Basic security principles

The article "Ensuring a website safety" is provided by Sophos Plc and SophosLabs.

December 2007.

At the first stage of designing, creating or using a secure site, you have to ensure maximum security of the hosting server.

A web server is made up of several layers of software, each of which is subject to different kinds of attacks, as shown in the diagram below. Remember: any block can become a target for an attack.

The basis of every server is the operating system. Securing it is rather easy: you just have to install updates promptly, which doesn't take a lot of effort. Microsoft [1] and many members of the Linux family allow organizations to install bug fixes automatically and launch them with one click.

Note that hackers are bound to automate their attacks. For this, they use malware that scans servers and looks for ones where an update isn't installed. It is important to install updates promptly and correctly. Any server without recent updates can be a target for an attack.

You should also promptly update all software running on the web server. Turn off or remove any software that is not necessary (for example, the DNS server or remote administration tools like VNC or remote desktop services). If remote administration tools are still needed, ensure that they don't use default passwords or passwords that are easy to guess [2]. This applies not only to the remote administration tools, but also to user accounts, switches and routers.
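The check for unneeded services described above can be automated. The shell sketch below is an added example, not part of the Sophos article: it reads `ss -tln` output (Linux iproute2) and flags listeners on the standard ports for DNS, VNC and remote desktop, separating loopback-only sockets from ones reachable over the network. The function names and the sample lines are constructed for the illustration.

```shell
#!/bin/sh
# Added example: flag listening TCP sockets for the services the article
# says to turn off unless needed (DNS, VNC, remote desktop).
# Input format: lines as printed by `ss -tln`:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

# Map a port to a service name; print nothing if the port is not on the list.
risky_service() {
    case "$1" in
        53)       echo "DNS" ;;
        3389)     echo "Remote Desktop" ;;
        590[0-9]) echo "VNC" ;;          # VNC display :N listens on 5900+N
    esac
}

# Read ss-style lines on stdin and report every risky listener found.
audit_listeners() {
    while read -r state _recvq _sendq laddr _rest; do
        [ "$state" = "LISTEN" ] || continue      # also skips the header row
        port=${laddr##*:}                        # text after the last colon
        host=${laddr%:*}                         # text before the last colon
        svc=$(risky_service "$port")
        [ -n "$svc" ] || continue
        case "$host" in
            127.*|"[::1]") scope="loopback-only" ;;  # not reachable remotely
            *)             scope="EXPOSED" ;;
        esac
        printf '%s port=%s addr=%s %s\n' "$svc" "$port" "$host" "$scope"
    done
}

# Constructed sample input, so the example runs without a live server.
SAMPLE_SS_OUTPUT='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 5 0.0.0.0:5901 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 128 *:3389 *:*'

printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_listeners
```

On a real host, replace the sample with `ss -tln | audit_listeners`; every line marked EXPOSED is a service to remove, or to protect with a strong password if it is genuinely needed.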

The next important point is antivirus software. Its use is a mandatory requirement for any web server, regardless of the platform it uses. Combined with a flexible firewall, antivirus software becomes one of the most effective ways to protect against security threats. When a web server becomes the target of an attack, the hacker tries to upload hacking tools and malware as soon as possible, to use the vulnerability in the security system before it is fixed. If there is no quality antivirus package, the vulnerability in the security system can stay unnoticed for a long time.

A multilayer approach is best in terms of protection: the network firewall and operating system at the front, with antivirus behind them ready to close any security gaps.

To sum up:

  • Don't install unnecessary components. Each component is a threat. The more of them, the higher the overall risk.

  • Install security updates for the operating system and applications promptly.

  • Use antivirus, turn on automatic updates and check regularly that they are installed correctly.

Some of these tasks may seem difficult, but remember that a single gap in security is enough for an attack. Potential risks are data and traffic theft, the server IP address being added to blacklists, damage to the organization's reputation and instability of the site.

The next important software component is the HTTP server itself. The most popular alternatives are IIS and Apache.