1) Field of the Invention
This invention pertains to the field of computer security, and more particularly, to a system and process for analyzing potential security flaws in an Internet Web site.
2) Description of the Related Art
Increasingly, Internet Web sites are being exposed to external attack, or “hacking,” which has been defined as the act of penetrating a closed computer system to gain access to knowledge and information that is contained within. Individuals attack Web sites for a variety of reasons. A report by the United States Federal Bureau of Investigation (FBI) indicates that the originators of proprietary information theft can be classified into six categories. The report shows 35% of the criminals were discontented employees, 28% hackers, 18% other U.S. companies, 11% foreign companies, 8% foreign governments, and 10% miscellaneous. Examples of some well-known attack methods include e-mail bombing, denial-of-service attacks, Trojan horses, worms, and simple back-door entry to a Web site. These attacks can not only cripple or shut down access to an attacked Web site, but can result in unauthorized access to confidential customer information, including access passwords, and even credit card account numbers. The resulting damage to a commercial Web site can easily run into the millions of dollars.
According to the most recent FBI report, cyber crimes increased from 547 in 1998 to 1,154 in 1999. The FBI and the Computer Security Institute (Silicon Valley) found that 62% of information security officials reported security breaches in 1999 (National Journal's Technology Daily). These break-ins resulted in $123 million losses from fraud, information theft, sabotage, and viruses.
Many companies use a proprietary base software product for conducting business and are focusing on tools for managing risk and controlling sabotage against their applications. According to a Cyber-source study of online E-tailers, 75% consider fraud to be a problem, and 62% consider it to be a serious problem. The NIPC, FBI, and United States Treasury, along with the President, have committed themselves to working alongside the private sector in putting these concerns to rest. Both the Economic Espionage Act of 1996 and the Theft of Trade Secrets Act (section 1832) have caused organizations to react promptly to damaging violations.
Yet this problem is still not controlled and is in need of counter-measures. In January of 2000, several denial-of-service (DOS) attacks were carried out against well-known E-commerce Web sites such as YAHOO® and E-BAY®. Incidents like this have brought the issue of Web site security directly into the public limelight. Of all the individuals polled on the question of online banking, 65% stated that security was the main concern.
Maintaining control of electronic fraud can be a time-consuming process for E-commerce companies, banks, brokerage firms, and electronic billing/payment providers. Neither network administrators nor Web-masters have the proper tools to detect Web-based vulnerabilities. Tools that handle the complexity of the information, the separate system options, the assessment of how significant a penetration is, and the decision on corrective action are not prevalent in today's workplace. On-line fraud has a special significance for an E-commerce site. The fear of security exploits can cause a negative impact on consumer confidence in an E-commerce site, which ultimately destroys the brand's image.
To prevent such attacks, Web site administrators manually search for and close potential security holes in their own Web sites. Because most Web sites undergo changes over time, and because new vulnerabilities and attack techniques are continually being developed, the Web site administrators must continually probe their sites for security weaknesses. This is time-consuming and fraught with the likelihood of undetected security flaws.
As the Internet continues to expand, more and more Web sites are being developed and operated by less experienced and less trained personnel. It becomes more and more difficult for all of these individuals to be knowledgeable in all of the latest techniques for hacking a Web site. This increases the potential for Web site security flaws to exist which can be exploited by hackers.
Accordingly, there is a need for an advanced Web security analysis system and process that can be used by Web site developers and administrators to identify security flaws in their Internet Web sites. It would also be advantageous to provide such a system and process which can be used by third party individuals who lack specific knowledge of an individual Web site's architecture and design. It would be further advantageous to provide such a system and process which is automated, and which performs a security check without significant manual user intervention. Other and further objects and advantages will appear hereinafter.