I live on the edge – the edge of the woods, anyway. Deer eating my landscaping is a constant problem. Since I can’t put a giant fence around my entire property, I have to use a mixture of DMZs (deer fencing around areas where I can put a fence), hardening (spraying anti-deer solutions onto plants) and smart design (choosing plants that deer don’t like to eat). On that last point, it turns out plants deer don’t like to eat do not exist when deer are hungry, which is always. The only things they don’t seem to eat are dandelions and crabgrass.
At the slightest lapse in my security, the deer get in and eat everything. If a branch knocks down the deer netting, the deer notice it before I do – whammo, the daylilies are gone. If plants grow too close to the DMZ edge, they reach over the netting – bam, the tomatoes are gone. If rain washes off the smelly stuff – pow, the camellias are toast. Just when I think they won’t eat nandina – zap, only Heavenly Bamboo stumps are left.
Yup – exactly like web server security. The attacks are constant; one little slip and your web server is toast; hackers seem to have “flavor of the month” vulnerabilities they swarm on, but they always come back to old weaknesses, too; and the suckers are always hungry. Even worse, these days there are financially motivated ~~deer~~ attackers that pound really hard on your ~~deer fencing~~ web security. Those targeted attacks don’t get the publicity that good old worms used to give us – management doesn’t read about them in ~~Deer Hunting Times~~ the Wall Street Journal.
This week there are more reports of Adobe and Microsoft vulnerabilities being exploited and lots more compromised web servers being used for “drive by” attacks. Not only high-profile sites are hit – I came across an interesting account of a ham radio web site getting hacked and what it took to restore it. Many of the attacks are simple, taking advantage of bad practices in web site management. Some of the attacks are complex, first using compromised internal PCs (usually laptops that got hit on the road) to compromise Internet-facing servers (and internal servers) from the inside.
Back in 2001, I put out a Gartner research note on web security best practices based on the types of attacks back then. Last year we updated that note (Web Server Security Hierarchy), but it was kinda sad to see how much of the advice hadn’t really changed. The tools (application vulnerability testing, web application firewalls, better default configurations for operating system and web server software) have all gotten better but the IT operations discipline has gone backwards in recent years – more new interactive features being pushed out too quickly, budget issues slowing patching, etc. Time to check the netting around your web servers.