Types and Tips for Online Security Threats
By Americaneagle.com Chief Technology Officer, Ryan McElrath
There are many common threats against websites today. According to the National Cyber Security Alliance (NCSA) and McAfee, close to one in five Americans report being victimized by a crime that was committed over the Internet. Whether it is a social media website such as Facebook or Twitter, an e-commerce website or a company website, every online platform is vulnerable to security attacks. It’s incumbent upon you to be aware of these types of attacks and make sure you and your hosting company are prepared to handle them.
While online threats are always
evolving, there are a few in particular that are currently popular among
hackers:
1. There are Web application attacks where hackers exploit vulnerabilities
within the website code or Web server security. Common techniques for this
include SQL Injection and Cross-site Scripting. A hacker may use an attack like
this to extract sensitive information (like credit card data) or post malware,
which is then downloaded by unknowing end users of the site.
2. There are distributed denial of service
(DDoS) attacks where
hackers attempt to take a website offline by overwhelming it with traffic
rather than trying to gain access to sensitive data. Botnets of potentially
thousands (and thousands) of infected computers spread out around the world are
typically used to launch these types of attacks that can last for multiple
hours or even days. Outages caused by DDoS attacks can result in heavy
financial loss, as well as significant damage to a company’s reputation.
3. There are also social engineering attacks where hackers trick humans into giving
them privileged information over the phone or via email, which is then used to
log into unauthorized systems. Phishing is an example of this – this is when a
hacker sends an email that appears to be legitimate and tricks the email
recipient into typing his or her login/password into a website that resembles
the real site. The hacker then uses that login/password to gain access to the
real website.
Within the last several years,
Sony, LinkedIn, Zappos, Yahoo, the South Carolina Department of Revenue and
several major universities have all been victims of security breaches that
exposed the personal data of millions of people. Meanwhile, large-scale DDoS
attacks have knocked a number of high-profile websites offline, including Bank
of America, JP Morgan Chase, MasterCard, NASDAQ, the FBI and the CIA.
With each of these types of
security attacks, companies need to be aware that no matter how large or small
they are, hackers are constantly looking for weaknesses within websites.
Below are a few simple tips on
how to reduce the risk of the most common threats that will pay tenfold in the
long run:
1. Using a Web application
firewall (WAF) is a very effective way to help defend your website against
application attacks that attempt to extract sensitive data from your site. A
Web application firewall sits in front of your website and filters all
requests, blocking requests that match the pattern of common attacks such as
SQL Injection and Cross-site Scripting. Imperva’s Cloud WAF is an affordable
software-as-a-service (SaaS) product for small to mid-enterprise businesses
that offers the highest levels of website security without requiring a large
equipment investment.
2. A common misconception about
distributed denial of service (DDoS) attacks is the idea that your Web hosting
provider will be able to stop any attack against your website with the
firewalls within their data center. The reality is that these attacks continue
to increase with intensity and regularly overrun even the most powerful of
firewalls, causing outages for your website. The best defense against these
types of attacks is to have protection through a DDoS mitigation provider that
can filter requests through their scrubbing centers before the attack reaches
your site’s infrastructure. These scrubbing centers allow legitimate traffic to
continue through to your website while stopping the attack traffic that is
attempting to knock your website offline.
3. Organizations can better
protect themselves against social engineering attacks by training employees on
security issues and going over specific methods that hackers may use to trick
them into giving up personal information. For example, some common techniques
used by hackers include acting like an internal employee or pretending that
they’re conducting a survey as a way to justify the types of questions they’re
asking. It’s important for employees to know that if they’re suspicious of a
call or email, to ask their manager before releasing the information.
Organizations should create an
incident response procedure to be used in the event that your website’s
security is breached. As part of the procedure, your organization should notify
the necessary authorities regarding the attack. This includes your local FBI
office as well as the major credit card associations if card data is exposed
during the attack.
About the Author: Ryan McElrath is the chief technology officer of Americaneagle.com, which is a Web
design and hosting company based in Park Ridge, Illinois. Some of their
5,000-plus clients include Hobby Lobby, New York Giants, NASCAR, Stuart
Weitzman, Garrett Popcorn, Chicago Bears, Abbott Laboratories and the U.S.
Army.


Leave Your Comment
Login to CommentBecome a Member
Not already a part of our community?
Sign UpSign up to participate in the discussion. It's free and quick.