DonNTU   Masters' portal

Abstract

Introduction

For many production and trading companies in today's reality, it is the online store that holds a key position in the list of revenue-generating units. The security of a web resource whose activity is directly related to finance is therefore important and one of the top priorities. To date, very little attention is paid to security when creating official company sites, web directories and online stores.

The uninterrupted operation of the online store significantly increases the chances of successfully promoting goods and services, selling them and making a profit. To ensure uninterrupted operation, a number of problems must be taken into account; formulating and effectively solving them can be based on the construction of attack trees.

The task of analyzing the protection of commercial Internet resources at various stages of their life cycle, the main ones being design and operation, is increasingly becoming the subject of discussion at specialized conferences devoted to information security.

1. Theme urgency

With the continuous development of high-speed Internet access technologies, important business components are moving to the Web environment. Systems such as Bank-Client, public sites of organizations, online stores, news, entertainment and trading platforms, blogs and state portals are an indispensable component of the worldwide network. Because of their accessibility, they often become an attractive target for cybercriminals, so solutions for effectively protecting web resources are now more relevant and in demand.

At the same time, providing security means protecting assets, where an asset is defined as anything that has value. Some assets are tangible and have a monetary expression; others are intangible but nevertheless have value. The need to protect "almost tangible" assets, such as the company's property register, the personal data of users, customers and employees, and electronic money, is beyond doubt. But it is also important to understand that an undoubtedly intangible asset such as the company's reputation also has value and needs to be protected.

2. Goal and tasks of the research

The main goal of the work is to increase the effectiveness of the protection of the online store at the design and operation stages based on the development and use of computer attack models, attack tree formation, evaluation of the level of security and methods for analyzing the security of computer networks.

Main tasks of the research:

  1. Analysis of existing methods and models for protecting online stores.
  2. Evaluation of models for protecting web resources, identifying their weak and strong points.
  3. Building an attack tree for online stores in order to find vulnerabilities.
  4. Minimizing security threats and the risk of their realization by analyzing the attack tree.
  5. Development of the author's own methodology and model for protecting online stores based on attack trees.

Research object: security of online stores.

Research subject: application of the method of attack trees to develop a methodology and model for protecting online stores.

To evaluate the theoretical results experimentally and lay the foundation for subsequent research, practical results are expected in the form of a proprietary model for protecting online stores based on the method of constructing attack trees.

3. Methods of protecting the online store

At its core, an online store is a web application consisting of client and server parts that implement client-server technology. The client part implements the application interface, sends requests to the server and processes the responses to these requests. The server part receives the request, performs the processing it calls for, and then forms the web page that the user sees. The application itself can act as a client of other services, for example a database or another web application located on another server.

It is much easier to fix problems at the design stage than to solve them while operating a finished web resource. Attack trees make it possible to model possible attacks and disruptions in the operation of the resource, as well as to find ways of countering them when protecting the online store.

Most attacks on web sites are carried out automatically, by automated scanning programs and similar specialized tools that detect "holes" in the site's protection. The presence of any CMS in the web site's software makes the site less secure. The site is served by an HTTP server. HTTP servers are checked for vulnerabilities, but new "holes" continue to be found even in them. Any CMS is installed on top of the HTTP server, so the vulnerabilities of the CMS are added to those already present. And yet the fact that a CMS reduces the security of the site should not become an obstacle to deploying one.

In practice, risk management is more important. Even a secure online store can be hacked because the owner has set an easy-to-guess password. Thus, the risks associated with using a CMS can be significantly lower than the risks in the organization of the web resource itself.

The security of a web resource is defined as the degree of adequacy of the information security mechanisms implemented in it (identification, authentication, access control, logging and audit, cryptography, screening), the compliance of the security measures with the risks existing in the given environment, and the ability of the protection mechanisms to ensure the confidentiality, integrity and availability of information. Today, the most effective mechanism for building defense models is attack trees.

Attack trees are diagrams that show how the target can be attacked. In the field of information technology, they are used to describe potential threats to the computer system and possible methods of attack that implement these threats.

A threat is understood as a set of conditions and factors that determine the potential or actual risk of an incident which may damage the functioning of a web resource, the assets it protects, or individuals. Threats can be classified according to various criteria. In particular, by the nature of their origin, threats are divided into two groups: intentional and natural.

The main deliberate threats are:

- connection of the intruder to communication channels;

- unauthorized access;

- theft of information carriers.

The main natural threats include:

- accidents (fires, accidents, explosions);

- natural disasters (hurricanes, floods, earthquakes);

- errors in the process of processing information (hardware malfunctions).

When analyzing the security of computer networks, all types of threats should be taken into account, but most attention should be paid to those related to human actions.

All analyzed data are presented in the form of an attack tree, which makes it possible to demonstrate threats to the system visually.

Natural threats are almost impossible to prevent because of their very nature. Reducing the theft of information carriers to zero is an insurmountable task; to reduce the risk, basic measures to protect physical objects must be taken.

To prevent the attacks that occur more often than others (connection to communication channels), it is more efficient to use a more widely used CMS: in this case there is a somewhat higher probability that vulnerabilities in it have already been detected and closed. However, there is no guarantee that new "holes" will not be found in the system in the future.

The optimal choice is a system whose development does not stop. If the developers have stopped developing the system, there is a possibility that a newly discovered vulnerability will not be corrected in time.

It is also necessary to monitor all CMS updates related to its security and to install these updates in a timely manner. Some modern CMSs, for example "1C: Bitrix", allow the process of searching for and installing updates to be automated.
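The attack tree described in this section, with the deliberate threats listed above as alternatives under one root goal, and the ranking of countermeasures by their effect on the root (which is what the CMS-update advice relies on), as an added example that is not part of the original work. All probabilities, node names and the Node class are constructed assumptions.

```python
"""Attack tree for an online store (added example, not from the original work).
Leaves carry a constructed success probability under current protection measures;
an OR node is reached if any child is, an AND node only if all are."""
import math
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "leaf"                  # "leaf", "or" or "and"
    prob: float = 0.0                   # success probability, leaves only
    children: List["Node"] = field(default_factory=list)

    def success_prob(self) -> float:
        """Probability of reaching this node, assuming independent children."""
        if self.kind == "leaf":
            return self.prob
        probs = [c.success_prob() for c in self.children]
        if self.kind == "and":          # every child must succeed
            return math.prod(probs)
        return 1.0 - math.prod(1.0 - p for p in probs)   # OR: not all fail

    def leaves(self) -> List["Node"]:
        if self.kind == "leaf":
            return [self]
        return [x for c in self.children for x in c.leaves()]


def build_store_tree(cms_updated: bool) -> Node:
    """Root goal 'compromise the online store'; the deliberate threats named in the
    text are OR-alternatives. Timely CMS updates shrink the 'known CMS hole' leaf."""
    channel = Node("attack via communication channel", "and", children=[
        Node("intercept client-server traffic", prob=0.2),
        Node("session not protected by TLS", prob=0.5)])
    access = Node("unauthorized access to admin panel", "or", children=[
        Node("exploit known CMS vulnerability", prob=0.05 if cms_updated else 0.6),
        Node("guess weak administrator password", prob=0.3)])
    theft = Node("theft of information carriers (backups)", prob=0.02)
    return Node("compromise the online store", "or", children=[channel, access, theft])


def rank_mitigations(root: Node) -> List[Tuple[str, float]]:
    """Drop in root probability if each leaf were fully closed, best measure first."""
    base, gains = root.success_prob(), []
    for leaf in root.leaves():
        saved, leaf.prob = leaf.prob, 0.0
        gains.append((leaf.name, round(base - root.success_prob(), 4)))
        leaf.prob = saved
    return sorted(gains, key=lambda g: g[1], reverse=True)
```

With the constructed numbers, the unpatched tree puts the CMS vulnerability first in the ranking; once updates are applied, the weak administrator password becomes the dominant leaf, which is the point made about risk management above.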

Conclusion

The analysis leads to the conclusion that the protection of web applications should be carried out both during the design and development of the web resource and in the course of its operation, with timely adjustments introduced as necessary. At the same time, protection must be built in two main directions:

- avoiding errors in scripts when developing a web application;

- the use of specialized application-layer firewalls (e.g. solutions of the Application Firewall type) which integrate intrusion detection functionality and provide protection from targeted web attacks such as buffer overflows, SQL injection, Cross-Site Scripting, tampering with request parameters and others. Solutions of this class filter requests for access to the application and block all actions that do not belong to the permitted activity of users.
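A minimal allow-list (positive model) request filter of the kind the second direction describes, added here as an example and not taken from the original work or from any product. The routes, parameter rules and the requests checked in it are constructed assumptions for an online store.

```python
"""Allow-list (positive model) request filter for an online store, added as an example
(not from the original work or any product). Each route declares the parameters it
accepts and the form their values must take; everything else is blocked."""
import re
from typing import Dict, Tuple
from urllib.parse import parse_qsl, urlsplit

# Permitted user activity, constructed for this example: (method, path) -> {param: regex}.
RULES: Dict[Tuple[str, str], Dict[str, str]] = {
    ("GET", "/catalog"):   {"category": r"[a-z]{1,20}", "page": r"[1-9][0-9]{0,3}"},
    ("GET", "/product"):   {"id": r"[0-9]{1,9}"},
    ("POST", "/cart/add"): {"id": r"[0-9]{1,9}", "qty": r"[1-9][0-9]?"},
}


def check_request(method: str, target: str, body: str = "") -> Tuple[bool, str]:
    """Return (allowed, reason). Query string and form body share one parameter set,
    so a parameter smuggled in the body is caught by the same rule as in the URL."""
    parts = urlsplit(target)
    rule = RULES.get((method, parts.path))
    if rule is None:
        return False, f"route not permitted: {method} {parts.path}"
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    seen = set()
    for name, value in params:
        if name not in rule:
            return False, f"unknown parameter: {name}"
        if name in seen:                       # duplicates confuse parsers downstream
            return False, f"duplicate parameter: {name}"
        seen.add(name)
        if not re.fullmatch(rule[name], value):
            return False, f"parameter {name} has an unexpected form"
    return True, "ok"
```

Because only declared parameters of the declared shape pass, an injected price field on the cart route or a non-numeric product id is rejected without any signature of the particular attack.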

Thus, within the created model, protecting the company from all kinds of threats and problems can be achieved through the following actions:

- the optimal choice of content management system (CMS);

- the use of hosting with sufficient reliability;

- the use of the necessary server software;

- timely actions that minimize the possibility of unforeseen problem situations arising on web sites.

The use of the proposed model for analyzing the security of an online store is an essential step towards comprehensive automation of one of the main functions of the system administrator (designer) of the network: providing the required level of security of the computer network in use (or being planned).

Further research is directed at the following aspects:

- qualitative improvement of the developed methodology and model for protecting online stores, their supplementation and expansion;

- practical application and implementation of the developed model in existing, functioning online stores;

- adaptation of the protection model to a wide range of web resources and web applications.

This master's work is not yet completed. Expected completion: May 2018. The full text of the work and materials on the topic can be obtained from the author or his supervisor after that date.
