Having previously run an Internet service for the protection of personal data, and for the last 3 years an Internet service that protects sites from losses and downtime caused by Internet threats, I regularly explain to site owners what needs to be done to keep a site from being blocked or hacked because of breaches of security legislation and non-compliance with basic site security measures.
From this accumulated experience I have compiled the basic site security requirements that site owners need to know and follow. If they are unaware of these requirements and do not comply with them, then sooner or later the site will be blocked by Roskomnadzor, the hosting provider or the search engines, or hacked by intruders.
1. Storage of personal data of Russian citizens on the territory of the Russian Federation
What threatens the failure: blocking of the site at the request of Roskomnadzor
Hour X is already close: sites holding personal data of Russians must be transferred to the territory of the Russian Federation before September 1, 2015! It is the site together with its database that must be transferred, not just the database; much has been written about this, and this is the position of the main regulator in this area, Roskomnadzor.
In addition, the location of such data will have to be reported to the territorial body of Roskomnadzor in a written notification of personal data processing.
If a site with personal data is not transferred to the territory of the Russian Federation, its owner faces a small fine. But if, after the fine is paid, the site is still not moved, it will be blocked by hosting providers at the request of Roskomnadzor.
No one doubts that compliance with this requirement will be checked; exactly how is not yet known, but it is worth remembering that today Roskomnadzor carries out its site-blocking duties with evident zeal.
Therefore, use the time before September 1 (or shortly after) to transfer a site holding personal data of users who are citizens of the Russian Federation to Russian hosting.
2. Publication on the website of the organization’s personal data policy
What threatens the failure: a fine of up to 30 thousand rubles from Roskomnadzor
Almost all sites allow users to register and leave their personal data. For such sites Federal Law No. 152-FZ “On Personal Data” imposes a specific requirement: a document defining the company's policy on the processing of personal data, together with information on the implemented requirements for the protection of personal data, must be published in public access.
To be precise, this requirement is set out in Part 2 of Article 18.1 of Federal Law No. 152-FZ “On Personal Data”:
“The operator who collects personal data using information and telecommunications networks is obliged to publish in the relevant information and telecommunications network a document defining its policy regarding the processing of personal data and information on the applicable requirements for the protection of personal data, as well as to provide access to the specified document using the appropriate information and telecommunications network.”
Such a document is usually the “Policy regarding the processing of personal data”, which is best placed on the site as a PDF file bearing the company seal and the CEO's signature. A template of this document can be found on the Internet or on services for preparing personal data documents.
3. Collecting consent to the processing of personal data
What threatens the failure:
- website blocking by hosting providers at the request of Roskomnadzor
- entering the site into the Register of violators of rights of personal data subjects
- fine up to 300 thousand rubles from Roskomnadzor
The same law obliges sites that collect personal data to obtain consent to the processing of personal data from everyone who registers or leaves their personal data. Consent may be given in any form that allows the fact of its receipt to be confirmed, unless Law No. 152-FZ “On Personal Data” provides otherwise.
Compliance with this requirement protects the site owner from complaints by individuals to Roskomnadzor about violations of their rights as personal data subjects. When a government agency receives such a complaint, monitoring of the site and an inspection of the company's activities are organized. The inspection will include a request for information on how consent to the processing of personal data is collected and, possibly, an on-site inspection.
Here is an example of a letter from Roskomnadzor to one of our clients. Pay attention to point 1).
To avoid the case ending in blocking of the site and fines, place text about the user's consent to the collection and processing of their personal data next to the registration and feedback forms.
Three practical tips on this:
- Consent need not be collected separately if the site publishes rules for using the site or another public offer (for example, a User Agreement). It should describe the site and what services and features it provides to registered users.
- If you collect personal data about health, political and religious views or other data critical for a person, or pass personal data to other organizations, it is better to post a separate consent to the processing of personal data on the site. To do this, place on the registration page the phrase “By registering, you consent to the processing of your personal data” with a link to the public offer of consent to the processing of personal data.
- Include in the consent to the processing of personal data consent to advertising mailings by e-mail and SMS, thereby satisfying the requirement of the law “On Advertising” at the same time.
4. SSL certificate on the site
What threatens the failure: interception of traffic by an attacker and hacking of the site
An SSL certificate protects the channel by encrypting all data transmitted between the site and the user, and increases user confidence.
For those who do not know or have forgotten: an SSL certificate is shown as a green padlock next to the site address in the browser.
An SSL certificate confirms ownership of the domain (for example, that you are really connecting to this SiteSecure site) and can also confirm that the site belongs to a specific company. In the latter case, the browser displays the organization's name in the address bar:
In Europe and the United States it is almost impossible to imagine an online store, commercial website or online service without an SSL certificate. In Russia, SSL certificates are only gaining momentum, but many companies have already installed them on their websites. Besides protecting the channel from data interception, an SSL certificate increases customer confidence in the site and helps SEO: Google officially stated that since August 6, 2014, a valid SSL certificate is a positive factor when ranking a site in search results.
5. Site backup
What threatens the failure: complete loss of the site
While protecting and cleaning clients' sites as part of our Internet service, my colleagues and I often encounter sites “disfigured” by viruses. It is much faster and easier to restore the site from a backup and then eliminate the vulnerabilities and protect it against reinfection. But there are cases when a site cannot be cleaned at all because there is no backup.
Many people assume that hosting providers automatically back up all sites, but in fact this function is often not enabled or not paid for.
How can the lack of a backup harm a site?
A typical security incident: a group of hackers compromises a server hosting many sites at once and replaces their main pages, or all their files, with its own. This is what a site's main page looks like after such a hack and defacement (the hacker group's contacts are hidden):
In our practice there have been cases when the site owner or the person responsible for the site had no backup copy from which to restore the pages after a defacement. So be sure to check whether your hosting provider backs up the site. And since hosting providers have problems too, keep an additional backup of your own, just in case.
6. Protecting the site from DDOS attacks
What threatens the failure: inaccessibility of the site, falling sales and reputational damage
DDoS attacks have become a tool for undermining reputation and income, and for blackmail. Companies use them to undermine the sales and reputation of competitors by making the competitors' sites inaccessible to potential customers. This practice is especially common in industries with seasonal demand (tourism, flower sales, “Santa Claus” services at New Year, air ticket sales), as well as against the sites of media outlets, political parties and the government. Attacks are quite often aimed at the sites of small and medium-sized companies, since almost all large companies have already protected their sites from DDoS attacks.
The e-commerce market deserves a separate mention: it is particularly sensitive to DDoS attacks, because the site is one of its key assets and any inaccessibility leads to direct losses.
At the same time, the number of DDoS attacks on sites is steadily growing. This is due to the increase in the number of botnets worldwide (infected computers that carry out an attack without their owners' knowledge) and to lower prices for organizing DDoS attacks (the cost of an hour of attack has decreased from $38).
Competent server configuration by technical staff, site monitoring and the use of DDoS protection services will protect against this threat.
7. Monitoring the security and protection of the site
What threatens the failure:
- hacking and site infection
- website blocking by hosting providers, search engines and antiviruses
- loss of site position in search
Everyone has long been accustomed to installing antivirus software on computers, laptops and even smartphones. With site protection the situation is different: it receives little attention. Yet there are good reasons to worry.
According to a study of the security of 320,000 commercial sites in Russia, conducted in the first quarter of 2015, every 10th site is either already infected and blocked by search engines, or has security problems for which it would be blocked by search engines and antivirus programs. Search engines have not yet detected these problems, but once they do, the average time until the site is blocked is 7 days. Therefore, if such problems are detected and corrected quickly, the site and its owner are not at risk of blocking.
At the same time, security problems on a site can be identified quickly. For this purpose, 24-hour security monitoring services have been created, which promptly notify the owner of a virus infection or the start of an attack, and also help fix the problem before the site is blocked by search engines.
As for blocking of the site by search engines and the browsers affiliated with them (Chrome, Yandex Browser and Opera), this is what the warning looks like when you try to open a blocked site:
Infection and blocking of a site result in the loss of almost all search traffic and of users who reach the site from popular browsers affiliated with search engines. That means financial losses and a fall in search rankings.
Use Internet security monitoring and site protection services to be the first to learn about security problems and get help solving them before the site is blocked by search engines.
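An added example (not from the article or from SiteSecure): a file-integrity check that records a SHA-256 manifest of the web root alongside the backup (section 5) and compares later snapshots against it, so a defacement or an injected file is noticed within minutes rather than after a search engine blocks the site (section 7). All paths and file contents are constructed for the demonstration.

```python
"""Web-root integrity check: build a SHA-256 manifest of a site's files and
compare later snapshots against it to detect defacement or injected files.
Added example, not part of the original article; paths are constructed."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Return added, modified and removed paths between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Simulate a defacement on a constructed site and report the changes."""
    with tempfile.TemporaryDirectory() as root:
        site = Path(root)
        (site / "index.html").write_text("<h1>Welcome to the shop</h1>")
        (site / "css").mkdir()
        (site / "css" / "main.css").write_text("body { color: #333 }")
        # Keep this baseline off-host, next to the backup, so an intruder cannot alter it
        baseline = build_manifest(site)
        # Constructed incident: main page replaced, stray file dropped, stylesheet removed
        (site / "index.html").write_text("<h1>Defaced</h1>")
        (site / "unknown.php").write_text("constructed stray file")
        (site / "css" / "main.css").unlink()
        return diff_manifests(baseline, build_manifest(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice, run the comparison from a scheduled job against a manifest stored outside the web server, and treat any unexpected entry as the trigger to restore from backup and investigate.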
I deliberately did not address the requirement for password protection, since a lot has been written about it and there is nothing new to say.
In general, there are a dozen or more requirements for protecting a site and for complying with the legislation, but knowing and following at least these, and using complex passwords, removes from your site many of the Russia-specific risks of being blocked and hacked.
Proof links: