Are you working with a Web Agency? Is your company responsible for the websites of other businesses?
In this webinar we covered the implications of a security breach and why security should be important to your Web Agency.
After seeing this material you will be able to answer the question: “What can I do to reduce the risk to our business and our clients?” by exploring a 3-tiered approach to web security:
Prevention, Detection, Response
Fredericton, New Brunswick, Canada
Security is a part of who I am
1 – We can only scratch the surface today. This is a big conversation.
2 – This information is general and may not fit or apply to you. Everyone has different needs.
The agency is the trusted party by the website owner
Much of what the client learns about web technology will be from you
The agency has the ability to drastically affect the state of website security
Provide advocacy not only in core services but also in security
The sites contribute to the overall issues
Responsibility to educate them on providing a safe experience
We do not have the ability to turn a blind eye.
Communicate
- Open up a dialogue with your clients, employees, coworkers, stakeholders
Educate on the risks, implications, and the value of implementing your recommended Security approach
As GI Joe used to say: “Now you know, and knowing is half the battle”
When?
Example Project Life Cycle
Security is often introduced at the end of the cycle
It should be part of the discussion from the beginning and throughout the process.
Brand Reputation
Your brand is made up of the unique user experience you offer through your design, content, product offering and service
Your website, and the experience your audience has with it, play a critical part in the reputation of that brand
Tolerance is the highest it’s ever been around website compromises, so reputation is recoverable
Loss of trust in your brand can drive your audience to look for alternatives to your brand
Economic
Our research has shown a little over a 90% drop in traffic immediately following a compromise; that number goes up if a website gets blacklisted
Whether your website leverages ads, static content, or sells product, it directly or indirectly helps your business generate some form of revenue / exposure
Costs associated with post-compromise services, including time and money spent on tools, education and consultation
Emotional Distress
Anxiety – nothing ever goes fast enough
Confusion – unclear what steps to take, who to talk to, where to start
Anger – you want to reach across the matrix and shake someone
Sadness – a general feeling of being overwhelmed and exhausted
Distrust – an erosion of trust in technology, internet, people
Website Blacklisting
The most impactful, in that it has the ability to deter people from reaching your website and its content / products / services
SEO
Attackers gain the ability to control or manipulate what search engines see when they crawl your website, leading to dirty Search Engine Result Pages (SERP) and impacts to your Domain Authority and Value
Directly tied to the credibility of the website, and potentially affects the blacklisting of your website with search engines like Google, Bing, and others.
Visitor Compromise
Malware distribution can include various forms of “Drive by Download” attempts that look to install nefarious applications on your visitors' machines (i.e., rogue AntiVirus systems)
So, here we are. We understand the risks, we are going to communicate with our clients and prospects and educate them on security. Now, how do I approach security?
Drawing from Tony Perez’s article on perezbox.com – “basic website security framework”
Principle of Least Privileged User
This principle is about:
- Using the minimal set of privileges on a system in order to perform an action.
- Granting those privileges only for the time the action is necessary.
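The two bullets above, as an added example that is not part of the webinar: a small access-control model in which a principal carries only its standing permissions, and an elevated right is granted for exactly one action and revoked when that action ends, even if it fails. The role name, permission strings and actions are constructed for illustration.

```python
"""Least privilege: minimal standing rights, elevation scoped to a single action.
Added example; the "editor" role, permission names and actions are constructed."""
from contextlib import contextmanager


class PermissionDenied(Exception):
    pass


class AccessControl:
    def __init__(self, grants):
        # principal -> set of standing permissions (constructed sample data)
        self._grants = {p: set(perms) for p, perms in grants.items()}

    def has(self, principal, perm):
        return perm in self._grants.get(principal, set())

    def require(self, principal, perm):
        if not self.has(principal, perm):
            raise PermissionDenied(f"{principal} lacks {perm}")

    @contextmanager
    def temporary_grant(self, principal, perm):
        """Elevate for the duration of one action; always revoke on exit,
        including when the action raises. A right the principal already
        held is left untouched."""
        already_had = self.has(principal, perm)
        self._grants.setdefault(principal, set()).add(perm)
        try:
            yield
        finally:
            if not already_had:
                self._grants[principal].discard(perm)


def publish_post(ac, user, content):
    ac.require(user, "post:write")
    return f"published: {content}"


def deploy_plugin(ac, user, plugin_name):
    # Installing code needs a right the editor role does not hold standing.
    ac.require(user, "plugin:install")
    return f"installed {plugin_name}"


def demo():
    ac = AccessControl({"editor": {"post:read", "post:write"}})
    results = {}
    results["write"] = publish_post(ac, "editor", "hello")
    try:
        deploy_plugin(ac, "editor", "seo-tools")
        results["install_without_grant"] = "allowed"
    except PermissionDenied:
        results["install_without_grant"] = "denied"
    # Grant the extra right only around the one action that needs it.
    with ac.temporary_grant("editor", "plugin:install"):
        results["install_with_grant"] = deploy_plugin(ac, "editor", "seo-tools")
    # After the block the standing permission set is back to what it was.
    results["still_has_install"] = ac.has("editor", "plugin:install")
    return results


if __name__ == "__main__":
    print(demo())
```

The same shape applies to a CMS admin account used only for plugin updates, or a database user that gets DDL rights only during a migration window: the standing grant stays minimal and the elevation is bounded by the action, not left in place "for convenience".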
Passwords
Complex + Long + Random
Leverage Password Management tools
User Authentication
2FA
Captcha
Shared hosting has a bad rep due to the earlier days when there were major exploitations due to poor system administration
VPS requires more advanced sys admin skills
The issue is more with the number of sites associated with a hosting account: cross-contamination
Cross-site contamination is when a site is negatively affected by neighboring sites within the same server due to poor isolation on the server or account configuration. This phenomenon is one of the greatest contributors to the VPS/Dedicated/Shared hosting secure or insecure debate.
The greatest contributor to cross-site contamination is what I call soup-kitchen servers. Soup-kitchen servers are those environments riddled with every installation and configuration known to man. It might include tens or hundreds of different sites or different platforms (e.g., Drupal, Joomla, WordPress, etc.). The problem isn’t the quantity. They might also include sites in different phases of their lives – development, staging, production.
The biggest culprits of these configurations are agencies, freelance developers, and aspiring hosts.
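Poor isolation is something an agency can check for on its own servers. The following is an added example, not part of the webinar: an audit over a web root that flags two classic contamination paths, several sites running under the same Unix owner (a compromise of one lets its process write into the others) and world-writable files or directories. The `/var/www` layout, owner UIDs and modes in the inventory are constructed sample data; `collect_inventory` walks a real tree for use on an actual host.

```python
"""Cross-site isolation audit (added example; sample inventory is constructed)."""
import os
import stat
from collections import defaultdict

# Constructed sample: (path, owner uid, permission bits) for a multi-site web root.
SAMPLE_ROOT = "/var/www"
SAMPLE_INVENTORY = [
    ("/var/www/site-a/index.php", 1001, 0o644),
    ("/var/www/site-a/wp-content/uploads", 1001, 0o777),  # world-writable
    ("/var/www/site-b/index.php", 1001, 0o644),          # same owner as site-a
    ("/var/www/site-c/index.php", 1003, 0o640),
]


def collect_inventory(root):
    """Build the same (path, uid, mode) list from a real directory tree."""
    inv = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            inv.append((p, st.st_uid, stat.S_IMODE(st.st_mode)))
    return inv


def site_of(path, root):
    """The first path component under the web root names the site."""
    return os.path.relpath(path, root).split(os.sep)[0]


def audit_isolation(inventory, root):
    """Return findings as tuples:
       ("world_writable", site, path)
       ("shared_owner", uid, (site, site, ...))"""
    findings = []
    owners_by_site = defaultdict(set)
    for path, uid, mode in inventory:
        site = site_of(path, root)
        owners_by_site[site].add(uid)
        if mode & stat.S_IWOTH:
            findings.append(("world_writable", site, path))
    sites_by_uid = defaultdict(set)
    for site, uids in owners_by_site.items():
        for uid in uids:
            sites_by_uid[uid].add(site)
    for uid, sites in sorted(sites_by_uid.items()):
        if len(sites) > 1:
            findings.append(("shared_owner", uid, tuple(sorted(sites))))
    return findings


if __name__ == "__main__":
    for finding in audit_isolation(SAMPLE_INVENTORY, SAMPLE_ROOT):
        print(*finding)
```

On a live host you would run `audit_isolation(collect_inventory("/var/www"), "/var/www")`; the remediation for a `shared_owner` finding is one system user (and PHP-FPM pool or equivalent) per site, and for `world_writable` it is tightening the mode so only that site's user can write.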
1 – If you are using an external firewall, use it on all sites, and be sure direct access to the server (hosting IP) is restricted
2 -
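Point 1 above hinges on the origin server accepting traffic only from the external firewall's addresses; otherwise anyone who learns the hosting IP talks to the server with the firewall out of the picture. The following is an added example, not from the webinar, that encodes that allowlist check and runs it over access-log lines to surface direct-to-origin hits. The CIDR ranges are documentation ranges standing in for a real provider's published egress ranges, and the log lines are constructed.

```python
"""Origin allowlist check for a site fronted by an external firewall/WAF.
Added example; WAF_RANGES and SAMPLE_LOG are constructed stand-ins."""
import ipaddress

# Stand-ins for the firewall provider's published egress ranges (constructed).
WAF_RANGES = ["198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32"]

# Constructed access-log lines in common log format; first field is the source IP.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.19 - - [01/Jan/2024:10:00:01 +0000] "GET /about HTTP/1.1" 200 734',
    '192.0.2.44 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1201',
    '2001:db8::1 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 512',
]


def build_allowlist(cidrs):
    """Parse the ranges once and refuse a catch-all entry, which would
    silently turn the allowlist into 'allow everything'."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    for n in nets:
        if n.prefixlen == 0:
            raise ValueError(f"{n} allows the whole internet; firewall is bypassable")
    return nets


def should_accept(src_ip, allowlist):
    """True only if the connection's source sits inside one of the firewall ranges."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in n for n in allowlist)


def direct_hits(log_lines, allowlist):
    """Source IPs that reached the origin without passing through the firewall."""
    bypass = []
    for line in log_lines:
        src = line.split()[0]
        if not should_accept(src, allowlist):
            bypass.append(src)
    return bypass


if __name__ == "__main__":
    allow = build_allowlist(WAF_RANGES)
    print("direct-to-origin sources:", direct_hits(SAMPLE_LOG, allow))
```

The check belongs at the host firewall or the web server's `allow`/`deny` configuration, so that non-firewall sources are dropped before the application runs; the log pass is the detection side, useful for confirming the restriction holds after a provider updates its ranges or a new site is added outside the firewall.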