The single most important feature a web hosting plan can have is a good encryption service. Without proper data encryption, all of the information sent to and from your website can be intercepted by hackers and other cyber criminals. If you run an online business, this can prove to be especially dangerous, as there is important information being transferred on your web server daily, including credit card numbers, bank account numbers, addresses, phone numbers and other information that your customers entrust to you. If this information is intercepted you may be held liable, and ultimately your business could be dismantled.

What is Encryption?

Encryption is the transformation of plain information into encrypted information which cannot be viewed by an outsider without a special key that unlocks the encryption. When data transfers through an encryption service it is scrambled in a seemingly arbitrary fashion. By the time it reaches the other side of the portal, the data is completely unrecognizable and cannot be used by any third party without the key that is custom generated during the encryption process. The encryption services uses a computer algorithm to create a random cipher which prevents hackers from accessing the encrypted information. Many people also use the term decryption to refer to the process of deciphering the information for the end users usability. Over the years the standards for encryption has changed notably.

WEP

WEP – (Wired Equivalent Privacy)  is an algorithm that has been deprecated to effectively secure all IEEE 802.11 wireless networks. Since wireless networks broadcast their messages utilizing radio waves, they are susceptible to intruders, even more than conventional networks with wires attached.  When it was first released, WEP  proposed to provide  completely confidentiality similar to that of a conventional wired network. However, in 200 various crucial weaknesses were noticed by professional   cryptanalysts, and it is now a widely accepted fact that a  WEP connection can be hacked easily obtainable software in a very short time period.

WPA

In response to the aforementioned weaknesses of WEP, WPA was created.

WPA/WPA2 – (Wi-Fi Protected Access)  is a program that provides certification, developed by the Wi-Fi Alliance to represent complete compliance with all security protocol instilled by the Wi-Fi Alliance. These protocols are specifically designed to maintain safety in all wireless networks. The WPA protocol enables safe functionality of IEEE 802.11i standard, but was initially meant to an intermediate security measure to temporarily substitute WEP while 802.11i was being prepared. The later developed WPA2 established an advanced protocol that is now seen as the full standard in data encryption.

Conclusion

Having the proper encryption services to protect your online website is absolutely imperative, especially when running an online business. Knowing the nature for encryption services and what the industry standard is will help you make the right decision without having to experience costly trial and error mishaps. Using only thee best encryption services will keep your business from suffering, and will prevent you and your customers from being victimized.

The internet is teeming with thousands of hackers that are constantly searching for any weaknesses that they can exploit. Aside from monetary motivation, these hackers may also want to defame your website, just for fun! Any online business owner should be aware of the practices of these hackers, especially if they engage in ecommerce practices directly through their website. Protecting the privacy of your customers is of the utmost importance and most webmasters realize this and take the necessary precautions to do so. However, many webmasters and online business owners don’t realize that protecting the privacy of their business is just as important. The information found in this article could save you form a lot of financial and personal distress ion the future.

Protecting More than Your Assets

I am sure by now you are aware of the financial risks that are so common on the internet. However many people overlook the villains that are not seeking your money, but are driven by a darker motivation. These people are called online predators, and they seek to exploit and take advantage of any private information they can. Many of them socialize in chat rooms, looking for vulnerable and gullible people that they can take advantage of. In fact there are many crimes each year committed by people that met and seduced their victims online. The problem is, these predators can find you and your family a lot easier than you think ,and they don’t have to do it in a chat room!

Should This Information Be Public?

If you have never heard  of the WHOIS database, then now is the time to become familiar with it. When you register your domain, all of the information about your domain such as the name of the domain owner, and the address, are recorded in the WHOIS database. This information can be researched for free by anyone whom so desires. That means that anyone can find your address whether it be business or home, which obviously presents a real threat, especially if you have known enemies. Even if you don’t have enemies now, it is all to easy to find them online. If you run an online business, it would not be unrealistic for a dissatisfied customer to look up your information to slander or harass you, as this has occurred in the past. Some advertising agencies will use information to place annoying marketing calls to your registered number. Do you really want this kind of information to be public?

