Having web security vulnerabilities can make or break your ecommerce business. Verizon’s 2021 DBIR shows that misconfigurations were involved in more than 50% of data breaches in 2020. We’ll break down the most common website security mistakes companies make so you can learn from them
Whether it’s misconfiguring your site’s security settings or not using adequate security measures for your web apps, web security vulnerabilities are a big issue for businesses. They lead to many issues like cyber attacks and data breaches — the latter of which IBM reports costs businesses globally an average of $4.24 million a year.
In this article, we’ll break down seven of the most common website and web app security mistakes organizations make and what you can do to avoid them.
Web Security Mistake #1: Having Poor Access Management Policies & Procedures
Image: A screenshot of Admin dashboard updates tab in WordPress
Broken access control ranks as the top web application security risk in the Open Web Application Security Project’s (OWASP) Top 10 list for 2021 (which is under peer review). Carefully managing who has access to what resources, and how they access them, plays a central role in your organization’s overall security posture.
Say, an admin-level user’s website credentials get compromised in a phishing scam. The threat actor who stole their username and password now has access to your website’s dashboard and can cause immeasurable damage. They can use their newfound access to:
- Alter, steal or delete information,
- Upload malicious files and software,
- Change links to redirect users to other malicious sites, or
- Cause unspeakable damage to your brand name and reputation.
How to Mitigate Access Control-Related Issues
Let’s state this plainly for the record: If someone doesn’t need privileged access to your website to do their job, don’t give it to them. This applies to not just your website but to your organization’s IT systems and other resources in general.
The more privileged users you have, the more your organization’s attack surface expands. Giving access to people who don’t need it increases your exposure risk when (not “if”) something goes wrong. This is why it’s crucial to create and enforce access control policies and procedures. Having these documents in place provides guidance relating to:
- Who gets access and why,
- How that access is given and to what systems,
- What security measures are in place to ensure secure access,
- How users’ identities are verified,
- Who manages users’ access, and
- How and when access should be revoked (such as when employees leave the company).
Web Security Mistake #2: Allowing Untrained Employees to Access Your Site
Access should only be granted to users who need it to perform their jobs and are familiar with cyber security best practices. This is particularly an issue for small businesses where employees often wear multiple hats. Your office manager also might be someone who is responsible for updating the content on your website. But if they don’t know website security and general cyber security best practices, how can they implement them?
How to Increase Cyber Security Awareness
Although cyber awareness training is something that all employees should receive, you can provide additional, specialized security training for website users within your organization. This includes anyone who has access to your website and other sensitive systems, such as marketing and sales personnel.
Cyber awareness training should cover:
- Real-world examples of common cyber attacks (including phishing scams and social engineering techniques).
- Best practices for account security and general cyber security.
- Your organization’s internal security policies and procedures.
- How employees can report security issues (and who to report them to).
Cyber awareness training shouldn’t be a one-and-done thing. It’s something you should offer regularly and require all employees, regardless of their rank within your organization, to complete. Using phishing tests and other similar methods is a great way to enhance that training because it allows you to see how your employees apply what they learn and helps you identify security knowledge gaps that you can address in future training sessions.
Web Security Mistake #3: Not Properly Securing Your Site or Web App’s Data
In business, data is everything. The data you store likely includes everything from intellectual property to your customers’ sensitive personal and financial information. If that data falls into the wrong hands, it can spell disaster both from business and compliance standpoints — which is why you need to do everything within your power to keep it secure.
Data security often boils down to protecting data both while transmitting across the internet (in-transit data) and when it’s sitting on your servers (at-rest data). The difference between these types of data encryption boils down to what is being secured and how:
- For at-rest data encryption, you’re securing the message itself — it’s the equivalent of speaking in code over an insecure phone line. This method of encryption, known as symmetric encryption, involves the use of a single key that both encrypts and decrypts data.
- With in-transit data encryption, you’re actually encrypting the communication channel instead of the message itself — it’s like speaking normally over a secure phone line. This type of encryption, known as asymmetric encryption, involves the use of two separate but related keys (i.e., a public-private key pair) that uses one key to encrypt data (public key) and the other to decrypt it (private key).
