11 a6 security misconfiguration.pptx
Uploaded by rap-payne. Category: Technology.
Transcript of 11 a6 security misconfiguration.pptx
A6 Security Misconfiguration
Problem and Protection
Security Misconfiguration
o New to the OWASP Top 10. Was there in 2004. Dropped out in 2007
o This happens when the system admins, DBAs, and developers leave security holes in the configuration of computer systems
How attackers do it
o Glean info about the targeted system's stack
  • OS and version number
  • Web server type (Apache, IIS, etc.)
  • RDBMS (MySQL, SQL Server, Oracle, etc.)
  • Web development language
  • Tools/libraries used (Castle, NHibernate, etc.)
o Check their data sources for all known exploits against any part of that stack.
  • There are known vulnerabilities for each level of the stack.
o Begin hacking away
How we protect ourselves
o Don't give away info about your stack
o Change default user accounts
o Delete unused pages and user accounts
o Turn off unused services
o Whitelist pages
o Stay up-to-date on patches
o Consider internal attackers as well as external
o Use automated scanners
Be secretive
o Obfuscate or anonymize ...
  • Error messages
  • HTTP headers
  • URLs
o Don't let anyone know what makes up your stack
  • Anybody know for sure what the big boys use?
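The slide's advice on error messages and HTTP headers is usually applied at the server edge. The following is an added example, not code from the original slides: a small WSGI middleware that strips the response headers which advertise the server, framework or language, and that replaces any unhandled exception with a generic error page carrying only a reference id, while the full traceback goes to the server log. The header list, the reference-id scheme and the `leaky_app` sample application are assumptions made for this example.

```python
# Added example (not from the slides): a WSGI middleware that removes
# fingerprinting headers and replaces tracebacks with a generic error page.
# The header list, reference-id scheme and sample app are assumptions.
import logging
import sys
import traceback
import uuid

# Response headers that advertise the web server, framework or language.
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version",
                       "x-aspnetmvc-version", "x-runtime", "x-generator"}

log = logging.getLogger("stack_hiding")


def strip_fingerprint_headers(headers):
    """Return the WSGI header list without any fingerprinting headers."""
    return [(name, value) for name, value in headers
            if name.lower() not in FINGERPRINT_HEADERS]


def hide_stack(app):
    """Wrap a WSGI app so its responses reveal neither stack headers nor tracebacks."""
    def wrapped(environ, start_response):
        def guarded_start_response(status, headers, exc_info=None):
            return start_response(status, strip_fingerprint_headers(headers), exc_info)
        try:
            # Materialise the body here so errors raised while iterating are caught too.
            return list(app(environ, guarded_start_response))
        except Exception:
            # Full detail goes to the server log; the client only sees a reference id.
            ref = uuid.uuid4().hex[:8]
            log.error("unhandled error ref=%s\n%s", ref, traceback.format_exc())
            body = ("An internal error occurred. Reference id: %s\n" % ref).encode()
            start_response("500 Internal Server Error",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))],
                           sys.exc_info())
            return [body]
    return wrapped


def call(app, path):
    """Minimal in-process WSGI client for testing: returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def leaky_app(environ, start_response):
    """Constructed sample app that leaks its stack in headers and exceptions."""
    if environ["PATH_INFO"] == "/boom":
        raise RuntimeError("connection to db01 as sa failed")  # detail a debug page would show
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Server", "Apache/2.2.3 (CentOS)"),
                              ("X-Powered-By", "PHP/5.2.17")])
    return [b"<html>hello</html>"]


if __name__ == "__main__":
    for path in ("/", "/boom"):
        print(path, call(hide_stack(leaky_app), path))
```

Stripping the headers in middleware is a stop-gap for headers the application emits; the `Server` header itself is normally set by the web server in front of the application and has to be suppressed in that server's own configuration as well.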
Change default accounts
o When you install an OS or server tool, it has a default root account with a default password
o Examples:
  • Windows – "Administrator" & "Administrator"
  • SQL Server – "sa" & no password
  • Oracle – "MASTER" & "PASSWORD"
  • Apache – "root" & "changethis"
o Make sure you change these passwords!
o Completely delete the accounts when possible
Delete unused pages
o Remove all files and pages that are no longer needed
o Focus on:
  • Installation default and sample pages
  • Pages that we've migrated
  • Old and backed-up config files
Delete unused accounts
o As soon as an employee or contractor leaves, change his password
o Change his username
o Move files and delete the account
o Look for old client accounts and delete them
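The "Change default accounts" and "Delete unused accounts" slides above both come down to a periodic review of the account inventory. The following is an added example, not code from the original slides: an audit routine that runs over an exported list of accounts and flags the cases the slides name (a vendor default account still enabled, an enabled account with no password, an account whose owner has left, and an account nobody has logged into for a long time). The `Account` record layout, the 90-day staleness threshold, the inclusion of "root" and "guest" in the default-name list, and the sample inventory are all assumptions constructed for this example.

```python
# Added example (not from the slides): audit an account inventory for default,
# passwordless, orphaned and stale accounts. The record layout, thresholds
# and sample inventory are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Default account names named on the slides, plus "root" and "guest" (assumed).
DEFAULT_ACCOUNT_NAMES = {"administrator", "sa", "master", "root", "guest"}
STALE_AFTER = timedelta(days=90)  # assumed threshold for "nobody uses this"


@dataclass
class Account:
    name: str
    has_password: bool
    enabled: bool
    last_login: Optional[date]
    owner_active: bool  # False once the employee/contractor has left


def audit_accounts(accounts, today):
    """Return a list of (account name, finding) pairs, one per problem found.

    Disabled accounts are skipped: the slides' remedy is to disable or delete,
    so an already-disabled account is not a finding.
    """
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.name.lower() in DEFAULT_ACCOUNT_NAMES:
            findings.append((acct.name, "vendor default account still enabled; rename, disable or delete"))
        if not acct.has_password:
            findings.append((acct.name, "enabled account with no password"))
        if not acct.owner_active:
            findings.append((acct.name, "owner has left; change password, move files, delete account"))
        if acct.last_login is None or today - acct.last_login > STALE_AFTER:
            findings.append((acct.name, "no login in %d days; candidate for removal" % STALE_AFTER.days))
    return findings


# Constructed sample inventory (not real accounts).
TODAY = date(2013, 6, 1)
INVENTORY = [
    Account("sa", has_password=False, enabled=True, last_login=None, owner_active=True),
    Account("Administrator", has_password=True, enabled=True, last_login=date(2013, 5, 30), owner_active=True),
    Account("jsmith", has_password=True, enabled=True, last_login=date(2013, 1, 15), owner_active=False),
    Account("webdeploy", has_password=True, enabled=True, last_login=date(2013, 5, 28), owner_active=True),
    Account("guest", has_password=False, enabled=False, last_login=None, owner_active=True),
]

if __name__ == "__main__":
    for name, finding in audit_accounts(INVENTORY, TODAY):
        print("%-14s %s" % (name, finding))
```

On the sample inventory the routine reports three problems for `sa` (default name, no password, never used), one for `Administrator` (default name) and two for `jsmith` (owner gone, stale), and nothing for the disabled `guest` account or the actively used `webdeploy` account.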
Turn off unused services
o Look through all running services
o If they're not being used, turn them off
o Disable them upon system startup
o Pay particular attention to:
  • Services enabled upon install
    ― Remote debugging
    ― Content management
  • Services turned on ad-hoc
    ― One-time use
    ― "This is a temporary fix. We'll put a better solution in later."
o Inside IIS, too
  • Directory browsing
  • Ability to run scripts and executables
Whitelist pages
o Serve only pages that are allowed
o Intercept requests for pages and disallow any request for something other than ...
  • *.html
  • *.jsp
  • *.js
  • *.css
  • etc.
o Whitelists are better than blacklists
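The following is an added example, not code from the original slides, of the request interception the slide describes: a path filter that normalizes the requested path and serves it only if it ends in one of the whitelisted extensions. Because everything else is refused, backed-up config files, old copies, dumps and hidden directories need no blacklist at all. It goes one step beyond the slide by also accepting an optional manifest of exact page paths, which additionally blocks leftover installer or sample pages that happen to carry an allowed extension. The extension list follows the slide; the private-directory prefixes, the default document, the manifest and the sample requests are assumptions for this example.

```python
# Added example (not from the slides): serve only whitelisted pages.
# The extension list follows the slide; the private directories, default
# document, manifest and sample requests are assumptions.
import posixpath
from urllib.parse import unquote

ALLOWED_EXTENSIONS = {".html", ".jsp", ".js", ".css", ".png", ".jpg", ".gif"}
PRIVATE_PREFIXES = ("/WEB-INF/", "/META-INF/", "/config/")  # assumed: never hold public pages
DEFAULT_DOCUMENT = "/index.html"                              # assumed default document


def is_allowed_path(raw_path, manifest=None):
    """Decide whether a request path may be served.

    Returns (True, normalized_path) or (False, reason). Anything not explicitly
    allowed is refused, so backup files (.bak, .old), config files, dumps and
    hidden directories need no blacklist. If a manifest (set of exact paths) is
    given, only those pages are served, which also blocks leftover sample and
    installer pages that happen to carry an allowed extension.
    """
    path = unquote(raw_path.split("?", 1)[0])  # drop the query string, decode %XX
    if "\x00" in path:
        return False, "null byte in path"
    # Collapse . and .. segments; a single leading slash pins the result to the web root.
    norm = posixpath.normpath("/" + path.lstrip("/"))
    if norm == "/":
        norm = DEFAULT_DOCUMENT
    if norm.startswith(PRIVATE_PREFIXES):
        return False, "private directory"
    if any(seg.startswith(".") for seg in norm.split("/") if seg):
        return False, "hidden file or directory"
    ext = posixpath.splitext(norm)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension %r not whitelisted" % ext
    if manifest is not None and norm not in manifest:
        return False, "page not in manifest"
    return True, norm


# Constructed request paths of the kind an automated scanner probes for.
SAMPLE_REQUESTS = [
    "/", "/index.html", "/js/app.js?v=3", "/web.config", "/index.html.bak",
    "/%2e%2e/%2e%2e/etc/passwd", "/css/../WEB-INF/web.xml", "/.git/config",
    "/phpinfo.php", "/setup/install.jsp",
]

if __name__ == "__main__":
    manifest = {"/index.html", "/js/app.js"}
    for req in SAMPLE_REQUESTS:
        print("%-30s %s" % (req, is_allowed_path(req, manifest)))
```

Decoding and normalizing before the check matters: a whitelist applied to the raw string would pass `/%2e%2e/` or `/css/../WEB-INF/` untouched. The extension-only mode still serves `/setup/install.jsp`, which is exactly the gap the manifest closes; in practice the manifest is generated from the deployed site's own file list.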
Update patches
o Patch Tuesday is the most overlooked defense
o Day-one vulnerabilities
Follow the news
o Subscribe to vendors' alert lists
o RSS feed to Wired, Slashdot, etc.
o Use Ifttt.com to get alerts sent to your email or phone
o Twitter users to follow:
  • @ZeroDayDan – Insider's POV
  • @AaronPortnoy – Development techniques
  • @PaulDotCom – Podcasts & videos also
  • @SteveWerby – Hacker with a business mind
Consider internal attackers
o Not just disgruntled folks either
o Rootkits can be installed
o Private files can be exposed
o Web.config can't be served to browsers, but it can be read by employees
  • Encrypt parts of it
Use automated scanners
o Download and install one or more automated scanners
  • Microsoft Baseline Security Analyzer (MBSA)
  • WebScarab from OWASP
  • Burp
  • Paros
o After all, attackers will use tools like this against you
o Harden yourself against them
Summary
o Many hackers find ways to damage our systems that can be stopped by some simple maintenance of the stack
  • Applying patches
  • Removing or changing authentication on unneeded or default accounts
  • Whitelist the files served
  • Using automated scanners
Like a garden ... If you tend to it a tiny bit every day, it will be beautiful. But if you neglect it for a period of time, it gets very out-of-hand.
Further study
o TED Talk on Stuxnet: http://bit.ly/StuxnetTEDTalk
o Secure deployment section in the OWASP Development Guide: http://www.owasp.org/index.php/Configuration
o DB of known default accounts: http://www.cirt.net/passwords
o Vulnerability scanning software: http://sectools.org/web-scanners.html