(Ping! Zine Issue 72) – What Food Poisoning Can Teach You about Website Security
Everyone’s gotten a stomach bug from eating out before – whether it was at a 4-star downtown restaurant or take-out Chinese down the block. Thinking back on it, did you ever go back there, or did it make you a little nauseated even considering it?
Well, just like chefs have to worry about their food ruining someone’s day, website owners need to worry about their websites doing harm to their visitors. You don’t want anyone to dread a return visit to your site.
However, trying to manage “website security administration” is enough to cause an uneasy feeling for anyone – even those with plenty of free time. But for small business owners with a million other things to do, it seems nearly impossible.
If this sounds like the situation you’re in, we have bad news followed by some great news that can alleviate a lot of worry and stress.
The Risks You Face
First, let’s understand where you’re at as the owner of a small business website. Your top Internet security concerns are:
Protecting your website from attackers
Preventing your customers’ data from getting compromised
With that in mind, let’s get the bad news out of the way: these threats are very real and your website isn’t free from them, no matter the size of your business. With over three billion malware attacks per year, according to Kaspersky Security Bulletin 2013, a typical website can have hundreds (or even thousands) of potential vulnerabilities that attackers can leverage to compromise your site – infecting it with malicious software, known as “malware.”
Todd Redfoot, Chief Information Security Officer for GoDaddy points out, “Attackers know this, and are always on the prowl to find these websites. Once malware is placed on a site, it can display seedy ads, spread viruses, steal personal information, and damage the reputation of your website. Whether you have a purely informational website or an online business, it is important to regularly scan your website for malware and vulnerabilities to ensure it hasn’t been, or could easily be, compromised by hackers.”
If that weren’t enough, “If your website transmits sensitive private data such as username, password, and credit card numbers over the Internet, third parties can easily ‘snoop’ the data that is sent between your visitors and your website, exposing your customers’ sensitive information,” adds Wayne Thayer, Vice President & General Manager, Security Products for GoDaddy.
Simple Solutions to Your Problems
With the bad news about these threats out of the way, let’s get to the good news: there are simple-to-use tools to exponentially increase your website’s (and your customers’) security.
For GoDaddy customers, some of the tools available to your website are so easy for you to use, you literally don’t have to do anything. This is because GoDaddy handles a lot of threats through the industry-leading network security all of their hosting packages include. Redfoot continues, “Our Web hosting comes with advanced distributed denial-of-service (DDoS) protection, intrusion prevention systems, and no-cost access to a team of Web security professionals. We include this with every plan because it helps keep our customers’ sites protected from floods of malicious traffic and thousands of other security threats.”
However, no amount of network protection can stop every attack. To help site owners guard themselves against threats that come directly to their sites, GoDaddy has a suite of security-oriented products:
SSL certificates to protect your customers’ data from “snooping”
SiteLock to protect your website against abuse from attackers
Managed WordPress to provide top-of-the-line reliability and security for customers hosting WordPress sites
SSLs Keep Your Secrets, Well, Secret
As Thayer mentions third-party data snooping, where an eavesdropper scans data coming to and from your site looking for social security numbers or credit card numbers, he adds, “A Secure Socket Layer (SSL) certificate is a vital security layer to safeguard your customers.”
SSL is the standard security technology that protects millions of websites by encrypting communications between visitors and websites. By using SSL, only the visitor’s computer and your website can understand the data being sent back and forth. Third parties cannot decipher the information – even if they intercept it – which makes eavesdropping futile.
To ensure they don’t lull visitors into a false sense of security, GoDaddy also verifies ownership of the domain name being protected by the SSL. This lets customers know they’re dealing with a legitimate website and not an imposter. The most rigorously verified certificates, Extended Validation (EV), go even further in building customers’ trust by displaying the name of the business at the top of the browser window.
Building that kind of trust with customers pays off in the end. The right SSL certificate has been demonstrated to increase online transactions and conversion.
Letting your customers know that your site is secure is simple, too, Thayer adds. “Our SSL customers can display a badge on their websites letting their visitors know that their site is secure. Astute visitors will already know to look in the address bar for ‘https,’ but for everyone else, the security badge is a great way of saying, ‘You’re safe providing this website with your information.’”
