Your company's Web site is one of the first places a hacker will look for misconfigurations, poorly written code and vulnerable services. If you house your own Internet-facing Web server, and it's connected to your internal network, it's worth your time to investigate the security controls in place that protect this server. This is even more critical if your company has an online store or account management system.
When operating system patches are released and tested in your environment, your Web servers should be the first servers patched. Exploit code is becoming more readily available to anyone within days of a vulnerability being discovered. A few days after it's been in the hands of hackers, a scripted attack is likely to take place that could successfully attack your unpatched Web server. This gives very little time to test and install patches for such vulnerabilities, so you should devise a deployment plan prior to patch release.
Read more
Protecting the network from Web-based service attacks with defense-in-depth
In this week's tip, Mike Chapple explains how to build a multilayered defense to protect the network from Web-based service attacks.
Looking at Web code itself, there are several ways hackers can manipulate the URL of a Web site to perform SQL injection, directory traversals, buffer overflows, etc. There are two common methods to defend against these types of vulnerabilities. One is to have your Web code reviewed by a person or a tool in an effort to identify and correct vulnerabilities. Or you can install an application firewall that examines the input from the user and verifies that it is not malicious or malformed before allowing it to pass to the backend application. Blue Coat Systems Inc. and Sanctum Inc. are two vendors of such products, both worth looking into, especially if you don't think you can retrain your programmers to write secure code.
If you use a Web site to sell products or provide financial services, it is of utmost importance to check the data being submitted to the server that processes the online order. If your security simply relies on the price or account information shown to the user on the Web page, this can be manipulated very easily using free proxy tools running on the attacker's PC. Such tools allow the attacker to change the information being submitted to your server, removing all restrictions enforced by the Web page itself. A $50 book could be changed to $1, and a bank account number could be changed to someone else's in an effort to transfer funds or show balances of other accounts.
Depending on how you handle information submitted by end users, you'll likely have some way of validating the information coming from the user. For instance, most programs can be written to check the submitted data for inappropriate characters and length before the data is processed. This validation should be performed on the backend instead of putting constraints on a Web page's input fields, which can be bypassed using the proxy tools mentioned above.
Web servers are the number one way into a company's network from the outside. By enforcing adequate security on these servers you'll be addressing one of the riskiest areas of your network.
Missed part of this series? Check out the online archive.
About the author
Vernon Haberstetzer, president of security seminar and consulting company i.e.security, has seven years of in-the-trenches security experience in healthcare and retail environments.
