376
A Practical Guide to Security Assessments
Client Response:
8. If the B2C application was developed in house, was security built in from the beginning?
Guidance:
With application development, security is not always considered during the early phases including gathering business requirements and design. One way to determine whether security was considered is to inquire about the team involved in gathering requirements and designing the application and determine whether any team member considered security. In addition, you should specifically ask what security features were considered during the early stages of the development process. If this information is available, it might be appropriate to verify it. If security was not considered, a more detailed review of the application and its functionality will be required. As application-level security is becoming more important, tools now exist to help developers build security into applications during the development process.
Risk:
The risk of not building in security in the beginning of the development process is twofold. First, there is a risk that the application will not adequately ensure the integrity and confidentiality of information (similar to the risk with commercial applications). Second, potentially significant costs are associated with additional development and potential reengineering of processes when trying to add security to an already-developed application.
Client Response:
9. Has the Web server where the B2C application resides been hardened and patched according to the vendor best practice standards?
Guidance:
One of the key aspects of any information security program is the concept of layered information security. As it relates to B2C, hardening the Web server is another layer of security beyond application-level security. The Web server is potentially the first line of defense against someone trying to hack the B2C application. If the Web server is secured, it can help in preventing or making an attack more difficult. Best practices for hardening Web servers can be found on the vendor Web sites as well as other independent information security Web sites. Hardening should be done on an ongoing basis as part of system administration efforts.
AU1706_book.fm Page 376 Tuesday, August 17, 2004 11:02 AM
Appendix L
Risk:
The risk of not hardening the Web server where the B2C application resides is that vulnerabilities in the Web server can be exploited to hack the B2C application. This can lead to negative consequences for the Web site (e.g., B2C Web site not available, defacement), which could result in lost revenues and customers and damage to the reputation of the company.
Client Response:
10. If the Web site were to be defaced or brought down, how would you know and how long would it take before you found out? Are any intrusion management systems running to help detect potential attacks?
Guidance:
The ability to quickly detect whether the B2C Web site is defaced is critical because it is a customer-facing process on the Internet. In protecting this Web presence, consider the following:
- The first step in protecting it is to have the ability to know something has happened in the first place.
- Attacks do not just happen during business hours — they can happen at any time.
Intrusion management systems can help with being able to detect potential attacks on a 24/7 basis. Intrusion management is essentially an alarm that alerts personnel of attacks. Some intrusion management software also has the ability to stop certain attacks in progress. When reviewing intrusion management, determine what is running and whether it is appropriate. Also, you should ensure that appropriate procedures are in place for signature updates (if required), incident handling, and logging and monitoring. If the company is already running intrusion management software, determine whether it is managed properly. Many companies that have deployed intrusion management have not devoted the appropriate resources to manage it properly. Intrusion management is something that needs significant administrative effort for it to be effective. Keep in mind that intrusion management is only as effective as the time that is put into it. If used effectively, it can significantly mitigate risks associated with Web site defacement and other intrusions.
Risk:
Without some mechanism for detecting attacks, the company might not know if the B2C Web site has been defaced or is not available. This can lead to loss of revenue and customers as well as damage to the reputation of the company.
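The first of the two points above, knowing that something has happened at all, can be covered by a simple external monitor that keeps a fingerprint of the approved content of each public page and raises an alert when a probe returns different content, an error, or no response. The following is an added illustration written for this guide, not code from the book; the page contents, paths and probe results are constructed samples, and a real monitor would fetch the pages over HTTP from outside the company network on a schedule.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed baseline: the approved content of each monitored page.
# In practice this is captured from a known-good deployment.
APPROVED_PAGES = {
    "/": b"<html><body><h1>Acme Store</h1><p>Welcome back!</p></body></html>",
    "/login": b"<html><body><form action='/login' method='post'></form></body></html>",
}


def fingerprint(body: bytes) -> str:
    """Content fingerprint used for the baseline and for every later probe."""
    return hashlib.sha256(body).hexdigest()


BASELINE: Dict[str, str] = {path: fingerprint(body) for path, body in APPROVED_PAGES.items()}


@dataclass
class Observation:
    """What the monitor saw for one page on one probe."""
    path: str
    status: Optional[int]   # None means no HTTP response at all (site down)
    body: bytes


def check_site(observations: List[Observation], baseline: Dict[str, str]) -> List[dict]:
    """Compare one probe against the baseline and return one alert per problem.

    Alert kinds: unavailable (no response), server_error (5xx),
    unexpected_status (anything but 200), content_changed (fingerprint
    differs from the baseline) and not_probed (a baselined page was
    missing from this probe, so nothing is known about it).
    """
    alerts = []
    probed = set()
    for obs in observations:
        probed.add(obs.path)
        if obs.status is None:
            alerts.append({"path": obs.path, "kind": "unavailable"})
        elif obs.status >= 500:
            alerts.append({"path": obs.path, "kind": "server_error", "status": obs.status})
        elif obs.status != 200:
            alerts.append({"path": obs.path, "kind": "unexpected_status", "status": obs.status})
        elif fingerprint(obs.body) != baseline.get(obs.path):
            alerts.append({"path": obs.path, "kind": "content_changed"})
    for path in sorted(set(baseline) - probed):
        alerts.append({"path": path, "kind": "not_probed"})
    return alerts


# Constructed probe results: the home page has been replaced and the
# login page did not answer at all.
SAMPLE_PROBE = [
    Observation("/", 200, b"<html><body><h1>This site has been changed</h1></body></html>"),
    Observation("/login", None, b""),
]

# A clean probe reproduces the approved content exactly.
CLEAN_PROBE = [Observation(path, 200, body) for path, body in APPROVED_PAGES.items()]

if __name__ == "__main__":
    for alert in check_site(SAMPLE_PROBE, BASELINE):
        print(alert)
```

Pages with dynamic regions (dates, session identifiers, rotating banners) need those regions stripped or replaced with a template before fingerprinting, otherwise every probe alerts. The alerts themselves are only useful if they reach someone around the clock, which is the second point the guidance makes.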
Client Response:
11. Do the B2C application and the database both reside on the same server or is there a “tiered” architecture where the application and the database are on different servers?
Guidance:
Ideally, the database supporting B2C operations should not reside on the same server as the application to better manage risk. Assuming they are on separate systems, if the B2C Web site is attacked or brought down, the database is still safe as it resides on another machine. In a typical architecture, the B2C application is in front of a firewall, which customers can reach via the Internet, and the database is on a separate server, which is protected behind the firewall. With this question, you should review the network topology diagram and determine whether the B2C is set up in a secure manner.
Risk:
The risk of having the database and application on the same server is that if the server is attacked or brought down, the database and the application can be compromised, resulting in sensitive information (e.g., customer data, credit card information) being exposed or the permanent loss of information (depending on the backup process).
Client Response:
12. Are there any firewalls deployed to help secure the B2C infrastructure and are they properly configured?
Guidance:
Part of the B2C infrastructure is a firewall. In many cases, it might be the only security device in place. Although a firewall can be very effective, it can only be effective if it is configured properly. Many companies do not take the time to properly architect the firewall or configure the rule base. When reviewing the firewalls, you should ask for the rationale for how the architecture is set up and what justifications were used in configuring the firewall rule base. Both of these should be documented and if not, this information should be readily known by IT or dedicated security personnel. Based on the risk, it may make sense to review the firewall rule base in detail and determine whether any changes are required.
Risk:
The wrong placement of the firewall or a firewall with an incorrectly configured rule base can result in unauthorized traffic into the network. Thus, the B2C system is not protected as intended.
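When the detailed rule-base review the guidance mentions is warranted, the checks a reviewer performs by hand (rules with no recorded justification, overly permissive allow rules, rules shadowed by an earlier rule so they never take effect, and a missing explicit deny-all at the end) can be scripted against an export of the rule base. The following is an added example written for this guide, not code from the book or from any firewall vendor; it uses a constructed, vendor-neutral rule format with first-match semantics, and the sample addresses are documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One rule of a constructed, vendor-neutral rule base (first match wins)."""
    rid: int
    action: str            # "allow" or "deny"
    src: str               # CIDR, or "any"
    dst: str               # CIDR, or "any"
    dport: str             # destination port number, or "any"
    justification: str = ""   # the documented rationale the reviewer asks for


def _net(cidr: str) -> Optional[IPv4Network]:
    return None if cidr == "any" else ip_network(cidr)


def _net_covers(outer: Optional[IPv4Network], inner: Optional[IPv4Network]) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer is None:          # "any" covers everything
        return True
    if inner is None:          # a specific network never covers "any"
        return False
    return inner.subnet_of(outer)


def _port_covers(outer: str, inner: str) -> bool:
    return outer == "any" or outer == inner


def _matches_everything(rule: Rule) -> bool:
    return rule.src == "any" and rule.dst == "any" and rule.dport == "any"


def review_rule_base(rules: List[Rule]) -> List[Tuple[Optional[int], str]]:
    """Return (rule id, finding) pairs; rule id None means the finding is about the whole base."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "allow" and _matches_everything(rule):
            findings.append((rule.rid, "allow any/any/any: overly permissive"))
        if rule.action == "allow" and not rule.justification.strip():
            findings.append((rule.rid, "allow rule has no documented justification"))
        # A rule is shadowed when an earlier rule already matches all of its
        # traffic, so with first-match semantics it can never take effect.
        for earlier in rules[:i]:
            if (_net_covers(_net(earlier.src), _net(rule.src))
                    and _net_covers(_net(earlier.dst), _net(rule.dst))
                    and _port_covers(earlier.dport, rule.dport)):
                findings.append((rule.rid, f"shadowed by rule {earlier.rid}: never matches"))
                break
    if not rules or rules[-1].action != "deny" or not _matches_everything(rules[-1]):
        findings.append((None, "rule base does not end with an explicit deny-all"))
    return findings


# Constructed sample rule base for a B2C deployment: the Web tier sits at
# 203.0.113.10 and the database at 10.0.0.5 (documentation addresses).
SAMPLE_RULES = [
    Rule(1, "allow", "any", "203.0.113.10/32", "443", "Customers reach the B2C Web server over HTTPS"),
    Rule(2, "allow", "203.0.113.10/32", "10.0.0.5/32", "1433", "Web tier to database"),
    Rule(3, "allow", "10.0.0.0/8", "any", "any"),                              # no justification recorded
    Rule(4, "allow", "10.0.0.0/24", "198.51.100.0/24", "22", "Admin SSH"),   # shadowed by rule 3
    Rule(5, "deny", "any", "any", "any", "Default deny"),
]

if __name__ == "__main__":
    for rid, text in review_rule_base(SAMPLE_RULES):
        print(f"rule {rid}: {text}")
```

Shadowing is detected only for whole coverage by a single earlier rule; a rule covered by the union of several earlier rules is a harder case and is left for the manual review. Each finding should be taken back to the people who own the rule base, since the point of the question is whether a justification exists, not only whether it was written down.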
Client Response:
13. Does the B2C application use cookies to cache any sensitive data?
Guidance:
If certain information such as authentication data is cached or stored, sensitive data can be divulged. Caching can be done with cookies, which are pieces of information stored locally on a machine. This information can include a user’s preferences on a Web site or authentication data. The Internet browser uses cached information to speed up performance and bring up Web pages more quickly. System settings related to caching should be reviewed from a technical perspective to determine whether they are appropriate from a security perspective.
Risk:
The risk with caching sensitive data is that if a person’s authentication data is cached, another person can potentially log on as the preceding person. In an e-commerce setting, this can result in fraudulent activity. To mitigate this risk, clients should not allow authentication data to be cached and should ensure that any cookies expire once the session is over.
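The technical review the guidance calls for can start with the Set-Cookie headers the application returns: a session or authentication cookie should carry no Expires or Max-Age attribute (so it is discarded when the browser closes), should be marked Secure and HttpOnly, and should never contain the credentials themselves. The following is an added example written for this guide, not code from the book; it parses constructed Set-Cookie headers with Python's standard library and reports the conditions just listed. The list of "sensitive" cookie names is an assumption and should be adapted to the application under review.

```python
import re
from http.cookies import SimpleCookie
from typing import List, Tuple

# Cookie names that suggest session or authentication data (constructed list).
SENSITIVE_NAME = re.compile(r"sess|auth|token|login|pass|pwd|card", re.IGNORECASE)
# Values that look like a password field or a bare payment card number.
CREDENTIAL_VALUE = re.compile(r"(pass(word)?|pwd)=", re.IGNORECASE)
CARD_VALUE = re.compile(r"\d{13,19}")


def audit_set_cookie(headers: List[str]) -> List[Tuple[str, str]]:
    """Return (cookie name, finding) pairs for a list of Set-Cookie header values."""
    findings = []
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)            # one Set-Cookie header value at a time
        for name, morsel in jar.items():
            sensitive = bool(SENSITIVE_NAME.search(name))
            # Expires or Max-Age makes the cookie survive closing the browser.
            persistent = bool(morsel["expires"] or morsel["max-age"])
            if sensitive and persistent:
                findings.append((name, "sensitive cookie persists beyond the session (Expires/Max-Age set)"))
            if sensitive and not morsel["secure"]:
                findings.append((name, "missing Secure attribute: may be sent in clear text"))
            if sensitive and not morsel["httponly"]:
                findings.append((name, "missing HttpOnly attribute: readable by page scripts"))
            if CREDENTIAL_VALUE.search(morsel.value) or CARD_VALUE.fullmatch(morsel.value):
                findings.append((name, "value appears to contain a password or card number"))
    return findings


# Constructed Set-Cookie header values as a B2C site might return them.
SAMPLE_HEADERS = [
    "sessionid=3f1a9c0d7b2e; Path=/; Secure; HttpOnly",                                   # acceptable
    "auth_token=9d8e7f6a5b4c; Max-Age=2592000; Path=/",                                    # persists 30 days, unprotected
    "remember=user=bob&password=hunter2; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",  # credentials cached on disk
    "theme=dark; Path=/",                                                                 # harmless preference
]

if __name__ == "__main__":
    for name, finding in audit_set_cookie(SAMPLE_HEADERS):
        print(f"{name}: {finding}")
```

Headers can be collected from a browser's developer tools or a proxy during a walk-through of the login, checkout and logout steps. The check on cookie values is a heuristic; a cookie carrying an encoded or encrypted copy of the credentials would pass it, which is why the reviewer should also ask the developers what each cookie contains.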
Client Response:
14. Does the B2C application’s logout capability work as intended?
Guidance:
B2C applications should have a logout function allowing users to log out of the application. The logout feature does not always work, resulting in users being logged in when they think they have logged out. The other issue is re-entering the session when pressing the back button even though the user has logged out. The only way to determine whether the logout functionality is working is to test some sample scenarios.
Risk:
The risk associated with the logout function not working properly is people having unauthorized access to each other’s accounts. This can happen in public Internet cafés or kiosks in public places. If the logout function (or lack thereof) can be exploited to gain unauthorized access to a person’s account, it could lead to fraudulent activity and a loss of customer confidence.
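The usual reason a logout "does not work" is that it only clears the cookie in the browser while the server keeps honouring the old session token, so replaying the token (from another browser on the same kiosk, or simply from the browser cache via the back button) still reaches the account. The following is an added example written for this guide, not code from the book; it models a minimal server-side session store, contrasts a client-side-only logout with a proper one, and encodes the two sample scenarios the guidance suggests testing: replaying the old token after logout, and an idle session timing out. The Cache-Control headers shown are what authenticated pages should carry so the browser does not re-display them from cache after logout.

```python
import secrets
import time
from typing import Dict, Optional, Tuple

# Response headers every authenticated page should carry so the browser does
# not serve it from its cache after logout (the "back button" problem).
NO_STORE_HEADERS = {"Cache-Control": "no-store, no-cache, must-revalidate", "Pragma": "no-cache"}


class SessionStore:
    """Server-side session table: the only authority on whether a token is valid."""

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Tuple[str, float]] = {}

    def create(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # unguessable session identifier
        self._sessions[token] = (user, now + self.ttl)
        return token

    def resolve(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user for a token, or None if the token is unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:
            self._sessions.pop(token, None)        # idle session expired
            return None
        return user

    def destroy(self, token: str) -> None:
        self._sessions.pop(token, None)


def logout_client_side_only(store: SessionStore, token: str) -> dict:
    """Flawed logout: clears the browser cookie but leaves the server session alive,
    so the old token still authenticates if it is presented again."""
    return {"Set-Cookie": "sid=; Max-Age=0; Path=/"}


def logout_server_side(store: SessionStore, token: str) -> dict:
    """Correct logout: invalidate the session on the server, then clear the cookie."""
    store.destroy(token)
    return {"Set-Cookie": "sid=; Max-Age=0; Path=/", **NO_STORE_HEADERS}


def old_token_rejected_after_logout(logout) -> bool:
    """Sample scenario 1: log in, log out, then replay the old token."""
    store = SessionStore()
    token = store.create("alice")
    logout(store, token)
    return store.resolve(token) is None


def idle_session_expires() -> bool:
    """Sample scenario 2: a session left idle past its lifetime stops working."""
    store = SessionStore(ttl_seconds=900)
    token = store.create("alice", now=1000.0)
    return store.resolve(token, now=1500.0) == "alice" and store.resolve(token, now=2000.0) is None


if __name__ == "__main__":
    print("server-side logout rejects old token:", old_token_rejected_after_logout(logout_server_side))
    print("client-side-only logout rejects old token:", old_token_rejected_after_logout(logout_client_side_only))
    print("idle session expires:", idle_session_expires())
```

When testing a real application the same two scenarios are run with a browser and a proxy: capture the session cookie, log out, then resend a request with the captured cookie and confirm it is redirected to the login page rather than served.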
Client Response:
15. Does the application, which resides on the Web server, use a secure protocol when sending information across the Internet?
Guidance:
E-commerce transactions generally require some exchange of sensitive information sent over the Internet. These communications should be sent using secure protocols that encrypt any sensitive information. One way to evaluate information flow is to review the network and security architecture and determine how information is flowing and what protocols are in use. To the extent that sensitive customer information is transmitted, adequate measures should be in place to protect the confidentiality of that information. Consumers assume that their information is confidential.
Risk:
In an e-commerce transaction, sensitive information such as people’s demographic data and credit card information is sent across the Internet. If this information is sent in an insecure manner such as clear text, this information can be intercepted and used to gain unauthorized access to other people’s accounts, resulting in fraudulent transactions and the loss of customer confidence.
Client Response:
16. When someone is using the B2C application, is the password obscured when entered?
Guidance:
Obscuring the password is a feature that B2C applications should have. Although many applications have this feature, you should not assume that it works; because it is a very important feature, verify it.
Risk:
The risk associated with the password-obscuring feature not being in place is that users’ authentication data may be accidentally divulged, which can lead to fraudulent activity and a loss of customer confidence.
Client Response:
17. Does the application enforce strong password rules when users are creating accounts?
Guidance:
Passwords are the first line of defense for consumers. However, consumers will generally not use strong passwords when they create an account on an e-commerce site unless they are forced to. If the B2C application has the capability to force users to create strong passwords, it should be used. Weak passwords are one of the first exploits tried by those seeking to gain unauthorized access. The balance here is to force users to have strong passwords but not so strong that they forget them or paste them onto their monitors.
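One way to strike the balance the guidance describes is to enforce a minimum length and reject passwords that are known to be weak (common passwords, the user's own name or e-mail address, all digits, or a single repeated character) rather than demanding a mix of character classes that users work around by writing the password down. The following is an added example written for this guide, not code from the book; the common-password list is a constructed excerpt and a real deployment would load a much larger breached-password list, and the length limits are assumptions.

```python
import re
import unicodedata
from typing import List

# Constructed excerpt of a breached-password list; production use would load a far larger one.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "welcome", "iloveyou", "admin", "football",
}
MIN_LENGTH = 10     # assumed policy values
MAX_LENGTH = 128


def check_password(password: str, username: str = "", email: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    pw = unicodedata.normalize("NFKC", password)   # compare on a canonical form
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Strip trailing digits so that "password123" is still caught.
    stem = re.sub(r"\d+$", "", low)
    if low in COMMON_PASSWORDS or (stem and stem in COMMON_PASSWORDS):
        problems.append("matches a commonly used password")
    if len(username) >= 3 and username.lower() in low:
        problems.append("contains the user name")
    local_part = email.split("@")[0].lower() if email else ""
    if len(local_part) >= 3 and local_part in low:
        problems.append("contains the e-mail address")
    if pw.isdigit():
        problems.append("digits only")
    if len(set(low)) <= 2:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    for candidate, user in [("correct horse battery", ""), ("Password123", ""),
                            ("alice-2024!!", "alice"), ("1234567890", ""), ("aaaaaaaaaaaa", "")]:
        print(repr(candidate), "->", check_password(candidate, username=user) or "ok")
```

Length is the main lever here: a long passphrase of ordinary words is easier to remember than a short string with forced symbols and withstands guessing better. The same check should run on password changes, not only at account creation.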