Save This List: How to Help Prevent a Web Application Security Breach

by FireHost Evangelist on December 16th, 2009

In a previous post, we covered what you need to know immediately if your website is successfully hacked, including recommendations on how and when to:

Step 1: Announce and assess the breach
Step 2: Conduct a deeper investigation
Step 3: Notify affected individuals and organizations and begin remediation
Step 4: Re-launch
Step 5: Communicate the resolution publicly and to affected parties
Step 6: Take steps to remediate vulnerabilities and prevent a future breach

Today’s discussion takes a deeper look at step six: preventing cyber crime at small and medium-sized businesses. The truth is that the security measures in place at most SMBs are “easy pickings” for hackers, and there is a booming community of C2C (criminal-to-criminal) commerce focused solely on stealing customer data from SMBs that do business online. Just as you work every day to develop new, enticing products and easier ways for your customers to shop, cyber-theft “shop owners” fuel this sub-economy by devising faster, easier and more effective ways to steal your company’s valuable data.

Preventing data leakage takes an ongoing, concerted effort, so it’s important that you take proactive control over your immediate environment. Here’s how:

Only run software you need. Thoroughly review every third-party application before introducing it to your environment, and install it only if it is absolutely necessary. Remove inactive programs at once. Paring down the list of installed programs reduces your exposure to any known or future security flaws they may carry.

Stop ignoring those updates. Install every software update, and do it quickly. Fixing security vulnerabilities is a top priority of software patches, so don’t fall versions behind.

S = More Secure. Traditional FTP connections are insecure: credentials and file contents travel in clear text. Look for “SSH” and “SFTP” connections, which encrypt the session; they are the minimum standard for eCommerce website administration.

Manage change. Terminate access credentials for former website administrators and employees immediately after (and sometimes before) they leave the company. Logins that are left open are an extremely popular data leakage point. Implementing strict, consistent change management procedures will reduce the chances that your website is compromised through a password breach.

Check configurations and permissions. Regularly verify that server configurations and file permissions are set correctly, and that there are no open (world-writable) permissions on directories.
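One way to automate the permission part of that check, added here as an example rather than the post’s own script: it assumes a Linux host with find(1) and that the web root path you pass (e.g. /var/www, an assumption) is the one your web server actually serves from.

```shell
#!/bin/sh
# Audit a web root for "open" permissions: directories and files that anyone on
# the host can write to. Added example; the web root path (/var/www) is an assumption.

audit_open_perms() {
    root="$1"
    if [ ! -d "$root" ]; then
        echo "not a directory: $root" >&2
        return 2
    fi
    # World-writable directories that lack the sticky bit: any local user (or a
    # compromised service account) can drop, rename or delete files in them.
    find "$root" -type d -perm -0002 ! -perm -1000 -print | sed 's/^/open-dir: /'
    # World-writable files: configuration files and scripts here can be altered
    # by any account on the host, not just the site owner.
    find "$root" -type f -perm -0002 -print | sed 's/^/open-file: /'
}

# Returns 0 when the tree is clean and 1 when anything was reported, so the
# check can run from cron and alert on a non-zero exit status.
audit_open_perms_check() {
    findings=$(audit_open_perms "$1" | wc -l | tr -d ' ')
    [ "$findings" -eq 0 ]
}

# Stand-alone use: sh audit.sh /var/www
if [ $# -gt 0 ]; then
    audit_open_perms "$1"
fi
```

Fix findings with chmod (remove the world-write bit, or add the sticky bit on upload directories that genuinely must be shared) and re-run until the check exits 0.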

Cheaply outsourced labor could cost you. Do you really want to outsource your livelihood to the lowest bidder? Websites require ongoing maintenance, bug fixes, and enhancements, and working closely with a local developer that you can meet in person might be the best solution in the long run.

Hire a hacker. Hire a hacker to try to penetrate your environment and find its vulnerabilities. I’m serious.

Achieve PCI compliance if you conduct eCommerce. The Payment Card Industry has devised a succinct list of requirements (the PCI Data Security Standard) to which every organization that accepts credit cards as a form of payment must adhere.

Vulnerability audits. Have professionals perform regular vulnerability audits; we recommend monthly, or quarterly at minimum. Vulnerability audits can identify weak logins, data leakage from forms, SQL injection vulnerabilities, DDoS activity, spam relaying, order manipulation, admin control panel tampering, and more.

Hackers pose a real threat to SMBs, and they find value in stealing customer records even from the “one-man shops” out there. Give these preventive measures the same priority as how your site looks and works. After all, an ounce of prevention… well, you know the saying.

A version of this article was featured in VentureBeat on December 16, 2009.

This entry was posted on Wednesday, December 16th, 2009 at 8:00 am and is filed under Security.

