The bad guys figured it out. Web sites are an easy mark. Once compromised, a Web site can be an entry point to back-end servers. At the same time, it can serve as a platform for pushing malware to visitors.

Just plug “compromised Web sites” into any search engine and you will see how successful this venture is. Top slot on Google was an SC Magazine article talking about a Websense study:

“Of the top 100 most popular sites on the web, 70 percent are either hosting malicious content or contain a hidden redirect.”

If that isn’t bad enough:

“The number of legitimate websites compromised with malicious content exceeds the amount of sites specifically created by cybercriminals to carry out their exploits.”

Why?

What I did not understand was why. Then I came across the report, “Vulnerabilities Highlight the need for More Effective Web Security Management” (PDF). The title says it all. It’s what Department of Homeland Security (DHS) Inspector General Richard Skinner and his team found after assessing the nine most-popular Web sites run by the DHS:

Those are definitely important Web sites and need to be as secure as possible. I was especially interested in the National Protection and Programs Directorate’s (NPPD) Web site. You may recognize NPPD as US-CERT, or the United States Computer Emergency Readiness Team.

Fortunately, US-CERT’s Web site, along with those controlled by USCG and FEMA, contained no critical vulnerabilities, and all security patches were applied. Mr. Skinner mentioned that:

“These components’ (Web sites) security practices, through periodic assessments, patch and update policies, and documented procedures, set the example of an effective defense-in-depth approach to good IT systems security.”
What was tested

Part of the assessment was to check the Web servers. The inspectors found the equipment and operating system software to be more than adequate security-wise. That’s not what I expected. Then Mr. Skinner made the following comment:

“Component IT security personnel regularly performed these tests on operating systems, but only a few had the tools or experience testing web applications for security vulnerabilities. As website content is updated or changed, existing vulnerabilities may remain or new vulnerabilities can be introduced, putting the system and data at risk.”

The actual vulnerabilities are in the report, but were redacted along with other sensitive information. Even so, things were starting to make sense. Could this be the case with other Web sites?

Recommendations

The Inspector General made the following recommendations:

  • Require periodic security vulnerability assessments of all public-facing Web sites.
  • Require prompt application of security patches to servers supporting public-facing Web sites.
  • Clarify the department’s vulnerability-assessment policy, making sure to address threats specifically associated with its Web site.
  • Create an inventory of all major applications and support systems used by public-facing Web sites.

I asked a friend of mine, who is a Web-site designer, about the recommendations. She felt they were good, mentioning that more of her clients need to implement them.

Final thoughts

The report answered my question. We need to focus as much attention on the Web-site application as on the Web server hosting it. Reports like the DHS Inspector General’s should get us moving in the right direction. After all, there is a lot of money riding on consumers being able to trust Web sites.