Battening Down the Hatches: How to Secure and Defend a Web Presence

Nick Espinosa, CIO & Chief Security Fanatic, BSSi2 LLC


We live in an age of uncertainty. Sure, some things never change, like death, taxes and complaining about both, but many other things are subject to change. Consider for a moment that websites are no different. We update our sites to include more modern layouts, better graphics, optimization for performance or mobility and, of course, more content for a content-driven world. So why is it, with all of these changes in web development, that so many sites lack one fundamental change that should always accompany the changing times? I’m, of course, talking about website security, a major issue that only seems to be discussed when the integrity of a site is compromised. We can build masterpieces of modern technological online art, but unless we’re securing them they can become a patron’s worst nightmare.

In a perfect world we would have a web development team consisting of the designer, who makes the interface user friendly and flowing; the developer, who actually puts together and optimizes the site for performance; and a cybersecurity expert to wrap the whole thing in much-needed security. With breaches rising substantially each year, security concerns can no longer be an afterthought to the design and implementation of any web development project. These attacks can deface websites, inject malicious infections and code for patrons to download or execute and, if the breach is deep enough, actually gather patrons’ sensitive data such as account and credit card information. With these issues also comes a loss of reputation and therefore possible revenue. No longer can security be reactive. It has to be proactive.

In this vein, here are some basic steps that will help secure websites and vastly reduce their exposure to attack.

Firewalls Aren’t Just for Local Networks Anymore

Many people simply assume that their web hosting provider is going to keep them secure. They’re not! Web hosts will give you web space and utilities for publishing to make development easier, but beyond this, unless explicitly stated, web hosts will do no more. As a result, the public IP address of the website is usually accessible to all with no real filtering options. Thus a hacker has the ability to fully scan a live website, enumerate its vulnerabilities and then attempt to exploit anything he or she can find.


Using a cloud-based firewall provider, or Web Application Firewall (WAF)(1), for the website is a much safer way to control a live website. Like a regular firewall that defends an internal network from external threats, a website firewall forces all traffic to the website through its filters, so it is able to detect, analyze and kill threats before they can actually reach the site itself. We are called in constantly to “unscrew” hacked websites, and those who use website firewalls are the ones who fortunately never call back with this issue.

2FA is Your Best Friend

For the uninitiated, 2FA is formally known as Two-Factor Authentication(2) (though some use 2SV, or Two-Step Verification, but we won’t get into minutiae here). Basically, 2FA adds a secondary method to verify that the user is who the user says he or she is. Thus, 2FA drastically reduces a hacker’s ability to impersonate a legitimate user. In its most basic form, 2FA works like this:

1. The user logs into the website using their username and password
2. A text message, email or authenticator code is sent to the user
3. That user enters the code and the site allows the user in

This method for administrative logins to a website helps to ensure the backend control panels for the site remain highly secure.
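The three-step flow above, worked through as an added example (not code from the article): a password check as the first factor, then a six-digit authenticator code verified server-side using RFC 6238 TOTP. The user record, salt and password are constructed for the demo; the TOTP secret is the RFC 6238 test-vector key, so the codes can be checked against the published vectors. The example also goes one step beyond the text by refusing a code that has already been accepted, which is what stops a stolen one-time code from being replayed within its time window.

```python
"""Two-step admin login: password first, then a time-based one-time code (RFC 6238 TOTP)."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30          # TOTP time-step used by common authenticator apps
CODE_DIGITS = 6


def base32_decode(secret_b32: str) -> bytes:
    """Decode the base32 secret an authenticator app is enrolled with (padding is optional)."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, timestamp: int, digits: int = CODE_DIGITS) -> str:
    """RFC 6238: HMAC-SHA1 over the 30-second counter, dynamically truncated to N digits."""
    counter = int(timestamp) // STEP_SECONDS
    digest = hmac.new(base32_decode(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


# Constructed demo data: salt and password are placeholders, not real credentials.
DEMO_SALT = b"constructed-demo-salt"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000)


USERS = {
    "admin": {
        "pw_hash": hash_password("correct horse battery staple"),
        # RFC 6238 test-vector key ("12345678901234567890" in base32), used so results are checkable
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
        "last_counter": -1,   # highest TOTP counter already accepted; blocks code replay
    }
}


def first_factor(username: str, password: str) -> bool:
    """Step 1: username and password."""
    user = USERS.get(username)
    if user is None:
        hash_password(password)   # do the same work for unknown users so timing does not leak names
        return False
    return hmac.compare_digest(user["pw_hash"], hash_password(password))


def second_factor(username: str, code: str, now: int, window: int = 1) -> bool:
    """Steps 2-3: the authenticator code the user types, allowing +/- one step of clock drift."""
    user = USERS.get(username)
    if user is None or not (code.isdigit() and len(code) == CODE_DIGITS):
        return False
    counter = int(now) // STEP_SECONDS
    for drift in range(-window, window + 1):
        candidate = counter + drift
        if candidate <= user["last_counter"]:
            continue                       # this step was already used: reject replay
        if hmac.compare_digest(totp(user["totp_secret"], candidate * STEP_SECONDS), code):
            user["last_counter"] = candidate
            return True
    return False


def login(username: str, password: str, code: str, now: int) -> str:
    """Full flow: both factors must pass before the backend control panel is reachable."""
    if not first_factor(username, password):
        return "denied"
    if not second_factor(username, code, now):
        return "denied"
    return "granted"


if __name__ == "__main__":
    # At Unix time 59 the RFC 6238 SHA-1 vector gives 94287082, i.e. "287082" at six digits.
    print(login("admin", "correct horse battery staple", "287082", 59))   # granted
    print(login("admin", "correct horse battery staple", "287082", 59))   # denied: replayed code
```

Note that the password is checked first and the one-time code only afterwards, and that a failure in either step returns the same answer, so an attacker cannot tell which factor was wrong.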

Limiting Access is Limiting Hackers

Most websites can restrict who is able to access them, not just by username, but also by the address of the remote user. If the organization that owns the website has an internet connection with a static IP (an IP address that is fixed and unchanging), then it is usually possible to configure the administrative side of the website to allow connections only from that address. This has the effect of denying anyone at any other address remote access to the administrative side of the site. Of course, if the company changes its IP address, make sure to update the website’s access configuration as well! Each hosting provider has its own process for achieving this, so make sure to check their documentation or support.

Update Update Update

This point is critical. The number one reason we get called in to unscrew websites is that, after publishing the site, no one is doing any kind of maintenance on the framework that actually runs it. Framework platforms like WordPress, and its plethora of plugins, are notorious for going out of date and being exploited(3). In fact, I’ve even demonstrated live to audiences just how easy it is for me to break into WordPress-based sites that are not updated regularly. It’s a serious issue. Keeping them up to date hardens the website’s framework against attack.

Not Having Backups is Unforgivable

Any kind of web presence that is breached may be impacted very deeply at the code level. We’ve seen insertion of malicious code into HTML and JavaScript, injection of malicious code into databases(4) and a whole slew of other kinds of nastiness, all geared towards the disruption of service and the redirection of users to malicious sites. Instead of having to find the virtual needle in the technical haystack, it’s simply easier to restore from backup. Most hosting providers will offer a basic backup as part of their hosting fee; however, most of these solutions are not comprehensive, nor do they have much longevity in terms of backup retention. For best results, a periodic backup to another location, meaning a different provider (or the same one if they offer secure replication), is the most effective method to ensure quick restoration of an infected site. Like limiting access, each hosting platform is different, so check with your provider for available options.
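A small companion to the backup, added here as an example and not something the article or any hosting provider supplies: a SHA-256 manifest of the published files, kept off-site alongside the backup, lets you tell a breached site which files were changed, added or deleted, so the restore is targeted instead of a guess. The demo builds a constructed two-file site in a temporary directory, records its manifest, then simulates an unwanted change (one edited file, one unexpected new file, one deleted file) and reports the difference. Storing the manifest with the off-site copy matters: a manifest left on the web host can be rewritten by whoever rewrote the site.

```python
"""File-integrity manifest for a web root: find what changed, then restore exactly that."""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Compare the stored (off-site) manifest with a fresh scan of the live site."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def _write(root: str, rel: str, text: str) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo() -> dict:
    """Constructed scenario: publish a tiny site, then alter it and report the findings."""
    with tempfile.TemporaryDirectory() as site:
        _write(site, "index.html", "<html><body>Welcome</body></html>\n")
        _write(site, "js/app.js", "console.log('site loaded');\n")
        baseline = build_manifest(site)          # taken at publish time, stored with the backup

        # Simulated unwanted changes to the live copy (placeholder content, not real payloads).
        _write(site, "index.html", "<html><body>Welcome</body></html>\n<!-- unexpected change -->\n")
        _write(site, "uploads/extra.php", "<?php /* file that was never published */ ?>\n")
        os.remove(os.path.join(site, "js", "app.js"))

        return diff_manifest(baseline, build_manifest(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
    # modified -> restore from backup; added -> remove; removed -> restore from backup
```

Run the scan on a schedule and after any deployment, regenerating the baseline only from a known-good release; a clean run is also a cheap way to confirm that a restore actually brought the site back to its published state.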

Layers Aren’t Just for Winter Clothes Anymore

The best security is layered security. Everything mentioned above goes a very long way toward ensuring that a website is secure. Implementing all of it and maintaining vigilance is about as close to a guarantee as one can get that the website will be fully protected and remain that way. There is no better security than one that incorporates multiple facets of protection while still keeping the experience hassle free for the patron.

Ultimately any website is only as secure as its developers and owners make it. In this sense a little investment in configuration time and security cost goes a very long way. No one wants to be known for a hacked website, and certainly no one wants to lose revenue over it either. With these steps in mind, no one has to.
