Think of the security policy of the website like "The Thief"

Intermediary transaction SEO diagnosis Taobao guest Cloud host technology Hall

When people surf the Internet, do they get confidential information from the information on the Web? IT security experts warn companies to be cautious about posting information on their websites, or they might be able to exploit hackers or business spies. The experts provided some suggestions for the safety of the corporate web site.

Careful consideration
Natick, the president of the company responsible for data security, said that the administrator responsible for the content of the company's Web site should learn to "think Like a Thief", where the thief referred to is a hacker or commercial spy who tries to steal company information or collect trade secrets. Some of the seemingly unimportant pieces of information on the company's web site, once assembled and summed up by the thieves, may result in the disclosure of important information such as internal organization, strategic partnerships, and core customers.

Sherizen said: Maintaining the safety of the company's website is not only the responsibility of webmasters and public relations departments. The company's IT security personnel should review the content of the information from a security standpoint before any information is posted on the site. After all, it is their duty to examine what technical weaknesses exist and to use appropriate means to prevent damage. In other words, professional IT security personnel have been trained to "Think Like thieves".

Sense of responsibility
With the implementation of new liability laws (e.g. Sarbanes-Oxley Act), the Modernization of Financial Services Act (Gramm-leach Bliley Act), Oxley Sherizen warned that the safety problems on the Web site may cause the company to assume the corresponding legal responsibility. Security concerns, in particular, involve supply chains and business partners that are closely linked to the company, or that involve customer information gathered by the company's Web site.

Sherizen cited a legal case to illustrate. When someone logs on to a company website, because the site lacks adequate security protection, so that he can take advantage of a company's web site to invade B Company's information system, and possible further damage activities. Company B sued company A for damage and won, although the invasion was carried out as a third party hacker.

The principle of least privilege
Nick Brigman, vice president of product strategy at Redsiren, the Internet Security Enterprise, recommends that the company's website should actively adopt the principle of least privilege (rule of least-privilege). On the one hand, it is necessary to ensure that the user "essential" functional operations, on the other hand to be vigilant to the implementation of IT security management. First, you should set goals and permissions for your company's Web site, he said. If the company's goal is simply to attract more customer attention and lead them to the sales team, there is no need to publish the company's internal information on the site. Brigman further explained that too much information could reveal the company's trade secrets.

Redsiren provides customers with a service called Public Information Reconnaissance (information Reconnaissance), which can search the Internet for any publicly available information about customers. "Generally speaking, it takes a little more time to get the information you want," Brigman said. Even some Web pages that are for internal reference are also likely to be seized, as these pages are inadvertently uploaded. Even if the company's Web site does not provide these links, the use of Google or other search engine powerful indexing function, you can make the relevant information to find and use.

Brigman stressed that certain information should never be posted on the global information network, even if the company believes that adequate security precautions have been taken and that access to users is limited to minimal privileges. Information such as strategic plans, future sales strategies, and negotiations with partners should be subject to strict security protection.

The information technology and engineering services company Anteon is responsible for Fairfax Local security director Ray Donahue believes that when the company reviews its website content, it needs to pay attention to its major suppliers ' websites and see how they describe your company. From your business partner's point of view, they may think that announcing their new strategic partnership through the Web site could create an excellent advertising effect; However, if the business partner's website lacks adequate security, the information disseminated through the Internet is likely to be exploited by hackers. Once the hacker understands what kind of software system or network device your company is using, they will try to exploit the system or network security vulnerabilities to attack the company.

Caesar, partner and intellectual property Law lawyer at Rivise,bernstein,cohen & Pokotilow law firm, said Barry Stein that the company would face legal consequences and potential property losses if the company's website content lacked rigorous scrutiny. Therefore, it is necessary to be as careful as possible to avoid the disclosure of company trade secrets and to consider patent issues. He stressed that because the Internet has a global, can apply for the Invention Patent program its details if the leak, if not previously applied for a patent, then the program may lose the opportunity to obtain foreign patent.

