Web servers are unfortunately prone to security risks. And so are any networks to which those servers are connected. Setting aside risks created by employee use or misuse of network resources, your web server and the site it hosts present your most serious sources of security risk.
Web servers by design open a window between your network and the world. The care taken with server maintenance, web application updates and your web site coding will define the size of that window, limit the kind of information that can pass through it and thus establish the degree of web security you will have.
"Web security" is relative and has two components, one internal and one public. Your relative security is high if your company or site has few resources of value or interest and your network is set up with accurate, tight permissions, your web server is up to date and has all settings done correctly, your applications on the web server are all patched and updated, and your web site code is done to high normal standards.
Your web security is relatively lower if your company has large data assets or your web site content is controversial, your servers, applications and site code are complex or old and are maintained by an underfunded or outsourced IT department. All IT departments are budget challenged and tight staffing often creates deferred maintenance issues that play into the hands of any who want to challenge your web security.
A Quick Note Regarding a Web Security Solution
We are going to present an elegant, permanent solution to web security that fits your budget, will be well received by IT and will make unauthorized access to your network via the web so difficult that, when compared to unauthorized access by your own staff, it will become effectively negligible. Read on, or just jump to the end!
Web Security Risk - Should You Be Worried?
If you have assets of importance or if anything about your site puts you in the public spotlight then your web security will be tested. We hope that the information provided here will prevent you and your company from being embarrassed - or worse.
It's well known that poorly written software creates security issues. Even with well written code, the number of bugs that could create web security issues is directly proportional to the number and complexity of your web applications and the number of services provided on your web server. Basically, all complex programs either have bugs or at the very least weaknesses. Web servers are inherently complex programs and more than ever before web sites are themselves complex and intentionally invite ever greater interaction with the public. And so the opportunities for security holes are many, nearly unavoidable and growing.
Technically, the very same programming that increases the value of a web site, namely interaction with visitors, also allows CGI scripts or SQL commands to be executed on your web and database servers in response to visitor requests. Any web-based form or script installed at your site may have weaknesses or outright bugs and every such issue presents a web security risk.
Contrary to 'common knowledge' the balance between allowing web site visitors some access to your corporate resources through a web site and keeping unwanted visitors out of your private information and internal network is a delicate one. There is no one setting, no single switch to throw that sets the security hurdle at the proper level. There are dozens if not hundreds of settings in a web server alone and then each service, application and open port on the server adds another layer of settings. And then the web site code adds yet another layer... you get the picture.
Add to that the different permissions you will want to grant visitors, prospects, customers, partners and employees. The number of variables regarding web security rapidly escalates.
A web security issue is faced by site visitors as well. A common web site attack involves the silent and concealed installation of code that will exploit the browsers of visitors. The site is not the end target at all. There are at this time many thousands of web sites out there that have been compromised and which have such code installed. The owners have no idea that anything has been added to their sites and that their visitors are at risk. In the meantime visitors are being subjected to attack and successful attacks are installing nasty code onto the visitor's computer.
Web Server Security
The world's most secure web server is the one that is turned off. Simple, bare-bones web servers that have few open ports and few services on those ports are the next best thing. This just isn't an option for most site owners. Powerful and flexible operating systems are required to run complex sites and these are naturally more subject to web security issues.
Any system with multiple open ports, multiple services and multiple scripting languages is vulnerable simply because it has so many points of entry to defend.
If your server has been correctly configured and your IT staff has been very punctual about applying security patches and updates then your risks at the server level are mitigated. But then there is the matter of the third party applications you are running. These too require frequent updates. And last there is the web site code itself.
Web Site Code and Web Security
Your site undoubtedly provides some means of communication with its visitors. In every circumstance that interaction is possible you have a potential web security vulnerability. Web sites often invite visitors to:
- Load a new page containing dynamic content
- Search for a product or location
- Fill out a contact form
- Search the site content
- Use a shopping cart
- Create an account
- Log on to an account
In each case noted above your web site visitor is effectively sending a command to or through your web server - very likely to a database. In each opportunity to communicate, such as a form field, correctly written code will allow only a very narrow range of commands or information type to pass - in or out. This is ideal web security. However, these limits are not native to the languages in which the forms are written. It takes well trained programmers a good deal of time to write code that allows all expected and needed data to pass and disallows all unexpected or potentially harmful data.
And there lies the problem. Code on your site has come from a variety of programmers, some of whom work for third party vendors. Some of that code is old, perhaps very old. Your site may be running software from half a dozen sources, and then your own site designer and your webmaster have each produced more code of their own, or made revisions to another's code that may have altered or eliminated the required web security limitations.
Add to that the software that may have been purchased and used years ago and which is not in current use. Many servers have accumulated applications and code that is no longer in use and with which nobody on your current staff is familiar. This code is not easy to find, is about as valuable as an appendix and has not been patched or updated - but it may be exactly what a hacker is looking for!
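The narrow per-field limits described in this section can be written down explicitly. The following is an added example, not code from the original article: the field names, patterns and product table are constructed for illustration. It pairs an allow-list check on each form field with a bound SQL parameter, so that text which passes the check is still only ever handled as data.

```python
import re
import sqlite3

# Allow-list rules per form field (constructed for this example): each field
# accepts only the narrow shape of data the application actually needs.
FIELD_RULES = {
    "product_id": re.compile(r"[0-9]{1,8}"),
    "zip_code": re.compile(r"[0-9]{5}(-[0-9]{4})?"),
    "search": re.compile(r"[A-Za-z0-9 '\-]{1,40}"),
}

def validate(field, value):
    """Return the value if it fully matches the field's rule, else raise."""
    rule = FIELD_RULES.get(field)
    if rule is None:
        raise ValueError(f"unexpected field: {field!r}")
    if not isinstance(value, str) or rule.fullmatch(value) is None:
        raise ValueError(f"rejected value for {field!r}")
    return value

def make_catalog():
    """Build an in-memory catalog with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [(1, "Widget"), (2, "O'Brien's Gadget"), (3, "Gizmo")])
    return db

def search_products(db, form):
    """Validate the search field, then query with a bound parameter so the
    visitor's text is passed to the database as data, never as SQL."""
    term = validate("search", form.get("search"))
    rows = db.execute(
        "SELECT name FROM products WHERE name LIKE '%' || ? || '%' ORDER BY id",
        (term,),
    ).fetchall()
    return [name for (name,) in rows]

if __name__ == "__main__":
    catalog = make_catalog()
    print(search_products(catalog, {"search": "O'Brien"}))
    print(search_products(catalog, {"search": "' OR 'a"}))
```

The search field has to allow an apostrophe for names such as O'Brien, which is why the allow-list alone is not enough and the query parameter is bound rather than concatenated.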
Again, we do want to offer a simple solution, so take a deep breath!
Known Web Security Vulnerabilities and Unknown Vulnerabilities
As you know there are a lot of people out there who call themselves hackers. You can also easily guess that they are not all equally skilled at their 'sport'. As a matter of fact, the vast majority of them are simply copycats. They find out about a technique that was devised by someone else and they use it to break into a site that is interesting to them, often just to see if they can do it. These copycats use techniques that were discovered months, if not years ago and which have been widely discussed in security literature and for which there are well established solutions or patches which prevent them. These are called KNOWN vulnerabilities.
Only a very small number of hackers are actually capable of discovering a brand new way to overcome a web security obstacle. Given the work being done by tens of thousands of people worldwide to improve security, it is not easy to discover a brand new method of attack. Hundreds, sometimes thousands of man-hours might be put into developing a new exploit. Rarely does someone just happen upon some new exploit. Until their new technique is actually used the first time and is discovered, it is considered an UNKNOWN vulnerability.
Countering and attempting to eliminate any return on this hacking investment you have a multitude of web security entities. These public and private groups watch for and share information about newly discovered exploits so that an alarm can be raised and defense against them can be put in place quickly. The broad announcement of a new, previously UNKNOWN exploit makes it a KNOWN one.
The outcome of this contest of wills, so to speak, is that exploits become known and widely documented very soon after they are first used and discovered. So at any one time there are thousands (perhaps tens of thousands) of known exploits and only a very few unknown. And those few unknown exploits are usually used at first on one, or at most just a very few, highly valuable targets so as to reap the greatest return before discovery, because once discovered and known their usefulness and value are greatly diminished.
Your Greatest Web Security Risks: Known or Unknown?
Your site is 10,000 times more likely to be attacked with a known exploit than an unknown one. And the reason behind this is simple: There are so many known exploits, and the complexity of web servers and web sites is so great that the chances are good that at least one of these already known vulnerabilities is currently present on your site and server and will allow an attacker some degree of unwanted access.
The number of sites worldwide is so great and the number of new, as yet undocumented and thus unknown exploits so small that your chances of being attacked with an unknown one are nearly zero.
Web Security Defense Strategies
A successful strategy for the defense of your web site and the assets that support it from a web-based attack should include a balance between offense and defense.
At one extreme you might assign all of the resources needed to maintain constant alert to new security issues, see that all patches and updates are done at once, have all of your existing code reviewed for correct security, ensure that only correctly qualified programmers do work on your site and have their work checked carefully by security professionals. This is pure defense and as most empires have discovered just building bigger walls doesn't keep the hordes out very well.
On the other hand, you might test your existing equipment, applications and web site code to see if a KNOWN vulnerability actually exists. It is easier to correct for an actual, existing risk than it is to do the dozens (if not hundreds) of updates and patches specified by vendors, most of which are not needed in a particular server. Testing is a viable strategy to the degree that such testing is done frequently against a complete database of vulnerabilities that is also being updated as fast as new exploits are being discovered.
If one had to employ just one of these strategies, complete diligence in wall building, or complete testing, it has been seen that good and complete testing will produce a higher level of web security. This is proven by the number of perfectly patched servers and well defended web sites which get hacked every month and the much lower number of properly tested web sites which have been successfully compromised.
Web Security Using a Web Site Security Audit
Your best defense against a web-based attack is to rigorously test a competently set up server that is running current application versions and whose web site code was done well.
Web site testing, also known as scanning or auditing, is a service provided by Beyond Security which we call WSSA - Web Site Security Audit. This service requires no installation of software or hardware and is done without any interruption of web services.
Beyond Security staff has been accumulating known issues for many years and has compiled what is arguably the world's most complete database of security vulnerabilities. Each attack has a known combination of web site weaknesses that must be present for the exploit to be accomplished. Thus by examining a server for the weaknesses, the open port, out of date service and/or poorly written code that each known exploit requires, it is a simple matter to determine if a server is open to attack using that method.
In a matter of hours, WSSA can run through its entire database of tens of thousands of vulnerabilities and can report on which few are present. With that data in hand you and your staff can address your actual web security vulnerabilities and when they are handled be certain that your site is completely free of known issues. Regardless of what updates and patches may have been done, what condition your code is in or what unused code may reside, hidden, on your site or web server you can document that your site has been properly secured.
WSSA is designed to be run daily so that your site will be tested against new vulnerabilities as they become known, providing you with solid data as to whether any exist and their relative severity. You will also be alerted if new code has been added to the site that is insecure, a new port has been opened that was unexpected, or a new service started that may present a hacker the opportunity to break in.
In complex, large systems it may be that daily testing is the ONLY way to ensure that none of the many changes made by any one of many people on many applications may have opened a hole in your carefully established security perimeter!
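The two ideas in this section, matching a server against the conditions each known issue requires and re-checking daily for unexpected new ports or services, can be sketched together. This is an added example and not Beyond Security's WSSA code: the snapshots, service names, versions and issue identifiers below are all constructed placeholders.

```python
# Constructed snapshots of one server's exposed services on two consecutive
# days: port -> (service name, version). All names and versions are invented.
YESTERDAY = {80: ("http-example", "2.4"), 443: ("http-example", "2.4")}
TODAY = {80: ("http-example", "2.4"), 443: ("http-example", "2.4"),
         21: ("ftp-example", "1.0"), 8080: ("admin-console", "3.1")}

# Constructed vulnerability database: an issue applies only when the named
# service is exposed at a version below the one that fixed it.
KNOWN_ISSUES = [
    {"id": "EXAMPLE-0001", "service": "ftp-example", "below": (1, 2), "severity": "high"},
    {"id": "EXAMPLE-0002", "service": "http-example", "below": (2, 2), "severity": "medium"},
    {"id": "EXAMPLE-0003", "service": "admin-console", "below": (9, 0), "severity": "high"},
]

def parse_version(text):
    """Turn '2.4' into (2, 4) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def new_exposure(before, after):
    """Ports open now that were closed before, and ports whose service or
    version changed since the previous snapshot."""
    opened = sorted(p for p in after if p not in before)
    changed = sorted(p for p in after if p in before and after[p] != before[p])
    return opened, changed

def applicable_issues(snapshot, issues):
    """Known issues whose required conditions are actually present.
    Returns (port, issue id, severity) tuples in port order."""
    findings = []
    for port, (service, version) in sorted(snapshot.items()):
        for issue in issues:
            if issue["service"] == service and parse_version(version) < issue["below"]:
                findings.append((port, issue["id"], issue["severity"]))
    return findings

def daily_report(before, after, issues):
    """Combine the diff and the issue match; 'fresh' holds findings on ports
    that were opened or changed since the previous run."""
    opened, changed = new_exposure(before, after)
    findings = applicable_issues(after, issues)
    fresh = [f for f in findings if f[0] in opened or f[0] in changed]
    return {"opened": opened, "changed": changed,
            "findings": findings, "fresh": fresh}

if __name__ == "__main__":
    print(daily_report(YESTERDAY, TODAY, KNOWN_ISSUES))
```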