How To Get Powerful Website Protection – SSL Certificate

How To Get Powerful Website Protection – SSL Certificate by Natasha Miranda. Available from <http://www.valuewalk.com/2016/12/ssl-certificate-tips/>

As a website owner or manager, knowing the advantages of using an SSL/TLS certificate will be essential. It will also be important to understand that this is just one part of a full range of cyber security technology options that will keep your website safe from hackers and from a breach of data security to your system.

Before going any further, it is important to address a simple factor that is often overlooked. The purpose of an SSL certificate is to have an approved third party, a recognized Certificate Authority (CA), verify that the website is authentic and trustworthy. This means choosing a recognized and trusted Certificate Authority. A good example of this is the Comodo SSL products that are recognized worldwide and can be found on websites of large multinational and global companies as well as smaller local ecommerce businesses.

There are two other options in SSL certificates that can be found on the market through any quick online search. While these will both be available at no-cost, there are risks associated with these certificates that should be carefully considered if website protection and protection of transmitted data is ultimately your major consideration and concern.

Free Certificates

You may have heard the term “you get what you pay for” and this is certainly the case with many of the free SSL certificates out there. The recognized CAs offer very cheap SSL certificates at the domain and organization validation levels that are far superior in customer service, support and security.

Remember, a certificate, like any information technology security tool, needs to be recognized by the different systems it interacts with. The recognized CAs have their root certificates embedded in all major browsers and devices, ensuring that the certificates they issue will be accepted as trusted sources.

Unfortunately, the free SSL certificates are often not recognized by the different browsers and devices. From a 99.9% recognition rate with an SSL/TLS certificate from a trusted Certificate Authority, you may find that the majority of your customers either have to manually add your certificate to the device or browser trusted list or they will see the security warning displayed every time they try to access the site using a free SSL product. This is because there is no root certificate embedded in the device or browser, meaning the certificates they issue are also not trusted.

Self-Signed Certificates

These types of SSL products are even more problematic and less trusted by browsers and devices. As suggested by the name, the self-signed certificate is created by the website owner and is basically a case of vouching for yourself.

This creates trust issues for browsers and devices as there is simply no root certificate and no recognized Certificate Authority that is verifying the information. It would be possible for anyone to set up a website and create a self-signed certificate, even if the information on the certificate was invalid and the website was a spoof site.

The good news for legitimate website owners is that if you have an SSL certificate from a recognized Certificate Authority, there is no way that this type of situation can occur. The hacker cannot access the private key to your site or your certificate, which means your website is the only entity that the key and the certificate will work with. The private key is always kept secured on your server. Only through authenticating the certificate and the public key with the private key can data be decrypted for use.

No Eavesdropping or Hacking Risks

If your website uses a login and password combination, which is true for social media sites and many types of paid subscriptions or memberships to blogs or forums, using an SSL certificate protects your site from hacking through eavesdropping.

Without the customer, client or user’s login and password data being encrypted, it could be easily intercepted and read. This could include if an employee or customer used a public Wi-Fi hotspot or even used a connection at home that lacked basic wireless network security features.

Once the hacker had that information, he or she could then go into your data through a legitimate login using that stolen information. It would be virtually impossible for you to detect the data breach as it would appear to come from an actual, valid customer.

When encryption is used to send the data, all the hacker will see is a random string of code that is illegible and unreadable. With full 256-bit encryption, which is considered the internet cyber security standard, it is virtually impossible for the hacker ever to be able to break the encryption.

It is important to carefully consider how much of your website needs to be secured through the use of SSL technology. Any web page collecting information or transmitting what is considered sensitive information needs to have this level of protection.

Logins, passwords and even email may also need to be protected depending on the type of use, the data transmitted and if the information is considered sensitive. Determining which level of SSL technology is required and which pages should be secured starts with assessing your cyber security risks and then providing the right types of protection.

How to Protect Yourself from Cyber Attacks

How to Protect Yourself from Cyber Attacks by Kevin Graham. Available from <https://www.quickenloans.com/blog/protect-cyber-attacks> [December 7, 2016]

Remember last month when hackers were briefly able to disrupt service to popular websites such as Netflix, Twitter, Spotify and Etsy for several hours? Whatever their motivations, there’s no doubt the hackers had a plan and were skilled. Still, even when something happens that affects large portions of the internet, there are things we can learn to help protect ourselves as individuals now and in the future.

As we enter a time of year when everyone’s going to be doing a lot of online shopping, we thought we would give you some tips to help you keep your information secure. Let’s start by going over exactly what happened last month and what we can learn from it.

Anatomy of an Internet Takedown

So what exactly took down so many websites last month? It was something called a distributed denial of service (DDoS) attack. The attackers picked a major internet hosting service on the East Coast and sent a bunch of traffic to the sites it hosted – so much that it overloaded the servers.

