A blog on Website Security

22nd February 2018
|

At Wanstor this week, we have been discussing website security. This is because of news that the Information Commissioner’s Office or ICO had to take its website down after a warning that hackers were taking control of visitor’s computers to mine cryptocurrency.

Following this story, some of our customers have been in contact regarding website security and suggested best practices. In light of this, Wanstor’s security experts have come together to develop the following high level guide to website security.

You may not think your website has anything worth hacking, but corporate websites are compromised all the time. Despite what people think, the majority of website security breaches are not to steal data or deface a website. Instead they are hacked to use servers as an email relay for spam, or to setup a temporary web server, normally to serve files of an illegal nature. Other common ways to abuse compromised machines include using your company servers as part of a botnet, or to mine for Bitcoins. You could even be hit by ransomware. Hacking is regularly performed by automated scripts written to scour the Internet in an attempt to exploit known website security issues in software. By following the tips below, your website should be able to operate in a safer way and put hackers and the tools they use off from attack.

Keep software updated

It may seem obvious, but making sure you keep all software updated is vital to keeping your site secure. This applies to both the server operating system and to any software you may be running on your website such as a CMS or forum. When holes are found in website security software, hackers are quick to attempt abuse. If you are using a managed hosting solution, then your hosting company should take care of any updates, so you do not need to worry about this – unless your hosting company contacts you to tell you to worry!

If you are using third-party software on your website such as a CMS or forum, you should make sure you are quick to apply any security patches. Most vendors have a mailing list or RSS feed detailing any website security issues.  Many developers use tools like Composer, npm, or RubyGems to manage their software dependencies, and security vulnerabilities appearing in a package you depend upon but aren’t paying any attention to is one of the easiest ways to get caught out. Make sure you keep your dependencies up to date and use relevant tools to get automatic notifications when a vulnerability is announced in one of your components.

SQL injection

SQL injection attacks occur when attackers use a web form field or URL parameter to gain access to or manipulate your database. When you use standard Transact SQL, it is easy for such individuals to insert rogue code into your query that could be used to change tables, retrieve information and delete data. You can easily prevent this by always using parameterised queries – most web languages have this feature and it is easy to implement.

XSS

Cross-site scripting (XSS) attacks inject malicious JavaScript into your pages, which then runs in the browsers of your users, allowing page content to be modified or information to be stolen or transmitted to the attacker. For example, if you show comments on a page without validation, attackers might submit comments containing script tags and JavaScript, which could run in every other user’s browser and steal their login cookie, allowing the attacker to take control of accounts owned by each user who views the comment. You need to ensure that users cannot inject active JavaScript content into your pages.

The key here is to focus on how your user-generated content could escape the bounds you expect and be interpreted by the browser as something other than what you intended. This is similar to defending against SQL injection. When dynamically generating HTML, use functions which explicitly make the changes you’re looking for, or use functions in your templating tool that automatically ensure appropriate escaping, rather than concatenating strings or setting raw HTML content.

Another powerful tool in the XSS defender’s toolbox is Content Security Policy (CSP). CSP is a header your server can return which tells the browser to limit how and what JavaScript is executed in the page, for example to disallow running of any scripts not hosted on your domain, disallow inline JavaScript. Mozilla have an excellent guide with some example configurations. This makes it harder for an attacker’s scripts to work, even if they can get them into your page.

Error messages

Be careful with how much information you give away in error messages. Provide only minimal errors to your users, to make sure they do not leak secrets present on your server. Although tempting, do not provide full exception details either, as these can make complex attacks like SQL injection far easier. Keep detailed errors in your server logs, and show users only the information they need to see.

Server side validation

Validation should always be done both on the browser and server side. The browser can catch simple failures like mandatory fields which are empty and when you enter text into a numbers only field. These can however be bypassed, and you should make sure you check for these validation and deeper validation server side as failing to do so could lead to malicious code or scripting code being inserted into the database or could cause undesirable results in your website.

