Website security
1 Nov 2011Securing computers has always been a challenge even before the Internet was born, in those days security was mainly controlled by physical access and passwords. In other words, if you did not have physical access to the computer in question nor have the password then access was almost impossible.
These days securing a server online is more challenging and the problem with servers online is by definition they have to be open in order for users and visitors to access them. Common sense rules still apply in terms of passwords and restricted Admin or Root access to the server, however, things are more complicated now in terms of software exploits and keeping the system patched and up to date. If you taking card payments then you will need to be PCI compliant (something we work with a partner company to help people achieve) and any card details for customers are best kept encrypted on the server or kept on a server separate to the main machine.
Another good plan if budget allows is to have a minimum of two servers with one machine running as a web server and a second machine running as a database server. The reasons for this is not for a hosting company to make more money but on top of allowing better performance, it also allows the database server to be secured and sit behind the web server thus it is much harder to access any of the data directly. Your most important commodity is your customers and if this data is either stolen or compromised then at best you lose business and at worst you lose your reputation.
How do I know if my server is open to any exploits or that the software I am running is both secure and up to date? These are questions that a lot of businesses ask and one that is often hard to answer based on the high levels of complexity involved. A good starting point for this is to have some form of vulnerability assessment scan in place which will regularly scan the server against a large database of known exploits and issue a report based on its finding which can then be acted on. Memset offers a scanning service based on a service called Nessus which will provide monthly scans of your server/s with a detailed report mailed to you every month. Another consideration if you are running Windows is that the server has a licensed and up to date Anti-Virus software on it and we can provide a licensed version of Sophos Anti-Virus if you do not have any licenses yourself.
Another interesting point of consideration is that if your customer base is purely from the UK market for instance then certain software solutions are available that will only allow UK based IP addresses to access your website. If you are receiving fraudulent orders online or are having suspicious scans or attempted hacks from foreign countries this can help you greatly. This is a solution that the BBC employ to stop access overseas to certain content including their streaming services offered by iPlayer.
A lot of malicious attacks or DOS attacks to a server hosted with us are targeted and rarely random and mostly are the result of disgruntled ex-employees or an unscrupulous competitor or perhaps just a previous supplier that you fell out with. In other words, most of these types of attacks are not random and have a purpose or a reason.
In short, no website or server is going to be 100% secure however it is often the small things that make a difference and can be the difference between disruption, compromise or a smooth running site with little or no issues.