Case Project 12-1: Web Server Security Analysis
A challenge that faces the information security community is to make sure their organizations' top decision makers understand the importance of effective security policies. Understandably, managers who are responsible for an organization's financial stability want to ensure that investments in "nonrevenue" activities are necessary and effective. In many ways, the field of information security is in its infancy; practitioners do not have a long history of research that indicates the most effective security countermeasures against specific threats. Also, the threats are constantly changing. As new generations of information security workers secure digital assets, they will also need to create a solid body of research-based evidence to support the practices they recommend. In this project, you read and summarize a research project that addresses Web server security.
Go to www.sans.org/reading_room/whitepapers/webservers/comparative-studyattacks-corporate-iis-apache-web-servers_33734. Read the entire article, including the appendices. Answer the following questions:
1. What was the purpose of the research project?
2. What did the research demonstrate about the relative security of the IIS and Apache software?
3. What do you think detracted from the credibility of the report?
4. What were the main findings of the study?
5. What did the results of the study imply about the frequency of automated attacks versus the frequency of manually controlled attacks against Web servers?
6. Based on the results of the study, what policies and procedures would you recommend for Web server security?
7. Based on this study, which operating system is easier to attack: Windows or Linux?