Is YOUR Network Secure?
Ben Greenberg NFSG.org for OSAll
Scenario
As the Senior Executive of a major business, you know one thing that has to be accomplished now -- your company needs to get on the Internet. You do not know why, you just know that if you do not get online you will miss something. Everyone else has jumped on the bandwagon, now it is your turn.
Being the good executive that you are, you screen hundreds of Web site designers and hosters. After days of exhaustive searching you come upon the perfect, or what seems to be, the perfect company. This company will produce a snazzy site full of eye popping graphics and special effects. Shockwave entrance, dynamic content and user interactivity to the hilt are all part of your company's new Internet presence.
The site is ready to be released in a month and you have more than prepared yourself. Your marketing division has gone into overdrive with campaigns on radio, television and print. The site will have special give-aways and contests. The hype is certainly there.
Release day has finally come. After pacing the floor for weeks, double-checking everything you can possibly think of, the site opens. It is amazing! Within one hour more than twenty thousand people have visited and sales is reporting a 2% increase in purchases. Self-assuredly patting yourself on the back, you make your way to the office of the CEO, who also happens to be your father, to report the good news.
While you are reporting the good news to your father, who by now is practically jumping up and down at the report of increased profits, a manager bursts into the office. Interrupting the CEO unannounced: this is certainly a brash young man! After catching his breath, he bursts out, "WE'VE BEEN HACKED!". You ask him to repeat himself and he tells you and your father that one minute their beautiful site was there, the next it was replaced with "H0 H0 H0 S4NT4 H4S C0M3 T0 T0WN". What did you do wrong?
Introduction
This story, although its characters are fictional, is reality for hundreds of companies who make a home on the Internet. What did all of them do wrong? The problem can be traced to their criteria for picking a Web site hosting and design company. The person responsible for doing the screening will be given, or has to create, a guideline that a Web site design and hosting company has to meet. How many of these guidelines have security in mind? Take a minute to look at the Attrition (1) web defacement mirror to find out. The number of web defacements of commercial Web sites reported to Attrition is approaching sixteen hundred.
Sixteen hundred Web sites is a large number, especially since that is just the commercial sites. Add to that 163 educational institution sites, 153 government sites and 97 military sites. Again, developing a guideline with security in mind can assist in assuring a secure network.
The Guidelines
To fully understand the guidelines for choosing a Web site design and hosting company, let us examine a fictional one:
Company XYZ Internet Guidelines
Company XYZ, a leading distributor of ABC in North America, has, after exhaustive studies in the marketplace, come to the following conclusion: to guarantee the success of our company in the 21st century, a presence on the Internet is necessary. In order to facilitate such a need we have decided to outsource to a Web site design and hosting company. Following are the guidelines we will stringently adhere to in our search for such a company.
Above all else, we understand the absolute need for a secure network in order to avoid loss of consumer trust and revenue. The company that we choose must provide upon request:
1) A report of the current state of their networks, including:
- The number of servers versus the number of clients they currently possess.
- The operating system they choose to utilize on their servers and how they came to the decision to use that operating system.
- The hardware stats of their servers.
- Average uptime of servers.
- How often and when they do maintenance.
2) The company's security guidelines, including:
- What kind of firewall setup they have (1-point, 2-point, etc).
- When they do security checks and what they do during them.
- The checklist they use when installing a new server on the network.
- How they deal with an intruder.
- What actions by a potential intruder rouse attention.
3) Data integrity guidelines, including:
- How often they back up their servers.
- What is included in the backups.
- Where they store backups.
- Whether they have a secondary site for storage.
- Protocols for a power outage.
- Protocols for a natural disaster.
4) Educational profiles of senior system administrators
5) Criteria for hiring new employees
6) Any other documents we deem necessary
Conclusion
As you can see, this is a good start for the guidelines. The rest of the guidelines will of course be filled with experience in Web site design and the like. But as we already learned in the scenario, a beautiful site on an insecure network will not remain beautiful for long. Company XYZ understands that, and that is why they decided to make security their top priority.
Using these sample guidelines will of course help in assuring the integrity of your Internet presence, but they are not the final step. Words on paper written by a Web site hosting company do not guarantee that they are true. The next step, after finding a company that fits these criteria, is to ask for a tour of their facilities. On the tour bring along your own systems administrator and an outside security consultant. If the hosting company is hesitant to let your administrator and consultant examine the networks, that is not a good sign.
This paper applies to companies who choose to outsource their hosting needs rather than do it in-house. If you are considering hosting the Web site in-house, peruse my other article, "Implementing a Secure Network" (2). This article explains the steps necessary to implement and maintain a network that is both secure and efficient.
Author Bio
Greenberg is chairman of San Diego's only comprehensive computer security convention, TooRcon Computer Security Expo. He is also a partner of Nightfall Security Group, a San Diego based computer security think tank that does hardware and software research as well as product certification, network auditing and intelligence research.