A Web security policy can save you money and embarrassment

The moment you install a Web server at your office, you’ve opened a window into your local network that the entire Internet can peer through. 

In the last month, I have come across about 11 local sites that have been hacked and defaced.

Out of these, 50 per cent were government or government agency websites.

The other 50 per cent were corporate sites, including some belonging to reputable IT companies in the country. This is a trend that is now common, and we should expect more hackers as we open up to the large digital arteries that the fibre optic cables will provide.

According to a recent report by the Web Application Security Consortium, 24 per cent of website hackers aim at defacing a site rather than financial gain.

The report found the majority of defacements were of a political nature, targeting political parties, candidates and government departments, often with a very specific message related to a campaign.

The second most popular motivation was stealing sensitive information, which scored 19 per cent.

That was followed by planting malicious code, scoring 16 per cent, and causing monetary loss, at 13 per cent.

The remaining attacks caused downtime or denial of service for a website, planted viruses, linked to spam, or were acts of information warfare.

Whatever the motivation, website hacks are costly to organisations and are not that complicated to carry out.

Organisations need to use professional web developers who understand the security implications of the sites they build.

How they do it
Hackers normally use the soft underbellies of buggy web applications to launch their attacks. This can happen at two levels: at the web application server level or at the web browser level.

For instance, the moment you install a web server at your office, you’ve opened a window into your local network that the entire world can peer through.
Most visitors are content to window shop, but a few will try to peek at things you don’t intend for public consumption.

Others, not content with looking without touching, will attempt to force the window open and crawl in. The results can range from the merely embarrassing, for instance, the discovery one morning that your site’s home page has been replaced by an obscene picture, to the damaging, such as the theft of your entire database of customer information.

So, there are real risks in moving your business online. These include buggy software or misconfiguration of the web server that allows unauthorised users to steal confidential documents not intended for their eyes, or to execute commands on the server and so modify the system.

Some of the applications are developed by amateur programmers who have no consideration for security risks in their application design.
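The two outcomes described above, document theft and command execution, both come from the same root cause: user input reaching the filesystem or a shell unchecked. The following is an added example, not code from the column or from any of the sites it mentions; it shows a file-download handler with a path-traversal bug beside its hardened form, and a "ping" handler with a shell-injection bug beside its hardened form. The sample site it builds in a temporary directory, the file names, and the use of `echo` in place of a real network tool (so the example runs anywhere) are all assumptions of the example.

```python
"""Added example: two classic web-application holes, each beside its fix."""
import os
import re
import subprocess
import tempfile
from pathlib import Path

# Assumed validation rule for host names: letters, digits, dots and hyphens only.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_sample_site() -> Path:
    """Constructed sample site: one public page, plus a confidential file one
    directory above the folder the web server is supposed to expose."""
    root = Path(tempfile.mkdtemp(prefix="site-"))
    public = root / "public"
    public.mkdir()
    (public / "index.html").write_text("<h1>Welcome</h1>\n")
    (root / "customers.db").write_text("CONFIDENTIAL: customer records\n")
    return public


def vulnerable_download(docroot: Path, requested: str) -> str:
    """Bug: the requested name is joined to the document root unchecked, so a
    request for '../customers.db' walks out of the public directory."""
    return (docroot / requested).read_text()


def safe_download(docroot: Path, requested: str) -> str:
    """Hardened: canonicalise the path and refuse anything whose resolved
    location is not the document root itself or a file beneath it."""
    base = docroot.resolve()
    target = (base / requested).resolve()
    if target != base and base not in target.parents:
        raise PermissionError(f"refused: {requested!r} escapes the document root")
    return target.read_text()


def vulnerable_ping(host: str) -> str:
    """Bug: user input is pasted straight into a shell command line, so
    'x; echo PWNED' runs a second command. 'echo' stands in for the real
    network tool (an assumption of the example); the injection works the same."""
    return os.popen("echo " + host).read()


def safe_ping(host: str) -> str:
    """Hardened: validate the input against an allow-list, then pass it as a
    single argv element so no shell ever parses it."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"refused: {host!r} is not a valid host name")
    result = subprocess.run(["echo", host], capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    docroot = build_sample_site()
    print(vulnerable_download(docroot, "../customers.db"), end="")  # confidential file leaks
    try:
        safe_download(docroot, "../customers.db")
    except PermissionError as exc:
        print(exc)
    print(vulnerable_ping("x; echo PWNED"), end="")  # second command runs
    try:
        safe_ping("x; echo PWNED")
    except ValueError as exc:
        print(exc)
```

Note that the hardened download checks the resolved path, not the string: rejecting the literal `..` is not enough once symlinks, absolute paths or URL-encoded separators are in play. Likewise the hardened ping does two independent things, validating the input and avoiding the shell entirely; either one alone would stop this particular payload, but together they also cover inputs the allow-list author did not think of.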

These risks can, however, be mitigated.

First, there is a need to tighten the Web applications and get rid of holes in the software design. Seek professional assistance on this.

Also, the single most important step that an organisation can take to increase its site’s security is to create a written security policy.

Granting access
The security policy should lay out the organisation’s policies with regard to who uses the system, when they are allowed to use it, what they are allowed to do, procedures for granting access to the system, system monitoring procedures and protocols for responding to suspected security breaches.

This policy need not be anything fancy. What is important is that it is an explicit summary of how the information system works, reflecting your organisation’s technological realities.

There are several benefits to having a written security policy. First, the organisation will understand what is and is not permitted on the system.
If you don’t have a clear picture of what is permitted, you can never be sure when a violation has occurred.

It also helps people within the organisation understand what is expected of them.

The written policy raises the level of security consciousness, and provides a focal point for discussion.

The policy may also help build a good legal case should the organisation ever need to prosecute for a security violation.

Hare is a director at African eDevelopment Resource Centre.