There’s a reason why IT security and vulnerability testers seem unusually paranoid pretty much all the time. Perhaps it’s easy for those of us who are not tech-savvy to confuse paranoia with knowledge of viable risks. One is an irrational fear; the other flees the tracks before the train arrives. Perhaps the train does exist – and is heading right for us.
Doom-and-gloom metaphors aside, it’s important to understand the threat of a cyberattack and of the identity theft that often follows shortly thereafter.
Putting the ‘S’ in HTTPS
One of the most tried-and-true methods of keeping data secure is running a Secure Sockets Layer (SSL) site to protect sensitive customer data.
Essentially, you will need to protect against ‘man-in-the-middle’ attacks. The MO is simple: a hacker gains access to your network and actively watches for the moment when the sensitive target data (personal, financial or HIPAA-protected information) travels from the customer’s ISP to your hosting server. The attack’s name derives from the fact that the attacker cuts in between point ‘a’ and point ‘b’ on the path the data takes, and then extracts those packets of information.
Without SSL protection, this is extremely easy to do for a committed but novice hacker. The ‘S’ in HTTPS indicates that SSL is in use, meaning that the data moves through a hardened tunnel across the stretch where the man-in-the-middle would have been watching for it. Also, while the data is inside this tunnel, it’s encrypted.
Why is SSL so Secure?
The hacker would need to:
- Gain access to your network (difficult)
- Locate the target data (easy)
- Bypass or create a back door to exploit a vulnerability within the SSL (very difficult)
Then the hacker would have to crack the encryption either a) by brute force, which could take a very long time depending on the processing power of his or her hardware, or b) by discovering the encryption key.
As you can see, bludgeoning through SSL takes a great deal of time and knowledge, and the hacker must actively be in the middle to sniff the target data packets in transit.
You Get What You Pay For
Usually, the more funding you invest in cyber security, the better your protection will be. It’s either that, or you’ll need the skill set and knowledge base to implement your own protections. However, a large part of the reason your adversaries are hacking in the first place is that they enjoy what they do, they’re very good at it, and they are investing time, energy and the risk of criminal prosecution.
They will be betting a great many chips on their ability to crack your vulnerabilities and leave no trail or identity for law enforcement to track. That means you need to raise your bet to surpass your adversary’s level of determination.
Why Certification Should Be Your Major Priority
This is why I’ve always suggested that you invest in acquiring an SSL certificate from a certificate authority (CA) for your HTTPS pages. Going with the free option of not acquiring a certificate could hurt you in three ways:
- Your site will appear untrustworthy to many web browsers, and could prompt that “Get me out of here!” button, which will drive away your security-conscious customers.
- This will only make your HTTPS site an attractive target for attackers, even if your site is more thoroughly protected than most sites that carry a CA’s approval.
- Your company could be held liable for damages inflicted by a successful attack, and those liabilities might be amplified if it appears as though you were knowingly inadequately protected.
What You Get For Your Investment
Investing in CA certification will provide you with several major advantages: it will not only ensure that your customers’ valuable data doesn’t end up in the wrong hands, but it will also lessen your appearance of vulnerability, discouraging attacks. Good CAs will even come with warranties, refund policies and extended validation (EV). An EV certificate verifies both your company and your domain, providing yet another means of certification that your customers will appreciate and that will further raise the stakes for hackers on the prowl.
Considerations for SSL Setup
To begin, your web hosting service should provide you with the option to create HTTPS pages, and these pages should come furnished with their own unique IP address. Not only is this needed to acquire certification, but it will also provide yet another layer of obfuscation for deterring attacks. Also…
- Ensure that all sensitive data runs only through SSL-certified pages
- Conserve bandwidth and keep your connection speed high by only protecting necessary pages, according to About Tech writer Jennifer Kyrnin.
- If you’re running images on your SSL pages, then make sure those too are rooted within the HTTPS IP address.
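As an added example (not code from the original article), the following Python script checks the first and last points in the list above against a page’s HTML: it resolves every image, script and stylesheet URL against the HTTPS page address and reports any that would still be fetched over plain HTTP (“mixed content”), and it flags any form whose action would post customer data over HTTP. It uses only the standard library; the sample checkout page and the www.example.com / static.example.com addresses are constructed for the demonstration.

```python
"""Mixed-content and insecure-form checker for an HTTPS page.

Added example, not code from the original article. Standard library only;
runs over the constructed HTML sample embedded below.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag/attribute pairs that make a browser fetch a sub-resource.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "object": ("data",),
    "embed": ("src",),
}
# <link> only fetches for these rel values; rel="canonical" etc. is metadata.
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload"}


class MixedContentScanner(HTMLParser):
    """Collects sub-resources and form targets that are not served over HTTPS."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url      # the HTTPS URL the page was loaded from
        self.mixed_content = []       # (tag, resolved_url) fetched over plain HTTP
        self.insecure_forms = []      # resolved form actions that post over HTTP

    def _resolve(self, raw):
        # Relative and protocol-relative ("//host/x.png") URLs inherit the
        # page's HTTPS scheme, so only absolute http:// URLs end up flagged.
        return urljoin(self.page_url, raw.strip())

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            action = attrs.get("action")
            target = self._resolve(action) if action else self.page_url
            if urlparse(target).scheme != "https":
                self.insecure_forms.append(target)
            return
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_LINK_RELS:
                return
        for attr in RESOURCE_ATTRS.get(tag, ()):
            raw = attrs.get(attr)
            if not raw:
                continue
            if attr == "srcset":
                # srcset is "url descriptor, url descriptor, ..."
                candidates = [c.split()[0] for c in raw.split(",") if c.split()]
            else:
                candidates = [raw]
            for cand in candidates:
                resolved = self._resolve(cand)
                if urlparse(resolved).scheme == "http":
                    self.mixed_content.append((tag, resolved))


def scan(html, page_url):
    """Return the mixed-content resources and insecure form actions in html."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return {"mixed_content": scanner.mixed_content,
            "insecure_forms": scanner.insecure_forms}


# Constructed sample: a checkout page served from https://www.example.com
SAMPLE_PAGE_URL = "https://www.example.com/checkout"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="http://www.example.com/checkout">
<script src="http://cdn.example.net/analytics.js"></script>
</head><body>
<img src="/images/logo.png" alt="logo">
<img src="http://static.example.com/hero.jpg"
     srcset="http://static.example.com/hero-2x.jpg 2x, /images/hero-1x.jpg 1x">
<img src="//static.example.com/badge.png">
<form action="http://www.example.com/pay" method="post">
  <input name="card_number"><input type="submit">
</form>
<form action="/pay" method="post"><input name="card_number"></form>
</body></html>"""

if __name__ == "__main__":
    result = scan(SAMPLE_HTML, SAMPLE_PAGE_URL)
    for tag, url in result["mixed_content"]:
        print(f"mixed content: <{tag}> loads {url}")
    for url in result["insecure_forms"]:
        print(f"insecure form: posts to {url}")
```

Run against the sample, the scanner reports the analytics script and the two hero images as mixed content and the first form as posting over HTTP; the relative and protocol-relative references pass because they inherit the page’s HTTPS scheme. Browsers block active mixed content (scripts, stylesheets) outright and warn on passive content such as images, and a form that posts to an http:// action sends the customer’s data in the clear regardless of how the page itself was loaded, so each finding is something to fix before the page handles sensitive data.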
Security is of the utmost importance when it comes to protecting the integrity of both your website and your customers.