Threat Analysis of web security

Source: Internet
Author: User
Tags: sessions

This article is reproduced from http://www.xuebuyuan.com/60198.html

Major threats:

Brute force attacks (brute-force attack): These attacks try all possible combinations of characters to discover user credentials. Trying dictionary words, common passwords, or predictable combinations of characters first makes the brute force attack more efficient.

Account hijacking: This threat involves taking over the account of a legitimate user, sometimes even denying the legitimate user access to their own account.

Social engineering (social engineering): This is the process of using "soft" techniques (rather than software or hardware techniques) to obtain sensitive information, such as passwords, that can be used to compromise the security of the system.

Spam (spamming): We are all familiar with this threat. It consists of sending large amounts of useless e-mail to users or Web sites, clogging the internet and sometimes even crashing the server.

1.2 Creating user credentials

1.2.1 Enforcing strong passwords

Summary: Use technical measures and policy to ensure that user passwords are strong.

Threats: Brute force attacks, account hijacking

Reliable password policy:

    • Require a minimum password length of 8 characters
    • Do not limit the maximum length of a password
    • Require multiple character sets, including lowercase letters, uppercase letters, numbers, and punctuation marks
    • Allow users to use any keyboard character, including spaces, in their passwords
    • Do not allow dictionary words
    • Do not allow the user name to appear in the password

Attack Tools:

Http://neworder.box.sk/codebox.links.php?key=wwwcrks

http://www.securityfocus.com/tools/1127

Dictionary:

Http://www.gattinger.org/wordlists/download.html

Http://neworder.box.sk/codebox.links.php?key=passdict

1.2.2 Avoiding easy-to-guess credentials

Summary: Easy-to-guess user names and passwords leave accounts vulnerable

Threats: Brute force attacks, account guessing, account hijacking

Security policy:

    • Do not allow customer service personnel to select passwords for customers
    • If a password is randomly generated, make sure it does not follow a predictable pattern and is not based on the user name
    • Never use the default password on any system
    • Do not use predictable or sequential user account names
    • Do not use an obvious name for the admin account

Prohibit names that sound "official" (e.g., administrator, support, root, postmaster, abuse, webmaster, security, etc.)
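Added example (not part of the original article): a Python validator that implements the password rules of 1.2.1 together with the reserved-name rule of 1.2.2. The wordlist is a constructed sample, and requiring all four character sets is an assumption about the "multiple character sets" rule.

```python
import re

# Constructed sample wordlist; a deployment would load a full dictionary
# such as the wordlists linked above.
DICTIONARY = {"password", "letmein", "welcome", "dragon", "monkey", "sunshine"}

# "Official"-sounding account names that the policy in 1.2.2 prohibits.
RESERVED_NAMES = {"administrator", "support", "root", "postmaster",
                  "abuse", "webmaster", "security"}

# The four character sets named in 1.2.1; anything that is not a letter or
# digit (space included) counts as punctuation.
CHARACTER_SETS = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digits": re.compile(r"[0-9]"),
    "punctuation": re.compile(r"[^A-Za-z0-9]"),
}


def validate_username(username):
    """Return the policy violations for a proposed account name (empty if none)."""
    problems = []
    if username.lower() in RESERVED_NAMES:
        problems.append("official-sounding names are reserved")
    return problems


def validate_password(password, username):
    """Return the policy violations for a proposed password (empty if acceptable).

    There is deliberately no maximum length and no restriction on which
    keyboard characters may appear, as the policy requires.
    """
    problems = []
    lowered = password.lower()
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    missing = [name for name, rx in CHARACTER_SETS.items() if not rx.search(password)]
    if missing:  # assumption: all four character sets are required
        problems.append("missing character sets: " + ", ".join(missing))
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    return problems
```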

1.2.3 Preventing credential harvesting

Summary: Credential harvesting exposes users to a variety of attacks

Threats: Brute force attacks, social engineering, spam

Security policy:

    • Never use an e-mail address as a user name, and avoid displaying users' e-mail addresses elsewhere
    • Avoid public user directories and white pages
    • Allow users to change their user name when needed
    • Allow users to assign one or more public aliases to their accounts
    • Detect brute force and harvesting attacks

1.2.4 Limiting idle accounts

Summary: Idle accounts are more likely to be targeted by attackers

Threat: Account hijacking

Security policy:

If an account has been idle for a long time, it should be restricted and require a reactivation process similar to the password recovery process

Avoid giving other people information that indicates an account is idle

After any account information is changed or an important transaction is performed, notify the user by e-mail, mail, or other means, in case the action was not performed by the user

Use anti-spoofing techniques, for example monitoring account activity

Do not automatically activate online account access for customers who use offline accounts


1.3 Managing passwords

1.3.1 Storing passwords

Summary: Passwords stored in a database are a danger to the application and to others

Threats: Account hijacking, other potential threats

Security policy:

Never store passwords in plain text or with reversible encryption

Use strong hashing algorithms, such as MD5, SHA-1, SHA-256, or SHA-512

1.3.2 Password aging and history

Summary: Old or reused passwords give an attacker more opportunities

Threats: Brute force attacks, account hijacking

Security policy:

Set a maximum password age for applications and users

Keep a list of recent passwords to prevent password reuse

If possible, enforce a minimum interval between password changes
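Added example (not from the original article) covering 1.3.1 and 1.3.2 together: salted PBKDF2-HMAC-SHA256 password storage with constant-time verification, plus the maximum-age, minimum-interval and password-history checks. Plain unsalted MD5 or SHA-1, as listed above, are no longer considered adequate for password storage; the iteration count, history size and time limits are assumed values.

```python
import hashlib
import hmac
import os

# Assumed parameters. PBKDF2-HMAC-SHA256 with a random per-user salt is used
# here: unsalted MD5 and SHA-1 are no longer suitable for password storage.
ITERATIONS = 600_000
HISTORY_SIZE = 5              # recent password hashes kept per user
MAX_AGE = 90 * 24 * 3600      # maximum password age, in seconds
MIN_INTERVAL = 24 * 3600      # minimum time between changes, in seconds


def hash_password(password, salt=None):
    """Return (salt, digest); the plaintext is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute and compare in constant time so timing leaks nothing."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class PasswordRecord:
    """Per-user state: current hash, time of last change, recent hashes."""

    def __init__(self, password, now):
        self.salt, self.digest = hash_password(password)
        self.changed_at = now
        self.history = [(self.salt, self.digest)]

    def is_expired(self, now):
        """Maximum password age rule."""
        return now - self.changed_at > MAX_AGE

    def change(self, new_password, now):
        """Apply the minimum-interval and history rules; None means success."""
        if now - self.changed_at < MIN_INTERVAL:
            return "password was changed too recently"
        if any(verify_password(new_password, s, d) for s, d in self.history):
            return "password was used recently"
        self.salt, self.digest = hash_password(new_password)
        self.changed_at = now
        self.history = ([(self.salt, self.digest)] + self.history)[:HISTORY_SIZE]
        return None
```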

1.3.3 Changing passwords

Summary: Make it easy for users to change their passwords, and encourage them to do so regularly

Threats: Brute force attacks, account hijacking

Security policy:

Always allow users to change their own passwords

Make changing the password intuitive and simple

Remind or force users to change their passwords regularly

Require the current password in order to set a new one

Require users to enter the new password twice to ensure accuracy

Confirm account changes by e-mail or another means of communication

After a password change, terminate all active sessions and require re-authentication


1.4 Resetting lost or forgotten passwords

1.4.1 Resetting passwords

Summary: Reset lost or forgotten passwords through a well-planned process

Threats: Brute force attacks, account hijacking

Security policy:

Treat the password reset as a security event: log the client's IP address and take other practical security measures

Never retrieve the user's password; only allow the user to set a new one

Never use a password hint that reveals the actual password

Ask the user to prove knowledge of the account by answering security questions or providing information related to the account. Never allow anonymous password resets

Send the user a message confirming the password reset and providing a secure link to complete the process

Clear any sensitive information stored with the account, for example credit card numbers, if applicable

Terminate all existing sessions after a password reset
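Added example (not from the original article) of the reset process above: the request is logged with the client IP, only a hash of a single-use, expiring token is stored, the password is never retrieved, and every session is terminated once the reset completes. The 30 minute token lifetime and the in-memory stores are assumptions.

```python
import hashlib
import hmac
import logging
import secrets

TOKEN_TTL = 30 * 60   # assumed: reset links expire after 30 minutes
log = logging.getLogger("password-reset")


class ResetService:
    """Token-based reset: only a hash of the token is stored, links are single-use."""

    def __init__(self):
        self.pending = {}    # user name -> (sha256(token), expiry time)
        self.sessions = {}   # user name -> set of active session ids
        self.passwords = {}  # user name -> (salt, PBKDF2 digest)

    def request_reset(self, username, client_ip, now):
        """Log the security event and issue a token for the e-mailed link."""
        log.info("password reset requested user=%s ip=%s", username, client_ip)
        token = secrets.token_urlsafe(32)
        self.pending[username] = (hashlib.sha256(token.encode()).digest(), now + TOKEN_TTL)
        return token  # the password itself is never retrieved or sent

    def complete_reset(self, username, token, new_password, client_ip, now):
        """Verify the token, store the new password, then end every session."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        token_hash, expires_at = entry
        presented = hashlib.sha256(token.encode()).digest()
        if now > expires_at or not hmac.compare_digest(presented, token_hash):
            log.warning("password reset rejected user=%s ip=%s", username, client_ip)
            return False
        del self.pending[username]  # single use, even if something later fails
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 600_000)
        self.passwords[username] = (salt, digest)
        self.sessions[username] = set()  # terminate all existing sessions
        log.info("password reset completed user=%s ip=%s", username, client_ip)
        return True
```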

1.4.2 Sending information by e-mail

Summary: E-mail is insecure and should not be used to transmit sensitive information

Threats: Sensitive information disclosure, account hijacking, user privacy

Security policy:

Never send sensitive information, such as user credentials or credit card information, by e-mail

Never rely solely on e-mail to verify a user's identity

Do not use e-mail to store Web form submissions that contain sensitive information

Digitally sign or encrypt e-mail communications, if possible

1.4.3 Assigning temporary passwords

Summary: Users will not change a temporary password unless forced to

Threats: Account hijacking, password guessing

Security policy:

Avoid allowing customer service representatives to set temporary passwords

If you must use temporary passwords, generate them with a strong random password generator

If you must use temporary passwords, give them a short expiration time or mark them as already expired

1.4.4 Using secret questions

Summary: Secret questions are not a substitute for passwords

Threats: Sensitive information disclosure, account hijacking, user privacy

Examples of better secret questions:

    a. What is the name of your first boyfriend or girlfriend?
    b. Which phone number from your childhood do you remember best?
    c. Where was your favorite place to go as a child?
    d. Who are your favorite actors, musicians, and artists?

Security policy:

Secret questions are inherently insecure and should never be treated as equivalent to passwords

Allow users to change their secret questions and answers when they need to

Detect brute force attacks on secret questions
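Added example (not from the original article) of the detection called for here and in 1.2.3: a sliding-window count of failed password and secret-question attempts per account and per source IP, run over constructed log lines. The log format, window length and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque

WINDOW = 10 * 60   # assumed: failures are counted over a 10 minute window
PER_ACCOUNT = 5    # failures against one account before alerting
PER_SOURCE = 20    # failures from one client IP across all accounts (spraying)

# Constructed log lines in an assumed format (method = password or secret-question).
SAMPLE_LOG = """\
1700000000 auth-fail user=alice ip=203.0.113.5 method=secret-question
1700000007 auth-fail user=alice ip=203.0.113.5 method=secret-question
1700000015 auth-fail user=alice ip=203.0.113.5 method=secret-question
1700000021 auth-fail user=bob ip=203.0.113.5 method=password
1700000030 auth-fail user=alice ip=203.0.113.5 method=secret-question
1700000042 auth-fail user=alice ip=203.0.113.5 method=secret-question
"""
LINE_RE = re.compile(r"^(\d+) auth-fail user=(\S+) ip=(\S+) method=(\S+)$")

class FailureMonitor:
    """Sliding-window counters of failed attempts per account and per source."""

    def __init__(self):
        self.by_account = defaultdict(deque)
        self.by_source = defaultdict(deque)

    @staticmethod
    def _prune(times, now):
        while times and now - times[0] > WINDOW:
            times.popleft()

    def record_failure(self, account, source_ip, now):
        """Record one failure; returns the (kind, key) alerts it triggers."""
        alerts = []
        for kind, table, key, limit in (("account", self.by_account, account, PER_ACCOUNT),
                                        ("source", self.by_source, source_ip, PER_SOURCE)):
            times = table[key]
            self._prune(times, now)
            times.append(now)
            if len(times) == limit:  # fire once, as the threshold is crossed
                alerts.append((kind, key))
        return alerts

def replay(log_text, monitor):
    """Feed parsed log lines into a monitor and return every alert raised."""
    alerts = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts, user, ip, _method = m.groups()
        alerts.extend(monitor.record_failure(user, ip, int(ts)))
    return alerts
```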


1.5 Empowering users

1.5.1 Educating users

Summary: Users must know how to protect their accounts

Threats: Account hijacking, social engineering, identity theft

Security policy:

Use various types of media to educate users about the security risks involved in using Web applications

If possible, provide a forum where users can discuss security issues

Never send users an e-mail containing a link or form that asks them to sign in to their account

1.5.2 Involving users

Summary: Involving users in security protection improves their understanding of security and helps limit attacks

Threats: Account hijacking, social engineering

Security policy:

Allow users to access the history of their security transactions and events

Provide users with a clear and simple way to report security incidents, and ask them to report any suspicious events

If possible, provide a forum where users can discuss security issues and incidents

Allow users who want advanced security options to access them

Provide a way for users to close accounts they no longer want to use
