Web site security: An Introduction

On a fine and sunny day, what better way to pass the time than thinking about the security of your website. Here at The Cyber Security Expert we think of little else, even at the weekends. It makes us popular at parties. In todays post we offer some guidance on ensuring the security (and as always we mean the confidentiality, integrity and importantly availability) of your website.

Why should I worry about my website?

Pretty much every organisation has a website, and protecting them is important. Even if you’re not selling anything through your website it is the window into your company for customers. If they can’t access it, or the information on there is inaccurate, they will lost confidence in you and move onto a competitor. Hackers also target websites to misuse their computing resource – perhaps to relay spam email or to host a phishing website (a fake bank login page for instance). The final point to make, and we will do a post on this in the near future. is that pretty much anything publicly available on the internet is scanned by hackers using automated tools to hunt for vulnerabilities frequently. Our honeynet (computers on the internet set up deliberately to attract hackers) see’s scans and attack attempts minutes after a new machine is set up. So your website will be targeted by someone, and often.

How do these scans work?

Website hackers regularly employ automated bots and scripts to identify web servers with vulnerabilities. These scans typically look at:

• the host platform such as Plesk
• the content management system (CMS) such as WordPress, Drupal or Joomla

The scans will identify old versions of software, weak or common passwords and for vulnerabilities that can be exploited such as SQL injection and cross-site scripting (both common vulnerabilities in website implementations). Social media accounts such Twitter, Facebook and LinkedIn are often linked to websites, and website administrators may reuse passwords between accounts.

So what can I do to protect my website?

There are a number of steps you can take to make the lives of hackers that much harder, including:

• Use strong passwords
• Keep software up to date
• Back up your website
• Use tools to scan for vulnerabilities and any other security problems
• Actively monitor for malicious behaviour

You might think that all cyber security experts do is bang on about passwords. If so you’d be right. We do. But they are vital. We have explored why previously:

• Is Cyber Security Hard?
• What is two factor authentication?
• Why securing social media matters

Keeping software up to date is also extremely important. Most vendors release security patches frequently, and people are used to regular updates for the desktop computers. Website software is no different, and must be kept up to date.

 

Any practical tips for installing and managing my website?

Using something like Plesk makes correctly installing and maintaining websites simple. These scripted installs include the correct file and folder permissions. Just remember to use a strong password!

 

Plesk will also manage software updates:

And backups:

Backup Manager can schedule a weekly backup and transfer it elsewhere for safe keeping. If you’re backing up to the cloud make sure you have followed our helpful guidance.

What about looking for vulnerabilities in my website?

There are free online services you can use to help check the integrity of your website.

• VirusTotal – will check a URL against ~60 URL scanning and reputation servers
• Google Safe Browsing – check if Google has listed your site as suspicious
• Sucuri – checks for out of date software and known malware
• UrlQuery – checks for web based malicious software
• MxToolbox – conducts a range of checks on your domain

Additionally there are many commercial and open-source vulnerability scanners (http://sectools.org/tag/vuln-scanners/). Installing, operating and maintaining a Vulnerability Management solution can require a significant commitment in money, time and resource. For those reasons they are typically used by large organisations who have hundreds of servers to check and maintain. A second option is to subscribe to a service, however these can be as expensive – your mileage may vary!

There are a few drawbacks to all of the scanning solutions:

• They are a snapshot in time. Website or server changes may expose the server and those won’t show up until the next scan.
• They can only find known issues and vulnerabilities. They will not be able to discover or detect new vulnerabilities or malicious behaviour.

In this article we have described why all website owners need to be wary of the barrage of online scans directed at their servers. We have looked at the typical things these scans look for and some steps you can take to protect your website In a future blog post we shall discuss the topic of real-time monitoring of web servers, which provide a higher level of detection against hacks!

As always, if you have questions please get in touch! Find us on twitter, or use the contact form.

The Cyber Security Expert