There are several advantages to a secure browser connection. WiFi hotspots cannot pluck passwords from the data stream. It prevents DNS poisoning from rerouting traffic to a fraudulent server. Also, it prevents the insertion of malicious adware into the page.
HTTPS encryption is the most visible sign of cybersecurity. The following table of images shows how popular browsers present connection security. The use of HTTPS is expanding rapidly. However, 47% of sites make it optional or do not use it, as shown in the following diagram.
: HTTP Strict Transport Security (HSTS) forces browsers to encrypt connections. The browser blocks insecure connections for a period set by the webserver. The client can remove the setting, but not by clearing the browser history. Sites with HSTS typically set it to zero seconds, which effectively disables the security feature.
: The browser looks at the URL to determine the content type. It does that with file extensions or by sniffing content. When the server sets the X-Content-Type-Options header, the browser only follows the direction of the server. It blocks repurposing a URL to run programs in the client browser.
: X-Frame-Options prevents a website from being wrapped inside another. That means the website cannot be placed inside <frame>, <iframe>, <embed> or <object> tags. For example, YouTube leverages it to prevent others from front-ending its services.
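The three response headers above can be checked mechanically. The following is an added example, not code from the original page: it evaluates a captured set of response headers (constructed samples, not from any real site) and flags the `max-age=0` case the HSTS entry describes; the one-year minimum for `max-age` is an assumed threshold.

```python
import re

# Constructed sample response headers for three cases (not from any real site).
SECURE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}
HSTS_DISABLED = {
    "Strict-Transport-Security": "max-age=0",  # tells the browser to forget the policy
    "X-Content-Type-Options": "nosniff",
}
NO_HEADERS = {}

MIN_HSTS_AGE = 31536000  # assumed threshold: one year in seconds

def hsts_max_age(value):
    """Return the max-age in seconds from an HSTS header value, or None if absent."""
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    return int(m.group(1)) if m else None

def check_headers(headers):
    """Evaluate HSTS, X-Content-Type-Options and X-Frame-Options.
    Returns {finding: True (pass) / False (fail)}."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    hsts = h.get("strict-transport-security")
    age = hsts_max_age(hsts) if hsts else None
    findings = {}
    # max-age=0 disables HSTS, so treat it the same as a missing header.
    findings["hsts_present"] = age is not None and age > 0
    findings["hsts_long_enough"] = age is not None and age >= MIN_HSTS_AGE
    findings["hsts_subdomains"] = bool(hsts) and "includesubdomains" in hsts.lower()
    findings["nosniff"] = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    xfo = h.get("x-frame-options", "").strip().upper()
    findings["framing_blocked"] = xfo in ("DENY", "SAMEORIGIN")
    return findings

def failures(headers):
    """Sorted list of the findings that failed."""
    return sorted(name for name, ok in check_headers(headers).items() if not ok)

if __name__ == "__main__":
    for label, hdrs in (("secure", SECURE_HEADERS), ("hsts-zero", HSTS_DISABLED), ("none", NO_HEADERS)):
        print(label, failures(hdrs))
```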
: Removing unneeded network services guarantees they cannot be compromised. Identify what is running with netstat -plnt. Shut down and uninstall anything that does not help deliver the website. The ones to keep are HTTPS on port 443, HTTP on 80, and perhaps a database.
: A private network uses IP addresses that cannot communicate directly over the internet. The private address ranges are 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255. Internet communication goes through public IP addresses. Network Address Translation (NAT) converts the private IP to a public one. These are common in home and office networks. However, some cloud providers have virtual private servers that are not in a private network.
: Failure to apply security patches leaves sites vulnerable. Cyberattacks exploit known weaknesses with commonly available tools. However, 2/3 of web servers use end-of-life software, and the remainder often does not install the available patches. The following chart shows the distribution of software across websites relative to their end-of-life date.
: A dedicated virtual server is an operating system instance assigned to a single website. The majority of sites run on a shared system where a breach in one puts the others at risk. Dedicated resources contain the breach.
: Selecting a popular operating system for web servers increases the chance that security gaps were fixed. The following chart shows the releases by market share. It shows Linux distributions have 86% of the market.
: The starting point for a secure system is to have no access. Then grant privileges for known purposes. For example, content served by a web server should be read-only, and files with credentials should not be accessible through a URL. The Center for Internet Security provides dozens of commands to minimize access rights on web servers, operating systems, and databases.
: The user ID running the web service should have minimal privilege with no login access. Web servers must start as an administrative user so they can bind to the HTTP and HTTPS ports. Then they downgrade to a user with minimal access. That ensures only an administrator can start the website, and when compromised, there are insufficient privileges to cause more damage.
: The purpose of source code control for security is to keep a golden image in a safe location. Then recovery from infected code only involves reinstallation. However, many sites keep source code on the webserver. That design results in malware and ransomware infecting the backup. Also, with content management systems like WordPress, it is challenging to separate applications, customizations, and malware from each other.
: Key length affects the computing time needed to crack codes. The current standard is 2048 bits for RSA keys and 256 for elliptic. Shorter keys are insecure, while longer ones require excessive compute time. The elliptic key is a newer standard that allows equivalent protection using shorter keys that are more efficient. The following chart shows almost all keys use the older RSA standard.
: Multifactor authentication typically uses a password and something else. The most common is a password combined with a second code from a hardware fob or cell phone software. The other security code depends on both an initial passcode and time synchronization between the server and the device. Usually, the server allows for limited time shifts by granting access to the previous, current, and next time code.
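The time-based code described above, as an added example that is not part of the original page: a minimal TOTP implementation (RFC 6238 over HMAC-SHA1) whose `verify` accepts the previous, current, and next 30-second step. The secret is the RFC 6238 test secret, used here only so the output can be checked against published vectors; a deployment uses a random per-user secret.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret (ASCII "12345678901234567890"), used only for checking against
# the RFC's published vectors. Real deployments use a random secret shared at enrollment.
TEST_SECRET = b"12345678901234567890"
STEP = 30    # seconds per time step
DIGITS = 8   # the RFC vectors use 8 digits; authenticator apps usually use 6

def hotp(secret, counter, digits=DIGITS):
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp(secret, unix_time, step=STEP, digits=DIGITS):
    """Time-based code: the HOTP of the current time-step number."""
    return hotp(secret, int(unix_time) // step, digits)

def verify(secret, code, unix_time=None, window=1, step=STEP, digits=DIGITS):
    """Accept a code for the current step and `window` steps either side of it,
    so that small clock drift between server and device does not lock the user out.
    Returns the matching step number, or None. The caller should record the accepted
    step and reject that step (or earlier ones) on later attempts; this function
    does not keep that state itself."""
    now = int(time.time() if unix_time is None else unix_time)
    current = now // step
    for candidate in range(current - window, current + window + 1):
        if candidate < 0:
            continue
        # Constant-time comparison avoids leaking which digits matched.
        if hmac.compare_digest(hotp(secret, candidate, digits), str(code)):
            return candidate
    return None
```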
: Role-based security is when the infrastructure, and not people, provides access credentials. It eliminates the need for users to manage passwords. An example is a backup role given to a server so it can save an image.
: The Certification Authority Authorization (CAA) is a DNS record. It limits who can validate security tokens. The record results in the web browser rejecting all but the named organization. It protects against compromised certificate providers as well as forged certificates installed on the client machine. The following is a sample record where 0 issue is for most scenarios, and letsencrypt.org is the certificate authority.
: Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email security standard. It extends the SPF and DKIM standards with a policy for recipient email servers to handle authentication failures. Also, it helps detect forged emails by sending reports from receivers to the sender. The DNS TXT record shown below is under the name _dmarc.strategicmind.com.
: The supported HTTPS protocols in 2019 are TLS versions 1.1 and 1.2. The unsupported ones are SSL 2, SSL 3, and TLS 1.0. The most common client technology blocked by secure protocols is Windows 7 running IE 9, although that impacts less than one percent of users.
: The cipher suite is a set of encryption algorithms that work with the protocol. The OpenSSL group grades each one from A to F. The web server can select from hundreds of options based on that grading. The above chart shows grade A as secure.
: Production mode is a web server setting that masks software details when connecting to a website. That makes it harder to figure out what type of cyberattack to launch. The following is an example of the default non-production mode. It includes the webserver version, operating system, and an out-of-support programming language.
: The Sender Policy Framework (SPF) is a DNS TXT record. It identifies which servers can send emails for the domain and prevents spoofing the mail transfer agent. The following example identifies the version, service, what server to allow, and denies all other servers.
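For the SPF and DMARC entries above, the following added example (not code or records from the original page) parses both record types from constructed sample values and reports whether the SPF record actually denies unlisted servers. It also counts lookup mechanisms against the limit of 10 that RFC 7208 imposes, which the page does not mention.

```python
# Constructed records for illustration; not the real DNS data of any domain.
SPF_STRICT = "v=spf1 mx include:_spf.example.net ip4:192.0.2.0/24 -all"
SPF_LOOSE = "v=spf1 a mx include:a.example include:b.example include:c.example ptr ~all"
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"

# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
ALL_MEANING = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}

def parse_spf(record):
    """Split an SPF TXT record into its mechanisms and the terminal 'all' result."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    info = {"mechanisms": [], "lookups": 0, "all": None}
    for term in terms[1:]:
        qualifier = "+"                      # the default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # Mechanism name precedes any ":value", "=value" or "/prefix-length".
        name = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            info["all"] = ALL_MEANING[qualifier]
        else:
            info["mechanisms"].append((qualifier, term))
            if name in LOOKUP_MECHANISMS:
                info["lookups"] += 1
    return info

def spf_problems(record):
    """Findings for an SPF record, from the recipient's point of view."""
    info = parse_spf(record)
    problems = []
    if info["all"] != "fail":
        problems.append(f"does not reject unlisted servers (all = {info['all']})")
    if info["lookups"] > 10:
        problems.append(f"{info['lookups']} lookup mechanisms exceed the limit of 10")
    if any(term.lower().startswith("ptr") for _, term in info["mechanisms"]):
        problems.append("uses ptr, which RFC 7208 says should not be used")
    return problems

def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC record; 'p' is the failure policy."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags
```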
The Domain Name Service (DNS) converts names like strategicmind.com to an IP address like 18.104.22.168. It includes a registry for administration and a name service for lookups. Vendors frequently bundle them together, but that is not necessary.
DNS provides administrative control over the domain. Regaining that control after a cyberattack takes days while restoring online reputations takes much longer. Monitoring email from the registrar and responding to unexpected changes is a critical security measure. Have a plan to prove ownership after a theft, which includes alternate email addresses and keeping contact details up to date. Periodically check the domain name and IP addresses with several blacklist service providers. Advertise a secure profile by using HTTPS and setting up DNS records for SPF, DKIM, DMARC, and CAA. Then check if the hosting provider has security accreditation.
The hosting data center limits the maximal web server security. Secure the hosting platform by selecting an accredited facility. Numerous accreditations exist. Common ones are the Payment Card Industry Data Security Standard (PCI-DSS), the Health Insurance Portability and Accountability Act (HIPAA), or other reputable organizations. These certifications may be for specific industries, but the practices are universally applicable to any solution.
The critical difference in email providers is their security. Review providers for SPAM filtering, DKIM, and secure network connections. These are critical because email is a common point of attack. The following chart shows service providers by their market share of hosted domains. The larger providers have more capital to spend on security measures.
A firewall selectively blocks traffic to network services. However, most sites do not effectively use them. For example, thirty-one percent of websites allow database access from the internet. It leaves them vulnerable because it is both unnecessary, and the protocol lacks internet grade security. Scan for accessible services from a remote site using the netstat -plnt. A web server only requires HTTP and HTTPS protocols on ports 80 and 443.
Firewalls control access based on user-defined rules. They work better in combination with private networks and dedicated virtual servers. The following chart highlights a secure design with the internet on the left and the user data on the right. Using multiple firewall zones forces attackers to breach several systems before accessing the data. Each of the following firewall types protects different aspects of communication.
: Network zones are segments with different purposes and levels of trust. The first, the DMZ (Demilitarized Zone), is for security. The second is the application or internal zone for programs but no user data. The data or private section holds user data. Network zoning results in a more flexible multitier architecture.
: Session-oriented firewalls work on network connections, also known as the Transmission Control Protocol (TCP). Unlike sessionless rules, they evaluate the current packet as well as the history over the same IP and port. They can differentiate ingress and egress connections, making them far more functional compared to sessionless.
: A web application firewall (WAF) works on the HTTPS protocol. The rules are complicated, so products come with over a hundred built-in best practices. Examples are calling the same URL too frequently or scanning the website for files. Setup typically requires disabling a few rules that interfere with the application.
Blacklists contain domain names and IP addresses with content that is frequently filtered. Being on those lists impacts the ability to send an email and rank web pages. Most websites and practically all email services share IP addresses. Anyone using an IP can get it blacklisted, and that impacts all the other clients using it.
Forensic analysis reconstructs what hackers did after an event. Reviewing attempted and successful attacks clarifies what security measures are working and if improvements are necessary. The data comes from routers, firewalls, servers, applications, databases, and other sources. It is copied from the source equipment and saved to a WORM (write once, read many) device to protect against tampering.
There are many types of security testing. An online resource to validate web server connections is SSL Labs. The Center for Internet Security provides command checklists for operating systems, web servers, and databases. The open-source tool Nmap (Network Mapper) probes networks for vulnerabilities.