Protecting Yourself With Private Domain Registration

If you have come to the conclusion that you would lie all of this information to be hidden form the public, then you may want to register your domain as a private domain. Private domains will still receive all of the publicity and popularity of a regular domain, except the only difference is that your information is not put in the WHOIS database. Once you have made the decision to do so, registering a private domain is actually quite simple, simply check the option at checkout when you;re buying your domain name. If you’re having trouble locating this option, then you may want to contact customer service for assistance.

Most people never go through the experience of dealing with a cyber attack, so they assume that it is not something they should worry about when setting up their online business. If you’ve been operating a personal computer, then this is probably the reason why you’ve never been targeted. Hackers tend to attack networks and computers that are of value to them, so don’t be surprised if your “longstanding immunity” to attacks suddenly diminished after your online business begins to thrive. One attack in particular that you should be aware of is the infamous inference attack. In an inference attack, also known as a SQL injection, the perpetrator inserts an SQL code into a form to gain access to crucial information that is stored in on of your website’s databases. While this may sound like something that only happens to small business owners, it actually happens to large corporations as well. In fact, in recent years this kind of attack has resulted din millions of dollar in fraud. To protect yourself from an inference attack, heed the following tips.

Encrypt All of Your Site’s Data

If your website frequently exchanges sensitive date such as credit card numbers or bank information, then you’ll want to make sure all of your website’s data is encrypted with SSL or TSL. Keeping your data encrypted ensures that in the event of a security breach, the intruder will not be able to use the encrypted information to their advantage.

Use Secure Web Applications and Forms

Although there are many useful web applications available, many of these tools represent the biggest security risks for companies.  This is because hackers use these applications to gain access to the back-end of your website. Therefore, you should be very cautious about which web applications you use in the administration of your website. Make sure all applications and forms used are designed with secure code.  You should also make sure your website’s users do not have the capability of sending SQL queries, as this is how most hackers execute inference attacks. Avoiding malicious code input from hackers is the first line of defense in preventing an inference attack. You should also avoid using dynamic queries. Dynamic queries allow hackers to send and receive SQL information over the internet in plain text, therefore these queries present a substantial security risk. Many experts recommend avoiding the use of dynamic queries altogether.

Execute Updates Regularly

Keeping your operating system and website updated is an important part in maintaining the security of your online business. Many people don’t realize that maintaining the security of their website is a full time job that needs to be tended to daily. For this reason most security companies update their software as soon as a vulnerability is recognized.  To avoid an inference attack, or any other attack, you should keep you website and operating system updated, and make sure you are ware of any new developments.

As an online business owner, the security of your website should be at the top of your priority list. Web hosting security is a field that is constantly evolving, with new threats developing every day. Just as you work hard on a daily basis to improve the quality of your website, hackers work just as diligently to circumvent the security measures put in place by your web hosting service provider. The detrimental effects of compromised security can range from minor to major. You may simply experience a short downtime/data loss, or you may even be the victim of fraud. One of the worst scenarios that occurs regularly is when a webmaster is blamed for fraud due to their website being hacked.

When the security of your website is compromised and an intruder gains access to your administrative interface, there is often no way for the defrauded client to distinguish between the actions of you and the hacker. This can result in the loss of your website, your business, lawsuits,  and in some cases even unjustified incarceration!

Fighting an Infinite Yet Invisible Threat

When you think of a hacker, you probably envision a young kid sitting in his mother’s basement typing extremely fast, trying to hack into databases manually. Unfortunately, this is not how hacking works in reality. Real hackers do not do tons of work manually, they use networks of “drones” to do their dirty work for them. These drones are personal computers that have been “hi-jacked” and are being used to carry out small individual tasks that ultimately compromise the security of a server or a network of servers. A single hacker can have as many as 20,000 drones, or more, carrying out pre-set functions at any time. In fact, your personal computer at home may be a drone! If your computer’s RAM is being consumed by a hidden application or “virus” then there is a small chance that your computer’s resources are being used by a hacker!

Resistant Viruses

Online viruses are similar to biological viruses, as they are constantly mutating and becoming stronger and more resistant to treatment. To prevent your personal computer from becoming the victim of a new virus, it is important to keep your anti-virus software updated.  Choosing a web hosting company that updates their security measures regularly will prevent your website from becoming a victim as well. This bring us to our next segment.

