Your website very likely holds valuable information about your clients and about your own business. With website hacking on the rise and opportunists looking to breach databases and sell the contents on illegal marketplaces such as the Dark Web, it is more important than ever to get on top of your website security and protect client data and any other sensitive information. This matters most for e-commerce websites and any other website that handles credit or debit card details, even where payment is managed by third-party software: a compromised site can still be altered to skim card details as customers type them in.
This article gives advice and steps to prevent website hacks and data breaches. We discuss the most common forms of attack, such as phishing and Distributed Denial of Service (DDoS) attacks, some less common methods, and best practices to protect your website from infiltration and data breaches. There are serious criminal penalties in force for cyber criminals, but many are adept at hiding their tracks, which makes identification, extradition and prosecution highly challenging; prevention is a far better bet than relying on the law after the fact.
We are a leading boutique web design agency in Bristol and across the South West. We work with our clients to design their ideal websites, and we apply rigorous checks and security protocols to protect against data breaches. Get in touch for a free consultation.
Preventing Breaches from Phishing Attacks
Phishing is one of the most common types of attack on a business or a website. It is quick and easy to carry out, with relatively low risk to the attacker. You have probably seen many phishing emails: they are designed to look like an official message from a bank, a hosting provider or a CMS vendor, and they prompt you to enter your login details on a look-alike page. Those credentials go straight to the criminal, who can then access your account. The same trick also arrives by text message and phone call, not only by email.
With a stolen administrator login the attacker can get into your website and install malware to collect further information. They may also simply export all the personal information held in your database, either to target the people in it with further phishing now that they have their email addresses, or to sell the data on the Dark Web.
To protect yourself against phishing:
- Train staff to recognise the tell-tale signs of a phishing attack. Banks, hosting providers and CMS vendors will never ask you to enter login details from a link in an email. Urgency, unexpected attachments and a sender address that is almost but not quite right are classic signs, and these emails can look extremely convincing. Do not click links on sight: check where a link actually goes, and only log in by typing the official address or using a bookmark.
- Turn on two-factor authentication, and biometric unlock where possible, for personal accounts. This is not complete protection, but it adds a large extra layer of security. For your website's administrator logins, require a second factor as well and restrict where administrators may log in from (for example an allowlist of office or VPN IP addresses), so that someone who has phished a username and password still cannot walk straight in.
- Phishing attacks are low effort but surprisingly effective. Most are stopped by staff who know not to click through and log in from a link, but training alone will never catch every attempt, which is why the second factor matters. Be equally careful with advertised websites: paid search results and display adverts have been used to deliver phishing landing pages and malware.
Malware
Malware may be installed if hackers gain access to the backend of your website, and a compromised site can then be used to push more malware to visitors' devices to reach further victims. Malware is also distributed through malicious websites and through phishing links that download it to your personal device. To reduce the risk, keep your operating system, browser and CMS up to date, run anti-virus protection, and avoid suspicious websites and adverts. The main types of malware are:
- Spyware (keyloggers). These install themselves on a personal device and record keystrokes. Repeated sequences then reveal passwords or PINs, which the hacker can use to access the relevant account.
- Trojans. Named after the wooden horse the Greeks used against Troy, Trojan malware disguises itself as a genuine executable or other file; once downloaded and opened it installs hidden malware, typically a keylogger, a screen recorder or a remote-access tool.
- Logic bombs. Malware that lies dormant until specific conditions are met (a date, a user action, a file being present) and then activates, usually with harmful effects on the device.
- Viruses. Malware that copies itself into other programs or files so that it spreads whenever those files are run or shared. Its payload may delete key files, disable the device, or be used to bring down your website.
- Ransomware. Encrypts your files, or locks you out of your device or accounts, and demands a large fee to restore access. Hackers usually demand payment in cryptocurrency to make the money harder to trace, and increasingly also threaten to publish stolen data if you do not pay. Reliable backups kept offline are the main defence, because they remove the attacker's leverage.
Distributed Denial of Service Attacks on Your Website, Server or Internet Service Provider
A DDoS attack floods a server, website or internet connection with far more traffic than it can handle, usually from thousands of compromised devices (a botnet) or by bouncing small requests off third-party servers that reply with much larger responses aimed at you. The traffic does not need to break in; it simply uses up bandwidth and server capacity until genuine visitors cannot get through. It is a deliberate attack designed to disrupt a service, so it can be used to keep you off the internet or to take down your website.
ISPs offer packages that include DDoS defence, and your hosting provider will also have measures in place to protect its servers; a content delivery network in front of your site can absorb a great deal of attack traffic as well. DDoS is usually a highly deliberate and targeted attack, so if you are concerned about it, or have already experienced one, consider the upgrades available to defend you.
Brute Force Entry Methods
Just as some burglars simply force their way into a building, some cyber criminals just try to force their way into an account: once they have identified the login email address they attempt to guess the password, trying many thousands of common passwords, or passwords leaked in other breaches, by machine.
A long password that is unique to the site, together with two-factor security, is the best defence against brute force. Locking or slowing down logins after a handful of failed attempts also helps, because these tools rely on being able to try millions of combinations unchallenged.
Social engineering also falls under this category: the criminal gathers information about you that can be used to answer security questions. Security questions are now quite a dated form of additional security. If you still have to fill them in, do not give real, factual answers; your first pet's name, for example, can often be found on social media, so make up an answer and keep it in your password manager.
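As an added illustration (not code from this article), the login blocking described above as a small throttle in Python: failed attempts are counted per account and per source IP in a sliding window, and a key is locked for a period once it reaches the limit. The limits, the usernames and the IP addresses are made-up assumptions, and `password_ok` stands in for the site's real password check.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Counts failed logins per key (account or source IP) inside a sliding window.
    Once a key reaches `max_failures` within `window_s` seconds it is locked for
    `lockout_s` seconds, during which even the correct password is refused.
    `clock` is injectable so the behaviour can be exercised without waiting."""

    def __init__(self, max_failures=5, window_s=600, lockout_s=900, clock=time.time):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> time the lock expires

    def _prune(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window_s:
            q.popleft()

    def is_locked(self, key):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.clock() < until:
            return True
        del self.locked_until[key]           # lock expired; start afresh
        return False

    def record_failure(self, key):
        now = self.clock()
        self._prune(key, now)
        self.failures[key].append(now)
        if len(self.failures[key]) >= self.max_failures:
            self.locked_until[key] = now + self.lockout_s
            self.failures[key].clear()

    def record_success(self, key):
        self.failures.pop(key, None)


def attempt_login(throttle, username, remote_ip, password_ok):
    """Returns 'locked', 'ok' or 'fail'. Both the account and the source IP are checked,
    so one account being hammered and one IP spraying many accounts are both caught.
    `password_ok` stands in for the site's real password check (assumed)."""
    keys = ("user:" + username.strip().lower(), "ip:" + remote_ip)
    if any(throttle.is_locked(k) for k in keys):
        return "locked"
    if password_ok:
        for k in keys:
            throttle.record_success(k)
        return "ok"
    for k in keys:
        throttle.record_failure(k)
    return "fail"


def simulate_brute_force(guesses=8):
    """Constructed scenario: one IP guesses `guesses` wrong passwords for 'admin',
    then the real administrator logs in from the office with the right password,
    once during the lockout and once after it. Returns the list of outcomes."""
    fake_now = [1_700_000_000]
    throttle = LoginThrottle(clock=lambda: fake_now[0])
    outcomes = []
    for _ in range(guesses):
        outcomes.append(attempt_login(throttle, "admin", "203.0.113.9", password_ok=False))
        fake_now[0] += 2
    outcomes.append(attempt_login(throttle, "admin", "198.51.100.7", password_ok=True))
    fake_now[0] += throttle.lockout_s + 1       # wait out the lockout
    outcomes.append(attempt_login(throttle, "admin", "198.51.100.7", password_ok=True))
    return outcomes


if __name__ == "__main__":
    print(simulate_brute_force())
```

The simulation makes the trade-off visible: the fifth wrong guess locks the account, and the genuine administrator is refused until the lockout expires, even with the right password. An attacker can therefore use lockout to keep your staff out, which is why a short lockout with a second factor is preferable to a permanent one, and why the per-IP counter matters: it stops a single source trying five guesses against each of a thousand accounts.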
Generally Enhancing Your Website Security
It is highly important to protect your website against the attacks described above. Other important measures are to:
- Regularly update your CMS, its plugins and themes, and any other software on the server. Most website compromises exploit known vulnerabilities for which a patch already exists.
- Teach internet safety to anyone who has access to the website, including the use of a password manager and how to spot phishing. Update your policies too, so that you are covered should a breach result from gross or deliberate negligence.
- Control which devices have access to the website and make sure they are all secure. Do not allow access from devices that have not passed your security checks.
- Consider cyber security insurance or other relevant cover. This helps with the costs if a deliberate, targeted attack succeeds, though insurers will ask what protections you had in place.
Niche Yet Dangerous Breach Methods
If you are targeted by an advanced individual or group of cyber criminals there is sadly a limit to what you can do, but the basics still raise the cost of an attack considerably. Modern encryption has been battle-tested for many years and the standard algorithms have not been broken; in practice attackers go around encryption rather than through it, by stealing keys, exploiting a flaw in the software that uses it, or intercepting data before it is encrypted. Other dangerous and highly specialised attacks include:
- Man-in-the-middle attacks. The attacker intercepts traffic between a user and your site and can read or alter it, often by redirecting it through a system they control. Serving the whole site over HTTPS with a valid certificate (and HSTS) is the main defence, as it lets the browser detect the interception.
- Session hijacking. After a user logs in, the site identifies them by a session ID, usually held in a cookie. A criminal who steals or guesses that ID can present it and be treated as the logged-in user without ever knowing the password. Marking session cookies Secure and HttpOnly, issuing a fresh session ID on login and expiring idle sessions make this far harder.
- SQL injection attacks. The attacker types crafted input, such as a stray quote mark followed by a fragment of SQL, into a form field or URL parameter that the site pastes into a database query. The database then runs the attacker's query and hands back data it normally would not, such as card numbers, login credentials and other personal details. Building queries with parameters (placeholders) instead of string concatenation prevents it.
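As an added example (not from this article), the injection just described and the parameterised fix, run against a constructed in-memory SQLite database with three made-up users. `find_user_vulnerable` builds the query by pasting the submitted email into the SQL string; `find_user_safe` hands the same values to the database driver as parameters. The password hashes are placeholder strings, not real hashes.

```python
import sqlite3

# Constructed sample data; hashes are placeholder strings, not real password hashes.
SAMPLE_USERS = [
    ("alice@example.com", "hash-alice", "4242"),
    ("bob@example.com", "hash-bob", "1881"),
    ("carol@example.com", "hash-carol", "0005"),
]


def build_demo_db():
    """In-memory SQLite database standing in for the site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, "
        "password_hash TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password_hash, card_last4) VALUES (?, ?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, email, password_hash):
    """Vulnerable: user input is pasted straight into the SQL text, so a quote in `email`
    ends the string literal and the rest of the input is executed as SQL."""
    sql = (
        "SELECT id, email FROM users "
        f"WHERE email = '{email}' AND password_hash = '{password_hash}'"
    )
    return conn.execute(sql).fetchall()


def find_user_safe(conn, email, password_hash):
    """Fixed: the SQL is a fixed string and the values travel separately as parameters,
    so whatever the input contains it is only ever compared as data, never run."""
    sql = "SELECT id, email FROM users WHERE email = ? AND password_hash = ?"
    return conn.execute(sql, (email, password_hash)).fetchall()


# Two classic payloads. The first makes the WHERE clause always true and comments out
# the password check; the second bolts on a query that reads the card column instead.
BYPASS_PAYLOAD = "' OR '1'='1' -- "
EXFIL_PAYLOAD = "' UNION SELECT id, card_last4 FROM users -- "


def demo():
    """Runs a legitimate login and both payloads through each version of the query."""
    conn = build_demo_db()
    return {
        "legit_safe": find_user_safe(conn, "alice@example.com", "hash-alice"),
        "bypass_vulnerable": find_user_vulnerable(conn, BYPASS_PAYLOAD, "wrong"),
        "bypass_safe": find_user_safe(conn, BYPASS_PAYLOAD, "wrong"),
        "exfil_vulnerable": sorted(find_user_vulnerable(conn, EXFIL_PAYLOAD, "wrong")),
        "exfil_safe": find_user_safe(conn, EXFIL_PAYLOAD, "wrong"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the vulnerable query the bypass payload logs in as every user at once and the UNION payload returns the card column in place of the email address; the parameterised query returns nothing for either, because the quote mark and the SQL after it are compared against the email column as an ordinary string. The same placeholder syntax exists in every mainstream database driver and ORM, so there is no reason to build queries by concatenation.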
The Implications of a Data Breach and Best Practice if it Occurs
The implications of a major data breach can be devastating for your business: significant financial loss, loss of reputation, downtime and legal issues. That is why it is highly important to protect yourself from data breaches and to implement best practices. If a breach does occur:
- Contain the breach and remove the intruder's access: isolate affected systems, reset compromised credentials and protect unaffected areas. Take copies of logs and disk images before you wipe or rebuild anything, so that evidence is not destroyed in the clean-up.
- Notify everyone affected and tell them how serious the breach is. Advise them to change login credentials and any other information that may have been compromised. In the UK, a breach that puts people at risk must also be reported to the ICO within 72 hours of your becoming aware of it.
- Keep evidence that could identify the perpetrator and support legal action. The same evidence is what establishes and proves how the breach occurred.
- Carry out a full and thorough investigation into how the breach occurred. This is vital to preventing future incidents and identifies the vulnerabilities that need fixing.
- Fix those vulnerabilities and implement additional security and training, so that the issue does not recur and you are better prepared should another incident occur.