Business Standard

Use open-source tools to build a secure website

SANJAY KUMAR SINGH


Business owners who run their own websites are at high risk of having them hacked. According to a recent written submission made to Parliament by minister of state for electronics and IT K J Alphons, citing data provided by the Indian Computer Emergency Response Team (CERT-In), altogether 22,207 Indian websites, including 114 belonging to the government, were hacked between April 2017 and January 2018. These numbers underline the need for business owners to become more aware of security issues and to put in place systems and practices that will make their websites less vulnerable.

Many website owners believe it doesn’t matter if their sites get hacked, since they don’t have any valuable data on them. But hacking can have other negative consequences. The hacker could, for instance, put up something undesirable on your website. He could also use the processing power of your web server to mine cryptocurrencies, which means he would hijack the resources you pay for to make money for himself. "The biggest risk arising from a hacking incident is the harm it does to your reputation. People will trust your firm less if your website has been hacked," says Sunil Abraham, executive director, The Centre for Internet and Society.

The silver lining is that you can take a number of steps to make it harder for hackers to have a go at your website. Experts suggest that you use a popular, free and open-source stack (combination of technologies) to build your website. "Free and open-source technologies tend to have a better security record. Each of those technologies has been audited and their codes verified by a large number of people, so they are more trustworthy," says Abraham. Similarly, you should use free and popular content management systems (CMS). For instance, you could use FreeBSD or Debian as your operating system, Apache as your web server, Python or PHP as your programming language, MariaDB as your database server, and TYPO3 or MediaWiki as your CMS.

Next, pay a third party — a cyber security firm or your web server administrator — to monitor the software applications that are part of your stack, and also your CMS, extensions and plug-ins. Besides monitoring for vulnerabilities, this third party should also regularly install patches and upgrades whenever they are released by the vendor or the research community.

Also, commission periodic security audits by a cybersecurity company and address the issues that come up during them. Have a recovery plan in place — a plan of action for what you will do if, despite all your precautions, your website does get hacked. This will include things like how to deal with customers' queries after a hack, how to resecure their data (you could issue new passwords), how much backup to maintain, and so on.

Experts also suggest that you should “harden” your server before putting it online. "A server has an open architecture. Enable only those features that you require and disable the rest. This is referred to as hardening," says Shomiron Das Gupta of NetMonastery, a threat management provider.

Ensure that the applications written for you are secure. "Most attacks happen because the code that has been written is vulnerable. These vulnerabilities get exploited and data gets hacked. Your programmers must know how to do secure coding," says Das Gupta. Before an application goes online, have it tested for security flaws by security experts. Your website should also be SSL (secure sockets layer) encrypted. This will ensure that any data that passes between your web server and the visitor's browser remains secure.
