How to ferret proof your website
Let me give you an example: I have a set of drawers for clothes.
- The ferrets know that they can open the bottom drawer and get in for a nap. It is very comfortable for them but not convenient for me. First score to the ferrets
- So, to counter this I installed some child proof locks – these are a little puzzle that you screw onto the side. The ferrets could no longer open the drawer. Chalk one up to me
- However, the back of the drawers has a hole for carrying and they have discovered this hole and can now climb into the drawers and go to sleep. They can’t (or won’t) then get out which is very inconvenient. 2-1 to the ferrets.
- I have to cover this hole. I have some handy squares of wood and so staple a piece on. 2 - 2.
- The ferrets discover it is a very thin piece of wood, like a veneer, and can destroy it. Nap time for ferrets in a pile of socks (the ones that haven’t been stolen). 3 - 2
- So, I have to get a thicker piece of wood which I hot glue on (as the wood is too thick for staples). For now, they cannot get into the drawers. 3 all.
I expect the next round any day now…
Just as I am in an arms race with my business (a collection of ferrets) you are in an arms race with hackers.
Of course, hackers don’t tip over their water bowl to discover what is underneath it. I am sure there are exceptions though.
In order to keep ahead of the hackers, you need to patch your web server, patch your database server, your firewalls, your security software, ensure that you are running the latest frameworks and confirm that the code your website runs is secure.
For example, here are just three entries from the Common Vulnerability and Exposure database https://cve.mitre.org/ - these are the sort of things that you might reported on a vulnerability assessment
- jQuery version with known vulnerabilities:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358.
This has been fixed in the latest version of jQuery that was released on April 10th, 2019.
- Information disclosure for ASP.Net:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0545
This may have been fixed in .Net 4.8 (released on April 18th, 2019)
- Cross site scripting vulnerability in versions of WordPress prior to version 5.1.1: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9787
WordPress version 5.1.1 that resolves this vulnerability was released in March 13th, 2019
Note that all these are recently released versions (as of April 29th, 2019). It might not be long before a vulnerability is found in these versions and new versions are released.
You’ll have to check for updates often - at least monthly – and then patch to the latest versions. Repeat from now until the end of time. You might have to allow yourself a full day to check and patch your operating systems, server software and application frameworks. Don’t forget the hardware!
Or get Webnetism to do it.
But do it.
If you are running vulnerable pieces of software it is just time that prevents your website being compromised. You risk the embarrassment and loss of reputation and your customer’s data if you are not patching.
In the meantime, let the arms race continue… It might work if I get a heavy dog bowl for putting the water in. They won’t be able to lift that up. For a while.
Sources:
Common Vulnerability and Exposure database
jQuery latest version information