Web Security Health Check

Common Unprofessional Practice in Hong Kong

It is important to note that more than 90% of the vulnerabilities found have countermeasures. When conducting a security assessment, HiTRUST consultants do more than vulnerability scanning: while reviewing the customer’s network environment and security policy they encounter a number of “common unprofessional practices” that give rise to the vulnerabilities listed below.

Top 10 Vulnerabilities and the “Common Insecure Practice” causing each

  1. SSL Server Supports Weak Encryption Vulnerabilities
     Practice: SSL is deployed for secure communication between a client and a server, but low-strength encryption ciphers are still allowed.
  2. SSL Server Has SSL v2 Enabled Vulnerabilities
     Practice: The outdated SSL v2 protocol is left enabled by default.
  3. Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerabilities
  4. TCP Sequence Number Approximation Based Denial of Service
  5. WebDAV HTTP Method ‘PROPFIND’ Enabled
  6. Netscape/OpenSSL Cipher Forcing Bug
  7. Microsoft IIS Internal IP Address/Internal Network Name Disclosure Vulnerability
     Practice (items 3 to 7): Patches or guidelines for these vulnerabilities are readily available from the vendors’ websites, but they are not implemented on the servers; no hardening is done before the new server is connected to the Internet.
  8. ICMP Timestamp Request
     Practice: Firewall settings are not reviewed after installing a new server or application.
  9. Account Brute Force Possible Through IIS NTLM Authentication Scheme
     Practice: Only the default installation settings are used, with no manual configuration or checking before the server is connected to the Internet.
 10. Microsoft IIS Authentication Method Disclosure Vulnerabilities
     Practice: No solution from the vendor yet, but the issue can be avoided by deploying an IPS or application-layer security measures.
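As an added example (not part of HiTRUST’s page or its tooling), the following Python script shows how a defender can verify the Trace/Track method finding on a server they operate: it starts two constructed local test servers, one that reflects TRACE requests and one hardened server that does not, and probes each for the reflection of a marker header that makes Cross-Site Tracing possible. The handler classes, port choice and marker value are all constructed for the demonstration.

```python
import http.server
import socket
import threading

class QuietHandler(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output quiet
        pass

class TraceEnabledHandler(QuietHandler):
    # Constructed test server reproducing the finding: TRACE echoes the request.
    def do_TRACE(self):
        body = self.raw_requestline + b"".join(
            f"{k}: {v}\r\n".encode() for k, v in self.headers.items())
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class HardenedHandler(QuietHandler):
    # Constructed hardened server: no do_TRACE, so the base class answers 501.
    pass

def trace_reflected(host, port, timeout=3.0):
    # Send one TRACE request carrying a marker header; report True only if the
    # server answers 200 and echoes the marker in the body (the XST condition).
    marker = "X-Probe-Marker: constructed-value-0001"
    request = (f"TRACE / HTTP/1.1\r\nHost: {host}\r\n{marker}\r\n"
               "Connection: close\r\n\r\n").encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while data := sock.recv(4096):
            chunks.append(data)
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0].split()
    return len(status) >= 2 and status[1] == b"200" and marker.encode() in body

def audit_local_servers():
    # Start each constructed server on an ephemeral loopback port and probe it.
    results = {}
    for name, handler in (("trace-enabled", TraceEnabledHandler),
                          ("hardened", HardenedHandler)):
        server = http.server.HTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        results[name] = trace_reflected("127.0.0.1", server.server_address[1])
        server.shutdown()
        server.server_close()
    return results
```

Running audit_local_servers() returns {'trace-enabled': True, 'hardened': False}; pointing trace_reflected at a host and port you administer gives the same pass/fail answer for a real web server.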

Practical Tips: What You Can Do

From these assessment projects, HiTRUST consultants have identified a number of tactics that address the causes of the vulnerabilities. These tactics effectively mitigate the risk to which the enterprise network is exposed. It is also essential to apply them regularly across the entire enterprise network.

  1. Enforce High-Strength Encryption Ciphers
  2. Manage Security Patch Updates
  3. Harden New Servers
  4. Regularly Scan for Network & Application Vulnerabilities
  5. Plan Web Application Development Well
  6. Enforce Security Policies, Guidelines & Procedures for Internal Staff and Service Providers

Copyright © 2005 HiTRUST.COM (HK) Inc., Ltd.