Tuesday, June 17, 2008

The Importance of IT Alerting and IT Incident Handling

In the Information Technology industry, immediate notification of critical events is essential. The Internet never sleeps, and neither do customers or employees in this age of global business and commerce. IT services must be available 24 hours a day, 7 days a week, without exception. When a computer or email server goes down, it can mean the difference between a corporation closing that $1 million deal or losing it, or between a small business making its 100th sale or losing it. In any business or organization with more than a handful of people, enterprise email and communications are essential tools that must be available at all times. Electronic shopping carts and informational websites must also have near-zero downtime in order to be successful and effective.

So how can IT professionals ensure that they are notified the instant an error occurs on one of their systems? IT alerting is the answer. A notification service can contain a database with all IT employees' contact information, including email, home phone, cell phone, work phone, and instant message screen name. These individuals can be divided into groups, and scenarios can be created based on what type of event occurs. Then, when an incident does occur, the appropriate person can be notified based on the severity of the event. If multiple servers go down and a company's main revenue-generating service becomes unavailable, then most likely the Chief Technology Officer and his team, as well as Customer Service, the CEO and other executives, should be notified. If a single email server goes down or becomes overloaded, then only a lower-level IT technician would be notified in order to fix the relatively small problem.

IT incident handling can be made much simpler using a reliable notification service. If a major IT incident occurs, then IT professionals need to be reached no matter what time of day, no matter where they are. It is not guaranteed that an IT expert will be sitting in front of his computer, able to receive email, when an emergency occurs. That is why a robust, customizable notification service is necessary: one that can send a voice and text message to the IT professional at all of his or her contact points, including email, cell phone, home phone, work phone, instant message screen name, or BlackBerry PIN, and that can also get word back from the employee in response to the message. This guarantees the fastest possible reaction to an unforeseen event.

Learn more about IT Alerting and IT Incident Handling

Wednesday, June 11, 2008

Web Applications Penetration Testing - Security Measures - Security Assessment

1. Introduction

What is a web application? Why are web applications the first target for hackers? Why do vulnerabilities occur in web applications? How can we make a web application a secure portal? As I understand it, a web application is a portal available on the Internet to the general public, who can easily make use of it for different purposes, or for whatever reason the web application exists. You must be aware that web applications are an easy target for hackers because they are publicly available, and a hacker needs to know only the name of the organization he wants to hack. A vulnerability is a weakness or a lack of control that exists in the application. Vulnerabilities can be due to insecure programming in web applications, access controls that are missing or misconfigured, misconfiguration of the application or the server, or any other reason; there is no limit.

There are many ways to harden your web application or your web server; we will discuss this in a while. First, let's see what the key requirements are that make up a live web application:

a. Web Server

b. Application content displayed

c. And/or databases

These are the key components of any web application.

A web server is a service that runs on a computer and serves web content/application content. This server typically listens on port 80 (HTTP) or on port 443 (HTTPS). There are many web servers, freely available or commercial, including these top contributors:

a. IIS by Microsoft

b. Apache by Open source community

c. Tomcat, etc.

Application content is what you see on the website; it can be dynamic or static. Web applications with dynamic content are at more risk than web applications with static content, because dynamic web applications use a database to store the changing content. This database can be one of the following types:

a. MySQL Server

b. SQL Server

c. Oracle Server

d. MS Access or any other

We have discussed web application architecture at some length; now I will show you how to perform penetration testing on a web application (what we call a pen-test).

2. Information Gathering

No pen-test can be accomplished without performing the information gathering phase. This phase is the heart of the pen-test; there are many ways to do information gathering, so let's discuss them here.

a. Hacking with search engines.

I will not list the specific search engines that can be used in the information gathering phase; there are many search engines that are far more powerful than people expect, and from which secret/confidential information can be gathered. There are techniques you can use to gather information on the target.

b. For example

You can use 'inurl:' in search engines to find the complete site map of the web portal; you can also use intitle: admin to locate the admin panel of the web portal, or inurl: Admin filetype: asp or aspx to search for admin login pages, or simply look for the login page of any portal.

c. You can also look for the email addresses of the technical staff; an email address reveals the user ID of that specific person.

d. You can also use web archives to gather more information. This is a short list of the techniques; to explain more, I would have to write a book.

3. Attacks

Here I will explain the major attacks that hackers use on web applications, or rather the attacks that are dangerous for web applications. We will discuss only application-level vulnerabilities and attacks.

a. Misconfiguration: If you are a technical person, your priority is the availability of your server, and your senior management will ask you for 100% uptime. This is the point where technical staff leave security holes in the configuration just to make the server live, or in order to give the 100% uptime they were directed to provide. Such misconfiguration may lead to the compromise of the complete server.
Examples: default passwords, default server settings, weak passwords.

b. SQL Injection: A very highly rated attack that can lead to complete web server compromise, or to complete administrative-level access for the hacker. SQL is the query language programmers use to query content from the database in dynamic web applications. Many times a less experienced programmer leaves bugs in the application which, if an attacker discovers them, can be very harmful. SQL injection attacks occur due to weak input validation, insecure programming, or an insecure web application architecture. SQL injection can be used to bypass logins and gain admin-level access, and it can be very harmful if a hacker gains access to admin logins. The SQL injection 'UNION' attack is commonly used in dynamic web application penetration testing. There is much more that could be written on SQL injection; I think this information is more than enough at this stage.

c. CSS/XSS (Cross-site scripting)
XSS/CSS is a client-side vulnerability that can be used in phishing attacks. Many hackers use XSS in order to gain secret information, which can be credit card numbers, login passwords, private information and more. As XSS runs in the client's browser, hackers insert scripts in order to gather information from the user. If XSS is used in a phishing attack, it can be a highly rated vulnerability.
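The SQL injection weakness described in 3.b, shown as a login check written both the vulnerable way (string concatenation) and the hardened way (a parameterised query). This is an added example and not code from the article; the sqlite3 user table and its credentials are constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory user table standing in for the web application's
# real database; the credentials are made up for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("admin", "S3cret!", "admin"), ("bob", "hunter2", "user")])
    return conn

def login_vulnerable(conn, username, password):
    # Vulnerable: the submitted values are concatenated into the SQL text, so a
    # quote character in the input ends the string literal and the rest of the
    # input becomes part of the query itself (the weak input validation the
    # article describes). A legitimate apostrophe breaks the query the same way.
    sql = ("SELECT role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError:
        return "error"          # the database error an attacker would look for
    return row[0] if row else None

def login_hardened(conn, username, password):
    # Hardened: a parameterised query. The driver sends the values separately
    # from the statement, so they are only ever compared as data and cannot
    # change the structure of the query, whatever characters they contain.
    sql = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

def compare(username, password):
    # Run the same submitted credentials through both versions and return
    # (role from the vulnerable query, role from the hardened query).
    conn = make_db()
    return (login_vulnerable(conn, username, password),
            login_hardened(conn, username, password))
```

With valid credentials both versions agree; with a quote and an SQL comment in the username only the vulnerable version returns the admin role without checking the password, and a genuine name containing an apostrophe raises an error in the vulnerable version while the hardened one simply finds no match.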

4. Be Secure

To be secure, a complete assessment of the web application should be performed in order to test the application and make it bug free, and continuous testing should be maintained. Input validation should be implemented. Default configurations should be removed or changed, secure database connectivity should be maintained, and lastly, directory listing should be turned off on every directory, file permissions should be reviewed, and access rights need to be maintained.
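The cross-site scripting problem from 3.c alongside the remedy this section calls for: the same page fragment rendered with the user's value inserted raw, and rendered with the value encoded for its HTML context. This is an added example, not code from the article; the page fragments and the input values are constructed for the demonstration.

```python
import html

# Constructed sample: a page fragment that reflects a user-supplied name back
# to the user, the kind of reflection the XSS section above describes.
def greeting_vulnerable(name):
    # Vulnerable: the value goes straight into the HTML, so any tag or script
    # it contains is parsed and executed by the client's browser.
    return "<p>Welcome back, " + name + "</p>"

def greeting_hardened(name):
    # Hardened: encode the value for HTML element content so the browser shows
    # it as text; '<' becomes '&lt;' and can never open a tag.
    return "<p>Welcome back, " + html.escape(name) + "</p>"

def search_box_hardened(query):
    # Attribute context: quote=True (the default) also encodes " and ' so the
    # value cannot close the attribute early and add an event handler.
    return ('<input type="text" name="q" value="'
            + html.escape(query, quote=True) + '">')

def tag_survives(fragment, tag="<script"):
    # Helper for checking output: True if a raw tag is still present.
    return tag in fragment.lower()
```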

5. Summary

This is a short article to develop awareness of web application security and of the holes hackers can use to carry out security breaches. These days there is a war over the survivability of web applications. Does being secure mean living long?

Article by Raheel Ahmad, CISSP