Keeping the Barbarians Off Your Web Site
Hackers like to hone their skills on small-business sites, FBI experts say
Bill Myers had grand plans to make the Web site of the tiny credit union that he runs into a virtual bank for its members. Then an E-mail-borne virus invaded one computer.
It became a network nightmare. "We tried to clean the computer with the network up -- so we could continue to conduct business -- but it was a robust virus and kept re-infecting the network," says Myers, manager of the 27-employee Alternatives Federal Credit Union in Ithaca, N.Y.
Now, Myers has put his virtual banking dream on hold. The only online transactions members can do is order checks. And he has become maniacal about Web security. Myers even has a programmer whose sole mission is to periodically try to hack into his systems to test the site's vulnerability.
Is Myers overreacting? Wouldn't tens of thousands of other businesses on the Web be more alluring to cybervandals than a little credit union? No, says the U.S. Federal Bureau of Investigation: small-business executives such as Myers have every reason to worry.
"It is not paranoid at all to obsess about Web security breaches," says Dr. Bill Hancock, a forensic expert for the FBI and the chief technology officer for Network-1 Security Solutions Inc., a firewall manufacturer and security consultancy in Texas. Small-business Web stores, in particular, are targets because "hackers use them to test things out, to see what works and what does not before they go after the bigger fish. There may be less to steal at the small companies -- but they're also an easy mark," says Hancock.
That's what worries Chalu Kim, a security-savvy vice-president for technology at Big Star Entertainment in New York, a 14-employee online video rental store. He's afraid hackers will post porn videos on his Web site. "Aside from vandals, ... I know that online people can find out information about our company," Kim says.
"INSIDE JOBS." Fortunately, small companies don't have to roll over and play dead to cybervandals. Basic security goes a long way toward protecting a small-business Web site. Charles Neal, supervisor of the FBI's White Collar Crime Squad in Los Angeles, suggests "maintaining passwords, encrypting and password-protecting the data that's critical to the business, [and] monitoring everyone and everything that comes in and out of the office."
That's because more than 80% of all network hacks are inside jobs, according to the FBI. The "perps" may be disgruntled employees or ex-employees, but also visiting acquaintances of perfectly happy employees who surreptitiously tamper with an open screen.
Companies that let customers track orders and shipments online need not worry about giving them access. The trick, says Hancock, is to keep clients on a separate local area network from the rest of your business. "You just isolate the Web server, with all the databases you want to allow access to, from the rest of your network," says Hancock. "Then you connect that Web server to the site and to the ISP [Internet service provider]."
Still, no Web site is 100% secure, says Hancock, "but you can make it tough enough so that [hackers] try someone else." Here are eight Web security strategies that the experts recommend. Some of these measures are cheap, others are expensive. But you won't get the safe-site nod from the FBI unless you follow them all.
1. If you have your own server, put your site's pages on CD-ROM. Have your CD-ROM drive -- not your hard drive -- send material to your Web site. It'll be slow, but it will be safe. That's because it's much easier for hackers to penetrate a hard drive than a CD-ROM: a pressed disk is read-only, so pages served from it cannot be altered in place. CD-ROM readers are cheap (about $20 at Fry's Electronics or CompUSA). And a CD burner, which lets you record your own disks, is about $400. Blanks are around $2 each.
2. Avoid putting Web content in your site's administrative account, a file folder that holds operating keys to the network. That's because hackers look here first to see how much access they can get in one fell swoop.
3. Protect your access-control lists -- the inner workings of the Web site -- with a password. Once hackers break into the list, they can add themselves to it. With that, they can roam the system at will.
4. Set up your Web site scripts properly. Errors in "CGI scripts," the programs commonly used to create Web site features, are notorious points of illicit entry. Consult with a security expert on how to accurately set up your scripts.
5. Take precautions when using JavaScript. This programming language is full of places where hackers can get in and change your Web site. Programmers prefer JavaScript because it's an easy language for designing Web commerce features. But there are few ways to protect code written in JavaScript. Ask your programmers what they're doing to safeguard the JavaScript features they create for your site.
6. Use Secure Sockets Layer (SSL), which keeps hackers from reading credit-card transactions and passwords traveling from your Web store to your server. Although SSL is part of most commerce software programs, some people turn the feature off because it slows the server. Resist this temptation.
7. Install a firewall and a router. Firewalls are software that block access to a server or particular database without a password and ID. A router is a box that receives all communication and decides how to route it on your network. You can program a router to look for and deflect suspicious traffic. Firewalls and routers cost anywhere from $1,000 to $10,000.
8. If you use an ISP or an outsourcing company to host and design your Web site, make sure that it offers adequate security -- and that you understand it. Keep ISP contact lists handy in case of a breach.
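Strategy 4 says CGI script errors are a notorious point of entry without saying what such an error looks like. The added example below (not from the article or any of the companies it names) shows the most common one, a request parameter spliced straight into a shell command, next to the hardened form that validates the parameter against an allowlist and never hands it to a shell. The endpoint, the "sku" parameter and the lookup-sku command are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs

# Constructed scenario: a CGI endpoint reads a "sku" parameter from the
# query string and passes it to a hypothetical local command, lookup-sku,
# to fetch catalogue details for the customer.

SKU_RE = re.compile(r"[A-Z0-9]{4,12}")  # assumption: SKUs are short uppercase alphanumerics


def query_param(query_string: str, name: str) -> str:
    """Return the first value of a query-string parameter, or '' if absent."""
    return parse_qs(query_string).get(name, [""])[0]


def build_command_unsafe(query_string: str) -> str:
    """The classic CGI mistake: splice the raw parameter into a command string
    destined for os.system(). Shell metacharacters sent by the client are then
    interpreted by the shell instead of being treated as part of the SKU."""
    return "lookup-sku " + query_param(query_string, "sku")


def validate_sku(raw: str) -> Optional[str]:
    """Allowlist validation: accept the value only if it has exactly the expected shape."""
    return raw if SKU_RE.fullmatch(raw) else None


def build_command_safe(query_string: str) -> Optional[List[str]]:
    """Hardened form: validate first, then build an argv list for
    subprocess.run(argv) with shell=False, so no shell ever parses the value."""
    sku = validate_sku(query_param(query_string, "sku"))
    if sku is None:
        return None  # caller answers 400; the rejected value never reaches a process
    return ["lookup-sku", sku]


def cgi_response(query_string: str) -> Tuple[int, str]:
    """Minimal CGI-style response: HTTP status plus header and body text."""
    argv = build_command_safe(query_string)
    if argv is None:
        return 400, "Content-Type: text/plain\r\n\r\nbad request\r\n"
    # A real script would now call subprocess.run(argv, capture_output=True);
    # lookup-sku is hypothetical, so the call is omitted here.
    return 200, "Content-Type: text/plain\r\n\r\nlooking up " + argv[1] + "\r\n"


if __name__ == "__main__":
    for qs in ("sku=AB1234", "sku=AB12%3Bid"):  # a valid SKU, then one carrying a ';'
        print(qs, "->", cgi_response(qs))
```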
By Rivka Tadjer in New York