BreachExchange mailing list archives

Don't shortchange website security


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 11 Jan 2016 17:42:08 -0700

http://www.lcsun-news.com/story/money/business/2016/01/11/dont-shortchange-website-security/78305264/

I didn’t appreciate the threat of website-hackers until I really had to
deal with them. At the time I was the director of web communication for a
certain state university. At the time we had a great group of staff that
directed and maintained our servers, and they were really sticklers for
security. In fact we often argued about the lengths they went through to
keep the servers safe, which often made my duties more difficult as I
navigated the various firewalls and secure logins to perform updates and
maintenance.

But then one day, as I was looking for a file buried deep in the labyrinth
of directories for the website, I ran across an oddly named folder: Viagra.
Then another, this one called Cialis. In fact, tucked into this obscure
directory were dozens of other directories all given names of popular
prescription drugs.

I called the server administrator in charge and asked him about these
directories. He was quiet for a moment and said simply, almost sadly,
“we’ve been hacked.” The hackers had set up a complete online pharmacy in
our site. It was pretty eye-opening.

The result took our website down for a short time and the server team spent
hours cleaning up the hacker code from the website directories and
database. But it taught me how persistent hackers are, and how often
websites face threats from these people. In my almost five years in that
position we were hacked twice, but we faced hundreds of attempted attacks
every year.

And so does your website.

In the past year I have helped two friends whose websites have been hacked.
In one case the hackers changed the settings of the website so that anytime
someone tried to reach it they were instead redirected to a different site
loaded with spyware and viruses.

In the other case the hackers had set up an email system within the
website’s directories so they could send massive volumes of spam to email
addresses throughout the world. In that case the website’s hosting company
shut the website down because the spamming was a violation of the company’s
rules. And in fact, if they hadn’t shut the site down, she probably never
would have known there was a problem.

The result in each case was a loss of productivity, sales, and marketing.
But that’s only because they were lucky and knew me.

Usually it costs businesses hundreds if not thousands of dollars to recover
from a hacked website. In fact, a 2013 study by the National Small Business
Association said that 44% of small businesses had been attacked by hackers.
The average cost to those that were hacked was $8,700.

And that’s only if they can recover. Sometimes websites are too far gone
and have to be rebuilt from scratch. In these cases businesses pay even
more.

So what can you do?

The first step is to make sure that any software or code running on your
site is up to date. Attackers routinely exploit known vulnerabilities in
websites, and most of those vulnerabilities come from out-of-date software
or scripts for which a fix has already been published.

So for example, if your site uses a popular content management system such
as WordPress or Joomla, you need to ensure that new releases (especially
security releases) are installed as soon as they become available.

Further, systems like these also rely on plugins, themes and extensions
to handle various functions, like email forms or the slideshows they run.
Each of these add-ons is a separate piece of software that also needs to be
kept on its newest version, since an outdated plugin is just as exploitable
as an outdated core.

You should also keep a recovery package of your site. If you use a
database, export a copy of that database every month. Also, download a copy
of all of your website’s actual files every month as well, and keep these
copies somewhere other than the web server itself, so that an intruder who
gets into the site cannot alter or delete them. If there is a hack you will
be able to compare against a known-good copy and recover fairly quickly.

Also, try as much as possible to not keep sensitive data on your site. If,
for example, you have an e-commerce site that allows people to purchase
products online via a credit card, never (EVER) save the credit card
numbers on your site. Instead let the payment processor or merchant account
provider handle the card numbers, so that a compromise of your site cannot
expose your customers’ card data.

Lastly, and here is probably the smartest decision you could make, hire
someone – a company or individual – to maintain your site for you. Doing it
yourself, if you are not an expert, is the cheap route to be sure, but
it’s also the route to a hacked site and even more lost money. Instead,
having a company on call to both cut off and clean up attacks will
save you money and frustration in the long run.

When it comes to your website’s security, spend a little money, or at the
least a little time, to make sure you aren’t vulnerable.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Need access to data breach details or alerts when new breaches happen? Risk Based Security's Cyber Risk Analytics 
portal, fueled by the RBS breach research team, provides detailed information on how data breaches occur and which 
vendors to trust. Contact us today for a demo.
