Website Security In 2021
Prior to the COVID-19 pandemic, there was a colossal rise in the number, size, and sophistication of ransomware attacks of 147 percent. With the demand for ransomware payments increasing at an alarming rate as the world moves swiftly through 2021, 2020 has been the best year yet for hackers.
As many as 30,000 to 50,000 websites get hacked every single day. It is also reported that fifty-six percent of all internet traffic traces back to automated sources such as hacking tools, scrapers, spammers, impersonators, and bots. Most institutions don’t even realize that they’ve been hacked or compromised until after the damage has been done. The worst part is that libraries are amongst the top-targeted institutions in the world because their resources to invest in cyber protection are limited. Protect your library from hackers by reading background information on the history of security, common site vulnerabilities, key tactics you can enforce, as well as ways that LocalHop can keep your sensitive information protected and hacker proof.
What Is Website Security?
The formal definition of website security is the act or practice of protecting websites from unauthorized access, use, modification, destruction, or disruption. It includes any action or application taken to ensure website data is not exposed to cybercriminals, or any steps taken to prevent exploitation of websites in any way. So, why is it so important? Mainly, web security is needed to keep hackers and cyber-thieves from accessing sensitive information of both a personal and organizational nature. Without a protective strategy, businesses risk the spread and escalation of malware, attacks on other websites, other networks, and other IT infrastructures.
After speaking with some of our team members, Cynerge Consulting‘s Chief Technology Officer, Mike Laney, stressed the importance of having solid website security, particularly with libraries. “Unfortunately, [hacks] happen every day all across the world, and libraries are typically one of the most targeted organizations for hackers and website security threats simply because they don’t have the IT experience.” He went on to discuss the necessity of updated systems, and how current systems could be the difference between safe software and permanent hacks.
“There’s been a history of large fortune 500 companies that were running old versions of Windows SQL servers 2008 where they lost billions of dollars because hackers got in due to how outdated everything was.” The result? Devastation. “Windows didn’t even support the 2008 SQL server anymore, so hackers got in and they put ransomware into the system. What this means is that you literally can’t do anything on any of the computers that were connected to any of those servers without paying the ransom.”
Hackers not only target your customers and clients, but they also cause a loss of favorable reputation and potential drops in revenue for businesses. Websites and companies that have digital facets can also be blacklisted, driving any potential customers or clients away from your business. The bottom line is this: for many companies, it isn’t until after a security breach has occured that website security becomes top priority, and the damage has already been done. The good news, on the other hand, is that by being proactive, consistent, and using effective tactics that work, your library can be as secure as Fort Knox!
Who Uses Website Security?
The simple (but accurate) answer to this question is: EVERYONE. If your business or organization has any sort of online presence or digital platform or software, then absolutely you should be maintaining website security. Owning a website comes with responsibilities and obligations, so don’t let your system become a victim to vulnerability! While there are ways that institutions can organically protect themselves from any sort of cyberattack, it is highly recommended that a professional do it for you. This is why LocalHop is here to help! But first, let’s check out a bit of historical context.
A Historic Timeline of Website Security: Worms, Hacktivists, Information Leaks, Oh My!
While technology has developed significantly and taken off in the past decade, cybersecurity history actually dates all the way back to the seventies, before most people even had a computer (retro, right?). Specifically, in 1971 it all began with an experiment involving researcher Bob Thomas. He created a program that has been widely referred to as the very first computer worm, more commonly known as a virus. Bouncing between computers, the worm would display a message on any infected screen that would read, “I’m the creeper: catch me if you can.” Of course, this worm was not malicious in any way as it was created for research purposes, but at the time, it was groundbreaking. Creepy, but groundbreaking.
It wasn’t until 1988 that Robert Morris created a different worm that slowed the internet down drastically and resulted in the first DoS attack in history. Ironically, the Morris Worm wasn’t made to cause actual damage, but rather to highlight security flaws and vulnerabilities such as Unix sendmail and weak passwords. However, the coding that was associated with the Morris Worm made it replicate excessively, causing over ten million dollars worth of damages.
Unfortunately for us, the malicious software didn’t end there. Just one year after the Morris Worm ran rampant across computers everywhere, Joseph Popp created the first ever ransomware attack called the AIDS Trojan. By inserting a floppy disk to a hard drive, Popp’s goal was to extort money from anyone who came into contact with the program. Thankfully, the AIDS Trojan was of poor design, and could be removed from programs quite easily.
As a result of Morris and Popp’s attacks, the United Kingdom passed one of the first ever pieces of legislation in history revolving around cybersecurity called The Computer Misuse Act. Established in 1990, this legislation effectively made any sort of unauthorized attempts to access computer software illegal. Over the years, the UK Parliament has amended the law to modernize and keep the legislation relevant. SImilarly, following the UK’s lead, President Geroge W. Bush filed a bill in 2002 which forged the Department of Homeland Security. This cabinet-level office now specifically handles IT infrastructure and includes a separate facet dedicated to cybersecurity.
