ArcGIS Server Security Threats & Best Practices 2014
David Cordes, Michael Young


Agenda
- Introduction
- Threats
- Best practice
  - ArcGIS Server settings
  - Infrastructure settings
  - Processes
- Summary

Introduction
Application Security Risks*
* OWASP Top 10 - 2013

Threats: Standardized Vulnerability Ranking
Common Vulnerability Scoring System (CVSS)
- Open and standardized method for rating IT vulnerabilities
- Overall score based on input from 3 scores:
  - Base
  - Temporal
  - Environmental

Threats: Calculate Your Vulnerability Risk
NIST online calculator for calculating vulnerability risk: http://nvd.nist.gov/cvss.cfm?calculator&version=2

Attacks: Injection
What
- Tricking an application into including unintended commands in the data sent to an interpreter
Example
- Attacker sends attack in form data, such as ' or 1=1
- Application forwards attack to database in a SQL query
- Database runs modified query containing attack and sends results to app
Recommendations
- Utilize standardized queries, added in 10.2+
- Minimize database privileges to reduce impact
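The slide's example carried through in code, as an added illustration that is not from the deck: a filter built by string concatenation beside the same filter as a parameterized query, run against a constructed in-memory SQLite table standing in for a layer's attribute table.

```python
import sqlite3

# Constructed sample table (not from the deck): rows flagged restricted=1
# must never be returned by the owner lookup below.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE parcels (id INTEGER, owner TEXT, restricted INTEGER)")
conn.executemany("INSERT INTO parcels VALUES (?, ?, ?)",
                 [(1, "alice", 0), (2, "bob", 1), (3, "carol", 1)])


def find_by_owner_vulnerable(owner: str) -> list:
    """String concatenation: the interpreter cannot tell the data from the SQL."""
    # With owner = "' or 1=1 --" the WHERE clause becomes "owner = '' or 1=1",
    # the rest is commented out, and every row, restricted or not, comes back.
    sql = f"SELECT id, owner FROM parcels WHERE owner = '{owner}' AND restricted = 0"
    return conn.execute(sql).fetchall()


def find_by_owner_safe(owner: str) -> list:
    """Parameterized ("standardized") query: the value is bound, never parsed as SQL."""
    sql = "SELECT id, owner FROM parcels WHERE owner = ? AND restricted = 0"
    return conn.execute(sql, (owner,)).fetchall()


if __name__ == "__main__":
    hostile = "' or 1=1 --"
    print("concatenated:", find_by_owner_vulnerable(hostile))   # all three rows
    print("parameterized:", find_by_owner_safe(hostile))         # no rows
```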

Attacks: Cross-Site Scripting (XSS)
What
- Raw data from attacker is sent to an innocent user's browser
Example
- Attacker sets trap by entering a malicious script into a web page that stores the data on the server
- Victim views the page and the script runs inside the victim's browser with full access to the DOM and cookies
- Script silently sends the victim's session cookie to the attacker
Recommendations
- Don't include user-supplied input in the output page
- Ensure any ArcGIS Server security patches are applied

Attacks: Security Misconfiguration
What
- Web applications rely on a secure foundation from the OS up through the application server
Example
- Install backdoor through missing OS or server patch
- Accidentally exposing ArcGIS Admin and Manager interfaces to the Internet
Recommendations
- Ensure security patches are in place, e.g. OpenSSL/Heartbleed
- Utilize the ArcGIS Web Adaptor
- Server hardening guide coming

Attacks: Sensitive Data Exposure
What
- Storing and transmitting sensitive data insecurely
Example
- Victim enters sensitive information in a form
- Error handler logs sensitive info
- Logs accessible to all IT staff for debugging purposes, providing opportunity for a malicious insider to review sensitive info
Recommendations
- Utilize encryption and ensure rigorous key management
- Require SSL for services

Attacks: Cross-Site Request Forgery (CSRF)
What
- Victim's browser is tricked into issuing a command to a vulnerable web app
Example
- Attacker sets trap on a website or in an email: a hidden <img> tag contains the attack against the vulnerable site
- While logged on to the vulnerable site, the victim views the attacker's site, where the <img> tag is loaded by the browser, sending a GET request (including credentials) to the vulnerable site
- Vulnerable site sees a legitimate request from the victim and performs the action requested
Recommendations
- Properly encode all input on the way out.

Attacks: Using Components with Known Vulnerabilities
What
- Vulnerable components are common and can be identified and exploited with automated tools
Example
- Vulnerable framework library incorporated as part of a web application
- Developer does not know the dependent component is being used, let alone its version
- Results in application weaknesses such as injection, broken access control, XSS
Recommendations
- Incorporate automated checks for libraries being out of date, such as the Maven Versions Plugin
- Subscribe to the Trust.ArcGIS.com feed (coming soon) for security patch info

Attacks: Unvalidated Redirects and Forwards
What
- Web application redirect includes user-supplied parameters in the destination URL and they are not validated
Example
- Attacker sends attack to the victim via email/webpage
- Victim clicks a link containing the unvalidated parameter and the app redirects the victim to the attacker's site. The attacker's site installs malware on the victim's system
Recommendations
- Minimize use of redirects and validate the target URL to ensure it is an authorized external site
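One way to implement the recommendation above, as an added example that is not from the deck: a redirect-target validator that accepts only same-origin paths and https URLs whose host is on an allow list, and refuses the usual bypasses (scheme-relative "//host", backslashes, "user@host" tricks, other schemes). The allow list and application base URL are assumed for the example.

```python
from urllib.parse import urlsplit, urljoin

# Assumed allow list and application origin (constructed for this example).
ALLOWED_HOSTS = {"maps.example.org", "portal.example.org"}
APP_BASE = "https://maps.example.org/app/"


def safe_redirect_target(user_supplied: str) -> str:
    """Return an absolute URL the app may redirect to, or raise ValueError.

    Accepts same-origin relative paths and https URLs whose host is on the
    allow list; refuses other schemes, scheme-relative '//host', backslash
    variants the browser would treat as slashes, userinfo '@' tricks, and
    any host not on the list.
    """
    if not user_supplied or any(ch in user_supplied for ch in "\r\n\x00"):
        raise ValueError("empty target or control characters")
    target = user_supplied.strip()
    if target.startswith(("//", "\\", "/\\")):
        raise ValueError("scheme-relative or backslash target")
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: resolve against our own base so it stays on our origin.
        resolved = urljoin(APP_BASE, target if target.startswith("/") else "/" + target)
        if urlsplit(resolved).hostname not in ALLOWED_HOSTS:
            raise ValueError("relative target escaped the application origin")
        return resolved
    if parts.scheme != "https":          # urlsplit lower-cases the scheme
        raise ValueError("only https redirect targets are permitted")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in redirect target")
    if (parts.hostname or "") not in ALLOWED_HOSTS:   # hostname is lower-cased
        raise ValueError("host not on allow list")
    return target


if __name__ == "__main__":
    for candidate in ("/items?x=1", "https://portal.example.org/home/",
                      "//evil.example/", "https://maps.example.org@evil.example/"):
        try:
            print("allow ", safe_redirect_target(candidate))
        except ValueError as err:
            print("reject", candidate, "->", err)
```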

Attacks: Risk Factor Summary

Best Practices

Disable the Primary Site Administrator
Enterprise users?
Recommend: Disable the Primary Site Administrator (PSA) account
- Can be re-enabled if locked out of ArcGIS Server

Worried about token sniffing?
How do tokens work?
Recommend: Use HTTPS and shorten the max token times

Disable Services Directory
What is the services directory?
Recommend: Disable on non-development machines

Limiting access to your web services
Which web apps can access your services?
- Default: Any
- Recommend: Specify

Preventing Injection and Spying
- Use HTTPS for everything
- Don't use dynamic workspaces
- Upgrade to 10.2 or later

Infrastructure Settings

Infrastructure Settings
1. Firewall Ports
2. Least privileges
3. Protect the config-store

Firewall ports

Product   Port        Purpose                  Who Accesses
Server    6080        Service Access           Web Adaptor or Reverse Proxy
Server    6443        Encrypted Access         Web Adaptor or Reverse Proxy
Portal    7080        Service Access           Web Adaptor or Reverse Proxy
Portal    7443        Encrypted Access         Web Adaptor or Reverse Proxy
Server    4000-4003   Internal communications  Other machines in site

Least privileges
- 10.0 and prior: admin required
- 10.1 and later: minimal privileges
  - Windows: run as a service
  - Linux: use SELinux

Protect your config-store at all costs
- config-store and directories must be secured
- Be paranoid: don't even allow read access
Securing Your ArcGIS for Server

Processes

Simple processes go a long way.
1. Monitor your logs
2. Review elevated privileges
3. Change SSL certs yearly
4. Change token key yearly

Monitor the logs
ArcGIS Server logs dodgy things:
- Bad password attempts
- Locked out accounts
- Potential CSRF attacks and IP
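What "monitor the logs" can look like in practice, as an added example that is not from the deck: a small analyzer that walks log records, raises an alert when the same user/source pair fails to log in repeatedly inside a sliding window, and surfaces lockouts and CSRF rejections. The record shape (time, type, user, message) is assumed to resemble an Admin API logs/query response, and the sample records and their message wording are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample records (field names assumed; message text is made up).
# Times are epoch milliseconds, as ArcGIS Server log queries report them.
SAMPLE_LOG = [
    {"time": 1400000000000, "type": "WARNING", "user": "", "message": "Failed to log in user 'siteadmin' from 198.51.100.7"},
    {"time": 1400000020000, "type": "WARNING", "user": "", "message": "Failed to log in user 'siteadmin' from 198.51.100.7"},
    {"time": 1400000030000, "type": "INFO", "user": "", "message": "Service 'SampleWorldCities.MapServer' started"},
    {"time": 1400000040000, "type": "WARNING", "user": "", "message": "Failed to log in user 'bob' from 203.0.113.5"},
    {"time": 1400000060000, "type": "WARNING", "user": "", "message": "Failed to log in user 'siteadmin' from 198.51.100.7"},
    {"time": 1400000070000, "type": "WARNING", "user": "", "message": "User 'siteadmin' has been locked out"},
    {"time": 1400000900000, "type": "WARNING", "user": "publisher1", "message": "Possible CSRF attack: request rejected"},
]

FAILED_LOGIN = re.compile(r"Failed to log in user '([^']+)' from (\S+)")
LOCKED_OUT = re.compile(r"User '([^']+)' has been locked out")
CSRF_HINT = re.compile(r"Possible CSRF attack")


def analyze(records, window_ms=5 * 60 * 1000, threshold=3):
    """Return (kind, user, source) alerts in log-time order:
    'brute_force' when a user/source pair reaches `threshold` failures inside
    `window_ms`, 'lockout' for lockouts, 'csrf' for CSRF rejections."""
    alerts = []
    failures = defaultdict(list)  # (user, source ip) -> recent failure times
    for rec in sorted(records, key=lambda r: r["time"]):
        msg = rec["message"]
        if m := FAILED_LOGIN.search(msg):
            key = (m.group(1), m.group(2))
            recent = failures[key]
            recent.append(rec["time"])
            while recent and rec["time"] - recent[0] > window_ms:
                recent.pop(0)  # forget failures that fell out of the window
            if len(recent) == threshold:  # alert once, when the threshold is first reached
                alerts.append(("brute_force", key[0], key[1]))
        elif m := LOCKED_OUT.search(msg):
            alerts.append(("lockout", m.group(1), None))
        elif CSRF_HINT.search(msg):
            alerts.append(("csrf", rec.get("user") or None, None))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```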

Review Elevated Privileges
- Admin API (10.2+)
- Review groups with publisher and administrator privileges