NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

More documents

Recommendations

Info

GUIDELINES ON SECURING PUBLIC WEB SERVERS • Request a copy of your credit report yearly from each of the three credit reporting agencies: Equifax, TransUnion, and Experian. If an identity thief opens accounts in your name, they will likely show up on your credit report. 38 Validating official communication by personalizing emails and providing unique identifying information that only the organization and user should know. However, confidential information should not be disclosed. Using digital signatures on e-mail. However, digital signatures may not be validated automatically by the user’s email application. Performing content validation within the Web application. Vulnerabilities in the organization’s Web applications may be used in a phishing attack. Personalizing Web content, which can aid users in identifying a fraudulent Web site. Using token-based or mutual authentication at the Web site to prevent phishers from reusing previous authentication information to impersonate the user. Most Web browsers provide some level of phishing protection. All Web browsers inform users when they visit a secured site via a padlock or some other GUI mechanism, and they also inform users if the Domain Name System (DNS) address visited does not match that of the Public Key Infrastructure (PKI) certificate. However, phishing sites often use DNS addresses that are similar to those of the original sites and that have a valid PKI certificate, making them harder to detect. In such cases, a Web browser would notify the user of the danger only if the site was a known phishing site. Browsers may either download a phishing blacklist from the browser manufacturer’s Web site periodically or check all Web requests against an anti-phishing database. Organizations should use Web browser-provided anti-phishing features where applicable. In addition, a number of vendors offer more advanced anti-phishing solutions and services [APWG07]: Cousin Domain Monitoring and Prevention—Vendors (primarily domain name registrars) monitor and in some instances prevent the creation of domain names similar to those of organizations that may be subject to phishing attacks. Attack Detection and Analysis—Vendors monitor e-mail and Web communication to discover ongoing phishing campaigns so that organizations can take appropriate responses. Takedown—Vendors aid in limiting access to the phishing Web site. Fraud Analysis—Vendors monitor access to the organization’s Web site for potential fraud attempts (such as phishers attempting to use captured credentials) or monitor the Web for fraudulent use of an organization’s identity. Forensic Services—After discovery of a successful phishing attack, vendors aid in addressing issues that arise as a result of the attack. 38 Under the Fair and Accurate Credit Transactions Act of 2003, consumers can request a free credit report from each of the three consumer credit reporting companies once every 12 months. See http://www.ftc.gov/os/statutes/fcrajump.shtm for more information. 6-6
GUIDELINES ON SECURING PUBLIC WEB SERVERS Consumer Toolbars—Vendors provide browser plug-ins that can provide or augment phishing detection available in users’ browsers. E-mail Authentication—Vendors provide secure e-mail solutions allowing users to discern whether or not an e-mail is from the organization itself or is a potential phishing attack. E-mail Filtering—Vendors provide solutions to prevent an organization’s internal users from receiving phishing e-mails. Web Filtering—Vendors monitor an organization’s outbound Web requests and prevent users from accessing known or suspected phishing Web sites. Authentication—Vendors provide strong authentication solutions that are less susceptible to phishing attacks. Law Enforcement Enablement—Vendors assist organizations in contacting law enforcement officials to aid in shutting down and prosecuting phishing attacks. When contemplating anti-phishing measures, it is important to consider the type of information being hosted on the Web site. Web sites with little or no sensitive information may not need to implement more advanced or costly anti-phishing measures. Web sites storing PII should strongly consider implementing more robust anti-phishing measures. 6.3.2 Pharming Pharming attackers use technical means, instead of social engineering, to redirect users into accessing a fake Web site masquerading as a legitimate one and divulging personal information. Pharming is normally accomplished either by exploiting vulnerabilities in DNS software, which is used to resolve human-readable Internet domain names into IP addresses, or by altering the host files maintained on a client computer for locally resolving Internet domain names. In either case, the affected system incorrectly resolves legitimate names to the malicious Web site address. Various techniques can help reduce the likelihood that a Web site’s users become involved in a pharming attack [Ollm05]: Using the Current <strong>Version</strong>s of DNS Software with the Latest Security Patches Applied—A compromised DNS server will allow attackers to direct users to a malicious server while maintaining a legitimate DNS name. Installing Server-Side DNS Protection Mechanisms Against Pharming—There are tools available to mitigate threats to DNS software, such as the DNS Security Extensions; these are discussed in <strong>NIST</strong> SP <strong>800</strong>-81, Secure Domain Name System (DNS) Deployment Guide. 39 Monitoring Organizational Domains and the Registration of Similar Domains—Pharming attacks may take advantage of users who misspell the organization’s domain name when accessing the site. Simplifying the Structure and Number of Organizational Domain Names—If an organization has a complicated naming structure for its servers, it becomes increasingly difficult for users to discern whether they are on an illegitimate site. For example, many organizations will have users login at one 39 <strong>NIST</strong> SP <strong>800</strong>-81, Secure Domain Name System (DNS) Deployment Guide, is available at http://csrc.nist.gov/publications/nistpubs/ 6-7
Page 1 and 2:
Special Publication 800</st
Page 3 and 4:
GUIDELINES ON SECURING PUBLIC WEB S
Page 5 and 6:
Page 7 and 8: GUIDELINES ON SECURING PUBLIC WEB S
Page 57: GUIDELINES ON SECURING PUBLIC WEB S
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
show all

NIST 800-44 Version 2 Guidelines on Securing Public Web Servers

Create successful ePaper yourself

Delete template?

Save as template?