
Tips to Secure Web Hosting

Often when we talk of securing our web hosting, our minds jump to “Which host cannot be hacked?” But it goes beyond that: sometimes we need to secure ourselves beyond the host itself. Things like: who signed up for the server? Which email address was used? What name was used to register the domain?

Before we look outside and start blaming web hosting providers, we have to ensure that we personally follow these tips to safeguard our service.

#TIP 1. Since this is your service, the first thing is to have all credentials pointing to you. Credentials such as the usernames and email addresses that identify you to your web hosting provider should belong to you, not to a third party. This makes it easy to recover your account.

#TIP 2. Enforce password complexity and 2-step verification. To keep your login secure, enable 2FA and use a strong password. This protects your account from being easily breached by adversaries.

#TIP 3. Avoid using insecure or unsupported third-party apps. Web hosting providers tend to offer a multitude of apps for your services, from building your website, to accessing email, to managing your databases. Some of these apps are obsolete or insecure to use as technology evolves. Therefore you need to look out for more secure applications.

#TIP 4. Update all apps or software used on your web host regularly. After making a good choice of what to use, make sure to update these tools regularly. Updates fix identified vulnerabilities or simply keep you abreast of new technology that has been added to a tool.

#TIP 5. Use the most secure web hosting you can find. Whatever content you are hosting or services you expect from a hosting provider, always look out for services that are ideal for the present digital age. We have put together a list of tips to consider when choosing your web hosting provider just below.

Here are a few tips to consider when choosing a good hosting provider.

#TIP 1. Ensure the server has a backup policy. Backups no longer apply just to the information on your computer; you also need to know that there is another copy of your online information in case anything happens. You can control many aspects of backing up your computer data, but for websites it often depends on your hosting provider. Fortunately, most web hosting providers do offer free backups, but there are variations on this theme. For example, some may require you to perform the backup procedure manually, while others may do it automatically and require you to contact their support team if you need data restored. Ideally, look for a web hosting provider that carries out periodic automated backups and allows you to restore from them at any time on your own.

#TIP 2. Look out for servers with automated malware or antivirus scanning. You may have an antivirus program on your computer which you fully control; for websites, you depend on the hosting provider to do this for you. It’s important to at least know they’re doing this and what level of information they can provide to you on potential problems. Some web hosts offer these services and let you see their reports and fixes or recommendations. But the very least you need is to be able to restore your site from a previous version that wasn’t infected.
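Knowing whether the copy of your site on the server still matches a known-good version is the core of what a malware scan or a restore decision rests on. The script below is an added illustration, not part of the original article or any hosting provider's tooling: it records a baseline of file hashes for a web root and later reports files that were modified, added or removed. The sample web root, its file names and contents are constructed for the demonstration.

```bash
# Added example (not from the original article): a minimal file-integrity
# check for a website's files. The sample web root and its contents below
# are constructed for illustration only.
set -eu

# Record a baseline: one "sha256  ./path" line per file under the web root.
make_manifest() {            # make_manifest <webroot> <manifest-file>
  (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2) > "$2"
}

# Compare the live web root against the baseline and print every difference:
#   MODIFIED  same path, different hash (e.g. code injected into a page)
#   ADDED     file that was never in the baseline (e.g. something dropped into uploads/)
#   MISSING   baseline file that is gone
# Returns 0 when nothing changed, 1 when anything was flagged.
check_site() {               # check_site <webroot> <manifest-file>
  local current findings
  current=$(mktemp)
  make_manifest "$1" "$current"
  findings=$(awk '
      FILENAME == ARGV[1] { base[$2] = $1; next }            # load baseline hashes
      { seen[$2] = 1
        if (!($2 in base))       print "ADDED " $2
        else if (base[$2] != $1) print "MODIFIED " $2 }
      END { for (p in base) if (!(p in seen)) print "MISSING " p }
    ' "$2" "$current" | LC_ALL=C sort)
  rm -f "$current"
  if [ -z "$findings" ]; then
    return 0
  fi
  printf '%s\n' "$findings"
  return 1
}

# Walk through a baseline, a simulated tampering, and the check.
demo() {
  local site manifest findings
  site=$(mktemp -d); manifest=$(mktemp)
  mkdir -p "$site/uploads"
  printf '<?php echo "hello"; ?>\n' > "$site/index.php"      # constructed site content
  printf 'User-agent: *\n' > "$site/robots.txt"
  make_manifest "$site" "$manifest"                           # taken while the site is known to be clean
  # What a compromise typically looks like on disk, simulated:
  printf '<?php echo "changed"; ?>\n' > "$site/index.php"    # an existing page altered
  printf 'placeholder\n' > "$site/uploads/new.php"            # a file that was never part of the site
  rm "$site/robots.txt"                                       # a file removed
  findings=$(check_site "$site" "$manifest") || true          # non-zero exit only means "changes found"
  rm -rf "$site" "$manifest"
  printf '%s\n' "$findings"
}

demo
```

Two practical points: the baseline must be taken while the site is known to be clean (ideally from the same release you would restore from), and it has to live somewhere the web server cannot write to, otherwise whatever altered the site can alter the manifest too. The awk parsing relies on paths without spaces; quote or escape paths if your site has them.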

#TIP 3. Consider servers with network monitoring, a firewall and DDoS prevention systems. As websites are hosted in massive data centers, much of the control here is automated. Choose hosts that have control and monitoring tools in place to keep an eye out for suspicious traffic or incidents. Firewalls are always our first line of defense against attacks from outside our systems, and you need to make sure you have one wherever you host your website. Distributed Denial of Service (DDoS) attacks can be a big blow, as the attacker floods your website with so much traffic that it is taken down completely. These are often mitigated by using a good Content Delivery Network (CDN) such as Cloudflare or a website firewall such as Sucuri. Fortunately, some hosting providers include this in their bundles, so look out for them!
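To make “keeping an eye out for suspicious traffic” concrete, here is an added example (not from the original article or any provider's monitoring product) of the simplest such check: it reads web server access-log lines in the common log format and reports any client address that sends more than a set number of requests within one minute. The log lines are constructed for the demonstration and use documentation (RFC 5737) addresses.

```bash
# Added example (not from the original article): flag sources that exceed a
# per-minute request limit in access-log lines. Sample lines are constructed.
set -eu

# flag_floods <max-requests-per-minute>   (log lines on stdin)
# Prints "ip minute count" for each source/minute pair above the limit.
flag_floods() {
  awk -v max="$1" '
    {
      # $1 is the client address; $4 is "[10/Jan/2020:10:15:01", and
      # characters 2-18 of it give the minute bucket "10/Jan/2020:10:15".
      minute = substr($4, 2, 17)
      hits[$1 " " minute]++
    }
    END { for (k in hits) if (hits[k] > max) print k, hits[k] }
  ' | LC_ALL=C sort
}

# Constructed sample: 203.0.113.7 sends six requests in one minute while
# 198.51.100.4 browses normally; the limit is set to 5 per minute.
demo_floods() {
  flag_floods 5 <<'EOF'
203.0.113.7 - - [10/Jan/2020:10:15:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2020:10:15:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.4 - - [10/Jan/2020:10:15:02 +0000] "GET /about HTTP/1.1" 200 1024
203.0.113.7 - - [10/Jan/2020:10:15:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2020:10:15:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2020:10:15:03 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2020:10:15:03 +0000] "GET / HTTP/1.1" 200 512
198.51.100.4 - - [10/Jan/2020:10:16:10 +0000] "GET /contact HTTP/1.1" 200 700
203.0.113.7 - - [10/Jan/2020:10:16:03 +0000] "GET / HTTP/1.1" 200 512
EOF
}

demo_floods
```

Two caveats when applying this to a real site: once you sit behind a CDN such as Cloudflare, the first field of each line is the CDN's own address, so you need to log the forwarded client address instead; and a high count is a signal to look into, not a verdict, since many legitimate users can share one address behind a corporate or mobile network.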

#TIP 4. Secure File Transfer Protocol (SFTP). When large files have to be uploaded to the website, it is more efficient to use FTP; SFTP is the secure version of FTP and keeps your data safe during transfer. While most popular web hosts offer FTP, only a handful offer SFTP, and those are the ones you should look to. If you do not use FTP and don’t plan to, you could skip this tip, but we guarantee it is just as important as the rest.

#TIP 5. Spam filtering. You are probably well aware of spam or junk mail. As annoying as these messages are, they can also be a source of DDoS if you are suddenly flooded with such mail. If your host offers spam filtering, the attack goes through its spam filters first, which is a win for you. Keeping spam out will also save space in your mail folders. Most hosting providers have spam filters available, but some require manual configuration. We’d suggest using those with automatic spam filters.

We hope these tips have been helpful. They are meant to ensure that you have a smooth web service and don’t fall victim to the many hacks on the web. There are endless attacks on websites every day, and the best you can do is to have a secure web hosting service, as the internet is an overwhelming place for resources and everyone is trying their best to use it in both good and bad ways.


Security Policies: Quick Notes

What is a security policy?

A security policy is a formal, detailed and easily understandable document that addresses the general beliefs, goals, acceptable procedures and security controls that govern an organization or other entity. It addresses the constraints on the behavior of its members as well as the constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls, computer security threats, and how to handle incidents when they do occur. A security policy must identify all of a company’s assets as well as all the potential threats to those assets. Lastly, it should be subject to amendment, as threats change over time.

Why a security policy?

A security policy should be one of the first documents in place for a corporate organization or entity to function flexibly. It should clearly address all security concerns, the likelihood that they will actually occur, the ways forward and any speculation, so that employees and employers feel at ease implementing their mandate. You need a security policy in order to:

  • Establish the rules for user behavior in the use of organizational assets, ensuring proper compliance by staff.
  • Define and authorize the consequences of violating certain guidelines.
  • Establish a baseline stance on security to minimize the risk of incidents in the organization.
  • Build a sense of carefulness among staff, reducing the risk of data loss or leaks.
  • Protect the organization from external and internal “malicious” users.
  • Guide staff on acceptable and unacceptable behavior.
  • Define how information is disseminated (private, internal and public information).

A Good Security Policy

A good security policy should be readily available for its intended audience. It shouldn’t be hard to get.

It should be understandable and not confusing. Avoid using words that are beyond the understanding of your audience. It should clearly indicate how violations are handled.

A security policy should be applicable to the organization and only reveal information relevant to the functioning of the organization. It should cover the use of organizational assets, specify the minimum security standards used to protect assets, prohibitions against malicious actions, home use of organizational equipment, use of personal equipment for carrying out official duties, procedures deemed accepted or best practice, etc.

Work to develop a policy that balances the current practices of the organization with the practices the organization wants to see in future. Most importantly, make sure the policy protects the organization against multiple types of threats.

Lastly, it should be accepted, put into use and reviewed frequently, at least once a year, so that upcoming concerns are incorporated into it. This is because breaches keep evolving and therefore new measures have to be put in place.

5 steps to compile a good security policy

  • Identify issues
  • Conduct a context analysis of the issues identified (vulnerabilities, fixes/ways forward, influence on behavior) and derive a set of rules.
  • Make a draft policy covering all the above.
  • Review the document internally and/or hire an external entity to review it too.
  • Deploy the policy to the rest of the organization.

Document Outline

  • Introduction
  • Purpose
  • Scope
  • Roles and responsibilities
  • Sanctions and violations
  • Review schedule
  • Definition of terms, abbreviations/acronyms

Topics should center around the following:

  • Physical Security
  • Security Training
  • Privacy
  • Software Licensing
  • Password
  • Virus protection
  • Acceptable use
  • Account management
  • Special access (Authority)
  • Change management
  • Incident management


A Checklist for HRDs before field engagement

As Human Rights Defenders, we are exposed to a lot of risks during our public or field engagements, and most of these tend to hit us by surprise because we do not adequately prepare for such emergencies. It could be a kidnapping and being stranded in the middle of nowhere, it could be an accident, you name it.

Field engagement in this case means conducting work outside the office, in the natural environment. During field engagements we tend to be with the general public, known or unknown and new to us because it is our first time engaging with them. Even when the environment is known to us, we can never guarantee the dynamics of the people we have been working with, and therefore we need to have a number of things ready just in case things go sideways:

  1. Make sure your phone is charged before going out.
  2. Be sure to have some cash on you just in case you might need to use some quickly.
  3. Make sure you have an ID on you so you can easily identify yourself to legal authorities.
  4. Make sure your phone lock is something only you know (don’t use fingerprint or face ID) when going out for vital field work.
  5. Have the contact of someone to call in case of emergencies. You can write such contacts down somewhere and carry them with you.

Windows 7 End of Support

What Human Rights Defenders need to know:

Most of us might not be aware that Microsoft committed to providing 10 years of product support for Windows 7 when it was released on October 22, 2009. Those 10 years officially came to an end on the 14th of January 2020. If you are still using Windows 7, your PC will still work, but it will be more vulnerable to security risks and viruses. Your PC will continue to start and run, but it will no longer receive software updates, including security updates, from Microsoft.


Phishing – What You Need To Know

Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication.


How SSL Works | Choose the Right Certificate Authority

How Does it Work?

Simplistically speaking, there are three main components in creating a connection:

  1. The Client – This is the computer that is requesting information.
  2. The Server – The computer which holds the information being requested by the Client.
  3. The Connection – The path along which data travels between the client and the server.

Figure: How SSL works, the difference between an HTTP and an HTTPS connection (Source: Sucuri)

To establish a secure connection with SSL, there are a few more terms you need to be aware of.

  • Certificate Signing Request (CSR) – Creating this generates two keys on the server, one private and one public. The two keys work in tandem to help establish the secure connection.
  • Certificate Authority (CA) – An issuer of SSL certificates, a bit like a security company that holds a database of trusted websites.

Once a connection is requested, the server creates the CSR. This sends data that includes the public key to the CA. The CA then creates a data structure (the certificate) that matches the private key.

The most critical part of the SSL certificate is that it is digitally signed by the CA. This is vital because browsers only trust SSL certificates signed by a very specific list of CAs, such as VeriSign or DigiCert. The CAs on the list are stringently vetted and must comply with the security and authentication standards set by the browsers.
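The steps just described can be walked through end to end with the openssl command-line tool. The script below is an added example, not part of the original article: it stands up a private CA (playing the role of one entry in the browser's trusted list), has a website owner generate a key pair and a CSR, lets the CA sign it, and then verifies the result the way a client would. It also shows that the CSR carries only the public key, and that a certificate for the same name which no trusted CA signed is rejected. The names “Example Root CA” and www.example.test are constructed placeholders, and the script assumes openssl 1.1.1 or later is installed.

```bash
# Added example (not from the original article): a private CA signs a server
# CSR and a client verifies the chain. All names are constructed placeholders.
# Requires the openssl command-line tool (1.1.1 or newer).
set -eu

# Minimal request config so `openssl req` does not depend on the system openssl.cnf.
write_req_config() {    # write_req_config <path>
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
EOF
}

# Prints three lines: "csr-pubkey-matches <yes|no>", "trusted <OK|FAIL>", "untrusted <OK|FAIL>".
ssl_chain_demo() {
  local d cfg match=no trusted=FAIL untrusted=FAIL pub_from_csr pub_from_key
  d=$(mktemp -d); cfg="$d/req.cnf"; write_req_config "$cfg"

  # 1. The CA has its own key pair and a self-signed root certificate,
  #    the equivalent of one entry in the browser's list of trusted CAs.
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/ca.key" 2>/dev/null
  openssl req -x509 -new -key "$d/ca.key" -config "$cfg" -extensions v3_ca \
      -subj "/CN=Example Root CA" -days 1 -out "$d/ca.crt" 2>/dev/null

  # 2. The website owner generates a key pair and a CSR. The CSR carries the
  #    public key and the requested name; the private key never leaves the server.
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/site.key" 2>/dev/null
  openssl req -new -key "$d/site.key" -config "$cfg" \
      -subj "/CN=www.example.test" -out "$d/site.csr" 2>/dev/null
  pub_from_csr=$(openssl req -in "$d/site.csr" -noout -pubkey)
  pub_from_key=$(openssl pkey -in "$d/site.key" -pubout)
  [ "$pub_from_csr" = "$pub_from_key" ] && match=yes

  # 3. The CA signs the CSR; the output is the certificate the server will present.
  openssl x509 -req -in "$d/site.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -days 1 -out "$d/site.crt" 2>/dev/null

  # 4. A client that trusts only ca.crt accepts the CA-signed certificate ...
  openssl verify -CAfile "$d/ca.crt" "$d/site.crt" >/dev/null 2>&1 && trusted=OK
  #    ... but rejects a certificate for the same name that no trusted CA signed
  #    (here a self-signed one made with the site's own key).
  openssl req -x509 -new -key "$d/site.key" -config "$cfg" -extensions v3_leaf \
      -subj "/CN=www.example.test" -days 1 -out "$d/rogue.crt" 2>/dev/null
  openssl verify -CAfile "$d/ca.crt" "$d/rogue.crt" >/dev/null 2>&1 && untrusted=OK

  rm -rf "$d"
  printf 'csr-pubkey-matches %s\ntrusted %s\nuntrusted %s\n' "$match" "$trusted" "$untrusted"
}

ssl_chain_demo
```

Note that `openssl verify` as used here checks only the signature chain back to a trusted root. A browser additionally checks that the name in the certificate matches the site it connected to (`openssl verify -verify_hostname` performs that part) and that the certificate has not expired or been revoked; the signature check is the part that the vetted CA list is about.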

Types of SSL Certificates

Figure: Browsers identify SSL certificates (an EV certificate is shown) and activate the browser interface security indicators.

Although all SSL certificates are designed for the same purpose, not all are equal. Think of it like buying a phone. All phones are basically designed to do the same thing, but there are different companies that manufacture them and produce many different models at varying price points.

To simplify matters, we break down the SSL certificate types by level of trust.

1- Domain Validated (DV) Certificate

Among SSL certificates, the Domain Validated Certificate is the most basic and simply assures users that the site is safe. There is not much detail beyond that simple fact, and many security organizations do not recommend using Domain Validated Certificates for websites that deal in commercial transactions. The Domain Validated Certificate is the budget smartphone of the SSL world.

2- Organization Validated (OV) Certificate

Organization Validated Certificate holders are more stringently vetted by CAs than Domain Validated Certificate holders. In fact, the owners of these certificates are authenticated by dedicated staff who validate them against government-run business registries. OV certificates contain information about the business holding them, are often used on commercial websites, and represent the midrange smartphones of the SSL world.

3- Extended Validation (EV) Certificate

Representing the highest level of trust in SSL rankings, EV certificates are opted for by the best of the best and are extremely stringently vetted. By opting for EV certificates, these websites are buying deeply into consumer trust. These are the iPhone X of the SSL world.

Because SSL certification has become so highly recommended today, many fraudulent websites have also taken to using SSL. After all, there is little visible difference between websites except for the green certification padlock. This is the key reason more reputable organizations are going for SSL certification that is more highly vetted.

Since any successful SSL connection causes the padlock icon to appear, users are not likely to be aware of whether the website owner has been validated or not. As a result, fraudsters (including phishing websites) have started to use SSL to add perceived credibility to their websites. – Wikipedia.

How to Choose the Right Certificate Authority

Certificate Authorities are like private security companies. They issue the digital certificates that facilitate the SSL establishment process. They belong to a limited list of businesses that meet detailed criteria to maintain their place on that list, and only CAs that maintain their place on the list can issue SSL certificates, so the list is exclusive.

The process is not quite as simple as it sounds, since before a certificate can be issued the CA must check the identity of the website applying for it. The level of detail in those checks depends on the type of SSL certificate being applied for.

The best CA is one who has been in the business for some time and follows best practices in business, not only for itself but also for any partners associated with the business. Ideally, they should also be able to demonstrate proven expertise in the field.

Look for a CA that stays up to date with current standards, is actively involved in the security industry and has as many resources as possible to support its customers.

A good CA would also:

  • Have reasonably short validation times
  • Be easily accessible to its customers
  • Have great support