There is no question as to why security is important. Protection, safety and loss prevention are a few of the words that come to mind when discussing website security. Security loses none of that importance when the subject is building a website, even a website for a small business. The truth is, small businesses are just as susceptible to cyber attacks as larger ones. The difference is that you may not have the manpower or the skill set to protect yourself from all of these attacks. What matters is that you learn as much as you can and do as much as you can to protect your website.
What are cyber attacks?
Before diving into the meat of the matter, it is imperative that we understand a few relevant terms. Cyber attacks are attempts to carry out malicious activities on a particular target computer or website. These activities can be anything from stealing information for some sort of gain, to altering or corrupting information to cause a malfunction. Cyber attacks exploit vulnerabilities within a website. Vulnerabilities are weaknesses within the structure of the website and its coding.
These are the most common website attacks you need to know as a small business owner.
1. Password Attacks
As the name suggests, these attacks target a system that requires credentials to access data. If you wish to include online purchasing on your website, it is best to have your customers enter credentials before they can access your site. Examples of password attacks include brute force attacks and dictionary attacks. A brute force attack tries every possible combination of characters from the allowed set until one works. A dictionary attack works through a predefined list, or ‘dictionary’, of likely passwords that the attacker tries one by one.
Solution: Password attacks
If you want to safeguard your website against password attacks, a few things can be done. First, you can program your website to require that new passwords meet certain complexity requirements: a mixture of lower- and upper-case letters along with numbers and symbols, for example. Your PHP code can be written to enforce whatever complexity rules you want your users’ passwords to follow. Another thing you can do is add two-factor verification to the user login, and finally, you can require that users change their password regularly.
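One way to enforce such a policy in PHP, as an added example that is not code from the original article; the specific rules and the minimum length are assumptions, not the article's:

```php
<?php
// Added example, not code from the original article: a PHP password policy
// check run before a new password is stored. The exact rules are assumptions;
// change them to match your own policy.
declare(strict_types=1);

const MIN_PASSWORD_LENGTH = 12;

/** Return a list of policy violations; an empty array means the password passes. */
function passwordPolicyErrors(string $password): array
{
    $errors = [];
    if (mb_strlen($password) < MIN_PASSWORD_LENGTH) {
        $errors[] = 'must be at least ' . MIN_PASSWORD_LENGTH . ' characters';
    }
    if (!preg_match('/[a-z]/', $password)) {
        $errors[] = 'must contain a lower-case letter';
    }
    if (!preg_match('/[A-Z]/', $password)) {
        $errors[] = 'must contain an upper-case letter';
    }
    if (!preg_match('/[0-9]/', $password)) {
        $errors[] = 'must contain a digit';
    }
    if (!preg_match('/[^a-zA-Z0-9]/', $password)) {
        $errors[] = 'must contain a symbol';
    }
    return $errors;
}

/**
 * Validate the password, then hash it with PHP's built-in password_hash()
 * so the database only ever stores the hash, never the password itself.
 */
function registerPassword(string $password): string
{
    $errors = passwordPolicyErrors($password);
    if ($errors !== []) {
        throw new InvalidArgumentException('Password ' . implode(', ', $errors));
    }
    return password_hash($password, PASSWORD_DEFAULT);
}

// Constructed sample input, as it would arrive from a registration form.
$hash = registerPassword('Correct-Horse-7-Battery');
// At login, compare the submitted password against the stored hash.
var_dump(password_verify('Correct-Horse-7-Battery', $hash));
```

Complexity rules raise the cost of guessing, but the login endpoint should also limit attempts per account, since that is what directly blunts brute force and dictionary attacks.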
2. Scripting and Injection Attacks
In this kind of cyber attack, the attacker attempts to insert malicious code into the code of a website. Examples of injection attacks are SQL Injection and Cross-Site Scripting (XSS).
SQL Injection
In a SQL Injection, the attacker enters SQL commands into user input fields or into the URL in an attempt to gain access to your website’s database. SQL syntax is standardised and well known, making this one of the simplest attacks to attempt.
Cross-Site Scripting
In XSS attacks, the hacker injects malicious JavaScript code into your website’s files or pages. Unfortunately, the user’s browser interprets this as legitimate code from your website, which allows the hijacking of the user’s session. Hackers can then perform unauthorised actions that can be detrimental to website owners and their users.
Solution: Scripting and Injection
SQL Injection
A hacker using SQL Injection will target input fields such as forms or a search bar. Attackers enter SQL commands into these fields, then attempt to access and pull stored user information from your database. Sanitisation and validation are important ways to help prevent this kind of cyber attack, but alone they will not be enough. You can also implement firewalls and other web application tools to help prevent these attacks.
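Sanitisation alone does not stop SQL injection; the standard fix is a prepared statement, which keeps the user's input out of the SQL text altogether. The following is an added example, not code from the article or from any particular product, and it assumes PDO with the SQLite driver plus a constructed users table:

```php
<?php
// Added example, not code from the original article: the same user lookup
// written the injectable way and the safe way. It uses an in-memory SQLite
// database through PDO so it runs stand-alone; the users table is constructed.
declare(strict_types=1);

function openDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
    // Constructed sample row; only the password hash is stored, never the password.
    $insert = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    $insert->execute([':email' => 'alice@example.com', ':hash' => password_hash('example-pass-1', PASSWORD_DEFAULT)]);
    return $pdo;
}

// INSECURE: the input is spliced into the SQL text, so a quote character in
// the input changes the structure of the query. This is what SQL injection exploits.
function findUserInsecure(PDO $pdo, string $email): ?array
{
    $row = $pdo->query("SELECT id, email, password_hash FROM users WHERE email = '$email'")
               ->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// SECURE: validate the shape of the input, then bind it as a parameter. The database
// receives SQL and value separately and treats the value purely as data.
function findUser(PDO $pdo, string $email): ?array
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, email, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function checkLogin(PDO $pdo, string $email, string $password): bool
{
    $user = findUser($pdo, $email);
    return $user !== null && password_verify($password, $user['password_hash']);
}
$pdo = openDatabase();
var_dump(checkLogin($pdo, 'alice@example.com', 'example-pass-1'));
// A legitimate address containing a quote: the prepared statement handles it,
// while findUserInsecure() would raise an SQL syntax error on the same input.
var_dump(findUser($pdo, "o'brien@example.com"));
```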
Cross-Site Scripting (XSS)
XSS attacks make use of vulnerabilities in the front end of your website by injecting a script into your website’s pages. Sanitisation and validation can also help protect your website from this attack, as can regularly testing your website for malicious code.
3. Inclusion Attacks
Inclusion attacks are those where the intruder attempts to gain access to unauthorised information on the system by including files that are not intended for use on the website. There are two types of inclusion attacks – Local File Inclusion and Remote File Inclusion.
Local File Inclusion (LFI)
Local file inclusion, as the name suggests, targets a file stored locally on the system being attacked. This is done by manipulating the parameter of the include function in PHP code. The intruder attempts to change the argument of the include function from the file it is intended to access to other, more sensitive files. Doing so can give them access to those files, allowing them to steal or corrupt the information stored there.
Remote File Inclusion (RFI)
The second type of inclusion attack is the remote file inclusion attack. In this attack, the intruder attempts to change the arguments of a function in your website’s code through the URL. These attacks target functions that carry out processes the website needs in order to run. If those arguments can be altered in the right way, the attacker is able to carry out their real aim: adding further malicious scripts to your site.
Solution: Inclusion attacks
These attacks work by altering your website’s URL as it carries out the processes it needs in order to function. If you pay attention to certain websites, you can see in the URL where important information, such as function parameters, is passed. To see this, watch the URL while the website switches from one page to another. This vulnerability is entirely the result of improper coding practices. It can be prevented by using secure coding methods, such as mapping user input onto predefined variables instead of passing the raw input string to a function.
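The include-by-parameter pattern and its allowlisted replacement, as an added example that is not code from the original article; the pages/ directory and the file names are assumptions:

```php
<?php
// Added example, not code from the original article: a page router that
// chooses which PHP file to include from the ?page= query parameter. The
// pages/ directory and its file names are assumptions.
declare(strict_types=1);

// INSECURE: the request parameter becomes part of the include path, so the
// URL decides which file is executed. This is the pattern that local and
// remote file inclusion attacks abuse.
function renderPageInsecure(string $page): void
{
    include __DIR__ . '/pages/' . $page . '.php';
}

// SECURE: the parameter is only ever used as a key into a fixed map of
// allowed pages. Anything that is not a key is rejected, so no
// user-controlled string reaches include().
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolvePage(?string $page): ?string
{
    $key = $page ?? 'home';
    if (!array_key_exists($key, ALLOWED_PAGES)) {
        return null; // unknown page: the caller answers 404
    }
    return __DIR__ . '/pages/' . ALLOWED_PAGES[$key];
}

function renderPage(?string $page): void
{
    $path = resolvePage($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    include $path;
}

// $_GET values can also be arrays; only accept a plain string.
$requested = $_GET['page'] ?? null;
renderPage(is_string($requested) ? $requested : null);
```

As a second layer, keep allow_url_include off in php.ini (its default) so include() cannot load a remote URL even if a bug like renderPageInsecure() slips through.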
How to Protect Your Website
Improper coding practices cause most of the vulnerabilities that cyber-criminals exploit. Once that is understood, the importance of proper coding hardly needs stressing.
Sanitisation and Validation
The attacks mentioned above are all ways of exploiting improper coding practices. These practices are not incorrect, just insecure, and they can cause a lot of harm. The first level of defence against these cyber attacks is implementing string sanitisation and validation. Both can be done by adding an extra line to your code that runs the input through a function that does one of two things. In the case of sanitisation, the function ‘sanitises’ the user’s input by making sure the entered characters cannot confuse the system, removing the ones that would. Validation then ensures that the data is in the form expected.
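The validation and sanitisation described here, together with output escaping for the XSS case covered earlier, applied to a contact form. This is an added example, not the article's code; the field names and length limits are assumptions:

```php
<?php
// Added example, not code from the original article: a contact-form handler
// that validates input on the way in and escapes it on the way out. Field
// names and length limits are assumptions.
declare(strict_types=1);

/** Read one posted field as a trimmed string; non-string values (e.g. arrays) count as empty. */
function field(array $post, string $name): string
{
    $value = $post[$name] ?? '';
    return is_string($value) ? trim($value) : '';
}

/** Validate and sanitise the submission; returns ok, the cleaned data and any errors. */
function validateContactForm(array $post): array
{
    $errors = [];
    $name = field($post, 'name');
    if ($name === '' || mb_strlen($name) > 100) {
        $errors['name'] = 'Name is required (max 100 characters)';
    }
    $email = filter_var(field($post, 'email'), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'A valid e-mail address is required';
        $email = '';
    }
    // Sanitise: strip control characters, which have no place in a message.
    $message = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', field($post, 'message')) ?? '';
    if ($message === '' || mb_strlen($message) > 2000) {
        $errors['message'] = 'Message is required (max 2000 characters)';
    }
    $data = ['name' => $name, 'email' => $email, 'message' => $message];
    return ['ok' => $errors === [], 'data' => $data, 'errors' => $errors];
}

/** Escape for HTML output, so stored text is shown as text and never run as script. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
// Constructed sample submission standing in for $_POST; note the HTML-special characters.
$result = validateContactForm(['name' => 'Dana <Admin>', 'email' => 'dana@example.com',
                               'message' => 'Hi "there" & <friends>']);
foreach ($result['errors'] as $f => $msg) {
    echo '<p class="error">' . e($f) . ': ' . e($msg) . '</p>';
}
if ($result['ok']) {
    echo '<p>Thanks, ' . e($result['data']['name']) . '. We will reply to ' . e($result['data']['email']) . '.</p>';
}
```

Validation decides what is accepted; escaping at output is what stops an accepted value from being interpreted as HTML or script when it is shown back to a user.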
If all else fails…
No website is completely safe; in fact, there is no such thing. Even with knowledge of all of these attacks and vulnerabilities, understand that most hackers are highly skilled. Chances are, they know more about the technologies used to secure websites than the average Joe. Ensure that you sign up with the best web hosting provider you can, one that can supply your website with secure servers that do not compromise your security plan. Smart hosting providers take care to keep their customers informed and will often provide security tips on their blog and in their knowledge base. However, you should be mindful that some website attacks are not so easy to prevent, such as phishing and DDoS cyber attacks.
Phishing and DDoS
Phishing is a social engineering attack that attempts to trick users into giving up important information. DDoS stands for Distributed Denial of Service. Here, hackers use a large number of compromised computers, called ‘bots’, to send a large amount of fake traffic. This influx of traffic seeks to overload the server, and it can also serve as a distraction while the hackers go after other data.
There are web application security tools that help prevent these cyber attacks. However, the level of protection they provide varies. For this reason, we continue to stress the importance of website backups, just in case things go wrong.
Testing for Malware
Regular testing is also important. ‘Big-name’ companies pay white hat hackers to identify vulnerabilities in their systems and report them. This is one way to address the grey areas. You may not be able to do this, but you can run your own tests. Create a security checklist of points to look for on your site. Do your research and talk to professionals about ways to protect your website. Keep an eye out for malware, such as code you did not write and injected scripts.
Conclusion
No website is completely secure, even one with security measures in place. Being aware of the different kinds of data security issues and cyber attacks is the first step. You can use these insights to reduce the chances of a successful attack on your site. It is important to stay informed. The attacks described here are not the only ones you have to look out for, and there is no way to know everything about every possible website attack. So, website backups are of the utmost importance. Be sure to keep your backup in a different location from your original server. Finally, continue testing. Security is not a goal to be reached but a continued effort to protect your website.