By Americaneagle.com Chief Technology Officer, Ryan McElrath
There are many common threats against websites today. According to the National Cyber Security Alliance (NCSA) and McAfee, close to one in five Americans report being victimized by a crime that was committed over the Internet. Whether it is a social media website such as Facebook or Twitter, an ecommerce website or a company website, every online platform is vulnerable to security attacks. It's incumbent upon you to be aware of these types of attacks and make sure you and your hosting company are prepared to handle them.
While online threats are always evolving, there are a few in particular that are currently popular among hackers:
1. There are Web application attacks where hackers exploit vulnerabilities within the website code or Web server security. Common techniques for this include SQL Injection and Cross-site Scripting. A hacker may use an attack like this to extract sensitive information (like credit card data) or post malware, which is then downloaded by unknowing end users of the site.
2. There are distributed denial of service (DDoS) attacks where hackers attempt to take a website offline by overwhelming it with traffic rather than trying to gain access to sensitive data. Botnets of potentially thousands (and thousands) of infected computers spread out around the world are typically used to launch these types of attacks that can last for multiple hours or even days. Outages caused by DDoS attacks can result in heavy financial loss, as well as significant damage to a company's reputation.
3. There are also social engineering attacks where hackers trick humans into giving them privileged information over the phone or via email, which is then used to log into unauthorized systems. Phishing is an example of this - this is when a hacker sends an email that appears to be legitimate and tricks the email recipient into typing his or her login/password into a website that resembles the real site. The hacker then uses that login/password to gain access to the real website.
Within the last several years, Sony, LinkedIn, Zappos, Yahoo, the South Carolina Department of Revenue and several major universities have all been victims of security breaches that exposed the personal data of millions of people. Meanwhile, large-scale DDoS attacks have knocked a number of high-profile websites offline, including Bank of America, JP Morgan Chase, MasterCard, NASDAQ, the FBI and the CIA.
With each of these types of security attacks, companies need to be aware that no matter how large or small they are, hackers are constantly looking for weaknesses within websites.
Below are a few simple tips on how to reduce the risk of the most common threats that will pay tenfold in the long run:
1. Using a Web application firewall (WAF) is a very effective way to help defend your website against application attacks that attempt to extract sensitive data from your site. A Web application firewall sits in front of your website and filters all requests, blocking requests that match the pattern of common attacks such as SQL Injection and Cross-site Scripting. Imperva's Cloud WAF is an affordable software-as-a-service (SaaS) product for small to mid-enterprise businesses that offers the highest levels of website security without requiring a large equipment investment.
2. A common misconception about distributed denial of service (DDoS) attacks is the idea that your Web hosting provider will be able to stop any attack against your website with the firewalls within their data center. The reality is that these attacks continue to increase with intensity and regularly overrun even the most powerful of firewalls, causing outages for your website. The best defense against these types of attacks is to have protection through a DDoS mitigation provider that can filter requests through their scrubbing centers before the attack reaches your site's infrastructure. These scrubbing centers allow legitimate traffic to continue through to your website while stopping the attack traffic that is attempting to knock your website offline.
3. Organizations can better protect themselves against social engineering attacks by training employees on security issues and going over specific methods that hackers may use to trick them into giving up personal information. For example, some common techniques used by hackers include acting like an internal employee or pretending that they're conducting a survey as a way to justify the types of questions they're asking. It's important for employees to know that if they're suspicious of a call or email, to ask their manager before releasing the information.
Organizations should create an incident response procedure to be used in the event that your website's security is breached. As part of the procedure, your organization should notify the necessary authorities regarding the attack. This includes your local FBI office as well as the major credit card associations if card data is exposed during the attack.
About the Author: Ryan McElrath is the chief technology officer of Americaneagle.com, which is a Web design and hosting company based in Park Ridge, Illinois. Some of their 5,000-plus clients include Hobby Lobby, New York Giants, NASCAR, Stuart Weitzman, Garrett Popcorn, Chicago Bears, Abbott Laboratories and the U.S. Army.
