© 2011 by Nick B. Nicholaou, all rights reserved. President, Ministry Business Services, Inc. Reprinted from Christian Computing Magazine.
While at a conference recently I met a specialist in system security. He works in that role for one of the largest enterprise-class computer manufacturers. As we talked about security issues, I was surprised to learn how vulnerable many systems are! We met again by phone and video conference, and he shared some specifics with me.
Why Should We Care?
Most malware today is spread via websites, many even by legitimate websites! The Finjan Malicious Code Research Center’s Cybercrime Intelligence Report, Issue #3, 2009 states it this way:
“…It doesn’t take much for today’s cybercriminals to infect website visitors with a Trojan. Using commercial software (crimeware toolkit) available for $100-$300 on hacking forums, the cybercriminal can easily launch a massive attack. It allows him to insert exploiting code to vulnerable websites (legitimate or fake ones). Once a visitor visits one of the infected websites, an exploit code, served by the crimeware toolkit, installs a Trojan on the PC in use.”
Websites that aren’t secure can become distributors of malicious code that hurts many. When Steve Hewitt, CCMag Editor-in-Chief, was researching church websites a couple of years ago, his computer got infected by malware from a ministry website!
Authenticity in this area includes being reliable, dependable, and trustworthy. The care we take in protecting those visiting our websites means our guests will not regret having trusted us.
Some Common Vulnerabilities
Does securing your website cost a lot of money? Does it require contracting with a black ops unit? Fortunately not. Here are some common vulnerabilities to talk about with your web designer.
- SQL Statements. Many websites can process SQL (Structured Query Language) query statements. These statements can extract your site’s data, insert malicious code, or change your website! The easiest place for someone to slip in a query statement is your search field or any other input field. A simple way to protect your website is to limit the length of your search field. You may want to consider limiting your search field to twenty characters and making sure your other input fields are not longer than they need to be.
Another good friend, Ross Gile with www.digical.com, recommends that if your website uses a SQL database, the database should be locked down behind a firewall.
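To show what the SQL Statements item is about, here is an added example (not from the article or its sources) of the same search box wired to a small database two ways: once with the visitor’s text pasted directly into the query, and once passed as a bound parameter alongside the twenty-character cap the article suggests. The table and its contents are constructed for the example.

```python
"""Added example: how a search field reaches a SQL query and why the way
the query is built matters. Uses Python's built-in sqlite3, in memory."""
import sqlite3

MAX_SEARCH_LEN = 20  # length cap suggested in the article


def make_db():
    """Constructed sample data: a sermon archive with one unpublished entry
    that visitors should never see."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sermons (title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO sermons VALUES (?, ?)", [
        ("Grace and Truth", 1),
        ("Faith in Action", 1),
        ("Draft: Budget Review", 0),
    ])
    return conn


def search_unsafe(conn, term):
    """Vulnerable form: the visitor's text becomes part of the SQL statement,
    so a quote character in the input can end the string and add conditions
    the site never intended, such as dropping the published = 1 filter."""
    sql = ("SELECT title FROM sermons WHERE published = 1 "
           "AND title LIKE '%" + term + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Hardened form: the statement is fixed text and the input is a bound
    parameter, so the database treats it only as a value to compare against.
    The length cap is the article's advice, applied before the query runs."""
    if len(term) > MAX_SEARCH_LEN:
        raise ValueError("search term too long")
    sql = "SELECT title FROM sermons WHERE published = 1 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]
```

Both functions return the same results for an ordinary search; they differ only when the input contains SQL syntax, which is exactly the case a web designer should test for.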
- Webserver Path. When viewing a web page in a browser, an option in most browsers makes it possible to lift the hood and look at the engine, so to speak, by simply viewing the page source code. Make certain your website paths are not fully listed in the page source, because doing so makes your website more vulnerable. Any paths listed should be relative and not give the full tree or folder structure.
- Security Algorithm. Also while viewing your page source, make certain the security algorithm used to encrypt usernames and passwords is not named. Doing so makes breaking your website security much easier than you want it to be.
- Website Login. Any online login page should be secure. Two ways to tell if it is are:
  - Look at the website address, or URL. If it begins with https://, that means it’s connecting to a secure server, and that’s good.
  - Look for your browser’s secure page icon, usually a lock. If the lock is open or broken, it is not a secure page; if the lock is locked or closed, it is a secure page. I sometimes check the owner of the security certificate on the page if the organization is one with which I am unfamiliar to be certain the certificate is owned by who I think it should be: the organization whose site I’m visiting. Clicking on the lock will link you to the security certificate.
  - You might also want to use a Captcha, which is a type of challenge response to make sure the person attempting to log in is human.
- Website Admin Login. Avoid default login page addresses like www.yourwebsite.com/admin.html and default login names like admin. Avoiding them helps to frustrate hackers and automated hacker programs.
- Website Server Security. Inexpensive and free websites given to churches are often hosted on out-of-date systems, which makes them more vulnerable to crimeware toolkits. Have a conversation with your webhost about your concern in this area and find out if your server is up-to-date.
Password Strength
We like short and easy-to-remember passwords. My security friend shared with me a chart showing the time it takes to break a password, and it really surprised me! From www.lockdown.co.uk, here are some sample password ‘recovery’ times using a brute force method (btw… this is a site worth checking out):
- Any 4 digit combination: instant!
- 8 digits, numeric: instant!
- 8 digits, upper & lowercase alphabetic: 35 minutes
- 8 digits, upper & lowercase alphanumeric: 25¼ days
- 8 digits, upper & lowercase alphanumeric w/common symbol: 2¼ years
A quote by Bruce Schneier, internationally renowned security technologist and author, that’s linked on their website says, “As computers have become faster, the guessers have got better, sometimes being able to test hundreds of thousands of passwords per second.”
An additional step you can take to protect your systems is to lock an account for a period of time after a reasonable number of failed login attempts.
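The lockout step above, as an added example that is not part of the article: a small login guard that counts consecutive failures per account and refuses every attempt, right or wrong, until a lock window has passed. The `verify` callback and the clock are assumptions supplied by the caller, so the window can be exercised without waiting.

```python
"""Added example: lock an account for a period of time after a run of
failed login attempts, so brute-force guessing cannot continue at speed."""
import time

MAX_FAILURES = 5           # failed attempts tolerated before locking
LOCKOUT_SECONDS = 15 * 60  # how long the account then stays locked


class LoginGuard:
    def __init__(self, verify, clock=time.time):
        # verify(username, password) -> bool is the site's own password check
        # (assumed here); clock is injectable so tests need not sleep.
        self._verify = verify
        self._clock = clock
        self._failures = {}      # username -> consecutive failed attempts
        self._locked_until = {}  # username -> time the lock expires

    def is_locked(self, username):
        return self._clock() < self._locked_until.get(username, 0)

    def attempt(self, username, password):
        """Return 'ok', 'locked' or 'denied'.

        While locked, even the correct password is refused, so an attacker
        gets no signal about which guess in the burst was right."""
        if self.is_locked(username):
            return "locked"
        if self._verify(username, password):
            self._failures.pop(username, None)  # success resets the counter
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        if self._failures[username] >= MAX_FAILURES:
            self._locked_until[username] = self._clock() + LOCKOUT_SECONDS
            self._failures.pop(username, None)
        return "denied"
```

Log each lock event: a burst of lockouts across many accounts is a useful early warning, and a lockout policy can also be triggered deliberately to keep a legitimate user out, which is why the window should be measured in minutes rather than indefinite.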
My security friend said that about 40% of church websites are vulnerable! The items in this article can go a long way towards securing your website and even your data network.