In 2003, the hacktivist group called Anonymous became recognized around the world for various cyber attacks against several global governments and organizations. Known then as the most iconic hacking group in the world, Anonymous they most certainly put IT infrastructure and cybersecurity to the test.
Years later in 2016, one of the most notorious data leaks in the world’s history came to be known as the Wikileaks scandal. Wikileaks published confidential documents from the 2016 National Committee email leak. The culprits responsible for this leak were Russian intelligence agency hackers, which ended up vastly affecting how American citizens perceived the 2016 national election. Cybersecurity thus became a turbulent and ever-present concern throughout the world, but cyber attacks continued to follow close behind.
What We've Learned
The year 2018 is now reputed to include some of the most reputable for some of the largest and most culturally high-profile attacks in history, teaching both federal agencies and private entities who use technology quite a bit. For example, we learn from the Marriott Hotel chain incident that security breaches can be silent for years until someone takes notice; we have learned from Dunkin’ that personal information is everyone’s business; and we have also learned from Facebook that social media is selling our data, and will continue to do so.
Since the 1970s, cyber security threats as well as Artificial Intelligence (AI) have come a long way, which may be a double-edged sword. While website development tactics and security methods have strengthened significantly, hacktivists and malicious software have also become much more sophisticated. Malware, ransomware, phishing scams, and crypto-mining malware alone are predicted to result in global losses of up to one trillion dollars per year. With the world quickly transitioning to an immersive digital reality, cybercriminals and their malicious software are relentlessly seeking to take advantage of institutions of all kinds, including libraries. Cybercriminals are crafty, swift, and diligent, which means your software should be too. Luckily, Mike gave us some great advice when thinking about website security, tactics to keep in mind, and questions you should be asking yourself in regard to keeping your platforms (and patrons) secure.
Before we get to that, though, the Open Web Application Security Project, otherwise known as OWASP, has developed a top ten list of the most common website vulnerabilities for institutions such as libraries and other organizations, which we have included below. If you aren’t familiar with OWASP, it is a nonprofit foundation that works diligently to improve the security of software for users worldwide. OWASP is used as a resource for developers and technologists (like LocalHop!) to secure the web.
Common Website Security Vulnerabilities
When it comes to common website vulnerabilities, Developers’ Gergely Kalman lists ten of the most common website vulnerabilities that digital facets face, according to the Open Web Application Security Project (OWASP):
1. Injection Flaws
- What is it: Injection flaws constitute a common security vulnerability which allows a user to gain access to your backend database, shell command, or operating system if the web takes user input. When this occurs, the hacker can easily modify information within these input boxes as well as create, read, update, or permanently erase data from your system.
- How it happens: If any unfiltered data has been passed to the SQL (Structured Query Language) server, which then goes to the browser (XSS) and passes through to the LDAP (Lightweight Directory Access Protocol) server, the hacker can inject commands and coding to these facets. The end result? Loss of data and the hijacking of clients’ browsers.
- How to prevent: Any time your application receives anything from untrusted or unsecured sources, they must be filtered. Refrain from using a backlist and filter your input properly by relying on your framework’s filtering functions.
2. Broken Authentication
- What is it: Broken Authentication refers to hackers’ ability to compromise passwords, keys, user account information, or other sensitive details that can be used to assume user identities.
- How it happens: Unfortunately, broken authentication happens quite easily. It can be due to poor design and implementation of identity and access control systems. It can also result from missing or ineffective multi-factor authentication, even if user sessions aren’t properly validated after a logout or during a period of inactivity. All these (and more) are enough to allow a hacker to get in, do irreversible damage, and get out without leaving a trace.
- How to prevent: The main thing to consider is to always use a framework or have experts build your system for you rather than implementing it yourself. Wherever possible, add in multi-factor authentication to prevent automated, credential stuffing, brute force, and stolen credential reuse hacks. Refrain from deploying any sort of default credentials, and take advantage of weak password checks! These alone can be the difference between security and crippling vulnerability.
3. Cross Site Scripting (XSS)
- What is it: Cross Site Scripting (otherwise known as XSS), is a client–side code injection attack. It means that the hacker plans on inserting malicious scripting into your web browser by including malicious code into a legitimate web page or app.
- How it happens: Once the user (in this case, victim), visits the infected web page or application, the code the hacker implemented into the site becomes active, thus delivering the malicious code to the user’s browser. Common platforms for XSS attacks include forums, message boards, and web pages that allow comments.
- How to prevent: The easiest thing to do in order to avoid Cross Site Scripting is to refrain from returning any HTML (Hypertext Markup Language) tags to your clients or others who use your online systems. This not only will defend against HTML injection, but will protect your initial coding as well, so hackers cannot modify the markup language.
