How safe is your website?
Seriously, how secure is your website? Most of the time people build websites and forget the jungle nature of the internet. Ignoring security (and especially ignoring this post) shows how little concern you have for your website's security. Apart from the obvious measures one must take to ensure that his or her website is safe, there are tools and applications that can monitor your website and advise you on how to handle a problem before it is too late.
If you are not familiar with standard website security measures, the following tips should help you ensure that you are not compromised by malicious hackers.
- Using certificates and TLS/SSL: when you run an e-commerce site or pass confidential information to and from your users, you need to encrypt that content before it crosses the internet jungle, so that anyone who does get hold of your data cannot use it. Two security protocols secure communication between a client computer and the server: Transport Layer Security (TLS) and Secure Sockets Layer (SSL). There is much to say about these protocols, but that is beyond the scope of this post. Simply put, to keep your website secure you need to ensure that your host's server supports these protocols; you can then purchase an SSL certificate and use it to encrypt the traffic flowing to and from your server.
- Most hosting servers come with standard security tools that help protect your data from viruses and other malicious code. As good as this is, you should increase security by having your website certified by third-party security experts and acquiring their security solutions, for instance McAfee Secure, Thawte and VeriSign. These are security companies with solutions to ensure that your website is safe.
- Dealing with security loopholes such as robots files, securing your FTP connections to your server and managing indexes. Search engine bots usually respect the rules and policies in robots.txt, but hackers and cyber criminals will not; the file is publicly readable, so an insecure robots.txt that lists sensitive paths simply tells them where your files are. Writing a secure robots file means granting access only to the folders that improve your site's friendliness to search engines and disallowing all other folders, while never relying on the file to hide anything, since a disallowed path is still visible to anyone who reads it. FTP connections can be compromised, especially if you use standard FTP, which sends your credentials and files in the clear; to secure them, use FTPS when transferring files to and from your server. Index management denies directory listings for folders within your site that do not contain the files that run your site. More often than not, your web files live in a specific sub-folder while your server has other folders in its directory structure. When a malicious user points a browser at one of these folders that has no web files or index file, the server lists the entire directory contents, which poses a risk to your website. You can prevent this by managing the indexes for these folders (disabling directory listing in the web server configuration) so that such requests are denied.
- Then we have cross-site scripting and securing your code: your website is built with input boxes and a web programming language such as PHP. If your website is not securely programmed, a hacker can perform SQL injection against your server through those input boxes and implant malicious code or, worse, mess up your entire database. Good programmers know how to write secure code and ensure that input boxes are safe from malicious code injection.
- Lastly, we have e-mail. E-mail is commonly used to deliver malicious code through messages that will either install malware on your computer or create an exploit that the attacker can use to damage your system. E-mail is handled by mail servers, which route a message from your e-mail client through the server and the internet and finally to the recipient's mail client or mail application. If the mail server is not properly secured, an attacker can write a malicious piece of code, send it to you by e-mail, and once you click it, POW! he has access to the mail server. To defend your mail server you must first ensure that it is up to date with patch releases, turn off unnecessary services, put the server behind a firewall and install content screening systems. When connecting remotely, ensure that the connection is encrypted with TLS.
Apart from giving you a few pointers on web security, this article also encourages you to download Acunetix 7. Acunetix 7 is the latest version of the Acunetix web vulnerability scanner. Acunetix is one of the leading developers of web vulnerability applications, and it recently released Acunetix 7, which makes it easier to check whether your website is vulnerable to hackers or cross-site scripting. Acunetix automatically checks your web applications for coding errors and XSS (cross-site scripting) vulnerabilities. Acunetix also finds files that are vulnerable to attack and alerts you to fix them before a hacker finds them. You can head over to the Acunetix blog and read the article on how Acunetix 7 can make web application security easier and more cost-effective.
15th February 2011