OpenHack 1: Attacked and Hacked! - Page 2

: No Code Stone Unturned">

No code stone unturned

All code must be rigorously audited, even simple scripts that run on a Web site. In fact, for sites to be secure, administrators must have intimate knowledge of every application, every API and every part of the network infrastructure.

This comes at a cost that rises quickly relative to presence online. For any site to be considered secure, PC Week Labs estimates that a company must dedicate at least 8 hours per week. Assuming a 40-hour work week (OK, we know thats low-balling the average IT managers week, but we have to figure the math somehow), this equates to at least one person dedicating 20 percent or more of his or her time to Web security. With the base salary of a decent administrator starting at around $65,000, this amounts to a little more than $1,000 per month for a base-package site to remain securely online. For sites with more servers, more software and more connections to the Internet, the costs rise quickly.

The site also showed us that some simple security measures, such as complex passwords, are great in theory but nearly impossible in practice. The hackpcweek site comprised six servers. Imagine how difficult it was to remember passwords such as [Athl!g. We couldnt and had to rely on a list of log-ins and passwords stored on a laptop. If this laptop had been compromised, our entire site would have been vulnerable.

After going through these tests, we cannot understate the importance of a good firewall. We used Axent Technologies Inc.s Raptor firewall and blocked every port except Port 80 for regular HTTP traffic. This configuration is about as simple-and safe-as it can get.

Proxying firewalls require more processing power than stateful inspection firewalls. The Raptor firewall provides a circuit-level proxy. We chose this because it terminates both ends of a connection and acts as an arbitrator. A stateful inspection firewall, in contrast, is basically souped-up packet filtering.

Administrators must also be sure to dedicate enough horsepower to their firewalls. We installed the Raptor firewall on a Hewlett-Packard Co. LPR server with two Pentium IIs running at 450MHz. This level of horsepower is necessary because every session going in and out of the servers has to be monitored. This is not an area where you want to skimp.

Opening new doors

Many companies are outsourcing portions of their Web development, which presents the need for administrators to audit code produced by third parties. Companies should make technology transfer a major part of any outsourcing agreement and should add in extra time to train internal staff on the new code. The concept of open source adds a new twist to the problem of security. While having access to source code should make code more secure through peer review, this is not always the case. Often, security holes can be the result of specific configuration options, not necessarily bad code.

The bottom line is daunting: Dont let your guard down--ever.