To your customers, your website is the gateway to your products and services. But in the eyes of cybercriminals, it’s an entry point to your sensitive data. Without proper protections in place, attackers may be able to exploit your site’s vulnerabilities and gain unauthorized access, resulting in detrimental repercussions for your business.
In today’s world of ever-evolving security risks and hacking techniques, it’s not enough to set and forget the security measures you put in place to protect your site. What was once considered a foolproof security best practice may become penetrable by hackers tomorrow. Additionally, any new features and services you add to your site could inadvertently come into conflict with or override existing security protocols without your knowledge. Routine monitoring and testing is required to ensure your walls of defense continue to stand strong over time.
So what do you need to monitor for specifically? Here are 3 common security issues that should be on your checklist.
Expired or outdated SSL and TLS certificates
SSL and TLS certificates ensure that your customer’s data is transmitted safely with encryption. Over time, consumers have become more conscious of what makes a site safe and know to look for the lock icon in their browser’s address bar which indicates a site has a valid certificate and is secure.
Once they’ve installed an SSL or TLS certificate, many website owners think their job is done. However, depending on the duration of the certificate you purchase, it could expire in as little as 1 year. If you forget to renew or the credit card you paid with expires, your certificate will become invalid and your site will be flagged as not secure. Being proactive about keeping your site’s certificates up-to-date is a simple but pivotal step to protecting your customer’s data.
Make sure every certificate in use:
- Hasn't expired and is issued by a reputable Certificate Authority.
- Matches the domain it's being used on.
- Has up-to-date cipher suites and protocol versions.
- Isn't shared with untrusted or out-of-scope domains.
By using stronger cipher suites and TLS protocol versions, you make it more difficult for an attacker to eavesdrop on communications and avoid having to address vulnerabilities caused by less secure versions. Focusing on the version and using modern encryption is the easiest way to avoid multiple vulnerabilities down the road.
Additionally, shared certificates can pose a major risk if you don't trust that each listed domain is protecting the private keys. In general, you shouldn’t use certificates shared with out-of-scope domains.
Missing HTTP security headers
HTTP security headers are a subset of HTTP headers that can increase your website’s defense against common attacks like cross-site scripting (XSS) and clickjacking. Most modern browsers are built with some protections against these kind of attacks, but these settings can be turned off by default. By including HTTP security headers, you can force additional protections to be enabled and avoid vulnerabilities.
We generally recommend every website employ the following headers:
- Strict-Transport-Security: Generally you should be using HTTPS on all your sites. With this header, you can force the browser to use it consistently for your visitors.
- X-Content-Type-Options: Preventing MIME-sniffing can protect visitors from certain drive-by-downloads.
- X-Frame-Options: You can generally avoid click-jacking attacks by blocking your site from being embedded within other domains.
- X-XSS-Protection: Modern browsers can often detect reflected cross-site scripting. By enabling this header, you can allow the browsers to block these attacks.
By regularly crawling each of your sites for these headers, you can easily identify and remediate missing protections.
Ever-increasing privacy regulations, like GDPR and CCPA, require businesses to keep a careful watch on the cookies they are setting. However, many cookies are set by third parties and it can be a challenge to track them all. Use a crawler to identify all the cookies set by third-party domains to help maintain an accurate list of data processors.
Once you've cataloged all the cookies used, it's best to group them using the common categories:
In addition to monitoring cookies for privacy violations, you must monitor their security settings to ensure that hackers can’t access and steal sensitive customer data.
Make sure the cookies you use are appropriately flagged, for example:
- HTTPS websites should use the Secure Cookie Flag to prevent cookies from being accessed in transit.
You should also keep an eye on the duration of the cookies you're setting. Make sure that you're using session and persistent cookies in an appropriate and ethical manner.
Monitoring for these common website security issues can help you identify and remediate vulnerabilities across your organization, making a costly breach less likely to occur. With Halo Security’s website scanning technology, you can easily index, categorize, and monitor the certificates, HTTP headers, and cookies used across your websites. Our agentless, cloud-based attack surface management solution lets you get started easily and quickly. Schedule a free demo with our expert team today.
Editor's note (August 2022): This article was originally posted on the TrustedSite blog in Dec 2020. It has been updated for the Halo Security blog.