Debunking 5 DB Encryption Misconceptions

 

Businesses handle an enormous amount of data. All of this data is stored in hundreds or even thousands of databases, so it’s impractical for a database administrator to oversee the security of these databases with only basic access control functions. Instead, businesses are realizing that data encryption is a must-have component of their existing cyber security strategies. DB encryption ensures that a database remains protected even if hackers somehow replicate the database or move it to another location.

While critical to a business’s cyber security strategy, DB encryption isn’t always deployed by businesses. But thankfully, there is a positive trend occurring: in the past few years, database encryption usage among businesses in the US has risen from 42% to 61%. This blog post addresses five misconceptions in order to put to rest some concerns businesses may have before implementing DB encryption.

1. I use SSL so I don’t need DB encryption

SSL involves encrypting communication between a web user and web browser, but does not take into account data that is at “rest,” or data that is stored in a database. In other words, SSL ensures a secure connection for the data that is in motion (at the time that requests are being made to the web browser). SSL is important for encrypting web traffic, but there is also unprotected data stored either on a disk or in a database, which SSL does not take into account and which therefore needs added protection.

2. If I use DB encryption, database performance will degrade

The performance of a database is determined by multiple factors such as excessive indexing and inefficient memory allocation. While businesses may be reluctant to incorporate database encryption into their existing security deployments due to performance or latency concerns, businesses should be reminded that it really depends on the type of DB encryption solution a business decides to utilize, whether that be file-level or column-level encryption. Typically, file-level encryption is the least resource intensive and has the least effect on the overall performance of a database.

3. Encrypting the database is enough protection for my website

Even if the security of a database is compromised, the database will be protected if the information inside is encrypted. But this doesn’t mean that the website itself will be safe should it come under attack. Thankfully, with no access to the decryption key, a hacker cannot read files that are encrypted in a stored database. Businesses can rest assured that their most sensitive data is being protected. However, the website can still be brought down by attacks. In order to protect web applications (i.e. websites), an additional security solution will be needed.

4. DB encryption and key management requires hardware appliances, which is inconvenient

These days it’s pretty common for key management solutions to be available in a variety of both hardware and cloud platforms. But it mostly depends on where a business may be storing company data or what kind of needs they have. Not all businesses have their own data center. Instead, many rely on some kind of Software-as-a-service (SaaS) solution, removing the need to rely on hardware appliances. Therefore, it’s less likely that the traditional key management solution is implemented internally.

5. DB encryption is too complicated and requires modifications to my current operating system

Once a business answers basic questions like what kind of data needs to be encrypted and who should have authorized access to it, database encryption should not be complicated. Encryption is made easy thanks to the readily available tools in the market that cater to the needs of each business. There are plenty of DB encryption solutions that reside beneath the application layer, thereby eliminating the need to make modifications to a business’s operating system or storage. If an encryption engine is supplied, for example, then no source code changes to the database environment or application are required.

Businesses should not shy away from using DB encryption due to these common misconceptions. DB encryption is not so much a trend as it is a security necessity for all businesses. The drivers for using database encryption come down to compliance requirements and businesses recognizing the need to protect specific data types. So whether it’s to meet industry standards or to safeguard sensitive information, DB encryption is here to stay.

Tax Season: Cyber Security Defenses to Make (and Keep) Your Returns

It’s that time of year again: the time of the year when winter coats are abandoned, flowers are in full bloom… and everyone starts to rack their brains for how to deal with their taxes from the last fiscal year. Tax season is a stressful time for most and, whether you hire an accountant or decide to tackle the numbers yourself, it’s no time for haphazard calculations. Every single cent counts in order to get the best return possible. But could your hard work go down the drain with a single click? According to a report from the Federal Trade Commission, of the half a million complaints registered in 2015, nearly half were tax fraud-related, and these frauds are increasingly conducted online.

