-1

According to information I've gathered on this site, no perfect defense is possible in the area of webserver security. The underlying software and / or maintainers of the system can be exploited to ultimately gain access to any system on Earth connected to the Web.

So the answer to server security becomes a dynamic battle plan.

  • "Early" detection of the threat.
  • Detailed analysis of the "chink" in the defense which has been exploited.
  • Rapid and aggressive adaptation to halt data theft and repair defense, preferably without shutting the application down for millions of users throughout the globe.

I'm aware that some large companies have or at least had at some point a policy of zero down-time (Facebook) so taking the system offline while the defense is repaired is not always an option.

So what strategies are used to stop a data theft attack without shutting down the server completely?

J.Todd
  • 1,310
  • 1
  • 11
  • 20
  • 3
    Since the average time to detection is measured in months, you really should rethink any plan that assumes "a near instant detection of the breach." The mean (188 days) and median (86 days) days to detection Trustwave documented are pretty dismal. – gowenfawr Aug 25 '15 at 20:14
  • @gowenfawr I reworded my question. Its more broad but thats the best way I can think to ask considering slow detection. – J.Todd Aug 25 '15 at 20:19
  • Just an FYI, "exfiltration" is one term used to describe the data theft portion of an attack, you may get some benefit using that term when searching. Defending against exfiltration usually consists of blocking all unnecessary outbound connectivity and using keyword/content filtering on established channels. – gowenfawr Aug 25 '15 at 20:39
  • 3
    I think this question is too broad. It depends a lot on the kind of attack, how good your experts are, if you need outside help, if law enforcement needs to be involved and what it wants to do, if you want to watch the attackers to better track them, how big the breach is, how big the danger is that more harm will be done if you leave the systems online etc. – Steffen Ullrich Aug 25 '15 at 21:04
  • 1
    @SteffenUllrich might you suggest a subset of this question that I can condense to? – J.Todd Aug 25 '15 at 21:08
  • any system on Earth connected to the Web - FYI: Air-gapped computers are also vulnerable to attacks (tho the attacker needs to be really motivated) http://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/ – Neil Smithline Aug 25 '15 at 21:18
  • 1
    @ColorQuestor: you might try to describe the very specific and realistic setup of the environment your are working in and the specific problems you have there. If you don't have such specific setup yourself but want to learn how to deal with such setups I would recommend first that you learn how such setups look like in detail. There is a wide range between maintaining some private blog which inadvertently serves malicious ads and something like health care or AshleyMadison. – Steffen Ullrich Aug 25 '15 at 21:19
  • This question needs better definition, IMO. What kind of attack or data theft? What data? SQL dumps, log dumps, public data scraping, and private data export (source code or similar) are all very different but could easily be called 'data theft'. – Nathan V Aug 25 '15 at 23:52
  • @gowenfawr thanks for the link, it's really insightful. – Nic Barker Aug 26 '15 at 02:49

2 Answers2

2

If I can pull this in a slightly different direction, the situation that you're describing is the reason that many security minded developers and sysadmins have adopted a more preventative rather than reactive approach to vulnerable data. If someone smart enough really really wants to break into your servers, they probably will. After they do that though, the damage they can do is up to how well you've prepared.

Some strategies can include:

  • Keeping sensitive data encrypted in a way that is not feasible to decrypt en-masse. This means that in the event of a breach, you can have some degree of confidence that even if data is stolen, the cost of the breach is reduced.

  • Seperating authentication used across applications, nodes and clusters to prevent escape from an exploited environment into a clean one

  • Implementing a proper intrusion detection system that can include automatic revocation of keys and login roles

Nic Barker
  • 1,180
  • 7
  • 11
1

Remember companies that want near zero down time will have multiple servers at multiple data centers. So shutting down a server or a data center will always be an option for any company hoping to get more then 99.90% uptime.

As for how to respond to an attack, it will depend on the nature and stage of attack. If you have a SQLi vulnerability that is being exploited, but has not yet led to a OS shell, disabling the vulnerable feature maybe enough to stop the attack. If an attacker has gained root on a server you will need to take that server offline and re-image the OS and potentially the BIOS.

So in short you will need to build an incident response plan, think about possible stages of attack and predetermine your best way of recovering. This will include shutting down servers in some situations, so if you need the uptime build in redundancy.

David Waters
  • 2,801
  • 2
  • 15
  • 14
  • 1
    FYI If you're interested in moving away from a "single point of failure" architecture into something that can tolerate arbitrary machine failures, check out Netflix's Chaos Monkey – Nic Barker Aug 26 '15 at 02:50