4. Insecure Direct Object References
- What is it: A direct object reference means that an internal body such as a database key or file is exposed to the user. Without an access control check or other protective methods, attackers can easily manipulate these exposures and access unauthorized data.
- How it happens: This particular vulnerability can occur when a name or key of an object is used during the development process of a web page. For example, if an authorized user tries to access information not intended for that user (such as a database record, specific file, or URL), an insecure direct object reference flaw can occur if the application fails to verify the user’s access to that specific object.
- How to prevent: Each location where a user can supply input and which points to reference objects, needs to be tested. Perform user authorization properly and routinely. More often than not, the entire problem can usually be avoided by storing data internally instead of passing information from the client via CGI (Common Gateway Interface) parameters.
5. Security Misconfiguration
- What is it: Coming in as number five on the list, security misconfiguration is the failure to successfully implement all security controls for a server or application, or doing so with errors. This ultimately leaves your library open to risks.
- How it happens: Security misconfiguration is actually very common, and without the right level of visibility, this particular vulnerability can be really dangerous for libraries and other institutions. Some examples of risks include:
- Unnecessary administration ports that are open for an application.
- Having outbound connections to various internet services reveals unwanted behavior of the application in a critical environment, so try to avoid this as much as possible!
- How to prevent: Have a solid, preferably automated, “build and deploy” process, which essentially prevents your coding from going out with default passwords! Visibility will also be your new bestie. Learning the behavior of your applications is crucial, and this can be done by having a real-time map of your entire digital ecosystem (your communication, flow paths across your data center environment, etc.). Visibility will not only help you learn more about your application behaviors, but it will help you to be able to identify potential misconfigurations at first glance.
6. Sensitive Data Exposure
- What is it: Sensitive data exposure can happen when an application, company, or other entity accidentally reveals personal data to which a hacker can gain access. If you aren’t adequately protecting a database where personal information is stored, then sensitive data exposure is bound to happen to your library!
- How it happens: Sensitive data exposure may be a result of a plethora of things, such as: weak encryption, no encryption at all, software flaws, or accidental uploads of information onto the wrong database. Data exposure can be traced back to how a company handles certain information that is sensitive, and it can be identified by understanding whether websites use SSL (Secure Sockets Layer), or whether they have HTTPS (Hypertext Transfer Protocol Secure) security on the web pages that store their information. If your website is lacking on this end, your data is at risk of being exposed. Additionally, if you store your data in a database that is subjected to potential SQL injection, or has weak cryptographic algorithms or keys, and you fail to implement hashed and saltword practices, it will be easier for a hacker to get into your site and steal your information.
- How to prevent: Always use HTTPS with a proper certificate and PFS (Perfect Forward Secrecy). This will definitely keep your information more secure and less vulnerable to potential threats. You can also lower exposure when it comes to storage. If you don’t absolutely need sensitive data in your system, shred it. Try to avoid storing credit card information or anything else that could be traced back to personal banking accounts. In fact, some institutions use payment processors such as Stripe or Braintree, both of which completely eliminate the possibility of hackers gaining access.
7. Missing Function-Level Access Control
- What is it: All this means is that server authorization failed because access was not requested properly.
- How to prevent: The way to rectify this is simple: always make sure your authorization is set up correctly and is maintained, otherwise, serious problems could occur.
8. Cross Site Request Forgery (CSRF)
- What is it: CSRF is a malicious attack that ensues when an ill-intentioned website, email, blog, instant message, or program causes a user’s web browser to perform forced actions on a trusted site once the user (victim) is authenticated.
- How it happens: A CSRF attack happens because browser requests are automatically required to include all cookies, including session cookies. What this means is that if the user (victim) is authenticated to the site, then the site cannot distinguish between legitimate requests and forged (hacked) requests. To put it plainly, if a CSRF attacker succeeds in getting onto a web browser either through your platform or through a user that is supposed to be there, the hacker can do anything desired because the site recognizes the hacker as an authenticated user. A CSRF attack can allow the hacker to transfer funds, change passcodes, and make purchases with the authenticated user’s credentials.
- How to prevent: While there are a lot of ways you can defend yourself and your library’s technology, the main thing is to ensure your framework has built-in CSRF protection. This validates any requests that cause site actions on the backend, which makes it very difficult for a hacker to even attempt CSRF. Lastly, any sort of Cross-Site Scripting (XSS), can be used to defend against all CSRF mitigation capabilities. Not sure what this means? Check out OWASP’S XSS Prevention Cheat Sheet for some additional guidance.
9. Using Components with Known Vulnerabilities
- What is it: According to security services provider Siemba, new cyber vulnerabilities are emerging each day, particularly when software dependencies from libraries and frameworks (which are previously known to be vulnerable from unpatched software fixes) are not implemented in time. Let us explain.
