|
|
Maintaining security of your web site is extremely important and getting more difficult to accomplish with each new web application or feature introduced on the market. Today’s technological advances mean that you continuously need to learn and understand even more information to protect your site from vulnerabilities. Any time your system is exposed to people, you risk attack. Security involves identifying, prioritizing, and mitigating that risk. This chapter discusses the methodology behind securing your system.
The Internet was not designed to be secure; it was invented by computer techies for use by computer techies. Because the concept of having to secure the environment wasn’t considered at the time, no security is built into the Internet Protocol version 4 (IPv4) stack. Since the Internet’s creation, an increasing number of attacks have occurred on systems every year. With all the worms, viruses, Trojan horses, hacking, cracking, and just plain sabotage going on, it seems that no end to security issues is in sight. Diligently keeping on top of these issues is the only way to protect yourself and your system, especially if you manage high-profile servers and applications.
Vulnerabilities can be generated from a variety of places for a variety of reasons, including the following:
Patch level installed on the application is insufficient for the level of protection required
Application is misconfigured
Virus detection software is out of date or missing
No firewall is present
Administrators are too trusting of personnel and permissions are set loosely
Physical security is lacking
Sensitive data is not encrypted
Interestingly enough, from a pure security perspective, the most effective attacks occur as a result of human vulnerabilities. Although worms and viruses can be destructive and can take down your system, the worst type of security problem can occur when an attacker from outside the system gains access to sensitive data by making privileged personnel believe the attacker is to be trusted. Here’s an example of how that can occur:
Joe: Hello?
Hacker: Hi, this is Bob from the help desk. We’re having an issue with the network, and we’ve traced it to your user ID.
Joe: Oh, no.
Hacker: Yes. Can you please verify your user ID for me?
Joe: Sure; it’s JoeUser99.
Hacker: Yes, that’s what I have here. Can I also verify your password?
Joe: Why, sure. It’s Nancy, my wife’s name.
Hacker: Alrighty then. Let me take care of this network issue. Thanks for all your help.
Joe: No problem.
Now the hacker has access to anything on the system to which Joe can access. The best software patching procedure in the world won’t help you in such cases.
First, you must have a good security methodology. While the methodology created is unique for each business, several key elements should be included:
Identification of the types of attacks you are likely to face
Identification of where those attacks may occur
Identification of potential vulnerabilities
Remediation procedures for attacks
Implementation of an intrusion detection system (IDS)
|
|