Consumers, organizations and businesses alike are increasingly relying on websites and online services while sometimes not considering the website’s security. This may be a sign of the trust and confidence in online security with regards to how confidential and personal information is handled, but there are indeed risks that clients need to be protected from.
Administrators and operators of websites need to be aware of risks that their clients are exposed to through their services and should place security should as a top priority. Poor security can not only lead to compromise of customer data but it can have negative long-term business impacts through loss of customers, brand tarnishing and even costly legal battles, all of which has been seen in the media in recent years.
Keeping a website secure is an ongoing process, new vulnerabilities are regularly being discovered and attackers are constantly coming up with new ways to hack their targets.
Here are 6 ways website operators can maintain their security and prevent attacks.
6. Keep platforms, systems and software up-to-date. Whether your software was created in-house or by a third-party, ensuring everything has the latest update is typically the owner’s and administrator’s responsibility. Often, organizations with the mindset that hackers will not target them that are the most at risk because they do not take the necessary steps to protect themselves. Updates are important because they do not JUST apply to the websites core platform or plugins they also apply to browsers, themes and operating systems.
5. Password Management. We hear about password hacks and compromised data that result in the news regularly, it is estimated that hackers stole 45 million passwords from over 1,100 websites in 2016 and that 81% of breaches in 2016 involved stolen or weak passwords. Proper password management should include a corporate wide password policy which outlines password strength requirements, how often passwords need to be changed and limit or prohibit the reuse of passwords. Strong passwords should consist of a random mix of upper and lower case characters, symbols, numbers and be at a minimum of 12-15 characters long. Avoid having obvious words such as the names and dates as part of the password. They should be unique and not used to access multiple accounts or applications. Change passwords often and keep them secure. Passwords should only be known to employees if access is critical to their role. Change passwords whenever there are changes in personnel and disable or remove unused access accounts. For more information on proper password management, refer to NIST’s password guidelines here.
4. Perform recurring security testing. Every day there are new vulnerabilities found to affect a large volume of applications and system components. Once your website has undergone security testing, it is critical that it be added to a recurring schedule in order to maintain constant awareness into the level of risk for each of your web properties. More often, websites or web applications undergo changes at a source-code level in order to introduce new functionality or enhance existing content which may introduce vulnerabilities into the application. While it is recommended to perform security testing after any significant code change, adopting an annual or quarterly security testing schedule will dramatically reduce exposure and provide extra runway for remediation.
3. Restrict access to management applications. Perhaps the most overlooked countermeasure for automated attacks on content management systems is to simply restrict access using a network-based access control list. CMS applications such as WordPress, Drupal and various others are subject to password guessing or brute-force attacks sometimes every hour of the day. If unauthorized access to your website is obtained through the CMS management platform, it is possible for an attacker to attempt to compromise back-end webservers and databases in order to maintain persistent access.
2. Use HTTPS. An easy way to protect your customers is to use and mandate HTTPS (i.e., SSL) which encrypts communications between the web server and clients using SSL certificates. Consumers are now looking for the green HTTPS logo in their browsers URL form anytime they will be providing sensitive information, as it indicates their traffic is encrypted. In addition to the extra security that having HTTPS offers, Google has confirmed that their algorithm considers HTTPS when ranking websites, which is their way of providing users with accurate and secure search results.
1. Security consulting. Hiring professionals to provide insight into your existing security controls is a great step in maintaining the security of your website. While these services are typically thought of as being reserved for companies that routinely store or transmit sensitive information through their website, any organization can benefit from an assessment. Web application security assessments consider the holistic approach to multiple security domains and identify controls in place within your environment, measure their effectiveness and review the implemented policies to establish a maturity level at each of the core security domains. System hardening should also be considered in an assessment- this includes evaluating the security of the underlying operating system and system configuration to identify ways to reduce the attack surface.
If you are a seasoned IT professional or you are just starting to investigate website security, there are a variety of tactics you can use to protect your own and your user’s data. To learn more about web application security risks visit the OWASP Top 10 Project to review the ten most critical security risks in web applications.
Contact us today for your free website consultation and quote.