Website Security! What’s involved? Why is it important? Vulnerabilities to look for?
Why is website security important for your business or organisation?
When it comes to cybercrime, Australia ranked 3rd last month among the countries of choice for cyber-attacks, behind the UK and the US. Cybercrime is rapidly becoming more targeted towards certain institutions for financial gain, while hacktivism ranks as the second choice of cyber-attack and is used to promote cyberterrorism; we saw an example of this type of attack earlier this month on the Hobart International Airport website, which was defaced.
According to the popular cyber-attack/hacking statistics website www.hackmageddon.com, some of the latest attacks targeted TAFE and fitness institutions, where student records, including payment records, were accessed and deleted. A full list of these attacks can be found here.
Traditional crimes are being transitioned into online cyber-attacks and social engineering.
Below is a table released by the Australian Crime Commission (ACC), which shows this evolution.
|Traditional crime|Cyber crime equivalent|
|---|---|
|Fraud|Online fraud/mass marketed fraud (including auction fraud, advance fee fraud, phishing)|
|Burglary/malicious damage|Online hacking, denial of service attacks, viruses|
|Child sex offences|Online child grooming, child pornography websites|
|Money laundering|Through online payment systems, e-cash|
|Theft|Identity theft, bank website ‘phishing’ and movie, music and software piracy|
|Stalking|Cyber stalking, cyber bullying|
What’s involved when a website is compromised or hacked?
- Customers’ stolen personal data can be sold to identity thieves.
- Stolen payment information can be used to steal more money with the credit card details obtained.
- Social engineering can be used to phish for customers’ logins and passwords, by sending emails asking customers to log into their account through mirror sites.
- Malware and malicious scripts can be installed and hosted on your website to steal user information.
- Site visitors’ computers can be infected with malware.
- Your website can be used to host mirror sites, such as duplicate bank login pages, to phish for user login credentials.
- Records can be deleted, and if you do not have up-to-date backups this can have a financial impact.
- Blacklisting from popular search engines: infected websites can be programmed to send out spam emails, causing you to lose your website rating and listing.
- Extended periods of site down time or inaccessibility.
How to make your website safe from hackers, limit attackers’ efforts and prevent your site being blacklisted?
We have compiled a list of recommendations which can be implemented to help improve your website security and recover from an attack with reduced downtime. These are the most common recommendations, but there are many more steps which can be taken to improve your website security.
01. Keep up to date backups.
This is the area that website owners most often overlook. Keeping an up-to-date backup of your website can help you recover from an attack very quickly, with less downtime for your customers and less damage to your online brand.
02. Keep your software up to date.
If you have a modern website, it is highly likely that it uses a Content Management System (CMS) to power the website. It is crucial to keep your CMS up to date with the latest version releases, including any plugins you have installed. This can be done by subscribing to your CMS provider’s mailing list or RSS feed, so that you know whenever a new version of the software is available.
If you have a traditional hand-coded HTML website, make sure your website does not contain deprecated elements such as Flash animations, which have proved prone to attack over the years.
03. Choose a strong USERNAME and PASSWORD.
According to the Forbes Magazine website, 30,000 sites are identified every day as being infected and compromised by attackers. By using strong Usernames and Passwords you can help deter unauthorized access to your website. View our guide on choosing a strong password and tools you can use to test password strength.
04. Scan your website for Vulnerabilities and Malware.
Scanning your website regularly for malware and other vulnerabilities can help you stay up to date with any possible infection. There are many such tools which you can use; we tend to use Sucuri Services, who provide a range of tools and services. A link to their scanner can be found here; this tool will scan your site and report possible infection.
Forerunner hosted websites are automatically covered for malware monitoring. We also offer this as a standalone service for sites that are not hosted by us.
05. Implement SSL / HTTPS protocol.
Adding an SSL certificate to your website can help add an extra layer of security, as communication between your website and site visitors gets encrypted. There are numerous SSL certificate providers online, but setting up SSL can be a long process. At Forerunner, we can make the process simple and help organise and set up an SSL certificate for your website, if required.
06. Use a clean and malware-free PC to update your website.
Malware can sometimes copy itself onto other computers, and some can copy itself onto your website if you are using an infected PC. Regularly run a virus and malware scan on your PC to avoid such infections. Avoid using other people’s computers for updating your website.
07. Protect .htaccess file on your server.
If your website is hosted on an Apache server or Linux-based machine, you should have access to the .htaccess file in your server directory; most of the time this file is hidden. It is important to limit access to this file, as it can be used to manipulate access to your website or even to redirect your website to a different location.
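An added example (not part of the original article or of Forerunner's tooling): a Python audit of one .htaccess file that flags group- or world-writable permissions and redirect directives pointing at hosts you do not own. The sample file contents and the host names `www.example.com` and `redirect.example.net` are constructed for illustration.

```python
import os
import re
import stat
import tempfile
from urllib.parse import urlparse

# Directives that can send visitors elsewhere (mod_alias and mod_rewrite).
REDIRECT_RE = re.compile(
    r"^\s*(Redirect(?:Match|Permanent|Temp)?|RewriteRule)\b.*?(https?://\S+)",
    re.IGNORECASE,
)


def audit_htaccess(path, allowed_hosts):
    """Return a list of findings for one .htaccess file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"writable by group/other (mode {mode:03o})")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if line.lstrip().startswith("#"):
                continue  # skip comments
            m = REDIRECT_RE.match(line)
            if not m:
                continue
            host = (urlparse(m.group(2)).hostname or "").lower()
            if host not in allowed_hosts:
                findings.append(
                    f"line {lineno}: {m.group(1)} to external host {host}"
                )
    return findings


def demo():
    """Audit a constructed sample file written to a temporary directory."""
    sample = (
        "# constructed sample, not from a real site\n"
        "RewriteEngine On\n"
        "RewriteRule ^old$ https://www.example.com/new [R=301,L]\n"
        "RewriteRule ^(.*)$ http://redirect.example.net/$1 [R=302,L]\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".htaccess")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o666)  # deliberately too permissive for the demo
        return audit_htaccess(path, {"www.example.com"})
```

Run it on a schedule against the real file and compare the findings with the previous run; a new external redirect or a loosened file mode is worth investigating.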
08. Use a trustworthy hosting provider.
Choosing the right hosting provider to host your website can help save you a lot of money when it comes to website security as most of them will have a security plan in place to protect your website from potential attacks.
09. XSS – Cross Site Scripting.
XSS attacks are carried out by using a website’s search, contact or other online forms to inject malicious code in an attempt to gain access to the website. XSS attacks can be avoided by sanitizing the results from submitted forms and encoding characters into HTML entities before saving them into the database.
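The entity encoding described above, as an added example that is not from the original article: a search form rendered without and with encoding of the submitted value, and a parser-based check that the submitted text did not add tags or attributes to the page. The form field name `q` and the sample submissions are constructed.

```python
import html
from html.parser import HTMLParser

# Constructed form submissions: one ordinary, two carrying markup.
SUBMISSIONS = [
    "blue widgets",
    "<script>alert(1)</script>",
    '" onmouseover="alert(1)',
]

# The only tags and attribute names the page template itself contains.
EXPECTED = [("input", ("name", "value")), ("p", ())]


def render_unsafe(query):
    """'Before' version: the submitted value is placed in the page as-is."""
    return f'<input name="q" value="{query}"><p>Results for {query}</p>'


def render_safe(query):
    """Encode &, <, >, " and ' as HTML entities before building the page."""
    encoded = html.escape(query, quote=True)
    return f'<input name="q" value="{encoded}"><p>Results for {encoded}</p>'


class _Structure(HTMLParser):
    """Records every start tag and its attribute names."""

    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        self.seen.append((tag, tuple(name for name, _ in attrs)))


def structure(page):
    """Return the (tag, attribute names) list a parser sees in the page."""
    parser = _Structure()
    parser.feed(page)
    parser.close()
    return parser.seen


if __name__ == "__main__":
    for text in SUBMISSIONS:
        for render in (render_unsafe, render_safe):
            ok = structure(render(text)) == EXPECTED
            print(f"{render.__name__:13} {text!r:32} structure intact: {ok}")
```

`quote=True` matters for the third submission: without encoding the double quote, the value would close the `value="..."` attribute and add one of its own.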
10. Use a Proxy server or Firewall.
Putting your website behind a proxy or firewall server is a great way to protect it from a lot of cyber-attacks such as SQL injections, XSS attacks and DDoS attempts. A proxy also provides an extra layer of security by hiding your website’s IP address and server location from attackers.
Talk to Forerunner’s Digital Media Team today about setting up a cloud proxy firewall to help protect your website and give you peace of mind.
In conclusion, there are no foolproof methods or solutions to prevent cyber-attacks against your website. As the current trend shows, cyber-attacks are on the rise, and your best bet would be to have a few of the above-mentioned procedures put in place to protect your website from potential attacks.
At Forerunner, we can recommend website security strategies that can be undertaken to help prevent attacks, and recover from an attack, with less or no downtime to your business, in the event your website is infected or attacked.
Feel free to write to us or comment below, and if you found this article helpful, please spread the love by sharing it with people who might find it helpful.