1. Trang chủ
  2. » Công Nghệ Thông Tin

Tài liệu Hack Proofing E-Commerce Site docx

689 293 0

Đang tải... (xem toàn văn)

Tài liệu hạn chế xem trước, để xem đầy đủ mời bạn chọn Tải xuống

THÔNG TIN TÀI LIỆU

Thông tin cơ bản

Định dạng
Số trang 689
Dung lượng 7,34 MB

Nội dung

From the authors of the best-selling HACK PROOFING ™ YOUR NETWORK Your E-commerce Site ™ 1 YEAR UPGRADE BUYER PROTECTION PLAN Your E-commerce Site From the authors of the best-selling HACK PROOFING ™ YOUR NETWORK Ryan Russell Teri Bidwell Oliver Steudler Robin Walshaw L. Brent Huston Technical Editor The Only Way to Stop a Hacker Is to Think Like One • Step-by-Step Instructions for Securing Financial Transactions and Implementing a Secure E-Commerce Site • Hundreds of Tools & Traps and Damage & Defense Sidebars and Security Alerts! • Complete Coverage of How to Hack Your Own Site 134_ecomm_FC 6/19/01 2:14 PM Page 1 solutions@syngress.com With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based ser- vice that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations. Solutions@syngress.com is an interactive treasure trove of useful infor- mation focusing on our book topics and related technologies. The site offers the following features: ■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters. ■ “Ask the Author”™ customer query forms that enable you to post questions to our authors and editors. ■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material. ■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics. Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase. Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the max- imum value from your investment. We’re listening. www.syngress.com/solutions 134_ecomm_FM 6/19/01 11:49 AM Page i 134_ecomm_FM 6/19/01 11:49 AM Page ii The Only Way to Stop a Hacker is to Think Like One Your E-commerce Site ™ 1 YEAR UPGRADE BUYER PROTECTION PLAN Your E-commerce Site 134_ecomm_FM 6/19/01 11:49 AM Page iii Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents.The Work is sold AS IS and WITHOUT WARRANTY.You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other inci- dental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable case, including backup and other appropriate precautions, when working with computers, networks, data, and files. Syngress Media®, Syngress®, and “Career Advancement Through Skill Enhancement®,”are registered trademarks of Syngress Media, Inc. “Ask the Author™,”“Ask the Author UPDATE™,”“Mission Critical™,” and “Hack Proofing™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies. KEY SERIAL NUMBER 001 AERAF43495 002 VNA49FU4FJ 003 CAKL3956FM 004 BNA424TURT 005 BNTUR495QF 006 596JFA3RRF 007 Y745T9TBLF 008 QW5VCD986H 009 BN3TE5876A 010 NVA384NHS5 PUBLISHED BY Syngress Publishing, Inc. 800 Hingham Street Rockland, MA 02370 Hack Proofing Your E-Commerce Site Copyright © 2001 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or dis- tributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication. Printed in the United States of America 1 2 3 4 5 6 7 8 9 0 ISBN: 1-928994-27-X Technical edit by: L. Brent Huston Copy edit by: Darren Meiss and Beth A. Roberts Technical review by: Kevin Ziese Freelance Editorial Manager: Maribeth Corona-Evans Co-Publisher: Richard Kristof Index by: Robert Saigh Developmental Editor: Kate Glennon Page Layout and Art by: Shannon Tozier Acquisitions Editor: Catherine B. Nolan Distributed by Publishers Group West in the United States. 134_ecomm_FM 6/19/01 11:49 AM Page iv v Acknowledgments v We would like to acknowledge the following people for their kindness and support in making this book possible. Richard Kristof and Duncan Anderson of Global Knowledge, for their generous access to the IT industry’s best courses, instructors and training facilities. Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks. Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Bill Richter, Kevin Votel, and Brittin Clark of Publishers Group West for sharing their incredible marketing experience and expertise. Mary Ging, Caroline Hird, Simon Beale, Caroline Wheeler,Victoria Fuller, Jonathan Bunkell, and Klaus Beran of Harcourt International for making certain that our vision remains worldwide in scope. Anneke Baeten, Annabel Dent, and Laurie Giles of Harcourt Australia for all their help. David Buckland,Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books. Kwon Sung June at Acorn Publishing for his support. Ethan Atkin at Cranbury International for his help in expanding the Syngress program. Joe Pisco, Helen Moyer, and the great folks at InterCity Press for all their help. 134_ecomm_FM 6/19/01 11:49 AM Page v 134_ecomm_FM 6/19/01 11:49 AM Page vi vii Contributors Ryan Russell (CCNA, CCNP) is the best-selling author of Hack Proofing Your Network: Internet Tradecraft (ISBN: 1-928994-15-6). He is MIS Manager at SecurityFocus.com, has served as an expert witness on secu- rity topics, and has done internal security investigation for a major soft- ware vendor. Ryan has been working in the IT field