Keep Hackers Out of Your Web Site
More than 300 hacked Web pages are archived at AntiOnline, an information security services and "ethical hacking" group. And these just cover the first half of last year.
Your goal is to avoid having your Web site show up in this hall of shame. Otherwise, your dot-com business could lose face, transactions or consumer confidence.
Jeff Hormann, special agent in charge at the U.S. Army Criminal Investigations computer crime agency in Fort Belvoir, Va., knows the cost of Web site breaches. His department investigated an Army Web site hack last June, after a hacker group called Global Hell exploited a well-known weakness in the Army's Web server software and plastered it with red graffiti that read, "Global Hell won't die."
The incident cost the Army dearly in terms of negative publicity and investigative work.
"The cost of these things can be astronomical, depending on the severity of the intrusion," Hormann says. "It's not uncommon for a Web page alteration to run tens of thousands of dollars to repair."
There are many layers and flavors of Web site security, all of which depend on the function of your Web site. And for each layer, you're talking more money. So, the first step in protecting your Web site is to determine the value of the data that needs protecting -- a calculation best made by the business managers, not the IT department.
"A lot of times, the technologist will go to the budget people and say we need $50,000 to secure the Web site. But they think you're just wanting a new $50,000 toy," says Ian Poynter, founding president of Jerboa Inc., a computer security consulting firm in Cambridge, Mass.
"If you truly want to look at the value of your information, you need to involve the businesspeople, because they know how much the information is worth," Poynter says. "Then the technologist can say, 'I need $50,000 to secure $3 million worth of data.' "
Part of this calculation is based on the Web site's purpose.
At the very bottom level are Web servers that house public content, much liike the Army's server. These servers should run outside the corporate firewall so they act as a stand-alone box.
With no connection to the network, the threat to the rest of the network is contained and the cost of a breach is limited to public embarrassment and downtime.
If the Web server is damaged, you're also looking at the cost of replacement and data rebuilding. For this reason, information security experts strongly recommend keeping backup CDs of the server contents to bring the site back online at minimal cost.
A dual-purpose Web server with public and some sensitive content calls for a proportionately higher investment.
"I have an area on my Web site for customers to go in and pick up job proposals and other low-classified data. For this, encrypted user names and passwords are just enough protection," Poynter explains.
Once you start involving customers interactively, data value and protection costs rise sharply. So transactional systems such as online shopping and banking sites will require the highest investment.
"Getting your Web site defaced is just a small part of the Web security package. What's really important are confidentiality, availability and integrity. It's tough, because when you're looking after security for these systems, you must plug every hole," says Richard Ford, director of technology at Englewood, Colo.-based Verio Inc., a business Web site hosting and connectivity service provider that's home to more than 6,000 e-commerce sites, half of which are transactional.
Sites like these can't afford downtime. Nor can they afford breaches in their servers that allow access to consumer data and credit-card information. Not only should this Web site security policy focus on encrypting transactions, but data on the server must also be encrypted. And such companies must practice due diligence.
Take banking, for example. Currently, there are 3,000 bank and thrift Web sites on the Internet, 855 of which are transactional, according to the Federal Deposit Insurance Corp. (FDIC) in Washington.
"If banks are going to offer an Internet banking product, they have to think about data encryption, penetration testing and internal audits that examine procedures, policies, access controls and how the site is run," says Jeff Kopchik, a senior policy analyst at the FDIC. "Banks need to sit down and plan for this during development. They need to budget for continued expenses. They'll need money to upgrade, review and resecure sites on an ongoing basis."
It's a tough task, made more complex by the very nature of the systems you're trying to secure. Attackers can violate a Web site in thousands of ways.
Crackers start by looking for common Web server flaws that often go unpatched, according to John Green, program manager for the Shadow Intrusion Detection Team at the Naval Surface Warfare Center in Vahlgren, Va.
Common problems on Web servers include overly permissive common gateway interface (CGI) bins -- a directory that administrators put executables in to help run the Web site -- that hackers can exploit to gain root control of the server. There are also holes in application server gateways that can be exploited, along with hundreds of other vulnerabilities that, if unpatched, can lead to full control of the Web server.
For best security, strip the Web server down to only those services actually needed to run the server and delete unnecessary CGI scripts, says "Weld," a nonmalicious hacker and a member of the hacker/consulting firm the l0pht in Boston. "If the code isn't running, an attacker can't exploit it," he adds.
If crackers can't get in by exploiting a Web server, they'll attack the operating system itself. The leading operating systems (Windows NT, Unix, Solaris, Linux) are also riddled with security holes, often overlooked by administrators.
A favorite attack on the operating system is a buffer overflow -- flooding a buffer with too many data streams and dazing it into allowing attackers in at root level. Another common attack method is "session hijacking," in which the hacker spoofs his IP address to take over the identity of a trusted machine. Crackers are also fond of corrupting the domain name server to assume the identity of a connected IP address.
According to "Mudge," another consultant with the l0pht, who won't use his real name, the best protection for operating system vulnerabilities is to tighten permissions and put the Web server behind a filtering device that would only allow Internet connections onto HTTP Port 80. Remote administration and connections should pass over a different network connection that isn't reachable from the Internet.
Even online shopping cart applications can be exploited. Shopping applications are often poorly coded, says Mudge. They can be manipulated to accept file uploads or be used to modify or execute commands on the system.
David Strom, an Internet and networking consultant in Port Washington, N.Y., published a new way to hack shopping cart applications in an Oct. 11 newsletter. He showed how to dupe the shopping cart application into selling a product for $0.
"The message here is, if you're going to put up a Web storefront, be careful," Strom says. "Know what you're doing and secure properly against people ripping you off in a number of ways. You have to know all possible entry points."
Thus, if security is important to you, then audit the source code of your shopping cart and Web applications running to make sure they're properly sanitized and don't have buffer overflows, Mudge adds.
But even with the best protection policies in place, bulletproof security is never attainable because of factors such as human error, new vulnerabilities and the public nature of Web sites.
"If you're making a Web page, you're inviting people in. That's what Web pages are for," the Army's Hormann explains. "Hackers are also invited guests. They just take more liberties than they should. That's why webmasters need to be smart in the way they set up their Web pages."
When looking at Web site security, you have to ask: Whatt would it cost your company if you don't get tough on security?