January 03, 2001, 9:37 AM — More than 300 hacked Web pages are archived at AntiOnline, an information security services and "ethical hacking" group. And these just cover the first half of last year.
Your goal is to avoid having your Web site show up in this hall of shame. Otherwise, your dot-com business could lose face, transactions or consumer confidence.
Jeff Hormann, special agent in charge at the U.S. Army Criminal Investigations computer crime agency in Fort Belvoir, Va., knows the cost of Web site breaches. His department investigated an Army Web site hack last June, after a hacker group called Global Hell exploited a well-known weakness in the Army's Web server software and plastered it with red graffiti that read, "Global Hell won't die."
The incident cost the Army dearly in terms of negative publicity and investigative work.
"The cost of these things can be astronomical, depending on the severity of the intrusion," Hormann says. "It's not uncommon for a Web page alteration to run tens of thousands of dollars to repair."
There are many layers and flavors of Web site security, and which ones you need depends on what your Web site does. Each added layer costs more money. So the first step in protecting your Web site is to determine the value of the data that needs protecting -- a calculation best made by the business managers, not the IT department.
"A lot of times, the technologist will go to the budget people and say we need $50,000 to secure the Web site. But they think you're just wanting a new $50,000 toy," says Ian Poynter, founding president of Jerboa Inc., a computer security consulting firm in Cambridge, Mass.
"If you truly want to look at the value of your information, you need to involve the businesspeople, because they know how much the information is worth," Poynter says. "Then the technologist can say, 'I need $50,000 to secure $3 million worth of data.' "
Part of this calculation is based on the Web site's purpose.
At the very bottom level are Web servers that house only public content, much like the Army's server. These servers should sit outside the corporate firewall, on their own segment rather than on the internal network, so that each acts as a stand-alone box.
With no path into the internal network, a compromised server can't be used as a springboard to the rest of the company, and the cost of a breach is limited to public embarrassment and downtime.
If the Web server is damaged, you're also looking at the cost of rebuilding the system and reloading its content. For this reason, information security experts strongly recommend keeping a copy of the server's contents on read-only media such as CDs, so the site can be brought back online at minimal cost and the restored pages can be trusted not to carry the intruder's changes.
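The offline copy is more useful when it carries a per-file hash manifest, because the same copy then tells you whether the live site has been altered and lets you rebuild it without guessing which pages the intruder touched. The script below is an added example written for this page, not code from the article or from AntiOnline or the Army; it assumes POSIX sh with GNU coreutils (sha256sum, find, cp, awk), uses illustrative paths under /tmp, and constructs a tiny sample site so it runs offline. In practice the backup directory it writes would be burned to a CD-ROM, since a manifest left on the same writable disk can be edited by whoever defaced the pages.

```shell
#!/bin/sh
# Added example (not from the article): keep a pristine copy of the web root
# plus a SHA-256 manifest, detect a defacement, and rebuild the site from the copy.
# Assumptions: POSIX sh, GNU coreutils; file names without spaces; paths below
# are illustrative. The sample site and the "defacement" are constructed here.

WEBROOT="${WEBROOT:-${TMPDIR:-/tmp}/demo-webroot.$$}"   # live document root (assumed path)
BACKUP="${BACKUP:-${TMPDIR:-/tmp}/demo-backup.$$}"      # offline copy; a CD-ROM in practice
MANIFEST="$BACKUP/MANIFEST.sha256"

# Constructed sample site so the script can run offline.
make_sample_site() {
    rm -rf "$WEBROOT" "$BACKUP"
    mkdir -p "$WEBROOT/images"
    printf '<html><body>Welcome</body></html>\n' > "$WEBROOT/index.html"
    printf 'GIF89a-placeholder\n' > "$WEBROOT/images/logo.gif"
}

# Sorted list of regular files under the web root, as ./relative paths.
list_files() {
    (cd "$WEBROOT" && find . -type f | LC_ALL=C sort)
}

# Take the golden copy: duplicate the content and record one hash per file.
snapshot_site() {
    mkdir -p "$BACKUP/content"
    cp -R "$WEBROOT/." "$BACKUP/content/"
    (cd "$WEBROOT" && find . -type f | LC_ALL=C sort | xargs sha256sum) > "$MANIFEST"
}

# Compare the live tree against the manifest. Prints modified, missing and
# unexpected files; returns 0 only when the tree matches the snapshot exactly.
check_site() {
    status=0
    # Modified or missing files: sha256sum -c prints each failure and exits nonzero.
    (cd "$WEBROOT" && sha256sum -c --quiet "$MANIFEST") || status=1
    # Files absent from the manifest: a defacement often adds a page rather than
    # editing one, and sha256sum -c would never look at it.
    expected=$(awk '{print $2}' "$MANIFEST")
    actual=$(list_files)
    if [ "$expected" != "$actual" ]; then
        echo "file list differs from manifest (< expected, > live):"
        tmp_e=$(mktemp); tmp_a=$(mktemp)
        printf '%s\n' "$expected" > "$tmp_e"
        printf '%s\n' "$actual" > "$tmp_a"
        diff "$tmp_e" "$tmp_a" || true
        rm -f "$tmp_e" "$tmp_a"
        status=1
    fi
    return $status
}

# Constructed defacement for the demo: one page overwritten, one page added.
deface_site() {
    printf '<html><body>defaced</body></html>\n' > "$WEBROOT/index.html"
    printf 'owned\n' > "$WEBROOT/hacked.html"
}

# Rebuild the document root from the offline copy. Wipe first so that pages
# the intruder added disappear along with the ones they changed.
restore_site() {
    rm -rf "$WEBROOT"
    mkdir -p "$WEBROOT"
    cp -R "$BACKUP/content/." "$WEBROOT/"
}

# Stand-alone walkthrough:  sh site-integrity.sh demo
run_demo() {
    make_sample_site
    snapshot_site
    check_site && echo "baseline OK"
    deface_site
    check_site || echo "defacement detected, restoring"
    restore_site
    check_site && echo "restored OK"
    rm -rf "$WEBROOT" "$BACKUP"
}

case "${1:-}" in demo) run_demo ;; esac
```

Run `check_site` from cron against the mounted CD and page someone when it returns nonzero; the manifest is the cheapest defacement detector a public server can have, and restoring from the same read-only copy means the rebuilt site is known-good rather than a cleaned-up guess. The script does not patch the Web server software that let the intruder in, so a restore without that fix only buys time until the next visit.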
A dual-purpose Web server with public and some sensitive content calls for a proportionately higher investment.