- How it happens: Libraries and frameworks used within an application are executed with full privileges most of the time. Because of this, hackers can easily make use of automated scan tools or perform a manual analysis of the application to search for flaws and exploit that vulnerability. Ransomware attackers can also use fingerprinting methods such as checking for known HTML elements, triggering eros, and employing forced browsing to find the dependencies. Using components with known vulnerabilities can bring a large risk to your library because of how easy they are to exploit. If hackers can locate the vulnerable components that a specific application is using, they can be exploited with ease. This methodology is already on the internet, so hackers only have to make use of it in order to cause a significant compromise to your data. Unfortunately, these vulnerabilities can be easily missed by the application security defence, and they also act as pivoting points to enable other potential attacks. For example, hackers can manipulate a web service using full permissions but without authorization, while focusing on vulnerable components such as SQL injection, XSS, and broken access control.
- How to prevent: The main reason this happens is most development teams fail to ensure these components and library sites are up to date. So, here is a list of preventative measures you can take to avoid using components with known vulnerabilities.
- Know your application and prepare adequate documentation of all OS, web server, library, and network components, including current versions used by the application, to ensure the app is well maintained.
- Implement regular monitoring and security assessments testing.
- Perform periodic vulnerability assessments to confirm the security of your application(s).
- Deploy a web application firewall for providing a defensive posture.
10. Unvalidated Redirects and Forwards
- What: Unvalidated redirects and forwards are the direct result of a web application’s accepting of an untrustworthy input which, in turn, causes the app to redirect the request to a URL containing malicious input. Basically, when an unsecure URL is modified and directly input to a malicious site, an attacker can successfully launch a phishing scam and steal the user’s credentials.
- How does this happen: The server name in these modified links are identical to the original site that is the victim of the cyber-attack, so phishing attempts provide a much more trustworthy appearance. If a redirect and forward isn’t validated, a hacker can also craft a URL that would pass the application’s access control check (because it looks identical to the authorized site/user), which would then give hackers privileged functionality to which they normally wouldn’t be able to access.
- How to prevent: One way to completely avoid this vulnerability is to not use redirects and forwards altogether. But, if you or your library does use redirects and forwards, do not allow the URL as user input for the destination. Wherever possible, input an access point in which the user has to provide a short name, ID, or token which is mapped server-side to a full target URL. This provides the highest possible degree of protection against any hacker or cyber-attack that is tampering with your URL. In the event user input cannot be avoided, ensure the supplied value is valid, meant for the application, and authorized for the user. You can also create a list of trusted URLs, as well as force all redirects through a page notifying users that they are leaving your site first, in which they can click a link to confirm the new destination which would be clearly displayed.
Seven Major Threats to be Aware of As Companies Move Forward Into 2021
It’s very clear that the progressive advancement of technology and the widespread use of digital media is making hackers smarter by the minute. In addition, 2020 brought an entirely different ball game of cyberthreats to light. The Computer Society published a report by Threat Horizon, which reveals three key themes interwoven with these new cyber threats:
- Disruption: Over-dependence of fragile connectivity will increase the risk of premeditated internet outages that compromise business operations. Cybercriminals will use ransomware to hijack the Internet of Things.
- Distortion: Spread of misinformation by bots and automated sources will compromise trust in the integrity of information.
- Deterioration: Rapid advances in smart technologies and conflicting demands posed by evolving national security policies will negatively affect an enterprise’s ability to control information.
The Computer Society also points out that cybersecurity is all about staying ahead of problems before they even arise, a concept with which we completely agree. In addition to OWASP’s list, we have included the Computer Society’s list of top seven security threats many organizations have faced in 2020, and will continue to face as we move through 2021:
1. Cloud Vulnerability
According to the Oracle and the KPMG Cloud Threat Report of 2019, cloud vulnerability is one of the biggest web threats that many organizations face. The main reason for this is companies using cloud applications as their primary data storage space for their employees and business operations. While the cloud concept is great, it’s also creating new data security challenges and intensifying worsening current issues. Forbes magazine had predicted that eighty-three percent of enterprise workload would be stored on the cloud by 2020. In fact, as we approach the end of June 2021, that percentage already has climbed to ninety-two percent. Data breaches, misconfiguration, hijacking, malicious malware, and DoS attacks are amongst the top cloud security threats that will not slow down, so caution is paramount.
2. AI-Enhanced Cyberthreats
AI (Artificial Intelligence) and machine learning have completely upturned every industry outlet, inserting itself into the mainstream business of cybersecurity issues. But, positive growth also bears negative consequences. AI is proving to be useful for hackers as well. With this more advanced technology comes much more sophisticated cyber attacks in the form of complex and adaptive malicious software. This is why AI Fuzzing (AIF) and machine learning (ML) poisoning are all deemed to contribute to the next prominent set of cyber threats worldwide.
3. AI Fuzzing
As mentioned above, AI fuzzing uses machine learning and similar techniques to find vulnerabilities in an application or system. While this is great for businesses and organizations in detecting and fixing exploitable vulnerabilities within their systems, it can also be used by hackers to start, automate, and accelerate zero-day attacks.
