Best Practice Steps to Improve your Website Security
We hear every day in the media about the latest hacking attack or theft of data from websites. According to the FBI, there has been a sharp increase in the frequency and severity of attacks on corporate websites over the last two years or so.
The main target of hack attacks is obviously financial data, but other motives are becoming more prominent: intellectual property theft, commercial and government-sponsored espionage, interference in government processes and general mischievous defacement of websites are all on the increase.
It’s no surprise that website security lies heavy on the mind of the Head of IT.
Here are some best practice steps to improve your website security.
SSL Security
The prime anti-hacking feature of SSL (and its successor, TLS) is to encrypt the data transmitted between the site and the browser, so that anyone intercepting the traffic cannot read or tamper with it. This is especially important for sites that store financial data or handle it when making sales.
A website secured by SSL/TLS is recognized by the padlock in the browser's address bar and by https:// replacing http:// in front of the domain name in the site's URL.
Make sure that your website has an SSL certificate.
Secure Web Hosting
Complete security has many layers of protection, and secure web hosting is a key component. The server hosting your website must be protected against hack attacks and other malware issues.
In addition to software protections, continuous 24/7 monitoring of the server and network infrastructure is needed to enable early detection of threats. For example, early detection of a DDoS attack is essential to minimize its effects.
The various international standards and regulations relating to online security and privacy, GDPR for example, provide guidelines for good practice.
User Management and Education
The FBI thinks that most malware threats and hack attacks start with actions between the keyboard and the chair. Users make errors, unwittingly or deliberately, or try to get around security restrictions, for example by bringing in malware from home on flash drives or by responding to phishing emails.
There are also procedural failings, such as not removing the credentials of ex-employees or not adjusting users' security levels as they move through the organization.
Users need to be educated about security when they join and re-educated regularly through updates. They need to know how to recognize a threat, what to do, and who to contact if they suspect one.
Users, especially IT staff, need to have their privileges revoked when they resign and if they are the subject of disciplinary action.
The organizational security policy must cover password management, download management and access to potentially harmful websites. Blocking access to online storage such as Dropbox will cut down on the theft of confidential information.
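The procedural failings above (ex-employees whose accounts stay enabled, users who keep old group memberships after changing role, accounts with no owner) are the kind of thing a regular reconciliation between the HR roster and the account directory catches. The following Python check is an added example, not from the original article; the role-to-group policy, the roster and the directory export are all constructed sample data.

```python
from datetime import date

# Assumed policy: the groups each role is entitled to (constructed for this example).
ROLE_GROUPS = {
    "sales": {"crm-users"},
    "finance": {"crm-users", "finance-ledger"},
    "it-ops": {"crm-users", "server-admins"},
}

# Constructed HR roster: username -> (current role, leaving date or None).
HR_ROSTER = {
    "alice": ("finance", None),
    "bob": ("sales", date(2024, 3, 1)),   # left the company in March
    "carol": ("sales", None),             # moved from finance to sales
    "dave": ("it-ops", None),
}

# Constructed directory export: username -> (account enabled?, group memberships).
DIRECTORY = {
    "alice": (True, {"crm-users", "finance-ledger"}),
    "bob": (True, {"crm-users"}),                      # leaver, still enabled
    "carol": (True, {"crm-users", "finance-ledger"}),  # kept finance group after move
    "dave": (True, {"crm-users", "server-admins"}),
    "svc-old-backup": (True, {"server-admins"}),       # nobody in HR owns this
}


def audit_accounts(roster, directory, today):
    """Return (username, finding, detail) for every account that breaks the policy."""
    findings = []
    for user, (enabled, groups) in sorted(directory.items()):
        if user not in roster:
            findings.append((user, "orphan", "account exists but has no HR record"))
            continue
        role, left = roster[user]
        if left is not None and left <= today and enabled:
            findings.append((user, "leaver", f"left on {left} but account is still enabled"))
            continue
        # Mover check: any group beyond what the current role allows is excess privilege.
        excess = groups - ROLE_GROUPS.get(role, set())
        if excess:
            findings.append((user, "excess-privilege",
                             f"role '{role}' but also holds {sorted(excess)}"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in audit_accounts(HR_ROSTER, DIRECTORY, date(2024, 6, 1)):
        print(f"{kind:17} {user:15} {detail}")
```

Run against real exports, the output is the list of accounts to disable or trim before the next review cycle; the same check can also flag disabled accounts that still hold privileged groups if the directory export includes them.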
Hardware Security
There are two aspects to this. The first is to limit physical access to the equipment. This is easy if the equipment is in an access-controlled data center, but less so for equipment housed outside it. Network equipment such as switches should be kept in a locked room or network cabinet.
The second is that most IT hardware comes with a default management profile and access credentials that must be changed before the equipment is configured and deployed. This makes it harder for hackers to understand your infrastructure and systems and reduces the areas of vulnerability. Bots also launch automated attacks using default credentials; changing them makes those attacks far less likely to succeed.
Keep Up To Date
New threats arise every day. It is absolutely vital to ensure that both systems and desktop anti-malware software are kept up to date.
Desktop systems are best maintained centrally, with updates distributed over the network. Default user profiles must prevent users from switching updates and upgrades off.
Network security staff need to keep on top of new threats through interaction with their peers, media updates and general awareness.
Site Security Backups
The only safe site is one that hasn't been hacked yet. It will happen, and the best preparation for a speedy recovery is to have comprehensive, complete and usable backups.
The level of backup depends on the effect a loss will have on the organization. Some will need immediate switch-over to a hot-standby site. Others might be able to cope with a limited period of loss while restoring systems and data.
The prime need is a business continuity plan setting out the backup and recovery procedures: a plan understood by all, and one that is regularly tested.
Conclusion
Website security is not negotiable. Users will not use a site they think is unsafe. It is also a changing landscape. New threats appear daily, and the focus of attacks changes regularly. The price of security is eternal vigilance.