Threats and Impacted Parties

Anyone who watches the news or has any exposure to the web knows that computer security is a major issue these days. Whether it's the latest email attack, defacing and crashing websites , or identity theft, these items make the news. However, more often than not, hacking is an inside job and it doesn't make the national news, but nevertheless, a security comprise has happened and data has been changed, deleted, or copied . Statistically speaking, most security compromises happen internally and are never reported to the police. Reasons typically are because either the organization doesn't know it has been hacked or if it does find out it's "easier" to hide the crime than to report it.

Threats

Here's a list of items that really do happen every day, and as a web administrator you'll likely encounter them at some point.

• Nosy or disgruntled employee or customer uses her inside knowledge and access of the system to attempt to cause damage or corrupt or steal data. These are tough to defend against and often you never know you've been compromised.

• A computer criminal accesses your system and gets credit card information about the customers, customer identity information, or bank account numbers . Companies and individuals have lost large amounts of money as a result of these data compromises.

• Computer virus of some sort gets into your system and causes damage. This is most common with email systems.

• A scripted attack scans your machines and attempts to access it via known vulnerabilities and security holes. Your system may not have been targeted specifically , but if a vulnerability is exposed it will attract the attention of those responsible. Even if a patch or work-around for the vulnerability is available, it's useless if you didn't apply it.

• A competitor or group opposed to your organization or business wants to access your system to gain and corrupt data. Corporate espionage is a reality.

• The same competitor or group opposed to your organization or business decides they don't care about your data, and that they just want to crash your site and drive customers away. So they launch a Denial of Service (DoS) attack against your system.

• The traditional "hacker" who just wants to see if he can break into your system. Or if you're less fortunate, it's a "cracker," who, after she breaks into your system, decides to cause damage. This can be the stereotypical teenage "computer nerd" breaking into systems for fun. And once she has broken into your system undetected, she will tell her friends how to get into it, too.

• Some systems, both government and commercial, are the targets of terrorists and foreign powers. These types of hackers are not just in the movies and they really do exist. If you manage important systems, you're obligated to take appropriate actions to guard against these threats.

• Internal security audits and intrusion tests by your own organization can make you look bad if your system fails a test. This is common in many organizations and it theoretically helps your system become more secure, but no one wants to look bad in front of her boss or colleagues.

Finally, if the preceding items didn't convince you that security was important, keep in mind that if you're the administrator and it was your system compromised, it can easily cost you your job if it comes out that you didn't take reasonable security precautions .

Everyone Is Impacted

There are so many ways to compromise a system that you have to guard against it at every level. You cannot just say, "I'm the web administrator so I don't care about operating system or application security issues." From an administration perspective, everyone's fate is tied together and everyone is impacted if a security breach occurs. For example, if a hacker exploits an operating system vulnerability because an unneeded port or service was left open , the following people are impacted:

• System administrators. Your server has been compromised. How far did the hacker get and did he access other servers, too, from this one? How long has he been on the system and what did he change or do?

• Web administrators. Did she change anything on the website and did she use the machine to hack into other systems? Was there any critical data on the web server, even in the form of cached content that could have been accessed?

• Database administrators. The database may be on another server, but all the JDBC database connection (usernames and passwords) information and Oracle Net Services (SQL*Net) software was on the web server. Did the hacker get access into the database and if so, what did he see or change?

• Network administrators. You know the compromised server was on X network. From that location, what other servers and system were accessible to the hacker? What was she able to see from that machine?

• Application developers. Are there any security holes within the system or data that the hacker now has access to?

• Management. You know there was an intrusion, but how bad was it? Did he do any damage or collect any data? The system holds personal information about thousands of customers including credit card information. What is the legal liability if the information was compromised? Are you, as a company, obligated to notify the customers that there may be a problem and incur the customer backlash ? Is it appropriate to contact the police and will the press find out about this?

As you can see, many people in your organization will be impacted if a hack is even suspected. Given this wide- ranging impact, prevention and risk reduction is your best approach.

Unfortunately, a complete discussion of computer security is outside the scope of this book and the topic itself could fill several books. Indeed, computer security represents a full-time job for many people and an entire, thriving industry.

In this chapter I'll show you the fundamentals so you won't be an easy target and become a hacker's dream come true.