Archive for the SPAM Category
Got your own email or web server? Ten top security tips
February 28, 2011
The following information has been compiled thanks to the help of The Australian Communications and Media Authority (ACMA).
Got your own server? Make sure it is secure…
The Internet can offer your business many benefits – but it can also expose you to increased security risks. This section of our web site helps you understand the basics of good computer and Internet security.
Many small businesses rely on the Internet to communicate with customers, suppliers and business partners. Other businesses go a step further: instead of using general email accounts provided by Internet Service Providers (ISPs), they choose instead to run their own web and email servers.
While running your own server can cut costs and bring greater flexibility, it can also expose you to bigger security risks.
If your business runs an email or web server, you probably rely on it to send and receive email and to present your online presence to the world. Inadequate security practices can disrupt your business, expose sensitive information, cost you money and put your computers at risk of being hijacked by spammers.
Most spam is sent out via spammers who take control of computers just like yours: don’t let security lapses allow these people to take advantage of you.
Why care about security? What’s the connection with spam?
Information held in IT systems is crucial for the operation of many businesses. Good security policies and practices help preserve the confidentiality, integrity and availability of data and services.
Spammers actively hunt for computers with security vulnerabilities. Spammers use these compromised computers both as a platform from which to attack other computers, and as a conduit for sending vast amounts of illegal spam.
If your business networks have been compromised, this can result in the disclosure of sensitive information, corruption of data, business downtime, damage to your reputation and the hassle of removing your business from spam ‘blacklists’. You are also financially liable for the excess ISP data charges that accrue when your computer is used to send spam.
Like all forms of security, computer security costs money. A security policy outlines the chosen balance between risks, possible consequences and cost. Developing and following a security policy requires management support, skills and input and is not simply an issue of technology.
Top ten security tips
This section presents 10 ways you can improve the security of your server (that is, ensure it is not compromised) and build a strong security policy. You can learn more about any of these security tips by browsing in a computer bookshop or by using your favourite Internet search engine.
1. Use a firewall
A firewall is your computer network’s first line of defence against intruders. Firewalls can block all traffic between your network and the Internet that is not explicitly allowed. Firewall software is built into modern operating systems and can also be purchased as special-purpose hardware. Basic firewall settings to help get you started are readily available from your vendor or the Internet.
2. Keep up to date with security patches
Most operating systems are supported by automatic updates (‘security patches’) that fix vulnerabilities found in important software components. You should either use the ‘automatic update’ option, or subscribe to a security-related mailing list and install these patches when necessary.
3. Protect yourself against viruses
Viruses and other malicious software, such as worms and Trojan horses, can alter or erase data on your computers; allow spammers and other intruders to use your computer and network; and may replicate and spread to others.
If you run an email server, you can install anti-virus software at the server to filter out email viruses before they reach users.
Each individual computer should also have up-to-date anti-virus software. Viruses and worms spread fast, so your anti-virus software must be updated regularly.
4. Use hard-to-guess passwords
Passwords are surprisingly easy to guess. Read the simple rules described in AusCERT’s ‘Choosing Good Passwords’ guide (see ‘General Security’, below).
5. Check and alter default settings
After installing software, check the configuration / setting options – you may find the software has extra features you don’t need or want. Turning off unnecessary services is a good security precaution.
6. Back up your software
Back up your data regularly. Verify your backups from time to time.
7. Monitor your servers
Your servers can be compromised without your knowledge. Monitoring your servers can alert you to intrusions as they occur, as well as allowing you to check the servers are working properly. Turn on the ‘logging’ function as a first step. Ask your vendor or an expert about the best way to monitor your network.
8. Join security-related mailing lists
Reputable organisations such as AusCERT offer free mailing lists that allow subscribers to keep an eye on the latest security risks and tips.
9. Secure your mail server: Close open relays!
Mail servers are very attractive targets to hackers and spammers because they exchange data between external users and internal users.
‘Relaying’ is a feature in mail servers that allows the server to forward mail from one external domain to another. If you run an ‘open relay’, spammers will quickly find your computer and use it to send spam, which may result in your server being blacklisted – which will stop you from being able to send legitimate emails.
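As an added illustration of the relay rule above (example code, not from ACMA or the original page): the check below reads mail-log records and flags messages accepted from a client outside your network for a recipient outside your domains, which is what an open relay does. The log format, domain name and network ranges are constructed for the example.

```python
import ipaddress
import re

# Assumptions for this example (not from the original page):
LOCAL_DOMAINS = {"example.com.au"}        # domains this server receives mail for
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24"),
                ipaddress.ip_network("127.0.0.0/8")]

# Constructed sample records in a simplified, made-up log format.
SAMPLE_LOG = """\
client=192.168.1.20 from=<amy@example.com.au> to=<supplier@partner.example> status=sent
client=203.0.113.7 from=<sales@partner.example> to=<amy@example.com.au> status=sent
client=198.51.100.44 from=<promo@bulk.example> to=<user@other.example> status=sent
client=198.51.100.44 from=<promo@bulk.example> to=<user@third.example> status=rejected
client=198.51.100.44 from=<amy@example.com.au> to=<x@other.example> status=sent
"""

LINE_RE = re.compile(
    r"client=(?P<client>\S+) from=<(?P<sender>[^>]*)> "
    r"to=<(?P<rcpt>[^>]*)> status=(?P<status>\w+)")

def domain_of(address):
    return address.rpartition("@")[2].lower()

def is_trusted(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_NETS)

def find_relayed(log_text):
    """Return (client, sender, rcpt) for each message that was accepted
    from an untrusted client and addressed to a non-local domain."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["status"] != "sent":
            continue                      # unparsable or not delivered
        if is_trusted(m["client"]):
            continue                      # your own users sending out: normal
        if domain_of(m["rcpt"]) in LOCAL_DOMAINS:
            continue                      # inbound mail for you: normal
        # External client, external recipient. The sender address is not
        # checked: it is easily forged, so a "local" sender proves nothing.
        hits.append((m["client"], m["sender"], m["rcpt"]))
    return hits

if __name__ == "__main__":
    for client, sender, rcpt in find_relayed(SAMPLE_LOG):
        print(f"relayed: {client} {sender} -> {rcpt}")
```

Any hit means the server forwarded mail it should have refused; a correctly configured server would show those records as rejected.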
10. Secure your web server: Close open proxies!
Web servers are large, complex, and highly configurable (that is, they can be fine-tuned to suit your needs). As such, they are often targeted by hackers and spammers. Make sure you know what you are doing if you are setting up such a server. If in doubt, consult an expert.
The two most popular web servers are Apache and Microsoft Internet Information Server (IIS). The default installations of both servers are often adjusted to improve security (see the links below).
Modern web servers can also run as ‘proxy servers’, a feature which allows users to forward web requests through your servers. If you run an ‘open proxy’, allowing open access to your proxy, spammers will quickly find your server and misuse your generosity, which could harm your reputation and result in your business being placed on spam blacklists.
Need more help? Options and more useful links
Seek expertise: Talk to friends or hire a technical consultant who can provide help through training, setup, ongoing administration and/or security.
Outsource: ISPs and other service providers offer IT solutions that include security management. ‘Bundled’ services may cost more than a one-off equipment purchase, but the comfort of knowing someone is on your side when it comes to IT security and support may be worth it.
General Security
The AusCERT National Information Technology Alert Service offers a free mailing list notifying subscribers of the latest threats and vulnerabilities affecting computer systems http://national.auscert.org.au
AusCERT publishes useful security-related papers, including: ‘Steps for Recovering from a UNIX or NT System Compromise’ and ‘UNIX Security Checklist’
http://www.auscert.org.au/Information/Auscert_info/papers.html
The SANS Top 20 Internet Security Vulnerabilities list is regularly updated, and is organised into two top-10 lists – one each for Microsoft and UNIX systems http://www.sans.org/top20
Dozens of sample security policies, ranging from anti-virus processes to VPN access http://www.sans.org/resources/policies
Microsoft security
The ‘Microsoft Baseline Security Analyser’ is software that scans your Microsoft Windows systems and suggests changes to settings to improve security
http://www.microsoft.com/technet/security/tools/mbsahome.mspx
The ‘Microsoft e-Security Guide for Small Business’ has tips, tricks, and do-it-yourself security information
http://www.microsoft.com/smallbusiness/gtm/desktopsecurity/pdf.mspx
‘Recovering from an Incident’ security guide from the CERT/CC
http://www.cert.org/nav/recovering.html
UNIX security
‘UNIX Configuration Guidelines’ from the CERT/CC
http://www.cert.org/tech_tips/unix_configuration_guidelines.html
Mail Server security
‘Security Resources for Exchange Server’ 2003
http://www.microsoft.com/exchange/techinfo/security
‘Sendmail Secure Install’
http://www.sendmail.org/secure-install.html
Web Server Security
Securing Apache
see http://httpd.apache.org/docs-2.0/misc/security_tips.html
or
http://www.securityfocus.com/infocus/1694
IIS lockdown tool
http://www.microsoft.com/downloads/details.aspx?FamilyID=DDE9EFC0-BB30-47EB-9A61-FD755D23CDEC
Installing and securing IIS servers
http://www.windowsecurity.com/articles/Installing_Securing_IIS_Servers_Part1.html
The ‘Windows 2000 Web Services’ page has links to a range of IIS security articles http://www.microsoft.com/windows2000/technologies/web
What are the government and industry doing about spam?
February 28, 2011
The following information has been compiled thanks to the help of The Australian Communications and Media Authority (ACMA).
Industry Codes of Practice: to complement the Spam Act 2003, ACMA has worked with the ISP and e-marketing industries to develop draft codes of practice to reduce the amount of spam entering and propagating across the Internet, and to curtail the illegal activities of Australian spammers.
The ISP Code of Practice is under development by the Internet Industry Association (IIA), in conjunction with its sister organisations in Western Australia and South Australia (WAIA and SAIA). The ISP Code of Practice will cover internet and email service providers and is expected to be presented to ACMA for registration in the near future.
The eMarketing Code of Practice was registered by the ACA on 16 March 2005. The eMarketing Code of Practice sets out the practices that must be followed by e-marketers when sending promotional messages by email or non-voice mobile channels, to distinguish legitimate e-marketers from illegitimate spammers.
The eMarketing Code of Practice was developed by a committee of industry, consumer and Government bodies and organisations representing the eMarketing industry; the group was chaired by the Australian Direct Marketing Association (ADMA).
The Australian Government’s anti-spam strategy: as a government body, ACMA is directly enforcing the Spam Act, monitoring spamming activities, promoting public education, developing technological solutions and working internationally to combat spam. To read more about ACMA’s five-way strategy for combating spam, see Spam – General Information.
Unfortunately, much of the spam that affects Australians comes from overseas. Efforts to combat spam on a national level are necessary, but significant long term gains will only come about through cooperative arrangements with other countries and relevant international bodies; the Australian government is at the forefront of establishing and strengthening these international arrangements.
Spam Exemptions
February 28, 2011
The following information has been compiled thanks to the help of The Australian Communications and Media Authority (ACMA).
Electronic messages from certain sources are exempted from the legislation. These include messages from:
To be exempted, the message must relate to goods or services and the sender must be the supplier of those goods or services. Purely factual messages with no commercial content are also exempted, but the sender must still include accurate identifying information.
Information for Government
The Department of Communications, Information Technology and the Arts (DCITA) has published guides that specifically address what the Spam Act 2003 means for government bodies, including information on the types of messages that are exempt from the Act, and those which must comply:
How can I avoid sending spam?
February 28, 2011
The following information has been compiled thanks to the help of The Australian Communications and Media Authority (ACMA).
To comply with Australia’s spam laws, any commercial electronic message you send must meet the following conditions. Any message sent by an Australian business that doesn’t meet all three of these conditions is defined as spam:
A spam message is not necessarily sent out in ‘bulk’ to numerous addresses – under Australian law, a single electronic message can also be considered spam.
The Act also prohibits the supply or use of address-harvesting software for the purpose of sending spam, and provides for orders for forfeiture of profits derived from spam, and payment of compensation to spam victims.
Don’t become an ‘accidental spammer’
If your business doesn’t have effective security measures in place, spammers can infect your computer with a virus and use it to send spam to other people without your knowledge. To avoid becoming an accidental spammer, learn about and adopt these good security practices:
You can learn more about security by browsing in a computer bookshop or by typing ‘good security practices’ into your favourite search engine. Anti-virus and personal firewall software is available from your ISP or computer shops, and more information about acquiring and using this software can be found on the Internet Industry Association web site: http://www.iia.net.au/.
Australia’s anti-spam law – the Spam Act 2003
February 28, 2011
The following information has been compiled thanks to the help of The Australian Communications and Media Authority (ACMA).
Under the Spam Act 2003 it is illegal to send, or cause to be sent, ‘unsolicited commercial electronic messages’ that have an Australian link. A message has an ‘Australian link’ if it either originates or was commissioned in Australia, or originates overseas but has been sent to an address accessed in Australia.
The Spam Act covers electronic messages – emails, mobile phone text messages (SMS), multimedia messaging (MMS) and instant messaging (IM) – of a commercial nature. However, the Act does not cover voice or fax telemarketing. The legislation sets out penalties of up to $1.1 million a day for repeat corporate offenders.
Why Is SPAM A Problem?
February 28, 2011
The following information has been compiled thanks to the help of The Australian Communications and Media Authority (ACMA).
Spammers flood the Internet with billions of unwanted email messages. This spam causes significant inconvenience to both individuals and businesses: it disrupts email delivery, clogs up computer systems, reduces productivity, wastes time, irritates users and raises the cost of Internet access fees. Many spam messages also contain material that is offensive or fraudulent, and spam is sometimes used to spread computer viruses.
What Is SPAM?
February 28, 2011
The following information has been compiled thanks to the help of The Australian Communications and Media Authority (ACMA).
Spam is a generic term used to describe electronic ‘junk mail’ – unwanted messages sent to people’s email accounts or mobile phones. These messages vary, but are essentially commercial in nature, and from the recipient’s point of view are often annoying in their sheer volume. They may invite the person to buy a product or service, or visit a website where they can make purchases; other spam messages attempt to trick people into divulging their bank account or credit card details.
In Australia, spam is defined as ‘unsolicited commercial electronic messages’. Australian legislation relating to spam – the Spam Act 2003 – came into effect on 10 April 2004. This guide for businesses outlines the key aspects of the law. For more detailed information on the requirements the Spam Act 2003 places on businesses that send commercial electronic messages, see:
- Spam Act 2003: A practical guide for business (PDF 243 kb)
- Spam Act 2003: An overview for business (PDF 183 kb)
If you would like paper copies of these information flyers, please complete the order form and return it to ACMA.
For practical advice about how you can reduce the amount of spam your business receives, and suggestions on what to do when you receive spam, see the Spam – Consumer Information page, or download’s Business Guide – Protecting Your Business from Spam [PDF 60 kb] and [RTF 650 kb].