Security tips
Information and advice to avoid the top security risks found by NTA Monitor during testing in 2010.
- SQL injection: to address SQL injection issues, it is important that all user input is parameterised (where possible). Most databases and languages support parameterised queries (e.g. PREPARE for MySQL and PreparedStatement for Java). If prepared statements are not possible, it is important that all meta characters (e.g. the single quote) in input are sanitised before being allowed to pass to the backend database (e.g. htmlspecialchars with ENT_QUOTES for PHP).
- Patch management: it is recommended that systems are updated with the latest service pack and patches. It is also suggested that a patch management policy to update IT systems on a frequent basis is implemented.
- Cross-site scripting: to avoid XSS, all areas of an application where user input is accepted must be checked and sanitised against invalid character input. All meta characters and HTML tags (e.g. < >) should be restricted where possible before the input is allowed to reach the backend.
- Cross-site request forgery: switching from a persistent authentication method (e.g. a cookie or HTTP authentication) to a transient authentication method (e.g. a hidden field provided on every form) will help prevent CSRF attacks. A similar approach is to include a secret, user-specific token in forms that is verified in addition to the cookie. Contrary to popular belief, using POST instead of GET does not offer sufficient protection: JavaScript can be used to forge POST requests with ease. Nevertheless, requests that perform an action should always use POST. It is therefore recommended that a random token be applied to each form to provide form-based security and to prevent rogue form submission.
- Password issues: tighter restrictions must be placed on password length, and more stringent controls on what users can choose as their password need to be applied. This will help users protect their accounts more effectively. It would also be beneficial to provide some online documentation on choosing secure passwords. In addition, the characters allowed in the password and all other fields submitted using web forms should be reviewed, taking care to filter out any characters which may cause back-end systems to execute unwanted commands.
- Denial of Service (DoS Apache): if web servers are running a version of Apache Web Server that is vulnerable to a denial of service, appropriate patches should be applied or servers upgraded to the latest version.
- No account lockout mechanism: it is recommended that accounts are locked out after around three consecutive failed logon attempts. This will prevent attackers from brute-forcing accounts. To avoid locking an account out indefinitely, best practice is to lock a user out for a substantial amount of time, e.g. between 30 minutes and two hours, after three incorrect attempts. There is a good chance that this won't affect the user, but it will certainly hamper an attacker's progress.
- Static session ID is used before and after authentication: it is recommended that an old session ID is expired and a new session ID is issued after successful authentication.
- No, or weak, encryption: access to sensitive or confidential information should only be allowed over SSL. It is particularly important to ensure login form details are submitted to an HTTPS URL.
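The SQL injection and cross-site scripting tips above both come down to keeping user input from being interpreted as code in the backend. The following is an added example, not code from NTA Monitor's report: it puts a string-concatenated login query (the defect the SQL injection tip describes) beside its parameterised form, and an unescaped HTML rendering beside one that escapes the meta characters the XSS tip names. The in-memory SQLite table, the account row and the payload strings are all constructed for the example.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with a single test account (not a real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Deliberately unsafe: input is concatenated into the SQL text, so a single
    quote in the input changes the structure of the query."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Safe form: the driver binds the values to placeholders, so quotes in the
    input are treated as data and never as SQL syntax."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def render_greeting_unescaped(name: str) -> str:
    """Deliberately unsafe: any < > or quote characters in name reach the page as markup."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_escaped(name: str) -> str:
    """Safe form: html.escape with quote=True turns & < > " ' into entities,
    the same job htmlspecialchars with ENT_QUOTES does in PHP."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    bad_password = "' OR '1'='1"          # constructed input containing the single-quote meta character
    print("concatenated query accepts it:", login_vulnerable(db, "alice", bad_password))
    print("parameterised query accepts it:", login_parameterised(db, "alice", bad_password))
    print(render_greeting_escaped("<script>alert(1)</script>"))
```

The two login functions run the same logical query; only the vulnerable one lets a quote in the password field rewrite the WHERE clause. Note that output escaping for HTML and parameterising for SQL are different controls for different contexts and neither substitutes for the other.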
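The CSRF tip (a secret, user-specific token in every form, verified in addition to the cookie) and the static session ID tip (expire the pre-login ID and issue a new one on successful authentication) are both part of the same login and form-handling flow. The following added example, not code from the original page, models that flow with a toy in-memory session store; the SessionStore class, handle_form_post and the session and token formats are assumptions made for the example, not any framework's API.

```python
import hmac
import secrets


class SessionStore:
    """Toy in-memory session store, constructed for this example."""

    def __init__(self) -> None:
        self._sessions: dict = {}  # session_id -> {"user": ..., "csrf": ...}

    def create(self) -> str:
        """Issue an anonymous (pre-login) session with its own per-session CSRF token."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "csrf": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid: str):
        return self._sessions.get(sid)

    def login(self, old_sid: str, user: str) -> str:
        """On successful authentication, expire the old session ID and issue a fresh
        one (with a fresh CSRF token), so an ID observed before login is worthless."""
        data = self._sessions.pop(old_sid, None)
        if data is None:
            raise KeyError("unknown session")
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return new_sid

    def csrf_token(self, sid: str) -> str:
        """Token to embed as a hidden field in every form rendered for this session."""
        return self._sessions[sid]["csrf"]

    def verify_csrf(self, sid: str, submitted) -> bool:
        data = self._sessions.get(sid)
        if data is None or not isinstance(submitted, str):
            return False
        # constant-time comparison so the token cannot be guessed byte by byte
        return hmac.compare_digest(data["csrf"], submitted)


def handle_form_post(store: SessionStore, cookie_sid: str, form_fields: dict) -> str:
    """Simulated POST handler: the session cookie alone is not enough, the hidden
    csrf_token field must match the token stored for that session."""
    if not store.verify_csrf(cookie_sid, form_fields.get("csrf_token")):
        return "403 rejected"
    return "200 ok"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create()
    print(handle_form_post(store, sid, {}))                                   # no token -> rejected
    print(handle_form_post(store, sid, {"csrf_token": store.csrf_token(sid)}))  # valid token -> ok
    new_sid = store.login(sid, "alice")
    print(store.get(sid) is None, new_sid != sid)                             # old ID expired
```

A forged cross-site POST carries the victim's cookie automatically but cannot read the hidden token from a page it did not load, which is why the handler rejects any submission whose token is missing or wrong.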
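The account lockout tip specifies the policy (around three consecutive failures, then a lock of roughly 30 minutes to two hours rather than an indefinite one). The following is an added example, not code from the original page, implementing that policy as a small guard in front of a password check; the LoginGuard class, the injectable clock and the 30-minute figure chosen for the constant are assumptions made for the example.

```python
import time

MAX_ATTEMPTS = 3            # consecutive failures before the account is locked
LOCKOUT_SECONDS = 30 * 60   # 30 minutes: the lower end of the range the tip suggests


class LoginGuard:
    """Wraps a password check with a temporary, self-expiring account lockout."""

    def __init__(self, check_password, now=time.time) -> None:
        self._check_password = check_password   # callable(user, password) -> bool
        self._now = now                         # injectable clock (for testing)
        self._failures: dict = {}               # user -> consecutive failed attempts
        self._locked_until: dict = {}           # user -> unix time the lock expires

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self._now() >= until:
            # lock has expired: clear the lock and the failure counter
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def attempt(self, user: str, password: str) -> str:
        """Returns 'ok', 'failed' or 'locked'. While locked, even a correct
        password is rejected, which is what stops a brute-force run."""
        if self.is_locked(user):
            return "locked"
        if self._check_password(user, password):
            self._failures.pop(user, None)      # success resets the counter
            return "ok"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= MAX_ATTEMPTS:
            self._locked_until[user] = self._now() + LOCKOUT_SECONDS
            return "locked"
        return "failed"


if __name__ == "__main__":
    # constructed credential check for the demo; a real one would verify a password hash
    guard = LoginGuard(lambda u, p: (u, p) == ("alice", "s3cret"))
    for pw in ("wrong", "wrong", "wrong", "s3cret"):
        print(pw, "->", guard.attempt("alice", pw))
```

The lock is keyed on the account, not the client, so it fires however many source addresses the attempts come from; the trade-off the tip mentions is that an attacker can also lock a legitimate user out for the lock duration, which is why the lock is bounded rather than indefinite.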
And here are some general security tips to help improve network security:
- Put your IT security policies in writing and ensure that all staff members have access to them - the more ways the better. Post them on noticeboards, intranets and in staff induction manuals, and put up posters.
- Ensure that all levels of employees are aware of IT security policies - top level management should not be excluded from policy implementation, and quite often the most sensitive corporate information is held by those at the top.
- Make sure that your security policy covers mobile devices - do you know how many of your staff plug in their MP3 players or USB sticks and transport information to and from work?
- Ensure that you are aware of any legal or best practice requirements - acts like Sarbanes-Oxley are more far-reaching than many people realise.
- Discourage staff members from leaving their passwords lying around, and ensure that passwords are changed frequently and that they are difficult to guess.
- Never open emails with .vbs, .shs or .pif file attachments; they are commonly used by worms and viruses.