Security was Re: Guidance with PHP form to email script
by Kathy Wheeler <kathyw(at)home.albury.net.au>
Date: Thu, 20 Nov 2003 15:11:39 +1100
To: Mamie <seller(at)sellerdoor.com>, hwg-techniques <hwg-techniques(at)hwg.org>
References: awebresource net sellerdoor
On Thursday 20 November 2003 12:57, you wrote:
> But how secure is it, Kathy, if it weren't on their own server,
> assuming that the info is extremely sensitive?
I'm no security expert, but my other half is almost a doom-and-gloom advocate
when it comes to computer security. He is of the school of thought that holds
that to completely secure data, you should not keep it on any computer; in
fact, put it in a fire-proof safe and lose the keys ;-)
Seriously, it's all a matter of risk, and deciding what is an acceptable risk.
Your own network is only as secure as you make it. Machines outside your
network are beyond your control. Not only can they be compromised if their
security and admin is not good, but data going between networks can be
intercepted. Just try a traceroute from your own server to your clients and
see how many places data has to bounce to-and-from to get between you.
You can make it harder for sniffers by using secure servers and encryption,
but that won't stop someone who is really determined, just slow them down.
It basically boils down to how sensitive your data is, and how worthwhile
it would be for someone to try to intercept it. For most businesses, their own
internal staff have proven to be the weakest link (disgruntled or
light-fingered current or ex-employee, or just plain carelessness).
There are some common-sense things we can do though. SSL should be used on
anything even slightly sensitive (credit cards etc) but it's not infallible.
Monitor your network for security exploits or unusual activity constantly and
keep it patched. Encourage your clients to do the same.
Use caution and vigilance with sensitive data. Always monitor and double check
any credit card you use yourself whether it's on the net or not. If you
collect really sensitive data on other people, do not keep it on a networked
server unless absolutely necessary. Make sure any machine holding sensitive
data is firewalled at the very least. (no network card is a fairly good
firewall ;-)
It's a risk, I think most of us realise that, and we do what we can and
otherwise live with it.
Mind you, I'm no security expert. If you need security advice, you should go
and get a security audit and a professional opinion.
Cheers,
KathyW.
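As an added illustration, not part of Kathy's message or of the HWG archive: the two concrete points above (use SSL for anything like a credit card, and don't keep really sensitive data on a networked server unless you must) can be applied inside the form-to-email handler itself. The sketch below is a WSGI-style Python handler with hypothetical names; it refuses sensitive fields unless the request arrived over HTTPS, and masks the card number so the full number never reaches the outgoing mail or any log kept on the server.

```python
"""Hypothetical form-to-email handler (added example, not from the thread).

Two defensive rules are enforced before anything is mailed or logged:
1. Fields listed in SENSITIVE_FIELDS are only accepted over HTTPS.
2. The full card number is never forwarded; only the last four digits survive,
   and the CVV is dropped entirely (it should never be stored or mailed).
"""
import re

# Form field names treated as sensitive (assumption for this example).
SENSITIVE_FIELDS = {"card_number", "card_cvv"}


def is_https(environ):
    """True if the WSGI server reports the request came in over TLS.

    Only the scheme reported by the server itself is trusted here; a
    proxy-supplied X-Forwarded-Proto header would need its own validation.
    """
    return environ.get("wsgi.url_scheme", "").lower() == "https"


def mask_card(number):
    """Keep only the last four digits of a card number, e.g. '****...1111'."""
    digits = re.sub(r"\D", "", number)
    if len(digits) < 4:
        return "****"
    return "*" * (len(digits) - 4) + digits[-4:]


def build_message(environ, fields):
    """Return (status, text) for the email body.

    status is 'reject' when sensitive fields were submitted over plain HTTP
    (nothing should be mailed or written to disk), otherwise 'ok'.
    """
    if not is_https(environ) and SENSITIVE_FIELDS & fields.keys():
        return "reject", "sensitive fields refused over plain HTTP"

    lines = []
    for name, value in fields.items():
        if name == "card_cvv":
            continue  # never forward or retain the CVV
        if name == "card_number":
            value = mask_card(value)
        lines.append(f"{name}: {value}")
    return "ok", "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample submissions, not real data.
    form = {"name": "A. Customer", "card_number": "4111 1111 1111 1111", "card_cvv": "123"}
    print(build_message({"wsgi.url_scheme": "http"}, form))
    print(build_message({"wsgi.url_scheme": "https"}, form))
```

The masking step is what keeps the "do not keep it on a networked server" advice workable for a script whose whole job is to mail form data: the mail, the mail server's queue and any debug log only ever see the masked value.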
HWG hwg-techniques mailing list archives,
maintained by Webmasters @ IWA