* Make sure you manage it correctly SSL/TLS certificate
* Use the latest website technology
* Ensure website security through good management
You can assume that maybe sometime , Your website will be attacked . The severity of the consequences of an attack depends on your readiness .
Improper technology management will inevitably lead to loopholes . To avoid an unprepared battle , You need to know how your website technology works , Where is the weak link of technology , And how to avoid these weak links .
Don't know how to deal with aggressive behavior , This is a loophole in itself , So this document will show you how to use the appropriate , Basic website security and maintenance measures , Protect your website and business .
Administration SSL/TLS certificate
Not all certification authorities “ Born equal ”. appropriate SSL/TLS The first step of certificate management is to choose the right partner . If you pursue the cheapest price , Then you can only get the lowest reliability .
In addition, you need to know several key points of certificate implementation and maintenance . The following sections show you two main measures that can be taken , These two measures can ensure the normal function of your certificate , Ensure the encryption of customer information during transmission , And let your website visitors rest assured
renew one 's subscription SSL/TLS certificate
As one of the easiest ways to protect website visitors' information , Is to make sure you renew on time SSL/TLS certificate .
When people visit using expired SSL/TLS The website of the certificate is , You will see a warning message , The website is no longer secure . Advice to customers ： Do not visit a website if the warning message pops up , Because any data you share may be blocked
You don't want potential customers visiting your website , See this warning message .
The good news is renewal SSL/TLS Certification is not difficult . You just need to plan ahead a little bit ： It may take one to two weeks to renew the certificate , It depends on the level of certificate you apply for , So don't wait until the last minute to apply for renewal .
Now we have management software , Can be in your SSL/TLS When the certificate is about to expire , Automatically send you a reminder , So there's no reason why you forget to renew .
Patches and updates
Patches and updates are the lifeline of website security . When hackers discover exploitable vulnerabilities , Vendors will quickly release patches to limit damage .
Only after installing and running these patches and updates , Your website is secure . otherwise , Cyber crime can still exploit relevant loopholes
This Recommendation applies to server software , Content management system and SSL/TLS library --- Anything that helps the site work .
Ensure the security of the server ： Antivirus and antispyware
You need to install the latest antivirus software on all devices , Including servers . This can help you mitigate the risk of patchless vulnerabilities （ But not that , You can ignore vulnerabilities other than zero day vulnerabilities ）, And alert when malware attempts to attack your device .
however , The design of malware often makes it difficult to detect . therefore , When malware muddles through , You need antispyware , Help you monitor the server and send and receive data .
With antispyware , You can monitor network traffic , Abnormal data request or unknown sensitive data outflow is found , And in a shorter time , Respond to network attacks or signs of malware infection .
You should ensure that you buy antispyware and antivirus products only from retail stores or trusted network providers . Some downloadable programs are actually masquerade malware .
Maintain good management practices
Good security is not just technology ; It also involves people and processes . You need a clear process , And you and your employees need to follow the process . The following sections introduce you to some good practices , Your business can take these measures , Ensure network security .
Good password security is an obvious security measure , However, people still can't update their passwords regularly . in fact , According to Symantec 《2015 Website security threat report 》, Many people use the same password for multiple accounts ; Once the password is obtained by cyber criminals , It will become real “ master key ” Good password management is the key .
Bad password management of e-mail accounts is one thing , But if you don't SSL/TLS secret key （ Data substring used to decrypt confidential information ） Strict safety measures , So this is a more serious problem . If the hacker gets the password to access these keys , Then he can access all your encrypted data . therefore , You should restrict access , Two factor verification is considered to improve the protection capability .
Setting access rights
To limit the possibility of password or key loss , You should keep the following suggestions in mind ：
* Strictly control anyone with access rights . By establishing the authorization hierarchy and “ Know the secret on demand ” Provide access rights on the basis of , You can control the risk
* For access SSL/TLS The behavior of key and other security data , Two step experiment
. This means that when the user accesses , You don't just need a password , Additional passwords are required ; The password is generated when the user attempts to log in , And it is usually sent to the user's email address or mobile phone .
* Consider two factor authentication . Two factor verification is further than two-step verification , I need you to know , Something that is owned or inseparable from you （ It's like fingerprints ） Two factors were extracted from the data .
therefore , The text sent to your phone is no different from the password , This is because text is also something you know -- The phone itself cannot generate a password -- So the phone itself is not a factor . Password generator （ For example, some banks provide password generator ) Constitute a different factor , He and password constitute two factor verification .
Implement employee entry and exit procedures
There are always employees in and out of your enterprise . It's not only important for new employees to get on the job and have good safety practice training , And for the former employees , It's also important to do a good job in the aftermath .
When someone joins your business , You should have a background check --- Even if it's just a call to their references , Ensure the authenticity of the recommender . If your website collects sensitive or personal information , And your new employee will have access to that data , Then the employee should also be checked for criminal record or background .
When an employee leaves , You should have a ready-made list , List all systems that employees have access to and what everyone has access to ; such , You can take back access and change your password . No matter whether the employee is in peace or not when leaving , You don't want your valuable data to fall into the wrong hands .