Tài liệu Hack proofing your e-commerce web site

  • Số trang: 50 |
  • Loại file: PDF |
  • Lượt xem: 104 |
  • Lượt tải: 0

Đã đăng 29304 tài liệu

Mô tả:

134_ecomm_FC 6/19/01 2:14 PM Page 1 1 YEAR UPGRADE BUYER PROTECTION PLAN ™ e t i S e c r e m m o c Your EThe Only Way to Stop a Hacker Is to Think Like One • Step-by-Step Instructions for Securing Financial Transactions and Implementing a Secure E-Commerce Site • Hundreds of Tools & Traps and Damage & Defense Sidebars and Security Alerts! • Complete Coverage of How to Hack Your Own Site Ryan Russell Teri Bidwell Oliver Steudler Robin Walshaw L. Brent Huston Technical Editor From the authors of the best-selling HACK PROOFING™ YOUR NETWORK 134_ecomm_FM 6/19/01 11:49 AM Page i solutions@syngress.com With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations. Solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features: ■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters. ■ “Ask the Author”™ customer query forms that enable you to post questions to our authors and editors. ■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material. ■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics. Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase. Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening. www.syngress.com/solutions 134_ecomm_FM 6/19/01 11:49 AM Page ii 134_ecomm_FM 6/19/01 11:49 AM Page iii 1 YEAR UPGRADE BUYER PROTECTION PLAN ™ e t i S e c r e m m o Your E-c The Only Way to Stop a Hacker is to Think Like One 134_ecomm_FM 6/19/01 11:49 AM Page iv Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents.The Work is sold AS IS and WITHOUT WARRANTY.You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable case, including backup and other appropriate precautions, when working with computers, networks, data, and files. Syngress Media®, Syngress®, and “Career Advancement Through Skill Enhancement®,”are registered trademarks of Syngress Media, Inc. “Ask the Author™,”“Ask the Author UPDATE™,”“Mission Critical™,” and “Hack Proofing™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies. KEY 001 002 003 004 005 006 007 008 009 010 SERIAL NUMBER AERAF43495 VNA49FU4FJ CAKL3956FM BNA424TURT BNTUR495QF 596JFA3RRF Y745T9TBLF QW5VCD986H BN3TE5876A NVA384NHS5 PUBLISHED BY Syngress Publishing, Inc. 800 Hingham Street Rockland, MA 02370 Hack Proofing Your E-Commerce Site Copyright © 2001 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication. Printed in the United States of America 1 2 3 4 5 6 7 8 9 0 ISBN: 1-928994-27-X Technical edit by: L. Brent Huston Technical review by: Kevin Ziese Co-Publisher: Richard Kristof Developmental Editor: Kate Glennon Acquisitions Editor: Catherine B. Nolan Copy edit by: Darren Meiss and Beth A. Roberts Freelance Editorial Manager: Maribeth Corona-Evans Index by: Robert Saigh Page Layout and Art by: Shannon Tozier Distributed by Publishers Group West in the United States. 134_ecomm_FM 6/19/01 11:49 AM Page v Acknowledgments We would like to acknowledge the following people for their kindness and support in making this book possible. Richard Kristof and Duncan Anderson of Global Knowledge, for their generous access to the IT industry’s best courses, instructors and training facilities. Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks. Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Bill Richter, Kevin Votel, and Brittin Clark of Publishers Group West for sharing their incredible marketing experience and expertise. Mary Ging, Caroline Hird, Simon Beale, Caroline Wheeler,Victoria Fuller, Jonathan Bunkell, and Klaus Beran of Harcourt International for making certain that our vision remains worldwide in scope. Anneke Baeten, Annabel Dent, and Laurie Giles of Harcourt Australia for all their help. David Buckland,Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books. Kwon Sung June at Acorn Publishing for his support. Ethan Atkin at Cranbury International for his help in expanding the Syngress program. Joe Pisco, Helen Moyer, and the great folks at InterCity Press for all their help. v 134_ecomm_FM 6/19/01 11:49 AM Page vi 134_ecomm_FM 6/19/01 11:49 AM Page vii Contributors Ryan Russell (CCNA, CCNP) is the best-selling author of Hack Proofing Your Network: Internet Tradecraft (ISBN: 1-928994-15-6). He is