If MIS directors thought the Internet was a significant security risk five years ago, it is many, many times that risk today. Not only is there a larger population of crackers looking to attack your site, but the tools for doing so are also many generations ahead. Every member of the IS staff must be vigilant about assessing security and must always push to improve it.
In UNIX System Administration Handbook, 3rd Edition, we offer guidelines to stimulate thinking about how to continuously innovate in the security realm. Effective system security has its roots in common sense and is very much like dealing with an infestation of mice in your house. Here are seven rules you might use:
Step 1: Don't leave things that are likely to be interesting to mice lying on the kitchen table overnight. Don't put files on your system that are likely to be interesting to hackers or to nosy employees. Trade secrets, personnel files, payroll data, election results, etc., must be handled carefully if they're online. Securing such information cryptographically will provide a far higher degree of security than simply trying to prevent unauthorized users from accessing the files that contain it. Your site's security policy should specify how sensitive information is handled. See RFC 2196 (the Site Security Handbook) for some suggestions.
Step 2: Plug the holes that mice are using to get into the house. If they can't get in, they won't bother you. Plug holes that hackers can use to gain access to your system. Monitor security bulletins from your vendor and the security mailing lists discussed in this chapter to learn about patches as they become available. Turn off unnecessary services.
Step 3: Don't provide places within the house for mice to build nests. Don't provide places for hackers to build nests on your system. Hackers often break into one system, then use it as a base of operations to get into others. World-writable anonymous FTP directories, group accounts and accounts with poorly chosen passwords all encourage nesting activity.
Step 4: Set traps along walls where you often see mice out of the corner of your eye. Set traps to detect intrusions and attempted intrusions. Tools such as tripwire, tcpd and crack will help keep you abreast of potential problems.
Step 5: Check the traps daily to rebait them and to dispose of squashed mice. Continually monitor the reports generated by these security tools. A minor problem that is ignored in one report may grow into a catastrophe by the time the next report is sent.
Step 6: Avoid using commercial bait-and-kill poisons to deal with the situation. These can leave you with dead mice in your walls or kill your dog. Traditional snap traps are best. Teach yourself about UNIX system security. Any number of high-priced security consultants will happily come to your site and instill terror in you and your management about the insecurity of your systems. They'll explain that for only $250,000 they can make your site secure. Unfortunately, their solutions will often leave you with dead mice in your walls and kill your users' productivity. Traditional know-how and common sense are the most important parts of a site security plan.
Step 7: Get a cat! Prowl around looking for unusual activity. Investigate anything that seems unusual, such as odd log messages or changes in the activity of an account (more activity, activity at strange hours, or perhaps activity while the owner is on vacation).
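Steps 4 and 5 name tripwire as a trap to set and then check daily. The following shell example is added here for illustration (it is not from the book and is not Tripwire's own code): it records a hash baseline of a directory tree and reports what has been added, removed or changed since. The function names `snapshot` and `compare` are hypothetical, and it assumes GNU `sha256sum` and file names without newlines.

```shell
#!/bin/sh
# Added example: minimal baseline-and-compare integrity check in the
# spirit of tripwire. Assumes GNU sha256sum; names are hypothetical.

# snapshot DIR: print "<sha256>  <path>" for every regular file under DIR.
snapshot() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# compare BASELINE CURRENT: report ADDED, CHANGED and REMOVED paths.
compare() {
    [ -r "$1" ] && [ -r "$2" ] || { echo "compare: unreadable input" >&2; return 2; }
    LC_ALL=C awk '
        # Each line is: 64 hex digits, two separator characters, then the path.
        function hash_of(l) { return substr(l, 1, index(l, " ") - 1) }
        function path_of(l) { return substr(l, index(l, " ") + 2) }
        BEGIN {
            # Load the baseline first so an empty baseline is handled correctly.
            while ((getline l < ARGV[1]) > 0) base[path_of(l)] = hash_of(l)
            ARGV[1] = ""    # main loop now reads only the current snapshot
        }
        { p = path_of($0); h = hash_of($0); seen[p] = 1 }
        !(p in base) { print "ADDED   " p; next }
        base[p] != h { print "CHANGED " p }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# Command-line use:  script snapshot DIR > baseline
#                    script compare baseline current
case "${1:-}" in
    snapshot) snapshot "$2" ;;
    compare)  compare "$2" "$3" ;;
esac
```

Keep the baseline file somewhere an intruder on the monitored host cannot rewrite it, such as read-only media or another machine. An empty report means nothing changed; any other output is what Step 5 asks you to read every day.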
