Server Security Checklist
7 Keys to Protecting Your Server


Putting your business on the Internet is a great way to help your customers find you, but it also opens you up to possible attacks from the steadily-growing online criminal element. Whether your website is a mission-critical e-commerce portal that hosts live transactions, or just an online brochure providing information about your business, the last thing you want is for hackers to compromise your website, potentially vandalizing your public pages or stealing customer information.

Hacked servers are responsible for billions of dollars per year lost to identity theft. Just recently the Montana Dept. of Health was hacked, exposing 1.3 million patients' data. Hackers may also use compromised systems as jumping-off points for further online criminal activity, exposing the operator of the server to liability for damages. As a responsible online businessperson, you can follow the simple server security checklist below to harden your box.



1. Use Strong Passwords

Thanks to automated password guessing tools, hackers can now try literally millions of password attempts in minutes or hours when trying to break into a server. Norton has a great tool to generate random passwords of varying length and special characters. To protect your website and data from these attacks, be sure to follow these rules when setting up passwords for any user account that has access to your data:





2. Protect Sensitive URLs

Many hackers and attackers use forced browsing to find unlinked content, configuration files, or backup files that may give them the one piece of information they need to crack your server. Make sure you remove unwanted or sensitive files you don't need from your server, especially old install files. Also secure unlinked URLs by password-protecting them. Run daily scans of your server to see what files have been accessed, downloaded, or changed. Two great resources to help in securing your site and server are Pentest Tools and Acunetix.
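As an added example (not code from the original post or from either tool it names), here is the kind of daily scan described above: it records a SHA-256 baseline of the web root, reports files that were added, removed or changed since the baseline, and flags leftover install and backup files that should not be sitting in a public directory. The file names it flags and the constructed sample web root in `demo()` are assumptions for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Leftover install/backup names that should not sit in a web root (constructed
# list for this example, not exhaustive).
SUSPECT_NAMES = {"install.php", "setup.php", ".env", "phpinfo.php"}
SUSPECT_SUFFIXES = (".bak", ".old", ".orig", ".sql", ".zip", "~")

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root) -> dict:
    """Map every file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Files added, removed or changed since the baseline was recorded."""
    common = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "changed": sorted(p for p in common if baseline[p] != current[p])}

def find_suspect_files(snap: dict) -> list:
    """Flag install/backup leftovers that should be deleted from the web root."""
    return sorted(rel for rel in snap
                  if os.path.basename(rel) in SUSPECT_NAMES
                  or rel.endswith(SUSPECT_SUFFIXES))

def demo() -> dict:
    """Build a constructed web root, baseline it, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "index.php").write_text("<?php echo 'hello'; ?>")
        (r / "config.php").write_text("<?php $db = 'prod'; ?>")
        baseline = snapshot(r)  # what a nightly cron job would store on disk
        (r / "index.php").write_text("<?php echo 'defaced'; ?>")  # page altered
        (r / "config.php.bak").write_text("<?php $db = 'prod'; ?>")  # leftover copy
        current = snapshot(r)
        report = diff_snapshots(baseline, current)
        report["suspect"] = find_suspect_files(current)
        return report
```

In practice the baseline dictionary is written to a file outside the web root after each clean deploy, and the cron job compares each night's `snapshot()` against it and mails the report.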



3. Limit User Accounts

The more people who have access to log in to your server and view data, the greater the odds that someone’s account will be compromised through data theft, weak passwords, or other mishaps. You can improve your server security by allowing server access only to people who must have it in order to keep the website running. It is also a good idea to avoid having multiple people use the same username or know the same password.



4. Block Malicious Injections

This type of server attack usually involves some type of web application or form that allows users to input data. The attacker will try to submit malicious code into the application in order to trick the interpreter into executing the code. If successful, this gives the hacker a way into your site or server, and it most often succeeds because of poorly written code.

A favorite staple for hackers to do this is through old and outdated WordPress versions or poorly written plugins and web applications. To prevent this from happening, first validate all data to ensure there is no malicious intent before accepting it. Also, make sure you minimize the privileges of the accounts for all of the databases you use, and do a proper code review before any application on your website goes live. There are a handful of tools online to help protect your server; one great tool for a server security test is Scan my Server, which tests for malware, SQL injections, XSS, and other vulnerabilities.
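As an added example (not code from the original post), the two defenses named above, validating input before accepting it and never letting user data become part of the SQL text, shown against the kind of string-built query that makes injection possible. The user table, the sample rows and the username policy are constructed for this illustration.

```python
import re
import sqlite3

# Input validation: only letters, digits, dot, underscore and hyphen, 3 to 32
# characters (constructed policy for this example). Anything else is rejected
# before it ever reaches the database.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{3,32}")

def build_db() -> sqlite3.Connection:
    """In-memory user table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "editor")])
    return conn

def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """The poorly written form: user input is pasted into the SQL text itself,
    so a quote character in the input changes the meaning of the query."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Validate first, then bind the value as a parameter so the database
    only ever sees it as data, never as SQL."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by input validation")
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()
```

The database account the web application connects with should additionally hold only SELECT/INSERT/UPDATE rights on the tables it needs, so that even a query that does slip through cannot drop tables or read other databases.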




5. Secure All Network Traffic

Failing to secure sensitive data or network traffic leaves it exposed for hackers to access. Data such as email, Social Security numbers, bank account details, and credit card info can all be vulnerable if not encrypted. Credit card and bank info must be encrypted according to PCI standards. One simple way to prevent this from happening is to make sure all pages that handle sensitive data use SSL connections. You can also add an extra buffer layer of security between your web server and the database to ensure that traffic is not exposed.



6. No Unnecessary Software

Another favorite trick of cyber-criminals is to exploit security holes in software installed on target servers, in order to fool the server into thinking they have legitimate access. If you or someone on your staff is tempted to try out a free download of a new product, or install a handy new app, just remember that fewer software products on the server means fewer potential backdoors for hackers. For this same reason, servers should not be used for casual web browsing.



7. Get a Qualified Server Technician

Servers, like cars, must be periodically tuned and maintained by trained professionals in order to keep them working at full capacity and prevent problems from developing. The best way to ensure that appropriate security measures are being taken is to hire a computer technician with proven server administration and information security experience, or to purchase technical support services from your dedicated server hosting company. Odesk is a great place to find qualified server technicians to secure and audit your server. Essential steps to improve security, such as setting up hardware and software firewalls, managing user accounts, applying software updates, and regularly auditing security logs, require trained expertise to ensure that all appropriate industry security standards are being followed.





By following these seven steps, you can protect your server from malicious intrusion, and protect your business data from destruction, misuse, or theft. Many data compromise and server hacking incidents happen because no security measures were taken at all. By exercising due diligence with regard to computer security, you can greatly reduce the odds of your server being identified as a potential target by cyber-criminals.



By Luke Vanpool - loves technology and hangs out with his dog Scrappy. You will often find him traveling the world or in front of his computer. Follow him on Google+, Twitter








