
Authentication: Website authentication can be done by using a user ID and password, by using social
sign-in (Facebook, mail) or by using biometrics (fingerprints, face). Authentication means verifying that
users are who they claim to be and granting permission ...

Authenticate users and processes to ensure appropriate access control decisions both within and
across domains. Authentication is the process by which a system establishes the validity of a
transmission or message, or verifies the eligibility of an individual, process, or machine to carry out a
desired action, thereby ensuring that security is not compromised by an untrusted source. Adequate
authentication is essential to implementing security policies and achieving security goals.
Implications: an authentication service is needed for users and application processes.

External website security

However, there are hackers who conduct criminal activity for the excitement and joy of it. These are
some of the most dangerous kinds, particularly if they succeed in gaining control over any aspect of your
website or eCommerce procedure. For example, hackers may want to simply destroy all of your records
and personal information, infect your customers' computers or replace all of your content with another
message. Destroying your reputation online is well within the abilities of someone who has gained access
to your site, so there's more than your customers' money and personal information at stake.

Keep Yourself Updated – You need to make sure that you and your team don't fall behind when it
comes to recognizing and understanding modern hacking threats. Even if you only have basic knowledge
of what is possible, you can take steps to prevent it. Follow updates on dedicated websites and blogs.
Updating your security software is also extremely important: if you fail to update your software
regularly, you are extremely vulnerable to the most recent hacker techniques and malware.

Tighten Up Access Control – The administration levels of your website offer the most potential for
damage. Good ways to limit access are to cap the number of login attempts within a certain time, set
up alerts to notify you whenever someone tries to access your admin levels, and never send login
details via email or other 'hackable' formats.
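The login-attempt limit and admin-access alert recommended above, as an added example (not code from the original document): a sliding-window throttle in Python. The limits, account names and IP addresses are constructed sample values.

```python
import time
from collections import defaultdict, deque

# Added example, not from the original document. Sample limits are constructed.
MAX_FAILURES = 5            # failed attempts tolerated per account ...
WINDOW_SECONDS = 300        # ... within this sliding window
ADMIN_ACCOUNTS = {"admin"}  # constructed: accounts whose every attempt raises an alert


class LoginThrottle:
    """Counts failed logins per account in a sliding window and alerts on admin attempts."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, alert=None):
        self.max_failures = max_failures
        self.window = window
        self.alert = alert or (lambda message: None)   # e.g. send mail / page on-call
        self.failures = defaultdict(deque)              # account -> failure timestamps

    def _prune(self, account, now):
        # Drop failures that have aged out of the window.
        q = self.failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, account, now=None):
        now = time.time() if now is None else now
        self._prune(account, now)
        return len(self.failures[account]) >= self.max_failures

    def attempt(self, account, password_ok, source_ip, now=None):
        """Record one login attempt and return 'ok', 'denied' or 'locked'."""
        now = time.time() if now is None else now
        if account in ADMIN_ACCOUNTS:
            self.alert(f"admin login attempt for {account} from {source_ip}")
        if self.is_locked(account, now):
            return "locked"          # refuse before the password is even checked
        if password_ok:
            self.failures[account].clear()
            return "ok"
        self.failures[account].append(now)
        if self.is_locked(account, now):
            self.alert(f"{account} locked: {self.max_failures} failures within "
                       f"{self.window}s, last from {source_ip}")
        return "denied"


if __name__ == "__main__":
    alerts = []
    throttle = LoginThrottle(alert=alerts.append)
    for i in range(6):                       # six bad passwords in quick succession
        print(throttle.attempt("alice", False, "198.51.100.7", now=1000 + i))
    print(alerts)
```

Because a lockout keyed only on the account name can be triggered by anyone who knows a username, deployments usually pair it with a per-source limit and let the lockout expire, as the sliding window here does.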

A Web Application Firewall – A web application firewall (WAF) can be based in either software or
hardware and it sits between your website server and the data connection itself. A WAF will read every
single piece of information which passes through it.

Hide Admin Pages – If you don't want your admin pages to be indexed by search engines, use your
robots.txt file. That will ensure they aren't listed in search engines, which can make them much, much
harder for hackers to find in the first place. Remember: hackers can't attempt to gain entry to
something if they can't find it.

Remove Form Auto-Fill – When you leave auto-fill enabled for forms on your website, you can leave it
extremely vulnerable to attack from any user's computer or phone that might have been stolen, or
illegally accessed. Although this can be extremely useful for some users, you should never allow your
website to suffer attacks as a result of user laziness.

Internal website security

Internal IT security is not always related to malicious employees, but is just as commonly the result of
well-meaning employees accidentally deleting important files, failing to update security and otherwise
leaving the entire system open to attack.

Train Employees On Digital Hygiene – By training your employees to avoid spam and 'phishing' emails,
you can hugely increase the day-to-day security of your online presence. Advise all employees not to
interact with suspicious emails, and never to open an email attachment unless they know what it
contains and where it has come from.

Tighten Overall Network Security – Computer users within your business are often the source of easy
access routes for potential threats. Through your employees' workstations, a hacker would be able to
gain access to your website's servers, which can cause lasting damage.

For the best results and highest levels of security, make sure that your employees follow these essential
protocols.

• All logins need to expire after a period of inactivity.
• Passwords need to be changed on a regular basis.
• Ensure that all passwords are strong and are never written down. That means nowhere on the
computer and nowhere in the office itself.

Limit Your Employees' Privileges – An effective way to guard against malicious insiders is to give them
as little access as possible. That means that employees should only have access to the data, systems and
services that they need in order to do their jobs effectively.

Remote access solution

Remote access is the ability to access a computer or a network remotely through a network connection.
Remote access enables users to access the systems they need when they are not physically able to
connect directly; in other words, users access systems remotely by using a telecommunications or
internet connection. People at branch offices, telecommuters and people who are traveling may need
access to their companies' networks.

How remote access works

Remote access is usually accomplished with a combination of software, hardware and network
connectivity. For example, traditional remote access before the wide availability of internet connectivity
was accomplished using terminal emulation software that controlled access over a hardware modem
connected to a telephone network. Now, remote access is more commonly accomplished using a secure
software solution such as a VPN (the software), by connecting hosts through a wired or Wi-Fi network
interface (the hardware), and by connecting via the internet (the network).

Remote access VPNs are used to connect individual users to private networks. With a remote access
VPN, each user needs a VPN client capable of connecting to the private network's VPN server.

When a user is connected to the network via a VPN client, the software encrypts the traffic before it
delivers it over the internet. The VPN server, or gateway, is located at the edge of the targeted network
and decrypts the data and sends it to the appropriate host inside the private network.

Firewall and basic rules recommendations

In a firewall rule, the action component decides whether it will permit or block traffic. It has an
action-on-match feature: for example, if the traffic matches the components of a rule, it will be permitted
to connect to the network. It is essential to consider the potential security risks when modifying a firewall
rule to avoid future issues. Following best practices for configuring firewalls can help you maximize the
effectiveness of your solution.

Each firewall rule should be documented so that it is known what the rule was intended to do. At least
the following data should be tracked:

• The firewall rule's purpose
• The affected service(s) or application(s)
• The affected users and devices
• The date when the rule was added
• The rule's expiration date, if applicable
• The name of the person who added the rule

Establish a formal change procedure

Firewall rules will need to be updated whenever new services and new devices are added. Before adding
or changing any firewall rules, a formal change procedure should be established for all modifications.
The following steps are guidelines for a change procedure:

• Have in place a change request process for users to request modifications to a specific firewall
configuration.
• Have a review process to analyze these modification requests and determine the best course of
action in line with security practices.
• A process to test the modification requests against the production firewall rules.
• A process for deployment of the tested modifications into production.
• A process to validate the new firewall settings to ensure proper operation.
• A process to document all changes so that they are tracked.

Audit logs

Every firewall incorporates a built-in reporting tool with detailed information about your traffic. This
tool helps with auditing logs to look for any changes or anomalies that might indicate modifications to
your firewall settings. When optimizing your firewall, the log data will show which firewall rules are not
being used and which are being triggered. The log data will also show you any "false positives": traffic
that was not supposed to trigger security rules but is doing so anyway. You can change the firewall
rules based on this information to reduce the false positives and improve service.

Firewall rules need reviewing

Networks are constantly changing, gaining new users and new devices. New services and new
applications are being accessed, which means new firewall rules will need to be added. Old firewall
rules will need to be reviewed and deleted if necessary. It is a best practice to set up a regular maintenance
schedule for updating the firewall rules.
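An added example (not the document's own tooling) that puts the rule documentation fields, the log audit and the rule review described above into code: a Python rule inventory checked against constructed firewall log lines to report expired, undocumented and unused rules. The rule IDs, log format and addresses are constructed, not taken from any vendor.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Added example, not from the original document. All rules and log lines are constructed.


@dataclass
class FirewallRule:
    """One rule plus the documentation fields the change procedure requires."""
    rule_id: str
    purpose: str
    services: str          # affected service(s) or application(s)
    users_devices: str     # affected users and devices
    added_on: date
    expires_on: Optional[date]
    added_by: str
    action: str            # "permit" or "deny"


RULES = [
    FirewallRule("R1", "Public web", "tcp/443 to web-dmz", "internet users",
                 date(2023, 1, 10), None, "j.doe", "permit"),
    FirewallRule("R2", "Vendor VPN", "tcp/1194 to vpn-gw", "vendor laptops",
                 date(2023, 3, 2), date(2023, 9, 30), "a.lee", "permit"),
    FirewallRule("R3", "", "tcp/3389 to jump-host", "ops team",      # purpose and owner missing
                 date(2023, 5, 1), None, "", "permit"),
    FirewallRule("R4", "Block legacy telnet", "tcp/23 any", "all",
                 date(2022, 11, 4), None, "j.doe", "deny"),
]

# Constructed log lines in a simple key=value layout; a real firewall's format differs.
SAMPLE_LOG = """\
ts=2024-02-01T09:00:01 rule=R1 action=permit src=203.0.113.5 dst=10.0.1.20 dport=443
ts=2024-02-01T09:00:05 rule=R1 action=permit src=203.0.113.9 dst=10.0.1.20 dport=443
ts=2024-02-01T09:01:11 rule=R4 action=deny src=10.0.5.7 dst=10.0.1.30 dport=23
ts=2024-02-01T09:02:40 rule=R2 action=permit src=198.51.100.3 dst=10.0.2.5 dport=1194
"""


def parse_log(text):
    """Return {rule_id: hit count} from the key=value log lines."""
    hits = {}
    for line in text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split())
        hits[fields["rule"]] = hits.get(fields["rule"], 0) + 1
    return hits


def audit(rules, log_text, today):
    """List (rule_id, finding) pairs for the regular rule review."""
    hits = parse_log(log_text)
    findings = []
    for r in rules:
        if not r.purpose or not r.added_by:
            findings.append((r.rule_id, "undocumented"))
        if r.expires_on and r.expires_on < today:
            findings.append((r.rule_id, "expired"))
        if hits.get(r.rule_id, 0) == 0:
            findings.append((r.rule_id, "unused"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in audit(RULES, SAMPLE_LOG, date(2024, 2, 2)):
        print(f"{rule_id}: {finding}")
```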

Make sure the firewall device is up to date

The firewall device should always be up to date with patches and firmware. If it is not, then it is vulnerable
to attacks and the firewall rules will be useless.

Automation is the key to update any firewall settings

As time passes, new technologies are created which require constant updates to the firewall rules. As a
result of new technologies becoming available, firewall administrators will be flooded with new firewall
modifications. The administrators will need time and resources to analyze these modification requests
and determine the best course of action in line with security practices. This time constraint and lack of
resources can lead to outdated, unused or overly permissive rules. Firewall performance can be
degraded, which can lead to increased malicious attacks.

Wireless security

Unlike wired networks, which have robust security tools—such as firewalls, intrusion prevention
systems, content filters, and antivirus and anti-malware detection programs—wireless networks (also
called Wi-Fi) provide wireless access points that can be susceptible to infiltration. Because they may lack
the same protections as wired networks, wireless networks and devices can fall victim to a variety of
attacks designed to gain access to an enterprise network. An attacker could gain access to an
organization's network through a wireless access point to conduct malicious activities—including packet
sniffing, creating rogue access points, password theft, and man-in-the-middle attacks. These attacks
could hinder network connectivity, slow processes, or even crash the organization's systems.

How can you minimize the risks to Wi-Fi networks?

Network security protocols have advanced to offset the constant evolution of attacks. Wi-Fi Protected
Access 2 (WPA2) incorporates the Advanced Encryption Standard (AES) and is the standard employed
today to secure wireless enterprises. The Wi-Fi Alliance began certifying devices that support Wi-Fi
Protected Access 3 (WPA3), which replaces WPA2. Users should adopt the new standard as WPA3 devices
become available. IT security professionals and network administrators should also consider these
additional best practices to help safeguard their enterprise Wi-Fi networks:
• Deploy a wireless intrusion detection system (WIDS) and a wireless intrusion prevention system
(WIPS) on every network.
• Ensure existing equipment is free from known vulnerabilities by updating all software in
accordance with developer service pack issuance.
• Use existing equipment that can be securely configured.
• Establish multifactor authentication for access to your network. If this is not possible, consider
other secure authentication means beyond a single shared password, such as Active Directory
service authentication or an alternative method (e.g., tokens), to build multifactor authentication
into your network.
• Use Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) certificate-based
methods (or better) to secure the entire authentication transaction and communication.
• Use Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP), a form
of AES encryption used by WPA2 enterprise networks, sparingly. If possible, use more complex
encryption technologies that conform to FIPS 140-2 as they are developed and approved.
• Implement a guest Wi-Fi network that is separate from the main network. Employ routers with
multiple Service Set Identifiers (SSIDs) or engage other wireless isolation features to ensure that
organizational information is not accessible to guest network traffic.

What else can you do to secure your network?

Employing active WIDS/WIPS enables network administrators to create and enforce wireless security by
monitoring, detecting, and mitigating potential risks. Both WIDS and WIPS will detect and automatically
disconnect unauthorized devices. WIDS provides the ability to automatically monitor and detect the
presence of any unauthorized, rogue access points, while WIPS deploys countermeasures to identified
threats. Some common threats mitigated by WIPS are rogue access points, misconfigured access points,
client misassociation, unauthorized association, man-in-the-middle attacks, ad-hoc networks, Media
Access Control spoofing, honeypot/evil twin attacks, and denial-of-service attacks.

VLAN configuration recommendations

Planning a VLAN strategy

Depending on the size of the network, planning a VLAN strategy can be either fairly easy or somewhat
complex. Remember, because each VLAN is also its own sub-network, we have to come up with a VLAN
strategy that makes the most sense in terms of grouping devices. In today's modern networks with
virtualized layer 2 and layer 3 networks, the number of VLANs and layer 3 interfaces that can be
configured on enterprise hardware is in the multiple thousands. Additionally, since inter-VLAN routing
can now be performed at wire speed, there is no noticeable difference between sending/receiving
traffic from devices on the same VLAN vs. different VLANs.

That being said, due to broadcast overhead, it's typically advisable that a single VLAN not have any more
than 500 or so devices. Beyond this you begin to have network congestion problems due to a significant
increase in broadcast traffic on the layer 2 segment. Most network designs call for subnet sizes that
have no more than 250 devices.

Configuring a VLAN and adding a switch port

Let's now move on to how to configure VLAN basics on a Cisco switch. In this example, we will
configure VLAN 80 as our server VLAN. We will then configure switch port 10 to use this new VLAN. Keep
in mind that out of the box, only VLAN 1 is configured on the switch and all switch ports are configured
to use this VLAN.

Configuring a VLAN trunk

In this next example, let's assume that we have two switches that are connected by a single Ethernet
interface: port 20 on both switches. Each switch has been configured with VLANs 1, 2 and 3. The goal is
to trunk only these three VLANs between the two switches. To accomplish this, configure the following
on both switches

Laptop security configuration

An account password is an effective first line of defence, but only if you avoid choosing a commonly
used - and therefore easily guessed - password.

The best way to prevent this is to encrypt your laptop's hard drives. Encrypted drives can only be
accessed after the encryption key is supplied - usually in the form of a PIN, a password or by inserting a
USB stick containing the key.

Publicly accessible networks, such as those offered in airports, conference centres and hotel rooms,
present a particular security risk to laptop users.

Sometimes it can prove difficult to get a VPN connection working, so it's prudent to ensure that any
email program, webmail system or cloud-based email service that you use is configured to use Secure
Sockets Layer (SSL) or Transport Layer Security (TLS). This ensures that both your username and
password, and the contents of your emails, are encrypted as they travel across the internet.

When you connect your laptop to the internet when travelling, you may not be protected by any
security systems your company uses to filter out malicious emails or to keep you from malicious
websites. That can result in hackers exploiting vulnerabilities in the software on your computer to infect
it with malware.

To reduce the chances of this, it is important to check that your computer's operating system and other
software have been updated with the latest security patches.

If you carry a USB memory stick to make backups of your work or store other data, it's important to
make sure that it is as secure as the data on your laptop.

Application policy recommendations

Applications are susceptible to attacks that may result in exposure or modification of sensitive data, or
impact on availability of services to authorized users.

Security and privacy policy recommendations

How customer account activity is tracked

Companies often use cookies to track which websites users are coming from and which websites they
are going to after they've visited the company website. In addition, usage activities can be tracked on
the company website itself. How those cookies are used to track user activities should be explained in
the privacy policy, along with the fact that users can disable cookie tracking if they choose to.
However, before a policy is published to users, legal, compliance, marketing, and IT should define
which user activity patterns are to be tracked and how tracking information is to be used.

How customer information is provided to third parties

Internally, legal, compliance, and IT should develop policies and standards that govern how customer
information will be provided to third parties and what privacy protections will be implemented. In co-
marketing efforts where the customer is informed and can opt out of sharing personal information, the
company might share direct customer information and contact information with business partners. In
other cases, such as data analytics information offered for sale, the company might be required to
anonymize individual customer contacts and information so that data can't be traced back to
individuals.

Data protection and security

Security measures, secure storage, and protection of data for purposes of privacy should be defined as a
policy and as procedures that are activated in IT, which is the custodian of the data. IT practices should
adhere to guidance and standards that are issued from both legal and compliance sources.

Log information

As part of its network management, IT maintains server logs that automatically collect and store details
of how users used company online services; their telephone and/or IP addresses, time of contact,
duration of contact, etc.; the browser type used and the times and dates of their service requests; and
information gathered by cookies on the website. From a privacy standpoint, IT, legal, and compliance
should define how this information is to be used internally, how it is to be protected to guarantee the
privacy and security of individuals using the company website, and under which circumstances it will be
permissible to share this information.

Employee privacy practices

For companies in highly sensitive customer information industries (healthcare, finance, insurance, etc.),
employees may often be required to interact with customers online, by telephone, or in person. During
these times, sensitive information can be shared. Guided by the recommendations of its legal and
compliance departments, the company should have a set of written policies that govern how employees
are to treat customers and their private information, accompanied by training of all employees who are
in customer-facing functions and/or come in contact with sensitive information. Similar privacy policies
and procedures should be enacted for IT personnel who are tasked with managing and accessing private
customer information. As part of this process, IT should maintain extensive logs that track employee, IT,
and business partner access to customer information.

Privacy compliance

Companies should develop policies and procedures that minimally assure annual audits of information
security and privacy of customer and other information critical to the enterprise, with audit cycles
addressing and documenting any changes to existing information privacy practices.

Data retention

IT, together with business user areas, compliance, and legal, should annually review data retention
policies, making and documenting revisions as needed. Data retention specifically addresses how long
sensitive customer history will be maintained in corporate data stores.

Intrusion detection or prevention for systems containing customer data

As network attacks evolve so must network intrusion prevention and detection systems. Now
network intrusion prevention must involve anomaly-detection and application awareness.

IDS vs. IPS

One of the most difficult factors in choosing a network intrusion detection and prevention system is
simply understanding when you need one and what functions it can address. With all the options on the
market for firewalls, application firewalls, unified threat management devices and intrusion prevention
or detection, it's hard to pick apart the features and get a handle on which devices are the most
appropriate for specific functions.

Preventing application threats with network intrusion prevention systems

Applications are increasingly becoming the entry path for serious threats. E-commerce applications, for
example, access internal databases with valuable information, so they are highly targeted.
Unfortunately, traditional network intrusion detection and protection systems are not designed to
protect organizations from application threats.

Installing, configuring and tuning network intrusion prevention

Installing and configuring anomaly-based intrusion prevention devices requires more effort than
signature-based devices. Anomaly-based devices aim to detect and prevent zero-day threats by
detecting network activity that is out of the ordinary. Installing and configuring a system that will
recognize unexpected activity requires an understanding of the activity that is expected. But monitoring
the network for a few hours is not sufficient. In order to avoid false positives, the system must recognize
activity changes that occur over the course of the day and at different times of the month.
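An added example (not from the original document) of why a few hours of monitoring are not enough for an anomaly-based baseline: Python code comparing a flat baseline built from six night-time hours against a per-hour-of-day baseline built from a week of history, both run over constructed connection counts. It covers the time-of-day case only; the month-to-month variation mentioned above would need a longer history keyed the same way.

```python
import statistics

# Added example, not from the original document; all traffic figures are constructed.


def build_history(days=7):
    """Constructed history of (day, hour, connection_count): busy by day, quiet by night."""
    history = []
    for d in range(days):
        for h in range(24):
            base = 900 if 8 <= h < 18 else 60
            history.append((d, h, base + (d * 7 + h * 3) % 40))   # small deterministic jitter
    return history


def flat_baseline(history):
    """One mean/stdev for all samples, ignoring time of day."""
    counts = [c for _, _, c in history]
    return statistics.mean(counts), statistics.pstdev(counts)


def hourly_baseline(history):
    """A separate mean/stdev for each hour of the day."""
    per_hour = {h: [] for h in range(24)}
    for _, h, c in history:
        per_hour[h].append(c)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in per_hour.items()}


def is_anomalous(count, mean, stdev, threshold=3.0):
    """Flag a sample more than `threshold` standard deviations from the baseline."""
    if stdev == 0:
        return count != mean
    return abs(count - mean) / stdev > threshold


def flag(observed, baseline_for_hour, threshold=3.0):
    """observed: list of (hour, count); baseline_for_hour(h) -> (mean, stdev)."""
    return [(h, c) for h, c in observed
            if is_anomalous(c, *baseline_for_hour(h), threshold)]


def compare(observed):
    """Return (flags from a six-hour night-only flat baseline, flags from a weekly per-hour baseline)."""
    history = build_history()
    few_hours = [s for s in history if s[0] == 0 and s[1] < 6]   # "monitoring for a few hours"
    mean, stdev = flat_baseline(few_hours)
    flat_flags = flag(observed, lambda h: (mean, stdev))
    hourly = hourly_baseline(history)
    hourly_flags = flag(observed, lambda h: hourly[h])
    return flat_flags, hourly_flags


if __name__ == "__main__":
    # 02:00 normal, 02:00 spike, 12:00 normal, 12:00 spike
    observed = [(2, 70), (2, 900), (12, 930), (12, 1300)]
    flat_flags, hourly_flags = compare(observed)
    print("few-hours flat baseline flags:", flat_flags)     # normal midday traffic is a false positive
    print("weekly per-hour baseline flags:", hourly_flags)  # only the two real spikes
```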
