October 8th, 2019
Hackers are everywhere and are a constant thorn in everyone’s side. Keeping your online presence secure should be one of your top priorities. Here are a few tips to help you in your fight against hackers.
Trusted Hosting Provider’s Responsibility
Your hosting provider is responsible for keeping the server operating system and its packages patched so that the platform under your site stays secure. If you notice something out of date, contact them. If they cannot perform an update (e.g., moving to a newer PHP version could break your website code), then update the code and move your website to an upgraded server; staying on an unsupported version is not a safe option.
Update Your Software
Keeping software and plugins current is vital to the security of your site. You are responsible for ensuring that any software running on your website, such as a CMS (plugins and themes included) or forum, is up to date. When hackers learn of a security hole in a widely used package, they are quick to scan for and exploit sites that have not patched it.
If you are using a CMS or forum, apply security patches promptly. Most vendors, and your hosting provider, offer a mailing list, RSS feed, or server notification detailing updates and security issues. Many CMS packages also notify you of available updates when you log in. Check these regularly; a notification you never read does not protect you.
Don’t Always Depend On Developers
Developers typically use package managers to pull in third-party libraries, and security vulnerabilities are regularly disclosed in packages your site depends on. If nobody is watching for those disclosures (and your developer is most likely not contracted to do so), this is one of the easiest ways to be caught unprepared. Keep your dependencies up to date and use tools that notify you automatically when a vulnerability is announced in one of your components. Don’t assume your developer is doing this for you.
Validation
Validation should be done on both the browser and the server. Browser-side checks catch simple mistakes, such as an empty field or text typed into a number field, and give the user quick feedback, but they are easily bypassed: an attacker can submit requests directly without your JavaScript ever running. The server must therefore repeat those checks and perform the more in-depth validation that actually matters. Failing to do so will more than likely allow malicious content or script to be inserted into the database, which, more often than not, leads to undesirable results on your website.
SQL Injection Deflection
SQL injection attacks are when an attacker uses a form field or URL parameter to gain access to or manipulate your database. If you build queries by pasting user input straight into the SQL text, whatever the dialect (T-SQL, MySQL, PostgreSQL, SQLite), it is easy for an attacker to insert rogue code into your query. This could be used to read data, change tables, or delete records. You can prevent this by always using parameterized queries, also known as prepared statements: the SQL statement is compiled first with placeholders, and the user-supplied values are passed separately as parameters (think "variables"), so the database treats them purely as data and never as part of the statement. Most web languages have this feature, and it is easy to implement.
Passwords
The more complex the password, the better for everyone. Everyone knows they should use strong passwords; more often than not, however, people are lazy and do not do what needs to be done. It is crucial to insist (i.e., do not give your users a choice) on good password practices, such as a minimum length, to protect the security of their accounts. Passwords should never be stored in plain text or with reversible encryption. Store them as salted hashes produced by a purpose-built, deliberately slow password hashing function such as bcrypt, scrypt, Argon2, or PBKDF2. A plain, fast hash such as SHA-2 on its own is too quick to brute-force and will not protect your users if the database leaks.
Many CMS packages provide a lot of these website security features built-in. In some cases an extra module may be required (e.g., pre-Drupal 7) to set a minimum password strength. If you are using .NET, it is worth using membership providers. Membership providers are very configurable, provide built-in website security, and include ready-made controls for login and password reset.
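As an added illustration (not code from the original page or from any CMS) of what "salted, slow, one-way" means in practice, the example below enforces a minimum length, hashes with PBKDF2-HMAC-SHA256 from the Python standard library, and verifies with a constant-time comparison. The minimum length and iteration count are assumptions for the demo; tune them to your own policy and hardware.

```python
import base64
import hashlib
import hmac
import os

MIN_LENGTH = 12         # policy assumed for this demo; enforce it, do not merely suggest it
ITERATIONS = 600_000    # PBKDF2-HMAC-SHA256 work factor; tune so one hash takes ~0.1-0.5 s on your server


def password_acceptable(password):
    """Minimal server-side policy check; extend with breached-password checks as needed."""
    return isinstance(password, str) and len(password) >= MIN_LENGTH


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm, iterations, salt and digest.
    The per-user random salt means identical passwords produce different records,
    and the iteration count makes every guess expensive for an attacker."""
    if not password_acceptable(password):
        raise ValueError("password does not meet the policy")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)
```

Storing the iteration count alongside the hash lets you raise the work factor later and re-hash users on their next successful login without invalidating existing records. If bcrypt, scrypt or Argon2 are available in your platform, prefer them; the structure of the record and the constant-time verify stay the same.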
XSS Attacks
Cross-site scripting (XSS) attacks inject malicious JavaScript into your pages. It then runs in your users’ browsers and can change page content or steal information, such as session cookies, and send it back to the attacker. Essentially, the application is tricked into delivering the attacker’s script to the browser, which treats it as coming from your trusted website and runs it with the same privileges as your own code. Every time an end user accesses the affected page, their browser will download and run the malicious script as if it were part of the web page.
To prevent this, combine three techniques. First, escape on output: before rendering data received from users, encode the characters that have special meaning in HTML (such as <, >, &, and quotes) so that the browser displays them as text instead of interpreting them as markup or script. Second, validate input: check that the data is what the application expects before accepting it. Blacklisting, which disallows certain known-bad characters, only blocks what you already know about; whitelisting, which allows only known-good characters and formats, is the better method for preventing XSS as well as other attacks, and although it is more commonly associated with SQL injection it works just as well here. Third, sanitize input: where you must accept rich content, strip or neutralize dangerous elements before storing it in a database or using it for any other purpose. Escaping on output is the step you cannot skip, because stored data may reach a page from sources other than your own forms.
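Here is an added example, written for this article rather than taken from the original page, covering both the server-side validation section above and the XSS prevention just described. It whitelists the shape of two inputs, escapes stored text on output, and shows the one case escaping alone does not cover: a `javascript:` URL placed in a link. Field names and limits are assumptions for the demo.

```python
import html
import re
from urllib.parse import urlparse

# Whitelist rule: a username may contain only these characters and lengths.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(value):
    """Whitelist validation: known-good characters and length only."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def validate_quantity(value):
    """Server-side version of the 'numbers only' check the browser also does.
    Returns the integer, or None if the input is not an acceptable quantity."""
    try:
        n = int(value)
    except (TypeError, ValueError):
        return None
    return n if 1 <= n <= 100 else None


def render_comment(author, body):
    """Escape on output: special HTML characters become entities, so stored
    text is displayed as text rather than interpreted as markup or script."""
    return "<p><b>{}</b>: {}</p>".format(
        html.escape(author, quote=True), html.escape(body, quote=True)
    )


def safe_href(url):
    """Whitelist the URL scheme for links. Escaping does not stop a
    javascript: URL from executing when it is used as an href."""
    parsed = urlparse(url)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return html.escape(url, quote=True)
    return None


if __name__ == "__main__":
    print(validate_username("alice_01"), validate_username("<script>"))
    print(render_comment("eve", "<script>alert(1)</script>"))
    print(safe_href("javascript:alert(1)"), safe_href("https://example.com/?a=1&b=2"))
```

Note that the escaping is done at render time with the HTML context in mind; data going into a JavaScript string, a URL, or a CSS value needs encoding rules for that context, which is why template engines that escape by default are worth using.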
Revealing Error Messages
Do not disclose sensitive information in your error messages. Give users minimal errors. This prevents leaks of details such as API keys, database passwords, file paths, or stack traces. Don’t provide full exception details either, as these make attacks like SQL injection easier by telling the attacker exactly how and where the query failed. Keep detailed errors in your server logs, and show users only the information they need.
File Uploads
Allowing users to upload files to your website can be a significant security risk. The risk is that any uploaded file could contain a script that, if executed on your server, completely opens up your website. Treat all file uploads with suspicion. When allowing users to upload images, you cannot rely on the file extension or the MIME type to verify that the file is an image, as both are supplied by the client and easily faked. Even opening the file and reading the header, or using functions to check the image size, is not foolproof. Most image formats allow a comment or metadata section that can carry PHP code; it is harmless as an image, but if the server can ever be persuaded to treat the file as a script (for example through a misconfigured handler or an include), it will be executed.
To prevent this, make sure nothing a user uploads can ever be executed: store uploads outside the web root (or in a directory where script execution is disabled), give them server-generated names and extensions rather than the ones the user supplied, and serve them back through a handler that sets the content type itself. In addition, run a check on the content of the file, and, for images, consider re-encoding them so that any embedded payload is discarded.
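As an added example for this section (not code from the original page), the following upload check ignores the client-supplied name and MIME type, identifies the image type from its leading bytes, rejects bodies carrying script markers, and chooses a random server-side name. The accepted types, size limit and marker list are assumptions for the demo; the sample byte strings in the usage are constructed.

```python
import os
import secrets

# Signatures of the only image types this demo accepts (an assumption; extend as needed).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024
# Script markers that must never appear in something claiming to be an image.
# This is a blocklist and therefore only a secondary check: the primary control
# is that uploads are stored where the server cannot execute them.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def detect_image_type(data):
    """Identify the image type from the leading bytes, ignoring the client's name."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def contains_script(data):
    """Cheap content check for embedded code, e.g. hidden in an image comment chunk."""
    lowered = data.lower()
    return any(marker in lowered for marker in SCRIPT_MARKERS)


def accept_upload(data, claimed_name):
    """Return a server-chosen filename, or None to reject. The client's name and
    extension (claimed_name) are not used for anything except logging."""
    if len(data) > MAX_BYTES:
        return None
    kind = detect_image_type(data)
    if kind is None or contains_script(data):
        return None
    # Random name: no user-controlled characters, no chance of overwriting another file.
    return "{}.{}".format(secrets.token_hex(16), kind)


def storage_path(upload_dir, server_name):
    """Uploads live in upload_dir, which must be outside the web root (or have
    script execution disabled) and be read back by a handler that sets Content-Type."""
    return os.path.join(upload_dir, os.path.basename(server_name))


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32                 # constructed PNG header
    print(accept_upload(png, "shell.php"))                    # accepted, named <random>.png
    print(accept_upload(b"<?php system($_GET['c']); ?>", "photo.png"))  # rejected
```

A signature check like this stops renamed executables and plain script files, but a valid image with a payload in a comment passes the signature test by design; that is why the script-marker scan and, more importantly, the non-executable storage location and server-chosen extension are part of the same check rather than optional extras.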
HTTPS
HTTPS is the protocol that secures traffic between a browser and your website. With a valid certificate, HTTPS ensures that users are talking to the server they expect and that nobody in between can read or change the content in transit. Whether or not you have anything your users might want kept private, it is strongly recommended to use HTTPS for your entire website.
Login forms will often set a cookie, which is sent with every other request to your site and is used to authenticate those requests. Using HTTPS for your entire website (and marking that cookie Secure so it is never sent over plain HTTP) prevents an attacker on the network from stealing it, which would allow them to impersonate the user and take over their session. As a bonus, Google has announced that HTTPS is a positive ranking signal, so there is an SEO benefit too. Insecure HTTP is on its way out, and now’s the time to upgrade. You should also consider HTTP Strict Transport Security (HSTS). This is a response header that tells browsers to refuse insecure HTTP for your domain (and optionally its subdomains) for a set period, so they will not fall back to HTTP even if a user types it or follows an old link.
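The following added example (written for this article; it is not the original page's code and assumes a WSGI-style Python deployment) shows the two moving parts of "HTTPS everywhere": redirecting plain-HTTP requests to the HTTPS version of the same URL, and attaching the HSTS header only to HTTPS responses, since browsers ignore it over HTTP. The canonical host name and one-year `max-age` are assumptions; start with a short `max-age` while you confirm everything works over HTTPS, because a long one is hard to roll back.

```python
HSTS_VALUE = "max-age=31536000; includeSubDomains"  # one year; use a short value while testing


def force_https(app, canonical_host):
    """WSGI middleware: plain-HTTP requests get a permanent redirect to the HTTPS
    version of the same URL, and HTTPS responses gain the HSTS header. The redirect
    targets a configured host rather than echoing the client's Host header, so an
    attacker cannot turn the redirect into an open redirect."""

    def wrapped(environ, start_response):
        if environ.get("wsgi.url_scheme", "http") != "https":
            location = "https://" + canonical_host + environ.get("PATH_INFO", "/")
            if environ.get("QUERY_STRING"):
                location += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            # Browsers only honour HSTS received over HTTPS, so it is added only here.
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return app(environ, start_with_hsts)

    return wrapped


def hello_app(environ, start_response):
    """Stand-in for the real site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def call(app, environ):
    """Invoke a WSGI app without a server; returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    site = force_https(hello_app, "example.com")
    print(call(site, {"wsgi.url_scheme": "http", "PATH_INFO": "/login", "QUERY_STRING": "next=%2F"}))
    print(call(site, {"wsgi.url_scheme": "https", "PATH_INFO": "/login"}))
```

In production the same two behaviours are usually configured in the web server or load balancer rather than in application code, but the rules are identical: redirect before serving anything, and send HSTS only on the secure side.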
Once you have done all you can, it is time to test your website security with website security tools. There are many commercial and free scanners that work in much the same way as the scripts hackers use to probe for known exploits. The tests attempt to compromise your site using some of the methods mentioned above, such as SQL injection, so you can find and fix holes before an attacker does.
Conclusion
As stated at the beginning, ensuring that your online presence is secure is one of your top priorities. You can ill afford to have your online presence going offline or even worse, being damaged due to hackers. Following the above will help secure your online presence. If you have any questions concerning this, please contact Sectorlink today and allow us to help you secure your site.