Implementing the Security Best Practices of 2015 on Your Website


November 10, 2015

Website security is an ongoing concern for businesses. Compromised security communications have resulted in large amounts of revenue loss and damaged reputations of small and large companies.

While extremely important, because of its technical complexities, many companies running websites ignore or fail to keep themselves informed about the latest developments and the practical ways to protect their websites and their customers’ information.

In this article we will provide you with some information about how to ensure your sites remain secure for you and your customers.

High-Profile Security Vulnerabilities

High-profile vulnerabilities of the last 18 months include Beast, Poodle, Freak and Heartbleed, all of which enable attackers in one way or another to intercept and decode pieces of a secure communication under the appropriate circumstances. Probably the most memorable of these was Heartbleed. This threat allowed the stealing of the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. This threat from 2014 made major headlines and could possibly have affected anyone as it affected the software in the services that we all use. The fix for this bug was to update and protect the OpenSSL being used by those sites and for users to change their passwords. Those who failed to update were likely to stop being used, as people feared the security threat.

Vulnerabilities are Specific

The vulnerabilities are specific to various client and server configurations. The presence or absence of these vulnerabilities depend on the software that runs the website, on the server side, and the browser that communicates to the server, on the client side. The Heartbleed vulnerability, for instance, was specific to systems using the OpenSSL cryptographic software library such as Apache and Linux servers but was not present in Windows-based IIS servers.

Beware of RC4 and SHA-1

A highly popular and widespread encryption algorithm (or cipher) – RC4 has been demonstrated to allow an attacker to recover parts of the original HTTP message, such as cookie values in a “secure” transmission. Disabling the RC4 ciphers on your server is essential to protecting you and/or your customers’ information.

SHA-1 security certificates are being discontinued. The computational power cost required to break their security is on track to becoming too affordable for major security experts to consider it safe for the public. When renewing your secure certificate, be sure to acquire one that supports the SHA-2 (SHA-256) cryptographic hash algorithm.

6 Big Takeaways if Your Website Uses a Secure Connection:


 1. Make sure that you keep your browser(s) updated. All latest versions of Chrome, Firefox, Safari, Internet Explorer, and Microsoft Edge already have support for the most secure protocols and ciphers.

2. If your site is on Apache, make sure that the proper OpenSSL patch has been applied to the server to prevent the Heartbleed vulnerability.

3. Disable the SSL 3 and SSL 2 protocols on the server.

4. Disable the RC4 ciphers on the server

5. Enable TLS 1.2 if your server does not have it currently enabled

6. or your next secure certificate renewal, be sure to acquire one that supports the SHA-2 (SHA-256) cryptographic hash algorithm.

 

How Sales & Marketing Technologies Can Help with Security Issues


While some companies might treat these issues with apathy and detachment, Sales & Marketing Technologies (SMT) is constantly evaluating the various security threats and exploits confronting website operators worldwide. The headlines tell us that no system is impervious to attack or compromise. We understand that 100% security is ultimately unachievable; however, throughout the release of the various security bulletins informing the public about these evolving issues, SMT has conducted the appropriate reviews within our hosting operation and implemented the industry best practices discussed here.

To learn more about SMT or how we can help, contact us online or call (407) 682-2222. 

Did you like this post?

Sign up for our Tips and Trends list and we'll let you know each week when we have a new one.

12 Ways to Get Your Business Growing Again

Categories

Web Design (27)
Web Development (36)
Misc. Website (21)
Search Engine Optimization (97)
Social Media Marketing (111)
Local Search Marketing (24)
Content Marketing (38)
PPC Advertising (34)
Digital Marketing (128)
Marketing Automation (26)
Sales Automation (21)
Company News (10)
Other (28)

Archives

Feeds