When operating system patches are released and tested in your environment, Web servers should be the first servers patched to prevent a Web server hack. Exploit code is becoming more readily available to anyone within days of a vulnerability discovery. A few days after it's been in the hands of hackers, a scripted attack is likely to take place that could successfully attack your unpatched Web server. This gives little time to test and install patches for such vulnerabilities, so it's important to devise a deployment plan prior to patch release.
Looking at Web code itself, there are several ways hackers can manipulate the URL of a website to perform SQL injection, directory traversals, buffer overflows, etc. There are two common methods to defend against these types of vulnerabilities. One is to have your Web code reviewed by a person or a tool in an effort to identify and correct vulnerabilities. Or you can install an application firewall that examines user input to verify that it is not malicious or malformed before allowing it to pass to the backend application. Blue Coat Systems Inc. and Sanctum Inc. are two vendors that offer such products, which may be worth looking into, especially if you don't think you can retrain your programmers to write secure code.
If you use a website to sell products or provide financial services, it is of utmost importance to check the data being submitted to the server that processes the online order. If your security simply relies on the price or account information shown to the user on the webpage, this can be manipulated easily using free proxy tools running on an attacker's PC. Such tools allow the attacker to change the information being submitted to your server, removing all restrictions enforced by the webpage itself. A $50 book could be changed to $1, and a bank account number could be changed to someone else's in an effort to transfer funds or show balances of other accounts.
Depending on how you handle information submitted by end users, you'll likely have some way of validating end-user information. For instance, most programs can be written to check the submitted data for inappropriate characters and length before the data is processed. This validation should be performed on the back-end instead of putting constraints on a webpage's input fields, which can be bypassed using the proxy tools mentioned above.
Web servers are the number one way into a company's network from the outside. By securing Web servers enforcing adequate Web server protection, you'll be addressing one of the riskiest areas of your network and preventing a potentially extremely harmful attack.
About the author
Vernon Haberstetzer, president of security seminar and consulting company i.e.security, has seven years of in-the-trenches security experience in healthcare and retail environments.
HACKER ATTACK TECHNIQUES AND TACTICS
Introduction: Hacker attack tactics
How to stop hacker theft
Hacker system fingerprinting, probing
Using network intrusion detection tools
Authentication system security weaknesses
Improve your access request process
Social engineering hacker attack tactics
Secure remote access points
Securing your Web sever
Wireless security basics
How to tell if you've been hacked
