Tables of Contents for Hack Proofing Your E-Commerce Site
Page   Pages  Chapter/Section Title
xxv           Foreword
1      44     Applying Security Principles to Your E-Business
2      1      Introduction
3      17     Security as a Foundation
3      1      Confidentiality
4      1      Integrity
4      2      Availability
6      3      Presenting Security As More Than a Buzzword
9      1      The Goals of Security in E-Commerce
10     3      Planning with Security in Mind
13     1      Security during the Development Phase
14     1      Implementing Secure Solutions
15     5      Managing and Maintaining Systems in a Secure Environment
20     7      Applying Principles to Existing Sites
21     1      It All Starts with Risk
22     1      Fix the Highest Risks First
23     1      Management and Maintenance during the Patching Process
24     1      Impact of Patching on Production Systems
25     1      The Never-Ending Cycle of Change
26     1      Developing a Migration Plan
27     8      How to Justify a Security Budget
27     2      The Yardstick Approach
29     1      A Yardstick Approach Case Study
30     1      Possible Results of Failure
31     1      The Fear Tactic Approach
32     2      A Fear Tactic Approach Case Study
34     1      Possible Results of Failure
35     1      Security as a Restriction
36     2      Security as an Enabler
38     1      Summary
39     4      Solutions Fast Track
43     2      Frequently Asked Questions
45     74     DDoS Attacks: Intent, Tools, and Defense
46     1      Introduction
47     20     What Is a DDoS Attack?
48     2      Laying the Groundwork: DoS
50     7      Resource Consumption Attacks
57     3      Malformed Packet Attacks
60     3      Anatomy of a DDoS Attack
63     4      The Attacks of February 2000
67     3      Why Are E-Commerce Sites Prime Targets for DDoS?
68     1      A Growing Problem
69     1      How the Media Feeds the Cycle
70     5      What Motivates an Attacker to Damage Companies?
70     2      Ethical Hacking: A Contradiction in Terms?
72     1      Hacktivism
72     1      Fifteen Minutes of Fame
73     1      Hell Hath No Fury Like a Hacker Scorned
73     1      Show Me the Money!
74     1      Malicious Intent
75     12     What Are Some of the Tools Attackers Use to Perform DDoS Attacks?
76     1      Trinoo
76     2      Understanding How Trinoo Works
78     1      TFN2K: The Portable Monster
78     3      Understanding How TFN2K Works
81     1      Stacheldraht—A Barbed-Wire Offensive
81     5      Understanding How Stacheldraht Works
86     1      More DDoS Families
87     22     How Can I Protect My Site against These Types of Attacks?
90     5      Basic Protection Methods
95     4      Using Egress Rules to Be a Better "Net Neighbor"
99     4      Defending against the SYN's of the Internet
103    6      Methods for Locating and Removing Zombies
109    2      Summary
111    6      Solutions Fast Track
117    2      Frequently Asked Questions
119    100    Secure Web Site Design
120    1      Introduction
121    22     Choosing a Web Server
121    1      Web Server versus Web Service
122    5      Factoring in Web Servers' Cost and Supported Operating Systems
127    1      Comparing Web Servers' Security Features
127    6      Authentication
133    1      Using the SET Protocol
134    1      Setting Permissions
134    1      Using CGI Applications
134    9      Security Features Side By Side
143    46     The Basics of Secure Site Design
143    2      Creating a Security Plan
145    1      Protecting against Internal Threats
146    3      Adding Security Tiers beyond the Web Server
149    2      Apache versus Internet Information Services
151    1      Installation: The First Step
152    12     Installing and Configuring Apache
164    4      Installing and Configuring Internet Information Server 5.0
168    5      Windows 2000 Server and Internet Information Server 5.0 Security
173    1      Hardening the Server Software
174    1      Install Patches
174    1      Disable Unneeded Ports, Services, and Components
175    1      Delete Unneeded Scripts and Files
176    2      Hardening the Overall System
178    5      Password Hacking and Analysis Tools
183    1      Web Design Issues Dealing with HTML Code
183    3      Information in HTML Code
186    3      Using Server Side Includes (SSI) in HTML Code
              Guidelines for Java, JavaScript, and ActiveX
189    2      Understanding Java, JavaScript, and ActiveX—and the Problems They May Cause
191    5      Preventing Problems with Java, JavaScript, and ActiveX
196    3      Programming Secure Scripts
199    3      Code Signing: Solution or More Problems?
