Website Security: A Q&A With Ivanti’s Andrew Ariotti
It’s no secret that websites aren’t immune to cyberattacks—denial-of-service attacks, data breaches, brute-force login attempts, malicious payload exploits, undetected malicious bots, and more. In conjunction with October’s focus on National Cybersecurity Month, we reached out in a Q&A format to Andrew Ariotti, Ivanti’s senior manager of web marketing, for his take on the challenges associated with keeping Ivanti’s websites secure.
What are your primary responsibilities and goals as Senior Manager of Ivanti’s web team?
AA: My overall responsibility is to manage the content and development of all customer-facing websites for Ivanti. The primary focus is around the Ivanti website, as well as the translated versions (currently in 10 languages). I also manage the search engine optimization (SEO) for our websites, which includes working with several SEO agencies located around the globe. My team consists of content producers and developers that are the ones that make things happen. Outside of managing the team, I’ll dabble here and there from time to time on the content creation side and development. Development is scary, though, since I’ve been out of it for so long.
What do you see as the primary challenges / concerns / worries / pain points concerning the Ivanti websites across the globe and how they pertain to the protection, stability, and growth of Ivanti?
AA: A company’s website is the public’s first impression of the organization. That creates a massive amount of pressure on myself and my team to make sure that our messaging is spot on and the experience is a good one. A bad experience for prospective customers could sour their impression of Ivanti. With this in mind, security and stability are some of the most important things we focus on. Downtime isn’t an option these days, so we have put everything in place that we can to prevent it. I’m pleased to report that since the launch of Ivanti’s site we’ve achieved nearly 100% uptime!
When it comes to cyberattacks on websites, what are you most concerned about?
AA: I think the biggest concern is always around the stability of the site, and preventing any type of attack that could harm the image of the company. Routine maintenance, patching, load balancing, data backups, reviewing analytics and broken links, etc., are all part of stability. Obviously, there are many forms of cyberattacks, but stability of the site is the one that keeps me up at night.
As a follow-on question, cyber-attackers don’t typically target individual sites manually because it’s tedious and time-consuming. They rely on automation such as bots that scrape lists of websites and check for a range of common vulnerabilities that can be easily exploited. What strategies and tools are you and your team employing to strengthen website security?
AA: A few months after launching our website we knew that we needed a security layer to prevent all of the common attacks on our website. We weighed our options and landed on Cloudflare as our security platform to cover the areas that we were concerned about. Once we brought it to our security and IT teams they were on board with the initiative. Since implementation we’ve been happy with the solution and feel like we’ve developed a world-class integration to provide the highest level of security.
Concerning the need to protect the administrator interface and other backend elements of the Ivanti website from brute-force attacks, is this something Cloudflare helps with?
AA: Since we don’t have any sort of login on our marketing sites, we are generally protected from any brute force attacks that could target us. Most of those we leave behind the firewall here at Ivanti. Cloudflare does have several things in place to help prevent brute force attacks, but an intelligent system is the best way to prevent them.
Using insecure or simple passwords for the website’s administrator interface, FTP, or control panel can also lead to websites being compromised. What role does password management play with regard to Ivanti’s websites?
AA: Secure passwords are key and should be second nature for everyone at this point! Luckily we have two-factor authentication on everything that we run to keep us a little more safe. Changing passwords frequently is the best way to avoid having your internet accounts accessed. As far as Ivanti’s websites, we employ the same system that IT uses for single-sign-on (SSO) so that we have that extra protection and one less password to remember.
With regard to the best practice of testing website security, what learnings and insights are you able to share with readers?
AA: Find the right tools and price point that fit the needs of the organization. There are a lot of options out there, and the competition will never stop. Look for a good provider that delivers the layers of security you need and make sure you have a good backend developer like I have to implement it!
Are visitors or users of the Ivanti websites, such as the Community site, allowed to upload files for certain reasons? If so, what security risks might this pose?
AA: I don’t have a ton of exposure to the Community site, but I know that they do allow their users to upload text files and screenshots. Whenever the ability to upload files is an option there will always be a risk involved. Currently we are using Salesforce Communities to power our community/forums, which provides layers of security behind their system on top of Cloudflare.
What has your professional journey been like to get where you are today, and how has your role changed over the years?
AA: Since the AOL days I’ve always been obsessed with the internet. When web browsers became a thing, I dug into the HTML that made those pages work. When I was in high school, I looked for every technical class I could and landed on a class in web design. After graduating from Weber State University in Computer Science, I worked in web development in several jobs and eventually landed at LANDESK (now Ivanti) in 2013. The team was much smaller then—just myself and another backend developer. We wore lots of hats, which came with a lot of growth and learning. Along the way, I always enjoyed the project management side of the web so when the manager role opened, I went for it! I’ve been managing for a few years now and have enjoyed every minute. I have a great team, and great support from my manager and our amazing CMO.
What’s something you’ve done in your life that you’re particularly proud of?
AA: That would have to be my three beautiful children for sure—two boys that love the things I do (sports and video games) and a daughter that is full of energy. They are definitely my biggest accomplishments that continue to impress me every day.
Tell us a little about your name; its origin; who named you and why that name.
AA: I had to look it up, but apparently “Andrew” is of Greek origin. It was a pretty popular name in the 80s, so I imagine that had a lot to do with it. All of my siblings’ names are pretty standard, nothing too crazy. In asking my mom she said, “We just liked the name. A good, old-fashioned Bible name.” Upon some research, I’m not sure it is actually a Bible name. I love my mom regardless!