Hack Proofing: Your E-Commerce Site, Syngress

Hack Proofing: Your E-Commerce Site, Syngress

Now pay Easier and Secure using Paypal

Read more

The Only Way to Stop a Hacker Is to Think Like One

• Step-by-Step Instructions for Securing Financial Transactionsand Implementing a Secure E-Commerce Site• Hundreds of Tools & Traps and Damage & Defense Sidebarsand Security Alerts!
• Complete Coverage of How to Hack Your Own Site

Ryan Russell
Teri Bidwell
Oliver Steudler
Robin Walshaw L.
Brent Huston Technical Editor

E-books Shop
Hack Proofing: Your E-Commerce Site

Hack Proofing Your E-Commerce Site was written in response to requests from
readers of our first book, Hack Proofing Your Network: Internet Tradecraft. Many of
you asked us for more detail on how to protect e-commerce sites, given the
unique risk and exposure such sites represent to organizations.

We hope this book
answers all of your questions on the topic and then some. If your organization
engages in e-commerce, you will find this book invaluable, especially if security
has been dealt with in a reactive fashion in the past. If you are a seasoned security
professional, we believe that the level of detail in this book will be useful in covering
topics such as customer privacy policies and securing financial transactions.


Foreword xxv
Chapter 1 Applying Security
Principles to Your E-Business 1
Introduction 2
Security as a Foundation 3
Confidentiality 3
Integrity 4
Availability 4
Presenting Security As More Than a Buzzword 6
The Goals of Security in E-Commerce 9
Planning with Security in Mind 10
Security during the Development Phase 13
Implementing Secure Solutions 14
Managing and Maintaining Systems in a Secure Environment 15
Applying Principles to Existing Sites 20
It All Starts with Risk 21
Fix the Highest Risks First 22
Management and Maintenance during the Patching Process 23

