Recently, a new security issue with Linux came to light (https://nvd.nist.gov/vuln/detail/CVE-2021-3156), which could allow a user to gain root access of a server. This is using the “sudoedit” command, which is used to give users elevated privileges (but not root access) in some cases.

The first question a website / server owner should ask here is “Is my server vulnerable to this?” – if so, the next question is “who needs to fix it and how?”. In this particular case, only servers which allow normal “user” access need to be immediately concerned.

If you run / own a dedicated server with only trusted user accounts, the urgency to get patched is not as high. For sure, you should get it done, but it’s unlikely someone could exploit this bug.

If, however, you run a multi-user system with many untrusted users logging in, you probably need to act quickly. Once these bugs are revealed publicly, hackers will look to exploit them. Many hosting companies run jailed-shells, or otherwise restricted shells, so they may not be vulnerable. If you have a more vanilla Linux installation with multiple user accounts, you should get this patched.

Late last year, Target Corp. revealed a massive data breach of its systems, resulting in 70 million customer records being compromised.

Recently, they revealed that the hackers got in initially through credentials stolen from a Target vendor.  There are some lessons here for the small business owner, regarding security:

1. Many successful data breaches are accomplished through “social engineering”.  This means using non-technical means to gather sensitive data or passwords.  For instance, calling technical support and impersonating the real account holder – convincing the rep to reveal information about the account.
2. Your security is only as strong as its weakest link.  This may be your web software, your hosting provider’s security, employees, your smartphone, or the filing cabinet where you store customer information.
3. You should monitor your security regularly to prevent breaches, or catch a problem early on.

Here are a few points for reviewing your data security:

• Who has passwords to your website?  Any time an employee or consultant leaves your business, you should change passwords.
• Where / how is sensitive data handled?  Do you clean out unnecessary information (like credit card info), etc.  on a regular basis?  Have you reviewed PCI guidelines if you are an online vendor?
• Do you proactively update your web software to make sure any security issues are addressed?  Do you have someone who understands web security who can review your site occasionally?

A data breach can literally wipe out a small business.  Customers lose confidence in you, they may sue you, and your credit card company may cancel your merchant account.  So it’s important to pay attention to the threats out there, and be proactive about security.