The internet has certainly made our lives more comfortable by enabling numerous online operations. On the flip side, it has also made us vulnerable to internet-based attacks, or cyber crime. In the light of growing cyber attacks, it has become essential to ensure that our networks and sites are protected from them. This protection is referred to as cyber security.
What is cyber security?
Cyber security consists of technologies, processes, and practices designed for protecting networks, devices, programs, etc. from attack, damage or unauthorized access.
Importance of cyber security-
Organizations such as government, military, corporate, financial and medical bodies collect, process and store a large quantity of data. This data can be confidential, such as intellectual property, financial data or personal information. The data is also transmitted across networks and between devices, where it is prone to unauthorized access and exposure. Cyber security establishes systems for protecting the data and the systems that process it.
An effective cyber security system provides a comprehensive security of the entire information system of the organization.
Various parts of the system that need to be secured include:
- Identity management
- Database and infrastructure
- Disaster recovery/business continuity planning
- End-user education
Earlier, cyber security measures focused on perimeter security, which protected critical systems against known threats. However, this approach no longer holds good, as security threats are evolving at a fast pace.
A website or network is susceptible to internal and external threats. Internal threats are those caused intentionally or unintentionally by employees themselves, or those that result when a company does not take sufficient security measures.
On the other hand, external threats are those caused by external sources such as hackers, etc. who intentionally attack the website/network/systems.
Some common types of cyber attack that have become rampant in recent times are:
SQL injection attacks are those where malicious SQL commands are sent to the database through web requests. These commands can be sent through any input channel. They are very dangerous as they can cause grave damage to a business, and they are often used to target well-known organizations.
Steps that can be taken to ensure user input safety:
Verify all user inputs –
All user inputs including text areas and text boxes as well as all others such as hidden inputs, query string parameters, cookies and file uploads should be verified.
Input strings on the server side should be validated –
Validation is a means of ensuring that the right type of input is provided by the users. It helps neutralize any potential malicious commands in the input string. Client-side validation can be added as well, in addition to the server-side checks.
Use command parameters –
Command parameters are defined by adding placeholder names to SQL commands; the placeholders are then bound to the user input when the command is executed, so the input is never treated as part of the command itself.
Administrative privileges should be avoided-
The admin account should be secure because any lapse in security can provide hackers access to the entire system. Even the non-admin accounts which have access to all databases can be unsafe.
The account being used should ideally have simple read-write permissions to a specific database that sits on your website.
Sensitive data should be encrypted-
Sensitive data such as passwords, security questions and financial data that might be useful to malicious actors should be encrypted. In this case, even if the data falls into the wrong hands, it cannot be exploited immediately. This gives you time to discover the breach, plug the hole and take other measures, so that the stolen data loses its value before it can be deciphered by the hacker.
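As an added illustration of the steps above (example code written for this page, not taken from the page's author or from any product), the following Python script builds a small in-memory SQLite table with constructed sample rows and compares a query assembled by string concatenation with one that uses command parameters, preceded by a server-side format check. The username pattern, table layout and sample data are assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample data standing in for a site's user table.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Builds an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """Vulnerable form: the request parameter is pasted into the SQL text, so
    whatever the user typed becomes part of the command the database runs."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterized form: the ? placeholder is bound to the value by the driver,
    so the input is only ever treated as data, never as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Server-side validation: a username may only contain these characters (assumed policy).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_username(name):
    """Returns True only when the whole string matches the allowed username format."""
    return USERNAME_RE.fullmatch(name) is not None


def lookup(conn, name):
    """The combined defence: reject malformed input first, then query with parameters."""
    if not validate_username(name):
        raise ValueError("invalid username")
    return find_user_safe(conn, name)


if __name__ == "__main__":
    conn = make_db()
    # Constructed input that turns the WHERE clause of the concatenated query into "always true".
    tautology = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(conn, tautology))  # every row comes back
    print("parameterized:", find_user_safe(conn, tautology))     # no such user: []
    print("validated:", validate_username(tautology))            # False
```

The concatenated query returns every row for the constructed input because the quote characters in the input end the string literal and add a condition; the parameterized query looks for a user literally named `' OR '1'='1` and finds nothing, and the format check rejects the input before the database is reached at all.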
Malware, adware and viruses
Malware is a combination of “malicious” and “software”. It includes all threats such as viruses, spyware, adware and any other software that is installed without a user’s consent.
Some common sources of malware are infected email attachments, storage media such as portable thumb drives, downloaded software, links in email, social media websites, instant messages, etc.
How to secure your system from Malware:
Most web viruses and malware are elusive in nature and hence go unnoticed. They can be planted easily by injecting a one-line script into the website's code.
You can scan your website for existing malware and other harmful code using website scanning software, which notifies you of any threats. There are tools available that not only detect the threats but also rectify them.
Web Application Firewalls (WAF)-
These prevent hackers from visiting your site. Based on predefined criteria, a firewall allows only legitimate traffic while blocking malicious traffic such as spam, bots and hackers. Used alongside website scanning, it provides 24/7 hands-free security for the business website.
One way for businesses that accept major credit cards to ensure security is to become PCI compliant. PCI DSS is the Payment Card Industry Data Security Standard. This compliance helps protect your business and customers from cyber attacks and fraud.
Use strong Passwords-
The importance of a strong password that is hard to guess cannot be stressed enough. Ideally, it should be 8 characters long, including lower and upper case letters, digits and special characters. This provides protection from cyber attacks.
Many a time, viruses attach themselves to a drive and install themselves on any other media connected to the system. As a result, any network drive, external hard disk or thumb drive automatically propagates these threats.
Disable image previews in Outlook-
An infected Outlook e-mail message containing graphics code can result in virus infection. Disabling image previews in Outlook protects it from infection.
Don’t click on email links or attachments-
Users should be wary of email links and attachments, however trustworthy the source is. Clicking on an email link or attachment can corrupt Windows and destroy critical data. Therefore, all email attachments should be scanned using a business-class anti-malware application.
Measures that can be taken for securing your website:
1. Keep yourself updated-
Keep yourself updated with the latest hacking threats. This will enable you to take measures to protect your website against it.
2. Take measures to make access difficult-
Ensure that you use user names and passwords that cannot be guessed. Change the default database prefix to a random one. Limit multiple login attempts, including password resets. This also provides security for an e-mail account. To prevent unauthorized users from accessing the account, avoid sending login details by email.
3. Regularly install Updates –
Most software companies avoid installing regular updates as they are expensive, but this can be a costly mistake: delaying an update leaves you vulnerable to attack by hackers, who scan websites at tremendous speed looking for vulnerabilities to break in through.
4. Secure your network-
To ensure that computer users in your office do not provide an easy access route to your website servers, follow these steps:
- Logins should expire after short periods of inactivity.
- Users should change their passwords frequently.
- Strong passwords should be used, and they should NOT be written down.
- Scan all devices for malware each time they are plugged in.
5. A web application firewall should be installed-
A Web Application Firewall (WAF) is a software- or hardware-based firewall that sits between your website server and the data connection. It reads every bit of data that passes through it. Once installed, this firewall blocks hacking attempts and filters out other unwanted traffic such as spam or malicious bots.
6. Admin pages should not be visible to hackers-
If you exclude admin pages in the robots.txt file, search engines will not list them. Pages that are not indexed cannot be found by hackers.
7. File uploads should be limited-
However thoroughly a file upload is checked by the system, bugs can get through and give hackers unlimited access. To prevent direct access to any uploaded file, store it outside the root directory, and use a script to access it as needed.
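One way to implement the two rules above, as an added example written for this page rather than code from the page's author, is shown below in Python: uploads are written to a directory outside the web root under random names, and the only read path is a function that resolves an opaque token. The extension allow-list, the directory name and the sample file are assumptions made for the example.

```python
import os
import secrets
import tempfile

# Assumed policy: only these extensions may be uploaded.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf"}


class UploadStore:
    """Keeps uploaded files outside the web root under random names.

    Nothing in base_dir is served by the web server directly; the only way to
    read a file back is fetch() with the opaque token returned by save().
    """

    def __init__(self, base_dir):
        self.base_dir = base_dir   # e.g. /var/app/uploads (assumed), not under the document root
        self._index = {}           # token -> (original file name, path on disk)

    def save(self, original_name, data):
        # Drop any directory part the client sent; only the base name is kept, and only as metadata.
        clean_name = os.path.basename(original_name)
        ext = os.path.splitext(clean_name)[1].lower()
        if ext not in ALLOWED_EXTENSIONS:
            raise ValueError("file type not allowed")
        token = secrets.token_urlsafe(16)                  # unguessable, not derived from the input
        stored_path = os.path.join(self.base_dir, token)   # the on-disk name carries no user input
        with open(stored_path, "wb") as fh:
            fh.write(data)
        self._index[token] = (clean_name, stored_path)
        return token

    def fetch(self, token):
        """Script-mediated access: returns (original name, bytes) for a known token."""
        entry = self._index.get(token)
        if entry is None:
            raise KeyError("unknown upload")
        clean_name, stored_path = entry
        with open(stored_path, "rb") as fh:
            return clean_name, fh.read()


def demo(base_dir=None):
    """Saves a constructed upload whose name carries a directory part, reads it back,
    and reports whether the file really landed directly inside base_dir."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="uploads-")
    store = UploadStore(base_dir)
    token = store.save("../../report.pdf", b"%PDF-1.4 constructed sample")
    name, data = store.fetch(token)
    stored_path = store._index[token][1]
    return {
        "token": token,
        "name": name,
        "data": data,
        "stored_in_base_dir": os.path.dirname(stored_path) == base_dir,
    }


if __name__ == "__main__":
    print(demo())
```

The client never learns a path, only the token, so there is nothing to request from the web server directly; the allow-list check rejects anything that is not one of the expected document types before a byte is written.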
8. Use SSL-
One way to prevent information from being read in transit or accessed without authority is to use SSL encryption.
9. Avoid the use of auto-fill in forms-
Auto-fill-enabled forms on your website make it prone to attacks from a user's stolen phone or computer. Therefore, auto-fill should be avoided.
10. Back-up frequently-
Backing up everything is recommended so that you don't lose data if your hard drive fails. You will need to back up on-site and off-site, multiple times a day, at multiple locations.
11. Choose a Web Host carefully to sign up for-
There are different types of web hosts available, each with unique features. It is recommended that you select a host with security features that can protect your uploaded website data. Opt for a web host that offers Secure File Transfer Protocol (SFTP), which ensures safe uploading. Many hosts also offer file backup services. Hosts also publish a public security policy showing that they keep up with security upgrades.
12. Cross-site scripting (XSS)-
13. Server-side/form validation-
Validation should be done on both the server side and the browser side. The browser detects failures such as empty mandatory fields or text entered into a numbers-only field.
Using complex passwords is necessary not only for the admin area but also for user accounts, to ensure security.
It is a protocol that provides security over the Internet. It ensures that users are talking to the server they expect. It also secures the content in transit from interception.
16. Website security tools-
Using website security tools, or penetration testing, is one of the most effective ways of ensuring cyber security.
Various third party plugins/tools to make websites secure-
2. BulletProof Security
3. Sucuri Security
4. iThemes Security (formerly Better WP Security)
5. Acunetix WP SecurityScan
6. All In One WP Security & Firewall
7. 6Scan Security
How to secure a mobile application-
1. Build a Secure Mobile App:
Mobile malware attacks loopholes in the design and coding of mobile apps. Before exploiting a vulnerability, attackers acquire a public copy of the app and reverse engineer it. "Rogue apps" containing malicious code are embedded in popular apps; unsuspecting users install them and compromise their devices.
2. Ensure Security of the Device:
In order to ensure the security of the device, the mobile app sandbox must be intact. These devices should be restricted from accessing enterprise data.
3. Data should be secured by preventing data leakage and theft:
When mobile Apps access enterprise data, a lot of unstructured information and documents get stored in the device. Loss of the device or sharing of data with non-enterprise applications increases the potential for data loss.
4. Maintain Transaction Security:
The risk tolerance for transactions varies according to the transaction. While some transactions may be sensitive, others may be relatively low risk.
Organizations should follow an approach where client-side functionality is based on mobile risk factors such as device security, user location and network security.
Website Security testing can be done by-
1. Access to Application:
Roles and rights management is implemented to control access to the application, for both desktop applications and websites. Because it is tied to the application's functionality, it warrants thorough testing of all roles and rights.
Steps for this type of testing:
- The tester creates several user accounts with multiple roles.
- The tester uses the application through these accounts to verify that each role has access only to its own modules, screens, forms and menus.
- If there is any kind of conflict the tester should log a security issue.
So, essentially, this test verifies ‘who you are’ and ‘what you can do’ for distinct users.
There are authentication tests for checking password quality rules, tests for default logins, password recovery, testing Captcha, etc. Additionally, there are other authentication tests such as path traversal, tests for authorization, etc.
2. Data Protection:
For protecting data, the following measures are taken:
- The tester queries the database for the 'passwords' of user accounts, billing information of clients, etc., and verifies that all such sensitive data is saved in encrypted form in the DB.
- Data should be transmitted between different forms or screens only after encryption.
- The tester should make sure that the encrypted data is decrypted at the destination.
- Different submit actions should be given special attention.
- The tester must ensure that the information being transmitted between the client and server is not displayed in an understandable form in the address bar.
If any of the verifications in this checklist fail it indicates a security flaw.
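The first item of the checklist above (stored passwords must not be readable from the database) is illustrated by the following added Python example; it is written for this page and is not the page's or any product's code. It stores passwords as salted PBKDF2-HMAC-SHA256 records, verifies a login against such a record in constant time, and includes the tester's audit that flags any account whose stored credential is not in that form. The iteration count, salt length and record layout are assumptions for the example.

```python
import hashlib
import hmac
import os

# Assumed parameters: PBKDF2-HMAC-SHA256, 16-byte random salt, 600,000 iterations.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Returns a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    The plaintext is never stored; a fresh random salt means two users with the
    same password still get different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recomputes the digest with the stored salt and compares in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != ALGORITHM:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False  # malformed record (wrong field count, bad hex or iteration count)


def audit_password_column(rows):
    """Tester's check from the page: given (user, stored_value) rows queried from the
    user table, return the users whose stored credential is not a hashed record."""
    flagged = []
    for user, stored in rows:
        parts = stored.split("$")
        if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    record = hash_password("correct horse battery")
    print(record)
    print(verify_password("correct horse battery", record), verify_password("wrong", record))
    # Constructed rows: one hashed record and one plaintext value that the audit must flag.
    print(audit_password_column([("alice", record), ("bob", "hunter2")]))
```

A tester reading the column should see only records of the `pbkdf2_sha256$...` shape; a value such as `hunter2` in the constructed rows is exactly the finding the checklist item describes.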
3. Brute-Force Attack:
Brute force attack is accomplished using software tools. In this case, a valid user ID is used and repeated login attempts are made by guessing the associated password.
To ensure protection against a brute force attack, the tester must check that there is a mechanism for account suspension. For this, the tester can attempt logins with invalid user IDs and passwords alternately to confirm that the software application blocks the account after invalid credentials.
An application that accomplishes this is secure against the brute-force attack, else it is vulnerable to it.
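The following added Python example, written for this page and not taken from the page's author, shows the account-suspension mechanism that both the "limit multiple login attempts" advice earlier and the brute-force test above rely on, together with the tester's replay of a login sequence. The limits (5 failures, 15-minute lockout) and the injectable clock are assumptions made for the example.

```python
import time


class LoginGuard:
    """Suspends an account after too many failed logins.

    Assumed policy values: 5 failures lock the account for 15 minutes. The clock
    is injectable so the behaviour can be tested without waiting.
    """

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}      # user id -> number of consecutive failures
        self._locked_until = {}  # user id -> time at which the suspension ends

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:            # suspension has elapsed: clear it
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def attempt(self, user, password_ok):
        """Records one login attempt; returns 'ok', 'denied' or 'locked'."""
        if self.is_locked(user):
            # A locked account rejects even the right password, so the lock
            # does not reveal whether a guess happened to be correct.
            return "locked"
        if password_ok:
            self._failures.pop(user, None)   # success resets the counter
            return "ok"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_failures:
            self._locked_until[user] = self.clock() + self.lockout_seconds
            return "locked"
        return "denied"


def run_login_sequence(guard, user, results):
    """Tester's check: replay a sequence of attempt outcomes (True = correct password)
    against one user id and collect what the application answers each time."""
    return [guard.attempt(user, ok) for ok in results]


if __name__ == "__main__":
    guard = LoginGuard(max_failures=3, lockout_seconds=60)
    # Three wrong guesses, then the right password: the last one must still be refused.
    print(run_login_sequence(guard, "alice", [False, False, False, True]))
```

An application that behaves like the guard answers "locked" to the correct password once the threshold is reached; one that answers "ok" at that point has no suspension mechanism and fails the test.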
4. SQL Injection and XSS (cross site scripting):
In both of these hacking attempts, a malicious script is used to manipulate the website. There are several ways to protect against this type of attack. One of them is keeping field lengths small so that they cannot accommodate a script.
The tester must define the maximum lengths of input fields and implement them. He should ensure that this length prevents script input or tag input.
5. Session management:
A sequence of HTTP request and response transactions linked to the same user is termed a web session. Session management tests are carried out to verify how session management is handled in the web app.
The tester can test session termination after maximum lifetime, session expiry after idle time, test if a single user can have multiple simultaneous sessions, etc.
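To make the three checks just listed concrete, here is an added Python example (written for this page, not the page's or any framework's code) of a server-side session store that enforces an absolute lifetime, an idle timeout and a single live session per user, with a clock that can be injected so the tester can drive each expiry case. The policy values (8-hour lifetime, 15-minute idle timeout) are assumptions.

```python
import secrets
import time


class SessionManager:
    """Server-side session store enforcing the three checks the page lists.

    Assumed policy values: 8 hour absolute lifetime, 15 minute idle timeout,
    and one live session per user. The clock is injectable for testing.
    """

    def __init__(self, max_lifetime=8 * 3600, idle_timeout=15 * 60,
                 single_session=True, clock=time.time):
        self.max_lifetime = max_lifetime
        self.idle_timeout = idle_timeout
        self.single_session = single_session
        self.clock = clock
        self._sessions = {}   # session id -> {"user", "created", "last_seen"}
        self._by_user = {}    # user -> current session id

    def create(self, user):
        """Starts a session; with single_session the user's previous one is ended."""
        now = self.clock()
        if self.single_session and user in self._by_user:
            self._sessions.pop(self._by_user[user], None)
        sid = secrets.token_urlsafe(32)   # unguessable id, never derived from user data
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        self._by_user[user] = sid
        return sid

    def validate(self, sid):
        """Returns the user for a live session, or None (ending the session) if it is
        unknown, older than max_lifetime, or idle for longer than idle_timeout."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self.clock()
        too_old = now - entry["created"] > self.max_lifetime
        too_idle = now - entry["last_seen"] > self.idle_timeout
        if too_old or too_idle:
            self.destroy(sid)
            return None
        entry["last_seen"] = now
        return entry["user"]

    def destroy(self, sid):
        """Ends a session (logout or expiry)."""
        entry = self._sessions.pop(sid, None)
        if entry and self._by_user.get(entry["user"]) == sid:
            del self._by_user[entry["user"]]

    def live_sessions(self, user):
        """Tester's check: how many sessions does this user currently hold?"""
        return sum(1 for e in self._sessions.values() if e["user"] == user)


if __name__ == "__main__":
    clock = [0.0]
    mgr = SessionManager(max_lifetime=100, idle_timeout=30, clock=lambda: clock[0])
    sid = mgr.create("alice")
    clock[0] = 60
    print(mgr.validate(sid))   # None: idle for 60 s, beyond the 30 s idle timeout
```

Note that activity keeps a session alive only up to the absolute lifetime: the idle timer is reset on each request, but the creation time never is.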
6. Error handling:
Testing for error handling includes
1. Check for error codes:
There are certain error codes, such as 408 Request Timeout and 400 Bad Request, for which you need to make requests to the page in such a way that these codes are returned. The responses carry a message, and you need to ensure that this message does not contain information that can be used for hacking.
2. Check for stack traces:
This entails providing unexpected input to the application and checking whether the returned error message contains stack traces, which give hackers information about the application's internals.
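Both error-handling checks above are illustrated by the following added Python example, which is written for this page and is not the page's author's code. It contrasts a handler wrapper that returns the raw stack trace with one that logs the trace server-side under a reference id and sends only a generic message for the status code, plus the tester's scan for trace markers in a response body. The message table, the handlers and the leak markers are assumptions for the example.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")

# Generic client-facing messages for the status codes the page mentions (assumed wording).
GENERIC_MESSAGES = {
    400: "Bad Request",
    404: "Not Found",
    408: "Request Timeout",
    500: "Internal Server Error",
}


class HttpError(Exception):
    """Raised by handlers for expected client errors; carries only a status code."""

    def __init__(self, status):
        super().__init__(status)
        self.status = status


def unsafe_response(handler):
    """The failure mode a tester looks for: the raw stack trace goes back to the client."""
    try:
        return 200, handler()
    except Exception:
        return 500, traceback.format_exc()


def safe_response(handler):
    """Returns (status, body). Details are logged server-side under a reference id;
    the client only ever sees the generic message for the status code."""
    try:
        return 200, handler()
    except HttpError as err:
        return err.status, {"error": GENERIC_MESSAGES.get(err.status, "Error")}
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.error("unhandled exception ref=%s\n%s", ref, traceback.format_exc())
        return 500, {"error": GENERIC_MESSAGES[500], "ref": ref}


# Markers a tester scans response bodies for (assumed list; extend per platform).
LEAK_MARKERS = ("Traceback (most recent call last)", 'File "', "line ")


def leaks_internals(body):
    """Tester's check: does a response body contain stack-trace markers?"""
    text = body if isinstance(body, str) else str(body)
    return any(marker in text for marker in LEAK_MARKERS)


# Constructed handlers standing in for request handlers under test.
def crashing_handler():
    return 1 / 0            # an unexpected server-side exception


def bad_request_handler():
    raise HttpError(400)    # an expected client error


if __name__ == "__main__":
    print(safe_response(crashing_handler))
    print(leaks_internals(unsafe_response(crashing_handler)[1]))  # True
    print(leaks_internals(safe_response(crashing_handler)[1]))    # False
```

The reference id is what support staff use to find the full trace in the server log, so the client gets enough to report the problem but nothing about the code path that failed.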
7. Specific Risky functionalities:
Two risky functionalities are payments and file uploads.
Testing for payments entails testing for injection vulnerabilities, insecure cryptographic storage, buffer overflows, password guessing etc.
Testing for file uploads means ensuring that any malicious file upload is restricted.
Methods to test the Hosting server security-
Uploading files to your hosting account is done over File Transfer Protocol (FTP). FTP is a vulnerable protocol: its traffic can be intercepted. To close this vulnerability, SFTP (Secure File Transfer Protocol) should be used instead.
SSL (Secure Sockets Layer) provides encryption between the browser and the web server. Using an SSL certificate for personal, sensitive information ensures security. It is essential for an e-commerce site, as it protects the personal details of the customer.
Performing backups on a regular basis helps protect your site in case of a disaster or problem. However, you should not rely on your host for backups. There are some hosts who provide a tool to backup your site. You should be aware of the backup process of the host and location of the backup storage.
Server maintenance –
To limit the attacks, the host should ensure that the server is adequately maintained. A published security protocol by the host is a good indication that they are updated with upgrades and patches.
Although not exhaustive, these are some ways of ensuring cyber security of your systems, network and data. It is clear that maintaining a system that is safe from cyber attacks is vital for your business and your customers.