
Website Security

IRCAR201404210
Date: 2014-04-16

Introduction

Every community organization, corporation, business, or government agency relies on an outward-facing website to provide information about themselves, announce an event, or sell a product or service. Consequently, public facing websites are often the most targeted attack vectors for malicious activity. Web server attacks include:

·         Exploitation of software bugs in the web server

·         Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks

·         Compromising "backend" data through injection attacks, such as Structured Query Language (SQL) injection and Lightweight Directory Access Protocol (LDAP) injection, and attacking the site's users through cross-site scripting (XSS)

·         Website defacement for malicious purposes

·         Using compromised web server capabilities to attack external entities

·         Using a compromised web server to distribute malware.

There are a number of challenges associated with securing a web server, because not only does the operating system need to be secured but so do the web applications and services running on it. One of the most difficult aspects is often keeping abreast of new and emerging vulnerabilities in both the operating system and the web applications, and keeping those systems patched and up to date.

 

Mitigation Strategies

The purpose of this document is to provide basic guidelines and security safeguard concepts that can be applied to public facing websites to reduce the attack surface area or mitigate the effects of a compromise. It is recommended that organizations routinely conduct a risk assessment on their environment to identify weaknesses or vulnerabilities.

·         Web Server Security:

o    Recommended web server security.

§ Ensure that web server host systems are built with only essential applications and components required to perform their intended functions. All other applications should be removed or disabled. For example, a web server does not require web browsing capability and if a web server is not performing FTP functionality there is no need to have that service running. Removing or disabling any unused components will reduce the attack surface area.

§ Web servers should be designed with very strict access to any back end data.

§ Web SQL services:

          Do not let applications connect to the database with a privileged account; give each application a dedicated account with only the rights (tables, operations) it needs.

          Validate input for length, range, format, and type.

          Restrict input to lists of acceptable characters and deny any other characters not on the list.

          Limit the use of dynamic SQL code. Use prepared statements, queries with parameters, or stored procedures whenever possible.

o    Recommended Operating System Security:

§ Accounts that enable access to the underlying operating system of the web server should follow the concept of least privilege and should be unique to each individual. A single shared admin account defeats non-repudiation and limits forensic capability if a compromise occurs. Also, a web server should be considered a critical service and thus should require two-factor authentication.

§ Enforce a strong password creation policy for administrators such as:

          Minimum password length of 15 characters for privileged accounts.

          Use of strong passwords requiring alphanumeric, uppercase, lowercase, and special characters.

          Require recurring password changes at least every 90-180 days. (Note that more recent guidance, NIST SP 800-63B, recommends changing passwords when there is evidence of compromise rather than on a fixed schedule.)

          Enable password history limits to prevent the reuse of previous passwords.

          Prevent the use of personal information in usernames and passwords, such as phone numbers, dates of birth, and firstname.lastname.

          Require the use of passphrases instead of passwords.

§ Change all default usernames and passwords.

§ Disable or delete all unused accounts such as Guest accounts.

§ Disable credential caching for critical systems if possible.

o    Keep web servers patched and up to date.

o    Monitor mailing lists and/or websites for security related announcements.

o    Web servers should be built on isolated hardware or on secure multi-tenant virtualization with direct communication between guests disabled. This can help limit the damage when a single service is compromised, by preventing it from spreading to other services, as well as reduce the attack surface of each individual service.

o    Employ web authentication and transport encryption (TLS; SSL 2.0 and 3.0 are obsolete and should be disabled) based upon the nature of the web server data (e.g. sensitive, private, confidential, etc.).

o    Employ revision control processes to document all changes being made to the system, application, or web content.
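The "Web SQL services" bullets above (least-privilege database access, allow-list input validation, and parameterized queries instead of dynamic SQL) in working form. This is an added example, not code from the original page or from US-CERT; the users table, its sample rows, the username character set, and the use of SQLite's query_only pragma as a stand-in for a least-privilege database account are all assumptions made for the demonstration.

```python
"""Added example: string-built SQL beside a parameterized, allow-listed lookup.

Not code from the original page; the users table, names and sample rows are
constructed for the demonstration.
"""
import re
import sqlite3

# Constructed sample data standing in for the "backend" database.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def restrict_to_reads(conn: sqlite3.Connection) -> None:
    # Stand-in for a least-privilege database account (assumption): SQLite has
    # no user accounts, so query_only makes this connection reject every write.
    conn.execute("PRAGMA query_only = 1")


# Allow-list validation: 1-32 characters from a fixed set; anything else is rejected.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None


def lookup_unsafe(conn, username: str):
    # Dynamic SQL: the input is spliced into the statement text, so a quote in
    # the input changes the query instead of the value being compared.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username: str):
    # The driver sends the value separately from the SQL text; quotes in the
    # input are data, never syntax.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def lookup_hardened(conn, username: str):
    # Validation plus parameters: reject input that cannot be a username at all,
    # then query with a parameter so even an accepted value cannot alter the SQL.
    if not validate_username(username):
        raise ValueError("username rejected by allow-list")
    return lookup_parameterized(conn, username)


def write_attempt_succeeds(conn) -> bool:
    # Shows whether the connection still lets an (injected) write through.
    try:
        conn.execute("INSERT INTO users (username, role) VALUES ('mallory', 'admin')")
        return True
    except sqlite3.OperationalError:
        return False


if __name__ == "__main__":
    db = build_demo_db()
    payload = "x' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, payload))                # every row leaks
    print("parameterized:", lookup_parameterized(db, payload))  # []
    restrict_to_reads(db)
    print("write allowed:", write_attempt_succeeds(db))        # False
```

The unsafe lookup returns the whole table for the classic `' OR '1'='1` payload; the parameterized one returns nothing because the payload is compared literally. The allow-list is a second, independent layer: it rejects the payload before any query runs, but parameters alone are what make the query safe, which is why the hardened function uses both.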
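A checker that enforces the administrator password policy listed above (minimum length, character classes, no personal information, no reuse from history, passphrases). This is an added example, not code from the original page; the identity record, the depth of the password history, the PBKDF2 parameters, and the reading of "passphrase" as "at least three words" are this example's own assumptions.

```python
"""Added example: a checker for the administrator password policy listed above.

Not code from the page. The numbers come from the policy list (15 characters,
four character classes, history, no personal data); the passphrase rule is
implemented as "at least three words", which is this example's own reading.
"""
import hashlib
import hmac
import os
import re
import string
from typing import List, Optional, Tuple

MIN_LENGTH = 15
MIN_WORDS = 3           # assumption: what "passphrase" means for this checker
HISTORY_DEPTH = 10      # assumption: how many previous hashes are kept
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 digest; the history stores these, never the plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def is_reused(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    recent = history[-HISTORY_DEPTH:]
    return any(
        hmac.compare_digest(hash_password(password, salt)[1], digest)
        for salt, digest in recent
    )


def personal_tokens(identity: dict) -> List[str]:
    """Strings that must not appear in the password (matched case-insensitively)."""
    first, last = identity["first"].lower(), identity["last"].lower()
    digits_only = lambda s: re.sub(r"\D", "", s)
    tokens = [first, last, f"{first}.{last}", f"{first}{last}",
              digits_only(identity["phone"]), digits_only(identity["dob"])]
    return [t for t in tokens if len(t) >= 3]


def check_password(password: str, identity: dict, history: list) -> List[str]:
    """Return the policy rules the candidate violates (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if not all(classes):
        problems.append("classes")
    if len(password.split()) < MIN_WORDS:
        problems.append("passphrase")
    lowered = password.lower()
    if any(t in lowered for t in personal_tokens(identity)):
        problems.append("personal")
    if is_reused(password, history):
        problems.append("reused")
    return problems


# Constructed identity for the demonstration.
DEMO_IDENTITY = {"first": "Jane", "last": "Doe", "phone": "+1 555 123 4567", "dob": "1980-07-04"}

if __name__ == "__main__":
    history = [hash_password("Correct-Horse Battery 7 staple!")]
    for candidate in ["Correct-Horse Battery 7 staple!",
                      "jane.doe Summer 2014!",
                      "Granite Lantern 42 orbit!"]:
        print(repr(candidate), "->", check_password(candidate, DEMO_IDENTITY, history) or "accepted")
```

The history check compares salted hashes with a constant-time comparison rather than storing old passwords, so the history itself is not a second copy of the secrets it protects. Personal-information matching strips formatting from the phone number and date of birth, so `5551234567` is caught whether the user typed it with spaces or not.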

·         Secure Web Services:

Below is a list of possible mitigations an organization can consider to further secure web services and applications. Not all items will be applicable to all organizations; a balance must be struck between the cost and benefit of each mitigation and the risk an organization is willing to accept for its web services.

o    Enable extensive logging and collect the IP address of the system accessing the service, the username, the resource accessed, account privilege changes, whether the attempt was successful or not, and other potential suspect activities. Unusual/questionable access must be reported immediately and will require investigation.

o    Data service replication – DoS and DDoS attacks are not new, but they are still occurring and have become a favorite attack method of some groups, so it is in the best interest of any organization to have applications and data replicated or backed up on a recurring basis, preferably to offline storage. Offline copies cannot be tampered with by an attacker who controls the live system, and they provide the means to rebuild the service on other platforms if the data and applications need to be moved.

o    Logging services are critical to provide non-repudiation and accountability for any transaction performed on a server. Logging is also critical in identifying malicious activity after a compromise has occurred, as well as potentially identifying malicious activity while it is occurring. How much logging to enable and how often to archive the logs will be determined by how much storage space is available in your environment and how active your network is. Additional services or software may be required to support the level of security, accountability, and non-repudiation that your environment requires.

o    Secure software development and design – Secure software development is one of the most critical aspects of application security, simply because the fewer built-in vulnerabilities an application has, the less likely it is to be compromised. Another aspect of secure software is maintaining its security over time. This is accomplished through recurring patching and monitoring vulnerability databases for newly published vulnerabilities in the components the application uses.

o    Securing web server infrastructure – Web servers should be located inside a secure Demilitarized Zone (DMZ) with one-way trust relationships: the DMZ may trust the internal network, but the internal network does not trust communications originating from the DMZ. Also restrict any communications or requests from web servers to internal resources to the specific hosts and ports they actually need (for example, the database server on its service port only).
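The logging bullets above list what to record (source IP, username, resource, privilege changes, success or failure) and say that unusual access must be flagged. As an added example that is not part of the original page, the block below writes such records as JSON lines and runs two detections over them: a sliding-window count of failed logins per source IP, and a check for a successful login from an IP that was already flagged. The log format, field names, sample records, IP addresses, and the five-failures-in-five-minutes threshold are all constructed for this demonstration.

```python
"""Added example: structured access/auth logging and two detections run over it.

Not code from the original page. The log format, field names, sample records,
the five-failures-in-five-minutes threshold and the IP addresses are all
constructed for this demonstration.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone


def log_event(ts, src_ip, user, resource, action, success, detail=""):
    """One JSON log line carrying the fields the guidance asks for."""
    record = {"ts": ts, "src_ip": src_ip, "user": user, "resource": resource,
              "action": action, "success": success, "detail": detail}
    return json.dumps(record, sort_keys=True)


# Constructed sample log: a password-guessing burst that ends in a successful
# login, a benign pair of attempts from another client, and a role change.
SAMPLE_LOG = [
    log_event("2014-04-16T09:00:01Z", "203.0.113.7", "admin", "/login", "login", False),
    log_event("2014-04-16T09:00:09Z", "203.0.113.7", "admin", "/login", "login", False),
    log_event("2014-04-16T09:00:15Z", "198.51.100.20", "bob", "/login", "login", False),
    log_event("2014-04-16T09:00:18Z", "203.0.113.7", "admin", "/login", "login", False),
    log_event("2014-04-16T09:00:27Z", "203.0.113.7", "admin", "/login", "login", False),
    log_event("2014-04-16T09:00:31Z", "198.51.100.20", "bob", "/login", "login", True),
    log_event("2014-04-16T09:00:36Z", "203.0.113.7", "admin", "/login", "login", False),
    log_event("2014-04-16T09:00:50Z", "203.0.113.7", "admin", "/login", "login", True),
    log_event("2014-04-16T09:01:10Z", "203.0.113.7", "admin", "/admin/users",
              "privilege_change", True, "role admin granted to bob"),
    log_event("2014-04-16T09:02:00Z", "192.0.2.44", "carol", "/index.html", "request", True),
]


def parse_log(lines):
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def failed_login_bursts(events, threshold=5, window_seconds=300):
    """Map source IP -> time of first alert, for IPs with at least `threshold`
    failed logins inside a sliding window of `window_seconds`."""
    recent = defaultdict(deque)
    flagged = {}
    for e in events:
        if e["action"] != "login" or e["success"]:
            continue
        q = recent[e["src_ip"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and e["src_ip"] not in flagged:
            flagged[e["src_ip"]] = e["ts"]
    return flagged


def success_after_burst(events, bursts):
    """(src_ip, user) pairs whose login from a flagged IP succeeded after the
    alert: the strongest sign that the guessing worked."""
    hits = []
    for e in events:
        alert_ts = bursts.get(e["src_ip"])
        if alert_ts is not None and e["action"] == "login" and e["success"] and e["ts"] >= alert_ts:
            hits.append((e["src_ip"], e["user"]))
    return hits


def privilege_changes(events):
    """Every privilege change, with who made it and from where."""
    return [(e["src_ip"], e["user"], e["detail"]) for e in events if e["action"] == "privilege_change"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    bursts = failed_login_bursts(evs)
    print("failed-login bursts:", {ip: ts.isoformat() for ip, ts in bursts.items()})
    print("success after burst:", success_after_burst(evs, bursts))
    print("privilege changes:", privilege_changes(evs))
```

Recording success and failure as a separate field, rather than only logging errors, is what makes the second detection possible: the successful login at 09:00:50 is unremarkable on its own and only becomes an incident indicator when correlated with the burst of failures that preceded it from the same address. The privilege change that follows is the kind of event the guidance says to report immediately regardless of context.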

In conclusion, web servers and services are responsible for providing web content and are a necessary component for many businesses and organizations. The extended loss of these services can have catastrophic results. Because of this, it is essential to treat them as critical assets and protect them as such.

Resource:

www.us-cert.gov

Created: 18 Mordad 1393 (9 August 2014)