Beyond providing a fluid user experience, intuitive navigation, search engine friendly source and a secure transactional environment, website operators also need to concern themselves with preventing the unimaginable - hacking. Every day, new vulnerabilities in server operating systems and software are found - and used, to compromise commercial websites. Although your ISP should provide daily security scans and frequent audits on all of your servers, it behooves every e-commerce company to put its best foot forward by ensuring the security, uptime and redundancy of it’s servers.

Hacking attempts generally fall into three broad categories: DDOS (dedicated denial of service), destructive and data compromising. In a DDOS attack, a hacker or hackers will compromise a group of machines (sometimes numbering in the hundreds) and use them to flood a server with data. The massive amount of data sent to the victim server results in a server load spike and ultimately, the server going offline. Unless a DNS redundancy scheme is set in place, the only resolution for a DDOS attack is to wait until the attack subsides. The purpose of a destructive attack is essentially to bring down a single server or website and destroy the information on the server. Often, the responsible party in such attacks is a hacker vying for bragging rights or a young person just ‘having fun’. Unfortunately, such antics often result in the destruction of irreplaceable data. The third type of attack, data compromising, refers to a breach that is caused in order to gain access to sensitive information (passwords, credit card data, or other personal data). With respect to the latter two types of security breaches, vulnerability scanning can go a long way in ensuring that these attacks do not occur.

Regardless of the purpose of the attack, it is important to understand the nature of the beast and what can and should be done to prevent it. Server vulnerability scanning; that is, the comparison of your server(s) software updates and configuration against a list of known vulnerabilities, is the single best preventative measure that can be taken. Although your ISP may provide such services, I suggest finding another vendor, which deals specifically with vulnerability scanning and offers daily updated vulnerability profiles. Such providers can automatically scan your servers on a daily (or a more frequent interval) basis to ensure that they are updated with the latest software patches.

Unfortunately, many executives and companies have a rather adolescent view of vulnerabilities; let’s call it the “it won’t happen to me” syndrome. As an 11 veteran of the hosting and web development segments, I can say that I’ve seen many, many companies succumb to this mentality and suffer the inevitable - downtime and loss of revenue. Learn from their mistakes. Be proactive and ensure the security of your customers’ data and the future of your business.

This entry was posted on Thursday, August 16th, 2007 at 11:55 pm and is filed under E-Business, Internet Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.