The 5th BEYOND study session, "[Use it today!] It's bad if you don't know! Threats and countermeasures for cyberattacks targeting web content ~ BEYOND Study Session #5 Powered by IIJ GIO + Scutum ~", was held!
Table of contents
- 1 IIJ's thoughts on web server security & introducing the optimal solution for web server security [IIJ Website Unauthorized Access Blocking Solution]
- 2 Implemented on over 1,500 sites! What is "Scutum", the WAF that changed the common sense of WAFs?
- 3 How to diagnose web content vulnerabilities for free using the open source Nessus
- 4 Summary
My name is Ito and I am an infrastructure engineer.
As I mentioned in the announcement, we held our 5th study session!
[5th] Beyond study session will be held! | Beyond
Doorkeeper Co., Ltd.: [You can use it from today!] It's bad if you don't know! Threats and countermeasures for cyberattacks targeting web content ~ Beyond Study Group #5 Powered by IIJ GIO + Scutum ~ - Beyond Study Group | Doorkeeper
This time, Internet Initiative Japan (IIJ) and Secure Sky Technology took the stage
to talk about security. From our own company, I introduced Nessus, a vulnerability detection scanning tool.
Here is a brief look at how it went!
IIJ's thoughts on web server security & Introducing the optimal solution for web server security [IIJ Website Unauthorized Access Blocking Solution]
IIJ introduced its "IIJ Website Unauthorized Access Blocking Solution".
When it comes to "blocking unauthorized access", installing an appliance (a physical device)
apparently brings no cost benefit.
True enough: you have to think about depreciation of the equipment and about who is going to operate it.
Once you own the equipment, your own company has to run it, and if
it breaks down it costs you in all sorts of ways, in both time and money.
Another disadvantage of an appliance shows up under a DDoS attack,
when a huge number of packets is thrown at you.
The appliance receives them, but
there is a risk that the DMZ entrance is saturated and can no longer take in packets at all.
Moving the "unauthorized access countermeasures" to the cloud is said to resolve these disadvantages.
You only have to think about the definition of unauthorized access, and
not about the equipment, so there is a cost benefit.
And since the large volume of packets is received first at the IIJ backbone,
the entrance to your internal system's DMZ is no longer the place that has to absorb them.
So, what solutions are there for blocking unauthorized website access?
Briefly...
CDN service
A CDN caches your content and serves the cached copy when it is accessed.
If you allow access to your server only from the CDN, you can limit who can reach the server.
I also like that setting it up is as easy as switching DNS.
Packet filter
A packet filter stops unnecessary packets from getting through.
If you block unneeded ports and IP addresses at each stage and
allow only the access that is truly necessary, you can expect a big reduction in unauthorized access.
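To make the "only the CDN can reach the server" and "allow only truly necessary access" ideas concrete, here is an added example (my own illustration, not IIJ's code): a small Python policy table with a default deny, evaluated the way a packet filter would evaluate it, and rendered as an nftables ruleset for the origin host. The CDN and admin address ranges in it are constructed placeholders.

```python
"""Let only the CDN (and the admin network) reach the origin server; deny everything else.

Added example, not IIJ's or Beyond's code. CDN_RANGES and ADMIN_RANGES are constructed
placeholder ranges; in practice you would load the CDN provider's published address list.
"""
import ipaddress
from dataclasses import dataclass

CDN_RANGES = ["198.51.100.0/24", "2001:db8:cd00::/40"]   # constructed placeholders
ADMIN_RANGES = ["203.0.113.0/28"]                         # constructed placeholder


@dataclass(frozen=True)
class Rule:
    sources: tuple        # ip_network objects; empty tuple means "any source"
    ports: frozenset      # destination TCP ports; empty set means "any port"
    action: str           # "accept" or "drop"
    comment: str


def _nets(cidrs):
    return tuple(ipaddress.ip_network(c) for c in cidrs)


# First match wins, like a packet filter; the last rule is the default deny that makes
# "allow only what is truly necessary" hold for anything not listed above it.
RULES = (
    Rule(_nets(CDN_RANGES), frozenset({80, 443}), "accept", "web traffic only via the CDN"),
    Rule(_nets(ADMIN_RANGES), frozenset({22}), "accept", "SSH only from the admin network"),
    Rule((), frozenset(), "drop", "default deny"),
)


def _matches(rule, src, port):
    # 'ip_address in ip_network' is False across IPv4/IPv6, so mixed lists are safe.
    if rule.sources and not any(src in net for net in rule.sources):
        return False
    return not rule.ports or port in rule.ports


def evaluate(src_ip, dst_port, rules=RULES):
    """Return (action, comment) for a TCP connection attempt to the origin."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if _matches(rule, src, dst_port):
            return rule.action, rule.comment
    return "drop", "no rule matched"


def render_nftables(rules=RULES):
    """Emit the same policy as an nftables ruleset for the origin host."""
    lines = [
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    for rule in rules:
        if rule.action != "accept":
            continue  # the default deny is expressed by 'policy drop' above
        ports = ", ".join(str(p) for p in sorted(rule.ports))
        for net in rule.sources:
            family = "ip" if net.version == 4 else "ip6"
            lines.append(f'    {family} saddr {net} tcp dport {{ {ports} }} '
                         f'accept comment "{rule.comment}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, port in [("198.51.100.7", 443), ("192.0.2.10", 443), ("203.0.113.5", 22)]:
        print(ip, port, evaluate(ip, port))
    print(render_nftables())
```

Two things to keep in mind when you do this for real: the CDN provider's address list changes, so it has to be fetched and re-applied regularly, and an IP allowlist alone does not stop another customer of the same CDN from pointing their distribution at your origin, so pair it with some form of origin authentication such as a secret header that the CDN adds.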
SSL certificate
SSL is used to encrypt HTTP communication.
They also deliberately set up a weakly secured server, a so-called honeypot,
to see what kinds of attacks it would receive; IIJ is said to analyze those attacks and turn the results into countermeasures.
This seems safe!!
Implemented on over 1,500 sites! What is “Scutum” that changed the common sense of WAF?
In the second session, Secure Sky Technology introduced Scutum.
The difference between Scutum and conventional WAF (Web Application Firewall) is as follows.
- Low price
- Low hurdle for introduction
- Operation is handled by Secure Sky Technology
It is a wonderful service that
blocks all access deemed to be an attack. A WAF normally involves a lot of work, such as keeping its signatures updated, but
with Scutum you can rest assured because Secure Sky Technology handles the operation.
Since it is cloud-based, everything on the device side is taken care of as well.
When it comes to security, ideally you run a PDCA cycle, but that is quite difficult.
The question "Who does it? What exactly?" always follows.
Scutum seems to solve this problem as well.
On the subject of security,
he also mentioned that CMSs are easy targets.
CMSs have many users, and many are open source.
Many attackers go after
extensions such as plugins and themes, and WordPress in particular has a very large user base, so it is easy to become a target.
Is your config backup sitting somewhere it can be seen unintentionally? Be careful!!
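As an added illustration of that last warning (not something shown at the study session): a Python check that refuses requests for backup-looking files and for the WordPress config, wrapped as WSGI middleware. The suffix list is an assumption about what such leftovers usually look like, and the request paths are constructed.

```python
"""Refuse to serve config backups and editor leftovers left in the document root.

Added example, not from the study session. The suffix list and the wp-config pattern are
an assumption about what "a config backup in a visible location" usually looks like;
the request paths used for the demo are constructed.
"""
import re
from urllib.parse import unquote, urlsplit

# Suffixes that editors, deploy scripts and hurried admins leave next to the real file.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", ".tmp", "~")
# The WordPress config itself and any variant of it (wp-config.php.bak, wp-config.php~, ...).
WP_CONFIG = re.compile(r"^wp-config\.php(\.|~|$)", re.IGNORECASE)


def is_blocked_path(request_path):
    """True if the request target points at a file that must never be served."""
    path = unquote(urlsplit(request_path).path)   # strip the query, decode %2E and friends
    basename = path.rsplit("/", 1)[-1]
    if WP_CONFIG.match(basename):
        return True
    lowered = basename.lower()
    return any(lowered.endswith(suffix) for suffix in BACKUP_SUFFIXES)


def deny_backups(app):
    """WSGI middleware: answer 404 (not 403, so the file's existence is not confirmed)."""
    def wrapped(environ, start_response):
        # PATH_INFO is already percent-decoded; decoding again only errs towards blocking.
        if is_blocked_path(environ.get("PATH_INFO", "")):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"Not Found\n"]
        return app(environ, start_response)
    return wrapped


def _demo_app(environ, start_response):
    """Stand-in for the real application: serves everything it is asked for."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"served\n"]


def status_for(path):
    """Run one constructed request through the middleware; return (status, body)."""
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = deny_backups(_demo_app)(environ, start_response)
    return seen["status"], b"".join(body)


if __name__ == "__main__":
    for p in ["/wp-config.php.bak", "/wp-config%2Ephp", "/index.php", "/css/site.css~"]:
        print(p, status_for(p)[0])
```

The real fix is not to leave backups in the document root at all; a rule like this (or its equivalent in the web server's configuration) is the safety net for the day someone does.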
How to diagnose web content vulnerabilities for free using the open source Nessus.
Lastly, I would like to talk about Nessus.
When talking about security, the term "vulnerability countermeasures" often comes up.
Vulnerabilities such as httpoxy (the Proxy header problem) and the OpenSSL issues have been making headlines.
Reference:
JVNVU#91485132: CGI web server sets the value of the header Proxy to the environment variable HTTP_PROXY
Multiple vulnerabilities in OpenSSL (CVE-2016-2107, CVE-2016-2108, etc.) | SIOS OSS | SIOS Technology
It would be great if vulnerabilities could always be found this way, but
are your server settings okay in the first place? That is what a "vulnerability detection scan" tool, typified by Nessus, which we introduced this time, can find.
By performing pseudo-attacks, it finds the "holes in the server".
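Since the httpoxy advisory referenced above is a good example of a "hole" that is really a setting, here is an added Python walkthrough (my own illustration, not part of the session and not a Nessus check) of how a client's Proxy header becomes HTTP_PROXY under CGI, and of the two places it gets fixed: stripping the header at the web server, and the client library ignoring HTTP_PROXY when it detects that it is running as CGI. The request headers and the proxy URL are constructed.

```python
"""How a client's "Proxy:" header turns into HTTP_PROXY under CGI (the "httpoxy" issue
behind JVNVU#91485132) and the two places it is fixed.

Added example, not from the study session and not a Nessus check. The request headers and
the proxy URL are constructed; the ".invalid" host never resolves.
"""
import os
import urllib.request

# Constructed request: a normal-looking request that also carries a Proxy header.
SAMPLE_HEADERS = [
    ("Host", "www.example.com"),
    ("User-Agent", "demo-client/1.0"),
    ("Proxy", "http://proxy.invalid:3128"),
]


def cgi_meta_variables(headers):
    """RFC 3875 mapping: every request header becomes HTTP_<NAME>, upper-cased, '-' to '_'.
    Applied to a Proxy header this produces HTTP_PROXY, which many HTTP client libraries
    read to pick their outbound proxy."""
    env = {}
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def cgi_environment(headers, method="GET"):
    """The header-derived variables plus REQUEST_METHOD, as a real CGI process sees them."""
    return dict(cgi_meta_variables(headers), REQUEST_METHOD=method)


def hardened_meta_variables(headers):
    """Fix 1, on the web server side: drop the Proxy header before building the CGI
    environment. No standard client sends it, so nothing legitimate breaks."""
    return cgi_meta_variables((n, v) for n, v in headers if n.lower() != "proxy")


def naive_client_proxy(env):
    """A client that simply trusts HTTP_PROXY (the behaviour the advisory is about)."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def urllib_client_proxy(env):
    """Fix 2, on the client side, as implemented by Python's urllib: when REQUEST_METHOD is
    present the process is running as CGI, and the upper-case HTTP_PROXY is ignored.
    urllib only reads os.environ, so the given environment is installed temporarily."""
    saved = dict(os.environ)
    try:
        for key in list(os.environ):
            if key.lower().endswith("_proxy") or key == "REQUEST_METHOD":
                del os.environ[key]       # start from a clean, non-CGI environment
        os.environ.update(env)
        return urllib.request.getproxies_environment().get("http")
    finally:
        os.environ.clear()
        os.environ.update(saved)


if __name__ == "__main__":
    env = cgi_environment(SAMPLE_HEADERS)
    print("CGI env has HTTP_PROXY :", env.get("HTTP_PROXY"))
    print("naive client would use  :", naive_client_proxy(env))
    print("urllib in CGI uses      :", urllib_client_proxy(env))
    print("after stripping header  :", hardened_meta_variables(SAMPLE_HEADERS).get("HTTP_PROXY"))
```

The web-server-side fix is the one to rely on, because it protects every CGI program and every client library behind it at once; the client-side detection shown with urllib is the defence in depth that a single library can add for itself.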
Nessus requires a license fee for commercial use, but it can be used free of charge for personal use only.
Normally Nessus is installed on a server, but if you use the AWS Marketplace you can use Nessus just by launching it.
Nessus Enterprise for AWS (Manager) on AWS Marketplace
Nessus is very convenient: you just enter the IP address and run a scan to find out whether there are any holes.
It can perform many types of scans, but here the sheer number backfires and you wonder, "Which scan should I run?"
It would be great if security were firmly established within the company, but in reality we don't have that much of a grip on it.
Beyond scans using the security standard called "PCI DSS".
What is PCI DSS? Japan Card Information Security Council
This is a security standard set by the credit card companies, and it is quite strict. In the United States this standard is often used even by companies unrelated to credit cards,
and Beyond also uses it.
However, if you don't work with servers much, it will be hard to deal with it when a Nessus scan says "It's time to change the SSL encryption strength"...
In such cases, leave it to Beyond!!!
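Because "it's time to change the SSL encryption strength" is the kind of finding that catches people off guard, here is an added Python example (not Nessus's or PCI DSS's logic, just an assumed policy in the same spirit) that audits an nginx-style TLS configuration for SSL/early TLS and weak cipher entries before the scanner does. Both configuration snippets are constructed; the policy requires TLS 1.2 or newer, which is stricter than the bare PCI DSS minimum.

```python
"""Preview the "time to change the SSL encryption strength" class of finding on an
nginx-style TLS configuration before the scanner reports it.

Added example; this is not Nessus's or PCI DSS's own check logic. The policy is an
assumption in the spirit of PCI DSS retiring SSL and early TLS: TLS 1.2 or newer only
(stricter than the bare PCI DSS minimum), and no suite using RC4, DES/3DES, NULL,
export-grade, MD5 or anonymous key exchange. Both configuration snippets are constructed.
"""
import re

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Substrings of OpenSSL cipher names that mark suites a PCI-style scan flags.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")
# Aliases whose expansion depends on the OpenSSL build; verify with 'openssl ciphers -v'.
OPAQUE_ALIASES = {"ALL", "DEFAULT", "MEDIUM", "LOW", "COMPLEMENTOFDEFAULT", "COMPLEMENTOFALL"}

SAMPLE_WEAK = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:MEDIUM:RC4-SHA:DES-CBC3-SHA:!aNULL;
}
"""

SAMPLE_HARDENED = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
}
"""


def parse_directive(config, name):
    """Return the arguments of the first 'name ...;' directive, or [] if it is absent."""
    match = re.search(rf"^\s*{name}\s+([^;]+);", config, re.MULTILINE)
    return match.group(1).split() if match else []


def audit_tls_config(config):
    """Return a list of human-readable findings; an empty list means the config passes."""
    findings = []
    for proto in parse_directive(config, "ssl_protocols"):
        if proto not in ALLOWED_PROTOCOLS:
            findings.append(f"protocol {proto} is enabled; only TLS 1.2/1.3 are allowed")
    cipher_string = ":".join(parse_directive(config, "ssl_ciphers"))
    for entry in filter(None, cipher_string.split(":")):
        if entry.startswith("!"):
            continue  # an exclusion such as !aNULL is hardening, not a finding
        if entry in OPAQUE_ALIASES:
            findings.append(f"cipher alias {entry} may expand to weak suites; verify its expansion")
        elif any(marker in entry for marker in WEAK_MARKERS):
            findings.append(f"cipher {entry} is weak")
    return findings


if __name__ == "__main__":
    for label, cfg in [("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)]:
        print(label, audit_tls_config(cfg) or ["no findings"])
```

A scanner tests the live endpoint, and that remains the final word; this only catches the obvious misconfigurations early. The substring matching is deliberately coarse, and aliases such as MEDIUM are flagged for manual review because what they expand to depends on the OpenSSL build.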
Summary
There are many ways to be attacked, so you need to know many ways to protect yourself.
It might be a CDN or a WAF, but if you still don't know what is going on,
it's a good idea to use a vulnerability detection scanning tool such as Nessus to find out where you stand.
This is a problem I'll be dealing with for the rest of my life, so I want to gather as much information as I can!
Thank you again, IIJ and Secure Sky Technology!