Guardians of your Web security

Who: Brian Koref

Company: Conxion Corp., Santa Clara, Calif.

Title: Web security architect project leader

Background: U.S. Air Force Office of Special Investigations, Unix systems administrator, computer crime investigator

Most recent previous job title: Senior systems analyst, security

Reports to: Director, information security

Skills for job: Security tools experience; knowledge of security vulnerabilities in major operating systems, the Web and e-commerce applications; networking; some programming; people and business skills

Key to success: "The key to getting executive buy-in to security is to talk their talk. Show them how lack of security will hit productivity and profits."

A new information technology job title has emerged that may sound like a combination of secret agent and master builder: Web security architect. But don't let the title fool you. Web security is in-the-trenches work, says Brian Koref, who's responsible for the security of more than 100 business Web site servers cohosted at his company, Conxion Corp. Here's a look at his work and its challenges and opportunities.

Elementary Web security: "Business ISPs are a prime target for hackers, because they're looking for rich server farms," Koref explains. "When CD Universe got hacked, no one realized that it was the company's ISP that got hacked. So straight off, you've got to look at how an ISP handles the security end of the business."

Getting started: Before working on a Web security project, Koref explores the architecture -- everything from the type of operating systems to the software housed on the Web server.

If some of that software is homegrown, he examines the software code. This is an important first step to Web security, because Perl, common gateway interface scripts and Java applets created in-house are often written without security in mind. "You need to make sure these applications won't accept rogue Java applets or Perl scripts," he says.

Temperament: Attention to detail is only one part of the job. It also requires diplomacy. How do you tell corporate higher-ups that their security stinks? How do you get them to spend money on security? "I try to talk in their language," Koref explains. "For example, a firewall could be the single biggest point of failure in a company. If it breaks and it stops business, it could be very costly. And if customer information or credit cards get stolen, you're also talking reputation risk."

Tools of the trade: After reviewing a system, Web security architects secure the environment through a combination of means, including encryption, firewalls, intrusion detection tools, antivirus applications, public-key infrastructures and virtual private networks. They're also responsible for mapping the network, patching operating systems and removing vulnerable services -- like anonymous file transfer protocol (FTP).

Challenges: Patience and flexibility are also important for anyone doing this work, staffing experts say. First, according to Ian Poynter, founder and president of security consulting firm Jerboa Inc. in Boston, it's hard to deal with imperfect technologies that don't interoperate easily. Second, building secure infrastructures over insecure operating systems, applications and services isn't easy. "Combined, it's very difficult to get your hands around all the little things," he says.

Complaints: Administrators tampering with secured servers can be an issue. "Once I've secured their systems, customers depart from the baseline security structure without telling me," Koref says. "Some clients have exposed themselves by reopening anonymous FTP into their servers (a favorite means of entry for hackers), or allowing read/write on their Web server hard drives -- great for hackers to store their hacking tools or pornography onto the client's Web server."
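A baseline-drift check for the two regressions described under "Tools of the trade" and "Complaints" (a Web root that became writable and anonymous FTP that was switched back on), as an added shell example that is not from the article or from Conxion. It assumes a vsftpd-style configuration file with an `anonymous_enable` key, which the article does not name.

```shell
#!/bin/sh
# Added example, not from the article: a baseline-drift check for a secured
# Web server. Assumptions not stated in the article: a vsftpd-style config
# file with an "anonymous_enable" key, and a web root directory on disk.

# Print every world-writable file or directory under the web root $1.
# Returns 0 when nothing is world-writable, 1 when at least one entry is.
webroot_is_clean() {
    offenders=$(find "$1" ! -type l -perm -0002 2>/dev/null)
    if [ -n "$offenders" ]; then
        printf 'DRIFT: world-writable under %s:\n%s\n' "$1" "$offenders"
        return 1
    fi
    printf 'ok: nothing world-writable under %s\n' "$1"
    return 0
}

# Returns 0 when anonymous FTP is disabled in config file $1, 1 when enabled.
# Comment lines are ignored and the last assignment wins. Only an explicit NO
# counts as disabled: an absent key is vsftpd's default (enabled), and any
# other spelling is treated as enabled, the conservative reading.
anon_ftp_disabled() {
    value=$(sed -n 's/^[[:space:]]*anonymous_enable[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    case "$value" in
        [Nn][Oo]) printf 'ok: anonymous FTP disabled in %s\n' "$1"; return 0 ;;
        *) printf 'DRIFT: anonymous FTP enabled in %s (anonymous_enable=%s)\n' "$1" "${value:-unset}"; return 1 ;;
    esac
}

# Constructed sample: a client reopened an upload directory and anonymous FTP.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/htdocs/upload"
    chmod 0755 "$tmp/htdocs" && chmod 0777 "$tmp/htdocs/upload"
    printf '# vsftpd.conf (constructed)\nanonymous_enable=YES\nwrite_enable=YES\n' > "$tmp/vsftpd.conf"
    drift=0
    # Run both checks so every finding is reported, then count them.
    webroot_is_clean "$tmp/htdocs" || drift=$((drift + 1))
    anon_ftp_disabled "$tmp/vsftpd.conf" || drift=$((drift + 1))
    rm -rf "$tmp"
    printf '%d drift finding(s)\n' "$drift"
    return 0
}
demo
```

Both functions print their verdict and return a status, so they can be scheduled against each customer's server and the output diffed against the last run.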

Outlook for career: Koref says he feels pretty good about his future. With the shortage of information security professionals and the boom in e-commerce, Koref can count on work well into the future. But he says his ultimate plan is to manage people like himself.

Radcliff is a freelance writer in Santa Rosa, Calif.


Copyright © 2000 IDG Communications, Inc.