Is your site waiting to be hacked? It is time to address with proactive security and stay ahead of hack.
In the age of internet, it is absolutely necessary to have a online presence and keeping the website secure is a top priority. About 30,000 sites get hacked everyday, which is a huge concern for many businesses and cyber security spending is only going to increase in the coming years. Unfortunately, security is a reactive process for most websites. Despite reading several news and articles of thousands of accounts hacked/leaked, one believes that it will not happen to them. Just human pshycology - "it will not happen to me".
It is often too late, when site owners decide to go for web security services. Site gets hacked and few days later the site gets blacklisted, and site owner starts receiving complaints that their site opens with a warning that the site is Dangerous in browser. The site owner has no clue and contacts hosting provider, and instead of expecting a remedy, Hosting Provider shuts down the site. We have already talked about this here. Site owner then decides to restore his site with another Hosting provider and get site back online and subscribes for a website security service. Site owner looses site traffic, business, time and money. Proactive Security measures could have helped avoid all this hassle.
What can the site owner do to ensure proactive security?
Having online presence is only a start. Maintaining is the key. Its like a business owner buying a product, has to consider the OPEX, and not just CAPEX. Sites have to be maintained by someone who is technically aware or can manage hosting.
If website is using open source CMS like Wordpress, Joomla, Drupal etc, it is absolutely necessary to keep the services updated to the latest security updated versions. This is a huge starting point. This thwarts most common attacks. This also applies to all plugins installed along with it.
Check with Hosting Provider, if website is protected from neighbour website hacks. If neighbour website is hacked, in some cases, the infection can spread to other websites hosted on the same server.
It has become a must to never use same password for all login accounts. Often the case, one of the login platforms has been compromised, leading to cracked and leaked password. Hackers constantly harvest and use this data to gain access to multiple other platforms. It is better to create separate password for every login account and store the passwords in password manager like lastpass, keepassx etc. Try to opt for two factor authentication.
File Change monitoring with alerting of website files can help detect attacks quickly, allowing site owners to do a quick revert back, and perform root cause analysis. This gives a chance to fix without the site getting blacklisted. This can detect zero day hacks.
Often, it may not be possible to stay updated with latest security upates for various reasons. In such, cases a system automation which can detect vulnerable code, with notification warning, can be used as reminder to perform upgrade.
Always find a solution that solves security issues at the root level. I am not a big fan of WAF. WAF does not protect the site's actual contents. A malware could still be hosted on your site, but WAF protects(or rather offers layers of protection) that malware from rendering to a browser, and hence mitigates malware spreading.
Site owners should focus on preventing that malware to reach the site. That is solving the problem at its root.
If site owners are building their own application, the following can be a good proactive start
- SQL injection - Test your code thoroughly for SQL injections. There are several open source tools available, which do not require steep learning curve.
- XSS - Cross Site Scripting attacks can redirect your users to malicious websites or hijack a session or run malicious code on browser.
- Avoid uploading files or if you have to upload, ensure that they cannot be executed by the web server. For eg, php/traversing could be disabled for a folder using htaccess, or storing files outside document root. Also look out for file inclusions in your scripts
- Error message - Avoid disclosing information while printing error message. Log the messages elsewhere outside docroot or show error message only for specific public IP address; eg IP of your Company
- Storing passwords - Ensure strong passwords, with salting and one way hashes.
- Validation - Have client side validation, but never trust it. Always have server side validations in place.
- SSL - Use https to secure confidential transit(protect against MITM attack) of information. Set Cookies httponly and secure to avoid hijacking of session cookies.
- In most cases, custom sites are targetted by specific group/competitor/hacktivists or disgruntled employees. Insider plays a key role.
Site owners should also understand that security is not only a technology, but a process. As the saying goes "People Process Technology" implies user awareness, defining processes and having system technology, is the need to ensure security, not only with respect to site, but also within your personal desktops and IT environment. If opting for security services, check what is being offered, before sign up. Dont buy out of fear.
Proactive Security is very cost effective approach, and it saves precious time and money. So, dont be reactive, and start being proactive.