Cybersecurity and tax fraud are two ideas that people don’t usually look at side-by-side. After all, the IRS will never send out an email to contact you (if they do, it’s probably a scam), but with the rise of the digital age, many accounting firms have seen the benefits of having taxpayers fill out necessary forms online, facilitating the process for both the taxpayer and the agency. However, digitizing the process has opened up a Pandora’s Box in the realm of cybersecurity.

Now, by no means does this mean that taxpayers absolutely need to revert to the pen-and-paper method of tax filing. Electronic forms take an enormous load off everyone during tax season, but keep a few things in mind as you file so that, in the end, you do make returns and keep them. Here are our top five tips for making your tax season a little more secure:

Get it out of the way

Did you know that employers are by law required to provide W-2 forms to their employees by the end of January? Some may give their forms out earlier, and the IRS officially began accepting 2016 tax returns on January 23, 2017.

While it may be tempting to push it off until April, there are benefits to being an early bird. Not only do you get to be stress-free for Spring, but filing early means you 1) give the IRS time to immediately process and check your return, and 2) avoid the peak period when hackers fish for victims in March and April. The latter part of tax season is when potential victims tend to be a little more scatterbrained, not utilizing as much discernment as they should in securing their tax returns. Hackers are less likely to be looking for prey in January or February.

Watch out for phishing scams and links

As mentioned before, the IRS will never, under any circumstances contact you via emails, texts, or phone to demand money. They will always send a postmarked notice to “kindly” remind you to pay your dues. However, because this is a rather unknown fact, many fall prey to the phishing and pharming scams that hackers love to execute.

Especially in emails or text messages, be careful not to click on any links or attachments. Although it may be tempting to see what the IRS could want, these seemingly harmless links could trigger malware, and viruses could get installed on your devices to infect entire systems. The IRS encourages users to forward any emails they suspect of being fraudulent to phishing@irs.gov and delete them permanently from their inbox.

Keep your devices and connections clean

Updates are cumbersome and might take more time than you are willing to put in. However, an update could be the difference between a vulnerability and a strong defense against a loophole. Software, browsers, and applications should have the latest updates and any unnecessary software is best deleted to avoid cluttering your system.

Additionally, when filing your taxes, make sure to use a secure wireless connection. Public Wi-Fi is not your safest bet (read about our research on public Wi-Fi networks here), and hackers may be able to take a clear look at your sensitive data if they intercept your wireless connection.

Use Encryption

When sharing information with your accountant, make sure that your information is well-encrypted to ensure that a hacker will not be able to see the contents even if they do succeed in interception. Along those lines, double-check to make sure your online tax-filing agency is using SSL, which applies encryption to sites. Look for “HTTPS” in the URL, with a lock icon signifying a secure SSL connection. While an agency may claim to be “easy filing,” you don’t want that to mean “easy access” to your financial information.

Be careful of your… social media???

While social media may seem to be the furthest platform from your tax returns, many hackers have been utilizing a social engineering method called “social sleuthing,” where they will stalk a high-level executive to see if and when they go away on holiday or travel during these chillier months. Then, impersonating the executive, they may reach out to a lower-level employee back at the office, asking for help with paying taxes, or for sensitive information that they conveniently “forgot.”

Although hackers work year-round to try accessing our data, tax season is ripe for harvest when it comes to getting sensitive information, making it much more lucrative for hackers. The sad reality is that though the IRS may do their best to put preventative measures in place in terms of your W-2 or through public service announcements warning of fraud, the consequences that you may potentially encounter are solely your responsibility. At the end of the day, taxes are owed to the IRS, regardless of the situation.

But remember, many prevention tips are simple to implement; it just takes a bit of awareness and effort. Remember, no one enjoys tax season (except hackers), especially if there are any heavy consequences that may await in case of any loss, damage of data, fraud or scam.

