Is Your Website Safe?
Posted by Stephen Tidmore on September 10, 2015
A version of this article originally appeared in the September/October issue of Association Leadership, the magazine of the Texas Society of Account Executives. It was written by Stephen Tidmore and Nick Weynand.
In early July, we learned that the U.S. Office of Personnel Management suffered two major data hacks that led to the distribution of more than 21.4 million Americans’ sensitive personal information. The depth and detail of the information stolen is unprecedented. FBI Director James Comey said of the breach, “It’s a treasure trove of information about anybody who has worked for, tried to work for, or currently works for the United States government.”
While it is the largest single cyber theft in American history, the OPM breach isn’t nearly the first – nor will it be the last. To wit:
- In 2014, a number of major online retailers such as eBay, Staples, Neiman Marcus, and Home Depot saw millions of their customers’ credit card numbers stolen.
- Non-retailers such as JP Morgan Chase (finance), Community Health Systems (healthcare), and Sony (entertainment) have fallen victim to hackers recently.
- The famous “Heartbleed” bug of 2014 was a flaw in the widely used OpenSSL library (which encrypts much of the traffic on the Internet). It let an attacker read chunks of a server’s memory, exposing highly sensitive information such as usernames, passwords, and the server’s own private keys.
Cyber security failures have become so common, in fact, that U.S. News and World Report tagged 2014 the “year the hack went viral.” As technology extends further into our daily lives, and as more data is put into the cloud, the steps you take to secure your members’ data are critical.
And while most hackers will continue to target larger organizations in possession of sensitive and actionable data, associations are not immune to the nefarious intentions of these anonymous (and often foreign) digital thieves. In fact, a couple of TSAE member associations have been victims of cyber attacks in the last few years.
Having designed and constructed several major association websites – including TSAE’s – we’re keen on ensuring that your association’s site is equipped with the tools, policies, and training necessary to discourage hacks.
The Benefits of Online Security
Despite what Hollywood suggests, hacking encrypted data isn’t a simple task. The OPM breach was actually two breaches conducted over the course of months by what is assumed to be a large team of hackers sponsored by the Chinese government.
Think of it this way:
You’re a burglar. Not wanting to get nabbed by the cops, you prefer a quick in-and-out job with low risk. So you drive up and down a residential street looking for possible candidates, finally settling on two large homes sitting side by side. They both appear empty and their size and style imply a lucrative haul waits inside.
The only real difference between the two houses? One has a sign in the front yard that reads “This Home is Protected by XYZ Security” and the other doesn’t.
Which house will you decide to rob?
Hackers tend to operate the same way. They’ll cruise the Internet looking for “open windows” through which they can easily slip. If they see that your association site has an easily exploitable gap, they’re much more likely to give it a go. However, if you adopt some basic cyber security tools and policies, the would-be thieves will stroll down the Internet superhighway to the next site.
So what can your association do to discourage would-be hackers from stealing your members’ data? We’ll start with the simplest tactics you can implement before digging into the more complex options available. Even if you don’t have a dedicated IT professional working on your website, you should be able to use many of these recommendations.
Use HTTPS with an SSL Certificate
Let’s start by wrapping our head around a couple of terms:
- “HTTP” stands for “hypertext transfer protocol,” the set of rules by which your Web server and your visitors’ browsers exchange pages and form data. On its own, HTTP sends everything in the clear: anyone on the path between the two (a coffee-shop Wi-Fi, an Internet provider) can read or alter it.
- “SSL” stands for “Secure Sockets Layer,” the original protocol for encrypting that exchange. Its modern successor is TLS (Transport Layer Security); the old SSL versions have known weaknesses and should be switched off on the server, but the certificate you buy is still called an “SSL certificate” and is what TLS uses.
- “HTTPS” (with the extra “s” for “secure”) is HTTP run over SSL/TLS. Traffic in both directions, from the browser to your server and back, is encrypted, and the certificate lets the browser confirm that it is really talking to your site and not to an impostor.
HTTP was long considered acceptable for pages with nothing private on them, such as a blog post. But the sensitivity of the data isn’t the only concern: without HTTPS, anyone in the path can quietly change or inject content into even a public page. The safer default is to serve the whole site over HTTPS, and it is non-negotiable for anything involving a login or member data.
At the very least, those sections of your association’s website that handle personal member data need to be secured by an SSL certificate. Be aware, though, that securing only some pages leaves a gap: a visitor who arrives over plain HTTP can be redirected or served a tampered page before ever reaching the secure part, and a login cookie set on a mixed site can leak on the unencrypted pages. The cleaner setup is HTTPS everywhere with plain HTTP redirected to it. If you don’t currently have an SSL certificate for your site, getting one is a relatively simple process. This article (http://info.ssl.com/Article.aspx?id=10694) from SSL.com will give you step-by-step instructions. But your quickest and easiest option is to purchase and install the SSL certificate through your current Web host (or a third party).
If you do nothing else to secure your website, make it the acquisition of an SSL certificate.
Another reason to secure your site is Google. The world’s dominant search engine announced in 2014 that it considers HTTPS in its search ranking algorithm. In other words, secure websites get a (currently small) visibility boost over non-secure sites.
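To make the “HTTPS everywhere” advice concrete for whoever administers the server, here is an added example (not code from the original article) of the two pieces that policy needs: every plain-HTTP request is redirected to the same address on HTTPS, and every HTTPS response carries a Strict-Transport-Security header so returning browsers never try HTTP again. It is written as a small Python WSGI middleware using only the standard library; the placeholder application `members_app` and the host `example.org` are assumptions for the demonstration.

```python
"""Serve the whole site over HTTPS: redirect plain HTTP and send HSTS.

Added example for this article, not code from the original post. Small WSGI
middleware using only the Python standard library; `members_app` and the
host names used below are assumed for the demonstration.
"""
from urllib.parse import quote
from wsgiref.util import setup_testing_defaults

# One year, covering subdomains: a browser that has seen this header refuses
# to load the site over plain HTTP until the period expires.
HSTS = "max-age=31536000; includeSubDomains"


def force_https(app, behind_proxy=False):
    """Wrap a WSGI app: redirect HTTP requests, add HSTS to HTTPS responses.

    behind_proxy=True trusts the X-Forwarded-Proto header that a TLS-terminating
    load balancer sets. Leave it False otherwise: a client can send that header
    itself and would talk the middleware out of redirecting.
    """
    def wrapped(environ, start_response):
        scheme = environ.get("wsgi.url_scheme", "http")
        if behind_proxy and "HTTP_X_FORWARDED_PROTO" in environ:
            scheme = environ["HTTP_X_FORWARDED_PROTO"].split(",")[0].strip()

        if scheme != "https":
            host = environ.get("HTTP_HOST", "localhost")
            path = quote(environ.get("PATH_INFO", "/"))
            query = environ.get("QUERY_STRING", "")
            location = f"https://{host}{path}" + (f"?{query}" if query else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Type", "text/plain")])
            return [b"Redirecting to HTTPS\n"]

        def secure_start_response(status, headers, exc_info=None):
            headers = list(headers) + [("Strict-Transport-Security", HSTS)]
            return start_response(status, headers, exc_info)

        return app(environ, secure_start_response)
    return wrapped


def members_app(environ, start_response):
    """Stand-in for the association site (assumed for the example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"member area\n"]


def run_request(app, scheme, host, path, query="", forwarded_proto=None):
    """Drive `app` with a constructed request; return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update({"wsgi.url_scheme": scheme, "HTTP_HOST": host,
                    "PATH_INFO": path, "QUERY_STRING": query})
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    site = force_https(members_app)
    print(run_request(site, "http", "example.org", "/members", "id=7")[:2])
    print(run_request(site, "https", "example.org", "/members")[:2])
```

The `behind_proxy` switch is the part people get wrong: if your host terminates TLS on a load balancer, the application only ever sees plain HTTP and must read the forwarded-protocol header, but if it trusts that header when no such balancer exists, a visitor can supply it and skip the redirect.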
Use Strong, Unique Passwords
This one seems to go without saying, but you’d be shocked how many organizations – some of them huge global organizations – have poor password policies. For hackers, rarely-updated, overly-simple, or reused passwords are akin to leaving your front door open when you go on a two-week vacation.
(In fact, the St. Louis Cardinals baseball team is currently under F.B.I. investigation for hacking the Houston Astros’ computer network, but some reports suggest the Cardinals simply used a password from a former Astros employee (now with the Cardinals) that was never changed.)
The big takeaway is not to use a password for your website that is used anywhere else. It should be unique to your site, and long: length does more for you than clever symbol substitutions. You can use a tool such as www.howsecureismypassword.net to get a feel for how long a given style of password would take to guess, but type in a password of the same shape rather than the real one; a secret should never be pasted into someone else’s website. And because the stress of using a new password for every account leads some organizations to grow lazy and duplicate, you can use a password manager like LastPass, Dashlane, or RoboForm, which generates and remembers a different random password for each site. (At TradeMark Media, we have had great success with LastPass Enterprise to manage the passwords for our entire team.) Where your CMS or host offers two-step (two-factor) login, turn it on for administrator accounts, so that a stolen password alone isn’t enough.
Encryption is G&F820X$$2
Encryption is the process of using a mathematical algorithm to turn your website data into “a form, often called ciphertext, that can’t be easily interpreted by unauthorized users” (i.e., hackers). Think Benedict Cumberbatch as Alan Turing in The Imitation Game, only you don’t need a room-sized mainframe to encrypt data these days.
Data that you want to remain secure should never be stored in plain text format, not on your server, your personal computer, or even a portable storage device such as a flash drive. Passwords are the special case: your website should not store them at all, not even encrypted, because anything encrypted can be decrypted by whoever obtains the key. Instead it should keep only a salted one-way hash of each password, so that a stolen copy of the database does not hand out working logins.
To easily encrypt data on your personal computer you can use tools that are built into Mac or Windows computers - FileVault for Macs (https://support.apple.com/en-us/HT204837) or BitLocker on Windows (http://windows.microsoft.com/en-us/windows/protect-files-bitlocker-drive-encryption#1TC=windows-8). Keep in mind what these protect: the contents of the disk while the machine is switched off or locked, which is the laptop-left-in-a-taxi scenario. They do nothing for a file you then email or copy to an unencrypted flash drive, and nothing for the data your website keeps on its server, which your host or developer has to protect separately.
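The point above about passwords (hash, don’t encrypt) is easy to state and easy to get subtly wrong, so here is an added example of the server-side half, which is not code from the original article. It uses only the Python standard library: a random salt per password, a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256), and a constant-time comparison when checking a login. The record format and the iteration count are this example’s own choices.

```python
"""Store passwords as salted, slow one-way hashes, never as plaintext or ciphertext.

Added example for this article, not from the original post. Standard library
only; the record layout 'pbkdf2_sha256$iterations$salt$hash' and the iteration
count are choices made for this example.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # slow on purpose; raise it as hardware gets faster


def hash_password(password, iterations=ITERATIONS):
    """Return a storable record containing a fresh random salt and the derived hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Re-derive the hash with the stored salt and compare in constant time.

    Returns False, rather than raising, for malformed records so a corrupted
    database row can never be mistaken for a successful login.
    """
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except (ValueError, TypeError):
        return False


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("Correct horse battery staple", record))   # False
```

Two properties to notice: hashing the same password twice gives two different records, because each gets its own salt, so an attacker cannot precompute a table or spot members who share a password; and verification never decrypts anything, because there is nothing to decrypt.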
Update, Then Update Again
Those annoying little pop-ups you get now and then asking you to, “Search for updates” or “Update now” are easy to ignore. A simple click and they disappear and you don’t have to think of them again for a couple of days, when they inevitably pop up again.
The reason software companies bug you to update your applications so often is that they’re constantly fixing problems, and many of those fixes close security holes. Once a fix is published, the hole it closes is public knowledge, and automated attack tools start looking for sites that haven’t applied it. Keep your applications updated whenever possible, including your CMS and every plugin and theme installed on it, since add-ons are often the weakest link. Regular updating greatly reduces the chance that your apps, server, or website fall victim to a vulnerability that was already fixed in a release you never installed.
Missing Function-Level Access Control
When a user performs a function on your website – such as logging in, updating their profile, buying something, registering for an event with a credit card, etc. – your website should verify whether they have the proper access rights. In other words, the site checks, “Does this user have the right to do this particular task?”
Hiding a button or a menu item from ordinary members is not that check. If the server does not re-verify the permission on every request, an attacker can simply type the address of an administrator-only page, or resend a request with someone else’s account number in it, and the site will oblige. This was common enough that OWASP listed it, under the name “Missing Function Level Access Control,” in its 2013 Top 10 list of web application risks, and it is one of the most common ways that hackers find their way into sensitive databases.
You can do an initial test yourself: log in as an ordinary member (and then again without logging in at all), and type the addresses of administrator pages, member exports, and other restricted functions directly into the browser. If they load, the server isn’t enforcing the check. Then have your developer or host run the application through a Web security proxy tool such as OWASP ZAP or Burp Suite, which sits between a browser and your site, records every request, and lets a tester replay each one with a lower-privileged login to see which ones the server should have refused.
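The difference between hiding a link and enforcing a check is easiest to see in code, so here is an added example (not from the original article, and not any particular CMS’s code). The user table, roles, routes and handlers are constructed for illustration. The unchecked handler returns the member list to anyone who reaches its address; the hardened version re-checks the caller’s role on every call, and the small `probe` function does the manual test described above: visit each restricted address as a given user and record what the server answers.

```python
"""Function-level access control enforced in the server, not in the menu.

Added example for this article, not from the original post. The users, roles,
routes and handlers are constructed for illustration.
"""
from functools import wraps


class Forbidden(Exception):
    """Raised when the session lacks a role the handler requires."""


# Constructed user table: the logged-in account and its role.
USERS = {
    "alice": {"role": "admin"},
    "bob": {"role": "member"},
}

MEMBER_EXPORT = ["alice@example.org", "bob@example.org"]  # constructed sensitive data


# Vulnerable pattern: the page template hides the "Export members" link from
# ordinary members, but the handler itself never asks who is calling it.
def export_members_unchecked(session):
    return list(MEMBER_EXPORT)


# Hardened pattern: re-check the role on every call, so it does not matter
# whether the request came from a link or from a typed-in address.
def require_role(*roles):
    def decorator(handler):
        @wraps(handler)
        def checked(session, *args, **kwargs):
            account = USERS.get(session.get("user"))
            if account is None or account["role"] not in roles:
                raise Forbidden(f"{handler.__name__} requires one of {roles}")
            return handler(session, *args, **kwargs)
        return checked
    return decorator


@require_role("admin")
def export_members(session):
    return list(MEMBER_EXPORT)


@require_role("member", "admin")
def my_profile(session):
    return {"user": session["user"]}


ROUTES = {
    "/admin/export": export_members,
    "/profile": my_profile,
}


def dispatch(path, session):
    """Tiny router: find the handler and call it; the decorator does the enforcing.

    Returns (status, payload) the way a web framework would.
    """
    handler = ROUTES.get(path)
    if handler is None:
        return 404, None
    try:
        return 200, handler(session)
    except Forbidden:
        return 403, None


def probe(session, paths=tuple(ROUTES)):
    """The manual test from the text: visit each address as `session`, record the status."""
    return {path: dispatch(path, session)[0] for path in paths}


if __name__ == "__main__":
    print("anonymous:", probe({}))
    print("bob (member):", probe({"user": "bob"}))
    print("alice (admin):", probe({"user": "alice"}))
    print("unchecked handler, called as bob:", export_members_unchecked({"user": "bob"}))
```

Note that the check keys off the session the server itself established at login, never off anything the browser sends in the address or the form, which is what a tester with a proxy tool would otherwise tamper with.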
But What if You Get Hacked?
If your association website is unlucky enough to attract the attention of a hacker, not all is lost. There are steps you can take to mitigate the damage and help prevent further attacks.
- Contact your website host and, before anything is overwritten, have them keep a copy of the compromised site and its logs; you will need it to work out how the intruder got in. Then restore the site to a version from before the hack. Restoring alone isn’t enough: if the hole that let them in is still there, they will be back within days.
- Change all passwords associated with your account including the CMS, FTP, databases, hosting control panel, and any other apps that have admin privileges on your site.
- Make sure everyone isn’t sharing one username and password for everything. Most CMSs allow you to set up a separate user for each person, so that you can revoke one person’s access (or see what one account did) without affecting everyone else.
- Work with your Web developer to close the hole that was used and to increase security on your site. If your developer can’t easily address your security issues, consider finding one who will. It’s too important to trust to someone unequipped to handle the threat.
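Before restoring, you want to know exactly what the intruder changed, both to find their way in and to make sure the “clean” backup really is clean. The usual way is to compare the live files against a known-good copy (your last backup from before the incident, or a fresh download of the same CMS version). Here is an added example of that comparison, not from the original article: it hashes every file in both trees, reports what was added, modified or removed, and flags the classic warning sign of a newly added executable file in an uploads folder. The sample site built in `demo()` is constructed; in real use you pass the two directory paths.

```python
"""Find what an intruder changed before you restore: compare the live site files
with a known-good copy (the last clean backup or a fresh download of the CMS).

Added example for this article, not from the original post. The sample site
built in demo() is constructed; real use passes the two directory paths.
"""
import hashlib
import tempfile
from pathlib import Path

# Executable types that have no business in an uploads folder; a new one there
# is the classic backdoor drop. Heuristic list chosen for this example.
EXECUTABLE_EXT = {".php", ".phtml", ".php5", ".cgi"}


def _sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every regular file under `root` (relative, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): _sha256(p)
            for p in root.rglob("*") if p.is_file()}


def diff_trees(known_good, live):
    """Files added, modified and removed in `live` compared with `known_good`."""
    good, now = snapshot(known_good), snapshot(live)
    return {
        "added": sorted(set(now) - set(good)),
        "modified": sorted(p for p in good.keys() & now.keys() if good[p] != now[p]),
        "removed": sorted(set(good) - set(now)),
    }


def webshell_candidates(report, upload_dirs=("uploads/",)):
    """Added executable files inside upload directories: look at these first."""
    return [p for p in report["added"]
            if Path(p).suffix.lower() in EXECUTABLE_EXT
            and any(p.startswith(d) for d in upload_dirs)]


def _write(root, rel, content):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(content)


def demo():
    """Build a constructed clean copy and a tampered live copy, then compare them."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for root in (clean, live):
            _write(root, "index.php", "<?php echo 'welcome'; ?>\n")
            _write(root, "config.php", "<?php $db = 'members'; ?>\n")
            _write(root, "uploads/logo.png", "PNG-bytes\n")
        # The clean copy still has a log the intruder deleted from the live site.
        _write(clean, "logs/access.log", "GET / 200\n")
        # What the intruder did on the live site: edited a core file, dropped a backdoor.
        _write(live, "index.php", "<?php echo 'welcome'; include 'uploads/x.php'; ?>\n")
        _write(live, "uploads/x.php", "<?php /* attacker's backdoor */ ?>\n")
        report = diff_trees(clean, live)
        return report, webshell_candidates(report)


if __name__ == "__main__":
    report, shells = demo()
    for kind in ("added", "modified", "removed"):
        print(f"{kind}: {report[kind]}")
    print("look first:", shells)
```

Run it against a copy of the site, never the live server itself, and keep the report with the preserved copy: the modified files tell you what to clean, the added ones tell you where the attacker gained a foothold, and the timestamps on those files narrow down which log lines to read.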
The Final Word
There are nearly 1 billion websites on the Internet. One website for every seven people on the earth. That’s a bunch of sites, and serious hackers are usually looking for massive stores of data rather than a small association. But don’t mistake that for safety in numbers: most attacks on small sites aren’t a person choosing you at all, they’re automated scanners that sweep every reachable site for the well-known holes (an unpatched plugin, a default password, a missing access check) and break in wherever one is found.
In other words, you shouldn’t lie awake at night worried that your association is currently being robbed by some 18-year-old kid halfway around the world. But if you don’t take some of the basic steps listed here, you will be exactly what those scanners are built to find.
And in the end, an association is only as strong as the trust its members place in it. By instituting some sound policies and working with a savvy Web developer, you can confidently assure your members that their data is as secure as possible.
They’ll thank you. And the hackers will move on to the next house.
Stephen Tidmore is TradeMark Media’s Director of Technology. With more than 20 years of experience in Web development and security, Stephen is an expert in providing clients powerful, secure, and modern websites and applications.