In addition to offering multiple layers of verification, GoDaddy also offers SSLs that can secure single or multiple domains. None of which are difficult to use: automatic setup and configuration are provided for websites that are hosted with GoDaddy.
SiteLock Sounds the Alarm
Keeping your customers’ data safe is only part of the equation, though; you also need to keep your website’s files free from anything that would negatively impact your visitors. “GoDaddy offers comprehensive website protection through our partnership with SiteLock,” Thayer mentions.
SiteLock offers security for online businesses, using state-of-the-art, 360-degree technology that scans websites inside and out to flush out malware and identify vulnerabilities that could lead to serious security compromises. Once the scan’s complete, SiteLock alerts you if it’s found anything potentially hazardous, including malware and engineering-level weaknesses.
Thayer explains, “SiteLock monitors websites for any foul play and uncovers any weaknesses. But more important than just finding issues, SiteLock can also fix some of the problems it discovers using its SMART tool.” SMART is pretty impressive; not only does it scan all of your site’s files and notifies you of any malware it finds, it also automatically removes malware it finds for you.
Once SiteLock has determined your site’s got a clean bill of health, there’s nothing wrong with bragging about it. “SiteLock offers a badge for websites that it has scanned and found neither malware nor vulnerabilities. This way your website is known as a safe place on the Internet, free from the malware you find in so many places,” Thayer informs us.
Do I need an SSL Cert or SiteLock?
Which security solution you need depends on what kind of website you have.
SSL certificates are a must-have for websites that transmit sensitive user data, such as e-commerce sites or sites where visitors (or you, as the administrator) can log in.
SiteLock benefits most websites – not just those storing credit card or login data. No matter what kind of place you’re making for yourself on the Internet, attackers would love to compromise it and infect your visitors with malware. SiteLock protects everyone from that threat. However, websites built with tools such as the ones offered by GoDaddy, Squarespace, and Jimdo among others, generally don’t need services like SiteLock, because these websites reside in locked-down environments.
When you’re ready to increase the level of security for your website, you can take the following steps to setup your SSL Certificate and SiteLock.
Setting up SSL Certs
For SSL certificates, the steps you take to request and install the certificate depend on where the website is being hosted.
For customers hosting through GoDaddy, it’s incredibly simple because they take care of everything for you. All you need to provide is which domain name you want to protect.
Customers installing their SSL certificates elsewhere will need to go through some additional steps. First, they’ll need to generate a certificate signing request (CSR) on their host servers, and then provide the CSR to GoDaddy. After that, they validate their ownership of the domain, and then install the SSL certificate.
For Extended Validation certificates, GoDaddy will request some additional information to verify identity of the company that runs the website. They have plenty of information about this in their interface and support center.
Setting up SiteLock
Setting up SiteLock is straightforward. After entering the domain name you want to protect, there’s a brief process to make sure you own the website, and then it begins scanning for problems.
For SiteLock’s SMART malware removal tool, you’ll also need to also provide your File Transfer Protocol (FTP) login information from your hosting company. With it, SiteLock can download and scan your site for any known malware.
If you run into any issues, GoDaddy offers award-winning 24/7 customer support, worldwide, for free.
Managed WordPress Is an Ounce of Prevention
In addition to its strictly-security-oriented products, GoDaddy also offers Managed WordPress, which solves a lot of administrative nightmares of working with the world’s most widely used (and most frequently targeted) content management system (CMS).
Because of WordPress’ popularity, as soon as an exploit is found, abuse of it spreads quickly. The only way to protect yourself is to upgrade your version of WordPress as quickly as possible. Of course, as a small business owner, there are a million other things you need to accomplish besides checking for software updates day in and day out.
Managed WordPress alleviates that headache by automatically upgrading your site to the latest version of WordPress within hours of its release, minimizing your exposure to potential threats. Coupling this with SiteLock’s regular scans can make your website incredibly secure.
