As a site owner, it’s your job to ensure that you have created the first line of defense against hacking attacks. It’s important to understand that website and web app hacking is a very real threat that happens all the time, especially to those who don’t believe their site has any value to hackers. The majority of security breaches are not to steal your data or mess with your website layout. Instead, they have the intention of using your server as an email relay for spam or to set up a temporary web server, normally to serve files of an illegal nature. Other very common ways to abuse compromised machines include using your servers as part of a botnet, to mine for Bitcoins, or you could even be hit by ransomware.
By the time you hear about a hacker intrusion, it’s usually too late. It’s very difficult to undo the damage done by a hacker, especially if your platform contains valuable data that can be worth millions (if not billions) of dollars. The larger and more robust the platform, the more time, money and energy it will take to fix the hack. You can, however, take steps to prevent it! Even the most basic protection will discourage many hackers enough to make them go looking for easier pickings elsewhere. Thieves are more likely to steal from people who leave their doors unlocked.
At Azul Arc, keeping your web application or website (and its contents) secure is of ultimate importance. Below are 9 ways that hackers can attack as well as the measures that Azul Arc uses to defend against security threats.
General measures
1. Vulnerabilities
There are potential yet common security issues that may arise if some basic security precautions aren’t taken.
Vulnerabilities on Your Computer
Make sure the computers you use are free of spyware, malware, and virus infections. No amount of security on your web server will make the slightest difference if there is a keylogger on your computer. Always keep your operating system and the software on it, especially your web browser, up to date to protect you from security vulnerabilities. If you are browsing untrusted sites, we also recommend using tools like no-script (or disabling javascript/flash/java) in your browser.
Vulnerabilities in the application
Improving software security is always an ongoing concern, and to that end you should always keep up to date. Read more about this in the next section, developing for security.
Vulnerabilities in Web Server
The web server where your application/website is hosted can have vulnerabilities. Therefore, make sure you are running secure, stable versions of your web server and the software on it, or make sure you are using a trusted host that takes care of this for you. If you\’re on a shared server (one that hosts other websites besides your own) and a website on the same server is compromised, your website can potentially be compromised too even if you follow everything in this guide. Be sure to ask your hosting partner what security precautions they take.
2. Passwords
Many potential vulnerabilities can be avoided with simple security habits. A strong password is an important aspect of this.
The goal with your password is to make it hard for other people to guess and hard for a brute force attack to succeed. Many automatic password generators are available that can be used to create secure passwords. A hacker who gains access to your administrator account is able to install malicious scripts that can potentially compromise your entire server. At Azul Arc, we use Lastpass to store and generate secure passwords.
If you are not using a password generator and creating a password, here are guidelines for you to follow:
- Make the password unique and long
- Use a mix of alphanumeric characters (letters and numbers) and symbols:
- Uppercase (capital) letters. Examples: A, E, R
- Lowercase (small) letters. Examples: a, e, r
- Numbers. Examples: 2, 6, 7
- Symbols and special characters. Examples: ! @ & *
Recommendations & examples (source: Google)
- Replace letters with numbers & symbols: Choose a word or phrase and use numbers and symbols instead of some letters. Examples:
- “Spooky Halloween” becomes “sPo0kyH@ll0w3En”
- “Later gator” becomes “L8rg@+0R”
- Abbreviate a sentence: Come up with a sentence and use the first letter of each word. Example:
- “Uncle Peter always ate chocolate-covered everything” becomes “uP@8cCe!”
Things to avoid when choosing a password:
- Any permutation of your own real name, username, company name, or name of your website
- A word from a dictionary, in any language
- A short password
- Any numeric-only or alphabetic-only password (a mixture of both is best)
3. File Permission
FTP
When connecting to your server you should use SFTP encryption if your web host provides it. If you are unsure if your web host provides SFTP or not, just ask them.
Using SFTP is the same as FTP, except your password and other data is encrypted as it is transmitted between your computer and your website. This means your password is never sent in the clear and cannot be intercepted by an attacker.
File or directory Permissions
Rewritable files – Allowing write access to your files is potentially dangerous, particularly in a shared hosting environment.
It is best to lock down your file permissions as much as possible and to loosen those restrictions on the occasions that you need to allow write access, or to create specific folders with less restriction for the purpose of doing things like uploading files.
4. Database security
Restricting Database User Privileges
For normal website/app operations, (such as posting, uploading media files, posting comments etc,) the MySQL database user only needs data read and data write privileges to the MySQL database; SELECT, INSERT, UPDATE and DELETE, therefore any other database structure and administration privileges, such as DROP, ALTER and GRANT can be revoked. By revoking such privileges you are also improving the containment policies.
Whitelisting IPs
Separating the database and code base on two separate servers (and can set firewall policies or different permissions on both).
5. Data back ups
It is important to back up your data regularly (weekly or daily backup is ideal), including your MySQL databases. The hosting partners we recommend have options for doing this automatically. Please check with your hosting provider if you are unsure about this and we can also assist you in getting this set up.
6. Logging
Forensics logs are your best friend when it comes to understanding your site. Logs allow you to see what was done by who and when. Unfortunately the logs will not tell you who by username, but it will allow you to identify the IP and time. Additionally, you will be able to see any of these attacks via the logs – Cross Site Scripting (XSS), Remote File Inclusion (RFI), Local File Inclusion (LFI) and Directory Traversal attempts. You will also be able to see brute force attempts.
Developing for Security
At Azul Arc, we stay informed about the latest security threats and follow best practices to prevent these attacks. For your information, these are the security risks for which we include preventative measures.
7. Cross-Site Scripting (XSS)
Cross-site scripting (XSS) is the most common type of computer security vulnerability typically found in web applications. XSS attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.
Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site\’s owner.
8. SQL Injections
SQL injection uses malicious code to manipulate your database into revealing information, such as an entry field for execution (e.g. to dump the database contents to the attacker).
9. Remote + Local File Inclusion
Remote File Inclusion (RFI) is a type of vulnerability most often found on websites. It allows an attacker to include a remote file, usually through a script on the web server. A common setup that can make a website vulnerable to RFI is when a developer uses PHP to include an external file based on data passed via URL parameter.
Local File Inclusion (LFI) is similar to a Remote File Inclusion vulnerability, except instead of including remote files, only local files (e.g. files on the current server) can be included. The vulnerability is also due to the use of user-supplied input without proper validation.
Cyber criminals are becoming more sophisticated, sharing successful techniques and tools with others hackers on the dark web. The good news is that cyber security is constantly improving, even as threats escalate. In the meantime, web owners can do their part to minimize these attacks by following the tips provided. If you are interested in getting an audit of your website or web app security, please contact us at www.azularc.com.