10 Website Security Best Practices You Can Implement Today
According to a recent Global Security Study from Citrix conducted by the Ponemon Institute, 69 percent of respondents believe some of their organization’s existing security solutions are outdated and inadequate. This is particularly problematic when looking at the state of cybersecurity where many vulnerabilities could be fairly easily eliminated. In order to help businesses strengthen their security profile and reduce vulnerabilities, here are 10 website security best practices that can be implemented today.
BEST PRACTICE #1: ENCRYPTION VIA HTTPS IMPLEMENTATION
While HTTP was conceived as a means to transfer information on the internet, HTTPS provides some important security aspects for businesses and their end users. Overall, the HTTPS authentication spec defines a series of mechanisms to identify users and parties (via credentials).
The main benefit of HTTPS is that encryption makes your site more secure for your users when they provide any sort of information, such as PCI data. Because attackers don’t have the encryption key, it prevents “man in the middle” attacks. HTTPS implementation provides a number of website security benefits, including assuring site visitors that:
- The site they are on is actually the site the URL says it is
- The content on the site has not been changed in any way by anybody other than the site owner
- Any information shared between the visitor and the site through a contact form or reservation signup will not end up in the hands of a third party
- The visitor’s browser history is not being tracked by some unauthorized third party
- Any payment gateways on the site are secure
BEST PRACTICE #2: SECURE SOCKETS LAYER (SSL) CERTIFICATES
Secure Sockets Layer (SSL) is the protocol that HTTPS uses, so installing an SSL certificate on your site enables the use of HTTPS. All SSL certificates encrypt data sent from a customer’s browser to a company’s server. Encryption ranges anywhere from 128-bit to the recommended 256-bit. In today’s increasingly treacherous online world, the higher the encryption, the better.
BEST PRACTICE #3: MULTIFACTOR AUTHENTICATION (MFA) WITH SINGLE SIGN-ON (SSO)
Multifactor authentication (MFA) is a security practice that goes beyond the basic requirement by having website users provide an additional form of authentication to log in along with their standard user name and password. This is normally accomplished through an SMS message, a voice message, or a one-time code generated via an application on a user’s mobile phone.
MFA also can and should include more advanced website security methods, such as biometrics, GPS location, or a hardware token, but those can take more time and effort to implement. There are numerous MFA solutions available that can be incorporated into website security for customer and end-user access to a variety of services or applications. The addition of single sign-on (SSO) enables web users who need access to cloud applications, networks, and other business systems via the web to use a single sign-on rather than multiple sign-on steps as they access other connected systems.
BEST PRACTICE #4: UPDATE PLATFORMS AND SCRIPTS
Keep installed platforms and scripts up to date to eliminate security loopholes that allow malicious hackers to take control of the website. Without regular maintenance to all components of a platform, urgent fixes for major user-facing problems can become a large undertaking very quickly. System administrators must subscribe to manufacturer support and product announcements to be aware of current available patches and have a protocol in place to implement them immediately.
BEST PRACTICE #5: INSTALL SECURITY PLUG-INS
According to the most recent survey, WordPress CMS is used by 59 percent of websites with a CMS, from those of individuals to those of the largest enterprises. The most common way that hackers enter a WordPress site is through outdated plug-ins or an outdated WordPress install. Consequently, it’s imperative to install security plug-ins wherever and whenever possible to actively prevent hacking attempts.
BEST PRACTICE #6: DILIGENCE, POLICIES, AND FIREWALLS FOR XSS ATTACK PREVENTION
While diligence in the coding process is the most important preventive measure, web application firewalls (WAFs) also play an important role in mitigating reflected XSS attacks. In addition, a robust Content Security Policy (CSP) allows specification of the domains that a browser should consider valid sources of executable scripts when on your page.
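The CSP point above, as an added example that is not part of the original article: a small auditor that parses a Content-Security-Policy header and reports script sources that defeat the restriction. The two policies and the host cdn.example.com are constructed samples, and the function names are illustrative.

```python
# Constructed sample policies (not from any real site).
WEAK_POLICY = "default-src *; script-src 'self' 'unsafe-inline' https: cdn.example.com"
STRICT_POLICY = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
                 "object-src 'none'; base-uri 'self'")

# Source expressions that undo the point of restricting script origins.
RISKY_SOURCES = {
    "*": "wildcard allows scripts from any origin",
    "'unsafe-inline'": "inline scripts run, so injected markup can execute",
    "'unsafe-eval'": "eval()-style string execution is allowed",
    "http:": "any plain-HTTP origin is allowed",
    "https:": "any HTTPS origin is allowed",
    "data:": "data: URLs can carry script",
}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers: the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_script_sources(header):
    """Return a list of findings about the script sources a policy permits."""
    policy = parse_csp(header)
    # Browsers fall back to default-src when script-src is absent.
    directive = next((d for d in ("script-src", "default-src") if d in policy), None)
    if directive is None:
        return ["no script-src or default-src: script origins are unrestricted"]
    sources = [s.lower() for s in policy[directive]]
    strict_inline = any(s.startswith(NONCE_OR_HASH) for s in sources)
    findings = []
    for source in sources:
        if source == "'unsafe-inline'" and strict_inline:
            continue  # ignored by browsers when a nonce or hash is present
        if source in RISKY_SOURCES:
            findings.append(f"{directive} {source}: {RISKY_SOURCES[source]}")
    return findings
```

Running audit_script_sources on WEAK_POLICY reports the 'unsafe-inline' and https: entries, while STRICT_POLICY produces no findings.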
BEST PRACTICE #7: IMPLEMENT PASSWORD MANAGERS
More than just having password generators, businesses should implement password managers that can provide a wealth of important features, including:
- Password generator
- Local-only key encryption with AES-256
- Automatic cloud credential backup
- Master key only visible to administrator
- Active Directory, LDAP, federated ID management, SIEM, and ticketing system integration
- Compliance report generation
- Employee provisioning and deprovisioning
- Key self-destruct settings
- FISMA, FIPS, HIPAA, and PCI compliance; SOC-2 certification
- Security audit capabilities
- 128-bit SSL for server communication
- SHA-512 hashing
While all of these features may not be included in a single password manager solution, most are available in the more robust offerings.
BEST PRACTICE #8: LOCK DOWN DIRECTORY AND FILE PERMISSIONS
Locking down your directory and file permissions can be somewhat involved depending on the size of your business and whether or not you have a qualified systems administrator. While file server resource managers (FSRMs) are designed to enable administrators to perform these functions, there are automated tools available that simplify the process in large organizations.
BEST PRACTICE #9: IMPLEMENT MOBILE DEVICE AND MOBILE APPLICATION MANAGEMENT
Where BYOD (“bring your own device”) policies are in place, managing access to corporate applications and data requires mobile device management (MDM) and mobile application management (MAM) tools to control approved application installation lists, as well as approved Wi-Fi access points. IT can also require users to employ PINs to access their devices.
BEST PRACTICE #10: IMPLEMENT BACKUP AND DISASTER RECOVERY MEASURES
Perform frequent backups, keep a copy of recent backup data off premises, and test backups by restoring your system to make sure the process works.
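The restore test described above, as an added example that is not part of the original article: it archives a directory, restores the archive to a scratch location, and compares SHA-256 digests file by file. The function names and the tar.gz format are assumptions chosen for illustration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            name = path.relative_to(root).as_posix()
            digests[name] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def create_backup(source_dir, archive_path):
    """Write a gzip-compressed tar archive of source_dir's contents."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".")


def verify_restore(archive_path, source_dir):
    """Restore the archive to a scratch directory and diff it against the source.

    Returns a sorted list of problems; an empty list means the restore matched.
    """
    expected = hash_tree(source_dir)
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            # The "data" filter (where available) rejects absolute paths and
            # members that would land outside the scratch directory.
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **opts)
        restored = hash_tree(scratch)
    problems = []
    for name in sorted(expected.keys() | restored.keys()):
        if name not in restored:
            problems.append(f"missing from backup: {name}")
        elif name not in expected:
            problems.append(f"not in source: {name}")
        elif expected[name] != restored[name]:
            problems.append(f"content differs: {name}")
    return problems
```

Keep the archive outside the directory being backed up so it is not included in itself, and treat any non-empty result as a failed backup test.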
Best practice standards and adherence for website security and mobile applications are only the beginning of an enterprise cybersecurity strategy. It’s important to remember that effective website security is an ongoing and evolving process that requires diligence, as well as the use of integrated forward-thinking tools that protect data, users, and customers.