Don't let Web security slip through the cracks

Worried about Web security? You should be. John McCormick has a few tips for Web administrators.

You've gone along for years battling the same old security problems and gotten pretty good at it. Every new employee gets a quiet session describing the penalty for bringing any floppy disk into the company and explaining that the Draconian rules are important to prevent introducing a virus from home.

You have secure e-mail and a strong firewall well configured and updated to keep people from sneaking in through that big T-1 pipe.

Eventually, though, you realized top executives would never get it, and you gave up trying to explain security to them. Instead, you sanitized their systems by quietly removing any critical files from their computers and making a game of changing passwords by telling them the new software they approved has an unexpected bug that deletes passwords after 30 days.

Sure, you can fix the bug, you tell them, but you'll have to shut down the system for two weeks or so, until there is a real lull in business. In the interim, the only option is to change everyone's password monthly.

As for explaining to the CFO why that change is on a creeping date, never just on the first business day of the month (so crackers can plan ahead), I'll leave that as an exercise for you, the reader. Maybe you can tell them it has something to do with astrology or stock market option expirations—it doesn't need to make sense, just so you get those passwords changed regularly.

Web challenge
Then, just as you're getting really comfortable, management wakes up to the fact that if it doesn’t move the business onto the Internet, the company will soon be out of business. Now you're faced with an entirely new set of challenges: How do you protect a Web page? Even tougher, how do you protect a catalog Web page that takes orders?

Bulletproofing a company's Web-presence page isn't that difficult. It doesn't need updating too often and doesn't contain any secure data; it's a display window, a billboard, not a cash register on a store counter.

Of course, you don't want crackers to sneak offensive links into your page or commit similar vandalism, but that's a relatively simple job. The real challenge comes when you start taking orders—especially credit card numbers—online.

But the absolute worst part will come when you try to explain to management why you need to double the size of your MIS staff. When they decided in that executive meeting that they wanted to become a B2B or B2C player, they figured they would need new software, and they probably expected you would have to buy some new hardware. Perhaps they also realized they would either need to pay for a chunk of cyberspace on an ISP or for a new, probably wider, data pipe if they wanted an in-house server.

But I guarantee that if someone brought up the cost of personnel, someone else said something like, "No problem. We already have people managing our e-mail and Internet connection; how hard can it be to put a catalog online? After all, we already do some purchasing online. All we need to do is pay some temps to key in the data. Then our present staff can just take over management of the Web site."

However, you know that securing e-mail and building a strong firewall for a company that only goes out onto the Internet to conduct research and exchange files is far easier than protecting confidential customer data when you are actually taking orders on a Web server. So what to do?

Start by explaining that the support of additional systems requires additional resources. Document the hours each IT staff member devotes to tasks and consider building a spreadsheet that breaks down IT staff members’ workdays by function.

Armed with such quantifiable data, you’re more likely to convince others that your resources are stressed. I don’t need to tell you that upper management always loves to hear solutions, so be prepared to recommend another head to manage the Web security effort. You also might want to use another spreadsheet to list all the tasks that individual would oversee, with appropriate time estimates in man-hours.

Giving credit where it's due
If you're in retail (B2C), you’ve got an additional challenge. From a customer trust standpoint, the protection of credit card information is a monster issue. It doesn't matter that the credit card companies protect the consumer already.

During the last holiday shopping season, many people learned just how vulnerable data is when kept on a Web server. My question to that now-infamous CD Web site is, "Just why were 250,000 credit card numbers left on a server connected to the Internet?"

The solution is simple. Get credit card numbers off Web servers and into a separate secure system. Do so on a daily or even hourly basis.
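
A sketch of such a sweep job, added here as an illustration and not taken from the original article: it moves card numbers into a separate store, leaves only the last four digits on the Web side, and then checks that no Luhn-valid card number is left behind in any field. The table and column names are hypothetical, in-memory SQLite stands in for both systems, the sample rows are constructed from public test card numbers, and protecting the separate store itself is outside the example.

```python
import re
import sqlite3

PAN_RE = re.compile(r"\b\d{13,19}\b")  # candidate card-number digit runs

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def sweep(web: sqlite3.Connection, vault: sqlite3.Connection) -> int:
    """Move stored card numbers from the web DB to the separate store; return count."""
    rows = web.execute("SELECT order_id, card_number FROM orders "
                       "WHERE card_number IS NOT NULL").fetchall()
    for order_id, pan in rows:
        # Store first, scrub second: a crash between the two never loses a number.
        vault.execute("INSERT OR REPLACE INTO cards VALUES (?, ?)", (order_id, pan))
        vault.commit()
        web.execute("UPDATE orders SET card_number = NULL, card_last4 = ? "
                    "WHERE order_id = ?", (pan[-4:], order_id))
        web.commit()
    return len(rows)

def residual_pans(web: sqlite3.Connection) -> list:
    """Post-sweep check: order_ids whose row still holds a Luhn-valid number."""
    hits = []
    for row in web.execute("SELECT order_id, card_number, card_last4, notes FROM orders"):
        text = " ".join(str(v) for v in row[1:] if v is not None)
        if any(luhn_ok(m) for m in PAN_RE.findall(text)):
            hits.append(row[0])
    return hits

def demo():
    # Hypothetical schema in in-memory SQLite; constructed rows, public test card numbers.
    web, vault = sqlite3.connect(":memory:"), sqlite3.connect(":memory:")
    web.execute("CREATE TABLE orders (order_id INTEGER PRIMARY KEY, card_number TEXT, card_last4 TEXT, notes TEXT)")
    vault.execute("CREATE TABLE cards (order_id INTEGER PRIMARY KEY, pan TEXT)")
    web.executemany("INSERT INTO orders VALUES (?, ?, NULL, ?)", [
        (1, "4111111111111111", "gift wrap"),
        (2, "5555555555554444", "card re-sent via form: 4111111111111111"),
    ])
    return sweep(web, vault), residual_pans(web), vault.execute("SELECT COUNT(*) FROM cards").fetchone()[0]

if __name__ == "__main__":
    print(demo())  # (moved, order_ids with leftover numbers, rows in separate store)
```

Order 2 shows why the check matters: the sweep clears the card_number column, but a number pasted into a free-text field stays on the Web server until something looks for it.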

This is more than a question of embarrassment. It could eventually save you a ton of money.

Right now, banks are changing credit card numbers when large blocks of them are hacked. And they’re keeping relatively quiet about it. But does anyone think that banks, which have fees for everything else, will always be this accommodating? Even if there were no fraudulent charges involved, merely changing 250,000 customer numbers costs money.

I can easily foresee the day when a company's poor security results in hundreds of thousands of credit card numbers being stolen and the company getting a gigantic bill from Visa, MasterCard, or American Express for the costs of issuing new card numbers to all those customers.

John McCormick is a security consultant and technical writer (five books and 14,000-plus articles and columns) who has been working with computers for more than 35 years.
