The number of security threats are growing on a daily basis, here is some of the information you should take into consideration to help protect your website. Although many website administrators take precautions, hackers are coming up with new and innovative ways to gain access. Many of the popular ways are through Phishing, SQL injections, Cross Site Scripting, Social Engineering and this does not even scratch the surface.
First things first, hackers will try to get into your website through various methods. The first suggestion is to make sure you have a strong password. Your password should be at the minimum, 12 characters, I would suggest longer. A good way to do this is come up with a random sentence that you can remember but would be hard for a hacker to crack, then add some special characters, like maybe a 1 instead of an I or a 3 instead of an E. An example “When I was a kid I loved to ride my Honda motorcycle with my best buddy Tbone” so this is a statement that I could probably remember fairly easily. So, if I was to combine this and put a few special characters with it, this would make a decent and easy to remember password which could be “When1wasak1d!Ilovedtor1demyHondamotorcyclew1thmybestbuddyTbone#1!!!” (Remember Passwords are case sensitive). So now we have created a long password that is easy to remember and just added a few special characters. This would probably take awhile to crack. Slang words or nick names that would not be in a dictionary, are always good to use. Also, don’t use the same password for all of your passwords. Two-Factor Authentication (2FA) is also extremely beneficial to stop hackers and should always be used when possible. This will install on your phone and when logging in to a password protected area you must validate your 2FA before you are able to log in. Google makes a good two-factor authenticator that uses a Time-based One-time Password Algorithm. This way it has a second layer of protection through verifying with your phone.
Below are some examples of how hackers will try to compromise you or your business:
Brute Force Attack
This is usually and automated trial and error attack that is used often to try to guess the user name and password of the admin section of your website. Most of the time these automated attacks have a library of words and often use known passwords and combination of words, letters, and numbers. The automated scripts will run thousands of combinations per second in an attempt to crack your site. To help prevent these type of attacks, use complex (long) passwords. Most common CMS systems such as WordPress have plugins that will blacklist ip addresses that fail to login more than a specific number of times, of course the hacker can randomly spoof ip addresses, but adding these plugins or writing a script to do this will definitely make it more of a challenge. On a side note, never use know admin names as the user, such as “admin”, “administrator”, or even your company name, don’t use something that would be easy to guess.
Outdated CMS or Plugins
This happens with CMS systems such as WordPress, Joomla, Drupal, etc.. If you run your website is on a CMS platform, you should always keep your core software, themes, and plugins up to date. Most updates contain security fixes and if the software that is being updated has a known vulnerability, this means the hackers know this also. So many times hackers will scan the web to find sites using these outdated resources, knowing the vulnerability and are then able to utilize this to hack your site. So make sure that you are keeping these up to date at all times and if available set these up to update automatically.
SQL Injections are very common and many times much easier to perform than other hacking methods and there are various tools available to assist with this. Most websites utilize SQL (Structured Query Language) databases to perform many tasks from showing the webpage content, to making user changes, or even updating images. Everything is driven from the SQL database and served up to the user in the browser. Hackers utilize website forms to perform a series of tasks to figure out the construct of your database and build on that to the point that they are able to gain access. The hacker will do this by injecting crafted SQL commands into web forms, search boxes, session ids, and even HTTP headers.
SQL injection attacks can be prevented by correctly filtering user input. Most programming languages have special functions to safely handle user input that is going to be used in an SQL query. If a hacker acquires access to a site’s SQL database, he may steal, erase, or insert information including user names and passwords. It is always good practice to use CAPTCHA or Google’s reCAPTCHA to help eliminate bot submissions.
