Top 5 Reasons Your Small Business Website is Under Attack

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.darkreading.com/vulnerabilities---threats/top-5-reasons-your-small-business-website-is-under-attack/a/d-id/1298211

I was recently looking for a place to board our cat this summer, and one
business had on its home page, underneath the name of the company, the
words “Viagra discounts” in small but legible type. Assuming the company
isn’t branching out from felines to pharmaceuticals, why would this appear
on its website? The answer, of course, is that the company didn’t put it
there, and was probably unaware of it altogether.

When small business owners think about website security at all, their
attitude is usually something along the lines of, “Why would anyone attack
us? We’re not a bank and we don’t store credit card data.” Once the company
sets up its website, it “sets it and forgets it.” It may check its search
ranking once in a while to be sure it hasn’t been blacklisted by Google,
but that’s as far as it is likely to go. However, hackers are attacking
small business websites with increasing frequency and sophistication: In
the cyber-attack ecosystem small business websites are both an attack
platform and an attack target.

Unfortunately, the current upward trend of small businesses managing their
own websites will only amplify this problem. The National Small Business
Association 2013 Technology Survey found that nearly two-thirds of small
businesses maintain their own websites, up 15% from the 2010 report.
Meanwhile the report indicates that 64% of companies consider the time
required to simply maintain the site “a major challenge.”

If you work in, or provide security services to, a small business, below
are five points that you need to understand in order to effectively defend
your website from attack.

5. New vulnerabilities threaten your business every day: Small business
owners need to understand that vulnerability discovery and disclosure is
dynamic. Just because a website hasn’t been updated lately doesn’t mean
that new vulnerabilities aren’t a threat. In fact vulnerabilities in
existing code are more likely to appear on websites that haven’t been
updated. According to anonymized aggregated customer data we analyzed at
6Scan, for companies using Web content management systems this issue is
even more critical. At any given time between 70% and 80% of WordPress
users are running an outdated version which can contain critical, and well
documented, vulnerabilities.

4. Your site is under attack 24/7: Many small business owners check their
traffic figures daily, pleased to see any increase. They might not be so
happy to learn, as we did from our analysis, that, on average, 7% of the
traffic to their site is actively attacking it, attempting to detect and
exploit vulnerabilities. A site that gets 100 unique visitors per day
(placing it approximately at Alexa’s 100,000th most trafficked site) is a
target of two breach attempts every hour of every day -- almost 20,000
attacks per year. With these numbers it’s not a matter of if a
vulnerability will be exploited but when.

3. Hackers are more efficient than ever: Cisco’s 2014 Annual Security
Report referred to hacking legitimate websites as a “high-efficiency
infection strategy.” Once a site is compromised, it turns into an attack
platform, giving hackers the freedom to choose what devices to attack, what
viruses to distribute, even what date and time to launch the attacks for
maximum effect.

Back in my days at Zone Labs (one of the early desktop firewall vendors)
malware email attachments were all the rage. Now bad guys don’t need to go
through all the effort to push malicious attacks with a single payload --
they just hack legitimate websites and the victims to come to them. If they
want to beta test a new iOS exploit, they can run that for a few days. If
they want to build a botnet with proven malicious code, they just pop that
up. The victims will just keep showing up, not knowing the site has been
compromised. This ruthless strategy puts the “viral” back in viral
marketing.

2. Your site -- no matter how small -- is valuable to hackers: There is no
such thing as “too small to hack.” If a business has a website, hackers can
exploit it. Stealing personally identifiable information from users and
visitors is one way they derive value. But even without credit card data,
user/password credentials can be valuable when used as part of a bigger
scam.

Hackers also breach legitimate websites to post phishing pages -- this is
essential to get around anti-spam software that will flag a link to a
blacklisted IP. According to the Websense 2014 Threat Report, 85% of all
malicious Web links are hosted on hacked legitimate sites. A third way
attackers can use a hacked site is to host malicious content used in
phishing scams.

1. Your reputation gets hacked as well: Being blacklisted by Google damages
a small business’s brand, but it pales in comparison to being used as a
platform to attack its business partners -- and this is not a spy-movie,
spear-phishing scenario. Last year the networks of Facebook, Twitter,
Microsoft, and Apple were compromised in “watering hole” attacks. In these
attacks, cyber criminals hacked into small business Web sites that are
known to be frequented by employees of the targeted companies. These
specific attacks focused on small mobile application developers, but the
model works for any industry.

The days of small businesses putting up a few web pages and relying on
“security through obscurity” to protect them are gone forever. Hackers have
great incentive to unleash sophisticated -- and often highly automated --
attacks on even the smallest sites. Small business stakeholders must begin
to regard website security as a necessary part of operating in an online
world, or their customers and partners will pay the price.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!