Eric Ogren

Security Impact

Perform Your Own Web Site Checkup

Broad-based attacks are down this year; surgical attacks against specific targets are up. We can thank the press departments of government judicial systems for their PR efforts every time a malicious hacker soul is sentenced to a few years in jail. Hackers seem to be catching on that prison is a high price to pay for not a lot of benefit.

However, the smart and greedy hackers have moved on to surgical attacks, where it is harder to get caught and where the financial benefits are clearer. The professional hackers can use publicly available information to focus activity and to reduce the risk of detection, and build in an exit strategy to sell the information gathered. This may be the only place in security where an ROI analysis makes sense! Hackers are implementing their own form of security risk management, too! It is easy to mimic the basic steps. While there are many neat tools that anybody can use, I'll just touch on two for Web sites:

  1. Netcraft (www.netcraft.com) scans the Internet for Web servers. A simple dialog box titled "What's That Site Running?…" asks for the site you are interested in. There you can find lots of interesting information such as the web server vendor and version deployed, operating system, and date of last software upgrade.
  2. Our National Vulnerability Database (nvd.nist.gov) is the next step. Just plug in the Web server information from step 1 and you get all of the known vulnerabilities for that Web server. (You can also get CVEs for operating systems, databases, mail systems, and other applications.) This information can be used to launch a surgical strike based on known vulnerabilities and known host environments, with a reasonable hope of finding an unpatched system.
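The two steps above, turned into a self-checkup you can run against your own site, as an added example that is not code from this column or from any vendor it names. It parses the banner your own Web server announces (the same product-and-version string a fingerprinting service reports), normalizes the version, and checks it against a locally kept list of vulnerable version ranges of the kind you would assemble from NVD entries. The advisory records and banners in the block are constructed placeholders (the identifiers are not real CVEs); replace them with the entries you look up for the software you actually run. The audit-age check at the end applies the six-month rule of thumb from later in the column.

```python
"""Self-checkup helper: parse the banner your own Web server sends and check
its version against a local list of vulnerable version ranges.

Added example, not code from the column or from any vendor it names. The
advisory records below are CONSTRUCTED placeholders; replace them with
entries looked up on nvd.nist.gov for the software you actually run.
"""
import re
from datetime import date

# Constructed sample advisories. fixed_in is exclusive: a server running
# exactly fixed_in counts as patched. Identifiers are placeholders, not CVEs.
SAMPLE_ADVISORIES = [
    {"product": "apache", "affected_from": "2.0.0", "fixed_in": "2.0.60", "id": "CVE-PLACEHOLDER-1"},
    {"product": "apache", "affected_from": "2.2.0", "fixed_in": "2.2.3", "id": "CVE-PLACEHOLDER-2"},
    {"product": "microsoft-iis", "affected_from": "5.0", "fixed_in": "6.0", "id": "CVE-PLACEHOLDER-3"},
    {"product": "nginx", "affected_from": "0.1.0", "fixed_in": "0.7.0", "id": "CVE-PLACEHOLDER-4"},
]

# Typical "Server:" header shapes: "Apache/2.0.52 (Red Hat)", "Microsoft-IIS/6.0",
# "nginx/0.6.32". The product is the token before the slash, the version the
# dotted digits right after it; anything else (OS, modules) is ignored.
_BANNER_RE = re.compile(r"^\s*([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)")


def parse_server_banner(banner):
    """Return (product, version) from a Server header, or None when the banner
    carries no version (a server configured to hide it still needs patching,
    it just gives an outsider less to go on)."""
    m = _BANNER_RE.match(banner)
    if not m:
        return None
    return m.group(1).lower(), m.group(2)


def version_key(version):
    """Turn '2.0.52' into a comparable tuple, zero-padded so '2.0' == '2.0.0'."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version, advisory):
    """True when affected_from <= version < fixed_in."""
    v = version_key(version)
    return version_key(advisory["affected_from"]) <= v < version_key(advisory["fixed_in"])


def matching_advisories(banner, advisories=SAMPLE_ADVISORIES):
    """Identifiers of every advisory whose product and version range cover the banner."""
    parsed = parse_server_banner(banner)
    if parsed is None:
        return []
    product, version = parsed
    return [a["id"] for a in advisories if a["product"] == product and is_affected(version, a)]


def _as_date(d):
    return d if isinstance(d, date) else date.fromisoformat(d)


def audit_overdue(last_audit, today, max_days=183):
    """The column's rule of thumb: re-check if the last audit is more than about six months old."""
    return (_as_date(today) - _as_date(last_audit)).days > max_days


def checkup_report(banner, last_audit, today=None, advisories=SAMPLE_ADVISORIES):
    """One record summarizing what an outsider sees and what you should act on."""
    today = today or date.today()
    parsed = parse_server_banner(banner)
    return {
        "banner": banner,
        "version_disclosed": parsed is not None,
        "product": parsed[0] if parsed else None,
        "version": parsed[1] if parsed else None,
        "matches": matching_advisories(banner, advisories),
        "audit_overdue": audit_overdue(last_audit, today),
    }


if __name__ == "__main__":
    # Constructed banners standing in for what your own site returns.
    for sample in ("Apache/2.0.52 (Red Hat)", "Microsoft-IIS/6.0", "nginx/0.6.32", "Apache"):
        print(checkup_report(sample, last_audit="2006-01-10", today=date(2006, 9, 1)))
```

Two design points worth noting: the upper bound of each range is exclusive, so a server running exactly the fixed version is reported clean, and versions are zero-padded before comparison so "2.0" and "2.0.0" compare equal rather than one sorting below the other.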

Try it on your own corporate site just to get a feel for how easy this is. ESG research shows that 30% of corporations believe they are most vulnerable to Web traffic attacks, so it is well worth understanding this. (E-mail leads at 45%, for those who like numbers.) It is almost trivial for outsiders to find out what you are running and what vulnerabilities may be exploited.

Perform your own Web site checkup. There are two vendors that will help you do this for free. Watchfire AppScan (www.watchfire.com) and SPI Dynamics WebInspect (www.spidynamics.com) are two good products that can both be downloaded for a free one-week evaluation. Netclarity (www.netclarity.com) is another vendor that can help you go a step further by auditing your network for CVE-defined vulnerabilities on an ongoing basis. Give your Web presence a healthy check-up with the free tools. This is especially critical if you haven't done this before, or if it has been more than 6 months since your last audit. You'll feel better!