Solved

Measures against hacking of websites

Posted on 2013-11-10
Last Modified: 2016-03-23
Lately, an anonymous group has appeared on YouTube to hack websites, possibly by altering the pages on the websites:
  http://www.youtube.com/watch?v=AJCU14M7PBU

I'll need to brainstorm for a list of preventive measures to
pre-empt the above attacks.

a) run vulnerability scan (Nessus) ?
b) apply latest MS security patches ?

Anything else?
Question by: sunhux
3 Comments
Assisted Solution by: Norm Dickinson (earned 80 total points)
Backups of the website are crucial as is a complex password. Also keep a close eye on the website for any signs of an attack. Set a low tolerance for blacklisting attempted login IPs as well - it is easier to reset those legitimate users who make a mistake than to fix the results of a hack.
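Two of the points above (watch the site for signs of an attack, blacklist IPs that fail logins) can be turned into a routine check. The following is an added example, not code from the answer: a hypothetical integrity monitor that hashes the web root against a stored baseline, and a login-failure counter run over constructed Apache-style log lines (the `/admin/login` path and the log format are assumptions).

```python
import hashlib
import re
import tempfile
from collections import Counter
from pathlib import Path

def snapshot(webroot):
    """SHA-256 of every file under the web root, keyed by relative path.
    Keep the result off-box; comparing a later run against it shows
    replaced or added pages (a defacement) before visitors report them."""
    return {str(p.relative_to(webroot)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(Path(webroot).rglob("*")) if p.is_file()}

def diff_snapshots(baseline, current):
    """Return (changed, added, removed) relative paths."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return changed, added, removed

# Apache-style access log line for a failed admin login (assumed format).
FAILED_LOGIN = re.compile(r'^(\S+) .*"POST /admin/login[^"]*" 401 ')

def ips_to_block(log_lines, threshold=3):
    """IPs with at least `threshold` failed admin logins. The threshold is
    deliberately low: unblocking a legitimate user is cheaper than cleanup."""
    failures = Counter()
    for line in log_lines:
        m = FAILED_LOGIN.match(line)
        if m:
            failures[m.group(1)] += 1
    return sorted(ip for ip, n in failures.items() if n >= threshold)

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2013:10:00:01 +0000] "POST /admin/login HTTP/1.1" 401 512',
    '203.0.113.7 - - [10/Nov/2013:10:00:03 +0000] "POST /admin/login HTTP/1.1" 401 512',
    '203.0.113.7 - - [10/Nov/2013:10:00:05 +0000] "POST /admin/login HTTP/1.1" 401 512',
    '198.51.100.2 - - [10/Nov/2013:10:01:00 +0000] "POST /admin/login HTTP/1.1" 401 512',
    '198.51.100.2 - - [10/Nov/2013:10:01:30 +0000] "POST /admin/login HTTP/1.1" 302 0',
]

def demo():
    """Tiny web root, baseline, simulated defacement, then the comparison."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.html").write_text("<h1>Welcome</h1>")
        Path(root, "about.html").write_text("<h1>About</h1>")
        baseline = snapshot(root)
        Path(root, "index.html").write_text("<h1>Defaced</h1>")    # page replaced
        Path(root, "defaced.html").write_text("<h1>Defaced</h1>")  # page added
        changed, added, removed = diff_snapshots(baseline, snapshot(root))
    return changed, added, removed, ips_to_block(SAMPLE_LOG)
```

Run `snapshot()` from cron and alert on any non-empty diff that was not preceded by a planned deploy.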
Accepted Solution by: Giovanni Heward (earned 420 total points)
You'll want to use the concept of least privilege. Ensure a firewall is blocking all ports except those absolutely necessary (80/TCP, 443/TCP). For the required ports that remain, consider using application firewalls. Place a Web Application Firewall in front of the webserver to inspect requests, such as ModSecurity with the OWASP ModSecurity Core Rule Set (CRS). This product is capable of "virtual patching" -- that is, intercepting malicious requests and modifying them to be inert in transit.

Best Practices: Use of Web Application Firewalls
https://www.owasp.org/index.php/Category:OWASP_Best_Practices:_Use_of_Web_Application_Firewalls

In addition, you'll want to harden your server OS, web server, and web application code. For web applications see the OWASP Top 10 Vulnerabilities and the Securing Web Application Technologies (SWAT) Checklists.

Developer Awareness Training Modules [Videos]

A1-Injection
Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

A2-Broken Authentication and Session Management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.

A3-Cross-Site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A4-Insecure Direct Object References
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

A5-Security Misconfiguration
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.

A6-Sensitive Data Exposure
Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

A7-Missing Function Level Access Control
Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

A8-Cross-Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

A9-Using Components with Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

A10-Unvalidated Redirects and Forwards
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

To harden your OS, see:
http://usgcb.nist.gov/
https://www.sans.org/course/securing-windows
https://www.sans.org/course/securing-linux-unix

Twenty Critical Security Controls for Effective Cyber Defense

Windows
Going Beyond Just Anti-Virus Scanning
    How your AV scanners can fail you
    Application whitelisting
    AppLocker
    Script and executable signing
    Controlling USB devices
    DEP, ASLR, and SEHOP
    Benevolent Microsoft rootkit: EMET
    Restoring to a pristine OS image
    Virtual Desktop Infrastructure (VDI)

OS Hardening with security templates
    INF vs. XML security templates
    How to edit and apply templates
    Security configuration and analysis
    SECEDIT.EXE
    Security configuration wizard
    Auditing with templates

Hardening with Group Policy
    Group Policy Objects (GPOs)
    Third-party GPO enhancements
    Pushing out PowerShell scripts
    GPO remote command execution
    GPO troubleshooting tools
    Custom ADM/ADMX templates

Enforcing Critical Controls for applications
    Protected Mode Sandboxes
    Metro AppContainer Sandboxes
    Hardening Internet Explorer
    Hardening Google Chrome
    Hardening Adobe Reader
    Hardening Java
    Hardening Microsoft Office

Compromise of Administrative Powers
    Hackers and malware LOVE administrative users
    Partially limiting pass-the-hash attacks and token abuse
    How to get users out of the administrators group
    Secretly limiting the power of administrative users
    Limiting privileges, logon rights and permissions
    User Account Control (making it less annoying)
    Kerberos armoring and eliminating NTLM
    Picture password on touch tablets
    Windows Credential Manager vs. KeePass

Active Directory Permissions and Delegation
    Active Directory permissions
    Active Directory auditing
    Delegating authority at the OU level
    Domains are not security boundaries
    Logging attribute content changes

Updating Vulnerable Software
    Everything must be patched every week
    Patching off-site tablets and laptops
    Identifying rogue devices (BYOD Hell)
    WSUS shortcomings
    WSUS third-party enhancements
    Windows App Store (Metro)
    The future: continuous updates

Why Have a PKI?
    Strong authentication and encryption
    Passwords are dead
    Smart cards, IPSec, wireless, SSL, S/MIME, etc.
    Mobile and BYOD computers
    Code and document signing

How to Install the Windows PKI
    Root vs. subordinate certification authorities
    Should you be your own root CA?
    Custom certificate templates
    Controlling certificate enrollment

How to Manage Your PKI
    Group policy deployment of certificates
    Group policy PKI settings
    How to revoke certificates
    Automatic private key backup
    Credential roaming of keys
    Delegation of authority

Deploying Smart Cards
    Everything you need is built-in
    TPM virtual smart cards
    Smart card enrollment station
    Group policy deployment
    Smart cards on a limited budget

BitLocker Drive Encryption and Secure Boot
    UEFI Secure Boot
    TPM boot integrity checking
    Cold boot and 1394 port attacks
    USB device encryption
    Mounting encrypted VHD files
    BitLocker emergency recovery
    BitLocker network unlock of the PIN

Why IPSec?
    IPSec is NOT just for VPNs!
    More secure than SSL
    User/computer authentication
    Transparent to users
    No user training required
    NIC hardware acceleration
    Compatible with NAT

Creating IPSec Policies
    Require vs. prefer encryption
    Share permissions on TCP ports
    IDS/IPS compatibility options
    IPSec-based encrypted VLANs
    Group Policy management
    Scripting for BYOD stand-alones

Windows Firewall
    Group Policy management
    Metro app and service awareness
    Roaming and VPN compatibility
    Deep IPSec integration
    NETSH and PowerShell scripting

Securing Wireless Networks
    Wi-Fi Protected Access (WPA2)
    Pre-shared key weaknesses
    DoS attack vulnerabilities
    Rogue access point detection
    BYOD and network bridging
    Wireless best practices

RADIUS for Wireless and Ethernet
    Certificate authentication and PKI
    How to use smart cards
    EAP vs. PEAP
    PEAP-MS-CHAPv2
    802.1X for Ethernet switches
    Account lockout DoS attacks
    Group Policy configuration of clients

Dangerous Server Protocols
    Eliminate SSL, only use TLS
    Requiring strong ciphers and keys
    RDP man in the middle attacks
    SMBv3 native encryption
    SMB downgrade attacks
    NTLM, NTLMv2 and Kerberos
    Kerberos armoring
    Hardening the protocol stack
    What about IPv6?

Server Hardening
    Server Manager and PowerShell
    Server Core/Minimal/Full
    Security templates and Group Policy
    Preparing for incidents: pre-forensics
    Service account security
    Scheduling tasks remotely and safely

Internet-Exposed Member Servers
    Not every server can be a stand-alone
    Active Directory for the DMZ or the cloud
    Cross-forest trusts and Selective Authentication
    Read-only domain controllers (RODC)
    Firewall design for DMZ or cloud member servers

Dynamic Access Control (DAC)
    Claims-based access control and auditing
    DAC does not require Windows 8
    DAC conditional expressions
    DAC and complying with regulations
    Automatic file classification infrastructure
    User and device identity restrictions
    Auditing without managing SACLs
    Central access policy deployment

Microsoft Baseline Security Analyzer
Microsoft Web Application Configuration Analyzer

The Web Application Security Consortium (WASC) has a list of web application security scanners.
The Open Web Application Security Project (OWASP) Phoenix has a list of various web application testing tools.

I've had good results with NTOSpider.
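To make the "virtual patching" idea concrete, here is an added example (not from the answer above and not ModSecurity or CRS code): a hypothetical WSGI middleware in front of the application that enforces a per-parameter allow-list on endpoints known to be weak, stripping any parameter that does not match so the request reaches the backend inert, and logging the event. The paths, parameter names and regexes are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Hypothetical virtual patches (not CRS rules): for each path known to be
# weak, the regex each parameter must fully match until the code is fixed.
VIRTUAL_PATCHES = {
    "/product": {"id": r"[0-9]{1,9}"},         # database key must be numeric
    "/search": {"q": r"[A-Za-z0-9 ]{0,64}"},   # plain words only
}

class VirtualPatch:
    """WSGI middleware placed in front of the application. Parameters that
    violate a patch are stripped, so the request reaches the backend in an
    inert form, and each strip is recorded for the operator to review."""
    def __init__(self, app, patches, events):
        self.app, self.patches, self.events = app, patches, events

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        rules = self.patches.get(path)
        if rules:  # unpatched paths pass through untouched
            kept = []
            pairs = parse_qsl(environ.get("QUERY_STRING", ""), keep_blank_values=True)
            for name, value in pairs:
                pattern = rules.get(name)
                if pattern is None or re.fullmatch(pattern, value):
                    kept.append((name, value))
                else:
                    self.events.append(f"{environ.get('REMOTE_ADDR')} {path} dropped {name}")
            environ["QUERY_STRING"] = urlencode(kept)
        return self.app(environ, start_response)

def backend(environ, start_response):
    """Stand-in for the real application: echoes the query it was given."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["QUERY_STRING"].encode()]

def send(app, path, query, addr="203.0.113.9"):
    """Drive a WSGI app without a server; returns (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path,
               "QUERY_STRING": query, "REMOTE_ADDR": addr}
    status = []
    def start_response(s, headers):
        status.append(s)
    body = b"".join(app(environ, start_response)).decode()
    return status[0], body

EVENTS = []
PROTECTED = VirtualPatch(backend, VIRTUAL_PATCHES, EVENTS)
```

The same structure applies to POST bodies and headers; the point is that the rule lives in front of the code, so it can be deployed the day a flaw is found and removed once the application itself is fixed.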
Expert Comment by: Giovanni Heward
Here's a sample diagram depicting my recommended approach.

Recommended Approach