Ten ways to protect your Web commerce sites
Back to the main article published in Network World (2/2/98)
- Limit the number of people who have remote access to your Web site for
administration purposes and manage this process closely. Remote
administration - the equivalent of root access - gives hackers a great
opportunity to sneak in.
- Make sure your access control lists are properly configured and
constantly updated to reflect the day-to-day needs of your business, such
as adding new employees and customers and deleting old ones.
- Isolate your commerce server from as many services as possible to avoid
vulnerabilities. Harden the server by closing down all extraneous features
in the applications and operating system. If you can't do this, seriously
consider outsourcing.
- Implement an intrusion detection system that immediately alerts
managers to problems that need to be corrected. After all, detecting a
hacker does nothing; stopping him is the goal.
- Make sure your intrusion detection software looks for anomalous
behavior on your servers. You can't stop the bad guys if you can't see what
they're doing.
- Perl and Common Gateway Interface scripts can cause security holes if
they're improperly written, configured or installed. Use these development
tools sparingly and make sure experienced developers test them.
- Passwords just aren't strong enough for some commerce sites. Consider
giving customers physical and electronic tokens that cost about $50 each.
- Likewise, you want to make sure administrators who have root authority
are who they say they are. Biometric solutions to identify voice,
fingerprints or retinas are moving to the masses at a cost of roughly $300
per user.
- Your site relies on other networks and systems to move money, whether
it accepts credit cards or uses a mainframe to complete remote banking
transactions. Use secure protocols such as Secure Sockets Layer, Secure
Hypertext Transfer Protocol or Kerberos to communicate with critical
systems.
- Think about installing integrity wrappers around critical data and
related system files. Cryptographic seals around these files prevent
modification or the introduction of malicious code.
- Winn Schwartau
copyright 1998 Network World