Protecting Your Network from Web Application Vulnerabilities
An Internet.com Security eBook. © 2011, Internet.com, a division of QuinStreet, Inc.

Contents
This content was adapted from the Enterprise Networking Planet website. Contributors: Paul Rubens and Drew Robb.
• Five Ways to Reduce Your Vulnerability to CSRF Attacks
• Watch for Authentication Bypass Vulnerabilities
• Protect Your Web Apps from Insecure Direct Object References
• Battling Malicious Widgets for Network Security
• Managing Social Media for Network Security
Five Ways to Reduce Your Vulnerability to CSRF Attacks
By Paul Rubens

Are any corporate Web applications running on your network susceptible to cross-site request forgery (CSRF)? It's a question worth asking, because a successful CSRF attack (also known as XSRF, Sea Surf, session riding, hostile linking or a One-Click attack) can have devastating consequences, potentially costing your company a great deal of money or resulting in the loss of confidential information.

What is CSRF?
A CSRF attack causes your Web application to carry out an action (such as transferring money, making a purchase or changing an account password) by making the application believe that the request resulting in this action is coming from an authorized user of the application. That could be an employee at your company, a business partner, or an external customer.

To achieve this, a CSRF attack relies on the fact that many Web applications use nothing more than a cookie with a relatively long expiration time to enable users to continue accessing the application after they initially authenticate themselves. The browser attaches that cookie to every request it sends to the application, regardless of which page caused the request to be made.

For a CSRF attack to work, then, a potential victim first has to use their browser to authenticate themselves and log on to your Web application. As long as the user does not subsequently log out of the application, and until the cookie from the application in the user's browser expires, the user is a potential victim of a CSRF attack.

How Does a CSRF Attack Work?
To carry out a CSRF attack, a hacker places a specially crafted link to your Web application (one that a potential victim is known to use) on some other Web page or in an email. But rather than making the link a standard hyperlink, the hacker typically hides the link by placing it in an image or script tag, with the link as the image's or script's source.

An example of such a link (from Wikipedia) is:

    <img src="http://bank.example.com/withdraw?account=bob&amount=100000&for=mallory">

Now if the victim views the Web page with this "image" on it in their browser, or reads an email containing this link in an email program that uses the browser's HTML rendering capabilities, the browser will attempt to fetch the "image" by following the link. And if the victim has recently logged in to the site, their browser will provide a cookie to authenticate, and tell the Web application to transfer $100,000 from the account "bob" to the account "mallory." In general there is no reason that the victim would know that the transaction has been carried out (at least until they check their bank balance) because the victim's browser would carry out the transaction without displaying any feedback (such as a confirmation Web page) from bank.example.com. Note that moving the action from GET to POST does not by itself close the hole: a hidden form on the attacker's page can be submitted automatically by a few lines of script, and the browser will still attach the cookie.

In the example above, the link is specifically targeted at bob, which limits its usefulness. In practice a hacker is likely to try to use a more generic link that would work with any potential victim who happens to be logged in to your Web application. But crafting a successful CSRF is hard for the attacker precisely because they get no feedback from your Web application during the attack. That means that the attack is only likely to be successful as long as the responses from your Web application are entirely predictable, and involve nothing more than further clicks (for example, to confirm a transaction) which can be included in a script.

So for your Web application to be susceptible to a CSRF attack, it must:
• Allow access to users with nothing more than a valid cookie with a usefully long time before expiry
• Allow transactions to be carried out on submission of a suitable URL (or form) that can be sent from an external site
• Respond in a predictable way

What Can a CSRF Attack Achieve?
Although a CSRF attack can "only" carry out a transaction in a Web application, the results can be very far-ranging indeed. For example, it could result in the victim unwittingly making a forum posting, subscribing to a mailing list, making purchases or stock trades, or carrying out activities such as changing a user name or password. CSRF attacks work on applications protected behind the same firewall as the victim, and can allow a hacker to access an application that has access restricted by IP range if the victim's machine is within that range.

A strange twist on CSRF is called login CSRF, which logs a victim into a Web application using the attacker's credentials. This allows the hacker to log in subsequently and retrieve information about the victim, such as the user's activity history, or any confidential information that has been submitted by the victim.

How to Mitigate the Risk of Your Web Applications Being Vulnerable to CSRF Attacks
1. Limit the time-to-expiration of authentication cookies. The shorter the period in which these cookies are valid, the smaller the window of opportunity for a hacker to exploit your Web application. However, the shorter the period the more inconvenient it is for users. In the end, as is often the case, there is a compromise to be made between convenience and security. Modern browsers also honour the SameSite attribute on a cookie, which stops the browser attaching the cookie to requests initiated from another site and so removes the precondition for the attack altogether.
2. Make users submit additional information before allowing important transactions to be carried out. Requiring a user to solve a CAPTCHA or enter a password before important transactions can be carried out can prevent a hacker from carrying out an attack (as long as the password is not stored in the browser) because this information is not predictable (CAPTCHA) or freely available (password).
3. Use secret non-predictable validation tokens. CSRF attacks work when a session is identified only by the cookie stored in the user's browser. So they can be foiled by having additional session-specific information in each HTTP request that an attacker can't know in advance, and therefore cannot add to a link. The token is generated from a cryptographically secure random source, bound to the user's session on the server, embedded in each form as a hidden field (or sent in a request header), and compared on the server using a constant-time comparison. If the app has an existing cross-site scripting vulnerability it might still enable a hacker to read this validation token, however.
4. Use custom HTTP headers. The XMLHttpRequest API can be used to protect against CSRF attacks if all requests that carry out a transaction use XMLHttpRequest and attach a custom HTTP header, rejecting any such requests that lack the custom header. This is useful because a browser will not let a page send a custom header to another site without first making a CORS preflight request that your server would have to approve; an image tag or an ordinary form submission cannot carry a custom header at all. A transaction therefore cannot be initiated with the header attached from the site that is the source of the CSRF attack.
5. Check the Referer and Origin headers. When a browser sends an HTTP request it usually includes the URL that it originated from in the Referer header, and on cross-site POST requests it also sends an Origin header naming the originating site. You can use this information to block requests that originate from another site instead of from within the Web application itself. An attacker cannot forge either header from inside the victim's browser; the weakness is that the Referer header is not always present (some organizations strip it out for privacy reasons, for example), and a check that lets requests with no header through is easily bypassed. Treat a missing header as a failure and use this as a secondary check alongside tokens rather than as the only defence.
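The following is an added example, not code from the original eBook, showing mitigations 3 and 5 together as a server-side check: a per-session synchronizer token generated from the OS random source and compared in constant time, plus an Origin/Referer check that fails closed when both headers are absent. The `Session` class, the `SITE_ORIGIN` constant and the header and form field names (`X-CSRF-Token`, `csrf_token`) are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origin of the protected application (not taken from the original page).
SITE_ORIGIN = "https://bank.example.com"


class Session:
    """Minimal server-side session record, constructed for this example."""

    def __init__(self):
        self.csrf_token = None


def issue_csrf_token(session):
    """Create a fresh, unpredictable token and bind it to the session.

    The same token is embedded in every form as a hidden field, or sent
    back by XMLHttpRequest in a custom header, and never placed in a URL."""
    session.csrf_token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    return session.csrf_token


def token_is_valid(session, submitted):
    """Constant-time comparison so the check cannot leak the token byte by byte."""
    if not session.csrf_token or not submitted:
        return False
    return hmac.compare_digest(session.csrf_token, submitted)


def origin_is_same_site(headers):
    """Secondary check on Origin (sent by browsers on cross-site POST/fetch),
    falling back to Referer.

    Neither header can be forged from another site inside the victim's
    browser, so the only way a browser request lacks both is a privacy
    proxy stripping them. The safe default is to refuse rather than assume."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def authorize_transaction(session, headers, form):
    """Decision for a state-changing request. Returns (allowed, reason)."""
    if not origin_is_same_site(headers):
        return False, "origin check failed"
    token = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not token_is_valid(session, token):
        return False, "bad or missing csrf token"
    return True, "ok"


if __name__ == "__main__":
    s = Session()
    t = issue_csrf_token(s)
    # A forged request from another page carries the cookie (session) but
    # neither the token nor a same-site Origin, so it is refused.
    print(authorize_transaction(s, {"Origin": "https://attacker.example"}, {}))
    print(authorize_transaction(s, {"Origin": SITE_ORIGIN}, {"csrf_token": t}))
```

The origin check alone would be enough against a browser-based forgery if every browser always sent the header; the token is what makes the check robust when it does not, which is why both are applied.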
Watch for Authentication Bypass Vulnerabilities
By Paul Rubens

Imagine the front door to your house is equipped with heavy duty locks and bolts, but has a giant cat flap big enough for a man to crawl through fitted at the bottom of it. Why would a thief bother picking the locks when he could bypass them all by entering your home through the cat flap?

A vulnerability like this in your home is pretty unlikely, but believe it or not there are many network devices and Web applications that suffer from something analogous: authentication bypass vulnerabilities. These let hackers into networks and Web applications by allowing them to skip the authentication stage that is supposed to keep them out. They are a real treat for hackers because exploiting them is often far easier and less time consuming than other hacking techniques like trying to brute-force passwords.

Authentication bypass vulnerabilities, like buffer overflows, are generally caused by programmers assuming that users will behave in a certain way and failing to foresee the consequences of users doing the unexpected. The Metasploit penetration testing framework includes a number of authentication bypass modules that use techniques such as exploiting buffer overflows in the authentication mechanism, but there are simpler methods that hackers can use as well.

Basic Authentication Bypass
For example, a very basic error that a surprising number of developers make when coding an authentication mechanism for Web applications or network hardware is simply to ask for a user name and password at a login page, and then to allow authorized users unrestricted access to other Web pages without any further checks. The problem with this is that it assumes that the only way to get to the configuration pages is through the login page, but what if users can go directly to the configuration pages, bypassing authentication?

Essentially the router would be relying on security by obscurity, but in practice it is probably not hard for a hacker to find out the exact URLs of the configuration pages. There are a number of ways that this could be done, including:
• Buying or otherwise getting authorized access to a similar piece of hardware and establishing the configuration page URLs
• Finding them out from an online manual or a Web forum
• Sniffing network traffic
• Educated guessing (perhaps remotemanagement.html?)

To prevent this type of simple bypass it is essential that checks are made that the user has been authenticated on every single page, rather than assuming that if a user has reached a given page they must have been previously authenticated.

Changing Fixed Parameters
When an application or device checks that the user has previously been authenticated, it's important that this check is effective. Authentication bypass vulnerabilities will occur if this is not the case. A simple example of this is when a parameter is appended to the end of a URL. For example, imagine a system that uses a parameter "auth" to signify if a user has been authenticated, and prompts for the log in procedure if auth=0, switching it to auth=1 once a successful login has taken place. As long as auth=1, the user remains authenticated and able to access restricted pages. Trying to get to a restricted page, a user's browser might submit:

    http://www.mycorporatewebapp.com/remotemanagement.asp?auth=0

Bypassing this authentication might then be as simple as changing auth=0 to auth=1. The lesson is that authentication state has to live on the server: a query parameter, a hidden form field or a cookie value such as "admin=true" is under the client's control and can never be trusted as proof that a login took place.

Session Prediction/Firesheep
A more sophisticated way of authenticating a user on every page, or "keeping a user logged in," is to send the user a session ID, usually in a cookie, which contains a unique number or string that allows the server to recognize the user as one who has been recently authenticated and entitled to view restricted pages.

Session IDs should be random, making them impossible to predict. That means generating them from a cryptographically secure random number generator with enough bits (128 or more) that guessing a valid one is infeasible. Passing a predictable value such as a counter or timestamp through a hash function makes the IDs look random but adds no unpredictability at all: anyone who can guess the input can recompute the hash. A mistake that some Web developers make is to use session IDs that are predictable, perhaps by incrementing them sequentially, or to randomize only a part of session IDs, making the short random part susceptible to a brute force attack. If a hacker can get access to a valid session ID then they can carry out authentication bypassing by doing a session hijack attack, essentially providing the server with the session ID of someone who has already been authenticated, thereby impersonating them.

Session IDs can be strengthened by linking them to the IP address of the user who originally authenticated, but this is ineffective when the user is connecting from a public Internet spot where everyone, including hackers, has the same public IP address.

The weakness of session IDs in some circumstances was highlighted with the release of a Firefox browser add-on called Firesheep. This exploits the fact that many Web applications such as Facebook carry out initial authentication using a secure SSL connection, but then allow the user to carry on using the application on an unencrypted channel. That means that a user connecting to the application at a public Wi-Fi hotspot sends their session ID over the air in the clear, and Firesheep simply captures it. Armed with a captured valid session ID, Firesheep then makes it trivial to carry out a session hijack by connecting to the application and submitting it, allowing the hacker to bypass authentication completely. In a corporate context, Firesheep highlights a potential weakness with using session IDs on your network if they can be intercepted by a hacker to use for authentication bypass purposes. The fix is to keep the whole authenticated session on SSL/TLS, not just the login page, and to mark the session cookie with the Secure flag (and HttpOnly) so that the browser never sends it over a plain HTTP connection.

Obscuring Restricted URLs
Some Web applications or devices maintain a list of URLs that are restricted and prompt the user for authentication credentials before allowing the user to access these URLs. The question that hackers ask is whether there are alternative URLs, which are not on the "restricted list," which point to the same restricted pages.

For example, imagine a restricted Web page:

    http://mycorporatedevice/admin/configuration/

What if a hacker were to append an extra "/" at the end of this URL:

    http://mycorporatedevice/admin/configuration//

or add some other character like "?" or "%" or "~"? In some cases these URLs are effectively equivalent, even though they look different. If the authentication mechanism only checks for the original URL but not the variations then it can easily be bypassed. The robust approach is to decode and normalize the requested path to a single canonical form before comparing it with the restricted list, and better still to apply the authentication check to every request by default and list the few pages that are public.

SQL Injection
SQL injection can be used to bypass authentication by fooling a login page into evaluating an expression that is always true instead of checking that a login name and password is valid.

So, for example, the authentication mechanism might involve an expression like:

    (authorize a user) WHERE Password='$password'

Using a Web interface, when prompted for his password, a malicious user might enter:

    ABC' or '1' = '1

resulting in the query:

    (authorize a user) WHERE Password='ABC' OR '1' = '1'

The hacker has effectively injected a whole OR condition into the authentication process. Worse, the condition '1' = '1' is always true, so this SQL query will always result in the authentication process being bypassed.

Preventing Authentication Bypass Vulnerabilities
Authentication bypass vulnerabilities can have so many different root causes that it is impossible to give a comprehensive list of measures to take to prevent them. But steps you can take include:
• Use the Metasploit penetration testing framework (http://www.metasploit.com/) to check for known authentication vulnerabilities in your IT infrastructure.
• If you are developing your own authentication code, be alert for possible buffer overflow errors or SQL injection vulnerabilities. Build queries with bound parameters (prepared statements) rather than by pasting user input into the SQL text.
• Be aware of the sorts of vulnerabilities outlined in this article.
• As ever, ensure that your applications are patched and up to date, and your network hardware is running the latest firmware.
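As an added example for the "Obscuring Restricted URLs" section above (this is not code from the original eBook), the following reduces every spelling of a URL to one canonical path before the restricted-list comparison, so the trailing-slash, "?" and percent-encoded variants described in the text all resolve to the same protected page. The `RESTRICTED_PREFIXES` list and the `authorize` gate are assumptions for the example; the page only names /admin/configuration/ as a restricted URL.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Assumed restricted area for the example (not taken from the original page).
RESTRICTED_PREFIXES = ("/admin/",)


def canonical_path(raw_url):
    """Reduce a request URL to one canonical path.

    Strips the query and fragment, percent-decodes twice (so that a
    double-encoded %2563 cannot slip past a single decode), collapses
    repeated slashes, resolves . and .., and drops any trailing slash."""
    path = urlsplit(raw_url).path
    decoded = unquote(unquote(path))
    # lstrip the leading slashes first: posixpath.normpath preserves a
    # leading "//" (POSIX allows it), which would defeat the prefix match.
    normalized = posixpath.normpath("/" + decoded.lstrip("/"))
    if normalized != "/" and normalized.endswith("/"):
        normalized = normalized[:-1]
    return normalized


def is_restricted(raw_url):
    """Compare the canonical form, never the raw URL, against the list."""
    path = canonical_path(raw_url)
    return any(path == p.rstrip("/") or path.startswith(p)
               for p in RESTRICTED_PREFIXES)


def authorize(raw_url, session_authenticated):
    """Deny-by-default gate meant to run on every request, not only on the
    URLs the developer remembered to list."""
    if is_restricted(raw_url) and not session_authenticated:
        return False
    return True


if __name__ == "__main__":
    for u in ("http://mycorporatedevice/admin/configuration/",
              "http://mycorporatedevice/admin/configuration//",
              "http://mycorporatedevice/admin/configuration/?",
              "http://mycorporatedevice/admin/%63onfiguration/",
              "http://mycorporatedevice/public/../admin/configuration"):
        print(canonical_path(u), is_restricted(u))
```

Note that the check is applied to the canonical path, not the raw request line, and that anything beneath the restricted prefix is treated as restricted whether or not it is a real page, so an attacker gains nothing from inventing suffixes such as "~".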
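As an added example for the "SQL Injection" section above (not code from the original eBook), the following runs the page's own payload, `ABC' or '1' = '1`, against two login functions over an in-memory SQLite table with one constructed account: the string-interpolated query the article describes, which the payload bypasses, and the same query with bound parameters, which it does not. The table, the account and the plaintext password column are constructed for the demonstration only; a real application stores salted password hashes.

```python
import sqlite3

# The page's own example input.
PAYLOAD = "ABC' or '1' = '1"


def make_db():
    """In-memory user table with one constructed account (example data only;
    real systems store a salted hash, never the password itself)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by string interpolation, the pattern the
    article describes. The input becomes part of the SQL grammar, so the
    payload turns the clause into (user AND password) OR '1'='1'."""
    query = ("SELECT username FROM users WHERE username='%s' AND password='%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Same logic with bound parameters: the driver sends the values
    separately from the statement text, so a quote in the input is data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, real password:   ", login_vulnerable(db, "alice", "correct horse battery staple"))
    print("vulnerable, payload:         ", login_vulnerable(db, "nobody", PAYLOAD))
    print("parameterized, payload:      ", login_parameterized(db, "nobody", PAYLOAD))
```

The vulnerable version accepts the payload even for a user name that does not exist, because the injected OR makes the whole predicate true for every row.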
Protect Your Web Apps from Insecure Direct Object References
By Paul Rubens

Imagine a malicious hacker could access all your organization's customer account details, or charge an online purchase to someone else's credit card just by changing a couple of digits in a URL. It sounds unlikely, but it's precisely the kind of thing that a hacker can do if your Web applications are susceptible to an insecure direct object reference.

What is an Insecure Direct Object Reference?
The "objects" in question are internal implementation objects such as files, directories, database records or database keys, and a problem occurs when an application exposes a reference to one of these objects in a URL (or form parameter). It's a problem because a hacker can change these direct object references, for example, by altering a URL before it is submitted, to attempt to access a different, unauthorized file, directory or database entry. This attempt may be successful unless some other authorization check is enforced.

Insecure Direct Object Reference Examples
Imagine a Web app that ends up generating the URL:

    http://www.insecurewebapp.com/getfile.cfm?filename=sometextfile.txt

Here there is a very obvious direct reference to a file called "sometextfile.txt," and the temptation for a hacker would be to see what happens when this filename is changed to some other filename, like "passwords.txt" or "accounts.txt."

To succeed like this the hacker would have to correctly guess the name of another file on the system, but a more methodical approach would be to look for something specific elsewhere on the system, using a path traversal attack. Essentially this means accessing a completely different directory from anything the developer of the vulnerable application intended. To access Apache Tomcat usernames and passwords, the hacker might alter the last part of the URL to "filename=../../tomcat/conf/tomcat-users.xml".

Not all insecure direct object references provide access to files, of course. Another type of URL that would be a red flag to a hacker would be one that ended with:

    ...account.cfm?customerid=4566

which leads our hacker to next ask, "what happens if I modify this by changing the customerid to something like 4567?"

Similarly, what happens if a Web application allows a user to select a credit card from one or more stored in a database for that user, referenced by database key:

    <select name="choosecreditcard">
      <option value="35">XXXXXXXXXXXX6002</option>
      <option value="67">XXXXXXXXXXXX1516</option>
    </select>

and the hacker modifies the database key?

Here a user would be asked to select from one of two credit cards, ending in 6002 and 1516, which the application has on file for them, referenced by their database key. In the resulting URL, a hacker would only have to change the 35 or 67 option value to another number, like 36, to reference some other credit card number, belonging to another user, stored with that database key. Unless, as mentioned at the start of this article, there are other authorization checks in force to prevent this, the attack could be successful.

Avoiding Insecure Direct Object References
The best way to avoid insecure direct object reference vulnerabilities is not to expose private object references at all, but if they are used then it is important to ensure that any user is authorized before providing access to them. OWASP (www.owasp.org) recommends establishing a standard way of referring to application objects as follows:
• Avoid exposing your private object references to users whenever possible, such as primary keys or filenames
• Validate any private object references extensively with an "accept known good" approach. This means determining what files a user should be allowed to access, and only granting them access to those files
• Verify authorization to all referenced objects

An illustration of this third point, also provided by OWASP, comes from a code sample in which a hacker could change an ecommerce cart ID parameter to any value:

    int cartID = Integer.parseInt( request.getParameter( "cartID" ) );
    String query = "SELECT * FROM table WHERE cartID=" + cartID;

This can be prevented by only allowing authorized records to be shown:

    int cartID = Integer.parseInt( request.getParameter( "cartID" ) );
    User user = (User) request.getSession().getAttribute( "user" );
    // userID comes from the server-side session, not from the request.
    // parseInt guarantees cartID is a number; for string parameters use a
    // PreparedStatement with bound values rather than concatenation.
    String query = "SELECT * FROM table WHERE cartID=" + cartID
                 + " AND userID=" + user.getID();

An alternative to direct object references, which should be used whenever possible, is to use per user or session indirect object references. In the example earlier a user was asked to select a credit card from a choice of two that exposed direct references to the database of credit cards. A better method would be to take the two credit card records and store them in an array specific to that user. The credit card selection box would be coded like this:

    <select name="choosecreditcard">
      <option value="1">XXXXXXXXXXXX6002</option>
      <option value="2">XXXXXXXXXXXX1516</option>
    </select>

This way there is only a direct reference to an array for that user, containing only that user's data. Changing the option value to a value greater than two would not result in any other user's credit card details being used. The application would then map the user specific indirect object reference (option value=1 or option value=2) back to the underlying database key (35 or 67 in the example earlier).

Testing for Insecure Direct Object References
Unfortunately vulnerability scanners are not very effective at finding insecure direct object reference vulnerabilities, so the best options are:
1. Code reviews to identify whether important parameters are susceptible to manipulation
2. Penetration testing
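The following is an added example, not code from the original eBook or from OWASP, that puts the two defences from the section above side by side over an in-memory SQLite table of credit cards keyed by the page's example database ids (35 and 67 for one user, and a neighbouring 36 belonging to someone else): the unchecked lookup that serves any key it is given, the authorized lookup that also binds the session's user id, and a per-session indirect reference map that issues the small option values 1 and 2 and refuses anything it did not issue. The table layout, the user ids and the `IndirectReferenceMap` class are assumptions for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data: cards for two users, keyed by database id."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cards (id INTEGER PRIMARY KEY, user_id INTEGER, last4 TEXT)"
    )
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?)", [
        (35, 1, "6002"),   # the page's example keys, owned by user 1
        (67, 1, "1516"),
        (36, 2, "4242"),   # the neighbouring key an attacker would try
    ])
    conn.commit()
    return conn


def card_direct_unchecked(conn, card_id):
    """Vulnerable: trusts the client-supplied key, so card 36 is served to anyone."""
    return conn.execute("SELECT last4 FROM cards WHERE id=?", (card_id,)).fetchone()


def card_direct_authorized(conn, card_id, user_id):
    """Direct reference kept, but the query also binds the user id taken
    from the server-side session, so another user's key returns no row."""
    return conn.execute(
        "SELECT last4 FROM cards WHERE id=? AND user_id=?", (card_id, user_id)
    ).fetchone()


class IndirectReferenceMap:
    """Per-session map from small opaque indices ("1", "2", ...) to real keys.

    Only objects this user may see are ever entered, so a tampered option
    value cannot name anything else; it simply fails to resolve."""

    def __init__(self, conn, user_id):
        rows = conn.execute(
            "SELECT id FROM cards WHERE user_id=? ORDER BY id", (user_id,)
        ).fetchall()
        self._to_direct = {str(i + 1): row[0] for i, row in enumerate(rows)}

    def options(self):
        """Values to place in the <option value=...> elements of the form."""
        return list(self._to_direct)

    def resolve(self, indirect):
        """Real database key for an index issued to this session, else None."""
        return self._to_direct.get(str(indirect))


if __name__ == "__main__":
    db = make_db()
    print("unchecked, key 36 as user 1:", card_direct_unchecked(db, 36))
    print("authorized, key 36 as user 1:", card_direct_authorized(db, 36, 1))
    refs = IndirectReferenceMap(db, 1)
    print("options shown to user 1:", refs.options())
    print("tampered value 36 resolves to:", refs.resolve(36))
```

With the indirect map, the form never carries a database key at all, so the only thing a hacker can change is an index into a list the server built from that user's own records.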
Battling Malicious Widgets for Network Security
By Drew Robb

Web 2.0 makes it easy for users to share content with each other. When widgets get compromised via Web application vulnerabilities or other means, Web 2.0 sites can end up serving malware even if those sites are not directly hosting the malware themselves.

How prevalent are these threats?

"Seventy percent to 80 percent of threats propagate through Web application layer attacks instead of network layer attacks, yet most of the security budget is allocated to network-layer attacks," said Neil Daswani, CTO and co-founder of Dasient. "There will be a shift over the next few years where increasing parts of the security budget will get spent on application layer defenses to match the current threat landscape."

Widgets, of course, are pieces of code that can be used to render a part of a Web page. They often provide some piece of functionality of an overall Web page. For instance, a widget can be used to render an ad or a video. At the same time, a widget does not always have to add something visual to a Web page. Some of the most popular ones, for example, do not render any content, but just gather information about site visitors to allow website owners to conduct audience measurement and learn about their user base.

According to Dasient, the most popular widgets are: those used for audience measurement such as Google Analytics, Quantcast and ScorecardResearch; advertising widgets by DoubleClick and Google AdSense; Google Ajax Widgets; and Facebook Widgets.

They are sometimes referred to as "third-party" widgets when the site that is using the widget is not the site that built the widget: the code and function that is provided by the widget comes from another site. So can drive-by downloads occur by exploiting structural vulnerabilities that exist in third-party widgets?

"While the widgets themselves are legitimate, cybercriminals will compromise them and/or serve malicious code through them to spread malware," said Daswani.

That in turn leads to all kinds of problems. Malware ends up posted on legitimate sites which then causes these sites to become blacklisted by Google, Yahoo and other search engines and browsers. Reason: when a website uses a widget to render a part of a page, the site owner is effectively giving control of that part of the page over to a third party. In fact, a widget included as a script tag runs with the full privileges of the including page, so the third party controls the whole page, not just the widget's corner of it. If that third party gets compromised, the site owner is often not in the best position to have visibility or take action to mitigate the issue.

Preventing Malicious Widgets
"Websites should take preventative steps to vet third-party widgets that they use on their site," said Daswani. "However, even though a third-party can be secure at the time of vetting, they could get compromised anytime thereafter. As such, website owners can have the third-party widgets on their sites monitored so that they can quickly react to security issues that may arise from them."

Vetting and monitoring can be backed by technical containment: loading a widget in a sandboxed iframe rather than as an inline script, and restricting script sources with a Content Security Policy, limits what a compromised widget can reach. Subresource Integrity hashes pin a script to known content, but only help for scripts whose content is fixed, which most analytics and ad loaders are not.

Research by Dasient reveals that most of the high-traffic sites on the Web depend on a relative handful of similar widgets. Thus a fairly narrow line of vigilance over widgets can reap big rewards.

"Compromise of just a few popular widgets can be used to turn most trafficked websites on the Internet into distribution vehicles for malware," said Daswani.

If you follow the pattern of audience measurement and advertising widgets that have been compromised, it shows the same few widgets over and over again. Most of the top 1000 sites on the Web, per survey, are dependent on the most popular widgets.

"Such widgets can be targeted by cybercriminals to spread a mass Web-based malware attack against the most highly trafficked part of the Web," said Daswani. "The good news is that the top widgets do not have dependencies on each other."
Managing Social Media for Network Security
By Brian Proffitt

Managing network security is all about controlling the attack surface.

If your network users need to communicate with services A, B and C through channels X, Y and Z, it's not impossible (with a little elbow grease) to manage the potential attack surfaces in the network and control the security risk. When it was all about communication with email and a few Web applications, network security could be better managed, because you knew where the potential holes were and could close them off when new threats were revealed.

But now network managers have a whole new attack surface to manage: the vast multitude of potential entry points to a network created by the use of social media sites. And as social media services get more robust, the potential for a security breach goes up almost exponentially for both your organization and individual users themselves.

It's become a well-known scenario: an employee visits a social media site on a corporate machine during some idle time and ends up picking up a piece of malware from one of the dozens of trojans that proliferate through that site. That malware may just turn the machine into a spam generator, if you're lucky. More sophisticated malware will log keystrokes and provide the malware author with plenty of authentication information from your network.

Users themselves are particularly at risk while using social media sites, because if one of their social media accounts gets compromised, it's a fair bet their password will be repeated on other sites. This leaves them vulnerable to being hacked on banking and commerce sites, which can impact their productivity as they spend days if not weeks trying to get their online and financial identities back in order. Not to mention what happens if they use the same password for your network.

Depending on the brazenness of a criminal targeting your company, your very organization can even be put at risk. A recent story on Inc. related the tale of a manufacturing company undergoing an expansion of their warehouse and announcing it to the world at large on their corporate blog, Facebook and Twitter.

"As the day for the big move approached, they told customers about potential shipping delays, but said they'd return with better service than ever.

"On the first day, several men wearing the uniforms of a well-known logistics company showed up to help with the move. With dozens of legitimate workers swarming around the site, they blended in easily and no one questioned them as they loaded equipment into their own van. They drove off before anyone realized they were interlopers," the article related.

This kind of incident is rare, but virtual criminal activity doesn't have to remain virtual; reports of armed robberies and assaults around Craigslist-initiated sales meetings are also on the rise.

Social Networking Security Policies: Should You Ban?
As a networking manager, it's not your responsibility to keep employees safe from harm on their own time. But there are some policies you can consider implementing that will decrease the size of your network's attack surface and, if implemented with a fair dose of training, will also keep your co-workers safe on their own machines.

One policy that bears exploring is the straightforward banning of social media activity on your network. That may indeed be necessary, if your organization's Internet policy already discourages personal use of company assets. It's a little hard to police that kind of policy on email, since you can't really tell what messages are personal or business without treading into privacy waters. But unless the user is with sales or marketing, it's a pretty reasonable assumption that they aren't on Facebook or Foursquare for business reasons.

Of course, this won't make you popular, and it doesn't address the larger problem of social media: it's still very easy to phish for information across social media networks. Phishing attacks are rampant on all forms of communication, but they are especially troublesome on social media because it's not that hard to fool someone. If open source guru Simon Phipps tweets me a link from @webmink, will I notice that it's really from @webmink2 before I click the link to a fake login page? Hopefully yes, but if I'm not paying attention, I could just as easily be fooled.

Education and Password Management
Most experts agree that a two-pronged solution is needed to control the size of the social media attack surface in your organization.

The first is purely an educational tactic: deliver the message to users that if they are using social media, they must never assume that a link or software download is actually from a friend, even if it's from their friend's account. They need to challenge such receipts and confirm that the package was indeed intended to be delivered.

The second approach is to enforce better password management. This is partly educational, since you will need to convince users that it's in their best interests to have different passwords for each network and service they visit anyway. But you have some control over this, as well: implement a password policy that will enforce a password change every month. Even if the user has used like passwords across multiple sites, it is very unlikely that will continue to be the case after a month or two of resetting passwords on your network. They may still have a problem with a single password for multiple sites, but your network won't be one of them. A caveat: current guidance (NIST SP 800-63B) no longer recommends routine forced rotation, which tends to push users toward predictable variations of the old password; screening new passwords against lists of breached passwords, requiring multi-factor authentication and issuing a password manager address the reuse problem more directly.

On the broader problem of social media as a corporate attack surface, make sure you impress upon the people in your organization who do use social media to do their jobs that care should be taken in sharing information about the company or its employees. Social media is a great tool to reach customers, but it's not just your customers who are listening to what your company has to say. Think about risk in every corporate statement, even a tweet.