4. Machine Learning Poisoning
If a hacker targets a machine learning model and injects malicious software into it, the system becomes incredibly vulnerable to attacks. Machine learning models normally use data that is crowd-sourced or taken from social media, and exploit user-generated information such as satisfaction ratings, purchasing histories, or web traffic. Hackers involved with MI poisoning can deploy malicious software and even introduce backdoors to enable the poison training sets all of which ultimately compromise businesses’ IT systems and the sensitive information they contain.
5. Smart Contract Hacking
Despite being a newer piece of software, businesses and organizations are still using smart contract hacking to execute some form of digital asset exchange. Essentially, smart contracts are software programs that self-execute their own coding. Wild, right? This self-executed code then enables developers to create the rules and guidelines that construct blockchain-based applications. Unfortunately, smart contracts are a primary target of cyber hackers. Furthermore, because smart contracts are a relatively recent development and, therefore, not yet fully secured, it’s easy for hackers to access them and propagate malicious activity.
6. Social Engineering Attacks
Social engineering attacks can be compared to phishing attacks that trick users into giving up sensitive information. This includes, among other items, login credentials and credit card information. Despite most organizations’ efforts to enhance email security for blocking these attacks, cybercriminals are figuring out ways to cheat the system with sophisticated phishing kits that assist in creating data breaches, and perpetrating financial fraud.
We must hand it to hackers: when done well, phishing scams are an effective, high-reward, and minimal-investment strategy to gain access to sensitive credentials. This is precisely why social engineering attacks are such a threat moving into 2021.
No, you haven’t been punk’d— you’ve been deepfaked! This term was first coined in 2017 by Reddit users and is used in reference to a fake video or audio recording used by cyber criminals for malicious purposes. For example, amateur hackers and more sophisticated cyber groups have created deepfakes by swapping people’s faces in videos, as well as altering their audio track. This AI-based technology steadily has made improvements because algorithms are now better able to process data, and as technology further matures, cybercriminals can be expected to use it to foster chaos and malevolent enterprise. While this article is geared towards our library folks and other local organizations, it’s important to note the severity of deepfaked damage, particularly with large businesses.
These fake videos can be used to impersonate CEO’s, steal millions from enterprises, spread horrible and fake information, interrupt business operations, and cause mass hysteria, if done correctly. In the coming years, deepfakes will evolve into one of the most sophisticated and convincing methods of malicious forgery the world has ever seen, which is why it is a huge cybersecurity threat that all organizations must take steps to prevent.
Check out these deepfakes videos that look eerily real.
Full Testimonial from Chief Technology Officer Mike Laney: LocalHop Has You Covered
Who better to ask about website security and site development than our very own CTO? Mike has been with LocalHop’s parent company, Cynerge, since 2017, and has identified two schools of thought when it comes to website security. What he refers to as the older school of thought, is manually checking for updates that could have vulnerabilities in packages that libraries and other organizations are using. These packages can include everything from database layer to your PHP to java, anything in which an objection response can be received. “If it’s not the current version, if it’s not updated, there is more than likely going to be a vulnerability for hackers to latch on to.” So, how does LocalHop do things? Don’t worry, Mike gave us the rundown.
“LocalHop does automated testing for just about everything, and when we start writing our code we use test-driven development. What this means is as we write our first line of code, it’s not code that will actually do anything active.” At first I wasn’t sure what Mike meant, but he immediately continued with his process analysis. “This code that I’m referring to is actually a test; and the goal for this test is to fail right out of the gate. This way, we then know how to create the code around the test to get it to pass successfully.” Using Amazon as an example, Mike delved into testing a bit further. “With a simple website such as Amazon, let’s say a developer creates a test with the idea in mind that they expect the header to say Amazon. If the developer hasn’t written that header yet, the code will fail the test until the header is created.”
Mike also told me that the team may have up to one thousand different tests per website, and what that does from a code standpoint is it allows everyone working on that particular project to run those automated tests. “If a member of the team changes something that I may not be aware of, and it ultimately affects a piece of my code, it will fail the test and that team member will then realize that it will affect other aspects of my coding. That’s how it all starts.” Automated testing comes in a variety of testing tools. According to Mike, they only use tools that have been vetted by government standards. “[LocalHop] uses Sonarqube, which looks for vulnerabilities within every package of the project we are working on. For example, if we are building a node application, Sonarqube would check all of the node packages to ensure that nothing is outdated or flagged.” Another tool Mike mentioned is Snyk, which has the same functionality as Sonarqube, but with a bit more efficiency in regard to reporting issues.