Your Guide to the 3 Layers of Website Protection

Of course, it’s difficult to talk about completeness when it comes to information security. Even the professionals need serious resources for comprehensive protection, from architecture to operation, and even then, perfection still isn’t guaranteed. There are no standard web security measures, so every individual builds security depending on their own unique situation. Web security solutions need to fit each company’s IT system. This begins with understanding how a company’s IT system is structured.

 

What’s the shortcut to website security?

The Three Layers of an IT System: Network, System, Application

Generally, an IT system consists of networks, systems, and applications. Each of these three layers needs its own unique level of protection. The networks layer at the bottom of this stack deals with data transfer, while the systems layer (what we know as operating systems such as Windows or Linux) works as a platform that enables the applications layer to operate. The applications layer itself offers protocols and services with many features. Many kinds of server systems follow this structure, so securing the server means making sure all three of these layers are safe.

IT system layer structure

Don’t Overlook Web Application Security

Despite the importance of web application security, most companies spend 10 percent on web application security compared to network security. The reason is simple: companies don’t know what to do about web application security. The application layer is technically more complicated and the kinds of applications also vary.

Most security professionals find it difficult to set up a security policy and apply security measures. What we think of as the ‘web’ actually consists of applications. Websites and mobile apps are all applications, and attacks on these also take advantage of the vulnerabilities of applications.

Web attacks such as SQL injection or XSS also target the vulnerabilities of website applications. Malicious code called a ‘web shell’ is also a type of web application. The Open Web Application Security Project (OWASP), famous in the web security industry, named 10 web vulnerabilities, all of which are web application attacks.

More than 90% of web attacks target web applications. A web application firewall (WAF) is what protects your website from unwanted visitors. Its role is like a fence. It monitors traffic, detects web attacks and protects your website. What’s important is that it prevents vulnerabilities from being exposed. From the outside shell, it limits access from malicious traffic. Also, it hinders malicious code from being uploaded to your web server.

 

A Web Application Firewall blocks all sorts of web attacks

If you look into web application firewall solutions, there is a comprehensive yet free solution called Cloudbric. Cloudbric is the most advanced web application firewall, with algorithms that progressively learn from past experience. Go to the top of this page and click to get started with Cloudbric protection for your website!

3 Web Security Services for Startup CEOs

Startup CEOs should secure their business

In 2013, Target, a massive retailer in the US, suffered a major web hacking incident that stole thousands of customers’ credit card information. After the event, Target was negatively affected as news leaked and company shares dropped by 1.5% the following year. These kinds of web attacks prove that nobody is completely safe from web hacking.

Now, we know that web security is not a hot topic that drives a conversation every day. However, as a startup CEO, it is imperative to have a basic knowledge of what web security options are available, so that you can do your best to protect your clients’ private information. Here are 3 options to help you better protect your company’s sensitive data.

Web Application Firewall (WAF)

Web Application Firewalls help monitor the incoming and outgoing HTTP/HTTPS traffic of your website. You can almost think of a WAF as a security scanner like the ones we see at the airport. People with the right credentials will get through the gates, but any visitor that may have malicious intent will be barred from entering your network. WAFs use specialized rules or patterns to help identify whether a web visitor or traffic is dangerous. WAFs can be the essential first line of defense for any website owner, helping protect the website from the network perimeter.

Malware Scanners

Having a WAF is a great way to protect your website. However, it won’t help your business much if you are already infected. Therefore, it is also helpful to have a tool that searches for malicious programs already residing on your servers.

Infected sites can be a major turn-off for customers, especially if they can infect customers’ computers. This is a double-edged sword: not only can you affect your customers, but once Google gets wind of this, you can also be SEO blacklisted. Google can detect websites that have been infected by malware and warn customers away. So having a protected and clean website is not only good for the customer but also for business. Using a malware scanner for your internal network can help keep your website safe. For optimal security, one should always maintain a routine scan on servers. Better to be safe than sorry.

