I’m not sure why more emphasis isn’t put on access in website security discussions, but I’ll spend some time on it today. Understand that this emphasis is not just something pulled out of the clouds. Instead, it has come from months of thought and research – courtesy of client environments, enterprise incident handling cases, and our own honey pots.
Secure Website – Access Control
For some reason, what I’ve gathered is that website owners, in their minds, think they are really ingenious. We think that what we know, no one else knows; the harsh reality is that’s so far from the truth. There are also those that buy into the idea that information security is an absolute – if only it were. Website owners have to learn to set appropriate expectations. The information security domain is about risk reduction. That is the first thing to understand.
While software vulnerabilities are a real threat, without tangible evidence, I am willing to bet that access is gaining ground on software vulnerabilities more than most realize. Still working on evidence to support this. A good thing to remember is that as a product becomes more secure, and the attack vectors decrease, access only increases in importance.
It’s probably important to outline what we consider to be access, so here is what I’m talking about:
- Access to your hosting control / administrative panel
- Access to your server via FTP / SFTP / SSH
- Access to your website’s administrative panel
- Access to other applications on your server
- Access to your database
Too often we talk to website owners and they focus on one or the other, either website administrative panel or host information but rarely on the server or various other elements. This makes for a catastrophic experience. You plug one hole only to leave another one wide open, and sadly you’re often plugging the wrong one. There are things you can do though, again, keeping the idea of reducing your risk in mind:
- Employ least privileged concepts – apply a role appropriate to the task and no more
- Get rid of accounts you don’t need
- Audit your servers and websites – who is doing what, when and why
- If possible, apply multi-factor authentication to all your access points
- Disable access points until they are needed – reduce your access windows
- Remove unneeded services off your server
- Verify applications that are externally accessible versus tied to the network – can you access PHPMyAdmin outside of your cPanel?
- Developers: a production box is not the place to develop, test or push updates without testing
In more instances than not, you, the website owner, have more ability than you might think in protecting your website. Doing some of the basics will greatly reduce your risk, which in turn will help you better protect your website and your followers. Today’s attacks are more automated than manual, remember that. For most reading this article this is true; applying some minor changes, both in the way you administer and work with your website, will go a long way in reducing your access risks.
I will be following this post up with examples of what we’re seeing and specific ways to thwart attacks, both at the application and server level.
There are a few of you out there who have your own high-profile sites and networks. If you experience a compromise let us know, we’d love to handle your incident on a one-on-one basis. Contact us at info@sucuri.net.
Hi Tony
Interesting read.
Noticed “Employ least privileged concepts – apply a role appropriate to the task and no more”
I wonder how many sites have one Admin user doing everything – including writing the posts as Admin!
got me thinking now.
I am glad to catch idea from your article. It has information I have been searching for a long time. Thanks so much.
I be careful! thank so much.
THank for this post!