MIS Manager at SecurityFocus.com, has served as an expert witness on security topics, and has done internal security investigation for a major software vendor. Ryan has been working in the IT field for over 11 years, the last 6 of which have been spent primarily in information security. He has been an active participant in various security mailing lists, such as BugTraq, for years. Ryan has contributed to four Syngress titles on the topic of networking. He holds a Bachelors of Science degree in Computer Science. Ryan wishes to thank Karen Mathews at the U.S. Department of Energy for her assistance in preparing Chapter 10. Mark S. Merkow (CCP) has been an Information Systems professional since 1975, working in a variety of industries. For the last 12 years he has been working for a Fortune 50 financial services company in Phoenix, AZ. Mark holds a Masters in Decision and Information Systems from Arizona State University’s College of Business and is completing his Masters of Education in Educational Technology at ASU’s College of Education, specializing in developing distance learning courses.Today he serves as an e-commerce Security Advisor working with both internal and external Web designers and developers. Mark has authored or coauthored six books on computer technology since 1990, including Breaking Through Technical Jargon, Building SET Applications for Secure Transactions, Thin Clients Clearly Explained, Virtual Private Networks For Dummies, A Complete Guide to Internet Security, and The ePrivacy Imperative. In addition, Mark is a computer columnist for several local, national, and international print publications, along with an e-zine hosted at Internet.com. Robin Walshaw (MCSE, DPM), author of Mission Critical Windows 2000 Server Administration (ISBN: 1-928994-16-4), is an independent consultant who architects security and infrastructure solutions for large vii 134_ecomm_FM 6/19/01 11:49 AM Page viii corporations around the globe. By applying a combination of sound business sense and technical insight, Robin is able to design and deliver scalable solutions targeted at enabling the enterprise to effectively leverage technology.With a flair for developing strategic IT solutions for diverse clients, he has worked in the world of computers in 8 countries, and has traveled to over 30 in the last 10 years. A veteran of numerous global projects, Robin has honed his skills across a wide variety of businesses, platforms, and technologies. He has managed to scratch his head and look slightly confused in the world of security, network operating systems, development, and research. Having traversed the globe and seen its many beautiful wonders, Robin is still captivated by the one thing that leaves him breathless— Natalie, his wife. She is a light against the darkness, a beauty whose smile can melt even the coldest heart. Teri Bidwell (GCIA) has been involved in Internet security for over 10 years as an analyst, engineer, and administrator and is a SANS-Certified GCIA Intrusion Analyst. Her career began securing Unix networks at the University of Colorado and continued as a Cisco network engineer and DNS manager for Sybase, Inc.Today,Teri is a security analyst for a firm headquartered in Reston,VA. She is a key contributor to corporate security strategy and is an advisor for e-business development. Her specialties include policy creation, vulnerability assessment, penetration testing, and intrusion detection for corporate environments. Teri received a Computer Science degree from the University of Colorado and sits on the SANS GCIA Advisory Board. She currently lives and works in Boulder, CO with her family, Clint,Wes, and Michael. Michael Cross (MCSE, MCP+I, CNA) is a Microsoft Certified System Engineer, Microsoft Certified Product Specialist, Microsoft Certified Professional + Internet, and a Certified Novell Administrator. Michael is the Network Administrator, Internet Specialist, and a Programmer for the Niagara Regional Police Service. He is responsible for network security and administration, programming applications, and is Webmaster of their Web site at www.nrps.com. He has consulted and assisted in computerrelated/Internet criminal cases, and is part of an Information Technology viii 134_ecomm_FM 6/19/01 11:49 AM Page ix team