
ecomm book hack proofing your ecommerce site part 10 doc




DOCUMENT INFORMATION

Basic information

Pages: 68
Size: 623.81 KB

Content

Hack Proofing Your E-Commerce Site Fast Track • Appendix B 595

Code Signing: Solution or More Problems?

• Digital signatures can be used to guarantee the integrity of files and that the package being installed is authentic and unmodified. This signature is attached to the file being downloaded. The signature identifies who is distributing the files and shows that they were unmodified since being created. The certificate helps to keep malicious users from impersonating someone else.

• A major problem with code signing is that you must rely on a third party for checking authenticity. If a programmer provided fake information to a CA or stole the identity of another individual or company, then it would be possible to effectively distribute a malicious program over the Internet. Another problem is if valid information is provided to the CA, but the certificate is attached to software with bad or malicious code.

• Using software such as Microsoft Certificate Server, you can create your own digital certificates for use on a network. This allows someone to self-sign their code with their own CA, and make it appear that the code is valid and secure. You should verify the validity of the CA before accepting any files to avoid installing a hacker's code onto your system.

Should I Outsource the Design of My Site?

• You should determine what information will need to be provided for the contractor to do her job right without compromising the security of your network, and you should also determine what security policies will be used for the Web server to keep the contractor from accessing unauthorized data (and whether these policies will impact existing policies).

• A very real complication in outsourcing is that who you hire may not be who does the work. When determining whom to hire, you should inquire as to whether they will do the job themselves or use outside contractors.

www.syngress.com Chapter 3 Continued 134_ecomm_appB 6/19/01 11:57 AM Page 595

• Accepting another person's design without checking to see if there are any existing security vulnerabilities or problems is foolish. You will need to go through each page of the site to view the source code and determine whether that information represents a security threat.

• Before making the site public, you should view content, run scripts, applets, components, and other programs on a test server. You should also use more than one type of browser when checking your site for problems. Last, you should ensure that any software on the machine has the latest patches and security packs applied to them.

❖ Chapter 4: Designing and Implementing Security Policies

Why Are Security Policies Important to an E-Commerce Site?

• Failing to implement cost-effective security solutions affects the profitability of your site from several perspectives. Insufficient security can lead to expenses from downtime, lawsuits, or data loss; security that is too extreme can inhibit productivity, constrict customer interaction, or require too much in the way of administration costs. Profitability lies somewhere in the middle, and that somewhere is different for every e-commerce venture.

• Security policies should exist to help others make good decisions, not to get in the way of productivity. Cost-effective security doesn't spend more to protect an asset than it's worth to the business, although its value to a particular business may be more or less than the actual market or street value. Security improvements generally have an inverse relationship with productivity, but both end up costing money if taken to the extreme.

• As you develop the policy, try to be brief. The longer the policy, the less likely that users will read it. The policies need to be clear, doable in your environment, and enforceable. Generally, if the policy specifies the "what" without specifying the "how," supporting departments are granted greater leeway to develop innovative solutions to problems and still stick to the overall security goals. Defining words in simple terms before they are used prevents differing interpretations later on.

What Elements Should My Security Policy Address?

• A comprehensive security policy is actually made up of several individual policies, each of which targets unique lateral aspects of the site's business processes. The individual policies work together to provide three basic assurances for the site: confidentiality, integrity, and availability of data.

• To be certain that your site is not handing out confidential information to impersonators, you should authenticate customers as well as assuring your site's identity to them. A site SSL certificate doesn't tell the server anything about the client's identity, which could be impersonating your real customer. The security policy defines client authentication requirements for your site.

• Most external theft of data from Web sites occurs because the data is not properly encrypted or stored after the Web server has received it. Security policy should be clear about requirements for encryption at every stage of processing, from client browser to Web server, to application server, to database. The policy needs to require session management that prevents others from viewing pages that are part of another user's session.

• Protecting information while it is stored on your site means protecting the servers themselves by defining specifically what a secure server, or bastion host, should look like. A bastion host is a computer system with special modifications that fortify its ability to withstand a targeted attack. The security policy specifies the steps to take to produce a bastion host from an initially installed operating system.

• Quality assurance policies specify enforcement mechanisms that include change control, auditing, reporting, and intrusion detection. Availability of service policies specify uptime requirements, acceptable use guidelines, and disaster recovery procedures.

Are Any Prewritten Security Policies Available on the Net?

• The companies that are most successful at implementing security policies are those that avoid the "do it and forget it" mentality and somehow convince all the employees that security belongs to each of them, that it is an ongoing function of doing business, and that success of the company depends on it. Beyond that, the content of the security policies will vary as greatly as businesses themselves do.

• If you are determined to do the work in-house, start with an outline of items that must be covered somewhere in the policy and begin fleshing it out after obtaining the necessary input from others. The Internet is a good resource for locating templates to begin the process. If you don't have time to write one yourself, you can hire a security company to do the legwork for you. If a security consultant tries to sell you a canned policy without spending considerable time investigating your business culture, management goals, and unique business aspects, run away fast, because you'd be wasting your money.

How Do I Use My Security Policy to Implement Technical Solutions?

• The task of enforcing the policy begins by implementing technical solutions to perform that enforcement at every tier of security within the company. Perimeter security primarily concerns itself with lower protocol layers where policy can be enforced by limiting traffic flows at those layers. Host and applications security represents the upper protocol layers, where session controls and application security can be used for enforcement. Network security mechanisms fill in any gaps between the two and perform logging and auditing enforcement functions.

• If a policy requires a certain network transport, enforcement mechanisms include a firewall at the perimeter, access lists on network routers internally, and session-based controls on the host or application.

How Do I Inform My Clients of My Security Policies?

• Electronic selling is still selling, just the same. E-commerce lends itself wonderfully to everything about selling except the first thing customers expect to see when they walk in the door. Disclosure of security policy is a way to build customer confidence by putting a kinder, gentler face on at least a portion of your site.

• Disclose the components of your site's security policy that will assure customers of the safety of their transactions, but don't do it with great fanfare. A small link that takes customers to a page detailing what they want to know meets the need without overdoing it.

• Customers choose to do business with companies that are successful in projecting an image of being the helping hand that guides them, the one that's in their corner, the one that can meet their need and be trusted. In the end, the successful e-commerce ventures will be the ones that sell this same image to their customers as hard and fast as the physical products or services those customers are buying.

❖ Chapter 5: Implementing a Secure E-Commerce Web Site

Implementing Security Zones

• Security zones are discrete network segments holding systems that share common requirements, such as the types of information they handle, who uses them, and what levels of security they require to protect their data. They may be the same type of operating system or different operating systems altogether. They may be PCs, or servers, or even a mainframe.

• DMZ systems are offered some level of protection from the public Internet while they remain accessible for the specific services they provide. In addition, the internal network is protected by the firewall from the systems in the DMZ. Because the DMZ systems still offer public access, they are more prone to compromise and thus they are untrusted by the systems in the protected network. This scenario allows for public services while still maintaining a degree of protection against attack.

• Customer names, addresses, order information, and especially financial data are protected from unauthorized access through the creation of specialized segments similar to the DMZ called security zones. Many sites choose to implement a multiple segment structure to better manage and secure their business information.

• Access controls also regulate the way in which network conversations are initiated. It is always preferable that DMZ systems do not initiate connections into more secure areas, but that systems with higher security requirements initiate those network conversations.

• Creating and managing the security controls such as firewall rules, IDS signatures, and user access regulations is a large task. Start with deny-all strategies and permit only the services and network transactions that are required to make the site function. Carefully manage the site's performance and make small changes to the access controls to more easily manage the rule sets.

Understanding Firewalls

• Packet filtering firewalls make decisions about whether or not to pass network traffic based upon the source and destination information in the headers of the packets being transmitted.

• Proxy-based firewalls also make decisions based upon the source and destination addresses of packets, as well as the ports used for the conversation. The additional work done by a proxy firewall is that it inspects the data load portion of a packet and attempts to decide if the data fits the proxy's requirements for such a conversation.

• Hybrids between the two technologies have also emerged and may be a good fit for your organization if you desire the proxy level of control and the speed of a packet filter. These firewall devices integrate both the proxy and packet-filtering technologies to create solutions that monitor data load and achieve high throughput speeds.

• The process of designing the rule set for any firewall should always start with a "deny all" attitude. That means that you begin by making the firewall deny any connections that you do not specifically allow. Thus, starting with nothing, you can add in the connections required between each of the security zones to allow the systems on those segments to perform their work and to be administered, but nothing else. This helps to prevent the possibility of allowing unneeded services and additional gateways for an attacker to compromise your servers.

• After you have come to terms with the rule sets for your site operation, you need to ensure that you allowed only the required protocols, and only to the servers or segments where they are needed.

How Do I Know Where to Place My Components?

• Evaluate your systems using such criteria as users, sensitivity of data, external visibility, internal access controls required, and encryption requirements.

• Using those criteria, decide what systems will be primarily protected by the firewall, what systems will be dependent on internal authentication methods, and what systems will require additional tools for protecting them from unauthorized access.

• Group the systems together and assign them to network segments by looking for the commonalities and placing those systems together. Consider also using host-based tools such as IDS, log monitoring, or a customized configuration when for some reason a system should not be placed with its similar peers, or create another network segment specifically for that system.

• When you have your systems placed, create your firewall rule set. Generally, start with a basic principle that everything that is not specifically allowed is denied and then add in the conversations that you want to allow.

Implementing Intrusion Detection

• Intrusion detection is the name given to a family of products that are deployed to look for suspicious events that occur on a network or system. When the tool notices an event that matches its definition of "suspicious," it will perform some action such as logging the details, alerting an administrator, killing the traffic or process, and/or updating other devices such as firewalls to prevent the problem from happening again.

• Host-based IDS tools reside on the host and watch events from the view of the computer's operating system. As events occur, they compare those events against their rules base, and if they find a match, they alert and/or take action. Network-based IDS products monitor the network traffic streams for suspicious traffic patterns. The system acts as a sensor reading the data flow off of the wire and parsing it against a database of patterns.

• Although some IDS tools are very versatile, others may be very difficult to configure and may not be able to recognize patterns outside of those programmed into them by their creators. Most IDS systems compare traffic or user patterns against databases of known attack fingerprints or signatures. When selecting your IDS, one of the primary questions you should ask is how easy it is to have signatures added to the database.

• Open source tools such as Snort!, Shadow, and PortSentry have brought IDS to market as well. Some of the freeware security tools have complete documentation, online support, and a plethora of add-ons, plug-ins, and extensions.

Managing and Monitoring the Systems

• Patches, hot fixes, and workarounds have to be applied as new security issues and other problems are discovered and repaired. Each of these revisions has to be authenticated and tested, and will require re-verification of the security posture of your site. Changes to the content and features of your site will also require ongoing evaluation.

• Use automated tools (or agents) that reside on the host computer being monitored and communicate with a management console via a network connection. The agent watches usage patterns, processor workload, log files, disk space, and other items for signs of a problem. If a problem occurs, the agent sends a message to the management console with the appropriate details. The management console often assigns a follow-up task to the appropriate administrator and alerts them to the condition. Some management systems also track the problem through its resolution and log the collected information for trend analysis and other types of reporting.

• Automating monitoring processes is usually a good idea as long as a human is involved somewhere in the process to evaluate the automated alerts and output and to periodically check for missing events. In addition, if you do choose to automate the security log inspection process, make sure that you have multiple levels of security devices observing your traffic.

Should I Do It Myself or Outsource My Site?

• Consider the feasibility of training a staff member or members to perform the functions against the costs of hiring someone who already has those skills to perform it for you. Look also at the security requirements for your site and determine if your policy and processes allow for outsourcing to hired personnel.

• If an ASP assumes the responsibility of providing and maintaining the security of your site, be sure to maintain the rights to audit and inspect the security processes of the ASP you work with. Performing regular vulnerability assessments against your site and the ASP itself will ensure that your policies are being enforced.

• Co-location is a service provided by many vendors to allow companies to share the costs of establishing bandwidth and other infrastructure components (such as credit processing systems and the like) while still providing them with the freedom of owning their own servers and support systems; this is a popular solution for companies who want control over the day-to-day management and operation of their site, but who may not be able to afford or manage the entire e-commerce network on their own.
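The rule-set discipline from Implementing Security Zones and Understanding Firewalls above (deny everything by default, allow only the named conversations between zones, open ports only to the server that needs them, and keep DMZ systems from initiating into more secure areas), as an added Python example that is not the book's own code; the zone address ranges, hosts and rules are constructed samples.

```python
"""Default-deny, zone-based connection filter with a rule-set lint.

Added example, not code from the book: a firewall rule set that starts
from "deny all", permits only named conversations between security zones,
and a lint that flags rules the chapter advises against.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed zones, least trusted first; the public Internet is the catch-all.
TRUST_ORDER = ["internet", "dmz", "internal"]
ZONES = {  # most specific first, so lookup can stop at the first hit
    "internal": ip_network("10.10.0.0/16"),  # constructed protected segment
    "dmz": ip_network("192.0.2.0/24"),       # constructed DMZ (TEST-NET-1)
    "internet": ip_network("0.0.0.0/0"),
}
# Zones that exist to accept connections from less-trusted ones (the DMZ).
EXPOSED = {"dmz"}


def zone_of(ip: str) -> str:
    """Return the most specific zone containing ip."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    """One permitted conversation; dst_host None means any host in dst_zone."""
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    dst_host: Optional[str] = None


# Constructed three-tier rule set: web server in the DMZ, database inside.
RULES = [
    Rule("internet", "dmz", "tcp", 443, "192.0.2.10"),   # public HTTPS to web
    Rule("internal", "dmz", "tcp", 22),                  # admin SSH into DMZ
    Rule("dmz", "internal", "tcp", 5432, "10.10.5.20"),  # web -> database
]


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int,
             rules: List[Rule] = RULES) -> str:
    """Decide a new connection: anything not explicitly allowed is denied."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for r in rules:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) != (
                src_zone, dst_zone, proto, dport):
            continue
        if r.dst_host is None or r.dst_host == dst_ip:
            return "allow"
    return "deny"


def lint(rules: List[Rule] = RULES) -> List[str]:
    """Flag rules a reviewer should question: a less-trusted zone initiating
    into a more-trusted, non-exposed zone, and a port opened to a whole zone
    rather than to the one server that needs it."""
    findings = []
    for r in rules:
        tag = f"{r.src_zone}->{r.dst_zone}/{r.proto}/{r.dport}"
        less_trusted = TRUST_ORDER.index(r.src_zone) < TRUST_ORDER.index(r.dst_zone)
        if less_trusted and r.dst_zone not in EXPOSED:
            findings.append(f"{tag}: initiated from the less-trusted zone")
        if r.dst_host is None and r.dst_zone != "internet":
            findings.append(f"{tag}: open to the whole zone, not a specific server")
    return findings
```

Running lint() on the constructed rule set reports the DMZ-to-internal database rule (the chapter's "DMZ should not initiate" caveat) and the zone-wide SSH rule, while evaluate() denies every connection the three rules do not name.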
❖ Chapter 6: Securing Financial Transactions

Understanding Internet-Based Payment Card Systems

• Hackers love credit card data for a number of reasons: It's easy to steal, it's easy to resell, and it's hard to get caught. The best targets are those that are loosely protected, contain large volumes of payment card data, and are easy to access over the Internet.

• Credit cards, charge cards, bank cards, and payment cards all relate to a family of payment options that involve relationships rooted in [...]

[...] powerful mechanism to protect user passwords on e-commerce sites. Should your site require IDs and passwords for personalization reasons, you'll want to store the passwords that people create in the form of a hash value. That way, even if a hacker steals your security database records, the hacker won't be able to use the data to impersonate your customers directly. Secure Sockets Layer (SSL) has emerged [...]

[...] Availability configuration. If your line to one ISP goes down one day, you'll want a second redundant ISP ready to cut over immediately to take its place. You might contract with this second ISP to advertise a low priority route to your site while the first advertises a high [...]

[...] caused your primary site to be unavailable. A yearly practice disaster drill should be performed to ensure that your DRP is up to date and everyone knows the part they need to play recovering systems and software. Disaster drills force people to think about questions they don't normally have to ask [...]

[...] lot to go wrong. Assuming that you've gone through the process of tuning your server-side processing, and you're not stalling out waiting on external bottlenecks, such as a database server, then your only real choice is to upgrade your hardware, whether getting a faster [...]

[...] feature any attacker would love to have. Even if automated scanning tools were 100 percent accurate, the majority of them will not actually carry out a penetration; they will only try to determine if a site is vulnerable or not. It will be up to you to actually exercise [...]

[...] the card is used. MONDEX is one smart-card-based electronic purse application. E-purses eliminate the requirement to share payment account information with a merchant, eliminating many of the threats to large databases full of "toxic data." MONDEX uses strong cryptography [...]

[...] broken due to bad design, a bug, or just because the administrator implemented the mechanism improperly.

Performing a Risk Analysis on Your Site

• Assets at risk can include money and financial information, customer information, products, intellectual property, employees, [...]

[...] a hard look at your procedures for tracking new vulnerabilities and applying vendor patches. Types of knowledge you should take advantage of include the following: trust relationships, IP addresses on all network segments, brands and versions of all your software, [...]

[...] and removal of servers. Drawbacks of load balancers are that they introduce one more single point of failure or bottleneck, and they are as open to compromise by an attacker as any other system on your network.

❖ Chapter 10: Incident Response, Forensics, and the Law [...]

[...] dictates how you will respond when an incident occurs, you need to build a set of processes to support your responses. This covers the range from minor attempts to full intrusions. You will first need to understand how the files are stored on disk, how the processes interact, [...]

Posted: 14/08/2014, 04:21
