We have encountered another hacking incident and confidential information of our clients was put at risk. We are slowly recovering from the occurrence, and now we are looking for an efficient and comprehensive vulnerability scanner. I hope this is not an odd question to ask here, but do you have any suggestions? Preferably one that you have actually used in your system.
What type of service are you offering your customers? Design? Development? Hosting? All of the above? If you have a website where users can store/send sensitive information, you had better have an SSL cert just for starters. If you already have that set up, you can test your cert and server setup at: SSL Server Test (Powered by Qualys SSL Labs). Your site score should look something like this: After you get the SSL certs sorted, you should have a look at a decent firewall for your server. If you don't have access to your server and someone else is providing that for you, I would seriously look at switching hosts.
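An added example, not the poster's own setup, of what the SSL Labs test above is actually grading: an nginx configuration with the weak settings an old shared host often ships next to the corrected version. The two halves are alternatives, not meant to be loaded together. The hostname, certificate paths and web root are placeholders, and the cipher list follows the widely published "intermediate" recommendations rather than anything from the thread.

```nginx
# ---------- BEFORE: plain HTTP still served, legacy protocols and ciphers ----------
server {
    listen 80;
    server_name example.com;                 # hypothetical hostname
    root /var/www/example;                   # hypothetical web root
}
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/certs/example.com.crt;    # hypothetical paths
    ssl_certificate_key /etc/ssl/private/example.com.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # SSLv3/TLS1.0 drag the grade down
    ssl_ciphers ALL:!aNULL;                      # allows RC4, 3DES, export suites
    root /var/www/example;
}

# ---------- AFTER: port 80 only redirects, TLS 1.2+ with modern ciphers ----------
server {
    listen 80;
    server_name example.com;
    # Every http:// request becomes a permanent redirect to https://
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate     /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;           # all listed suites are strong; let clients pick

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;                 # tickets would undo forward secrecy if the key leaks

    ssl_stapling on;                         # OCSP stapling, checked by SSL Labs
    ssl_stapling_verify on;

    # Tell browsers to stop trying http:// at all (two years, in seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    root /var/www/example;
}
```

Check the file with `nginx -t` before reloading, then re-run the SSL Labs test; the protocol and cipher lines are the ones that move the score, the redirect and the HSTS header are what keep users off plain HTTP in the first place.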
Retina Network Vulnerability Scanner may be suitable for @Keara Morse's inquiry. It can detect security issues in networks, web applications and other areas. It is an efficient scanner.
How much does that cost? I did a search for the scanner and it looks like a paid product. I won't be submitting my information to them for a free trial, I get enough spam as it is.
Probably too late. But asking about security scanners is about like asking how to build the site in the first place and which tools to use. If I tell you what code editor I use, are you going to be able to write code with it? And if you find the source of the exploit, do you have the capabilities to fix it? Most stuff is pretty basic, and the people targeting you are looking for basic stuff. Hopefully you are using something like WordPress and you can simply go through your list of add-ons and update them (as well as the base system). If there are no recent updates, then Google the add-on for vulnerabilities and consider replacing anything which has been abandoned. There are also a lot of canned services you can use to do all this for you (for WordPress); Google for those as well. If you're not using something like WordPress, then your code will need custom fixes. By posting this question here, I'm assuming that might be outside your area of expertise. If you can't fix problems, then you probably won't find the vulnerabilities to begin with. Your best bet would be to hire someone to do all of this for you. If you can't afford to hire someone, then perhaps it's not valuable to have the client data accessible in your web server. Maybe look at Upwork.
Yeah, I saw this link about Retina. The offer seems great, but you are right, this is a paid product and I won't throw cash at it if it's unreliable and unproven.
Look at your server logs at the GET commands during the time you were hacked and see what the hacker used as a GET command to get access to your users' information. Hackers look in obvious places and craft their commands to see if there is a particular program running and what the location of the files is. Getting an SSL certificate is a must for any company and is a recurring expense that adds a layer of security between the client's browser and your server's input. Setting your server up for SSL can be as simple as moving the server files into the protected SSL directory on the server. Simple redirects from http to https can replace existing http files, and customer input stays on the server rather than going out onto the internet to an email address, even though your email may use an https server. Also use a find-and-replace function in your HTML editor to replace http: with https:. It is necessary on all the pages and elements, or else the viewer will get a 404 error for that item of code. You can determine who has access to your files and privileges by setting the CHMOD for your sensitive files. Your FTP program has these capabilities, and a good explanation is at: How to change permissions (chmod) of a file « HostGator.com Support Portal. Get acquainted with your server logs and get an SSL certificate. shakey
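The log review this post recommends, as an added example that is not the poster's code: a small Python script that reads access-log lines in the common Apache/nginx "combined" format, percent-decodes each request path, and flags the probes an attacker makes while locating software and files (traversal sequences, WordPress/phpMyAdmin admin pages, dotfiles and backups, SQL injection fragments). It reports which probes the server actually answered with a 2xx/3xx, which is where to look for the access the post describes. The sample log lines and the indicator patterns are constructed for the example; extend the patterns with paths that exist on your own site.

```python
"""Triage a web server access log for probing requests.

Added example, not from the thread. Assumes the Apache/nginx "combined"
log format. SAMPLE_LOG and INDICATORS are constructed for illustration.
"""
import re
from collections import Counter
from urllib.parse import unquote

# combined format: ip ident user [time] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Hypothetical indicator set: things people request while mapping a server.
INDICATORS = [
    ("path_traversal", re.compile(r"\.\./|\.\.\\")),
    ("admin_probe", re.compile(r"/(wp-login\.php|wp-admin|phpmyadmin|xmlrpc\.php)", re.I)),
    ("secret_file", re.compile(r"/(\.env|\.git/|config\.php|backup|\.sql\b)", re.I)),
    ("sql_injection", re.compile(r"(union\s+select|or\s+1=1|'\s*--|sleep\()", re.I)),
    ("webshell", re.compile(r"\.(php|phtml|jsp|asp)\S*\?.*\b(cmd|exec)=", re.I)),
]

# Constructed sample: two normal visitors and one address probing, then succeeding.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2016:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2016:10:01:05 +0000] "GET /images/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2016:10:02:11 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "curl/7.47"
198.51.100.7 - - [12/Mar/2016:10:02:12 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "curl/7.47"
198.51.100.7 - - [12/Mar/2016:10:02:13 +0000] "GET /.env HTTP/1.1" 404 512 "-" "curl/7.47"
198.51.100.7 - - [12/Mar/2016:10:02:20 +0000] "GET /download.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1827 "-" "curl/7.47"
198.51.100.7 - - [12/Mar/2016:10:02:31 +0000] "GET /clients.php?id=1%27%20UNION%20SELECT%20email,password%20FROM%20users-- HTTP/1.1" 200 40211 "-" "curl/7.47"
192.0.2.44 - - [12/Mar/2016:10:03:00 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode twice so a double-encoded ../ (%252e%252e%252f) is also caught.
    rec["decoded_path"] = unquote(unquote(rec["path"]))
    return rec


def classify(rec):
    """Names of every indicator matching the decoded request path."""
    return [name for name, pat in INDICATORS if pat.search(rec["decoded_path"])]


def triage(lines):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if not tags:
            continue
        findings.append({
            "ip": rec["ip"],
            "time": rec["time"],
            "method": rec["method"],
            "path": rec["decoded_path"],
            "status": rec["status"],
            "tags": tags,
            # A 2xx/3xx on a probe means the server answered it; start there.
            "succeeded": rec["status"] < 400,
        })
    return findings


def top_sources(findings, n=5):
    """Most active source addresses among the findings."""
    return Counter(f["ip"] for f in findings).most_common(n)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for f in found:
        flag = "HIT " if f["succeeded"] else "miss"
        print(f"{flag} {f['ip']:15} {f['status']} {','.join(f['tags']):15} {f['path']}")
    print("top sources:", top_sources(found))
```

Run it against a real file with `triage(open("access.log"))`; the 404s show what the attacker was looking for, and the two answered requests in the sample (the traversal read of a system file and the UNION SELECT against the client table) are the kind of line this post says to look for.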