John Pescatore
A member of the Gartner Blog Network
VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems…

Since Deer *Won’t* Eat Dandelions, Move Up the Web Server Security Hierarchy

by John Pescatore  |  July 23, 2009  |  3 Comments

I live on the edge – the edge of the woods, anyway. Deer eating my landscaping is a constant problem. Since I can’t put a giant fence around my entire property, I have to use a mixture of DMZs (deer fencing around areas where I can put a fence), hardening (spraying anti-deer solutions onto plants) and smart design (choosing plants that deer don’t like to eat). On that last point, it turns out plants deer don’t like to eat do not exist when deer are hungry, which is always. The only things they don’t seem to eat are dandelions and crabgrass.

At the slightest lapse in my security, the deer get in and eat everything. If a branch knocks down the deer netting, the deer notice it before I do – whammo, the day lilies are gone. If plants grow too close to the DMZ edge, they reach over the netting – bam, the tomatoes are gone. If rain washes off the smelly stuff – pow, the camellias are toast. Just when I think they won’t eat nandina – zap, only Heavenly Bamboo stumps are left.

Yup – exactly like web server security. The attacks are constant; one little slip and your web server is toast; hackers seem to have “flavor of the month” vulnerabilities they swarm on, but they always come back to old weaknesses, too; and the suckers are always hungry. Even worse, these days there are financially motivated ~~deer~~ attackers that pound really hard on your ~~deer fencing~~ web security. Those targeted attacks don’t get the publicity that good old worms used to give us – management doesn’t read about them in ~~Deer Hunting Times~~ the Wall Street Journal.

This week there are more reports of Adobe and Microsoft vulnerabilities being exploited and lots more compromised web servers being used for “drive-by” attacks. Not only high profile sites are hit – I came across an interesting account of a ham radio web site getting hacked and what it took to restore. Many of the attacks are simple, taking advantage of bad practices in web site management. Some of the attacks are complex, first using compromised internal PCs (usually laptops that got hit on the road) to compromise Internet-facing servers (and internal servers) from the inside.

Back in 2001, I put out a Gartner research note on web security best practices based on the types of attacks back then. Last year we updated that note (Web Server Security Hierarchy),  but it was kinda sad to see how much of the advice hadn’t really changed. The tools (application vulnerability testing, web application firewalls, better default configurations for operating system and web server software) have all gotten better but the IT operations discipline has gone backwards in recent years – more new interactive features being pushed out too quickly, budget issues slowing patching, etc.  Time to check the netting around your web servers.
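The “hardening” and “better default configurations” layers above are the kind of thing worth turning into a repeatable check rather than a one-time setup. The script below is an added example, not code from this post or from the Gartner research note it cites: it audits a constructed Apache httpd-style configuration fragment for a handful of well-known weak settings (`ServerTokens`, `ServerSignature`, `TraceEnable`, and directory indexing via `Options Indexes`) and produces a hardened copy. The sample config and the short list of checked directives are assumptions chosen for illustration, not a complete hardening baseline.

```python
# Added example: a small configuration-hardening check for Apache httpd-style
# directives. Sample input is constructed for illustration; the checked set is
# deliberately small and is an assumption, not an authoritative baseline.

# Constructed sample config (not from the post) with several weak defaults.
WEAK_CONFIG = """\
ServerTokens Full
ServerSignature On
TraceEnable On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
"""

# directive -> (hardened value, why it matters)
EXPECTED = {
    "ServerTokens": ("Prod", "version banner lets attackers match exploits to your exact build"),
    "ServerSignature": ("Off", "error pages should not advertise the server version"),
    "TraceEnable": ("Off", "TRACE is rarely needed and has been abused for cross-site tracing"),
}


def parse_directives(text):
    """Return (line_no, name, value) tuples for non-comment, non-section lines."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        out.append((n, parts[0], parts[1] if len(parts) > 1 else ""))
    return out


def audit(text):
    """Return (line_no, directive, message) findings for weak or missing settings.

    A missing directive is reported with line_no 0, because an absent directive
    silently keeps the server's looser default.
    """
    findings = []
    seen = set()
    for n, name, value in parse_directives(text):
        if name in EXPECTED:
            seen.add(name)
            want, why = EXPECTED[name]
            if value.strip().lower() != want.lower():
                findings.append((n, name, f"is '{value}', expected '{want}': {why}"))
        elif name == "Options":
            # "Indexes" or "+Indexes" enables directory listing; "-Indexes" does not.
            if any(o.lstrip("+") == "Indexes" for o in value.split()):
                findings.append((n, name, "directory listing enabled (Indexes); remove it or use -Indexes"))
    for name, (want, why) in EXPECTED.items():
        if name not in seen:
            findings.append((0, name, f"not set; add '{name} {want}': {why}"))
    return findings


def harden(text):
    """Return a copy of the config with the checked directives set to hardened values."""
    lines = text.splitlines()
    seen = set()
    for i, raw in enumerate(lines):
        indent = raw[: len(raw) - len(raw.lstrip())]
        parts = raw.split(None, 1)
        if not parts:
            continue
        name = parts[0]
        if name in EXPECTED:
            seen.add(name)
            lines[i] = f"{indent}{name} {EXPECTED[name][0]}"
        elif name == "Options" and len(parts) > 1:
            opts = [o for o in parts[1].split() if o.lstrip("+") != "Indexes"]
            lines[i] = f"{indent}Options {' '.join(opts) if opts else 'None'}"
    # Prepend any directive that was absent so the looser default no longer applies.
    for name, (want, _) in EXPECTED.items():
        if name not in seen:
            lines.insert(0, f"{name} {want}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for line_no, name, msg in audit(WEAK_CONFIG):
        print(f"line {line_no or '-'}: {name} {msg}")
    print("--- hardened ---")
    print(harden(WEAK_CONFIG), end="")
```

Running the script lists four findings for the sample fragment and prints a version with the weak values replaced; auditing that hardened output again returns no findings. The same shape (parse, compare against an expected baseline, rewrite) extends to other server software, which is the point: the “smelly stuff” has to be re-applied every time the configuration changes, not just once.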

3 responses

  • 1 Scot, K9JY   July 24, 2009 at 1:55 am

    My vulnerability had very little to do with servers and everything to do with poor software — none of which was in my control. Most users of software are entirely dependent on the people writing the software.

    My responsibility as a user of the software is to upgrade when vulnerabilities are identified. In my case, I was upgrading within 24 hours of the notice, but that wasn’t good enough.

    But was it a server issue? No. Was it my hosting company? No. It was the application software and I took 24 hours, as an individual site, to upgrade. You’d think that would be good enough, but it wasn’t.

    Unfortunately, I need to trust the software gurus to do the right stuff because I understand career management, not software development.

    How do we get the software companies and developers to get the security right in their software releases?

  • 2 John Pescatore   July 24, 2009 at 7:28 am

    The answer to your question is we influence the software market when we stop buying crappy software and the market realizes security is a top buying criterion. Many larger vendors who sell to businesses have seen this happen – witness the changes Microsoft made and Adobe has started to make.

    However, in consumer and even small business markets – still a different story. Those markets don’t keep up the pressure – demand for security leaps after an incident and then drifts downwards pretty rapidly. Think about the various scares over buying cheap toys with lead and other chemicals in them, and how quickly people go back to buying the cheapest or flashiest thing.

    So, the responsibility as a software user has to be more than just patch – just as the responsibility as a car driver is to do more than just drive, you have to be a defensive driver.

  • 3 Rob Lewis   July 27, 2009 at 3:14 pm

    Since perfectly secure software is an unobtainable goal, it might be wiser to choose systems that can withstand imperfect software.

    I would place my bet on the top recommendation of “Web Server Security Hierarchy”: trusted operating system/appliances, especially since we have now removed the barriers of high cost of ownership, non-standard OS and apps, interoperability/integration issues, and huge training requirements.
