Security, Vulnerability, Where to Turn

We are hearing much about hacks these days and they’re coming to a neighborhood near you. Will they knock on your doorstep? They probably already have in one surreptitious way or another. So… all scariness put on the shelf for a moment… what can possibly be done?

The Good Guys Are Out There – Let’s Go Find ’em

I recently attended a webinar presented by WP Engine, a top-level hosting company specializing in tuned WordPress hosting. The featured presenter was Tony Perez, CEO of Sucuri, a company that focuses on multi-level online security for websites and various online services. In his presentation, Mr. Perez laid out the landscape of online security and vulnerabilities. He described many ways and methods hackers use to hijack our websites, our email, our online purchases — any online activity or content. He described a cunning, yet very interesting phenomenon that has more facets than you would have ever thought.

What Happens When Our Site is Hacked?

Tony mentions that the vast majority of online threats are automated and target what he calls the “low-hanging fruit” on the web. The hacking entity usually exploits easy targets with commonly known vulnerabilities. These automated attackers often send out a barrage of attempts targeting these weaknesses, doing so over and over, until they find a way into some area in a computer, a server, an online account, or similar target. While the vast majority of possible targets remain unharmed, the hacker-bots only care about what they can find, and this is how their success begins.

Pinpointing The Targets

Tony Perez mentions three layers in the landscape of cyber security where threats are aimed, which I paraphrase as:

  • Human Nature
  • Our digital tangibles, the online services or personal devices we interact with
  • Online networks and integrated services

Human Nature is the weakest link, the element responsible for 95% of all online security compromises. Human Nature is the area where experts have the least control and which they often hesitate to address. There is an ever-present conflict (or competition) between safety and convenience, and the deciding factor is in our individual control.

First on the List, Identify Priorities

Most businesses spend their energies and finances on sales, marketing, and perhaps SEO, since that has become such a topic of discussion, but security is frequently left out of the budgeting of time and money. Individuals are often strapped for time. Hackers will take advantage of this. Sadly, when the harsh reality comes to pass due to this common oversight, the expense can be enormous, much more than imagined and, of course, never contemplated.

The Old Line, A Stitch-In-Time

However, if there is one element we could say is the primary solution to security issues, it would be maintenance. Maintenance, in this case, would be thinking ahead. And in the long run, it would be the best money you could spend.

And the Solution Would Be…

Well, there is no one solution. Security online must involve multiple resources working together in tandem. All the best practices won’t guarantee you’ll never be hacked, but in the case that you are compromised, a swift and knowledgeable response is certainly in your best interest. Let’s first look at the human element that Tony Perez points out and see what we should do on our end.

Human Factor Weaknesses include:

  • Lack of basic education in security
  • Deferred software updates
  • Insecure usernames/passwords
  • Poor server, website, or software configuration

Your choice of service provider or hosting service can affect the technical points on this list. WP Engine, for example, restricts the use of some WordPress plugins, forces certain critical updates, and provides security monitoring by Sucuri. Other hosting services, such as SiteGround, offer similar basic monitoring services, while HostGator, GoDaddy and some others sell add-ons to their basic plans but often don’t include or require their use.

On to the Technical Side of Security

To offer a sampling of what we are up against on the technical side, Mr. Perez mentions three types of attacks:

  1. External attacks
    • Brute-Force login attempts
    • Software (plugin) vulnerability exploitation
    • Security Software misconfiguration vulnerabilities
    • DDoS attacks (overwhelming a server’s resources with a flood of activity)
  2. Internal attacks
    • cross-site contamination (once in, spreading horizontally)
    • lax server security configuration
    • back doors (once in, hackers may set up an easy point of re-entry should the malware be removed)
  3. Reflective attacks (interception of a site’s activity)
    • malvertising (unwanted popups or content infection/insertion)
    • manipulation of DNS (using your domain to redirect to another website)
      • this can be obvious or can be masked by replicating the look and feel of your site when the visitor is taken away to unsafe territory
      • rerouting of e-commerce so purchase capital or credit card information is taken from your online purchasers
    • email phishing or spoofing
    • Search Engine Result Page infection (your site’s search engine listings actually go to another site)
    • Botnet Inclusion (your computer or website is enlisted into a network of malicious activity, becomes an active participant in the problem, in turn may become blacklisted, etc.)

Tony Perez goes into more detail in his presentation, which for some can be fascinating indeed. But I will skip on to the solution side of Tony’s presentation: how Sucuri and WP Engine, as well as other security providers and reputable hosting companies, can offer protection.

The “Defense in Depth” Approach

Tony Perez uses the phrase “Defense in Depth” to describe a workable solution to provide online security.

Thorough Cleanup

Oftentimes, security measures aren’t deployed until after an attack is made, so a thorough cleanup is needed. This is more than removing malicious links or images; it means actually removing the software that produces them wherever it resides in your server environment. This could be in the site’s folders or even in the database. An expert should be hired to make a thorough scan and removal of all sources of infection.

Continued Monitoring

Follow up with a steadfast watch over multiple areas for any resurgence of malicious activity:

  • content and activity within the site
  • information coming into the site
  • information leaving the site
  • monitoring changes in DNS for domains and subdomains

Staying Within the Security Loop

After cleanup is done, be sure to keep software and plugins updated, change your passwords regularly, making them complex and secure, and budget your time and money to include security with all online endeavors.

Deploy Multiple Layers of Defense

Do not rely on any single solution, but rather on a thorough, proven series of resources to cover all vulnerabilities. This could include site monitoring, updates on user education, a website firewall, integration with hosting services, and more. And then, when and if another attack is encountered, deploy a speedy and effective response.

Now, About Cost

This was not part of Tony Perez’ presentation, but I know from my own experience that cost will certainly be a consideration. Don’t be shy. Talk to a security sales representative about your budget. See what you can work into your framework and remember to balance that with the value of what is at stake either with your business or customers. There is a lot to consider and the sooner you get started, the better you will be able to undertake the solution.

Don’t Delay – Get Underway

Websentia Web Services recommends you start now. Learn more about enhanced hosting and security services much like what WP Engine and Sucuri offer. Make security a priority.