17.11.13

Measures against hacking of websites

Here are some of the best practices you can adopt to protect your websites from hackers.

This post covers only the main areas you need to focus on most.

You'll want to apply the principle of least privilege throughout.

Ensure a firewall is blocking all ports except those absolutely necessary (80/TCP, 443/TCP).
For the required ports that remain, consider using application firewalls. Place a Web Application Firewall in front of the web server to inspect requests, such as ModSecurity with the OWASP ModSecurity Core Rule Set (CRS). This product is capable of "virtual patching", that is, intercepting malicious requests and rendering them inert in transit, so a known flaw can be shielded before the application code itself is fixed.

Best Practices: Use of Web Application Firewalls
https://www.owasp.org/index.php/Category:OWASP_Best_Practices:_Use_of_Web_Application_Firewalls

In addition, you'll want to harden your server OS, web server, and web application code. For web applications, see the OWASP Top 10 Vulnerabilities and the Securing Web Application Technologies (SWAT) Checklists.

Developer Awareness Training Modules [Videos]

A1-Injection
Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
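An added illustration (not from the original post or from OWASP) of the A1 flaw in Python with sqlite3: the same login lookup written once by splicing strings into the query and once with bound parameters, run over a constructed in-memory table.

```python
import sqlite3

def make_db():
    """Constructed in-memory sample table with two users (illustration only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    conn.commit()
    return conn

def lookup_vulnerable(conn, name, pw):
    """A1 as described above: untrusted values are spliced into the query
    text, so the SQL interpreter cannot tell data from command."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return sorted(row[0] for row in conn.execute(sql))

def lookup_safe(conn, name, pw):
    """Hardened form: the query structure is fixed before any user value
    is seen; bound parameters reach the engine as data only."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, pw)))

if __name__ == "__main__":
    conn = make_db()
    # A quote in the input turns the vulnerable query's WHERE clause into a
    # tautology; to the safe query the same text is just an unlikely password.
    hostile = "' OR '1'='1"
    print(lookup_vulnerable(conn, "alice", hostile))  # ['alice', 'bob']
    print(lookup_safe(conn, "alice", hostile))        # []
```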

A2-Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.

A3-Cross-Site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A4-Insecure Direct Object References
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

A5-Security Misconfiguration
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

A6-Sensitive Data Exposure
Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

A7-Missing Function Level Access Control
Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

A8-Cross-Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
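An added Python example (not from the original post) of the usual countermeasure for A8: a per-session synchronizer token checked in constant time, plus an Origin/Referer check. `session`, `form_fields` and `headers` are assumed to be plain dicts handed over by the web framework.

```python
import hmac
import secrets

def issue_csrf_token(session):
    """Mint an unguessable per-session token, keep it server-side and
    return it so the form template can embed it in a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def csrf_request_ok(session, form_fields, headers, site_origin):
    """Accept a state-changing request only if the submitted token matches
    the session's (compared in constant time) and, when the browser sent an
    Origin or Referer, it names our own site. The forged request in A8
    carries the session cookie automatically but cannot know this token."""
    expected = session.get("csrf_token", "")
    submitted = form_fields.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    origin = headers.get("Origin") or headers.get("Referer")
    # Compare against the full origin, not a prefix: 'https://www.example.com'
    # must not accept 'https://www.example.com.evil.net'.
    if origin and origin != site_origin and not origin.startswith(site_origin + "/"):
        return False
    return True
```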

A9-Using Components with Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

A10-Unvalidated Redirects and Forwards
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
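An added Python example (not from the original post) of validating a redirect target before honouring it, the mitigation for A10; the allowed host set and base URL are assumed values for illustration. It goes a little beyond the text by also handling the scheme-relative, backslash and missing-`//` forms that browsers accept but naive checks miss.

```python
from urllib.parse import urlsplit, urljoin

ALLOWED_HOSTS = {"example.com", "www.example.com"}  # assumed: our own hosts

def safe_redirect_target(target, base="https://www.example.com/", fallback="/"):
    """Return `target` only if it resolves to one of our own hosts over
    http(s); otherwise return `fallback`. Relative targets are resolved
    against `base` so the decision is made on where the browser would go."""
    if not target:
        return fallback
    # Browsers treat backslashes like slashes in the scheme/authority part,
    # so '\\evil.example' is really '//evil.example'.
    normalized = target.replace("\\", "/")
    raw = urlsplit(normalized)
    if raw.scheme and not raw.netloc:
        # 'https:evil.example' or 'javascript:...' has a scheme but no '//';
        # browsers still treat it as absolute, urljoin would not, so refuse it.
        return fallback
    resolved = urljoin(base, normalized)
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return fallback
    # hostname strips any 'user@' prefix and port, and is lower-cased,
    # so 'https://www.example.com@evil.example/' is judged by 'evil.example'.
    if parts.hostname not in ALLOWED_HOSTS:
        return fallback
    return resolved
```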

To harden your OS, see:
http://usgcb.nist.gov/
https://www.sans.org/course/securing-windows
https://www.sans.org/course/securing-linux-unix

Twenty Critical Security Controls for Effective Cyber Defense

Windows

Going Beyond Just Anti-Virus Scanning

    How your AV scanners can fail you
    Application whitelisting
    AppLocker
    Script and executable signing
    Controlling USB devices
    DEP, ASLR, and SEHOP
    Benevolent Microsoft rootkit: EMET
    Restoring to a pristine OS image
    Virtual Desktop Infrastructure (VDI)

OS Hardening with security templates
    INF vs. XML security templates
    How to edit and apply templates
    Security configuration and analysis
    SECEDIT.EXE
    Security configuration wizard
    Auditing with templates

Hardening with Group Policy
    Group Policy Objects (GPOs)
    Third-party GPO enhancements
    Pushing out PowerShell scripts
    GPO remote command execution
    GPO troubleshooting tools
    Custom ADM/ADMX templates

Enforcing Critical Controls for applications
    Protected Mode Sandboxes
    Metro AppContainer Sandboxes
    Hardening Internet Explorer
    Hardening Google Chrome
    Hardening Adobe Reader
    Hardening Java
    Hardening Microsoft Office

Compromise of Administrative Powers
    Hackers and malware LOVE administrative users
    Partially limiting pass-the-hash attacks and token abuse
    How to get users out of the administrators group
    Secretly limiting the power of administrative users
    Limiting privileges, logon rights and permissions
    User Account Control (making it less annoying)
    Kerberos armoring and eliminating NTLM
    Picture password on touch tablets
    Windows Credential Manager vs. KeePass

Active Directory Permissions and Delegation
    Active Directory permissions
    Active Directory auditing
    Delegating authority at the OU level
    Domains are not security boundaries
    Logging attribute content changes

Updating Vulnerable Software
    Everything must be patched every week
    Patching off-site tablets and laptops
    Identifying rogue devices (BYOD Hell)
    WSUS shortcomings
    WSUS third-party enhancements
    Windows App Store (Metro)
    The future: continuous updates

Why Have a PKI?
    Strong authentication and encryption
    Passwords are dead
    Smart cards, IPSec, wireless, SSL, S/MIME, etc.
    Mobile and BYOD computers
    Code and document signing

Deploying Smart Cards
    Everything you need is built-in
    TPM virtual smart cards
    Smart card enrollment station
    Group policy deployment
    Smart cards on a limited budget

BitLocker Drive Encryption and Secure Boot
    UEFI Secure Boot
    TPM boot integrity checking
    Cold boot and 1394 port attacks
    USB device encryption
    Mounting encrypted VHD files
    BitLocker emergency recovery
    BitLocker network unlock of the PIN

Why IPSec?
    IPSec is NOT just for VPNs!
    More secure than SSL
    User/computer authentication
    Transparent to users
    No user training required
    NIC hardware acceleration
    Compatible with NAT

Windows Firewall
    Group Policy management
    Metro app and service awareness
    Roaming and VPN compatibility
    Deep IPSec integration
    NETSH and PowerShell scripting

Securing Wireless Networks
    Wi-Fi Protected Access (WPA2)
    Pre-shared key weaknesses
    DoS attack vulnerabilities
    Rogue access point detection
    BYOD and network bridging
    Wireless best practices

RADIUS for Wireless and Ethernet
    Certificate authentication and PKI
    How to use smart cards
    EAP vs. PEAP
    PEAP-MS-CHAPv2
    802.1X for Ethernet switches
    Account lockout DoS attacks
    Group Policy configuration of clients

Dangerous Server Protocols
    Eliminate SSL, only use TLS
    Requiring strong ciphers and keys
    RDP man in the middle attacks
    SMBv3 native encryption
    SMB downgrade attacks
    NTLM, NTLMv2 and Kerberos
    Kerberos armoring
    Hardening the protocol stack
    What about IPv6?

Server Hardening
    Server Manager and PowerShell
    Server Core/Minimal/Full
    Security templates and Group Policy
    Preparing for incidents: pre-forensics
    Service account security
    Scheduling tasks remotely and safely

Internet-Exposed Member Servers
    Not every server can be a stand-alone
    Active Directory for the DMZ or the cloud
    Cross-forest trusts and Selective Authentication
    Read-only domain controllers (RODC)
    Firewall design for DMZ or cloud member servers

Dynamic Access Control (DAC)
    Claims-based access control and auditing
    DAC does not require Windows 8
    DAC conditional expressions
    DAC and complying with regulations
    Automatic file classification infrastructure
    User and device identity restrictions
    Auditing without managing SACLs
    Central access policy deployment


Microsoft Baseline Security Analyzer
Microsoft Web Application Configuration Analyzer
