The majority of website attacks against SMEs remain undetected because of the high level of sophistication of these attacks, as well as the low level of security awareness among the victims. We'll explore here why web security incidents happen and how to deal with breaches.
There are three main types of attacks: targeted attacks, semi-targeted and untargeted attacks. The targeted attack concept is very simple – the final target of hackers is your website (or any other technical infrastructure).
You may become the victim of a semi-targeted attack if your web server is hosted in the same subnet of a large data centre as a large company's server, which is the attackers' final target.
The third category is untargeted attacks, which are the most common today in the SME sector. Each byte of information has its price on the black and grey markets. In untargeted attacks, hackers make money on very large quantities of data, not quality.
As this article focuses on SME security, I will omit technical details on web hacking techniques (such as XSS and SQL injection), and instead will focus on the general security errors that lead to vulnerabilities, which are then exploited by hackers.
One of the oldest and simplest problems is default or weak passwords used to access the admin interfaces of web applications. Another related and very widespread problem is a default admin panel location, such as "/wp-admin/" or "/administrator/", which can turn even a single simple XSS (Cross-Site Scripting) vulnerability into a successful compromise. Password reuse is also a very common and dangerous practice. Move the admin panel away from its default location and select strong, unique passwords to avoid these risks.
Another common problem is old and outdated software. Ensure that open source CMS such as Joomla, WordPress or osCommerce and associated modules and plugins are up-to-date.
Be careful when using third-party customised code that is not trusted by a large community of users. There are many examples of seemingly secure websites compromised through installation of a "Simple Online Poll v0.1" coded by inexperienced developers.
Ensure adequate access control. Don't share passwords - once they are compromised your website will follow. Consider limiting access to admin panels to specific IP addresses or at least to specific sub-networks (if you have no fixed IP). Ensure that, on your web server, file permissions are correct and other users (if any) cannot read your files.
The security of any web hosting service is also important. When selecting a hosting company, consider the company's reputation, the support offer (it should have a competent security team ready to react rapidly) and the provision of daily backups. It's very important to have a "clean" copy of your website without a backdoor in its source code. Backup of access logs is vital for security investigators during the incident forensics process.
Finally, ensure that all of the software used by your hosting company is regularly updated, otherwise any measure taken by you will be pointless.
Upon discovering a hack, notify your web hosting company and temporarily shut down your website, change all passwords (FTP, cPanel, MySQL, SSH, etc.) and ensure that no additional accounts were added.
After the hackers have been prevented from accessing your website, start the investigation process. Firstly, copy access logs to secure local storage - they will help to determine how hackers got in and trace the attackers.
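As an added example (not part of the original article), the script below shows the kind of first pass an investigator makes over the saved access logs: it parses combined-format lines and flags requests to the default admin panel paths mentioned earlier that come from outside the office network that is supposed to be the only one allowed in. The log lines, the admin paths and the allowed network (203.0.113.0/24) are constructed placeholders to adapt to your own site.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format (not from a real server).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "GET /wp-admin/plugin-install.php HTTP/1.1" 200 8800 "-" "python-requests/2.31"
192.0.2.55 - - [10/Oct/2023:14:01:12 +0000] "GET /administrator/ HTTP/1.1" 200 2100 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Assumed admin-panel prefixes (the defaults the article warns about) and the
# assumed allowed office network; adapt both to your own setup.
ADMIN_PATHS = ("/wp-admin/", "/wp-login.php", "/administrator/")
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_allowed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)

def find_admin_access_from_outside(log_text):
    """Return admin-panel requests whose source IP is outside ALLOWED_NETS."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(ADMIN_PATHS) and not is_allowed(rec["ip"]):
            hits.append(rec)
    return hits

def summarise(hits):
    """Per-IP counts, so repeated login attempts followed by a 302 (success) stand out."""
    return Counter(h["ip"] for h in hits)

if __name__ == "__main__":
    suspicious = find_admin_access_from_outside(SAMPLE_LOG)
    for h in suspicious:
        print(f'{h["ip"]} {h["time"]} {h["method"]} {h["path"]} {h["status"]} "{h["agent"]}"')
    print(summarise(suspicious))
```

In the sample, the three POSTs to /wp-login.php from 198.51.100.7 ending in a 302 and then a plugin-install page are the pattern worth reading in full, which is why the per-IP count matters more than any single line.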
It is important to understand whether an attack was targeted or untargeted. By understanding the attackers' motivation, you will be able to predict what they did (or at least what they aimed to do) and start an investigation from the right point. Contact a security company or a CERT (Computer Emergency Response Team) for assistance in the forensics process. Also, your web hosting company should be able to analyse logs and abnormal activities around your website. As soon as you can reconstruct an image of the security incident, take the following steps:
1. Ensure that the vulnerability or weakness is patched. Only after this step is completed should you run your website online again, otherwise you risk facing a second compromise.
2. If your customers' personal data was compromised, notify them and ask them to change all of their passwords as soon as possible. Assure them that you are taking the incident very seriously, an investigation is in progress and that you will do your best to ensure that it will never happen again. In many cases, a personal notification to each concerned customer is enough. There is no need to send a massive notification to everyone if only a couple of customers' accounts were compromised (just make sure that you are not mistaken about the scope of the incident!).
Depending on your country's legislation on cybercrime, you may wish to make a criminal complaint against the attackers even if they are hidden behind a chain of proxy servers.
It is always very useful to have your web application tested by an external security company or expert. Consider on-demand website security assessment SaaS (Software as a Service) solutions, which provide you with simplicity, flexibility and cost-efficiency. Two good guides giving advice on the selection of security assessment vendors/providers are written by analyst Alexander Michael: "You may think you have never been hacked... you just have not realized it yet" and CSO Viktor Polic: "The quest for weak links in information security".
To be efficient, your security audit must be run by a totally independent, external and vendor-neutral company, as even the best security expert may miss holes in a system that he configured.
If you are planning to conduct an in-depth penetration test of your website or web application, I would suggest reading Frost & Sullivan's market research and watching its video entitled "The Importance of Ethical Hacking", which provides the reader with a simple and clear guide on the selection of a penetration testing company.
Ilia Kolochenko is CEO of High-Tech Bridge SA