Information Security (InfoSec) for Websites

In today's online world, security is a major concern. The ease with which we can share information also means that there are ample opportunities for someone to get “hacked”.

While we can't guarantee that it won't happen, we can take several steps to reduce the chances of being hacked. Many of the attacks out there are automated scripts left to scour the internet looking for victims. Forbes online estimates that about 30,000 sites are hacked per day. Often, when these sites are hacked, it is not because they were somebody's direct target; it's because an automated scan crossed their path and found vulnerabilities in the software they run.

One question that I hear often is: “Why would someone want to hack my web site?” Since web sites started turning into web applications, such as Content Management Systems (CMSs), attackers realized that they could break into these sites and install various types of viruses, malware, phishing pages, etc... on the victim's server. People are then tricked (usually by email) into visiting the hacked page, where they are either infected or unsuspectingly divulge confidential information. You've probably seen emails from your banking institution asking you to click a link and verify your account information, or some variant of that. That link is likely pointing to a page buried deep in a legitimate web site that has been compromised. To an attacker, your site is valuable not for what it contains but for its server, its bandwidth and its good reputation.

So, really, what is Information Security?

Wikipedia defines it as the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that can be used regardless of the form the data may take (electronic, physical, etc...).

Essentially, this means that you take an active role in securing the resources of your site that are under your control. This can be achieved through a combination of techniques. Because information security is such a large topic, we'll discuss some security tips in a general sense. In future posts I'll go into more detail.

Secure Passwords

I know many are rolling their eyes because they've heard this repeatedly before. However, the simple fact is that many accounts are compromised because they used poor passwords. In my opinion, this is because strong passwords are very difficult to remember, especially when you have many different passwords to keep track of. Never reuse the same password on more than one site, either; one breach then unlocks all the others. For more information on secure passwords and how to remember them, see our blog article "The Weakest Link: Password Security."

Limiting Access to Your Protected Site

You want to limit who has access to the non-public portions of your site. This can be the administrative interface, web server control panel, FTP, web application directories, etc... If someone who had access is no longer with the company, or no longer needs access, then the account should be modified appropriately (deleted, suspended, admin roles removed, etc...). Give each person their own account rather than a shared login, so that one person's access can be revoked without changing a password that everyone else uses.

File and Directory Permissions

Each file and directory has access permission information applied to it. If these permissions are not set correctly, they can be problematic. Some users are even tempted to open them up to the world to get around these issues (777), which lets any account on the server, including a compromised neighbouring site on shared hosting, write to those files. For a typical site the correct permissions are 644 for files and 755 for directories: the owner can write, and everyone else can only read (and, for directories, enter). Only the directories the web server genuinely needs to write to (an uploads folder, for example) should be more permissive, and that should be limited to exactly those paths. If these numbers don't mean much to you, contact your hosting provider; they should be more than happy to help you set them correctly.
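As an added example (not code from the original article or from PeaceWorks), the following POSIX shell script finds files and directories under a web root that are writable by everyone and resets only those to 644 and 755. It assumes the files belong to the account that edits the site and that the web server runs as a different user that only needs to read; the small tree it builds for the demo is constructed, not a real site.

```shell
#!/bin/sh
# Added example, not code from the original article or from PeaceWorks.
# Audits a web root for world-writable files and directories (the 777 / 666
# mistake described above) and resets them to the 644 / 755 defaults.
#
# Assumptions (not stated on the page): the files are owned by the account
# that edits the site, the web server runs as a different user that only
# needs to read files and enter directories, and any directory the server
# must write to is handled separately rather than by opening the whole tree.

# Print every file or directory under $1 whose mode grants write to "other"
# (octal 002 set, e.g. 666 or 777). Prints nothing when the tree is clean.
find_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) -print
}

# Number of such paths, for a quick pass/fail check from a cron job.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Reset only the offending paths to the recommended modes:
#   directories 755  (owner rwx, group r-x, other r-x)
#   files       644  (owner rw-, group r--, other r--)
# Paths that are already tighter than that (a 600 config file holding the
# database password, for instance) are left exactly as they are.
fix_permissions() {
    find "$1" -type d -perm -002 -exec chmod 755 {} +
    find "$1" -type f -perm -002 -exec chmod 644 {} +
}

# Build a small constructed web root in a temporary directory so the
# functions above can be exercised without touching a real site.
# Echoes the path; the caller removes it when done.
make_sample_tree() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/uploads" "$sample_root/includes"
    echo '<html></html>'           > "$sample_root/index.html"
    echo 'DB_PASSWORD=constructed' > "$sample_root/config.php"
    echo 'not really a jpeg'       > "$sample_root/uploads/photo.jpg"
    chmod 755 "$sample_root" "$sample_root/includes"
    chmod 777 "$sample_root/uploads"           # the "open it to the world" mistake
    chmod 644 "$sample_root/index.html"
    chmod 600 "$sample_root/config.php"        # deliberately tighter than 644
    chmod 666 "$sample_root/uploads/photo.jpg" # world-writable file
    printf '%s\n' "$sample_root"
}

# Run the script with --demo to see the audit and the fix on the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    demo_root=$(make_sample_tree)
    echo "World-writable before the fix:"
    find_world_writable "$demo_root"
    fix_permissions "$demo_root"
    echo "World-writable paths after the fix: $(count_world_writable "$demo_root")"
    rm -rf "$demo_root"
fi
```

On a real site, point `find_world_writable` at the web root first and read the list before running `fix_permissions`; a directory that shows up because the web server legitimately writes there should be given to the server's own user or group instead of being left open to everyone.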

Update software regularly (web, server and your computer)

Chances are your hosting provider already handles and applies operating system and web server software updates. However, this does not include your web site or its content; keeping the software that makes up your site up to date is your responsibility. Content Management Software like Drupal or WordPress, together with its themes, plugins or modules (or any other software or library), will have fixes and updates periodically released that fix bugs and security flaws. A site that is not up to date has a greater risk of being compromised, because once a flaw is public the automated scanners mentioned above start looking for sites still running the old version.

Backups

When all else fails and your site has been compromised, you turn to your backups. You have backups, right? As stated before, there's no silver bullet to ensure that you'll never be hacked, so it's important to have a Plan B. Having daily backups working means that you can quickly get up and running again. But is a daily backup enough? What if your site was actually compromised a few days ago, and every backup taken since then contains the attacker's changes? How far back do you keep backups for? A backup you have never restored from is also one you can't rely on, so test a restore from time to time. You may want to have a discussion with your web hosting provider about what options they have for extended backups. Feel free to refer to our blogs on backups: "PeaceWorks Online Backup" and "When Backups are not Enough: Failover Server Design".

Most hosting providers take backups, but that's often for their own disaster recovery purposes and may not suit your needs. They may have other options available at a reasonable cost. Believe me when I say it's worth the cost. I've seen far too often what happens when people don't have proper backups in place.

Multiple Websites? Don't Share Databases.

A common feature of web software is to allow users to share one database (and usually one database account) among various sites. Security-wise, this is not a good idea. If one of those sites were to become compromised, the attacker would have the same access to every other site's tables and could read, alter or delete their data as well. Give each site its own database and its own database user with privileges only on that database, so that a break-in stays contained to the one site.

Monitoring Log Files.

Your web server has much to tell you. Listen to what it has to say. Log files are critical to understanding what is happening on your server. Not only do they provide usage statistics, they can also help you determine if your site is, or was, under attack. The web server provides two main log files, an access log and an error log. In addition, your web software may provide additional logging and accounting. A few patterns are worth looking for: one address generating a long run of 404 "not found" responses for pages you never had (a scanner probing for known software), repeated POSTs to your login page from one address (password guessing), and requests whose path contains "../" (attempts to read files outside the web root).
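The following shell functions are an added example, not code from the original article or from PeaceWorks. They run over an access log in the common "combined" format (an assumption about how the server is configured) and pull out the three patterns just described; the log lines they are tested against are constructed for the demo, not real traffic.

```shell
#!/bin/sh
# Added example, not code from the original article or from PeaceWorks.
# Three small checks over an Apache/nginx "combined" format access log that
# surface the attack patterns described above. Only awk and sort are used,
# so this runs on a typical shared host without installing anything.
#
# Assumption (not stated on the page): the log is in combined format, where
# field 1 is the client address, field 6 the method (with a leading quote),
# field 7 the request path and field 9 the HTTP status code.

# Addresses that produced more than $2 (default 5) "404 Not Found" responses
# in log $1, printed as "count address", busiest first. A run of 404s for
# pages you never had is the signature of a scanner probing for known software.
scanner_sources() {
    awk -v min="${2:-5}" '$9 == 404 { n[$1]++ }
        END { for (ip in n) if (n[ip] > min) print n[ip], ip }' "$1" | sort -rn
}

# Addresses that POSTed to a login page at least $2 (default 3) times:
# password guessing against WordPress (wp-login.php) or Drupal (/user/login).
login_attempts() {
    awk -v min="${2:-3}" '$6 == "\"POST" && $7 ~ /wp-login\.php|\/user\/login/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' "$1" | sort -rn
}

# Requests whose path contains a directory traversal sequence ("../" or its
# URL-encoded form), printed as "address path". Any hit deserves a look.
traversal_requests() {
    awk '$7 ~ /\.\.\/|\.\.%2[fF]/ { print $1, $7 }' "$1"
}

# A constructed access log (not real traffic) with a normal visitor, a
# scanner, a password guesser and one traversal attempt. Echoes its path.
make_sample_log() {
    sample_log=$(mktemp)
    cat > "$sample_log" <<'EOF'
198.51.100.7 - - [12/Mar/2014:09:15:01 -0400] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2014:09:15:04 -0400] "GET /about HTTP/1.1" 200 3410 "http://example.org/" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2014:09:15:09 -0400] "GET /old-news HTTP/1.1" 404 214 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2014:09:16:30 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.org/wp-login.php" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2014:09:20:01 -0400] "GET /phpmyadmin/ HTTP/1.1" 404 214 "-" "-"
203.0.113.9 - - [12/Mar/2014:09:20:01 -0400] "GET /admin/ HTTP/1.1" 404 214 "-" "-"
203.0.113.9 - - [12/Mar/2014:09:20:02 -0400] "GET /backup.zip HTTP/1.1" 404 214 "-" "-"
203.0.113.9 - - [12/Mar/2014:09:20:02 -0400] "GET /old/wp-login.php HTTP/1.1" 404 214 "-" "-"
203.0.113.9 - - [12/Mar/2014:09:20:03 -0400] "GET /.git/config HTTP/1.1" 404 214 "-" "-"
203.0.113.9 - - [12/Mar/2014:09:20:03 -0400] "GET /config.php.bak HTTP/1.1" 404 214 "-" "-"
203.0.113.9 - - [12/Mar/2014:09:20:04 -0400] "GET /index.php?page=../../../etc/passwd HTTP/1.1" 400 0 "-" "-"
192.0.2.44 - - [12/Mar/2014:09:31:10 -0400] "POST /wp-login.php HTTP/1.1" 200 2890 "-" "python-requests/2.2"
192.0.2.44 - - [12/Mar/2014:09:31:11 -0400] "POST /wp-login.php HTTP/1.1" 200 2890 "-" "python-requests/2.2"
192.0.2.44 - - [12/Mar/2014:09:31:12 -0400] "POST /wp-login.php HTTP/1.1" 200 2890 "-" "python-requests/2.2"
192.0.2.44 - - [12/Mar/2014:09:31:13 -0400] "POST /wp-login.php HTTP/1.1" 200 2890 "-" "python-requests/2.2"
EOF
    printf '%s\n' "$sample_log"
}

# Run the script with --demo to see all three checks over the constructed log.
if [ "${1:-}" = "--demo" ]; then
    demo_log=$(make_sample_log)
    echo "Scanners (404 count, address):";         scanner_sources "$demo_log"
    echo "Login guessing (POST count, address):";  login_attempts "$demo_log"
    echo "Traversal attempts (address, path):";    traversal_requests "$demo_log"
    rm -f "$demo_log"
fi
```

Against a real log the call looks like `scanner_sources /var/log/apache2/access.log 20` (that path is the Debian default and an assumption; your host may keep logs elsewhere). The thresholds are starting points: a busy site with many broken inbound links will need a higher 404 cut-off, and a site with no logged-in users can treat even one POST to the login page as worth a look.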

In summary, keeping backups, applying security updates promptly, and using secure passwords are just some of the things you can do to take proactive action toward information security. In my future posts we'll dive into these sub-topics in more detail.