Impact of Patching on Production Systems 24
The Never-Ending Cycle of Change 25
Developing a Migration Plan 26
How to Justify a Security Budget 27
The Yardstick Approach 27
A Yardstick Approach Case Study 29
Possible Results of Failure 30
The Fear Tactic Approach 31
A Fear Tactic Approach Case Study 32
Possible Results of Failure 34
Security as a Restriction 35
Security as an Enabler 36
Summary 38
Solutions Fast Track 39
Frequently Asked Questions 43
Chapter 2 DDoS Attacks: Intent, Tools, and Defense 
Introduction 46
What Is a DDoS Attack? 47
Laying the Groundwork: DoS 48
Resource Consumption Attacks 50
Malformed Packet Attacks 57
Anatomy of a DDoS attack 60
The Attacks of February 2000 63
Why Are E-Commerce Sites Prime Targets
for DDoS? 67
A Growing Problem 68
How the Media Feeds the Cycle 69
What Motivates an Attacker to Damage
Companies? 70
Ethical Hacking: A Contradiction in Terms? 70
Hacktivism 72
Fifteen Minutes of Fame 72
Hell Hath No Fury Like a Hacker Scorned 73
Show Me the Money! 73
Malicious Intent 74
What Are Some of the Tools Attackers Use
to Perform DDoS Attacks? 75
Trinoo 76
Understanding How Trinoo Works 76
TFN2K:The Portable Monster 78
Understanding How TFN2K Works 78
Stacheldraht—A Barbed-Wire Offensive 81
Understanding How Stacheldraht Works 81
More DDoS Families 86
How Can I Protect My Site against These
Types of Attacks? 87
Basic Protection Methods 90
Using Egress Rules to Be a
Better “Net Neighbor” 95
Defending against the SYN’s of
the Internet 99
Methods for Locating and Removing
Zombies 103
Summary 109
Solutions Fast Track 111
Frequently Asked Questions 117
Chapter 3 Secure Web Site Design 
Introduction 120
Choosing a Web Server 121
Web Server versus Web Service 121
Factoring in Web Servers’ Cost and
Supported Operating Systems 122
Comparing Web Servers’ Security Features 127
Authentication 127
Using the SET Protocol 133
Setting Permissions 134
Using CGI Applications 134
Security Features Side By Side 134
The Basics of Secure Site Design 143
Creating a Security Plan 143
Protecting against Internal Threats 145
Adding Security Tiers beyond the
Web Server 146
Apache versus Internet Information Services 149
Installation:The First Step 151
Installing and Configuring Apache 152
Installing and Configuring Internet
Information Server 5.0 164
Windows 2000 Server and Internet
Information Server 5.0 Security 168
Hardening the Server Software 173
Install Patches 174
Disable Unneeded Ports, Services, and
Components 174
Delete Unneeded Scripts and Files 175
Hardening the Overall System 176
Password Hacking and Analysis Tools 178
Web Design Issues Dealing with HTML
Code 183
Information in HTML Code 183
Using Server Side Includes (SSI) in
HTML Code 186
Guidelines for Java, JavaScript, and Active X 189
Understanding Java, JavaScript, and
ActiveX—and the Problems They
May Cause 189
Preventing Problems with Java,
JavaScript, and ActiveX 191
Programming Secure Scripts 196
Code Signing: Solution or More Problems? 199
Understanding Code Signing 199
The Strengths of Code Signing 200
Problems with the Code Signing Process 201
Should I Outsource the Design of My Site? 202
Understanding the Required Skills 203
Pros and Cons of Outsourcing Design Work 204
Workload 204
Security 205
Contracts and Cost 206
No Matter Who Designs It, Double-Check
before You Implement It 207
Summary 209
Solutions Fast Track 210
Frequently Asked Questions 214
Chapter 4 Designing and Implementing Security Policies
Introduction 220
Why Are Security Policies Important to an
E-Commerce Site? 220
What Is a Security Policy? 221
Value versus Risk 222
Security versus Services Provided 223
Cost of Security versus Cost of Not
Having Security 224
Where Do I Begin? 225
What Elements Should My Security Policy
Address? 228
Confidentiality and Personal Privacy Policies 230
Requirements for Authentication 231
Requirements for Protecting Customer
Information 236
Privacy Policies 239
Information Integrity Policies 240
Quality Assurance Policies 241
Assuring Information Integrity through
Technology 244
Availability of Service Policies 244
Are Prewritten Security Policies Available on
the Net? 246
All Organizations Are Different—and So
Are Their Policies 246
Example Policies and Frameworks 247
