I’m not a big fan of New Year’s Resolutions, especially when server security is involved. Security should be a constant concern for anyone doing business on the web. But, as a new year begins, it is a good time for server hosting clients to review the security policies and the systems they have in place. It’s empowering to start the new year confident that everything is working as it should.
2017 has been an abysmal year for online security. We’ve seen massive data leaks from companies like Yahoo and Equifax. Catastrophic ransomware attacks swept through Europe and the US. Massive DDoS attacks ravaged the online economy. A thread joins all of these incidents: they could have been avoided with a few basic security precautions.
Know Your Infrastructure
Do you know every server you have deployed and which data is stored where? What about that MongoDB server you set up three years ago and haven’t touched since? Or the WordPress site you set up last year to host a blog you haven’t published anything on in months?
It’s impossible to secure your infrastructure if you don’t have an up-to-date list of what that infrastructure is. The first step in your New Year security review should be to audit your servers to determine which software they’re running, what data is stored on them, and whether they pose a potential security threat.
In addition to being a hedge against human and technical error, backups are a vital security tool. Many of the problems caused by ransomware last year could have been avoided if comprehensive, up-to-date offsite backups had been available.
Check backup processes to make sure that they’re functioning as expected. There’s little more disheartening than needing to restore from a backup only to discover that a backup volume failed some time last year and you didn’t get the notification.
Run a few test restores of all backups to ensure that, if the worst happens, you can quickly get back to normal.
Rethink Your Update Policy
If you don’t update regularly, assume the software you depend on is vulnerable. It takes next to no time to update your servers and content management systems a couple of times a month so that security patches can be applied.
Remove Redundant User Accounts
Unused accounts create an unnecessary security risk. From time to time you may have reason to give a third party access to your server; often a developer or designer will need SSH or FTP access to do their work. Perhaps an employee who is no longer with your company had an account.
Once those accounts are no longer required, they should be removed. This guide to removing user accounts covers the basics, but take care not to remove vital system accounts. Make sure you understand what you’re deleting and err on the side of caution.
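One way to build the list of accounts to review before removing anything, as an added example that is not part of the original post: it reads a passwd-format file and separates regular-user accounts from the system accounts that should be left alone. The UID range 1000-60000 and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: split a passwd-format file into accounts to review and
# system accounts to leave alone.

# Assumption: regular users occupy UIDs 1000-60000, the usual UID_MIN/UID_MAX
# defaults in /etc/login.defs; adjust for your distribution.
UID_MIN="${UID_MIN:-1000}"
UID_MAX="${UID_MAX:-60000}"

# review_candidates [FILE]: print "name uid shell|noshell" for regular-user
# accounts. "noshell" accounts cannot open an SSH session but may still be
# used by FTP or another service, so they are listed rather than hidden.
review_candidates() {
    awk -F: -v min="$UID_MIN" -v max="$UID_MAX" '
        /^#/ || NF < 7 { next }            # skip comments and malformed lines
        $3 < min || $3 > max { next }      # not a regular-user UID
        { access = ($7 ~ /\/(nologin|false)$/) ? "noshell" : "shell"
          print $1, $3, access }
    ' "${1:--}"
}

# system_accounts [FILE]: print names outside the regular-user UID range.
# These belong to the OS or to services; do not delete them in a cleanup.
system_accounts() {
    awk -F: -v min="$UID_MIN" -v max="$UID_MAX" '
        /^#/ || NF < 7 { next }
        $3 < min || $3 > max { print $1 }
    ' "${1:--}"
}

# Constructed sample data (not from a real host).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
postgres:x:113:120:PostgreSQL:/var/lib/postgresql:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
contractor:x:1001:1001:Agency dev:/home/contractor:/bin/sh
ftpdesign:x:1002:1002:Designer FTP:/srv/ftp/design:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
}

# Demo on the sample; on a server run: review_candidates /etc/passwd
sample_passwd | review_candidates
```

Each name in the first list still needs a human decision about whether its owner requires access; the script only narrows down where to look.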
While you’re thinking about users and accounts, consider transitioning to key-based SSH authentication. Keys are more secure and reduce the chances that a bad password will result in a successful brute-force attack against the server.
There is, of course, a lot more to securing a server than we’ve covered here, but these tasks lay the foundation for a year without security disasters.