With all the talk about password and database breaches lately, it may seem impossible to do anything to prevent eventually becoming a victim of an attack. There are, however, some common sense practices you can take to lessen your chances of becoming a victim, especially if you host your own server.
1. Stop reusing passwords.
This singlehandedly is one of the most effective techniques on a personal level you can do. It doesn’t need to be painful either, password manager tools are easily available at low or no cost depending upon your needs and desired features. Currently two of the most commonly used tools include Keepass and LastPass.
2. Manage user permissions effectively.
This is especially important the larger your team gets. The same log in used to manage your server back end should not be the same to manage your storefront or blog. If you have multiple users that have different roles, differentiate permissions based upon what the roles require. If the person who pays the bills is not the same as the person who manages your clients, typically they do not both need access to the same information. Yottaa makes this easy on our platform through our role definitions within the Yottaa portal so that your team gets exactly the level of access they need.
3. Firewall your administration page.
This prevents brute force attacks from sending a constant attack stream attempting to brute force your password. Brute forcing is using a library of passwords and combinations of characters to attempt to guess your password. This can and should be set up locally to only allow access to whitelisted or approved IPs. This may mean that your team has to VPN into a central location, or that your home address is whitelisted. Yottaa can provide coverage in this respect by preventing direct access through DNS, which may leave your site vulnerable via IP based attacks, or through our Origin Shield technology which can prevent access except through Yottaa allowing us to block the traffic via IP as well.
4. Review your traffic logs.
Traffic logs are extremely useful, if a bit dense. Reviewing your logs can tell you where your users are accessing your site from and specifically what they are requesting. While not all requests that look suspicious are from bad actors, some are quite obviously bad. (For example if you see “password” or “login” in the request, or attempts to access internal site databases). Reviewing logs can also give you an overview of your requests including if your requests are inadvertently sharing client information in clear text.
Managing traffic logs, especially on a site with a large traffic load can be a monstrous task that requires the use of tools. Yottaa, for one, offers a client dashboard as well as Traffic Analytics on requests to your site. This gives you an overview of what’s being requested, and if you find something wrong you can act on it, either through redirecting old links, firewall rules that can limit your traffic from known bad actors, and even redirect customers to targetted location specific sites based upon where in the world they access your site from.
5. Security is a marathon not a sprint.
There is no finish line when it comes to keeping your site secure. It’s been said that you can never be too paranoid about security, especially when it comes to online security. Attackers can make a lot of money stealing your data, damaging your site, or injecting malware. All of this can damage your brand and your bank account. It’s important now more than ever that you make sure you have a team committed to helping you stay secure.
There’s a great variety of companies that provide different flavors of security service. Some provide penetration testing to find vulnerable points before they are exploited, some provide security through following best practices when building out a web application, and some work around the clock on the infrastructure level making sure your site stays secure and functioning.
Ultimately the most important thing you can do is to stay vigilant, and find and hire competent security professionals who care as much about your site’s success as you do.
For more on web security, download our whitepaper: Web Application Security Requires Context Intelligence