Database Encryption

Encryption is the process of transforming the data in a database into undecipherable data. An encryption program uses a series of complex algorithms and possesses a master key to turn the data back into its original form. Your database is where all the data of your business, such as specific customer banking information, is stored. It is one of the core elements of any online business; therefore, malicious hackers are always looking for a way to get their hands on it.

One of the world’s most popular database management systems, MySQL, is open source, so it can be highly vulnerable to attacks. Many CMS frameworks like Drupal, Joomla, and WordPress all use MySQL as their default database. It is critical that you take every precaution to protect yourself from any would-be attackers. One way to do this is to utilize database encryption software. This can bring a third layer of protection in case any savvy web hackers get into your internal system.

The recent increase in the number of startups has made these businesses attractive targets for hackers to exploit. Customers entrust their information to businesses, and businesses should feel obligated to keep that information safe from hackers with malicious intent. One can’t be too careful when it comes to security. Get more in tune with your website and its security by installing these 3 great security solutions!

Using a Cloud-Based WAF as a Service for Better Web Security

Before the advent of the cloud-based WAF, Web Application Firewalls (WAF) usually came in the form of hardware. These WAF appliances were great for big businesses and enterprises. They provided flexibility, fast accessibility to the device and did not depend on external connections for functionality. However, they also had a few disadvantages.

Hardware WAFs were very difficult to install and deploy since they are heavy and take up a lot of space. They can be hard to maintain, and lastly they’re on the costly side. Only large enterprises can actually afford hardware WAFs. Meanwhile, small and medium companies were left to fend for themselves.

The Birth of the Cloud-Based WAF

Thankfully, this has changed rapidly over time. Since the birth of the cloud, many innovative WAF vendors have turned these same enterprise-level security features into a cloud-based WAF as a service specifically aimed at SMBs. The shift from hardware to cloud-based WAF as a service has proven to be beneficial for three reasons.

1. Fully Managed Security

WAF as a service doesn’t require any hardware to operate. All one needs to do is configure their DNS information to start securing a website. This provides great accessibility for small and medium-sized businesses. It also reduces the resources needed to set up and customize a traditional enterprise solution.

2. No Technical Knowledge Needed

A cloud-based WAF as a service also handles and manages all of your HTTP and HTTPS traffic. WAF vendors have detection technologies in place that can automatically detect and filter malicious attacks. This means you can focus on what’s most important for your business—gaining customers. The need for specialized security staff or technical experts is unnecessary when using a WAF as a service.

3. Easy to Understand Analytics

We make providing web security to SMBs our top priority. That being said, many WAF as a service vendors want to cater to the SMB market by providing easy to understand web traffic analytics. There is absolutely zero need to have a specialist scrub your web traffic data to look for any inconsistencies and how many attacks were actually blocked. These days, almost all security vendors provide great metrics and analytics that can help any business owner see the impact of their WAF.

The cloud-based WAF as a service solution has made it possible for more people to secure their websites with zero hassle and at a much lower cost. Implement a WAF today so you can focus on growing your business while we take care of the rest.

Top 3 Web Security Misunderstandings by Small Businesses

Web security seems to have been the buzzword in the news for the past couple of years, with stories of legendary hacks hitting companies like Target, Home Depot, J.P. Morgan, and Sony—just to name a few. However, because we always hear about these hacks happening to big and established companies, we often think that these kinds of attacks will never happen to us. After all, why would a hacker want to attack a small business when they can attack the Sonys of the world? Unfortunately, although many people think that, it couldn’t be farther from the truth. And there are even more web security misunderstandings.

So, here are small businesses’ top 3 web security misunderstandings:

1. I already have minimum web security.

A lot of people think that their Content Management System (e.g. WordPress, GoDaddy) offers website protection. However, that couldn’t be farther from the truth. According to Security Week, WordPress is the most attacked Content Management System (CMS)—being hacked 24.1% more than other CMS systems.

CMS services are created just to publish and maintain your website; they aren’t created to protect it. So, just as a museum needs a security system to protect its priceless treasures, your website needs one to protect all your precious data. Web protection doesn’t have to be overwhelming.

