October 8th, 2019
Hackers are everywhere and are a constant thorn in everyone’s side. Ensuring that your online presence is secure is one of your top priorities. Here are a few tips to help you in your fight against hackers.
Trusted Hosting Provider’s Responsibility
Your hosting provider is responsible for maintaining updates to the server operating system to ensure its security. If you notice something out of date, you should contact them. If for some reason they are not able to update it (e.g. updating something like PHP server-wide could break website code), then you should move your website to an updated server.
Update Your Software
Maintaining current software and plugins is vital to keeping your site secure. You are responsible for ensuring that any software you run on your website, such as a CMS (don’t forget plugins!) or forum, is up to date, and you should be doing your due diligence to ensure that it always is. When website security holes are found in software, hackers are quick to attempt to abuse them.
If you are using a CMS or forum, you should be quick to apply any security patches. Most vendors, and your trusted hosting provider, may have a mailing list, RSS feed or server notification detailing website updates and/or security issues. Many CMS platforms also notify you of available system updates when you log in. Again, always do your due diligence to ensure that everything is up to date.
Don’t Always Depend On Developers
Developers may use tools to manage their software dependencies and to track security vulnerabilities that appear in a package you depend on. However, if they are not paying attention (and more than likely, they are not contracted to do so), this is one of the easiest ways to get caught unprepared. You need to keep your dependencies up to date, and use tools to get automatic notifications when a vulnerability is announced in one of your components. Don’t depend on your developer.
Validation should always be done on both the browser and the server side. Browsers can catch simple failures such as empty fields or text entered into a numeric field. However, browser-side checks can be bypassed, so you should repeat them, and perform deeper validation, on the server side. Failing to do so will more than likely lead to malicious code or script being inserted into the database, which more often than not will lead to undesirable results on your website.
SQL Injection Deflection
SQL injection attacks are when an attacker uses a form field or URL parameter to gain access to or manipulate your database. When you build queries by concatenating user input into SQL text, whether plain SQL or T-SQL (Transact-SQL, the programming extensions from Sybase and Microsoft that add transaction control, exception and error handling, row processing and declared variables to the Structured Query Language), it is easy for an attacker to insert rogue code into your query that could be used to change tables, read information or delete data. You can easily prevent this by always using parameterized queries (also known as prepared statements): the SQL statement is pre-compiled, and all you supply are the "parameters" (think "variables") to be inserted into it when it is executed, so user input is never interpreted as SQL. Most web languages have this feature and it is easy to implement.
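The difference between the two approaches, as an added example (not code from the original post) using an in-memory SQLite table with constructed rows: the concatenated query lets a crafted form value rewrite the WHERE clause, while the parameterized one only ever compares it against the column.

```python
import sqlite3

# Constructed sample database: an in-memory SQLite table standing in for a real users table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "alice@example.com"), ("bob", "bob@example.com")])


def find_user_vulnerable(username):
    """Builds the query by string concatenation: the form/URL value becomes part of the SQL text."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(username):
    """Parameterized query: the statement is compiled first and the value is bound as data,
    so whatever the user submits can only ever be compared against the username column."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    payload = "x' OR '1'='1"          # the textbook injection value, submitted as a username
    print(find_user_vulnerable(payload))  # every row: the quote closes the literal and OR '1'='1' is always true
    print(find_user_safe(payload))        # []: no user is literally named "x' OR '1'='1"
    print(find_user_safe("alice"))        # [('alice', 'alice@example.com')]
```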
The more complex the password is, the better it is for everyone. Everyone knows they should use complex passwords. However, more often than not, people are lazy and don't always do what needs to be done. It is important to insist (i.e. do not give your users the choice) on good password practices for your users to protect the security of their accounts. Passwords should never be stored in plain text; store them hashed, preferably using a one-way hashing algorithm such as SHA-2 or better.
Many CMS platforms provide a lot of these website security features built in. There are some instances, however, where extra modules might be required (e.g. Drupal before version 7) to set the minimum password strength. If you are using .NET then it's worth using membership providers, as they are very configurable, provide built-in website security and include ready-made controls for login and password reset.
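Here is how that advice can be implemented server side, as an added example (not code from the original post): a policy check the user cannot opt out of, and a salted one-way hash for storage. It uses PBKDF2 over SHA-256 from Python's standard library rather than a bare SHA-2 digest, so each guess costs an attacker many hash computations; the policy thresholds and the stored record format are my own choices.

```python
import hashlib
import hmac
import os
import re

# Password policy enforced on the server, so users do not get the choice to skip it.
MIN_LENGTH = 12
ITERATIONS = 600_000   # PBKDF2 work factor; raise it as hardware gets faster


def password_meets_policy(password):
    """Returns True only for passwords of at least MIN_LENGTH containing lower, upper and digit characters."""
    return (len(password) >= MIN_LENGTH
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def hash_password(password, salt=None):
    """One-way hash for storage: PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt.
    Returns one string 'pbkdf2_sha256$iterations$salt_hex$hash_hex' to keep in the database."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recomputes the hash with the salt and iteration count from the stored record and
    compares in constant time, so timing does not leak how many bytes matched."""
    algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    candidate = "Correct-Horse-Battery-9"   # constructed sample password
    print(password_meets_policy(candidate), password_meets_policy("password"))  # True False
    record = hash_password(candidate)
    print(record)
    print(verify_password(candidate, record), verify_password("password", record))  # True False
```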
To prevent cross-site scripting (XSS), you have three complementary options. You can escape user input: take the data received and make it safe before rendering it for the end user, so that key characters in the data cannot be interpreted in any malicious way by the browser; in effect you are censoring the data your web page receives so that characters which could otherwise harm the application and/or its users are not rendered as markup. You can validate any input: ensure the application is handling the data it expects and prevent malicious data from doing harm to the site, database and users. Although whitelisting and input validation are more commonly associated with SQL injection, they also serve as an additional layer of XSS prevention; a blacklist disallows certain predetermined characters in user input and so blocks only known bad characters, while a whitelist allows only known good characters and is the better method for preventing XSS as well as other attacks. Finally, you can sanitize user input: check it before storing it in a database or using it for any other purpose, to prevent malicious code injection.
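The server-side validation described earlier and the whitelist-plus-escaping approach to XSS described here, together as one added example (not code from the original post). The field rules, the comment template and the sample inputs are constructed for illustration.

```python
import html
import re

# Whitelist validation: accept only what the field is supposed to contain, re-checked on the
# server regardless of what the browser already validated.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")


def validate_username(value):
    """Whitelist check for a username field; returns the value, or None when it is rejected."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        return None
    return value


def validate_quantity(value):
    """Re-checks a 'numbers' field the browser may have validated: it must be a positive integer
    within range, not just any text the client chose to send."""
    if not isinstance(value, str) or not value.isdigit():
        return None
    qty = int(value)
    return qty if 1 <= qty <= 999 else None


def escape_for_html(value):
    """Output escaping: <, >, &, and quotes become entities, so the browser displays stored
    user text instead of interpreting it as markup or script."""
    return html.escape(value, quote=True)


def render_comment(author, body):
    """Renders a stored comment as an HTML fragment with every user-controlled value escaped."""
    return "<p><b>%s</b>: %s</p>" % (escape_for_html(author), escape_for_html(body))


if __name__ == "__main__":
    # Constructed inputs standing in for values submitted through a form
    print(validate_username("alice_01"))                        # alice_01
    print(validate_username("<script>"))                        # None
    print(validate_quantity("12"), validate_quantity("12abc"))  # 12 None
    print(render_comment("mallory", "<script>alert(1)</script>"))
```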
Revealing Error Messages
Do not reveal sensitive information in your error messages. Provide minimal errors to your users; this prevents leaks (e.g. of API keys or database passwords). Don't provide full exception details either, as these can make complex attacks like SQL injection easier. Keep detailed errors in your server logs, and show users only the information they need.
Allowing users to upload files to your website can be a big website security risk. The risk is that any file uploaded could contain a script that, when executed on your server, completely opens up your website. Treat all file uploads with suspicion. If you are allowing users to upload images, you cannot rely on the file extension or the MIME type to verify that the file is an image, as these can easily be faked. Even opening the file and reading the header, or using functions to check the image size, is not foolproof. Most image formats allow a comment section that could contain PHP code which the server might execute.
To prevent this you need to stop users from being able to execute any file they upload, or simply delete the file. You will need to run a security script that checks the content of the file. If it is not the file type it is supposed to be, change the file name completely or have your script delete the file altogether.
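An upload check along those lines, as an added example (not code from the original post): the type is taken from the file header rather than the extension or MIME type, the content is scanned for a PHP open tag, and accepted files are stored under a random name with the detected extension. The signature table, the tag heuristic and the sample blobs are my own constructions.

```python
import os
import secrets

# Header (magic-byte) signatures for the image types this upload form is allowed to accept.
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def detect_image_type(data):
    """Identifies the real type from the file header, ignoring the client-supplied name and MIME type."""
    for ext, magic in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def contains_server_script(data):
    """Heuristic content check: a PHP open tag anywhere in the bytes, e.g. hidden in an image comment.
    The primary control is still that the upload directory must never execute scripts at all."""
    return b"<?php" in data or b"<?=" in data


def vet_upload(data):
    """Decides whether an uploaded blob may be kept. Returns (None, reason) to reject it, or
    (new_name, None) where new_name is random and carries the extension of the detected type,
    so the name the client chose is never used on the server."""
    kind = detect_image_type(data)
    if kind is None:
        return None, "header does not match a permitted image type"
    if contains_server_script(data):
        return None, "embedded server-side script tag"
    return secrets.token_hex(16) + "." + kind, None


def store_upload(data, upload_dir):
    """Writes an accepted upload under its new name; rejected files are never written to disk."""
    new_name, reason = vet_upload(data)
    if new_name is None:
        return None
    with open(os.path.join(upload_dir, new_name), "wb") as fh:
        fh.write(data)
    return new_name


if __name__ == "__main__":
    # Constructed samples: a minimal PNG header, a PHP file the client renamed to .png,
    # and a GIF header followed by a comment that smuggles in a PHP tag.
    print(vet_upload(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
    print(vet_upload(b"<?php echo 'not an image'; ?>"))
    print(vet_upload(b"GIF89a" + b"comment: <?php echo 1; ?>"))
```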
HTTPS is a protocol used to provide security over the Internet. HTTPS guarantees that users are talking to the server they expect, and that nobody else can intercept or change the content they're seeing in transit. Whether or not you have anything your users might want kept private, it is strongly recommended to use HTTPS (Let’s Encrypt is now an included feature with some hosting providers) to encrypt credit card and login pages (including the URLs they submit to) as well as your entire website.
Login forms will often set a cookie, which is sent with every other request to your site and is used to authenticate those requests. Using HTTPS for your entire website will prevent an attacker from stealing this cookie and using it to impersonate a user and take over their login session. Google has also announced that it boosts HTTPS sites in its search rankings, so there is an SEO benefit too. Insecure HTTP is on its way out, and now's the time to upgrade. You should also consider utilizing HTTP Strict Transport Security (HSTS). This is a header you can add to your server responses to disallow insecure HTTP for your entire domain.
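As an added example (not code from the original post), a small Python helper showing the controls described above: plain HTTP is redirected, HTTPS responses carry the HSTS header, and the login cookie is marked Secure and HttpOnly, plus an audit function you can run over your own server's response headers to confirm they are present. The WSGI-style (status, headers) shape and the cookie name are my own constructions.

```python
# HSTS policy: one year, applied to subdomains as well, so browsers refuse plain HTTP afterwards.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def handle_request(scheme, host, path, session_id=None):
    """Returns (status, headers) for a request. Plain HTTP is never served: it is redirected to the
    HTTPS URL. HTTPS responses carry the HSTS header, and any session cookie is marked Secure
    (sent only over HTTPS) and HttpOnly (not readable by page script)."""
    if scheme != "https":
        return "301 Moved Permanently", [("Location", "https://%s%s" % (host, path))]
    headers = [("Strict-Transport-Security", HSTS_VALUE)]
    if session_id is not None:
        headers.append(("Set-Cookie",
                        "session=%s; Secure; HttpOnly; SameSite=Lax; Path=/" % session_id))
    return "200 OK", headers


def audit_headers(headers):
    """Checks a response's headers for the controls above; returns a list of findings (empty means OK)."""
    findings = []
    lowered = {name.lower(): value for name, value in headers}
    if "max-age=" not in lowered.get("strict-transport-security", ""):
        findings.append("missing Strict-Transport-Security header")
    for name, value in headers:
        if name.lower() == "set-cookie":
            flags = {part.strip().lower() for part in value.split(";")[1:]}
            if "secure" not in flags:
                findings.append("cookie without Secure flag")
            if "httponly" not in flags:
                findings.append("cookie without HttpOnly flag")
    return findings


if __name__ == "__main__":
    print(handle_request("http", "www.example.com", "/login"))
    status, headers = handle_request("https", "www.example.com", "/account", session_id="abc123")
    print(status, audit_headers(headers))                          # 200 OK []
    # Constructed response from a site that still sets its cookie the old way
    print(audit_headers([("Set-Cookie", "session=abc123; Path=/")]))
```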
Once you think you have done all you can, it's time to test your website security with some website security tools. There are many commercial and free products to assist you with this. They work on a similar basis to the scripts hackers use, testing for known exploits that attempt to compromise your site using some of the previously mentioned methods, such as SQL injection.
As stated at the beginning, ensuring that your online presence is secure is one of your top priorities. You can ill afford to have your online presence go offline or, even worse, be damaged by hackers. Following the above will help secure your online presence. If you have any questions concerning this, please contact Sectorlink today and allow us to help you secure your site.