No Matter How Small You Are, You Will Never Be Invisible
The size of your business or website isn’t going to be a strong factor on whether your site gets hacked. Big sites do tend to have different reasons to small sites on why they may be hacked but this doesn’t mean smaller sites are less likely to get hacked, in fact, it’s probably a higher chance.
Big businesses will obviously need to have nigh-impenetrable security to defend against hackers attacking for reasons such as:
- Hacking infamy for taking down a big website
- An ex-employee wanting vengeance or someone hired to take down the site.
- “For teh lulz” Lulzsec targeted Amazon, Facebook, Minecraft etc, Lizard Squad took down Xbox and PS4 servers on 2014 Xmas for no apparent reason.
Obviously taking down one of these websites is going to require actual hacking knowledge and not just copy+pasting off stack overflow, so to defend against professional hackers they are going to need professional defense.
But what about on the other side of the spectrum? Surely smaller businesses are safer because they are not as big? Actually smaller businesses are usually hacked for pretty much the same reasons, but on a smaller scale, unsurprisingly. Smaller businesses are renown for having weak security as they believe they are less of a target, which is actually the opposite. Hackers will tend to target these smaller sites for reasons such as:
- Even though they aren’t as big, smaller sites still count on the hacking leaderboards.
- Smaller sites can be used to distribute things such as “pharma-hacks”, which puts links in the back-end of the site that lead to “Pharmaceutical Sites” otherwise known as viagra.
- “For teh lulz” Although not as rewarding as taking down a larger site, a small site can still be changed from showing your business to be a floating ASCII skull promoting some terrorist organization, known as website defacement.
Notice the skull, self-promotion, how it’s the owners fault for letting the hacker hack them and, of course, the use of numbers in words. And the comic-sans font.
Of course you aren’t expected to spend millions on creating the perfect security system to defend your company, but you should at least do all the basics to prevent your website from promoting “The New Revolution of World Domination” or some other crazy organisation.
Passwords, Again?
I’ve said it before, I’ll say it again: change your passwords! This is the most basic thing you could do, and it’s also one of the most effective. Not only should you change your password to something strong (most sites come with an indicator to say whether it’s strong or not) but you should also change it regularly. What happens if someone gets your password and doesn’t do anything with it? You wouldn’t know until they actually do something, so changing it on a regular basis would make the old one void and suddenly your account is safe again.
While some websites actually enforce you to change it or at least notify you of changing it, most of these are ignored as around 2 minutes to create a new password is a hassle to most people. You should definitely change it if you haven’t done so in the past year, especially if it’s on a website such as Amazon or Sony due to recent threats that have surfaced.
So what does changing passwords have anything to do with my website? Don’t I have full access to my database? Obviously each website will require a password so that the owner can access it, or perhaps a database that holds all client information. This is even more of a reason to have stronger passwords as these accounts are likely to have much more precious information, these accounts will obviously need a new password regularly as if someone gets access to these, then you might as well get a new site.
And of course, usernames also provide the other half other your account, so choose something imaginative, instead of “Admin” or “username1”.
But wait, there’s more! If you manage to lose a mobile device or a laptop with website data on it, it would probably be wise to get a strong pin and try not to use a “connect the dots” password, as anyone looking over your shoulder can easily remember the shape of the connected dots. It would also be wise to invest in a “vault” app that holds all your important passwords where only you can access them on the device.
Anything else?
Attacks come in all different shapes and sizes, much like their targets. Most attacks are automated and have a large scale attack so it takes down any websites with low security, such as the Dictionary Attack or Brute Force Attack.
Another type of attack can be a DDOS (Distributed Denial of Service) which is also large scale, but only at one target. A DDOS acts as a way of knocking a website offline for a period of time, usually to stop the target from operating. A DDOS works by sending thousands or millions of requests per second to the website, until it eventually overloads and collapses. It is like searching in google for a specific website and clicking it, except x1,000,000 times per second.
This is less likely to happen to a small site but might if the attacker is the victim’s competitors. This is going to be automated, as a hacker isn’t likely to have 1,000,000 people waiting around to create a DDOS attack.
As mentioned above, website defacement usually occurs on smaller websites when the hacker isn’t too bothered about getting caught, as they completely change the design of the website to something which is obviously a hack. These aren’t too complicated, and is just one of the consequences of having a weak password.
Four parts of a defaced website: 1. Random image scooped off Google, 2. Misspelt Words 3. Random political statement asking to free somewhere or someone. 4. Telling the victim to “chill”
“Pharma Hacks”. These are when someone has gained access to your site and has hidden a link to a viagra site so it is boosted due to the victim site’s reputation. These are likely to be hidden as the attacker will try and make sure it doesn’t get removed. Again, another reason to get a stronger password.
None of these sites were originally pharmaceutical sites. You can tell by the url and the fact “PilgrimPeople” probably isn’t a bunch of pilgrims selling viagra.
So if you’ve reached this sentence you’ve hopefully read the article, or you’ve just scrolled all the way down in the hopes of a coupon code for free stuff. If you have read the article, I hope this has shed some light on why nobody is completely safe on the internet and that attacks can come in various shapes and sizes.
References:
http://zmus6e3hackzone.yolasite.com/
http://www.maurihackers.info/2013/11/10-sri-lankan-websites-defaced-by.html