Mo-Fr: 8am-8pm
Sat: 10am-7pm
Sun: 11am-4pm

Beyond the Moat: Network Security Outside Your Intranet

at 2011.05.16

As we talked about briefly in the last security-related post, most of the top-5 security breaches occur in the office through carelessness and inattention. Most of these issues can be resolved with a good employee computer policy, but what about those network assets that live outside of your companies local area network?

Things like your web page, any remote access software or tunnels you use, your blog, and your social media are all mostly outside of your control. Unless you have a dedicated server in-house that you run your website from, or you have a special relationship with Mark Zukerberg and he lets you personally test the security on your FB, you are pretty much stuck with whatever security features your web vendors provide you with, right?

Well, not entirely, there are still things that you can and SHOULD do to make sure that ALL of your networking assets are safe and secure. Let’s take a look at steps you can take by asset:

Web Page –

Yes, it’s true that most of the time your company will be renting space on a shared server, which means what you can and can’t control is limited. That doesn’t mean you need to throw your website to the digital wolves: there are easy, concrete steps you can take to make sure you’re safe from external attacks. The best part is since the server is managed by someone else, usually you just have to worry about these things once.

  • Newer is Better: Before signing on with any hosting provider, check to make sure that they are up to date on the bits that matter. For web security, this means they should have the latest version of PHP and SQL running. Also, browse through their support forums and check to see if anyone is having issues waiting for the hosting company to update it’s servers. If it seems like they are slow to update, this could be a sign of potential future headache.
  • Data Storage: At some point early in the web design process, you need to decide what kind of data you will need to have available on your web-facing pages. Generally, you do not want to store any sensitive information on your web-site’s server, but sometimes (like for an e-commerce site) you have no choice. If you DO have a choice, don’t put anything sensitive on your web server. Store it locally.
  • If There’s No Other Way: If you absolutely MUST store personal or sensitive information, make sure that your hosting company supports encryption for all data transmissions and build your web-site appropriately. Use SSL and HTTPS whenever any delicate details need to be transmitted, and make sure your data is locked down tight on the server.
  • Lock The Door: There are a lot of ways to access data on the web. Make sure you shut down and password protect all of them. A lot of hosts will, for example, provide an open, anonymous FTP login for your account. Turn it off. Make sure all your FTP accounts are protected by strong passwords that are not similar to your other passwords. Also make sure that any databases are password-protected and that the password is not hard-coded into any of the pages that a customer might see. If any directories contain personal or delicate information, make sure they are also locked down with individual passwords, and make sure you have all your access and CHMOD settings set appropriately.

Social Media –

With social media, we have even less control than with remote servers. Unfortunately, they have become a way of life, and it looks like they’re here to stay. Since most of the privacy setting and security features on these networks are entirely in the hands of their owners, there is little you can do about the physical security of the information on them. So, the obvious solution is: control what information you expose to these networks. ¬†Even with Facebook’s updated privacy settings, you have to stop and ask yourself: if something happened at Facebook and a hacker got a hold of this information, would I want people I know and work with to see it? The best security policy for all social media sites is:

  1. Do not reuse your password!
  2. Do not post anything (even hidden, even if you don’t let any work contacts or clients or customers to see your wall) EVER that might come back to reflect negatively on you as a person, as a business owner, or as a trusted member of the community. The risk is simply not worth it. Basically, before you hit enter to post that update, think to yourself: “Would I be ok posting that on a sign in the front window of my business?” If you answer no, don’t do it on Facebook.

If you follow the simple steps outlined in this and the previous security article, you should have nothing to worry about. Just remember: security doesn’t begin and end at your router. It’s a process that needs to be maintained. Stay on top of it and stay alert, and you’ll have no problems.