Internet and Web Application Attacks - an Overview of Protection Measures
Because we rely on online services for our day-to-day activities, more emphasis is placed on the various layers of network, server, and application security that protect against attacks which may impact an application's availability to users. From a high-level perspective, we will list and review security strategies that increase the likelihood of withstanding an application attack launched against a company. Technologies are constantly evolving, and new and improved techniques are always available to add to your strategy; however, attackers tend to be a step ahead. This article covers general rules of thumb and assumes that patching and routine maintenance are practiced, and that stale, aged, unsupported operating systems, applications, and services are not allowed to participate in production-grade networks and datacenters.
Physical Security
- Keep equipment locked in their cabinets, allowing authorized personnel only!
- Isolate electrical cables and circuits in wiring-management troughs, so that lines cannot easily be traced to and from devices.
- Keep Power Distribution Units (PDUs) and all electrical connections and circuit breakers locked, to eliminate the accidental or malicious disconnection of network equipment from its electrical socket; if the PDUs are managed, strong security practices should be applied to their management interfaces as well.
- Secure both electrical and network circuits connected to equipment to eliminate an "easy tug" of cables to unplug or disconnect cables from network equipment.
- Leverage surveillance cameras, alarms, and alerts when activity is detected in the data room.
- Leverage an "out of band" management server to allow yourself access to a console management port.
Internet Service Provider (ISP)
- Protect the network border from traffic that should not exist on the Internet. Network engineers usually call this a "bogon" (bogus) Access Control List (ACL). Its purpose is to filter fake or private IP addresses and allow only publicly routable traffic to and from the Internet.
- Filter routes so that only routes that actually exist are announced to the service providers. Non-existent paths may then never leak or accidentally become reachable through your organization's circuits and routers.
- Apply Reverse Path Forwarding inspection, where traffic is checked for the existence of a reverse path to its source before it is allowed entry, so that you may prevent spoofing.
- Protect routing protocol peering with encrypted/hashed passphrases so that routing may not be hijacked, altered, or misrouted by rogue devices and actors.
- Filter abnormal packets in either direction. Inspect traffic to ensure IP packets are within the range of specifications for their existence. Some IP packets may be smaller than their respective range, known as "fragments," and these should be denied entry.
- Protect the control and data planes of routers and switches: disable IP redirects, restrict Internet Control Message Protocol (ICMP) or "ping" reachability messages used for ICMP probing, and limit or restrict IP options (record-route, timestamp, source route, etc.). Disable proxy address resolution (proxy ARP) and IP redirects (where a better route may exist for a target host), and limit Time to Live (TTL) values for your internal network. Unless necessary, IP-directed broadcasts should also be disabled to deter broadcast-based traffic amplification on a target network.
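The bogon ACL, reverse-path check, and fragment filtering above can be combined into one inbound decision at the border. The following is an added illustration, not code from the article: a toy border filter with a constructed routing table (interface names "wan" and "lan" and the sample prefixes are assumptions), showing how a packet that spoofs the organization's own public range fails the reverse-path check.

```python
import ipaddress
from dataclasses import dataclass

# Abbreviated bogon list for this example (private, reserved, loopback,
# link-local, multicast, class E). A real list is longer; the documentation
# ranges 192.0.2/24, 198.51.100/24 and 203.0.113/24 are left out here so they
# can stand in for "public" addresses in the constructed sample traffic.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str
    fragment: bool = False   # True when the MF flag is set or offset > 0

class BorderRouter:
    """Toy border filter: bogon ACL, strict reverse-path check, fragment drop."""

    def __init__(self, routes):
        # routes: {"prefix": "interface"}; longest prefix match picks the egress
        self.routes = [(ipaddress.ip_network(p), i) for p, i in routes.items()]
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def egress_iface(self, ip):
        addr = ipaddress.ip_address(ip)
        for net, iface in self.routes:
            if addr in net:
                return iface
        return None

    def check(self, pkt):
        """Return 'accept' or a drop reason for one inbound packet."""
        src = ipaddress.ip_address(pkt.src)
        if any(src in net for net in BOGONS):
            return "drop:bogon-source"
        if pkt.fragment:
            return "drop:fragment"
        # Strict reverse path forwarding: the route back to the source must
        # leave via the interface the packet arrived on; otherwise it is spoofed.
        if self.egress_iface(pkt.src) != pkt.in_iface:
            return "drop:rpf-fail"
        return "accept"
```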
Firewall Security
- Associate each firewall interface with "zones," then apply specific network interfaces and networks behind the zone so that you may prevent spoofing or access through a firewall from a new or spontaneous unauthorized network. It's also a good idea to avoid "free-flow" traffic from different interfaces that are assigned to the same firewall zone so that you may control such traffic with explicit rules.
- Leverage specific Network Address Translations (NAT), both inbound and outbound, as necessary. Don't automatically create "two-way" NATs unless driven by a business case.
- Use explicit ports in all inbound or outbound traffic rules for TCP and/or UDP segments. Avoid unnecessary ports and IP ranges and eliminate guesswork. Examine the firewall logs during validation, determine what is necessary, and apply rules as needed.
- Leverage AppID in your rules for an additional layer of security. Specifically, add the type of application IDs to specify a specific sub-type of applications, allowing that extra layer of precision for traffic types under your ports.
- Prevent Internet access from servers or peripherals, network devices, or appliances that do not need Internet access. If necessary, allow such devices access to the Internet with specific rules that leverage URL whitelists, destination IP addresses, specific ports, and application ID. Always apply a Data Leakage Prevention (DLP) policy so that you may prevent unauthorized data from leaving the organization.
- Always apply threat profiles that include anti-virus, malware, Uniform Resource Locator (URL) filtering, and intrusion detection to all the rules you create. Some organizations may relax threat rules for internal types of traffic, applying the most rigor to Internet-based and Demilitarized Zone (DMZ) traffic.
- Subscribe to threat definitions, such as anti-virus, malware, intrusion detection, URL filtering, and other offered services, so that you may obtain the latest updated threat signatures to apply to rules. In today's fast-paced networks, with new methods for breaching, signatures for "zero-day" exploits reported to your vendor's security repository become available to subscribers to install within minutes, giving you an instant protection profile against such vulnerabilities.
- Encrypted traffic cannot be inspected as it is: we don't know what's in the payload, so decrypting traffic allows us to review threat contents and evaluate other compliance parameters. Decrypt all traffic for inspection and create exceptions where you must. An exception typically applies to an application that is sensitive to decryption and re-encryption, in which case you should work with the application vendor to find a way to accommodate decryption/re-encryption. Other exceptions may apply to compliance and privacy, as defined by your organization. Once inspected and allowed, traffic is re-encrypted and forwarded to the intended target host; otherwise, it is blackholed.
- Apply DDoS protection to both inbound and outbound rules. Should your organization become a target for an attack, inbound flood traffic may be rate-limited, or the best-case scenario dropped from legitimate traffic. Suppose users launch an attack from a compromised computer on the internal network. In that case, you may also stop such traffic flood to other networks, even preventing establishing an attack outbound to new targets, potentially compromising the organization's public IP space as a source of the attack to other entities.
- Apply URL filtering to all types of traffic. Internal, DMZ, Internet: all zones should be subject to URL filtering, whether by category or by explicit allow lists. Along with URL filtering, develop a good policy that identifies what needs to be blocked and allowed. This type of policy may vary from department to department, so work with business leaders to see what best fits their requirements.
Load Balancer
- Use Transmission Control Protocol (TCP) host headers for your web application. This assures you have explicit hostnames for your apps, increases the ability to host more apps per service, and reduces the possibility of rogue/false domain names resolving to your websites.
- Implement HTTP to HTTPS redirects. Web apps over port 80 are frowned upon in today's computing world. It's always a good idea to redirect web app sessions to an encrypted web session.
- Eliminate the need for weak ciphers and old, deprecated Secure Sockets Layer (SSL) versions. Apply Transport Layer Security (TLS) to your SSL sessions; the world is moving toward TLS versions 1.2 and 1.3.
- Enable rate limiting and traffic throttling on high volumes of new requests, which may indicate an attack. Alerts and notifications may engage the appropriate team members to take additional steps to mitigate such activities further.
- Enable "bot" protection so that you may mitigate a wide array of threats such as scripts, toolkits, scans, scraping, password attacks, and misuse of your API gateways.
- Use content switching technologies to apply some logic to identify all app traffic patterns, sending them to the web farm. In contrast, unidentified source traffic requests may be redirected/forwarded to a different web farm, acting as a sinkhole or a deterrent for a potential attacker.
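As an added example of the rate limiting and alerting item above (not code from the article), the sliding-window limiter below counts new requests per source, throttles a source once it exceeds a threshold, and raises one alert for the on-call team at the first breach. The limit of 20 requests per 10 seconds, the alert callback, and the constructed traffic sample are all assumptions for this illustration.

```python
from collections import defaultdict, deque

class RequestLimiter:
    """Per-source sliding-window limiter for new requests, with an alert hook.

    Assumed policy: more than `limit` requests from one source within
    `window` seconds are throttled, and the first breach raises one alert.
    """

    def __init__(self, limit=20, window=10.0, alert=None):
        self.limit, self.window = limit, window
        self.alert = alert or (lambda src, n: None)
        self.hits = defaultdict(deque)   # src -> timestamps of recent requests
        self.alerted = set()

    def allow(self, src, now):
        q = self.hits[src]
        while q and now - q[0] > self.window:   # forget requests outside window
            q.popleft()
        if len(q) >= self.limit:
            if src not in self.alerted:          # alert once per offending source
                self.alerted.add(src)
                self.alert(src, len(q))
            return False            # throttled: not forwarded to the web farm
        q.append(now)
        return True

def replay(log, limiter):
    """Run constructed (src, timestamp) pairs through the limiter in time order.

    Returns per-source counts of allowed and throttled requests.
    """
    allowed, throttled = defaultdict(int), defaultdict(int)
    for src, ts in sorted(log, key=lambda r: r[1]):
        if limiter.allow(src, ts):
            allowed[src] += 1
        else:
            throttled[src] += 1
    return dict(allowed), dict(throttled)

# Constructed traffic: a normal client at 1 request/s for 30 s and a flooding
# source that sends 50 requests within a single second.
SAMPLE_LOG = [("198.51.100.7", t) for t in range(30)] + \
             [("203.0.113.99", 5 + i / 50) for i in range(50)]
```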
Application Layer Firewall or Web App Firewall (WAF)
- Start URLs, cookie consistency, and cookie hijacking,
- Buffer overflows,
- File upload types,
- Form field consistency, field formats, and tagging,
- HTML cross-site scripting, forgery, SQL injection, command injection,
- An array of XML, JSON, URL Encoding, Multipart form content types of inspections to drop attacks and vulnerability exploitations.
Domain Name Service (DNS) security
- For Internet DNS, subscribe to a "scrubbed" or "cleaned" DNS service such as that offered by OpenDNS, where malicious hostnames are denied resolution, stopping attacks immediately and with a high level of confidence as unaware clients attempt to access malicious links.
- Host your applications' records in a DNS service that supports DNS Security Extensions (DNSSEC). This ensures that name lookups are answered by authoritative, authenticated domain servers.
- Because attacks are predominantly initiated through email phishing, leverage Sender Policy Framework (SPF) records to restrict which email servers may send on behalf of your domain, preventing email server hijacking, relaying, blacklisting, etc.
- Use DomainKeys Identified Mail (DKIM) to authenticate mail services, further assuring a certified, verified service between vendors and organizations.
- Where possible, structure your name records correctly, with address records mapping names to IP addresses and correct Canonical Name (CNAME) records pointing to hosts, for redundancy and proper IP address resolution.
- Control forwarders, cache-only, advertisers, resolvers, and protect against cache pollution and zone transfers.
- Additional due diligence and proper DNS architecture may add an extra layer of protection against DNS DDoS.
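To show how an SPF record restricts which servers may send for a domain (the SPF item above), here is an added evaluator that is not part of the article. It resolves records from a constructed in-memory table instead of live DNS; the domains example.com and mail-vendor.example, their records, and the sender addresses are all assumptions.

```python
import ipaddress

# Constructed DNS TXT data standing in for real lookups (runs offline).
# example.com sends from its own host and delegates to a hypothetical vendor.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.25 include:mail-vendor.example -all",
    "mail-vendor.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:10::/48 ~all",
}

def check_spf(domain, sender_ip, txt=DNS_TXT, depth=0):
    """Evaluate the SPF record of `domain` for `sender_ip`.

    Returns pass, fail, softfail, neutral, none or permerror. Supports the
    ip4, ip6, include and all mechanisms with the +, -, ~ and ? qualifiers,
    which is enough to show how "-all" shuts out unauthorised relays.
    """
    if depth > 10:                      # RFC 7208 caps recursive lookups at 10
        return "permerror"
    record = txt.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qual = "+"                      # default qualifier is "+"
        if term[0] in results:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return results[qual]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return results[qual]
        elif mech == "include":
            # include matches only when the referenced record yields "pass"
            if check_spf(arg, sender_ip, txt, depth + 1) == "pass":
                return results[qual]
    return "neutral"   # no mechanism matched and no "all" term present
```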
Web or URL filtering
- Compromised – sites that may have been compromised.
- Criminal Skills/Hacking – sites describing criminal "how-to" behavior. Download and peer-to-peer (file sharing) networking sites may distribute altered, illegal, and malicious files and programs that may damage your company's systems and reputation.
- Gambling – as much as these sites may hinder productivity, gambling sites are usually hosted outside the US. Due to loose regulations, such sites may spread malicious content that deploys spyware and malware.
- Adult/Pornography/Sex – aside from harassment, such sites may also distribute spyware and malware.
- Spam – sites associated with collecting user data and targeting users with pop-ups and irrelevant content.
- Spyware and malicious software – deployment of such software may harm your computer's operation and compromise your data.
- Web-based email – such sites may leak organizationally protected files and introduce malware and spyware.
Service Provider DDoS
Endpoint Computer Protection
- Anti-virus/malware protection on each computer node.
- Process “whitelisting,” allowing approved software execution in the computer environment. Should unauthorized software spawn and attempt to run in memory space, it would automatically be disabled and quarantined.
- Data leak prevention, a service that guards against information loss and against the use of such information for ransom, threats, and other criminal behavior against an organization.
- Servers should be "hardened" and "tuned" to serve their intended purpose only. Work with application developers to identify the application (HTTP) verbs in use, and further configure your web servers to explicitly allow only what's necessary.
Security Operational Activities
- Routinely scan your network and applications for vulnerabilities. Such scans can be performed by professional services as an anonymous user or even as an authenticated user, gaining deeper security insight into the application and its operating system.
- Periodically emulate an attack by utilizing a professional security service's vulnerability scanner, and work through your action plan. Escalate, notify, engage the proper team members, run through your drill, and validate that the correct individuals will be available to "react" and "work" the defense plan, so that you are better prepared should an actual attack occur.
- Hire a professional "Red Team" ethical hacking company, tasked to launch an external attack or even breach your organization. The attack can also be internal, so be sure to focus a "Red Team" professional on your internal infrastructure as well. Should they successfully breach your systems and gain access to data, these vulnerabilities will be discussed confidentially and remediated with the urgency they deserve.
- Review security metrics at least once a month: report on attack attempts, abnormal traffic patterns, availability, application performance, and incidents, and review the root cause of such problems. Engage the organization's departments to discuss abnormalities and irregularities in their IT responsibility domains.
- Conduct periodic security training using videos, speeches, interactive training and make it mandatory. Security is everyone’s job, and the weakest link may open a path to your organization’s applications and data; therefore, focus on training!
- Maintain a running list of security-related vulnerabilities, incidents, and exceptions you must oversee for your organization’s IT infrastructure. Routinely reviewing these ticket items will assure you have delegated responsibilities for remediation to completion and carefully track exceptions that remain an area of oversight and work to be done.