Safeguarding Websites – Is it Possible?

Websites do not exist in a vacuum – they are simply the visual image resulting out of a complex mesh of systems, software, and hardware that make them up. As these pieces exist, there are risks – security risks, especially.

Website Security?

Should my website be hacked, what could happen?

• User or company data could be stolen.
• An attacker could completely take control.
• The site could be used as a malware/virus distribution point via hidden code.
• Content (text and images) could be changed.

Hacking attacks aren’t the only risks, though. Denial of Service (DoS) attacks have grown in popularity exponentially. These attacks flush abnormal amounts of user traffic against a site to fulfill the end goal of overwhelming and crashing the victim’s servers – taking their website offline.

What are Some Go-To Security Tips for My Organization?

Taking steps to secure your business’ IT infrastructure isn’t as difficult or scary as it sounds. Most issues can be prevented by utilizing due diligence and a thorough security plan.

Here are some general tips for security maintenance:

1. Maintain data backups.

The best offense is to keep up a good defense, but also keep reinforcements on speed-dial, for those especially bad days.

• Keep a dual system of physical (external hard drive) and cloud solutions to prevent total loss in the event of an outage.
• Deploy an organization-wide system of automatic backups to ensure minimal loss of data in a catastrophic event.

2. Keep an eye out for vulnerabilities.

For hardware, systems, drivers, and software:

• Continuously replace and update pieces as patches and updates come available. If one of the above has reached the end of life, it is advisable to have them switched out with a product currently in support.
• Ensure all passwords meet basic security standards. This includes reverting all passwords from factory defaults.
• Enable automatic updates and monitor them to ensure that they are installed properly.
• Regularly scan for vulnerabilities – this includes configurations and software.
• Patch, reconfigure, or quarantine all discovered vulnerabilities immediately.
• Upgrade resource availability and tweak load balancing to ensure systems can weather denial of service (DoS) attacks – this will ensure the unexpected high flow of traffic will not overwhelm the servers.

• Properly secure your website and applications.

While your website seems to operate in a vacuum as a page on the internet, that couldn’t be further from the truth.

• Regularly audit for security gaps and have them resolved immediately.
• Enable logging and regularly audit them to scan for security abnormalities.
• Audit new third-party code to check for security and functionality loopholes.
• Regularly scan for embedded viruses and malware.
• Deploy a web application firewall.

4. Secure user accounts.

Having a wealth of employees is an indicator of business success, but that number of network users can also present challenges.

• Ensure all usernames and passwords meet basic security standards. This includes reverting all passwords and usernames from factory defaults.
• As individuals leave your organization, promptly secure their accounts with a new password.
• Disable unused accounts and privileges.
• For online accounts such as email (Outlook, Gmail, Zoho), services (utilities, alarms), and creative production (Youtube, Canva, Adobe Creative Suite) – enable two or multi-factor authentication to prevent account theft.

• Control security gaps in website domains.

Domain maintenance isn’t only an annoying yearly bill for re-registration.

• Change all usernames and passwords that were default on the purchase of the domain.
• Enable and monitor automatic site logs for discrepancies.
• Review the DNS records for domains regularly.
• Enable two or multi-factor authentication for domain administrators.
• Require sanitized text on all ends, both staff, and client.

• Lockdown web servers.

Just because your servers are out of sight does not mean that they should be out of mind.

• Maintain a system of security checklists to be followed.
• Disable unused plugins, features, and software.
• Whitelist important accounts and plugins.
• Monitor the location of assets for removal if they are unused or placed in the wrong location.
• Monitor the addition of new plugins, files, accounts, and features to ensure they are being used properly or require removal.
• Audit each application (Apache, MySQL) on the system for security gaps.
• Segment and segregate the network and servers. Should an attacker enter your system, these roadblocks will severely hamper their ability to move within the network.

• Secure data as it is in transit.

You’d get involved immediately if someone was stealing and reading your business’ mail – so why stand the risk of someone stealing and reading your digital data?

• Disable unused and weak ciphers such as 3DES, SSLv2, SSlv3, and RC4.
• Always enforce HTTPS and HSTS to protect site users’ data in transfer.
• Turn off lackluster protocols such as HTTP (Hypertext Transfer Protocol), HTTPS (Hypertext Transfer Protocol Secure), and HSTS (Strict Transport Security) in favor of securer protocols.
• Enable cross-site scripting (XSS) and cross-site request forgery (XSRF) protection to protect site users.
• Use a content delivery network/policy to prevent an attacker from loading in malicious scripts to attack a site user’s machine.

Recap:

Discuss your IT needs with a well-qualified IT service provider. If your business is in a niche category such as healthcare, insurance, or production, ensure that the service provider carries all necessary qualifications or experience to handle your organization’s legally sensitive information.