This section is about the security risks that affect a website, as well as related matters such as the protection of data stored on the website and compliance with the Data Protection Act. This article is divided into two main sub-sections: the Data Protection Act 1998 and the Misuse of Computers Act 1990.
The Data Protection Act is “An Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information”. It is a statutory act which covers data about living people stored in a computer or organised filing system. It sets out rules that people have to follow, and has an Information Commissioner to enforce them. The Data Protection Act can be divided up into three main roles: the Information Commissioner, the Data Controller and the Data Subject.
The Information Commissioner. The job of the Information Commissioner, and their office, is to regulate and enforce the act. All data controllers, whether individuals or companies, wishing to store information about individuals are required to register with the Information Commissioner, and they must declare what data they intend to store and how it will be used. Every entry a data controller makes in the register must contain the following:
- The data controller's name and address.
- A brief description of what data is to be stored.
- The intended use for the data.
- Whether or not the data controller intends to share the data gathered with third parties.
- Whether or not the data controller will transfer the data to locations outside the United Kingdom.
- An outline of how the data controller will keep the data safe and secure.
The data subject is the individual who will have data about them stored by the data controller. For example, to sign up for an account with Google you must give them information about yourself, such as names, addresses and phone numbers. Personal data is data which is confidential to the individual, and therefore proper countermeasures must be taken by the data controller to prevent unauthorised access. There are two types of personal data: personal data and sensitive personal data. Personal data could include the data subject's name or address, or even medical or banking details. Sensitive personal data includes religion, racial or ethnic origin, criminal record, health and so on. Normally there are fewer safeguards in place to protect personal data than there are to protect sensitive personal data; however, all personal data is protected.
There are eight principles that data controllers must abide by for the personal data that is stored and processed:
- All data must be collected fairly, with respect to all local and national laws.
- The data must only be used and held for the specific reasons given to the data controller.
- It can only be used for the purposes registered in the register entry and only disclosed to the people named in the entry. Data must not be given away or sold unless it was collected for that purpose and both the Information Commissioner and the data subject are aware.
- The information must be relevant to the purpose outlined in the register, and the controller must not ask for excessive amounts of data.
- The data must be kept accurate and up to date.
- The data must not be kept longer than necessary, and when the data subject requests that the data is removed it should be deleted. Data about subjects should not be kept indefinitely.
- The information must be kept secure and safe from unauthorised access, such as by hackers. This also includes keeping data backed up to prevent data loss.
- Data must not be transferred to places outside of the European Economic Area unless the country the data is being transferred to has suitable data protection laws.
The data subject has numerous rights which protect them from data collectors and from misuse of their personal data. The rights listed below only apply if you know who has data stored about you, and some data controllers are exempt from the act.
- Right of Subject access
The data subject has a right to see all data stored about them; however, the data controller has the right to charge for this service, usually about £10.
- Right of Correction
The data subject may force a data controller to rectify any or all mistakes in the data held about them, such as a change of name or address.
- Right to Prevent Distress
The data subject has the right to halt and prevent the use of their data if it would be likely to cause them distress.
- Right to Prevent Direct Marketing
The data subject has the right to stop their data being used in attempts to sell them things directly, through cold calling or junk mail.
- Right to Prevent Automatic Decisions
A data subject has the right to prevent the data controller from making automated decisions about them, whether through a computer system or otherwise, such as automatically opting the subject into services they do not want.
- Right of Complaint to the Information Commissioner
The data subject has the right to complain about the practices used by the data collector, and to have the use of their personal data reviewed by the Information Commissioner, who can enforce a ruling using the DPA. The Information Commissioner has the right to inspect the computers of the data collector if it aids the investigation.
- Right to Compensation
The data subject has the right to use the law to obtain compensation for damage caused to them if their data is lost, inaccurate, stolen, or shared with other parties without their permission.
There are a few exemptions to the Data Protection Act, which comprise complete exemptions and partial exemptions, where the data subject's data is not covered by the DPA. Complete exemptions mean that any data held for a national security reason is not covered. Essentially, MI5 and MI6 do not have to follow the rules; however, they do require a Government Minister to certify that they are exempt. Similarly, personal data held for domestic purposes, such as a list of friends' birthdays, is exempt from the DPA and does not have to comply with the act. Partial exemptions are where personal data is only partly covered by the DPA. For instance, criminals cannot see their criminal record, and a school pupil has no right to view their personal files or exam results before publication.
The Misuse of Computers Act 1990 is a statutory act concerning the misuse of computers, namely hacking, or cracking as some people prefer to call it. The Misuse of Computers Act has the following offences:
- Unauthorised access to computer material.
- Unauthorised access with intent to commit or facilitate (another) crime.
- Unauthorised modification of computer material.
- Making, supplying or obtaining anything which can be used in computer misuse offences.
The Misuse of Computers Act sets out the illegality of hacking/cracking, but as a website owner you also need to be aware of the methods hackers use against your website. A DDoS, or Distributed Denial of Service, attack is where a hacker, using a network of compromised computer systems (often referred to as a botnet), attempts to overwhelm a network or web server by flooding it with requests until it crashes. Granted, the impact depends on the company: a large web company such as Google would be practically impossible to knock offline, although it is still possible. Over the new year the PC game platform Steam felt the strain of a DDoS attack and was periodically crashing. DDoS attacks are often carried out as hacktivist demonstrations, such as taking down the FBI's main website; however, some hackers attack for the fun of it, making any website a potential target. In the case of http://webtech.mavieson.co.uk, it resides on shared hosting, so if a hacker were to target it, or any other website on the same server, or possibly even the same data centre, then it may knock the website offline. The good thing, however, is that DDoS attacks are normally temporary, and once one ends there is not usually any long-term damage.
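One thing a site owner on shared hosting can do about the flooding described above is to notice it early from the server's own access log. The script below is an added example, not code from the original page: it parses access-log lines in the common Apache/Nginx format, keeps a sliding window of request times per source address, and reports any source that exceeds a request limit inside the window. The log lines, the 10-second window and the limit of 20 requests are constructed assumptions; a real site would tune them to its normal traffic and then use the report to decide what to rate-limit or block.

```python
"""Spot sources flooding a web server from its access log.

Added example (not code from the original page). The log lines are
constructed for illustration, and the window and threshold are assumptions
a site owner would tune to their own traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common/combined access-log format: client IP, identity, user, [timestamp],
# "request line", status, size. Only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request line), or None for a line that is not a request."""
    match = LOG_RE.match(line)
    if not match:
        return None
    return match.group("ip"), datetime.strptime(match.group("ts"), TS_FORMAT), match.group("req")


def find_flooders(lines, window_seconds=10, max_requests=20):
    """Return {ip: peak requests in any window_seconds span} for sources over the limit.

    Each source keeps a sliding window of its recent request times; the moment
    a window holds more than max_requests entries the source is recorded with
    its peak count. Each source's lines are assumed to be in time order, as
    they are in a log file.
    """
    windows = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # malformed or non-request line
        ip, ts, _ = parsed
        window = windows[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()              # drop requests older than the window
        if len(window) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(window))
    return peaks


def constructed_log():
    """Constructed sample: 203.0.113.7 sends 30 requests in 5 seconds (a flood),
    198.51.100.4 sends 3 requests over 9 seconds (a normal visitor)."""
    lines = [
        f'203.0.113.7 - - [01/Jan/2014:00:00:{i // 6:02d} +0000] "GET / HTTP/1.1" 200 512'
        for i in range(30)
    ]
    lines += [
        f'198.51.100.4 - - [01/Jan/2014:00:00:{i * 3:02d} +0000] "GET /contact HTTP/1.1" 200 2048'
        for i in range(3)
    ]
    lines.append("not an access-log line at all")
    return lines


SAMPLE_LOG = constructed_log()

if __name__ == "__main__":
    for ip, peak in find_flooders(SAMPLE_LOG).items():
        print(f"{ip}: {peak} requests inside a 10 s window (limit 20)")
```

A genuine distributed attack spreads the load over many addresses, so each one may stay under a per-source limit; running the same sliding window over the total request rate, and comparing it with the site's usual rate, is the complementary check.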
As the owner of a web domain you have to be aware that your details are public record, which is why it is advisable to use a PO Box address, and possibly an alias, when purchasing your domain, or even to register through a third-party agency. This is a possible vulnerability for the website owner, as their name and address can be found using a simple whois lookup, which opens the possibility of identity theft.
This website has a contact-us form which feeds into a Google Docs spreadsheet. All documents on Google's servers are encrypted and backed up on a regular basis. To protect this document from unauthorised use I use not only a strong password but also two-step authentication tied to my phone in order to log in. Google Forms automatically generates an entry such as the one below, which is only accessible by myself.
Strong passwords are passwords of sufficient complexity to resist guessing and “brute-force” attacks. Strong passwords are typically over 8 characters long and contain a mix of uppercase letters, lowercase letters, numbers and symbols. The most secure passwords are long passwords that do not form any word, such as “b3Lv6EA6S8uZg”, and are not common poor passwords such as “password”, “12345678”, “god”, “love”, “secret” etc.
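The rules in that paragraph can be turned into a check that a sign-up form runs before accepting a password. The script below is an added example, not code from the original page: it rejects passwords on a blocklist (and common passwords with a trivial suffix such as “Secret!”), enforces a minimum length, counts character classes, and gives a rough brute-force estimate in bits. The blocklist is a constructed sample built from the weak passwords the text names, and the thresholds are assumptions: the minimum length is 8, and because the page's own strong example “b3Lv6EA6S8uZg” has no symbol, three of the four character classes are accepted.

```python
"""Check a candidate password against the rules in the paragraph above.

Added example, not the page's own code. The blocklist is a small constructed
sample built from the weak passwords the text names; a real deployment would
load a much larger list, such as a published breached-password corpus.
"""
import math
import string

COMMON_PASSWORDS = {"password", "12345678", "god", "love", "secret", "qwerty", "letmein"}
MIN_LENGTH = 8          # the text's "over 8 characters" taken as a minimum of 8 (assumption)
MIN_CLASSES = 3         # the page's example "b3Lv6EA6S8uZg" has no symbol, so three
                        # of the four classes are accepted here (assumption)


def character_classes(password):
    """Return which of {lower, upper, digit, symbol} the password contains."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def estimate_bits(password):
    """Rough brute-force resistance: log2(alphabet_size ** length).

    This assumes an attacker who knows which character classes are in use and
    tries every combination; it says nothing about dictionary words or reuse,
    which is why check_password() applies the blocklist separately.
    """
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
    alphabet = sum(sizes[c] for c in character_classes(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password):
    """Return the reasons a password is weak; an empty list means it passes."""
    reasons = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        reasons.append("matches a common password")
    else:
        # "password1" or "Secret!" are still common passwords, just with a suffix.
        stripped = lowered.rstrip(string.digits + string.punctuation)
        if stripped in COMMON_PASSWORDS:
            reasons.append("common password with a trivial suffix")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    found = character_classes(password)
    if len(found) < MIN_CLASSES:
        reasons.append(f"only {len(found)} of 4 character classes (need {MIN_CLASSES})")
    return reasons


if __name__ == "__main__":
    for candidate in ["password", "12345678", "Secret!", "b3Lv6EA6S8uZg"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {estimate_bits(candidate):.0f} bits, {', '.join(verdict)}")
```

The bit estimate is deliberately an upper bound: a 13-character mixed password scores around 77 bits against exhaustive guessing, but a dictionary word of the same length scores the same and is guessed in seconds, which is why the blocklist check comes first.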
Many web servers run a Linux server OS, which does not require any form of antivirus software, making it cheap and secure to maintain. Microsoft servers, on the other hand, do require antivirus, as, like all Microsoft OSs, they are plagued with viruses. This makes hosting on Microsoft-based servers often more expensive than its Linux counterparts. The only reason for choosing to host on a Microsoft server over Linux is if you are using ASP.NET for your website, which I would not recommend; instead use the free, open-source, and often more powerful counterparts.
A firewall is a system put in place to prevent unauthorised access to a private network such as a LAN, usually from a WAN such as the Internet. Firewalls are implemented in both software and hardware, but usually a combination of both. There are three main methods a firewall uses. Firstly, packet filtering is where packets are analysed against a set of filters provided by the firewall company's database. All packets which don't pass the filters are discarded, and all that do are sent on to the requesting system or application. A proxy service is classed as a type of firewall and acts as a middleman: all data is routed through the firewall, retrieved by the firewall, and then sent on to the system.
A newer type of firewall is stateful inspection. Instead of scanning the entire contents of every packet, it compares key parts of the packet to a trusted database. Outbound traffic is scanned for specific defining characteristics, which are then compared to incoming traffic. If the incoming traffic does not reasonably match, the data is discarded; otherwise the traffic is allowed through.
Firewalls are heavily customisable and come with many options. A firewall can be configured to refuse connections from a specific IP address, and can block all traffic coming to or from a certain IP address if required. Firewalls can also be used to block protocols: for instance, if a company doesn't want its employees to be able to use FTP to transfer files, it could block it in the firewall. A common use for a firewall is to block ports. Open ports are dangerous as they are a weak spot for hackers to exploit; servers do, however, require some ports to be open in order to operate. On Microsoft machines, to use Remote Desktop, port 3389 must be open in the firewall. In Linux environments, in order to use SSH to remotely manage a computer, port 22 must be open.
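The three firewall behaviours just described (filtering packets against rules, blocking by address, protocol or port, and stateful inspection of replies to traffic the LAN sent out) fit in one small model. The code below is an added example and a simulation, not a real firewall or any product's rule syntax: rules are checked in order with the first match winning, the default is deny, and inbound packets are admitted without a rule only when they answer a connection the protected host opened. The policy, the addresses (all from documentation ranges) and the packets are constructed; it shows SSH on port 22 allowed only from an admin host, Remote Desktop on port 3389 refused, outbound FTP blocked, and a web reply let back in while an unsolicited packet from the same server is dropped.

```python
"""Model of packet filtering, address/protocol/port blocking and stateful
inspection, as described in the text above.

Added example; it is a simulation, not a real firewall, and the addresses,
rules and packets are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str            # source IP
    dst: str            # destination IP
    proto: str          # "tcp" or "udp"
    sport: int          # source port
    dport: int          # destination port
    direction: str      # "in" (arriving from the WAN) or "out" (leaving the LAN)


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR the packet's source must fall in
    dport: Optional[int] = None  # destination port, or None for any port

    def matches(self, pkt):
        return (self.direction in ("any", pkt.direction)
                and self.proto in ("any", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and (self.dport is None or self.dport == pkt.dport))


def flow_key(pkt):
    """Normalise to (lan_ip, lan_port, wan_ip, wan_port, proto) so an inbound
    reply maps to the same key as the outbound request it answers."""
    if pkt.direction == "out":
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
    return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)


class Firewall:
    def __init__(self, rules, default="deny"):
        self.rules = rules
        self.default = default   # verdict when no rule matches
        self.state = set()       # flows the LAN side has opened

    def decide(self, pkt):
        """Return "allow" or "deny" for one packet, updating the state table."""
        key = flow_key(pkt)
        # Stateful inspection: a reply to a connection the LAN opened is passed
        # without consulting the rules, which is what makes "deny all inbound"
        # workable for hosts that still need to reach the Internet.
        if pkt.direction == "in" and key in self.state:
            return "allow"
        for rule in self.rules:  # packet filtering: first matching rule wins
            if rule.matches(pkt):
                verdict = rule.action
                break
        else:
            verdict = self.default
        if verdict == "allow" and pkt.direction == "out":
            self.state.add(key)  # remember the flow so its replies get in
        return verdict


# Constructed policy for a LAN host 192.0.2.5 that also runs a web server.
RULES = [
    Rule("deny", src="198.51.100.0/24"),                                       # block a whole range
    Rule("deny", direction="out", proto="tcp", dport=21),                      # staff may not use FTP
    Rule("allow", direction="in", proto="tcp", dport=22, src="203.0.113.10/32"),  # SSH, admin host only
    Rule("allow", direction="in", proto="tcp", dport=443),                     # the public web server
    Rule("allow", direction="out"),                                            # LAN may open anything else
]


def run_scenario():
    """Feed constructed packets through the policy; return the verdicts in order."""
    fw = Firewall(RULES)
    packets = [
        Packet("203.0.113.10", "192.0.2.5", "tcp", 51000, 22, "in"),    # SSH from the admin host
        Packet("203.0.113.99", "192.0.2.5", "tcp", 51001, 22, "in"),    # SSH from anywhere else
        Packet("203.0.113.99", "192.0.2.5", "tcp", 51002, 3389, "in"),  # Remote Desktop probe
        Packet("192.0.2.5", "203.0.113.50", "tcp", 40000, 21, "out"),   # outbound FTP
        Packet("192.0.2.5", "203.0.113.50", "tcp", 40001, 80, "out"),   # outbound web request
        Packet("203.0.113.50", "192.0.2.5", "tcp", 80, 40001, "in"),    # its reply
        Packet("203.0.113.50", "192.0.2.5", "tcp", 80, 40002, "in"),    # unsolicited inbound
        Packet("198.51.100.7", "192.0.2.5", "tcp", 5555, 443, "in"),    # HTTPS from blocked range
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    print(run_scenario())
```

Because the blocked-range rule sits first, it wins even for port 443, which the later rule would otherwise allow; rule order is part of the policy, and the usual practice is to put specific denies before general allows.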
A good way to protect your users online is to encrypt all the traffic between the web server and the clients. To do this, SSL and HTTPS are used. To use HTTPS (Hypertext Transfer Protocol Secure) you need to purchase an SSL certificate and have hosting which supports it. Below is a brief walkthrough of what happens when you open a secured website in a web browser.
Firstly, the web server will send its SSL certificate to the web browser. The web browser will then compare the common name in the certificate to the domain name of the web server; for example, a certificate with the common name “webtech.mavieson.co.uk” must be sent from “webtech.mavieson.co.uk”, or else the web browser will issue a warning saying the certificate cannot be trusted.
The browser will then try to verify that it can trust the certificate. This is comparable to someone making a fake ID to impersonate someone and steal their identity: someone can forge a certificate with the same common name so that it appears to be coming from your site when in fact it is not. The browser will check whether the certificate was signed by any of the certificates in its collection of trusted Certificate Authorities. If the browser doesn't find a trusted signature matching the one on the certificate, it will display a warning message to the user saying that the website can't be trusted. Once the certificate is verified, the browser will then encrypt all the data being sent and received using the public key in the certificate.
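The two checks in that walkthrough, the name comparison and the trusted-CA signature check, can be modelled in a few dozen lines, together with the expiry check browsers also make. The code below is an added example, not code from the original page: a certificate is a dict, and because real X.509 certificates are signed with the CA's private key (something the standard library cannot generate offline), the CA's signature is stood in for by an HMAC keyed with a secret only that CA holds. The CA name, keys, dates and the forged and self-signed certificates are all constructed. It shows why a forger who copies both the CA's name and the site's common name is still rejected: the signature does not verify under the real CA's key. In real TLS the certificate's public key secures the key exchange and the session itself is encrypted with a symmetric key; the model stops at the certificate checks.

```python
"""Model of the checks the walkthrough describes: does the certificate's name
match the site being visited, and was it signed by a CA the browser trusts.

Added example, not the page's code. Real certificates are X.509 structures
signed with the CA's private key. To stay self-contained and offline, this
model represents a certificate as a dict and stands in for the CA's signature
with an HMAC keyed by a secret only that CA holds; the names, keys and dates
are constructed.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone


def signed_fields(cert):
    """The bytes a CA signs: every field except the signature, in a fixed order."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(body, sort_keys=True).encode()


def issue(ca_name, ca_key, common_name, alt_names, not_after):
    """The CA named ca_name signs a certificate for common_name (plus alt names)."""
    cert = {"common_name": common_name, "alt_names": list(alt_names),
            "issuer": ca_name, "not_after": not_after}
    cert["signature"] = hmac.new(ca_key, signed_fields(cert), hashlib.sha256).hexdigest()
    return cert


def name_matches(pattern, hostname):
    """Exact match, or a single-label wildcard: *.example.com covers
    www.example.com but neither example.com nor a.b.example.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                        # ".example.com"
        label = hostname[:-len(suffix)] if hostname.endswith(suffix) else ""
        return label != "" and "." not in label
    return False


def verify(cert, hostname, trust_store, now):
    """Return the warnings a browser would raise; an empty list means the
    certificate is accepted for hostname."""
    problems = []
    names = [cert["common_name"]] + cert["alt_names"]
    if not any(name_matches(n, hostname) for n in names):
        problems.append("name mismatch")
    ca_key = trust_store.get(cert["issuer"])
    if ca_key is None:
        problems.append("issuer not trusted")
    else:
        expected = hmac.new(ca_key, signed_fields(cert), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cert["signature"]):
            problems.append("signature invalid")
    if datetime.fromisoformat(cert["not_after"]) < now:
        problems.append("expired")
    return problems


# Constructed: the key only the genuine CA holds, and the browser's trust store.
ROOT_KEY = b"constructed-secret-held-only-by-the-real-ca"
TRUST_STORE = {"Example Root CA": ROOT_KEY}
NOW = datetime(2014, 6, 1, tzinfo=timezone.utc)
SITE = "webtech.mavieson.co.uk"
EXPIRY = "2015-06-01T00:00:00+00:00"


def demo():
    """Run the browser's checks over a genuine, a mis-presented, a forged and a
    self-signed certificate, returning the warnings for each case."""
    genuine = issue("Example Root CA", ROOT_KEY, SITE, ["www." + SITE], EXPIRY)
    # A forger can copy the CA's name and the common name, but not the CA's key.
    forged = issue("Example Root CA", b"constructed-attacker-key", SITE, [], EXPIRY)
    self_signed = issue("Some Unknown Issuer", b"constructed-other-key", SITE, [], EXPIRY)
    later = datetime(2016, 1, 1, tzinfo=timezone.utc)
    return {
        "genuine": verify(genuine, SITE, TRUST_STORE, NOW),
        "wrong host": verify(genuine, "mavieson.co.uk", TRUST_STORE, NOW),
        "forged": verify(forged, SITE, TRUST_STORE, NOW),
        "self-signed": verify(self_signed, SITE, TRUST_STORE, NOW),
        "expired": verify(genuine, SITE, TRUST_STORE, later),
    }


if __name__ == "__main__":
    for case, warnings in demo().items():
        print(f"{case}: {warnings or 'accepted'}")
```

The “wrong host” case is the one the walkthrough's common-name comparison catches: the certificate is perfectly genuine, it just belongs to a different name than the one in the address bar, and a browser treats that exactly like a forgery.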