Chapter 1: Managing Users - Hacking the Code: ASP.NET Web Application Security [Electronic resources] (text version)
James C. Foster, Mark M. Burnett
Chapter 1: Managing Users


Introduction


Users are generally a large component of Web applications and a focus point for a Web application’s security. In fact, much of a Web application’s security is intended to protect users and their private information.

Every Web application has different levels of risk and sensitivity. You must assess this risk in your organization to determine how much emphasis you put on user security. How you build your Web application will greatly affect how your users participate in security. Your users may or may not take security as seriously as you want them to, but as a security professional, it is your job to ensure that the data is properly protected.

Consider a magazine’s online article archive that is available to authenticated subscribers. The owners want to protect their copyrighted content, so they require users to authenticate to gain access to certain articles. However, readers will not store personal information on the site, and they might not be careful with security, perhaps even sharing their login information with friends to allow them to gain access to protected articles.

Perhaps more often, users are more concerned about security than the Web site operators are. Too many companies do not put a great emphasis on security until it is too late. In March 2001, the Federal Bureau of Investigation (FBI) National Infrastructure Protection Center (NIPC) issued an advisory that hackers were targeting e-commerce and e-banking Web sites, stealing credit card information, and attempting to extort money from the site owners. The hackers exploited well-known Windows vulnerabilities, all of which would have been moot had the site operators kept up to date with security patches. The NIPC advisory stated that hackers had stolen more than a million credit card numbers from 40 companies. Obviously, these companies handled sensitive user information recklessly by not taking security seriously, and their lack of diligence put private user information at risk.

Whether the weakness lies with Web site operators or users, a Web site’s security begins with the basic fundamentals of managing users.


Understanding the Threats


The primary threats covered in this chapter are:

Brute-force attacks: These attacks involve discovering user credentials by trying every possible character combination. Brute-force attacks can be optimized by first trying dictionary words, common passwords, or predictable character combinations.

Account hijacking: This threat involves taking over the account of a legitimate user, sometimes denying the rightful user access to his or her account.

Social engineering: This is the process of using soft skills (rather than software or hardware techniques) to obtain sensitive information (e.g., passwords) that can be used to compromise a system.

Spamming: We’re all familiar with this one—it involves sending large quantities of unwanted e-mail to a user or Web site, thus jamming Internet lines and sometimes causing servers to crash.
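The brute-force and account-hijacking entries above pull in opposite directions: a login handler has to slow down credential guessing, but a hard lockout after N failures hands an attacker a way to deny the rightful user access. The following is an added example, not code from the book or its authors, of a sliding-window throttle that an ASP.NET login handler could consult before verifying a password. The class name `LoginThrottle`, its parameters, and the attempt stream in `Main` are all hypothetical and constructed for the demonstration.

```csharp
// Added example (not from the book): a minimal sliding-window failed-login
// throttle. Failures decay on their own after the window, so a guessing run
// slows the attacker down without permanently locking the real user out.
using System;
using System.Collections.Generic;

public sealed class LoginThrottle
{
    private readonly int _maxFailures;      // free failures before delays start
    private readonly TimeSpan _window;      // how long a failure counts
    private readonly TimeSpan _delayStep;   // extra delay per failure past the limit
    // Per account (case-insensitive): timestamps of recent failed attempts.
    private readonly Dictionary<string, List<DateTime>> _failures =
        new Dictionary<string, List<DateTime>>(StringComparer.OrdinalIgnoreCase);

    public LoginThrottle(int maxFailures, TimeSpan window, TimeSpan delayStep)
    {
        _maxFailures = maxFailures;
        _window = window;
        _delayStep = delayStep;
    }

    // Drop failures older than the window, then return the live list.
    private List<DateTime> RecentFailures(string user, DateTime now)
    {
        if (!_failures.TryGetValue(user, out var list))
        {
            list = new List<DateTime>();
            _failures[user] = list;
        }
        list.RemoveAll(t => now - t > _window);
        return list;
    }

    // How long the caller should make this attempt wait before answering.
    // Zero for normal traffic; grows linearly once the threshold is exceeded.
    public TimeSpan DelayFor(string user, DateTime now)
    {
        int excess = RecentFailures(user, now).Count - _maxFailures;
        return excess <= 0
            ? TimeSpan.Zero
            : TimeSpan.FromTicks(_delayStep.Ticks * excess);
    }

    public void RecordFailure(string user, DateTime now) =>
        RecentFailures(user, now).Add(now);

    // A successful login clears the account's history.
    public void RecordSuccess(string user) => _failures.Remove(user);
}

public static class Demo
{
    public static void Main()
    {
        var throttle = new LoginThrottle(
            maxFailures: 5,
            window: TimeSpan.FromMinutes(15),
            delayStep: TimeSpan.FromSeconds(2));
        var start = new DateTime(2004, 1, 1, 9, 0, 0, DateTimeKind.Utc);

        // Constructed attempt stream: eight wrong passwords for "alice",
        // one second apart. Attempts 1-6 see no delay; 7 and 8 see 2s and 4s.
        for (int i = 0; i < 8; i++)
        {
            var now = start.AddSeconds(i);
            var delay = throttle.DelayFor("alice", now);
            Console.WriteLine($"attempt {i + 1} for alice: delay {delay.TotalSeconds}s");
            throttle.RecordFailure("alice", now);
        }

        // Another account is unaffected by alice's failures.
        Console.WriteLine($"bob: delay {throttle.DelayFor("bob", start.AddSeconds(8)).TotalSeconds}s");

        // Sixteen minutes later the window has emptied and alice is not delayed.
        Console.WriteLine($"alice after 16 min: delay {throttle.DelayFor("alice", start.AddMinutes(16)).TotalSeconds}s");
    }
}
```

The throttle is keyed on the account name so that a dictionary run against one user does not slow everyone down; in practice a handler would also key on the source address, since a guessing run can spread a few attempts across many accounts. The delay should be applied before the password check and regardless of whether the account exists, so timing does not reveal which usernames are valid.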