Protect your business: web security top five


AusCERT Co-ordination Centre team information security analyst Ananda Garin-Michaud spoke to Digital Brisbane about the top five things to consider when it comes to ensuring adequate web security.

AusCERT is Australia's leading computer emergency response team and is based at The University of Queensland.

1. Use complex and unique passwords

Change the default administrator usernames for your website's server applications and content management systems to something different from the generic administrator, admin or root.

Choose a unique password that is sufficiently complex and hasn’t been used somewhere else. There are many guides on the internet to help you create such passwords.

Alternatively, you may use password vaults such as KeePass or LastPass, which create a cryptographically secure database of all your passwords and randomly generate strong passwords for you.

You will still need to create a very strong vault password if you do use these solutions, because if anyone discovered your password they would have full access to all passwords stored within the vault.

2. Keep all software up to date

Whether you are hosting your website(s) on your own infrastructure or using the services of a hosting provider, you should always be sure you are running the latest versions of any software loaded on your website.

Having a website, even if it is just a static page, is not just a “once-off, put this online and forget about it”.

Many of the compromised webpages that AusCERT sees are due to fraudsters leveraging security vulnerabilities in un-patched content management systems or web server applications.

You should be aware of what software is running your website and subscribe to any relevant vendor mail-lists to ensure you are notified of any new updates.

AusCERT feels it is so important that it aggregates information about popular software and has been releasing security bulletins through its website since 1993.

These can be found here

Do not forget that you also need to update any additional modules/themes/plug-ins you add to your website.

3. Properly manage back-ups

Keep reliable back-ups of all your valuable data, and keep some copies disconnected from a computer and the internet.

Large capacity data storage is quite inexpensive and easy to get from places like Officeworks.

Don't just keep your back-ups on one external hard drive that's always connected to the computer or internet. This is too risky, as attackers are known to encrypt or delete such back-ups.

Buy at least four external hard drives, or similar, and keep multiple copies of your back-up data using a back-up rotation scheme like Grandfather-father-son or Tower of Hanoi.

All but one of the external hard drives should be disconnected from your computer, and stored in a physically safe and secure location. Periodically test the restoration of your back-ups to confirm that the data is good.
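As an added example (not from the article or from AusCERT), the Tower of Hanoi rotation mentioned above, worked through in Python for the four drives suggested; the drive labels are assumed.

```python
"""Tower of Hanoi back-up rotation, worked for four external drives.

On back-up day N (counting from 1) the drive to write is chosen by the
number of trailing zero bits in N, capped at the last drive. Drive 0 is
written every other day, drive 1 every 4th day, drive 2 every 8th day and
the last drive takes every remaining multiple of 8, so the offline copies
span a widening range of ages with only a few drives.
"""
from datetime import date, timedelta

DRIVE_LABELS = ["drive-A", "drive-B", "drive-C", "drive-D"]  # assumed labels


def hanoi_slot(day_number: int, drives: int) -> int:
    """Index of the drive to connect and write on back-up day N (N >= 1)."""
    if day_number < 1 or drives < 1:
        raise ValueError("day_number and drives must be positive")
    slot = 0
    while day_number % 2 == 0 and slot < drives - 1:
        day_number //= 2
        slot += 1
    return slot


def rotation_plan(start: date, days: int, drives: int) -> list:
    """(date, slot) for each back-up day, starting from `start`."""
    return [(start + timedelta(days=i), hanoi_slot(i + 1, drives))
            for i in range(days)]


def copy_ages(days: int, drives: int) -> list:
    """After `days` back-ups, how many days old is the copy on each drive?
    None means that drive has not been written yet."""
    last_written = [None] * drives
    for n in range(1, days + 1):
        last_written[hanoi_slot(n, drives)] = n
    return [None if w is None else days - w for w in last_written]


def offline_drives(day_number: int, drives: int) -> list:
    """Slots that must stay disconnected while day N's back-up runs:
    only the drive being written is ever attached to the computer."""
    active = hanoi_slot(day_number, drives)
    return [s for s in range(drives) if s != active]


if __name__ == "__main__":
    for d, slot in rotation_plan(date(2024, 1, 1), 16, len(DRIVE_LABELS)):
        print(d, DRIVE_LABELS[slot], "offline:", offline_drives(slot + 1, 4))
    print("copy ages after 15 days:", copy_ages(15, 4))  # [0, 1, 3, 7]
```

After 15 daily runs the four copies are 0, 1, 3 and 7 days old, which is the spread of restore points the scheme is meant to give.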

4. Be aware of any remote administration tools and what is running on your web servers

If you are hosting your website on your own network, check what services are open to the world. Usually only HTTP (port 80) and HTTPS (port 443) should be open – you can check this by looking at your firewall rules or by using a tool such as Shields Up!

If other services such as remote administration tools are used, consider running them on non-standard ports, and again be sure to use non-default usernames for the accounts, combined with secure passwords.

You could also use public key authentication or one-time passwords in addition to the usual username/password authentication method.

5. Use secure web development programming practices

Make sure your website developers are aware of OWASP’s (Open Web Application Security Project) Top Ten project.

OWASP is a not-for-profit security organisation that focuses on improving web application security.

Every year it publishes a list of the top 10 most critical security vulnerabilities found within web applications.

Developers should know about these and make sure their code does not contain any of these vulnerabilities.