Chapter 5 • Communication Security: Web Based Services
Logging Activity
Logging, auditing, or monitoring the activity on a Web server becomes more
important as the value of the data stored on the server increases. The monitoring
process should focus on attempts to perform actions that are atypical for a Web
user. These actions include, among others:
■ Attempting to execute scripts
■ Trying to write files
■ Attempting to access files outside the Web root
The more traffic a Web server supports, the more difficult it becomes to review
the audit trails. An automated solution is needed when the time required to review
log files exceeds the time administrators have available for that task. Intrusion
detection systems (IDSes) are automated monitoring tools that look for abnormal
or malicious activity on a system. An IDS can simply scan for problems and notify
administrators or can actively repel attacks once they are detected. IDSes and
Intrusion Prevention Systems (IPSes) are covered in depth in Chapter 7,
“Infrastructure Security: Topologies and IDS.”
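
The kind of automated review described above can be sketched as a short log scanner. This is an added example, not code from the book: it flags the three atypical actions listed earlier in Common Log Format entries. The script directories and extensions, the set of write methods, the tag names, and the sample log lines are all assumptions made for the illustration (a site serving static content only).

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH"}
# Assumption: the site is static, so any request for these is atypical.
SCRIPT_DIRS = ("/cgi-bin/", "/scripts/")
SCRIPT_EXTS = (".cgi", ".pl", ".sh", ".exe", ".bat")

def normalize(target):
    path = target.split("?", 1)[0]          # drop the query string
    for _ in range(3):                      # undo nested encoding: %252e -> %2e -> .
        path = unquote(path)
    return path.replace("\\", "/").lower()

def escapes_root(path):  # True if '..' segments climb above the Web root
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
        elif seg not in ("", "."):
            depth += 1
        if depth < 0:
            return True
    return False

def classify(method, target):
    path = normalize(target)
    checks = {
        "script-execution": path.startswith(SCRIPT_DIRS) or path.endswith(SCRIPT_EXTS),
        "write-attempt": method.upper() in WRITE_METHODS,
        "outside-web-root": escapes_root(path),
    }
    return [tag for tag, hit in checks.items() if hit]

def scan(lines):
    hits = []
    for m in filter(None, map(LINE_RE.match, lines)):
        ip, method, target, status = m.groups()
        hits += [(ip, tag, int(status), target) for tag in classify(method, target)]
    return hits

# Constructed sample entries (documentation address ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [10/Oct/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "GET /images/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 400 226',
    '203.0.113.5 - - [10/Oct/2024:13:57:12 +0000] "PUT /upload/test.txt HTTP/1.1" 405 234',
    '203.0.113.5 - - [10/Oct/2024:13:57:40 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 404 209',
]
```

The status code is kept in each hit because a flagged request that returned 200 deserves attention before one the server already refused.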
Performing Backups
Unfortunately, every administrator should assume that the Web server will be
compromised at some point and that the data hosted on it will be destroyed, copied, or
corrupted. This assumption will not become a reality in all cases, but planning for
the worst is always the best security practice. A reliable backup mechanism must be
in place to protect the Web server from failure. This mechanism can be as complex
as maintaining a hot spare (to which Web services will automatically fail over if the
primary Web server goes down), or as simple as a daily backup to tape. Either way,
a backup is the only insurance available that allows a return to normal operations
within a reasonable amount of time. If security is as much maintaining availability
as it is maintaining confidentiality, backups should be part of any organization’s
security policy and backups of critical information (such as Web sites) should be
stored offsite. Backups, disaster recovery planning, and how to continue on with
business after an attack are covered in depth in Chapter 12, “Operational and
Organizational Security: Security Policies and Disaster Recovery.”
www.syngress.com