Website Security and how to make your website more secure
[Start of transcript]
Just waiting for the last couple of stragglers to come along. We’ll get stuck into it exactly at 12 mid-day, and it should only take about 20-25 minutes to get through this, but it will also give you a bit of feedback on what’s happening, what you can do and how you can do it.
Good afternoon. Today’s Lunch and Learn is part of a series on digital security, but we’re not really looking at digital security from a vendor point of view, we’re looking at a digital security component that is designed to protect your business, and why you need to protect that component of it.
So today’s Lunch and Learn is “Why is my website a target of hackers?” And we’re just going to go through what the bad guys are doing, why we have websites, how they target your website, how they get in, what their end game is, and how do you stop it from happening to you, and then we can have a conclusion and questions and answers after that.
Why do YOU have a website?
Well, for most of us, it’s to get information out to the public. We have a product or a service that we want people to know about, so we have a website that tells everybody what we do. It can be either static or dynamic; it doesn’t really matter. It’s just information.
Or, we could be running an e-commerce site, and that e-commerce site would generate revenue for the business. And in some cases, there are a lot of businesses that are purely based on e-commerce, so it’s very important that their website is really, really secure.
E-learning and education
Another component is e-learning and education, which is now on the rise, because it’s a lot easier and more efficient and effective to deliver learning to the general public over the digital world.
And then of course, we’ve got the blogging. And everybody, if they have a website now, is being told that they need to create content that goes on that site, and the best way to do that is to talk about either your products or your services in such a way that people will interact with what you’re talking about.
Blogging websites have been broken down into a number of CMSs, or content management systems, so that you can have total control over what you do. And we’re finding that WordPress, Joomla and Drupal are probably 70% of what people are using in the digital world as a blogging platform.
Who is targeting your website?
So, who and why are they targeting your website? Well, there are three distinct, I suppose, animals that are out there, that are targeting your website.
There’s the script kiddies. Now, the script kiddies are people who are anywhere between 9 and 25 years old. They’re the up-and-comers. They’re thinking this is a lot of fun, and they use automated systems that they’ve downloaded from the cybercrime gangs. And those systems can be free, or they can cost a lot of money. One of the better ones is a Russian component that you can buy for $4,000 Euros. And that will give you the capability to start up your own business as a hacker.
We then have the hacktivists. Now, the hacktivists are the people who actually annoy the crap out of you. You’ve done something in your business and they didn’t like it, so they’re now in a position to be able to try and access your website. They’ll deface it. They may or may not steal information, but their whole role is to bring presence to what they don’t like about you.
And then, we’ve got the black hat hacker, the true blue person who wants to steal information or steal money from you. And they are the ones who are probably 0.001% of the all-encompassing class of digital criminal. And these are the people who live and breathe breaking into your website.
What do they want?
Well, we all know they want money, and they’ll go out of their way to steal either information or they’ll steal money from you if they can.
But they’re also after your intellectual property. Your intellectual property which is really important for how you do business and intellectual property that you keep on your website that is under lock and key either through an e-commerce gateway or other ways of controlling access to the system. So in other words, if you’ve got a PDF up there that you want to sell, your intellectual property is that you are selling that PDF as part of your business.
But one of the main things, and people do not realize this, is that the bad guys want to steal access, or gain access to your website so they can infect visitors who are coming to your website. So they can upload malware to your website so that everybody who accesses your website has the complexity of being infected when they leave. And that is one of the reasons why the websites that we have are big targets for the cybercriminals.
How do they get in?
So, how do they get in? Well, they get in a number of ways.
Unpatched systems is one. If you’re running things like WordPress or Joomla, or Drupal, you will be constantly told that you need to update certain components of the website, because new components have been released to patch areas where you may have a vulnerability.
We also have insecure practices. Now, an insecure practice is when you initially install and set up your website and it comes up and goes, “What do you want to use as the administrator password?” And a lot of people will put in admin/admin.
Those automated systems that are run by the script kiddies are actually looking for websites that have admin/admin as username and password. That is an insecure practice that we really need to stamp out. If you’re going to build a website, you have to think along the lines of it has to be secure from the moment you put it together.
And those insecure practices, you may have put in admin and admin as username and password. You’re quite happy with the way the website’s going. You’ve now got an e-commerce site that is based on that website, with the username and password of admin and admin, and that is not a really good place to be because that is what the bad guys are targeting.
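The automated systems described above leave a recognisable trace in the web-server access log: a burst of failed logins against the administrator login form from one source. The following is an added example, not code from the talk or from R&I ICT Consulting Services: it parses constructed access-log lines in the common "combined" format and flags any source with a burst of failed POSTs to the login path. The login path (`/wp-login.php`), the burst threshold and the window length are assumptions; the observation that WordPress answers a failed login with a 200 (re-rendered form) and a successful one with a 302 redirect into `/wp-admin/` is how WordPress behaves.

```python
"""Flag bursts of failed admin-login attempts in web-server access logs.

Added example, not from the talk. The log lines are constructed, and the
login path, threshold and window are assumptions to adapt per site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one scanner (203.0.113.7) hammering the login form,
# and one legitimate editor (198.51.100.4) who mistypes once, then logs in.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
198.51.100.4 - - [10/Oct/2023:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:12:00:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9211 "-" "Mozilla/5.0"
"""

# Apache/Nginx "combined" log format: ip ident user [timestamp] "request" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_login_bursts(log_text, login_path="/wp-login.php",
                      threshold=5, window=timedelta(seconds=60)):
    """Return {ip: count} for every source that produced at least `threshold`
    failed logins within any `window`-long span (sliding window per source)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # A failed WordPress login re-renders the form with status 200;
        # a successful one redirects (302) into /wp-admin/.
        if rec["method"] == "POST" and rec["path"] == login_path and rec["status"] == 200:
            failures[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, n in find_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins inside one window")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; the editor who mistyped once is not reported, the scanner is. The same counting approach, keyed on the username field of your application log instead of the source IP, shows whether an account literally called `admin` is being tried, which is the cue to rename it.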
And as I said, the digital criminal is no longer someone who we think is going to be relatively stupid, because they are very good at building our trust. They are very good at targeting us individually or as a group, and they go out of their way to make sure that along the way we are trusting them. Their trust comes down to social media, comes down to emails that we may have received from them. All of this is building trust within you and them.
The last thing that will allow them to get in though is a technology failure. Again, this is something that we keep an eye on, because the underlying system that your website is built on is built on technology.
A technology failure might also mean we haven’t closed a port on the firewall that goes to the website, or we’ve got problems with technology, or we’re being targeted by a degauss attack. Because they know that if a degauss attack is targeting your e-commerce site, then it’s not going to be able to deliver money to you.
What is their end game?
So what is the digital criminal’s end game? Their end game is to get as much out of you as they can.
So they are there to steal everything. And when I mean they steal everything, they literally do go out of their way to steal everything. So they want your database. They want your access to your PayPal system. They want to be able to steal whatever they can from you. And if you’ve got things behind payment gateways and firewalls, and all that sort of stuff, they want to get at that. And that is why they go out of their way to target your website.
Compromise your visitors
But most importantly, they want to compromise your visitors. If you’re getting a lot of traffic, let’s say 20,000-30,000 unique visitors a week, and they compromise your website, then every one of those 20,000 visitors that come to your website leave infected. And that is why they go out of their way to make sure that they are targeting websites.
A compromised website can damage:
If you get compromised, your website is hacked, and either through a script kiddie, which is not so devastating as other ways, but if you get hacked by a hacktivist or a full-blown hacker, then you are going to have damage that you are not going to understand how to fix.
For one, it will damage your reputation. And by damaging your reputation, in the digital world, reputation is everything. And although we may think that yes, we’ve been hacked and we know. We’ve fixed the problem and we’re going to go back after the general public again with the same product and the same line. We’ll find that our reputation is now tarnished. Because it’s been tarnished, the chances are that fewer people will now come to you.
But another thing a compromised website will do is impact cash flow, especially if you’re in an e-learning situation or an e-commerce situation, because you are in that situation that allows you to do whatever you need to do.
So if you get a compromised website and all the cash that you’re making is suddenly not going to your coffers but going to the bad guys, then you have a serious cash flow problem. That way, you now have something that you really need to do something about.
In addition to cash flow, it will impact your productivity. And I’m talking about whether you can build the widgets that you are selling on the site, on your website, and the productivity component of it is again another impact on your business.
What can you do to stop it happening to you?
So what do we do to stop it, and how do we stop it happening to us?
Patch it all
Well, one of the things we have to do is patch it. WordPress comes out with an update probably once every two or three weeks, and it will come up on your website saying you need to install the newest update.
It gets pretty annoying because it knows that if you don’t patch it then your system and your website are vulnerable. So you need to update your systems as often as required. But that also means you have to update your plugins and your widgets, and everything else that goes with either WordPress, or Joomla, or whatever other systems.
And if you’ve got a system that has been made by someone else, there better be a security component to it. Because if it’s been built on something that only one or two people have access to or have an understanding of, you still need to make sure that it’s not vulnerable to being hacked.
Process and policies
You also need to put in policies and procedures, and processes. How often do you visit your website? How often do you visit not only the front end but the back end? How often do you actually go to the home page of your website?
If you do go to your home page of your website, are you taking notice of things that aren’t working, aren’t doing what they are supposed to be doing, or that information is stale and old, and needs to be updated?
That also means the policies and procedures that you put in place for people who are actually updating the website themselves. If they’re installing a widget on a WordPress site, have you got specific criteria for why it’s being installed?
Those specific criteria might include that it’s got to have more than 4 ½ stars before you’re allowed to use it, and it’s got to have been around for more than a year, and it’s got to have more than 10,000 users. Now those criteria would make it very hard for someone to compromise your system through a plugin.
Complicated username and password
As I said, when you set up a WordPress site, it asks you for a username and password for the administrator. The best thing you can do is not only use a complicated password, but use a complicated username. For instance, admin_joeblow_123. And then you need to remember the password and the username, because otherwise you won’t get into your system.
Restrict or manage comments and users
Most people have blogs, and if they’re blogging they are looking for comments or input from other people. The bad guys also know this, and there are times when you’ll get a lot of crap coming through your website, because you’ve got comments enabled but people don’t have to log in and use a username and password.
And that’s a restriction that you need to put in place if you’re going to accept comments. If you’re going to accept comments, the reason why you need a username and password is so that you go to the second step of not having the automated systems putting information into your comments on blogs.
And also, your users have usernames and passwords and you can enforce complicated passwords on them as well just to be on the safe side. But if they’re adding to a comment or if they’re blogging individually on your website, those people also need to have a decent username and password.
Wherever possible, try to make sure that the data is encrypted. Because if it’s encrypted, then if someone does break in and steal, for instance, your database of users and commenters, that information is very hard to get out of that database. On top of that, if you’re encrypting the information, whether it’s coming or going, there’s no chance of being eavesdropped on and that information being picked up.
But encryption also goes to locking down your system as well. So two-factor authentication. Because with two-factor authentication, you use a username, a password and something else. To me, that is a lot more secure if you’re going to have a very productive website that is going to do things for you.
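Two of the controls above are easy to show in working code: enforcing a decent password on every user who can log in or comment, and the "something else" of two-factor authentication. The block below is an added example, not code from the talk, from WordPress, or from R&I ICT Consulting Services. The password policy (minimum length, character classes, a small deny-list of defaults that scanners try first, and no username inside the password) is an assumed policy; the second factor is a time-based one-time password implemented from RFC 4226 (HOTP) and RFC 6238 (TOTP), and the shared secret `12345678901234567890` and expected codes are the RFC 6238 test vectors, so the implementation can be checked against a published answer.

```python
"""Password-policy check and a TOTP second factor (RFC 4226 / RFC 6238).

Added example, not from the talk. The policy thresholds and deny-list are
assumptions; the TOTP key and expected codes are the RFC 6238 test vectors.
"""
import hashlib
import hmac
import struct
import time

# Assumed policy: 12+ characters, at least three character classes, and
# none of the defaults a credential scanner tries first.
MIN_LENGTH = 12
DENY_LIST = {"admin", "password", "admin123", "letmein", "welcome1"}


def password_problems(password, username=""):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        problems.append("fewer than three character classes")
    if password.lower() in DENY_LIST:
        problems.append("on the deny-list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a 31-bit integer, reduced to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, at=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret, code, at=None, step=30, digits=6, skew=1):
    """Accept the current time step and its +/- `skew` neighbours so that a
    phone whose clock drifts slightly still works; compare in constant time."""
    at = time.time() if at is None else at
    counter = int(at // step)
    submitted = str(code).encode()
    return any(
        hmac.compare_digest(hotp(secret, counter + d, digits).encode(), submitted)
        for d in range(-skew, skew + 1)
    )


RFC_KEY = b"12345678901234567890"  # shared secret from the RFC 6238 test vectors

if __name__ == "__main__":
    print(password_problems("admin", username="admin"))
    print(password_problems("Correct-Horse-Battery-42", username="joeblow"))
    print(totp(RFC_KEY, at=59))   # RFC 6238 vector at T=59: 287082 (6 digits)
```

In a real deployment the secret is generated per user, shown once as a QR code and stored server-side; the server then calls `verify_totp` with the code the user types after their password. Rejecting `admin` both as a password and as part of one is the same point the talk makes about `admin/admin`: it is the first thing the automated systems try.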
Use a web gateway
The last component that you can do for your website is to use a thing called a web gateway. Now, your web gateway literally is a gateway on the internet that captures all the traffic coming to your website. There are companies that actually sell the product of a web gateway. We’re not one of them, but what we have found is a web gateway cuts down probably 99% of people targeting your website. Everything else is still functional, but the bad guys have a lot of trouble getting past that gateway to get to your website itself.
So in conclusion, the bad guys are out there. Don’t get me wrong. They are out there. And they want access to your website to not only steal from you, but to also target your visitors. So make sure you protect your website the same way you protect any other digital system, because if you do that, if something that we initiate to get to the point where you’re protecting your business, then you also understand that we are protecting our clients, our people who are coming to our website.
So that’s the conclusion. My name is Roger Smith. I am an Amazon #1 author on cybercrime and digital security. I am also the CEO of R&I ICT Consulting Services, and I am a speaker on the digital world and how normal users need to be aware of the dangers and how they can take appropriate action.
[End of transcript]
Roger Smith is the CEO of R & I ICT Consulting Services, Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and author of the SME Digital Security Framework. Rapid Restart Appliance Creator. He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world.