The Limitations of Website Security Plugins

If you’re a website owner, you’re probably using a myriad of plugins, either to add functionality to your website or simply to enhance its appearance. You might even be using a security plugin on your site. However, though affordable and convenient, website security plugins can cause complications and may not protect your site as well as you’d like.

WordPress, the most popular CMS, has a plugin repository filled with hundreds of security plugins. Many users assume that simply installing one will prevent their sites from getting hacked. While we don’t intend to discourage the use of security plugins, users should be aware of their possible downsides. The following are potential issues you may come across:

1. Login inaccessibility

For any CMS, the admin login page is undoubtedly the most highly targeted by hackers since it can allow them unauthorized access to your website. That is why a plugin that limits the number of login attempts can be useful to many website owners. However, certain security plugins have the potential to lock admins out of their own site, and as a webmaster or admin, nothing is worse than being unable to access your website.

Though they can help prevent brute-force attacks, and even denial of service (DoS) attacks when heavy traffic is aimed at the admin login page, these security plugins have their setbacks. If you forget your password and attempt to log in multiple times, or if several logins happen at once, the plugin may lock you out.
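The lockout side effect described above can be reproduced with a small model. This is an added illustration, not code from the original post or from any WordPress plugin; the account name, IP addresses and limits are constructed for the example. It compares a per-account hard lockout (which the attacker’s failures can turn against the real admin) with a per-source throttle that backs off exponentially.

```python
"""Two login-throttle designs and how each treats a locked-out admin.

Added illustration, not from the original post or any real plugin.
Everything runs in memory with a simulated clock so the scenarios are
reproducible offline.
"""
from collections import defaultdict, deque

LIMIT = 5      # failed attempts tolerated inside the window
WINDOW = 300   # seconds over which failures are counted
LOCKOUT = 900  # seconds a hard lockout (or the maximum backoff) lasts


class AccountLockout:
    """Policy A: count failures per *account* and hard-lock the account.

    Easy to implement, but anyone who can submit wrong passwords for
    'admin' locks the real admin out too (a denial of service on login).
    """

    def __init__(self):
        self.failures = defaultdict(deque)  # account -> failure timestamps
        self.locked_until = {}              # account -> unlock time

    def attempt(self, user, src_ip, ok, now):
        if now < self.locked_until.get(user, 0):
            return "locked"
        q = self.failures[user]
        while q and now - q[0] > WINDOW:    # drop failures outside the window
            q.popleft()
        if ok:
            q.clear()
            return "allowed"
        q.append(now)
        if len(q) >= LIMIT:
            self.locked_until[user] = now + LOCKOUT
            return "locked"
        return "denied"


class SourceBackoff:
    """Policy B: count failures per *source IP* with exponential backoff.

    One brute-forcing source is slowed down; an admin on another address
    is unaffected by the attacker's failures, and the admin's own typos
    only delay the next try instead of locking the account. Caveat: a
    brute force spread over many sources is slowed less by this policy.
    """

    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> failure timestamps
        self.retry_after = {}               # ip -> earliest next attempt

    def attempt(self, user, src_ip, ok, now):
        if now < self.retry_after.get(src_ip, 0):
            return "throttled"
        q = self.failures[src_ip]
        while q and now - q[0] > WINDOW:
            q.popleft()
        if ok:
            q.clear()
            self.retry_after.pop(src_ip, None)
            return "allowed"
        q.append(now)
        excess = len(q) - LIMIT
        if excess >= 0:                     # 1s, 2s, 4s, ... capped at LOCKOUT
            self.retry_after[src_ip] = now + min(2 ** excess, LOCKOUT)
            return "throttled"
        return "denied"


def simulate(policy):
    """Scenario 1: a source at 203.0.113.7 (constructed) sends 20 wrong
    passwords for 'admin', one per second; then the real admin logs in
    correctly from 198.51.100.5 (constructed).
    Returns (attacker's last verdict, admin's verdict)."""
    attacker = None
    for t in range(20):
        attacker = policy.attempt("admin", "203.0.113.7", False, t)
    admin = policy.attempt("admin", "198.51.100.5", True, 20)
    return attacker, admin


def forgetful_admin(policy):
    """Scenario 2: the admin mistypes the password LIMIT + 1 times from
    one address, waits a minute, then enters it correctly."""
    for t in range(LIMIT + 1):
        policy.attempt("admin", "198.51.100.5", False, t)
    return policy.attempt("admin", "198.51.100.5", True, LIMIT + 61)


if __name__ == "__main__":
    for cls in (AccountLockout, SourceBackoff):
        print(cls.__name__, simulate(cls()), forgetful_admin(cls()))
```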

2. Customer support issues

For most CMS platforms, there is rarely a dedicated technical support team handling inquiries in real time for the issues you may face with these security plugins. Typically, support comes in the form of support threads and forums or something similar; WordPress, for example, has one. Because users run different themes and different combinations of plugins, each situation is unique. This makes it difficult to get a clear-cut answer most of the time, which also means your ability to respond promptly to hacking incidents is limited. Oftentimes, you’ll already be too late.

Another major downside with security plugins is not having a platform to report a security issue. Security these days is offered as a service, either paid or unpaid. And because it’s a service, it typically comes with quality technical or customer support, guiding users each step along the way, unlike with security plugins.

3. The “untrustworthiness” factor of security plugins

While there are a number of plugins available, not all come from a trusted entity. These days it’s easy for anyone to develop a plugin and make it available for anyone to download online.

As a website owner, it is up to you to evaluate a plugin and decide whether it’s reliable. When a plugin has not been updated in months or years and has been left in the wild, so to speak, it may conflict with your current CMS version or expose you to the risks and threats that come with outdated code. Just because a plugin was highly commented on and reviewed in the past doesn’t mean it is a good fit for your current website.

4. Inability to handle zero-day vulnerabilities or modified attacks

Security is never perfect, but relying solely on security plugins exposes you to certain kinds of attacks that a mere plugin can’t thwart. There is no straightforward way to address zero-day attacks, for example, because the hacker has already exploited a vulnerability before the security vendor even takes notice.

This means that even if your security plugin updates automatically, you won’t be entirely protected. Even a highly rated Web Application Firewall (WAF) plugin cannot capture the full scope of potential attacks. In addition, false positives, legitimate traffic mistakenly identified as malicious, may cost you precious site visitors, among other things.

The fact that a security plugin is free appeals to many, but sometimes that can do more harm than good, especially when you care about securing your website. Plugins are fine if you are a casual blogger, but if you have a huge following or run an ecommerce site, security plugins may not be adequate. Luckily there are other ways to secure your site that offer stronger protection at little to no cost. We are not suggesting that you take a passive approach to security; we are encouraging the adoption of other security alternatives. For more on what you can do to actively protect your website, check out this blog post on the three layers of website protection.

Data Protection Laws and Cybersecurity: Mitigating the GDPR Challenge

Data privacy has been, and will continue to be, a topic of hot debate, especially when industry standards and written regulations require compliance across the board. On May 28, 2018 the GDPR (General Data Protection Regulation), which will replace the EU Data Protection Directive, will go into effect. Banks and other public and private organizations in Europe are preparing for the changes that come with this updated regulation.

For example, in anticipation of the new regulation, European financial organizations are preparing to lend €4.7 billion to organizations as part of a breach response readiness initiative. But preparing to comply with the GDPR isn’t a task for European companies alone; it applies to any company conducting business in the EU or whose activities affect EU citizens. So what will the GDPR mean for US-based companies? And what will it focus on?

What does the GDPR focus on?

The GDPR will shift how the legalities work when it comes to data use. This means both controllers (the party ensuring the protection of data) and processors (the party who processes the data on behalf of the controller) may be jointly liable for data breaches and other types of unauthorized use of personal data.

Differing from the previous EU Data Protection Directive, the GDPR will also focus on personally identifiable information, or PII. PII is any kind of information about a person that a business collects, by any means. This includes credit card numbers, Social Security numbers (or their equivalents), birth dates, and various other types of data. When an organization collects data, it must decide how the PII will be stored, which may involve assistance from a third party. This further complicates the steps needed to meet all the GDPR requirements.

How will the new GDPR affect US-based companies?

If this private information is leaked or breached in any way, organizations must be prepared to face the consequences, and US companies are no exception. In fact, they may even face greater fines if they choose not to play by the rules. Noncompliance fines can range between 2% and 5% of global turnover.

Once an organization understands where data such as PII resides, it becomes clearer where risks could arise. Because the GDPR stipulates that organizations must take “reasonable” steps to safeguard private information, US companies that handle data from European customers must not only keep track of US data regulations but also ensure that they are fully compliant with the GDPR.

What are organizations doing to protect PII?

Security management will clearly play a vital role once the GDPR comes into effect, and encryption in particular will play a major role. Encryption ensures that even if data is retrieved, hackers will have no way of decrypting it or making use of it. Besides safeguarding their internal systems and data, CIOs and CISOs must also ensure that the organization’s cloud service providers adhere to the GDPR.

With cloud services becoming increasingly popular, organizations using any Infrastructure as a Service (IaaS), Software as a Service (SaaS), or Security as a Service (SECaaS) offering must ensure that data protection follows the guidelines set by the GDPR. In the SECaaS model this includes data loss prevention (DLP), network security, vulnerability scanning, and web security, which widens the scope of where data might be processed or stored. The GDPR explicitly mandates that an organization’s network or information system must be able to resist malicious actions that compromise “the integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems.”

For this reason we should expect organizations to start taking cyber security a lot more seriously and to add defenses such as DDoS protection to their networks if they haven’t already. Organizations are also more likely to invest in high quality security that is reliable and trustworthy, as the last thing they want is to pay huge fines for a data breach. A cloud WAF, for example, monitors, filters, and blocks traffic to and from a web application, including data exchanges involving PII. Because WAFs also help protect against data leakage, organizations should only invest in advanced WAFs that filter traffic with high precision.

Gartner currently predicts that by the end of 2018, more than 50% of companies affected by the GDPR will not yet be in full compliance with its requirements. This suggests that a large majority of businesses do not fully understand the impact the GDPR will have on them. The GDPR is not simply about allocating budgets to accommodate privacy and data compliance regulations; it means organizations must stay informed about the current cyber security threat landscape. With the GDPR affecting more than just Europe, companies around the world doing business in Europe need to stay informed about the best security and business practices to protect an organization’s most sensitive asset: data.

Majority of Companies Are Not Disclosing Their Data Breaches

It is a common misconception to think that companies absolutely must disclose details of any internal breaches they may have suffered. In reality, the majority of data breaches go unreported, and details of the leak are rarely revealed to the public. Recently in the media, Yahoo came under fire and heavy scrutiny for late disclosure of two major data breaches of user account data. The Internet service company suffered two massive breaches in both 2013 and 2014 – resulting in the largest discovered data breaches in the history of the Internet – but this situation was only made public during the latter part of 2016.

This raises the question: should companies be forced to disclose data breaches? As we shall see, being PCI compliant is only the beginning when assessing a company’s security practices.

False sense of security protection

Just because a company is internationally known doesn’t automatically mean that your data is safe. Many users have a false sense of protection simply because they trust the brand. But when it comes to these companies’ cybersecurity practices, quality security measures may not be a top priority, since most are typically sales-driven. For example, besides the recent Yahoo breach, numerous cyberattacks have made headlines, such as the leak of 68 million Dropbox users’ data, which remains engraved in the minds of the public.

Part of the reason so many attacks go unreported is that most companies simply do not need to disclose that sort of information in the first place. There is no current law requiring corporations to reveal when customer data has been compromised, so it makes sense that data breaches go unreported. A hacking incident could tarnish the reputation of the brand and instill mistrust among customers, which is never something corporations want. Even if large corporations choose to disclose data breaches, the extent to which data has been compromised is probably not revealed in full and is downplayed.

For instance, in the case of credit card breaches, customers will simply receive email reminders to change their account passwords, or the bank will issue new cards to mask the data breach. Cases like this give the impression that nothing is wrong and that it is simply “routine procedure.” So, what can you as the customer do?

PCI Compliance?

If you are engaging in online transactions, ensure that the company is PCI-DSS (Payment Card Industry Data Security Standard) compliant.

Below is a clear definition of this industry standard:

The Payment Card Industry Data Security Standard, or simply PCI DSS, is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.

With most brands moving their businesses online, there is growing concern about the security implications of online transactions. When a corporation is not PCI compliant, there is a higher chance of data leakage – but even this industry standard is purely a minimal requirement. Just as it is not a law for corporations to reveal internal data breaches, PCI compliance is just a security standard for online transactions – not the law. That means businesses can continue to sell products online without the proper security standards in place. Furthermore, research by Verizon has shown that seven in ten businesses that achieve PCI compliance fail to maintain it for even one year.

Because corporations do not differentiate between what it means to “be validated” and to “be compliant,” this finding is extremely daunting, especially in light of recent data breaches. Being validated refers to a precise point in time at which a business chooses to be assessed for compliance. The assessment is therefore a snapshot and says virtually nothing about the business during the rest of the year. For example, a company that suffered a data breach may tell its customers that it was validated for PCI compliance within the past year, but that doesn’t necessarily mean it was compliant at the time of the actual breach.

In fact, according to one of the authors of the Verizon report, “…data from the past 10 years shows, that not a single company that suffered a data breach was compliant with PCI requirements at the time of the incident.” PCI standards set a strong baseline of protection for any business, but at the end of the day they are just the “minimum bar,” one that competitors reach simply because customers expect at least that much.

But is it enough? In many cases, no.

For example, Home Depot, which was PCI compliant, suffered a massive data breach in 2014. Many questioned how this could happen to such a huge retailer, especially one supposedly certified to the security standards associated with credit card transactions. However, according to CIO, Home Depot’s breach stemmed from using outdated Symantec antivirus software, not monitoring the network continuously for suspicious behavior, and performing vulnerability scans irregularly at only a few of its stores. Stolen customer information also went unnoticed for several months. This example demonstrates that there is more to being secure than being PCI compliant.

Security beyond PCI compliance

A larger company like Home Depot can certainly afford to hire a security team, but because security was not prioritized, it was too little, too late when it was struck with a massive data breach. Adhering to the PCI standards sets the minimum bar, but there is more to security. To start, companies should incorporate a Web Application Firewall (WAF) into their security platforms. Not only does a good WAF do much more to protect your website against external threats, including DDoS and data leakage, but it also does not require a special security team to operate and manage.

With the rise of cloud services, WAF-as-a-service has also become popular since it doesn’t require additional hardware. Only minimal technical knowledge is needed: a simple DNS configuration registers a website under WAF protection. Cloud WAFs manage all inbound and outbound traffic and automatically detect and filter malicious attacks. This is huge for businesses that are still starting out and cannot afford specialized security teams. For example, Cloudbric, a cloud-based WAF service, offers easy-to-understand web traffic analytics and allows users with little to no IT security knowledge to inspect their web traffic data for inconsistencies.

The reality is that hackers can gain access to confidential information with relative ease, so data leaks will likely continue. Keep in mind that just because a breach doesn’t make news headlines doesn’t mean data breaches are uncommon. We can have a false sense of security, believing that entrusting our sites to well-known and successful companies keeps our information secure. Following standards like PCI DSS is a great start, but when thinking about security best practices it’s best to think long-term and implement a solution that has you covered any time and anywhere.

Your Guide to the 3 Layers of Website Protection

Of course, it’s difficult to talk about completeness when it comes to information security. Even professionals need serious resources for comprehensive protection, from architecture to operation, and even then perfection isn’t guaranteed. There is no standard set of web security measures, so everyone builds security to fit their own situation. Web security solutions need to fit each company’s IT system, and that begins with understanding how the company’s IT system is structured.

What’s the shortcut to website security?

The Three Layers of an IT System: Network, System, Application

Generally, an IT system consists of networks, systems, and applications. Each of these three layers needs its own level of protection. The network layer at the bottom of the stack handles data transfer, while the system layer (what we know as operating systems such as Windows or Linux) is the platform on which the application layer runs. The application layer itself offers protocols and services with many features. Most server systems follow this structure, so securing a server means securing all three layers.

Don’t Overlook Web Application Security

Despite the importance of web application security, most companies spend only about 10 percent as much on web application security as they do on network security. The reason is simple: companies don’t know what to do about web application security. The application layer is technically more complicated, and the kinds of applications vary widely.

Most security professionals find it difficult to set up a security policy and apply security measures. What we think of as the ‘web’ actually consists of applications. Websites and mobile apps are all applications, and attacks on these also take advantage of the vulnerabilities of applications.

Web attacks such as SQL injection or XSS target vulnerabilities in web applications. Malicious code known as a ‘web shell’ is itself a type of web application. The Open Web Application Security Project (OWASP), well known in the web security industry, names 10 top web vulnerabilities, all of which are web application attacks.

More than 90% of web attacks target web applications. A web application firewall (WAF) is what protects your website from unwanted visitors. Its role is like a fence: it monitors traffic, detects web attacks, and protects your website. What matters is that it prevents vulnerabilities from being exposed. From the outside, it blocks malicious traffic; it also hinders malicious code from being uploaded to your web server.

A Web Application Firewall blocks all sorts of web attacks

If you look into web application firewall solutions, there is a comprehensive yet free solution called Cloudbric. Cloudbric is the most advanced web application firewall, with algorithms that progressively learn from past experience. Go to the top of this page and click to get started with Cloudbric protection for your website!

3 Web Security Services for Startup CEOs

Startup CEOs should secure their business

In 2013, Target, a massive retailer in the US, suffered a major web hacking incident that stole thousands of customers’ credit card information. After the event, Target was negatively affected as news leaked and company shares dropped by 1.5% the following year. These kinds of web attacks prove that nobody is completely safe from web hacking.

Now, we know that web security is not a hot topic that drives a conversation every day. However, as a startup CEO, it is imperative to have a basic knowledge of what web security options are available, so that you can do your best to protect your clients’ private information. Here are 3 options to help you better protect your company’s sensitive data.

Web Application Firewall (WAF)

Web Application Firewalls monitor the incoming and outgoing HTTP/HTTPS traffic to your website. You can think of a WAF as the security scanner we see at the airport: people with the right credentials get through the gates, but any visitor with malicious intent is barred from entering your network. WAFs use specialized rules or patterns to identify whether a visitor or request is dangerous. WAFs can be the essential first line of defense for any website owner, protecting your website at the network perimeter.

Malware Scanners

Having a WAF is a great way to improve your web security. However, it won’t help your business much if you are already infected. It is therefore also helpful to search for malicious programs already residing on your servers.

Infected sites can be a major turn-off for customers, especially if they can infect customers’ computers. This is a double-edged sword: not only can you affect your customers, but once Google gets wind of it you can also be blacklisted in search results, since Google detects websites infected by malware and warns visitors away. So having a protected and clean website is good not only for the customer but also for business. Using a malware scanner on your internal network can help keep your website safe. For optimal security, run routine scans on your servers. Better to be safe than sorry.

Database Encryption

Encryption is the process of transforming the data in a database into an undecipherable form. An encryption program uses a series of complex algorithms and a master key to turn the data back into its original form. Your database is where all the data of your business, such as customers’ banking information, is stored. It is one of the core elements of any online business; therefore, malicious hackers are always looking for a way to get their hands on it.

One of the world’s most popular database management systems, MySQL, is open source, so it can be highly vulnerable to attacks. Many CMS frameworks, such as Drupal, Joomla, and WordPress, use MySQL as their default database. It is critical that you take every precaution to protect yourself from would-be attackers. One way to do this is to use database encryption software, which adds a third layer of protection in case savvy web hackers get into your internal system.

The recent increase in the number of startups has made these businesses attractive targets for hackers. Customers entrust their information to businesses, and those businesses should feel obligated to keep that information safe from hackers with malicious intent. One can’t be too careful when it comes to security. Get more in tune with your website and its security by installing these 3 great security solutions!

Using a Cloud-Based WAF as a Service for Better Web Security

Before the advent of the cloud-based WAF, Web Application Firewalls (WAFs) usually came in the form of hardware. These WAF appliances were great for big businesses and enterprises: they provided flexibility and fast access to the device, and they did not depend on external connections to function. However, they also had a few disadvantages.

Hardware WAFs were difficult to install and deploy since they are heavy and take up a lot of space. They can be hard to maintain, and they are on the costly side, so only large enterprises can actually afford them. Meanwhile, small and medium companies were left to fend for themselves.

The Birth of the Cloud-Based WAF

Thankfully, this has changed rapidly over time. Since the birth of the cloud, many innovative WAF vendors have turned these same enterprise-level security features into a cloud-based WAF as a service aimed specifically at SMBs. The shift from hardware to cloud-based WAF as a service has proven beneficial for three reasons.

1. Fully Managed Security

WAF as a service doesn’t require any hardware to operate. All one needs to do is configure their DNS records to start securing a website. This provides great accessibility for small and medium-sized businesses. It also reduces the resources needed to set up and customize a traditional enterprise solution.

2. No Technical Knowledge Needed

A cloud-based WAF as a service also handles and manages all of your HTTP and HTTPS traffic. WAF vendors have detection technologies in place that automatically detect and filter malicious attacks. This means you can focus on what’s most important for your business: gaining customers. Specialized security staff or technical experts are unnecessary when using a WAF as a service.

3. Easy to Understand Analytics

We make providing web security to SMBs our top priority, and many WAF as a service vendors cater to the SMB market by providing easy-to-understand web traffic analytics. There is no need to have a specialist scrub your web traffic data to look for inconsistencies or to find out how many attacks were actually blocked. These days, almost all security vendors provide good metrics and analytics that help any business owner see the impact of their WAF.

Cloud-based WAF as a service has made it possible for more people to secure their websites with zero hassle and at a much lower cost. Implement a WAF today so you can focus on growing your business while we take care of the rest.

7 Ways to Expose Your Website to Hackers

So you want to serve up your website for any hacker to break into. Sure, weirdo…who am I to judge?

Here are 7 things you should not do unless you want your website hacked:

Once again, if you’re a sensible human being you really should never find yourself doing any of these things.

1. Ignore Security Updates

They may be a nuisance, but updates patch up newly discovered bugs in software. Not installing updates and patches makes it a lot easier for hackers to compromise your device or web app. If you want your website hacked, ignore all security patches, plugin updates, and updates for CMS services such as WordPress or Drupal.

2. Use as Many Different Features and Plugins On Your Site As Possible

Plugins introduce many new potential vulnerabilities to your website, similar to how adding more windows makes your submarine less seaworthy. Be sure to load up on file uploaders, video players, ad managers, analytics, and whatever else you can cram in, even if you don’t need any of it.

3. Set a Really Dumb Password

Setting your password to something easy like “123456,” the always-clever “password,” or your own username saves hackers a lot of time. You can also help by using the same password for your computer, e-mail, FTP access, and Ashley Madison account, so that once one is compromised, all of them are exposed.

4. Mismanage Your Website and Its Contributors

Just let security be someone else’s job, and don’t take any notice. Be sure to give your employees or contributors full admin access to your website, and make sure not to update your passwords after they leave. Sooner or later, something bad will happen.

5. Don’t Put Together a Security Incident Response Plan

No need to prepare for the worst when you’re counting on it. What if your site gets disabled, or deleted, or information is leaked? How do you detect it, how do you respond, and how do you disclose it? Those are questions that should be considered by anyone who doesn’t want to get hacked.

6. Don’t Bother Securing Your Domain With SSL

SSL encrypts communication between a website’s server and a user’s browser, which is especially useful in protecting online transactions and payments. It also thwarts man-in-the-middle attacks, in which a hacker gets between server and browser and can monitor or alter communication. So if you want to endanger your customers’ privacy, forget about HTTPS: HTTP is the way to go!

7. Don’t Use a Web Application Firewall

A web application firewall can protect your site against the worst online threats, including DDoS attacks, SQL injection, and cross-site scripting (XSS), so if you want to make it easier for hackers to overrun your website, the last thing you should do is secure it with a web app firewall like Cloudbric, Imperva, or Cloudflare.

This blog post was originally featured on cloudbric.com. Visit their blog for more insight, news, and accessible information on web threats and trends. If you would like to learn more about Cloudbric’s logic-based WAF service, please contact info@cloudbric.com.

Think Twice Before Donating Online

Donating Online From a Security Perspective

Have you ever made a donation? It’s a good feeling when we try to help somebody out. Based on the National Philanthropic Trust Organization’s data, Americans gave $358.38 billion in 2014, and the figure continues to increase yearly. We usually donate in person at a store, school, or work, but the internet has made donating online a lot easier. However, we should take some precautions before we make these donations.

Even without a platform as large as Kickstarter.com or GoFundMe.com, it’s pretty simple to make a website to receive funding. Communities can create a website to raise money for schools. Families can make a site to receive donations to pay the funeral costs of a loved one. With a giving heart, we usually donate a few bucks to help them out. But we really should think twice before donating online.

According to Bloomberg, Bank of America spent over $400 million in 2014 to protect their online customers. Large corporations have their own security team to protect their websites, but what about the smaller companies that help people? Clearly, a school does not have $400 million to protect their donation website from web attacks. A person asking for money is not likely to put money into security for their website.

Although donating online can be a simple and efficient way to help somebody out, it can have negative consequences if done negligently. Would you hand a wallet full of cash to a bank that’s not protected? Donating money to an unprotected website can not only cost you your money, but your personal information can be leaked as well: not only your name, address, and phone number, but also your credit card and bank account information.

I’m not saying you should never donate online. Donation websites are for a good cause. If you really want to donate to a certain cause, there are safety measures you can take to avoid the dangers.

1. Make Sure It Is a Trusted Organization or Someone You Know Personally

There are many fraudulent donation campaigns set up to make a quick profit and disappear, so make sure the campaign is genuine. Verify the address or phone number if anything looks suspicious.

2. Check the URL Box and See If It Says “https”

The extra ‘s’ stands for ‘secure,’ and when you deal with money or personal information, the connection should always be secure. Another tip is to check for the “lock” icon in your browser, located next to the URL. Clicking it shows more information about the security of that webpage. An advantage for Google Chrome users is that the locks come in different colors. A green lock means the site has an EV certificate, which can be quite expensive but is well-secured, while a red lock may indicate that the site has failed some part of the verification process.

3. Send a Message to the Website Administrator

Ask if the website is secured with a web application firewall. Website protection solutions like Cloudbric provide comprehensive website protection for free up to 4GB traffic usage, which makes it more than enough for donation sites to be fully protected without paying a penny.

All of these methods should be checked before you type in your credit card number. It’s always great to give, but make sure you are protecting your wallet as well.



“Website” Meaning for Startup CEOs?

You might hear a lot of CEOs saying, “My website is powered by WordPress”, “My website is everything”, or “My website is my entire business!” These are the most common answers from CEOs. Almost all startups operate their own websites. Many startup CEOs build their websites with CMS tools such as WordPress, Joomla, or Drupal. Those that depend on these tools really need to pay attention to what these tools are if they have any hope of doing business online.

Well, the actual definition of a website is a connected group of pages on the Internet that use unique addresses and network routes based on Internet protocols. But who can actually understand that kind of explanation? A website is web data: web pages and content. To better understand what a website really is, we can start by learning more about CMS. A CMS, or ‘web content management system,’ is a tool that turns raw content into useful resources in this content-filled world. It is the leading solution for building a website without difficulty. Methods of protecting a website can differ completely depending on the beliefs of the startup CEO. One CEO may want to protect a site one way, and another may think differently and protect a site another way. It all depends on their definition of what a website is to them. Here is a closer look at common assumptions CEOs have about websites.

1. ‘My website is powered by CMS’

CMS platforms and all related plugin modules are website building and operating tools. Building security into an application can be done through secure coding. However, secure coding may not be perfect. That’s why CMS vendors release security patches and updates, and users need to apply them constantly. Still, a website can suffer ‘zero-day attacks,’ exploitation during that brief window of vulnerability when a hacker can attack before the CMS vendor finds out about the flaw.

The point here is that, beyond the CMS itself, users also need to pay attention and double-check every module to see whether it is really safe. Modules should only be downloaded from reliable, trustworthy websites. It can be quite bothersome to update constantly and still be vulnerable to attacks.


2. ‘My website is all the data stored in the data center’

Technically, this is a pretty close answer. A website is data, and website data is stored at an Internet data center, IDC for short. To keep data safe, the data center administrator manages an application firewall and network security tools such as IDS/IPS to prevent hackers, viruses, and malicious codes from entering the data center.

Enterprises can usually afford to directly manage their own web servers in the data center. Most startups can’t, so they rely on hosting services to manage this for them by leasing part of a web server in the data center. Cloud hosting services are popular among both small and medium businesses and larger enterprises. But if users rely on a cloud hosting service such as AWS, there is nothing the user can do about data center security. The data center will probably be safe, but the security is built around the server, not the individual websites.

3. ‘My website is my own private data with web pages’

This is how startup CEOs should perceive their website. Understanding this concept is important because, among security attacks on information, 90% are aimed at content and carried out through content. Compared to the vulnerability of the CMS and physical data storage, content vulnerability is a more serious matter. Website attacks are directed at the content of a website. That content is not necessarily images or files, but may include account information and administrative authority.

So, how can startup CEOs with CMS protect their websites?

A website can mean something completely different to a business than to the average user. Startup CEOs might view a website as their gateway to the outside world: the vehicle for communicating their business and selling products. In essence, a website is the business. Most websites are powered by CMS systems, and since there’s no way to know how securely CMS apps have been coded, owners need to constantly apply the security patches provided by the CMS to avoid attacks like SQL injection. Since that still isn’t completely safe, CEOs need a web application firewall that covers the vulnerabilities left by the CMS’s own security measures.

Even if a cloud-hosting service protects the web server or its data center, it does not protect the contents of individual websites. Basically, the data center manages the antivirus role and the network security role, but it does not take the web contents security role. Technical and privacy issues restrict it from securing web content.

A web application firewall (WAF), on the other hand, can fully protect website content. The cloud-based web application firewall Cloudbric can protect your website. Even if your data is stored safely on an IDC, or if you update security patches constantly on CMS, you still need a WAF to fully protect your website.




6 Steps to Create a Secure Website

There are roughly one billion active websites online, or one for every seven people alive right now. How about yours? Is it a secure website?

Every single second, a couple of new websites are born into this world. That’s a lot of websites, so how are they being created, and how do you make one? And how do you keep your website secure from all the cyber threats out there?

A Secure Website in 6 Steps?

The steps needed for making a website, from registration to design, coding, operation and growth, can be a very long and complex process. Each step has a lot more nuance to it than fits here, but this guide should point you down the right path to setting up a secure website.

1. Choose Your CMS

How are you going to build your site? These days you don’t need to be a computer programmer to put together your own fully functioning website thanks to Content Management Systems (CMS). With CMS solutions like WordPress, Joomla, and Drupal, putting together a website is about as easy as building a house out of Lego. No matter what CMS you choose, there are new exploits that are uncovered almost on a weekly basis. This means you need to stay on top of software updates and patches to keep your site secure.


2. Sign Up for a Web Host

Your domain name is like the street address and the CMS is like the materials you build your site with, but the web host is the actual plot of real estate where your website exists online. Some are free and come with bandwidth limitations or embedded ads, and there are commercial options that run much better. Many hosts also provide server security features which can better protect your uploaded website data. Check if a web host offers Secure File Transfer Protocol (SFTP) which makes uploading files much safer. Many good hosts should also allow for file backup services and have a public security policy showing how well they keep up to date on security upgrades.

3. Design Your Website With Security in Mind

What’s your website going to look like? Hiring a designer is usually worth the money you pay, but if your site is straightforward enough then you don’t need to do anything fancy. These days, simplicity is the golden rule, and minimizing add-ons and plug-ins is recommended for aesthetic, operational, and security concerns. The main thrust of your site should be text-based and presenting your product clearly, with images and design flourishes playing in the backup band. Basically you should focus more on avoiding bad design than embracing great design.

4. Apply a Web Application Firewall (WAF) to Protect Your Site

As soon as your website is online, it is exposed to a rogue’s gallery of cyber threats. Automated bots are out there scanning for vulnerable websites, and newly created sites are an especially tempting target. Adding a web application firewall (WAF) such as Cloudbric, Incapsula, or Cloudflare, will ensure that you have a secure website before the attacks start.

5. Do Business Online Secured by Secure Sockets Layer (SSL)

If you’re going to have users registering on your website, and especially if there will be any kind of transaction, you need to encrypt that connection. Using SSL certificates creates a secure handshake between your website and clients’ devices, ensuring that no third party can covertly slip in between and monitor, hijack, or shut down any transactions taking place. GlobalSign is one good example of a widely available SSL certificate that pairs well with almost every website.

6. Grow as a Responsible, Respected Member of the World Wide Web

So you have a functioning, secure website protected from security threats, and you are engaged in commerce for your business. Now the main duty is to grow and reach more people! Reach out through SNS, set up your site so it can be indexed by search engines, and take advantage of SEO opportunities. The Internet is your oyster. But never lose track of your security needs, and focus on maintaining a reputation characterized by responsibility for cyber security matters.

Once you’ve finished these steps, your website is ready to make its mark on the Internet!

