Website Security and Your Business Health

Any business today would consider it foolhardy not to run an antivirus program on its office machines. Practically all businesses also build some redundancy into their data storage in case of a hard drive crash or a catastrophic failure caused by fire or flooding. What most business owners don't realize is that their websites are just as open to attack by online hackers and viruses as their local machines, especially if those websites are hosted on a "virtual server", meaning that multiple sites are hosted on the same hardware. Virtual hosting is attractive because of its low price, but it also leaves every other website on that server vulnerable to one bad apple.

For example, in May of 2007, over 90,000 websites were hijacked by cybercriminals to illegally install malicious software on visitors' computers when they clicked on the Google search results. Research conducted by StopBadware found that about 10 percent of those sites were hosted by one particular hosting company. This hosting company had nearly 250,000 malicious websites. This incident is not a strike against virtual servers but a warning to online merchants that you cannot depend on your web hosting company to secure your websites. This is your responsibility, and you will have to accept the dire consequences if you are not proactive in securing your business sites.

There are several different methods hackers can use to break into your website, but here we'll look at three of the main web attack mechanisms: SQL Injection, Cross Site Scripting and CRLF injection.

SQL Injection is one of the most common web attacks used today. Many web applications allow website visitors to submit data to and retrieve data from a database; one of the most common examples is a user forum. Every time a forum member makes a post, the post is saved in a database and retrieved later when it is viewed.
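The forum scenario above is a good place to see what the rest of this section describes: the same lookup written two ways, one that pastes the visitor's input into the SQL text and one that passes it as a parameter. This is an added example, not code from the article; the in-memory SQLite table, its three constructed posts and the function names are all assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny forum 'posts' table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO posts (author, body) VALUES (?, ?)",
        [
            ("alice", "Welcome to the forum"),
            ("bob", "Meeting notes"),
            ("carol", "Draft pricing for next quarter"),  # constructed, not public data
        ],
    )
    return conn


def posts_by_author_vulnerable(conn, author):
    # Vulnerable: the visitor's input is glued into the SQL text, so characters in the
    # input (a quote, OR, a comment marker) become part of the query's logic.
    sql = "SELECT author, body FROM posts WHERE author = '%s'" % author
    return conn.execute(sql).fetchall()


def posts_by_author_safe(conn, author):
    # Hardened: a parameterised query. The driver sends the value separately from the
    # SQL text, so whatever the visitor typed is compared as a plain string.
    sql = "SELECT author, body FROM posts WHERE author = ?"
    return conn.execute(sql, (author,)).fetchall()


def leaked_rows(conn, author):
    # Quick check for a test suite: rows the vulnerable form returns that the safe form
    # does not. Anything non-zero means the input changed the query's meaning.
    safe = set(posts_by_author_safe(conn, author))
    return [row for row in posts_by_author_vulnerable(conn, author) if row not in safe]


if __name__ == "__main__":
    db = make_db()
    print("normal lookup:", posts_by_author_safe(db, "bob"))
    # A value containing a quote shows the difference: the parameterised query simply
    # finds no author with that name, while the concatenated one returns every row.
    odd_input = "x' OR '1'='1"
    print("rows leaked by the vulnerable form:", len(leaked_rows(db, odd_input)))
```

The point of `leaked_rows` is the kind of assertion you can put in a test: for any input, the safe and vulnerable forms must agree; the moment they differ, the query text is being altered by data. The fix is not to "clean" the quote characters but to never build SQL from strings in the first place.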
Databases are what make it possible for a website to show payment information, company statistics, user data and a host of other types of information. The Internet as you know it would not be possible without databases. SQL Injection is a hacking technique that sends false or illegal requests to a database in an attempt to manipulate the information in some way. Such attacks can allow the hacker to view information in the database or delete it completely. If you run a website with features such as search pages, login forms, shopping carts, contact forms or feedback forms, your website is a candidate for SQL Injection attacks. The same fields your website visitors are asked to fill out are open doors hackers can use to destroy your databases and expose sensitive data.

Cross Site Scripting is another very common hacking technique. It takes advantage of vulnerabilities in a 'dynamic website' to send malicious code to the end user and extract data from the victim. A web page is made up of HTML code and the actual text. So-called 'static pages' are created when the browser interprets this code to show one fixed page. To give the user some control over how the page looks, web applications are used to create 'dynamic pages'. It is in such dynamic pages that hackers can inject malicious code and trick the user into running this script on their local machine in order to steal their sensitive data. These attacks come in the form of JavaScript, VBScript, ActiveX and Flash, which makes many users very careful about running such scripts in their browsers.

CRLF is simply the acronym for Carriage Return / Line Feed. When you use a word processor such as Microsoft Word, you can press the "Enter" key to go to a new line, but no characters appear on the screen. If you choose to show the hidden formatting marks, however, you will see the symbols used for the CRLF.
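The Cross Site Scripting discussion above comes down to one thing on the server side: text that a visitor typed must reach the browser as text, not as markup. The following is an added example, not code from the article; it renders a forum comment into a 'dynamic page' fragment the unsafe way and the escaped way, using Python's standard `html.escape`. The comment text, usernames and function names are constructed for the demonstration.

```python
import html


def render_comment_vulnerable(username, comment):
    # Vulnerable: untrusted text is pasted straight into the HTML, so any tags in it
    # become part of the page and the browser runs whatever script they carry.
    return "<p><b>%s</b>: %s</p>" % (username, comment)


def render_comment_safe(username, comment):
    # Hardened: escape the HTML-significant characters (< > & " ') so the browser
    # shows the visitor's text literally. quote=True also covers attribute contexts.
    return "<p><b>%s</b>: %s</p>" % (
        html.escape(username, quote=True),
        html.escape(comment, quote=True),
    )


def contains_active_markup(rendered):
    # A crude check for a test suite: does the HTML we are about to send contain an
    # element that would execute script? Escaping is the real control; this just
    # catches a template that forgot to use it.
    lowered = rendered.lower()
    return "<script" in lowered or "onerror=" in lowered or "javascript:" in lowered


if __name__ == "__main__":
    # Constructed visitor input that is markup rather than a comment.
    submitted = "<script>alert('xss')</script>"
    print("unsafe :", render_comment_vulnerable("guest", submitted))
    print("escaped:", render_comment_safe("guest", submitted))
```

Escaping is context-specific: `html.escape` is correct for text inside an element or a quoted attribute, but a value dropped into a JavaScript block or a URL needs that context's own encoding, which is why a templating engine that escapes by default is preferable to remembering to call the function by hand.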
A CRLF injection attack does not come through a security hole in the software the server runs; it takes advantage of the way the web application itself was coded. For example, a hacker can submit a form field that includes the CR and LF characters, and the web application can then mistakenly treat this as a CRLF that was part of its original code. Part of the security measure to overcome this attack is to filter out any CRLF characters that a user can input at your website. Such attacks can completely disable a website.

The purpose of this article was not to make you an Internet security expert like myself, but to build your awareness that your business security shield must go beyond your local machine to your websites. To simply bury your head in the sand hoping you will never suffer such an attack is not only opening your business to unnecessary risk but being an irresponsible owner.
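The CRLF filtering the text recommends is easiest to see on an HTTP response header, because headers are separated by exactly that CR/LF pair. The following is an added example, not code from the article: it builds a redirect from a user-supplied value, shows how a CR/LF inside the value is read by a client as an extra header, and applies the filter. The header values, the `Set-Cookie` line and the function names are constructed for the demonstration, and the code assumes the web framework has already URL-decoded the form field.

```python
import re
from urllib.parse import unquote

CRLF_RE = re.compile(r"[\r\n]")


def build_redirect_vulnerable(target):
    # Vulnerable: a user-supplied value is written into a header line unchanged, so a
    # CR/LF inside it ends the Location line and whatever follows becomes a new header.
    return "HTTP/1.1 302 Found\r\nLocation: %s\r\n\r\n" % target


def strip_crlf(value):
    # The mitigation the text describes: remove CR and LF from anything a user typed.
    return CRLF_RE.sub("", value)


def build_redirect_safe(target):
    return "HTTP/1.1 302 Found\r\nLocation: %s\r\n\r\n" % strip_crlf(target)


def check_header_value(value):
    # Stricter variant: refuse the value instead of silently editing it. unquote()
    # first so a percent-encoded %0d%0a cannot slip past the check unnoticed.
    if CRLF_RE.search(unquote(value)):
        raise ValueError("CR/LF not allowed in a header value")
    return value


def header_value_is_safe(value):
    try:
        check_header_value(value)
        return True
    except ValueError:
        return False


def header_names(raw_response):
    # Parse the head of the response the way a client would: split on CRLF and take
    # the name before the first ':'. Used here to show how many headers a client sees.
    head = raw_response.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")[1:]  # drop the status line
    return [line.split(":", 1)[0] for line in lines if line]


if __name__ == "__main__":
    # Constructed form value that carries a line break followed by a second header.
    submitted = "/account\r\nSet-Cookie: session=CONSTRUCTED"
    print("vulnerable:", header_names(build_redirect_vulnerable(submitted)))
    print("filtered  :", header_names(build_redirect_safe(submitted)))
    print("accepted? :", header_value_is_safe(submitted))
```

Stripping matches the advice in the text and keeps the request working; rejecting is the better default where a line break can only mean something went wrong, because it also gives you a log line to alert on. Modern HTTP libraries refuse CR/LF in header values themselves, but the same check belongs on any user text that ends up in a log line or an e-mail header, where the library will not do it for you.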