2. My business is too small to be attacked.

No website or business is too small to be attacked. In fact, according to Symantec, three out of five businesses hacked are small businesses. Hackers actually prefer to hack small businesses as they often have no web security, so their websites can be hacked in minutes. Also, small businesses have no way of fighting back. This way, they can hack dozens of websites in a few hours and probably never get caught.

3. It’s too troublesome and expensive to get web security.

You’re a busy person—you have to manage a business both online and offline. So, the last thing you want to do is figure out what the heck an SSL certificate is or what a DDoS attack is. Also, adding another expense to your costs doesn’t sound that appealing. However, just like going to the dentist, although you don’t want to do it, it’s something that is necessary to the health of your business.

But there is good news: web protection isn’t actually that hard to figure out or expensive. Cloudbric is a cloud-based web app firewall (WAF) that blocks malicious web traffic coming to your website and is free to websites with less than 4 GB of monthly web traffic. We take care of all your web protection, so all you have to do is register your domain.

So, take control of your business and fight those web security misunderstandings! Because a cyber-attack can actually happen to anyone, so it’s better to protect yourself before it’s too late.

Public Wi-Fi: Stranger Danger

Progress in the IT world has led to a good amount of change in the past decade. Nowadays, we’re surrounded by technology and it’s a part of our everyday lives. One of these technologies that we don’t even give much thought to anymore is public Wi-Fi.

It certainly has made life a lot easier. We don’t have to consistently rely on the quickly-disappearing amounts of cellular data we have on our mobile phones. Especially in Korea, one of the most connected countries in the world in terms of network infrastructure and #1 in terms of internet speed, free public Wi-Fi is thought of as a given. It’s a win-win situation: Businesses will get more foot traffic from tourists or residents who are seeking a location with a Wi-Fi connection and entertainment, and customers will be connected to the Internet for free without the need to use their precious cellular data.

But the issue here is this: is public Wi-Fi really safe?

Cafes are often a popular place for students and freelancers alike because they provide nice ambiance, open spaces, and most of the time – free Wi-Fi. Many cafes have their Wi-Fi passwords on display at the counter, or written on the receipt. Most of the time it’s something easy like “1234567.” However, when a simple string of characters is on display, it’s no longer fulfilling its original duty of acting as a “secret code” to access a device.

And the fact is that there has been an increase in the hacking of public wireless routers as of late. The most prevalent of these hacking methods is called “wireless sniffing.” Just as the name suggests, wireless sniffers are specifically created to “sniff out” data on wireless networks. A sniffer is a piece of software or hardware that intercepts data when it’s transmitted. It decodes the data so that it’s readable for humans. If a wireless sniffer accesses your connection, your ID or password may be found, or your device could be infected with malware.

Awareness of Public Wi-Fi Security Issues

This is all anxiety-causing information, but we started to wonder two things in terms of application to the real world. First, how is the security at some of the well-known establishments providing Wi-Fi? And second, are providers (at cafes, bookstores, etc.) and users aware of security (or the lack thereof) for public Wi-Fi?

The Public Wi-Fi “Provider”

After surveying 20-odd establishments, we categorized them into three levels of security. In terms of “high” level, authorization and authentication were required in order to gain access. For “average,” a different password was set from the original factory settings, and for “low” – no changes had been made to the router since the point of purchase. Not surprisingly, we found that the larger chains offered higher measures of security than the domestic brands. Independent cafes rarely had the level of security necessary to secure a Wi-Fi connection.

We then conducted a short interview with either the employee behind the counter or the branch manager and found that many locations don’t regularly upgrade their firmware. Upgrading your firmware regularly makes sure that your router is stable and optimized to take on the traffic. Although it can be a tedious process, it’s a necessity. And while some locations changed their password after buying the router, it was often a simple password. Additionally, none of the establishments had been changing their passwords regularly.

