WindowSecurity.com - September 2011 Newsletter

-------------------------------------------------------
WindowSecurity.com Newsletter of September 2011
Sponsored by: ManageEngine <http://www.manageengine.com/products/eventlog/?utm_source=wownsec&utm_medium=newsletter&utm_campaign=textlinkELA&utm_term=aug11>
-------------------------------------------------------

Welcome to the WindowsSecurity.com newsletter by George Chetcuti, BSc in Computing & IS (Honors), CISA, MCP, HP Certified. Each month we will bring you interesting and helpful information on the world of Security. We want to know what all *you* are interested in hearing about. Please send your suggestions for future newsletter content to: gchetcuti@windowsecurity.com

1. Web Application Security
-------------------------------------------------------

We hear of large investments in expensive firewalls, intrusion detection and prevention tools that certainly reduce web security risks, but do these devices actually address web application SQL injection or cross-site scripting flaws, weak authentication or unsanitized inputs? Definitely not. In this month&#146;s newsletter, we will be talking about web application flaws that require a different mitigation approach.

*What are the implications of a poorly secured web application?*

An organization can suffer a breach and be heavily fined if confidential data like customers&#146; credit card details are stolen. Fines are growing as there are stricter penalties now, and may result in thousands if not millions of dollars in liabilities. An organization can suffer IP (Intellectual Property) theft as organizational private data like product designs may end up in the hands of cyber criminals. Additionally, customers start to distrust the business website and the business is likely to suffer damage to its brand.

*What are the most common flaws of web applications?*

Among the top web application flaws we find input validation faults which can allow an attacker to bypass the application interface and send commands directly to the database or inject malicious scripts into a trusted site. Injection flaws may include malicious calls to the operating system apart from calls to the application! We find web applications that lack the proper authentication and session management where an attacker can eavesdrop on a user session and compromise the user session or even worse the user account. Poor access controls and direct object references in web applications may enable an attacker to access some modules without being authorized, which could lead to access to sensitive data such as users&#146; accounts in a database.

How many organizations claim that they have their hosts locked down using appropriate patch management tools, malware and anti-virus protection and the perimeter hardened with modern firewalls, DMZ configurations and IDS/IPS solutions? But still there are many security misconfigurations out there, such as weak passwords or default settings. The recent hack of digital certificates and the later confirmation that one breached setup had weak passwords and failed to update software on its public servers is really worrying.

A common mistake is to allow configuration mismatch between staging and production environments and giving developers full admin privileges on staging machines. Putting aside for a moment the successful attacks on digital certificates, strong encryption for both data storage and data in transit still remains the most important measure which guarantees the security of websites. Though attackers may not be able to break into the encrypted data, they may be able to find the secret keys or get clear text data while it is being manipulated. Make sure that you encrypt all sensitive data and protect passwords with strong hashes. Encrypting traffic such as using SSL/TLS should not stop after the authentication handshake but should continue during the rest of the user session. When the transport layer is not encrypted, all communication between the website and client is sent in clear text!

Restriction of sensitive URLs is another fault that we frequently tend to ignore as admin consoles give us a quick way to fix things and we may need access while we are away from the office. Sensitive URLs should not be made public unless they are absolutely needed. Remember, that security by obscurity is not sufficient! Web application sites should avoid the use of invalidated redirects and forwards as these could enable an attacker to redirect users to rogue sites and getting your site blacklisted.

*What are the best practices in securing web applications?*

The top requirement is training, train developers on web application security. Integrate application security into every phase of the software development lifecycle, especially in the design phase and this should be verified by a web security expert. Implement application firewalls that can protect data while being accessed and manipulated by the logic modules of the web application. Use reliable and modern source code analyzers and perform thorough code reviews. Additional information about vulnerability scanners can be found here:

* Nessus - http://www.tenable.com/products/nessus
* QualysGuard - http://www.qualys.com/
* NeXpose - http://www.rapid7.com/
* Acunetix - http://www.acunetix.com/

*What can you do to flag potential breaches?*

Implement application controls. Application controls ensure that data is processed as intended in an acceptable time period, is output and stored accurately and complete, and that input is accurate, complete, authorized and correct. Data can be tracked from input to storage to output. Application controls can be application specific that support a particular business process or generic such as, accounts and passwords, system parameters and settings.

Application controls provide consistency and reliability while they reduce the probability of errors. They automate the process for you and can't go wrong. They can also increase the efficiency of business processes and be used as a frontline defense against certain forms of attacks.

*What happens when web application security fails?*

Then what, start looking for a new job? Prepare yourself for the eventuality of a data loss. Not handling data loss appropriately is expensive. Prepare yourself for the legal requirements and prepare for post incident management. In August's newsletter <http://www.windowsecurity.com/pages/newsletters/august2011.asp> we discussed Computer Security Incident Response Teams and we have seen the importance of having one in your organization. These entities can help in post incident management and if your organization does not have one you can subcontract or try to get help from a national one.

To recap I would like to highlight two points. Investments in Firewalls, IPS/IDS and other security tools reduce web application risks but do not prevent them. Strong encryption prevents data loss.