As such, the connections between site users and your web server need to be secure, and your at-rest data — including your site backup files — should be stored in an encrypted format.
How to Secure Data At Rest
Before you upload any sensitive data to your server or the cloud (i.e., credit card information or customer information), be sure to encrypt that data first to provide an added layer of security. This makes it so that even if an unauthorized user manages to get their hands on your encrypted files, they can’t see, change, or use your data without having access to the corresponding decryption key.
Furthermore, all databases should be secured with a password. We saw what happens when companies store unencrypted data without a password on public servers in the January 2021 Socialarks data leak. More than 400GB of personal data from at least 214 million users was left exposed on an ElasticSearch database. Even if you’re not storing sensitive data, per se, hackers can still go in and inject malicious code into your website.
Use a firewall to keep tabs on inbound and outbound traffic and a web application firewall to prevent cyber attacks. Another good rule of thumb is to keep your website and other public-facing assets on a dedicated server. Keeping your internal assets, resources, and data separate helps to mitigate risk and limit exposure.
How to Secure Data In Transit
The internet is innately insecure and transmits information via the insecure hypertext transfer protocol (HTTP). When data transmits from your customers’ browsers to your web server(s), it doesn’t travel in a straight line. Rather, the information bounces back and forth between various touchpoints — gateways, routers, etc. — while trying to find its way until it finds the right destination. And without the use of encryption, that data would transmit in plaintext format, meaning that bad guys can intercept and read, alter, or steal that data while it’s in transit.
An SSL/TLS certificate is a digital file that enables you to serve your website or web app via the secure HTTPS protocol. Also known as a website security certificate, it benefits your website both in terms of security and search engine rankings. It makes it for users who connect to your website to share their sensitive data via secure, encrypted channels.
Web Security Mistake #4: Improperly Managing Your SSL/TLS Certificates
However, all of the benefits of encrypting your data in transit go out with the window if you fail to properly manage your certificates and their corresponding private keys. Needless to say, using expired SSL/TLS certificates or compromised keys spells bad news for you and your customers:
- Your customers’ data transmits via insecure channels. When you don’t use encryption, or if that certificate’s security is compromised because a bad guy gets their hands on your private keys, man-in-the-middle attackers can intercept your customers’ data while it’s in transit.
- You’ll experience service outages in your web apps. Another big issue with using expired certificates is that it causes service outages. We recently saw examples of this with Google Voice and the Microsoft Exchange admin portal.
How to Manage Your Certificates and Keys
The best way to avoid these issues is to follow certificate management best practices for managing your certificates’ lifecycles. And the easiest way to ensure that you don’t have any expired or revoked certificates in use on your public (and private) domain and network is to use a certificate management tool that gives you complete visibility of your network.
A good certificate manager helps you know:
- Which certificates and keys are valid,
- Where they’re deployed,
- When they’re set to expire, and
- Who’s responsible for managing them.
Web Security Mistake #5: Ignoring Vulnerabilities in Your Site or Web Apps
Vulnerabilities are the weak points in your web security defenses that cybercriminals seek out to target. If you don’t take steps to address the vulnerabilities that exist within your defenses, it’s like adding heavy-duty locks to your front door while ignoring the gaping holes that exist in the walls surrounding it.
How to Mitigate Vulnerabilities Within Your Website and Web Apps
One of the best ways to secure your online resources is to check them regularly for weaknesses. This includes:
- Performing regular website vulnerability testing,
- Running vulnerability and malware scans (and blocking cybercriminals from running those scans on your site), and
- Checking your code and web apps for client- and server-side weaknesses that leave you vulnerable to SQL injections and cross-site scripting (XSS) attacks.
By taking steps to mitigate these vulnerabilities immediately, you’re decreasing the chances of a cybercriminal finding and exploiting them first.
Web Security Mistake #6: Practicing Poor Password Security
Strong password security is something that both website admins and their authorized users are responsible for. But good password security involves more than just users creating unique, strong passwords — it’s also about how you save password-related data on the backend.
Let’s quickly explore what both parties can do to help keep user accounts secure.
