In the first half of 2009, security researchers detected that 77% of Web sites with malicious code such as viruses and data-stealing worms were actually legitimate sites hackers had infected. Additionally, 61% of the top 100 sites either hosted malicious content or lured unsuspecting victims from legitimate sites to malicious sites. But the big sites aren’t the only ones bad guys are targeting. The major attacks of the year, including Gumblar, Beladen, and Nine Ball, infected more than 160,000 Web sites altogether, and often targeted smaller Web sites.
Attackers target smaller sites because there is a perceived lack of security and lack of dedicated IT support to protect them from malicious intrusion. This often leaves small businesses defending against a disproportionate number of attacks. The danger for small businesses is that if your site is compromised with malicious code, you can be blocked by such browsing tools as Google Safe Search. This could prevent customers from being able to reach you, potentially interrupting Web revenue and dimming visibility. Few businesses can function with this type of interruption of Web services. Fortunately, there are a few easy steps small business owners can take to prevent their Web sites from being compromised by hackers.
1. Make sure your computers and systems are fully patched. Routinely check to ensure you have all software updates in place. For example, recent research shows that as many as 80% of users do not have the most up-to-date versions of Flash and Acrobat installed.
2. If you use forms or a database on your site, make sure you are not vulnerable to injections. This can be done through penetration testing, security tools, or security services that are now relatively commodified and inexpensive.
3. If you allow user-generated content on your Web site—such as allowing visitors to post comments, upload content, and so forth—make sure you scan what users are posting with real-time scanning tools and products that check for malicious links or spam. An example of a free tool that scans blog comments for spam is Defensio.
Dan Hubbard, CTO, Websense, San Diego
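A small version of the link check described in step 3, added here as an example and not taken from the article or from Defensio. The blocklist entries, the link-count threshold, and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed blocklist for this example; a real deployment would load a
# maintained feed or call a scanning service instead.
BLOCKLIST = {"malware-host.example", "spam-pills.example"}
MAX_LINKS = 3  # assumed threshold: more links than this is treated as spam
# Absolute http(s) links plus protocol-relative ones such as href="//host/x".
URL_RE = re.compile(r"""(?:\bhttps?:|(?<![\w:/]))//[^\s"'<>]+""", re.IGNORECASE)
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def extract_hosts(comment):
    """Return the lowercased host of every link found in the comment text."""
    hosts = []
    for raw in URL_RE.findall(comment):
        raw = raw.rstrip(".,;:!?)")  # drop sentence punctuation after a link
        # Protocol-relative links load in a browser too, so give them a scheme.
        url = raw if raw.lower().startswith("http") else "http:" + raw
        try:
            host = urlsplit(url).hostname
        except ValueError:  # malformed authority, nothing to check
            continue
        if host:
            hosts.append(host.rstrip("."))
    return hosts


def screen_comment(comment, blocklist=BLOCKLIST, max_links=MAX_LINKS):
    """Return (verdict, reasons); verdict is 'publish' or 'hold'."""
    hosts = extract_hosts(comment)
    reasons = []
    for host in hosts:
        labels = host.split(".")
        # Compare the host and each parent domain, so a subdomain of a
        # listed domain is held as well.
        parents = {".".join(labels[i:]) for i in range(len(labels))}
        if parents & blocklist:
            reasons.append("blocklisted host: " + host)
        elif IP_RE.match(host):
            reasons.append("raw IP link: " + host)
    if len(hosts) > max_links:
        reasons.append("too many links: %d" % len(hosts))
    return ("hold" if reasons else "publish"), reasons
```

Comments that come back as `hold` go to a moderation queue instead of being published, and the reasons list tells the moderator what triggered the hold.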