At Hyperfly, we are always thinking about security. In fact, you could say that we're paranoid. And if you did, we would take that as a compliment.
As more and more companies continue to experience serious and often crippling security breaches, it is no longer appropriate to place the onus solely on the client. At least not for a provider of managed web services. So we've taken the extra steps necessary to help keep your applications and data protected.
Not everyone can be a security expert, and most would agree that it's not exactly pleasant to think about the many ways your company could be victimized. Nevertheless, it is vital not to fall into complacency. Hiring a "security expert" or purchasing a "comprehensive security solution" doesn't guarantee safety. No software can guarantee your organization's security, and no single tool covers all potential (and ever-evolving) cyber threats.
But at the end of the day, as your web services provider, we understand that you have a job to do - and that job is not cybersecurity. That's why we have assembled the 7 Layers of Security, which we provide with every solution we host.
What are some of the most common attack vectors?
1. Phishing
Phishing is a social engineering attack. If you are unfamiliar with the term, social engineering is the process that cybercriminals use to manipulate people into providing information. It starts most frequently over email and is almost always preventable.
There are a host of products, plugins, and extensions that can help protect you from downloading a malicious file, but for phishing there are two simple things you should be in the habit of doing. First, check the complete sender address, so that you are hyper-aware of conversations you are having with people outside of your organization. Second, ALWAYS hover your cursor over links and carefully inspect the domain before clicking. Many phishing attacks involve fake websites that look nearly identical to their legitimate counterpart, often with very similar domains, so if you don't look closely, you could be fooled.
2. Malware
Malware is any malicious software that is intentionally designed to harm or surveil your system or device. It comes in many different varieties, such as traditional viruses, self-replicating worms, and ransomware. A system is often infected when a malicious site is visited after clicking on a link contained in a phishing email.
You can avoid malware by building habits like those mentioned above, monitoring your online traffic, and using good antivirus solutions.
3. Ransomware
Ransomware has been responsible for some of the biggest data breaches in history. The Colonial Pipeline attack is a recent example. Ransomware is a kind of malware that locks a user out of their system by encrypting their data and requiring payment for the decryption key. Unfortunately for the victim, there can be consequences even worse than having data hijacked; they range from threats of exposing proprietary and sensitive information on public websites to even more sinister harassment. In addition, not all of these thugs keep their word. They are criminals after all. You might pay the ransom and never receive the keys to unlock your data.
This is where the importance of data encryption and redundancy comes in. In a worst-case scenario, the stolen data being held for ransom is of very little value if it is undecipherable, and with your backups in place you are prepared and don't have to suffer extended downtime.
4. DDoS Attack
Denial of Service attacks are among the most common attack vectors. A DDoS attack is a malicious attempt to disrupt the normal operation of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of traffic. The result for users and customers is the inability to log in, or even to load a web page. Not good.
According to Dark Reading, DDoS attacks were up 31% in the first quarter of 2021 compared to Q1 2020, with no sign of slowing. There are several common types of DDoS attacks that target the various components of a network connection. These include application-layer, protocol, and volumetric attacks.
A network connection is composed of many different layers, and attackers will use as many vectors as they can in order to blend in with legitimate traffic. This can make it difficult to detect the presence of an attacker amid normal traffic.
Among the available mitigation techniques, including rate limiting and black hole routing, a Web Application Firewall is one of the most effective. With rules in place that filter certain types of requests, a DDoS attack may not even succeed. If it does, the rules can be adjusted on the fly to shut it down.
5. SQL Injection
SQL injection is a code injection technique in which a malicious user inserts SQL fragments, often through inputs on website forms, that exploit vulnerabilities allowing them to manipulate and execute SQL statements to read, change, and delete data.
This could result in a data dump of sensitive information, and if the bad actor also has the ability to delete data, they can use these techniques to steal your data, delete it, and then hold it for ransom.
The good news is that, with proper database configuration and input sanitization, this kind of vulnerability is easy to prevent.
1. Enforce Least Privilege
Make sure that database access is limited by table-level user grants. The statements that can be executed on any given table should be limited to those absolutely necessary for working with the data in that table.
2. Use Prepared Statements
Also referred to as parameterized statements, prepared statements are a feature used to execute similar SQL statements repeatedly. We use them along with stored procedures throughout our applications. If the statement itself is not derived from external input, SQL injection cannot occur.
3. Use Stored Procedures
Stored procedures let you store sequences of queries that are frequently applied to your model, and help to share the processing load with the application layer. Like prepared statements, they are written with placeholders (parameters) instead of actual values: the procedure is compiled just once and the values are passed in via the placeholders. In addition to protecting against SQL injection, another advantage is that you can enhance the performance of queries considerably.
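As an added illustration of the three points above (example code written for this article, not Hyperfly's own), a small Python/sqlite3 script contrasts a query built by string concatenation with a parameterized one, adds an allowlist check on the input, and uses a read-only connection as a stand-in for table-level grants (SQLite has no GRANT). The schema and the form input are constructed for the example.

```python
import re
import sqlite3

# Constructed sample schema and rows; not taken from any real application.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT);
INSERT INTO users (username, role) VALUES ('alice', 'admin'), ('bob', 'user');
"""
# Constructed form input: a username field that smuggles in a quote.
HOSTILE_INPUT = "nobody' OR '1'='1"

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def lookup_vulnerable(conn, username):
    # VULNERABLE: the value is spliced into the statement text, so a quote
    # in the input changes the structure of the query itself.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_prepared(conn, username):
    # HARDENED: fixed statement text; the value is bound as a parameter and
    # is only ever compared as data, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def valid_username(username):
    # Input sanitization as a second layer: allowlist the characters a
    # username may contain before the value reaches the database at all.
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", username) is not None

def readonly_delete_blocked(conn):
    # Least-privilege stand-in: PRAGMA query_only makes the connection
    # read-only (a real DBMS would use table-level grants instead).
    # Returns True if the DELETE is refused by the database.
    conn.execute("PRAGMA query_only = ON")
    try:
        conn.execute("DELETE FROM users")
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        conn.execute("PRAGMA query_only = OFF")

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, HOSTILE_INPUT))  # every user
    print("prepared:  ", lookup_prepared(db, HOSTILE_INPUT))    # []
    print("valid input:", valid_username(HOSTILE_INPUT), "| delete blocked:", readonly_delete_blocked(db))
```

The string-built query returns every user because the quote in the input turns the WHERE clause into a tautology, while the parameterized query matches nothing.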
What are the 7 Layers of Security?
1. Tight application server and database security rules
Easy to say, not always easy to do. In order to protect your applications efficiently, we must have a granular understanding of the system architecture, the data flowing between client and server, user behavior, access controls, business logic, and so on. The goal is to have your settings and servers open just enough for things to work smoothly. It's commonplace to see server configurations with outdated plugins and overly permissive settings that aren't remotely necessary for the use case.
Our practice is to start with maximum security and open things up only as necessary for the functionality of the application. That means, for example, setting the lowest possible max execution time, limiting the size of file uploads, and setting the highest possible database auth delay. These few settings alone can help prevent brute-force attacks without any noticeable effect or compromise of the user experience.
2. Filter all traffic through a Web Application Firewall
A Web Application Firewall (WAF) is a specific kind of application firewall that filters, monitors, and blocks traffic to a web application. WAFs focus on application traffic and data flow analysis, monitoring primarily HTTP/HTTPS traffic. A WAF can be set to whitelist or blacklist certain countries and IP address ranges, and to monitor for specific types of activity, among other things. Upon detection, the connection is refused and the activity is blocked.
WAFs are central to our DDoS mitigation strategy, and we recommend them for all the internet-facing applications we host.
3. Always ensure data is encrypted in transit
4. Require strong passwords and Multi-Factor Authentication
Strong passwords are the first line of defense in preventing a data breach. But even the most savvy users are human, and we all make mistakes. Whether a password has been left exposed in an insecure location, offered up after being manipulated, provided unwittingly through a fake website, or anything else, once someone's got it, its length and character mix no longer matter.
When you enable a second step, especially with a physical device or authenticator app like Authy, your password becomes only half the key. Just as our solutions come with security features by default, we simply don't offer a web application without some form of additional user authentication.
5. Monitor traffic regularly
If you don't know what "normal" activity is, it's kind of hard to spot irregular activity early on. We use a set of tools to monitor all traffic to your applications and set alarms that notify us when specific types of activity are detected or when certain utilization thresholds are crossed. This allows us to pounce on the unusual activity, and make any necessary adjustments to mitigate risk.
6. Store sensitive data encrypted at rest
We've been over this point a few times by now. In the event of a breach, you want the data to be undecipherable. That's what good encryption does. For all their efforts, it makes your data worthless to an attacker, giving them no leverage. At least not on the data front.
We encrypt all sensitive data by default, and while some solutions require a greater level of security than others, such as table and column-level encryption, we will always communicate clearly and transparently about your options and ensure that you know what you have and have what you know.
7. Backup data every day, hour, or minute
The importance of backups cannot be overstated. They are your last line of defense. If all else fails, whether it's a bad drive, corrupt data, or a stolen database, without a backup you're in trouble.
Our database solutions are backed up at as frequent an interval as you choose, and we can save as many copies as you like. So in the unlikely event that your data needs to be restored, it can be done in a matter of seconds.
Whew, now with all that out of the way, we can focus on the fun part: Collaborating with you on your next project!
We'd love the opportunity to learn about your business and meet with you, physically or virtually.
Schedule a consultation today.