Website Security in the Time of Ukraine

In the light of the crisis unfolding in Ukraine, cybersecurity has taken center stage in the minds of IT professionals around the world.

In a White House briefing document dated March 21, 2022, the Biden-Harris administration issued a notice of “evolving intelligence that Russia may be exploring options for potential cyberattacks” and stressed that they will “continue to use every tool to deter, disrupt, and if necessary, respond to cyberattacks… But the federal government can’t defend against this threat alone.”

While the chances that your business will fall under cyberattack may be limited, that’s still no excuse not to take the proper precautions.

In the first 48 hours following Russia’s initial attack on Ukrainian soil, the number of cyber-attacks spiked by 800%.

So, the question remains: how can you protect your website and business from a cyberattack?

Security Threats Happen To All Sizes of Organizations

At first thought, it may seem that hackers would be primarily focused on large corporations and government-operated sites.

But, don’t be lulled into a false sense of security, thinking that hackers won’t take an interest in small businesses.

In reality, small businesses have a BIG reason for concern.

As Secretary of Homeland Security Alejandro Mayorkas pointed out, about ½ to ¾ of all ransomware victims last year were small businesses.

Now, this is not to say you should start to panic.

But it would be wise to put together a cyber security plan of action and begin implementing it sooner rather than later. In the following sections, we’ll go over what that may look like for your business.

What kind of attacks to look for?

First, let’s go over some of the more common types of attacks to be on the lookout for.

How many of these are you familiar with?

  • Distributed Denial-of-Service (DDoS) Attacks disrupt services by making a network or machine unavailable to its rightful owner/users. A DDoS can be temporary or indefinite.
  • “Spear-phishing” is a clever name for when a hacker targets a specific company or individual and unleashes a malicious email spoofing attack. Spear-phishing is usually done by someone looking for things like trade secrets or financial gain. These are unlikely to be just random attacks.
  • Malware can be distributed and will often target specific companies and organizations. Malware can corrupt entire disk systems, potentially bringing down thousands of devices all at once.
  • Socially engineered phishing attacks are done through emails and text messages. Hackers will use false pretenses to contact and trick someone into giving up sensitive data, login credentials, etc.

Next, we’ll cover several methods you can use to prevent these types of attacks and keep your business safe in these tumultuous times.

5 To-do’s That Will Protect Your Business From Cyber Attacks

There are many approaches to website security. It would be difficult to make an all-inclusive list. But, we can go over some of the most important things that organizations can do to improve their cyber security.

To be more specific:

  • Improved login security
  • Password management
  • Email server security (DMARC)
  • Website security and firewalls
  • WordPress security

Let’s look at each of those more closely…

Improve Your Login Security

An essential first step to getting your company’s cybersecurity in order is to examine the technology you use to protect your and your employees’ login data.

These could be the credentials used to log into any number of services, including but not limited to:

  • your CMS backend
  • company email accounts
  • company social media accounts
  • and other SaaS products you may use

Fortunately, there’s a solution that allows you to cover all the bases at once—it’s called Single Sign-On, or just SSO for short.

What is Single Sign-On (SSO)?

In a nutshell, SSO is a technology that allows your employees to log into any of their accounts using a single set of login credentials.

SSO uses an authentication token to verify users across a multitude of platforms.

For example, at the start of the day, your employee would log into the SSO app or login page using their master password—the only one they’ll ever need to enter.

Then the SSO automatically creates an authentication token for that session, which it stores on the SSO server or in the employee’s browser.

Now, anytime the employee accesses another account during that session, the SSO uses the stored token to verify the employee’s identity, eliminating the need for them to enter another set of credentials.

This all happens rather seamlessly and quickly in the background.
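To make the token flow above concrete, here is a small added example (not code from the original article or from any SSO vendor) of one hypothetical SSO issuer minting a signed session token once a day and two hypothetical services accepting that token instead of a second password. The issuer name, the shared HMAC secret, the eight-hour lifetime and the role claims are all assumptions made for the example; a real SSO product would use an established protocol such as SAML or OpenID Connect with proper key management.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Constructed example secret shared by the SSO issuer and the services it protects.
# It stands in for the signing-key trust relationship a real SSO product sets up.
ISSUER_SECRET = b"constructed-demo-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 8 * 3600  # one working day: "enter it one time a day"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, roles: List[str], now: Optional[float] = None) -> str:
    """SSO login page: after the master password has been checked, mint one session token.

    The token is an HMAC-SHA256-signed JSON payload; only the issuer knows the secret,
    so services can trust the claims inside without re-authenticating the user."""
    now = time.time() if now is None else now
    payload = {"sub": user, "roles": roles, "iat": int(now), "exp": int(now + TOKEN_TTL_SECONDS)}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    signature = hmac.new(ISSUER_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(signature)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Any service behind the SSO: validate signature and expiry, return the claims or None."""
    now = time.time() if now is None else now
    try:
        body, signature = token.split(".", 1)
    except ValueError:
        return None  # malformed token
    expected = hmac.new(ISSUER_SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(signature)):
        return None  # tampered with or forged
    claims = json.loads(_unb64(body))
    if claims["exp"] <= now:
        return None  # the day's session has ended; user must log in again
    return claims


def service_access(required_role: str, token: str, now: Optional[float] = None) -> bool:
    """'Various levels of access for different employees': a service checks the role claim."""
    claims = verify_token(token, now)
    return claims is not None and required_role in claims["roles"]


if __name__ == "__main__":
    token = issue_token("jane", ["accounting", "crm"])
    print("crm access:", service_access("crm", token))  # True
    print("hr access:", service_access("hr", token))    # False
```

The two things worth noticing for a defender are that every service verifies the signature with a constant-time comparison before trusting any claim, and that access decisions come from the role list the issuer put in the token, not from anything the client supplies.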

Not convinced SSO is worth it yet?

Think about the many different platforms, accounts, and SaaS products your workforce uses to perform their job throughout the day.

Would you be shocked to learn that Okta’s Businesses at Work study found that the average company uses 88 different apps?

Or that Asana’s Anatomy Of Work Global Index study found that the average worker switches between 13 different apps 30 times per day?

It’s a lot.

And besides being a hassle for your employees to have to come up with that many secure passwords and remember them on demand, every one of those logins poses a potential security threat for your company.

In fact, login credentials are a longstanding and primary target for hackers, meaning any of the 13 different passwords Jane from accounting uses 30 times a day can be fairly easy entry points for a cybercriminal trying to access your company’s data.

That’s a significant reason why SSO is so essential for businesses.

SSO greatly reduces risk by allowing your employees to log into all of their accounts with a lone set of login credentials that they only need to enter one time a day.

That’s right, one and done.

To make it even more enticing, they can use SSO from any device and any location they may be working from. Remote workers? Not a problem. You can even configure various levels of access for different employees.

Additional Advantages of Using SSO

That briefly explains the primary security objective of SSO, but it has bonus benefits too.

Let’s talk about a couple of secondary benefits of SSO that our clients at 3 Media Web get the most out of.

More specifically:

  • Regulatory compliance
  • Employee usability (i.e., it makes their jobs easier!)

Regulatory Compliance

Specific regulations require companies to use adequate methods to protect the data they collect or require adequate authentication of anyone accessing data. Think Sarbanes-Oxley (SOX) and HIPAA.

Most SSO solutions can help immensely with this.

Many 3 Media Web clients are in the healthcare and banking sectors which, as you can imagine, store extremely sensitive data. There is just no room for risk in such ecosystems. SSO is especially useful in such situations as it grants our clients complete oversight of access to said data to conform to various regulatory practices.

Employee Usability

Is your head still spinning from the idea of your employees having to use so many different apps and login credentials?

Theirs probably are too.

Fortunately, you can make your infrastructure more secure and lighten the burden on your employees at the same time, thanks to SSO. 

This all equates to increased productivity (plus, your IT department will thank you for immensely reducing the number of password reset requests they get from your workforce).

Everyone wins! Well, everyone except the hackers.

Double Down Your Security with a Password Manager

While we’re on password security, I would be remiss not to mention password managers such as Dashlane.

The job of a password manager is to store and autofill a user’s login credentials all across the internet from any device.

A password manager makes it more realistic for your employees to actually use a unique and complex password for each of their accounts instead of reusing the same password for everything (that’s a terrible habit).

Password managers also store the users’ login data in a secure location, making it more difficult for hackers to get to.

Why You Need a Password Manager and SSO

Password managers work hand-in-hand with SSO to provide an additional layer of security and simplicity for your users. Just because you use SSO doesn’t mean you don’t need a password manager or vice versa.

A password manager enables users to store all of their login data securely. In comparison, SSO contributes by making it safe to use just one login for all of their accounts, reducing the risk of password reuse.

It’s a one-two punch.

Just make sure your employees are trained on choosing highly secure passwords so that the credentials they use to sign in via SSO will be complex, long, and difficult to guess.

After all, your employees truly are your first line of defense regarding password and login security!

ASIDE: What makes a good password? Strong passwords are difficult to guess, so brute force attacks are unlikely to be successful. Example: “YourCatsNameLOL123” is not a good password. Something completely random like “Es5(z9g’,x*N2p{c” would be a much stronger password.
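The aside above can be turned into a quick check. The following is an added example (not from the original article) that estimates the brute-force search space of the two passwords given above and flags the “word plus a few digits” pattern that guessing tools try long before they try random strings. The guess rate of 10 billion per second is an assumption for illustration, and the curly apostrophe in the article’s random password is written as a straight one here so the example stays plain ASCII.

```python
import math
import re
import string

# Assumed guessing rate for the worst-case estimate; not a measured figure.
GUESSES_PER_SECOND = 1e10

# Shape that dictionary-based guessing covers cheaply: letters, then up to four digits,
# then an optional single symbol ("Password1!", "YourCatsNameLOL123", ...).
WORD_PLUS_DIGITS = re.compile(r"^[A-Za-z]+\d{0,4}[!@#$%^&*.?]?$")


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet containing every character used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the keyspace an attacker must cover if they know nothing about the structure."""
    return len(password) * math.log2(charset_size(password))


def worst_case_years(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole keyspace at the assumed rate (an upper bound, not an expectation)."""
    return 2 ** brute_force_bits(password) / rate / (365 * 24 * 3600)


def looks_guessable(password: str) -> bool:
    """Structure check: short, or built like a word with a digit suffix, which keyspace maths ignores."""
    return len(password) < 12 or bool(WORD_PLUS_DIGITS.match(password))


def assess(password: str) -> dict:
    return {
        "bits": round(brute_force_bits(password), 1),
        "worst_case_years": worst_case_years(password),
        "guessable_pattern": looks_guessable(password),
    }


if __name__ == "__main__":
    # Both strings come from the article's aside (apostrophe straightened).
    for pw in ("YourCatsNameLOL123", "Es5(z9g',x*N2p{c"):
        print(pw, assess(pw))
```

The instructive part is that naive keyspace arithmetic rates the two passwords at roughly 107 and 105 bits, because the first is two characters longer. That number is only meaningful for the random one; the first is a readable phrase with a digit suffix, exactly the structure that guessing tools enumerate first, which is why the pattern check, not the bit count, is what a password policy should lean on.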

Get Your Email Security In Order

Now that we’ve covered password security, it’s time to talk about email security. Here’s one reason why it’s so important:

In a 2021 study, Cisco found that 90% of data breaches occur due to phishing. On top of that, 80% of reported security incidents stem from phishing attacks.

If you think your employees aren’t getting malicious emails, think again.

Tessian found that the average worker gets 14 malicious emails each year. That number soars to an average of 49 malicious emails per employee per year for retail workers.

It gets worse.

Cisco’s report suggests that at least one employee unknowingly clicked a phishing link at 86% of the companies that participated in the study.

The truth is, phishing scams are getting better and better, and it’s becoming increasingly difficult to tell an actual email from a spoof or fake email.

Here’s Where DMARC Comes Into Play

A lot of damage can be done when cybercriminals send malicious emails on behalf of legitimate organizations.

That’s why just about any company that uses email will benefit from using Domain-based Message Authentication, Reporting and Conformance (DMARC).

When using DMARC, businesses can protect themselves from phishing, spoofed email addresses/fake emails, and email compromises in general by closely monitoring a domain’s outbound mail and verifying its authenticity using the DMARC policy.

This way, you can be sure that every piece of mail sent using your company’s domain was actually sent by your company and not a spoofed account.

For example, a cyber-criminal sends out a fake email from a local bank using a spoofed email address with the bank’s domain.

This malicious email tells the customer there is an issue with their credit card that needs to be addressed and asks them to log into their bank account immediately to remedy the problem.

From the customer’s perspective, the email looks legit. It is coming from what appears to be a bank email address, the logo is there, the branding is on point… It looks completely legit.

They’re worried about their credit card, so they click the link in the fake email and are taken to a phony website that looks exactly like the bank’s actual website.

The drama unfolds…

They type in their login info, and, just like that, the cybercriminals have secured the customer’s credentials which they can use to do some pretty severe damage.

It Only Takes a DMARC Record To Prevent Spoofing and Phishing Attacks

Before the days of DMARC, two standards were used to protect organizations from email fraud:

  1. Sender Policy Framework (SPF) – a published list of servers that have been authorized to send out emails on behalf of a domain
  2. DomainKeys Identified Mail (DKIM) – provides emails with a tamper-proof domain seal

Unfortunately, cybercriminals have become savvy enough to work around these security measures individually, so DMARC was created.

Although DMARC uses SPF and DKIM technologies, DMARC serves as a much more secure system.

To protect your company email using DMARC, a DMARC record will need to be created and added to your DNS. The DMARC record is a bit of text that declares your email domain’s policy for emails based on whether they pass or fail SPF and DKIM authentication checks.

The DMARC record can also request XML reports from receiving mail servers, which you can use to identify anyone who is sending mail using your organization’s email domain.

Here’s an overview of how DMARC works:

When an email is received, the ISP receiving the email will check it to ensure its SPF/DKIM records are valid and align with the domain name they were sent from.

These checks determine whether an email is labeled as DMARC Compliant or DMARC Failed.

If the email passes the SPF and DKIM checks, it is found to be DMARC Compliant and is sent through to the receiver’s inbox without issue.

If an email fails either the SPF or DKIM check (or both), the email will be flagged as DMARC Failed. At this point, the ISP will get instructions on what to do with the DMARC Failed email.

DMARC Policy 3-Ways

The instructions are based on how the DMARC policy is written in the DMARC record and can be one of three possible DMARC policies:

  1. None (monitoring only) – Tells the email receiver to send back DMARC reports to an address specified in the DMARC record but does not tell receivers how to handle a DMARC failed message. This policy is good for monitoring and gathering insights for organizations just beginning to use DMARC.
  2. Quarantine – This policy will also send a DMARC report, but unlike the None policy, Quarantine tells receivers to chuck unauthenticated messages into a spam folder. That means a spoofed email will still be delivered, but it will go to the spam folder instead of the inbox. Any email passing DMARC will simply be sent to the intended receiver’s inbox.
  3. Reject – In addition to sending a DMARC report, the Reject policy tells email receivers to reject any email that fails DMARC—they won’t be sent to the spam folder or inbox. Of course, DMARC passed emails will go straight to the receiver’s inbox.
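To show what the record, the SPF/DKIM checks and the three policies look like when a receiver puts them together, here is an added example (not code from the original article or from any mail provider) that parses a constructed DMARC TXT record and computes the disposition for a message from its SPF and DKIM results. The record, the domain names (all under the reserved example.com) and the report address are constructed for the example. One point the example makes explicit, per RFC 7489: a message passes DMARC when either SPF or DKIM passes and the authenticated domain aligns with the visible From domain, so failing one of the two checks on its own does not fail DMARC. The organisational-domain lookup is simplified to the last two labels; real receivers consult the Public Suffix List.

```python
from typing import Dict, Optional

# Constructed record, as it would be published in the TXT record for _dmarc.example.com.
SAMPLE_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=s; pct=100"


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict and fill in RFC 7489 defaults."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and a p= policy")
    if tags["p"] not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {tags['p']!r}")
    tags.setdefault("adkim", "r")  # DKIM alignment: r = relaxed, s = strict
    tags.setdefault("aspf", "r")   # SPF alignment
    tags.setdefault("pct", "100")  # share of failing mail the policy applies to (ignored below)
    return tags


def org_domain(domain: str) -> str:
    """Simplified organisational domain: last two labels. Real code uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_disposition(record: str, header_from: str,
                      spf_result: str, spf_domain: str,
                      dkim_result: str, dkim_domain: str) -> Dict[str, Optional[str]]:
    """Receiver-side decision: 'pass' delivers; 'fail' follows the published p= policy."""
    tags = parse_dmarc(record)
    spf_aligned_pass = spf_result == "pass" and aligned(header_from, spf_domain, tags["aspf"])
    dkim_aligned_pass = dkim_result == "pass" and aligned(header_from, dkim_domain, tags["adkim"])
    if spf_aligned_pass or dkim_aligned_pass:
        return {"result": "pass", "action": "deliver", "report_to": tags.get("rua")}
    action = {"none": "deliver", "quarantine": "spam folder", "reject": "reject"}[tags["p"]]
    return {"result": "fail", "action": action, "report_to": tags.get("rua")}


if __name__ == "__main__":
    # A spoof: SPF passes for the attacker's own domain, which does not align with example.com.
    print(dmarc_disposition(SAMPLE_RECORD, "example.com", "pass", "attacker.test", "none", ""))
    # Legitimate mail signed with a DKIM key for mail.example.com (relaxed alignment passes).
    print(dmarc_disposition(SAMPLE_RECORD, "example.com", "fail", "", "pass", "mail.example.com"))
```

Note that `rua` is what makes the None policy useful: even when nothing is blocked, every receiver that honours the record tells you who is sending as your domain, which is the data you need before moving to Quarantine and then Reject.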

One important thing to remember is that DMARC policies are more of a request than an obligation.

In other words, just because you’re publishing DMARC policies for your organization’s emails, the receiver doesn’t necessarily have to follow the orders. Receivers usually abide by DMARC policies, but on some occasions a receiver will apply its own local policy instead.

But, I strongly encourage you not to be dissuaded by that. Having a solid DMARC policy will help protect your organization from spoofing attacks.

You can check to see if your organization is already using DMARC, SPF, or DKIM using the DMARC Domain Checker from dmarcian – it’s free to use.

Strengthen Your Website Security & Firewall

What if I were to tell you there was a way you could bolster the security of your website and make it perform faster and more reliable at the same time?

With a content delivery network (CDN) like Cloudflare, it’s totally possible.

If you’re not familiar with Cloudflare, it is a massive network of servers that are distributed all around the world. They have servers located in more than 183 cities. The servers not only help improve page speed, but they also keep websites safe from DDoS attacks and the like.

It’s a win-win situation, really.

Plus, it’s pretty easy to use. You just need to sign up with Cloudflare if you already have a hosted website. Just add your website to the Cloudflare control panel, then sit back and reap the rewards.

Cloudflare will save bits of your website data on its servers across the globe so that when someone visits your site, Cloudflare will serve up a cached version of your site to the visitor much more quickly than if the request was sent directly to your own server.

How Cloudflare Secures Websites

While the benefits of Cloudflare beyond security are plentiful, since this article is about keeping your business safe from cyber-criminals, let’s take a closer look at how it helps do that.

In a nutshell:

Those trusty Cloudflare servers monitor and analyze all the data that is being passed when someone visits your site. This stops potential cyber-attacks, bots, and other undesirable outcomes.

Cloudflare will be on the lookout for IP addresses, the types of requests being received, how often requests come through, and on and on. You can even establish a firewall with Cloudflare using your own custom rules.

Cloudflare also protects your site’s DNS, so, for example, were someone to look up your domain’s nameservers, all they’d see is a set of nameservers provided by Cloudflare—not your own.

Web Application Firewall (WAF)

One way CDNs like Cloudflare improve security is through a Web Application Firewall. We call this WAF, and it serves as the cornerstone of Cloudflare’s application security features. The WAF will keep your organization’s applications and APIs safe and sound.

WAFs work by filtering, monitoring, and refusing malicious traffic attempting to access your web application. It prevents any unauthorized data from being sent out using strict policies that differentiate malicious traffic from safe traffic.

An especially interesting aspect of the Cloudflare WAF is that it uses machine learning (WAF – ML) to continuously make the technology more intelligent and secure. It will learn from attacks on other websites to protect yours.

Additionally, the service uses rate limiting, which serves as a second layer of protection against DDoS attacks by blocking visitors to your site that send requests at a suspiciously high rate.

How Else Can Cloudflare Keep Your Site Safe

  • Mitigates DDoS Attacks – Using a service like Cloudflare will help protect your site against malicious and dangerous traffic.
  • Stopping Customer Data Breaches – Stop cybercriminals from breaching customer data like credit card info, credentials, and other personal data.
  • Bots Begone – You won’t need to worry about harmful bots scraping your content, setting up fraudulent checkout schemes, or taking over your accounts.
  • Rate Limiting – Protects critical resources by supplementing Cloudflare’s DDoS protection with fine-grained control to block or qualify visitors with suspicious request rates.

With Cloudflare (or its competitors) being so easy to set up and manage, there’s really no reason you shouldn’t be using this service.

Keep Your WordPress Secure

If your organization’s website uses WordPress, you already know it has some built-in security features in the WordPress installation itself. But there are additional security measures you should be taking as well.

You can give your WordPress site extra security by using a trusted, feature-rich security plugin. The two security plugins I recommend are simple enough to set up that you can start using them today.

They are:

  1. iThemes Security
  2. Wordfence Premium

Both will offer your WordPress site advanced security improvements, and neither will slow your site down or inhibit it.

iThemes Security is simple and intuitive, making it a good option for those new to website security. It works best for personal blogs and small or medium-sized websites.

Wordfence is also simple and offers advanced options such as real-time security enhancements. If your website has sensitive data and information and is a medium to large-sized business, Wordfence may be a good choice for you.

Both are good plugins that will help secure your website.

Key Features of WordPress Security Plugins

When researching which security plugin to use, keep in mind the features that your organization will most benefit from.

Here are some features that iThemes Security provides:

  • Stops brute force attacks. For example, iThemes Security allows users to limit user login attempts. If the user doesn’t enter the correct password after a few tries, they will be locked out. You can even have an email sent to notify you as soon as this happens.
  • Uses two-factor authentication (2FA). 2FA helps keep your site secure by requiring a password to be entered, and a code sent to your mobile device.
  • Requires Strong Passwords. For sites with many users, admins, and editors, iThemes enforces a strong password policy to keep things safe.
  • Database backups. iThemes will automatically backup your database and send a copy to your email. Useful if your website is ever breached, as you will have a backup copy easily accessible.
  • Monitor site activity. You’ll get a composite of site entries and activity, so you’ll know what is going on with your site at any given time.
  • Security grade report. A score report that evaluates your site’s overall security level and offers advice on how to improve it.
  • Malware scan. Regularly scans your site for errors, vulnerabilities, blacklist status, old software/plugins, and malware.
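The edge rate limiting described in the Cloudflare section and the login-attempt limiting in the first iThemes bullet are the same mechanism applied to two kinds of events: count what each client did in a sliding time window and act once a threshold is crossed. The following is an added example (not code from the original article, from Cloudflare, or from either plugin) that implements that sliding-window counter once and runs it over a constructed request log, first as a per-IP request limiter and then as a login lockout on repeated 401 responses to the WordPress login path. The log lines, thresholds and window lengths are all constructed for the example.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

LogEntry = Tuple[float, str, str, int]  # (timestamp, client_ip, path, http_status)

# Constructed request log (documentation IPs from RFC 5737); not real traffic.
REQUEST_LOG: List[LogEntry] = [
    (0.0, "203.0.113.5", "/", 200),
    (1.0, "203.0.113.5", "/about", 200),
    (2.0, "198.51.100.9", "/wp-login.php", 401),
    (2.5, "198.51.100.9", "/wp-login.php", 401),
    (3.0, "198.51.100.9", "/wp-login.php", 401),
    (3.5, "198.51.100.9", "/wp-login.php", 401),
    (4.0, "198.51.100.9", "/wp-login.php", 401),
    (4.5, "198.51.100.9", "/wp-login.php", 401),
    (4.6, "198.51.100.9", "/wp-login.php", 401),
    (30.0, "203.0.113.5", "/contact", 200),
]


class SlidingWindowCounter:
    """Per-key event counter over the last `window` seconds.

    Timestamps are kept in a deque per key; entries older than the window are
    evicted on each hit, so memory stays bounded by the traffic inside the window."""

    def __init__(self, window: float):
        self.window = window
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def hit(self, key: str, ts: float) -> int:
        """Record an event for `key` at time `ts` and return the count inside the window."""
        q = self._events[key]
        q.append(ts)
        while q and q[0] <= ts - self.window:
            q.popleft()
        return len(q)


def rate_limit_decisions(log: List[LogEntry], window: float = 10.0,
                         limit: int = 5) -> List[Tuple[float, str, str]]:
    """CDN-style rate limiting: allow up to `limit` requests per IP per `window`, block the rest."""
    counter = SlidingWindowCounter(window)
    decisions = []
    for ts, ip, _path, _status in log:
        verdict = "block" if counter.hit(ip, ts) > limit else "allow"
        decisions.append((ts, ip, verdict))
    return decisions


def login_lockouts(log: List[LogEntry], window: float = 300.0,
                   max_failures: int = 3) -> Dict[str, float]:
    """Plugin-style brute-force protection: lock a client out after `max_failures`
    failed logins in `window` seconds. Returns {ip: time_of_lockout}, the moment the
    'email me when this happens' notification would fire."""
    counter = SlidingWindowCounter(window)
    locked: Dict[str, float] = {}
    for ts, ip, path, status in log:
        if path != "/wp-login.php" or status != 401:
            continue  # only failed login attempts count
        if counter.hit(ip, ts) >= max_failures and ip not in locked:
            locked[ip] = ts
    return locked


if __name__ == "__main__":
    for ts, ip, verdict in rate_limit_decisions(REQUEST_LOG):
        if verdict == "block":
            print(f"{ts:5.1f}  {ip:14}  {verdict}")
    print("lockouts:", login_lockouts(REQUEST_LOG))
```

In the constructed log the attacking client stays under the request limit for its first five attempts and is blocked from the sixth, while the login lockout triggers earlier, on the third failed login, because failed authentications are a much stronger signal than raw request volume. In production both counters would be keyed by something harder to rotate than a single source IP where possible, and the lockout would be backed by a notification to the site owner as the plugin description says.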

And here are some features that Wordfence provides:

  • Uses two-factor authentication (2FA). Wordfence also uses 2FA to help keep your site secure using a two-step login process.
  • Block IPs from specific locations or users. Allows users to block IP addresses from nations known for malicious activity or block specific IP addresses of known attackers.
  • Site visitor monitoring. It shows you the IP address, origin, and time of day users (and hackers) visit your site.
  • Alteration notifications. Get notified of any changes to the themes, plugins, or core of your WordPress site, an early sign that it may have been hacked.
  • Wordfence operates from your server. This makes it a better, more secure method for organizations concerned about data leaks.
  • Security scans. Wordfence will scan other plugins, files, and themes on your site to look for code injections, SEO spam, potential backdoor threats, malicious redirects, malware, and malicious URLs.

Again, both of these plugins are great tools. To recap, medium to large businesses may benefit from Wordfence, whereas smaller websites will get a lot from iThemes Security. Either way, be sure to use one of them!

The Best Time To Secure Your Organization’s Website Is Now

There is no better time than the present to assess the security of an organization’s website. We’ve discussed several key actions you can take to improve the security of your website.

Some are more complex and time-consuming than others, but they could save your organization money and provide you with peace of mind knowing you’re doing all you can to protect yourself from potential IT security threats.
