NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

More documents

Recommendations

Info

GUIDELINES ON SECURING PUBLIC WEB SERVERS relevant and necessary to the business purpose, 33 and, in many cases, to collect information, to the greatest extent practicable, directly from the subject individual. 34 In addition, accepted practices (many of which are reflected in laws applicable to both private and public institutions) are to provide subject individuals: Notice that information about them is being collected, including descriptions of what data is being collected, with whom it is being shared, and what is being done with that data Opportunities to opt out of data collection unless the data collection is mandatory under law, necessary to the performance of a contract with the subject individual, or if the individual has freely offered his/her PII Opportunities to access and review the records kept about themselves, and to request corrections or additions, especially if that information may be used to make a determination about the individuals’ rights, opportunities, or benefits. The following are examples of personal information: Name E-mail address Mailing address Telephone number SSN Financial information. Federal agencies and many state agencies are also restricted in their ability to use Web browser cookies [OMB00a, OMB00b, OMB00c, and MASS99]. A cookie is a small piece of information that may be written to a user’s hard drive when a Web site is visited. There are two principal types of cookies: Persistent cookies cause the most concern. These cookies can be used to track activities of users over time and across different Web sites. The most common use of persistent cookies is to retain and correlate information about users between sessions. Federal agencies and many state agencies are generally prohibited from using persistent cookies on publicly accessible Web sites. Session cookies are valid for a single session (visit) to a Web site. These cookies expire at the end of the session or within a limited time frame. Because these cookies cannot be used to track personal information, they are generally not subject to the prohibition that applies to persistent cookies. However, their use must be clearly stated and defined in the Web site’s privacy statement. 33 34 “Each agency that maintains a system of records shall….maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by Executive order of the President.” Privacy Act, 5 USC § 552a(e)(1), http://www.usdoj.gov/oip/privstat.htm. “Each agency that maintains a system of records shall…. collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual’s rights, benefits, and privileges under Federal programs.” Privacy Act, 5 USC § 552a(e)(2), http://www.usdoj.gov/oip/privstat.htm. 6-4
GUIDELINES ON SECURING PUBLIC WEB SERVERS 6.3 Mitigating Indirect Attacks on Content Indirect content attacks are not direct attacks on a Web server or its contents; they involve roundabout means to gain information from users who normally visit the Web site maintained on the Web server. The common theme of these attacks is to coerce users into visiting a malicious Web site set up by the attacker and divulging personal information in the belief that the site they visited is the legitimate Web site. While customers of electronic commerce and financial institutions are often targeted, such attacks are not limited to those Web sites. Besides acquiring personal information related to the targeted Web site, attacks may also be directed against the user’s computer from the malicious Web site visited. The types of indirect attacks described in this section are phishing and pharming. 6.3.1 Phishing Phishing attackers use social engineering techniques to trick users into accessing a fake Web site and divulging personal information. In some phishing attacks, attackers send a legitimate-looking e-mail asking users to update their information on the company’s Web site, but the URLs in the e-mail actually point to a false Web site. 35 Other phishing attacks may be more advanced and take advantage of vulnerabilities in the legitimate Web site’s application. 36 Although phishing cannot be prevented entirely through technical means employed on a Web server, many techniques can reduce the likelihood that a Web site’s users will be lured into a phishing attack 37 [Ollm04]: Ensuring customer awareness of the dangers of phishing attacks and how to avoid them. The Federal Trade Commission (FTC) has posted a consumer alert outlining steps that users should take [FTC06a]: • Do not reply to email messages or popup ads asking for personal or financial information. • Do not trust telephone numbers in e-mails or popup ads. Voice over Internet Protocol technology can be used to register a telephone with any area code. • Use antivirus, anti-spyware, and firewall software. These can detect malware on a user’s machine that is participating in a phishing attack. • Do not email personal or financial information. • Review credit card and bank account statements regularly. • Be cautious about accessing untrusted Web sites because some Web browser vulnerabilities can be exploited simply by visiting such sites. Users should also be cautious about opening any attachment or downloading any file from untrusted emails or Web sites. • Forward phishing-related emails to spam@uce.gov and to the organization that is impersonated in the email. 35 36 37 <strong>NIST</strong> SP <strong>800</strong>-45 version 2, <strong>Guidelines</strong> on Electronic Mail Security, contains information on detecting phishing emails. It is available at http://csrc.nist.gov/publications/nistpubs/. An example of an advanced phishing attack occurred on the PayPal Web site [Netcraft06]. Organizations should ensure that their internal users are also made aware of these techniques so that they can avoid phishing attacks directed at them. 6-5
Page 1 and 2:
Special Publication 800</st
Page 3 and 4:
GUIDELINES ON SECURING PUBLIC WEB S
Page 5 and 6: GUIDELINES ON SECURING PUBLIC WEB S
Page 55: GUIDELINES ON SECURING PUBLIC WEB S
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
show all

NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?