Have you ever heard fear in a person’s voice? “My website’s gone!” The owner of the company’s voice was filled with fear. The money invested in advertising and promotion of the website – in bringing prospective clients to the website was suddenly in jeopardy. Instead of the company website, a big black page announced that this website was “Owned” by some hacker from Indonesia. “Can this be fixed? How did this happen? Why would someone do this? How can I keep this from happening again?” The questions came at a frantic pace. Jack’s* day had suddenly turned upside down. Let’s look at how common the threat of compromised websites really is and what you should do to protect yours.
Hacked and Infected – Website Threats on the Rise
Security experts say that there are only two kinds of companies left in the US – those that have been hacked and those that don’t know they’ve been hacked. Forbes magazine recently ran an article with the title “2013: The Year You Get Hacked”. Google is now flagging some 10,000 compromised websites per day. This number is on the rise.
There are different types of threats that websites are exposed to, depending upon the nature of the company itself. Let’s look at some of the specifics of website threats and the kinds of companies at risk.
Website Attacks Motivated by Profit
Websites that contain high value information are often the targets of sophisticated attacks. In these attacks, the goal of the hackers is to steal valuable information that can then be re-sold. Often the target is credit card numbers, trade secrets, or other information that has a cash value.
Small businesses are usually not the targets of these types of attacks because they typically don’t have this kind of information in their websites. Even small e-commerce websites almost always conduct the processing of credit card numbers through third party PCI compliant gateways and processors – which means they don’t have customer credit card information saved on their website.
Phishing, DDoS, and More
You’ve probably seen some of these attacks firsthand or at least in the news. Phishing attacks come in the form of emails that “look” like they come from a large financial institution and then direct you to a counterfeit website. These kinds of attacks are popular and you’ve probably gotten these kinds of emails before. If something like this arrives in your inbox – just delete it without clicking the link.
DDoS (distributed denial of service) attacks usually make the headline news when they affect a very large company. Google and Yahoo both have been virtually shut down for a period of hours due to large distributed denial of service attacks. Essentially these attacks use large numbers of infected computers to act as drones and overwhelm the target website by sheer volume. Denial of service attacks are almost always directed at very large websites, so this is not a risk to most small business websites.
This type of website attack primarily affects small businesses. In this type of attack, hackers seek to destroy a website and put a new homepage in place. The new homepage contains a message announcing the hacker’s screen name.
There is nothing that the hacker gains as a result of this kind of attack other than bragging rights and street “cred” among others engaged in the same activity. This is the online equivalent of when troubled kids go through a neighborhood at night and smash mailboxes with baseball bats – there is no gain being sought. The only goal is destruction.
Just like with vandalism of tangible property, those who vandalize a website frequently return to have another go at it once the site is restored. Once a website is compromised once, it becomes a magnet for future attacks. Hackers circulate lists of sites that they have hacked – think of this like a resume for hackers. Once a website makes it onto a list like this, they often become a frequent target of similar attacks for years.
Larger businesses usually have the resources and systems in place to protect their website and defend against this kind of website vandalism. Small businesses frequently don’t take this kind of threat seriously until they’ve been affected by it.
Website Infection and Malware
This kind of attack also primarily affects small business websites. In this type of attack a website is infected with a virus or malware. The purpose of the virus or malware is usually to infect the computers of the people visiting the website. In this situation, the website is just a conduit that is used to further the plans of the attacker – which range from deleting files to identity theft.
This is one of the worst kinds of attacks for small business websites because the attack is not immediately obvious. The infection or malware is often cloaked, like a Trojan horse, so that it goes unnoticed until it is triggered. This means that it is often able to avoid detection – sometimes for weeks.
The owner of the company usually finds out that there is a problem with their website when they start getting complaints from clients or prospects who visited their website and had their computer infected as a result. When Google detects the infection it will display a warning next to your website if it shows up in the search results. Sometimes the first indication that there is something wrong comes when the owner goes to his own website and up pops a notice from the McAffee or AVG warning about visiting an infected website.
Software Updates – First Line of Defense
Far and away the most common ways that the bad guys break into a small business website is through vulnerability within the software or programs that the website runs on. Staying informed about the latest versions of the software that your website runs on and then updating that software whenever a new version is released can be a nuisance – having your site messed up can be a nightmare.
If you’re running a WordPress website, keeping your software updated is just a matter of logging in every day and checking your dashboard and plugins to see if any updates are available. If so – click the button to apply the update, but be sure you’ve backed up your site first. Occasionally an update won’t work as it is supposed to – that is when the backup comes in handy. Another thing to look out for is if the latest plugin version is more than two years old, you should stop using the plugin, as it has most likely been abandoned by the developer – not a good sign.
Keeping your site running on the latest software and plugins will go a long way to helping protect your website against all sorts of trouble.
The best thing you can do to ensure the safety and integrity of your passwords is to change them on a regular basis (like every 3 months) and make sure that your password is not a word found in the dictionary. Dictionary attacks are still a common method that hackers use to brute force their way into an account. They simply try every word in a dictionary of common passwords. Using upper and lower case letters, numbers, and special characters in a password that is at least 8 characters in length is a minimum. Longer passwords are better – but make sure you can remember it and that you have it recorded in a safe place.
If you share your password with someone else, make sure you change it when they no longer need it. A common occurrence when a password is compromised is that the password leak turns out to be from someone whose computer got infected with a virus that stole the passwords on the computer. Changing your password on a regular basis as well as after certain events (like an employee / contractor leaving) will go a long way to helping protect your website from harm.
Sometimes things do go wrong. This is where backups and monitoring come in handy. Monitoring alerts you to the presence of a problem as soon as it takes place. Essentially, this is a software tool that checks your site constantly to make sure that it is safe. If trouble is detected, you’re alerted instantly so that you can fix your website right away.
Software security isn’t a silver bullet, but it can provide a good measure of protection against lots of different threats. Not all security software is created equal – there are some free tools out there, but the really good stuff comes with a price tag – and a warranty. If they don’t believe in their software enough to guarantee it with a warranty – you shouldn’t put much stock in it either.
Protecting Your Website
The best way to protect your website is to rely on a multi-layered approach where there is no single point of failure. Website security is an evolving field – you need to ensure that your approach to security is robust enough to adapt to emerging threats. When you have this in place, you don’t have to worry about what if.
In Jack’s case, we investigated and found that the hackers got in through a recently discovered vulnerability in some of the software on his website. His site was restored from backup and a robust website protection program with warranty was put in place to ensure that he can rest well with peace of mind, knowing his website is properly protected.
If you want someone else to look after the security of your website, take a look at our website protection programs (complete with warranty coverage). With the proper levels of protection and appropriate systems in place, you can have peace of mind for the safety of your website.
*The name has been changed to protect privacy.