A hacker’s lucky dip

In last month’s Toolkit, you learned about the risks of email communication. Perhaps your website’s security has crossed your mind as well?

Monday, November 24 2003 | By Stephan Spencer

Opportunistic hackers and malcontents constantly scour the Web for easy targets. Hopefully your website is not among their marked prey — but you should assume that it is. With the holiday shopping season already upon us, e-commerce sites must be especially vigilant.

Cybercrime, in all its facets — hacking, online fraud, security breaches, information theft, defacements, electronic espionage, and service interruption — seems to be at an all-time high. If the threat doesn’t seem real enough, peruse some of the thousands of defaced home pages immortalised at Zone-H’s Digital Attacks Archive, including those of Canon.co.nz, Microsoft.co.nz and countless others.

How do hackers manage to slip inside? Their tactics are too many to recount here, but their weapons include point-and-click Windows-based graphical software like password crackers and port scanners written by other hackers. They also “sniff” for passwords in unencrypted data streams as they traverse the Internet, spoof IP addresses of trusted machines, and launch “Denial of Service” attacks using hijacked servers.

What is a website manager to do?
• Don’t store credit card numbers on your server, even temporarily. If you must, at least store them encrypted.

• If you collect credit card numbers or other sensitive information, use a secure certificate with 128-bit encryption, not the cheaper, less secure 40-bit variety.

• When emailing sensitive information from your web server to an employee’s inbox, encrypt the email with PGP.

• Hire a security consultancy to conduct a website security audit. If you want to do it on the cheap, have your web server administrator download Nessus and run a vulnerability scan on your web server and network.

• Make sure server passwords aren’t based on a birth date, a word in the dictionary, or the name of a pet, child or spouse. A good password is a combination of letters, numbers, and punctuation, and is at least eight characters in length. Change passwords regularly.

• Disable all unneeded services, such as FTP (file transfer protocol). The fewer services running on your server, the fewer potential soft spots.

• Stay vigilant. Monitor the server’s log files — use LogWatch or similar. Subscribe to a service that alerts you to security holes as they are discovered, such as BugTraq. Install the latest security patches as they become available.

• Purchase insurance that covers against cybercrime. Traditional business liability insurance usually excludes such losses.

• Do not have a guest book that allows unchecked submissions to be posted. Search engine spammers vandalise them with links and messages about herbal Viagra and other scams.

• Run daily backups and cycle them so that past “snapshots” are archived and stored offsite.
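The “stay vigilant” advice above boils down to reading the server’s log files for patterns a human would not spot by eye. The script below is an added example, not code from the article, Netconcepts or LogWatch: it parses web-server access logs in Apache’s “combined” format, tallies response codes, and raises an alert when one client address collects five or more 401/403/404 responses inside a one-minute window, which is the signature of someone rattling the door handles. The log lines are constructed for the example (addresses from the RFC 5737 documentation ranges), and the threshold and window are assumptions to tune for your own traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" log format; the addresses come
# from the RFC 5737 documentation ranges and the traffic is invented. The last
# line is deliberately malformed to show that bad input is counted, not crashed on.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Nov/2003:10:00:01 +1300] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [24/Nov/2003:10:00:02 +1300] "GET /products.html HTTP/1.1" 200 8300 "-" "Mozilla/4.0"
198.51.100.9 - - [24/Nov/2003:10:00:05 +1300] "GET /admin/ HTTP/1.1" 401 210 "-" "Mozilla/4.0"
198.51.100.9 - - [24/Nov/2003:10:00:06 +1300] "GET /admin/ HTTP/1.1" 401 210 "-" "Mozilla/4.0"
198.51.100.9 - - [24/Nov/2003:10:00:07 +1300] "GET /admin/ HTTP/1.1" 401 210 "-" "Mozilla/4.0"
198.51.100.9 - - [24/Nov/2003:10:00:08 +1300] "GET /admin/ HTTP/1.1" 401 210 "-" "Mozilla/4.0"
198.51.100.9 - - [24/Nov/2003:10:00:09 +1300] "GET /admin/ HTTP/1.1" 401 210 "-" "Mozilla/4.0"
198.51.100.9 - - [24/Nov/2003:10:00:10 +1300] "GET /admin/ HTTP/1.1" 401 210 "-" "Mozilla/4.0"
192.0.2.44 - - [24/Nov/2003:10:01:00 +1300] "GET /old-page.html HTTP/1.1" 404 180 "-" "Mozilla/4.0"
192.0.2.44 - - [24/Nov/2003:10:01:01 +1300] "GET /missing.gif HTTP/1.1" 404 180 "-" "Mozilla/4.0"
this line is not in combined log format
"""

# One combined-format line: client, identity, user, [timestamp], "request", status, size, "referer", "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

# Responses that usually mean "asked for something it was not allowed to have, or guessed a path".
DENIED_OR_MISSING = ("401", "403", "404")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def summarize(log_text, threshold=5, window_seconds=60):
    """Tally status codes and flag clients with `threshold` or more denied/missing
    responses inside any `window_seconds` span (a sliding-window burst detector).
    Threshold and window are assumed defaults, not values from the article."""
    status_counts = Counter()
    by_client = defaultdict(list)   # ip -> timestamps of 401/403/404 responses
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        status_counts[rec["status"]] += 1
        if rec["status"] in DENIED_OR_MISSING:
            by_client[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in by_client.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until the span fits inside window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                flagged[ip] = max(hits, flagged.get(ip, 0))
    return {"status_counts": status_counts, "flagged": flagged, "unparsed": unparsed}


def report(log_text):
    """Render the summary as the kind of daily digest LogWatch-style tools email out."""
    s = summarize(log_text)
    lines = [f"{code}: {n}" for code, n in sorted(s["status_counts"].items())]
    for ip, n in s["flagged"].items():
        lines.append(f"ALERT {ip}: {n} denied/not-found responses within one window")
    if s["unparsed"]:
        lines.append(f"{s['unparsed']} line(s) could not be parsed")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real access log by passing the file’s contents to `report()` from a nightly cron job and mailing the output to the administrator; the sliding window matters because a single client producing six 401s in five seconds is a very different event from six 401s spread over a day.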
Stephan Spencer is Managing Director of web agency Netconcepts