
Apache Security - Ivan Ristic [8]

information

Attackers commonly work in the dark and perform reconnaissance to uncover as much information about the target as possible. We should not help them. Keep information private whenever you can. But keeping information private is not a strong security measure on its own: unless the system is secure, obscurity will not help much.

Fail safely

Make sure that whenever a system component fails, it fails in such a way as to change into a more secure state. Using an obvious example, if the login procedure cannot complete because of some internal problem, the software should reject all login requests until the internal problem is resolved.
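
The login case above as an added example (not from the book): a fail-open handler beside a fail-safe one that denies on any internal error and keeps rejecting every login until a health check succeeds. `SampleStore`, `BackendError`, `FailSafeLogin` and the sample credentials are hypothetical names constructed for the illustration.

```python
import hmac

class BackendError(Exception):
    """The credential store could not answer (hypothetical error type)."""

class SampleStore:
    """Stand-in credential store; a real one would verify a salted password hash."""
    def __init__(self, users):
        self.users = users      # constructed sample data
        self.healthy = True     # set to False to simulate an internal problem

    def verify(self, user, password):
        if not self.healthy:
            raise BackendError("credential store unavailable")
        expected = self.users.get(user)
        return expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())

def login_fail_open(store, user, password):
    """Anti-pattern: an internal error ends up on the 'allow' path."""
    try:
        return store.verify(user, password)
    except BackendError:
        return True  # the failure leaves the system in a less secure state

class FailSafeLogin:
    """Denies on any internal error and keeps denying until recover() succeeds."""
    def __init__(self, store):
        self.store = store
        self.tripped = False

    def login(self, user, password):
        if self.tripped:
            return False            # reject everything while the fault is unresolved
        try:
            return self.store.verify(user, password) is True
        except Exception:
            self.tripped = True     # fail into the more secure state
            return False

    def recover(self):
        """Health-check hook: clear the latch only once the store answers again."""
        try:
            self.store.verify("healthcheck", "")
        except Exception:
            return False
        self.tripped = False
        return True
```

A wrong password does not trip the latch; only an internal fault does, and `recover()` is the single place where normal service resumes.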

Secure the weakest link

The whole system is as secure as its weakest link. Take the time to understand all system parts and focus your efforts on the weak parts.

Practice simplicity

Humans do not cope with complexity well. A study has found we can only hold up to around seven concepts in our heads at any one time. Anything more complex than that will be hard to understand. A simple system is easy to configure, verify, and use. (This was demonstrated in a recent paper, "A Quantitative Study of Firewall Configuration Errors" by Avishai Wool: http://www.eng.tau.ac.il/~yash/computer2004.pdf.)

Common Security Vocabulary

At this point, a short vocabulary of frequently used security terms would be useful. You may know some of these terms, but some are specific to the security industry.

Weakness

A less-than-ideal aspect of a system, which can be used by attackers in some way to bring them closer to achieving their goals. A weakness may be used to gain more information or as a stepping-stone to other system parts.

Vulnerability

Usually a programming error with security consequences.

Exploit

A method (but it can be a tool as well) of exploiting a vulnerability. This can be used to break in or to increase user privileges (known as privilege elevation).

Attack vector

An entry point an adversary could use to attempt to break in. A popular technique for reducing risk is to close the entry point completely for the attacker. Apache running on port 80 is one example of an entry point.

Attack surface

The area within an entry point that can be used for an attack. This term is usually used in discussions related to the reduction of attack surface. For example, moving an e-commerce administration area to another IP address where it cannot be accessed by the public reduces the part of the application accessible to the attacker, and with it the attack surface and the risk.

Security Process Steps

Expanding on the four generic phases of the security process mentioned earlier (assessment, protection, detection, and response), we arrive at seven practical steps that cover one iteration of a continuous process:

1. Understand the environment and the security requirements of the project.
2. Establish a security policy and design the system.
3. Develop operational procedures.
4. Configure carefully.
5. Perform maintenance and patch regularly.
6. Monitor.
7. Handle attacks.

The first three steps of this process, referred to as threat modeling, are covered in the next section. The remaining steps are covered throughout the book.

Threat Modeling

Threat modeling is a fancy name for rational and methodical thinking about what you have, who is out there to get you, and how. Armed with that knowledge, you decide what you want to do about the threats. It is genuinely useful and fun to do, provided you do not overdo it. It is a loose methodology that revolves around the following questions:

What do you have that is valuable (assets)?

Why would attackers want to disrupt your operation (motivation)?

Where can they attack (entry points)?

How would they attack (threats)?

How much would it cost to protect from threats (threat ranking)?

Which threats will you fight against and how (mitigation)?

The best time to start is at the very beginning, using threat modeling for system design. But since the methodology is attack-oriented, it is never too late to start. It is especially