How to Improve Frontend Password Security (For Users)
The best way to protect the security of your accounts as a user is to use unique, long passphrases in lieu of complex, hard-to-remember passwords. The idea here is to use a passphrase like RoboExposureSequenceQuality instead of trying to remember a password like V9n*c38SV!GnQQ$we.
The idea here is that these passwords are hard for bad guys to guess and easier for you to remember than random combinations of letters, numbers, and special characters. If you can remember your password, you’re less likely to write it down or reuse it on other accounts — both of which bad password security practices leave your account open to compromise.
Here’s some useful information about creating strong passphrases from the Federal Bureau of Investigation (FBI):
How to Improve Backend Password Security (For Admins)
Password security boils down to the internal policies, procedures, and technologies you use to keep accounts secure. In addition to being integral to your organization’s web and data security, using strong passwords is also a compliance requirement for many regulations (such as the Payment Card Industry Data Security Standards, or what’s commonly known as PCI-DSS). This is why you should:
- Document and enforce internal security policies (including a password policy).
- Require users to set up strong passphrases (blacklist common passwords that can be brute-forced or used in credential stuffing attacks).
- Allow users to use password management tools.
- Give users the ability to paste passwords instead of having to type them manually.
- Avoid requiring employees to enter passwords at all by using certificate-based authentication.
Follow Password Storage Best Practices
If you want to allow site users to save their passwords in your web apps for user-friendly authentication, that’s fine. But you should only be saving their salted password hashes and not the passwords themselves. Storing passwords in plaintext is a bad idea no matter how you look at it. If someone gains access to your site’s database, then they have access to that information. This is why you should only store salted password hash values. There are two reasons why this is important:
1. Hashes are one-way functions that can’t be reversed. This means that someone can’t just reverse a hash to generate the original password input. So, the plaintext password never gets stored in the first place.
2. Proper salting generates unique password hashes (even when multiple people use the same password). A salt is an unpredictable and random value (integer). By adding a unique salt to each password prior to hashing, then no two passwords will have the same hash value. This makes it virtually impossible for bad guys to crack using hash tables or rainbow table attacks.
Web Security Mistake #7: Not Applying Updates and Patches
Image: A screenshot of Admin dashboard updates tab in WordPress
It amazes me how something so fundamental typically gets ignored. Patches and other updates are how manufacturers and developers fix bugs and other vulnerabilities within their products. Your operating systems, software, website themes and plugins aren’t immune to vulnerabilities; in fact, they’re often among the biggest security weaknesses websites have!
Running outdated software is a huge risk. Kaspersky’s Global Corporate IT Security Risks Survey (ITSRS) data shows that 65% of businesses that sustained data breaches were using outdated software. Compare this to the 29% of breached organizations that kept their systems updated. Imagine how many of these companies could have avoided being breached simply by taking the time to update their software.
In terms of WordPress-related websites, data from wpscan.com shows that 89% of plugins and 7% of themes have vulnerabilities. Hackers search for websites that use outdated software, plugins and themes because it’s an easy way in. Why should a hacker spend their time and energy trying to hack your site when they can walk through the door you’ve left open?
How to Keep Your Systems Current
You can keep your website and other systems up to date by manually applying updates yourself or by using automation tools to handle these tasks for you. Manual updates require you to remember to do them and actually take the time to apply them. This important responsibility can easily fall by the wayside when you get sidetracked or distracted. And when you finally do get around to applying the updates, it may take a while depending on the size of your organization and how many updates you have to do.
Implementing automatic updates and patching frees you up from these important (but repetitive) tasks so you can focus on other critical issues. Another advantage of this method is that your patching responsibilities won’t fall behind and wind up leaving your systems vulnerable.
Final Thoughts on How to Avoid Web Security Mistakes
The reality is that today’s world is digital. Customers turn to the internet to find solutions for their problems. Part of this involves buying products and services from their favorite ecommerce sites and service providers.
Companies use websites to build brand awareness and to sell products and services. But if you aren’t taking the appropriate steps to ensure that your online transactions and data are secure, the only reputation you’re going to make for yourself is a bad one.