Prioritising Website Security
Every so often, you will hear in the news of a number of big websites being compromised by hackers, and it may seem like these are rare occurrences. In actual fact, thousands of websites are attacked every day with some of these attacks being fatal.
It’s just that, apart from the owners of the compromised websites, and the people who frequent those websites, not many people get to hear of these attacks. Website security is a critical aspect of owning and running a website, and it is crucial that every website owner should prioritise it.
In the Security And Safety Risks On The Web blog post, I wrote about security concerns for an individual whilst on the web. That discussion was about personal security. Website security, on the other hand, is less personal.
Because website security is one step removed from the owner's own experience of the web, it is easy for the owner to feel detached from it. It is for this reason that extra attention needs to be paid to website security; otherwise it is at high risk of being neglected.
Just as personal web security requires vigilance and the appropriate precautions, website security is a matter of being vigilant and pre-emptive. The website owner needs to educate themselves on the steps required to keep their website safe from malicious attacks.
The first step in prioritising website security is to learn about the forms of attack that pose a threat to a website. Only after understanding what form attacks may take can the necessary steps to mitigate them be taken.
In general, websites are attacked for two major reasons: access control and software vulnerabilities. Access control deals with who gains access to a website or its underlying network environment and how they do so, whilst software vulnerabilities are security holes in the software running the website.
The biggest risks with access control are the people who are rightfully given access to the website in the first place. People are prone to errors and sometimes do not follow security protocols, and in the process leave a website exposed to attackers. What often happens is that people are tricked by hackers into providing access to a website's system through bait in emails and promotional links.
A popular attack method that targets access control is the brute force attack. In a brute force attack, the hacker bombards a website's login with possible username and password combinations until one of them works.
The candidate credentials may come from a specialised script that tries combinations by trial and error until a match is found, or from a list of passwords the hacker compiles from the words used on the website itself. This is why it is prudent to always use strong passwords.
Other attacks on access control also exist, including phishing, where users are tricked into providing their login details to malicious agents through a false copy of a website or via email.
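One practical way to notice a brute force attempt like the one described above is to count failed logins per source address within a short window. The following is an added example, not code from the original post; it runs over constructed sample log lines in a simple "timestamp status user ip" format of my own choosing, and the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not real traffic): one attempt per line.
SAMPLE_LOG = """\
2024-01-10T09:00:01 FAIL admin 203.0.113.5
2024-01-10T09:00:03 FAIL admin 203.0.113.5
2024-01-10T09:00:04 FAIL administrator 203.0.113.5
2024-01-10T09:00:06 FAIL admin 203.0.113.5
2024-01-10T09:00:08 FAIL root 203.0.113.5
2024-01-10T09:00:09 FAIL admin 203.0.113.5
2024-01-10T09:05:00 FAIL alice 198.51.100.7
2024-01-10T09:30:00 OK alice 198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) (\S+) (\S+)$")

def parse_log(text):
    """Yield (timestamp, status, user, ip) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def find_brute_force(text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: (max_failures_in_window, usernames_tried)} for every source IP
    that produced at least `threshold` failed logins inside any `window`."""
    failures = defaultdict(list)  # ip -> list of (timestamp, username)
    for ts, status, user, ip in parse_log(text):
        if status == "FAIL":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(ip, (0, None))[0]:
                users = sorted({u for _, u in events[start:end + 1]})
                flagged[ip] = (count, users)
    return flagged

if __name__ == "__main__":
    for ip, (n, users) in find_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins in window, usernames tried: {users}")
```

A single user mistyping a password once, as alice does here, stays below the threshold; the address cycling through several usernames in seconds is the one flagged.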
No software is ever perfect. That’s why we get continuous updates for the software we use.
Unless a website is basic and entirely static, it is most likely backed by a database. The way the website's software builds and sends queries to that database can be exploited to gain access to the data, through an attack called SQL injection.
In an SQL injection attack, the hacker literally "injects" SQL code into the queries the website sends to its database, forcing it to reveal private data such as login credentials. Once these credentials have been exposed, the hacker can use them to locate vital information such as credit card details, or simply alter the website's content.
Cross-Site Scripting, or XSS, is an attack in which the attacker injects malicious script into a vulnerable website so that it runs in the browsers of the site's visitors.
File inclusion attacks exploit vulnerabilities in the website's software to make it load and execute code that is either already on the server or hosted remotely.
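The SQL injection paragraph above is easiest to understand by seeing the vulnerable query beside its fixed form. This is an added example, not code from the original post; it uses Python's built-in sqlite3 module with an in-memory table and a constructed user account, and the function names are my own.

```python
import sqlite3

def make_db():
    """Build an in-memory users table holding one constructed account (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-password')")
    conn.commit()
    return conn

def lookup_vulnerable(conn, username):
    """The pattern the post warns about: user input spliced straight into the SQL
    text, so the input can change the meaning of the query. Returns matched usernames."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]

def lookup_safe(conn, username):
    """Hardened form: a parameterised query. The input is bound as a value and can
    never become part of the SQL statement, whatever characters it contains."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]

if __name__ == "__main__":
    conn = make_db()
    # Constructed input that closes the string literal and appends an always-true clause.
    crafted = "nobody' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, crafted))  # every row is returned
    print("safe:", lookup_safe(conn, crafted))              # no user has that literal name
```

The same contrast applies to any language's database API: the fix is binding parameters, not filtering characters out of the input.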
The motivations for hacking are wide and varied, ranging from highly motivated individuals with a score to settle to bored computer enthusiasts.
For the highly motivated individual, the prize can be valuable data such as credit card details, whilst for the bored enthusiast it can be as simple as a personal challenge. Other motivations are to deface a website by changing its message, or to fill it with spam.
After learning about the vulnerabilities that exist, the next step is to take steps to apply security measures against each one.
Dealing with access control vulnerabilities is, for the most part, a matter of practising good personal web security for every individual with privileged access to the website. This means having and maintaining a good password policy, for instance in terms of password length and required characters.
Software vulnerabilities are best addressed by making sure that all the software running the website is up to date, and that regular patches are applied to the website's database. Updating the database server is often the responsibility of the web host, so choosing a reputable and professional host is critical.
Additional security software should also be installed on the website to actively block malicious attacks, including a firewall mechanism. For certain popular Content Management Systems, such as Joomla or WordPress, some security software can also disguise the URL of the website's control panel in order to make it harder for attackers to find.
In my early days as a web designer and developer, I had several of the websites I was responsible for hacked. Believe me, if you haven't encountered it yourself, it is not a pretty sight. Recovery is a stressful and costly affair, which can be avoided through vigilance. Remember, prevention is better than cure.
What are your thoughts on website security or personal security on the Web? Let us know in the comments below.