Recent events in the security world, widely reported in the general media, such as the paralysis of Sony’s servers or the establishment of a biometric database, have made the general public question how well their data is protected.
I have decided to write a brief guide to help you maintain your site and its data and protect them against intrusions: how to do it right, from the organizational level down to the technical level.
What is a security breach, basically?
Perhaps the best way to explain is to just demonstrate a widespread hacking method called SQL Injection.
Well, let’s create an imaginary site…
This is, of course, a very simple site with a single text field.
The text in the example contains the letter ‘C’ followed by what developers call a ‘special character’, here ‘#’.
What happens next?
Pressing ENTER sends the text to the server, which looks it up in the database and immediately returns the following error page:
Why is that?
The site is written poorly: the text from the field is pasted straight into the SQL query, so the special character breaks the query the site uses to reach the database (in MySQL, for example, ‘#’ starts a comment, so everything after it, including the closing quote of the string, is discarded and the statement no longer parses). An error page like this tells an attacker that the input reaches the database unfiltered. After some trial and error, this leads the attacker to a string such as “union select password from users;”, which makes the query return the password column of the users table alongside the search results. Now every password stored in the users table is exposed. This is only one of thousands of known vulnerabilities. Breaches like it can give an attacker access to our database, and even bring down the site or the physical machine it runs on.
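As an added example that is not part of the original post, the same search is written below twice in Python against an in-memory SQLite database: once concatenating the field’s text into the query, as the imaginary site does, and once with a bound parameter. The products and users tables, their rows, and the injected string are constructed for the demonstration. SQLite does not treat ‘#’ as a comment the way MySQL does, so the example uses a stray quote to break the query and ‘--’ to swallow the trailing quote; the mechanism is the same.

```python
import sqlite3

# Constructed sample schema and rows (not from the original post): a products
# table that the search box is meant to query, and a users table holding the
# credentials an attacker is after.
SAMPLE_SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password TEXT NOT NULL);
INSERT INTO products (name) VALUES ('C compiler'), ('C# IDE'), ('Python book');
INSERT INTO users (username, password) VALUES ('admin', 'hunter2'), ('bob', 'letmein');
"""

# Attacker input mirroring the post: a quote closes the string literal, a UNION
# pulls the password column, and a comment ("--" in SQLite; MySQL also accepts
# "#") swallows the closing quote the site appends after the text.
INJECTION = "' UNION SELECT password FROM users --"


def make_db():
    """Create an in-memory database loaded with the sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def search_vulnerable(conn, text):
    """The imaginary site's bug: the field's text is pasted straight into SQL."""
    sql = "SELECT name FROM products WHERE name = '" + text + "'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, text):
    """The fix: a bound parameter. The driver sends the value separately from
    the statement, so it can never be parsed as SQL whatever it contains."""
    rows = conn.execute("SELECT name FROM products WHERE name = ?", (text,))
    return [row[0] for row in rows]


def run_demo():
    """Exercise both versions and return what each one did."""
    conn = make_db()
    out = {}

    # 1. A stray quote, like the '#' in the post, breaks the concatenated
    #    query: the database rejects it and the site shows an error page.
    try:
        search_vulnerable(conn, "C'")
        out["vulnerable_stray_quote"] = "no error"
    except sqlite3.Error as exc:
        out["vulnerable_stray_quote"] = "error: " + str(exc)

    # 2. The UNION payload leaks every password through the search results.
    out["vulnerable_union"] = sorted(search_vulnerable(conn, INJECTION))

    # 3. With a bound parameter the same inputs are just strings to match.
    out["safe_stray_quote"] = search_safe(conn, "C'")
    out["safe_union"] = search_safe(conn, INJECTION)

    # 4. Legitimate special characters still work, so nothing needs blocking.
    out["safe_legit"] = search_safe(conn, "C# IDE")
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the script shows the concatenated query failing on a single quote, returning both stored passwords for the UNION payload, and the parameterised query treating both inputs as ordinary text while still matching a product name that contains ‘#’.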
What can be done?
At the organizational level, make sure the basic security products are in place and maintained: a firewall that opens only the ports the site needs, with its intrusion detection and prevention features enabled; an anti-virus that is kept updated; and automatic updates for every installed application.
At the technical level, make sure every text field and other input path is properly checked. Some service providers simply refuse all special characters, but that breaks legitimate input, such as text typed in a foreign language; the robust fix is to pass user input to the database as a bound parameter instead of concatenating it into the query, so that no character can change the query’s structure. Protect your sensitive data at rest: passwords in particular should not be encrypted but hashed with a salted, deliberately slow password-hashing function, so that a leaked users table does not yield the plaintext. And always perform backups.
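To make the password point concrete, here is an added example (not from the original post) of how the users table should store credentials: a salted PBKDF2-HMAC-SHA256 hash from the Python standard library instead of an encrypted or plaintext password, with a constant-time comparison on login. The iteration count and the record format are assumptions chosen for the example; the sample credentials are constructed.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 from the standard library. The iteration count is an
# assumption for this example; raise it until one hash takes tens of
# milliseconds on your server, which is cheap for a login and expensive for
# an attacker guessing millions of passwords against a leaked table.
ITERATIONS = 100_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$hash.

    A fresh random salt is drawn per password, so two users with the same
    password get different records and precomputed tables are useless.
    The `salt` parameter exists only so tests can be reproducible."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so response timing does not leak how much matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest, expected)


def build_user_table(credentials):
    """Constructed stand-in for the users table as it should look at rest:
    no plaintext, and no key on the server that could decrypt the column."""
    return {user: hash_password(pw) for user, pw in credentials.items()}


if __name__ == "__main__":
    table = build_user_table({"admin": "hunter2", "bob": "letmein"})
    for user, record in table.items():
        print(user, record)
    print("admin/hunter2 ->", verify_password("hunter2", table["admin"]))
    print("admin/hunter3 ->", verify_password("hunter3", table["admin"]))
```

With this in place, the UNION trick from the earlier example would return the hash records rather than anything an attacker can log in with directly. Storing the algorithm and iteration count in the record lets you raise the cost later and re-hash each user transparently on their next successful login.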