
Hack Proofing Your E-Commerce Site document (docx)


DOCUMENT INFORMATION

Basic information

Title: Hack Proofing Your E-Commerce Site
Author: Ryan Russell, Teri Bidwell, Oliver Steudler, Robin Walshaw, L. Brent Huston
Institution: Syngress Publishing, Inc.
Field: Information Security / E-Commerce
Type: thesis
Year published: 2001
City: Rockland
Format:
Pages: 689
Size: 7.34 MB




From the authors

L. Brent Huston, Technical Editor

The Only Way to Stop a Hacker Is to Think Like One

• Step-by-Step Instructions for Securing Financial Transactions and Implementing a Secure E-Commerce Site

• Hundreds of Tools & Traps and Damage & Defense Sidebars and Security Alerts!

• Complete Coverage of How to Hack Your Own Site


solutions@syngress.com

With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening.

Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

Solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.

■ “Ask the Author”™ customer query forms that enable you to post questions to our authors and editors.

■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.

■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase.

Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.

www.syngress.com/solutions


Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, and “Career Advancement Through Skill Enhancement®,” are registered trademarks of Syngress Media, Inc. “Ask the Author™,” “Ask the Author UPDATE™,” “Mission Critical™,” and “Hack Proofing™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.


Hack Proofing Your E-Commerce Site

Copyright © 2001 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America

1 2 3 4 5 6 7 8 9 0

ISBN: 1-928994-27-X

Technical edit by: L. Brent Huston
Copy edit by: Darren Meiss and Beth A. Roberts
Technical review by: Kevin Ziese
Freelance Editorial Manager: Maribeth Corona-Evans
Co-Publisher: Richard Kristof
Index by: Robert Saigh
Developmental Editor: Kate Glennon
Page Layout and Art by: Shannon Tozier
Acquisitions Editor: Catherine B. Nolan

Distributed by Publishers Group West in the United States.


Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Richard Kristof and Duncan Anderson of Global Knowledge, for their generous access to the IT industry’s best courses, instructors and training facilities.

Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Bill Richter, Kevin Votel, and Brittin Clark of Publishers Group West for sharing their incredible marketing experience and expertise.

Mary Ging, Caroline Hird, Simon Beale, Caroline Wheeler, Victoria Fuller, Jonathan Bunkell, and Klaus Beran of Harcourt International for making certain that our vision remains worldwide in scope.

Anneke Baeten, Annabel Dent, and Laurie Giles of Harcourt Australia for all their help.

David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Joe Pisco, Helen Moyer, and the great folks at InterCity Press for all their help.


Contributors

Ryan Russell (CCNA, CCNP) is the best-selling author of Hack Proofing Your Network: Internet Tradecraft (ISBN: 1-928994-15-6). He is MIS Manager at SecurityFocus.com, has served as an expert witness on security topics, and has done internal security investigation for a major software vendor. Ryan has been working in the IT field for over 11 years, the last 6 of which have been spent primarily in information security. He has been an active participant in various security mailing lists, such as BugTraq, for years. Ryan has contributed to four Syngress titles on the topic of networking. He holds a Bachelors of Science degree in Computer Science. Ryan wishes to thank Karen Mathews at the U.S. Department of Energy for her assistance in preparing Chapter 10.

Mark S. Merkow (CCP) has been an Information Systems professional since 1975, working in a variety of industries. For the last 12 years he has been working for a Fortune 50 financial services company in Phoenix, AZ. Mark holds a Masters in Decision and Information Systems from Arizona State University’s College of Business and is completing his Masters of Education in Educational Technology at ASU’s College of Education, specializing in developing distance learning courses. Today he serves as an e-commerce Security Advisor working with both internal and external Web designers and developers. Mark has authored or co-authored six books on computer technology since 1990, including Breaking Through Technical Jargon, Building SET Applications for Secure Transactions, Thin Clients Clearly Explained, Virtual Private Networks For Dummies, A Complete Guide to Internet Security, and The ePrivacy Imperative. In addition, Mark is a computer columnist for several local, national, and international print publications, along with an e-zine hosted at Internet.com.

Robin Walshaw (MCSE, DPM), author of Mission Critical Windows 2000 Server Administration (ISBN: 1-928994-16-4), is an independent consultant who architects security and infrastructure solutions for large corporations around the globe. By applying a combination of sound business sense and technical insight, Robin is able to design and deliver scalable solutions targeted at enabling the enterprise to effectively leverage technology. With a flair for developing strategic IT solutions for diverse clients, he has worked in the world of computers in 8 countries, and has traveled to over 30 in the last 10 years. A veteran of numerous global projects, Robin has honed his skills across a wide variety of businesses, platforms, and technologies. He has managed to scratch his head and look slightly confused in the world of security, network operating systems, development, and research.

Having traversed the globe and seen its many beautiful wonders, Robin is still captivated by the one thing that leaves him breathless—Natalie, his wife. She is a light against the darkness, a beauty whose smile can melt even the coldest heart.

Teri Bidwell (GCIA) has been involved in Internet security for over 10 years as an analyst, engineer, and administrator and is a SANS-Certified GCIA Intrusion Analyst. Her career began securing Unix networks at the University of Colorado and continued as a Cisco network engineer and DNS manager for Sybase, Inc. Today, Teri is a security analyst for a firm headquartered in Reston, VA. She is a key contributor to corporate security strategy and is an advisor for e-business development. Her specialties include policy creation, vulnerability assessment, penetration testing, and intrusion detection for corporate environments.

Teri received a Computer Science degree from the University of Colorado and sits on the SANS GCIA Advisory Board. She currently lives and works in Boulder, CO with her family, Clint, Wes, and Michael.

Michael Cross (MCSE, MCP+I, CNA) is a Microsoft Certified System Engineer, Microsoft Certified Product Specialist, Microsoft Certified Professional + Internet, and a Certified Novell Administrator. Michael is the Network Administrator, Internet Specialist, and a Programmer for the Niagara Regional Police Service. He is responsible for network security and administration, programming applications, and is Webmaster of their Web site at www.nrps.com. He has consulted and assisted in computer-related/Internet criminal cases, and is part of an Information Technology team that provides support to a user base of over 800 civilian and uniform users. His theory is that when the users carry guns, you tend to be more motivated in solving their problems.

Michael owns KnightWare, a company that provides consulting, programming, networking, Web page design, computer training, and other services. He has served as an instructor for private colleges and technical schools in London, Ontario Canada. He has been a freelance writer for several years and has been published over two dozen times in books and anthologies. Michael currently resides in St. Catharines, Ontario Canada with his lovely fiancée Jennifer.

Oliver Steudler (CCNP, CCDP, CSE, CNE) is a Senior Systems Engineer at iFusion Networks in Cape Town, South Africa. Oliver specializes in routing, switching, and security and has over 10 years of experience in consulting, designing, implementing, and troubleshooting complex networks. He has written articles on TCP/IP, networking, security, and data communications and also co-authored another Syngress title, Managing Cisco Network Security (ISBN: 1-928994-17-2).

Kevin Ziese is a computer scientist at Cisco Systems, Inc. Prior to joining Cisco, he was a senior scientist and founder of the Wheelgroup Corporation, which was acquired by Cisco Systems in April of 1998. Before founding the Wheelgroup Corporation, he was Chief of the Advanced Countermeasures Cell at the Air Force Information Warfare Center.


Technical Editor and Contributor

L. Brent Huston earned his Associate of Applied Science degree in Electronics at DeVry Technical Institute (Columbus, Ohio) in 1994. He has more than 10 years of experience in IT, mostly in the areas of cyber security testing, network monitoring, scanning protocols, firewalls, viruses and virus prevention formats, security patches, and hacker techniques. As President and CEO of his own information security company, MicroSolved, Inc., he and his staff have performed system and network security-consulting services for Fortune 500 companies and all levels of governmental facilities. He is well versed in the use and implementation of all the major security tools and appliances. In the past, Brent developed “Passys”—a passive intrusion detection system for Unix and has also identified previously unknown security vulnerabilities in Ascom routers, Windows NT, and Linux operating systems.

Brent is an accomplished computer and information security speaker and has published numerous white papers on security-related topics. Recently he was involved in the laboratory testing of major firewall appliances at his company’s central Ohio facilities. This testing was to prove the worthiness of each appliance as well as possible vulnerabilities that had not as yet been established by their parent companies. He reported his results both to the individual product companies and at a national security industry presentation. Brent is also currently engaged with the Office of Independent Oversight and Performance Assurance in Columbus, OH.

He was responsible for designing and implementing a state-of-the-art cyber security testing and research lab for this office and several DOE national laboratories have utilized his expertise to perform network penetration and detection services. Such services have required a high security clearance from Brent. Brent is an Internet Security Systems Certified Engineer, Sidewinder Firewall Certified Administrator, IBM Secure Network Gateway Certified Administrator, and Phoenix Firewall Certified Administrator.


Chapter 1 Applying Security Principles to Your E-Business
Introduction 2
Security as a Foundation 3
Confidentiality 3
Integrity 4
Availability 4
Presenting Security As More Than
The Goals of Security in E-Commerce 9
Planning with Security in Mind 10
Security during the Development Phase 13
Implementing Secure Solutions 14
Managing and Maintaining Systems in a Secure Environment 15
Applying Principles to Existing Sites 20
It All Starts with Risk 21
Fix the Highest Risks First 22
Management and Maintenance during the Patching Process 23
Impact of Patching on Production
The Never-Ending Cycle of Change 25
Developing a Migration Plan 26
How to Justify a Security Budget 27
The Yardstick Approach 27

Understand the Goals of Security in the Commerce Process

■ Protect the privacy of the consumer at the

■ Protect the company from waste, fraud, and

business with its vendors and partners.


A Yardstick Approach Case Study 29
Possible Results of Failure 30
The Fear Tactic Approach 31
A Fear Tactic Approach Case Study 32
Possible Results of Failure 34
Security as a Restriction 35
Security as an Enabler 36
Summary 38
Solutions Fast Track 39
Frequently Asked Questions 43

Chapter 2 DDoS Attacks:
Introduction 46
What Is a DDoS Attack? 47
Laying the Groundwork: DoS 48
Resource Consumption Attacks 50
Malformed Packet Attacks 57
Anatomy of a DDoS attack 60
The Attacks of February 2000 63
Why Are E-Commerce Sites Prime Targets
A Growing Problem 68
How the Media Feeds the Cycle 69
What Motivates an Attacker to Damage Companies? 70
Ethical Hacking: A Contradiction in Terms? 70
Hacktivism 72
Fifteen Minutes of Fame 72
Hell Hath No Fury Like a Hacker Scorned 73
Show Me the Money! 73
Malicious Intent 74
What Are Some of the Tools Attackers Use to Perform DDoS Attacks? 75
Trinoo 76
Understanding How Trinoo Works 76

Damage & Defense Sidebars Provide You

One method of instigating a DoS is by altering the configuration of key devices such as routers and servers. Routing tables, registry databases, and UNIX configuration files are just a few of the potential configuration databases that can be used against a business. It goes without saying, then, that all Internet-facing devices should undergo strict change control procedures and that a backup of the last known good configuration should be available on


TFN2K: The Portable Monster 78
Understanding How TFN2K Works 78
Stacheldraht—A Barbed-Wire Offensive 81
Understanding How Stacheldraht Works 81
More DDoS Families 86
How Can I Protect My Site against These Types of Attacks? 87
Basic Protection Methods 90
Using Egress Rules to Be a Better “Net Neighbor” 95
Defending against the SYN’s of the Internet 99
Methods for Locating and Removing Zombies 103
Summary 109
Solutions Fast Track 111
Frequently Asked Questions 117

Introduction 120
Choosing a Web Server 121
Web Server versus Web Service 121
Factoring in Web Servers’ Cost and Supported Operating Systems 122
Comparing Web Servers’ Security Features 127
Authentication 127
Using the SET Protocol 133
Setting Permissions 134
Using CGI Applications 134
Security Features Side By Side 134
The Basics of Secure Site Design 143
Creating a Security Plan 143
Protecting against Internal Threats 145
Adding Security Tiers beyond the Web Server 146
Apache versus Internet Information Services 149
Installation: The First Step 151

Know What You May Be Giving Away in Your HTML Code

Each hidden tag can be used with forms on your site and includes a name and a value. When the form is submitted, the name and value in the hidden field is included with the results. For example, the following line of code shows an hacker could alter the value so that the value is
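The sidebar above makes the point that a hidden form field travels through the browser and comes back under the user's control, so the server must never treat it as trustworthy. The following is an added example, not code from the book: a server-side handler that recomputes an order total from its own catalog and refuses a submission whose hidden price field disagrees with it. The catalog, the field names (sku, qty, price) and the function names are constructed for illustration.

```python
"""Server-side validation of a form that carries a hidden price field.

Added example, not code from the book. CATALOG, the form field names
(sku, qty, price) and the function names are constructed assumptions.
"""
from decimal import Decimal, InvalidOperation

# Server-side catalog: the only authoritative source of prices.
CATALOG = {
    "SKU-1001": Decimal("49.99"),
    "SKU-1002": Decimal("19.50"),
}


def unsafe_total(form):
    """Mirrors the weakness the sidebar describes: the hidden 'price'
    field is trusted exactly as the browser submitted it."""
    return Decimal(form["price"]) * int(form["qty"])


def validate_order(form):
    """Recompute the total from CATALOG and compare it with the submitted
    hidden field. Returns a dict with 'ok', 'total' (as a string) and
    'reason'; a mismatch is refused and reported, never charged."""
    sku = form.get("sku", "")
    if sku not in CATALOG:
        return {"ok": False, "total": None, "reason": "unknown sku"}
    try:
        qty = int(form.get("qty", ""))
        submitted = Decimal(form.get("price", ""))
    except (ValueError, InvalidOperation):
        return {"ok": False, "total": None, "reason": "malformed qty or price"}
    if qty < 1:
        return {"ok": False, "total": None, "reason": "quantity must be positive"}
    server_price = CATALOG[sku]
    if submitted != server_price:
        # Refuse the order and say why, so an operator can review the
        # client that sent a price the server never issued.
        return {
            "ok": False,
            "total": None,
            "reason": f"hidden price field {submitted} does not match catalog {server_price}",
        }
    return {"ok": True, "total": str(server_price * qty), "reason": ""}


# Constructed sample submissions, as a browser (or a user who edited the
# form before sending it) would POST them.
HONEST_FORM = {"sku": "SKU-1001", "qty": "2", "price": "49.99"}
TAMPERED_FORM = {"sku": "SKU-1001", "qty": "2", "price": "0.01"}

if __name__ == "__main__":
    print("trusting the hidden field:", unsafe_total(TAMPERED_FORM))
    print("honest submission:", validate_order(HONEST_FORM))
    print("tampered submission:", validate_order(TAMPERED_FORM))
```

The hidden field can still be carried in the form for convenience, but the only number that reaches the payment step is the one the server computed; the submitted value is used solely to detect that someone changed it.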


Installing and Configuring Apache 152
Installing and Configuring Internet Information Server 5.0 164
Windows 2000 Server and Internet Information Server 5.0 Security 168
Hardening the Server Software 173
Install Patches 174
Disable Unneeded Ports, Services, and Components 174
Delete Unneeded Scripts and Files 175
Hardening the Overall System 176
Password Hacking and Analysis Tools 178
Web Design Issues Dealing with HTML Code 183
Information in HTML Code 183
Using Server Side Includes (SSI) in HTML Code 186
Guidelines for Java, JavaScript, and Active X 189
Understanding Java, JavaScript, and ActiveX—and the Problems They May Cause 189
Preventing Problems with Java, JavaScript, and ActiveX 191
Programming Secure Scripts 196
Code Signing: Solution or More Problems? 199
Understanding Code Signing 199
The Strengths of Code Signing 200
Problems with the Code Signing Process 201
Should I Outsource the Design of My Site? 202
Understanding the Required Skills 203
Pros and Cons of Outsourcing Design Work 204
Workload 204
Security 205
Contracts and Cost 206
No Matter Who Designs It, Double-Check before You Implement It 207


Summary 209
Solutions Fast Track 210
Frequently Asked Questions 214

Chapter 4 Designing and Implementing
Introduction 220
Why Are Security Policies Important to an E-Commerce Site? 220
What Is a Security Policy? 221
Value versus Risk 222
Security versus Services Provided 223
Cost of Security versus Cost of Not Having Security 224
Where Do I Begin? 225
What Elements Should My Security Policy
Confidentiality and Personal Privacy Policies 230
Requirements for Authentication 231
Requirements for Protecting Customer Information 236
Privacy Policies 239
Information Integrity Policies 240
Quality Assurance Policies 241
Assuring Information Integrity through Technology 244
Availability of Service Policies 244
Are Prewritten Security Policies Available on
All Organizations Are Different—and So Are Their Policies 246
Example Policies and Frameworks 247
A Word about the Outsourcing of Policy Development 248
How Do I Use My Security Policy to Implement Technical Solutions? 248

Learn How to Produce a

Conduct Review Workshop

Proposed Policy Draft

Final Policy Draft

Executive Approval

Edit Draft Policy

Publication Legal Review

End User Training


How Do I Inform My Clients of My Security Policies? 251
Building Customer Confidence through Disclosure 252
Security as a Selling Point 253
Summary 254
Solutions Fast Track 255
Frequently Asked Questions 259

Chapter 5 Implementing a Secure
Introduction 262
Introduction to E-Commerce Site Components 262
Implementing Security Zones 264
Introducing the Demilitarized Zone 266
Multiple Needs Equals Multiple Zones 268
Problems with Multi-Zone Networks 271
Understanding Firewalls 272
Exploring Your Firewall Options 272
Designing Your Firewall Rule Set 275
It Starts with a “Deny All” Attitude 276
Common Ports for Common Communications 276
Converting Pseudo-Code to Firewall Rules 278
Protocols and Risks: Making Good Decisions 279
How Do I Know Where to Place My Components? 280
Profiling Systems by Risk 280
Establishing Risk Control Requirements 282
Creating Security Zones through Requirement Grouping 283
Implementing Intrusion Detection 283
What Is Intrusion Detection? 285
Your Choices in Intrusion Detection 286

Chapter 5 Answers All Your Questions About Implementing a Secure Site

Q: How do I know if I am logging too much or too little information on my systems?

A: Log the information you feel that you need to make good decisions. If you have problems sifting through the logs to locate issues and you have had proper training, then you need to eliminate the log entries that you do not use to make decisions or keep those log entries and use an automated tool to select only the entries you are interested in. You are logging too little information if you do not have a picture of your systems’ operations and your users’ behaviors.


Network-Based IDS 288
Host-Based IDS 290
Example of a Network-Based IDS 292
Example of a Host-Based IDS 293
Managing and Monitoring the Systems 295
What Kind of Management Tasks Can I Expect to Perform? 295
What Kinds of Monitoring Should I Be Performing? 296
Basic System Monitoring 298
Monitoring Your Security Devices 299
Log File Management 300
Should I Do It Myself or Outsource My Site? 301
Pros and Cons of Outsourcing Your Site 302
Co-Location: One Possible Solution 303
Selecting an Outsource Partner or ASP 303
Summary 305
Solutions Fast Track 305
Frequently Asked Questions 311

Chapter 6 Securing Financial Transactions 313
Introduction 314
Understanding Internet-Based Payment Card Systems 315
Credit, Charge, or Debit Cards: What Are the Differences? 315
Point-of-Sale Processing 317
Differences That Charge Cards Bring into the Picture 318
Capture and Settlement 319
Steps in an Internet-Based Payment Card Transaction 321
Toxic Data Lives Everywhere! 325
Approaches to Payments via the Internet 326
Options in Commercial Payment Solutions 327
Commerce Server Providers 328
Braving In-house Resources 329
Secure Payment Processing Environments 331
Additional Server Controls 335
Controls at the Application Layer 336
Understanding Cryptography 337
Methodology 337
Substitution Method 337
Transposition Method 338
Transposition Example 339
The Role of Keys in Cryptosystems 342
Symmetric Keys 342
Asymmetric Keys 342
Principles of Cryptography 343
Understanding Hashing 344
Digesting Data 345
Digital Certificates 348
CCITT X.509 349
Examining E-Commerce Cryptography 351
Hashing Functions 351
Block Ciphers 352
Implementations of PPK Cryptography 352
The SSL Protocol 353
Transport Layer Security (TLS) 355
Pretty Good Privacy (PGP) 356
S/MIME 357
Secure Electronic Transactions (SET) 357
XML Digital Signatures 359
Virtual POS Implementation 362
ICVERIFY 362
Alternative Payment Systems 364
Smart-Card-Based Solutions 365
EMV 365
MONDEX 367
The Common Electronic Purse Specification (CEPS) 369
Proxy Card Payments 369
PayPal 370

■ Importing credit card transaction data from

time for authorization.

■ Support for Address

■ Data import analysis of files for errors before import.


Amazon Payments 370
Funny Money 371
Beenz 371
Flooz 371
Summary 372
Solutions Fast Track 373
Frequently Asked Questions 379

Introduction 382
Anticipating Various Types of Attacks 382
Denial of Service Attacks 382
Information Leakage Attacks 384
File Access Attacks 385
Misinformation Attacks 386
Special File/Database Access Attacks 387
Elevation of Privileges Attacks 388
Performing a Risk Analysis on Your Site 389
Determining Your Assets 390
Why Attackers Might Threaten Your Site and How to Find Them 392
Testing Your Own Site for Vulnerabilities 395
Determining the Test Technique 396
Researching Your Vulnerabilities 399
Mapping Out a Web Server 407
Using Automated Scanning Tools 409
Hiring a Penetration Testing Team 414
Summary 418
Solutions Fast Track 419
Frequently Asked Questions 423

Chapter 8 Disaster Recovery
Introduction 426
What Is Disaster Recovery Planning? 426
Structuring a Disaster Recovery Plan 428
Loss of Data or Trade Secrets 429

Tools & Traps, Security Alerts, and Damage & Defense Sidebars Make Sure You Don’t Miss a Thing:

Tools & Traps… Gauge Your Threat Level with a

tactics of attackers and possibly pick up a new attack or two along the way. Naturally, the attacker shouldn’t be aware that he has broken into a honeypot, and he should think that he’s gotten into an ordinary machine with no special monitoring. In fact, a honeypot machine typically has extensive monitoring in place around it, either on the machine itself or via the network. In order for the honeypot to be effective, as much information as possible must be collected about the attacker.


Loss of Access to Physical Systems 431
Loss of Personnel or Critical Skill Sets 436
Practicing Compliance with Quality Standards 436
Ensuring Secure Information Backup and Restoration 438
The Need for Backups and Verification 439
An Example Backup Rotation Process 440
Storage Area Networks 442
Protecting Backups of Sensitive Information 443
User Authentication 444
Data Encryption and Controls 445
Key Management 446
Planning for Hardware Failure or Loss of Services 447
The Single Point of Failure Problem 448
ISP Redundancy 449
Network Hardware Redundancy 451
System Hardware Redundancy 451
Expanding the Scope of Your Solutions 453
How Do I Protect against Natural Disasters? 454
Hot Sites: The Alternate Path to Recovery 455
How Do I Choose a Hot Site? 456
Testing the Process 456
Understanding Your Insurance Options 457
Errors and Omissions Coverage 458
Intellectual Property Liability 459
First Party E-Commerce Protection 460
Determining the Coverage You Need 461
Financial Requirements 463
The Delicate Balance: Insurance and the Bottom Line 464
Coverage That May Not Be Needed 464
Summary 466
Solutions Fast Track 467
Frequently Asked Questions 472

Chapter 8 Answers All Your Questions About Disaster Recovery Planning:

Q: How does e-commerce insurance pay out benefits when I incur a loss?

A: Types of insurance payout provisions are "Pay on Behalf" versus "Indemnification." Pay on Behalf takes care of expenses as they are incurred by the insured and works a bit like homeowner’s insurance. If the policy covers your defense in a lawsuit, the legal fees will be paid as they are incurred. Indemnification reimburses the insured for covered expenses already incurred and works a bit like traditional health insurance. You pay for the covered expense and then apply for reimbursement from the insurer. Most insurance offerings for e-commerce are of the "Pay on Behalf" variety.

Q: What’s the difference

password and "4 sc0re & s3v3n ye4r5 @go" is a passphrase.


Chapter 9 Handling Large Volumes
Introduction 476
What If My Site’s Popularity Exceeds My Expectations? 476
Determining the Load on Your Site 478
Determining Router Load 479
Determining Switch Load 483
Determining Load Balancer Load 484
Determining Web Server Load 485
Performance Tuning the Web Server 488
How Do I Manage My Bandwidth Needs? 493
Contracting for Bandwidth 493
Estimating Required Service Levels 496
How Do I Know When I Need More Bandwidth? 497
Obtaining Bandwidth on Demand 498
Introduction to Load Balancing 499
What Is Load Balancing? 500
Changing the Destination MAC Address 501
Modifying the IP Addresses 502
Using a Proxy Server 503
Finding a Custom Software/Clustering Solution 504
Determining Load 504
The Pros and Cons of Load Balancing 505
Load Balancing and Security 505
Summary 509
Solutions Fast Track 510
Frequently Asked Questions 512

Chapter 10 Incident Response,
Introduction 516
Why Is an Incident Response Policy Important? 516
Panic or Be Calm: You Decide 516
How Not to Handle an Incident 517

Understand Load Balancing and Security

For the most part, load balancers don’t change security much, and in fact some can enhance it by acting as limited firewalls. However, in a few cases, security may be impacted. Obviously the load balancer itself may have security problems—most products do. Attacks against the management interface or address of the load balancer may occur. In this sense, it’s much like any system on your network, which might be compromised and give an attacker better leverage for other attacks. If an attacker manages to gain administrative control over your load balancer, they might be able to cause a "virtual defacement" by redirecting your Web traffic to a page of their choosing.
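The "virtual defacement" the sidebar describes leaves the web servers untouched, so host-based checks on them never fire; it shows up only in what the public address actually serves. The following is an added example, not code from the book, of an external check an operator can run against the load balancer's public address from several vantage points: a 2xx body must match a recorded fingerprint of the known-good page, and any redirect must stay on an allowed host. The page body, the allowed hosts, the probe responses and the function names are constructed for illustration; in practice the responses would be fetched over HTTP rather than embedded.

```python
"""External check for a load balancer that has been repointed.

Added example, not code from the book. KNOWN_GOOD_BODY, the allowed
hosts, the probe responses and the function names are constructed
assumptions; a real monitor would obtain the responses over HTTP.
"""
import hashlib
from urllib.parse import urlsplit

# Fingerprint of the known-good landing page, recorded at deploy time
# from a trusted copy (constructed sample page).
KNOWN_GOOD_BODY = b"<html><head><title>Example Shop</title></head><body>Welcome</body></html>"
KNOWN_GOOD_SHA256 = hashlib.sha256(KNOWN_GOOD_BODY).hexdigest()

# Hosts the load balancer is permitted to redirect browsers to.
ALLOWED_REDIRECT_HOSTS = {"shop.example", "www.shop.example"}


def check_response(status, headers, body):
    """Classify one HTTP response seen at the public address.
    Returns (ok, reason). A 2xx body must match the fingerprint and a
    3xx Location must name an allowed host; anything else is a finding."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:
        host = urlsplit(lowered.get("location", "")).hostname or ""
        if host in ALLOWED_REDIRECT_HOSTS:
            return True, "redirect within allowed hosts"
        return False, f"redirect to unexpected host {host!r}"
    if 200 <= status < 300:
        if hashlib.sha256(body).hexdigest() == KNOWN_GOOD_SHA256:
            return True, "content matches fingerprint"
        return False, "content fingerprint mismatch"
    return False, f"unexpected status {status}"


def check_all(samples):
    """Run check_response over responses gathered from several vantage
    points. The address is healthy only if every vantage point agrees,
    which also catches a redirect applied to one region or client only."""
    results = {name: check_response(*resp) for name, resp in samples.items()}
    healthy = all(ok for ok, _ in results.values())
    return healthy, results


# Constructed probe results: two honest vantage points and one that was
# sent to a host the operator never configured.
SAMPLES = {
    "probe-east": (200, {"Content-Type": "text/html"}, KNOWN_GOOD_BODY),
    "probe-west": (302, {"Location": "https://www.shop.example/"}, b""),
    "probe-south": (302, {"Location": "http://unexpected-host.invalid/"}, b""),
}

if __name__ == "__main__":
    healthy, results = check_all(SAMPLES)
    print("healthy:", healthy)
    for name, (ok, reason) in results.items():
        print(f"{name}: {'ok' if ok else 'ALERT'} - {reason}")
```

The fingerprint should be refreshed as part of the deployment process, otherwise every legitimate content change raises the same alert as a redirect, and an operator learns to ignore it.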


Proper Policy Pays Off 518
Incident Response Policy Recap 524
Establishing an Incident Response Team 525
Setting the Prosecution Boundaries 526
Attackers Crossing the Line 526
Understanding the Chain of Custody 529
Establishing an Incident Response Process 530
Introduction to Forensic Computing 531
Tracking Incidents 538
Resources 542
Legal/Government/Law Enforcement 542
Backup/Forensics 542
Incident Tracking Systems 543
Miscellaneous 544
Summary 545
Solutions Fast Track 546
Frequently Asked Questions 550

Appendix A Cisco Solutions
Introduction 554
Improving Security Using Cisco LocalDirector 555
LocalDirector Technology Overview 555
LocalDirector Product Overview 556
LocalDirector Security Features 557
Filtering of Access Traffic 557
Using synguard to Protect against SYN Attacks 557
Using Network Address Translation to Hide Real Addresses 559
Restricting Who Is Authorized to Have Telnet Access to the LocalDirector 560
Password Protection 561
Syslog Logging 562
Securing Geographically Dispersed Server Farms Using Cisco DistributedDirector 563
DistributedDirector Technology Overview 563
DistributedDirector Product Overview 565
DistributedDirector Security Features 565
Limiting the Source of DRP Queries 565
Authentication between DistributedDirector and DRP Agents 566
Password Protection 568
Syslog Logging 570
Improving Security Using the Cisco Content Services Switch 570
Content Services Switch Technology Overview 571
Content Services Switch Product Overview 572
Content Services Switch Security Features 573
FlowWall Security 573
Using Network Address Translation to Hide Real Addresses 574
Firewall Load Balancing 575
Password Protection 576
Disabling Telnet Access 577
Syslog Logging 578
Known Security Vulnerabilities 578
Summary 580
Frequently Asked Questions 581

Appendix B Hack Proofing Your


Foreword

Hack Proofing Your E-Commerce Site was written in response to requests from readers of our first book, Hack Proofing Your Network: Internet Tradecraft. Many of you asked us for more detail on how to protect e-commerce sites, given the unique risk and exposure such sites represent to organizations. We hope this book answers all of your questions on the topic and then some. If your organization engages in e-commerce, you will find this book invaluable, especially if security has been dealt with in a reactive fashion in the past. If you are a seasoned security professional, we believe that the level of detail in this book will be useful in covering topics such as customer privacy policies and securing financial transactions.

As practitioners, we encounter two types of networks: Those that haven’t been hacked and those that have. Our goal is to provide you with the tools and resources to avoid seeing your network become part of the latter group. To that end, this book is thoroughly practical. We recognize that doing the “right” thing—creating a forensics laboratory and halting production to investigate each breach in painstaking detail—is beyond most staff resources, so we offer real-world solutions to approach that ideal within your limits.

We believe that for this book to be practical, it must also cover topics such as disaster recovery, load balancing, and performance optimization. We’ve tried to avoid the trap of recommending ill-defined “black-box” hardware solutions, a trap that other books in the field often fall into.

This book shares a feature in common with many Syngress books: It teaches why along with how. This is especially critical in the world of information security because technologies evolve at such a rapid pace and are also incredibly diverse. There are as many different ways to piece together an e-commerce site as there are e-commerce sites. It wouldn’t be possible to anticipate any given reader’s configuration. We present material that is designed to make you think. We want you to be able to take the information presented and adapt it to your situation.

We really hope you enjoy this book. You’ll notice that Syngress offers an “Ask the Author” feature on their Web site for folks who have purchased the book. Please take advantage of that; we’d love to hear from you.

—Ryan Russell, CCNA, CCNP


Chapter 1

Applying Security Principles to Your E-Business

Solutions in this chapter:

■ Summary

■ Solutions Fast Track

■ Frequently Asked Questions

Security in the virtual world of the Internet is even more confusing than in the real world we inhabit. Buzzwords and marketing hype only serve to add to the puzzle. Vendors and free products abound, but according to the experts, the Internet world is becoming more dangerous every day. How can that be? How can all these solutions from so many directions not solve even the basic problems?

The answer is not simple because the problems are so complex. Security is difficult to create and maintain. Security is messy. The problem is that the online world was built around a system of protocols and rules, but unfortunately, those rules are not always followed. The complexity of today’s computer systems and software applications often creates programs that act in a manner unforeseen by the Internet’s operational guidelines. Add to that scenario a few humans who insist on testing the rules and purposefully acting unexpectedly, and you have a huge potential for a rather large mess.

Attaining and maintaining suitable levels of security also requires resources. It requires people with the technical and business skills in balance. It requires time, energy, and of course, money. Security is not cheap. Products and training and doing things the right way are usually more expensive in the short term than taking shortcuts and cutting corners, but in the long run, security protects the assets that your organization depends on for survival.

Given all these dynamics, the concept of security can be seen as an ever-changing ideal that encompasses these threats and adapts as they adapt, like a living process. Security is most assuredly a journey and not a destination.

The easiest starting point on that journey is from the ground up. In the e-commerce world, those who benefit the most from security’s elusive protections are those who started the process with security firmly in mind. While it is possible to apply security to existing sites, the implementation is often more difficult than starting the process anew.

In this chapter, we discuss how to bring security into focus from the start, what roles it should play, and how to get it included in the budget of a project. We also talk about how to justify its ongoing existence and measure its successes. For those of you who are tasked with defending an existing e-commerce site or other Web presence, we will explore the roles you should play in your organization and the process by which you can improve your site’s security posture.

Security as a Foundation

The easiest, and many agree, the best way to create a secure environment is to start with security in mind. This means applying the principles of secure operation as the foundation upon which the rest of the project will be built. The primary principles of security are confidentiality, integrity, and availability. To succeed, the project must address these principles in all phases and applications.

Confidentiality

in the news regularly because information about clients, vendors, or the politics of business relationships has become known.

Towards the end of 2000 a prominent U.S. hospital discovered that its security infrastructure had been breached and the confidentiality of 5,000 patient records had been violated. The risks to confidentiality do not stop with access to data; credit card details are illegally obtained from Internet facing systems, then used or sold, with alarming frequency.

Some analysts have estimated that online credit card fraud incurs damages worldwide to the tune of $9 billion annually. Information is possibly one of the most valuable assets most companies possess; losing it or caring for it negligently could spell disaster and possibly even ruin.

If your company had exposed the records of these clients, what would the damage to your bottom line have been? How would your company deal with such a situation?

Integrity

Integrity is perhaps the most difficult of the principles to achieve, yet it is the most vital of the three. Businesses must manage and maintain the integrity of the information with which they are entrusted. Even the slightest corruption of that data can cause complete chaos. The myriad of decisions based upon that integrity range from the basic business operation to the growth plans of the business long term. Over the centuries, various methods have evolved for building and maintaining the integrity of information. The double entry accounting system, the creation of jobs such as editors and proofreaders, and the modern checksum methods are all technical advances aimed at creating integrity. Yet, even with these modern tools and all the attention paid to the process over the years, integrity remains one of our greatest concerns. Integrity is something we almost take for granted. We assume that the database system we are using will maintain the records of our sales correctly. We believe that our billing system is smart enough to add the items on a customer’s bill. Without some form of integrity checking, neither of these situations may be true. Integrity of information can have an even larger impact on an organization.

Imagine a computer virus that infected your accounting systems and modified all the sevens in your Excel spreadsheets, turning them into threes. What would the effect of those illicit modifications mean to your business? What steps would your organization take to recover the correct figures and how would you even discover the damage?

Availability

Last, but not least, of the three principles is availability. Availability is the lifeblood of any business. If a consumer can’t get to your business to purchase your goods, your business will soon fail. In the e-commerce world, where every moment can directly translate to thousands of dollars in sales, even downtimes of less than an hour can do immense financial damage to a company. Consider the amount of damage done to your company if your Web site became unavailable for four hours, which is the length of time that most vendors used as a benchmark for turnaround time in the pre-Internet world. Such an outage in e-commerce could cost tens of thousands of dollars, as we will see in Chapter 2. How long could your company continue to do business if your Internet presence was destroyed? How much money per hour would your organization lose if you could not do business online?

Security also entails a three-step process of assessment, revision, and implementation of changes (see Figure 1.1). This continual process of evaluation and feedback is necessary to adapt processes and products to the ever-changing conditions of the online world. As hackers examine existing software and hardware systems and discover new vulnerabilities, these vulnerabilities must be tested against your own systems and changes made to mitigate the risks they pose. The systems must then be tested again to ensure that the changes did not create new weaknesses or expose flaws in the systems that may have been previously covered. For example, it is fairly common for software patches and version upgrades to replace configuration files with default settings. In many cases, this opens additional services on the box, or may re-enable protocols disabled by the administrator in a previous configuration. This ongoing process of evaluation strengthens the three principles and ensures their continued success.

Figure 1.1 The security process: Assess, Revise, Implement

Based on these ideas and the scenarios that can occur when the three principles are not managed well, you can see why building security from the ground up is so important. Building the three principles into a business certainly requires work and planning. Security is neither easy to accomplish nor easy to maintain, but with proper attention, it is sustainable.
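The paragraph above warns that a patch or upgrade can silently reset a configuration file and re-open services the administrator had disabled. One way to catch that during the "test again" step is to keep an approved baseline of listening sockets and diff the host against it after every change. The script below is an added example, not code from the book; the `ss -ltn` output it parses is constructed, and the approved baseline is a hypothetical one for a Web server that exposes only SSH, HTTP and HTTPS and keeps its database bound to loopback.

```python
"""Detect listening services that a patch or upgrade may have re-enabled.

Added example (not from the book). Compares the sockets a host listens on
against an approved baseline, so a configuration reset to vendor defaults
shows up as a finding. The `ss -ltn` sample below is constructed; the
approved set is a hypothetical Web-server baseline.
"""
import re

# Constructed sample of `ss -ltn` output captured after a version upgrade.
# Port 23 (telnet) was not in the administrator's previous configuration.
SS_OUTPUT_AFTER_UPGRADE = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       5       0.0.0.0:23           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       50      127.0.0.1:3306       127.0.0.1:*
"""

# Hypothetical approved baseline: (address, port) pairs deliberately exposed.
APPROVED_LISTENERS = {
    ("0.0.0.0", 22),
    ("[::]", 22),
    ("0.0.0.0", 80),
    ("0.0.0.0", 443),
    ("127.0.0.1", 3306),   # database reachable from loopback only
}

# "Local Address:Port" column; the address may itself contain colons ([::]).
_LOCAL_RE = re.compile(r"^(?P<addr>.+):(?P<port>\d+)$")


def parse_listening(ss_text):
    """Return the set of (address, port) tuples shown in LISTEN state."""
    listeners = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                      # skips the header and anything odd
        m = _LOCAL_RE.match(fields[3])
        if not m:
            continue
        listeners.add((m.group("addr"), int(m.group("port"))))
    return listeners


def unexpected_listeners(current, approved):
    """Sockets open now that the baseline never allowed (integrity of config)."""
    return current - approved


def missing_listeners(current, approved):
    """Approved sockets no longer listening (availability of the service)."""
    return approved - current


if __name__ == "__main__":
    now = parse_listening(SS_OUTPUT_AFTER_UPGRADE)
    for addr, port in sorted(unexpected_listeners(now, APPROVED_LISTENERS)):
        print(f"FINDING: unexpected listener {addr}:{port}")
    for addr, port in sorted(missing_listeners(now, APPROVED_LISTENERS)):
        print(f"FINDING: approved service {addr}:{port} is not listening")
```

Run it after each patch cycle with live `ss -ltn` output in place of the constructed sample; both directions of the diff matter, because a reset configuration can just as easily stop an approved service as start an unapproved one.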

Presenting Security As More Than a Buzzword

Security must be more than a buzzword or a group within your organization. Security needs to be on the mind of every employee and in the forefront of the day-to-day operations. Security staff members need to work as partners or consultants to other groups within the company. They need to remain approachable and not be seen as “Net cops” or tyrants. They need to allow for dialogue with every employee, so that they can make suggestions or bring to their attention any events that seem out of place.

Security works best when all employees are attentive to situations that may expose customers to danger or the site to damage. The key to achieving this level of awareness is education. Education is the tool that disarms attackers who prey on miscommunication, poorly designed processes, and employee apathy. Such attacks, often called “social engineering” by hackers, can be devastating to a company and its reputation. The best way to defend against these attacks is to educate your employees on your policies regarding security and customer privacy. They also need to see those policies being followed by all members of the team, from management down to the entry-level employees. They need reminders, refreshers, and periodic updates whenever changes to the procedures are made. In other words, security has to be an attitude from the top down. The highest levels of management must support the policies and their enforcement for long-term success to be achieved and maintained.

The security team also requires the support of management. A universal attitude of cooperation must be presented and maintained across all lines of business with the security group. Every employee needs to feel that the security group is approachable and they should have no fear of reporting things that seem suspicious. Employees need to know exactly whom to contact, and they need to be treated with respect instead of suspicion when they talk to the security team and its members.

Tools & Traps…

Social Engineering

In the average business there are a number of avenues ripe for social engineering exploitation. With the security focus often turned to the more romantic notions of stealthy hacks and exotic code, the more prosaic methods of bypassing security are often neglected. Unfortunately, attempting to prevent social engineering can be a double-edged sword. Processes and procedures aimed at reducing the possibility of social engineering can do as much harm as good, driving users to ignore them due to their overly rigid and complex implementation. This said, there are a number of areas that are commonly open for abuse, including the following:

■ Passwords: Overly complex passwords are often written down and easily accessible. More memorable words, however, are often a greater risk because simpler passwords such as a husband’s first name are easily guessed. Some companies employ strong authentication that requires the user to use a combination of a password and a number generated by a special token which the user possesses.

■ Support Services: When a user calls a help desk or a network engineer for support, the authenticity of the user is often taken for granted. A negligent help desk could easily respond to a request for a password change for a user’s account without a guarantee that the caller is who he says he is. In this scenario the hacker typically leverages the anonymity provided by a telephone or e-mail message. Using a similar angle, a hacker could pretend to be part of the support services and during a phony “support” call obtain a user’s logon ID and password.

■ Physical Access: Without adequate physical security a hacker or even a non-technical criminal with a confident bearing can walk directly into an office and begin using computer systems. In fact, a case reported in China detailed how a man walked into a securities firm posing as an employee and used an unsecured terminal to affect stock prices and the stability of the Shanghai stock market.

Since social engineering is such a dangerous weapon in the attacker’s toolkit, it only makes sense to educate yourself about it. Here are some Web sites where you can learn more about social engineering:

The Goals of Security in E-Commerce

Security plays a very important role in e-commerce, and is essential to the bottom line. While e-commerce done correctly empowers your company and the consumer, e-commerce done poorly can be devastating for those same participants. The goals of security in the commerce process must be to:

■ Protect the privacy of the consumer at the point of purchase

■ Protect the privacy of the customers’ information while it is stored or processed

■ Protect the confidential identity of customers, vendors, and employees

■ Protect the company from waste, fraud, and abuse

■ Protect the information assets of the company from discovery and disclosure

■ Preserve the integrity of the organization’s information assets

■ Ensure the availability of systems and processes required for consumers to do business with the company

■ Ensure the availability of systems and processes required for the company to do business with its vendors and partners

These goals are a starting point for the creation of a good security policy. A great security policy, as described in Chapter 4, will address all of these goals and lay out processes and practices to ensure that these goals are met and maintained. Think of your security policy as your first line of defense, because from it should come all the processes and technical systems that protect your business and your customer.

Any security measures you implement without a policy become de facto policies. A policy created that way was probably created without much forethought. The problem with unwritten policies is that you can’t look them up, and you don’t know where to write the changes.

Planning with Security in Mind

Building the foundation from a secure starting point is very important. For this reason, the three principles have to be applied to the process from the beginning stages of planning. Examine the business plan and apply the aspects of confidentiality, integrity, and availability. Ask your staff and yourself questions such as:

■ How are we going to ensure the confidentiality of our customers?

■ How will we protect our business information from disclosure?

■ What steps are we taking to double-check the integrity of our data gathering?

■ What processes are we using to ensure that our data maintains integrity over time?

■ How are we protecting ourselves against the loss of availability?

■ What are our plans for failure events?

As the business plans begin to take shape, apply the three principles to them. Keep the principles involved continually as the planning evolves, and you will find that your questions give birth to scenarios, and those scenarios lead to solutions.

Spend time thinking about the threats to your site. Profile the flow of likely attacks and determine the probable ease of their success. For example, if an attacker wanted to gather customer financial information, could he or she simply compromise your Web server and gain access to it? There have been countless examples of situations exactly like this one, where what should have been a simple Web server compromise ended up exposing sensitive customer data to the attackers. Had those credit card numbers and other information been stored on a separate machine, or better yet, on a more protected network segment, the attacker may not have been able to harvest it. Avoid single points of failure. Ensure that compromise of one network component does not jeopardize your entire operation. Apply these scenarios to each step of the plans and revise them until you have resolved the apparent issues.

An example scenario for this process might include something like this: If an attacker used the latest exploit of the week to gain access to your Web server, what other systems could be easily compromised? In a recent, all too real example, a client called me when this had happened. The attacker had used the Unicode exploit (See Rain Forest Puppy’s page at www.wiretrip.net/rfp/p/doc.asp?id=57&iface=6 for more details on Unicode.) against my client’s Web server to gain access to the file system. After uploading a Trojan horse program, they quickly managed to grab the Repair password file and crack Administrator access to the system. Unfortunately, for my client, the attacker had compromised the system that they had designated to be the Domain Controller for all the Web server systems in the DMZ. They had chosen, unwisely, to deploy a Windows Domain for easier systems management of the Web servers and the server they used to allow vendors to pickup orders from their site. Also members of the same domain used their primary e-mail server and their ftp server. Each of these systems was, in turn, compromised by the attacker. By the time the damage had been discovered, each of these systems had to be removed from service and completely rebuilt. Their partners were advised of the damage, and they lost valuable time and money, not to mention confidence in their company by their partners. To date, that single mistake of making each of the systems a member of a Windows Domain instead of stand-alone servers has cost them thousands of dollars and several IT managers their jobs. Even small miscalculations can have large ramifications on security.

Understand that for every scenario and threat that you think of, dozens of others may exist or may come to exist in the future. Don’t be alarmed if you feel like you have only thought of the most basic threats. This very act of preparation and scenario development will create large amounts of awareness to the issues encompassed in the three principles. In addition, your team’s ability to handle security incidents down the road will be increased as you become more familiar with details of your business process.
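The scenario-building exercise described above can be made mechanical: write down each system and every relationship of the form "control of A gives control of B without a further exploit", then compute what falls if any single host is compromised. The script below is an added example, not code from the book. The two designs it compares are constructed to mirror the chapter's anecdote: one where the Web server is also the Domain Controller for every DMZ server (so its credentials are good on each member), and one of stand-alone servers where the Web server reaches the database only through a SQL proxy with query-level rights.

```python
"""Blast-radius check for a planned network design.

Added example (not from the book). Each system is a node; a directed edge
A -> B means that owning A yields control of B with no further exploit.
Both designs are constructed to mirror the chapter's scenario.
"""
from collections import deque

# Constructed design 1: the Web server doubles as Domain Controller, so the
# administrative credentials it holds work on every domain member.
SINGLE_DOMAIN = {
    "web": {"mail", "ftp", "vendor_pickup", "customer_db"},
    "mail": set(),
    "ftp": set(),
    "vendor_pickup": set(),
    "customer_db": set(),
}

# Constructed design 2: stand-alone servers. The Web server can only issue
# queries through a SQL proxy, which is not an administrative foothold, so no
# trust edge leaves it.
STAND_ALONE = {
    "web": set(),
    "mail": set(),
    "ftp": set(),
    "vendor_pickup": set(),
    "customer_db": set(),
}


def reachable(trust, start):
    """All systems under attacker control after `start` is compromised."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in trust.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(trust):
    """How many systems fall with each single compromise, per starting host."""
    return {node: len(reachable(trust, node)) for node in trust}


def single_points_of_failure(trust):
    """Systems whose compromise alone hands over the entire environment."""
    everything = set(trust)
    return {node for node in trust if reachable(trust, node) == everything}


if __name__ == "__main__":
    for name, design in (("single domain", SINGLE_DOMAIN),
                         ("stand-alone", STAND_ALONE)):
        print(f"{name}: blast radius {blast_radius(design)}; "
              f"single points of failure: "
              f"{sorted(single_points_of_failure(design)) or 'none'}")
```

Fill the trust dictionary in from your own plan (shared local administrator passwords, domain membership, trusted hosts files, stored database credentials are all edges) and revisit it each time the design changes; the goal is to keep the "single points of failure" set empty before anything is built.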

At the end of this process, you should have some basic plans for your site. One of the best ways to organize this planned information is in a chart that details your risks and how you plan to mitigate them. An example is shown in Table 1.1. These examples are basic, and you should certainly have many more than this, but it is a start to give you the idea of a framework.

Table 1.1

Phase of E-commerce: Consumer Check-out
Explanation of Risk: An attacker could monitor the transmission of the credit card and consumer data.
Strategy for Risk: We will use SSL encryption to protect the information as it travels across the Internet.

Phase of E-commerce: Credit Card Data Transfer to the ISP Credit Systems
Explanation of Risk: An attacker could monitor our credit card batch file when we transfer it to the ISP credit card system each hour for processing.
Strategy for Risk: We will use SecureFTP to send the data down an SSH tunnel to prevent sniffing attacks.

Phase of E-commerce: Any Phase
Explanation of Risk: An attacker could compromise our database server that we use to store our client’s personal information and purchase history.
Strategy for Risk: We will protect the server by removing all unneeded services and installing a file system checksum program to alert us to changes. We will also locate the server in a separate DMZ segment and only allow encrypted transfer through a SQL proxy to interact with the system.

Phase of E-commerce: Any Phase
Explanation of Risk: An attacker could seek to shut us down by flooding our network.
Strategy for Risk: We will protect ourselves by using redundant servers and a load balancing router. We will also be prepared to implement traffic blocking access control rules on the ISP router by calling their help desk line.

Security during the Development Phase

The steps involved in translating the plans established into actual products and processes can be very dangerous to the security principles. Often, compromises must be made to facilitate budgets, timeframes, and technical requirements. Many times, these compromises impact the overall security of a project.

The single best way to ensure that the underlying security of the project remains intact through the development phase is through continual involvement. As each process or product is defined, apply the three principles to it and revise the definition to answer the scenarios you created in the planning process. If compromises must be made that impact the security of the project, carefully profile those changes and create a list of the risks involved in them. This list of risks will become important in the implementation phase, as it gives you a worksheet for problems that must be mitigated through the combination of technology, policy, and awareness. Often, compromises in key areas will have a major impact on attempts to secure other dependent areas. Be sure that attempts to save a dollar when building an underlying component doesn’t cost you ten in trying to patch the pieces sitting on top.

Each process and product must be carefully examined to define the various risk factors involved. Attention to detail is highly important in this step, as is the cross-examination of a process or product by the various team members. Each of the team members will have his or her area of concern, and thus will bring a different angle of examination to the table. This cross-examination, or “peer review,” often creates stronger designs and more secure solutions. In fact, peer review can be a very helpful tool in your policy creation tool box as well. The whole concept is to pass each policy or development process by each team member, allowing each to comment on the process or policy from their point of view. At the end, someone, usually the original author, edits all the commentary back into the policy or process to create a better end product. Peer review is often done across the board for policies, technical information, and new processes before they are released to the general public.

After each of the processes has been defined and developed, reconvene the examination team to review the complete procedure from

Posted: 10/12/2013, 16:16