199    1      Understanding Code Signing
200    1      The Strengths of Code Signing
201    1      Problems with the Code Signing Process
202    7      Should I Outsource the Design of My Site?
203    1      Understanding the Required Skills
204    1      Pros and Cons of Outsourcing Design Work
204    1      Workload
205    1      Security
206    1      Contracts and Cost
207    2      No Matter Who Designs It, Double-Check before You Implement It
209    1      Summary
210    4      Solutions Fast Track
214    5      Frequently Asked Questions
219    42     Designing and Implementing Security Policies
220    1      Introduction
220    8      Why Are Security Policies Important to an E-Commerce Site?
221    1      What Is a Security Policy?
222    1      Value versus Risk
223    1      Security versus Services Provided
224    1      Cost of Security versus Cost of Not Having Security
225    3      Where Do I Begin?
228    18     What Elements Should My Security Policy Address?
230    1      Confidentiality and Personal Privacy Policies
231    5      Requirements for Authentication
236    3      Requirements for Protecting Customer Information
239    1      Privacy Policies
240    1      Information Integrity Policies
241    3      Quality Assurance Policies
244    1      Assuring Information Integrity through Technology
244    2      Availability of Service Policies
246    2      Are Prewritten Security Policies Available on the Net?
246    1      All Organizations Are Different—and So Are Their Policies
247    1      Example Policies and Frameworks
248    1      A Word about the Outsourcing of Policy Development
248    3      How Do I Use My Security Policy to Implement Technical Solutions?
251    3      How Do I Inform My Clients of My Security Policies?
252    1      Building Customer Confidence through Disclosure
253    1      Security as a Selling Point
254    1      Summary
255    4      Solutions Fast Track
259    2      Frequently Asked Questions
261    52     Implementing a Secure E-Commerce Web Site
262    2      Introduction
262    2      Introduction to E-Commerce Site Components
264    8      Implementing Security Zones
266    2      Introducing the Demilitarized Zone
268    3      Multiple Needs Equals Multiple Zones
271    1      Problems with Multi-Zone Networks
272    8      Understanding Firewalls
272    3      Exploring Your Firewall Options
275    1      Designing Your Firewall Rule Set
276    1      It Starts with a "Deny All" Attitude
276    2      Common Ports for Common Communications
278    1      Converting Pseudo-Code to Firewall Rules
279    1      Protocols and Risks: Making Good Decisions
280    3      How Do I Know Where to Place My Components?
280    2      Profiling Systems by Risk
282    1      Establishing Risk Control Requirements
283    1      Creating Security Zones through Requirement Grouping
283    12     Implementing Intrusion Detection
285    1      What Is Intrusion Detection?
286    2      Your Choices in Intrusion Detection
288    2      Network-Based IDS
290    2      Host-Based IDS
292    1      Example of a Network-Based IDS
293    2      Example of a Host-Based IDS
295    6      Managing and Monitoring the Systems
295    1      What Kind of Management Tasks Can I Expect to Perform?
296    2      What Kinds of Monitoring Should I Be Performing?
298    1      Basic System Monitoring
299    1      Monitoring Your Security Devices
300    1      Log File Management
301    4      Should I Do It Myself or Outsource My Site?
302    1      Pros and Cons of Outsourcing Your Site
303    1      Co-Location: One Possible Solution
303    2      Selecting an Outsource Partner or ASP
305    1      Summary
305    6      Solutions Fast Track
311    2      Frequently Asked Questions
313    68     Securing Financial Transactions
314    1      Introduction
315    12     Understanding Internet-Based Payment Card Systems
315    2      Credit, Charge, or Debit Cards: What Are the Differences?
