This article is a re-edited version of "What are the security risks of a website's server and how should they be addressed?", published in the "Malware Information Bureau" provided by Canon Marketing Japan.
Websites, which used to serve mainly to attract customers and generate sales, are becoming the key to business operations in the wake of the coronavirus pandemic and the digital shift. On the other hand, as the number of websites grows, web servers are increasingly targeted by cyber attacks. In this article, we revisit how a website works and explain the security risks of the web server and the countermeasures against them.
While face-to-face business has become more difficult due to the coronavirus crisis, marketing and sales activities via websites are being strengthened. Under the influence of stay-at-home requests, sales on EC (e-commerce) sites are also increasing. According to the "Market Survey on Electronic Commercial Transactions in the 2nd year of Reiwa (2020)" conducted by the Ministry of Economy, Trade and Industry, the consumer EC market in the product sales field was reported to have grown 21.71% year-on-year to ¥12,233.3 billion.
As websites increase, cyber attacks targeting them are increasing as well. The number of consultations on unauthorized login received by the IPA (Information-technology Promotion Agency) in the third quarter of 2020 rose 59.4% from the previous quarter. The total number of consultations, including cases such as malware, rose sharply by 83.3%.
When taking security measures for a website, it is necessary to consider it broadly from the following four viewpoints.
1) Application
The application is responsible for displaying content when the site is accessed from a web browser. As with a search function, it also covers dynamically changing the content and executing business logic according to user input. Many websites have accounts and a login. Inadequate handling of input data, authentication and authorization can lead to unauthorized access and information leakage.
2) Server
The computer that responds to access from web browsers, together with the software and hardware responsible for processing on that computer. Vulnerabilities in the OS or middleware running on the server may be targeted by attackers. The detailed mechanism of the server is described later.
3) Network
The communication path over which data is exchanged between web browsers and servers. Equipment such as firewalls, IPS/IDS, and routers is used to block abnormal traffic, such as floods of unusually large packets, and unauthorized communications.
4) Other infrastructure elements
The environment in which websites operate is also becoming more complicated to suit internal and external purposes, for example by combining on-premises and cloud environments or by using multiple cloud environments. After clarifying the division of responsibilities with the cloud providers, it is necessary to consider security measures for the entire network.
What security measures are necessary to operate a website? https://eset-info.canon-its.jp/malware_info/special/detail/210511.html
As mentioned earlier, website security requires comprehensive measures from multiple perspectives. In this article, we explain the security of the server. If the server is hit by a cyber attack, the damage tends to spread. For example, if the server is accessed without authorization, the content of the website may be tampered with, or the server may be used as a stepping stone and become involved in attacks on other servers.
Also, since the application is stored on the server, if the server stops operating, the functions of the website are lost. And the network, whose role is to carry data to and from the server, cannot serve its purpose if the server has a problem.
Servers are divided into several types according to their functions and roles. The following is a typical configuration for operating a website. The names differ depending on the type of middleware installed.
1) Web server
When requested by a web browser, it is responsible for sending the data that makes up the website, such as HTML data, images, CSS for styling, and JavaScript that runs in the browser, which are the materials for page generation. In some cases it also encrypts the communication or performs access control. Generally, middleware such as Apache and NGINX is used as the web server. It is sometimes called an HTTP server.
2) Application server
In response to access from web browsers, it generates dynamic web pages with programs written in languages such as Java. It is a server that runs the programs implementing the business logic and uses middleware such as Tomcat. Depending on the server, it may also be used on its own as a web server that sends and receives static data.
3) DB (database) server
Stores the data used by the application. In response to requests from web browsers, it provides data search and editing functions in cooperation with the application server. Database management systems such as MySQL and PostgreSQL are widely used.
Recently, some websites subdivide server roles even further. Where a large volume of access is expected, a CDN (Content Delivery Network) server may be used to reduce the load on the servers, and a dedicated API (Application Programming Interface) server may handle frequently requested APIs.
Previously, one physical server typically played one role. Recently, however, with changes in the environment such as higher server specifications and the spread of virtualization, it has become commonplace to partition the inside of a server virtually and install multiple pieces of middleware. Even so, the configuration above remains the basis, so it is worth properly understanding the types and mechanisms of servers.
As the number of websites used in business has increased, more and more servers are being targeted. Specifically, servers tend to be attacked using the following methods.
1) Website tampering
The content of the website is rewritten by exploiting vulnerabilities in the application or server. Malware may be embedded, harming visitors to the website.
2) Port scan
The connection point through which the server communicates with external computers is called a port. Attackers look for ports that the owner did not intend to expose, and attempt to destroy or steal data or hijack the server.
3) SQL injection
SQL is a language used for reading and writing databases. By entering unauthorized SQL commands in a website's input form, attackers destroy or steal data and tamper with websites.
4) Cross-site scripting
Leads users of a vulnerable website to a malicious website, where they are defrauded or infected with malware. In some cases the real website is rewritten, or a phishing page is displayed, so that the site itself becomes complicit in the attack.
5) DDoS attack
Sends a large number of packets from multiple computers to the target website, placing an excessive load on it to bring the website down. As a website operator, you need to consider both the risk of being targeted and the risk of your server being used as a stepping stone in attacks on other websites.
6) Brute force attack
Cracks an account password by trying every possibility. A short, easy-to-guess password increases the risk of being cracked. Once the administrator password is cracked, unauthorized access, information leakage, website tampering and the like follow, and the damage expands.
7) Zero-day attack
Refers to an attack that exploits vulnerabilities in programs, including the OS and middleware, that are not yet publicly known. Defense is extremely difficult because the developers themselves are not yet aware of the vulnerability. On the premise that an intrusion will occur, a mechanism is required to detect the attack promptly and minimize the damage.
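The SQL injection entry above names the risk but not its root cause, which is building a query out of the form input itself. The following is an added example, not code from the original article: a minimal, constructed user lookup written twice, once by string concatenation and once as a parameterized query, against an in-memory SQLite table so it runs offline. The table, the sample users and the function names are assumptions for illustration.

```python
import sqlite3

# Constructed sample rows standing in for a website's user table.
USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def make_db():
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: the form input becomes part of the SQL text,
    so quote characters in the input can change the query's meaning."""
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Parameterized query: the input is bound as a value by the driver and
    can never alter the structure of the statement."""
    query = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    tampered = "' OR '1'='1"  # textbook test string; turns the WHERE clause into a tautology
    print(lookup_vulnerable(conn, "alice"))    # one row, as intended
    print(lookup_vulnerable(conn, tampered))   # every row in the table
    print(lookup_safe(conn, tampered))         # no rows: treated as a literal name
```

The same principle applies to MySQL and PostgreSQL drivers: pass values through the driver's placeholder mechanism rather than formatting them into the query string, and a WAF or IPS becomes a second line of defense rather than the only one.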
In promoting security measures, it is necessary to consider not only cyber attacks like those described above but also information leakage caused by deficiencies in the management system.
As countermeasures to reduce server security risks, the IPA has published "20 Articles for Safe Website Operation Management - Check Points for Security Countermeasures -". Some of them are excerpted below.
1) Updating the OS, middleware, and applications on the server
A website is composed of various pieces of software. When fixes for these are published, they must be applied as soon as possible to eliminate vulnerabilities. However, since an update may cause an application that has worked so far to stop working, sufficient verification is required before updating.
2) Delete unnecessary applications and services
If services that are not normally used are left running on the server, they may be abused without anyone noticing if they turn out to be vulnerable. Stop or delete everything except the minimum necessary items related to the website.
3) Proper management of accounts issued during development and testing
It is important to apply access authority control for each account, but accounts issued during development and testing are easily left behind. To reduce the risk of misuse, review the list of accounts when development is completed and delete unnecessary ones.
4) Appropriate access control for files and directories
There is a risk that third parties will view files or execute programs without authorization. In particular, be careful with the website's configuration files and files storing personal information that are reachable from the Internet.
5) Appropriate use of tools used for website operation
Using tools that inspect websites for vulnerabilities, you can operate a website safely and efficiently. Choose appropriate tools with operability and efficiency in mind.
6) Acquisition and storage of server logs
For a website, you can obtain logs of access to the website, application behavior, database operations and so on. With logs, you can investigate the cause more easily in the event of a security incident or server failure. They can also be an opportunity to detect suspicious activity suspected of being unauthorized access.
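Check point 4 above (access control for files and directories) is easy to state and easy to drift from. The following is an added example, not from the original article or the IPA's checklist: a small permission audit that walks a document root and flags world-writable entries, sensitive files readable by group or others, and setuid/setgid bits. The list of sensitive suffixes and the throwaway sample tree with deliberately mixed permissions are constructed assumptions.

```python
import os
import stat
import tempfile

# Suffixes treated as sensitive for this audit (assumed list; adjust to the site).
SENSITIVE_SUFFIXES = (".conf", ".ini", ".env", ".csv")


def audit_path(path):
    """Return a list of findings for one file or directory based on its mode bits."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if stat.S_ISDIR(mode):
        return findings
    if path.endswith(SENSITIVE_SUFFIXES) and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("sensitive file readable by group/others")
    if mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid/setgid bit set")
    return findings


def audit_tree(root):
    """Walk a document root and collect findings keyed by path relative to root."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            problems = audit_path(full)
            if problems:
                report[os.path.relpath(full, root)] = problems
    return report


def build_sample_root():
    """Construct a throwaway document root whose permissions are deliberately mixed."""
    root = tempfile.mkdtemp()
    layout = {
        "index.html": 0o644,   # public page: readable by all is expected
        "db.conf": 0o644,      # database config readable by everyone: finding
        "secrets.env": 0o600,  # correctly restricted to the owner
        "uploads": 0o777,      # world-writable upload directory: finding
    }
    os.mkdir(os.path.join(root, "uploads"))
    for name, mode in layout.items():
        full = os.path.join(root, name)
        if not os.path.isdir(full):
            with open(full, "w") as fh:
                fh.write("constructed sample content\n")
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    for rel, problems in sorted(audit_tree(sample).items()):
        print(rel, "->", ", ".join(problems))
```

Run it against the real document root in a scheduled job and diff the report over time: a new world-writable directory or a config file that became group-readable after a deployment is exactly the kind of drift this check point is about.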
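Check point 6 says logs give you a chance to detect suspicious activity; the brute force attack described earlier is the clearest case, since it leaves a run of failed logins from one source. The following is an added example, not from the original article: a parser for combined-format access logs (the default of Apache and NGINX) and a sliding-window counter that flags any client IP with a burst of failed login attempts. The sample log lines are constructed, and the login path `/login` and failure status `401` are assumptions to be set to what the application actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [timestamp] "method path proto" status bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample: one client fails five times in four seconds, another
# fails twice fifteen minutes apart, plus ordinary traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2021:10:00:01 +0900] "POST /login HTTP/1.1" 200 1532
198.51.100.7 - - [10/Mar/2021:10:00:02 +0900] "POST /login HTTP/1.1" 401 410
198.51.100.7 - - [10/Mar/2021:10:00:03 +0900] "POST /login HTTP/1.1" 401 410
198.51.100.7 - - [10/Mar/2021:10:00:03 +0900] "POST /login HTTP/1.1" 401 410
198.51.100.7 - - [10/Mar/2021:10:00:04 +0900] "POST /login HTTP/1.1" 401 410
198.51.100.7 - - [10/Mar/2021:10:00:05 +0900] "POST /login HTTP/1.1" 401 410
203.0.113.5 - - [10/Mar/2021:10:05:00 +0900] "POST /login HTTP/1.1" 401 410
203.0.113.5 - - [10/Mar/2021:10:20:00 +0900] "POST /login HTTP/1.1" 401 410
192.0.2.9 - - [10/Mar/2021:10:00:09 +0900] "GET /index.html HTTP/1.1" 200 2048
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def find_bruteforce(log_text, login_path="/login", fail_status=401,
                    threshold=5, window=timedelta(minutes=1)):
    """Return {ip: max_failures_in_window} for IPs whose failed logins reach
    the threshold inside any sliding window of the given length."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["method"] == "POST" and rec["path"] == login_path
                and rec["status"] == fail_status):
            failures[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Advance the window start until all timestamps fit in the window.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within one minute")
```

The threshold and window are policy choices: tighten them for an administrator login, and feed the flagged IPs to the firewall or WAF as a temporary block list rather than acting only after the password has already been cracked.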
Recently, many companies use cloud servers and rental servers to operate their websites, but in that case it is necessary to fully confirm the provider's security policy.
Generally, a cloud provider should have sufficient security measures in place, such as making servers redundant. However, excessive trust in them could lead to losing the company's important data when a critical problem occurs at the cloud provider.
Many companies also use WordPress, an open-source CMS (Content Management System), to build their websites. WordPress also carries the risk of being targeted by cyber attacks, so appropriate measures must be taken.
WordPress security worth reviewing once again https://eset-info.canon-its.jp/malware_info/special/detail/210120.html
To prevent security breaches on the server, which can be called the heart of the website, it is also effective to block unauthorized communication. The following explains mechanisms that perform defense and detection at different layers of the network.
1) Firewall
A basic security measure for networks that restricts access by IP address and port number and prevents attacks such as port scans. Originally it was premised on installing hardware, but recently cloud-based services have increased.
2) IPS (intrusion prevention system), IDS (intrusion detection system)
IPS and IDS are systems that mainly take security measures for the OS and middleware. They can respond to diversified attacks through detection of known attacks and detection of unusual communication. They are effective for defending against attacks such as DoS that a firewall cannot protect against.
3) WAF (web application firewall)
A solution that takes measures for web applications. It detects and blocks attacks such as SQL injection and cross-site scripting, which are said to be difficult to detect with firewalls, IPS and IDS. There is a host type installed on the web server, an appliance type that places a device on the network, and a cloud type used via the Internet.
In addition, there is room to consider using a reverse proxy as a means of strengthening security. A reverse proxy relays access from web browsers so that they do not reach the web server directly. The advantage is that security measures such as IP address restrictions and malware scans can be taken at the relay stage. There is also the advantage of improving site quality, such as load balancing and faster SSL processing.
What is the difference between a reverse proxy and a proxy? What is the mechanism of each server? https://eset-info.canon-its.jp/malware_info/special/detail/201021.html
With the digital shift moving all work and services online, the number of corporate websites is increasing. Thanks to technological innovation around the cloud, building a website itself has become easier. However, the difficulty of operating a website while maintaining security is as high as ever. Taking measures to protect servers securely will be an increasingly important issue for business continuity.