Website Hardening HUIT IT Security | Sep 30 2011
Feb 24, 2016
Website Hardening
HUIT IT Security | Sep 30 2011
Agenda:
• Introduction• Anatomy of an Attack• Recommendations• Q & A• Demos
3
Sep 30 2011
HUIT Security | Website Hardening
Introduction
4
Sep 30 2011
HUIT Security | Website Hardening
Introduction
Content is the cornerstone of information management. The web delivers content, and the model for serving content has progressed from onsite hosting, to managed hosting and is continuing to cloud computing.
With this evolution comes new challenges to protecting both institutional reputation and data. Attackers have shifted their focus from infrastructure resources, to exploiting application code itself. A holistic strategy is critical.
5
Sep 30 2011
HUIT Security | Website Hardening
Introduction
A new breed of attacker is focusing on these “soft” targets. These attackers seek to gain a widespread audience for their agenda and use anyone leaving themselves open to compromised as a platform to spread their message.
“Cyber-Hacktivists” with personal, political or other motivation have proven adept enough at their craft to gather their share of recent headlines.
6
Sep 30 2011
HUIT Security | Website Hardening
Introduction
In the light of several recent web application compromises across campus, we would like to share some specific recommendations and best practices resulting from our investigation into those compromises; and these suggestions complement existing hardening guidance.
7
Sep 30 2011
HUIT Security | Website Hardening
Anatomy of an Attack
Before we dive in to the details. Chris Fahey will take us through an attack.
8
Sep 30 2011
HUIT Security | Website Hardening
Recommendations
IntroductionAs web application attacks continue to increase in frequency, we must work to integrate a thorough approach to security throughout the delivery stack.
It has been our experience that the guidance for hardening networks and hosts also offers a framework for approaching web application security.
Everyone can benefit from immediate proactive measures in advance of any eventual compromise.
9
Sep 30 2011
HUIT Security | Website Hardening
Recommendations
In general:
• Build and integrate security into the application• Assess and remediate vulnerabilities and risks• Implement strong access control measures• Leverage controls in the web server and application
framework• Log use and Monitor• Document and maintain policies and procedures• Raise awareness and educate
10
Sep 30 2011
HUIT Security | Website Hardening
Recommendations
The below suggestions complement existing controls:• Risk Management and Compliance• Host hardening• Network hardening• User education and awareness
- You’ve been hacked – now what?
Image goes here
11
Recommendations
Recommendation Benefit Effort to Implement Availability
Remind staff of password policies
Prevent cracking passwords. Limit the scope of a compromise to a single site.
Low Immediate:
• Eureka!
• Security
Confirm computers have basic security protections in place.
Protect computers against malicious software.
Low Immediate:
Inspect computers to verify patching is enabled and antivirus is installed
Scan web applications for security vulnerabilities.
Reduce the risk of a security vulnerability being exploited resulting in a compromise.
Moderate Immediate:
via the IT Security Code Analysis service
12
Recommendations
Recommendation Benefit Effort to Implement Availability
Configure SSL on the web site.
Encrypt sessions via SSL to reduce the risk of purloining login credentials.
Low Immediate
Limit access to the web administration interface to only secure, trusted IP addresses.
Allow only the VPN server access to the web server.
Moderate Immediate
HUIT can provision a VPN, VPN client to be installed oncomputers and staff trained
Replace administrator passwords with digital password vault.
Manage credentials with elevated privileges to prevent passwords from being cracked.
Moderate February 2012
13
Recommendations
Recommendation Benefit Effort to Implement Availability
Perform an IT Risk Assessment of web application
Ensure security controls exist to comply with the University’s Enterprise Information Security Policy.
Low Immediate
via the IT Security Consulting service
Monitor network traffic to the web site.
Proactively detect, suspicious activity and notify the support team for a timely response.
Moderate Near term
Collaborate with HUIT Cyber Security
Content auditing Log changes to content and notify support team for a timely response.
Difficult Long term
14
Recommendations
Recommendation Benefit Effort to Implement Availability
Monitor web site for malicious code and notify if detected.
24 x 7 x 365 monitoring by an external vendor to proactively detect malicious application code running on web site and notify support team for a timely response.
Moderate Near term
Evaluate several vendors, subscribe to best service
HUIT Security | Website Hardening
15
Sep 30 2011
HUIT Security | Website Hardening
Q & A
The objective of Risk Management:
• Mitigate• Remediate• Transfer, or• Accept
Image goes here
16
Sep 30 2011
HUIT Security | Website Hardening
IT Security Contact Info
• Helpdesk at x 57777
These slides will be on http://security.harvard.edu
17
Sep 30 2011
HUIT Security | Website Hardening
Demos
• Password Vaults• Tenable• Hailstorm
Esmond Kane | Website Hardening
September 30, 2011
Thank you.