NIST 800-44 Version 2 Guidelines on Securing Public Web Servers
GUIDELINES ON SECURING PUBLIC WEB SERVERS

Consider performing automatic updates from the authoritative copy to the Web server periodically (e.g., every 15 minutes, hourly, or daily), because this will overwrite a Web site defacement automatically.
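The periodic re-application of the authoritative copy described above, as an added example (shell script written for this page, not code from NIST SP 800-44). It mirrors the master copy over the live web root with delete semantics, but first sets aside every file that was added or altered, so that the defacement is removed without destroying the evidence the incident response team will want. The directory layout, the constructed sample site and the simulated defacement are assumptions for the demo; in production the authoritative copy would live on a separate hardened host and the restore would run from cron.

```shell
#!/bin/sh
# Added example, not code from NIST SP 800-44: re-apply an authoritative,
# read-only copy of the site to the live web root so that a defacement is
# overwritten, but first set aside every altered or added file so the
# incident response team still has the evidence. All paths are assumptions
# for the demo.
set -eu

# quarantine_changes AUTH WEB QDIR
# Copies each file under WEB that is missing from AUTH or differs from it
# into QDIR under the same relative path, preserving timestamps (cp -p).
quarantine_changes() {
    auth=$1; web=$2; qdir=$3
    (cd "$web" && find . -type f) | while IFS= read -r f; do
        if [ ! -f "$auth/$f" ] || ! cmp -s "$auth/$f" "$web/$f"; then
            mkdir -p "$qdir/$(dirname "$f")"
            cp -p "$web/$f" "$qdir/$f"
        fi
    done
}

# restore_webroot AUTH WEB
# Mirror with delete: remove files present only in WEB, recreate the
# directory tree, then copy every file from AUTH over WEB.
restore_webroot() {
    auth=$1; web=$2
    (cd "$web" && find . -type f) | while IFS= read -r f; do
        [ -f "$auth/$f" ] || rm -f "$web/$f"
    done
    (cd "$auth" && find . -type d) | while IFS= read -r d; do
        mkdir -p "$web/$d"
    done
    (cd "$auth" && find . -type f) | while IFS= read -r f; do
        cp -p "$auth/$f" "$web/$f"
    done
}

# webroot_matches AUTH WEB -> exit status 0 if the two trees are identical
webroot_matches() {
    diff -r "$1" "$2" >/dev/null 2>&1
}

# demo_defacement: constructed sample site, simulated defacement, then
# quarantine and restore. Returns 0 only if the altered page and the
# dropped file were preserved in quarantine and the web root matches AUTH.
demo_defacement() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/auth/img" "$tmp/web" "$tmp/quarantine"
    printf '<h1>Welcome</h1>\n' > "$tmp/auth/index.html"
    printf 'logo-bytes\n' > "$tmp/auth/img/logo.png"
    cp -R "$tmp/auth/." "$tmp/web/"
    # simulated defacement (constructed): index replaced, web shell dropped
    printf 'DEFACED\n' > "$tmp/web/index.html"
    printf '<?php system($_GET["c"]); ?>\n' > "$tmp/web/shell.php"

    rc=0
    webroot_matches "$tmp/auth" "$tmp/web" && rc=1        # must differ before
    quarantine_changes "$tmp/auth" "$tmp/web" "$tmp/quarantine"
    restore_webroot "$tmp/auth" "$tmp/web"
    webroot_matches "$tmp/auth" "$tmp/web" || rc=1        # must match after
    grep -q DEFACED "$tmp/quarantine/index.html" || rc=1  # evidence kept
    [ -f "$tmp/quarantine/shell.php" ] || rc=1            # dropper kept
    [ -f "$tmp/web/shell.php" ] && rc=1                   # dropper removed
    rm -rf "$tmp"
    return $rc
}
```

The quarantine step is the part worth keeping even if the mirror is done with a tool such as rsync: an automatic overwrite that runs every 15 minutes will erase the attacker's modified files long before anyone looks at them, so the copy set aside (with its original timestamps) is often the only record of what was changed.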
9.3 Recovering From a Security Compromise

Most organizations eventually face a successful compromise of one or more hosts on their network. The first step in recovering from a compromise is to create and document the required policies and procedures for responding to successful intrusions before an intrusion occurs.[77] The response procedures should outline the actions that are required to respond to a successful compromise of the Web server and the appropriate sequence of these actions (sequence can be critical). Most organizations already have a dedicated incident response team in place, which should be contacted immediately when there is suspicion or confirmation of a compromise. In addition, the organization may wish to ensure that some of its staff are knowledgeable in the fields of computer and network forensics.[78]
A Web server administrator should follow the organization's policies and procedures for incident handling, and the incident response team should be contacted for guidance before the organization takes any action after a suspected or confirmed security compromise. Examples of steps commonly performed after discovering a successful compromise are as follows:

• Report the incident to the organization's computer incident response capability.
• Isolate the compromised systems or take other steps to contain the attack so that additional information can be collected.[79]
• Consult expeditiously, as appropriate, with management, legal counsel, and law enforcement.
• Investigate similar[80] hosts to determine if the attacker also has compromised other systems.
• Analyze the intrusion, including:
  • The current state of the server, starting with the most ephemeral data (e.g., current network connections, memory dump, file timestamps, logged-in users)
  • Modifications made to the system's software and configuration
  • Modifications made to the data
  • Tools or data left behind by the attacker
  • System, intrusion detection, and firewall log files.
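The "most ephemeral data first" step above, as an added example (shell script written for this page, not code from NIST SP 800-44). It captures network connections, process state, logged-in users and recently modified files in that order, records a checksum of each output file in a manifest, and can later verify that nothing collected has been altered. The command names, the /var/www path and the output layout are assumptions; commands that are not installed on the host are recorded as skipped rather than aborting the run, and a full memory image needs a dedicated tool that this script does not attempt to replace.

```shell
#!/bin/sh
# Added example, not code from NIST SP 800-44: collect the volatile state of
# a suspected-compromised host in order of volatility (network connections
# and process data first, logged-in users, then file system timestamps)
# before it is isolated or rebooted, and record a checksum manifest so the
# captured output can later be shown to be unaltered. Command names, the
# /var/www path and the output layout are assumptions.
set -u

# capture OUTDIR NAME CMD [ARGS...]
# Runs one command, saves stdout+stderr to OUTDIR/NAME.txt and appends a
# cksum line for that file to OUTDIR/MANIFEST. A command that is not
# installed is noted as skipped rather than aborting the collection.
capture() {
    outdir=$1; name=$2; shift 2
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$outdir/$name.txt" 2>&1 || true
    else
        printf 'SKIPPED: %s not found\n' "$1" > "$outdir/$name.txt"
    fi
    ( cd "$outdir" && cksum "$name.txt" ) >> "$outdir/MANIFEST"
}

# collect_volatile OUTDIR
# Most ephemeral data first. Prints the number of artifacts recorded.
collect_volatile() {
    outdir=$1
    mkdir -p "$outdir"
    : > "$outdir/MANIFEST"
    capture "$outdir" 00-date         date -u
    capture "$outdir" 01-uptime       uptime
    capture "$outdir" 10-sockets      ss -tanp      # netstat -anp on older hosts
    capture "$outdir" 11-neighbours   ip neigh
    capture "$outdir" 20-processes    ps -ef
    capture "$outdir" 21-open-files   lsof -n -P
    capture "$outdir" 30-logged-in    who
    capture "$outdir" 31-logins       last -n 50
    # files under the web root modified in the last 24 hours (assumed path)
    capture "$outdir" 40-recent-mtime find /var/www -type f -mmin -1440
    wc -l < "$outdir/MANIFEST" | tr -d ' '
}

# verify_manifest OUTDIR -> 0 if every captured file still matches its
# recorded checksum, 1 if any file was altered or is missing.
verify_manifest() {
    ( cd "$1" && while IFS= read -r line; do
        f=${line##* }
        [ "$(cksum "$f" 2>/dev/null)" = "$line" ] || exit 1
    done < MANIFEST )
}
```

Two practitioner notes. First, run this before the host is disconnected or rebooted: the sockets, neighbour table and process list are exactly what footnote 79 warns can vanish on isolation. Second, the binaries on a compromised host may themselves have been replaced (the "modifications made to the system's software" item above), so the commands should be invoked from a known-good toolkit on read-only media rather than from the host's own PATH.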
[77] For more information on this area, see NIST SP 800-61, Computer Security Incident Handling Guide, and NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems (http://csrc.nist.gov/publications/nistpubs/).
[78] More information on computer and network forensics is available from NIST SP 800-86, Guide to Integrating Forensic Techniques Into Incident Response (http://csrc.nist.gov/publications/nistpubs/).
[79] Isolating the system must be accomplished with great care if the organization wishes to collect evidence. Many attackers configure compromised systems to erase evidence if a compromised system is disconnected from the network or rebooted. One method to isolate a system would be to reconfigure the nearest upstream switch or router.
[80] Similar hosts would include hosts that are in the same IP address range, have the same or similar passwords, share a trust relationship, and/or have the same OS and/or applications.
9-9