134_ecomm_FC 6/19/01 2:14 PM Page 1

1 YEAR UPGRADE BUYER PROTECTION PLAN™

Hack Proofing Your E-Commerce Site
The Only Way to Stop a Hacker Is to Think Like One

• Step-by-Step Instructions for Securing Financial Transactions and Implementing a Secure E-Commerce Site
• Hundreds of Tools & Traps and Damage & Defense Sidebars and Security Alerts!
• Complete Coverage of How to Hack Your Own Site

Ryan Russell
Teri Bidwell
Oliver Steudler
Robin Walshaw
L. Brent Huston, Technical Editor

From the authors of the best-selling HACK PROOFING™ YOUR NETWORK
solutions@syngress.com

With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening.

Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
■ “Ask the Author”™ customer query forms that enable you to post questions to our authors and editors.
■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase.

Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.

www.syngress.com/solutions
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out of the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, and “Career Advancement Through Skill Enhancement®,” are registered trademarks of Syngress Media, Inc. “Ask the Author™,” “Ask the Author UPDATE™,” “Mission Critical™,” and “Hack Proofing™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
KEY    SERIAL NUMBER
001    AERAF43495
002    VNA49FU4FJ
003    CAKL3956FM
004    BNA424TURT
005    BNTUR495QF
006    596JFA3RRF
007    Y745T9TBLF
008    QW5VCD986H
009    BN3TE5876A
010    NVA384NHS5
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Hack Proofing Your E-Commerce Site
Copyright © 2001 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-27-X
Technical edit by: L. Brent Huston
Technical review by: Kevin Ziese
Co-Publisher: Richard Kristof
Developmental Editor: Kate Glennon
Acquisitions Editor: Catherine B. Nolan
Copy edit by: Darren Meiss and Beth A. Roberts
Freelance Editorial Manager: Maribeth Corona-Evans
Index by: Robert Saigh
Page Layout and Art by: Shannon Tozier
Distributed by Publishers Group West in the United States.
Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Richard Kristof and Duncan Anderson of Global Knowledge, for their generous access to the IT industry’s best courses, instructors and training facilities.

Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Bill Richter, Kevin Votel, and Brittin Clark of Publishers Group West for sharing their incredible marketing experience and expertise.

Mary Ging, Caroline Hird, Simon Beale, Caroline Wheeler, Victoria Fuller, Jonathan Bunkell, and Klaus Beran of Harcourt International for making certain that our vision remains worldwide in scope.

Anneke Baeten, Annabel Dent, and Laurie Giles of Harcourt Australia for all their help.

David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Joe Pisco, Helen Moyer, and the great folks at InterCity Press for all their help.
Contributors

Ryan Russell (CCNA, CCNP) is the best-selling author of Hack Proofing Your Network: Internet Tradecraft (ISBN: 1-928994-15-6). He is MIS Manager at SecurityFocus.com, has served as an expert witness on security topics, and has done internal security investigation for a major software vendor. Ryan has been working in the IT field for over 11 years, the last 6 of which have been spent primarily in information security. He has been an active participant in various security mailing lists, such as BugTraq, for years. Ryan has contributed to four Syngress titles on the topic of networking. He holds a Bachelors of Science degree in Computer Science. Ryan wishes to thank Karen Mathews at the U.S. Department of Energy for her assistance in preparing Chapter 10.

Mark S. Merkow (CCP) has been an Information Systems professional since 1975, working in a variety of industries. For the last 12 years he has been working for a Fortune 50 financial services company in Phoenix, AZ. Mark holds a Masters in Decision and Information Systems from Arizona State University’s College of Business and is completing his Masters of Education in Educational Technology at ASU’s College of Education, specializing in developing distance learning courses. Today he serves as an e-commerce Security Advisor working with both internal and external Web designers and developers. Mark has authored or co-authored six books on computer technology since 1990, including Breaking Through Technical Jargon, Building SET Applications for Secure Transactions, Thin Clients Clearly Explained, Virtual Private Networks For Dummies, A Complete Guide to Internet Security, and The ePrivacy Imperative. In addition, Mark is a computer columnist for several local, national, and international print publications, along with an e-zine hosted at Internet.com.

Robin Walshaw (MCSE, DPM), author of Mission Critical Windows 2000 Server Administration (ISBN: 1-928994-16-4), is an independent consultant who architects security and infrastructure solutions for large corporations around the globe. By applying a combination of sound business sense and technical insight, Robin is able to design and deliver scalable solutions targeted at enabling the enterprise to effectively leverage technology. With a flair for developing strategic IT solutions for diverse clients, he has worked in the world of computers in 8 countries, and has traveled to over 30 in the last 10 years. A veteran of numerous global projects, Robin has honed his skills across a wide variety of businesses, platforms, and technologies. He has managed to scratch his head and look slightly confused in the world of security, network operating systems, development, and research.

