
VOICES FROM THE INDUSTRY: Be vigilant of cyber risks to protect your company

November 26, 2007

Remember when securing an enterprise meant investing in an alarm system to protect your inventory and a fireproof cabinet to keep your documents safe?

In today's expanding cyber world, threats to security extend far beyond walls and paper trails. With facilities, employees and customers all over the world, companies offer unprecedented access, but behind that convenience lurks vulnerability.

Unless, of course, the corporation has truly managed to secure the confidential information stored online and throughout file-sharing networks.

Unfortunately, a lot of companies haven't made that investment. It is a misperception that running a virus scanner or an anti-spyware program constitutes a security plan. Although scanning for viruses and spyware is important, it's not the only security tool.

A critical first step toward developing a comprehensive security program is to do a risk assessment. The evaluation can be done internally with the help of software or templates, or by seeking external assistance from a third party with a security specialization.

Either approach should attempt to answer questions such as: What security programs are already in place? What sensitive information is held that could be exposed? How could someone breach the site?

Once the threats are identified, it's time to prioritize. Ask questions such as: How likely is it that someone will compromise exposed sites? If the site is compromised, how costly will the financial and reputation damages be?

Finally, think about how much money is available to spend on addressing the site's identified weaknesses.

Here are five Web security ideas to consider during a risk assessment:

1. Encrypt data

When sensitive data is collected, it should be encrypted immediately and stored in an encrypted format. It's a low-cost way to ensure that your top-secret information stays secret.

Regrettably, not encrypting data is one of the most common online mistakes companies make. And it's a costly one: replacing stolen data is often more expensive than replacing stolen inventory.

Data can be encrypted a number of ways. Companies can purchase software, speak with the vendor who hosts the site or talk with the internal team that developed it.

A store owner wouldn't leave valuable inventory on the street, unlocked and unguarded, so why do the same with data?

2. Protect online information

Keeping up with technology, such as data-encryption programs, is imperative for companies engaging in e-commerce. So is being aware of fraud techniques that involve duping computer users into divulging confidential information.

For example, eBay users received an e-mail message requesting that they provide additional (and confidential) information, under the guise that eBay needed to verify each person's account. However, it wasn't an eBay-approved message. It was, in fact, "phishing," a fraud technique.

To combat this, companies can inform subscribers and customers of the communications they can expect from the company, thus diminishing the chances of fraud.

3. Validate user input

One of the first lines of defense against hackers is validation of user input. Stopping malicious data from being processed or entering the system makes an application more difficult to attack.

Set limits for all input fields. For example, a simple validation technique is imposing a 50-character limit on last-name entries.

When using a Web-based application, hold the server accountable for validation as well. Attackers will easily bypass the client-side validation and hit the server if they see the opportunity.

If user input is not validated, at best, companies will get inconsistent or invalid information. At worst, it leaves the program open to hackers who could maliciously extract or alter the data structure.
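The following is an added example, not code from the column or its author, showing what server-side validation of a form looks like in practice: every field gets a length limit (50 characters for the last name, as the column suggests) and an allow-list of permitted characters, unknown fields are rejected, and the check runs on the server regardless of what any client-side script did. The field names, rules and sample submissions are constructed for this illustration.

```python
import re
import unicodedata

# Field rules, constructed for this example: (maximum length, allow-list pattern).
# The last-name pattern is deliberately narrow; a production rule would be
# broadened for international names, but the shape of the check stays the same.
FIELD_RULES = {
    "last_name": (50, re.compile(r"^[A-Za-z][A-Za-z' -]*$")),
    "email": (254, re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")),
    "zip": (10, re.compile(r"^\d{5}(-\d{4})?$")),
}


def validate_field(name, raw):
    """Validate a single field. Returns (clean_value, None) or (None, error)."""
    if not isinstance(raw, str):
        return None, f"{name}: expected text"
    # Normalize look-alike Unicode forms and surrounding whitespace first so the
    # length and character checks see the value the application will store.
    value = unicodedata.normalize("NFKC", raw).strip()
    if not value:
        return None, f"{name}: required"
    max_len, pattern = FIELD_RULES[name]
    if len(value) > max_len:
        return None, f"{name}: longer than {max_len} characters"
    # Reject control characters (category C*) such as NUL or embedded newlines.
    if any(unicodedata.category(ch)[0] == "C" for ch in value):
        return None, f"{name}: control characters not allowed"
    if not pattern.fullmatch(value):
        return None, f"{name}: contains characters outside the allowed set"
    return value, None


def validate_form(submission):
    """Server-side validation of a whole form.

    `submission` is the decoded request body as a dict. Returns (clean, errors);
    the caller must only proceed when `errors` is empty.
    """
    errors = []
    clean = {}
    # Fields the form never defined are rejected, not silently ignored.
    for extra in sorted(set(submission) - set(FIELD_RULES)):
        errors.append(f"{extra}: unexpected field")
    for name in FIELD_RULES:
        value, err = validate_field(name, submission.get(name, ""))
        if err:
            errors.append(err)
        else:
            clean[name] = value
    return clean, errors


def handle_registration(submission):
    """Hypothetical request handler: validation happens here, on the server,
    whether or not the browser ran its own checks."""
    clean, errors = validate_form(submission)
    if errors:
        return {"status": 400, "errors": errors}
    # Only the validated, normalized values reach storage.
    return {"status": 200, "stored": clean}


if __name__ == "__main__":
    # A submission that skipped the browser-side script entirely (constructed).
    print(handle_registration({"last_name": "A" * 60, "email": "x@example.com",
                               "zip": "46204", "is_admin": "1"}))
```

The handler accepts nothing it did not validate itself, so a request crafted to skip the browser's JavaScript checks is rejected on the same path as a typo from a legitimate user.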

4. Block IP addresses

Another way to stop malicious attacks is to block the addresses of suspicious users. Each computer connected to the Internet has a unique Internet Protocol address, and each visitor to a Web site leaves its IP address behind, much like a footprint.

By monitoring Web site activity (valid or invalid data submissions, frequent credit card attempts, a single IP address supplying many different credit card numbers, and so on), experts can identify patterns. Blocking a malicious user's IP address will prevent that person from accessing and harming the site.
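As an added example (not code from the column or its author), the detection logic behind the pattern the column describes: a short run of constructed checkout log lines is replayed through a per-address sliding window, and any address that presents more than a threshold of distinct card numbers, or more than a threshold of declines, within five minutes is flagged for blocking. The log format, field names, addresses and thresholds are all assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, client IP, authorization outcome, masked card.
# 203.0.113.9 cycles through six different cards in a few seconds, which is the
# pattern the column describes; the other two addresses look like normal shoppers.
SAMPLE_LOG = """\
2007-11-26T10:00:01 198.51.100.7 approved card=****1111
2007-11-26T10:00:05 203.0.113.9 declined card=****2222
2007-11-26T10:00:06 203.0.113.9 declined card=****3333
2007-11-26T10:00:08 203.0.113.9 declined card=****4444
2007-11-26T10:00:09 203.0.113.9 approved card=****5555
2007-11-26T10:00:11 203.0.113.9 declined card=****6666
2007-11-26T10:00:12 203.0.113.9 declined card=****7777
2007-11-26T10:02:30 198.51.100.7 approved card=****1111
2007-11-26T10:05:00 192.0.2.44 declined card=****8888
2007-11-26T10:05:40 192.0.2.44 approved card=****8888
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (approved|declined) card=(\S+)$")


def parse_log(text):
    """Yield (timestamp, ip, outcome, card) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, ip, outcome, card = match.groups()
        yield datetime.fromisoformat(ts), ip, outcome, card


def find_suspicious_ips(events, window=timedelta(minutes=5),
                        max_distinct_cards=3, max_declines=3):
    """Return {ip: set_of_rules_tripped} for addresses whose activity inside
    any `window` exceeds the distinct-card or decline thresholds."""
    recent = defaultdict(list)   # ip -> events still inside the window
    flagged = defaultdict(set)   # ip -> names of the rules it tripped
    for ts, ip, outcome, card in sorted(events):
        cutoff = ts - window
        bucket = [e for e in recent[ip] if e[0] >= cutoff]
        bucket.append((ts, outcome, card))
        recent[ip] = bucket
        distinct_cards = {c for _, _, c in bucket}
        declines = sum(1 for _, o, _ in bucket if o == "declined")
        if len(distinct_cards) > max_distinct_cards:
            flagged[ip].add("distinct_cards")
        if declines > max_declines:
            flagged[ip].add("declines")
    return dict(flagged)


def build_blocklist(log_text):
    """Addresses that would be handed to the firewall or application filter."""
    return sorted(find_suspicious_ips(parse_log(log_text)))


if __name__ == "__main__":
    for ip, rules in find_suspicious_ips(parse_log(SAMPLE_LOG)).items():
        print(f"block {ip}: {', '.join(sorted(rules))}")
```

Two practical points the sample keeps visible: the thresholds are per window, so a legitimate customer whose single card is declined once and then approved is never flagged, and the block list is derived from observed behaviour rather than maintained by hand. Because corporate gateways and proxies put many users behind one address, entries on a list like this are best given an expiry and reviewed rather than left in place indefinitely.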

5. Keep scanning

Thorough security scans should be done during the development of the Web site, not after it's live, but keeping a Web site secure also requires being proactive, especially if site content is user-generated or the site is continuously being improved.

Ideally, the site should be scanned daily to produce reports about security threats and upgrades. In addition, more in-depth analysis, done quarterly or after any significant change to the site, should address new vulnerabilities.

It's true that companies face greater vulnerability as access increases, but that doesn't mean it's impossible to be both secure and accessible.

By undertaking the above techniques, a company can lower its risk of security breaches and protect itself from litigation, fines and immeasurable reputation risks.



Strawmyer is an executive in the performance group with the Indianapolis office of Crowe Chizek and Co. LLC. He specializes in Microsoft-based solutions. Views expressed here are the writer's.