Archive for December, 2008

What’s Your Internet Security Risk?

Posted by Jason Shindler in newsletter on December 15, 2008

Internet security is a big issue for everyone, whether you’d like to think so or not. If your Web site does any e-commerce, or collects any data about your clients, you should take steps to protect your site. Even if your site doesn’t ask for information from users, you should still be aware of potential security risks. This article is neither meant as comprehensive advice, nor as a scare tactic. We’d just like you to start thinking about the kind of data your Web site displays and stores.
A cross-site scripting attack is a type of hacking that occurs when a malicious user is allowed to enter/insert a JavaScript command into an HTML form on your Web site and gain access to the back-end of your site. By exploiting vulnerabilities in your Web site, the hacker could embed malicious script into your site for your clients to unknowingly download. This type of hacking can result in gaining unauthorized access or stealing of sensitive information. For those who don’t know, JavaScript is a coding language that allows you to take full advantage of the functionality of any given Web site. You could turn off JavaScript on your Internet browser, but that would prevent you from utilizing the full capacity of the Internet as nearly every site uses JavaScript in some way. 

- Security -
 
JavaScript is not the only programming language that poses Internet security issues. Web sites communicate with database tables through a language called structured query language, or SQL. One common way that SQL can be turned to malicious purposes is through a SQL injection attack. If your site has a search function, or a text box to input information, a malicious user can type in any combination of letters and numbers in an attempt to receive an error message. This combination of letters and numbers, or string, may result in a specific type of error message that reveals pertinent information about your database tables. A malicious user can use the revealed information to hack into the back-end of your Web site and retrieve or remove data, and alter or delete entire database tables.
 
The above examples aren’t meant to spur you into taking any drastic action. Instead, start by taking a look at the kinds of information shown on your Web site and how it is stored. Here are a few basic questions you should be able to answer:

  • What information do your error messages display?
  • Where is your online data being stored?
  • Is your data encrypted?
  • How simple are your passwords and user names? How often are these changed?
  • If you have a change in personnel, do you immediately change your passwords?
By knowing this information, it is easier for you to speak knowledgeably to your key employees and contracted workforce. Talk to your IT department and Web developer about the information displayed in your Web site’s error messages. Speak to your billing department about how payment information is retrieved, stored, and safeguarded. Develop a system with your human resources staff to methodically address access to significant information when you have a change in personnel.
 
While security is not an absolute – unfortunately, no one can completely protect their Web site or computer system – there are significant precautions you can take to reduce the likelihood of your data being accessed by the wrong person. Simply being aware of your company’s weaknesses can go a long way in helping your Web site developer and IT personnel tackle a large portion of your company’s security risk.

,

No Comments