317    1      Point-of-Sale Processing
318    1      Differences That Charge Cards Bring into the Picture
319    2      Capture and Settlement
321    4      Steps in an Internet-Based Payment Card Transaction
325    1      Toxic Data Lives Everywhere!
326    1      Approaches to Payments via the Internet
327    4      Options in Commercial Payment Solutions
328    1      Commerce Server Providers
329    2      Braving In-house Resources
331    6      Secure Payment Processing Environments
335    1      Additional Server Controls
336    1      Controls at the Application Layer
337    14     Understanding Cryptography
337    1      Methodology
337    1      Substitution Method
338    1      Transposition Method
339    3      Transposition Example
342    1      The Role of Keys in Cryptosystems
342    1      Symmetric Keys
342    1      Asymmetric Keys
343    1      Principles of Cryptography
344    1      Understanding Hashing
345    3      Digesting Data
348    1      Digital Certificates
349    2      CCITT X.509
351    11     Examining E-Commerce Cryptography
351    1      Hashing Functions
352    1      Block Ciphers
352    1      Implementations of PPK Cryptography
353    2      The SSL Protocol
355    1      Transport Layer Security (TLS)
356    1      Pretty Good Privacy (PGP)
357    1      S/MIME
357    2      Secure Electronic Transactions (SET)
359    3      XML Digital Signatures
362    2      Virtual POS Implementation
362    2      ICVERIFY
364    8      Alternative Payment Systems
365    1      Smart-Card-Based Solutions
365    2      EMV
367    1      MONDEX
368    1      Visa Cash
369    1      The Common Electronic Purse Specification (CEPS)
369    1      Proxy Card Payments
370    1      PayPal
370    1      Amazon Payments
371    1      Funny Money
371    1      Beenz
371    1      Flooz
372    1      Summary
373    6      Solutions Fast Track
379    2      Frequently Asked Questions
381    44     Hacking Your Own Site
382    1      Introduction
382    7      Anticipating Various Types of Attacks
382    2      Denial of Service Attacks
384    1      Information Leakage Attacks
385    1      File Access Attacks
386    1      Misinformation Attacks
387    1      Special File/Database Access Attacks
388    1      Elevation of Privileges Attacks
389    6      Performing a Risk Analysis on Your Site
390    2      Determining Your Assets
392    3      Why Attackers Might Threaten Your Site and How to Find Them
395    19     Testing Your Own Site for Vulnerabilities
396    3      Determining the Test Technique
399    8      Researching Your Vulnerabilities
407    2      Mapping Out a Web Server
409    5      Using Automated Scanning Tools
414    4      Hiring a Penetration Testing Team
418    1      Summary
419    4      Solutions Fast Track
423    2      Frequently Asked Questions
425    50     Disaster Recovery Planning: The Best Defense
426    1      Introduction
426    12     What Is Disaster Recovery Planning?
428    1      Structuring a Disaster Recovery Plan
429    2      Loss of Data or Trade Secrets
431    5      Loss of Access to Physical Systems
436    1      Loss of Personnel or Critical Skill Sets
436    2      Practicing Compliance with Quality Standards
438    9      Ensuring Secure Information Backup and Restoration
439    1      The Need for Backups and Verification
440    2      An Example Backup Rotation Process
442    1      Storage Area Networks
443    1      Protecting Backups of Sensitive Information
444    1      User Authentication
445    1      Data Encryption and Controls
446    1      Key Management
447    7      Planning for Hardware Failure or Loss of Services
448    1      The Single Point of Failure Problem
449    2      ISP Redundancy
451    1      Network Hardware Redundancy
451    2      System Hardware Redundancy
453    1      Expanding the Scope of Your Solutions
454    3      How Do I Protect against Natural Disasters?
455    1      Hot Sites: The Alternate Path to Recovery
456    1      How Do I Choose a Hot Site?
