Appendix L
381
Risk:
The risk of not enforcing strong passwords is that users will have
weak passwords that can be exploited to gain unauthorized access to the
B2C application.
Client Response:
18. Does the application lock users out automatically after a certain number
of failed log-on attempts?
Guidance:
The lockout feature helps prevent malicious users from using brute force techniques to gain unauthorized access. An account is effectively frozen for a period of time after a certain number of failed log-on attempts. It then becomes available to that user again after a set period of time, or it may require the consumer to call and have the password reset. This is a very useful feature that should be used if available. If B2C applications are being developed, this feature should be built in. One caveat: anyone who knows a customer's user name can deliberately trigger the lockout, so the threshold and lockout period should be chosen so that legitimate customers are not locked out for long, and lockout should be combined with rate limiting by source address rather than relied on alone. This feature, along with other password-related security features, should be used for effective password security.
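The lockout described above, as an added example rather than code from the book: a small Python policy that counts failed log-ons per account inside a sliding window, freezes the account for a fixed period once the limit is reached, and clears the freeze either when the period expires or when the help desk unlocks it after verifying the customer. The threshold, window and lockout period, the password hashing, the constructed account store and the fake clock are all assumptions for the demonstration.

```python
# Account lockout after repeated failed log-ons (added example; the policy
# values and the constructed credential store are assumptions, not the book's).
import hashlib
import hmac
import os
import time
from collections import deque

MAX_FAILURES = 5            # failures tolerated inside WINDOW_SECONDS (assumed value)
WINDOW_SECONDS = 15 * 60    # failures older than this no longer count toward the limit
LOCKOUT_SECONDS = 30 * 60   # how long the account stays frozen once the limit is reached


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the store never holds clear-text passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


class FakeClock:
    """Constructed clock so lockout expiry can be demonstrated without sleeping."""

    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LockoutPolicy:
    """Counts failed log-ons per account and freezes the account after too many."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = {}      # user -> deque of failure timestamps inside the window
        self.locked_until = {}  # user -> time at which the freeze ends

    def is_locked(self, user: str) -> bool:
        return self.clock() < self.locked_until.get(user, 0.0)

    def seconds_until_unlock(self, user: str) -> int:
        return max(0, int(self.locked_until.get(user, 0.0) - self.clock()))

    def record_failure(self, user: str) -> bool:
        """Record one failed attempt; returns True if it triggered a lockout."""
        now = self.clock()
        window = self.failures.setdefault(user, deque())
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()   # forget failures that fell out of the window
        if len(window) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            window.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)

    def admin_unlock(self, user: str) -> None:
        """The help-desk path in the guidance: clear the freeze after verifying the customer."""
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)


def attempt_login(policy: LockoutPolicy, users: dict, user: str, password: str) -> str:
    """Returns 'locked', 'ok' or 'denied'. The user-facing message for 'denied'
    must be the same for a wrong password and an unknown user name."""
    if policy.is_locked(user):
        return "locked"  # refuse before checking the password: a frozen account cannot be guessed at
    record = users.get(user)
    if record is not None and hmac.compare_digest(hash_password(password, record["salt"]), record["hash"]):
        policy.record_success(user)
        return "ok"
    # Unknown names are counted too, so lockout behaviour does not reveal which accounts exist.
    policy.record_failure(user)
    return "denied"


if __name__ == "__main__":
    clock = FakeClock()
    policy = LockoutPolicy(clock=clock)
    users = {"alice": make_user("correct horse battery staple")}  # constructed account
    for _ in range(MAX_FAILURES):
        print(attempt_login(policy, users, "alice", "guess"))
    print(attempt_login(policy, users, "alice", "correct horse battery staple"))
    clock.advance(LOCKOUT_SECONDS + 1)
    print(attempt_login(policy, users, "alice", "correct horse battery staple"))
```

Two points the guidance does not spell out are visible in the code: the password is not checked at all while the account is frozen, and unknown user names are counted the same way as real ones, so the lockout cannot be used to discover which accounts exist. Because anyone who knows a customer's user name can trigger the freeze, the policy should sit behind rate limiting by source address and use a lockout period short enough that a deliberately locked customer is not denied service for long.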
Risk:
The risk of not having the lockout feature is that it allows malicious users to use brute force methods to gain unauthorized access to B2C applications and potentially conduct fraudulent activity.
Client Response:
19. If a customer requires a password to be reset, what is the process for
giving the reset password to the user? Is the customer authenticated before
giving that individual the password? Is the password sent to the customer’s
e-mail address?
Guidance:
Password resets should be communicated to customers only after they have been authenticated in some way. Companies should have documented procedures for communicating password resets and enforce them, because requesting a reset is a popular social engineering method for obtaining users' authentication information. Support personnel should ask customers for additional information about themselves to authenticate them before a reset is performed. A few methods that can be used to deliver the reset include:
- Send the password to the consumer's electronic mail address, which was supplied when the account was created, rather than to an address given during the call.
- Communicate the password over the phone once the customer is properly authenticated.
- Leave the password on the customer's voice mail.
Whichever method is used, the reset password should be temporary: it should expire after a short time, and the customer should be required to choose a new password at the next log-on, so that a reset intercepted in transit or left in a mailbox has limited value.
AU1706_book.fm Page 381 Tuesday, August 17, 2004 11:02 AM
382
A Practical Guide to Security Assessments
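As an added illustration (not the book's code) of the first delivery method in the guidance above, here is a reset flow in Python that never sends the password itself: the customer asks for a reset, a random single-use token that expires after a short time is sent to the e-mail address on file, and only the holder of that link can set a new password. The service class, token lifetime, the hypothetical https://shop.example URL, the generic reply text and the constructed accounts are assumptions.

```python
# Token-based password reset (added example; the service, token lifetime and the
# constructed accounts are assumptions, not code from the book).
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed lifetime; short so an intercepted link soon goes stale
GENERIC_REPLY = "If an account exists for that address, a reset link has been sent."


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(email: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


def verify_password(account: dict, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, account["salt"]), account["hash"])


class PasswordResetService:
    """Issues single-use, expiring reset links to the e-mail address on file."""

    def __init__(self, accounts: dict, send_email, clock=time.time):
        self.accounts = accounts      # user -> account dict
        self.send_email = send_email  # callable(address, body); supplied by the caller
        self.clock = clock            # injectable so expiry can be tested without waiting
        self.pending = {}             # sha256(token) -> {"user", "expires"}; raw token never stored

    def request_reset(self, email: str) -> str:
        user = next((u for u, a in self.accounts.items()
                     if a["email"].lower() == email.lower()), None)
        if user is not None:
            # A newer request supersedes any earlier link for the same customer.
            self.pending = {d: p for d, p in self.pending.items() if p["user"] != user}
            token = secrets.token_urlsafe(32)
            self.pending[hashlib.sha256(token.encode()).hexdigest()] = {
                "user": user, "expires": self.clock() + TOKEN_TTL_SECONDS}
            # Sent only to the address supplied at account creation (hypothetical URL).
            self.send_email(self.accounts[user]["email"],
                            f"https://shop.example/reset?token={token}")
        # Same reply whether or not the address exists, so the form confirms no accounts.
        return GENERIC_REPLY

    def complete_reset(self, token: str, new_password: str) -> bool:
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)   # pop makes the link single-use
        if entry is None or self.clock() > entry["expires"]:
            return False
        account = self.accounts[entry["user"]]
        account["salt"] = os.urandom(16)        # old password stops working immediately
        account["hash"] = hash_password(new_password, account["salt"])
        return True


if __name__ == "__main__":
    outbox = []   # constructed stand-in for the mail system
    accounts = {"alice": make_account("alice@example.com", "old-password")}
    svc = PasswordResetService(accounts, lambda addr, body: outbox.append((addr, body)))
    print(svc.request_reset("alice@example.com"))
    token = outbox[0][1].split("token=", 1)[1]
    print(svc.complete_reset(token, "new-password"), verify_password(accounts["alice"], "new-password"))
```

The server stores only a hash of the token, so a leaked pending-reset table does not let anyone complete a reset; the reply is the same whether or not the address exists, which keeps the reset form from confirming which customers have accounts; and a newer request supersedes older links. The additional authentication questions the guidance recommends belong in front of request_reset.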
Risk:
The risk of not properly authenticating customers prior to resetting and communicating password information is that the password might be given to the wrong person, who can then use it to gain unauthorized access to another person's account.
Client Response:
20. Is administrator access to the Web server limited to only those individuals
who require it?
Guidance:
Administrator access to the Web server allows full access
rights to the Web server — i.e., an administrator can make any change or
see anything on the Web server. This access should not be taken lightly and
should be provided to only those individuals who require such access to do
their jobs. Ideally, this access should be given to the system administrator
who maintains the Web server and a person who serves as the backup. The
server should be configured so that administrator activity is tracked, so a
security breach related to the Web server can be researched. In addition,
the administrator should have a regular account, which is used when not
performing administrator activities.
Risk:
If administrator access to the Web server where B2C operations reside is not strictly controlled, that access, in the wrong hands, can be used to damage the B2C Web site. This is especially true in the case of disgruntled employees in companies where termination practices are not effectively performed, so that the account of a departed administrator remains active.
Client Response:
21. If the application was built in house, do changes go through a change
management process before being migrated into production? Is there a
development and test environment to facilitate this?
Guidance:
Change management is evaluated closely in another questionnaire but is included here to determine whether it is used for B2C applications. The change management process should always be used when making changes to B2C applications (or any applications), to ensure that changes have been properly tested and that the appropriate individuals have approved the change. Because the B2C application is customer facing and the risks associated with it not functioning can result in lost revenue and customers, proper approval and testing of all changes are critical.
Risk:
The risk associated with not having a sound change management process is that vulnerabilities can be introduced into production as a result of untested changes. This could result in a lack of availability of the application or some other security breach.
Client Response:
22. For any products or services being offered on the B2C Web site, what
controls are in place to ensure that access to changing item, pricing, or
other catalog information is strictly controlled?
Guidance:
This question deals with the process by which the B2C application is operated. There should be controls in place to ensure that catalog information, especially pricing, is not changed without proper authorization. The ability to make these changes should be limited to specific individuals, and the changes should follow an approval process in which the person approving a change is not the person making it. In addition, edit lists (reports of the changes actually made, showing who made and who approved each one) should be generated and reviewed independently once changes have been made, to ensure that the changes were approved and correctly made.
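The controls described above, as an added worked example in Python with SQLite (constructed schema, roles and sample products; not the book's code): price changes are requested, approved by someone other than the requester, and applied only through one function that writes an audit row in the same transaction, while an independent reviewer reconciles live prices against the audit trail to produce the edit list and to catch any change that bypassed the process.

```python
# Controlled catalog price changes with an audit trail and an independent edit-list
# review (added example; schema, roles and sample products are constructed).
import sqlite3

SCHEMA = """
CREATE TABLE product (
    sku TEXT PRIMARY KEY, name TEXT NOT NULL, price_cents INTEGER NOT NULL);
CREATE TABLE change_request (
    id INTEGER PRIMARY KEY, sku TEXT NOT NULL REFERENCES product(sku),
    new_price_cents INTEGER NOT NULL, requested_by TEXT NOT NULL,
    approved_by TEXT, status TEXT NOT NULL DEFAULT 'pending');
CREATE TABLE price_audit (
    id INTEGER PRIMARY KEY, sku TEXT NOT NULL, old_price_cents INTEGER NOT NULL,
    new_price_cents INTEGER NOT NULL, changed_by TEXT NOT NULL,
    change_request_id INTEGER NOT NULL REFERENCES change_request(id));
CREATE TABLE price_baseline (sku TEXT PRIMARY KEY, price_cents INTEGER NOT NULL);
"""

APPROVERS = {"pricing-manager"}      # assumed roles: who may approve a change
PRICE_EDITORS = {"catalog-admin"}    # who may apply an approved change


def open_catalog() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO product VALUES (?, ?, ?)",
                     [("SKU-100", "Widget", 1999), ("SKU-200", "Gadget", 4999)])  # constructed
    conn.commit()
    return conn


def snapshot_baseline(conn) -> None:
    """Taken by the reviewer at the start of a review period."""
    with conn:
        conn.execute("DELETE FROM price_baseline")
        conn.execute("INSERT INTO price_baseline SELECT sku, price_cents FROM product")


def request_price_change(conn, sku, new_price_cents, requested_by) -> int:
    with conn:
        cur = conn.execute(
            "INSERT INTO change_request (sku, new_price_cents, requested_by) VALUES (?, ?, ?)",
            (sku, new_price_cents, requested_by))
    return cur.lastrowid


def approve(conn, request_id, approver) -> bool:
    """Segregation of duties: an authorised approver who is not the requester."""
    row = conn.execute("SELECT requested_by, status FROM change_request WHERE id = ?",
                       (request_id,)).fetchone()
    if row is None or row[1] != "pending" or approver not in APPROVERS or approver == row[0]:
        return False
    with conn:
        conn.execute("UPDATE change_request SET approved_by = ?, status = 'approved' WHERE id = ?",
                     (approver, request_id))
    return True


def apply_change(conn, request_id, actor) -> bool:
    """The only sanctioned path for changing a price: approved request, permitted actor, audit row."""
    if actor not in PRICE_EDITORS:
        return False
    row = conn.execute("SELECT sku, new_price_cents, status FROM change_request WHERE id = ?",
                       (request_id,)).fetchone()
    if row is None or row[2] != "approved":
        return False
    sku, new_price, _ = row
    (old_price,) = conn.execute("SELECT price_cents FROM product WHERE sku = ?", (sku,)).fetchone()
    with conn:  # one transaction: the price, the audit row and the status flip commit together
        conn.execute("UPDATE product SET price_cents = ? WHERE sku = ?", (new_price, sku))
        conn.execute("INSERT INTO price_audit (sku, old_price_cents, new_price_cents, changed_by, "
                     "change_request_id) VALUES (?, ?, ?, ?, ?)",
                     (sku, old_price, new_price, actor, request_id))
        conn.execute("UPDATE change_request SET status = 'applied' WHERE id = ?", (request_id,))
    return True


def edit_list(conn) -> list:
    """The edit list the guidance asks for: every change made, with who requested and approved it."""
    return conn.execute("""
        SELECT a.sku, a.old_price_cents, a.new_price_cents, a.changed_by, r.requested_by, r.approved_by
        FROM price_audit a JOIN change_request r ON r.id = a.change_request_id ORDER BY a.id""").fetchall()


def unexplained_changes(conn) -> list:
    """Independent check: products whose live price is not what the audit trail (or the
    baseline, if nothing was audited) says it should be, i.e. changed outside the process."""
    return conn.execute("""
        SELECT sku, price_cents, expected FROM (
            SELECT p.sku, p.price_cents,
                   COALESCE((SELECT a.new_price_cents FROM price_audit a
                             WHERE a.sku = p.sku ORDER BY a.id DESC LIMIT 1),
                            b.price_cents) AS expected
            FROM product p JOIN price_baseline b ON b.sku = p.sku) AS t
        WHERE price_cents != expected ORDER BY sku""").fetchall()


if __name__ == "__main__":
    conn = open_catalog()
    snapshot_baseline(conn)
    rid = request_price_change(conn, "SKU-100", 1799, "analyst")
    print(approve(conn, rid, "pricing-manager"), apply_change(conn, rid, "catalog-admin"))
    conn.execute("UPDATE product SET price_cents = 1 WHERE sku = 'SKU-200'")  # bypasses the process
    print(edit_list(conn), unexplained_changes(conn))
```

In a real deployment the direct UPDATE at the end would be a database account with write access to the catalog table, which is why the reviewer's reconciliation runs against the audit trail rather than trusting the application alone.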
Risk:
The risk associated with not having these controls in place is that critical catalog information can be changed without proper approvals, which can potentially result in customers seeing and using incorrect information relating to products, pricing, etc. For example, unauthorized or incorrect pricing changes may be made, resulting in customers being charged wrong prices.
Client Response:
23. Is there any ongoing vulnerability assessment of the B2C application? Does the application have any of the Top Ten OWASP (Open Web Application Security Project) vulnerabilities?
Guidance:
OWASP is a project dedicated to application-level security. OWASP publishes a Top Ten list of vulnerability classes for which applications should be checked. Tools are available in the marketplace to evaluate application code; they can determine what application security vulnerabilities exist, including the OWASP Top Ten. Addressing these vulnerabilities, some of which include cross-site scripting, unvalidated input, buffer overflows, and Structured Query Language (SQL) injection, can significantly reduce the risk with B2C applications. The list is revised periodically, so the current edition should be consulted; it is available at http://www.owasp.org/documentation/topten.
Risk:
Some of the risks associated with the OWASP Top Ten vulnerabilities include the application not being available and unauthorized access to sensitive customer information.
Client Response:
24. Are all relevant logs from the Web server, database server, intrusion
detection system, and firewall reviewed?
Guidance:
For the various parts of the B2C infrastructure, logs exist that are worth reviewing on a periodic basis. One of the issues with many companies is that they do not have the time or resources to do these reviews, and as a result, the reviews are not done. Log review tends to be done as a reactive measure when a security incident occurs. One solution is to use automated tools to generate exception reports from the log data so the time required for review is minimized. Another solution is outsourcing. Companies are increasingly looking to Managed Security Service Providers (MSSPs), who provide managed security services, often at a lower cost than managing them internally. This book includes a separate questionnaire devoted to the use of MSSPs, which should be reviewed if an MSSP is being used.
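The exception-report approach above, as an added example (not the book's code): a Python script that parses constructed Web server access-log lines in the common log format and reports three kinds of exception a reviewer would want to see instead of the raw log: bursts of failed log-ons from one address, requests carrying injection or scripting patterns, and administrative pages reached from an address other than the administrator's. The log lines, thresholds, attack patterns, the /admin/ prefix and the allow-listed address are all assumptions.

```python
# Exception report generated from Web server access-log lines (added example; the log
# lines, thresholds, paths and allow-list are constructed, not taken from the book).
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

ATTACK_PATTERNS = {   # crude indicators of the injection and scripting flaws named in question 23
    "sql-injection": re.compile(r"(?i)(union\s+select|'\s*or\s+'?\d|--\s*$|;\s*drop\s)"),
    "xss": re.compile(r"(?i)(<script|javascript:|onerror\s*=)"),
    "path-traversal": re.compile(r"\.\./"),
}
ADMIN_PREFIX = "/admin/"
ADMIN_ALLOWED_IPS = {"10.0.0.5"}   # assumed: the administrator's workstation

SAMPLE_LOG = """\
203.0.113.7 - - [17/Aug/2004:11:02:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [17/Aug/2004:11:02:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [17/Aug/2004:11:02:04 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [17/Aug/2004:11:02:06 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [17/Aug/2004:11:02:07 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [17/Aug/2004:11:02:09 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.44 - - [17/Aug/2004:11:03:00 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.44 - - [17/Aug/2004:11:03:30 +0000] "POST /login HTTP/1.1" 200 2048
198.51.100.4 - - [17/Aug/2004:11:05:10 +0000] "GET /catalog?item=12'%20OR%20'1'='1 HTTP/1.1" 200 4096
198.51.100.4 - - [17/Aug/2004:11:05:12 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024
10.0.0.5 - - [17/Aug/2004:11:10:00 +0000] "GET /admin/pricing HTTP/1.1" 200 3072
192.0.2.9 - - [17/Aug/2004:11:11:00 +0000] "GET /admin/pricing HTTP/1.1" 200 3072
203.0.113.7 - - [17/Aug/2004:11:12:00 +0000] "GET /index.html HTTP/1.1" 200 8192
"""


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": unquote(m["path"]),   # decode so %27 / %3C cannot hide from the patterns
        "status": int(m["status"]),
    }


def parse_log(text: str) -> list:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def failed_login_bursts(events, threshold=5, window_seconds=300) -> dict:
    """IPs with at least `threshold` failed log-ons (POST /login -> 401) inside any
    `window_seconds` span; the value is the largest such count."""
    times = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"].startswith("/login") and e["status"] == 401:
            times[e["ip"]].append(e["time"])
    flagged = {}
    for ip, ts in times.items():
        ts.sort()
        start = 0
        for end, t in enumerate(ts):           # sliding window over sorted timestamps
            while (t - ts[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged


def attack_signatures(events) -> list:
    return [(e["ip"], name, e["path"]) for e in events
            for name, rx in ATTACK_PATTERNS.items() if rx.search(e["path"])]


def admin_access_from_unexpected_ip(events) -> list:
    return [(e["ip"], e["path"]) for e in events
            if e["path"].startswith(ADMIN_PREFIX) and e["ip"] not in ADMIN_ALLOWED_IPS]


def exception_report(text: str) -> dict:
    events = parse_log(text)
    return {
        "failed_login_bursts": failed_login_bursts(events),
        "attack_signatures": attack_signatures(events),
        "admin_from_unexpected_ip": admin_access_from_unexpected_ip(events),
    }


if __name__ == "__main__":
    for section, findings in exception_report(SAMPLE_LOG).items():
        print(section, findings)
```

The same shape applies to the firewall, IDS and database logs named in the question: parse, normalise, then keep only what crosses a threshold or matches a pattern, so the periodic review is a short report rather than a file nobody has time to read. A line that fails to parse is dropped here; in production it should be counted, since a sudden rise in unparseable lines is itself worth a look.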
Risk:
The risk associated with not performing proactive log review is that
the client might not know about potential security breaches on a timely
basis and, as a result, would not be able to take action proactively. Al-
though no guarantee exists that log review will necessarily provide useful
information on potential security breaches, periodic review of logs can
provide early detection of problems.
Client Response: