For small businesses in particular a leak of data or financial information would seriously damage reputation and cause financial setbacks that it could be impossible to recover from.
Cyber security needs to be one of the highest priorities of any business as security threats are constant and hackers will attempt to breach the security of your site. For small businesses in particular a leak of data or financial information would seriously damage reputation and cause financial setbacks that it could be impossible to recover from.
It is imperative that businesses protect their sites and keep them as secure as possible, today with an SQL injection hack your site could be compromised without you even knowing. With that in mind, here are 10 tips to help you prevent your small business site from being hacked.
A lot of attacks occur because of errors in programming. Unprofessional programming can be a weak point for small and large businesses and it’s a problem that can easily be avoided by checking and improving your coding.
The practice of hardening your computer by keeping software updated and removing any unnecessary software needs to be done on every level; operating system level, applications level, sever level, network access level etc. Remember when holes are found in software security hackers will quickly move in on the opportunity.
SSL (Secure Sockets Layer) is a protocol used to provide security over the internet. The browser effectively requests the security certificate of the site and allows access to the server if the site is deemed secure. It is a good idea to use a security certificate whenever you are passing personal information between the website and web server or database.
One major weak place to check is areas where you have inserted standard Transact SQL as rogue code can easily be entered here. Always use parameters so that hackers cannot manipulate data fields. Most web languages have the parameterised queries feature and it’s easy to use.
Allowing users of your site to upload files is a massive potential security risks no matter the size and nature of the files there is always a chance that an uploaded file contains a script that when run opens up your whole website. The best way to stop this is to stop uploaded files from being executed, the best solution is to prevent direct access to any uploaded files. If you do allow uploads always use a secure transport system like SFTP or SSH.
If possible, have your database running on a different server to that of your web server. This means the database server cannot be accessed directly from the outside world, it can only be accessed via your web server which greatly minimises the risk of your data being exposed. It is important that you also think about the security of the physical server and that you have restricted access in place
Passwords need to be strong, containing a mix of numbers, letters, special characters and capital letters. The passwords you sue should be unique to your site, changed frequently and not stored in shared/online storage. Whilst you may know to keep your passwords secure it is also important to remind your customers to do the same. Make the password restrictions longer and stronger on your site, ultimately it does the customers a favour as it protects their data even if they are upset they can’t use their regular 1234!
Keep error messages as discreet as possible, not giving too much information away. This is particularly important on login checks where your site may throw up ‘incorrect password’ or ‘incorrect username’. It is more secure to use language like ‘incorrect login’ as this doesn’t reveal to the user which part of the login was wrong thereby stopping a brute force hacker finding out whether they have one part of the login correct.
The introduction of two-factor authentication is becoming more widespread as a better way of protecting logins and stopping hackers. This involves the receipt of another code or number via text for example to form the second part of the login. This helps the customer and yourselves as it protects everyone’s data and helps to ensure only legitimate customers are accessing your site.
The best way to check the security of your site is to test it using website security tools. These tools work like a hacker, attempting to exploit code problems with SQL injections etc. There are various tools on the market and we offer a full service on this which you can find out about here.
DigitalXRAID was formed to protect businesses of any size. We specialise in vulnerability management, information security and penetration testing. For help with any of these areas contact us to discuss our security packages. We would love to help you protect your website(s).