The FBI's Internet Crime Complaint Center (IC3) has published a list of preventative measures that organizations can take to stem Website attacks, such as SQL injection.
"Over the past year, there has been a considerable spike in cyberattacks against the financial services and the online retail industry," according to the IC3's posting. "There are a number of actions a firm can take in order to prevent or thwart the specific attacks and techniques used by these intruders. The following steps can be taken to reduce the likelihood of a similar compromise while improving an organization's ability to detect and respond to similar incidents quickly and thoroughly."
Here are the IC3's recommendations for protecting your Website:
- Disable potentially harmful SQL stored procedure calls
- Deny extended URLs
- Implement specific approaches to secure dynamic Web content
- Install and run authorized Microsoft SQL Server and IIS services under a nonprivileged account
- Apply the principle of "least privilege" on SQL machine accounts
- Require passwords on Microsoft SQL Server administrator, user, and machine accounts
- Lock out accounts on your mainframes after multiple unsuccessful logon attempts
- Run the minimum required applications and services on servers needed to perform their intended function
- Deny access to the Internet except through proxies for store and enterprise servers and workstations
- Implement firewall rules to block or restrict Internet and intranet access for database systems
- Implement firewall rules to block known malicious IP addresses
- Ensure that your systems that verify and generate PIN numbers, for instance, do not respond to commands that generate encrypted PIN blocks
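The recommendation to "secure dynamic Web content" is, in practice, mostly about never letting request data become part of the SQL grammar. The following Python example is added here as an illustration and is not from the IC3 posting or from Dark Reading; it uses a constructed in-memory SQLite table in place of the Microsoft SQL Server backend the article has in mind (the names `customers`, `lookup_unsafe` and `lookup_safe` are assumptions). It contrasts a query built by string concatenation with a parameterized query, using an ordinary customer name containing an apostrophe: the concatenated version breaks on that legitimate input because the quote alters the statement, which is the same mechanism injection relies on, while the parameterized version treats the whole value as data.

```python
import sqlite3


def make_db():
    # Constructed sample database standing in for the application's backend.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [
            ("Alice Example", "alice@example.test"),
            ("Dan O'Brien", "dan@example.test"),
        ],
    )
    return conn


def lookup_unsafe(conn, name):
    # Dynamic SQL assembled by concatenation: the request parameter is
    # spliced into the statement text, so any quote character in it
    # changes the statement's structure instead of being stored as data.
    sql = "SELECT email FROM customers WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        # The apostrophe in a legitimate name already breaks the query;
        # this is the weakness that injection payloads abuse.
        return None


def lookup_safe(conn, name):
    # Parameterized query: the statement text is fixed and the value is
    # handed to the driver separately, so it can never be parsed as SQL.
    sql = "SELECT email FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    for customer in ("Alice Example", "Dan O'Brien"):
        print(customer, "unsafe ->", lookup_unsafe(db, customer))
        print(customer, "safe   ->", lookup_safe(db, customer))
```

The same parameter-binding idea applies to stored procedure calls on SQL Server: pass arguments as typed parameters rather than building the `EXEC` string from request data, which is also what makes the "disable potentially harmful stored procedures" and "least privilege on SQL machine accounts" items effective as a second layer if a query does go wrong.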