Tag: security

  • Security Suggestions and Keeping Safe From Hackers

    Security Suggestions and Keeping Safe From Hackers

    The news is filled with stories about hackers and data theft.  Although they are not to be ignored, hackers can be avoided or thwarted with some common sense.  Let’s look at a few of these common-sense steps and some additional ways you can protect your self and site.

    Secure Passwords

    This is a common warning.  Nevertheless, the vast majority of passwords are anything but secure.  Studies have found that there are a large number of “default” passwords used.  These include tough to guess ones like “password”, “123456”, and “qwerty.”

    This password laziness is being combatted by rules applied to a lot of sites.  This is where your password is required to include things like upper and lower case letters, a number, and maybe special characters.  This is a great way to define all of your passwords.  I find converting sentences to be great.  For example, you can start with, “My three kids are Billy, Sara, and Michael” becomes “m3kaBSaM.”  Note that I just took the first character of each word in the sentence and adjusted case while throwing in a number rather than word.

    Avoid Phishing Attacks

    These attacks are prevalent, but also easy to avoid.  They typically take the form of an “important” email from a co-worker or financial institution.  Some emails ask you to call a number and then that call will be a way for the scammer to get your information.  This is solved by not calling or at least not providing private information on a phone call to someone you are not sure of.  The other approach is to include an attached file that runs a program when opened.  Do not open attached files unless you are sure of the sender.  Even in those cases, make sure you have anti-virus software installed that will scan emails.

    These attacks are more effective than one would expect.  However, they prey on our lack of patience with email and our tendency to open and click on any attachment.  If you are more intentional in how you process your inbox you will see these attacks for what they are.

    Going Deeper

    When you have a website or application to secure it requires more than avoiding hackers.  In these instances, the hackers are likely to come to you.  Thus, steps need to be taken to secure or harden your server.

    The good news is that there are a number of step-by-step guides freely available on the Internet.  There are even some great security portals like the Open Software Security Community.  While most of these tutorials are well-intentioned, take a close look at the site before embracing any of the suggestions.  The best sources are from security companies and vendor sites.  When in doubt, do some checking to make sure the site is legitimate.

    There are some general steps that all of these sites will recommend.

    • Remove identification data to make it harder for hackers to learn about your system
    • Limit ways that the site or application can be accessed
    • Use strong passwords and accounts
    • Configure security measures like firewalls and anti-virus to the recommended settings
    • Keep all software up-to-date

    These steps alone can make your site less a target.  This is important as no site is 100% secure, there are always holes.  When you make yourself less a target either by being hard for hackers to find or difficult to attack then they often will move on to easier targets.  This is the old idea of not being able to outrun a bear, just being able to outrun the other people the bear is chasing.

    Be Safe

    As we said at the top, common sense is the best approach to Internet security.  Hackers are not near as scary when you take these steps to reduce your risk.  If we all follow the steps above we would make life a lot more difficult for the typical hacker.

  • Upgrades vs Stability for Production Solutions

    Upgrades vs Stability for Production Solutions

    One of the pervasive properties of software is change.  Whether this change comes from regular enhancements or environmental updates, it is one that should be considered strategically for production software.  Thus, the balance of upgrades vs. stability needs to be considered as your solution ages.

    Easy Upgrades

    Modern software environments provide features that make upgrades easier than in the past.  A great example of this is WordPress and other “plugins supported” solutions.  The goal is to make administration of these sites easy and quick.  Thus, you often can upgrade a plugin or even the core software to the latest version with the click of a button.

    This ease extends to core environments as well.  There are a lot of automated update tools available to keep all of your software up to date.  The most well known of these is the windows update tool provided in many recent Windows OS versions.

    Impacts to Stability

    This ease of administration is excellent.  However, it is also hazardous.  An upgrade may break your entire site and lose sales.  As scary as that sounds, even worse side effects can happen.  Data may get corrupted, backups can become invalid, and fulfillment can be sent to the wrong address.  These worst-case scenarios are not exactly typical, but they can happen.  Upgrading your system can turn a steady running and reliable system into a nightmare.

    These concrete impacts are just one facet of the considerations.  Updates may change the user experience.  Something as trivial as moving a menu item can cause user headaches and negative backlash.  For some great examples of this, look at some of the Facebook changes over the years that caused a massive outcry from their user base.

    Managing Upgrades vs. Stability

    It may seem that these risks point to leaving your software in its original state as long as possible.  Fewer changes should lead to higher stability.  This is only partially true.  A stable system is more accessible to hack and may be steadily approaching a point of no return.  In the latter case, this can be a point where the system lacks the resources to support the user base or amounts of data within the system.

    There are also license considerations and support.  Older software may not be supported by vendors entirely or at all.  Thus, we need to find that balance.  Here are some high-level steps that can be taken to keep your solution up to date while minimizing risk.

    Scheduled or Periodic Updates

    Vendors do not release updates on the same schedule.  However, you can set a timetable for when you will apply updates so you can keep those updates on a plan suitable to your business.  I recommend updates on a frequency of two to four times a year.

    Test, Test, Test

    It is recommended that you have multiple environments during implementation.  This is even more important once you “go live.”  The value of these other environments is that they allow you to create an identical version of your production system for testing.  Thus, nearly all of the risk can be assumed by a “test” environment instead of production.  This is not a silver bullet, but it is pretty darn close.

    Backup, Backup, Backup

    Before any update is made, make sure the whole system is backed up.  This will allow for roll-back in case an update is not viable.

    Avoid Bleeding Edge

    When you follow the suggestions above, it should help you buy some time before implementing an update.  This should be embraced and used to allow you to pass the risk on to other customers.  They can perform the update, and their feedback will help you avoid problems and reduce risk.  In effect, waiting on an update allows others to be your guinea pig.

    The Bottom Line

    These are general suggestions, but embracing them can be very useful.  There is always going to be a challenge in finding the balance of upgrades vs. stability, but when you reduce risk, it makes success more likely.  Following the steps noted here can provide a win-win situation where you have current software and a stable experience for your customers.

  • Chip and Pin – Why Bother?

    Chip and Pin – Why Bother?

    If you work in retail or use a credit card, you have come across the latest technology: chip and pin.  In the U.S. this is a newer and less prevalent technology than it is in the rest of the world.  However, that does not diminish its importance.

    The more technical name for this technology is EMV (a shortened version of the card schemas: Europay, MasterCard, and Visa) but you can find usually find both phrases used in discussions about it.  You may wonder what good it is and why it matters.  If you are a company that accepts credit cards, this is a technology crucial to your future.  The sooner you embrace it, the better.

     

    Chip and Pin is More Secure

    Chip and pin cards are more secure than traditional card swipe solutions.  This is due to more built-in validation and verification.  Without getting too technical, the big difference is that traditional cards use only a card number and expiration date in a transaction.  The chip contains much more information that can be used to make it that much harder for hackers to fake a transaction.

    (more…)