The first job of any internet server is to take your request (to go to, say, QuickenLoans.com) and translate that into a request the computer can understand. You type in your web address, and the computer turns what you typed into a series of numbers called an internet protocol (IP) address. In your web browser, when you enter QuickenLoans.com, the server goes and looks up the IP address associated with that domain, maybe 10.168.64.9, and gets you to the right place. It’s like a giant phonebook, except we don’t throw it out as soon as it arrives.

Normally, all this traffic gets routed, and everything goes smoothly. When a server gets thousands of requests to go to a particular website, though, it creates a traffic jam. The server is overloaded, and the site is unreachable until the host is able to identify the attack and take mitigating measures. But what measures did they take?

We have a thousand devices connected to the internet these days. It’s not just computers, but also DVRs, webcams and even our thermostats. The attackers were able to get into these newly internet-enabled devices and use them to send a bunch of traffic to sites and overload the servers. I don’t mean to say that the webcam in the nursery was sending a request to Netflix to watch “Zootopia.” This was unsophisticated nonsense traffic – uploads and downloads meant purely to flood the servers. There have been lots of really good, detailed analyses of what happened in the attack, but what’s more helpful for those of us trying to protect ourselves is knowing exactly how they did it.

Tyranny of the Default

So what was the weak point in all of these devices that allowed them to be so easily taken over? No one ever changed the password.

Most of these internet-connected appliances have a default password listed in the manual so you can easily get them set up. Unfortunately, many people never think to change the password. If you find yourself in this situation, follow your device’s instructions to get back into the settings and change the password if possible.

In some instances, depending on the sophistication (or lack thereof) of a particular device, there may not be a way to change the default. In these instances, manufacturers will sometimes send updates that patch the software and help to secure the device. Always run these updates, particularly if they mention anything about fixing bugs or improving security.

As we enter the holiday season and you’re looking at getting that new flat-screen TV on Cyber Monday, make sure you’re using strong passwords. You can even get online password generators like LastPass or 1Password that will enable you to have one password that unlocks all your accounts but still maintains the security of having many different passwords.

Secure Your Wi-Fi

Securing your internet connection is key if you want to keep your internet browsing to yourself. Without a secured connection, hackers have the opportunity to get on the network and put themselves between you and your hotspot or router. Instead of going directly to your connection point, your data goes through the hacker first, and they get a peek at what you’re doing before your data goes on to its ultimate destination. Depending on how your sharing settings are configured, a nefarious actor may also be able to get malware onto your computer.

The level of encryption used can be changed, and it’s up to you. At the very least, your router should be password-protected.

Security in Public

The other thing you should know is how to take steps to secure yourself in public. When you need to check your bank account, sometimes the only available connection is the coffee shop.

When you find yourself in these situations, the most important thing to remember is that websites asking for sensitive information should be secured and encrypting your data as it’s passed through. While someone with malicious intent might still be able to see your activity, usernames, passwords and credit card numbers, it usually ends up looking like unintelligible gobbledygook unless it can be decrypted. Most hackers don’t want to take the time and effort to do this.

How do you know if you’re on a secure site? In the address bar, you should see a green HTTPS mark at the beginning of the web address. If you choose, you can also click on this mark to see who owns the security certificate and make sure you’re giving your information to the right people.

It’s always a good idea to check for the secured symbol whenever you’re putting in sensitive information like credit card numbers.

You should also make sure that any time you log into a public connection, you select the public option when you connect. Your operating system will put certain security protocols in place that you might not need for a home network – just to give you a little more protection. A lot of the settings have to do with your ability to share files on the network.

Device and App Permissions

While we’re on security, it’s a good time to talk about the smart phones that now hold the keys to so much of our lives. Your phone is equal parts Rolodex, wallet, health information repository and camera. If the wrong person were to get ahold of all that, it could cause you a serious headache.

With that in mind, you should take some reasonable precautions to protect your phone from prying eyes.

First, make sure you set a passcode on your phone. Not only will this prevent your little sister from getting into your phone, but on newer iPhones, setting a passcode automatically encrypts the data against anyone who doesn’t have your code or fingerprint. By default, this is a four-digit numerical password, but you have the option to switch to a longer alphanumeric key.

Since device manufacturers have much more control over the look of the Android interface, the name of your encryption setting may vary. That said, it should be with your security settings. If encryption isn’t enabled by default on your device, there are some things you should be aware of before going through with the process.

Be sure you know the permissions you’re giving apps when you use them. If you’re on iOS or newer versions of Android, your phone will ask you permission before accessing something like your photos, camera or contacts. It can be tempting to answer yes to everything so the app stops bugging you. I’ve been guilty of this, too. If you’ve ever given an app access to something and later regretted it, there are ways to reverse it.

