Shelter In Computers
In 2014 the total number of websites on the internet reached 1 billion, today it’s hovering somewhere in the neighborhood of 944 million due to websites going inactive and it is expected to normalize again at 1 billion sometime in 2015. Let’s take a minute to absorb that number for a moment. Another surprising statistic is that Google, one of the most popular search engines in the world, quarantines approximately 10,000 websites a day via its Safe Browsing technology. From our own research, of the millions of websites that push through our scanning technology, we often see 2 – 5% of the them have some Indicator of Compromise (IoC) that signifies a hack. Granted, this might be a bit high, as the websites being scanned are often suspected of having an issue, so to be conservative we would extrapolate that to suggest about 1% of the total websites online are hacked or infected. To put that into perspective, we are talking somewhere in the neighborhood of9 million websites that are currently hacked or infected.
With this sort of impact, it’s only natural that people are curious how websites keep getting hacked. The challenge however, is that the answer has been the same for quite some time.
In the past month or so I have been writing a series of articles on various aspects of website hacks and infections. First, I explored the Why in Why do Websites get Hacked, where we explored the various motivations behind today’s hacks. I then moved into the What of a hack, The Impacts of a Hacked Website, where we looked at implications of a hack to website owners of all calibers. Today, we’ll take a moment to under the How.
It is the one question that almost every website security professional gets at some point in their career, and in some cases, repeatedly. We have to remember that we take for granted the knowledge we have gained over the years; we forget what it is like not to know.
Interestingly enough, in the 4.5 years that I’ve been doing this, the anatomy of how websites get hacked has not evolved much. The landscape itself can be very complex, but I’ll try to break it down in it’s purest forms.
For those that will undoubtedly find this article too long, today’s websites get hacked because of three things:Access Control
Software VulnerabilitiesThird-Party Integrations
As of late I have evolved my original list of two to include third-party integrations / service providers and I’ll explain more about that below.
We cannot have a conversation about how websites get hacked without having an open dialog about everything that makes up a website.
There are various elements that make a website function and these things have to be working in unison. Components like the Domain Name System (DNS) – the thing that tells requests where to go. The web server houses the various website files and infrastructure houses the various web servers. These websites live in a complex ecosystem of interconnected nodes around the internet, but to you however, it is likely something you’ve never given much thought to.
Many of these features are provided to you by a number of service providers that make it very easy for you to create an online presence. These service providers sell you things like domain names, hosting space, and any number of services designed to make operating your website easy.
While I won’t dive into too many details around the threats that these various elements introduce, please understand that every one of the components described above has an impact on your overall security posture and can potentially contribute to how your website gets hacked.
There is a difference between Forensics and Remediation, and it is not as subtle as some might believe it to be.
Forensics has been around a very long time and follows a very stringent process of identifying what happened, but more importantly how it happened, and often includes some form of attribution (i.e., who did it?). Remediation however, is the art of cleaning or removing the infections. When it comes to everyday infections, forensics isn’t a necessity; in most cases it is quick to ascertain what happened and how to get it to stop. With that in mind, for complex cases, good remediation cannot be achieved without proper forensics. This might be a slightly unfair categorization, but I hope it helps to more clearly illustrate the subtle differences.
When you ask, “How do websites get hacked?” you are essentially asking for forensics. The problem is, true forensics is complex, time consuming and requires a lot of data – data that is often unavailable via most configurations. You can often segment which component is required based on audience; for small business owners on shared hosting environments, forensics is almost impossible – there is limited access. However, for large organizations/enterprises, forensics is a necessity and the necessary data is sometimes more attainable.
A few reasons you might require forensics:You need to understand what happened and have all associated data elements and access.
You are anEcommerce website and have to be PCI compliant. Your are an organization that has IR protocols in the event of a compromise.
You can break this down even further, but for our purposes it is unnecessary.
What I find most fascinating about hacks, when it comes to websites, is that they always come down to the same elements regardless of the size of organization. It does not matter if you are a Fortune 500 or a small business selling cupcakes, the only difference is the why.
In large organizations it is often because they dropped the ball. They knew exactly what the threat was, but they never thought it would extend to their websites, with the common response being – “I thought someone else was handling it”. When it comes to small businesses, it is often – “Why would anyone want to hack me? I never knew it’d be an issue for me, I’m not Target, I don’t have credit card information”.
The three attack vectors we continue to see exploited repeatedly revolve around the following:Access Control
Software VulnerabilitiesThird Party Integration / Services
Access control speaks specifically to the process of authentication and authorization; simply put, how you log in? When I say log in, I mean more than just your website. Here are a few areas to think about when assessing access control:How do you log into your hosting panel?
