Security Primer: Keep Out The Bad Guys








Internet and Web security is a very complex topic; volumes have been written about it. The challenge is to reduce the subject to those aspects most relevant to the website owner. Outlining the process in a clear and concise manner, while introducing or reviewing some security basics, is a good place to start.
Security Life-Cycle:
Risk assessment, the first phase of the security life-cycle, cannot be over-emphasized. The purpose of a risk assessment is to determine what assets need to be protected, why they need to be protected, and what the consequences are if they are not. An assessment also focuses attention and resources on the controls that will most effectively mitigate risk (notice the use of "mitigate" rather than "eliminate"). One of the goals of security is to balance access and usability against protection, but as long as a system can be accessed, it can be exploited. That includes the risk a website owner takes on by installing and configuring tools and applications from unknown sources on their Web server. In fact, the most often overlooked element of security can typically be found between the keyboard and the chair.
Risk Assessment Analysis:
For an example of how this works in practice, we will use a mythical company and
apply the various elements of the security life-cycle to their hosted
application. Your particular situation may differ by a few details, but overall
you should be able to get a general idea of what comprises a security
life-cycle. Our company will be XYZ Corp.
1. Assessment - An inventory of what you have and how it is to be used.
XYZ Corp. has 25 servers that are hosted in a data center that will be used to
store sensitive customer information. The information is then uploaded via FTP
and accessed by the customer via a Web portal that also runs on the hosted
servers. The administration of the portal database is done remotely from the
home office of XYZ Corp. The assessment portion basically defines the scope of
your security focus.
2. Risk Identification - An inventory of known and potential risks based on the environment to be evaluated. This information is directly related to and relies on your initial assessment. Here, establish what needs to be protected, why, and the risk of it not being protected. XYZ Corp.'s most valued asset is the customer data it holds, whose confidentiality and integrity must be protected: the data must not be intercepted in transit, nor read or altered by unauthorized third parties. Failure to achieve any of these goals will result in lost customer confidence and a direct impact on the viability of the company's future.
3. Risk Management - A plan for mitigating the identified risks. Develop policies that outline the protection of the assets identified, including reference to technology selections and deployment as well as plans on how to audit and validate the integrity of your systems. XYZ Corp. does not control the data center, so servers installed and configured by third parties cannot be trusted. Therefore, we will install and configure all software in-house before shipping our servers to the data center. We have established encryption schemes to protect data in transit and data stored on the servers, and deployed a system that reports which files on the remote servers have been changed or copied, and by whom.
4. Implementation - Putting your plans into action. The XYZ website rolls
out its new and improved customer portal site.
5. Review/Update - Reviewing the initial assessment, lessons learned and
identifying new and emerging threats. This information will be used to make
necessary modifications. XYZ Corp. experienced one successful system compromise
— a user accessing her account information from a compromised machine. The bad
guys used her account information to access her data from another country. The
new version of our system will include a feature providing additional challenges
to users attempting to access data when the connection doesn’t fit the typical
connection profile.
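The step-5 countermeasure, a check that challenges logins whose connection does not fit the user's usual profile, is normally built as a small risk score over a few signals. The following is an added example and not XYZ Corp.'s code: the user history, the GeoIP and ASN lookups it assumes, the weights and the threshold are all illustrative. It reproduces the incident in the text (credentials stolen from the user's PC, then used from another country) and shows the stolen-credential login being challenged while the user's normal login is allowed.

```python
"""Risk-based (adaptive) login check: ask for an extra challenge when a connection
does not fit the user's usual profile. Added example; the signals, weights and
thresholds are illustrative policy choices, not XYZ Corp.'s."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass
class LoginEvent:
    user: str
    country: str      # from a GeoIP lookup on the source address (lookup assumed to exist)
    asn: int          # autonomous system number of the source address (same assumption)
    when: datetime    # UTC timestamp of the attempt


@dataclass
class UserProfile:
    countries: Counter = field(default_factory=Counter)
    asns: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)   # hour of day, UTC
    last: Optional[LoginEvent] = None

    def learn(self, ev: LoginEvent) -> None:
        """Fold a successful, trusted login into the profile."""
        self.countries[ev.country] += 1
        self.asns[ev.asn] += 1
        self.hours[ev.when.hour] += 1
        if self.last is None or ev.when > self.last.when:
            self.last = ev


CHALLENGE_AT = 2                      # score at or above which we step up
TRAVEL_WINDOW = timedelta(hours=4)    # two countries closer in time than this is suspicious


def risk_score(profile: UserProfile, ev: LoginEvent) -> int:
    score = 0
    if ev.country not in profile.countries:
        score += 2          # country never seen for this user
    if ev.asn not in profile.asns:
        score += 1          # new network: different ISP, hosting range, VPN exit
    if profile.hours and ev.when.hour not in profile.hours:
        score += 1          # unusual time of day
    last = profile.last
    if last is not None and last.country != ev.country and ev.when - last.when < TRAVEL_WINDOW:
        score += 2          # "impossible travel" relative to the previous login
    return score


def decision(profile: UserProfile, ev: LoginEvent) -> str:
    """'allow' the session, or 'challenge' it (second factor, emailed code, etc.)."""
    return "challenge" if risk_score(profile, ev) >= CHALLENGE_AT else "allow"


def build_profile(events: List[LoginEvent]) -> UserProfile:
    p = UserProfile()
    for ev in events:
        p.learn(ev)
    return p


# Constructed history: two weeks of office-hours logins from one US ISP.
UTC = timezone.utc
HISTORY = [LoginEvent("alice", "US", 7922, datetime(2024, 3, d, 9 + d % 3, tzinfo=UTC))
           for d in range(1, 15)]
# The XYZ incident: credentials stolen from her PC and replayed from another country.
USUAL = LoginEvent("alice", "US", 7922, datetime(2024, 3, 15, 10, tzinfo=UTC))
STOLEN = LoginEvent("alice", "RO", 9009, datetime(2024, 3, 15, 12, tzinfo=UTC))

if __name__ == "__main__":
    profile = build_profile(HISTORY)
    print("usual :", decision(profile, USUAL), risk_score(profile, USUAL))
    print("stolen:", decision(profile, STOLEN), risk_score(profile, STOLEN))
```

Country and network are weak signals on their own (mobile carriers and VPN exits move users around), which is why the example scores rather than blocks, and why the challenge has to be something the attacker does not already hold: a second factor, not the same password again. The profile should only be learned from logins that succeeded without being challenged.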
The effectiveness of your risk assessment will depend on the types of questions
asked and their answers. The XYZ example above is a simplified version of the
process, but should provide a good start to your security life-cycle.
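Step 3 of the XYZ example says the company deployed a system that indicates which files on the remote server have changed. The usual way to do that is a file-integrity baseline: hash every file once from a known-good state, then re-hash and compare. Here is an added example of such a check in Python; it is not XYZ Corp.'s tool, and the document root and the tampering it performs are constructed for the demonstration.

```python
"""File-integrity baseline and comparison (added example, not XYZ Corp.'s tool)."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, dict]:
    """Record content hash, size, permission bits and owner for every regular file
    under root. Symlinks are skipped so a planted link cannot pull in foreign files."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        snap[p.relative_to(root).as_posix()] = {
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
        }
    return snap


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, list]:
    """Classify differences. A permission or owner change counts as 'modified'
    even when the content hash is unchanged."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def save_baseline(snap: Dict[str, dict], path: Path) -> None:
    # Keep the baseline (and ideally a signature over it) OFF the monitored host:
    # an attacker with root on the server can otherwise simply re-baseline.
    path.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, dict]:
    return json.loads(path.read_text())


def demo() -> Dict[str, list]:
    """Constructed scenario: baseline a toy document root, then change one file's
    content, loosen another's permissions, drop a new file and delete one."""
    root = Path(tempfile.mkdtemp())
    docroot = root / "htdocs"
    docroot.mkdir()
    (docroot / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (docroot / "config.php").write_text("<?php $db_host = 'localhost'; ?>\n")
    (docroot / "robots.txt").write_text("User-agent: *\n")
    os.chmod(docroot / "config.php", 0o640)

    baseline_file = root / "baseline.json"   # in real use this lives on another host
    save_baseline(snapshot(docroot), baseline_file)

    with (docroot / "index.php").open("a") as f:       # content tampered with
        f.write("<?php /* unexpected change */ ?>\n")
    os.chmod(docroot / "config.php", 0o666)            # made world-writable
    (docroot / "upload.php").write_text("<?php ?>\n")  # new file appeared
    (docroot / "robots.txt").unlink()                  # file removed

    return compare(load_baseline(baseline_file), snapshot(docroot))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Two caveats a practitioner would add. Hashing shows what changed, not who changed it or whether a file was merely read or copied; for that you need the operating system's audit facility (auditd on Linux, object-access auditing on Windows). And the baseline must live on a host the attacker cannot reach, signed or at least checksummed, because anyone who gains root on the server can regenerate it to match their changes.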

Securing your Website:
1. Knowing your environment - This requires asking some important questions. Do you control every aspect of your hosting, such as hardware and software configuration? If not, what security features are offered by your provider? Do you have the expertise to secure your website or service? If not, do you have access to resources that could help you? What kind of site are you running, personal or e-commerce? What assets do you need to protect? What technologies are you employing to deliver your service: Web server, FTP server, email server, database server, application server or proxy server? Finally, are these Windows-based systems, *nix-based systems, or both?
2. Getting Started - Each environment is different. The best place to start is to make sure the components of your site or service are patched against known vulnerabilities. Most product vendors maintain information on known software- and security-related problems and provide patches/fixes and information on how to configure the product's security. There are also sites that aggregate this information into one place:
• Web Servers: Apache, IIS
• Web Application Servers: WebSphere, WebLogic, Tomcat and Resin
• Database Servers: Oracle, MySQL, Microsoft SQL Server
Check information on proxy servers if you use them, as well as Web application security for any Web applications written in ASP, ASP.NET/.NET, Perl, PHP, Python, JSP and Java (this includes SOAP and Web Services).
3. Selecting the tools - After you have answered the above questions,
verified that you are running on stable versions of the software and aware of
the risks associated with each choice, you can begin focusing on selecting tools
that will help you achieve the desired state of security. The following are some
common tools and their primary uses:
3.1. Firewalls — Can be software or hardware based. Software-based firewalls almost always run on the host they are protecting, whereas hardware firewalls are generally used to protect several hosts. The basic function of a firewall is to filter traffic flowing to or from a host, so start from "deny everything" and open only the ports your service actually needs (for a Web server, typically 80 and 443, plus an administrative port reachable only from the addresses you manage from).
3.2. Encryption — As it relates to Web traffic, HTTPS (HTTP over TLS) ensures that data between your Web servers and your users cannot be read or altered by someone eavesdropping on the connection, and lets the browser verify that it is talking to your server rather than an impostor. Encryption can also be used to protect the contents of email messages, FTP traffic and file-level data. Note that plain FTP, as used for the uploads in the XYZ example, sends both the login credentials and the files in the clear; use SFTP (over SSH) or FTPS (FTP over TLS) for uploads of sensitive data.
3.3. VPNs — Virtual Private Networks. VPNs are generally used to securely connect remote systems over an unsecured network. Employing a similar concept to HTTPS, a VPN creates an encrypted "tunnel" that is transparent to the end devices: any information passed across the link, whether the application itself encrypts it or not, travels protected. For example: HTTPS is akin to two people having a telephone conversation while speaking in code to protect their message, so an eavesdropper will not understand what is being said. A VPN is similar to two people talking on a secure line; they can speak freely because the line itself provides the protection (encryption) their messages need. For XYZ Corp., a VPN is the natural way to reach the database administration interface from the home office instead of exposing that interface directly to the Internet.
3.4. Intrusion Detection System/Intrusion Prevention System (IDS/IPS) and Anti-virus — This collection of tools can help maintain the integrity of your systems. An IDS typically comes with pre-defined rules (signatures) for detecting and reporting common attempts to exploit a system. It can generate reports automatically while recording the tactics the bad guys use to get at your system. An IDS is like a security camera passively monitoring your entry points. An IPS is the natural successor to the IDS: it sits inline in the traffic path and provides the same detection, with the additional benefit of acting on suspect activity, for example by dropping the connection or blocking the source address. An IPS is like having an actual security guard, with the corresponding risk that a false positive turns away a legitimate user. Anti-virus is a layer of security that checks that system applications (binaries, as they are called on *nix-based systems) and uploaded files are free from viruses or unwanted programs. All of the aforementioned tools rely on signatures, so they require regular updates in order to detect new threats, and they will not catch an attack nobody has written a signature for yet.
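To make the IDS/IPS description concrete, here is an added example (not a real product's code) of signature-based detection run over a few constructed Apache-style access log lines: a handful of rules for common request patterns, URL decoding before matching so encoded variants do not slip past, and a simple rate rule that flags an address producing many 404s, which is what a vulnerability scanner looks like in logs.

```python
"""Toy signature IDS over web-server access log lines. Added example, not from a
real product; the rules are generic and the log lines are constructed."""
import re
from collections import Counter
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Apache/nginx "common"/"combined" log format (IIS can be configured to emit the same).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Signatures are applied to the URL-decoded request, so %2e%2e%2f and ../ look alike.
RULES = [
    ("path-traversal", re.compile(r"\.\./|\.\.\\")),
    ("sql-injection",  re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+|union\s+select", re.I)),
    ("admin-probe",    re.compile(r"/(phpmyadmin|pma|wp-login\.php|xmlrpc\.php)\b", re.I)),
]
SCAN_THRESHOLD = 5   # this many 404s from one address marks it as a scanner


def parse(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (rule, source ip, evidence) triples: what an IDS logs and an IPS acts on."""
    alerts = []
    not_found = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            alerts.append(("unparsable", "-", line.rstrip()))   # never silently drop input
            continue
        decoded = unquote(unquote(rec["path"]))   # twice: catches double-encoded evasion
        for name, pattern in RULES:
            if pattern.search(decoded):
                alerts.append((name, rec["ip"], rec["path"]))
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
    for ip, n in not_found.items():
        if n >= SCAN_THRESHOLD:
            alerts.append(("scanner", ip, f"{n} requests answered 404"))
    return alerts


# Constructed sample: two normal requests, then one address probing the site.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /images/logo.png HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 512
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /login?user=admin%27%20OR%201%3D1 HTTP/1.1" 200 2048
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512
198.51.100.7 - - [10/Oct/2023:13:56:04 +0000] "GET /pma/ HTTP/1.1" 404 512
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /admin/ HTTP/1.1" 404 512
198.51.100.7 - - [10/Oct/2023:13:56:06 +0000] "GET /backup.zip HTTP/1.1" 404 512
"""

if __name__ == "__main__":
    for rule, ip, evidence in analyse(SAMPLE_LOG.splitlines()):
        print(f"{rule:15s} {ip:14s} {evidence}")
```

An IDS would write these alerts to a report; an IPS would act on the source address. The example also shows the limits the text alludes to: only the patterns someone wrote rules for are caught, and the injection rule will fire on legitimate text that happens to contain a quote followed by "or", so blocking automatically is a trade-off against false positives.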
3.5. Backups/Redundant Array of Inexpensive Disks (RAID)
In addition to protecting the integrity of your data you also need to protect its availability. Even if you have all of the protection in the world in place, it does little good if you lose all of that information to human error or hardware malfunction. RAID is a technology that lets you combine multiple hard drives in ways that increase availability, performance or both. It is important to note that RAID is not a substitute for backups: RAID protects against a disk failing, whereas a deleted file, a corrupted database or a compromised server is faithfully replicated to every disk in the array. Backups are the insurance policy that gives you something to go back to when all else is lost, and for the same reason they should be kept off the server and tested. Of the various RAID levels, the two most common that provide data protection are:
RAID 1 — Disk Mirroring, or keeping two active copies of your data, protects you when a single disk in your RAID set fails.
RAID 5 — Striping With Parity requires at least three disks. Each stripe of data is split across all but one of the disks, and the remaining disk holds a parity block computed by XOR-ing the data blocks; the parity position rotates from stripe to stripe, so no single disk is "the parity disk". If any one disk is lost, its contents are rebuilt by XOR-ing the blocks that survive. RAID 5 tolerates exactly one disk failure per array; a second failure before the rebuild completes loses the data.
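The parity mechanism behind RAID 5 is a single XOR, which is easier to trust once you have seen it rebuild a block. The following added illustration (not from the article) lays one stripe across three disks as described above, fails each disk in turn and recovers it, and shows why losing two disks at once is unrecoverable.

```python
"""XOR parity as RAID 5 uses it: lay one stripe out across the disks and rebuild a
lost disk's block from the survivors. Added illustration, not from the article."""
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Bytewise XOR of equal-length blocks. XOR-ing a full stripe, parity included,
    yields all zeros, which is the invariant a rebuild relies on."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        if len(b) != len(out):
            raise ValueError("all blocks in a stripe must have the same size")
        for i, x in enumerate(b):
            out[i] ^= x
    return bytes(out)


def make_stripe(data_blocks: List[bytes], stripe_no: int) -> List[bytes]:
    """Place the data blocks plus their parity on n+1 disks. The parity slot rotates
    with the stripe number, which is what separates RAID 5 from RAID 4's fixed parity disk."""
    n_disks = len(data_blocks) + 1
    stripe = list(data_blocks)
    stripe.insert((n_disks - 1 - stripe_no) % n_disks, xor_blocks(data_blocks))
    return stripe


def rebuild(stripe: List[Optional[bytes]]) -> List[bytes]:
    """Recover the single missing disk (None) in a stripe. Two missing disks cannot be
    recovered from one parity block, which is why RAID 5 survives exactly one failure."""
    missing = [i for i, b in enumerate(stripe) if b is None]
    if len(missing) != 1:
        raise ValueError(f"RAID 5 can rebuild exactly one disk per stripe, {len(missing)} missing")
    survivors = [b for b in stripe if b is not None]
    repaired = list(stripe)
    repaired[missing[0]] = xor_blocks(survivors)
    return repaired


def demo() -> bool:
    """Three-disk array (two data blocks plus parity), as in the article. Fail each
    disk in turn, for several stripes, and check the stripe comes back identical."""
    data = [b"customer", b"records!"]     # constructed 8-byte data blocks
    for stripe_no in range(3):
        stripe = make_stripe(data, stripe_no)
        for failed in range(3):
            degraded = list(stripe)
            degraded[failed] = None
            if rebuild(degraded) != stripe:
                return False
    return True


if __name__ == "__main__":
    print("every single-disk failure rebuilt correctly:", demo())
```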
Internet and Web security are of great importance — not only to your site but to
every user who visits your site. Security is an essential component of Web
success on every level and should be considered the responsibility of each and
every website owner. Proper planning and vigilant attention to your security
risks will help ensure a prosperous future for your website and peace of mind to
your visitors and customers.
Lee Evans owns and operates LeeWare.com,
a premier provider of unmanaged virtual dedicated Linux servers.









