csci5931 Web Security
Case Study: A Forensic Lesson for Web Security (MSS, part one)

A Hacked E-commerce Site
- A security officer’s nightmare!
- Users’ passwords got stolen!
- Customers’ credit card numbers were exposed.
- Merchandise was purchased online using the stolen credit cards.
- The company’s reputation was ruined.
- The CIO or security officer’s job is at stake.
- …

Case Study: A Forensic Log
- Page 2 of the MSS book: five groups of log entries (a, b, …, f)
- The company’s firewall was configured to block all traffic except web traffic on port 80 (HTTP) and port 443 (SSL).
- The intruder exploited a vulnerability in the index.cgi script to list the content of the system password file.
- Q: What vulnerability was exploited?

Analysis of the Hacking Incident
- Pages 2 to 9
- What knowledge and skills does a “successful” hacker need to possess?
  - Understanding of Web server operation, scripting language used, activation mechanisms
  - Understanding of operating system commands
  - Lots of patience and some luck
- Anything missing from the list?

Could the Incident Have Been Prevented?
- Yes. There exist “stronger” security technologies to counter the potential attacks.
- Examples?
  - Elimination of source code exposure
  - Set-up of a DMZ
  - Enforcement of access control lists
  - The “least privilege” rule
  - …
- See an overview of common solutions in GS Chapter 1.

Lessons Learned from the Case Study
- A firewall does not guarantee a secure e-commerce site. Why?
- Security auditing has its limits. Why?
- Strong password protection may not be enough. Why?
- The bottom line: The secure operation of a web site requires a mixture of protection mechanisms, each taking care of one of the many components and links in an N-tier web-based application, and all together delivering a secure web site.

Next
- Review of N-tier web-based applications
- Review of cryptography
- Java security model