Web Site Hackerproofing 101

In recent weeks, high-profile arrests of hackers and malware authors have trained a spotlight on the sometimes-shadowy underworld of computer crime.The Internet may seem like a more dangerous place than ever before, but Web security administrators can greatly reduce the number of vulnerabilities that allow hackers to illegally enter, deface and destroy Web sites.

In addition to the obvious steps of installing firewalls, intrusion-detection software and other security products, administrators can take several simple — and relatively inexpensive — measures to frustrate hackers’ efforts and protect their corporate data.

“When you’re doing an application hack, it’s about gathering information,” said Caleb Sima, cofounder and CTO of application security vendor SPI Dynamics, in a SANS Institute Webcast on September 10th. Therefore, administrators must reduce hackers’ ability to garner such data.

Topping the Charts

Most attacks result from just a handful of vulnerabilities. The SANS Institute, working with the FBI, comprises a list of the top 10 vulnerabilities in Windows and the top 10 in Unix. This list is designed to help often-overwhelmed security personnel patch the most common problems, thereby reducing the risk of system compromise.

Today, the top five Windows vulnerabilities are in Internet Information Services (IIS), Microsoft Data Access Components (MDAC), SQL Server, NetBios Unprotected Windows Networking Shares and Anonymous Log-In (Null) Sessions, according to the SANS Institute and FBI ranking. On the Unix front, the leading vulnerabilities are found in Remote Procedure Call (RPC), Apache Web Server, Secure Shell (SSH), Simple Network Management Protocol (SNMP) and File Transfer Protocol (FTP).

Patchwork Quilt

One way to reduce these vulnerabilities is to take advantage of developers’ patches, said Bill Hancock, vice president of security and CTO at Cable & Wireless, in an interview with the E-Commerce Times.

“Most people don’t patch correctly,” he said. “Eighty-five percent of all vulnerabilities exploited are due to lack of patches. It’s not ‘patch and forget it.’ It’s an ongoing process. If you don’t put the patches in, that’s the number one way vulnerabilities get exploited.”

Some software developers are hoping to eliminate the need for manual patching by automating the process, Harald Prokop, senior director of network intelligence at Akamai, told the E-Commerce Times. “The providers of software are trying to help make system administrators’ jobs easier by making fully automated software,” he said. “It solves one problem about software being patched.”

However, Prokop warned, this practice could create additional problems becausepatches are applied invisibly; as such, they may change the software and cause other headaches for administrators. “If I had to say one thing, I’d say patch your system,” he said. “If I had to say two things, I’d say patch your system and don’t ignore the Internet. Patching is just being diligent.”

Harden Your Heart

Web security administrators also must closely scrutinize the hardware and software that support their networks and Internet access. Many devices today have multiple capabilities, some of which are unnecessary to their role on the network, Prokop said.

“You’re not really aware of what you’re turning on,” he cautioned. “Today, most of these packages are so complex they offer a wide range of services. To consider the Internet is to harden your origin side by making sure you’re not leaving any vulnerabilities.”

Added Hancock: “In the case of a Web server, you want to turn off a whole [lot] of things you don’t need. We call that hardening the machine.”

Take the Test

Likewise, programmers need to ensure they code and configure correctly. “A lot of Web developers don’t understand how to code securely,” said Ed Skoudis, a security consultant with International Network Services.

Code should have some built-in protection, Hancock agreed. “Programmers have got to be trained to write things correctly,” he said. “[They must ask:] Did you code securely? Are you checking for infestations?”

Enterprises should proactively and regularly check their sites for vulnerabilities and insecure code. “It’s always a good idea to get an outside view of things,” Hancock said. “Every time you change … you need to go back and scan it again.” Cable & Wireless offers this service to its clients.

In addition, they should minimize the number of accounts that have access to programs and should change passwords every month, he said.

Burning CDs

Many organizations put static information on their Web sites, leaving them vulnerable to attack. However, by simply and inexpensively moving this data to a CD-ROM or DVD, they can greatly reduce their vulnerability, according to Hancock.

“All of that can be done on a CD-ROM, and if you use caching software it’s just as fast [as online],” he said. “There’s no way to hack a CD-ROM. If you don’t have a reason to make it read-write, make it read only.”

Look Outside the Box

Organizations also can choose to use a distributed architecture to distance themselves from hackers. “Akamai runs a network on top of the Internet,” said Prokop. “We can shield you from [disruption of service] attacks by making the threats come to Akamai. We don’t expose the user. There’s not a single power outage that can take it out.”

Akamai, with headquarters in Cambridge, Massachusetts, has more than 15,000 servers in 60-plus countries, which are directly connected to more than 1,100 networks. “There’s nothing you can do [to protect yourself] by being in one place,” Prokop warned.

While these approaches may be time-consuming, patching diligently, closing unnecessary holes, reducing the number of employees who have access and moving unchanging media to CD-ROM or DVD can greatly reduce a company’s chance of being attacked. The payoff? “You’d probably eliminate close to 90 percent of hackable stuff, [or] even more,” Hancock said.