With the popularity of WordPress, and the support it gets from the development team, it’s easy to think that your installation of WordPress is secure. Since you didn’t code it from scratch, you might assume that it is hardened and you don’t have to do any further tinkering with security. Well, you may just want to put some effort into locking down your WordPress installation. As with any website, you need an IT security policy and should walk through an IT security checklist.
There are several methods that are generally used in an attack on a website. First you have misconfigurations. This can mean everything from leaving the ‘wp-config’ file readable to the world, to allowing any kind of file to be uploaded through a form, to weak password security. The second type of access is usually gained through bad coding techniques. If you add a plugin or write your own code to add to the WordPress installation, an attacker can take advantage of bad code to break into your site. And lastly, you can lump the other attacks into infrastructure attacks. Maybe you don’t have a firewall or an intrusion prevention service running to stop attacks. Or you are hosting your website on a shared service like GoDaddy or HostGator, and someone else’s website is vulnerable, leading to a compromise of the whole hosted server.
For now, let’s address some easy things you can do to reduce configuration weaknesses that could lead to a hacked website.
1) Password – no matter how many times you say it, people still use weak passwords that can be guessed or broken with brute force attacks. There are several free and paid login protection plugins you can use.
2) File Permissions – this is a bit trickier if you do not know how file permissions work. You can get an easy primer from the WordPress help file, http://codex.wordpress.org/Hardening_WordPress. It also provides a lot of details for the more technically savvy.
3) Monitoring – you should know what is going on with access attempts or changes in the files and configuration of your WordPress site. There are a number of tools you can find for monitoring and logging activity. It’s especially important to monitor for healthcare IT security.
4) Security Testing – even if you have installed security plugins and have configured your website correctly, you should still periodically test the security for vulnerabilities. You can pay third party companies to do penetration testing or you can try some of the plugins on your own. Testing is important to risk management and assessment.
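As an added example (not code from the WordPress Codex or this post), here is a small POSIX shell audit for the two permission mistakes named above: a wp-config.php that is readable by every local account, and world-writable files or directories under the web root, which matter most on a shared host. The demo tree it builds is constructed for the example; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for the permission mistakes described
# above, then strip the offending bits. Demo paths are constructed, not real.

# Print one line per finding for the WordPress install rooted at $1.
audit_wp_perms() {
    root="$1"
    # wp-config.php holds the database credentials and salts; on a shared
    # host "world-readable" means every other tenant can read them.
    if [ -f "$root/wp-config.php" ] && [ -n "$(find "$root/wp-config.php" -perm -o=r)" ]; then
        echo "world-readable: $root/wp-config.php"
    fi
    # A world-writable file or directory lets any local account plant code the
    # web server will execute. Symlinks are skipped: their mode bits are moot.
    find "$root" ! -type l -perm -o=w | while read -r path; do
        echo "world-writable: $path"
    done
}

# Remove the bits reported by audit_wp_perms. Ownership, and the web server's
# own ability to read wp-config.php as owner or group, are left untouched.
fix_wp_perms() {
    root="$1"
    [ -f "$root/wp-config.php" ] && chmod o-r "$root/wp-config.php"
    find "$root" ! -type l -perm -o=w -exec chmod o-w {} +
}

# Build a small constructed install with both mistakes present.
make_demo_site() {
    site="$(mktemp -d)"
    mkdir -p "$site/wp-content/uploads"
    printf "<?php define('DB_PASSWORD', 'demo');\n" > "$site/wp-config.php"
    : > "$site/index.php"
    chmod 644 "$site/wp-config.php" "$site/index.php"   # config readable by all
    chmod 777 "$site/wp-content/uploads"               # uploads writable by all
    echo "$site"
}

# Stand-alone run: report, fix, report again.
if [ "${1:-}" = "--demo" ]; then
    site="$(make_demo_site)"
    echo "before:"; audit_wp_perms "$site"
    fix_wp_perms "$site"
    echo "after:";  audit_wp_perms "$site"
    rm -rf "$site"
fi
```

Run it with `--demo` to see both findings reported and then cleared; point `audit_wp_perms` at a real web root to use it as a recurring check.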
There are lots of different tools you can use to secure your site. The first step is to know that it will not stay secure without you actively implementing security measures.
In today’s world, more and more employees are using their own devices to access company websites and work screens. iPhones and iPads are two devices that are very popular now and are being used as the all-in-one device for many people. They don’t realize that these devices may not be that secure, and for a company this can lead to very costly data breach situations. Healthcare companies are especially susceptible to HIPAA patient data loss implications. If you lose data that is federally protected, then you open yourself up to legal repercussions and lawsuits from individuals as well as potential monetary penalties.
Many companies have adopted bring your own device (BYOD) policies because a lot of employees would just as soon use their own equipment. After all, they already have it and they are quite used to using it in most aspects of their lives. While this may seem like a perfectly reasonable solution, it may not be wise unless companies have truly looked at the issues with their risk management team. Fines as high as $1.5 million have already been assessed in at least one situation, in a teaching hospital that lost data on an unencrypted mobile device.
Companies are now required to perform a risk assessment and implement a data breach protection program, including for mobile devices. Those without a plan in place can be on the receiving end of some pretty hefty fines. Some important numbers that companies should be aware of are:
- 84% of employees use their smart phone for everything, including work and personal use
- 47% of all people don’t use password protection on their mobile devices
- 51% of companies have no ability to erase data from a lost or stolen device
- 49% of employees have received no training at all on mobile device security from their company
These issues are going to need to be addressed by all companies if they truly wish to stay out of hot water and avoid HIPAA-protected data loss. A BYOD policy may save money by not having to supply equipment to employees, but it also may leave you open to lawsuits and big fines. Deciding which route to take should rely heavily on risk assessment.
Data needs to remain safe at all times, and this needs to be addressed by technology companies as well. Being able to erase information from a lost device, over the air and remotely, is a must-have technology for companies who handle sensitive materials. Companies should really explore all options for protecting and destroying data if they follow a BYOD policy.
1) Don’t Email. That’s a good first step in securing email. Even if you share an account with someone and keep drafts of the email in a folder rather than actually sending the email, it is still sitting on someone else’s server, beyond your control. The government has been successful in subpoenaing email service providers for logs and old data. If you don’t really have to email your shady doings, that’s a good step.
2) Encrypt Email. Say you are forced to email. Encryption has been around for a long time, and PGP is a past master at email encryption. As long as you and the other party do not share your secret keys, no one is really going to get past PGP encryption.
3) Email Antivirus. It should go without saying these days that anti-malware and anti-virus should be checking all inbound and outbound emails. Say you were using PGP encryption but accepted an attachment that has a virus: your encryption would be useless.
4) Secure Passwords. So this is Internet Security 101. If you have a weak password on your encrypted email, then your encryption protection is again useless. People still use easy to guess passwords, things you can probably find on their Facebook page such as a pet’s name, kid’s name, college, etc. This is your first line of defense. The Huffington Post just had a great article on weak passwords, “The Top 25 Worst Passwords Of 2011: See What To Avoid”. I particularly like “trustno1” as a password. Here are the top ones:
5) Encrypt Login. When you are accessing your emails, make sure it’s over an encrypted login. If you don’t see “https” in the URL, you are not encrypted, so if someone was on the same network as you, they could potentially capture your password. It is a simple security measure, but one most people do not really think about.
So there are several things General Petraeus could have done to protect himself further; the best would probably have been no online communications for the shady activities.