blog.brandprotect.com

Got Hacked? – How to protect your site from being used for Identity Theft?

As an Incident Response Analyst at BrandProtect I communicate with ISP's, registrars and domain owners on a daily basis. Recently, I spoke with an aggravated website owner who said to me "I don't understand why my site has been repeatedly hacked, I changed my passwords, deleted the fraudulent folders and my hosting company is no help". Many frustrated website owners experience the same thing. They don't understand why they keep getting hacked. If you leave doors open to your site, it's very easy for, perpetrators to get in. The key to protecting your site is to maintain it and make sure security always comes first. A website is like your home-it's your virtual space. You should invest in secure doors and locks. It's mind boggling to see the number of sites that get hacked. Nowadays, creating your own website or blog is simple and inexpensive; unfortunately people are avoiding taking various security measures.

When building a website, don't build a castle on a cloud. Although it's important to make the site look good, what's the point if it's unsecure?  From my experience, I noticed that website owners lack the background to maintain their sites and don't understand the vulnerabilities sites have that hackers expect to find. Most often when sites get hacked we hear about terms like Patches, SQL injection and Cross Site Scripting (XSS). But, what do these terms really mean? Here are a few definitions that will help us understand how sites get hacked:

Patches - Patches work like bandages, they seal flaws in software to make it work better. Software companies often have to fix bugs on their program due to security problems or to add new features.

SQL injection - this is one of the most popular security vulnerabilities in web applications today.  We see this in sites that allow users to query a database; when a user enters data into a field, it is then inserted into a SQL command without any checking. This type of attack allows the perpetrators to manipulate the database of a site and allows them to bypass authentication into a site. Here is some more good info on SQL injection.

Cross Site Scripting (XSS) - this security vulnerability allows a malicious website to upload another website to another frame and use java script to read or write data on the other website. Attackers find clever ways of infecting malicious scripts into web pages where they can gain access to sensitive information. Unfortunately, many XSS vulnerabilities lead to phishing sites. 

The key to protecting your site from getting hacked is simple, maintain it and keep it up to date. If you are using Word Press, Joomla or Apache make sure you update it with the latest security patches. Updating your software is extremely important. Unlike Microsoft, web applications don't always alert their users to update. Therefore,   be proactive and don't always rely on your webhosting company. They are not responsible for maintaining your website and are not responsible if your site gets hacked. Always look for the latest updates and do your research. Lastly, secure your password. Take a look at Dylan Sachs blog on "Password Security - sing a song, save some stress". 

For expert advice I turned to BrandProtects IT Manager Adam Chrichton, who lists a few important tips:

1. If you operate your own web host, keep it up to date (whether IIS or Apache) with current patches.   Same goes for the database if you use one.   If you use a hosted service, make sure they keep things up to date/patched.  If they don't, find someone else.

2. Use very secure passwords for all logins.   If you must use a dictionary word, use two with a space or punctuation between them, and put at least one capital, one number and perhaps a punctuation mark.   Make sure it's at least 8 characters long.  If possible, change it every 45 - 90 days.

3. Guard against code errors like SQL injection vulnerabilities by having your web site code verified by a professional programmer. While lots of people can make a web site, and often at an inexpensive cost, they don't know how to format their database queries and statements to protect against common attacks.

4. If you operate your own web host, run a server antivirus product on it if it's Windows.   While some Linux viruses do exist, they're much less common since there are fewer desktop computers running Linux.

5. If you operate your own web host, make sure you have a good (i.e. tier one or two vendors like Cisco, Juniper, Watchguard, Sonicwall) firewall to protect it.   Put the web host server in a DMZ, not in your main (trusted) network.   Don't permit access between the DMZ and your main (trusted) network.

6. Don't be afraid to pay for a reputable firm to do a security audit if budget allows.   While security audits can't always practically have all recommendations followed to the letter, they will at least help you understand in what ways you're exposed.

Websites are fun and easy to create and also very useful. It's worth going the extra mile to get a professional to look at your site. The key to building a good website is to treat it like your home; secure it, clean it and maintain it.