COMMON WEBSITE SECURITY MEASURES

Now let’s examine in detail some of the more common security measures you can take to protect your website from attack by hackers, vandals or other trespassers.

Routers

Be sure that your router is appropriately configured. A router is an electronic device or, in some cases, software in a computer, that forwards traffic (i.e. data) between networks. The forwarding is based on network layer information and routing tables. A router is designed to route packets efficiently and reliably, but not securely. Thus, although it is a layer in your security package, a router should not be used alone as a method for implementing a security policy.

DENIAL OF SERVICE ATTACK

One of the most common types of security attack is what is called a “denial-of-service” attack, i.e. an attacker or attackers use various means to prevent legitimate website users from accessing a site. The problem is that the latest forms of denial of service attacks are difficult to counter since they can happen at any given time and, at the moment, there is no solution to the problem. A website operator must address each attack as it occurs.

Examples include:

  • The “Ping of Death” uses a test packet larger than allowed, which can cause a system crash or problems with network programs running on the targeted computer. Ping is the acronym for Packet Internet Groper, a program that tests a TCP network by sending a packet with an echo request to a designated host’s IP address and then waiting for a reply.
  • Attempts to “flood” a network, thereby preventing legitimate network traffic, and attempts to disrupt connections between two machines, thereby preventing access to a service.
  • The Mail Bomb that sends a flood of mail to a mail server, sometimes overloading it, thus causing legitimate users not only to be denied service but also to lose mail that had been sent to their mailbox.
  • Host System Hogging, where a program is actually run on the system of the website that is under attack causing a domino effect. It ties up the system’s CPUs, the operating system crashes, the site goes down and, finally, customers can’t access the site.

Not all service outages are outright denial-of-service attacks. For example, some denial of service attacks might be controlled so as only to cause degradation in network traffic. This, in turn, slows down the website, but does not block it completely. Your website could also be the victim of other types of attack such as an attacker using your anonymous FTP storage area as a place to store illegal copies of commercial software, which consumes disk space, and generates more network traffic.

Routers spend all their time looking at the destination addresses of the packets passing through them and deciding which route to send them on. A router is like a trip planner. Tell the planner where you want to go and it directs you via the shortest route.

If you are a brick-and-mortar business running a network of computers, you probably already have routers for your network, but know that the considerations are different when designing router configuration for your new website. Mainly, you must configure your router so that it can help to control per-user access from the public side (the Internet) to your web service and still protect your private network assets.

Firewalls

Install a firewall. A firewall is a device that controls the flow of communication between internal networks and external networks, such as the Internet. It controls “port-level” access to a network and a website. A “port” is like a doorway into a server. For example, your Internet request isn’t just immediately sent to a server; instead there is a port number on the server that is the actual destination of a request. It’s like sending a message to the server on Main Street in Elmville, New York, USA but forgetting to provide the specific “building” number. For example, http://www.yourname.com by default uses port 80 (the building number) on the www.yourname.com server. If a request arrives at the wrong server or the wrong port, the service handling requests on that port will ignore the request.

When looking at firewall solutions, you should understand that all firewalls are technically software — some just come with their own server. You also need to know that firewall solutions run the gamut from software designed to protect a personal PC to products that provide a wide range of security, flexibility, and protection. Costs can range from $50 or less for the personal PC solution (don’t buy this type of software), to a $10,000 firewall/router solution, to a $100,000+ system that consists of firewall software, routers, and proxy servers. To ensure you get the right firewall system to fit your website’s needs, hire an expert in data security (if your budget allows).

Since firewalls are an important component of network security, some established businesses take the position of “we already have a firewall therefore we are adequately protected.” But, it’s more complicated than that. A firewall must be correctly configured to provide effective protection. For instance, if your business already has in place a router running firewall software, that solution will probably not provide the security that a website needs — of course, the site’s actual security needs depend on the website and the applications it is running.

Here are some examples of firewall configurations you might want to implement.

  • Close off the possibility of unnecessary or unauthorized traffic accessing your servers.
  • Configure the firewall so that only wanted traffic gets through.
  • Encrypt most or all traffic between servers.
  • Limit the points of access.

A properly configured firewall also can act as a filter to prevent suspicious requests from ever arriving at the server or can be configured to drop any request that tries to address a server or server port that has not been specifically enabled by the policy of the firewall. More importantly, firewalls can verify that the request matches the kind of protocol (e.g., HTTP, FTP) that is expected on a particular port.

Firewalls can be used in various places. For example:

  • Between the Internet and the web server to limit the number of ports and protocols open for use by outsiders.
  • Between the website and the web-based business’s internal network to protect backend servers and data by isolating public servers from the rest of the internal network, somewhat like a high fence.
  • To isolate sensitive website data from other servers through a configuration that allows access only from the website application servers. This type of set-up is used to safeguard critical data such as credit card numbers.

Disable Nonessential Services

Although you should use firewalls as the first line of defense, they are only part of a good comprehensive security solution. You must also shut down all nonessential ports and services on production servers. Some of the services, like FTP, are inherently insecure because they send their password without encryption. Other services such as netstat and systat actually put forth information that can assist cybervandals with certain types of attacks on your website.

Some of the services you should disable on your website’s servers include, but are not limited to:

  • Mail (SMTP).
  • Finger.
  • Netstat, systat.
  • Chargen, echo.
  • FTP.
  • Telnet.
  • Berkeley UNIX “r” commands such as rlogin, rsh, rdist, etc.
  • SNMP.

User Account Security

A common method hackers use to gain access to a web server is to steal an authorized user’s account. Restricting a user’s access to only the needed resources limits the amount of damage hackers can do to your website. Authentication and authorization are the two best general ways to restrict access.

Authentication. This verifies that you are who you claim to be. An authentication system can use login-passwords, digital signatures, and a one-time password (single sign-on). An example of usage is the need to authenticate a user in order to login to a web server from a web browser.

Authorization. This defines what a user is allowed to do. It typically is used with an access control list service (ACLS) or a policy that restricts access to computer resources. Authorization may be attributed to users, user groups, or user profiles.

User IDs and passwords are the most common means of providing authentication services with authorization to access specific resources such as file directories, read/write permission, database access. User IDs are usually easy to figure out, since many are based on a user’s name. So, make the passwords harder to guess. Still, this won’t solve all of your problems because there are a number of tools and techniques available that can be used to decipher a password.

Here are some steps you can take to improve password security:

  • Never transmit user IDs and passwords in the clear — use encryption techniques.
  • Make the passwords a combination of mixed-case letters and numbers.
  • Test your passwords by using a tool like password+ or Password Appraiser v3.20.
  • Keep the number of accounts on production servers to a minimum.
  • Use techniques for encrypting transmissions and certificates for authentication such as Kerberos (a security system that authenticates users but doesn’t provide authorization to services or databases, although it does establish identity at log-on) and SSL for the administrator accounts.
  • Never grant more access to resources than is needed. For example, if an application server running your product catalog needs to read its information from a database, it will need a database user account, but this account must not be authorized to read from other parts of the database (where credit cards are stored), or be allowed write privileges.

Data Confidentiality

Confidentiality ensures that only authorized people can view data transferred in networks or stored in databases. Protecting sensitive data like credit card numbers, inventory, etc. is a difficult problem for web-based businesses. To protect your data, you first need to identify the information that is sensitive. Once identified you can then take the necessary steps to make the data harder to retrieve; that can be done by using any or all of the following methods:

  • Put the data on a separate server behind a firewall.
  • Separate the data. For example, give a database its own security subsystem and user authentication process.
  • Restrict the number of user accounts that can read/write the data.
  • Separate write access from read access.
  • Encrypt the data and control access to the encryption key.

Software Security

Internet applications often require security services such as authentication, data confidentiality, data integrity, and nonrepudiation. The major web server applications install their own security implementations on top of the operating system.

Any application that processes requests from a user is seen as a separate component in a website’s architecture. Applications do handle incoming requests and therefore need to ensure that requests stay within permitted boundaries. The first step in providing some kind of security for these applications is not to trust the correctness of user input — whenever input is received it is validated. Why? Because it is possible to “piggyback” a second command onto an input request to a Unix shell by separating the two commands by an ampersand (&) or semicolon (;). Therefore, every input request should be parsed for validity or filtered for suspect content. A second step is to use separate security subsystems to control access to an application’s resources where users are authorized and authenticated. This way, the application administrator, not the system administrator, controls the application’s security system. As such, normally there is no one person who can control all of the information relating to a website. Also, e-commerce packages usually come with security subsystems to control their particular resources.
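
The validation step described above, as an added example that is not from the book: a request handler that accepts only a host name, shown beside the unvalidated string-building form it replaces. The tool name lookup-tool, the function names and the sample inputs are constructed for illustration, and a child Python process stands in for the real external program.

```python
import re
import shlex
import subprocess
import sys

# Allow-list for the one kind of value this (hypothetical) feature accepts:
# a DNS host name made of letters, digits, dots and hyphens, at most 253 chars.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")

# Stand-in for the real external tool: a child Python process that prints
# the single argument it was given. No shell is involved in starting it.
TOOL = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def validate_hostname(value):
    """Return value unchanged if it matches the allow-list, else raise ValueError."""
    if not isinstance(value, str) or not HOSTNAME_RE.fullmatch(value):
        raise ValueError("rejected input: %r" % (value,))
    return value


def shell_command_count(command_line):
    """Count the commands a Unix shell would see in command_line.

    Nothing is executed: the string is only tokenised, and each run of
    '&', ';' or '|' between words is counted as a command separator.
    """
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    separators = [tok for tok in lexer if tok and set(tok) <= set("&;|")]
    return 1 + len(separators)


def unsafe_command_line(user_input):
    """'Before' form: user input pasted into a string meant for a shell."""
    return "lookup-tool " + user_input


def run_tool(argument):
    """Start the tool with an argument vector, so no shell parses the value."""
    result = subprocess.run(TOOL + [argument], stdout=subprocess.PIPE,
                            universal_newlines=True, check=True)
    return result.stdout.rstrip("\n")


def handle_request(user_input):
    """'After' form: validate first, then pass the value as one argv element."""
    return run_tool(validate_hostname(user_input))


if __name__ == "__main__":
    good = "www.example.com"                     # constructed sample input
    bad = "www.example.com; echo piggybacked"    # constructed sample input
    print(shell_command_count(unsafe_command_line(good)))
    print(shell_command_count(unsafe_command_line(bad)))
    print(handle_request(good))
    try:
        handle_request(bad)
    except ValueError as exc:
        print(exc)
```

Validation and shell-free execution are independent layers: run_tool alone already delivers the whole string as a single argument, and validate_hostname rejects the request before the tool is ever started.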

Nevertheless, a web-based business’s security methods should be centralized to the largest degree possible. This allows you to limit accessibility to security information and eliminates the need to extend trust to many administrators. Finally, every application running on a website must consistently apply a clear security architecture (and must consistently fit within your site’s overall security architecture), making explicit its operational requirements.

MINIMAL WEB SECURITY FOR YOUR WEBSITE

All websites are targets for hackers, but these troublemakers especially like to pick on the small e-commerce site, because many such sites don’t have robust security measures in place. Fortunately, even a small web business can implement relatively inexpensive security against cybervandals. Basic security such as maintaining passwords, encrypting and password-protecting your business’s data, and monitoring all website visitors is a good start. Although it is virtually impossible to make any website 100% secure, you can implement security features that so discourage the would-be hacker that he or she takes the vandalism someplace else.

Here are some minimal web security strategies that website owners could take to help ensure their website is uninviting to cybervandals. While some of these suggestions are inexpensive to implement, others can cost a bundle. It’s up to the reader to decide how proactive he or she wants to be when it comes to protecting their e-commerce business.

First, let’s address the minimal security needed for a self-hosted website.

  1. Install a firewall and a router. The cost for this solution can range anywhere from $1,000 to $10,000, depending on the size of your website and the type of protection you want to install.
  2. Put your web pages on a CD-ROM and then have your CD-ROM drive — not your hard drive — feed the website. While it is relatively easy for some unauthorized individual to access a server’s hard drive, it is very difficult to penetrate a CD-ROM drive. Note, however, that although this security method will slow down your website, it is still a good, viable option for small web businesses. Read/write CD-ROM drives cost less than $200 and blank disks are dirt cheap.
  3. Although it may be tempting for the novice website owner, don’t put website content in your server’s administrative account (a file folder that holds operating keys to the network). This is the first place that hackers look.
  4. Protect all server access-control lists with a password and monitor the list regularly to ensure only authorized users are listed. If a hacker can break into the list, they will add themselves to it — allowing them to roam your website’s systems at will.
  5. Be pedantic about scripting. Errors in CGI scripts (the program language commonly used to create website features) are notorious as cybervandals’ most popular point of entry. Take precautions with JavaScript because this program language is full of places where hackers can get in and change your website. Set up your website scripts properly. Ask your programmers how they are safeguarding the JavaScript features created for your website. Finally, if feasible, consult with a security expert on how to set up your scripts.
  6. Use Secure Socket Layer (SSL). This will help to prevent hackers from detecting both passwords and credit card transactions as they travel the cyber byways. SSL is part of most e-commerce software programs, but some website owners turn SSL off to speed up their customers’ web experience. Accept that although SSL may slow down your server a bit, it is necessary for the success of your website.
  7. Do you allow your customers to track orders and shipments online or want to provide them with this amenity? If so, separate the customer-accessible data on a separate network from the rest of your business. The best way to do this is to isolate the customer-accessible web server with its databases from your other data assets.

If you use a web-hosting service, security steps three through seven apply. But also add to your security to-do list the following:

  • Keep an ISP contact list handy in case of a breach.
  • Be proactive in determining the service’s security quotient. (Later in Chapter 14, we discuss how to determine if a web-hosting service offers adequate security for your website.)

Another step is to keep abreast of all security alerts for threats against your type of systems. Once alerted to a new technique for breaking into your type of system, counterattack with a plug and keep repeating the scenario — plug a leak, the hackers come up with a new way to break in, plug it, the hackers formulate a new break in, plug it, and on and on.

It isn’t easy to make an operating system secure, but it can be done if you know where all the leaks are so you can plug them. Keep on top of your operating system’s weaknesses, i.e. what is being exploited by hackers — this will allow you to keep (hopefully) one step ahead of them.

Firewall applications remove unnecessary, resource-hogging services and at the same time plug potential security holes. This is easier to do with Unix-based firewalls than with Windows-based systems since developers have easier access to the Unix code. Microsoft is much more protective of its code and therefore is not as cooperative with developers.

Content Security

The most commonly reported website security problem is website defacement and sabotage. In fact, cybervandal-based site defacement is an ever-present and increasing threat to website owners worldwide. To illustrate this troublesome trend, according to London security consultancy mi2g Ltd., website defacements totaled 20,371 in the first half of 2002, up 27 percent from the 16,007 recorded in the same period the year before.

NOTE
According to mi2g Ltd., over the last seven years, the worldwide economic damage estimate for all forms of digital attack is at between $118.8 and $145.1 billion (as of August 2003).

The complexity of many of today’s websites (with their numerous pages, images, and associated features) means that manual methods such as looking at each piece of content and repairing it, as needed, are ineffective. Thus today, a website owner may want to put in place an intermediate server. Lockstep Systems Inc. (www.lockstep.com), Tripwire Inc. (www.tripwire.com), Watchguard Technologies Inc. (www.watchguard.com) and others provide software that resides on an intermediate staging server to ensure that your site’s content is staged and preserved before deployment to the actual website. At configurable intervals, the staging server queries your website to compare files for differences. If an anomaly is found, the contents and/or files are captured and quarantined by the staging server, and the original content is restored from the intermediate server’s files. The software also logs the incident and sends an alert to the website’s administrator.
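
The compare, quarantine and restore cycle described above, as an added example that is not from the book and not any of the named vendors' software. Two local directories stand in for the staging server and the live site, and the file names and contents are constructed sample data.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large content does not sit in memory."""
    digest = hashlib.sha256()
    with open(str(path), "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_and_restore(staging, live, quarantine):
    """Compare live against staging, quarantine anomalies, restore originals.

    Returns (relative_path, finding) tuples for the incident log, where
    finding is "modified", "missing" or "unexpected".
    """
    staging, live, quarantine = Path(staging), Path(live), Path(quarantine)
    approved, current = manifest(staging), manifest(live)
    incidents = []
    for rel in sorted(set(approved) | set(current)):
        if approved.get(rel) == current.get(rel):
            continue
        finding = ("unexpected" if rel not in approved
                   else "missing" if rel not in current else "modified")
        if rel in current:          # capture the anomalous file as evidence
            dest = quarantine / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(live / rel), str(dest))
        if rel in approved:         # put the approved copy back
            target = live / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(str(staging / rel), str(target))
        incidents.append((rel, finding))
    return incidents


def demo():
    """Build constructed staging and live trees, tamper with live, run one check."""
    base = Path(tempfile.mkdtemp(prefix="content-check-"))
    staging, live, quarantine = base / "staging", base / "live", base / "quarantine"
    (staging / "img").mkdir(parents=True)
    (staging / "index.html").write_text("<h1>Welcome</h1>\n")
    (staging / "img" / "logo.txt").write_text("logo placeholder\n")
    shutil.copytree(str(staging), str(live))
    # Constructed tampering: one changed, one deleted and one planted file.
    (live / "index.html").write_text("<h1>defaced</h1>\n")
    (live / "img" / "logo.txt").unlink()
    (live / "extra.html").write_text("not deployed by the owner\n")
    incidents = check_and_restore(staging, live, quarantine)
    restored = manifest(live) == manifest(staging)
    quarantined = sorted(manifest(quarantine))
    shutil.rmtree(str(base))
    return incidents, restored, quarantined


if __name__ == "__main__":
    for item in demo()[0]:
        print(item)
```

In a deployment the returned incident list would feed the log entry and the administrator alert, and the check would run from a scheduler at the configured interval.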

Monitoring Your Website

Finally, monitor your website’s usage and take a proactive stance on security holes. To ensure a high level of security, you should:

  • Monitor for break-ins. Institute a user account change report or install a sophisticated network monitoring system.
  • Monitor your logs after an attack; they can tell you how the attack occurred and might even provide a clue as to the identity of the attacker.
  • Run a security analysis program that can take a snapshot of your site and then analyze for potential weaknesses in your site.
  • Perform security audits with outside auditors to check for potential security holes that you might have missed.
  • Back up your website on a scheduled basis so that, if needed, you can recover damaged data and programs.

Security and Certification

Most web-based businesses go further than the security provided at the router and firewall level. They incorporate such features as encryption of credit card information and other personal data, digital signatures and trust of identity of network users, hosts, applications, services, and resources.

Internet trust services, including authentication, validation, and payment, are needed by websites to conduct trusted and secure electronic commerce and communications. Digital certificates provide trust of identity, which enables a website to conduct online business securely, with authentication, message privacy, and message integrity, all helping to minimize risk and win customer confidence.

As explained in detail in Chapter 3, digital certificates (DC) can be compared to a driver’s license. DCs provide an electronic method by which you can prove the identity of a specific computer’s owner/operator. For the driver’s license, a credible organization (the DMV) assures that the driver’s license is issued to the correct person. The same is true for DCs: a certification authority (CA) issues digital certificates, but only after verifying the identity of the entity/person. The DC contains, among other things, the name of an entity/person, the entity/person’s public key, the serial number, and the signature of the CA (which was signed using the CA’s own private key).

Credit Card Security

With the proper precautions, online purchases are no more dangerous than credit card purchases made in the physical world. E-commerce systems keep credit card information secure by encrypting the information. Most online purchase transactions are encrypted using the Secure Sockets Layer (SSL). SSL is an internationally accepted standard for the secure transmission of data. Virtually all web browsers and web servers have standard SSL capabilities built into them. Thus nearly all web browsers and web servers communicate with each other using SSL.

As explained in Chapter 3, the SSL-driven process handles all of the security for most transactions by enabling the customer’s browser to confirm the identity of the server it’s dealing with, and providing an encryption system that ensures that all data is transmitted safely.

There is also a security standard called Secure Electronic Transactions (SET). SET encrypts a credit card number so that only designated banks and credit card companies can read the information. SET requires you to obtain a special certificate from your bank, and then your customers must install special software on their computer. The software is supplied by various vendors, most of whom seem to have the word “wallet” somewhere in the name. The “e-wallet” software allows your customer to input all of their purchasing information (credit card, address, shipping address, etc.) once and then move merrily through numerous websites that accept that e-wallet technology, doing “one-click” shopping and avoiding the repeated task of filling out individual websites’ purchase forms.

So far, U.S. consumers have had little incentive to use the e-wallet applications that SET requires, and because the SET systems are costly and complex to set up, the SET standard, although readily accepted outside the U.S., is not widely used by U.S. web merchants and banks. The main barrier has been that each e-wallet provider has established its own unique technical specifications, so many U.S. websites have adopted a wait-and-see attitude with regard to SET.

Also, alternative options have emerged for handling credit card transactions over the Web that are easier and cheaper than SET. The next-generation e-wallets use a new standard — the Electronic Commerce Modeling Language (ECML). This standard works with any web security software and allows e-wallets automatically to feed customer information into the payment forms of participating websites. Visa, MasterCard, and American Express, with support from America Online, CyberCash, IBM, Microsoft and Sun, as well as numerous web-based businesses, have led implementation of the ECML standard.

ECML can be used with any security protocol, including SSL, and Visa and MasterCard’s own version of SET. Therefore, ECML may change the landscape for e-wallet companies and websites — increasingly you will find e-wallet services offered by financial institutions and credit card companies.

Some of the more popular websites offering e-wallets include:

  • www.passport.com (.NET Passport e-wallet from Microsoft).
  • www.iliumsoft.com (e-wallet from Ilium Software).
  • www.gator.com (e-wallet from Gator Corporation).

Now let’s review how you can prevent your business and your customers from becoming victims of Internet fraud.



The Complete E-Commerce Book, Second Edition: Design, Build & Maintain a Successful Web-based Business
ISBN: B001KVZJWC
EAN: N/A
Year: 2004
Pages: 159
