
How to Protect Your Web Server from Attacks

Oct 11, Technology


The National Institute of Standards and Technology has released a new publication that provides detailed tips on how to make web servers more resistant to potential attacks. Called “Guidelines on Securing Public Web Servers,” the publication covers some of the latest threats to web security, while reflecting general changes in web technology that have taken place since the first version of the guide was published 5 years ago.

Web servers are the software programs that make information available over the Internet. They are often the most frequently targeted hosts on a computer network.

Attackers gaining unauthorized access to the server may be able to change information on the site (e.g., defacing a web page), access sensitive personal information, or install malicious software to launch further attacks. Recently emerging threats include “pharming,” in which people attempting to visit a web site are redirected surreptitiously to a malicious site.

How does one thwart these attacks? The guide advocates taking basic steps such as keeping up-to-date on patches (fixes and updates) for web server software and the underlying operating system. Also, the guide recommends configuring the software in as secure a fashion as possible, for example by disabling unnecessary software services and applications, which may themselves have security holes that can provide openings for attacks.

Another key recommendation, especially for large-scale operations, is to consider the human-resource requirements for deploying and operating a secure web server, and to staff the appropriate complement of IT experts (such as system and network administrators), each doing their job to establish and promote security.

The guide advocates “defense in depth”—installing safeguards at various points of entry into the server, from the router that handles all incoming data traffic to the specific machines that house the server software. In addition, the guide recommends, organizations should monitor log files, create procedures for recovering from attacks, and regularly test the security of their systems.

The guide is designed for federal departments and agencies, but may be applicable to any web server to which the outside world has access. The guide is available free of charge at http://csrc.nist.gov/publications/nistpubs/800-44-ver2/SP800-44v2.pdf .

Source: NIST
