The web’s gotten complicated

So you have a website: how many third-party organizations are involved in making it run? It’s easy to forget about them, but those third-party agencies are ultimately supporting your site.

Most organizations can track down who they use for what, but it is often a case of "set it and forget it". As long as the accounting department keeps paying the renewal charges, nobody in IT or communications tends to think about it.

Every computer on the Internet has an IP address, but most people use a domain name for simplicity. This has to be provided by a Registrar, who is ultimately responsible for relaying it to the Internet Corporation for Assigned Names and Numbers (ICANN).

These Registrars sometimes bundle Domain Name System (DNS) hosting in with their services, but this is optional. There are a number of services that provide DNS either alone or associated with things like DDoS attack mitigation. Other times this can be covered by the web hosting company with the price of their services.

You might have set up an arrangement with a Content Delivery Network (CDN) for better performance and SEO. Many sites now have close integration with various social network sites.

This really is just touching the surface of the relationships that many organizations have with third-party web services.

If the protocol for communicating with these agencies isn’t clear and well documented (on both sides), there is an opening for a “social engineering” hack to compromise your site. This recently happened to the City of Ottawa’s website, which was redirected to an image of a dancing banana.

Hackers didn’t find a technical hole; rather, they were able to leverage human vulnerability to gain control of critical infrastructure.

Properly documented procedures are important, as third-party services can often be manipulated by fraudulent email or telephone requests. Document the relationship with organizations you use to run your site and keep it in a central place.

Train your staff so that they are more cautious about what they share with others, particularly over email. Many organizations have passwords stored in email archives; this is less secure than most people think.

Be cautious about emails, messages and calls from your service providers. Make sure to verify the source before giving out any information. Default to calling them back at the number or email listed in your records (or the website).

Email attachments from unknown senders can easily contain viruses that can compromise your computer. Pay close attention to website URLs: an attacker may use an HTML link whose visible text hides that it is sending you to a different URL than you think.
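The mismatch between what a link displays and where it actually points is something that can be checked mechanically. The following is an added example, not code from the article or from OpenConcept: it parses an HTML email body with Python's standard library and flags any anchor whose visible text names one host while its `href` points at another. The sample message, the hostnames in it, and the function names are all constructed for the illustration.

```python
"""Flag deceptive links in an HTML email body.

Added example (not from the original article): finds <a> elements whose
visible text looks like a URL but whose href actually points to a different
host, which is the trick the article warns about. Standard library only.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an HTML email body; the hosts are placeholders.
SAMPLE_HTML = """
<p>Your domain renewal is due. Please log in at
<a href="http://renewals.example.net/login">https://registrar.example.com</a>
to avoid interruption.</p>
<p>Support: <a href="https://registrar.example.com/support">https://registrar.example.com/support</a></p>
<p>Or <a href="https://registrar.example.com/help">click here</a>.</p>
"""


def _host_of(text):
    """Return the hostname a piece of link text appears to name, or None.

    Bare hosts such as 'registrar.example.com' are accepted by assuming https;
    ordinary words such as 'click here' yield None.
    """
    text = text.strip()
    if not text or " " in text:
        return None
    candidate = text if "://" in text else "https://" + text
    host = urlparse(candidate).hostname
    # Only treat the text as a URL if it contains a dotted hostname.
    if host and "." in host:
        return host.lower()
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def find_deceptive_links(html):
    """Return (visible_text, href) pairs where the displayed host differs
    from the host the href really points to."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown = _host_of(text)
        actual = urlparse(href).hostname
        if shown and actual and shown != actual.lower():
            findings.append((text.strip(), href))
    return findings


if __name__ == "__main__":
    for text, href in find_deceptive_links(SAMPLE_HTML):
        print(f"displayed {text!r} but points to {href}")
```

Run against the constructed sample, only the first link is reported: it displays `https://registrar.example.com` while sending the reader to `renewals.example.net`. Plain link text such as "click here" is not flagged, because the check only fires when the visible text itself claims to be a URL; that is the case the article describes, and a mail gateway or help-desk tool can apply the same test before a message reaches staff.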

The need for organizations to understand security has never been higher; unfortunately, bad assumptions have led to many sites being left very vulnerable to attack.

Mike Gifford
Mike Gifford is the founder of OpenConcept Consulting Inc, which he started in 1999. Since then, he has been particularly active in developing and extending open source content management systems to allow people to get closer to their content. Before starting OpenConcept, Mike had worked for a number of national NGOs including Oxfam Canada and Friends of the Earth. As a techie at heart, Mike likes to get into the code when he gets the chance. Being ultimately concerned about the implementation and implications of the technology, he is able to envision how your website can become a much more powerful communications tool for your organization. Mike has been involved with accessibility issues since the early 1990's and is a strong advocate for standards based design.


Jim Love, Chief Content Officer, IT World Canada
