Security Basics mailing list archives

Re: Web Hosting / and Site Security Question


From: Miles Stevenson <miles () mstevenson org>
Date: Sun, 10 Oct 2004 02:53:38 -0400

Salutations,

I could write a book answering your questions. Unfortunately for my checking 
account, those books have already been written. =) So you'll have to settle 
for a rather lengthy email response...

My question is
does it make sense / is it necessary to incorporate SSL onto our web
page.  Specifically I am concerned with the page that contains the
link to the third party website.  My thought is that the page that..

First and foremost, I applaud you for taking security seriously and beginning 
to ask questions BEFORE you have an actual security problem. This kind of 
proactive attitude is essential for sound security in any field, not just 
computers, and demonstrates that you are off to a good start.

Now about your question on if you should integrate SSL onto your corporate 
webpage:

It sounds to me like you might be headed down the wrong path, in that you are 
starting with the technology. I can assure you that any IT Security 
professional worth a salt will tell you that this is not where you want to 
start. Specifically, you don't want to start by picking out security 
technologies and trying to find ways to apply them in order to provide 
security for your organization. This is a common problem, and will end up 
costing you a lot of money down the road, as well as a security plan that 
doesn't match your situation (which has a huge impact on the effectiveness of 
your organization's security).

First, you have to start by identifying what it is you are trying to protect. 
This is the most essential question you have to answer. Note that there might 
be more than one answer here. You may have an entire list of things that you 
are trying to protect, such as trade secrets, proprietary processes, 
financial data, public image, etc. You mention website defacements, so 
public image would definitely encompass that. What else?

After you have a good idea of what it is that you are trying to protect, comes 
the often difficult task of trying to quantify the value of what it is you 
are trying to protect. This can often be very difficult if not impossible to 
do accurately. The key here, is that you don't want the amount you spend on 
security to be greater than the value of what it is you are trying to 
protect. For example, if you estimate that your corporate website is 
responsible for approximately 3% of your revenue, which comes out to about 
50k dollars a year, then you don't want to spend 60k on website security. On 
the same token though, if that figure comes out to be more like 300k, and you 
are only spending about 200 dollars to protect it, then you probably are not 
investing enough.  These kinds of estimates are much more art than science 
though, so please don't take my examples literally. Lots of books and papers 
have been written about this subject that I can't possibly hope to encompass 
in a paragraph.

Now it's time to figure out what you are trying to protect this asset from. Who 
is going to be attacking you? How are they going to be attacking you? These 
are very important questions you have to ask yourself before you are ready to 
start looking at technology solutions. After this kind of research and 
planning, you will be in a position to make a good choice on what exactly it 
is that you need to provide for a rational security solution for your 
organization. 

At the time that I am writing this response, I have yet to see anyone else 
respond to your post, but I am almost certain you will elicit responses 
specifically dealing with SSL: what it is, what it is used for, how it can 
properly be used to protect assets, and what kind of assets it can protect, 
etc. So, I won't spend too much time on this part unless my predictions turn 
out to be wrong.

In short, I think you are trying to use SSL for authentication. You want to 
prove to visitors that your site is the "real McCoy" and not an impostor. 
Digital certificates can in fact help you with this, and SSL would be the way 
to go as far as a web-friendly protocol that provides for certificate-based 
authentication. However, there are a ton of things to consider here as well: 

-Are visitors to your website actually going to bother to check the digital 
certificate and signature to make sure they are valid and signed by someone 
they trust before they click on any of your links? This is almost NEVER the 
case as far as websites go for the general public.

-Is it more important to prove that your website which provides the link is 
the real thing? Or is it more important to prove that what you are actually 
linking to (the 3rd party page you mention) is actually the real thing? What 
exactly is it that needs to be authenticated? 

-Is authentication the only thing you need? Do you need the confidentiality 
and/or integrity provided by encryption? Are you trying to protect any 
sensitive information from theft or corruption?

...etc, etc etc.

As you can see, there is a whole lot to consider here. I hope that at the very 
least, I've pointed you towards asking the right questions. 

And now for the second part:

Secondly, this company has been using a mom and pop shop for web and
email hosting since its inception.  Now that the web page is going to
be used more actively for promotional use and the company is growing
in size I believe there is a need to start being more security minded
about the hosting of the site (i.e. potential for defacement, et al).
I would like to find a company that can host the website and email
that does annual security assessments and penetration testing, and can
provide us with SAS70 Type II or similar documentation.  Any
recommendations about companies that you have used or worked with
would be greatly appreciated.