that provides support to a user base of over 800 civilian and uniform users. His theory is that when the users carry guns, you tend to be more motivated in solving their problems. Michael owns KnightWare, a company that provides consulting, programming, networking,Web page design, computer training, and other services. He has served as an instructor for private colleges and technical schools in London, Ontario Canada. He has been a freelance writer for several years and has been published over two dozen times in books and anthologies. Michael currently resides in St. Catharines, Ontario Canada with his lovely fiancée Jennifer. Oliver Steudler (CCNP, CCDP, CSE, CNE) is a Senior Systems Engineer at iFusion Networks in Cape Town, South Africa. Oliver specializes in routing, switching, and security and has over 10 years of experience in consulting, designing, implementing, and troubleshooting complex networks. He has written articles on TCP/IP, networking, security, and data communications and also co-authored another Syngress title, Managing Cisco Network Security (ISBN: 1-928994-17-2). Kevin Ziese is a computer scientist at Cisco Systems, Inc. Prior to joining Cisco, he was a senior scientist and founder of the Wheelgroup Corporation, which was acquired by Cisco Systems in April of 1998. Before founding the Wheelgroup Corporation, he was Chief of the Advanced Countermeasures Cell at the Air Force Information Warfare Center. ix 134_ecomm_FM 6/19/01 11:49 AM Page x Technical Editor and Contributor L. Brent Huston earned his Associate of Applied Science degree in Electronics at DeVry Technical Institute (Columbus, Ohio) in 1994. He has more than 10 years of experience in IT, mostly in the areas of cyber security testing, network monitoring, scanning protocols, firewalls, viruses and virus prevention formats, security patches, and hacker techniques. As President and CEO of his own information security company, MicroSolved, Inc., he and his staff have performed system and network security-consulting services for Fortune 500 companies and all levels of governmental facilities. He is well versed in the use and implementation of all the major security tools and appliances. In the past, Brent developed “Passys”—a passive intrusion detection system for Unix and has also identified previously unknown security vulnerabilities in Ascom routers, Windows NT, and Linux operating systems. Brent is an accomplished computer and information security speaker and has published numerous white papers on security-related topics. Recently he was involved in the laboratory testing of major firewall appliances at his company’s central Ohio facilities.This testing was to prove the worthiness of each appliance as well as possible vulnerabilities that had not as yet been established by their parent companies. He reported his results both to the individual product companies and at a national security industry presentation. Brent is also currently engaged with the Office of Independent Oversight and Performance Assurance in Columbus, OH. He was responsible for designing and implementing a state-of-the-art cyber security testing and research lab for this office and several DOE national laboratories have utilized his expertise to perform network penetration and detection services. Such services have required a high security clearance from Brent. Brent is an Internet Security Systems Certified Engineer, Sidewinder Firewall Certified Administrator, IBM Secure Network Gateway Certified Administrator, and Phoenix Firewall Certified Administrator. x 134_ecomm_TOC 6/19/01 11:47 AM Page xi Contents Understand the Goals of Security in the Commerce Process ■ ■ ■ ■ ■ ■ ■ ■ Protect the privacy of the consumer at the point of purchase. Protect the privacy of the customers’ information while it is stored or processed. Protect the confidential identity of customers, vendors, and employees. Protect the company from waste, fraud, and abuse. Protect the information assets of the company from discovery and disclosure. Preserve the integrity of the organization’s information assets. Ensure the availability of systems and processes required for consumers to do business with the company. Ensure the availability of systems and processes required for the company to do business with