Over the last several months we have helped several existing and new clients troubleshoot cyber security compliance and add proper security protection. In every conversation, the Hubnest team found itself repeating a few best practices that must be implemented. We decided to write this blog to help everyone be aware and take action to prevent a detrimental security breach that can severely cost an organization. While Hubnest is not a dedicated cyber security agency, we are well versed in security best practices for our web application builds. So here it is!
Buy an SSL certificate
This is a simple and important step because it protects those who visit your website. While purchasing an SSL certificate doesn't prevent attacks, it is the most fundamental way to encrypt traffic and protect website users who enter and send you their information. The cost is as little as $20 per year plus installation time. If that's not reason enough, Google Chrome also doesn't play well with unsecured websites.
Your birthday is not a good password
It goes without saying that weak passwords are highly prone to compromise. From our experience, these weaknesses are often discovered by password-cracking software or by insiders with malicious intent. It's always a good idea to use more complex passwords that contain no personal details.
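As an added illustration (our own example, not part of the original post), here is a small Python check that rejects exactly the kind of password this section warns about: short ones, common ones, and ones built from a person's name or birthday in any of the usual digit orderings. The names, the birthday and the tiny common-password list are constructed sample values, and the minimum length of 12 is an assumption.

```python
import re
from datetime import date
from typing import Iterable, List, Optional, Set

# Constructed stand-in for a real breached-password list (assumption: the real
# one would hold millions of entries, loaded from disk).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def date_fragments(d: date) -> Set[str]:
    """Digit strings people build passwords from: 19900517, 17051990, 051790, 1990, ..."""
    yyyy, mm, dd = f"{d.year:04d}", f"{d.month:02d}", f"{d.day:02d}"
    yy = yyyy[2:]
    return {
        yyyy, yyyy + mm + dd, dd + mm + yyyy, mm + dd + yyyy,
        dd + mm + yy, mm + dd + yy, yy + mm + dd, dd + mm, mm + dd,
    }


def password_problems(password: str, *, names: Iterable[str] = (),
                      birthday: Optional[date] = None, min_length: int = 12) -> List[str]:
    """Return the reasons a candidate password should be rejected (empty list = acceptable)."""
    problems = []
    lowered = password.lower()
    digits_only = re.sub(r"\D", "", password)  # "17/05/1990" -> "17051990"
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    for name in names:
        if len(name) >= 3 and name.lower() in lowered:
            problems.append(f"contains personal detail '{name}'")
    if birthday is not None:
        for frag in date_fragments(birthday):
            if frag in digits_only:
                problems.append(f"contains birthday fragment '{frag}'")
                break
    # Count lower, upper, digit and symbol classes actually present.
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    # Constructed profile: the kind of detail visible on a social media page.
    profile = {"names": ["Maria", "Lopez"], "birthday": date(1990, 5, 17)}
    for candidate in ("Maria1990!", "17/05/1990", "correct-Horse7-battery"):
        print(candidate, "->", password_problems(candidate, **profile) or "OK")
```

The check is meant to run at the moment a user picks a password, with the personal details taken from their own account record; it does not replace a breached-password lookup, it just catches the guesses that a quick look at someone's profile would produce.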
Hosting server – first line of defense
Choosing a good hosting company is crucial. At Hubnest, we always choose Tier 1 dedicated hosting simply for the integrity of the protection it offers. Afterwards, we install all the necessary server protection and monitoring tools that help us respond to potential risks. More affordable hosting that claims to include asset protection and backups may seem financially feasible, but it is often never validated that these tasks are actually being performed. Get that peace of mind and do it right.
Third-party Plugins and Themes
In many websites, plugins and themes are used as part of an automation process to manage a digital business. Many plugins and themes may unintentionally contain vulnerable code. We suggest choosing plugins and themes wisely. While you may not be the person to review the integrity of the plugin's code, it's a good idea to have access to someone who can review and modify it for added security before installing.
Not all spam is harmless
Spam emails are often just a nuisance, but not always. The source of a breach can be employees unknowingly opening a phishing email and providing login credentials, or downloading attachments that contain malicious viruses and bots that overwhelm a website's comment section(s) and cause your server to crash. A new one we caught was a client's email server being used as a relay for spam. As a result, countless email providers such as Gmail and Microsoft Exchange blacklisted their domain. We suggest installing spam-blocking plugins like reCAPTCHA and training employees to take security precautions when opening emails with attachments.
Cross-Site Scripting
Most small to midsize organizations aren't aware of this threat, but a few have seen its results first hand. Cross-site scripting (XSS) is an attack that injects malicious JavaScript into particular pages. The result can let an attacker change website content and tap into data transmitted by users. We suggest adding a CSP (Content Security Policy) header to the website to prevent foreign script injections.
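To make this advice concrete, here is an added Python example (not code from the original post): a comment renderer in its vulnerable and its hardened form, a builder for a nonce-based Content Security Policy header, and a small check that tells whether a given policy still permits injected inline scripts. The sample comment is a constructed payload, and per-request nonces are an assumption about how the site would issue them.

```python
import html
import secrets
from typing import Dict, List

SAMPLE_COMMENT = "<script>alert('xss')</script>"  # constructed test input


def render_comment_vulnerable(comment: str) -> str:
    # Raw interpolation: whatever the visitor typed becomes part of the page's markup.
    return f"<div class='comment'>{comment}</div>"


def render_comment_safe(comment: str) -> str:
    # Output encoding: <, >, &, and quotes become entities, so the browser shows
    # the text instead of executing it.
    return f"<div class='comment'>{html.escape(comment, quote=True)}</div>"


def new_nonce() -> str:
    """Fresh random nonce for one response (assumption: generated per request)."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str) -> str:
    """A restrictive policy: scripts only from our origin or tagged with this request's nonce."""
    return "; ".join([
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
    ])


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split 'directive src src; directive src' into a name -> sources map."""
    directives: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_allows_inline_scripts(header: str) -> bool:
    """True if the policy still lets an injected inline <script> run.

    script-src falls back to default-src; with neither present there is no
    restriction at all.  'unsafe-inline' is ignored by browsers once a nonce
    or hash source is listed, which is why that case is not flagged.
    """
    d = parse_csp(header)
    sources = d.get("script-src", d.get("default-src"))
    if sources is None:
        return True
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


if __name__ == "__main__":
    nonce = new_nonce()
    print("Content-Security-Policy:", build_csp(nonce))
    print(render_comment_vulnerable(SAMPLE_COMMENT))
    print(render_comment_safe(SAMPLE_COMMENT))
    print("weak policy allows inline:", csp_allows_inline_scripts("script-src 'self' 'unsafe-inline'"))
```

Output encoding is what actually stops the injection; the CSP header is the second layer that limits the damage if a template somewhere forgets to escape. A policy that lists 'unsafe-inline' without a nonce or hash gives you the header without the protection, which is the configuration the check above is there to catch.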
Careful with open search fields
This is probably the most direct threat on the list. SQL injection occurs when an attacker uses a form or a URL parameter to reach a website's database and inject their own code. That code can essentially wreak chaos on your website because it's extremely difficult to find, and it can be used to steal data or take down website(s) for ransom. We suggest resolving this by applying parameterized queries to make sure all forms and URLs are secure.
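An added Python example (not from the original post) showing why parameterized queries fix this. It builds a constructed in-memory SQLite table and runs the same product search twice: once by gluing the visitor's text into the SQL string, once through a placeholder so the driver sends the text as data. The quote-and-OR input is a constructed test value.

```python
import sqlite3
from typing import List


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a real products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [("Widget", 9.99), ("Gadget", 19.99), ("Gizmo", 4.50)],
    )
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> List[str]:
    # String building: the user's text becomes part of the SQL statement itself,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    sql = f"SELECT name FROM products WHERE name = '{term}'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, term: str) -> List[str]:
    # Placeholder: the statement is fixed and the text is bound as a value,
    # so quotes in it can never change the query's structure.
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


if __name__ == "__main__":
    db = make_demo_db()
    injected = "x' OR '1'='1"  # constructed: the textbook form of this input
    print("normal search :", search_vulnerable(db, "Widget"), search_parameterized(db, "Widget"))
    print("vulnerable    :", search_vulnerable(db, injected))   # every row comes back
    print("parameterized :", search_parameterized(db, injected))  # no product has that name
```

The same placeholder style exists in every mainstream database driver; the rule for "all forms and URLs" is simply that no value read from a request is ever concatenated into SQL text.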
Manage your CMS
Keep your open source CMS settings up to date. Many times, vulnerabilities occur because a website's security standards have not been updated since the period of its creation. We created a checklist to regularly check our clients' website(s) comment settings, visibility, user controls, and file permissions against the revised security plan. We suggest organizations that use an open source CMS do the same.
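For the file-permissions item on that checklist, here is an added Python script (our own example, not the original post's checklist). It walks a web root and flags anything writable by everyone, plus credential files readable by everyone. The list of credential file names (wp-config.php and the like, assuming a PHP CMS) and the constructed sample web root built in `demo()` are assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

# Assumption: names of files that hold database credentials and must not be
# readable by "other" (the web server user should own them, nobody else reads them).
SENSITIVE_FILES = {"wp-config.php", "config.php", ".env"}


def audit_permissions(root: str) -> List[Tuple[str, str]]:
    """Walk a web root and return (relative path, reason) pairs for risky modes."""
    findings = []
    root_path = Path(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = Path(dirpath) / name
            mode = full.lstat().st_mode
            if stat.S_ISLNK(mode):
                continue  # do not follow links that may point outside the web root
            rel = str(full.relative_to(root_path))
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if name in SENSITIVE_FILES and mode & stat.S_IROTH:
                findings.append((rel, "credential file readable by everyone"))
    return sorted(findings)


def demo() -> List[Tuple[str, str]]:
    """Constructed web root: one tidy file, one sloppy uploads dir, one exposed config."""
    with tempfile.TemporaryDirectory() as tmp:
        index = Path(tmp) / "index.php"
        index.write_text("<?php echo 'hello'; ?>")
        os.chmod(index, 0o644)                      # fine: owner writes, others read
        uploads = Path(tmp) / "uploads"
        uploads.mkdir()
        os.chmod(uploads, 0o777)                    # sloppy: anyone on the box can drop files here
        config = Path(tmp) / "wp-config.php"
        config.write_text("<?php define('DB_PASSWORD', 'placeholder'); ?>")  # placeholder value
        os.chmod(config, 0o644)                     # exposed: every local account can read the password
        return audit_permissions(tmp)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Run it against the real document root on a schedule and keep the output; a finding that appears between two runs usually means a plugin installer or an upload handler loosened something.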
Personal Devices
This was by far the greatest security breach Hubnest has had to manage. Some of our clients allow employees to BYOD (Bring Your Own Device), and while this may be convenient, it is the most vulnerable gateway to security breaches. We suggest using dedicated machines and devices with a VPN, or at the very least installing antivirus software.
Limit User Access
This relates to the previous point. Hubnest has identified the majority of security vulnerabilities as stemming from human error within the organization. Managing and limiting user access levels is the best way to ensure you don't give away the key to the entire digital castle. Having unique access per user also allows accountability if an error does occur.
We're not being alarmists and saying that if you don't follow any of these tips, your website(s) or application(s) will get attacked. However, failing to properly secure your digital assets is not only dangerous to your business but irresponsible towards your customers' or visitors' well-being.
Contact us to learn more about how you can protect your digital investment.
Image by Werner Moser from Pixabay