Everyone – including the experts – makes mistakes when it comes to information security. Whether it’s failing to properly secure your website for customers, or not implementing effective password managers, minor cybersecurity gaps can rapidly evolve into a much more serious security incident.
As security experts from around the globe gather for the annual RSA Conference in San Francisco, Distil Networks has compiled a list of tips and things you should NEVER do.
Brian Krebs, Investigative Journalist at KrebsOnSecurity.com
Update. Update. Update
A former Washington Post reporter, Brian Krebs, runs and operates the world’s leading blog devoted to in-depth cybersecurity news and investigation. Krebs is also the author of the New York Times bestseller, “Spam Nation: The Inside Story of Organized Cybercrime-from Global Epidemic to Your Front Door.”
New vulnerabilities and flaws are exposed every day, so to keep up with the bad guys Krebs recommends a simple yet effective tactic: “subscribe to notifications by any vendors you rely upon.” He adds, “never install add-ons without first learning the product’s reputation and longevity. Update asap.”
When discussing what never to do, Krebs airs on the side of caution. He advised to keep track of where you’re clicking and to never “click before hovering over a link.”
Conrad Jaeger, Author of Deep Web Secrecy and Security
Make sure you know who you’re communicating with
Problems can arise when you think your communications are being sent in a certain direction, but in fact they are being intercepted. Conrad Jaeger, author of the popular series “A Deep Web Guide,” wants to give all webmasters one simple piece of advice: “introduce HTTPS.” According to Jaeger, HTTPS “provides a reasonable guarantee that you are communicating with the intended website and not an imposter, plus ensuring that communications between the user and site cannot be read or forged by a third party.”
As for what never to do, Jaeger takes on the issue of the open Internet, adding you should “never believe any arguments for limiting Internet access.”
Kelly Jackson Higgins, Executive Editor at Dark Reading
Always assume you’ve been compromised
Spending much of her time reading up on the latest reports, speaking with cybersecurity executives and thought leaders and overseeing coverage for a top security-focused publication, Kelly Jackson Higgins, Senior editor of Dark Reading, might have a more well-rounded view of the security landscape than most.
Higgin’s advice: “Use a VPN connection. SSL may not be bulletproof, but it raises the bar for an attacker.” Higgins also believes in being extra paranoid about your website security. As such, she suggests “never believe you’re not compromised, even if your AV scan and other tools tell you otherwise.”
Mike Rothman, Analyst and President at Securosis
You can’t secure what you don’t know about
As an analyst and president of the information security analyst firm, Securosis, Mike Rothman has spent more than 20 years in the security space, holding both consulting and executive gigs at various companies over the years.
Rothman’s top recommendation is to know what properties you own. “Understand what websites you have. Big companies have a lot of public facing information that security teams many times don’t even know about. There are a lot of configurations and patches you need to know about and you have to be aware and have a plan to keep these things up to date and optimized. If you don’t have a real good feel for the application or logic flaws then you’re in big trouble because hackers are testing your application flaws everyday,” explains Rothman.
Rothman also recommends taking the paranoid approach as well when considering what not to do. “Never assume your visitors have your best intentions in mind. It could be fraud or hacking, but when you’re building and maintaining websites and not thinking about these things you’re going to get killed. You need to be paranoid,“ Rothman said.
Robert Westervelt, Analyst at IDC
Never share your password. EVER
Former senior cybersecurity reporter at CRN and current research manager for the information security team at analyst firm IDC, Robert Westervelt, has kept his thumb securely on the pulse of all of the latest attacks and security trends.
Westervelt’s top tip for website security is to closely monitor anyone that has any access to your systems. “Ensure that your content management system and third-party components are always up to date. Assign role-based privileges to other site managers who need access and actively monitor/manage their accounts,” said Westervelt. He also recommends some more basic protections, such as always using a “secure connection, a strong password and multifactor authentication, if available.”
What never to do? Westervelt explains, “never share passwords to access a website’s CMS. Never share passwords PERIOD.”
Paul Roberts, Editor-In-Chief at The Security Ledger and Contributor to CSM: Passcode
Beware of your third-party partners
As the founder and editor-in-chief at the Security Ledger, Paul Roberts has been writing about hacks, cyber attacks and the security industry in general, for over a decade.
