Online Business Security Tips

Tips for Having a More Secure Online Business

Having a more secure online business will allow you to protect yourself against break-ins, takedowns, data theft and other types of internet security threats. Developing good security habits takes some effort in the beginning, but once they’re in place you won’t have to think about them much.

Every online business, no matter how big or how small, should spend a decent amount of time thinking about security. If you don’t have great security in place, a single break-in could cost you your whole business.

Here are a few tips for having a more secure online business.

Don’t Use Unprotected Emails

Your email inbox is one of the most important security hubs in your business. Because most online services allow you to recover your password to your mailbox, a breach in your mailbox essentially means a breach in every online service you use.

More specifically, you never want to use an unsecured email with the email address that you use for domain registrations or the email you use as your hosting account’s administrator.

One of the best ways to secure an email account is with 2-step verification. This is when the email provider has to actually call or send you a text before you can log in. This more or less eliminates the risk of hackers stealing your password and hijacking your account.

Tips for Securing Your Passwords

Your passwords should ideally be 8 characters or longer. They should contain a good mix of numbers and letters, as well as capital letters and lower case letters. A password like “teddybear” is extremely easy to crack, whereas a password like “T8ghO34Lb” is extremely difficult to crack.

Update your passwords regularly. Your passwords should be in place for no more than 180 days or half a year at a time.

Use different passwords for different online services. That way even if an intruder manages to get a hold of one password, they won’t have access to all the services you use.

Anti-Virus and Anti-Trojans

Viruses and trojans are a big problem for businesses as well as consumers. You hear all the time about viruses that are targeted at the masses. But did you know that trojans are often written specifically to target corporations?

These trojans are sent to employees, disguised as emails from co-workers. Whenever an employee opens the executable file, they get infected with the trojan. The trojan can then pass sensitive data to the intruder, as well as give them access to computers.

There are a few things you can do to prevent this from happening.

First, educate your staff about the dangers of opening executables in email. In fact, employees should never open an executable file they receive via email without confirming its validity with a phone call first. Let staff know that it’s quite possible for hackers to fake an email’s sender.

Next, make it company policy to protect all computers with anti-virus and/or anti-malware software. Common applications include Ad-Aware, Norton Anti-Virus, McAfee and Spybot Search & Destroy.

These two policies will help keep out 99% of the trojans out there. The 1% that hackers manage to write to circumvent trojan detection systems will still have to get past your strict in-office policy about executable files.

Protect Yourself by Patching and Updating

Patching and updating your software is one of the most crucial security habits you could develop.

Patches often fix old security holes that a program’s developers are aware of. If a new security vulnerability is discovered, the first thing a program’s development team does is figure out a way to fix it then release a patch.

Not installing patches is incredibly dangerous. It’s not just that there’s a security hole in your software. It’s that you have a known security hole in your software. That means thousands of hackers on the internet already know how to hack your system, without having to do any hard work.

Protecting yourself by patching and updating is quite simple. Most programs have some sort of mechanism to notify you of new patches. Whenever you see a patch, install it. Also sign up for the mailing list of the software systems that you’re using.

Firewalls: What They Are and Why You Should Use Them

Firewalls allow you to selectively open and close ports. Ports are like entry points on your system. Of course you want to let certain types of data in, such as browser requests, orders and emails. But you also want to keep certain types of data out. For example, intrusion attempts, attempts to flood your server and so on should be kept out.

The way you selectively choose which kinds of traffic to let in and out is through firewalls. A firewall system can be either software based or hardware based or both.

Your firewalls should be configured to only let in the types of traffic that you need to operate your business. All other ports should be closed. If you ever need to open a port in your firewall to run a special application, make sure that port gets closed after the application is finished running.

Protecting Against “Scripts Against the Server” Attacks

Scripts against the server attacks are very dangerous and hard to spot. One of the most common types is the dreaded MySQL injection, though this kind of attack works against all kinds of databases, not just MySQL.

Basically the way it works is that the intruder uses a number of probing commands and tools to figure out how your software is written and how your database is configured. They then use either your URL bar or your web forms to insert commands that then get executed in your database.

This kind of attack has worked against even huge companies like Petco. The intruder, who was merely 20 years old, was able to get credit card information, address information and more from Petco’s database merely by entering the right kinds of commands in the URL bar.

Protecting yourself against scripts against the server attacks requires using a lot of validation. You should have several levels of validation, designed to make sure that any input from the user is truly the input that should be there and not something that could be executed by the server.

This is largely a security habit that your developers need to develop. If your developers aren’t including a lot of validation in their input processing code, it may be time to have them brush up on their security knowledge.
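As an added illustration (not code from the original article), here is the pattern behind the attack described above next to the layered validation the text calls for, in Python against an in-memory SQLite table of constructed sample rows. The first lookup pastes the user’s input into the SQL text; the hardened lookup checks the input against an assumed username pattern and then binds it as a parameter so the database never interprets it as SQL.

```python
import re
import sqlite3

# Constructed sample rows standing in for a customer table; nothing here is real data.
SAMPLE_CUSTOMERS = [
    ("alice", "alice@example.com", "card-ending-1111"),
    ("bob", "bob@example.com", "card-ending-2222"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The flawed form: the value from the URL bar or web form is pasted straight
    into the SQL text, so quotes in the input rewrite the query itself."""
    sql = f"SELECT username, email FROM customers WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """First layer: bind the value as a parameter. The database receives the
    query and the value separately, so the input is only ever compared as data."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Second layer: what a username is allowed to look like (assumed rule for this example).
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Both layers together: reject anything that is not shaped like a username,
    then run the parameterized query."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters that are not allowed")
    return lookup_parameterized(conn, username)


def hardened_rejects(conn: sqlite3.Connection, username: str) -> bool:
    """True when lookup_hardened refuses the value before it reaches the database."""
    try:
        lookup_hardened(conn, username)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # input shaped to turn the WHERE clause into a tautology
    print("vulnerable:", lookup_vulnerable(db, crafted))        # every row comes back
    print("parameterized:", lookup_parameterized(db, crafted))  # no rows
    print("hardened rejects:", hardened_rejects(db, crafted))   # True
```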

Wifi: Inside and Outside the Office

Another common source of break-ins is from wireless networks that aren’t all that secure. This can happen in one of two ways.

First you have the Wifi inside your office. If you’re using low level encryption, there’s a very good chance that an outsider can break that encryption. That’s especially true if it’s well known that you’re a very successful company and that there could be financial benefits from breaking in.

The best way around this is to switch all your office Wifi signals to high level WPA encryption. These are virtually impossible to crack.

Another common method is through open Wifi signals. For example, a co-worker might be working out of a coffee shop with an open Wifi network. If they’re doing this, everything they do, whether it’s passwords, emails or websites, is plainly visible to an outsider.

Perhaps the best way around this is to use VPN tunnelling. This allows you to “funnel” data through a secure connection. Otherwise, avoid using open Wifi entirely, especially for sensitive data.

Having Good Backup Habits

Having good backup habits can save the day should something bad happen. If your database does get wiped out for example, having a backup of that database could be the difference between your company going under or the whole thing just being a hiccup in your operations.

There are a few different levels at which you should operate your backups.

First, the personal level. Systems like Google Drive or Dropbox can make backing up your data virtually effortless. If your laptop should ever crash or get stolen, all your data will be available in one place.

Next, you have the automated digital level. Any data that isn’t overly sensitive should be backed up automatically through some sort of online backup system.

Finally, you have hardcopy backups. Encrypted versions of sensitive data should be backed up to hardcopy backups every quarter or every half a year or so. This allows you to restore everything from a recent backup should something really go wrong.

The Security Mindset

Finally, adopt a security mindset. If you run a web company, it’s pretty safe to assume that people are going to regularly scan your systems for vulnerabilities.

Anytime you adopt a new system, look at it from the security perspective. Regularly talk about security habits and procedures with your technical staff.

Adopt an “always on the lookout” kind of stance. It takes time and effort, but it’s much better than the alternative.

Duo Security Illustrated Guide

Duo Security is a unique online application that allows you to lock your various online login portals with a phone login. That means that instead of just logging in with a username and password, users will also need to log in using a code sent to their phone via SMS or voice, or sent to them via smartphone app.

Duo Security is best used with applications and businesses that absolutely have to be secure. If you’re operating a multi-million dollar blog for example, it’s probably a good idea to use Duo Security to make sure hackers can’t sneak in unwanted posts.

The price for Duo Security is $3 per user per month. The service is free for the first ten users. This makes it easy for you to give their service a try to make sure you like it. Also, even their paid version comes with a 30 day trial.

Here’s how to get started with Duo Security.

Step 1: Getting Started

To get started, go to: http://www.duosecurity.com.

Click “Free 30 Day Trial” to get started.

Step 2: Select Plan

Choose which plan you want to sign up for. Unless you’re a multi-million dollar enterprise-level organization, you’ll want to choose one of the first two choices.

Step 3: Initial Information

Fill out your initial information. This includes your name, email, phone number and organization name. Note that your organization name can’t be changed later and is publicly visible to your customers.

Step 4: Verification

You’ll need to verify your account before you can use Duo Security.

Start by entering your name and choosing a password. Then enter your phone number in the phone number box.

Duo Security will then call your phone. The status of the call is shown at the bottom of the screen. When you receive the call, press the pound key to confirm your phone number.

Once you hit pound, Duo Security will receive the confirmation then finish creating your account.

Step 5: Create Integration

Once you’re in your account, click “Create your first integration.”

Step 6: Choose What Type of Integration

Select what type of integration you want to use.

For web applications like WordPress, you’ll want to use the Web SDK integration.

For other kinds of integrations, these are the common options.

UNIX Integration – Allows you to add phone verification for local and remote SSH access to UNIX systems.

Web SDK – WordPress, Drupal and other CMS and web apps.

SSL VPNs – Allows you to secure your Virtual Private Networks (VPNs). Select the specific type of VPN from the drop down list.

Generic RADIUS – For VPNs that aren’t on the list.

Microsoft RDP – For Microsoft Remote Desktop Protocol logins.

Microsoft OWA – For Microsoft Outlook Web App logins.

Step 7: Name Your Integration

Give your integration a name. This will help you remember exactly what is what if you choose to set up a few more integrations in the future.

Step 8: Generated Codes

Duo Security will then generate a set of codes for you. You’ll need these to install and use Duo Security.

Never divulge your “Secret Key” – This is like your password. If someone has it, they’ll be able to access your account.

Step 9: Final Details

Finally, select the visual style for the login, select whether there’s a voice greeting should someone call back and write down any notes you have about this specific integration.

Step 10: Install the Plugin (WordPress)

The next steps from here vary greatly depending on the system that you’re securing. Basically, you need to tie the login process of your system to Duo Security’s system. Each different type of integration does this differently.

Here, we’ll demonstrate how to do it with WordPress.

Start by finding and installing the Duo Security WordPress plugin.

Step 11: Go to Settings

Go to the “Settings” tab of the plugin you’ve installed.

Step 12: Key In Your Settings

Copy and paste in the keys that you got earlier in the process.

Then check which types of users you want to enable Duo Security for.

Step 13: The Login Screen

Once Duo Security is enabled, anytime someone tries to log in or to create an account they’ll see this screen.

In other words, they’ll be required to set up their account using a phone verification system. They’ll also be invited to install the Duo Mobile app, which makes verification a bit easier. Even without the app, however, you can still verify using text or voice calls.

After setting up Duo Security for the first time with that account, you’ll then be presented with the login screen that you’ll see each time you log in.

The way it works is simple: Just choose which number you’re logging in with and whether you want a phone call or an SMS. Enter the code you received, then hit “Log In.”

That’s how you install Duo Security! The installation process is similar for all applications, but definitely has its differences on the back end. In general, the process looks like this: Create integration, install Duo Security on your back end systems and then create user accounts. The back end installation is what varies from system to system. Everything else is more or less the same.

Setting Up 2-Step Verification for Your Google Account

Your email is one of the most important pieces of your internet business, especially from a security perspective. It’s what you use to recover your passwords from any number of other online services. If someone manages to get into your email accounts, chances are they’ll be able to gain access to a lot of your other online services too.

Google knows this and provides an advanced layer of protection. They call it the 2-step verification process. Here’s how it works.

Whenever you log into Google, instead of just using your username and password, Google will also text you a one-time use code. This code must be sent to your phone. They can send it via text or via phone call. This way, even if someone managed to intercept your password, unless they also managed to steal your phone, they won’t be able to get into your account.

This process actually doesn’t interfere with your workflow very much. Google has the ability to trust a computer. That means that after logging in with 2-step verification once, you can choose to have Google remember that computer for future reference. You’ll only have to do the 2-step verification once every 30 days per computer.

This 2-step verification process applies to all your Google account applications, including Gmail, Google Docs, Google AdWords and more.

Here’s how to set up 2-step verification for your Google account.

Step 1: Start the Process

To get started, go to this link: http://www.google.com/accounts/SmsAuthConfig

You may have to log in to your Google account. Once you’re inside, click “Start Setup.”

Step 2: Call or Text You

The next step is for Google to call or text you. Just enter your phone number in the “Phone Number” box and select whether you want a text or voice call.

Step 3: Enter Verification Code

Enter the verification code you got from the phone call or from the text.

Step 4: Trust Your Computer

Do you trust the current computer you’re on? Is it yours and yours alone? If so, check the “Trust this computer” button. This will prevent you from having to use 2-step verification for 30 days on this computer.

Step 5: Confirm

Confirm that you do indeed want to turn on 2-step verification.

Once you hit confirm, you’ll see a screen confirming that 2-step verification is on.

Congratulations! Your account is now secured by 2-step verification.

Step 6: Logging In

Next time you need to log into your Google account, you’ll be prompted for your password like usual.

However, upon entering your password, you’ll then be prompted to verify by phone if you’re on an untrusted computer.

That’s all there is to it! You now know how to turn on 2-step verification for your Google account. You’ll be able to protect your all-important email inbox, as well as your other Google services from hackers. With 2-step verification on, it’s extremely difficult for outsiders to break into your account.

Weekly, Monthly and Quarterly Security Checklists

Keeping your business secure isn’t something you do just once. Instead, it’s a series of habits you develop that allow you to secure your business continually against potential threats that arise.

One of the most important things for online security is constant vigilance. If you start off with really good security habits but let them slide after a few months, new vulnerabilities will appear that intruders can take advantage of.

So how do you keep your business secure? Here is what you need to do on a weekly, monthly and quarterly basis.

Weekly Checklist

Check your server logs for intrusions
Check your server log for port scans, unusual activity or logins by unauthorized users.

Update your anti-virus and anti-spyware software
Have these installed on all company PCs, including personal computers and laptops.

Scan your PCs for Trojans, malware and other viruses
Regular scanning will prevent the majority of malware and trojan related issues.

Check for patches on your server software
Your server software is one of the most important pieces of software. Update or patch it the moment any new updates are released.

Check for patches and updates on all software, including plugins & themes
Often, attackers get in through vulnerabilities in plugins, themes and other outside extensions. Check for updates on these to make sure they can’t get in through these back doors. Many systems, like WordPress for example, allow you to check for updates on all your plugins in one screen.

Check for OS updates on your personal computer
If Windows or Mac OS is indicating that you should update your operating system, do so.

Make a Dropbox, Google Drive or similar type of backup of your PC
These should be running in the background at all times backing up all your most important data.
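As an added example (not from the original checklist) of the first weekly item, this Python script reviews constructed sshd-style log lines for two of the signs named above: repeated failed logins from one address and successful logins by accounts that are not on your authorized list. The sample lines, the host name, the addresses (documentation ranges) and the `AUTHORIZED_USERS` set are all made up for the demonstration.

```python
import re
from collections import Counter

# Constructed sample log lines in the usual sshd format; the host, users and
# addresses are made up for this example.
SAMPLE_LOG = """\
Mar  3 02:14:07 web1 sshd[2211]: Failed password for root from 203.0.113.9 port 51122 ssh2
Mar  3 02:14:09 web1 sshd[2211]: Failed password for root from 203.0.113.9 port 51123 ssh2
Mar  3 02:14:11 web1 sshd[2211]: Failed password for admin from 203.0.113.9 port 51124 ssh2
Mar  3 02:14:13 web1 sshd[2211]: Failed password for invalid user test from 203.0.113.9 port 51125 ssh2
Mar  3 02:14:15 web1 sshd[2211]: Failed password for admin from 203.0.113.9 port 51126 ssh2
Mar  3 08:01:40 web1 sshd[2390]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Mar  3 09:12:03 web1 sshd[2451]: Accepted password for oldcontractor from 203.0.113.9 port 51390 ssh2
Mar  3 10:00:00 web1 sshd[2500]: Failed password for deploy from 198.51.100.20 port 40100 ssh2
"""

# The accounts that are allowed to log in to this server (assumed for the example).
AUTHORIZED_USERS = {"deploy"}

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_auth_line(line: str):
    """Return the fields of one sshd login event, or None for unrelated lines."""
    match = AUTH_RE.search(line)
    return match.groupdict() if match else None


def review_logins(log_text: str, authorized_users, failure_threshold: int = 5) -> dict:
    """Summarise the login events in log_text.

    password_guessing: addresses with at least failure_threshold failed logins
    unauthorized_logins: (user, address) pairs for successful logins by accounts
                         that are not in authorized_users
    """
    failures = Counter()
    unauthorized = []
    for line in log_text.splitlines():
        event = parse_auth_line(line)
        if event is None:
            continue
        if event["result"] == "Failed":
            failures[event["ip"]] += 1
        elif event["user"] not in authorized_users:
            unauthorized.append((event["user"], event["ip"]))
    guessing = sorted(ip for ip, count in failures.items() if count >= failure_threshold)
    return {"password_guessing": guessing, "unauthorized_logins": unauthorized}


if __name__ == "__main__":
    report = review_logins(SAMPLE_LOG, AUTHORIZED_USERS)
    for ip in report["password_guessing"]:
        print(f"repeated failed logins from {ip}")
    for user, ip in report["unauthorized_logins"]:
        print(f"login by unauthorized account {user!r} from {ip}")
```

Run it against your real auth log (for example `/var/log/auth.log` on Debian-style systems) by reading the file into `review_logins` in place of `SAMPLE_LOG`, and keep the authorized set in step with the accounts you actually issue.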

Monthly Checklist

Check your customer emails for reports of phishing attempts
If you’re under a phishing attack, often a large number of your customers will receive bogus emails at once. If you start hearing about such an attack, you may want to send an email out to your customers letting them know what’s going on.

Check computer security blogs and newsgroups for updates on recent exploits
Especially check for any new worms, trojans, malware, viruses or exploits that target your specific software, server version or configuration.

Make a digital backup of your company’s most vital data
Automated services can make this backup process easy. Make sure you don’t transmit highly sensitive data unencrypted, or store unencrypted sensitive data on other people’s servers.

Remove unnecessary accounts (old customers, fired employees, etc.)
This should be done immediately after an account goes inactive. However, it’s still good to get in the habit of scanning for inactive accounts every month. If inactive accounts are left in place, they can become footholds for intruders to use to gain more information and access.

Check for updates on your browser
Browsers can get hacked too. If there are updates on Chrome, Firefox or Internet Explorer, update them as soon as possible.

Background check any new employees
Often, intrusions come not from the outside, but from employees. Check to make sure your employees don’t have dubious histories before allowing them access.

Check your firewalls
If any ports were opened for any applications no longer in use, close them.

Quarterly Checklist

Change your wireless passwords
This is especially important, as just about anyone who’s been in your office in the last quarter will have access to these passwords.

Change your passwords on all accounts
This includes both personal accounts and business accounts.

Check your file permissions
Check the permissions on the files on your server.

Check all forms and scripts for possible MySQL injection attacks and scripts-against-the-server attacks
This is best done when writing the scripts in the first place. However, it still pays to double check, especially if you have new scripts that interact with old ones.

Make a hard copy backup of all your most vital data
If possible, store the data off-site to protect against disasters.

Check the auto-run programs that start up every time you boot your computer
Viruses and spyware often hide out in the auto-run menus. They want to boot up every time your computer starts.

Update your Gmail or other webmail’s account recovery options
If you have an old phone number on your 2-step verification, or if your backup email address is wrong, update those settings.