Solved

I need a security audit report whether the system is tamper-proof.

Posted on 2006-06-20
5
480 Views
Last Modified: 2010-04-11
I need a security audit report whether the system is tamper-proof.

The website is www.2bid.com.au and I am writing a report to outline how secure the website on the server is. Can anyone point me in the right direction to get a report complete, or conduct the tests themselves?

Thanks
0
Comment
Question by:Adamylo
5 Comments
 
LVL 5

Accepted Solution

by:
kevinf40 earned 250 total points
ID: 16949804
Depending on the level of confidence you require there are several options -

Employ a professional pen test company to test the site and audit the code.

Use various open source tools such as metasploit, wikto, nikto etc to test the site.
Use paid for tools such as core impact, ISS internet scanner, GFI Languard etc to test the site

I would definitely advise a code review.

Also both privileged and non - privileged scans should be undertaken - e.g.
scan the O/S, apps, and site internally with a root / admin  level account - this will provide full details of patch levels, running services, and configuration of the server and web server etc - allowing remediation of any issues such as patching, correctly hardening the web server etc
then
scan the site as an external user - e.g. thought the firewall where you can only see a couple of ports and don't have admin level access (initially at least... ;)  )

This is a non trivial task to perform correctly, and ideally should have been performed before the site went live.

cheers

Kevin
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16954506
I would use Nessus.

http://www.nessus.org/download/

This is a free tool and can scan with latest vulnerabilities .






0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 250 total points
ID: 16954643
There are some things right off I'd change... However this is a very public site and this sort of activity isn't condoned by the EE EULA. If we did publish our findings, someone may come across them and use them to their advantage.

There is no real exploit for this, but if it were me, I'd keep folders from being browsable by anyone other than the webserver, not that the two folders below "img" are.. but the img directory can be made this way as well. There are tools out there for this, nessus, gfi languard security scanner and many others. you should hire a consultant or a web developer with a reputation in security, web security. http://www.2bid.com.au/themes/2bid/img/ 

This data should not be returned on those other dir's, you should have the webserver issue a 404 or similar error, access denied is always good.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
</body>
</html

You also cannot hire or attempt to solicit EE members. There are a number of books on the topic as well.
-rich
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
jump server vs push server 6 150
end-to-end encrypted email 16 73
SSH over http/https 8 104
If cmd & Powershell is blocked, can users still run tools from Taskmgr or other means 9 103
Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
Big data transfers via information superhighways require special attention and protection. Learn more about the IT-regulations of the country where your server is located. Analyze cloud providers and their encryption systems for safe data transit. S…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now