Much like death and taxes, hackers are one of the certainties of life in the internet world. A single shared server can have dozens of hacked websites on it and a website can easily be hacked multiple times a year if not properly defended. Being small and obscure isn’t necessarily going to save you either. Hackers very seldom target individual sites, at least initially. Your average hacker is going to start with a network scan of a large block of IP’s, sometimes several thousand. After your hacker gets a list of IP addresses that respond, they’ll run a vulnerability scan on those servers.
The vulnerability scan will likely come back with a series of potential hacks, or exploits that could be employed in order to gain access. The important thing to note here is that an attacker doesn’t need to know that your site exists in order to find it on the web, locate a security vulnerability, and exploit that vulnerability.
So how do you stay ahead of the hackers?
The easiest way to keep hackers at bay is also the most mundane. Update everything. Software vendors are constantly releasing updates and patches to help keep you safe but most sites are woefully behind on updates. Updates and upgrades often take a back seat to work that seems to more directly impact the business but they’re the heart of security. Both your web software & your server should be checked for updates and kept up to date regularly.
Web Application Firewalls
You’re probably familiar with the firewall that runs on your computer and it should stand to reason that a firewall is even more critical on servers that are constantly exposed over the internet. A Web Application Firewall is a piece of software or hardware that’s responsible for blocking malicious traffic to your website. A WAF can be a physical piece of hardware you’ve purchased and dropped in a rack or it can be a service, like CloudFlare, that your route your traffic through before it hits your server.
DDOS stands for Distributed Denial of Service and it’s a method of attack that relies on overpowering a web server by throwing massive amounts of generic traffic at it. A DDOS is less common than a exploit because it generally requires the attacker to have access to a large pool of machines to initiate the attack from. Unlike an exploit, which generally seeks to access restricted data on your website, a DDOS exists purely for the purpose of taking you off of the web. As a general rule, if you’re being DDOS’d, you’ve either upset someone or you’ve got a hacker testing his abilities on your website. The attacking party has little to gain from this brand of attack.
So how do you stop a DDOS? Your two options tend to be to bulk up, or add enough resources to handle the traffic, or to employ a DDOS prevention service. These tend to be expensive but they’ll filter out the illegitimate traffic before it gets to your site.
Unless you’re running a very large business, employing a DDOS protection service can often be fiscally unfeasible. I would recommend leaving this one alone, unless you happen to be attacked, or trying to find a hosting service that offers one bundled at a discount rate, as many do.
Penetration Tests & Vulnerability Scans
A penetration test, or pen-test for short, involves hiring an Ethical Hacker to attempt to break into your website and show you where it’s vulnerable. Someone running a basic vulnerability scan is also an option and often cheaper. The difference? A vulnerability scan will look for holes in your security, a true pen-test will seek to exploit them.
It’s important, if you’re considering running a pen-test, to speak with your hosting provider prior to the test. If you’re on a shared server, your fake hack attempt could be seen as a real hack attempt on other websites on your server and may constitute illegal action. A good ethical hacker should be able to provide you with information about what is legal and what’s not when it comes to testing a website for vulnerabilities.
PCI stands for Payment Card Industry and PCI Compliance is generally a requirement to accept payments on the web. So, how do you find out if your website is PCI compliant?
PCI Compliance is often determined by a PCI compliance scan run by your credit card gateway provider. That could be someone like PayPal or Authorize.net. Normally, while your site is still small, you’re not going to see too many of these. As you start to increase revenue, you’re more likely to start getting messages from your payment provider to become PCI compliant.
The next question that comes up is how we get there. Well, there’s not really one path to PCI Compliance. Every scan is going to turn up different results and different vulnerabilities and standards that need to be met. I can suggest a few loop holes to get around it entirely.
The first is to avoid processing credit cards on your website at all. Using services like PayPal standard and 2Checkout, where a customer is directed to an external website to pay, will completely remove you from the scope of PCI Compliance. If you never actually take a credit card number, you can’t be liable for one.
The second(almost as good) method is to use services like Authorize.net Direct Post. In this scenario, visitors are putting in their credit card number on your website but it’s sent immediately to Authorize.net without ever going through your web server. I won’t get into the technical details of how this works, but it greatly lowers the scope of your PCI requirements.
As a final note on PCI, never, NEVER, store credit card information on your own website. Even though it’s possible to be PCI Compliant while storing local credit card numbers, the risk is simply higher than the reward could ever be. Do you remember what happened to Target recently? Imagine that being your business with hundreds or thousands of customers with credit card numbers filched from your store.E
This post is an excerpt from the short e-book, Understanding Websites from a Business Perspective, available on Amazon.