According to the 2015 Sophos Security Threat Report, on average 30,000 websites are hacked every day. Cyber hackers look at multiple channels and ways of stealing information from your website by infiltrating your infrastructure or even getting information through social channels.
Protecting your site is a complex challenge, from building a secure platform to ensuring that all contributors and content editors are aware of the risks and follow the controls that minimise them.
When it comes to making your website as secure as possible, we recommend you establish a good foundation of policies, processes, applications, tools, infrastructure, awareness, and training. Sound complicated? Each of these falls into one of the key areas of
Let's look at each of these areas below.
As infrastructure grows, organizations adopt cloud computing, and multiple integration points are introduced, there are many aspects to manage. While building your security framework, examine the infrastructure for each of the areas below and review or write policies for each.
This means that if your company is using or building its own application, in particular an 'agile' or minimum viable product (MVP), your whole web infrastructure could be exposed, as hackers often target application vulnerabilities.
The OWASP (Open Web Application Security Project) Top 10 vulnerabilities are:
We’ve broken down each of these threats with an explanation of the risks involved and how you can mitigate them.
a) Cross Site Scripting (XSS)
The main threat of XSS is that attackers could steal user sessions, deface websites, or even introduce worms. This flaw is due to improper validation of data supplied by the user: if an application takes that data and sends it to a browser without validating or encrypting it, content security could be breached.
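As an added example (not code from the original page), the two renderers below show the flaw and the fix: the first copies a constructed, attacker-controlled comment straight into the HTML response, the second encodes it for the HTML body context at the point of output, and `safe_link` shows that a URL attribute additionally needs a scheme allow-list because a `javascript:` URL contains nothing to escape. Input values and function names are assumptions for this demo.

```python
import html
from urllib.parse import urlsplit

# Constructed sample input (assumed, not from the original page): a comment
# whose text contains HTML markup.
USER_COMMENT = '<img src=x onerror="alert(1)">Nice post'

def render_comment_unsafe(comment: str) -> str:
    # Vulnerable: user data is copied straight into the HTML response, so any
    # markup it contains is interpreted by the browser.
    return f'<p class="comment">{comment}</p>'

def render_comment_safe(comment: str) -> str:
    # Hardened: encode for the HTML body context at the point of output.
    # quote=True also escapes quotes, so the same helper is safe in attributes.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'

def safe_link(href: str, text: str) -> str:
    # A URL attribute needs more than escaping: a "javascript:" URL has no
    # characters to escape, so the scheme is checked against an allow-list first.
    scheme = urlsplit(href.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        href = "#"
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(text)}</a>'

def markup_survives(rendered: str, user_input: str) -> bool:
    # True when the raw user input reaches the page verbatim (the XSS condition).
    return user_input in rendered
```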
b) Malicious File Execution
Code that is vulnerable to Remote File Inclusion (RFI) could allow attackers to add hostile data and code to your website, which can result in any number of attacks. These attacks can affect XML, PHP, or any framework that accepts files or filenames from users.
c) Injection Flaws
The potential threat with this flaw is that an attacker could trick the application into executing unintended commands or changing system data.
Injection flaws, particularly SQL injection, are very common in web applications. Injection occurs when user data is sent as part of a command or query.
d) IDOR-Insecure Direct Object Reference
A direct object reference occurs when an application exposes a reference to an internal object, such as a file, directory, database record or key, in a URL or form parameter. Without an access-control check on each request, an attacker can manipulate that reference to reach other users' objects without authorization.
e) CSRF -Cross Site Request Forgery
CSRF can be as powerful as the web application that it attacks. This flaw forces a logged-in victim's browser to send a pre-authenticated request to a vulnerable application, which then performs a hostile action for the benefit of the attacker.
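One standard mitigation, shown here as an added example rather than code from the original page: a per-session anti-forgery token that a forged cross-site request cannot supply. The secret, session ids and the `handle_transfer` handler are constructed for this demo.

```python
import hashlib
import hmac
import secrets

# Assumed server-side secret (constructed value; in production load it from
# configuration and rotate it).
SERVER_SECRET = b"constructed-demo-secret"

def issue_csrf_token(session_id: str) -> str:
    # Bind the token to the session: HMAC over the session id plus a random nonce,
    # so a token captured for one session is useless for another.
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def verify_csrf_token(session_id: str, token: str) -> bool:
    # Recompute the MAC for this session and compare in constant time.
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)

def handle_transfer(session_id: str, form: dict) -> str:
    # A state-changing POST handler: the browser sends the session cookie
    # automatically, but only a page served to this session knows the token.
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "403 rejected"
    return f"200 transferred {form['amount']}"
```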
f) ILIEH-Information Leakage and Improper Error Handling
With an ILIEH flaw, attackers can steal sensitive data or conduct more serious attacks on a web application. Applications can unintentionally reveal information about their configuration or internal workings, or violate privacy, through a number of application problems.
g) BASM-Broken Authentication and Session Management
This happens when session tokens and account credentials are not properly protected. Attackers can then compromise keys, passwords, or authentication tokens to assume the identities of other users and exploit them.
h) ICS-Insecure Cryptographic Storage
This defect arises when web applications fail to use cryptographic functions to protect credentials and data. The threat comes when attackers use poorly protected data to conduct identity theft and other crimes, such as credit card fraud.
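What the defect and its fix look like for stored credentials, as an added example that is not from the original page: an unsalted hash beside a salted, iterated key derivation (PBKDF2 from Python's standard library). The storage format and iteration count are assumptions for this demo.

```python
import base64
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this demo; tune to your hardware

def store_password_insecure(password: str) -> str:
    # Insecure cryptographic storage: a fast, unsalted hash. Equal passwords give
    # equal values, and precomputed tables recover them cheaply.
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str, salt=None) -> str:
    # Hardened: per-user random salt plus a slow, iterated key derivation.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    # Self-describing record so the parameters can be upgraded later.
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )

def verify_password(password: str, stored: str) -> bool:
    # Re-derive with the stored salt and iteration count; compare in constant time.
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))
```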
i) IC-Insecure Communications
This is due to a failure to encrypt network traffic in order to protect sensitive communications. Sensitive information can then leak over the network communication infrastructure.
j) FRUA-Failure to Restrict URL Access
This occurs when applications protect sensitive functionality only by hiding the links or URLs that lead to it from unauthorized users. It gives attackers the opportunity to perform unauthorized operations by requesting those URLs directly, outside the normal navigation flow.
The word "encryption" is used as a synonym for secure solutions, yet the number of stolen and deciphered credit card numbers grows every year. The important question, then, is not only which encryption technique to use but how to implement it properly.
Use the SSL security protocol over the HTTP connection (HTTPS) to reduce the risk of data being intercepted during online transfer.
Input validation performed by developers should take the application's constraints into account and check type, length, format and range. Code should also be managed so that the inputs to unmanaged APIs are validated.
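A validator that applies the four checks named above (type, length, format, range) to the string values a web layer hands over, as an added example that is not from the original page; the field rules are constructed for this demo.

```python
import re

# Constructed rules for one form (assumed, not from the page). Patterns are
# allow-lists and are matched against the whole value, never a substring.
RULES = {
    "username": {"type": str, "min_len": 3, "max_len": 32, "pattern": r"[A-Za-z0-9_]+"},
    "age":      {"type": int, "min": 13, "max": 120},
    "email":    {"type": str, "max_len": 254, "pattern": r"[^@\s]+@[^@\s]+\.[^@\s]+"},
}

def validate(field: str, raw: str):
    """Return (True, typed_value) or (False, reason) for one form field."""
    rule = RULES[field]
    if rule["type"] is int:
        # Type: the web layer gives us a string; accept only a plain integer.
        if not re.fullmatch(r"-?\d+", raw):
            return False, f"{field}: not an integer"
        value = int(raw)
        # Range: reject values outside the business limits.
        if not rule["min"] <= value <= rule["max"]:
            return False, f"{field}: out of range"
        return True, value
    # Length: bound both ends before any other processing.
    if not rule.get("min_len", 0) <= len(raw) <= rule["max_len"]:
        return False, f"{field}: bad length"
    # Format: anchored allow-list regex (fullmatch), so no unexpected characters pass.
    if not re.fullmatch(rule["pattern"], raw):
        return False, f"{field}: bad format"
    return True, raw
```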
Cracking passwords is the easiest way for hackers to get into a system. Use strong passwords with a complex mix of upper- and lower-case letters, symbols and numbers, and update them regularly. Implement a rigorous policy that prevents people from saving passwords in browsers and applications.
This is one of the most important aspects of website security. Use standard encryption to store sensitive data in configuration files and databases. Role-based security should grant privileges from low to high, starting with the least a role requires.
At the end of the day, the biggest risk in any organization is not a technology weakness; it's people. The IT department can build a robust security framework, but if other employees, in particular editors, publishers, marketers and so on, are not aware of the vulnerabilities, they can inadvertently leave you exposed.
For example, cyber hackers typically work to obtain one user's credentials, then move through the organization's infrastructure to gain control. You may have a rigorous policy in place to prevent this, but you will need to communicate it and raise awareness through training.
The typical content of this training could include
For more details check out our ebook on Website Security