Developing a security policy

Ever since the provision of internet connections became a must-have for the vast majority of businesses, the threat from malicious hackers and viruses has been growing exponentially.

However, despite the almost daily barrage of news detailing the latest devastating virus or Microsoft security vulnerability, analyst IDC recently reported that fewer than 10 per cent of European companies have a security policy in place.

This failure to implement effective security policies is leaving the majority of companies open to what experts describe as "surprisingly common" flaws. Although the task of developing a security risk assessment strategy and, from this, a viable and effective security policy, may seem daunting. But it's not something that can be swept under the carpet.

The first place to start is with a detailed network audit which should identify the points at which outsiders can access your systems.

At its most basic level, for a small company this may be just securing internet connected computers with regularly updated software firewalls like ZoneAlarm from www.zonelabs.com.

In addition it's vital to make sure that virus checkers are installed and kept updated.

Similarly vital is the process of ensuring that manufacturers' security alerts pertaining to any equipment you have are monitored and the appropriate patches implemented promptly.

According to security watchdog the Computer Emergency Response Team, a good security policy should specify how much responsibility and authority users and system administrators should have to take specific actions to protect their computers against viruses and similar threats.

In the plan, describe how users should apply the available antivirus tools for workstations, and describe any limitations on the authority of users to download and install new software.

Such apparently common sense measures represent the absolute minimum level of security awareness.

According to the Open Web Application Security Project (OWASP), which has published a list of the most dangerous internet application security problems, the greatest threat comes from ignoring exploits that are well understood and well documented.

Many of the problems on OWASP's list can be executed by inexperienced 'script kiddies' using automated cracking tools.

This US-based open source project was surprised to find that, despite repeated warnings, firms are not deploying security policies that target well-known threats.

"The security issues raised here are not new. In fact, some have been well understood for decades," it said.

"Yet for some reason, major software development projects are still making these mistakes and jeopardising not only their customers' security, but the security of the entire internet."

The list, which we reproduce below, provides a good starting point for companies developing a security policy.

Future articles in this special series will see vnunet.com examine these "surprisingly common" vulnerabilities in greater detail and offer help and advice on how the respective threats many be overcome.

Invalidated Parameters
Information from web requests is not validated before being used by a web application. Attackers can use these flaws to attack backside components through a web application.

Broken Access Control
Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users' accounts, view sensitive files, or use unauthorised functions.

Broken Account and Session Management
Account credentials and session tokens are not properly protected. Attackers who can compromise passwords, keys, session cookies or other tokens, can defeat authentication restrictions and assume other users' identities.

Cross-Site Scripting Flaws
The web application can be used as a mechanism to transport an attack to an end user's browser. A successful attack can disclose the end user's session token, attack the local machine, or spoof content to fool the user.

Buffer Overflows
Web application components in some languages that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and web application server components.

Command Injection Flaws
Web applications pass parameters when they access external systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the web application.

Error Handling Problems
Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur that the web application does not handle, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.

Insecure Use of Cryptography
Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them have proved difficult to code properly, frequently resulting in weak protection.

Remote Administration Flaws
Many web applications allow administrators to access the site using a web interface. If these administrative functions are not very carefully protected, an attacker can gain full access to all aspects of a site.

Web and Application Server Misconfiguration
Having a strong server configuration standard is critical to a secure web application. These servers have many configuration options that affect security and are not secure out of the box.