On the Internet, as it is with power tools, the stronger the tool, the greater the potential damage when misused. The Internet is still in its infancy, so is the abuse.
The more important the Internet is to your company, the more important it is that your security policy works. However, just because you “only have a web site” on the Internet, doesn’t mean security isn’t an issue. The big sites that came crashing down just a couple years ago were victims of other compromised sites. Many compromised sites were just those business who said they, “only have a web site”.
Remember, your little old web site can be commandeered to do lots of evil things without your knowledge. The industry and the courts still have not completely decided how much responsibility belongs to the owners of the little web sites that have neglected their security.
The least expensive and most effective security policy is the one that is implemented BEFORE an attack occurs. Don’t wait until an attack has occurred to decide what you should have done. Every business has specific needs when it comes to Internet security. This means that a cookie-cutter approach won’t work. You must evaluate your needs on the Internet and use that knowledge to balance the risk you can afford. Any machine connected to the Internet has some risks.
Your security policy should contain a detailed list of the known risks and a list of tested safeguards that minimize those risks. How will you know if your network or Internet site has been broken into without good intrusion detection? It could be months or even years before the attacker uses the many sites he has compromised.
A good security policy also has a detailed incident response defined so recovery can be as fast as possible while keeping costs to a minimum. The word “costs” means different things to different people. Your site could be turned into a pornographic site within an hour of break-in. Even if you say it’s “just a web site”, it could be your worst enemy, especially if you can’t get back in to fix it.
Responding to the incident means recovering your site, recovering your data, and recovering your sanity. If recovery is accomplished fast enough, you might be able to avoid having to recover your reputation as well.
Even the best security policy will be worthless to you if it just sits on a bookshelf and no one reads it. It is important that your entire company be involved in the security policy. An easy way to break into a site is to call someone inside the company and pretend to be “your Internet Service Provider” or the new developer who needs a temporary account. This means everyone in your company should know what things to look for and what to avoid.
Your security policy should include details on how you will test your network or Internet site. You need to do more than just a penetration test. You need someone who knows where the holes are and how to help you get those holes plugged. Once the initial security audit is finished and the deficiencies are fixed, your security policy should detail how you will ensure that new weaknesses aren’t introduced. This generally means regular security audits. Even if the site is never changed once the initial audit is finished, new vulnerabilities are being discovered every day and the attackers find out about them quickly. Even a static site or network need periodic auditing.
Those companies with more than just a web site need to test all their online services. This includes any web applications that they offer through the CGI interface. If you use CGI, your attackers can too.
Other web applications and tools that are prone to attack include ASP, PHP, Flash, and Coldfusion. If your company uses any of these technologies, you should be sure they are hardened against attack.
We Can Help
Keeping up on the latest security news and testing and fixing the vulnerabilities is a full time job. Few companies are willing to cover the expenses of hiring, training, and retaining a good security expert.
This is where we can help you. We offer expert services for the entire security process from defining a security policy, training, auditing, and fixing detected flaws. We also offer Incident Response assistance. You shouldn’t wonder what to do “if” you get attacked, but what to do “when” it happens. If you’re connected to the Internet long enough, you’re bound to be a target. Many of the new tools the attackers use these days contain a network-range scan. This tests basically EVERY Internet address on the Internet, whether you’ve told your address to anyone or not.
We read of Internet fraud and attacks almost daily. Improve your security before you end up in the headlines, too. Call us at 775/741-8278.
Access Technologies. is a Nevada based corporation located in the Reno Nevada area and offering experienced services in many kinds of Internet related security. Call us at 775/741-8278