If you go into your iPhone’s privacy settings, you can control which apps have access to your location, your media library, and your health and fitness data, among other items. Android versions Marshmallow and up include the option to control the permissions under the apps tab of your settings.

In older versions of Android, the permissions were listed when you went to install the app. Unfortunately, you don’t have control over individual permissions by default.

Finally, one special note regarding Android: In addition to installing apps from the Google Play Store, you have the option of installing apps from third parties. This is OK if you know what you’re doing, but if you’re not careful, it opens your phone up to malware. You can disable this option in your security settings.

Depending on the types of things you do on your phone, you might want to limit what gets backed up to the internet and keep local control on your phone. There’s always a bit of a push-pull relationship between security and convenience. You have to decide what works for you.

These basic security measures are important because they can help you avoid the hassle and inconvenience associated with identity theft.

FBI Tells Users to Change Passwords Frequently, Experts Say This Is Bad Advice

FBI Tells Users to Change Passwords Frequently, Experts Say This Is Bad Advice by Bogdan Popa.  Available from <http://news.softpedia.com/news/fbi-tell-users-to-change-passwords-frequently-experts-say-this-is-bad-advice-510528.shtml> [Nov 27, 2016 07:16 GMT]

You’d normally expect the FBI to provide us with the most efficient security tips, but a tweet published recently by the Bureau made many security experts raise their eyebrows and wonder who is actually behind these posts.

Specifically, the FBI tweeted on November 25 a piece of advice that’s supposed to help people stay secure during the holiday shopping season when cybercriminals are also very busy trying to steal our information.

“Shopping online this holiday season? Keep your accounts secure, use strong passwords & change them frequently,” the FBI posted.

And while keeping accounts secure and using strong passwords are indeed good recommendations, it’s the last part that caused controversy. Changing passwords frequently has often been described as bad practice, especially because doing this repeatedly can eventually lead to users turning to easy-to-remember passwords that can be quickly compromised by hackers.

Furthermore, it’s been proved that corporations forcing their employees to change their passwords on a frequent basis are actually more exposed because of the same reasons: workers end up using simpler passwords that are easier to remember, and this can’t lead to anything good.

Security experts: Nope

Security experts have questioned the FBI’s tweets, and one of those who recommended exactly the opposite is Per Thorsheim, who founded his own password conference to discuss the importance of passwords.

In a statement for Motherboard, Thorsheim explained that changing passwords frequently is a thing that you shouldn’t do and there are other ways to remain secure online.

“I am surprised and sad to see that the FBI continues to give out bad advice when solid academic research, numerous organisations, corporations and the US government themselves have said for at least half a year now that frequently changing your passwords is a bad idea,” he said.

“While I don’t know who at the FBI is in control of their Twitter account, the people behind it do not seem to be in control of current best practices. I do expect better than that from the FBI.”

So how exactly can you protect yourself online without actually changing passwords frequently? The easiest way to do this is to use a password manager that can help generate complex passwords that are difficult to compromise. Furthermore, make sure you enable two-factor authentication whenever it’s possible, and avoid using the same password for more than one service.

5 Website Security Tips

5 Website Security Tips. Available from <http://www.forbes.com/sites/thesba/2016/11/29/5-website-security-tips/#17469c582ca7>

Imagine leaving your car parked in a crime-ridden neighborhood. Would you leave your windows down and doors unlocked? Unfortunately, the internet is very much a crime-ridden neighborhood and too many of us are not even taking basic security steps to keep our websites protected.

The goal of this article is to give you some general best practices that can help you keep your website secure from many common cyber threats. Think of this as advice on “How to roll up your windows” and “How to lock your doors” – very straightforward but important steps. While a determined hacker may still be able to break into your vehicle, following these steps will substantially decrease your chances of becoming a victim of a cyber-based attack.

Keep all software updated, always

This applies not only to your website, but to every piece of software you have installed on your workstations. Hackers regularly find vulnerabilities and security flaws in software. Software vendors, on the other hand, are regularly providing software fixes to patch up vulnerabilities that are found or exploited. If you don’t update your software when updates become available, you could be leaving a wide-open door for hackers to exploit.

You need to keep all software updated on your workstations because an infected workstation could give access to other systems, including your website. If your website is powered by a content management system, such as WordPress, you will need to keep the content management software updated at all times, including any plugins you may have installed. Because content management systems, like WordPress, are so widely used, any security holes that are found can also be exploited widely.

Keep backups of your website, local and offsite

When your website has been hacked and injected with malware, the most secure way to fix the issue is to restore your website from the most recent backup prior to the hack. Make sure the server your site is hosted on is being backed up daily, and make sure your webmaster is retaining copies of your site locally (securely, of course) as an extra precaution.

