Securing E-Commerce CSEM02 University of Sunderland Harry R. Erwin, PhD.

Securing E-Commerce

CSEM02

University of Sunderland

Harry R. Erwin, PhD

Resources

• Garfinkel and Spafford, 1996, Practical UNIX and Internet Security, O’Reilly, ISBN: 1-56592-148-8

• Anderson, 2001, Security Engineering, Wiley, ISBN: 0-471-38922-6.

• Norberg, 2001, Securing Windows NT/2000 Servers, O'Reilly, ISBN: 1-56592-768-0. Most of this lecture is based on Norberg.

• Zwicky, Cooper, and Chapman, 2000, Building Internet Firewalls, second edition, O'Reilly, ISBN: 1-56592-871-7.

The Most Common Threats Involving E-Commerce

• Intrusion—typically in the form of site defacement, with damage to the company’s reputation.

• Denial of service—preventing authorized users from using the system, resulting in loss of business.

• Information theft—unauthorized persons obtaining private information, resulting in legal liability.

A Typical Attack

How <http://www.apache.org> was hacked: (from Norberg, based on a BugTraq report on May 4, 2000)

1. The attackers uploaded a PHP script to a world-writable ftp directory (dubious).

2. The web server root directory was the same as the ftp server root directory (bad).

3. The PHP script executed UNIX commands (bad) that created a shell server bound to a high port that was open (bad—no firewall).

4. Finally, they used a database process that was running as root (more bad) to create a setuid root shell.
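The first two steps of the chain above are configuration mistakes that can be checked for mechanically. The following is an added example (not code from the lecture or from Norberg) that looks for world-writable directories under an ftp root and tests whether the ftp root and the web document root overlap; the directory layout it builds in a temporary tree, and the path names in it, are constructed for the illustration.

```python
"""Filesystem checks for the two mistakes that opened the apache.org attack:
a world-writable directory under the ftp root (step 1) and an ftp root that
is also the web server's document root (step 2).

Added example; the demo tree and its paths are constructed, not real.
"""
import os
import stat
import tempfile


def world_writable_dirs(root):
    """Return directories under root (relative to root) that any user may write to.

    A sticky bit does not help here: it stops users deleting each other's
    files, but still lets anyone create a new one, which is all an
    attacker needs to drop a script.
    """
    found = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        mode = os.lstat(dirpath).st_mode
        if mode & stat.S_IWOTH:
            found.append(os.path.relpath(dirpath, root))
    return sorted(found)


def roots_overlap(ftp_root, web_root):
    """True if the two roots are the same directory or one lies inside the other.

    realpath() resolves symlinks first, so an ftp root that is merely a
    link into the web tree is caught as well.
    """
    a = os.path.realpath(ftp_root)
    b = os.path.realpath(web_root)
    return os.path.commonpath([a, b]) in (a, b)


def audit_ftp_web(ftp_root, web_root):
    """Run both checks and return a list of human-readable findings."""
    findings = []
    for d in world_writable_dirs(ftp_root):
        findings.append(f"world-writable directory under ftp root: {d}")
    if roots_overlap(ftp_root, web_root):
        findings.append(
            "ftp root and web root overlap: anything uploaded is served by the web server"
        )
    return findings


def build_demo_tree():
    """Construct a throwaway layout that reproduces both mistakes (hypothetical paths)."""
    base = tempfile.mkdtemp(prefix="bastion-audit-")
    ftp_root = os.path.join(base, "srv", "ftp")
    incoming = os.path.join(ftp_root, "incoming")
    os.makedirs(incoming)
    os.chmod(ftp_root, 0o755)
    os.chmod(incoming, 0o777)   # the "dubious" world-writable upload directory
    web_root = ftp_root         # the "bad" shared document root
    return ftp_root, web_root


if __name__ == "__main__":
    ftp, web = build_demo_tree()
    for finding in audit_ftp_web(ftp, web):
        print(finding)
```

On a real host the two roots come from the ftp and web server configuration; the checks themselves are the same.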

What is a Body to Do?

• You must have and maintain a high level of security for your site.

• This is feasible, but it requires awareness and knowledge.

Security Strategies (Zwicky)

• Least privilege—processes and users should have only the privileges they need for their job

• Defense in depth—multiple security layers

• Choke point—limit access to your system

• Weakest link—attacks will seek vulnerabilities

• Fail-safe stance—deny access if the system fails

• Universal participation—everybody buys in

• Diversity of defense—multiple mechanisms

• Simplicity—only the simple can be made secure

• Security through obscurity—is valid (but weak)

Building a Secure Site

• Plan for it. Cover all the bases and formally analyze your requirements.

• Define your policies. (UK and Microsoft definition, not US government definition.) See RFC 2196, Site Security Handbook.

• Provide physical security.

• Implement access control.

• Use a firewall.

Operating a Secure Site

• Audit access policy violations.

• Make frequent backups.

• Collect logs on a separate and secure system.

• Ask others to review your plans and work.

• Use encryption.

The Bastion Host

• The critical strongpoint in the network’s security.

• Hardened.

• Audited regularly.

• May use modified software.

• The software in use will be trusted—hence should be designed, tested, and configured for safe operation.

• Be prepared for their being compromised.

The Perimeter Network

• A DMZ (‘demilitarized zone’).

• A firewall system, serving as a single point of entry.

• An untrusted network on the outskirts of the private trusted network.

• Serves as an intermediate stage between the internet and the internal network.

• Multiple compartments.

• Default-deny access.

What is the Problem with this Network?

[Diagram: internet - firewall - Web Server - DBMS Server - firewall - internal network. The firewall links are labelled “http only” and “odbc only”.]
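The perimeter sketched above can be written down as a packet-filter rule set and exercised against sample traffic, which makes the default-deny and fail-safe properties concrete. This is an added example, not code from the lecture: the addresses, the DMZ and internal address ranges, and the use of TCP port 1433 as a stand-in for the “odbc only” database link are assumptions made for the illustration.

```python
"""Default-deny model of the perimeter: an outer firewall that passes only
HTTP to the web server, and an inner compartment in which only the web
server may talk to the database server. Everything not explicitly allowed
is denied, and any error while evaluating a packet is also a deny
(fail-safe stance).

Added example; addresses, ranges and the database port are assumed.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
DMZ = ipaddress.ip_network("192.0.2.0/24")       # assumed perimeter network
INTERNAL = ipaddress.ip_network("10.0.0.0/8")    # assumed internal network
WEB = ipaddress.ip_network("192.0.2.10/32")      # assumed DMZ web server
DBMS = ipaddress.ip_network("192.0.2.20/32")     # assumed DMZ database server

# Allow rules: (source network, destination network, protocol, destination port).
# There is deliberately no rule into INTERNAL and none from the internet to DBMS.
ALLOW = [
    (ANY, WEB, "tcp", 80),      # outer firewall: "http only"
    (WEB, DBMS, "tcp", 1433),   # inner compartment: "odbc only" (port assumed)
]


def zone(addr):
    """Label an address by compartment, most specific first."""
    ip = ipaddress.ip_address(addr)
    if ip in INTERNAL:
        return "internal"
    if ip in DMZ:
        return "dmz"
    return "internet"


def decide(src, dst, proto, dport, rules=ALLOW):
    """Return 'allow' or 'deny' for one packet.

    Default-deny: only an explicit rule produces 'allow'.
    Fail-safe: a malformed address or rule raises, and that is a 'deny' too.
    """
    try:
        s = ipaddress.ip_address(src)
        d = ipaddress.ip_address(dst)
        for src_net, dst_net, rule_proto, rule_port in rules:
            if s in src_net and d in dst_net and proto == rule_proto and dport == rule_port:
                return "allow"
        return "deny"
    except (ValueError, TypeError):
        return "deny"


# Constructed traffic samples, with the expected outcome in the comment.
SCENARIOS = [
    ("198.51.100.7", "192.0.2.10", "tcp", 80),      # customer browsing the site: allow
    ("198.51.100.7", "192.0.2.20", "tcp", 1433),    # internet straight to the database: deny
    ("192.0.2.10", "192.0.2.20", "tcp", 1433),      # web server querying the database: allow
    ("192.0.2.10", "10.1.2.3", "tcp", 445),         # compromised web server into internal net: deny
    ("198.51.100.7", "192.0.2.10", "tcp", 31337),   # shell bound to a high port, as at apache.org: deny
    ("not-an-address", "192.0.2.10", "tcp", 80),    # malformed packet: fail-safe deny
]


def run_scenarios(scenarios=SCENARIOS):
    return [decide(*s) for s in scenarios]


if __name__ == "__main__":
    for (src, dst, proto, dport), verdict in zip(SCENARIOS, run_scenarios()):
        src_zone = zone(src) if decide(src, dst, proto, dport) != "deny" or src[0].isdigit() else "?"
        print(f"{src_zone:>8} {src:>16} -> {dst}:{dport}/{proto}: {verdict}")
```

Note that the fifth scenario is exactly the apache.org situation: a default-deny filter in front of the DMZ would have made the attackers' high-port shell unreachable even after the script ran.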

Perimeter Components

• Routers (provide access control)

• Firewall gateways

– Application-level gateways (layer 7)

– Packet filters (layer 4)

• Bastion hosts

– email servers

– www servers

– ftp servers

– victim machines (or sacrificial goats)

– etc.

• Switches and hubs

Rules of Thumb

• Default-deny

• Defense in depth

• Keep it simple

• Take a phased approach

• Plan, plan, plan

Hardening a Bastion Host

• Enforce least privilege—applications and users should run with only the privilege level needed to run correctly

• Separate ports—one or a few fixed TCP/IP ports per application. Block the rest.

• Use cryptography

• Don’t trust your applications

Host Design Steps

1. Minimal OS with the latest service pack.

2. Install only the applications you need.

3. Reapply the service pack and add necessary patches.

4. Remove/disable unneeded OS components.

5. Harden the OS

6. Restrict access to files and other objects.
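“Least privilege” and “separate ports” from the hardening rules, and step 6 of the design steps, can be verified after the build by comparing what actually listens on the host with a manifest of what is allowed to listen, on which port, as which user. The following is an added example, not code from the lecture or from Norberg: the listener listing is constructed inline in a simplified “proto port user program” form (it is not the exact output of ss, netstat, or any Windows tool) and the manifest entries are hypothetical. It also catches steps 3 and 4 of the apache.org chain, a database running as root and a shell listening on an unexpected port.

```python
"""Compare observed listening sockets against a manifest of permitted
services: one fixed port per application, each running as a specific
non-privileged user. Anything else is a finding.

Added example; the observed listing and manifest are constructed.
"""

# Manifest: port -> (protocol, program, expected user). Hypothetical entries.
MANIFEST = {
    22: ("tcp", "sshd", "root"),      # sshd binds as root and drops privilege per session
    80: ("tcp", "httpd", "www"),
    443: ("tcp", "httpd", "www"),
    3306: ("tcp", "mysqld", "mysql"),
}

# Constructed observation, e.g. 'ss -ltnp' output reduced to four fields.
OBSERVED = """\
# proto port user program
tcp 22 root sshd
tcp 80 www httpd
tcp 443 www httpd
tcp 3306 root mysqld
tcp 31337 nobody sh
"""


def parse_listeners(text):
    """Parse the simplified listing into (proto, port, user, program) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        proto, port, user, program = line.split()
        rows.append((proto, int(port), user, program))
    return rows


def audit_listeners(observed, manifest=MANIFEST):
    """Return findings for listeners outside the manifest or running as the wrong user."""
    findings = []
    for proto, port, user, program in parse_listeners(observed):
        expected = manifest.get(port)
        if expected is None:
            # "Separate ports": a port nothing is supposed to use is in use.
            findings.append(f"unexpected listener: {program} on {proto}/{port} as {user}")
            continue
        exp_proto, exp_program, exp_user = expected
        if (proto, program) != (exp_proto, exp_program):
            findings.append(
                f"port {proto}/{port} bound by {program}, manifest says {exp_proto}/{exp_program}"
            )
        if user != exp_user:
            # "Least privilege": the right service, but with more privilege than it needs.
            findings.append(
                f"{program} on {proto}/{port} runs as {user}, manifest says {exp_user}"
            )
    return findings


def permitted_ports(manifest=MANIFEST):
    """Ports the host firewall should leave open; block the rest."""
    return sorted(manifest)


if __name__ == "__main__":
    print("permit:", permitted_ports())
    for finding in audit_listeners(OBSERVED):
        print("FINDING:", finding)
```

Running the audit from cron and logging to the separate log host (see “Operating a Secure Site”) turns the one-off build check into the regular audit a bastion host is supposed to get.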

UNIX, Windows, or MacOS X?

• Mac OS X—is built on BSD UNIX, and Apple takes security very seriously. Now considered the most secure commercially available solution.

• UNIX is preferred over Windows—has better tools for building a bastion host and better remote management.

• Windows NT/2000—in some ways stronger than UNIX, but network security is much weaker—too many ports open and too many services. Much harder to administer if UNIX-style hardening is done. Much weaker security if not. YMMV.

Windows NT Rules

• NetBIOS—avoid. TCP/IP only. Do not connect to the public network until fully hardened.

• Never, ever, install MS Office or development tools. Remove all unnecessary applications, network services, and system processes.

• No Linux dual boot. Use Cygwin instead.

• US version of Windows (updated most quickly).

• NTFS.

• “Standalone” member server. No domains. No user accounts.

Secure Remote Administration of Windows Servers

• Symantec pcAnywhere

• Windows 2000 Terminal Services with IPSec. Use the File Copy utility from the Server Resource Kit.

• Open Source

– SSH

– Cygwin (UNIX emulation)

– TCP Wrappers

– VNC

Backup Policy

Think about:

• Who does backups?

• How often are backups taken?

• Local or network?

• Where are the media stored?

• Who may restore data to the system?

• How often are the backups tested?

Remember Bruce Schneier’s Three Rules of Security

• Schneier Risk Demystification: Numbers do matter and are not that hard to understand.

• Schneier Secrecy Demystification: Secrecy is anathema to security:

– It’s brittle

– It conceals abuse

– It prevents sensible trade-offs

• Schneier Agenda Demystification: Know the agendas of the people involved in a security decision. That will usually predict their decisions.

Conclusions

• You can secure e-commerce, but…

– Plan carefully

– Define your policies

– Provide physical security

– Implement access control

– Firewalls

– And manage it carefully

After All That, You Still Want to Be Certified

• SSCP

– One year of experience in at least one area

– Three-hour exam in seven areas

– Agree to the code of ethics

– Continuing education

• CISSP

– Three to four years of experience

– Six-hour exam in ten areas

– Agree to the code of ethics

– Background approval

– Continuing education

SSCP Knowledge Areas

• Access Controls

• Administration

• Audit and Monitoring

• Risk, Response and Recovery

• Cryptography

• Data Communications

• Malicious Code/Malware

CISSP Knowledge Areas

• Access Control Systems & Methodology

• Applications & Systems Development

• Business Continuity Planning

• Cryptography

• Law, Investigation & Ethics

• Operations Security

• Physical Security

• Security Architecture & Models

• Security Management Practices

• Telecommunications, Network & Internet Security