Website Security – The Importance of Access

January 21, 2013, by Tony Perez

I’m not sure why more emphasis isn’t put on access in website security discussions, but I’ll spend some time on it today. Understand that this emphasis is not just something pulled out of the clouds. Instead, it has come from months of thought and research – courtesy of client environments, enterprise incident handling cases, and our own honey pots.

Secure Website – Access Control

For some reason, what I’ve gathered is that website owners, in their own minds, think they are really ingenious. We assume that what we know, no one else knows; the harsh reality is that this is far from the truth. There are also those who buy into the idea that information security is an absolute – if only it were. Website owners have to learn to set appropriate expectations. The information security domain is about risk reduction. That is the first thing to understand.

While software vulnerabilities are a real threat, I am willing to bet, even without tangible evidence yet, that access is gaining ground on software vulnerabilities as an attack vector more than most realize; we are still working on the evidence to support this. A good thing to remember is that as a product becomes more secure and its attack vectors decrease, access only increases in importance.

It’s probably important to outline what we consider to be access, so here is what I’m talking about:

  • Access to your hosting control / administrative panel
  • Access to your server via FTP / SFTP / SSH
  • Access to your website’s administrative panel
  • Access to other applications on your server
  • Access to your database

Too often we talk to website owners and they focus on one or the other, either the website’s administrative panel or the hosting account, but rarely on the server or the various other elements. This makes for a catastrophic experience. You plug one hole only to leave another one wide open, and sadly you’re often plugging the wrong one. There are things you can do though, again keeping the idea of reducing your risk in mind:

  • Employ least privileged concepts – apply a role appropriate to the task and no more
  • Get rid of accounts you don’t need
  • Audit your servers and websites – who is doing what, when and why
  • If possible, apply multi-factor authentication to all your access points
  • Disable access points until they are needed – reduce your access windows
  • Remove unneeded services from your server
  • Verify which applications are externally accessible versus tied to the network – can you reach phpMyAdmin outside of your cPanel?
  • Developers: a production box is not the place to develop, test or push updates without testing
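As an added example (not part of the original post), here is a small POSIX shell audit that turns two of the checklist items above into something you can run: which accounts can actually log in, and which internal services (the database and plain FTP here) are bound to every interface instead of localhost. It runs over constructed sample data; on a real host you would feed it the output of `cat /etc/passwd` and `ss -Hlnt` instead.

```shell
#!/bin/sh
# Access-surface audit over constructed sample input (example code, not Sucuri's).

# Constructed /etc/passwd excerpt: two humans, one leftover contractor account,
# and service accounts that correctly have no login shell.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:112:117:MySQL Server:/nonexistent:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
olddev:x:1001:1001:Contractor 2011:/home/olddev:/bin/bash'

# Constructed `ss -Hlnt` excerpt: listening TCP sockets and their bind address.
SAMPLE_LISTEN='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 32 0.0.0.0:21 0.0.0.0:*'

# "Get rid of accounts you don't need" starts with knowing which accounts can
# log in interactively: anything whose shell is not nologin/false.
login_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# "Externally accessible versus tied to the network": report the database port
# (3306) and plain FTP (21) whenever they listen on something other than loopback.
exposed_internal_services() {
    printf '%s\n' "$1" | awk '
        {
            addr = $4; sub(/:[0-9]+$/, "", addr)   # strip the trailing :port
            port = $4; sub(/.*:/, "", port)        # keep only the port
        }
        addr != "127.0.0.1" && addr != "::1" && addr != "[::1]" \
            && (port == "3306" || port == "21") { print port }'
}

echo "Accounts with an interactive shell:"
login_accounts "$SAMPLE_PASSWD"
echo "Internal services exposed on non-loopback addresses:"
exposed_internal_services "$SAMPLE_LISTEN"
```

Each account or port the script prints is a question to answer, not a verdict: the contractor account and the world-reachable MySQL port are exactly the access points the checklist says to remove or restrict.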

In more instances than not, you, the website owner, have more ability to protect your website than you might think. Doing some of the basics will greatly reduce your risk, which in turn will help you better protect your website and your followers. Remember that today’s attacks are more automated than manual, and for most readers of this article that is the threat that matters; applying some minor changes, both in the way you administer and work with your website, will go a long way in reducing your access risks.

I will be following this post up with examples of what we’re seeing and specific ways to thwart attacks, both at the application and server level.

There are a few of you out there who have your own high-profile sites and networks. If you experience a compromise let us know, we’d love to handle your incident on a one-on-one basis. Contact us at info@sucuri.net.

Categories: Security Education, Website Security. Tags: Best Practices, Passwords, Permissions, Server Security

About Tony Perez

Tony is the Head of Security Products at GoDaddy and Sucuri Co-Founder. His passion lies in educating and bringing awareness about online threats to business owners. His passions revolve around understanding the psychology of bad actors, the impacts and havoc hacks have on website owners, and thinking through the evolution of attacks. You can find his personal thoughts on security at perezbox.com and you can follow him on Twitter at @perezbox.


Comments

  1. Keith Davis

    February 16, 2013

    Hi Tony

    Interesting read.

    Noticed “Employ least privileged concepts – apply a role appropriate to the task and no more”

    I wonder how many sites have one Admin user doing everything – including writing the posts as Admin!

    Got me thinking now.

  2. friv 3

    May 24, 2013

    I am glad to catch ideas from your article. It has information I have been searching for for a long time. Thanks so much.

  3. Minecraft Jugar

    September 7, 2013

    I’ll be careful! Thanks so much.

  4. TopFlappyBird

    February 12, 2014

    Thanks for this post!
