According to a 2019 report by Accenture Cybercrime Could Cost Companies US$5.2 Trillion Over Next Five Years! How much will a lack in Cyber Security best practices cost you and your business?
Our world today continues to be more and more connected thanks to the staggering pace of technology innovation and access to data. We are more enabled, informed and connected than at any other time in the history of the earth. But we are also becoming dependent on this increasingly complex, internet enabled eco-system. From shopping and banking to communicating with our healthcare providers, we depend on and take for granted a secure environment. But how secure are we really?
In this final article about Google Lighthouse article we felt it was important to close this series with a few words about security and how you can use Google Lighthouse as one more arrow in your quiver in the fight to secure your environment and your customers data.
Google Lighthouse Security
Google Lighthouse has a few built-in security checks as part of their Best Practices, but they are not meant to replace any extensive security testing of your web applications. We always recommend using well-known and highly reputable audit tools to identify all possible security vulnerabilities. The following items are the common Best Practices security recommendations from Google Lighthouse tool which is a good place to start.
Google Lighthouse security audits focus on; HTTPS encrypted data, valid certificates, HTTP 1.1 vs HTTP/2, and JavaScript libraries’ vulnerabilities
1. HTTPS
One of the more obvious audit checks with Lighthouse is if your site is encrypting all data using HTTPS via a Certificate. Your Best Practices score will suffer if it is not! IETF, IAB, W3C, and the US Government have been calling for universal use of encryption by all Internet applications, which in the case of the web means HTTPS baring some new protocol.
It is difficult to say with certainty if the community will eliminate all HTTP traffic given 1) how many websites, servers and other communication channels currently leverage HTTP and 2) how expensive SSL Certificates have historically been. Fortunately, certificate cost is no longer an issue with wonder open source Certificate Authorities, such as Let's Encrypt, providing free and reliable certificates.
2. Certificate Validity
Lighthouse also lowers your score if your Certificate is not valid. This is an obvious complaint and one that is easily addressed by renewing your websites certificate on a regular schedule. Many Certificate Authorities have even made this process easier by providing ways to automatically renew your certificate through simple scripts that can be scheduled automatically.
3. HTTP 1.1 versus HTTP/2
HTTP/2 has the highest weighting factor in the Best Practices audit of Google Lighthouse resulting in over 20+ point gain over the older HTTP 1.1 network protocol!
HTTP 1.1 was standardized in late 90s and has long been approved upon with the later versions. Upgrading to the newer protocol reduces latency, giving end-users are more responsive and connected experience. Unfortunately, the older Windows software (IIS and Windows Server) and hardware devices such as older F5 devices are only capable of the now two-decade old HTTP 1.1 protocol.
Windows Server 2016 and above and IIS10 and above as well as .NET Kestrel are now by default on the newer HTTP/2.0 protocol so keeping current with the newer software is imperative. All newer network appliances utilize the HTTP/2.0 protocol as well, so it is important to upgrade your networks devices in addition to keeping on current versions of software.
4. JavaScript Library Vulnerabilities
Google lighthouse introduced known JavaScript vulnerabilities in version 2.5.0 when it integrated with the Snyk’s vulnerability database. Best Practices now includes this as part of its audit of front-end JavaScript libraries. For example, the following is a failed Best Practice audit against older version of jQuery and AngularJS.
Extra “Best Practice” Security Measures Beyond Google Lighthouse
We always recommend running a robust security audit in addition to Google Lighthouse and then address each individual vulnerability. Typically, this requires some rewriting parts of your web application to harden your code against new exploits that appear every month. Here are a few initial measures you can take that always appear on audits and thus eliminate issues from the start.
- Disable older SSL protocols like TLS 1.0, 1.1 and SSL
- Do not store passwords in any field on the web server. Utilize an encryption routine or mechanism like Azure Key Vault to safely store all passwords, ids, and secrets.
- Treat web servers as if they are already compromised and thus never store any sensitive or HIPAA related data on front end web servers.
- Make sure web servers are in a firewall protected DMZ with no direct connection to any Database Server.
- Only open Firewall Ports for Database Access and other Web Services as needed. All other ports both in and out of the Web Servers should be shut down by default. Never Allow All TCP or RDP without a whitelist.
- Always change the default password for cloud servers and disable any auto-generated security groups.
- Follow best coding practices and never allow obvious exploits such as SQL Injection or non-secure authentication methods. For example, the older Microsoft security block of the 90s used SHA1 hashing which was “cracked” back in the mid-2000s, yet many companies still use this today.
There are many considerations when making your site more secure. These are a few that Lighthouse helps to find along with our recommended best practices. Make sure that you have a comprehensive security plan in place and update it frequently. Cyber criminals are aggressive and constantly on the attack – you must remain vigilant.
Our experts can work with you to optimize your site security and make your information safely available to your users. If you’d like to learn more, Cyberlancers can perform a free performance check to help you understand how you are really performing. To learn more go here: https://www.cyberlancers.com/free-performance-check