Black Box Explains...What is security?
What you don’t know can—and will—hurt you. Know your security risks and keep your site safe from harm.
Security risks affect every computer, whether the machine is connected to a network or not. There are basically four types of risk, and some often overlap the other.
• Bugs or misconfiguration problems in the Web server that enable unauthorized remote users (hackers or crackers) to access the system to steal data and/or cause greater harm.
• Active content (say a virus) on the browser side that crashes the browser, damages the user’s system, or breaches the user’s privacy.
• Interception of network data sent from browser to server or vice versa via network eavesdropping. Eavesdropping can occur at any point along the pathway between the browser and server. These points include the network on the browser’s side of the connection, the network on the server’s side of the connection (including intranets), the end-user’s ISP, the server’s ISP, and either ISP’s regional access provider—quite a lot of points. So-called “secure“ browsers and servers are only designed to protect confidential information against network eavesdropping. If system security isn’t available on both the browser and server sides, confidential documents could be compromised.
• Viruses installed via software onto network or standalone computers.
So which operating systems are more susceptible to attack? In general, the ones which are touted as more powerful and flexible. UNIX® systems are a prime example. They come with a large number of built-in servers, services, and scripting languages which provide hackers multiple portals of entry to exploit. By contrast, less capable operating systems (apologies in advance) like Windows® and Macintosh® are tougher to exploit. In short, what you trade away in security you make up for in capability and vice versa.
The same logic extends to Web servers. The more features that are offered, the more likely hackers can find inroads. One classic case involved a UNIX® server that featured a security hole. The hole that enabled outsiders to execute arbitrary commands on the server host—and that was a proverbial barrel of monkeys for Web administrators.
Common Gateway Interface (CGI) scripts are also a major source of security risks. Although the CGI protocol isn’t inherently insecure, the scripts must be written with the same kind of care accorded to the server itself. However, some scripts aren’t created with finesse, and trusting Web administrators often install them without knowing any better.
Server-side includes, which are snippets of server directives embedded in HTML documents, are another potential source of problems. A subset of their directives instruct the server to execute arbitrary system commands and CGI scripts, and unintentional side effects can be introduced.
So what can you do to keep on top of the latest security holes? Call Black Box Tech Support at 724-746-5500.
You can also implement some common sense procedures that go a long way to keeping data-communication assets safe from harm.
• Encourage employees to choose passwords that aren’t obvious.
• Require employees to change passwords every 90 days.
• Keep your virus-protection subscriptions current.
• Educate employees about the risks of e-mail attachments.
• Implement a comprehensive network security plan.
• Assess your security plan and levels of security.
• Remove network access immediately for all former employees.
• Provide a secure, centrally managed server for telecommuters.
• Update your Web server software.
• Don’t run any unnecessary network services.