Website security is an ongoing concern for businesses.
Compromised security communications have resulted in large amounts of revenue
loss and damaged reputations of small and large companies.
While extremely important, because of its technical
complexities, many companies running websites ignore or fail to keep themselves
informed about the latest developments and the practical ways to protect their
websites and their customers’ information.
In this article we will provide you with some information
about how to ensure your sites remain secure for you and your customers.
High-Profile Security
Vulnerabilities
High-profile vulnerabilities of the last 18 months include
Beast, Poodle, Freak and Heartbleed, all of which enable attackers in one way
or another to intercept and decode pieces of a secure communication under the
appropriate circumstances. Probably the most memorable of these was Heartbleed.
This threat allowed the stealing of the information protected, under normal
conditions, by the SSL/TLS encryption used to secure the Internet. This threat
from 2014 made major headlines and could possibly have affected anyone as it
affected the software in the services that we all use. The fix for this bug was
to update and protect the OpenSSL being used by those sites and for users to
change their passwords. Those who failed to update were likely to stop being
used, as people feared the security threat.
Vulnerabilities are
Specific
The vulnerabilities are specific to various client and
server configurations. The presence or absence of these vulnerabilities depend
on the software that runs the website, on the server side, and the browser that
communicates to the server, on the client side. The Heartbleed vulnerability,
for instance, was specific to systems using the OpenSSL cryptographic software
library such as Apache and Linux servers but was not present in Windows-based
IIS servers.
Beware of RC4 and
SHA-1
A highly popular and widespread encryption algorithm (or
cipher) – RC4 has been demonstrated to allow an attacker to recover parts of
the original HTTP message, such as cookie values in a “secure” transmission.
Disabling the RC4 ciphers on your server is essential to protecting you and/or
your customers’ information.
SHA-1 security certificates are being discontinued. The
computational power cost required to break their security is on track to
becoming too affordable for major security experts to consider it safe for the
public. When renewing your secure certificate, be sure to acquire one that
supports the SHA-2 (SHA-256) cryptographic hash algorithm.
6 Big Takeaways if
Your Website Uses a Secure Connection:
1. Make sure that you keep your browser(s) updated.
All latest versions of Chrome, Firefox, Safari, Internet Explorer, and
Microsoft Edge already have support for the most secure protocols and ciphers.
2. If your site is on Apache, make sure that the
proper OpenSSL patch has been applied to the server to prevent the Heartbleed
vulnerability.
3. Disable the SSL 3 and SSL 2 protocols on the
server.
4. Disable the RC4 ciphers on the server
5. Enable TLS 1.2 if your server does not have it
currently enabled
6. or your next secure certificate renewal, be
sure to acquire one that supports the SHA-2 (SHA-256) cryptographic hash
algorithm.
How Sales &
Marketing Technologies Can Help with Security Issues
While some companies might treat these issues with apathy
and detachment, Sales & Marketing Technologies (SMT) is constantly
evaluating the various security threats and exploits confronting website
operators worldwide. The headlines tell us that no system is impervious to
attack or compromise. We understand that 100% security is ultimately
unachievable; however, throughout the release of the various security bulletins
informing the public about these evolving issues, SMT has conducted the
appropriate reviews within our hosting operation and implemented the industry
best practices discussed here.
To learn more about SMT or how we can help, contact us online
or call (407) 682-2222.