Summary
Running a secure website in today's digital world is like steering a ship through stormy seas. The threats are ever-present, evolving, and potentially devastating. This guide serves as your trustworthy compass and steadfast lighthouse, illuminating the dark corners of website security threats and offering guidance on how to steer clear of them.
We'll dive deep beneath the surface to explore common weaknesses that are hard to spot, defenses that can keep potential attacks away, and strategies to handle attacks when they do happen. But this isn't just about surviving—it's about sailing confidently, armed with the knowledge to turn challenges into opportunities for making your defenses stronger.
Remember, having a strong online presence is more than just building walls. It's about understanding the terrain, anticipating the dangers, and navigating them skillfully. As you delve into this guide, you're not just taking a defensive stance—you're proactively building a secure digital stronghold that earns trust and reliability in the ever-evolving digital domain.
Technology is playing an increasingly significant role in our lives as we become more dependent on it for various activities such as banking, trading, selling services, and sharing information. Whether we are individuals or corporations, this heightened dependence has also resulted in a significant surge in cybercrime.
Not a day goes by, it seems, when we do not read about some scam or cyber-attack somewhere in the world, and indeed many of us have been victims of cyber-crime, or at least of attempted crime, in one way or another.
As more and more people now have their own websites, coupled with the fact that having a website has become an essential aspect of conducting business, the need for website security has increased exponentially.
It is a recognized fact that the majority of websites have poor and inadequate protection against cybercrime attacks. These attacks encompass a wide range of threats, from malware and viruses to cross-site scripting, SQL injection, DDoS attacks, and ‘Phishing’ attacks – perhaps the most familiar of these terms.
In this article, we’ll explore the most common website security threats, the risks and consequences of these attacks, and, perhaps more importantly, what preventative measures you can put in place to mitigate them.
Overview of Common Website Security Threats
Malware and virus
These terms are often used interchangeably – but there are subtle differences between them:
Malware (a contraction of malicious software) is a generic term for any type of malicious software – no matter what form it takes;
A virus is a specific type of malware that can self-replicate (just like a virus in the human body) and insert itself into your systems and others. A virus spreads by attaching itself to a file, program, or document and can be distributed through e.g. emails and websites. Typically, a user opens an ‘infected’ file which then allows the virus to enter and do its dirty work such as destroying files and data, corrupting applications, or even disabling functions.
Malware can compromise data held on, or transmitted by, devices such as mobiles, laptops, and anything connected to the internet. The common types are Ransomware, Spyware, Viruses, and Trojans.
Ransomware
This is used by criminals to encrypt or lock files and devices; they then demand a payment – a ransom – to release them. In January 2023 several educational establishments in the UK were hit in this way, resulting in data from 14 schools being compromised and made public.
The attack can be spread by email, through advertisements, through links to websites, and by websites themselves. Unfortunately, this type of attack has become industrialized, and criminals are offering ‘Ransomware as a Service’ (RaaS), meaning virtually any criminal can use this type of attack without having IT knowledge.
Spyware
This attack gathers information – hence the name – by monitoring activity and sending those details back to the attacker who then uses them for nefarious purposes.
Essentially it invades privacy and tries to collect your usernames and passwords, PINs, and payment details, as well as your web browsing history. It can also steal contacts, photos, keystrokes, and call logs. There are several types of spyware:
Adware – which sends details to advertisers so they can use it to target you;
Keylogger – which does just what it says on the tin and records keystrokes;
Infostealer – which looks for specific details.
Spyware is hard to spot, but indications include devices running slowly, unexpected pop-ups, new toolbars or search engines appearing, being unable to log in to secure sites, and increased data usage.
Trojans
These are named after the famous trick (the wooden horse) used by the Greeks to gain entry to Troy. A Trojan is software that pretends to be legitimate and thus tricks users into downloading it. When you run the executable file (.exe) it installs itself onto your device, and the attackers can then use it.
Fortunately, Trojans are not self-replicating. They can be hidden in mobile apps, in emails (especially attachments), and in games. They manifest themselves in programs running slowly or crashing, programs running inexplicably, pop-ups, and spam.
Virus
In contrast to Trojans, which are malicious programs disguised as legitimate software, viruses are self-replicating entities that infiltrate systems and applications. A good analogy is with a parasite that feeds off its host and needs the host to propagate it – like a tapeworm. It only replicates when the infected app is running.
Viruses affect data and files, which may be corrupted, encrypted, deleted, or moved. They spread from device to device and through multi-user websites, especially where files are shared. There are several types:
Macro virus: which targets macros in applications;
Resident: which embeds itself inside the system so if the original virus is deleted it will reinsert itself;
File infectors: which attach themselves to the file so that as the file loads – so too does the virus (very common);
Overwrite: which overwrites files and data with malicious code;
Rootkit: which installs an unauthorized rootkit to enable attackers to take control.
You can recognize such attacks from abnormal file system activity, increased CPU and disk activity, unusual communication, inability to access files, slow running, frequent crashes, email corruption, frequent error messages, and loss of storage.
Cross-Site Scripting
This attack – known as XSS for short – is where normal, trusted websites are infected with malicious ‘scripts’ or code. It is particularly likely where the website has poor data sanitization in place and allows attackers to inject code that then runs in other users’ browsers, thus allowing:
– Redirecting users to false or criminal websites;
– Capturing cookies from websites visited, to compromise those accounts;
– Crashing the browser;
– Capturing keystrokes – which can compromise passwords etc.;
– Asking users to enter details on fake forms, which enables fraud etc.
Prevention measures
A key measure is to ensure that you have adequate security in place at the start of any application development, making security an integral component rather than an add-on at a later stage when it might be too late! Other steps include:
– Ensure user input integrity by promptly validating and sanitizing any received inputs.
– Penetration testing aims to identify vulnerabilities in your application, much like how a detective conducts a security check of premises.
– Develop and follow secure development guidelines and build in security at every step.
– Use output encoding, which replaces HTML control characters (e.g. <, >, ”, &) with their encoded equivalents using established standards, so that user-supplied text is displayed as text and attackers cannot turn it into markup.
– Use multiple layers of defense – such that if one level is breached there are others.
– Ensure IT staff are continually refreshed/updated on XSS prevention techniques.
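As an added illustration of the input-validation and output-encoding steps above (example code written for this article, not taken from the original page or any project), the following Python snippet renders a constructed comment both unsafely and with entity encoding. The comment texts, the username allow-list and the function names are assumptions made for the demonstration.

```python
import html
import re

# Constructed sample inputs, as a comment form might receive them.
SAMPLE_COMMENTS = [
    "Great article, thanks!",
    '<script>alert("xss")</script>',
    '"><img src=x onerror=alert(1)>',
]

# Allow-list for a username field: reject anything outside a tight character
# set (input validation, the first step in the prevention list).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def validate_username(value: str) -> bool:
    """Return True only if the username consists of allowed characters."""
    return USERNAME_RE.fullmatch(value) is not None


def render_comment_unsafe(author: str, body: str) -> str:
    """Vulnerable: untrusted text is concatenated straight into the HTML, so
    any tags or attributes in it are interpreted by the browser as markup."""
    return f"<p><b>{author}</b>: {body}</p>"


def render_comment_safe(author: str, body: str) -> str:
    """Hardened: every untrusted value is entity-encoded at output time, so
    <, >, &, " and ' reach the browser as literal characters, never as markup."""
    return (
        f"<p><b>{html.escape(author, quote=True)}</b>: "
        f"{html.escape(body, quote=True)}</p>"
    )


def template_tags_only(rendered: str) -> bool:
    """Check that the only tags in the output are the template's own <p>/<b>."""
    tags = re.findall(r"</?([A-Za-z][A-Za-z0-9]*)", rendered)
    return set(tags) <= {"p", "b"}


if __name__ == "__main__":
    for body in SAMPLE_COMMENTS:
        print("unsafe:", render_comment_unsafe("eve", body))
        print("safe:  ", render_comment_safe("eve", body))
```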
SQL Injection (SQLi)
SQL stands for Structured Query Language and it is used in many databases. SQLi is a very common form of hacking and involves the injection of malicious code into SQL statements through web pages.
It arises when the inputs used to build website queries are inadequately screened, filtered, and controlled, allowing attackers to inject code to extract information. By using SQLi, criminals bypass applications’ security measures and use SQL queries to delete, modify, and change records in a database.
Prevention measures
Mitigating SQL injection attacks requires employing various defensive techniques, which include implementing the following strategies:
Filter database inputs: this detects and filters out malicious code and should be linked to sanitization of inputs, as hackers will try to ‘abuse’ special characters to gain access. Built-in SQL sanitization libraries can help here to ensure that only those queries which conform are processed.
Restrict database code: prevents unintended database queries and exploration by limiting database procedures and code which further limits the options for hackers to gain entry. This reduces the code to the minimum necessary for the tasks.
Restrict database access: To prevent unauthorized access, data exfiltration, or deletion, it is important to restrict database access through access control measures. This involves continuously analyzing user activities to identify potential compromises, utilizing firewalls, minimizing the use of shared accounts, implementing encryption, and ensuring that error messages, which hackers may exploit for information, are kept to a minimum.
Maintain applications and databases: It is imperative to regularly apply patches and upgrades to keep security measures up to date. This proactive approach helps safeguard against potential vulnerabilities and threats.
Monitor application and database inputs and communications: regular monitoring of inputs and communications will enable you to detect and block malicious SQLi attempts. There are also specialized tools that you can use, for example Privileged Access Management (PAM) and Security Information and Event Management (SIEM), which analyze ‘behavior’.
Wherever a website interfaces with an SQL database, there is potential for SQL Injection attacks. To test for these attacks, there are several ‘Penetration Testing’ tools available. Tools like SQLMap and jSQL are specifically designed to detect and expose SQLi vulnerabilities. They simulate attack scenarios, assisting developers in identifying and patching potential security weaknesses.
DDoS attacks
Distributed Denial of Service (DDoS) attacks are becoming more frequent. The aim is to deny users access to a website by overloading it with traffic. Such incidents might occur unintentionally, such as during events like a ‘Black Friday’ sale, when an overwhelming number of users attempt to access a website simultaneously.
Of more concern however is a deliberate attack that can be devastating for organizations that rely on their website – e.g. online retailing, banks, and so on, by taking them out of service and causing massive disruption.
Attacks can be made on other websites – such as utilities or telecoms – to cause a different type of disruption: e.g. the attacks by Russia on Ukrainian systems at the start of the 2022 invasion.
Attacks occur when an overwhelming volume of requests is sent to a targeted server, network, or system, effectively rendering it inaccessible to its intended users. A specific type of DDoS attack, known as a DNS amplification attack, leverages the functionality of open DNS servers to intensify the attack’s impact.
In a DNS amplification attack, the attacker tricks an open DNS server into sending a large amount of data to the target. They do this by sending a forged DNS lookup request that appears to come from the target’s IP address. When the DNS server responds, it mistakenly sends the response to the target’s IP address instead of the actual sender.
To make matters worse, the attacker often asks the DNS server for a large amount of information, using a query type whose response is far larger than the request. This causes the server to send an even larger response to the target, amplifying the attack. In simple terms, the attacker manipulates the DNS server into sending a flood of data to overwhelm and disrupt the target’s network or system.
Prevention measures
Web hosts offer various levels of protection based on the scale of the website. These protective measures can be categorized into three increasing levels:
Traffic volume restrictions: This level involves imposing limitations on the flow of incoming traffic to manage and control the volume. It helps prevent overwhelming the website with excessive requests.
Cloud-based protection: At this level, a third-party service is employed to monitor and filter incoming traffic. This external service helps identify and block potentially malicious traffic before it reaches the website, adding an extra layer of defense.
Intrusion Protection Systems (IPS): IPS solutions analyze incoming traffic in real time, continuously monitoring for signs of malicious activities. They aim to proactively detect and thwart attacks, offering enhanced security measures to safeguard the website.
Content Delivery Networks (CDNs): Additionally, CDNs can be utilized to distribute incoming traffic across multiple servers. By doing so, the load on a single server is reduced, ensuring better performance and reducing the risk of a single point of failure.
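The ‘traffic volume restrictions’ level above is commonly implemented as a per-client token bucket. This Python snippet is an added example, not the article’s or any hosting provider’s code: it replays a constructed request log (documentation-range addresses and made-up timestamps) through such a limiter and counts what each client would have had allowed or blocked. The capacity and refill rate are assumed values chosen for the demonstration.

```python
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float  # tokens currently available
    last: float    # timestamp of the last refill


class RateLimiter:
    """One token bucket per client address. Each bucket holds at most `capacity`
    tokens and refills at `refill_per_sec`; a request spends one token and is
    blocked when the bucket is empty, so a flood is capped at the refill rate
    while a client sending at a normal pace is never affected."""

    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity = float(capacity)
        self.refill = refill_per_sec
        self.buckets: dict[str, Bucket] = {}

    def allow(self, client: str, now: float) -> bool:
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = Bucket(tokens=self.capacity, last=now)
            self.buckets[client] = bucket
        # Refill proportionally to the time elapsed, never beyond capacity.
        elapsed = max(0.0, now - bucket.last)
        bucket.tokens = min(self.capacity, bucket.tokens + elapsed * self.refill)
        bucket.last = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


# Constructed request log: (timestamp in seconds, client address).
NORMAL, FLOOD = "203.0.113.10", "203.0.113.99"
REQUESTS = [(float(t), NORMAL) for t in range(4)]    # one request per second
REQUESTS += [(i * 0.05, FLOOD) for i in range(20)]   # 20 requests within one second


def replay(requests, capacity: int = 5, refill_per_sec: float = 1.0) -> dict:
    """Run the log through the limiter in time order; return {client: (allowed, blocked)}."""
    limiter = RateLimiter(capacity, refill_per_sec)
    counts: dict[str, list] = {}
    for ts, client in sorted(requests):
        entry = counts.setdefault(client, [0, 0])
        entry[0 if limiter.allow(client, ts) else 1] += 1
    return {client: tuple(v) for client, v in counts.items()}


if __name__ == "__main__":
    for client, (ok, dropped) in replay(REQUESTS).items():
        print(f"{client}: allowed={ok} blocked={dropped}")
```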
Phishing attacks
This is an extremely common type of attack and something we encounter almost on a daily basis.
The objective of such attacks is to entice users to click on a website, thereby allowing the attackers to obtain information or upload malicious software – ‘fishing for information’.
There are many tricks, and every day seems to bring a new one: “You have won a prize”; “Click on this link to reactivate your account”; “You have been credited with $25,000 in your Bitcoin account”, and so on. Many people fall for them because they are naïve and too trusting, or too greedy!
There are 5 main types of Phishing – with similarly derived names:
Email – the scammer registers a fake address that mimics a real organization and sends out an official-looking e-mail. Sometimes they use look-alike letter combinations, e.g. two Vs together (VV) instead of a W, making it difficult to detect at a glance. These are broad attempts and do not contain specific information. As a general rule, the email address will give the game away.
Spear phishing – is a more targeted form of phishing where scammers possess specific information about the target. They use this information to craft emails that appear more authentic, increasing the chances of success.
Paying attention to details, such as the sender’s email address, grammar and spelling errors, suspicious attachments or links, and unexpected requests for personal or sensitive information, can help catch these fraudulent attempts.
Whaling – aimed at staff in organizations; the messages often pretend to come from a superior asking them to do something, such as transfer money. Regular training sessions to educate employees about whaling techniques, combined with the implementation of strict authorization procedures for financial transactions, can effectively counter such attacks.
Smishing/Vishing – Smishing (SMS phishing) and vishing (voice phishing) are similar to other phishing techniques but employ text messages or phone calls to deceive individuals. Scammers often send fraudulent messages or make phone calls claiming to alert recipients about suspicious activities. They then request the recipient to call a specific number or visit a website to verify or update their personal information.
With the increasing prevalence of remote working, these types of attacks have become more common. Scammers frequently impersonate the IT help desk to gain control over a target’s laptop or extract sensitive information. By remaining skeptical and verifying information independently, individuals can better safeguard themselves against smishing and vishing attacks.
Angler – This technique involves the use of social media platforms to carry out phishing attacks. Attackers create fake URLs, clone websites, and post deceptive content on platforms like Twitter, alongside other social media manipulation tactics. They exploit the trust and curiosity of users to lure them into visiting malicious websites or disclosing sensitive information.
Being vigilant, verifying the authenticity of URLs and websites, and avoiding sharing sensitive information publicly can help mitigate the risks associated with Angler attacks.
Best Practices for website security
Website security should not be an afterthought – it must be at the heart of your operations and there are a number of best practices that should be followed:
Regular updates and patches
Outdated software poses a significant risk as cybercriminals continuously discover new methods to exploit vulnerabilities. To mitigate this risk, software suppliers regularly release patches and updates that address identified weaknesses. It is imperative to prioritize and apply these updates promptly. Enabling automatic updates and patches is highly recommended to ensure you do not miss critical security fixes.
Strong authentication mechanisms
Access should require at least two-factor authentication (2FA) – e.g. a password plus a one-time code – or biometrics, such as face recognition, and/or security questions, to keep unauthorized users out. Passwords should be strong and changed regularly; it is best to automate this. In addition, unused log-ins should be disabled after a period.
Dates of birth and pet names should be disallowed and instead more secure passwords using alphanumeric and special characters should be used – such as “Megal0man1aC!” or “D15graceful-Brat5!” which are much harder to guess. Many people use the same password for everything. This is an error and a different password should be used for every log-in.
Secure network and server configuration
Your website needs to have a secure URL and thus should have both HTTPS and SSL.
HTTPS – HyperText Transfer Protocol Secure: provides security over the internet and protects data in transit from interception and tampering.
SSL – Secure Sockets Layer: encrypts information so that others cannot read it while it is being transferred, and denies unauthorized users access. To reassure users about the security of your website, it is crucial to prominently display the SSL certificate, indicating that their information is transmitted securely and protected.
In addition, the web host is key – it must offer secure hosting, including SFTP (Secure File Transfer Protocol), strict access controls to prohibit unauthorized access, automatic back-ups, security upgrades, etc.
Final Thoughts
Website threats grow daily – both in frequency and type. It is important to be aware of this and ensure that you have the best security. Poor website security will leave you vulnerable to attacks that can have devastating consequences – monetary loss, loss/corruption of data, customer dissatisfaction, and reputational loss.
To reiterate – this means:
– Choosing a reliable website host
– Keeping your website security up to date with upgrades/patches
– Backing it up regularly (as frequently as possible)
– Using a web application firewall
– Using two-factor authentication
– Using strong passwords and changing them regularly
– Installing HTTPS and SSL
Be proactive and ensure that website security is not a stand-alone issue but is a part of your overall IT strategy and risk management.
Of course, there is some cost to this – but when compared to the potential for business interruption or losses, the benefits outweigh the cost.