
How Secure is Your Web Site?

DQC Bureau

A news headline in a national daily recently informed readers that hackers had broken into a bank’s web site. Needless to say, a very serious issue was handled very amateurishly by the bank authorities. Let us take a look at the implications of the episode. We may treat this as a purely generalized case of what could happen to other web sites if precautions are not put in place. If one closely follows the chain of events mentioned in the report, one will find several loopholes that the bank could have easily plugged with a little common sense.

The hackers claim that their sole interest was checking out how secure transactions were on the bank’s web site. If their sole interest is indeed what they claim, there are other less dubious ways of going about it. Simple business ethics demand more restraint. The report indicates that the hackers got in touch with the newspaper, which in turn informed the bank authorities. The hackers could just as easily have contacted the bank authorities when they first breached the web site’s security. If their professed intention was to merely sound a warning, they could then have desisted from hacking the web site further.


Unauthorized access

On the other hand, the bank appears to be unaware of simple things like server log files generated on the web site. It is a must for a web site to keep track of log files on a daily basis to prevent the possibility of any unauthorized attempts at accessing various files and directories on the web server. Hackers will always leave behind telltale evidence. According to the report, they took four working days to break into the web site – in such a situation, the bank should have realized that something was amiss on the very first day.

I have recently reviewed a web site because the owner was not happy with the services of his web design and hosting company. We had not informed the web design and hosting company about this. However, the marks left in the log files alerted them about what was afoot. Shortly after I reported the flaws in the web site to the owner, the hosting company plugged the loopholes even before the web site owner could take up the matter with them. What a small web hosting company could do, a bank needs to do in a much better way.

The bank’s response to this hacking was also very amateurish. The authorities very plainly accepted the flaws in their system but claimed that no harm was done to their clients’ accounts as no on-line transactions are allowed yet. Cyberlaws or no cyberlaws, one should protest strongly against such acts of hacking, and find out what legal action can be taken against hackers under existing criminal laws. If you have a web site that allows e-commerce, or at least some database operations, you must take precautions to avoid such an incident.

Adequate precautions

It is nice to be able to tell everyone that you are into e-commerce and you have an e-commerce web site, but with that comes a lot of responsibility. The cost of making a web site secure is much more than you can imagine. Saving money at the wrong place may spell disaster for your site in the future. I am not implying that spending more money will get you results. You must also understand what measures are being implemented, otherwise you may just end up paying fat fees without really getting value for money. Make sure that no one can access the password file on the server. Even if the password file is encrypted, it is possible for a hacker to crack the codes after downloading the file to his computer.

It is not always necessary for a hacker to be able to hack your main server password to reach the password file and database on the server. There is another way of getting your server password. If a hacker is able to get the password from a friend or a frustrated employee inside the company, why would he waste any energy on guessing the passwords? If an unhappy employee in your company has the password for the web server, it is better to move that responsibility to another person. The human link is the weakest link in the security chain.

Firewalls and other security packages are costly, but if your data is valuable, it is worth spending money on high-level security measures. The Internet community the world over is vulnerable to hack attacks. An online bank in Germany registers almost one thousand hack attacks per day – all rendered ineffective due to its security measures. If you have some important data on your site – people will always try their luck. So keep track of server log files and analyze them regularly.
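The daily log review recommended here and under "Unauthorized access", as an added example that is not part of the original article: it flags clients that pile up refused or not-found requests in one day, and any password or database file that was actually served. The Common Log Format input, the sensitive-file patterns, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [day:time zone] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

# Assumed name patterns for password and database files that must never be served.
SENSITIVE = re.compile(r'(passwd|\.mdb|\.sql|\.db)(\?|$)', re.I)
DENIED = {"401", "403", "404"}

def review(lines, threshold=3):
    """Return (probing, exposed).

    probing: {(day, host): [paths]} for clients with >= threshold refused
             or not-found requests on one day.
    exposed: [(day, host, path)] for sensitive files that were actually served.
    """
    denied = defaultdict(list)
    exposed = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        key = (m["day"], m["host"])
        if m["status"] in DENIED:
            denied[key].append(m["path"])
        elif m["status"].startswith("2") and SENSITIVE.search(m["path"]):
            exposed.append((*key, m["path"]))
    probing = {k: v for k, v in denied.items() if len(v) >= threshold}
    return probing, exposed

# Constructed sample lines (documentation IP ranges), not taken from any real server.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2001:09:14:02 +0530] "GET /index.html HTTP/1.0" 200 5120
203.0.113.7 - - [12/Mar/2001:09:20:11 +0530] "GET /admin/ HTTP/1.0" 403 289
203.0.113.7 - - [12/Mar/2001:09:20:15 +0530] "GET /cgi-bin/passwd HTTP/1.0" 404 276
203.0.113.7 - - [12/Mar/2001:09:21:40 +0530] "GET /private/ HTTP/1.0" 401 301
192.0.2.10 - - [12/Mar/2001:10:02:33 +0530] "GET /rates.html HTTP/1.0" 200 2048
203.0.113.7 - - [13/Mar/2001:22:05:09 +0530] "GET /data/accounts.mdb HTTP/1.0" 200 884736
198.51.100.4 - - [13/Mar/2001:11:00:00 +0530] "GET /old-page.html HTTP/1.0" 404 276
""".splitlines()

if __name__ == "__main__":
    probing, exposed = review(SAMPLE_LOG)
    for (day, host), paths in probing.items():
        print(f"{day} {host}: {len(paths)} refused requests -> {paths}")
    for day, host, path in exposed:
        print(f"{day} {host}: SERVED sensitive file {path}")
```

On the sample, the client that probed three protected paths on the first day is flagged that same day, and the database file it retrieved the next day shows up as served, which is the finding that needs immediate action.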


If you have an important database on the web server, put the database files in a directory that is fully secure and that no unauthorized person can access. Use a secure server whenever required, irrespective of the high costs involved.