its vendors and partners. Foreword Chapter 1 Applying Security Principles to Your E-Business Introduction Security as a Foundation Confidentiality Integrity Availability Presenting Security As More Than a Buzzword The Goals of Security in E-Commerce Planning with Security in Mind Security during the Development Phase Implementing Secure Solutions Managing and Maintaining Systems in a Secure Environment Applying Principles to Existing Sites It All Starts with Risk Fix the Highest Risks First Management and Maintenance during the Patching Process Impact of Patching on Production Systems The Never-Ending Cycle of Change Developing a Migration Plan How to Justify a Security Budget The Yardstick Approach xxv 1 2 3 3 4 4 6 9 10 13 14 15 20 21 22 23 24 25 26 27 27 xi 134_ecomm_TOC xii 6/19/01 11:47 AM Page xii Contents A Yardstick Approach Case Study Possible Results of Failure The Fear Tactic Approach A Fear Tactic Approach Case Study Possible Results of Failure Security as a Restriction Security as an Enabler Summary Solutions Fast Track Frequently Asked Questions Damage & Defense Sidebars Provide You with Additional Information on Minimizing Risk Damage & Defense… Configuration Management One method of instigating a DoS is by altering the configuration of key devices such as routers and servers. Routing tables, registry databases, and UNIX configuration files are just a few of the potential configuration databases that can be used against a business. It goes without saying, then, that all Internet-facing devices should undergo strict change control procedures and that a backup of the last known good configuration should be available on Chapter 2 DDoS Attacks: Intent, Tools, and Defense Introduction What Is a DDoS Attack? Laying the Groundwork: DoS Resource Consumption Attacks Malformed Packet Attacks Anatomy of a DDoS attack The Attacks of February 2000 Why Are E-Commerce Sites Prime Targets for DDoS? A Growing Problem How the Media Feeds the Cycle What Motivates an Attacker to Damage Companies? Ethical Hacking: A Contradiction in Terms? Hacktivism Fifteen Minutes of Fame Hell Hath No Fury Like a Hacker Scorned Show Me the Money! Malicious Intent What Are Some of the Tools Attackers Use to Perform DDoS Attacks? Trinoo Understanding How Trinoo Works 29 30 31 32 34 35 36 38 39 43 45 46 47 48 50 57 60 63 67 68 69 70 70 72 72 73 73 74 75 76 76 134_ecomm_TOC 6/19/01 11:47 AM Page xiii Contents Know What You May Be Giving Away in Your HTML Code Each hidden tag can be used with forms on your site and includes a name and a value. When the form is submitted, the name and value in the hidden field is included with the results. For example, the following line of code shows an input value of $100.00 associated with a variable called "cost." Using a text editor or HTML editing program, a hacker could alter the value so that the value is changed to a lower amount. For example, the $100.00 could be changed to $1.00. This would allow buyers to purchase products at a significantly reduced amount. TFN2K:The Portable Monster Understanding How TFN2K Works Stacheldraht—A Barbed-Wire Offensive Understanding How Stacheldraht Works More DDoS Families How Can I Protect My Site against These Types of Attacks? Basic Protection Methods Using Egress Rules to Be a Better “Net Neighbor” Defending against the SYN’s of the Internet Methods for Locating and Removing Zombies Summary Solutions Fast Track Frequently Asked Questions 78 78 81 81 86 87 90 95 99 103 109 111 117 Chapter 3 Secure Web Site Design 119 Introduction 120 Choosing a Web Server 121 Web Server versus Web Service 121 Factoring in Web Servers’ Cost and Supported Operating Systems 122 Comparing Web Servers’ Security Features 127 Authentication 127 Using the SET Protocol 133 Setting Permissions 134 Using CGI Applications 134 Security Features Side By Side 134 The Basics of Secure Site Design 143 Creating a Security Plan 143 Protecting against Internal Threats 145 Adding Security Tiers beyond the Web Server 146 Apache versus Internet Information Services 149 Installation:The First Step 151 xiii 134_ecomm_TOC xiv 6/19/01 11:47 AM Page xiv Contents Installing and Configuring Apache Installing and Configuring Internet Information Server 5.0 Windows 2000 Server and Internet Information Server 5.0 Security