Google Hacking: Why being a Google dork is hurting your company


This article can also be found in the Premium Editorial Download "Information Security magazine: Captive to SOX compliance? A compliance guide for managers."


Weathering the Storm
Type "weather" into a Google search and The Weather Channel's site is the first returned result. From a marketing perspective, director of network architecture John Penrod loves the top ranking. From a security perspective, he realizes the depth of danger that a malicious query against the site, www.weather.com, could bring.

Penrod says his group has a clean track record fending off hackers, due in large part to an efficient QA process, and stringent security and code reviews applied against The Weather Channel's Web development. Experts say those are an enterprise's best defenses against Google hacking.

"The big thing for us is brand name protection," Penrod says. "The worst thing that could happen is for our site to be attacked or brought down."

Part of any risk assessment is examining liability and risk of information exposure, what your company is willing to share with the rest of the world and what it's willing to lose. It's imperative that companies understand which assets are Web-facing and if they're secure. This is a difficult issue to contend with for enterprises whose Web presence grows quickly. Strict corporate policies must address what it takes to put an application on the Web, and those edicts must be signed by managers, administrators and developers alike. The process must be policed regularly.

When a new version of The Weather Channel site goes into QA, it's reviewed internally by a team that verifies that established security processes were followed before the site is launched into production. On the back end, the administrative side is kept off the Internet. That's solid strategy. Search engines are indiscriminate and are likely to find a file on the Web that is unprotected or reveals too much.

"[QA teams] look at every file, every directory accessible by the public. Don't assume because you don't see it in browsing that it can't be found," Penrod says. "It's about ensuring the OS is secure, ensuring the Web server application is secure, and the dynamic-content-building process is secure from the ground up."

Protection mechanisms include simple things like placing a robots.txt file, the standard robot-exclusion file, in the site's root directory, which tells Google's spiders which directories to stay out of. Using meta tags like NOARCHIVE and NOSNIPPET prevents Google from caching or excerpting specific pages. Applying password protection to applications also keeps Google away.
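As an added example rather than code from the article or The Weather Channel, the Python check below audits the two exclusion controls just described: it parses a robots.txt with the standard-library robotparser to list sensitive paths a crawler may still fetch, and scans page HTML for the NOARCHIVE and NOSNIPPET robots meta directives. The robots.txt, page HTML, sensitive-path list and example.com host are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

# Constructed robots.txt (not weather.com's): the Googlebot group lists only
# /admin/, so for Googlebot the "*" group's /cgi-bin/ rule no longer applies.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /cgi-bin/

User-agent: Googlebot
Disallow: /admin/
"""
# Constructed pages: one carries NOARCHIVE/NOSNIPPET, the other does not.
SAMPLE_PAGES = {
    "/admin/login.html": '<meta name="robots" content="noarchive, nosnippet">',
    "/backup/db.sql.txt": "<html><head><title>dump</title></head></html>",
}
# Constructed list of paths the review decided must never be indexed or cached.
SENSITIVE_PATHS = ["/admin/login.html", "/backup/db.sql.txt", "/cgi-bin/test.cgi"]

def crawlable_sensitive_paths(robots_txt, paths, agent="Googlebot", site="https://example.com"):
    """Return the sensitive paths that robots.txt still lets `agent` fetch."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return [p for p in paths if rp.can_fetch(agent, site + p)]

class _RobotsMeta(HTMLParser):
    """Collect the directives of every <meta name="robots"> tag in a page."""
    def __init__(self):
        super().__init__()
        self.directives = set()
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "robots":
            self.directives |= {d.strip().lower() for d in (a.get("content") or "").split(",")}

def missing_cache_directives(html, required=("noarchive", "nosnippet")):
    """Return the required robots meta directives that `html` lacks."""
    p = _RobotsMeta()
    p.feed(html)
    return sorted(set(required) - p.directives)

def audit(robots_txt=SAMPLE_ROBOTS, pages=SAMPLE_PAGES, paths=SENSITIVE_PATHS):
    """Combine both checks into one findings dict keyed by path."""
    findings = {}
    for path in crawlable_sensitive_paths(robots_txt, paths):
        findings.setdefault(path, []).append("not disallowed in robots.txt")
    for path, html in pages.items():
        for d in missing_cache_directives(html):
            findings.setdefault(path, []).append("missing meta robots " + d)
    return findings
```

robots.txt and meta tags are honoured only by well-behaved crawlers and protect nothing by themselves, which is why the article pairs them with password protection. The sample also shows a parsing rule that is easy to miss: a crawler-specific group such as User-agent: Googlebot replaces the "*" group's rules for that crawler rather than adding to them, so /cgi-bin/ stays open to Googlebot here.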

"Everyone we show Google hacking results to can't believe it," says Dave Shackleford, solution engineering manager with consultancy Vigilar. "They're used to using Google every day; it's an objective tool you can use for innocuous queries. But it's used to find information you'd never want to see as well. That's what takes them aback."

Companies should also dedicate staff time to Google hacking. Run queries against your company and seek out dangerous nuggets before a hacker beats you to it. If sensitive pages are found online, companies should remove the pages from directories or password-protect them. It's also imperative to request via an online form that Google take down such pages from its search results and its cache.

The Catch-22 for sites like The Weather Channel that want strong Google returns is that using exclusionary techniques will damage a site's search engine ranking.

"We definitely want Google to look at our site--it's good for business," Penrod says. "Not looking at our site is better for security. We just have to put everything on a scale and weigh the risks."

This was first published in March 2006
