Security Primer: Keep Out The Bad Guys
Internet and Web security is a very complex topic. In fact, volumes have been written about the subject. The challenge is to reduce the subject of security to those aspects that are most relevant to the website owner. Outlining the process in a clear and concise manner while introducing or providing a review of some security basics is a good place to start.
Risk assessment, the first phase of the security life-cycle, cannot be overemphasized. The purpose of a risk assessment is to help determine what assets need to be protected, why they need to be protected and what the risks are if they are not protected. An assessment also helps focus attention and resources on those aspects of security that will most effectively mitigate risks — notice the use of “mitigate” rather than “eliminate.” One of the goals of security is to balance access and usability with security. But as long as a system can be accessed, it can be exploited. The same risk exists for the website owner who installs and configures tools and applications on their Web server from unknown sources. In fact, the most often overlooked element of security can typically be found between the keyboard and the chair.
Analysis Risk Assessment:
For an example of how this works in practice, we will use a mythical company and apply the various elements of the security life-cycle to their hosted application. Your particular situation may differ by a few details, but overall you should be able to get a general idea of what comprises a security life-cycle. Our company will be XYZ Corp.
1. Assessment - An inventory of what you have and how it is to be used. XYZ Corp. has 25 servers that are hosted in a data center that will be used to store sensitive customer information. The information is then uploaded via FTP and accessed by the customer via a Web portal that also runs on the hosted servers. The administration of the portal database is done remotely from the home office of XYZ Corp. The assessment portion basically defines the scope of your security focus.
2. Risk Identification - An inventory of known and potential risks based on the environment to be evaluated. This information is directly related to and relies on your initial assessment. Here, establish what needs to be protected, why, and the risk of it not being protected. XYZ Corp.’s most valued asset is the integrity of the customer’s data which must be protected from interception and unauthorized access by third parties. Failure to achieve any of these goals will result in lost customer confidence and a direct impact on the viability of the company’s future.
3. Risk Management - A plan for mitigating the identified risks. Develop policies that will outline the protection of the assets identified, including reference to technology selections and deployment as well as plans on how to audit and validate the integrity of your systems. XYZ Corp. does not control the data center, so servers installed and configured by third parties cannot be trusted. Therefore, we will install and configure all software in-house before shipping our servers to the data center. We have established encryption schemes to protect data in transit and data stored on the servers, and deployed a system which indicates which files on the remote server have been changed or copied and by whom.
4. Implementation - Putting your plans into action. The XYZ website rolls out its new and improved customer portal site.
5. Review/Update - Reviewing the initial assessment, lessons learned and identifying new and emerging threats. This information will be used to make necessary modifications. XYZ Corp. experienced one successful system compromise — a user accessing her account information from a compromised machine. The bad guys used her account information to access her data from another country. The new version of our system will include a feature providing additional challenges to users attempting to access data when the connection doesn’t fit the typical connection profile.
The effectiveness of your risk assessment will depend on the types of questions asked and their answers. The XYZ example above is a simplified version of the process, but should provide a good start to your security life-cycle.
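Step 3 above has XYZ Corp. deploy a system that reports which files on the hosted server have changed. The following added example (not code from the article) shows the core of such a file-integrity check: hash every file before the server leaves your control, then re-hash on the hosted server and diff the two snapshots. The web root, file names and contents are constructed for the demo; answering “by whom” needs operating-system audit logging, which a hash comparison cannot supply.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

CHUNK = 65536  # read files in 64 KiB pieces so large uploads do not sit in memory


def sha256_file(path: Path) -> str:
    """Return the SHA-256 hex digest of one file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every regular file under root (as a relative POSIX path) to its digest."""
    root_path = Path(root)
    return {
        p.relative_to(root_path).as_posix(): sha256_file(p)
        for p in sorted(root_path.rglob("*"))
        if p.is_file()
    }


def compare_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report which files changed, appeared or disappeared since the baseline was taken."""
    return {
        "changed": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: snapshot a small web root, alter it, then re-scan it."""
    with tempfile.TemporaryDirectory() as d:
        web = Path(d) / "htdocs"
        web.mkdir()
        (web / "index.php").write_text("<?php echo 'hello'; ?>")
        (web / "config.php").write_text("<?php $db = 'prod'; ?>")
        baseline = build_baseline(d)  # taken in-house, before shipping the server
        # Simulated drift on the hosted server: an edited page, a new file, a deleted file.
        (web / "index.php").write_text("<?php echo 'hello world'; ?>")
        (web / "notes.txt").write_text("unexpected file")
        (web / "config.php").unlink()
        return compare_baseline(baseline, build_baseline(d))
```

Keep the baseline off the monitored host (or on read-only media); a baseline stored on the server it checks can be rewritten along with the files it is meant to protect.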
Securing your Website:
1. Knowing your environment - This requires asking some important questions. Do you control every aspect of your hosting, such as hardware and software configuration? If not, what security features are offered by your provider? Do you have the expertise to secure your website or service? If not, do you have access to resources that could help you? What kind of site are you running — personal or e-commerce? What assets do you need to protect? What technologies are you employing to deliver your service — Web server, FTP server, email server, database server, application server or proxy server? Finally, are these Windows-based systems, *nix-based systems, or both?
2. Getting Started - Each environment is different. The best place to start is to make sure the components of your site or service are patched against known vulnerabilities. Most product vendors maintain information on known software- and security-related problems and provide patches/fixes and information on how to configure the product’s security. There are also sites that aggregate this information into one place:
• Web Servers: Apache, IIS
• Web Application Servers: Websphere, Weblogic, Tomcat and Resin
• Database Servers: Oracle, MySQL, Microsoft SQL
Check information on proxy servers if you use them, as well as Web application security resources for any Web applications written in ASP, ASP.NET/.NET, Perl, PHP, Python, JSP and Java (this includes SOAP and Web Services).
3. Selecting the tools - After you have answered the above questions, verified that you are running on stable versions of the software and aware of the risks associated with each choice, you can begin focusing on selecting tools that will help you achieve the desired state of security. The following are some common tools and their primary uses:
3.1. Firewalls — Can be software or hardware based. Software-based firewalls almost always run on the host they are protecting, whereas hardware firewalls are generally used to protect several hosts. The basic function of a firewall is to filter traffic flowing to or from a host.
3.2. Encryption — As it is related to Web traffic, https is used to ensure that data between your Web servers and your users cannot be read by someone eavesdropping on your connection. Encryption can also be used to protect the contents of email messages, FTP traffic and file level data.
3.3. VPNs — Virtual Private Networks. VPNs are generally used to securely connect remote systems together over an unsecured network. Employing a similar concept to https, a VPN creates an encrypted “tunnel” that is transparent to the end devices. Any information passed across the link, whether the application itself encrypts it or not, travels through that secure tunnel. For example: https is akin to two people having a telephone conversation while speaking in code to encrypt their message — an eavesdropper will not understand what is being said. A VPN is similar to two people having a conversation on a secure line — the two people can speak freely because the line itself employs the protection (encryption) needed to protect their messages.
3.4. Intrusion Detection System/Intrusion Prevention System (IDS/IPS) and Anti-virus — This collection of tools can help maintain the integrity of your systems. An IDS typically comes with pre-defined rules for detecting and reporting common attempts to exploit a system. The system can automatically generate reports while recording the tactics used by the bad guys to access your system. An IDS is like a security camera passively monitoring your entry points. An IPS is the natural successor to the IDS, providing the same functions but with the additional benefit of taking action on suspect activities. An IPS is like having an actual security guard. Anti-virus is a layer of security that checks and validates that system applications, or binaries as they are called on *nix-based systems, are free from viruses or unwanted programs.
All of the aforementioned tools require regular updates in order to detect new threats.
3.5. Backups/Redundant Array of Inexpensive Disks (RAID) — In addition to protecting the integrity of your data you also need to protect its availability. Even if you have all of the protection in the world in place, it does little good if you lose all of that information due to human error or hardware malfunction. RAID is a technology that allows you to take multiple hard drives and configure them in ways that increase availability, performance or both. It is important to note that RAID is not a substitute for backups, which act as an insurance policy and provide something to go back to when all else is lost. Of the various RAID levels there are essentially two that provide data protection.
RAID 1 — Disk Mirroring, or having two active copies of your data, will protect you when a single disk in your RAID set fails.
RAID 5 — Striping With Parity: the data from each transaction is spread across three disks, while one of the three disks holds the parity bits. These bits are used to rebuild the data from a failed disk.
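The “parity bit” behind RAID 5 is simply the XOR of the data blocks in a stripe, and XOR-ing every surviving block gives back whatever a failed disk held. This added example (not from the article) works that arithmetic through on constructed two-byte blocks; it also rotates the parity position from stripe to stripe, which is how RAID 5 proper spreads parity across all disks rather than parking it on one.

```python
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks together; this is all the arithmetic RAID parity needs."""
    if len({len(b) for b in blocks}) != 1:
        raise ValueError("all blocks in a stripe must have the same size")
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def write_stripe(data_blocks: List[bytes], stripe_index: int) -> List[bytes]:
    """Return what each disk stores for one stripe: the data blocks plus one parity block.

    The parity block's position rotates with stripe_index so no single disk carries all
    parity writes (a fixed parity disk is the RAID 4 layout).
    """
    disks = len(data_blocks) + 1
    stripe = list(data_blocks)
    stripe.insert(stripe_index % disks, xor_blocks(data_blocks))
    return stripe


def rebuild_missing(stripe: List[Optional[bytes]]) -> bytes:
    """Recover the one block marked None (the failed disk), data or parity alike.

    Since parity = d0 ^ d1 ^ ... ^ dn, XOR-ing every surviving block yields the missing one.
    Two failures in the same stripe leave two unknowns and cannot be recovered.
    """
    missing = [i for i, b in enumerate(stripe) if b is None]
    if len(missing) != 1:
        raise ValueError("RAID 5 can rebuild exactly one failed disk per stripe")
    return xor_blocks([b for b in stripe if b is not None])


def demo() -> bool:
    """Constructed stripe over four disks (three data blocks plus parity), then lose disk 2."""
    data = [b"\x01\x02", b"\x10\x20", b"\xff\x00"]
    stripe = write_stripe(data, stripe_index=0)  # parity lands on disk 0 for this stripe
    lost_disk = 2                                 # disk 2 holds data[1] in this layout
    survivors = [None if i == lost_disk else b for i, b in enumerate(stripe)]
    return rebuild_missing(survivors) == data[1]
```

The rebuild reads every surviving disk, which is why a second failure during that window (or an unreadable sector on a survivor) loses the stripe, and why RAID still needs the backups described above.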
Internet and Web security are of great importance — not only to your site but to every user who visits your site. Security is an essential component of Web success on every level and should be considered the responsibility of each and every website owner. Proper planning and vigilant attention to your security risks will help ensure a prosperous future for your website and peace of mind to your visitors and customers.
Lee Evans owns and operates LeeWare.com, a premier provider of unmanaged virtual dedicated Linux servers.