Part 2 of 7 of an article on Web Site Security by Steve Avery MSc BA
Broadly speaking, three types of risk exist. Although they are discrete, they share common aspects.
1. Web server risks.
Web servers are large, complex programs. It is quite likely, therefore, that they contain a bug. Problems can be caused not just by a programming bug, however, but also by poor configuration. Either of these scenarios can enable remote unauthorized users to:
- View and/or capture confidential documents;
- Execute direct commands on the Web server's host machine, enabling them to modify the system, perhaps radically;
- Discover information about the Web server's host machine that will enable them to gain access to the system and deposit any kind of malicious program;
- Cause the Web server's host machine to become unusable by denying access or service to users.
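The first of these outcomes, a remote user reading documents they were never meant to see, often comes down to one unchecked step in the server: the requested URL path is joined onto the document root without verifying that the result still lies inside it. The following Python is an added illustration written for this article, not code from the article or from any particular Web server; the document root, the file names and the two resolver functions (`resolve_naive`, `resolve_safe`) are constructed for the example. It places the buggy mapping beside the hardened one so the difference can be seen on the same inputs.

```python
import posixpath
from pathlib import PurePosixPath
from typing import Optional
from urllib.parse import unquote

# Constructed example value: the directory the server is meant to serve files from.
DOCUMENT_ROOT = PurePosixPath("/var/www/html")


def _join_and_normalise(request_path: str, root: PurePosixPath) -> PurePosixPath:
    """Decode the URL path, join it onto the root and collapse '.' and '..' segments.

    Both resolvers share this step; they differ only in what they do afterwards.
    Pure path arithmetic is used so the example runs without touching the disk.
    """
    decoded = unquote(request_path)           # %2e%2e becomes .. before joining
    joined = posixpath.join(str(root), decoded.lstrip("/"))
    return PurePosixPath(posixpath.normpath(joined))


def resolve_naive(request_path: str, root: PurePosixPath = DOCUMENT_ROOT) -> PurePosixPath:
    """The bug: map the request onto the file system and stop there.

    Nothing checks that the normalised result is still under the document
    root, so a request carrying '..' segments resolves to a file elsewhere
    on the host, which the server would then happily send back.
    """
    return _join_and_normalise(request_path, root)


def resolve_safe(request_path: str, root: PurePosixPath = DOCUMENT_ROOT) -> Optional[PurePosixPath]:
    """Hardened mapping: normalise, then require the result to stay within root.

    Returns the resolved path, or None when the request would escape the
    document root; the caller turns None into a 403 or 404 response instead
    of opening the file.
    """
    candidate = _join_and_normalise(request_path, root)
    try:
        candidate.relative_to(root)           # raises ValueError if outside root
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: one ordinary, one with '..' that stays inside
    # the root, and two that try to climb out (the second percent-encoded).
    for req in ("/reports/q1.html",
                "/docs/../index.html",
                "/../../../srv/private/accounts.txt",
                "/%2e%2e/%2e%2e/%2e%2e/srv/private/accounts.txt"):
        print(f"{req!r:50} naive -> {resolve_naive(req)}  safe -> {resolve_safe(req)}")
```

The essential point is the `relative_to` check after normalisation, not before it: the decision has to be made on the path the operating system will actually open. Decoding the URL first matters for the same reason, since an encoded `..` is only visible once the percent-escapes have been expanded.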
2. Browser risks.
Risks at the browser (client) end of the connection include:
- Downloading "active content", e.g., ActiveX controls or Java applets, that may freeze or close the browser, harm the local machine's operating system, or merely cause temporary or permanent annoyance;
- Compromise of the browser user's privacy, leading to the misuse of personal information, with or without the browser user being aware of the breach.
3. Transmission risks.
At any point between the remote Web server and the local client Web browser, data can be intercepted. Unauthorized eavesdropping can occur in either direction of the transmission. Points of interception include:
- The local area network at the browser (client) end of the connection.
- The remote network at the Web server end of the connection. This includes any intranet system attached to it.
- The browser user's Internet service provider (ISP).
- The Web server's Internet service provider.
- The regional access provider for either of these Internet service providers.
Nowadays, when Website hacking, electronic industrial espionage, identity theft and cyber crime are so sophisticated, it is of paramount importance to ensure that the entire system is secure: service providers, Web server, intranet, local area network and browser.