for over 11 years, the last 6 of which have been spent primarily in information security. He has been an active participant in various security mailing lists, such as BugTraq, for years. Ryan has contributed to four Syngress titles on the topic of networking. He holds a Bachelors of Science degree in Computer Science. Ryan wishes to thank Karen Mathews at the U.S. Department of Energy for her assistance in preparing Chapter 10. Mark S. Merkow (CCP) has been an Information Systems professional since 1975, working in a variety of industries. For the last 12 years he has been working for a Fortune 50 financial services company in Phoenix, AZ. Mark holds a Masters in Decision and Information Systems from Arizona State University’s College of Business and is completing his Masters of Education in Educational Technology at ASU’s College of Education, specializing in developing distance learning courses.Today he serves as an e-commerce Security Advisor working with both internal and external Web designers and developers. Mark has authored or co- authored six books on computer technology since 1990, including Breaking Through Technical Jargon, Building SET Applications for Secure Transactions, Thin Clients Clearly Explained, Virtual Private Networks For Dummies, A Complete Guide to Internet Security, and The ePrivacy Imperative. In addition, Mark is a computer columnist for several local, national, and international print publications, along with an e-zine hosted at Internet.com. Robin Walshaw (MCSE, DPM), author of Mission Critical Windows 2000 Server Administration (ISBN: 1-928994-16-4), is an independent consultant who architects security and infrastructure solutions for large 134_ecomm_FM 6/19/01 11:49 AM Page vii viii corporations around the globe. By applying a combination of sound busi- ness sense and technical insight, Robin is able to design and deliver scal- able solutions targeted at enabling the enterprise to effectively leverage technology.With a flair for developing strategic IT solutions for diverse clients, he has worked in the world of computers in 8 countries, and has traveled to over 30 in the last 10 years. A veteran of numerous global pro- jects, Robin has honed his skills across a wide variety of businesses, plat- forms, and technologies. He has managed to scratch his head and look slightly confused in the world of security, network operating systems, development, and research. Having traversed the globe and seen its many beautiful wonders, Robin is still captivated by the one thing that leaves him breathless— Natalie, his wife. She is a light against the darkness, a beauty whose smile can melt even the coldest heart. Teri Bidwell (GCIA) has been involved in Internet security for over 10 years as an analyst, engineer, and administrator and is a SANS-Certified GCIA Intrusion Analyst. Her career began securing Unix networks at the University of Colorado and continued as a Cisco network engineer and DNS manager for Sybase, Inc.Today,Teri is a security analyst for a firm headquartered in Reston,VA. She is a key contributor to corporate secu- rity strategy and is an advisor for e-business development. Her specialties include policy creation, vulnerability assessment, penetration testing, and intrusion detection for corporate environments. Teri received a Computer Science degree from the University of Colorado and sits on the SANS GCIA Advisory Board. She currently lives and works in Boulder, CO with her family, Clint,Wes, and Michael. Michael Cross (MCSE, MCP+I, CNA) is a Microsoft Certified System Engineer, Microsoft Certified Product Specialist, Microsoft Certified Professional + Internet, and a Certified Novell Administrator. Michael is the Network Administrator, Internet Specialist, and a Programmer for the Niagara Regional Police Service. He is responsible for network security and administration, programming applications, and is Webmaster of their Web site at www.nrps.com. He has consulted and assisted in computer- related/Internet criminal cases, and is part of an Information Technology 134_ecomm_FM 6/19/01 11:49 AM Page viii ix team that provides support to a user base of over 800 civilian and uniform users. His theory is that when the users carry guns, you tend to be more motivated in solving their problems. Michael owns KnightWare, a company that provides consulting, pro- gramming, networking,Web page design, computer training, and other services. He has served as an instructor for private colleges and technical schools in London, Ontario Canada. He has been a freelance writer for several years and has been published over two dozen times in books and anthologies. Michael currently resides in St. Catharines, Ontario Canada with his lovely fiancée Jennifer. Oliver Steudler (CCNP, CCDP, CSE, CNE) is a Senior Systems Engineer at iFusion Networks in Cape Town, South Africa. Oliver spe- cializes in routing, switching, and security and has over 10 years of experi- ence in consulting, designing, implementing, and troubleshooting complex networks. He has written articles on TCP/IP, networking, secu- rity, and data communications and also co-authored another Syngress title, Managing Cisco Network Security (ISBN: 1-928994-17-2). Kevin Ziese is a computer scientist at Cisco Systems, Inc. Prior to joining Cisco, he was a senior scientist and founder of the Wheelgroup Corporation, which was acquired by Cisco Systems in April of 1998. Before founding the Wheelgroup Corporation, he was Chief of the Advanced Countermeasures Cell at the Air Force Information Warfare Center. 