The U.S. Department of Justice has confessed. In designing and running its Web site, it made at least 12 mistakes that left it open to a hacker attack almost exactly one year ago.
The August 16, 1996 hack was more annoying than damaging but embarrassingly public: hackers relabeled 'Department of Justice' as 'Department of Injustice,' added a swastika to the Department's seal and so on. The attack could have been much worse. The hackers eventually could have reached email files and case records and, because the Justice site is considered secure or trusted, through it reached federal science, law enforcement or defense sites.
The attack spurred an in-depth re-examination of Justice's Web security, led by Deputy Attorney General Mark Boster. The findings formed the basis for widespread new changes in the way Justice 'does the Web.'
Boster shared these lessons with the Intranet Institute, a Bethesda, Maryland, educational organization that sponsors yearly conferences on Intranet technologies and issues. The Institute took Boster's findings and shared them with some 1,000 security professionals worldwide to find out whether they agreed these were pervasive problems.
They agreed.
Some of the lessons are common sense. Some are surprising. Some are technical. Some are organizational and political. Overall, they make it clear that Web security is not a problem that is solved once and for all.
"It's almost a daily quest," said Alan Paller, the Institute's director of research and the principal author of the "Twelve Mistakes to avoid in managing security for the Web," a brochure published by the Institute and being made available starting this week. "If you ever let down your guard, the field is moving so quickly that yesterday's defenses will start to atrophy almost immediately. That's a frightening thought."
The Department now regards security as a full-time job that needs a lot of warm bodies. "I was fascinated by the level of effort (Boster) now thinks is necessary, just to stay even with security threats," Paller said. That was Lesson 3.
Justice also learned to rely more on itself when it comes to security. No longer does it let what other organizations are doing with their Web sites determine what Justice should be doing, without regard for the security implications of some new-fangled feature (Lesson 1). It is also much more wary about participating in multi-site networks where some sites may be careless about security, creating a weak link that can put the other sites at risk (Lesson 12).
And the IS group puts much less faith in systems integrators, who rarely have an end-to-end view of all aspects of security (Lesson 2).
"Justice now likes to hire individuals, instead of big systems integrators, because it's much easier to put them through a five-year background (security) check," said John Cilio, president of the Intranet Institute.
Clarifying and centralizing Website authority was Lesson 5. When authority is decentralized, it's harder to see the overall security picture and harder to respond quickly and decisively to threats.
There were several technical lessons that the Department learned. One of the more surprising (Lesson 8) was that even if you unplug the main Web site, users can still access the compromised information through caches that are routinely created at other Websites. Although Justice shut down its defaced Website within forty minutes of being alerted to the attack by the FBI, Websurfers could still access caches around the globe for the next three days. Now, Justice uses a backup Web server. By switching to the backup, Justice forces the cache sites to replicate the uncontaminated information at the new address.
Justice also learned (Lesson 7) to put much less faith in firewall software and much more effort in making certain the firewalls have been configured properly and securely, Cilio said.
Other lessons were administrative. The Department now stores all logs and incident data on remote servers, safe from deletion by hackers, who routinely find the logs on the Web server and deftly erase any trace of their having been there at all (Lesson 9). The IS group also now makes sure it leaves no administration or Web authoring tools on the Web server: hackers were able to use these once they'd reached the site.
"These are the issues that our security professionals say are happening all the time," Cilio said. "These are the real world issues."
