Internet & Web development (2): Web Site Issues / Security / Managing
- If your business is connected to the Internet, it is essential to ensure that your business data, including customer information, is safe and that your transactions are carried out securely. Otherwise, there is a risk of transactions being intercepted, privacy rules being breached, company information being stolen and financial loss.
- As the use of technology increases, so does the risk of threats to information and systems.
- For electronic mail within your business or simple customer communications, secure electronic mail may not be necessary. However, if you deal regularly with confidential documents or want to take orders via email, then you should consider introducing a secure email system.
- Email is a key form of business communication, but standard email software offers very poor security.
- Options for increasing the security of your email include:
  - secure Web-based email
  - dedicated email encryption software
  - secure email gateways.
Network Security, Remote Access
To protect your organisation’s resources while still providing employee access, ensure you have the following policies and procedures in place:
- Remote access policy should be clearly documented, communicated, implemented and enforced.
- In/outbound communication via external modem must be approved and validated.
- Leave all dial-up modems disconnected unless actually in use.
- Enforce proper authentication of all external users.
- Each user must have an individual password and user ID.
- All dial-up and remote access activities should be recorded and reviewed on a periodic basis.
- Dial-up access should be granted through a secured approval process that limits the number of users permitted to use it.
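The policy above asks that remote access activity be recorded and reviewed periodically, and that every user have an individual ID. The following script is an added example (not part of the course page) of what such a periodic review might check. It assumes a simple constructed log format of the form `<ISO timestamp> user=<id> src=<address> result=<OK|FAIL>`; the sample lines, the business-hours window and the thresholds are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in an assumed format (not from any real product):
# <ISO timestamp> user=<id> src=<address> result=<OK|FAIL>
SAMPLE_LOG = """\
2024-03-04T09:12:41 user=alice src=198.51.100.20 result=OK
2024-03-04T09:14:02 user=bob src=198.51.100.21 result=FAIL
2024-03-04T09:14:10 user=bob src=198.51.100.21 result=FAIL
2024-03-04T09:14:19 user=bob src=198.51.100.21 result=FAIL
2024-03-04T09:14:30 user=bob src=198.51.100.21 result=OK
2024-03-04T23:47:55 user=carol src=203.0.113.7 result=OK
2024-03-05T10:02:13 user=alice src=203.0.113.9 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def review_remote_access(events, business_hours=(8, 18), fail_threshold=3):
    """Periodic review: return findings that deserve a human look.

    - successful logins outside business hours
    - user IDs with repeated authentication failures
    - one user ID seen from more than one source address (possible shared credentials)
    """
    off_hours = []
    failures = defaultdict(int)
    sources = defaultdict(set)
    start, end = business_hours
    for ev in events:
        hour = ev["ts"].hour
        if ev["result"] == "OK":
            sources[ev["user"]].add(ev["src"])
            if not (start <= hour < end):
                off_hours.append((ev["user"], ev["ts"].isoformat()))
        else:
            failures[ev["user"]] += 1
    return {
        "off_hours_logins": off_hours,
        "repeated_failures": {u: n for u, n in failures.items() if n >= fail_threshold},
        "multi_source_users": {u: sorted(s) for u, s in sources.items() if len(s) > 1},
    }


if __name__ == "__main__":
    for category, items in review_remote_access(parse_log(SAMPLE_LOG)).items():
        print(f"{category}: {items}")
```

None of these findings is proof of misuse on its own (a user ID seen from two addresses may simply be home and office), which is why the policy calls for review rather than automatic action; the value is in having the record and a repeatable way to read it.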
Virus Protection
- The best protection against computer viruses is to use anti-virus software.
- The anti-virus software should be updated regularly.
- To protect your information and systems from virus attack:
  - A virus scanning procedure should be documented, published, communicated to all employees and enforced within the company.
  - All desktop, laptop and notebook computers should have licensed and up-to-date anti-virus software installed.
  - All Internet email gateways and server points of access should have anti-virus scanning software installed.
  - Documented processes and procedures should be available to all staff on what to do when a virus is detected or identified.
  - System administrators must be alerted immediately to the presence of a virus in the system. All infected files must be deleted or quarantined pending investigation of their source.
Some free antivirus checkers:
- Microsoft Security Essentials
- Managing legal risk on your website requires implementing security measures for your business, your website and the users of your website.
- You should implement security measures, both in relation to hardware and software, to protect confidentiality and ensure authentication and verification of parties to contracts.
- This includes implementing quality technical and business solutions, such as the use of public key infrastructure to identify parties to contracts, setting out relevant disclaimers in your terms and conditions and maintaining accurate electronic transaction records.
Backup & Recovery
- In case of a natural disaster, denial of service attack, virus infection or hardware theft, ensure that you have a well-documented and communicated back-up and recovery plan.
- This could include a plan to take manual orders over the phone if access to your website has been denied to users for any reason.
- An effective plan should include:
  - information about the critical applications and functions that are needed during a disaster
  - information about emergency communications
  - contingencies for office space and workstations
  - data communications and telephone service
  - processing hardware
  - computers and network architecture
  - application software
  - data and physical infrastructure.
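A backup plan is only as good as its last successful restore. The script below is an added example (not code from the course page) of the technical core of the "data" item above: take a backup, record a SHA-256 manifest of what was backed up, and verify by restoring into a scratch directory and comparing every file. The directory layout, file names and contents in `demo()` are constructed for illustration.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src_dir):
    """Map relative POSIX path -> SHA-256 for every regular file under src_dir."""
    src_dir = Path(src_dir)
    return {
        p.relative_to(src_dir).as_posix(): sha256_file(p)
        for p in sorted(src_dir.rglob("*")) if p.is_file()
    }


def create_backup(src_dir, archive_path):
    """Write a gzip tarball of src_dir and a JSON manifest next to it; return manifest path."""
    manifest = build_manifest(src_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname="data")
    manifest_path = f"{archive_path}.manifest.json"
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)
    return manifest_path


def verify_backup(archive_path, manifest_path):
    """Restore into a scratch directory and compare hashes; return a list of problems."""
    with open(manifest_path) as f:
        expected = json.load(f)
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch).resolve()
        # Use the stdlib's safe extraction filter where the Python version provides it.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        with tarfile.open(archive_path, "r:gz") as tar:
            for member in tar.getmembers():
                dest = (root / member.name).resolve()
                # Refuse members that would land outside the scratch directory.
                if dest != root and root not in dest.parents:
                    problems.append(f"unsafe path in archive: {member.name}")
                    continue
                tar.extract(member, root, **kwargs)
        restored = root / "data"
        actual = build_manifest(restored) if restored.is_dir() else {}
        for rel, digest in expected.items():
            if rel not in actual:
                problems.append(f"missing after restore: {rel}")
            elif actual[rel] != digest:
                problems.append(f"hash mismatch: {rel}")
        for rel in actual:
            if rel not in expected:
                problems.append(f"unexpected file: {rel}")
    return problems


def demo():
    """Constructed scenario: a clean backup verifies; a re-archived, changed file is caught."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "site"
        (src / "html").mkdir(parents=True)
        (src / "html" / "index.html").write_text("<h1>Shop</h1>")
        (src / "orders.csv").write_text("id,total\n1,19.99\n")
        archive = Path(work) / "site.tar.gz"
        manifest = create_backup(src, archive)
        clean = verify_backup(archive, manifest)
        # Simulate data changing after the manifest was taken, without refreshing it.
        (src / "orders.csv").write_text("id,total\n1,0.01\n")
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(src, arcname="data")
        altered = verify_backup(archive, manifest)
        return clean, altered


if __name__ == "__main__":
    print(demo())
```

Running the restore into a scratch directory rather than over the live data is deliberate: a verification step must never itself become the incident, and a manifest kept apart from the archive lets you detect a backup that was silently changed or truncated before you need it.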
Incident response is a process by which you can identify, evaluate and address negative computer-related security events. It is the process you go through when:
- your website is hacked and unauthorised data changes made
- employee data falls into the wrong hands
- a virus spreads through your computer system.
Top ten e-security tips
The following security tips have been prepared by the US-based National Cyber Security Alliance and can be found online at: http://www.staysafeonline.info/sectips.adp
- Use protection software “anti-virus software” and keep it up to date.
- Don’t open email from unknown sources.
- Use hard-to-guess passwords.
- Protect your computer from Internet intruders – use “firewalls”.
- Don’t share access to your computers with strangers.
- Disconnect from the Internet when not in use.
- Back up your computer data.
- Regularly download security protection update “patches”.
- Check your security on a regular basis.
- Make sure your family members and/or your employees know what to do if your computer becomes infected.
Software and Application Security
How, as a programmer, do you keep up with security threats? There are websites dedicated to publishing information about exploits and vulnerabilities, for example: http://www.1337day.com/
Firewalls
- Firewalls are used to keep a network secure from intruders.
- Firewalls can be implemented as software only, but for larger businesses, they may also include dedicated hardware for faster processing.
- Firewalls are widely used to give users secure access to the Internet as well as to separate a company’s public Web server from its internal network.
- A good firewall will be able to detect Trojans, stop entry by hackers and prevent unauthorised network access. Unfortunately, firewalls are not entirely effective in preventing port scanning.
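Because a firewall cannot stop someone from probing it, the practical response is to notice the probing in the firewall's own drop log. The script below is an added example (not from the course page or any firewall vendor) of that detection: it groups dropped connections by source address and raises an alert when one source touches many distinct destination ports inside a short window. The log line format, the sample addresses and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format for this example (not any vendor's real format):
# <ISO timestamp> DROP src=<ip> dst=<ip> dpt=<port> proto=<tcp|udp>
FW_LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+) proto=(?P<proto>\w+)$"
)


def constructed_sample_log():
    """Build constructed sample lines: one scan-like source and one harmless retrying client."""
    lines = []
    base = datetime(2024, 3, 4, 2, 0, 0)
    # Sixteen consecutive ports from one address within about three seconds.
    for i, port in enumerate(range(20, 36)):
        ts = base + timedelta(milliseconds=200 * i)
        lines.append(f"{ts.isoformat(timespec='seconds')} DROP src=203.0.113.50 "
                     f"dst=198.51.100.10 dpt={port} proto=tcp")
    # A client retrying a single blocked port: noise, not a scan.
    for i in range(5):
        ts = base + timedelta(hours=6, seconds=30 * i)
        lines.append(f"{ts.isoformat(timespec='seconds')} DROP src=192.0.2.8 "
                     f"dst=198.51.100.10 dpt=443 proto=tcp")
    return "\n".join(lines)


def parse_firewall_log(text):
    """Parse log text into event dicts with a datetime and an integer port."""
    events = []
    for line in text.splitlines():
        m = FW_LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dpt"] = int(ev["dpt"])
        events.append(ev)
    return events


def detect_port_scans(events, window_seconds=60, port_threshold=10):
    """Return {source: max distinct ports seen within any window} for sources over threshold.

    A sliding window per source keeps a count of how many events in the window hit
    each port, so the number of distinct ports is simply len(port_counts).
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    alerts = {}
    span = timedelta(seconds=window_seconds)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        window = deque()
        port_counts = defaultdict(int)
        for ev in evs:
            window.append(ev)
            port_counts[ev["dpt"]] += 1
            # Drop events that have aged out of the window.
            while ev["ts"] - window[0]["ts"] > span:
                old = window.popleft()
                port_counts[old["dpt"]] -= 1
                if port_counts[old["dpt"]] == 0:
                    del port_counts[old["dpt"]]
            if len(port_counts) >= port_threshold:
                alerts[src] = max(alerts.get(src, 0), len(port_counts))
    return alerts


if __name__ == "__main__":
    print(detect_port_scans(parse_firewall_log(constructed_sample_log())))
```

Counting distinct ports rather than raw drops is what separates a scan from an ordinary client retrying one blocked service; tune the window and threshold to your own traffic, and treat an alert as a prompt to check the firewall's rules and patch levels on the hosts behind it rather than as proof of compromise.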