Website Security Checklist

Website Security Checklist: 6 Critical Items

Website security remains a priority, especially if your website represents your business. The DDoS scare that brought many websites down a few years ago made clear the importance of putting precautionary security measures in place on your website.

Your customers put their trust in you and your brand when they agree to pay online. If hackers gain access to their credit card details because you failed to secure your website, that is a breach of trust. It can destroy your brand and crash your business.


What is the value of a hacked website? Any website can be hacked, small or big, as the British Airways website hack showed.

Maintaining strong cyber security remains an extremely complex task. You may be unable to resist every threat, as hackers are savvy and constantly working on ways to outsmart every security measure.

But you can protect your website from becoming the next victim by implementing some security measures.

Here are the 6 critical checklist items to avoid a website hack.


Get an SSL Certificate

Even though you may be unable to resist every threat, you want to keep your entire website secure and still prepare for unforeseen circumstances.

Every website requires security, but it matters most if you operate an online business that either accepts payments or requires a form submission. An SSL certificate is a profitable investment and gives your customers the confidence to hand over sensitive information.

With an SSL certificate, a green locked icon with HTTPS shows at the left side of the address bar, which consumers look for to see that the website is protected. It ensures information in transit is encrypted and cannot easily be stolen by hackers.

Back Up Your Website Regularly

To stay safe in case of any eventuality, a backup is your fallback. You want to keep your entire website secure and still prepare for unforeseen circumstances. To avoid rebuilding your entire website from the ground up, make sure to back up your website and save yourself that stress and those resources.

If you back up your computer, remember that your website is just as important as your computer. Check with your hosting provider for backup details. Most hosting platforms provide a backup option, sometimes at a fee. With an automated backup system, you don't have to worry about the safety of your websites; it is effortless and automated. There are also add-ons you can purchase to automate your backups.



Get a Malware Detector

Investing in a malware detector is another significant way of securing your website. Malware is common and can be used by hackers to infect your website. Once hackers fill your website with malware, it becomes effortless for them to infect your customers' computers or devices.

Cornerstone says your website can run faster if you block malicious traffic. Getting a malware detector will save you the risk of losing your website.

Installing an anti-malware program can spot malware and stop it from damaging your website. The cost is small compared with the risk malware poses to your website.



Secure Passwords and Frequent Updates

Are you among the tons of people who use basic and insecure passwords like "123456", your date of birth, or passwords that are easy to guess? You run the risk of losing your website.

To generate a secure password for your website, use a mix of letters, numbers, symbols and special characters. Avoid using generic names or numbers that an acquaintance or anyone else can easily predict.

Being creative will aid you in generating a secure password, and the same applies to anyone in your organization who has access to your website. It's fun and easy using a password generator. You will also need to update your password periodically to keep your access safe. Setting a calendar reminder can help you know when it is time to update your login.

Stay Up to Date with Your Software and Plugins

Software developers and cyber security experts are in a constant battle with hackers, who work to overcome every defence put in place. This is why software updates are created: to reduce security vulnerabilities. Staying updated helps you stay secure.

Each time you receive an update reminder, it is part of the battle to keep your website safe and secure against attacks that may be launched by hackers. Checking for updates on your plugins, your CMS and your entire website, even if it feels annoying, is a step towards reducing vulnerabilities.

Be Careful with Permissions

Granting permissions on your website is inevitable, as you might require someone to make a few changes here and there. Like most businesses, you grant access to your website to the people who make updates. Bigger businesses often have more such people, while medium-sized and small businesses have fewer.

But the more people who have access to your website, the more vulnerable your website becomes. Not everyone on your website needs the same access level. To stay safe and reduce vulnerabilities and damage, you must grant permissions wisely.

Even when you apply the tips presented here, it's critical that you keep reading up on best practices and new security threats. Hackers are working to develop new methods to work around these security measures.

Treat your website security as a top priority, because the stakes are high.


FIXED: Problem with Website Security Certificate

Everyone transmitting information over the internet is skeptical for one fundamental reason: the security of their details. They require assurance that whatever information they are sending over the internet, whether credentials, location, contact details or even account information, is secure.

No one wants hackers and identity thieves to have access to their details. They are frightened of abuse, misuse, alterations or stealing of their information.

Online activity, personal and professional, from shopping and dating to banking and social networking, has continued despite site owners' failure to address these exposures and security lapses.

On every secured site, a padlock icon on the left side gives people confidence even though they do not understand how it works. This icon tells the user that the connection in the browser is secured and safe to interact with.


Security Certificate Error: this can happen to your website even when you have a genuine security certificate attached to it. Why does this happen? Before we dive deeper into answering this question, let's get the basics first. A website security certificate is also called a Secure Sockets Layer (SSL) certificate.


Website Security Certificate: What Is It?

A website security certificate underpins the encryption protocol that protects data sent to and from your website from being stolen over the internet by malicious parties. For any website that requires personal information like payment details, this is an additional security layer. It prevents cyber criminals from accessing the information transmitted to and from the website.

Security Certificates: How to Recognize One

When visiting a website, you may want to be sure it has an SSL certificate securing your information in the browser. Confirming whether a website has one is much easier than you think.

On the left side of your address bar, you will find a green lock icon with HTTPS instead of HTTP at the start of the website address. You might also find the words "secure connection", emphasizing this detail. Once you click on the icon, the certificate details pop up, allowing you to obtain information like the issuer and the website that possesses it, depending on your browser.

Why Websites Use Certificates

So many websites don't have a website security certificate (SSL), maybe because they believe it's not critical or because they are yet to appreciate its value.

Websites use a security certificate to keep users' information private, and here is why it is significant:

* Conduct financial transactions.
* Assume authenticity. (not entirely true)
* Utilizing forms to collect data.
* For a member-only website.
* Because Google added HTTPS as a ranking factor.
* Require user login.


“There is a problem with this website security certificate.”

This error message appears when your browser does not recognize the authority that issued the certificate, or when one of the other common mismatch errors occurs. Your device must have the matching root certificate for a security certificate to be trusted on it.

Every browser ships with a list of trusted root certificates, and you receive an error message when a website's certificate does not chain to any certificate authority on that list.

Ugetfix says that this error message is not specific to a particular web browser, because users of Google Chrome, Mozilla Firefox, Microsoft Edge, Opera and others have all reported this security certificate issue.

To resolve website security certificate issues, there are a few things you can try.

* Update your browser – an outdated browser may not recognize newer certificates.
* Cache – clear your browser history/cache.
* Browser – try a different browser to confirm the situation; sometimes it happens in a particular browser only.
* Clock – check your device time/time zone. An incorrect time causes the error message, especially on mobile devices where the time is easily changed.
* Firewall software and antivirus – check whether the website is being blocked by a firewall or antivirus application.
* SSL certificate – check that the SSL certificate has not expired.

Any website whose security certificate does not validate, especially when you are submitting information, should be avoided. It's a sign of a serious certificate issue or a malicious website.


Getting an SSL Certificate

With an SSL certificate, or website security certificate, installed on your website, your website becomes secure to interact with and free from vulnerabilities.

Visitors gain confidence that any information entered on your website remains protected and cannot be stolen or abused by hackers. When a browser accesses your website over HTTPS, a handshake is performed in which the client computer or device requests the site's SSL certificate.

Once the certificate is validated against a trusted authority, your website visitor gets a green locked icon, proving the website to be secured. But if the certificate cannot be verified against a trusted authority, a warning is displayed stating "There is a problem with this website security certificate."

Website security certificates come in different forms depending on your needs, so you can choose your preferred SSL certificate level.

These are the four levels of SSL certificate you can choose from:
* Domain Validation
* Organization Validation
* Extended Validation
* Wildcard SSL

Domain Validation – a simple certificate that includes your domain name (but not the organization or business name). The issuer verifies the WHOIS information on your domain. It is quick and inexpensive to get but provides less assurance to users.

Organization Validation – comes with proper documentation verification and domain ownership checks before the certificate is issued. Because of the nature of this certificate, manual validation is required and it can take some days before the certificate is issued.

Extended Validation – This type of SSL is designed to prevent phishing attack and provides the highest level of assurance to your customers. It displays company details verified by government and independent authorities and gives your customers full assurance.

Wildcard SSL – a type of SSL certificate that protects your main website and its subdomains. It suits multiple websites hosted across various subdomains. Your website can be hosted on multiple servers and still be protected. Examples – etc.
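The checks behind the troubleshooting list above (missing root certificate, device clock, expiry) together with the subdomain coverage of a wildcard certificate, as an added Python example that is not code from the page. The certificate records, trust store and clock are constructed inputs; the hostname rule assumed here is the single-label wildcard matching browsers apply, under which `*.example.test` covers `shop.example.test` but not `example.test` itself.

```python
"""Diagnose why a browser would show "There is a problem with this website
security certificate". All inputs below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Cert:
    subject_names: list      # names the certificate covers (CN / SAN entries)
    issuer: str              # authority that signed it
    not_before: datetime     # start of validity period
    not_after: datetime      # end of validity period


# Constructed trust store: the root authorities this "browser" ships with
TRUSTED_ROOTS = {"Example Root CA"}


def hostname_matches(pattern: str, host: str) -> bool:
    """A wildcard covers exactly one label: *.example.test matches
    shop.example.test but not example.test or a.b.example.test."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                     # ".example.test"
    if not host.endswith(suffix):
        return False
    first_label = host[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def diagnose(cert: Cert, host: str, now: datetime, roots=TRUSTED_ROOTS) -> list:
    """Return the reasons the certificate would be rejected; an empty
    list means the padlock would be shown."""
    problems = []
    if cert.issuer not in roots:
        problems.append("issuer not in trust store (missing root certificate)")
    if now < cert.not_before:
        problems.append("certificate not yet valid (check device clock/time zone)")
    if now > cert.not_after:
        problems.append("certificate expired (renew it, or check device clock)")
    if not any(hostname_matches(n, host) for n in cert.subject_names):
        problems.append(f"hostname {host} not covered by certificate names")
    return problems


# Constructed wildcard certificate valid for calendar year 2024
WILDCARD = Cert(["*.example.test", "example.test"], "Example Root CA",
                datetime(2024, 1, 1, tzinfo=timezone.utc),
                datetime(2025, 1, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    clock = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for host, when in [("shop.example.test", clock), ("a.b.example.test", clock),
                       ("example.test", datetime(2026, 1, 1, tzinfo=timezone.utc))]:
        print(host, "->", diagnose(WILDCARD, host, when) or ["padlock shown"])
```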

No Security Certificate

A website can still function without an SSL website security certificate. But this is inadvisable if you expect people to submit personal information through it. Website security isn't a nice-to-have but a necessity in this information age.


eBay Security and the “Punching Bag of the Internet”

Not only has eBay security been undone by their tolerance for what The Register referred to as "Rubbish Passwords" — now there are reports of multiple Cross Site Scripting (XSS) vulnerabilities on eBay subdomains.

As the 2014 Verizon Data Breach Investigations Report chronicled, web applications were the top attack vector for successful data breaches in 2013. The report went so far as to dub web applications “the proverbial punching bag of the Internet.”

At 6Scan we block millions of attempts to exploit vulnerable applications every month. Currently XSS is the 4th most prevalent attack we see. While XSS does not pose an immediate threat like an SQL injection does, the security implications are highlighted in the XSS attack definition:

“An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.”

The significance of the attack is not only in access to the vulnerable application, but in malicious access to the trusted relationship between the user and a given site (like eBay). We recently wrote about an NFL team with an active XSS vulnerability; it's in these situations with powerful brands that XSS vulnerabilities can do the most damage. So while eBay chose to downplay the vulnerability with the comment that it's "not a new type of web application vulnerability on sites such as eBay," the reality is that the severity of the threat is directly related to the trust placed in the brand.

Stay safe.


Value of a Hacked Website

After our recent Data (In)Security post, we fielded many questions from owners of small sites and blogs that basically boiled down to one common theme – I’m not Target so why would anyone hack my site?

Thanks to news coverage there's a common misconception that attackers are only after banks, large companies, or critical infrastructure. No doubt we live in a world where big names get big headlines. However, a more accurate account of the assault on small business websites comes from industry reports. Case in point: the Verizon 2013 Security Report cited that 71% of data breaches affected companies of 100 employees or fewer.

The attacks are driven, in large part, by an ever-growing number of websites. In the past 3.5 years alone, the number of active websites has doubled from 90 to 180 million (according to Netcraft). This rapid increase in the creation of individual and small business websites has produced a threat landscape that mimics that of the late 1990s and early 2000s. It was during this period that broadband access boomed, creating millions of new targets (PC owners) with limited time to understand the risks they faced.

In a snapshot, the above image illustrates time-tested reasons why criminals target small websites. The image is based on the infographic Value of a Hacked PC, created by Brian Krebs. If you’re not familiar with his work, check out his website, Krebs on Security. Krebs’ security coverage unwinds cyber-criminal activity in near real time and often reads like a Tom Clancy story.

Unfortunately, the number of ways criminals can monetize your company's website is too vast to cover in one blog post. Over the coming weeks we will drill down on specific threats. For now, suffice it to say, no site is too small to be victimized.

I’ll sign off with this friendly piece of advice: to everyone using a CMS, do yourself a favor and update to the latest version!


Automatically Blocks Shellshock Attack Vectors

Shellshock is out, and it’s exactly the type of threat that reinforces the importance of real-time, proactive, automated security.

6Scan has developed solutions to protect our customers’ websites against Shellshock attack vectors and we will continue to automatically update our active subscribers as new vectors emerge.

Through our patent-pending automated website security we are able to define common attack vectors and filter out malicious traffic designed to exploit websites that are exposed to this vulnerability. As new attack vectors emerge we will continue to update our security in real-time.

Shellshock details

The vulnerability comes from a weakness in the GNU Bourne Again Shell (Bash), the text-based, command-line utility on multiple Linux and Unix operating systems. Researchers discovered that if Bash is set up to be the default command line utility on these systems, it opens those systems up to specially crafted remote attacks via a range of network tools that rely on it to execute scripts, from telnet and secure shell (SSH) sessions to Web requests. The vulnerability is summarized here.

The Guardian website has a good non-jargon write-up and, as usual, Krebs on Security has good coverage, including this warning:

“The bug is being compared to the recent Heartbleed vulnerability because of its ubiquity and sheer potential for causing havoc on Internet-connected systems — particularly Web sites. Worse yet, experts say the official patch for the security hole is incomplete and could still let attackers seize control over vulnerable systems.”

Stay safe.


Heartbleed’s Long Dangerous Tail

It’s been two weeks since the Heartbleed bug was disclosed, and, here at 6Scan, we’re encouraged that 99% of the sites we scan, and 100% of the sites we protect, are unaffected by this critical vulnerability.

Unfortunately, the 1% of sites we scan that are affected represents thousands of destinations with millions of monthly page views. We’ve researched these sites and grouped them by Alexa rank (see image below). The vast majority are part of the internet’s “long tail” small sites – ranking outside Alexa top 1,000,000 – that serve niche communities and special interests.

It’s tempting to marginalize these vulnerable sites because of their size, but don’t. Left unchecked, these small sites put everyone at risk.

Why? Breaching small sites is an essential part of the black-hat economy. They provide the resources for hosting phishing pages, infecting consumers, avoiding malicious IP black listing, launching DDOS attacks and many other nefarious activities. Protecting these sites, and their visitors, is critical for ongoing viability of the internet.

While Heartbleed had many of us primarily concerned with larger properties and institutions running vulnerable OpenSSL versions, it's important to remember that small sites pose a threat as well. If you're concerned about the smaller sites that you visit, there are a variety of tools available that claim to provide information on a website's OpenSSL status, including this one.

The chart below shows the breakdown of Heartbleed-affected websites by Alexa rank. 1.3% of the vulnerable sites are within the top 100,000 most trafficked sites on the internet. As a reference point, the site ranked 100,000 would average about 25,000 unique page views per month. What makes the long tail so dangerous is that over 90% of the sites still affected are outside the top 1 million.