Ten ways to protect your Web
commerce sites

Back to the main article published in Network World (2/2/98)

  1. Limit the number of people who have remote access to your Web site for administration purposes and manage this process closely. Remote administration - the equivalent of root access - gives hackers a great opportunity to sneak in.
  2. Make sure your access control lists are properly configured and constantly updated to reflect the day-to-day needs of your business, such as adding new employees and customers and deleting old ones.
  3. Isolate your commerce server from as many services as possible to avoid vulnerabilities. Harden the server by closing down all extraneous features in the applications and operating system. If you can't do this, seriously consider outsourcing.
  4. Implement an intrusion detection system that immediately alerts managers of problems that need to be corrected. After all, detecting a hacker does nothing; stopping him is the goal.
  5. Make sure your intrusion detection software looks for anomalous behavior on your servers. You can't stop the bad guys if you can't see what they're doing.
  6. Perl and Common Gateway Interface scripts can cause security holes if they're improperly written, configured or installed. Use these development tools sparingly and make sure experienced developers test them.
  7. Passwords just aren't strong enough for some commerce sites. Consider giving customers physical and electronic tokens that cost about $50 each.
  8. Likewise, you want to make sure administrators who have root authority are who they say they are. Biometric solutions to identify voice, fingerprints or retinas are moving to the masses at a cost of roughly $300 per user.
  9. Your site relies on other networks and systems to move money, whether it accepts credit cards or uses a mainframe to complete remote banking transactions. Use secure agents such as Secure Sockets Layer, Secure Hypertext Transfer Protocol or Kerberos to communicate with critical systems.
  10. Think about installing integrity wrappers around critical data and related system files. Cryptographic seals around these files prevent modification or the introduction of malicious code.

- Winn Schwartau

copyright 1998 Network World