Having traversed the globe and seen its many beautiful wonders, Robin is still captivated by the one thing that leaves him breathless—Natalie, his wife. She is a light against the darkness, a beauty whose smile can melt even the coldest heart.

Teri Bidwell (GCIA) has been involved in Internet security for over 10 years as an analyst, engineer, and administrator and is a SANS-Certified GCIA Intrusion Analyst. Her career began securing Unix networks at the University of Colorado and continued as a Cisco network engineer and DNS manager for Sybase, Inc. Today, Teri is a security analyst for a firm headquartered in Reston, VA. She is a key contributor to corporate security strategy and is an advisor for e-business development. Her specialties include policy creation, vulnerability assessment, penetration testing, and intrusion detection for corporate environments.

Teri received a Computer Science degree from the University of Colorado and sits on the SANS GCIA Advisory Board. She currently lives and works in Boulder, CO with her family, Clint, Wes, and Michael.

Michael Cross (MCSE, MCP+I, CNA) is a Microsoft Certified System Engineer, Microsoft Certified Product Specialist, Microsoft Certified Professional + Internet, and a Certified Novell Administrator. Michael is the Network Administrator, Internet Specialist, and a Programmer for the Niagara Regional Police Service. He is responsible for network security and administration, programming applications, and is Webmaster of their Web site at www.nrps.com. He has consulted and assisted in computer-related/Internet criminal cases, and is part of an Information Technology team that provides support to a user base of over 800 civilian and uniform users. His theory is that when the users carry guns, you tend to be more motivated in solving their problems.

Michael owns KnightWare, a company that provides consulting, programming, networking, Web page design, computer training, and other services. He has served as an instructor for private colleges and technical schools in London, Ontario Canada. He has been a freelance writer for several years and has been published over two dozen times in books and anthologies. Michael currently resides in St. Catharines, Ontario Canada with his lovely fiancée Jennifer.

Oliver Steudler (CCNP, CCDP, CSE, CNE) is a Senior Systems Engineer at iFusion Networks in Cape Town, South Africa. Oliver specializes in routing, switching, and security and has over 10 years of experience in consulting, designing, implementing, and troubleshooting complex networks. He has written articles on TCP/IP, networking, security, and data communications and also co-authored another Syngress title, Managing Cisco Network Security (ISBN: 1-928994-17-2).

Kevin Ziese is a computer scientist at Cisco Systems, Inc. Prior to joining Cisco, he was a senior scientist and founder of the Wheelgroup Corporation, which was acquired by Cisco Systems in April of 1998. Before founding the Wheelgroup Corporation, he was Chief of the Advanced Countermeasures Cell at the Air Force Information Warfare Center.

Technical Editor and Contributor

L. Brent Huston earned his Associate of Applied Science degree in Electronics at DeVry Technical Institute (Columbus, Ohio) in 1994. He has more than 10 years of experience in IT, mostly in the areas of cyber security testing, network monitoring, scanning protocols, firewalls, viruses and virus prevention formats, security patches, and hacker techniques. As President and CEO of his own information security company, MicroSolved, Inc., he and his staff have performed system and network security-consulting services for Fortune 500 companies and all levels of governmental facilities. He is well versed in the use and implementation of all the major security tools and appliances. In the past, Brent developed “Passys”—a passive intrusion detection system for Unix and has also identified previously unknown security vulnerabilities in Ascom routers, Windows NT, and Linux operating systems.

Brent is an accomplished computer and information security speaker and has published numerous white papers on security-related topics. Recently he was involved in the laboratory testing of major firewall appliances at his company’s central Ohio facilities. This testing was to prove the worthiness of each appliance as well as possible vulnerabilities that had not as yet been established by their parent companies. He reported his results both to the individual product companies and at a national security industry presentation. Brent is also currently engaged with the Office of Independent Oversight and Performance Assurance in Columbus, OH. He was responsible for designing and implementing a state-of-the-art cyber security testing and research lab for this office and several DOE national laboratories have utilized his expertise to perform network penetration and detection services. Such services have required a high security clearance from Brent. Brent is an Internet Security Systems Certified Engineer, Sidewinder Firewall Certified Administrator, IBM Secure Network Gateway Certified Administrator, and Phoenix Firewall Certified Administrator.
Contents

Understand the Goals of Security in the Commerce Process
■ Protect the privacy of the consumer at the point of purchase.
■ Protect the privacy of the customers’ information while it is stored or processed.
■ Protect the confidential identity of customers, vendors, and employees.
■ Protect the company from waste, fraud, and abuse.
■ Protect the information assets of the company from discovery and disclosure.
■ Preserve the integrity of the organization’s information assets.
■ Ensure the availability of systems and processes required for consumers to do business with the company.
■ Ensure the availability of systems and processes required for the company to do business with its vendors and partners.

