Need help with security / hacker proof.

v6maro

I'm developing a website that needs VERY high security. It is protecting bank account/aba #'s, ssn #'s, you name it. It's all high risk info. What I need to know is, what are some of the best practices for users logging on for the first time, and each consecutive time, and how to prevent hack attacks.
 
Maybe they need someone a bit more qualified. I guess you can get started by using encryption/SSL for data exchanges.
 
Maybe they need someone a bit more qualified. I guess you can get started by using encryption/SSL for data exchanges.

I would agree. If you don't already know this sort of stuff then this is not the place to be learning it. If you do continue, make sure to use SSL3.0 and stick with the higher-bit (128 at the very least) encryption algorithms. I would recommend RSA since it has a consistent and proven record of being resistant to attacks. And please at least hire someone reputable in the area to assist you.
 
And all user input fields should be carefully inspected and restricted to very specific values.

Use taint mode for Perl scripts, etc.
 
Segment database permissions - don't let the account that the web-app uses to access the DB have read access to the tables of interest.
 
Thanks for the input guys. Listen, I know quite a bit about security, I was just hoping someone here knows more and can offer me some resources.

We are using a separate IIS/MSSQL server and the SQL user will only have select and insert ability. Also, each user field is checked with regexps in JavaScript, then in PHP again. We also have a 128-bit cert for the SSL layer.
We will be logging everything, and have a group watching the logs for attacks.
We are protecting for sql injection attacks, along with a few other things.

I will look into rsa, if it's that good, we will use it.

I was just hoping more or less for a best practices outline maybe.

Thanks
 
A group of what? People? Why not have a machine do at least a part of it? They might not be as creative, but they're more reliable and far cheaper.

Why are you checking user input with regular expressions? That seems computationally intensive. You've got much less risk of SQL injection if you bind your inputs; then, you don't need to fool around with regexes and can put the data domain validation on the server.

Are your IIS and SQL Servers on a domain? IPSEC between them? Encrypted endpoints?

What's your backup strategy? How is that encrypted and physically secured?

How is the server physically secured?

Are you using SQL Server row level security? Are you planning to use SQL Server encryption?

You don't mention anything about the app-side security. What are you doing there?

How will you interview and screen DBAs and system administrators?

Who is doing your hosting?

Why are you using PHP on Windows?

What's your plan to balance uptime with security patches?

What's your strategy for index defragmentation and statistics generation?
 
I agree that the architecture you're asking for should be left up to someone with the proper experience. If the "group" watching cannot tell you how to secure your app then I would imagine they shouldn't be watching it. What happens if someone DOES exploit your system? Are they going to be able to tell you how they did it? Are they going to be able to tell you how to fix it?

Here is something to read. It is the payment card industry data storage standards. https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

To answer at least part of your answer, personally I would not build an app that requires high security without at least a three tier model. - http://en.wikipedia.org/wiki/Three-tier_(computing)#Web_Development_usage Creating different connections with different accounts and then restricting said accounts will help with your security greatly.
 
A group of what? People? Why not have a machine do at least a part of it? They might not be as creative, but they're more reliable and far cheaper.

Why are you checking user input with regular expressions? That seems computationally intensive. You've got much less risk of SQL injection if you bind your inputs; then, you don't need to fool around with regexes and can put the data domain validation on the server.

Are your IIS and SQL Servers on a domain? IPSEC between them? Encrypted endpoints?

What's your backup strategy? How is that encrypted and physically secured?

How is the server physically secured?

Are you using SQL Server row level security? Are you planning to use SQL Server encryption?

You don't mention anything about the app-side security. What are you doing there?

How will you interview and screen DBAs and system administrators?

Who is doing your hosting?

Why are you using PHP on Windows?

What's your plan to balance uptime with security patches?

What's your strategy for index defragmentation and statistics generation?


That's assuming he's using mssql server and not mysql :)
 
To answer at least part of your answer, personally I would not build an app that requires high security without at least a three tier model. - http://en.wikipedia.org/wiki/Three-tier_(computing)#Web_Development_usage

I know it's not really so much of a Microsoft technology, but the SDN architecture is probably a bit more elegant than using the three-tier model, and can provide stronger security (if set up correctly):
http://nl.sun.com/companyinfo/nieuws/evenementen/2006/pdf/SunTT-SDN-concepts.pdf
 
A group of what? People? Why not have a machine do at least a part of it? They might not be as creative, but they're more reliable and far cheaper.

Yes, people. Machines will do a lot of it, we just need someone to monitor some of it once in a while.

We are a small company, 23 people. Hiring someone new is not going to happen (not my choice). Myself and one other programmer were tasked with this, and I have to try my best. I warned my boss of all the possibilities, he seems to think we can do this...so...I have no choice.

Why are you checking user input with regular expressions? That seems computationally intensive. You've got much less risk of SQL injection if you bind your inputs; then, you don't need to fool around with regexes and can put the data domain validation on the server.

This website isn't going to be used a lot. Actually quite infrequent. Using regex is the least of my worries. Explain binding inputs? I think I know what you mean, but you may be saying some term I refer to as something else.

Are your IIS and SQL Servers on a domain? IPSEC between them? Encrypted endpoints?
Yes, on a separate domain. IPSEC, not sure, I will have to ask the IT guy. Enc endpoints, again, I need to ask.

What's your backup strategy? How is that encrypted and physically secured?
That is already dealt with on our current system, I'm sure they will deal with it the same.

How is the server physically secured?
They are all locked up in a secure server room. Credit card key access and physical number code must be entered to gain access. Also, 24x7 employees in the room.

Are you using SQL Server row level security? Are you planning to use SQL Server encryption?
I will ask the current DBA about the row level security & encryption.

You don't mention anything about the app-side security. What are you doing there?
As far as IIS / PHP or Windows itself?

How will you interview and screen DBAs and system administrators?
Don't need to, we aren't hiring anyone.

Who is doing your hosting?
We do.

Why are you using PHP on Windows?
Why not?

What's your plan to balance uptime with security patches?
We have 24x7 computer operators who take care of this. Again, this system is low-use.

What's your strategy for index defragmentation and statistics generation?
That's up to the DBA, I have no clue.
 
That's assuming he's using mssql server and not mysql :)

What he said in Post #6 made me think he was using Microsoft SQL Server. Was I wrong to assume SQL Server when he said "We are using a separate iis/mssql server"?
 
I warned my boss of all the possibilities, he seems to think we can do this...so...I have no choice.
Of course you have a choice. You're not a victim. Every day when you wake up, you control your own destiny. Unless, of course, you've already given up.

This website isn't going to be used a lot. Actually quite in-frequent. Using regex is the least of my worries. Explain binding inputs? I think I know what you mean, but you may be saying some term I refer to as something else.
You've asked for advice about security, but you haven't told us what you have done or didn't do. (You didn't even tell us what tools and platform you were using until your third post into the thread.) I'm asking lots of questions about security to see what you have or have not done. Funny thing is, you're not answering those questions after thoughtfully considering security. You're offering reasons not to investigate rather than explanations of everything you've thought through, which, if I were your boss, I'd find very disappointing.

Your site will be lots less vulnerable when you drop the victim attitude; and it'll be less vulnerable still when you get your security attitude on.

Using regexes is a mediocre idea for data integrity and is not great for performance. But it's stupid for security. An error in your regex, or in your regex handling code, causes a security hole. If you bind your inputs, then you've got nearly no surface area for SQL injection because it's impossible to inject SQL since you're not concatenating any command strings together based on user input. If you really understand SQL injection, then you know this is what causes the problem in the first place. Why not eliminate the root cause?

To read more about binding parameters for Microsoft SQL Server queries in PHP, see the mssql_bind documentation. If you have further questions, let me know and I'll be happy to help.

Yes, on a separate domain. IPSEC, not sure, I will have to ask the IT guy. Enc endpoints, again, I need to ask.
Again, you don't need to ask -- you need to figure out if they're necessary for your network topology and demand that they're provided to you, or document why they're not necessary.

That is already dealt with on our current system, I'm sure they will deal with it the same.
Do you know the policy and procedures for the old system? Are you satisfied with them? Does your planned system have the same exposure as the current system? What's the offsite backup procedure? How is the data protected, particularly in transit?

They are all locked up in a secure server room. Credit card key access and physical number code must be entered to gain access. Also, 24x7 employees in the room.
With employees in there 24x7, they'll have every opportunity to copy data off the machines and take it home, or move it to a less secure machine so that it's vulnerable. Have you audited access to the room? How often? How often must passcodes be changed? How long are they, over how many digits?

I will ask the current DBA about the row level security & encryption.
If they say they're not using it, how will you respond? If they say they are using it, how will you respond?

As far as IIS / PHP or Windows itself?
Both, plus whatever else is used on the client side.

Don't need to, we aren't hiring anyone.
How were your existing administrators screened? Background checks? Credit reports? PIs?

How do you manage physical access to your cabling? After the cables leave your secure room, where do they go? How is access to them controlled?

Windows is not PHP's home platform. As such, it's something of a second class citizen on that platform. Say there's a high-priority bug in PHP, but it only manifests on Windows. What's PHP.net's motivation to fix it, compared to Microsoft's motivation to fix a similarly classed ASP.Net bug? Are you comfortable with the level of support you've got from them?

We have 24x7 computer operators who take care of this. Again, this system is low-use.
System load is orthogonal to security.

That's up to the DBA, I have no clue.
Don't you think you should find out?
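The point made above about binding versus concatenation, as an added example that is not code from this thread: Python's sqlite3 module stands in for PHP and mssql_bind, since its `?` placeholder plays the same role as the bound `@Param` values, and the in-memory table, the two sample rows and the tautology string are all constructed here for illustration. The block shows the concatenated query returning every row for a crafted input, the bound query returning nothing for the same input, and a "letters only" regex that accepts that input because its author forgot the anchors, which is the kind of regex slip the post warns about.

```python
import re
import sqlite3

# Constructed sample table: a stand-in for the thread's MSSQL user table so the
# example runs offline. Names and values are invented for illustration.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (fname TEXT, lname TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("Alice", "Smith", "alice@example.com"),
         ("Bob", "Jones", "bob@example.com")],
    )
    return conn

def lookup_concat(conn, lname):
    """Vulnerable pattern: the user-supplied value becomes part of the SQL text."""
    sql = "SELECT fname FROM users WHERE lname = '" + lname + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_bound(conn, lname):
    """Hardened pattern: the value is a bound parameter (the '?' placeholder),
    so the database never interprets it as SQL, whatever it contains."""
    rows = conn.execute("SELECT fname FROM users WHERE lname = ?", (lname,))
    return [row[0] for row in rows]

# A "letters only" check written two ways. The first forgets the anchors, so it
# accepts any string that merely contains a letter somewhere; the second only
# accepts a string made entirely of letters.
LETTERS_UNANCHORED = re.compile(r"[A-Za-z]+")
LETTERS_ANCHORED = re.compile(r"\A[A-Za-z]+\Z")

def validate(pattern, value):
    """True if the value passes the given regex check."""
    return pattern.search(value) is not None

# Classic tautology string, constructed here only to contrast the two queries.
PAYLOAD = "' OR '1'='1"

def demo():
    """Run every comparison against a fresh database and return the results."""
    conn = make_db()
    return {
        "concat_normal": lookup_concat(conn, "Smith"),
        "concat_payload": lookup_concat(conn, PAYLOAD),   # every row comes back
        "bound_payload": lookup_bound(conn, PAYLOAD),     # no surname matches it
        "regex_unanchored_accepts": validate(LETTERS_UNANCHORED, PAYLOAD),
        "regex_anchored_accepts": validate(LETTERS_ANCHORED, PAYLOAD),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The bound query is safe regardless of which regex was used in front of it, which is the post's argument: validation stays useful for data integrity, but parameter binding is what removes the injection surface.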
 
Out of curiosity, what sort of degree/certification does one need to be proficient with these issues? At Michigan State, I know there's a specialization in our Masters program for security... I imagine there's something else too....
 
A No B.S. from the School of Hard Knocks is the only one I know about.

Seriously, there's applied security, which is what we're talking about here. It's just thinking through your tools and your exposure. You can get the basics from reading a book. You can get some of the way towards it by trying to think like a hacker. I don't think like a hacker; I know where the key vulnerabilities are and have a sense for what's risky, but I'm not good at leveraging a bug into a vulnerability.

And then there's pure security. Cryptography, encryption, understanding the information theory behind it, and all that stuff. Crypto and encryption are purely math, though their applied use can be covered in Computer Science. Information Theory is taught in different disciplines, too.
 
Of course you have a choice. You're not a victim. Every day when you wake up, you control your own destiny. Unless, of course, you've already given up.
Uh, ok. I haven't given up, that's why I am asking.

You've asked for advice about security, but you haven't told us what you have done or didn't do. (You didn't even tell us what tools and platform you were using until your third post into the thread.) I'm asking lots of questions about security to see what you have or have not done. Funny thing is, you're not answering those questions after thoughtfully considering security. You're offering reasons not to investigate rather than explanations of everything you've thought through, which, if I were your boss, I'd find very disappointing.
I just started this project yesterday.

Your site will be lots less vulnerable when you drop the victim attitude; and it'll be less vulnerable still when you get your security attitude on.

Using regexes is a mediocre idea for data integrity and is not great for performance. But it's stupid for security. An error in your regex, or in your regex handling code, causes a security hole. If you bind your inputs, then you've got nearly no surface area for SQL injection because it's impossible to inject SQL since you're not concatenating any command strings together based on user input. If you really understand SQL injection, then you know this is what causes the problem in the first place. Why not eliminate the root cause?

I don't show it below, but there is a db.inc file which handles all database interaction, each command is prefixed with @ to not display a message and custom error / logging occurs.

I am binding inputs, see below:
Code:
@include_once("include/db.inc");

// Get data from POST. stripslashes() only undoes magic_quotes escaping; it is
// not validation (the regex checks run before this point).
$fname = stripslashes($_POST["fname"]);
$lname = stripslashes($_POST["lname"]);
$ssn   = sha1($_POST["ssn4"]);      // 40-char hex digest; unsalted SHA-1 of a
                                    // 4-digit value has only 10,000 possible outputs
$dob   = stripslashes($_POST["dob"]);
$email = stripslashes($_POST["email"]);
$uname = sha1($_POST["persid"]);
$passw = sha1($_POST["password"]);  // unsalted SHA-1, as posted

$sSPName = "spSSW_InsertUser";

// Set up the database object and prepare the stored procedure call
$db     = new DMPSDatabase;
$conn   = $db->connect_db();
$sql    = $db->init_sp($sSPName, $conn);

// Every value travels as a typed parameter; none is concatenated into SQL text
mssql_bind($sql, "@FirstName", $fname, SQLVARCHAR);
mssql_bind($sql, "@LastName",  $lname, SQLVARCHAR);
// sha1() returns a hex string, so it cannot be bound as SQLINT4; bind it as
// SQLVARCHAR (the procedure's @SSN parameter is assumed to be varchar(40))
mssql_bind($sql, "@SSN",       $ssn,   SQLVARCHAR);
mssql_bind($sql, "@DOB",       $dob,   SQLVARCHAR);
mssql_bind($sql, "@Email",     $email, SQLVARCHAR);
mssql_bind($sql, "@UserName",  $uname, SQLVARCHAR);
mssql_bind($sql, "@Password",  $passw, SQLVARCHAR);

$result = $db->execute_sp($sql, $sSPName);
$close  = $db->close_conn($conn);

// Refer back to the signup page and post OK
$db = "";

header("Location: signup.php");
exit; // stop here so nothing after the redirect is executed or sent

To read more about binding parameters for Microsoft SQL Server queries in PHP, see the mssql_bind documentation. If you have further questions, let me know and I'll be happy to help.

Again, you don't need to ask -- you need to figure out if they're necessary for your network topology and demand that they're provided to you, or document why they're not necessary.
I'm not too worried about the network as my only job is to do the code side of things.

Do you know the policy and procedures for the old system? Are you satisfied with them? Does your planned system have the same exposure as the current system? What's the offsite backup procedure? How is the data protected, particularly in transit?
Again, I am only responsible for the code, not the infrastructure.

With employees in there 24x7, they'll have every opportunity to copy data off the machines and take it home, or move it to a less secure machine so that it's vulnerable. Have you audited access to the room? How often? How often must passcodes be changed? How long are they, over how many digits?
Again, more or less not what my point is here, but, all of that is handled.

If they say they're not using it, how will you respond? If they say they are using it, how will you respond?
I haven't a clue.

Both, plus whatever else is used on the client side.

How were your existing administrators screened? Background checks? Credit reports? PIs?
We have one system admin, he's the CEO. He doesn't trust ANYONE.

Also, anyone hired has a background check, credit check, piss check, and references called.

How do you manage physical access to your cabling? After the cables leave your secure room, where do they go? How is access to them controlled?
I'm just a coder damnit, lol.

Windows is not PHP's home platform. As such, it's something of a second class citizen on that platform. Say there's a high-priority bug in PHP, but it only manifests on Windows. What's PHP.net's motivation to fix it, compared to Microsoft's motivation to fix a similarly classed ASP.Net bug? Are you comfortable with the level of support you've got from them?
Yes, this should be fine.

System load is orthogonal to security.

Don't you think you should find out?
Yeah, I'll look into it.
 