Online Security Basics for Small Business Websites
- 04 December, 2012 14:00
Online security is, of course, critical if you are running a small business website. It's essential to have antivirus and spyware protection software in place to protect your computer, at home and on the road.
Popular antivirus, antimalware and registry programs that will keep your machine safe and running well include AVG Free, Spybot Search & Destroy, Microsoft Security Essentials, Malwarebytes Anti-Malware and Piriform CCleaner.
The Microsoft and AVG programs work equally well, but the former is free of ads and update nags, and the latter is not. Both are also good for spyware protection, though Malwarebytes is better at deep searches for malware. Meanwhile, CCleaner is the most stable of the registry cleaners I researched. All of these programs are free, though AVG and others are also available by paid subscription.
VPN, SFTP Enhance Hosting Security
Another important area of security to address is your hosting service provider, as this is where many breaches begin. WordPress is a great content management system, but it's prone to hacker attacks.
One way to secure your WordPress installation is to make use of a Virtual Private Network (VPN) with a hosting service such as Turnkey Internet. A VPN offers many ways to protect your installation, though you'll need to check with each hosting provider to see what's available. As an example, make sure they offer cPanel, which makes it easy to do database backups.
When you upload files to the server, use the Secure File Transfer Protocol (SFTP). One good freeware program for doing this is WinSCP.
It's important to use strong passwords and change them regularly. If your SFTP programs allow for it, use all the available characters on your keyboard and use passwords of 16 characters or more, such as Y(^&)/E%#V^(!d+dk.
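The following is an added example, not code from the original article, showing how to generate a password of the kind recommended above (16 or more characters drawn from the full printable keyboard set) with a cryptographically secure random source, and how to check an existing password against the same rule. The 16-character minimum comes from the text; the "at least three character classes" rule and the entropy estimate are this example's own assumptions.

```python
import math
import secrets
import string

# Every printable character on a standard US keyboard except whitespace:
# 26 lowercase + 26 uppercase + 10 digits + 32 punctuation = 94 symbols.
FULL_KEYBOARD = string.ascii_letters + string.digits + string.punctuation

MIN_LENGTH = 16  # the article's recommendation


def check_password(password: str, alphabet: str = FULL_KEYBOARD) -> dict:
    """Report length, character-class coverage and an entropy estimate in bits.

    The entropy figure assumes each character was chosen uniformly from
    `alphabet` (true for generate_password below); for a human-chosen
    password it is only an upper bound.
    """
    classes = {
        "lower": any(c in string.ascii_lowercase for c in password),
        "upper": any(c in string.ascii_uppercase for c in password),
        "digit": any(c in string.digits for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    entropy_bits = len(password) * math.log2(len(set(alphabet)))
    # Assumed policy: long enough and at least three of the four classes present.
    ok = len(password) >= MIN_LENGTH and sum(classes.values()) >= 3
    return {
        "length": len(password),
        "classes": classes,
        "entropy_bits": round(entropy_bits, 1),
        "ok": ok,
    }


def generate_password(length: int = 20, alphabet: str = FULL_KEYBOARD) -> str:
    """Return a password drawn uniformly from `alphabet` using the `secrets` CSPRNG.

    Re-draws until the policy in check_password is met, so a result never
    degenerates into, say, all lowercase letters by chance.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if check_password(candidate, alphabet)["ok"]:
            return candidate


if __name__ == "__main__":
    # The article's own sample password, checked against the policy.
    print(check_password("Y(^&)/E%#V^(!d+dk"))
    print(generate_password())
```

`secrets` rather than `random` matters here: `random` is a Mersenne Twister seeded from system state and is not suitable for credentials, while `secrets.choice` uses the operating system's CSPRNG. A password manager such as the ones discussed in the next section will do the same thing for you with a single click.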
Use Password Protection Programs
A big challenge these days is keeping track of all the passwords you use on a daily basis. Sooner or later, you'll have too many to manage. This is where password protection programs come into play. Roboform and LastPass are two programs that I use on my computer.
An alternative to storing passwords on your computer is using a Flash drive and storing the passwords in a text file. When you need to use a password, simply highlight it and copy it as needed. Roboform2go for USB is one of many programs that will do this for you.
One upside to this method of storing passwords is that copying and pasting won't be picked up by keylogging malware. On the other hand, if you use a cybercafe or other location with shared computers, know that they can be infected with malware. If you have to use one of the computers, virus scan your flash drive immediately after you use it.
Stay Away From Rogue Software
One of the fastest growing online scams is fake anti-malware software, sometimes referred to as "rogue software." It's marketed by ads that simulate genuine software programs. You'll encounter seemingly legitimate names, such as DriveCleaner, AdvancedPCTweaker and PC Cleaner 2008.
When you visit one of these sites, you're encouraged to run a scan on your computer for spyware. The scan will inevitably find that your computer is infected with spyware and will try to scare you into paying for the software to remove it.
Rogue software can slow down your computer. In addition, you could be charged for additional services or software you didn't purchase. Obtaining a refund is next to impossible; these companies frequently change names and URLs. To make matters worse, you could become a victim of identity theft.
Rogue software should be avoided at all costs. Here's a partial list of fake anti-malware programs. Bear in mind that the list keeps growing. Ultimately, if you think a program or company might be questionable, it probably is.
Protect Yourself From Spam, Email Scams
The same piece of advice applies to links within emails from senders you don't recognize. If it looks suspicious, don't click on the link. At best, clicking on the link will verify your address to the spammer, and you'll get even more spam. At worst, you'll end up downloading a virus, malware or something else you don't want.
Writing your email address in this hexadecimal notation obscures it, making it harder for spammers to scrape your email address from your website.
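As an added example (not code from the article), here is how the hexadecimal notation works in practice: each character of the address is written as an HTML numeric character reference such as `&#x61;` for "a". A browser decodes the references and shows the normal address, but the plain text never appears in the page source. The helper names and the sample address are this example's own.

```python
import html
import re


def hex_entity_encode(text: str) -> str:
    """Encode every character of `text` as an HTML hexadecimal character reference.

    This is obfuscation, not encryption: anyone who decodes entities gets the
    address back. It only defeats harvesters that scan raw page source.
    """
    return "".join(f"&#x{ord(c):x};" for c in text)


def mailto_link(address: str, label: str = "") -> str:
    """Build a mailto: link with both the href and the visible text encoded."""
    encoded = hex_entity_encode(address)
    visible = hex_entity_encode(label) if label else encoded
    return f'<a href="mailto:{encoded}">{visible}</a>'


# Pattern a source-scanning harvester would typically match against.
_EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def address_visible_in_source(page_source: str) -> bool:
    """True if an email address appears in plain text in the raw source."""
    return _EMAIL_RE.search(page_source) is not None


def rendered_text(page_source: str) -> str:
    """What a browser (or an entity-aware scraper) sees after decoding entities."""
    return html.unescape(page_source)


if __name__ == "__main__":
    # Constructed sample address; not a real mailbox.
    link = mailto_link("sales@example.com", "Email us")
    print(link)
    print("plain address in source:", address_visible_in_source(link))
    print("rendered:", rendered_text(link))
```

The last two functions make the limit of the technique explicit: the encoded link contains no plain-text address, yet `html.unescape` recovers it instantly. Treat entity encoding as a filter for lazy harvesters, not as protection against a determined one; a contact form that never exposes the address at all is the stronger option.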
Another email scam is the infamous Nigerian scam, which gets its name from emails that were purportedly from officials from that country who need your help getting their money out of the country. In return for helping them, they offer you a sizable fee.
The Nigerian scam promises you millions of dollars if you send thousands of dollars first. The millions never arrive.
If you respond, you get more information and documents. If you pay them, they may continue the scam, enticing you to send more money for additional "expenses" that may arise. The longer you're willing to pay, the longer they'll keep bilking you. Some of the messages might even entice you to travel abroad to complete the transaction. If you respond, the U.S. State Department says you run the risk of being beaten, threatened or even murdered.
A final type of email scam to watch for is phishing. This comes in the form of email messages that appear to be legitimate requests for financial account information from institutions you may (or may not) bank with. Take the following steps to avoid the scam:
- Never respond to an email, text or pop-up message that asks for your financial information.
- Don't click on any of the links in such messages.
- Don't copy and paste the URL into your browser either. You might get redirected to the scammer's site without your knowledge.
- If in doubt, type the URL directly into your browser window or, better yet, contact your financial institution by phone.
- Don't call the phone number in the message. Only use the numbers that your financial institution has given you.
- Read the privacy policies of the companies you deal with to see how they handle and protect your personal information. What your banks say they will never ask you to do and what the scammers ask you to do will be quite different.
Know How to Ward Off Bots and Zombies
Bots and zombies also pose a threat. These scams begin with spammers searching the Internet for unprotected computers. If they find one, they can take control of that machine and use it to anonymously send spam and create a robot network, or "botnet." Another name for this is "zombie army." A botnet consists of hundreds or thousands of hijacked computers sending millions of messages.
If your computer isn't protected by security software, then it's an easy target. This allows spammers to install malware onto your machine. Sometimes, even visiting an infected site can trigger a drive-by download, which will install malware on your computer and turn it into a bot. Email is a target, too: if you click on an attachment from someone you don't know, it could contain malicious code.
Malicious code can also be contained in an image. An example of this kind of infection is the Skype virus, which has been spreading like wildfire as of late. You'll see a popup and an active window from a Skype contact with the message "lol is this your new profile pic? link here." (Similar attacks have spread via Facebook chats and Twitter direct messages in the last several months as well.)
Whatever you do, don't click on the link; it means your contact's account has been hacked. If you do, you'll see a popup showing you that your profile image has changed. It will also download the virus, a form of ransomware, to your computer. Among other things, it will lock you out of your computer, demand a $200 ransom, turn your machine into a "bot" and steal your passwords. It might even install a keylogger. If your machine becomes infected, here are instructions for removing the Skype virus.
Avoid Check Overpayment Scams
This particular type of scam targets people selling an item online. The scammer, typically a con artist from another country or location otherwise remote to you, poses as a buyer and offers to pay with a cashier's check, money order, personal check or corporate check. You'll also hear a story about how it will cost a lot of money to ship the item, or that there will be extra fees involved for customs, and as a result the check will be considerably more than your asking price.
Sounds good, right? In addition, you'll be told that this is a time-sensitive issue and that you need to send the item as soon as possible. That's the red flag. If you receive a check or money order, it will almost certainly bounce. If you send the item before the check has cleared, you've lost your merchandise, and you're on the hook for bank fees and shipping charges.
In another variation of this scam, the scammer asks you to wire back the difference in price after you've shipped the item. Again, if you ship the item before the check has cleared, the check will almost certainly bounce, and you'll be on the hook for the loss of your merchandise, the bank fees, shipping charges and the difference in price.
If you're selling something online and someone contacts you with the above proposition, end the transaction immediately, especially if they ask you to wire back funds.
Protect Digital Assets From Online Theft
As an online retailer, you need to take numerous steps to ensure that your digital assets are protected.
You can protect yourself from customers who want to steal your downloads by using DLGuard, which stops users from sharing your download links. Among other things, you can set a time limit for the download and limit the number of times someone can download your product, which helps control software piracy. DLGuard also lets you block domains if a domain has been the source of fraudulent purchases.
The only downside is that DLGuard doesn't prevent users from stealing your content after it's been downloaded.
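To make the mechanism behind the two paragraphs above concrete, here is an added example (not DLGuard's code, and not from the article) of how a shop can issue download links that expire, that stop working after a set number of downloads, and that are refused to buyers from a blocked domain. It uses an HMAC-signed query string; the signing key, the shop URL, the order identifiers and the blocked domain are all constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed demo key. A real deployment loads this from a secrets store.
SIGNING_KEY = b"constructed-demo-key-do-not-use"

# Constructed block list of buyer email domains tied to earlier fraudulent orders.
BLOCKED_DOMAINS = {"fraud.example"}


class DownloadGuard:
    """Issue and validate signed download links with an expiry and a download cap."""

    def __init__(self, key: bytes, max_downloads: int = 3, ttl_seconds: int = 3600):
        self.key = key
        self.max_downloads = max_downloads
        self.ttl = ttl_seconds
        self.downloads: Dict[str, int] = {}  # order_id -> downloads used so far

    def _sign(self, order_id: str, product: str, expires: int) -> str:
        # The signature covers everything the link asserts, so none of it can be edited.
        msg = f"{order_id}|{product}|{expires}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue_link(self, order_id: str, buyer_email: str, product: str,
                   now: Optional[int] = None) -> str:
        domain = buyer_email.rsplit("@", 1)[-1].lower()
        if domain in BLOCKED_DOMAINS:
            raise PermissionError(f"purchases from {domain} are blocked")
        now = int(time.time()) if now is None else now
        expires = now + self.ttl
        query = urlencode({"order": order_id, "product": product, "exp": expires,
                           "sig": self._sign(order_id, product, expires)})
        return f"https://shop.example/download?{query}"

    def validate(self, link: str, now: Optional[int] = None) -> Tuple[bool, str]:
        """Return (allowed, reason); a download is counted only when allowed."""
        params = {k: v[0] for k, v in parse_qs(link.split("?", 1)[1]).items()}
        try:
            order, product = params["order"], params["product"]
            expires, sig = int(params["exp"]), params["sig"]
        except (KeyError, ValueError):
            return False, "malformed"
        # Constant-time comparison so a forged signature cannot be guessed byte by byte.
        if not hmac.compare_digest(sig, self._sign(order, product, expires)):
            return False, "bad signature"
        now = int(time.time()) if now is None else now
        if now > expires:
            return False, "expired"
        used = self.downloads.get(order, 0)
        if used >= self.max_downloads:
            return False, "download limit reached"
        self.downloads[order] = used + 1
        return True, "ok"


if __name__ == "__main__":
    guard = DownloadGuard(SIGNING_KEY, max_downloads=2, ttl_seconds=600)
    link = guard.issue_link("order-1", "buyer@mail.example", "ebook.pdf")
    print(link)
    for _ in range(3):
        print(guard.validate(link))
```

Note what this does and does not achieve: a shared link still works for whoever receives it until the cap or the expiry is hit, which is exactly why the download count is bounded; and once the file has been served nothing here stops the buyer from copying it, which is the downside the text mentions. The per-order counter must live in persistent storage shared by all web servers, not in memory as in this example, or a buyer could bypass the cap by hitting different servers.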
Another issue is dealing with serial refunders who consistently buy your products and services, only to return them later. DLGuard addresses this, as does ClickBank.
One way to protect your digital documents is password protection through Adobe Acrobat. This lets you restrict how documents are used. Password protection isn't ironclad, though, and it can be broken.
Unfortunately, there's no protection for print books. I know one author whose print book was scanned, saved as a PDF and sold without her permission or knowledge. It only came to light when she received a marketing package and discovered her work had been stolen. In this case, cease and desist orders apply, but they only go so far.
As you can see, there are many security issues that can threaten your online business. Knowing what to look for and preparing for it is your best line of defense. Being suspicious and vigilant is the next step. Online, caution is a good thing.
Nathan Segal has been working as a freelance writer, photographer and artist for 14 years. He is based in British Columbia, Canada. Reach him via email or visit his website. Follow everything from CIO.com on Twitter @CIOonline, on Facebook, and on Google +.