Web Site Security
There seems to be no end to the threats that menace your online business. It might be a hacker vandalizing your home page, a competitor prying into your marketing plans, a thief stealing your credit-card files, a disgruntled employee sabotaging your customer database, or a malicious kid sending you a virus.
It is important to realize that the very nature of the Internet will always make your business vulnerable. The medium's accessibility and openness are what make it such a powerful new place to conduct business. Unfortunately, accessibility and openness often conflict with your need to secure your money, your sensitive customer information, and your other important business data.
The threats are real, but they can be thwarted. Just as you protect your data by backing it up, you can protect your site's integrity by establishing security procedures.
Limit Access
The first way to secure your site is to restrict access to it. Obviously, you don't want to restrict access to your Web pages, but you do need to prevent malicious intruders from getting access to your databases, your programs, your Common Gateway Interface (CGI) or Active Server Pages (ASP) scripts, and so on.
Passwords
Your first line of defense is password protection of the directories and files where your sensitive data and programs are stored. Your Internet service provider's (ISP) technical support staff or your systems administrator can help you decide which files and directories you should restrict access to, and implement your password protection. You will certainly want to password protect your programs, scripts, databases, and log files, but you may also want to restrict access to some of your Web pages (for example, "members only" pages). For an example of how to do this on a UNIX server, see Builder.com's Password Please article.
Here are some tips for password security:
- Use at least one non-alphanumeric character (such as ";" or "=") in your password
- Change your password frequently
- Don't share your password (if someone legitimately needs access, they need their own password)
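To make the mechanism concrete, here is an added example (not from the original article or the Builder.com piece it cites) of what a server does when a browser sends a password for a protected directory using HTTP Basic authentication, the scheme behind the UNIX .htaccess approach. The user names, passwords and directory names are constructed for illustration. Two details matter in practice: the server stores only salted hashes, so a stolen password file does not hand over the passwords, and the browser sends the credentials merely base64-encoded, so protected pages must be served over SSL (see Encrypt Sensitive Data below) or anyone on the wire can read the password.

```python
import base64
import hashlib
import hmac
import os
import posixpath
from typing import Dict, Optional, Tuple

# Password hashing work factor. Only salted hashes are stored, never the passwords.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_entry(password: str) -> Tuple[bytes, bytes]:
    """Create a (salt, hash) record, as a tool like htpasswd does when a user is added."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed sample password file: user name -> (salt, hash).
# The names and passwords are illustrative only.
PASSWORD_FILE: Dict[str, Tuple[bytes, bytes]] = {
    "webmaster": make_entry("g;7Kq=dR2x"),
    "editor": make_entry("pa=per;Clip9"),
}

# Directories whose contents must never be served without a password.
PROTECTED_DIRS = ("/cgi-bin", "/logs", "/members")


def is_protected(path: str) -> bool:
    """Normalize the request path first so '/members/../members/x' or '//logs' cannot slip past."""
    norm = posixpath.normpath("/" + path.lstrip("/"))
    return any(norm == d or norm.startswith(d + "/") for d in PROTECTED_DIRS)


def check_basic_auth(header: Optional[str]) -> Optional[str]:
    """Return the authenticated user name, or None if the Authorization header is missing or wrong."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        # Basic auth is only base64, not encryption: the password is readable on the wire.
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    entry = PASSWORD_FILE.get(user)
    if entry is None:
        return None
    salt, stored = entry
    # Constant-time comparison so timing does not leak how many bytes of the hash matched.
    return user if hmac.compare_digest(hash_password(password, salt), stored) else None


def authorize(path: str, auth_header: Optional[str]) -> int:
    """HTTP status for a request: 200 (serve it) or 401 (demand a password)."""
    if not is_protected(path):
        return 200
    return 200 if check_basic_auth(auth_header) else 401


def basic_header(user: str, password: str) -> str:
    """What a browser sends after the user fills in the password dialog."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
```

Note that the browser sends the header with every request to the protected directory, so a password typed once is re-exposed on each page view if the connection is not encrypted.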
Firewalls
Another kind of Web site security is provided by a firewall. A firewall is a suite of programs (along with a set of procedures) that a private network (an intranet or local area network [LAN], as opposed to a public network like the Internet) uses to control traffic to and from its computers. If your site is hosted by an ISP, the ISP rather than you runs the firewall, so you probably won't be configuring one yourself. But if you want to learn more about firewalls, see whatis.com's definition or the Internet Firewalls Frequently Asked Questions page.
Physical Access
An important but often overlooked aspect of Web site security is controlling physical access to your Web server and its programs and data. For a determined saboteur or thief, it is often easier to simply abscond with a floppy disk — or, worse yet, with your whole computer — which holds the data your password system protects so well. As Eric Swanson, a long-time UNIX and NT systems administrator says, "In the end, your critical data is only as secure as the lock on the door to the machine room." So it might be worth your while to pay a visit to your ISP to ensure that they have good physical security measures in place.
None of the above practices can guarantee that virus-infected files won't show up on your system, so you should always augment your security procedures with a good virus checker.
Authenticate Users
In addition to what your users access, which you can control with the measures above, you may want to verify who is accessing your site. This is especially crucial for e-commerce sites or sites that handle sensitive information like medical or financial records.
Firms like Thawte and VeriSign issue certificates that serve as shoppers' and merchants' virtual identification cards. These certificate authorities take measures to confirm that online shoppers or merchants are actually who they say they are, and then sign a digital ID (a certificate that binds the holder's name to a public key) that the two parties can use to identify each other and set up a secure connection.
If you conduct e-commerce at your site, your virtual storefront software likely includes some sort of authentication mechanism. If you need to verify identity at your site for some other reason, you will need to install certificate software on your server. For more information on how to do this, see this book excerpt on Creating and Installing Web Server Certificates.
The issue of identity in cyberspace raises some interesting philosophical and legal questions. A Builder.com columnist explores this in The Other Side of Web Security.
Encrypt Sensitive Data
Secret decoder rings rarely show up in your Cracker Jacks box anymore, but encryption is alive and well on the Internet. Many of the security schemes above rely on public-key encryption. See Pretty Good Privacy (PGP) for an example. Public-key encryption is an ingenious method of securing sensitive information. It uses a matched pair of keys, one public and one private, to lock and unlock sensitive files. For example, if you wanted to have a secure e-mail exchange with someone, you would give him or her your public key, with which he or she would encrypt the message to you. You would then open his or her e-mail with your private key, which only you have access to, and which is the only way to get at information encrypted with your public key.
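The exchange just described, worked through in code. This is an added example, not from the original article or from PGP, using textbook RSA with deliberately small primes so the numbers stay readable; the primes and the sample message are constructed for the example. Real systems use keys thousands of bits long and add randomized padding (such as OAEP) before encrypting. Without padding, encrypting the same message twice yields the same ciphertext, so an eavesdropper can tell when you send the same thing again; the example checks for exactly that property so the weakness is visible.

```python
import math
import random


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test, used here only to sanity-check the toy parameters."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(12345)  # fixed seed keeps the check reproducible
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def keygen(p: int, q: int, e: int = 65537):
    """Textbook RSA key generation. Returns (public_key, private_key) as (n, e), (n, d)."""
    if p == q or not (is_probable_prime(p) and is_probable_prime(q)):
        raise ValueError("p and q must be distinct primes")
    n = p * q                            # the modulus: public, but hard to factor when large
    phi = (p - 1) * (q - 1)              # Euler's totient of n; knowing it is as good as knowing p and q
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                  # private exponent: e*d == 1 (mod phi); Python 3.8+
    return (n, e), (n, d)


def encrypt(message: bytes, public_key) -> int:
    """Anyone holding the public key can perform this step (the sender)."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if not 0 < m < n:
        raise ValueError("message must be non-empty and shorter than the modulus")
    return pow(m, e, n)


def decrypt(ciphertext: int, private_key) -> bytes:
    """Only the holder of d can undo the encryption (the recipient)."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    # Leading zero bytes of the original message cannot be recovered from the integer.
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Toy parameters, constructed for this example and far too small to be secure.
TOY_P, TOY_Q = 1_000_000_007, 998_244_353

if __name__ == "__main__":
    public, private = keygen(TOY_P, TOY_Q)
    c = encrypt(b"order42", public)          # sender uses the recipient's public key
    print("ciphertext:", c)
    print("recovered:", decrypt(c, private))  # recipient uses the private key
    print("same again:", encrypt(b"order42", public) == c)  # deterministic without padding
```

The public key (n, e) can be published freely; the security rests on nobody being able to factor n back into p and q, which is trivial for the toy values above and infeasible for the key sizes used in practice.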
Perhaps the most widespread use of public-key encryption on the Internet is Netscape's Secure Sockets Layer (SSL). SSL uses public-key encryption to identify the server and to agree on a session key, then encrypts the traffic with that key, creating a private, secure way to transmit documents over the Internet. Many e-commerce programs rely on SSL to secure the transmission of credit card information and other sensitive data. For a detailed (if occasionally mind-bending) look at the logic that underlies SSL, see Netscape's page on How SSL Works.
Keep Up with the Bad Guys
One final note. There is no area more dynamic and fluid than Internet security. Every week there is another story about an e-mail program with a security flaw or a teenage hacker cracking an "uncrackable" encryption scheme. So make sure that you and your ISP or your systems administrator stay current with emerging security issues. Read the technology section in your local newspaper, and check out sites like Web Developer's security page on a regular basis.
About the Author:
The WorkZ staff is made up of gurus in many areas of expertise including Sales, Marketing, all aspects of the Internet, Technology, even starting and running businesses.