For best security, strip the Web server down to only those services actually needed to run the server and delete unnecessary CGI scripts, says "Weld," a nonmalicious hacker and a member of the hacker/consulting firm the l0pht in Boston. "If the code isn't running, an attacker can't exploit it," he adds.
If crackers can't get in by exploiting a Web server, they'll attack the operating system itself. The leading operating systems (Windows NT, Unix, Solaris, Linux) are also riddled with security holes, often overlooked by administrators.
A favorite attack on the operating system is a buffer overflow: sending a program more data than its buffer can hold so that the excess corrupts adjacent memory and lets the attacker in at root level. Another common attack method is "session hijacking," in which the hacker spoofs his IP address to take over the identity of a trusted machine. Crackers are also fond of corrupting the domain name server so that a machine they control assumes the identity of a trusted IP address.
According to "Mudge," another consultant with the l0pht, who won't use his real name, the best protection for operating system vulnerabilities is to tighten permissions and put the Web server behind a filtering device that allows Internet connections only to HTTP port 80. Remote administration and connections should pass over a different network connection that isn't reachable from the Internet.
Even online shopping cart applications can be exploited. Shopping applications are often poorly coded, says Mudge. They can be manipulated to accept file uploads or be used to modify or execute commands on the system.
David Strom, an Internet and networking consultant in Port Washington, N.Y., published a new way to hack shopping cart applications in an Oct. 11 newsletter. He showed how to dupe the shopping cart application into selling a product for $0.
"The message here is, if you're going to put up a Web storefront, be careful," Strom says. "Know what you're doing and secure properly against people ripping you off in a number of ways. You have to know all possible entry points."
Thus, if security is important to you, audit the source code of the shopping cart and other Web applications you run to make sure input is properly sanitized and there are no buffer overflows, Mudge adds.
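As an added illustration of the shopping-cart weakness and the audit advice above (constructed example, not code from the article or from Strom's newsletter): a checkout handler that takes the price from the submitted form beside one that looks it up server-side and validates every field. That the cart trusts a client-supplied `price` field is an assumption about how such a $0 sale could happen, not a description of Strom's specific technique; `CATALOGUE`, `total_insecure` and `total_secure` are hypothetical names.

```python
"""Shopping-cart price handling: the untrusted-input mistake beside its fix.

Constructed example. Assumes a CGI-style handler that receives the submitted
form fields as a dict of strings. The trusted 'price' field is an assumed
mechanism, not Strom's published one.
"""
from decimal import Decimal

# Server-side catalogue: the only legitimate source of prices (constructed).
CATALOGUE = {
    "SKU-100": Decimal("49.95"),
    "SKU-200": Decimal("12.00"),
}

MAX_QTY = 99


class RejectedOrder(ValueError):
    """Raised when the submitted form does not pass server-side checks."""


def total_insecure(form: dict) -> Decimal:
    """Vulnerable: the price comes from the client's form fields, so a
    shopper who edits the form (e.g. a hidden 'price' input) sets the total."""
    return Decimal(form["price"]) * int(form["qty"])


def total_secure(form: dict) -> Decimal:
    """Hardened: the client may only choose *what* and *how many*; the
    price is looked up server-side and every field is validated."""
    sku = form.get("sku", "")
    if sku not in CATALOGUE:
        raise RejectedOrder(f"unknown SKU {sku!r}")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise RejectedOrder("quantity is not an integer")
    if not 1 <= qty <= MAX_QTY:
        raise RejectedOrder(f"quantity {qty} out of range")
    # Any client-supplied 'price' field is ignored, never merged into the order.
    return CATALOGUE[sku] * qty


if __name__ == "__main__":
    tampered = {"sku": "SKU-100", "qty": "1", "price": "0"}  # constructed input
    print("insecure total:", total_insecure(tampered))  # 0
    print("secure total:", total_secure(tampered))      # 49.95
```

The audit point in the text maps directly onto the difference between the two functions: anything the client can submit must be treated as a choice to validate, never as a value to trust.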
But even with the best protection policies in place, bulletproof security is never attainable because of factors such as human error, new vulnerabilities and the public nature of Web sites.
"If you're making a Web page, you're inviting people in. That's what Web pages are for," the Army's Hormann explains. "Hackers are also invited guests. They just take more liberties than they should. That's why webmasters need to be smart in the way they set up their Web pages."
When looking at Web site security, you have to ask: What would it cost your company if you don't get tough on security?