Best Practices for Protecting Banking Sites
Terence Cornelius, CISSP
The scale of the global criminal operation on the internet has reached such proportions that Sophos discovers one new infected webpage every 4.5 seconds, 24 hours a day, 365 days a year. With statistics like that, it is quite possible that at least one of your bank's websites is already a victim; at the very least, you should be thinking seriously about the security of your websites. Nowadays, defaced banking websites or fraudulent sites posing as your website aren't the only worry. Even your actual production website can be dangerous if hackers can get their hooks into it. During 2008, Symantec observed more than 18 million drive-by download attacks. A "drive-by download" is a type of attack in which a download happens from the website without the knowledge of the user. Hackers can set up an attack scenario in which visitors to a section of the website have their own computers compromised and their data stolen. One prominent drive-by download example is the Bank of India hack in August 2007, which was widely reported in the media.
There is no such thing as a totally hack-proof system, and people managing websites are only human. Combined, they form a double weakness. But then people are also the most resilient defense force. This article aims to provide a checklist for management to give them a few quick tips to protect their websites without expensive infrastructure investments.
Bringing to bear selected defenses during different stages of a website roll-out gives the maximum bang for the buck.
Planning Phase Activities
Avoid Shared Hosting
When you use web hosting companies, your security is only as good as theirs. Even if your website is secured against all known vulnerabilities, an attacker can compromise a vulnerable co-hosted site, gain administrative control of the underlying operating system and play havoc with your site and its contents.
If any of your sites are co-hosted with other sites, consider moving them to a dedicated server. If you cannot move them, ensure that the web hosting company has good security practices in place so that all vulnerabilities are mitigated. At a minimum, ensure that only required services are exposed and that unused modules are disabled. Also increase the frequency of vulnerability assessments and penetration tests carried out on these servers.
Review the Network Architecture
All the servers related to the websites should be placed in proper segments. A web server needs to be in a segment which has only Internet-facing servers; the application and database servers should be in different segments. Web servers must only access the application servers and the application servers must only access the database servers. The database servers must not be directly accessed by the web servers. Server access should be given only if it is required and only after proper approval from management.
A review of the network architecture should be done on a periodic basis either by the internal audit department or by the third party auditors.
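The segmentation rule above (Internet reaches only the web tier, web servers reach only the application tier, application servers reach only the database tier) can be checked mechanically against a firewall rule set rather than by eye. The following is an added example, not code from the article or from the author's firm; the segment address ranges, the rule format and the sample rules are all constructed for illustration.

```python
import ipaddress

# Constructed example segments (not from the article). 0.0.0.0/0 is the
# catch-all for anything that is not one of our internal tiers.
SEGMENTS = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "web": ipaddress.ip_network("10.1.0.0/24"),
    "app": ipaddress.ip_network("10.2.0.0/24"),
    "db": ipaddress.ip_network("10.3.0.0/24"),
}

# The only inter-segment flows the architecture permits.
ALLOWED_FLOWS = {("internet", "web"), ("web", "app"), ("app", "db")}


def segment_of(ip):
    """Return the name of the most specific segment containing ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in SEGMENTS.items():
        if addr in net and (best is None or net.prefixlen > SEGMENTS[best].prefixlen):
            best = name
    return best


def find_violations(rules):
    """rules: list of dicts with keys src, dst, port, action ('allow' or 'deny').

    Simplified model: each rule names single source and destination hosts.
    Returns every 'allow' rule whose (source segment, destination segment)
    pair is not in ALLOWED_FLOWS, e.g. a web server talking straight to a
    database server.
    """
    violations = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        flow = (segment_of(rule["src"]), segment_of(rule["dst"]))
        if flow not in ALLOWED_FLOWS:
            violations.append((flow, rule))
    return violations


# Constructed sample rule set for a review run.
SAMPLE_RULES = [
    {"src": "198.51.100.20", "dst": "10.1.0.10", "port": 443, "action": "allow"},
    {"src": "10.1.0.10", "dst": "10.2.0.10", "port": 8080, "action": "allow"},
    {"src": "10.2.0.10", "dst": "10.3.0.10", "port": 1433, "action": "allow"},
    # Web tier reaching the database directly: this is the finding.
    {"src": "10.1.0.10", "dst": "10.3.0.10", "port": 1433, "action": "allow"},
    {"src": "10.1.0.0", "dst": "10.3.0.10", "port": 1433, "action": "deny"},
]

if __name__ == "__main__":
    for flow, rule in find_violations(SAMPLE_RULES):
        print("VIOLATION %s -> %s: %s" % (flow[0], flow[1], rule))
```

A periodic architecture review can run a check like this over an export of the actual firewall policy, so that any ad-hoc rule added "temporarily" for troubleshooting shows up at the next review.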
Baseline the systems and do a vulnerability assessment
Baseline hardening should be done on all systems before going into production, based on the company's security policy.
After baseline hardening, a vulnerability assessment should be carried out on all the systems that are involved with the website before the website goes live. This would include the web server software (IIS, Apache, etc.), the operating system hosting the website, the application servers and the database servers. A vulnerability assessment will ensure that well-known vulnerabilities are patched and that all the systems are up to date with the latest software updates and patches. After the initial implementation, vulnerability assessments should be carried out on a periodic basis, either with tools run by the internal audit department or by third-party auditors.
Test the application's security
Application testing should be carried out before the application goes into the production environment. This will ensure that vulnerabilities related to the applications are patched. Examples of application vulnerabilities would be improper data validation, encryption not present, SQL injection, cross-site scripting (XSS), etc.
Application testing should be carried out on a periodic basis either by the internal audit department or third party auditors.
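The three application vulnerabilities named above (improper data validation, SQL injection and cross-site scripting) are easiest to recognise side by side with their fixes. The following is an added example, not code from the article; the in-memory accounts table, the username pattern and the greeting page are all constructed. It shows a lookup that splices user input into SQL text next to one that binds it as a parameter, a positive validation check, and output encoding for HTML.

```python
import html
import re
import sqlite3


def build_db():
    """Constructed sample data: a tiny in-memory accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", 1200), ("bob", 340), ("carol", 9800)],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable: untrusted input becomes part of the SQL text, so the
    # input can change the structure of the query, not just its data.
    query = "SELECT username, balance FROM accounts WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def lookup_hardened(conn, username):
    # Hardened: a bound parameter is always treated as a literal value.
    query = "SELECT username, balance FROM accounts WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Constructed policy: usernames are 3-32 lowercase letters, digits or
# underscores, starting with a letter.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def validate_username(username):
    # Positive (allow-list) validation: accept only what the application
    # expects, instead of trying to enumerate bad characters.
    return bool(USERNAME_RE.match(username))


def render_greeting(username):
    # Output encoding: escape before placing the value into HTML so that
    # < > & " ' cannot become markup or script (cross-site scripting defense).
    return "<p>Welcome, %s</p>" % html.escape(username, quote=True)


if __name__ == "__main__":
    db = build_db()
    # A test input that a security tester would feed to both lookups.
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))  # returns every row
    print("hardened:  ", lookup_hardened(db, probe))    # returns nothing
    print("valid?     ", validate_username(probe))      # False
    print(render_greeting("<script>"))                  # &lt;script&gt;
```

During application testing the same input is sent to each entry point; if it changes the result set, as it does for `lookup_vulnerable`, the query is building SQL from strings and needs the parameterised form. Validation and output encoding are layered on top: validation rejects the input early, and encoding protects any page that must echo a stored value back to a browser.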
Carry out an external penetration test
External penetration testing uses a third party to scan your website (its publicly available URL or external IP address) and find vulnerabilities that can be exploited by a hacker on the Internet.
External penetration testing will ensure that the vulnerabilities that can be exploited from outside the network are mitigated. External penetration testing should be done on the website before it goes live and then it should be continued on a periodic basis by the internal audit department or professional third party auditors.
Carry out an internal penetration test
Internal penetration testing uses your internal audit team or a third party to scan all your internal IP addresses (all systems related to the website) and find vulnerabilities that can be exploited by a hacker (internal employee) on your intranet.
Internal penetration testing will ensure that the vulnerabilities that can be exploited from inside the network are mitigated. Internal penetration testing should be done on all systems (related to the website) before they go live and then it should be continued on a periodic basis by the internal audit department or professional third party auditors.
Monitor for malicious activities
Intrusion detection systems can flag malicious activity, but many organizations log events and then fail to review the suspicious entries.
Your organization should have real-time monitoring and alerting mechanisms for quickly detecting any issues. If your company cannot monitor malicious activities, monitoring can be outsourced to a third-party security operations center where monitoring of malicious activities happens on a real-time basis.
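Monitoring only has value if someone, or something, actually reads the logs. The following is an added example, not code from the article; the access-log lines are constructed in common log format and the two detection rules (a burst of error responses from one client, and request paths that look like injection or directory-traversal probes) are illustrative of what a real-time alerting rule might do.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jun/2009:10:01:02 +0000] "GET /login HTTP/1.1" 200 1532
203.0.113.5 - - [12/Jun/2009:10:01:03 +0000] "GET /accounts?id=1 HTTP/1.1" 200 812
198.51.100.7 - - [12/Jun/2009:10:01:04 +0000] "GET /admin HTTP/1.1" 404 221
198.51.100.7 - - [12/Jun/2009:10:01:04 +0000] "GET /phpmyadmin HTTP/1.1" 404 221
198.51.100.7 - - [12/Jun/2009:10:01:05 +0000] "GET /backup.zip HTTP/1.1" 404 221
198.51.100.7 - - [12/Jun/2009:10:01:05 +0000] "GET /.env HTTP/1.1" 404 221
198.51.100.7 - - [12/Jun/2009:10:01:06 +0000] "GET /wp-login.php HTTP/1.1" 404 221
203.0.113.9 - - [12/Jun/2009:10:01:07 +0000] "GET /accounts?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0
203.0.113.9 - - [12/Jun/2009:10:01:08 +0000] "GET /../../etc/passwd HTTP/1.1" 400 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Signatures applied to the URL-decoded path. Kept deliberately small; a
# production rule set would be broader and tuned against false positives.
SIGNATURES = [
    ("sql-injection", re.compile(r"'\s*or\s", re.IGNORECASE)),
    ("path-traversal", re.compile(r"\.\./")),
]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = unquote(rec["path"])
    return rec


def analyze(log_text, error_threshold=5):
    """Return alerts: error bursts per client IP and signature hits per request."""
    errors = Counter()
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] >= 400:
            errors[rec["ip"]] += 1
        for name, pattern in SIGNATURES:
            if pattern.search(rec["path"]):
                hits.append((name, rec["ip"], rec["path"]))
    bursts = {ip: n for ip, n in errors.items() if n >= error_threshold}
    return {"error_bursts": bursts, "signature_hits": hits}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, n in result["error_bursts"].items():
        print("ALERT error burst: %s produced %d error responses" % (ip, n))
    for name, ip, path in result["signature_hits"]:
        print("ALERT %s from %s: %s" % (name, ip, path))
```

Whether run in-house or by an outsourced security operations centre, the point is that these alerts are generated and acted on as the traffic arrives, rather than discovered in a log file months later. The threshold and signatures are tuning knobs; the client that produced five consecutive 404s for administrative paths it has no business requesting is the kind of pattern that deserves a human look.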
Set up anti-phishing defenses (only for sites that carry out financial transactions)
Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
Real-time monitoring of phishing attacks should be done for critical websites. This will help to detect a phishing site and black-list it before it becomes a big issue. If your company cannot monitor phishing attacks then it can be outsourced to another company which offers the service.
Review all changes to the website's environment (don't allow ad-hoc changes)
Changes to the information system (all systems related to the website) should be performed in a controlled manner. Security should sign off before systems are moved to production. All changes should be made on a UAT system before going to the production system. If this is not possible, have the parties making the modification formally accept full responsibility for it. Changes should be implemented only after proper approval from management.
Plan for a user acceptance testing system
Typically, a user acceptance testing (UAT) system is a replica of the production system, or it holds production data that is 3 to 6 months old. Ensure that strong controls are present on the UAT system and that access to it is restricted in a manner similar to the production system. Even if there is no full replica, use a VMware environment to test changes before rolling them out into production.
Control third-party access
Third-party vendors may have access to the web servers (or application/database servers) for troubleshooting. Ensure that:
- third-party vendors are not granted unrestricted access; this covers all types of access, e.g. physical, logical and remote access
- monitoring and review of third-party activities is performed
- a non-disclosure agreement (NDA) is signed with all third-party vendors so that they agree not to disclose information
Review the security of your outsourced partner
Your organization needs to make sure that the outsourced IT project or service (maintenance of the web site and all systems related to the web site) does not introduce issues in security.
- Non-disclosure agreement (NDA) should be signed by all outsourced personnel to protect against unauthorized disclosures of confidential information accessed by the personnel in the course of their work.
- Monitoring: the organization should monitor the activities of the supplier of the outsourced service on a periodic basis.
Wipe out data before disposing of your data-containing hardware
Don't forget that valuable data sitting on neglected documents and machines is prey to anyone: it has no security shell in place to protect it. Media (soft or hard copy) should be disposed of securely and safely when no longer required. Shred all paper containing confidential information, and degauss hard disks and other magnetic media before disposing of them.
The objective is to avoid leakage of information to malicious users and giving them a head start in their activities.
Train employees on security awareness
Ensure that personnel have been properly trained in security and will not become weak links in the organization's security. Verify training by interviewing or administering periodic tests. Be certain that your users are notified about what they can and cannot do via an Acceptable Use and Access policy.
About the author: Terence Cornelius CISSP is an information security consultant currently in the employ of Paladion, an India-based security consulting and implementation firm.
First published on BankersOnline.com 6/12/2009