Hello everyone, as an IT professional I sometimes wonder if webmasters have the slightest amount of knowledge when it comes down to security, because nearly every website I visit has critical security threats and is an open invite for black hats. So my questions are: how aware are you of security? What steps do you take to ensure the security of your website? And last but not least: how often do you let a penetration tester check your website? Thanks for your responses and best regards, Jens
I think you've already guessed the answer in your first sentence. We have an attitude that security trumps convenience at all times when it's online, but the number of customers who ask us to reduce, bypass, or remove some security settings just for their own convenience is staggering. People have a belief that it will never happen to them, but it WILL - one day. The majority of end users and site owners just want an easy life. They don't want to be spending their time updating their websites (even if they know how), remembering long but secure passwords, and don't want to have something not work fully due to security settings they don't appreciate. It's an infuriating scenario for a host who is always the first to be blamed when something happens due to a customer's choices or lack of action, but it's also understandable that people want online stuff to be easy to use and access.

To give you a perfect example, we had a client who did a small update to their MS SQL database cluster - just a small one... honestly (so they said!). Despite us telling them to always complete a manual backup immediately prior to making any changes, they carried out the update on their live server and managed to delete... wait for it... 450,000 customer records. The cluster didn't save them because the change was immediately pushed to the other servers in the cluster. So, for the sake of a couple of minutes to press a "backup database" button, they lost their entire customer database and all their customers' details.

Sometimes the best and only thing you can do is have an excellent backup system. Fortunately for them we were a bit paranoid about the importance of these database servers and ran a real-time backup with hourly versions (with 12 versions retained), a separate 2-hourly backup to a different backup server (with 12 versions retained), and a daily backup to a third backup server (with 7 days retained).
We managed to get their business back online with a version only 15 minutes old. If we hadn't had a robust backup system they would have lost their entire multi-million pound business (it's purely online) due to convenience being more important than taking a few extra precautions. Worryingly, this isn't an unusual scenario. Things like that happen all the time.
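The tiered backup layout the reply above describes, modelled as an added example (not the host's own tooling and not part of the thread): retained versions per tier, the pruning that enforces each tier's retention count, and the restore-point selection that finds the newest copy strictly older than a destructive change. The tier names, the 15-minute granularity of the "real-time" stream (the reply only says a 15-minute-old version was restored), the last-run times and every timestamp are assumptions. The synchronous cluster replica is listed as a source with a timestamp equal to the incident, which is exactly why it never qualifies: it already carries the delete.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Tier:
    name: str            # assumed label, not from the reply
    interval: timedelta  # spacing between retained versions
    keep: int            # versions retained after pruning


# Retention scheme from the reply. The sub-hourly "realtime-stream" tier
# (15-minute granularity, last hour kept) is an assumption; the other
# three tiers use the intervals and retention counts the reply gives.
TIERS = (
    Tier("realtime-stream", timedelta(minutes=15), 4),
    Tier("hourly", timedelta(hours=1), 12),
    Tier("two-hourly", timedelta(hours=2), 12),
    Tier("daily", timedelta(days=1), 7),
)


def prune(versions: list[datetime], keep: int) -> list[datetime]:
    """Keep only the newest `keep` versions (ascending); older ones are discarded."""
    if keep <= 0:
        return []
    return sorted(versions)[-keep:]


def versions_held(tier: Tier, last_run: datetime) -> list[datetime]:
    """Versions a tier holds once retention has been applied after `last_run`.

    A few extra runs are generated on purpose so that prune() has something
    to discard, mirroring a job that has been running longer than its window.
    """
    produced = [last_run - i * tier.interval for i in range(tier.keep + 3)]
    return prune(produced, tier.keep)


def backup_catalogue(last_runs: dict[str, datetime]) -> dict[str, list[datetime]]:
    """Map tier name -> retained version timestamps, given each tier's last run."""
    return {t.name: versions_held(t, last_runs[t.name]) for t in TIERS}


def best_restore_point(
    sources: dict[str, list[datetime]], incident: datetime
) -> Optional[tuple[str, datetime, timedelta]]:
    """Newest copy strictly older than `incident` across all sources.

    Returns (source name, version time, data-loss window) or None when no
    source predates the incident. The comparison is strict: a synchronous
    replica whose state is as of the incident itself is not a restore point,
    because replication pushed the bad change to it as well.
    """
    candidates = [
        (ts, name) for name, versions in sources.items() for ts in versions if ts < incident
    ]
    if not candidates:
        return None
    ts, name = max(candidates)
    return name, ts, incident - ts


if __name__ == "__main__":
    # Constructed scenario: the delete lands at 12:00; the stream last wrote
    # at 11:45, the hourly/2-hourly jobs at 12:00, the daily job at 02:00.
    incident = datetime(2024, 1, 1, 12, 0)
    catalogue = backup_catalogue({
        "realtime-stream": incident - timedelta(minutes=15),
        "hourly": incident,
        "two-hourly": incident,
        "daily": datetime(2024, 1, 1, 2, 0),
    })
    catalogue["cluster-replica"] = [incident]  # mirrors live state, no history
    print(best_restore_point(catalogue, incident))
```

Run stand-alone, the script reports the 11:45 copy from the real-time stream and a 15-minute loss window; drop that tier from the catalogue and the hourly copy at 11:00 is chosen instead, and an incident that happened more than a day ago falls through to the daily tier. The strict `<` is the important line: a replica that receives every write in real time is availability, not a backup.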