4. Update all software, operating systems and internet browsers
Cybercriminals constantly look for vulnerabilities to exploit, so it is important to keep all systems up to date. This ensures that the latest and most secure version is in use.
5. Keep all web server components up-to-date
As for all information and technology systems, updates of website components are also crucial to make sure any known vulnerability is remediated, giving hackers no chance to exploit it.
The typical components for a web server include:
- The BIOS/firmware of the hardware the organisation’s server is running on;
- The operating system of the server;
- The actual web service used (e.g., Apache, nginx, IIS, etc.);
- The content management system (e.g., Drupal, Joomla, WordPress, etc.);
- Optionally, the virtualization layer.
Very few organisations build their website from scratch. They usually use third-party products, which come with a great number of plugins and themes. Make sure to also keep those up to date. The developers of those third-party components are constantly looking for new vulnerabilities. Applying the updates is thus crucial to run the least vulnerable version of each component used.
6. Secure the access to and update the content management system
As stated previously, one of the important steps to take to make a Content Management System secure is to keep it and its plugins up to date. Cybercriminals always look for new vulnerabilities to exploit, but security patches are released to fix those vulnerabilities. It is thus important to apply the updates as soon as they are available.
In addition, the Content Management System can be protected by not using the default configuration for accounts and passwords, but instead creating one’s own admin account with a strong enough password and implementing Multi-Factor Authentication.
Multi-Factor Authentication requires a user to provide at least two different methods (e.g., a password and a PIN code, or a PIN code and a code received via text message) to verify their identity before they are granted access to the resource they are trying to reach.
Finally, a regular review of the user list must be integrated into the access management process. This applies not only to users having access to the Content Management System, but also to every other user within the organisation in general. This review allows the organisation to check that no test users are still active, and that no users who shouldn’t be there were added.
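The periodic user review described above can be partly automated. The following Python script is an added example (not code from the original guidance or from any particular CMS): it takes a constructed user export and flags the accounts a reviewer would want to look at first. The field names, the "test"-style name markers and the 90-day inactivity threshold are assumptions for the example; adapt them to the real export format and the organisation's own policy.

```python
from datetime import date

# Constructed sample user export. In practice this comes from the CMS or
# directory; the field names here are assumptions for the example.
SAMPLE_USERS = [
    {"username": "admin",          "role": "administrator", "last_login": "2024-01-02", "active": True},
    {"username": "jdoe",           "role": "editor",        "last_login": "2024-05-20", "active": True},
    {"username": "test_user",      "role": "editor",        "last_login": "2023-03-01", "active": True},
    {"username": "contractor-old", "role": "author",        "last_login": None,         "active": True},
    {"username": "msmith",         "role": "administrator", "last_login": "2024-05-25", "active": False},
]

# Name fragments that usually indicate accounts created for testing (assumed list).
TEST_MARKERS = ("test", "demo", "tmp", "temp")
# Default administrator names that should not exist as live accounts (assumed list).
DEFAULT_ADMIN_NAMES = {"admin", "administrator", "root"}


def review_users(users, today, max_inactive_days=90):
    """Return a list of (username, reason) findings for an access review.

    Only active accounts are examined: a disabled account needs no further action.
    One account can produce several findings (e.g. a test account that is also stale).
    """
    findings = []
    for u in users:
        if not u["active"]:
            continue
        name = u["username"].lower()
        if any(marker in name for marker in TEST_MARKERS):
            findings.append((u["username"], "looks like a test account"))
        if name in DEFAULT_ADMIN_NAMES:
            findings.append((u["username"], "default administrator account name"))
        if u["last_login"] is None:
            findings.append((u["username"], "never logged in"))
        else:
            last = date.fromisoformat(u["last_login"])
            if (today - last).days > max_inactive_days:
                findings.append((u["username"], f"inactive for more than {max_inactive_days} days"))
    return findings


def admin_count(users):
    """Number of active administrator accounts; a useful figure to track between reviews."""
    return sum(1 for u in users if u["active"] and u["role"] == "administrator")


if __name__ == "__main__":
    for username, reason in review_users(SAMPLE_USERS, date(2024, 6, 1)):
        print(f"{username}: {reason}")
    print("active administrators:", admin_count(SAMPLE_USERS))
```

The output of the script is a worklist, not a verdict: each flagged account still has to be confirmed with its owner or removed through the normal access management process.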
7. Implement the HTTPS protocol
The HTTPS protocol is used on the Internet for secure communication and data transfer over a computer network. It is the secured version of HTTP. Just like HTTP, HTTPS is used to send data between a web browser and a web server. The difference is that HTTPS encrypts the data to protect the transfer. Through the encryption of all exchanges between a web browser and a web server, HTTPS ensures that no outsider can eavesdrop on the ongoing communications. Even if an attacker is able to intercept the data, as it is encrypted, they will not be able to read or use it.
8. Encrypt, backup and control the access to the database
Data is one of the most valuable assets an organisation has. This is why it should be protected accordingly. It is important to encrypt the data at rest (i.e., when stored in a database and not used) and strictly control the access to that database.
In addition, those databases must be backed up to make sure that even if an incident occurs, the data can still be recovered. It is important to regularly test those backups to confirm that they can actually be used if needed, after an incident.
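Regularly testing a backup means actually restoring it and checking the result, not just confirming that the file exists. The following Python script is an added example, not part of the original guidance, of such a restore test on a small SQLite database: it takes a consistent copy with SQLite's online backup API, records the copy's SHA-256, and then restores the copy to a scratch location and checks its checksum, its internal integrity and its row count against what the live system had. The database, table and row counts are constructed for the example; a real drill would use the organisation's own backup tooling and a representative data sample.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path


def create_sample_db(path):
    """Create a constructed 'live' database with three rows (example data only)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    con.executemany("INSERT INTO customers (email) VALUES (?)",
                    [("a@example.org",), ("b@example.org",), ("c@example.org",)])
    con.commit()
    con.close()


def backup_db(src, dst):
    """Take a consistent online copy of src into dst and return the copy's SHA-256.

    Storing the checksum next to the backup lets the restore test detect a file that
    was corrupted or altered after it was taken.
    """
    src_con = sqlite3.connect(src)
    dst_con = sqlite3.connect(dst)
    with dst_con:
        src_con.backup(dst_con)
    dst_con.close()
    src_con.close()
    return hashlib.sha256(Path(dst).read_bytes()).hexdigest()


def verify_backup(backup_path, expected_sha256, expected_rows):
    """Restore test: returns (ok, message). Never touches the live database."""
    if hashlib.sha256(Path(backup_path).read_bytes()).hexdigest() != expected_sha256:
        return False, "checksum mismatch (backup corrupted or altered)"
    restored = Path(tempfile.mkdtemp()) / "restored.db"
    restored.write_bytes(Path(backup_path).read_bytes())   # the actual restore step
    con = sqlite3.connect(restored)
    try:
        (status,) = con.execute("PRAGMA integrity_check").fetchone()
        if status != "ok":
            return False, f"integrity_check failed: {status}"
        (rows,) = con.execute("SELECT COUNT(*) FROM customers").fetchone()
        if rows != expected_rows:
            return False, f"row count {rows}, expected {expected_rows}"
    except sqlite3.DatabaseError as exc:
        return False, f"restore failed: {exc}"
    finally:
        con.close()
    return True, "restore test passed"


def run_backup_drill():
    """Full drill: back up, verify, then corrupt the copy and confirm the check catches it."""
    work = Path(tempfile.mkdtemp())
    live, backup = work / "live.db", work / "live.bak"
    create_sample_db(live)
    digest = backup_db(live, backup)
    good_ok, good_msg = verify_backup(backup, digest, expected_rows=3)
    # Simulate a damaged backup file (truncated to 512 bytes) and rerun the same check.
    backup.write_bytes(backup.read_bytes()[:512])
    bad_ok, bad_msg = verify_backup(backup, digest, expected_rows=3)
    return good_ok, good_msg, bad_ok, bad_msg


if __name__ == "__main__":
    print(run_backup_drill())
```

The drill deliberately ends by damaging the copy, because a restore test that has never been seen to fail gives little assurance that it would catch a bad backup.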
9. Disable directory browsing
Directory browsing gives people visiting a website access to the content of a directory, i.e., all the files and folders it contains.
Directory browsing must be disabled so attackers cannot stumble upon an organisation’s data simply by using search engines. In addition, files must not be stored in default or publicly accessible locations.
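Both point 7 (enforce HTTPS) and point 9 (disable directory browsing) come down to web server configuration, so they can be checked together. The following Python script is an added example, not part of the original guidance, that audits nginx server blocks for the weak settings: a plain-HTTP block that serves content instead of redirecting to HTTPS, an HTTPS block without a Strict-Transport-Security header, and `autoindex on`. The two configurations it inspects are constructed for the example, one weak and one hardened; the script assumes the file contains top-level `server { ... }` blocks as in a typical sites-enabled file, and it is a text-level check, not a replacement for `nginx -t` or for testing the live site.

```python
import re

# Constructed weak configuration: the HTTP block serves content directly (no redirect),
# directory listing is enabled under /uploads/, and the HTTPS block sends no HSTS header.
WEAK_CONFIG = """
server {
    listen 80;
    server_name example.org;
    root /var/www/html;
    location /uploads/ {
        autoindex on;
    }
}
server {
    listen 443 ssl;
    server_name example.org;
    ssl_certificate     /etc/ssl/certs/example.pem;
    ssl_certificate_key /etc/ssl/private/example.key;
    root /var/www/html;
}
"""

# Constructed hardened configuration: HTTP redirects to HTTPS, HSTS is set, autoindex is off.
HARDENED_CONFIG = """
server {
    listen 80;
    server_name example.org;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name example.org;
    ssl_certificate     /etc/ssl/certs/example.pem;
    ssl_certificate_key /etc/ssl/private/example.key;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    root /var/www/html;
    autoindex off;
}
"""


def split_server_blocks(config):
    """Return the body of each top-level server { ... } block (comments stripped, braces counted)."""
    text = re.sub(r"#.*", "", config)
    blocks, depth, start = [], 0, None
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                # Only keep blocks introduced by the 'server' keyword; skip e.g. events { }.
                start = i if text[:i].rstrip().endswith("server") else None
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0 and start is not None:
                blocks.append(text[start + 1:i])
                start = None
    return blocks


def audit_nginx(config):
    """Return a list of findings (empty when the configuration passes the three checks)."""
    findings = []
    for block in split_server_blocks(config):
        listens = re.findall(r"\blisten\s+([^;]+);", block)
        is_tls = any("ssl" in directive.split() for directive in listens)
        if re.search(r"\bautoindex\s+on\s*;", block):
            findings.append("directory listing enabled (autoindex on)")
        if not is_tls and not re.search(r"\breturn\s+30[1278]\s+https://", block):
            findings.append("plain-HTTP server block serves content instead of redirecting to HTTPS")
        if is_tls and "Strict-Transport-Security" not in block:
            findings.append("HTTPS server block does not send a Strict-Transport-Security header")
    return findings


if __name__ == "__main__":
    print("weak:", audit_nginx(WEAK_CONFIG))
    print("hardened:", audit_nginx(HARDENED_CONFIG))
```

The Apache equivalent of `autoindex off` is `Options -Indexes` in the relevant `<Directory>` section; whichever server is used, the "files must not be stored in default or publicly accessible locations" advice above still applies, since a check like this only covers listings, not individual files that are reachable by name.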