456    1      Testing the Process
457    9      Understanding Your Insurance Options
458    1      Errors and Omissions Coverage
459    1      Intellectual Property Liability
460    1      First Party E-Commerce Protection
461    2      Determining the Coverage You Need
463    1      Financial Requirements
464    1      The Delicate Balance: Insurance and the Bottom Line
464    2      Coverage That May Not Be Needed
466    1      Summary
467    5      Solutions Fast Track
472    3      Frequently Asked Questions
475    40     Handling Large Volumes of Network Traffic
476    1      Introduction
476    17     What If My Site's Popularity Exceeds My Expectations?
478    1      Determining the Load on Your Site
479    4      Determining Router Load
483    1      Determining Switch Load
484    1      Determining Load Balancer Load
485    3      Determining Web Server Load
488    5      Performance Tuning the Web Server
493    6      How Do I Manage My Bandwidth Needs?
493    3      Contracting for Bandwidth
496    1      Estimating Required Service Levels
497    1      How Do I Know When I Need More Bandwidth?
498    1      Obtaining Bandwidth on Demand
499    10     Introduction to Load Balancing
500    1      What Is Load Balancing?
501    1      Changing the Destination MAC Address
502    1      Modifying the IP Addresses
503    1      Using a Proxy Server
504    1      Finding a Custom Software/Clustering Solution
504    1      Determining Load
505    1      The Pros and Cons of Load Balancing
505    4      Load Balancing and Security
509    1      Summary
510    2      Solutions Fast Track
512    3      Frequently Asked Questions
515    38     Incident Response, Forensics, and The Law
516    1      Introduction
516    9      Why Is an Incident Response Policy Important?
516    1      Panic or Be Calm: You Decide
517    1      How Not to Handle an Incident
518    6      Proper Policy Pays Off
524    1      Incident Response Policy Recap
525    1      Establishing an Incident Response Team
526    4      Setting the Prosecution Boundaries
526    3      Attackers Crossing the Line
529    1      Understanding the Chain of Custody
530    1      Establishing an Incident Response Process
531    7      Introduction to Forensic Computing
538    4      Tracking Incidents
542    3      Resources
542    1      Legal/Government/Law Enforcement
542    1      Backup/Forensics
543    1      Incident Tracking Systems
544    1      Miscellaneous
545    1      Summary
546    4      Solutions Fast Track
550    3      Frequently Asked Questions
553    30     Appendix A: Cisco Solutions for Content Delivery
554    1      Introduction
555    8      Improving Security Using Cisco LocalDirector
555    1      LocalDirector Technology Overview
556    1      LocalDirector Product Overview
557    1      LocalDirector Security Features
557    1      Filtering of Access Traffic
557    2      Using synguard to Protect against SYN Attacks
559    1      Using Network Address Translation to Hide Real Addresses
560    1      Restricting Who Is Authorized to Have Telnet Access to the LocalDirector
561    1      Password Protection
562    1      Syslog Logging
563    7      Securing Geographically Dispersed Server Farms Using Cisco DistributedDirector
563    2      DistributedDirector Technology Overview
565    1      DistributedDirector Product Overview
565    1      DistributedDirector Security Features
565    1      Limiting the Source of DRP Queries
566    2      Authentication between DistributedDirector and DRP Agents
568    2      Password Protection
570    1      Syslog Logging
570    10     Improving Security Using the Cisco Content Services Switch
571    1      Content Services Switch Technology Overview
572    1      Content Services Switch Product Overview
573    1      Content Services Switch Security Features
573    1      Flow Wall Security
574    1      Using Network Address Translation to Hide Real Addresses
575    1      Firewall Load Balancing
576    1      Password Protection
577    1      Disabling Telnet Access
578    1      Syslog Logging
578    2      Known Security Vulnerabilities
580    1      Summary
581    2      Frequently Asked Questions
583    42     Appendix B: Hack Proofing Your E-Commerce Site Fast Track
625           Index