
Posts Tagged ‘fundamentals’

Does the web matter

Sunday, April 13th, 2008

I remember back in “the good old days” people would laugh at web defacements. It might be a way for a hacker to prove themselves or gain their fifteen minutes of fame on 2600, but it was not a gateway to sensitive or important information. The web was, after all, nothing more than an advertisement – a billboard on the information superhighway. Organizations had important information on computers, but none of it was on web servers. Web page defacements were akin to graffiti, not corporate espionage.

Fast forward to today, and it is remarkable how much has changed. The web has begun supplanting the other 65,533 ports on the internet. Although e-commerce was the first thing to change the web from a static billboard into a channel for sensitive data, it is web applications that have done the most to complete that change recently. Now everything happens over the web: companies use SOAP to exchange sensitive information with each other, and the back-end databases behind web applications frequently hold incredibly important data. Even services originally designed to run over other protocols, such as remote administration, email, and file transfer, have begun migrating to the web. The bottom line is that the web matters. There are still electronic graffiti artists who want nothing more than their 15 minutes of fame on zone-h.org, but serious hackers are eyeing the web too.

I remember some time ago I got into a long discussion with someone at work that at its essence revolved around the question of whether or not the web mattered. I essentially argued my old position, more out of habit than anything else, while he argued that the web was of paramount importance (although admittedly he had ulterior motives for taking that position). I was ultimately proven right only because the case we were dealing with turned out to be nothing more than a simple electronic graffiti artist. Despite being right in that single instance, I am being forced to change my overall position.

In practical terms, it means people can no longer blithely allow traffic through to their web servers on ports 80 and 443. That traffic must be examined, either by an intermediate network device or by the web server itself, to ensure it is safe. Web applications need to be coded securely, and web servers should in general not be trusted: don't run the server process as root, confine its system calls in a sandbox, and so on.
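The "don't run the process as root" advice above has a well-known shape: bind the privileged port while still root, then permanently switch to an unprivileged account before handling any request. The following is an added example of that bind-then-drop pattern, not code from the original post. The account name "www-data" and the fallback port 8080 (so the program also runs when started unprivileged) are assumptions; drop_privileges() is the part worth copying, including its check that the drop cannot be undone.

```c
/* Bind a privileged port as root, then drop to an unprivileged user.
 * Added example, not code from the original post. The account name
 * "www-data" and the fallback port 8080 are assumptions. */
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch to uid/gid. Order matters: supplementary groups
 * and the primary gid must go first, because once the uid is no longer
 * 0 the process can no longer change them. Returns 0 on success,
 * -1 if any step fails or if the drop turns out to be reversible. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only root may clear supplementary groups; an already
     * unprivileged caller simply keeps the groups it has. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify the switch actually happened on all ids. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;

    /* Verify it is irreversible: when root calls setuid() the saved
     * uid is cleared too, so regaining uid 0 must now fail. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Open a listening TCP socket on `port` (loopback only). Returns the
 * descriptor, or -1 on failure. */
int bind_listener(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) != 0 ||
        listen(fd, 16) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    /* Port 80 needs root (or CAP_NET_BIND_SERVICE); 8080 is an assumed
     * fallback so the program also runs when started unprivileged. */
    unsigned short port = geteuid() == 0 ? 80 : 8080;
    if (argc > 1)
        port = (unsigned short)atoi(argv[1]);

    int fd = bind_listener(port);
    if (fd < 0) {
        perror("bind");
        return 1;
    }

    /* The socket is bound, so root is no longer needed for anything. */
    if (geteuid() == 0) {
        struct passwd *pw = getpwnam("www-data");   /* assumed account */
        if (!pw) {
            fprintf(stderr, "no unprivileged account to drop to\n");
            return 1;
        }
        if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
            fprintf(stderr, "privilege drop failed, refusing to serve\n");
            return 1;   /* never fall through and serve as root */
        }
    }
    printf("listening on 127.0.0.1:%u as uid %u\n",
           (unsigned)port, (unsigned)getuid());
    /* the accept() loop and request handling would go here */
    close(fd);
    return 0;
}
```

Two details are easy to get wrong and are the reason for the verification step: calling setuid() before setgid() leaves the process unable to change its group, and on some systems a non-root setuid() only changes the effective uid, leaving the saved uid available for a later switch back. Checking that setuid(0) now fails catches both.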

security and transparency

Sunday, April 6th, 2008

People frequently wonder what makes a good security system. One frequently overlooked aspect is transparency. Simply put, the more transparent a control is, the less users will notice it. The reason this matters is that users are frequently the most vulnerable link in the security chain. Worse, if users perceive a security control as an inconvenience, they will actively work to circumvent it.

I’ll take a simple example from my own life. The corporate laptop I use came with antivirus software installed. The software kept picking up a password cracking tool I was trying to use as a virus. (As a security analyst, a password cracking tool is a legitimate part of my job.) I tried to write an exception into the AV software, but I didn’t have the appropriate permissions. Eventually I had no choice but to simply disable the antivirus software entirely. There are thousands of similar stories: employees propping doors open because there is no way to re-enter through a back door, sending sensitive information in the clear when a secure method of transmission can’t be located quickly, setting up rogue wireless access points, or a programmer writing a script which contains all of his or her login information to various internal systems. The bottom line is that security which is invisible is far less likely to be circumvented by frustrated users.
