Quote:>for some research on the security of web-based medical databases, i'm
>trying to find some estimates of the likelihood of successful attacks (as
>a percentage of all attacks) by crackers (aka hackers) on various Internet
>technologies: firewalls, Unix (one or more flavors), SSL, etc.
I doubt you're goint to find much useful out there. There are enough good
tools available that intrinsically bad tools are flushed out fast, with one
gigantic and hideous counterexample of course:-).
I'd hazard a guess that most web site burglaries come from a few common
categories of error:
- using old versions of daemons, with well-known security holes that
are fixed in newer versions;
- supporting services with poor security on servers that need better
- configuration errors, e.g. allowing access to system security files
via un- or poorly-authenticated network protocols;
- programming errors, esp. CGIs doing inadequate parameter checking;
- poor design; e.g. placing something like a commercial relational
database with poor access control out directly visible to the
By and large, you can construct a site that will not be burgled by a fairly
direct a approach. (1) Be paranoid; always assume that attackers are smarter
and more knowledgeable than people publishing exploits. (2) Leave out all
services that aren't absolutely mandatory, and make sure that the mandatory
services really are. (3) If you have a mandatory service that can't be well
secured, shove it off onto a separate, sacrificial box, behind a firewall. (4)
Design your site architecture with security as the primary goal.
My favourite example of conservative web-site design in the public literature
is, interestingly enough, a medical database. Hmm. Coincidence? :-) Take a
looksie at PCASSO.