Websites are without a doubt a very – if not the most – attractive target for hackers. And when it comes to attack vectors, there’s no shortage of vulnerabilities in websites for malicious hackers to exploit.
Very recently, the Qatar National Bank fell victim to a data breach that exposed 1.4 gigabytes of sensitive customer information, including personal data and credit card information. The bank itself suspects a SQL Injection vulnerability to be responsible for the success of the attack. And QNB is not the only firm to fall victim to website hacks in the past months.
There’s no shortage of data breaches involving websites and web applications. A short search on Google will turn up more than a dozen website hacks in the current year alone. And that’s only the tip of the iceberg; what you see in the news only accounts for major cases that were discovered and disclosed. As security research firms have stated time and again, it takes firms several months to discover data breaches – if they discover them at all.
None of this means that we shouldn’t take the necessary measures to protect our websites against malicious actors. In fact, many successful data breaches are staged by taking advantage of website administrators who neglect to implement the most basic practices and guidelines for securing their websites.
In this post, I will share a few tips that will help you get a better high-level grasp of website security. Aside from the technicalities, these guidelines helped me change my mindset toward web security. Maybe they will help you as well.
Prepare for the when, not the if
Many small businesses and firms believe they will not become the target of data breaches, because their online assets do not offer much value to hackers. After all, in the news, you mostly hear about the likes of Ashley Madison, VTech and Anthem being hacked.
But as a recent report from security firm Imperva shows, you don’t have to be a very popular brand or a big government agency such as the OPM to become the victim of a data breach. And while monetization and valuable information are important driving factors, they don’t account for the motive behind every data breach. There are many devious ways hackers can put your compromised website to use, such as carrying out blackhat SEO campaigns, distributing malware to unfortunate visitors, or using it as a stepping stone to gain access to your crown jewels.
And you don’t need a huge online presence to be noticed by hackers. Their botnets are tirelessly scanning the web and finding new victims for their evil deeds. Sometimes, a less-noticed website will prove to be more suitable for the purposes of cybercriminals than a high-profile one.
So instead of keeping your fingers crossed and hoping against hope that they won’t come after you, get your gear on and ready yourself to face them head-on.
Know what you have
You need to make a complete inventory of all of your web applications. This includes public websites, applications such as CRM and ERP that you use internally, RESTful web services with no visible browser access, and even static websites with no code or database behind them. Often, companies get hacked via abandoned web servers and websites that have been forgotten and are no longer maintained.
Once you have a full list of your web assets, shrink your attack surface. This can be done by applying two guidelines:
- Minimizing access
- Minimizing features
Minimizing access involves making sure your assets are only available to the relevant persons and network nodes. If a web application or web service is designed for internal usage only, make sure your firewall prevents outsider access altogether. If it is meant to be accessed by employees while they’re traveling or when they’re at home, then you can designate and whitelist VPN IPs or deploy two-factor authentication (2FA) and client SSL certificates to minimize the risk of unwanted parties accessing the web application. Setting up minimal access control lists is also a necessary step to secure assets against intruders.
Web server settings should also be examined for features that have been left turned on unnecessarily. Scripting and CGI engines that will not be used should definitely be turned off, as they can become juicy attack vectors for savvy hackers. Other features such as directory listing and WebDAV are also often carelessly left on, which effectively gives hackers access to a wealth of information and functionality on your servers.
Keeping every server you have updated with the latest patches is also necessary to prevent your websites from being hacked through other vulnerabilities that might be found in your system.
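To make the "minimizing features" and "minimizing access" checks concrete, here is a small configuration auditor added as an example for this post (it is not code from the original article or from any web server project). It parses a constructed nginx-style configuration and flags the exact problems described above: directory listing left on, WebDAV methods enabled, a CGI/script engine still wired up, and an internal-only path that has no allow/deny rules. The nginx directive names are real; the sample configuration, the list of "internal" path prefixes and the finding messages are assumptions made for the example.

```python
import re

# Constructed sample nginx configuration for the example (not from any real server).
SAMPLE_CONFIG = """
server {
    listen 80;
    server_name www.example.test;

    location /static/ {
        root /var/www;
        autoindex on;                                 # directory listing left enabled
    }

    location /uploads/ {
        root /var/www;
        dav_methods PUT DELETE MKCOL;                 # WebDAV left enabled
    }

    location /cgi-bin/ {
        fastcgi_pass unix:/var/run/fcgiwrap.socket;   # CGI engine still wired up
    }

    location /admin/ {
        proxy_pass http://127.0.0.1:8000;             # internal app, no access restriction
    }

    location /intranet/ {
        allow 10.0.0.0/8;
        deny all;
        proxy_pass http://127.0.0.1:9000;             # internal app, correctly restricted
    }
}
"""

# Each check: a regex over one directive (comment and ';' removed) and the finding text.
DIRECTIVE_CHECKS = [
    (re.compile(r"^autoindex\s+on"), "directory listing enabled (autoindex on)"),
    (re.compile(r"^dav_methods\s+(?!off\b)"), "WebDAV methods enabled (dav_methods)"),
    (re.compile(r"^(fastcgi_pass|uwsgi_pass|scgi_pass)\b"), "script/CGI engine enabled"),
]

# Paths the site owner has declared internal-only (assumption for the example).
INTERNAL_PREFIXES = ("/admin/", "/intranet/")


def strip_comment(line):
    return line.split("#", 1)[0].strip()


def audit_nginx(config_text, internal_prefixes=INTERNAL_PREFIXES):
    """Walk the config block by block; return a list of (location path, finding) tuples."""
    findings = []
    stack = []        # enclosing block names, e.g. ["server", "location /static/"]
    restricted = {}   # block name -> True once an allow/deny directive was seen in it
    for raw in config_text.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        if line.endswith("{"):                      # block opens
            name = line[:-1].strip()
            stack.append(name)
            restricted[name] = False
            continue
        if line == "}":                             # block closes: evaluate access rules
            name = stack.pop()
            if name.startswith("location "):
                path = name.split(None, 1)[1]
                if path.startswith(internal_prefixes) and not restricted[name]:
                    findings.append((path, "internal-only path reachable without allow/deny rules"))
            continue
        directive = line.rstrip(";")
        context = stack[-1] if stack else "main"
        if directive.startswith(("allow ", "deny ")):
            restricted[context] = True
        for pattern, message in DIRECTIVE_CHECKS:
            if pattern.search(directive):
                path = context.split(None, 1)[1] if context.startswith("location ") else context
                findings.append((path, message))
    return findings


if __name__ == "__main__":
    for location, finding in audit_nginx(SAMPLE_CONFIG):
        print(f"{location:12} {finding}")
```

The parser deliberately handles only the flat `server { location { ... } }` shape shown in the sample; the point is that each "feature left on" is a single directive you can grep for, while "minimizing access" is a property of the whole block (no `allow`/`deny` anywhere inside it), so the two kinds of check need different logic.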
What if you’re writing your own code?
One of the biggest mistakes developers make is to focus mainly on functionality while coding their applications and to deal with security as an afterthought. Pushing security testing to the later stages of the Software Development Lifecycle (SDLC) often leads to hasty and improper testing due to fast-approaching deadlines. The cost and the time required to fix bugs also increase as you gradually inch toward the end of the development process.
The right approach is to integrate security testing within the development process itself through the implementation of a Secure Software Development Lifecycle (S-SDLC). One of the best ways to test your web application for security flaws as you code is to deploy a Static Application Security Testing (SAST) solution. SAST tools integrate with IDEs, bug-tracking software and other software that you use in your SDLC, and constantly scan the code of your application for known flaws and bad practices as you develop it.
Investing in a SAST solution can help you minimize the cost of finding and fixing bugs and will also help your developers learn and adopt secure coding practices for future projects.
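To show what a SAST tool actually does when it "scans the code for known flaws", here is a miniature static check added as an example for this post (it is not the code of any real SAST product). It parses Python source with the standard `ast` module and flags database `execute()` calls whose query is assembled at runtime by concatenation or string formatting instead of being passed as a constant with separate parameters, which is the pattern behind the SQL Injection vulnerabilities mentioned earlier. The sample application code it scans is constructed for the example.

```python
import ast

# Constructed sample application code: two unsafe queries and two safe ones.
SAMPLE_SOURCE = '''
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")   # concatenation

def find_user_fmt(cur, name):
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")        # f-string

def find_user_safe(cur, name):
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))      # parameterized

def count_users(cur):
    cur.execute("SELECT COUNT(*) FROM users")                        # constant query
'''

# Method names treated as SQL sinks (DB-API 2.0 cursor methods).
SINK_NAMES = {"execute", "executemany"}


def is_dynamic_string(node):
    """True when the expression builds its value at runtime from non-constant parts."""
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.JoinedStr):          # f"..." is dynamic only if it has {expr} parts
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return is_dynamic_string(node.left) or is_dynamic_string(node.right)
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) \
            and node.func.attr == "format":
        return True
    # Names, subscripts and other calls: origin unknown to this simple checker,
    # so they are reported for a human to review (a real SAST would trace them).
    return True


def find_sql_concat(source, filename="<sample>"):
    """Return sorted (line number, query expression) pairs for dynamic queries at SQL sinks."""
    findings = []
    tree = ast.parse(source, filename)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name in SINK_NAMES and is_dynamic_string(node.args[0]):
            findings.append((node.lineno, ast.unparse(node.args[0])))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, expr in find_sql_concat(SAMPLE_SOURCE):
        print(f"line {lineno}: query built at runtime: {expr}")
```

Running this on every commit, or from the IDE, is exactly the "test as you code" loop described above: the unsafe query is reported the moment it is written, when fixing it costs a minute, rather than in a penetration test weeks later.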
What if you’re not?
If you’re not coding your own website and rely on CMS and blog engines such as WordPress, Joomla and Magento to power your company’s website, here are two tips to harden your website’s security:
- Updates, updates, updates: The first rule for keeping security bugs from being exploited is to make sure every piece of software, plugin and extension you’re using is up-to-date. There are a lot of stories about hackers finding a clever zero-day vulnerability in software running on a server and exploiting it to gain access to critical information. But the truth is that most data breaches are made possible through known vulnerabilities in unpatched systems.
- Don’t trust extensions from unknown sources: Be very careful with the plugins you install on your website, especially if you’re using a popular open-source platform like WordPress, which allows anyone and everyone to develop and publish extensions. Vulnerable plugins are one of the most popular attack vectors for website engines. Always check a plugin’s background and known vulnerabilities before installing it.
Prepare yourself for the unknown
No matter how cautious you are, unknown vulnerabilities will eventually pop up on your web application, whether it’s a SQLi vulnerability or a URL parameter that enables hackers to send arbitrary commands to your server.
Security tools such as Web Application Firewalls (WAFs) are a good solution to deal with unknown threats in web applications. WAFs deal with website traffic at the application level, monitoring HTTP requests and responses as they are exchanged between servers and clients, and examining them for malicious patterns such as SQLi or Cross-Site Scripting (XSS) attacks. WAFs have a good understanding of how web applications work, and can be much more effective than traditional security tools in detecting and blocking the exploitation of vulnerabilities that haven’t been discovered yet. Other WAF features such as black- and white-listing will enable you to act quickly and plug newly-discovered security holes while your developers are busy fixing them.
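The three WAF capabilities named above (signature matching on decoded parameters, IP black- and white-listing, and a "virtual patch" that plugs a hole while the developers fix it) fit in a few dozen lines, so here is a toy request inspector added as an example for this post (it is not code from the article or from any WAF product). The request lines, the trusted and blocked addresses, and the virtual-patch rule for the `format` parameter of `/report` are all constructed assumptions; the signatures are generic and far simpler than what a production WAF ships.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample requests in "client_ip METHOD path?query" form (not real traffic).
SAMPLE_REQUESTS = [
    "203.0.113.5 GET /products?id=42",
    "203.0.113.5 GET /products?id=42'%20OR%20'1'%3D'1",
    "198.51.100.7 GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E",
    "198.51.100.9 GET /report?format=pdf",
    "198.51.100.9 GET /report?format=pdf%27",
    "192.0.2.77 GET /report?format=pdf",
    "10.0.0.4 GET /products?id=42'%20OR%20'1'%3D'1",
]

# Generic signatures of the kind a WAF matches against decoded parameter values.
SIGNATURES = [
    ("sqli", re.compile(r"('|\")\s*(or|and)\s*('|\")?\w*('|\")?\s*=", re.I)),
    ("sqli", re.compile(r"\bunion\b.+\bselect\b", re.I)),
    ("xss", re.compile(r"<\s*script\b|\bon\w+\s*=|javascript:", re.I)),
]

# Virtual patch (assumption for the example): until /report is fixed, its 'format'
# parameter is only allowed to take one of the values the application actually uses.
VIRTUAL_PATCHES = {("/report", "format"): re.compile(r"^(pdf|csv|html)$")}

TRUSTED_IPS = {"10.0.0.4"}      # whitelisted internal scanner (constructed)
BLOCKED_IPS = {"192.0.2.77"}    # blacklisted after repeated abuse (constructed)


def inspect_request(line):
    """Return ('allow', reason) or ('block', reason) for one request line."""
    ip, _method, target = line.split(" ", 2)
    if ip in BLOCKED_IPS:
        return ("block", "blacklisted client")
    if ip in TRUSTED_IPS:
        return ("allow", "whitelisted client")
    parts = urlsplit(target)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already decodes one layer; decoding again normalizes
        # double-encoded values before the signatures see them.
        decoded = unquote_plus(value)
        rule = VIRTUAL_PATCHES.get((parts.path, name))
        if rule and not rule.match(decoded):
            return ("block", f"virtual patch: {name} out of range")
        for label, sig in SIGNATURES:
            if sig.search(decoded):
                return ("block", f"{label} pattern in parameter {name}")
    return ("allow", "clean")


def inspect_all(lines):
    return [inspect_request(line) for line in lines]


if __name__ == "__main__":
    for line, (action, reason) in zip(SAMPLE_REQUESTS, inspect_all(SAMPLE_REQUESTS)):
        print(f"{action:5} {reason:35} {line}")
```

Note the order of the checks: the virtual patch is a positive rule (only known-good values pass) and is evaluated before the negative signatures, which is what lets it cover a vulnerability whose exploit pattern is not yet in any signature list.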
Being prepared for the inevitable can also help you minimize risks when data breaches finally come to pass. Good security practices such as encrypting sensitive information, not storing the keys next to the encrypted data, distributing data across several nodes (not placing all your eggs in one basket), and reducing the file and system resource access level of web applications can go a long way toward reducing damage on occasions that data breaches do happen.
Today, websites and web applications are ubiquitous and nearly every company has one or more integrated into its business core. Therefore everyone can become a victim of a website hack, and everyone should take website security seriously. So instead of waiting to get hacked and thinking in retrospect about what you should’ve done to prevent the breach, act now and protect yourself against the inevitable day when hackers come knocking at the door.
Do you have website protection guidelines to add to these tips? Please share with us in the comments section.