Your site will be hacked. Can you handle it?
You can't ignore reality: thousands of websites are hacked every day and it can happen to you. Your website is probably being attacked right now and you don't even know about it. While it sounds daunting, with the right systems and procedures in place, you can rest easy knowing that you have prepared for a cyber crisis. This article will provide a summary of the best practices for minimizing risk, and for recovering your website should an intrusion occur.
Why would hackers want to target you?
Even low-profile organizations face the risk of being hacked. Many attacks are automated: you are not necessarily singled out as a target, but your website may simply be on the hacker's hit list.
There are several reasons why hackers may target your site, but they mostly fall within the following categories.
Breaking or taking your website down, corrupting or destroying data. This could be done for mere vandalism, to cause harm to your business, or to prove that your site is not well put together. Defacement and denial-of-service (DoS) attacks are the most common forms of disruption.
Using your website server to aid in the hacker's activities. This may include:
Link farms: creating pages or embedding links in your website, for the purpose of generating traffic and improving search engine rankings for other websites
Malware distribution: reprogramming your website so that it infects visitor computers with malware developed by the hacker
SPAM: using your website as the source of spam email or traffic
Computing power and bandwidth: utilizing the unused capacity on your website server to do work for the hacker (like hacking other websites), while helping keep the hacker's identity concealed
Accessing or stealing private data: commercial, financial, or intelligence. This is usually the motive behind attacks on large corporations or governments. While it is the type of attack that garners the most media attention, it may be the least of your concerns if you don't conduct e-commerce on your website.
Except for the case of disruption attacks, hackers have an incentive to keep their attacks invisible to website owners, which is why you need to periodically monitor your website for unusual activity.
How can you protect yourself?
It is impossible to cover all possible security scenarios and threats in just one article. Each case is unique, and security measures need to be balanced against their impact on system performance and the user experience. The following are best practices for protecting against the most common threats. Think of them as common-sense tips, similar to the ones you follow every day to protect your home or your wallet.
If you are concerned about your website security or you have been hacked repeatedly, you may need help from an expert who can perform security assessments, penetration tests, and hardening of your website.
Understanding common vulnerabilities will shed light on how to protect against them. Most vulnerabilities fall within the following categories. They are listed in order of difficulty for hackers to exploit.
Basic Security Measures
Unfortunately, most intrusions happen because owners don't follow basic security measures. Imagine leaving your laptop in a coffee shop, open and unlocked, with your credit card sitting next to it, along with Post-it notes of your PIN codes and SSN. Very often, it is that easy for hackers to break into your website. A few security measures that you should consider are:
Accounts and Permissions
Each website user should have their own account. Do not share accounts among multiple users.
Set the access permissions for each user. You don't need every user to be a super admin. Even users that connect to the website on a daily basis may not need to be a super admin.
Disable accounts that aren't in use.
Don't leave the default password on any account. Use different passwords for different accounts.
I know you know this, but repeat after me: use passwords that are difficult to guess. Unfortunately, most people don't use secure passwords. Check this list of the most common passwords and please stay away from anything like them!
Think of your passwords in two groups: the ones that you need to memorize and the ones that you don't. In the first group are probably your email, debit card, and Facebook passwords. The list is probably short. These are passwords you may need even when you are not on your own computer. Don't be lazy: come up with complex passwords. Here is a trick: think of a phrase or sentence (not a nonsensical combination of words), 5 or 6 words long, and put it in a consistent form that uses uppercase, lowercase, numbers and symbols. For example: "Good morning! Coffee w/2 sugars, no cream". Voila, that's a very secure password. And you thought 8 characters was long. The more unique you make it, the more secure it will be. Read my blog post about secure and simple passwords.
The passwords you don't need to remember are those that you can save and refer to when needed. This may include your website passwords. Conventional wisdom dictates that you should memorize your passwords, but that is simply impractical when you have dozens of accounts. Don't write them in a notebook or type them into an Excel spreadsheet. Instead, be a pro and get a password app like KeePass or 1Password. Not only will you be able to organize your passwords and keep them safe, you can use the program to generate long strings of random characters for those passwords that you don't need to remember.
In order to increase the security of your website, you may want to consider Two-Factor Authentication. In addition to requiring a password, two-factor authentication generates a unique, perishable code that is sent to the user's mobile phone or email address, as an extra layer of security to authenticate the identity of the user. Most modern servers and content management systems include this functionality.
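An added sketch, not code from the article, of what the server side of such a perishable code looks like: a random code is issued for delivery by SMS or email, only its hash is stored, and it is accepted once, before it expires, within a small number of guesses. The digit count, lifetime and guess limit are assumed values.

```python
import hmac
import hashlib
import secrets
import time

CODE_DIGITS = 6          # assumed format: a 6-digit code
CODE_TTL_SECONDS = 300   # assumed lifetime: five minutes
MAX_VERIFY_ATTEMPTS = 3  # assumed: guesses allowed per issued code


class SecondFactor:
    """Issues and verifies one-time codes sent out of band (SMS, email)."""

    def __init__(self, now=time.time):
        self.now = now     # injectable clock so expiry can be tested
        self.pending = {}  # user -> (code_hash, expires_at, attempts_left)

    def issue(self, user):
        """Generate a fresh code for the user; the caller delivers it."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[user] = (
            hashlib.sha256(code.encode()).digest(),  # never store the code
            self.now() + CODE_TTL_SECONDS,
            MAX_VERIFY_ATTEMPTS,
        )
        return code

    def verify(self, user, submitted):
        """True exactly once, for the right code, before it expires."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        code_hash, expires_at, attempts_left = entry
        if self.now() > expires_at or attempts_left <= 0:
            del self.pending[user]          # expired or exhausted: discard
            return False
        submitted_hash = hashlib.sha256(submitted.encode()).digest()
        ok = hmac.compare_digest(code_hash, submitted_hash)  # constant time
        if ok:
            del self.pending[user]          # single use
        else:
            self.pending[user] = (code_hash, expires_at, attempts_left - 1)
        return ok
```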
Remember the 3-2-1 rule of backups: three copies of your data, stored on at least two different devices, with at least one copy located offsite. For your website this means: set up an automatic daily backup of your website, and download the website database and files periodically. A backup by itself will not prevent an intrusion, but it is essential for recovery.
Your website developer should set up and use a code repository. This has multiple benefits, and in the case of security, it can be a very useful tool to detect and fix any changes to files that need to be restored after an attack.
SSL (Secure Sockets Layer) is a technology that encrypts the connection between your website and the user's browser. Set up SSL and enforce it across your whole site, for visitors and administrators alike. Unencrypted communications can expose user credentials and other critical information, as well as open a pathway for attacks. Watch our video explainer about SSL and read why SSL is important for your website's search engine optimization.
Hosting can be compared to office space. Shared hosting is like shared space, and having your own server is like having your own office. Shared space is easy, cheap, and hands-off, but your security relies on all members of the shared space being disciplined in following security rules. The difference with shared hosting is that you don't know who the other members of the server are, and cannot see what they are doing. So if they are putting you at risk, you won't know until it's too late.
On the other hand, having your own office is more expensive, and requires more work, but provides more control.
If your website security is important to you, get off shared hosting. Pick a reputable hosting company that keeps server software up to date, has the technical capability to fend off attacks, and provides reliable backup service. We recommend Linode and Amazon Web Services.
Configuration and Settings
All the systems that make your website function have sets of recommended settings that should be followed: protecting directories, setting correct file permissions, enabling timeouts and retry attempts settings, enabling x-frame-options and configuring CORS, just to mention a few. It is important that these settings are configured with security, and not only performance or convenience in mind.
In a brute-force attack, hackers attempt to break in by guessing passwords. This method relies on automatically trying thousands of different passwords in very rapid succession.
Commonly, these attacks are stopped by enforcing a wait time between login attempts, and by blocking IP addresses or accounts that have exceeded a number of failed attempts.
This functionality is usually optional in content management systems and operating systems, but it can be easily added and activated.
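An added illustration, not code from the article, of the two controls just described: a minimum wait between attempts from one IP address, and a lockout of both the IP and the account once failed attempts in a window reach a limit. The limits and durations are assumed values to be tuned per site.

```python
import time
from collections import defaultdict, deque

# Illustrative policy values (assumed, not taken from the article).
MAX_FAILURES = 5         # failures allowed per IP / per account in the window
WINDOW_SECONDS = 600     # window over which failures are counted
LOCKOUT_SECONDS = 900    # block duration once the limit is reached
MIN_DELAY_SECONDS = 2.0  # minimum wait between attempts from one IP


class LoginThrottle:
    """Wait-time plus lockout logic to run before each password check."""

    def __init__(self, now=time.time):
        self.now = now                      # injectable clock (for tests)
        self.failures = defaultdict(deque)  # key -> failure timestamps
        self.locked_until = {}              # key -> time the lock expires
        self.last_attempt = {}              # ip -> time of last attempt

    def _blocked(self, key):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.now() < until:
            return True
        del self.locked_until[key]          # lock expired: reset history
        self.failures.pop(key, None)
        return False

    def check(self, ip, account):
        """Return (allowed, reason); call BEFORE verifying the password."""
        for key in (f"ip:{ip}", f"acct:{account}"):
            if self._blocked(key):
                return False, f"{key} is locked out"
        last = self.last_attempt.get(ip)
        if last is not None and self.now() - last < MIN_DELAY_SECONDS:
            return False, "retrying too fast"
        self.last_attempt[ip] = self.now()
        return True, "ok"

    def record_failure(self, ip, account):
        """Count a failed login; lock the IP and/or account at the limit."""
        cutoff = self.now() - WINDOW_SECONDS
        for key in (f"ip:{ip}", f"acct:{account}"):
            q = self.failures[key]
            while q and q[0] < cutoff:      # drop failures outside window
                q.popleft()
            q.append(self.now())
            if len(q) >= MAX_FAILURES:
                self.locked_until[key] = self.now() + LOCKOUT_SECONDS
```

Locking the account as well as the IP matters because automated guessing is usually spread over many source addresses.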
Hackers attempt to exploit known vulnerabilities found in outdated software. The cure: keep your website software up to date. This includes all components: the content management system, database, programming language, and operating system.
This is a very common type of attack. Hackers can easily target thousands of websites that share a common outdated component and gain access to all of them. Your website is probably being "poked" right now by automated hacker scripts looking for known vulnerabilities to exploit.
Vulnerabilities in Custom Software
When your website developer builds your website, there will typically be one or more pieces of custom software in the form of plugins obtained from 3rd parties or developed specifically for your website.
This custom software can create new security vulnerabilities if it is not developed following best practices for the programming language, content management system, and operating system.
The most common types of vulnerabilities are injection and broken authentication. In the case of injection, the vulnerable software fails to properly validate user input. Hackers can exploit that failure to input or "inject" their own code and potentially gain access to the whole system. In the case of broken authentication, the software doesn't properly validate user access permissions and gives unauthorized users access to restricted files or information.
In order to prevent this type of attack, make sure any 3rd party software is developed by reputable programmers, is obtained from the original source, and doesn't have any known vulnerabilities. In the case of custom software, make sure your developer follows security best practices.
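To make the two failure modes concrete, here is an added example in Python with SQLite (not code from the article): a user lookup that pastes input into the SQL text beside its parameterised form, and a record lookup with no permission check beside one that enforces the requester's role. The table and users are constructed sample data.

```python
import sqlite3

# Constructed sample data standing in for a site's user table.
SEED_USERS = [("alice", "alice@example.com", "admin"),
              ("bob", "bob@example.com", "editor")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_USERS)
    return db


def find_user_vulnerable(db, name):
    """Injection: input becomes part of the SQL, so a quote in the
    name changes the query's structure instead of being matched."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return db.execute(sql).fetchall()


def find_user_safe(db, name):
    """Parameterised: the driver passes the value separately from the SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()


def get_email_broken(db, requester, target):
    """Broken authentication: never asks whether the requester may
    read the target's record, so any logged-in user can read anyone's."""
    row = db.execute("SELECT email FROM users WHERE name = ?", (target,)).fetchone()
    return row[0] if row else None


def get_email_checked(db, requester, target):
    """Only the user themself or an admin may read the record."""
    role = db.execute("SELECT role FROM users WHERE name = ?", (requester,)).fetchone()
    if role is None:
        raise PermissionError("unknown requester")
    if requester != target and role[0] != "admin":
        raise PermissionError("not allowed to read another user's record")
    row = db.execute("SELECT email FROM users WHERE name = ?", (target,)).fetchone()
    return row[0] if row else None
```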
This type of attack may not be the most common because it is limited in the number of websites that contain the same vulnerability. However, given enough incentive, hackers may devote time and effort trying to identify custom software vulnerabilities and exploit them.
When none of the previous types of attacks yield results, hackers may resort to social engineering: collecting or deducing information from public sources, or manipulating people into disclosing it.
One common example of social engineering is phishing: the hacker sends you an email that looks exactly like the ones you receive from your bank, with an offer or a security alert, asking you to log in to your online banking account. You click on the link and land on a website that looks exactly like your bank, but that is really a copycat hosted by the hacker. You try your username and password, and the first time it doesn't work, you try a second time and it works. The hacker now has your username and password.
Another example: you receive a call from your credit card company wanting to check on some suspicious activity on your credit card. Before proceeding they ask you to confirm your date of birth and SSN. The call is not really from your bank, and you just provided them with some pieces of information that they can use to call the bank and pretend to be you.
The most sophisticated hackers use social engineering, and they claim that social engineering yields 100% penetration success. If you are interested in this topic we recommend the book Ghost in the Wires by Kevin Mitnick.
How can you protect yourself against social engineering? Unlike other types of attack, this vulnerability is caused by human interaction and cannot be fixed by patching your software. However, there are some principles you can follow to protect yourself:
Educate yourself and be alert: being aware of how hackers operate, or what seemingly harmless behaviors can be used to undermine your security is the first line of defense against intrusions. And educate the people around you: co-workers, employees, friends and family - many times they are the ones that unknowingly help hackers piece together information that they use to attack you.
Exercise a healthy level of skepticism and paranoia when it comes to handing over information. Question why you must provide your zip code, phone number or date of birth when buying chewing gum at the pharmacy. Don't be shy: don't answer questions, or hang up on that phone call from a pushy telemarketer or credit card company employee who asks too many questions.
Be cautious with what information you share on social media. Just because you are asked to enter your address and date of birth doesn't mean you have to share it with the world. You can still share photos of your vacations, cute cats, and amazing brunch food, but you should not be documenting every single move you make.
What to do if you get hacked?
The only insurance against data loss is to backup frequently. If you only remember one thing from this article it should be the importance of having backups of your website.
Besides recovering data, you will need to clean up your website, remove any malware, and attempt to identify and rectify the vulnerability that was used to gain access to the site. Here are some basic steps to take after a hack occurs:
If possible, take the site offline: lock out all users except for your root or super admin user, while you clean up and recover after the hack.
Malicious code scan: if you have a repo for the website, you may be able to easily find which files were changed or added. If you don't, you should do a code scan. For PHP-based websites we use Look for Bad Guys and JAMSS. This process is tedious because you may get a lot of false positives, and you may need to manually inspect each directory to remove suspicious files.
When recovering files from your backup, or from freshly downloaded copies of software, keep in mind that both processes will only restore modified files, and will not remove any files the attacker added.
After changing all passwords and reviewing all accounts, you should update all of the site software and review any custom software for vulnerabilities.
You may be able to find information on how and by whom the attack was performed by looking into the server logs, and the files that have been added or modified. In some cases, professional help may be required to find more information.
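The changed-or-added file check from the steps above, as an added example that is not code from the article or from the scanners it names: hash every file under a clean copy (your backup or repository checkout) and under the live web root, then report what was modified, what was added, and what is missing. SKIP_DIRS is an assumed list of directories that change at runtime.

```python
import hashlib
import os
from pathlib import Path

# Directories that legitimately change at runtime and are not worth diffing;
# an assumed default, adjust to the site's layout.
SKIP_DIRS = {"cache", "uploads", "tmp"}


def file_hash(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each relative path under root to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            p = Path(dirpath) / name
            manifest[str(p.relative_to(root))] = file_hash(p)
    return manifest


def compare(clean, live):
    """Return (modified, added, missing) relative paths.

    clean: manifest built from the backup or repository checkout.
    live:  manifest built from the web root you are cleaning up.
    Restoring from backup fixes 'modified' and 'missing'; the 'added'
    files are the ones a restore will not remove, so review them by hand.
    """
    modified = sorted(p for p in clean if p in live and clean[p] != live[p])
    added = sorted(p for p in live if p not in clean)
    missing = sorted(p for p in clean if p not in live)
    return modified, added, missing


def audit(clean_root, live_root):
    """Convenience wrapper: diff a clean tree against the live tree."""
    return compare(build_manifest(clean_root), build_manifest(live_root))
```

Run audit() against a copy of the live site, not the server itself, so that a cleanup in progress does not change the result mid-scan.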
Follow these tips and you will be able to keep your website, data and business safe from the vast majority of attacks.