Roberts can sum up his top security tip in just three characters “2FA (two factor authentication).” Roberts describes this as “the most effective, lowest cost way to protect your web site against compromise.” He went on to explain, “despite the media’s fixation on sophisticated, super stealthy hacks, most successful cyber attacks on websites and Web applications go through the front door. It’s not perfect, but it raises the bar significantly for would be attackers – and that may be enough to get them to look elsewhere and leave your site alone.”
Having owned and operated his own security news and analysis website for the last several years, Roberts believes the biggest mistake website owners make is “allowing third parties access to their site or their customers without first vetting the company, its technology and its business model. Malicious (or just suspicious) ad networks abound and can easily turn your site into a malware spewing mess, putting your readers and your reputation at risk.’ He adds, “you are your site. Treat it accordingly. ”
Richard Stiennon, Chief Research Analyst at IT-Harvest
Look to the cloud!
A veteran in the security industry and chief research analyst at the firm IT-Harvest, Richard Stiennon has been providing advisory services to startups and established players in the information security arena for many years.
When it comes to protecting your website, Stiennon’s advice is simple – look toward the cloud! “Host in the cloud and hide behind a cloud firewall service,” said Stiennon.
Stiennon recommends to “never assume you have nothing worth stealing.” When protecting yourself you can’t just think of your own assets, but those of your customers, partners, advertisers etc. “You are a window into your customers’ lives and livelihood. An attacker may target those customers,” Stiennon advised.
Troy Hunt, Software Architect and Microsoft MVP for Developer Security
Lookout for wearables and beware of excessive sharing
A rock star Web security specialist and a five-time Microsoft MVP for developer security, Troy Hunt has been building Web applications for almost 20 years.
As the attack surfaces available to hackers only grow, more vulnerabilities will inevitably appear. Hunt focused in on one new topic that corporate networks will have to account for soon enough: wearables. “As wearables take off in 2015, the volume and sensitivity of data transiting the web will increase dramatically. This will present new attack vectors as online services look to integrate the data and consumers inevitably opt into excessive sharing,” explained Hunt.
Hunt would also advise consumers to think a little more before opting into “excessive sharing.” Hunt mentioned the “increasing ease with which this can now be done (particularly via the likes of Periscope and Meerkat) make it all too easy to expose deeply personal aspects of our lives, especially for kids who are yet to appreciate the real world ramifications.”
Jarno Limnell, Professor of Cyber Security at Aalto University
Be responsible for your own behavior
Jarno Limnell is a professor of cybersecurity at Aalto university and has an incredible breadth of knowledge and insight regarding cybersecurity issues having held executive security positions at Accenture and McAfee as well as holding a doctorate of Military Science from the National Defense University.
Limnell does not mince words when it comes to Web security. “Stay alert all the time. Like you (hopefully) do in the traffic. And then – enjoy websites,” he explained.
Limnell recommends monitoring yourself beyond all else, and to “not do anything in the digital world that you would not do in the physical world. Especially be aware of your own responsibility of your behaviour. If you ignore that, it is the worst thing you could do.”
Katie Moussouris, Chief Policy Officer at HackerOne
Let the good hackers in in order to keep the bad hackers out
As an ex-hacker and former Senior Security Strategist Lead at Microsoft, Katie Moussouris is currently the chief policy officer at HackerOne.
Moussouris is a firm believer of inviting friendly hackers in in order to keep bad hackers out. “If you have confidence in your security efforts and want to ensure you hear about the vulnerabilities you missed before the bad guys exploit them, then consider running a bug bounty to reward friendly hackers for coming to you with issues they uncover,” Moussouris said.
She believes the biggest mistake is to banish all hackers. In fact, having a hacker on your side could become one of your biggest assets. “Never seek legal recourse against a hacker who is trying to inform you about a security issue. Doing so means that in the future, there is a good chance you’ll learn about vulnerabilities in your website only because of an attack. One must embrace friendly hackers as part of your extended security team to help keep your assets safe,” said Moussouris.
Rami Essaid, Co-founder and CEO at Distil Networks
Make sure you build in redundancies
Rami Essaid is the co-founder and CEO of bot-blocking company, Distil Networks.
Essaid recommends utilizing subject matter experts and purpose-built tools to best protect your website, instead of depending on one person or finite team. “Consider the fact that you have to protect a larger surface area than ever before. Then add the fact that you now have less control over the people that are connected to and dependent on your technology,” said Essaid. “Instead, leverage your team to take inventory of the risks in order to find the best purpose-built tools and subject matter experts to tackle the most glaring issues.”
