Subscribe to Entrepreneur for $5

Internet Security Expert Mark S. Merkow

Prevent intruders from hacking into your site.

Opinions expressed by Entrepreneur contributors are their own.

The Complete Guide To Internet Security With all the news about viruses and hackers destroying company networks and crashing computer systems, many small-business owners are left wondering when their business will be affected. Fortunately, there are precautions that can be taken. In The Complete Guide To Internet Security by Mark S. Merkow and James Breithaupt, you'll find everything you need to know to create a solid security plan and protect against no-good hackers and infectious viruses. Read on as Merkow discusses approaches to Internet security, tips on protective measures and how exactly a hacker attempts to wreak havoc on your site. What kind of a security policy should an online business set up?

Mark S. Merkow: There are two approaches to security: Prohibit everything that isn't expressly allowed or permit everything that isn't expressly denied. Universities and other types of academic organizations adopt the latter one because it's more reflective of an open network. But a business absolutely must adopt the first one-prohibit everything that is not expressly allowed. What that means is [you have to] look at the entire operation, wherever there's Internet traffic coming in, and carefully decide what services you want to make available on network devices.

"What you're protecting against are people looking for vulnerabilities. They're looking for ways to attack where the corporate jewels reside-that's typically in the database systems."

For example, file transfer protocol has a lot of known vulnerabilities and if it's not needed or it's only needed rarely, it should be turned off. The same goes with other services like network file system (NFS), which has a lot of known problems. If it's not being used throughout a particular area of the network, then turn it off. Carefully review everything, business-processwise, to determine what's safe to do and what's risky. Once you decide on that, you can look at protective measures. Where's the best place to start? What's the first thing you should probably address when setting up your security policy?

Merkow: Start with a review of all the major components of the work that you do. This will vary by type of business. For example, let's say you're a wholesaler of goods that are purchased and resold. Then you would look at the order entry process very carefully to see what kind of traffic is permissive for that type of requirement through the Internet-the shopping and buying aspects. Then you need to look at where that payment data is going as well as the data moving into shipping systems, accounting systems, accounts payable systems and so on. Basically, it's end-to-end. Start at the beginning, and look very carefully at every step along the way where data is flowing. What kinds of things should business owners protect against and how do they do this? What tools would they use?

Merkow: What you're protecting against are people looking for vulnerabilities. They're looking for ways to attack where the corporate jewels reside-that's typically in the database systems. A hacker will look around for the publicly accessible Web areas, and then start poking holes to see what else is happening on the network behind it. As they find interesting things to do with that or interesting places to search, they'll start to take over a box and raise their privileges until they get to the point where they're system administrator on that particular server. Once they gain control of that, they basically have access to everything on that network, and everything on that network becomes vulnerable. What they're really looking for are credit card records or other valuable data that they could use to exploit, sell or to simply prove they were able to do it.

To avoid this, you must first understand what those threats are. A lot of people are unaware of or ignorant to the fact that there are a lot of nasty people out there looking to do bad things. So it begins with an awareness of that, and then there's several ways to use technology and network architecture to prevent most problems from occurring-basically nipping them in the bud at the firewall so nothing that is not permitted can come into the network. How do small-business owners put these things up on their site? Usually the typical small-business owner doesn't know much about this, so where would they go to find help?

Merkow: Typically, the systems and architectures needed to do this safely are too expensive for most small businesses until they become a medium-sized business, and then the volume makes it worthwhile. Their best bet is to work their way into a commerce service provider (CSP), such as IBM Global Services, UUNET and Exodus, that does this for many different companies and does it very well. Is there a central listing for CSPs?

Merkow: There's a whole library of commerce service providers at How do you protect against potential threats to your system?

Merkow: There are common ways to protect against them using up-to-date intrusion detection systems, for example. They record signatures or patterns of known threats and vulnerabilities, and any time they come in through the routers they're detected by the system. The system either notifies somebody that they're under attack or simply shuns those network packets coming in from the source and prevents that particular attacker from doing any damage because it kills their connection as soon as they try to do it.

Virus protection is also crucial. With the Internet, a lot of times people are finding different ways of delivering payloads for viruses. Through JavaScript, you can force somebody to download something or convince them that they absolutely have to have this particular program and it turns out to be Trojan horse.

Some companies route their e-mail through a value-added network; IBM Global Services and Worldtalk provide this option. They'll scan incoming messages for you before they get into your mail servers and quarantine questionable messages.

Entrepreneur Editors' Picks