Securing E-Commerce

1
Securing E-Commerce

• CSEM02
• University of Sunderland
• Harry R. Erwin, PhD

2
Resources

• Garfinkel and Spafford, 1996, Practical UNIX and
  Internet Security, OReilly, ISBN 1-56592-148-8
• Anderson, 2001, Security Engineering, Wiley,
  ISBN 0-471-38922-6.
• Norberg, 2001, Securing Windows NT/2000 Servers,
  O'Reilly, ISBN 1-56592-768-0. Most of this
  lecture is based on Norberg.
• Zwicky, Cooper, and Chapman, 2000, Building
  Internet Firewalls, second edition, O'Reilly,
  ISBN 1-56592-871-7.

3
The Most Common Threats Involving E-Commerce

• Intrusiontypically in the form of site
  defacement, with damage to the companys
  reputation.
• Denial of servicepreventing authorized users
  from using the system, resulting in loss of
  business.
• Information theftunauthorized persons obtaining
  private information, resulting in legal liability.

4
A Typical Attack

• How lthttp//www.apache.orggt was hacked
• (from Norberg, based on a BugTraq report on May
  4, 2000)
• The attackers uploaded a PHP script to a
  world-writeable ftp directory (dubious).
• The web server root directory was the same as the
  ftp server root directory (bad).
• The PHP script executed UNIX commands (bad) that
  created a shell server bound to a high port that
  was open (badno firewall).
• Finally, they used a database process that was
  running as root (more bad) to create a setuid
  root shell.

5
What is a Body to Do?

• You must have and maintain a high level of
  security for your site.
• This is feasible, but it requires awareness and
  knowledge.

6
Security Strategies (Zwicky)

• Least privilegeprocesses and users should have
  only the privileges they need for their job
• Defense in depthmultiple security layers
• Choke pointlimit access to your system
• Weakest linkattacks will seek vulnerabilities
• Fail-safe stancedeny access if the system fails
• Universal participationeverybody buys in
• Diversity of defensemultiple mechanisms
• Simplicityonly the simple can be made secure
• Security through obscurityis valid (but weak)

7
Building a Secure Site

• Plan for it. Cover all the bases and formally
  analyze your requirements.
• Define your policies. (UK and Microsoft
  definition, not US government definition.) See
  RFC 2196, Site Security Handbook.
• Provide physical security.
• Implement access control.
• Use a firewall.

8
Operating a Secure Site

• Audit access policy violations.
• Make frequent backups.
• Collect logs on a separate and secure system.
• Ask others to review your plans and work.
• Use encryption.

9
The Bastion Host

• The critical strongpoint in the networks
  security.
• Are hardened.
• Are audited regularly.
• May use modified software.
• The software in use will be trustedhence should
  be designed, tested, and configured for safe
  operation.
• Be prepared for their being compromised.

10
The Perimeter Network

• A DMZ (demilitarized zone)
• A firewall system, serving as a single point of
  entry.
• An untrusted network on the outskirts of the
  private trusted network.
• Serves as an intermediate stage between the
  internet and the internal network.
• Multiple compartments.
• Default-deny access.

11
What is the Problem with this Network?
internet
firewall
http only
odbc only
Web Server
DBMS Server
firewall
internal network
12
Perimeter Components

• Routers (provide access control)
• Firewall gateways
• Application-level gateways (layer 7)
• Packet filters (layer 4)
• Bastion hosts
• email servers
• www servers
• ftp servers
• victim machines (or sacrificial goats)
• etc.
• Switches and hubs

13
Rules of Thumb

• Default-deny
• Defense in depth
• Keep it simple
• Take a phased approach
• Plan, plan, plan

14
Hardening a Bastion Host

• Enforce least privilegeapplications and users
  should run with only the privilege level needed
  to run correctly
• Separate portsone or a few fixed TCP/IP ports
  per application. Block the rest.
• Use cryptography
• Dont trust your applications

15
Host Design Steps

1. Minimal OS with the latest service pack.
2. Install only the applications you need.
3. Reapply the service pack and add necessary
   patches
4. Remove/disable unneeded OS components
5. Harden the OS
6. Restrict access to files and other objects.

16
UNIX, Windows, or MacOS X?

• MacOS Xis BSD UNIX, and Apple takes security
  very seriously. Now considered the most secure
  commercially available solution.
• UNIX is preferred over Windowshas better tools
  for building a bastion host and better remote
  management.
• Windows NT/2000in some ways stronger than UNIX,
  but network security is much weakertoo many
  ports open and too many services. Much harder to
  administer if UNIX-style hardening is done. Much
  weaker security if not. YMMV.

17
Windows NT Rules

• NetBIOSavoid. TCP/IP only. Do not connect to the
  public network until fully hardened.
• Never, ever, install MS Office or development
  tools. Remove all unnecessary applications,
  network services, and system processes.
• No LINUX dual boot. Use CYGWIN instead.
• US version of Windows (updated most quickly)
• NTFS
• Standalone member server. No domains. No user
  accounts.

18
Secure Remote Administration of Windows Servers

• Symantec pcAnywhere
• Windows 2000 Terminal Services with IPSec. Use
  File Copy utility from the Server Resource Kit.
• Open Source
• SSH
• Cygwin (UNIX emulation)
• TCP Wrappers
• VNC

19
Backup Policy

• Think about
• Who does backups?
• How often are backups taken?
• Local or network?
• Where are the media stored?
• Who may restore data to the system?
• How often are the backups tested?

20
Remember Bruce Schneiers Three Rules of Security

• Schneier Risk Demystification Numbers do matter
  and are not that hard to understand.
• Schneier Secrecy Demystification Secrecy is
  anathema to security
• Its brittle
• It conceals abuse
• It prevents sensible trade-offs
• Schneier Agenda Demystification Know the agendas
  of the people involved in a security decision.
  That will usually predict their decisions.

21
Conclusions

• You can secure e-commerce, but
• Plan carefully
• Define your policies
• Provide physical security
• Implement access control
• Firewalls
• And manage it carefully

22
After All That, You Still Want to Be Certified

• SSCP
• One year of experience in at least one area
• Three-hour exam in seven areas
• Agree to the code of ethics
• Continuing education
• CISSP
• Three to four years of experience
• Six-hour exam in ten areas
• Agree to the code of ethics
• Background approval
• Continuing education

23
SSCP Knowledge Areas

• Access Controls
• Administration
• Audit and Monitoring
• Risk, Response and Recovery
• Cryptography
• Data Communications
• Malicious Code/Malware

24
CISSP Knowledge Areas

• Access Control Systems Methodology
• Applications Systems Development
• Business Continuity Planning
• Cryptography
• Law, Investigation Ethics
• Operations Security
• Physical Security
• Security Architecture Models
• Security Management Practices
• Telecommunications, Network Internet Security