Be Informed

8/5/2010

I got my start early on in software (namely DOS 5.0) when I was around 13. I've always "tweaked" things to make them do what I wanted them to do, whether they were meant to or not. I was an "ethical" hacker. It never entered my mind that there were those like me who did the same thing but on darker, malicious levels. Given my highly analytical nature (sometimes over-analytical), it's only natural that I'd have a penchant for the security industry.

I've worked on both sides of the industry, in hosting and in corporate environments. The two worlds are vastly different in terms of security and operations. Truthfully, managed hosting provides much more in terms of security: colocated and unmanaged dedicated servers are compromised far more often, because their administrators are generally not well informed on security practices and lack the experience to maintain secure code, applications, software and passwords. Other times, they are simply lazy. Whichever your poison, it can land you in some very uncomfortable positions.

With technology progressing at light speed, it's possible to do anything you imagine with the right tools. The progression of security doesn't end. It will never end unless all the people in the world become wholly the same person with the same knowledge, goals and ideas. Makes for a boring reality, doesn't it? I digress; my point is that businesses and individuals with a web presence, and web site administrators and developers, need to invest more in security and develop an understanding of how security protects them and their customers.

Many will argue that security through obscurity isn't security at all. In its defense, however, I would have to argue that it certainly has helped. The reason it has worked is simple human nature: people overcomplicate things, or trust that something will always remain the same. However, with technology advancing and tools becoming more robust, it's going to be quite a bit harder to hide something in plain sight. It's like hiding in the dark from an attacker who owns infrared goggles. So changing the port particular services listen on isn't going to be enough, and securing something with a password you believe to be hard to guess isn't going to be enough either, especially if your site is full of vulnerabilities due to outdated code and package flaws.

10 Steps to becoming more secure:

1. Keep your Operating System software up to date

    • Apply patches or upgrade as needed, as often as monthly.

2. Keep your site software up to date

    • Same as before: apply patches or upgrade. This means checking the vendor's site periodically for security update releases.

3. Install Anti-Virus software on your system

    • Enable auto-protect if it has that; if it doesn't, you are using the wrong AV software.
    • Enable auto-update and set it to update definition files weekly.

4. Get a Web Application Vulnerability Scan done against your site

    • It's best to run these against a non-production or staged version of your site.
    • These scans can pinpoint vulnerabilities within your code so that you can correct them.
    • If you don't have a staged version of your site and must run them against production, do it during off-peak hours.

5. Ensure your OS is hardened

    • Hardening your OS is one layer in a defense-in-depth approach.
    • If you don't know how to harden your server, contact a security professional who can customize a hardening design that preserves the functionality you need while minimizing risk.

6. Utilize a firewall

    • A firewall lets you be selective about who can reach vital services on your server.
    • Implement egress filtering as well: if you do end up compromised, your server won't become the source of attacks on other servers.

7. Utilize an application firewall

    • An application firewall can detect particular parameters in requests to your server and block them before they do any harm.
    • Sometimes you will need to write custom rules for your application firewall to be really effective.

8. Do quarterly audits of your server's users and directories

    • Auditing who and what has access to your resources is vital to running a top-notch system.
    • Use this audit to also review the permissions users have and the permissions applied to directories in your webroot.

9. Do quarterly audits of your firewall rules

    • Firewall rules may need to be modified from time to time. Check that they still provide the maximum amount of protection to your environment.

10. Shut down unnecessary services

    • Many servers are provisioned with services you will never need. For instance, Linux servers may have cups enabled, which a simple site does not need.
    • Be sure to remove services from startup as well, or you may find them running again after a reboot.
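The quarterly audit in step 8 and the service review in step 10 are easy to script. What follows is an added example, not code from the original post: three small POSIX shell helpers that report accounts able to log in (or holding UID 0 under another name), world-writable paths under a webroot, and enabled services that are not on an explicit allowlist. The passwd file, webroot and service lists are constructed sample data built in a temporary directory, so the script runs anywhere; on a real host you would point the helpers at /etc/passwd, your actual webroot, and (assumption: a systemd host) the output of `systemctl list-unit-files --state=enabled`.

```shell
#!/bin/sh
# Added example for steps 8 and 10 of the list above; it is not code from the
# original post. The passwd file, webroot and service lists below are
# constructed sample data.

set -eu

# Step 8: from a passwd-format file, print every account that is UID 0 under a
# name other than root, and every account whose shell is interactive (anything
# not ending in nologin or false). Both kinds deserve a second look.
audit_accounts() {
    awk -F: '
        $3 == 0 && $1 != "root" { print $1 " (uid 0!)"; next }
        $7 !~ /(nologin|false)$/ { print $1 " (" $7 ")" }
    ' "$1"
}

# Step 8: print world-writable files and directories under a webroot, as paths
# relative to the root. "-perm -002" matches any entry with the "other write"
# bit set; symlinks are skipped because their own mode bits are meaningless.
audit_webroot() {
    (cd "$1" && find . -perm -002 ! -type l | sort)
}

# Step 10: print enabled services (one name per line in $1) that are absent
# from the allowlist in $2. grep returns 1 when nothing is unexpected, which
# is the good case, so that exit status is swallowed.
unexpected_services() {
    grep -vxF -f "$2" "$1" || :
}

# ---- constructed sample environment ---------------------------------------
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT

cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1000:1000:deploy:/home/deploy:/bin/bash
oldadmin:x:0:0:forgotten account:/home/oldadmin:/bin/sh
EOF

mkdir -p "$SAMPLE/webroot/uploads" "$SAMPLE/webroot/css"
touch "$SAMPLE/webroot/index.php" "$SAMPLE/webroot/css/site.css"
chmod 0755 "$SAMPLE/webroot" "$SAMPLE/webroot/css"
chmod 0644 "$SAMPLE/webroot/index.php" "$SAMPLE/webroot/css/site.css"
chmod 0777 "$SAMPLE/webroot/uploads"        # the misconfiguration to be caught

printf '%s\n' sshd nginx cups avahi-daemon cron > "$SAMPLE/enabled"
printf '%s\n' sshd nginx cron                   > "$SAMPLE/allowed"

echo "== accounts that can log in or hold UID 0 =="
audit_accounts "$SAMPLE/passwd"
echo "== world-writable paths under the webroot =="
audit_webroot "$SAMPLE/webroot"
echo "== enabled services not on the allowlist =="
unexpected_services "$SAMPLE/enabled" "$SAMPLE/allowed"
```

Run it as-is to see the three reports for the sample data; for a real audit, replace the sample inputs with the live files and keep the output with the date so the next quarter's run can be diffed against it. The allowlist approach in `unexpected_services` is deliberate: listing what a server is supposed to run is a shorter, more stable document than trying to enumerate everything it should not.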

Of course, if you find all of this overwhelming, or aren't sure you can perform each of these steps, look into a managed hosting provider like FireHost, Inc., which can provide some or all of these services and options for you.