Passwords

Everyone knows they should use complex passwords, but that doesn’t mean they always do. It is crucial to use strong passwords to your server and website admin area, but equally also important to insist on good password practices for your users to protect the security of their accounts. As much as users may not like it, enforcing password requirements such as a minimum of around eight characters, including an uppercase letter and number will help to protect their information in the long run. Passwords should always be stored as encrypted values, preferably using a one way hashing algorithm. Using this method means when you are authenticating users you are only ever comparing encrypted values.

In the event of someone hacking in and stealing your passwords, using hashed passwords could help damage limitation, as decrypting them is not possible. The best someone can do is a dictionary attack or brute force attack, essentially guessing every combination until it finds a match.

Thankfully, many CMS’s provide user management out of the box with a lot of these website security features built in, although some configuration or extra modules might be required to use to set the minimum password strength. If you are using .NET then its worth using membership providers as they are very configurable, provide inbuilt website security and include readymade controls for login and password reset.

File uploads

Allowing users to upload files to your website can be a significant website security risk, even if it’s simply to change their photo, background picture or avatar. The risk is that any file uploaded however innocent it may look, could contain a script that when executed on your server completely opens up your website. If you have a file upload form then you need to treat all files with great suspicion. If you are allowing users to upload images, you cannot rely on the file extension or the mime type to verify that the file is an image as these can easily be faked. Even opening the file and reading the header, or using functions to check the image size are not fool proof. Most images formats allow storing a comment section which could contain PHP code that could be executed by the server.

So what can you do to prevent this? Ultimately you want to stop users from being able to execute any file they upload. By default web servers won’t attempt to execute files with image extensions, but it isn’t recommended to rely solely on checking the file extension as a file with the name image.jpg.php has been known to get through. Some options are to rename the file on upload to make sure ensure the correct file extension, or to change the file permissions so it can’t be executed.

In Wanstor’s opinion, the recommended solution is to prevent direct access to uploaded files. This way, any files uploaded to your website are stored in a folder outside of the webroot or in the database as a blob. If your files are not directly accessible you will need to create a script to fetch the files from the private folder (or an HTTP handler in .NET) and deliver them to the browser. Image tags support an src attribute that is not a direct URL to an image, so your src attribute can point to your file delivery script providing you set the correct content type in the HTTP header.

The majority of hosting providers deal with the server configuration for you, but if you are hosting your website on your own server then there are few things you will want to check. E.g. Make sure you have a firewall setup, and are blocking all non-essential ports.

If you are allowing files to be uploaded from the Internet only use secure transport methods to your server such as SFTP or SSH. Where possible have your database running on a different server to that of your web server. Doing this means the database server cannot be accessed directly from the outside world, only your web server can access it, minimising the risk of your data being exposed. Finally, don’t forget about restricting physical access to your server.

HTTPS

HTTPS is a protocol used to provide security over the Internet. HTTPS guarantees users that they’re communicating with the server that they should be, and that nobody else can intercept or modify the content in transit. If you have anything that your users might want to remain private, it’s highly advisable to use only HTTPS in delivering it. That of course means credit card and login pages. A login form will often set a cookie for example, which is sent with every other request to your site that a logged in user makes, and is used to authenticate those requests. An attacker stealing this would be able to perfectly imitate a user and take over their login session. To defeat these kind of attacks, you almost always want to use HTTPS for your entire site.

Website security tools

Once you think you have done all you can, then it’s time to test your website security. The most effective way of doing this is via website security tools, often referred to as penetration testing or pen testing for short. There are many commercial and free products to assist you in this. They work on a similar basis to scripts hackers will use in that they test all know exploits and attempt to compromise your site using some of the previous mentioned methods such as SQL injection.

