NIST: Linee guida per la sicurezza dei siti web pubblici

 Il Computer Security Resourcer center (CSRC) del National Institute of Standards and Technology (NIST), ha pubblicato la seconda bozza delle "Guidelines on Securing Public Web Servers" (pdf, 1.3 M).

Minacce

Il documento prende in considerazione le seguenti classi di minacce:

  • Malicious code
  • Attacchi di tipo Denial of service (DoS)
  • Accesso non autorizzato alle informazioni sensibili
  • Injection attacks (SQL injection, LDAP injection, cross-site scripting).
  • Intercettazione di dati on cifrati
  • Modifiche no autorizzate ai dati compreso il “site defacement”
  • Botnet

 

Phishing e pharming

Un parte del documento si occupa in particolare degli attacchi di tipo phishing e pharming

Indice del documento

  • Executive Summary
  • 1. Introduction
    • 1.1 Authority
    • 1.2 Purpose and Scope
    • 1.3 Audience and Assumptions
    • 1.4 Document Structure
  • 2. Background
  • 3. Planning and Managing Web Servers
    • 3.1 Installation and Deployment Planning
    • 3.2 Security Management Staff
    • 3.2.1 Senior IT Management/Chief Information Officer
    • 3.2.2 Information Systems Security Program Managers
    • 3.2.3 Information Systems Security Officers
    • 3.2.4 Web Server and Network Administrators
    • 3.2.5 Web Application Developers
    • 3.3 Management Practices
    • 3.4 System Security Plan
    • 3.5 Human Resources Requirements
    • 3.6 Alternative Web Server Platforms
    • 3.6.1 Trusted Operating Systems
    • 3.6.2 Web Server Appliances
    • 3.6.3 Pre-Hardened Operating Systems and Web Servers
    • 3.6.4 Virtualized Platforms
    • 3.7 Checklist for Planning and Managing Web Servers
  • 4. Securing the Web Server Operating System
    • 4.1 Installing and Configuring the Operating System
    • 4.1.1 Patch and Upgrade Operating System
    • 4.1.2 Remove or Disable Unnecessary Services and Applications
    • 4.1.3 Configure Operating System User Authentication
    • 4.1.4 Configure Resource Controls Appropriately
    • 4.1.5 Install and Configure Additional Security Controls
    • 4.2 Security Testing the Operating System
    • 4.3 Checklist for Securing the Web Server Operating System
  • 5. Securing the Web Server
    • 5.1 Securely Installing the Web Server
    • 5.2 Configuring Access Controls
    • 5.2.1 Configuring the Permissions of the Web Server Application
    • 5.2.2 Configuring Secure Web Content Directory
    • 5.2.3 Uniform Resource Identifiers and Cookies
    • 5.2.4 Controlling Impact of Web “Bots” on Web Servers
    • 5.3 Checklist for Securing the Web Server
  • 6. Securing Web Content
    • 6.1 Publishing Information on Public Web Sites
    • 6.2 Observing Regulations About the Collection of Personal Information
    • 6.3 Mitigating Indirect Attacks on Content
    • 6.3.1 Phishing
    • 6.3.2 Pharming
    • 6.4 Securing Active Content and Content Generation Technologies
    • 6.4.1 Client-Side Active Content Technologies and Related Vulnerabilities
    • 6.4.2 Server-Side Content Generation Technologies and Related Vulnerabilities
    • 6.4.3 Server-Side Content Generator Security Considerations
    • 6.4.4 Location of Server-Side Content Generators
    • 6.4.5 Cross-Site Scripting Vulnerabilities
    • 6.5 Checklist for Securing Web Content
  • 7. Using Authentication and Encryption Technologies
    • 7.1 Determining Authentication and Encryption Requirements
    • 7.2 Address-Based Authentication
    • 7.3 Basic Authentication
    • 7.4 Digest Authentication
    • 7.5 SSL/TLS
    • 7.5.1 SSL/TLS Capabilities
    • 7.5.2 Weaknesses of SSL/TLS
    • 7.5.3 Example SSL/TLS Session
    • 7.5.4 SSL/TLS Encryption Schemes
    • 7.5.5 Implementing SSL/TLS
    • 7.5.6 SSL/TLS Implementations
    • 7.6 Brute Force Attacks
    • 7.7 Checklist for Using Authentication and Encryption Technologies for Web Servers
  • 8. Implementing a Secure Network Infrastructure
    • 8.1 Network Composition and Structure
    • 8.1.1 Inadvisable Network Layout
    • 8.1.2 Demilitarized Zone
    • 8.1.3 Outsourced Hosting
    • 8.1.4 Management Network
    • 8.2 Network Element Configuration
    • 8.2.1 Router/Firewall Configuration
    • 8.2.2 Intrusion Detection and Prevention Systems
    • 8.2.3 Network Switches
    • 8.2.4 Load Balancers
    • 8.2.5 Reverse Proxies
    • 8.3 Checklist for Implementing a Secure Network Infrastructure
  • 9. Administering the Web Server
    • 9.1 Logging
    • 9.1.1 Identifying the Logging Capabilities of a Web Server;
    • 9.1.2 Identifying Additional Logging Requirements
    • 9.1.3 Recommended Generic Logging Configuration
    • 9.1.4 Reviewing and Retaining Log Files
    • 9.1.5 Automated Log File Analysis Tools
    • 9.2 Web Server Backup Procedures
    • 9.2.1 Web Server Backup Policies and Strategies
    • 9.2.2 Maintain a Test Web Server
    • 9.2.3 Maintain an Authoritative Copy of Organizational Web Content
    • 9.3 Recovering From a Security Compromise
    • 9.4 Security Testing Web Servers
    • 9.4.1 Vulnerability Scanning
    • 9.4.2 Penetration Testing
    • 9.5 Remotely Administering a Web Server
    • 9.6 Checklist for Administering the Web Server
  • Appendices
    • Appendix A— Online Web Server Security Resources
    • Appendix B— Glossary
    • Appendix C— Web Security Tools and Applications
    • Appendix D— References
    • Appendix E— Web Server Security Checklist
    • Appendix F— Acronym List

Altri articoli sul NIST in questo sito

AG-Vocabolario: