Keeping the Barbarians Off Your Web Site
Hackers like to hone their skills on small-business sites, FBI experts say

Bill Myers had grand plans to make the Web site of the tiny credit union that he runs into a virtual bank for its members. Then an E-mail-borne virus invaded one computer.

It became a network nightmare. "We tried to clean the computer with the network up -- so we could continue to conduct business -- but it was a robust virus and kept re-infecting the network," says Myers, manager of the 27-employee Alternatives Federal Credit Union in Ithaca, N.Y.

Now, Myers has put his virtual banking dream on hold. The only online transaction members can do is order checks. And he has become maniacal about Web security. Myers even has a programmer whose sole mission is to periodically try to hack into his systems to test the site's vulnerability.

Is Myers overreacting? Wouldn't tens of thousands of other businesses on the Web be more alluring to cybervandals than a little credit union? No, says the U.S. Federal Bureau of Investigation: small-business executives such as Myers have every reason to worry.

"It is not paranoid at all to obsess about Web security breaches," says Dr. Bill Hancock, a forensic expert for the FBI and the chief technology officer for Network-1 Security Solutions Inc., a firewall manufacturer and security consultancy in Texas. Small-business Web stores, in particular, are targets because "hackers use them to test things out, to see what works and what does not before they go after the bigger fish. There may be less to steal at the small companies -- but they're also an easy mark," says Hancock.

That's what worries Chalu Kim, a security-savvy vice-president for technology at Big Star Entertainment in New York, a 14-employee online video rental store. He's afraid hackers will post porn videos on his Web site. "Aside from vandals, ... I know that online people can find out information about our company," Kim says.

"INSIDE JOBS." Fortunately, small companies don't have to roll over and play dead to cybervandals. Basic security goes a long way toward protecting a small-business Web site. Charles Neal, supervisor of the FBI's White Collar Crime Squad in Los Angeles, suggests "maintaining passwords, encrypting and password-protecting the data that's critical to the business, [and] monitoring everyone and everything that comes in and out of the office." That's because more than 80% of all network hacks are inside jobs, according to the FBI. The "perps" may be disgruntled employees or ex-employees, but also visiting acquaintances of perfectly happy employees who surreptitiously tamper with an open screen.

Companies that let customers track orders and shipments online need not worry about giving them access. The trick, says Hancock, is to keep clients on a separate local area network from the rest of your business. "You just isolate the Web server, with all the databases you want to allow access to, from the rest of your network," says Hancock. "Then you connect that Web server to the site and to the ISP [Internet service provider]."

Still, no Web site is 100% secure, says Hancock, "but you can make it tough enough so that [hackers] try someone else." Here are eight Web security strategies that the experts recommend. Some of these measures are cheap, others are expensive. But you won't get the safe-site nod from the FBI unless you follow them all.

1. If you have your own server, put your site's pages on CD-ROM. Have your CD-ROM drive -- not your hard drive -- send material to your Web site. It'll be slow, but it will be safe. That's because it's much easier for hackers to penetrate a hard drive than a CD-ROM, which cannot be written to once it is burned. CD-ROM readers are cheap (about $20 at Fry's Electronics or CompUSA). A CD burner, which lets you record your own disks, costs about $400. Blanks are around $2 each.

2. Avoid putting Web content in your site's administrative account, a file folder that holds operating keys to the network. That's because hackers look here first to see how much access they can get in one fell swoop.

3. Protect your access-control lists -- the inner workings of the Web site -- with a password. Once hackers break into the list, they can add themselves to it. With that, they can roam the system at will.

4. Set up your Web site scripts properly. Errors in "CGI scripts," the programming language commonly used to create Web site features, are notorious points of illicit entry. Consult with a security expert on how to accurately set up your scripts.

5. Take precautions when using JavaScript. This programming language is full of places where hackers can get in and change your Web site. Programmers prefer JavaScript because it's an easy language for designing Web commerce features. But there are few ways to protect code written in JavaScript. Ask your programmers what they're doing to safeguard the JavaScript features they create for your site.

6. Use Secure Sockets Layer (SSL), which keeps hackers from reading credit-card transactions and passwords traveling between your Web store's customers and your server. Although SSL is part of most commerce software programs, some people turn the feature off because it slows the server. Resist this temptation.

7. Install a firewall and a router. A firewall is software that blocks access to a server or a particular database by anyone without a password and ID. A router is a box that receives all communication and decides how to route it on your network. You can program a router to look for and deflect suspicious traffic. Firewalls and routers cost anywhere from $1,000 to $10,000.

8. If you use an ISP or an outsourcing company to host and design your Web site, make sure that it offers adequate security -- and that you understand it. Keep ISP contact lists handy in case of a breach.

By Rivka Tadjer in New York


Copyright 1998 Bloomberg L.P.