Protecting Your Organization’s Reputation – Part 1

Organizations can get a bad reputation from a variety of externally initiated and/or internally created issues, such as: poor customer service, spamming/spoofing, CEO/CFO spear phishing scams, leakage of customer personal/financial/health information, environmental dumping, financial malfeasance, and the list goes on.  For many of these issues we can mitigate the probability and impact and/or provide corrective actions.  All of these have varying degrees of impact on an organization, from simple embarrassment to litigation to fines to prison, and can severely damage the reputation of an organization, in the eyes of its current and potential customers, partners, investors and employees.

Since this is a technology-related blog, we’ll be looking at information security & management policies, procedures and controls that you can put in place in order to protect customer, partner, investor and employee information, thus protecting and strengthening your organization’s reputation/brand. This is not an extensive or in-depth exploration of these topics, but hopefully it is a good primer to help you get things started, if you haven’t already.

In this installment of the multi-part series on “Protecting Your Organization’s Reputation”, we’ll be focusing on the area of Web Reputation.

Web Reputation

When contemplating working with you as a partner, as an employer, or researching a product or service that you offer, people will eventually end up at your website, most likely after a search on Google, Bing or other search engine.  You may also have a presence on social media sites such as:  LinkedIn, Twitter, Facebook, Pinterest, etc… How do you provide a level of assurance that your domain and/or website hasn’t been hijacked and redirected to a phishing or malware site? How do you protect your social media accounts passwords from being compromised? These are just a couple of exposure areas that, if exploited, could do damage to your web reputation.  So, what do you do to protect your Web Reputation? Let’s explore the following areas:

Secure Your Domain

Domain Hijacking is the process by which registration of a currently registered domain name is transferred without the permission of its original registrant. This can be done by acquiring personal information about the actual domain owner/registrant and then impersonating them to request the domain registrar modify the registration information and transfer the domain to another registrar.

Steps to mitigate this risk:

  • Create a dedicated e-mail address for domain registration/verification/contact
    • Don’t use it for any other online use
    • Protect the account/password with Two-factor Authentication/Multi-factor Authentication (2FA/MFA)
  • Secure your registrar account by ensuring that the domain registrar provides 2FA/MFA for accounts, and enable it
  • Make sure your domain registrar provides Domain Locking and then use it
  • If your domain registrar doesn’t provide the previous two options, find a new domain registrar

DNS Cache Poisoning/Redirection can happen at the client side, server side or any device (routers, proxies, etc.) in between that is providing a DNS cache for name resolution.  You don’t have any control over client and network devices outside your organization, but you may be managing your own external DNS, which, if compromised, could have its cache and/or active records modified, so let’s focus on that.

Steps to mitigate this risk:

  • Patch/update your DNS servers
  • Disable any unnecessary protocols and services (reduces surface area exposure)
  • Install server anti-malware/antivirus and firewall software
  • Implement DNSSEC (Signs DNS Records)
  • Require authenticated record updates only
  • Restrict DNS zone transfers
  • Use a trusted DNS Proxy provider
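To turn three of the items above (restricted zone transfers, authenticated record updates only, DNSSEC signing) into a repeatable check, here is an added Python audit script; it is not from the original post, and the BIND named.conf excerpt it scans, the zone names and the TSIG key name are constructed for illustration. An unset allow-transfer is treated as a finding to review rather than assuming any particular BIND default.

```python
"""Audit a BIND named.conf excerpt for restricted zone transfers,
authenticated dynamic updates and DNSSEC signing (added example)."""
import re

# Constructed sample configuration (not from any real server): one weak zone
# and one hardened zone under a global allow-transfer of "any".
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    allow-transfer { any; };
};
key "ns-update-key" { algorithm hmac-sha256; secret "PLACEHOLDER_BASE64=="; };
zone "weak.example" {
    type primary;
    file "weak.example.zone";
    allow-update { any; };
};
zone "hardened.example" {
    type primary;
    file "hardened.example.zone";
    allow-transfer { 192.0.2.53; };
    update-policy { grant ns-update-key zonesub ANY; };
    dnssec-policy default;
    inline-signing yes;
};
"""

# Top-level "options { ... };" and 'zone "name" { ... };' blocks, closed by a "};" at line start.
BLOCK_RE = re.compile(r'^(options|zone\s+"([^"]+)")\s*\{(.*?)^\};', re.S | re.M)
TRANSFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')


def audit_zone(body, global_transfer):
    """Return the findings for one zone body; inherits the global allow-transfer if unset."""
    findings = []
    m = TRANSFER_RE.search(body)
    transfer = m.group(1) if m else global_transfer
    if transfer is None or re.search(r'\bany\b', transfer):
        findings.append("zone transfers not restricted to known secondaries")
    if re.search(r'allow-update\s*\{[^}]*\bany\b', body):
        findings.append("dynamic updates accepted without a TSIG key")
    if not re.search(r'dnssec-policy|inline-signing|auto-dnssec', body):
        findings.append("zone is not DNSSEC-signed")
    return findings


def audit_named_conf(text):
    """Map each zone name to its findings; an empty list means the zone passes."""
    global_transfer, zones = None, {}
    for kind, name, body in BLOCK_RE.findall(text):
        if kind == "options":
            m = TRANSFER_RE.search(body)
            global_transfer = m.group(1) if m else None
        else:
            zones[name] = audit_zone(body, global_transfer)
    return zones
```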

Securing Your Website

Anytime you can offload risk to a third-party, it is definitely something to consider, especially when it comes to website hosting.  With that said, securing your website requires mitigation steps at various levels, depending on what services you are consuming from third-parties and/or hosting yourself.

Website Security Certificates (SSL Certificates) aren’t just for e-commerce anymore.  If you are collecting names, e-mail addresses and phone numbers on contact/download forms, not securing the traffic is doing a disservice to your users/customers.  Google, Microsoft, LinkedIn, Facebook and many others are automatically redirecting users from http to https connections today, and many more will be doing so in the near future.  Is this a 100% foolproof way to protect your website?  No, but it will show users/customers that you value the security and privacy of their information.

Steps to mitigate this risk:

  • Use a certificate to protect communication of personal/sensitive information with website users
  • Make sure you are redirecting from http to https access for your site
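As an added example (not from the original post) of how to verify the redirect step above, the Python function below walks a chain of captured HTTP responses and reports a redirect that is temporary, leaves the site’s host, downgrades to http, or ends on a plain-http page; it also goes one step beyond the list by checking for a Strict-Transport-Security header on the final https page. The responses and hostnames are constructed so it runs offline.

```python
"""Check an http-to-https redirect chain from captured responses (added example)."""
from urllib.parse import urljoin, urlsplit

# Constructed sample: URL -> (status, headers), as a crawler would have recorded them.
CAPTURED = {
    "http://www.example.test/": (301, {"Location": "https://www.example.test/"}),
    "https://www.example.test/": (200, {"Strict-Transport-Security": "max-age=31536000"}),
    "http://shop.example.test/": (302, {"Location": "http://shop.example.test/home"}),
    "http://shop.example.test/home": (200, {}),
}

REDIRECTS = (301, 302, 307, 308)


def audit_redirect(start_url, responses, max_hops=5):
    """Follow Location headers from start_url; return a list of findings (empty = OK)."""
    findings = []
    origin_host = urlsplit(start_url).hostname
    url = start_url
    for _ in range(max_hops):
        status, headers = responses.get(url, (None, {}))
        if status is None:
            findings.append(f"no captured response for {url}")
            return findings
        if status in REDIRECTS:
            target = urljoin(url, headers.get("Location", ""))
            if status in (302, 307):
                findings.append(f"temporary redirect ({status}) at {url}; prefer 301/308")
            if urlsplit(target).hostname != origin_host:
                findings.append(f"redirect leaves origin host: {url} -> {target}")
            if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
                findings.append(f"downgrade to http: {url} -> {target}")
            url = target
            continue
        # Non-redirect response: this is the final page the user lands on.
        if urlsplit(url).scheme != "https":
            findings.append(f"final page served over plain http: {url}")
        elif "Strict-Transport-Security" not in headers:
            findings.append("https page lacks Strict-Transport-Security header")
        return findings
    findings.append("too many redirects (possible loop)")
    return findings
```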

Web Site Hardening – Protecting your web content from intentional and/or unintentional updates or deletions is a key piece of reputation protection.  Controlling access and updates to content through a Content Management System (CMS), like WordPress, Joomla and Drupal, is a good start.  You can have different tiers of content users, from full admins down to reviewers only, and approval can be required before content changes take place; this greatly reduces the risk of both unwanted intentional/unintentional updates and deletions of content.

Adding a Web Application Firewall (WAF) is another great piece of protection.  A WAF is an appliance, server plugin, filter or cloud-based service that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection, but can typically be customized with additional rules to identify and block attacks.  There are many choices, like appliances from vendors such as Barracuda, F5, Cisco, Dell, etc., as well as web-based WAF services and CMS-specific firewalls.

Steps to mitigate this risk:

  • Utilize a CMS for controlling a website content access and modifications
  • Make sure your CMS is on the latest stable rev and is up-to-date on its patches
  • Implement suitable WAF(s), by type (appliance, host-based, cloud-based) and feature set, to meet your security requirements
  • If you deal with PCI, HIPAA or other regulatory requirements, make sure the WAF includes access control capability
  • Make sure your WAF is updated on a consistent basis

Server Hardening – If you are hosting your own web site/services infrastructure, then it is of the utmost importance that you protect the underlying operating systems. Outdated, unpatched and unprotected OSes put everything that runs on top of them at risk.  But there are some very simple things you can do to protect and harden the operating system:

  • Run on the latest stable version of the OS
  • Ensure the system has the most recent service pack, security patches and hot-fixes
  • Disable/remove any unnecessary services (reduces attack surface area)
  • Use an OS/Host-based firewall for IP filtering and port protection
  • Install antivirus and/or anti-malware (much overlooked on server platforms) and verify that engine and pattern updates are being applied
  • Secure local admin accounts and admin privileges (password randomization, least privilege access, etc…)

Secure Your Social Media Accounts

More and more organizations are utilizing Social Media as part of an overall marketing strategy.  Since these sites have their own user credentials, someone has to maintain them for the organization, and if content creation/management is delegated, then multiple users may have access to these credentials.  Frequent turnover or change of duties of employees in this area can make this an administrative challenge, with continual password changes.  If you don’t change the passwords and you have a disgruntled employee (or ex-employee), they could decide to make unauthorized changes, release the credentials into the wild, or potentially delete the entire account.

There are some ways, like the MFA mentioned above, to protect the social media account from unauthorized profile changes and deletions with a secondary confirmation or notification as an SMS text or email message.  Also, there are some cloud-based Single Sign-On (SSO) solutions that allow administrators to obfuscate the account’s credentials and assign/map users/groups access to that account.  When the user no longer needs access, you remove the user from the group or specifically from access, depending on how they were assigned.

Steps to mitigate this risk:

  • Use complex passwords or phrases
  • If the Social Media site provides 2FA/MFA for accounts, enable it
  • Enable email or phone notifications for changes to account and suspicious activity (like unauthorized password change request)
  • Utilize an SSO provider, if possible, to control/hide password information; otherwise make sure to change the password for the social media account after a user performing a content management role with the account has left that position

Next Installment…

E-mail, as we well know, has become the predominant form of business communication both internally and externally, so in Protecting Your Organization’s Reputation – Part 2, we’ll dive into protecting your e-mail reputation.