Service and ownership location can be fundamental selection factors for online users. The importance of confidence in the UK's digital economy was highlighted in the Digital Britain Report (2009) and more recently in the Cabinet Office's Cyber Security Strategy of the United Kingdom/Fact Sheet on Cyber Security and EURIM's Can Society Afford to Rely on Security by Afterthought Not Design?. Building trust in the .UK brand is a necessary part of a healthy competitive economy.

Hand-in-hand with creating "the best place to do online business", the UK needs to increase visibility of the geographical properties of its online organisations. I wonder if in time, we will have more "country of origin" information, like the security labelling mentioned on Friday, to help users (employees, customers, clients, and citizens) make informed choices about who they will share information with and buy products & services from.

A ruling last week by the EU Court of Justice suggests that companies directing their activities at foreign consumers, will affect where they can take legal action, or have legal action taken against them. "Directing" may include using a domain name of another country, using a .com domain name, quoting international contact details, mentioning country names (e.g. delivery rates) or offering country/lanuague options.

We have already seen moves to ensure .uk domains are not used for criminal activities, but is the domain name enough? No. Without getting jingoistic, as the ruling indicates, there are all sorts of additional geographical properties that affect users' rights and the ability for governments to enforce legislation. An equivalent to the "Security Facts" label might be "Location Facts":

where "GB" is the ISO 3166-1-alpha-2 code for the United Kingdom. In the example on the left, the application is hosted in Germany and has some data transfers to the United States because of web analytics, SSL verification and inline advertisement code hosted there. Of course, the situation can be complex, and in a single label it can be difficult to describe all the important geographical properties, but let's at least try. Knowing the locations of each element of the supply chain is less relevant to the end user than the details above.

These two examples are just made up to emphasize the possibilities and are not meant to be xenophobic in any way. Consumers, and other web product users, should be able to find out who they may be interacting with and the scope for redress in the event of a problem, so they can make their own choice? This is no different to having the place of origin on food product labelling.

This quotation from the forward by James Paice, Minister of State for Agriculture and Food, to the British Retail Consortium's new guide on Principles on Country of Origin Information couldn't explain it better:

It would seem to be as appropriate for web products too. Of course, there are many other issues that affect user trust—jurisdiction being just one.

Can we trust self-labelling? Well for consumers, the Advertising Standards Authority's remit will include digital assets like web sites from 1st March 2011. Honesty plays a big part too, but consumer groups (e.g. the Confidence Code for energy comparison web sites) have some punch, and trade associations could develop standards for their members. Ultimately, the power of markets and groups of individuals would hopefully keep other organisations in check.

Sometimes when I'm out socially and people ask what I do, the conversation progresses to concerns about their own web site. They may have a hobby site, run a micro-business or be a manager or director of a small and medium-sized enterprise (SME)—there's all sorts of great entrepreneurial activity going on.

It is very common for SMEs not to have much time or budget for information security, and the available information can be poor or inappropriate (ISSA-UK, under the guidance of their Director of Research David Lacey, is trying to improve this). But what can SMEs do about their web presence—and it is very unusual not to have a web site, whatever the size of business.

Last week I was asked "Is using <company> okay for taking online payments?" and then "what else should I be doing?". Remember we are discussing protection of the SME's own web site, not protecting its employees from using other sites. If I had no information about the business or any existing web security issues, this is what I recommend checking and doing before anything else:

