Keeping your data secure is not only smart, it’s also the safest thing you can do from a legal point of view. While most online businesses try to cover themselves from liability by putting disclaimers on their website terms and conditions pages, that isn’t really effective as protection if you are negligent about keeping data safe. Of course legal liability isn’t the only reason to protect your data, and it’s not the only thing you need to worry about if you fail, but it is certainly important to be aware of the possibility.
Even if you force your users to click a button to indicate their agreement not to hold you liable for security problems before you let them access anything on your site, it still doesn’t really give you much legal protection, and probably doesn’t give you any.
Legal liability is a big one because of the high costs involved, even when a case brought against you is entirely frivolous. It gets a lot worse if you’ve done something you shouldn’t have or haven’t done something you should have.
You can also suffer loss of business, loss of trust, theft, damage to your reputation, and other things besides. It’s not a good position to be in, so always do your best to keep your data safe and secure. Here are a few things that can potentially make your server less secure than it should be:
1. Not requiring secure connections for things that should be secure
It’s a big decision to force a secure connection because some users buried behind corporate firewalls (and sometimes over-inquisitive hotel firewalls) can’t access HTTPS-secured websites. In part this is because certain types of administrators in certain types of corporations don’t want encryption getting in the way of any snooping they might want to do. That’s actually kind of silly, because they are placing the corporation and its employees at increased risk when there is extremely little to be gained.
Certain websites like Google and Wikipedia default to HTTPS connections even though most users won’t be doing anything that needs to be encrypted. If big sites like that are pushing an HTTPS-first policy, maybe your site should be too.
If you allow users to log in over an insecure HTTP connection to services that should be secured, you are asking for trouble. Users on HTTP should have to click a link that takes them to an HTTPS version of the page before it is possible to log in.
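One way to enforce that policy in application code, as an added example that is not from the article: a small WSGI middleware that redirects plain-HTTP GETs to the HTTPS URL, adds an HSTS header on secure responses, and refuses (rather than redirects) a form POSTed over HTTP, since by then the credentials have already crossed the wire in the clear. The `hello` application, host names and paths below are assumptions made up for the demonstration.

```python
from urllib.parse import quote

HSTS = "max-age=31536000; includeSubDomains"  # one-year HSTS header on HTTPS responses

def https_url(environ):
    """Rebuild the requested URL with an https scheme (host, path and query kept)."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    url = f"https://{host}{quote(environ.get('PATH_INFO', '/'))}"
    query = environ.get("QUERY_STRING", "")
    return f"{url}?{query}" if query else url

def force_https(app):
    """Wrap a WSGI app: GETs over HTTP are redirected, anything else over HTTP is refused."""
    def wrapped(environ, start_response):
        # wsgi.url_scheme is set by the server; behind a TLS-terminating proxy you
        # must configure the server to derive it from the proxy, not trust a client header.
        if environ.get("wsgi.url_scheme") == "https":
            def start_with_hsts(status, headers, exc_info=None):
                # Pin the browser to HTTPS for future visits.
                return start_response(status, headers + [("Strict-Transport-Security", HSTS)], exc_info)
            return app(environ, start_with_hsts)
        if environ.get("REQUEST_METHOD", "GET") in ("GET", "HEAD"):
            # Safe to redirect: a GET carried nothing sensitive in its body.
            start_response("301 Moved Permanently", [("Location", https_url(environ)), ("Content-Length", "0")])
            return [b""]
        # A POST (e.g. a login form) over HTTP has already leaked its body; refusing
        # is all we can do, and a silent redirect would hide the problem from the user.
        body = b"This form must be submitted over HTTPS."
        start_response("403 Forbidden", [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))])
        return [body]
    return wrapped

def hello(environ, start_response):
    """Stand-in application (constructed); the real site would go here."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]

secure_app = force_https(hello)

def call(app, environ):
    """Invoke a WSGI app directly and return (status, headers, body); useful for checks."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```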
2. Not using encryption on things that should be encrypted
If you don’t encrypt information, you lose control over it. Some kinds of information should be restricted to the people who need to see it, and there are even some kinds of information (like passwords) that nobody needs to see. Encryption helps you control who can see what, and when.
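For the passwords case, as an added example that is not the article's code: the site never stores the password itself, only a random salt and a deliberately slow one-way hash of it, so nobody who reads the database can see the password, while a login can still be checked. The article speaks of encryption in general; for passwords the usual choice is a one-way hash rather than reversible encryption, because nothing ever needs to recover them. The cost parameters and record format below are assumptions.

```python
import base64
import hashlib
import hmac
import os

# scrypt cost parameters (assumed): about 16 MiB of memory and a noticeable delay per hash,
# which is what makes offline guessing of a stolen hash table expensive.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def _derive(password, salt):
    """Derive a 32-byte key from the password and salt with scrypt."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)

def hash_password(password, salt=None):
    """Return the record to store: algorithm, base64 salt and base64 derived key.

    A fresh random salt per user means two users with the same password get
    different records, and a precomputed table is useless against the database."""
    salt = salt if salt is not None else os.urandom(16)
    key = _derive(password, salt)
    return "scrypt$%s$%s" % (base64.b64encode(salt).decode(), base64.b64encode(key).decode())

def verify_password(password, stored):
    """Recompute the key from the stored salt and compare in constant time."""
    try:
        algo, salt_b64, key_b64 = stored.split("$")
        salt, key = base64.b64decode(salt_b64), base64.b64decode(key_b64)
    except ValueError:
        return False  # malformed record: never accept
    if algo != "scrypt":
        return False
    return hmac.compare_digest(_derive(password, salt), key)
```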
3. Putting sensitive information in areas that are open to public access
Sensitive information needs to be stored in a place where casual visitors can’t stumble upon it. Things like connection strings should be stored at a level above the public_html folder, where they are impossible to access by accident and more difficult for an attacker to reach.
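As an added example (not from the article) of what "above public_html" means in practice: a loader that reads a connection string from a config file and refuses to use it if the file resolves to anywhere inside the web root or is readable by other accounts on the host. The `site/config/db.conf` layout and the connection string are constructed for the demonstration.

```python
import stat
import tempfile
from pathlib import Path

def load_secret(secret_file, public_html):
    """Return the file's contents only if it lies outside the web root and is private to us."""
    secret = Path(secret_file).resolve()      # resolve() follows symlinks and strips ".."
    docroot = Path(public_html).resolve()
    # A symlink, or a path like public_html/../public_html/db.conf, must not slip through.
    if docroot == secret or docroot in secret.parents:
        raise PermissionError(f"{secret} sits inside the web root {docroot}")
    mode = stat.S_IMODE(secret.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        # Other accounts on a shared host could read it; treat that like public exposure.
        raise PermissionError(f"{secret} is accessible to group/others (mode {mode:o})")
    return secret.read_text().strip()

def _try(path, docroot):
    """Report 'accepted' or 'refused' for one candidate secret file."""
    try:
        load_secret(path, docroot)
        return "accepted"
    except PermissionError:
        return "refused"

def demo():
    """Build a throwaway site/ tree with public_html/ and a private config/ next to it."""
    site = Path(tempfile.mkdtemp())
    docroot = site / "public_html"
    docroot.mkdir()
    (site / "config").mkdir()
    good = site / "config" / "db.conf"
    good.write_text("postgresql://app:example-password@localhost/shop\n")  # constructed value
    good.chmod(0o600)
    exposed = docroot / "db.conf"          # right permissions, wrong place
    exposed.write_text("leaked\n")
    exposed.chmod(0o600)
    loose = site / "config" / "loose.conf"  # right place, world-readable
    loose.write_text("leaked\n")
    loose.chmod(0o644)
    return {"good": load_secret(good, docroot),
            "exposed": _try(exposed, docroot),
            "loose": _try(loose, docroot),
            "dotdot": _try(docroot / ".." / "public_html" / "db.conf", docroot)}
```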
4. Relying on htaccess for security
The .htaccess file provides some security to keep casual snoops out, but it is more like a barbed wire fence than a concrete wall. It won’t keep out a really determined attacker, so it shouldn’t be your only line of defense.
5. Not keeping offsite backups
Your data should be backed up regularly and stored in a secure offsite location. This is not perfect protection, but it’s going to help you if something really bad happens.
6. Not making changes after an attack against you is successful
Sometimes people just restore from a backup and carry on as if nothing bad had ever happened. They probably figure that since the attacker got what they wanted, they won’t need to come back. It’s not particularly logical. You should always make changes after a successful attack, with the most obvious thing to change being the password. It’s not just that you should change the password; you should change everything about the password (its length, structure, and any mnemonics you used in creating it).
7. Not mirroring
This is really obvious, but frequently overlooked. Every site should be mirrored. Without a real-time (OTF) mirror, you risk data loss in the case of a hardware failure. Backups are helpful, but they’re not real-time. You’ll lose some things if you have to restore from backup.
8. Not restricting physical access to the server
Server cabinets are lockable for a reason. The door to the server room should also be locked. Yes, it will slow you down if you need to get in there to do something, but it will also slow an intruder down.
9. Failing to be aware of social engineering
The most common way to gain illegal access to a system doesn’t rely on sophisticated software; it relies on unsophisticated personnel. In other words, you and your employees are the most likely contributors to an attacker’s agenda, simply because you may not be sufficiently on guard to avoid willingly giving them every bit of information they need in order to perpetrate an attack against your site.
Social engineering is very easy and highly successful. It simply relies on basic psychology, and the fact that humans generally tend to respond to things in predictable ways. People are also not always careful about what they dispose of or how they dispose of it. The recovery of things which have been disposed of can sometimes yield valuable clues to how a system can be accessed, or it can yield enough clues to give an attacker at least a better chance of successful social engineering.
For example, if you throw a letter from your bank manager in the trash because it has no business value (he is just trying to sell you a line of credit or something), this gives an attacker some valuable information, including which bank you do business with, the branch of the bank that you do business with, and who the manager of that branch is. They can later call your business and impersonate the bank manager, and by this means obtain more information from your employees that can be used to perpetrate an attack against you.
What you have to be aware of is that you can’t trust that anybody is who they say they are unless you can verify it. Somebody wheeling new office equipment into your building will hardly be treated with suspicion, but they should be. Normally everyone just assumes that somebody else must have ordered the equipment which is being delivered, when in reality nobody did, and it’s just a ruse to get more access to the interior of your workplace, opportunities to gossip with your staff, and things like that. The office equipment itself might be rigged up in some way to spy on you.
Other favorite social engineering disguises include law enforcement agents, government officials, and potential lovers. None of these people may be who they say they are, and you should verify their identity as carefully as you can.
10. Hosting on an insecure OS
Systems that don’t require a password to perform any task that will have administrative effect are basically toys and only suitable for playing games on. You shouldn’t use them for business, and certainly not for hosting a website.
Perfect security is impossible, but you can tighten things up
By avoiding the errors listed above, you won’t necessarily be invulnerable to attack, but you’ll be in a better position to avoid, detect, and respond to attacks. Data is important to everyone who has a stake in it, so do your best to prevent it from falling into the wrong hands.