Security Capabilities of Your Hosting Provider

If you are like 90 percent of webmasters, then chances are your website is hosted by a third-party hosting service.  It is important to realize that many of these hosting companies are losing employees regularly due to the falling economy, and simply do not have the resources necessary to combat the ever-growing security threats in modern cyber-space. Since the security of your website is in the hands of a third-party company, it is important to make the necessary inquiries regarding their manpower, server capabilities and support staff. Choosing a cheap web host is not recommended for a serious online business owner.

An Example of a Serious Security Threat

Some hackers engage in the practice of “click stealing.” Click stealing is when a hacker places a redirect link over a button on your website, causing the information to be secretly sent to a third-party website. This is especially dangerous when the information is private financial information. An example would be an order form submit button. The hacker “steals” the click from the submit button, and the information is redirected to a phony web page that mimics the check out page of your website. This is a serious threat, and if you are using a third-party host it is important to make sure they are aware of this.

Resentful Employees

If you run a large online business, with tech savvy employees, it is important to change your site’s passwords and security configuration every time you fire an employee. Some employee’s may attempt to seek revenge if they are resentful towards your decision to terminate them.

Securing your web site may be one of the most important things you can do to ensure your data is safe from hackers.  Any hole left open is an invitation to nefarious attacks and these attacks can lead to not only leaking or usage of your private information but information that belongs to your customers.  Proper security measures effectively put into place can deter attacks and give you and your customers peace of mind.

How hackers work

First, exactly how do hackers get into your site and gather information?  Above all else, hackers are patient as much of their work involves guessing.  After carefully watching your web site for a time, the hacker will peruse cookies that are created and see if changes to the cookies garners success, explore the source code of each of your site’s pages and often will create an account to view the authorization process.  Hackers spend a great deal of time processing the information they gather to enable them to see where the holes are and how they can exploit these areas.

Update your CMS

One of the very first and simplest things to help secure your web site is to ensure you have the most current update of your CMS (content management system).  Software such as Drupal, Joomla, WordPress and many other mainstream CMS programs are constantly tested and updated to close up any unsecured areas.  Each day you let an update slide is another day a hacker has to get to your secure information.

Change the defaults

CMS programs often are automatically setup with default information.  After installing your CMS program, ensure you are not using the default administrator user name (often simply admin) and you have changed any default passwords.  You can be sure a hacker will know all the default information with regard to the particular CMS software your site is running on.

PHP error reporting

PHP is a very handy bit of web site programming but unfortunately can tell a hacker a lot about your system and your site if the error reporting level is set to show too much information in error messages.  You can greatly reduce this risk by completely turning off PHP error reporting and setting your configuration to not display errors should one occur.  If you are unable to do this yourself, request it of your system administrator or from support at your web hosting company.

The htaccess file

By properly setting up your htaccess file, you can also keep hackers out of secure files.  First, you should ensure no one can access the actual htaccess file itself accidentally by including the following within the htaccess file:

<files .htaccess>

order allow, deny

deny from all

</files>

If there are any other files you wish to keep private, you can use the same coding and replace .htaccess with the name of your secure file.

Secure passwords

Lastly, it almost goes without saying but always use very strong and secure passwords.  It is very unwise to use your birth date or passwords that are very easy to remember.  If you can remember it easily, it’s a safe bet that a hacker will figure it out in a matter of seconds.  There are many sites online that can help you create a good, solid and secure password.

Conclusion

Being diligent with the security of your web site will not only benefit you but will also benefit your customers.  Take a few moments to go over the tips listed above and don’t give a hacker a chance.

Organizations in online industries such as e-commerce, banking and healthcare collect and provide access to data that can be classified as highly confidential.  This extremely sensitive information makes a rather tempting target for hackers looking to make their fame by compromising corporate systems and thieving critical data.  For the past three years, vulnerable web applications have lead to a number of dangerous exploits such as XSS (cross site scripting) and SQL injection, which count for a substantial amount of reported intrusions.  While security begins with proper implementation and configuration, one tool that can help put your organization on a secure path is a software technology known as web application scanning.

What is a Web Application Scanner?

A web application scanner is a type of software program with the ability to crawl an entire website and thoroughly analyze each essential component to access the overall level of security.

More advanced systems even combine testing with simulated attacks during the scanning process.  The average system is vulnerable to thousands of know security risks.  A web application scanner identifies these risks and compares them against a continuously updated database.

