"I have an area on my Web site for customers to go in and pick up job proposals and other low-classified data. For this, encrypted user names and passwords are just enough protection," Poynter explains.
Once you start involving customers interactively, data value and protection costs rise sharply. So transactional systems such as online shopping and banking sites will require the highest investment.
"Getting your Web site defaced is just a small part of the Web security package. What's really important are confidentiality, availability and integrity. It's tough, because when you're looking after security for these systems, you must plug every hole," says Richard Ford, director of technology at Englewood, Colo.-based Verio Inc., a business Web site hosting and connectivity service provider that's home to more than 6,000 e-commerce sites, half of which are transactional.
Sites like these can't afford downtime. Nor can they afford breaches of their servers that expose consumer data and credit-card information. A Web site security policy for such sites should focus not only on encrypting transactions but also on encrypting the data stored on the server. And such companies must practice due diligence.
Take banking, for example. Currently, there are 3,000 bank and thrift Web sites on the Internet, 855 of which are transactional, according to the Federal Deposit Insurance Corp. (FDIC) in Washington.
"If banks are going to offer an Internet banking product, they have to think about data encryption, penetration testing and internal audits that examine procedures, policies, access controls and how the site is run," says Jeff Kopchik, a senior policy analyst at the FDIC. "Banks need to sit down and plan for this during development. They need to budget for continued expenses. They'll need money to upgrade, review and resecure sites on an ongoing basis."
It's a tough task, made more complex by the very nature of the systems you're trying to secure. Attackers can violate a Web site in thousands of ways.
Crackers start by looking for common Web server flaws that often go unpatched, according to John Green, program manager for the Shadow Intrusion Detection Team at the Naval Surface Warfare Center in Dahlgren, Va.
Common problems on Web servers include overly permissive common gateway interface (CGI) bins -- the directory of executables that administrators install to help run the Web site -- that hackers can exploit to gain root control of the server. There are also exploitable holes in application server gateways, along with hundreds of other vulnerabilities that, if left unpatched, can lead to full control of the Web server.
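The over-permissive CGI directory Green describes is something an administrator can check for directly. The script below is an added example, not code from the article or from any of the companies it quotes: it walks a cgi-bin directory and flags the settings that let someone other than the administrator replace or plant an executable the Web server will run (world-writable scripts, a world-writable directory, setuid/setgid binaries, and symlinks pointing out of the directory). The `build_sample_cgi_bin` helper creates a constructed temporary directory with one clean script and two risky ones so the audit can be run offline; the file names are made up for the example.

```python
"""Audit a CGI directory for permission problems.

Added example (not from the article). An overly permissive cgi-bin lets
an attacker swap in or add an executable that the Web server then runs
with its own privileges, so the audit looks for exactly those settings.
"""
import os
import stat
import tempfile
from typing import List, Tuple


def audit_cgi_bin(path: str) -> List[Tuple[str, str]]:
    """Return sorted (relative_path, problem) findings for the tree at `path`."""
    findings: List[Tuple[str, str]] = []

    # A world-writable directory lets anyone create or rename files in it,
    # which is as bad as a world-writable script.
    if os.stat(path).st_mode & stat.S_IWOTH:
        findings.append((".", "directory is world-writable"))

    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, path)
            mode = os.lstat(full).st_mode  # lstat: do not follow symlinks

            if stat.S_ISLNK(mode):
                # A symlink can point at a file outside the directory the
                # administrator thinks is being served.
                findings.append((rel, "symlink inside cgi-bin"))
                continue
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable executable"))
            if mode & stat.S_ISUID:
                findings.append((rel, "setuid executable"))
            if mode & stat.S_ISGID:
                findings.append((rel, "setgid executable"))
    return sorted(findings)


def build_sample_cgi_bin(world_writable_dir: bool = False) -> str:
    """Create a constructed sample cgi-bin tree and return its path.

    Contains a correctly permissioned script and two risky ones; the
    names are invented for this example.
    """
    base = tempfile.mkdtemp(prefix="cgi-bin-")

    def write_script(name: str, mode: int) -> None:
        p = os.path.join(base, name)
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho Content-Type: text/plain\necho\necho ok\n")
        os.chmod(p, mode)

    write_script("ok.cgi", 0o755)        # owner-writable only: fine
    write_script("upload.cgi", 0o777)    # world-writable: anyone can replace it
    write_script("admin.cgi", 0o4755)    # setuid: runs as the file owner
    os.chmod(base, 0o777 if world_writable_dir else 0o755)
    return base


if __name__ == "__main__":
    sample = build_sample_cgi_bin(world_writable_dir=True)
    for rel, problem in audit_cgi_bin(sample):
        print(f"{rel}: {problem}")
```

Run it against a real server's CGI directory by calling `audit_cgi_bin("/path/to/cgi-bin")`; an empty result means none of these specific permission problems were found, not that the scripts themselves are free of flaws.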