(Video) Why is your website a target of hackers?

Why your website is a target of hackers. We’re being very loose with the term hacker, because there are a number of different kinds of people out there in the digital world who get called “hackers.”

We’ve got three types really.

  • The main one, and probably the most common, is the script kiddie. The script kiddie is the wannabe: the 14-year-old teenager who sits in the back room on a computer and thinks he’s a hacker. They download an application from the internet from a very unsavoury site and install it on their computer, which then makes them part of a bigger system used to attack other people. And then they quite happily go off and target people on the internet.
  • The second is the hacktivist. Hacktivists can be that same teenager, but they are also interested in pushing their own particular wheelbarrow. They are interested in defacing websites, compromising people or finding out information about people. Generally they don’t want to break anything, although some of them do, but they are more interested in raising awareness about whatever cause they care about.
  • The third one is the true full-blown hacker. These are the guys, probably .001% of the people who consider themselves hackers, who are actually in it for the money. They are in it to disrupt and compromise things as much as possible.

So what are all these people after? It doesn’t really matter which they are, from a script kiddie to a hacktivist to a hacker.

Why do we have websites?

Well, in most people’s eyes, and this is thinking from the last 5 years, a website is your little piece of the digital world, somewhere people can come to get information about who you are, what you do and what you have to sell.

The second part of a website is a blogging website, where the content is changing all the time. You are putting videos up, you’re doing blogs. You’re getting your message out to the real world and getting other people to associate with you, join your tribe, get people interested in what you’re doing.

And the last part of having a website is as an e-commerce platform, so you can sell stuff. You get people interested in your product through the blogging, they come to your website, and they will then purchase something.

We know what the cost of a website is, but the cost of a website is only part of the equation. We are looking at protecting not only the www component of your website; if you’ve got a hosting platform where you’re using cPanel, then you have to make sure that doesn’t get compromised either.

You’re trying to make sure that logging onto that digital location is really secure.

So what are the bad guys, the hackers after?

Well, primarily, and this is only one of a large number of things, they’re after money. They’re after your money, they’re after other people’s money, and they’re after access to money. So credit card details are one of their biggest targets. If you’ve got an e-commerce site that takes credit card details, you have to make sure that they’re not collected in a way that lets other people use them.

They are also after intellectual property and trade secrets. There was a company in 2010 who made metal detectors, and they used them to detect metal. One of their salesmen went to China, logged onto a free Wi-Fi, had his laptop compromised, and they stole the blueprints to the metal detector.

The people who stole the blueprints sold them to another company. That company started building replica metal detectors, and from there they undercut the original price. The funny thing was that the original makers of the detectors didn’t realise they’d been compromised until some of the replicas made by the other manufacturer started coming in as warranty issues.

But more importantly, the hackers are after your visitors. You’ve done all the hard work, you’ve used your SEO or pay-per-click money to attract people, and they are quite happily coming to your site regularly. If your website is infected, then it can be used to compromise all those people.

So how do they get access to your website?

Well, in the first case, they do a scan of the digital world. Remember those script kiddies: they are going to find out that you’ve got a connection to it, whether it’s your website, your office or your Office 365, and they are going to find out what your connection is.

All that information then becomes critical to what they do next. How about a little social engineering? They then associate your website with your Facebook, Twitter, LinkedIn accounts, any of your social media platforms that you’re using. Now they can see exactly what you’re doing, who your people are and what your products are.

So you’re actually doing some of the hard work that the hackers need done by having all of that information out there.

I’m not saying you can’t have it out there. I’m saying you have to be very careful about what you put out there.

And then from that, they see if they can compromise your website.

Now, compromising your website is the hard part of the whole process. The steps above are all easy; they’re all done automatically. The next step is to come up with a plan of attack. That usually involves cross-site scripting or malware.

How are we going to go about protecting ourselves from these people who are targeting our websites? Well, one of the biggest and most important things you can do is have complicated usernames and passwords. And they are not only complicated but also unique. They have to be 9 characters long. They have to have letters, numbers and symbols, everything you can think of.

When you install a website through some of the hosting platforms, like the WordPress system, the first thing it does when you press the button that says Install is ask for a username for the admin account. Your admin account is literally the keys to your kingdom. And a lot of people just go admin, password blank. So what you’ve done on the internet is give all of those hackers access to your site without them even having to do anything in particular.

The script kiddies don’t have to do anything, because the first thing they’re going to do with their automated systems is try admin with a blank password, admin with password, or admin with 12345.

So instead of using admin, you use _29_admin41.

Yes, you have to remember that name. And then you use a complicated password, a really complicated password, 9 characters long, to make sure that people cannot get in there.

The next thing you have to do for your website, and one of the most important things, is make sure that all of the small applications on the website are up to date. If they plug into JavaScript, or they have a Java component, they need to be updated and patched to make sure that a) they’ve got the most secure version and b) they’ve got the newest version.

So you know that your passwords are in place, and all your systems, including the actual underlying system like cPanel itself or WordPress, are all updated.

Getting down to the nitty-gritty of the website, most people have comments automatically enabled. You might flip the comments through to your social media instead, but if you want comments on your blog site, then you have to make sure that people who come to your site to leave comments are creating a username, creating a password, and leaving an email address that you can then verify.

The fourth component is that if you are logging on to your system, you have to make sure that you’re logging on through a secure connection. It used to be SSL. It’s now TLS. SSL is a method of encryption which is not as secure as TLS, but it still works.

The fifth thing you need to do is no matter what happens, you need to back it up. You never know when your hosting platform is going to have a fire and burn to the ground. What are you going to do if that happens? Are you in a situation where you can build your website straight up and down on another platform?

Or if you don’t like the platform you’re on and you want to move it somewhere else, you have to have a backup of it. Otherwise there’s a lot of work involved.

One thing that people don’t do is visit their site regularly. And I’m talking 1-2x a week, 1-2x a day, but no less than 1x a fortnight. Because you never know when updates need to be applied. You never know whether someone’s left a comment, unless it’s emailing you as well. But if you’re visiting it regularly and you can see what is happening, then you know that the look and feel of the website that you’ve produced is going to stay the same. It’s very important that you see it as regularly as possible.

Getting down to the security component of what we’re talking about, most websites do not have a way of informing you that people have logged on or that something has happened, and there’s no regular scan of the PHP or the SQL. That is what a security module does. The one I’ll talk about here goes onto WordPress, but there are modules that work with HTML and a number of the other CMS systems.

This module is very important. For one, it tells you when people log on, where they’re logging on from, and whether people have failed to log on. So if these people are trying admin, you’re going to get a message, or a consolidated message every day, about the people who have been trying to access your site.
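As an added example, not from the video and not the plugin’s own code, here is a small Python script that does the kind of consolidation described above: it parses constructed login audit lines (the line format is assumed), counts failed logins per username and address, flags attempts against default usernames like admin, and warns about successful logins from addresses you have not seen before.

```python
import re
from collections import defaultdict
# Constructed sample login audit lines: timestamp result username source-ip (format assumed)
SAMPLE_LOG = """\
2024-05-01T02:14:07 FAILED admin 198.51.100.23
2024-05-01T02:14:09 FAILED admin 198.51.100.23
2024-05-01T02:14:12 FAILED admin 198.51.100.23
2024-05-01T03:40:51 FAILED administrator 203.0.113.9
2024-05-01T08:02:30 SUCCESS _29_admin41 192.0.2.77
not a login record, should be skipped
2024-05-02T01:05:44 FAILED admin 198.51.100.23
2024-05-02T09:15:02 SUCCESS _29_admin41 203.0.113.9
"""
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+\s+(SUCCESS|FAILED)\s+(\S+)\s+(\S+)$")
# Default usernames the automated scanners try first (admin/blank, admin/12345 ...).
DEFAULT_NAMES = {"admin", "administrator", "root", "test"}

def parse_events(text):
    """One dict per well-formed line; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            day, result, user, ip = m.groups()
            events.append({"day": day, "result": result, "user": user, "ip": ip})
    return events

def daily_report(events, known_ips):
    """Per day: failed logins per (user, ip), default-username attempts, logins from unknown IPs."""
    report = {}
    for e in events:
        day = report.setdefault(e["day"], {"failed": defaultdict(int),
                                            "default_name_attempts": 0, "new_ip_logins": []})
        if e["result"] == "FAILED":
            day["failed"][(e["user"], e["ip"])] += 1
            if e["user"].lower() in DEFAULT_NAMES:
                day["default_name_attempts"] += 1
        elif e["ip"] not in known_ips:
            day["new_ip_logins"].append((e["user"], e["ip"]))
    return report

def format_report(report):
    """Render the once-a-day consolidated message as a list of lines."""
    lines = []
    for day in sorted(report):
        d = report[day]
        lines.append(f"{day}: {sum(d['failed'].values())} failed logins, "
                     f"{d['default_name_attempts']} against default usernames")
        for (user, ip), n in sorted(d["failed"].items(), key=lambda kv: -kv[1]):
            lines.append(f"  {n}x failed for '{user}' from {ip}")
        for user, ip in d["new_ip_logins"]:
            lines.append(f"  WARNING: '{user}' logged in from new address {ip}")
    return lines

print("\n".join(format_report(daily_report(parse_events(SAMPLE_LOG), {"192.0.2.77"}))))
```

The set passed as `known_ips` is the list of addresses you normally log in from; anything else that succeeds is worth a look even when no failures preceded it.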

But Sucuri has two more things. They have a one-click secure system. So you install this plugin on your website, and when you hit secure one-click, it locks all of the PHP down and changes some of the permissions to a level where things are still going to work, but they’re a lot more secure.

And if you really want to be secure, and you start to look at other components like e-commerce and payment gateways, then you need to start looking at a proxy gateway. A proxy gateway will cost $20-$40-$60 a month. If you’ve got a regular website that is getting accessed every 2-3 hours, 10-20-30x a day, as a small business you need to start thinking about what these people are doing and how they’re getting to your website.

With a proxy gateway, your www requests come into the gateway and are then physically forwarded to your hosting site. What that does is make this part of your website very secure, because they’ve got to come through the gateway before they can get to your site.

If the gateway itself gets compromised, it’s not a big deal, because there’s no information on that site or in that area of the gateway. But is it going to allow the system behind it to be compromised?

So instead of attacking your site, they end up attacking the gateway, and nothing happens. The information going backwards and forwards between the gateway and your site is under SSL or TLS, so it’s all secure. You then know that your site is going to be relatively secure, and that makes it a lot better for your website itself and for your own peace of mind.

So as I said, they are out there. The cyber criminals are targeting you not because you have something they want, but because you are connected to the internet, and that is really important. It’s a big message to get across. Although you may think you don’t have anything worth stealing, or you’re too small to be a target, or it’ll never happen to you, with the script kiddies, the hacktivists and the real-life hackers targeting your website, just being on the internet makes you a target.

So, although you are a target, you have to try to take yourself off the target list by putting in a few initial systems that will protect you.

Now if you go to our website, linked at the bottom of this page, there is a website security checklist. Just download it, leave your first name and your email address, and it will give you an idea of where your website is and what you need to do to protect it.

If you have any problems, please drop me an email at support@RNIConsulting.com.au.

Thank you very much for your time.

How to increase your business protection by educating your staff against cybercrime

Staff education seems to be one of the strategies that is missing in most businesses when it comes to digital protection. Education can have one of the biggest impacts on the digital security of any business or organisation.

When it comes to protecting your organisation against cybercrime you will always need the basics.

  • a decent second-generation firewall (not something supplied by your ISP or bought from a local retail shop),
  • a centrally managed AV,
  • a secure off-site backup service, and
  • numerous other management components for protecting the organisation.

But one of your best defences against cybercrime is making your staff more aware of the dangers. Technology and management can only go so far, no matter how good or expensive they are.

There is always a chance that the newest threat makes it through all that new technology, and then all you have is a human to protect your business. That staff member is in a position to either question the attack or just follow the normal process and “click on the link”, for instance. Having an educated user in place increases your protection level substantially, because they will be more readily able to question the attack.

Your business induction process is a great place to start. Your organisation’s cybercrime and digital education process should be included in that induction. The process should cover the basics of digital protection and why cybercrime is a problem.

Those basics being:

  • Passwords – using complicated ones, what a complicated password is, how to create them and why they are so important as a first level of protection for your organisation
  • Basics about the Internet and email, including spam, phishing and social engineering
  • Social media and its role in the organisation’s profile, and what can be posted and where
  • Understanding WiFi and VPNs and working in the cloud
  • BYOD and the organisation’s digital policy

Like all education processes, cyber security education is an ongoing process. You need to ensure that staff and users are not forgetting the lessons learned. To do that you need refresher information and reminders that keep the lessons in mind at all times. These can include additional education courses, competitions, posters and anything else you can think of that will keep security front of mind for all users.

Education is also one of the cheapest ways to protect your organisation. A second-generation firewall can set you back thousands of dollars, whereas a basic digital education course can cost as little as $50 per user.

Remember, the bad guys attack you thousands of times, but all it takes is one to get through and your digital system is no longer yours. When that happens, I hope you have an educated user at the other end to question the attack!

Starbucks, free wifi and the bigger security picture!

Recently I had a holiday in Malaysia. The holiday was great, but I realised that there is a severe problem with security, and with people’s attitude towards security, when we sat down for coffee in Starbucks.

Like the rest of the world, the Starbucks franchise in Malaysia has free wifi, free in such a way that you do not even need a username or password to use it. Now for most people this is great, and don’t get me wrong, I sometimes use it, with a lot of restrictions on myself, because I know the dangers that can come from it.

While we were having coffee and I was thinking about the problems associated with this level of access, these two characters walked in and sat down. I was only taking limited notice of them, but my focus changed when they started to pull out some interesting equipment. Apart from the laptops, high-end HP systems, something that would set me back $4 or 5K, they also added a couple of USB devices and started to run them up.

I ignored them for about 20 minutes as we were in a family discussion about what and where to eat (very important in our family for some reason), but I glanced over at the screen and all I saw was a graph that looked very similar to Wireshark; not only that, but it was also logging everything that was going through the WiFi. I normally use Wireshark to track rogue access points within client networks, and what I was looking at was similar.

This brought an idea to me.

One of the easiest ways for someone to steal all of your corporate information, personal information and client information is for you not to be thinking clearly in this type of environment. Those two characters would have picked up any information that was transmitted to any website, SharePoint environment, mail server or CRM that was not SSL protected. That information is in plain text: easy to capture and even easier to use.

All information concerning Facebook, LinkedIn, even Twitter would have been captured, and that included the username and password to get onto the sites. That information, although it may not seem important, could be used very efficiently as a social engineering play to gain more information and create an in-depth profile of you.

Yes, free WiFi is great, but if you are not on one that is locked down with a passcode, then be very careful about where you are going on your device.