DC Web Makers
Continuing from Part 1:
VI. DNS Attacks
Although Domain Name Server (DNS) attacks are not common, the magnitude of the damage they cause is profound. Imagine, for example, that for one hour your users cannot reach your website, or worse, are redirected to the attacker's phishing web pages.
VII. Admin Account Protections
Many serious applications and large websites come with an admin portal where company staff can log in and manage the website and/or mobile app content. To protect admin accounts, you need:
1. Different layers of admin access privileges based on organizational rank and experience
2. Secure admin authentication, where staff who forget their password must contact the chief IT administrator
3. Secure registration, where all staff are registered in the system as securely as possible. In other words, it is preposterous to see a staff registration or signup form appear in online search results
4. Restrictions against search engines, where admin pages must not be crawled or indexed by search engines; this can easily be done by adding the admin directory to the disallowed list in your robots.txt file
5. Staff activity surveillance, where for very sensitive admin platforms it is better to monitor staff activity: which pages they visited, how frequently, etc.
6. Valid IP/MAC address verification, where you verify the IP or MAC address before showing the login form to company staff. This simple approach makes the hacker's job much more difficult.
VIII. Forgot Password Compromises
Sometimes attackers try to penetrate your system via fake forgot-password attempts. Here are four remedies:
1. Count the total attempts and lock the user account after a certain number of attempts
2. Offer multiple password retrieval options, such as combining cell phone and email address verification
3. Make sure your forgot-password form can detect "spiders" or robot submissions
4. Once a user's password has been successfully reset, email the user reminding them to change the reset password immediately after their first login.
IX. Brute-Force Attacks
Brute-force attacks are essentially countless login attempts by attackers to break into a victim's account and steal their identity and data, often in a way that is impossible for the victim to notice. The only remedy I know of is to limit the maximum number of login attempts (to five, for instance) while saving each attempt in the database. Once the limit is reached, you lock the user account and have the user contact the system administrators to reactivate it.
X. Session Hijacking
Session hijacking is an attack that many programmers and business owners should be aware of. After a user successfully logs in to your system, they are assigned a unique session ID for ease of tracking. However, if an attacker takes hold of a user's session ID, they can hijack the user's account and make transactions on the user's behalf, especially via the shopping cart. Therefore, it is good practice to log users out after a certain period of inactivity and destroy their session data properly.
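The two remedies described above for brute-force logins and session hijacking, the attempt limit with account lockout and the inactivity logout, fit naturally into one authentication service. The following is an added example written for this article, not code from DC Web Makers; the in-memory dictionaries stand in for the database tables, the five-attempt limit follows the text, and the 15-minute idle timeout is an assumed value.

```python
import hashlib
import hmac
import os
import time

MAX_ATTEMPTS = 5        # lock the account after the fifth consecutive failure
IDLE_TIMEOUT = 15 * 60  # assumed value: destroy a session after 15 idle minutes

def hash_password(password, salt):
    # Slow salted hash so a stolen user table does not reveal the passwords
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthService:
    # In-memory stand-in for the database tables the article refers to
    def __init__(self):
        self.users = {}     # username -> {"salt", "hash", "failures", "locked"}
        self.attempts = []  # every attempt is saved: (username, ok, timestamp)
        self.sessions = {}  # session id -> (username, last_seen)

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": hash_password(password, salt),
                                "failures": 0, "locked": False}

    def login(self, username, password, now=None):
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None or user["locked"]:
            self.attempts.append((username, False, now))
            return "denied"  # one answer for unknown, locked and wrong: no enumeration
        ok = hmac.compare_digest(hash_password(password, user["salt"]), user["hash"])
        self.attempts.append((username, ok, now))
        if ok:
            user["failures"] = 0
            sid = os.urandom(16).hex()  # fresh, unguessable session ID on every login
            self.sessions[sid] = (username, now)
            return sid
        user["failures"] += 1
        if user["failures"] >= MAX_ATTEMPTS:
            user["locked"] = True  # only an administrator reactivates the account
        return "denied"

    def session_user(self, sid, now=None):
        now = time.time() if now is None else now
        entry = self.sessions.pop(sid, None)  # removed; re-added only if still fresh
        if entry is None or now - entry[1] > IDLE_TIMEOUT:
            return None  # unknown or idle too long: session data stays destroyed
        self.sessions[sid] = (entry[0], now)
        return entry[0]
```

Every request should go through `session_user`, so that a stale session ID is destroyed on the first touch after the idle window instead of staying valid for whoever presents it.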
What was discussed here are the first, yet fundamental, areas of cyber security that are going to alarm many businesses within the next five years. Last but not least, the full implementation of cyber security initiatives requires a thorough understanding of the business processes and of the overarching master plans. Indeed, as always, the strength of a chain is measured by its weakest link, so make sure to address all of your system's vulnerabilities and draft an updated contingency plan for catastrophic incidents.