Many large websites already have a complete set of security defenses in place. Why, then, do attackers still manage to plant Trojans on some of them? One of the main reasons is that an implemented security solution can only cope with the vulnerabilities and threats that were known when it was deployed. Attackers keep analyzing a site by every means available, looking for weaknesses that let them bypass its current protections and launch their Trojan attack. The best way to deal with this is to deploy the appropriate protective measures and, at the same time, take the same approach the attacker does: evaluate the site's security continuously throughout its operation in order to find the weaknesses that may exist before the attacker does.
Security evaluation of a Web site is an important part of Web security defense and should run through the entire lifecycle of the site. Its purpose is to have security assessment personnel, using suitable tools, techniques and methods, comprehensively test the security mechanisms implemented on the Web server itself, the server's operating system, the back-end database system and the network, in order to determine whether the Web system still has vulnerabilities and to verify whether the security mechanisms are effective. Based on the final results and analysis, the existing security policy is revised and the implemented security mechanisms are supplemented.
I. Develop a Web site security assessment plan
Before evaluating the security of a Web site, it is well worth first drawing up a realistic security assessment plan, since the plan determines how useful the final result is. Of course, for a personal website, or when only a single vulnerability scan of a Web site is needed, the planning step can be skipped: simply run a system or Web vulnerability scanner directly against the site and the host it runs on.
If a comprehensive security assessment of a Web site is needed, or a plan is needed to guide the vulnerability testing work, a security assessment plan suited to the actual needs can be built from the following items:
1. Determine the final goal of the Web site security assessment: why it is being done and what it needs to achieve.
2. Designate the security evaluators who will carry out the assessment.
3. Determine the specific objects to be evaluated.
4. Draw up a specific time schedule for the assessment. Unless there are special circumstances, the assessment should be performed at the times specified in this schedule.
5. Specify the tools to be used, require the evaluators to learn them so that they are trained in and have mastered them, and require the evaluators to update the tools and their vulnerability databases on time.
6. Decide whether the assessment tools will be installed on the target Web server itself, or on dedicated hardware (such as a laptop) that is connected to the target network for the duration of the assessment.
7. Define the specific security assessment methods.
8. Clarify the precautions to be observed during the assessment process.
9. Clarify the rules and regulations for the assessment and the responsibilities of the evaluators.
10. Define how assessment results are recorded, and how assessment reports are delivered, archived and retrieved.
The plan should be completed by the assessment participants after a detailed investigation and analysis of the actual network environment and of the site's specific content and functions. An actual plan may of course be much more detailed than the items listed above; this is only a brief outline, and the specific content needs to be supplemented according to the actual situation.
II. Implementation of Web site security assessment
The implementation of a Web site security assessment involves four key factors: the security evaluators, the evaluation tools, the evaluation methods and the evaluation objects.
1. Security Evaluators
Security assessment personnel should include the website owner, the administrators and the people who actually carry out the assessment. The technical experience and attitude of the implementers determine, to a considerable extent, the effectiveness and credibility of the assessment.
Some websites have to outsource the assessment to a third-party organization with security assessment qualifications; this is also common for small and medium-sized enterprise websites that have no dedicated Web site administrator.
On other sites all the work is done by the site administrator alone. The resulting assessment report is usually only accepted by that administrator, that is, it serves as a simple health check of the site's current security status.
2. Security Evaluation Tools
The security evaluation tools should be selected according to the specific objects to be evaluated; different objects need different tools. Some tools target only a particular service or piece of software, while others cover an entire host or network; some run only on one operating system platform, while others run on many popular platforms; some are software, while others ship on dedicated hardware; some are free, while others are commercial. Finding a suitable tool is therefore not simply a matter of picking a few at random. In addition, a tool that someone else finds very useful may not suit us at all, so sometimes only repeated trials will show which tools are best for our own needs.
Fortunately, there are still many powerful evaluation tools available for us to choose from:
(1) Nmap
Nmap is a network exploration and security scanning program. We can use it to scan the host or the entire network where the Web site is located and find out which services the host is running and providing, which ports are open and which operating system it is using. Nmap supports UDP, TCP connect(), TCP SYN, ICMP, FIN and ACK scans, among others, and many of these scan types can also be used to probe how firewalls, IDS and IPS devices respond.
Nmap runs from the command line on UNIX-like systems and on Windows. Its command format is nmap [Scan Type(s)] [Options]. The latest version, together with detailed documentation, can be downloaded from http://insecure.org/.
(2) Nessus
Nessus is also a powerful security scanner; its functionality can be extended with plug-ins, and it uses a frequently updated vulnerability database as the basis for its checks. The free version of Nessus 3 and its detailed usage documentation can be downloaded from www.nessus.org. Most security personnel now use it for comprehensive security checks of networks and host systems.
(3) Nikto
Nikto is a powerful open-source Web vulnerability scanner and assessment tool that tests Web servers for a wide range of security issues: it checks for more than 2,600 potentially dangerous files and CGIs and for version-specific problems on more than 230 server types. Nikto is built on the LibWhisker library. It has become one of the essential Web security testing tools for Web site administrators.
The latest version of Nikto can be downloaded from http://www.cirt.net/. Nikto is written in Perl, so a Perl environment is required; to use Nikto on Windows, the ActiveState Perl distribution must be downloaded and installed as well. When Nikto is to scan a Web site over SSL, the Net::SSLeay Perl module is needed and OpenSSL must be installed on the system. See their help documentation for installation and usage details.
There is also a Web vulnerability scanner similar to Nikto, Wikto, which has the same features as Nikto and adds a GUI, but runs only on Windows. It can be downloaded from http://www.sensepost.com/research/wikto.
(4) N-Stealth
N-Stealth is a commercial Web site security scanner developed by ZMT. A free version is also available, but it has fewer features than the commercial version and its vulnerability database does not support automatic updates. The latest version can be downloaded from www.nstalker.com. It runs on Windows 98/ME/2000/XP/2003.
(5) ISS Database Scanner
ISS Database Scanner is a risk assessment tool for database management systems. It automatically identifies potential security problems in a database system, generates easy-to-understand reports that point out security risks and weaknesses, and proposes fixes for the vulnerabilities and for configurations that violate or fail to follow the database security policy.
The databases that Database Scanner can audit include Microsoft SQL Server 6.x and 7.x, Sybase Adaptive Server 11.x, and Oracle 8i, 8.0 and 7.3. It scans databases quickly and conveniently over the network, checks for possible security vulnerabilities, and assesses authentication, authorization and integrity issues.
In addition to the scanners described above, other software can be used for security testing, including X-Scan 3.3, WebInject 1.41 and the Acunetix WVS Free Edition, as well as the comprehensive and powerful commercial scanner ISS Internet Scanner.
Whatever tool is used, its vulnerability database must be updated before each assessment. Most security evaluation tools today detect vulnerabilities by matching against a database of vulnerability signatures, and only an up-to-date database can find the latest vulnerabilities that may exist in the Web site and the systems it depends on.
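To make the two most basic checks above concrete, here is an added example (written for this page; it is not Nmap or Nikto code) that does what those tools do in miniature: a TCP connect() port scan, followed by a Nikto-style check for dangerous files on the Web server. The target server, its fake "Apache/2.2.3" banner, the two exposed files and the check list are hypothetical fixtures constructed inside the script so that it runs offline. It also shows the classic scanner false positive the text warns about: a server that answers 200 for every path. Like Nikto, the check first requests a random path and treats a 200 on a listed path as a finding only when its body differs from that catch-all page.

```python
"""Added example (not Nmap or Nikto code): a TCP connect() port scan plus a
Nikto-style dangerous-file check, run against a constructed local target.
The target server, its Server banner, the exposed files and the path list
are hypothetical test fixtures built here so the example runs offline."""
import http.client
import secrets
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical check list (a real scanner such as Nikto carries thousands).
DANGEROUS_PATHS = ["/admin/", "/phpinfo.php", "/.git/HEAD", "/backup.zip",
                   "/server-status"]


class _TargetHandler(BaseHTTPRequestHandler):
    """Constructed target: two genuinely exposed files, plus an optional
    catch-all mode that answers 200 with the same page for every miss."""
    server_version = "Apache/2.2.3"   # fake banner sent in the Server header
    sys_version = ""
    exposed = {"/phpinfo.php": b"<title>phpinfo()</title>",
               "/.git/HEAD": b"ref: refs/heads/master\n"}
    catch_all = False

    def do_GET(self):
        body = self.exposed.get(self.path)
        if body is None and self.catch_all:
            body = b"<html>welcome</html>"      # identical page for every miss
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):             # keep the scan output quiet
        pass


def start_target(catch_all=False):
    """Start the constructed target on 127.0.0.1 on a free port."""
    handler = type("Handler", (_TargetHandler,), {"catch_all": catch_all})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def unused_port():
    """Reserve and release a port so the scan has a known-closed port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def connect_scan(host, ports, timeout=0.5):
    """TCP connect() scan: a port is open when the full handshake succeeds.
    Noisy (it appears in the target's logs) but needs no raw sockets."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def _get(host, port, path):
    conn = http.client.HTTPConnection(host, port, timeout=2)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Server", ""), resp.read()
    finally:
        conn.close()


def web_check(host, port, paths=DANGEROUS_PATHS):
    """Nikto-style check with a false-positive guard: request a random path
    first; if it returns 200 the server answers 200 for anything, so a hit
    only counts when its body differs from that catch-all page."""
    probe = "/" + secrets.token_hex(8) + ".html"
    base_status, server, base_body = _get(host, port, probe)
    catch_all = base_status == 200
    findings = []
    for path in paths:
        status, _, body = _get(host, port, path)
        if status != 200:
            continue
        if catch_all and body == base_body:
            continue                          # catch-all page, not a real file
        findings.append(path)
    return {"server": server.strip(), "catch_all": catch_all,
            "findings": findings}


if __name__ == "__main__":
    target = start_target(catch_all=True)
    port = target.server_address[1]
    print("open ports:", connect_scan("127.0.0.1", [port, unused_port()]))
    print(web_check("127.0.0.1", port))
    target.shutdown()
```

Against the real tools the same two steps are nmap -sT -sV <host> (connect scan with service version detection) and nikto -h <host>; the point of the example is the baseline request, which is what separates a real finding from a server that returns 200 for everything.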
3. Security Evaluation Methods
The security evaluation method is the concrete way in which the assessment is carried out and involves the following five aspects:
(1) test from external to internal
This method scans the site's externally exposed network structure from an attacker's perspective, in order to test the Web site's ability to withstand remote attacks from the Internet. It can be carried out with tools such as N-Stealth, X-Scan and WebInject from the list above.
(2) test from the inside
The internal testing method performs security scanning from inside the website's network. It is mainly used to test the site's defenses against attacks from within, as well as the assignment of user permissions and the security of internal data transmission. Here operating system network commands such as netstat can be used together with tools such as hping, Nikto, X-Scan, Nmap and the Acunetix WVS Free Edition to complete the testing.
(3) simulated attack testing
Simulated attack testing does not actually attack the website's server systems, Web applications or network devices; it only probes for the conditions an attack would exploit. Because it does not affect the performance of the Web site, most of the security evaluation work should be carried out with this method.
(4) real attack test
When a simulated attack test cannot truly establish the site's security status, a real attack test can be used. Because the attack is real, it affects the performance of the Web site, so this method is best performed early in Web development, before the site is serving users. Many websites now hire dedicated hackers to launch real attacks against the site in order to uncover its vulnerabilities as fully as possible.
(5) social engineering attack test
Many people think of social engineering only as an attacker's technique, not realizing that it is also a good way to evaluate how well an enterprise's employees and site administrators resist social engineering attacks. The same social engineering attacks that an attacker would use can be tested by telephone, text message and e-mail, and the users being evaluated can also be tested through direct contact. When a social engineering assessment is undertaken, it is best to have a trusted third party carry it out to get the best results.
4. Evaluation objects
The evaluation objects are the specific targets of the assessment, including the Web server's host operating system, the Web application framework, the database system and the network infrastructure.
None of these four factors can be dispensed with in a Web site security assessment; if any of them is missing or has problems, the whole assessment is interrupted or its results cannot be trusted. Furthermore, an assessment need not rely on only one tool at a time; tools can be combined according to the objects and content to be evaluated. After all, a tool is often effective only in one area, and every scanner has false positives and false negatives. Using tools in combination, together with the evaluators' own experience, raises the effectiveness of the results to the highest level.
Once the assessment is complete, the security policy should be revised and the implemented security mechanisms supplemented on the basis of the results. The assessment can be repeated until we are confident that all known vulnerabilities have been fixed before the site is truly put into operation. Security assessments also need to be carried out while the site is in operation, to discover potential threats as they emerge.
A few points must not be overlooked. Attackers today are good at analyzing and discovering new vulnerabilities, which limits what existing vulnerability scanners can find, so scanning alone does not fully address the threat of website Trojans. While using scanners, therefore, other methods must be used to make up for their shortcomings.
As a Web site administrator, you therefore need to evaluate the security of the Web site constantly, so that the site's potential vulnerabilities are discovered step by step before attackers find them and can be fixed before an attack is launched, minimizing the risk of website Trojans. To keep up with security trends, we can also subscribe to the latest security vulnerability mailing lists at www.cert.org and www.securityfocus.com, so that we learn about new vulnerability information every day.