Hack Proofing Your Ecommerce Site: The Only Way To Stop A Hacker Is To Think Like One
Ryan Russell
We would like to acknowledge the following people for their kindness and support in making this book possible.
Richard Kristof and Duncan Anderson of Global Knowledge, for their generous access to the IT industry's best courses, instructors and training facilities.
Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.
Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Bill Richter, Kevin Votel, and Brittin Clark of Publishers Group West for sharing their incredible marketing experience and expertise.
Mary Ging, Caroline Hird, Simon Beale, Caroline Wheeler, Victoria Fuller, Jonathan Bunkell, and Klaus Beran of Harcourt International for making certain that our vision remains worldwide in scope.
Anneke Baeten, Annabel Dent, and Laurie Giles of Harcourt Australia for all their help.
David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.
Kwon Sung June at Acorn Publishing for his support.
Ethan Atkin at Cranbury International for his help in expanding the Syngress program.
Joe Pisco, Helen Moyer, and the great folks at InterCity Press for all their help.
Ryan Russell (CCNA, CCNP) is the best-selling author of Hack Proofing Your Network: Internet Tradecraft (ISBN: 1-928994-15-6). He is MIS Manager at SecurityFocus.com, has served as an expert witness on security topics, and has done internal security investigation for a major software vendor. Ryan has been working in the IT field for over 11 years, the last 6 of which have been spent primarily in information security. He has been an active participant in various security mailing lists, such as BugTraq, for years. Ryan has contributed to four Syngress titles on the topic of networking. He holds a Bachelors of Science degree in Computer Science. Ryan wishes to thank Karen Mathews at the U.S. Department of Energy for her assistance in preparing Chapter 10.
Mark S. Merkow (CCP) has been an Information Systems professional since 1975, working in a variety of industries. For the last 12 years he has been working for a Fortune 50 financial services company in Phoenix, AZ. Mark holds a Masters in Decision and Information Systems from Arizona State University's College of Business and is completing his Masters of Education in Educational Technology at ASU's College of Education, specializing in developing distance learning courses. Today he serves as an e-commerce Security Advisor working with both internal and external Web designers and developers. Mark has authored or co-authored six books on computer technology since 1990, including Breaking Through Technical Jargon, Building SET Applications for Secure Transactions, Thin Clients Clearly Explained, Virtual Private Networks For Dummies, A Complete Guide to Internet Security, and The ePrivacy Imperative. In addition, Mark is a computer columnist for several local, national, and international print publications, along with an e-zine hosted at Internet.com.
Robin Walshaw (MCSE, DPM), author of Mission Critical Windows 2000 Server Administration (ISBN: 1-928994-16-4), is an independent consultant who architects security and infrastructure solutions for large corporations around the globe. By applying a combination of sound business sense and technical insight, Robin is able to design and deliver scalable solutions targeted at enabling the enterprise to effectively leverage technology. With a flair for developing strategic IT solutions for diverse clients, he has worked in the world of computers in 8 countries, and has traveled to over 30 in the last 10 years. A veteran of numerous global projects, Robin has honed his skills across a wide variety of businesses, platforms, and technologies. He has managed to scratch his head and look slightly confused in the world of security, network operating systems, development, and research.
Having traversed the globe and seen its many beautiful wonders, Robin is still captivated by the one thing that leaves him breathless: Natalie, his wife. She is a light against the darkness, a beauty whose smile can melt even the coldest heart.
Teri Bidwell (GCIA) has been involved in Internet security for over 10 years as an analyst, engineer, and administrator and is a SANS-Certified GCIA Intrusion Analyst. Her career began securing Unix networks at the University of Colorado and continued as a Cisco network engineer and DNS manager for Sybase, Inc. Today, Teri is a security analyst for a firm headquartered in Reston, VA. She is a key contributor to corporate security strategy and is an advisor for e-business development. Her specialties include policy creation, vulnerability assessment, penetration testing, and intrusion detection for corporate environments.
Teri received a Computer Science degree from the University of Colorado and sits on the SANS GCIA Advisory Board. She currently lives and works in Boulder, CO with her family, Clint, Wes, and Michael.
Michael Cross (MCSE, MCP+I, CNA) is a Microsoft Certified System Engineer, Microsoft Certified Product Specialist, Microsoft Certified Professional + Internet, and a Certified Novell Administrator. Michael is the Network Administrator, Internet Specialist, and a Programmer for the Niagara Regional Police Service. He is responsible for network security and administration, programming applications, and is Webmaster of their Web site at www.nrps.com. He has consulted and assisted in computer-related/Internet criminal cases, and is part of an Information Technology team that provides support to a user base of over 800 civilian and uniform users. His theory is that when the users carry guns, you tend to be more motivated in solving their problems.
Michael owns KnightWare, a company that provides consulting, programming, networking, Web page design, computer training, and other services. He has served as an instructor for private colleges and technical schools in London, Ontario Canada. He has been a freelance writer for several years and has been published over two dozen times in books and anthologies. Michael currently resides in St. Catharines, Ontario Canada with his lovely fiancée Jennifer.
Oliver Steudler (CCNP, CCDP, CSE, CNE) is a Senior Systems Engineer at iFusion Networks in Cape Town, South Africa. Oliver specializes in routing, switching, and security and has over 10 years of experience in consulting, designing, implementing, and troubleshooting complex networks. He has written articles on TCP/IP networking, security, and data communications and also co-authored another Syngress title, Managing Cisco Network Security (ISBN: 1-928994-17-2).
Kevin Ziese is a computer scientist at Cisco Systems, Inc. Prior to
joining Cisco, he was a senior scientist and founder of the Wheelgroup
Corporation, which was acquired by Cisco Systems in April of
1998. Before founding the Wheelgroup Corporation, he was Chief of the
Advanced Countermeasures Cell at the Air Force Information Warfare
Center.
L. Brent Huston earned his Associate of Applied Science degree in Electronics at DeVry Technical Institute (Columbus, Ohio) in 1994. He has more than 10 years of experience in IT, mostly in the areas of cyber security testing, network monitoring, scanning protocols, firewalls, viruses and virus prevention formats, security patches, and hacker techniques. As President and CEO of his own information security company, MicroSolved, Inc., he and his staff have performed system and network security-consulting services for Fortune 500 companies and all levels of governmental facilities. He is well versed in the use and implementation of all the major security tools and appliances. In the past, Brent developed "Passys", a passive intrusion detection system for Unix, and has also identified previously unknown security vulnerabilities in Ascom routers, Windows NT, and Linux operating systems.
Brent is an accomplished computer and information security speaker and has published numerous white papers on security-related topics. Recently he was involved in the laboratory testing of major firewall appliances at his company's central Ohio facilities. This testing was to prove the worthiness of each appliance as well as possible vulnerabilities that had not as yet been established by their parent companies. He reported his results both to the individual product companies and at a national security industry presentation. Brent is also currently engaged with the Office of Independent Oversight and Performance Assurance in Columbus, OH. He was responsible for designing and implementing a state-of-the-art cyber security testing and research lab for this office and several DOE national laboratories have utilized his expertise to perform network penetration and detection services. Such services have required a high security clearance from Brent. Brent is an Internet Security Systems Certified Engineer, Sidewinder Firewall Certified Administrator, IBM Secure Network Gateway Certified Administrator, and Phoenix Firewall Certified Administrator.
Foreword
avoid the trap of recommending ill-defined "black-box" hardware solutions, a trap that other books in the field often fall into.
This book shares a feature in common with many Syngress books: It teaches why along with how. This is especially critical in the world of information security because technologies evolve at such a rapid pace and are also incredibly diverse. There are as many different ways to piece together an e-commerce site as there are e-commerce sites. It wouldn't be possible to anticipate any given reader's configuration. We present material that is designed to make you think. We want you to be able to take the information presented and adapt it to your situation.
We really hope you enjoy this book. You'll notice that Syngress offers an "Ask the Author" feature on their Web site for folks who have purchased the book. Please take advantage of that; we'd love to hear from you.
Ryan Russell, CCNA, CCNP
Chapter 1: Applying Security Principles to Your E-Business
Introduction
Security in the virtual world of the Internet is even more confusing than in the real world we inhabit. Buzzwords and marketing hype only serve to add to the puzzle. Vendors and free products abound, but according to the experts, the Internet world is becoming more dangerous every day. How can that be? How can all these solutions from so many directions not solve even the basic problems?
The answer is not simple because the problems are so complex. Security is difficult to create and maintain. Security is messy. The problem is that the online world was built around a system of protocols and rules, but unfortunately, those rules are not always followed. The complexity of today's computer systems and software applications often creates programs that act in a manner unforeseen by the Internet's operational guidelines. Add to that scenario a few humans who insist on testing the rules and purposefully acting unexpectedly, and you have a huge potential for a rather large mess.
Attaining and maintaining suitable levels of security also requires resources. It requires people with the technical and business skills in balance. It requires time, energy, and of course, money. Security is not cheap. Products and training and doing things the right way are usually more expensive in the short term than taking shortcuts and cutting corners, but in the long run, security protects the assets that your organization depends on for survival.
Given all these dynamics, the concept of security can be seen as an ever-changing ideal that encompasses these threats and adapts as they adapt, like a living process. Security is most assuredly a journey and not a destination.
The easiest starting point on that journey is from the ground up. In the e-commerce world, those who benefit the most from security's elusive protections are those who started the process with security firmly in mind. While it is possible to apply security to existing sites, the implementation is often more difficult than starting the process anew.
In this chapter, we discuss how to bring security into focus from the start, what roles it should play, and how to get it included in the budget of a project. We also talk about how to justify its ongoing existence and measure its successes. For those of you who are tasked with defending an existing e-commerce site or other Web presence, we will explore the roles you should play in your organization and the process by which you can improve your site's security posture.
Security as a Foundation
The easiest, and many agree, the best way to create a secure environment is to start with security in mind. This means applying the principles of secure operation as the foundation upon which the rest of the project will be built. The primary principles of security are confidentiality, integrity, and availability. To succeed, the project must address these principles in all phases and applications.
Confidentiality
Confidentiality is the most widely known of the principles. Businesses have been dealing with confidentiality since commerce began. Today, it is a basic expectation of consumers that their personal information will be protected from disclosure. Vendors also expect a level of confidentiality to protect custom pricing, custom scheduling, and contractual details of their transactions with your company. Yet, as widely accepted as the concept of confidentiality is, it remains difficult to execute. Companies are in the news regularly because information about clients, vendors, or the politics of business relationships has become known.
Towards the end of 2000 a prominent U.S. hospital discovered that its security infrastructure had been breached and the confidentiality of 5,000 patient records had been violated. The risks to confidentiality do not stop with access to data; credit card details are illegally obtained from Internet facing systems, then used or sold, with alarming frequency. Some analysts have estimated that online credit card fraud incurs damages worldwide to the tune of $9 billion annually. Information is possibly one of the most valuable assets most companies possess; losing it or caring for it negligently could spell disaster and possibly even ruin.
If your company had exposed the records of these clients, what would the damage to your bottom line have been? How would your company deal with such a situation?
Integrity
Integrity is perhaps the most difficult of the principles to achieve, yet it is the most vital of the three. Businesses must manage and maintain the integrity of the information with which they are entrusted. Even the slightest corruption of that data can cause complete chaos. The myriad of decisions based upon that integrity range from the basic business operation to the growth plans of the business long term. Over the centuries, various methods have evolved for building and maintaining the integrity of information. The double entry accounting system, the creation of jobs such as editors and proofreaders, and the modern checksum methods are all technical advances aimed at creating integrity. Yet, even with these modern tools and all the attention paid to the process over the years, integrity remains one of our greatest concerns. Integrity is something we almost take for granted. We assume that the database system we are using will maintain the records of our sales correctly. We believe that our billing system is smart enough to add the items on a customer's bill. Without some form of integrity checking, neither of these situations may be true. Integrity of information can have an even larger impact on an organization.
Imagine a computer virus that infected your accounting systems and modified all the sevens in your Excel spreadsheets, turning them into threes. What would the effect of those illicit modifications mean to your business? What steps would your organization take to recover the correct figures and how would you even discover the damage?
Availability
Last, but not least, of the three principles is availability. Availability is the lifeblood of any business. If a consumer can't get to your business to purchase your goods, your business will soon fail. In the e-commerce world, where every moment can directly translate to thousands of dollars in sales, even downtimes of less than an hour can do immense financial damage to a company. Consider the amount of damage done to your company if your Web site became unavailable for four hours, which is the length of time that most vendors used as a benchmark for turnaround time in the pre-Internet world. Such an outage in e-commerce could cost tens of thousands of dollars, as we will see in Chapter 2. How long could your company continue to do business if your Internet presence was destroyed? How much money per hour would your organization lose if you could not do business online?
Security also entails a three-step process of assessment, revision, and implementation of changes (see Figure 1.1). This continual process of evaluation and feedback is necessary to adapt processes and products to the ever-changing conditions of the online world. As hackers examine existing software and hardware systems and discover new vulnerabilities, these vulnerabilities must be tested against your own systems and changes made to mitigate the risks they pose. The systems must then be tested again to ensure that the changes did not create new weaknesses or expose flaws in the systems that may have been previously covered. For example, it is fairly common for software patches and version upgrades to replace configuration files with default settings. In many cases, this opens additional services on the box, or may re-enable protocols disabled by the administrator in a previous configuration. This ongoing process of evaluation strengthens the three principles and ensures their continued success.
Figure 1.1 The Continual Security Assessment Process
Based on these ideas and the scenarios that can occur when the three principles are not managed well, you can see why building security from the ground up is so important. Building the three principles into a business certainly requires work and planning. Security is neither easy to accomplish nor easy to maintain, but with proper attention, it is sustainable.
Presenting Security As More Than a Buzzword
Security must be more than a buzzword or a group within your organization. Security needs to be on the mind of every employee and in the forefront of the day-to-day operations. Security staff members need to work as partners or consultants to other groups within the company. They need to remain approachable and not be seen as "Net cops" or tyrants. They need to allow for dialogue with every employee, so that they can make suggestions or bring to their attention any events that seem out of place.
Security works best when all employees are attentive to situations that may expose customers to danger or the site to damage. The key to achieving this level of awareness is education. Education is the tool that disarms attackers who prey on miscommunication, poorly designed processes, and employee apathy. Such attacks, often called "social engineering" by hackers, can be devastating to a company and its reputation. The best way to defend against these attacks is to educate your employees on your policies regarding security and customer privacy. They also need to see those policies being followed by all members of the team, from management down to the entry-level employees. They need reminders, refreshers, and periodic updates whenever changes to the procedures are made. In other words, security has to be an attitude from the top down. The highest levels of management must support the policies and their enforcement for long-term success to be achieved and maintained.
The security team also requires the support of management. A universal attitude of cooperation must be presented and maintained across all lines of business with the security group. Every employee needs to feel that the security group is approachable and they should have no fear of reporting things that seem suspicious. Employees need to know exactly whom to contact, and they need to be treated with respect instead of suspicion when they talk to the security team and its members.
The Goals of Security in E-Commerce
Security plays a very important role in e-commerce, and is essential to the bottom line. While e-commerce done correctly empowers your company and the consumer, e-commerce done poorly can be devastating for those same participants. The goals of security in the commerce process must be to:
- Protect the privacy of the consumer at the point of purchase.
- Protect the privacy of the customers' information while it is stored or processed.
- Protect the confidential identity of customers, vendors, and employees.
- Protect the company from waste, fraud, and abuse.
- Protect the information assets of the company from discovery and disclosure.
- Preserve the integrity of the organization's information assets.
- Ensure the availability of systems and processes required for consumers to do business with the company.
- Ensure the availability of systems and processes required for the company to do business with its vendors and partners.
These goals are a starting point for the creation of a good security policy. A great security policy, as described in Chapter 4, will address all of these goals and lay out processes and practices to ensure that these goals are met and maintained. Think of your security policy as your first line of defense, because from it should come all the processes and technical systems that protect your business and your customer.
Any security measures you implement without a policy become de facto policies. A policy created that way was probably created without much forethought. The problem with unwritten policies is that you can't look them up, and you don't know where to write the changes.
Planning with Security in Mind
Building the foundation from a secure starting point is very important. For this reason, the three principles have to be applied to the process from the beginning stages of planning. Examine the business plan and apply the aspects of confidentiality, integrity, and availability. Ask your staff and yourself questions such as:
- How are we going to ensure the confidentiality of our customers?
- How will we protect our business information from disclosure?
- What steps are we taking to double-check the integrity of our data gathering?
- What processes are we using to ensure that our data maintains integrity over time?
- How are we protecting ourselves against the loss of availability?
- What are our plans for failure events?
As the business plans begin to take shape, apply the three principles to them. Keep the principles involved continually as the planning evolves, and you will find that your questions give birth to scenarios, and those scenarios lead to solutions.
Spend time thinking about the threats to your site. Profile the flow of likely attacks and determine the probable ease of their success. For example, if an attacker wanted to gather customer financial information, could he or she simply compromise your Web server and gain access to it? There have been countless examples of situations exactly like this one, where what should have been a simple Web server compromise ended up exposing sensitive customer data to the attackers. Had those credit card numbers and other information been stored on a separate machine, or better yet, on a more protected network segment, the attacker may not have been able to harvest it. Avoid single points of failure. Ensure that compromise of one network component does not jeopardize your entire operation. Apply these scenarios to each step of the plans and revise them until you have resolved the apparent issues.
An example scenario for this process might include something like this: If an attacker used the latest exploit of the week to gain access to your Web server, what other systems could be easily compromised? In a recent, all too real example, a client called me when this had happened. The attacker had used the Unicode exploit (see Rain Forest Puppy's page at www.wiretrip.net/rfp/p/doc.asp?id=57&iface=6 for more details on Unicode) against my client's Web server to gain access to the file system. After uploading a Trojan horse program, they quickly managed to grab the Repair password file and crack Administrator access to the system. Unfortunately for my client, the attacker had compromised the system that they had designated to be the Domain Controller for all the Web server systems in the DMZ. They had chosen, unwisely, to deploy a Windows Domain for easier systems management of the Web servers and the server they used to allow vendors to pick up orders from their site. Their primary e-mail server and their FTP server were also members of the same domain. Each of these systems was, in turn, compromised by the attacker. By the time the damage had been discovered, each of these systems had to be removed from service and completely rebuilt. Their partners were advised of the damage, and they lost valuable time and money, not to mention confidence in their company by their partners. To date, that single mistake of making each of the systems a member of a Windows Domain instead of stand-alone servers has cost them thousands of dollars and several IT managers their jobs. Even small miscalculations can have large ramifications on security.
Understand that for every scenario and threat that you think of, dozens of others may exist or may come to exist in the future. Don't be alarmed if you feel like you have only thought of the most basic threats. This very act of preparation and scenario development will create large amounts of awareness to the issues encompassed in the three principles. In addition, your team's ability to handle security incidents down the road will be increased as you become more familiar with details of your business process.
At the end of this process, you should have some basic plans for your site. One of the best ways to organize this planned information is in a chart that details your risks and how you plan to mitigate them. An example is shown in Table 1.1. These examples are basic, and you should certainly have many more than this, but it is a start to give you the idea of a framework.
Table 1.1 Sample Risk Mitigation Chart

Phase of E-commerce Process: Consumer Check-out
Explanation of the Risk: An attacker could monitor the transmission of the credit card and consumer data.
Strategy for Risk Mitigation: We will use SSL encryption to protect the information as it travels across the Internet.

Phase of E-commerce Process: Credit Card Data Transfer to the ISP Credit Systems
Explanation of the Risk: An attacker could monitor our credit card batch file when we transfer it to the ISP credit card system each hour for processing.
Strategy for Risk Mitigation: We will use SecureFTP to send the data down an SSH tunnel to prevent sniffing attacks.

Phase of E-commerce Process: Any Phase
Explanation of the Risk: An attacker could compromise our database server that we use to store our client's personal information and purchase history.
Strategy for Risk Mitigation: We will protect the server by removing all unneeded services and installing a file system checksum program to alert us to changes. We will also locate the server in a separate DMZ segment and only allow encrypted transfer through a SQL proxy to interact with the system.

Phase of E-commerce Process: Any Phase
Explanation of the Risk: An attacker could seek to shut us down by flooding our network.
Strategy for Risk Mitigation: We will protect ourselves by using redundant servers and a load balancing router. We will also be prepared to implement traffic blocking access control rules on the ISP router by calling their help desk line.
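The "file system checksum program to alert us to changes" that Table 1.1 proposes for the database server is the same control that catches the problem described under Availability, where a patch silently restores default configuration files and re-enables services. The following is an added example, not code from the book: it records a baseline of file digests and permission bits, then reports what a (simulated, constructed) patch changed. Directory layout, file names and the patch's effects are all made up for illustration.

```python
"""Baseline-and-compare file integrity check (added example, not from the book).

Run build_baseline() before a patch, save it, then compare() against a fresh
baseline afterwards. Anything added, removed, modified or re-permissioned is
exactly what the post-patch re-test in the chapter is meant to catch.
"""
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root) to its digest and mode bits."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            mode = stat.S_IMODE(p.stat().st_mode)
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": _digest(p),
                "mode": oct(mode),
            }
    return baseline


def save_baseline(baseline: dict, path: Path) -> None:
    """Persist the baseline; in practice keep this copy off the monitored host."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences as added, removed, modified (content) or mode_changed."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            if baseline[rel]["sha256"] != current[rel]["sha256"]:
                report["modified"].append(rel)
            if baseline[rel]["mode"] != current[rel]["mode"]:
                report["mode_changed"].append(rel)
    return report


def demo(root=None) -> dict:
    """Constructed scenario: an admin hardens a config file, then a simulated
    patch restores the vendor default, relaxes its permissions and drops in a
    config for a service that had been removed. Returns the change report."""
    if root is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(Path(d))
    etc = root / "etc"
    etc.mkdir(parents=True, exist_ok=True)
    cfg = etc / "httpd.conf"          # hypothetical file name
    cfg.write_text("Listen 443\nLoadModule status_module off\n")
    cfg.chmod(0o600)
    before = build_baseline(root)
    save_baseline(before, root / "baseline.json")
    # --- simulated patch ---
    cfg.write_text("Listen 80\nListen 443\nLoadModule status_module on\n")
    cfg.chmod(0o644)
    (etc / "ftpd.conf").write_text("anonymous_enable=YES\n")  # unwanted service back
    after = build_baseline(root)
    # exclude the baseline file itself from the comparison
    after.pop("baseline.json", None)
    return compare(load_baseline(root / "baseline.json"), after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A real deployment would hash the whole configuration tree and service-definition directories, and store the baseline somewhere an attacker who gains the host cannot rewrite it.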
Security during the Development Phase
The steps involved in translating the plans established into actual prod-
ucts and processes can be very dangerous to the security principles.
Often, compromises must be made to facilitate budgets, timeffames, and
technical requirements. Many times, these compromises impact the
overall security of a project.
The single best way to ensure that the underlying security of the
project remains intact through the development phase is through con-
tinual involvement. As each process or product is defined, apply the three
principles to it and revise the definition to answer the scenarios you cre-
ated in the planning process. If compromises must be made that impact
the security of the project, carefully profile those changes and create a
list of the risks involved in them. This list of risks will become important
in the implementation phase, as it gives you a worksheet for problems
that must be mitigated through the combination of technology, policy,
and awareness. Often, compromises in key areas will have a major impact
on attempts to secure other dependent areas. Be sure that attempts to
save a dollar when building an underlying component don't cost you
ten in trying to patch the pieces sitting on top.
Each process and product must be carefully examined to define the
various risk factors involved. Attention to detail is highly important in
this step, as is the cross-examination of a process or product by the var-
ious team members. Each of the team members will have his or her area
of concern, and thus will bring a different angle of examination to the
table. This cross-examination, or "peer review," often creates stronger
designs and more secure solutions. In fact, peer review can be a very
helpful tool in your policy creation tool box as well. The whole concept
is to pass each policy or development process by each team member
allowing each to comment on the process or policy from their point of
view. At the end, someone, usually the original author, edits all the com-
mentary back into the policy or process to create a better end product.
Peer review is often done across the board for policies, technical infor-
mation, and new processes before they are released to the general public.
After each of the processes has been defined and developed, recon-
vene the examination team to review the complete procedure from
beginning to end. Many times, during the combination of the various
discrete processes into the overall product, security holes are created
inadvertently through the communication and storage of information.
Two components may not be insecure on their own, but can create a
hole when they interact. An example might be two e-commerce systems
that both store their information in encrypted databases but interact
with each other, moving that same information over an unencrypted
link. In this example, the vulnerability is not in the database servers, but
in the method used to communicate with each other. Examine these
types of scenarios carefully. Again, revise the processes as required, or
note the accepted risks for mitigation during the implementation phase.
Implementing Secure Solutions
The most important thing to remember as your business moves into the
implementation phase is to only bring systems online after they have been
thoroughly tested and established as being secure. The largest danger faced
in this phase is that the systems will be rushed into operation before they
have been thoroughly evaluated. Securing your systems after they have
been brought online could leave you vulnerable for long enough to allow
an attacker to plant a backdoor for later attack, or to compromise the
system at that time. Securing an already compromised setup is not only
futile, it is often very difficult to detect. The moral of the story is: Don't
bring it online until you know it is ready for the world.
The evaluation of your systems involves using the tools and processes
outlined in Chapter 8. Mainly, the process is to test your actual imple-
mentation against the three principles. Automated tools are used to
examine each component and to determine the risks and weaknesses
associated with them. Vulnerabilities may have been created through mis-
configurations, last-minute technical revisions, or unforeseen issues with
a software program or hardware device. Repair of these vulnerabilities
may include applying patches, reengineering processes or network seg-
ments, or other changes. It is very important to evaluate each of these
modifications in regard to the surrounding security and to reevaluate the
systems from scratch once they have been applied.
Once you have successfully secured your environment and processes
down to the level of your accepted risks, it is time to mitigate those issues
through a combination of technology, policy, and awareness. Begin by
using your list of accepted risks to create a policy to deal with them.
Security policies are the backbone of your system of defense. These poli-
cies act as the basis for determining actions, system configurations, and
the types of devices you will use to secure your network. They should be
generated by your security staff, in conjunction with team members from
Human Resources, your legal team, and the group that is developing and
implementing your site. Involving these other teams in the policy cre-
ation will establish not only a sense of trust, but also a more open policy.
It is easy to establish a restrictive, draconian security policy, but very diffi-
cult to create one that balances corporate, technical, and legal factors
while still allowing the business to perform its needed functions.
Ensure that all of these issues are added to your security policy, and
then implement technical systems to enforce those policies in real time.
Systems such as firewalls, intrusion detection systems, and monitoring
tools can be used to mitigate the risks you have accepted as an inherent
part of your process.
Once you have mitigated your risks, you can begin to bring your
systems online and offer access to the public. Many sites choose to roll
out their systems in phases of deployment, while others release the entire
site at once. Making this selection depends on your site and the level of
staffing resources you have to handle situations as they arise. Remain
attentive as the site begins to become popular. Carefully watch your pro-
cesses and continue to evaluate your performance against the three prin-
ciples. Remember, security is a journey and not a destination.
Managing and Maintaining Systems
in a Secure Environment
One of the most complicated issues surrounding an e-commerce site is
the secure management and maintenance of the systems involved.
Software systems require periodic patching as programmers repair security
and functional problems. Hardware devices may require patches as well as
physical maintenance. Log files have to be monitored, backups have to be
performed, and the systems have to be administered for day-to-day opera-
tion. In addition, all of these events are expected to occur without com-
promising security or impacting the operation of the business.
In the pre-Internet days, data systems had scheduled outage times to
handle maintenance and administration issues. However, in today's 24-
hour consumer environment of the online world, sites must be available
at all times to consumers or they will simply take their business else-
where. Thus today, system operators and e-commerce businesses must
strive for zero downtime and lower impact on the site to perform these
management functions. This is made possible by hardware that is more
powerful, faster networks, and redundancy for mission-critical systems.
Day-to-day management is mainly performed through automated
processes on systems remote from the mission-critical systems to take
advantage of speed and to reduce the danger of human error. Secure
tunnels transfer log files and other monitoring information across our
networks to prevent unauthorized observance and discovery. Devices
communicate events back to common monitoring stations via commu-
nications bursts to alert operators and administrators that events have
occurred or that they need attention. Administrators may then remotely
access the systems across these secure tunnels or by physically visiting the
machines if required.
Keep in mind that while the process of managing these machines
seems largely automated, it still has inherent risks. Software packages
require continual patching as vulnerabilities are discovered and repaired.
Each of these patches could cause unexpected behavior in your environment.
Vendors do test their patches, but the complexities and individualization
of today's Internet sites make it impossible for them to test their
software for every circumstance. In addition, the slightest change to your
network components could also have a vast impact on the security of
your site. As administrators change out equipment for maintenance or
replace components or applications with new revisions, they may acci-
dentally introduce misconfigurations or other weaknesses into your site.
The method used to avoid these issues is to continually evaluate your
site against your known baselines. If new vulnerabilities or risks appear,
changes may have been made. These changes may be the result of new
vulnerabilities that have been discovered or the result of changes made
to components. Either way, these vulnerabilities must be immediately
mitigated through repair or by managing them through your combina-
tion of technology, policy, and awareness. The only way to ensure the
long-term security of your site is to continually assess it, revise it, and
implement the changes required to mitigate your risks. To help you
maintain the process, the flow chart shown in Figure 1.2 can be used as
a reference.
Figure 1.2 Continuous Evaluation Process
[Flow chart; boxes recoverable from the image: Perform Assessment; Yes/No decision on whether new risks were found; Research Patches/Fixes; Apply Patches/Fixes; Create Other Methods for Mitigating the Risks; Begin Again at Next Interval.]
Applying Principles to Existing Sites
While it is optimal to begin the e-commerce process with security in
mind, it is possible to apply the three principles of confidentiality,
integrity, and availability to already operational sites as well. In fact, since
much of the site development work is done, these sites are often able to
apply greater time, effort, and money to securing their environment.
The process of applying the three principles to existing sites differs a
bit from new sites, but many of the concepts are the same. Obviously,
the principles themselves don't change, nor does the cycle of continuous
security assessment. However, what does change is where and when
these tools begin to be applied. For example, beginning the assessment
process on your existing site could damage your production systems, so
most sites begin by testing their development environment or a mirror
of their production environment created just for the purpose of testing.
They then begin to apply the revisions and patches to these test systems,
giving them time to examine the impact before making these changes to
the production site. Always remember, though, that security fixes are a
race against the clock as attackers may be probing for those vulnerabili-
ties while you are testing the fixes. The major effort here is to limit the
size of this window of opportunity without causing damage to your site.
It All Starts with Risk
Whether you choose to start with your test environment or take the
risks of auditing your production site, the beginning point for applying
the principles is to identify risks. The same tools from Chapter 8 are
again used to perform an audit of your processes and applications to
determine what vulnerabilities and risks already exist. Each of these
risks must then be examined, and your site either fixed or revised to
provide mitigation.
Depending on the complexity, nature, and size of your site, you may
discover a few vulnerabilities, or thousands. Check out www.cve.mitre.org
for a dictionary of known vulnerabilities. Each of these vulnerabilities
may vary in its significance, from allowing an attacker to gain
information about your network to allowing someone complete access to
your most critical systems at the highest level. The tools used to perform
the audit should explain, in detail, the risks associated with each vulnera-
bility. Keep in mind that in some circumstances, minor and medium vul-
nerabilities could be used to create major problems within your site, and
could even be used to create denial of service (DoS) conditions.
Fix the Highest Risks First
Once you have the report of your vulnerabilities and have examined the
impact of the findings on your environment, begin to put the actions
required for fixing them into order based on the levels of risk.
How do you know the level of risk for each vulnerability? Easy.
Relate the risks to the real assets that you need to protect. By taking
the time to identify company assets, the risk evaluation process gets
much easier. Spend time thinking about your company and the business
it does. What assets does the company hold that are valuable to it?
Where are those resources located and how are they protected? Use the
peer review process to create a detailed list of these assets and then relate
the risks to that list. If any risk has even a remote possibility of
compromising those assets, then that risk gains the highest priority. A risk
that requires several conditions to be met before it can impact an asset
gains a medium level, while the lowest risks are those that have little
impact on any critical asset. Again, use peer review to ensure that you
have an accurate view of the priorities for the risks you have developed.
Fix those vulnerabilities with the highest risk first. Often, it is a good
idea to mitigate these risks through additional means (such as by
blocking the appropriate ports at the firewall or at border routers) while
your staff works toward implementing the patches and modifications. In
general, ensure that each and every process or application running on
your production systems is up to the highest and most current patch
levels and versions. Pay special attention to the popular services such as
DNS, HTTP, SMTP, SNMP, FTP, POP, IMAP, and security-related applications
such as firewalls or intrusion detection programs.
By repairing the highest risks first, you help your site to protect its
mission-critical information and systems. When creating the priority of
vulnerabilities, always remember to take into consideration other mitiga-
tion strategies and the criticality of the systems impacted and their data.
In other words, if the audit tool reports a high risk vulnerability on a
system that is not mission critical or that handles no mission-critical data
and/or is adequately protected by a firewall, it may fall in priority when
compared to a vulnerability that allows an attacker access to a database
that holds customer information for a short time during gathering and
initial processing, but is accessible from the public Internet. For this
reason, information from the audit tools must be parsed by comparing
the actual impact to your environment.
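As an added illustration of the ranking rule above (example code, not from the book), here is a small Python scorer: it applies the high/medium/low rule to audit findings and then the criticality-and-mitigation adjustment just described, using constructed assets and findings. Treating one or more attacker preconditions as "multiple conditions" is an assumption made for the example.

```python
"""Risk ranking for audit findings, following the chapter's rule: a finding
that can compromise a protected asset outright is high priority, one that
needs several conditions met first is medium, and one with little impact on
any critical asset is low. The "parsing" step is then applied: a high finding
on a non-critical, firewalled system holding no critical data drops a level.
Assets, findings and the threshold choices are constructed for this example."""
from dataclasses import dataclass

HIGH, MEDIUM, LOW = "high", "medium", "low"
RANK = {HIGH: 0, MEDIUM: 1, LOW: 2}


@dataclass(frozen=True)
class Asset:
    name: str
    mission_critical: bool     # the business cannot run without it
    holds_customer_data: bool  # personal information, purchase history
    internet_exposed: bool     # reachable from the public Internet
    firewalled: bool           # adequately protected by a firewall


@dataclass(frozen=True)
class Finding:
    ident: str                 # scanner reference (constructed)
    asset: Asset
    scanner_severity: str      # what the audit tool reported; used only to break ties
    preconditions: int         # conditions an attacker must first satisfy
    affects_asset: bool        # can it compromise the asset at all?


def base_level(f: Finding) -> str:
    """Even a remote possibility of compromising an asset is high priority;
    needing extra conditions first is medium; little impact on any asset is low.
    (Assumption: one or more preconditions counts as 'multiple conditions'.)"""
    if not f.affects_asset:
        return LOW
    return HIGH if f.preconditions == 0 else MEDIUM


def adjusted_level(f: Finding) -> str:
    """Compare the scanner's view with the real environment: a finding on a
    system that is not mission critical, handles no customer data and sits
    behind the firewall (not Internet exposed) falls one level."""
    level = base_level(f)
    a = f.asset
    shielded = a.firewalled and not a.internet_exposed
    if level != LOW and shielded and not a.mission_critical and not a.holds_customer_data:
        level = MEDIUM if level == HIGH else LOW
    return level


def prioritize(findings):
    """Highest risk first; ties broken by the scanner's own severity, then id."""
    return sorted(findings, key=lambda f: (RANK[adjusted_level(f)],
                                           RANK.get(f.scanner_severity, 3),
                                           f.ident))


# Constructed sample: the chapter's own contrast between a "high" finding on a
# protected non-critical box and a database of customer data reachable from
# the Internet.
PRINT_SERVER = Asset("print-server", False, False, False, True)
ORDER_DB = Asset("order-db", True, True, True, False)
WEB_FRONT = Asset("web-front", True, False, True, False)

SAMPLE_FINDINGS = [
    Finding("F-1", PRINT_SERVER, HIGH, 0, True),   # scanner says high
    Finding("F-2", ORDER_DB, MEDIUM, 0, True),     # direct path to customer data
    Finding("F-3", WEB_FRONT, LOW, 2, True),       # two conditions needed first
    Finding("F-4", WEB_FRONT, MEDIUM, 0, False),   # information disclosure only
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{adjusted_level(f):6} {f.ident} on {f.asset.name}")
```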
After you have parsed and prioritized your work, begin the process
of applying the fixes and revisions to your environment. Remember to
allow sufficient time, traffic, and use to measure the impact of the
changes before replicating them into your production environment.
Then proceed through your list, applying the changes to the various
affected systems. When you have finished and documented your work,
then begin the process again to ensure that your modifications have not
created new issues.
Management and Maintenance
during the Patching Process
The primary reason to test the modifications required to mitigate your
risks is because of the unpredictability of computer programs and sys-
tems. Many times, the software or hardware fixes issued by a vendor or
programmer affect the operation of those systems at a very deep level. In
fact, the changes required may affect the very core processes or routines
of the system. Because of this, these changes may actually create addi-
tional security risks or cause the system to perform in a new way.
Many examples have come to light in which software patches cre-
ated by vendors to fix vulnerabilities have failed to solve the issue,
resolved the problem incompletely, or created additional security prob-
lems. Discussions of these issues have found their way into many public
forums such as Bugtraq and Usenet. The moral of the story here is that
each patch really does need to be evaluated, and each system will require
testing after applying the fixes. Failure to follow that model could result
in disaster!
Impact of Patching on Production Systems
Applying patches to your production systems does not have to be a
major risk. The solution is to create an environment that mirrors your
production site and test the fixes there first. However, in some cases, a
vulnerability may be so dangerous as to require immediate action or risk
damage to your customers and your business. In this case, it may be
necessary to apply patches directly to your production systems; do so only
if there is no alternative. If at all possible, at least test the installation pro-
cedure on a staging machine, which normally only takes a short amount
of time.
In such times when you must patch your production systems
without adequate testing of the fix, here are some steps to help you
manage some of the risks you face:
1. First, before applying the patch, make a complete backup of the
entire system.
2. Also before applying the patch, use cryptographic signatures or
hash totals to validate the true authenticity of the patch code.
Trojan horse patches are not unheard of.
3. After applying the patch, carefully monitor the CPU usage,
memory statistics, and general operation of the server for a
period of no less than one week. This will give the system time
to experience variances of traffic and use that may exist.
4. Immediately after applying the patch, begin a complete auto-
mated scan of the system for new vulnerabilities or unexpected
behaviors (remember to monitor the statistics above during
the scan).
5. If the patch does not perform as expected, or the software
behavior changes in a way that causes you concern, reload the
backup data from step 1. Research the patch and test the process
again before your next attempt.
If at any time you feel the system is behaving in an unexpected way
or if the patch does not resolve the security problem immediately, stop
and contact the vendor or programmer for support with the issues.
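As an added example, not from the book, the following Python puts two of the controls named in this chapter into code: the file system checksum program from the risk table (baseline the site, then report any file that is added, removed or modified) and step 2 of the patching list above, checking a patch's hash against the vendor's published value before it is applied. The directory layout, file contents and the "published" hash are constructed.

```python
"""Two of the chapter's controls in one place: a file-system checksum
baseline that alerts on changed files (the risk table's database-server
mitigation) and validation of a patch's hash before it is applied (step 2 of
the emergency patching list). Directory layout, file contents and the
"vendor-published" hash are constructed for this example."""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Baseline: relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """What drifted since the baseline; any non-empty list is an alert."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def verify_patch(patch: Path, published_sha256: str) -> bool:
    """Accept the patch only if its hash matches the value the vendor
    published out of band (on its site, not inside the patch bundle)."""
    return hmac.compare_digest(sha256_of(patch), published_sha256.lower())


def demo() -> dict:
    """Constructed walk-through: baseline a site directory, check a patch,
    apply it, and report the drift the checksum program would alert on."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site"
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "bin" / "httpd").write_bytes(b"httpd v1.0")
        (root / "etc" / "httpd.conf").write_text("Listen 443\n")
        baseline = snapshot(root)

        patch = Path(tmp) / "httpd-1.1.patch"
        patch.write_bytes(b"httpd v1.1")
        published = hashlib.sha256(b"httpd v1.1").hexdigest()  # vendor's value
        trusted = verify_patch(patch, published)
        rejected = not verify_patch(patch, "00" * 32)          # tampered copy

        # Apply the patch: the binary changes and a new module appears.
        (root / "bin" / "httpd").write_bytes(patch.read_bytes())
        (root / "bin" / "mod_ssl.so").write_bytes(b"new module")
        drift = compare(baseline, snapshot(root))
    return {"patch_trusted": trusted, "bad_patch_rejected": rejected,
            "drift": drift}


if __name__ == "__main__":
    print(demo())
```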
The Never-Ending Cycle of Change
One thing is for sure: patches and security vulnerabilities are here to stay.
As our systems and software programs grow in useful features and bells
and whistles, they also grow in complexity. With so many lines of code
and so many programmers working on the products today, bugs and vul-
nerabilities are a surety. As vendors and programmers scramble to
respond to the security issues as they are discovered, there is more and
more pressure on them to release patches in a shorter amount of time.
Some vendors respond by publishing fixes that are not completely tested
or that simply hide the problem instead of solving it.
While you can never be totally sure of the impact of a patch or
modification, you can hedge your bet by implementing proper controls
on the patching process. Steps such as creating a mirrored test network,
authenticating the origins of a patch before installing it, and creating
good communications channels with your vendors and staff members
will take you a long way toward safety.
A large multi-national financial institution was in the process of
upgrading their worldwide firewall infrastructure to a different product.
Taking stability as a priority, they decided to implement the most
mature, but not most current, version of the firewall. During the global
rollout a new and unexpected vulnerability was discovered, effectively
exposing the institution to risk. The question now was whether to halt
the current upgrade cycle and patch the newly installed firewalls or to
continue the implementation and instigate a patching regime after
deployment. Before the deployment had even completed, a change cycle
was required!
By assessing the risks and applying the basic security principles the
company arrived at the conclusion that their best option was to com-
plete the deployment and patch the deployed firewalls after completion.
This decision turned out to be the right one, due in no small part to the
fact that they understood how to patch their infrastructure and their
levels of exposure.
Developing a Migration Plan
Have a plan for performing these patches and modifications on your sys-
tems. Put into effect a framework for testing the patches, and create rules
for what testing must be done before implementing the changes on your
production systems. Such policies are called migration plans.
Migration plans also begin with risks, just like an assessment. The
plan outlines which systems and components at your site are considered
mission critical, and defines the systems that fit into lesser categories as
well. The migration plan is used to determine when a vulnerability is
of the most urgent nature or when it resides lower in the queue. From
there, the plan illustrates how the administrators should handle patches
and modifications to each category of system. It defines the steps to be
followed for authenticating a patch and backing up a system, as well as
the testing required for a patch to be approved for implementation on
the production site. It may also require peer review of the patched
system, or documentation of the changes for archival by a systems man-
agement group. The migration plan is simply the administrator's guide to
making changes in your organization.
Many frameworks for migration plans exist online today and can be
used as templates for customizing the processes to your site. Microsoft
offers some basic templates for use with their products to develop and
publish migration plans. The Microsoft tools are available at
www.microsoft.com/technet/iis/enfortem.asp. Using a search engine
such as Google (www.google.com), it is easy to search for specific
migration planning tools for your environment. Other resources include
books on the subject and software packages that create the plans for you
through interview style or electronic templates. Many sites include their
migration plan in their security policies or their general employment
policies as well. However you care to publish it, be sure that it exists and
that your staff is following it.
How to Justify a Security Budget
The most common problem with implementing security in any organi-
zation is finding the budget to get the people, tools, and time to perform
the process. Security staff members are generally well compensated.
Security tools and products are often expensive. In many organizations,
the time required to apply security to processes is considered prohibitive.
When security measures are working correctly, management generally
doesn't have to worry about them. In the "New Economy," being first to
market or timely in delivery is often more profitable in the short term
than being secure. With all of these obstacles, how can you justify the
budget you need to bring and maintain security at your site?
Over the years, several methods have been tried. Some have suc-
ceeded and many have failed. In many cases, what ultimately brings the
security budget is an attacker. In most organizations, the knee-jerk
reaction to a security incident is to throw money at the problem. This,
however, is the wrong model to follow. The primary issue is that damage has
usually already been done in one form or another, and the event may
very well be a devastating one that causes a major loss of consumer con-
fidence and thus an immense amount of financial damage.
The better solution is to use one of the strategies described in the next
sections; these strategies build awareness of the security issues and make a
case for the continued existence of information security in your organization,
although they both can have negative possibilities. Let's call the first
one the yardstick approach, and the second one the fear tactic approach.
The Yardstick Approach
I have had the most success with this one. In this tactic, we use security
and risk as yardsticks to measure the gains that security measures have
made for the organization. Basically, we try to convert the security pro-
cesses we have already created into a dollar amount versus the dollar
amount of the damage that we might have faced should we have accepted
those risks without mitigation. Dollar amounts seem to work the best,
although I have also tried labor hours and other units of measure.
The first step in this process is to create a realistic risk profile for
your site. Do this by examining the traffic flowing into your site from
the Internet. One common method is to deploy an intrusion detection
system outside of your firewall and use that to create baselines of the
scans, probes, and attacks that you are seeing on a weekly basis.
Extrapolate the data and calculate those figures into whatever timeframe
you wish to use.
Next, review the attacks seen by the intrusion detection system
(IDS) and estimate the amount of damage those attacks might have been
able to do to the organization should they have been successful.
Remember that IDSs are like virus scanners; they must be updated fre-
quently to be effective. The easiest way to estimate the damage is to esti-
mate the time required to rebuild the devices in the event of a
compromise. If the device attacked is a mission-critical device or handles
sensitive data, make a special note of that to use as collateral damages.
You may be amazed to discover the amount of attacks that are actually
going on. I have seen sites being probed several times a minute!
Lastly, throw into this mix the actual numbers estimated from any
security incidents or damages that your site may have experienced in the
last year or so. These numbers have extra leverage because your manage-
ment is probably already painfully aware of the events and the damages
that have been suffered. For these situations, show the processes that you
have either implemented or plan to implement to mitigate these risks
from reoccurring. Use real numbers instead of estimates where possible.
Now take these figures and chart them against your existing security
budget. Develop the details into a full presentation and get in front of
your upper management to explain them. If your numbers turn out as
most do, you will be able to demonstrate that there is vast savings being
generated through the risk mitigation steps that you have already taken.
Don't forget to explain the probable damage from exposure of mission-
critical systems or data to attack. Plot out worst-case scenarios and
mention them, but don't be too strong with them. Your strategy here is to
simply make a business case for your budget, not to cause fear or doubt.
Figure 1.3 is an example of such a chart.
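An added worked calculation of the yardstick figures (example code, not from the book): it reads an IDS baseline from constructed alert lines, derives attacks per week, prices each exploit attempt at the targeted host's rebuild time (with a multiplier on mission-critical hosts standing in for the collateral damage noted above), annualizes the result and nets it against the budget. The alert format, rebuild hours, labor rate and multiplier are all assumptions.

```python
"""Yardstick calculation: turn an IDS baseline gathered outside the firewall
into an estimated loss the site was exposed to, annualize it, and set it
against the security budget. The alert format, host rebuild figures, labor
rate and collateral multiplier are constructed for this example."""
from datetime import date

# Constructed IDS alerts: date, signature, targeted host (two weeks observed).
SAMPLE_ALERTS = """\
2001-03-05 portscan web-front
2001-03-05 portscan mail-relay
2001-03-06 rpc-exploit dev-box
2001-03-07 web-cgi-exploit web-front
2001-03-08 portscan web-front
2001-03-10 sql-exploit order-db
2001-03-11 portscan dev-box
2001-03-12 rpc-exploit dev-box
2001-03-14 web-cgi-exploit web-front
2001-03-17 ftp-exploit mail-relay
2001-03-18 sql-exploit order-db
"""

# host -> (hours to rebuild after a compromise, mission critical?)  [constructed]
ASSETS = {
    "web-front": (16, True),
    "order-db": (40, True),
    "mail-relay": (8, False),
    "dev-box": (6, False),
}
LABOR_RATE = 75.0     # dollars per rebuild hour (constructed)
COLLATERAL = 3.0      # multiplier for mission-critical hosts: the chapter's
                      # "collateral damages" note, sized here as an assumption
SCANS = {"portscan"}  # reconnaissance: counts as an attack, nothing to rebuild


def parse_alerts(text):
    """Parse 'YYYY-MM-DD signature host' lines into (date, sig, host) tuples."""
    alerts = []
    for line in text.splitlines():
        if line.strip():
            day, sig, host = line.split()
            alerts.append((date.fromisoformat(day), sig, host))
    return alerts


def days_observed(alerts):
    days = [a[0] for a in alerts]
    return (max(days) - min(days)).days + 1


def attacks_per_week(alerts):
    """The baseline rate the chapter asks for (scans and probes included)."""
    return len(alerts) / (days_observed(alerts) / 7)


def rebuild_cost(host):
    hours, critical = ASSETS[host]
    return hours * LABOR_RATE * (COLLATERAL if critical else 1.0)


def observed_damage(alerts):
    """Damage had every exploit attempt succeeded. Each distinct
    (week, host, signature) is one rebuild; repeats within the same week are
    not double counted, and pure scans cost nothing."""
    start = min(a[0] for a in alerts)
    seen = set()
    total = 0.0
    for day, sig, host in alerts:
        if sig in SCANS:
            continue
        key = ((day - start).days // 7, host, sig)
        if key not in seen:
            seen.add(key)
            total += rebuild_cost(host)
    return total


def annualize(amount, days):
    """Extrapolate an observed-period figure to a year, to the nearest dollar."""
    return round(amount * 365 / days)


def yardstick(alert_text, budget):
    """Annual exposure the existing controls stood between the site and,
    versus what those controls cost."""
    alerts = parse_alerts(alert_text)
    exposure = annualize(observed_damage(alerts), days_observed(alerts))
    return {
        "attacks_per_week": attacks_per_week(alerts),
        "annual_exposure": exposure,
        "budget": budget,
        "net_benefit": exposure - budget,
    }


if __name__ == "__main__":
    print(yardstick(SAMPLE_ALERTS, 130_000))
```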
Figure 1.3 A Security Budget Yardstick Slide from PowerPoint
Using this method to build a business case for a security budget has
worked in many companies of various sizes and markets. By appealing to
the financial processes of the organization with clear, concise, and factual
information, we bring a better view of the security situation to light,
and we do so without causing fear and doubt, which can sometimes
backfire on the security team.
A Yardstick Approach Case Study
I once used the yardstick approach to assist in growing the security
budget of a client with whom I was working. The client was a network
facility for a major university and they were experiencing large numbers
of attacks on a continual basis. They had deployed some basic security
measures to protect the student, faculty, and business information of the
school, but wanted additional funding to grow the security staff and
build some protection systems for a new business-partnered research
facility that they were building.
They already had a basic firewall and some internal IDS systems
deployed in their organization, and these tools were mitigating most
of the attacks. The only incidents they had experienced had been a
compromise of a departmental e-mail system and a simple Web page
defacement of a Web server in their demilitarized zone (DMZ) segment.
I followed the process of deploying an IDS outside of their firewall
and discovered several interesting things:
• They were experiencing scans and probes on an average of one
attack every half-hour.
• A UNIX system in their DMZ had been compromised and was
being used as a distribution site for pirated software.
• Their internal routers and firewall were misconfigured and were
passing nonroutable Internet Protocol (IP) addresses to the
public Internet.
While the last item is simply a matter of network nicety, they were
giving away the address schemes used behind the firewall. The real value,
however, was the frequency of the detected attacks and the fact that they
had a compromise in progress that could have caused a large amount of
bad publicity and embarrassment to the school and its staff members.
We used the same formulas mentioned previously and estimated that
attacks to the school would have cost the university in the neighbor-
hood of half a million dollars in lost time and labor costs in the last year.
We balanced this against the approximate costs of the firewall and the
internal protection systems combined with the salary wages, taxes, and
benefits for a total of approximately $130,000 over the last year. We
created a short presentation from these figures and delivered it at the next
budget meeting. The outcome was amazing. The university nearly dou-
bled the security budget for the following year and provided for two
additional team members to be hired. It was a complete victory.
Possible Results of Failure
Not all of the attempts to use the yardstick approach have been suc-
cessful. There are times when the approach has caused management to
perceive that the security team had been less than effective. Sometimes
the figures show that the security budget outweighs the threat levels and
the value of the assets that are being secured. If this is the case, presenting
the figures to management may be damaging to your team. You also
should revisit the strategies you have used to secure your site, try to
determine where the cost factors were too high, and evaluate the costs
of keeping those solutions in place over time.
Another side effect of failing with this approach is that it often
causes a loss of morale amongst your security team. They may feel
devalued or unappreciated by the management team. The best way to
combat this situation is to really work hard on building awareness in the
coming year. You may need to create a "security evangelist" within your
team and send him or her out to build excitement and educate the
other members of your company.
Side effects of failure with this strategy are usually fairly easy to manage, and they reach less far than the side effects of a failed fear tactic approach. In addition, failing with this strategy often leaves room for another try during the following budget cycle, and you may find that you achieve consistent victories after the first year of failure. This approach makes sense to management staff, and they often respond favorably to it. Try it with your site before you attempt the fear tactic approach.
The Fear Tactic Approach
The second strategy I have used to justify a security budget is the fear tactic approach. I have come to see this approach as a sometimes-necessary evil. This is a very common approach and it can be a very damaging
situation if this strategy fails to convince the management team. In addi-
tion, I have seen even successful use of this tactic cause the end of
careers for others in some organizations.
The whole point of this tactic is to use fear to raise awareness.
Success depends on the reaction of management when confronted with
a horrifying scenario or profile; the desired outcome is a knee-jerk
reaction of providing resources to make the scenario go away.
Occasionally, though, the opposite happens and the management team
goes after the messengers, on the grounds that the security team has
failed to protect them from these situations.
www.syngress.com
Even though this tactic raises the level of fear, uncertainty, and doubt
in the organization, it is often very successful in raising the level of
awareness. Tools such as penetration tests, real-life security incidents, and
information warfare scenarios are the basis for this strategy. The bottom line is to figure out what would hurt the organization and, if it is realistically possible, either demonstrate it or explain it. The worst-case scenario is usually easy to understand in the most basic terms, and more often than not it brings about the desired results.
Use the fear tactic approach only as a last resort or when manage-
ment will not respond to other methods. The results of the methods
used in this approach are often controversial and may cause political
damage to the security team if the process is not carefully managed,
monitored, and controlled. While tools such as penetration testing
and information warfare techniques may seem flashy, they can be
dangerous if they are misused or get out of control. Always select
qualified teams for this type of activity, create a well-defined scope
of work, and maintain regular communication with participants.
A Fear Tactic Approach Case Study
A few years ago I had a client that had tried many different approaches
to raising security awareness in his company. He was a high-level
director in the Information Technologies section of a software company,
and he reported directly to a vice president. His company was a fast-
growing firm, mainly through the acquisition of competing companies.
Security had always been an afterthought for their organization, and he
feared that things had gotten out of control.
Inside the company, several groups had created their own networks
and private connections to the Internet. Additionally, as they acquired
new companies, these groups were rapidly connected to the internal
networks and allowed to maintain their own connections to the
Internet. Devices were popping up on the company networks at the rate
of several systems a day, and they had no control over the deployment
and no idea what all was out there. To make matters even worse, they
had deployed no internal control methods, many of the employees in the
purchased companies were openly hostile, and they were being rushed
to market with a new e-commerce product offering. My client felt that
things had to change before major damage occurred.
His team had tried, unsuccessfully, to raise awareness using the stan-
dard methods. They had created user groups, performed internal evange-
lism, hosted various security meetings, had outreach seminars for
developers, and much more. Finally, as a last resort it was decided that
they needed a vulnerability analysis and penetration test to give the com-
pany examples of the risks they were facing from the public Internet.
The tests began after all the contracts were finalized and the scoping of
the testing was performed and agreed upon. Immediately, risks became
vulnerabilities, and within hours, many systems were compromised. A soft-
ware development group had left their systems unprotected and connected
to the Internet. These systems were used as launching points to attack the
internal network. Over the next few days, my team compromised many
systems and thousands of accounts, finally ending with the capture and
compromise of their newly deployed e-commerce systems.
In the weeks that followed, we created reports and gave presentations
to many of their management teams and IT staff members. There were a
few political situations, but overall management was responsive when
confronted with the truth. The security group received their additional
funding, and staff members were added as well as supplemented with
consultants. Over the next year, the director rebuilt the network,
deployed the e-commerce systems in a more secure fashion, and today is
well on his way to regaining control and establishing safe management.
New systems are no longer added to the network without appropriate
migration planning, and connectivity is becoming centrally managed.
They have added a complete incident response process and intrusion
detection measures. While not all of the uses of this strategy end this successfully, this was one case where things turned out well.
Possible Results of Failure
The fear tactic approach is not without its drawbacks. As noted earlier, there are times when it has come back against the security team itself: management ends up feeling that the team has not been doing its job and blames it for the current problems. While this is not common, it is certainly a risk when dealing with this strategy.
Political problems often arise from this approach as well. Groups that
are exposed as having been vulnerable are often blamed for the damages,
or may become difficult to work with in the future. The best way to
control this side effect is to continually reinforce that individuals are not
to blame, but that the whole process requires change and better control.
Extra effort to build relationships with the affected groups and offers of
assistance with repair are often helpful as well.
Another problem with fear tactics is that sometimes management
responds by creating a rush to "get secure." Often this problem leads to
large-scale panic and chaos. The best method to avoid this problem is to
create a step-by-step process for implementing the required solutions
prior to presenting the results of the testing to the management team. In
this way, you can better control the responses and demonstrate that you
have a plan for resolving the issues without the need for panic. Careful
application of the repair process can bring value to the security team
and enhance its image within the company.
Additionally, a fear tactic often leads to a cycle of breaking systems to
prove that they are insecure, rather than reaching a point where security
operations happen proactively. The greatest danger here is to those systems that the team is not able to prove vulnerable; they may go unrepaired even though you know an attacker with the proper skill level or resources could compromise them. For example, your security team may not have the resources to develop a working exploit for a specific buffer overflow, but attackers may already have a working tool that is not public knowledge. If you are caught in this cycle, you will
need to break out of it by immediately stepping back and using an
approach such as the yardstick method discussed earlier. Continuing to
feed the "prove it or lose it" cycle only does your team and your organi-
zation a disservice.
Even with all of its negatives, this approach is the most common method used for raising awareness in an organization. That familiarity often leads management to distrust its results and methodologies: they have heard similar scenarios many times and feel that the security team is crying wolf. If this is the case, you have to be able to demonstrate real-world exercises that lead to serious damage for the site and its clients. You also have to be able to deliver the solutions if they fund them, or you may find yourself polishing your résumé.
Security as a Restriction
One of the largest challenges facing security teams today is the nature of
how they are perceived. In many organizations, the history of the secu-
rity team is intertwined with the roles of physical security guards. Many
of these security teams are seen by their co-workers as little more than
Net cops or computer guards. In addition, since the security team often works with the Human Resources team whenever an acceptable-use problem occurs, the other employees of the company sometimes see the security team in a bad light.
These images and perceptions cause damage to the security process.
By alienating the other employees, it becomes more difficult for the
security team to perform its duties. The team members will receive less
and less cooperation and will become unable to properly interface with
the other groups.
The reason that this situation develops is that the wrong images are
being portrayed to the other employees. The image is that security is a
restriction. Often, this situation arises immediately after the implementa-
tion of controls or monitoring software is put into place to better
manage the use of network resources or performance during business
hours. While these technologies are not the cause, they are often seen as
being a symptom of a "Big Brother" approach. No one likes to have
their privacy violated, so remember to offer similar protections to your
staff as you do to your clients. Doing so will let you avoid the dangers of
playing "Net cop."
If a user makes a mistake and falls for a social engineering attack, and
gives someone his or her password, you want him or her to be able to
come tell you about it, and not be afraid of punishment.
Security as an Enabler
To overcome the restrictive view of security, change the overall image of your team so that it is seen as an enabler. Security is best portrayed as an enabler when the security team takes the role of consultant to the other members of your organization. When security is portrayed in this manner and the proper levels of awareness are in place, you will find that other groups begin to include your team in the planning and development stages of their projects.
By assuming a consultant role, your team is able to build rapport
with the other groups and become a resource for them on which to
depend. Often, the best way to create this situation is to continually
work on awareness and use evangelism. Create informal challenges for
the other groups that teach security principles (see the "Last Password
Standing" sidebar for an example of a fun challenge).
The other way that security can be seen as an enabler is by building
awareness of how a secure environment can assist your employees with
performing their jobs. Explain how tools such as Secure Shell and virtual
private networks (VPNs) can allow them to perform their job duties
remotely. Demonstrate technical solutions, such as secure tunneling and strong authentication, that let your development groups offer a greater range of services safely. When other teams begin to see security as a flexible tool that creates options for their projects instead of a tight set of rules they have to follow, you will have created a partnering image for your team.
Portraying your team as being enablers makes it much easier for your
team members to perform. Organizations in which these types of part-
nerships exist between the security team and the other groups often
have a much lower rate of incidents and a much higher rate of job satisfaction. Be seen as enablers instead of "Net cops" and you will find much more success in the e-commerce world.

More Related Content

PDF
Configuring Symantec Antivirus Corporate Edition Laura E Hunter Robert Shimonski
PDF
Configuring Citrix Metaframe Xp For Windows Including Feature Release 1 Chris...
PDF
How To Cheat At Deploying And Securing Rfid Frank Thornton
PDF
Pci Compliance Implementing Effective Pci Data Security Standards Tony Bradley
PDF
mastering-kali-linux-for-advanced-penetration-testing-book-look2linux-com.pdf
PDF
GFI Network Security and PCI Compliance Power Tools 1st Edition Brien Posey
PDF
Configuring And Troubleshooting Windows Xp Professional Brian Barber Martin G...
PDF
Kali linux cookbook
Configuring Symantec Antivirus Corporate Edition Laura E Hunter Robert Shimonski
Configuring Citrix Metaframe Xp For Windows Including Feature Release 1 Chris...
How To Cheat At Deploying And Securing Rfid Frank Thornton
Pci Compliance Implementing Effective Pci Data Security Standards Tony Bradley
mastering-kali-linux-for-advanced-penetration-testing-book-look2linux-com.pdf
GFI Network Security and PCI Compliance Power Tools 1st Edition Brien Posey
Configuring And Troubleshooting Windows Xp Professional Brian Barber Martin G...
Kali linux cookbook

Similar to Hack Proofing Your Ecommerce Site The Only Way To Stop A Hacker Is To Think Like One Ryan Russell (20)

PDF
Network Security Bible 1st Edition Eric Cole Ronald L Krutz
PDF
Cisco CCNA CCENT Exam 640 802 640 822 640 816 Preparation Kit 1st Edition Dal...
PDF
HispanoTech Event - The Cyber Security Readiness of Canadian Organizations
PDF
GFI Network Security and PCI Compliance Power Tools 1st Edition Brien Posey
PDF
Cisco Ccna Ccent Exam 640802 640822 640816 Preparation Kit 1st Dale Liu
PDF
Security planning disaster recovery 1st Edition Eric Maiwald
PDF
Security planning disaster recovery 1st Edition Eric Maiwald
PDF
Advances In Computers 80 1st Edition Marvin Zelkowitz Phd Ms Bs
PDF
Cyber Crime Investigations ( PDFDrive ).pdf
PDF
Managing A Network Vulnerability Assessment 1st Edition Thomas R Peltier
PDF
Ospf Network Design Solutions 2nd Edition 2nd Edition Tom Thomas
PDF
Securing Citrix Presentation Server In The Enterprise Tariq Bin Azad Auth
PDF
Mcse Planning A Windows Server 2003 Network Infrastructure Exam 70293 Mccain
PDF
The Official Chfi Study Guide Exam 31249 For Computer Hacking Forensics Inves...
PDF
Net Mobile Web Developers Guide Web Developers Guide Steve Milroy
PPTX
InfraGard Webinar March 2016 033016 A
PDF
Virtualization With Xen Including Xenenterprise Xenserver And Xenexpress Davi...
PDF
Losing The Cybersecurity War And What We Can Do To Stop It Steve King
PDF
Professional ADO.NET 2.0 (Programming with SQL Server 2005, Oracle and MySQL)...
PDF
Cisco Thousandeyes Digital Experience Monitoring And Troubleshooting Aaron Tr...
Network Security Bible 1st Edition Eric Cole Ronald L Krutz
Cisco CCNA CCENT Exam 640 802 640 822 640 816 Preparation Kit 1st Edition Dal...
HispanoTech Event - The Cyber Security Readiness of Canadian Organizations
GFI Network Security and PCI Compliance Power Tools 1st Edition Brien Posey
Cisco Ccna Ccent Exam 640802 640822 640816 Preparation Kit 1st Dale Liu
Security planning disaster recovery 1st Edition Eric Maiwald
Security planning disaster recovery 1st Edition Eric Maiwald
Advances In Computers 80 1st Edition Marvin Zelkowitz Phd Ms Bs
Cyber Crime Investigations ( PDFDrive ).pdf
Managing A Network Vulnerability Assessment 1st Edition Thomas R Peltier
Ospf Network Design Solutions 2nd Edition 2nd Edition Tom Thomas
Securing Citrix Presentation Server In The Enterprise Tariq Bin Azad Auth
Mcse Planning A Windows Server 2003 Network Infrastructure Exam 70293 Mccain
The Official Chfi Study Guide Exam 31249 For Computer Hacking Forensics Inves...
Net Mobile Web Developers Guide Web Developers Guide Steve Milroy
InfraGard Webinar March 2016 033016 A
Virtualization With Xen Including Xenenterprise Xenserver And Xenexpress Davi...
Losing The Cybersecurity War And What We Can Do To Stop It Steve King
Professional ADO.NET 2.0 (Programming with SQL Server 2005, Oracle and MySQL)...
Cisco Thousandeyes Digital Experience Monitoring And Troubleshooting Aaron Tr...

Recently uploaded (20)

PDF
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
PPTX
B.Sc. DS Unit 2 Software Engineering.pptx
PPTX
ELIAS-SEZIURE AND EPilepsy semmioan session.pptx
PDF
Practical Manual AGRO-233 Principles and Practices of Natural Farming
PDF
IGGE1 Understanding the Self1234567891011
PDF
My India Quiz Book_20210205121199924.pdf
PDF
Τίμαιος είναι φιλοσοφικός διάλογος του Πλάτωνα
PDF
Trump Administration's workforce development strategy
PDF
medical_surgical_nursing_10th_edition_ignatavicius_TEST_BANK_pdf.pdf
PPTX
Share_Module_2_Power_conflict_and_negotiation.pptx
PDF
FOISHS ANNUAL IMPLEMENTATION PLAN 2025.pdf
PDF
OBE - B.A.(HON'S) IN INTERIOR ARCHITECTURE -Ar.MOHIUDDIN.pdf
DOC
Soft-furnishing-By-Architect-A.F.M.Mohiuddin-Akhand.doc
PDF
Empowerment Technology for Senior High School Guide
PPTX
CHAPTER IV. MAN AND BIOSPHERE AND ITS TOTALITY.pptx
PPTX
A powerpoint presentation on the Revised K-10 Science Shaping Paper
PPTX
20th Century Theater, Methods, History.pptx
PDF
What if we spent less time fighting change, and more time building what’s rig...
PPTX
Onco Emergencies - Spinal cord compression Superior vena cava syndrome Febr...
PDF
1.3 FINAL REVISED K-10 PE and Health CG 2023 Grades 4-10 (1).pdf
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
B.Sc. DS Unit 2 Software Engineering.pptx
ELIAS-SEZIURE AND EPilepsy semmioan session.pptx
Practical Manual AGRO-233 Principles and Practices of Natural Farming
IGGE1 Understanding the Self1234567891011
My India Quiz Book_20210205121199924.pdf
Τίμαιος είναι φιλοσοφικός διάλογος του Πλάτωνα
Trump Administration's workforce development strategy
medical_surgical_nursing_10th_edition_ignatavicius_TEST_BANK_pdf.pdf
Share_Module_2_Power_conflict_and_negotiation.pptx
FOISHS ANNUAL IMPLEMENTATION PLAN 2025.pdf
OBE - B.A.(HON'S) IN INTERIOR ARCHITECTURE -Ar.MOHIUDDIN.pdf
Soft-furnishing-By-Architect-A.F.M.Mohiuddin-Akhand.doc
Empowerment Technology for Senior High School Guide
CHAPTER IV. MAN AND BIOSPHERE AND ITS TOTALITY.pptx
A powerpoint presentation on the Revised K-10 Science Shaping Paper
20th Century Theater, Methods, History.pptx
What if we spent less time fighting change, and more time building what’s rig...
Onco Emergencies - Spinal cord compression Superior vena cava syndrome Febr...
1.3 FINAL REVISED K-10 PE and Health CG 2023 Grades 4-10 (1).pdf

Hack Proofing Your Ecommerce Site The Only Way To Stop A Hacker Is To Think Like One Ryan Russell

  • 1. Hack Proofing Your Ecommerce Site The Only Way To Stop A Hacker Is To Think Like One Ryan Russell download https://ebookbell.com/product/hack-proofing-your-ecommerce-site- the-only-way-to-stop-a-hacker-is-to-think-like-one-ryan- russell-4342140 Explore and download more ebooks at ebookbell.com
  • 2. Here are some recommended products that we believe you will be interested in. You can click the link to download. Hack Proofing Your Network David R Mirza Ahmad Ryan Russell Et Al https://ebookbell.com/product/hack-proofing-your-network-david-r- mirza-ahmad-ryan-russell-et-al-4102074 Hack Proofing Your Wireless Network Christian Barnes Neal Ofarrell Et Al https://ebookbell.com/product/hack-proofing-your-wireless-network- christian-barnes-neal-ofarrell-et-al-4118394 Hack Proofing Your Identity In The Information Age Protect Your Family On The Internet Teri Bidwell https://ebookbell.com/product/hack-proofing-your-identity-in-the- information-age-protect-your-family-on-the-internet-teri- bidwell-4342152 Hack Proofing Your Network 1st Edition Ed Mitchell Ido Dubrawsky https://ebookbell.com/product/hack-proofing-your-network-1st-edition- ed-mitchell-ido-dubrawsky-1217412
  • 3. Hackproofing Your Wireless Network 1st Edition Syngress Eric Ouellet https://ebookbell.com/product/hackproofing-your-wireless-network-1st- edition-syngress-eric-ouellet-2215432 Hack Proofing Coldfusion Greg Meyer Steven Casco Et Al https://ebookbell.com/product/hack-proofing-coldfusion-greg-meyer- steven-casco-et-al-4102068 Hack Proofing Linux The Only Way To Stop A Hacker Is To Think Like One James Stanger And Patrick T Lane Eds https://ebookbell.com/product/hack-proofing-linux-the-only-way-to- stop-a-hacker-is-to-think-like-one-james-stanger-and-patrick-t-lane- eds-4342142 Hack Proofing Xml 1st Edition Larry Loeb Jeremy Faircloth Ken Ftu https://ebookbell.com/product/hack-proofing-xml-1st-edition-larry- loeb-jeremy-faircloth-ken-ftu-1203578 Hack Proofing Windows 2000 Server 1st Edition Chad Todd https://ebookbell.com/product/hack-proofing-windows-2000-server-1st- edition-chad-todd-1740600
We would like to acknowledge the following people for their kindness and support in making this book possible.

Richard Kristof and Duncan Anderson of Global Knowledge, for their generous access to the IT industry's best courses, instructors and training facilities.

Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Bill Richter, Kevin Votel, and Brittin Clark of Publishers Group West for sharing their incredible marketing experience and expertise.

Mary Ging, Caroline Hird, Simon Beale, Caroline Wheeler, Victoria Fuller, Jonathan Bunkell, and Klaus Beran of Harcourt International for making certain that our vision remains worldwide in scope.

Anneke Baeten, Annabel Dent, and Laurie Giles of Harcourt Australia for all their help.

David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Joe Pisco, Helen Moyer, and the great folks at InterCity Press for all their help.
Ryan Russell (CCNA, CCNP) is the best-selling author of Hack Proofing Your Network: Internet Tradecraft (ISBN: 1-928994-15-6). He is MIS Manager at SecurityFocus.com, has served as an expert witness on security topics, and has done internal security investigation for a major software vendor. Ryan has been working in the IT field for over 11 years, the last 6 of which have been spent primarily in information security. He has been an active participant in various security mailing lists, such as BugTraq, for years. Ryan has contributed to four Syngress titles on the topic of networking. He holds a Bachelors of Science degree in Computer Science. Ryan wishes to thank Karen Mathews at the U.S. Department of Energy for her assistance in preparing Chapter 10.

Mark S. Merkow (CCP) has been an Information Systems professional since 1975, working in a variety of industries. For the last 12 years he has been working for a Fortune 50 financial services company in Phoenix, AZ. Mark holds a Masters in Decision and Information Systems from Arizona State University's College of Business and is completing his Masters of Education in Educational Technology at ASU's College of Education, specializing in developing distance learning courses. Today he serves as an e-commerce Security Advisor working with both internal and external Web designers and developers. Mark has authored or co-authored six books on computer technology since 1990, including Breaking Through Technical Jargon, Building SET Applications for Secure Transactions, Thin Clients Clearly Explained, Virtual Private Networks For Dummies, A Complete Guide to Internet Security, and The ePrivacy Imperative. In addition, Mark is a computer columnist for several local, national, and international print publications, along with an e-zine hosted at Internet.com.

Robin Walshaw (MCSE, DPM), author of Mission Critical Windows 2000 Server Administration (ISBN: 1-928994-16-4), is an independent consultant who architects security and infrastructure solutions for large corporations around the globe. By applying a combination of sound business sense and technical insight, Robin is able to design and deliver scalable solutions targeted at enabling the enterprise to effectively leverage technology. With a flair for developing strategic IT solutions for diverse clients, he has worked in the world of computers in 8 countries, and has traveled to over 30 in the last 10 years. A veteran of numerous global projects, Robin has honed his skills across a wide variety of businesses, platforms, and technologies. He has managed to scratch his head and look slightly confused in the world of security, network operating systems, development, and research. Having traversed the globe and seen its many beautiful wonders, Robin is still captivated by the one thing that leaves him breathless: Natalie, his wife. She is a light against the darkness, a beauty whose smile can melt even the coldest heart.

Teri Bidwell (GCIA) has been involved in Internet security for over 10 years as an analyst, engineer, and administrator and is a SANS-Certified GCIA Intrusion Analyst. Her career began securing Unix networks at the University of Colorado and continued as a Cisco network engineer and DNS manager for Sybase, Inc. Today, Teri is a security analyst for a firm headquartered in Reston, VA. She is a key contributor to corporate security strategy and is an advisor for e-business development. Her specialties include policy creation, vulnerability assessment, penetration testing, and intrusion detection for corporate environments. Teri received a Computer Science degree from the University of Colorado and sits on the SANS GCIA Advisory Board. She currently lives and works in Boulder, CO with her family, Clint, Wes, and Michael.

Michael Cross (MCSE, MCP+I, CNA) is a Microsoft Certified System Engineer, Microsoft Certified Product Specialist, Microsoft Certified Professional + Internet, and a Certified Novell Administrator. Michael is the Network Administrator, Internet Specialist, and a Programmer for the Niagara Regional Police Service. He is responsible for network security and administration, programming applications, and is Webmaster of their Web site at www.nrps.com. He has consulted and assisted in computer-related/Internet criminal cases, and is part of an Information Technology team that provides support to a user base of over 800 civilian and uniform users. His theory is that when the users carry guns, you tend to be more motivated in solving their problems. Michael owns KnightWare, a company that provides consulting, programming, networking, Web page design, computer training, and other services. He has served as an instructor for private colleges and technical schools in London, Ontario Canada. He has been a freelance writer for several years and has been published over two dozen times in books and anthologies. Michael currently resides in St. Catharines, Ontario Canada with his lovely fiancée Jennifer.

Oliver Steudler (CCNP, CCDP, CSE, CNE) is a Senior Systems Engineer at iFusion Networks in Cape Town, South Africa. Oliver specializes in routing, switching, and security and has over 10 years of experience in consulting, designing, implementing, and troubleshooting complex networks. He has written articles on TCP/IP networking, security, and data communications and also co-authored another Syngress title, Managing Cisco Network Security (ISBN: 1-928994-17-2).

Kevin Ziese is a computer scientist at Cisco Systems, Inc. Prior to joining Cisco, he was a senior scientist and founder of the Wheelgroup Corporation, which was acquired by Cisco Systems in April of 1998. Before founding the Wheelgroup Corporation, he was Chief of the Advanced Countermeasures Cell at the Air Force Information Warfare Center.
L. Brent Huston earned his Associate of Applied Science degree in Electronics at DeVry Technical Institute (Columbus, Ohio) in 1994. He has more than 10 years of experience in IT, mostly in the areas of cyber security testing, network monitoring, scanning protocols, firewalls, viruses and virus prevention formats, security patches, and hacker techniques. As President and CEO of his own information security company, MicroSolved, Inc., he and his staff have performed system and network security-consulting services for Fortune 500 companies and all levels of governmental facilities. He is well versed in the use and implementation of all the major security tools and appliances. In the past, Brent developed "Passys," a passive intrusion detection system for Unix, and has also identified previously unknown security vulnerabilities in Ascom routers, Windows NT, and Linux operating systems.

Brent is an accomplished computer and information security speaker and has published numerous white papers on security-related topics. Recently he was involved in the laboratory testing of major firewall appliances at his company's central Ohio facilities. This testing was to prove the worthiness of each appliance as well as possible vulnerabilities that had not as yet been established by their parent companies. He reported his results both to the individual product companies and at a national security industry presentation. Brent is also currently engaged with the Office of Independent Oversight and Performance Assurance in Columbus, OH. He was responsible for designing and implementing a state-of-the-art cyber security testing and research lab for this office, and several DOE national laboratories have utilized his expertise to perform network penetration and detection services. Such services have required a high security clearance from Brent.

Brent is an Internet Security Systems Certified Engineer, Sidewinder Firewall Certified Administrator, IBM Secure Network Gateway Certified Administrator, and Phoenix Firewall Certified Administrator.
Foreword

avoid the trap of recommending ill-defined "black-box" hardware solutions, a trap that other books in the field often fall into.

This book shares a feature in common with many Syngress books: It teaches why along with how. This is especially critical in the world of information security because technologies evolve at such a rapid pace and are also incredibly diverse. There are as many different ways to piece together an e-commerce site as there are e-commerce sites. It wouldn't be possible to anticipate any given reader's configuration. We present material that is designed to make you think. We want you to be able to take the information presented and adapt it to your situation.

We really hope you enjoy this book. You'll notice that Syngress offers an "Ask the Author" feature on their Web site for folks who have purchased the book. Please take advantage of that; we'd love to hear from you.

Ryan Russell, CCNA, CCNP
Chapter 1: Applying Security Principles to Your E-Business

Introduction

Security in the virtual world of the Internet is even more confusing than in the real world we inhabit. Buzzwords and marketing hype only serve to add to the puzzle. Vendors and free products abound, but according to the experts, the Internet world is becoming more dangerous every day. How can that be? How can all these solutions from so many directions not solve even the basic problems?

The answer is not simple because the problems are so complex. Security is difficult to create and maintain. Security is messy. The problem is that the online world was built around a system of protocols and rules, but unfortunately, those rules are not always followed. The complexity of today's computer systems and software applications often creates programs that act in a manner unforeseen by the Internet's operational guidelines. Add to that scenario a few humans who insist on testing the rules and purposefully acting unexpectedly, and you have a huge potential for a rather large mess.

Attaining and maintaining suitable levels of security also requires resources. It requires people with the technical and business skills in balance. It requires time, energy, and of course, money. Security is not cheap. Products and training and doing things the right way are usually more expensive in the short term than taking shortcuts and cutting corners, but in the long run, security protects the assets that your organization depends on for survival.

Given all these dynamics, the concept of security can be seen as an ever-changing ideal that encompasses these threats and adapts as they adapt, like a living process. Security is most assuredly a journey and not a destination. The easiest starting point on that journey is from the ground up.
In the e-commerce world, those who benefit the most from security's elusive protections are those who started the process with security firmly in mind. While it is possible to apply security to existing sites, the implementation is often more difficult than starting the process anew. In this chapter, we discuss how to bring security into focus from the start, what roles it should play, and how to get it included in the budget of a project. We also talk about how to justify its ongoing existence and measure its successes. For those of you who are tasked with defending an existing e-commerce site or other Web presence, we will explore the roles you should play in your organization and the process by which you can improve your site's security posture.

Security as a Foundation

The easiest, and many agree, the best way to create a secure environment is to start with security in mind. This means applying the principles of secure operation as the foundation upon which the rest of the project will be built. The primary principles of security are confidentiality, integrity, and availability. To succeed, the project must address these principles in all phases and applications.

Confidentiality

Confidentiality is the most widely known of the principles. Businesses have been dealing with confidentiality since commerce began. Today, it is a basic expectation of consumers that their personal information will be protected from disclosure. Vendors also expect a level of confidentiality to protect custom pricing, custom scheduling, and contractual details of their transactions with your company. Yet, as widely accepted as the concept of confidentiality is, it remains difficult to execute. Companies are in the news regularly because information about clients, vendors, or the politics of business relationships has become known. Towards the end of 2000 a prominent U.S. hospital discovered that its security infrastructure had been breached and the confidentiality of 5,000 patient records had been violated. The risks to confidentiality do not stop with access to data; credit card details are illegally obtained from Internet facing systems, then used or sold, with alarming frequency. Some analysts have estimated that online credit card fraud incurs damages worldwide to the tune of $9 billion annually. Information is possibly one of the most valuable assets most companies possess; losing it or caring for it negligently could spell disaster and possibly even ruin.

www.syngress.com
If your company had exposed the records of these clients, what would the damage to your bottom line have been? How would your company deal with such a situation?

Integrity

Integrity is perhaps the most difficult of the principles to achieve, yet it is the most vital of the three. Businesses must manage and maintain the integrity of the information with which they are entrusted. Even the slightest corruption of that data can cause complete chaos. The myriad of decisions based upon that integrity range from the basic business operation to the growth plans of the business long term. Over the centuries, various methods have evolved for building and maintaining the integrity of information. The double entry accounting system, the creation of jobs such as editors and proofreaders, and the modern checksum methods are all technical advances aimed at creating integrity. Yet, even with these modern tools and all the attention paid to the process over the years, integrity remains one of our greatest concerns.

Integrity is something we almost take for granted. We assume that the database system we are using will maintain the records of our sales correctly. We believe that our billing system is smart enough to add the items on a customer's bill. Without some form of integrity checking, neither of these situations may be true. Integrity of information can have an even larger impact on an organization. Imagine a computer virus that infected your accounting systems and modified all the sevens in your Excel spreadsheets, turning them into threes. What would the effect of those illicit modifications mean to your business? What steps would your organization take to recover the correct figures, and how would you even discover the damage?

Availability

Last, but not least, of the three principles is availability. Availability is the lifeblood of any business.
If a consumer can't get to your business to purchase your goods, your business will soon fail. In the e-commerce world, where every moment can directly translate to thousands of dollars in sales, even downtimes of less than an hour can do immense financial damage to a company. Consider the amount of damage done to your company if your Web site became unavailable for four hours, which is the length of time that most vendors used as a benchmark for turnaround time in the pre-Internet world. Such an outage in e-commerce could cost tens of thousands of dollars, as we will see in Chapter 2. How long could your company continue to do business if your Internet presence was destroyed? How much money per hour would your organization lose if you could not do business online?

Security also entails a three-step process of assessment, revision, and implementation of changes (see Figure 1.1). This continual process of evaluation and feedback is necessary to adapt processes and products to the ever-changing conditions of the online world. As hackers examine existing software and hardware systems and discover new vulnerabilities, these vulnerabilities must be tested against your own systems and changes made to mitigate the risks they pose. The systems must then be tested again to ensure that the changes did not create new weaknesses or expose flaws in the systems that may have been previously covered. For example, it is fairly common for software patches and version upgrades to replace configuration files with default settings. In many cases, this opens additional services on the box, or may re-enable protocols disabled by the administrator in a previous configuration. This ongoing process of evaluation strengthens the three principles and ensures their continued success.

Figure 1.1 The Continual Security Assessment Process

Based on these ideas and the scenarios that can occur when the three principles are not managed well, you can see why building security from the ground up is so important. Building the three principles into a business certainly requires work and planning. Security is neither easy to accomplish nor easy to maintain, but with proper attention, it is sustainable.

Presenting Security As More Than a Buzzword

Security must be more than a buzzword or a group within your organization. Security needs to be on the mind of every employee and in the forefront of the day-to-day operations. Security staff members need to work as partners or consultants to other groups within the company. They need to remain approachable and not be seen as "Net cops" or tyrants. They need to allow for dialogue with every employee, so that they can make suggestions or bring to their attention any events that seem out of place.

Security works best when all employees are attentive to situations that may expose customers to danger or the site to damage. The key to achieving this level of awareness is education. Education is the tool that disarms attackers who prey on miscommunication, poorly designed processes, and employee apathy. Such attacks, often called "social engineering" by hackers, can be devastating to a company and its reputation. The best way to defend against these attacks is to educate your employees on your policies regarding security and customer privacy. They also need to see those policies being followed by all members of the team, from management down to the entry-level employees. They need reminders, refreshers, and periodic updates whenever changes to the procedures are made. In other words, security has to be an attitude from the top down. The highest levels of management must support the policies and their enforcement for long-term success to be achieved and maintained.

The security team also requires the support of management. A universal attitude of cooperation must be presented and maintained across all lines of business with the security group. Every employee needs to feel that the security group is approachable and they should have no fear of reporting things that seem suspicious. Employees need to know exactly whom to contact, and they need to be treated with respect instead of suspicion when they talk to the security team and its members.
The Goals of Security in E-Commerce

Security plays a very important role in e-commerce, and is essential to the bottom line. While e-commerce done correctly empowers your company and the consumer, e-commerce done poorly can be devastating for those same participants. The goals of security in the commerce process must be to:

• Protect the privacy of the consumer at the point of purchase.
• Protect the privacy of the customers' information while it is stored or processed.
• Protect the confidential identity of customers, vendors, and employees.
• Protect the company from waste, fraud, and abuse.
• Protect the information assets of the company from discovery and disclosure.
• Preserve the integrity of the organization's information assets.
• Ensure the availability of systems and processes required for consumers to do business with the company.
• Ensure the availability of systems and processes required for the company to do business with its vendors and partners.

These goals are a starting point for the creation of a good security policy. A great security policy, as described in Chapter 4, will address all of these goals and lay out processes and practices to ensure that these goals are met and maintained. Think of your security policy as your first line of defense, because from it should come all the processes and technical systems that protect your business and your customer. Any security measures you implement without a policy become de facto policies. A policy created that way was probably created without much forethought. The problem with unwritten policies is that you can't look them up, and you don't know where to write the changes.
Planning with Security in Mind

Building the foundation from a secure starting point is very important. For this reason, the three principles have to be applied to the process from the beginning stages of planning. Examine the business plan and apply the aspects of confidentiality, integrity, and availability. Ask your staff and yourself questions such as:

• How are we going to ensure the confidentiality of our customers?
• How will we protect our business information from disclosure?
• What steps are we taking to double-check the integrity of our data gathering?
• What processes are we using to ensure that our data maintains integrity over time?
• How are we protecting ourselves against the loss of availability?
• What are our plans for failure events?

As the business plans begin to take shape, apply the three principles to them. Keep the principles involved continually as the planning evolves, and you will find that your questions give birth to scenarios, and those scenarios lead to solutions.

Spend time thinking about the threats to your site. Profile the flow of likely attacks and determine the probable ease of their success. For example, if an attacker wanted to gather customer financial information, could he or she simply compromise your Web server and gain access to it? There have been countless examples of situations exactly like this one, where what should have been a simple Web server compromise ended up exposing sensitive customer data to the attackers. Had those credit card numbers and other information been stored on a separate machine, or better yet, on a more protected network segment, the attacker may not have been able to harvest it. Avoid single points of failure. Ensure that compromise of one network component does not jeopardize your entire operation. Apply these scenarios to each step of the plans and revise them until you have resolved the apparent issues.
An example scenario for this process might include something like this: If an attacker used the latest exploit of the week to gain access to your Web server, what other systems could be easily compromised? In a recent, all too real example, a client called me when this had happened. The attacker had used the Unicode exploit (see Rain Forest Puppy's page at www.wiretrip.net/rfp/p/doc.asp?id=57&iface=6 for more details on Unicode) against my client's Web server to gain access to the file system. After uploading a Trojan horse program, they quickly managed to grab the password file from the Repair directory and crack Administrator access to the system. Unfortunately for my client, the attacker had compromised the system that they had designated to be the Domain Controller for all the Web server systems in the DMZ. They had chosen, unwisely, to deploy a Windows Domain for easier systems management of the Web servers and the server they used to allow vendors to pick up orders from their site. Their primary e-mail server and their FTP server were also members of the same domain. Each of these systems was, in turn, compromised by the attacker. By the time the damage had been discovered, each of these systems had to be removed from service and completely rebuilt. Their partners were advised of the damage, and they lost valuable time and money, not to mention their partners' confidence in their company. To date, that single mistake of making each of the systems a member of a Windows Domain instead of stand-alone servers has cost them thousands of dollars and several IT managers their jobs. Even small miscalculations can have large ramifications on security.

Understand that for every scenario and threat that you think of, dozens of others may exist or may come to exist in the future. Don't be alarmed if you feel like you have only thought of the most basic threats.
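The Unicode attack in the anecdote above works by percent-encoding the path separators "/" and "\" as overlong UTF-8 sequences (%c0%af and %c1%9c) so that a "..\.." directory traversal slips past the Web server's path check and is only turned back into a separator after the check has run. The following is an added example, not code from the book: a small scanner for IIS-style access log lines that decodes each requested URI the way a lenient decoder would and flags overlong sequences, traversal, and requests that reach cmd.exe. The log lines are constructed for the example, and the column layout (date, time, client IP, method, URI, query, status) is an assumption about the log format.

```python
"""Flag overlong-UTF-8 ("Unicode") directory traversal attempts in IIS-style
access log lines.  Added example for this chapter, not the book's own code.
The SAMPLE_LOG lines are constructed; the column layout is an assumption."""
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed lines: date time client-ip method uri query status
SAMPLE_LOG = r"""
2001-03-14 10:22:01 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-03-14 10:22:05 10.0.0.5 GET /msadc/..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe /c+copy+..\cmd.exe+root.exe 200
2001-03-14 10:23:11 192.168.1.20 GET /catalog/item.asp id=42 200
2001-03-14 10:23:40 192.168.1.21 GET /images/logo%20big.gif - 200
2001-03-14 10:24:02 10.0.0.9 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404
"""

# A two-byte UTF-8 sequence whose lead byte is 0xC0 or 0xC1 is always overlong:
# it encodes a code point below 0x80 that should have been a single ASCII byte.
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")


def overlong_sequences(uri: str) -> list:
    """Return the raw overlong two-byte sequences found after percent-decoding."""
    return OVERLONG.findall(unquote_to_bytes(uri))


def lenient_decode(uri: str) -> str:
    """Decode the URI the way the vulnerable server did: percent-decode, then
    accept overlong two-byte forms and map them to the ASCII character they
    encode (so %c0%af becomes '/', %c1%9c becomes a backslash).  Backslashes
    are then normalized to '/' so one traversal check covers both separators."""
    raw = unquote_to_bytes(uri)
    out = bytearray()
    i = 0
    while i < len(raw):
        lead = raw[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((lead & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(lead)
            i += 1
    return out.decode("latin-1").replace("\\", "/")


def classify(line: str) -> Optional[dict]:
    """Return a finding for a suspicious line, or None for a benign one."""
    fields = line.split()
    if len(fields) < 7:
        return None
    _date, _time, client, _method, uri, _query, status = fields[:7]
    reasons = []
    if overlong_sequences(uri):
        reasons.append("overlong-utf8")
    decoded = lenient_decode(uri)
    if "/../" in decoded or decoded.endswith("/.."):
        reasons.append("traversal")
    if re.search(r"/cmd\.exe$", decoded, re.IGNORECASE):
        reasons.append("cmd.exe")
    if not reasons:
        return None
    return {"client": client, "uri": uri, "status": status, "reasons": reasons}


def scan(log_text: str) -> list:
    """Scan a whole log and collect findings, skipping blank and comment lines."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        finding = classify(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["client"], f["status"], ",".join(f["reasons"]), f["uri"])
```

Note that the last sample line is flagged even though the server answered 404: a plain "../" probe that failed is still reconnaissance from a host worth watching, and the same client will usually try the encoded form next. Run the scanner against the encoded request, never against an already-decoded copy, or the overlong evidence is gone.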
This very act of preparation and scenario development will create a great deal of awareness of the issues encompassed in the three principles. In addition, your team's ability to handle security incidents down the road will be increased as you become more familiar with the details of your business process.

At the end of this process, you should have some basic plans for your site. One of the best ways to organize this planned information is in a chart that details your risks and how you plan to mitigate them. An example is shown in Table 1.1. These examples are basic, and you should certainly have many more than this, but it is a start to give you the idea of a framework.

Table 1.1 Sample Risk Mitigation Chart

Phase of E-commerce Process: Consumer Check-out
Explanation of the Risk: An attacker could monitor the transmission of the credit card and consumer data.
Strategy for Risk Mitigation: We will use SSL encryption to protect the information as it travels across the Internet.

Phase of E-commerce Process: Credit Card Data Transfer to the ISP Credit Systems
Explanation of the Risk: An attacker could monitor our credit card batch file when we transfer it to the ISP credit card system each hour for processing.
Strategy for Risk Mitigation: We will use SecureFTP to send the data down an SSH tunnel to prevent sniffing attacks.

Phase of E-commerce Process: Any Phase
Explanation of the Risk: An attacker could compromise the database server that we use to store our clients' personal information and purchase history.
Strategy for Risk Mitigation: We will protect the server by removing all unneeded services and installing a file system checksum program to alert us to changes. We will also locate the server in a separate DMZ segment and only allow encrypted transfer through a SQL proxy to interact with the system.

Phase of E-commerce Process: Any Phase
Explanation of the Risk: An attacker could seek to shut us down by flooding our network.
Strategy for Risk Mitigation: We will protect ourselves by using redundant servers and a load balancing router. We will also be prepared to implement traffic blocking access control rules on the ISP router by calling their help desk line.
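The "file system checksum program" in the third row of Table 1.1, and the earlier warning in this chapter that patches and version upgrades can silently replace configuration files with defaults, both call for the same control: a hashed baseline of the files you care about, re-checked after every change. The following is an added example, not the book's code, of that control in Python. The directory layout, file names and the simulated "upgrade" in demo() are constructed for the example.

```python
"""Checksum baseline of a file tree, and a comparison that reports what a
patch or an intruder changed.  Added example for this chapter, not the book's
code; the files created in demo() are constructed for illustration."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its hash,
    size and permission bits.  Symlinks are skipped so a link pointed at
    a system file cannot masquerade as an unchanged file in the tree."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": sha256_file(path),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
            }
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Classify differences between two baselines."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in common if old[p]["sha256"] != new[p]["sha256"]),
        # same content but different permissions is still worth an alert
        "mode_changed": sorted(p for p in common
                               if old[p]["sha256"] == new[p]["sha256"]
                               and old[p]["mode"] != new[p]["mode"]),
    }


def demo() -> dict:
    """Simulate a vendor upgrade that resets a config file to defaults,
    removes another, and drops a new script into the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "httpd.conf").write_text("Listen 443\nServerTokens Prod\n")
        (root / "etc" / "ftpd.conf").write_text("Enabled no\n")
        (root / "bin" / "backup.sh").write_text("#!/bin/sh\necho backup\n")

        # The baseline is serialized the way a real deployment would store it
        # off the box (read-only media or another host), then reloaded.
        stored = json.dumps(build_baseline(root))

        # The "upgrade": defaults restored, a hardening file lost, a new CGI added.
        (root / "etc" / "httpd.conf").write_text("Listen 80\nListen 443\nServerTokens Full\n")
        (root / "etc" / "ftpd.conf").unlink()
        (root / "bin" / "test-cgi").write_text("#!/bin/sh\nset\n")

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the stored baseline somewhere the monitored host cannot write to it; a baseline that lives beside the files it describes can be regenerated by whoever changed them, and the check then reports nothing. Re-run the comparison as the last step of every patch window, before the system is put back in service.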
  • 24. Applying Security Principles to Your E-Business 9 Chapter 1 13 Security during the Development Phase The steps involved in translating the plans established into actual prod- ucts and processes can be very dangerous to the security principles. Often, compromises must be made to facilitate budgets, timeffames, and technical requirements. Many times, these compromises impact the overall security of a project. The single best way to ensure that the underlying security of the project remains intact through the development phase is through con- tinual involvement. As each process or product is defined, apply the three principles to it and revise the definition to answer the scenarios you cre- ated in the planning process. If compromises must be made that impact the security of the project, carefully profile those changes and create a list of the risks involved in them. This list of risks will become important in the implementation phase, as it gives you a worksheet for problems that must be mitigated through the combination of technology, policy, and awareness. Often, compromises in key areas will have a major impact on attempts to secure other dependent areas. Be sure that attempts to save a dollar when building an underlying component doesn't cost you ten in trying to patch the pieces sitting on top. Each process and product must be carefully examined to define the various risk factors involved. Attention to detail is highly important in this step, as is the cross-examination of a process or product by the var- ious team members. Each of the team members will have his or her area of concern, and thus will bring a different angle of examination to the table. This cross-examination, or "peer review," often creates stronger designs and more secure solutions. In fact, peer review can be a very helpful tool in your policy creation tool box as well. 
The whole concept is to pass each policy or development process by each team member allowing each to comment on the process or policy from their point of view. At the end, someone, usually the original author, edits all the com- mentary back into the policy or process to create a better end product. Peer review is often done across the board for policies, technical infor- mation, and new processes before they are released to the general public. After each of the processes has been defined and developed, recon- vene the examination team to review the complete procedure from v-- .~ www.syngress.com
  • 25. 14 Chapter 1 9 Applying Security Principles to Your E-Business beginning to end. Many times, during the combination of the various discreet processes into the overall product, security holes are created inadvertently through the communication and storage of information. Two components may not be insecure on their own, but can create a hole when they interact. An example might be two e-commerce systems that both store their information in encrypted databases but interact with each other, moving that same information over an unencrypted link. In this example, the vulnerability is not in the database servers, but in the method used to communicate with each other. Examine these types of"scenarios carefully. Again, revise the processes as required, or note the accepted risks for mitigation during the implementation phase. Implementing Secure Solutions The most important thing to remember as your business moves into the implementation phase is to only bring systems online after they have been thoroughly tested and established as being secure. The largest danger faced in this phase is that the systems will be rushed into operation before they have been thoroughly evaluated. Securing your systems after they have been brought online could leave you vulnerable for long enough to allow an attacker to plant a backdoor for later attack, or to compromise the system at that time. Securing an already compromised setup is not only futile, it is often very difficult to detect. The moral of"the story is: Don't bring it online until you know it is ready for the world. The evaluation os your systems involves using the tools and processes outlined in Chapter 8. Mainly, the process is to test your actual imple- mentation against the three principles. 
Automated tools are used to examine each component and to determine the risks and weaknesses associated with them. Vulnerabilities may have been created through misconfigurations, last-minute technical revisions, or unforeseen issues with a software program or hardware device. Repair of these vulnerabilities may include applying patches, reengineering processes or network segments, or other changes. It is very important to evaluate each of these modifications in regard to the surrounding security and to reevaluate the systems from scratch once they have been applied.
Once you have successfully secured your environment and processes down to the level of your accepted risks, it is time to mitigate those issues through a combination of technology, policy, and awareness. Begin by using your list of accepted risks to create a policy to deal with them. Security policies are the backbone of your system of defense. These policies act as the basis for determining actions, system configurations, and the types of devices you will use to secure your network. They should be generated by your security staff, in conjunction with team members from Human Resources, your legal team, and the group that is developing and implementing your site. Involving these other teams in the policy creation will establish not only a sense of trust, but also a more open policy. It is easy to establish a restrictive, draconian security policy, but very difficult to create one that balances corporate, technical, and legal factors while still allowing the business to perform its needed functions. Ensure that all of these issues are added to your security policy, and then implement technical systems to enforce those policies in real time. Systems such as firewalls, intrusion detection systems, and monitoring tools can be used to mitigate the risks you have accepted as an inherent part of your process.

Once you have mitigated your risks, you can begin to bring your systems online and offer access to the public. Many sites choose to roll out their systems in phases of deployment, while others release the entire site at once. Making this selection depends on your site and the level of staffing resources you have to handle situations as they arise. Remain attentive as the site begins to become popular. Carefully watch your processes and continue to evaluate your performance against the three principles. Remember, security is a journey and not a destination.
Managing and Maintaining Systems in a Secure Environment

One of the most complicated issues surrounding an e-commerce site is the secure management and maintenance of the systems involved. Software systems require periodic patching as programmers repair security and functional problems. Hardware devices may require patches as well as physical maintenance. Log files have to be monitored, backups have to be performed, and the systems have to be administered for day-to-day operation. In addition, all of these events are expected to occur without compromising security or impacting the operation of the business.

In the pre-Internet days, data systems had scheduled outage times to handle maintenance and administration issues. However, in today's 24-hour consumer environment of the online world, sites must be available at all times to consumers or they will simply take their business elsewhere. Thus today, system operators and e-commerce businesses must strive for zero downtime and lower impact on the site to perform these management functions. This is made possible by hardware that is more powerful, faster networks, and redundancy for mission-critical systems.
Day-to-day management is mainly performed through automated processes on systems remote from the mission-critical systems to take advantage of speed and to reduce the danger of human error. Secure tunnels transfer log files and other monitoring information across our networks to prevent unauthorized observation and discovery. Devices communicate events back to common monitoring stations via communication bursts to alert operators and administrators that events have occurred or that they need attention. Administrators may then remotely access the systems across these secure tunnels or by physically visiting the machines if required.

Keep in mind that while the process of managing these machines seems largely automated, it still has inherent risks. Software packages require continual patching as vulnerabilities are discovered and repaired. Each of these patches could cause unexpected behavior in your environment. Vendors do test their patches, but the complexities and individualization of today's Internet sites make it impossible for them to test their software for every circumstance. In addition, the slightest change to your network components could also have a vast impact on the security of your site. As administrators change out equipment for maintenance or replace components or applications with new revisions, they may accidentally introduce misconfigurations or other weaknesses into your site.

The method used to avoid these issues is to continually evaluate your site against your known baselines. If new vulnerabilities or risks appear, changes may have been made. These changes may be the result of new vulnerabilities that have been discovered or the result of changes made to components. Either way, these vulnerabilities must be immediately mitigated through repair or by managing them through your combination of technology, policy, and awareness. The only way to ensure the long-term security of your site is to continually assess it, revise it, and implement the changes required to mitigate your risks. To help you maintain the process, the flow chart shown in Figure 1.2 can be used as a reference.

Figure 1.2 Continuous Evaluation Process (flow chart; the legible steps are Perform Assessment, Research Fixes/Patches, Apply Patches/Fixes, Create Other Methods for Mitigating the Risks, and Begin Again at Next Interval, joined by Yes/No decision branches)
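As an added illustration of one pass through the loop in Figure 1.2 (this code is not from the book), the following Python compares the latest assessment with the known baseline and routes each new finding either to a patch or to another form of mitigation; the hosts, issue identifiers and the table of known fixes are constructed sample data.

```python
"""One interval of the continuous evaluation loop (added example).

The latest assessment is compared with the accepted baseline. New
findings go to "apply patch/fix" when a fix is known and otherwise to
"other mitigation" (firewall, policy, awareness); baseline findings that
have disappeared are reported as resolved. Hosts, issue identifiers and
the fix table are constructed sample data, not output of a real scanner.
"""
from collections import namedtuple

# A finding is identified by where it is and what it is; the scanner's
# severity is left out on purpose so that a re-rated issue is not
# mistaken for a new one.
Finding = namedtuple("Finding", "host service issue")

# Constructed baseline from the previous review cycle.
BASELINE = {
    Finding("www1", "http", "directory-listing-enabled"),
    Finding("mail1", "smtp", "vrfy-command-allowed"),
}
# Constructed: risks accepted at design time and handled by policy.
ACCEPTED_RISKS = {"directory-listing-enabled"}
# Constructed: issues with a known patch or configuration fix.
KNOWN_FIXES = {
    "vrfy-command-allowed": "disable VRFY in the MTA configuration",
    "bind-version-disclosure": "apply vendor DNS patch and hide version",
}
# Constructed output of the latest automated assessment.
CURRENT = {
    Finding("www1", "http", "directory-listing-enabled"),  # unchanged
    Finding("www2", "http", "directory-listing-enabled"),  # known issue, new host
    Finding("ns1", "dns", "bind-version-disclosure"),      # new issue, fix known
    Finding("db1", "app", "debug-endpoint-exposed"),       # new issue, no fix
}


def likely_cause(finding, baseline):
    """Separate a newly discovered weakness from a change to components.
    An issue already in the baseline that shows up on another host
    usually means something was changed (new host, swapped component,
    altered configuration) rather than that a new vulnerability exists."""
    if finding.issue in {f.issue for f in baseline}:
        return "known issue on a new component: check recent changes"
    return "issue not seen at this site before: new vulnerability"


def evaluate(baseline, current, known_fixes, accepted_risks):
    """Return the work list for this interval as a dict of sorted lists."""
    new = sorted(current - baseline)
    resolved = sorted(baseline - current)
    # Baseline findings that persist and were never accepted are carry-over work.
    outstanding = sorted(f for f in baseline & current
                         if f.issue not in accepted_risks)
    apply_fixes, other_mitigation = [], []
    for f in new:
        if f.issue in known_fixes:
            apply_fixes.append((f, known_fixes[f.issue]))
        elif f.issue in accepted_risks:
            other_mitigation.append(
                (f, "accepted risk: confirm the policy control covers this host"))
        else:
            other_mitigation.append(
                (f, "no fix known: mitigate with firewall, policy or awareness"))
    return {
        "new": new,
        "resolved": resolved,
        "outstanding": outstanding,
        "apply_fixes": apply_fixes,
        "other_mitigation": other_mitigation,
        "causes": {f: likely_cause(f, baseline) for f in new},
    }


if __name__ == "__main__":
    result = evaluate(BASELINE, CURRENT, KNOWN_FIXES, ACCEPTED_RISKS)
    for key in ("resolved", "outstanding", "apply_fixes", "other_mitigation"):
        print(f"{key}:")
        for item in result[key]:
            print("   ", item)
    for f, cause in result["causes"].items():
        print(f"{f.host}/{f.issue}: {cause}")
```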
Applying Principles to Existing Sites

While it is optimal to begin the e-commerce process with security in mind, it is possible to apply the three principles of confidentiality, integrity, and availability to already operational sites as well. In fact, since much of the site development work is done, these sites are often able to apply greater time, effort, and money to securing their environment.

The process of applying the three principles to existing sites differs a bit from new sites, but many of the concepts are the same. Obviously, the principles themselves don't change, nor does the cycle of continuous security assessment. However, what does change is where and when these tools begin to be applied. For example, beginning the assessment process on your existing site could damage your production systems, so most sites begin by testing their development environment or a mirror of their production environment created just for the purpose of testing. They then begin to apply the revisions and patches to these test systems, giving them time to examine the impact before making these changes to the production site. Always remember, though, that security fixes are a race against the clock, as attackers may be probing for those vulnerabilities while you are testing the fixes. The major effort here is to limit the size of this window of opportunity without causing damage to your site.
It All Starts with Risk

Whether you choose to start with your test environment or take the risks of auditing your production site, the beginning point for applying the principles is to identify risks. The same tools from Chapter 8 are again used to perform an audit of your processes and applications to determine what vulnerabilities and risks already exist. Each of these risks must then be examined, and your site either fixed or revised to provide mitigation.

Depending on the complexity, nature, and size of your site, you may discover a few vulnerabilities, or thousands. Check out www.cve.mitre.org for a dictionary of known vulnerabilities. Each of these vulnerabilities may vary in its significance, from allowing an attacker to gain information about your network to allowing someone complete access to your most critical systems at the highest level. The tools used to perform the audit should explain, in detail, the risks associated with each vulnerability. Keep in mind that in some circumstances, minor and medium vulnerabilities could be used to create major problems within your site, and could even be used to create denial of service (DoS) conditions.
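An added example (not from the book) of weighing audit findings against the assets they can actually reach rather than taking the tool's rating at face value: a finding that on its own can compromise a critical asset ranks highest, one that first needs several conditions met (an inside position because the port is filtered, a second weakness to escalate from a foothold) ranks medium, and one with little effect on any critical asset ranks low. The systems, findings and their attributes are constructed sample data.

```python
"""Ordering audit findings by the risk they pose to real assets.

Added example, not from the book. A finding that alone can compromise a
critical asset is high; one that needs several conditions to be met
first is medium; one with little effect on any critical asset is low.
Exposure (firewall filtering, Internet reachability) counts as one of
those conditions, and a reachable foothold on a non-critical host still
matters as a launching point towards inside-only critical systems.
Systems, findings and their attributes are constructed sample data.
"""
from dataclasses import dataclass

RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class System:
    name: str
    mission_critical: bool
    holds_critical_data: bool
    internet_reachable: bool


@dataclass(frozen=True)
class Finding:
    id: str
    system: str
    tool_severity: str         # rating reported by the audit tool
    grants: str                # "info", "foothold" or "control"
    blocked_by_firewall: bool  # affected port filtered at the border


# Constructed inventory: the customer database is Internet-facing while
# the ERP system is reachable only from inside.
SYSTEMS = {s.name: s for s in [
    System("db-cust", False, True, True),
    System("erp", True, True, False),
    System("www-brochure", False, False, True),
    System("dev-box", False, False, True),
]}

# Constructed audit report. F2 is the "high rating on a non-critical
# system behind a firewall" case; F1 is the Internet-facing customer database.
FINDINGS = [
    Finding("F1", "db-cust", "high", "control", False),
    Finding("F2", "www-brochure", "high", "control", True),
    Finding("F3", "dev-box", "medium", "foothold", False),
    Finding("F4", "erp", "high", "control", False),
    Finding("F5", "www-brochure", "low", "info", False),
]


def is_critical(system):
    return system.mission_critical or system.holds_critical_data


def preconditions(finding, system):
    """Conditions an attacker must satisfy before the finding hurts an asset."""
    conds = []
    if not system.internet_reachable or finding.blocked_by_firewall:
        conds.append("already inside the network (host or port not reachable)")
    if finding.grants == "foothold":
        conds.append("a second weakness to go from foothold to control")
    elif finding.grants == "info":
        conds.append("another weakness that can use the disclosed information")
    return conds


def rate(finding, systems):
    """Return (priority, conditions) for one finding."""
    system = systems[finding.system]
    conds = preconditions(finding, system)
    if is_critical(system):
        return ("high", conds) if not conds else ("medium", conds)
    # A non-critical host matters only as a launching point towards critical
    # systems that cannot be reached from the Internet directly.
    reachable = system.internet_reachable and not finding.blocked_by_firewall
    inside_only = sorted(s.name for s in systems.values()
                         if is_critical(s) and not s.internet_reachable)
    if reachable and finding.grants in ("foothold", "control") and inside_only:
        return ("medium", ["launching point towards " + ", ".join(inside_only)] + conds)
    return ("low", conds)


def prioritize(findings, systems):
    """Work list ordered by asset risk first, the tool's own rating second."""
    rated = [(f,) + rate(f, systems) for f in findings]
    rated.sort(key=lambda r: (RANK[r[1]], RANK[r[0].tool_severity], r[0].id))
    return rated


if __name__ == "__main__":
    for finding, priority, conds in prioritize(FINDINGS, SYSTEMS):
        print(f"{finding.id} {priority:6} (tool said {finding.tool_severity}) "
              f"{finding.system}: {'; '.join(conds) or 'no preconditions'}")
```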
Fix the Highest Risks First

Once you have the report of your vulnerabilities and have examined the impact of the findings on your environment, begin to put the actions required for fixing them into order based on the levels of risk. How do you know the level of risk for each vulnerability? Easy. Relate the risks to the real assets that you need to protect. By taking the time to identify company assets, the risk evaluation process gets much easier. Spend time thinking about your company and the business it does. What assets does the company hold that are valuable to it? Where are those resources located and how are they protected? Use the peer review process to create a detailed list of these assets and then relate the risks to that list. If any risk has even a remote possibility of compromising those assets, then that risk gains the highest priority. A risk for which multiple conditions must be met before an asset is impacted gains a medium level, while the lowest risks are those that have little impact on any critical asset. Again, use peer review to ensure that you have an accurate view of the priorities for the risks you have developed.

Fix those vulnerabilities with the highest risk first. Often, it is a good idea to mitigate these risks through additional means (such as by blocking the appropriate ports at the firewall or at border routers) while your staff works toward implementing the patches and modifications. In general, ensure that each and every process or application running on your production systems is up to the highest and most current patch levels and versions. Pay special attention to the popular services such as DNS, HTTP, SMTP, SNMP, FTP, POP, IMAP, and security-related applications such as firewalls or intrusion detection programs.

By repairing the highest risks first, you help your site to protect its mission-critical information and systems. When creating the priority of vulnerabilities, always remember to take into consideration other mitigation strategies and the criticality of the systems impacted and their data. In other words, if the audit tool reports a high-risk vulnerability on a system that is not mission critical, or that handles no mission-critical data and/or is adequately protected by a firewall, it may fall in priority when compared to a vulnerability that allows an attacker access to a database that holds customer information for only a short time during gathering and initial processing, but is accessible from the public Internet. For this reason, information from the audit tools must be parsed by comparing the actual impact to your environment.

After you have parsed and prioritized your work, begin the process of applying the fixes and revisions to your environment. Remember to allow sufficient time, traffic, and use to measure the impact of the changes before replicating them into your production environment. Then proceed through your list, applying the changes to the various affected systems. When you have finished and documented your work, then begin the process again to ensure that your modifications have not created new issues.

Management and Maintenance during the Patching Process

The primary reason to test the modifications required to mitigate your risks is because of the unpredictability of computer programs and systems. Many times, the software or hardware fixes issued by a vendor or programmer affect the operation of those systems at a very deep level.
In fact, the changes required may affect the very core processes or routines of the system. Because of this, these changes may actually create additional security risks or cause the system to perform in a new way.

Many examples have come to light in which software patches created by vendors to fix vulnerabilities have failed to solve the issue, resolved the problem incompletely, or created additional security problems. Discussions of these issues have found their way into many public forums such as Bugtraq and Usenet. The moral of the story here is that each patch really does need to be evaluated, and each system will require testing after applying the fixes. Failure to follow that model could result in disaster!

Impact of Patching on Production Systems

Applying patches to your production systems does not have to be a major risk. The solution is to create an environment that mirrors your production site and test the fixes there first. However, in some cases, a vulnerability may be so dangerous as to require immediate action or risk damage to your customers and your business. In this case, it may be necessary to apply patches directly to your production systems; do so only if there is no alternative. If at all possible, at least test the installation procedure on a staging machine, which normally only takes a short amount of time. In such times when you must patch your production systems without adequate testing of the fix, here are some steps to help you manage some of the risks you face:

1. First, before applying the patch, make a complete backup of the entire system.

2. Also before applying the patch, use cryptographic signatures or hash totals to validate the true authenticity of the patch code. Trojan horse patches are not unheard of.

3. After applying the patch, carefully monitor the CPU usage, memory statistics, and general operation of the server for a period of no less than one week. This will give the system time to experience variances of traffic and use that may exist.

4. Immediately after applying the patch, begin a complete automated scan of the system for new vulnerabilities or unexpected behaviors (remember to monitor the statistics above during the scan).

5. If the patch does not perform as expected, or the software behavior changes in a way that causes you concern, reload the backup data from step 1. Research the patch and test the process again before your next attempt.

6. If at any time you feel the system is behaving in an unexpected way or if the patch does not resolve the security problem immediately, stop and contact the vendor or programmer for support with the issues.

The Never-Ending Cycle of Change

One thing is for sure: patches and security vulnerabilities are here to stay. As our systems and software programs grow in useful features and bells and whistles, they also grow in complexity. With so many lines of code and so many programmers working on the products today, bugs and vulnerabilities are a surety. As vendors and programmers scramble to respond to the security issues as they are discovered, there is more and more pressure on them to release patches in a shorter amount of time. Some vendors respond by publishing fixes that are not completely tested or that simply hide the problem instead of solving it.

While you can never be totally sure of the impact of a patch or modification, you can hedge your bet by implementing proper controls on the patching process. Steps such as creating a mirrored test network, authenticating the origins of a patch before installing it, and creating good communications channels with your vendors and staff members will take you a long way toward safety.

A large multinational financial institution was in the process of upgrading their worldwide firewall infrastructure to a different product. Taking stability as a priority, they decided to implement the most mature, but not most current, version of the firewall. During the global rollout a new and unexpected vulnerability was discovered, effectively exposing the institution to risk.
The question now was whether to halt the current upgrade cycle and patch the newly installed firewalls, or to continue the implementation and instigate a patching regime after deployment. Before the deployment had even completed, a change cycle was required!

By assessing the risks and applying the basic security principles, the company arrived at the conclusion that their best option was to complete the deployment and patch the deployed firewalls after completion. This decision turned out to be the right one, due in no small part to the fact that they understood how to patch their infrastructure and their levels of exposure.

Developing a Migration Plan

Have a plan for performing these patches and modifications on your systems. Put into effect a framework for testing the patches, and create rules for what testing must be done before implementing the changes on your production systems. Such policies are called migration plans.

Migration plans also begin with risks, just like an assessment. The plan outlines which systems and components at your site are considered mission critical, and defines the systems that fit into lesser categories as well. The migration plan is used to determine when a vulnerability is of the most urgent nature or when it resides lower in the queue. From there, the plan illustrates how the administrators should handle patches and modifications to each category of system. It defines the steps to be followed for authenticating a patch and backing up a system, as well as the testing required for a patch to be approved for implementation on the production site. It may also require peer review of the patched system, or documentation of the changes for archival by a systems management group. The migration plan is simply the administrator's guide to making changes in your organization.

Many frameworks for migration plans exist online today and can be used as templates for customizing the processes to your site. Microsoft offers some basic templates for use with their products to develop and publish migration plans.
The Microsoft tools are available at www.microsoft.com/technet/iis/enfortem.asp. Using a search engine such as Google (www.google.com), it is easy to search for specific migration planning tools for your environment. Other resources include books on the subject and software packages that create the plans for you through interview-style or electronic templates. Many sites include their migration plan in their security policies or their general employment policies as well. However you care to publish it, be sure that it exists and that your staff is following it.

How to Justify a Security Budget

The most common problem with implementing security in any organization is finding the budget to get the people, tools, and time to perform the process. Security staff members are generally well compensated. Security tools and products are often expensive. In many organizations, the time required to apply security to processes is considered prohibitive. When security measures are working correctly, management generally doesn't have to worry about them. In the "New Economy," being first to market or timely in delivery is often more profitable in the short term than being secure. With all of these obstacles, how can you justify the budget you need to bring and maintain security at your site?

Over the years, several methods have been tried. Some have succeeded and many have failed. In many cases, what ultimately brings the security budget is an attacker. In most organizations, the knee-jerk reaction to a security incident is to throw money at the problem. This, however, is the wrong model to follow. The primary issue is that damage has usually already been done in one form or another, and the event may very well be a devastating one that causes a major loss of consumer confidence and thus an immense amount of financial damage. The better solution is to use one of the strategies described in the next sections; these strategies build awareness of the security issues and make a case for the continued existence of information security in your organization, although they both can have negative possibilities. Let's call the first one the yardstick approach, and the second one the fear tactic approach.

The Yardstick Approach

I have had the most success with this one.
In this tactic, we use security and risk as yardsticks to measure the gains that security measures have made for the organization. Basically, we try to convert the security processes we have already created into a dollar amount versus the dollar amount of the damage that we might have faced should we have accepted those risks without mitigation. Dollar amounts seem to work the best, although I have also tried labor hours and other units of measure.

The first step in this process is to create a realistic risk profile for your site. Do this by examining the traffic flowing into your site from the Internet. One common method is to deploy an intrusion detection system outside of your firewall and use that to create baselines of the scans, probes, and attacks that you are seeing on a weekly basis. Extrapolate the data and calculate those figures into whatever timeframe you wish to use.

Next, review the attacks seen by the intrusion detection system (IDS) and estimate the amount of damage those attacks might have been able to do to the organization should they have been successful. Remember that IDSs are like virus scanners; they must be updated frequently to be effective. The easiest way to estimate the damage is to estimate the time required to rebuild the devices in the event of a compromise. If the device attacked is a mission-critical device or handles sensitive data, make a special note of that to use as collateral damages. You may be amazed to discover the number of attacks that are actually going on. I have seen sites being probed several times a minute!

Lastly, throw into this mix the actual numbers estimated from any security incidents or damages that your site may have experienced in the last year or so. These numbers have extra leverage because your management is probably already painfully aware of the events and the damages that have been suffered. For these situations, show the processes that you have either implemented or plan to implement to mitigate these risks from reoccurring. Use real numbers instead of estimates where possible. Now take these figures and chart them against your existing security budget.
Develop the details into a full presentation and get in front of your upper management to explain them. If your numbers turn out as most do, you will be able to demonstrate that vast savings are being generated through the risk mitigation steps that you have already taken. Don't forget to explain the probable damage from exposure of mission-critical systems or data to attack. Plot out worst-case scenarios and mention them, but don't be too strong with them. Your strategy here is to simply make a business case for your budget, not to cause fear or doubt. Figure 1.3 is an example of such a chart.
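An added example of the yardstick arithmetic (not the book's own code): it turns a weekly IDS baseline, per-device rebuild times, the past year's real incident costs and the current budget into the figures for the chart. The success_fraction discount is an added assumption on top of the chapter's "as if every attack had succeeded" estimate, and all numbers are constructed.

```python
"""Security-budget yardstick (added example, not from the book).

Turns an IDS baseline gathered outside the firewall, an estimate of the
time needed to rebuild each targeted device, and the year's actual
incident costs into a dollar figure that can be charted beside the
security budget. The chapter prices every observed attack as if it had
succeeded; the optional success_fraction here (an added assumption,
default 1.0 for the chapter's raw figure) lets you discount that.
All numbers below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    rebuild_hours: float       # time to rebuild after a compromise
    mission_critical: bool     # flagged as collateral damage, not priced


@dataclass(frozen=True)
class Observation:
    """Weekly IDS count of scans/probes/attacks aimed at one device."""
    device: str
    attacks_per_week: int


# Constructed sample data.
DEVICES = {d.name: d for d in [
    Device("www", 8.0, False),
    Device("db", 16.0, True),
    Device("mail", 6.0, False),
]}
OBSERVATIONS = [Observation("www", 40), Observation("db", 5), Observation("mail", 12)]
# Real incidents from the past year (constructed): name -> cost already paid.
INCIDENTS = {"web page defacement": 4000.0, "mail server compromise": 9000.0}
HOURLY_COST = 60.0      # fully loaded labor cost per hour
BUDGET = 30000.0        # current yearly security budget


def extrapolate(per_week, weeks=52):
    """Scale a weekly IDS baseline to the reporting timeframe."""
    return per_week * weeks


def potential_loss(observations, devices, hourly_cost, success_fraction=1.0):
    """Rebuild cost of the observed attacks over a year, plus the
    mission-critical devices to mention as collateral damage."""
    total = 0.0
    collateral = []
    for obs in observations:
        dev = devices[obs.device]
        compromises = extrapolate(obs.attacks_per_week) * success_fraction
        total += compromises * dev.rebuild_hours * hourly_cost
        if dev.mission_critical:
            collateral.append(dev.name)
    return round(total, 2), collateral


def yardstick(observations, devices, hourly_cost, incidents, budget,
              success_fraction=1.0):
    """Figures for the budget slide: avoided loss, real losses, and how
    the sum compares with what the security program costs."""
    avoided, collateral = potential_loss(observations, devices, hourly_cost,
                                         success_fraction)
    actual = round(sum(incidents.values()), 2)
    exposure = round(avoided + actual, 2)
    return {
        "estimated_loss_avoided": avoided,
        "actual_incident_cost": actual,
        "total_exposure": exposure,
        "budget": budget,
        "exposure_to_budget": round(exposure / budget, 2),
        "collateral_damage_note": collateral,
    }


if __name__ == "__main__":
    for label, frac in (("raw (every attack succeeds)", 1.0), ("2% success", 0.02)):
        print(label, yardstick(OBSERVATIONS, DEVICES, HOURLY_COST, INCIDENTS, BUDGET, frac))
```

Even the discounted figure lands above the budget in this constructed case; when your own numbers come out below it, the "Possible Results of Failure" discussion that follows applies.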
Figure 1.3 A Security Budget Yardstick Slide from PowerPoint

Using this method to build a business case for a security budget has worked in many companies of various sizes and markets. By appealing to the financial processes of the organization with clear, concise, and factual information, we bring a better view of the security situation to light, and we do so without causing fear and doubt, which can sometimes backfire on the security team.

A Yardstick Approach Case Study

I once used the yardstick approach to assist in growing the security budget of a client with whom I was working. The client was a network facility for a major university, and they were experiencing large numbers of attacks on a continual basis. They had deployed some basic security measures to protect the student, faculty, and business information of the school, but wanted additional funding to grow the security staff and build some protection systems for a new business-partnered research facility that they were building.

They already had a basic firewall and some internal IDS systems deployed in their organization, and these tools were mitigating most of the attacks. The only incidents they had experienced had been a compromise of a departmental e-mail system and a simple Web page defacement of a Web server in their demilitarized zone (DMZ) segment. I followed the process of deploying an IDS outside of their firewall and discovered several interesting things:

- They were experiencing scans and probes on an average of one attack every half-hour.

- A UNIX system in their DMZ had been compromised and was being used as a distribution site for pirated software.

- Their internal routers and firewall were misconfigured and were passing nonroutable Internet Protocol (IP) addresses to the public Internet.

While the last item is simply a matter of network nicety, they were giving away the address schemes used behind the firewall. The real value, however, was the frequency of the detected attacks and the fact that they had a compromise in progress that could have caused a large amount of bad publicity and embarrassment to the school and its staff members.

We used the same formulas mentioned previously and estimated that attacks to the school would have cost the university in the neighborhood of half a million dollars in lost time and labor costs in the last year. We balanced this against the approximate costs of the firewall and the internal protection systems combined with the salary wages, taxes, and benefits for a total of approximately $130,000 over the last year. We created a short presentation from these figures and delivered it at the next budget meeting. The outcome was amazing. The university nearly doubled the security budget for the following year and provided for two additional team members to be hired. It was a complete victory.

Possible Results of Failure

Not all of the attempts to use the yardstick approach have been successful. There are times when the approach has caused management to perceive that the security team had been less than effective.
Sometimes the figures show that the security budget outweighs the threat levels and the value of the assets that are being secured. If this is the case, presenting the figures to management may be damaging to your team. You also should revisit the strategies you have used to secure your site, try to determine where the cost factors were too high, and evaluate the costs of keeping those solutions in place over time.

Another side effect of failing with this approach is that it often causes a loss of morale amongst your security team. They may feel devalued or unappreciated by the management team. The best way to combat this situation is to really work hard on building awareness in the coming year. You may need to create a "security evangelist" within your team and send him or her out to build excitement and educate the other members of your company.

Side effects of failure with this strategy are usually pretty easy to manage. They usually have less far-reaching effects than the fear tactic approach. In addition, failing with this strategy often leaves room for another try during the following budget cycle, and you may find that you will achieve consistent victories, even after the first year of failure. It seems that this approach makes sense to management staff and that they often respond favorably to it. Consider trying this approach with your site, and use it before you attempt the fear tactic approach.

The Fear Tactic Approach

The second strategy I have used to justify a security budget is the fear tactic approach. I have come to see this approach as a sometimes-necessary evil. This is a very common approach, and it can be a very damaging situation if this strategy fails to convince the management team. In addition, I have seen even successful use of this tactic cause the end of careers for others in some organizations. The whole point of this tactic is to use fear to raise awareness.
Success depends on the reaction of management when confronted with a horrifying scenario or profile; the desired outcome is a knee-jerk reaction of providing resources to make the scenario go away. Occasionally, though, the opposite happens and the management team goes after the messengers, on the grounds that the security team has failed to protect them from these situations.
Even though this tactic raises the level of fear, uncertainty, and doubt in the organization, it is often very successful in raising the level of awareness. Tools such as penetration tests, real-life security incidents, and information warfare scenarios are the basis for this strategy. The bottom line here is to figure out what hurts an organization, and if it is a possibility, either exploit or explain it. The worst-case scenario is often easily understandable in the most basic of terms, and more times than not it will bring about the desired results.

Use the fear tactic approach only as a last resort or when management will not respond to other methods. The results of the methods used in this approach are often controversial and may cause political damage to the security team if the process is not carefully managed, monitored, and controlled. While tools such as penetration testing and information warfare techniques may seem flashy, they can be dangerous if they are misused or get out of control. Always select qualified teams for this type of activity, create a well-defined scope of work, and maintain regular communication with participants.

A Fear Tactic Approach Case Study

A few years ago I had a client that had tried many different approaches to raising security awareness in his company. He was a high-level director in the Information Technologies section of a software company, and he reported directly to a vice president. His company was a fast-growing firm, mainly through the acquisition of competing companies. Security had always been an afterthought for their organization, and he feared that things had gotten out of control. Inside the company, several groups had created their own networks and private connections to the Internet. Additionally, as they acquired new companies, these groups were rapidly connected to the internal networks and allowed to maintain their own connections to the Internet. Devices were popping up on the company networks at the rate of several systems a day, and they had no control over the deployment and no idea what all was out there. To make matters even worse, they had deployed no internal control methods, many of the employees in the purchased companies were openly hostile, and they were being rushed to market with a new e-commerce product offering. My client felt that things had to change before major damage occurred.

His team had tried, unsuccessfully, to raise awareness using the standard methods. They had created user groups, performed internal evangelism, hosted various security meetings, had outreach seminars for developers, and much more. Finally, as a last resort it was decided that they needed a vulnerability analysis and penetration test to give the company examples of the risks they were facing from the public Internet.

The tests began after all the contracts were finalized and the scoping of the testing was performed and agreed upon. Immediately, risks became vulnerabilities, and within hours, many systems were compromised. A software development group had left their systems unprotected and connected to the Internet. These systems were used as launching points to attack the internal network. Over the next few days, my team compromised many systems and thousands of accounts, finally ending with the capture and compromise of their newly deployed e-commerce systems.

In the weeks that followed, we created reports and gave presentations to many of their management teams and IT staff members. There were a few political situations, but overall management was responsive when confronted with the truth. The security group received their additional funding, and staff members were added as well as supplemented with consultants.
Over the next year, the director rebuilt the network, deployed the e-commerce systems in a more secure fashion, and today is well on his way to regaining control and establishing safe management. New systems are no longer added to the network without appropriate migration planning, and connectivity is becoming centrally managed. They have added a complete incident response process and intrusion detection measures.While not all of the uses of this strategy end this successfully, this was one case where things turned out well. www.syngress.com
Possible Results of Failure

The fear tactic approach is not without its drawbacks. As expressed earlier, there are times when using this approach has come back against the security team itself, as management ends up feeling that the team has not functioned properly and blames it for the current problems. While this is not common, it is certainly a risk when dealing with this strategy.

Political problems often arise from this approach as well. Groups that are exposed as having been vulnerable are often blamed for the damages, or may become difficult to work with in the future. The best way to control this side effect is to continually reinforce that individuals are not to blame, but that the whole process requires change and better control. Extra effort to build relationships with the affected groups and offers of assistance with repair are often helpful as well.

Another problem with fear tactics is that sometimes management responds by creating a rush to "get secure." Often this problem leads to large-scale panic and chaos. The best method to avoid this problem is to create a step-by-step process for implementing the required solutions prior to presenting the results of the testing to the management team. In this way, you can better control the responses and demonstrate that you have a plan for resolving the issues without the need for panic. Careful application of the repair process can bring value to the security team and enhance its image within the company.

Additionally, a fear tactic often leads to a cycle of breaking systems to prove that they are insecure, rather than reaching a point where security operations happen proactively. The greatest danger here is to those systems that the team is not able to prove vulnerable: they may not be repaired despite your knowing that they may be vulnerable to an attacker with the proper skill level or resources. For example, your security team may not have the resources to properly design an exploit for a specific buffer overflow, but attackers may have access to a working tool outside of public knowledge. If you are caught in this cycle, you will need to break out of it by immediately stepping back and using an approach such as the yardstick method discussed earlier. Continuing to feed the "prove it or lose it" cycle only does your team and your organization a disservice.
Even with all the negatives this approach can provide, it is the most common method used for raising awareness in an organization. This often leads management to be distrustful of its results and methodologies, because they have heard similar scenarios many times and they often feel that the security team is crying wolf. If this is the case, you have to be able to demonstrate real-world exercises that lead to serious damage for the site and its clients. You also have to be able to deliver the solutions if they fund them, or you may find yourself polishing your résumé.

Security as a Restriction

One of the largest challenges facing security teams today is the nature of how they are perceived. In many organizations, the history of the security team is intertwined with the roles of physical security guards. Many of these security teams are seen by their co-workers as little more than Net cops or computer guards. In addition, since the role of the security team members is often to work with the Human Resources team whenever a problem of usage occurs, the other employees of the company sometimes see the security team in a bad light.

These images and perceptions cause damage to the security process. By alienating the other employees, it becomes more difficult for the security team to perform its duties. The team members will receive less and less cooperation and will become unable to properly interface with the other groups.

The reason that this situation develops is that the wrong images are being portrayed to the other employees. The image is that security is a restriction. Often, this situation arises immediately after controls or monitoring software are put into place to better manage the use of network resources or performance during business hours. While these technologies are not the cause, they are often seen as being a symptom of a "Big Brother" approach.

No one likes to have their privacy violated, so remember to offer similar protections to your staff as you do to your clients. Doing so will let you avoid the dangers of playing "Net cop."
If a user makes a mistake and falls for a social engineering attack, and gives someone his or her password, you want him or her to be able to come tell you about it, and not be afraid of punishment.

Security as an Enabler

To overcome the restrictive view of security, change the overall image of your team to be seen as enablers. Security as an enabler is best portrayed when the security team takes the role of consultant to the other members of your organization. When security is portrayed in this manner and the proper levels of awareness are in place, you will find that other groups begin to actually include your team in the planning and development stages of their projects. By assuming a consultant role, your team is able to build rapport with the other groups and become a resource for them on which to depend. Often, the best way to create this situation is to continually work on awareness and use evangelism. Create informal challenges for the other groups that teach security principles (see the "Last Password Standing" sidebar for an example of a fun challenge).

The other way that security can be seen as an enabler is by building awareness of how a secure environment can assist your employees with performing their jobs. Explain how tools such as Secure Shell and virtual private networks (VPNs) can allow them to perform their job duties remotely. Demonstrate and explain technical solutions that enable a greater range of services to be performed by your development groups by including secure tunneling and strong authentication. When other teams begin to see security as a flexible tool that creates options for their projects instead of a tight set of rules that they have to follow, you will have created a partnering image for your team.

Portraying your team as being enablers makes it much easier for your team members to perform. Organizations in which these types of partnerships exist between the security team and the other groups often have a much lower rate of incidents and a much higher rate of job satisfaction. Be seen as enablers instead of "Net cops" and you will find much more success in the e-commerce world.