Thursday, November 12, 2009

Threats to the websites

Following are the threats to a normal website (one that has not been secured).

1) Excess Privileges & Tampering: a user gets more permissions than required, and resources/web pages are modified without authorization.
2) Spoofing: using another user's credentials to log in to the system and modify its contents.
3) Backdoors: using developer-created maintenance hooks to log on to the system.
4) Information Disclosure: e.g. disclosure of users' credit card information.

But don't feel that there is no solution for these threats. Here they are.

1) Tampering:

These are very common on less secure sites. You have to cross-verify all the security permissions. Most of these issues can be caught at unit testing time itself.

Following are the tips to avoid tampering in the application.
1) Don't pass any sensitive information through query strings.
2) Use encryption for all sensitive data.
3) Don't store any sensitive data in cookies.
4) Always check cookie safety (add <httpCookies domain="String" httpOnlyCookies="true" requireSSL="false" /> to the config file).
5) Application-side vulnerabilities, including SQL injection, occur when user input is not filtered for escape characters and is passed directly into a SQL statement. This lets the end user of the application manipulate the statements executed against the database. Another example is an anonymous user being allowed to access a privileged area of the application because the check was somehow bypassed and not caught while testing the application.
6) Run the application with minimum privileges.
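To make tip 5 concrete, here is an added example (not code from the original post) showing the same user lookup written two ways: one that pastes unfiltered input into the SQL text, and one that passes it as a parameter. The users table and the tampered input string are constructed for the demo.

```python
import sqlite3

def make_db():
    # Constructed in-memory users table standing in for the site's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-pw", "admin"), ("bob", "hash-of-bob-pw", "user")],
    )
    return conn

def lookup_user_vulnerable(conn, username):
    # Unfiltered input is concatenated into the SQL text, so a quote character
    # in the input changes the structure of the statement (the SQL injection flaw).
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()

def lookup_user_safe(conn, username):
    # Parameterized query: the driver keeps the input as data, so quote
    # characters cannot alter the statement that runs.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()

# Constructed input containing an unescaped quote, the textbook tampering case.
TAMPERED = "nobody' OR '1'='1"

def demo():
    conn = make_db()
    return {
        "vulnerable": lookup_user_vulnerable(conn, TAMPERED),  # returns a real user row
        "safe": lookup_user_safe(conn, TAMPERED),              # returns None
        "normal": lookup_user_safe(conn, "bob"),                # returns ("bob", "user")
    }

if __name__ == "__main__":
    for name, row in demo().items():
        print(name, "->", row)
```

The vulnerable lookup hands back an account that was never asked for, while the parameterized version treats the same input as a literal username and finds nothing; this is the check a unit test for tip 5 should make.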

2) Spoofing.

Spoofing mostly happens because of weak passwords, so the application should force the user to choose a strong password that meets a defined standard. E.g. a 6-character alphanumeric password with extra characters like #, $ or * can be considered a strong one. Letters and digits should also be used in combination.

3) Backdoors
Backdoors are developer-created holes that bypass the real authentication so the system can be logged on to easily for maintenance purposes. These vulnerabilities should be closed before the application goes online.

4) Information Disclosure
Information disclosure can happen in several ways, including hacking activity, low application/server security, failure to use encryption for critical data and login information, and another big element: humans. Most application/server security issues can be mitigated by applying patches, implementing SSL etc., but the difficult part is the humans associated with each project. When they move from one company to another, critical information such as passwords and backdoors goes with them. Even though completely removing the risk is impossible, some things we can do to reduce it are: a non-disclosure agreement when the employee leaves the organization, an exit interview explaining the consequences of disclosing the information, and disabling logins and changing all passwords whenever an employee terminates/leaves.

Things to consider:
1. Consider the security of the application from the initial stages of the project.
2. Testing of the software should include application-side vulnerabilities and the input text filtering capabilities whose absence can cause buffer overflows.
3. Change default passwords and remove unwanted accounts from the application before moving the system to production. Password policies should be enforced in the application.
4. The infra team should take care of server vulnerabilities: update patches and antivirus patterns on a regular basis, and lock down files, directories and other resources. The application should also run with minimum privileges.
5. The application administrator should be careful about giving privileges to each user.
6. Implement SSL for critical data and for passing credentials.
7. Limit application access by predefining allowed IP addresses or the number of allowed connections at the web server level.
8. Let the developers provide installation docs to the server admin team and let that team deploy the application on the production server.
9. Periodic evaluation of security in all servers and applications.
10. Sign a non-disclosure agreement when an employee leaves the organization.
11. Hold an exit interview explaining the consequences of disclosing the information.
12. Disable logins and change all passwords whenever an employee terminates/leaves.
