10/01/2021

7 Layers Of Security

How We Keep Your Systems Secure


At Hyperfly, we are always thinking about security. In fact, you could say that we're paranoid. And if you did, we would take that as a compliment. 

As more and more companies continue to experience serious and often crippling security breaches, it is no longer appropriate to place the onus solely on the client. Not at least for a provider of managed web services. So we've taken the extra steps necessary to help keep your applications and data protected.

Not everyone can be a security expert, and most would agree that it's not exactly pleasant to think about the many ways your company could be victimized. Nevertheless, it is vital not to fall into complacency. Hiring a "security expert" or purchasing a "comprehensive security solution" doesn't guarantee safety. No software can guarantee your organization's security, and no single tool covers all potential (and ever-evolving) cyber threats.

But at the end of the day, as your web services provider, we understand that you have a job to do - and that job is not cybersecurity. That's why we have assembled the 7 Layers of Security, which we provide with every solution we host.

 

What are some of the most common attack vectors?

 

1. Phishing

Phishing is a social engineering attack. If you are unfamiliar with the term, social engineering is the process that cybercriminals use to manipulate people into providing information. It starts most frequently over email and is almost always preventable.

There are a host of products, plugins, and extensions that can help protect you from downloading a malicious file, but for phishing there are two simple things you should be in the habit of doing: check the complete sender address, so that you are hyper-aware of conversations you are having with people outside of your organization, and ALWAYS hover your cursor over links and carefully inspect the domain before clicking. Many phishing attacks involve fake websites that look nearly identical to their legitimate counterparts, often with very similar domains, so if you don't look closely, you could be fooled.

2. Malware

Malware is any malicious software that is intentionally designed to harm or surveil your system or device. It comes in many different varieties, such as traditional viruses, self-replicating worms, and ransomware. A system is often infected when a malicious site is visited after clicking on a link contained in a phishing email.

You can avoid malware by building habits like those mentioned above, by monitoring your online traffic, and by using good antivirus solutions.

3. Ransomware

Ransomware has been responsible for some of the biggest data breaches in history. The Colonial Pipeline attack is a recent example. Ransomware is a kind of malware that locks a user out of their system by encrypting their data and demanding payment for the decryption key. Unfortunately for the victim, there can be consequences even worse than having data hijacked; they range from threats to expose proprietary and sensitive information on public websites to even more sinister harassment. In addition, not all of these thugs keep their word. They are criminals, after all. You might pay the ransom and never receive the keys to unlock your data.

This is where the importance of data encryption and redundancy comes in. In a worst-case scenario, the stolen data being held for ransom is of very little value if it is undecipherable, and with your backups in place, you are prepared and don't have to suffer extended downtime.

4. DDoS Attack

Denial of Service attacks are among the most common attack vectors. A DDoS attack is a malicious attempt to disrupt the normal operation of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of traffic. The result for users and customers is the inability to log in, or even to load a web page. Not good.

According to Dark Reading, DDoS attacks were up 31% in the first quarter of 2021 compared to Q1 2020, with no sign of slowing. There are several common types of DDoS attacks that target the various components of a network connection. These include application-layer, protocol, and volumetric attacks.

A network connection is composed of many different layers, and attackers will use as many vectors as they can in order to blend in with other traffic. This can make it difficult to detect the presence of an attacker amid normal traffic.

Among a number of mitigation techniques, including rate limiting and black hole routing, a Web Application Firewall is one of the most effective. With rules that filter certain types of requests, a DDoS attack may not succeed at all. If it does, adjustments can be made on the fly in order to shut it down.

5. SQL Injection

SQL injection is a code injection technique in which a malicious user inserts code, often through inputs on website forms, that exploits vulnerabilities allowing the manipulation and execution of SQL statements to read, change, and delete data.

This could result in a data dump of sensitive information, and if the bad actor also has the ability to delete data, they can use these techniques to steal your data, delete it, and then hold it for ransom.

The good news is that, with proper database configuration and input sanitization, this kind of vulnerability is easy to prevent.

1. Enforce Least Privilege

Make sure that database access is limited by table-level user grants. The statements that can be executed on any given table should be limited to what is absolutely necessary for working with the data in that table.

2. Use Prepared Statements

Also referred to as parameterized statements, prepared statements are a feature used to execute similar SQL statements repeatedly. We use them along with stored procedures throughout our applications. If the statement itself is not built from external input, SQL injection cannot occur.