Hardening the Server Software Install Patches Disable Unneeded Ports, Services, and Components Delete Unneeded Scripts and Files Hardening the Overall System Password Hacking and Analysis Tools Web Design Issues Dealing with HTML Code Information in HTML Code Using Server Side Includes (SSI) in HTML Code Guidelines for Java, JavaScript, and Active X Understanding Java, JavaScript, and ActiveX—and the Problems They May Cause Preventing Problems with Java, JavaScript, and ActiveX Programming Secure Scripts Code Signing: Solution or More Problems? Understanding Code Signing The Strengths of Code Signing Problems with the Code Signing Process Should I Outsource the Design of My Site? Understanding the Required Skills Pros and Cons of Outsourcing Design Work Workload Security Contracts and Cost No Matter Who Designs It, Double-Check before You Implement It 152 164 168 173 174 174 175 176 178 183 183 186 189 189 191 196 199 199 200 201 202 203 204 204 205 206 207 134_ecomm_TOC 6/19/01 11:47 AM Page xv Contents Summary Solutions Fast Track Frequently Asked Questions 209 210 214 Chapter 4 Designing and Implementing Security Policies 219 Introduction 220 Why Are Security Policies Important to an E-Commerce Site? 220 What Is a Security Policy? 221 Learn How to Produce a Security Policy Value versus Risk 222 Security versus Services Provided 223 Cost of Security versus Cost of Not Having Security 224 Where Do I Begin? 225 What Elements Should My Security Policy Address? 228 Confidentiality and Personal Privacy Policies 230 Requirements for Authentication 231 Requirements for Protecting Customer Information 236 Privacy Policies 239 Information Integrity Policies 240 Quality Assurance Policies 241 Assuring Information Integrity through Technology 244 Availability of Service Policies 244 Are Prewritten Security Policies Available on the Net? 246 All Organizations Are Different—and So Are Their Policies 246 Example Policies and Frameworks 247 A Word about the Outsourcing of Policy Development 248 How Do I Use My Security Policy to Implement Technical Solutions? 248 New Security Issue Identify Key Stakeholders Policy Research Review Procedure Baseline Policy Solicit Feedback Conduct Review Workshop Edit Draft Policy Proposed Policy Draft Legal Review Final Policy Draft Executive Approval Publication End User Training xv 134_ecomm_TOC xvi 6/19/01 11:47 AM Page xvi Contents How Do I Inform My Clients of My Security Policies? Building Customer Confidence through Disclosure Security as a Selling Point Summary Solutions Fast Track Frequently Asked Questions Chapter 5 Answers All Your Questions About Implementing a Secure Site Q: How do I know if I am A: logging too much or too little information on my systems? Log the information you feel that you need to make good decisions. If you have problems sifting through the logs to locate issues and you have had proper training, then you need to eliminate the log entries that you do not use to make decisions or keep those log entries and use an automated tool to select only the entries you are interested in. You are logging too little information if you do not have a picture of your systems’ operations and your users’ behaviors. Chapter 5 Implementing a Secure E-Commerce Web Site Introduction Introduction to E-Commerce Site Components Implementing Security Zones Introducing the Demilitarized Zone Multiple Needs Equals Multiple Zones Problems with Multi-Zone Networks Understanding Firewalls Exploring Your Firewall Options Designing Your Firewall Rule Set It Starts with a “Deny All” Attitude Common Ports for Common Communications Converting Pseudo-Code to Firewall Rules Protocols and Risks: Making Good Decisions How Do I Know Where to Place My Components? Profiling Systems by Risk Establishing Risk Control Requirements Creating Security Zones through Requirement Grouping Implementing Intrusion Detection What Is Intrusion Detection? Your Choices in Intrusion Detection 251 252 253 254 255 259 261 262 262 264 266 268 271 272 272 275 276 276 278 279 280 280 282 283 283 285 286 134_ecomm_TOC 6/19/01 11:47 AM Page xvii Contents Network-Based IDS Host-Based IDS Example of a Network-Based IDS Example of a Host-Based IDS Managing and Monitoring the Systems What Kind of Management Tasks Can I Expect to Perform? What Kinds of Monitoring Should I Be Performing? Basic System Monitoring Monitoring Your Security Devices Log File Management Should I Do It Myself or Outsource My Site? Pros and Cons of Outsourcing Your Site Co-Location: One Possible Solution Selecting an Outsource Partner or ASP Summary Solutions Fast Track Frequently Asked Questions 288 290 292 293 295 295 296 298 299 300 301 302 303 303 305 305 311 Chapter 6 Securing Financial Transactions 313 Introduction 314 Understanding Internet-Based Payment Card Systems 315 Credit, Charge, or Debit Cards:What Are the Differences? 