4 Chapter 1 • Applying Security Principles to Your E-Business
If your company had exposed the records of these clients, what
would the damage to your bottom line have been? How would your
company deal with such a situation?
Integrity
Integrity is perhaps the most difficult of the principles to achieve, yet it is the most vital of the three. Businesses must manage and maintain the integrity of the information with which they are entrusted. Even the slightest corruption of that data can cause complete chaos. The myriad of decisions based upon that integrity range from the basic business operation to the growth plans of the business long term. Over the centuries, various methods have evolved for building and maintaining the integrity of information. The double entry accounting system, the creation of jobs such as editors and proofreaders, and the modern checksum methods are all technical advances aimed at creating integrity. Yet, even with these modern tools and all the attention paid to the process over the years, integrity remains one of our greatest concerns. Integrity is something we almost take for granted. We assume that the database system we are using will maintain the records of our sales correctly. We believe that our billing system is smart enough to add the items on a customer’s bill. Without some form of integrity checking, neither of these situations may be true. Integrity of information can have an even larger impact on an organization.
Imagine a computer virus that infected your accounting systems and modified all the sevens in your Excel spreadsheets, turning them into threes. What would the effect of those illicit modifications mean to your business? What steps would your organization take to recover the correct figures and how would you even discover the damage?
Availability
Last, but not least, of the three principles is availability. Availability is the
lifeblood of any business. If a consumer can’t get to your business to
purchase your goods, your business will soon fail. In the e-commerce
world, where every moment can directly translate to thousands of dollars
in sales, even downtimes of less than an hour can do immense financial
damage to a company. Consider the amount of damage done to your
company if your Web site became unavailable for four hours, which is
the length of time that most vendors used as a benchmark for
turnaround time in the pre-Internet world. Such an outage in e-com-
merce could cost tens of thousands of dollars, as we will see in Chapter
2. How long could your company continue to do business if your
Internet presence was destroyed? How much money per hour would
your organization lose if you could not do business online?
Security also entails a three-step process of assessment, revision, and implementation of changes (see Figure 1.1). This continual process of evaluation and feedback is necessary to adapt processes and products to the ever-changing conditions of the online world. As hackers examine existing software and hardware systems and discover new vulnerabilities, these vulnerabilities must be tested against your own systems and changes made to mitigate the risks they pose. The systems must then be tested again to ensure that the changes did not create new weaknesses or expose flaws in the systems that may have been previously covered. For example, it is fairly common for software patches and version upgrades to replace configuration files with default settings. In many cases, this opens additional services on the box, or may re-enable protocols disabled by the administrator in a previous configuration. This ongoing process of evaluation strengthens the three principles and ensures their continued success.
Figure 1.1 The Continual Security Assessment Process (diagram: a cycle of Assess, Revise, and Implement)
Based on these ideas and the scenarios that can occur when the
three principles are not managed well, you can see why building security
from the ground up is so important. Building the three principles into a
business certainly requires work and planning. Security is neither easy
to accomplish nor easy to maintain, but with proper attention, it is
sustainable.
Presenting Security As More Than a Buzzword
Security must be more than a buzzword or a group within your organization. Security needs to be on the mind of every employee and in the forefront of the day-to-day operations. Security staff members need to work as partners or consultants to other groups within the company. They need to remain approachable and not be seen as “Net cops” or tyrants. They need to allow for dialogue with every employee, so that they can make suggestions or bring to their attention any events that seem out of place.
Security works best when all employees are attentive to situations that may expose customers to danger or the site to damage. The key to achieving this level of awareness is education. Education is the tool that disarms attackers who prey on miscommunication, poorly designed processes, and employee apathy. Such attacks, often called “social engineering” by hackers, can be devastating to a company and its reputation. The best way to defend against these attacks is to educate your employees on your policies regarding security and customer privacy. They also need to see those policies being followed by all members of the team, from management down to the entry-level employees. They need reminders, refreshers, and periodic updates whenever changes to the procedures are made. In other words, security has to be an attitude from the top down. The highest levels of management must support the policies and their enforcement for long-term success to be achieved and maintained.
The security team also requires the support of management. A uni-
versal attitude of cooperation must be presented and maintained across all
lines of business with the security group. Every employee needs to feel
that the security group is approachable and they should have no fear of
reporting things that seem suspicious. Employees need to know exactly
whom to contact, and they need to be treated with respect instead of sus-
picion when they talk to the security team and its members.
Tools & Traps…
Social Engineering
In the average business there are a number of avenues ripe for
social engineering exploitation. With the security focus often
turned to the more romantic notions of stealthy hacks and exotic
code, the more prosaic methods of bypassing security are often
neglected. Unfortunately, attempting to prevent social engineering
can be a double-edged sword. Processes and procedures aimed at
reducing the possibility of social engineering can do as much harm
as good, driving users to ignore them due to their overly rigid and
complex implementation. This said, there are a number of areas
that are commonly open for abuse, including the following:
• Passwords: Overly complex passwords are often written down and easily accessible. More memorable passwords, however, are often a greater risk because simpler passwords such as a husband’s first name are easily guessed. Some companies employ strong authentication that requires the user to use a combination of a password and a number generated by a special token which the user possesses.
• Support Services: When a user calls a help desk or a network engineer for support, the authenticity of the user is often taken for granted. A negligent help desk could easily respond to a request for a password change for a user’s account without a guarantee that the caller is who he says he is. In this scenario the hacker typically leverages the anonymity provided by a telephone or e-mail message. Using a similar angle, a hacker could pretend to be part of the support services and during a phony “support” call obtain a user’s logon ID and password.
• Physical Access: Without adequate physical security a hacker or even a non-technical criminal with a confident bearing can walk directly into an office and begin using computer systems. In fact, a case reported in China detailed how a man walked into a securities firm posing as an employee and used an unsecured terminal to affect stock prices and the stability of the Shanghai stock market.
Since social engineering is such a dangerous weapon in the
attacker’s toolkit, it only makes sense to educate yourself about it.
Here are some Web sites where you can learn more about social
engineering:
• www.netsecurity.about.com/compute/netsecurity/cs/socialengineering
• www.cert.org/advisories/CA-1991-04.html
• www.pacbell.com/About/ConsumerInfo/0,1109,157,00.html
Remember, too, that social engineering may be used to attack more than your computer security. It is a wide-ranging tool used for fraud and privacy violations as well, or can be used to gather information to plan a larger attack.
The Goals of Security in E-Commerce
Security plays a very important role in e-commerce, and is essential to the bottom line. While e-commerce done correctly empowers your company and the consumer, e-commerce done poorly can be devastating for those same participants. The goals of security in the commerce process must be to:
• Protect the privacy of the consumer at the point of purchase.
• Protect the privacy of the customers’ information while it is stored or processed.
• Protect the confidential identity of customers, vendors, and employees.
• Protect the company from waste, fraud, and abuse.
• Protect the information assets of the company from discovery and disclosure.
• Preserve the integrity of the organization’s information assets.
• Ensure the availability of systems and processes required for consumers to do business with the company.
• Ensure the availability of systems and processes required for the company to do business with its vendors and partners.
These goals are a starting point for the creation of a good security policy. A great security policy, as described in Chapter 4, will address all of these goals and lay out processes and practices to ensure that these goals are met and maintained. Think of your security policy as your first line of defense, because from it should come all the processes and technical systems that protect your business and your customer.
Any security measures you implement without a policy become de facto policies. A policy created that way was probably created without much forethought. The problem with unwritten policies is that you can’t look them up, and you don’t know where to write the changes.
Planning with Security in Mind
Building the foundation from a secure starting point is very important.
For this reason, the three principles have to be applied to the process
from the beginning stages of planning. Examine the business plan and
apply the aspects of confidentiality, integrity, and availability. Ask your
staff and yourself questions such as:
• How are we going to ensure the confidentiality of our customers?
• How will we protect our business information from disclosure?
• What steps are we taking to double-check the integrity of our data gathering?
• What processes are we using to ensure that our data maintains integrity over time?
• How are we protecting ourselves against the loss of availability?
• What are our plans for failure events?
As the business plans begin to take shape, apply the three principles
to them. Keep the principles involved continually as the planning
evolves, and you will find that your questions give birth to scenarios, and
those scenarios lead to solutions.
Spend time thinking about the threats to your site. Profile the flow
of likely attacks and determine the probable ease of their success. For
example, if an attacker wanted to gather customer financial information,
could he or she simply compromise your Web server and gain access to
it? There have been countless examples of situations exactly like this
one, where what should have been a simple Web server compromise
ended up exposing sensitive customer data to the attackers. Had those
credit card numbers and other information been stored on a separate
machine, or better yet, on a more protected network segment, the
attacker may not have been able to harvest it. Avoid single points of
failure. Ensure that compromise of one network component does not
jeopardize your entire operation. Apply these scenarios to each step of
the plans and revise them until you have resolved the apparent issues.
An example scenario for this process might include something like this: If an attacker used the latest exploit of the week to gain access to your Web server, what other systems could be easily compromised? In a recent, all too real example, a client called me when this had happened. The attacker had used the Unicode exploit (see Rain Forest Puppy’s page at www.wiretrip.net/rfp/p/doc.asp?id=57&iface=6 for more details on Unicode) against my client’s Web server to gain access to the file system. After uploading a Trojan horse program, they quickly managed to grab the Repair password file and crack Administrator access to the system. Unfortunately for my client, the attacker had compromised the system that they had designated to be the Domain Controller for all the Web server systems in the DMZ. They had chosen, unwisely, to deploy a Windows Domain for easier systems management of the Web servers and the server they used to allow vendors to pick up orders from their site. Their primary e-mail server and their FTP server were also members of the same domain. Each of these systems was, in turn, compromised by the attacker. By the time the damage had been discovered, each of these systems had to be removed from service and completely rebuilt. Their partners were advised of the damage, and they lost valuable time and money, not to mention confidence in their company by their partners. To date, that single mistake of making each of the systems a member of a Windows Domain instead of stand-alone servers has cost them thousands of dollars and several IT managers their jobs. Even small miscalculations can have large ramifications on security.
Understand that for every scenario and threat that you think of, dozens of others may exist or may come to exist in the future. Don’t be alarmed if you feel like you have only thought of the most basic threats. This very act of preparation and scenario development will create a great deal of awareness of the issues encompassed in the three principles. In addition, your team’s ability to handle security incidents down the road will be increased as you become more familiar with details of your business process.
At the end of this process, you should have some basic plans for your site. One of the best ways to organize this planned information is in a chart that details your risks and how you plan to mitigate them. An example is shown in Table 1.1. These examples are basic, and you should certainly have many more than this, but it is a start to give you the idea of a framework.
Table 1.1 Sample Risk Mitigation Chart
| Phase of E-commerce Process | Explanation of the Risk | Strategy for Risk Mitigation |
| Consumer Check-out | An attacker could monitor the transmission of the credit card and consumer data. | We will use SSL encryption to protect the information as it travels across the Internet. |
| Credit Card Data Transfer to the ISP Credit Systems | An attacker could monitor our credit card batch file when we transfer it to the ISP credit card system each hour for processing. | We will use SecureFTP to send the data down an SSH tunnel to prevent sniffing attacks. |
| Any Phase | An attacker could compromise our database server that we use to store our client’s personal information and purchase history. | We will protect the server by removing all unneeded services and installing a file system checksum program to alert us to changes. We will also locate the server in a separate DMZ segment and only allow encrypted transfer through a SQL proxy to interact with the system. |
| Any Phase | An attacker could seek to shut us down by flooding our network. | We will protect ourselves by using redundant servers and a load balancing router. We will also be prepared to implement traffic blocking access control rules on the ISP router by calling their help desk line. |
Security during the Development Phase
The steps involved in translating the plans established into actual prod-
ucts and processes can be very dangerous to the security principles.
Often, compromises must be made to facilitate budgets, timeframes, and
technical requirements. Many times, these compromises impact the
overall security of a project.
The single best way to ensure that the underlying security of the project remains intact through the development phase is through continual involvement. As each process or product is defined, apply the three principles to it and revise the definition to answer the scenarios you created in the planning process. If compromises must be made that impact the security of the project, carefully profile those changes and create a list of the risks involved in them. This list of risks will become important in the implementation phase, as it gives you a worksheet for problems that must be mitigated through the combination of technology, policy, and awareness. Often, compromises in key areas will have a major impact on attempts to secure other dependent areas. Be sure that attempts to save a dollar when building an underlying component do not cost you ten in trying to patch the pieces sitting on top.
Each process and product must be carefully examined to define the various risk factors involved. Attention to detail is highly important in this step, as is the cross-examination of a process or product by the various team members. Each of the team members will have his or her area of concern, and thus will bring a different angle of examination to the table. This cross-examination, or “peer review,” often creates stronger designs and more secure solutions. In fact, peer review can be a very helpful tool in your policy creation tool box as well. The whole concept is to pass each policy or development process by each team member allowing each to comment on the process or policy from their point of view. At the end, someone, usually the original author, edits all the commentary back into the policy or process to create a better end product. Peer review is often done across the board for policies, technical information, and new processes before they are released to the general public.
After each of the processes has been defined and developed, reconvene the examination team to review the complete procedure from beginning to end. Many times, during the combination of the various discrete processes into the overall product, security holes are created inadvertently through the communication and storage of information. Two components may not be insecure on their own, but can create a hole when they interact. An example might be two e-commerce systems that both store their information in encrypted databases but interact with each other, moving that same information over an unencrypted link. In this example, the vulnerability is not in the database servers, but in the method used to communicate with each other. Examine these types of scenarios carefully. Again, revise the processes as required, or note the accepted risks for mitigation during the implementation phase.
Implementing Secure Solutions
The most important thing to remember as your business moves into the implementation phase is to only bring systems online after they have been thoroughly tested and established as being secure. The largest danger faced in this phase is that the systems will be rushed into operation before they have been thoroughly evaluated. Securing your systems after they have been brought online could leave you vulnerable for long enough to allow an attacker to plant a backdoor for later attack, or to compromise the system at that time. Securing an already compromised setup is not only futile, it is often very difficult to detect. The moral of the story is: Don’t bring it online until you know it is ready for the world.
The evaluation of your systems involves using the tools and processes outlined in Chapter 8. Mainly, the process is to test your actual implementation against the three principles. Automated tools are used to examine each component and to determine the risks and weaknesses associated with them. Vulnerabilities may have been created through misconfigurations, last-minute technical revisions, or unforeseen issues with a software program or hardware device. Repair of these vulnerabilities may include applying patches, reengineering processes or network segments, or other changes. It is very important to evaluate each of these modifications in regard to the surrounding security and to reevaluate the systems from scratch once they have been applied.
Once you have successfully secured your environment and processes down to the level of your accepted risks, it is time to mitigate those issues through a combination of technology, policy, and awareness. Begin by using your list of accepted risks to create a policy to deal with them. Security policies are the backbone of your system of defense. These policies act as the basis for determining actions, system configurations, and the types of devices you will use to secure your network. They should be generated by your security staff, in conjunction with team members from Human Resources, your legal team, and the group that is developing and implementing your site. Involving these other teams in the policy creation will establish not only a sense of trust, but also a more open policy. It is easy to establish a restrictive, draconian security policy, but very difficult to create one that balances corporate, technical, and legal factors while still allowing the business to perform its needed functions.
Ensure that all of these issues are added to your security policy, and
then implement technical systems to enforce those policies in real time.
Systems such as firewalls, intrusion detection systems, and monitoring
tools can be used to mitigate the risks you have accepted as an inherent
part of your process.
Once you have mitigated your risks, you can begin to bring your
systems online and offer access to the public. Many sites choose to roll
out their systems in phases of deployment, while others release the entire
site at once. Making this selection depends on your site and the level of
staffing resources you have to handle situations as they arise. Remain
attentive as the site begins to become popular. Carefully watch your pro-
cesses and continue to evaluate your performance against the three prin-
ciples. Remember, security is a journey and not a destination.
Managing and Maintaining Systems in a Secure Environment
One of the most complicated issues surrounding an e-commerce site is
the secure management and maintenance of the systems involved.
Software systems require periodic patching as programmers repair security
and functional problems. Hardware devices may require patches as well as
physical maintenance. Log files have to be monitored, backups have to be
performed, and the systems have to be administered for day-to-day opera-
tion. In addition, all of these events are expected to occur without com-
promising security or impacting the operation of the business.
In the pre-Internet days, data systems had scheduled outage times to handle maintenance and administration issues. However, in today’s 24-hour consumer environment of the online world, sites must be available at all times to consumers or they will simply take their business elsewhere. Thus today, system operators and e-commerce businesses must strive for zero downtime and lower impact on the site to perform these management functions. This is made possible by hardware that is more powerful, faster networks, and redundancy for mission-critical systems.
Damage & Defense…
Providing Mirrored Implementations for Administrators
Zero downtime is nearly impossible without creating a near dupli-
cate environment for your system administrators to test their
patches, fixes, modifications, and ideas. Ideally, this mirrored envi-
ronment should be exactly like your production site. The smaller
the variances between the test setup and the real site, the smaller
the chance for problems or unpredicted behavior. While expense is
often a factor in building such a mirrored lab, the long-term ben-
efits are usually significant.
Mirroring your site or creating a test bed does not have to be
cost prohibitive. If you cannot exactly duplicate your existing pro-
duction systems, come as close as your budget will allow. At a min-
imum, allow your staff to create a test network segment with
several systems that have swappable hard drives to allow them to
be configured in a multitude of ways. With some imagination,
using flexible hardware, you will find that you can simulate many
varying environments.
I had the experience of assisting a client using Windows NT after
they had neglected to use a test bed before applying a service
pack. They had applied the service pack to a server upon which
they had used Partition Magic to grow the main partition to larger
than the Windows Disk Manager would allow. Everything worked
fine before the service pack, but afterward the system would not
boot. What had happened was this: Partition Manager had made
the drive so large that the newer versions of the Windows NT
software could not access them correctly and thus could not locate
the kernel files for NT. While the solution in this case was simply to
resize the partition back to less than the minimum, it also required
moving data to the new extended partitions and reconfiguring
several applications. The downtime for this system exceeded two
hours, which was a costly timeframe for the company. However,
they did learn an expensive lesson.
Patches and upgrades often have unexpected effects. Using a
test bed or mirror site allows you to carefully test the process and
the behavior of all modifications before you apply them to your
real site.
Day-to-day management is mainly performed through automated
processes on systems remote from the mission-critical systems to take
advantage of speed and to reduce the danger of human error. Secure
tunnels transfer log files and other monitoring information across our
networks to prevent unauthorized observance and discovery. Devices
communicate events back to common monitoring stations via commu-
nications bursts to alert operators and administrators that events have
occurred or that they need attention. Administrators may then remotely
access the systems across these secure tunnels or by physically visiting the
machines if required.
Keep in mind that while the process of managing these machines seems largely automated, it still has inherent risks. Software packages require continual patching as vulnerabilities are discovered and repaired. Each of these patches could cause unexpected behavior in your environment. Vendors do test their patches, but the complexities and individualization of today’s Internet sites make it impossible for them to test their software for every circumstance. In addition, the slightest change to your network components could also have a vast impact on the security of your site. As administrators change out equipment for maintenance or replace components or applications with new revisions, they may accidentally introduce misconfigurations or other weaknesses into your site.
The method used to avoid these issues is to continually evaluate your site against your known baselines. If new vulnerabilities or risks appear, changes may have been made. These changes may be the result of new vulnerabilities that have been discovered or the result of changes made to components. Either way, these vulnerabilities must be immediately mitigated through repair or by managing them through your combination of technology, policy, and awareness. The only way to ensure the long-term security of your site is to continually assess it, revise it, and implement the changes required to mitigate your risks. To help you maintain the process, the flow chart shown in Figure 1.2 can be used as a reference.
Figure 1.2 Continuous Evaluation Process (flow chart). Start Here: Has your site changed? If yes, perform an assessment; if no, has the assessment time limit expired? If yes, perform an assessment; if no, stop for now and begin again at the next interval. After the assessment: Are there new vulnerabilities? If no, stop for now and begin again at the next interval; if yes, research patches/fixes and ask whether they can be safely applied. If yes, apply the patches/fixes; if no, create other methods for mitigating the risks.
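The baseline comparison that the flow chart's first two decisions rest on, and that the earlier warning about upgrades replacing configuration files and re-opening services calls for, written out as an added example that is not from the book. It models a host as a dict of file contents plus a set of listening ports; the key, file paths, port numbers and dates are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

# Key held on the monitoring station rather than on the monitored host, so an
# intruder who alters a file cannot also regenerate a matching digest.
# Constructed value for this example.
BASELINE_KEY = b"example-monitoring-station-key"


@dataclass
class Baseline:
    file_digests: dict      # path -> keyed SHA-256 hex digest of the contents
    services: frozenset     # (protocol, port) pairs that are expected to listen
    taken_at: datetime


def digest_files(files, key=BASELINE_KEY):
    """Keyed digest of every file; files is {path: bytes}."""
    return {path: hmac.new(key, data, hashlib.sha256).hexdigest()
            for path, data in files.items()}


def take_baseline(files, services, now, key=BASELINE_KEY):
    return Baseline(digest_files(files, key), frozenset(services), now)


@dataclass
class Drift:
    changed_files: list
    added_files: list
    removed_files: list
    opened_services: list
    closed_services: list

    def __bool__(self):
        return any((self.changed_files, self.added_files, self.removed_files,
                    self.opened_services, self.closed_services))


def compare(baseline, files, services, key=BASELINE_KEY):
    """Answer the flow chart's first question: has the site changed?"""
    current = digest_files(files, key)
    known = baseline.file_digests
    changed = sorted(p for p in known if p in current and current[p] != known[p])
    added = sorted(set(current) - set(known))
    removed = sorted(set(known) - set(current))
    opened = sorted(set(services) - baseline.services)
    closed = sorted(baseline.services - set(services))
    return Drift(changed, added, removed, opened, closed)


def assessment_due(baseline, drift, now, interval=timedelta(days=30)):
    """Second question: reassess on any change, or once the interval expires."""
    return bool(drift) or (now - baseline.taken_at) >= interval


# Constructed sample: a Web server before and after a vendor upgrade that
# replaced its inetd configuration with defaults (re-enabling telnet) and
# dropped a default copy of the httpd configuration next to the real one.
PRE_PATCH_FILES = {
    "/etc/inetd.conf": b"# telnet disabled by admin\nftp stream tcp nowait root /usr/sbin/ftpd\n",
    "/etc/httpd.conf": b"Listen 443\nSSLEngine on\n",
}
PRE_PATCH_SERVICES = {("tcp", 21), ("tcp", 443)}

POST_PATCH_FILES = {
    "/etc/inetd.conf": b"telnet stream tcp nowait root /usr/sbin/telnetd\nftp stream tcp nowait root /usr/sbin/ftpd\n",
    "/etc/httpd.conf": b"Listen 443\nSSLEngine on\n",
    "/etc/httpd.conf.default": b"Listen 80\n",
}
POST_PATCH_SERVICES = {("tcp", 21), ("tcp", 23), ("tcp", 443)}


def demo_after_patch():
    """Baseline taken 1 March; check the day after the upgrade."""
    taken = datetime(2001, 3, 1)
    baseline = take_baseline(PRE_PATCH_FILES, PRE_PATCH_SERVICES, taken)
    drift = compare(baseline, POST_PATCH_FILES, POST_PATCH_SERVICES)
    return drift, assessment_due(baseline, drift, taken + timedelta(days=1))


def demo_unchanged():
    """No drift: an assessment is due only once the 30-day interval expires."""
    taken = datetime(2001, 3, 1)
    baseline = take_baseline(PRE_PATCH_FILES, PRE_PATCH_SERVICES, taken)
    drift = compare(baseline, PRE_PATCH_FILES, PRE_PATCH_SERVICES)
    return (bool(drift),
            assessment_due(baseline, drift, taken + timedelta(days=1)),
            assessment_due(baseline, drift, taken + timedelta(days=31)))


if __name__ == "__main__":
    drift, due = demo_after_patch()
    print("changed files:", drift.changed_files)
    print("added files:", drift.added_files)
    print("newly listening:", drift.opened_services)
    print("assessment due:", due)
```

A real deployment would feed `compare` from the host's file system and its listening-socket table, and keep the baseline and key on the monitoring station rather than on the host being watched.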
Tools & Traps…
Sources to Learn The Basics
Security is a field that is both wide and deep. There are a lot of
bases to cover when you are first getting started and a lot of
places to look for good security information. Here is a list of some
basic sites, mailing lists, and magazines that you might want to
visit to widen your horizons or learn the ropes.
• www.securityfocus.com Site for general security news, also the host of Bugtraq, the world famous announcement mailing list for new vulnerabilities. SecurityFocus also has a very useful vulnerability database.
• www.securityportal.com Another great site for keeping up to date on security happenings. They also have excellent articles for beginners that cover the basics of security and hacking.
• www.atstake.com/security_news/ Security news from the hacker’s point of view.
• http://phrack.infonexus.com The immortal Phrack online Zine, which has years and years of hacker history, techniques, and insight. Read them all and learn to see inside the mind of your adversary.
• www.defcon.org The largest gathering of hackers in the world happens yearly in Las Vegas. Keep up to date on this site or better yet come out and meet face to face with real, live hackers.
• www.sans.org The SANS page details training that is available to security professionals and gives insight into the status of threats from around the online world.
• http://packetstorm.securify.com The most popular site for hacker tools, toys, and exploits. The tools can come in handy for administrators and security professionals, but use caution.
• www.astalavista.com Search engine entrance to the underground. This is a very loosely organized search engine for finding hacking tools, exploits, and pirated programs (warez) from around the Web. Again, use your discoveries with caution because some of these programs may be more Trojan horse than useful utility.
Applying Principles to Existing Sites
While it is optimal to begin the e-commerce process with security in
mind, it is possible to apply the three principles of confidentiality,
integrity, and availability to already operational sites as well. In fact, since
much of the site development work is done, these sites are often able to
apply greater time, effort, and money to securing their environment.
The process of applying the three principles to existing sites differs a
bit from new sites, but many of the concepts are the same. Obviously,
the principles themselves don’t change, nor does the cycle of continuous
security assessment. However, what does change is where and when
these tools begin to be applied. For example, beginning the assessment
process on your existing site could damage your production systems, so
most sites begin by testing their development environment or a mirror
of their production environment created just for the purpose of testing.
They then begin to apply the revisions and patches to these test systems,
giving them time to examine the impact before making these changes to
the production site. Always remember, though, that security fixes are a
race against the clock as attackers may be probing for those vulnerabilities
while you are testing the fixes. The major effort here is to limit the
size of this window of opportunity without causing damage to your site.
It All Starts with Risk
Whether you choose to start with your test environment or take the
risks of auditing your production site, the beginning point for applying
the principles is to identify risks. The same tools from Chapter 8 are
again used to perform an audit of your processes and applications to
determine what vulnerabilities and risks already exist. Each of these
risks must then be examined, and your site either fixed or revised to
provide mitigation.
Depending on the complexity, nature, and size of your site, you may
discover a few vulnerabilities, or thousands. Check out www.cve.mitre.org
for a dictionary of known vulnerabilities. Each of these vulnerabilities
may vary in its significance, from allowing an attacker to gain information
about your network to allowing someone complete access to
your most critical systems at the highest level. The tools used to perform
the audit should explain, in detail, the risks associated with each vulnerability.
Keep in mind that in some circumstances, minor and medium vulnerabilities
could be used to create major problems within your site, and
could even be used to create denial of service (DoS) conditions.
Tools & Traps…
Vulnerability Chaining
Vulnerability chaining is the name given to a situation in which
certain vulnerabilities become more significant when combined
with other vulnerabilities. An example of this is the classic echo/chargen
attack.
Echo is a service that runs on most UNIX systems by default.
Its behavior is just as expected: characters sent to the echo port are
simply echoed back. Chargen is also a basic UNIX service and it
simply generates characters continuously upon connection to its
port. While the existence of either of these services alone poses
little risk, together they can be used to cause a simple denial of
service attack.
To perform the assault, the attacker spoofs a conversation
between the two services and redirects the output of each service
to the other, creating a rapidly expanding spiral of traffic.
Essentially, the system begins to consume memory and processor
power, eventually causing the whole device to become nonresponsive
to user commands.
By chaining together two minimal vulnerabilities, the attacker
creates a serious issue for the target system. Many combinations
such as this exist. Your vulnerability scanner should consider these
situations when assigning levels of risk to a vulnerability.
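As an added illustration (not code from the book), the following Python check reads an inetd-style configuration and reports whether echo and chargen are both enabled on the same protocol, which is the precondition for the chain described above; the configuration text is constructed for the example.

```python
"""Check an inetd.conf for the echo/chargen vulnerability chain (added example)."""

# Constructed sample of a classic /etc/inetd.conf; lines starting with '#' are disabled.
SAMPLE_INETD_CONF = """\
# Internal services
echo     stream  tcp  nowait  root  internal
echo     dgram   udp  wait    root  internal
#discard stream  tcp  nowait  root  internal
chargen  stream  tcp  nowait  root  internal
chargen  dgram   udp  wait    root  internal
#daytime stream  tcp  nowait  root  internal
ftp      stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
"""

# Each of these is low risk alone; enabled together they form the chain.
CHAINABLE = {"echo", "chargen"}


def enabled_services(conf_text):
    """Map each enabled service name to the set of protocols it is bound on."""
    enabled = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or commented-out (disabled) entry
        fields = line.split()
        if len(fields) < 3:
            continue                      # malformed entry; ignore
        name, proto = fields[0], fields[2]
        enabled.setdefault(name, set()).add(proto)
    return enabled


def assess_chain(conf_text):
    """Rate each protocol: 'chained' when both echo and chargen are enabled on it,
    'single' when only one of them is, 'none' when neither is."""
    enabled = enabled_services(conf_text)
    verdict = {}
    for proto in ("tcp", "udp"):
        present = {s for s in CHAINABLE if proto in enabled.get(s, set())}
        if present == CHAINABLE:
            verdict[proto] = "chained"
        elif present:
            verdict[proto] = "single"
        else:
            verdict[proto] = "none"
    return verdict


if __name__ == "__main__":
    # Both tcp and udp report 'chained' for the constructed sample.
    print(assess_chain(SAMPLE_INETD_CONF))
```

Disabling either service on a protocol (commenting its line out) drops that protocol back to 'single', which is the point of the sidebar: the scanner should rate the pair, not each line in isolation.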
Fix the Highest Risks First
Once you have the report of your vulnerabilities and have examined the
impact of the findings on your environment, begin to put the actions
required for fixing them into order based on the levels of risk.
How do you know the level of risk for each vulnerability? Easy.
Relate the risks to the real assets that you need to protect. By taking
the time to identify company assets, the risk evaluation process gets
much easier. Spend time thinking about your company and the business
it does. What assets does the company hold that are valuable to it?
Where are those resources located and how are they protected? Use the
peer review process to create a detailed list of these assets and then relate
the risks to that list. If any risk has even a remote possibility of compromising
those assets, then that risk gains the highest priority. A risk that requires
multiple conditions to be met before it can impact an asset gains a medium
level, while the lowest risks are those that have little impact on any critical
asset. Again, use peer review to ensure that you have an accurate
view of the priorities for the risks you have developed.
Fix those vulnerabilities with the highest risk first. Often, it is a good
idea to mitigate these risks through additional means (such as by
blocking the appropriate ports at the firewall or at border routers) while
your staff works toward implementing the patches and modifications. In
general, ensure that each and every process or application running on
your production systems is up to the highest and most current patch
levels and versions. Pay special attention to the popular services such as
DNS, HTTP, SMTP, SNMP, FTP, POP, IMAP, and security-related applications
such as firewalls or intrusion detection programs.
By repairing the highest risks first, you help your site to protect its
mission-critical information and systems. When creating the priority of
vulnerabilities, always remember to take into consideration other mitigation
strategies and the criticality of the systems impacted and their data.
In other words, if the audit tool reports a high risk vulnerability on a
system that is not mission critical or that handles no mission-critical data
and/or is adequately protected by a firewall, it may fall in priority when
compared to a vulnerability that allows an attacker access to a database
that holds customer information for a short time during gathering and
initial processing, but is accessible from the public Internet. For this
reason, information from the audit tools must be parsed by comparing
the actual impact to your environment.
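To make this prioritization concrete, here is an added Python example (not from the book) that applies the asset-based rules above to a handful of constructed findings; the field names, the one-step reduction for a host that a firewall or border router shields from untrusted networks, and the use of scanner severity only as a tie-breaker are assumptions of this example.

```python
"""Order scanner findings by impact on real assets (added example)."""
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    vuln: str
    scanner_severity: str   # "high" / "medium" / "low" as reported by the audit tool
    critical_asset: bool    # host holds or processes mission-critical data
    preconditions: int      # extra conditions an attacker must meet to reach the asset
    exposed: bool           # reachable from untrusted networks (not blocked at the firewall)


RANK = {"high": 0, "medium": 1, "low": 2}


def priority(f):
    """Any path to a critical asset is 'high', a multi-condition path is 'medium',
    little impact on critical assets is 'low'. A host shielded by the firewall or
    border router drops one step (an assumption of this example)."""
    if not f.critical_asset:
        return "low"
    level = "high" if f.preconditions == 0 else "medium"
    if not f.exposed:
        level = "medium" if level == "high" else "low"
    return level


def work_order(findings):
    """Sort by asset-based priority; scanner severity only breaks ties."""
    return sorted(findings, key=lambda f: (RANK[priority(f)], RANK[f.scanner_severity]))


# Constructed findings mirroring the chapter's comparison: a scanner-rated "high"
# on a firewalled, non-critical box versus a "medium" on an Internet-facing database
# that briefly holds customer data.
FINDINGS = [
    Finding("build-box", "remote root in unused service", "high", False, 0, False),
    Finding("intake-db", "weak auth on customer intake database", "medium", True, 0, True),
    Finding("mail-relay", "info leak usable only after local login", "medium", True, 2, True),
    Finding("intranet-app", "directory listing", "low", True, 1, False),
]

if __name__ == "__main__":
    for f in work_order(FINDINGS):
        print(f"{priority(f):6} {f.host:12} {f.vuln}")
```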
After you have parsed and prioritized your work, begin the process
of applying the fixes and revisions to your environment. Remember to
allow sufficient time, traffic, and use to measure the impact of the
changes before replicating them into your production environment.
Then proceed through your list, applying the changes to the various
affected systems. When you have finished and documented your work,
then begin the process again to ensure that your modifications have not
created new issues.
Management and Maintenance during the Patching Process
The primary reason to test the modifications required to mitigate your
risks is because of the unpredictability of computer programs and systems.
Many times, the software or hardware fixes issued by a vendor or
programmer affect the operation of those systems at a very deep level. In
fact, the changes required may affect the very core processes or routines
of the system. Because of this, these changes may actually create addi-
tional security risks or cause the system to perform in a new way.
Many examples have come to light in which software patches created
by vendors to fix vulnerabilities have failed to solve the issue,