Security: Your Site Is At Risk
08/04/06 10:02:24 AM (Edited 08/28/06 12:08:14 PM)
Posted by Joel Learner,
Be Paranoid
Your site is on a huge network, whose users include some of the most cunning, most intelligent, and, in some cases, most malicious people in the world. You might think (and you wouldn’t be the first person to do so) that your site is of no interest to bad people. You’d be wrong. Assume your site is a target. If you’re wrong, no harm done. If you’re right, you’ll be glad you did.
Your web developer has worked hard to ensure that your site is, at the moment, as secure as it can be. Now that your developer’s job is done, it is up to you to keep your site secure.
Warnings and Email
There are a great many developers on the web who are aware of security concerns, and if they spot a security problem on your site, there is a good chance they will email the contact address on your site. That could very well mean you receive an occasional email from someone telling you there is a problem on your site.
Some of these emails will be part of a sales tactic. Some people will think there is a problem but will not have sufficient knowledge to realize that they are wrong. Some people might be right, and there might be a risk. If you receive an email about a security problem, do not ignore it; forward it to your developer and ask them about it. If there is a problem, your developer will fix it, and if not they will tell you. Either way, they are the only one in a position to determine whether or not the problem in the email is a genuine one.
Making Changes
If you want changes made, you should contact the person who built your site. Would you take an Aston Martin DB9 to a Skoda dealer to have work done? No, you’d take it to the place that will ensure you get the best job done, even if it is a little more expensive. It is the same with a website: your developer knows his way around the site. He knows every little detail about it. He, most importantly, knows how to make changes while keeping your site secure. Another, cheaper developer may not, and in the long run may cost you far more as a result.
Social Engineering
“Good morning, XYZ Trading.”
“Hi. I’m calling from ABC Web Design. We designed your site, but we’ve lost your FTP details. Do you have them handy?”
“Sure. Give me a minute.”
Congratulations, you’ve just given your FTP details to a random stranger, who now has access to your files, your database – maybe even your customers’ credit card numbers. This is called “social engineering”, and it is very common and very dangerous. Should anyone call asking for site details, you should always, without fail, call the company back at the number you have on file. Never, ever, give any details to anyone unless you are absolutely certain of who you are speaking to. Even then, be cautious.
The above article is reprinted by permission from Dave Child.