Organisations still making common security mistakes with their websites, says hosting firm

Business software default settings need to be more secure, says European hosting company LeaseWeb.

Business software default settings need to be more secure, says European hosting company, LeaseWeb.

Customers of the company's unmanaged datacentre and high-volume web hosting service that are targeted by cyber criminals are typically those that have simply accepted default system settings, says Alex de Joode, security officer at LeaseWeb.

While customers are responsible for installing and updating all software systems, LeaseWeb provides alerts about potentially compromised systems.

"I would like to see the software industry making default setting more secure, because although they may be less user friendly, they will make systems more secure automatically," he said.

De Joode argues that making defaults more secure will raise the overall security posture, particularly of smaller companies that do not have dedicated security teams.

"Only the security savvy organisations will know what default settings can be changed to improve ease of use without compromising security," he said

Other common failings that make legitimate websites easy prey for cyber criminals to exploit, include not ensuring that security patches for all software are up to date and not hardening websites against common attack methods such as SQL injection and cross-site scripting.

"Security, particularly in the online environment, is often an afterthought. Many organisations hosting websites, typically do not insist the developers make those sites secure from the start," says De Joode.

Another common failing is to secure the web server, but to forget about the associated database server, with sites falling victim to cyber criminals often having few if any access controls around the database, he says.

Any organisation hosting a website needs to think of securing the whole environment, and not just individual modules, says De Joode.

They also need to learn to think more like hackers and look for weaknesses in processes and procedures and ways around the checks and balances.

Monitoring hacker forums can help those responsible for security in systems to understand what kind of vulnerabilities cyber criminals are looking to exploit.

Regular penetration testing is another useful tool in helping to reduce the vulnerability of legitimate websites to hijacking.

While these approaches will help reduce the risk, no website can be considered completely safe from attackers, says De Joode.

In this case, it is important for organisations to choose hosting companies that have good relationships with the authorities to ensure that if an investigation is necessary, this will be carried out in the most sympathetic and least disruptive way as possible.

When choosing a hosting provider, says De Joode, organisations should ask whether prospective companies have a good relationship with law enforcement and how they would deal with investigations should a site or database be compromised, to minimise the impact on the business.

Read more on Antivirus, firewall and IDS products