Most cafes will have a simple password (or no password at all) because it’s more convenient. However, a few simple steps can set you on the right track to begin protecting your establishment. After all, a business needs to look at customer loyalty and long-term growth. That isn’t going to happen if you or your customers are hacked.

4 easy steps to secure the public Wi-Fi of your establishment:

  1. Change the ID and password from the default factory settings regularly.
  2. Secure your Wi-Fi by changing settings to WPA (Wi-Fi Protected Access), rather than WEP (Wireless Encryption Protocol). WEP has issues of static encryption keys, making it easier to access.
  3. Block remote access.
  4. Update firmware regularly.

The Public Wi-Fi “User”

We went on to interview customers who were utilizing the public Wi-Fi at the cafes to get their views on security. We were surprised to find that the users’ knowledge of security issues was better than that of the providers. Although Wi-Fi users are sometimes aware that it may be unsafe, because it’s free and convenient, they ignore the risks and access the network anyway.

So what are the basic steps you can take that won’t take too much of your time/money?

4 Cautionary Steps for Using Public Wi-Fi

  1. Turn off sharing on your computer – make sure that remote login is not possible.
  2. Consider using a VPN (Virtual Private Network) when connecting to public Wi-Fi. Because it will encrypt your data, it can help prevent criminals from sniffing.
  3. Avoid sites that take your ID and password (i.e. banking, online shopping).
  4. Go to a cafe or public Wi-Fi hotspot where you know the security measures the provider takes.

But in all honesty, public Wi-Fi will never be “safe” in the sense that it will be void of any security risks.

And if you must…

It’s not realistic to say that all public Wi-Fi must disappear. In the digitized 21st century, connectivity is inevitable. In fact, it’s already happening. So the best thing you can do as a user and provider is to be cautious. Have these steps ready to execute. Extra steps are also possible with a firewall, anti-malware products, etc. But remember, the first step is the most important.

DDoS Top 6: Why Hackers Attack

Lately, it seems like the companies that haven’t had their web and cyber security compromised are in the minority.

Many are hit hard by web vulnerability attacks. Specifically, we see an increase in DDoS (Distributed Denial of Service) attacks. With DDoS, the attacker’s main goal is to make your website inaccessible using botnets. Botnets are basically an army of connected devices that are infected with malware. Your website’s server becomes overloaded and exhausted of its available bandwidth because of this army. Much of the time, the attack doesn’t even breach your data or go over any security parameters.

So if it’s not to breach your data, why would someone go through the effort to shut down your website? There are a multitude of reasons, but today we’ll look at the top 6 reasons for a Distributed Denial of Service Attack.

1. Some (not-so) friendly competition

As more and more enterprises are taking their storefronts to the cyber world – there is also competition within the cyber world.

In fact, in a recent survey nearly half the responding businesses said that they believed that their competitors were launching DDoS attacks in order to disrupt services. After all, if your competition’s website is down, all the traffic will come to your website instead. Additionally, your competition’s brand image is tarnished, giving positive associations to your company instead.

Even if an entrepreneur may not be skilled in hacking, DDoS attacks are now available for hire, and attacks can be executed for a fairly low price on the dark market.

2. DDoS for Hacktivism

As we’ve noted, DDoS attacks aren’t necessarily about taking data. They can be used to strongly voice an opinion – any opinion. Voicing your opinion on the Web can have a bigger and faster effect than if you were to attend an in-person rally or strike. DDoS is often used to show support or opposition regarding a certain topic. It could be political (see below), but also for/against businesses or banks, ethical concerns, or even an online game.

3. All about politics

A subset of reason #2, DDoS attacks can also happen between countries or governments. The Web is the newest battlefield. DDoS attack victims can be government websites. While the sites could have been attacked by apolitical hackers, many do believe that governments or political parties often attack each other using the DDoS method.

As most governments rely on the Web to communicate and run their country, this has proven to be an effective method to show political opposition.

