-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                    National Cyber Alert System

              Technical Cyber Security Alert TA11-200A


Security Recommendations to Prevent Cyber Intrusions

   Original release date: July 19, 2011
   Last revised: --
   Source: US-CERT


Overview

   US-CERT is providing this Technical Security Alert in response to
   recent, well-publicized intrusions into several government and
   private sector computer networks. Cyber thieves, hacktivists,
   pranksters, nation-states, and malicious coders for hire all pose
   serious threats to the security of both government and private
   sector networks. A comprehensive security program provides the best
   defense against the full spectrum of threats that our computer
   networks face today. Network administrators and technical managers
   should not only follow the recommended security controls
   information systems outlined in NIST 800-53 but also consider the
   following measures. These measures include both tactical and
   strategic mitigations and are intended to enhance existing security
   programs.


Recommendations

   * Deploy a Host Intrusion Detection System (HIDS) to help block and
     identify common attacks.

   * Use an application proxy in front of web servers to filter out
     malicious requests.

   * Ensure that the "allow URL_fopen" is disabled on the web server
     to help limit PHP vulnerabilities from remote file inclusion
     attacks.

   * Limit the use of dynamic SQL code by using prepared statements,
     queries with parameters, or stored procedures whenever possible.
     Information on SQL injections is available at
     <http://www.us-cert.gov/reading_room/sql200901.pdf>.

   * Follow the best practices for secure coding and input validation;
     use the secure coding guidelines available at:
     <https://www.owasp.org/index.php/Top_10_2010> and
     <https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/coding/305-BSI.html>.

   * Review US-CERT documentation regarding distributed
     denial-of-service attacks:
     <http://www.us-cert.gov/cas/tips/ST04-015.html> and
     <http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf>.

   * Disable active scripting support in email attachments unless
     required to perform daily duties.

   * Consider adding the following measures to your password and
     account protection plan.* Use a two factor authentication method
     for accessing privileged root level accounts.

   * Use minimum password length of 15 characters for administrator
     accounts.

   * Require the use of alphanumeric passwords and symbols.

   * Enable password history limits to prevent the reuse of previous
     passwords.

   * Prevent the use of personal information as password such as phone
     numbers and dates of birth.

   * Require recurring password changes every 60-90 days.

   * Deploy NTLMv2 as the minimum authentication method and disable
     the use of LAN Managed passwords.

   * Use minimum password length of 8 characters for standard users.

   * Disable local machine credential caching if not required through
     the use of Group Policy Object (GPO). For more information on this
     topic see Microsoft Support articles 306992 and 555631.

   * Deploy a secure password storage policy that provides password
     encryption.

   * If an administrator account is compromised, change the password
     immediately to prevent continued exploitation. Changes to
     administrator account passwords should only be made from systems
     that are verified to be clean and free from malware.

   * Implement guidance and policy to restrict the use of personal
     equipment for processing or accessing official data or systems
     (e.g., working from home or using a personal device while at the
     office).

   * Develop policies to carefully limit the use of all removable
     media devices, except where there is a documented valid business
     case for its use. These business cases should be approved by the
     organization with guidelines for there use.

   * Implement guidance and policies to limit the use of social
     networking services at work, such as personal email, instant
     messaging, Facebook, Twitter, etc., except where there is a valid
     approved business case for its use.

   * Adhere to network security best practices. See
     <http://www.cert.org/governance/> for more information.

   * Implement recurrent training to educate users about the dangers
     involved in opening unsolicited emails and clicking on links or
     attachments from unknown sources. Refer to NIST SP 800-50 for
     additional guidance.

   * Require users to complete the agency's "acceptable use
     policy" training course (to include social engineering sites and
     non-work related uses) on a recurring basis.

   * Ensure that all systems have up-to-date patches from reliable
     sources. Remember to scan or hash validate for viruses or
     modifications as part of the update process.

 ____________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA11-200A.html>
 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@cert.org> with "TA11-200A Feedback INFO#706140" in
   the subject.
 ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 ____________________________________________________________________

   Produced 2011 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________

Revision History

  July 19, 2011: Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBTiXz1j6pPKYJORa3AQKUOwf+Ij8XMOYEWhPi6aZz+/Ke7DJ/e0oF3DGb
06j7yl5y6pobCu5p80W+gDN6V0A3j2Z0OddFqiqV/TnBQWiyv8Bxx5okcfE01dDk
mNAuFZWqELD3l4sgeNwbZp56z5LLi8NB40Bwgquama9u/98gYHSN5xTQBqBVlV2i
HMDlU2KCqXCN9XIbxpE/z3By4ADvRh6uIulRjJUnGnTWFMBQpc/YmPy+j4WZRpJz
AjVY6V/V2Qe9DGM/A+K0CURqYUtaXOtB9t8OtC4WeyPIZ6GjKAjj3MQ0n8KI+YFW
gBVFbTWmSwRnsX/+LWgAUGPKOrgYQnAKo0Hf4K0vsW4T1039w1sewA==
=Iaax
-----END PGP SIGNATURE-----