Simple steps to a more safe and secure charity website
The safety and security of your charity website may not be the sexiest of reads on an autumn day... until now. Just kidding, BUT keeping your site and your users' information safe and secure is of paramount importance. Let's break down what your charity can actually do to keep on top of website security...
In July, more than 120 organisations, including many charities such as The National Trust and Sue Ryder, had their volunteer and fundraiser data compromised through a breach of Blackbaud’s cloud platform. Whilst Blackbaud acted to ensure the data accessed was destroyed – paying a ransom to the attackers – it once again prompts concerns around security online. So often, any control can feel out of our hands. But there are things that you and your technical team can do to improve your charity website’s security. Let’s consider some of the most common vulnerabilities to make sure you’re doing all that you can, to protect your charity website and supporters.
Watch out for weak points
One of the primary objectives for attackers is getting access to login credentials so they can obtain user information or even take control over admin systems. There are many ways attackers hope to achieve this, including using sophisticated algorithms and bots. Sounds scary, but there are some barriers we can put in their way! The context and communication that a website gives to the user when they are on a login page is very important. Let’s consider this from angles other than just a legitimate user. An interesting piece of information that can be taken from a login page is whether or not an account exists at all.
If someone enters an email that is correct on a login page, with a password that is incorrect – what is the message that you display to the user? If the message displayed communicates that the password is wrong, that person now knows that this email is real and also that the email has logged into the system before.
One approach to counter this extra bit of intel going out to hackers is to display a generic error if someone were to enter the wrong credentials, rather than specifying that the password is wrong. That way, no extra information is leaked.
When it comes to locking down the user login section of a product or service, there are a few simple ways to add an extra layer of security. For example, implementing a CAPTCHA if the user gets their details wrong too many times, or sending an email to alert a user after repeated incorrect login attempts.
When a user logs into a service they normally use a combination of username and password. But if a user’s details are compromised, anyone can log in as them. Some services send you emails when logins from unexpected sources occur, but by then it is too late.
As well as ensuring users create strong passwords containing a mix of uppercase, lowercase, numbers and symbols – there is also the option of using Multi-Factor authentication (or MFA) to add another layer of authentication. Once a user has logged in using their basic details, they need to prove their identity using another medium.
This could be by receiving a text message to their phone containing a code they need to input on the site, to confirm it is in fact the genuine user. This prevents unwanted logins, as any attacker would need both the user's details and access to their device. Most systems that implement user logins as a service have MFA as an optional tick box to implement (for example https://auth0.com/docs/mfa).
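The login advice above (a generic error message, a CAPTCHA and an alert after repeated failures, and an MFA step before a session is granted) pulled together into one handler. This is an added example, not code from the original article; the user store, salt and email addresses are constructed, and a real site would use a dedicated password hashing library rather than raw PBKDF2.

```python
import hashlib
import hmac
import secrets

# Constructed demo user store (assumption: a real site would use a dedicated
# password hashing library such as argon2 or bcrypt rather than raw PBKDF2).
_SALT = b"constructed-demo-salt"

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {"alice@example.org": {"hash": _hash("correct horse"), "mfa_enabled": True}}
# Compared against for unknown emails so they cost the same time as known ones.
_DUMMY_HASH = _hash(secrets.token_hex(16))

MAX_FAILURES = 5                 # after this many failures: CAPTCHA and an alert email
GENERIC_ERROR = "Incorrect email address or password."
failures: dict[str, int] = {}    # failed attempts keyed by the submitted email
alerts: list[str] = []           # stands in for sending an alert email to the owner

def login(email: str, password: str, captcha_ok: bool = False) -> dict:
    """Check credentials; the failure message never reveals whether the email exists."""
    record = USERS.get(email)
    if failures.get(email, 0) >= MAX_FAILURES and not captcha_ok:
        # Locked or unknown, the wording is the same, so nothing is leaked.
        return {"ok": False, "message": GENERIC_ERROR, "captcha_required": True}
    # Always compute and compare a hash, even for unknown emails, so the
    # response time does not reveal whether the account exists.
    expected = record["hash"] if record else _DUMMY_HASH
    valid = hmac.compare_digest(_hash(password), expected) and record is not None
    if not valid:
        failures[email] = failures.get(email, 0) + 1
        if record and failures[email] == MAX_FAILURES:
            alerts.append(f"Repeated failed login attempts on {email}")
        return {"ok": False, "message": GENERIC_ERROR,
                "captcha_required": failures[email] >= MAX_FAILURES}
    failures.pop(email, None)
    if record["mfa_enabled"]:
        # Password accepted, but no session until the second factor is verified.
        return {"ok": False, "message": "Enter the code sent to your phone.",
                "mfa_required": True}
    return {"ok": True, "message": "Logged in."}
```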
An increasingly popular method of attack, as seen in the Blackbaud breach, is to get personal and private data by installing ransomware. Once installed, attackers will have access to personal data, databases or potentially even the entire system until the ‘ransom’ is paid. The most common way ransomware is installed is through phishing emails, attachments in emails and online ads, all of which can appear unassuming and legitimate.
So how do you prevent this from happening?
- Make sure anything you install is from a trusted source – look out for anything that seems out of place and educate all website users or admins on the topic of ransomware
- Have firewalls and programmes installed in your network that identify malicious files
- Update your operating system and software as soon as updates become available to prevent any loopholes that may leave you vulnerable to an attack
It’s also crucial that you take regular backups of your data as a mitigation for the worst-case scenario where an attack does occur. Backup data should be kept in an external location that is not connected to your system; for example, a separate storage system or secure cloud storage. Up-to-date backups mean you can recover your data without paying the ransom, reinstall any systems that are infected and identify what data may have been breached so you can notify any relevant parties.
We’ve covered a couple of best practice security tips for your charity to think about. Let’s dig a little deeper into some more technical tips that can add a thicker layer of security to your site. If this isn’t your forte – we’d recommend sharing these tips with a colleague or peer that loves this kind of stuff!
Tech tips to secure your site
OWASP Top 10
Using the OWASP Top 10, a standard awareness document for web application security, is a good starting point to help build and think about security from the get-go; this will help you mitigate the most common attacks such as SQL Injection and Cross-Site Scripting (XSS).
Check your headers
The free website https://securityheaders.com allows you to scan the headers sent back from your website and highlights ones you can implement to increase your security. A breakdown of the important security headers is below:
| Header | What it does |
|---|---|
| X-Content-Type-Options | Stops web browsers trying to guess the type of the content; they use the type declared by the server instead. |
| X-Frame-Options | Lets you control whether your website can be put inside another (e.g. via an iframe). |
| Content-Security-Policy | A more complicated header that gives you fine-grained control over what content can and cannot be loaded on your site. If you get this header wrong your site will break, as JS and other files will not be allowed to load. |
| Content-Security-Policy-Report-Only | Accepts the same value as the header above but only reports whether the browser would block any content, rather than actually blocking it. |
| Strict-Transport-Security | Tells a browser never to load anything over regular HTTP and always to use HTTPS. |
| Referrer-Policy | Controls how much information is sent when a user goes from your website to another. |
| Feature-Policy | A newer header that allows you to restrict what browser APIs the website can use and what it can block (microphone etc.). |
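A small checker in the spirit of the securityheaders.com scan described above: it parses a response header block and gives each header from the table a verdict. This is an added example, not code from the article or from securityheaders.com; the sample response is constructed, the thresholds (six-month HSTS max-age, allowed Referrer-Policy values) are this example's own choices, and it accepts Permissions-Policy as the successor of Feature-Policy.

```python
import re

# Constructed sample response headers, standing in for a real site's reply.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=60
Content-Security-Policy-Report-Only: default-src 'self'
Server: nginx
"""

def _max_age(value: str) -> int:
    return int(m.group(1)) if (m := re.search(r"max-age=(\d+)", value)) else 0

# Header -> check returning True when the value is a reasonable setting (our choices).
CHECKS = {
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "content-security-policy": lambda v: "default-src" in v and "'unsafe-inline'" not in v,
    "strict-transport-security": lambda v: _max_age(v) >= 15_552_000,  # six months
    "referrer-policy": lambda v: v.lower() in
        ("no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
    "feature-policy": lambda v: bool(v),
}

def parse_headers(raw: str) -> dict[str, str]:
    """Parse a raw header block into a lower-cased name -> value dict."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw: str) -> dict[str, str]:
    """Give each security header a verdict: ok, weak, missing or report-only."""
    headers = parse_headers(raw)
    # Permissions-Policy is the successor of Feature-Policy; accept either.
    if "permissions-policy" in headers:
        headers.setdefault("feature-policy", headers["permissions-policy"])
    report = {}
    for name, check in CHECKS.items():
        if name not in headers:
            report[name] = "missing"
        else:
            report[name] = "ok" if check(headers[name]) else "weak"
    # A report-only CSP is a draft, not protection, so flag it separately.
    if report["content-security-policy"] == "missing" and "content-security-policy-report-only" in headers:
        report["content-security-policy"] = "report-only (not enforced)"
    return report
```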
Virtual Private Clouds (VPC)
Databases (DB) can be either open to the internet or not when they are created. The advantage of an internet-connected DB is that it is easy to connect to and develop on. The disadvantage is that anyone can connect. As an alternative you can install the DB inside a Virtual Private Cloud, a private network that does not have internet access, and then only allow certain services to connect to the VPC to access the database. This way you can tightly control who and what can access your data.
Web Application Firewalls (WAF) allow you to monitor and detect threats before they actually reach your website. You can look for unusual traffic patterns and stop them from ever reaching your website. This does add a slight overhead to your website (but this is being worked on), in exchange for an extra layer of security. Rate limiting the login endpoint will also help stop automated bots trying to log into the system.
Stronger and safer
These are just a few starter tips to keep your web platform and your users’ information secure. We must bear in mind that the best security practices are always changing as new technology emerges, but the basics exist for a reason. If we can get these in place, we’re off to a good start. Stay safe!