Step-by-Step Guide:

Step 1: Identify what could be Google hacked

20 Oct 2005 | SearchWindowsSecurity.com


Most Web sites of any size contain both public data and private data, but we're not worried about public data. The concern is the private data that is stored on a hidden backend page or in a backend database and is not intended to be seen by the public. Most often, the really dangerous private data consists of information about customers who have placed orders over the company's Web site, such as addresses or credit card numbers. But the concept of private data extends beyond a virtual storefront: your site's private data is anything that resides on your Web site, or that is connected to your Web site through a backend application, that you do not wish to be disclosed to the public.

You need to determine what on your Web site might be considered private. For the sake of example, I will assume that your site contains an online ordering system and that your customer information needs to remain private. I will therefore focus the rest of this article on sniffing out and protecting customer information. If your site has some other type of private information that needs to be protected, then you can adapt these same techniques to your own individual situation.

If customer information is what you want to protect, then you need to have some specific information on hand that you can search for. I recommend going through your customer database and pulling out a few names, phone numbers, addresses, etc. See my previous article on Google hack Honeypots for how to search credit card number ranges.

I recommend using data from older orders if possible because Google does not index Web sites in real time, and if your site does contain a design flaw, Google may not have indexed the data from newer orders yet. You will never find the problem if you are searching for data that hasn't been indexed.
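The selection described above can be scripted. The following is an added example, not code from the article: it pulls the oldest orders from a customer table and turns each name, address and phone number into an exact-phrase query limited to your own domain with Google's `site:` operator. The table layout, the 90-day cutoff, the domain `shop.example.com` and all sample records are assumptions constructed for illustration.

```python
import sqlite3
from datetime import date, timedelta

SITE = "shop.example.com"  # assumption: placeholder for your own domain
MIN_AGE_DAYS = 90          # assumption: the article gives no figure for "older"

def build_sample_db(today):
    """Constructed sample rows standing in for a real customer/order database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (name TEXT, phone TEXT, address TEXT, order_date TEXT)")
    rows = [
        ("Alice Example", "2025550101", "12 Sample St", today - timedelta(days=400)),
        ("Bob Placeholder", "2025550102", "34 Test Ave", today - timedelta(days=200)),
        ("Carol Constructed", "2025550103", "56 Demo Rd", today - timedelta(days=3)),
    ]
    db.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)",
                   [(n, p, a, d.isoformat()) for n, p, a, d in rows])
    return db

def phone_variants(digits):
    """A leaked page may render one number in several formats; cover each."""
    a, b, c = digits[:3], digits[3:6], digits[6:]
    return [f"({a}) {b}-{c}", f"{a}-{b}-{c}", f"{a}.{b}.{c}", digits]

def canary_queries(db, today, limit=2):
    """Pick the oldest orders past the cutoff (most likely to be indexed already)
    and build one quoted, site-restricted query per search term."""
    cutoff = (today - timedelta(days=MIN_AGE_DAYS)).isoformat()
    rows = db.execute(
        "SELECT name, phone, address FROM orders WHERE order_date <= ? "
        "ORDER BY order_date ASC LIMIT ?", (cutoff, limit)).fetchall()
    queries = []
    for name, phone, address in rows:
        terms = [name, address] + phone_variants(phone)
        queries += [f'site:{SITE} "{t}"' for t in terms]
    return queries

if __name__ == "__main__":
    today = date.today()
    for q in canary_queries(build_sample_db(today), today):
        print(q)
```

Any hit for one of these queries means a page exposing that record has been indexed; the three-day-old order is skipped because it is unlikely to have been crawled yet.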


Google hacking to test your security

 Home: Introduction
 Step 1: Identify what could be Google hacked
 Step 2: Understand your Web applications
 Step 3: Queries to Google hack your site -- Simple stuff
 Step 4: More complicated Google queries
 Step 5: Harden your Web site against Google hacks



  • ABOUT THE AUTHOR:
    Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com.
    Copyright 2005 TechTarget