3. Use Stored Procedures

Stored procedures let you store sequences of queries that are frequently applied to your model, and they help share the processing load with the application layer. They are written with placeholders instead of actual values. The query is compiled just once, and values are then passed via the placeholders. In addition to protecting against SQL injection, they can enhance query performance considerably.

 

What are the 7 Layers of Security?

 

1. Tight application server and database security rules

Easy to say, not always easy to do. In order to protect your applications efficiently, we must have a granular understanding of the system architecture, the data flowing between client and server, user behavior, access controls, business logic, and so on. The goal is to have your settings and servers open just enough for things to work smoothly. It's commonplace to see server configurations with outdated plugins and overly permissive settings that aren't even remotely necessary for the use case.

Our practice is to start with maximum security and open things up only as necessary for the functionality of the application. That means, for example, setting the lowest possible max execution time, limiting the size of file uploads, and setting the highest possible database auth delay. These few settings alone can help prevent brute-force attacks without any noticeable effect or compromise of the user experience.

2. Filter all traffic through a Web Application Firewall

A Web Application Firewall (WAF) is a specific kind of application firewall that filters, monitors, and blocks traffic to a web application. WAFs focus on application traffic and data-flow analysis, monitoring primarily HTTP/HTTPS traffic. A WAF can be set to whitelist or blacklist certain countries and IP address ranges, and to watch for specific types of activity, among other things. Upon detection, the connection is refused and the activity is blocked.

WAFs are central to our DDoS mitigation strategy, and we recommend them for all the internet-facing applications we host.

3. Always ensure data is encrypted in transit

SSL/TLS certificates digitally bind a cryptographic key to an organization and are now generally considered critical for most websites and applications. When you visit a website with a valid certificate, a TLS "handshake" activates the padlock that you see in your browser, which represents the HTTPS protocol. This process ensures that the certificate is bound to the exact host of the site you are visiting and encrypts personal information and other data while you are connected to the site.

A packet analyzer, or packet sniffer, can intercept and log traffic that passes over a network. While not among the most common threats, it is something to be aware of, because if your network permits communication between client and server in plain text, and someone goes to the trouble of intercepting that communication, you will have a problem.

We are always surprised when we learn about large companies with heavy web activity that continue operating over HTTP. A secure site should not be something that is added to a service or sold separately. Our sites and databases are secure by default, and we maintain them regularly, installing security updates and applying new methods as necessary in order to stay up to date with current best practices.
 

4. Require strong passwords and Multi-Factor Authentication

Strong passwords are the first line of defense in preventing a data breach. But even the savviest users are human, and we all make mistakes. Whether a password has been left exposed in an insecure location, offered up after being manipulated, provided unwittingly through a fake website, or anything else, once someone's got it, its length and complexity no longer matter.

When you enable a second step, especially with a physical device or authenticator app like Authy, your password becomes only half the key. Just as our solutions come with security features by default, we simply don't offer a web application without some form of additional user authentication.

5. Monitor traffic regularly

If you don't know what "normal" activity looks like, it's hard to spot irregular activity early on. We use a set of tools to monitor all traffic to your applications and set alarms that notify us when specific types of activity are detected or when certain utilization thresholds are crossed. This allows us to pounce on the unusual activity and make any necessary adjustments to mitigate risk.

6. Store sensitive data encrypted at rest

We've been over this point a few times by now. In the event of a breach, you want the data to be undecipherable. That's what good encryption does. For all their efforts, it makes your data worthless to an attacker, giving them no leverage. At least not on the data front.

We encrypt all sensitive data by default, and while some solutions require a greater level of security than others, such as table and column-level encryption, we will always communicate clearly and transparently about your options and ensure that you know what you have and have what you know.

7. Backup data every day, hour, or minute

The importance of backups cannot be overstated. They are your last line of defense. If all else fails, whether it's a bad drive, corrupt data, or a stolen database, without a backup you're in trouble.

Our database solutions are backed up at as frequent an interval as you choose, and we can save as many copies as you like. So in the unlikely event that your data needs to be restored, it can be done in a matter of seconds.

 

Whew, now with all that out of the way, we can focus on the fun part: Collaborating with you on your next project!

We'd love the opportunity to learn about your business and meet with you, physically or virtually.

Schedule a consultation today.