Security Basics mailing list archives
Re: Web Hosting / and Site Security Question
From: Miles Stevenson <miles () mstevenson org>
Date: Sun, 10 Oct 2004 02:53:38 -0400
Salutations, I could write a book answering your questions. Unfortunately for my checking account, those books have already been written. =) So you'll have to settle for a rather lengthy email response...
> My question is does it make sense / is it necessary to incorporate SSL onto our web page. Specifically I am concerned with the page that contains the link to the third party website. My thought is that the page that..
First and foremost, I applaud you for taking security seriously and beginning to ask questions BEFORE you have an actual security problem. This kind of proactive attitude is essential for sound security in any field, not just computers, and demonstrates that you are off to a good start.

Now about your question on whether you should integrate SSL onto your corporate webpage: It sounds to me like you might be headed down the wrong path, in that you are starting with the technology. I can assure you that any IT Security professional worth their salt will tell you that this is not where you want to start. Specifically, you don't want to start by picking out security technologies and trying to find ways to apply them in order to provide security for your organization. This is a common problem, and will end up costing you a lot of money down the road, as well as a security plan that doesn't match your situation (which has a huge impact on the effectiveness of your organization's security).

First, you have to start by identifying what it is you are trying to protect. This is the most essential question you have to answer. Note that there might be more than one answer here. You may have an entire list of things that you are trying to protect, such as trade secrets, proprietary processes, financial data, public image, etc. You mention website defacements, so public image would definitely encompass that. What else?

After you have a good idea of what it is that you are trying to protect comes the often difficult task of trying to quantify the value of what it is you are trying to protect. This can often be very difficult if not impossible to do accurately. The key here is that you don't want the amount you spend on security to be greater than the value of what it is you are trying to protect.
For example, if you estimate that your corporate website is responsible for approximately 3% of your revenue, which comes out to about 50k dollars a year, then you don't want to spend 60k on website security. By the same token though, if that figure comes out to be more like 300k, and you are only spending about 200 dollars to protect it, then you probably are not investing enough. These kinds of estimates are much more art than science though, so please don't take my examples literally. Lots of books and papers have been written about this subject that I can't possibly hope to encompass in a paragraph.

Now it's time to figure out what you are trying to protect this asset from. Who is going to be attacking you? How are they going to be attacking you? These are very important questions you have to ask yourself before you are ready to start looking at technology solutions. Only after this kind of research and planning will you be in a position to make a good choice on what exactly it is that you need to provide for a rational security solution for your organization.

At the time that I am writing this response, I have yet to see anyone else respond to your post, but I am almost certain you will elicit responses specifically dealing with SSL: what it is, what it is used for, how it can properly be used to protect assets, what kind of assets it can protect, etc. So, I won't spend too much time on this part unless my predictions turn out to be wrong. In short, I think you are trying to use SSL for authentication. You want to prove to visitors that your site is the "real McCoy" and not an impostor. Digital certificates can in fact help you with this, and SSL would be the way to go as far as a web-friendly protocol that provides for certificate-based authentication.
However, there are a ton of things to consider here as well:

- Are visitors to your website actually going to bother to check the digital certificate and signature to make sure they are valid and signed by someone they trust before they click on any of your links? This is almost NEVER the case as far as websites go for the general public.
- Is it more important to prove that your website which provides the link is the real thing? Or is it more important to prove that what you are actually linking to (the 3rd party page you mention) is actually the real thing? What exactly is it that needs to be authenticated?
- Is authentication the only thing you need? Do you need the confidentiality and/or integrity provided by encryption? Are you trying to protect any sensitive information from theft or corruption?
- ...etc, etc, etc.

