Life at the edge part 4: When things go wrong

A checklist and other hints to protect your Web servers from a worst-case scenario.

by Michael Cobb

When things go wrong

Survivability depends as much upon the risk management skills of an organization as it does upon the technical expertise of its computer security experts. Any compromise of your Web-based services could have a severe impact on your organization's ability to survive, and the effects will be more important than the causes. Even with a highly protected system you must have contingency and risk-mitigation strategies in place in order to protect the organization in the days after a compromise. Contingency planning requires that your executive management make risk-management decisions and economic tradeoffs, with guidance from relevant departments based on "what-if" analyses of survival scenarios. A review of potential threats and possible countermeasures should be completed, with reference to comparable projects and current best practices. This will help everyone make the right decisions about security as you work towards meeting these challenges. By documenting this work you create a document that performs business, legal and practical functions -- the Standard of Due Care.

Standard of Due Care
The Standard of Due Care (SDC) provides a consistent and agreed-upon basis for information security decisions. Survivability and resistance to failure should be designed into your system in the context of this document, as it determines many of the variables in the security approach, reflecting the type of business, the level of threats, the organization's risk tolerance and so on. An organization that has a standard of due care for its system is much better placed to demonstrate the logic behind its security decisions, and thus to justify them in the face of criticism or prosecution. It will have a solid defense against any claims that the organization failed to adequately protect the system and the data it handles.

IIS SSL deployment preparation checklist

Decide upon your trust policy and authentication method for digital certificates.
Choose a commercial CA or install a self-managed certificate server.
Create a public-key pair in IIS Internet Services Manager by creating a certificate signing request that will be submitted to a CA when you request a certificate.
Request a server certificate from your CA by visiting the certificate request URL and filling out the certificate request application.
Install the certificate on your Web server by following the instructions included in the response you get from the CA.
Configure the directories and pages that you want to secure by following these steps:

  • Set the Web Site Properties to use port 443 (or another port of your choice) for SSL/TLS.
  • From the Directory Security tab, access the Secure Communications window and configure the settings so that 128-bit SSL is required.
  • Decide whether you want to require client authentication by digital certificates, and make the appropriate selections in the Secure Communications window.
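
One way to check the result of the checklist from a client machine, as an added example that is not part of the original article: it handshakes with the site on port 443 (or the port you chose) and reports a negotiated cipher below 128 bits or a certificate outside its validity period at a given date. The function names and the `now` parameter are assumptions; a modern client does not offer weak ciphers, so a pass shows that a strong session was negotiated, not that weaker ones are refused.

```python
import socket
import ssl
import sys
import time

# Added example; assess() and probe() are illustrative names, not IIS tooling.
MIN_SECRET_BITS = 128  # mirrors the checklist's "128-bit SSL is required" setting


def assess(cipher, cert, now=None):
    """Return a list of findings for one negotiated session (empty list = pass).

    cipher: (name, protocol, secret_bits) tuple as returned by SSLSocket.cipher()
    cert:   dict as returned by SSLSocket.getpeercert() after a verified handshake
    now:    epoch seconds to evaluate validity at; pass a future time to see
            whether the certificate will still be valid on that date
    """
    now = time.time() if now is None else now
    findings = []
    name, _protocol, bits = cipher
    if bits is None or bits < MIN_SECRET_BITS:
        findings.append(f"cipher {name} provides {bits} secret bits, below {MIN_SECRET_BITS}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("certificate is not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("certificate has expired")
    return findings


def probe(host, port=443, timeout=5.0):
    """Handshake with host:port; the default context verifies chain and host name."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher(), tls.getpeercert()


if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    try:
        findings = assess(*probe(host, port))
    except (ssl.SSLError, OSError) as exc:  # untrusted CA, name mismatch, port closed
        findings = [f"handshake failed: {exc}"]
    for line in findings or ["ok"]:
        print(line)
    sys.exit(1 if findings else 0)
```

A site that requires client certificates may complete the handshake and then reject the request, so test that setting separately with a client that presents a certificate.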
