Websites … the forgotten attack vector

Websites … the forgotten attack vector

by | Nov 9, 2023 | Education, News, Uncategorized

In September 2023, someone hacked Pizza Hut … Do you think they were after a few free pizzas?  Probably not.  They were looking for client data. So, what’s that got to do with your website?

Websites … the forgotten attack vector

For the moment, lets assume the best scenarios where your website doesn’t even contain client data.

What’s the risk? … 

    • A hacked website might contain code that can compromise a client (or your) computer by executing malicious code in their environment.
    • Cybercriminals take control of your website posting deceptive content which may compromise your integrity
    • Content modifications may redirect clients to inappropriate or competing sites
    • Loss of control of your own website
    • Defacing, deleting, or otherwise ruining the website
    • Using your resources and/or domain name to send illicit emails

Here’s my top 10 tips on how to protect your business by protecting your website …

 

Protection Factor #1: Website Hardening

  • Daily Security scans for infections or component vulnerabilities.
  • Daily backups and historical recovery positions.
  • Web application firewalls and global edge security
  • Regular health checks

 

Protection Factor #2 – Patching & Updates

Plugins, themes & content management core components need to be updated regularly.  No Update Available? … No, this does not mean the plugin is safe. It simply means there’s no update.
Also check that your hosters are updating database engines and scripting technologies behind the scenes.

web security issues and solutions feature 940x588 1

Protection Factor #5 – SSL Certificates are a neccesity, not a nice to have

The little lock icon !  You MUST have this.  Purchase a secure socket layer certificate. This will protect your data, protect your clients and boost your SEO rankings.  Have an expert recommend the right type of certificate for you.

Protection Factor #6 – Smart Passwords + 2 Factor Authentication

Like all passwords, your website passwords must be secure and complex.  Turn on multi-factor authentication where possible.  Change usernames from default or simple forms to something more complex.  Weak usernames can be as much a threat to your security as weak passwords.

W Backup

Protection Factor #9 – Securing submission forms

Structured query language (SQL) injection as well as Cross-Site Scripting (XSS)s are techniques used by hackers to compromise your data and your website. Validation of form fields to remove symbols capable of executing queries can limit your exposure to these attack vectors.

WebSecurity forSSLStore 1024x768 1

Protection Factor #3 – Ownership

Don’t leave your site in the wrong hands. Ensure that people who have access and control over your website are knowledgeable and experienced at site protection.  This is often not the case with marketing and designer resources.

Protection Factor #4 – Minimalistic Access Approach

Give people, even internal staff, access only to the parts and components they need.  For example, if they just add and edit content then don’t let them install plugins.  If they only write blogs then don’t let them add new pages.
Apply this theory to ALL data in your business.

goldlock

Protection Factor #7 – Web Application Firewall

Sitting between your website and the world, this additional layer reads all data passed and blocks hack attempts and filters out unwanted traffic like spammers and malicious bots.
This is a critical factor that can, and should, be provided by your hosting layer.

Protection Factor #8 – Secure Web Hosting

Check the security features offered by your hoster … 

  • Does the web host offer a Secure File Transfer Protocol (SFTP)? SFTP.
  • Is FTP Use by Unknown User disabled?
  • Does it use a Rootkit Scanner?
  • Does it offer file backup services?
  • How well do they keep up to date on security upgrades?

Protection Factor #10 – Backup Often

Give yourself a fast recovery position.  Determine if onboard backups are sufficient.  You may choose to keep a copy off the main hosting server and in your own hands (recommended).

Step #1 … Cyber Protect your Email

Step #1 … Cyber Protect your Email

by | Aug 25, 2023 | Education, News

Unveiling the benefits of DKIM, DMARC & SPF to protect YOU!

