NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
GUIDELINES ON SECURING PUBLIC WEB SERVERS

6.3 Mitigating Indirect Attacks on Content

Indirect content attacks are not direct attacks on a Web server or its contents; they involve roundabout means to gain information from users who normally visit the Web site maintained on the Web server. The common theme of these attacks is to coerce users into visiting a malicious Web site set up by the attacker and divulging personal information in the belief that the site they visited is the legitimate Web site. While customers of electronic commerce and financial institutions are often targeted, such attacks are not limited to those Web sites. Besides acquiring personal information related to the targeted Web site, attacks may also be directed against the user's computer from the malicious Web site visited. The types of indirect attacks described in this section are phishing and pharming.
6.3.1 Phishing

Phishing attackers use social engineering techniques to trick users into accessing a fake Web site and divulging personal information. In some phishing attacks, attackers send a legitimate-looking e-mail asking users to update their information on the company's Web site, but the URLs in the e-mail actually point to a false Web site.[35] Other phishing attacks may be more advanced and take advantage of vulnerabilities in the legitimate Web site's application.[36]
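The paragraph above describes the classic phishing e-mail: the visible link reads like the legitimate site, but the href points elsewhere. The following is an added example, not code from NIST SP 800-44, showing how a mail gateway or awareness tool can flag that mismatch by parsing the HTML body and comparing the host named in each anchor's visible text against the host its href actually resolves to. The sample message, the hostnames, the IP address and the function names are all constructed for this illustration; the "same site" normalisation is a deliberately rough last-two-labels heuristic (a production filter would use the Public Suffix List).

```python
"""Flag anchors in an HTML e-mail whose visible text names one host while the
href points to a different one.  Added example for NIST SP 800-44 section
6.3.1; not part of the publication.  All sample data below is constructed."""
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample message: one honest link, one whose text and target
# disagree, and one whose visible text is a plain label (not comparable).
SAMPLE_EMAIL = """
<html><body>
<p>Please log in at <a href="https://www.example-bank.com/login">https://www.example-bank.com/login</a>.</p>
<p>Or use <a href="http://198.51.100.23/acct/">www.example-bank.com/account</a> to update your details.</p>
<p><a href="https://www.example-bank.com/help">Contact us</a></p>
</body></html>
"""


def registrable_host(host: str) -> str:
    """Rough 'same site' normalisation: lower-case, drop a trailing dot and keep
    the last two labels.  IP literals are returned unchanged.  A real filter
    would consult the Public Suffix List instead (assumption for the demo)."""
    host = host.lower().rstrip(".")
    if host.replace(".", "").isdigit():
        return host
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def host_of(text_or_url: str) -> Optional[str]:
    """Return the host named by a URL or a bare 'host/path' string, or None when
    the text does not look like a URL at all (e.g. the label 'Contact us')."""
    candidate = text_or_url.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate      # bare host/path, assume a scheme
    try:
        host = urlparse(candidate).hostname
    except ValueError:
        return None
    if not host or "." not in host or " " in host:
        return None
    return host


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: List[tuple] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
            self._href = None


def suspicious_links(html: str) -> List[Dict[str, Optional[str]]]:
    """Return anchors whose visible text looks like a URL on one site but whose
    href leads to a different site (or to no host at all, e.g. a mailto:)."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        shown = host_of(text)
        if shown is None:
            continue      # visible text is a label, nothing to compare against
        actual = urlparse(href).hostname
        if actual is None or registrable_host(shown) != registrable_host(actual):
            findings.append({"text": text, "href": href,
                             "shown_host": shown, "actual_host": actual})
    return findings


if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL):
        print(f"MISMATCH: text shows {f['shown_host']!r} but href goes to "
              f"{f['actual_host']!r} ({f['href']})")
```

Run against the constructed message, only the second anchor is reported: its text names www.example-bank.com but the href goes to 198.51.100.23. The check is intentionally silent on anchors whose text is a plain label, since those cannot be compared mechanically; that residual case is exactly why the guideline pairs server-side measures with the user-awareness steps that follow.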
Although phishing cannot be prevented entirely through technical means employed on a Web server, many techniques can reduce the likelihood that a Web site's users will be lured into a phishing attack[37] [Ollm04]:

• Ensuring customer awareness of the dangers of phishing attacks and how to avoid them. The Federal Trade Commission (FTC) has posted a consumer alert outlining steps that users should take [FTC06a]:
    • Do not reply to email messages or popup ads asking for personal or financial information.
    • Do not trust telephone numbers in e-mails or popup ads. Voice over Internet Protocol technology can be used to register a telephone with any area code.
    • Use antivirus, anti-spyware, and firewall software. These can detect malware on a user's machine that is participating in a phishing attack.
    • Do not email personal or financial information.
    • Review credit card and bank account statements regularly.
    • Be cautious about accessing untrusted Web sites because some Web browser vulnerabilities can be exploited simply by visiting such sites. Users should also be cautious about opening any attachment or downloading any file from untrusted emails or Web sites.
    • Forward phishing-related emails to spam@uce.gov and to the organization that is impersonated in the email.
[35] NIST SP 800-45 version 2, Guidelines on Electronic Mail Security, contains information on detecting phishing emails. It is available at http://csrc.nist.gov/publications/nistpubs/.
[36] An example of an advanced phishing attack occurred on the PayPal Web site [Netcraft06].
[37] Organizations should ensure that their internal users are also made aware of these techniques so that they can avoid phishing attacks directed at them.
6-5