Normally, a website is considered part of the untrusted outer perimeter of a company's network infrastructure. Hence, system administrators usually put the web server in the DMZ part of the network and assume that the information security risk the website poses to the internal network is mitigated. However, several industry security standards require protecting public infrastructure such as web servers and name servers in addition to the services directly within the standard's application scope. Some companies are hiring people with computer forensics degrees to find out where threats are coming from. Why is it so important to protect your website even if it is not closely connected to your critical data infrastructure?
Social Impact
Humans are the weakest link in the chain of a company's security. The experience gathered during more than 5 years of penetration testing shows that almost no large-scale company can resist a social-engineering attack vector. In companies with more than 30 employees, a penetration tester or a real intruder can pretext, deceive, and easily persuade at least 10% of the available employees to open an attachment or follow a link to a malicious website containing an exploit pack and a viral payload. Basic countermeasures include restricting network access to all websites except whitelisted sites (which would include your own website), or simply educating the employees. So, what happens when an intruder gains access to the website? The following list highlights what can be done with a web server located in the DMZ:
• Inject an exploit pack and payload into the main page or create malicious pages
• Send spam and scam letters to the company employees inviting them to visit a malicious page at the website
• Install a rootkit and sniffer to maintain access and get all password inputs by system administrators or website maintainers
• Modify links from legitimate sites to malicious ones, for instance, redirecting the Internet banking link to http://ibank.y0urbank.ru instead of http://ibank.yourbank.com
• Pivot client-side payloads through the web server in the case of networks with restricted Internet access
This list includes only those risks related to successful network penetration. In addition, there are business image risks such as defacement, modification of sensitive public information (e.g. exchange rates on a bank's website, payment credentials on a charity's website, phone numbers, etc.), or denial of service by deleting everything and bringing the web server down.
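One defensive check for the link-substitution risk listed above, as an added example that is not from the Hakin9 article: scan a page's outbound links for hosts that are not on a trusted list but whose second-level label is within a couple of edits of a trusted domain, the way y0urbank.ru stands in for yourbank.com. The sample page, the trusted domain yourbank.com and the edit-distance threshold are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []  # every href of an <a> tag, in document order

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def _edit_distance(a, b):
    """Levenshtein distance; catches single-character swaps like o -> 0."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _second_level(host):
    """'ibank.y0urbank.ru' -> 'y0urbank': the label just left of the TLD."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def find_lookalike_links(html, trusted_domains, max_distance=2):
    """(href, trusted) pairs for untrusted hosts edit-close to a trusted label."""
    parser = _LinkCollector()
    parser.feed(html)
    trusted = {d.lower() for d in trusted_domains}
    hits = []
    for href in parser.hrefs:
        host = (urlparse(href).hostname or "").lower()
        if not host:
            continue  # relative link: stays on this site
        if any(host == t or host.endswith("." + t) for t in trusted):
            continue  # genuine link to a trusted domain
        for t in trusted:
            if _edit_distance(_second_level(host), _second_level(t)) <= max_distance:
                hits.append((href, t))
                break
    return hits

# Constructed sample page: one genuine banking link and one injected look-alike.
SAMPLE_HTML = """<a href="http://ibank.yourbank.com/login">Internet banking</a>
<a href="http://ibank.y0urbank.ru/login">Internet banking</a>
<a href="https://www.example.org/">Partner site</a>
<a href="/contacts.html">Contacts</a>"""
```

Running `find_lookalike_links(SAMPLE_HTML, ["yourbank.com"])` over the sample flags only the y0urbank.ru link; a cron job feeding the live web root through it gives an early warning of the link modification described above.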
Ways to Protect
There are several methodologies to assess website security and mitigate risks connected with the website. One of the most popular is the OWASP Testing Guide, which includes more than 300 checks and addresses almost all known web vulnerabilities. The PCI Data Security Standard refers to the top 10 most widespread vulnerabilities in software, called the OWASP Top Ten, and is a basic requirement for any website dealing with credit card payments. For developers, there is also the OWASP Development Guide, the goal of which is to prevent mistakes affecting security.
For companies wishing to protect their websites and networks, Informzaschita offers the following services:
• Complete website assessment according to OWASP Testing Guide (300+ checks)
• Express assessment according to OWASP Top Ten and deployment of Web Application Firewalls for small businesses or companies falling under PCI DSS requirements
• Complete PCI PA-DSS assessment for companies developing payment applications
• Automated security web and network scanning
Source of information: Hakin9, December 2010