
Security


A Proposal for Secure Storage of Credit Card Data.

We were asked by a company in the retailing/catalog business how they might secure their customer credit card data, and we were surprised not to find any obvious references to this other than what happens if you don't. Clearly this involves cryptography, but the micro problem of "which encryption?" is substantially less difficult than the macro problem of how this change affects how they do business. It's always dangerous to roll your own crypto solutions, but we'll step into the breach with thoughts of how this could be achieved in practice. We very much welcome feedback on how this might fit into other enterprises, or where there might be holes in our reasoning. This paper is an attempt to think out loud about the issues involved (beyond "just encrypt the data") as it applies to a real enterprise application. We'll note that we use the term "The bank" to refer to the party that performs credit card authorizations at the other end of a dedicated circuit.

In no particular order.

SSL/TLS Strong Encryption: How-To.

The solution to this problem is trivial and is left as an exercise for the reader. -- Standard textbook cookie

How to solve particular security problems for an SSL-aware webserver is not always obvious because of the interactions between SSL, HTTP and Apache's way of processing requests. This chapter gives instructions on how to solve some typical situations. Treat it as a first step to find out the final solution, but always try to understand the stuff before you use it. Nothing is worse than using a security solution without knowing its restrictions and how it interacts with other systems.

Cipher Suites and Enforcing Strong Security

How can I create a real SSLv2-only server?

The following creates an SSL server which speaks only the SSLv2 protocol and its ciphers.

httpd.conf
SSLProtocol -all +SSLv2
SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP

How can I create an SSL server which accepts strong encryption only?

The following enables only the seven strongest ciphers: This can be done as follows:

Threatpost | The first stop for security news.

Revocation list.

In the operation of some cryptosystems, usually public key infrastructures (PKIs), a certificate revocation list (CRL) is a list of certificates (or more specifically, a list of serial numbers for certificates) that have been revoked, and therefore, entities presenting those (revoked) certificates should no longer be trusted.

Revocation states

There are two different states of revocation defined in RFC 3280:

Revoked: A certificate is irreversibly revoked if, for example, it is discovered that the certificate authority (CA) had improperly issued a certificate, or if a private key is thought to have been compromised.

Certificates may also be revoked for failure of the identified entity to adhere to policy requirements, such as publication of false documents, misrepresentation of software behavior, or violation of any other policy specified by the CA operator or its customer.

Reasons for revocation

Reasons to revoke a certificate according to RFC 5280 p69 are:

RSA - Information Security, Governance, Risk, and Compliance.

Intrusion detection system.

An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station. IDS come in a variety of “flavors” and approach the goal of detecting suspicious traffic in different ways. There are network based (NIDS) and host based (HIDS) intrusion detection systems. Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts.

In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organization.[1]

Server Management and Support by rackAID.

Security Auditing. Updated: January 25, 2010. Applies To: Windows Server 2008, Windows Server 2008 R2

This navigation topic for the IT professional describes the documentation available to plan, implement, and monitor events by using features found in Windows Security Auditing. Security auditing is one of the most powerful tools that you can use to maintain the security of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment.

Advanced Security Auditing Walkthrough: This step-by-step guide uses Windows Server 2008 R2 and Windows 7 to demonstrate the process of setting up an advanced audit policies infrastructure in a test environment.

Planning and Deploying Advanced Security Audit Policies: This topic explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network.

HTTP/1.1: Status Code Definitions.

Each Status-Code is described below, including a description of which method(s) it can follow and any metainformation required in the response.

10.1 Informational 1xx

This class of status code indicates a provisional response, consisting only of the Status-Line and optional headers, and is terminated by an empty line.

There are no required headers for this class of status code. Since HTTP/1.0 did not define any 1xx status codes, servers MUST NOT send a 1xx response to an HTTP/1.0 client except under experimental conditions. A client MUST be prepared to accept one or more 1xx status responses prior to a regular response, even if the client does not expect a 100 (Continue) status message. Proxies MUST forward 1xx responses, unless the connection between the proxy and its client has been closed, or unless the proxy itself requested the generation of the 1xx response.

