Prioritizing Website Security
Every so often, you will hear in the news of a number of big websites being compromised by hackers, and it may seem like these are rare occurrences. In actual fact, thousands of websites are attacked every day, and some of these attacks are fatal to the site.
It's just that apart from the owners of the compromised websites and the people who frequent them, not many people get to hear of these attacks. Website security is a critical component of owning and running a website and it is crucial that every website owner should prioritize website security.
Website Security Is Less Personal
In the Security And Safety Risks On The Web blog post, I wrote about security concerns for an individual whilst on the web. This discussion was about personal security. Website security on the other hand is less personal.
Because website security is one step removed from the owner of the website, it is easy for the owner to feel detached from it. It is for this reason that extra attention needs to be paid to website security; otherwise it is at high risk of being neglected.
Just as personal web security requires vigilance and taking the appropriate precautions, website security is also a matter of being vigilant and pre-emptive. Website owners need to educate themselves about the steps necessary to ensure that their website is safe from malicious attacks.
Forms Of Attacks Out There
The first step in prioritizing website security is to educate oneself about the forms of attack that pose a threat to a website. It is only after understanding what forms attacks may take that the necessary steps to mitigate them can be taken.
In general, websites are attacked for two major reasons: weak access control and software vulnerabilities. Access control deals with who gains access to a website or its underlying network environment, and how, whilst software vulnerability is concerned with security holes in the software running on the website.
Access Control Vulnerability
The biggest risk with access control is the people who are rightfully given access to the website in the first place. People are prone to errors and sometimes do not follow protocols, which leaves a website vulnerable to attack by hackers. What often happens is that people are tricked by hackers into providing access to a website's system through bait in emails and promotional links.
There is a popular attack method that exploits weak access control, called a brute force attack. In a brute force attack, the hacker bombards a website's login with possible username and password combinations until one of them works.
The combinations used in a brute force attack may come from a specialized script that tries candidates by continuous trial and error until a match is found. Alternatively, the hacker may compile a list of candidate passwords from the words used on the website itself. This is why it is prudent to always use strong passwords.
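The defensive side of the brute force attack described above is spotting the burst of failed logins before a guess succeeds. The following is an added example, not code from the original post: it runs a sliding-window failure count over constructed login-audit lines (the log format, field names and threshold are assumptions) and also records whether a success followed the burst, which is the strongest sign that a guessed password worked.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of login-audit lines for illustration (not real traffic).
SAMPLE_LOG = """\
2024-03-01T10:00:01 ip=203.0.113.5 user=admin result=FAIL
2024-03-01T10:00:03 ip=203.0.113.5 user=admin result=FAIL
2024-03-01T10:00:04 ip=203.0.113.5 user=admin result=FAIL
2024-03-01T10:00:06 ip=203.0.113.5 user=admin result=FAIL
2024-03-01T10:00:07 ip=203.0.113.5 user=admin result=FAIL
2024-03-01T10:00:09 ip=203.0.113.5 user=admin result=OK
2024-03-01T10:05:00 ip=198.51.100.7 user=editor result=FAIL
2024-03-01T10:09:00 ip=198.51.100.7 user=editor result=OK
"""

# Assumed log line layout: "<iso timestamp> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")
THRESHOLD = 5                  # failures inside WINDOW that raise an alert
WINDOW = timedelta(minutes=1)

def parse(log_text):
    """Yield (timestamp, ip, user, result) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            yield datetime.fromisoformat(ts), ip, user, result

def detect_brute_force(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per source IP that reaches `threshold` failed logins
    within a sliding `window`; the alert notes if a success followed."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged = {}                  # ip -> alert dict (first alert per ip only)
    for ts, ip, user, result in parse(log_text):
        if result == "FAIL":
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = {"ip": ip, "user": user,
                               "first_seen": q[0], "success_after": False}
        elif ip in flagged:
            # A successful login right after a burst of failures suggests
            # the guessing worked; this account needs a forced reset.
            flagged[ip]["success_after"] = True
    return list(flagged.values())
```

A lockout or rate limit keyed on the same counter stops the burst at the login handler; the detector here is what tells you it happened.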
No software is ever perfect; that's why we get continuous updates for the software we use.
Unless a website is basic and thus only static, it is most likely running on a database. The way the website's software builds queries for that database follows predictable patterns, which hackers can exploit to gain access to the database through an attack called SQL Injection.
In an SQL Injection attack, hackers literally “inject” code into the database queries, forcing the database to reveal private data such as login credentials. Once these credentials have been exposed, the hacker can use them to locate vital information such as credit card details or simply alter the website's content.
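The injection described above comes down to how the login query is built. As an added example (not code from the original post), the vulnerable pattern and its hardened form are shown side by side against a constructed in-memory SQLite table; the table layout and the sample credentials are assumptions, and a real login would fetch the stored hash and verify the password with a slow password hash rather than compare strings in the query.

```python
import sqlite3

def make_db():
    """Constructed in-memory user table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    return conn

def login_vulnerable(conn, username, password_hash):
    # String concatenation: user-controlled text becomes part of the SQL
    # statement itself, so quote characters and comment markers in the
    # input change what the database is asked to check.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password_hash = '" + password_hash + "'")
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, username, password_hash):
    # Parameterised query: the driver passes the values separately from the
    # statement, so input is only ever compared as data, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone() is not None

def compare_behaviour():
    """Run both implementations on a legitimate login and on a malformed
    username that contains a quote and an SQL comment marker."""
    conn = make_db()
    good = ("alice", "hash-of-alice-pw")
    malformed = ("alice' --", "wrong")   # closes the quote, comments out the rest
    return {
        "vuln_good": login_vulnerable(conn, *good),
        "vuln_malformed": login_vulnerable(conn, *malformed),
        "safe_good": login_safe(conn, *good),
        "safe_malformed": login_safe(conn, *malformed),
    }
```

The vulnerable version accepts the malformed username because the password check has been commented out of the statement; the parameterised version simply finds no such user.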
Cross-Site Scripting, or XSS, is an attack in which the attacker injects malicious code into a vulnerable website. In this case the website itself is not the target of the attack; its users are.
File Inclusion attacks make use of vulnerabilities in the software on a website to execute malicious code, either a file already on the website or one hosted remotely, in order to launch an attack.
Why Do Hackers Do It
The motivations for hacking are wide and varied, ranging from highly motivated individuals with a score in mind to bored computer enthusiasts. For the highly motivated individual, the prize can be valuable data such as credit card details, whilst for the bored enthusiast it can be as simple as a personal challenge. Other motivations are to deface a website by changing the message it gives or to populate it with spam.
Getting A Website Secure
After learning about the vulnerabilities out there, the next step is to apply security measures against each one.
Dealing with access control vulnerabilities is for the most part just a matter of practising good personal web security measures for all individuals with privileged access on the website. This means having and maintaining a good password policy in terms of length and required characters.
Software vulnerabilities are best addressed by making sure that all the software that runs on the website is up to date and that regular patches are applied to the website database. Updating the database server is the responsibility of the web host, therefore getting a reputable and professional host is critical.
Additional security software should also be installed on the website to actively block malicious attacks, including a firewall mechanism. Some security software can also disguise the URL of the control panel for popular CMSs such as Joomla or WordPress, making it harder for attackers to find.
Prevention Is Better Than Cure
In my early days as a web designer and developer, I had several of the websites I was responsible for hacked. Believe me, if you haven’t encountered it yourself, it is not a pretty sight. Recovery is a stressful and costly affair which can be prevented through vigilance. Remember, prevention is better than cure.
What are your thoughts on website security or personal security on the web? Let us know in the comments below.