Worried about hackers

[focus]

I want to launch a business website and promote it online and offline but I am scared that from too much exposure it will attract hackers which will then ruin the website and it's credibility.
As the business is really new there is currently no income and I cannot afford to have a Security Specialist monitor the site on a fulltime basis. I'm also assuming they are very expensive to hire....

How do people usually deal with situations like this?

I thought of the possibility of kinda employing a security person as a 'standby' who i contact if the website is hacked and they fix it right away and I only pay them then? Do people do jobs like that?

Any other idea's?

Many Thanks in advanced.

 

[descalzo]

Use quality software. Google the software's security reputation. Make sure it stores sensitive information securely.

If it is not free (and there is good free software), pay for it. Using hacked software will get you hacked. That goes for things like FTP clients too.

Read up on the software's site about "hardening" your site. Use secure usernames/passwords, not "admin" and "ninja". The same goes for the username/password for your hosting. Use a dedicated email (gmail, hotmail, yahoo) account for correspondence.

Make backups. Store them on your computer, not on your site.

Don't give you username/passwords to anybody.

 

[gflash76]

I agree, make backups, but account names and passwords of the like should be stored on a USB flash drive with a hard copy printed and stored within yourself. Security goes a long way. Always use a mix of Capital and lowercase letters with at least two symbols (when applicable) and 3 digits.

 

[misson]

Hard copy printouts are a potential security breach. Instead, passwords should be stored in an encrypted keychain, which then can be copied to that flash drive. For Windows, two good keychain programs are Password Safe (Bruce Schneier approved) and KeePass. Macs come with a built-in keychain app, Keychain Access. For Linux, KeePass branched awhile back to the cross-platform KeePassX, and there are a number of programs that support the Password Safe keychain format.

 

[grimfusi]

Nobody has mentioned that you should probably change your admin login credentials every thirty days or so. Used in conjunction with KeePass or PasswordSafe as mentioned earlier, I'd also recommend creating strong passwords that have little or nothing to do with your personal information.

On another note, ensure you not only make a public_html file backup of your site, but also include backups of MySQL databases. There's nothing more frustrating than restoring or moving a site backup and realizing you just lost entire MySQL databases and all the information they contained.

If you do get hacked, ensure that you update any CMS or forum software you're running after restoring backups. Updating may be enough to patch exploits the hacker used to gain access to your account, and unless you're familiar with PHP, MySQL, and server security, it's probably about all you can do.

You should understand how hackers operate, too. They usually don't just pick a site at random and hack it. They're either after client information or a personal vendetta. If you don't want to be a victim of a hacking attempt, keep all of your client information elsewhere. Use paypal or some other reputable third-party service to complete credit card transactions and make it known that no credit card information is either stored or saved locally. Keep user registration data to a bare minimum; addresses and telephone numbers shouldn't be required fields for user registration. In other words, you can lessen the chance that you'll get hacked by keeping unnecessary personal information out of your local MySQL databases.

By "personal vendetta", I mean many script kiddies and some hackers will purposely attack your webhost if you've crossed them online. If you have a website, it's probably not a great idea to trash talk other players in MMORPGs, online games, users in chat rooms, or forums. Sore losers often turn to script kiddy antics to get even, and although most hackers operate by ethical standards that prevent them from attacking people over petty online squabbles, black hats don't really follow rules.

Hope that helped?

 

[misson]

You should understand how hackers operate, too. They usually don't just pick a site at random and hack it. They're either after client information or a personal vendetta.

Some hackers will also target vulnerable sites (as identified by e.g. google searches) as an exercise, or as a platform to launch further attacks.

 

[rajdeep01]

I agree, make backups, but account names and passwords of the like should be stored on a USB flash drive with a hard copy printed and stored within yourself.

 

[jayanta1]

There are six big hacking threats facing IT today. Hackers are a problem for nearly all organizations. To stay ahead of the hackers, we have to move beyond securing network perimeters and physical devices to securing data. TO save your sites from hackers use encryption software. Indeed, encryption is one of the most important keys to neutralizing the hacker problem. But even encrypted data can leak. You have take some steps to solve this hacking problems, like:-

1. Ensure both your site and database are backed up on your server and remotely. You need to be equipped to grab those backups and have them restored quickly.
2. Make sure the password you use is different everywhere. This is very important so don’t get lazy here.
3. Ensure your user’s passwords or any highly sensitive information be encrypted in the database.
4. Make sure your hosting provider has some type of firewall software running.
5. Make sure your programmers are preventing against SQL injection, the most common type of attack.

 

[essellar]

3. Ensure your user’s passwords or any highly sensitive information be encrypted in the database.

Encrypt sensitive information, yes, but never encrypt user passwords for storage on your server(s).¹ If you can determine what the password is without looking at what the user is entering while it's being entered, you're doing it wrong. The problem with password encryption is that all of the secrets required for decryption are available. (Always assume that if your site is cracked, they've gotten everything.) With a proper hashing or key-generation scheme, even you don't know all of the secrets—all you have is a way to determine whether or not the user possesses the piece you're missing. I've written about this several times here before, including in this thread and this one. I'd actually suggest using a pepper as well as a salt². But that's outside of the scope of this question; the main worries seem to be defacement, script injection and that sort of thing.

___________________________________________________________________________________
¹ Of course, that doesn't mean "don't encrypt drives/databases containing password hashes", just that encryption is the wrong paradigm for password security at the server level.

² The "salt" being a unique-per-user value stored in the database along with the hash and the "pepper" being a high-entropy server secret stored elsewhere. In the event that the database goes astray but the code remains secure, brute-forcing the passwords is still impossible until the pepper has been cracked.