Technology

Securing your business website

The other day a friend of mine called and asked for guidance. He owns a small business, had registered a domain name for it, and had a web app developed by a software services firm in Mumbai, all developed, deployed and working. For this post let us call the website example.com. The business is not big; he employs fewer than 10 staff, all on offline activities. His clients log in to example.com to check the transactions they have done with the company, so the website matters to the business, and he is aware that once revenue kicks in he will need dedicated IT staff (in-house or outsourced). Until then he had no regular maintenance or management, which is like driving without a seatbelt.

The reason for his call was to find out how to get better control over his website. He was getting worried because the website had gone down nearly twice a week for the last few weeks. The outsourced Mumbai services firm was giving him various reasons, ranging from a registrar problem (highly unlikely) to server problems. They can't be held fully responsible either, since their contract covers a fixed scope of what they are supposed to do (develop, maintain, deploy and manage).

I told him that he should hire my firm Vishwak Solutions to be his tech partner :). That aside, I told him to do the following, and this post captures that.


Protect your domain name

  1. Domain registrars including Dotster, GoDaddy, Network Solutions and Net4India have dashboards to manage your domain name and the DNS entries associated with it. When you hired the services firm you probably shared the credentials (username/password) for the registrar account with them. Change the password immediately and keep it only with you; if the registrar offers two-factor authentication and a domain transfer lock (registrar lock), turn both on. Have any DNS changes routed through you. This means unfamiliar work for you, but it also means they can't arbitrarily shuttle your website between servers or hijack it.
  2. An email address is associated with the registrar account, and by default it is likely to show up in a public WHOIS query on the Internet. Knowing this, attackers can attempt social engineering to gain unauthorized access to that mailbox, then use it to reset the registrar dashboard password and take over your domain. Your innocent-looking email ID becomes the weak link. In this case my friend's Gmail ID was used for the domain registration. I recommended that he immediately enable multi-factor authentication on his Gmail account (if you are using Hotmail, the instructions are here), which blocks anyone who does not also have his mobile phone. If the registrar offers WHOIS privacy, enable that too so the address is not published at all.
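As an added example (not code from the original post), here is a small POSIX shell script that checks a saved WHOIS record for the two things discussed above: whether a transfer lock is set on the domain, and whether a contact email address is exposed to anyone who runs `whois`. The sample record embedded at the bottom is constructed for the demonstration; the script name and the field layout it parses are assumptions based on the common registrar output format.

```shell
#!/bin/sh
# Added example, not from the original post: audit a WHOIS record for a
# transfer lock and for exposed contact email addresses.
# Usage: whois example.com > record.txt && sh whois_audit.sh record.txt
# With no argument the constructed sample record below is audited.

# Extract the EPP status codes from lines such as
# "Domain Status: clientTransferProhibited https://icann.org/epp#..."
# on stdin, one code per line.
domain_statuses() {
    grep -i '^[[:space:]]*Domain Status:' \
        | sed -e 's/^[^:]*:[[:space:]]*//' -e 's/[[:space:]].*$//'
}

# Return 0 when the record (passed as a string) carries a transfer lock.
# Without clientTransferProhibited or serverTransferProhibited, anyone who
# obtains the auth code can move the domain to another registrar.
has_transfer_lock() {
    printf '%s\n' "$1" | domain_statuses \
        | grep -qiE '^(client|server)TransferProhibited$'
}

# Print every distinct email address visible in the record. If your personal
# mailbox shows up here, it is the password-reset path for your registrar account.
exposed_emails() {
    printf '%s\n' "$1" \
        | grep -ioE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' \
        | sort -u
}

# One-line verdict for a record passed as a string.
audit_whois() {
    rec="$1"
    if has_transfer_lock "$rec"; then lock=locked; else lock=UNLOCKED; fi
    count=$(exposed_emails "$rec" | grep -c . || true)
    printf 'transfer lock: %s; exposed emails: %s\n' "$lock" "$count"
}

# Constructed sample record; not real WHOIS data.
SAMPLE_RECORD='Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Email: owner@example.net
Admin Email: owner@example.net
Name Server: NS1.EXAMPLE-HOST.NET'

if [ -n "${1:-}" ]; then
    audit_whois "$(cat "$1")"
else
    audit_whois "$SAMPLE_RECORD"
fi
```

Run it against the real record every few months, or after any change at the registrar: a result of `UNLOCKED` or a non-zero exposed email count is the cue to log in to the registrar dashboard and fix it.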

Server hosting

  1. For example.com my friend had opted (not knowing the full impact) for a shared server, which means his website is hosted alongside many other clients of the services firm. You get what you pay for: shared hosting is cheaper, and that is what my friend had paid for. Going with this option means your website's performance can't be guaranteed and will vary with whatever the other websites on the same server are doing. Shared hosting is a good option for simple brochureware and blog sites, but not for business webapps. I recommended that he move to his own server. Since cost is a concern and the webapp load is low, a virtual server will do. Microsoft Azure and Amazon AWS provide this, but they tend to be difficult to manage and to estimate costs for at the tiny scale of example.com, since they charge for each ingredient (CPU, RAM, storage, bandwidth) separately. I prefer providers like GoDaddy, Rackspace or SoftLayer, which offer bundles from as low as $20/month. In this case I foresee my friend paying about $130-200/month for a good virtual server that will meet his needs.
  2. Sign up with the hosting provider for a daily or weekly backup of the entire virtual server, stored somewhere other than the virtual server itself.
  3. Keep the credentials for the hosting provider (GoDaddy/Rackspace/SoftLayer) with you; they need not be shared with the services firm.
  4. Get two administrator accounts created on the virtual server, one for my friend and one for the services firm, so that the firm's access can be revoked later without locking him out.
  5. Optionally, learn how to take a monthly backup of the virtual server yourself to another location such as Google Drive or Microsoft OneDrive, and restore it at least once to confirm that the backup is actually usable.
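As an added example (not code from the original post), the following POSIX shell script shows what a do-it-yourself backup of the web root can look like: a dated archive with a SHA-256 checksum, a restore test that extracts the archive and compares it with the source, and pruning of old archives. The script name, the paths, the retention count of seven and the sample site it builds when run without arguments are all assumptions made for the demonstration. Copying the resulting files off the server (to the host's backup service, or to Google Drive or OneDrive with a sync tool) is left to the reader, since that depends on the provider.

```shell
#!/bin/sh
# Added example, not from the original post: a self-verifying backup routine
# for a web root. It writes a dated tar.gz plus a SHA-256 checksum, proves the
# archive restores by extracting it and diffing against the source, and keeps
# only the newest N archives. Copy the resulting files off the server.
# Usage: sh site_backup.sh /var/www/example.com /backup/example.com
# With no arguments it runs against a constructed sample site in a temp dir.
# Paths and the retention count are assumptions; dump the database into the
# web root first (e.g. mysqldump > db.sql) so it rides along in the archive.

# SHA-256 of a file, portable across GNU coreutils and BSD/macOS.
checksum() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | awk '{print $1}'
}

# Archive directory $1 into $2/site-<UTC stamp>.tar.gz, write <archive>.sha256
# beside it, and print the archive path.
make_backup() {
    src="$1"; out_dir="$2"
    mkdir -p "$out_dir"
    archive="$out_dir/site-$(date -u +%Y%m%d-%H%M%S).tar.gz"
    # -C keeps paths relative so the archive restores into any directory
    tar -C "$src" -czf "$archive" .
    checksum "$archive" > "$archive.sha256"
    printf '%s\n' "$archive"
}

# Return 0 only if the archive's checksum still matches and its contents are
# identical to $2 after extraction. A backup that has never been restored
# is not a backup.
verify_backup() {
    archive="$1"; src="$2"
    [ "$(checksum "$archive")" = "$(cat "$archive.sha256")" ] || return 1
    tmp=$(mktemp -d)
    tar -C "$tmp" -xzf "$archive"
    if diff -r "$src" "$tmp" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# Delete all but the newest $2 archives (and their checksums) in $1.
prune_backups() {
    dir="$1"; keep="$2"
    ls -1t "$dir"/site-*.tar.gz 2>/dev/null | tail -n +"$((keep + 1))" \
        | while read -r old; do rm -f "$old" "$old.sha256"; done
}

if [ $# -eq 2 ]; then
    a=$(make_backup "$1" "$2")
    verify_backup "$a" "$1" && prune_backups "$2" 7 && echo "backup OK: $a"
else
    # Demo on a constructed sample site (not real data).
    site=$(mktemp -d); dest=$(mktemp -d)
    printf '<?php echo "hello";\n' > "$site/index.php"
    mkdir -p "$site/uploads"; printf 'invoice data\n' > "$site/uploads/inv1.txt"
    a=$(make_backup "$site" "$dest")
    verify_backup "$a" "$site" && echo "demo backup verified: $a"
    rm -rf "$site" "$dest"
fi
```

Run it from cron on the server, then sync the backup directory to a location the services firm cannot write to; the checksum file is what lets you tell a good copy from a corrupted or tampered one months later.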

Updates

  1. The software that runs on the server, including your webapp, is a living thing of sorts: you need to take care of it constantly. In this case you need to sign up for an annual support contract with your server hosting vendor or with the services firm to apply monthly updates to the entire software stack. Typically this means the operating system (Windows Server or Linux), database (SQL Server or MySQL), application runtime (.NET Framework or PHP), web server (Microsoft IIS or Apache), specific software (WordPress, Joomla or Drupal) and any other runtimes. Critical security patches should not wait for the monthly window.
  2. As the webapp begins to do transactions, get your services firm to install and configure a Web Application Firewall (WAF) such as ModSecurity in front of your webapp.
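As an added example (not configuration from the original post or from the ModSecurity project), here is a minimal Apache configuration for ModSecurity 2 with the OWASP Core Rule Set. The file paths follow a Debian/Ubuntu style layout and are assumptions; the CRS install location in particular varies by distribution. The weak setting and its fix sit side by side: `DetectionOnly` logs what would have been blocked without blocking anything, which is where a new deployment should start, and `On` is the setting to switch to once the audit log has been reviewed and false positives handled.

```apache
# Added example, not from the original post: Apache + ModSecurity 2 with the
# OWASP Core Rule Set. Paths are assumptions for a Debian/Ubuntu style layout.
<IfModule security2_module>
    # Step 1: observe only. Step 2, after reviewing the audit log for a week
    # or two and tuning away false positives, change this to:  SecRuleEngine On
    SecRuleEngine DetectionOnly

    # Inspect POST bodies; that is where logins and transactions travel.
    SecRequestBodyAccess On
    # Cap request bodies: 12.5 MB overall, 128 KB when no file upload is present.
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072
    # Leave responses alone to keep the performance cost small.
    SecResponseBodyAccess Off

    # Log only requests that triggered a rule or ended in a 5xx/4xx (except 404).
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogType Serial
    SecAuditLog /var/log/apache2/modsec_audit.log
    SecAuditLogParts ABIJDEFHZ

    SecTmpDir /var/cache/modsecurity
    SecDataDir /var/cache/modsecurity

    # OWASP Core Rule Set; assumed to be installed under /etc/modsecurity/crs
    Include /etc/modsecurity/crs/crs-setup.conf
    Include /etc/modsecurity/crs/rules/*.conf
</IfModule>
```

Whoever maintains the server should read `modsec_audit.log` during the DetectionOnly period: every entry is either an attack you would have blocked or a legitimate request the rules misjudge, and the second kind needs a rule exclusion before the engine is switched to `On`, otherwise the WAF becomes the thing that takes the site down.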

Auditing

  1. At the next stage it is recommended to get third-party testing done by a competent web security agency. You need a review of the source code and architecture (white-box testing) and of the deployed servers and application (black-box testing). Typically the agencies charge a few hundred dollars per iteration, including their recommendations.
  2. At the next level, you need detailed security tests for the protection of personally identifiable information (PII) and against targeted attacks on your application.

That's it for now for my small-business friend. For enterprise apps or for webapps doing financial transactions there are more steps to take care of, and that's for another day.