website hardening

Website Hardening

HUIT IT Security | Sep 30 2011

Agenda:

• Introduction• Anatomy of an Attack• Recommendations• Q & A• Demos

3

Sep 30 2011

HUIT Security | Website Hardening

Introduction

4

Sep 30 2011

HUIT Security | Website Hardening

Introduction

Content is the cornerstone of information management. The web delivers content, and the model for serving content has progressed from onsite hosting, to managed hosting and is continuing to cloud computing.

With this evolution comes new challenges to protecting both institutional reputation and data. Attackers have shifted their focus from infrastructure resources, to exploiting application code itself. A holistic strategy is critical.

5

Sep 30 2011

HUIT Security | Website Hardening

Introduction

A new breed of attacker is focusing on these “soft” targets. These attackers seek to gain a widespread audience for their agenda and use anyone leaving themselves open to compromised as a platform to spread their message.

“Cyber-Hacktivists” with personal, political or other motivation have proven adept enough at their craft to gather their share of recent headlines.

6

Sep 30 2011

HUIT Security | Website Hardening

Introduction

In the light of several recent web application compromises across campus, we would like to share some specific recommendations and best practices resulting from our investigation into those compromises; and these suggestions complement existing hardening guidance. 

7

Sep 30 2011

HUIT Security | Website Hardening

Anatomy of an Attack

Before we dive in to the details. Chris Fahey will take us through an attack.

8

Sep 30 2011

HUIT Security | Website Hardening

Recommendations

IntroductionAs web application attacks continue to increase in frequency, we must work to integrate a thorough approach to security throughout the delivery stack.

It has been our experience that the guidance for hardening networks and hosts also offers a framework for approaching web application security.

Everyone can benefit from immediate proactive measures in advance of any eventual compromise.

9

Sep 30 2011

HUIT Security | Website Hardening

Recommendations

In general:

• Build and integrate security into the application• Assess and remediate vulnerabilities and risks• Implement strong access control measures• Leverage controls in the web server and application

framework• Log use and Monitor• Document and maintain policies and procedures• Raise awareness and educate

10

Sep 30 2011

HUIT Security | Website Hardening

Recommendations

The below suggestions complement existing controls:• Risk Management and Compliance• Host hardening• Network hardening• User education and awareness

- You’ve been hacked – now what?

Image goes here

11

Recommendations

Recommendation Benefit Effort to Implement Availability

Remind staff of password policies

Prevent cracking passwords. Limit the scope of a compromise to a single site.

Low Immediate:

• Eureka!

• Security

Confirm computers have basic security protections in place.

Protect computers against malicious software.

Low Immediate:

Inspect computers to verify patching is enabled and antivirus is installed

Scan web applications for security vulnerabilities.

Reduce the risk of a security vulnerability being exploited resulting in a compromise.

Moderate Immediate:

via the IT Security Code Analysis service

12

Recommendations

Recommendation Benefit Effort to Implement Availability

Configure SSL on the web site.

Encrypt sessions via SSL to reduce the risk of purloining login credentials.

Low Immediate

Limit access to the web administration interface to only secure, trusted IP addresses.

Allow only the VPN server access to the web server. 

Moderate Immediate

HUIT can provision a VPN, VPN client to be installed oncomputers and staff trained

Replace administrator passwords with digital password vault.

Manage credentials with elevated privileges to prevent passwords from being cracked.

Moderate February 2012

13

Recommendations

Recommendation Benefit Effort to Implement Availability

Perform an IT Risk Assessment of web application

Ensure security controls exist to comply with the University’s Enterprise Information Security Policy.

Low Immediate

via the IT Security Consulting service

Monitor network traffic to the web site.

Proactively detect, suspicious activity and notify the support team for a timely response. 

Moderate Near term

Collaborate with HUIT Cyber Security

Content auditing Log changes to content and notify support team for a timely response.

Difficult Long term

14

Recommendations

Recommendation Benefit Effort to Implement Availability

Monitor web site for malicious code and notify if detected.

24 x 7 x 365 monitoring by an external vendor to proactively detect malicious application code running on web site and notify support team for a timely response.

Moderate Near term

Evaluate several vendors, subscribe to best service

HUIT Security | Website Hardening

15

Sep 30 2011

HUIT Security | Website Hardening

Q & A

The objective of Risk Management:

• Mitigate• Remediate• Transfer, or• Accept

Image goes here

16

Sep 30 2011

HUIT Security | Website Hardening

IT Security Contact Info

• itsecurity@harvard.edu

• Helpdesk at x 57777

These slides will be on http://security.harvard.edu

17

Sep 30 2011

HUIT Security | Website Hardening

Demos

• Password Vaults• Tenable• Hailstorm

Esmond Kane | Website Hardening

September 30, 2011

Thank you.