Is Your Website Secure? – Part 1: User Accounts

Understanding the potential vectors of attack

Security is an ever-present concern for businesses – whether that’s physical security of an office or warehouse, information security for sensitive customer data, or cybersecurity for devices, services, and your website.

Any physical location or digital presence a company has can become a vector for attack. Just as door locks, access control systems, and proper employee training are vital to keeping your business’s physical location secure, having security policies and best practices in place helps keep your website secure and minimizes potential security incidents.

Over an ongoing series of posts, we’ll break down each of these potential vectors of attack in further detail and provide best practices for dealing with it.

  1. User Accounts
  2. Data Transmission
  3. Application Software
  4. Database and Filesystem Access
  5. Backups
  6. Web Server Software
  7. Server Management Software
  8. Physical Server Hardware

User Accounts

The first line of defense for your website is your users. If an admin user is duped by a clever social-engineering attack, has an easily guessable password, or re-uses a password that was exposed in an outside security breach, attackers can gain immediate access to your website. Depending on the level of access that user has, the attacker could take any number of actions, including downloading and/or destroying sensitive data, defacing content, installing malware, or using the account as a jumping-off point to access other company systems.

Here are a few best practices for securing user accounts on your website:

Only give access to those who need it

The fewer accounts with access to a system, the easier it is to manage and secure. In the case of an e-commerce store or other site where users can create their own accounts, ensure your application enforces proper permissions so users can only access the information they are entitled to.
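Enforcing "users can only access the information they are entitled to" means checking ownership (or an explicit role) on every record lookup, not just checking that the caller is logged in. The example below is added here to illustrate that check; it is not code from the original post. The users, orders, the `support` role and the `Forbidden` error are all constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample data: two customers, one support agent, two orders.
@dataclass(frozen=True)
class User:
    user_id: int
    roles: frozenset = field(default_factory=frozenset)

@dataclass(frozen=True)
class Order:
    order_id: int
    owner_id: int
    total: float

ORDERS = {
    101: Order(101, owner_id=1, total=42.00),
    102: Order(102, owner_id=2, total=99.50),
}

class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested record."""

def can_view_order(user: User, order: Order) -> bool:
    # Deny by default: a customer sees only their own orders; the
    # (constructed) 'support' role is the only one allowed to see any order.
    return order.owner_id == user.user_id or "support" in user.roles

def get_order(user: User, order_id: int) -> Order:
    """Fetch one order, enforcing object-level authorization.

    Looking the order up by ID alone would let any logged-in user read any
    order just by changing the number in the URL; the ownership/role check
    is what closes that gap.
    """
    order = ORDERS.get(order_id)
    if order is None or not can_view_order(user, order):
        # Same outcome for 'does not exist' and 'not yours', so the response
        # does not reveal which order numbers exist.
        raise Forbidden(f"order {order_id} is not available to user {user.user_id}")
    return order

def list_orders(user: User) -> list:
    """Return only the orders this user is entitled to see."""
    return [o for o in ORDERS.values() if can_view_order(user, o)]

if __name__ == "__main__":
    alice = User(1)
    staff = User(9, frozenset({"support"}))
    print(get_order(alice, 101))          # Alice's own order
    print([o.order_id for o in list_orders(staff)])  # support sees both
```

The same pattern applies to any per-user resource (addresses, invoices, uploaded files): the authorization decision lives in one function that every read and write path goes through, so a new endpoint cannot accidentally skip it.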

Enforce strong passwords

Password cracking tools are increasingly powerful and easy to use, so a strong password that is not easily guessed is very important. Short passwords using common dictionary words are trivial to crack, so either use a long password consisting of a phrase you can remember (spaces in passwords are usually okay to use!) or use a password generator. Password managers like LastPass or 1Password are great for generating and securely storing these passwords.

Use unique passwords

Password re-use is a major vulnerability – databases of previous data breaches are readily available, so anyone can look through them and start testing usernames and passwords to see if they work on other sites. However, if every password you use is unique, the potential damage can be limited to that single account. The password managers listed above are great tools to manage all these unique passwords. You can also utilize the free service Have I Been Pwned?, which collects information on data breaches and can notify you if your email address or phone number has been exposed in one.
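A site can enforce both of the points above (a long passphrase, and one that has not already appeared in a breach) at the moment a user sets a password. The example below is added here and is not code from the original post. It uses the k-anonymity lookup scheme that Have I Been Pwned?'s Pwned Passwords service uses (only the first five hex characters of the SHA-1 hash are sent; matching is done locally on the returned suffixes), but the range data here is constructed inline so the example runs offline, and the `MIN_LENGTH` of 12 is an assumed policy value rather than one from the post.

```python
import hashlib

# Assumed policy: a 12-character minimum. Spaces are allowed, so a memorable
# multi-word phrase qualifies.
MIN_LENGTH = 12

# Constructed stand-in for a Pwned Passwords "range" response. Each line is
# the last 35 hex characters of an uppercase SHA-1 hash that shares the
# queried 5-character prefix, then a colon and a breach count. The first
# suffix is the real remainder of SHA-1("password"); its count and the
# second line are made up for the example.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "0A3C5A1F2D4E6B7C8D9E0F1A2B3C4D5E6F7:2\n"
    ),
}

def constructed_fetch_range(prefix: str) -> str:
    """Offline replacement for the network call; unknown prefixes return
    an empty range, i.e. 'no breached hashes with this prefix'."""
    return CONSTRUCTED_RANGES.get(prefix, "")

def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def breach_count(password: str, fetch_range=constructed_fetch_range) -> int:
    """k-anonymity lookup: hash locally, send only the 5-char prefix, then
    compare the remaining 35 chars against the returned suffixes. Neither
    the password nor its full hash ever leaves the client."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def validate_new_password(password: str, fetch_range=constructed_fetch_range) -> list:
    """Return the list of policy violations; an empty list means accepted.
    Every rule is evaluated so the user sees all problems at once."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    hits = breach_count(password, fetch_range)
    if hits:
        problems.append(f"appeared in {hits} known breaches")
    return problems

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(repr(candidate), "->", validate_new_password(candidate) or "ok")
```

In production, `fetch_range` would perform the HTTPS request to the range endpoint and the rest of the code stays the same; keeping the network call behind a parameter is also what makes the check testable without a live service.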

Do not share credentials over email

Email is not a secure way to share login credentials, or really any sensitive data. Instead, use a more secure mechanism, like a password manager or a file-sharing system. Read our post, How to Send Sensitive Content & Files Securely Over Email, for more information.


Next in the series: Data transmission

For our next post in the series, we’ll dig into securing the data in transit between a user’s device and your server.
