An A-Z of web hosting security best practice
Davey Winder shares an alphabet soup of tips that will help keep your website safe from attacks
Davey Winder speaks to industry experts with real-world experience to compile a handy alphabet soup of tips for web hosting security best practice.
Online breaches are big news and have big impacts on big business. But what about the small business operators? The ones who can’t afford to outsource their web security, let alone to fund in-house security teams? More often than not, these businesses rely upon their hosting provider to have systems and processes in place to provide adequate protection. It’s a reliance that can prove problematic when the cyber hits the fan.
The truth is that security issues reach way beyond the headline data breaches you read about online. It’s a fallacy that all, or even a majority, of web attacks are highly targeted: the vast majority are truly random, the result of automated scripts and scans throwing a net across the web to catch sites with security weaknesses.
“Web hosting can be a minefield for small businesses. Eye-catching offers for lowest cost web hosting and fast connection speeds pay lip service to the complexities of finding, hosting and securing your web presence,” Nick Emanuel, senior director of product at Webroot, told PC Pro. He revealed that Webroot threat research discovered 25% of malicious URLs were hosted on otherwise nonmalicious sites, legitimate businesses that had been compromised and turned into criminal conduits.
“Taking ownership and responsibility for your site’s security will pay dividends,” Emanuel said. “The good news being that security is available and hosted/managed offerings remove the need for time-consuming deployments and lessen the burden of management.” Central to your getting to grips with hosting security for your business is to know what the challenges are, where the biggest threats sit and what the best-practice mitigation is.
We’ve asked these questions of industry experts with real-world experience and compiled an abridged A-Z of web hosting security best practice for businesses.
A is for access
Privilege escalation, whereby an attacker can gain elevated access to resources they should be protected from using, isn’t just an operating system or network problem: it’s a prime target for web hackers. “Administrative access to a web resource is the key to the kingdom for any cyberattacker,” said Emanuel. He advises that businesses should strictly control the number of admin users, as well as creating “user level access appropriate to their role”.
This limited access should be provisioned for and authorised by technical personnel according to Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University: “Logging into the host should be done using Secure Socket Shell (SSH) in addition to password-protected secure data transmission (RSA) keys.” Curran points out that it’s also possible to restrict access to predefined IP addresses for an added layer of security. “It’s good practice to disable user root access and to limit the number of login attempts, adding two factor authentication (2FA) for additional security.”
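The SSH controls Curran lists (no root login, key-based rather than password login, a cap on login attempts, access limited to named users from set addresses) can be checked against an sshd_config file. The script below is an added example, not from the article or any of the vendors quoted; the configs it reads are constructed, the 203.0.113.10 address is a documentation address, and 2FA is handled by PAM rather than this file, so it is not checked here.

```shell
#!/bin/sh
# Added example (not from the article). Audits an sshd_config against the
# access controls the section lists: no root login, key-based auth instead of
# passwords, a cap on login attempts, and access limited to named users from
# set addresses. sshd takes the first value it sees for a keyword, so the
# checks read first-wins; Match blocks are not handled. Configs are constructed.

# effective_value FILE KEYWORD -> first uncommented value, case-insensitive
effective_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) && !done { print $2; done = 1 }' "$1"
}

# audit_sshd FILE -> prints one finding per line (nothing printed means clean)
audit_sshd() {
    f="$1"
    v=$(effective_value "$f" PermitRootLogin)
    [ "$v" = "no" ] || echo "PermitRootLogin is '${v:-unset}' (want no)"
    v=$(effective_value "$f" PasswordAuthentication)
    [ "$v" = "no" ] || echo "PasswordAuthentication is '${v:-unset}' (want no: keys only)"
    v=$(effective_value "$f" MaxAuthTries)
    { [ -n "$v" ] && [ "$v" -le 3 ]; } || echo "MaxAuthTries is '${v:-unset}' (want 3 or fewer)"
    v=$(effective_value "$f" AllowUsers)
    [ -n "$v" ] || echo "AllowUsers unset (want user@address entries)"
}

LOOSE="$(mktemp)"
cat > "$LOOSE" <<'EOF'
# constructed: a stock-looking config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
EOF

HARD="$(mktemp)"
cat > "$HARD" <<'EOF'
# constructed: the hardened equivalent (203.0.113.10 is a documentation address)
Port 22
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
AllowUsers deploy@203.0.113.10
EOF

echo "== stock =="; audit_sshd "$LOOSE"
echo "== hardened =="; audit_sshd "$HARD"
```

Run it against a real file with `audit_sshd /etc/ssh/sshd_config`; the stock sample produces four findings, the hardened one none.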
B is for bot denial
Automated attacks come in many forms, and forms are literally a favoured target of the script-driven menace. “Use a reCAPTCHA on your contact forms and other site submissions as this will protect your site against such automated bots,” said Ben Angus, a web developer at FSE Digital. Just one of the attack methodologies that can be mitigated by such a defence would be a simple denial-of-service attack attempting to overload your web server.
D is for DDoS defence
While a reCAPTCHA might help fight the distributed denial-of-service (DDoS) menace at a very simple level, the threat has a much longer reach. If your business relies on site availability, as most do now, mitigating against DDoS has to be a priority.
Don’t wait until an attack hits – the damage will have already been done. Matt Aldridge, principal solutions architect at Webroot, points out that secure hosting vendors will often offer attack protection and such dedicated defences “should be considered a fundamental element of security”.
“D” should also, therefore, be for domain proxying. “Cloudflare offers this for free alongside some paid packages,” Angus said, “and will ensure the security of your personal server against DDoS attacks and other low-level cyberattacks.”
E is for encryption
“Access should be encrypted end-to-end through use of TLS (Transport Layer Security) to ensure no man-in-the-middle attacks can be conducted,” said Curran. “Most networks are now built on the Internet Protocol Security (IPsec), which secures traffic within the network from end-to-end.”
IPsec serves a purpose similar to HTTPS (Hypertext Transfer Protocol Secure, which is HTTP carried over TLS): each adds a layer of security to the network infrastructure, but neither is foolproof on its own.
“Ensuring data is encrypted is a base requirement and an essential security ask,” Emanuel added. “Many hosting services offer free SSL certification but note that, depending on the expected traffic and the objective of your website, you may want to consider paid-for SSL certifications as there are key differences on what each can do, expiry dates, management and so on.”
For the smallest businesses, however, the use of the Let’s Encrypt service is likely to be sufficient as it’s free and fully automated, meaning that the danger of SSL certificate expiration is removed.
I is for information security policy
Denis Koloshko, CTO at IDS Group, reminds PC Pro readers that the weakest point in any system is almost always the human element. Best practice, therefore, demands a company policy to clearly define how employees manage passwords, how access to live systems is protected, what protocols should run to revoke access for past employees and so on.
“As a result of increasing cybercrime, passwords have had to become more complex over time,” Koloshko said. “But, with the best will in the world, without an encrypted database to store them in the risk remains. Implementing an internal security policy for all staff to follow will massively reduce your exposure.” That includes your online hosted resources as much as any other, if not more so.
M is for minimising your attack surface
It sounds such an obvious place to start, yet minimising your attack surface in simple ways can reap great rewards in terms of better web security. “Simply hiding your internal systems and admin panels away from public view via the use of a VPN should be your first line of defence,” Koloshko said.
O is for owning it
“Owning it” is another concept that’s often overlooked when it comes to web security, passing that responsibility to the web host and then forgetting all about it. “Often a website only gets the attention that it deserves during a major update or rewrite,” Aldridge said. “Once it is published and stable, a website can often be neglected.”
However, ensuring your sites, the platforms they sit upon, the tools they use and the content they contain are kept under review and updated as necessary will hugely strengthen your security. For good measure, taking such ownership and responsibility will also pay dividends in terms of SEO, accessibility and compliance where appropriate.
“The good news,” said Aldridge, “is that security is available and hosted/ managed offerings remove the need for time-consuming deployments and lessen the burden of management.”
P is for plugins
Talking of ownership, of ensuring sites aren’t neglected in such a way that will weaken your security, enter plugins stage left. WordPress is the most-used content management and web design software, and while it’s not a weak point itself as far as web security goes, the tools and resources that plug into it most certainly are.
“Websites are hacked typically when they’re running vulnerable plugins that aren’t patched,” according to Brent Stackhouse, senior director of security, governance, risk management, compliance (GRC) and IT at WP Engine. Despite the common myth of WordPress “core” as a point of vulnerability, Stackhouse told PC Pro that it’s the third-party plugin vulnerabilities that represent 56% of the known entry points for attacks.
“The solution is simple,” said Stackhouse. “Avoid running any more plugins than you need to, and ensure the ones you do use have a good history of updates after published vulnerabilities. To tackle the burden of keeping plugins up to date and the risk of mission critical sites breaking, machine-learning and visual-testing tools can now even automate plugin updates on a nightly or weekly basis without causing unintended consequences that could result in downtime or lost traffic.”
Stuart Melling, business development director at Manchester-based web host 34SP, told PC Pro that the number-one piece of advice it always gives to its customers is an easy one to follow: keep your software updated at all times. “We like to think of this like protecting your house from robbers: most don’t need a fancy security system, just take care of the basic home security tasks. Most would-be home invaders will try the simple things like your front door or windows. Keep them locked at all times, and they’ll move onto the next house – they aren’t looking for anything challenging!”
The same goes for would-be online invaders, who are looking for the least amount of effort possible in most cases. “Securing against this is very easy, even novices can ensure their software is up to date at all times,” Melling said. “Simply ask your hosting provider or developer how your updates are being handled at present and take it from there.”
Ben Angus suggests that avoiding the decentralisation of your code base altogether makes more sense, if your business is big enough to have in-house developers. “Whilst it may be tempting to install a bunch of plugins to provide new functionality, remember that any plugin you install is programmed and maintained by someone other than your developer. If they drop the ball and there’s an exploit or issue, then it’s up to them to fix it, which can lead to potentially huge security flaws. Remember to limit the amount of plugins used and try to only use ones that are well reviewed and with solid support.”
R is for risk register
Koloshko says that creating a risk register to understand the potential risks posed by a security incident and the impacts on the business is a necessity. The standard formula used for risk calculation is risk = business impact × likelihood of incident.
The initial questions to consider when it comes to web hosting security should be, according to Koloshko:
What is the impact on the business if a particular web system is down?
What is the risk if the data in the web system is corrupted?
What happens if backups are corrupted – how can you restore data?
What threat does a sensitive data leak pose to the business?
“Each of these risks needs to be defined,” said Koloshko. “Once the risks are known and understood, the decision on the levels of acceptance can be made with an understanding of the impacts in terms of risk, time and cost to the business. When these are in place, a mitigation plan can be implemented.”
S is for scale
“Scale your sites to what you and your customers need,” explained Ben Angus. “Any site that operates, especially ecommerce sites, will require constant maintenance to remain operational and secure, so going for a massive site with all the bells and whistles may be putting your site at more risk than you actually need to.”
T is for testing
Penetration testing is an overlooked security basic for most web businesses, at least when it comes to their websites. “From our experience of providing web penetration testing services, it’s unfortunately very commonplace for business owners to be surprised and disappointed with the found vulnerabilities and high business risks from the tech side in their web systems,” said Koloshko. “We would suggest that independent penetration tests are performed at a minimum of every 12 months.”
Hiring a third-party cybersecurity expert to perform penetration testing against the system is a very efficient way to disclose your weaknesses and business risks in advance of any attempted raids – something that applies just as much to your web property as any other. Koloshko suggests that a robust test should cover the following key points:
Gather information about the target.
Locate possible entry points.
Attempt to gain access.
Test the disaster recovery strategy.
Collate findings on all identified weaknesses.
Devise a security roadmap.
Work with IT leaders to implement the recommendations.
U is for updating defaults
“It is crucial to keep hosting frameworks up to date,” Curran said – not least because web-hosting platforms rely on third-party plugins. As we’ve already mentioned, these are notorious for having flaws that can compromise a host. Consequently, advises Curran, “it is important to change the default admin username, disable file editing, XML-RPC and PHP file execution, change database prefix and scan regularly for any malware and vulnerabilities”.
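Most of the defaults Curran names live in files on the host, so they can be audited. The script below is an added example, not from the article or from WordPress itself: it checks wp-config.php for the DISALLOW_FILE_EDIT constant and a non-default table prefix, and checks Apache .htaccess files for rules denying xmlrpc.php and PHP execution under wp-content/uploads. The sample trees are constructed; the admin username lives in the database and is not covered.

```shell
#!/bin/sh
# Added example (not from the article). Checks a WordPress tree for the file-based
# defaults the section says to change: file editing and database prefix in
# wp-config.php, XML-RPC and PHP execution in uploads via Apache .htaccess rules.
# The admin username lives in the database, so it is not covered. Files below are
# constructed samples; the hardened tree shows what a clean audit looks like.

# audit_wp ROOT -> prints one finding per line (nothing printed means clean)
audit_wp() {
    r="$1"; c="$r/wp-config.php"
    grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true" "$c" ||
        echo "wp-config.php: DISALLOW_FILE_EDIT not true (theme/plugin editor enabled)"
    prefix=$(sed -n "s/^\$table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$c")
    { [ -n "$prefix" ] && [ "$prefix" != "wp_" ]; } ||
        echo "wp-config.php: table prefix is '${prefix:-unset}' (default wp_)"
    grep -Eqs '<Files[[:space:]]+"?xmlrpc\.php"?>' "$r/.htaccess" ||
        echo ".htaccess: no <Files xmlrpc.php> block, XML-RPC reachable"
    grep -Eqs '<FilesMatch.*php' "$r/wp-content/uploads/.htaccess" ||
        echo "uploads/.htaccess: PHP execution not blocked in wp-content/uploads"
}

# constructed: a stock install with nothing changed
LOOSE="$(mktemp -d)"; mkdir -p "$LOOSE/wp-content/uploads"
printf '%s\n' '<?php' "define( 'DB_NAME', 'example' );" "\$table_prefix = 'wp_';" > "$LOOSE/wp-config.php"

# constructed: the same install with the defaults changed
HARD="$(mktemp -d)"; mkdir -p "$HARD/wp-content/uploads"
printf '%s\n' '<?php' "define( 'DISALLOW_FILE_EDIT', true );" "\$table_prefix = 'k7x_';" > "$HARD/wp-config.php"
printf '%s\n' '<Files xmlrpc.php>' '    Require all denied' '</Files>' > "$HARD/.htaccess"
printf '%s\n' '<FilesMatch "\.php$">' '    Require all denied' '</FilesMatch>' > "$HARD/wp-content/uploads/.htaccess"

echo "== stock install =="; audit_wp "$LOOSE"
echo "== hardened install =="; audit_wp "$HARD"
```

Point `audit_wp` at a real document root to get the same four checks; the stock sample produces four findings, the hardened one none.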
V is for vendor disaster recovery
Vendor disaster recovery can be overlooked when concentrating on your own business disaster recovery plans. That’s a natural human reaction – fix what you can see and assume the best of others – but for best security practice you need to assume the worst. “Challenge your hosting vendor with questions around their response times and security mitigations, how quickly they can recover and how they protect against attacks, large-scale DDoS attempts or a breach,” said Emanuel.
W is for web application firewall (WAF)
Your network isn’t the only thing that a firewall can help secure: web application firewalls (WAFs) monitor the traffic between the internet and your web application, site or presence and take actions based on the defined policies and rules.
We’ll let Webroot’s Emanuel have the final word: “WAFs often include additional benefits beyond protecting against common attack methods like cookie poisoning and cross-site scripting, such as vulnerability scanning, baseline DDoS protection and reporting tools.”