Dumaguete Info Search


Looking for a Website Scanner

Discussion in 'Science and Technology' started by Keara Morse, Dec 13, 2016.

  1. Keara Morse

    Keara Morse DI New Member

    Messages:
    10
    Trophy Points:
    3
    Ratings:
    +4 / -0
    Blood Type:
    O+
    We have encountered another hacking incident and confidential information of our clients were put at risk. We are slowly recovering from the occurrence and now we are looking for an efficient and comprehensive vulnerability scanner. I hope this is not an odd question to ask here but do you have any suggestions? Preferably one that you have actually used in your system.
     
  2. Robboy

    Robboy DI New Member

    Messages:
    13
    Trophy Points:
    48
    Ratings:
    +6 / -0
    First question is what platform are you using? If it's wordpress use wordfence plugin.
     
  3. Rye83

    Rye83 with pastrami Secured Account Highly Rated Poster SC Connoisseur Veteran Army

    Messages:
    10,607
    Trophy Points:
    451
    Occupation:
    Electronic Warfare
    Location:
    Herat
    Ratings:
    +12,088 / -11
    Blood Type:
    O+
    What type of service are you offering your customers? Design? Development? Hosting? All of the above?

    If you have a website where users can store/send sensitive information you had better have an SSL cert just for starters. If you already have that set up you can test your cert and server setup at:
    SSL Server Test (Powered by Qualys SSL Labs)
    Your site score should look something like this:

    Screenshot_20161214-220959.png
    :shades:

    After you get the SSL certs sorted you should have a look at a decent firewall for your server. If you don't have access to your server and someone else is providing that for you I would seriously look at switching hosts.
     
  4. SpringYellow

    SpringYellow DI Junior Member

    Messages:
    45
    Trophy Points:
    23
    Ratings:
    +11 / -0
    Blood Type:
    A+
    Retina Network Vulnerability Scanner can be suitable to @Keara Morse's inquiry. It can detect security issues in network, web and others. It is an efficient scanner.
     
    Last edited by a moderator: Dec 16, 2016
  5. Rye83

    Rye83 with pastrami Secured Account Highly Rated Poster SC Connoisseur Veteran Army

    Messages:
    10,607
    Trophy Points:
    451
    Occupation:
    Electronic Warfare
    Location:
    Herat
    Ratings:
    +12,088 / -11
    Blood Type:
    O+
    How much does that cost? I did a search for the scanner and it looks like a paid product. I won't be submitting my information to them for a free trial, I get enough spam as it is.
     
  6. TheDude

    TheDude DI Forum Patron Highly Rated Poster

    Messages:
    1,908
    Trophy Points:
    351
    Ratings:
    +1,449 / -5
    Probably too late. But asking about security scanners is about like asking how to build the site in the first place and which tools to use. If I tell you what code editor I use, are you going to be able to write code with it?

    And if you find the source of the exploit, do you have the capabilities to fix it?

    Most stuff is pretty basic and the people targeting you looking for basic stuff. Hopefully you are using something like Wordpress and you can simply go through your list of add-ons and update them (as well as the base system). If there are no recent updates, then Google the add-on for vulnerabilities and consider replacing anything which has been abandoned. There are also a lot of canned services you can use to do all this for you (for Wordpress) - Google for those as well.

    If you're not using something like Wordpress then your code will need custom fixes. By posting this question here, I'm assuming that might be outside your area of expertise. If you can't fix problems, then you probably won't find the vulnerabilities to begin with.

    You're best bet would be to hire someone to do all of this for you. If you can't afford to hire someone, then perhaps it's not valuable to have the client data accessible in your web server. Maybe look at Upwork.
     
    • Agree Agree x 1
  7. OP
    OP
    Keara Morse

    Keara Morse DI New Member

    Messages:
    10
    Trophy Points:
    3
    Ratings:
    +4 / -0
    Blood Type:
    O+
    Yeah I saw this link about Retina. Offers seems great but you are right this is a paid product and I wont throw cash if its unreliable and unproven.
     
  8. shakey

    shakey DI Junior Member Veteran Navy

    Messages:
    48
    Trophy Points:
    38
    Occupation:
    economic refugee
    Location:
    Sibulan
    Ratings:
    +74 / -0
    Look at your server logs at the Get commands during the time you were hacked and see what the hacker used as a Get command to get access to your users information. Hackers look in obvious places and craft their commands to see if there is a particular program running and what is the location of the files.

    Getting a SSL certificate is a must for any company and is a recurring expense that adds a layer of security between the clients browser and your servers input. Setting your server up for SSL can be as simple as moving the server files into the protected SSL directory on the server. Simple redirects from http to https can replace existing http files and customer input stays on the server rather than going out into the internet to an email address even though your email may use an https server.

    Also use a find and replace function in your html editor to replace http: with https:. It is necessary on all the pages and elements or else the viewer will get a 404 error for that item of code.

    You can determine who has access to your files and privileges by setting the CHMOD for your sensitive files. Your FTP program has these capabilities and a good explanation is at: How to change permissions (chmod) of a file « HostGator.com Support Portal

    Get acquainted with your server logs and get an SSL certificate.

    shakey
     
    • Like Like x 1
    Last edited: Jan 4, 2017
Loading...