Web Application Scanning Features

The market for web application scanning solutions is expanding fast.  While the features vary depending on the product, below are qualities found in almost all web application scanners:

Vulnerability Detection – The main goal a web application scanner is to mitigate the most common threats to web application security.  This includes exploits such as cross site scripting that result in data theft and the execution of malicious code as well as techniques like SQL injection that lead to execution of unauthorized commands and tampering.  Even the simplest of applications are susceptible to exploit when not properly secured and a web application scanner can help you quickly identify them before disaster strikes.

Vulnerability Prioritizing – Time is of the essence when it comes to protecting your system against sophisticated attacks.  A web application scanner with the ability to identify security holes and prioritize the severity of those vulnerabilities can save precious time for researching and mitigating the problem.  Today’s smaller IT environments usually leave one individual to perform the duties of several.  Automated assessment scans can serve benefits to the smallest IT team while reducing the costs and complexities of network security.

Analyze Web Application Infrastructure – Web applications are the most targeted components of a website.  However, scanning traditional web applications alone is not enough.  The applications of the underlying infrastructure must also be taken into account.  A reliable web application scanner will perform critical assessment of vital components such as the operating system, web server, web services and neighboring systems as well.

Summary

Traditionally, the most common solution has been to test applications during the development stage.  However, a large majority of these applications are developed by third-parities, not the organizations that are actually use them.  This isn’t all corporations must worry about as the underlying operating system platform, desktop applications and the databases that interact with those web applications all serve as entry points and potential security risks.  Where the traditional testing methods fail, web application scanners offer a more robust and full testing measure.

It seems as if everyday, a handful of new companies emerge onto the web hosting scene.  These newcomers have many challenges on their hands.  Not only must they find ways to provide customers with a quality service, but also keep them protected against the wide ranging list of security threats.   Any personal or business website is susceptible to being compromised by hackers seeking confidential information such as login credentials, account numbers, employee records, personal data and other valuable details.  Because all it takes is one successful breach to open up the doors of chaos, it is vital that website owners employ the most efficient security mechanisms and practices on a regular basis.

What Makes Web Hosting Such a Big Target?

Several reports reveal that the web hosting industry is among the biggest targets of internet hackers.  Why?  The answer is quite simple – the potential of a substantial payday.  The market is compromised of thousands of companies that provide services to millions of customers.  The hosting industry is at the forefront of e-commerce with monetary transactions being made everyday.  The robust networks and high-powered web servers used to enable internet access handle massive amounts of sensitive financial and personal information.  Naturally, these infrastructures are a prime target of criminals looking to thieve riches off the efforts of someone else.  If your website deals in mission-critical functions, meaning it is the way you survive and make a living, then security should be of paramount importance.  And while there are several measures you can take to keep your site protected, investing in a secure hosting solution is imperative as the host is in much better position to ensure security.

In recent times, a large number of companies have ramped up their efforts to help keep the hosting business protected from malware, DDoS attacks, SQL injection and other methods hackers use to perform their malicious deeds.  Numerous vendors who distribute the open-source Linux operating system are working in conjunction with other software and hardware companies to ensure their OS is protected against security threats.  Likewise, Microsoft, Apple and companies who distribute proprietary solutions are working diligently to support similar efforts.

Even though the number of security solutions providers seems to be increasing as well, hosting providers need to be aware that not all of these vendors can be trusted.  More and more, we are seeing rogue companies run by hackers and internet criminals who claim to have the solution for a great price, but are doing nothing but contributing to the problem.  Because of this, new hosts must be overly cautious in regard to what vendors are actually supplying.

Obtaining a Comfortably Secure Environment

Some website owners have many specialities but for most, security is not one of them.  While this is understandable, there is absolutely no excuse for a professional web hosting provider, new or established, to slack off in security to the point where all parties involved are left vulnerable.  Your hosting provider should indeed be an expert in this field, equipped with the knowledge and manpower needed to stay on top of security procedures and ensure the protection of your data.  If you have concerns regarding your current hosting arrangement, it might be time to consider a more secure solution.

All websites reside on a web server, which makes them available to internet users for browsing.  However, thanks to the web hosting industry, people don’t have worry about the complexities of setting up and maintaining their own.  In fact, most website owners lease their web server space and associated resources from either an Internet Service Provider or web hosting provider at a very reasonable price.  These companies offer a wide range of services that facilitate the hosting, development, design and promotion of your online presence.

