When people surf the net, are they finding hidden treasures on your beach? We talked to some IT security experts about the kinds of information companies should and should not post on their Web sites because they can open a Pandora’s Box of opportunities for hijackers, crackers, and industrial espionage agents. Here are their recommendations.
Think like a thief
Sandy Sherizen, President of Natick, MA-based Data Security Systems, advised that anyone responsible for corporate Web content should “learn to think like a thief, like someone who might want to steal information or get involved with competitive business intelligence gathering.” Seemingly innocuous bits of information posted on your site, when pieced together, might reveal more than you think about your internal organization, your relationship with strategic partners, and your corporate clients.
Sherizen said that corporate Web sites shouldn’t just be the responsibility of Webmasters and public relations departments. IT security personnel should review the content from a security perspective before it gets posted. After all, it’s their job to keep abreast of technological vulnerabilities and ways to prevent breaches. In other words, they’re already trained to think like a thief.
Be aware of downstream liability
With all the new accountability laws being enforced today (e.g., Sarbanes-Oxley Act, Gramm-Leach Bliley Act, etc.), Sherizen warned that lax security on your Web site might leave you open to downstream liability. This is especially true where you’ve closely aligned your information systems with those of your supply chain and business partners, or you use your Web site to collect customer information.
He cited case law where an individual went fishing on Corporation A’s Web site and, because of insufficient firewalls, found a way to use that Web site to break into Corporation B’s information system and wreak havoc. Corporate B was able to successfully sue Corporation A for damages, even though a third-party hacker (a teenager with minimal assets) actually executed the intrusion.
Employ least-privilege rule
Nick Brigman, VP of Product Strategy for Pittsburgh, PA-based RedSiren, suggested applying the "rule of least-privilege" to what you put on your Web site. “Only put out there what’s absolutely needed for a given function,” cautioned the IT security management executive. He said it starts by first determining the goals and uses for your corporate site. “If your goal is to attract prospects and transition them to a sales team, then you don’t need to put a lot of detailed information about the company up there on the Web site,” he explained. Too much information can give away the company store.
RedSiren provides clients a service it calls public information reconnaissance, going out on the Net and searching for any information it can find posted about its client. “Very often we find that if you dig long enough, you can find everything out there,” claimed Brigman. He’s even found client pages that were created internally and accidentally loaded. Even though they weren’t necessarily linked on the Web page, the programming code used by indexing firms today—like Google and other search engines—are so smart that they’re finding this information and putting it out there for everyone to see.
Brigman insisted that certain things should never be posted on the Web, even if you think that you’ve created sufficient security to limit access to only a privileged few. The “corporate family jewels” include such information as strategic plans, future marketing strategies, and anything involving negotiations with companies that are in partnership with you.
Ray Donahue, Director of Homeland Security for Fairfax, VA-based Anteon Corporation, maintained that while you’re reviewing your own Web site, turn a critical eye to those of your major suppliers as well. Find out what they’re saying about you. It might be great advertising for your business partners to announce a new strategic alliance, but that information might also be announcing to the world what kind of software systems you’re using or the kind of network you’re running—an open invitation to hackers who would delight in knowing where you’re vulnerable.
Barry Stein, an intellectual property attorney and Partner with Caesar, Rivise, Bernstein, Cohen & Pokotilow, Ltd. in Philadelphia, looked at a legal ramification—and potential lost revenue—of not reviewing your Web site content. In taking extreme care in avoiding disclosure of trade secrets and company know-how, you also have to keep patent rights in mind. Because of the Internet’s global nature, “Disclosure of details of what would otherwise be a patentable invention could result in the loss of potential foreign patent rights if no patent application had been filed before such disclosure,” he stated.
Avoid direct names on e-mail addresses
One of the most ubiquitous and dangerous pieces of information companies put on their Web sites are the for-more-information-contact-so-and-so e-mail addresses. “Direct use of e-mail names on Web sites is one of the gotchas you have to look out for,” warned Nick Brigman. Spammers commonly harvest these names from the Web site and flood the addresses. These names can also be picked up by malicious hackers and used to falsify e-mail, sending worms and viruses to unsuspecting recipients because the message is supposedly coming from your corporate executive.
Brigman advised that one way of getting around that potential hazard is to use a Web form to initiate contacts from the Web site instead of direct contact to the internal e-mail system.
Ray Donahue also recommended testing any other points of contact you post on your Web site. If you post a phone number for prospects to call for more information, make sure that the person answering that line has been briefed carefully on what information may be shared. The person making the query may be someone out to sabotage your organization, steal your clients, or engage in any number of other shady activities. Being vigilant is simply being prudent.
Avoid anything that indicates your infrastructure
“Some companies make the mistake of posting a URL that tips off what type of application server or hosted provider they are using,” said Ray Velez, Technology Lead for an NYC-based IT consulting firm, SBI.Razorfish. For example, older versions of the Sun One application server included a standard directory called NASAPP in the URL. Velez recommended deleting that directory.
Nick Brigman pointed out another common mistake Web designers make: pulling a logo or file from the company network and putting it out on the Web page. “Very often this data discloses how to get to that information—the file name, the system name, even the file structure. With that information, you’ve really armed somebody with the tools to look for information,” he stated. “Through a spidering effect, they’ll be able to learn enough to spread to the next layer and get more information.”
Delete comments from your source html/asp/jsp/php files
Ray Velez explained that developer comments could tip off what type of technology you're running and how to break it. These comments could potentially appear in the end user’s browser. “Remember,” warned Velez, “Hackers read the messages boards and postings. So they know what the latest security patches are intended to fix. This is problematic, given that many businesses or individuals are not up-to-date on the latest patch level. So these [developer] comments serve as a handbook on how to hack into a site.”
Avoid revealing the error messages that appear as a result of a technical error
Velez shared that these error messages reveal weaknesses in your code and expose information about the underlying technologies. Replace 404 and other 40x errors with pages that contain more user-friendly error messages that don’t reveal information about the underlying technologies.
Use digital rights management to protect intellectual property
Velez advised that you password-protect information that you don’t want visitors to freely reuse. Inadequate security controls are a common Web site pitfall.
Use uneditable formats to post documents and drawings
Glenn Widener, Product Manager for Portland, OR-based SwiftView, Inc., shared that how you post information on your Web site can make you vulnerable, too. Documents or drawings stored in their original formats—Word, Visio, AutoCAD, etc.—aren’t tamper-proof. And PDF files can be edited by anyone with Adobe Acrobat writing software. Security to prevent tampering can be complicated and time-consuming. He suggested that universal formats like PCL, HPGL, TIFF, and JPG simply aren’t editable. Print formats (PCL and HPGL) have certain advantages over bitmap formats: small file size, viewable when zipped, and text can be searched, indexed, and selected.
“With PCL,” explained Widener, “a company can allow a business partner to pull text out of a business plan without being able to edit that information. The company simply prints the range of pages it wants to share to a file and sends that file. The business partner can use any number of viewers (such as SwiftView’s) to view, select, and print the text.”
Widener stated that PCL is widely used by the financial community, such as mortgage banks who transmit closing documents in PCL format because of its inherent security.
Build a security-minded workforce
“It’s a concept we heard from a customer and that we use for our own marketing material,” said Nick Brigman. “In this post-911 world, you have to build this security awareness.” Don’t throw information up on the Web site without giving it serious scrutiny as to how it can be used. And just because the information isn’t sitting directly on the Web site, doesn’t mean that it isn’t accessible. “The Web site could be a way to get to that information. So it’s very important that you review it,” he insisted. If your in-house IT team doesn’t have the security expertise to protect you, engage a third party that does.