Design 7 Common Ways Sites Get Compromised
Waking up to find out that your site has been defaced is as awkward as it is possible to feel. Waking up to find out that your users’ information has been stolen and their credit cards used by third parties is a liability, and a nightmare. Sweet dreams now, everyone!
For website owners and others who might not know how to harden their own servers against attack, it seems like a nightmare they can’t do much about. Well, I have good news: if you have a simple static site on a host that even kind of knows what they’re doing, you’re probably safe.
But the more complex systems you have in any situation, the more potential security holes there are. That means more vigilance, and more work to secure it. On the up side, people who break into other systems are nothing if not predictable. There are a number of pretty common kinds of attacks that can be prevented largely through simple forethought and planning.
Without further ado, in no particular order, I present some of the more common ways people will try to break into your site:
1. Social Engineering
Ask any security expert in any field: The most common point of failure is not software or hardware. It’s people, and their penchant for doing silly things. You know, silly things like leaving passwords written down somewhere obvious, or just giving away a user’s account to someone on the phone.
It’s pretty darned common for a “hacker” to call customer service before they do anything else. If they can successfully convince someone to just hand over the information they need, they’ve saved themselves potentially hours, or even days, of time. So as you make sure your servers are secure, you should also make sure that your employees have security processes to follow.
2. Missing Security Patches
This is still a big one, believe it or not, and especially in corporate environments. Updating lots of computers at once is a big deal. Sometimes the updates are delayed by systems administrators who just want to make sure none of the new updates will break their in-house software. Others are actually constrained, prohibited from installing updates by nervous management.
Sometimes the IT department is all but laid off, and some kid from the mail room who “knows computers” is told to keep everything running. Whatever the reason, sometimes security updates don’t get installed, and systems are left vulnerable. For websites, it’s usually just that no one is updating WordPress. Just do it.
3. Insecure Third-Party Code
Programmers are a brilliant breed in general, but some are more experienced than others. And even among the best, bugs happen. A lot of people get their start in the world of programming by coding plugins for other software, like CMS plugins.
Remember what I said about more complexity leading to more security holes? Well more plugins means more complexity. Have all plugins checked somehow before you install them, and update them whenever fixes come out, just like the rest of your software.
4. Bad User Security Policies
In this case, security policy would refer to how you ask your users to contribute to their own account’s safety. These policies are things like security questions, requirements for strong passwords, two-factor authentication, and even physical account security tokens used by institutions like banks. Email verification is pretty common, and one of the easier ways to handle this. It’s not entirely foolproof, though.
5. Injection Attacks
These are also known as SQL Injection attacks, or SQLi. Basically, someone gets on your website, and goes looking for forms. A contact form, a sign-up form, a submission form, any of these will do so long as they submit information directly into a SQL database.
They just input basic, common SQL statements into text fields in the hopes of being able to pull data out of your database. And unless your form inputs are sanitized (stripped of things like SQL commands when the forms get submitted), it’ll work.
6. Data Leaks
Depending on how things are programmed, data can just… leak. URLs can actually contain sensitive information, for example. People can just Google your site, and find URLs with sensitive information in them. If sensitive files are uploaded to unprotected folders on your server, anybody can download them. If people can somehow access the configuration files for your CMS, they’ve probably got a way in.
This isn’t always the result of poor programming either. Sometimes you might forget to set the right permissions on a folder, or something. Accidental leaks happen.
Clickjacking happens in one of two ways: One, someone sets up a malicious site with content that looks innocent enough. But when they click around on that site, it will do something they don’t necessarily want to do (such as Liking something on Facebook that they did not intend to), or take them somewhere they don’t want to go.
Two, someone manages to inject code into your site to hijack their clicks, with the same end result. At worst, this can lead to users compromising personal information by typing their information into a site that looks a lot like yours, but isn’t, for example.
There are more possibilities that I have neither the time nor the expertise to properly explain; these are some of the most common, though. Plan for these, and you’re off to a good start. But it’s just a start.
If you’re interested in more security stuff, you can study up on basic information security practices at Decent Security, and follow its author Swift on Security on Twitter. Umm, that’s an account where an infosec professional pretends to be Taylor Swift, shares good security advice, and writes Cortana fan-fiction.
You know what? Just start with the website, and some Googling.