30,000 Web Sites Hacked A Day. How Do You Host Yours?
Websites with basic security errors like this are responsible for distribution of most malicious code. |
Are you helping the cyber criminalsdistribute malicious code to your customers, friends and family? In the old days (well, the 90s) cyber criminals distributed malicious code via e-mail. Today the cyber criminals mostly use websites to distribute their nasty code. On average 30,000 new websites are identified every day (source Sophos Labs [Disclosure: I work for Sophos]) distributing malicious code to any users passing by. Many hold on to the idea that viruses are distributed from adult sites, gambling and other forms of vice but in reality the majority of these 30,000 sites are legitimate small businesses that are unwittingly distributing malicious code for the cyber criminals. You might be one of them. Another widely held web threat misconception is that cyber criminals only go after large enterprises or government organisations. I wish I had a dollar for every time someone said “but we are a small business, cyber criminals aren’t likely to target us” followed shortly by them getting hit by something nasty. Cyber criminals have automated scanning tools scouring the web looking for websites to infect to deploy their malicious code. Their target could be a personal blog, a small business website or a massive news site. Wherever there is a vulnerability they will happily capitalise on it to spread their wares.
There are lots of different ways to host your website, ranging from hosting it yourself to using a managed third party provider that looks after security for you. I am at present collating statistics about which of these methods tends to have the lowest security posture from the 30,000 sites a day, but in the interim let me ask you how you host your website.
Included below is a set of brief top tips that apply to any SME hosting a website but based on the survey responses I’ll produce a more detailed guide on how to secure your site and avoid becoming an accomplice for the cyber criminals. By applying some of these practices you can help make life much harder for cyber criminals trying to deploy their malicious code and avoid embarrassing conversations with customers after your website infects their computer.
Top tips to protect your websiteIf you look after your own website, you can apply the below practices. If you outsource this to a third party this constitutes a useful set of questions you can ask of your provider to see if they are well prepared for a problem. This is far from an exhaustive list, but a good start if you have a website and haven’t thought about security a great deal before.
- Make sure your web site was built following good secure coding principles. You can find a handy top ten tips to check for here.
- Check that your web server software and any other software you use is patched and up to date. If you use a third party make sure they have policies and processes to do this for you.
- Check that when you transfer personal information, credit card or other sensitive data you encrypt the web traffic using SSL. There is a great free tool you can use to check how well your site does this here.
- Get a professional review of your website by a penetration tester that can identify vulnerabilities before the cyber criminals do. Make sure you have applied best practice first otherwise they will waste your money telling you things you should already have fixed.
- Perform a regular scan or check on your website to spot unexpected changes or nasty malicious content.
- Insure you have frequent backups of your website (particularly if you host a database with dynamic content or user information) as you may be forced to restore it in the event of an attack. Sometimes tidying up the damage left by cyber criminals is hard work.
No comments:
Post a Comment