
Last week Sony announced that it believed there had been unauthorized access to its PSN servers and that an individual (or group of individuals) had obtained PSN user information, including members’ full names, addresses, birthdays, and passwords. According to Sony, there was no evidence that credit card information was also taken, but they could not definitively rule this out.
We thought it would be a good opportunity to share with the community some of the tools we use to try and mitigate similar breaches.
Intrusion Detection System
OSSEC is an open source host-based intrusion detection system. One of its core functions is file integrity monitoring: it sits on a server, keeps a baseline of specified files, detects any unexpected change to them (content, permissions, ownership, files added or removed) and immediately alerts the administrator. We use OSSEC to meet some of the PCI requirements when developing e-commerce websites.
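To show what a file integrity monitor actually does under the hood, here is a small baseline-and-compare checker in Python. This is an added example written for this post, not OSSEC's own code or configuration: it records a SHA-256 digest, size and permission bits for every regular file under a directory, then reports files that were added, removed or modified against that baseline. The `demo()` function builds a throwaway directory tree with constructed sample files so the whole thing runs offline.

```python
import hashlib
import os
import shutil
import tempfile


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, streamed so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk `root` and record digest, size and mode bits for every regular file.

    Keys are paths relative to `root` with forward slashes, so a baseline can be
    compared across scans regardless of where the tree is mounted.
    """
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # symlinks are not hashed; the target is scanned on its own
            st = os.lstat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": file_digest(path),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,  # permission bits only, setuid/setgid included
            }
    return baseline


def compare(baseline, current):
    """Diff two scans. Returns sorted lists so the report is deterministic."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: a baseline, then an attacker-style change set."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        # Hypothetical files standing in for a server's configuration.
        files = {
            "sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
            "passwd": b"root:x:0:0:root:/root:/bin/bash\n",
            "old.conf": b"to be removed\n",
        }
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)

        # Changes an integrity monitor should flag: an edited file,
        # a new file dropped in, and a file deleted.
        with open(os.path.join(root, "sshd_config"), "wb") as f:
            f.write(b"PermitRootLogin yes\nPasswordAuthentication yes\n")
        with open(os.path.join(root, "backdoor.sh"), "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.remove(os.path.join(root, "old.conf"))

        return compare(baseline, build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A real deployment stores the baseline somewhere the monitored host cannot silently rewrite it (OSSEC keeps it on the manager, not the agent) and re-baselines only after a reviewed change; otherwise an attacker who has root can simply regenerate the baseline after modifying the files.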
Web Application Attack and Audit Framework
W3AF is an open source application which allows you to run vulnerability tests against your web application. It comes with an incredibly useful and easy to use set of plugins which enable you to quickly identify issues with your applications and get them resolved. As with any scanner, only run it against sites you own or are authorised to test, and treat its findings as leads to confirm rather than a clean bill of health.
Open Web Application Security Project
OWASP provides a series of best practice guidelines and documentation on web application security, auditing and testing procedures, and up to date details on common application vulnerabilities and threats.
Two Factor Authentication
TFA is an approach to authentication which requires a user to present two forms of evidence to prove that they are who they say they are: generally something you know and something you have (such as a password and a unique token generator). A stolen password on its own is then not enough to log in. As a rule of thumb, we’ll always look to implement TFA on our dedicated servers, or use the provider’s own implementation on cloud servers, such as AWS MFA.