
The main security threats

A web site is an ordinary software application that runs on an operating system and server software, using the programming interfaces of the OS and other software resources.
Security threats to a web site can be classified into the following three types:

- Information environment tampering threat;
- Bitrix Site Manager tampering threat; 
- Third party web applications tampering threat.


This is how your site may look after a defacement: it may be ominous, funny, or even gorgeous.

Whatever it looks like, the result of a defacement is the same: the company loses face in every sense.


Information environment


Let's consider the list of applications that form the information environment in which the "Bitrix Site Manager" software operates:


  - Operating system. Commonly UNIX-based systems (Linux, FreeBSD, SunOS, HP-UX etc.) or Windows-based systems (Windows 2003 Server, Windows 2000 Server, Windows NT, Windows XP etc.). The operating system may have any server software installed. That software may not be directly related to the web site or to "Bitrix Site Manager", but it must be taken into account when drawing up the register of objects for security monitoring. Commonly, these are the following resources: SMTP/POP3/IMAP mail servers; DNS, FTP or SSH software; Telnet etc.
  - Web server. The server software that runs web applications, processes queries, and transfers image files and HTML pages to the client. Apache versions 1.3.xx and 2.xx and Microsoft IIS are the most widely used web servers. Sometimes a proxy server (SQUID, OOPS, Oracle Application Server Web Cache etc.) is installed in addition. In this review we consider this type of software together with the web server software, as these applications have a service function. Encryption modules supporting the SSL algorithms (OpenSSL etc.) are also considered web server applications.
  - Development environment. The PHP programming language and libraries, which provide the business logic of the Bitrix Site Manager software and of client applications. Note that PHP is a web server module and interacts with it closely. Nevertheless, we consider PHP separately because of its role in the functioning of the web site.
  - Database. The information repository and SQL query processing system. Commonly, these are MySQL 3.xx, 4.xx, 4.1 or Oracle 9i, 10g.

The above four components make up the information environment in which "Bitrix Site Manager" operates.

Third party web applications

In most cases, third party web applications or scripts do not need to be installed for the web site to function, as "Bitrix Site Manager" solves most tasks involved in managing a corporate web site. However, if your site contains applications developed by other companies or written in other programming languages (Perl, ASP, .NET, JSP or CGI scripts in other programming languages), you have to draw up a register of them and take them into account when estimating the security level of the system.

Very often, control panels such as CPanel, Plesk etc., as well as forums, log analyzers, counters etc., are installed on web servers. Sometimes these applications are no longer used after "Bitrix Site Manager" is installed. However, the scripts remain on the server and can be used as a means of hacking the web site. In this document, we define them as third party web applications.
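One way to draw up the register of third party scripts described above, as an added example (not Bitrix code): a Python script that walks a web root, groups non-PHP server-side scripts by top-level directory, and reports how long ago each group last changed, so that unused leftovers stand out. The extension mapping, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
import time
from collections import defaultdict

# Extension -> technology, following the languages the page names
# (Perl, ASP, .NET, JSP, CGI). The mapping itself is an assumption.
THIRD_PARTY_EXT = {".pl": "Perl", ".cgi": "CGI", ".asp": "ASP",
                   ".aspx": ".NET", ".ashx": ".NET", ".jsp": "JSP"}

def build_register(docroot, now=None):
    """Return one register entry per top-level directory of docroot
    that contains non-PHP server-side scripts."""
    now = time.time() if now is None else now
    found = defaultdict(lambda: {"tech": set(), "files": 0, "newest": 0.0})
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            tech = THIRD_PARTY_EXT.get(os.path.splitext(name)[1].lower())
            if tech is None:
                continue  # PHP, images, HTML etc. are not third party scripts
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot)
            top = rel.split(os.sep)[0] if os.sep in rel else "."
            entry = found[top]
            entry["tech"].add(tech)
            entry["files"] += 1
            entry["newest"] = max(entry["newest"], os.path.getmtime(full))
    return [{"location": top,
             "technologies": sorted(e["tech"]),
             "files": e["files"],
             # a large value suggests an application nobody maintains
             "days_since_change": int((now - e["newest"]) // 86400)}
            for top, e in sorted(found.items())]

def demo():
    """Constructed sample: a PHP site with a leftover Perl forum and a JSP stats app."""
    now = int(time.time())
    sample = [("index.php", 1), ("forum/index.pl", 400),
              ("forum/lib/post.cgi", 420), ("stats/report.jsp", 30)]
    with tempfile.TemporaryDirectory() as root:
        for rel, age_days in sample:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.utime(path, (now - age_days * 86400,) * 2)
        return build_register(root, now)

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Calling `build_register` on a real document root gives the starting list; each entry then needs an owner and a decision to update or remove it.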
We can single out the following three levels of threats:


 • Minimum: access to non-confidential information to which access is not allowed; the possibility of causing visual defects or interfering with the web site operation.
 • Medium: partial access to confidential information; partial bypass of the authorization system to extend permissions.
 • High: total bypass of the authorization system; unlimited access to the system or the application; the possibility to run unauthorized applications; view and modify confidential information.


Ensuring the Information environment security


Most hacks are carried out through vulnerabilities in the information environment in which the web server operates. For example, if a mail or FTP server is not properly updated, a malicious person could gain administrator rights to the operating system and consequently to the web server, perform any operation and, what is more, pass unnoticed.
There are a number of English and Russian resources that publish information about vulnerabilities in server software.
The company's system administrators are responsible for the security of the information environment. Ensuring information security is not as simple as it may seem, since a server runs many programs that it needs in order to operate properly.
There is a class of software products that automate monitoring of the information environment and help to avoid configuration errors and delays in updating the server software:


• MaxPatrol (Positive Technologies)
• Internet Scanner 7.0 (Internet Security Systems)
• LanGuard (GFI)
• Nessus (Renaud Deraison)
• NetRecon (Symantec)
• Retina (eEye Digital Security) etc.
 
 
Bitrix cooperates closely with Positive Technologies and recommends their MaxPatrol software. You can get a 10% discount on the MaxPatrol software if it is purchased in a bundle with the Bitrix Site Manager.

Cooperating with qualified companies that provide constantly updated secured hosting and information environment monitoring is one of the most effective ways to ensure the security of the information environment. DATAFORT, Masterhost and some other providers are among such companies.
 
If your company provides information security services or secured hosting, please contact us to place your information in this section.  

 





© 2001-2008 Bitrix, Inc. Bitrix® is a registered trademark of Bitrix, Inc.