Top website security posts by Sucuri – October 2019

A monthly round-up of website security topics

Our Malware Research and Incident Response teams work around the clock to identify and stay ahead of attackers — and we’re proud to share our knowledge and findings with the community.

We’ve gathered a few of our most popular posts and discoveries from October to educate you about the latest trends in website and personal security.


Top 10 website hardening tips

There are a number of protective layers you can add to help reduce the risk of an attack on your website. We’ve curated a list of the top ten virtual hardening recommendations to get you started.

1. Maintain frequent website updates

Website vulnerabilities come in all shapes and sizes. To prevent an exploit, ensure that each piece of software on your site is kept up-to-date with the latest patches and security updates.

Regular patching must include your CMS along with any third-party components you’ve installed, such as plugins, themes, and extensions.

Don’t neglect patching your server, Apache, and PHP.

2. Reduce the attack surface

Only allow public access where it makes sense, and deny access to everything else by default. You can identify and harden your website’s access points with server configuration rules, file and folder permissions, or a firewall.

3. Use input sanitization

While it may sound a bit harsh, you should never trust input from users of your website. You can prevent malicious activity by strictly restricting and filtering what is accepted as input.

Specify exactly what kind of data you expect from the user.

4. Remove unnecessary extensions

Each additional piece of code on your website is a potential gateway for an attack. Keep only what’s being actively used and completely uninstall remaining extensions to reduce the risk.

Disabling a plugin or theme is not the same as removing it.

Don’t install anything suspicious or unsupported, and – like tip #1 says – keep extensions up to date with security patches.

5. Maintain permission controls

Restrict what each user can do on your website and make sure they don’t have more privileges than absolutely necessary.

For example, if you have an author or editor contributing to content on your website, they definitely don’t need admin privileges.

6. Use multi-factor authentication

Activate 2FA/MFA wherever possible to add an extra layer of authentication to your accounts.

7. Create and maintain secure passwords

Use minimum strength requirements to enforce secure passwords. You can use a password manager to simplify creating and managing secure, unique passwords on your accounts.

8. Only allow secure access

Restrict access to your website by enforcing the use of secure channels like VPNs or proxies. Make sure all administrators are accessing it from a safe device.

All access should be over HTTPS to ensure encrypted data transfer.

9. Reduce exposure of information

Lessen the chances of a successful brute force attack by reducing the information returned on failed login attempts.

For example, instead of “Your password is incorrect” send the message “Login credentials invalid”. Don’t let the attacker know the username was correct!

You shouldn’t write sensitive data to application logs or keep them publicly accessible, either.
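The two response styles tip 9 contrasts, as an added Python example (not code from the post or from Sucuri): a leaky login handler beside a hardened one that returns a single generic message and logs the outcome without the password. The user store, salt and passwords are constructed; the equal-cost hashing for unknown usernames goes one step beyond the post, since response time can reveal a valid username just as a message can.

```python
import hashlib
import hmac
import logging
import os

log = logging.getLogger("login")

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed demo user store (not from the post): username -> (salt, PBKDF2 hash).
_SALT = os.urandom(16)
USERS = {"editor": (_SALT, _hash_password("correct horse battery", _SALT))}
# Dummy record used for unknown usernames so they cost the same work as known ones.
_DUMMY = (_SALT, _hash_password("placeholder", _SALT))

def login_leaky(username: str, password: str) -> str:
    """The pattern tip 9 warns against: each failure message says which half was wrong."""
    if username not in USERS:
        return "Unknown username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return "Your password is incorrect"
    return "OK"

def login_hardened(username: str, password: str) -> str:
    """One generic failure message; the log records outcome and user, never the password."""
    salt, stored = USERS.get(username, _DUMMY)
    # Always compute the hash, so an unknown username is not revealed by a faster response.
    matches = hmac.compare_digest(_hash_password(password, salt), stored)
    ok = matches and username in USERS
    log.info("login %s user=%r", "success" if ok else "failure", username)
    return "OK" if ok else "Login credentials invalid"
```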

10. Monitor your website and log activity

Check for any anomalies in your website logs to detect indicators of compromise. Keep an eye out for configuration errors, user activity, attack attempts, malfunctions, and other important status updates.

Audit logs are mandatory for ecommerce PCI compliance.


Read more from the original post by Northon Torga.


Personal online privacy and connecting online

Online privacy is a discussion that every user who connects to the internet needs to participate in.

When considering your online privacy, take a personal inventory of the following questions:

  • How are you connecting online?
  • How can you stay safe and keep your data private?
  • How much of a digital footprint are you leaving behind?

Best practices for online privacy

The first step is to consider the devices you’re using to connect to the internet every day, then implement these risk reduction best practices.

Secure your WiFi router

Most routers ship with a default admin username and password, which you should change as soon as you set the router up. You can also choose a network name that doesn’t personally identify you or draw unnecessary attention — especially in apartment buildings.

Another important consideration is to limit access to your router when you’re away. Finally, you’ll also want to keep your router’s firmware up to date. These updates include important security patches for known threats to your internet-connected devices.

Implementing these precautionary measures can help mitigate the risk of an exploit and prevent attackers from adding your router to a botnet or worse.

Secure your desktop and mobile devices

You can prevent unauthorized access to your internet-connected devices with these recommendations.

Remove unused programs and applications

This practice doesn’t just extend to third-party components on websites.


By removing unused applications, you can reduce the potential for an attacker to exploit a vulnerability on your device.

If you don’t use it, lose it.

Set a screen timeout

Consider setting a screen timeout on your desktop and mobile devices to prevent unauthorized access or snooping.


Cover up your webcam

This recommendation applies mostly to tablets or laptops. By covering your webcam, you can help prevent malware from unauthorized recording or photography.

Update your software

Just like updating the software on your website, the same principle applies to your desktop and mobile devices. Maintain important updates and security releases, and apply patches as soon as a release is available.

In our recent webinar “Security Beyond Your Website: Personal Online Privacy” we tackled exactly these questions to help users like yourself focus on online privacy.

Read more from the original post by Victor Santoyo.


The cost of cybercrimes and attacks

Cybercrimes can target any business or website owner. Even average users who think they’re safe because they don’t operate a large business can become a cybercrime victim.

So, what is a cybercrime?

Classified as any illegal or unethical activity carried out through the use of the internet or a computer, cybercrimes can affect websites big and small. Cybercriminals exploit vulnerabilities in networks or websites to extract valuable information.

These attacks can target the general public along with national and corporate organizations, and can steal sensitive personal or institutional information.

Cybercriminals may use a variety of methods to carry out their attacks, including:

  • Distributing malicious programs
  • Unauthorized web access
  • Creation and maintenance of fake websites
  • Compromised websites

What is the average cost of a cybercrime?

Last year alone, there were 2.3 billion data breaches—and the fact that you might have a small website won’t make you immune to this statistic.

Worldwide cybercrime costs an estimated $600 billion USD a year.

Small and medium-sized websites typically underestimate the costs of a cyberattack, which can significantly impact trust, rankings, and ultimately revenue.

The reality is that any website that doesn’t implement proper security measures makes an attractive target to attackers, who often leverage automation to find and exploit vulnerable sites.

How to protect your business from cyberattacks

There are a number of ways you can protect your business from cybercriminals.

  • Implement procedures for encrypting sensitive information
  • Practice strong password security measures
  • Never leave computers and devices unlocked
  • Don’t open email attachments from unknown senders
  • Educate employees on cybersecurity best practices
  • Use a web application firewall to protect your web assets

Read more from the original post by John Booker.