firm_website
Differences
This shows you the differences between two versions of the page.
firm_website [2019/08/09 18:31] – neil
firm_website [2021/07/06 09:26] (current) – external edit 127.0.0.1
Line 2: Line 2:
  
 ====Key points: ==== ====Key points: ====
-  * [[#Secure your DNS: it's critical|Secure your DNS: it's critical]] +  * [[firm_website#Secure your DNS: it's critical|Secure your DNS: it's critical]] 
-  * [[#Host it (physically) in a suitable jurisdiction|Host it (physically) in a suitable jurisdiction]] +  * [[firm_website#Host your server (physically) in a suitable jurisdiction|Host your server (physically) in a suitable jurisdiction]] 
-  * [[#Keep your software up to date|Keep your software up to date]] +  * [[firm_website#Keep your software up to date|Keep your software up to date]] 
-  * [[#Encrypt traffic between your visitors and your website|Encrypt traffic between your visitors and your website]] +  * [[firm_website#Encrypt traffic between your visitors and your website|Encrypt traffic between your visitors and your website]] 
-  * [[#Take backups|Take backups]] +  * [[firm_website#Configure your site to be as secure as you can|Configure your site to be as secure as you can]] 
-  * [[#Be careful with contact forms and text entry fields|Be careful with contact forms and text entry fields]] +  * [[firm_website#Take regular backups, automatically|Take regular backups, automatically]] 
-  * [[#Control who can post content to your website|Control who can post content to your website]] +  * [[firm_website#Be careful with contact forms and text entry fields|Be careful with contact forms and text entry fields]] 
-  * [[#Your firm's website and Tor|Your firm's website and Tor]]+  * [[firm_website#Control who can post content to your website|Control who can post content to your website]] 
 +  * [[firm_website#Your firm's website and Tor|Your firm's website and Tor]] 
 +  * [[firm_website#Assess third party Javascript before embedding it in your site|Assess third party Javascript before embedding it in your site]]
  
 ====Secure your domain name: it's critical ==== ====Secure your domain name: it's critical ====
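Review bot: two of the rewritten key-point links in this hunk will not resolve to their sections. `[[firm_website#Secure your DNS: it's critical|Secure your DNS: it's critical]]` targets an anchor called "Secure your DNS", but the heading at the end of the hunk reads `====Secure your domain name: it's critical ====`, and `[[firm_website#Host your server (physically) in a suitable jurisdiction|...]]` targets "suitable jurisdiction" while the heading in the next hunk is renamed to "Host your server (physically) in a suitable country". Either rename the headings or change the link targets so the anchor text matches the heading text exactly; as written, readers clicking the first two key points land at the top of the page rather than the section.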
Line 44: Line 46:
 If not, and you have to give them your password, change the password once they have made the changes. If not, and you have to give them your password, change the password once they have made the changes.
  
-====Host it (physically) in a suitable country====+====Host your server (physically) in a suitable country====
  
 Different countries afford different protections, so host your website on a server in a country which affords you sufficient protections. Different countries afford different protections, so host your website on a server in a country which affords you sufficient protections.
  
 If you are using a third party to host your website, they should be established in a safe country too. If you are using a third party to host your website, they should be established in a safe country too.
- 
-If in doubt, hosting in the EU (including the UK!) is likely to be sensible. 
  
 [[https://www.mythic-beasts.com|Mythic Beasts]] offers UK-based hosting at reasonable prices. [[https://www.mythic-beasts.com|Mythic Beasts]] offers UK-based hosting at reasonable prices.
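Review bot: deleting "If in doubt, hosting in the EU (including the UK!) is likely to be sensible." leaves the section with no criterion for what "sufficient protections" or a "safe country" means, yet it still recommends a UK host in the very next line. Either restore a sentence giving the reader a way to judge a jurisdiction, or state why the UK provider is being recommended, so the Mythic Beasts suggestion has a visible basis. The new heading also says "suitable country" while the key-points entry in the previous hunk says "suitable jurisdiction"; pick one wording for both.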
Line 58: Line 58:
 The more complex the software stack on which your website is running, the greater the opportunities for bugs or exploits.  The more complex the software stack on which your website is running, the greater the opportunities for bugs or exploits. 
  
-Keep an eye on updates to the software, and test and deploy quickly.+Keep an eye on updates to the software, and test and deploy quickly. You are probably better of enabling automatic updates if this is an option. There is a risk that an update might be incompatible with something you are doing with your site, and so automatically upgrading might cause problems, but you are more likely to have problems if you do not update your software.
  
 If you are using a third party to run your website, or you are hosting it on someone else’s platform, check out their policy on applying software updates. If you can, enter into a service level arrangement which sets out how and when they patch their servers, at both the operating system level and the application level (i.e. the web server software itself, as well as the software on which that web server software runs). If you are using a third party to run your website, or you are hosting it on someone else’s platform, check out their policy on applying software updates. If you can, enter into a service level arrangement which sets out how and when they patch their servers, at both the operating system level and the application level (i.e. the web server software itself, as well as the software on which that web server software runs).
 +
 ====Encrypt traffic between your visitors and your website ==== ====Encrypt traffic between your visitors and your website ====
  
-Just as you would look for a [[secure_browsing#Check for a padlock, but it doesn't mean you're connecting to the right site|padlock]] on a website you are browsing, offer the same to your potential clients.+Just as you would look for a [[secure_browsing#Check for a padlock, but it doesn't mean you're connecting to the right site|padlock]] on a website you are browsing, offer the same to your potential clients, so that traffic to your website is encrypted. 
 + 
 +===Configure encryption === 
 + 
 +Set up your server so that visitors can connect to your website securely. 
 + 
 +Exactly how you do this depends on how your website is set up, but it usually entails: 
 + 
 +  * installing a digital certificate. Doing this is easy and cheap (free, if you use [[https://letsencrypt.org|Let’s Encrypt]], for which there is the excellent [[https://certbot.eff.org|certbot]] tool for configuration and management).  
 +  * changing your web server's configuration, to load the certificate and offer an encrypted connection. 
 +  * opening an additional port in your firewall, to allow traffic on port 443. 
 + 
 +If your website hosting provider offers "automatic SSL" or "automatic TLS", this is probably a way to set up an encrypted connection. 
 + 
 +If you run your own server, the easiest way to get this up and running is to use a free [[https://letsencrypt.org|Let’s Encrypt]] certificate, which you can install through the [[https://certbot.eff.org|certbot]] tool. 
 + 
 +===Renew your certificate automatically === 
 + 
 +A common failing when using an encryption certificate for a website is failing to renew it. If you do not renew it before it expires, visitors to your website will see an error message, which you do not want. 
 + 
 +LetsEncrypt certificates expire after three months, and, if you use certbot to install a LetsEncrypt certificate, it should handle renewals automatically. If you supplied an email address as part of the configuration process, you should get an email shortly before the certificate expires; for the first renewal at least, keep an eye on the site at the time the certificate expires, to check it has renewed automatically correctly. 
 + 
 +If you do not have a LetsEncrypt certificate, you will need to remember to buy a new certificate from whichever company is providing your certificate, and then download it and install it on your web server. 
 + 
 +===Redirect unencrypted connections to encrypted connections === 
 + 
 +In addition to setting up your server to offer an encrypted connection, make a further change so that visitors are automatically redirected to the secure version of your site. 
 + 
 +This means that, even if they access the insecure version of your website (http:), they will be automatically redirected to the secure version (https:), without them needing to do anything. 
 + 
 +If you use certbot to install a LetsEncrypt certificate, it will ask you during the installation of your first certificate if you want it to make the changes to your web server's configuration to do the redirection automatically. If you do not know what you are doing, this is probably a sensible thing to do. 
 + 
 +==== Configure your site to be as secure as you can ==== 
 + 
 +You can increase the security of your site, and lessen the risk of malicious or inadvertent compromises, by configuring the information which your site sends to a visitor in the background. These are not changes to the content of your pages, but rather some initial, behind the scenes, instructions. 
 + 
 +The easiest way to start is to visit [[https://securityheaders.com|securityheaders.com]] or [[https://observatory.mozilla.org|observatory.mozilla.org]] and put in your site's URL. It will assess your site, based on this background information, and give you a grading. More helpfully, it tells you (roughly) what you need to do to improve.
  
-Doing this is easy and cheap (free, if you use [[https://letsencrypt.org|Let’s Encrypt]], for which there is the excellent [[https://certbot.eff.org|certbot]] tool for configuration and management).+{{::screenshot_2019-08-23_at_20.09.08.png?400|}}
  
-It is hard to see how you could comply with your legal and regulatory obligations if you did not do this if you collect personal data on your website (such as through a contact form).+You implement these changes by configuring the "headers" which your web server sends, and you can normally do this either by changing your web server's configuration, or else on a directory-specific basis through using special file in the directory, called .htaccess.
  
-Once you have set up this encrypted connection, change your website configuration so that visitors are automatically redirected to the secure version of your site.+Make sure you test your site thoroughly after making changes, to make sure things work correctly. This is especially true if you load things (such as font, or images, or plugins) from third party locations, and lock down your settings (such as the "content security policy" header) to restrict what can be loaded from where. The easiest way of testing your site is by using [[tor|TorBrowser]], as this will ensure you are not loading content from your normal browser's local storage.
  
-==== Take backups ====+==== Take regular backups, automatically ====
  
-Ensure you have an accessible, tested backup of your firm's website. If you update your site regularly, consider automating your backups, so that you don't have to think about it (if you have to think about it, you'll probably forget to do it).+Ensure you have an [[backups|accessible, tested backup of your firm's website]]. If you update your site regularly, consider automating your backups, so that you don't have to think about it (if you have to think about it, you'll probably forget to do it).
  
-If your hosting provider decides to close shop unexpectedly, you can get back up and running far more quickly if you have a tested backup available.+If your hosting provider decides to close shop unexpectedly, or your website gets hacked, you can get back up and running far more quickly if you have a tested backup available.
  
 ==== Be careful with contact forms and text entry fields==== ==== Be careful with contact forms and text entry fields====
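Review bot: the renewal advice in "Renew your certificate automatically" contradicts the paragraph before it. It tells the reader to "keep an eye on the site at the time the certificate expires", but the preceding paragraph says that once the certificate has expired visitors already see an error, and the same paragraph says an email arrives shortly before expiry; suggest "check the site when the reminder email arrives, and in any case a few days before the expiry date, to confirm the renewal has already happened". Smaller points in the same hunk: "You are probably better of enabling automatic updates" should read "better off"; "through using special file in the directory, called .htaccess" needs "a special file"; "such as font, or images, or plugins" should be "fonts". The firewall bullet could also say explicitly that port 443 is for the https connection, since the bullet list is the only place the port number appears and readers of this section may not know what it is for.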
Line 91: Line 128:
 Give every person who can post content their own unique username, and the most restrictive set of permissions which let them do their job. Give every person who can post content their own unique username, and the most restrictive set of permissions which let them do their job.
  
-Make sure that access is secured by https.+Make sure that access is [[#Encrypt traffic between your visitors and your website|encrypted]].
  
 If your web host offers it, enable [[two-factor_authentication|two-factor authentication]]. If your web host offers it, enable [[two-factor_authentication|two-factor authentication]].
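Review bot: the new link `[[#Encrypt traffic between your visitors and your website|encrypted]]` uses the bare `#anchor` form, whereas the first hunk changed every key-point link to the `[[firm_website#...]]` form; use the same form here so the two styles do not diverge within one revision. The target heading text does match the section heading, so only the prefix needs aligning.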
firm_website.1565375462.txt.gz · Last modified: 2021/07/06 09:26 (external edit)