Think about the website's security policy like a "Leader"

Source: Internet
Author: User

Careful consideration

Sandy Sherizen, president of Data Security Systems in Natick, suggested that the administrator in charge of a company's website content should learn to "think like a hacker". The hackers referred to here are intruders or commercial spies who attempt to steal company information or collect trade secrets. Some seemingly unimportant pieces of information on the company's website, once harvested, collected and pieced together, may lead to the leakage of important information such as the internal organizational structure, strategic partnerships, and core customers.

Sherizen pointed out that maintaining the security of the company's website is not only the responsibility of the website administrator and the public relations department. Before any information is posted on the website, the company's IT security personnel should review it from a security perspective. After all, they are responsible for checking for technical weaknesses and taking appropriate measures to prevent damage. In other words, professional IT security personnel have been trained to "think like thieves".

Sense of Responsibility

With the implementation of new liability laws, such as the Sarbanes-Oxley Act and the Financial Services Modernization Act (Gramm-Leach-Bliley Act), Sherizen warned that neglected security issues on the website may expose the company to corresponding legal liability, especially when the security issues involve the supply chain and commercial partners closely related to the company, or customer information collected by the company's website.

Sherizen cited a legal case as an illustration. Someone logged on to Company A's website, which lacked adequate security protection, and used it to intrude into Company B's information system, with the possibility of further destructive activity. Company B sued Company A for damages and won the case, even though the actual intrusion was carried out by a third-party hacker.

"Principle of least privilege"

Nick Brigman, vice president of product strategy at the Internet security company RedSiren, recommends that company websites actively adopt the principle of least privilege. On the one hand, users must be given the functions they actually need; on the other hand, IT security management must be enforced vigilantly. He pointed out that the first step is to determine the purpose of the company's website and the permissions it requires. If the company sets up a website to attract more customers and direct them to the sales team, it does not need to publish the company's internal information on the website. Brigman further explained that too much information may leak the company's trade secrets.

RedSiren offers customers a service named "public information reconnaissance", which searches the Internet for any publicly available information related to the customer. Brigman said: "Generally it takes longer to get the information you want. Even some webpages intended for internal reference only may turn up, because they were inadvertently uploaded. Even if the company website does not link to these pages, the powerful indexing of Google or other search engines is enough to find them and make use of the information."

Brigman stressed that some information should never be posted on the World Wide Web, even if the company believes that adequate security measures have been taken and that user access is restricted to a very small set of privileges. Information such as strategic plans, future sales strategies, and negotiations with partners should be strictly protected.

Ray Donahue, director in charge of security at Anteon, an information technology and engineering services company in Fairfax, believes that while reviewing its own website content, the company should also pay attention to the websites of its main suppliers and learn how they describe your company. From the perspective of your business partners, announcing a new strategic cooperation on their website may seem to have an excellent advertising effect. However, if your business partner's website lacks adequate security protection, hackers may exploit the information it publishes. Once hackers know which software system or network device your company is using, they will try to attack the company by exploiting that system's or network's security vulnerabilities.

Barry Stein, a partner and intellectual property attorney at Caesar, Rivise, Bernstein, Cohen & Pokotilow, pointed out that if the company's website content is not strictly reviewed, the company will face legal consequences and potential property losses. It is therefore necessary to avoid disclosing company trade secrets as much as possible and to consider patent rights. He stressed that, because the Internet is global in nature, the details of a solution eligible for an invention patent may be leaked. If no patent application is filed beforehand, the solution may lose the opportunity to obtain foreign patent rights.

Avoid leakage of important information from email addresses

The most common and dangerous situation when a company posts information on a website is the use of an email address for "contact someone for details". Nick Brigman warned: the email names published on the website make it easy to obtain the information you want. Spammers commonly harvest the email addresses and aliases published on these websites for spam distribution. These addresses and names may also be exploited by malicious hackers to spread worms or other viruses by forging emails.

Brigman also suggested that one way to avoid this potential danger is to use a Web form instead of publishing direct contact addresses, so that users never interact directly with the company's internal email system.
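One way to build the Web form Brigman recommends, as an added example that is not from the article or from RedSiren: the internal mailbox is a server-side constant that never appears in the rendered HTML, and every value that ends up in a mail header is checked for line breaks so a visitor cannot inject extra headers into the relayed message. The mailbox name, field names and sample submission are assumptions.

```python
"""Contact-form relay: accepts a web form submission and builds an e-mail to a
fixed internal mailbox, so the internal address is never published as a
mailto: link and never echoed back to the visitor.

Added example; INTERNAL_INBOX, PUBLIC_SENDER and the field names are
assumptions, not values from the original article.
"""
import re
from email.message import EmailMessage

# Assumed internal destination: configured server-side, never rendered in HTML.
INTERNAL_INBOX = "sales-inquiries@example.internal"
PUBLIC_SENDER = "website-forms@example.com"

_EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$")
MAX_BODY = 4000


class FormRejected(ValueError):
    """Raised when a submission fails validation; the message is safe to show."""


def _single_line(value: str, limit: int) -> str:
    # CR/LF in a value that ends up in a header would let a visitor inject
    # extra headers (for example Bcc) into the relayed mail, so reject them.
    if "\r" in value or "\n" in value:
        raise FormRejected("field must not contain line breaks")
    value = value.strip()
    if not value or len(value) > limit:
        raise FormRejected("field missing or too long")
    return value


def build_contact_message(form: dict) -> EmailMessage:
    """Validate a contact-form submission and build the internal e-mail."""
    name = _single_line(form.get("name", ""), 100)
    reply_to = _single_line(form.get("email", ""), 254)
    if not _EMAIL_RE.match(reply_to):
        raise FormRejected("invalid e-mail address")
    subject = _single_line(form.get("subject", ""), 200)
    body = form.get("message", "")
    if not body.strip() or len(body) > MAX_BODY:
        raise FormRejected("message missing or too long")

    msg = EmailMessage()
    msg["From"] = PUBLIC_SENDER      # fixed sender, not the visitor's address
    msg["To"] = INTERNAL_INBOX       # routed server-side only
    msg["Reply-To"] = reply_to       # staff can still answer the visitor
    msg["Subject"] = f"[web form] {subject}"
    msg.set_content(f"From: {name} <{reply_to}>\n\n{body}")
    return msg


def is_rejected(form: dict) -> bool:
    """True if the submission fails validation (used for checks below)."""
    try:
        build_contact_message(form)
    except FormRejected:
        return True
    return False


def render_form_html() -> str:
    """Public HTML for the form; it contains no e-mail address at all."""
    return (
        '<form method="post" action="/contact">\n'
        '  <input name="name" maxlength="100" required>\n'
        '  <input name="email" type="email" maxlength="254" required>\n'
        '  <input name="subject" maxlength="200" required>\n'
        '  <textarea name="message" maxlength="4000" required></textarea>\n'
        '  <button type="submit">Send</button>\n'
        '</form>'
    )


if __name__ == "__main__":
    # Constructed sample submission.
    sample = {"name": "Pat Example", "email": "pat@example.org",
              "subject": "Pricing question", "message": "Please call me."}
    print(build_contact_message(sample)["To"])
```

The handler only hands the message to whatever mail transport the site already uses; what matters for the article's point is that the destination address lives in server configuration and the visitor only ever sees the form.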

Ray Donahue recommends that the company also review the other contact information posted on its website. For example, if the company publishes a phone number on its website to answer users' questions, the staff answering that line should know which information may be shared, and should be alert to malicious inquiries from callers who see the line as an opportunity to steal important company or customer information or to engage in other destructive activities.

Prevent leakage of infrastructure-related information

Ray Velez, technical director of the IT consultancy Razorfish, pointed out that some companies mistakenly publish URLs on their websites that leak the type of application server or host information. For example, the old Sun ONE Application Server includes a standard directory named NASAPP in its URLs. Velez recommends removing this directory from the URL.

In addition, Nick Brigman points out a common mistake by Web authors: retrieving an image or document from the company's internal network and placing it directly on a webpage. "This incorrect practice may expose important information such as file names, system names, and file structure through the data itself. Once attackers capture information they consider useful, they will use tools and network functions to intrude further and obtain more information."

Delete technical comments from the original HTML/ASP/JSP/PHP files

Ray Velez explains this practice: technical comments left by the program developer may leak important information, such as the type of technology you are running and clues to how it might be broken. These technical comments may appear in the end user's browser. Velez warned that hackers generally like to browse message boards and related posts, so they know very well which vulnerabilities the latest security patches fix. Such risks mean that companies or individuals without the latest patches face the possibility of being attacked. Companies must therefore be vigilant against hackers using these "developer" technical comments as a guide to defeating the website's security protection.

In addition, error messages caused by technical faults should not be exposed, because they reveal weaknesses in the code and may leak basic technical information. To address this, Velez recommends replacing the default 404 and other 40x error messages with an error page that users find easier to understand and that discloses no underlying technical information.
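A pre-publication check covering the three points above (platform-revealing URL paths, developer comments, and technical error pages), as an added example that is not from the article or from Razorfish: it rebuilds an HTML page without its comments while keeping them aside for the reviewer, flags links whose path contains a platform marker (the "nasapp" marker is taken from the article's Sun ONE example; the marker list is otherwise an assumption), and produces one generic page for every 40x status. The sample HTML, including the hostname in its comment, is constructed.

```python
"""Pre-publication review for HTML pages: strips developer comments, flags
links whose path reveals the server platform, and builds a generic 40x error
page that carries no technical detail.

Added example, not from the article. The "nasapp" marker comes from the
article's Sun ONE example; all other values are constructed.
"""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Lower-cased substrings of URL paths that identify a server platform.
PLATFORM_PATH_MARKERS = ("nasapp",)   # from the article's Sun ONE example


class _CommentStripper(HTMLParser):
    """Rebuilds the document without <!-- --> comments, keeping the removed
    comments and every link target aside for review."""

    def __init__(self):
        super().__init__(convert_charrefs=False)   # keep &amp; etc. verbatim
        self.out: List[str] = []
        self.removed: List[str] = []
        self.links: List[str] = []

    def handle_comment(self, data):
        self.removed.append(data.strip())          # dropped from output

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)
        self.out.append(self.get_starttag_text())  # original tag text

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)           # <img .../> stays as written

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")              # e.g. DOCTYPE


def review_html(html: str, markers=PLATFORM_PATH_MARKERS) -> Tuple[str, List[str], List[str]]:
    """Return (cleaned_html, removed_comments, platform_revealing_links)."""
    parser = _CommentStripper()
    parser.feed(html)
    parser.close()
    leaks = [u for u in parser.links
             if any(m in urlparse(u).path.lower() for m in markers)]
    return "".join(parser.out), parser.removed, leaks


def generic_error_page(status: int) -> str:
    """One user-friendly page for every 40x status: no stack trace, framework
    name, file path or status-specific detail."""
    if not 400 <= status < 500:
        raise ValueError("only client-error statuses are handled here")
    return (
        "<!DOCTYPE html><html><head><title>Page unavailable</title></head>"
        "<body><h1>Sorry, that page is not available.</h1>"
        '<p>Return to the <a href="/">home page</a> or use the contact form.</p>'
        "</body></html>"
    )


# Constructed sample page with a developer comment and a platform-revealing path.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head><title>Products</title>
<!-- TODO: remove debug flag before go-live; see build server at build01 -->
</head>
<body>
<a href="/NASApp/store/catalog">Catalog</a>
<img src="/images/logo.png" alt="logo"/>
<p>Welcome &amp; enjoy.</p>
</body></html>
"""

if __name__ == "__main__":
    cleaned, comments, leaks = review_html(SAMPLE_HTML)
    print("removed comments:", comments)
    print("platform-revealing links:", leaks)
```

Run it over each page before it goes live rather than over the live site: the comments are still worth reading, because a "TODO" that names a build server is exactly the kind of detail the article says a reviewer should catch.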

Use non-editable documents and graphics on the website

Glenn Widener, product manager at SwiftView, pointed out that improper ways of publishing information on a website may also be exploited. Documents or graphics stored in their original format, such as Word, Visio, or AutoCAD, have no protection against tampering (they are not tamper-proof). In addition, any user with the editing features of Adobe Acrobat can tamper with or edit PDF files. Considering that security measures to prevent data tampering may be complicated and time-consuming, Glenn Widener recommends that documents or graphics published on the website use common formats such as PCL, HPGL, TIFF, and JPG as much as possible, which prevents malicious tampering or editing.

For the PCL format, Widener recommends that the company allow business partners to extract the text of a business plan but not edit the information in any form. Business partners can use any reader, such as SwiftView's, to view, select, and print the text.

Because of the high security of the PCL format, it is widely used in the financial sector. For example, mortgage banks generally use the PCL format to transmit confidential documents.
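Choosing a format that is hard to edit makes casual tampering difficult; it does not by itself let a partner tell whether the file they received is the one the company published. The following added example, not from the article or from SwiftView, complements the format advice with a signed manifest of SHA-256 digests that the company publishes alongside its documents and the partner verifies on receipt. File names, contents and the shared key are constructed; the technique is generic and goes beyond the PCL case discussed above.

```python
"""Tamper-evidence for published documents: a manifest of SHA-256 digests,
authenticated with an HMAC under a key shared with the partner, so that a
changed file, a missing file, or an edited manifest is all reported.

Added example, not from the article; file names, contents and the key are
constructed.
"""
import hashlib
import hmac
import json
from typing import Dict, List


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: Dict[str, str]) -> bytes:
    # Stable serialisation so both sides compute the HMAC over identical bytes.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: Dict[str, bytes], key: bytes) -> dict:
    """Publisher side: digest every file and sign the list of digests."""
    entries = {name: _digest(data) for name, data in files.items()}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"files": entries, "hmac_sha256": tag}


def verify_manifest(files: Dict[str, bytes], manifest: dict, key: bytes) -> List[str]:
    """Receiver side: return a list of problems; an empty list means all good."""
    problems: List[str] = []
    entries = manifest.get("files", {})
    expected = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about the tag.
    if not hmac.compare_digest(expected, manifest.get("hmac_sha256", "")):
        problems.append("manifest signature invalid")
    for name, data in files.items():
        if name not in entries:
            problems.append(f"{name}: not listed in manifest")
        elif not hmac.compare_digest(entries[name], _digest(data)):
            problems.append(f"{name}: content does not match manifest")
    for name in entries:
        if name not in files:
            problems.append(f"{name}: listed in manifest but missing")
    return problems


# Constructed sample: two "published" files and a demo key shared with the partner.
SAMPLE_FILES = {
    "business-plan.pcl": b"\x1b%-12345X@PJL ... constructed PCL bytes ...",
    "site-drawing.hpgl": b"IN;SP1;PA100,100;PD200,200;PU;",
}
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_FILES, DEMO_KEY)
    print(json.dumps(manifest, indent=2))
    print("problems:", verify_manifest(SAMPLE_FILES, manifest, DEMO_KEY))
```

The manifest is published next to the documents; a partner who receives an edited copy, even one edited in a format that permits it, sees the mismatch immediately, and an attacker who alters both the file and the manifest still fails the HMAC check without the key.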

Establish security awareness

"This is a concept we hear from our customers, and now we apply it to our own market strategy," Nick Brigman said. After the 9/11 attacks, people gradually developed a stronger security awareness. Any information on the website that could be exploited should be strictly reviewed. That some important information does not appear directly on the website does not mean it cannot be stolen; a website may still expose critical information indirectly. Therefore, review of website content is crucial. If the company's IT department cannot provide professional security protection for website content, it is necessary to hire a professional third party to fulfill this security responsibility.
