Security: What to keep your eye on

Having good security is important but an organisation needs to be proactive, not simply relying on alerts from anti-virus software or other security solutions. At Lake Solutions, we can support your organisation by carrying out a security audit on your website. In addition, here’s a checklist of things you should consider.

Check your architectural security

What does your security look like from an architectural and hosting perspective? There are a number of questions you need to ask yourself: are your firewalls in place? Are your internal servers exposed to the web in any way, and thus at risk? How is your web infrastructure segmented from the rest of your network?

Man in the middle attacks

Is your internal process communication secure, and is your website encrypted and protected from so-called ‘man in the middle’ attacks? In these attacks, rather than communicating with the party you think you’re communicating with online, you’re actually talking to an attacker who sits between you and that party. For example, you might be browsing a shop site you think you trust, but the pages are being served by an attacker rather than the proper owner. You’ve now given your details to the attacker…

Look at your data flows

Take the time to review your data flows – where does data come from and where does it go across your website and your back office tools? Are you storing data that you don’t need to store? When it comes to any sensitive data within a company, it is very important to be careful about where the data ‘at rest’ is held. The more locations it sits in, the more difficult it is to protect. If a company has lots of silos of data, that’s not good.

Can you survive an SQL injection?

Is your site coded well against SQL (Structured Query Language) injection? This is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field. To succeed, an SQL injection must exploit an existing security vulnerability in the application’s software. SQL injection attacks allow attackers to spoof identity, tamper with existing data, obtain complete disclosure of all data on the system, or destroy the data or otherwise make it unavailable.

Follow the rules

Have you got good security policies and rules in place and, more importantly, do you and your team follow them? For instance, are your passwords as complex and strong as they can be? Make sure your team has regular cyber security training sessions and updates to remind them of their responsibilities and the importance of remaining vigilant.

Brute force

Are you protected against a brute force attack? This is when an attacker uses trial and error to guess log-in information or encryption keys, or to find a hidden web page. Attackers work through all the possible combinations in the hope that they will stumble upon the correct one. In theory, this could take a matter of seconds or many years, depending on the complexity of your password. It is possible to mitigate these attacks by locking the account after, say, three failed attempts. While this might be inconvenient if it’s a genuine mistake, it will stop repeated attempts to get in during such an attack.
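The lockout the paragraph suggests is simple to implement but has a few details worth getting right: the counter must be per account, the lock must refuse attempts before the password is checked (otherwise guessing continues during the window), and the lock should expire rather than be permanent. The following is an added example, not code from the Lake Solutions article; the user table, the fifteen-minute window and the injectable clock are constructed for the demonstration.

```python
# Added example (not from the Lake Solutions article): a per-account lockout that
# refuses further log-in attempts after three consecutive failures for a fixed
# window. The user table and clock are constructed so the block runs stand-alone.
import hmac
import time
from collections import defaultdict

MAX_FAILURES = 3            # the "say, three failed attempts" from the text
LOCKOUT_SECONDS = 15 * 60   # assumption: a temporary lock, not a permanent one

# Constructed sample credentials. A real system stores salted password hashes,
# never plain text; the plain value here only keeps the example short.
USERS = {"alice": "correct horse battery staple"}


def password_matches(account: str, password: str) -> bool:
    """Constant-time comparison so a wrong guess does not leak how close it was."""
    stored = USERS.get(account, "")
    return account in USERS and hmac.compare_digest(stored.encode(), password.encode())


class LoginLockout:
    """Tracks consecutive failures per account and enforces a lockout window."""

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._clock = clock                    # injectable so tests can advance time
        self._failures = defaultdict(int)      # account -> consecutive failures
        self._locked_until = {}                # account -> clock value when the lock expires

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:             # lock has expired: reset the counter
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def attempt(self, account: str, password: str) -> str:
        """Return "ok", "denied" or "locked".

        Locked attempts are refused without checking the password, so the
        correct password is also rejected until the window has passed.
        """
        if self.is_locked(account):
            return "locked"
        if password_matches(account, password):
            self._failures[account] = 0        # a success clears the streak
            return "ok"
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = self._clock() + self.lockout_seconds
            return "locked"
        return "denied"
```

Two practical notes. Every "locked" result should be logged with the source address, since a burst of lockouts across many accounts is itself a sign of an attack in progress. And because anyone who knows a username can trigger the lock by failing on purpose, a per-account lock is usually paired with rate limiting by source address so that legitimate users are not shut out by a third party.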

How prepared are you for a denial of service attack?

Denial of service (DoS) attacks are becoming more common, with cyber criminals on the look-out for machines to infect with a virus and weaponise as ‘robot soldiers’ in their evil army. An attack happens in one of two ways: either by flooding the target with traffic or by sending it information that triggers a crash.

How secure is your website’s front end?

Make sure that the front end of your website follows the latest best practice against ‘cross domain scripting’. This happens when third-party scripts, such as adverts or plug-ins, contain malicious code which interferes with the integrity of your site, allowing data exfiltration.

Take a proactive approach

Don’t sit there and wait for a data breach to happen – instead, be proactive. Look for signs of intrusion, such as gigabytes of data suddenly flowing to an unusual IP address or domain. Introduce good security auditing, so you know where the weak spots are. And if there were a data breach, you’d want to know it had happened.
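The "gigabytes to an unusual destination" sign is easy to check for mechanically once you have outbound flow records from a firewall or cloud provider. The block below is an added example, not code from the Lake Solutions article: it totals bytes per destination over a batch of records and flags any destination that is both outside an allowlist and above a size threshold. The record format, the sample lines, the allowlisted network and the one-gibibyte threshold are all constructed for the example; substitute your own export format and the networks you genuinely send bulk data to.

```python
# Added example (not from the Lake Solutions article): a small egress check that
# totals bytes sent per destination over a batch of flow records and flags any
# destination outside an allowlist that exceeds a threshold. Record format,
# sample lines, allowlist and threshold are all constructed for the example.
import ipaddress
from collections import defaultdict

# Constructed flow records: "<timestamp> <source> <destination> <bytes>"
SAMPLE_FLOWS = [
    "2020-11-16T02:00:01 10.0.0.5 203.0.113.10 1500000000",   # nightly backup to a known provider
    "2020-11-16T02:05:12 10.0.0.5 203.0.113.10 1500000000",
    "2020-11-16T03:10:44 10.0.0.7 192.0.2.9 4096",            # small and unknown: not worth a page
    "2020-11-16T03:12:03 10.0.0.12 198.51.100.77 734003200",  # unknown host, large and repeated
    "2020-11-16T03:14:51 10.0.0.12 198.51.100.77 734003200",
    "2020-11-16T03:17:20 10.0.0.12 198.51.100.77 734003200",
    "garbage line that does not parse",                       # malformed records are skipped
]

# Assumption: destinations the business already sends bulk data to (backup, CDN, SaaS).
KNOWN_DESTINATIONS = [ipaddress.ip_network("203.0.113.0/24")]
THRESHOLD_BYTES = 1024 ** 3   # one gibibyte within the batch


def parse_flow(line: str):
    """Return (destination address, byte count) or None for a malformed record."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return ipaddress.ip_address(parts[2]), int(parts[3])
    except ValueError:
        return None


def bytes_per_destination(lines) -> dict:
    """Sum bytes sent to each destination, ignoring records that do not parse."""
    totals = defaultdict(int)
    for line in lines:
        parsed = parse_flow(line)
        if parsed is not None:
            dst, nbytes = parsed
            totals[dst] += nbytes
    return totals


def is_known(dst, known=KNOWN_DESTINATIONS) -> bool:
    """True if the destination falls inside any allowlisted network."""
    addr = ipaddress.ip_address(dst) if isinstance(dst, str) else dst
    return any(addr in net for net in known)


def flag_unusual_egress(lines, known=KNOWN_DESTINATIONS, threshold=THRESHOLD_BYTES):
    """Destinations that are both unfamiliar and above the threshold, largest first."""
    totals = bytes_per_destination(lines)
    hits = [(str(dst), total) for dst, total in totals.items()
            if total >= threshold and not is_known(dst, known)]
    return sorted(hits, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for dst, total in flag_unusual_egress(SAMPLE_FLOWS):
        print(f"investigate: {total / 1024**3:.2f} GiB sent to {dst}")
```

The allowlist matters as much as the threshold: without it the nightly backup in the sample would page someone every day, and an alert that fires on routine traffic is soon ignored. Run the check over a fixed window (an hour, a day) so the threshold has a clear meaning, and keep the malformed-record handling, since a parser that stops on the first bad line silently misses everything after it.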

Here at Lake Solutions we can support you to be cyber safe, as well as giving your website a security audit. Get in touch today.

Article Details

Ian Jepp
16 November 2020