
Is your website safe from hackers? 3 common myths about website security

Website and data security are, understandably, talked about a lot in the media: breaches at the likes of Yahoo, Google and Ticketmaster, down to Neopets and the thousands of smaller leaks that never make the news. Hardly a week goes by without a new data leak being disclosed or a large website being taken offline by a DDoS attack.

In this article I'm going to unpack a few ideas and dispel a few myths surrounding website security.



Myth 1: Hackers in Movies

The reality is that most data breaches are not the result of some tireless hacker plugging away at a website, using cunning and ingenuity to guess passwords and find vulnerabilities in APIs. Like most things in movies and TV shows (looking at you, Mr. Robot), the reality is far less exciting.

Here's how these attacks usually go: 

  1. Someone with technical prowess runs scans against huge lists of URLs.
  2. The scans pick up known weaknesses: outdated CMS versions, outdated plugins and themes, and likely entry points. Contact form, e-commerce and membership plugins are bot magnets, because they accept input, uploads and logins from the public.
  3. They find a likely target that is a good candidate for their motives.
  4. They narrow their focus and find out everything they can about the target and its vulnerabilities. This can include information about the domain name, the nameservers and the server, as well as the application itself.
  5. They decide what they want to do. Sometimes it's a simple 'gotcha' text file in the website root, sometimes they steal data, sometimes they deface the site, sometimes they try to ransom the data and end up in prison. There are also many who get in touch with the website owners and let them know, in the hope the company will pay them a bug bounty.

Usually, an attack on a website is not personal, but of course the more sensitive the data, the more it's worth. Government agencies, city websites, healthcare providers, and companies and countries involved in controversial topics are all at risk of more tailored attacks and should prepare accordingly.

Myth 2: It takes a lot of work to hack an application 

As described above, most of the work is automated: scanning, trying new things, connecting data and methods that ordinarily wouldn't be used together. That makes it sound technical and laborious, but again, the reality is that most hacks are the result of basic security oversights.

It's not usually a sophisticated hacker targeting your website. It's a bot trying known tactics such as:

  • Reading your sitemap.xml to find pages you never meant to advertise (extremely common).
  • Harvesting usernames leaked by author sitemaps, author archives (/?author=1, /?author=2 and so on) and RSS feeds.
  • Upload folders on the server with directory listing turned on, letting anyone browse every file ever uploaded to the site.
  • Trying common endpoints such as the WordPress REST API (for example the user listing at /wp-json/wp/v2/users) to see what they return.
  • Scraping core and plugin version numbers from the site's HTML and asset URLs to match against known exploits.
  • Trying usernames and passwords, often in bulk (credential stuffing and brute force), until one logs in.
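Every tactic in that list leaves a recognisable trace in the web server's access log, which is also what the monitoring described later in this post looks at. The script below is an added example, not code from the original post: it parses combined-format log lines, tags requests that match the probes above, separates the ones the server actually answered (a 200 on the REST user listing means usernames are leaking to everyone, not just to this scanner) and counts login attempts per IP. The log lines are constructed, the paths are the standard WordPress ones, and the brute-force threshold is an illustrative assumption.

```python
"""Spot the bot tactics listed above in web server access logs.

Added example, not code from the original post. The log lines are constructed
(Apache/nginx combined format); the request paths are the standard WordPress
ones and the brute-force threshold is an illustrative assumption.
"""
import re
from collections import Counter

# Combined log format:
#   ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# (tactic, request path pattern, response statuses that mean the bot got what it came for)
PROBES = [
    # a sitemap is public by design: logged, but never counted as an exposure
    ("sitemap scrape", re.compile(r"^/(wp-)?sitemap(_index)?\.xml$"), set()),
    # /?author=N answering with a redirect to /author/<login>/ is itself the username leak
    ("author enumeration",
     re.compile(r"^/\?author=\d+$|^/author-sitemap\.xml$|^/wp-sitemap-users-\d+\.xml$"),
     {200, 301, 302}),
    ("uploads directory listing", re.compile(r"^/wp-content/uploads/(\d{4}/(\d{2}/)?)?$"), {200}),
    ("REST API user listing", re.compile(r"^/wp-json/wp/v2/users"), {200}),
    ("version disclosure",
     re.compile(r"^/readme\.html$|^/wp-content/plugins/[^/?]+/readme\.txt$"), {200}),
    ("xmlrpc abuse", re.compile(r"^/xmlrpc\.php$"), {200}),
]

LOGIN_PATH = "/wp-login.php"
BRUTE_FORCE_THRESHOLD = 5  # assumption: this many login POSTs from one IP is an attack


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyse(lines):
    """Return (probes, exposures, brute_force).

    probes:      every request matching a tactic, as (ip, tactic, path, status)
    exposures:   the subset the server answered the way the bot hoped, i.e. the
                 site really is leaking that information and needs a config fix
    brute_force: {ip: count} for IPs with >= BRUTE_FORCE_THRESHOLD login POSTs
    """
    probes, exposures = [], []
    login_posts = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path = rec["path"]
        if rec["method"] == "POST" and path.startswith(LOGIN_PATH):
            login_posts[rec["ip"]] += 1
        for tactic, pattern, hit_statuses in PROBES:
            if pattern.match(path):
                hit = (rec["ip"], tactic, path, rec["status"])
                probes.append(hit)
                if rec["status"] in hit_statuses:
                    exposures.append(hit)
                break
    brute_force = {ip: n for ip, n in login_posts.items() if n >= BRUTE_FORCE_THRESHOLD}
    return probes, exposures, brute_force


# Constructed sample: one scanner walking the checklist, one brute-forcer, one real visitor
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /sitemap.xml HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; scanner)"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0 (compatible; scanner)"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /author-sitemap.xml HTTP/1.1" 404 199 "-" "Mozilla/5.0 (compatible; scanner)"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 830 "-" "Mozilla/5.0 (compatible; scanner)"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-content/uploads/ HTTP/1.1" 200 14000 "-" "Mozilla/5.0 (compatible; scanner)"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /readme.html HTTP/1.1" 403 199 "-" "Mozilla/5.0 (compatible; scanner)"
203.0.113.7 - - [10/Oct/2023:13:55:42 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0 (compatible; scanner)"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:56:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:56:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:56:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3200 "-" "python-requests/2.31"
192.0.2.10 - - [10/Oct/2023:13:57:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:57:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    probes, exposures, brute = analyse(SAMPLE_LOG.splitlines())
    for hit in probes:
        flag = "EXPOSED" if hit in exposures else "probed"
        print(f"{flag:8} {hit[0]:15} {hit[1]:28} {hit[2]} -> {hit[3]}")
    for ip, n in brute.items():
        print(f"BRUTE    {ip:15} {n} login attempts")
```

Run it against a real log with analyse(open("/var/log/nginx/access.log")) and treat anything in exposures as a configuration fix rather than a bot to block: the scanner in the sample got a user list from the REST API and a directory listing from the uploads folder, and both would be served to anyone else who asked. The 403 on readme.html is what a hardened site looks like.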

In the case of Vastaamo, the database server's address was found via Google, and it's suspected that the username and password were defaults (think username: admin, password: password). Hardly a master hacker at work, but someone curious enough to try it (and later convicted of extortion, blackmail and aggravated data breach, among other charges).

Myth 3: Our site isn't a target 

As outlined above, hacks are not usually personal. You don't need large databases of user data, credit cards or social security numbers for your site to be targeted. Pen testing is a great way for larger organisations to audit their applications and server security.

For many sites and companies, pen testing is overkill, and it can be enough to have a trusted partner who takes care of the following things.

  1. Monitoring
    Many attacks can be stopped before they get far if the website is monitored. Bot activity, admin login attempts and error logs are all good sources for seeing what is happening on the app and acting before an intruder gets anywhere.
  2. Backups
    It's surprising how often this part of maintenance is neglected or is not working as it should. A good, remotely stored and regularly tested backup is the ultimate safety net should everything else fail.
  3. Updates
    Core, plugin and theme updates should be part of a good maintenance package, and a good technical partner can keep on top of the latest threats and vulnerabilities and advise on what to do.
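The backup failures that hurt are the quiet ones: the job stopped running months ago, or the archive uploads truncated and nobody tried to restore it. As an added example (not from the original post and not any particular backup product), here is the check that catches both cases: make the archive together with a checksum manifest, then prove it restores by extracting it into a scratch directory and comparing digests. It only handles the file tree; a WordPress backup also needs a database dump, and the archive must be copied off the server. The mini site it creates is constructed sample data.

```python
"""Create a site backup with a checksum manifest and verify it by a trial restore.

Added example, not from the original post: it stands in for whatever backup tool
you actually use. Only the file tree is handled; a real WordPress backup also
dumps the database, and the archive should be stored off the server.
"""
import hashlib
import os
import tarfile
import tempfile


def manifest(root):
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                out[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return out


def make_backup(site_dir, backup_dir, name="site"):
    """Archive site_dir into backup_dir/<name>.tar.gz; return (archive path, manifest).

    The manifest records what the live files looked like at backup time; a later
    verification checks the restored files against it.
    """
    os.makedirs(backup_dir, exist_ok=True)
    archive = os.path.join(backup_dir, f"{name}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname=name)
    return archive, manifest(site_dir)


def verify_backup(archive, expected, site_dir=None, name="site"):
    """Trial-restore the archive into a scratch directory and check it.

    corrupt: manifest entries missing from the archive or restored with a
             different digest (truncated upload, disk error, tampering).
    stale:   files on the live site (if site_dir is given) that the manifest
             does not know about, i.e. the backup job has not run since.
    """
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # the "data" filter refuses absolute paths and ../ traversal in entries
                tar.extractall(scratch, filter="data")
            except TypeError:  # Python without the filter argument (pre-3.12 backports)
                tar.extractall(scratch)
        restored = manifest(os.path.join(scratch, name))
    corrupt = sorted(p for p, digest in expected.items() if restored.get(p) != digest)
    stale = sorted(set(manifest(site_dir)) - set(expected)) if site_dir else []
    return {"ok": not corrupt and not stale, "corrupt": corrupt, "stale": stale}


def demo():
    """Back up a constructed mini site, verify it, add a file, verify again."""
    with tempfile.TemporaryDirectory() as work:
        site = os.path.join(work, "htdocs")
        uploads = os.path.join(site, "wp-content", "uploads")
        os.makedirs(uploads)
        with open(os.path.join(site, "wp-config.php"), "w") as f:
            f.write("<?php define('DB_NAME', 'example');\n")  # constructed sample content
        with open(os.path.join(uploads, "a.txt"), "w") as f:
            f.write("first upload\n")
        archive, expected = make_backup(site, os.path.join(work, "backups"))
        first = verify_backup(archive, expected, site)
        # A file added after the last backup ran: the next check reports it as stale
        with open(os.path.join(uploads, "b.txt"), "w") as f:
            f.write("newer upload\n")
        second = verify_backup(archive, expected, site)
        return first, second


if __name__ == "__main__":
    before, after = demo()
    print("fresh backup:", before)
    print("after a new upload:", after)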

By taking a pro-active approach, the risk of intrusion and damage can be minimized, although never entirely removed. 


Final Thoughts
 

Any website can be a target for attacks, and vulnerabilities in systems are often found in the most fundamental areas. By taking a proactive approach to cybersecurity, the risk of breaches and damages can be significantly reduced – though it can never be completely eliminated.

At Knowit, we take cybersecurity seriously and consider it a crucial aspect of maintaining online services. We strive to stay ahead of ever-evolving security threats, which is why our teams continuously focus on developing technical skills, increasing awareness, improving maintenance efficiency, and supporting our clients in preparing for future cybersecurity challenges.