There seems to be no end to the threats that menace your online business. It might be a hacker vandalizing your home page, a competitor prying into your marketing plans, a thief stealing your credit-card files, a disgruntled employee sabotaging your customer database, or a malicious kid sending you a virus.

It is important to realize that the very nature of the internet will always make your business vulnerable. The medium's accessibility and openness are what make it such a powerful new place to conduct business. Unfortunately, accessibility and openness often conflict with your need to secure your money, your sensitive customer information, and your other important business data. The threats are real, but they can be thwarted. Just as you protect your data by backing it up, you can protect your site's integrity by establishing security procedures. There are three basic things you can do to secure your site:

Limit Access

Authenticate Users

Encrypt Sensitive Data

Limit Access

The first way to secure your site is to restrict access to it. Obviously, you don't want to restrict access to your web pages, but you do need to prevent malicious intruders from getting access to your databases, your programs, your CGI or ASP scripts, etc. Your first line of defense is password protection of the directories and files where your sensitive data and programs are stored. Your ISP's technical support staff or your systems administrator can help you 1) decide which files and directories you should restrict access to and 2) implement your password protection. You will certainly want to password protect your programs, scripts, databases, and log files, but you may also want to restrict access to some of your web pages (e.g. "members only" pages). For an example of how to do this on a UNIX server, see the Password Please article.
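Password protection decides who may fetch a file through the web server, but the permission bits on the server itself decide which local accounts can read or alter your scripts, databases and logs. The following script is an added example, not code from the article: it walks a site's directory tree and reports files whose UNIX permission bits expose them to every user on the machine. The sample layout, the file names and the list of "sensitive" suffixes are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Suffixes treated as sensitive (scripts, databases, logs, password files).
# This list is an assumption for the example, not taken from the article.
SENSITIVE_SUFFIXES = (".cgi", ".pl", ".asp", ".db", ".log", ".htpasswd")


def find_overexposed_files(root):
    """Walk `root` and return sorted (relative path, problem) pairs.

    A file is reported when it is world-writable (any local user could alter
    a script or plant a file) or when it has a sensitive suffix and is
    world-readable (any local user could read the database or log)."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are not meaningful
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            elif name.endswith(SENSITIVE_SUFFIXES) and mode & stat.S_IROTH:
                findings.append((rel, "world-readable sensitive file"))
    return sorted(findings)


def build_demo_tree():
    """Create a constructed sample site in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="site-")
    layout = {
        "index.html": 0o644,          # public page: world-readable is fine
        "cgi-bin/order.cgi": 0o755,   # script readable by everyone: flagged
        "data/customers.db": 0o600,   # correctly restricted to the owner
        "logs/access.log": 0o666,     # anyone can edit the log: flagged
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    site = build_demo_tree()
    for rel, problem in find_overexposed_files(site):
        print(f"{problem}: {rel}")
```

Run it against your real document root instead of the demo tree to get a list to review with your ISP or systems administrator; a world-writable file under a web root deserves attention whatever its name, which is why that check runs before the suffix check.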
Ken Longcrier, our webmaster here, offers these tips for password security:

Use at least 1 non-alphanumeric character (like ";" or "=") in your password
Change your password frequently
Don't share your password (if someone legitimately needs access, then they need their own password)

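The first two tips can be checked mechanically. The following function is an added example, not code from the article or its webmaster: it reports which of those rules a password fails. The 90-day rotation limit and the 8-character minimum are assumptions for the example, since the article says only "frequently" and sets no length.

```python
from datetime import date

# Policy limits are assumptions for this example; the article names no figures.
MAX_AGE_DAYS = 90
MIN_LENGTH = 8


def password_problems(password, last_changed, today,
                      max_age_days=MAX_AGE_DAYS, min_length=MIN_LENGTH):
    """Return a list of policy violations; an empty list means the password passes.

    `last_changed` and `today` are ISO dates such as "1999-06-01"."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # "Non-alphanumeric" covers punctuation such as ';' or '=' and also spaces.
    if not any(not ch.isalnum() for ch in password):
        problems.append("no non-alphanumeric character (e.g. ';' or '=')")
    age = (date.fromisoformat(today) - date.fromisoformat(last_changed)).days
    if age > max_age_days:
        problems.append(f"not changed for {age} days (limit {max_age_days})")
    return problems


if __name__ == "__main__":
    # Constructed sample accounts: (password, date last changed).
    samples = [("webmaster", "1999-01-15"), ("m0nthly;stats=ok", "1999-05-15")]
    for pw, changed in samples:
        print(pw, "->", password_problems(pw, changed, "1999-06-01") or "ok")
```

Feed it the password change dates from your own account records rather than the constructed ones, and treat any non-empty list as a prompt to change that password now.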
Another kind of web site security is provided by a firewall. A firewall is a suite of programs (along with a set of procedures) that a private network (an intranet or LAN, as opposed to a public network like the internet) can use to control access to and from its computers. If your site is hosted by an ISP, you probably aren't a candidate for using a firewall, but if you want to learn more about them see the definition or the Internet Firewalls Frequently Asked Questions page.

An important but often overlooked aspect of web site security is controlling physical access to your web server and its programs and data. For a determined saboteur or thief it is often easier to simply walk off with a floppy disk or, worse yet, with the whole computer holding the data your password system protects so well. As Eric Swanson, a long-time UNIX and NT systems administrator says, "In the end, your critical data is only as secure as the lock on the door to the machine room." So it might be worth your while to pay a visit to your ISP to ensure that they have good physical security measures in place.

None of the above practices can guarantee that virus-infected files won't show up on your system, so you should always augment your security procedures with a good virus checker.

Authenticate Users

In addition to what your users access, which you can control with the measures above, you may want to verify who is accessing your site. This is especially crucial for e-commerce sites or sites that handle sensitive information like medical or financial records.

Firms such as Thawte issue certificates that serve as shoppers' and merchants' virtual identification cards. These certificate-issuing authorities take measures to ensure that an online shopper or merchant is actually who they say they are and then issue a digital ID they can use to securely interact with one another.

If you conduct e-commerce at your site, your virtual storefront software likely includes some sort of authentication mechanism. If you need to verify identity at your site for some other reason, you will need to install certificate software on your server.

The issue of identity in cyberspace raises some interesting philosophical and legal questions, which a columnist explores in The Other Side of Web Security.

Encrypt Sensitive Data

Secret decoder rings rarely show up in your Cracker Jacks box anymore, but encryption is alive and well on the internet.

Many of the security schemes above rely on public-key encryption schemes like Pretty Good Privacy (PGP). Public-key encryption is an ingenious method of securing sensitive information. It uses a pair of keys, one public and one private, to lock and unlock sensitive files. For example, if you wanted to have a secure e-mail exchange with someone, you would give them your public key, with which they would encrypt their message to you. You would then open their e-mail with your private key, which only you have access to and which is the only way to get at information that has been encrypted with your public key. For instructions on how to use PGP, see CNET's article on how to Protect Your Privacy with PGP.
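The key relationship the paragraph describes can be seen in a few lines of arithmetic. The following is an added example, not code from the article or from PGP: it builds a textbook RSA key pair from two tiny primes, encrypts a message with the public key and shows that only the private key recovers it. The primes, the message and the one-byte-per-block layout are chosen for illustration; real software uses primes hundreds of digits long and pads each block, so treat this as a model of the idea, not as something to protect data with.

```python
from math import gcd


def make_keypair(p, q, e=17):
    """Build a textbook RSA key pair from two primes.

    Returns ((n, e), (n, d)): the public key, which you hand out freely,
    and the private key, which never leaves your machine."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # private exponent: e * d == 1 (mod phi); Python 3.8+
    return (n, e), (n, d)


def encrypt(public_key, message):
    """Encrypt a byte string, one byte per block, with the recipient's public key."""
    n, e = public_key
    if n < 256:
        raise ValueError("modulus too small to hold one byte per block")
    return [pow(b, e, n) for b in message]


def apply_key(key, ciphertext):
    """Raise every block to the key's exponent; only the matching private key
    turns ciphertext blocks back into the original bytes."""
    n, exponent = key
    return [pow(c, exponent, n) for c in ciphertext]


def decrypt(private_key, ciphertext):
    return bytes(apply_key(private_key, ciphertext))


def round_trip(message, p=61, q=53):
    """Encrypt with the public key, decrypt with the private key, and report
    whether applying the public key again (what an eavesdropper who holds
    only the public key could do) recovers the message."""
    public, private = make_keypair(p, q)
    ciphertext = encrypt(public, message)
    recovered = decrypt(private, ciphertext)
    wrong_key_matches = apply_key(public, ciphertext) == list(message)
    return recovered, wrong_key_matches


if __name__ == "__main__":
    public, private = make_keypair(61, 53)   # toy primes chosen for the example
    blocks = encrypt(public, b"meet at noon")
    print("public key:", public, "private key:", private)
    print("ciphertext blocks:", blocks)
    print("decrypted with private key:", decrypt(private, blocks))
```

The point to take away is the asymmetry: the correspondent needs nothing but your public key to lock a message, and the public key alone cannot unlock it again. Encrypting each byte separately, as done here, also shows why real systems add random padding: identical bytes produce identical blocks, which would leak patterns in the plaintext.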

Perhaps the most common public-key encryption method in use on the internet is Netscape's Secure Sockets Layer (SSL). SSL uses encryption to create a private, secure way to transmit documents over the internet. Many e-commerce programs rely on SSL to secure the transmission of credit-card information and other sensitive data. For a detailed (if occasionally mind-bending) look at the logic that underlies SSL, see Netscape's page on How SSL Works.

Keep Up with the Bad Guys

One final note. There is no area more dynamic and fluid than internet security. Every week there is another story about an e-mail program with a security flaw or a teenage hacker cracking an "uncrackable" encryption scheme. So make sure that you and your ISP or your systems administrator are staying on top of this area. Read the technology section in your local newspaper, and check out sites like Web Developer's security page on a regular basis.