As the Senior Executive of a major business, you know one thing that has to be accomplished now; your company needs to get on the Internet. You do not know why, but you just know that if you do not get online, you will miss something. Everyone else has jumped on the bandwagon, now it is your turn.
Being the good executive that you are, you screen hundreds of website designers and hosters. After days of exhaustive searching you come upon the perfect, or what seems to be, the perfect company. This company will produce a snazzy site full of eye popping graphics and special effects. Shockwave entrance, dynamic content and user interactivity to the hilt are all part of your company’s new Internet presence.
The site is ready to be released in a month and you have more then prepared yourself. Your marketing division has gone into overdrive with campaigns on radio, television and print. The site will have special give aways and contests. The hype is certainly there.
Release day has finally come. After pacing the floor for weeks, double checking everything you can possibly think of, the site opens. It is amazing! Within one hour more then twenty thousand people have visited and sales is reporting a 2% increase in purchases. Self-assuredly patting yourself on the back, you make your way to the CEO’s office, who also happens to be your father to report the good news.
While reporting the good news to your father, who by now is practically jumping up and down at the report of increased profits, a manager bursts into the office. The CEO being interrupted unannounced, this is certainly a brash young man! After catching his breath, he bursts out, “WE’VE BEEN HACKED!”. You ask him to repeat himself and he tells you and you father, that one minute their beautiful site was there, the next it was replaced with “H0 H0 H0 S4NT4 H4S C0M3 T0 T0WN”. What did you do wrong?
This story, albeit fictional characters, is reality for hundreds of companies who make a home on the Internet. What did all of them do wrong? The problem can be traced to their criteria for picking a website hosting and design company. The person responsible for doing the screening will be given, or has to create, a guideline of what a certain website design and hosting company has to meet. How many of these guidelines have security in mind? Take a minute to look at the Attrition (1), web defacement mirror to find out. The number of web defacements of commercial websites reported to Attrition is approaching sixteen hundred.
Sixteen hundred websites is a large number, especially since that is just the commercial sites. How about 163 educational institution sites or 153 government sites and 97 military sites? Again, developing a guideline with security in mind can assist in assuring a secure network.
To fully understand the guidelines for choosing a website design and hosting company, let us examine a fictional one:
Company XYZ Internet Guidelines
Company XYZ, a leading distributor of ABC in North America, has after exhaustive studies in the marketplace has come to the following conclusion; that to guarentee the success of our company in the 21st century, a presence on the Internet is neccesary. In order to facilitate such a need we have decided to outsource to a website design and hosting company. Following is the guidelines we will stringently adhere to in our search of such a company.
Above all else, we understand the absolute need of a secure network in order to avoid loss of consumer trust and revenue. The company that we choose must provide upon request:
A report of the current state of their networks, included in which is:
> The number of servers versus the number of clients they currently possess.
> The operating system they choose to utilize on their servers and how they came to the decision to use that OS.
> The hardware stats of their servers.
> Average uptime of servers.
> How often and when do they do maintenence?
The company’s security guidelines, included in which is:
> What kind of firewall setup do they have (1-point, 2-point, etc)?
> When they do security checks and what they do during them.
> The checklist they use when installing a new server on the network.
> How do they deal with an intruder?
> What actions by a potential intruder rouse attention?
Data integrity guidelines, included in which is:
> How often do they backup their servers?
> What is included in the backups?
> Where do they store backups?
> Do they have a secondary site for storage?
> Protocols for a power outage.
> Protocols for a natural disaster.
Educational profiles of senior system administrators
Criteria for hiring new employees
Any other documents we deem necessary
As you can see, this is a good start for the guidelines. The rest of the guidelines will of course be filled with experience in website design and the such. But as we already learned in the scenario, a beautiful site on an insecure network will not remain beautiful for long. Company XYZ understands that, and that is why they decided to make security their top priority.
Using these sample guidelines will of course help in assuring the integrity of your internet presence but they are not the final step. Words on paper that a website hosting company writes, does not guarentee that they are truth. The next step, after finding a company that fits these criteria is to ask for a tour of their facilities. On the tour bring along your own systems administrator and an outside security consultant. If the hosting company is hesitant to let your administrator and consultant examine the networks, that is not a good sign.
This paper applies to companies who choose to outsource for their hosting needs rather then do it inhouse.
Binyamin Greenberg is chairman of San Diego’s only comprehensive computer security convention, ToorCon Computer Security Expo (2). He is also a partner of Nightfall Security Solutions, LLC (3), a San Diego based computer security thinktank that does hardware and software research as well as product certification, network auditing and intelligence research.
2. ToorCon Computer Security Expo
3. Nightfall Security Solutions, LLC