Corporate Security Vulnerabilities in E-Business
The Internet has profoundly changed the way companies do business. Online shopping is something consumers now take for granted, and it is unusual to find any merchant with a product for sale that does not provide customers with the opportunity to shop and buy online. But these relatively new marketing opportunities have come with a new set of risks that did not apply to other methods of merchandising. In a computerized environment, computer-based threats are a factor that must be considered, and some of these have a particular effect on electronic commerce.
Viruses and worms such as Melissa, Code Red and Nimda have caused billions of dollars worth of damage. While viruses and worms are designed to spread indiscriminately and infect as many machines as possible, a worm’s end goal is sometimes to mobilize an attack against a particular target, so they can cause damage on two separate levels. Other threats include attacks such as DDoS (Distributed Denial of Service), exploits targeting interactive page code and non-technical attacks such as social engineering.
Just as there are various categories of threats, defenses have been designed to combat them. User education and crafting page code that is as secure as possible are ongoing battles. Antivirus software, firewalls and constant software and operating system updates are part of a company’s defensive arsenal, along with alert and knowledgeable network analysts. The education process for anyone concerned with computer security is unending, because for each attack that someone fashions an effective defense against, another one is developed or discovered to replace it. It is a seemingly endless chess game between attackers and defenders.
People tend to speak of certain types of malicious code as if they were in fact living organisms, and while this is of course not the case, in some ways they can imitate life. They are programmed to spread and reproduce, and in some cases exhibit adaptive behavior that seems to mimic intelligence.
The precise difference between a virus and a worm can be slippery. One common conception is that a virus is designed to infect files and can spread only through human intervention, such as choosing to open a file, whereas a worm will move across networks—including the Internet itself—under its own power (Cooper, n.d.). Another definition has it that “a computer virus is delivered by e-mail messages… but a computer worm spreads through the internet” (Infotap, n.d.). However, the distinction between the two grows fuzzy when discussing a threat such as the Nimda virus released in 2001. Using multiple methods of spreading itself, Nimda has been described as “a complex virus with a mass mailing worm component” (Tocheva, 2001). Like the classical definition of a virus, Nimda infects files (executables, specifically), and propagates by e-mailing itself to other users. Perhaps that is why it is most commonly referred to as a virus rather than a worm. However, it also exhibits wormlike behavior. It seeks out web servers and “once a web server is found, the worm tries to infect it by using several known security holes” (Tocheva, 2001)—much closer to the definition of a worm.
The overall cost of Nimda has been estimated at “$635 million in clean-up and lost productivity” (Delio, 2002). The Code Red worm, in 2001, cost companies approximately two billion dollars (Krebs, 2003). Whatever we call them and however we define them, these malicious pests can be a major expense for businesses and other organizations.
Virus protection software is a must-have in today’s network environment. Several vendors make anti-virus products for both home and corporate environments, and for an anti-virus solution to be truly suitable for use on a large network, it must be suitably scalable. Virus definition updates often take place on a daily basis, and for hundreds of computers to request this update individually can tie up network bandwidth and cause unacceptable delays in throughput for other traffic. Norton Antivirus is capable of updating from a centralized server maintained by the administrator of the corporate network, allowing the updated definitions to be downloaded once across the public internet and then distributed to individual computers across the private network, which generally has much higher bandwidth than the outside connection.
DENIAL OF SERVICE
A denial of service attack is a traffic jam which prevents legitimate traffic from getting through. There are various forms of this type of attack. DDoS, or Distributed Denial of Service, involves an attack on a particular host executed by multiple attackers. Often the machines actually carrying out the attack are “owned” or infected through the use of a virus or worm.
Another form of DoS attack is the Smurf attack, in which ICMP requests (such as the familiar PING command) are sent to multiple targets with a false value in the ‘from’ header—the IP address of the victim. When the unwitting accomplices receive the request (assuming they are configured to respond to a PING), these machines will combine their efforts to overwhelm the target address with a surfeit of traffic. In a sense this is a DDoS attack as well, since multiple intermediaries are used to implement it.
A SYN flood attack refers to the first part of the typical TCP/IP connection process, sometimes known as a handshake. The party initiating the conversation normally begins this three-part dialogue with a SYN (synchronize) message. The server responds with a SYN-ACK, followed by an ACK (acknowledgement) from the client. In the SYN flood, the attacker sends the initial SYN packet to the victim (again from a spoofed address). The target sends the expected SYN-ACK and then waits for an ACK that will never arrive, holding open a connection and therefore tying up resources for a brief time—very brief, by human standards, but an effective form of DoS or DDoS when repeated a sufficient number of times in very rapid sequence.
A teardrop attack involves a packet too large to be transmitted normally, and which is therefore broken into fragments. Reassembling such a packet is accomplished through use of an offset value, but when apparently fragmentary packets are sent with offset values which are not legitimate, it can confuse the server and even crash it altogether (Techtarget.com, n.d.). LAND attacks have a particularly elegant construction, in that they cause the target system to continuously reply to itself.
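The fragment-reassembly problem behind the teardrop attack, as an added example that is not part of the paper and not taken from any operating system's IP stack: a small Python reassembler that validates every fragment's offset and length before writing it into the buffer, and returns a reason instead of crashing when offsets overlap or run past the maximum datagram size. The fragment tuples and the `MAX_DATAGRAM` constant are constructed for the example; real fragments would come from a packet capture or socket.

```python
MAX_DATAGRAM = 65535  # largest IPv4 datagram, so no fragment may extend past it


def try_reassemble(fragments):
    """Reassemble IPv4-style fragments, refusing malformed ones.

    fragments: list of (offset_bytes, more_fragments, payload) tuples, as a
    reassembly queue would see them (constructed input; no sockets involved).
    Returns (payload, "ok"), or (None, reason) when an offset or length is not
    legitimate, rather than writing outside the buffer or aborting.
    """
    buf = bytearray()
    covered = []        # (start, end) byte ranges already written
    total_len = None    # set by the fragment with more_fragments == False
    for offset, more, payload in fragments:
        start, end = offset, offset + len(payload)
        if offset % 8:                       # IP offsets count 8-byte units
            return None, "offset not a multiple of 8"
        if more and len(payload) % 8:        # only the last fragment may be short
            return None, "non-final fragment not a multiple of 8"
        if end > MAX_DATAGRAM:
            return None, "fragment extends past maximum datagram size"
        for s, e in covered:                 # any overlap means a bogus offset
            if start < e and s < end:
                return None, "overlapping fragment"
        if not more:
            if total_len is not None:
                return None, "more than one final fragment"
            total_len = end
        covered.append((start, end))
        if end > len(buf):
            buf.extend(b"\0" * (end - len(buf)))
        buf[start:end] = payload
    if total_len is None:
        return None, "final fragment missing"
    # Every byte up to total_len must be covered exactly once, with no gaps.
    pos = 0
    for s, e in sorted(covered):
        if s != pos:
            return None, "gap in reassembled datagram"
        pos = e
    if pos != total_len:
        return None, "data beyond final fragment"
    return bytes(buf[:total_len]), "ok"


# Constructed sample inputs.
NORMAL = [(0, True, b"A" * 16), (16, False, b"B" * 10)]
# Illegitimate offsets of the kind the text describes: the second fragment's
# offset lands inside the range the first fragment already covers.
TEARDROP = [(0, True, b"A" * 24), (8, False, b"B" * 8)]
# A fragment whose offset plus length runs past the 65535-byte datagram limit.
TOO_LARGE = [(0, True, b"A" * 8), (65528, False, b"B" * 16)]

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP), ("too large", TOO_LARGE)):
        print(name, "->", try_reassemble(frags)[1])
```

The design point is that the reassembler treats the offset field as untrusted input: it checks alignment, bounds and overlap against what it has already accepted, and a datagram that fails any check is discarded as a whole rather than partially written.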
Defense against denial of service attacks is not a simple matter, in part because these attacks take so many different forms. At its most basic, denial of service consists of overloading the available bandwidth in some manner, and in some cases these events do not even involve any malicious intent. If a site experiences an unexpected surge of interest from the browsing public so that the number of requests to view content exceeds the available bandwidth, this actually constitutes a denial of service as many of those who want to view the pages experience long delays or timeouts. But in terms of network security, of course, we wish to focus on those attacks that are deliberate.
Many of the defenses against these attacks involve proper configuration of routers, firewalls or servers. A defense against SYN floods has been developed at the server level and is known as SYN cookies. Native to many versions of Linux, although not generally enabled by default, this technique allows the operating system to behave as though the SYN queue is larger than it actually is, and rather than dropping legitimate connections in response to excessive traffic, it will keep all connections open and reply to those that follow the normal TCP/IP protocol and complete the 3-way handshake (Bernstein, n.d.).
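The SYN flood and the SYN-cookie defense described above, as an added example that is not part of the paper and not Bernstein's or the Linux kernel's implementation: a Python model of a listener that encodes a time counter and a keyed hash of the connection 4-tuple into the sequence number of its SYN-ACK, stores nothing for the half-open connection, and creates state only when a client returns an ACK that acknowledges a cookie the server really issued. The secret, the addresses, the 64-second counter period and the use of HMAC-SHA256 are assumptions made for the example (the real scheme also encodes the client's MSS, which is omitted here).

```python
import hashlib
import hmac

# Constructed secret for the example; a real server would generate this at boot.
SECRET = b"example-syn-cookie-secret"
COUNTER_PERIOD = 64   # seconds; a cookie is accepted only in its own or the next period


def _counter(now):
    return int(now) // COUNTER_PERIOD


def _mac(client, server, counter):
    """24-bit keyed hash over the 4-tuple and the time counter."""
    msg = f"{client[0]}:{client[1]}>{server[0]}:{server[1]}|{counter}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(client, server, now):
    """Initial sequence number for the SYN-ACK: 8-bit counter || 24-bit MAC."""
    c = _counter(now)
    return ((c & 0xFF) << 24) | int.from_bytes(_mac(client, server, c), "big")


def check_ack(client, server, ack_number, now):
    """True if ack_number acknowledges a cookie we issued recently for this 4-tuple."""
    cookie = (ack_number - 1) & 0xFFFFFFFF        # the ACK acknowledges ISN + 1
    counter_low = cookie >> 24
    mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
    current = _counter(now)
    for candidate in (current, current - 1):
        if candidate & 0xFF == counter_low and hmac.compare_digest(
            mac, _mac(client, server, candidate)
        ):
            return True
    return False


class CookieServer:
    """Listener that keeps no per-connection state until the handshake completes."""

    def __init__(self, addr):
        self.addr = addr
        self.half_open = {}      # stays empty: that is the point of SYN cookies
        self.established = set()

    def on_syn(self, client, now):
        # Reply with a SYN-ACK whose sequence number is the cookie; store nothing.
        return make_cookie(client, self.addr, now)

    def on_ack(self, client, ack_number, now):
        # Only a client that really received our SYN-ACK can produce a valid ACK.
        if check_ack(client, self.addr, ack_number, now):
            self.established.add(client)
            return True
        return False


def simulate():
    """Flood of spoofed SYNs followed by one genuine handshake (constructed traffic)."""
    server = CookieServer(("192.0.2.10", 80))
    t0 = 1_000_000
    # Spoofed sources never see the SYN-ACK, so no ACK follows; the server has
    # spent no memory on them, which is why the SYN queue cannot fill up.
    for i in range(10_000):
        server.on_syn((f"203.0.113.{i % 250}", 1024 + i), t0)
    # One legitimate client completes the three-way handshake.
    client = ("198.51.100.7", 51000)
    isn = server.on_syn(client, t0 + 1)
    ok = server.on_ack(client, isn + 1, t0 + 2)
    # An ACK with no matching SYN-ACK behind it is rejected.
    bogus = server.on_ack(("198.51.100.8", 51001), 12345678, t0 + 2)
    # A cookie presented long after it was issued is rejected (counter too old).
    stale = server.on_ack(client, isn + 1, t0 + 3 * COUNTER_PERIOD)
    return len(server.half_open), ok, bogus, stale, client in server.established


if __name__ == "__main__":
    print(simulate())
```

The trade-off the model makes visible is that the server can recognise a completed handshake without remembering the SYN, because everything it needs is recomputed from the 4-tuple, the secret and the counter; the cost is the short validity window and the limited information that fits in 32 bits.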
THE TARGETED ATTACK
Perhaps the most frightening type of attack consists of the focused efforts of one or more hackers on a particular network, and this can take many forms. A virus, worm or DoS attack can cause great damage, and yet does not have the flexibility of a skilled hacker, who will often use multiple methods of compromising the security of the target network. They will use various tools and techniques to probe at the network, learning its characteristics and weaknesses in an information-gathering process known as footprinting.
One important weapon in the hacker’s arsenal is knowledge of known weaknesses or holes in various operating system versions, software, routers and so on. In some cases these are known as zero-day vulnerabilities—ones for which no patch has been released by the vendor of the affected product. But many of the vulnerabilities being exploited have patches available to repair them—patches that have not been applied by all networks running the affected software. This is why it is so important to promptly apply all security-related patches and hot fixes, even if this might sometimes feel like a desperate effort to keep a leaky boat afloat.
Marcus Ranum, on his web site, takes issue with this “Patch Tuesday” approach to security. He compares it to “polishing turds” (Ranum, 2005) and argues that software needs to be designed with security as an important factor from the ground up, rather than being added as an afterthought. While it’s hard to argue against this idea, we know that this does not always happen in the real world. There are sometimes unavoidable reasons why we must use software with known vulnerabilities—because it is all that is available, or because our company already paid for it or needs its compatibility with other systems, or simply because the decision has been taken out of the administrator’s hands by someone who may have less knowledge but more authority. And even the best-designed software might need occasional updates for security reasons.
Bruce Schneier relates a story of one large corporation that was “molested by unknown hackers who wandered unchallenged through their network, accessing intellectual property, for weeks or months. According to reports, the attackers would not have been able to break in if Microsoft patches had been up to date” (Schneier, 2001). The name of the company? Microsoft.
Although the security of software and operating systems is very important, it is also vital not to lose sight of other factors such as physical security and social engineering. If someone can gain physical access to servers, routers and other physical components of the network, much of the work they would have to do to hack in remotely has been circumvented. And if they can get unwitting users (or more embarrassingly, administrators) to give them proprietary information, they have also saved themselves a lot of work and possibly gained a foothold that might have been difficult or impossible otherwise.
Social engineering involves exploiting human weaknesses rather than those found in machinery or software. An attacker might call the help desk posing as a user in need of assistance, or might call a user and claim to be with the company’s IT department. Kevin Mitnick is probably the best-known practitioner of social engineering. Although skilled in the higher-tech aspects of hacking, Mitnick attributed most of his dubious success (which ultimately landed him in prison before launching his career as a computer security expert) to simple human trickery. “You could spend a fortune purchasing technology and services… and your network infrastructure could still remain vulnerable to old-fashioned manipulation” (Mitnick, 2001).
People have been running con games on each other since long before computers became a part of our daily lives. In the classic 1973 movie “Paper Moon”, a young girl and her father keep themselves in ready cash with strategies such as confusing store clerks into giving them more in change than they’d paid for their purchases. Such games have probably been going on since humans began to communicate via speech, so it is not too surprising that this same technique is used to compromise network security.
A now-famous survey in 2004 showed that many office workers will give away their passwords in exchange for a candy bar, and the survey was repeated more recently with similar results. Sixty-four percent of those surveyed were willing to reveal their passwords. Other survey questions by Infosecurity Europe researchers revealed that almost a third of computer users knew the passwords of at least one other user, and that many of them used their corporate passwords for other accounts such as personal e-mail (Kelly, 2007). We’ve all seen it. Passwords on post-it notes concealed under keyboards (or posted more openly on cubicle walls). Users who tell IT personnel their passwords without being asked, often loudly enough for co-workers to overhear. The senior manager who complained bitterly, at one of the author’s former jobs, about the hassle of changing his password on a regular basis—because it was so much trouble to advise all his people of the new one.
One morning a few years back, a group of strangers walked into a large shipping firm and walked out with access to the firm’s entire corporate network. How did they do it? By obtaining small amounts of access, bit by bit, from a number of different employees in that firm. First, they did research about the company for two days before even attempting to set foot on the premises. For example, they learned key employees’ names by calling HR. Next, they pretended to lose their key to the front door, and a man let them in. Then they "lost" their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them (Granger, 2001).
What’s related above is a true, cautionary tale—which turned out to be an authorized security check by a white-hat consultant firm. It could just as easily have been actual data thieves. As well as relying on employees’ trust and desire to be helpful, they took items from the company trash (sometimes known as dumpster diving) and impersonated an executive over the phone after learning that he was out of town.
Combating this is problematic. Marcus Ranum takes a dim view of user education as a security solution, stating that “if it was going to work, it would have worked by now” (Ranum, 2005), and adding, “the Anna Kournikova worm showed us that nearly 1/2 of humanity will click on anything purporting to contain nude pictures of semi-famous females”. But even after expressing this pessimism, Mr. Ranum concedes that user education must remain a factor in computer security, although he also advocates locking down systems so that dangerous attachments never arrive in a user’s mailbox at all. But we’ve all seen the dangers of keeping the system too locked down, when users begin to complain that they cannot do their jobs due to being unable to access legitimate and vital attachments, web sites, or programs. That’s when someone high in the corporate hierarchy generally tells IT that the tail is about to stop wagging the dog. As much as we might wish otherwise, network security is not always the top priority for a business or even for non-profit organizations.
Physical security is another topic that is sometimes neglected. It is one of the less glamorous aspects of computer security, but one that needs to be addressed. Most organizations maintain excellent security around their server room, with precautions such as video cameras and access logs. But as in the example above, trash cans can yield a great deal of proprietary information. Maintaining shred bins for any potentially damaging information, and encouraging everyone to use them, is an area where user education and physical security overlap. Backup tapes and laptop computers are another weak point. The laptop belonging to the network administrator could prove a real treasure trove of information in a very portable form. One can hope that this would be encrypted in such a way as to require a high degree of skill for anyone but the legitimate user to access it. But in many cases, one would be disappointed in this hope.
In 2005, a contractor working for Time Warner Cable lost unencrypted backup tapes containing the names and social security numbers of over half a million current and former employees and their dependents. Time Warner offered these potential victims a free year of credit monitoring… and promised to encrypt such data in the future (Zeller, 2005). This is the kind of vulnerability that, often, nobody thinks of—until something happens, at which point it may be too late.
One essential defense for any business is an effective firewall. Various types of firewalls are available, both software and hardware-based. Some network administrators use the built-in packet filtering capabilities of their routers as a simple firewall, and in fact, the first firewalls were basically packet filters (Avolio, 1999). These filters allow traffic to be permitted or denied based on factors such as port number and protocol, and are stateless, meaning each packet is considered separately without regard to anything that has gone before. Stateful packet inspection was the next development in firewall technology, and allowed packets to be evaluated as parts of a larger message. In this instance, it is the communication as a whole that is being accepted or rejected, rather than the individual packets.
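The difference between a stateless packet filter and stateful inspection, as an added example that is not part of the paper and not the code of any firewall product: a Python model of both filters run over the same constructed packets. The stateless filter judges each packet on its header fields alone, so a rule written to let web replies back in (“source port 80 from outside”) also admits an unsolicited packet that merely claims source port 80. The stateful filter records connections that inside hosts open and admits inbound packets only when they belong to one of them. The addresses, ports and the `10.0.0.` internal prefix are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    syn: bool = False
    ack: bool = False


INTERNAL_PREFIX = "10.0.0."   # constructed: the protected network


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def stateless_filter(pkt):
    """Each packet is judged on its own header fields; nothing is remembered."""
    if pkt.proto != "tcp":
        return False
    if is_internal(pkt.src) and pkt.dport == 80:        # outbound web request
        return True
    if not is_internal(pkt.src) and pkt.sport == 80:    # "reply from a web server"
        return True
    return False


class StatefulFilter:
    """Inbound packets pass only if they belong to a connection opened from inside."""

    def __init__(self):
        self.connections = set()   # (src, sport, dst, dport) of connections we allowed

    def filter(self, pkt):
        if pkt.proto != "tcp":
            return False
        outbound = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if is_internal(pkt.src) and pkt.dport == 80:
            if pkt.syn and not pkt.ack:                  # new connection from inside
                self.connections.add(outbound)
            return outbound in self.connections
        if reverse in self.connections:                  # reply to a tracked connection
            return True
        return False                                     # unsolicited inbound traffic


# Constructed packet sequence: a browser session, then an unsolicited probe that
# forges source port 80 to look like web traffic.
SAMPLE = [
    ("client opens web connection", Packet("10.0.0.5", 40000, "203.0.113.9", 80, "tcp", syn=True)),
    ("web server replies", Packet("203.0.113.9", 80, "10.0.0.5", 40000, "tcp", syn=True, ack=True)),
    ("unsolicited packet, source port 80, to ssh", Packet("203.0.113.77", 80, "10.0.0.5", 22, "tcp", syn=True)),
    ("client tries https (no rule)", Packet("10.0.0.5", 40001, "203.0.113.9", 443, "tcp", syn=True)),
]


def run_sample():
    """Return {description: (stateless_verdict, stateful_verdict)} for the sample packets."""
    stateful = StatefulFilter()
    return {desc: (stateless_filter(p), stateful.filter(p)) for desc, p in SAMPLE}


if __name__ == "__main__":
    for desc, (sl, sf) in run_sample().items():
        print(f"{desc:45} stateless={sl!s:5} stateful={sf}")
```

The packet the two filters disagree on is the third one: the stateless rule has no way to know that no inside host ever spoke to 203.0.113.77, while the stateful filter rejects it simply because no matching entry exists in its connection table.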
Additional developments in firewall technology include application layer filtering and deep packet inspection. An application layer firewall is equipped with a deeper understanding of the actual traffic being passed, rather than inspecting it on the packet level. It can “inspect all incoming requests -- including the actual message being exchanged -- against known vulnerabilities such as SQL injection, parameter and cookie tampering, and cross-site scripting” (F5.com, n.d.). Deep packet inspection is a similar concept and refers to evaluation of the content of a packet, rather than just the header which is all that is examined in the earlier implementations of packet inspection. The firewall in an enterprise environment is generally a hardware device, and devices suitable for large-scale networks are available from many vendors, including Check Point and Cisco.
THE FACE OF COMMERCE
When a business interacts with the public online, through the use of a web site, that web site is the face that the business presents to the public. For stores that do most of their business through internet orders, the site may to some extent be synonymous with the business itself in the minds of many customers. So when that web site is compromised, it can be a serious blow to the image of that business. This has happened not only to business and government web sites but also to those maintained by security experts—those who, in theory, should be best able to defend themselves against such indignities.
Earlier this year, noted security expert Marcus Ranum learned that his site had been hacked and links had been added to his main index page. He reports, “This morning I got a very nice Email from Gavin Ayre about my most recent article. But then he asked me whether I had gone into business selling Viagra. What?” (Ranum, 2007). He checked his site, to find that advertising code had been added without his knowledge or consent. He concludes that the links were placed there primarily to influence search engine rankings based on how many sites provide links to the page in question. Surprisingly, Mr. Ranum did not express much interest in figuring out what vulnerability had been used to access his site, or in closing the loophole to prevent its being used again. “I don't even know what operating system my site runs on, nor do I care. I don't want to care and for $9/month I don't have to care… I still don't know how it got there, but if Gavin hadn't noticed it, I would have gotten a warning from Dreamweaver next time I synchronized my site” (Ranum, 2007). This might be described as choosing one’s battles. Rather than devoting time to this issue, Ranum seems to dismiss it as an endurable nuisance.
In 2003, a hacker defaced the website of Defensive Thinking, a security firm run by notorious former hacker Kevin Mitnick, adding rude comments and altering a photograph. Vulnerabilities in the IIS web server, built into Microsoft server operating systems, were used in the attack, and Mr. Mitnick stated that he would apply the relevant patches but would not press charges as no real harm had been done, and stated "No customer information was released nor was in danger of being compromised" (BBC News, 2003). One can wonder why Mitnick, running a security company, had not already ensured that his operating system was up to date and spared himself this unfortunate publicity. This only underscores how easy it is for even the most security-conscious organization to neglect basic and routine precautions that they would surely recommend to their customers as a matter of course.
Even more embarrassing than a visibly defaced website is a site that can spread electronic infection. In November of 2007, two government sites were compromised, one for the second time. The website for the California-based Marin County Transportation Authority was hacked into and links were added which, if clicked, would direct the browser to sites hosting porn and/or malicious software. California shut down many of its government web sites in response to this, but made them available again once they felt the issue was resolved, only to have the problem recur.
Dianne Steinhauser, executive director of the Marin County Transportation Authority, said she thought the problem was fixed in mid September. "I am exceptionally apologetic for anyone that was contaminated by virtue of our name," she said (Goodin, 2007).
For a commercial enterprise, the potential economic impact would be even
WEB SERVER SECURITY & SECURE PAGE CODE
Web servers can be compromised by a variety of routes. Vulnerabilities in the operating system, the web server software and the page code itself are the most common. The two major platforms for running a web server are IIS on a Windows Server—in this case, the web server is part of the operating system itself—or else Apache running on some variant of Linux.
Many security experts feel the Apache/Linux implementation is more secure, in part because they feel Linux is inherently less buggy, and also due to the web server software being a separate application without as much access to the operating system as is the case with IIS. “Apache is the clear-cut winner in the Netcraft and Security Space monthly surveys, [but] Internet Information Server dominates among Fortune 1000 enterprises” (Brown, 2003). The fact is, many administrators do not find it to be a realistic option to switch to Linux for improved security. They and their people may not be knowledgeable on the topic, and they may have inherited an organization with significant investment in a Microsoft platform.
In the examples researched for this paper, several exploits were due to security holes in IIS. It seems to be a common problem. Information is freely available, however, for “hardening” or improving the security of both Linux-based and IIS web servers. In an article on the latter topic, Chaim Fried makes several suggestions including using a separate physical drive for web content, using Microsoft-provided tools to lock down the server, using a software firewall on the server to limit access, moving server logs to a nonstandard location… and subscribing to mailing lists to keep current on the latest IIS vulnerabilities (Fried, 2006).
If our web pages contained only static images and words, the discussion
UNDER THE HOOD
Although a compromised web site can be a serious embarrassment, even worse is a breach of a company’s sensitive financial data, including customer credit card information. In some cases, this information can be compromised without the attackers actually gaining access to the database itself. In February 2000, a company called RealNames sent out a letter informing its subscribers that its web site had been hacked and that subscribers had been redirected to a site in mainland China. RealNames sold a service that redirected a browser to a customer’s site if common keywords that did not constitute a legitimate URL were typed into the address bar, and customers attempting to subscribe or pay for this service were unknowingly putting their credit card data into an illegitimate site which harvested this information for criminal purposes (Hu, 2000). This technique is known as ‘pharming’. And although many businesses—particularly those involved with technology—do not succeed in the long run, it is worth noting that realnames.com no longer appears to be in business.
An even more serious breach of customer confidence occurred when Guidance Software, a computer forensics company, suffered an electronic break-in which resulted in the loss of approximately 3,800 credit card records. There were a couple of reasons why this was particularly embarrassing. First, the very nature of the company’s business is computer security. In addition, they had violated a couple of best-practice rules established by the credit card industry. If customer credit card numbers are retained by a merchant, they should be encrypted. Unfortunately Guidance Software did not encrypt this data. And the verification numbers (CVV) used as a second layer of authentication for credit card purchases should not be retained in the retailer’s records, but Guidance Software did retain this data and it was stolen along with the credit card numbers themselves, customer names and addresses, and expiration dates—all the information that is necessary in order to make an online purchase. Because of the type of products the company makes available, such as the EnCase security software suite, the credit card data in question included cards belonging to other computer security organizations, including agencies such as the FBI and the Secret Service. One customer, the president of a computer forensics firm, learned of the attack on the same day he got a bill that included over $20,000 in fraudulent charges (Krebs, 2005).
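The two retention rules the paper draws from the Guidance Software case (never keep the CVV; never keep the card number in the clear), as an added example that is not part of the paper and not any payment processor's code: a Python routine that reduces a checkout form to the fields a merchant may persist. It validates the number with the Luhn check digit, drops the CVV after the one authorization it is needed for, and keeps only the last four digits plus a keyed one-way token (HMAC-SHA256) so that a returning card can be recognised without holding the number. Where a merchant genuinely must store the full number, that field needs reversible encryption with a vetted library and a key kept away from the database, which this example deliberately does not attempt. The key, the sample checkout and the expiry format are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed key for the example; a real deployment keeps this in a secrets store,
# never in the same database as the card records.
TOKEN_KEY = b"example-merchant-token-key"


def luhn_ok(pan):
    """Luhn check digit test: catches mistyped numbers before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def prepare_for_storage(checkout, key=TOKEN_KEY):
    """Reduce a checkout form to the fields a merchant may retain.

    The CVV is used once for the authorization request and is not copied into
    the returned record; the full card number is replaced by its last four
    digits and a keyed one-way token that identifies a returning card.
    """
    pan = re.sub(r"\D", "", checkout["pan"])          # strip spaces and dashes
    if not (13 <= len(pan) <= 19) or not luhn_ok(pan):
        raise ValueError("card number failed validation")
    if not re.fullmatch(r"(0[1-9]|1[0-2])/\d{2}", checkout["expiry"]):
        raise ValueError("expiry must be MM/YY")
    record = {
        "name": checkout["name"],
        "last4": pan[-4:],
        "expiry": checkout["expiry"],
        "pan_token": hmac.new(key, pan.encode(), hashlib.sha256).hexdigest(),
    }
    # Fail loudly if a later change ever adds a field that must not be persisted.
    forbidden = {"pan", "cvv", "cvv2", "track"}
    assert not forbidden & record.keys(), "forbidden card data in storage record"
    return record


# Constructed checkout payload using a publicly known Visa test number.
SAMPLE_CHECKOUT = {
    "name": "A. Customer",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/09",
    "cvv": "123",
}

if __name__ == "__main__":
    print(prepare_for_storage(SAMPLE_CHECKOUT))
```

Because the token is a keyed hash rather than a plain hash, an attacker who copies the table cannot recover card numbers by hashing candidate numbers offline unless the key is also taken; the token still supports the merchant's own lookups, such as matching a refund to the card that paid.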
Clearly, these are not stories that anyone wishes to see featuring the name of their own company. Database security is a complex subject which should be handled by someone with considerable experience. It is not an area where anyone, even someone knowledgeable in other areas of networking, should feel like an expert after reading a couple of articles. But it is good to start out with an understanding of the basics, as laid out in an article for governmentsecurity.org by Blake Wiedman. Mr. Wiedman points out:
Now part of this problem is the pressure placed on today's system admin's by the upper-crust of corporate America. The first question to every sysadmin is, "How soon can this be up?" and not "How much of a security risk is this?". In light of current events it has become painfully obvious we need to re-adjust our thinking (Wiedman, n.d.).
He goes on to recommend, first and foremost, that network security be handled by a dedicated person and not added on as an afterthought to the already-full plate of the network administrator. Specifically, in terms of database security, he stresses that database information should be on a separate machine from any web content, including dynamic content. Public websites are typically served from inside a DMZ rather than inside the core network itself, and that is no place for sensitive database information. He recommends further that the database server be configured to not return a ping and that connections only be permitted from specific, trusted IP addresses (although this will only protect the database if these trusted machines remain uncompromised and the IP in question is not spoofed). He also addresses the problem of misconfigured permissions for database tables, a situation in which someone with few hacking skills might end up seeing an embarrassing amount of privileged information input by other users (Wiedman, n.d.).
A great deal of more specific technical information is available online relating to configuration of Oracle, MySQL, and other platforms. Encryption is considered a basic component of a secure database system, but another writer on the topic adds:
Encryption still receives too much emphasis. Most people continue to believe that database security = encryption. Yes, encryption is important but it must be accompanied by a complete security lifecycle including risk analysis, vulnerability scanning, penetration testing, and secure policies and procedures. In other words, encryption is merely one layer in a layered database defense (Oltsik, 2005).
diving and social engineering… the list goes on and on, and the number of threats can seem overwhelming. The tools and best practices used for defense can also be difficult to keep track of, as they are also numerous and subject to evolution as both sides of the ongoing battle develop new methods of working toward their opposing goals. While the complete invulnerability of any network will always be something to work toward rather than something that can ever be achieved, the knowledgeable application of best practices for network security will go far toward making both corporate and customer data as safe as possible in an e-business setting.
REFERENCES
BBC News. (2003). Prominent hacker Mitnick hacked. 9, 2007 from http://news.bbc.co.uk/1/hi/technology/2750433.stm
Bernstein, D. (n.d.). SYN cookies. Downloaded December 8, 2007 from
Cooper, R. (n.d.). Viruses are from Venus and Worms are from Mars. Downloaded November 24, 2007 from http://cns.esf.edu/virusvworm.htm
Delio, M. (2002). Find the Cost of (Virus) Freedom. Downloaded November 24, 2007 from http://www.wired.com/techbiz/it/news/2002/01/49681
F5.com. (n.d.). Application Layer Firewall. Downloaded December 1, 2007 from
Goodin, D. (2007). California gov site invaded by smut and malware again. Downloaded December 5, 2007 from http://www.theregister.co.uk/2007/12/01/government_sites_serve_malware/
Granger, S. (2001). Social Engineering Fundamentals, Part I: Hacker Tactics. Downloaded December 7, 2007 from http://www.securityfocus.com/infocus/1527
Hu, J. (2000). RealNames' customer database hacked. 5, 2007 from http://www.news.com/2100-1023-236815.html
Infotap. (n.d.). Virus vs. Worm – What’s the Difference? Downloaded November 24, 2007 from http://www.infotap.org/virusworminfo.asp
Kelly, M. (2007). Chocolate the key to uncovering PC passwords. Downloaded December 7, 2007 from http://www.theregister.co.uk/2007/04/17/chocolate_password_survey/
Krebs, B. (2003). A Short History of Computer Viruses and Attacks. Downloaded November 23, 2007 from http://www.washingtonpost.com/ac2/wp-dyn/A50636-2002Jun26
Krebs, B. (2005). Hackers Break Into Computer-Security Firm's Customer. Downloaded December 5, 2007 from http://www.washingtonpost.com/wp-dyn/content/article/2005/12/19/AR2005121900928.html
Mitnick, K. (2001). My first RSA Conference. Downloaded December 7, 2007
Naraine, R. (2007). Super Bowl stadium site hacked, seeded with exploits. Downloaded December 5, 2007 from http://blogs.zdnet.com/security/?p=15
nmrc.org. (n.d.). Web Browser As Attack Tool. Downloaded December 9, 2007
Oltsik, J. (2005). The truth about database security. Downloaded December 5, 2007
Ranum, M. (2005). The Six Dumbest Ideas in Computer Security. Downloaded November 26, 2007 from http://www.marcusranum.com/security/computer_security/index.html
Ranum, M. (2007). Search Engine Stuffing Defacement. Downloaded December 9, 2007 from http://www.marcusranum.com/
Schneier, B. (2001). The Security Patch Treadmill. Downloaded November 26, 2007 from http://www.schneier.com/crypto-gram-0103.html
Techtarget.com. (n.d.). Teardrop Attack. Downloaded November 25, 2007 from
Tocheva, K. et al. (2001). F-Secure Virus Descriptions: Nimda. Downloaded November 24, 2007 from http://www.f-secure.com/v-descs/nimda.shtml
Wiedman, B. (n.d.). Database Security (Common-sense Principles). Downloaded December 5, 2007 from http://www.governmentsecurity.org/articles/DatabaseSecurityCommon-sensePrinciples.php
Zeller, T. (2005). Time Warner Says Data on Employees Is Lost. Downloaded December 7, 2007 from http://www.nytimes.com/2005/05/03/business/media/03warner.html?n=Top/News/Business/Companies/Time%20Warner%20Inc.