Dark Reading

Risk

7/1/2011 10:45 AM

4 Tips: Make Your SMB Website More Secure

Expert advice on how small and midsize businesses can build websites that are well protected against attack, and keep them that way.

There are many facets of a complete security plan, but smaller businesses that rely heavily on their websites for revenue need to pay particular attention to protecting them.

You need look no further than recent hacking headlines to understand why. Alan Wlasuk, CEO of 403 Web Security, offers four key areas for SMBs to consider when building and maintaining secure websites.

Make Security Part of Web Development

If you're building a site now, make security part of the project plan. In an interview, Wlasuk recommended running an automated vulnerability scan of the site before it launches to identify potential holes. He distinguishes this from antivirus and similar security software: a scan is closer to launching a simulated attack, thousands of them in fact, against the site to see whether any succeed. (Some security firms, Wlasuk's among them, offer free versions of these scans.)

"They don't cover the entire world of security for the website, but they'll give you a clear indication of whether you've got a relatively solid site or if you're in deep trouble to start off with," Wlasuk said. "It's a must for anybody putting together a new site."

Wlasuk advises SMBs that are planning to hire an outside Web development firm to make security part of the selection process; interview potential vendors on their security approach in the same way that you'd ask about design or functionality.

If you've already launched? It's not too late: run a vulnerability scan anyway to find exploitable flaws in the code. If it turns up problems, Wlasuk said, fix the most serious ones first and work your way down the list.

"Make sure that you're not opening yourself up for the kiddie scripters to just walk in and have a good time because they can," Wlasuk said. "Make it hard for someone to get into the site--if you're not the low-hanging fruit, they'll go after someone else."
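As an added illustration of what a "simulated attack" scan actually does (this is example code written for this page, not a scanner from 403 Web Security or anything the article itself shows), the Python below fires two probes, one for reflected cross-site scripting and one for a leaked SQL error, at a constructed in-process product-search handler. The handler, its SQLite table and the probe payloads are assumptions made up here so the scan runs offline; a real scanner sends thousands of probes over HTTP to a live site.

```python
"""Minimal 'simulated attack' scan, as an illustration of what an automated
vulnerability scanner does. Added example for this page; it is not code from
403 Web Security or from the article. The 'site' is a pair of in-process
request handlers constructed here so the scan runs offline; a real scanner
sends the same kind of probes over HTTP and has thousands of them, not two."""
import html
import re
import sqlite3
from typing import Callable, Dict, List, Tuple

Handler = Callable[[Dict[str, str]], Tuple[int, str]]

# Each probe: (finding name, payload, pattern whose presence in the response means it 'worked').
MARKER = "zz9qscan"  # unlikely to appear in a page by accident
PROBES = [
    # Unescaped reflection of a tag with an event handler => reflected XSS.
    ("reflected_xss", f'<svg onload="{MARKER}">', re.compile(rf'<svg onload="{MARKER}">')),
    # A lone quote breaks string-concatenated SQL; a leaked DB error confirms it.
    ("sql_error", "'", re.compile(r"OperationalError|unrecognized token|syntax error", re.I)),
]


def scan(handler: Handler, param: str = "q") -> List[str]:
    """Send every probe as the value of `param`; return the names of probes that succeeded."""
    findings = []
    for name, payload, signature in PROBES:
        _status, body = handler({param: payload})
        if signature.search(body):
            findings.append(name)
    return findings


# --- Constructed sample 'site': a product search page, in two versions ---------------
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE products (name TEXT)")
DB.executemany("INSERT INTO products VALUES (?)", [("widget",), ("gadget",)])


def vulnerable_search(params: Dict[str, str]) -> Tuple[int, str]:
    """Typical launch-day mistakes: SQL built by string formatting, the raw
    database error shown to the visitor, and the query echoed back unescaped."""
    q = params.get("q", "")
    try:
        rows = DB.execute(f"SELECT name FROM products WHERE name = '{q}'").fetchall()
    except sqlite3.Error as exc:
        return 500, f"<h1>Error</h1><pre>{type(exc).__name__}: {exc}</pre>"
    items = "".join(f"<li>{r[0]}</li>" for r in rows)
    return 200, f"<p>Results for {q}:</p><ul>{items}</ul>"


def hardened_search(params: Dict[str, str]) -> Tuple[int, str]:
    """Same page with a parameterized query, a generic error page, and HTML escaping."""
    q = params.get("q", "")
    try:
        rows = DB.execute("SELECT name FROM products WHERE name = ?", (q,)).fetchall()
    except sqlite3.Error:
        return 500, "<h1>Error</h1><p>Something went wrong.</p>"
    items = "".join(f"<li>{html.escape(r[0])}</li>" for r in rows)
    return 200, f"<p>Results for {html.escape(q)}:</p><ul>{items}</ul>"


if __name__ == "__main__":
    print("vulnerable:", scan(vulnerable_search))  # ['reflected_xss', 'sql_error']
    print("hardened:  ", scan(hardened_search))    # []
```

Run against the vulnerable handler the scan reports both findings; against the hardened one it reports none. That is exactly the limit Wlasuk describes: a clean result from two probes, or from thousands, says nothing about authorization checks, session handling or business-logic flaws, so treat a scan as a floor rather than a certificate.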

Keep Employees in the Know

Time and again, people turn out to be the least predictable threat vector, whether through a social engineering scam, a phishing attack, or simply an employee who thinks they're doing the right thing when in fact they're handing over the keys to the corporate castle.

Invest in educating employees on current security threats and best practices; you can't completely eliminate human error, but you can mitigate it. For website security, Wlasuk recommends a "trust but verify" approach: don't be paranoid or undermine your company culture, but make sure the trust is well placed. In practice, if staffers don't need access to the content management system or its databases, don't give it to them, and treat website administrative credentials as the valuable company assets they are.

"Minimally, gather up your staff and tell them what social engineering's all about," Wlasuk said, adding that there are plenty of examples that function as entertaining cautionary tales for presentation purposes. "Have a casual conversation, do a lunch-and-learn--do something so that people aren't totally unaware."

Treat Your Physical Office Like an "Attack Surface"

Just as your website can have backdoors inviting attackers in, so can your physical office. Wlasuk advises treating the office as an entry point to your website and, of course, to the entire corporate network: no Post-it notes with passwords, and no unattended live network jacks that let any laptop plug in and take a stroll through the network.

"We all know our offices are often in disarray," Wlasuk said. This makes SMBs particularly prone to social engineering attacks. "The cleaning people are going to let anybody with a tie in that says they work for the company, and those people are going to sit down and try to figure out where your vulnerabilities are."

Wlasuk poses a question for SMB owners and managers to ask themselves: "Is silly stuff just hanging out there for anybody to pick up on and use against you within your office?"

Have a Long-Term, Calendared Plan

Website security isn't a set-it-and-forget-it proposition; the threats change on a regular basis. Automated vulnerability scans should be a part of an ongoing security plan, according to Wlasuk; he advises running checks at least every three to six months.

"The world will change," he said. "The hackers get more clever, or your website changes."

Like other security pros, Wlasuk is adamant that SMBs stay on top of security patches for their operating system and other business-critical applications; if you use a commercial (or even free) content management system to administer your website, don't fall behind on software updates.

Periodically review employee authorization for website management, too.

"Make sure the people who have access are the people who really need it," Wlasuk said. "You do not want your entire staff to have the ability to update your website because they can unknowingly introduce all sorts of flaws--or sometimes, unfortunately, knowingly can. Only allow your most trusted people into places where they can cause security risks."
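One way to make that periodic review mechanical, as an added example written for this page rather than anything from the article or 403 Web Security: list every CMS account with the role it holds, the role the person's job actually needs, and when it was last used, then flag shared logins, over-privileged roles and access nobody has used. The role names, the 90-day idle threshold and the sample accounts are assumptions constructed here.

```python
"""Periodic review of who can administer the website. Added example for this
page, not from the article or 403 Web Security; the role names, the 90-day
threshold and the sample accounts are assumptions constructed here."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Rough ordering of power; substitute the CMS's own role names.
ROLE_RANK = {"none": 0, "viewer": 1, "editor": 2, "admin": 3}


@dataclass
class Account:
    user: str
    role: str                  # role currently granted in the CMS
    needed: str                # most powerful role the person's job actually requires
    last_login: Optional[date]
    shared: bool = False       # generic logins such as 'webteam' used by several people


def review(accounts: List[Account], today: date, stale_days: int = 90) -> List[Tuple[str, str]]:
    """Return (user, action) pairs for every account that violates least privilege:
    shared logins, roles above what the job needs, and unused-but-enabled access."""
    actions = []
    cutoff = today - timedelta(days=stale_days)
    for a in accounts:
        if a.shared:
            actions.append((a.user, "replace shared login with named accounts"))
        if ROLE_RANK[a.role] > ROLE_RANK[a.needed]:
            actions.append((a.user, f"downgrade {a.role} -> {a.needed}"))
        if a.role != "none" and (a.last_login is None or a.last_login < cutoff):
            actions.append((a.user, f"disable: no login in {stale_days} days"))
    return actions


# Constructed sample data, dated to the article.
TODAY = date(2011, 7, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "admin", "admin", date(2011, 6, 28)),          # fine as is
    Account("bob", "admin", "editor", date(2011, 6, 21)),           # over-privileged
    Account("carol", "editor", "editor", date(2010, 12, 1)),        # stale
    Account("webteam", "admin", "editor", date(2011, 6, 30), shared=True),
    Account("dave", "editor", "viewer", None),                      # never logged in
]


def run_review() -> List[Tuple[str, str]]:
    return review(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for user, action in run_review():
        print(f"{user:8} {action}")
```

The output is a to-do list, not an automatic change: a person still decides whether carol's editor role is really idle or just seasonal. The point is that the review runs on a calendar, like the scans, so privilege that was once needed does not quietly become permanent.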


Comments

ambreen11 (User Rank: Apprentice), 12/26/2012 7:05:56 AM, re: 4 Tips: Make Your SMB Website More Secure
Sometimes no matter how much time you spend securing and policing your site, hackers find a way in. So backup your site regularly and keep those backups off your server. Then, if your site is hacked, you can return to normal operations quickly by restoring files and site content. Thanks
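Following on from the comment above, an added example (not the commenter's or the article's code) of the two things that make a backup useful in the scenario it describes: knowing the copy is intact, and having already proved you can restore it. The site files are constructed, "off-server" storage is stood in for by a second local directory, and the archive layout and manifest name are assumptions made here.

```python
"""Site backup with an integrity manifest and a restore drill. Added example for
this page, not from the commenter or the article. 'Off-server' storage is stood
in for by a second local directory; in practice dest_dir is mounted remote
storage, and the manifest should also be kept (or signed) somewhere the web
server cannot write to."""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(site_dir: Path, dest_dir: Path, label: str) -> Path:
    """Archive every file under site_dir into dest_dir/<label>.tar.gz together
    with MANIFEST.json mapping each relative path to its SHA-256."""
    manifest = {p.relative_to(site_dir).as_posix(): _sha256(p)
                for p in sorted(site_dir.rglob("*")) if p.is_file()}
    archive = dest_dir / f"{label}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(site_dir / rel, arcname=rel)
        data = json.dumps(manifest, indent=1).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return archive


def restore(archive: Path, target: Path) -> Dict[str, str]:
    """Unpack the archive into target and return its manifest."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(target, filter="data")  # rejects '..' and absolute member paths
        except TypeError:                           # Python without the filter argument
            tar.extractall(target)
    return json.loads((target / "MANIFEST.json").read_text())


def verify(manifest: Dict[str, str], target: Path) -> List[str]:
    """Return the relative paths that are missing or whose contents differ from the manifest."""
    return [rel for rel, digest in manifest.items()
            if not (target / rel).is_file() or _sha256(target / rel) != digest]


def drill() -> Dict[str, List[str]]:
    """Restore drill on a constructed two-file site: back it up, restore it into
    a fresh directory, verify, then tamper with one restored file to show the
    check catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        site, offsite, restored = root / "site", root / "offsite", root / "restored"
        for d in (site, offsite, restored, site / "css"):
            d.mkdir()
        (site / "index.html").write_text("<h1>Shop</h1>")
        (site / "css" / "style.css").write_text("h1 { color: navy; }")
        archive = make_backup(site, offsite, "site-2011-07-01")
        manifest = restore(archive, restored)
        clean = verify(manifest, restored)
        (restored / "index.html").write_text("<h1>Defaced</h1>")
        return {"clean": clean, "tampered": verify(manifest, restored)}


if __name__ == "__main__":
    print(drill())  # {'clean': [], 'tampered': ['index.html']}
```

Two caveats a practitioner would add: a backup taken after the intrusion captures the attacker's changes too, so keep several generations and check the manifest of the one you restore against a copy held off the server; and a backup that has never been restored is an assumption, which is why the drill is part of the example rather than an afterthought.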