A Word about the Outsourcing of Policy
Development 248
How Do I Use My Security Policy to
Implement Technical Solutions? 248
How Do I Inform My Clients of My
Security Policies? 251
Building Customer Confidence through
Disclosure 252
Security as a Selling Point 253
Summary 254
Solutions Fast Track 255
Frequently Asked Questions 259
Chapter 5 Implementing a Secure E-Commerce Web Site
Introduction 262
Introduction to E-Commerce Site
Components 262
Implementing Security Zones 264
Introducing the Demilitarized Zone 266
Multiple Needs Equals Multiple Zones 268
Problems with Multi-Zone Networks 271
Understanding Firewalls 272
Exploring Your Firewall Options 272
Designing Your Firewall Rule Set 275
It Starts with a “Deny All” Attitude 276
Common Ports for Common
Communications 276
Converting Pseudo-Code to Firewall
Rules 278
Protocols and Risks: Making Good
Decisions 279
How Do I Know Where to Place My
Components? 280
Profiling Systems by Risk 280
Establishing Risk Control Requirements 282
Creating Security Zones through
Requirement Grouping 283
Implementing Intrusion Detection 283
What Is Intrusion Detection? 285
Your Choices in Intrusion Detection 286
Network-Based IDS 288
Host-Based IDS 290
Example of a Network-Based IDS 292
Example of a Host-Based IDS 293
Managing and Monitoring the Systems 295
What Kind of Management Tasks Can
I Expect to Perform? 295
What Kinds of Monitoring Should I Be
Performing? 296
Basic System Monitoring 298
Monitoring Your Security Devices 299
Log File Management 300
Should I Do It Myself or Outsource My Site? 301
Pros and Cons of Outsourcing Your Site 302
Co-Location: One Possible Solution 303
Selecting an Outsource Partner or ASP 303
Summary 305
Solutions Fast Track 305
Frequently Asked Questions 311
Chapter 6 Securing Financial Transactions 
Introduction 314
Understanding Internet-Based Payment
Card Systems 315
Credit, Charge, or Debit Cards:What Are
the Differences? 315
Point-of-Sale Processing 317
Differences That Charge Cards
Bring into the Picture 318
Capture and Settlement 319
Steps in an Internet-Based Payment
Card Transaction 321
Toxic Data Lives Everywhere! 325
Approaches to Payments via the Internet 326
Options in Commercial Payment Solutions 327
Commerce Server Providers 328
Braving In-house Resources 329
Secure Payment Processing Environments 331
Additional Server Controls 335
Controls at the Application Layer 336
Understanding Cryptography 337
Methodology 337
Substitution Method 337
Transposition Method 338
Transposition Example 339
The Role of Keys in Cryptosystems 342
Symmetric Keys 342
Asymmetric Keys 342
Principles of Cryptography 343
Understanding Hashing 344
Digesting Data 345
Digital Certificates 348
CCITT X.509 349
Examining E-Commerce Cryptography 351
Hashing Functions 351
Block Ciphers 352
Implementations of PPK Cryptography 352
The SSL Protocol 353
Transport Layer Security (TLS) 355
Pretty Good Privacy (PGP) 356
S/MIME 357
Secure Electronic Transactions (SET) 357
XML Digital Signatures 359
Virtual POS Implementation 362
Alternative Payment Systems 364
Smart-Card-Based Solutions 365
EMV 365
Visa Cash 368
The Common Electronic Purse
Specification (CEPS) 369
Proxy Card Payments 369
PayPal 370
Amazon Payments 370
Funny Money 371
Beenz 371
Flooz 371
Summary 372
Solutions Fast Track 373
Frequently Asked Questions 379
Chapter 7 Hacking Your Own Site
Introduction 382
Anticipating Various Types of Attacks 382
Denial of Service Attacks 382
Information Leakage Attacks 384
File Access Attacks 385
Misinformation Attacks 386
Special File/Database Access Attacks 387
Elevation of Privileges Attacks 388
Performing a Risk Analysis on Your Site 389
Determining Your Assets 390
Why Attackers Might Threaten Your Site
and How to Find Them 392
Testing Your Own Site for Vulnerabilities 395
Determining the Test Technique 396
Researching Your Vulnerabilities 399
Mapping Out a Web Server 407
Using Automated Scanning Tools 409
Hiring a Penetration Testing Team 414
Summary 418
Solutions Fast Track 419
Frequently Asked Questions 423
Chapter 8 Disaster Recovery Planning: The Best Defense 
Introduction 426
What Is Disaster Recovery Planning? 426
Structuring a Disaster Recovery Plan 428
Loss of Data or Trade Secrets 429
Loss of Access to Physical Systems 431