Foreword    xxv

Chapter 1 Applying Security Principles to Your E-Business    1
    Introduction    2
    Security as a Foundation    3
    Confidentiality    3
    Integrity    4
    Availability    4
    Presenting Security As More Than a Buzzword    6
    The Goals of Security in E-Commerce    9
    Planning with Security in Mind    10
    Security during the Development Phase    13
    Implementing Secure Solutions    14
    Managing and Maintaining Systems in a Secure Environment    15
    Applying Principles to Existing Sites    20
    It All Starts with Risk    21
    Fix the Highest Risks First    22
    Management and Maintenance during the Patching Process    23
    Impact of Patching on Production Systems    24
    The Never-Ending Cycle of Change    25
    Developing a Migration Plan    26
    How to Justify a Security Budget    27
    The Yardstick Approach    27
Damage & Defense Sidebars Provide You with Additional Information on Minimizing Risk

Damage & Defense… Configuration Management
One method of instigating a DoS is by altering the configuration of key devices such as routers and servers. Routing tables, registry databases, and UNIX configuration files are just a few of the potential configuration databases that can be used against a business. It goes without saying, then, that all Internet-facing devices should undergo strict change control procedures and that a backup of the last known good configuration should be available on

    A Yardstick Approach Case Study    29
    Possible Results of Failure    30
    The Fear Tactic Approach    31
    A Fear Tactic Approach Case Study    32
    Possible Results of Failure    34
    Security as a Restriction    35
    Security as an Enabler    36
    Summary    38
    Solutions Fast Track    39
    Frequently Asked Questions    43

Chapter 2 DDoS Attacks: Intent, Tools, and Defense    45
    Introduction    46
    What Is a DDoS Attack?    47
    Laying the Groundwork: DoS    48
    Resource Consumption Attacks    50
    Malformed Packet Attacks    57
    Anatomy of a DDoS attack    60
    The Attacks of February 2000    63
    Why Are E-Commerce Sites Prime Targets for DDoS?    67
    A Growing Problem    68
    How the Media Feeds the Cycle    69
    What Motivates an Attacker to Damage Companies?    70
    Ethical Hacking: A Contradiction in Terms?    70
    Hacktivism    72
    Fifteen Minutes of Fame    72
    Hell Hath No Fury Like a Hacker Scorned    73
    Show Me the Money!    73
    Malicious Intent    74
    What Are Some of the Tools Attackers Use to Perform DDoS Attacks?    75
    Trinoo    76
    Understanding How Trinoo Works    76
Know What You May Be Giving Away in Your HTML Code
Each hidden tag can be used with forms on your site and includes a name and a value. When the form is submitted, the name and value in the hidden field is included with the results. For example, the following line of code shows an input value of $100.00 associated with a variable called "cost." Using a text editor or HTML editing program, a hacker could alter the value so that the value is changed to a lower amount. For example, the $100.00 could be changed to $1.00. This would allow buyers to purchase products at a significantly reduced amount.

    TFN2K: The Portable Monster    78
    Understanding How TFN2K Works    78
    Stacheldraht—A Barbed-Wire Offensive    81
    Understanding How Stacheldraht Works    81
    More DDoS Families    86
    How Can I Protect My Site against These Types of Attacks?    87
    Basic Protection Methods    90
    Using Egress Rules to Be a Better “Net Neighbor”    95
    Defending against the SYN’s of the Internet    99
    Methods for Locating and Removing Zombies    103
    Summary    109
    Solutions Fast Track    111
    Frequently Asked Questions    117

