Wednesday, September 16, 2009

The Basics of Site Security Again

You log on to your site and notice that, from your administrator's console, things don't look right. So you search the site access log and discover the worst. You've been hacked. There's an unfamiliar IP address in the log, and when you try to find out who is behind it you get nothing back: no site, no host, just a dead end (a 404, by the way, means a page was not found, not that a site doesn't exist; the intruder's address simply leads nowhere you can follow).

Now what do you do? What did the hacker do? Is there a digital ticking time bomb buried in your site's code? A Trojan horse, perhaps? And what about the sensitive personal data stored in your site's database? A quick check of MySQL shows the tables are still intact, but intact is not the same as private: an intruder who could read the database could copy it without changing a byte, so you have to assume that data has been compromised.

Any site is vulnerable to hackers, crackers, script-kiddies and other black hats regardless of how many layers of security you have in place. Remember, hackers never sleep and they're always looking for web site vulnerabilities. They could have gained entry to your site in lots of different ways, and every form your site exposes is a possible way in. An order form or a newsletter sign-up accepts whatever the visitor types, and if that input isn't checked before it reaches your database or your code, it can carry an attack straight through.

You’ve got a problem. So, never let it get this far.

Keeping the Bad Guys at Bay

Once a site has been hacked, getting it scrubbed clean and back online can be an arduous, time-consuming, money-losing proposition. Better to keep those evil-doers out from the start.

Check your host server's configuration. Oops, forgot to do that.

Revisit your server configuration. You can buy the best, locked-down-tight security product, but if the server itself isn't configured to match it (file permissions, running services, default accounts and settings), the product only provides a false sense of security. You aren't getting what you paid for.

Sync up for safety.

Keep security software and hardware current.

We all know that the hacker community has little else to do except sit around devising new ways around the latest patches from Microsoft or from security software vendors like McAfee. The security programmers know it all too well, so 24/7 there's a battle going on between them and hackers looking for a trophy and web creds from other hackers.

Update the security you already have in place regularly. Check for patches and fixes, and turn on automatic updates wherever the software offers them.

Keep meticulous records of all software. (Keep the box.)

Maintain a record of all software in use to support your business, including the version number, e.g. XYZ 2.0, along with license keys and other information that'll come in handy if a hacker does get through. An online security company needs to know as much about your software as the hacker did. Make it easy for that company by providing make, model and serial number.

Review log files.

At least once a day, check your back office logs (the web server's access and error logs, plus any application and database logs) to make sure no one has dropped by unnoticed. Look for addresses that hit page after page that doesn't exist, for requests to your administrator pages from addresses you don't recognize, and for odd characters in the query strings of ordinary pages.
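What a daily log review looks like when it is automated. This is an added example written for this post, not code from the original page. It runs over a handful of constructed access-log lines in the common "combined" format embedded below (no real traffic), and the trigger thresholds, the list of administrator paths and the "known admin" address are assumptions for the demo that you would tune to your own site.

```python
"""Triage a web-server access log for the three signs of an uninvited visitor
described above: 404 storms (scanning), admin pages reached from unknown
addresses, and injection-looking query strings.

Added example for this post; the sample lines and thresholds are constructed.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in Apache/nginx "combined" log format. Not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Sep/2009:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Sep/2009:10:01:05 +0000] "GET /products.php?id=42 HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Sep/2009:10:02:10 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"
198.51.100.9 - - [16/Sep/2009:10:02:11 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"
198.51.100.9 - - [16/Sep/2009:10:02:12 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/4.0"
198.51.100.9 - - [16/Sep/2009:10:02:13 +0000] "GET /backup.zip HTTP/1.1" 404 210 "-" "Mozilla/4.0"
198.51.100.9 - - [16/Sep/2009:10:02:14 +0000] "GET /.env HTTP/1.1" 404 210 "-" "Mozilla/4.0"
198.51.100.9 - - [16/Sep/2009:10:02:15 +0000] "GET /products.php?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 9800 "-" "Mozilla/4.0"
198.51.100.9 - - [16/Sep/2009:10:02:20 +0000] "GET /admin/console.php HTTP/1.1" 200 4100 "-" "Mozilla/4.0"
192.0.2.20 - - [16/Sep/2009:10:05:00 +0000] "GET /admin/console.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Crude signatures of tampering with a query string (SQL injection, path traversal, script tags).
INJECTION_PATTERNS = [
    re.compile(r"'\s*or\s+1\s*=\s*1", re.I),
    re.compile(r"union\s+select", re.I),
    re.compile(r"\.\./"),
    re.compile(r"<script", re.I),
]

# Assumption: these are the paths that only the site owner should ever reach.
ADMIN_PREFIXES = ("/admin/", "/wp-login.php", "/phpmyadmin/")
# Assumption: the owner's office address, the only one expected on admin pages.
KNOWN_ADMIN_IPS = {"192.0.2.20"}


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it isn't combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text, known_admin_ips=KNOWN_ADMIN_IPS, scan_threshold=4):
    """Return a list of (kind, ip, detail) findings for a log in the order they are seen;
    per-address 404 counts are reported once at the end."""
    findings = []
    not_found = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, status = rec["ip"], int(rec["status"])
        path = unquote(rec["path"])  # decode %27 etc. so the signatures can see the payload
        if status == 404:
            not_found[ip] += 1
        if any(p.search(path) for p in INJECTION_PATTERNS):
            findings.append(("injection_attempt", ip, path))
        if path.startswith(ADMIN_PREFIXES) and status == 200 and ip not in known_admin_ips:
            findings.append(("admin_access_from_unknown_ip", ip, path))
    for ip, n in not_found.items():
        if n >= scan_threshold:
            findings.append(("probable_scan", ip, f"{n} x 404"))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in triage(SAMPLE_LOG):
        print(f"{kind:30} {ip:15} {detail}")
```

Run it and every finding points at 198.51.100.9: it probed for five files that don't exist, fed a `' OR 1=1--` into a product page, and then opened the administrator console, while the owner's own visit to the console from the known address raises nothing. The signatures are deliberately crude; the value is in reading the output every day, so that the first line of a scan is noticed before the last one succeeds.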

Good time to bring up permissions. A lot of small companies maintain a network of computers: one in customer service, one in accounting and so on. A network is a must even for small businesses today, because the business relies on it to reach its data and its records of activity.

This requires the company owner to keep a permissions log: a directory of which employees have access to what company data. Not every department and employee should have access to all data, only to the information required to do the job.

Limit the number of people who hold permissions. Limit access to data. And train employees in safe and secure online practices, e.g. scanning email attachments, running daily virus scans across the network and so on.

And worth another mention, keep the permissions log up to date. Disable the accounts of ex-employees and of anyone else who has no business looking at order tracking data.

Stay current on viral epidemics.

First, always keep site security in mind. Consider it a key part of your job as online business owner. That requires a pro-active approach to security, and that requires knowledge of the latest frauds, scams, schemes and viruses.

A new virus, once discovered, is almost instantly documented on webmaster sites, on security software sites and, of course, on the Microsoft download page. That's good. It keeps a local outbreak from becoming a pandemic. Keep up with the latest hacker tactics and the fixes offered on the web. If you wait, your site stays exposed to an attack for which a cure already exists.

Bulk up your passwords.

This is a simple step that doesn't cost a penny, yet many site owners still insist on using their pet's name as the administrator password. Anyone who knows the site owner will be able to guess their way in in, oh, about 10 minutes.

Limit access and create passwords that can't be guessed. Dictionary software is freely available on hacker sites. These programs try millions of words, names and letter-and-number strings a day, with the usual variations (a capital first letter, a digit or two on the end), until they hit the real password. So make your passwords long, use letters, numbers and symbols, never reuse one across sites, and change any password you suspect has leaked.

Change all passwords whenever an employee leaves the company.
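The difference between a pet's name and a real password, shown in working code. This is an added example for this post, not code from the original page. The wordlist, the mangling rules and the "leaked" hash are constructed for the demo; a real cracker's list has millions of entries and runs on a GPU, so the point is the ratio, not the absolute numbers.

```python
"""Dictionary attack against a hashed password, and why length plus a slow,
salted hash defeats it.

Added example for this post. The wordlist and mangling rules are a constructed
miniature of what cracking tools ship with.
"""
import hashlib
import math
import os
import secrets
import string
import time

# Constructed mini wordlist: pet names and the usual suspects.
WORDLIST = ["fluffy", "rex", "bella", "max", "mittens", "password", "admin"]
# Mangling rules crackers apply to every word: plain, capitalised, upper-cased, plus a suffix.
SUFFIXES = ["", "1", "12", "123", "2009", "!"]


def candidates(words=WORDLIST, suffixes=SUFFIXES):
    """Yield every word in every case variant with every common suffix."""
    for word in words:
        for variant in (word, word.capitalize(), word.upper()):
            for suffix in suffixes:
                yield variant + suffix


def sha256_hex(password):
    """An unsalted fast hash: what a careless site stores, and what a cracker can test millions of times a second."""
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(target_hash, hash_fn=sha256_hex):
    """Return (cracked_password, guesses_tried), or (None, guesses_tried) when the list is exhausted."""
    tried = 0
    for tried, guess in enumerate(candidates(), start=1):
        if hash_fn(guess) == target_hash:
            return guess, tried
    return None, tried


def entropy_bits(password):
    """Rough size of the search space, log2(charset ** length). An estimate, not a guarantee."""
    pools = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    charset = sum(len(p) for p in pools if any(c in p for c in password))
    return len(password) * math.log2(charset) if charset else 0.0


def generate_password(length=16):
    """A random password from letters, digits and symbols, using the OS's secure generator."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def pbkdf2_hex(password, salt, iterations=100_000):
    """A slow, salted hash for storing passwords: each guess costs the attacker
    100,000 SHA-256 rounds, and the salt means a list of precomputed hashes is useless."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


if __name__ == "__main__":
    leaked = sha256_hex("Fluffy1")  # the "pet's name" admin password, as stored by a careless site
    t0 = time.perf_counter()
    found, tries = dictionary_attack(leaked)
    print(f"cracked {found!r} after {tries} guesses in {time.perf_counter() - t0:.5f}s")

    strong = generate_password()
    found, tries = dictionary_attack(sha256_hex(strong))
    print(f"random 16-char password: found={found} after {tries} guesses, "
          f"about {entropy_bits(strong):.0f} bits to search")

    salt = os.urandom(16)
    t0 = time.perf_counter()
    pbkdf2_hex("Fluffy1", salt)
    print(f"one PBKDF2 guess costs {time.perf_counter() - t0:.3f}s; a plain SHA-256 guess costs microseconds")
```

The first attack succeeds in eight guesses, because "Fluffy1" is just a wordlist entry with one of the standard mangling rules applied. The random 16-character password is not found at all, and its search space is around 100 bits, far beyond any list. The last line is the server-side half of the lesson: if you are the one storing passwords, hash them with a slow salted function such as PBKDF2 (or bcrypt/scrypt/Argon2) so that even a leaked database costs the attacker a fraction of a second per guess instead of a microsecond. On rotation, current guidance (NIST SP 800-63B) favours long unique passwords changed on suspicion of compromise over rotation on a fixed calendar, which tends to produce "Fluffy2".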

Run a check of all content generated by third parties.

You might download a FREE counter and pick up a key-logger along with it: software that records every keystroke made by you and other members of the office network.

Evaluate the source of the content. For example, sites that syndicate content via RSS feed should be Googled and checked by you, the web business owner. Any third-party content, and especially any third-party script you paste into your pages, runs with the full trust of your site and can be booby-trapped, so be careful. As mom used to say, "You don't know where it's been!"

Check your links. Check their ads.

Links are important to building connectivity within a small market. But a link is also a relationship with another site, so always consider the company you keep. A link from your pages to a site that has since been compromised sends your visitors straight to malware, and any code you embed from another site (a widget, a counter, an ad script) runs inside your own pages and can deliver it directly.

Same with paid advertising. Some "company" may pay you $50 a month to advertise on your site, then build a shell site or mirror site that copies yours and steals your sales. You might not notice for a couple of days, and by then your legitimate business could be out thousands in sales and facing a mess of customer complaints that only costs more to repair.

Just because an advertiser “sounds nice on the phone” doesn’t mean that she’s running a legitimate business. Know what’s on your pages. Know who’s on your pages. If it looks funny, or your instincts tell you something’s not right, do you really need that extra $50 a month? Take care with those who reach out to touch you. They may be picking your pocket.

When you grow, hire a pro.

When you’re just starting out with a new site, money is always tight, always a consideration. In this case, go with a reputable web host that maintains high levels of server security, including isolation between the customer accounts that share a server, so that another customer's hacked site can't be used as a stepping stone to yours. And if this is all gibberish, call the tech support team at your hosting company.

However, at some point, when that online business has grown from a part-time hobby to your sole source of income, congratulations. Now hire a pro.

Site security is no longer a priority. It’s become the priority once you’ve quit your day job and now rely on web traffic to pay the bills. Have a security pro check your system and, if merited, hire a security service that tracks attacks on your site, providing higher levels of safety for your “hand-built” digital business.

Yep, despite the fact that the web has been gussied up in recent years, it’s still a lawless frontier in which you have to protect yourself. The web police don’t exist so forget the 911 call. It won’t help.

The secret to a secure site is constant vigilance and automated convenience. Buy good security software. Configure it properly alongside the server's own security settings. Update regularly and keep track of who comes and goes, whether an employee, a linked site or a paid advertiser.

Keep security front and center. It will keep what’s yours – yours!

Site security is serious business. If you're serious about your web-based biz, drop me a line. You can bet that some hacker, cracker or script-kiddie is working on ways to do you wrong.