Loss of Personnel or Critical Skill Sets 436
Practicing Compliance with Quality
Standards 436
Ensuring Secure Information Backup and
Restoration 438
The Need for Backups and Verification 439
An Example Backup Rotation Process 440
Storage Area Networks 442
Protecting Backups of Sensitive Information 443
User Authentication 444
Data Encryption and Controls 445
Key Management 446
Planning for Hardware Failure or Loss of
Services 447
The Single Point of Failure Problem 448
ISP Redundancy 449
Network Hardware Redundancy 451
System Hardware Redundancy 451
Expanding the Scope of Your Solutions 453
How Do I Protect against Natural Disasters? 454
Hot Sites:The Alternate Path to Recovery 455
How Do I Choose a Hot Site? 456
Testing the Process 456
Understanding Your Insurance Options 457
Errors and Omissions Coverage 458
Intellectual Property Liability 459
First Party E-Commerce Protection 460
Determining the Coverage You Need 461
Financial Requirements 463
The Delicate Balance: Insurance and
the Bottom Line 464
Coverage That May Not Be Needed 464
Summary 466
Solutions Fast Track 467
Frequently Asked Questions 472
Chapter 9 Handling Large Volumes of Network Traffic 
Introduction 476
What If My Sites Popularity Exceeds My
Expectations? 476
Determining the Load on Your Site 478
Determining Router Load 479
Determining Switch Load 483
Determining Load Balancer Load 484
Determining Web Server Load 485
Performance Tuning the Web Server 488
How Do I Manage My Bandwidth Needs? 493
Contracting for Bandwidth 493
Estimating Required Service Levels 496
How Do I Know When I Need More
Bandwidth? 497
Obtaining Bandwidth on Demand 498
Introduction to Load Balancing 499
What Is Load Balancing? 500
Changing the Destination MAC Address 501
Modifying the IP Addresses 502
Using a Proxy Server 503
Finding a Custom Software/Clustering
Solution 504
Determining Load 504
The Pros and Cons of Load Balancing 505
Load Balancing and Security 505
Summary 509
Solutions Fast Track 510
Frequently Asked Questions 512
Chapter 10 Incident Response, Forensics, and the Law 
Introduction 516
Why Is an Incident Response Policy Important? 516
Panic or Be Calm:You Decide 516
How Not to Handle an Incident 517
Proper Policy Pays Off 518
Incident Response Policy Recap 524
Establishing an Incident Response Team 525
Setting the Prosecution Boundaries 526
Attackers Crossing the Line 526
Understanding the Chain of Custody 529
Establishing an Incident Response Process 530
Introduction to Forensic Computing 531
Tracking Incidents 538
Resources 542
Legal/Government/Law Enforcement 542
Backup/Forensics 542
Incident Tracking Systems 543
Miscellaneous 544
Summary 545
Solutions Fast Track 546
Frequently Asked Questions 550
Appendix A Cisco Solutions
for Content Delivery 553
Introduction 554
Improving Security Using Cisco LocalDirector 555
LocalDirector Technology Overview 555
LocalDirector Product Overview 556
LocalDirector Security Features 557
Filtering of Access Traffic 557
Using synguard to Protect against
SYN Attacks 557
Using Network Address Translation
to Hide Real Addresses 559
Restricting Who Is Authorized to
Have Telnet Access to the
LocalDirector 560
Password Protection 561
Syslog Logging 562
Security Geographically Dispersed Server
Farms Using Cisco DistributedDirector 563
DistributedDirector Technology Overview 563
DistributedDirector Product Overview 565
DistributedDirector Security Features 565
Limiting the Source of DRP Queries 565
Authentication between
DistributedDirector and DRP Agents 566
Password Protection 568
Syslog Logging 570
Improving Security Using the Cisco Content
Services Switch 570
Content Services Switch Technology
Overview 571
Content Services Switch Product Overview 572
Content Services Switch Security Features 573
FlowWall Security 573
Using Network Address Translation
to Hide Real Addresses 574
Firewall Load Balancing 575
Password Protection 576
Disabling Telnet Access 577
Syslog Logging 578
Known Security Vulnerabilities 578
Summary 580
Frequently Asked Questions 581
Appendix B Hack Proofing Your
E-Commerce Site Fast Track 583
Index 625


Purchase Now !
Just with Paypal

Product details
 File Size
  7,517 KB
  689 p
 File Type
  PDF format
  2001 by Syngress Publishing, Inc 

═════ ═════