2015 is upon us and it’s time to start acting on those resolutions we have set for ourselves in the new year. One goal we should all have on our list is to make sure our websites and networks are as secure as possible. With sources reporting as much as a 75% increase in cyber attacks this past year alone, this is the time to ensure that your company’s website and data is safe and secure. Below is a list of tasks that will help you get a jump start on hackers and ensure that your website starts the year off right.
Update Your CMS
Whether your website is running an open source content management system (e.g. WordPress, Drupal) or a proprietary one (e.g. Adobe CQ5, ExpressionEngine), it’s important that you update your install with the latest releases and patches promptly. Software providers are constantly pushing out updated features and functionality, but you will likely find new and updated security patches and safeguards sprinkled in as well. You should get in the habit of reviewing your software providers change log as new versions are released so you know what security updates are being included.
It’s important to note that updating your CMS can sometimes cause unforeseen issues and should be done on separate copies of your site first, to ensure that they don’t adversely effect your set-up, and then deployed to your live environment.
Maintain Your Server
Your CMS isn’t the only way attackers can gain access to your website. The environment your website is hosted on must also be secured to prevent attackers from gaining access to your websites raw data and files. If you are using a fully managed hosting solution like WordPress VIP or a shared hosting environment like GoDaddy then you are covered as your provider will take care of your servers updates and security for you. However, if you are hosting your site on a cloud environment or dedicated/virtual private server (VPS) then the responsibility is yours.
As with your CMS, your server should also be updated regularly. Operating system patches are constantly being released and should be made to your server on a regular basis. Firewalls (software or hardware) are another good way to protect your servers by giving you fine grained control over who can access your website or server and what they can do. And finally, you should scan your server for vulnerabilities on a regular basis. Attackers commonly scan servers looking for weak spots, like open ports, they can exploit so it’s important for you to have the intel first so you can beat them to the punch.
Hackers can only attack what they can gain access too. One of the more restrictive, but effective, steps to take is to limit access to your websites server or CMS to select IP addresses. This means that only requests coming from a certain IP (like your offices) will be able to access your websites or servers controls. While this is an effective defense it’s important to mention that most internet access comes from shared IP addresses which means your trusted users won’t be able to access your systems from home or other locations without a dedicated IP.
Create Strong Password Policies
Every user account you create in your CMS or server adds one more potential vulnerability to your infrastructure. Once a hacker has determined a username they can easily run a dictionary attack and determine simple password without much trouble. Make sure that your users are doing their part to keep things secure by creating secure passwords. Policies can be created in most content management systems and servers requiring users create passwords of a certain length, containing symbols and special characters and that don’t contain common terms found in the dictionary.
Review User Permissions
One preventative measure to take, in the event that an attacker gains access to your website posing as one of your users, is to ensure that all users have only the permissions that they need. Too often users are given more permissions than they require to complete their jobs, being assigned admin or greater permissions. While you may trust the user you have given these permissions too, an attacker who gains access to this account now has more than enough permissions to take down your site. When adding users to your system you should always follow the principle of least privilege.
Enable Dual Factor Authentication
As an added layer of protection on the user side you should also enable dual factor or two-step authentication. Enabling this requires that users not only enter a password but also provide an additional credential (typically a numerical code) which is sent to them via SMS or email before gaining access. This requires that attackers posing as recognized users must also have access to that users phone or email account in addition to their password. Many content management systems have modules or plug-ins available for this or you can use a full service provider like Duo.