“Containers are also great for transferring code from my machine to AWS (Amazon Web Services) or Google Cloud or to a physical data center somewhere. Containers can go anywhere and they’ll always be the same.” Mike also mentioned that the team always scans the containers they use to make sure there are no vulnerabilities. “If I have a base container running PHP seven-dot-one, right, it may have a vulnerability and we’re now up to seven-dot-one-dot-four.” For those of you, myself included, who have no idea what this means, it’s IT-talk for values that are used and will ultimately yield another value so that the code construction becomes an expression. Programming jargon is fun, folks. Running a container for PHP will tell Mike as soon as he tries to push the code that there is a vulnerability, and therefore the code will not be deployed. As a result, the container stops the code in the pipeline and Mike or another team member will have to update the code in order to avoid the spotted vulnerability.
LocalHop is also conducting diligent testing to make sure our services and platforms are Section 508 compliant. In our most recent blog post, LocalHop goes into detail on the ins and outs of 508 compliance; but to refresh, 508 was enacted in 2017 to ensure that all ICT (Information and Communication Technology) that is used in Federal establishments such as libraries must be developed, procured, maintained, and easily accessible to employees and individuals with disabilities. Mike stressed that it’s essential for individuals with disabilities to still be able to navigate the web in a way that’s familiar and accessible to them. “What 508 testing does is that it makes sure LocalHop has built websites for clients in a way that is easily navigated and user-friendly for all patrons.” Essentially, the testing will simulate a user, for example, that is legally blind (LocalHop uses multiple forms of these tests). The test will portray this individual using the tabs to navigate the site, and it will read what the screen is saying aloud.
Last, but certainly not least, Mike discussed the last big form of testing, which is called unit testing. “It checks every single piece of code that we have written by simulating a web user.” Back to his initial Amazon example, Mike says that this testing could mimic users adding something to their carts, as well as different payment methods, shipping methods, etc. will be tested to ensure that there are no hiccups in the program. Only after all of these tests are passed (Sonarqube, Snyk, Paly for 508 testing, unit testing, end-to-end testing) can the application then be deployed in real time.
The end result? Eliminating all possible vulnerabilities and mitigating any risks that could be a threat to your website. Consistently with LocalHop’s diligence, Mike also touched on what happens when vulnerabilities are caught on the back end rather than the front (which is common with serious hacks). “If there is somehow a vulnerability that wasn’t caught, we have all of these built in tests which allows us to just change two digits of code and re-deploy it. Then, the entire suite of tests will be run again to make sure that the risk in question has been eliminated.” With LocalHop’s testing and software, your library could have a vulnerability patch within fifteen minutes as opposed to running manual tests and finding a vulnerability after an issue already has occurred.
Common Vulnerabilities with Mike Laney and How They Can Be Prevented with LocalHop's Services
After reading through this list, I asked Mike (in his opinion), what he thought some of the most frequently seen or common web vulnerabilities were, and how they easily could be avoided with proper website security. He immediately replied that failure to update packages is the biggest vulnerability. “As technology changes, and with the way these packages are all built, they are so intertwined with each other that scanning is absolutely necessary.”
Mike went on to give an example. “Let’s say I want to build something simple such as a calendar date picker, and there’s a node package for that, right? I can go out and grab that to put into the site and use it. But, that node date picker may have fifteen, sixteen or even twenty different dependencies, so it has all of these other items that people have created which are plugged into this to make it work. Then you plug it into your site.” Sounds pretty self-explanatory, right? Well, there’s a catch. “If you’re not scanning these packages, then all twenty of those dependencies could have vulnerabilities.”
As we discussed earlier in this post, vulnerabilities are what make hackers’ jobs easy. Lucky for us, Mike had some great advice about scanning these packages and how LocalHop can help. “A lot of people don’t scan for vulnerabilities, or [if they do], they only scan once or twice every few months, when in reality scans should be run hourly. If you’re using some of these bigger packages, such as items that have a lot of open source support and are frequently updated, that’s where libraries will get those quick fixes every hour or every ten minutes or every week.” Bouncing off this topic, I asked Mike if it was possible to automatically set scans to run every so often, and if so, is it easy to do for librarians that aren’t so technologically inclined? The short answer? Absolutely.
LocalHop’s process is one of the most efficient, and Mike dove right in.
“Usually what we do is everytime there is a change in the code, a scan happens. We also set things up to where you could have a scan at eight in the morning and another scan around midnight. For folks that don’t have the technical resources, know-how, or they themselves aren’t building the application, LocalHop will add their names to our email list and scan things for them. The email would then go out and say something along the lines of ‘hey, there were two vulnerable packages just found in your eight AM scan,’ and then they’ll get another email when the code is re-deployed with no vulnerable packages found because at that point we will have gone in and fixed those vulnerabilities.”
Treading back to Mike’s opinion on the most common vulnerabilities, Mike stresses the importance of fixing those vulnerable packages. “Most of the big website security concerns for me are those vulnerable packages. I’m not saying that you’ll be in a situation where you receive a vulnerable message at eight AM and by noon, you know, your building’s on fire. That’s definitely not the case, but most IT departments that are in the old method of thinking will be running packages that are eight or nine or even ten years out-of-date, whereas LocalHop will keep you updated, revolutionary, and accessible.”
