As the owner/operator of a Web-based business, website security is, if not persistently top-of-mind, at least continually at the back of it - or at least it should be. It's time to get serious about security and limiting your website's digital vulnerabilities.
There have been numerous high-profile attacks on 'Net enterprises over the years, but they are seemingly increasing in both quantity and severity. In 2013 alone, companies including Apple, Twitter, Facebook, Evernote, Tumblr, Burger King, Jeep and The New York Times have been hacked. If their website security measures were lax, couldn't yours be too?
Ecommerce websites in particular (as well as those enterprises that store user information such as digital publishers) are, obviously, at the greatest risk. While putting users' personal information in jeopardy is one problem (and a big one at that) there's also the little issue of reputation, which, if you've spent any time at all in the realm of Internet marketing, you know is fundamental to Web success.
Last year (June 2012), Google reported that 12-14 million search queries per day returned warnings that at least one of the results was compromised. At the time, Google was finding nearly 9,500 new malicious websites every day.
Anyone responsible for a website knows, or should know, the absolute basics of website security. Yet hackers still do what they do because enterprises somehow still fail to follow even the most basic recommendations for digital security.
Wordpress Security :: Secure your blog with these 10 WordPress security tips
One of the easiest ways to ensure your enterprise website is not the victim of an attack is to insist that deployed software is routinely updated to ensure that the most recent version is running. Hackers look for opportunities, exploits if you will, and if it's too difficult to crack your digital presence, they will move on to the next potential victim.
Another rather significant threat stems from the use of administrative passwords. If there were a way to see passwords you might be surprised at how very basic they are - even though we all know better. In 2013, there's no reason for key personnel to be lax or lazy about choosing/remembering passwords - particularly when it comes to sensitive accounts. Select strong passwords at least 10 characters in length and include letters, numbers and special characters. Use different passwords for email, control panels and FTP accounts and make sure they are stored securely. Another method for enterprises to consider is the use two-factor authentication, which requires two types of evidence from users that they are who they claim to be.
File permissions should also be an area of focus for Internet professionals. Some applications require permissions to be set at the open '777' (read, write, execute for all - owners and users) to install and then are not changed back to '755' for folders or '644' for files. Make sure to follow the guidance for specific applications and perform periodic audits to ensure files and folders are not vulnerable.
Those are some of the basics - but only the basics. There's a lot more that goes into an operating a secure website.
It's not always a company's employees (programmers, designers, etc.) that are to blame for security issues however - sometimes (not all the time, though) you can point the digital finger directly at the Web hosting service. Enterprises that want or need more security for their customers' personal data and want to ensure that applications aren't woefully exposed, should consider moving immediately beyond shared hosting toward Virtual Private Servers (VPS) hosting. A VPS is, for the most part, more secure, as custom security firewalls can be deployed and other security measures, often disallowed by shared hosting providers, can be installed. It's akin to moving to a safer neighborhood, perhaps a gated community. Not that breaches can't occur there, but they'll likely occur far less often and that's reason enough to make this suggestion a consideration.
Enterprises with more to lose need to take additional precautions to prevent or reduce the risk that websites and internal systems are the targets of an attack. Here's a short list to keep in mind to prevent some of the more malicious everyday hacks from occurring:
SOFTWARE: Anti-virus software and intrusion detection systems should always be incorporated within an infrastructure. For example, border routers should be configured to only route traffic to and from a company's public IP address. Firewalls should be deployed which restrict traffic only to and from the necessary services. Intrusion detection and prevention systems should be properly configured to monitor for suspicious activity.
PATCH EXPLOITS: Recent Websense research revealed that 74 percent of active computers were still susceptible to Java exploits that were discovered in 2012, and almost 94 percent were susceptible to the latest patched Java exploits. That's just downright unacceptable. By patching security holes quicker, potential server vulnerabilities are reduced dramatically, particularly if users have access to FTP.
BE PROACTIVE: Consider the use of a "honeypot," a computer software or device that exists for the sole purpose to be attacked. Honeypots essentially serve as early warning system, detecting malicious activity from outsiders and insiders, turning up exploits that some tools might miss. Some of the best include Glastopf, Specter, Chost USB and KFSensor.
Website security is about protecting important virtual assets. The information shared here should serve as an opportunity to get your enterprise thinking about ways it might be vulnerable and the opportunities available to make your website a less attractive target. There are numerous factors that go into running a secure website. But take even these modest precautions and your business and its customers will be better off.
Website Security Checklist :: Ensure your enterprise is covering its digital bases by reviewing Website Magazine's Quick Website Security Checklist.