Security breaches are making the news on a daily basis. Credit monitoring services used by identity theft victims have been hacked. So have health care companies, retail stores, governmental agencies, movie studios, postal carriers, dating sites… The list goes on and on. And these are just the major players.
It is obvious why these sites are hammered on by hackers. They house content or intellectual property that could be sold, exploited or ransomed. Compromised sites = money. That makes sense, right? So what does a hacker gain by compromising a brochure site for a mom-and-pop shop or a restaurant? What benefits could there possibly be?
Essentially, money is at the root of these attacks too. These sites run on servers, and an exploited site = free access to a server: somewhere for the bad guys to host something. Gratis.
The effects of compromised sites can be devastating to all site owners. The site’s hosting company may take the site down, costing the site owner in-store customers. SEO ranking may plummet resulting in fewer viewers and fewer customers. The barrage of invisible traffic to exploit your vulnerable site may slow it and possibly even crash the server. The domain may get flagged by a search engine and give potential visitors security warnings. Emails @domainname.com may get flagged as spam because they originate from a compromised IP.
You get the picture: not pretty. We’ve cleaned up many hacked sites and here are a few things we’ve found:
- A 500MB file containing hundreds of encoded phishing pages (phishing: posing as a legitimate company to trick a user into handing over information).
- Email spamming.
- Code that is injected only when bots crawl a page (SEO gaming)
- FTP-like access to all site files
- Scripts that generate numerous holes (if all holes but one are patched, the remaining hole generates more holes).
- Scripts that take anything a remote user passes to them and run it on the compromised server. This turns the server into a zombie machine used to launch other attacks.
There are many more but they are basically variations of the above.
We’ve also seen the bad guys’ MO shift over the years. Brazen exploits (500MB worth of phishing pages) have given way to smaller openings that allow more remote flexibility and control. A 500MB file is noticeable, easy to find and get rid of. A single 4 KB file called css.php tucked away in a folder? Well. That is much less obvious and way harder to find.
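One practical way to catch that small tucked-away file is a file-integrity baseline: record a hash of every file while the site is known to be clean, then compare the live tree against that record during maintenance. The following is an added example, not code from the original post; the directory layout, the assumption that css/, js/, images/ and fonts/ hold only static assets, and the sample file contents are all constructed for the demonstration.

```python
"""File-integrity baseline for a small site, so an unexpected 4 KB css.php
shows up as an added file instead of hiding in a folder.
Added example, not from the original post; layout, paths and sample
contents are constructed."""
import hashlib
import tempfile
from pathlib import Path

# Assumption: these directories hold only static assets on this site.
STATIC_DIRS = {"css", "js", "images", "fonts"}
SCRIPT_SUFFIXES = {".php", ".phtml", ".cgi"}


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_against_manifest(root, baseline):
    """Compare the live tree to a known-good manifest.

    Returns a dict of sorted lists: added, modified, removed, and
    suspicious (added script files sitting inside a static-asset directory)."""
    current = build_manifest(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    suspicious = [
        p for p in added
        if Path(p).suffix.lower() in SCRIPT_SUFFIXES
        and set(Path(p).parts[:-1]) & STATIC_DIRS
    ]
    return {"added": added, "modified": modified,
            "removed": removed, "suspicious": suspicious}


def demo():
    """Constructed scenario: snapshot a clean site, then plant and alter files."""
    root = Path(tempfile.mkdtemp(prefix="site-"))
    (root / "css").mkdir()
    (root / "css" / "style.css").write_text("body { margin: 0; }\n")
    (root / "index.php").write_text("<?php echo 'welcome'; ?>\n")
    baseline = build_manifest(root)  # snapshot taken while the site is clean

    # Simulated compromise: an inert placeholder file (constructed for the demo)
    # dropped into css/, and a change to an existing page.
    (root / "css" / "css.php").write_text("<?php /* planted placeholder */ ?>\n")
    (root / "index.php").write_text("<?php echo 'welcome'; /* altered */ ?>\n")
    return diff_against_manifest(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the manifest is written to a file kept off the web server (a hash list on the server can be edited along with everything else), and the comparison runs as part of the regular maintenance the post describes; any entry in `added` or `modified` that nobody on the team can account for is something to look at.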
So how do you protect your site? There’s good news. There are steps you can take that will go a long way to keeping your kingdom secure. Even if you’re not super tech-savvy. Let’s start with a few that everyone can handle, and then, in a second post, I’ll give you a list of more technical steps that your tech team, internal staff or a contracted external team, should be regularly handling for you.
The first step in site security is adjusting your way of thinking.
Understand that Your Site REQUIRES Maintenance
Your site has moving parts that require regular maintenance. A site without maintenance is like a car without maintenance. It will eventually break down. Thankfully your car won’t run a phishing scam or be part of a bot attack while it is motionless on the side of the road. Your site might though.
It is your responsibility as a site owner to ensure the site is up-to-date. Do it yourself, assign internal resources or pay external resources, but it must be done. This protects you, your reputation, and your users.
Enforce a Password Policy
The weakest link can easily be a user with the password P@$$w0rd. Or 1234567. I would love to say this is just silly and no one does this. That is not the case, and I see it on the reg.
Remembering complex passwords is hard for people. Instead, remember one complex password: the one for a password manager like LastPass, which generates and stores the rest. On top of that one complex password, turn on 2-factor authentication to increase protection.
- Passwords should be random
- Contain at least 12 characters
- Consist of letters (upper and lower), numbers (upper and lower), and special characters.
(Just kidding about the “upper and lower” numbers. Making sure you were paying attention.)
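To make the rules above concrete, here is an added example (not code from the original post) that checks a password against this policy, using a small constructed list of weak passwords, and generates a random one from the OS randomness source that is guaranteed to pass. The minimum length and the set of special characters are assumptions chosen for the example.

```python
"""Password-policy check and generator for the rules above: random, at least
12 characters, upper- and lower-case letters, digits and special characters.
Added example, not from the original post; the weak-password list and the
special-character set are constructed assumptions."""
import secrets
import string

MIN_LENGTH = 12
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?/"

# Constructed sample of weak passwords, compared case-insensitively.
COMMON_WEAK = {"password", "p@$$w0rd", "1234567", "12345678", "qwerty123"}


def check_password(pw):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    if pw.lower() in COMMON_WEAK:
        problems.append("on the weak-password list")
    return problems


def generate_password(length=16):
    """Random password from the OS CSPRNG that always satisfies check_password."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, SPECIALS]
    alphabet = "".join(classes)
    # One character from each class so every rule is met, the rest from the
    # full alphabet, then shuffle so the class order leaks nothing.
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    for candidate in ("P@$$w0rd", "1234567", generate_password()):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The generator uses `secrets` rather than `random` because the policy's first rule is that the password be random in the sense that matters: unpredictable to anyone who does not have it. A password manager does the same job with a much larger alphabet and no need for the user to remember the result.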
Choose a Reputable Host Provider
There are many hosts out there. Do your research and make a decision based on both price and security (too often the focus is just on price). Read reviews, ask around, get a recommendation from your technology partner. Overall, managed plans are typically best for small businesses. A technology partner with experience has likely seen the effects of hosting on one platform versus another.
So. Review your passwords and your host provider, and next time I’ll have a rundown of the monthly maintenance your in-house or contracted tech team SHOULD be doing for you.