How do you secure a website? From a small one-page website promoting the sale of your e-book to a national tax database, no website is 100 percent secure against a security breach or hack. Site security has never been more important, as attack techniques become bolder and more sophisticated. So how do you keep a website secure? And what types of things do you need to look out for?
Let’s start with some of the threats that website administrators should be aware of.
Phishing Attacks (Social Engineering)
Phishing is an attempt to gain privileged information such as passwords or personally identifiable information through deception. A classic example is an email that appears to be from a person the victim knows or a service the victim uses. The email will ask for the information directly, or direct the victim to a malicious website that then tricks them into divulging the personal information.
Whaling or Spear-phishing
These are variations on phishing attacks. Spear-phishing is targeted at a particular individual. It may appear to come from someone the victim knows or works with and may leverage personal information to gain the victim's trust. Whaling is spear-phishing targeted at a high-level person within an organization, such as a CEO or president.
Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
Server Side Ransomware
Ransomware is specialized malware that uses strong encryption to encrypt the contents of the victim's drive and then holds the key to that encrypted data for ransom. The victim then has to pay the attacker to decrypt the data. Ransomware is usually distributed by malicious websites and/or phishing emails. However, recently there have been a number of instances of hackers using website vulnerabilities to install server side ransomware. So far, these attempts have been rather poor, and skilled security specialists have been able to recover the systems without paying, but you can expect that these hackers have learned from the experience and will eventually create server side ransomware that rivals the ransomware being found on desktops.
Identity theft has always been a problem. To make it worse, recent trends in identity theft have shown a rise in the theft of children's identities. These are often not noticed until the child becomes older and tries to open a line of credit. Review this great infographic from PBS about online identity theft for younger children and students.
The Internet of Things is coming our way, and many of these devices bring new and old vulnerabilities with them. Since these devices already exist on our home and office networks, they could easily be used as a pivot point to gain access to personal computers, to monitor your home or office network traffic, or even to act as a man-in-the-middle to perform more serious attacks.
Cyber espionage has been around since the Internet started, but it has been on the rise in recent years. (Think state-sponsored hackers, like China.) The attribution of the Sony attacks to North Korea was one of the largest and most well-known of these, but you can be sure that there are probably thousands of smaller, similar attacks every month that never make the news, either because the victim does not want anyone to know or because the victim is unaware.
The Totally Unexpected
So far in 2016, we have already had one such case: the discovery of a previously unknown backdoor in Juniper software. Hackers are constantly looking for new ways to exploit either systems or people.
Ten tips on how to secure a website in 2016 as a developer
With the number of threats and hacks faced by the online community noted above, implementing a strong support and maintenance process within your organization to protect your website is imperative. If you have limited resources or budget, below is a list of tasks to help protect your site from potential risks and keep it secure.
- If you're using an open-source content management system like Drupal, always keep your core files up to date. These projects release regular updates to address bugs and potential vulnerabilities, which should be applied to your system as they are released.
- Keep up to date on the latest news for security and support updates. There are even newsletters for staying up to date.
- Apply the security updates required for any modules that have been added to the system. If you're using Drupal, you can list updates with the “drush up” command.
- Be careful about your custom code, as many hacks or injections are caused by carelessly written custom code. If your code uses Ajax, be aware of the potential Ajax security issues.
- Be thoughtful about roles and permissions. For example, in Drupal, be careful about menu items in your custom modules, and make sure each URL can only be visited by the right roles.
- Sanitize your inputs. Never put values directly into SQL queries; this reduces the risk of SQL injection.
- Make sure that the roles granted to users are actually needed. For example, make sure only true administrators have access to administration capabilities. Similarly, make sure that you don't give the wrong roles the ability to run PHP code on your site, and remove the PHP filter input format altogether if it is not necessary.
- Keep the right permissions on your folders. For example, no folder should be fully writable except for the files directory.
- Be skeptical about using Drupal sandbox modules. These are neither tested nor reviewed by the community, so review the code before you use it in your live environment.
- Don't print out errors on production. Any information about your server or environment could be useful to an ill-intentioned person.
- BONUS TIP: Check your status reports page regularly to look for irregular activity. If you are worried about your site's security, review your updates, review your site's analytics and reports daily if possible, or engage a team who can monitor and support your website to protect you from any threat.
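The injection flaw described earlier and the "never put values directly in SQL queries" tip are two sides of the same coin. The following is an added example, not code from the original post: it assumes the Drupal 7 database API (db_query with named placeholders, the {table} prefix syntax, l() and theme()) and uses constructed function names (articlelist_*). It shows a page callback written the injectable way next to the same callback written with placeholders and integer casting, plus escaped output so that a stored title containing markup is displayed rather than executed.

```php
<?php
// Added example, not from the original post. Assumes the Drupal 7 API;
// the articlelist_* function names are constructed for this example.

/**
 * INJECTABLE: the query-string value is pasted straight into the SQL text,
 * so a crafted value is parsed as SQL instead of being treated as a number.
 * Kept here only to show the pattern to look for in a code review.
 */
function articlelist_user_articles_unsafe() {
  $uid = $_GET['uid'];
  $sql = "SELECT nid, title FROM {node} WHERE uid = " . $uid . " AND type = 'article'";
  return articlelist_render_titles(db_query($sql));
}

/**
 * HARDENED: the value travels as a named placeholder, so the database driver
 * treats it as data, and it is cast to an integer first. The argument should
 * arrive from the router (a hook_menu path such as 'user/%/articles' with
 * 'page arguments' => array(1)) rather than being read from $_GET here.
 */
function articlelist_user_articles($uid) {
  $uid = (int) $uid;
  $result = db_query(
    "SELECT nid, title FROM {node} WHERE uid = :uid AND type = :type",
    array(':uid' => $uid, ':type' => 'article')
  );
  return articlelist_render_titles($result);
}

/**
 * Shared rendering. Output is escaped as well: l() runs the link text through
 * check_plain(), so a title containing markup is shown as text, not rendered.
 */
function articlelist_render_titles($result) {
  $items = array();
  foreach ($result as $row) {
    $items[] = l($row->title, 'node/' . $row->nid);
  }
  if (empty($items)) {
    return t('No articles found.');
  }
  return theme('item_list', array('items' => $items));
}
```

The hardened version does two independent things: the placeholder keeps the value out of the SQL grammar no matter what it contains, and the integer cast rejects anything that is not a numeric ID before the query is even built. Keep both; the cast alone would not help for string columns, and the placeholder alone still lets nonsense values reach the database.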
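The tips on menu items, roles and Ajax all come down to the same habit: every path a custom module registers names the permission it requires, and endpoints called from JavaScript are checked as strictly as pages. The following is an added example, not code from the original post: it assumes the Drupal 7 hook_permission(), hook_menu(), drupal_get_token()/drupal_valid_token() and drupal_json_output() APIs, and the module name (sitereport), paths and permission strings are constructed for this example.

```php
<?php
// Added example, not from the original post. Assumes the Drupal 7 API;
// module name, paths and permission strings are constructed.

/**
 * Implements hook_permission().
 * Two permissions: a read-only one for report viewers and a separate one for
 * administrators, so the admin page is never granted by accident.
 */
function sitereport_permission() {
  return array(
    'view sitereport reports' => array(
      'title' => t('View site reports'),
    ),
    'administer sitereport' => array(
      'title' => t('Administer site reports'),
      // Marks the permission as security-sensitive on the permissions page.
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Implements hook_menu().
 * Each path carries 'access arguments'. Omitting it, or using
 * 'access callback' => TRUE, exposes the page to every visitor.
 */
function sitereport_menu() {
  $items = array();
  $items['sitereport'] = array(
    'title' => 'Site report',
    'page callback' => 'sitereport_page',
    'access arguments' => array('view sitereport reports'),
  );
  $items['admin/config/system/sitereport'] = array(
    'title' => 'Site report settings',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('sitereport_settings_form'),
    'access arguments' => array('administer sitereport'),
  );
  // The Ajax endpoint gets the same permission check as the page it serves.
  $items['sitereport/ajax/refresh'] = array(
    'page callback' => 'sitereport_ajax_refresh',
    'access arguments' => array('view sitereport reports'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Page callback. Hands the browser a request token that the JavaScript side
 * must POST back with every Ajax call.
 */
function sitereport_page() {
  $token = drupal_get_token('sitereport_refresh');
  drupal_add_js(array('sitereport' => array('token' => $token)), 'setting');
  return '<div id="sitereport-rows">' . t('Loading...') . '</div>';
}

/**
 * Ajax callback. A logged-in user's browser can be made to send requests from
 * another site, so permission alone is not enough: the token proves the
 * request came from our own page.
 */
function sitereport_ajax_refresh() {
  $token = isset($_POST['token']) ? $_POST['token'] : '';
  if (!drupal_valid_token($token, 'sitereport_refresh')) {
    drupal_add_http_header('Status', '403 Forbidden');
    drupal_json_output(array('error' => 'invalid token'));
    drupal_exit();
  }
  $limit = (int) variable_get('sitereport_rows', 10);
  $rows = array();
  $result = db_query_range("SELECT title FROM {node} WHERE status = :status ORDER BY changed DESC",
    0, $limit, array(':status' => 1));
  foreach ($result as $row) {
    // Escape before the data reaches the browser; the JS side inserts it as-is.
    $rows[] = check_plain($row->title);
  }
  drupal_json_output(array('rows' => $rows));
  drupal_exit();
}

/**
 * Settings form, reachable only with 'administer sitereport'.
 */
function sitereport_settings_form($form, &$form_state) {
  $form['sitereport_rows'] = array(
    '#type' => 'textfield',
    '#title' => t('Rows per report'),
    '#default_value' => variable_get('sitereport_rows', 10),
  );
  return system_settings_form($form);
}
```

After installing a module like this, open the permissions page and confirm that only the intended roles hold each permission; a permission that exists but was never granted is the safe default. The same "named permission per path" rule is the practical way to audit an existing site: any hook_menu() entry without 'access arguments' deserves a second look.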
Securing a website isn't a checkbox; it's an ongoing process. With the right support in place, there's much you can do to prevent or minimize an attack.