Virtual Server Security
Not every company has the resources to maintain a full-time connection to the Internet. In those cases, most companies contract with an ISP to set up what’s known as a virtual server—space on an ISP’s Web server. Through software configuration, the outside world sees your site as its own machine; hence, the virtual in virtual server.
The security of your data on a virtual server is only as good as the security the ISP has in place for the entire system. Here are some questions to ask an ISP system administrator in this regard:
1. What security measures have they taken against unauthorized access to Web documents?
2. Do they allow users to run command-line tasks from CGI scripts or Server Side Includes? (Doing so opens a potential security hole, though it isn’t always indicative of immediate danger.)
3. Who in the ISP’s organization has access to your data? Is it only the Webmaster and system administrator, or can anyone in the company get into the server?
4. Will their access logs be available to you?
5. Will they assist you in dealing with any attempted breaches to the system?
6. Do they subscribe to the CIAC-Bulletin, distributed by the U.S. Department of Energy’s Computer Incident Advisory Capability group? If not, how do they keep abreast of new developments in Internet security?
On your end, you can take several steps to protect your virtual Web server:
1. Don’t share your account with anyone: neither the dial-up access nor your Web server space. Internet access accounts are available for as little as $5.00 a month, so no economic benefit offsets the risk. In fact, most ISP contracts prohibit sharing an account.
2. Don’t use the same password for multiple accounts or services, such as your dial-up password and your FTP access password. If one is compromised, all others will be.
3. Test all CGI scripts for security before uploading them to your live site. If you aren’t comfortable judging this, consider hiring a professional programmer to review them.
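A pre-upload check for the CGI and Server Side Include concerns above, as an added example that is not part of the original text: it flags every line in a site's files that hands work to a command line, and marks it "high" when a variable reaches that command. The rule set, file names and sample contents are constructed for illustration; a hit means the line needs a human review, and a clean result does not prove a script is safe.

```python
import re

# Heuristic rules: a hit means "read this line before uploading", not proof of a hole.
RULES = [
    ("ssi-exec", re.compile(r"<!--#exec\s+(cmd|cgi)\s*=", re.I)),
    ("shell-call", re.compile(r"\b(system|exec|popen)\s*\(")),
    ("backticks", re.compile(r"`[^`]+`")),
    ("pipe-open", re.compile(r"\bopen\s*\([^)]*([\"']\s*\||\|\s*[\"'])")),
]
VARIABLE = re.compile(r"\$\w+")  # Perl/shell variable reaching the command line

def audit(files):
    """Return (name, line_no, rule, severity) for each line that shells out."""
    findings = []
    for name, text in sorted(files.items()):
        for line_no, line in enumerate(text.splitlines(), start=1):
            for rule, pattern in RULES:
                if pattern.search(line):
                    severity = "high" if VARIABLE.search(line) else "review"
                    findings.append((name, line_no, rule, severity))
    return findings

# Constructed sample files standing in for a site about to be uploaded.
SAMPLE_SITE = {
    "guestbook.cgi": (
        "#!/usr/bin/perl\n"
        "use CGI;\n"
        "my $q = CGI->new;\n"
        "my $to = $q->param('email');\n"
        "open(MAIL, \"|/usr/lib/sendmail $to\");\n"
        "print MAIL \"Thanks for signing\\n\";\n"
    ),
    "counter.shtml": (
        "<html><body>\n"
        "Visitors: <!--#exec cmd=\"/usr/local/bin/counter\" -->\n"
        "<!--#include virtual=\"/footer.html\" -->\n"
        "</body></html>\n"
    ),
    "hello.cgi": (
        "#!/usr/bin/perl\n"
        "print \"Content-type: text/html\\n\\n\";\n"
        "print \"<p>Hello</p>\\n\";\n"
    ),
}

if __name__ == "__main__":
    for name, line_no, rule, severity in audit(SAMPLE_SITE):
        print(f"{name}:{line_no}: {rule} ({severity})")
```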
