hostorials.com

Securing Your Web Presence (Part I)


Last year, more than 4800 sites around the world were defaced. While this may not seem like a large number when contrasted with the sheer volume of sites on the Internet today, it still works out to 13 per day. Surprisingly, however, many companies continue to be ignorant of the true state of the security of their site, or view the purchase of quality security software as a secondary concern. Many have even been lulled into thinking that the Internet is more secure now than it was a year ago, and consider their site to be secure simply because they themselves have not been the victim of an attack.

However, the recent high-profile defacements of MSN.com, eBay.com, and CNN.com have demonstrated that anyone is vulnerable, and that everyone should take measures to ensure that their Web presence is as secure as possible.

The fact of the matter is that you are ultimately responsible for your own security, as even the most perfect hardware and software in the world can be compromised by human error or human malice. It should be noted from the outset, however, that there is no such thing as a completely secure system, and that while many companies claim to provide “silver bullet” solutions, there is in reality no such thing. In general, however, there are two basic types of attacks that you should guard against.

Direct: A knowledgeable and targeted attack on your specific systems, whether from outside hackers or disgruntled insiders.

Indirect: General random attacks, usually in the form of computer viruses, worms, and Trojan horses.

While the knee-jerk reaction is to run out and purchase as much hardware and software as your budget can allow, it should be noted that it is possible to be “too secure.” Security measures inevitably extract a price, and will typically have an impact on how easy it is to use your servers.
Having to continually change and retype complex passwords for every operation, or use biometric measures such as retina, fingerprint, and voice scans can quickly bring production to a grinding halt if overdone. The key is to find the proper balance between security, price, and ease of implementation.

Plan before you purchase

It’s impossible to effectively secure a Web server without first evaluating the entire architecture of the network, as well as the hardware and software components that reside on it. Furthermore, the day-to-day operations of your business should also be considered, as the implementation of “soft” security measures, such as eliminating “god” users, can be extremely effective in securing your site. Bottom line: there’s more to securing your Web presence than simply throwing up a firewall, and there are some questions you should keep in mind when formulating your security architecture and policies.

Why do you need security?

While this may sound like an obvious question, different security measures are designed to protect different aspects of your site:

To prevent loss of data: You don’t want someone hacking into your system and destroying your customer records or intellectual property. Even if you have excellent back-up measures in place, you will still need to identify that the data has been damaged.

To prevent corruption of data: Even if an attack doesn’t wipe out all your data, partially corrupted data can be even harder to identify, and can lead to equally disastrous results, such as a cascade failure, where a failure on one system takes down an adjoining system and so on.

To prevent compromise of data: Sometimes the consequences can be more dire if your data is merely revealed instead of destroyed. Imagine the consequences if your financial data or other sensitive data ended up in the hands of competitors.

What do you need to protect?

It’s easy to spend a lot of money securing less-than-critical aspects of your Web presence, while mission-critical areas are left wide open to attack. Is the core of your business its intellectual property? Is your Web site a portal to your back-office servers, or merely a static archive of general data? Deciding which of your servers and competencies need securing, in order of priority, is the best way of clarifying your needs.

Top 7 Management Errors When Creating a Security Plan

1. Assuming the problem will go away if ignored.

2. Failure to realize the worth of one’s information and organizational reputation.

3. Failure to follow through on security repairs to ensure that any resolved problems stay fixed.

4. Focusing on physical security only, without considering the vulnerabilities of one’s business operations.

5. Relying primarily on a firewall.

6. Authorizing rapid, reactive, and short-term fixes that fail to address the security of the organization as a whole - so problems re-emerge in the future.

7. Assigning untrained people to manage security, providing them with neither the training nor the time to make it possible to do the job.

What are you protecting your site from?

All Web sites are potential targets, but it’s fairly easy to gauge the group who would be most interested in damaging yours. Are random “pedestrian” attacks from script kiddies and the like your greatest danger, or is there reason to fear a well-funded and sophisticated attack? Hackers who don’t care in the least about the nature of your business will generally just “rattle the doors” of your site and move on at the first sign of resistance, while a direct, targeted assault is launched for the purpose of tampering with your data. The answers to these questions will have an impact on the nature of the security you need.

What’s the worst that could happen?

Obviously, any successful attack could result in the loss of data, but for some businesses, losing data is the least of their worries (and they all generally have back-ups anyway). Recent data from Intel indicates that the company currently makes around $275,000 per hour through their Web site, which in the event of downtime would quickly cost them millions of dollars in lost sales.

Forrester Research estimates that the average cost of site downtime in the E-commerce industry is $8,000 per hour - but large sites like eBay and Amazon would lose a lot more.

What’s the best you can afford?

While having security for your site that’s virtually bulletproof makes good business sense, not every business will have the budget for a high-end solution. While it’s difficult to calculate the ROI of security measures, as it’s impossible to quantify an attack that never happened, you can prioritize which of your competencies is most at risk, and direct your financial resources at them first.

In our next installment of “Securing Your Web Presence,” TopHosts.Com compares the vulnerabilities of the leading operating systems.

  As Seen On: “Tophosts.com”

