From the September 2008 Issue
Web-based applications enable users to view or update information using Web browsers, such as Firefox and Internet Explorer, instead of downloading programs to their personal computers. They also are common targets for hackers, so assessors of college-campus security typically focus much of their risk-management efforts on finding potential weaknesses criminals might exploit.
In June, the Arizona Office of the Auditor General announced its investigators had found security flaws in the Web-based computer applications of Arizona's three public universities. Arizona State University, the University of Arizona and Northern Arizona University together use at least 205 Web-based applications to support educational and administrative functions.
"These computer systems process various types of information, such as contact information, Social Security numbers and credit card numbers, for nearly 25,000 faculty and staff, more than 122,000 students, some of the 625,000 alumni and others, including prospective students applying for admission," the Auditor General's report says.
In two Web applications, auditors found security weaknesses that would have enabled hackers to take control of several user accounts, including some accounts "with high-level access" to sensitive information. Auditors were able to obtain more than 10,000 records that included names and Social Security numbers, and they discovered another security flaw that would enable hackers to install malicious software.
Based on their limited testing, the auditors concluded that vulnerabilities likely exist in many more of the universities' Web-based applications. In written responses to the report, the presidents of all three universities announced plans to find and fix any network-security weaknesses.
Universities are not alone in relying on Web-based applications, and the payment-card industry has reached the same conclusion about their risk: one of the most recent updates to the Payment Card Industry Data Security Standard (PCI DSS) concerns Web applications.
PCI DSS requirement 6.6 applies to any merchant that exposes a Web application to the public. It gives merchants a choice of two controls: either have all custom application code reviewed for vulnerabilities, manually or with automated assessment tools, at least annually and after any change, or install a Web-application firewall in front of the public-facing application.
"I like 6.6 because it doesn't focus on an explicit list of threats," says Danny Allen, director of security research for IBM Rational, a software development and testing division of Armonk, N.Y.-based IBM Corp. "There's a recognition that common vulnerabilities are going to change over time."
Finding and correcting those vulnerabilities is part of Allen's job. "We have yet to come across a Web application we could not compromise," he says. To reduce the chance of a compromise, merchants should test applications for security flaws during each stage of development and then again periodically once the applications are in use, Allen says.