Beyond held its 5th study session, "Start using it today! It's bad if you don't know! Threats and countermeasures to cyber attacks targeting web content. ~ Beyond Study Session #5 Powered by IIJ GIO + Scutum ~"

I'm Ito, an infrastructure engineer.
As I mentioned in the announcement, we held our 5th study session!
[5th] Beyond Study Session! | Beyond
Doorkeeper, Inc.: [Start using it today!] You're in trouble if you don't know! Cyber-attack threats and countermeasures targeting web content. ~ Beyond Study Session #5 Powered by IIJ GIO + Scutum ~ - Beyond Study Session | Doorkeeper

This time, Internet Initiative Japan and Secure Sky Technology took to the stage
to talk about security, and I introduced Nessus, a vulnerability detection scanning tool, from our company.

I would like to give you a little glimpse into what happened!

IIJ's thoughts on web server security & Introducing the optimal solution for web server security [IIJ Website Unauthorized Access Blocking Solution]

IIJ introduced it as the "IIJ Website Unauthorized Access Blocking Solution."


it seems that there is no cost benefit to installing an appliance (actual equipment)

Certainly, there are considerations such as depreciation of the equipment and who will operate it;
since you own the equipment, you have to operate it within your own company, and
there are costs when it breaks, so money is involved in various areas.

Another disadvantage of having an appliance is that
in a DDoS attack a large number of packets are thrown at it.
The appliance itself may be able to receive those packets, but
there is a possibility that the DMZ entrance in front of it cannot receive them all.

It is said that the above disadvantages are eliminated by moving the "unauthorized access prevention measures" to the cloud.

If you only had to think about the definition of unauthorized access and
didn't have to think about equipment, there would likely be cost benefits.

Large volumes of packets will first be received by the IIJ backbone, so
it will no longer be the case that they cannot be received at the entrance to the DMZ of the internal system.

So, what kind of solutions are there to block unauthorized website access?
Here's a quick introduction...

CDN services

A CDN caches content and returns it when accessed.
You can limit access to your origin server by allowing connections only from the CDN.

Another great thing is that it is easy to set up: you just switch the DNS.

Packet Filter

A packet filter blocks unwanted packets.

If we can block inappropriate ports and IP addresses at each stage and
allow only the access that is truly necessary, we can expect to significantly reduce unauthorized access.
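As an added example (not from the talks or from IIJ), here is one way to express the policy from the two sections above, "only the CDN may reach the web ports, only the management network may reach SSH, drop everything else," as a small Python model you can sanity-check before applying it, rendered as an nftables ruleset. The address ranges are constructed placeholders, not any provider's real ranges.

```python
import ipaddress

# Constructed sample ranges (not a real CDN's published list): in practice you
# would take the CDN provider's egress ranges from its documentation.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
# Constructed management network that is allowed to reach SSH.
MGMT_RANGES = [ipaddress.ip_network("192.0.2.0/28")]

WEB_PORTS = {80, 443}
SSH_PORT = 22


def allowed(src, dport):
    """Mirror of the filter policy: is a packet from src to TCP dport accepted?"""
    ip = ipaddress.ip_address(src)
    if dport in WEB_PORTS:
        return any(ip in net for net in CDN_RANGES)   # web only via the CDN
    if dport == SSH_PORT:
        return any(ip in net for net in MGMT_RANGES)  # SSH only from management
    return False  # default deny for every other port


def nft_ruleset():
    """Render the same policy as an nftables ruleset (inet family, input hook)."""
    cdn = ", ".join(str(n) for n in CDN_RANGES)
    mgmt = ", ".join(str(n) for n in MGMT_RANGES)
    ports = ", ".join(str(p) for p in sorted(WEB_PORTS))
    return "\n".join([
        "table inet origin_filter {",
        f"  set cdn_v4 {{ type ipv4_addr; flags interval; elements = {{ {cdn} }} }}",
        f"  set mgmt_v4 {{ type ipv4_addr; flags interval; elements = {{ {mgmt} }} }}",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",   # default deny
        "    ct state established,related accept",                # replies to our traffic
        "    iif lo accept",
        f"    ip saddr @cdn_v4 tcp dport {{ {ports} }} accept",
        f"    ip saddr @mgmt_v4 tcp dport {SSH_PORT} accept",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    print(nft_ruleset())
```

Applying the printed ruleset with `nft -f` is only safe after the CDN range list is kept current, since a stale list silently blocks legitimate CDN edges.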

SSL Certificates

SSL (TLS), which encrypts HTTP communications.

Honeypots

Deliberately placing servers with weak security, known as honeypots, to analyze what types of attacks are coming and then take countermeasures.

This seems reassuring!!

With over 1,500 sites installed! What is "Scutum" that has changed the conventional wisdom of WAF?

In the second session, Secure Sky Technology introduced Scutum,
which explains the differences between Scutum and traditional WAFs (Web Application Firewalls).

  • Low price
  • Low barrier to entry
  • Operation is carried out by Secure Sky Technology

A WAF is a great service because it blocks all access that it deems to be an attack.
However, there is a lot of work involved, such as updating signatures,
so it is reassuring that Secure Sky Technology handles the operation.
Because it is cloud-based, they take care of everything on the device side.

Ideally, security would be implemented using the PDCA cycle, but this is not easy.
The question of "Who? What?" always comes up.
Scutum seems to be able to solve these problems as well.

Speaking of security, he also mentioned that CMSs are common targets.
CMSs have many users and many are open source.

Many attacks come in through extensions such as plugins and themes,
and WordPress in particular is so widely used that it is a frequent target.

Be careful not to accidentally leave your config backup in a visible location!

How to diagnose web content vulnerabilities for free using the open source Nessus

Finally, I spoke about Nessus. It's leaning..

When talking about security, the topic of "vulnerability response" often comes up.
Vulnerabilities involving the HTTP Proxy header and OpenSSL are making waves.

Reference:
JVNVU#91485132: Vulnerability where CGI web server sets the value of the Proxy header to the HTTP_PROXY environment variable
Multiple vulnerabilities in OpenSSL (CVE-2016-2107, CVE-2016-2108, etc.) | SIOS OSS | SIOS Technology

It's great when vulnerabilities are announced like this, but
then you might wonder whether the server configuration was okay to begin with. That is what tools known as "vulnerability scanners," such as the Nessus introduced here, can find out.

By conducting simulated attacks, it can find "holes in the server."

Nessus requires a license fee for commercial use, but is free for personal use.

Normally you install it on a server, but if you use the AWS Marketplace you can use Nessus just by launching the image.

Nessus is very useful because it can find holes by simply entering an IP address and scanning it.
There are many types of scans available, but the large number of options can be a drawback, leaving you wondering, "Which scan should I run?"

It would be great if security was clearly defined within the company, but the reality is that we don't have the resources to do that.
At Beyond, we scan using a security standard called "PCI DSS."

What is PCI DSS? | Japan Card Information Security Council

These are security standards set by the credit card companies, and they are quite strict. In the United States,
these standards are often used even by companies unrelated to credit cards, and Beyond uses them too.

However, if you don't work on your server often, it can be hard to know what to do when a Nessus scan tells you to change the SSL encryption strength.
In that case, leave it to Beyond!!!

Summary

There are many ways to be attacked, so I think it's important to know many ways to defend yourself.

That could be a CDN or a WAF, but if you still don't know where you stand,
it's a good idea to use a vulnerability scanning tool such as Nessus to find out.

I'll have to deal with this issue for the rest of my life, so I'd like to gather as much information as possible!

Thank you again to IIJ and Secure Sky Technology!
