Website Hardening HUIT IT Security | Sep 30 2011

TRANSCRIPT

  • Slide 1
  • Website Hardening HUIT IT Security | Sep 30 2011
  • Slide 2
  • Agenda:
      - Introduction
      - Anatomy of an Attack
      - Recommendations
      - Q & A
      - Demos
  • Slide 3
  • 3 Sep 30 2011 HUIT Security | Website Hardening Introduction
  • Slide 4
  • Introduction. Content is the cornerstone of information management. The web delivers content, and the model for serving content has progressed from onsite hosting to managed hosting and is continuing on to cloud computing. With this evolution come new challenges to protecting both institutional reputation and data. Attackers have shifted their focus from infrastructure resources to exploiting application code itself. A holistic strategy is critical.
  • Slide 5
  • Introduction. A new breed of attacker is focusing on these soft targets. These attackers seek to gain a widespread audience for their agenda and use anyone who leaves themselves open to compromise as a platform to spread their message. Cyber-hacktivists with personal, political or other motivations have proven adept enough at their craft to gather their share of recent headlines.
  • Slide 6
  • Introduction. In the light of several recent web application compromises across campus, we would like to share specific recommendations and best practices resulting from our investigation into those compromises. These suggestions complement existing hardening guidance.
  • Slide 7
  • Anatomy of an Attack. Before we dive into the details, Chris Fahey will take us through an attack.
  • Slide 8
  • Recommendations: Introduction. As web application attacks continue to increase in frequency, we must work to integrate a thorough approach to security throughout the delivery stack. It has been our experience that the guidance for hardening networks and hosts also offers a framework for approaching web application security. Everyone can benefit from immediate proactive measures in advance of any eventual compromise.
  • Slide 9
  • Recommendations. In general:
      - Build and integrate security into the application
      - Assess and remediate vulnerabilities and risks
      - Implement strong access control measures
      - Leverage controls in the web server and application framework
      - Log use and monitor
      - Document and maintain policies and procedures
      - Raise awareness and educate
  • Slide 10
  • Recommendations. The suggestions below complement existing controls:
      - Risk Management and Compliance
      - Host hardening
      - Network hardening
      - User education and awareness - You've been hacked, now what?
  • Slide 11
  • Recommendations (table columns: Recommendation | Benefit | Effort to Implement | Availability)
      - Remind staff of password policies | Prevent cracking passwords. Limit the scope of a compromise to a single site. | Low | Immediate: Eureka! Security
      - Confirm computers have basic security protections in place. | Protect computers against malicious software. | Low | Immediate: Inspect computers to verify patching is enabled and antivirus is installed
      - Scan web applications for security vulnerabilities. | Reduce the risk of a security vulnerability being exploited, resulting in a compromise. | Moderate | Immediate: via the IT Security Code Analysis service
  • Slide 12
  • Recommendations (table columns: Recommendation | Benefit | Effort to Implement | Availability)
      - Configure SSL on the web site. | Encrypt sessions via SSL to reduce the risk of purloining login credentials. | Low | Immediate
      - Limit access to the web administration interface to only secure, trusted IP addresses. | Allow only the VPN server access to the web server. | Moderate | Immediate: HUIT can provision a VPN; VPN client to be installed on computers and staff trained
      - Replace administrator passwords with a digital password vault. | Manage credentials with elevated privileges to prevent passwords from being cracked. | Moderate | February 2012
  • Slide 13
  • Recommendations (table columns: Recommendation | Benefit | Effort to Implement | Availability)
      - Perform an IT Risk Assessment of the web application | Ensure security controls exist to comply with the University's Enterprise Information Security Policy. | Low | Immediate: via the IT Security Consulting service
      - Monitor network traffic to the web site. | Proactively detect suspicious activity and notify the support team for a timely response. | Moderate | Near term: Collaborate with HUIT Cyber Security
      - Content auditing | Log changes to content and notify the support team for a timely response. | Difficult | Long term
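The content-auditing row above (log changes to content and notify the support team) is most simply implemented as a file-integrity baseline over the web root. The script below is an added example written for this page, not code from the HUIT deck or any product it names: it hashes every file under a web root, compares a later run against the stored baseline, and emits one alert line per file that was added, modified or removed. The web root, its files and the changes applied to them are constructed in a temporary directory, and the function names are my own.

```python
import hashlib
import os
import tempfile

# Hypothetical helper names (build_manifest, diff_manifests, format_alert,
# demo_content_audit) are this example's own; the deck names the control
# ("log changes to content") but no tool.


def sha256_of_file(path):
    """Hex SHA-256 of one file, read in chunks so large assets are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path, '/' separators) to its SHA-256."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of_file(full)
    return manifest


def diff_manifests(baseline, current):
    """Classify each path as added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def format_alert(changes, site="example-site"):
    """One line per change, in the form the support team would receive."""
    lines = []
    for kind in ("added", "modified", "removed"):
        for path in changes[kind]:
            lines.append(f"[{site}] content {kind}: {path}")
    return lines


def demo_content_audit():
    """Constructed web root: take a baseline, apply sample changes, diff them."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "js"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html><body>Welcome</body></html>\n")
        with open(os.path.join(root, "js", "app.js"), "w") as f:
            f.write("console.log('app');\n")
        baseline = build_manifest(root)  # would normally be stored off-host

        # Constructed changes: one page edited, one file added, one removed.
        with open(os.path.join(root, "index.html"), "a") as f:
            f.write("<!-- unexpected edit -->\n")
        with open(os.path.join(root, "new-page.html"), "w") as f:
            f.write("<html><body>new</body></html>\n")
        os.remove(os.path.join(root, "js", "app.js"))
        current = build_manifest(root)
        return diff_manifests(baseline, current)


if __name__ == "__main__":
    for line in format_alert(demo_content_audit()):
        print(line)
```

In practice the baseline manifest is stored off the web host (or signed), so that whoever alters the content cannot also alter the record it is compared against, and the alert lines are fed from a scheduled run into the support team's ticketing or log pipeline rather than printed.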
  • Slide 14
  • Recommendations (table columns: Recommendation | Benefit | Effort to Implement | Availability)
      - Monitor the web site for malicious code and notify if detected. | 24 x 7 x 365 monitoring by an external vendor to proactively detect malicious application code running on the web site and notify the support team for a timely response. | Moderate | Near term: Evaluate several vendors, subscribe to the best service
  • Slide 15
  • Q & A. The objective of Risk Management: Mitigate, Remediate, Transfer, or Accept.
  • Slide 16
  • IT Security Contact Info: [email protected]; Helpdesk at x 57777. These slides will be on http://security.harvard.edu
  • Slide 17
  • Demos: Password Vaults, Tenable, Hailstorm
  • Slide 18
  • Esmond Kane | Website Hardening, September 30, 2011. Thank you.