Security was Re: Guidance with PHP form to email script

by Kathy Wheeler <kathyw(at)home.albury.net.au>

 Date:  Thu, 20 Nov 2003 15:11:39 +1100
 To:  Mamie <seller(at)sellerdoor.com>,
hwg-techniques <hwg-techniques(at)hwg.org>
 References:  awebresource net sellerdoor
On Thursday 20 November 2003 12:57, you wrote:
> But how secure is it, Kathy, if it weren't on their own server,
> assuming that the info is extremely sensitive?

I'm no security expert, but my other half is almost a doom-and-gloom advocate 
when it comes to computer security. He is of the school of thought that holds 
that to completely secure data, you should not keep it on any computer, in 
fact, put it in a fire-proof safe and lose the keys ;-)

Seriously, it's all a matter of risk, and deciding what is an acceptable risk.

Your own network is only as secure as you make it. Machines outside your 
network are beyond your control. Not only can they be compromised if their 
security and admin is not good, but data going between networks can be 
intercepted. Just try a traceroute from your own server to your clients and 
see how many places data has to bounce to-and-from to get between you.

You can make it harder for sniffers by using secure servers and encryption, 
but that won't stop someone who is really determined, just slow them down.

It basically boils down to how sensitive your data is, and how worthwhile 
it would be for someone to try to intercept it. For most businesses, their own 
internal staff have proven to be the weakest link (disgruntled or 
light-fingered current or ex-employee, or just plain carelessness).

There are some common-sense things we can do though. SSL should be used on 
anything even slightly sensitive (credit cards etc) but it's not infallible. 
Monitor your network for security exploits or unusual activity constantly and 
keep it patched. Encourage your clients to do the same. 

Use caution and vigilance with sensitive data. Always monitor and double check 
any credit card you use yourself whether it's on the net or not. If you 
collect really sensitive data on other people, do not keep it on a networked 
server unless absolutely necessary. Make sure any machine holding sensitive 
data is firewalled at the very least. (no network card is a fairly good 
firewall ;-)

It's a risk, I think most of us realise that, and we do what we can and 
otherwise live with it.

Mind you, I'm no security expert. If you need security advice, you should go 
and get a security audit and a professional opinion.

Cheers,
KathyW.

HWG hwg-techniques mailing list archives, maintained by Webmasters @ IWA