ERE Information Security Auditors

Archive for the ‘Information Security’ Category

Malware Vectors and Remediation for Web Sites

Monday, October 19th, 2009

In last week’s blog I discussed the mitigation steps recommended to end users for protecting themselves from malware in general, and from drive-by malware specifically.

This week I will identify some of the most common (popular) technical vectors by which malware infects web sites, and how web site owners can protect their sites.

Technical Malware Vectors

  • SQL Injection Attack – exploits application layer security vulnerabilities in order to inject active code or change code in applications, or to attack databases directly.
  • JavaScript Injection Attack – one form of an SQL injection attack.
  • IFrame Injection Attack – strings or active code injected into the web page, sometimes due to poor input data validation.
  • JavaScript injection – invokes IFrames or active code.
  • Stolen FTP Credentials Attack – uses stolen FTP credentials for the web site to gain unauthorized access.
  • Server Application Code Vulnerabilities – poorly written or not thoroughly tested code.
  • Redirect Injection Attack – takes advantage of a web page’s redirect function to send visitors to a web server of the attacker’s choice.
  • Malvertising – grabs user information even if the publisher is doing a good job.  Malvertising injects dangerous code, especially where there is the opportunity for user generated content.

Mitigation Steps for Web Site Owners

  • Incorporate security into application development / database access at the design stage.  Do not treat application security as a bolt-on or afterthought. Particular emphasis on data input fields.
  • Thoroughly test all data input fields and validation for input fields.  Audit all user input fields and user contribution fields by internal audit or by a group other than the developers.
  • Update and patch the Java Virtual Machine (JVM) and Java Development Kits (JDK).
  • Ensure the integrity of any third party tools for managing a web site, even seemingly innocuous apps like traffic counters.
  • Constantly look for unauthorized changes in web site code, such as strings that cause URL redirects.  Employ tools to identify unauthorized changes in code.
  • Update and patch web server software.
  • Harden the web server platform.  Eliminate all unnecessary accounts, privileges, restrict access, and vigilantly monitor the logs for attempted but failed access, attempted unauthorized access, and of course successful unauthorized accesses.
  • Consider deploying a second layer of anti-malware monitoring and diagnostic technology that is specifically designed for web site security, with the ability to block attack attempts, log the attempted and successful attacks, and generate reports and alerts.
  • Identify and remedy all network vulnerabilities in the infrastructure which houses the web site, its platform, and of course its Internet access.
  • Have an impartial set of eyes review all aspects of network security, including architecture (isolation of the web site on a DMZ, etc.), policies and the score of compliance with policies, the security architecture and how effectively it is used, event log monitoring, and, at the risk of repetition, timely and consistent upgrades and patching.
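The two monitoring bullets above (watch for unauthorized code changes, and look for injected IFrame and redirect strings) can be automated. The script below is an added example, not ERE’s or the author’s code: it records a baseline of page hashes, reports pages that changed, and scans the changed pages for the hidden-iframe, off-site script and redirect constructs the post describes. The host names, page contents and regex heuristics are constructed for illustration.

```python
import hashlib
import re

# Heuristic signatures for the vectors the post lists: IFrame injection (often
# sized 0x0 or hidden), and redirect injection (meta refresh or location
# assignment). Constructed patterns for illustration, not an exhaustive list.
_PATTERNS = {
    "hidden_iframe": re.compile(
        r"<iframe\b[^>]*(?:\b(?:width|height)\s*=\s*[\"']?0\b"
        r"|visibility\s*:\s*hidden|display\s*:\s*none)", re.I),
    "meta_refresh": re.compile(r"<meta\b[^>]*http-equiv\s*=\s*[\"']?refresh", re.I),
    "js_redirect": re.compile(
        r"(?:window\.|document\.)?location(?:\.href)?\s*=\s*[\"']https?://", re.I),
}
# Absolute or protocol-relative <script src=...>; group 1 is the host name.
_SCRIPT_SRC = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\"'>\s]+)", re.I)


def scan_html(html, own_hosts):
    """Return the names of suspicious constructs found in one page."""
    findings = [name for name, pat in _PATTERNS.items() if pat.search(html)]
    for host in _SCRIPT_SRC.findall(html):
        if host.lower() not in own_hosts:          # script loaded from a foreign host
            findings.append("external_script:" + host.lower())
    return findings


def baseline(pages):
    """pages: {path: html}. Record {path: sha256} at a known-good point in time."""
    return {p: hashlib.sha256(h.encode()).hexdigest() for p, h in pages.items()}


def changed_since(base, pages):
    """Paths whose content differs from the baseline, plus paths added after it."""
    return sorted(p for p, h in pages.items()
                  if base.get(p) != hashlib.sha256(h.encode()).hexdigest())


# Constructed sample: a known-good site, then the same site after an injection.
GOOD = {"index.html": "<html><body><h1>Welcome</h1>"
                      "<script src='/js/app.js'></script></body></html>"}
AFTER = {"index.html": GOOD["index.html"].replace(
             "</body>", "<iframe src='http://bad.example' width=0 height=0></iframe></body>"),
         "news.html": "<html><head><meta http-equiv='refresh' "
                      "content='0;url=http://bad.example'></head></html>"}
BASE = baseline(GOOD)   # hypothetical baseline taken before the injection

if __name__ == "__main__":
    for path in changed_since(BASE, AFTER):
        print(path, scan_html(AFTER[path], {"www.example.org"}))
```

In practice the baseline would be stored off the web server (a compromised host can rewrite its own baseline) and the scan run from a scheduled job against the live document root.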

Have a secure week.

Regards

Ron Lepofsky, B.A.Sc. (Mech Eng), CISSP

ERE Information Security Auditor

www.ere-security.ca

Preventative Measures for Drive-By Malware

Monday, October 12th, 2009

My last blog discussed the financial motivation for creating malware.  This article identifies preventative measures that both end users and web site managers can implement to protect all concerned from the dangers of drive-by malware.

As a brief reminder, drive-by malware is:

A download which the user indirectly authorized by clicking on a link or by being redirected to a misleading link, but without understanding the consequences.  For instance, the user could be installing an unknown ActiveX component or Java applet.  Or any of this happens without the user even knowing about it.

The damage occurs when the download contains spyware, a computer virus or any other kind of malware. Malware can also be downloaded through exploitation of a web browser, e-mail client or operating system bug, without any user intervention whatsoever. Websites that exploit the Windows Metafile vulnerability provide examples of “drive-by downloads” of this sort.

Common occurrences of drive-by downloads happen when a user:

  • Visits a website.
  • Views an e-mail message.
  • Clicks on a deceptive popup window believing that, for instance, it is a bona fide message, while in fact they have just initiated a malicious software download.

Mitigation Steps Recommended for the End User

In order of simple to more complex:

  • Do not store unencrypted personal information on a workstation.
  • Use strong passwords for encryption, for access to the workstation, and for any services or devices to which access would be granted by using the workstation.
  • Do not use the same password for multiple devices / services.
  • Change passwords regularly.
  • Do not open email from unknown senders.
  • Never click on attachments or links embedded within emails, even when the emails are from friends.  A friend may provide an attachment or link that, unknown to them, is infected with malware.
  • Do not go to unknown web sites that could potentially be dangerous.  If in doubt about the legitimacy of a web site, check it against any of the published web site blacklists.
  • Do not assume that the web site of a small organization is less prone to malware.  The trend is for criminals to install malware even on small and medium size sites.
  • Verify the certificates of web sites on which the user will be divulging confidential information and / or performing a financial transaction.  Where possible, I recommend doing the transaction by telephone, unless the end user is highly confident in the identity and reputation of the web site.
  • Install an anti-malware package on each workstation.
  • Use a browser with anti-malware features.
  • Judiciously apply security patches to:
    • Anti-malware software.
    • Anti-malware features of the browser.
    • Operating system software.
    • All other application software.
  • At the very least, install a personal firewall in front of any Internet facing workstation.

My Next Blog Article

Next week I will identify some of the technical vectors used to install malware on web sites and the preventative and restorative steps web site owners can implement.

Have a secure week.

Regards,

Ron Lepofsky,

ERE Information Security Auditors.


Copyright © 2007-2008. All rights reserved.