In the 1980s, computer viruses passed around on floppy disks were the main security risk. How things have changed! Now we have bot nets, advanced persistent threats, social engineering and phishing to worry about. Kate Craig-Wood, MD of hosting provider Memset, has provided this overview of what you can do to keep your site safe.
There is evidence everywhere that the number of cybercriminals remains a serious issue. From hackers and script kiddies to DoSers, we as hosting providers are fighting them all.
The Evolving Threat
On a consumer level there are the phishing sites, out to steal your credit card or online banking details by pretending to be a trusted brand, and at a business level there are threats and extortion.
DDoS attacks are typically launched from “bot nets”: collections of compromised personal computers and servers. Alone, any one of those machines, usually on the end of a home ADSL connection, cannot do much damage, but if thousands of them flood a Web site with bogus requests then, unfortunately, the only real defense is to have more bandwidth than the attacker. Thankfully, with more companies moving to cloud providers with massive pipes like us, an attacker would need a bot net of many thousands of machines to cause damage.
There has also been a marked increase in criminals attacking popular sites and advertising engines to steal information and disable websites for political reasons. The recent wave of ‘hacktivists’ presents new issues for web hosts, as many traditional organisations are now having their sites hacked.
Steps for Protection
So what can you do to protect your website & online network?
Security starts at the design and development stage. If developers neglect to address all security issues, a future hacker will very likely exploit the resulting flaw to extract confidential information from the website. To avoid this, you must ensure scripts are very well planned and tested, especially the parts that deal with private information.
Using a Digital Certificate (Digital ID) from a trusted certificate authority in conjunction with SSL encryption provides a very high grade of security for all parties involved in a transaction. Keeping Content Management Systems (CMS) up to date is also crucial and ensures other security aspects of the site are updated. It’s worth noting that WordPress is notorious for being vulnerable without updates.
Choose A Good Password
A majority of hacks are caused by bad passwords. It’s not just a simple matter of changing ‘l’s to ‘1’s either, as these are still easy to hack.
We have performed rigorous mathematical analysis on how good a password needs to be for an encrypted file system, and determined that a 10 character random string formed from a-z, A-Z and 0-9 is effectively unbreakable. A 10 character password will cost $13m to crack, and quite frankly there are easier ways for hackers to get your information.
Tight Controls on Accessing Data
We allow all staff to access our systems from anywhere using a laptop and a browser, with HTTPS providing the security. Even our business administration systems are accessed over the public internet via HTTPS, and we trust it entirely. VPNs are unnecessary and burdensome in today’s world of cloud. However, we do not allow access from just any laptop: it must be a company one, and the browser used must have a password-protected, encrypted password safe (for saved passwords).
We also have tight, regularly tested procedures for revoking user access quickly. In the event of a lost laptop or a compromised user password (or SSH key), we can rapidly change that user’s access credentials.
Further, any laptop that is used to store company data (most just access it remotely) must have an encrypted hard drive.
Therefore, if one of our laptops is lost, all that is lost is the hardware – no data can be retrieved (we require password screen locks as well). We get all staff to use an auto-generated password created by the open source software PWgen. This is much better than making them choose their own (often guessable) one and change it periodically (which means they need to write it down to remember it).
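The password advice above rests on two things: drawing the password uniformly at random from the a-z, A-Z, 0-9 alphabet, and sizing it so that brute force is uneconomic. The following Python is an added example, not Memset's code or PWgen's: it generates such a password from the operating system's CSPRNG and computes the keyspace, the entropy in bits and an expected brute-force time. The guess rate is an assumed figure, not the one behind the article's $13m estimate.

```python
import math
import secrets
import string

# The alphabet the article recommends: a-z, A-Z and 0-9 (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def generate_password(length=10, alphabet=ALPHABET):
    """Return a password of `length` symbols drawn uniformly from `alphabet`.

    `secrets` uses the OS CSPRNG; never use `random` for this purpose.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of distinct passwords of this length and alphabet."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(length, guesses_per_second, alphabet_size=len(ALPHABET)):
    """Expected brute-force time: on average half the keyspace must be searched."""
    return keyspace(length, alphabet_size) / 2 / guesses_per_second


def is_well_formed(password, length=10, alphabet=ALPHABET):
    """Check that a password matches the policy (length and alphabet)."""
    return len(password) == length and all(c in alphabet for c in password)


if __name__ == "__main__":
    SECONDS_PER_YEAR = 365.25 * 24 * 3600
    GUESSES_PER_SECOND = 1e9  # assumed attacker rate, not a figure from the article
    print("sample password:", generate_password())
    for n in (6, 8, 10, 12):
        years = expected_crack_seconds(n, GUESSES_PER_SECOND) / SECONDS_PER_YEAR
        print(f"length {n:2d}: {entropy_bits(n):5.1f} bits, ~{years:.3g} years at {GUESSES_PER_SECOND:.0e}/s")
```

The interesting comparison is between lengths: each extra symbol multiplies the attacker's work by 62, so going from 8 to 10 characters costs the attacker almost four thousand times more effort, which is why the article settles on 10 as the point where other avenues become cheaper for the attacker than brute force.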
Personnel / ‘Purchase Key’ Attacks
The biggest security weak-point for any organisation is its people. A determined attacker will not bother with trying to steal servers, nor hack into them, but will attempt to gain leverage over key members of staff; the “purchase key attack”. To protect yourself and your data, you should look to take the following steps:
1. All staff with access to company data should be CRB & background checked.
2. Access to servers should be gained via personal keys, and all access should be logged.
3. Logs and activity should be routinely checked by the head of security.
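Steps 2 and 3 together amount to a routine audit of the SSH authentication log: every successful login should be by a personal key, and the same key should not turn up under two different accounts. The Python below is an added example, not Memset's tooling, run over a constructed sample of OpenSSH auth-log lines (the hostnames, users, fingerprints and RFC 5737 test addresses are all made up for the example). It flags password logins, counts failures and reports any key fingerprint shared between users.

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH auth-log lines (not from the article).
# Addresses are RFC 5737 documentation ranges; fingerprints are placeholders.
SAMPLE_LOG = """\
Jan 14 09:12:01 web1 sshd[2201]: Accepted publickey for alice from 203.0.113.10 port 51234 ssh2: ED25519 SHA256:EXAMPLEFP1
Jan 14 09:15:44 web1 sshd[2250]: Accepted password for bob from 198.51.100.7 port 40100 ssh2
Jan 14 09:16:02 web1 sshd[2261]: Failed password for invalid user admin from 198.51.100.7 port 40102 ssh2
Jan 14 09:20:10 web1 sshd[2300]: Accepted publickey for carol from 203.0.113.22 port 52000 ssh2: RSA SHA256:EXAMPLEFP2
Jan 14 09:31:27 web1 sshd[2355]: Accepted publickey for dave from 203.0.113.40 port 53111 ssh2: ED25519 SHA256:EXAMPLEFP1
"""

# Matches the "Accepted <method> for <user> ..." and "Failed <method> for [invalid user] <user> ..."
# lines sshd writes; the trailing key type and fingerprint are present only for publickey logins.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fingerprint>\S+))?"
)


def parse_line(line):
    """Return a dict of the auth event's fields, or None for lines we do not care about."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def audit(lines):
    """Summarise auth events against the 'personal keys only' policy.

    password_logins: successful logins that did not use a key (policy violations)
    key_logins:      (user, fingerprint) pairs for successful key logins
    failed:          number of failed attempts
    shared_keys:     fingerprints seen under more than one account
    """
    report = {"password_logins": [], "key_logins": [], "failed": 0, "shared_keys": {}}
    users_per_key = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            report["failed"] += 1
        elif ev["method"] == "publickey":
            report["key_logins"].append((ev["user"], ev["fingerprint"]))
            users_per_key[ev["fingerprint"]].add(ev["user"])
        else:
            report["password_logins"].append((ev["user"], ev["ip"]))
    report["shared_keys"] = {fp: sorted(users) for fp, users in users_per_key.items() if len(users) > 1}
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_LOG.splitlines())
    for user, ip in result["password_logins"]:
        print(f"POLICY VIOLATION: password login by {user} from {ip}")
    for fp, users in result["shared_keys"].items():
        print(f"SHARED KEY: {fp} used by {', '.join(users)}")
    print(f"{len(result['key_logins'])} key logins, {result['failed']} failed attempts")
```

In the sample, bob's password login and the key used by both alice and dave are the two findings a head of security would chase up; running this over a day's log is the kind of "routine check" step 3 asks for.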
Choose Your Hosting Provider Carefully
The only thing one can do about bot nets is to have more bandwidth than the attacker (i.e. an army of hijacked home computers). This is yet another reason why companies should give up owning and managing their own data centres and move to the cloud, where providers like us have gigabits of connectivity and so can withstand such attacks, which happen frequently.
We also have firewall technology to dynamically detect and block attacking IPs in real time. This sort of cyber warfare is not new, though it has only recently made the news. We have been fighting off such attacks for as long as I have been in the hosting industry (12 years). All that has changed is the scale of the weaponry.
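The simplest form of the dynamic detection mentioned above is a per-source sliding window: a source that exceeds a request threshold within a short window is added to a block list. The Python below is an added example and not Memset's firewall; it parses Common Log Format lines (a constructed sample in which one RFC 5737 test address sends 40 requests in 8 seconds while two others browse normally) and reports which sources tripped the threshold and when. The window and threshold values are assumptions to be tuned to real traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_clf(line):
    """Return the source IP, timestamp and request line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FORMAT), "req": m["req"]}


def detect_floods(lines, window_seconds=10, threshold=30):
    """Sliding-window rate check per source IP.

    Returns {ip: timestamp of the request that first exceeded `threshold`
    requests within `window_seconds`}. Lines must be in time order per IP.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        ev = parse_clf(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
    return flagged


def build_sample_log():
    """Constructed sample: 198.51.100.77 sends 40 requests in 8 s; two others browse normally."""
    base = datetime(2012, 1, 14, 10, 0, 0, tzinfo=timezone.utc)
    entries = []

    def entry(ip, offset, path):
        ts = base + timedelta(seconds=offset)
        return (ts, f'{ip} - - [{ts.strftime(TS_FORMAT)}] "GET {path} HTTP/1.1" 200 512')

    for i in range(40):
        entries.append(entry("198.51.100.77", i * 0.2, "/"))
    for i in range(5):
        entries.append(entry("203.0.113.5", i * 3, f"/page{i}"))
        entries.append(entry("203.0.113.6", i * 4, "/about"))
    entries.sort(key=lambda e: e[0])  # interleave the sources in time order, as a real log would be
    return [line for _, line in entries]


if __name__ == "__main__":
    for ip, when in detect_floods(build_sample_log()).items():
        print(f"BLOCK {ip}: exceeded threshold at {when.isoformat()}")
```

A production version would feed the flagged addresses to the firewall with an expiry, so that a home machine that stops attacking is unblocked after a while; the sliding window is also what keeps a steady, legitimate crawler from being mistaken for a flood.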
Make sure your web host is upfront about security and also holds ISO 27001 certification as a minimum.