
The Limitations of Website Security Plugins

If you’re a website owner, you’re probably using a myriad of plugins, either to add functionality to your site or simply to enhance its appearance. You might even be using a security plugin. However, though affordable and convenient, website security plugins can cause complications and may not protect your site as well as you expect them to.

As the most popular CMS, WordPress has a plugin repository filled with hundreds of security plugins. Many users assume that simply installing one will keep their site from being hacked. We don’t intend to discourage the use of security plugins, but users should be aware of their downsides. The following are issues you may come across:

1. Login inaccessibility

For any CMS, the admin login page is the most heavily targeted page on the site, since a successful guess hands an attacker full control. That is why a plugin that limits the number of login attempts is useful to many site owners. However, the same plugin can lock admins out of their own site, and as a webmaster or admin, few things are worse than being unable to reach your own dashboard.

Such plugins help against brute-force attacks, and sometimes against denial-of-service (DoS) traffic aimed at the login page, but they have drawbacks. If you forget your password and try it several times, or if several people log in at once from the same office address, the plugin may treat you as the attacker and lock you out. Before enabling one, check how it keys its counters (by IP, by username, or both), how long a lockout lasts, and whether you have a way back in (a trusted IP, an unlock link, or direct database access).
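The lockout behaviour described above is easy to get wrong. The following Go program is an added example, not code from the original post or from any WordPress plugin, showing one way to throttle failed logins without the two classic self-inflicted lockouts: it keys the counter on the (client IP, username) pair rather than on the username alone, so an attacker spraying the admin account from many addresses cannot lock the real admin out, and it lets the operator name trusted addresses that are never locked. The threshold, window, lockout length and the IP addresses are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Throttling policy. These values are assumptions for the example, not a
// particular plugin's defaults.
const (
	maxFailures = 5                // failures allowed inside the window before a lockout
	window      = 15 * time.Minute // sliding window over which failures are counted
	lockout     = 20 * time.Minute // how long a locked key stays locked
)

// Limiter counts failed logins per (client IP, username) pair. Keying on the
// pair means an attacker spraying one account from many addresses cannot lock
// the real admin out, and one colleague fumbling a password behind a shared
// office NAT does not lock out everyone else on that address.
type Limiter struct {
	failures map[string][]time.Time // timestamps of recent failures per key
	lockedAt map[string]time.Time   // when each locked key was locked
	trusted  map[string]bool        // operator-configured IPs that are never locked (assumed)
}

func NewLimiter(trustedIPs ...string) *Limiter {
	l := &Limiter{
		failures: map[string][]time.Time{},
		lockedAt: map[string]time.Time{},
		trusted:  map[string]bool{},
	}
	for _, ip := range trustedIPs {
		l.trusted[ip] = true
	}
	return l
}

func key(ip, user string) string { return ip + "|" + user }

// Allowed reports whether a login attempt from ip for user may be processed at
// time now. Expired lockouts are cleared here, so a locked-out admin gets back
// in without anyone editing the database.
func (l *Limiter) Allowed(ip, user string, now time.Time) bool {
	if l.trusted[ip] {
		return true
	}
	k := key(ip, user)
	if since, locked := l.lockedAt[k]; locked {
		if now.Sub(since) < lockout {
			return false
		}
		delete(l.lockedAt, k)
		delete(l.failures, k)
	}
	return true
}

// RecordFailure notes one failed attempt and returns true if the key has just
// become locked. Failures older than the window are discarded first.
func (l *Limiter) RecordFailure(ip, user string, now time.Time) bool {
	if l.trusted[ip] {
		return false
	}
	k := key(ip, user)
	recent := l.failures[k][:0]
	for _, t := range l.failures[k] {
		if now.Sub(t) < window {
			recent = append(recent, t)
		}
	}
	recent = append(recent, now)
	l.failures[k] = recent
	if len(recent) >= maxFailures {
		l.lockedAt[k] = now
		return true
	}
	return false
}

// RecordSuccess clears the counter after a good login.
func (l *Limiter) RecordSuccess(ip, user string) {
	delete(l.failures, key(ip, user))
}

func main() {
	l := NewLimiter("192.0.2.10") // assumed office address the admin usually logs in from
	now := time.Now()
	attacker, admin := "203.0.113.9", "admin"
	for i := 1; i <= maxFailures; i++ {
		if l.RecordFailure(attacker, admin, now) {
			fmt.Printf("%s locked out for %q after %d failures\n", attacker, admin, i)
		}
	}
	fmt.Println("admin from 198.51.100.7 still allowed:", l.Allowed("198.51.100.7", admin, now))
	fmt.Println("attacker allowed once the lockout expires:", l.Allowed(attacker, admin, now.Add(lockout)))
}
```

Call `Allowed` before checking the password and `RecordFailure`/`RecordSuccess` after; a plugin that keys only on the username, or that never expires a lockout, is the one that locks its own admin out.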

2. Customer support issues

For most CMS platforms, there is rarely a dedicated technical support team handling plugin issues in real time. Support usually takes the form of community threads and forums; WordPress, for example, has a support forum for each plugin. Because every site runs a different combination of theme and plugins, each situation is unique, which makes it hard to get a clear-cut answer and slows your ability to respond to a hacking incident. Often, by the time you get an answer, it’s already too late.

Another downside is the lack of a channel for reporting a security issue in the plugin itself. Security today is commonly offered as a service, paid or free, and a service typically comes with technical or customer support that guides users along the way, unlike most plugins.

3. The “untrustworthiness” factor of security plugins

While many plugins are available, not all come from a trusted source. These days it’s easy for anyone to develop a plugin and publish it for download.

As a website owner, it is up to you to evaluate a plugin and decide whether it’s reliable. A plugin that hasn’t been updated in months or years may break on your current CMS version or carry unpatched vulnerabilities of its own. Just because a plugin was highly rated in the past doesn’t mean it’s a good fit for your site today. Check the last-updated date, whether it’s tested with your CMS version, and whether the author responds to bug and security reports.

4. Inability to handle zero-day vulnerabilities or modified attacks

Security is never perfect, but relying solely on security plugins leaves you exposed to attacks a plugin can’t stop. There is no straightforward way to address a zero-day, for example, because the attacker is exploiting the vulnerability before the vendor has a fix, or even knows about it.

This means that even if your security plugin updates automatically, you won’t be entirely protected. Even a highly rated Web Application Firewall (WAF) plugin can’t cover the full range of attacks, and a signature written for one payload is often bypassed by a slightly modified one. In addition, false positives, legitimate traffic mistakenly flagged as malicious, may cost you real visitors among other things.

The fact that a security plugin is free appeals to many, but free can do more harm than good when you care about securing your website. Plugins are fine for a casual blogger, but if you have a large audience or run an ecommerce site, a plugin alone may not be adequate. Luckily there are other ways to secure your site that offer stronger protection at little or no cost. We are not suggesting a passive approach to security; we are encouraging the adoption of additional layers. For more on what you can do to actively protect your website, check out this blog post on a guide to the three layers of website protection.


The Flaws with Detect and Respond


There has been a lot of discussion around Detect and Respond, but a number of misconceptions and misunderstandings remain about this security approach. Many companies hold that perfect security isn’t achievable, and some have given up on blocking attacks through preventive measures, so they flock to Detect and Respond instead. But Detect and Respond has its own pitfalls, which we cover in this post.

What classifies as Detect and Respond?

In cyber security, Detect and Respond refers to the ability to discover security incidents in a timely manner (“detect”) and to plan and carry out the appropriate actions against them (“respond”).

The “detect” side therefore covers approaches and technologies that support continuous security monitoring, and the “respond” side covers response planning and mitigation. It is wrong to assume that Detect and Respond capabilities alone can make up for a weak implementation of preventive measures (vulnerability management, intrusion prevention systems, a WAF). That is a particularly dangerous mindset.

Detect and Respond Pitfalls

The major flaw with Detect and Respond is that once an attack is in full effect, for example a malware infection that has taken over a system, it becomes hard to tell its immediate impact, which makes detection and response harder still. Consider the following analogy: Detect and Respond is like monitoring your brick-and-mortar shop through security cameras, but with nobody watching the feed around the clock and no alarm installed to notify you.

To find out whether you’ve been robbed, you have to check the footage yourself hours later or the next morning. And if a burglar did get in and steal something, responding is harder because A) the burglar is probably unidentifiable, having worn a mask, which makes it hard for the police to track them down, and B) the chance of recovering the stolen items is close to zero.

Preventive methods

One thing’s for sure: no company would adopt the strategy above if Detect and Respond were explained through that analogy. This is not to say that Detect and Respond should not play an important role in your security strategy. But once a company comes under attack, Detect and Respond capabilities alone do not suffice, and the company will likely suffer monetary losses too. Relying solely on preventive measures does not work either; that only gives a false sense of security.

Take data breaches as an example. The cause is often reported as “weak or stolen passwords”, but those are two different problems. Preventive measures address weak passwords by rejecting defaults (e.g. password, admin) and enforcing a password policy when the password is set; Detect and Respond addresses stolen passwords by monitoring the accounts for logins that don’t fit the owner’s pattern and acting on them. The best security strategy for any business therefore includes both Detect and Respond and preventive measures.
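The weak-versus-stolen password split above is concrete enough to code. The Go program below is an added example, not code from the original post or from any Cloudbric product: the first half is the preventive control (a password policy that rejects defaults, short passwords and passwords containing the username), the second half is the detective control (a login-log monitor that flags a successful login from an address the account has never used, escalating when it follows a burst of failures from that same address, which is the shape of a guessed or stuffed credential). The denylist, the minimum length, the ten-minute window, the account names and the IP addresses are all constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// ---- Prevention: refuse weak passwords at the point they are set ----

// defaultPasswords is a tiny constructed denylist. A real deployment checks
// against the full set of vendor defaults plus a breached-password list.
var defaultPasswords = map[string]bool{
	"password": true, "admin": true, "123456": true, "changeme": true, "welcome": true,
}

const minLength = 12 // assumed policy

// PasswordAcceptable returns false and a reason when pw violates the policy.
func PasswordAcceptable(username, pw string) (bool, string) {
	lower := strings.ToLower(pw)
	switch {
	case len(pw) < minLength:
		return false, fmt.Sprintf("shorter than %d characters", minLength)
	case defaultPasswords[lower]:
		return false, "is a default or commonly used password"
	case username != "" && strings.Contains(lower, strings.ToLower(username)):
		return false, "contains the username"
	}
	return true, ""
}

// ---- Detection: notice a stolen password being used ----

// LoginEvent is one record from the application's authentication log.
type LoginEvent struct {
	At      time.Time
	User    string
	IP      string
	Success bool
}

const failWindow = 10 * time.Minute // assumed: failures older than this are ignored

// Detector remembers, per account, the addresses it has been confirmed from,
// and recent failures per (account, address) pair.
type Detector struct {
	knownIPs map[string]map[string]bool
	failures map[string][]time.Time
}

func NewDetector() *Detector {
	return &Detector{knownIPs: map[string]map[string]bool{}, failures: map[string][]time.Time{}}
}

// MarkTrusted is the "respond" half: once the owner confirms a new address, it
// stops generating alerts.
func (d *Detector) MarkTrusted(user, ip string) {
	if d.knownIPs[user] == nil {
		d.knownIPs[user] = map[string]bool{}
	}
	d.knownIPs[user][ip] = true
}

// Observe consumes one event and returns an alert, or "" when nothing looks
// wrong. A success from an address the account has never used is flagged; when
// it follows a burst of failures from that same address it is escalated.
func (d *Detector) Observe(e LoginEvent) string {
	k := e.User + "|" + e.IP
	if !e.Success {
		d.failures[k] = append(d.failures[k], e.At)
		return ""
	}
	recent := 0
	for _, t := range d.failures[k] {
		if e.At.Sub(t) < failWindow {
			recent++
		}
	}
	delete(d.failures, k)
	known := d.knownIPs[e.User]
	switch {
	case known[e.IP]:
		return ""
	case len(known) == 0:
		d.MarkTrusted(e.User, e.IP) // first login on a fresh account sets the baseline
		return ""
	case recent >= 3:
		return fmt.Sprintf("HIGH: %s logged in from new address %s after %d failed attempts; treat the password as stolen, force a reset and kill the session", e.User, e.IP, recent)
	default:
		return fmt.Sprintf("INFO: %s logged in from new address %s; confirm with the account owner", e.User, e.IP)
	}
}

func main() {
	for _, pw := range []string{"password", "Bob-has-a-long-password", "correct horse battery"} {
		ok, why := PasswordAcceptable("bob", pw)
		fmt.Printf("set password %q for bob: accepted=%v %s\n", pw, ok, why)
	}
	// Constructed log for one account: normal use, then a credential-guessing burst.
	base := time.Date(2015, 11, 2, 9, 0, 0, 0, time.UTC)
	events := []LoginEvent{
		{At: base, User: "alice", IP: "198.51.100.7", Success: true},
		{At: base.Add(time.Hour), User: "alice", IP: "198.51.100.7", Success: true},
		{At: base.Add(2 * time.Hour), User: "alice", IP: "203.0.113.5", Success: false},
		{At: base.Add(2*time.Hour + time.Second), User: "alice", IP: "203.0.113.5", Success: false},
		{At: base.Add(2*time.Hour + 2*time.Second), User: "alice", IP: "203.0.113.5", Success: false},
		{At: base.Add(2*time.Hour + 5*time.Second), User: "alice", IP: "203.0.113.5", Success: true},
	}
	d := NewDetector()
	for _, e := range events {
		if alert := d.Observe(e); alert != "" {
			fmt.Println(alert)
		}
	}
}
```

Neither half is sufficient alone: the policy cannot stop a strong password that was phished, and the monitor only fires after the attacker is already in, which is exactly why the post argues for both.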


3 Web Security Services for Startup CEOs


Startup CEOs should secure their business

In 2013, Target, a major US retailer, suffered a breach in which attackers stole payment card data for tens of millions of customers. Target was hurt as the news spread, and its share price dropped by 1.5% the following year. Attacks like this prove that nobody is completely safe.

Web security is not a hot topic that drives conversation every day. However, as a startup CEO, it is imperative to have a basic knowledge of what web security options are available, so that you can do your best to protect your clients’ private information. Here are 3 options to help you better protect your company’s sensitive data.

Web Application Firewall (WAF)

A Web Application Firewall inspects the HTTP and HTTPS traffic going to and from your website. Think of it as the security screening at an airport: visitors with legitimate requests pass through, while requests that look malicious are stopped at the gate. WAFs use rules or patterns (signatures) to decide whether a request is dangerous, and they are an essential first line of defense at the network perimeter for any website owner.
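To make the rules-and-patterns description concrete, here is a miniature signature-based request filter in Go. It is an added example written for this page, not code from any WAF vendor, and its four rules are illustrative; a real rule set is far larger. It shows two things a practitioner cares about: the request must be percent-decoded before matching, otherwise `%27%20OR%20...` slips past, and a signature rule can block legitimate traffic (the UNION SELECT forum question at the end is the false positive that the security plugins post warns about), which is why rule sets need a per-endpoint tuning knob. The request samples are constructed, not captured traffic.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Request is the subset of an HTTP request the filter looks at.
type Request struct {
	Method, Path, RawQuery, Body string
}

// Rule is one signature. Names and patterns are illustrative assumptions.
type Rule struct {
	Name string
	Re   *regexp.Regexp
}

var rules = []Rule{
	{"sqli-tautology", regexp.MustCompile(`(?i)'\s*or\s+[^=]*=`)},
	{"sqli-union", regexp.MustCompile(`(?i)\bunion\s+(all\s+)?select\b`)},
	{"xss-script-tag", regexp.MustCompile(`(?i)<\s*script\b`)},
	{"path-traversal", regexp.MustCompile(`\.\./`)},
}

// exclusions are operator-tuned "path|rule" pairs the filter skips. This is the
// knob for handling a false positive on one endpoint without disabling the
// rule for the whole site. Empty by default.
var exclusions = map[string]bool{}

// decode normalises input before matching. Matching the raw, still
// percent-encoded bytes would miss an encoded payload entirely.
func decode(s string) string {
	d, err := url.QueryUnescape(s)
	if err != nil {
		return s // keep the raw form; a malformed escape is itself worth logging
	}
	return d
}

// Inspect returns the name of the first rule the request triggers, or "" if
// the request should be passed on to the application.
func Inspect(r Request) string {
	fields := []string{decode(r.Path), decode(r.RawQuery), decode(r.Body)}
	for _, rule := range rules {
		if exclusions[r.Path+"|"+rule.Name] {
			continue
		}
		for _, f := range fields {
			if rule.Re.MatchString(f) {
				return rule.Name
			}
		}
	}
	return ""
}

func main() {
	// Constructed sample traffic, not captured from any real site.
	samples := []Request{
		{"GET", "/product", "id=42", ""},
		{"GET", "/product", "id=1%27%20OR%20%271%27%3D%271", ""},
		{"POST", "/comment", "", "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"},
		{"GET", "/download", "file=..%2F..%2Fwp-config.php", ""},
		// A legitimate forum question that trips the UNION rule: a false positive.
		{"POST", "/comment", "", "text=How+do+I+write+a+UNION+SELECT+in+MySQL%3F"},
	}
	for _, s := range samples {
		if rule := Inspect(s); rule != "" {
			fmt.Printf("BLOCK %s %s (%s)\n", s.Method, s.Path, rule)
		} else {
			fmt.Printf("PASS  %s %s\n", s.Method, s.Path)
		}
	}
}
```

The right response to the false positive is not to delete the rule but to exclude it for the one field that legitimately carries SQL text, and only once the application behind that field is known to use parameterised queries; the exclusion map is where that decision lives.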

Malware Scanners

Having a WAF is a great step for your web security. However, it won’t help much if you are already infected. You also need a way to find malicious programs already residing on your servers.

An infected site is a major turn-off for customers, especially if it can infect their computers. It cuts both ways: not only can you harm your customers, but once Google notices, Safe Browsing flags your site and warns visitors away, and your search ranking suffers. A clean, protected website is good for the customer and good for business. Run a malware scanner over your web root and servers on a routine schedule, and keep known-good file hashes or backups to compare against. Better safe than sorry.

Database Encryption

Encryption transforms the data in a database into a form that cannot be read without the key; the encryption software holds the key and uses it to turn the data back into its original form. Your database is where the core data of your business, such as customer payment details, is stored. It is one of the core elements of any online business, so attackers are always looking for a way to get their hands on it.

MySQL, one of the world’s most popular database systems, is the default backend for CMSs like Drupal, Joomla, and WordPress, so a compromised CMS or plugin usually puts the attacker one step from the database. Take every precaution to protect it. One way is to encrypt sensitive columns at the application layer with keys kept outside the database, so that a dump of the tables alone yields nothing readable. This adds a third layer of protection should a skilled attacker get into your internal systems.
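The following Go program is an added example, not code from the original post or from any database vendor, of application-layer column encryption done the way a practitioner would want it: AES-GCM (authenticated, so tampering is detected), a fresh nonce per value, the key ID stored alongside the ciphertext so keys can be rotated, and the table, column and row ID bound in as additional authenticated data so a ciphertext copied into another customer’s row refuses to decrypt. The keyring, key IDs, table and column names, row ID and the account number are constructed assumptions; in production the keys come from a secrets manager on the application host, never from the database they protect.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Keyring maps a key ID to a 32-byte AES key. It is loaded on the application
// host from a secrets store or environment, never from the database.
type Keyring map[string][]byte

func aad(table, column, rowID string) []byte {
	return []byte(table + "." + column + "#" + rowID)
}

func newGCM(keys Keyring, keyID string) (cipher.AEAD, error) {
	k, ok := keys[keyID]
	if !ok {
		return nil, fmt.Errorf("unknown key id %q", keyID)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals plaintext with the key named keyID and binds the result
// to its row and column through GCM's additional authenticated data. The
// stored form is "v1:<keyID>:<base64(nonce||ciphertext||tag)>".
func EncryptField(keys Keyring, keyID, table, column, rowID string, plaintext []byte) (string, error) {
	gcm, err := newGCM(keys, keyID)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, aad(table, column, rowID)) // nonce prefix, then ciphertext+tag
	return "v1:" + keyID + ":" + base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. The key is chosen by the ID embedded in
// the stored value, which is what makes rotation possible: new rows use the
// new key while old rows stay readable until they are re-encrypted.
func DecryptField(keys Keyring, stored, table, column, rowID string) ([]byte, error) {
	parts := strings.SplitN(stored, ":", 3)
	if len(parts) != 3 || parts[0] != "v1" {
		return nil, errors.New("unrecognised ciphertext format")
	}
	gcm, err := newGCM(keys, parts[1])
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(raw) < ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, raw[:ns], raw[ns:], aad(table, column, rowID)) // errors on any tampering
}

// demoKeys builds a constructed keyring for the example.
func demoKeys() Keyring {
	kr := Keyring{}
	for _, id := range []string{"k2023", "k2024"} {
		k := make([]byte, 32)
		if _, err := rand.Read(k); err != nil {
			panic(err)
		}
		kr[id] = k
	}
	return kr
}

func main() {
	keys := demoKeys()
	stored, err := EncryptField(keys, "k2024", "customers", "bank_account", "row-17", []byte("DE00 0000 0000 0000 0000 00"))
	if err != nil {
		panic(err)
	}
	fmt.Println("value stored in the bank_account column:", stored)
	pt, err := DecryptField(keys, stored, "customers", "bank_account", "row-17")
	fmt.Printf("decrypted for row-17: %s (err=%v)\n", pt, err)
	_, err = DecryptField(keys, stored, "customers", "bank_account", "row-99")
	fmt.Println("same ciphertext pasted into row-99:", err)
}
```

Two caveats belong with this: encrypting a column does not protect against an attacker who has compromised the application itself, since the application holds the keys, and for payment card numbers specifically the better answer is usually not to store them at all but to tokenise them with your payment processor.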

The recent surge in startups has made them attractive targets for attackers. Customers entrust their information to businesses, and businesses should feel obligated to keep that information safe from attackers with malicious intent. One can’t be too careful when it comes to security. Get more in tune with your website and its security by putting these 3 security solutions in place.


Using a Cloud-Based WAF as a Service for Better Web Security

Before the cloud-based WAF, Web Application Firewalls (WAFs) usually came as hardware appliances. These were great for big businesses and enterprises: they offered flexibility, direct access to the device, and no dependence on external connections. However, they also had a few disadvantages.

Hardware WAFs required rack space, installation, and ongoing maintenance, and they were costly. Only large enterprises could actually afford them, while small and medium companies were left to fend for themselves.

The Birth of the Cloud-Based WAF

Thankfully, this has changed rapidly. Since the birth of the cloud, many innovative WAF vendors have turned these same enterprise-level security features into a cloud-based WAF as a service aimed specifically at SMBs. The shift from hardware to WAF as a service has proven beneficial for three reasons.

1. Fully Managed Security

A WAF as a service doesn’t require any hardware. You point your site’s DNS at the service and it starts filtering traffic before it reaches your server. One caveat: once traffic is routed through the WAF, configure your origin server (or its hosting firewall) to accept connections only from the WAF provider’s address ranges; otherwise an attacker who learns your origin IP can simply bypass the WAF. This provides great accessibility for small and medium-sized businesses and reduces the resources needed to set up and customize a traditional enterprise solution.

2. No Technical Knowledge Needed

A cloud-based WAF as a service handles all of your HTTP and HTTPS traffic, and vendors have detection technology in place that automatically detects and filters attacks. (Since the service terminates TLS in order to inspect HTTPS, the provider sees your decrypted traffic; choose a vendor you are willing to trust with it.) This lets you focus on what matters most for your business: gaining customers. With a WAF as a service you don’t need specialized security staff or technical experts to operate it.

3. Easy to Understand Analytics

We make web security for SMBs our top priority, and many WAF as a service vendors cater to the SMB market with easy-to-understand web traffic analytics. There is no need for a specialist to comb through your traffic data to find anomalies or count how many attacks were actually blocked; almost all security vendors now provide metrics and dashboards that let any business owner see the impact of their WAF.


A cloud-based WAF as a service has made it possible for more people to secure their websites with minimal hassle and at much lower cost. Implement a WAF today so you can focus on growing your business while we take care of the rest.


7 Ways to Expose Your Website to Hackers

So you want to serve up your website for any hacker to break into. Sure, weirdo…who am I to judge?

Here are 7 things you should not do unless you want your website hacked:

Once again, if you’re a sensible human being you really should never find yourself doing any of these things.

1. Ignore Security Updates

They may be a nuisance, but updates patch newly discovered bugs in software. Skipping updates and patches makes it a lot easier for attackers to compromise your device or web app. If you want your website hacked, ignore all security patches, plugin updates, and core updates for your CMS, such as WordPress or Drupal.

2. Use as Many Different Features and Plugins On Your Site As Possible

Plugins introduce new potential vulnerabilities to your website, much as adding windows makes a submarine less seaworthy. Be sure to load up on file uploaders, video players, ad managers, analytics, and whatever else you can cram in, even if you don’t need any of it.

3. Set a Really Dumb Password

Setting your password to something easy like “123456,” the always-clever “password,” or your own username saves attackers a lot of time. You can help further by using the same password for your computer, e-mail, FTP access, and Ashley Madison account, so that once one is compromised, all of them are exposed.


4. Mismanage Your Website and Its Contributors

Just let security be someone else’s job and pay no attention. Be sure to give your employees or contributors full admin access to your website, and don’t rotate passwords or revoke accounts after they leave. Sooner or later, something bad will happen.

5. Don’t Put Together a Security Incident Response Plan

No need to prepare for the worst when you’re counting on it. What if your site is disabled or deleted, or data is leaked? How do you detect it, how do you respond, and how do you disclose it? Those are questions anyone who doesn’t want to get hacked should answer in advance.

6. Don’t Bother Securing Your Domain With SSL

SSL (today, its successor TLS) encrypts communication between a website’s server and a user’s browser, which is especially important for protecting online transactions and payments. It also thwarts man-in-the-middle attacks, in which an attacker gets between server and browser and can monitor or alter the traffic. So if you want to endanger your customers’ privacy, forget about HTTPS; plain HTTP is the way to go!

7. Don’t Use a Web Application Firewall

A web application firewall can protect your site against the worst online threats, including DDoS attacks, SQL injection, and cross-site scripting (XSS), so if you want to make it easier for hackers to overrun your website, the last thing you should do is put it behind a WAF like Cloudbric, Imperva, or Cloudflare.


 

This blog post was originally featured on cloudbric.com. Visit their blog for more insight, news, and accessible information on web threats and trends. If you would like to learn more about Cloudbric’s logic-based WAF service, please contact info@cloudbric.com.


“Website” Meaning for Startup CEOs?

You might hear a lot of CEOs saying, “My website is powered by WordPress”, “My website is everything”, or “My website is my entire business!” These are the most common answers from CEOs. Almost all startups operate their own websites, and many startup CEOs build them with CMS tools such as WordPress, Joomla, or Drupal. Those who depend on these tools need to understand what they are if they hope to do business online.

The textbook definition of a website is a connected group of pages on the Internet reached through unique addresses and network routes based on Internet protocols. But who actually thinks in those terms? In practice a website is web data: pages and content. A good way to understand what a website really is starts with the CMS. A web content management system is the tool that turns raw content into useful pages, and it is the leading way to build a website without difficulty. How a startup CEO protects a website depends entirely on what the CEO believes a website is: one CEO will protect a site one way, another will think differently and protect it another way. Here is a closer look at common assumptions CEOs make about websites.

1. ‘My website is powered by CMS’

A CMS and its plugin modules are tools for building and operating a website. Security at the application level comes from secure coding, but secure coding is never perfect, which is why CMS projects release security patches and updates that users must apply promptly. Even so, a site can be hit by a “zero-day” attack: an exploit for a vulnerability the CMS vendor has not yet patched, or does not yet know about.

The point is that, beyond the CMS core itself, users also need to check every module to see whether it is really safe. Download modules only from reliable, trustworthy sources. It can be bothersome to keep updating and still be vulnerable, but it is the baseline.


2. ‘My website is all the data stored in the data center’

Technically, this is a pretty close answer. A website is data, and that data is stored in an Internet data center (IDC). To keep it safe, the data center operator runs firewalls and network security tools such as IDS/IPS to keep attackers, viruses, and malicious code out of the data center.

Enterprises can usually afford to manage their own web servers in a data center. Most startups can’t, so they rely on a hosting service and lease part of a server. Cloud hosting is popular with small and medium businesses and with larger enterprises alike. But with a cloud provider such as AWS, the customer has no control over the data center’s security; that is the provider’s responsibility. The data center will probably be safe, but that security is built around the infrastructure, not around the individual websites running on it, which remain the customer’s responsibility.

3. ‘My website is my own private data with web pages’

This is how startup CEOs should perceive their website. Understanding this matters because, among attacks on information, 90% are aimed at content, through content. Compared with the vulnerability of the CMS or of physical storage, content vulnerability is the more serious matter. Website attacks are directed at the contents of a website, and “contents” here means not just images or files but account information and administrative authority.

So, how can startup CEOs with CMS protect their websites?

To a business, a website means something quite different than to the average user. Startup CEOs see the website as their gateway to the outside world, the vehicle for communicating their business and selling products; in essence, the website is the business. Most websites run on a CMS, and since you can’t audit every line of CMS and plugin code yourself, you must at least apply the security patches the CMS provides to avoid attacks like SQL injection. Since that still isn’t complete protection, CEOs need a web application firewall to cover the gaps in the CMS’s own security measures.

Even if a cloud hosting service protects the web server and its data center, it does not protect the contents of individual websites. The data center handles the antivirus and network security roles, but not the web content security role; technical and privacy constraints keep it from inspecting your web content.

A web application firewall (WAF), on the other hand, protects the content layer that the others leave uncovered. The cloud-based WAF Cloudbric can protect your website. Even if your data is stored safely in an IDC and you apply CMS security patches promptly, you still need a WAF to cover the application layer.




6 Steps to Create a Secure Website

There are roughly one billion active websites online, about one for every seven people alive. How about yours? Is it secure?

Every second, a couple of new websites are born. That’s a lot of websites, so how are they created, how do you make one, and how do you keep yours safe from all the cyber threats out there?

A Secure Website in 6 Steps?

The steps needed for making a website, from registration to design, coding, operation and growth, can be a very long and complex process. Each step has a lot more nuance to it than fits here, but this guide should point you down the right path to setting up a secure website.

1. Choose Your CMS

How are you going to build your site? These days you don’t need to be a programmer to put together a fully functioning website, thanks to Content Management Systems (CMS). With CMS solutions like WordPress, Joomla, and Drupal, putting together a website is about as easy as building a house out of Lego. Whatever CMS you choose, new exploits for it and its plugins surface almost weekly, so you need to stay on top of software updates and patches to keep your site secure.


2. Sign Up for a Web Host

Your domain name is like the street address and the CMS is the material you build with, but the web host is the actual plot of land where your website lives. Some hosts are free and come with bandwidth limits or embedded ads; commercial options run much better. Many hosts also provide server security features that better protect your uploaded data. Check that the host offers SFTP (or FTP over TLS), so that your files and credentials aren’t sent in the clear as they are with plain FTP. A good host should also offer backups and publish a security policy showing how it keeps up with security updates.

3. Design Your Website With Security in Mind

What’s your website going to look like? Hiring a designer is usually worth the money, but if your site is straightforward enough you don’t need anything fancy. These days simplicity is the golden rule, and minimizing add-ons and plugins is recommended for aesthetic, operational, and security reasons: every plugin is code you didn’t write running with your site’s privileges. The main thrust of your site should be text that presents your product clearly, with images and design flourishes playing in the backup band. Focus more on avoiding bad design than on chasing great design.

4. Apply a Web Application Firewall (WAF) to Protect Your Site

As soon as your website is online, it is exposed to a rogues’ gallery of cyber threats. Automated bots scan constantly for vulnerable websites, and newly created sites are an especially tempting target. Adding a web application firewall (WAF) such as Cloudbric, Incapsula, or Cloudflare helps make sure your site is protected before the attacks start.

5. Do Business Online Secured by Secure Sockets Layer (SSL)

If users will be registering on your website, and especially if there will be any kind of transaction, you need to encrypt that connection. An SSL/TLS certificate lets your server and your visitors’ browsers set up an encrypted session, so no third party can covertly slip in between to monitor, hijack, or disrupt the transactions taking place. GlobalSign is one example of a widely used certificate authority whose certificates work with almost every website.

6. Grow as a Responsible, Respected Member of the World Wide Web

So you have a functioning, secure website protected from security threats, and you’re doing business. Now the main duty is to grow and reach more people! Reach out through social networks (SNS), make sure your site can be indexed by search engines, and take advantage of SEO opportunities. The Internet is your oyster. But never lose track of your security needs, and build a reputation for taking cyber security seriously.

Once you’ve finished these steps, your website is ready to make its mark on the Internet!




DDoS Attacks: Top 5 Industry Targets

If you look at any online hacking forum, you’ll find the buzz term “DDoS attack.” Since 2014 alone, the occurrence of DDoS attacks has increased by 132.4%. To most people, DDoS attacks seem to work like magic: a flood of traffic from zombie bots overwhelms a web app and shuts it down.

With that much power and chaos, a website caught off guard without proper defenses is shut down in seconds. In fact, DDoS attacks are so popular in the cracking community (the term for hackers who use their skills to wreak havoc) that in 2013 the group Anonymous petitioned the U.S. government to recognize DDoS attacks as a legal form of protest.

So, who are some of DDoS attackers’ favorite targets?  Check out our list of their Top 5 Favorites below.

1. News Sites and Media Publications

This was the largest DDoS attack seen at the time of writing. Attackers targeting Hong Kong’s pro-democracy movement took down multiple independent Hong Kong news sites that supported universal suffrage. Every time these sites tried to organize mock executive elections, they were hit with bigger and bigger DDoS attacks.

2. Universities


You may have heard about the controversy at Rutgers University, where thousands of students lost internet access due to repeated DDoS attacks. The attacker who rendered the Rutgers network useless was apparently hired by someone with a vendetta against the school; some attribute the attacks to the university’s tuition increase for the 2015-2016 school year.

3. Online Services

This is the attack many news outlets called “the attack that almost broke the internet.” It targeted Spamhaus, a service that tracks the Internet’s spam operations and sources and maintains real-time blocklists that help networks weed out bogus email. A company with a noble goal; however, once it blacklisted a hosting provider called CyberBunker, it became the target. Journalists declared the DDoS so large that its effects could be felt beyond the attacked service. Whether that was really true is still up for debate.

4. Online Gambling Industry

Compared to 2014, DDoS attacks on the online gambling industry alone are up 350%. For attackers who want quick money, online gambling looks like an easy target. Because the industry is highly competitive, attackers are often hired by a competitor: they attack a site and cause latency, pushing users toward the competitor’s service instead.

5. Politics

Like the group Anonymous, attackers often hit web apps over political views. In early October, attackers took down Thai government websites to protest the government’s plan to limit access to sites it deemed inappropriate. The attack was part of a wider petition against the plan, which tens of thousands of people dubbed the “Great Firewall of Thailand.”

Preventing DDoS attacks?

So how do you protect yourself against a DDoS attack? Dave Larson, CTO and VP of product at Corero, says that to prevent DDoS attacks, companies need to be able to inspect all of the traffic targeting their networks and mitigate the malicious part of it.

But you don’t need to be a company to be hit by a DDoS attack. DDoS attacks can hit anyone, so it’s best to take measures to protect your website. A web application firewall such as Cloudbric blocks botnet traffic, filtering it at the WAF’s edge so that it never reaches your server. If your website isn’t already secured against DDoS, start now, because the threat only grows with time.




Protect Sensitive Data within the Cloud

It’s pretty clear by now that the next frontier for online businesses is the move to the cloud. The ‘cloud’ is still a relatively new idea, but one that can help businesses greatly improve their productivity and efficiency and save on resource costs. However, this eagerly anticipated rush to the cloud isn’t without its limitations. One such drawback is the possibility of increased web attacks and infrastructure vulnerabilities. Today, we will explore the various ways to safeguard confidential information or sensitive data that is stored in the cloud.

Current Cyber Security Landscape

In today’s computing environment, there is an abundance of network and cloud infrastructure providers. But the question we need to ask ourselves is, “who is managing and tracking all of the inbound/outbound traffic?” Organizations are eager to provide incredibly cost-effective and efficient cloud infrastructure, but there hasn’t been much thought or planning around protecting that infrastructure.

The market is slowly starting to see the effects of improper web protection, however. According to Gartner, by 2020 more than 60% of web applications will be protected by cloud-service Web Application Firewalls. Just as fast as people are looking to move to the cloud, interest is growing in how to protect these next-generation infrastructure solutions. In essence, companies and website owners are starting to become more proactive, but the job doesn’t end there.

How Do We Protect Ourselves?

The very nature of the internet is to be open, but that openness can leave you vulnerable to web attacks if you are not careful. This is the ultimate cloud fallacy. As much as we want to move towards sharing resources and infrastructure or testing innovative new solutions, this can only be done to a certain degree. Until recently, most companies have been looking to fortify their internal networks and systems to prevent attacks. The issue is that the internet was designed to freely share and communicate information with the open world. The best way around this predicament is not to wall ourselves in by building higher walls, but to build smarter gateways. Two ways to achieve this are a perimeter-based Web Application Firewall and database encryption technology.

[Diagram: a WAF protecting a website and its sensitive data from hackers and bots]

Web Application Firewalls (WAF)

WAFs help protect all inbound and outbound traffic that flows through the web/application layer (OSI Layer 7). As more and more websites rely on dynamic web applications to power their sites, the vulnerabilities of those applications persist. WAFs are perimeter-based web security solutions: they monitor all HTTP/HTTPS traffic and sift it for malicious or suspicious web behavior. Once such behavior is detected, a WAF can automatically block hacking attempts that target a web application with the aim of stealing sensitive data from the web server or backend database. A WAF can be your first line of defense, protecting your online business from web attacks when you least expect them.

There are various benefits to implementing a WAF solution into your cloud web security profile, such as:

  • Cleaner & safer network – mitigate major hacking incidents
  • Peace of mind – always active security that works on the perimeter
  • Performance – security that doesn’t affect performance or incur latency issues
  • Compliance – satisfy PCI-DSS requirement 6.6


Database Encryption to protect sensitive data

Database encryption software transforms data stored in a backend database into “cipher text”, which is incomprehensible until it is decrypted. In the event that a web hacker is able to bypass your first line of defense (in very rare instances, or through rogue insiders), high-performance database encryption software could be your savior. DB encryption software not only helps prevent sensitive data leakage; even if data is stolen, the encrypted data is useless because web hackers will be unable to decrypt it. As an added measure of security, database encryption products such as MyDiamo can store the database keys separately on third-party key management servers to eliminate any possibility of a data breach.

Here is a short list of the benefits of using a database encryption software:

  • Protect Data Completely – encrypted data remains protected, even if it is stolen
  • Guarantee Data Integrity – easily detect whether data was manipulated/tampered
  • Compliance – satisfy legal & internal/external audit guidelines (HIPAA, SOX, PCI-DSS, etc.)
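The pattern described above, as an added example in Go that is not Cloudbric’s or MyDiamo’s code: the data key comes from a stand-in for a separate key management server, each column value is stored only as AES-GCM ciphertext, and the authentication tag rejects a row that was modified after the fact. newDataKey, encryptField and decryptField are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newDataKey stands in for a separate key management server (hypothetical): the AES-256 key lives there, never beside the rows.
func newDataKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptField turns a column value into nonce || ciphertext || tag; only these bytes reach the database, so a stolen dump is unreadable without the key.
func encryptField(key, plaintext []byte) ([]byte, error) {
	gcm, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptField reverses encryptField; the GCM tag check makes it fail on any modification of the stored bytes (the tamper-detection property).
func decryptField(key, stored []byte) ([]byte, error) {
	gcm, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize() {
		return nil, errors.New("stored value too short")
	}
	return gcm.Open(nil, stored[:gcm.NonceSize()], stored[gcm.NonceSize():], nil)
}
```

A dump of the stored bytes without the key server’s key yields nothing readable, and a flipped byte anywhere in the row makes decryptField return an error instead of silently returning altered data.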

The key to protecting data stored in the cloud is to take a more proactive, perimeter-based approach. It’s best to secure your most sensitive data before cyber criminals ever reach your vulnerable web applications. This can be accomplished by using a Web Application Firewall and database encryption software as added security insurance. Get started on protecting your data in the cloud today!



Finalist for the SC Magazine Awards 2016 Europe

Shortlisted for the Best SME Security solution category

Penta Security Systems Inc., a global information security company headquartered in Seoul, has been named a finalist for the SC Awards 2016 Europe for outstanding industry leadership in information security. Cloudbric is one of five finalists being recognized in the Best SME Security Solution category. The category acknowledges superior services that help customers address the most pressing cyber-security threats. The winners will be announced at the SC Magazine Awards Europe ceremony, to be held in London on Tuesday 7th June at Old Billingsgate, a stunning new central London venue on the banks of the Thames.

SC Magazine Awards Europe

The SC Magazine Awards Europe is the information security industry’s most prominent recognition. Winners in the Threat Solution categories are decided by an expert panel of judges, hand-picked by SC Magazine UK’s editorial team for their breadth of knowledge and experience in the information security industry. The awards honor both the cyber-security professionals working in the trenches and the products and services that help protect today’s corporate world from a myriad of ever-changing threats.

“Penta Security’s website protection solution represents some of the most innovative and effective security technologies on the market today,” said Tony Morbin, Editor in Chief of SC Magazine UK. “As attackers develop and deploy new approaches to compromising sensitive information, companies are challenged to keep pace. Cloudbric was named an SC Award finalist for its efforts to raise the bar for the security industry.”


What is Cloudbric?

Cloudbric is an elite full-service website security solution designed specifically for small to mid-sized businesses. Penta Security Systems has found that most SMEs do not have the proper resources to counter malicious web attacks, most of which target sensitive customer data. Therefore, Penta Security launched Cloudbric in early 2015 to better serve the SMB market. Cloudbric offers a free enterprise-level security package regardless of business size. TJ Jung, VP of Product & Technology for Cloudbric, said:

“Unlike mainstream security vendors that prefer to charge website owners per premium security feature, Cloudbric provides a full suite of website security features, such as web application firewall, CDN, SSL, DDoS protection, as a set standard.”


About Penta Security Systems

Penta Security is a global information security firm headquartered in Seoul, South Korea. It specializes in web application security, database encryption, as well as access management. With over 19 years of IT security expertise, Penta Security blocks more than 108,000,000 web attacks per month. Recognized by Frost & Sullivan, Penta Security Systems is the number one Web Application Firewall vendor in the APAC Region based on market share. For more information about Penta Security and Cloudbric, please visit http://www.pentasecurity.com/en and http://www.cloudbric.com or contact Cloudbric at support@cloudbric.com.


About SC Magazine UK

SC Magazine UK provides IT security professionals with in-depth and unbiased information through timely news, comprehensive analysis, cutting-edge features, contributions from thought leaders and the best, most extensive collection of product reviews in the business. By offering a consolidated view of IT security through independent product tests and well-researched editorial content that provides the contextual backdrop for how these IT security tools will address larger demands put on businesses today, SC Magazine UK enables IT security pros to make the right security decisions for their companies. Besides the quarterly print magazine, special Spotlight editions and daily website, the brand’s portfolio includes the SC Congress and Expo series (London, Amsterdam, New York, Chicago, Toronto), SC Awards, Roundtables, Webinars and SC Magazine Newswire.