Some free tools that are worth looking at include:

  • Netsparker (Free community edition and trial version available). Good for testing SQL injection and XSS.
  • OpenVAS claims to be the most advanced open source security scanner. Good for testing known vulnerabilities, currently scans over 25,000. But it can be difficult to setup and requires a OpenVAS server to be installed which only runs on *nix. OpenVAS was fork of Nessus before it became a closed-source commercial product.
  • io is a tool offering a free online check to quickly report which security headers mentioned above (such as CSP and HSTS) a domain has enabled and correctly configured.
  • Xenotix XSS Exploit Framework is a tool from OWASP (Open Web Application Security Project) that includes a huge selection of XSS attack examples, which you can run to quickly confirm whether your site’s inputs are vulnerable in Chrome, Firefox and IE.

The results from automated tests can be daunting, as they present a wealth of potential issues. The important thing is to focus on the critical issues first. Each issue reported normally comes with a good explanation of the potential vulnerability. You will probably find that some of the issues rated as low or medium in importance aren’t a concern for your site. If you wish to take things a step further then there are some further steps you can take to manually try to compromise your site by altering POST/GET values. A debugging proxy can assist you here as it allows you to intercept the values of an HTTP request between your browser and the server. A popular freeware application called Fiddler is a good starting point.

So what should you be trying to alter on the request? If you have pages which should only be visible to a logged in user then try changing URL parameters such as user id, or cookie values in an attempt to view details of another user. Another area worth testing are forms, changing the POST values to attempt to submit code to perform XSS or to upload a server side script.

Hopefully these tips will help keep your site and information safe. Thankfully most Content Management Systems have inbuilt website security features; it is a still a good idea to have knowledge of the most common security exploits, so you can make sure that you are covered.

For more information about Wanstor’s IT security solutions, please click here – https://www.wanstor.com/managed-it-security-services-business.htm

Read More

Reasons why business leaders need to consider outsourcing their IT service desk to a specialist provider

14th December 2017
|

Service Desk Operatives smiling

At Wanstor we have recently been talking to a number of existing and potential customers about their IT service desk support. Our discussions have highlighted a number of major trends which IT departments and business leaders were not aware of putting pressure on IT service desk resources. For example:

  • Employees are more mobile than ever before, meaning things break at different locations
  • Employees attitudes to work are changing from a place where you go, to something you do as and when required
  • Different business departments wanting access to cloud services
  • More and more applications are being developed and used in day to day business
  • Data management becoming a serious headache as employees and customers demand access to it 24/7
  • More and more devices being used – leading to security and patch management issues in terms of the right levels of resourcing and making sure users are safe at all times from potential attacks
  • New technology and new devices are being launched all the time – What is the best way to offer support?
  • Growing operational costs of supporting a sprawling mixed vendor IT infrastructure
  • End users complaining about the time it takes to solve issues through the IT service desk

Traditional IT help desks used to service the business during opening hours and at fixed locations, however this is no longer good enough. IT support staff are now required to be multi skilled across a range of technologies and provide support to staff at different locations 24/7.

As business technology has become increasingly complex, the need for dedicated IT support services has grown. Typically the IT help desk has provided end users with little more than basic trouble shooting and issue management services. In the past when technology was made by only a few manufacturers, staff could easily be trained and appear knowledgeable about computers and IT infrastructure. However as business has become more reliant on technology, a standardised and documented helpdesk approach is needed, one which offers a consistent set of services and protocols for help desk staff. Over the past decade, IT help desk staff have started to become hindered by the sheer speed at which enterprise technology has evolved. There are a number of trends that have made it increasingly difficult for traditional IT help desks to provide the kinds of support that end users need:

These trends include:

