versions, etc.) This can all be put in an error log and viewed securely
by a support team.
SQL injection
This is a technique whereby an attacker can run a database search that
the software would not normally allow, by manipulating the input to
the application. This is not difficult to prevent if developers are
thinking about security, so that the system only ever runs validated
input that it is expecting.
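The following is an added example, not code from the original text, showing the two sides of the point above: a query built by splicing user input into the SQL text, beside the same query written with a bound parameter, plus an allow-list validator of the kind the paragraph recommends. The in-memory table, the clinician identifiers and the sample input are all constructed for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory database with a few sample rows (demonstration data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, clinician TEXT)")
    conn.executemany(
        "INSERT INTO patients (name, clinician) VALUES (?, ?)",
        [("Alice", "dr_smith"), ("Bob", "dr_smith"), ("Carol", "dr_jones")],
    )
    return conn


def find_patients_vulnerable(conn, clinician):
    """Input is concatenated into the SQL text, so the caller controls the query structure."""
    sql = "SELECT name FROM patients WHERE clinician = '" + clinician + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_patients_safe(conn, clinician):
    """Parameter binding: the value is passed to the driver separately and is never parsed as SQL."""
    sql = "SELECT name FROM patients WHERE clinician = ?"
    return sorted(row[0] for row in conn.execute(sql, (clinician,)))


# Allow-list for the identifier format the application actually expects (assumed format).
CLINICIAN_ID_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def is_valid_clinician_id(value):
    """Reject anything that is not a plain identifier before it reaches the database layer."""
    return bool(CLINICIAN_ID_RE.match(value))


# Constructed input of the kind the text warns about: it is not an identifier, and the
# validator rejects it; the parameterised query treats it as a literal string and matches nothing.
SUSPECT_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("validated:", is_valid_clinician_id("dr_jones"), is_valid_clinician_id(SUSPECT_INPUT))
    print("safe lookup:", find_patients_safe(db, "dr_jones"))
```

The safe version never changes the shape of the query regardless of the input; combining it with the allow-list check gives the "only ever runs validated input" behaviour the text describes, rather than relying on either measure alone.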
Concurrent sessions
Users should not be able to log into the system more than once at any
given time.
Web server advertises version information in headers
Revealing the version of the server software currently running makes
it easier for hackers to search for vulnerabilities for that version.
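As an added example (not from the original text), a small check that a support or test team could run over a server's response headers to flag the version disclosure the paragraph describes. The header names are the common ones that carry product versions; the sample responses are constructed, not captured from any real host, and the fetch helper assumes the server can be reached over HTTPS.

```python
import http.client
import re
from urllib.parse import urlsplit

# Headers that commonly carry product and version strings.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
# A bare product name ("Apache") is tolerable; a dotted version number is what we flag.
VERSION_RE = re.compile(r"\d+\.\d+")


def find_version_disclosure(headers):
    """Return (header, value) pairs whose value reveals a version number.

    headers: a mapping of header name to value; names are compared case-insensitively.
    """
    findings = []
    for name, value in headers.items():
        if name.lower() in DISCLOSING_HEADERS and VERSION_RE.search(value):
            findings.append((name, value))
    return findings


def fetch_headers(url, timeout=10):
    """Issue a HEAD request to a server you are authorised to test and return its headers."""
    parts = urlsplit(url)
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443, timeout=timeout)
    conn.request("HEAD", parts.path or "/")
    response = conn.getresponse()
    headers = dict(response.getheaders())
    conn.close()
    return headers


# Constructed sample responses illustrating a leaky and a hardened configuration.
LEAKY_RESPONSE = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html",
}
HARDENED_RESPONSE = {"Server": "Apache", "Content-Type": "text/html"}

if __name__ == "__main__":
    print("leaky:", find_version_disclosure(LEAKY_RESPONSE))
    print("hardened:", find_version_disclosure(HARDENED_RESPONSE))
```

On the server side the fix is a configuration setting rather than code: Apache's `ServerTokens Prod` and nginx's `server_tokens off;` reduce the `Server` header to the bare product name, and application frameworks generally have an equivalent switch for `X-Powered-By`.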
Even if a system has been found to have no known vulnerabilities during
testing, there are further steps that can be taken to minimise any risks.
Regular security re-testing, at least at each version release - this, of
course, costs money to maintain.
Use of virtual private clouds, where private data are clearly segregated.
Use of IP filtering at the firewall to reject any IP address other than the
approved ones. Although IP addresses can be spoofed, a hacker would
need to know the correct ones to spoof.
Use of appropriate validated authentication standards, obviating the
need for services to provide their own ad hoc systems.
Use of remote encryption key servers, which would prevent even the
vendor hosting the software from being able to view the private data
they are hosting.
Use of two factor authentication. Many users will use the same short
password for every service, meaning that once an attacker has found a
user name and password at one site, they can quickly try it at many
others. Two factor authentication usually takes the form of a device
that can give a seemingly random number that changes on a regular
basis which would need to be entered along with the traditional user
name and password.
The use of appropriate insurance to provide some financial
compensation if a service is down or breached.