Report on Web site hack: This is what not to do

The privately funded Intranet Institute late last month released a lessons-learned report based on an incident involving hackers breaking into a Justice Department World Wide Web site a year ago last month.

Intruders broke in electronically to DOJ's Web site on Aug. 16, 1996, supplanted Attorney General Janet Reno's photo with Adolf Hitler's, changed the agency's name to the Department of Injustice and replaced its seal with the Nazi flag. DOJ officials said the intrusion convinced them to make the site more secure.

In so doing, the agency learned a dozen lessons, which the Intranet Institute put in a report called "Twelve Mistakes to Avoid in Managing Security for the Web" - lessons that DOJ officials hope will help other federal agencies avoid the same mistakes.

"We are trying to share information with other agencies," said Mark Boster, deputy assistant attorney general for information resources management. "What we are not doing is we are not giving any organization any specifics on how we are doing security. Every organization has to develop their own security and security plans."

The pamphlet-size report should be of great use to other agencies because federal Web sites are easier to hack than many private-sector sites, said Marcus Ranum, a firewall pioneer and chief executive officer of Network Flight Recorder Inc., Woodbine, Md. "Government Web sites tend to be much more hackable," he said, adding that agencies usually do not spend enough money on security.

The lessons-learned report is a mix of new mistakes and ones already well-known in information security circles. Most surprising among the mistakes, according to Alan Paller, the Intranet Institute director of research who compiled the report, is believing that a Web site can be removed from a network quickly.

Boster and other DOJ staff members discovered this a year ago after they pulled the plug on the server that hackers attacked yet continued to get calls from journalists who said they were still able to view the site. People could still access the site because large service providers often create replicas (cached copies) of popular sites. The solution, the report said: Have a separate server as a backup. If the site on the original server is hacked, switching to the backup server will force replicated sites to change too.

Other mistakes include allowing outside organizations to set priorities, distributing Web site authority, and placing on the Web server administration tools that hackers can use.

To request a copy of the report visit the Intranet Institute's Web page at www.escal.com.
