With over 100 million registered domain names and a low cost of entry, the World Wide Web has become a massive operation. For example, billions of email messages are exchanged every day. No barriers to entry and low switching costs have made the cyber arena a lucrative spot for destructive behavior. Specifically, spammers, hackers, and “spiders” are growing concerns for all online businesses. There is a great deal of technical and fragmented information about cyber security, yet little (if any) of it treats the subject in a systematic way. Thus, this article introduces the essentials of cyber security to business owners:
1. Networks Matter
Intra-office and extra-office networking among computers and servers is a hot spot for attackers. Make sure you tighten your network security, since even a minor network security leak can compromise your whole company's data.
2. Physical Security
As obvious as it sounds, many companies still operate with old physical security systems and inadequate staff training programs.
3. Database Hacking
It is of absolute importance to monitor the people who maintain and manage your database. It is better to define different roles, each of which gives staff specific database access privileges.
4. Application Server Attacks
There are five things you can do to protect your servers:
Make sure to set up and test the redundant servers properly
Make routine backups a second habit
Define different roles and server access privileges if you run your own servers
Check your server logs periodically for any unusual activity
Make sure the server firewalls and server load balancers (if you have one) are set up properly.
5. Mail Server Hacking
Sometimes attackers can hack your mail server and send spam, or impersonate others, so that the emails appear to be sent by you. For instance, a hacker can send fake emails to all your users asking them to change their username and password, in order to hijack their account credentials. Since users receive emails allegedly on behalf of your company, they will be willing to trust them and share their information.
6. DNS Attacks
Although Domain Name System (DNS) attacks are not common, the damage they cause is profound. Imagine, for example, that for one hour your users cannot access your website, or worse, are redirected to the attacker's phishing web pages.
7. Admin Account Protections
Many serious applications, or big websites, come with an admin portal where company staff can log in and manage the website and mobile app content. To protect admin accounts, you need to have:
Different layers of admin access privileges based on organizational rank and experience
Secure admin authentication, where all company staff must contact the chief IT administrator if they forget their password
Secure registration, where all team members are registered in the system as securely as possible. In other words, it is preposterous to see a team registration or signup form appear in online search results
Restrictions against search engines, where admin pages must not be crawled or indexed by search engines; this can easily be done by adding the admin directory to the disallowed directory list in your robots.txt file
Staff activity surveillance, where for very sensitive admin platforms it is better to monitor staff activity: what pages they visited, how often, etc.
Valid IP/MAC address verification, where you verify the IP or MAC address before showing the login form to company staff. This simple approach makes the hackers' job much more difficult.
8. Forgot Password Compromises
Sometimes attackers try to penetrate your system via fake forgot-password attempts. Here are four remedies:
Count the total attempts and lock the user account after a certain number of attempts
Utilize multiple password retrieval options, like a combination of cell phone and email address verification
Make sure your forgot-password form can detect “spiders” or robot submissions
Once a user's password is successfully reset, email the user reminding them to change the reset password immediately after the first login.
9. Brute-Force Attacks
Brute-force attacks consist mainly of many login attempts by attackers to break into a victim's account and steal their identity and data, often in a way that is impossible for the victim to notice. The only remedy I know of is to limit the maximum number of login attempts (to, for instance, five) while saving each attempt in the database. Once the limit is reached, you lock the user account and have the user contact the system administrators for account reactivation.
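The attempt counting and lockout described for forgot-password forms (item 8) and for login brute-forcing (item 9), as an added example that is not part of the original article. It records every failed login or reset attempt in a SQLite table, locks the account at the fifth failure, and keeps it locked until an administrator reactivates it; the limit of five and the SQLite schema are assumptions.

```python
import sqlite3
import time

MAX_ATTEMPTS = 5  # lock on the fifth failure, as the article suggests


class LoginAttemptTracker:
    """Stores failed login / password-reset attempts in the database and
    locks an account once MAX_ATTEMPTS failures accumulate. The lock stays
    in place until an administrator calls unlock(), as the article prescribes."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS attempts "
                        "(username TEXT, kind TEXT, ts REAL)")
        self.db.execute("CREATE TABLE IF NOT EXISTS locks "
                        "(username TEXT PRIMARY KEY, locked_at REAL)")

    def is_locked(self, username):
        row = self.db.execute("SELECT 1 FROM locks WHERE username = ?",
                              (username,)).fetchone()
        return row is not None

    def failure_count(self, username):
        return self.db.execute("SELECT COUNT(*) FROM attempts WHERE username = ?",
                               (username,)).fetchone()[0]

    def record_failure(self, username, kind, now=None):
        """kind is 'login' or 'reset'. Every failure is persisted so it can be
        audited later; returns True if the account is now locked."""
        now = time.time() if now is None else now
        self.db.execute("INSERT INTO attempts VALUES (?, ?, ?)", (username, kind, now))
        if self.failure_count(username) >= MAX_ATTEMPTS:
            self.db.execute("INSERT OR REPLACE INTO locks VALUES (?, ?)", (username, now))
            return True
        return False

    def record_success(self, username):
        """A successful login resets the counter for an unlocked account."""
        self.db.execute("DELETE FROM attempts WHERE username = ?", (username,))

    def unlock(self, username):
        """Administrator reactivation: clears the lock and the failure history."""
        self.db.execute("DELETE FROM locks WHERE username = ?", (username,))
        self.db.execute("DELETE FROM attempts WHERE username = ?", (username,))
```

Call `is_locked()` before checking the submitted password or processing a reset request, so a locked account is never re-evaluated until an administrator unlocks it.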
10. Session Hijackings
Session hijacking is an attack of which many programmers and business owners should be aware. After a user successfully logs into your system, they are assigned a unique session ID for ease of tracking. However, if attackers take hold of a user's session ID, they can hijack the user's account and make transactions on the user's behalf, especially via the shopping cart. Therefore, it is good practice to log users out after a certain period of inactivity and to destroy their session data correctly.
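The inactivity logout and session destruction recommended above, as an added example that is not part of the original article. It goes slightly beyond the text by also rotating the session ID after login; the 15-minute idle limit and the in-memory store are assumptions.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # assumed inactivity limit, in seconds


class SessionStore:
    """Server-side session table. Each record carries its last-activity time;
    any access after IDLE_TIMEOUT seconds of inactivity destroys the record
    instead of serving it, so a captured ID goes stale on its own."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self._sessions = {}  # session_id -> {"user", "data", "last_seen"}

    def create(self, user, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # unpredictable, so IDs cannot be guessed
        self._sessions[sid] = {"user": user, "data": {}, "last_seen": now}
        return sid

    def get(self, sid, now=None):
        """Return the session record, or None if it is unknown or has expired."""
        now = time.time() if now is None else now
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if now - sess["last_seen"] > self.idle_timeout:
            self.destroy(sid)  # idle too long: log the user out server-side
            return None
        sess["last_seen"] = now  # activity extends the session (sliding window)
        return sess

    def rotate(self, sid, now=None):
        """Issue a fresh ID for a live session (e.g. right after login), so an
        ID observed before authentication is useless afterwards."""
        sess = self.get(sid, now)
        if sess is None:
            return None
        del self._sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = sess
        return new_sid

    def destroy(self, sid):
        """Remove the session and wipe its data (cart contents etc.), not just the key."""
        sess = self._sessions.pop(sid, None)
        if sess is not None:
            sess["data"].clear()
        return sess is not None
```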
What was discussed above are the first, yet the main, areas of cyber security that are going to alarm many businesses within the next five years. Last but not least, the full implementation of cyber security initiatives requires a thorough understanding of the firm's processes and its overarching master plans. Indeed, as always, the strength of a chain is measured by its weakest link, so make sure to address all of your system's vulnerabilities and draft updated contingency plans for catastrophic incidents.