Regarding what not to do, Essaid emphasizes to never build your systems with just a single point of failure. “It’s IT 101 to build in redundancy in everything you do but somehow we continue to see this as an issue,” said Essaid. “Some are glaring like single data center deployments, but the most common example is having email alerts and reports go to a single user instead of an email-alias. Even if Bob handles all the vulnerability scans every day, what happens when he is sick one day? It could mean that the latest zero day threat goes unnoticed.”
James Kaplan, Principal at McKinsey and Author of Beyond Cybersecurity + Website: Protecting Your Digital Business
Know what assets are the most important
James Kaplan is a principal at McKinsey, where he leads its IT infrastructure and is a co-lead on cybersecurity initiatives. Kaplan is also a co-author of the book “Risk and responsibility in a hyperconnected world: Implications for enterprises.”
When discussing website security, Kaplan puts his focus on the user experience. “Apply ‘design thinking’ to your Web presence’s security features so you can manage the impact on customer experience,” he said.
According to Kaplan, one thing that you should never do is to “build a security plan without understanding which information assets are most important.”
Matt Suiche, CEO at MoonSols
Don’t assume anything
Matt Suiche is a hacker, entrepreneur and the CEO of MoonSols, which specializes in detecting and responding to advanced cybersecurity threats.
Suiche only has one piece of advice for companies. He explained, “never assume your website is secure and always consider it as it has been compromised – instead of considering it ‘secure’ or ‘safe.’”
Dafydd Stuttard, Author of The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws
Protect yourself against the man-in-the-middle
Creator of the Burp Suite, the leading toolkit for Web application security testing, and founder of PortSwigger Web Security, Dafydd Stuttard is an expert in Web security and is also the author of the popular book, “The Web Application Hacker’s Handbook.”
Stuttard believes an extra step in security is necessary for all communications. “Use Strict Transport Security. This helps protect against some SSL man-in-the-middle attacks,” said Stuttard.
When discussing one thing never to do, Stuttard jokes to never “assume a vulnerability isn’t dangerous because it doesn’t have a logo.”
Vic Winkler, CTO at Covata
Zero day exploits are only the tip of the danger iceberg
Author of “Securing the Cloud,” Vic Winkler has over 30 years of experience in cyber security and IT operations.
For companies looking to amp up their website security in 2015, Winkler’s number one tip is to utilize an independent security testing service in order to continuously check the security and integrity of your site. “This will help your staff by validating their work, and it can also provide your staff with an experience that transcends theirs,” explained Winkler.
As for what to avoid? Assuming that you know everything about the security of your website infrastructure. “You should never assume that what you knew about vulnerabilities or exploits hasn’t changed since the day before,” said Winkler. “Your infrastructure will change in subtle ways as you upgrade, patch or otherwise make changes. Some of these may eventually prove to create an infrastructure/configuration-based vulnerability.”
Bob Tarzy, Analyst and Director at Quocirca
DON’T store payment details on your server!
Prior to joining the analyst firm Quocirca, Bob Tarzy spent 16 years working for leading technology companies such as DEC (now HP), Sybase, Gupta, Merant (now Serena), eGain and webMethods.
Tarzy recommends starting by protecting “against DDoS attacks, as they are increasing in size and number.“ He warns, “don’t think you are not a target, not all attacks are designed to be noticed, many are distraction attacks, designed to go unnoticed and create a window of opportunity for the bad actors.”
As for what not to do, Tarzy takes aim at a very convenient, yet dangerous practice: storing “payment card details on your web server.” Tarzy adds, “In fact don’t store them anywhere, take your organization out of scope for PCI/DSS by using a payment gateway.”
As illustrated from the experts above, there is no ONE way to keep your website secure from cyber attacks, but vigilance, education, and awareness are the first steps.
About the Author
Elias Terman is VP of Marketing and is responsible for all aspects of the global marketing and communications strategy. Elias started his career as an entrepreneur, and now enjoys helping grow Silicon Valley startups into industry leaders. He built out the marketing and business development organizations at OneLogin leading to explosive growth, helped establish SnapLogic as the leading independent integration company, and led MindFire Studio to the Inc 500.Follow on Twitter More Content by Elias Terman