Solved

I need a security audit report whether the system is tamper-proof.

Posted on 2006-06-20
5
466 Views
Last Modified: 2010-04-11
I need a security audit report whether the system is tamper-proof.

The website is www.2bid.com.au and I am writing a report to outline how secure the website on the server is. Can anyone point me in the right direction to get a report complete, or conduct the tests themselves?

Thanks
0
Comment
Question by:Adamylo
5 Comments
 
LVL 5

Accepted Solution

by:
kevinf40 earned 250 total points
ID: 16949804
Depending on the level of confidence you require there are several options -

Employ a professional pen test company to test the site and audit the code.

Use various open source tools such as metasploit, wikto, nikto etc to test the site.
Use paid for tools such as core impact, ISS internet scanner, GFI Languard etc to test the site

I would definitely advise a code review.

Also both privileged and non - privileged scans should be undertaken - e.g.
scan the O/S, apps, and site internally with a root / admin  level account - this will provide full details of patch levels, running services, and configuration of the server and web server etc - allowing remediation of any issues such as patching, correctly hardening the web server etc
then
scan the site as an external user - e.g. thought the firewall where you can only see a couple of ports and don't have admin level access (initially at least... ;)  )

This is a non trivial task to perform correctly, and ideally should have been performed before the site went live.

cheers

Kevin
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16954506
I would use Nessus.

http://www.nessus.org/download/

This is a free tool and can scan with latest vulnerabilities .






0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 250 total points
ID: 16954643
There are some things right off I'd change... However this is a very public site and this sort of activity isn't condoned by the EE EULA. If we did publish our findings, someone may come across them and use them to their advantage.

There is no real exploit for this, but if it were me, I'd keep folders from being browsable by anyone other than the webserver, not that the two folders below "img" are.. but the img directory can be made this way as well. There are tools out there for this, nessus, gfi languard security scanner and many others. you should hire a consultant or a web developer with a reputation in security, web security. http://www.2bid.com.au/themes/2bid/img/

This data should not be returned on those other dir's, you should have the webserver issue a 404 or similar error, access denied is always good.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
</body>
</html

You also cannot hire or attempt to solicit EE members. There are a number of books on the topic as well.
-rich
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Healthcare organizations in the United States must adhere to the guidance of both the HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) for securing and protec…
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now