
How to Perform a Security Audit: 11 Things to Put on Your Checklist (plus, the best tools you could use)

by Adriana Cacoveanu on May 22 2020

So, you need to do a quick risk assessment of your site. How do you perform a security audit?

Are there any quick and easy (and effective) things that you can do to evaluate your website and to detect any security risks lurking in there?

And what are some of the tools that you could use?

Here are the answers to all the dilemmas stemming from your main question:

"Security auditing: what to do?"

1. But First: What Is a Security Audit Report?

What do we mean by "audits" in this context?

  • pentests
  • regular security assessments
  • "security posture" tests
  • auditing logs

And what is a security audit report, more precisely?

What Is a Security Audit Report? (Source: searchcio.techtarget.com)

In short: when you run a security audit you evaluate your website's performance in relation to a list of criteria.

And, more often than not, you'd want to include other types of security diagnosis in your workflow, as well:

  • penetration testing: where you (or an expert in your team) simulate the actions of a potential hacker, performing several attacks on your website to test its resilience
  • vulnerability assessment: where you try to identify any security weaknesses

2. What Tasks Should You Put Into Your Security Audit Checklist? Top 11

What should you do in your regular security audits? 

What security audit procedures to include?

We've put together a list of 11 steps to put on your checklist. So, when conducting a security audit the first step is to:

2.1. Determine the Assets that You'll Be Focusing On

Set the scope of your audit:

Which are the high priority assets that you'll be scanning and monitoring?

For example, your list could include key assets like:

  • sensitive customer and company data
  • internal documentation
  • IT infrastructure

You can't expect to future-proof your website's improved level of security if you're going to keep using the same vulnerable IT equipment, right?

Next, you'll want to set your security perimeter, as well:

What are the things that your audit will cover and those that should be skipped?

2.2. List Out Potential Threats

You can't build a shield around your website against a "no-name" threat, right?

You need to go ahead and name those threats, so you know what to look for and how to adapt your future security measures:

Here are just some examples of security threats that you might want to put on your list:

  • negligent employees using weak passwords for sensitive company data
  • malware
  • phishing attacks
  • denial of service attacks
  • malicious insiders

2.3. Assess the Current Level of Security Performance

Another key step to put on your security audit checklist.

Your team could be using the strongest passwords. They could be sticking to rigorous security procedures and best practices.

And yet, they might not be informed about the latest methods that hackers use to infiltrate systems...

A good evaluation of your organization's current security performance will help you pinpoint weak links like that one.

2.4. Set Up Configuration Scans

Using a higher-end scanner will help you:

  • detect security vulnerabilities
  • assess the hardening of the PCs

Are anti-malware/anti-spyware programs installed? Is encryption turned on? Have any settings been changed "temporarily"?

Therefore, keep in mind to run some configuration scans, too, when you do a security audit. They make a great "ally" for spotting any config mistakes that people in your team might have made.

2.5. Keep an Eye on Reports (Not Just on the Urgent Alerts)

As you put all your focus on urgent alerts, you might be tempted to underestimate the value of the reports generated by your auditing tools.

Now, that's one risky thing to do.

Instead, you'd want to keep an eye on those reports, for they can be a tremendous source of valuable information.

"Information" that might look non-alarming to you now, but which — with time, if a suspicious activity becomes routine — can turn into a major threat.

One that you'd miss by... neglecting to go through your reports.

2.6. Monitor DNS for any Unexpected Changes

Are there any signs of sloppiness when it comes to the credentials used for your domain?

The quicker you identify them, the lower the security risk.

2.7. Run Daily Scans of Your Internet-facing Network

As you audit your website's security, you'll want to be alerted (on a daily basis, if possible) about any "surprising" changes.
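Items 2.6 and 2.7 come down to the same habit: keep a known-good snapshot and compare today's answers against it. The script below is an added example (not code from the original post or from OPTASY) that does exactly that, once for DNS records and once for the ports your daily external scan reports as reachable. The zone example.com, the record values and the port lists are constructed sample data; only the diff logic is meant to be reused.

```python
"""Detect drift from a known-good baseline for DNS records and exposed ports.

Added example, not part of the original post. All snapshots below are
constructed sample data for the hypothetical zone example.com; in a real
audit the "current" snapshot is filled from today's resolver answers and
from the output of your daily external port scan.
"""
from typing import Dict, List, Set, Tuple

# key -> set of observed values, e.g. "example.com NS" -> {"ns1.example.net."}
Snapshot = Dict[str, Set[str]]
Change = Tuple[str, str, str]  # (key, "added" | "removed", value)


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> List[Change]:
    """Return every value that appeared or disappeared since the baseline.

    Values are compared as sets, so reordered answers are not reported, but a
    new nameserver, a newly open port or an altered TXT value is.
    """
    changes: List[Change] = []
    for key in sorted(set(baseline) | set(current)):
        before = baseline.get(key, set())
        after = current.get(key, set())
        changes.extend((key, "added", v) for v in sorted(after - before))
        changes.extend((key, "removed", v) for v in sorted(before - after))
    return changes


def format_report(title: str, changes: List[Change]) -> str:
    """Human-readable summary; an empty change list is stated explicitly."""
    if not changes:
        return f"{title}: no drift from baseline"
    lines = [f"{title}: {len(changes)} change(s)"]
    lines += [f"  {key}: {kind} {value}" for key, kind, value in changes]
    return "\n".join(lines)


# --- Constructed DNS snapshots (item 2.6) --------------------------------
DNS_BASELINE: Snapshot = {
    "example.com A": {"203.0.113.10"},
    "example.com MX": {"10 mail.example.com."},
    "example.com NS": {"ns1.example.net.", "ns2.example.net."},
    "example.com TXT": {"v=spf1 include:_spf.example.net -all"},
}
# "Today": an extra nameserver appeared and the SPF policy was loosened.
DNS_TODAY: Snapshot = {
    "example.com A": {"203.0.113.10"},
    "example.com MX": {"10 mail.example.com."},
    "example.com NS": {"ns1.example.net.", "ns2.example.net.", "ns9.unknown.example."},
    "example.com TXT": {"v=spf1 include:_spf.example.net +all"},
}

# --- Constructed port snapshots (item 2.7) -------------------------------
PORTS_BASELINE: Snapshot = {
    "www.example.com": {"80/tcp", "443/tcp"},
    "vpn.example.com": {"443/tcp"},
}
# "Today": SSH became reachable on the web host.
PORTS_TODAY: Snapshot = {
    "www.example.com": {"22/tcp", "80/tcp", "443/tcp"},
    "vpn.example.com": {"443/tcp"},
}


def dns_changes() -> List[Change]:
    return diff_snapshots(DNS_BASELINE, DNS_TODAY)


def port_changes() -> List[Change]:
    return diff_snapshots(PORTS_BASELINE, PORTS_TODAY)


if __name__ == "__main__":
    print(format_report("DNS", dns_changes()))
    print(format_report("Exposed ports", port_changes()))
```

Keeping the baseline file under version control turns every approved change into a commit, so an unexpected nameserver or a newly reachable port shows up as a diff nobody committed.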
 

2.8. Mirror Your Website

Why is this a "must" task to include in your security auditing plan?

Because by mirroring your website you spot some otherwise hard-to-access files and directories.

You'd be surprised at how many valuable:

  • internal IP addressing schemes
  • email addresses and phone numbers of people in your team
  • code-related comments
  • software versions
  • server names

... you can find in those comment fields.
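Reading through a mirrored copy for the details listed above is tedious to do by hand. The script below is an added example (not code from the original post) that scans the HTML comments of every mirrored page for private IP ranges, contact details, version strings, internal hostnames and leftover developer notes. SAMPLE_HTML is a constructed page, the suffix list in the hostname pattern (.internal, .local, .corp, .lan) is an assumption, and scan_directory expects the folder your mirroring tool produced.

```python
"""Scan a mirrored copy of your own site for details leaked in HTML comments.

Added example, not part of the original post. SAMPLE_HTML is a constructed
page; `scan_directory` is meant to be pointed at the folder produced by
your site mirror (the `wget --mirror` output, for instance) to run the same
checks over every page of a real copy.
"""
import re
from pathlib import Path
from typing import Dict, List

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)

# One pattern per category from the checklist: internal addressing, contact
# details, software versions, server names, plus leftover developer notes.
PATTERNS = {
    "private_ipv4": re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
    ),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # ten or more digits with optional separators, so dotted IPs do not match
    "phone": re.compile(r"\+?\d(?:[\s().-]*\d){9,}"),
    "version": re.compile(r"\b(?:version|v)\s*[:=]?\s*\d+(?:\.\d+){1,3}\b", re.IGNORECASE),
    # internal suffixes are an assumption; extend with your own naming scheme
    "hostname": re.compile(r"\b[a-z][\w-]*\.(?:internal|local|corp|lan)\b", re.IGNORECASE),
    "dev_note": re.compile(r"\b(?:TODO|FIXME|HACK|XXX)\b"),
}


def scan_html(html: str) -> List[Dict[str, str]]:
    """Return one finding per pattern hit inside any HTML comment."""
    findings: List[Dict[str, str]] = []
    for m in COMMENT_RE.finditer(html):
        comment = m.group(1)
        for kind, pattern in PATTERNS.items():
            for hit in pattern.finditer(comment):
                findings.append({
                    "kind": kind,
                    "match": hit.group(0).strip(),
                    "comment": " ".join(comment.split())[:80],  # collapsed excerpt
                })
    return findings


def scan_directory(root: str) -> Dict[str, List[Dict[str, str]]]:
    """Run scan_html over every .htm/.html file under root (the mirror)."""
    results: Dict[str, List[Dict[str, str]]] = {}
    for path in sorted(Path(root).rglob("*.htm*")):
        found = scan_html(path.read_text(errors="replace"))
        if found:
            results[str(path)] = found
    return results


# Constructed page with the kinds of comments that tend to survive a deploy.
SAMPLE_HTML = """<!doctype html>
<html><head><title>Shop</title>
<!-- Generated by SiteGen version 4.2.1 on build-01.corp -->
</head><body>
<!-- TODO: remove before launch. Staging DB at 10.0.5.12,
     ask jane.doe@example.com or call +1 555 010 9999 -->
<p>Welcome</p>
<!-- plain layout note, nothing sensitive -->
</body></html>
"""


def sample_findings() -> List[Dict[str, str]]:
    return scan_html(SAMPLE_HTML)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f['kind']:13} {f['match']!r:32} in: {f['comment']}")
```

Each finding keeps a collapsed excerpt of the comment it came from, so the report can be handed straight to whoever owns that template for clean-up.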

2.9. Perform an Internal Vulnerability Scan

How? By opting for an enterprise-level vulnerability scanner.

What it does is install an agent on each computer in your organization, that will monitor their... vulnerability level.

How often should you run this type of scan? 

Monthly or quarterly would be great.

2.10. Run Some Phishing Tests

You'll want to set up a routine of sending out fake phishing emails to people in your team.

It's still the most effective type of cybersecurity training that you could give your team:

  • they get a close-to-real-life experience of a phishing attack
  • they can assess their own vulnerability to scenarios where they'd give hackers access to sensitive information (by clicking on links or attachments in a phishing email)

2.11. Monitor Your Firewall's Logs

Watch for any inconsistent or unusual behavior in your firewall.
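To make "inconsistent or unusual behavior" concrete, the added example below (not code from the original post) runs three defender-side checks over firewall log lines: a source that was blocked on many distinct ports, connections accepted on ports the host is not supposed to expose, and sources that were blocked and also had a connection accepted. The log layout, the host name fw01, the addresses and EXPECTED_PORTS are all constructed assumptions; adapt LINE_RE to your firewall's export format.

```python
"""Flag unusual patterns in firewall logs.

Added example, not part of the original post. SAMPLE_LOG is a constructed
log in a generic "action src= dst= proto= dport=" layout; adapt LINE_RE to
the export format of your own firewall. EXPECTED_PORTS is an assumption
about which services the audited host is meant to expose.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<action>ACCEPT|DROP|REJECT)\s+"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+"
    r"proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)\s*$"
)

EXPECTED_PORTS: Set[int] = {80, 443}  # assumed allow-list for the web host


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines: Iterable[str], expected_ports: Set[int],
            sweep_threshold: int = 5) -> Dict[str, list]:
    """Three checks worth an analyst's attention, plus lines that did not parse.

    - sweeps: sources blocked on at least `sweep_threshold` distinct ports
    - unexpected_accepts: accepted connections to ports outside the allow-list
    - probed_then_accepted: sources blocked at least once that also got accepted
    """
    blocked_ports: Dict[str, Set[int]] = defaultdict(set)
    accepted: List[Tuple[str, int]] = []
    unparsed: List[str] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                unparsed.append(line.strip())  # never silently drop a line
            continue
        port = int(rec["dport"])
        if rec["action"] == "ACCEPT":
            accepted.append((rec["src"], port))
        else:
            blocked_ports[rec["src"]].add(port)
    return {
        "sweeps": sorted(src for src, ports in blocked_ports.items()
                         if len(ports) >= sweep_threshold),
        "unexpected_accepts": sorted({(src, port) for src, port in accepted
                                      if port not in expected_ports}),
        "probed_then_accepted": sorted({src for src, _ in accepted if src in blocked_ports}),
        "unparsed": unparsed,
    }


# Constructed sample: one source tries six closed ports and then reaches 443,
# one normal visitor, one connection to an unexpected port, one stray line.
SAMPLE_LOG = """\
2020-05-20T02:14:03Z fw01 DROP src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=21
2020-05-20T02:14:03Z fw01 DROP src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=22
2020-05-20T02:14:04Z fw01 DROP src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=23
2020-05-20T02:14:04Z fw01 DROP src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=25
2020-05-20T02:14:05Z fw01 DROP src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=445
2020-05-20T02:14:05Z fw01 DROP src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=3389
2020-05-20T02:14:09Z fw01 ACCEPT src=198.51.100.7 dst=203.0.113.10 proto=tcp dport=443
2020-05-20T02:15:00Z fw01 ACCEPT src=192.0.2.33 dst=203.0.113.10 proto=tcp dport=443
2020-05-20T02:15:30Z fw01 ACCEPT src=192.0.2.55 dst=203.0.113.10 proto=tcp dport=8080
2020-05-20T02:16:00Z fw01 DROP src=192.0.2.90 dst=203.0.113.10 proto=udp dport=53
2020-05-20T02:16:10Z fw01 ACCEPT src=192.0.2.33 dst=203.0.113.10 proto=tcp dport=80
fw01 restarted logging daemon
"""


def sample_report() -> Dict[str, list]:
    return analyze(SAMPLE_LOG.splitlines(), EXPECTED_PORTS)


if __name__ == "__main__":
    for name, items in sample_report().items():
        print(f"{name}: {items}")
```

The unexpected-accept check is the one that catches configuration drift: a port that is reachable but not on your allow-list is either a rule somebody forgot to remove or a service nobody knew was listening.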

3. What Are Some of the Best Security Auditing Tools You Can Use? Top 5

Now that you have a plan put in place you need some tools to carry it out, right?

We've done our research, put together a list, then narrowed down the options to 5 tools that you should consider evaluating first:

3.1. The OWASP Testing Guide

A step-by-step checklist that'll streamline your manual testing efforts.

Note: running an OWASP Top 10 check is one of those "quick and easy" things that you can do to assess your website's security performance. You'd be testing it for 10 of the most common security risks.

3.2. Burp Suite

What if you wanted to put your security audit on autopilot?

You could go for Burp Suite to manually analyze your website, then run an active scan.

Note: the tool comes in two "flavors", a pro and a free version.

3.3. Nessus

If you're looking for an easy-to-use tool, Tenable's Nessus is the one.

Use it to track down security vulnerabilities on your website. It's effective and it generates some detailed reports.

3.4. Qualys Web App Scans

Its main selling points:

  • great coverage
  • accurate reports

3.5. Rapid7

You might want to try their vulnerability scanner.

And 2 honorable mentions: Rapidfiretools.com and Risksense.

4. Final (Wise) Word

The keyword that best describes an effective security audit is "on-going":

It's definitely not a one-time event, but rather a routine made of several "healthy" habits that you stick to.

A "routine" aimed at helping you formulate a custom set of security solutions:

  • network monitoring
  • data backup
  • employee education and awareness
  • software updates
  • email protection

What if you don't have the resources — the time and the available people in your team — to run a security audit?

We're here to help.

Just drop us a line and let's tailor a security audit checklist that meets your website's specific challenges.

Image by raphaelsilva from Pixabay

