SSL certificates are small data files that digitally bind a cryptographic key to your website's details. Once installed on a web server, a certificate enables the HTTPS protocol: the connection between the browser and the server is encrypted, and the browser shows the green padlock. Implementing SSL is common practice among websites big and small, especially when a website asks for sensitive information such as passwords and credit card numbers. SSL is an important part of your website security, but on its own it is not enough. Here are 5 reasons you need more than SSL to secure your website.
Application Level Vulnerabilities
Application level vulnerabilities are among the most common security flaws when it comes to keeping your website secure. Websites change and evolve over time, and the original security properties of the application can be eroded, often through website updates, plugins, and insecure code. An application vulnerability is a system weakness that has the potential to be exploited. Application security testing evaluates the security of web and mobile applications so that they can be protected from cyber-attacks. From source code all the way up to the browser, an application security assessment measures the effectiveness of the controls you currently have in place by simulating a hack. This should be done by a professional, mimicking a real-world scenario, and repeated annually.
Server patches are designed to keep your data centre hardened and your data secure and available, but they are often missed. Most people know that keeping computers and software up to date means staying on top of the available patches and deciding whether to apply them. Yet server maintenance is often neglected, which leaves servers exposed to vulnerabilities and, through them, to malware and viruses. The first step in ensuring your server is protected is to take an inventory of all elements of the server and do a thorough analysis of all of the current patches, if any. We recommend staying away from automatic scans and opting for manual analysis instead, since automatic scans only look for obvious issues and often miss crucial details.
Secure configuration, or hardening, is the process of securing a system or application by reducing its attack surface. Systems are generally built in a highly permissive state so that their users can take advantage of turn-key features. That permissiveness accounts for a large percentage of vulnerabilities, which is why security hardening is a common countermeasure for reducing the risk of a system compromise.
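Hardening in practice means comparing what a system actually has set against a baseline and turning off what is not needed. As an added illustration (this code and the baseline values are this edit's assumptions, not Packetlabs' tooling), the script below audits an OpenSSH `sshd_config`-style file against a small baseline. The directive names are real `sshd_config` keywords; the two sample configurations are constructed, one in the permissive "everything on" style the paragraph describes and one with the same directives explicitly locked down.

```python
# Directives a hardened host should set explicitly, with the value required.
# The keywords are real OpenSSH sshd_config directives; requiring these
# particular values is this example's assumption, not a universal rule.
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}


def parse_config(text):
    """Parse 'Keyword value' lines. Comments and blank lines are ignored and
    keyword names are lower-cased, since sshd treats them case-insensitively."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def audit(text, baseline=BASELINE):
    """Return (directive, actual, expected) for every baseline directive that
    is missing from the file or set to something other than the baseline.
    A missing directive is reported too: the compiled-in default then applies,
    and the reviewer should confirm what that default is rather than assume."""
    settings = parse_config(text)
    findings = []
    for directive, expected in baseline.items():
        actual = settings.get(directive)
        if actual is None:
            findings.append((directive, "<not set>", expected))
        elif actual.lower() != expected:
            findings.append((directive, actual, expected))
    return findings


# Constructed samples, not taken from any real host.
PERMISSIVE = """\
# out-of-the-box style: features left on for convenience
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
"""

HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
"""

if __name__ == "__main__":
    for name, cfg in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(name, audit(cfg))
```

The same pattern (parse, normalise, diff against a baseline) applies to web-server, database and CMS configuration files; the baseline is the part that needs judgement for each environment.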
Weak credentials are more common than you might think and cause major flaws in your website security. You can have all of the latest security tools and monitoring, yet weak credentials can render those safety measures irrelevant. A new report found that 19% of business passwords were “easily compromised”, and the Verizon Data Breach Report found that weak or stolen credentials were a factor in 81% of hacking-related data breaches last year. Despite high-profile breaches being in the news all the time, common passwords, password sharing and reuse of the same password across many websites remain widespread.
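One defensive control that directly targets the weak and reused passwords described above is to reject, at registration or password change, any password that already appears in a breach corpus. The added example below (not Packetlabs' code) implements the k-anonymity lookup pattern used by public breach-check services: only the first five characters of the password's SHA-1 hash would ever leave the host, and the full hash is compared locally against the returned range. The "corpus" here is a constructed four-entry table built at import time so the script runs offline; the 12-character minimum is this example's assumed policy.

```python
import hashlib

# Constructed stand-in for a breach corpus. In production the range table
# would come from a breach-check service's response for the hash prefix.
LEAKED_SAMPLE = ["password", "123456", "qwerty", "Summer2023!"]


def _sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_table(passwords):
    """Map 5-char hash prefix -> set of 35-char suffixes, mirroring the shape
    of a k-anonymity range response."""
    table = {}
    for pw in passwords:
        h = _sha1_hex(pw)
        table.setdefault(h[:5], set()).add(h[5:])
    return table


RANGE_TABLE = build_range_table(LEAKED_SAMPLE)


def appears_in_breach_corpus(password, table=RANGE_TABLE):
    """Only the prefix is used to select the range; the suffix comparison is
    done locally, so the full hash is never disclosed."""
    h = _sha1_hex(password)
    return h[5:] in table.get(h[:5], set())


def check_password(password, username="", table=RANGE_TABLE):
    """Return a list of policy problems; an empty list means the password is acceptable.
    The 12-character floor and the username rule are this example's assumptions."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if appears_in_breach_corpus(password, table):
        problems.append("present in breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "Summer2023!", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate, username="alice") or "ok")
```

Pairing this check with multi-factor authentication addresses the sharing and reuse problem from the other side: a reused password that has leaked elsewhere is no longer sufficient on its own.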
Popular content management systems like Magento, WordPress and Drupal make content management simple, but they require hardening and constant maintenance to stay up to date with the latest security patches. New weaknesses are discovered all the time, and because of the popularity of these platforms, they are attractive targets for hackers.
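Both the server-patching section and the CMS section come down to the same inventory exercise: list every component, record its installed version, and compare it against the version in which a known issue was fixed. The added example below (this edit's code, not Packetlabs' process) does that comparison for a constructed inventory. Component names and the "fixed in" versions are placeholders, not real advisories; the version parser assumes a numeric dotted core and ignores distribution suffixes such as `-1ubuntu1`.

```python
import re


def parse_version(version):
    """Return the numeric dotted core of a version string as a tuple of ints.
    Anything after '-', '+' or '~' (distro build suffixes) is ignored; this is
    an assumption that suits package and plugin version strings but not every scheme."""
    core = re.split(r"[-+~]", version, maxsplit=1)[0]
    return tuple(int(part) for part in re.findall(r"\d+", core))


def is_outdated(installed, fixed_in):
    """True when the installed version sorts below the version that carries the fix.
    Shorter tuples are zero-padded so 3.0 compares equal to 3.0.0 and below 3.0.1."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


# Constructed inventory: (component, installed version, version that carries the fix).
# Names and numbers are placeholders for illustration only.
INVENTORY = [
    ("cms-core", "6.4.1", "6.4.2"),
    ("cms-plugin-gallery", "2.10", "2.9"),
    ("cms-plugin-forms", "1.9", "1.10"),
    ("web-server", "2.4.57-1ubuntu1", "2.4.57"),
    ("database", "10.6.0", "10.6"),
]


def outdated_components(inventory):
    """Names of components whose installed version predates the fixed version."""
    return [name for name, installed, fixed in inventory if is_outdated(installed, fixed)]


if __name__ == "__main__":
    for name in outdated_components(INVENTORY):
        print("needs patching:", name)
```

The manual analysis the patching section recommends starts from exactly this list: the script only tells you which versions are behind, while a person still has to confirm that the fix is relevant to how the component is deployed and that applying it will not break anything.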
Website security is only as strong as its weakest link, which means taking a holistic approach across multiple security domains. A cybersecurity assessment identifies the controls in place within your environment, measures their effectiveness, and reviews the implemented policies and procedures to establish a maturity level for each of the core security domains. At Packetlabs, we recommend performing a cybersecurity assessment to identify gaps in your security foundation prior to commencing any objective-based penetration testing.
You can learn more about our security assessments here.