February 28, 2000
continued...page 3 of 3
Entertain the idea of using E-mail aliases for contacts in your company. For instance, suppose the IT manager's user name on the system is "joe54," and your Web site contains an E-mail link so visitors can contact the IT manager with certain questions. Although you could simply create a link that points to "joe54@yourco.com," that information could reveal the existence of a joe54 account on the system--perhaps enough leverage to get a hacker started. Better yet, require the system administrator to create internal aliases, such as "ITman," that can be used on the public Web page but will internally direct messages to the correct user in your system.
On a more technical note, there are Web-page coding issues to keep in mind. How a page is coded can sometimes provide clues to a malcontent, and a page that appears to function perfectly well could be coded in a different way that reveals less.
Although dynamic pages produced using the "get" method can be locally cached, and are therefore faster for the viewer to revisit, this method typically exposes the parameter names and values passed to your CGI scripts as part of the visible URL. Such information may be all a hacker needs to start prodding at your CGI scripts.
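One way to see exactly what your "get"-based pages give away is to audit your own Web server's access log, since everything in the URL is recorded there (and is also carried in browser history and in Referer headers sent to other sites). The following is an added example, not code from the article: it parses a few constructed Common Log Format lines and reports, per CGI script, the parameter names that were exposed through GET requests; it assumes scripts live under /cgi-bin/, which is a configurable assumption.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [28/Feb/2000:10:01:22 -0500] "GET /cgi-bin/lookup.pl?user=joe54&dept=it HTTP/1.0" 200 512
10.0.0.7 - - [28/Feb/2000:10:02:03 -0500] "POST /cgi-bin/feedback.pl HTTP/1.0" 200 90
10.0.0.9 - - [28/Feb/2000:10:03:41 -0500] "GET /cgi-bin/lookup.pl?user=sue22&debug=1 HTTP/1.0" 200 231
10.0.0.9 - - [28/Feb/2000:10:03:50 -0500] "GET /index.html HTTP/1.0" 200 1024
"""

# client ident authuser [date] "METHOD target protocol" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) \S+$')


def parse_line(line):
    """Return (client, method, path, [(name, value), ...], status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    return client, method, parts.path, params, int(status)


def exposed_cgi_params(log_text, cgi_prefix="/cgi-bin/"):
    """Map each CGI script reached via GET to the sorted parameter names that
    appeared in its URL; POST bodies never reach the log, so they are skipped."""
    exposed = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # blank or unparseable line
        _, method, path, params, _ = rec
        if method == "GET" and path.startswith(cgi_prefix) and params:
            exposed[path].update(name for name, _ in params)
    return {path: sorted(names) for path, names in exposed.items()}


if __name__ == "__main__":
    for script, names in exposed_cgi_params(SAMPLE_LOG).items():
        print(f"{script}: parameters visible in URL -> {', '.join(names)}")
```

Any script that shows up in this report is a candidate for switching its form to the "post" method, which keeps the parameters out of the URL.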
The Internet makes digital trespassing incredibly convenient. Figure that a car thief in a crowded parking lot at a large mall, working alone, wandering around in search of weak targets, can cover only so much ground per hour--and, at best, get away with only one or two cars. But in that same hour, a single Pentium computer in a garage can sniff out thousands of servers, creating an inventory of weak targets for its owner to pursue at leisure.
The lesson here is that all servers on the Internet are poked and prodded for holes. One of the first steps to take in improving the security of your machines is to poke and prod them yourself and tighten up your bottom tier, the operating system. A number of software packages on the market can help you.
For Unix systems, some popular general-purpose security scanning tools are Satan and its newer sibling, Saint, as well as the ever-popular Nessus. These "scanners"--as they are known--are especially well-suited to finding known configuration holes in your operating system. In Unix environments, many of these suites are expanding to probe for holes in the application-tier layer as well.
The Windows market is awash in commercial security enhancements, with niche focuses from authentication and access logging to hostile code and intrusion detection. Some of these products address weaknesses in Windows operating systems, while most target vulnerabilities at the application development level. With so many products on the market, it's impossible to endorse any particular one, since installed systems vary so widely from one organization to another. However, consider spending a great deal of time shopping around at SecurityFocus.com's Web site, especially the well-organized vendor products area.
Ultimately, security can never be guaranteed. This is no excuse not to use the weapons you have--attention and know-how.
Illustration by Ken Orvidas