NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
GUIDELINES ON SECURING PUBLIC WEB SERVERS

• Request a copy of your credit report yearly from each of the three credit reporting agencies: Equifax, TransUnion, and Experian. If an identity thief opens accounts in your name, they will likely show up on your credit report. 38
• Validating official communication by personalizing emails and providing unique identifying information that only the organization and user should know. However, confidential information should not be disclosed.
• Using digital signatures on e-mail. However, digital signatures may not be validated automatically by the user's email application.
• Performing content validation within the Web application. Vulnerabilities in the organization's Web applications may be used in a phishing attack.
• Personalizing Web content, which can aid users in identifying a fraudulent Web site.
• Using token-based or mutual authentication at the Web site to prevent phishers from reusing previous authentication information to impersonate the user.
Most Web browsers provide some level of phishing protection. All Web browsers inform users when they visit a secured site via a padlock or some other GUI mechanism, and they also inform users if the Domain Name System (DNS) address visited does not match that of the Public Key Infrastructure (PKI) certificate. However, phishing sites often use DNS addresses that are similar to those of the original sites and that have a valid PKI certificate, making them harder to detect. In such cases, a Web browser would notify the user of the danger only if the site was a known phishing site. Browsers may either download a phishing blacklist from the browser manufacturer's Web site periodically or check all Web requests against an anti-phishing database. Organizations should use Web browser-provided anti-phishing features where applicable. In addition, a number of vendors offer more advanced anti-phishing solutions and services [APWG07]:
• Cousin Domain Monitoring and Prevention—Vendors (primarily domain name registrars) monitor and in some instances prevent the creation of domain names similar to those of organizations that may be subject to phishing attacks.
• Attack Detection and Analysis—Vendors monitor e-mail and Web communication to discover ongoing phishing campaigns so that organizations can take appropriate responses.
• Takedown—Vendors aid in limiting access to the phishing Web site.
• Fraud Analysis—Vendors monitor access to the organization's Web site for potential fraud attempts (such as phishers attempting to use captured credentials) or monitor the Web for fraudulent use of an organization's identity.
• Forensic Services—After discovery of a successful phishing attack, vendors aid in addressing issues that arise as a result of the attack.
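The cousin-domain monitoring described above can also be approximated in-house. The following is an added example, not code from NIST SP 800-44 or any vendor: it folds common look-alike character substitutions, then flags names from a feed of observed domains that match the organization's domain under a different TLD, embed the brand label, or sit within a small edit distance of it. The brand domain, the candidate list and the confusable-character table are all assumed/constructed, and the domain split is naive (no public-suffix list).

```python
# Added example (not from NIST SP 800-44): a cousin-domain detector a defender can
# run over newly observed domain names to flag look-alikes of the brand domain.
PROTECTED = "examplebank.com"          # assumed brand domain
CANDIDATES = [                         # constructed feed of observed domains
    "examplebank.com", "examplebank.co", "examp1ebank.com", "exarnplebank.net",
    "examplebank-login.com", "secure-examplebank.com", "exampebank.com",
    "weatherforecast.com", "bankexample.org",
]

# Visually confusable characters collapsed onto one canonical letter (assumed table).
_SINGLE = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o", "3": "e",
                         "4": "a", "@": "a", "5": "s", "$": "s", "7": "t"})

def normalize(label: str) -> str:
    """Lower-case a DNS label and fold common homoglyph substitutions."""
    return label.lower().replace("rn", "m").replace("vv", "w").translate(_SINGLE)

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; labels are short, so the full table is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_domain(name: str):
    """Naive (second-level label, tld) split; no public-suffix handling (assumption)."""
    labels = name.lower().rstrip(".").split(".")
    return labels[-2], labels[-1]

def classify(candidate: str, protected: str = PROTECTED):
    """Return a reason string if candidate resembles protected, else None."""
    if candidate.lower().rstrip(".") == protected:
        return None                                 # the organization's own name
    brand, brand_tld = split_domain(protected)
    sld, tld = split_domain(candidate)
    nb, ns = normalize(brand), normalize(sld)
    if ns == nb:                                    # identical once substitutions are folded
        return "same label, different TLD" if tld != brand_tld else "homoglyph"
    if nb in ns.replace("-", ""):                   # brand used as part of a longer label
        return "brand embedded in label"
    if levenshtein(ns, nb) <= 2:                    # one or two typos away from the brand
        return "near-match (typo/homoglyph)"
    return None

def find_cousins(candidates, protected: str = PROTECTED):
    """Reduce a feed to (domain, reason) pairs worth an analyst's attention."""
    return [(c, r) for c, r in ((c, classify(c, protected)) for c in candidates) if r]

if __name__ == "__main__":
    for domain, reason in find_cousins(CANDIDATES):
        print(f"{domain:28} {reason}")
```

The thresholds and the confusable table are heuristics; in production they would be tuned against the organization's real domain and fed from a registrar or certificate-transparency stream.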
38 Under the Fair and Accurate Credit Transactions Act of 2003, consumers can request a free credit report from each of the three consumer credit reporting companies once every 12 months. See http://www.ftc.gov/os/statutes/fcrajump.shtm for more information.
6-6