Beyond held its 5th study session, "Start using it today! It's bad if you don't know! Threats and countermeasures to cyber attacks targeting web content. ~ Beyond Study Session #5 Powered by IIJ GIO + Scutum ~"

Table of contents
- 1 IIJ's thoughts on web server security & Introducing the optimal solution for web server security [IIJ Website Unauthorized Access Blocking Solution]
- 2 With over 1,500 sites installed! What is "Scutum" that has changed the conventional wisdom of WAF?
- 3 How to diagnose web content vulnerabilities for free using the open source Nessus
- 4 Summary
This is Ito, an infrastructure engineer.
As we announced, we held our 5th study session!
[5th] Beyond Study Session Held! | Beyond
Doorkeeper Co., Ltd.:[Practical from Today!] You Can't Afford to Ignore This! Threats and Countermeasures Against Cyberattacks Targeting Web Content. ~ Beyond Study Session #5 Powered by IIJ GIO + Scutum ~ - Beyond Study Session | Doorkeeper
This time, we had presentations on security from Internet Initiative Japan (IIJ) and SecureSky Technology. I also introduced Nessus, a vulnerability scanning tool, on behalf of our company.
I would like to give you a little glimpse into what happened!
IIJ's thoughts on web server security & Introducing the optimal solution for web server security [IIJ Website Unauthorized Access Blocking Solution]
IIJ presented its "IIJ Website Unauthorized Access Blocking Solution."
Their point about "blocking unauthorized access" was that installing an appliance (a physical device) offers no cost benefit.
That makes sense: once you own the equipment you have to operate it yourself, and costs arise in many places, such as depreciation of the equipment, deciding who will operate it, and the expense when the equipment breaks down.
Another disadvantage of an appliance shows up during a DDoS attack, when a large number of packets are sent. The appliance itself may receive them, but the DMZ entry point in front of the appliance may not be able to receive all of them.
They said that moving "unauthorized access prevention measures" to the cloud eliminates the disadvantages above.
If you only have to think about the "definition of unauthorized access" and don't need to think about the "equipment," there should be a cost advantage.
And since large volumes of packets are first received by the IIJ backbone, the entry point of your own DMZ should no longer be the place where packets fail to be received.
So, what kinds of solutions are available for blocking unauthorized access to websites?
Here's a brief overview...
CDN services
A CDN caches content and returns the cached copy when it is accessed.
By restricting access to your origin server so that it only comes from the CDN, you limit who can reach the server directly.
Another great thing is that it's easy to set up: you just switch the DNS.
Packet Filter
A packet filter blocks unwanted packets.
By blocking inappropriate ports and IP addresses at each stage and allowing only truly necessary access, unauthorized access can be expected to decrease significantly.
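As an added illustration of the two points above (origin reachable only from the CDN, and a packet filter that allows only what is necessary), here is a small policy checker plus an nftables rendering. This is example code written for this post, not IIJ's solution; the CDN ranges, the admin range and the SSH-from-admin rule are constructed assumptions.

```python
"""Added example: "CDN in front, packet filter behind" for an origin server.
The CDN and admin ranges are constructed placeholders; replace them with
your CDN's published address list and your own management network."""
import ipaddress

# Constructed placeholder ranges (documentation prefixes), not real CDN ranges.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
ADMIN_RANGES = [ipaddress.ip_network("192.0.2.10/32")]

# Only these (source set, destination port) pairs are allowed; everything else drops.
# SSH from the admin range is an assumption for this example.
RULES = [("cdn", 80), ("cdn", 443), ("admin", 22)]

SETS = {"cdn": CDN_RANGES, "admin": ADMIN_RANGES}


def _in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in r for r in ranges)


def decide(src_ip, dst_port):
    """Return 'accept' or 'drop' for a new inbound TCP connection to the origin."""
    for src_set, port in RULES:
        if port == dst_port and _in_ranges(src_ip, SETS[src_set]):
            return "accept"
    return "drop"  # default-deny: anything not explicitly allowed is dropped


def render_nft():
    """Render the same policy as an nftables ruleset with a default-drop input chain."""
    lines = ["table inet origin {"]
    for name, ranges in SETS.items():
        elems = ", ".join(str(n) for n in ranges)
        lines.append(f"  set {name} {{ type ipv4_addr; flags interval; elements = {{ {elems} }} }}")
    lines += ["  chain input {",
              "    type filter hook input priority 0; policy drop;",
              "    ct state established,related accept",
              "    iif lo accept"]
    for src_set, port in RULES:
        lines.append(f"    ip saddr @{src_set} tcp dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nft())
```

Direct hits on port 80 or 443 from anywhere other than the CDN are dropped, which is what makes "only the CDN can reach the origin" enforceable rather than just a DNS convention.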
SSL Certificates
SSL encrypts HTTP communications.
Honeypots
Servers with deliberately weak security, known as honeypots, are placed intentionally so that the kinds of attacks that occur can be analyzed and countermeasures implemented.
This seems reassuring!!
With over 1,500 sites installed! What is "Scutum" that has changed the conventional wisdom of WAF?
In the second session, SecureSky Technology gave a presentation on Scutum.
Here's how Scutum differs from traditional WAFs (Web Application Firewalls).
- Low price
- Low barrier to entry
- Operation is carried out by Secure Sky Technology
A WAF (Web Application Firewall) is a fantastic service because it blocks all access that it deems to be an attack.
There is a lot to do, such as updating signatures and performing other maintenance, but you can rest assured knowing that "SecureSky Technology handles the operation."
Since it's cloud-based, they take care of everything on the device side.
Ideally, security should run as a "PDCA" cycle of operation, but that's often difficult in practice.
The questions "Who does it? What exactly?" always come up.
Apparently, Scutum can solve these problems as well.
Speaking of security, they also mentioned that CMSs are often targeted.
CMSs have many users and many are open source, so many attackers exploit them, including extensions such as plugins and themes.
WordPress, in particular, has many users, so it is a frequent target.
Be careful not to accidentally leave your config backup in a visible location!
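The warning about config backups is easy to check for yourself. The audit below, an added example for this post rather than anything from the talk, walks a document root and flags config files that carry a backup or editor suffix and would therefore be served to anyone who guesses the name. The suffix and file-name lists and the sample tree are constructed assumptions.

```python
"""Added example: audit a web document root for exposed config backups.
The CONFIG_STEMS and SUFFIXES lists are assumptions; extend them for your CMS."""
import os
import tempfile

# Common backup/editor leftovers that end up next to the real config file.
SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", "~", ".txt", ".zip", ".tar.gz")
# Config files worth protecting (constructed list for this example).
CONFIG_STEMS = ("wp-config.php", "config.php", "configuration.php", "settings.php", ".env")


def exposed_backups(docroot):
    """Return paths (relative to docroot) that look like a config file plus a backup suffix."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            # Editor swap files are hidden with a leading dot: .wp-config.php.swp
            base = name[1:] if name.startswith(".") and not name.startswith(".env") else name
            for stem in CONFIG_STEMS:
                if base != stem and base.startswith(stem) and base[len(stem):] in SUFFIXES:
                    hits.append(os.path.relpath(os.path.join(dirpath, name), docroot))
                    break
    return sorted(hits)


def demo_tree():
    """Build a constructed docroot: one clean config, three leftovers, one normal file."""
    root = tempfile.mkdtemp()
    for rel in ("wp-config.php", "wp-config.php.bak", ".wp-config.php.swp",
                "wp-content/plugins/x/config.php.old", "index.php"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    for hit in exposed_backups(demo_tree()):
        print("possible exposed backup:", hit)
```

Run it against the real document root (for example `exposed_backups("/var/www/html")`) and move or delete anything it reports; the unmodified `wp-config.php` itself is not flagged.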
How to diagnose web content vulnerabilities for free using the open source Nessus

Finally, I spoke about Nessus.
When discussing security, "vulnerability response" is a frequently mentioned topic.
Vulnerabilities in HTTP proxy handling and in OpenSSL, for example, often make headlines.
Reference:
- Vulnerabilities that allow a CGI web server to set the value of the Proxy header to the environment variable HTTP_PROXY
- Multiple vulnerabilities in OpenSSL (CVE-2016-2107, CVE-2016-2108, etc.)
It's great that vulnerabilities are found in this way, but the question then becomes: was the server configuration itself okay to begin with? That's where "vulnerability detection scans" with tools like Nessus (which I introduced earlier) come in.
By conducting simulated attacks, such a scan finds "holes in the server."
Nessus requires a license fee for commercial use, but it is free for personal use.
While it's typically installed on a server, if you purchase it from the AWS Marketplace you can use Nessus simply by launching it.
(Nessus Enterprise for AWS (Manager) on AWS Marketplace)
Nessus is very convenient: you just enter an IP address and it scans for vulnerabilities.
It can perform various types of scans, but the sheer number of options can itself be a problem, making it difficult to know which scan to choose.
Ideally, we'd have a robust security program in place, but the reality is that we often don't have the resources for that.
At Beyond, we scan against the PCI DSS security standard.
What is PCI DSS? | Japan Card Information Security Council
The security standards set by the credit card companies are quite strict, and in the US many companies unrelated to credit cards also use them; Beyond has adopted them as well.
However, for those who don't work with servers very often, a Nessus scan might report something like "Change the SSL encryption strength," which can be difficult to address.
In such cases, leave it to Beyond!!!
Summary

There are many ways to be attacked, so I think it's important to know many ways to defend yourself.
That could be a CDN or a WAF, but if you're still unsure of your status, it's a good idea to use a vulnerability scanning tool like Nessus to check it.
I'll have to deal with this issue for the rest of my life, so I'd like to gather as much information as possible!
Thank you again to IIJ and Secure Sky Technology!