Security Important for Firm's Web Operations
by Tom Simondi, President
Computer Knowledge, Inc.
Santa Maria, CA
Some Security Considerations

Do you run a web site or control any security assets? If so, you should
periodically run a basic security check on these assets. Some of the
things to look for are actually basic issues from physical security.
Consider:
- Human risks are probably still the most significant challenge a security
manager has to consider. Threats can come from inside or outside, and
insiders have a head start.
- Further consider security training. Social engineering threats are
common. You'd be surprised how many passwords are given out by employees
just by someone saying they are from the computer shop and asking for
the password over the phone.
- Web sites can provide information for attacks or social engineering.
Contact information is often posted, and sometimes system information
is put into the headers on web pages; these headers can be read
as part of the page source code.
- Make certain all software is properly installed and all security
patches obtained and installed. Even with this, there are common errors
that are often not caught. Look in copies of CK Now for "buffer overflow" for
the most obvious example.
- Completely test, particularly for security problems, all software
written in-house. Make certain you understand everything it does, particularly
when data is entered in the wrong locations and/or in the wrong form.
For example, if you truncate long IDs you might allow the wrong user
to access data (SmithJohn might also be allowed for SmithJohnathan).
- If you update underlying software, consider retesting everything.
It's not uncommon for operating system changes to introduce new holes
that might now become available for exploitation.
- Know what others are doing with your site. There are many services
that exchange links and/or place ads on your site. While not necessarily
a direct threat, you might not want some of the advertisers being served
on your site. Check to see if you can limit the type of advertising
fed to your web site.
- Consider having backup sites customers can use if you have a business-intensive
site. Down time is noticed, and customers don't care whether it's caused
by systems being down or by denial-of-service attacks. Along the same line,
make certain your provider has the bandwidth and machine capability
to serve your needs, particularly directly after an advertising campaign.
- Privacy is important to users. Keep that in mind. Consider not just
having an enforced policy but helping the users by not allowing them
to have easy-to-guess passwords, as one example. This will also help
stem the tide of identity theft.
- Be aware of who is looking at your web site(s). Get a good log analysis
program and use it. Maybe you can spot trends before they become
problems.
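The truncated-ID problem mentioned above (SmithJohn being served for SmithJohnathan) is easy to reproduce. The following is an added example, not code from the article; it assumes a hypothetical user table with a 9-character ID field and shows the silently truncating lookup beside a version that rejects over-long IDs instead of trimming them.

```python
from typing import Dict, Optional

MAX_ID_LEN = 9  # hypothetical width of the user-ID field

# Constructed sample user table: only the short ID is on file.
USERS: Dict[str, dict] = {
    "SmithJohn": {"role": "admin"},
}


def lookup_truncating(user_id: str) -> Optional[dict]:
    """Vulnerable form: silently cut the submitted ID down to the field
    width, then look it up. "SmithJohnathan"[:9] == "SmithJohn", so a
    request made as SmithJohnathan is served SmithJohn's record."""
    return USERS.get(user_id[:MAX_ID_LEN])


def lookup_strict(user_id: str) -> Optional[dict]:
    """Hardened form: an ID that does not fit the field is rejected as
    invalid input rather than trimmed, and the lookup is an exact match."""
    if not user_id or len(user_id) > MAX_ID_LEN:
        return None
    return USERS.get(user_id)


def register_strict(user_id: str) -> bool:
    """Apply the same length rule when IDs are created, so no two distinct
    IDs can ever be stored in a form that collides after truncation."""
    if not user_id or len(user_id) > MAX_ID_LEN or user_id in USERS:
        return False
    USERS[user_id] = {"role": "guest"}
    return True
```

The same check belongs at every layer that stores or compares the ID (form handler, application code, database column), because a limit enforced in only one of them is what produces the silent truncation in the others.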
[Webmaster's Note: Originally written for CK News, November, 2000. © Copyright
2000 Computer Knowledge, All Rights Reserved. Posted with permission
of the copyright holder.]