As digital threats continue to evolve, safeguarding your email infrastructure has become a top priority. The implementation of DKIM, DMARC, and SPF protocols provides multiple benefits, including increased email authenticity, protection against phishing attacks, preservation of brand reputation, and enhanced email deliverability. By adopting these robust security practices, you can ensure the integrity of your email communication, foster customer trust, and fortify your organization against cyber threats. Embrace these technologies and empower your email system with the much-needed protection it deserves.

Enhance Email Deliverability

Ensure Email Authenticity and Integrity

Implementing DKIM, DMARC, and SPF protocols not only bolsters security but also improves email
deliverability rates. Since email recipients increasingly trust messages authenticated by DKIM and
aligned with DMARC and SPF policies, your emails are more likely to land in the recipient’s inbox rather
than being flagged as suspicious or sent to the spam folder. By maintaining a positive reputation
through consistent authentication and alignment, your organization’s emails are recognized as
legitimate, reaching your intended audience effectively.

DKIM, DMARC, and SPF collectively establish a robust system for verifying the authenticity and integrity
of emails. DKIM employs cryptographic signatures, which are added to outgoing messages, to validate
the sender’s domain. Upon receipt, the recipient’s server verifies the signature with the sender’s public
key, thus ensuring that the email has not been tampered with or forged during transmission. As a result,
DKIM safeguards against malicious manipulation and impersonation.

Safeguard Brand Reputation & Customer Trust

Shields Against Phishing Attacks:

Domain spoofing, where attackers impersonate reputable organizations, can cause significant damage
to a brand’s reputation and erode customer trust. Implementing DKIM, DMARC, and SPF protocols
acts as a robust defense mechanism against these spoofing attacks. DKIM’s cryptographic signatures
authenticate the sender’s domain, making it incredibly challenging for attackers to impersonate your
brand convincingly. DMARC provides domain owners with detailed visibility into who is sending emails
claiming to be from their domain, facilitating swift action against impersonators. SPF further mitigates
domain spoofing by verifying that emails originate from authorized servers.

Phishing attacks have become increasingly sophisticated, often tricking recipients into sharing
sensitive data or clicking on malicious links. By implementing DMARC and SPF, you fortify your email
infrastructure against these fraudulent practices. DMARC allows domain owners to specify strict
policies for emails that fail authentication. It enables organizations to instruct receiving mail servers
on how to handle such messages, including quarantining, rejecting, or delivering them to the recipient’s
spam folder. Additionally, SPF ensures that only authorized email servers can send messages on behalf
of your domain, minimizing the risk of phishing attempts by unauthorized individuals.

5 Cyber Security Mistakes That Can Ruin Your Day

5 Cyber Security Mistakes That Can Ruin Your Day

by | Mar 29, 2021 | News, Education

Cyber Security should be a top priority for business leaders today. Companies are facing increased risks of their data, or that of the customers, being broadcast to the world. Along with the risk of fines, is the more pressing concern of damage to your business reputation. More now than ever, we are seeing governments around the world stepping in to create legislation to protect consumers. This increased protection increases the burden on business. With a few steps in the right direction and minimal extra cost, you can meet your duty of care. Here are some of the key cyber security mistakes that have the potential to bring your company to its knees.

Cyber Security Mistakes

Cyber Security has now entered the mainstream, and it’s time businesses make it a priority. As a matter of course, it’s time for your business to adopt an active security strategy. This strategy should consist of a couple of steps. Firstly, your organisation needs to assess the data you have on your network, and what you are exposing to the wider internet. Use strong security software and services to assess the data and to ensure that only people who should have access to that data can do so. Don’t make it easy for the wrong people to access your company information. Also, you need to understand how secure your system is.

Mistake 1 – Not Encrypting Data

Encryption of data is a vital step in protecting data from hackers. And, one of the easiest ways to prevent data loss. Let’s face it, nobody wants to think about losing their data or credit cards, so it’s important you consider encryption. But, when was the last time you read up on the ins and outs of encryption? It might take a little bit of effort to find a good encryption solution, but you should make it a priority. Don’t have the time? Ask us and our team of experts will be more than happy to assist.