As you can see, there is a whole lot to consider here. I hope that at the very least, I've pointed you towards asking the right questions. And now for the second part:
> Secondly, this company has been using a mom and pop shop for web and email hosting since its inception. Now that the web page is going to be used more actively for promotional use and the company is growing in size, I believe there is a need to start being more security minded about the hosting of the site (i.e. potential for defacement, et al). I would like to find a company that can host the website and email that does annual security assessments and penetration testing, and can provide us with SAS70 Type II or similar documentation. Any recommendations about companies that you have used or worked with would be greatly appreciated. Thanks in advance for your responses!
In short...Yes! If you are going to outsource your organization's IT operations, and security is a concern for you, then it will be very important to make sure that the company you go with practices sound, rational security doctrines. I think one of the best ways to evaluate potential vendors is to schedule a walk-through of the hosting facility. Come prepared and bring a notepad. Ask them questions like "How do you provide for an audit trail of what happens on the system?", "Who is going to have access to my data?", "Do you have an incident response plan, and what are your procedures?", "Do you practice your incident response plan?", etc, etc. If a company is standoffish about these kinds of questions, or cannot provide you with complete and reasonable answers, then go somewhere else. If they are very up-front with these kinds of questions, and can answer them directly and clearly, it is a good sign that they have done their homework and that they are on top of things. This isn't foolproof (beware of the really good salesman that can talk the talk), but in my experience it is a very strong indicator. You definitely want to start looking elsewhere when you start getting vague and mysterious answers like "that is proprietary information which we can't share" when you ask about incident response procedures.

The only thing I don't like about standard security assessments such as SAS70 is that there are SO MANY of them. There are a slew of government and commercial standards, certs, assessments, and everything else for an outsourcing company to live up to, and it's just too expensive for a lot of organizations to get some of these, as well as being very confusing for the client. While these "stamps of approval" can surely help to legitimize sound security practices, they are NOT a substitute for asking questions and doing your own research on the company. Don't rule out a vendor simply because they don't have an SAS70 stamp of approval.
But ask what they DO have, and find out what kind of testing they had to endure to get it. Certification & Accreditation (C&A) processes can be both very effective and highly overrated. I've been on both sides of the coin. I see a lot of these that simply come down to paperwork and checkmarks, and others that take the point of view that there is a universal security solution that is right for everyone, and that everyone should adhere to it. I'm no expert on the subject, but I have yet to see a C&A that really impresses me.

Also, beware of a vendor that tries to suck you into too much security. Security is a BIG business right now, and there are a LOT of companies out there that want to sell you solutions that you simply don't need. Some of the marketing wizards can be very good at making it sound like all these "whiz-bang" technologies, gadgets, and other doohickeys are things that you just HAVE to have if you don't want to be hacked by every script kiddie on the block. For a security company, the best way into a CEO's wallet is through his fear. This is why it's important to have a good understanding of what kind of security you DO need, what is reasonable, and what is simply irrational.

One good rule of thumb is what makes a security solution effective: about 45% people, 45% planning, and only 10% technology. The experience and expertise of the people responsible for your security and the careful planning of your security are MUCH more important than the actual tools & technology. I find that in a very general sense, the more skilled people you have, the less you need to spend on fancy tools. But this also comes at the price of paying for quality people. Again, this isn't the case every time, but I find that most of the really talented security professionals I know and work with (and I know a lot of them!) prefer the more basic tools, like tcpdump, ethereal, nmap, nessus, snort, and other free or very low-cost technologies over the fancier stuff, myself included.
Finally, take heart in that if you find yourself lost in the woods when it comes to computer security, you are not alone! The security-basics list is a great place to ask questions. A resource that I love to recommend to those that want to learn more about computer security (but not as a professional interest, more as a hobby, or because you are in a management position and you have to make security-related decisions) is a book by Bruce Schneier called "Secrets & Lies". This is a wonderful, fairly non-technical introduction to security that covers almost all the basics, and you don't need to be a "techie" to read it. It would surely be of help for the kinds of questions you are asking. It's also quite entertaining!

If you haven't fallen asleep yet...good luck! And please keep us all updated about your progress!

Regards,

--
Miles Stevenson
miles () mstevenson org
PGP FP: 035F 7D40 44A9 28FA 7453 BDF4 329F 889D 767D 2F63