  • Improvements in users personal IT has changed perceptions and expectations of what IT can help them with in their working lives. The user experience of smartphones and laptops is significantly better than even 5 years ago. What’s more, many of the leading technology providers provide consumers with a high standard of customer service (Just think of the apple store). So, when they call up their company’s IT service desk, they quickly become frustrated by untrained staff, staff who do not keep lines of communication open or inefficient processes which they have to go through to get a simple problem fixed.
  • Most of the modern workforce have been using advanced technology for the majority of their lives. Many employees are now capable of resolving minor troubleshooting problems and are also used to looking for answers online through search engines. Quite often, the IT help desk is a last resort for more complex problems, meaning IT help desk staff must be prepared to resolve more difficult issues.
  • As technology has evolved users are using a variety of software and applications in their business lives. Today, the typical business will be using 100’s of applications, with staff constantly connecting to the network with different kinds of personal and mobile devices. Expecting the service desk to monitor and support this complexity alone is problematic, as every user has a different IT need in terms of software and applications.
  • Employees want to work when they want to not when they are told to. This change in mindset with regards to work alongside the widespread acceptance of cloud technology and mobile devices, means business users are now able to access company content from their smartphones or laptops at any hour of the day. Most of the time this is hugely beneficial to the user and the company, allowing workers to be productive whilst out of the office. However, when they have problems logging onto the system, or syncing a document to their device, they need support instantly. When an IT help desk is closed at weekends or after 5pm, the service simply does not match up to user and business requirements.
  • More pressure is being placed on IT helpdesks. Staff turnover is constant as many internal IT helpdesk staff simply cannot cope with the demands being made of them. The HDI regularly states that the staff turnover rate on IT service desks is as high as 40% with many staff who do not leave complaining of stress and stress related illnesses. Such a high staff turnover means internal IT service desks often have extremely large training bills as they are constantly struggle to train and retain skilled staff members alongside many positions remaining unfilled.

The issues identified above have led many businesses to explore alternatives to the traditional in-house IT support approach. At Wanstor we believe the aim is not to replace the talent firms already have. Rather, the goal should be to extend and enhance in-house IT staff, by letting them focus their attention on high value strategic activities, whilst using a mix of outsourced staff and technology to support wider business and IT goals for highly intensive administration tasks.

At Wanstor we believe by enhancing internal IT services teams with improved help desk technology and outsourced IT service desk teams for high volume/admin heavy tasks, businesses can fill the skills, cost and user satisfaction gaps which exist and achieve the best possible ROI from their technology. The main reasons many business leaders are talking to Wanstor about outsourcing their IT helpdesks are:

Improved communication – Focussed on the specific needs of the business and end users

Training – Outsourced IT service desk staff specialise in providing customer support for a wide range of technologies. This means that they are trained with the latest versions of software solutions. They can also be trained to help with a business’s specific technology set up.

Cost savings – Many IT outsourcing companies provide contracts that give businesses the option to only pay for the services they need and use. An internal IT service desk is a fixed cost in terms of people and technology which needs to be provided even when the business does not require large volumes of IT support. By moving to a pay as you go IT service model, it has been proven through many extensive studies that operational costs of IT service desks can be cut by over 20% in many cases.

Outsourcing part of your IT support service will only be successful if the solution and partner you choose aligns with the specific needs of your business. It is essential that business and IT decision makers develop a plan of requirements and expectations before they engage with an IT partner. By taking the time at the outset to decide what the business actually needs from an IT support partner you can decide on whether you are looking for a partner to resolve repetitive problems like resetting passwords, or are looking for a close partnership where your IT help desk is fully supported by an external team and best in class technology.

At Wanstor we recommend all businesses do 5 things before they engage with and decide on an outsourced IT service desk partnership. They are:

  • Discuss what is going wrong with your existing IT helpdesk team and see if there are any process or people improvements which could be made to alleviate pressure and improve the service required back to the business
  • Interview a selection of end users and find out what they want/expect from an IT service desk and then evaluate if you already have the skills/capabilities to satisfy those user demands or if you definitely need some help
  • Have a vision of what you want the IT service desk to look like. Can you provide that vision with internal staff or do you need expert outside help to reach your IT and business goals. If you do want external IT support what does your ideal IT partner look like and what services should they provide?
  • Engage with a partner who can support your vision and has the expertise and experience to turn it into reality. Your partner should be able to advise you on what is realistic, and you should expect them to be able to guide you to a degree.
  • Set KPIs to judge whether your partnership is successful, it is highly valuable to measure progress. Conduct regular customer satisfaction surveys to find out whether your business users are now happier with the service they are receiving.

