| What are the threats and can you prevent unauthorized access? How much knowledge do you need to understand security issues? |
Website SecurityNo company producing a product intended for use on the web can claim it is secure because users who have access can always find ways to misuse it to make it insecure or to make layers on which it depends insecure. Let's be honest, all systems have user names and passwords. There are dozens of ways to harvest passwords and dozens of dumb ways that people remember their passwords (or should I say write them or store them somewhere). Obviously then the users with login permissions are the biggest security hole in any site. There are actually good arguments to be made for hiding a sensitive administration site and having no security at all other than telling trusted people where it is. In addition, your PC is under constant threat of being hacked into by someone on the internet. Low-lifes are scanning machines for open ports and other weaknesses they can exploit. These days they are interested in identity theft and credit card information and turning your computer into a zombie for a botnet, they do not have time to waste trashing your PC. They want to accomplish the above without you noticing anything different on your machine. Keystroke recorders and remote access worms are the most common threats. Microsoft, Apple and the Linux community are constantly releasing updates to their operating systems to deal with these threats and vulnerabilities. But your website runs on a server that is out there on the internet 24x7, that server is likely very similar to your home PC. Server vulnerabilities are revealed everyday for hackers to exploit. I am not going to talk about specific website security threats and vulnerabilities because there are thousands. Let's just talk common sense. There are thousands of programs that run on web servers, each needs to be accessed so obviously has its own security issues. Most of these programs run on multiple levels of software, one calling the other for things it wants done or needs to get. For example, the nervous system of an entire site is the computer scripting language it employs. There are an infinite number of scripts that can be written to execute, each will have its own security issues in addition to the language itself. When multiple scripts talk to each other these security issues compound. The biggest reason for PC and website vulnerabilities is simple: complexity. Thus: Rule 1: Complexity is the enemy of security. Adding features to an operating system also adds vulnerabilities. Installing a new program that uses the web adds new vulnerabilities. Installing a window or door in a home introduces additional security risks, does it not? A new phone line brings a host of added vulnerabilities. Inviting old Aunt Mable (who is getting Alzheimers) to come and stay could also be a big security risk. There are so many things to think about. The doorways into computers are called Ports. Programs talk through these virtual doorways. The messages flying around the internet have the port number in their header, that is how a computer knows which program to send an incoming message to. The foundation of most security systems is to minimize the number of open ports (the ones being watched by the operating system). There are thousands of ports. There are likely dozens of programs on your computer that use ports and many of these want to use a specific port number that the computer world has agreed on. While web servers also talks on ports, this aspect of security is not as important since the server has only a limited number of programs that use them and the manner in which they communicate is focused and has been closely scrutinized by thousands or people to make them secure. Of course, website designers can figure out ways to make them insecure! However, security on a website is much more abstract. It is much like neighborhood security. Houses have many weaknesses that can be exploited by would-be criminals. Often things about houses actually invite invaders (e.g. an open gate, a window obscured from street view by a bush, an unlocked car, etc). Most of the recommendations of a security consultant are going to be simple common-sense things. It is the same with a website. Would you say it would be smart to install a very complex electronic security system at your house if you had not taken care of the simple things? Would it be smart to have a system that you do not even understand? Such a thing may actually be an impediment and a weakness. A website is the same, you need to understand it before you can protect it. Consider this analogy: The idea of sending oil tankers through the northwest passage it absolute insanity, right? It is just a matter of time until one would get frozen in the ice and spill its oil into the fragile arctic ecosystem. What will happen? Oil companies will hire environmental experts to watch every detail of the shipping oil through the arctic in supertankers. They will tell the media that they have the best experts. But the bottom line is still that the whole idea of shipping oil in super tankers in the northwest passage is complete craziness. Now, if you hire a bunch of network and website experts to build a complex web presence, they are going to build it on maze of interconnected levels and complicated protocols. And they are going to tell you everything is fine. The more you pay them the more they will tell you how secure it is. But the bottom line is that complexity is impossible to manage, that is common sense, but they are just being paid to manage it anyway, right? Rule 2: If you do not understand how your website works, then it is not secure! There is no question about it, people who know the least about computers get the most viruses by far and they get hacked the most. Think about this again. If you hired a security consultant, would you not have to explain to him/her how the site works? Can someone sell you a house and tell you that it is secure? No. YOU ARE THE WEBSITE SECURITY, what you do or do not do is what makes it secure. If you are not constantly learning about new security threats, then it is not secure. But you do need to study general residential security and be alert to new techniques being used by criminals. Thus, the philosophy promoted for other aspects of a dreamsite holds true again. It is better to have something simple on a website that you control and understand than have something complicated that you do not. By starting simple you can think about the threats and vulnerabilities and shape the site development accordingly. If you always go down roads that you understand then you will also understand or reason out the associated threats and how they relate to existing threats. So parallel growth in knowledge about the way a web site works with growth of the site itself. You might think that knowledge needs to be ahead of web site development, but this is not really the case. They grow together, development of a new feature on a site is actually part of the education. If you create something specifically adapted to yourbusiness.com on the web, then there is no security expert trained in what you have made, you are the expert. You are the dreamer. So you need to dream about security also. |
Only custom-written web components can go down any road you choose! |
|
Suite 407, 1595 Southview Drive SE, Medicine Hat, AB T1B 0A1 | CCBot/1.0 (+http://www.commoncrawl.org/b (3) |
