Hackers exploit vulnerable systems – and unprepared individuals – to access trade and commercial secrets, damage or gain control of national assets of strategic importance, publicly embarrass top brands, and wreak general havoc with considerable financial, social and economic repercussions.
Yet, notwithstanding the barrage of alarming statistics coming our way and the plethora of tools available, it seems that a lot of people fail to take even the most basic of precautions.
So, if you’re the thrill-seeking type and want to add some spice to your day by making hackers’ lives easier, here are our 7 things you need to do to make sure your website gets compromised.
Note. The Recommendation section … that’s the serious part!
#1. Lame passwords are always a good place to start
123456 after all is much easier to remember than some 12-character string of disjointed characters. And if you’re guilty of this sin, then you’re in good company.
According to a list compiled by SplashData, 123456 was the most common password of 2013, followed by password, 12345678, qwerty and abc123.
Here are the top 10 for your amusement. Recognise any?
Insecure and weak passwords are a common exploit used by hackers in what are known as brute force attacks. In a brute force attack, bots are used to automatically and systematically enter usernames and passwords until the right combination is found. So the hacker doesn’t even have to lift a finger!
Recommendation. Enforce a strong password policy across your business. Don’t allow weak or dictionary-based passwords. Other techniques involve allowing login only from certain IP addresses, assigning unique login URLs, using CAPTCHAs or implementing some type of account lockout after a defined number of failed login attempts.
#2. Your bank called … they wanted to confirm your login details
Encourage your staff to click on any emails allegedly from your bank or their long-lost royal cousin from Nigeria who just came across a $100,000,000 secret bank account and needs someone trustworthy to transfer the funds to a secure location!
If this sounds amusing, it’s not! According to the RSA Fraud Report [PDF], in 2013 there were nearly 450,000 phishing attacks with estimated losses of over USD $5.9 billion.
In a phishing attack, an attacker attempts to acquire sensitive information such as usernames and passwords by masquerading as a trustworthy entity through email or instant messaging. Phishing attacks are sometimes also used to establish a beachhead for a more widespread attack through an organisations network.
Of course, not all phishing attacks are as obvious as the example above. For instance, a sales team might get emails requesting quotations and are asked to click on a url to read any RFP documentation. Or a customer service representative might click on a url sent by an ‘angry’ customer through online chat.
Recommendation. Train your staff (and customers) to recognise potential phishing attacks and how to deal with them. Even small changes to browsing habits can prove to be effective such as; typing a top level domain into the address bar instead of trusting the hyperlinks of a suspected phishing message. Use the latest browsers – most of them contain some type of phishing counter-measures that detect fraudulent sites.
#3. 2-step verification is for wimps
After all, with all the applications we have to manage on a daily basis, who has the time to enter 2 user names and passwords, right?
Well, look at it this way: Imagine if your bank, in an attempt to speed-up its turnaround time, had to remove the requirement to enter a PIN number and rely only on the debit card to make cash withdrawals from ATMs. I bet it wouldn’t be long before you started searching for a new bank!
2-step (multi-factor) verification adds that extra layer of security; but it would be pretty useless if you use dictionary-based passwords as described in Step 1.
Just as your bank account is only as secure as the combined PIN and card identification, business systems are only as secure as each account authorised to access them. Networks and websites recognise users through their usernames and passwords – whoever provides the right combination is assumed as being authorised.
Recommendation. Use 2-step verification, as a minimum, to access the most critical of your business systems such as content management systems, accounting packages, sensitive customer data etc.
#4. There’s a Dork for that!
If you want to make a newbie hacker’s day, make sure he can find your website and its known vulnerabilities in the greatest source of modern wisdom … Google. And don’t worry about him needing some technical expertise to know what to look for. In fact, kind-hearted and generous hackers have, for quite some time, maintained lists of these so-called Google Dorks; neatly categorised into the different types of vulnerabilities.
Looking for files containing passwords? There’s a Dork for that. Looking for login credentials? There’s a Dork for that. Looking for files containing juicy info? There’s a Dork for that too!
Google Dorking, aka Google Hacking, enables a hacker who is out for a quick and easy target to find sensitive data or evidence of vulnerabilities by querying a search engine like Google. And if they can’t Google it, they can Bing it.
All a potential hacker needs to do is run a query as in the example screengrab below:
Recommendation. Ensure that any content being indexed by Google (or other search engines) actually needs to be indexed. Typically, passwords, database connection strings and other sensitive files are not meant to be stored in an accessible, crawable portion of your website. If it needs to be there, put it in a directory with HTTP authentication and black list that directory using robots.txt.
#5. Ignore the most obvious signs
There are two types of hacking victims: those who know they’ve been hacked and those who haven’t realised it yet. For the latter, there can be signs which can be inferred from other activities, including:
- Increase in traffic from unusual locations such as suspiciously high outgoing network traffic, suspicious countries or referral sites, etc;
- Large amounts of spam emails and/or blog comments;
- Higher volume of 404 error pages;
- Site speed is slower than normal for an appreciable period of time.
Prevention is always better than cure. After all, I’m sure you prefer stopping a burglar from entering your home than looking for signs that he’s taking away your family china.
Recommendation. Identify potential web vulnerabilities before a hacker does, using a web application security scanner such as Acunetix. Make sure that your scanner can crawl all the website irrespective of the technologies used to build it and can return all vulnerabilities with zero or minimal false positives.
#6. Lock up the silverware and leave the front door open
Would you lock up the silverware and then leave the doors and windows open? Probably not.
Any attack on a network starts by the hacker identifying entry points from the outside world (internet) into your internal network. Hackers will eventually identify all the services you are running, even if you chose to hide them behind non-standard ports.
Recommendation. Make sure your scanner does not only identify vulnerabilities but is also able to locate any entry points into your network, giving you the chance to identify and close all doors and windows to potential hackers.
#7. Live under the illusion that hacking is only for experts and requires complex coding knowledge
If you think that website hacking is limited to elite criminals with special coding knowledge and skills who are only interested in high profile targets … think again.
According to Verizon Enterprise’s 2013 Data Breach Investigation Report (PDF), 78% of successful security intrusions were simple to pull off. The study explains how these security attacks required little or no special skills or resources to pull off. Consider also that 75% of all attacks were opportunistic in nature, i.e. there was never a specific target, just an easy one.
Tools that are freely available online allow even a teenager to pull off an SQL injection attack (one of the most commonly exploited vulnerabilities) within minutes. Havij, for example, created in 2011, is one of the most popular hacking tools used to automatically exploit SQLi attacks to steal anything from emails to passwords to credit card numbers. Even worse news? Hackers need absolutely no SQLi coding knowledge whatsoever to carry out the attack.
Recommendation. You haven’t downloaded that scanner yet? Get it now and start protecting your website before some basement-dwelling budding hacker takes a shot at your business.