In summary, the traditional IT help desk model is redundant. Business technology has moved on and is still moving through its various lifecycles at a real pace. As a result, traditional IT help desks are simply unable to cope with the increased demands being placed on them. At Wanstor we believe the future IT service desk model is a hybrid one. One which uses internal IT teams for strategic high value IT programmes of work and an external provider who can look after all of the operational IT demands from users such as patching, password re-sets, application updates and making sure the right security is in place. Get the internal/external IT service provider mix right and your business could benefit from access to highly trained staff as and when it needs them, lower operational costs and improved end user satisfaction levels.

To find out more about Wanstor’s vision of the IT service desk of the future download our whitepaper here.

Read More

Is your digital transformation working? Putting the basics in place

3rd November 2017
|

Digital Transformation

In the current business environment, it’s not enough to automate processes and increase efficiency. To succeed, companies need to be unique and truly differentiate themselves from the competition. Your customers are demanding a more personalised service, and their expectations about the service they receive from your business continue to rise every day. To meet rising customer expectations around their business, and stay competitive, companies need to move to a relationship/value based interactive model with their customers. This increasingly means starting with the customer impact first on any business project, initiative or budgetary spend. This is where digital strategies start and digital transformation can happen. Many businesses have started ‘digital’ programmes of work, but have not yet seen the rewards of their efforts.

At Wanstor we believe there are 4 things businesses should do before embarking on a digital transformation strategy. Under no circumstances is it good enough to dip a toe into digital transformation. Instead business leaders should either commit to a digital transformation programme of work fully or decide when they are going to commit to it. In summary – undertaking a digital transformation programme to execute a digital strategy is not an easy task and half-hearted approaches simply won’t work.

So what are the 4 things all business leaders should do if they want to successfully execute ‘digital’?

Take the time to develop a strategy

The strategy phase of the digital transformation process should help a business define and understand the problems it wants to solve and how it is going to solve them. The old way of working in business is to start with existing problems and requirements then develop a solution. This approach still has value, but only deals with problems that exist today, rather than looking at potential problems/pitfalls in the future. At Wanstor we recommend when building a digital transformation strategy, businesses should instead focus on outcomes and end goals if they are going to be successful. Ask questions such as – What does success look like? What customer experience do we want to create? What story do we want to tell to the business and customers?

Think about the key themes of your transformation and the experience you want to deliver. For example, a restaurant owner may want to personalise the dining experience further. Now the restauranteur has captured a vision of what they want to do, they now require a programme of work to help achieve the set vision. This is where digital comes into play. The restauranteur wants to create an actionable strategic vision that wraps around business objectives. To do this, they first of all need to identify gaps across people, processes, technology and offerings, and then create a roadmap to success. As well as having a clear plan, it is important that any digital initiative is completed at speed so as to stay ahead of the competition and improve the time to benefit ratio of projects which will affect the business and provide a customer with an improved experience.

Design with the customer experience in mind

Designing any solution to a problem in a digital world should always start with the customer in mind. This means thinking about how customers and staff will interact with technology to improve the dining experience for example. First of all think about focusing on the experiences you want to create for your end-users, not the requirements of the solution. Also consider how you can change the way employees engage and collaborate and the way customers interact with your business. Your goal here should be to build the right experience, and allows your staff and ultimately your customers to reach their end goals e.g. a more efficient front of house operation resulting in a better customer dining experience.

