Question 1 - Have you guys been hacked?

A customer calls inquiring "Why does our web site say 'Hacked by Chinese' on it? Have you guys been hacked?"

The site is actually running on the customer's premises. The customer had purchased the whole nine yards of software from Microsoft and a consultant installed it. Over time, nobody there remembered any of this.

Some Lessons I Picked Up

Know what is running on your network.

All allowable traffic, in and out, should be listed explicitly in your firewall rules.

Really know what services are running on your network.

You should really be aware of every incoming IP packet. Each externally addressable (and accessible) service provides a means for someone to get into your site.
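As an added example (not from the original page) of putting every allowed flow into the firewall rules explicitly, here is a default-deny pf.conf for an OpenBSD firewall sitting in front of the one externally accessible web server; the interface names and addresses are assumptions.

```pf
# Added example, not from the original page: /etc/pf.conf for an OpenBSD
# firewall with the web server on the inside. Interface names and addresses
# are assumptions; replace them with your own.
ext_if     = "em0"           # faces the Internet
int_if     = "em1"           # faces the server network
web_server = "192.0.2.10"    # the one externally reachable machine (assumed)

set skip on lo

# Default deny. Anything not matched by a pass rule below is dropped and
# logged to pflog0, so unexpected inbound packets are visible, not silent.
block log all

# Inbound from the Internet: only the web service, only on its two ports.
pass in  on $ext_if proto tcp from any to $web_server port { 80 443 } keep state
pass out on $int_if proto tcp from any to $web_server port { 80 443 } keep state

# Outbound from the web server: DNS and HTTP(S) for fetching updates, nothing else.
pass in  on $int_if proto { tcp udp } from $web_server to any port 53 keep state
pass out on $ext_if proto { tcp udp } from $web_server to any port 53 keep state
pass in  on $int_if proto tcp from $web_server to any port { 80 443 } keep state
pass out on $ext_if proto tcp from $web_server to any port { 80 443 } keep state

# Every other service on the web server (IIS admin ports, file sharing, RPC,
# and anything a consultant installed years ago) is unreachable from outside
# because no rule passes it.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and review what the default-deny rule is dropping with `tcpdump -n -e -ttt -i pflog0`.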

Make sure you really need to run that externally accessible service on your network.

Is it really worth running IIS just to display your company's online brochure? There is a machine cost, the cost of maintaining the software, the cost of installing upgrades (someone's time), and the cost of potentially getting hacked.

If your company runs a web server (almost never necessary) in order to make some internally held data available (for example, the web site is hooked up to a database), consider running the site at an ISP or hosting provider and only allowing that database access in. Or export your database periodically and update a copy of it at the ISP. Consider the safety record of the web server and of the database engine; decide which one you feel would be more secure, and make that one the one available to the outside.

If you really, really, really need to run that externally accessible service on your network, make sure that someone is keeping the software up to date.

It has to be someone's job to keep track of each piece of "service software" that you are running. They need to know when there are security problems, and they need to apply updates.

If you really, really, really need to run that externally accessible service on your network, make sure that you are using the best OS and application software to get the job done.

Not all OSs and service software have the same security record. In particular, the Windows NT and IIS combination has a rather poor record. Don't be afraid to stray from Microsoft.

Some of our choices: good choices for externally accessible machines are OpenBSD and FreeBSD. Both projects turn around security problems extremely fast.

www.freebsd.org - great for services

www.openbsd.org - great firewall

We also use SGI's IRIX, but they can be a bit slow to release patches for security-related problems, and you need to turn off extra services. The SGI boxes are very reliable though, and we have been running them for over 7 years. So long as you have a firewall in front of it, or you are careful with what services are running, you won't have security issues. OpenBSD is the best out of the box. FreeBSD is good, and will run on dual-processor boxes. IRIX will run on 256 processors, which gives you huge potential scalability.