Chapter 3 Secure Web Site Design    119
    Introduction    120
    Choosing a Web Server    121
    Web Server versus Web Service    121
    Factoring in Web Servers’ Cost and Supported Operating Systems    122
    Comparing Web Servers’ Security Features    127
    Authentication    127
    Using the SET Protocol    133
    Setting Permissions    134
    Using CGI Applications    134
    Security Features Side By Side    134
    The Basics of Secure Site Design    143
    Creating a Security Plan    143
    Protecting against Internal Threats    145
    Adding Security Tiers beyond the Web Server    146
    Apache versus Internet Information Services    149
    Installation: The First Step    151
    Installing and Configuring Apache    152
    Installing and Configuring Internet Information Server 5.0    164
    Windows 2000 Server and Internet Information Server 5.0 Security    168
    Hardening the Server Software    173
    Install Patches    174
    Disable Unneeded Ports, Services, and Components    174
    Delete Unneeded Scripts and Files    175
    Hardening the Overall System    176
    Password Hacking and Analysis Tools    178
    Web Design Issues Dealing with HTML Code    183
    Information in HTML Code    183
    Using Server Side Includes (SSI) in HTML Code    186
    Guidelines for Java, JavaScript, and Active X    189
    Understanding Java, JavaScript, and ActiveX—and the Problems They May Cause    189
    Preventing Problems with Java, JavaScript, and ActiveX    191
    Programming Secure Scripts    196
    Code Signing: Solution or More Problems?    199
    Understanding Code Signing    199
    The Strengths of Code Signing    200
    Problems with the Code Signing Process    201
    Should I Outsource the Design of My Site?    202
    Understanding the Required Skills    203
    Pros and Cons of Outsourcing Design Work    204
    Workload    204
    Security    205
    Contracts and Cost    206
    No Matter Who Designs It, Double-Check before You Implement It    207
    Summary    209
    Solutions Fast Track    210
    Frequently Asked Questions    214

Chapter 4 Designing and Implementing Security Policies    219
    Introduction    220
    Why Are Security Policies Important to an E-Commerce Site?    220
    What Is a Security Policy?    221
    Value versus Risk    222
    Security versus Services Provided    223
    Cost of Security versus Cost of Not Having Security    224
    Where Do I Begin?    225
    What Elements Should My Security Policy Address?    228
    Confidentiality and Personal Privacy Policies    230
    Requirements for Authentication    231
    Requirements for Protecting Customer Information    236
    Privacy Policies    239
    Information Integrity Policies    240
    Quality Assurance Policies    241
    Assuring Information Integrity through Technology    244
    Availability of Service Policies    244
    Are Prewritten Security Policies Available on the Net?    246
    All Organizations Are Different—and So Are Their Policies    246
    Example Policies and Frameworks    247
    A Word about the Outsourcing of Policy Development    248
    How Do I Use My Security Policy to Implement Technical Solutions?    248

Learn How to Produce a Security Policy
[Flowchart of the policy development process; box labels in the order they appear: New Security Issue; Identify Key Stakeholders; Policy Research; Review Procedure; Baseline Policy; Solicit Feedback; Conduct Review Workshop; Edit Draft Policy; Proposed Policy Draft; Legal Review; Final Policy Draft; Executive Approval; Publication; End User Training]
    How Do I Inform My Clients of My Security Policies?    251
    Building Customer Confidence through Disclosure    252
    Security as a Selling Point    253
    Summary    254
    Solutions Fast Track    255
    Frequently Asked Questions    259

Chapter 5 Answers All Your Questions About Implementing a Secure Site
Q: How do I know if I am logging too much or too little information on my systems?
A: Log the information you feel that you need to make good decisions. If you have problems sifting through the logs to locate issues and you have had proper training, then you need to eliminate the log entries that you do not use to make decisions or keep those log entries and use an automated tool to select only the entries you are interested in. You are logging too little information if you do not have a picture of your systems’ operations and your users’ behaviors.

Chapter 5 Implementing a Secure E-Commerce Web Site    261
    Introduction    262
    Introduction to E-Commerce Site Components    262
    Implementing Security Zones    264
    Introducing the Demilitarized Zone    266
    Multiple Needs Equals Multiple Zones    268
    Problems with Multi-Zone Networks    271
    Understanding Firewalls    272
    Exploring Your Firewall Options    272
    Designing Your Firewall Rule Set    275
    It Starts with a “Deny All” Attitude    276
    Common Ports for Common Communications    276
    Converting Pseudo-Code to Firewall Rules    278
    Protocols and Risks: Making Good Decisions    279
    How Do I Know Where to Place My Components?    280
    Profiling Systems by Risk    280
    Establishing Risk Control Requirements    282
    Creating Security Zones through Requirement Grouping    283
    Implementing Intrusion Detection    283
    What Is Intrusion Detection?    285
    Your Choices in Intrusion Detection    286
    Network-Based IDS    288
    Host-Based IDS    290
    Example of a Network-Based IDS    292
    Example of a Host-Based IDS    293
    Managing and Monitoring the Systems    295
    What Kind of Management Tasks Can I Expect to Perform?    295
    What Kinds of Monitoring Should I Be Performing?    296
    Basic System Monitoring    298
    Monitoring Your Security Devices    299
    Log File Management    300
    Should I Do It Myself or Outsource My Site?    301
    Pros and Cons of Outsourcing Your Site    302
    Co-Location: One Possible Solution    303
    Selecting an Outsource Partner or ASP    303
    Summary    305
    Solutions Fast Track    305
    Frequently Asked Questions    311

