Owning and operating a website is thrilling. You may have started one as a portfolio. Maybe it’s for your small business? Perhaps it’s just an online journal to collect and share your thoughts and experiences. Whatever the reason, it doesn’t mean someone else doesn’t want to spoil the fun.
It doesn’t matter if your site is a simple HTML file or built upon a big CMS platform like WordPress. Since it’s created with code and reliant on hardware, you should know the inherent vulnerabilities. Why do people attack websites? The answer is the same as why you started one: some do it for fun, others with malicious intent.
The following are four of the most common security issues you may face when running a website along with a few strategies for combating them.
1. User Error
User error is the most frequent form of security issue when operating a website. Users sit at the top level and generally do not have complete access to the software and hardware architecture of the website.
The error comes about when the user’s machine has been compromised and is then used to connect to the software or hardware of the website. The compromise may come from an infected file or from something as simple as connecting to an insecure public WiFi network, over which your sensitive data is broadcast in the open.
The best course of action is to invest in internet security software that will help prevent attacks on your computer. This type of protection becomes the first line of defense against malicious files, phishing techniques, and brute-force attacks.
2. SQL Injections
An SQL Injection is a type of attack which targets a database. The attack is usually carried out when the attacker finds a vulnerability in the code located on the server. SQL Injections are especially prevalent due to the adoption of Software as a Service, which relies heavily on database interaction.
Once inside, an attacker may gain access to login credentials and other important data stored within the database. These attacks are easy to carry out and can be aimed at many popular server-side languages such as PHP and ASP.Net.
Troy Hunt has pieced together a great, down-to-earth example of how SQL Injections are carried out.
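To make the mechanism concrete, here is an added example (not code from the original article or from Troy Hunt’s write-up) using Python’s built-in sqlite3 module. It places a vulnerable login check, which pastes user input straight into the SQL text, next to the hardened version that uses placeholders, and shows that the same quote-bearing input bypasses the first and is treated as ordinary data by the second. The user table, the account name and the password are constructed for the demo.

```python
import sqlite3


def build_db():
    # Constructed sample data: one account, stored in an in-memory database.
    # (A real application stores a password hash, never the password itself;
    # plaintext is used here only to keep the injection mechanics visible.)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_vulnerable(conn, username, password):
    # Vulnerable pattern: the user's input becomes part of the SQL statement,
    # so a quote character in the input changes the structure of the query.
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    # Hardened pattern: the SQL text is fixed; values travel separately and
    # can only ever be compared as data, whatever characters they contain.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    conn = build_db()
    # Classic tautology input: in the vulnerable query it appends OR '1'='1',
    # making the WHERE clause true for every row.
    tautology = "' OR '1'='1"
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "correct-horse"),
        "vulnerable_wrong": login_vulnerable(conn, "alice", "wrong"),
        "vulnerable_injected": login_vulnerable(conn, "alice", tautology),
        "param_legit": login_parameterized(conn, "alice", "correct-horse"),
        "param_wrong": login_parameterized(conn, "alice", "wrong"),
        "param_injected": login_parameterized(conn, "alice", tautology),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:20s} -> {'login accepted' if ok else 'login rejected'}")
```

Running it shows the vulnerable check accepting the tautology while the parameterized check rejects it. The fix is not input filtering but keeping code and data apart: every mainstream driver for PHP, ASP.Net and other server-side stacks offers the same placeholder mechanism, and using it everywhere is the single most effective defence against this class of attack.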
The likelihood of avoiding these types of attacks greatly depends on the services you use to operate the website. The best you can do is research your choice of hosting to ensure the company provides continual updates on vulnerabilities and has a team ready to take action in the event of an attack.
3. Phishing
Phishing is another common attack at the user level. In this instance, an attacker may pose as a person of authority to extract sensitive information, such as calling “on behalf” of a hosting provider in need of user credentials to apply “fixes”. These attacks may arrive through many channels, such as email messages or false login pages on websites posing as the real thing.
To avoid these attacks, you should strive to have a complete understanding of the tools, resources, and businesses used to operate your website. You should conduct due diligence about the validity of a person’s credentials (or website) before handing over important information.
4. Denial of Service Attacks
These types of attacks generally go after the network, but the fallout can be felt by anyone using the website through slow loading or a complete shutdown (which is especially damaging to businesses).
A botmaster may control hundreds (if not thousands) of computers infected with malware. This gives them the means to attack their target, overloading the network through increased demand on bandwidth or flooding it with application requests.
DDoS attacks are hard to avoid, depending on the intent of the attacker, but there are precautions that prevent and mitigate the effects. This involves a two-part process of protecting your personal computer from becoming a bot and increasing the DNS protection on the server. Caching programs are also very helpful for keeping the website reachable during these attacks.
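The application-request flood described above leaves a trace in the web server’s access log long before the site falls over, and spotting it early is what lets you turn on caching or rate limiting in time. The following is an added example, not code from the original article, that parses access-log lines in the common log format and flags any client that exceeds a per-source request threshold inside a sliding time window. The log lines, the two client addresses (drawn from the RFC 5737 documentation ranges), the window of 10 seconds and the threshold of 50 requests are all constructed for the demo; real thresholds depend on your traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common log format: "IP ident user [timestamp] "request" status size"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp) for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def find_flooding_sources(lines, window=timedelta(seconds=10), threshold=50):
    """Return {ip: peak_requests_in_window} for every source whose request
    count inside any sliding window exceeds the threshold.

    Assumes the lines are in chronological order, as access logs are.
    """
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:  # skip malformed lines rather than crash on them
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop timestamps that aged out
            q.popleft()
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def build_sample_log():
    """Constructed sample: one ordinary visitor and one flooding source."""
    base = datetime(2023, 10, 10, 13, 55, 36, tzinfo=timezone.utc)
    lines = []
    # Ordinary visitor: 3 requests spread over 40 seconds.
    for i in range(3):
        ts = (base + timedelta(seconds=20 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.5 - - [{ts}] "GET /page{i} HTTP/1.1" 200 512')
    # Flooding source: 120 requests for the front page inside 10 seconds.
    for i in range(120):
        ts = (base + timedelta(milliseconds=80 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.7 - - [{ts}] "GET / HTTP/1.1" 200 512')
    return lines


if __name__ == "__main__":
    for ip, peak in find_flooding_sources(build_sample_log()).items():
        print(f"{ip}: peak of {peak} requests inside the window")
```

On the constructed log the flooding address is reported with a peak of 120 requests and the ordinary visitor is not reported at all. A real botnet spreads its requests over many addresses, so a per-source count like this catches the crude floods and the noisy members of a larger one; it complements, rather than replaces, the upstream protection and caching the article recommends.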
All in all, if you’re uploading and sharing data via your website, you’re at risk of security issues. Your best bet is to stay educated, make the investment in tools, and understand how to mitigate the damage.