Security is a very important part of keeping your business in good overall health. Yep, you need good employees. Yep, you need to market your products well. Yep, you need to excel at customer service. Yep – you need to do so many other things.
However, in regard to security, while many small business owners surely know they need to prevent viruses and malware, there is so much more to security.
David Maman, CTO & Founder of GreenSQL, shares that ensuring your WEBSITE is secure is also very important. Oftentimes hackers won’t even bother trying to email you a virus or hack your network – they’ll just look for vulnerabilities in your web site and steal customer information or simply deface your web site.
David says, “So, for security, check all four: Network, application, operating system and database. To make sure your information assets are protected, your best bet is to use an integrated database security solution that is non-disruptive to existing software and databases, is easy to install and use, and provides extensive management reporting and audit trails, all without degrading responsiveness to users.”
Here’s his full insight on how to best secure your network and web site from attack:
A web environment has four layers that need protection: The network level, the application level, the operating system level and the database level. Most people think of these layers as being one within the other, like concentric circles. They reason that if they protect the outermost level, the inner levels are automatically protected.
However, hackers can attack a Web environment at each level independently, and security issues at each level need to be addressed.
At the network level, a simple network level firewall does protect the infrastructure (access to which IP addresses, using which ports, and sometimes using which protocols) but provides very limited protection, if any, to stop attacks at the application and database level.
You may have heard of bank websites having their links or text or pictures changed. Website defacement and other application level attacks take place because someone, at some point in time, wrote sloppy software with security holes. Hackers specialize in using exploits, XSS attacks, SQL injection, and other techniques to attack these vulnerabilities at the code level.
One approach to prevent vulnerabilities is to have a professional code review of the software in use in the Web environment to identify and address coding security issues. Many times, legacy applications are being used, so it’s almost impossible to change anything. Of course, reviews are only as good as the reviewers, and no one should ever review their own code. It’s much too easy to overlook one’s own mistakes.
An additional and important approach is to update all the applications in use and to harden your web and database servers. For example, one Oracle update release included 78(!!) security updates.
Another option is to use a signature-based approach to spot and then quarantine this kind of attack. Each application level attack has a “signature” or typical way of operating that identifies it. A comparison of web application firewalls (WAF) shows that some are more effective than others, but none is perfect.
The database level, the fourth essential layer in a web environment, needs protection from attacks directed at the database. In the end, most of today’s common attacks are aimed at retrieving sensitive information from the database via website attacks exploiting database vulnerabilities. This makes the fourth layer the most crucial one.
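The signature-based approach described above, sketched as an added example that is not part of the original article or of any vendor's product. The three regex signatures and the request values are constructed for illustration; the run also shows one harmless comment being quarantined, one way such matching falls short of perfect.

```python
import re
from urllib.parse import unquote_plus

# Hypothetical signatures written for this example (not a real WAF rule set).
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "sqli-union": re.compile(r"\bunion\b.+\bselect\b", re.I),
    "xss-script-tag": re.compile(r"<\s*script\b", re.I),
}


def match_signatures(raw_value):
    """Return the sorted names of all signatures matching one request value."""
    # Decode %xx escapes and '+' first, so encoded input is compared in clear.
    value = unquote_plus(raw_value)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(value))


def triage(requests):
    """Split (request_id, value) pairs into quarantined hits and passed ids."""
    quarantined, passed = {}, []
    for req_id, value in requests:
        hits = match_signatures(value)
        if hits:
            quarantined[req_id] = hits
        else:
            passed.append(req_id)
    return quarantined, passed


# Constructed sample request parameters (URL-encoded, as a server receives them).
SAMPLE = [
    ("r1", "name=alice"),
    ("r2", "id=1%27+OR+%271%27%3D%271"),
    ("r3", "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    # Benign text that still trips the UNION/SELECT signature: a false positive.
    ("r4", "comment=Our+trade+union+will+select+a+new+chair"),
    ("r5", "id=5+UNION+SELECT+name+FROM+users"),
]

if __name__ == "__main__":
    quarantined, passed = triage(SAMPLE)
    for req_id, hits in quarantined.items():
        print(f"QUARANTINE {req_id}: {', '.join(hits)}")
    print("PASSED:", ", ".join(passed))
```

Request `r4` is ordinary prose, yet it lands in quarantine next to the real injection attempt in `r5`, which is why signature hits need review and tuning rather than blind trust.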