I then asked Mike the following question: so, for example, if we are talking about a local library that may not have the IT or experience, what would you suggest when they are considering website security and building a website? He responded immediately. “Libraries need to understand how to learn about scanning packages. If it’s something that LocalHop is building for them, then they don’t need to worry, but if it’s being built themselves, there are a wealth of resources out there. It really depends on how they are building their website, whether it’s Wix, WordPress, or testing PHP, etc. That’s really the main question: how do we protect ourselves?” Most companies usually have a free software-scanning suite that is built right into Google Chrome. The suite includes an audit feature that can give libraries something to work with if they are developing security on their own.
Another question Mike brought up which libraries should consider, is what happens if you get hacked and now your website is being held hostage by Russian or Chinese malware? What do you do then? “If you have something built with LocalHop this would never happen because we are continuously doing backups, scans, and security tests around the clock, so within ten minutes your website is restored right back to where it was before a problem arose. However, if it’s not something LocalHop has built and they are doing it on their own, then I would suggest either manually creating a backup at least one per week, or figure out a way to automate a process which backs up your site every night at midnight or during the day. Having backups is essential.”
Other Questions, Key Elements, and Fundamentals to Protect Your Information
In addition to Mike’s words of wisdom, the International Federation of Library Associations and Institutions (IFLA) blogpost on Awareness, Planning, Resilience: Thoughts on Libraries’ Cyber Defense in 2020 is worth the read. IFLA explains that the first step to boost a library’s cyber defenses is to take stock of your assets and digital systems. Once you obtain your assets, consider their vulnerabilities, risks, and priorities. Questions that you should be asking yourself are as follows:
- What do you want to protect?
- Who do you want to protect it from?
- How likely is it that you will need to protect it?
- How bad are the consequences if you fail?
- How much trouble are you willing to go through in order to try and prevent bad things from happening?
As Mike mentioned, if you don’t have experts such as LocalHop developing your sites for you, or if you simply want to try your hand at protecting your library, we’ve developed a list of key elements to consider when you’re creating cybersecurity. This list is based off of the Cyber Security Toolkit for Boards, which was developed by the UK National Cyber Security Center:
- Network security
- User awareness and education
- Malware defense and prevention
- Access to removable media
- Maintaining the secure configuration of all systems
- Managing and limiting user privileges
- Incident management
- Home and mobile working policy and security
*Note that an in depth explanation of these concepts can be found by reading the Cyber Security Toolkit for Boards*
Another Section, Another List
Okay, I know that this article has given you enough information and large tech words to last a lifetime, but if you’re planning on developing a security system on your own, LocalHop has developed a list of steps that you can take. Based on Mike’s testimonial, our advice, and the input from other reputable sources, here is a summarized list that your library can use to protect itself from website attacks:
1. Secure Domain Systems
Some simple ways to secure any of your domain systems are to change all of your default passwords that may have been created by your domain registrar. Default credentials are never secure and are readily available on the web. By having strong and original passwords, multi-factor authentication, and transparency logs, you can easily prevent cyber attacks.
2. Secure User Accounts
As mentioned above, something as simple as changing default usernames and passwords can help keep your accounts secure. Combine that with multi-factor authentication and you’ll be in good shape!
3. Continuously Scan for Vulnerabilities
We’ve discussed this concept thoroughly throughout this article, so we won’t bore you with additional details. But, be sure to enable automatic updates whenever possible and scan, scan, scan!
4. Secure Data In Transit
The main way to secure any sort of data that is being transmitted is to immediately disable the Hypertext Transfer protocol (HTTP), and enforce Hypertext Transfer Protocol Secure (HTTPS) instead. HTTP can easily be mimicked by malicious software, so it’s best to avoid that all together.
5. Backup Everything
By employing a backup solution that automatically and regularly backs up, critical data and system configurations will keep all your sensitive information safe. If possible, also keep your backup media in a safe and physically remote location.
6. Secure Web Applications
In addition to referring back to OWASP’s top-ten list to familiarize yourself with the most critical web application security risks, enable logging and regularly audit your website logs to look for security events and improper access. And, as usual, implement multi-factor authentication for your library’s web applications, user logins, and for the underlying website infrastructure, to eliminate possible malicious activity.
7. Secure Web Servers
One of the main things you can do to secure your web servers is to use security checklists for auditing and hardening configurations specific to each application in your system (Apache, MySQL, etc.). Implement network segmentation and segregation to make it more difficult for hackers to move through your connected networks, and most importantly, know where your assets are so you can protect them. Remove unnecessary data from your web server to protect it from public access and limit your network traffic!
