Website Hardening Presentation - Information Security & Privacy

Uploaded 3 Nov 2013

Website Hardening

HUIT IT Security | Sep 30 2011

Agenda:

Introduction
Anatomy of an Attack
Recommendations
Q & A
Demos


Sep 30 2011

HUIT Security | Website Hardening


Introduction


Content is the cornerstone of information management. The web delivers that content, and the model for serving it has progressed from on-site hosting to managed hosting and is continuing on to cloud computing.

With this evolution come new challenges in protecting both institutional reputation and data. Attackers have shifted their focus from infrastructure resources to exploiting application code itself, so a holistic strategy is critical.




A new breed of attacker is focusing on these “soft” targets. These attackers seek a widespread audience for their agenda and use anyone who leaves themselves open to compromise as a platform to spread their message.

“Cyber-Hacktivists” with personal, political or other motivations have proven adept enough at their craft to gather their share of recent headlines.



In light of several recent web application compromises across campus, we would like to share specific recommendations and best practices resulting from our investigation into those compromises. These suggestions complement existing hardening guidance.




Anatomy of an Attack




Before we dive into the details, Chris Fahey will take us through an attack.


Recommendations

Introduction

As web application attacks continue to increase in frequency, we must integrate a thorough approach to security throughout the delivery stack.

It has been our experience that the guidance for hardening networks and hosts also offers a framework for approaching web application security.

Everyone can benefit from immediate, proactive measures in advance of any eventual compromise.





In general:

Build and integrate security into the application
Assess and remediate vulnerabilities and risks
Implement strong access control measures
Leverage controls in the web server and application framework
Log use and monitor
Document and maintain policies and procedures
Raise awareness and educate






The suggestions below complement existing controls:

Risk Management and Compliance
Host hardening
Network hardening
User education and awareness
You’ve been hacked - now what?






Recommendations

Each recommendation is listed with its benefit, the effort to implement, and its availability.

Recommendation: Remind staff of password policies
Benefit: Prevent password cracking. Limit the scope of a compromise to a single site.
Effort to implement: Low
Availability: Immediate: Eureka! Security

Recommendation: Confirm computers have basic security protections in place.
Benefit: Protect computers against malicious software.
Effort to implement: Low
Availability: Immediate: inspect computers to verify patching is enabled and antivirus is installed

Recommendation: Scan web applications for security vulnerabilities.
Benefit: Reduce the risk of a security vulnerability being exploited and resulting in a compromise.
Effort to implement: Moderate
Availability: Immediate: via the IT Security Code Analysis service


Recommendation: Configure SSL on the web site.
Benefit: Encrypt sessions via SSL to reduce the risk of login credentials being stolen.
Effort to implement: Low
Availability: Immediate

Recommendation: Limit access to the web administration interface to only secure, trusted IP addresses.
Benefit: Allow only the VPN server access to the web server.
Effort to implement: Moderate
Availability: Immediate: HUIT can provision a VPN; a VPN client is to be installed on staff computers and staff trained

Recommendation: Replace administrator passwords with a digital password vault.
Benefit: Manage credentials with elevated privileges to prevent passwords from being cracked.
Effort to implement: Moderate
Availability: February 2012
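The two preceding recommendations (force SSL, and restrict the administration interface to trusted addresses such as the VPN server) are normally enforced in the web server, but the same controls can be applied in the application framework. The following is an added example, not code from the HUIT slides or any HUIT service: a small WSGI middleware that redirects non-HTTPS requests and serves the admin interface only to allowed source networks. The `/admin` prefix, the trusted VPN range `10.0.0.0/24`, the reverse-proxy address `192.0.2.10` and the constructed requests are assumptions for illustration. The important caveat it demonstrates is that the decision must rest on the TCP peer address (`REMOTE_ADDR`); `X-Forwarded-For` is client-controlled and is only believed when the peer is a proxy you operate.

```python
"""Added example, not code from the HUIT slides: a WSGI middleware that
enforces two recommendations from the table at the application layer.

  1. Requests that did not arrive over HTTPS are redirected, so login
     credentials are never sent in the clear.
  2. The administration interface is served only to trusted source
     addresses (the VPN concentrator in the slides' recommendation).

The /admin prefix, the trusted networks and the proxy address below are
assumptions for illustration; substitute your own.
"""
import ipaddress

ADMIN_PREFIX = "/admin"                                      # assumed path
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/24")]   # assumed VPN range
# Assumed reverse proxy in front of the application. Only a peer in this
# list is believed when it sets X-Forwarded-For; any client can write that
# header, so it must never be trusted on its own.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def client_address(environ):
    """Address the access decision is based on.

    REMOTE_ADDR is the TCP peer and cannot be forged by the client. If the
    peer is one of our proxies, use the last address it appended to
    X-Forwarded-For; otherwise ignore the header.
    """
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    if any(peer in net for net in TRUSTED_PROXIES):
        xff = environ.get("HTTP_X_FORWARDED_FOR", "").strip()
        if xff:
            return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer


def is_admin_path(path):
    return path == ADMIN_PREFIX or path.startswith(ADMIN_PREFIX + "/")


def hardening_middleware(app):
    def wrapped(environ, start_response):
        if environ.get("wsgi.url_scheme", "http") != "https":
            location = ("https://" + environ.get("HTTP_HOST", "localhost")
                        + environ.get("PATH_INFO", "/"))
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", location),
                            ("Content-Type", "text/plain")])
            return [b"Redirecting to HTTPS\n"]
        if is_admin_path(environ.get("PATH_INFO", "/")):
            addr = client_address(environ)
            if not any(addr in net for net in TRUSTED_ADMIN_NETS):
                start_response("403 Forbidden",
                               [("Content-Type", "text/plain")])
                return [b"Admin interface restricted to trusted addresses\n"]
        return app(environ, start_response)
    return wrapped


def demo_app(environ, start_response):
    """Stand-in for the real site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def make_environ(scheme, path, remote, xff=None, query=""):
    """Constructed WSGI environ so the middleware can be exercised offline."""
    env = {"wsgi.url_scheme": scheme, "PATH_INFO": path, "REMOTE_ADDR": remote,
           "HTTP_HOST": "www.example.edu", "QUERY_STRING": query,
           "REQUEST_METHOD": "GET"}
    if xff is not None:
        env["HTTP_X_FORWARDED_FOR"] = xff
    return env


def run(environ):
    """Call the wrapped app once; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(hardening_middleware(demo_app)(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    cases = [
        make_environ("http", "/admin", "10.0.0.5"),                      # 301 to https
        make_environ("https", "/admin", "10.0.0.5"),                     # 200, inside VPN range
        make_environ("https", "/admin", "203.0.113.9"),                  # 403
        make_environ("https", "/admin", "203.0.113.9", xff="10.0.0.5"),  # 403, spoofed header ignored
        make_environ("https", "/admin", "192.0.2.10", xff="10.0.0.5"),   # 200, via trusted proxy
        make_environ("https", "/", "203.0.113.9"),                       # 200, public page
    ]
    for env in cases:
        print(env["wsgi.url_scheme"], env["PATH_INFO"], env["REMOTE_ADDR"],
              env.get("HTTP_X_FORWARDED_FOR"), "->", run(env)[0])
```

When the application sits behind a load balancer, `REMOTE_ADDR` is the balancer itself, which is why the proxy list exists; without it every request would look like it came from a trusted host, or from none.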





Recommendation: Perform an IT Risk Assessment of the web application.
Benefit: Ensure security controls exist to comply with the University’s Enterprise Information Security Policy.
Effort to implement: Low
Availability: Immediate: via the IT Security Consulting service

Recommendation: Monitor network traffic to the web site.
Benefit: Proactively detect suspicious activity and notify the support team for a timely response.
Effort to implement: Moderate
Availability: Near term: collaborate with HUIT Cyber Security

Recommendation: Content auditing
Benefit: Log changes to content and notify the support team for a timely response.
Effort to implement: Difficult
Availability: Long term





Recommendation: Monitor the web site for malicious code and notify if detected.
Benefit: 24 x 7 x 365 monitoring by an external vendor to proactively detect malicious application code running on the web site and notify the support team for a timely response.
Effort to implement: Moderate
Availability: Near term: evaluate several vendors and subscribe to the best service
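The "content auditing" and "monitor the web site for malicious code" recommendations above both come down to the same mechanism: know what the web root is supposed to contain, and notice when it changes. The following is an added example, not code from the HUIT slides or any vendor service named in them: a file-integrity baseline that hashes every file under a web root, reports files added, removed or modified since the baseline, and scans the new or changed files for two illustrative indicators of injected content. The sample web root, the "compromise" applied to it, and the two patterns (an `eval(base64_decode(` PHP loader and a hidden iframe) are constructed for this example and are not a complete signature set.

```python
"""Added example, not code from the HUIT slides: a file-integrity baseline
for a web root, the basic mechanism behind the "content auditing" and
"monitor web site for malicious code" recommendations. Snapshot every
file's SHA-256 once, re-run later, and report what was added, removed or
modified; new or changed files are additionally scanned for patterns
typical of injected PHP loaders and hidden iframes. The patterns are
illustrative, not a complete signature set, and the sample web root is
constructed in a temporary directory.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Illustrative indicators only (assumption: a real deployment would use a
# maintained signature set, not two regexes).
SUSPICIOUS = {
    "eval-base64": re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    "hidden-iframe": re.compile(rb"<iframe[^>]*display\s*:\s*none", re.I),
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifests(baseline, current):
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
    }


def scan(root, rel_paths):
    """Map each path whose content matches an indicator to the names hit."""
    hits = {}
    for rel in rel_paths:
        data = Path(root, rel).read_bytes()
        names = [n for n, pat in SUSPICIOUS.items() if pat.search(data)]
        if names:
            hits[rel] = names
    return hits


def audit(root, baseline):
    """Compare the web root with a saved baseline. The returned dict is the
    report a scheduled job would hand to the support team."""
    report = diff_manifests(baseline, snapshot(root))
    report["suspicious"] = scan(root, report["added"] + report["modified"])
    return report


def build_sample_site(root):
    """Constructed, benign web root."""
    root = Path(root)
    (root / "includes").mkdir()
    (root / "index.php").write_text(
        "<?php include 'includes/config.php'; ?>\n<h1>Welcome</h1>\n")
    (root / "includes" / "config.php").write_text("<?php $db = 'localhost'; ?>\n")
    (root / "style.css").write_text("body { color: #333; }\n")


def simulate_compromise(root):
    """Constructed changes of the kind seen after a CMS compromise."""
    root = Path(root)
    with open(root / "index.php", "a") as f:      # injected hidden iframe
        f.write('<iframe src="http://example.invalid/x" '
                'style="display:none"></iframe>\n')
    (root / "uploads").mkdir()                    # dropped loader; payload is base64("hello")
    (root / "uploads" / "cache.php").write_text(
        '<?php eval(base64_decode("aGVsbG8=")); ?>\n')
    (root / "style.css").unlink()                 # file removed


def demo():
    with tempfile.TemporaryDirectory() as d:
        build_sample_site(d)
        baseline = snapshot(d)   # in practice: saved off-host at deploy time
        simulate_compromise(d)
        return audit(d, baseline)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The baseline is only as trustworthy as where it is kept: store it off the web host (or at least outside the web root and not writable by the web server account), and regenerate it as part of the deployment process rather than by hand, otherwise an attacker who has already written to the web root can simply update the manifest too.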





Q & A


The objective of Risk Management:

Mitigate
Remediate
Transfer, or
Accept






IT Security Contact Info

itsecurity@harvard.edu
Helpdesk at x57777







These slides will be on http://security.harvard.edu


Demos

Password Vaults
Tenable
Hailstorm



Esmond Kane | Website Hardening | September 30, 2011

Thank you.