July 31, 2009
Vol. 31, Issue 20, page 28 in print issue
Identify The Top Web Threats To Your Enterprise
Keep Networks Safe From SQL Injection Attacks & Unknown Users
Most organizations no longer have a strict divide between their network and the Web, and as a result, many of the biggest SME security threats have a Web-based component. Below is a collection of some of the biggest Web-based threats out there, along with some tips on how to combat them.
Defend Against Cross-Site Scripting
XSS (cross-site scripting) attacks are a top Web threat, says Ralph DeFrangesco, a security expert and adjunct professor in computer security at Drexel University. In an XSS attack, malicious code is injected into a Web page; when an unsuspecting user clicks on a link, he or she is redirected to what looks like the same page and then risks having credentials or personal data stolen. Carl Herberger, vice president of information security and compliance services at managed technology service provider Evolve IP (www.evolveip.net), adds that because most Web applications display dynamic data originating outside the application, the client’s Web browser has the potential to execute malicious client-side scripting. “Because the malicious script is sent by the application Web server, it will execute under the trusted context of the vulnerable Web site,” Herberger says. To combat XSS attacks, Herberger recommends validating all headers, cookies, query strings, form fields, and hidden fields against rigorous specifications; not displaying user-supplied information in error situations; and implementing scanning tools to detect XSS vulnerabilities on all pages where input from an HTTP request could make its way into the HTML output.
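As an added illustration of Herberger's advice (example code, not from the article or from any product it mentions), the Python handlers below show a search page that reflects its query parameter unescaped, beside a hardened version that validates the parameter against a strict allow-list and HTML-encodes it before output; the allow-list pattern and page text are assumptions.

```python
import html
import re

# Constructed example: a search page that echoes the user's query back.
# The "rigorous specification" for the q parameter: letters, digits, spaces
# and a few punctuation marks, 1 to 64 characters. Anything else is rejected.
QUERY_SPEC = re.compile(r"^[A-Za-z0-9 ,.'-]{1,64}$")


def render_results_vulnerable(query: str) -> str:
    """Reflects the raw parameter into the HTML: a classic reflected XSS."""
    return f"<h1>Results for {query}</h1>"


def render_results_hardened(query: str) -> str:
    """Validate against the spec first, then HTML-encode before output.

    On a validation failure the page returns a fixed message and never echoes
    the rejected input, which is the "no user data in error situations" rule.
    """
    if not QUERY_SPEC.fullmatch(query):
        return "<h1>Invalid search query</h1>"
    # Encoding covers the characters the allow-list still admits (e.g. ').
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def contains_active_content(page: str) -> bool:
    """Crude scanner check: did a raw tag or event handler reach the HTML?"""
    return bool(re.search(r"<script|\bon\w+=", page, re.IGNORECASE))
```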
Prevent SQL Injection
The Web Application Security Consortium describes an SQL injection as “an attack technique used to exploit Web sites that construct SQL statements from user-supplied input. When a Web application fails to properly sanitize user-supplied input, it is possible for an attacker to alter the construction of backend SQL statements.” Mandeep Khera, CMO for Web application security provider Cenzic (www.cenzic.com), recommends reviewing all logs to determine the types of activities taking place at the Web layer. “Any hacking attempts with SQL injection and XSS types of entry should show up in the logs,” Khera says. “Once you know that hackers are attempting hacks through the Web, you [can take] steps to ensure that a comprehensive vulnerability assessment at the Web application layer is performed.”
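To show the kind of log review Khera describes, here is an added example (not from the article or from Cenzic) that parses constructed combined-format Web server access log lines, URL-decodes each request, and flags the ones carrying SQL injection or XSS signatures; the log lines, addresses and signature patterns are all constructed and deliberately narrow.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [31/Jul/2009:10:01:12 -0400] "GET /products?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [31/Jul/2009:10:01:15 -0400] "GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.9 - - [31/Jul/2009:10:01:20 -0400] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Jul/2009:10:02:03 -0400] "GET /search?q=union+station+hours HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Client address, timestamp, method, request path and status from one line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures are kept narrow to limit false positives: a quote, comment or
# statement separator directly before a SQL keyword, or a script/handler
# construct that has no business in a request parameter.
SIGNATURES = {
    "sqli": re.compile(r"""(?:['"]|--|/\*|#|;)\s*(?:or|and|union|select|drop|insert|update)\b"""
                       r"""|\bunion\s+(?:all\s+)?select\b""", re.IGNORECASE),
    "xss": re.compile(r"<\s*/?\s*(?:script|img|svg|iframe)\b|javascript\s*:|\bon\w+\s*=",
                      re.IGNORECASE),
}


def review_log(text: str) -> list:
    """Return (ip, status, category, decoded_path) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote_plus(m["path"])  # attack strings usually arrive URL-encoded
        for category, sig in SIGNATURES.items():
            if sig.search(decoded):
                hits.append((m["ip"], int(m["status"]), category, decoded))
                break
    return hits


def attempts_by_source(hits: list) -> dict:
    """How many flagged requests came from each client address."""
    counts = {}
    for ip, _status, _category, _path in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts
```

The 500 status on the flagged SQL injection line is the detail worth chasing: an error raised by a quote in a parameter is a strong hint that the query is built from unsanitized input.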
Properly Configure Devices
Internet access requires a host of devices, such as routers, switches, and firewalls, to route Internet traffic and defend networks. If these devices are not properly configured, hackers can exploit weaknesses in those configurations to access and steal information, says Christopher Burgher, associate principal of availability services consulting at SunGard Availability Services (www.availability.sungard.com). In addition to keeping devices properly patched, Burgher recommends making sure you don’t put systems into production with default configurations, limiting the number of services exposed to the Internet, and creating hardening standards for new devices.
Don’t Get Speared
Spear-phishing attacks constitute one of the fastest-growing threats to your enterprise. Unlike general phishing attacks, in which only a few people out of a million targets will fall victim, an attacker using spear-phishing masquerades as an employee from a distant department of, say, a bank and requests sensitive information, says Kunal Johar, president of security consulting firm vOfficeware (www.vofficeware.com). “For example, the attacker could spoof an email from a West Coast office and send it to people at an East Coast office,” says Johar. “If even one person falls victim, he or she could get discreet access to the enterprise network to commit more severe crimes.” According to Johar, the best defense against this type of attack is user training. He says “mock phishing” exercises, in which a specially crafted email is sent to your employees and their responses are measured, are best for teaching users about this threat.
By Robyn Weisman
Bonus Tips
Watch for false security padlocks. Remind your employees that a padlock icon on a Web site does not guarantee the page is secure. “Cyberthieves are capable of providing a padlock graphic, creating the illusion that the site is secure,” says Fred Touchette, senior security analyst at hosted solutions provider AppRiver (www.appriver.com). As part of your security policies, make sure your employees double-click on these padlocks to display the certificate information guaranteeing they are on safe, secure Web sites, and that the issued certificate matches the company they are visiting.
Inspect encrypted Web traffic. Traditionally, enterprises have relied on firewalls and UTM devices to monitor Web traffic, but encrypted Web traffic provides attackers with a means to bypass these security products, says Jeff Hajek, SVP of Americas operations at integrated network security solutions provider Stonesoft (www.stonesoft.com). Therefore, enterprises must find a controlled way to submit encrypted traffic for the same inspection as clear-text HTTP data. “Not only will this give data centers’ Web traffic an added layer of security, it can allow [IT] to comprehensively monitor the traffic inside of the TLS/SSL encryption, as well as detect and react to any unwanted content,” Hajek says.
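As an added example of the certificate check Touchette recommends (not from the article or from AppRiver), the Python code below performs the two checks a browser makes behind the padlock, host name against the certificate's names and the validity period, on a constructed certificate in the dictionary layout Python's standard `ssl` module returns from `getpeercert()`; the organization, names and dates are assumptions.

```python
import ssl
import time

# Constructed certificate fields in the layout ssl.SSLSocket.getpeercert()
# returns after a verified handshake; no real certificate is involved.
EXAMPLE_CERT = {
    "subject": ((("organizationName", "Example Corp"),), (("commonName", "www.example.com"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.shop.example.com")),
    "notBefore": "Jul  1 00:00:00 2009 GMT",
    "notAfter": "Jul  1 00:00:00 2010 GMT",
}


def dns_names(cert: dict) -> list:
    """Names the certificate is issued for: SAN DNS entries, else the CN (legacy)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern: str, host: str) -> bool:
    """Browser-style match: '*' may only stand for exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_certificate(cert: dict, host: str, now: float = None) -> list:
    """Return the problems found; an empty list means the site checks out."""
    now = time.time() if now is None else now
    problems = []
    if not any(name_matches(name, host) for name in dns_names(cert)):
        problems.append(f"certificate is not issued for {host}")
    # ssl.cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" strings.
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate is not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate has expired")
    return problems
```

A padlock drawn as an image on the page passes neither check, because there is no certificate behind it at all.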
Smartest Tip: Know Who’s On Your Network
You need to know who can access your enterprise network and how they access it, says Matt Bishop, a professor of computer science at UC Davis and a member of the IEEE Computer Society (www.ieee.org). “If there is a network connection you don’t know about or a virtual private network into your installation but with an untrusted end point, such as a home computer, then you are trusting something (or someone) you do not know about,” Bishop says. “Not knowing what assumptions you are making or not knowing how accurate those assumptions [are] is a security problem.” Bishop’s solution is basic: Figure out who is connecting to you and from where, and assess whether you trust them. “If not, prevent the connections. If so, worry about other problems,” he says.
Most Basic Threat: Improper Patch Management
Improper patch management can leave your enterprise susceptible to Web-based threats because unpatched servers are exposed to manual and automated attacks, says Randy Abrams, director of technical education at security solutions provider ESET (www.eset.com). “Patch management identifies Web threats, and it prevents many threats from being an issue,” Abrams says. If a user’s computer is properly patched, a Web site that has exploit code on it won’t work. But we are often our own worst enemy in this area, says Ralph DeFrangesco, a security expert and adjunct professor in computer security at Drexel University. “It is easy to fall into the trap of putting off patching. Companies like Microsoft, Adobe, and Apple are all releasing patches on the same day [while] every other software company can, and does, release patches at some time during the year,” DeFrangesco says. “Most companies have a test and production environment to which these patches need to be applied. It’s a tremendous amount of work, and it’s easy to drop the ball.”