From Home Depot and Target to major breaches like Equifax, in which 143 million customers of the credit reporting service had their personal and financial information stolen, hackers continually develop new methods to gain access to websites and, more importantly, to user information, through a wide range of technologies and devices. According to the 2016 ITRC report:
- Businesses were the target of 40% of the security breaches (312 breaches).
- Medical and Healthcare entities made up 35.4% of data breach targets (276 breaches).
- Government or military targets made up 8.1% of cybersecurity breaches (63 breaches).
- Educational institutions accounted for 7.4% of data breaches (58 breaches).
In 2016, hackers not only increased their use of phishing attacks by 38%, according to “Key findings from the Global State of Information Security® Survey 2017” by PricewaterhouseCoopers, but it also became well known that they were finding targets beyond computer systems and networks. Unsecured wireless medical devices, mobile devices, and even cloud architecture all came under attack in 2016. With security breaches arising on multiple fronts, companies, healthcare systems, governmental and educational entities, and individuals started to realize how real the threat of cyber attacks was. To combat those attacks, people increased their use of data security protection measures in 2016:
- 52% of individuals, businesses and entities utilized intrusion detection tools.
- 51% actively monitor and analyze security information for their vulnerable systems.
- 48% conduct vulnerability assessments.
- 47% utilize security information and event management tools.
- 47% regularly conduct cyber security threat assessments of their systems.
- 45% are subscribed to a threat intelligence service.
- 44% engage in data system penetration testing.
There is no question that people today worry about having their devices infected, their identities stolen or their online accounts hacked. The good news is that there are simple steps you can take to greatly reduce the chances of these things happening to you.
While you may not think your website has anything worth hacking, websites are compromised all the time. The majority of website security breaches are not attempts to steal your data or deface your website, but attempts to use your server: once in, hackers use it as an email relay for spam, or set up a temporary web server on it, normally to serve files of an illegal nature.
Fasturtle takes hacking very seriously, and we know that any website can be hacked at any time. Even the FBI acknowledges that there is no absolute approach that will make your information fool-proof and hacker-safe. Certainly, you can spend millions of dollars, as our own government does, on multi-tiered, multi-layered security protocols that alert you to potential breaches, but small to medium businesses, and even the Fortune 500, do not have the resources or budget to continually implement such sophisticated and sometimes classified systems. So what can business owners do to secure their website and minimize the risk of attack?
Here are some of the basic protocols we follow at Fasturtle to minimize attacks:
- Having Google Search Console installed and set up is a basic way to receive the warnings Google picks up on, particularly spam and malware injections. Google shows you the suspicious code and notifies you by email, which allows you or your web developer to remove the code, back up the cleaned website, and carry on with a clean, working site.
- Got WordPress? Update plugins and themes. Over 50,000 WordPress.com websites are launched daily, and the number of businesses using WP themes is staggering. Plugins are updated for functionality, but they are also updated to close security holes. Your WordPress site will alert you when plugins, themes, and the WordPress CMS itself need updates; simply click the “Update Plugins” button on your site to begin the process.
- Install HTTPS. As of the beginning of 2017, Google made it clear that sites that want any chance of ranking need an SSL (security) certificate. That means your URL should begin with https:// rather than http://. SSL is the technology for establishing an encrypted link between a web server and a browser, which ensures that all data passed between them remains private.
- File uploads are common on websites. Think of how many times you have uploaded a resume, patient forms for a doctor visit, online orders or selfies with your dog. Allowing users to upload files to your website can be a big security risk, even if it is simply to change their avatar. The risk is that any uploaded file, however innocent it may look, could contain a script that, when executed on your server, completely opens up your website. Ultimately you want to stop users from being able to execute any file they upload. By default, web servers won’t attempt to execute files with image extensions, but it isn’t recommended to rely solely on checking the file extension, as a file named image.jpg.php has been known to get through. Some options are to rename the file on upload to ensure it has the correct file extension, or to change the file permissions (for example, chmod 0666) so it can’t be executed.
Probably the top recommended solution is to prevent direct access to uploaded files altogether, so that any files uploaded to your website are stored in a folder outside of the webroot or in the database. Most hosting providers deal with the server configuration for you, but if you are hosting your website on your own server then there are a few things you will want to check.
- Passwords, to state the obvious, remain an easy doorway for hackers to infiltrate your website. People often use simple passwords, and the same password for various logins, so once one is compromised you would need to change it across all of your platforms and applications.
Some things to consider to help you pick a password:
- Don’t re-use passwords. One ultra-secure password won’t be any good if someone finds it.
- While altering a memorable word with mixed case, numbers and symbols (G0oG13!) is often advised, such passwords are more easily cracked than you might think. The longer a password is, though, the harder it is to crack.
- Make a long but memorable “passphrase”. Instead of spaceman123, try something like Sp4c3th3Fin4lFr0ntier1966.
- For security questions, never give the real answer. A hacker can visit your social media profiles to find out which high school you went to. Instead, use randomized answers that are completely unrelated to the question. For example, “What was your first car?” Answer: “ColdStone Creamery97”.
- Always use two-factor authentication, which typically sends a code by text message, email or phone call to verify your log-in.
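As an added example (illustrative code written for this article, not Fasturtle's own), here is how a code-based second factor is generated and checked on the server side. It goes slightly beyond the text: instead of a code sent by SMS or email, it uses the time-based one-time password scheme (TOTP, RFC 6238) that authenticator apps implement. The secret below is the RFC's published test vector, constructed test data and not a real credential.

```python
"""Added example: generating and verifying time-based one-time codes (TOTP,
RFC 6238) as a second login factor.  Not Fasturtle's code; the secret is the
RFC 4226/6238 test secret, used here only so the output can be checked."""
import hashlib
import hmac
import struct
import time

# RFC test secret (ASCII "12345678901234567890").  A real deployment generates
# a random per-user secret and never hard-codes one.
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """Time-based code: HOTP over the number of 30-second steps since the epoch."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps either
    side, which tolerates small clock drift between phone and server.  The
    comparison is constant-time so response timing does not reveal how many
    digits of a guess were right."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    step = at // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, step + drift), submitted)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    code = totp(TEST_SECRET, now)
    print("code:", code, "accepted:", verify_totp(TEST_SECRET, code, now))
```

The window of one step either side is a deliberate trade-off: it keeps logins working when a phone's clock is a few seconds off, while a code still expires within about 90 seconds. A server should also refuse to accept the same code twice within its window, which this minimal example does not track.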
- Lock down your site’s directory and file permissions. To set your file permissions, log in to your cPanel File Manager or connect to your server via FTP. Once inside, you’ll see a list of your existing file permissions and can set the appropriate restrictions.
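The file-upload advice and the permissions advice above fit together, and the following added example (written for this article, not Fasturtle's code) shows both in one place: an upload is validated by its content rather than its name, renamed with a random name and an extension matching what it actually is, stored outside the web root, and written with no execute bit (like the chmod 0666 mentioned above, but without making the file world-writable); a small audit then walks a directory and reports files that are executable or world-writable. Directory names and the sample file contents are constructed for the example.

```python
"""Added example, not Fasturtle's code: storing user uploads so the web server
can never execute them, plus a permissions audit for an upload directory.
Paths and sample contents are constructed for the example."""
import os
import secrets
import stat
import tempfile

# Leading bytes -> extension.  Only image types are accepted here.
MAGIC = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
MAX_BYTES = 5 * 1024 * 1024
FILE_MODE = 0o640      # rw-r-----: readable by the app, no execute bit anywhere


def detect_extension(data: bytes):
    """Return the extension implied by the file's leading bytes, or None."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def save_upload(data: bytes, upload_dir: str) -> str:
    """Store an upload safely and return its new path.

    The client-supplied filename is never consulted, so a name such as
    image.jpg.php carries no weight; the stored name is random and the
    extension comes from the detected content type.
    """
    if len(data) > MAX_BYTES:
        raise ValueError("upload too large")
    ext = detect_extension(data)
    if ext is None:
        raise ValueError("not a supported image type")
    os.makedirs(upload_dir, mode=0o750, exist_ok=True)
    path = os.path.join(upload_dir, secrets.token_hex(16) + ext)
    # O_EXCL guarantees we create a new file rather than overwrite an existing one.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, FILE_MODE)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, FILE_MODE)   # explicit, so the process umask cannot loosen it
    return path


def audit_permissions(root: str) -> list:
    """Return (path, problem) pairs for every file under root that is
    executable or world-writable."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.stat(path).st_mode
            if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                findings.append((path, "executable"))
            if mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
    return findings


def demo() -> dict:
    """Run the whole flow in a temporary directory on constructed inputs."""
    with tempfile.TemporaryDirectory() as tmp:
        uploads = os.path.join(tmp, "private", "uploads")  # not under the web root
        jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32            # constructed JPEG header
        script = b"<?php echo 'not an image'; ?>"            # what a renamed .php holds
        saved = save_upload(jpeg, uploads)
        try:
            save_upload(script, uploads)
            script_rejected = False
        except ValueError:
            script_rejected = True
        # Plant a deliberately loose file so the audit has something to report.
        legacy = os.path.join(uploads, "legacy.sh")
        with open(legacy, "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.chmod(legacy, 0o777)
        findings = audit_permissions(uploads)
        return {
            "saved_ext": os.path.splitext(saved)[1],
            "saved_mode": stat.S_IMODE(os.stat(saved).st_mode),
            "script_rejected": script_rejected,
            "saved_flagged": any(p == saved for p, _ in findings),
            "legacy_problems": sorted(why for p, why in findings if p == legacy),
        }


if __name__ == "__main__":
    print(demo())
```

The layers are deliberately redundant: even a file that passes the magic-byte check but carries script text inside it ends up with an image extension, outside any directory the web server serves, and with no execute permission, so there is no path by which a request can run it. The audit is the check to run after changing permissions through cPanel or FTP, to confirm nothing in the tree is still executable or writable by everyone.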
Some free tools that are worth looking at:
- Netsparker (free community edition and trial version available). Good for testing SQL injection and XSS.
Claims to be the most advanced open source security scanner. Good for testing known vulnerabilities; it currently scans for over 25,000. But it can be difficult to set up and requires an OpenVAS server to be installed, which only runs on *nix.
- io (free online check)
A tool that quickly reports which security headers (such as CSP and HSTS) a domain has enabled and correctly configured.
- Xenotix XSS Exploit Framework
A tool from OWASP (Open Web Application Security Project) that includes a huge selection of XSS attack examples, which you can run to quickly confirm whether your site’s inputs are vulnerable in Chrome, Firefox and IE.
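The online header check above runs against a live domain; as an added example (not that tool's code, and not Fasturtle's), here is an offline version of the same idea for the two headers it names, HSTS and CSP, which shows what "enabled and correctly configured" means for each. The header sets at the bottom are constructed samples, a weak configuration beside a corrected one, not captured from any real site.

```python
"""Added example: an offline check of Strict-Transport-Security and
Content-Security-Policy response headers, in the spirit of a header scanner.
Sample header sets are constructed, not taken from a real site."""

HSTS_MIN_AGE = 31536000          # one year, the usual minimum for a useful policy


def get_header(headers: dict, name: str):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def parse_hsts(value: str) -> dict:
    """Parse 'max-age=N; includeSubDomains; preload' into a lowercase dict."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            directives[key.strip().lower()] = val.strip()
    return directives


def parse_csp(value: str) -> dict:
    """Parse "default-src 'self'; script-src 'self' cdn" into name -> source list."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_hsts(headers: dict) -> list:
    """Problems with Strict-Transport-Security; an empty list means it is fine."""
    value = get_header(headers, "strict-transport-security")
    if value is None:
        return ["HSTS header missing"]
    d = parse_hsts(value)
    if not d.get("max-age", "").isdigit():
        return ["HSTS max-age missing or not a number"]
    problems = []
    if int(d["max-age"]) < HSTS_MIN_AGE:
        problems.append("HSTS max-age below one year")
    if "includesubdomains" not in d:
        problems.append("HSTS does not cover subdomains")
    return problems


def check_csp(headers: dict) -> list:
    """Problems with Content-Security-Policy; an empty list means it is fine."""
    value = get_header(headers, "content-security-policy")
    if value is None:
        return ["CSP header missing"]
    d = parse_csp(value)
    problems = []
    if "default-src" not in d:
        problems.append("CSP has no default-src fallback")
    # script-src falls back to default-src when absent, so check the effective one.
    script_sources = d.get("script-src", d.get("default-src", []))
    if "'unsafe-inline'" in script_sources:
        problems.append("CSP allows inline scripts ('unsafe-inline')")
    if "*" in script_sources:
        problems.append("CSP allows scripts from any origin (*)")
    return problems


def grade(headers: dict) -> dict:
    """Run both checks and return their problem lists."""
    return {"hsts": check_hsts(headers), "csp": check_csp(headers)}


# Constructed sample responses: a weak configuration and a corrected one.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "script-src * 'unsafe-inline'",
}
STRONG_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS)):
        print(label, grade(hdrs))
```

A short max-age means browsers forget the HTTPS-only rule almost immediately, and a CSP that permits inline scripts or any origin gives little protection against the XSS the tools above test for; the strong sample fixes both.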