Thanks in advance for your responses!

In short...Yes! If you are going to outsource your organization's IT 
operations, and security is a concern for you, then it will be very important 
to make sure that the company you go with practices sound, rational security 
doctrines. 

I think one of the best ways to evaluate potential vendors is to schedule a 
walk-through of the hosting facility. Come prepared and bring a notepad. Ask 
them questions like "How do you provide for an audit trail of what happens on 
the system?" "Who is going to have access to my data?", "Do you have an 
incident response plan, and what are your procedures?" "Do you practice your 
incident response plan?", etc, etc. 
If a company is standoffish about these kinds of questions, or cannot provide 
you with complete and reasonable answers, then go somewhere else. If they are 
very up-front with these kinds of questions, and can answer them directly and 
clearly, it is a good sign that they have done their homework and that they 
are on top of things. This isn't foolproof (beware of the really good 
salesman that can talk the talk), but in my experience it is a very strong 
indicator. You definitely want to start looking elsewhere when you start 
getting vague and mysterious answers like "that is proprietary information 
which we can't share" when you ask about incident response procedures. 

The only thing I don't like about standard security assessments such as SAS70 
is that there are SO MANY of them. There are a slew of government and 
commercial standards, certs, assessments, and everything else for an 
outsourcing company to live up to, and it's just too expensive for a lot of 
organizations to get some of these, as well as being very confusing for the 
client. While these "stamps of approval" can surely help to legitimize sound 
security practices, they are NOT a substitute for asking questions and doing 
your own research on the company. Don't rule out a vendor simply because they 
don't have an SAS70 stamp of approval. But ask what they DO have, and find 
out what kind of testing they had to endure to get it. Certification & 
Accreditation (C&A) processes can be both very effective, and highly 
overrated. I've been on both sides of the coin. I see a lot of these that 
simply come down to paperwork and checkmarks, to others that take the point 
of view that there is a universal security solution that is right for 
everyone, and that everyone should adhere to it. I'm no expert on the 
subject, but I have yet to see a C&A that really impresses me.

Also, beware of a vendor that tries to suck you into too much security. 
Security is a BIG business right now, and there are a LOT of companies out 
there that want to sell you solutions that you simply don't need. Some of the 
marketing wizards can be very good at making it sound like all these 
"whiz-bang" technologies, gadgets, and other doohickeys are things that you 
just HAVE to have if you don't want to be hacked by every script kiddie on 
the block. For a security company, the best way into a CEO's wallet is 
through his fear. This is why it's important to have a good understanding of 
what kind of security you DO need, what is reasonable, and what is simply 
irrational. One good rule of thumb is what makes a security solution 
effective: about 45% people, 45% planning, and only 10% technology. The 
experience and expertise of the people responsible for your security and the 
careful planning of your security is MUCH more important than the actual 
tools & technology. I find that in a very general sense, the more skilled 
people you have, the less you need to spend on fancy tools. But this is also 
at the price of paying for quality people. Again, this isn't in every case, 
but I find that most of the really talented security professionals I know and 
work with (and I know a lot of them!) prefer the more basic tools, like 
tcpdump, ethereal, nmap, nessus, snort, and other free or very low-cost 
technologies over the fancier stuff, myself included.

Finally, take heart in that if you find yourself lost in the woods when it 
comes to computer security, you are not alone! The security-basics list is a 
great place to ask questions. A resource that I love to recommend to those 
that want to learn more about computer security (but not as a professional 
interest, more as a hobby, or because you are in a management position and 
you have to make security-related decisions) is a book by Bruce Schneier 
called "Secrets & Lies". This is a wonderful, fairly non-technical 
introduction to security that covers almost all the basics, and you don't 
need to be a "techie" to read it. It would surely be of help for the kinds of 
questions you are asking. It's also quite entertaining!

If you haven't fallen asleep yet...good luck! And please keep us all updated 
about your progress!

Regards,

-- 
Miles Stevenson
miles () mstevenson org
PGP FP: 035F 7D40 44A9 28FA 7453 BDF4 329F 889D 767D 2F63
