Security
1 December 2021
There are frequent headlines about companies suffering a security breach through their website. These threats come in many forms: attackers exploit weaknesses in code or in human nature to steal data they can sell, or to disrupt the company's online presence as much as they can.
The sign above the doorway you want is performance, not vulnerability.
The costs come from lost trade, refunding customers and loss of trust. The last of these can be the hardest to recover from, because affected customers are likely to tell others that your website isn't a safe place to do business.
To avoid and mitigate these risks you need to assess the impact of problems, internal and external, and have plans for prevention, mitigation and recovery.
Ideally you build a strong door with a good lock from the day your website goes live. But some vendors avoid talking about security because it is awkward when one of their customers gets caught out, and only specialist security companies go into depth because it is a specialised field. Neither pride nor ignorance should decide how your web presence is built or which walls and tools you use to keep the scanners out. New threats and vulnerabilities arise all the time: TrikeWeb blocks what is known and works to mitigate what is not yet known.
Most incidents result from user error (falling for a phishing scam) or from vulnerabilities in third-party software. The good news is that TrikeWeb avoids the latter while helping you make sure you don't fall for the former.
TrikeWeb doesn't build on third-party platforms such as WordPress or Wix. Those need constant supervision for updates and patches: they are big targets with colossal user bases, and that is their reality.
Most attempted intrusions are automated bots probing the world's 1.9 billion websites for vulnerabilities, looking for the "low-hanging fruit". Once a bot finds a vulnerability it can replicate the attack across every site built from the same code. Any data scraped is correlated with other stolen data and auctioned on the 'dark web'.
Blog comment spam has been a problem with WordPress as well, and hosting providers have been compromised through WordPress vulnerabilities, losing clients' email data. TrikeWeb closes the door on all of that by avoiding third-party scripts and vendors, which also saves a great deal of administration time and therefore money.
The Triad
The classic model of information security is the CIA (also written AIC) Triad: Confidentiality, Integrity and Availability. Every threat is assessed against each of the three, bearing in mind that compromising one often compromises the others. Mitigating these threats is vital to protecting your brand and your clients. Intrusions can affect both your site and your social media accounts, and because you are active on both, both are targets.
- Confidentiality
  - is protecting sensitive data by:
    - using strong passwords
    - using two-factor authentication
  - to prevent data exposure through:
    - email phishing
    - spoofing
    - man-in-the-middle attacks
    - human error
- Integrity
  - is protecting data from being tainted or corrupted by external actors or human error, using:
    - encryption
    - digital signatures
    - intrusion detection systems
    - access controls that deny unauthorised access
- Availability
  - is keeping data accessible in the event of:
    - power failure
    - software failure
    - hardware failure
  - failures are mitigated by:
    - an incident response sequence or service
    - local and offsite backups of data, system and applications
Defence in Depth
If you want to include a third-party vendor (and with IoT devices that is always likely), you need a risk assessment plan. Covid has shown that you or your clients may need remote access. Where necessary you can layer in software such as Suricata (an intrusion detection system) or Authy (a two-factor authentication app), so that no single control is the only thing standing between an attacker and your data.
Credit Cards
This area is governed by PCI DSS (the Payment Card Industry Data Security Standard). You will usually use a payment vendor for card transactions because they are the experts in this field. Banks and card schemes require PCI DSS compliance from anyone handling card data, and, as with health providers, regulation requires financial services to secure sensitive information. The payment vendor (PayPal, for example) must hold this compliance too. Choosing a respected vendor whose software does not reintroduce known weaknesses into your site is vital.
TrikeWeb's Security
- HTTPS with TLS on the site (TLS, the successor to SSL, encrypts traffic between the visitor and the server)
- Operating-system firewall plus a Web Application Firewall that learns as it goes
- Nginx security policy blocking common and site-specific threats
- Antivirus scanner on the server checking for malware
- Inclusion in the HSTS preload list built into Chrome and other browsers, so browsers never make a plain-HTTP request to the site: closing a small door
- MongoDB database with TLS-encrypted connections and layered access restrictions
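Inclusion in the browser preload list is only granted when the site's Strict-Transport-Security header meets the list's published requirements: a max-age of at least one year (31536000 seconds), the includeSubDomains directive and the preload directive. As an added example (not TrikeWeb's code), the Python below parses an HSTS header value and reports which of those header-level requirements it fails; the header strings in it are constructed for illustration. The live checks the list also performs (a valid certificate, HTTP-to-HTTPS redirect, every subdomain served over HTTPS) are outside what this code does.

```python
"""Check a Strict-Transport-Security header against the HSTS preload list's
header requirements.  Added illustration; not code from TrikeWeb."""

ONE_YEAR = 31536000  # minimum max-age (seconds) the preload list accepts


def parse_hsts(header_value):
    """Parse an HSTS header's directive list into a dict.

    Directive names are case-insensitive, so they are lower-cased; a
    valueless directive (e.g. ``preload``) maps to None; quoted values are
    unquoted.  Returns None if a directive name is repeated, which RFC 6797
    forbids, so the caller can treat the header as malformed.
    """
    directives = {}
    for raw in header_value.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # tolerate a trailing semicolon or doubled separators
        name, sep, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if name in directives:
            return None
        directives[name] = value if sep else None
    return directives


def preload_problems(header_value):
    """Return the reasons this header would be rejected for preload.

    An empty list means the header itself satisfies the list's requirements.
    """
    problems = []
    directives = parse_hsts(header_value)
    if directives is None:
        return ["header is malformed (repeated directive)"]

    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age directive missing or not a non-negative integer")
    elif int(max_age) < ONE_YEAR:
        problems.append(
            f"max-age {max_age} is below the required {ONE_YEAR} (one year)"
        )
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains directive missing")
    if "preload" not in directives:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    # Constructed sample headers: one that qualifies and two that do not.
    samples = [
        "max-age=31536000; includeSubDomains; preload",
        "max-age=300",                      # too short, no subdomains, no preload
        "max-age=63072000; includeSubDomains",  # preload directive forgotten
    ]
    for header in samples:
        verdict = preload_problems(header) or ["ok"]
        print(f"{header!r}: {', '.join(verdict)}")
```

The parser lower-cases directive names and strips quotes because browsers accept both forms, so a checker that only did exact string matching would reject headers that Chrome itself honours.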
Remember the sign above the doorway you want is performance, not vulnerability.
Allow TrikeWeb to build the website properly from the beginning.