Notes from the field is an effort to share some of the technology issues we have faced on customer sites, with initial observations, case studies and possible solutions. We will not disclose any specific details or identities of our customers, to protect their privacy. The data provided here is for case-study purposes only, for networking students and professionals.
** The data provided here is for academic purposes; customer information has been removed in the best interest of our client.
Scenario: Attack on a mission-critical server at ABC Corporation, a per-call customer of Corona Systems.
We had limited access to the networking side of the incident, because the firewall, the server and the software are managed by different organizations. The DoS attack appeared to originate from a different country, which made troubleshooting rather difficult.
There are three fundamental approaches to securing web applications:
1. Improve code security to prevent application-level attacks such as:
a) SQL injection
b) Cross-site scripting (XSS) injection
c) Remote and local file inclusion
d) Null-byte exploits (a %00 in input that truncates a file name or query in a C-based backend)
e) Hex/URL-encoding evasion (encoded or double-encoded payloads that slip past naive input filters)
f) HTTP header injection and poisoning
g) Compromising the trust between browser and web application (for example CSRF, which abuses the application's trust in the browser's session)
2. Place the web application behind a firewall to block network-level attacks such as flooding and DDoS. Session hijacking is an application-session problem, so a network firewall alone will not stop it; it needs the code-level controls in point 1 as well.
3. Implement an IDS (Intrusion Detection System) and IPS (Intrusion Prevention System), with routine maintenance and signature tuning, to detect and block attacks at both the application layer and the network layer.
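As an added illustration, not code from the original report, the following Python snippet shows two of the code-level issues in the list above side by side: a login query built by string concatenation next to its parameterised form (point a), and a percent-decoding check that catches a double-encoded null byte (points d and e). The users table, the sample accounts and the input values are made up for the example.

```python
import sqlite3
import urllib.parse


def make_db():
    """Constructed in-memory users table for the example (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """SQL built by string formatting: the caller's input is parsed as SQL,
    so a password of  ' OR '1'='1  turns the WHERE clause into a tautology."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_hardened(conn, username, password):
    """Parameterised query: input is bound as data and never reaches the SQL parser."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def normalize_input(raw, max_rounds=3):
    """Percent-decode until the value stops changing (so %2500 -> %00 -> NUL),
    then reject null bytes, which C-based file and DB layers read as end of string."""
    value = raw
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    if "\x00" in value:
        raise ValueError("null byte in input: %r" % raw)
    return value


def is_safe_input(raw):
    """Boolean wrapper around normalize_input for filters that only accept or reject."""
    try:
        normalize_input(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable login bypassed:", login_vulnerable(db, "nobody", payload))  # True
    print("hardened login bypassed:  ", login_hardened(db, "nobody", payload))    # False
    for sample in ("report.pdf", "report%2500.pdf"):
        print(sample, "->", "accepted" if is_safe_input(sample) else "rejected")
```

The decode loop is the important part of the second check: a filter that decodes only once sees `report%00.pdf` as harmless text, while the application's own decoder, one layer further in, turns it into a real NUL byte.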
Possible reasons for the DoS attack at our client: initial report
The web application was most likely compromised because one or more of the approaches above was not implemented, or was implemented poorly, on the web server.
Nowadays it is very easy to use free tools such as Hotspot Shield, or any other free VPN service, to route traffic through a remote exit node, so the source IP address seen in the logs is the VPN provider's, not the attacker's own. Unless deeper checks are done with the Internet Service Provider, it cannot be confirmed that the attack really came from a different country. It is possible that the attack was carried out by an insider using a simple trick like this.
Lack of technical knowledge in configuring the firewall: the firewall may have been left mostly with its default settings, with no custom security profiles or rules configured.
What if the attacker is an insider? There have been many cases where a terminated employee or an ex-employee used an old username and password, on an account that was never deactivated, to gain access to the application or the hardware.
What can be done immediately:
1. Review the source code completely and thoroughly. Also check for flaws in the application's database design, and review the input validation controls.
2. Scrutinize the web-server configuration and the internal database used by the web server.
3. Close any open ports that are not required; every listening service that is not needed is extra attack surface.
4. Disable the logins of ex-employees. Also change the existing passwords, and use long passphrases rather than short passwords.
5. Allow remote access to the web server from trusted IP addresses only, preferably combined with a security token as a second factor.
6. Review the logs from the web server and the firewall, if any, to identify repeating patterns in the attacks: source addresses, request rates and the URLs being targeted.
7. Implement an open-source IDS/IPS such as Snort or Suricata, or a web application firewall such as ModSecurity with the OWASP Core Rule Set (OWASP itself is a project and a rule set, not an IDS). Hardware-based IDS/IPS appliances take comparatively more time to procure, install, configure and use.
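The log review in step 6, as an added worked example that is not part of the original report: a Python script that parses Apache/nginx combined-format access-log lines, flags source addresses that exceed a request-rate threshold inside a fixed time bucket (the flooding pattern of a DoS), and tags requests whose percent-decoded path carries one of the probe signatures from the attack list at the top of the page. The log lines, the IP addresses (taken from the documentation ranges), the paths and the thresholds are all constructed for the example.

```python
import re
import urllib.parse
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Probe signatures matched against the percent-decoded request path; the
# labels follow the attack classes listed at the top of the page.
SIGNATURES = [
    ("null byte", re.compile(r"\x00")),
    ("file inclusion / traversal", re.compile(r"\.\./|php://|https?://", re.I)),
    ("sql injection", re.compile(r"'\s*or\s|union\s+select", re.I)),
    ("xss", re.compile(r"<script|javascript:", re.I)),
]


def parse_line(line):
    """Return a dict for a well-formed line, or None for a line we cannot parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts,
            "path": m.group("path"), "status": int(m.group("status"))}


def analyze(lines, window_seconds=10, flood_threshold=50):
    """Flag source IPs with >= flood_threshold requests inside one fixed
    window_seconds bucket, and requests whose decoded path hits a signature."""
    buckets = defaultdict(int)        # (ip, bucket number) -> request count
    suspicious = []
    malformed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            malformed += 1             # unparseable lines are themselves worth a look
            continue
        bucket = int(rec["ts"].timestamp()) // window_seconds
        buckets[(rec["ip"], bucket)] += 1
        decoded = urllib.parse.unquote(rec["path"])
        for label, pattern in SIGNATURES:
            if pattern.search(decoded):
                suspicious.append((rec["ip"], rec["path"], label))
                break
    flooders = sorted({ip for (ip, _), n in buckets.items() if n >= flood_threshold})
    return {"flooders": flooders, "suspicious": suspicious, "malformed": malformed}


def build_sample_log():
    """Constructed sample log (documentation IP ranges, made-up paths); not customer data."""
    flood = [
        '203.0.113.7 - - [12/Mar/2014:10:00:0%d +0000] "GET /index.php HTTP/1.1" '
        '200 5123 "-" "Mozilla/5.0"' % (i % 10)
        for i in range(60)
    ]
    others = [
        '198.51.100.3 - - [12/Mar/2014:10:00:05 +0000] '
        '"GET /view.php?file=../../etc/passwd%00 HTTP/1.1" 404 221 "-" "curl/7.30.0"',
        '192.0.2.10 - - [12/Mar/2014:10:00:07 +0000] "GET /about.html HTTP/1.1" '
        '200 1832 "-" "Mozilla/5.0"',
        "this line is not in the expected format",
    ]
    return flood + others


if __name__ == "__main__":
    report = analyze(build_sample_log())
    print("flooding sources:", report["flooders"])          # ['203.0.113.7']
    for ip, path, label in report["suspicious"]:
        print("suspicious request from %s: %s [%s]" % (ip, path, label))
    print("malformed lines:", report["malformed"])          # 1
```

Two caveats for real use: a fixed bucket can split a burst that straddles a bucket boundary, so a sliding window is the better choice once the script grows beyond a first triage; and, as the report notes, the flooding source may be a VPN exit node, so the address itself is evidence of where the traffic came through, not of who sent it.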
Report prepared by Devassy Jose Tharakan,Project Manager