Timeline for Non-Sensitive/Non-Critical Database and Web server protections?
Current License: CC BY-SA 3.0
6 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Oct 5, 2015 at 13:09 | comment added | k1DBLITZ | | "People confirmers" are commonly referred to as CAPTCHAs. :) As for the web server, ideally there would be a WAF (web application firewall) or HIDS (host-based IDS) in place to help prevent and detect attacks. In this case, though, it seems the cost to implement would be higher than the value of the data worth protecting. It would serve the security posture well if the developers are following OWASP and SANS SWAT guidelines for secure coding. |
| Oct 1, 2015 at 15:04 | comment added | Angie | | Anything else I might need to look for? Sorry for the dumb-sounding answers; I'm security for an Access database system that is entirely internal and was just assigned this web application that is public-facing. I am kind of out of my element. |
| Oct 1, 2015 at 15:03 | comment added | Angie | | I checked for HTML injection and the possibility of a DoS attack on the page. I confirmed each field has business rules and proper statements for bad input. I'm in the process of requesting that they add one of those people confirmers (forgot the name) where they enter a word to confirm they're not a robot, and also implementing monitoring of the traffic on the page to ensure that if the baseline changes (up or down) by a certain percentage, the team is notified. |
| Oct 1, 2015 at 14:47 | comment added | Angie | | The users enter their account number on the web page, the web server connects to the DB server to access a table, and a message just says something like 'Your bill is due in 10 days and is $55. If you have questions about your bill, please contact customer service.' The only info that is sent from the critical systems is the amount, account number and due date. The rest of the info (name, SSN, address, etc.) is stored in the critical system. |
| Oct 1, 2015 at 14:43 | comment added | Angie | | Thanks for the response. The communication is one-way from the critical systems to the database. I'm concerned about the ODBC connection because, as far as I understand, it's insecure. The database contains the code for the web page. Could a hacker conceivably change the web page to ask for PII or other info from users, or something worse? Also, can a hacker use the database server as a conduit somehow to get to the critical systems on the LAN? The database server connects with the critical systems because the application is essentially a way for users to check the status of their bills or retirement. |
| Oct 1, 2015 at 14:01 | history answered | k1DBLITZ | CC BY-SA 3.0 | |
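The traffic-baseline alerting that Angie describes in the thread above (notify the team when volume on the page moves up or down by some percentage) is simple enough to sketch end to end. The block below is an added example, not code from the question, the answer, or either commenter. It assumes combined-format web server log lines, which are constructed here rather than captured, and a hypothetical baseline of 4 requests per 5-minute bucket with a 50% alert threshold; in practice both numbers would come from historical traffic for the page. Two details matter for the "down" half of the check: buckets with no requests at all are filled in as zero rather than silently absent, and a malformed log line is skipped rather than allowed to abort monitoring.

```python
"""Alert when request volume for one page deviates from its baseline.

Added example for this thread; not code from the question or answer.
Log lines are constructed, and the baseline and threshold are
hypothetical values that would normally come from historical traffic.
"""
from datetime import datetime, timedelta
import re

# Constructed sample traffic in combined log format (UTC timestamps).
# Bucket 13:00 holds normal volume, 13:05 a burst from one client,
# 13:10 nothing at all, and 13:15 a single request.
SAMPLE_LOG = (
    '10.0.0.1 - - [05/Oct/2015:13:00:01 +0000] "GET /billstatus HTTP/1.1" 200 512\n'
    '10.0.0.2 - - [05/Oct/2015:13:01:10 +0000] "POST /billstatus HTTP/1.1" 200 640\n'
    '10.0.0.3 - - [05/Oct/2015:13:02:45 +0000] "POST /billstatus?x=1 HTTP/1.1" 200 640\n'
    '10.0.0.9 - - [05/Oct/2015:13:03:00 +0000] "GET /static/logo.png HTTP/1.1" 200 9000\n'
    '10.0.0.4 - - [05/Oct/2015:13:04:59 +0000] "GET /billstatus HTTP/1.1" 200 512\n'
    'garbage line that must be skipped rather than crash the parser\n'
    + "".join(
        f'198.51.100.7 - - [05/Oct/2015:13:05:{s:02d} +0000] "POST /billstatus HTTP/1.1" 200 640\n'
        for s in range(12)
    )
    + '10.0.0.6 - - [05/Oct/2015:13:16:30 +0000] "GET /billstatus HTTP/1.1" 200 512\n'
)

LOG_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def bucket_counts(log_text, path, bucket_minutes=5):
    """Count requests for `path` per fixed-width time bucket.

    Unparsable lines are skipped. Buckets with no traffic between the
    first and last seen bucket are filled with 0 so that a total drop-off
    (an outage, or the page being swapped out) is visible, not silent.
    """
    counts = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        # Compare the path without its query string.
        if not m or m.group("path").split("?", 1)[0] != path:
            continue
        try:
            ts = datetime.strptime(m.group("ts"), TS_FMT)
        except ValueError:
            continue  # malformed timestamp: ignore, do not abort monitoring
        bucket = ts.replace(minute=ts.minute - ts.minute % bucket_minutes,
                            second=0, microsecond=0)
        counts[bucket] = counts.get(bucket, 0) + 1
    if counts:
        step = timedelta(minutes=bucket_minutes)
        b, last = min(counts), max(counts)
        while b <= last:
            counts.setdefault(b, 0)
            b += step
    return counts


def deviations(counts, baseline, threshold_pct):
    """Return (bucket_start_iso, count, pct_change) for every bucket whose
    volume is at least threshold_pct above or below the baseline."""
    alerts = []
    for bucket in sorted(counts):
        count = counts[bucket]
        pct = (count - baseline) / baseline * 100.0
        if abs(pct) >= threshold_pct:
            alerts.append((bucket.isoformat(), count, round(pct, 1)))
    return alerts


def analyze(log_text, path, baseline, threshold_pct, bucket_minutes=5):
    """Parse the log and return the buckets the team should be notified about."""
    return deviations(bucket_counts(log_text, path, bucket_minutes),
                      baseline, threshold_pct)


if __name__ == "__main__":
    # Hypothetical baseline: 4 requests per 5-minute bucket, alert at +/-50%.
    for when, n, pct in analyze(SAMPLE_LOG, "/billstatus", baseline=4, threshold_pct=50):
        print(f"{when}: {n} requests ({pct:+.1f}% vs baseline)")
```

Run against the constructed log, the 13:00 bucket sits on the baseline and is not reported, the 13:05 burst from a single client is reported at +200% (the kind of spike an account-number enumeration would produce), the empty 13:10 bucket is reported at -100%, and 13:15 at -75%. A fixed percentage against a static baseline is the simplest possible model; a page with a daily or monthly billing cycle would need a baseline per time-of-day or per day-of-month to avoid alerting on its own normal rhythm.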