8. Sanitize All User Input
Input sanitization is a web security measure that checks, cleans, and filters data input from users, API’s, and web services of any unwanted characters and strings. This measure ultimately prevents the injection of malicious codes into your system, and is critical when such codes are imported into scripts or structured query language statements.
9. Increase Resource Availability
By configuring your website caching to optimize your resource availability, it will increase your library’s chances of withstanding unexpected high amounts of traffic during DoS (Disk Operating System) attacks.
10. Implement Cross-Site Scripting (XSS) and Cross-Site Request Forgery (XSRF)
We talked about both Cross-Site Scripting and CSRF previously in the top ten website vulnerabilities list, but we cannot stress this enough! Protect your website systems and your website visitors by implementing strong SXX and XSRF protections. In the words of Shia LaBeouf, “just do it.”
11. Implement a Content Security Policy (CSP)
If your library or local organization has a website or any sort of digital platform, please consider implementing a Content Security Policy (CSP). A CSP is a mechanism that web developers use to increase the security of a website by instructing browsers to load only resources from vetted trusted domains to enforce secure HTTPS connections, and to report policy violations that may occur. This prevents or lessens the chances of an attacker successfully loading and injecting malicious software on the end user machine, all of which potentially can lead to massive data leaks, website vandalism, and malware distribution. Yikes.
12. Audit Third-Party Codes
Third Party Codes can be considered any sort of ad, analytics services, or other elements that derive from a domain that is different from the domain of your library’s URL. Use these third party services to validate that no unexpected code is being delivered to the end user.
13. Implement Additional Security Measures
If you can, do it! Some additional preventative measures include running static and dynamic security scans against your website code, deploying web application firewalls, leveraging content delivery networks to protect your library from malicious malware, and elevating web traffic conscientiously from a security standpoint.
Whether or not you use an expert source such as LocalHop, or whether you try to implement successful website security yourself, all of the above key concepts and lists are crucial for safeguarding your data.
It’s important to remember that websites are prone to get hacked at any time, not only because of developing technology, but because cybercriminals never have a specific site in mind when they plan to execute an attack. Churches, hospitals and libraries host a wealth of personally sensitive information, which is why they are among the most targeted institutions for hackers, so having strong and resilient website security is a must. We know that technology is vast, and preventative measures are even more complex, but LocalHop is here to help you make your platforms as secure as possible. We are dedicated to providing your library with the maximizing security benefits that will not only safeguard your community and private data, but will retain your patrons trust, brand reputation, and total protection of your data.
Choose LocalHop; you won’t be disappointed.
Curious about the terminology and references that were used in this article? Check out some helpful resources that are specific to your inquiries:
*Resources are listed in the order as they appeared in the article*
- Website Security
- Cynerge Consulting
- Windows SQL Servers
- First Computer Worm
- The Morris Worm
- Unisex Sendmail
- AIDS Trojan
- The Computer Misuse Act
- Department of Homeland Security
- IT Infrastructure
- Anonymous Hacktivist Group
- Wikileaks Scandal
- Marriott Hotel Security Leak
- Dunkin’ Security Leak
- Facebook Security Leak
- Artificial Intelligence
- Phishing Scams
- Crypto-mining Malware
- Open Web Application Security Project
- Developers Engineering
- User Input
- Structured Query Language (SQL)
- Lightweight Directory Access Protocol
- Filtering Functions
- Multi-factor Authentication
- Hypertext Markup Language
- Database Key
- Common Gateway Interface (CGI)
- Digital Ecosystem
- Secure Sockets Layer (SSL)
- Hypertext Transfer Protocol Secure
- SQL Injection
- Cryptographic Algorithms
- Hashed and Saltword Practices
- Perfect Forward Secrecy (PFS)
- Session Cookies
- Cross-Site Scripting (XSS)
- XSS Prevention Cheat Sheet
- Broken Access Control
- How Phishing Scams Work
- The Computer Society
- Threat Horizon
- The Internet of Things
- Oracle Security
- KMPG Cloud Threat Report of 2019
- Forbes and Enterprises
- AI Fuzzing
- Machine Learning (ML)
- Machine Learning Models and Poisoning
- Deepfakes Video Examples
- Database Layers
- Hypertext Preprocessor (PHP)
- Test-Driven Development
- Node Packages
- Amazon Web Services
- Google Cloud
- 508 Compliance in Libraries
- Information and Communication Technology (ICT)
- Unit Testing
- End-To-End Testing
- Vulnerability Patch
- International Federation of Library Associations
- Awareness, Planning, Resilience: Thoughts on Libraries’ Cyber Defense in 2020
- Cyber Security Toolkit
- UK National Cyber Security Center
- Hypertext Transfer Protocol
- Hypertext Transfer Protocol Secure
- Website Caching
- Disk Operating System (DoS)
- Content Security Policy (CSP)
- Static and Dynamic Security Scans
- Web Application Firewalls
*Note that all listed sources are reputable and were used in the making of this article*