Do you know your way around your website’s security better than a hacker?
This is a real question to consider because hackers are out there, and they’re sneaky. They know their way around the world of web security, and they’re ready to jump through any loophole they can. The bad guys – those commonly known as “black hats” are after your personal information, your client's personal information, and worse: your identity. It can be a shock when it happens to you because you've assumed that you were taking the right security precautions. Unfortunately, you may have been living under the impression that some widely held misconceptions about web security were true. Here are some myths that could put your website at serious risk.
1. Hackers Aren’t Interested In ME
Those are the words most hackers want to hear. They don't care about anything except the vulnerability of your computer or the outdated security of your website. If they can get to you, they WILL, and they will disrupt everything possible for their own benefit. Banking credentials are a big target, but just one of the many in their sights. They will:
- Infiltrate email and corporate account credentials
- Gain access to the personal information of you, your clients, and your employees
- Hack into your server to use for any number of dirty schemes
- Potentially even create a website that looks exactly like yours and send your visitors to their own domain in order to steal login credentials, personal information, account numbers, and ultimately– money.
In short– hackers can ruin individuals and businesses alike.
It's all done with bots, and they will find you. Like search engines, hackers send out millions of bots to search the web. Once the bot arrives, it almost instantly knows all about your website. It knows which software and even which versions were used. It knows when your site was last updated and all about your server. They report this information back, and based on the information gathered, they decide whether to attempt to break in or send out additional bots to keep prying.
Try this: Go to www.builtwith.com and enter your website URL. The information you get back is what a bot retrieves. Scary, isn't it?
2. My Website Was Secure When It Was Built So It’s Secure Now
Even though your website was built by professionals 365 days ago, and it was secure then, it may not be today. In fact, it is probably not. Look how often your phone’s apps update… how often your browser updates… you’re getting the picture. The bad guys are always at work finding new ways to break in, break rules, and cause chaos. The best way to ensure your website, portal, or application is up-to-date and secure is to schedule regular maintenance.
Both Drupal and WordPress release security updates on a consistent basis. Both communities are constantly working to identify security risks and release patches and fixes for users to quickly add to their application or server before the issue causes irreparable damage. Take the Heartbleed Bug for example. This is a serious vulnerability affecting any server running affected versions of the OpenSSL cryptographic software library. Those who did not take immediate action to address the vulnerability left their information unprotected, ripe for hackers to come and steal.
3. I Updated My Website, So I'm All Set
Just like your computer– You may be up to date today on your website, but how do you know you didn’t get hacked while you were vulnerable? Once hackers get in, they create 'back doors'. Back doors are their own portals to your information. They are entry points where harm can easily get in at any time. Think about that. Even if you update your website and eliminate the perceived vulnerability, these guys have a way to get back in any time they want.
The only way to find and eliminate back doors is to perform regular security scans and code audits. Your CMS code can be compared to the original code to ensure that no unauthorized changes have been made. If you are wondering how to perform these security audits and safeguards, CommonPlaces employs tools that can help you navigate.
4. If They Break In, I Will Just Have My Website Fixed
NO! It’s not that simple. You may lose your whole investment, which might amount to tens of thousands of dollars. Hundreds of executives have called over the years saying that their site has been hacked and their developer can't fix it. In fact most of our clients came to us this way. If your website developer didn't use a proper source code repository and backup system, you probably lost your entire investment to a team of criminals. Sometimes our pros can go in and solve the problem, but often there is so much damage it's just cheaper to start over.
We can’t stress how important it is to make sure your web developer is using a source code repository like GIT or SVN and has daily, weekly, and monthly backups. You may have to roll back and use an older version that hasn't been hacked, but with the proper checkpoints in place, at least you CAN.
5. I Don't Store Customer Data, So It Won't Affect My Customers
This is another example of a common security misconception. What if the bad guys take control of your site and you can't get it back? What if they duplicate your site and send some of the traffic to something that looks like your website, but is a scam? What if they just decide to mess with your customers? Sharp college kids could send bots out as a prank, then break in and have fun with your customer at your expense. Some may just get a kick out of messing with people with “no real harm”, but even this can end up destroying the integrity and reputation of your business.
6. My Site’s SSL Keeps Me Secure
Would you have a locked gate with no fence attached? Probably not. The Secure Socket Layer is your gate– a security protocol in place which encrypts information passing between a server and a browser. With limited time and motivation on the part of the “lazy” hacker who isn't really looking around the gate for the fence, a consistently renewed SSL certificate is perfectly adequate security as long as the server itself is secure. However, for the patient, determined villain, there are many instances of breaking through, so your SSL alone is not enough.
What Should You Do So Your Site Doesn’t Get Hacked?
Be vigilant. Trust the professionals. Don't lull yourself into a false sense of security. Use your due diligence to check and recheck your website’s security protocols. Secure your servers from attack, identify any outdated and redundant security measures, and implement any repairs immediately. Keep in mind that you will need:
- Source code repository and back ups
- Routine application maintenance where your CMS is updated with security enhancements
- Automated and periodically scheduled manual security scans to test your website for vulnerabilities or 'back doors'
- Automated and periodic manual security audits where penetration testing is done
- Did we mention Trust the professionals? We are here to help!