addresses or suspect access.

Why do we need a firewall? Because on the Internet we should block unwanted requests and people making malicious attacks. If our network is attacked, the load on the network increases, and so does the risk of information leakage.

The firewall cannot control the web application at the HTTP protocol level. A firewall can only protect the network or the server: it checks and controls each communication port and whether each online service may proceed. It cannot respond to attacks such as "SQL Injection" or "parameter tampering". Sometimes the firewall only permits access to the e-mail service, so it blocks every other attack except attacks on e-mail. So we can adjust the open ports to protect our network, which can protect us from unknown attacks.

## IDS (Intrusion Detection System)

Between the firewall and the database or web server we need to install the IDS, because we have some necessary ports that must be open to users, and a hacker has the opportunity to use these ports to attack our servers. So at this point we need to check whether the data contains an intrusion or not.

## Switch

This is network expansion equipment: it provides many ports on a subnet for connections.

Switches can be classified as Layer 2, Layer 3, Layer 4 and Layer 7 switches.

A Layer 2 switch has VLAN partitioning, auto-negotiating ports and MAC address access control lists, and usually has a GUI (graphical user interface) or command-line control for the network administrator to adjust the parameters.

A Layer 3 switch supports Layer 3 protocols. It can act as a gateway to build connections for communication between different network segments.

A Layer 4 switch supports Layer 4 protocols, including session protocols, using a virtual IP.

A switch is different from a hub. The switch uses the ARP protocol to make the connection, which reduces data collisions and reduces the chance of information being tapped. The switch can process several packets at the same time, but the hub cannot.

## Database server

This is used to store information. When a client makes a request, the information can be found on the database server. A database server can always execute create, read, update and delete.

The database stores data in a defined way. It can share the information among multiple users, and it can interact with any program to create an independent collection of data.

## Database Management System (DBMS)

This is the software designed to manage the database server. It always has the basic create, read, update and delete functions. Databases are classified according to the DBMS: by type, e.g. relational database or XML; by the computing platform supported, e.g. mobile phone; and by query language, e.g. SQL or XQuery.

## Web Servers

The term web server has two meanings.

A web server is a computer that provides web services, mainly hosting HTML documents. It uses the HTTP protocol to connect to clients; the program the clients use to connect to the web server is usually called a browser.

It is also a program that provides web services.

Each web server runs at least one web service program. Common web servers are:

- Apache Software Foundation: Apache HTTP web server
- Microsoft: Internet Information Server (IIS)
- Zeus Technology: Zeus web server

The most common is the Apache Software Foundation's Apache HTTP web server; in October 2004, over 67% of web servers used Apache to provide web services.

Although the web has different web service software, they share the same characteristics. Each web server program accepts HTTP requests and replies to the clients. The HTTP reply carries an HTML document, a text document or picture files. These documents are stored in the web server's local file system, and the web service program reads the file from the local directory.

## Web Application Security

What are the web application security risks?

In our company we need to improve the security of the web application to prevent data leakage. On the Internet there are many security problems. Below I have listed the common web application vulnerabilities.

## SQL Injection

A SQL injection attack exploits a web program that does not meet secure coding standards. To prevent such attacks we should validate every input string on every web page. A hacker can attack the login page with SQL injection through the user name and password fields.

SQL injection is a security vulnerability that occurs between the web program and the database. SQL code is inserted into the input strings and submitted to the web program. A poorly written web program neglects to check this, and the database mistakes the input for a SQL command and executes it. This can destroy the database. Every database server that supports SQL commands carries the SQL injection security risk.

## Reason of the SQL injection

The web application uses "string linking" (concatenation) to combine user input into the SQL command.

When the web application connects to the database server, it uses excessively broad permissions to access the data.

The database server grants excessively broad permissions.

Excessive trust in user input: the type of user input is not limited, and the input string is not security-checked for potential risk.

## How does SQL work?

A SQL command asks the database server to search, insert, update or delete. When a string parameter is supplied to a SQL command, it is wrapped in quotation marks.

SQL comments are added by wrapping text in ( /* ) and ( */ ). If the quotation-mark characters are not handled when the SQL string is combined, a hacker can use this loophole to tamper with the SQL command.

For example, if this is your web login SQL verification:

```
strSQL = "SELECT * FROM users WHERE (name = '" + userName + "')";
```

A malicious user fills in:

```
userName = "1' OR '1'='1";
```

The SQL becomes:

```
strSQL = "SELECT * FROM users WHERE (name = '1' OR '1'='1')";
```

and the SQL command that actually executes is equivalent to:

```
strSQL = "SELECT * FROM users;"
```

So the command no longer restricts by user name and returns every user.

## SQL injection may cause harm

- Leakage of the information in database tables, e.g. personal confidential information, account information or passwords.
- The hacker learns our database structure and can use it for further attacks.
- The database server is attacked and the administrator account is tampered with.
- Having gained high privileges, the hacker can insert malicious links.
- Destruction of the hard disk and paralysis of the system.

So we should be highly alert to web application security; neglecting it can cause a huge loss.

## Improve your code

If the data access functions are not designed with "parameterized queries", then when the SQL string is assembled the characters in the passed arguments must be escaped (replace every single quotation mark with two quotation marks).

If PHP is used to develop the web application, you can turn on PHP magic quotes (this automatically takes every parameter input to the page and replaces every quotation mark with two quotation marks).

Filter SQL keywords from the input, e.g. INSERT, CREATE, UPDATE.

Restrict the input conditions, e.g. accept only upper and lower case letters of the alphabet and integers.
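As an added example (not code from the essay), the login query from the worked example above is reproduced here in Python with sqlite3, beside the two remedies from this section: doubling quotation marks and a parameterized query. The in-memory table, the user rows and the function names are constructed for the demonstration.

```python
import sqlite3

# Constructed sample table: a stand-in for the shop's user database (not essay data).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")]

# The exact input from the essay's example.
MALICIOUS_NAME = "1' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_query_by_concatenation(user_name: str) -> str:
    """The essay's vulnerable pattern: the SQL text is assembled by string linking,
    so a quote inside user_name becomes part of the SQL syntax."""
    return "SELECT * FROM users WHERE (name = '" + user_name + "')"


def lookup_vulnerable(conn: sqlite3.Connection, user_name: str) -> list:
    return conn.execute(build_query_by_concatenation(user_name)).fetchall()


def escape_by_doubling_quotes(value: str) -> str:
    """Remedy 1 from the essay: replace every single quotation mark with two, so the
    database reads it as a literal quote inside the string. Note this only helps for
    values placed inside quoted string literals; an unquoted numeric field would still
    be injectable, which is why remedy 2 is preferred."""
    return value.replace("'", "''")


def lookup_escaped(conn: sqlite3.Connection, user_name: str) -> list:
    sql = "SELECT * FROM users WHERE (name = '" + escape_by_doubling_quotes(user_name) + "')"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_name: str) -> list:
    """Remedy 2 from the essay: a parameterized query. The driver sends the value
    separately from the SQL text, so it is never parsed as SQL."""
    return conn.execute("SELECT * FROM users WHERE (name = ?)", (user_name,)).fetchall()


def demo() -> dict:
    """Run the essay's malicious input through all three variants and count rows returned."""
    conn = make_db()
    return {
        "vulnerable": len(lookup_vulnerable(conn, MALICIOUS_NAME)),      # every user leaks
        "escaped": len(lookup_escaped(conn, MALICIOUS_NAME)),            # no such user
        "parameterized": len(lookup_parameterized(conn, MALICIOUS_NAME)),  # no such user
        "legitimate": len(lookup_parameterized(conn, "alice")),          # the real user
    }


if __name__ == "__main__":
    print(demo())
```
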

## Make sure your database is a stand-alone installation and is kept at an up-to-date version

Every server is at risk of attack, so installing the database and the web application on different computers is a good choice. If your web server is attacked and compromised, the hacker can easily hack your database server too. Also, if one server is hacked, you do not have to shut down the other one.

## Disable any default users, including the super user

The default users, including the super user, can easily be found in the user manual. In 2002-2003 several worms used these default or super user accounts to attack servers. Most people do not pay attention to this problem, so a hacker can easily break into the system and use the super user's privileges to adjust or create accounts.

Create a user account in the database with the least privileges, able to access only the necessary information. Disable all default processes, to prevent unnecessary access from producing SQL injection.

## SQL requests must go through the web application and may only use the allowed commands, e.g. SELECT, INSERT, UPDATE

Most web applications set the SQL privileges and occasionally grant the delete privilege. If the web application does not need the DROP command, you should block that request.

## Insert validation into the web application

Inserting validation into the web application is very important. Validation code can prevent most SQL injection attacks. Validation can be classified as:

Information type: confirm the input type is correct. If the input type is integer, we convert the input to an integer; if the result is not a number, the system tells the user the input is wrong.

Information length: check the input length against the maximum and minimum character lengths. If the input is not within the range, the system responds with an error message.

Information format: the input format should also be noted. If the column should contain a telephone number in the format XXX-XXXXXXXX and the user's input format is wrong, the system tells the user.

On the market there is code improvement software that can improve your code and clear vulnerabilities.
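The three validation classes above (type, length, format), as an added Python example that is not part of the essay. The signup form, its field names and the error messages are constructed for the demonstration; the telephone pattern is the essay's XXX-XXXXXXXX.

```python
import re

# Telephone format the essay specifies: XXX-XXXXXXXX (3 digits, hyphen, 8 digits).
PHONE_PATTERN = re.compile(r"\d{3}-\d{8}")
# User name limited to letters and digits, as in "Restrict the input conditions".
USERNAME_PATTERN = re.compile(r"[A-Za-z0-9]+")
# Strict whole-number check (int() would also accept "1_000" and surrounding spaces).
INTEGER_PATTERN = re.compile(r"-?\d+")


def check_type_integer(value: str):
    """Information type: the field must be a whole number. Returns an error or None."""
    if not INTEGER_PATTERN.fullmatch(value):
        return "wrong input: not a number"
    return None


def check_length(value: str, minimum: int, maximum: int):
    """Information length: reject input outside [minimum, maximum] characters."""
    if not minimum <= len(value) <= maximum:
        return f"length must be between {minimum} and {maximum} characters"
    return None


def check_format(value: str, pattern: "re.Pattern", description: str):
    """Information format: the whole value must match the expected pattern."""
    if not pattern.fullmatch(value):
        return f"format must be {description}"
    return None


def validate_signup(form: dict) -> dict:
    """Apply the three checks to a signup form. Returns {field: error} for every
    failing field; an empty dict means the form may be passed to the database layer."""
    errors = {}

    username = form.get("username", "")
    err = check_length(username, 3, 20) or check_format(
        username, USERNAME_PATTERN, "letters and digits only")
    if err:
        errors["username"] = err

    err = check_type_integer(form.get("age", ""))
    if err:
        errors["age"] = err

    phone = form.get("telephone", "")
    err = check_length(phone, 12, 12) or check_format(phone, PHONE_PATTERN, "XXX-XXXXXXXX")
    if err:
        errors["telephone"] = err

    return errors


# Constructed sample forms (not from the essay): one valid, one carrying the
# essay's injection string in the user name plus other malformed fields.
GOOD_FORM = {"username": "alice01", "age": "29", "telephone": "852-12345678"}
BAD_FORM = {"username": "1' OR '1'='1", "age": "29 OR 1=1", "telephone": "12345678"}

if __name__ == "__main__":
    print(validate_signup(GOOD_FORM))  # {}
    print(validate_signup(BAD_FORM))   # one error per field
```
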

## Fig. 2

This program, Acunetix Web Vulnerability Scanner, can audit your website's security.

Firewalls, SSL and Locked-Down Servers are Futile Against Web Application Hacking!

Web application attacks, launched on port 80/443, go straight through the firewall, past operating system and network level security, and right in to the heart of your application and corporate data. Tailor-made web applications are often insufficiently tested, have undiscovered vulnerabilities and are therefore easy prey for hackers.

## Information security

On the YourMusic web site we require customers to input their personal data, which is used to contact them. But this process presents a personal data security risk, because personal data is private and confidential and hackers may be very interested in this information. So we need to improve the protection of personal information.

In our database the username, email and password details are stored in unencrypted form. If clients' data leaks, our company may face legal liability. So the "personal data security risk" is very important for the YourMusic web site.

## What can we do for information security?

Since data protection is so important, we should take action for information security. We have several available methods:

## Encryption

We can encrypt the information while it is being sent.

- SSL
- Password advice

## SSL (Secure Sockets Layer)

This is the security technology that uses encryption for communication between the web server and the browser. It protects the privacy and integrity of the information that the server and browser exchange. SSL is an enterprise-class standard, used by millions of web sites to protect their customers' online transaction information. In order to use an SSL secure connection, a web server requires a certificate.

When you enable the SSL service on your web server, you will be prompted to fill in several questions about your server's identity (e.g. your web server's web site address) and your company information (e.g. your company name or location). Then your web server creates two keys, one private and one public. The private key is so called because it is used to maintain privacy and security. The public key is not confidential and is placed in the CSR (Certificate Signing Request) file, which contains your detailed information. You send this CSR to the certification authority through its SSL certificate application procedure. The authority verifies your details and sends you a certificate containing your information. You then use SSL for communication; if everything is in order, there is an encrypted link between the server and the browser.

The client will not see the complex SSL settings; they will only see the lock symbol in the browser, which tells the client that the web site is protected by SSL.

Internet Explorer users will see this.

Click the lock to see your SSL certificate and your details will be displayed:

A typical SSL certificate includes your domain name, company name (YouMusic), address, city, state and country. It also contains the expiry date of the certificate and the issuing centre responsible for issuing it. When a browser connects to a secure web site it receives the site's SSL certificate and verifies whether it has expired, whether it was issued by a certificate authority the browser trusts, and whether the registered content matches the web site it is being used on. If any check fails, the browser displays a warning message to the user.

## Hash

What is a hash algorithm actually used for? In information security, hash algorithms are mainly used in the following three areas:

## File checksum

To a certain extent these can detect and correct channel errors in data transmission, but they cannot prevent malicious damage to data.

## Digital signature

The hash algorithm is an important part of cryptography. Because "asymmetric algorithms" are slow, the one-way hash function plays an important role in digital signature protocols.

## Authentication Protocol

An authentication protocol can be called a "challenge-response authentication mode". The transmission channel can be listened to but cannot be tampered with. This is a simple and safe method.

## CRC

The CRC algorithm is a common method of error detection. CRC is a mathematical algorithm: the sender takes the original data as input and appends the computed check number to the end of the transmitted data. The receiver then recomputes the CRC and checks that the data was received successfully.

## MD5 (Message-Digest Algorithm 5)

MD5 is a widely used hash computation used to ensure that message transmission is complete and consistent. Mainstream programming languages generally have an MD5 implementation.

## SHA-1 (Secure Hash Algorithm)

SHA is an encryption method. For input shorter than 2^64 bits it produces a 160-bit hash value, so brute force is harder. SHA-1 is designed on the basis of the MD4 method and uses the same algorithm. SHA-1 was issued by NIST (National Institute of Standards and Technology). It is the most widely used hash function algorithm and is currently the most advanced encryption technology, used by government departments and private owners to handle sensitive information. SHA-1 is based on MD5, and MD5 is based on MD4. The hash of the image file on the forum system is Microsoft's official SHA-1 value, which corresponds to the download; it helps you confirm that the downloaded file has not been changed and is the original.

## Summary

YourMusic is a web-based electronic trading shop, and for a hacker it is a treasure house, so we must take preventive measures against external threats or we will suffer a huge loss. Information security is therefore very important for our company.
