It's in the news, you can't escape it. Hacks. Outages. Exposures. Compromises. Sony, Citibank, Sega, Amazon, the WTO, even the CIA. If the big guys can't keep their stuff up and secure, is there any hope for the not-as-big guys? The answer is fortunately yes. I will go into that more at a later date, but to start with I want to talk a little about the nature of the beast, particularly as it relates to WebSight Design and our clients. For websites, hackers basically have one or more of the following goals:
- Site defacement - they want to replace your homepage with a message saying 'hacked by the hustle'
- Denial of service - they want to take your site offline so nobody can view it
- Malicious content insertion - they want to insert links that send your visitors to security scam sites
- Data theft - they want credit card info, or other info not intended to be available
- Hijacking of resources - they want somewhere to store and share their pirated media.
In order to accomplish their goals, they generally use one or more of four primary avenues of attack:
- SQL injection - this is one of the most common ways to hack a site. Hackers take advantage of forms on a website that are coded in such a way that they can be used to perform database operations that are not supposed to be allowed, such as inserting malicious links into the database.
- Application exploits - All websites run on web servers and typically use either Apache or MS IIS as their web server software. For sites with more dynamic content, they also use an additional application software layer such as PHP, ASP, or ColdFusion. All of the above applications have had security bugs in the past that could allow hackers to gain unauthorized access to a site, and while they are constantly being updated to close holes, new holes are always being discovered, and at any given time there may be holes that only a few hackers even know about, also known as zero-day exploits.
- Password hacking - Another way hackers can get unauthorized access to a site is by getting a hold of a working username and password, such as FTP login information or a CMS admin login. They can get the login info in a variety of ways, including 'brute force' automated guessing, grabbing the info in transit when someone is using an insecure wireless connection, or even via a virus or trojan 'keylogger' surreptitiously installed on the computer of the person who uses the login legitimately.
- Flooding - If a hacker wants to take a site down but doesn't have any holes in it available to exploit, they can still take the site down (denial of service) by flooding the site or its network with so many bad requests that the good ones can't make it through. And as an added bonus to the hackers, sometimes in the heat of a denial of service attack, actions taken in a hurry to track down and stop the flooding may actually open up new avenues of attack.

By understanding the hacker's goals and means, we can put up the best defense possible against them, as well as take measures to minimize the impact and/or downtime when a hack does occur. Some examples of this are keeping our servers and applications up to date with the latest security updates, coding all of our forms with 'validation' to prevent SQL injection, following best practices with regards to things like not storing credit card numbers in databases, and being fastidious about backups.
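As an added example (not code from the original post), here is the SQL injection point from the list above and the form 'validation' mentioned in the closing paragraph, shown in Python with SQLite: a site search that splices the form field straight into the query, beside the same search written with a bound parameter. The product table, its rows and the crafted input are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a site's catalogue table
# (assumption: one unpublished row that the public search must never show).
SAMPLE_ROWS = [("Widget", 1), ("Gadget", 1), ("Unreleased Gizmo", 0)]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, published INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def search_unsafe(conn, term):
    """Vulnerable pattern: the form value is pasted into the SQL text, so a
    quote in the input changes the structure of the query itself. A legitimate
    name such as O'Brien breaks this query just as surely as a crafted one."""
    sql = ("SELECT name FROM products WHERE published = 1 "
           "AND name LIKE '%" + term + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Hardened pattern: the value is bound as a parameter. The database
    receives it as data, never as SQL, whatever characters it contains."""
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    db = make_db()
    # Constructed input: a quote closes the string and tacks on a new condition.
    crafted = "%' OR published = 0 OR '"
    print("unsafe:", search_unsafe(db, crafted))  # leaks the unpublished row
    print("safe:  ", search_safe(db, crafted))    # matches nothing
```

Parameter binding is the fix; input validation on top of it (length limits, an allowed character set for each field) narrows what reaches the database but is not a substitute for it.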
More to come...