Cross-site request forgery (CSRF)
Many hackers will use cross-site forgery to exploit websites. This is done by forcing end users to execute unwanted actions which can give unauthorized commands and transmit them from the user who has permissions to be logged in, such as a member website or blog website. CSRF attacks are also conducted using malicious social engineering techniques, like emails or blog links that gets users to click, which initiates the sending of a forged request from that user to the server. These hackers use other various methods such as using hidden forms to transmit forged commands, AJAX, and also sometimes image tags can even be used. CSRF attacks can be used for unauthorized fund transfers, data theft, or even password changes, among other things. The best way to prevent these is logging out of applications on your server when you are done, don’t leave them on tabs running in the background, also not allowing browsers to retain passwords can help prevent these attacks. Another method to block these attacks is to generate unique random tokens for every user session request or ID. These are subsequently checked and verified by the server. Session requests having either duplicate tokens or missing values are then blocked.
Cross Site Scripting (XSS)
This is used with various other hacking methods and is used by hackers to seek out ways to exploit users or admins of the companies website to gain information that can help them gain access. This is a manipulation technique and can come in many different types of forms. They could contact you saying they were a company hired by your firm to check security and ask a series of questions, or tell you that they, know you are running a specific version of a CMS system and they found a security breach and want to help you fix it. The tactics are endless. The most recent Social Engineering hack was the Twitter hack, where able to send tweets out from over 100 high profile accounts. Just remember, if someone calls or emails and something does not seem right, it probably isn’t.
Distributed Denial of Service (DDoS) attacks and DOS (Denial of Service) attacks aim to disrupt your website and affect overall sales. These attacks flood your servers with numerous requests until they finally overload your server to the point that it crashes. There are many third party providers who can provide anti-DDoS hardware and software modules to ensure this does not happen.
Phishing attacks are a form of social engineering, there are many different variations of Phishing and can pose a real threat. Everyone gets spam and it can be used for many different purposes by hackers. Many times these look like legitimate emails from banks or even co-workers and can be very onvincing. These are called phishing scams and works very well. These attacks generally target stealing intellectual property, acquiring sensitive information, stealing money, accessing passwords, infections within the corporate infrastructure with malware, and can really cause serious damage. These attacks traditionally come through email but are not limited. Below are just a few other variations of Phishing:
Spear Phishing – This attack is much more strategic and personal. These emails generally target specific individuals, which the hacker has done research about them and can be very specific with their tactics. They usually also pick individuals who they know could result in financial gain or trade secrets. Then they develop a strategy that will trick that user or users into going to a website. These can be incredibly convincing and seem legit. The scary part is everyone is vulnerable, in fact, hackers used a Spear Phishing attack on the Democratic National Committee and were able to gain 50,000 emails, gain access to the DNC network using credentials from the attack and allegedly penetrated over 30 computers which allowed them to steal several gigabytes of sensitive data and they installed malware that allowed them to maintain the network to continue to steal information including screenshots, keystrokes, and data from the network.
Whaling – These attacks are targeted much like Spear Phishing, but these target the whales or senior leaders of the companies they are attacking. Since these targets hold higher positions within the company typically have complete access to sensitive data. Most often the goal of these attacks is through social engineering, get the whale to disclose sensitive information. Hackers are willing to spend more time on these attacks because the payoffs can be much larger. They generally gather as much personal data and research on these individuals to come up with very sophisticated and convincing methods to get access to the information they are wanting.
Smishing – This is when hackers utilize SMS or text messages to send to phone in order to launch an attack. These often will lead to fake sites and give an incentive such as a free one time special, but you have to put your credit card information in to qualify. This is just another tactic of phishing but using the phone and text to scam their victims.
Vishing – This is a different type of phishing than the others, this is done through phone calls. Have you ever had “the IRS call and tell you that you owe money?” this is vishing. Most of these scams will try to get you to buy gift cards in order to pay or get your banking information.
There are many other types of Phishing schemes out there, these are just a few and new ones come out daily. If something is too good to be true, it normally is!
You should always encourage employees of all levels to verify the veracity of urgent, unexpected messages through all communication channels, when in doubt, pick up the phone and call the person or company that is sending you the urgent message, if they call you, ask who they are with and tell them you will call their company. Unfortunately these days, you have to make sure you make smart decisions so you do not fall into one of these types of traps.