bits & bytes - Ping! Zine Web Tech Magazine
bits & bytes - Ping! Zine Web Tech Magazine
bits & bytes - Ping! Zine Web Tech Magazine
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
[featured article]<br />
Major security breaches can be disastrous to a web hosting<br />
firm. Besides the obvious “black eye” that a security<br />
issue creates, you also have to consider the resulting<br />
downtime, potential exposure of customer data, customer service<br />
time (explaining the situation and helping clients repair any<br />
damage), and potential client loss that result for almost any major<br />
security breach. The total cost of these incidents is difficult to<br />
accurately calculate, and often takes weeks to fully realize.<br />
It’s thus unsurprising that security is an area of high concern<br />
for most hosting providers. Keeping a server secure, while<br />
maintaining a high level of usability with the wealth of software<br />
offered on a modern hosting server, is a delicate balance to<br />
strike. Your server may be extremely secure, but if that security<br />
negatively impacts features important to your customer, it won’t<br />
matter, because your customers will leave. Similarly, offering a<br />
“Wild West” server with no security considerations at all will<br />
result in angry customers when the downtime due to re-installs<br />
starts piling up. As your company grows, scale becomes a major<br />
concern too; spending ten minutes per day on each server for<br />
installing updates and fixing security issues may be acceptable<br />
when you only have half a dozen servers, however you will<br />
quickly find such a time commitment is not acceptable when<br />
you’re talking about three hundred servers.<br />
When making decisions about how best to secure your systems,<br />
you should first consider the nature of the beast. Security is not<br />
some sort of isolated goal that can be addressed in a vacuum;<br />
It needs to be considered in conjunction with all the other<br />
operational decisions you make on a daily basis. New flaws,<br />
exploitation methods, and software updates literally occur minute<br />
by minute. If you’re going to keep up, you need to make sure that<br />
you can quickly address potential security problems as they are<br />
discovered.<br />
One of the most critical systems to put in place is the ability to<br />
deploy updates and fixes across your fleet of servers. The most<br />
efficient method I’ve found for this is utilizing existing package<br />
management tools. Almost every major operating system offers<br />
some solution for deploying updates on a regular schedule (i.e.<br />
daily). Properly leveraging this ability is crucial. I also recommend<br />
not only subscribing your machines to trusted updated sources<br />
(such as those from your software vendors), but also creating your<br />
own means for deploying, at will, updates that you deem critical.<br />
This will enable you to deploy customized fixes and potentially<br />
release critical security updates prior to your vendor making them<br />
available for you.<br />
Another critical system to implement is one that allows you<br />
to quickly verify the integrity of the software installed on your<br />
servers. Again, most package management utilities offer the<br />
ability to verify installed packages, however you must bear in<br />
mind that if you consider a machine to be suspect, the output of<br />
any software on that machine should also be considered suspect<br />
as well. If someone has gained root (or Administrator) access to<br />
your machine, they could potentially alter any component of the<br />
system, causing it to present whatever data they wished.<br />
Monitoring baseline trends of system resource usage (such as<br />
memory usage, processor usage, and disk space) can also provide<br />
an invaluable first warning system to alert you to a potential<br />
security breach. Often, the person breaking into your system wants<br />
to utilize your system resources to further another goal (such as<br />
trading warez, sending spam, and potentially even compromising<br />
additional systems). If you notice a spike in resource usage, it<br />
may alert you to a problem before you receive any complaints, or<br />
before you notice anything has been changed.<br />
These systems are a solid asset to server security, not only<br />
because they yield tangible benefits in the form of improved<br />
www.pingzine.com 23