Perhaps the most difficult challenge IT crews face today is making sure their organization is protected from hackers. There are more connected devices today than ever before, and therefore more points of access that need to be defended against cyber-attacks. Not every company can field its own cyber-security team, and not every IT guy is a PKI expert, nor should they have to be. The most common attacks are actually pretty simple to execute, and so are their countermeasures.
The following sections describe three of the most common cyber-attacks a website will encounter, how to protect against them, and some industry best practices that even the newest IT guy working for the smallest company can put into practice.
Common Cyber Attacks
SQL Injection Attacks
SQL injection attacks occur when an attacker slips an SQL query or command into a submission form on your website. This lets them bypass the website itself and manipulate, alter, or interact with the database directly. In a worst-case scenario, a hacker might use SQL commands to make the database return the stored login and password information of your organization’s users, or to elevate their own user privileges.
The countermeasure here is to always use parameterized queries, so that a hacker can’t simply slip an SQL command into a normal database query. It’s a fairly straightforward fix, and most languages provide a way to implement it.
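The contrast between the two approaches, as an added example that is not part of the original article: the same lookup written by pasting the form value into the SQL text, and then as a parameterized query, run against a constructed in-memory SQLite table (the table, sample users and hostile input are all assumed for the demonstration).

```python
import sqlite3

# Constructed sample data: a tiny in-memory user table standing in for
# the site's real database.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The form value is pasted straight into the SQL text, so a quote in the
    # input changes the structure of the statement rather than just its data.
    # Shown only to contrast with the fixed version below.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # The statement text is fixed; the value travels separately as a bound
    # parameter and can only ever be compared as data, never run as SQL.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    conn = make_db()
    normal = "alice"
    injected = "x' OR '1'='1"  # constructed hostile form value
    return {
        "vulnerable_normal": find_user_vulnerable(conn, normal),
        "vulnerable_injected": find_user_vulnerable(conn, injected),
        "param_normal": find_user_parameterized(conn, normal),
        "param_injected": find_user_parameterized(conn, injected),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns every row for the hostile input, while the parameterized lookup returns nothing because it searches for that string literally.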
File Upload Attacks
Like the attacks described above, file upload attacks try to sneak in executable code, or overwrite an existing file of the same name, by submitting a crafted file through an upload form. Overwriting a file can break the functionality of your website or vandalize it. Uploading an image that contains PHP commands can be even worse.
Defending against these attacks requires several different tactics and best practices, all of which seek to vet the incoming files and images to check for anything malicious. None are foolproof, but following these guidelines drastically reduces the risk to your organization.
Industry Best Practices
It goes without saying that you should be using secure passwords, and while every security expert will recommend it, there’s no real agreement on how to achieve them (though some compelling arguments have been made). But as an organization whose users likely have profiles on your site, you also have the other half of the equation to worry about: what you do to protect your users’ information matters just as much. Here are some password best practices:
- Never store user passwords in a retrievable form; hash them with a secure hash algorithm (SHA), and for maximum security use a unique salt per user plus a pepper.
- Don’t store the user’s login and password, or other sensitive information, in cookies.
- Don’t enforce password requirements on your users, as this only makes guessing the password easier by eliminating choices from a dictionary attack.
- Recommend the use of a password manager (with a secure master password) to your organization to minimize the risk of password cracking.
HTTP is on the way out, especially since Google is taking steps to eliminate it. Hosting your entire site on HTTPS is one of the best ways to protect your organization, your users, and your reputation from hackers. Implement it using TLS v1.2 for the strongest security.
If you’re already on HTTPS, you need to double-check that you’re implementing it effectively to avoid problems like the external use of test certificates. Many organizations are using HTTPS in ways or with protocols that are easy to defeat. Make sure yours isn’t one of them.
More best practices
- Use a web application firewall to help fend off attacks via the many web applications your organization uses.
- Use both browser-side and server-side validation of forms, inputs, uploads, etc.
- Avoid giving too much information away in error messages; keep the detailed error logs to yourself and only give the user what they need.
With just a little bit of effort and industry know-how, you can implement these essential practices and significantly increase your website’s security.
For an invaluable look into how the Best-in-Class successfully protect their email and websites against phishing attacks, check out this comprehensive research report by Aberdeen’s Derek Brink.
Danielle Adams is a freelance writer who writes for a variety of publications, including Venafi.