Home > Articles > Security > Network Security

Daily Security Tips from Ed Skoudis - Week of August 26, 2002

  • Print
  • + Share This
Take a tip from Ed Skoudis, one of InformIT's most popular writers, as he shares a daily nugget of his knowledge of information security. Invest a few minutes of your day to learn something new about protecting your information assets.
Like this article? We recommend

Security Tip for Friday, August 30th, 2002

To prevent SQL Injection attacks against your web applications, filter user input to remove sensitive characters that may be meaningful to back-end databases. Characters such as ', ", ´, ;, *, _, %, and others (&\|*?~<>^()[]{}$\n\r ) should be removed from any user input. Your best bet is to define which characters are allowed (such as alphanumeric characters), and remove everything else. Most applications don't really require these unusual characters for user input anyway. Because a malicious user can easily bypass filters on the browser side (e.g., using Javascript), filtering of user input must occur on the server side.

Security Tip for Thursday, August 29th, 2002

Design web applications so that critical data is not stored on the web server machine itself. The web server should gather sensitive data from the user and quickly move it to a back-end transaction server or database. The longer that the data, such as credit card numbers, financial transactions, or medical information, sits on the web server, the more likely an attacker will be able to compromise it. Keep sensitive data on a web server for no more than thirty minutes, and even less if possible.

Security Tip for Wednesday, August 28th , 2002

One of the major problems plaguing the security of wireless LANs involves the Wired Equivalent Privacy (WEP) protocol. WEP has been broken using a variety of mechanisms that allow an attacker to retrieve the encryption/authentication key. If you are deploying wireless LANs in a network infrastructure that carries sensitive data, consider using a Virtual Private Network (VPN) to strongly authenticate and encrypt traffic sent across the wireless hop. Think about it – when you send arbitrary data to your protected intranet across the big, scary Internet, you use a VPN. The radio spectrum around your facilities is also a big, scary network, so you should use a VPN to protect your data there as well.

Security Tip for Tuesday, August 27th, 2002

When handling computer incidents, use pre-printed forms for recording the details of the incident in writing. Such forms help to ensure that you do not miss any details during the excitement of an incident. Not only do such forms help you follow a clearly defined incident handling process, they can also be very useful if your case ever goes to court. You can find incident handling forms available for free at http://www.incidents.org/Incident_forms/

Security Tip for Monday, August 26th, 2002

For computer incident handling and forensics activities, prepare a jump-bag that includes software and hardware you may need in a crisis situation. Keep this jump bag with you, so that you are ready to go whenever an incident occurs. Store the following in your jump bag: spare IDE and SCSI drives, CDs and floppies with critical system binaries (Tripwire, AIDE, ls, ps, netstat, cp, etc.), extra notebooks for taking detailed notes, and other critical items. When not handling an incident, never "borrow" from your own jump bag, despite how tempting it may be!

Check back here every weekday for another security tip!

  • + Share This
  • 🔖 Save To Your Account