How do you log into your server? (i.e., FTP, SFTP, SSH)How do you log into your website? (i.e., WordPress, Dreamweaver, Joomla!)
How do you log into your computer?How do you log into your social media forums?
The reality is that access control is much more important than most give it credit. It is like the person that locks their front door but leaves every window unlatched and the alarm system turned off. This begs the question, why did you even lock the door?
Exploitation of access control often comes in the form of a Brute Force attack, in which the attacker attempts to guess the possible username and password combinations in an effort to log in as the user. You can also see various social engineering attempts using phishing pages designed to capture a users username and password combination, or some form of Cross-Site Scripting (XSS) or Cross Site Request Forgery (CSRF) attack in which the attacker attempts to intercept the user credentials via their own browser. There is also the obvious Man in the Middle (MITM) attack, in which the user intercepts your username and password while working via insecure networks and your credentials are transferred between one point to another via plain text.
Software vulnerabilities are not for the faint of heart. I would argue that 95% of website owners are unable to address today’s software vulnerabilities; even everyday developers are unable to account for the threats their own code introduces. The problem, as I see it, is in the way we think. It takes a special way of thinking to break things; most of us are designed to see the good and use things as designed and only a few of us have that special skill to truly test and push things beyond their boundaries.
These software vulnerabilities extend beyond the website itself and easily bleed in to the various technologies we discussed above (i.e., web server, infrastructure, etc..). Anywhere there is a system, there is a potential software vulnerability waiting to be exploited. This can also extend to your browser (i.e., Chrome, Internet Explorer, Firefox, etc…).
Exploitation of software vulnerabilities comes in various forms, but for our sanity we will talk specifically to a website and not the various supporting elements. When it comes to websites, exploitation of a software vulnerability is achieved through a cleverly malformed Uniform Resource Locator (URL) or POST Headers. Via these two methods, an attacker is able to enact a number of attacks; things like Remote Code Execution (RCE), Remote / Local File Inclusion (R/LFI), and SQL Injection (SQLi) attacks. There are a number of other attacks, but these are some of the more common attacks we’re seeing affecting today’s websites.
Third party integrations / services are increasingly becoming a problem. This can be seen in various forms, with the most prominent being the integration of ads via ad networks leading to malvertising attacks and extends beyond that to services you might use, including things like a Content Distribution Network (CDN) – asin the recent Washington Post hack last week.
Third party integrations and services have become common place in today’s website ecosystem, and are especially popular in the highly extensible Content Management Systems (CMS) like WordPress, Joomla! and Drupal.
The problem with the exploitation of third-party integrations and services is that it is beyond the website owners ability to control. We assume when we integrate third party providers that they are doing everything they need to to ensure the service you are consuming is safe, and in most instances it is, but like everything else there is always the chance of compromise and such is the risk we assume.
It is easy to read this article and feel overwhelmed, but understand that half of the website security battle is awareness and education. The problem is that it is almost impossible to get in front of enough people to scale awareness and education. Once you get in front of people, the next battle is getting them to care. It is often only after someone feels the pain of a compromise that they begin to care or realize the harsh effects.
The first thing I always like to tell website owners is that security is about risk reduction not risk elimination. You must get your head around this simple fact because there is no such thing as a 100% solution to staying secure. Almost all the tools you employ within your environment aim to reduce your overall risk posture, whether it’s continuous scanning or a more proactive approach such as mitigating incoming attacks.
With this in mind, here are the tips I tend to offer everyone that will listen when it comes to managing their websites security:Employ Defense in Depth Principles – layers like an onion.
Leverage best practices like Least Privileged – not everyone needs administrative privileges.Place emphasis on how people access your website, leverage things like Multi-Factor and Two-Factor Authentication.
Protect yourself against the exploitation of software vulnerabilities through use of a Website Firewall – focuses on Known and Unknown Attacks.Backups are your friends – think of them as your safety net, try to have at least 60 days available.
Register your website with Search Engines – Google and Bing have Webmaster Tools, leverage their infrastructure to tell you the health of your website.
Security is not a singular event or action, but rather a series of them. It begins with good posture and the responsibility begins and stops with you. Realize that if you desire to know the How, you will inevitably cross one of the scenarios I describe above, and that’s ok. This is why people in this profession can often say, with some level of certainty that it’s likely attributed to X, Y or Z.
Developed by Webmaster Abbas Shahid Baqir
Webmaster Feedback: firstname.lastname@example.org
All Rights Reserved Copyright, 2010-2020 Student Shelter In Computers ®