How Well are Internet Websites Protected from Attack?
By Itzik Aharon, Vice-President, Quality-Bytes Software Ltd.
The Internet has become a way of life. Many people spend long hours surfing Internet websites to get information, share knowledge, or conduct routine activities such as paying bills, checking their bank balance, or enrolling in educational institutions. Organizations protect critical information and guard the privacy of their clients, but forget another, equally important issue: demanding that the common server on which their website is stored be fully protected.
For some reason, people assume that from the moment a website is stored on an external main server, there is no longer any need to worry about protecting it, because only external web pages are stored on the server and there is no access to the organization's critical information. This assumption is fundamentally wrong, because hostile attacks on the website are likely to result in tremendous financial damage.
Lists of clients and the organizations' business information are well-guarded on the company servers and protected by a security shield. However, the web pages that are saved on an external main server do not always receive the necessary protection to which the hosting company obligates itself.
Why, then, do organizations choose to store their website on an external server? The main answer to this question is the cost. Purchasing a broad bandwidth Internet line for the organization in order to maintain an Internet site is significantly more expensive than hosting the site on a common hosting server. Investing in a broad Internet line can amount to hundreds of dollars or more each month, while maintaining the site through a hosting company costs only a few tens of dollars each month. Installing a designated server with the addition of an IPS/FW server to protect the web server is an expensive option, and many organizations prefer to rely on the security system offered by the hosting company.
In addition, one of the marketing claims made by hosting companies is that using hosting services (either on a common server or a designated server) provides secure access, since a break-in on the host server does not allow penetration into the organization's network. This claim is correct, but the decision on the part of the organization is wrong. Why? Because in actuality, the organization must pay twice – once for the organizational security package that it purchased at a considerable sum, and once for the hosting service - which does not ensure full protection.
If this is so, how can the organization ensure that it receives the best possible hosting service? The best way is to check by ordering a risk survey to be performed by a security company, which will deliberately attack the hosting server. The report will provide an exact picture of the situation regarding the level of security on the main server.
Many organizations that conduct business abroad also need an international site that can be accessed from any country they define. For this purpose they need to examine whether or not the main server provides peering service – several Internet lines that are divided among the target audience that allow the site to be "duplicated" to destinations abroad.
If the organization still prefers to maintain its own website, it must ensure that its bandwidth is broad enough. Maintaining an Israeli site requires a bandwidth of at least two megabytes, while an additional site abroad requires an even broader bandwidth.
Recently there has been an increase in attempts by hostile parties to harm Israel via the Internet. The latest attacks on Israeli Internet websites by Palestinian hackers - known as defacement - bring us back to a painful issue that, unfortunately, has not received sufficient awareness: How secure is the hosting service on which the website is stored?
What is defacement? Defacement is an attack that allows a hacker to change the appearance of a website and to implant pictures or slogans with the intention of transmitting a message. Sometimes this message takes the form of revenge on the defaced website, and other times the message is simple and flamboyant, such as "X is the biggest group of hackers in the world." This type of attack implants significant changes in the web pages that are liable to cause tremendous damage to the company's image and finances. Defacement attacks can be divided into two main types: attacks that change the homepage of the website, and those that implant a message in the dynamic content of the website (the latter are possible mainly in websites that use portal programs such as PHPNuke).
I have often sat on forums of companies who ordered expensive, comprehensive risk surveys. When the question "What about the company website?" was raised, the answer was: "The survey didn't deal with it." Or "It's not on our server". The damage that is liable to be caused by defacement of the main page on the company website can cause financial damage to almost any company - not just security companies. For example, a cosmetics company could suffer tremendous financial damage if hackers change the main page of its Internet website to show pictures of experimental animals. We are not only talking about damage that stems from the first wave of surfers who enter the website. Additional damage can also result from newspaper publications and/or email chain letters containing screenshots.
There are three actions that can be taken against this kind of attack, which will decrease the motivation on the part of hackers to attack the website, and improve the reaction time after an attack:
1. Including the Internet website in a risk survey that will include an experimental attack on the hosting server (with their consent) using a suitable tool. The hosting server should be informed of any problems that arise.
2. Assessing penetrability on the application level (if relevant) can locate possibilities of penetrating content by SQL injection.
3. Website contents should not be relied upon as the original contents, but only as a copy. For example, Express Server systems are capable of formatting a system disk during each operation, re-installing the product, and importing the definitions from a special directory to prevent a situation in which one of the services offered by the system (such as SSL-VPN) is broken into or changed by hackers. This situation can be imitated easily on Internet websites by uploading the site (or at least the dynamic portion, including the ASP/PHP pages) each day.
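The following Python script is an added example, not part of the original article, showing one way to carry out point 3: it hashes a trusted master copy (assumed to be kept on a machine the organization controls, not on the hosting server), reports which files on the live web root were modified, removed or added, and then restores the live tree from the master. The function names and the sample site built in demo() are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare(master: Path, live: Path) -> dict[str, list[str]]:
    """Classify differences between the trusted master copy and the live web root."""
    want, have = manifest(master), manifest(live)
    return {
        "modified": sorted(f for f in want if f in have and want[f] != have[f]),
        "missing": sorted(f for f in want if f not in have),
        "unexpected": sorted(f for f in have if f not in want),
    }

def redeploy(master: Path, live: Path) -> dict[str, list[str]]:
    """Report drift, then make the live tree identical to the master copy."""
    report = compare(master, live)
    for rel in report["unexpected"]:          # files the master never contained
        (live / rel).unlink()
    for rel in report["modified"] + report["missing"]:
        target = live / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(master / rel, target)    # overwrite with the trusted version
    return report

def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Constructed sample: a small site whose homepage is altered and a file added."""
    with tempfile.TemporaryDirectory() as tmp:
        master, live = Path(tmp, "master"), Path(tmp, "live")
        (master / "news").mkdir(parents=True)
        (master / "index.php").write_text("<h1>Welcome</h1>")
        (master / "news" / "list.php").write_text("<?php /* news */ ?>")
        shutil.copytree(master, live)         # initial upload of the site
        (live / "index.php").write_text("<h1>altered homepage</h1>")  # simulated change
        (live / "news" / "extra.php").write_text("<?php /* not in master */ ?>")
        first = redeploy(master, live)
        return first, compare(master, live)   # second pass should find no drift

if __name__ == "__main__":
    before, after = demo()
    print("drift found:", before, "| after redeploy:", after)
```

Run on a schedule, the report from redeploy() doubles as a defacement alert, which shortens reaction time as well as restoring the pages. Content held in a database is not covered by a file comparison and needs its own trusted copy.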