Welcome to the SecAware blog

I spy with my beady eye ...

17 Sept 2018

NBlog Sept 17 - fragility

In preparation for a forthcoming NoticeBored security awareness module, I'm researching business continuity.  Today, by sheer coincidence, I've stumbled into a business discontinuity: specifically, the website for a commercial company advertising/sponsoring a popular multi-week New Zealand radio show promotion is currently unavailable. It seems to have been so fragile that it broke.

This is how the web page looks right now:

Mostly white space. 502 is the standard HTTP status code for 'bad gateway', meaning that some intermediate system, such as a proxy or load balancer, could not get a valid response from the company's web server. It appears to be dead. Resting maybe.

The HTML code for the sparse error page is almost as sparse - just these 14 lines, half of which are comments:

DownForEveryoneOrJustMe.com tells me it's not just my Internet connection playing up. The website really is unreachable.

That's the NZ website. The company's Australian website is also unavailable, whereas its US site is up and running. 

nginx is a web server that is also widely used as a front-end reverse proxy, load balancer and cache for other web servers. Given the radio promotion, it is possible the company is using nginx as a cache to reduce an anticipated heavy load on the webserver, or to balance the load across several webservers, but either way evidently it isn't working out right now.

Summing up the situation:
  • The company has planned and paid for a radio promotion including links to its website: management must have known this was coming;
  • Management appears (at some point) to have made technical arrangements to cope with a heavy load on the webserver: presumably, it anticipated the risk of the website being overloaded;
  • The technical arrangements appear to have failed: the website is currently unavailable;
  • Either management doesn't know the corporate website is down (due to the lack of effective monitoring) or it knows but hasn't reacted effectively (maybe nginx was the response: it hasn't worked for me, today);
  • The company has fallen off the web, making it hard for potential customers to make contact and do business;
  • That, in turn, has implications for its public image: its brand is becoming somewhat tarnished by this incident. It's not a good look.

This is a classic information security (availability and integrity) incident with business implications. The website evidently wasn't sufficiently resilient, and the incident does not appear to have been handled effectively. 
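
An added example, not part of the original post: the monitoring gap noted in the summary, sketched as an external availability check that separates a front-end answering 502/503/504 from a site that does not answer at all, and reports an outage only after several consecutive failed probes. The probe records, the five-minute interval and the threshold of three are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Status codes a front-end proxy returns when it cannot get a good answer
# from the web server behind it.
GATEWAY_ERRORS = {502, 503, 504}

@dataclass
class Probe:
    ts: str                # time of the check (constructed values below)
    status: Optional[int]  # HTTP status code, or None if nothing answered

def classify(p: Probe) -> str:
    if p.status is None:
        return "unreachable"    # DNS, TCP or TLS failure: nothing answered
    if p.status in GATEWAY_ERRORS:
        return "gateway_error"  # front-end is up, back-end is not
    if p.status >= 500:
        return "server_error"
    return "ok"                 # the site answered (2xx to 4xx)

def outages(probes: List[Probe], threshold: int = 3
            ) -> List[Tuple[str, Optional[str], str]]:
    """Return (start, recovered_at, kind) for each run of at least
    `threshold` consecutive failed probes. recovered_at is None while the
    outage is still open; kind is the failure type seen when the threshold
    was reached, i.e. when an alert would have fired."""
    found, run = [], []
    for p in probes:
        kind = classify(p)
        if kind != "ok":
            run.append((p.ts, kind))
            continue
        if len(run) >= threshold:
            found.append((run[0][0], p.ts, run[threshold - 1][1]))
        run = []
    if len(run) >= threshold:   # still down at the end of the data
        found.append((run[0][0], None, run[threshold - 1][1]))
    return found

# Constructed sample: one check every five minutes.
SAMPLE = [Probe("09:00", 200), Probe("09:05", 502), Probe("09:10", 200),
          Probe("09:15", 502), Probe("09:20", 502), Probe("09:25", 502),
          Probe("09:30", 502), Probe("09:35", 200)]

if __name__ == "__main__":
    for start, end, kind in outages(SAMPLE):
        print(f"outage ({kind}) from {start}, recovered {end or 'not yet'}")
```

The single 502 at 09:05 is treated as a blip and ignored, while the sustained run from 09:15 is reported along with its recovery time.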

Of course, we can only guess at some of this in the absence of further information. Perhaps my assumptions are wrong. Maybe the fault lies elsewhere and/or the situation is more complex than it appears. Conceivably, the site might even have been taken down deliberately as a response to some other incident. We just don't know.

But we do have a little case study for the awareness module. I'll continue checking the site to see what happens next - how the situation resolves and perhaps gleaning further information about the incident.

[I haven't named the company because it isn't necessary to do so, and I don't want to make the incident any worse for them than it already is by prompting YOU to go check out their website as well!]

UPDATE: by 9am the following day, both the NZ and Australian websites were back on the air.