4. Seeking their revenge

An extremely common reason for DDoS attacks, this situation could apply to businesses, individuals, as well as governments. Not necessarily to give an opinion, attacks are used to seek revenge on your enemy. There’s no need to get your hands dirty at all.

For example, there have been increasing instances of previous employees hiring DDoS attacks on the dark market to seek revenge on their former employers. We’ve previously written on internal data breaches by present or past employees, but this is yet another form of when one person holds a grudge and it affects an entire company.

5. A precursor for something bigger

On New Year’s Eve of 2015, the BBC was reportedly hit by a DDoS attack measuring over 600 Gbps, beating the previous record of 334 Gbps. The attackers who claimed responsibility, New World Hacking, said that it was simply “testing.” More recently, the hacking group PoodleCorp took responsibility for shutting down the trending Pokemon Go game using a DDoS attack, and claimed that it too was testing for something on a larger scale.

A hacker may be preparing for something new like the above two cases, or they may be using the attack as a distraction for a larger attack, hoping that they won’t be found out. This is one case where the attack may be used indirectly for a security breach.

6. Some plain ol’ fun?

And lastly, sometimes there’s really no rhyme or reason to why DoS or DDoS attacks happen.

There’s a misconception that there is a specific reason behind all attacks. However, this is simply not the case. Many hackers get an adrenaline rush from hacking into a system or a website, no matter how big or how small it may be.


Therefore, it is the responsibility of the individual user, or of the CIO/CTO of a company, to ensure that security measures are being taken. One needs to prepare for an attack because no one is ever exempt from the chance of one.

So what are these security measures I speak of? In my opinion, the most essential step you can take is to protect yourself with a WAF (Web Application Firewall). By using WAF services like Cloudbric or a WAF like WAPPLES, you can make sure your website is continuously protected.

For more information on Cloudbric (full service website security provided for free if your website’s bandwidth is under 4GB/month), check out their website and find out more about WAPPLES, the WAF they use for their service.


6 Steps to Create a Secure Website

There are roughly one billion active websites online, or one for every seven people alive right now. How about yours? Is it a secure website?

Every single second, a couple of new websites are born into this world. That’s a lot of websites, so how are they being created, and how do you make one? And also, how do you keep your website secure from all the cyber threats out there?

A Secure Website in 6 Steps?

The steps needed for making a website, from registration to design, coding, operation and growth, can be a very long and complex process. Each step has a lot more nuance to it than fits here, but this guide should point you down the right path to setting up a secure website.

1. Choose Your CMS

How are you going to build your site? These days you don’t need to be a computer programmer to put together your own fully functioning website thanks to Content Management Systems (CMS). With CMS solutions like WordPress, Joomla, and Drupal, putting together a website is about as easy as building a house out of Lego. No matter what CMS you choose, there are new exploits that are uncovered almost on a weekly basis. This means you need to stay on top of software updates and patches to keep your site secure.


2. Sign Up for a Web Host

Your domain name is like the street address and the CMS is like the materials you build your site with, but the web host is the actual plot of real estate where your website exists online. Some are free and come with bandwidth limitations or embedded ads, and there are commercial options that run much better. Many hosts also provide server security features which can better protect your uploaded website data. Check if a web host offers Secure File Transfer Protocol (SFTP) which makes uploading files much safer. Many good hosts should also allow for file backup services and have a public security policy showing how well they keep up to date on security upgrades.

3. Design Your Website With Security in Mind

What’s your website going to look like? Hiring a designer is usually worth the money you pay, but if your site is straightforward enough then you don’t need to do anything fancy. These days, simplicity is the golden rule, and minimizing add-ons and plug-ins is recommended for aesthetic, operational, and security concerns. The main thrust of your site should be text-based and presenting your product clearly, with images and design flourishes playing in the backup band. Basically you should focus more on avoiding bad design than embracing great design.

