8 criteria to recognize a secure website
by Tina Siering
Why humans are often the greatest vulnerability
The threat level in cyberspace has never been higher. The vast majority of companies and organizations have long since recognized the potential for damage from cybercriminals - and have upgraded accordingly with solid basic protection consisting of a firewall, antivirus software, endpoint protection, as well as intrusion detection systems (IDS) and intrusion prevention systems (IPS). Patch management is an essential part of any administrator's strategy. On the technical side, cybercriminals are therefore often faced with real cyber security bulwarks that can be overcome only with effort, while the path of least resistance leads elsewhere: via the user. Social engineering is the term for this "sub-discipline" of hacking, in which psychological tricks and targeted manipulation are used to exploit human vulnerabilities on a larger scale than ever before.
In addition to criminals posing as customers, suppliers or new colleagues to gain access to secured areas in companies - so-called tailgating - manipulated e-mails, fraudulent websites or messages from fake identities in social networks are used. All it takes here is one ill-considered mouse click and malware lands on the unsuspecting victim's computer. Once a cybercriminal has successfully penetrated a system, he can all too often move laterally through the network without being detected and, for example, copy access data, leak data or encrypt data records with ransomware. The range of possible damage extends from data loss to blackmail attempts to espionage.
The human vulnerability works so well because social engineers exploit the trust of their victims by working at the interpersonal relationship level, where they can most easily manipulate their victims emotionally. To do this, the attackers combine psychology and technology: they exploit the gullibility and willing trust of their victims, put the targets under time pressure and promise "once-in-a-lifetime opportunities" or threaten consequences if there is no immediate response. Even critical, tech-savvy individuals are not safe from the psychologically trained professionals. Fake websites pose a particular danger. In the hectic pace of everyday work, for example, it is not immediately possible to distinguish a fake online banking website from the original. The same applies to an e-mail from a supposed superior or a perfectly forged text message with a malicious tracking link announcing the delivery of a parcel to the company.
8 criteria: How to tell if a website is reputable
1. A look at the URL
The URL is on the one hand the address of a website on the Internet - and on the other hand an important indicator of authenticity. There is only one letter of difference between www.postbank.de and www.postbamk.de, and a domain can also end in a different extension, such as de.com instead of .de. This small difference is what makes the potential threat. Therefore, always pay attention to the address bar of your browser!
2. No HTTPS for the connection
The letter "s" after "HTTP" (Hypertext Transfer Protocol) in the address bar of your browser shows that the website provides an encrypted connection between your computer and the server. Especially for websites that require the entry of personal data, you benefit from a significantly higher level of data protection. Current browsers mark websites without HTTPS as "insecure". Conversely, this does not mean that pages with HTTPS are automatically secure, because hackers can just as easily create websites with encrypted connections. Always check the address bar to make sure you are really on the website you intended to visit. Before clicking on a link, first just hover your mouse over it. You will then see the link destination in the lower left corner of your browser.
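Criteria 1 and 2 can be applied mechanically before a page is trusted. The following checker is an added example (not code from the original article): it requires HTTPS and compares the host against a constructed allow-list of domains the user actually intends to visit, flagging the one-letter typosquat and the "different ending" trick described above.

```python
from urllib.parse import urlparse

# Constructed allow-list: the domains the user actually intends to visit.
TRUSTED_DOMAINS = ("postbank.de",)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance. A distance of 1 or 2 between two hosts is the
    classic typosquat from the text (postbank.de vs. postbamk.de)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str, trusted=TRUSTED_DOMAINS) -> list:
    """Apply criteria 1 and 2: return a list of warnings, empty if the URL
    uses HTTPS and its host is (a subdomain of) a trusted domain."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower().rstrip(".")
    warnings = []
    if parsed.scheme != "https":                       # criterion 2
        warnings.append("no HTTPS: the connection to %s is not encrypted" % host)
    # Drop a leading "www." so that www.postbank.de and postbank.de compare equal.
    bare = host[4:] if host.startswith("www.") else host
    for good in trusted:                               # criterion 1
        if bare == good or bare.endswith("." + good):
            return warnings                            # genuine host or subdomain
    for good in trusted:
        name = good.split(".", 1)[0]                   # "postbank"
        if bare.split(".", 1)[0] == name:              # postbank.de.com, postbank.com
            warnings.append("%s has the same name as %s but a different ending" % (host, good))
            return warnings
        if edit_distance(bare, good) <= 2:             # postbamk.de, p0stbank.de
            warnings.append("%s is a look-alike of %s" % (host, good))
            return warnings
    warnings.append("%s is not a known domain; verify it before entering data" % host)
    return warnings
```

An empty result only means the two criteria passed; the remaining six checks in the article still apply.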
3. No embedded privacy policy
Any website operator that collects, transmits, uses or processes personal data on its site is required by the GDPR (General Data Protection Regulation) to publish the privacy policy applied on the website. If a website does not list its privacy policy (usually at the bottom of the page), or if the policy's language does not match the language of the website, this may indicate a dubious website. Other warning signs are irregularities in the customer ratings, the terms and conditions or the imprint.
4. Webshops with trust seals
Many web stores include "Trusted Shops" seals to underline their legitimacy. Trust seals awarded by independent institutions are indeed a good indicator of a reputable store. However, even seals should always be checked carefully. If a mouse click on the seal takes you to the page of the institution that awards it, you can assume that the store is trustworthy. If the seal is only a picture, be careful: it was probably copied illegally from the net. In general, check any other seals of approval as well, because fictitious seals are often used. Here, too, you can quickly check the authenticity by clicking on the seal.
5. Beware of fake stores: e.g. pay attention to correct call-to-action buttons
Operators of online stores must adhere to guidelines that precisely define the structure of the store. For example, according to the requirements of the EU Consumer Directive, buttons that trigger an order must be labeled "order/book with obligation to pay" or "buy now". If you end up in a store where the button label is a terse "register", "continue" or "order", you should definitely refrain from placing an order. There is a very high probability that this is a fake store. If conspicuously low offers pile up in a store, you should also take a closer look - scammers use this as a lure! In addition, select only secure payment options. In dubious stores, several payment methods are offered up to the order step, and then suddenly only prepayment, for example in the form of a bank transfer, is accepted for the actual order.
6. Adjusted browser settings
Every common browser offers the option of customizing its individual security functions. For example, scripts can be switched off, cross-site cookies can be prohibited or fingerprinters can be blocked. Pages that still display correctly despite the increased security settings are mostly also trustworthy. However, security settings that are too strict can also impair the functioning of legitimate sites. This is where a sense of proportion is needed. Some tips: refrain from using active content unless you need it - this applies in particular to technologies such as Java, which are provided by additional plug-ins and are not supported by the browser directly. If necessary, activate them only for trustworthy websites, and enable the browser's integrated mechanisms for phishing and malware protection.
7. Check the legitimacy with tools
Google Safe Browsing is an excellent tool for checking the legitimacy of a website. For this purpose, the URL of the corresponding page is entered into the tool, which then starts an analysis. The tool then provides reliable statements about the security of the page.
8. In case of uncertainty: seek direct contact
Legitimate online offers have an imprint and the possibility to contact the provider by phone. If you are unsure: call the provider. If the person you speak to can answer your questions competently and comprehensively, it can be assumed that the provider is reputable. If your contact person is unsure, obviously does not know his or her way around and cannot answer your questions satisfactorily, it is better to leave the offer alone. You can be sure that something is wrong with the online presence as well.
Secure surfing: Organizations protect their networks with these measures
The most comprehensive system and network protection possible is based on several IT security layers that should interlock optimally. Protection tools such as firewalls and AV solutions are mandatory as basic protection, as are regular updates of operating systems and software. Targeted patch management closes security gaps and reduces the risk of "open barn doors" in the IT infrastructure. Security audits, consisting of penetration tests and automated vulnerability scanning, should be performed at regular intervals. Compared to penetration testing (e.g., annually), IT vulnerability scanning provides an exact statement about the existing IT security level of the audited infrastructure at much shorter intervals (e.g., monthly or weekly).
Social engineering audits
The purpose of regular social engineering audits is to check the security awareness of your company's employees, specifically the "human vulnerability". The audits put the rules of conduct of all employees of a company in dealing with IT systems to the test - and at the same time are used to uncover weaknesses and sensitize employees to awareness issues. In the course of the audit, concepts are developed that increase the company's internal IT security beyond the technical level.
IR Readiness
In order for companies to be able to react accurately in the event of a cyber attack, they need to be optimally prepared for this emergency. However, the prerequisite for a company's permanent incident response readiness is the development and implementation of a comprehensive cyber defense strategy. This defense strategy enables companies to detect and defend against complex attacks and to preventively increase their security status. With the right IR readiness strategy, organizations are provided with detailed policies, tools and processes to respond appropriately and effectively to a security incident.
Managed Detection and Response (MDR) Solution
With our Active Cyber Defense (ACD) service, we enable you to protect against the consequences of cybercrime by detecting and identifying attackers on your network before they do any kind of damage. ACD is a fully managed security service that proactively and continuously analyzes networks for anomalies, identifying attackers' communications with their Command & Control servers (C&Cs). You do not need to maintain your own personnel resources for permanent monitoring and incident detection. Our IT security analysts monitor your IT infrastructure around the clock for conspicuous activity and inform you immediately if action is required. ACD is implemented entirely as an on-premise solution. The Active Cyber Defense service enables networks to be actively, proactively and permanently secured. All systems within a network are monitored at all times - from desktop computers to cell phones and tablets to IoT devices.
Conclusion
Despite all its advantages, the Internet is also always a place of potential danger. Employees in companies should therefore be sensitized through awareness training so that they can distinguish between legitimate websites and fake offers. To minimize the technical risk, basic protection tools such as firewalls and AV solutions are essential, as is the timely patching of security gaps. Regular vulnerability scans and penetration tests give companies a comprehensive picture of how well their IT security is positioned to deal with real attacks - and the opportunity to make adjustments before the worst happens. With individually tailored incident response readiness, companies have policies and processes in place to handle security incidents appropriately. The recommended actions represent optimal preparation for an emergency. Prevention by means of early attack detection through active threat hunting is also important to achieve the highest level of network security: With ACD, Allgeier secion offers such an effective and efficient "Managed Detection and Response" service.