• Obtain regular backup copies of all data that changes (e.g. databases, logs, uploaded files) and store these securely somewhere other than the host servers. This may typically be daily, but the frequency should be selected based on how often data changes and how much data the SME might be prepared to lose in the event of total server failure.
  • check backup data can read and restored periodically
  • don't forget to securely delete data from old backups when they are no longer required
• Use a network firewall in front of the web site to limit public (unauthenticated user) access to those ports necessary to access the web site. If other services are required remotely, use the firewall to limit from where (e.g. IP addresses) these can be used.
  • keep a record of the firewall configuration up-to-date
  • limit who can make changes to the firewall
• Ensure the host servers are fully patched (e.g. operating system, services, applications and supporting code), check all providers for software updates regularly and allow time for installing these.
  • remove or disable all unnecessary services and other software
  • delete old, unused and backup files from the host servers
• Identify all accounts (log in credentials) that provide server access (not just normal web page access), such as used for transferring files, accessing administrative interfaces (e.g. CMS admin, database and server management/configuration control panels) and using remote desktop. Change the passwords. Keep a record of who has access and remove accounts that are no longer required and enable logging for all access using these accounts.
  • restrict what each account can do as much as possible
  • add restrictions to the use of these accounts (e.g. limit access by IP address, require written approval for use, keep account disabled by default)
• Check that every agreement with third parties that are required to operate the web site are in the organisation's own name. These may include the registration of domain names, SSL certificates, hosting contracts, monitoring services, data feeds, affiliate marketing agreements and service providers such as for address look-up, credit checks and making online payments.
  • ensure the third parties have the organisation's official contact details, and not those of an employee or of the site's developers
  • make note of any renewal dates
• Obtain a copy of everything required for the web site including scripts, static files, configuration settings, source code, account details and encryption keys. Keep this updated with changes as they are made.
  • verify who legally owns the source code, designs, database, photographs, etc.
  • check what other licences affect the web site (e.g. use of open source and proprietary software libraries, database use limitations).

Do what you can, when you can. Once those are done, then:

• Verify the web site and all its components (e.g. web widgets and other third party code/content) does not include common web application vulnerabilities that can be exploited by attackers (e.g. SQL injection, cross-site scripting).
  • use resources such as the OWASP Top Ten and WASC Threat Classification
  • build security requirements into future developments
• Check what obligations the organisation is under to protect business and other people's data such as the Data Protection Act, guidance from regulators, trade organisation rules, agreements with customers and other contracts (e.g. PCI DSS via the acquiring bank).
  • impose security standards and obligations on suppliers and partner organisations
  • keep an eye open for changes to business processes that affect data
• Document (even just some short notes) the steps to rebuild the web site somewhere else, and to transfer all the data and business processes to the new site.
  • include configuration details and information about third-party services required
  • think about what else will need to be done if the web site is unavailable (does it matter, if so what exactly is important?)
• Provide information to the web site's users how to help protect themselves and their data.
  • point them to relevant help such as from GetSafeOnline, CardWatch and Think U Know
  • provide easy methods for them to contact the organisation if they think there is a security or privacy problem
• Monitor web site usage behaviour (e.g. click-through rate, session duration, shopping cart abandonment rate, conversion rate), performance (e.g. uptime, response times) and reputation (e.g. malware, phishing, suspicious applications, malicious links) to gather trend data and identify unusual activity.
  • web server logs are a start, but customised logging is better
  • use reputable online tools (some of which are free) to help.

That's just the basics. So, what would be next for an SME? If the web site is a significant sales/engagement channel, the organisation has multiple web sites, is in a more regulated sector or one that is targetted particularly by criminals (e.g. gaming, betting and financial), takes payments or does other electronic commerce, allows users to add their own content or processes data for someone else, the above is just the start. Those SMEs probably need to be more proactive.

This helps to protect the SME's business information, but also helps to protect the web site users and their information. After all, the users are existing and potential customers, clients and citizens.

Oh, the best response I had to someone when I was explaining my work: "You're an anti-hacker than?". Well, I suppose so, but it's not quite how I'd describe it.

Any comments or suggestions?

The use of particular top-level country domain names (e.g. .co.uk or .com) does add an element of trust to a visitor's impression of the site. On Thursday, the Metropolitan Police's Central e-Crime Unit (PCeU) closed 1,219 web sites selling fake designer goods.

Whilst I'm not suggesting that any readers of this blog were operating these sites, it is worth bearing in mind the sanctions that can be applied by the government for illegal trading. In this case, Nominet who maintain the register for .uk domains, were asked to take down the domain names to protect consumers and companies selling legitimate goods.

If the fake sites had not been on .co.uk domain, they may have been less able to con consumers into parting with their money and not receiving anything or buying counterfeit products, and the PCeU would have had a harder time taking action. Providing sufficient evidence has been gained, it appears these measures were appropriate in the circumstances.

It seems a missing full stop brought down every web site hosted on a domain ending with .se (the top-level domain for Sweden) on Monday evening.

The .SE registry had apparently performed an incorrect software update but actually a script (program written by a human) had failed to add a terminating full stop (.) to the DNS records in the .se zone. Tested? I guess not.

It reminded me of Google's mishap in May when it flagged every site as potentially harmful by simply adding an extra forward slash (/) character to a file.

And, simple punctuation mistakes can invalidate the HTML of your web page, or stop your application's scripts from running. In July Microsoft created a security flaw in Windows by the addition of an extra ampersand (&) character.

Tim Berners-Lee is still wishing he hadn't put two forward slashes in every URL.

The mighty power of a punctuation mark.

It's common for access to some web sites to be restricted to users from particular Internet Protocol (IP) addresses. This is usually in addition to some other identification and authentication method. But other IP addresses are often added to this "allow list" and these should not necessarily be trusted in the same way.

In a typical scenario, a web site hosted on the internet that is used to administer another web application might be restricted to the company's own IP addresses. Then the developers say they need to check something on the live site, or another server needs to index the content, or someone wants to work from home for a while, or the site needs to be demonstrated at a client's location. All these additional IP addresses are added to the "allow list". These restrictions may be being applied at a network firewall, traffic management system, at the web server, in the application itself, in intrusion detection systems or in log analytical software, or in many of these. These are difficult to manage and in time there will be many IP addresses that no-one knows why they are allowed unless they are carefully documented, and subject to a fixed time limit when they are confirmed again by an appropriate person or removed. These extra addresses are quite often hard for someone else to guess.

However, there is another area where IP addresses are added to "allow lists", and this is for remote monitoring and testing services. These might be checking uptime, response times, content changes, HTML validation or security testing. The service providers publish the IP addresses of the source systems so that companies can specifically allow access to their web sites. Since the number of these services is relatively small, it's not too difficult to find which one might give access to areas of a web site or web application that the public (and malicious people) should not be able to get to. The particular danger here is that the IP addresses might be excluded from monitoring and logging, and therefore even a diligent web site manager might not realise for example the uptime monitoring service is making unusual, or excessive, requests.

Although it is not likely a malicious person is using this "trusted" address unless routing has been compromised as well, problems can go undetected, from what might seem to be a legitimate source. The IP address may have been typed incorrectly, or worse, the restrictions/exceptions may not have been implemented correctly allowing more addresses to have the privileged access than intended. Not logging a user's session is privileged access.

Allow traffic through, but be very specific what is allowed and monitor what's going on. Review all the exceptions periodically. Be especially careful about anything that bypasses authentication (such as allowing a search engine to crawl restricted-access content) on an otherwise public site.

E-consultancy.com has many excellent online marketing and e-commerce resources, and I read the blogs and forums regularly. The following posting appeared on the forum a couple of days ago:

This cry for help worried me. Although the forum replies were helpful, it did make me wonder how many other web site owners have no idea where their web site is hosted.

If this is really the case here, it probably means the owner doesn't have all the resources to rebuild the site elsewhere and possibly is without back-ups of the data. And what about the intellectual property ownership? It's something which all developers should be discussing with their customers. My first suggestion would have been to contact the development company. A cursory examination of the source code reveals:

This company even showcases the site:

Now, we have no idea of the background and cannot guess if there is anything amiss. But the site is a card payment enabled e-commerce site, and surely the owner has had to comply with the Payment Card Industry (PCI) Security Standards Council's Data Security Standard (DSS)? Knowing where your web site is hosted would be one of the earlier things to discover.

Let's hope it's sorted soon.