4. Apply a Web Application Firewall (WAF) to Protect Your Site

As soon as your website is online, it is exposed to a rogue’s gallery of cyber threats. Automated bots are out there scanning for vulnerable websites, and newly created sites are an especially tempting target. Adding a web application firewall (WAF) such as Cloudbric, Incapsula, or Cloudflare, will ensure that you have a secure website before the attacks start.

5. Do Business Online Secured by Secure Sockets Layer (SSL)

If you’re going to have users registering on your website, and especially if there will be any kind of transaction, you need to encrypt that connection. Using SSL certificates creates a secure handshake between your website and clients’ devices, ensuring that no third party can covertly slip in between and monitor, hijack, or shut down any transactions taking place. GlobalSign is one good example of a widely available SSL certificate provider whose certificates pair well with almost every website.

6. Grow as a Responsible, Respected Member of the World Wide Web

So you have a functioning, secure website protected from security threats, and you are engaged in commerce for your business. Now the main duty is to grow and reach more people! Reach out through SNS, set up your site so it can be indexed by search engines, and take advantage of SEO opportunities. The Internet is your oyster. But never lose track of your security needs, and focus on maintaining a reputation characterized by responsibility for cyber security matters.

Once you’ve finished these steps, your website is ready to make its mark on the Internet!


This blog post was originally featured on cloudbric.com. Visit their blog for more insight, news, and accessible information on web threats and trends. If you would like to learn more about Cloudbric’s logic-based WAF service, please contact info@cloudbric.com.


Asian Cyber Security Vendor of the Year: Honored for 2016

APAC market leader Penta Security Systems Inc. awarded by Frost & Sullivan

Seoul, Korea: On June 15, Penta Security Systems Inc. was awarded the honor of Frost & Sullivan Asian Cyber Security Vendor of the Year. The award was given at this year’s 13th annual Frost & Sullivan Asia Pacific ICT Awards Banquet in Singapore.


Frost & Sullivan selected Penta Security Systems after concluding evaluations with a team of 30 analysts and consultants based in the Asian-Pacific region. Analysts examined a variety of indicators including revenue growth, market share, leadership in product innovation, major customer acquisitions, and business and market strategy. Specifically, Frost & Sullivan noted that Penta Security continues to make headway into new industries with its smart car security solution, AutoCrypt. AutoCrypt detects vehicular attacks from external systems utilizing its Application Layer Firewall, and has garnered significant attention with the increase in the news of vulnerabilities in smart cars.

CEO and Founder Seokwoo Lee attended the annual ICT Awards Banquet in Singapore in order to receive the award.

Regarding reception of the award, he stated, “We are honored to receive the Asian Cyber Security Vendor of the Year award. It confirms the 19 years of hard work we have put into development in information security.” He added, “We will continue to pursue excellence and growth in web and data security – not only in APAC, but worldwide.”

Having built relationships globally among enterprises and institutions, Penta Security Systems has grown rapidly along with the rise in demand for web and data security products. In 2015, its web application firewall (WAF) WAPPLES was acknowledged by Frost & Sullivan as the leading WAF in the APAC region in terms of market share. The top WAF in Korea for three consecutive years, WAPPLES boasts a COCEP™ (Contents Classification and Evaluation Processing) engine, rather than traditional pattern-matching methods utilized by other cyber security vendors.


About Penta Security:

Penta Security Systems Inc. was founded in 1997 by CEO Seokwoo Lee. The company is a market leading provider of web and data security products, solutions, and services in the APAC region. Penta Security protects more than 117,000 websites. Additionally, it blocks more than 108,000,000 web attacks per month. Recognized by Frost & Sullivan, Penta Security Systems is the top Web Application Firewall vendor in the APAC Region based on market share.

For more information on Penta Security, please visit www.pentasecurity.com. For potential partnership inquiries, please send an email to info@pentasecurity.com. For more details on the Asia Pacific ICT Awards, please visit http://www.ict-awards.com/.