In studies of online security breaches, it’s been discovered that the time to detect a breach within an organization is usually over 200 days. And when these breaches are detected? It’s usually by an external party, not the organization itself.
In 2019, the total number of data breaches in the U.S. alone was 1,473, and over 164.68 million sensitive records were exposed.
Even if you aren’t concerned about the security of your data, you should be concerned about your reputation. A data breach can do serious damage to your reputation. Depending on the kind of breach, organizations see an average decline in value of 17 to 31 percent. Your brand image, earnings and reputation are all on the line.
How can you guarantee website/data security? Here’s an online security guide to help you get started:
The OWASP Top Ten
OWASP, or the Open Web Application Security Project, is a nonprofit. It’s a foundation that is dedicated to improving the security of web-based software. It has community-led, open-source software projects, local chapters across the globe, and educational and training conferences all to help developers and information technologists secure the web.
OWASP has compiled a list of the top 10 risks in web application security that enterprises and organizations face with their websites, applications and hosting environments. This list can serve as your checklist to determine how to protect your enterprise.
Here are the top 10 web application security risks according to OWASP:
- Injection: This refers to when attackers send untrusted data to an interpreter as part of a command or query. This hostile data can fool the interpreter into executing unintended commands or accessing your critical data without authorization. This can happen with SQL, NoSQL, OS and LDAP systems.
- Broken Authentication: When authentication and session management are implemented incorrectly, attackers can compromise passwords, keys and session tokens, assume other users’ identities temporarily or permanently, and then gain access to your entire system.
- Sensitive Data Exposure: Numerous web applications and APIs aren’t fully equipped to protect sensitive data like financial, healthcare and personally identifiable information (PII). This information can be stolen or modified by malicious hackers to conduct credit card fraud, identity theft or other crimes.
- XML External Entities (XXE): The term “extensible markup language (XML) external entities” refers to older or poorly configured XML processors that evaluate external entity references within XML documents. External entities can be used to disclose internal files and file shares, scan internal ports, execute code remotely, and conduct denial of service attacks.
- Broken Access Control: For many enterprises, restrictions on what each user can and cannot access are not fully enforced. Malicious attackers exploit these weak points to gain access to unauthorized data and functions, including access to other users’ accounts. They can view sensitive files, modify other users’ data, change access rights, and do all kinds of destruction to your site and your servers.
- Security Misconfiguration: This common issue occurs mostly because of insecure default configurations, incomplete configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages that expose sensitive data for all the world to see. Every system and component must be configured securely, patched and updated regularly to keep hackers from finding their way in.
- Cross-Site Scripting (XSS): XSS flaws happen when an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing page with user-supplied data through a browser API that can create HTML or JavaScript. XSS can give attackers “keys to the castle” to execute scripts in a victim’s browser, which means they can hijack user sessions, deface your website and redirect visitors to malicious sites.
- Insecure Deserialization: Deserialization rebuilds objects from data received via a file, stream or network. If this process is not secure, it can lead to malicious attackers performing remote code execution. They can also perform replay attacks, injection attacks and privilege escalation attacks.
- Using Components That Have Known Vulnerabilities: Libraries, frameworks and other software modules run with the same privileges as your application, so a vulnerable component can be exploited to cause serious data loss or server takeover.
- Insufficient Logging and Monitoring: When you pair insufficient logging and monitoring with weak or missing integration with incident response, hackers can find their way further into your system, maintain persistence, and tamper with, extract or destroy your data from within.
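The first item on the list, injection, is easiest to understand side by side with its fix. The following is an added example, not code from the original article or from OWASP: it builds a throwaway in-memory SQLite table (constructed sample data) and shows a lookup that splices user input into the SQL text next to the parameterized version that a database driver binds safely. The table name, column names and sample usernames are assumptions for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with a few constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("carol", "carol@example.test"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The injection-prone pattern: user input becomes part of the SQL text.

    The interpreter (SQLite) cannot tell where the developer's query ends and
    the user's data begins, which is exactly the flaw OWASP describes.
    """
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The hardened pattern: the query text is fixed and the value is bound.

    Whatever the user supplies is treated as a literal string to compare
    against, never as SQL syntax.
    """
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def compare(username: str) -> dict:
    """Run both lookups on the same input and report how many rows each returns.

    A SyntaxError-style failure in the vulnerable path (for example an
    apostrophe in a legitimate name) is reported as the string "error".
    """
    conn = make_db()
    try:
        vulnerable = len(lookup_vulnerable(conn, username))
    except sqlite3.OperationalError:
        vulnerable = "error"
    parameterized = len(lookup_parameterized(conn, username))
    return {"vulnerable_rows": vulnerable, "parameterized_rows": parameterized}


if __name__ == "__main__":
    # An ordinary username: both paths agree.
    print("bob:", compare("bob"))
    # A tautology in the input: the vulnerable path returns every row,
    # the parameterized path returns nothing because no such username exists.
    print("tautology:", compare("x' OR '1'='1"))
    # A legitimate apostrophe: the vulnerable query is broken; binding copes fine.
    print("o'brien:", compare("o'brien"))
```

The point of the third case is that parameterization is not only about blocking attackers; it also makes ordinary input containing quotes work correctly, which string escaping tends to get wrong sooner or later.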
Organization-Wide Online Security Training
If you want your full website, your server and your web applications to be secure, your entire organization must be clued in. Training and education must be part of your team, your vendors and your entire company culture, which is why all of your employees should go through training, not just your tech team. After all, it only takes one mistake to allow a cyber breach to happen.
What strategies should you employ for your security training? Here’s what you need to know:
- Employ ongoing and certified security training. If you struggle with finding certifications, at least be sure to document all of your ongoing security training.
- Provide training to your developers and architects. Start with the OWASP security risks, and expand from there.
- Especially if you have a large system, it may be hard to find all possible security vulnerabilities. Many corporations are finding success with programs that reward people for reporting potential vulnerabilities, so that problems are found before they become a larger issue.
Utilize Available Resources
Many website content management system (CMS) platforms like Drupal, WordPress and SiteCore are now offering their own security training solutions as well. Your developers, architects and engineers can learn how to fortify their work straight from the source itself.
For Drupal, Acquia offers official certification, Sitecore has its own training program, and WordPress’s WP Engine is close to releasing its own training certifications as well.
Start With Yourself
If you’re searching for strategies on how to make a website more secure, remember that it starts with you. You can lead by example, hire security-minded professionals and make it part of your review process. By working hard to ensure that security is at the forefront of the minds of your entire organization, you’ll encourage a team that’s devoted to strengthening your entire system.
When working with your architects and developers, when you’re examining new choices for your website or your servers, anytime you are discussing your website—ask about security. Not only is it a reminder to your team, but it’s also a reiteration of your priorities. It’s a nudge in the right direction. When you make security an innate part of your company culture, you’re actively creating a stronger, more secure website.
Implement a Web Application Firewall
Do you have a web application firewall in place? A web application firewall (WAF) is a firewall specifically for HTTP applications. A WAF monitors and filters the traffic to and from your website. It blocks the dangerous attackers while letting safe traffic in, with constant updates to detect new and evolving threats.
Think of your website like a house. Everyone outside the house is your online traffic, and you want to open the doors. But? You never want to let the bad guys in. The WAF is like a bouncer or security guard, letting your welcome guests in but keeping the bad actors out. Your web application firewall keeps malicious attackers out with a defined layer of protection.
Gone are the days when just having network and local firewalls in place was enough to keep invaders out, and many management systems like CMS platforms just don’t have the right security to manage it on their own. They’re great for creating effective websites, but you need additional protections in place to keep everything secure.
How It Works
Before visitors make it to your website, your WAF will ensure that they are legitimate traffic or detect if they are a threat to your security. How does this happen? WAFs like Sucuri have these kinds of protections in place:
- Application profiling is conducted to learn more about what makes your app unique in structure and functionality.
- Unwanted attackers and viruses are identifiable based on their digital signature. When they are identified, they are added to a blacklist so viruses are deflected before they can ever enter your site.
- A correlation engine learns your application’s normal behavior and compares it to real-time behavior, looking for breaks in patterns and deviations from the norm.
- Botnets attempt to overwhelm each functionality of your app with countless requests all at once. A WAF blocks these botnets from finding their way to you so that your site can operate as it normally would.
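To make the signature and volume checks above concrete, here is an added example of a toy request filter; it is not Sucuri’s code or any real WAF, and the log lines it processes are constructed samples using documentation IP ranges. It decodes each request target, matches it against a small signature list (a SQL tautology and a script tag, the kinds of patterns a blacklist entry encodes), and blocks an IP once it exceeds a per-IP request threshold, which is the simplest form of the flood protection described for botnets. The log format, rule names and threshold are assumptions for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access log: "<client ip> <method> <path?query>" per line.
SAMPLE_LOG = """\
203.0.113.10 GET /index.html
203.0.113.10 GET /products?id=42
198.51.100.7 GET /products?id=42%27%20OR%20%271%27%3D%271
198.51.100.8 GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E
192.0.2.5 GET /login
192.0.2.5 GET /login
192.0.2.5 GET /login
192.0.2.5 GET /login
192.0.2.5 GET /login
192.0.2.5 GET /login
"""

# Signature blacklist: (rule name, pattern applied to the URL-decoded target).
# These are illustrative patterns, not a production rule set.
SIGNATURES = [
    ("sqli_tautology", re.compile(r"(?i)'\s*or\s*'?\d+'?\s*=\s*'?\d+")),
    ("xss_script_tag", re.compile(r"(?i)<\s*script\b")),
]


def parse_line(line: str):
    """Split one log line into (ip, method, target); returns None for blank lines."""
    parts = line.split(maxsplit=2)
    if len(parts) != 3:
        return None
    ip, method, target = parts
    return ip, method, target


def match_signature(target: str):
    """Return the name of the first matching signature, or None if the target is clean.

    The target is URL-decoded first so that percent-encoded payloads are
    inspected in the same form the application would see them.
    """
    decoded = unquote(target)
    for name, pattern in SIGNATURES:
        if pattern.search(decoded):
            return name
    return None


def filter_requests(log_text: str, rate_limit: int = 5) -> list:
    """Decide allow/block for each request in order.

    Signature hits are blocked outright. A running per-IP counter blocks any
    request beyond `rate_limit` from the same client, standing in for the
    volume-based checks a WAF applies against floods.
    """
    seen = Counter()
    decisions = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ip, method, target = parsed
        seen[ip] += 1
        reason = match_signature(target)
        if reason is not None:
            action = "block"
        elif seen[ip] > rate_limit:
            action, reason = "block", "rate_limit"
        else:
            action, reason = "allow", None
        decisions.append({"ip": ip, "method": method, "target": target,
                          "action": action, "reason": reason})
    return decisions


if __name__ == "__main__":
    for d in filter_requests(SAMPLE_LOG):
        print(f"{d['action']:5} {d['ip']:14} {d['target']}  {d['reason'] or ''}")
```

A real WAF layers many more checks on top of this (application profiling, behavioural baselines, threat-intelligence feeds), but the two mechanisms shown, pattern matching on decoded input and counting requests per client, are the backbone of the signature and botnet protections described above.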
Penetration Testing
Do you know where all your website’s vulnerabilities lie? You can employ penetration testing to find them.
Penetration testing, a form of “ethical hacking,” is based on the practice of testing your web application, network and system for security vulnerabilities that an unethical hacker might want to exploit to gain access to your data. There are software applications to perform penetration testing for you, or you can do this manually.
Different kinds of penetration testing can be engaged to find issues in your website. These include:
- Network services.
- Web applications.
- Client-side vulnerabilities.
- Wireless.
- Social engineering.
Testing targets the endpoints of your system. This includes everything from your servers to your network endpoints as well as wireless networks, network security devices, and mobile and wireless devices. Software applications and code are also frequent subjects of penetration testing.
Your goal with penetration testing is to get deep within your application code and IT infrastructure to unearth any potential issues that could expose you to malicious attacks.
At Engine Room, we’re passionate about website security; it’s what we do best. If you’re building your website from scratch or you’re looking for a fix for a security issue, we’ve got you covered. You can learn more about website and content management system security by viewing our webinar here.
Are you ready to implement robust, real-world solutions to help keep your website protected? We’re ready to help. Contact us today!