ITIL 2.7.6.5 External Penetration Plan

Abstract:
Every day, criminals in all parts of the world probe the application, in effect running real penetration tests, to see if they can discover a vulnerability; our role is to understand what they are doing and always be one step ahead.
Because preparing a test, monitoring it, analysing the results and changing proven designs are all very costly, the obsession with penetration testing exceeds all reasonable boundaries. The cost of the external consultants is trivial by comparison with the internal staff costs.

Jez: July 12, 2011:
The external test must be performed against the infrastructure and web application stack. This activity must test all components of the system that are externally accessible / exposed and mimic the journey that an external hacker could perform.

Security Surface:
The web application stack and its security surface have been simplified to a single URL name that serves every web page facility. The URL query string has been simplified to make it hard for the hacker and easy to detect hacking behaviour.

Blacklist:
An IP blacklist and whitelist are also employed to keep hackers away and to help authorized users sign in. To prevent password-guessing utilities from being used, the user profile is blacklisted without any error message when hacking is detected.
As a policy, the only error response is to show the home page and blacklist the user profile.

Authentication:
Sign in Handle should not be the same as a person's name on a business card.
Email should be a private email address and not the one on a business card.
Pass Phrase must be valid within three attempts, else the user profile is blacklisted.
Mode: each user is told what mode to select.
Time of Day must be within the assigned business working hours.
Day of Week must be within the assigned business working days.
Geo-Location: the IP address must be registered to the user's approved country.
IP Address may be from an assigned IP address or IP address range.
ISP Name may be from an assigned ISP name.
OS may be from an assigned computer operating system such as MAC-OSX or WXP.
Browser may be from an assigned browser such as Safari or IE7.
Cookies can be written to a trusted computer so it can be identified when working from a different country.

Preparation:
Before an external penetration test can take place, a lot of normal use should be undertaken and the web page source code analysed, specifically the menu navigation mechanism. The criminal is not only looking at how to navigate between normal public pages, but at how they may attempt to navigate to other web pages that they would not normally be able to view.
The cost to the criminal of trying to access invalid web pages is made so high that it exceeds the rewards.

Visitor:
The sign in handle and email address are used as a pair of fields. The visitor is given four attempts to get this pair of fields right before their IP address is blacklisted.
Where the sign in handle and email data are correct and the pass phrase is invalid, three attempts are permitted before the user profile is blacklisted. It is critical to prevent continual hacking attempts by brute force utilities that can make 200,000 guesses using all the words from a dictionary in a few hours.
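The two attempt counters described above, as an added example that is not part of the original plan: wrong handle/email pairs count against the visitor's IP (four allowed), a wrong pass phrase against the profile (three allowed), and every failure returns only the home page. The user store, IP addresses and credentials are constructed sample data.

```python
import hmac
from collections import defaultdict

# Constructed sample store: handle -> (email, pass phrase). A real store
# would hold a salted hash of the pass phrase, not the phrase itself.
USERS = {"mary lamb-smith": ("mary_lamb@example.org", "Mary had_a l1ttle-lamb.")}

PAIR_ATTEMPTS = 4   # wrong handle/email pairs allowed per IP before the IP is blacklisted
PASS_ATTEMPTS = 3   # wrong pass phrases allowed before the user profile is blacklisted
HOME_PAGE = "home"  # the only response ever returned on failure; no error message


class SignInGate:
    def __init__(self):
        self.pair_failures = defaultdict(int)   # ip -> failed pair count
        self.pass_failures = defaultdict(int)   # handle -> failed pass phrase count
        self.blacklisted_ips = set()
        self.blacklisted_profiles = set()

    def sign_in(self, ip, handle, email, passphrase):
        """Return "session" on success, otherwise HOME_PAGE; never says which field failed."""
        handle = handle.strip().lower()   # handle and email are not case sensitive
        email = email.strip().lower()
        if ip in self.blacklisted_ips or handle in self.blacklisted_profiles:
            return HOME_PAGE
        record = USERS.get(handle)
        if record is None or record[0] != email:
            # Handle/email pair wrong: counted against the IP, not the profile
            self.pair_failures[ip] += 1
            if self.pair_failures[ip] >= PAIR_ATTEMPTS:
                self.blacklisted_ips.add(ip)
            return HOME_PAGE
        if not hmac.compare_digest(record[1].encode(), passphrase.encode()):
            # Pair correct, pass phrase wrong: counted against the profile
            self.pass_failures[handle] += 1
            if self.pass_failures[handle] >= PASS_ATTEMPTS:
                self.blacklisted_profiles.add(handle)
            return HOME_PAGE
        self.pair_failures.pop(ip, None)      # success clears both counters
        self.pass_failures.pop(handle, None)
        return "session"
```

A blacklisted profile keeps receiving the home page even when the correct credentials are later supplied, which is the silent behaviour the policy calls for.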

Sign In Page:
The most attacked web page is the sign in page, with three fields that an attacker may test to see if it is vulnerable. The criminal needs to be able to gather or guess three pieces of information.
The criminal may start with a business card, telephone number list, brochure showing a contact name and email address, and newsletters that may disclose valuable name and email information. The criminal will extract information from social media sites regarding a person's favourite football team, the names of children, pets and other places that may imply a possible password.
By carefully collating personal information for more than 30 years, we now have valuable name and address information on more than 20 million people. Recruitment agencies that collect CVs from a large number of people over many years can end up with a wealth of personal information, including date of birth, health, driving licence, hobbies, sports, family and children. Social networking provides a wealth of personal information, and this will imply possible passwords that are assigned by the user.

Data Entry:
Sign In handle should not be the same as a person's name on their business card. The name must be between 12 and 64 alphabetic (not case sensitive) characters, spaces or hyphens; no other symbols are permitted.
Email address should be a private email address that is not the same as the one on a person's business card or other publication. The email must be between 12 and 64 alphanumeric (not case sensitive) characters with one "at" symbol, underscores, hyphens and periods.
Pass Phrase must be between 12 and 64 alphanumeric upper and lower case characters with a small number of symbols. "Mary had_a l1ttle-lamb." is a typical memorable phrase that may be assigned to a user named Mary.
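Server-side validators for the three Data Entry rules above, added here as an example rather than taken from the plan. The rules for handle and email follow the text exactly; the permitted pass phrase symbol set and the limit of four symbols (spaces not counted) are assumptions made to give "a small number of symbols" a testable meaning.

```python
import re

# Handle: 12-64 letters, spaces or hyphens, case does not matter.
HANDLE_RE = re.compile(r"[A-Za-z -]{12,64}")
# Email: 12-64 alphanumerics plus underscore, hyphen, period and "@"
# (the single-"@" rule is checked separately below).
EMAIL_RE = re.compile(r"[A-Za-z0-9_.@-]{12,64}")
# Assumed symbol set and limit for pass phrases; the plan only says "a small number".
PASS_SYMBOLS = set("_-.,!? ")
MAX_PASS_SYMBOLS = 4


def valid_handle(handle: str) -> bool:
    """True when the handle is 12-64 alphabetic characters, spaces or hyphens only."""
    return HANDLE_RE.fullmatch(handle) is not None


def valid_email(email: str) -> bool:
    """True for 12-64 permitted characters containing exactly one 'at' symbol."""
    return EMAIL_RE.fullmatch(email) is not None and email.count("@") == 1


def valid_passphrase(phrase: str) -> bool:
    """12-64 characters, mixed case, only PASS_SYMBOLS outside the alphanumerics,
    and at most MAX_PASS_SYMBOLS of them (spaces are not counted)."""
    if not 12 <= len(phrase) <= 64:
        return False
    if not any(c.islower() for c in phrase) or not any(c.isupper() for c in phrase):
        return False
    symbols = [c for c in phrase if not c.isalnum()]
    if any(c not in PASS_SYMBOLS for c in symbols):
        return False
    return sum(1 for c in symbols if c != " ") <= MAX_PASS_SYMBOLS
```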

Trusted Computers:
When certain authorized users sign in from their computer, it becomes a trusted computer. A set of data cookies is written to the trusted computer so it can be identified at a later date.
When a visitor with an IP address in the UK, France or Greece links to the sign in page, they are shown the real sign-in page. Where the IP address is not registered in the UK, France or Greece, the visitor's cookies are read and, if the computer is trusted, the real sign-in page is shown.
All search engines and other visitors are shown a dummy sign in page that looks similar, but no matter what is entered, the only reply is to show the home page. Criminal hackers in most countries can enter anything they like in the dummy sign in page and they will be shown the home page.
A small number of trusted computers will be shown the real sign in page using an IP address registered in any country.
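The page-selection rule from the Trusted Computers section and the cookie factor in the Authentication list, as an added example that is not the plan's own code. It assumes the geo-IP lookup has already produced an ISO country code, and it signs the trust cookie with an HMAC so a copied or hand-made cookie value is rejected; the secret key and device id are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

REAL_SIGN_IN_COUNTRIES = {"GB", "FR", "GR"}   # UK, France, Greece per the policy
COOKIE_KEY = secrets.token_bytes(32)           # server-side secret; constructed here


def issue_trust_cookie(device_id: str) -> str:
    """Value written to a trusted computer: device id plus an HMAC tag over it."""
    tag = hmac.new(COOKIE_KEY, device_id.encode(), hashlib.sha256).hexdigest()
    return f"{device_id}.{tag}"


def cookie_is_trusted(cookie: Optional[str], revoked=frozenset()) -> bool:
    """True only if the tag verifies and the device has not been revoked."""
    if not cookie or "." not in cookie:
        return False
    device_id, tag = cookie.rsplit(".", 1)
    expected = hmac.new(COOKIE_KEY, device_id.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected) and device_id not in revoked


def choose_sign_in_page(country: str, cookie: Optional[str], revoked=frozenset()) -> str:
    """'real' for the listed countries or a trusted computer; 'dummy' for everyone else."""
    if country in REAL_SIGN_IN_COUNTRIES:
        return "real"
    if cookie_is_trusted(cookie, revoked):
        return "real"
    return "dummy"
```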