Mistake 2 – Not Patching Software

As threats become more sophisticated, malware and vulnerabilities become better understood. But cyber security measures have not kept up with this rapid evolution. Even in today’s hyper-connected world, we still need security measures that are easy for a business to put in place, but still, be secure, and, work across many platforms. In addition, being able to identify emerging threats quickly and remediate them proactively is paramount. The easiest way to secure many environments at once is to keep your operating systems and software patched and up to date. When left unpatched, any small change, like a new virus or bug can cripple your entire enterprise.

Mistake 3 – Not Monitoring for Threats

Cyber Security is no longer something of the dark ages. The companies that invest the time and money to create an effective program have already become overnight successes. They have increased customer confidence, decreased risk, and hopefully averted disaster. Yet despite this, so many companies today still spend more time defending their network, than actually monitoring for new threats. As businesses, many do not consider cyber threats a priority, yet in reality, they are simply the cost of doing business. The right cyber security program should track every aspect of your business to identify the threats in your environment, proactively prevent attacks, and protect your assets from falling into the wrong hands.

Mistake 4 – Not Using Multi-Factor Authentication

This is the term given to a range of procedures which need a customer to present identification to access their account. These include SMS codes, authentication emails or even an MFA app. But, despite using the same technology, they are not always the same. This is one of the easiest and most effective solutions in protecting your customers’ data. Because you need to enter your one-time code to access a business’s accounts, this also applies to those outside of your network. When you call your bank they ask you to verify your account. This is a form of customer facing multi-factor authentication. Methods like this can protect you and your customers from ever having to worry about who can get access to their data.

Mistake 5 – Not Understanding the Risk

Technology is advancing at an incredible rate, and companies that lack an understanding of how to protect data, end up doing the complete opposite. An organisation that owns and protects its data and has planned the detection of and response to a breach will be in a far better position than those that do not. Understand that risk management is a multi-phase process. By taking the time to understand the value of your data and the data of those who interact with you, you can begin to build a comprehensive plan to protect it. There are three major elements to any plan: physical, operational and cybersecurity. Physical protection – are the physical systems that carry information. These are things like electronic filing cabinets, server rooms and communication systems. Operational protection – is the plans, processes, and procedures you have in place around your data and team. Cyber Security protection – are the tools, the software and the hardware tracking your data both inside and outside of your environment.

Data Security is Important!

Data Security is Important!

by | Mar 2, 2021 | News, Education

Equifax settle for $US700 million for their 2017 data breach!

Has IT ever told you data security is important? For more than 20 years we have been hearing how important encryption will be for data and why it will benefit companies not just from a privacy point of view, but also for a security.

Governments around the world have been slowly waking up to the ever-increasing threat, largely due to the increase in breaches of people’s personally identifiable information. These breaches have increased identity fraud and theft, they have been known to put lives in danger and sadly, in many cases, have been met with toothless threats and a punishment of “just don’t do it again!”.

Thankfully, in the last 3 years, with input from lobbying groups and industry bodies, we have seen the creation and implementation of GDPR (in Europe) and the NDB Scheme (in Australia) to combat this very real risk. These measures and guidelines have given government bodies a very real ability to deliver harsher punishments to organisations found to be handling our data in ways that would be considered risky or that put our personal information at threat.

This week the first of these cases has finally been tested in the best of ways and resulted in a big win for us all. Equifax, the global credit monitoring organisation agreed to pay a settlement of $US700 million which stemmed from a 2017 data breach that exposed the information of over 150 million people. This was one of the largest identified data breaches in history and the largest at the time by an organisation.

At Ambient iT we welcome such a heavy punishment and look forward to this new environment where our data is considered with the appropriate respect and value it deserves. If you are worried that you may not have the appropriate measures in place to protect you or your clients data, or you simply want the peace of mind knowing that you have done the best you can, get in touch with our team and we will work with you to help keep your data protected and secure.