134_ecomm_FM 6/19/01 11:49 AM Page ix [...]... 581 Appendix B Hack Proofing Your E-Commerce Site Fast Track 583 Index 625 xxiii 134_ecomm_TOC 6/19/01 11:47 AM Page xxiv 134_ecomm_FRD_rev 6/19/01 11:48 AM Page xxv Foreword Hack Proofing Your E-Commerce Site was written in response to requests from readers of our first book, Hack Proofing Your Network: Internet Tradecraft Many of you asked us for more detail on how to protect e-commerce sites, given the... Chapter 7 Hacking Your Own Site Introduction Anticipating Various Types of Attacks Denial of Service Attacks Information Leakage Attacks File Access Attacks Misinformation Attacks Special File/Database Access Attacks Elevation of Privileges Attacks Performing a Risk Analysis on Your Site Determining Your Assets Why Attackers Might Threaten Your Site and How to Find Them Testing Your Own Site for Vulnerabilities... Malformed Packet Attacks Anatomy of a DDoS attack The Attacks of February 2000 Why Are E-Commerce Sites Prime Targets for DDoS? A Growing Problem How the Media Feeds the Cycle What Motivates an Attacker to Damage Companies? Ethical Hacking: A Contradiction in Terms? Hacktivism Fifteen Minutes of Fame Hell Hath No Fury Like a Hacker Scorned Show Me the Money! Malicious Intent What Are Some of the Tools Attackers... piece together an e-commerce site as there are e-commerce sites It wouldn’t be possible to anticipate any given reader’s configuration.We present material that is designed to make you think.We want you to be able to take the information presented and adapt it to your situation We really hope you enjoy this book.You’ll notice that Syngress offers an “Ask the Author” feature on their Web site for folks who... are interested in You are logging too little information if you do not have a picture of your systems’ operations and your users’ behaviors Chapter 5 Implementing a Secure E-Commerce Web Site Introduction Introduction to E-Commerce Site Components Implementing Security Zones Introducing the Demilitarized Zone Multiple Needs Equals Multiple Zones Problems with Multi-Zone Networks Understanding Firewalls... 134_ecomm_01 6/19/01 11:41 AM Page 9 Applying Security Principles to Your E-Business • Chapter 1 The Goals of Security in E-Commerce Security plays a very important role in e-commerce, and is essential to the bottom line.While e-commerce done correctly empowers your company and the consumer, e-commerce done poorly can be devastating for those same participants.The goals of security in the commerce process... Security Principles to Your E-Business • Chapter 1 measure its successes For those of you who are tasked with defending an existing e-commerce site or other Web presence, we will explore the roles you should play in your organization and the process by which you can improve your site s security posture Security as a Foundation The easiest, and many agree, the best way to create a secure environment is to... that the caller is who he says he is In this scenario the hacker typically leverages the anonymity provided by a telephone or email message Using a similar angle, a hacker could pretend to be part of the support services and during a phony “support” call obtain a user’s logon ID and password s Physical Access Without adequate physical security a hacker or even a non-technical criminal with a confident... Hardware Redundancy Expanding the Scope of Your Solutions How Do I Protect against Natural Disasters? Hot Sites:The Alternate Path to Recovery How Do I Choose a Hot Site? Testing the Process Understanding Your Insurance Options Errors and Omissions Coverage Intellectual Property Liability First Party E-Commerce Protection Determining the Coverage You Need Financial Requirements The Delicate Balance: Insurance... "virtual defacement" by redirecting your Web traffic to a page of their choosing Chapter 9 Handling Large Volumes of Network Traffic 475 Introduction 476 What If My Sites Popularity Exceeds My Expectations? 476 Determining the Load on Your Site 478 Determining Router Load 479 Determining Switch Load 483 Determining Load Balancer Load 484 Determining Web Server Load 485 Performance Tuning the Web Server . best-selling HACK PROOFING ™ YOUR NETWORK Your E-commerce Site ™ 1 YEAR UPGRADE BUYER PROTECTION PLAN Your E-commerce Site From the authors of the best-selling HACK. The Only Way to Stop a Hacker is to Think Like One Your E-commerce Site ™ 1 YEAR UPGRADE BUYER PROTECTION PLAN Your E-commerce Site 134_ecomm_FM 6/19/01

Ngày đăng: 10/12/2013, 16:16

TỪ KHÓA LIÊN QUAN