by Michael Cobb
Keeping a Web site secure is not just a case of relying on a firewall or hoping that a few short-term fixes will stop a problem from re-emerging. It is a continuous undertaking. By following a structured approach, you can make your security management tasks easier and increase your chances of success.
The initial hardening and configuration of your server is based solely on facts known at the time of set up. Reassessing a system on a continuous basis ensures that its security adapts and evolves to keep up with changes in technology that can affect the system and reduce the effectiveness of future attacks.
A lifecycle management process uses a standardized, repeatable set of procedures to upgrade, reassess and defend a site. Standardization ensures proper control over configurations of software and that tasks are executed in an orderly and predictable manner. Standardization also ensures no tasks are forgotten or left uncompleted. With well-defined policy guidelines an organization also ensures that responses to problems are suitably covered.
Lifecycle management means taking a long-term view and implementing proactive as well as reactive policies. For example, periodic vulnerability assessments ensure that you remain secure (proactive) and assess whether your policies support quick incident response (reactive). Always make sure those responsible for security have the training and the time to do the job. There is no point having regularly scheduled log reviews performed by someone who does not have the time or knowledge to analyze them effectively.
Vulnerability assessments are a critical process in the security lifecycle. They determine the security bill of health for your system. They should be planned as a regular part of your security maintenance procedures because vulnerabilities are continuously being discovered. You can use the same or similar tools to those of hackers to ensure your site is secure from attacks employed in the wild. My recommendations for free tools are:
- Network Mapper (Nmap) from www.insecure.org/nmap
- Nessus from www.nessus.org
- Microsoft Security Baseline Analyzer available from www.microsoft.com/technet/security/tools/mbsahome.mspx
Responding to an intrusion
Despite your best efforts, your server may be successfully attacked. First, consult your security policy, which should outline procedures for responding to the compromise. If you do not have a security policy, immediately consult with management to ensure the recovery effort is coordinated with other departments such as the media and legal teams.
Next, regain control of your system. Disconnect all compromised machines from the network, including any dial-in connections to prevent the intruder from defeating your attempts to recover the machines. After that, you may wish to operate in single-user mode in Unix or as the local administrator in Windows, to ensure that you have complete control of the machine. This will prevent users, intruders and intruder processes from accessing or changing state on the compromised machine while you continue the recovery process. Note, however, that if you reboot you may lose some useful information, because all processes executing at the time of discovery will be killed. Therefore, you may want to determine if the compromised system is running a network sniffer in order to remove it before rebooting. If you are dealing with a mission-critical application, you probably cannot wait for the outcome of a detailed post-mortem to determine how the compromise occurred, so create a backup of your system. This will provide a "snapshot" of the file system at the time that the compromise was first discovered. You can refer to this backup in the future when analyzing the intrusion. You may also wish to contact law enforcement agencies to investigate the case.
To recover from the intrusion you must install a clean version of the OS and ensure all unnecessary services are disabled. Next, consult CERT advisories, summaries and vendor bulletins for the latest configuration guidelines for your OS, the services you are running and any security tools being used. Ensure that you install all vendor security patches and that all passwords are changed. Enable maximum logging for a while in case you are subject to another attack. Before you restore data from backups ensure that they have not been compromised by the attack.
Finally, as your Web site has been compromised, you must obviously look to enhance the security of your system and network before reconnecting it to the Internet. You will need to update your security policy to document the lessons learned and incorporate the changes made to the system. You should also calculate the cost of the incident to help with future risk analysis cost return calculations.
An excellent checklist and steps to follow to recover from a Unix or Windows system compromise is available at http://www.cert.org/tech_tips/root_compromise.html.
This was first published in June 2005