Indeed, getting a website is easier and more affordable than it has ever been before.  When considering all the features and services that can help to make your site successful, you should never forget about one of the most important aspects – security.  If your plans involve creating a site that collectives sensitive information from visitors or customers, you need to know that this information is at great risk unless it is secured during the transmission phase.  The internet provides anyone who has a method of connectivity with access to the World Wide Web, hackers and other cyber criminals included.  Aware of all the scams and security breaches, customers are increasingly searching for signs of security before they decide to share sensitive data with a website.  If you want to instill trust within your visitors to the point where they feel comfortable handing over their user names, passwords, contact details and credit card numbers and other confidential information, it is a must that you make sure your website transactions are secure.  The solution – SSL encryption.

Why Verisign?

An SSL certificate is a security mechanism that provides website visitors with the ability to confirm that a particular site belongs to the organization or individual they intend to communicate with.  Most importantly, it provides exceptional protection for the sensitive data they transmit over the internet.  While there are a number of Certificate Authorities to choose from, Verisign is a leading provider and among the most reliable.  Certificates produced by this internet security firm offer a strong level of encryption and its VeriSign Secured Seal has become the must trusted mark on the World Wide Web.

VeriSign Products

VeriSign offers a number of products to ensure the security of your website transactions.  Two of its most popular offerings include:

Secure Site Pro with EV – You can give your customers the confidence they need to make purchases with VeriSign Secure Site Pro with EV, VeriSign’s most popular SSL product.  EV (Extended Validation) displays a green address bar in the web browser indicating the legitimacy of the site while true 128-bit ensures that their personal information is completely secure.

Secure Site Pro SSL Certificates – With this VeriSign product, you can transmit sensitive data with protection from the strongest SSL encryption possible.  Secure Site Pro SSL Certificates offers the option of 128 and 256-bit encryption to provide your customers with the utmost security.

You can get yourself an SSL certificate directly from VeriSign or request one from your web hosting provider.  Either way, you will be rewarded with the most rigorous authentication and security methodology in the industry.

CSRF is one of the latest weapons website hackers have added to their arsenal.  Short for cross site request forging, CSRF is an exploit that basically works by abusing the trust of your website users.  Let’s go over a few examples of this attack so you can better understand what it is and how to  prevent it.

Manipulating the Client-Server Model

In the average scenario, the communications between a client web browser and web server go something like this:

- The client makes a request to the server

- The server sends back a response

- The client accepts the response and displays content to the user

Let’s say you have a thriving blog community and other users are allowed to post to your site.  To create a new blog entry, a user would have to visit your site, sign in, post their content, click the “add entry” link and submit the resulting form.  Now think about what would happen if a malicious user were to copy that same blog form and host it on their own site.  They could easily hide the fields, modify the wording and much more to disguise it.  Unfortunately, there isn’t much to stop them from taking your form, changing it, placing the modified version on their site  serving it to other users.  Now this is where the cross-site aspect comes into play.  If the attacker can persuade or trick a user logged onto your site to submit the form, the request will be processed utilizing their credentials stored in the cache.  Since they are trusted on the site and  logged in, the request would be processed and the unknowing user would have posted a new blog entry they didn’t write or no nothing about.

CSRF in Action

Here is a step by step example how cross site request forging works:

- An attacker copies a form from your site.

- The attacker then persuades or tricks a user with login credentials to your site to submit the form.

- The server hosting your site receives the form request and processes it, unaware that the submission was made by a malicious remote source.  In the eyes of the server, the logged in user has authorization, allowing the attacker to easily bypass authentication.

- When it is all said and done, the unknowing user has contributed to the attack and appears to be the source of the problem.

Solution to CSRF

The best solution to the problem of cross site request forgery is potentially invasive but quite simple.  Instead of serving forms to clients and processing them without regard to source of submission, add a session token to the form .  By doing so, when a form is submitted, the token will be analyzed.  If it matches the token sent with the form, processing occurs.  If not, you will know and should become immediately suspicious.  This move prevents a CSRF attack because the remote server no longer has a way to serve a valid form.  Since it cannot predict the secret session token, request for submissions will always fail.