bits & bytes - Ping! Zine Web Tech Magazine

[featured article]
Major security breaches can be disastrous to a web hosting
firm. Besides the obvious “black eye” that a security
issue creates, you also have to consider the resulting
downtime, potential exposure of customer data, customer service
time (explaining the situation and helping clients repair any
damage), and potential client loss that result for almost any major
security breach. The total cost of these incidents is difficult to
accurately calculate, and often takes weeks to fully realize.
It’s thus unsurprising that security is an area of high concern
for most hosting providers. Keeping a server secure, while
maintaining a high level of usability with the wealth of software
offered on a modern hosting server, is a delicate balance to
strike. Your server may be extremely secure, but if that security
negatively impacts features important to your customer, it won’t
matter, because your customers will leave. Similarly, offering a
“Wild West” server with no security considerations at all will
result in angry customers when the downtime due to re-installs
starts piling up. As your company grows, scale becomes a major
concern too; spending ten minutes per day on each server for
installing updates and fixing security issues may be acceptable
when you only have half a dozen servers, however you will
quickly find such a time commitment is not acceptable when
you’re talking about three hundred servers.
When making decisions about how best to secure your systems,
you should first consider the nature of the beast. Security is not
some sort of isolated goal that can be addressed in a vacuum;
It needs to be considered in conjunction with all the other
operational decisions you make on a daily basis. New flaws,
exploitation methods, and software updates literally occur minute
by minute. If you’re going to keep up, you need to make sure that
you can quickly address potential security problems as they are
discovered.
One of the most critical systems to put in place is the ability to
deploy updates and fixes across your fleet of servers. The most
efficient method I’ve found for this is utilizing existing package
management tools. Almost every major operating system offers
some solution for deploying updates on a regular schedule (i.e.
daily). Properly leveraging this ability is crucial. I also recommend
not only subscribing your machines to trusted updated sources
(such as those from your software vendors), but also creating your
own means for deploying, at will, updates that you deem critical.
This will enable you to deploy customized fixes and potentially
release critical security updates prior to your vendor making them
available for you.
Another critical system to implement is one that allows you
to quickly verify the integrity of the software installed on your
servers. Again, most package management utilities offer the
ability to verify installed packages, however you must bear in
mind that if you consider a machine to be suspect, the output of
any software on that machine should also be considered suspect
as well. If someone has gained root (or Administrator) access to
your machine, they could potentially alter any component of the
system, causing it to present whatever data they wished.
Monitoring baseline trends of system resource usage (such as
memory usage, processor usage, and disk space) can also provide
an invaluable first warning system to alert you to a potential
security breach. Often, the person breaking into your system wants
to utilize your system resources to further another goal (such as
trading warez, sending spam, and potentially even compromising
additional systems). If you notice a spike in resource usage, it
may alert you to a problem before you receive any complaints, or
before you notice anything has been changed.
These systems are a solid asset to server security, not only
because they yield tangible benefits in the form of improved
www.pingzine.com 23