Having a website on the internet is so easy and affordable these days that most businesses in the world have their own websites. This extends their reach to more potential customers. Some people run their business completely online without any local presence. But opening a website is not the end of it. One must make it secure to take real advantage of this platform. Attackers can try to attack and damage the site, which can have a negative impact on the business or whatever the purpose of that site is. So, securing a website is the most important process in the website lifecycle. It’s usually a continuous process, but many things have to be considered during development and deployment. There are usually three main objectives in securing one’s web presence: confidentiality, integrity and availability. These are the three main topics that must be covered in securing the web presence.
Confidentiality means that the information, in this case the website’s sensitive content, is accessible only to authorized users. For example, information about a customer’s credit card and other personal info must be accessible only to that customer. No unauthorized person should be able to obtain that information by any means. Failing to maintain confidentiality means that some unauthorized person who shouldn’t have access to the sensitive content has managed to get it. This is called a data breach, and it usually cannot be undone. Once someone has that information, there is no way to take it back from them. This information is usually used for evil purposes or sold on the black market, where it is in turn used for evil purposes by many people. This is a huge thing for customers of the site, who put faith in the company to secure their personal information. Incidents like this really degrade the reputation of that business or whatever niche that website has. Confidentiality is maintained by allowing only authorized users to access sensitive information. In my comp424 class we did a lot of exercises that dealt with confidentiality. My partner and I would generate a public and private key. If my partner gave me his private key, I would be able to encrypt the messages, but if for whatever reason he gave me a wrong key, I would not be able to read the message. A lot of companies would make their keys public so the good hackers can hack their site or servers, tell the company that their site has potential breaches, and give them tips on how to make their information more secure. But the downside to this is that it leaves the company prone to getting hacked by the bad hackers who just want to commit malicious acts.
Data integrity and data security are different terms. Data security is the protection of data. Data integrity means that the information is authentic. It ensures that the information going from or to the website is genuine and not altered by anyone, either deliberately or accidentally. This is a major security issue and can affect a business very badly. For example, an evil person exploits a flaw in one’s website structure, changes the prices of the things he can buy to very low or even nothing at all, and buys everything without paying. This can impact the business financially. Another common attack is redirecting the user to another site which looks like the original one but steals the user’s information. It’s a direct violation of the integrity of that website. Integrity in a website can be made possible by checking outgoing and incoming information properly, but attacks like redirecting users at the network level cannot be stopped from the website side. Integrity is maintained by making sure the information coming from or to the website is authentic and not tampered with. It is important to maintain data integrity because businesses are constantly making data-driven business decisions, and data without integrity can have a detrimental effect on the company’s bottom-line goals. Data integrity can be compromised through human error or malicious acts. Data that is transferred from one device to another has a chance of being destroyed or changed along the way. When I took comp424 I learned that there were a lot of attacks that caused a lot of harm for our military when an organization changed some data to trick a team into thinking the delivery would be in one location instead of another. This caused the soldiers to die from starvation and lack of resources. These sorts of attacks can be very detrimental because it can be hard to tell if the device got hacked. All the hacker has to do is change some information or alter some coordinates and it can cause a huge disruption.
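The price-tampering case above comes down to two server-side checks: detect any change to data the client held, and never trust a price the client sends back. The following is an added example, not part of the original essay; the names CATALOG, SERVER_KEY, sign_cart, verify_cart and order_total, the SKUs and the prices are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data: server-side prices in cents and a demo key.
CATALOG = {"sku-100": 2499, "sku-200": 999}
SERVER_KEY = b"demo-key-only"  # assumption: a real key comes from a secret store


def _tag(body: str) -> str:
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def sign_cart(cart: dict) -> str:
    """Serialize the cart canonically and append an HMAC-SHA256 tag."""
    body = json.dumps(cart, sort_keys=True, separators=(",", ":"))
    return f"{body}.{_tag(body)}"


def verify_cart(token: str) -> dict:
    """Return the cart only if its tag matches; raise ValueError otherwise."""
    body, sep, tag = token.rpartition(".")
    if not sep or not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        raise ValueError("cart token failed integrity check")
    return json.loads(body)


def order_total(token: str) -> int:
    """Total in cents, priced from CATALOG, never from the client's price field."""
    total = 0
    for item in verify_cart(token)["items"]:
        sku, qty = item["sku"], item["qty"]
        if sku not in CATALOG or type(qty) is not int or qty < 1:
            raise ValueError(f"invalid line item: {sku!r}")
        total += CATALOG[sku] * qty
    return total


def demo() -> tuple:
    token = sign_cart({"items": [{"sku": "sku-100", "qty": 1, "price": 2499},
                                 {"sku": "sku-200", "qty": 2, "price": 999}]})
    tampered = token.replace('"price":2499', '"price":0')  # constructed tampering
    try:
        order_total(tampered)
    except ValueError:
        return order_total(token), True
    return order_total(token), False

print(demo())
```

The HMAC tag catches edits made after the server signed the cart, and pricing from the server catalog means that even a correctly signed cart cannot carry its own price into the total.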
Availability means that the information on the website is available and accessible to the authorized user at any time. This means the website must be online and serving its information to its users. Not being able to access information at a critical time can be life-threatening on some systems. Even if it’s not life-threatening, it can cause huge losses in many businesses. To prevent these problems, the website should have backup power and connectivity systems, and techniques to prevent attackers from executing attacks like Denial of Service. In these types of attacks, the attackers try to bring down the server or make it so busy that it cannot process more requests. Availability is maintained by making sure the website is up and running all the time. Another way to prevent an attack is to have a plan for when such a breach occurs. Maintaining data availability should be one of the biggest priorities in a company’s recovery plan. The plan should contain a recovery point objective and a recovery time objective, which help determine what data needs to be restored and when it must be accessible in order for operations to resume after a disruption. If for whatever reason data gets interrupted or stolen, there should be a backup stored locally so that you can retrieve the data if it gets lost.
This was a great course and I really enjoyed it. Thanks for offering this course; I think it will help many students in computer science.