Every SME should have a website, or maybe you host a number of client websites as part of your business model.
What happens when that website gets compromised? How do you restore faith in your business with your clients, or ensure confidentiality on behalf of your clients?
Tip 1: Buy the right stuff
When you purchase your domain from your registrar, fork out for the privacy option. It hides your personal details as the owner of the domain from public WHOIS lookups, details an attacker could otherwise use to interfere with domain transfers, password resets and the like. Have a look at this GoDaddy link for more info on domain privacy.
If you have built-in e-commerce functionality, you must purchase SSL certificates for your site. A certificate lets the web server set up TLS (still commonly called SSL) connections, so everything exchanged between your “buyers” and your website travels through an encrypted channel and cannot be read or altered in transit.
The online user will also feel a greater sense of comfort seeing “https://” in the address bar of their browser. Have a look at these links for more info on SSL certificates:
- https://www.godaddy.com/web-security/ssl-certificate
- https://www.sslshopper.com – assists with certificate verification and troubleshooting certificate errors
- https://www.ssllabs.com/ssltest – Type your website or domain name in here. This tool will analyse the certificate and TLS configuration of the server and highlight any associated risks
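The checks the SSL Labs tool performs can also be run from your own machine. The script below is an added example and not code from the original post: it assesses a certificate in the format Python's `ssl.SSLSocket.getpeercert()` returns (expiry, validity window, hostname match against subjectAltName) so that the logic can be exercised offline against the constructed `SAMPLE_CERT`, and `check_server()` applies the same checks to a live host. The hostnames and dates in the sample are made up.

```python
"""Offline certificate assessment in the spirit of the ssllabs.com check.

Added example, not code from the original post. assess_cert() works on a
certificate dict in the format returned by ssl.SSLSocket.getpeercert(), so the
checks run against the constructed SAMPLE_CERT without network access;
check_server() applies the same checks to a live host.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample in getpeercert() format; names and dates are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Feb 15 12:00:00 2024 GMT",
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "www.example.com")),
}


def cert_time(value):
    """Parse the textual date format used by getpeercert() into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def hostname_matches(pattern, hostname):
    """Match a DNS name or a single-label wildcard (*.example.com), case-insensitively."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        # A wildcard covers exactly one left-most label: *.example.com matches
        # shop.example.com but neither example.com nor a.b.example.com.
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def assess_cert(cert, hostname, now, warn_days=30):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    not_before, not_after = cert_time(cert["notBefore"]), cert_time(cert["notAfter"])
    if now < not_before:
        findings.append("certificate is not yet valid")
    elif now >= not_after:
        findings.append("certificate has expired")
    elif not_after - now < timedelta(days=warn_days):
        findings.append(f"certificate expires in {(not_after - now).days} days")
    # Browsers only honour subjectAltName; the subject commonName is ignored.
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not sans:
        findings.append("no DNS subjectAltName entries")
    elif not any(hostname_matches(san, hostname) for san in sans):
        findings.append(f"hostname {hostname} does not match subjectAltName {', '.join(sans)}")
    return findings


def check_server(hostname, port=443, timeout=5.0):
    """Connect to a live host and report the negotiated protocol, cipher and findings.

    create_default_context() already validates the chain against the system trust
    store and checks the hostname, so a broken chain raises
    ssl.SSLCertVerificationError before assess_cert() is reached.
    """
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            findings = assess_cert(tls.getpeercert(), hostname, datetime.now(timezone.utc))
            version = tls.version()
            if version in ("SSLv3", "TLSv1", "TLSv1.1"):
                findings.append(f"obsolete protocol negotiated: {version}")
            return version, tls.cipher(), findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_server(sys.argv[1]))
    else:
        print(assess_cert(SAMPLE_CERT, "shop.example.com", cert_time("Feb 1 00:00:00 2024 GMT")))
```

Run it with a hostname to check a live site, or without arguments to see the offline sample flagged for expiring within 30 days. The 30-day warning threshold is an assumption; pick whatever lead time your renewal process needs.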
Tip 2: Pick a reputable company to help you manage it
There are loads of web hosting companies to choose from. These guys are the pros when it comes to hosting your website for you, maintaining its security, managing the required renewals, and giving you ample support.
I would look at the following key criteria, but it is best to give them a call and discuss your requirements and their capabilities in detail:
- Price
- Relationships & track record with larger registrars
- Support structure
- Redundancy & back-up capabilities i.e. what can they guarantee you in terms of website uptime & restoration
- Peripheral services such as web design, Search Engine Optimisation (SEO), & security services.
Tip 3: Lock it down
If you host your website yourself on your own web server, here are a few tips to ensure some security:
- Keep up to date with all patching on the operating system (OS) and web software
- Keep strong passwords and change them regularly – use a blend of upper- and lower-case letters, numbers and special characters
- Use built-in web server security modules
- Use the built-in web server firewall
- Use SSL where possible
If you have your own physical firewall appliance/s employed to protect your network and web server/s, then here are some useful firewall tips to help further secure the website/s:
- Only allow necessary ports on the firewall/s
- Use VPN to remotely administer your servers – don’t allow RDP or SSH access from the internet
- Install an IPS in front of the server – block traffic matching known attack signatures
- Implement a Web Application Firewall or Reverse proxy with an IPS
Further Considerations
- Regularly scan your servers – from inside and outside your network – there are a number of freeware products available for download. Go here: https://www.scanmyserver.com/ or https://pentest-tools.com/home
- Don’t install your database and web server on the same host – separate the servers and place them on different DMZs on your firewall
- If FTP is used for file uploads – consider switching to SCP or SFTP.
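The firewall points in Tip 3 and the segmentation and FTP points above reduce to a small policy: only 80 and 443 open to the internet, SSH and RDP reachable from the VPN alone, the database DMZ reachable only from the web DMZ (and the VPN for administration), no FTP, and an explicit deny-all at the end. The script below is an added example, not code from the original post: it lints a rule export against that policy. The subnets, the rule format and the sample rules are constructed for illustration and would be replaced by your own firewall's export.

```python
"""Audit a firewall rule export against a web/database DMZ segmentation policy.

Added example, not from the original post. The subnets, rule format and
SAMPLE_RULES are constructed assumptions for illustration.
"""
from ipaddress import ip_network

# Hypothetical network layout: web tier and database tier in separate DMZs,
# administrators reach servers only over the VPN.
INTERNET = ip_network("0.0.0.0/0")
WEB_DMZ = ip_network("10.10.1.0/24")
DB_DMZ = ip_network("10.10.2.0/24")
VPN = ip_network("10.20.0.0/24")

PUBLIC_PORTS = {80, 443}   # the only ports the internet needs to reach
ADMIN_PORTS = {22, 3389}   # SSH and RDP: reachable from the VPN only
FTP_PORT = 21

# Constructed sample export: one dict per rule, in evaluation order.
SAMPLE_RULES = [
    {"src": "0.0.0.0/0", "dst": "10.10.1.0/24", "port": 443, "action": "allow"},
    {"src": "0.0.0.0/0", "dst": "10.10.1.0/24", "port": 80, "action": "allow"},
    {"src": "0.0.0.0/0", "dst": "10.10.1.10/32", "port": 22, "action": "allow"},     # SSH from anywhere
    {"src": "10.20.0.0/24", "dst": "10.10.1.0/24", "port": 22, "action": "allow"},   # SSH from the VPN
    {"src": "10.10.1.0/24", "dst": "10.10.2.0/24", "port": 3306, "action": "allow"}, # web tier to database
    {"src": "0.0.0.0/0", "dst": "10.10.2.0/24", "port": 3306, "action": "allow"},    # database from anywhere
    {"src": "0.0.0.0/0", "dst": "10.10.1.0/24", "port": 21, "action": "allow"},      # FTP uploads
    {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": None, "action": "deny"},        # default deny
]


def audit_rules(rules):
    """Return a list of findings; each allow rule yields at most one finding."""
    findings = []
    for index, rule in enumerate(rules, start=1):
        if rule["action"] != "allow":
            continue
        src = ip_network(rule["src"], strict=False)
        dst = ip_network(rule["dst"], strict=False)
        port = rule["port"]
        if port in ADMIN_PORTS and not src.subnet_of(VPN):
            findings.append(f"rule {index}: admin port {port} reachable from {src}; restrict to VPN {VPN}")
        elif dst.overlaps(DB_DMZ) and not (src.subnet_of(WEB_DMZ) or src.subnet_of(VPN)):
            findings.append(f"rule {index}: database DMZ reachable from {src}; only the web DMZ and VPN should reach it")
        elif port == FTP_PORT:
            findings.append(f"rule {index}: FTP allowed to {dst}; switch to SFTP or SCP")
        elif src == INTERNET and port not in PUBLIC_PORTS:
            findings.append(f"rule {index}: port {port} open to the internet; only {sorted(PUBLIC_PORTS)} are needed")
    # Whatever the allow rules say, the policy must end with an explicit deny-all.
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny"
            and ip_network(last["src"]) == INTERNET and ip_network(last["dst"]) == INTERNET):
        findings.append("no explicit deny-all rule at the end of the policy")
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

Run against the sample it reports the internet-facing SSH rule, the database rule open to the world and the FTP rule, and leaves the two public web ports, the VPN-only SSH rule and the web-to-database rule alone. The order of the checks is deliberate: an SSH rule from the internet is reported as an admin-port exposure rather than as a generic unnecessary port, so the finding names the specific fix.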
Don’t leave your business, or that of your clients, exposed. Understand and protect your website/s, and secure your sustainability.
Pick a partner that has the expertise, and who is alert and ready for any event. Employ a network security strategy that ensures split-second reflexes. Get a security solution that enables decisive preventative and reactive action. Lock-up and grow!