For myself, I am a fairly cautious internet user. I research, consider, research some more and then consider some more, when I am looking for downloads or sites to join, or whatever. Oftentimes this internal debate will go on for long periods of time before making a decision and acting on it (my current personal debate is on torrents and their safety). However, I also realize that I probably make a bigger deal of decisions involving the web than does the average business owner, just my nature.
Absolutely not a bad thing, I believe. Although there are, of course, always going to be exceptions, I suspect that the vast majority of security breaches, malware, virus infections and other such things that occur throughout where the average user-base is concerned, if not for a lack of such caution, could easily be prevented. Although there is a significant pool of examples out there of far more elaborate ploys and methods for infection available, by far, there is absolutely no shortage of examples of such ploys and methods of infection whereby victims become victims due to clicking on a suspicious email link, willingly downloading an untrustworthy program, choosing to use a password for the credentials of a login for an untrustworthy website that has already been used for something like the credentials for an online banking login page, and other similar such things.
But I also realize that it is entirely possible for a client to try to do something through or do something with their website, and because they do not know what they are doing, they could unknowingly create access for someone on the outside to gain entry to not just their site, but their business as well.
It's always good to hear when those in the role of webdesigner and similar such roles, current or aspiring, take an active interest in the security and safety of their clients, and by far, unfortunately, I believe that there are far too many that don't.
It's difficult to know exactly where to start with suggestions outside of specific context and outside of knowing precisely what is and isn't already known, but I can certainly offer a few potential starting points for areas to research into (some are obvious and very generalised, some are more specifically dealing with your specific areas of interest).
- Effective use of passwords and securing all back-end systems: Making sure that anything on the website that's directly interactive with the website in ways that can result in modifying how that website operates (such as administration areas and the likes) and that need to be there are secured with proper login requirements, that these logins are managed effectively (a point of research would be for how to secure login pages) and that the passwords used for these logins are secure in themselves (such as making sure that clients don't use passwords like "god", "power123", their children's birthdays, their favourite colour or any other obvious choices that could be easily guessed, deduced or brute-forced; things like that). If possible, close any unrequired back-end ports, and ensure that access points for back-end systems such as FTP, cPanel and MySQL (if present), aren't left unsecured. If passwords are being stored somewhere, make sure that they're hashed or encrypted (or both), as opposed to being stored in plain-text format.
- Sanitisation, sanitisation, sanitisation: If there are any forms on websites that allow users to post data that then gets processed by the website and saved onto a database, emailed to the client or otherwise stored anywhere in some way or another, ensure that all data entered is correctly sanitised during processing and prior to being stored; A good point of research would be to look into things like "website sanitisation", "SQL injection" and "XSS vulnerabilities". Failing to ensure good sanitisation for a website is essentially a guarantee that the website in question will be hacked, defaced and compromised in a very short period of time.
- Putting yourself into the shoes of your clients, imagine one day that the websites you'll be about to create are hacked and the information contained therein stolen by the hackers responsible; Is the stealing of any of that information a critical threat to the client? If it is, if possible, do your best to make sure it never gets put up on the website in the first place. Information that doesn't exist on a particular website can't be directly obtained by hacking that particular website. Basically, if something is too dangerous to be online, then, it probably shouldn't be online. When making backups of databases or sensitive information, store that data offline, on secured hard-drives or similar; Don't keep it online where it can be potentially accessed by unwanted third parties.
- Keeping everything up to date: Whatever you're using to power the websites you build, if you're using some CMS (Content Management System), forum software or similar, make sure that you're using the latest available versions of that software and keep an eye out for any new security vulnerabilities, exploits or similar that are announced regarding that software.
- PCs, laptops and phones aren't the only things affected by malware and viruses; Servers and websites can become infected, too. If it's at all possible, and if you have any control over it (this can be especially difficult to manage over shared hosting environments or any similar environments where you might not always have absolute control over the environment where the website exists), try to see to installing an anti-virus and/or anti-malware solution to help protect it. If you can't, or if it isn't possible, don't worry too much, because there are ways around this problem, but, if you can and if it's possible to do, this is especially important to do if you happen to allow users other than the client to upload files to the websites in question.
- Assuming that you have some level of control over what does and doesn't exist on the back-end, remove anything that interacts with the server or website at the back-end level that isn't actually required at all; If there's a chance something could pose a security risk, naturally, we'll want to negate that risk; In the event that it's something that doesn't need to be there, the easiest way to secure it, of course, would be to just remove it altogether.
- Although it isn't always a viable option, where viable, hosting a website on a machine of its own, rather than in a shared hosting environment, is always going to be more secure; This is because, if a single machine is hosting thousands of different websites, if that machine isn't entirely secured and there exists some vulnerability on any one of those thousands of different websites allowing an attacker to compromise the machine, then that vulnerability will essentially pose a risk to and affect every other website on that same machine. In this case, unfortunately, you'll inevitably end up playing the game of cost weighing, because dedicated hosting on dedicated machines, although generally far more secure, tends to cost a lot more money than shared hosting on non-dedicated machines (unless, of course, you just host it yourself on a machine at home, in which case, the costs can be very cheap, but, that option also often isn't so viable for everyone for various other reasons, such as the policies set forth by the ISP managing the connections that run to and from the machine in question, potential issues with bandwidth, speed and other such things; I also feel that there's a higher learning curve for hosting at home rather than hosting with an actual hosting company, certainly, not an insurmountable learning curve, but a slightly higher one nonetheless).
A few general ideas to take on-board, though not necessarily suggestions for things to research:
- Never trust user input and never trust the client-side (as opposed to server-side); If you code something to interact with the information sent to the website by a user's browser (such as UA information, for example), considering that almost anything sent to the website by a user/visitor can be potentially forged, never treat that information as an absolute truth.
- Always back up; If something is important enough that it'd be problematic if something were to happen to it, keep regular, up-to-date backups of it.
- Keep proactive; Security is an ever-changing and ever-evolving game, and as time progresses, so do the standards and so does what you do and don't need to know, and as such, there'll always be new things to learn and there'll always be room to improve.
- Never panic; Security is always easier to deal with when we're level-headed.
- Read lots of tutorials, pull apart anything you like that you can get your hands on to try to work out how it works, experiment like mad, and if you've got an idea, give it a go.
- If you have questions about something or if you need help, never be afraid to ask.
I am watching Captain America as I write this. There is a line that one of the bad guys says that makes the point that 'our lives are a digital book in the 21st century', everything that defines us is online somewhere, somehow.
Great movie; Enjoyed watching that one. And also very true; Ever more so due to our ever-increasingly digitised lives and a society that ever-increasingly relies on internet-based technologies.
While I don't plan to become a security expert or anything like that, I do very much want to be able to provide security on a case-by-case basis for my future clients. After all, who would actually use Google if they were always being hacked, or spammed, or whatever. By providing my clients a safe and secure site, they are in turn providing the same things for their customers to browse in, thus helping customers to want to spend money.
That is my goal. That is what I desire most to learn. That is my starting point, as more will always follow because 1 answer always creates 2 questions.
Like I said, both easy and difficult to answer, but it is a definite direction.
Indeed it is, and well answered! It sounds to me like you've got a very good idea of what you're wanting and where you're going, and I think it's definitely a good direction to be heading. Happy to help wherever possible, as, I've no doubt, is the wider community here at MalwareTips. I hope that some of this helps out in some way, and again, welcome to the community.
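The sanitisation point and the "never trust user input" point in the lists above both come down to one habit: user-supplied text must never be able to change the meaning of the SQL or HTML it ends up inside. This added example (not code from either poster) shows a form handler done both ways over a constructed in-memory SQLite table: a lookup that concatenates the username into the query beside one that uses a bound parameter, and a comment renderer that drops the text straight into HTML beside one that escapes it. The same escaping applies to any browser-supplied value you might log or display later, such as a User-Agent string. Table layout and sample rows are constructed for the demonstration.

```python
import html
import sqlite3
from typing import List, Tuple


def make_demo_db() -> sqlite3.Connection:
    """Constructed users table standing in for a real site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """SQL injection: the form value is pasted into the query text.

    A value containing a quote can close the string literal and add its own
    conditions, so the query no longer means what the developer wrote.
    """
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Parameterised query: the value is bound as data, never parsed as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_comment_vulnerable(comment: str) -> str:
    """XSS: user text becomes part of the page's HTML as-is."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """Output encoding: <, >, &, quotes become entities, so the text stays text."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


if __name__ == "__main__":
    db = make_demo_db()
    # Constructed hostile form value: closes the quoted literal and ORs in a
    # condition that is always true.
    probe = "' OR '1'='1"
    print(lookup_vulnerable(db, probe))   # every row in the table
    print(lookup_safe(db, probe))         # [] : no user is literally named that
    print(lookup_safe(db, "alice"))       # [('alice', 'alice@example.com')]

    payload = '<script>alert("hi")</script>'
    print(render_comment_vulnerable(payload))  # browser would run the script
    print(render_comment_safe(payload))        # browser shows it as literal text
```

Note that the safe versions do not try to "clean" the input by stripping characters; they keep the data and the code separate, which is the property that actually holds up when someone finds an encoding the filter missed. Escape at output time, into whichever context the value is going (HTML body here; attributes, JavaScript and URLs each need their own encoding).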