315 Point-of-Sale Processing 317 Differences That Charge Cards Bring into the Picture 318 Capture and Settlement 319 Steps in an Internet-Based Payment Card Transaction 321 Toxic Data Lives Everywhere! 325 Approaches to Payments via the Internet 326 Options in Commercial Payment Solutions 327 Commerce Server Providers 328 Braving In-house Resources 329 xvii 134_ecomm_TOC xviii 6/19/01 11:47 AM Page xviii Contents Complete Coverage of Third Party Merchants' POS Systems. ICVERIFY's features include the following: ■ Importing credit card transaction data from other PC applications, such as spreadsheets or databases. ■ Offline group mode to submit a batch of transactions at one time for authorization. ■ Support for Address Verification Systems (AVSs), Retail AVSs, CVV2s, and CVC2s to help reduce fraud due to stolen or fraudulent cards. ■ Data import analysis of files for errors before import. Secure Payment Processing Environments Additional Server Controls Controls at the Application Layer Understanding Cryptography Methodology Substitution Method Transposition Method Transposition Example The Role of Keys in Cryptosystems Symmetric Keys Asymmetric Keys Principles of Cryptography Understanding Hashing Digesting Data Digital Certificates CCITT X.509 Examining E-Commerce Cryptography Hashing Functions Block Ciphers Implementations of PPK Cryptography The SSL Protocol Transport Layer Security (TLS) Pretty Good Privacy (PGP) S/MIME Secure Electronic Transactions (SET) XML Digital Signatures Virtual POS Implementation ICVERIFY Alternative Payment Systems Smart-Card-Based Solutions EMV MONDEX Visa Cash The Common Electronic Purse Specification (CEPS) Proxy Card Payments PayPal 331 335 336 337 337 337 338 339 342 342 342 343 344 345 348 349 351 351 352 352 353 355 356 357 357 359 362 362 364 365 365 367 368 369 369 370 134_ecomm_TOC 6/19/01 11:47 AM Page xix Contents Amazon Payments Funny Money Beenz Flooz Summary Solutions Fast Track Frequently Asked Questions Tools & Traps, Security Alerts, and Damage & Defense Sidebars Make Sure You Don’t Miss a Thing: Tools & Traps…Gauge Your Threat Level with a Honeypot A honeypot (in an information security context) is a system that is designed to be broken into. Setting up a honeypot will give you an opportunity to study tactics of attackers and possibly pick up a new attack or two along the way. Naturally, the attacker shouldn’t be aware that he has broken into a honeypot, and he should think that he’s gotten into an ordinary machine with no special monitoring. In fact, a honeypot machine typically has extensive monitoring in place around it, either on the machine itself or via the network. In order for the honeypot to be effective, as much information as possible must be collected about the attacker. Chapter 7 Hacking Your Own Site Introduction Anticipating Various Types of Attacks Denial of Service Attacks Information Leakage Attacks File Access Attacks Misinformation Attacks Special File/Database Access Attacks Elevation of Privileges Attacks Performing a Risk Analysis on Your Site Determining Your Assets Why Attackers Might Threaten Your Site and How to Find Them Testing Your Own Site for Vulnerabilities Determining the Test Technique Researching Your Vulnerabilities Mapping Out a Web Server Using Automated Scanning Tools Hiring a Penetration Testing Team Summary Solutions Fast Track Frequently Asked Questions Chapter 8 Disaster Recovery Planning: The Best Defense Introduction What Is Disaster Recovery Planning? Structuring a Disaster Recovery Plan Loss of Data or Trade Secrets 370 371 371 371 372 373 379 381 382 382 382 384 385 386 387 388 389 390 392 395 396 399 407 409 414 418 419 423 425 426 426 428 429 xix
- Xem thêm -