If you're an administrator trying to protect yourself or your end-users, it's important to understand and communicate that trusted Web sites can no longer be assumed to be safe. Dozens of recent research papers have reported how millions of legitimate Web sites are being infected by criminal gangs.
Not that infected legitimate Web sites are anything new. I remember one of the world's most popular Web sites trying to infect my computer (unsuccessfully) with the Nimda worm in September 2001. What has changed is that infected sites are no longer an acute problem, something to watch for only during a major malware outbreak (Santy worm, Code Red worm, and the like). It's now systemic: still a minority of the Web, but a constant one, 24/7.
From an end-user perspective, the first step is simply to be aware of this fact, so that no Web site is fully trusted. Second, make sure your operating system and applications are fully patched. My favorite online patch scanner is Secunia's Software Inspector. Being fully patched significantly decreases the risk of compromise, because most drive-by infections rely on exploiting a known, already-fixed vulnerability in the browser or one of its plug-ins. Third, if you are unexpectedly prompted to install new software when visiting a Web site, make sure you really are installing legitimate, needed software. If the Web site states that you need a new media codec, media viewer, or Microsoft Windows patch (the most common malicious ploys), be very skeptical: legitimate patches come from the vendor's own update mechanism, not from a pop-up on an unrelated site.
If you manage one or more Web sites, you've got to protect yourself. First, hack yourself before a malicious hacker does. If your site is backed by a SQL database, download and run any of the free SQL injection scanners against your site(s). Make sure the Web site is not susceptible to cross-site scripting. Use router access control lists, firewalls, and other security controls. Make sure your Web server software and its operating system are fully patched, and that administrative passwords are sufficiently strong. Refer to the OWASP Top 10 list for the most common Web site vulnerabilities.
Finally, make sure your Web site developers follow a Security Development Lifecycle when programming. Be careful when reusing free Web gadgets and code snippets. These are often insecure, and some are intentionally coded by malware authors hoping for indiscriminate reuse. Securing Web server software is fairly easy. Securing the Web application running on it is much harder.
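The two checks the previous paragraphs call for, SQL injection and cross-site scripting, are easiest to understand when the injectable code sits next to its fixed form. The following is an added example, not code from the column or from any scanner it mentions; the user table, the two payloads, and the helper names are constructed for illustration, and it uses Python's built-in sqlite3 and html modules so it runs offline. It also shows the probe a scanner actually sends (a lone single quote) and why it only produces an error when input is spliced into the SQL text.

```python
import html
import sqlite3

# Constructed sample rows standing in for a site's user table (not real accounts).
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def _db():
    """Build a throwaway in-memory database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the SQL by string formatting: the classic injectable pattern."""
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Same query with a bound parameter: the input is never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_vulnerable(name):
    """Reflects untrusted input into HTML unescaped: reflected XSS."""
    return "<p>Hello, %s</p>" % name


def render_safe(name):
    """HTML-escapes the input before it lands in the page."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


def probe_sqli(conn, lookup):
    """Scanner-style probe: a lone quote breaks the SQL only if input is spliced into it.

    Returns True when the database reports a syntax error, i.e. the quote
    reached the SQL parser, which is the signature an injection scanner keys on.
    """
    try:
        lookup(conn, "'")
    except sqlite3.OperationalError:
        return True
    return False


# The payloads a SQL-injection or XSS scanner would send (constructed).
SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"


def self_test():
    """Run both payloads through both versions and report which ones are exposed."""
    conn = _db()
    results = {
        # Vulnerable query becomes WHERE username = '' OR '1'='1': whole table dumped.
        "sqli_vulnerable": len(lookup_vulnerable(conn, SQLI_PAYLOAD)),
        # Bound parameter: the payload is just a username nobody has, so no rows.
        "sqli_safe": len(lookup_safe(conn, SQLI_PAYLOAD)),
        # Raw <script> tag survives into the page.
        "xss_vulnerable": "<script>" in render_vulnerable(XSS_PAYLOAD),
        # Escaped to &lt;script&gt;, so the browser renders text, not a script.
        "xss_safe": "<script>" in render_safe(XSS_PAYLOAD),
        # The lone-quote probe: error from the vulnerable path, none from the safe one.
        "probe_vulnerable": probe_sqli(conn, lookup_vulnerable),
        "probe_safe": probe_sqli(conn, lookup_safe),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for check, outcome in self_test().items():
        print("%-18s %s" % (check, outcome))
```

Run it and the vulnerable lookup returns both rows for the `' OR '1'='1` payload while the parameterised one returns none; the same split shows up for the quote probe, which is exactly what an automated scanner reports as a finding. The output-escaping half is the XSS counterpart: the fix is not filtering the input but encoding it at the point where it is written into HTML.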
Educating technical staff and users is also hard. It's important to update your company's secure computing educational material to cover the growing threat of maliciously modified legitimate Web sites. It's a new way of thinking, and most end-users haven't made the mental update yet. You can help them.