Chapter 6 Securing Financial Transactions    313
    Introduction    314
    Understanding Internet-Based Payment Card Systems    315
    Credit, Charge, or Debit Cards: What Are the Differences?    315
    Point-of-Sale Processing    317
    Differences That Charge Cards Bring into the Picture    318
    Capture and Settlement    319
    Steps in an Internet-Based Payment Card Transaction    321
    Toxic Data Lives Everywhere!    325
    Approaches to Payments via the Internet    326
    Options in Commercial Payment Solutions    327
    Commerce Server Providers    328
    Braving In-house Resources    329
Complete Coverage of Third Party Merchants' POS Systems.
ICVERIFY's features include the following:
■ Importing credit card transaction data from other PC applications, such as spreadsheets or databases.
■ Offline group mode to submit a batch of transactions at one time for authorization.
■ Support for Address Verification Systems (AVSs), Retail AVSs, CVV2s, and CVC2s to help reduce fraud due to stolen or fraudulent cards.
■ Data import analysis of files for errors before import.

    Secure Payment Processing Environments    331
    Additional Server Controls    335
    Controls at the Application Layer    336
    Understanding Cryptography    337
    Methodology    337
    Substitution Method    337
    Transposition Method    338
    Transposition Example    339
    The Role of Keys in Cryptosystems    342
    Symmetric Keys    342
    Asymmetric Keys    342
    Principles of Cryptography    343
    Understanding Hashing    344
    Digesting Data    345
    Digital Certificates    348
    CCITT X.509    349
    Examining E-Commerce Cryptography    351
    Hashing Functions    351
    Block Ciphers    352
    Implementations of PPK Cryptography    352
    The SSL Protocol    353
    Transport Layer Security (TLS)    355
    Pretty Good Privacy (PGP)    356
    S/MIME    357
    Secure Electronic Transactions (SET)    357
    XML Digital Signatures    359
    Virtual POS Implementation    362
    ICVERIFY    362
    Alternative Payment Systems    364
    Smart-Card-Based Solutions    365
    EMV    365
    MONDEX    367
    Visa Cash    368
    The Common Electronic Purse Specification (CEPS)    369
    Proxy Card Payments    369
    PayPal    370
    Amazon Payments    370
    Funny Money    371
    Beenz    371
    Flooz    371
    Summary    372
    Solutions Fast Track    373
    Frequently Asked Questions    379

Tools & Traps, Security Alerts, and Damage & Defense Sidebars Make Sure You Don’t Miss a Thing:

Tools & Traps… Gauge Your Threat Level with a Honeypot
A honeypot (in an information security context) is a system that is designed to be broken into. Setting up a honeypot will give you an opportunity to study tactics of attackers and possibly pick up a new attack or two along the way. Naturally, the attacker shouldn’t be aware that he has broken into a honeypot, and he should think that he’s gotten into an ordinary machine with no special monitoring. In fact, a honeypot machine typically has extensive monitoring in place around it, either on the machine itself or via the network. In order for the honeypot to be effective, as much information as possible must be collected about the attacker.

Chapter 7 Hacking Your Own Site    381
    Introduction    382
    Anticipating Various Types of Attacks    382
    Denial of Service Attacks    382
    Information Leakage Attacks    384
    File Access Attacks    385
    Misinformation Attacks    386
    Special File/Database Access Attacks    387
    Elevation of Privileges Attacks    388
    Performing a Risk Analysis on Your Site    389
    Determining Your Assets    390
    Why Attackers Might Threaten Your Site and How to Find Them    392
    Testing Your Own Site for Vulnerabilities    395
    Determining the Test Technique    396
    Researching Your Vulnerabilities    399
    Mapping Out a Web Server    407
    Using Automated Scanning Tools    409
    Hiring a Penetration Testing Team    414
    Summary    418
    Solutions Fast Track    419
    Frequently Asked Questions    423

Chapter 8 Disaster Recovery Planning: The Best Defense    425
    Introduction    426
    What Is Disaster Recovery Planning?    426
    Structuring a Disaster Recovery Plan    428
    Loss of Data or Trade Secrets    429