Should you have any ideas for content in future editions of the WindowSecurity.com newsletter or would like to ask questions, you&#146;re more than welcome to e-mail me at gchetcuti@windowsecurity.com

See you next month! &#150; George

2. WindowSecurity.com Articles of Interest
----------------------------------------

* Security Considerations for the Private Cloud \IaaS (Part 1)
<http://www.windowsecurity.com/articles/Security-Considerations-Private-Cloud-IaaS-Part1.html>

* The future of computer and mobile security
<http://www.windowsecurity.com/articles/The-future-computer-mobile-security.html>

* Video: Leveraging the Windows Server Security Database
<http://www.windowsecurity.com/articles/Video-Leveraging-Windows-Server-Security-Database.html>

* Hunt Down and Kill Malware with Sysinternals Tools (Part 2) - Autoruns
<http://www.windowsecurity.com/articles/Hunt-Down-Kill-Malware-Sysinternals-Tools-Part2.html>

* Operating System Fingerprinting with Packets (Part 1)
<http://www.windowsecurity.com/articles/Operating-System-Fingerprinting-Packets-Part1.html>

* Windows Security Tools
<http://www.windowsecurity.com/articles/Windows-Security-Tools.html>

* Eight Things You Can Do Today to Improve Security on Your Microsoft Network
<http://www.windowsecurity.com/articles/Eight-Things-You-Can-Do-Today-Improve-Security-Your-Microsoft-Network.html>

3. Tip of the Month
-----------------------------------------------

In order to stay up-to-date with top web application vulnerabilities, I recommend the following sources:

* OWASP - https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
* SANS - http://www.sans.org/top25-software-errors/
* WHID - http://www.webappsec.org/projects/whid/
* SAFECODE - http://www.safecode.org/

4. Latest Security Exploits and Concerns
-------------------------------------------

* Will HTML5 be secure enough?
<http://blogs.windowsecurity.com/chetcuti/2011/09/06/will-html5-be-secure-enough/>

* Upstream Security
<http://blogs.windowsecurity.com/chetcuti/2011/09/02/upstream-security/>

* Sidejacking
<http://www.itinfomag.com/security-governance/sidejacking/>

* Best Practices: UAC in Windows 7
<http://blogs.windowsecurity.com/shinder/2011/08/27/best-practices-uac-in-windows-7/>

* Comodohacker threatens to issue fake Windows updates
<http://blogs.windowsecurity.com/shinder/2011/09/13/comodohacker-threatens-to-issue-fake-windows-updates/>

* Advanced Persistent Threat (APT)
<http://www.itinfomag.com/security-governance/advanced-persistent-threat-apt/>

* Protect your computer with BitLocker
<http://www.windows7library.com/blog/security/protect-your-computer-with-bitlocker/>

* Microsoft releases updates blocking DigiNotar certificates
<http://blogs.windowsecurity.com/shinder/2011/09/07/microsoft-releases-updates-blocking-diginotar-certificates/>

5. Ask George a question
--------------------------

QUESTION:

These articles are awesome and are an excellent resource for any serious Cyber Security professional. My question is can you provide me some instructions, guides, or tutorials on setting up a virtual lab at home so that I may develop an environment to practice ethical hacking, pen testing as I am moving to a new position and need to update my skills. Thanks and keep those articles coming, they are great.

J Cruz

ANSWER:

Hi J Cruz,

Most often, we opt to build our own test labs at home without considering other options. Yes, this solution may give you the flexibility and total control of your environment, and if you have some hardware to spare then go for it. Make sure that your machine has a 64 bit processor supporting HT and as much RAM as you can get and adequate storage space. Then install a virtualization platform of your choice, you can get free versions from all major brands plus others such as, VirtualBox which I find pretty cool. The caveat with this setup is that you still need valid licensed software to play with! Other things to consider are the power consumption, noise generated and location to place your hardware.

As mentioned earlier on, nowadays thanks to Cloud Computing you can use online virtual test labs even for free. For instance, with Amazon AWS you can run a couple of VMs for a few bucks, keeping in mind that you run the VMs for a limited time and that you do not consume much bandwidth. I suggest that you perform a quick search for online virtual labs. Microsoft offers Forefront Security Virtual labs for free. Check TechNet Virtual Lab here. http://technet.microsoft.com/en-us/virtuallabs/bb499665

If you&#146;re into application security you can try some stuff here. http://msdn.microsoft.com/en-us/aa740391

TechGenix Sites
----------------------------------------------------------------
ISAserver.org <http://www.isaserver.org/>
MSExchange.org <http://www.msexchange.org/>
VirtualizationAdmin.com <http://www.virtualizationadmin.com/>
WindowsNetworking.com <http://www.windowsnetworking.com/>

----------------------------------------------------------------
Visit the Subscription Management (http://www.techgenix.com/newsletter/) section to unsubscribe.
WindowSecurity.com is in no way affiliated with Microsoft Corp.
For sponsorship information, contact us at advertising@windowsecurity.com

Copyright c WindowSecurity.com 2011. All rights reserved.