The number of sites on the web is growing, as is the percentage of sites that get hacked each year. It could be a bot trying to exploit a known vulnerability or a direct, targeted attack on your organization. Either way, you should adopt the mindset that you will be hacked. Thinking this way will encourage proactive behavior and better practices.
If you’re skeptical that someone would want to hack your website, then take a look at your web logs sometime. You will likely find evidence of someone or some bot trying to hack into your web server. If your organization is high profile, you might find that it happens every single day. Knowing in advance how hacks can happen, what the impact could be and how to mitigate the damage is imperative. Let’s take a look at how they happen.
One of the most infamous exploits to hit the web was a vulnerability in OpenSSL known as Heartbleed. OpenSSL is the layer of software that handles encryption on the server for secure data transactions. Heartbleed didn't care what content management system (CMS) you used because OpenSSL works at a lower level in concert with the web server software. It was a simple bug introduced by a very qualified programmer, and it was the type of mistake that anyone could have made.
What made this mistake so noteworthy is that more than two-thirds of all secure websites were affected. Despite more than 100 contributors to OpenSSL and more than 21,000 distinct code contributions, this simple vulnerability wasn't caught and patched for nearly three years.
The two latest high-profile exploits, Spectre and Meltdown, both took advantage of vulnerabilities inherent in most modern computer processors. They allow users of shared computers (like web servers) to peek over the virtual wall separating their environment from other sites running on the same hardware.
With most websites depending on dozens of distinct applications, millions of lines of code and thousands of individual developers (not counting the code for your website itself), we can assume there are vulnerabilities in every operating system, web server, CMS
The most common reason a site will be hacked is poor initial configuration. Many website admins just aren't very experienced, and there is an awful lot to know. Configuring users in both the operating system and CMS, managing those users' permissions, managing firewall rules, web server configuration – the list goes on. But all of these factors are critical to security.
Many articles and how-to guides cover only the bare minimum to keep things simple for new users. This may be fine for an individual or a mom-and-pop business, but it’s unacceptable for a large, publicly held corporation. At this level, hacks are not just an inconvenience; they can have a serious impact on a business.
Lack of Maintenance
When code vulnerabilities are discovered, patches are created and users are given time to upgrade their systems before the vulnerability is announced to the public. Sadly, many websites are not patched regularly. Going back to our Heartbleed example, more than three years after the patch was released, there were still more than 200,000 web servers running the old, vulnerable version of OpenSSL.
Modern content management systems have layers upon layers of applications. A typical WordPress install will have a Linux operating system, web server software, PHP, MySQL and any number of plug-ins. All these things must be constantly monitored and maintained. It’s a fact that many service providers simply can't keep up.
Humans Being Human
Code vulnerabilities and lack of maintenance might seem frightening but they can pale in comparison to the risks brought about by letting human beings use your CMS. We
Everyone wants to be helpful and seem smart, which makes us inherently susceptible to social engineering. Certain requests should cause alarm bells to ring, such as:
- "Hi, this is Bob from IT. We're picking up some anomalous traffic coming from your machine..."
- "I'm going to send some diagnostic tools your way and..."
- "You're one of our power users so could you help me by..."
Unfortunately, these techniques often work on vulnerable people.
Another common pitfall is poor password practices. Take a quick peek at this list of common passwords. Does anything look familiar? Do any of these look like the root of your password or use a similar technique?
If so, your solution is not unique or clever and you should go change your passwords now! A brute force attack will start with a list like this, introduce variations and possibly find your password in minutes.
How to Keep Your Site Safe
Anyone who says "We can't be hacked" is tempting fate, but you can significantly minimize the risks. Here are some basic safeguards and processes you can put in place to protect sites from bad actors.
Good Security Habits
There are a few simple things your users can do to significantly reduce the risk of having their credentials compromised:
- Use "phrase" passwords. According to the National Institute of Standards and Technology, passphrases are more memorable and secure. Password requirements with special characters and numbers are not as effective.
- Use a password manager. A password manager will help ensure that you use unique passwords on every site. You can also establish and enforce your own password guidelines.
- Teach the art of social engineering. Give users the knowledge to recognize it while it's happening, and the confidence to shut it down before it succeeds.
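The brute-force point above (a wordlist plus cheap variations) and the NIST-style advice in this list amount to one concrete check a CMS or identity provider can run when a user picks a password: screen it against a blocklist after undoing the variations an attacker would try, rather than demanding symbols and digits. The following Python is an added example written for this article, not code from the article, from NIST, or from any CMS. The blocklist is a small constructed sample (a real deployment would load a large breached-password list), and the length limits follow the published NIST SP 800-63B guidance.

```python
import re
import string

# Constructed sample blocklist for the example. A real deployment would load
# a large list of breached and common passwords (such as the one the article
# points to) from a file; the check is the same.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
    "football", "iloveyou", "monkey", "dragon",
}

# NIST SP 800-63B: at least 8 characters for user-chosen secrets, accept at
# least 64, and screen against a blocklist instead of demanding symbols/digits.
MIN_LENGTH = 8
MAX_LENGTH = 64

# Reverse the substitutions a cracking wordlist typically applies, so that a
# disguised base word still maps back onto the blocklist.
UNLEET = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})
YEAR_SUFFIX = re.compile(r"(19|20)\d{2}$")


def candidate_roots(password):
    """Return the base words a password could have been built from by the
    cheap variations attackers try first: case changes, trailing digits or
    punctuation, an appended year, and leetspeak substitutions."""
    roots = {password.lower()}
    # Two passes so that stripping and un-leeting compose
    # ("P@ssw0rd1" -> "p@ssw0rd" -> "password").
    for _ in range(2):
        for r in list(roots):
            roots.add(r.rstrip(string.digits + string.punctuation))
            roots.add(r.strip(string.punctuation))
            roots.add(YEAR_SUFFIX.sub("", r))
            roots.add(r.translate(UNLEET))
    roots.discard("")
    return roots


def check_password(password, username=None):
    """Return (accepted, reason). Only length, context words (the username)
    and the blocklist are checked; there are no composition rules."""
    if len(password) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    if len(password) > MAX_LENGTH:
        return False, "longer than %d characters" % MAX_LENGTH
    if username and username.lower() in password.lower():
        return False, "contains the username"
    hits = candidate_roots(password) & COMMON_PASSWORDS
    if hits:
        return False, "derived from common password %r" % sorted(hits)[0]
    return True, "ok"


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "Welcome2019!", "Tr0ub4dor&3",
               "correct horse battery staple"):
        print(pw, "->", check_password(pw))
```

Note that "P@ssw0rd1" is rejected even though it satisfies every classic complexity rule, while a long passphrase with no digits or symbols passes: that is exactly the shift in emphasis the NIST guidance makes.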
Always keep software up to date with security patches and new releases. If you are not responsible for maintaining your web server, then press all of your service providers for details about their processes that ensure your technology stack runs the latest critical patches.
This includes operating systems, web services,
Good maintenance practices extend to the hardware beyond your web
Remember, anytime a new exploit is discovered, you will unwillingly find yourself in a race with the bad guys. You have to get the patches in place before they find you. There are many actions to take and items to monitor so maintaining web servers is a full-time job.
Keep your list of authorized users up to date and always trim the ones who have left your organization. Coordinate a plan for handling terminations because disgruntled workers can do a lot of damage in short order.
Eliminate Attack Vectors
Every layer that adds code and complexity to your website also introduces potential vulnerabilities, so keep your technology stack as lean and simple as possible. Remove all applications and services that aren't necessary. Only run services that are required for your website and CMS to function.
Allow only inbound traffic to your web server on the ports that are required for your website, CMS or other necessary services. There is no point in exposing services you don't use.
Limit access to your CMS to users on your network or VPN. This can affect your content administrators so consider this trade-off carefully.
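One way to turn the "only run and expose what the site needs" rule into a repeatable check is to audit what is actually listening on the server against an allow-list. The Python below is an added example, not code from the article or from any product it mentions. It parses output in the shape of Linux `ss -tlnp` (the sample is constructed, not captured from a real host); the allowed public ports, the admin-only port and the treatment of loopback-bound services are assumptions chosen for the example and would be adjusted per site.

```python
import re

# Constructed sample in the shape of `ss -tlnp` output; not from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       511            0.0.0.0:80           0.0.0.0:*      users:(("nginx",pid=812,fd=6))
LISTEN  0       511            0.0.0.0:443          0.0.0.0:*      users:(("nginx",pid=812,fd=7))
LISTEN  0       80           127.0.0.1:3306         0.0.0.0:*      users:(("mysqld",pid=901,fd=21))
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*      users:(("sshd",pid=640,fd=3))
LISTEN  0       128            0.0.0.0:21           0.0.0.0:*      users:(("vsftpd",pid=1200,fd=4))
LISTEN  0       128               [::]:8080            [::]:*      users:(("java",pid=1333,fd=44))
"""

# Assumed policy for the example: the website itself needs only HTTP/HTTPS
# from the internet; SSH is needed but only from the admin network or VPN;
# anything bound to loopback is reachable only from the box itself.
PUBLIC_PORTS = {80, 443}
ADMIN_PORTS = {22}
LOOPBACK = {"127.0.0.1", "::1"}

PROC_RE = re.compile(r'\(\("([^"]+)"')


def parse_listeners(text):
    """Return (host, port, process) for every LISTEN line in ss-style output."""
    listeners = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = fields[3].rsplit(":", 1)   # "[::]:8080" -> "[::]", "8080"
        host = host.strip("[]")
        m = PROC_RE.search(line)
        listeners.append((host, int(port), m.group(1) if m else "?"))
    return listeners


def audit(text):
    """Return (port, process, recommendation) for every listener that is
    exposed beyond what the policy allows."""
    findings = []
    for host, port, proc in parse_listeners(text):
        if host in LOOPBACK:
            continue                      # local-only service, not exposed
        if port in PUBLIC_PORTS:
            continue                      # required by the website
        if port in ADMIN_PORTS:
            findings.append((port, proc,
                             "restrict to the admin network/VPN at the firewall"))
        else:
            findings.append((port, proc,
                             "not required by the site: disable the service "
                             "or block the port"))
    return findings


if __name__ == "__main__":
    for port, proc, advice in audit(SAMPLE_SS_OUTPUT):
        print("port %-5d %-8s %s" % (port, proc, advice))
```

Run against a real server, the same function would take the text of `ss -tlnp` (or an equivalent listing on other platforms) and the findings become the to-do list: the database bound to loopback is fine, the FTP daemon and the stray application port are attack surface to remove, and SSH is a candidate for the VPN-only restriction the section describes for the CMS.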
Keep Rotating Backups
Referring to an earlier point, the safest mindset is to assume you will be hacked. It underscores the value of keeping good backups. A thorough backup plan might include keeping six rotating daily backups, four weekly, six monthly and annual backups.
Because hacks are not always discovered right away, you never know how far back you might need to go. A single daily backup is risky.
Also note that simply setting the backup plan isn’t enough. You have to regularly verify that all backups are running and that you can recover from any of those backups in a timely manner. Imagine discovering that your backups weren't working only after you have been hacked… It’s not a scenario people want to find themselves in.
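The rotation schedule described in this section (six daily, four weekly, six monthly, plus annual backups) is easy to state and easy to get subtly wrong when pruning old copies. The Python below is an added example, not code from the article or from any backup product: given the dates of the backups on hand, it works out which ones the policy retains and which can be deleted. Two assumptions are mine: weeks are ISO calendar weeks, and within each week, month and year the newest backup is the one kept. The sample backup set is constructed (one backup per day through 2017).

```python
from datetime import date, timedelta

# The article's schedule: six daily, four weekly, six monthly, and annual
# backups (None = keep one per year indefinitely).
POLICY = {"daily": 6, "weekly": 4, "monthly": 6, "yearly": None}


def select_backups_to_keep(backup_dates, policy=POLICY):
    """Map each retained date to the reasons it is kept, e.g. {"daily", "weekly"}.

    Assumption: within a week/month/year the newest backup is the one retained,
    and weeks are ISO weeks."""
    dates = sorted(set(backup_dates), reverse=True)   # newest first
    keep = {}

    for d in dates[:policy["daily"]]:                   # the newest N dailies
        keep.setdefault(d, set()).add("daily")

    def keep_newest_per_bucket(key, label, limit):
        seen = []
        for d in dates:          # newest first, so the first hit in a bucket is its newest
            k = key(d)
            if k in seen:
                continue
            if limit is not None and len(seen) >= limit:
                break
            seen.append(k)
            keep.setdefault(d, set()).add(label)

    keep_newest_per_bucket(lambda d: d.isocalendar()[:2], "weekly", policy["weekly"])
    keep_newest_per_bucket(lambda d: (d.year, d.month), "monthly", policy["monthly"])
    keep_newest_per_bucket(lambda d: d.year, "yearly", policy["yearly"])
    return keep


def select_backups_to_delete(backup_dates, policy=POLICY):
    """Dates on hand that no retention rule covers, oldest first."""
    keep = select_backups_to_keep(backup_dates, policy)
    return sorted(d for d in set(backup_dates) if d not in keep)


# Constructed sample: a backup was taken every day from 2017-01-01 to 2017-11-30.
FIRST, LAST = date(2017, 1, 1), date(2017, 11, 30)
SAMPLE_BACKUPS = [FIRST + timedelta(days=i) for i in range((LAST - FIRST).days + 1)]


if __name__ == "__main__":
    kept = select_backups_to_keep(SAMPLE_BACKUPS)
    for d in sorted(kept):
        print(d, sorted(kept[d]))
    print("delete %d of %d" % (len(select_backups_to_delete(SAMPLE_BACKUPS)),
                               len(SAMPLE_BACKUPS)))
```

The pruning step is the dangerous half of any rotation, so the verification the section calls for belongs next to it: before a copy is deleted, confirm that the copies this function says are kept actually exist and restore cleanly, and run the full list (not just the newest daily) through a restore test on a schedule.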
So What About SAM?
There are some unique properties of SAM that make it more difficult to hack sites built with this tool than sites built with other content management systems.
SAM is a single app to keep updated because it has no plugins and requires only the basic services that are core components of the Windows Server operating system. If you rely on Microsoft's Automatic Updates, your server will always be patched.
Even more noteworthy, SAM is a static site generator. Most content management systems generate pages on demand when a user requests them, but a static site generator works by generating pages and publishing them to the file system whenever there is a change to the content.
The CMS is not required for users to view the live website, and SAM can be hidden inside your network. In other words, there is no publicly visible CMS to hack! Most of our customers are never aware of the distinction but it's a quality that truly differentiates SAM from the crowd.
References & Resources
- Website Hacked Trend Report
- NoHacked: A year in review
- Website Security: How Do Websites Get Hacked?
- How They Hack Your Website: Overview of Common Techniques
- November 2017 Web Server Survey
- The Heartbleed Bug
- Meltdown and Spectre
- Heartbleed: 200,000 websites and systems still vulnerable to OpenSSL bug
- NIST Digital Identity Guidelines
- Worst Passwords of 2016