Top 10 Website Security Myths
When it comes to website security, companies and businesses that don't know any better tend to generalize and rationalize the methods by which they could keep their domains hacker-free. As with any other urban legend, these institutions have created plausible-sounding yet altogether erroneous conjectures that blur the line between fact and fiction in website security. Here are the top ten examples of these widespread inaccuracies:
1. The web developers will automatically handle website security: Companies working under this assumption should think again. Web developers will do little for your website's overall security unless you specifically ask them to address it and have that work verified. Define your specifications and contracts to ensure that your developers will do a good job with your website's safety measures.
2. Nobody is interested in hacking your website: Right off the bat, you must realize that the Internet is the domain of the online outlaw, and any website containing important company or personal data is fair game. Unless you're fully prepared to fight off attempts at breaching your system, attackers will make short work of your precious homepage, so beware.
3. A website that uses SSL is secure: One look at an IT security news site will easily dispel this untruth. In fairness, the secure sockets layer (SSL for short) is a mandatory layer of protection for your website. Nonetheless, it only encrypts your data in transit so that it cannot easily be read by an eavesdropper; it's not the end-all, be-all safeguard that you seek, and it can still be bypassed or rendered moot by a variety of methods, since it does nothing about vulnerabilities in the application behind it.
4. Not using Microsoft-brand software will keep your website safe: This sounds more like a joke from Apple users than a real website security myth, but people have actually believed it. In truth, websites hosted on other platforms such as Unix or Mac OS still need to install updates and fixes regularly. These operating systems may not be as regular a target as Windows, but they can still be compromised if a webmaster is unwary.
5. A firewall is enough to maintain the safety of your website: Most of the time, a firewall only controls which traffic reaches the front end of a web server; a site that's worth its salt also needs to inspect the content of web requests, which a mere network firewall cannot filter. Moreover, even though firewalls are good at shielding your site against already-reported vulnerabilities, newer and more serious programming bugs are discovered practically daily, so those are two gaps that the standard firewall usually fails to cover.
6. File backups will protect the site from harm: File backups help you recover an irretrievably compromised or corrupted website; they are not a defense mechanism that you can rely on when the going gets tough on the IT security front. Data poisoning can also alter both your on-site files and your backup files, so don't rest on your laurels just because you have a backup.
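As an added example (not from the original article): a small Python integrity check that seals a hash manifest of a backup with an HMAC, so that a backup file altered after the fact, or a manifest rewritten to match it, is detected before anyone restores from it. The key, file names and file contents below are constructed for illustration; the point is that the key lives somewhere the backup host cannot write.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def file_digest(path: Path) -> str:
    """SHA-256 of one file, streamed so a large backup need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path, key: bytes) -> dict:
    """Hash every file under root and seal the listing with an HMAC over the sorted JSON."""
    files = {str(p.relative_to(root)): file_digest(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, "sha256").hexdigest()}

def verify_backup(root: Path, manifest: dict, key: bytes) -> list:
    """Return problems found; an empty list means the backup matches the sealed manifest."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), manifest["mac"]):
        return ["manifest MAC mismatch: the manifest itself was altered"]
    problems = []
    for rel, digest in manifest["files"].items():
        p = root / rel
        if not p.is_file():
            problems.append("missing: " + rel)
        elif file_digest(p) != digest:
            problems.append("modified: " + rel)
    on_disk = {str(p.relative_to(root)) for p in root.rglob("*") if p.is_file()}
    return problems + ["unexpected: " + r for r in sorted(on_disk - set(manifest["files"]))]

def demo() -> tuple:
    # Constructed scenario: clean backup, then a silently altered file, then a rewritten manifest.
    key = b"constructed-example-key"  # in practice a secret kept where the backup host cannot write
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "config.php").write_text("<?php $db = 'prod'; ?>")
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)
        (root / "index.html").write_text("<h1>Welcome</h1><!-- altered after backup -->")
        poisoned = verify_backup(root, manifest, key)
        forged = {"files": {**manifest["files"], "index.html": file_digest(root / "index.html")},
                  "mac": manifest["mac"]}  # hashes re-done to match, but the MAC cannot be recomputed
        return clean, poisoned, verify_backup(root, forged, key)
```

Run `verify_backup` from a host that holds the key and only has read access to the backup store; a plain per-file checksum list without the MAC would let whoever altered the backup also fix up the list.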
7. Encrypted data protects the site from hacker attacks: Just as with SSL, even if your data is encrypted, it doesn't necessarily mean that your company's confidential information or trade secrets are completely safe from cyber crooks. Tools exist, or are written by attackers, that can break encryption that is weak or poorly implemented. So don't use weak or custom-developed algorithms; go for the strongest, well-vetted ones available.
8. An annual penetration test is an adequate safety measure for a website: As technology evolves, so do attacks, and vulnerability hunting is an everyday sport for both white-hat (helpful) and black-hat (malicious) hackers. A pen test only covers the vulnerabilities present at the time of the test; who knows what developments might unfold afterwards? You shouldn't let your guard down regardless.
9. Using fully patched desktops will eliminate any hacker-related worries: Even if your entire staff has been assigned workstations that are regularly and automatically given updates, patches and fixes, you shouldn't assume that your network is safe from harm. The delay between vulnerability discovery and vulnerability patching should also be taken into consideration.
10. The SLA with your hosting company guarantees your system's protection: The service level agreement (SLA) that you have with your hosting company usually defines certain limited levels of uptime, but you should double-check what the exceptions are, what you're responsible for, and how those uptimes are calculated. For instance, a loss of Internet connectivity or power at the host may leave you with no recourse. In any case, you should implement disaster recovery and business continuity plans, because you really have no assurance that your website will remain online even with an SLA.
Always use web vulnerability scanning to make sure your website or web shop is secure.