
Website security is something we could all use a refresher on from time to time. Jessica and Michael discuss some basics that we should all be utilizing in the management of our websites.

The Basics of Website Security
In A Few Words

Website security is something we all have to think about. We may be familiar with securing our websites, but it is also incredibly easy to overlook something simple.

Recent News

The Equifax CEO stepped down, but will still be testifying before a Senate committee about how this breach occurred. The Senate plans some tough questioning, including questions to determine whether Equifax should even be allowed to continue working in the credit reporting industry.

Deloitte, one of the four major accounting firms, announced that it also experienced a data breach on its email systems. Any data that was sent via email may have been compromised.

CactusCon, a local hacker conference in Phoenix, AZ, took place this past weekend. One of the most exciting parts of the conference was Kids Con, which gives kids as young as 8 a way to experience the world of hacking, networking, and cybersecurity. The talks on e-commerce forensics and recycling malware were very interesting for anyone who is into cybersecurity.

Website Security Basics

HTTPS

The connection between a web server and a browser can be secured using an SSL certificate. SSL (Secure Sockets Layer, now superseded by its successor TLS) encrypts the data being transferred, making it much more difficult for anyone listening on the wire to get anything they can use.

Traditionally, SSL certificates have only been heavily utilized on e-commerce sites, but these days everyone needs an SSL certificate on their website. Browsers are beginning to show warnings when a site doesn’t have a valid SSL certificate, and a valid certificate will also improve your search rank with Google.

The major argument people use against getting an SSL certificate is cost. Certificates can be fairly expensive, but Let’s Encrypt now provides SSL certificates for free, eliminating this reason for not securing the connection to your server. Some hosts may not allow the software that is needed to install a Let’s Encrypt certificate; if your host does allow it, there is no reason not to have an SSL certificate on your website.

Updates

Updates are probably the most important piece of website security. This includes application updates as well as server updates. The Equifax breach took place because of an outdated Apache Struts version, which left their servers vulnerable.

Vulnerabilities are released publicly after a period called responsible disclosure: a window of time after a patch is released that gives the public some time to update their servers and applications before bad actors have easy access to the details of a vulnerability.

The WordPress 4.7 and 4.7.1 REST API vulnerability allowed about 1.5 million sites to be defaced, because it let attackers modify any post on sites that weren’t updated when the patch was released. The vulnerability wasn’t exploited until it was announced, six days after the update was released.

It is much cheaper to keep your site up to date, even if it means changing your theme or plugins, than it is to recover from a hack.

Backups

Backups are arguably second in importance when it comes to securing your website, and one of the most overlooked pieces of the puzzle. It is a good idea to follow the 3-2-1 rule when backing up your website: 3 copies of your data, on 2 types of media, with at least 1 copy off-site.

Off-site backups are important as a failsafe in the case of catastrophic failure. You should have access to your backups, but they should not be in the same location as your website files.

You also need to test your backups. Running disaster recovery drills ensures you and your team are familiar with your recovery procedures, that your backups are not corrupted, and that your methods and systems function properly during the recovery process.
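A small shell drill for the backup advice above, written as an added example for this page (it is not from the episode or from SiteLock). It assumes a Linux host with tar and sha256sum, packs a site directory, keeps a checksum beside each copy, stores copies in two places (standing in for two media types and an off-site copy), and then verifies one copy and performs a trial restore of the other:

```shell
#!/bin/sh
# Added example: a minimal 3-2-1 backup drill with verification and test restore.
set -eu

# make_backup SITE_DIR DEST_DIR -> prints the path of the archive it created
make_backup() {
  site="$1"; dest="$2"
  mkdir -p "$dest"
  archive="$dest/site-$(date +%Y%m%d).tar.gz"
  tar -czf "$archive" -C "$(dirname "$site")" "$(basename "$site")"
  # record the checksum next to the archive so corruption is detectable later
  sha256sum "$archive" | awk '{print $1}' > "$archive.sha256"
  printf '%s\n' "$archive"
}

# verify_backup ARCHIVE -> exit 0 if the stored checksum still matches
verify_backup() {
  archive="$1"
  expected=$(cat "$archive.sha256")
  actual=$(sha256sum "$archive" | awk '{print $1}')
  [ "$expected" = "$actual" ]
}

# restore_drill ARCHIVE SCRATCH_DIR ORIGINAL_DIR -> exit 0 if the restored
# tree is identical to the live site (the actual recovery test)
restore_drill() {
  archive="$1"; scratch="$2"; original="$3"
  rm -rf "$scratch"; mkdir -p "$scratch"
  tar -xzf "$archive" -C "$scratch"
  diff -r "$original" "$scratch/$(basename "$original")"
}

# Constructed sample site (hypothetical paths, not a real deployment)
work=$(mktemp -d)
site="$work/www"
mkdir -p "$site/wp-content"
printf '<?php echo "hello";\n' > "$site/index.php"
printf 'sample config\n' > "$site/wp-content/config.txt"

copy1=$(make_backup "$site" "$work/local-disk")      # copy on the host
copy2=$(make_backup "$site" "$work/offsite-bucket")  # stands in for off-site
verify_backup "$copy1" && echo "local copy checksum OK"
restore_drill "$copy2" "$work/restore-test" "$site" && echo "restore drill OK"

# Simulate silent corruption of the local copy: the checksum check catches it
printf 'corruption' >> "$copy1"
verify_backup "$copy1" || echo "local copy FAILED verification; fall back to off-site copy"
```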

Last Tips

In the security industry, we talk a lot about passwords. One thing that isn’t discussed as much as it probably should be is password managers. Using a reliable password manager means you don’t have to try to remember all of your passwords, which helps prevent password reuse and allows you to use passwords that are harder to crack.

Decoding Security is hosted by Jessica Ortega and Michael Veenstra, and produced by Topher Tebow for SiteLock.
Music:
"Upbeat Forever" Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0 License
http://creativecommons.org/licenses/by/3.0/

Copyright © SiteLock 2017