Monday, September 6, 2010

Website Hacking

Hacking may be routine for the hacker, but it is a serious issue for corporations whose websites are the face of the company to the outside world. Corporate websites are also the point of sale for e-commerce activities.

US government (.gov) websites are the most heavily targeted when it comes to hacking, but others are no exception. Many security-centric companies invest resources in ethical hacking to understand a hacker's mindset and the countermeasures that follow from it.

With hosting service providers being the de facto standard for most SMEs' website needs, the customer is given either partial or total control over the server, depending on the contract.

Consider a situation in which your house was burgled and you lost something priceless, such as an old photo album or a bottle of wine aged for 15 years, as well as the cash and expensive jewellery that were the main items of concern. You had been putting off installing a security system or getting a Rottweiler or Doberman to guard the house.

The analogy applies to corporate websites as well: if hacked, they could lose priceless information as well as information with monetary value. On the priceless side, it could be a prospective partner trying to access your site for a potential tie-up; on the monetary side, source code, prospective customer visits or any other internal assets. Denial of service is one side of the story, followed by revenue impact and angry users who may never revisit the site.

Certain fundamental steps will help safeguard your internet site from a potential hacker. These are in addition to what a threat modelling tool, combined with checks for SQL injection and cross-site scripting among other things, would cover.

1) Have a strong password policy for the root user. This should not be limited to special characters and a mix of upper and lower case; it should be more of a passphrase. Avoid predictable names such as companyName123, companyName123$ or companyName~1, as these are easy to crack.

2) Disable all unneeded services and their ports, such as FTP and Telnet, as these could leave your site open to data siphoning.

3) Have a CAPTCHA mechanism where the user is expected to fill in information, to defeat automated spam programs.

4) Build logic into your code to identify suspicious IP addresses, or use a firewall mechanism offered by the service provider.

5) Make sure there are no executable links exposed through the browser's view-source option. Media files that make a call to the server are one such example.

6) Optimize the code to ensure media files are not calling the server for content every now and then.

7) If using a Linux environment, make sure the upper limits for the number of processes and open files (numprocesses, numfiles) are set to a higher but realistic value after examining the lsof output, to counter spam hits.

8) Peer review the code, or use a code analysis tool.
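As an added illustration of step 1 (this is example code, not from the original post), the following Python check rejects passphrases that are too short, are not multi-word, or are derived from the company name, including the companyName123-style examples above. The thresholds, the substitution table and the company name are assumptions for the example.

```python
import re

# Policy thresholds (assumed for this example; tune to your own policy).
MIN_LENGTH = 16   # passphrase length in characters
MIN_WORDS = 3     # distinct words separated by space, '-' or '_'

# Undo common digit/symbol substitutions so c0mpanyN4me$ still matches "companyname".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(text):
    """Lower-case, undo substitutions and drop everything that is not a letter."""
    return "".join(ch for ch in text.lower().translate(LEET) if ch.isalpha())


def company_terms(company_name):
    """Normalised full company name plus every word of at least four letters."""
    terms = {normalise(company_name)}
    for word in re.split(r"\W+", company_name):
        if len(normalise(word)) >= 4:
            terms.add(normalise(word))
    return {t for t in terms if t}


def check_passphrase(password, company_name):
    """Return a list of policy violations; an empty list means the passphrase passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    words = [w for w in re.split(r"[\s_-]+", password) if w]
    if len(set(w.lower() for w in words)) < MIN_WORDS:
        problems.append("fewer than %d distinct words" % MIN_WORDS)
    core = normalise(password)
    # Longest term first, so the full name is reported before a single word of it.
    for term in sorted(company_terms(company_name), key=len, reverse=True):
        if term in core:
            problems.append("derived from the company name (%r)" % term)
            break
    return problems


if __name__ == "__main__":
    for candidate in ("companyName123", "companyName123$", "companyName~1",
                      "c0mpanyN4me$2010", "river-lantern-quiet-orbit"):
        print(candidate, "->", check_passphrase(candidate, "Company Name") or "ok")
```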

These simple steps might help you avoid a burglary-like situation such as the one I described earlier!