10.1.1 100 Continue

The client SHOULD continue with its request.

10.1.2 101 Switching Protocols

10.2 Successful 2xx - Date.

Securing Internet Information Services 6.0. Updated: July 21, 2006

Introduction

Web servers are frequent targets for various types of security attacks.

Some of these attacks are serious enough to cause significant damage to business assets, productivity, and customer relationships—and all attacks are inconvenient and frustrating. The security of your Web servers is vital to the success of your business. This document explains how to begin the process of securing a Web server that is running Internet Information Services (IIS) 6.0 on the Microsoft® Windows Server™ 2003, Standard Edition operating system. IIS 6.0 takes a more proactive stance against malicious users and attackers by making the following changes from earlier versions of IIS:

Objective of This Document.

Configure Linux As Bastion Host.

What is a bastion host? How do I configure a bastion host under Linux? How do I create a firewall for a bastion host under any Linux distribution?

A bastion host is a high-risk host on your network. It can be a dedicated Linux box running netfilter, an OpenBSD box running PF, or a Cisco PIX device. This device is designed to protect your network from external threats.

    The Internet
         \\
          \\
      Bastion Host
          //
         //
      Your Network

Usually a bastion host is placed outside your corporate firewall or in the DMZ itself.

    The Internet
          \\
    +---------------+
    | Bastion Host  |  <--- Outside firewall
    +---------------+
          //
    +---------------+
    |      DMZ      |  <---- Inside firewall
    +---------------+
          \\
          ||
    +---------------+
    |  LAN1   LAN2  |
    +---------------+

In most cases it has access from the Internet or untrusted parties / computers: Web server, DNS Server, FTP Server, Proxy Server, Honey pots, Email Server etc.

WARNING!

Bastion Host and Screened Subnet

A bastion host adds an extra layer of security to the screened host architecture.

Bastion host.

Background

...a system identified by the firewall administrator as a critical strong point in the network's security. Generally, bastion hosts will have some degree of extra attention paid to their security, may undergo regular audits, and may have modified software.[2]

Definition

It is a system identified by the firewall administrator as a critical strong point in network security. A bastion host is a computer that is fully exposed to attack. The system is on the public side of the demilitarized zone (DMZ), unprotected by a firewall or filtering router. Frequently the roles of these systems are critical to the network security system.

Examples

These are several examples of bastion host systems/services:

Best Practices

Because bastion hosts are particularly vulnerable to attack, due to the level of required access with the outside world to make them useful, there are several best practice suggestions to follow:

Zend Framework.

SQL Injection Attacks by Example.

A customer asked that we check out his intranet site, which was used by the company's employees and customers. This was part of a larger security review, and though we'd not actually used SQL injection to penetrate a network before, we were pretty familiar with the general concepts. We were completely successful in this engagement, and wanted to recount the steps taken as an illustration. "SQL Injection" is a subset of the unverified/unsanitized user input vulnerability ("buffer overflows" are a different subset), and the idea is to convince the application to run SQL code that was not intended.

If the application is creating SQL strings naively on the fly and then running them, it's straightforward to create some real surprises. We'll note that this was a somewhat winding road with more than one wrong turn, and others with more experience will certainly have different -- and better -- approaches. But the fact that we were successful does suggest that we were not entirely misguided.

Category:OWASP Top Ten Project.

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. Globally recognized by developers as the first step towards more secure coding. Companies should adopt this document and start the process of ensuring that their web applications minimize these risks. Using the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces more secure code.

Top 10 Web Application Security Risks

There are three new categories, four categories with naming and scoping changes, and some consolidation in the Top 10 for 2021. A01:2021-Broken Access Control moves up from the fifth position; 94% of applications were tested for some form of broken access control. Efforts have been made in numerous languages to translate the OWASP Top 10 - 2021.

OWASP.