May 09, 2006
Carspy and Trust
This time we had a round table discussion about security and people's concerns, and I showed a new spyware test site.

One person in the audience was setting up a new ecommerce site and was nervous about security. While he was definitely wise to learn what needs to be done before he did anything, it sounded like he was trying to do too much and would just end up overwhelmed by all the details. I tried to switch his focus to securing his personal network and leaving the enterprise network for others. After getting through the idea of what routers, firewalls, and IDS to use, we discovered that he would be using another site's resources and didn't even have to worry about all those mundane things. This just illustrates how shared web hosting can help security: let them worry about security. While he does need to make sure the hosting site is on its toes and doing things properly, let them do their job. Make sure backups are properly done, any important sections (logon, credit card numbers, etc.) are encrypted by using SSL, and that the ability to change the site is secured also. Since whoever hosts the site also provides the application, he doesn't even have to worry about securing the application either. They have written the site and have complete control of it. They are there to make sure vulnerabilities like SQL injection don't let someone subvert the site itself. He can now focus on the business side and how to maximize his profits.

Then we looked at a spyware testing site that was just put up last Thursday. I found out about it on the SANS diary/blog. It is immature and still has some rough spots. Considering the reputation of the programmers (Tom Lisper, Ed Souko, and Michael Price), I'm confident that it will improve over time. I want to mention that I would not go to this site (CARSPY.COM) unless it was referred to me by someone I trusted and was authored by people with a good reputation. Just because the site claims they won't do bad things doesn't mean much. But I explicitly decided to trust them. I have the same feeling for Steve Gibson and GRC.COM. I would not let a site do to my computer/network what it does if it wasn't for his presentations at the computer club. The idea of trust being important was stated thousands of years ago by Sun Tzu in THE ART OF WAR: "If you know neither the enemy ..., you will succumb in every battle." I want to add that knowing your enemies implies that you know who your friends are also. Who can you trust and who are you skeptical about?
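One of the few things the hosted-site owner still has to verify himself is the point above about logon and credit card pages going over SSL. Below is an added example (not from the original post or from any hosting provider) of a small check for that: given a page's HTML and the URL it was served from, it flags any form that collects a password or card number but submits to a non-HTTPS address. The sample HTML, the `example.test` host names and the `SENSITIVE_NAMES` field list are all constructed for illustration.

```python
"""Flag forms that collect credentials or card numbers but submit over plain HTTP.

Added example, not code from the original post. The sample page and host
names below are constructed; SENSITIVE_NAMES is an illustrative field list.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Input names that, by assumption, carry secrets (constructed list; extend as needed).
SENSITIVE_NAMES = {"password", "passwd", "pass", "cardnumber", "card_number", "ccnum", "cc"}


class FormCollector(HTMLParser):
    """Records each <form>'s action and whether it contains a sensitive input."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "sensitive": bool}
        self._current = None   # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # attribute values may be None when no value is given
        if tag == "form":
            self._current = {"action": a.get("action") or "", "sensitive": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or "").lower()
            itype = (a.get("type") or "").lower()
            if itype == "password" or name in SENSITIVE_NAMES:
                self._current["sensitive"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_sensitive_forms(page_url, html):
    """Return the resolved action URLs of sensitive forms not submitted over HTTPS.

    A relative or empty action is resolved against page_url, so a login form on
    an http:// page with action="/login" is reported even though the action
    itself names no scheme.
    """
    parser = FormCollector()
    parser.feed(html)
    bad = []
    for form in parser.forms:
        if not form["sensitive"]:
            continue
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            bad.append(target)
    return bad


# Constructed sample page: a login form with a relative action, a checkout form
# that posts to an HTTPS host, and a harmless search form.
SAMPLE_HTML = """
<html><body>
<form action="/login" method="post">
  <input name="user"><input type="password" name="password">
</form>
<form action="https://pay.example.test/checkout" method="post">
  <input name="card_number">
</form>
<form action="/search" method="get"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    # Served over plain HTTP: the login form is flagged, the HTTPS checkout is not.
    print(insecure_sensitive_forms("http://shop.example.test/", SAMPLE_HTML))
    # Same page served over HTTPS: nothing to report.
    print(insecure_sensitive_forms("https://shop.example.test/", SAMPLE_HTML))
```

This only catches the case where a sensitive form is posted in the clear; it says nothing about whether the certificate is valid or the hosting provider's TLS setup is sound, which still has to be confirmed with the host.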
SECSIG meets in the Science building 203 at 11:15 am.
By attending the SECSIG you can ask questions and open discussions about troubling situations you are having now.
The RSS feed address is http://ocsecsig.blogspot.com/atom.xml
Dave Keays, SIG leader