Information Security

Has your site been hacked? Do you need to build trust with email providers and search engines? Learn how to thwart cybercriminals while promoting email delivery rates and domain authority.

Securing Browser Connections

There are several advantages to a secure browser connection. WiFi hotspots cannot pluck passwords from the data stream. It prevents DNS poisoning from rerouting traffic to a fraudulent server. Also, it prevents the insertion of malicious adware into the page.

HTTPS

HTTPS encryption is the most visible sign of cybersecurity. The following table of images shows how popular browsers present connection security.
Visual Cues of a Secure HTTPS Connection.
The use of HTTPS is expanding rapidly. However, 47% of sites make it optional or do not use it, as shown in the following diagram.
Percentage of Sites Using HTTPS Connections.

HTTP Security Headers

HTTP security headers extend the protection of an HTTPS connection. However, the following chart highlights their minimal adoption rate.
The adoption rate for HTTP Security Headers across Websites.

Content Security Policy

The content security policy lists the origins (DNS names) from which the page is allowed to load resources. When it is not set, the browser can connect anywhere on the internet. Separate directives exist for JavaScript, images, and other resource types on the web page. Getting services like Google Analytics working with this policy requires tracing the browser's connections to find the necessary entries.

HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) forces browsers to encrypt connections. The browser refuses insecure connections for a period set by the web server. The client can remove the setting, but not by clearing the browser history. Sites with HSTS typically set it to zero seconds, which effectively disables the security feature.

X-Content-Type-Options

The browser normally determines the content type from the URL's file extension or by sniffing the content. When the server sets the X-Content-Type-Options header (to nosniff), the browser follows only the content type the server declares. That blocks repurposing a URL to run programs in the client browser.

X-Frame Options

X-Frame-Options prevents a website from being wrapped inside another. That means the site cannot be placed inside <frame>, <iframe>, <embed> or <object> tags. For example, YouTube uses it to prevent others from front-ending its services.

HTTP Header Example

The following is an example of HTTP security headers.
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=2592000
Content-Security-Policy: img-src 'self'; script-src 'self' 'unsafe-inline' google-analytics.com;

Server Hardening

Server hardening minimizes the website attack surface.

Removing Services

A firewall is a shield against cyberattacks, and removing unneeded network services guarantees they cannot be compromised. Identify what is listening with netstat -plnt. Shut down and uninstall anything that does not help deliver the website. The ones to keep are HTTPS on port 443, HTTP on port 80, and perhaps a database.

Private Networks

Private networks add a protective shell to servers. A private network uses IP addresses that cannot communicate directly over the internet. The private address ranges are 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255. Internet communication goes through public IP addresses, and Network Address Translation (NAT) converts a private IP to a public one. These setups are common in home and office networks. However, some cloud providers offer virtual private servers that are not in a private network.

Security Patches

Failure to apply security patches leaves sites vulnerable. Cyberattacks exploit known weaknesses with commonly available tools. However, 2/3 of web servers run end-of-life software, and the remainder often do not install the available patches. The following chart shows the distribution of software across websites relative to its end-of-life date.
Distribution of End of Life Software Across Websites.

Dedicated Virtual Servers

A dedicated virtual server is an operating system instance assigned to a single website. The majority of sites run on a shared system where a breach in one puts the others at risk. Dedicated resources contain the breach.

Secure Operating Systems

Selecting a popular operating system for web servers increases the chance that security gaps have already been fixed. The following chart shows the releases by market share; Linux distributions hold 86% of the market.

Minimal Access Rights

The starting point for a secure system is to have no access. Then grant privileges for known purposes. For example, content served by a web server should be read-only, and files with credentials should not be accessible through a URL. The Center for Internet Security provides dozens of commands to minimize access rights on web servers, operating systems, and databases.

Protected Process Model

The user ID running the web service should have minimal privilege and no login access. Web servers must start as an administrative user so they can bind to the HTTP and HTTPS ports. They then downgrade to a user with minimal access. That ensures only an administrator can start the website, while a compromised server lacks the privileges to cause more damage.
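The start-as-root-then-downgrade pattern described above, written out as an added Python example that is not from the original page. It assumes a Unix host and a hypothetical unprivileged service account named www-data; the call under __main__ needs root to bind port 443, while the self-check helper works for any user.

```python
import os
import pwd
import socket

def current_user():
    """Name and uid of the account running this process (used by the self-check)."""
    entry = pwd.getpwuid(os.getuid())
    return entry.pw_name, entry.pw_uid

def bind_then_drop(port, username, host="0.0.0.0"):
    """Bind the listening socket first, which needs root for ports below 1024,
    then give up root by switching to the unprivileged service account.
    Returns the bound socket and the effective uid the process ended up with."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    target = pwd.getpwnam(username)
    if os.geteuid() == 0 and target.pw_uid != 0:
        # Order matters: supplementary groups first, then the gid, then the uid.
        # After setuid() to a non-root uid the process cannot regain root.
        os.setgroups([])
        os.setgid(target.pw_gid)
        os.setuid(target.pw_uid)
        try:
            os.setuid(0)
        except PermissionError:
            pass  # expected: the drop is irreversible
        else:
            raise RuntimeError("privilege drop failed: process can still become root")
    return srv, os.geteuid()

if __name__ == "__main__":
    # "www-data" is a hypothetical service account: no shell, no password, no login.
    sock, uid = bind_then_drop(443, "www-data")
    print("listening on", sock.getsockname(), "as uid", uid)
```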

Source Code Control

The purpose of source code control for security is to keep a golden image in a safe location. Recovery from infected code then only involves reinstallation. However, many sites keep their source code on the web server, a design that lets malware and ransomware infect the backup. Also, with content management systems like WordPress, it is challenging to separate the application, customizations, and malware from each other.

Key Management

Key management refers to the protection of passwords and security certificates.

Key Length

Key length affects the computing time needed to break the encryption. The current standard is 2048 bits for RSA keys and 256 bits for elliptic curve keys. Shorter keys are insecure, while longer ones require excessive compute time. Elliptic curve keys are a newer standard that gives equivalent protection with shorter, more efficient keys. The following chart shows almost all keys use the older RSA standard.
Distribution of Certificate Key Lengths Across Websites.

Multifactor Authentication

Multifactor authentication typically uses a password and something else. The most common is a password combined with a second code from a hardware fob or cell phone software. That second code depends on both an initial passcode (the shared secret) and time synchronization between the server and the device. Usually, the server allows for limited clock drift by accepting the previous, current, and next time code.

Role-Based Security

Role-based security is when the infrastructure, rather than people, provides access credentials. It eliminates the need for users to manage passwords. An example is a backup role granted to a server so it can save an image.

Password Complexity Rules

Password complexity rules ensure they are not too easy to guess or crack. Standard controls are a minimum length, no dictionary words, and reuse restrictions.

Key Rotation

Rotating keys and passwords limits exposure to stolen credentials. The following chart shows the rotation period for website certificates.
Distribution of Certificate Rotation Period Across Websites.

Protecting Infrastructure

Protecting infrastructure covers options beyond browser connections and server hardening. The following chart shows the percentage of domains that adopt these features.
Adoption Rates for Infrastructure Protection.

Certification Authority Authorization

The Certification Authority Authorization (CAA) record is a DNS record. It limits who can issue certificates for the domain. The record results in the web browser rejecting all but the named organization. It protects against compromised certificate providers as well as forged certificates installed on the client machine. The following is a sample record, where the flag 0 with the issue tag covers most scenarios and letsencrypt.org is the certificate authority.
0 issue "letsencrypt.org"

DMARC

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email security standard. It extends SPF and DKIM with a policy telling recipient mail servers how to handle authentication failures. It also helps detect forged emails by having receivers send reports back to the sender. The DNS TXT record shown below is published under the name _dmarc.strategicmind.com.
v=DMARC1;p=reject;sp=reject;pct=100;rua=mailto:you@example.com

Secure Protocols

The supported HTTPS protocols in 2019 are TLS versions 1.1 and 1.2. The unsupported ones are SSL 2, SSL 3, and TLS 1.0. The most common client technology blocked by secure protocols is Windows 7 running IE 9, although that affects less than one percent of users.

Secure Encryption

The cipher suite is a set of encryption algorithms that work with the protocol. The OpenSSL group grades each one from A to F. The web server can select from hundreds of options based on that grading. The above chart shows grade A as secure.

Encrypted Email Connections

Encrypted email connections use POPS and IMAPS, typically on ports 995 and 993, instead of plain POP and IMAP on ports 110 and 143.
Protecting Infrastructure with a Secure Domain Configuration.

Production Mode

Production mode is a web server setting that masks software details from anyone connecting to the website. That makes it harder to figure out what type of cyberattack to launch. The following is an example of the default non-production mode. It reveals the web server version, the operating system, and an out-of-support programming language version.
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.36
The following header appears when the same server goes into production mode.
Server: Apache
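The two Server header variants above and the headers from the HTTP Security Headers section can be checked mechanically. The following Python script is an added example, not from the original page: it audits a constructed response (which deliberately repeats the page's non-production Server header, a zero HSTS max-age, and a CSP with a quoted host name) and flags the weak settings those sections describe.

```python
import re

# Constructed response headers (not captured from a real server): the page's
# non-production Server header, HSTS set to zero, and a CSP with a quoted host name.
SAMPLE_HEADERS = """\
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.6.36
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=0
Content-Security-Policy: img-src 'self'; script-src 'self' 'unsafe-inline' 'google-analytics.com';
"""

def parse_headers(raw):
    """Turn 'Name: value' lines into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_headers(raw):
    """Return a list of findings; an empty list means nothing weak was detected."""
    h = parse_headers(raw)
    findings = []
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")
    age = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not age or int(age.group(1)) == 0:
        findings.append("HSTS missing or max-age=0, so it is not enforced")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        script_src = []
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0] == "script-src":
                script_src = parts[1:]
        if "'unsafe-inline'" in script_src:
            findings.append("CSP script-src allows 'unsafe-inline'")
        for src in script_src:
            # Quotes belong only on keywords, nonces and hashes; browsers ignore a quoted host.
            if src.startswith("'") and not src.startswith(("'self'", "'none'", "'unsafe-", "'strict-dynamic'", "'nonce-", "'sha")):
                findings.append("CSP quoted host source is ignored: " + src)
    if re.search(r"/\d", h.get("server", "")):
        findings.append("Server header leaks versions: " + h["server"])
    return findings
```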

Sender Policy Framework

The Sender Policy Framework (SPF) is a DNS TXT record. It identifies which servers may send email for the domain and prevents spoofing of the mail transfer agent. The following example states the version, allows the domain's own mail exchangers and the included Google servers, and denies all other servers.
v=spf1 mx include:_spf.google.com -all
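The CAA, DMARC and SPF records shown in the sections above can be checked with a small parser. The following Python code is an added example, not part of the page: it works on constructed records for the placeholder domain example.com (a real check would fetch them from DNS) and reports the weak or missing settings these sections warn about.

```python
# Constructed records for the placeholder domain example.com, shaped like the
# page's own CAA, SPF and DMARC examples; fixed strings so the check runs offline.
RECORDS = {
    "example.com CAA": ['0 issue "letsencrypt.org"'],
    "example.com TXT": ["v=spf1 mx include:_spf.google.com -all"],
    "_dmarc.example.com TXT": ["v=DMARC1;p=reject;sp=reject;pct=100;rua=mailto:you@example.com"],
}

def spf_policy(txt):
    """Qualifier of the catch-all mechanism: '-all' rejects unlisted senders,
    '~all' only soft-fails them, '+all' (or no 'all' term) allows anyone."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    for term in parts[1:]:
        if term.lstrip("+-~?").lower() == "all":
            return term if term[0] in "+-~?" else "+all"
    return "+all"

def dmarc_tags(txt):
    """Parse 'tag=value;tag=value' into a dict; {} if this is not a DMARC record."""
    tags = dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    return tags if tags.get("v") == "DMARC1" else {}

def caa_issuers(records):
    """Certificate authorities named by 'flags issue "ca"' records."""
    return [r.split('"')[1] for r in records if " issue " in r and r.count('"') >= 2]

def domain_findings(domain, records):
    """Weak or missing settings among the domain's SPF, DMARC and CAA records."""
    findings = []
    spf = [t for t in records.get(domain + " TXT", []) if t.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record")
    elif spf_policy(spf[0]) != "-all":
        findings.append("SPF does not end with -all (%s)" % spf_policy(spf[0]))
    dmarc = [d for d in map(dmarc_tags, records.get("_dmarc." + domain + " TXT", [])) if d]
    if not dmarc:
        findings.append("no DMARC record")
    elif dmarc[0].get("p") != "reject":
        findings.append("DMARC policy is %s, not reject" % dmarc[0].get("p", "missing"))
    elif "rua" not in dmarc[0]:
        findings.append("DMARC has no rua reporting address")
    if not caa_issuers(records.get(domain + " CAA", [])):
        findings.append("no CAA issue record")
    return findings
```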

DomainKeys Identified Mail

DomainKeys Identified Mail (DKIM) embeds a public key in the email message. The recipient email server validates the message using that key. It protects against spoofing of the email content.

Domain Name Service

The Domain Name Service (DNS) converts names like strategicmind.com to an IP address like 8.8.8.8. It includes a registry for administration and a name service for lookups. Vendors frequently bundle them together, but that is not necessary.

Secure DNS Services.
DNS provides administrative control over the domain. Regaining that control after a cyberattack takes days, while restoring online reputations takes much longer. Monitoring email from the registrar and responding to unexpected changes is a critical security measure. Have a plan to prove ownership after a theft, which includes alternate email addresses and keeping contact details up to date. Periodically check the domain name and IP addresses with several blacklist service providers. Advertise a secure profile by using HTTPS and setting up DNS records for SPF, DKIM, DMARC, and CAA. Then check whether the hosting provider has security accreditation.


Protecting Cloud Services

Security practices for cloud services vary dramatically. Here are the critical differences.

Data Center Audits

The hosting data center sets the upper limit on web server security. Secure the hosting platform by selecting an accredited facility. Numerous accreditations exist; common ones are the Payment Card Industry Data Security Standard (PCI-DSS), the Health Insurance Portability and Accountability Act (HIPAA), and those of other reputable organizations. These certifications may target specific industries, but the practices apply to any solution.

Email Services

The critical difference between email providers is their security. Review providers for spam filtering, DKIM, and secure network connections. These are critical because email is a common point of attack. The following chart shows service providers by their market share of hosted domains. The larger providers have more capital to spend on security measures.
Market Share of Email Providers.

Firewalls

A firewall selectively blocks traffic to network services. However, most sites do not use them effectively. For example, thirty-one percent of websites allow database access from the internet. That leaves them vulnerable because the access is unnecessary and the database protocol lacks internet-grade security. Check which services are listening with netstat -plnt and confirm from a remote site which of them are reachable. A web server only requires HTTP and HTTPS on ports 80 and 443.
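The netstat -plnt review recommended here and in the Removing Services section, together with the address ranges from the Private Networks section, can be combined into one check. The following Python code is an added example, not from the page: it parses constructed netstat output and reports listeners reachable from outside the host that are not on an assumed allow list of ports 80 and 443.

```python
import ipaddress

# Constructed `netstat -plnt` output for illustration; it is not from any real host.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1021/httpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1021/httpd
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1177/mysqld
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      1203/redis-server
tcp        0      0 10.0.1.5:5432           0.0.0.0:*               LISTEN      1250/postgres
tcp6       0      0 :::22                   :::*                    LISTEN      980/sshd
"""

def exposure(bind_addr):
    """Classify where a listening socket can be reached from, by its bind address."""
    if bind_addr in ("0.0.0.0", "::"):
        return "all interfaces"
    ip = ipaddress.ip_address(bind_addr)
    if ip.is_loopback:
        return "localhost only"
    if ip.is_private:  # the RFC 1918 ranges from the Private Networks section
        return "private network"
    return "public address"

def parse_listeners(raw):
    """Return (port, program, exposure) for each LISTEN line of netstat -plnt output."""
    listeners = []
    for line in raw.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        program = fields[6].split("/", 1)[1] if "/" in fields[6] else fields[6]
        listeners.append((int(port), program, exposure(addr)))
    return listeners

def unexpected_services(raw, allowed=(80, 443)):
    """Services reachable beyond the host that are not on the allow list.
    Loopback-only listeners are skipped; anything else needs a firewall rule or removal."""
    return [(port, prog, where) for port, prog, where in parse_listeners(raw)
            if port not in allowed and where != "localhost only"]
```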

Firewalls control access based on user-defined rules. They work better in combination with private networks and dedicated virtual servers. The following chart highlights a secure design with the internet on the left and the user data on the right. Using multiple firewall zones forces attackers to breach several systems before accessing the data. Each of the following firewall types protects different aspects of communication.

Network Design for Firewalls and Zoning.

Network Zoning

Network zones are segments with different purposes and levels of trust. The first, the DMZ (demilitarized zone), exists for security. The second, the application or internal zone, holds programs but no user data. The third, the data or private zone, holds user data. Network zoning results in a more flexible multitier architecture.

Sessionless Firewalls

Sessionless (stateless) firewalls judge each packet on its own, using only its IP addresses and ports, with no memory of earlier packets on the same connection. That keeps the rules simple but leaves them unable to tell an inbound connection from the replies to an outbound one.

Session-Oriented Firewall

Session-oriented firewalls work on network connections, also known as the Transmission Control Protocol (TCP). Unlike sessionless rules, they evaluate the current packet as well as previous ones using the same IP and port. They can differentiate ingress and egress connections, making them far more functional compared to sessionless.

Web Application Firewall

A web application firewall (WAF) works on the HTTPS protocol. The rules are complicated, so products come with over a hundred built-in best practices. Examples are calling the same URL too frequently or scanning the website for files. Setup typically requires disabling a few rules that interfere with the application.

Blacklisting

Blacklists contain domain names and IP addresses with content that is frequently filtered. Being on those lists impacts the ability to send an email and rank web pages. Most websites and practically all email services share IP addresses. Anyone using an IP can get it blacklisted, and that impacts all the other clients using it.

Security Validation

Reviewing What Hackers Do

Forensic analysis reconstructs what hackers did after an event. Reviewing attempted and successful attacks clarifies which security measures are working and whether improvements are necessary. The data comes from routers, firewalls, servers, applications, databases, and other sources. It is copied from the source equipment and saved to a WORM (write once, read many) device to protect against tampering.
Reviewing What Hackers Do.

Security Testing

There are many types of security testing. An online resource to validate web server connections is SSL Labs. The Center for Internet Security provides command checklists for operating systems, web servers, and databases. The open-source tool Nmap (Network Mapper) probes networks for vulnerabilities.