What’s the first thing that comes to your mind when talking about a website? Design? Functionality? Marketing? All these things certainly matter but what you should never forget is security.
Today many developers feel trapped by clients who want their projects delivered within impossible deadlines. Dev companies have to build apps compatible with multiple devices, platforms and operating systems at once. On top of that, clients want their app to withstand any possible attack, like Fort Knox.
Information is the most valuable asset today, and losing it is a nightmare for anyone. That makes protecting it crucial in a world where attackers try to steal it every single day.
Cyber attacks in 2017
“No big deal,” you might say. Well... To jog your memory, here is our list of the top 3 most extensive internet security breaches of 2017:
WannaCry ransomware
One of the most brazen and widespread cyber attacks of 2017 was the WannaCry ransomware. It infected more than 300k computers running Microsoft Windows all over the world, spreading on its own from machine to machine through a flaw in the SMBv1 file-sharing protocol, and extorted bitcoin payments from victims in exchange for restoring their data.
Microsoft had already patched that flaw in March 2017 (security bulletin MS17-010), two months before the outbreak; the day after the attack it also released emergency patches for Windows versions that were already out of support, such as Windows XP. In other words, every infected machine was one that had not been updated. Nevertheless, in the weeks after the first computers were hit, victims paid about $130k in total to get their data back.
Petya cyber attack
Summer 2017 was a hot one for many Ukrainian government bodies and private companies hit by the Petya ransomware (later dubbed NotPetya, since it only posed as the earlier Petya). Airports, the capital's metro, banks, supermarkets and thousands of small companies were paralysed by the then-unknown malware. It spread so fast that people across the country were afraid to switch on their home PCs.
It later emerged that M.E.Doc, the most widely used accounting software in the country, had been compromised: the attackers pushed the malware out through its software update mechanism, which caused the first “wave” of the attack. This is a software supply-chain attack, and the victims did nothing wrong: they simply installed a routine update from a trusted vendor.
The lesson has been learned, and the government has recognised the need to strengthen its cyber security capabilities.
Uber data breach
2017 was not the best year for Uber, and security issues only made the situation worse. It turned out that personal information of 57 million riders and drivers worldwide had been stolen in October 2016, and the company had decided to hide the fact.
The attackers obtained names, emails, phone numbers and, for around 600,000 US drivers, driver's license numbers. Uber claims that location data, credit card numbers, social security numbers and birth dates were not taken. The way in is instructive: the attackers found Uber credentials in a private GitHub repository used by its engineers and used them to pull the data from the company's AWS storage, so a secret committed to source code was all it took. The company also confirmed that it had paid the attackers $100k to delete the stolen data and keep the breach secret. But, as we know, what is done by night appears by day.
You have probably also heard of the Equifax breach, which exposed the personal data of over 145 million Americans, including Social Security numbers, dates of birth, addresses and, in some cases, driver's license numbers, leaving those identities at risk indefinitely. The entry point was a known vulnerability in the Apache Struts web framework for which a patch had been available for two months.
Information security best practices checklist
Once you have realised how important the security of your project is, it's time to find the weak spots and fix them. Whether you sell a product (an app, for example) or use software for your internal business needs, the CIA triad is the frame to think in. CIA stands for confidentiality (only authorised parties can read the data), integrity (the data cannot be altered unnoticed) and availability (the system is there when legitimate users need it).
Figure out the data you need to protect
There is a tip that saves time and resources: store and protect only the data you absolutely need. You avoid the whole problem of compromised data (such as credit card numbers or addresses) if you simply never store it; for example, hand card payments to a payment provider and keep only the token it returns, so a breach of your database yields no card numbers.
Encrypt sensitive data
Data such as access tokens, billing details and emails must be encrypted. If you're on AWS, Amazon Aurora can encrypt the database at rest with a key held in AWS KMS, which protects the disks, snapshots and backups. It does not protect you from an attacker who breaks into the application or obtains database credentials, because the database decrypts rows transparently for any client that can query it. For the most sensitive fields, encrypt them in the application itself with a key the database never sees.
Use only secure software
Before using any software, including the third-party libraries and packages your own code depends on, scan it for known vulnerabilities and keep it up to date; the Equifax breach came through a web framework whose patch had been available for months. Also, disable or completely remove any software that is no longer in use, since forgotten components are a favourite entry point for attackers.
Consider wise authentication
Passwords must never be stored in plain text or in a reversible (encrypted) form. Store them as a salted hash produced by a slow password-hashing function such as bcrypt, scrypt or Argon2, so that a stolen database does not hand the attacker every password at once. You can also add password rules to keep out weak choices like “password” or “12345”, but don't overdo it: a minimum length plus a denylist of common passwords does more good than complexity rules. Instead, rely on multi-factor authentication (2FA). SMS codes, phone calls and email confirmation are the easiest to roll out, but they are also the weakest factors (SIM swapping and mailbox takeover defeat them), so prefer an authenticator app (TOTP) or a hardware or platform security key (FIDO2/WebAuthn) where you can.
Control the web traffic
Control the infrastructure
Reduce manual operations as much as possible so that upgrades can be rolled out quickly and automatically. Centralise logging so that nobody needs to SSH into servers to retrieve or read logs, and so that the logs survive even if a host is compromised and wiped. Also consider an intrusion detection system (IDS): it will not stop an advanced persistent threat (APT) on its own, but it shortens the time an intruder can operate unnoticed.
Create a guideline
When developing a new project of any complexity, write a security guideline so that the whole team acts in a consistent manner and not a single backdoor is left for attackers.
Have a plan
No matter how secure your website or mobile app is, anything can happen, and you need a plan B. Hiding the incident as Uber did is not a good idea, so think through the possible consequences, prepare your public statement in advance and keep in mind the ways of containing and resolving the problem.
We hope this post hasn't given you a dose of paranoia but has instead raised your awareness of how important cybersecurity is. Whatever the size of your project, keeping it secure is a must at a time when user data is everything.
At GBKSOFT we care about information security at every step of development. Every team member, from developers to system administrators, follows a dedicated checklist that keeps data safe and secure.