The news that’s made every business think twice about its vulnerability to hacking in 2015 is the attack on Ashley Madison. The public release of millions of user details, company banking data, and other sensitive information brought the company to a standstill; and with disgruntled customers bringing a £367 million lawsuit against it, the future of the company remains in the balance.
But it’s not the only high-profile company to succumb to hacking. 2015 has seen 2.4 million Carphone Warehouse customers have their personal data and bank details compromised, whilst an automated computer program, searching for vulnerabilities in British Airways online security, managed to access account details of tens of thousands of frequent flyers. And these are not the only household names to get stung by cybercriminals over the last few years: eBay, TK Maxx, Sony, JP Morgan, Staples, and Adobe have all fallen victim.
And it’s not just blue chip companies that are finding themselves under attack, either. According to Symantec, 66% of targeted cyber-attacks are on SMEs and the UK is second only to the USA in terms of the numbers of attacks. With the rise of automated hacking tools, which scan vast swathes of the internet looking for vulnerabilities in servers and sites, the risk of attack is increasing. Symantec saw 317 million new pieces of malware released during 2014 and, according to Sophos, 30,000 websites are infected with them every day, the majority being small business websites.
Whilst the consequences of being hacked vary, the impact can be devastating. Depending upon the nature of the attack, your entire online operations can be closed down; the personal data of customers, partners and employees can be stolen and sold on to third-party criminals; business banking data can be exploited and malicious software can be hidden on your system to infect the technology people use to visit your site.
All of these, of course, have potentially huge financial implications: loss of business, fraud, lawsuits, compensation, IT fees for fixing the vulnerability – the list goes on. The theft of intellectual property and industrial espionage alone cost UK companies nearly £17 billion in 2011.
Types of hacks and how they can be protected against
There are various ways hackers can target your business. Below we cover some of the more common attacks and how you can protect against them.
In social engineering, the main vulnerability that hackers exploit is people. Hackers use a variety of techniques to manipulate people into either divulging sensitive information directly or installing malicious software on their PC.
Common examples of social engineering include:
This is one of the most common and well-known tactics: scam emails contain links which, when clicked on, either install malware or take the victim to a specially crafted website that is then used to extract information such as usernames and passwords.
This is where infected devices, like USB drives, are left in offices in the hope someone will plug one in to see what’s on it. Software on the drive can be configured to either autorun or trick the staff member into executing a file, thus infecting the target machine.
This is where an attacker impersonates somebody in an attempt to trick a staff member into divulging sensitive information. For example, an attacker may call pretending to be a manager requesting a password reset. An elaborate back story is often provided, and the attack will often involve ‘sweet talking’ or ‘bullying’ the victim into bypassing security procedures.
How to protect your business from social engineering attacks
The solution to preventing attacks by social engineering is to have watertight procedures and well-trained staff.
1. Educate Yourself.
Keep yourself up to date on the latest developments in cyber-crime and the types of attacks that are perpetrated. Hackers are constantly evolving and developing new techniques, so it is important you keep on top of the latest developments.
2. Have a security policy in place.
Have a written security policy and make sure all staff understand it; many organizations now require employees to sign a security policy. Procedures need to be kept up-to-date to deal with the changing face of cyber-attacks and should follow the guidelines laid down in the Data Protection Act.
All new and temporary staff should be given induction training and existing staff need refresher courses when new procedures need to be followed.
3. Promote awareness.
Make sure staff are made aware of any new techniques hackers are using and how they can identify and protect against them. Have procedures in place for staff to report any suspicious activity. Hackers may make multiple attempts until they find a member of staff they can manipulate into giving them what they want; by encouraging staff to report suspicious activity, you can take preventative action.
4. Don’t be afraid to challenge somebody.
Whether it is an onsite visitor or a caller, staff should never be afraid to challenge somebody to identify themselves. One common technique is for the hacker to put pressure on the target through either a false sense of urgency, perceived seniority or just plain persistence. It is important that staff stick to procedure and don’t succumb to these pressures.
5. Lead by example.
As a manager, it can be tempting to have staff break procedure when it’s you that requires information. Doing so leads to complacency, which can negate any prior training that has been given to staff.
Server vulnerabilities are weaknesses in the operating system and/or software installed on the server, either as the result of a poor security policy, software misconfiguration or a bug.
Successful attacks against a vulnerable server are often disastrous for the target as the end result is nearly always full unrestricted access to the server for the attacker.
Common attacks of this type include:
1. Brute force attacks.
These target services that require username and password authentication to access the service; for example, SSH on Linux and RDP on Windows servers are common targets.
These types of attacks tend to be automated and have become more sophisticated over time. As more and more password data has become available to hackers through previous successful hacks, patterns have emerged in how humans select passwords, and these patterns have been exploited to greatly increase the success rates of brute force hacks.
2. Software Exploits.
Modern software is extremely complex and often contains millions of lines of code. As a result, there are bugs in most software, some of which can be exploited to allow hackers to gain access to a server.
It is a never-ending race between hackers and software developers to locate these bugs: the developers want to patch vulnerabilities before they can be exploited, while the hackers, of course, want to find them first and exploit them for as long as possible until they are patched.
One recent example of this was the Heartbleed bug, which potentially allowed hackers to exploit weaknesses in website encryption to obtain login information. There was a significant period between the bug being found and a patch being released, so mitigation was a priority.
How to protect against server vulnerabilities
Having a thorough security policy in place is key to keeping your server secure. Below are some of the ways you can achieve this:
1. Put in place a firewall policy.
Many attacks can be avoided altogether by simply ensuring vulnerable services are not accessible in the first place. Using a firewall, access to ports can be restricted so they are only available from trusted locations (for example, your company offices); hackers can’t target a service they can’t see online.
Only ports that absolutely must be publicly available to deliver your services should be unrestricted. For example, in the case of a server that is used only to deliver a website, this would consist of just the HTTP (80) and HTTPS (443) ports; all other ports should be either locked down completely or only accessible via trusted IP addresses.
2. Enable Intrusion prevention systems (IDS/IPS).
Intrusion prevention systems monitor network traffic or service logs for suspicious activity and stop any attempted intrusion. If a hacker is bombarding your site with thousands of attempts to log in, these systems can quickly find out the source of the attack and block the IP address of the attacker. At eUKhost, we think these systems are so important that they are pre-enabled on all our servers that have the latest versions of Plesk and cPanel installed.
3. Have a patching and update policy in place.
It is good practice to have an update and patching policy; at eUKhost, it’s a standard part of the management service we provide for our customers. Software updates and patches are not only issued by developers to fix bugs but also to address security vulnerabilities which have recently come to light, so it’s important they are kept up-to-date.
4. Ensure you have a password policy in place.
A good password policy is also important for increasing security. Ensuring everyone has strong passwords which are changed on a regular basis and kept secret is standard practice for most organizations these days. It’s an easy but effective way to reduce the chances of being hacked. Both Plesk and cPanel have controls built in that can be used to enforce minimum password strengths.
5. Be careful when installing new server software.
With modern package managers such as YUM & APT, installing software is often a very easy task. However, configuring software securely for a production environment can often be far more complex, and it can be easy to leave software open to exploitation, for example by forgetting to change a default password.
If you are an eUKhost client and are unsure about how to configure a software package, then please contact our management team and they will be happy to advise.
By doing the above, the majority of attacks can be either avoided altogether or greatly mitigated. If you want the very best in protection, then invest in a hardware-based firewall such as our own FortiGate security appliance, which unifies firewall services, IDS/IPS, malware protection, application firewall, and DDoS protection into a single device that can protect multiple servers.
eUKhost management services also include free consultancy to help clients develop an appropriate security policy for their specific needs.
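The log-monitoring approach described under intrusion prevention above can be sketched as follows. This is an added example, not eUKhost's or any product's own code: the function name, the threshold of 4 failures in 10 minutes and the sample log lines are assumptions, and the function only reports addresses, leaving the actual blocking to the firewall.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not from a real system). The addresses
# come from the ranges reserved for documentation.
SAMPLE_LOG = """\
Aug 20 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40022 ssh2
Aug 20 10:00:03 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40023 ssh2
Aug 20 10:00:05 web1 sshd[2102]: Accepted password for deploy from 198.51.100.20 port 51000 ssh2
Aug 20 10:00:06 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 40024 ssh2
Aug 20 10:00:09 web1 sshd[2104]: Failed password for invalid user test from 203.0.113.7 port 40025 ssh2
Aug 20 10:01:00 web1 sshd[2105]: Failed password for deploy from 198.51.100.20 port 51001 ssh2
Aug 20 10:20:00 web1 sshd[2106]: Failed password for deploy from 198.51.100.20 port 51002 ssh2
Aug 20 10:40:00 web1 sshd[2107]: Failed password for deploy from 198.51.100.20 port 51003 ssh2
Aug 20 11:00:00 web1 sshd[2108]: Failed password for deploy from 198.51.100.20 port 51004 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) "
)

def ips_to_block(log_text, max_failures=4, window_minutes=10,
                 trusted=frozenset(), year=2015):
    """Return {ip: time of the failed login that crossed the threshold}."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    blocked = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m or m["ip"] in trusted or m["ip"] in blocked:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:     # forget failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            blocked[m["ip"]] = ts
    return blocked

if __name__ == "__main__":
    for ip, when in ips_to_block(SAMPLE_LOG).items():
        print(f"block {ip} (threshold reached at {when})")
```

The sliding window is what separates the rapid guessing from 203.0.113.7 from the user at 198.51.100.20 who mistypes a password a few times over an hour and is not blocked.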
Application & Website Vulnerabilities
Unfortunately, it’s not just your server which is vulnerable to attack; sometimes it’s the applications that you run on it. This is especially the case with common platforms used to build websites, like WordPress and Magento. According to Alexa, 70% of the world’s top ranking WordPress sites are vulnerable to attack, and there are three main attack vectors that hackers exploit to gain access: poorly configured servers; weak usernames and passwords to the admin panel or FTP account; and software vulnerability, such as using older versions of the platform or plugins.
1. Cross-site scripting.
Here, the hacker inserts malicious code onto a link on your website so that, when one of your visitors clicks on the link, malware infects their computer and allows information to be stolen.
As the attackers are targeting your visitors this can have a disastrous effect on your reputation and will often result in your site being blacklisted and blocked by search engines.
2. SQL injection.
Here, a hacker will find a form that needs to be filled in on your website, such as a newsletter subscription form, but instead of typing in a name and email address, they will type in SQL computer code that allows them access to your database. From here they can potentially download all the information stored on your database, including the personal details of customers.
3. Man in the middle.
In a man in the middle attack, the hacker intercepts communication between your website and the visitor. One example of how this works is when malware is sent from your website to the visitor’s browser. Once installed, the visitor is then redirected to a different site that looks just like yours. Any information they then provide is given, unwittingly, to the hacker.
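The SQL injection item above comes down to how the form value reaches the database. The following added example (not code from the original article) puts a query built by string concatenation beside the parameterised form that fixes it, using Python's built-in sqlite3 module; the table, function names and form inputs are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database holding constructed sample subscribers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO subscribers VALUES (?, ?)", [
        ("Alice", "alice@example.com"),
        ("Bob", "bob@example.com"),
        ("Carol", "carol@example.com"),
        ("Dara", "d.o'brien@example.com"),
    ])
    return conn

def lookup_vulnerable(conn, email):
    # VULNERABLE: the form value is pasted into the SQL text, so any quote
    # characters in it become part of the query itself.
    sql = "SELECT name, email FROM subscribers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()

def lookup_safe(conn, email):
    # FIXED: the ? placeholder passes the value separately from the SQL text,
    # so the database only ever treats it as data to compare against.
    sql = "SELECT name, email FROM subscribers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

# Constructed form inputs: a normal address, a value containing SQL syntax,
# and a legitimate address that happens to contain an apostrophe.
NORMAL = "bob@example.com"
CRAFTED = "x' OR '1'='1"
APOSTROPHE = "d.o'brien@example.com"

if __name__ == "__main__":
    conn = make_db()
    for label, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        print(label, "normal :", fn(conn, NORMAL))
        print(label, "crafted:", fn(conn, CRAFTED))
    print("safe apostrophe:", lookup_safe(conn, APOSTROPHE))
```

The concatenated query returns every subscriber for the crafted value and fails outright on the legitimate apostrophe address, while the parameterised query handles both correctly.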
How to protect against application vulnerabilities
Failure to protect vulnerable applications from being exploited can have seriously damaging consequences and so preventing an attack should be a priority. To do this there are a number of things you need to do.
1. Keep your application up to date.
Firstly, you should keep your application and any associated plugins up-to-date. If you are a WordPress user and you have a control panel that uses Plesk 12 or higher, this is made easier through the inbuilt WordPress hardening and update tools. These allow you to security-check every plugin and software update so that vulnerabilities are quickly spotted.
Most applications, such as Magento and WordPress, now come with version-checking tools; however, these tend to require running manually, so check often for updates.
2. Follow best practice guidelines.
Most applications include best practice guidelines for security. Read these carefully and apply any recommendations.
3. Sign up for the developer’s mailing list or Forum.
Most application developer sites have security-related mailing lists or forums. Sign up to these and act upon any recommendations.
When vulnerabilities are found, it can take time before a patch is released. Often developers will provide information via their mailing list or forum detailing how to mitigate the issue in the meantime.
4. Protect vulnerable areas of your website using .htaccess files.
If you use Apache, then a great line of defense is to use .htaccess files to protect the vulnerable areas of your website, such as the admin interface. This can be used for a wide range of security measures, including preventing access to databases, stopping hackers being able to browse your directories, denying access to files, password protecting directories and limiting access to your admin area to specific IPs.
5. Enable Intrusion prevention systems (IDS/IPS).
Both Plesk & cPanel come with an intrusion prevention system that can be configured for certain applications. For example, fail2ban, built into Plesk, has predefined rulesets for WordPress which can be enabled.
6. Enable an application firewall.
Application firewalls work by using a predefined ruleset to sanitize or block HTTP requests that do not conform to the rules. For example, if a request includes an SQL query which should not be part of the HTTP request (SQL injection), the firewall will block the request before it is executed by your application.
The most widely known application firewall is mod_security, which is now built into Plesk and cPanel on our Linux servers and comes with a number of custom rulesets that can be enabled.
When properly configured an application firewall can be extremely effective at blocking cross-site scripting and SQL injection attacks.
7. Enable site-wide SSL
Encryption is another layer of security that will prevent hackers from accessing important data. By enabling site-wide SSL, (Secure Sockets Layer) you can easily establish an encrypted link between a server and a client. This will help keep personal data, credit card information and passwords safe during transmission thus preventing man in the middle attacks.
It should be noted that Google now provides a ranking boost for sites using site-wide SSL, so this is another reason to enable it.
8. Use a vulnerability scanner.
A vulnerability scanner such as our own MTV scan will undertake a deep scan of your website for known vulnerabilities, malware and intrusions, as well as check your website’s reputation and see whether your website and email addresses have been blacklisted. As a result, this prevents infection and helps resolve issues with your website’s authority across the internet.
9. Backup regularly.
The final thing you should do is to regularly back up your files. Should the worst ever happen and you find your site has been hacked, the files on your server may be infected or even deleted. If you have your files backed up it means that restoring your website can be an easy thing to do. If you don’t, you may have to rebuild the website from scratch: programs, content, and database.
Of course, the easiest solution to prevent hacking is to ensure you choose a web host that provides robust and comprehensive security. At eUKhost, all our VPS, enterprise cloud and dedicated servers come with management services that can be called upon to harden servers and protect against attacks.
If you are concerned about your website security and want to know how eUKhost can help protect your business, call us on 0800 862 0380 or click the live chat button at the top of the page.