Web servers have become a favorite target for network hackers, but there are steps you can take to minimize your vulnerability to break-ins.
Companies might best protect their networks by isolating public Web servers as much as possible, accepting the fact that each of these servers could be "a sacrificial lamb" to predators on the Web, said Lincoln Stein, director of information systems at biotechnology firm CuraGen Corp.
"No matter who you are, there is probably someone who doesn't like you," said Stein, who has written a new book called Web Security, published by Addison Wesley Longman, Inc.
Well-known victims of Webjackings include Yahoo, Inc., the U.S. Air Force and the Department of Justice.
The book provides a useful list of steps companies can follow to reduce their organization's security risks.
For example, Stein recommends cleaning up buggy Common Gateway Interface scripts or JavaScript code, which can let hackers remotely execute commands or overwrite files on a Web server.
To keep hackers from using a Web server as a springboard to critical internal resources such as databases, companies should keep e-mail and FTP services off the machine running the Web server software.
If a company has the ability to isolate its Web servers, it can place a firewall behind them, between the Web servers and the internal network. At the same time, it can run only the most recent versions of Web server software from the likes of Microsoft Corp. and Netscape Communications Corp.
In his book, Stein documents security holes in all of the major commercial and freeware Web servers, noting "some of the holes were discovered within weeks of the time this chapter was written, and the pace of discovery doesn't seem to be slackening."
In any case, one key defensive measure is to turn off every feature not required on a Web server, such as automatic directory listings that make Web servers browsable.
"Don't ever run a server with 'superuser' privileges or root, even if the vendor says it's OK to do that," Stein said.
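Two of the recommendations above, turning off browsable directory listings and never running the server as the superuser, map to concrete directives in an Apache-style configuration. The following is an added example, not code from the article or from Stein's book: a small audit script that scans an httpd.conf fragment and flags a `User root` directive and any `Options` line that enables `Indexes`. The two configuration fragments it checks are constructed for the example; the directive names (`User`, `Options`, `Indexes`, `All`) are real Apache directives, while the function and constant names are this example's own.

```python
"""Audit an Apache-style httpd.conf fragment for two hardening points:
directory listings left enabled (Options Indexes / Options All) and the
server configured to run as the superuser (User root).

Added example; the config text below is constructed, not taken from a real server."""
import re

# Constructed sample: the weak configuration (listings on, runs as root).
WEAK_CONF = """
User root
Group wheel
<Directory "/var/www/htdocs">
    Options Indexes FollowSymLinks   # browsable directories
    AllowOverride None
</Directory>
"""

# Constructed sample: the same server with both problems corrected.
HARDENED_CONF = """
User www
Group www
<Directory "/var/www/htdocs">
    Options FollowSymLinks
    AllowOverride None
</Directory>
"""


def _options_enable_indexes(option_tokens):
    """True if an Options list turns directory listings on.

    Apache accepts 'Indexes', '+Indexes' (enable), '-Indexes' (disable) and
    'All' (everything except MultiViews, which includes Indexes)."""
    enabled = False
    for tok in option_tokens:
        name = tok.lstrip('+-').lower()
        if name in ('indexes', 'all'):
            enabled = not tok.startswith('-')
    return enabled


def audit_httpd_conf(text):
    """Return a list of (line_number, message) findings for the config text.

    line_number 0 is used for findings that are not tied to a single line
    (here: no User directive at all, so the server never drops privileges)."""
    findings = []
    user = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r'^User\s+(\S+)', line, re.I)
        if m:
            user = m.group(1)
            if user.lower() == 'root':
                findings.append((lineno, 'server configured to run as root'))
            continue
        m = re.match(r'^Options\s+(.+)$', line, re.I)
        if m and _options_enable_indexes(m.group(1).split()):
            findings.append((lineno, 'directory listings enabled (Indexes)'))
    if user is None:
        findings.append((0, 'no User directive: server does not drop privileges'))
    return findings


if __name__ == '__main__':
    for label, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        print(label, audit_httpd_conf(conf) or 'no findings')
```

Run against the weak fragment the script reports both the `User root` line and the `Options Indexes` line; against the hardened fragment it reports nothing. The `Options` check honours the `+`/`-` prefix syntax and treats `All` as enabling listings, so a directive such as `Options All -Indexes` is correctly read as listings off.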
While the emergence of corporate Web servers has placed yet another burden on systems administrators and security professionals, there is a silver lining. According to a recent survey by SANS Institute, managers with security responsibilities enjoyed a 14.1% pay hike last year because their expertise is sorely needed.
