Websites are your online shop window, or in fact your business itself. But unfortunately, just like a physical business and other software applications, your website is vulnerable to attack. In fact over 90,0000 websites are hacked every day. You might think that the bad guys are not interested in small business websites, but unfortunately you’d be wrong. Smaller websites tend to be softer targets, as there are generally fewer security precautions in place for the bad guys to penetrate. In fact, many of the features that make websites popular and engaging (such as plug-ins, social media links and more pages) increase the attack surface available to hackers. As 60% of all website traffic today comes from internet “bots”, many attacks are automated, so size doesn’t matter in this case. Not all bots are bad (some are search engine crawlers, for example) but far more are malicious. Another group of attackers are “script kiddies”: unskilled individuals who simply download toolkits from the web and set out to crack random sites with obvious vulnerabilities.
In essence, websites are just another software application like email or an accounting package, albeit one residing in a more public domain and whose purpose is to attract strangers. Accordingly, they have a similar range of weaknesses to other software applications, and a similar range of defensive measures you can take. We have further articles about cyber security on our website.
In this article we will look at the most common types of attack and how you prepare your defences. Please be aware that this is not an exhaustive list, just the most common. The immediate response of a website owner to an attack on their website is often to blame the hosting company. But in many cases there are many things the owner (or their representative) can do. So, like any project, tackle the easy-to-fix flaws first.
1. Protect Logon Credentials
User names and passwords are the most common means used to access websites, both for administrators and users. But like all passwords they can be cracked, providing the bad guys with access to your site. According to Panda Security, “81% of attacks are based on insecure or stolen passwords”. We have watched (via security software) an attack in progress on one of our client’s websites as someone or something tried to obtain administrator access. The attack ceased after about 30 unsuccessful attempts; only a small attack, but this was for a small website with little confidential data. So here are some actions to defend against unauthorised access:
• Change all default logon details and do not use “Admin” as a user name;
• Require complex passwords or pass-phrases on the website – at least 8 characters with upper and lower case characters and special characters;
• Limit the number of login attempts;
• Use two factor authentication for administrator access; and
• For WordPress sites use a different logon address from the standard mywebsite.com/wp-access. By using a different login address you make it just that bit more difficult for the bad guys to start a hack.
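The “limit the number of login attempts” point above, worked through as an added example (not code from the original article or from any of the products it mentions): a small guard that counts failed logins per client address and locks that address out once the limit is hit, so an automated run like the 30-attempt probe described above stops after the fifth guess. The credential store, the addresses and the thresholds are constructed for the example; a real site would store salted password hashes rather than the plain text used here to keep the block short.

```python
import hmac
import time
from collections import defaultdict

MAX_ATTEMPTS = 5          # failed attempts allowed inside one window
WINDOW_SECONDS = 900      # 15-minute sliding window for counting failures
LOCKOUT_SECONDS = 1800    # once the limit is hit, refuse the source for 30 minutes

# Constructed credential store (username -> password), plain text only for brevity.
USERS = {"site_owner": "Correct-Horse-Battery-9"}


class LoginGuard:
    """Tracks failed logins per client address and refuses further attempts
    after MAX_ATTEMPTS failures within WINDOW_SECONDS."""

    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable clock so the logic is testable offline
        self.failures = defaultdict(list)   # addr -> timestamps of recent failures
        self.locked_until = {}              # addr -> epoch seconds when the lockout ends

    def is_locked(self, addr):
        return self.locked_until.get(addr, 0) > self.clock()

    def _prune(self, addr, now):
        # Forget failures older than the window so an old mistake does not count forever.
        cutoff = now - WINDOW_SECONDS
        self.failures[addr] = [t for t in self.failures[addr] if t > cutoff]

    def attempt(self, addr, username, password):
        """Returns 'ok', 'denied' or 'locked'. The lockout is checked before the
        password, so a locked-out source learns nothing about the credentials."""
        now = self.clock()
        if self.is_locked(addr):
            return "locked"
        self._prune(addr, now)
        expected = USERS.get(username, "")
        # Constant-time comparison avoids leaking how much of the guess matched.
        if expected and hmac.compare_digest(expected.encode(), password.encode()):
            self.failures.pop(addr, None)   # a good login clears the counter
            return "ok"
        self.failures[addr].append(now)
        if len(self.failures[addr]) >= MAX_ATTEMPTS:
            self.locked_until[addr] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
```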
2. Implement Effective Access Controls
Many websites, like other software applications, enable different levels of privileges to be assigned to different groups of users based on the activities they need to undertake. By restricting user access levels, the damage that could be done by an unauthorised person can be contained. For example, the standard set of access rights for WordPress sites is Administrator, Editor, Author, Contributor and Subscriber. Only a very few people should have full administrator rights to your website, with a few more having editor and author rights, and the majority of users only being able to post their own content or having read-only access.
3. Secure Sensitive Data
Sensitive data such as personal information, passwords, credit card numbers and health records should be encrypted both at rest and in transit. However, the most common flaw is often simply not encrypting sensitive data at all, or, when encryption is employed, using weak key generation and management and weak algorithms and protocols.
HTTPS or Hypertext Transfer Protocol Secure is the standards based response to this issue. HTTPS encrypts your data both at rest and in transit. When you connect to an HTTPS secured server the web browser checks the website’s security certificate and verifies it was issued by a legitimate certificate authority. This mechanism both secures your website and informs the user (via their browser) that it is secured.
Despite Google encouraging the uptake of HTTPS by penalising websites that don’t use it, we still see many websites that have not implemented this relatively simple precaution.
A word of warning though: some clever people have established fake sites and protected them with HTTPS. As a result, just because a website is showing as secure, it does not mean that this is the site you intended to visit.
4. Protect Against Software Vulnerabilities
Like all software, website applications contain software vulnerabilities (security flaws or glitches) that can be exploited by the bad guys. Modern software applications are built from multiple smaller pieces of software (such as plugins, open source code and frameworks). The bad guys may choose to attack one of these 3rd party components and use it as a way to spread infections or cause a data breach. This approach was blamed for a 2017 breach at Equifax, where a security patch was not applied to Apache Struts2 and gave the bad guys access to 143 million records. More recently, and on a significantly smaller scale, we took over support of a local organisation’s website that was based around a WordPress plugin. The bad guys attacked and infected the plugin at source with their malware, which subsequently infected the 100,000 users of the plugin, including our client’s website!
There are a number of actions you can take to protect against this type of attack:
- Minimise the number of pieces of 3rd party software you use, such as plugins, and / or only use 3rd party software from reputable providers;
- Keep all software up to date and regularly install security patches. Apparently only 40% of WordPress websites are running the most current version!
- Run security software such as Wordfence, SiteLock or Rapid7 that helps detect and repel attacks; and
- Regularly back up your website in order to have a restore point if all else fails!
5. Design out SQL Injections
We’re getting a bit more technical with this one, but SQL injection attacks are one of the most common ways of penetrating websites. Most websites use Structured Query Language (SQL) to interact with their data and provide functions such as create, retrieve, update, and delete database records. This technique is used for everything – from logging in a user to recording an ecommerce transaction.
In an SQL injection attack the attacker places an unexpected query in a web form with the intention of getting the application to run it. When successful, these types of attack can inject malicious or spam posts into a site, steal customer information or bypass authentication to gain full control of the website. SQL injection attacks can be automated, allowing hackers to attack thousands of websites, testing different types of attack until they are successful.
These types of attack can be rebuffed at the design phase by:
• Keeping data separate from commands and queries;
• Using a safe API, which avoids the use of the interpreter entirely;
• Only accepting parameterised queries and stored procedures; and
• Validating untrusted inputs with a white list approach.
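The first three design points above (keeping data separate from commands, using a safe API, accepting only parameterised queries) and the fourth (white-list validation), shown side by side as an added example that is not code from the original article. It uses Python’s built-in sqlite3 module against a constructed in-memory user table: the vulnerable login splices form input into the SQL text, so the “bypass authentication” outcome described above occurs; the parameterised version passes the same input as data and rejects it; the validated version adds a white list on the username as a second layer.

```python
import re
import sqlite3


def make_db():
    # Constructed stand-in for the site's user table (password hash value is a placeholder).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('site_owner', 'hash-of-real-password')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    # Data is spliced into the command text, so the input can change the query's meaning.
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn, username, password_hash):
    # Placeholders keep data separate from the command: the driver binds the values,
    # so they are never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone() is not None


# White list: the only shape a username is allowed to have (constructed policy).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def login_validated(conn, username, password_hash):
    # Reject anything outside the white list before touching the database,
    # and still use the parameterised query underneath.
    if not USERNAME_RE.match(username):
        return False
    return login_parameterised(conn, username, password_hash)
```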
6. Prepare for Denial of Service (DoS/DDoS)
A denial of service attack floods a website with a huge amount of Internet traffic, causing its servers to become overwhelmed and crash. In a DoS attack one computer system is responsible for the attack on the victim, whilst in a distributed denial of service attack many, sometimes thousands, of computers attack the victim website. Most of these attacks are carried out using computers that have been compromised with malware, and owners of the infected computers may not even be aware that their machine is sending requests for data to your website. Although there is an increasing array of sophisticated attack methods around these days, at a simple level anyone with basic knowledge can buy a “DDoS service” on the internet for around $100.
Denial of service attacks can be mitigated by:
- Rate limiting your web server’s router;
- Adding filters to your router to drop packets from dubious sources;
- Dropping spoofed or malformed packets;
- Using firewalls with DDoS protection; and
- Using third-party DDoS mitigation software from organisations such as Akamai, Cloudflare, or Arbor Networks.
How should you address these issues?
Security is not a one-shot activity, but ongoing over the life span of your website. The issues we have discussed above fall into different phases of a website’s life cycle as follows:
- At the design and build phase, securing sensitive data and preventing SQL injections should be addressed;
- Policies and processes should be used to manage logon credentials and specify access controls; while
- Technical operations should protect against software vulnerabilities and DDoS attacks.
There may be several unrelated parties involved in the development, hosting and maintenance of your website, and each may not be fully aware of the responsibilities of the others. Consequently you, as the website owner, need to ensure that appropriate security measures are properly implemented.
When a client talks to us at PAAC IT about their website intentions, we have a discussion about website security – their perception of risk, the impact of down time and of course their budget. As a result of the discussion we implement security protocols that meet our client’s requirements. We revisit these discussions over the course of a project and a website lifecycle.
We trust that you have found this article of interest and understand that there is a lot more to a functional website than just the online appearance. Click here to read our 4 stages to an effective website.
Need some help? Call us on 01428 770 2090 or use our query form at the bottom of our website page.