Put the right pieces in place

Having a strategy and a design is a great start to your digital transformation. But if you can’t assemble the right pieces – people, propositions, processes and technology you actually haven’t got anything apart from random parts. At this stage it’s time to start unifying the team, the processes and ultimately start shaping the experience. E.g. A restaurant wants to make online bookings easier on its website. To accomplish this, they need to connect the different points of the customer journey with the booking system. What does the customer do when they land on the restaurants website for example? How easy is it to find the booking application? How is the booking data relayed to the restaurant they want to book a table in? Do staff at the restaurant understand the booking system and the customer’s requirements when they book?

It doesn’t matter how many systems need to be involved, it should all be seamless and easy for the customer who should feel like they are accessing one single system. At Wanstor we usually find for processes like ‘restaurant booking’ most restaurant businesses already have the right pieces of technology and parts of the process, but it’s joining them together that is quite often the problem. The key to success is leveraging all disparate systems, services and existing technologies to power elements of the digital ecosystem. Quite often a simple gap analysis of where you are now vs where you want to get to, highlights areas which need to be joined up or require work for integration. By putting the disparate pieces together ‘digital’ can actually start to become a reality.

Get ready for success

The final piece of the digital transformation puzzle is getting and keeping everything running smoothly. Regardless of your deployment method, you will want to implement a plan for continuous management and support. This starts with a dedicated digital transformation team who can help implement governance and a plan to keep your ‘digital’ roadmap and architecture up-to-date at all times. For IT they should consider adding a shared support structure, along the lines of a shared services centre, with skills across a variety of disciplines, such as change management, process optimisation, and agile management, so they can build repeatable processes that are supported by a dedicated group of experts. If you don’t have these skills in-house, you should find a managed service partner who can supplement the team with these skills.

In summary at Wanstor we usually see digital transformation programmes failing or not delivering the benefits they promise as teams, people, processes and technologies are disconnected. By following the 4 steps above you should have by now, grasped that digital transformation is not just about technology but about business change. Those businesses which put together the right strategy, design, and processes in place will ultimately achieve their digital transformation goals.

At Wanstor we believe ‘digital’ can bridge many business and technology gaps. By bringing together a top-down business approach with bottom-up operational experience ‘digital transformation’ adds customer, employee, and operational value by leveraging disparate products, services, and existing technologies, to create, build, and manage digital ecosystems.

By using digital transformation programmes to innovate and improve, businesses can create a long-term competitive advantage. One that creates improved customer loyalty, more customer spend and reduced business operating costs.

Read More

Cisco Meraki MV Series CCTV

15th May 2017
|

Cisco Meraki MV Series CCTV Business

Security cameras have become a necessary way to keep your business safe and operating smoothly, but the technology behind your CCTV has not progressed much over the last decade. Cisco recognised this and has developed the Cisco Meraki MV Series to remove the administrative hassle that you face with your business CCTV, allowing you to view and administer video from anywhere, while not significantly impacting your normal network traffic. Like the rest of the Cisco Meraki lineup, the MV (Meraki Vision) Series have been designed to look good, be quick and easy to set up and work seamlessly with all other Meraki products through the incredibly intuitive Meraki dashboard.

Read More

6 Retail WiFi and Restaurant WiFi Challenges

27th April 2017
|

Retail Restaurant WiFi Challenges

WiFi has become an important way for retail businesses and restaurants to improve their customer engagement and build a loyal following. It is also an incredibly valuable tool for you to gather your visitor metrics, better understand your customers and provide a mechanism for you to reach them easily and cheaply.  Retail WiFi and Restaurant WiFi challenges do exist though, as follows.

Read More

8 benefits of Cloud Computing for Restaurants

31st January 2017
|

8 Benefits Cloud Computing Restaurant Business

As a restaurant operator, you are no doubt always on the look out for ways to improve your processes and procedures in order to deliver sales growth, while also making efficiency and cost savings. After much hype, cloud computing is now a proven and mature way of delivering technology services to your restaurants, transforming the way your business operates and bringing benefits for all of your stakeholders.

Read More
Wanstor
124-126 Borough High Street London, SE1 1LB
Phone: 0333 123 0360, 020 7592 7860
IT Support London from Wanstor IT Support London