7 COMMON WAYS SITES ARE COMPROMISED
Waking up to discover that your site has been defaced is about as
unpleasant as it gets. Waking up to discover that your users' data has been
stolen and their credit cards used by third parties is a liability and a
nightmare. Sweet dreams, everyone!
For website owners and others who don't know how to harden their own
servers against attacks, it can seem like a nightmare they can do little
about. Well, I have good news: if you have a simple static site on a host that
knows what it's doing, you are probably safe.
But the more complex your systems are, the more potential security holes
there will be. That means more vigilance, and more work to keep things secure.
On the plus side, people who break into other people's systems are nothing if
not predictable. There are a number of quite common types of attack that can
largely be prevented through simple foresight and planning.
Without further ado, and in no particular order, here are some of the most
common ways people will try to get into your site:
1. SOCIAL ENGINEERING
Ask any security expert in any field: the most common point of failure is
not software or hardware. It is people, and their inclination to do silly
things. You know, silly things like leaving passwords written down in an
obvious place, or just handing over a user's account to someone over the
phone.
It is quite common for a "hacker" to call customer service before doing
anything else. If you can successfully convince someone to simply give you the
information you need, you have saved hours, or even days. So, as well as
making sure your servers are secure, you must also make sure your employees
have security processes to follow.
2. MISSING SECURITY PATCHES
This is still a big one, believe it or not, and especially in corporate
environments. Updating many computers at once is a big job. Sometimes updates
are delayed by system administrators who just want to make sure none of the
new updates will break their internal software. Others are genuinely
restricted: they are forbidden to install updates by a nervous management.
Sometimes the IT department has effectively been fired, and a kid from the
mail room who is said to "know about computers" is told to keep everything
running. Whatever the reason, sometimes security updates don't get installed,
and systems are left vulnerable. For websites, it's usually that nobody is
updating WordPress. Just do it.
3. INSECURE THIRD-PARTY CODE
Programmers are a brilliant breed in general, but some have more experience
than others. And even among the best, bugs slip through. Many people get their
start in programming by coding add-ons for other software, such as CMS
plugins.
Remember what I said about more complexity leading to more security holes?
Well, more add-ons mean more complexity. Have all add-ons vetted in some way
before installing them, and update them whenever fixes come out, just like the
rest of your software.
4. POOR USER SECURITY POLICIES
In this case, security policy refers to how you ask your users to
contribute to the security of their own accounts. These policies cover things
like security questions, requirements for strong passwords, two-factor
authentication and even the physical security tokens used by institutions
like banks. Email verification is quite common, and one of the easiest ways to
handle this. It is not completely foolproof, however.
But having no way at all to verify who is who is a recipe for disaster.
5. INJECTION ATTACKS
These are also known as SQL injection attacks, or SQLi. Basically, someone
visits your website and looks for forms. A contact form, a registration form,
a submission form: any of these will do, as long as it sends information
directly to a SQL database.
They simply type basic, common SQL statements into the text fields in the
hope of extracting data from your database. And unless the input from your
form is sanitized (stripped of things like SQL commands when the form is
submitted), it will work.
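As an added illustration (my own code, not the article's), here is the same form-field lookup written two ways against a constructed SQLite table. The first pastes the field into the SQL text, so a value containing a quote and an `OR` rewrites the query and returns every row; the second passes the value as a parameter, which is the standard fix: the database treats it purely as data, so no amount of stripping or escaping is needed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; the two rows are invented for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password_hash) VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")],
    )
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, email: str) -> list[str]:
    # Vulnerable: the form field becomes part of the SQL text itself.
    sql = f"SELECT email FROM users WHERE email = '{email}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_user_safe(conn: sqlite3.Connection, email: str) -> list[str]:
    # Parameterized: the driver sends the value separately from the statement,
    # so the value can never change the query's structure.
    sql = "SELECT email FROM users WHERE email = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (email,))]


def demo() -> dict[str, list[str]]:
    """Run both lookups on a normal address and on a classic injected value."""
    conn = make_db()
    injected = "' OR '1'='1"  # textbook payload; only used here against the toy table
    return {
        "unsafe_normal": lookup_user_unsafe(conn, "alice@example.com"),
        "unsafe_injected": lookup_user_unsafe(conn, injected),
        "safe_normal": lookup_user_safe(conn, "alice@example.com"),
        "safe_injected": lookup_user_safe(conn, injected),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:16} -> {rows}")
```

Every mainstream database driver and ORM offers the parameter form; the only thing to check in a code review is that no query is ever assembled with string formatting or concatenation from user input.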
6. DATA LEAKS
Depending on how things are programmed, data can simply ... leak. URLs may
contain confidential information, for example. People can simply search your
site on Google and find URLs with confidential information in them. If you
upload confidential files to unprotected folders on your server, anyone can
download them. If people can get at your CMS's configuration files somehow,
they probably have a way in.
This is not always the result of poor programming, either. Sometimes you can
just forget to set the correct permissions on a folder, or something like
that. Accidental leaks happen.
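Because accidental leaks are so often a matter of files and permissions, here is an added example (mine, not from the article) of a small check you can run over a web root before or after deploying: it flags configuration files that every local user can read, backups and version-control data sitting where the web server will happily serve them, and world-writable directories, and it scans a list of URLs for query parameters that look like secrets. The filename patterns and parameter names are assumptions to tune for your own site, and the demo builds a throwaway directory rather than touching a real one.

```python
import fnmatch
import os
import stat
import tempfile
from urllib.parse import parse_qs, urlsplit

# Assumed lists: adjust for the CMS and conventions of your own site.
CONFIG_PATTERNS = ["wp-config.php", ".env", "config.php", "settings.php"]
NEVER_SERVE_PATTERNS = ["*.bak", "*.old", "*~", "*.sql", ".git", ".svn"]
SECRET_PARAMS = {"token", "password", "session", "api_key", "reset"}


def scan_web_root(root: str) -> list[tuple[str, str]]:
    """Return sorted (relative path, reason) findings for everything under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            mode = os.stat(full).st_mode
            if any(fnmatch.fnmatch(name, p) for p in NEVER_SERVE_PATTERNS):
                findings.append((rel, "backup or dump inside web root"))
            if any(fnmatch.fnmatch(name, p) for p in CONFIG_PATTERNS) and mode & stat.S_IROTH:
                findings.append((rel, "config file is world-readable"))
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
    return sorted(findings)


def find_secret_bearing_urls(urls: list[str]) -> list[tuple[str, str]]:
    """Return (url, parameter) pairs where a query parameter name looks like a secret."""
    hits = []
    for url in urls:
        for key in parse_qs(urlsplit(url).query):
            if key.lower() in SECRET_PARAMS:
                hits.append((url, key))
    return hits


def build_demo_root() -> str:
    """Create a constructed web root with one harmless file and several leaks."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    os.makedirs(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)  # forgot to lock the upload folder
    for rel, mode in [
        ("index.html", 0o644),              # fine: meant to be public
        ("wp-config.php", 0o644),           # DB credentials readable by any local user
        ("uploads/db-backup.sql", 0o644),   # a dump left where it can be downloaded
    ]:
        path = os.path.join(root, rel)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for finding in scan_web_root(build_demo_root()):
        print("file:", finding)
    sample_urls = [  # constructed, as they might appear in an access log
        "https://example.com/reset?token=abc123",
        "https://example.com/products?page=2",
    ]
    for hit in find_secret_bearing_urls(sample_urls):
        print("url:", hit)
```

Run it from a deploy hook or a cron job and treat any finding as a blocker; the point is that search engines and curious visitors will find these files long before you notice them yourself.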
7. CLICKJACKING
Clickjacking happens in one of two ways. One: someone sets up a malicious
site with content that seems innocent enough, but when visitors click on it,
they do something they did not necessarily mean to do (like "liking"
something on Facebook that they didn't want to) or are taken somewhere they
didn't want to go.
Two: someone manages to inject code into your site to hijack your users'
clicks, with the same end result. In the worst case, this can lead users to
give up personal information by typing it into a site that closely resembles
yours, but isn't.
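The first variant works by loading your page inside an invisible frame on the attacker's site, and the defence is for your server to tell browsers it may not be framed. As an added example (my own, not the article's), the code below sets both the legacy `X-Frame-Options` header and the modern `Content-Security-Policy: frame-ancestors` directive on a tiny demo server, and includes a checker you can point at any response's headers to see what framing policy a browser would actually apply. The checker encodes one rule worth knowing: when both headers are present, browsers that understand `frame-ancestors` use it and ignore `X-Frame-Options`. The header values and the demo handler are assumptions for the example.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Both headers are sent so that older browsers (X-Frame-Options) and current
# ones (CSP frame-ancestors) refuse to render the page inside another site.
ANTI_FRAMING_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


def framing_policy(headers: dict[str, str]) -> str:
    """Classify the framing policy a browser would apply to a response.

    Returns 'blocked', 'same-origin', 'allow-list' or 'unprotected'.
    CSP frame-ancestors takes precedence over X-Frame-Options when both exist.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if sources == ["none"]:
                return "blocked"
            if sources == ["self"]:
                return "same-origin"
            return "allow-list"  # frameable only by the listed origins
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "unprotected"


class DemoHandler(BaseHTTPRequestHandler):
    """Minimal page that refuses to be framed."""

    def do_GET(self):
        body = b"<h1>This page cannot be embedded in another site.</h1>"
        self.send_response(200)
        for name, value in ANTI_FRAMING_HEADERS.items():
            self.send_header(name, value)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    print("demo policy:", framing_policy(ANTI_FRAMING_HEADERS))
    HTTPServer(("127.0.0.1", 8080), DemoHandler).serve_forever()
```

If part of your site legitimately needs to be embedded (a widget, say), use `frame-ancestors` with an explicit list of origins rather than dropping the header altogether. Note that these headers do nothing against the second variant, injected code on your own site; that one is a content-injection problem and is handled by fixing the injection point and keeping plugins patched, as discussed above.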