Avoid leaking important information from e-mail addresses
The most common and most dangerous situation when companies post information on a Web site is to use the email address "Please contact someone for details." Nick Brigman warns that unscrupulous people can easily get the information they want by using the name of the e-mail that is publicly available on the site. Often, it is the malicious spammers who use the mailing addresses and mask addresses posted on these sites to spread spam. These address and name information can also be exploited by malicious hackers to spread worms or other viruses by forging e-mail messages.

Brigman also suggests that one way to avoid this potential risk is to take advantage of Web Forms (Web form) to replace direct contact between users and the company's internal e-mail system.

Ray Donahue suggests that companies need to test other contact forms posted on their websites. For example, if a company publishes a phone number on a Web site to answer a user's question, it needs to be certain that the staff responsible for answering the phone line should be aware of what information is shared. Beware of those who have malicious inquiries, hoping to take this opportunity to steal important information and customer information within the company, or to engage in other disruptive activities.

Avoid leaking information about infrastructure
"Some companies mistakenly advertise URLs on their web sites, which could cause the application server type or host information associated with them to be compromised," said Ray Velez, technology director at Razorfish, an IT technology consultancy. For example, the URL for an older Sun one application server contains a standard directory named Nasapp in the URL. Velez recommends that you remove this directory.

In addition, Nick Brigman also points out that web makers have a recurring error of retrieving an icon or document directly from a corporate network and placing them on a Web page. "This wrong way of doing this makes it possible for important information such as file names, system names, and even file structures to be compromised through data." Once the wrongdoer captures the information that is deemed useful, they will use the tools and network functions to implement further intrusions and obtain more information. "

Remove technical comments from html/asp/jsp/php original files
Ray Velez explains this by taking into account that the technical comments of a program developer may reveal some important information, such as the type of technology you are running and the way it is cracked. These technical comments may appear in the end user's browser. Velez cautioned that hackers usually like to browse message boards or related texts, so they know exactly what vulnerabilities the latest release of security patches fixes. The existence of this vulnerability, regardless of the latest patch upgrade of the company or individuals, it means that will face the possibility of being attacked. Therefore, you must be wary of hackers trying to use these "developer" technical comments as a guide to cracking Web site security.

In addition, error messages that appear to be just a technical failure should avoid exposure. Because these error messages will show weaknesses in the code and will reveal information about the technology base. To address this issue, Velez recommends replacing the 404 status Code and other 40x error messages with an error prompt that makes it easier for users to understand and does not disclose underlying technical information.

Documents and icons that use non-edit mode on a Web site
Glenn Widener, Swiftview's product manager, pointed out that inappropriate information disclosure on the site could also be attacked. This is because documents or icons stored in the original format (such as Word, Visio, AutoCAD) are not protected by data tampering verification (tamper-proof), and any user of Adobe Acrobat writing software can tamper with or edit the PDF file. Considering that security measures to prevent data tampering can be complex and time-consuming, Glenn Widener recommends that documents or icons published on the Web site use the common formats of PCL, HPGL, TIFF, JPG, and so on, so as to avoid malicious tampering or editing.

For PCL format, Widener recommends that the company allow business partners to extract the text of a business plan, but not to edit the information in any way. Business partners can view, select, and print text in any form of reader (e.g., Swiftview ' s).

Because of its good security, the PCL format is widely used in the financial field, such as: The mortgage bank usually adopts the PCL format for the transmission of confidential documents.

Establish a sense of safety
"This is a concept that we hear from customers and now we're applying it to our marketing strategy," says Nick Brigman. After the 911 incident, people gradually set up a stronger sense of security. It is to be remembered that the information that may be used on the website should be scrutinized. Some important information does not appear directly on the site, but does not indicate that the information will not be stolen. The site may be a loophole in which important information is leaked. Therefore, it is essential to review the content of the Web site. If the company's IT department does not provide professional security for the content of the site, then it is necessary to hire a professional third party to fulfill this security responsibility.