6 things you can do now to keep your website secure

IT security is a topic that is currently being discussed everywhere. Ransomware, Trojans, phishing, DDoS attacks, viruses, and botnets are just a few examples of threats involved.

Websites are not immune to attacks – the numbers show that whatever is on the Internet will also be attacked. In the first half of 2019, Deutsche Telekom conducted a series of tests with 3,000 so-called “honeypots” – web servers that were specially set up to measure external attacks. The honeypots logged an average of 31 million attacks every day; on one day, as many as 46 million attacks were recorded.

These numbers are interesting because they can be compared with values from 2017 – from an average of 4 million attacks per day, attacks have increased by 675% within two years.

Website security is, therefore, more important today than ever before – don’t give security gaps a chance, and protect your systems with suitable measures!

Any website is vulnerable, but there are a number of simple steps you can take to protect yourself. We present six basic steps.

Attack vectors

Websites can be attacked in many different ways (so-called attack vectors). The high number of attacks that the Telekom study was able to observe is mainly due to the fact that many attacks are now carried out automatically. It is no longer just simple scripts at work here; complex algorithms and AI applications are now part of the hackers’ repertoire.

Automated attacks on popular platforms

Of course, automation brings the best results when it can be applied on a large scale. That is why popular, widely used content management systems like WordPress are also preferred targets.

Here, hackers not only try to guess passwords with “brute force” attacks, but they also like to exploit known vulnerabilities that exist, for example, in systems that have not been updated. This affects both the systems themselves and plugins and extensions that have known vulnerabilities, such as cross-site scripting (XSS) or SQL injections. With the right tools, it is no problem for attackers to automatically detect and exploit these security gaps.

Phishing and social engineering

A much more complex but often successful attack vector is the human factor. “Phishing” is a term used primarily in the area of online banking to describe a threat, but of course, it also affects many other areas. The term describes the attempt to steal passwords and access authorizations via counterfeit login forms that look (more or less) genuine, or by faking other circumstances.

In more complex constellations, phishing is often combined with “social engineering.” Here, (feigned) relationships between people are used to gain trust and thus obtain information by fraud. In its simplest form, this can mean, for example, that malware attachments are (apparently) sent from familiar e-mail addresses and accompanied by a cover letter that looks realistic and personal. For more targeted attacks, however, social engineering can also be used to spy on a specific person in order to exploit their interests and weaknesses for an attack.

Distributed Denial of Service (DDoS)

A website can be the victim of a Distributed Denial of Service (DDoS) attack or, if it or the server has been compromised, itself be used as part of an attack. In such an attack, the website is flooded with many simultaneous requests that come from very different places (hence “distributed”). Bot networks are often used here. The primary goal is to overwhelm the server with too many requests so that the website is no longer accessible.

Consequences of a successful attack

If the attack on a website succeeds, there are a number of consequences that can arise for the operator.

Costs and effort

Repairing damage after an attack involves costs and expenditure of money and manpower. Under certain circumstances, the entire system has to be rebuilt, and servers have to be set up from scratch. Therefore, exact research into the cause is just as important as restoring the original state – ideally with some improvements.

The rule of thumb is: Prevention is always cheaper than cleaning up afterward. Better safe than sorry.

Loss of productivity

A website outage doesn’t just tie up manpower on your side and at your service providers. If your website plays a major role in your sales strategy – be it indirectly as a source of information for your customers or directly as an online shop – every downtime will, of course, cost you inquiries or even orders and, therefore, money.

Depending on the setup, an attack on your website can also affect important company systems, the intranet, or other areas of the digital infrastructure. Again, it is obvious that this can harm the productivity of your company – and prevention is particularly important here.

Loss of reputation

A website that may be down for days, systems that cannot be reached – all of this can give your customers (or potential customers) the impression that you are not reliable. If your website is even used to spread malware (this has also happened after hacks), the damage to your reputation can also manifest itself technically as a significant drop in your SEO reputation. Under certain circumstances, your rankings then drop noticeably, damage that can only be repaired with a lot of effort and time.

Data loss

One of the very serious problems with a website hack is the possible loss of data – if, for example, information from a database is lost – or a data leak. Important company information and customer data should, therefore, under no circumstances be directly accessible via the website.

Suppose the attackers manage to steal personal information from or about customers. In that case, this usually has to be reported not only to the individuals and companies concerned but also to the data protection authorities.

6 tips for keeping your website secure

Of course, not all attacks are successful, and there’s a lot you can do to make it as difficult as possible for hackers. Here we describe essential tips on how to protect your website from attacks.

Secure and segment networks

First of all: IT security must, of course, also be guaranteed in the rest of your systems; this starts with virus protection and firewalls, includes system updates for workstation computers, and does not end with privacy screen filters for company laptops that are also used outside of the office.

The most important thing is: Wherever possible, segment your networks into different areas so that malicious programs cannot spread laterally from one system to another. Cut all connections that are not necessary! This means that a hacker who has access to your website cannot immediately access data from completely different areas.

Check whether all users with administration rights need them: Restrict access to important systems and authorizations as much as possible!


Update, update, update

The same applies to your content management system (CMS): security updates are important. Unfortunately, you really can’t say that often enough. Every system has weaknesses, and every system gets security updates – and now, there are often only a few hours between the discovery of a vulnerability and the publication date of a script that exploits this vulnerability at least semi-automatically.

You should examine all the ways in which your systems can be attacked directly via the web. This is particularly true for content management systems such as WordPress and TYPO3, which are used by many companies and organizations.

You should, therefore, systematically ensure (or have someone ensure) that your CMS and your shop system are up to date, ideally always running the latest version. Security updates should be performed with high priority. There is hardly anything easier than protecting yourself from known security vulnerabilities that have already been patched.

Backup, backup, backup

You can’t say this often enough either: Make sure that all important information is backed up regularly and automatically and ideally stored physically separately from the live system – preferably without a direct connection to the Internet or the rest of your network.

Here, security means: You can be sure that you will soon be able to restore your system with all the data it contains – in the event of a hack, you protect yourself from data loss and long downtimes.

Check your backup policy and get advice on what makes sense for your “regular” backup frequency and how the backup copies can be stored.

Secure servers

Of course, what applies to your CMS should also apply to your server. Suppose you do not have the expertise to operate your own server yourself. In that case, you should use a professional provider who offers managed servers – including the necessary safeguards, updates, and backups.

A well-run managed server that is tailored to your needs and has controllable and scalable capacity also offers very reliable protection against DDoS attacks.

Train employees

While the human factor can be a dangerous vulnerability in phishing attacks, trained employees are the best defense strategy there. Teach them to recognize phishing attempts and, most importantly, to comply with security standards. Many of these attacks can already be repelled in this way.

Trained employees are also the best protection because they can identify successful attacks at an early stage and thus prevent greater damage.

The right password

Good password hygiene is an important requirement for your employees. However, this does not mean that passwords have to be changed regularly. Since October 2019, the Federal Office for Information Security (BSI) has also abandoned this maxim, which was often invoked in the past.

Instead, it is important that your employees only use passwords that meet at least two key criteria:

  • Complex. The password must be sufficiently complex and long so that it cannot be guessed by brute-force attempts without great effort – and in particular, must not appear in any word list (“lexicon”). Ideally, a password consists of more than ten characters and contains numbers and symbols as well as lower- and upper-case letters.
  • Unique. Each password may only be used once; under no circumstances may the same combination of login name and password be used for several different services.
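The two criteria above, turned into checks that an administrator can run over an exported credential list. This is an added example, not code from the article; the word list, the minimum length of 11 characters, the HMAC key, and the sample credentials are assumptions chosen for illustration.

```python
import hashlib
import hmac
import string

# Constructed sample "lexicon" standing in for a real common-password word list.
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "summer"}
SYMBOLS = set(string.punctuation)


def complexity_problems(password: str, min_length: int = 11) -> list:
    """Return the criteria from the article that the password fails (empty = passes)."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    # Word-list check on the letters only, so "Welcome2019!" is still caught.
    letters = "".join(c for c in password if c.isalpha()).lower()
    if password.lower() in COMMON_WORDS or letters in COMMON_WORDS:
        problems.append("in word list")
    return problems


def reused_credentials(credentials: list, key: bytes) -> list:
    """Find login/password combinations used for more than one service.

    credentials is a list of (service, login, password) tuples, e.g. exported from a
    password manager for an audit. Combinations are compared via a keyed HMAC digest
    (assumed secret key) so only digests, not plaintext, need to be retained afterwards.
    """
    seen = {}
    reused = []
    for service, login, password in credentials:
        material = login.encode() + b"\x00" + password.encode()
        digest = hmac.new(key, material, hashlib.sha256).hexdigest()
        if digest in seen:
            reused.append((seen[digest], service))
        else:
            seen[digest] = service
    return reused


if __name__ == "__main__":
    print(complexity_problems("Welcome2019!"))  # ['in word list']
```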

As an additional measure, two-factor authentication (2FA) can be used, in which a login to a system still has to be confirmed using an independent device (e.g., a smartphone). This way, you protect your systems even if a password falls into the wrong hands.

In any case, a password that is suspected of having been compromised must be changed.

Conclusion

Even if the field of IT security is, of course, complex and hard to keep track of, there are simple measures that you can use to significantly reduce the risk of becoming the target of a successful attack. Protect your site! In doing so, you make a significant contribution to improving the security of your IT systems as a whole.

Don’t be afraid to enlist the help of experts. Together with them, develop a clear plan of which measures are useful and important, prioritize them – and involve your employees.