Customers using Managed WordPress are also protected from a variety of other ailments, such as brute force WordPress admin login attempts and dangerous plugins. GoDaddy’s development team works closely with the WordPress community to protect customers. They vet security threats and ensure that sites running vulnerable plugins automatically get updated or removed from the environment – as in the recent case of All-in-One-SEO Pack [http://www.pcworld.com/article/2357740/flaws-in-popular-seo-plugin-put-wordpress-websites-at-risk.html] where all sites with that plugin were automatically upgraded to a secure version.
If that sounds like something that would solve some of your problems, but you can’t deal with the hassle of moving your site, GoDaddy has a solution for that, as well. They offer a tool that migrates your WordPress content for you.
For anyone using WordPress, GoDaddy’s Managed WordPress is the ideal security platform.
How GoDaddy Does It (and How You Can Help)
When customers buy hosting from GoDaddy they are getting more than just space on fast and reliable servers. Behind the scenes, GoDaddy has a 24/7 security operations team keeping a close eye on their systems. Of course, it’s not a simple task: today’s attacks have evolved to defeat yesterday’s countermeasures.
However, there are always foolproof, must-have practices that GoDaddy uses (and recommends to its customers). Redfoot summarizes, “We use good password etiquette on admin accounts, use SSL where appropriate, scan our servers for vulnerabilities and fix any that we discover. In addition, we make sure we are using the latest versions of software and the most current patches and turn off or remove any services that aren’t needed. For both our sites’ and our customers’ servers, we also do a lot of server hardening to enhance security.”
They frequently see two common issues with customers’ accounts, though: weak passwords and outdated software. You can help GoDaddy (and the Internet at large) by making sure your site isn’t a security weak point.
Weak Passwords
Redfoot continued explaining that many compromises occur simply because customers use weak passwords for their hosting accounts. This leaves them vulnerable to brute force attacks, which use trial and error means to guess your login information.
By using strong, unique passwords, customers can reduce the likelihood their sites will get infested with malware. This not only includes FTP and admin-type passwords, but also the password to your GoDaddy account itself.
Outdated Software
Sites that don’t keep up-to-date with the latest software versions and patches pose a huge risk across the entire Internet. (How commonly this happens is part of what drove GoDaddy to develop its Managed WordPress platform.)
However, it’s not just a customer’s CMS that can cause issues. Thayer adds, “Another item often overlooked is extensions, or ‘plugins,’ to these popular content management systems. These need to be updated as well – usually more often than the CMSs they run within. Disabling plugins you aren’t currently using will cut down on how many you have to keep updated.
“For other vulnerabilities that can lead to compromises, customers can rely on SiteLock Premium’s daily scans to ensure their sites remain secure.”
Other tips include using two-step authentication if it’s available and keeping an eye out for any suspicious activity. Doing all of this will not only protect your own website and personal information from getting compromised, it helps make the Internet that much less dangerous.
Getting Down to Business
You’re now in a position to confidently go forward in protecting your website (and yourself) from the vast majority of security threats the Internet poses. Take this opportunity to redouble your efforts to make your website someone wants to return to – again and again.
Wayne Thayer, Vice President & General Manager, Security Products
Wayne is responsible for GoDaddy’s security products, including its SSL Certification Authority, code signing certificates and partnership with SiteLock, an online security scanner for websites. Wayne represents GoDaddy at the CA/Browser Forum, the standards body that defined Extended Validation SSL. He holds an MBA and a BS in Electrical Engineering, both from Penn State University.
When he’s not working or spending time with his family, Wayne enjoys competing in amateur mountain bike races. He completed the famed Leadville Trail 100 race a few years ago.
Todd Redfoot, Chief Information Security Officer
Todd is responsible for overseeing GoDaddy’s award winning Security Team. His specific focus is maintaining a safe hosting platform for customer websites and ensuring a high level of information security within the company.
Since joining GoDaddy in 2003 as a Senior Developer, Todd has led several Development and Security teams, including Email Systems, Marketing Infrastructure, and Internal Information Technology. Todd is well-versed in Network, Application, and Database security and is trained in several programming and software scripting languages. He has a Bachelor of Science in Computer Information Systems from Arizona State University.