security_tz

Differences

This shows the differences between two versions of this page.


security_tz [2016/11/10 12:37]
Павел Кульков [How to protect yourself]
security_tz [2016/11/10 15:58] (current)
Павел Кульков [How to protect yourself]
Line 60: Line 60:
   * Has a delay between the user submitting the credential and a success or failure is reported. A delay of three seconds can make automated brute force attacks almost infeasible. A progressive delay (3 seconds then 15 then 30 then disconnect) can make casual brute force attacks completely ineffective   * Has a delay between the user submitting the credential and a success or failure is reported. A delay of three seconds can make automated brute force attacks almost infeasible. A progressive delay (3 seconds then 15 then 30 then disconnect) can make casual brute force attacks completely ineffective
   * warns the user with a suitable error message that does not disclose which part of the application credentials are incorrect by using a common authentication error page:    * warns the user with a suitable error message that does not disclose which part of the application credentials are incorrect by using a common authentication error page: 
-  ​* logs failed authentication attempts (in fact, a good application logs all authentication attempts) +    ​* logs failed authentication attempts (in fact, a good application logs all authentication attempts) 
-  * for applications requiring stronger controls, blocking access from abusive IP addresses (ie accessing more than three accounts from the same IP address, or attempting to lock out more than one account) +    * for applications requiring stronger controls, blocking access from abusive IP addresses (ie accessing more than three accounts from the same IP address, or attempting to lock out more than one account) 
-  * destroys the session after too many retries. In such a scenario, log analysis might reveal multiple accesses to the same page from the same IP address within a short period of time. Event correlation software such as Simple Event Correlator (SEC) can be used to define rules to parse through the logs and generate alerts based on aggregated events. This could also be done by adding a Snort rule for alerting on HTTP Authorization Failed error messages going out from your web server to the user, and SEC can then be used to aggregate and correlate these alerts.+    * destroys the session after too many retries. In such a scenario, log analysis might reveal multiple accesses to the same page from the same IP address within a short period of time. Event correlation software such as Simple Event Correlator (SEC) can be used to define rules to parse through the logs and generate alerts based on aggregated events. This could also be done by adding a Snort rule for alerting on HTTP Authorization Failed error messages going out from your web server to the user, and SEC can then be used to aggregate and correlate these alerts.
   * If your application deals with high value transactions,​ it should not have “Remember Me” functionality. ​   * If your application deals with high value transactions,​ it should not have “Remember Me” functionality. ​
   * If the risk is minimal, it is enough to warn users of the dangers before allowing them to tick the box.   * If the risk is minimal, it is enough to warn users of the dangers before allowing them to tick the box.
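Review bot: the re-indentation in this hunk nests "logs failed authentication attempts", "blocking access from abusive IP addresses" and "destroys the session after too many retries" under the bullet that ends "by using a common authentication error page:", but that colon introduces the error-page recommendation, not these three controls, so the logging and lockout guidance now reads as part of the error-message advice. Either give them a lead-in of their own (an item such as "The authentication mechanism also:" placed after the error-message bullet) or keep them at the top level alongside "Has a delay between the user submitting the credential ...". While these lines are being touched, "ie accessing more than three accounts" reads better as "i.e. accessing more than three accounts", and the Simple Event Correlator / Snort sentence describes detecting repeated failures from the logs, so it sits more naturally with the logging item than with the session-destruction item.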
Line 80: Line 80:
   * Ensure the process to maximize the features of an account is simple and transparent. ​   * Ensure the process to maximize the features of an account is simple and transparent. ​
   * When accounts are modified, ensure that a reasonable trace or audit of activity is maintained. Do not use CAPTCHA tags. They are illegal if you are required to be accessible to all users (often the case for government sites, health, banking, and nationally protected infrastructure,​ particularly if there is no other method of interacting with that organization). If you have to:    * When accounts are modified, ensure that a reasonable trace or audit of activity is maintained. Do not use CAPTCHA tags. They are illegal if you are required to be accessible to all users (often the case for government sites, health, banking, and nationally protected infrastructure,​ particularly if there is no other method of interacting with that organization). If you have to: 
-  ​* always provide a method by which a user may sign up or register for your web site offline or via another method +    ​* always provide a method by which a user may sign up or register for your web site offline or via another method 
-  * deter the use of automated sign ups by using the “no follow” tag (see section TODO) . Search engines will ignore hyperlinks and pages with this tag set, immensely devaluing the use of link spamming+    * deter the use of automated sign ups by using the “no follow” tag (see section TODO) . Search engines will ignore hyperlinks and pages with this tag set, immensely devaluing the use of link spamming
   * Limit the privileges of newly signed up accounts or similar until a positive validation has occurred. This can be as simple as including a unique reference ID to a registered credit card, or requiring a certain amount of time before certain features are unlocked, such as public posting rights or unfettered access to all features ​   * Limit the privileges of newly signed up accounts or similar until a positive validation has occurred. This can be as simple as including a unique reference ID to a registered credit card, or requiring a certain amount of time before certain features are unlocked, such as public posting rights or unfettered access to all features ​
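Review bot: nesting "always provide a method by which a user may sign up or register for your web site offline" and "deter the use of automated sign ups by using the “no follow” tag" under the bullet ending "If you have to:" is the right structure, but that bullet still combines two unrelated points (keeping an audit trail when accounts are modified, and the CAPTCHA accessibility warning), so the sub-list also hangs off the audit sentence. Split it so that "When accounts are modified, ensure that a reasonable trace or audit of activity is maintained." is its own item and "Do not use CAPTCHA tags. ... If you have to:" is the item that introduces the sub-list. The "(see section TODO)" placeholder in the "no follow" item is also still unresolved in the new revision; either link the intended section or drop the parenthetical before the page is published.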
  
security_tz.txt · Last modified: 2016/11/10 15:58 — Павел Кульков