Use a reputable hosting provider

Not all hosting providers are alike. Many discount web hosting companies do not make adequate investments into security. Ask your provider how they keep your websites protected. Be sure they make regular software updates to the server operating system and other installed software. Ask if they proactively scan and address security issues. Business-focused providers, like Newtek, have invested millions into system and network security, and have adequate staff to manage and monitor systems around the clock.

Manage User Access

It is important to limit who has access to your important systems and website. This is not because you shouldn’t trust your employees – it’s because the more staff you have with access to systems, the higher the probability of someone from your business becoming a victim of a cyber scam or hack, which could then lead to unauthorized access.

If you have multiple people from your business who need access to your website, be sure they only have permission to the areas they need. For example, the content management system WordPress allows you to assign different access levels to different people.

Use an SSL Certificate

An SSL Certificate is used to establish a secure, encrypted connection between your website and a visitor’s web browser. If your website utilizes logins, processes payments, or stores personal information, an SSL certificate is not only required from most compliance standpoints, it will also give assurances to your visitors that you take their privacy and security seriously.

7 Cyber Security Tips for 2017

7 Cyber Security Tips for 2017 by Andrew Deen.  Available from <http://www.business2community.com/cybersecurity/7-cyber-security-tips-2017-01711398> [November 22, 2016]

You don’t have to look far to find examples of cyber security breaches – they happen every day, in nearly every industry and country. While many smaller breaches don’t make headlines, others affect millions and have lasting effects on businesses. On November 14th, 2016, millions of Americans were reminded that Internet privacy is fragile, when a breach was discovered on the adult websites of FriendFinder Networks LLC. The company estimates that 412 million records were compromised, making the security breach the biggest of 2016, just as the year draws to a close.

With so many records exposed, FriendFinder will have to do extensive damage control, and likely respond to lawsuits and investigation by the Federal Trade Commission, as Ashley Madison did last year during its much smaller breach. For businesses, the cost of a breach can be devastating. While it’s not always possible to prevent a breach, having proper cyber security protocols in place can help reduce the likelihood of a breach and make recovering from a security event much easier, should one occur. Here are 7 tips to help get your business’s cyber security ready for the threats of 2017.

Ensure employees know safe protocols for social networking sites

It’s easy to forget that the Internet is a public resource, and privacy is not guaranteed, even on social networking sites. If your employees use social networks on company devices (and many do), educating them on safety protocols for social networks is crucial to preserving cyber security. Here are just a few reminders to give your team:

  • Always assume that everything you post is public, even if your settings are set to “friends only”. You never know who will share what you post.
  • You can’t take anything back once it’s been posted. Even deleting a post won’t necessarily remove all the copies of the information available.
  • Don’t post any identifiable information, like your address or daily routines. This goes for business secrets as well.
  • Be considerate of the information you post about others.
  • Be wary of strangers. You never know the intent of someone you meet online.

Establish cyber security training for all employees

You can’t blame your employees for unsafe cyber security habits if they haven’t been taught how to protect the sensitive information your company retains. Develop protocols for protecting your business’s data so that everyone can be on the same page for cyber security. Establish cyber security training for all new and existing employees. Because knowledge can fade over time, and protocols can change, offering periodic review trainings should also be a priority.

Add encryption protocols

Encryption has been used since ancient times to code messages that could only be read by authorized parties. Today, encryption technology uses advanced algorithms to make data unreadable except by those with the correct key. Encryption is a must for businesses protecting sensitive information, such as patient records or customer credit card information.

Keep software and browsers up to date

Vulnerabilities often occur when software and browsers are not updated on a regular basis. Software manufacturers periodically release updates for their programs, which often include security updates. Cyber criminals are always changing their methods for breaching security systems, and software companies are forced to keep up with them, constantly improving on their security measures. Take advantage of these updates, and don’t leave your operating systems, browsers, and anti-virus software vulnerable.

Use multi-factor authentication technology

Passwords can be compromised, and once they are, it’s easy for criminals to gain access. Multi-factor authentication requires an extra step to log in, whether that means email authentication, or a text message sent to users’ phones. While these protocols often spark protest from employees, they are a great way to ensure an additional layer of security.

Ensure the security of Wi-Fi networks

Access to your business’s Wi-Fi network is a huge benefit to cyber criminals. Keeping your network safe requires a few more steps than setting up a home router. Use a firewall, and hide your network name from broadcasting to help protect it. Require a strong password for Wi-Fi access.

Implement protocols from the Department of Homeland Security’s Cybersecurity Framework

The U.S. government is taking cyber security seriously, and they’ve put together a framework of protocols for safe security systems. Take some time to go over the information, and see how you can implement these protocols to protect your business.

Don’t Get Complacent in 2017

Even if you’ve never fallen victim to a data breach personally or professionally (and 1 in 5 Americans have), 2017 is not the time to become complacent. As we continue to move online more and more, breaches will continue to increase. Implement these tips for your business, and move a few steps closer to optimized cyber security!
