
WOT’s Complete Guide to Website Security

What is web security?

Web security is also known as cybersecurity; it is the ability to protect a website or web application by detecting, preventing and responding to online threats.

Regularly using the Internet in our everyday lives exposes us to various online attacks, in a range of formats and complexities. Therefore, by having web security – a system of protective measures and protocols in place, we are able to more easily ‘secure’ our online surroundings from being attacked and hacked.

Common web security vulnerabilities

Web security vulnerabilities and attacks range from stolen data, where online thieves take the data you store online, to phishing schemes, where attackers trick you into handing over sensitive information, to SEO spam, which plants unusual links and pages on your site to drive traffic to malicious websites, and everything in between.

What do we mean by anything in between? Well, attacks against websites and apps range from targeted database manipulation to large scale business and enterprise disruption.

Some examples of web security vulnerabilities include:

  • DoS/DDoS Attacks

Otherwise known as Denial of Service (or Distributed Denial of Service when many sources are used). Attackers use a range of methods to overload the targeted server or its surrounding infrastructure, which slows the server down and reduces its ability to accept requests from legitimate traffic sources.

  • Data Breaches

A data breach is a general term for the release of confidential information. Breaches can result from mistakes as well as attacks, and can expose anything from a single piece of highly valuable information to millions of user accounts.

  • Memory Corruption

This type of attack occurs when the contents of a memory location are altered in a way the program did not intend, resulting in unexpected behavior in the software.

Web security scanners

In order to mitigate web security breaches and attacks you need to perform routine scans to check for threats and vulnerabilities. You can run these scans with something called an Open Source Vulnerability Scanner.

This is a tool that assists organizations in identifying and fixing any risks associated with open source software. Once an open source vulnerability scanner finds open source software vulnerabilities, it will be able to help reduce these risks by suggesting fixes through a patch or update.

The importance of web application security

Let’s explain this with an easy to understand example. An organization has a website that’s based on WordPress and thinks that it has all its ‘ducks in a row’ when it comes to web application security. However, this organization hasn’t checked its setup for security vulnerabilities, meaning that there could be issues making it easy to hack.

As we already know, content management systems such as WordPress are easy targets, and the gaps in this organization’s security make it easy for cybercriminals to gain access to sensitive and private data and steal it.

Therefore, the importance of web application security is paramount in protecting websites and online services against a vast range of online threats that can exploit vulnerabilities and expose sensitive information.

So, what can you, or your organization do to make sure you’re protected? You’ll need to have some security tests in place to make sure you’re covered from attacks.

Different types of security tests

Web security testing aims to find security vulnerabilities in web applications and their configuration. These tests often involve sending different types of input to trigger errors and make systems behave in particular ways, in order to reveal any security issues the specific system may have. The main goal? To ensure that everything within a web application is totally secure.

So how can you test?

  1. DAST Test – A dynamic application security test is an automated application security test that is mainly used for internally facing, low-risk web applications.
  2. Penetration Test – This is a manual web application security test that involves business logic and adversary-based testing, to discover advanced style attacks and is designed for critical applications undergoing major changes.
  3. RASP Test – Runtime application self-protection involves a range of technological techniques so that attacks can be monitored as they are conducted and blocked in real time.
  4. SAST Test – The static application security test offers both automated and manual testing techniques and is designed to identify bugs without the need for apps to be ‘in production’ while doing so. Developers are also able to scan source code and systematically find and eliminate software security vulnerabilities with this type of test.

Web application security best practices

While nobody can guarantee 100% security due to very clever tactics and unforeseen circumstances that arise, there are many methods organizations can implement to help reduce the chance of web application issues and problems arising.

We’ve rounded up the best practices to keep in mind when implementing your web application security.

  1. Web Application Inventory

Many businesses are organized when it comes to knowing what applications they have. However, most probably don’t have a clear idea about which applications they rely on, on a daily basis. Many also have ‘rogue’ applications running all the time and don’t notice them as they are in the background – until something goes wrong.

However, a business cannot maintain effective web application security without knowing exactly which applications it uses.

Therefore, performing an inventory and asking questions such as how many applications there are, where they are located, and so on, is important, although time consuming. Organizations will also find that many applications are not in use and are pointless to keep around.

  2. Create a Blueprint

Once you have completed your inventory, you need to start staying on top of your web application security. How best to do this? You need to gather your IT security team and develop an in depth, actionable plan that outlines your organization’s goals.

If your organization’s main goal for example is to enhance overall compliance then you need to prioritize which applications need to be secured first and how you will go about testing them. Each security blueprint for each organization will differ depending on the organization’s infrastructure; however, it should be created down to the smallest details including naming individuals within the organization who are responsible for maintaining web application security best practices on an ongoing basis.

  3. Prioritize Web Applications

Now that you have your organization’s inventory and detailed blueprint in place, you’ll need to start prioritizing web applications. This is the next, and most logical, step: it makes sure your organization knows what to focus on first so that the process actually makes progress.

One idea may be to sort the applications into 3 categories:

  1. Critical – Applications that are primarily externally facing and contain user information.
  2. Serious – Internal or external applications that may contain sensitive information.
  3. Normal – Less exposed applications.

Critical applications are the ones that are most likely to be targeted and exploited by cybercriminals which is why it is paramount to manage these first, and then follow on with the rest in order as listed above.

By segmenting applications in this order, you can effectively manage your time and resources by extensively testing critical applications first and using less intensive testing for the serious and normal categories.

  4. Prioritize Vulnerabilities

Prior to testing your web applications, your organization needs to decide which vulnerabilities are worth eliminating now and which are lower risk for the time being.

Most web applications have lots of vulnerabilities; however, eliminating them all isn’t really possible and, to be honest? Isn’t really worth the work. This is because even after the organization categorizes all its applications according to importance, it will take a lot of time to test them all.

How you determine which vulnerabilities are the most important to focus on depends on the applications your organization is using; you’ll then need to research and analyze each application to work out the correct security measures to take.

This is why you need to limit testing to only those applications with the most harmful vulnerabilities, as you will be able to save valuable time and work quicker.

  5. Restrict Access

Once your web applications have been assessed, tested and the organization has been able to purge the most problematic vulnerabilities, you’re not entirely in the clear. Every web application has specific privileges and these privileges should be adjusted to enhance overall security.

This means that only authorized employees who have been cleared to make system changes should have that level of access to a web application; everyone else can accomplish what they need with the default permission settings that most web applications provide.

  6. Implement Interim Security

Whether your organization is large or small, it may take weeks or even months to make the necessary changes in your web application security. It’s at precisely this time that your organization may be even more vulnerable to attacks and therefore, it’s important to have other protections in place to reduce the risk of attacks.

One option is to remove some functionality from specific applications, since every feature an application exposes is another thing an attacker can target. Another would be to use a web application firewall to protect your organization against the most dangerous types of attacks.

Throughout the web security best practice process, existing web applications should be continually monitored to ensure that there are no breaches or attacks from hackers or cybercriminals. If your organization or website suffers an attack during this time, identify how it happened, the main cause and then address it before continuing with the process. You should also carefully document such vulnerabilities on a regular basis and see how they are handled so that future occurrences can be dealt with accordingly.

  7. Protect Cookies

When addressing an organization’s web application security, it’s important to also consider the use of cookies within best practices.

Cookies are useful for organizations and users alike as they allow users to be remembered by sites that they visit so that future visits are faster and more personalized. However, cookies also make easy targets for hackers in gaining access to sensitive information.

Therefore, it’s important to make sure you don’t use cookies to store sensitive or critical information such as users’ passwords. An organization’s cookie settings should also include expiration dates to avoid security risks. Additionally, you should consider encrypting the information stored in any cookies you do use, as a further security measure.
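As an added illustration of the three cookie rules above (this is example code, not from the WOT article), the Python helpers below build a Set-Cookie header with an explicit lifetime and hardening flags, make a cookie value tamper-evident by signing it (integrity rather than encryption, so it detects changes but does not hide the contents), and audit an existing header for the same rules. The function names and the sample key are assumptions.

```python
"""Added example: cookie hygiene checks and a tamper-evident cookie value.

Assumptions (not from the original article): the helper names below are
hypothetical, and SAMPLE_KEY is a constructed demonstration key.
"""
import base64
import hashlib
import hmac
from email.utils import formatdate

# Constructed sample key for the demonstration only.
SAMPLE_KEY = b"constructed-demo-key-rotate-me"

# Cookie names that suggest the value itself is a secret.
SENSITIVE_NAMES = ("password", "passwd", "pwd", "ssn", "card")


def build_session_cookie(name: str, value: str, max_age: int, now: float) -> str:
    """Return a Set-Cookie header value with an explicit lifetime and hardening flags.

    Max-Age and Expires bound the cookie's lifetime (the article's 'expiration
    date'); Secure keeps it off plain HTTP; HttpOnly hides it from page
    scripts; SameSite=Lax limits cross-site sending.
    """
    expires = formatdate(now + max_age, usegmt=True)
    return (f"{name}={value}; Max-Age={max_age}; Expires={expires}; "
            "Path=/; Secure; HttpOnly; SameSite=Lax")


def seal(payload: str, key: bytes = SAMPLE_KEY) -> str:
    """Sign a cookie value with HMAC-SHA256 so tampering is detected.

    This is integrity protection, not secrecy: the payload is still readable,
    so secrets such as passwords must stay out of it entirely.
    """
    body = base64.urlsafe_b64encode(payload.encode()).decode().rstrip("=")
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def unseal(cookie: str, key: bytes = SAMPLE_KEY):
    """Verify the HMAC and return the payload, or None if it was altered."""
    body, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    padded = body + "=" * (-len(body) % 4)  # restore stripped base64 padding
    return base64.urlsafe_b64decode(padded).decode()


def audit_set_cookie(header: str) -> list:
    """Return the hygiene problems found in a Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip().lower()
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    problems = []
    if any(word in name for word in SENSITIVE_NAMES):
        problems.append("cookie name suggests it stores sensitive data")
    if "max-age" not in attrs and "expires" not in attrs:
        problems.append("no expiration set")
    for flag in ("secure", "httponly", "samesite"):
        if flag not in attrs:
            problems.append(f"missing {flag}")
    return problems
```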

  8. Other Web Security Options

Some “immediate” web application security options that you can implement as a website or business owner are:

  • HTTPS – redirect all HTTP traffic to HTTPS
  • Install a content security policy within your organization.
  • Public key pins (note that the major browsers have since dropped support for HTTP Public Key Pinning, so check that it still applies before relying on it)
  • Strong passwords that include lower and uppercase letters, numbers and symbols
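To make the first two options above checkable, here is an added example (not code from the WOT article) that audits a web response for a permanent HTTP-to-HTTPS redirect and for a Content Security Policy that actually restricts scripts. The helper names are hypothetical and the URLs and headers in use are constructed samples, not real sites.

```python
"""Added example (not from the WOT article): check a web response for the
HTTPS-redirect and Content-Security-Policy options listed above.

Assumptions: the helper names are hypothetical; any URLs or headers passed in
are constructed samples.
"""
from urllib.parse import urlsplit

# Permanent redirect codes that tell clients to remember the HTTPS location.
PERMANENT_REDIRECTS = (301, 308)

# Source expressions that make a script-src policy ineffective.
WEAK_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "data:")


def check_https_redirect(status: int, headers: dict) -> list:
    """Problems with how a plain-HTTP request was answered (lower-case header keys)."""
    location = headers.get("location", "")
    if status not in PERMANENT_REDIRECTS:
        return [f"http request answered {status}, expected a 301/308 redirect"]
    if urlsplit(location).scheme != "https":
        return [f"redirect target is not https: {location!r}"]
    return []


def parse_csp(policy: str) -> dict:
    """Map each CSP directive name to its list of source expressions."""
    directives = {}
    for directive in policy.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, sources = directive.partition(" ")
        directives[name.lower()] = sources.split()
    return directives


def check_csp(headers: dict) -> list:
    """Problems with the Content-Security-Policy of an HTTPS page."""
    policy = headers.get("content-security-policy")
    if policy is None:
        return ["no Content-Security-Policy header"]
    directives = parse_csp(policy)
    problems = []
    if "default-src" not in directives:
        problems.append("CSP has no default-src fallback")
    # script-src falls back to default-src when it is absent.
    script_sources = directives.get("script-src", directives.get("default-src", []))
    for weak in WEAK_SCRIPT_SOURCES:
        if weak in script_sources:
            problems.append(f"script-src allows {weak}")
    return problems


def audit_response(request_url: str, status: int, headers: dict) -> list:
    """Run the check that applies to the scheme the request was made over."""
    lowered = {key.lower(): value for key, value in headers.items()}
    if urlsplit(request_url).scheme == "http":
        return check_https_redirect(status, lowered)
    return check_csp(lowered)
```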

  9. Web Application Security Training

If you own an organization, chances are you have employees that understand the importance of web application security and how it works. However, other employees may only have basic knowledge which could lead to careless mishaps.

By educating all employees on this matter, they are more likely to sort out vulnerabilities themselves and so prevent attacks. Training employees therefore strengthens an organization’s overall web application security process while maintaining security best practices.

WiFi Security

In this day and age, the need for a WiFi connection has become a real necessity for both our work and personal lives. All the devices we use on a daily basis such as our phones, computers and tablets need to be connected to the internet for us to be productive and get things done.

However, when not connected in a safe and secure way, the internet can be a dangerous place that can give cybercriminals access to the most sensitive information.

What is a wireless network?

When the Internet first landed, most households and businesses used a lot of cables to connect to the internet. The process was very different from the one we know today, consisting of phone lines, cables and usually only one oversized computer.

As the world advanced, so did technology, and internet access became a basic necessity. Wireless networking became the easiest and most affordable way to connect to the world wide web. No cables, no dial up, just one connection that many devices can connect to with a password in a matter of seconds.

These wireless networks, otherwise known as WiFi networks, are computer networks that use wireless connections to connect our devices to the internet. However, with millions of people connecting to millions of networks all over the world come millions of security threats. So what can we do, especially at home, to keep our network safe?

Wireless security protocols

There have been many wireless security protocols developed to protect home wireless networks, including WEP, WPA, and WPA2. Each has strengths and weaknesses of its own; however, all of them help prevent hackers and cybercriminals from connecting to your wireless network, as they encrypt your private data in real time over the airwaves.

So what are the differences?

  • WPA – Otherwise known as WiFi Protected Access, uses a preshared key (PSK), usually referred to as WPA Personal, and the Temporal Key Integrity Protocol (TKIP) for encryption.
  • WPA2 – This is WiFi Protected Access 2, which is similar to WPA; however, the most significant difference of WPA2 over WPA is the use of the Advanced Encryption Standard (AES) for encryption. The security provided by AES is sufficient (and approved) for use by the U.S. government to encrypt information classified as top secret, which means it’s probably good enough for you too…
  • WEP – Stands for Wired Equivalent Privacy, which was the original encryption protocol developed for wireless networks. It provides, as its name suggests, the same level of security as a wired network would. In practice its encryption was broken many years ago, so it should be avoided wherever WPA2 is available.

How to keep your home WiFi safe

Most people only use one measure to keep their home network safe, and that is to set up a password so that neighbors and other people can’t gain access to it.

However, today we need to take our home WiFi security much more seriously as there are continued risks that cybercriminals could exploit your data and gain access to sensitive information by taking advantage of your network through malicious attacks.

By following these 5 simple steps you’ll be able to increase your home WiFi security and make sure that your network is secure as can be.

  1. Change the name of your network

The initial step in making your home WiFi security safer is to change the service set identifier (SSID). Many WiFi manufacturers give their wireless routers a default SSID, usually the company’s name. Then, when a computer or mobile device with a wireless connection searches for a nearby network, the SSID becomes public, giving hackers and cybercriminals an easier way to break into your network.

In order to throw hackers off their mission and avoid security threats, it is better to change the network’s SSID to something that does not disclose any personal information.

  2. Enable network encryption

The majority of wireless routers have an encryption feature which, by default, comes turned off. Turning on your router’s encryption setting is another way to help secure your network.

Once you receive your router, make sure you turn this feature on immediately. The most recent, most effective and most efficient encryption option available is WPA2.

WPA2 is short for WiFi protected Access 2 and provides stronger data protection and network access control for your router, meaning that you can rely on this feature to ensure that only authorized users can access your wireless network.

  3. Choose a strong password

This may sound like an obvious one, but some people still get it wrong. Every wireless router comes with a pre-set username and password that are needed for the initial installation of your router. However, it is very easy for cybercriminals to guess these details, especially when they know which manufacturer provided the router.

Therefore, once installed, be sure to change both the username and password immediately. A good wireless password should be around 20 characters long and a mix between upper and lower case letters, symbols and numbers – making it hard for cybercriminals to guess.

  4. Disable remote access

Most routers provided for home use only allow users to access their administration interface from a connected device; however, some also allow access from remote systems.

Once remote access is turned off, malicious cybercriminals won’t be able to reach your router’s settings from a device that isn’t connected to your wireless network.

To make this change, open the router’s web interface and search for ‘remote access’ or ‘remote administration.’

  5. Install a firewall

An internet firewall is designed to protect your computers from harmful attacks. Wireless routers usually have built-in firewalls but these may be turned off when you first receive the router.

Make sure you check that your wireless router’s firewall is turned on, or if your router doesn’t have a firewall installed, make sure you install one on your system to watch out for malicious attacks and to keep your network secure.

Cyber Security Threats

As we mentioned previously, all of us are subject to cyber security threats as long as we use the internet. Hackers and cybercriminals live among us and, through the internet, can launch malicious attacks to gain access to our data, information and other personal details.

These can be anything from small-scale to very high-level attacks, and we need to be as secure as we can against them, both personally and professionally.

Why is it necessary to protect from cyber threats?

Protection against cyber threats is vital to us all. In our personal lives, if we’re attacked online cyber criminals can steal our information and in our business lives, these attacks can often cripple businesses.

Cyber threats can result in the theft of valuable and sensitive information and in data breaches, and can affect how we function, which is why we always need to be protected from them. The question is, what are the main security threats we need to be aware of in order to protect ourselves?

Top 5 network security threats

  1. Viruses

Most of us know what a computer virus is, and some of us may even have experienced one; for the everyday Internet user, the virus is the most common threat. So much so that statistics show that almost 33% of household computers are affected by some type of virus.

Viruses are forms of software that are designed to spread from one computer to another. They are often received by users in email attachments or download links that, once clicked on, infect your computer and then spread through the systems on your network. Viruses are known to have a range of impacts, including sending spam, disabling security settings, corrupting and stealing data from computers (including personal information such as passwords), and even going as far as deleting everything on a hard drive.

  2. Trojan Horse

This security threat is named after the Trojan Horse of ancient Greek history, as it refers to tricking someone into inviting an attacker into a protected area. In technology, this is a type of malware that infiltrates a user’s system disguised as a standard piece of software and then releases harmful code onto the user’s system.

Often spread through emails that may appear to be from someone you know, Trojan attacks contain clickable links or attachments that, once clicked, begin downloading malware onto your device. They also come in the form of false advertisements, and once inside your system they can retrieve your passwords, hijack your webcam and steal sensitive data.

  3. Spyware/Adware

Spyware and/or adware is designed to track your browsing habit data and based on your searches, show you advertisements and pop-ups.

However, there are differences between the two. Spyware is installed on your computer without your knowledge. It can contain keyloggers that record personal and sensitive information, making it dangerous because of the high risk of identity theft.

Adware, by contrast, collects data with your consent and is a legitimate source of income for companies that let users try their software for free, but with advertisements showing while they use the service. However, when adware is downloaded without consent, it is considered malicious.

  4. Phishing

Phishing attacks are delivered by email. The email tricks the recipient into disclosing personal information or downloading malware via a link, with the goal of obtaining sensitive data such as passwords, usernames or financial information.

Over time, these attacks have become more prominent and harder to spot, as they look like they come from very legitimate sources. Therefore, if the recipient doesn’t check in detail the address the email was sent from, looking for typos or bizarre addresses, as well as the content of the email itself, they may well fall victim to such an attack.
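The sender check described above, written out as an added example (not code from the WOT article): it parses the From header and flags addresses whose domain is a one- or two-character typo of a known brand domain, embeds that domain inside an unrelated one, or uses a display name claiming a brand the address does not belong to. The trusted-domain table, the function names and the sample headers are constructed for the example.

```python
"""Added example (not from the WOT article): flag a sender address that does
not belong to the brand it claims, using the checks the paragraph above
describes (typos and odd addresses).

Assumptions: TRUSTED_SENDERS and any From headers are constructed samples;
the function names are hypothetical.
"""
from email.utils import parseaddr

# Constructed sample of brands and the only domains they really send from.
TRUSTED_SENDERS = {
    "example-bank.test": "Example Bank",
    "example-pay.test": "Example Pay",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            current.append(min(previous[j] + 1,          # deletion
                               current[j - 1] + 1,       # insertion
                               previous[j - 1] + cost))  # substitution
        previous = current
    return previous[-1]


def sender_findings(from_header: str, trusted: dict = TRUSTED_SENDERS) -> list:
    """Return the reasons a From header looks suspicious (empty list if none)."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ["sender address could not be parsed"]
    domain = address.rsplit("@", 1)[1].lower()
    if domain in trusted:
        return []  # genuinely sent from the brand's own domain
    findings = []
    for real_domain, brand in trusted.items():
        # One or two character edits away from a real domain: a typo look-alike.
        if edit_distance(domain, real_domain) <= 2:
            findings.append(f"domain {domain} is a look-alike of {real_domain}")
        # The real domain appears as a label inside an unrelated domain.
        elif real_domain in domain:
            findings.append(f"domain {domain} embeds {real_domain} but is not it")
        # The display name claims the brand while the address lives elsewhere.
        if brand.lower() in display_name.lower():
            findings.append(f"display name claims {brand} but address is at {domain}")
    return findings
```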

  5. Malware

Malware attacks are designed to target networks or devices to corrupt or ‘take over’ specific systems.

Cybercriminals create harmful software that’s installed on someone else’s device without their knowledge to gain access to personal information or to damage the device, usually for financial gain.

Mobile ransomware attacks increased by a third in 2018 from the previous year. Most of those attacks occurred in the United States.

Online security tips

Making your online experience a safe one doesn’t take too much effort. The majority of these tips will help keep you and your privacy safe online and are pretty much common sense.

Tips for protecting your privacy

  1. Secure browsers

Most of us use browsers such as Chrome, Safari, Firefox or Microsoft Edge on a regular basis. Whilst these browsers are secure there are more ways to improve your security and further protect your privacy, without major changes to your browsing habits.

One idea is to make sure you clear out your cookie caches and browser history to prevent ad networks from collecting too much information about you. You can do this by going to ‘clear cache’ in your browser’s settings.

Additionally, when you visit a specific website, its address will begin with either HTTP or HTTPS. The latter uses a layer of encryption to enable secure communication between a browser and a server. While HTTPS is best used by default in general browsing, when it comes to online purchases it is crucial for protecting your payment details from eavesdropping and theft.

  2. Use complex passwords

We can’t help but keep repeating this because it really is that important. Use complex passwords, every single time as it’s the first line of defense you have in securing your online accounts.

Passwords such as ‘123456’ are so easily targeted and even with this in mind, researchers found that this is still 1 in every 7 passwords. We understand that such passwords are much easier to remember however, there are now so many tools to help you create and store complex passwords that will keep you more secure – that there really is no excuse.

Password managers are specialized pieces of software used to record your credentials securely so that you have easy access to your online accounts without the need of remembering passwords, as these systems keep everything in one place, accessed through one master password, and use security measures such as encryption to prevent exposure.

  3. Enable two factor authentication

Two-factor authentication (2FA) is now used by many websites and online services. It adds an extra layer of security to your accounts and services after you have submitted a password.

The most common methods are via an SMS message, a biometric marker such as a fingerprint, a PIN or a pattern. Using 2FA does add an extra step to accessing your accounts and data, but it will keep your privacy secure.

  4. Safeguard your mobile devices

Our mobile devices can act as a secondary means of protection for our online accounts through two factor authentication, but these endpoints can also be the weak link that completely breaks down your privacy and security.

If you use Android devices, their open source nature has opened the gates for hackers to search for vulnerabilities in the code. While iOS systems are considered more secure, they have also been known to have security flaws on occasion.

To make sure your privacy is safe on your mobile device, the first and easiest way to do this is to accept security updates that come through to them. These patches resolve new bugs and flaws, as well as provide performance fixes, which will help keep your device from being exploited by cybercriminals.

Additionally, although it sounds simple, many of us still don’t do it – lock your phone. This will help to prevent any physical compromises too.

  5. Connect securely

As we mentioned earlier in this article, home WiFi networks can be a bit risky. Public WiFi networks, while convenient, may pose a privacy and security risk if you choose to use one while away from home.

Why? It’s simple. As you don’t need any form of authentication to access them, neither do cybercriminals, which in turn gives them the opportunity to perform what is known as Man-in-the-Middle (MiTM) attacks. These attacks enable cybercriminals to eavesdrop on your online activity and steal your information as well as send you to malicious websites.

Additionally, cybercriminals may be able to access the information you are sending through the WiFi network, including emails, financial information, and account credentials.

While it’s best not to use a public, unsecured WiFi connection at all, sometimes we need to. With WOT you can check the security of a network before you connect to it, for better peace of mind.

How to protect your online security

Online security is a huge problem for us all. As we’ve made clear – making sure you are protected isn’t a want, it’s a need. Make sure you take into account all the tips and information provided within this article to keep your security online in place.

The final tips we have for you to protect your online security are:

  1. Back up important data

A backup is a copy of your digital files. A backup can protect you from losing your data and other important information you want to keep from digital devices should anything happen to them.

There are two types of backup:

  • Sync (or cloud) services backup individual files and do not include applications or programs. Google Drive and Box are examples of a sync service.
  • Traditional backups allow for a full system restore, including all programs, applications, settings, and files. Setting up an external hard drive with a backup program will back up your apps and data files, and enable a full system restore should you need it.

  2. Don’t leave devices unattended

All this talk about online and digital matters may make us forget that the physical security of our devices is just as important as their technical security. Therefore, if you need to leave your mobile device or laptop somewhere out of sight for a period of time, make sure it is locked with a password or pattern so that nobody can gain access to it.

Likewise, when using a desktop computer, make sure your screen is locked or shut down when not in use or when you finish your work.

  3. Careful what you click

Given all the security issues that come with using the internet, make sure you avoid visiting and browsing unknown websites or downloading software from sources that you cannot fully trust. These types of websites often host malware that will automatically install (often silently) and compromise your computer. If attachments or links in an email are unexpected or suspicious for any reason, don’t click on them.

Now that you have all the web security information you need, make sure that you stay safe while using the world wide web by implementing the tips provided, and with WOT. Join the millions of people around the world who make up the WOT community and help make the web a safer place!
