Dedicated to security

IT SPECIAL: Terrorists are not the only ones who could hack into your web applications and rifle through your building designs. Mark Hansford finds out how to ensure your system is safe from unwelcome visitors.

E-commerce, e-procurement and project extranets are bringing increasing benefits for companies in terms of collaboration, sharing and communication, but there is a downside.

An online document store or procurement system is, in effect, a database reachable from the internet. Even with security controls in place, project documents are at risk of exposure to the outside world, and critical business applications could be disabled or compromised.

There are a number of different types of security attack that need to be identified, quantified and mitigated against, according to Felix Bauer, head of technology development at procurement solutions provider Indeco.

The easiest to perpetrate, yet very hard to guard against, explains Bauer, is a 'denial of service' attack. This slows down or disables a web or database server, denying access to users.

More severe is a 'sniff attack', which captures network traffic to obtain database passwords or private information that can then be used to alter, corrupt or steal data. Most severe is a 'spoofing attack', which falsifies a site to steal data or disrupt services.
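The sniff attack above works because anything sent over plain HTTP crosses the network in readable form. The following added example (not code from the article or from Indeco) shows what an attacker capturing traffic on the same segment would recover from a single login request to a hypothetical procurement server: it parses the raw request and pulls out credentials from both the Authorization header and the form body. The capture bytes, host name and field names are constructed for the example. Had the same request gone over HTTPS, only TLS records would be visible and nothing below would be recoverable.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample capture (not a real trace): the bytes a sniffer on the
# same network segment sees when a client logs in to a hypothetical
# procurement server over plain HTTP.
CAPTURED_HTTP = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: procurement.example\r\n"
    b"Authorization: Basic YWxpY2U6cGFzc3cwcmQ=\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 32\r\n"
    b"\r\n"
    b"username=alice&password=passw0rd"
)

# Form field names an attacker would look for; assumed, not from the article.
PASSWORD_FIELDS = ("password", "passwd", "pwd", "db_password")
USERNAME_FIELDS = ("username", "user", "login", "db_user")


def parse_http_request(capture: bytes):
    """Split a raw HTTP request into (request line, headers dict, body bytes)."""
    head, _, body = capture.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def extract_cleartext_credentials(capture: bytes) -> list[tuple[str, str, str]]:
    """Return (where found, username, password) for every credential sent in the clear."""
    _, headers, body = parse_http_request(capture)
    found = []

    # HTTP Basic auth is only base64, not encryption: decode it directly.
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic" and token:
        decoded = base64.b64decode(token).decode("utf-8", "replace")
        user, _, pwd = decoded.partition(":")
        found.append(("Authorization header", user, pwd))

    # Login forms send the password as an ordinary URL-encoded field.
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body.decode("latin-1"))
        user = next((fields[k][0] for k in USERNAME_FIELDS if k in fields), "")
        for key in PASSWORD_FIELDS:
            if key in fields:
                found.append((f"form field '{key}'", user, fields[key][0]))
    return found


if __name__ == "__main__":
    for where, user, pwd in extract_cleartext_credentials(CAPTURED_HTTP):
        print(f"{where}: user={user!r} password={pwd!r}")
```

Run against the constructed capture this reports the same username and password twice, once from the Basic header and once from the form body, which is exactly the database or application password Bauer describes a sniffer obtaining. The defence is not to hide the field names but to make the bytes unreadable in transit, which is the point of the HTTPS requirement later in the article.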

These attacks prey on a number of vulnerabilities which systems need to address, says Bauer, starting with the system installation.

'Most web applications come pre-installed on a non-dedicated server used by many companies,' he says. 'These installations are harder to tailor to the security needs of individual companies.'

Furthermore large numbers of users are accessing web applications through open ports.

'Both legitimate users and attackers will connect to the system via open ports, so it is important to keep the fewest possible ports open,' says Bauer.

'This can be better secured if companies and their suppliers work on their own dedicated web application and server.'
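Keeping the fewest ports open is only checkable if someone actually compares what is listening against what is supposed to be. The following added example (not code from the article or from Indeco) does that comparison for a dedicated application server: it parses a listing in the format of `ss -ltn`, ignores services bound only to the loopback address, and reports every other listener whose port is not on an allow list. The listing, the allow list (HTTPS and SSH) and the server layout are assumptions for the example.

```python
# Constructed sample output in the column layout of `ss -ltn` on a hypothetical
# dedicated application server (not a real listing).
# Columns: State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTENING = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
LISTEN 0      128    0.0.0.0:5432        0.0.0.0:*
LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*
LISTEN 0      128    [::]:8080           [::]:*
"""

# Assumed policy for this server: only HTTPS and SSH may accept connections
# from outside the host. Anything else reachable from the network is a finding.
ALLOWED_EXTERNAL_PORTS = {443, 22}


def parse_listening(ss_output: str) -> list[tuple[str, int]]:
    """Return (local address, port) for each listening socket in `ss -ltn` output."""
    sockets = []
    for line in ss_output.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 4:
            continue
        addr, _, port = parts[3].rpartition(":")     # rpartition copes with [::]:8080
        sockets.append((addr, int(port)))
    return sockets


def is_loopback(addr: str) -> bool:
    """True for sockets only reachable from the host itself."""
    return addr.startswith("127.") or addr == "[::1]"


def find_unexpected_listeners(ss_output: str,
                              allowed=frozenset(ALLOWED_EXTERNAL_PORTS)) -> list[tuple[str, int]]:
    """Listeners reachable from the network whose port is not on the allow list."""
    findings = [
        (addr, port)
        for addr, port in parse_listening(ss_output)
        if not is_loopback(addr) and port not in allowed
    ]
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for addr, port in find_unexpected_listeners(LISTENING):
        print(f"unexpected listener {addr}:{port}")
```

On the constructed listing the check flags plain HTTP on 80, the database on 5432 exposed on every interface, and a development port 8080, while the cache on 127.0.0.1:6379 passes because it is not reachable from the network. The database finding is the one that matters most for a procurement system: it should be bound to loopback or a private interface, or firewalled, not simply left for a password to protect.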

The key is for applications to have an integrated security system that combines intrusion detection with vulnerability assessment, with the application's provider controlling and monitoring the risk and taking action as necessary, explains Bauer.

'Systems should allow different levels and layers of security,' he says.

A robust security system will ideally incorporate four key security features across all areas and on different layers of the application: authentication, authorisation, integrity of data during transfer, and integrity of data during storage.

On most computer networks, authentication is still done with passwords. The weakness of this approach is that passwords can be stolen, guessed, accidentally revealed or forgotten.

For this reason, a more stringent authentication process based on a digital certificate is becoming popular. The certificate, often likened to an electronic 'credit card', contains the holder's name, a serial number, an expiry date, the holder's public key, and the digital signature of the issuing certificate authority, which is what allows the server to check that the certificate is genuine rather than forged.

Logically, authentication is followed by authorisation. In multi-user computer systems, a system administrator defines which users are allowed access to the system and what privileges of use they have (such as access to which file directories, hours of access, or the amount of allocated storage space).
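The authorisation step described above is a set of independent checks that must all pass: is the user's role allowed into this directory, with this right, at this hour, and within its storage quota. The following added example (not code from the article or from Indeco) implements that decision for a hypothetical project extranet with two roles, denying by default and normalising the requested path so that a `../` sequence cannot escape a directory the role was granted. The roles, directories, hours and quotas are constructed for the example.

```python
import posixpath
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class AccessPolicy:
    """What one role may do: per-directory rights, an hours window, a storage quota."""
    directory_rights: dict   # directory -> frozenset of "read" / "write"
    hours: tuple             # (earliest, latest) local time at which access is allowed
    quota_bytes: int         # total storage the role may hold on the system


MB = 1024 * 1024

# Constructed policies for a hypothetical project extranet (not from the article).
POLICIES = {
    "designer": AccessPolicy(
        {"/projects/bridge/drawings": frozenset({"read", "write"}),
         "/projects/bridge/site-reports": frozenset({"read"})},
        (time(6, 0), time(22, 0)), 2000 * MB),
    "contractor": AccessPolicy(
        {"/projects/bridge/drawings": frozenset({"read"}),
         "/projects/bridge/site-reports": frozenset({"read", "write"})},
        (time(7, 0), time(19, 0)), 500 * MB),
}


def authorise(role, action, path, when, used_bytes, upload_bytes=0):
    """Return (allowed, reason). Deny by default; every check must pass."""
    if isinstance(when, str):                      # accept an ISO timestamp from a request log
        when = datetime.fromisoformat(when)
    policy = POLICIES.get(role)
    if policy is None:
        return False, f"unknown role {role!r}"
    if action not in ("read", "write"):
        return False, f"unknown action {action!r}"

    # normpath collapses '..' components, so a traversal attempt resolves to
    # the directory it really points at before the directory check runs.
    clean = posixpath.normpath(path)
    if not clean.startswith("/"):
        return False, "path must be absolute"

    rights = None
    for directory, granted in policy.directory_rights.items():
        if clean == directory or clean.startswith(directory.rstrip("/") + "/"):
            rights = granted
            break
    if rights is None:
        return False, f"{clean} is outside the directories granted to {role}"
    if action not in rights:
        return False, f"{role} may not {action} in {clean}"

    earliest, latest = policy.hours
    if not earliest <= when.time() <= latest:
        return False, f"{role} may only access the system between {earliest} and {latest}"

    if action == "write" and used_bytes + upload_bytes > policy.quota_bytes:
        return False, f"storage quota of {policy.quota_bytes // MB} MB would be exceeded"
    return True, "ok"


if __name__ == "__main__":
    print(authorise("contractor", "read", "/projects/bridge/drawings/pier-3.dwg",
                    "2024-03-04T10:00", used_bytes=0))
    print(authorise("designer", "read", "/projects/bridge/drawings/../../../etc/passwd",
                    "2024-03-04T10:00", used_bytes=0))
```

The order of the checks is deliberate: the cheap, structural ones (known role, known action, path inside a granted directory) run before the time and quota checks, and the function never returns True by falling off the end. The traversal case in the demo is refused because the normalised path `/etc/passwd` is under none of the designer's directories, not because `..` was spotted as a string.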

At the next level, ensuring the integrity of data during transfer and storage is also of paramount importance. Data should only travel over the network in encrypted form, typically over HTTPS, which is ordinary HTTP carried inside a TLS connection so that passwords and documents cannot be read or altered on the way. Firewalls that are audited and regularly updated limit which hosts can reach the data store at all, but a firewall cannot tell whether a stored document has been changed: that also needs access controls on the store itself and a record against which stored files can be checked for unauthorised modification.
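One way to make stored-data integrity checkable, as an added example that is not code from the article or from Indeco: keep a manifest of SHA-256 digests for every document in the store and authenticate the manifest with an HMAC under a key held outside the store, for instance by the auditing service. An attacker who alters a document can only stay hidden by also producing a new manifest, which requires the key. The documents, paths and key below are constructed for the example; `snapshot_directory` shows how the same functions apply to files on disk.

```python
import hashlib
import hmac
import json
from pathlib import Path

# Constructed key for the example only. In practice it must not be readable by
# anyone who can write to the document store, or the manifest proves nothing.
MANIFEST_KEY = b"constructed-example-key-do-not-reuse"

# Constructed document store: relative path -> file contents.
STORE = {
    "bridge/drawings/pier-3.dwg": b"AutoCAD binary for pier 3 (constructed sample)",
    "bridge/site-reports/day-12.pdf": b"%PDF-1.4 site report day 12 (constructed sample)",
    "bridge/tender/boq.xlsx": b"bill of quantities (constructed sample)",
}


def file_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(files: dict) -> bytes:
    # Deterministic encoding so the same digests always produce the same HMAC input.
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(store: dict, key: bytes) -> dict:
    """Digest every stored file and authenticate the whole table with an HMAC."""
    files = {path: file_digest(data) for path, data in sorted(store.items())}
    tag = hmac.new(key, _canonical(files), hashlib.sha256).hexdigest()
    return {"files": files, "tag": tag}


def verify_manifest(store: dict, manifest: dict, key: bytes) -> dict:
    """Report whether the manifest itself is genuine and how the store differs from it."""
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    manifest_ok = hmac.compare_digest(expected, manifest["tag"])  # constant-time compare
    recorded = manifest["files"]
    return {
        "manifest_ok": manifest_ok,
        "modified": [p for p, d in recorded.items() if p in store and file_digest(store[p]) != d],
        "missing": [p for p in recorded if p not in store],
        "added": [p for p in store if p not in recorded],
    }


def snapshot_directory(root) -> dict:
    """Read a real document tree into the same path -> bytes form used above."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}


if __name__ == "__main__":
    manifest = build_manifest(STORE, MANIFEST_KEY)
    print("clean store:", verify_manifest(STORE, manifest, MANIFEST_KEY))
    tampered = dict(STORE)
    tampered["bridge/drawings/pier-3.dwg"] += b" with one rebar removed"
    print("tampered store:", verify_manifest(tampered, manifest, MANIFEST_KEY))
```

The report separates two failure modes a practitioner needs to tell apart. A bad `tag` with no listed differences means someone edited the manifest itself (or the key is wrong), so none of its digests can be trusted; a good tag with entries under `modified`, `missing` or `added` means the manifest is genuine and the store has drifted from it. Running the verification on a schedule from a host outside the application server is what turns a firewall-plus-password setup into one that can actually notice a changed drawing.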

However, managing user access remains the most effective way of combating security breaches. 'Despite rumours to the contrary, the greatest security threat to any organisation comes from within,' explains Bauer. 'Over 90% of security breaches are conducted by employees. Companies should carefully consider who is given access to what information and how that is to be administered.'
